auto-fix batch claude/friendly-maxwell-3QJhB 2026-05-05

[intendednull]

scheduled /resolving-issues sweep against the 2026-05-04 general-audit (master ticket #600). 4/4 dispatches landed clean. picks chosen to NOT overlap with PR #630's in-flight files (docker-compose.yml + relay/worker entrypoints + state tests + crates/messaging/lib.rs + crates/web/tests/static_assets.rs + crates/network/src/traits.rs + README.md + CLAUDE.md + justfile), PR #599's (.github/workflows/* + e2e/permissions.spec.ts + crates/web/tests/browser.rs + state-mgmt spec doc), and PR #566's (crates/{client,messaging,state,storage,web,worker}/src/... deep churn). all 4 picks landed on web public assets / web src non-overlapping files / project root.

Fixes

• Fixes audit F5 [tech-debt]: PWA manifest icons missing purpose: maskable; manifest missing scope and id #605 — fix(web): add maskable purpose, scope, id to manifest (d3543cc). PWA manifest now has "id": "/", "scope": "/" top-level + "purpose": "any maskable" on both icon entries. Android adaptive-icon containers get a safe-zone-aware variant; same-origin install identity is no longer URL-derived. Coordinator pre-decided narrowing: simpler-form (audit's own accepted fallback — both icons gain "any maskable" purpose; existing SVGs already have ample safe-zone padding) over the aspirational separate-maskable-icon ship.

• Fixes audit F6 [quality]: service-worker registration swallows all errors silently #606 — fix(web): port sw register to web_sys + log err (791faa5). crates/web/src/main.rs:17 swapped js_sys::eval(...) string for web_sys::window().navigator().service_worker().register("/sw.js") driven by wasm_bindgen_futures::spawn_local. On Err(JsValue), formats via as_string().unwrap_or_else(|| format!("{e:?}")) and logs through tracing::warn!. Drops one js_sys::eval user (still ~6 elsewhere in the web crate per [security] XSS-prone js_sys::eval() in pinned message jump #171/[WS-1] Web: js_sys::eval(format!()) for pinned-message scroll uses band-aid sanitization #425 tracker) AND surfaces SW registration failures (HTTPS misconfig, MIME mismatch, parse, scope) that previously vanished. Coordinator pre-decided narrowing: Option B (port to web_sys) over Option A (just log the eval result), justified by audit's explicit endorsement + concrete unsafe-eval removal progress. web_sys::ServiceWorkerContainer was already in the Cargo.toml feature list — no new flag added.

• Fixes audit F20 [robustness]: swallowed create_ephemeral_channel Result in member-list temp-channel button #620 — fix(web): log create_ephemeral_channel error (22969f5). crates/web/src/components/member_list.rs:383-390 swapped let _ = h.create_ephemeral_channel(...).await; for if let Err(e) = ... { tracing::warn!(?e, "create_ephemeral_channel failed"); }. Mirrors the audit F18 [quality]: ICE candidate handle_ice_candidate result swallowed #585 / 41736c0 ICE-candidate-handle-error pattern verbatim. Coordinator pre-decided narrowing: log-only over toast-surface (toast wiring is a separate scope decision; the audit's primary concern was diagnostic visibility).

• Fixes audit F7 [docs]: PLAN.md is pre-iroh-migration (still says libp2p, GossipSub, Kademlia, mDNS) #607 — docs: delete stale PLAN.md (duplicates README + CLAUDE.md) (e290875). 209-line doc deleted. Pre-iroh-migration content (libp2p, GossipSub, Kademlia, mDNS, port 9090/9091) had drifted on three top-level docs — README + CLAUDE were already canonical post-iroh, PLAN was the only stale source. Phase-status checklist was decorative, drifted independently of the codebase. Coordinator pre-flight grep -rn "PLAN.md" returned zero hits — no broken references anywhere in the repo. Coordinator pre-decided narrowing: Option A (delete) over Option B (rewrite), per the rationale that docs/specs/2026-03-29-iroh-migration-design.md is the canonical historical record for the architecture transition; PLAN.md adds no information not better captured elsewhere AND drifts faster than CLAUDE.md.

Already-Fixed

None. Audit @ 88498a5 = master-branch base (88498a5); same-day audit-to-fix gap. Per the skill's "When same-day audit-to-fix gap, expect ~zero already-fixed hits" clause, the sweep was a one-line git log origin/main..HEAD check that confirmed empty. No time invested.

