Skip to content

Final-polish pass: consolidate security primitives + fix audit-found defects#91

Merged
RNT56 merged 2 commits into
mainfrom
claude/v06-final-polish
Jun 29, 2026
Merged

Final-polish pass: consolidate security primitives + fix audit-found defects#91
RNT56 merged 2 commits into
mainfrom
claude/v06-final-polish

Conversation

@RNT56

@RNT56 RNT56 commented Jun 29, 2026

Copy link
Copy Markdown
Owner

A final end-to-end cleanup pass, driven by a multi-agent audit (6 finder dimensions — changelog/runbook hygiene, cross-crate duplication, dead code, architecture/trust-boundary integrity, doc accuracy, consistency/bounds — with every finding adversarially verified to reject churn; 3 of 13 candidates rejected as spurious/cosmetic). A separate architecture re-audit confirmed no trust-boundary defects across the v0.6 additions.

Commit 1 — polish: (non-contract)

Defects fixed

  • SlackSignature::verify now bounds untrusted input (MAX_SLACK_BODY / MAX_SLACK_TIMESTAMP) before any allocation or HMAC — an unauthenticated caller can no longer force unbounded work (invariant 11). +1 test.
  • CHANGELOG.md [0.5.0] — merged the duplicate ### Added block (union-merge artifact) into one section; no content lost.
  • docs/live-socket-validation.md — reordered the scrambled F.4F.7 subsections to ascending; refreshed F.7's CI-core list.
  • README.md — stale test count 834~1,120 (badge + table).

Architecture

  • Consolidated the duplicated security primitives — constant-time 32-byte compare (ct_eq) + hex decoders (hex_val, hex32_decode) — into crustcore-types::hash, beside sha256/hmac_sha256, as the single audited home for every MAC/signature check. Removed the copies from crustcore-receipts, crustcore-daemon (webhook + slack), crustcore-dev (auth + backend). Behaviour-identical — every consumer's security tests pass unchanged; net nano impact ~0. +3 tests.
  • Removed the unused DaemonSurface marker enum.

Commit 2 — docs(CLAUDE.md): ⚠️ contract file (§7.3) — please review separately

Factual-only status sync (no invariant/policy change): notes v0.5/v0.6 merged to main, points the roadmap link at docs/roadmap-v0.6.md, and corrects the ~834~1,120 test count. Isolated in its own commit so it can be reviewed/reverted independently.

Flagged for the maintainer (not changed here)

The nano size figures in CLAUDE.md/README (478.7 KiB Linux / 412.0 KiB macOS, 59.8%) look drifted — the local macOS size-check reports 428.1 KiB — but the flagship Linux x86_64 number can't be re-measured off-Linux. Please re-confirm on a Linux build and update both docs.

Verification

cargo xtask verify green (fmt, clippy -D warnings, ~1,120 tests, all-features, forbidden-deps, runbook-check, size gate). Nano 438416 bytes (428.1 KiB), 53.5% — unchanged.

🤖 Generated with Claude Code

RNT56 and others added 2 commits June 30, 2026 01:26
…ects

Final-polish pass driven by a multi-agent end-to-end audit (6 finder
dimensions, every finding adversarially verified to reject churn; 3 of 13
rejected as spurious/cosmetic). A separate architecture re-audit found NO
trust-boundary defects across the v0.6 additions.

Defects fixed:
- slack::SlackSignature::verify now bounds body/timestamp (MAX_SLACK_BODY /
  MAX_SLACK_TIMESTAMP) BEFORE any allocation or HMAC work — an unauthenticated
  caller can no longer force unbounded work (invariant 11). +1 test.
- CHANGELOG.md [0.5.0]: merged the duplicate `### Added` block (a union-merge
  artifact) into one section; no content lost.
- docs/live-socket-validation.md: reordered the scrambled F.4–F.7 subsections
  to ascending (also a union-merge artifact); refreshed F.7's CI-core list to
  mention the SlackSignature verifier.
- README.md: stale test count 834 -> ~1,120 (badge + table).

Architecture:
- Consolidated the duplicated security primitives — the constant-time 32-byte
  compare (ct_eq) and hex decoders (hex_val, hex32_decode) — into
  crustcore-types::hash, beside sha256/hmac_sha256, as the single audited home
  for every MAC/signature check. Removed the copies from crustcore-receipts,
  crustcore-daemon (webhook + slack), and crustcore-dev (auth + backend).
  Behaviour-identical: every consumer's security tests pass unchanged. Net nano
  size impact ~0 (already in the nano-linked receipts/types graph). +3 tests.
- Removed the now-unused DaemonSurface marker enum.

`cargo xtask verify` green; nano 438416 bytes (53.5%), unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…contract file]

CONTRACT FILE (§7.3) — factual-only sync, no invariant/policy change; isolated
in its own commit for serialized maintainer review:
- Status line: note v0.5 (version roll) + v0.6 (the GitHub-PR-supervisor
  roadmap: D.1 task-loop, A.1-A.5, B.1-B.3, C.1-C.3, E.1-E.4, F.1-F.3) are
  merged to main; signed tag/sign/publish remains the only maintainer-owned step.
- Roadmap pointer: docs/roadmap-v0.2.md -> docs/roadmap-v0.6.md (latest), with
  the v0.2 doc kept as the earlier reference.
- Test count: ~834 -> ~1,120 workspace tests (actual: 1121 #[test] annotations).

NOT changed (flagged for the maintainer): the nano size figures (478.7 KiB
Linux / 412.0 KiB macOS, 59.8%) appear to have drifted — the local macOS
size-check reports 428.1 KiB — but the flagship Linux x86_64 figure can't be
re-measured off-Linux, so it's left for a maintainer Linux build to confirm.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@RNT56 RNT56 merged commit 1f5d4ce into main Jun 29, 2026
6 checks passed
@RNT56 RNT56 deleted the claude/v06-final-polish branch June 29, 2026 23:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant