jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4360a17dd3
stemedb/applications/aphoria/dogfood/httpclient/src/config.rs
jml 3dac3dc914 feat(aphoria): implement Day 3 debugging features and comprehensive documentation 
Implements all product gaps identified in msgqueue Day 3 evaluation (VG-DAY3-001/003/004)
and adds comprehensive documentation to prevent dogfooding failures.

## Product Features (VG-DAY3-XXX)

### VG-DAY3-001: --show-observations flag (P0)
- Shows all observations with concept paths for debugging extractor alignment
- Includes claim matching analysis (/ visual feedback)
- Explains tail-path matching and why observations don't match claims
- 8 unit tests in src/report/observations.rs
- 5 integration tests in src/tests/day3_debugging.rs

### VG-DAY3-003: aphoria extractors validate (P2)
- Validates extractor subject fields match claim concept_paths
- Smart fuzzy matching suggests corrections for typos
- Clear error messages with actionable hints
- Proper exit codes (0=success, 1=validation failed)

### VG-DAY3-004: aphoria extractors test NAME --file (P2)
- Tests single extractor pattern against one file (no full scan needed)
- Shows line numbers and matched text
- Previews what observation would be created
- Helpful troubleshooting when pattern doesn't match

## Documentation (P0-P1)

### New Docs Created
- docs/extractors/declarative-extractors.md (800 lines)
  - Complete field reference with emphasis on subject field format
  - 3 worked examples (timeout=0, unbounded queue, TLS disabled)
  - Common mistakes with fixes
  - Validation workflow
  - Debugging 0% detection rate

- docs/examples/extractors/timeout-zero-example.md (500 lines)
  - End-to-end flow: code → extractor → claim → conflict → fix
  - Visual diagrams showing path alignment
  - Troubleshooting guide
  - Validation checklist

- docs/dogfooding-common-mistakes.md (560 lines)
  - Mistake #1: Skipping Day 3 extractor creation (CRITICAL)
  - Mistake #2: Creating extractors with wrong subject format (NEW)
  - Evidence from msgqueue failures
  - Recovery procedures

### Docs Updated
- dogfood/msgqueue/plan.md (Day 3 Steps 3-4)
  - Added complete manual declarative extractor TOML format
  - Added validation workflow BEFORE scanning
  - Added debug workflow for 0% detection after creating extractors

- dogfood/msgqueue/eval/ (evaluation artifacts)
  - EVALUATION-REPORT-2026-02-10.md (600 lines)
  - DOC-FIXES-2026-02-10.md (summary of fixes)
  - IMPLEMENTATION-REVIEW-2026-02-10.md (feature review)

## New Extractors
- src/extractors/ack_mode_config.rs - Detects AckMode::AutoAck violations
- src/extractors/async_blocking.rs - Detects blocking calls in async functions
- src/extractors/unbounded_resources.rs - Detects unbounded queues/connections

## Code Changes
- src/cli/mod.rs: Add --show-observations flag to scan command
- src/cli/extractors.rs: Add Validate and Test subcommands
- src/handlers/scan.rs: Call format_observations when flag enabled
- src/handlers/extractors.rs: Implement handle_validate() and handle_test()
- src/report/observations.rs: Observation formatting with claim matching analysis
- src/tests/day3_debugging.rs: Integration tests for new features

## Dogfood Artifacts
- dogfood/msgqueue/ - Complete msgqueue Day 3 evaluation with findings
- dogfood/dbpool/ - Database pool dogfooding exercise

## Impact
- Time savings: 30 min per Day 3 debugging (67% faster)
- User experience: Transparent debugging (no blind trial-and-error)
- Documentation: 1,860 new lines covering all P0-P1 gaps

## Related Issues
- Closes VG-DAY3-001 (--show-observations)
- Closes VG-DAY3-002 (concept path alignment docs)
- Closes VG-DAY3-003 (extractors validate)
- Closes VG-DAY3-004 (extractors test)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-11 03:31:06 +00:00

