Skip to content

Codebase logic-bug audit report#370

Draft
passcod wants to merge 3 commits into
mainfrom
claude/codebase-logic-audit-8fn0e3
Draft

Codebase logic-bug audit report#370
passcod wants to merge 3 commits into
mainfrom
claude/codebase-logic-audit-8fn0e3

Conversation

@passcod

@passcod passcod commented Jul 16, 2026

Copy link
Copy Markdown
Member

What this is

A workspace-wide audit for logic bugs — code whose behaviour diverges from its evident intent — across every crate and subsystem: database, public-server, private-server, jobs, the commons crates, canopy-mcp, the private-web React app, and the SQL migrations. Out of scope by design: style, missing features, hypothetical hardening, and pure simplification.

No fixes are in this PR. The single change is a new report at docs/logic-audit-2026-07.md. This is a draft for discussion/triage.

How findings are categorised

Two axes, as requested:

  • Severity/impact — critical (silent fleet-wide blindspot / data loss / auth bypass) → high → medium → low (cosmetic / wrong status code / rare edge).
  • Test difficulty — easy (pure-function or single TestDb/HTTP-harness test) → moderate (stub, multi-step, or Playwright) → hard (time control, concurrency, or fault injection).

The report opens with a severity × test-difficulty matrix, then details each finding with file:line, the intended-vs-actual behaviour, a concrete failure scenario, a fix direction, and a test difficulty note.

Headline numbers

1 critical, 9 high, 20 medium, 23 low (53 findings). Several were reported independently by more than one reviewer and are consolidated.

Highlights:

  • Critical — backup staleness/reconcile monitoring silently skips every group that inherits the seeded default interval (the normal out-of-box path), so backups can stop fleet-wide with no alert. Verified by hand against the current source.
  • High — semver range resolution uses a per-component >= prefilter that drops valid cross-minor matches on the public update/download path; Slack outbox has no retry backoff (an outage beyond ~1 minute permanently drops pages); a NULL-interval "manual-only" schedule silently reverts to the default cadence; XFCC client-cert parsing reads the untrusted end of the header (conditional device-auth bypass); a ServerDetail issues link queries with a server id where a group id is required, so it always reads empty.

Verification notes

Findings were cross-checked against callers, tests, DB constraints, and documented contracts. The two highest-severity backup items were re-verified by hand against current source; the version_updates view bug, the valid_snippet_name CHECK, and the server_groups backfill collision were reproduced live on Postgres 16. Items with residual uncertainty are marked confidence: medium in the report.

Cross-cutting patterns

The report closes with systemic patterns worth a single sweep rather than one-off fixes: filter-after-LIMIT in the MCP read tools, the 7-day status lookback leaking into "latest" semantics, AppError::custom where a typed variant exists (500s that should be 400/404), security annotations without the matching extractor, TS/Rust logic mirrors drifting apart, and remaining slot_is_due callers that can skip a whole period.

🤖 Generated with Claude Code


Generated by Claude Code

claude added 3 commits July 16, 2026 10:50
Cross-crate audit for logic bugs (behaviour diverging from evident intent)
across database, public-server, private-server, jobs, commons crates,
canopy-mcp, the private-web SPA, and SQL migrations. 53 findings categorised
by severity/impact and by how hard a regression test for each fix would be.
No fixes applied.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QuGCnSzfmJfuzKinqRVeR1
Companion report to the logic audit: inventories every HTTP-reachable
AppError::custom call site, classifies each by the status it should carry,
and proposes five new typed variants (NotFound, Forbidden, Unprocessable,
Unavailable, Internal) plus a call-site migration map so custom stops
defaulting client/upstream errors to 500. Crosslinked with the audit's
L11/L15/L16/L17 findings.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QuGCnSzfmJfuzKinqRVeR1
Standalone systemic-fix companion to the logic audit: names six cross-cutting
concerns (fail-open monitoring defaults; a shared resilient job-loop harness;
single source of truth for derived state; inconsistent soft-delete scoping;
DB-write + external-effect compensation; handler/OpenAPI conformance testing),
each with a global mechanism and the findings it retires. Crosslinked from the
audit's cross-cutting section.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QuGCnSzfmJfuzKinqRVeR1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants