Decompose implementation review fixes into 14 atomic tasks with post-fix review

Break down findings from review #002 into dependency-ordered fix tasks: Critical/High: - fix/acme-contact-and-challenge (C1+C2): Add acme_contact field, wire to ACME, remove unused challenge_config, add validation rule 19 - fix/remove-health-and-hardcode-https (W5+W14+ADR-022): Remove /health from main listener, hardcode X-Forwarded-Proto to https - fix/config-reload-static-drift (C4): Use ArcSwap<StaticConfig> so reload diffs against last config, not startup config - fix/access-logging (W13): Wire up log_request! macro for every proxied request with client_ip, host, method, path, status, upstream, duration_ms Medium: - fix/graceful-shutdown (W1+W7): Join HTTPS tasks with timeout instead of abort, add shutdown signal to admin socket and eviction task - fix/connect-timeout (W4): Wire upstream_connect_timeout_secs to enforce separate connect timeout Low/Independent: - fix/token-bucket-nanosecond (W6): Use as_nanos() instead of as_millis() - fix/normalize-host-ipv6 (S3): Handle IPv6 bracket notation in normalize_host - fix/http-port-validation (S1): Validate http_port in range 0 or 1-65535 - fix/integration-test-toml (S10): Fix double-nested listeners.listeners.sites - fix/logging-test-global-subscriber (W9): Use try_init() to avoid test conflicts - fix/fragile-error-detection (W3): Add typed error matching or documented string match - fix/add-code-comments (C3,W8,W10,W11,S9): Document correct-but-non-obvious behaviors - fix/request-timeout-scope (S8): Document full-request timeout scope - fix/clean-dead-code (S4+S2): Remove dead_code annotations, add #[non_exhaustive] Review gate: - review/post-fix-review: Verify all fixes against architecture spec
2026-06-12 04:08:45 +00:00
parent fe1ae6c05e
commit f9d7b8112b
16 changed files with 1074 additions and 0 deletions
--- a/tasks/fix/token-bucket-nanosecond.md
+++ b/tasks/fix/token-bucket-nanosecond.md
@@ -0,0 +1,56 @@
+---
+id: fix/token-bucket-nanosecond
+name: Fix token bucket refill to use nanosecond precision
+status: pending
+depends_on: []
+scope: single
+risk: trivial
+impact: isolated
+level: implementation
+review_findings: [W6]
+---
+
+## Description
+
+The token bucket refill calculation in `src/rate_limit/bucket.rs` uses `as_millis()` which truncates sub-millisecond time. Two requests arriving 500µs apart both see `0ms` elapsed and don't refill tokens. This can lead to token refill inaccuracies under high-frequency request bursts.
+
+### Changes Required
+
+**`src/rate_limit/bucket.rs`**:
+- Change line 37 from:
+  ```rust
+  let elapsed = now.duration_since(self.last_refill).as_millis() as f64;
+  let tokens_to_add = (elapsed * rate) / 1000.0;
+  ```
+  to:
+  ```rust
+  let elapsed = now.duration_since(self.last_refill).as_nanos() as f64;
+  let tokens_to_add = (elapsed / 1_000_000_000.0) * rate;
+  ```
+
+This provides nanosecond-precision refill while keeping the math in floating point.
+
+### Tests
+
+- Verify existing token bucket tests still pass
+- The `token_bucket_refills_over_time` test already validates refill behavior; it may need a longer sleep to notice the difference with nanosecond precision
+
+## Acceptance Criteria
+
+- [ ] Token refill uses nanosecond precision (`as_nanos()`)
+- [ ] Math is `(elapsed_nanos / 1_000_000_000.0) * rate`
+- [ ] Existing token bucket tests pass
+- [ ] `cargo clippy` passes with no warnings
+
+## References
+
+- docs/reviews/002-implementation-review.md — W6 finding
+- src/rate_limit/bucket.rs — current millisecond-based refill
+
+## Notes
+
+> To be filled by implementation agent
+
+## Summary
+
+> To be filled on completion