Skip to content

fix: address pre-merge audit findings (WASM drift, RLS PII, FFI panics, config, tests)#150

Merged
daharoni merged 2 commits into
mainfrom
audit/fixes
Jun 8, 2026
Merged

fix: address pre-merge audit findings (WASM drift, RLS PII, FFI panics, config, tests)#150
daharoni merged 2 commits into
mainfrom
audit/fixes

Conversation

@daharoni

@daharoni daharoni commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Sweep across the codebase resolving the highest-priority items from a pre-merge audit. No behavior change for valid inputs; the WASM binding surface is byte-identical. Full local CI equivalent passes (278 JS + 125 Rust tests, format/lint/typecheck/clippy/fmt).

Changes

1. Stale WASM artifact (CRITICAL)

crates/solver/pkg/ was force-added against its own * gitignore, so local rebuilds were invisible to git status and the committed binary drifted ~2 months behind the Rust source — every dev checkout and all of CI typechecked/tested the apps against a stale binding.

  • Untrack pkg/ (build-only, matching the existing intent).
  • Add scripts/ensure-wasm.mjs — rebuilds only when missing/stale — wired as predev/pretypecheck/pretest/prebuild:apps.
  • Give both check jobs (ci.yml + deploy.yml) the Rust + wasm-pack toolchain so the binding is always built fresh.

2. Submission PII read access (HIGH)

catune/cadecon submission tables granted anon SELECT USING (true) over orcid/lab_name/notes — anyone with the public key could deanonymize contributors.

  • Migration 010: base-table SELECT → owner+admin; PII-free *_public views for browsing.
  • App reads repointed to the views; writes/deletes stay on base tables.
  • +9 RLS matrix assertions; existing cross-user tests updated for owner-scoped reads.

3. FFI panic surfaces (HIGH)

  • simulate clamps bins_per_frame >= 1 (was degenerate for low spike rates).
  • WASM/PyO3 kernel-estimation wrappers validate array lengths and throw JsError / raise PyValueError instead of aborting the module; core has defensive guards + debug_assert.
  • (The audit's "downsample factor==0 panic" was a false positive — already guarded.)

4. Config-overridable tuning params

  • CaDecon inner-loop FISTA params → algorithm-store signals (identical defaults).
  • Python kernel-length 5.0 → named constant.

5. Cleanup + coverage

  • Broaden .gitignore (crates/*/target, crates/*/pkg, .test_data, .playwright-mcp) — silences orphan dirs.
  • Add 9 worker-pool state-machine tests (queue/priority/cancel/dispose).

⚠️ Deploy ordering

Migration 010 must be applied to the production Supabase project before deploying this app build — the apps now read *_public views that don't exist until 010 runs.

Deferred (flagged, not in this PR)

  • ~20 Rust-internal tuning constants (threading them through config would change the binding surface — separate effort).
  • Recording FISTA params in submission metadata (needs a schema migration).
  • Audit Medium/Low items: geo-session error leak, is_admin() search_path, bandpass_filter silent no-op, cross-language test tolerances.

🤖 Generated with Claude Code

daharoni and others added 2 commits June 8, 2026 13:28
@daharoni @claude
fix: address pre-merge audit findings (WASM drift, RLS PII, FFI panic…
2ad6861 
…s, config, tests)

Sweep across the codebase resolving the highest-priority audit items:

1. Stale WASM (critical): the committed crates/solver/pkg/ was force-added
   against its own `*` gitignore, so local rebuilds were invisible to git and
   the binary drifted ~2 months behind the Rust source. Untrack pkg/, add
   scripts/ensure-wasm.mjs (rebuilds only when stale) wired as pre-hooks for
   dev/typecheck/test/build:apps, and give both CI `check` jobs the
   Rust+wasm-pack toolchain so the binding is always built fresh.

2. Submission PII (high): migration 010 restricts catune/cadecon base-table
   SELECT to owner+admin and exposes PII-free *_public views for community
   browsing (omits orcid/lab_name/notes). App reads repointed to the views;
   writes/deletes stay on the base tables. Adds 9 RLS matrix assertions.

3. FFI panic surfaces (high): clamp simulate bins_per_frame >= 1; validate
   array lengths in the WASM/PyO3 kernel-estimation wrappers (throw JsError /
   raise PyValueError instead of aborting the module); defensive guards +
   debug_assert in the core. (Audit's downsample factor==0 was a false
   positive — already guarded.)

4. Config-overridable tuning params: CaDecon inner-loop FISTA params moved to
   algorithm-store signals (identical defaults); Python kernel-length 5.0 ->
   named constant.

5. Cleanup + coverage: broaden .gitignore (crates/*/target, crates/*/pkg,
   .test_data, .playwright-mcp); add worker-pool state-machine tests.

No behavior change for valid inputs; WASM binding surface is byte-identical.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@daharoni @claude
style: prettier-format supabase README migration table
56fecdb 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@daharoni daharoni merged commit 14ebf37 into main Jun 8, 2026
6 checks passed
@daharoni daharoni deleted the audit/fixes branch June 8, 2026 20:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@daharoni