From 18d059be5353ae742be4b71fdb40a80f081811e4 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:28:49 +0000
Subject: [PATCH 01/11] chore: open auto-fix batch
 claude/friendly-maxwell-UlJEd


From 8089a6227169bb1aca84a7dfd1187ec3caa356c5 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:31:25 +0000
Subject: [PATCH 02/11] fix(scripts): use npm ci in setup-e2e
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`npm install` can mutate package-lock.json; `npm ci` installs
exactly the lockfile + refuses to mutate it. Deterministic E2E
setup demands the strict variant.

No Rust changes — only fmt run as smoke check (clippy/test skipped).

Refs #530
---
 scripts/setup-e2e.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/setup-e2e.sh b/scripts/setup-e2e.sh
index e1963a70..e325250a 100755
--- a/scripts/setup-e2e.sh
+++ b/scripts/setup-e2e.sh
@@ -55,7 +55,7 @@ fi
 # npm dependencies
 if [ ! -d "$ROOT/node_modules" ]; then
     step "Installing npm dependencies..."
-    (cd "$ROOT" && npm install)
+    (cd "$ROOT" && npm ci)
 fi
 
 # Playwright browsers. `--dry-run` prints the install location whether

From a5e2ad0810abeca32ef5b01478cb299c737ddba0 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:32:44 +0000
Subject: [PATCH 03/11] build(setup-e2e): pin trunk + just installs with
 --locked

Bare `cargo install` ignores each tool's Cargo.lock, so any
compromised transitive dep on crates.io silently lands in the
E2E env. `--locked --version X.Y.Z` deterministic.

- trunk 0.21.14 matches deploy.yml workflow pin
- just 1.50.0 latest stable (no existing pin in workflows)

Refs #529
---
 scripts/setup-e2e.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/setup-e2e.sh b/scripts/setup-e2e.sh
index e325250a..1b083dfc 100755
--- a/scripts/setup-e2e.sh
+++ b/scripts/setup-e2e.sh
@@ -43,13 +43,13 @@ fi
 # trunk
 if ! command -v trunk &>/dev/null; then
     step "Installing trunk (WASM bundler)..."
-    cargo install trunk 2>&1 | tail -1
+    cargo install --locked --version 0.21.14 trunk 2>&1 | tail -1
 fi
 
 # just
 if ! command -v just &>/dev/null; then
     step "Installing just (task runner)..."
-    cargo install just 2>&1 | tail -1
+    cargo install --locked --version 1.50.0 just 2>&1 | tail -1
 fi
 
 # npm dependencies

From c65ffabb6e89b1ee16c8c6902d14bbb5187df335 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:40:31 +0000
Subject: [PATCH 04/11] fix(replay): cap peer HeadsSummary in sync
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirror the storage cap added by PR #507 / b075140
(MAX_AUTHORS_PER_SYNC = 256) on the replay path. Without
the guard, ReplayRole::handle_request(WorkerRequest::Sync)
iterates a peer-supplied HeadsSummary into a BTreeMap and
walks the in-memory DAG once per author — same DoS shape as
storage's sync_since/history before #507.

Approach A (centralize the const in willow-common alongside
SYNC_BATCH_LIMIT) chosen over B (define a local const in
replay): the cap is a wire-protocol invariant that BOTH
workers must agree on. A single source of truth in
willow-common — already a dep of both crates — guarantees
they cannot drift. Cost is one extra crate dep edge for
willow-replay (already had willow-state, willow-identity,
willow-worker, willow-network).

Storage's local pub const is removed; it now imports from
willow-common. No behavioural change to storage — the value
and the bail! sites are byte-identical.

Replay uses WorkerResponse::Denied { reason } (sync handler,
not anyhow::Result) mirroring the existing "unknown server"
branch and the storage error message text.

Tests:
- sync_request_rejects_oversize_heads (MAX+1 → Denied)
- sync_request_accepts_exact_cap_heads (MAX → not Denied)

