W1 (call/protocol/abort-cascade-wiring): wire AbortCascade into CallAdapter handle_stream for EVENT_ABORTED. W2 (core/endpoint-client-fingerprint): extract TLS client cert fingerprint in dispatch_quinn/dispatch_iroh. W3 (vault/mnemonic-debug-redaction): replace Mnemonic derive(Debug) with redacting impl. W4 (core/auth-apikey-resources, level: research): decide whether ApiKeyEntry should carry resources, then implement or drop from spec. review-post-impl-fixes gates on all four. Graph: 33 tasks, 12 gens.
96 lines
4.1 KiB
Markdown
96 lines
4.1 KiB
Markdown
---
|
||
id: review-post-impl-fixes
|
||
name: Review the four post-implementation sanity-check #004 fixes for spec conformance
|
||
status: pending
|
||
depends_on: [call/protocol/abort-cascade-wiring, core/endpoint-client-fingerprint, vault/mnemonic-debug-redaction, core/auth-apikey-resources]
|
||
scope: moderate
|
||
risk: low
|
||
impact: phase
|
||
level: review
|
||
---
|
||
|
||
## Description
|
||
|
||
Review the four fixes produced from review #004's findings (W1–W4)
|
||
before they are considered closed. Confirm each fix matches the
|
||
resolution described in `docs/reviews/004-post-implementation-sanity-
|
||
check.md`, does not introduce new spec drift, and is adequately tested.
|
||
|
||
### Per-fix review checklist
|
||
|
||
**W1 — `call/protocol/abort-cascade-wiring`**:
|
||
- `CallAdapter::handle_stream` handles `EVENT_ABORTED` (not just
|
||
`EVENT_REQUESTED`).
|
||
- Cascade uses `AbortPolicy::AbortDependents` (the wire caller does not
|
||
choose the policy — ADR-016 Decision 6).
|
||
- No `call.aborted` frames are sent back to the wire for descendant IDs
|
||
(ADR-016 Decision 2: server-side cascade; composed child request_ids
|
||
are internal).
|
||
- Root entry is also removed (cascade_abort skips the root by design).
|
||
- Integration test exercises the full path: inbound abort frame →
|
||
`PendingRequestMap` entries gone for parent + child.
|
||
|
||
**W2 — `core/endpoint-client-fingerprint`**:
|
||
- `dispatch_quinn` and `dispatch_iroh` extract a fingerprint when one
|
||
is presented (not hard-coded `None`).
|
||
- `AuthContext.identity` is populated via `resolve_from_fingerprint`
|
||
when the fingerprint resolves.
|
||
- Fingerprint string format is documented in `auth.md` and consistent
|
||
with `AuthPolicy::authorized_fingerprints`.
|
||
- No regression: no-client-cert case still produces
|
||
`tls_client_fingerprint: None` and `identity: None`.
|
||
- Server-config decision (request-but-don't-require vs. no-client-auth)
|
||
is documented.
|
||
|
||
**W3 — `vault/mnemonic-debug-redaction`**:
|
||
- `Mnemonic` has a manual redacting `Debug` impl; `#[derive(Debug)]`
|
||
is gone.
|
||
- `format!("{:?}", mnemonic)` does not contain any phrase word.
|
||
- `Seed` checked — no `Debug` impl leaks `bytes`.
|
||
|
||
**W4 — `core/auth-apikey-resources`**:
|
||
- Decision (Option A or B) is documented in `auth.md` or a new ADR.
|
||
- Implementation (if any) matches the decision.
|
||
- `auth.md:153` no longer references `entry.resources` if Option B was
|
||
chosen; or `ApiKeyEntry.resources` exists and is populated if Option
|
||
A was chosen.
|
||
- Test covers the chosen behavior.
|
||
|
||
### Cross-cutting checks
|
||
|
||
- `cargo build --workspace --all-features` succeeds.
|
||
- `cargo test --workspace --all-features` succeeds (no regressions).
|
||
- `cargo clippy --workspace --all-features --all-targets` clean.
|
||
- No new spec/code drift introduced (reconcile any spec text touched
|
||
against the implementation).
|
||
- Update `docs/reviews/004-post-implementation-sanity-check.md`'s
|
||
status from `open` to `resolved` once all four findings are confirmed
|
||
fixed.
|
||
|
||
## Acceptance Criteria
|
||
|
||
- [ ] W1 fix confirmed: inbound `call.aborted` cascades to descendants
|
||
- [ ] W2 fix confirmed: endpoint extracts TLS client fingerprint
|
||
- [ ] W3 fix confirmed: `Mnemonic` `Debug` redacts the phrase
|
||
- [ ] W4 fix confirmed: `ApiKeyEntry.resources` reconciled with spec (or spec corrected)
|
||
- [ ] `cargo build --workspace --all-features` succeeds
|
||
- [ ] `cargo test --workspace --all-features` succeeds
|
||
- [ ] `cargo clippy --workspace --all-features --all-targets` succeeds with no warnings
|
||
- [ ] Review #004 status updated to `resolved` in its frontmatter
|
||
|
||
## References
|
||
|
||
- docs/reviews/004-post-implementation-sanity-check.md — the review being closed
|
||
- tasks/call/protocol/abort-cascade-wiring.md — W1 fix task
|
||
- tasks/core/endpoint-client-fingerprint.md — W2 fix task
|
||
- tasks/vault/mnemonic-debug-redaction.md — W3 fix task
|
||
- tasks/core/auth-apikey-resources.md — W4 fix task
|
||
|
||
## Notes
|
||
|
||
> This review task mirrors the pattern of `vault/review-vault-sync`,
|
||
> `core/review-core`, and `call/review-call`: a `level: review` gate
|
||
> at the end of a fix batch, with `scope: moderate`, `risk: low`,
|
||
> `impact: phase`. It does not need to re-derive the findings — review
|
||
> #004 already did that work. It only needs to confirm the fixes land
|
||
> correctly and the workspace stays green. |