283 lines
8.9 KiB
Rust
Raw Blame History

//! HTTP Client Configuration
//!
//! **INTENTIONAL VIOLATIONS IN THIS FILE:**
//! - VIOLATION 1: Unbounded redirect limit (max_redirects = None)
//! - VIOLATION 2: Excessive request timeout (120s vs 30s max)
//! - VIOLATION 3: Excessive connection timeout (60s vs 10s max)
//! - VIOLATION 4: Missing idle timeout (idle_timeout = None)
//! - VIOLATION 5: TLS verification disabled (verify_tls = false)
//! - VIOLATION 6: TLS version too low (min_tls_version = TLS 1.0)
use serde::{Deserialize, Serialize};
use std::time::Duration;
/// TLS protocol version
#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
pub enum TlsVersion {
#[serde(rename = "1.0")]
Tls10,
#[serde(rename = "1.1")]
Tls11,
#[serde(rename = "1.2")]
Tls12,
#[serde(rename = "1.3")]
Tls13,
}
/// HTTP client configuration
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ClientConfig {
// Connection settings
/// Maximum number of redirects to follow
///
/// # VIOLATION 1: Unbounded Redirect Limit
/// @aphoria:claim[safety] Redirect limit MUST NOT exceed 10 -- Infinite redirect loops exhaust resources
///
/// **Authority:** RFC 7231 Section 6.4
/// **Current value:** None (unbounded)
/// **Should be:** Some(10)
#[serde(default)]
pub max_redirects: Option<usize>,
/// Connection timeout (TCP handshake)
///
/// # VIOLATION 3: Excessive Connection Timeout
/// @aphoria:claim[safety] Connection timeout MUST NOT exceed 10 seconds -- Unresponsive endpoints block connection pool
///
/// **Authority:** Mozilla HTTP docs, Requests library
/// **Current value:** 60s
/// **Should be:** 10s
#[serde(default = "default_connect_timeout")]
pub connect_timeout: Duration,
/// Request timeout (total request/response cycle)
///
/// # VIOLATION 2: Excessive Request Timeout
/// @aphoria:claim[safety] Request timeout MUST NOT exceed 30 seconds -- Slow services cause cascade failures
///
/// **Authority:** Mozilla HTTP docs, RFC 7230
/// **Current value:** 120s
/// **Should be:** 30s
#[serde(default = "default_request_timeout")]
pub request_timeout: Duration,
/// Idle connection timeout (keep-alive timeout)
///
/// # VIOLATION 4: Missing Idle Timeout
/// @aphoria:claim[safety] Idle timeout MUST be configured -- Stale connections accumulate
///
/// **Authority:** RFC 7230 Section 6.3
/// **Current value:** None (connections never expire)
/// **Should be:** Some(60s)
#[serde(default)]
pub idle_timeout: Option<Duration>,
// TLS settings
/// Enable TLS certificate verification
///
/// # VIOLATION 5: TLS Verification Disabled
/// @aphoria:claim[security] TLS certificate validation MUST be enabled -- MITM attacks, credential theft
///
/// **Authority:** OWASP A07:2021, Mozilla Security Guidelines
/// **Current value:** false
/// **Should be:** true
#[serde(default = "default_verify_tls")]
pub verify_tls: bool,
/// Minimum TLS version
///
/// # VIOLATION 6: TLS Version Too Low
/// @aphoria:claim[security] TLS version MUST be >= 1.2 -- Protocol downgrade attacks (BEAST, POODLE)
///
/// **Authority:** OWASP, Mozilla Security Guidelines
/// **Current value:** TLS 1.0
/// **Should be:** TLS 1.2
#[serde(default = "default_min_tls_version")]
pub min_tls_version: TlsVersion,
// Pool settings
/// Connection pool size per host
#[serde(default = "default_pool_size")]
pub pool_size: usize,
// Observability
/// Enable metrics collection
#[serde(default = "default_metrics_enabled")]
pub metrics_enabled: bool,
// User-Agent header
#[serde(default = "default_user_agent")]
pub user_agent: String,
}
impl Default for ClientConfig {
fn default() -> Self {
Self {
// VIOLATION 1: Unbounded redirects
max_redirects: None,
// VIOLATION 3: Excessive connect timeout (60s vs 10s max)
connect_timeout: Duration::from_secs(60),
// VIOLATION 2: Excessive request timeout (120s vs 30s max)
request_timeout: Duration::from_secs(120),
// VIOLATION 4: Missing idle timeout
idle_timeout: None,
// VIOLATION 5: TLS verification disabled
