Commit Graph

45 Commits

Author SHA1 Message Date
dbedb8846c Mark fix/rename-misleading-test as completed 2026-06-12 14:29:51 +00:00
8ff8c71783 Mark fix/rate-limiter-connectinfo-tests as completed 2026-06-12 14:27:08 +00:00
21186b8265 Mark fix/http-port-type-u16 and fix/log-root-cert-count as completed 2026-06-12 14:21:37 +00:00
9a3b8831c7 Mark fix/json-format-without-logfile as completed 2026-06-12 14:19:49 +00:00
01e3b1cd9a Mark 6 fix tasks as completed (admin-socket-resource-limits, upstream-uri-error-handling, remove-dead-code-remnants, acme-contact-validation, admin-socket-reload-mutex-visibility, connector-timeout-ceiling) 2026-06-12 14:18:23 +00:00
db982e9c4d Mark fix/inflight-counter-increment, fix/consolidate-config-types, fix/rate-limiter-ip-source as completed 2026-06-12 14:02:02 +00:00
54f1725173 Decompose security review #003 findings into 17 fix tasks and 1 review task
Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:

Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.

Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.

Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.

Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.

Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).

Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.
2026-06-12 13:42:37 +00:00
da28ea749d Mark fix/clean-dead-code as completed 2026-06-12 05:13:10 +00:00
8f3c56e6bc Mark fix/add-code-comments as completed 2026-06-12 05:05:36 +00:00
516efb0403 Mark fix/connect-timeout as completed 2026-06-12 05:02:41 +00:00
1da01a2336 Mark fix/graceful-shutdown as completed 2026-06-12 05:00:28 +00:00
abc8a44134 Mark fix/request-timeout-scope as completed 2026-06-12 04:47:15 +00:00
f02670d5ef Mark Batch 2 tasks as completed (remove-health, access-logging, acme-contact) 2026-06-12 04:46:34 +00:00
19efbd42ee Mark fix/normalize-host-ipv6 as completed 2026-06-12 04:41:52 +00:00
53d601522e Mark fix/config-reload-static-drift as completed 2026-06-12 04:36:34 +00:00
d7f811ffb5 Mark fix/logging-test-global-subscriber as completed 2026-06-12 04:29:48 +00:00
c50d2e8d1b Mark fix/http-port-validation as completed 2026-06-12 04:29:02 +00:00
53ef5b32c3 Mark fix/fragile-error-detection as completed 2026-06-12 04:25:49 +00:00
4db4ecbeb9 Mark fix/integration-test-toml as completed 2026-06-12 04:23:27 +00:00
426333eeda Mark fix/token-bucket-nanosecond as completed 2026-06-12 04:22:35 +00:00
f9d7b8112b Decompose implementation review fixes into 14 atomic tasks with post-fix review
Break down findings from review #002 into dependency-ordered fix tasks:

Critical/High:
- fix/acme-contact-and-challenge (C1+C2): Add acme_contact field, wire to
  ACME, remove unused challenge_config, add validation rule 19
- fix/remove-health-and-hardcode-https (W5+W14+ADR-022): Remove /health
  from main listener, hardcode X-Forwarded-Proto to https
- fix/config-reload-static-drift (C4): Use ArcSwap<StaticConfig> so reload
  diffs against last config, not startup config
- fix/access-logging (W13): Wire up log_request! macro for every proxied
  request with client_ip, host, method, path, status, upstream, duration_ms

Medium:
- fix/graceful-shutdown (W1+W7): Join HTTPS tasks with timeout instead of
  abort, add shutdown signal to admin socket and eviction task
- fix/connect-timeout (W4): Wire upstream_connect_timeout_secs to enforce
  separate connect timeout

Low/Independent:
- fix/token-bucket-nanosecond (W6): Use as_nanos() instead of as_millis()
- fix/normalize-host-ipv6 (S3): Handle IPv6 bracket notation in normalize_host
- fix/http-port-validation (S1): Validate http_port in range 0 or 1-65535
- fix/integration-test-toml (S10): Fix double-nested listeners.listeners.sites
- fix/logging-test-global-subscriber (W9): Use try_init() to avoid test conflicts
- fix/fragile-error-detection (W3): Add typed error matching or documented string match
- fix/add-code-comments (C3,W8,W10,W11,S9): Document correct-but-non-obvious behaviors
- fix/request-timeout-scope (S8): Document full-request timeout scope
- fix/clean-dead-code (S4+S2): Remove dead_code annotations, add #[non_exhaustive]

Review gate:
- review/post-fix-review: Verify all fixes against architecture spec
2026-06-12 04:08:45 +00:00
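The fix/normalize-host-ipv6 item above (S3, "handle IPv6 bracket notation in normalize_host") is the kind of change worth seeing in full, because host-based routing is only as safe as the canonical form it keys on: two spellings of the same host must collapse to one key, and anything that is not a valid Host value must be rejected rather than routed. The block below is an added illustration written for this page, not the project's normalize_host. Its rules (trim, lowercase, strip a trailing dot, strip one ":port", keep brackets around an IPv6 literal and canonicalise it through std::net::Ipv6Addr, reject unbracketed IPv6 and port 0) are assumptions about what such a function should do; the project may differ.

```rust
use std::net::Ipv6Addr;

/// Parse a port suffix: ASCII decimal digits only, 1..=65535.
/// Leading "+" and port 0 are rejected (u16::from_str would accept "+80").
fn parse_port(p: &str) -> Option<u16> {
    if p.is_empty() || !p.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    match p.parse::<u16>() {
        Ok(0) | Err(_) => None,
        Ok(n) => Some(n),
    }
}

/// Normalise a Host header value into a routing key (illustrative rules,
/// assumed for this example):
///  - trim, reject empty or whitespace-containing values
///  - "[v6]" or "[v6]:port": validate the literal, emit it in canonical
///    compressed form so "[0:0:0:0:0:0:0:1]" and "[::1]" route identically
///  - otherwise strip one ":port"; a second colon with no brackets means a
///    bare IPv6 literal, which is not valid in Host, so reject it
///  - lowercase and drop a trailing dot (FQDN form)
pub fn normalize_host(raw: &str) -> Option<String> {
    let s = raw.trim();
    if s.is_empty() || s.chars().any(char::is_whitespace) {
        return None;
    }
    let host = if let Some(rest) = s.strip_prefix('[') {
        let end = rest.find(']')?;
        let ip: Ipv6Addr = rest[..end].parse().ok()?;
        let after = &rest[end + 1..];
        if !after.is_empty() {
            // Only ":port" may follow the closing bracket.
            parse_port(after.strip_prefix(':')?)?;
        }
        format!("[{ip}]")
    } else {
        match s.rsplit_once(':') {
            Some((h, p)) => {
                if h.contains(':') {
                    return None; // unbracketed IPv6 literal
                }
                parse_port(p)?;
                h.to_string()
            }
            None => s.to_string(),
        }
    };
    let host = host.to_ascii_lowercase();
    let host = host.strip_suffix('.').unwrap_or(&host).to_string();
    if host.is_empty() {
        return None;
    }
    Some(host)
}

fn main() {
    // Constructed sample Host values, not captured traffic.
    for raw in ["Example.COM:443", "[2001:DB8::1]:8443", "[0:0:0:0:0:0:0:1]", "2001:db8::1", "example.com:0"] {
        println!("{raw:?} -> {:?}", normalize_host(raw));
    }
}
```

Zone-scoped literals ("[fe80::1%eth0]") fail the Ipv6Addr parse and are rejected; if the proxy is expected to serve link-local hosts, that case needs an explicit rule rather than a silent pass-through.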
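The fix/token-bucket-nanosecond item above (W6, "use as_nanos() instead of as_millis()") looks cosmetic but is a rate-limiter correctness issue: if refill credit is computed from a millisecond-truncated elapsed time and the "last refill" timestamp is then advanced anyway, every sub-millisecond gap is rounded to zero and its credit is lost, so a bucket polled often enough never refills and legitimate clients are starved (the mirror-image bug, credit counted twice, would let an attacker exceed the limit). The block below is an added example, not the project's TokenBucket; the f64 token accumulator, the injected `now: Instant`, and the `Precision` switch that reproduces both behaviours side by side are assumptions made for illustration.

```rust
use std::time::{Duration, Instant};

/// Clock granularity used by the refill arithmetic.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Precision {
    /// Pre-fix behaviour: elapsed.as_millis(). Gaps under 1 ms truncate to
    /// zero, and because `last` is still advanced, that time is lost.
    Millis,
    /// Fixed behaviour: elapsed.as_nanos(), so every gap contributes.
    Nanos,
}

pub struct TokenBucket {
    capacity: f64,
    rate_per_sec: f64, // tokens credited per second
    tokens: f64,
    last: Instant,
    precision: Precision,
}

impl TokenBucket {
    /// Starts empty so the refill path is what admits the first request.
    pub fn new(capacity: f64, rate_per_sec: f64, now: Instant, precision: Precision) -> Self {
        Self { capacity, rate_per_sec, tokens: 0.0, last: now, precision }
    }

    /// Credit tokens for the time since the last refill. `now` is passed in
    /// instead of read from the clock so the behaviour is deterministic.
    pub fn refill(&mut self, now: Instant) {
        let elapsed = now.saturating_duration_since(self.last);
        let secs = match self.precision {
            Precision::Millis => elapsed.as_millis() as f64 / 1_000.0,
            Precision::Nanos => elapsed.as_nanos() as f64 / 1_000_000_000.0,
        };
        self.tokens = (self.tokens + secs * self.rate_per_sec).min(self.capacity);
        self.last = now; // advanced in both modes; with Millis this drops the remainder
    }

    /// Take one token if available; returns whether the request is admitted.
    pub fn try_acquire(&mut self, now: Instant) -> bool {
        self.refill(now);
        if self.tokens >= 1.0 {
            self.tokens -= 1.0;
            true
        } else {
            false
        }
    }

    pub fn tokens(&self) -> f64 {
        self.tokens
    }
}

/// Simulate `n` refill calls spaced `step` apart on a bucket refilling at
/// `rate_per_sec`, then count how many requests the bucket admits.
pub fn admitted_after(precision: Precision, n: u32, step: Duration, rate_per_sec: f64) -> u32 {
    let t0 = Instant::now();
    let mut bucket = TokenBucket::new(100.0, rate_per_sec, t0, precision);
    let mut now = t0;
    for _ in 0..n {
        now += step;
        bucket.refill(now);
    }
    let mut admitted = 0;
    while bucket.try_acquire(now) {
        admitted += 1;
    }
    admitted
}

fn main() {
    // Constructed scenario: 1000 tokens/s, polled every 0.5 ms for 5 ms total,
    // which should be worth 5 tokens.
    let step = Duration::from_micros(500);
    println!("millis: {} admitted", admitted_after(Precision::Millis, 10, step, 1000.0));
    println!("nanos:  {} admitted", admitted_after(Precision::Nanos, 10, step, 1000.0));
}
```

With 2 ms steps both precisions agree (20 tokens over ten steps), which is why the truncation only shows up under the high request rates a rate limiter exists to handle.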
57cb071ff2 Fix task status: 'complete' -> 'completed' for taskgraph compatibility 2026-06-11 14:06:20 +00:00
cf002cc40f Fix spec deviations and implement graceful shutdown drain
- Replace determine_if_https() with ProxyState.is_https field so X-Forwarded-Proto
  reflects the listener's protocol instead of guessing from the Host header
- Return ProxyError::BadGateway with host/upstream context for non-connect upstream
  errors instead of bare StatusCode::BAD_GATEWAY
- Implement InFlightCounter with RAII guard for tracking in-flight connections
- Add drain_in_flight() to wait for connections to complete on shutdown, with
  configurable timeout before forcing exit
- Mark review/core-components and review/integration-readiness as complete
2026-06-11 14:01:55 +00:00
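The InFlightCounter with an RAII guard and the drain_in_flight() timeout described in this commit are a small pattern that is easy to get subtly wrong (the later review #003 commit on this page lists "InFlightCounter increment + drain interval" among its critical fixes). The block below is an added example written for this page, not the project's code: it ties the increment to the guard's constructor so a guard cannot exist without its increment, relies on Drop so every exit path (return, error, panic unwind) releases the slot, and makes the drain report whether it reached zero or gave up at the deadline. The std::thread simulation of handlers, the polling interval, and the function names are assumptions for illustration; an async server would await the same counter instead of sleeping.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;
use std::time::{Duration, Instant};

/// Number of connections currently being served. Shared between the accept
/// loop (one guard per connection) and the shutdown path.
#[derive(Default)]
pub struct InFlightCounter {
    count: AtomicUsize,
}

/// RAII guard: created when a connection starts, decrements on drop.
pub struct InFlightGuard {
    counter: Arc<InFlightCounter>,
}

impl InFlightCounter {
    pub fn new() -> Arc<Self> {
        Arc::new(Self::default())
    }

    /// The increment lives here, in the guard constructor, so a connection
    /// can never be tracked without being counted.
    pub fn enter(this: &Arc<Self>) -> InFlightGuard {
        this.count.fetch_add(1, Ordering::SeqCst);
        InFlightGuard { counter: Arc::clone(this) }
    }

    pub fn current(&self) -> usize {
        self.count.load(Ordering::SeqCst)
    }

    /// Wait until no connections remain or `timeout` elapses. Returns true
    /// on a clean drain, false if the caller must force exit with
    /// connections still open (the count at that moment is still readable).
    pub fn drain_in_flight(&self, timeout: Duration, poll_interval: Duration) -> bool {
        let deadline = Instant::now() + timeout;
        loop {
            if self.current() == 0 {
                return true;
            }
            if Instant::now() >= deadline {
                return false;
            }
            thread::sleep(poll_interval);
        }
    }
}

impl Drop for InFlightGuard {
    fn drop(&mut self) {
        self.counter.count.fetch_sub(1, Ordering::SeqCst);
    }
}

/// Constructed scenario: `n` accepted connections each held for `hold`, then
/// a shutdown that drains with `timeout`. Returns (drained cleanly?,
/// connections still open when the drain returned).
pub fn simulate_shutdown(n: usize, hold: Duration, timeout: Duration) -> (bool, usize) {
    let counter = InFlightCounter::new();
    let mut workers = Vec::new();
    for _ in 0..n {
        // Taken on the accept side, before the handler is spawned, so there
        // is no window where the connection exists but is not counted.
        let guard = InFlightCounter::enter(&counter);
        workers.push(thread::spawn(move || {
            let _guard = guard; // dropped when the handler returns or unwinds
            thread::sleep(hold);
        }));
    }
    let clean = counter.drain_in_flight(timeout, Duration::from_millis(5));
    let remaining = counter.current();
    for w in workers {
        let _ = w.join();
    }
    (clean, remaining)
}

fn main() {
    let (clean, left) = simulate_shutdown(4, Duration::from_millis(50), Duration::from_secs(2));
    println!("short handlers: clean={clean}, still open={left}");
    let (clean, left) = simulate_shutdown(2, Duration::from_secs(1), Duration::from_millis(100));
    println!("slow handlers:  clean={clean}, still open={left}");
}
```

The value a shutdown path gets from the boolean is the log line and exit code: a forced exit with a non-zero remaining count should be visible in the access/operational log, otherwise the drain timeout silently becomes the normal shutdown path.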
9e11e755ea Mark integration/startup-orchestration as complete 2026-06-11 13:46:46 +00:00
3754b40904 Mark deploy/systemd-and-container as complete 2026-06-11 13:42:57 +00:00
5d1e29fde9 Mark tls/tls-listener-setup as complete 2026-06-11 13:40:14 +00:00
eb13c8cd9b Mark ops/signals-and-shutdown as complete 2026-06-11 13:34:48 +00:00
ecdfac1a1f Mark proxy/headers-and-forwarding as complete 2026-06-11 13:24:50 +00:00
134cb53de0 Mark ops/admin-socket as complete 2026-06-11 13:20:40 +00:00
bb33dc18e9 Mark tls/http-redirect as complete 2026-06-11 13:18:56 +00:00
f3ee0b7a97 Mark config/cli-parsing as complete 2026-06-11 13:16:58 +00:00
05b720eb7a Mark proxy/error-responses as complete 2026-06-11 13:13:59 +00:00
91f76e9646 Mark ops/body-size-limit as complete 2026-06-11 13:12:50 +00:00
4b4ff838fe Mark ops/rate-limiting as complete 2026-06-11 13:03:30 +00:00
f1cada010f Mark proxy/host-routing as complete 2026-06-11 12:59:48 +00:00
994ce0fb66 Mark config/validation as complete 2026-06-11 12:49:46 +00:00
07fb4ce411 Mark ops/logging as complete 2026-06-11 12:49:05 +00:00
30d391b353 Mark config/dynamic-config as complete 2026-06-11 12:48:10 +00:00
5ca658e8f3 Mark ops/health-check as complete 2026-06-11 12:41:29 +00:00
468adb21de Mark tls/manual-tls as complete 2026-06-11 11:59:12 +00:00
ff5112e4d5 Mark tls/acme-tls as complete 2026-06-11 11:56:31 +00:00
33a448505e Mark setup/test-infrastructure as complete 2026-06-11 11:49:37 +00:00
dc12e75bdf Mark config/static-config as complete 2026-06-11 11:46:38 +00:00
9b4cabc4d6 Mark setup/project-init as complete 2026-06-11 11:36:51 +00:00
309878c561 Decompose architecture into 23 atomic tasks across 7 parallel generations
Task graph covers all Phase 1 concerns: config system, TLS termination,
proxy handler, operations (rate limiting, logging, health check, admin
socket, signals, shutdown, body size limit), deployment artifacts, and
two review checkpoints.

No circular dependencies. Critical path length of 7. Risk distribution:
3 high-risk (ACME, TLS listener setup, startup orchestration), 7 medium,
11 low, 2 trivial.
2026-06-11 11:21:10 +00:00