Codebase logic-bug audit report#370
Draft
passcod wants to merge 3 commits into
Draft
Conversation
Cross-crate audit for logic bugs (behaviour diverging from evident intent) across database, public-server, private-server, jobs, commons crates, canopy-mcp, the private-web SPA, and SQL migrations. 53 findings categorised by severity/impact and by how hard a regression test for each fix would be. No fixes applied. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01QuGCnSzfmJfuzKinqRVeR1
Companion report to the logic audit: inventories every HTTP-reachable AppError::custom call site, classifies each by the status it should carry, and proposes five new typed variants (NotFound, Forbidden, Unprocessable, Unavailable, Internal) plus a call-site migration map so custom stops defaulting client/upstream errors to 500. Crosslinked with the audit's L11/L15/L16/L17 findings. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01QuGCnSzfmJfuzKinqRVeR1
Standalone systemic-fix companion to the logic audit: names six cross-cutting concerns (fail-open monitoring defaults; a shared resilient job-loop harness; single source of truth for derived state; inconsistent soft-delete scoping; DB-write + external-effect compensation; handler/OpenAPI conformance testing), each with a global mechanism and the findings it retires. Crosslinked from the audit's cross-cutting section. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01QuGCnSzfmJfuzKinqRVeR1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this is
A workspace-wide audit for logic bugs — code whose behaviour diverges from its evident intent — across every crate and subsystem:
database,public-server,private-server,jobs, the commons crates,canopy-mcp, theprivate-webReact app, and the SQL migrations. Out of scope by design: style, missing features, hypothetical hardening, and pure simplification.No fixes are in this PR. The single change is a new report at
docs/logic-audit-2026-07.md. This is a draft for discussion/triage.How findings are categorised
Two axes, as requested:
TestDb/HTTP-harness test) → moderate (stub, multi-step, or Playwright) → hard (time control, concurrency, or fault injection).The report opens with a severity × test-difficulty matrix, then details each finding with file:line, the intended-vs-actual behaviour, a concrete failure scenario, a fix direction, and a test difficulty note.
Headline numbers
1 critical, 9 high, 20 medium, 23 low (53 findings). Several were reported independently by more than one reviewer and are consolidated.
Highlights:
>=prefilter that drops valid cross-minor matches on the public update/download path; Slack outbox has no retry backoff (an outage beyond ~1 minute permanently drops pages); a NULL-interval "manual-only" schedule silently reverts to the default cadence; XFCC client-cert parsing reads the untrusted end of the header (conditional device-auth bypass); a ServerDetail issues link queries with a server id where a group id is required, so it always reads empty.Verification notes
Findings were cross-checked against callers, tests, DB constraints, and documented contracts. The two highest-severity backup items were re-verified by hand against current source; the
version_updatesview bug, thevalid_snippet_nameCHECK, and theserver_groupsbackfill collision were reproduced live on Postgres 16. Items with residual uncertainty are marked confidence: medium in the report.Cross-cutting patterns
The report closes with systemic patterns worth a single sweep rather than one-off fixes: filter-after-LIMIT in the MCP read tools, the 7-day status lookback leaking into "latest" semantics,
AppError::customwhere a typed variant exists (500s that should be 400/404),securityannotations without the matching extractor, TS/Rust logic mirrors drifting apart, and remainingslot_is_duecallers that can skip a whole period.🤖 Generated with Claude Code
Generated by Claude Code