Parked

• audit F22 [quality]: search index remove_* mutations silently dropped on mailbox full #622 (audit F22 [quality]: search index remove_* mutations silently dropped on mailbox full). Ambiguous-fix-path skip without close per skill rule. Audit's option (b) "log via tracing::warn!" violates the explicit privacy contract in crates/client/src/search/handle.rs:3-8 ("All tracing::* macros in this module are forbidden" per docs/specs/2026-04-19-ui-design/local-search.md §Privacy). Audit's option (a) "document the same recovery story" was based on a misreading — insert's own doc-comment cites a "rebuild Effect in crates/web/src/app.rs re-runs on every messages_sig change and reseeds the index from scratch" but no such Effect exists: the actual recovery path is the event-loop subscription at app.rs:393-459 which itself uses do_send (same fragility as the remove_* calls the audit flags). Both audit options non-viable as-stated. A real fix requires design work (bounded-mailbox + Result return? ask().await with sync→async ripple? privacy-conscious in-memory metric?). Skipped per skill; future session decides. This run's skill edit (18d5564) codifies the lesson so the next run pre-flight catches the same shape.

• audit F2 [tech-debt]: docker-compose.yml has zero healthchecks; depends_on waits only for container start #602 (audit F2 [tech-debt]: docker-compose healthchecks). Cross-PR coupling — audit's prescribed healthcheck command targets port 3340, but the docker-compose.yml on main (and on this run's master branch) still has port 9090 until PR auto-fix batch claude/friendly-maxwell-s1tqN 2026-05-04 #630 lands. A healthcheck against 3340 would fail on this PR's tree pre-auto-fix batch claude/friendly-maxwell-s1tqN 2026-05-04 #630-merge. Conversely, a healthcheck against 9090 would fail post-auto-fix batch claude/friendly-maxwell-s1tqN 2026-05-04 #630-merge. Park until auto-fix batch claude/friendly-maxwell-s1tqN 2026-05-04 #630 lands; not a coordinator-skip, just an order-dependency. The skill's "Cargo.lock conflicts are additive" clause covers most shared-file cases but a port-renumber dependency is one degree stricter — re-trigger on next scheduled run.

Skill Evolution

One skill edit this run, committed on master in 18d5564 docs(skill): pre-flight verify audit's claimed mechanism:

• Adds a sub-paragraph to step 2 of the Implementer Agent section. Mandates pre-flight verification of the audit's claimed mechanism (logging path, recovery code, test parser shape), not just its line numbers. Audits sometimes prescribe a fix predicated on a stated mechanism that (a) violates a module-local constraint (privacy contract, observability forbids), or (b) describes code that doesn't actually exist as cited. Both checks should fire before dispatching. If either fails, treat as ambiguous-fix-path → coordinator-skip without close. Cites audit F22 [quality]: search index remove_* mutations silently dropped on mailbox full #622 as the surfacing example so the next session has full provenance.

Lessons Learned

• 4/4 implementer dispatches landed cleanly. No mid-flight aborts. No finalize-implementer rescues. Sequential pattern + pre-decided narrowing held. All four picks resolved without brainstorm gate triggering on the implementer side — the coordinator pre-resolved the design calls in each brief (simpler-form vs aspirational for audit F5 [tech-debt]: PWA manifest icons missing purpose: maskable; manifest missing scope and id #605; port vs log for audit F6 [quality]: service-worker registration swallows all errors silently #606; log vs toast for audit F20 [robustness]: swallowed create_ephemeral_channel Result in member-list temp-channel button #620; delete vs rewrite for audit F7 [docs]: PLAN.md is pre-iroh-migration (still says libp2p, GossipSub, Kademlia, mDNS) #607). This same pattern is reproducing across the last 5+ scheduled runs (PR auto-fix batch claude/friendly-maxwell-M5xB6 2026-05-03 #566 11/11, auto-fix batch claude/friendly-maxwell-m1efN 2026-05-03 #596 9/9, auto-fix batch claude/friendly-maxwell-cCGXk 2026-05-04 #598 5/5, auto-fix batch claude/friendly-maxwell-iEXwu 2026-05-04 #599 4/4, auto-fix batch claude/friendly-maxwell-s1tqN 2026-05-04 #630 10/10, this run 4/4). Fully reliable now.

• Coordinator pre-flight read on audit F22 [quality]: search index remove_* mutations silently dropped on mailbox full #622 prevented a wasted dispatch. Reading search/handle.rs lines 1-15 surfaced the explicit privacy contract before dispatching — without that read, the implementer would have followed the audit's "log via tracing::warn!" prescription, hit the contract, and returned with a brainstorm note (probably 5-10 min wasted + a stop-hook noise spike). Pre-flight read cost was 1 file read + 2 minutes of mechanism-verification grepping (hydrate_index, rebuild, messages_sig). This is the second run where coordinator pre-flight saved a wasted dispatch (auto-fix batch claude/friendly-maxwell-s1tqN 2026-05-04 #630's audit F26 [quality]: Docker relay entrypoint passes --tcp-port/--ws-port flags the binary does not accept (HARD RUNTIME BREAK) #626 was the first — discovered worker entrypoints also stale). Pre-flight read is now load-bearing for any audit issue with non-trivial mechanism prescription. Codified into the skill as 18d5564.

