W1 (call/protocol/abort-cascade-wiring): wire AbortCascade into CallAdapter handle_stream for EVENT_ABORTED. Cascades with AbortPolicy::AbortDependents, aborts root, no descendant frames on wire (ADR-016 Decision 2). Two integration tests added. W2 (core/endpoint-client-fingerprint): extract TLS client cert fingerprint in dispatch_quinn (SHA256:<hex> of leaf cert DER via peer_identity) and dispatch_iroh (ed25519:<hex> of peer NodeId). Fingerprint format documented in auth.md. Server config change (with_no_client_auth → request-but-don't-require) deferred to new follow-up task core/endpoint-request-client-cert. W3 (vault/mnemonic-debug-redaction): replace Mnemonic derive(Debug) with manual redacting impl (phrase: "[REDACTED]"). Seed confirmed no Debug impl. Redaction test added. W4 (core/auth-apikey-resources): Option B — drop entry.resources from spec. External identities (token/fingerprint) grant scopes only; resource-scoped ACLs are composition-internal (ADR-015/022). auth.md corrected + limitation documented. Two tests confirm empty resources. review-post-impl-fixes: all 4 verified, workspace green (326 tests, 0 failures, 0 clippy warnings). Review #004 status → resolved. Graph: 34 tasks, 12 gens.
115 lines
5.0 KiB
Markdown
115 lines
5.0 KiB
Markdown
---
|
||
id: review-post-impl-fixes
|
||
name: Review the four post-implementation sanity-check #004 fixes for spec conformance
|
||
status: completed
|
||
depends_on: [call/protocol/abort-cascade-wiring, core/endpoint-client-fingerprint, vault/mnemonic-debug-redaction, core/auth-apikey-resources]
|
||
scope: moderate
|
||
risk: low
|
||
impact: phase
|
||
level: review
|
||
---
|
||
|
||
## Description
|
||
|
||
Review the four fixes produced from review #004's findings (W1–W4)
|
||
before they are considered closed. Confirm each fix matches the
|
||
resolution described in `docs/reviews/004-post-implementation-sanity-
|
||
check.md`, does not introduce new spec drift, and is adequately tested.
|
||
|
||
### Per-fix review checklist
|
||
|
||
**W1 — `call/protocol/abort-cascade-wiring`**:
|
||
- `CallAdapter::handle_stream` handles `EVENT_ABORTED` (not just
|
||
`EVENT_REQUESTED`).
|
||
- Cascade uses `AbortPolicy::AbortDependents` (the wire caller does not
|
||
choose the policy — ADR-016 Decision 6).
|
||
- No `call.aborted` frames are sent back to the wire for descendant IDs
|
||
(ADR-016 Decision 2: server-side cascade; composed child request_ids
|
||
are internal).
|
||
- Root entry is also removed (cascade_abort skips the root by design).
|
||
- Integration test exercises the full path: inbound abort frame →
|
||
`PendingRequestMap` entries gone for parent + child.
|
||
|
||
**W2 — `core/endpoint-client-fingerprint`**:
|
||
- `dispatch_quinn` and `dispatch_iroh` extract a fingerprint when one
|
||
is presented (not hard-coded `None`).
|
||
- `AuthContext.identity` is populated via `resolve_from_fingerprint`
|
||
when the fingerprint resolves.
|
||
- Fingerprint string format is documented in `auth.md` and consistent
|
||
with `AuthPolicy::authorized_fingerprints`.
|
||
- No regression: no-client-cert case still produces
|
||
`tls_client_fingerprint: None` and `identity: None`.
|
||
- Server-config decision (request-but-don't-require vs. no-client-auth)
|
||
is documented.
|
||
|
||
**W3 — `vault/mnemonic-debug-redaction`**:
|
||
- `Mnemonic` has a manual redacting `Debug` impl; `#[derive(Debug)]`
|
||
is gone.
