Audit of feat/v1.1.6-realtime-client against the v1.1.6 dispatch
prompt. All gates green; clippy clean; ~550 tests pass (HANDBACK §8
claimed 482 — minor count-discrepancy flagged for retro, not a
blocker).
Both flagged items verified and resolved:
- §4-vs-§8 publish-ordering contradiction in the brief: the agent
picked §8 (broadcast AFTER outbox commit) and explicitly flagged
the contradiction. Confirmed correct — §8's ordering protects
against subscribers being told an event happened that subsequently
failed to durably commit. §4's broadcast-first phrasing was a
latency-optimization aside; §8 is the dedicated numbered spec.
The v1.1.4 retro discipline lesson (flag-don't-reinterpret) worked.
- Latent finding: dead_letter trigger handlers never fire — verified
via grep. list_matching_dead_letter has no production caller; the
bug predates v1.1.6 (shipped silent since v1.1.1). Correctly
out-of-scope for v1.1.6. The dispatcher e2e test for dead_letter
asserts the wired behavior (row created) with inline docs explaining
why it's not asserting handler-fire. Fix folded into v1.1.7 prompt
recommendations along with a retroactive CHANGELOG note.
Three v1.1.5 follow-ups landed: six dispatcher e2e tests gated on
DATABASE_URL, empty-blob relaxed, orphan tmp-sweeper. HMAC signing
key persisted to app_secrets table (recommended path); streaming-
fetch SSE in the client lib unlocks bearer-header auth + 401
detection + Last-Event-ID resume.
Audit of feat/v1.1.5-files-pubsub against the v1.1.5 dispatch prompt.
All gates green on HEAD; 491 tests pass (+64 new), 139 ignored.
Atomic write protocol audited line-by-line: single-pass SHA-256,
temp→fsync→rename→fsync-dir→DB sequence as specified, unique pid+
counter temp suffix, path-traversal defense at SDK boundary and repo.
Pub/sub fan-out is correctly transactional (single tx begin+commit;
one outbox row per matching subscriber; trigger_depth saturating-
bumped). Topic pattern matcher rejects every shape the brief called
out (*.created, **, a.*.b, user.*x, *user, empty).
Three flagged open questions resolved: orphan-sweep deferred (matches
planning decision), test count 63 vs 70 (defensible — gap is the
dispatcher e2e test, which is already covered for kv/docs/cron via
the shared dispatcher path), empty-blob = missing-data (defensible
interpretation, relaxable later).
First CI workflow added; schema_snapshot un-ignored with DATABASE_URL-
absent skip path.
Audit of feat/v1.1.4-http-cron against the v1.1.4 dispatch prompt.
All gates green on HEAD; 427 tests pass (+69 new), 140 ignored.
SSRF policy audited line-by-line: DNS-rebinding defense via reqwest
dns_resolver, literal-IP gap closed at validate_url on every redirect
hop, IPv4-mapped IPv6 re-check, IP never leaked in error strings.
Cron scheduler's fire-once catch-up policy verified; transactional
outbox-insert + last_fired_at bump.
Two flagged divergences accepted: three-arg verb(url, body, opts)
HTTP shape (resolves a self-contradiction in the brief; body_raw
dropped because raw strings just use positional body), and stale
schema-snapshot golden re-blessed (pre-existing drift from v1.1.1-
v1.1.3 — recommend lifting #[ignore] with CI DB in v1.1.5).
Three v1.1.3 follow-ups landed: module backend error redaction,
rhai = "=1.24" exact pin, retroactive CHANGELOG security note.
Audit of feat/v1.1.3-modules against the v1.1.3 dispatch prompt.
All three gates green on HEAD; 358 tests pass, 140 properly ignored.
Cross-app isolation in PicloudModuleResolver verified airtight,
RAII guard pattern for stack+depth cleanup audited line-by-line,
version-keyed cache invalidation model accepted as correct.
Three deviations from the prompt reviewed: depth-limit default 8
instead of 32 (silent change — discipline note for next retro,
but the choice is defensible), module-name CHECK and reserved-name
list (both net improvements not in the prompt), ScriptValidator
trait shape change (bounded blast radius, required by dep-graph
design).
Latent cross-app security gap in v1.1.1/v1.1.2 trigger creation
closed as part of this release — backport awareness flagged for
the retro.
Independent audit of feat/v1.1.2-documents over two iterations.
Iteration 1 returned for a single-line cargo-fmt fix that HANDBACK
had falsely claimed was green. Iteration 2 (bf26a25 + fedc63b)
applied the fix, re-verified all three gates on the new HEAD, and
recorded the discipline lesson in HANDBACK §1 for the v1.1.3 retro.
Re-audit on iteration-2 HEAD: fmt + clippy + 320-test workspace all
green. SQL builder is parameter-bound end-to-end (audited line-by-line
in docs_repo.rs:319-420 with adversarial-input tests). Layout E
extension for docs is mechanically clean. Query DSL operator set
is correct precedent for v1.2's advanced-query expansion.
Branch ready to merge as v1.1.2.
Independent audit of feat/v1.1.1-storage-and-events against the
design notes §1–4 (Decided 2026-06-01) and the original dispatch
prompt. Static checks reproduce green; 243-test workspace suite
passes; schema + dispatcher + inbox conform to the design notes
end-to-end. Nine HANDBACK-flagged deviations reviewed individually
and accepted. One ambient concern (manager-core → executor-core
DTO dependency) flagged for a small CLAUDE.md clarification
post-merge; not a merge blocker.