Refs #514

https://claude.ai/code/session_019HhgeDZ5HCbEUygRRLCjde
---
 Cargo.lock                  |  1 +
 crates/common/src/lib.rs    | 18 ++++++++
 crates/replay/Cargo.toml    |  1 +
 crates/replay/src/role.rs   | 90 +++++++++++++++++++++++++++++++++++++
 crates/storage/src/store.rs | 18 +-------
 5 files changed, 111 insertions(+), 17 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index ccf03abd..47ba1bea 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -6224,6 +6224,7 @@ dependencies = [
  "tracing",
  "tracing-subscriber",
  "uuid",
+ "willow-common",
  "willow-identity",
  "willow-network",
  "willow-state",
diff --git a/crates/common/src/lib.rs b/crates/common/src/lib.rs
index e9ab8c3a..eab85f82 100644
--- a/crates/common/src/lib.rs
+++ b/crates/common/src/lib.rs
@@ -24,3 +24,21 @@ pub use worker_types::*;
 /// `willow-common` (already a dep of both crates) guarantees they stay
 /// aligned at compile time.
 pub const SYNC_BATCH_LIMIT: usize = 10_000;
+
+/// Maximum number of `(author, head)` entries accepted from a peer-supplied
+/// [`willow_state::HeadsSummary`] in a single sync / history call.
+///
+/// Single source of truth shared by:
+/// - `willow-storage` — `sync_since` / `history` build SQL by concatenating
+///   one `(author = ? AND seq <op> ?)` fragment per entry; an oversize
+///   summary would either exceed rusqlite's bind-parameter limit
+///   (default 32766) or waste CPU compiling a giant prepared statement.
+/// - `willow-replay` — `handle_request(Sync)` iterates per-author into a
+///   `BTreeMap` then walks the in-memory DAG; an oversize summary forces
+///   O(N) work and is the same DoS shape as the storage path.
+///
+/// 256 is well above any plausible honest server's distinct-author count
+/// while keeping bind-parameter and BTreeMap-construction costs bounded.
+/// Both production sites MUST agree on this value, so the canonical
+/// definition lives here alongside [`SYNC_BATCH_LIMIT`].
+pub const MAX_AUTHORS_PER_SYNC: usize = 256;
diff --git a/crates/replay/Cargo.toml b/crates/replay/Cargo.toml
index 0e648e25..2f489bd8 100644
--- a/crates/replay/Cargo.toml
+++ b/crates/replay/Cargo.toml
@@ -12,6 +12,7 @@ willow-worker = { path = "../worker" }
 willow-state = { path = "../state" }
 willow-identity = { path = "../identity" }
 willow-network = { path = "../network" }
+willow-common = { path = "../common" }
 clap = { version = "4", features = ["derive"] }
 dirs = "6"
 anyhow = { workspace = true }
diff --git a/crates/replay/src/role.rs b/crates/replay/src/role.rs
index d51b56a7..1fe2da6d 100644
--- a/crates/replay/src/role.rs
+++ b/crates/replay/src/role.rs
@@ -7,6 +7,7 @@
 use std::collections::{BTreeMap, HashMap};
 
 use tracing::warn;
+use willow_common::MAX_AUTHORS_PER_SYNC;
 use willow_state::{
     apply_incremental, Event, EventDag, EventHash, EventKind, HeadsSummary, InsertError,
     PendingBuffer, ServerState, Snapshot, DEFAULT_PENDING_MAX_AGE_MS, DEFAULT_PENDING_MAX_ENTRIES,
@@ -273,6 +274,21 @@ impl WorkerRole for ReplayRole {
     fn handle_request(&mut self, req: WorkerRequest) -> WorkerResponse {
         match req {
             WorkerRequest::Sync { server_id, heads } => {
+                // Reject peer-supplied summaries that would force O(N)
+                // BTreeMap construction and DAG walks (see
+                // `MAX_AUTHORS_PER_SYNC`). Mirrors the storage cap added in
+                // PR #507 / b075140; gated before any allocation so a hostile
+                // request fails fast.
+                if heads.heads.len() > MAX_AUTHORS_PER_SYNC {
+                    return WorkerResponse::Denied {
+                        reason: format!(
+                            "too many heads in sync request: {} > {}",
+                            heads.heads.len(),
+                            MAX_AUTHORS_PER_SYNC
+                        ),
+                    };
+                }
+
                 let data = match self.servers.get(&server_id) {
                     Some(d) => d,
                     None => {
@@ -1458,6 +1474,80 @@ mod tests {
         }
     }
 