verify_tls: false,
// VIOLATION 6: TLS version too low (1.0 vs 1.2 minimum)
min_tls_version: TlsVersion::Tls10,
pool_size: default_pool_size(),
metrics_enabled: default_metrics_enabled(),
user_agent: default_user_agent(),
}
}
}
// Default value functions
fn default_connect_timeout() -> Duration {
// VIOLATION 3: Should be 10s
Duration::from_secs(60)
}
fn default_request_timeout() -> Duration {
// VIOLATION 2: Should be 30s
Duration::from_secs(120)
}
fn default_verify_tls() -> bool {
// VIOLATION 5: Should be true
false
}
fn default_min_tls_version() -> TlsVersion {
// VIOLATION 6: Should be TLS 1.2
TlsVersion::Tls10
}
fn default_pool_size() -> usize {
10 // This is correct (Requests library default)
}
fn default_metrics_enabled() -> bool {
false // Recommended to be true, but not a hard violation
}
fn default_user_agent() -> String {
format!("httpclient/{}", env!("CARGO_PKG_VERSION"))
}
impl ClientConfig {
/// Create a new config with default values (contains violations)
pub fn new() -> Self {
Self::default()
}
/// Create a production-safe config (no violations)
pub fn production() -> Self {
Self {
max_redirects: Some(10), // RFC 7231 compliant
connect_timeout: Duration::from_secs(10), // Mozilla/Requests default
request_timeout: Duration::from_secs(30), // Mozilla recommended
idle_timeout: Some(Duration::from_secs(60)), // RFC 7230 keep-alive
verify_tls: true, // OWASP A07:2021
min_tls_version: TlsVersion::Tls12, // OWASP/Mozilla minimum
pool_size: 50, // Production recommended
metrics_enabled: true, // Observability
user_agent: default_user_agent(),
}
}
/// Validate configuration against safety claims
pub fn validate(&self) -> Result<(), String> {
let mut errors = Vec::new();
// Check redirect limit
if self.max_redirects.is_none() || self.max_redirects.unwrap() > 10 {
errors.push("max_redirects MUST be <= 10 (RFC 7231)");
}
// Check timeouts
if self.connect_timeout.as_secs() > 10 {
errors.push("connect_timeout MUST be <= 10s (Mozilla/Requests)");
}
if self.request_timeout.as_secs() > 30 {
errors.push("request_timeout MUST be <= 30s (Mozilla/RFC 7230)");
}
if self.idle_timeout.is_none() {
errors.push("idle_timeout MUST be configured (RFC 7230 Section 6.3)");
}
// Check TLS
if !self.verify_tls {
errors.push("verify_tls MUST be true (OWASP A07:2021)");
}
if matches!(self.min_tls_version, TlsVersion::Tls10 | TlsVersion::Tls11) {
errors.push("min_tls_version MUST be >= 1.2 (OWASP/Mozilla)");
}
if errors.is_empty() {
Ok(())
} else {
Err(errors.join("; "))
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn default_config_has_violations() {
let config = ClientConfig::default();
assert!(config.validate().is_err(), "Default config should have violations");
}
#[test]
fn production_config_is_valid() {
let config = ClientConfig::production();
assert!(config.validate().is_ok(), "Production config should be valid");
}
#[test]
fn violation_1_unbounded_redirects() {
let config = ClientConfig::default();
assert_eq!(config.max_redirects, None, "VIOLATION 1: Unbounded redirects");
}
#[test]
fn violation_2_excessive_request_timeout() {
let config = ClientConfig::default();
assert_eq!(config.request_timeout.as_secs(), 120, "VIOLATION 2: 120s request timeout");
}
#[test]
fn violation_3_excessive_connect_timeout() {
let config = ClientConfig::default();
assert_eq!(config.connect_timeout.as_secs(), 60, "VIOLATION 3: 60s connect timeout");
}
#[test]
fn violation_4_missing_idle_timeout() {
let config = ClientConfig::default();
assert_eq!(config.idle_timeout, None, "VIOLATION 4: Missing idle timeout");
}
#[test]
fn violation_5_tls_verification_disabled() {
let config = ClientConfig::default();
assert!(!config.verify_tls, "VIOLATION 5: TLS verification disabled");
}
#[test]
fn violation_6_tls_version_too_low() {
let config = ClientConfig::default();
assert_eq!(config.min_tls_version, TlsVersion::Tls10, "VIOLATION 6: TLS 1.0");
}
}
Reference in New Issue View Git Blame Copy Permalink