Audit of feat/v1.1.4-http-cron against the v1.1.4 dispatch prompt.
All gates green on HEAD; 427 tests pass (+69 new), 140 ignored.
SSRF policy audited line-by-line: DNS-rebinding defense via reqwest
dns_resolver, literal-IP gap closed at validate_url on every redirect
hop, IPv4-mapped IPv6 re-check, IP never leaked in error strings.
Cron scheduler's fire-once catch-up policy verified; transactional
outbox-insert + last_fired_at bump.
Two flagged divergences accepted: three-arg verb(url, body, opts)
HTTP shape (resolves a self-contradiction in the brief; body_raw
dropped because raw strings just use positional body), and stale
schema-snapshot golden re-blessed (pre-existing drift from v1.1.1-
v1.1.3 — recommend lifting #[ignore] with CI DB in v1.1.5).
Three v1.1.3 follow-ups landed: module backend error redaction,
rhai = "=1.24" exact pin, retroactive CHANGELOG security note.
Audit of feat/v1.1.3-modules against the v1.1.3 dispatch prompt.
All three gates green on HEAD; 358 tests pass, 140 properly ignored.
Cross-app isolation in PicloudModuleResolver verified airtight,
RAII guard pattern for stack+depth cleanup audited line-by-line,
version-keyed cache invalidation model accepted as correct.
Three deviations from the prompt reviewed: depth-limit default 8
instead of 32 (silent change — discipline note for next retro,
but the choice is defensible), module-name CHECK and reserved-name
list (both net improvements not in the prompt), ScriptValidator
trait shape change (bounded blast radius, required by dep-graph
design).
Latent cross-app security gap in v1.1.1/v1.1.2 trigger creation
closed as part of this release — backport awareness flagged for
the retro.
Independent audit of feat/v1.1.2-documents over two iterations.
Iteration 1 returned for a single-line cargo-fmt fix that HANDBACK
had falsely claimed was green. Iteration 2 (bf26a25 + fedc63b)
applied the fix, re-verified all three gates on the new HEAD, and
recorded the discipline lesson in HANDBACK §1 for the v1.1.3 retro.
Re-audit on iteration-2 HEAD: fmt + clippy + 320-test workspace all
green. SQL builder is parameter-bound end-to-end (audited line-by-line
in docs_repo.rs:319-420 with adversarial-input tests). Layout E
extension for docs is mechanically clean. Query DSL operator set
is correct precedent for v1.2's advanced-query expansion.
Branch ready to merge as v1.1.2.
Independent audit of feat/v1.1.1-storage-and-events against the
design notes §1–4 (Decided 2026-06-01) and the original dispatch
prompt. Static checks reproduce green; 243-test workspace suite
passes; schema + dispatcher + inbox conform to the design notes
end-to-end. Nine HANDBACK-flagged deviations reviewed individually
and accepted. One ambient concern (manager-core → executor-core
DTO dependency) flagged for a small CLAUDE.md clarification
post-merge; not a merge blocker.