+    // ── Issue #514: oversize HeadsSummary rejection ──────────────────────
+    //
+    // Mirrors the storage cap added by PR #507 / b075140. Without a guard
+    // here, a malicious peer could send a multi-thousand-entry HeadsSummary
+    // and force replay to do per-author BTreeMap inserts and DAG walks for
+    // every entry — same DoS shape as the storage path the sibling PR fixed.
+
+    /// Build a `HeadsSummary` with `n` distinct random authors. Mirrors the
+    /// helper in `crates/storage/src/store.rs` (sibling cap test infra).
+    fn heads_summary_with_authors(n: usize) -> HeadsSummary {
+        use willow_state::AuthorHead;
+        let mut heads = BTreeMap::new();
+        for _ in 0..n {
+            let id = Identity::generate();
+            heads.insert(
+                id.endpoint_id(),
+                AuthorHead {
+                    seq: 1,
+                    hash: EventHash::ZERO,
+                },
+            );
+        }
+        HeadsSummary { heads }
+    }
+
+    /// A peer-supplied `HeadsSummary` with more than `MAX_AUTHORS_PER_SYNC`
+    /// entries must be rejected by `handle_request(Sync)` before any
+    /// per-author BTreeMap construction or DAG walk occurs.
+    #[test]
+    fn sync_request_rejects_oversize_heads() {
+        use willow_common::MAX_AUTHORS_PER_SYNC;
+        let mut role = ReplayRole::new(ReplayConfig::default());
+        let (_, _) = setup_server(&mut role, "srv-1");
+
+        let oversize = heads_summary_with_authors(MAX_AUTHORS_PER_SYNC + 1);
+        let resp = role.handle_request(WorkerRequest::Sync {
+            server_id: "srv-1".to_string(),
+            heads: oversize,
+        });
+
+        match resp {
+            WorkerResponse::Denied { reason } => {
+                assert!(
+                    reason.contains("too many heads"),
+                    "denial reason should mention the cap; got: {reason}"
+                );
+            }
+            other => panic!("expected Denied for oversize heads, got: {other:?}"),
+        }
+    }
+
+    /// `handle_request(Sync)` must accept exactly `MAX_AUTHORS_PER_SYNC`
+    /// entries — the cap is inclusive on the legal side.
+    #[test]
+    fn sync_request_accepts_exact_cap_heads() {
+        use willow_common::MAX_AUTHORS_PER_SYNC;
+        let mut role = ReplayRole::new(ReplayConfig::default());
+        let (_, _) = setup_server(&mut role, "srv-1");
+
+        let at_cap = heads_summary_with_authors(MAX_AUTHORS_PER_SYNC);
+        let resp = role.handle_request(WorkerRequest::Sync {
+            server_id: "srv-1".to_string(),
+            heads: at_cap,
+        });
+
+        // The peer's heads mention authors we don't know, so events_since
+        // returns the genesis event; our store has 1 author the peer doesn't,
+        // so they_are_behind is true. Either branch is acceptable — the only
+        // forbidden outcome is Denied for at-cap input.
+        if let WorkerResponse::Denied { reason } = resp {
+            panic!("at-cap heads must not be denied; got reason: {reason}");
+        }
+    }
+
     /// When the configured `pending_max_entries` is exceeded, the oldest
     /// entries are evicted and `pending_count()` reflects the cap.
     #[test]
diff --git a/crates/storage/src/store.rs b/crates/storage/src/store.rs
index 03028aae..69026a12 100644
--- a/crates/storage/src/store.rs
+++ b/crates/storage/src/store.rs
@@ -20,25 +20,9 @@
 //! never reordered or rewritten so existing databases stay consistent.
 
 use rusqlite::{params, Connection};
-use willow_common::SYNC_BATCH_LIMIT;
+use willow_common::{MAX_AUTHORS_PER_SYNC, SYNC_BATCH_LIMIT};
 use willow_state::{Event, EventKind, HeadsSummary};
 
-/// Maximum number of `(author, head)` entries accepted from a peer-supplied
-/// [`HeadsSummary`] in a single `sync_since` / `history` call.
-///
-/// `sync_since` and `history` build their SQL clauses by concatenating one
-/// `(author = ? AND seq <op> ?)` fragment per entry. A peer-supplied summary
-/// with thousands of entries (still well within the transport envelope cap)
-/// would either exceed rusqlite's bind-parameter limit (default 32766) or
-/// waste CPU compiling a giant prepared statement.
-///
-/// 256 is well above any plausible honest server's distinct-author count
-/// while keeping the bind-parameter count (~512 per call) and the SQL
-/// expression-tree depth safely below SQLite's defaults
-/// (32766 binds, depth 1000). Requests over the cap are rejected at the store layer;
-/// the caller in `role.rs` maps the error to a `WorkerResponse::Denied`.
-pub const MAX_AUTHORS_PER_SYNC: usize = 256;
-
 /// Ordered list of schema migrations. Each entry is run inside its own
 /// transaction the first time the database is opened. Once a migration is
 /// shipped, never edit or reorder it — only append new entries.

From d23f3f88b99687ae29b17a03ac651f267a2a5ebe Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:47:34 +0000
Subject: [PATCH 05/11] fix(web): treat sub-1ms transition as zero-duration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

is_zero_duration only matched "", "0s", "0ms" — but the global
prefers-reduced-motion rule in style.css forces transition-duration
to 0.01ms !important on every element, which engines serialise as
either "0.01ms" or "0.0001s". Both slipped past the strict matcher,
so mobile_shell, confirm_dialog, bottom_sheet, grove_drawer, and
message reactions all sat waiting for a transitionend that never
fires under reduced-motion — UI hang.