|
||
- `format!("{:?}", mnemonic)` does not contain any phrase word.
|
||
- `Seed` checked — no `Debug` impl leaks `bytes`.
|
||
|
||
**W4 — `core/auth-apikey-resources`**:
|
||
- Decision (Option A or B) is documented in `auth.md` or a new ADR.
|
||
- Implementation (if any) matches the decision.
|
||
- `auth.md:153` no longer references `entry.resources` if Option B was
|
||
chosen; or `ApiKeyEntry.resources` exists and is populated if Option
|
||
A was chosen.
|
||
- Test covers the chosen behavior.
|
||
|
||
### Cross-cutting checks
|
||
|
||
- `cargo build --workspace --all-features` succeeds.
|
||
- `cargo test --workspace --all-features` succeeds (no regressions).
|
||
- `cargo clippy --workspace --all-features --all-targets` clean.
|
||
- No new spec/code drift introduced (reconcile any spec text touched
|
||
against the implementation).
|
||
- Update `docs/reviews/004-post-implementation-sanity-check.md`'s
|
||
status from `open` to `resolved` once all four findings are confirmed
|
||
fixed.
|
||
|
||
## Acceptance Criteria
|
||
|
||
- [ ] W1 fix confirmed: inbound `call.aborted` cascades to descendants
|
||
- [ ] W2 fix confirmed: endpoint extracts TLS client fingerprint
|
||
- [ ] W3 fix confirmed: `Mnemonic` `Debug` redacts the phrase
|
||
- [ ] W4 fix confirmed: `ApiKeyEntry.resources` reconciled with spec (or spec corrected)
|
||
- [ ] `cargo build --workspace --all-features` succeeds
|
||
- [ ] `cargo test --workspace --all-features` succeeds
|
||
- [ ] `cargo clippy --workspace --all-features --all-targets` succeeds with no warnings
|
||
- [ ] Review #004 status updated to `resolved` in its frontmatter
|
||
|
||
## References
|
||
|
||
- docs/reviews/004-post-implementation-sanity-check.md — the review being closed
|
||
- tasks/call/protocol/abort-cascade-wiring.md — W1 fix task
|
||
- tasks/core/endpoint-client-fingerprint.md — W2 fix task
|
||
- tasks/vault/mnemonic-debug-redaction.md — W3 fix task
|
||
- tasks/core/auth-apikey-resources.md — W4 fix task
|
||
|
||
## Notes
|
||
|
||
> This review task mirrors the pattern of `vault/review-vault-sync`,
|
||
> `core/review-core`, and `call/review-call`: a `level: review` gate
|
||
> at the end of a fix batch, with `scope: moderate`, `risk: low`,
|
||
> `impact: phase`. It does not need to re-derive the findings — review
|
||
> #004 already did that work. It only needs to confirm the fixes land
|
||
> correctly and the workspace stays green.
|
||
|
||
## Summary
|
||
|
||
All four fixes verified against acceptance criteria:
|
||
- W1: `handle_stream` handles `EVENT_ABORTED`, cascades with
|
||
`AbortDependents`, no descendant frames on wire, root removed, two
|
||
integration tests pass.
|
||
- W2: both dispatch paths extract fingerprints, format documented in
|
||
`auth.md`, no-cert case returns `None` (no regression), server-config
|
||
change deferred to `core/endpoint-request-client-cert`.
|
||
- W3: `Mnemonic` has manual redacting `Debug`, `Seed` has no `Debug`,
|
||
redaction test passes.
|
||
- W4: Option B — spec corrected, limitation documented, both resolvers
|
||
return empty resources, tests pass.
|
||
|
||
Workspace green: `cargo build --workspace --all-features` ✓, `cargo test
|
||
--workspace --all-features` (326 tests, 0 failures) ✓, `cargo clippy
|
||
--workspace --all-features --all-targets` (0 warnings) ✓. Review #004
|
||
status updated to `resolved`. |