Files
alknet/tasks/review-post-impl-fixes.md
glm-5.2 97216764ea fix: resolve review #004 findings W1-W4 + close review gate
W1 (call/protocol/abort-cascade-wiring): wire AbortCascade into
CallAdapter handle_stream for EVENT_ABORTED. Cascades with
AbortPolicy::AbortDependents, aborts root, no descendant frames on
wire (ADR-016 Decision 2). Two integration tests added.

W2 (core/endpoint-client-fingerprint): extract TLS client cert
fingerprint in dispatch_quinn (SHA256:<hex> of leaf cert DER via
peer_identity) and dispatch_iroh (ed25519:<hex> of peer NodeId).
Fingerprint format documented in auth.md. Server config change
(with_no_client_auth → request-but-don't-require) deferred to new
follow-up task core/endpoint-request-client-cert.

W3 (vault/mnemonic-debug-redaction): replace Mnemonic derive(Debug)
with manual redacting impl (phrase: "[REDACTED]"). Seed confirmed
no Debug impl. Redaction test added.

W4 (core/auth-apikey-resources): Option B — drop entry.resources from
spec. External identities (token/fingerprint) grant scopes only;
resource-scoped ACLs are composition-internal (ADR-015/022). auth.md
corrected + limitation documented. Two tests confirm empty resources.

review-post-impl-fixes: all 4 verified, workspace green (326 tests,
0 failures, 0 clippy warnings). Review #004 status → resolved.

Graph: 34 tasks, 12 gens.
2026-06-24 11:00:54 +00:00

115 lines
5.0 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
id: review-post-impl-fixes
name: Review the four post-implementation sanity-check #004 fixes for spec conformance
status: completed
depends_on: [call/protocol/abort-cascade-wiring, core/endpoint-client-fingerprint, vault/mnemonic-debug-redaction, core/auth-apikey-resources]
scope: moderate
risk: low
impact: phase
level: review
---
## Description
Review the four fixes produced from review #004's findings (W1W4)
before they are considered closed. Confirm each fix matches the
resolution described in `docs/reviews/004-post-implementation-sanity-
check.md`, does not introduce new spec drift, and is adequately tested.
### Per-fix review checklist
**W1 — `call/protocol/abort-cascade-wiring`**:
- `CallAdapter::handle_stream` handles `EVENT_ABORTED` (not just
`EVENT_REQUESTED`).
- Cascade uses `AbortPolicy::AbortDependents` (the wire caller does not
choose the policy — ADR-016 Decision 6).
- No `call.aborted` frames are sent back to the wire for descendant IDs
(ADR-016 Decision 2: server-side cascade; composed child request_ids
are internal).
- Root entry is also removed (cascade_abort skips the root by design).
- Integration test exercises the full path: inbound abort frame →
`PendingRequestMap` entries gone for parent + child.
**W2 — `core/endpoint-client-fingerprint`**:
- `dispatch_quinn` and `dispatch_iroh` extract a fingerprint when one
is presented (not hard-coded `None`).
- `AuthContext.identity` is populated via `resolve_from_fingerprint`
when the fingerprint resolves.
- Fingerprint string format is documented in `auth.md` and consistent
with `AuthPolicy::authorized_fingerprints`.
- No regression: no-client-cert case still produces
`tls_client_fingerprint: None` and `identity: None`.
- Server-config decision (request-but-don't-require vs. no-client-auth)
is documented.
**W3 — `vault/mnemonic-debug-redaction`**:
- `Mnemonic` has a manual redacting `Debug` impl; `#[derive(Debug)]`
is gone.
- `format!("{:?}", mnemonic)` does not contain any phrase word.
- `Seed` checked — no `Debug` impl leaks `bytes`.
**W4 — `core/auth-apikey-resources`**:
- Decision (Option A or B) is documented in `auth.md` or a new ADR.
- Implementation (if any) matches the decision.
- `auth.md:153` no longer references `entry.resources` if Option B was
chosen; or `ApiKeyEntry.resources` exists and is populated if Option
A was chosen.
- Test covers the chosen behavior.
### Cross-cutting checks
- `cargo build --workspace --all-features` succeeds.
- `cargo test --workspace --all-features` succeeds (no regressions).
- `cargo clippy --workspace --all-features --all-targets` clean.
- No new spec/code drift introduced (reconcile any spec text touched
against the implementation).
- Update `docs/reviews/004-post-implementation-sanity-check.md`'s
status from `open` to `resolved` once all four findings are confirmed
fixed.
## Acceptance Criteria
- [ ] W1 fix confirmed: inbound `call.aborted` cascades to descendants
- [ ] W2 fix confirmed: endpoint extracts TLS client fingerprint
- [ ] W3 fix confirmed: `Mnemonic` `Debug` redacts the phrase
- [ ] W4 fix confirmed: `ApiKeyEntry.resources` reconciled with spec (or spec corrected)
- [ ] `cargo build --workspace --all-features` succeeds
- [ ] `cargo test --workspace --all-features` succeeds
- [ ] `cargo clippy --workspace --all-features --all-targets` succeeds with no warnings
- [ ] Review #004 status updated to `resolved` in its frontmatter
## References
- docs/reviews/004-post-implementation-sanity-check.md — the review being closed
- tasks/call/protocol/abort-cascade-wiring.md — W1 fix task
- tasks/core/endpoint-client-fingerprint.md — W2 fix task
- tasks/vault/mnemonic-debug-redaction.md — W3 fix task
- tasks/core/auth-apikey-resources.md — W4 fix task
## Notes
> This review task mirrors the pattern of `vault/review-vault-sync`,
> `core/review-core`, and `call/review-call`: a `level: review` gate
> at the end of a fix batch, with `scope: moderate`, `risk: low`,
> `impact: phase`. It does not need to re-derive the findings — review
> #004 already did that work. It only needs to confirm the fixes land
> correctly and the workspace stays green.
## Summary
All four fixes verified against acceptance criteria:
- W1: `handle_stream` handles `EVENT_ABORTED`, cascades with
`AbortDependents`, no descendant frames on wire, root removed, two
integration tests pass.
- W2: both dispatch paths extract fingerprints, format documented in
`auth.md`, no-cert case returns `None` (no regression), server-config
change deferred to `core/endpoint-request-client-cert`.
- W3: `Mnemonic` has manual redacting `Debug`, `Seed` has no `Debug`,
redaction test passes.
- W4: Option B — spec corrected, limitation documented, both resolvers
return empty resources, tests pass.
Workspace green: `cargo build --workspace --all-features` ✓, `cargo test
--workspace --all-features` (326 tests, 0 failures) ✓, `cargo clippy
--workspace --all-features --all-targets` (0 warnings) ✓. Review #004
status updated to `resolved`.