Replace the string-equality check with parse_duration_seconds (parses
both s and ms suffixes) and accept anything ≤ 1ms (epsilon) as zero.
Unparseable input stays conservative (not zero). Sibling-of-closed
audit follow-up to #496 (8d89f18).

Approach A (parse-and-compare) chosen over B (hardcode the two known
strings) because reduced-motion is the authoritative contract — any
sub-millisecond duration is indistinguishable from "no transition"
for transitionend purposes, so a numeric threshold is the durable fix.

Tests added (native, no DOM): parse_duration_seconds_handles_units,
parse_duration_seconds_rejects_malformed,
is_zero_duration_str_recognises_explicit_zero,
is_zero_duration_str_recognises_reduced_motion_override,
is_zero_duration_str_treats_sub_millisecond_as_zero,
is_zero_duration_str_rejects_real_durations,
is_zero_duration_str_multi_value_all_zero,
is_zero_duration_str_multi_value_mixed_is_not_zero,
is_zero_duration_str_unparseable_is_not_zero.

Gates: fmt clean, clippy native + wasm32 clean (-D warnings), 86
willow-web lib tests pass, wasm32 --tests check clean (wasm-pack /
geckodriver not available in env — used cargo check --target
wasm32-unknown-unknown --tests as fallback gate per CLAUDE.md).

Refs #515

https://claude.ai/code/session_019HhgeDZ5HCbEUygRRLCjde
---
 crates/web/src/components/lifecycle.rs | 137 +++++++++++++++++++++++--
 1 file changed, 127 insertions(+), 10 deletions(-)

diff --git a/crates/web/src/components/lifecycle.rs b/crates/web/src/components/lifecycle.rs
index aaea2921..64e6e470 100644
--- a/crates/web/src/components/lifecycle.rs
+++ b/crates/web/src/components/lifecycle.rs
@@ -52,15 +52,68 @@ pub const fn advance(state: LifecycleState) -> LifecycleState {
     }
 }
 
+/// Maximum transition duration (in seconds) that we treat as effectively
+/// zero — i.e. "skip the wait, snap synchronously". 1ms is the threshold
+/// because the global reduced-motion override at `style.css` writes
+/// `transition-duration: 0.01ms !important` for every element, and we must
+/// honour that as the authoritative reduced-motion contract. Any user CSS
+/// using ≤1ms transitions is also indistinguishable from "no transition"
+/// for the purpose of `transitionend` firing reliably across engines.
+const ZERO_DURATION_EPSILON_SECONDS: f64 = 0.001;
+
+/// Parse a single CSS `<time>` value (e.g. `"0s"`, `"0.01ms"`, `"250ms"`,
+/// `"0.0001s"`) into seconds. Returns `None` for empty / malformed input —
+/// callers must treat that as "not zero" to preserve the wait-for-event path.
+///
+/// Per CSS spec the computed value of `transition-duration` is canonicalised
+/// to seconds, but engines vary in serialisation (some emit `"0.0001s"`,
+/// others preserve `"0.01ms"`), so we accept both `s` and `ms` suffixes.
+fn parse_duration_seconds(value: &str) -> Option<f64> {
+    let trimmed = value.trim();
+    if trimmed.is_empty() {
+        return None;
+    }
+    // Order matters: check `ms` before `s` (else `s` matches `ms` suffix's `s`).
+    let (number, divisor) = if let Some(num) = trimmed.strip_suffix("ms") {
+        (num, 1000.0_f64)
+    } else if let Some(num) = trimmed.strip_suffix('s') {
+        (num, 1.0_f64)
+    } else {
+        return None;
+    };
+    number.trim().parse::<f64>().ok().map(|n| n / divisor)
+}
+
+/// Predicate form of [`is_zero_duration`] operating on the raw computed
+/// `transition-duration` string. Split out for unit testing without a DOM.
+///
+/// Empty input (no `transition` property set at all) → zero. Any
+/// comma-separated component that fails to parse → not zero (conservative:
+/// keep waiting for `transitionend` rather than snap incorrectly). All
+/// components must parse and be ≤ [`ZERO_DURATION_EPSILON_SECONDS`] for the
+/// element to count as zero-duration.
+fn is_zero_duration_str(duration: &str) -> bool {
+    if duration.is_empty() {
+        return true;
+    }
+    duration.split(',').all(|component| {
+        parse_duration_seconds(component)
+            .is_some_and(|seconds| seconds <= ZERO_DURATION_EPSILON_SECONDS)
+    })
+}
+
 /// Returns true if the element has no animation duration (reduced motion or
 /// untransitioned). When this returns true, callers must snap to the
 /// terminal lifecycle state synchronously without waiting for `transitionend`
 /// — otherwise the test hangs because no event will fire.
 ///
-/// Reads `getComputedStyle(el).transition-duration`. Empty string and "0s"
-/// both count as zero. Multi-property transitions (comma-separated values)
-/// are conservatively treated as non-zero unless every component is "0s",
-/// matching the spec's "if computed-zero, skip wait" semantics.
+/// Reads `getComputedStyle(el).transition-duration` and treats any value
+/// ≤ 1ms as zero. The global `prefers-reduced-motion` rule in `style.css`
+/// sets `transition-duration: 0.01ms !important` (≈ `0.0001s` once
+/// canonicalised), so a strict `"0s" | "0ms"` check would miss it and the
+/// caller would hang waiting for a `transitionend` event that never fires.
+/// Multi-property transitions (comma-separated values) require *every*
+/// component to be ≤ 1ms; an unparseable component is treated as non-zero.
 pub fn is_zero_duration(element: &Element) -> bool {
     let Some(window) = web_sys::window() else {
         return false;
@@ -71,12 +124,7 @@ pub fn is_zero_duration(element: &Element) -> bool {
     let Ok(duration) = computed.get_property_value("transition-duration") else {
         return false;
     };
-    if duration.is_empty() {
-        return true;
-    }
-    duration
-        .split(',')
-        .all(|d| matches!(d.trim(), "" | "0s" | "0ms"))
+    is_zero_duration_str(&duration)
 }
 