• Audit narrative can misrepresent code mechanism. audit F22 [quality]: search index remove_* mutations silently dropped on mailbox full #622's audit cited insert's doc-comment as ground truth ("the rebuild Effect in crates/web/src/app.rs re-runs on every messages_sig change and reseeds the index from scratch"). The doc-comment IS in the file at HEAD. But verifying that mechanism in app.rs — searching for any Effect::* watching messages_sig and calling search.rebuild(...) — produced zero hits. The cited rebuild path doesn't exist; only the event-loop subscription exists, sharing the same do_send fragility. Lesson: the audit may be correct about the symptom (mutations silently dropped) but wrong about the recovery story; pre-flight verify the recovery code, not just the call site of the bug.

• PLAN.md deletion (audit F7 [docs]: PLAN.md is pre-iroh-migration (still says libp2p, GossipSub, Kademlia, mDNS) #607) was the right principled call. Doc duplicated README + CLAUDE.md but with stale terminology. Two reasonable approaches (delete vs search-and-replace rewrite); coordinator chose delete per the rationale that (a) the historical roadmap is captured better in docs/specs/2026-03-29-iroh-migration-design.md, (b) phase-status checklists drift faster than canonical docs, and (c) the "Deployed" section was a third site for stale port info that audit F27 [docs]: README + CLAUDE.md "Local Development" tables reference removed relay ports 9090/9091 #627/auto-fix batch claude/friendly-maxwell-s1tqN 2026-05-04 #630 already flagged twice elsewhere. Future-proofing > preservation of decorative content.

• Sandbox quirk on audit F5 [tech-debt]: PWA manifest icons missing purpose: maskable; manifest missing scope and id #605. Implementer reported pre-existing rust toolchain damage (missing librustc_driver*.so) and stale wasm32-unknown-unknown directory blocking rustup target add. Self-repaired via rustup toolchain install stable --force + manual orphan cleanup, then ran the gate clean. Worth flagging — this is the first observed case of an actively-broken toolchain on dispatch entry. Future runs may want a brief pre-flight cargo --version && rustup target list --installed sanity step on the implementer side, OR the sandbox provisioning to lock the toolchain version. NOT codified yet — single observation; revisit if it reproduces.

• grep -rn "PLAN.md" zero-hit pre-flight on audit F7 [docs]: PLAN.md is pre-iroh-migration (still says libp2p, GossipSub, Kademlia, mDNS) #607 saved a deletion-with-broken-references hazard. The implementer's brief explicitly required them to redo the grep + report back if any reference was found. They did, returned zero, deleted clean. Pattern is worth keeping for any future "delete a top-level doc" pick.

Test plan

master-PR CI is the load-bearing gate. each implementer ran the scoped subset locally (fmt + native clippy + cargo test on touched crates + wasm32 check + wasm32 clippy on touched crates).

CI gates to verify on this PR:

• cargo fmt
• cargo clippy workspace (native + wasm32)
• cargo test workspace — no new tests added this run (4/4 picks were doc / asset / single-callsite-log / file-delete fixes); existing 252-test willow-state suite + 53-test willow-messaging suite + willow-web wasm-pack browser tests should run unchanged.
• cargo test -p willow-web --test static_assets (7/7 — confirmed locally green by audit F5 [tech-debt]: PWA manifest icons missing purpose: maskable; manifest missing scope and id #605 implementer; manifest still references both bundled SVG icons after the field additions)
• wasm-pack browser tests (Firefox + geckodriver — observable on CI only) — service-worker registration via web_sys runs at app boot in the browser-test harness; verify no new console errors there.
• cargo audit (no advisory changes this run).
• Playwright e2e — no behavior-change picks; sanity only.
• manual smoke (post-merge): install Willow as PWA on Android — confirm adaptive-icon containers no longer crop the launcher icon awkwardly. Out-of-band; the PR's local validation was JSON parse + the static-asset test.

Cargo.lock churn: none this run. No new deps added.

Mergeable_state expected: clean against current main. Possible textual conflicts if PR #630 / PR #599 / PR #566 land first — none of them touch any of this PR's 4 file paths (crates/web/manifest.json, crates/web/src/main.rs, crates/web/src/components/member_list.rs, PLAN.md), so any conflict would be entirely on .claude/skills/resolving-issues/SKILL.md (this run's skill edit + previous runs' skill edits in the in-flight PRs). All such conflicts are textual and resolvable in seconds; no logic-fix conflicts expected.

---

Generated by Claude Code