tasks: decompose review #004 findings into 4 fix tasks + review gate

W1 (call/protocol/abort-cascade-wiring): wire AbortCascade into CallAdapter
handle_stream for EVENT_ABORTED. W2 (core/endpoint-client-fingerprint):
extract TLS client cert fingerprint in dispatch_quinn/dispatch_iroh.
W3 (vault/mnemonic-debug-redaction): replace Mnemonic derive(Debug) with
redacting impl. W4 (core/auth-apikey-resources, level: research): decide
whether ApiKeyEntry should carry resources, then implement or drop from
spec. review-post-impl-fixes gates on all four. Graph: 33 tasks, 12 gens.
2026-06-24 10:02:03 +00:00
parent d904dfc243
commit d149932e2a
5 changed files with 571 additions and 0 deletions

@@ -0,0 +1,96 @@
---
id: review-post-impl-fixes
name: Review the four post-implementation sanity-check #004 fixes for spec conformance
status: pending
depends_on: [call/protocol/abort-cascade-wiring, core/endpoint-client-fingerprint, vault/mnemonic-debug-redaction, core/auth-apikey-resources]
scope: moderate
risk: low
impact: phase
level: review
---
## Description
Review the four fixes produced from review #004's findings (W1W4)
before they are considered closed. Confirm each fix matches the
resolution described in `docs/reviews/004-post-implementation-sanity-
check.md`, does not introduce new spec drift, and is adequately tested.
### Per-fix review checklist
**W1 — `call/protocol/abort-cascade-wiring`**:
- `CallAdapter::handle_stream` handles `EVENT_ABORTED` (not just
`EVENT_REQUESTED`).
- Cascade uses `AbortPolicy::AbortDependents` (the wire caller does not
choose the policy — ADR-016 Decision 6).
- No `call.aborted` frames are sent back to the wire for descendant IDs
(ADR-016 Decision 2: server-side cascade; composed child request_ids
are internal).
- Root entry is also removed (cascade_abort skips the root by design).
- Integration test exercises the full path: inbound abort frame →
`PendingRequestMap` entries gone for parent + child.
**W2 — `core/endpoint-client-fingerprint`**:
- `dispatch_quinn` and `dispatch_iroh` extract a fingerprint when one
is presented (not hard-coded `None`).
- `AuthContext.identity` is populated via `resolve_from_fingerprint`
when the fingerprint resolves.
- Fingerprint string format is documented in `auth.md` and consistent
with `AuthPolicy::authorized_fingerprints`.
- No regression: no-client-cert case still produces
`tls_client_fingerprint: None` and `identity: None`.
- Server-config decision (request-but-don't-require vs. no-client-auth)
is documented.
**W3 — `vault/mnemonic-debug-redaction`**:
- `Mnemonic` has a manual redacting `Debug` impl; `#[derive(Debug)]`
is gone.
- `format!("{:?}", mnemonic)` does not contain any phrase word.
- `Seed` checked — no `Debug` impl leaks `bytes`.
**W4 — `core/auth-apikey-resources`**:
- Decision (Option A or B) is documented in `auth.md` or a new ADR.
- Implementation (if any) matches the decision.
- `auth.md:153` no longer references `entry.resources` if Option B was
chosen; or `ApiKeyEntry.resources` exists and is populated if Option
A was chosen.
- Test covers the chosen behavior.
### Cross-cutting checks
- `cargo build --workspace --all-features` succeeds.
- `cargo test --workspace --all-features` succeeds (no regressions).
- `cargo clippy --workspace --all-features --all-targets` clean.
- No new spec/code drift introduced (reconcile any spec text touched
against the implementation).
- Update `docs/reviews/004-post-implementation-sanity-check.md`'s
status from `open` to `resolved` once all four findings are confirmed
fixed.
## Acceptance Criteria
- [ ] W1 fix confirmed: inbound `call.aborted` cascades to descendants
- [ ] W2 fix confirmed: endpoint extracts TLS client fingerprint
- [ ] W3 fix confirmed: `Mnemonic` `Debug` redacts the phrase
- [ ] W4 fix confirmed: `ApiKeyEntry.resources` reconciled with spec (or spec corrected)
- [ ] `cargo build --workspace --all-features` succeeds
- [ ] `cargo test --workspace --all-features` succeeds
- [ ] `cargo clippy --workspace --all-features --all-targets` succeeds with no warnings
- [ ] Review #004 status updated to `resolved` in its frontmatter
## References
- docs/reviews/004-post-implementation-sanity-check.md — the review being closed
- tasks/call/protocol/abort-cascade-wiring.md — W1 fix task
- tasks/core/endpoint-client-fingerprint.md — W2 fix task
- tasks/vault/mnemonic-debug-redaction.md — W3 fix task
- tasks/core/auth-apikey-resources.md — W4 fix task
## Notes
> This review task mirrors the pattern of `vault/review-vault-sync`,
> `core/review-core`, and `call/review-call`: a `level: review` gate
> at the end of a fix batch, with `scope: moderate`, `risk: low`,
> `impact: phase`. It does not need to re-derive the findings — review
> #004 already did that work. It only needs to confirm the fixes land
> correctly and the workspace stays green.
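Review bot: The clippy acceptance criterion ("succeeds with no warnings") is not enforced by the command given under Cross-cutting checks, because `cargo clippy --workspace --all-features --all-targets` exits zero when it emits only warnings. Suggest writing it as `cargo clippy --workspace --all-features --all-targets -- -D warnings` in both the checklist and the acceptance criteria so the gate fails on warnings. In the same vein, the W3 checklist requires that `Seed` has no `Debug` impl leaking `bytes`, but the W3 acceptance criterion only names `Mnemonic`, and the W2 criterion omits the no-client-cert regression case (`tls_client_fingerprint: None`, `identity: None`); both are worth adding so the boxes cannot be ticked with those checks skipped. Minor: "W1W4" in the Description looks like it lost its range separator, and the `auth.md:153` line reference will go stale as soon as that file is edited, so a section name would be a more durable anchor.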