 /// Convenience: convert an `&HtmlElement` to `&Element` for `is_zero_duration`.
@@ -116,4 +164,73 @@ mod tests {
             assert!(!state.as_str().is_empty());
         }
     }
+
+    #[test]
+    fn parse_duration_seconds_handles_units() {
+        assert_eq!(parse_duration_seconds("0s"), Some(0.0));
+        assert_eq!(parse_duration_seconds("0ms"), Some(0.0));
+        assert_eq!(parse_duration_seconds("1s"), Some(1.0));
+        assert_eq!(parse_duration_seconds("250ms"), Some(0.25));
+        assert_eq!(parse_duration_seconds("0.0001s"), Some(0.0001));
+        assert_eq!(parse_duration_seconds("0.01ms"), Some(0.000_01));
+        // Whitespace tolerated (comma-split leaves it).
+        assert_eq!(parse_duration_seconds(" 100ms "), Some(0.1));
+    }
+
+    #[test]
+    fn parse_duration_seconds_rejects_malformed() {
+        assert_eq!(parse_duration_seconds(""), None);
+        assert_eq!(parse_duration_seconds("100"), None); // no unit
+        assert_eq!(parse_duration_seconds("abc"), None);
+        assert_eq!(parse_duration_seconds("ms"), None); // no number
+    }
+
+    #[test]
+    fn is_zero_duration_str_recognises_explicit_zero() {
+        assert!(is_zero_duration_str(""));
+        assert!(is_zero_duration_str("0s"));
+        assert!(is_zero_duration_str("0ms"));
+    }
+
+    #[test]
+    fn is_zero_duration_str_recognises_reduced_motion_override() {
+        // The reduced-motion media query forces 0.01ms !important; engines
+        // may serialise that as either form. Both must count as zero —
+        // this is the regression case for issue #515.
+        assert!(is_zero_duration_str("0.01ms"));
+        assert!(is_zero_duration_str("0.0001s"));
+    }
+
+    #[test]
+    fn is_zero_duration_str_treats_sub_millisecond_as_zero() {
+        assert!(is_zero_duration_str("0.5ms"));
+        assert!(is_zero_duration_str("1ms"));
+    }
+
+    #[test]
+    fn is_zero_duration_str_rejects_real_durations() {
+        assert!(!is_zero_duration_str("100ms"));
+        assert!(!is_zero_duration_str("1.5ms"));
+        assert!(!is_zero_duration_str("0.25s"));
+        assert!(!is_zero_duration_str("1s"));
+    }
+
+    #[test]
+    fn is_zero_duration_str_multi_value_all_zero() {
+        assert!(is_zero_duration_str("0.01ms, 0s"));
+        assert!(is_zero_duration_str("0s, 0ms, 0.0001s"));
+    }
+
+    #[test]
+    fn is_zero_duration_str_multi_value_mixed_is_not_zero() {
+        assert!(!is_zero_duration_str("100ms, 0s"));
+        assert!(!is_zero_duration_str("0s, 250ms"));
+    }
+
+    #[test]
+    fn is_zero_duration_str_unparseable_is_not_zero() {
+        // Conservative: if we can't parse, keep waiting for transitionend.
+        assert!(!is_zero_duration_str("garbage"));
+        assert!(!is_zero_duration_str("0s, garbage"));
+    }
 }

