jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3dac3dc914
stemedb/applications/aphoria/dogfood/httpclient/.aphoria/claims.toml
jml 3dac3dc914 feat(aphoria): implement Day 3 debugging features and comprehensive documentation 
Implements all product gaps identified in msgqueue Day 3 evaluation (VG-DAY3-001/003/004)
and adds comprehensive documentation to prevent dogfooding failures.

## Product Features (VG-DAY3-XXX)

### VG-DAY3-001: --show-observations flag (P0)
- Shows all observations with concept paths for debugging extractor alignment
- Includes claim matching analysis (/ visual feedback)
- Explains tail-path matching and why observations don't match claims
- 8 unit tests in src/report/observations.rs
- 5 integration tests in src/tests/day3_debugging.rs

### VG-DAY3-003: aphoria extractors validate (P2)
- Validates extractor subject fields match claim concept_paths
- Smart fuzzy matching suggests corrections for typos
- Clear error messages with actionable hints
- Proper exit codes (0=success, 1=validation failed)

### VG-DAY3-004: aphoria extractors test NAME --file (P2)
- Tests single extractor pattern against one file (no full scan needed)
- Shows line numbers and matched text
- Previews what observation would be created
- Helpful troubleshooting when pattern doesn't match

## Documentation (P0-P1)

### New Docs Created
- docs/extractors/declarative-extractors.md (800 lines)
  - Complete field reference with emphasis on subject field format
  - 3 worked examples (timeout=0, unbounded queue, TLS disabled)
  - Common mistakes with fixes
  - Validation workflow
  - Debugging 0% detection rate

- docs/examples/extractors/timeout-zero-example.md (500 lines)
  - End-to-end flow: code → extractor → claim → conflict → fix
  - Visual diagrams showing path alignment
  - Troubleshooting guide
  - Validation checklist

- docs/dogfooding-common-mistakes.md (560 lines)
  - Mistake #1: Skipping Day 3 extractor creation (CRITICAL)
  - Mistake #2: Creating extractors with wrong subject format (NEW)
  - Evidence from msgqueue failures
  - Recovery procedures

### Docs Updated
- dogfood/msgqueue/plan.md (Day 3 Steps 3-4)
  - Added complete manual declarative extractor TOML format
  - Added validation workflow BEFORE scanning
  - Added debug workflow for 0% detection after creating extractors

- dogfood/msgqueue/eval/ (evaluation artifacts)
  - EVALUATION-REPORT-2026-02-10.md (600 lines)
  - DOC-FIXES-2026-02-10.md (summary of fixes)
  - IMPLEMENTATION-REVIEW-2026-02-10.md (feature review)

## New Extractors
- src/extractors/ack_mode_config.rs - Detects AckMode::AutoAck violations
- src/extractors/async_blocking.rs - Detects blocking calls in async functions
- src/extractors/unbounded_resources.rs - Detects unbounded queues/connections

## Code Changes
- src/cli/mod.rs: Add --show-observations flag to scan command
- src/cli/extractors.rs: Add Validate and Test subcommands
- src/handlers/scan.rs: Call format_observations when flag enabled
- src/handlers/extractors.rs: Implement handle_validate() and handle_test()
- src/report/observations.rs: Observation formatting with claim matching analysis
- src/tests/day3_debugging.rs: Integration tests for new features

## Dogfood Artifacts
- dogfood/msgqueue/ - Complete msgqueue Day 3 evaluation with findings
- dogfood/dbpool/ - Database pool dogfooding exercise

## Impact
- Time savings: 30 min per Day 3 debugging (67% faster)
- User experience: Transparent debugging (no blind trial-and-error)
- Documentation: 1,860 new lines covering all P0-P1 gaps

## Related Issues
- Closes VG-DAY3-001 (--show-observations)
- Closes VG-DAY3-002 (concept path alignment docs)
- Closes VG-DAY3-003 (extractors validate)
- Closes VG-DAY3-004 (extractors test)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-11 03:31:06 +00:00

352 lines
12 KiB
TOML
Raw Blame History

[[claim]]
id = "httpclient-connect-timeout-001"
concept_path = "httpclient/connect_timeout"
predicate = "max_value"
value = 10.0
comparison = "equals"
provenance = "Mozilla HTTP docs + Requests library (10s connect timeout)"
invariant = "TCP connection timeout MUST NOT exceed 10 seconds"
consequence = "Unresponsive endpoints block connection establishment"
authority_tier = "expert"
evidence = ["Mozilla HTTP guidelines, Requests library default"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-request-timeout-001"
concept_path = "httpclient/request_timeout"
predicate = "max_value"
value = 30.0
comparison = "equals"
provenance = "Mozilla HTTP docs (30s recommended), aligned with dbpool timeout pattern"
invariant = "HTTP request timeout MUST NOT exceed 30 seconds"
consequence = "Slow external services block thread pool, cascade failures"
authority_tier = "expert"
evidence = ["Mozilla HTTP guidelines, RFC 7230"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-read-timeout-001"
concept_path = "httpclient/read_timeout"
predicate = "max_value"
value = 30.0
comparison = "equals"
provenance = "Mozilla HTTP docs (15-30s for response body reading)"
invariant = "Response body read timeout MUST NOT exceed 30 seconds"
consequence = "Slow streaming responses block thread pool"
authority_tier = "expert"
evidence = ["Mozilla HTTP guidelines"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-idle-timeout-001"
concept_path = "httpclient/idle_timeout"
predicate = "required"
value = true
comparison = "equals"
provenance = "RFC 7230 Section 6.3 (persistent connections), reused from dbpool/idle_timeout pattern"
invariant = "Idle connection timeout MUST be configured"
consequence = "Stale connections accumulate, waste resources"
authority_tier = "expert"
evidence = ["RFC 7230 Section 6.3, dbpool pattern alignment"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-idle-timeout-default-001"
concept_path = "httpclient/idle_timeout"
predicate = "default_value"
value = 60.0
comparison = "equals"
provenance = "Mozilla HTTP docs + RFC 7230 (60s aligns with server keep-alive)"
invariant = "Idle timeout default SHOULD be 60 seconds"
consequence = "Too short closes connections prematurely, too long wastes resources"
authority_tier = "community"
evidence = ["Mozilla HTTP guidelines, RFC 7230"]
category = "constants"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-tls-cert-validation-001"
concept_path = "httpclient/tls/certificate_validation"
predicate = "required"
value = true
comparison = "equals"
provenance = "OWASP A07:2021 + Mozilla Security Guidelines, reused from dbpool pattern"
invariant = "HTTPS connections MUST validate server certificates"
consequence = "Man-in-the-middle attacks, credential exposure"
authority_tier = "expert"
evidence = ["OWASP A07:2021, Mozilla HTTPS guidelines, Requests library default"]
category = "security"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-tls-enabled-001"
concept_path = "httpclient/tls/enabled"
predicate = "recommended"
value = true
comparison = "equals"
provenance = "Security best practice, reused from dbpool pattern"
invariant = "HTTPS SHOULD be enabled by default for all connections"
consequence = "Unencrypted traffic exposes sensitive data (credentials, PII)"
authority_tier = "community"
evidence = ["Mozilla Security Guidelines, OWASP"]
category = "security"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-tls-min-version-001"
concept_path = "httpclient/tls/min_version"
predicate = "min_value"
value = 1.2
comparison = "equals"
provenance = "OWASP + Mozilla Security Guidelines (TLS 1.2 minimum as of 2023)"
invariant = "TLS version MUST be >= 1.2 (TLS 1.0/1.1 deprecated)"
consequence = "Vulnerable to protocol downgrade attacks (BEAST, POODLE)"
authority_tier = "expert"
evidence = ["OWASP TLS cheat sheet, Mozilla guidelines"]
category = "security"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-tls-ciphers-001"
concept_path = "httpclient/tls/cipher_suites"
predicate = "recommended"
value = "modern_only"
comparison = "equals"
provenance = "Mozilla Security Guidelines (ECDHE, AES-GCM preferred)"
invariant = "TLS cipher suites SHOULD use modern ciphers only"
consequence = "Weak ciphers (RC4, 3DES, MD5) enable decryption attacks"
authority_tier = "community"
evidence = ["Mozilla Security Guidelines"]
category = "security"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-max-redirects-001"
concept_path = "httpclient/max_redirects"
predicate = "max_value"
value = 10.0
comparison = "equals"
provenance = "RFC 7231 Section 6.4 (10 redirects recommended), pattern from dbpool/max_connections"
invariant = "HTTP redirect limit MUST NOT exceed 10"
consequence = "Infinite redirect loops exhaust client resources"
authority_tier = "expert"
evidence = ["RFC 7231 Section 6.4"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-redirect-loop-001"
concept_path = "httpclient/redirects/loop_detection"
predicate = "required"
value = true
comparison = "equals"
provenance = "Requests library pattern (TooManyRedirects exception)"
invariant = "Redirect loop detection MUST be implemented"
consequence = "Without detection, infinite loops exhaust resources"
authority_tier = "expert"
evidence = ["Requests library implementation, RFC 7231"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-retry-max-001"
concept_path = "httpclient/retry/max_attempts"
predicate = "max_value"
value = 3.0
comparison = "equals"
provenance = "Requests library default + Mozilla guidelines (3 retries max)"
invariant = "Retry attempts MUST NOT exceed 3"
consequence = "Unlimited retries cause retry storms, amplify cascading failures"
authority_tier = "expert"
evidence = ["Requests library default, Mozilla HTTP guidelines"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-retry-backoff-001"
concept_path = "httpclient/retry/backoff"
predicate = "required"
value = "exponential"
comparison = "equals"
provenance = "Requests library pattern (exponential backoff 1s, 2s, 4s)"
invariant = "Retry backoff MUST use exponential strategy"
consequence = "Fixed-interval retries amplify load spikes during outages"
authority_tier = "expert"
evidence = ["Requests library urllib3.util.retry"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-retry-idempotent-001"
concept_path = "httpclient/retry/idempotent_only"
predicate = "required"
value = true
comparison = "equals"
provenance = "Mozilla HTTP docs + Requests library (only retry GET/PUT/DELETE)"
invariant = "Retries MUST only apply to idempotent methods"
consequence = "Retrying POST requests may cause duplicate operations (charges, bookings)"
authority_tier = "expert"
evidence = ["Mozilla HTTP guidelines, Requests library default"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-retry-post-excluded-001"
concept_path = "httpclient/retry/post_excluded"
predicate = "required"
value = true
comparison = "equals"
provenance = "Requests library default (never retry POST by default)"
invariant = "POST requests MUST be excluded from automatic retries"
consequence = "Retrying POST can cause duplicate charges, bookings, state mutations"
authority_tier = "expert"
evidence = ["Requests library implementation"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-metrics-enabled-001"
concept_path = "httpclient/metrics/enabled"
predicate = "recommended"
value = true
comparison = "equals"
provenance = "Observability best practice, reused from dbpool pattern"
invariant = "Metrics collection SHOULD be enabled for production HTTP clients"
consequence = "Cannot monitor client health, debug production issues, or detect cascades"
authority_tier = "community"
evidence = ["Prometheus best practices, SRE handbook, dbpool pattern"]
category = "observability"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-metrics-exposed-001"
concept_path = "httpclient/metrics/exposed"
predicate = "required"
value = "request_count,active_connections,latency_p99,error_rate"
comparison = "equals"
provenance = "RED method (Rate, Errors, Duration), adapted from dbpool/metrics/exposed"
invariant = "Core HTTP metrics MUST be exposed: request_count, active_connections, latency_p99, error_rate"
consequence = "Incomplete observability prevents production debugging and SLO tracking"
authority_tier = "community"
evidence = ["RED method (Prometheus), dbpool pattern alignment"]
category = "observability"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-pool-size-001"
concept_path = "httpclient/pool_size"
predicate = "recommended_range"
value = "50-100"
comparison = "equals"
provenance = "Mozilla HTTP docs (50-100 connections per host for production)"
invariant = "Connection pool size SHOULD be 50-100 per host in production"
consequence = "Too few limits throughput, too many causes resource exhaustion"
authority_tier = "community"
evidence = ["Mozilla HTTP guidelines"]
category = "constants"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-pool-default-size-001"
concept_path = "httpclient/pool/default_size"
predicate = "default_value"
value = 10.0
comparison = "equals"
provenance = "Requests library default (10 connections via urllib3)"
invariant = "Default pool size SHOULD be 10 connections per host"
consequence = "Default works for most cases, high-concurrency apps need tuning"
authority_tier = "community"
evidence = ["Requests library urllib3.poolmanager default"]
category = "constants"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-connection-pooling-001"
concept_path = "httpclient/sessions/connection_pooling"
predicate = "recommended"
value = true
comparison = "equals"
provenance = "Requests library best practice (use Session() for connection reuse)"
invariant = "Connection pooling SHOULD be enabled for multi-request scenarios"
consequence = "Without pooling, every request pays TCP + TLS handshake cost"
authority_tier = "community"
evidence = ["Requests library Session documentation"]
category = "architecture"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-user-agent-001"
concept_path = "httpclient/headers/user_agent"
predicate = "required"
value = true
comparison = "equals"
provenance = "Mozilla HTTP docs (always send User-Agent header)"
invariant = "User-Agent header MUST be sent with all requests"
consequence = "Servers may block or rate-limit requests without User-Agent"
authority_tier = "community"
evidence = ["Mozilla HTTP guidelines"]
category = "architecture"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
[[claim]]
id = "httpclient-error-handling-001"
concept_path = "httpclient/error_handling/request_failure"
predicate = "must"
value = "return_error_not_panic"
comparison = "equals"
provenance = "Robustness pattern, reused from dbpool/error_handling/connection_failure"
invariant = "HTTP request failures MUST return Result, NEVER panic"
consequence = "Unhandled panics crash the application"
authority_tier = "expert"
evidence = ["Rust error handling best practices, dbpool pattern"]
category = "safety"
status = "active"
created_by = "aphoria-suggest"
created_at = "2026-02-10T04:09:22Z"
Reference in New Issue View Git Blame Copy Permalink