# Gap Analysis: Scan v1

**Date:** 2026-02-11
**Scan:** scan-v1.json
**Detection Rate:** 0% (0/10 violations detected)

## Violations vs Detection

| # | Violation | Claim ID | File:Line | Detected? | Why Not? | Extractor Needed |
|---|-----------|----------|-----------|-----------|----------|------------------|
| 1 | Key injection | cache-key-validation-001 | client.rs:27 | ❌ | No key validation checker | `key_validation_check.toml` |
| 2 | TLS disabled | cache-tls-validation-001 | config.rs:23 | ❌ | No `verify_tls: false` detector | `tls_verification_check.toml` |
| 3 | Hardcoded password | cache-hardcoded-password-001 | config.rs:18 | ❌ | Built-in secrets extractor may not match pattern | `hardcoded_password_check.toml` |
| 4 | Missing TTL | cache-ttl-required-001 | client.rs:66 | ❌ | No SET without EX/PX detector | `ttl_presence_check.toml` |
| 5 | Unbounded size | cache-max-size-001 | config.rs:32 | ❌ | No `max_size: None` detector | `max_size_check.toml` |
| 6 | Sync blocking | cache-async-blocking-001 | client.rs:105 | ❌ | No blocking in async detector | `async_blocking_check.toml` |
| 7 | No eviction | cache-eviction-policy-001 | config.rs:37 | ❌ | No `eviction_policy: None` detector | `eviction_policy_check.toml` |
| 8 | Zero timeout | cache-timeout-001 | config.rs:27 | ❌ | No `Duration::from_secs(0)` detector | `timeout_check.toml` |
| 9 | No pooling | cache-max-connections-001 | client.rs:30 | ❌ | No connection-per-request detector | `connection_pool_check.toml` |
| 10 | No metrics | cache-metrics-enabled-001 | config.rs:42 | ❌ | No `metrics_enabled: false` detector | `metrics_check.toml` |

## Summary

- **Violations embedded:** 10
- **Detected by built-in extractors:** 0
- **Missing (need custom extractors):** 10 (100%)

## Extractor Creation Plan

All 10 violations need custom extractors. Priority by category:

### Security (3 extractors):
1. `key_validation_check.toml` - Detect missing `validate_key()` call
2. `tls_verification_check.toml` - Detect `verify_tls: false`
3. `hardcoded_password_check.toml` - Detect `password: "secret123"`

### Performance (3 extractors):
4. `ttl_presence_check.toml` - Detect `SET` without `EX`/`PX`
5. `max_size_check.toml` - Detect `max_size: None`
6. `async_blocking_check.toml` - Detect `get_connection()` in async fn

### Correctness (3 extractors):
7. `eviction_policy_check.toml` - Detect `eviction_policy: None`
8. `timeout_check.toml` - Detect `Duration::from_secs(0)`
9. `connection_pool_check.toml` - Detect repeated `get_multiplexed_async_connection()`

### Observability (1 extractor):
10. `metrics_check.toml` - Detect `metrics_enabled: false`

## Next Step: Phase 4 Extractor Creation

Use `/aphoria-custom-extractor-creator` for each of the 10 missing patterns.

**Target:** Create all 10 extractors in ~40 minutes (4 min per extractor)