From b20b8ec943a3ec402d2296d50d6dbf36f9da00bb Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:51:47 +0000
Subject: [PATCH 06/11] test(client): inject now into worker_cache eviction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Audit F47 (#547): `evict_stale_removes_expired` slept 10ms after a
1ms TTL — flake risk on slow CI per `condition-based-waiting`.

Fix per audit suggestion: inject a clock. Added
`pub(crate) evict_stale_at(&mut self, now: Instant)`; production
`evict_stale()` delegates with `Instant::now()`. Test now feeds a
synthetic future `now`, removing the timing dependency entirely.

Picked clock-injection (A) over a clock trait (B, too heavy for one
test) and over cutoff-injection (C, equivalent but maps less directly
to "inject a clock" in the audit).

#545 (Instant::now wasm linkage) is a separate ticket — not addressed
here.

Refs #547
---
 crates/client/src/worker_cache.rs | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/crates/client/src/worker_cache.rs b/crates/client/src/worker_cache.rs
index c633d781..1515aadf 100644
--- a/crates/client/src/worker_cache.rs
+++ b/crates/client/src/worker_cache.rs
@@ -58,7 +58,15 @@ impl WorkerCache {
 
     /// Evict workers that haven't sent a heartbeat within the TTL.
     pub fn evict_stale(&mut self) {
-        let cutoff = Instant::now() - self.ttl;
+        self.evict_stale_at(Instant::now());
+    }
+
+    /// Evict workers stale relative to an injected `now`.
+    ///
+    /// Used by tests to remove timing dependencies; production callers should
+    /// use [`Self::evict_stale`].
+    pub(crate) fn evict_stale_at(&mut self, now: Instant) {
+        let cutoff = now - self.ttl;
         self.workers.retain(|_, info| info.last_seen > cutoff);
     }
 
@@ -171,10 +179,11 @@ mod tests {
 
     #[test]
     fn evict_stale_removes_expired() {
-        let mut cache = WorkerCache::new(Duration::from_millis(1));
+        let mut cache = WorkerCache::new(Duration::from_secs(30));
         cache.update(&make_replay_announcement(gen_id(), vec!["srv-1"]));
-        std::thread::sleep(Duration::from_millis(10));
-        cache.evict_stale();
+        // Simulate "now" being well past the TTL boundary instead of sleeping.
+        let future = Instant::now() + Duration::from_secs(60);
+        cache.evict_stale_at(future);
         assert!(cache.is_empty());
     }
 

From 4a19bc6d64d08adf659dd12cc781df8ab43012e0 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:53:54 +0000
Subject: [PATCH 07/11] fix(web): handle missing window in getUserMedia path

Match surrounding let-Ok-else style: log + return instead
of unwrap, so non-window contexts (e.g. worker harness)
do not panic.

Refs #543
---
 crates/web/src/app.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crates/web/src/app.rs b/crates/web/src/app.rs
index b9444aab..da2926b8 100644
--- a/crates/web/src/app.rs
+++ b/crates/web/src/app.rs
@@ -922,7 +922,10 @@ pub fn App() -> impl IntoView {
 
                                     // Request mic permission SYNCHRONOUSLY in the click handler
                                     // to preserve the user gesture chain (required on mobile).
-                                    let window = web_sys::window().unwrap();
+                                    let Some(window) = web_sys::window() else {
+                                        tracing::error!("No browser window context for getUserMedia");
+                                        return;
+                                    };
                                     let navigator = window.navigator();
                                     let Ok(media_devices) = navigator.media_devices() else {
                                         tracing::error!("No media devices available");

From 2363f99ad6e9bc2bba5b4962a05e7090eb994945 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:55:46 +0000
Subject: [PATCH 08/11] chore(identity): drop unused tokio dev-dep

No production or test code in willow-identity uses tokio.
`grep -rn "tokio::\|#\[tokio::" crates/identity/src` returns
only a doc-comment reference at lib.rs:99. Lib crates must
stay tokio-free per CLAUDE.md; dev-dep was dead weight.

