docs: fix all findings from the documentation audit#49
Conversation
The script's -addext basicConstraints combined with some OpenSSL builds' default req_extensions to emit the extension twice, producing a CA that Go rejects with 'duplicate extension with OID 2.5.29.19' (Homebrew OpenSSL 1.1.1). LibreSSL's one-step EC keygen emitted parameters Go rejects with 'invalid ECDSA parameters'. Generate from an explicit OpenSSL config and split keygen into ecparam + req, verified on both toolchains through proxy.LoadCA.
…top-level docs Fixes every confirmed finding from an adversarially-verified docs audit: the two live-reproduced getting-started failures (quick-start cd/path mismatch, --config /dev/null verify step), five reference/concept corrections (LLM denial 400 not 200, KeepEngines scope keying, grant claude tie-break, token-exchange 1-minute hard cap, credential host matching semantics, MCP SSE flush mechanism), and newly documents the HTTP-scope Keep policy layer, 401/403 credential invalidation, OTEL_SDK_DISABLED, the daemon-mode MCP path, ALPN negotiation, and the missing canonical log fields. Adds README sections for MCP relay, LLM policy, and host gateway plus the container image install path, updates the AGENTS.md architecture tree, de-orphans docs/token-exchange-endpoint.md, and restores the changelog PR-link convention.
|
Claude finished @andybons's task in 2m 33s —— View job Reviewing PR #49
SummaryThis PR is docs-only plus a rewrite of
All matched the docs. I didn't find any remaining doc/code mismatches in the sampled claims.
No inline comments filed — nothing rose to the level of a code defect. |
What
Fixes every confirmed finding from a full adversarially-verified documentation audit of this repo (5 audit agents → 2 sweep lenses → 37 independent verifiers → synthesis, with human re-verification of disputed refutations).
Two commits:
fix(examples):gen-ca.shrewritten to generate from an explicit OpenSSL config instead of-addext, and EC keygen split intoecparam+req. The old script produced CAs Go rejects on Homebrew OpenSSL 1.1.1 (duplicate extension with OID "2.5.29.19") and macOS LibreSSL 3.3.6 (invalid ECDSA parameters). Both failures were reproduced live before the fix and the new script verified throughproxy.LoadCAon both toolchains.docs: every doc correction —--config /dev/nullerrors (it starts and blocks — replaced with the no-config exit-1 path).KeepEnginesis scope-keyed (llm-gateway/http/mcp-<server>) with a hardcodedapi.anthropic.comgate, not hostname-keyed;grantdocuments theclaudetie-break; token-exchange cache TTL is a 1-minute hard cap, not a 5-minute default; credential host matching strips any port and rejects:in config (the 80/443 semantics belong to network policy); MCP SSE uses a per-chunk-flushing loop, notio.Copy;injected_headersvalues are lowercased.X-Moat-Blocked: keep-policy), 401/403 credential invalidation + 10s cooldown,OTEL_SDK_DISABLED, the daemon-mode/mcp/{token}/{server}path, ALPN negotiation, five missing canonical-log fields,postgresinproxy_type.docs/token-exchange-endpoint.mdde-orphaned and reconciled (singleflight); changelog PR links restored (fix(proxy): match wildcard host patterns in credential lookup #43–fix(otel): stop OTel export failures from flooding INFO logs #47) and a v0.17.1 entry added.Every changed claim was re-verified against code by the fixing agent and independently re-checked in review (including running the new gen-ca.sh on both OpenSSL builds and confirming the
claudetie-break direction againstselectWinners).Verification
go build ./...clean (docs + one shell script; no Go changes)shellcheck examples/gen-ca.shclean