
fix: code quality audit - thread safety, path hardening, PBKDF2 bump#12

Merged
Romain-Grosos merged 6 commits into main from fix/code-quality-audit on Mar 7, 2026

Conversation

@Romain-Grosos (Contributor) commented Mar 7, 2026

Summary

Address findings from external code quality audit (score: 81/100, projected: ~91-94/100).

  • Thread-safe analysis state: add threading.Lock around _last_analysis read/write in server/handler
  • Path traversal hardening: use Path.resolve() + is_file() check in /admin/analyze path mode
  • PBKDF2 iterations bump: 600,000 -> 1,200,000 (2x OWASP 2023 minimum for SHA-256)
  • Documentation consistency: fix all PRD, architecture, stories, and QA gates to reflect 16-word mnemonic and 1.2M iterations
  • Coverage badge: add static badge (CI enforces >= 80% via --cov-fail-under)
  • Roadmap: reorder Done items first, mark 5 audit items as completed

Audit context

Finding                        Points lost   Fix
_last_analysis race condition  -4            threading.Lock
Path traversal partial         -3            resolve() + is_file()
Mnemonic not 0600              -3            Already 0600 (reviewer error)
No admin rate-limiting         -2            Roadmap (token is 256-bit)
No coverage badge              -7            Badge + CI gate

Test plan

  • 373 unit/integration tests pass (coverage 82.08%)
  • 13 e2e tests pass
  • Lint clean (ruff check + format)
  • .deb build + install verified in Docker (Debian 12)
  • PBKDF2 default = 1,200,000 confirmed in installed package
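The two handler changes the description lists (a lock around _last_analysis, and resolve() plus is_file() in path mode) shown together in a runnable added example. This is illustration code written for this page, not the project's handler: AnalysisState, update_if_newer, resolve_analysis_path and the constructed temporary tree are all assumptions. It goes one step past the description: resolve() only follows symlinks and collapses "..", so confining the result to the base directory still needs an explicit containment check, which the example adds before the is_file() test.

```python
from __future__ import annotations

import os
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path


class AnalysisState:
    """Last analysis result shared by pool workers; every access holds the lock.

    Reassigning one attribute is atomic under the GIL, but check-then-set
    (read, compare, then write) is not, and neither is handing out a dict that
    another worker may still mutate, so reads copy and writes go under the lock.
    """

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._last_analysis: dict | None = None

    def get_last(self) -> dict | None:
        with self._lock:
            return None if self._last_analysis is None else dict(self._last_analysis)

    def update_if_newer(self, result: dict) -> bool:
        """Keep result only if its seq is newer than the one already held."""
        with self._lock:
            current = self._last_analysis
            if current is None or result["seq"] > current["seq"]:
                self._last_analysis = dict(result)
                return True
            return False


def concurrent_update_check(n_workers: int = 16, per_worker: int = 200) -> int:
    """Hammer update_if_newer from n_workers threads (16 is the pool size the PR
    names) and return the seq finally held. With the lock it is always the
    maximum, n_workers * per_worker - 1: no stale compare can overwrite a newer write."""
    state = AnalysisState()

    def worker(wid: int) -> None:
        for i in range(per_worker):  # seqs interleave across workers
            state.update_if_newer({"seq": i * n_workers + wid, "worker": wid})

    with ThreadPoolExecutor(max_workers=n_workers) as pool:
        list(pool.map(worker, range(n_workers)))
    return state.get_last()["seq"]


def resolve_analysis_path(base_dir: Path, requested: str) -> Path:
    """Map a path-mode argument onto a regular file under base_dir.

    resolve() follows symlinks and collapses '..' before anything is compared,
    so a link inside base_dir that points outside is judged by its target. The
    containment test is what confines the path; resolve() alone does not.
    is_file() then rejects directories and names that do not exist.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()  # an absolute `requested` replaces base
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes {base}: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(f"not a regular file: {requested!r}")
    return candidate


def path_validation_demo() -> dict[str, str]:
    """Run the validator over a constructed tree: a real file, a subdirectory,
    a missing name, '..' traversal, an absolute path and a symlink escape."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base, outside = root / "uploads", root / "outside"
        (base / "sub").mkdir(parents=True)
        outside.mkdir()
        (base / "inside.log").write_text("ok")
        (outside / "secret").write_text("leak")
        cases = {
            "inside": "inside.log",
            "dir": "sub",
            "missing": "missing.log",
            "dotdot": "../outside/secret",
            "absolute": str(outside / "secret"),
        }
        try:
            os.symlink(outside / "secret", base / "escape")
            cases["symlink"] = "escape"
        except OSError:  # platform without symlink support
            pass
        outcome: dict[str, str] = {}
        for label, req in cases.items():
            try:
                resolve_analysis_path(base, req)
                outcome[label] = "ok"
            except PermissionError:
                outcome[label] = "escape"
            except FileNotFoundError:
                outcome[label] = "not-a-file"
        outcome.setdefault("symlink", "skipped")
        return outcome
```

One caveat the is_file() check does not remove: the filesystem can change between the check and the later open (a link swapped in, a file replaced), so the handler should still open the resolved path itself and treat the open as the final authority rather than re-using the earlier verdict.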

Wrap all reads and writes to _last_analysis with a Lock to
prevent race conditions with the ThreadPool (16 workers).
Use Path.resolve() to follow symlinks before validation and add
is_file() check to reject non-existent or directory paths.
Double the OWASP 2023 minimum for PBKDF2-SHA256 (600k).
No backward compatibility needed (no existing installations).
…ions

- FR9: 12 words -> 16 words (12 secret + 4 salt)
- Story 1.2 AC: iterations 600k -> 1.2M, mnemonic 12 -> 16 words
- Story 4.4/5.2: update performance notes with new iteration count
- Update all PRD shards consistently
- Add coverage >= 80% badge (enforced by CI --cov-fail-under=80)
- Mark 5 roadmap items as Done: thread-safe state, path traversal,
  PBKDF2 bump, PRD mnemonic fix, coverage reporting
- Architecture mermaid diagrams: 12 words -> 16 words
- Stories 1.2, 3.4, 4.4: update mnemonic word counts and iterations
- QA gate 1.2: update status_reason with 16-word and 1.2M iterations
- Test comment in conftest.py: 600,000 -> 1,200,000
- Roadmap: reorder Done items first
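The PBKDF2 bump from the description and the "Double the OWASP 2023 minimum" commit, as an added example rather than the project's code: KDF_ITERATIONS, derive_record, verify_password and needs_rehash are assumed names, and the record format is constructed for this page. The commit says no backward compatibility is needed; the example still stores the iteration count beside the hash, since that is what turns the next bump into a rehash-on-login instead of a reset, and it checks hashlib against the published PBKDF2-HMAC-SHA256 test vector before trusting its output.

```python
from __future__ import annotations

import hashlib
import hmac
import os

KDF_ITERATIONS = 1_200_000  # twice the OWASP 2023 minimum of 600,000 for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 via hashlib's C implementation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def derive_record(password: str, salt: bytes | None = None, iterations: int = KDF_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'.

    Storing the iteration count with the hash is what lets a later bump keep
    verifying old records and rehash them on next successful login."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derive_key(password, salt, iterations).hex()}"


def parse_record(record: str) -> tuple[int, bytes, bytes]:
    algo, iterations, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported KDF tag {algo!r}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the record's own parameters and compare in constant time."""
    iterations, salt, expected = parse_record(record)
    return hmac.compare_digest(derive_key(password, salt, iterations), expected)


def needs_rehash(record: str, minimum: int = KDF_ITERATIONS) -> bool:
    """True when a record was produced with fewer rounds than the current default."""
    return parse_record(record)[0] < minimum


def known_answer_ok() -> bool:
    """Self-check against the published PBKDF2-HMAC-SHA256 vector
    (password 'password', salt 'salt', 1 iteration, 32-byte key)."""
    expected = bytes.fromhex("120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b")
    return hashlib.pbkdf2_hmac("sha256", b"password", b"salt", 1, dklen=32) == expected
```

A verify-then-rehash flow would call verify_password first and, on success, derive_record again with the current default whenever needs_rehash is true; the old record keeps working in the meantime because its own iteration count travels with it.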
@Romain-Grosos Romain-Grosos self-assigned this Mar 7, 2026
@Romain-Grosos Romain-Grosos added the documentation and security labels Mar 7, 2026
@Romain-Grosos Romain-Grosos merged commit a76f64a into main Mar 7, 2026
5 checks passed
@Romain-Grosos Romain-Grosos deleted the fix/code-quality-audit branch March 7, 2026 22:31

Labels

documentation (Improvements or additions to documentation), security