Refs #537
---
 Cargo.lock                 | 1 -
 crates/identity/Cargo.toml | 1 -
 2 files changed, 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 47ba1bea..24d93c8b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -6151,7 +6151,6 @@ dependencies = [
  "serde",
  "tempfile",
  "thiserror 2.0.18",
- "tokio",
  "willow-transport",
  "zeroize",
 ]
diff --git a/crates/identity/Cargo.toml b/crates/identity/Cargo.toml
index 6942b9ce..0ecae1fd 100644
--- a/crates/identity/Cargo.toml
+++ b/crates/identity/Cargo.toml
@@ -20,5 +20,4 @@ getrandom_02 = { package = "getrandom", version = "0.2", features = ["js"] }
 getrandom_03 = { package = "getrandom", version = "0.3", features = ["wasm_js"] }
 
 [dev-dependencies]
-tokio = { workspace = true }
 tempfile = "3"

From baa4484d71ab65d14067966bbb1f16f88cdd3cc5 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:56:58 +0000
Subject: [PATCH 09/11] ci(deploy): poll verify endpoint up to ~30s

Replaces a blind 3s sleep before curl with a 15-attempt loop
(2s backoff). The relay can take longer than 3s to bind after a
restart, and combined with StrictHostKeyChecking=no a slow bind
could mask a silent deploy failure as a passing job.

Refs #531
---
 .github/workflows/deploy.yml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9ed9b83b..22c1c244 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -72,6 +72,17 @@ jobs:
 
       - name: Verify deployment
         run: |
-          sleep 3
-          curl -sf -o /dev/null -w "Web: HTTP %{http_code}\n" https://willow.intendednull.com/
+          # Poll the web endpoint until it serves (max ~30s) instead of a
+          # blind 3s sleep — avoids flaking when the relay takes longer to
+          # bind and masking a silent deploy failure.
+          for i in $(seq 1 15); do
+            if curl -sf -o /dev/null -w "Web: HTTP %{http_code}\n" https://willow.intendednull.com/; then
+              break
+            fi
+            if [ "$i" -eq 15 ]; then
+              echo "verify: HTTP probe never succeeded after 15 attempts (~30s)" >&2
+              exit 1
+            fi
+            sleep 2
+          done
           sshpass -p '${{ secrets.DEPLOY_PASSWORD }}' ssh -o StrictHostKeyChecking=no root@willow.intendednull.com 'systemctl is-active willow-relay'

From 64ca482e1930d3cf782570273ea1f857fef4aa10 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 00:59:00 +0000
Subject: [PATCH 10/11] docs: drop fictional KickMembers/Administrator perms
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Permission enum (crates/state/src/event.rs:46-69) defines exactly:
SyncProvider, ManageChannels, ManageRoles, SendMessages, CreateInvite
(plus __UnknownLegacy sentinel). Admin status and member kicks live on
the ProposedAction + vote path by design — see
docs/specs/2026-04-01-per-author-merkle-dag-state-design.md:295 ("the
Permission enum does not contain Administrator"). The type system
enforces the governance path; granting admin via GrantPermission is
structurally impossible.

CLAUDE.md and the agentic-peer-api spec listed KickMembers and
Administrator as valid permission values — pure doc drift. Realign
both with the enum and clarify trust_peer/untrust_peer route through
the vote path, not GrantPermission.

Refs #521
---
 CLAUDE.md                                        |  2 +-
 docs/specs/2026-03-29-agentic-peer-api-design.md | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index a984800b..1c90bd3f 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -342,7 +342,7 @@ All shared state derived from per-author Merkle DAG of signed events. `willow-st
 - **EventDag** (`crates/state/src/dag.rs`): in-memory store of all known events, indexed by `EventHash`. `EventDag::insert` validates signature, genesis, `prev`/`deps` linkage. No explicit "merge" — DAG converges as events arrive.
 - **ServerState** (`crates/state/src/server.rs`): materialized state derived by walking the DAG.
 - **`materialize::apply_incremental(state, event)`**: ONLY public mutation entry point. Pure. Internally calls `apply_event` + `required_permission` for authority checks.
-- **Permission model**: Owner = root of trust. Fine-grained permissions (SyncProvider, ManageChannels, ManageRoles, KickMembers, SendMessages, CreateInvite, Administrator) granted via `GrantPermission` events.
+- **Permission model**: Owner = root of trust. Fine-grained permissions (SyncProvider, ManageChannels, ManageRoles, SendMessages, CreateInvite) granted via `GrantPermission` events. Admin status is structurally separate — managed exclusively through `ProposedAction` + vote path, never via `GrantPermission`. Kicks are an admin-only `ProposedAction` (no granular "can kick" permission).
 - **Sync** (`crates/state/src/sync.rs`): `HeadsSummary` = compact per-author DAG state for efficient sync; `PendingBuffer` holds events arriving before their `prev` chain predecessors.
 
