W1 (call/protocol/abort-cascade-wiring): wire AbortCascade into CallAdapter handle_stream for EVENT_ABORTED. Cascades with AbortPolicy::AbortDependents, aborts root, no descendant frames on wire (ADR-016 Decision 2). Two integration tests added. W2 (core/endpoint-client-fingerprint): extract TLS client cert fingerprint in dispatch_quinn (SHA256:<hex> of leaf cert DER via peer_identity) and dispatch_iroh (ed25519:<hex> of peer NodeId). Fingerprint format documented in auth.md. Server config change (with_no_client_auth → request-but-don't-require) deferred to new follow-up task core/endpoint-request-client-cert. W3 (vault/mnemonic-debug-redaction): replace Mnemonic derive(Debug) with manual redacting impl (phrase: "[REDACTED]"). Seed confirmed no Debug impl. Redaction test added. W4 (core/auth-apikey-resources): Option B — drop entry.resources from spec. External identities (token/fingerprint) grant scopes only; resource-scoped ACLs are composition-internal (ADR-015/022). auth.md corrected + limitation documented. Two tests confirm empty resources. review-post-impl-fixes: all 4 verified, workspace green (326 tests, 0 failures, 0 clippy warnings). Review #004 status → resolved. Graph: 34 tasks, 12 gens.
5.0 KiB
id, name, status, depends_on, scope, risk, impact, level
| id | name | status | depends_on | scope | risk | impact | level | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| review-post-impl-fixes | Review the four post-implementation sanity-check | completed |
|
moderate | low | phase | review |
Description
Review the four fixes produced from review #004's findings (W1–W4)
before they are considered closed. Confirm each fix matches the
resolution described in docs/reviews/004-post-implementation-sanity- check.md, does not introduce new spec drift, and is adequately tested.
Per-fix review checklist
W1 — call/protocol/abort-cascade-wiring:
CallAdapter::handle_streamhandlesEVENT_ABORTED(not justEVENT_REQUESTED).- Cascade uses
AbortPolicy::AbortDependents(the wire caller does not choose the policy — ADR-016 Decision 6). - No
call.abortedframes are sent back to the wire for descendant IDs (ADR-016 Decision 2: server-side cascade; composed child request_ids are internal). - Root entry is also removed (cascade_abort skips the root by design).
- Integration test exercises the full path: inbound abort frame →
PendingRequestMapentries gone for parent + child.
W2 — core/endpoint-client-fingerprint:
dispatch_quinnanddispatch_irohextract a fingerprint when one is presented (not hard-codedNone).AuthContext.identityis populated viaresolve_from_fingerprintwhen the fingerprint resolves.- Fingerprint string format is documented in
auth.mdand consistent withAuthPolicy::authorized_fingerprints. - No regression: no-client-cert case still produces
tls_client_fingerprint: Noneandidentity: None. - Server-config decision (request-but-don't-require vs. no-client-auth) is documented.
W3 — vault/mnemonic-debug-redaction:
Mnemonichas a manual redactingDebugimpl;#[derive(Debug)]is gone.format!("{:?}", mnemonic)does not contain any phrase word.Seedchecked — noDebugimpl leaksbytes.
W4 — core/auth-apikey-resources:
- Decision (Option A or B) is documented in
auth.mdor a new ADR. - Implementation (if any) matches the decision.
auth.md:153no longer referencesentry.resourcesif Option B was chosen; orApiKeyEntry.resourcesexists and is populated if Option A was chosen.- Test covers the chosen behavior.
Cross-cutting checks
cargo build --workspace --all-featuressucceeds.cargo test --workspace --all-featuressucceeds (no regressions).cargo clippy --workspace --all-features --all-targetsclean.- No new spec/code drift introduced (reconcile any spec text touched against the implementation).
- Update
docs/reviews/004-post-implementation-sanity-check.md's status fromopentoresolvedonce all four findings are confirmed fixed.
Acceptance Criteria
- W1 fix confirmed: inbound
call.abortedcascades to descendants - W2 fix confirmed: endpoint extracts TLS client fingerprint
- W3 fix confirmed:
MnemonicDebugredacts the phrase - W4 fix confirmed:
ApiKeyEntry.resourcesreconciled with spec (or spec corrected) cargo build --workspace --all-featuressucceedscargo test --workspace --all-featuressucceedscargo clippy --workspace --all-features --all-targetssucceeds with no warnings- Review #004 status updated to
resolvedin its frontmatter
References
- docs/reviews/004-post-implementation-sanity-check.md — the review being closed
- tasks/call/protocol/abort-cascade-wiring.md — W1 fix task
- tasks/core/endpoint-client-fingerprint.md — W2 fix task
- tasks/vault/mnemonic-debug-redaction.md — W3 fix task
- tasks/core/auth-apikey-resources.md — W4 fix task
Notes
This review task mirrors the pattern of
vault/review-vault-sync,core/review-core, andcall/review-call: alevel: reviewgate at the end of a fix batch, withscope: moderate,risk: low,impact: phase. It does not need to re-derive the findings — review #004 already did that work. It only needs to confirm the fixes land correctly and the workspace stays green.
Summary
All four fixes verified against acceptance criteria:
- W1:
handle_streamhandlesEVENT_ABORTED, cascades withAbortDependents, no descendant frames on wire, root removed, two integration tests pass. - W2: both dispatch paths extract fingerprints, format documented in
auth.md, no-cert case returnsNone(no regression), server-config change deferred tocore/endpoint-request-client-cert. - W3:
Mnemonichas manual redactingDebug,Seedhas noDebug, redaction test passes. - W4: Option B — spec corrected, limitation documented, both resolvers return empty resources, tests pass.
Workspace green: cargo build --workspace --all-features ✓, cargo test --workspace --all-features (326 tests, 0 failures) ✓, cargo clippy --workspace --all-features --all-targets (0 warnings) ✓. Review #004
status updated to resolved.