 ### Trust Model
diff --git a/docs/specs/2026-03-29-agentic-peer-api-design.md b/docs/specs/2026-03-29-agentic-peer-api-design.md
index af96473f..32640dc2 100644
--- a/docs/specs/2026-03-29-agentic-peer-api-design.md
+++ b/docs/specs/2026-03-29-agentic-peer-api-design.md
@@ -230,8 +230,8 @@ string (the Ed25519 public key of the target peer).
 
 | Tool | Parameters | Description |
 |---|---|---|
-| `trust_peer` | `peer_id` | Grant Administrator permission |
-| `untrust_peer` | `peer_id` | Revoke Administrator permission |
+| `trust_peer` | `peer_id` | Grant admin status (via vote) |
+| `untrust_peer` | `peer_id` | Revoke admin status (via vote) |
 | `kick_member` | `peer_id` | Remove member, rotate keys |
 | `create_role` | `name` | Create a permission role |
 | `delete_role` | `role_id` | Delete a role |
@@ -240,8 +240,10 @@ string (the Ed25519 public key of the target peer).
 | `authorize_workers` | `worker_peer_ids` | Grant SyncProvider to workers |
 
 Valid `permission` values: `SyncProvider`, `ManageChannels`,
-`ManageRoles`, `KickMembers`, `SendMessages`, `CreateInvite`,
-`Administrator`.
+`ManageRoles`, `SendMessages`, `CreateInvite`. Admin status is not a
+`Permission` — `trust_peer` / `untrust_peer` go through the
+`ProposedAction` + vote path. There is no `KickMembers` permission;
+kicks are admin-only via `ProposedAction::KickMember`.
 
 #### Identity
 

From 5320c8eb3793b3f4256b38ef73affcb92f6ba27f Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 3 May 2026 01:00:39 +0000
Subject: [PATCH 11/11] docs(skill): coordinator-skip for ambiguous-fix-path
 issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Same-day audit runs yield ~zero already-fixed sweep hits — note
explicitly so future runs skip the deeper search. Document the
ambiguous-fix-path pattern (audit premise real, fix is a design
call w/ ≥2 valid approaches): skip from dispatch queue without
closing, surface in Lessons Learned. Surfaced this run by #535
(Arc<Mutex> in fsm.rs is already in mod tests; audit's "move to
mod tests" prescription doesn't apply — fix is either external
test file or glob update, design call).
---
 .claude/skills/resolving-issues/SKILL.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.claude/skills/resolving-issues/SKILL.md b/.claude/skills/resolving-issues/SKILL.md
index 99ee970f..962b81c8 100644
--- a/.claude/skills/resolving-issues/SKILL.md
+++ b/.claude/skills/resolving-issues/SKILL.md
@@ -59,6 +59,10 @@ Why this shape:
    - if closed issue is a sub-issue of a parent, run parent close-out check (see ## Parent issue close-out) — close parent too if this was its last open child
    
    Closing GH issues = metadata work, not code work; allowed under "coordinator never codes." Implementers only dispatch for *unresolved* issues. This pass typically clears audit lessons (already folded into skills), structural-deps follow-ups (still structural), and audit findings closed by intervening fixes — saves dispatch overhead on no-op work.
+
+   **When same-day audit-to-fix gap, expect ~zero already-fixed hits.** The sweep yields most when the audit ran days/weeks before the fix run (intervening PRs land between audit and fix). When the audit was filed earlier the same day against the current `main`, no fixes can have landed between audit and fix run by definition — the sweep correctly returns empty. Don't over-invest sweep effort in this case; one quick `git log <audit-ref>..origin/main` check on each pick's path is enough to confirm.
+
+   **Ambiguous-fix-path (audit premise real, fix is a design call) — coordinator-skip without close.** Some audit findings flag a real concern but the prescribed fix is ambiguous-by-design with ≥ 2 legitimate approaches that need a design decision the coordinator can't make unilaterally. Common shape: "audit-glob doesn't catch in-file `mod tests` — move to external test file OR update glob." Both are valid; picking either silently is wrong. **Action:** during step 6 picks, if the audit's literal fix conflicts with HEAD reality (e.g. code already satisfies the surface premise) AND the underlying concern requires a design call, **skip the issue from this run's dispatch queue without closing it**. Note it in the run-end `## Lessons Learned` so the next session has full context. Don't comment on the issue — the audit description already captures the concern; a "skipped, design call needed" comment adds noise without progress. The next run with fresh eyes / accumulated context can decide.
 7. Per remaining issue, sequential, max 10 per run:
    - **Pre-dispatch sync:** before spawning each implementer, in the coordinator's checkout:
      ```bash