Audit remediation (2026-05-29): functional CLI + framework + doc fidelity #82
Merged
…panics
Empty prefix+path produced the pattern "GET ", panicking http.ServeMux at startup. joinPath never returns "" and collapses double slashes; Resource guards base=="". Adds package-internal regression tests. (audit FW-1)
…s (audit DOC-1/2/3)
…ols with shipped API (audit DOC-3)
- app: resolve admin_auth_database only when !WithoutDefaults
- auth: SameSite=None forces/requires Secure (warn + startup validation)
- nucleus: bound app-level Lifecycle.OnShutdown with a deadline
- router: never emit Allow-Origin:* with Allow-Credentials:true (reflect origin)
… (audit CLI-1/2/3/4, FW-5)
- scaffold: generated go.mod floor go 1.26 + toolchain go1.26.3 (interpolated)
- new: pin framework dep to v0.8.0 (not mutable latest); network build smoke
- generate: fix writeError arity + ResourceHandlers via router.FromHTTP
- contracts: freeze typed consts (typ.Consts); add config/doctor/openapi/wizard
…ces (audit DOC-3)
…+ session handoff
…n FW-4 session test
runGenerate parsed args with fs.Parse(args), so Go's flag pkg stopped at the first positional and silently dropped --out/--force/--migrations after the <kind> <name> (writing into CWD). Now extracts leading positionals then parses, accepting flags before and after. Also fixes a go vet %v-on-func-value in pkg/app/session_fw4_test.go.
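The parsing behaviour this commit message describes, as an added example (not the project's code): the standard `flag` package stops at the first positional, so the loop below alternates between consuming positionals and calling `fs.Parse` on the remainder. The `parseGenerate` and `genOpts` names, the flag types and the defaults are assumptions; only the flag names come from the message.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// genOpts mirrors the flags named in the commit message; the types are assumed.
type genOpts struct {
	Out, Migrations string
	Force           bool
	Positionals     []string // <kind> <name>
}

// parseGenerate accepts flags before, between and after the positionals.
// Limitation: a flag value that is literally "--" is read as the terminator.
func parseGenerate(args []string) (genOpts, error) {
	var o genOpts
	fs := flag.NewFlagSet("generate", flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	fs.StringVar(&o.Out, "out", ".", "output directory")
	fs.StringVar(&o.Migrations, "migrations", "", "migrations directory")
	fs.BoolVar(&o.Force, "force", false, "overwrite existing files")
	for len(args) > 0 {
		if len(args[0]) < 2 || args[0][0] != '-' { // not a flag token
			o.Positionals, args = append(o.Positionals, args[0]), args[1:]
			continue
		}
		// fs.Parse consumes flags and stops at the next positional or "--".
		if err := fs.Parse(args); err != nil {
			return o, err
		}
		rest := fs.Args()
		if args[len(args)-len(rest)-1] == "--" { // terminator: rest is positional
			o.Positionals = append(o.Positionals, rest...)
			break
		}
		args = rest
	}
	if len(o.Positionals) != 2 {
		return o, fmt.Errorf("want <kind> <name>, got %d positionals", len(o.Positionals))
	}
	return o, nil
}

func main() {
	// Constructed command line: flags after the positionals, the case the message describes.
	o, err := parseGenerate([]string{"resource", "post", "--out", "internal/app", "--force"})
	fmt.Printf("%+v %v\n", o, err)
}
```

Returning an error on an unknown flag or a wrong positional count keeps a mistyped `--out` from silently falling back to the current directory.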
…ated consts (FW-5)
The freeze generator now iterates typ.Consts, surfacing previously-unguarded
exported constants: auth {HS256,RS256,ES256}, nucleus ResourceMethod
{Index,Show,Create,Update,Patch,Destroy}, signals {Pre,Post}{Create,Save,Update,Delete},
circuit State{Closed,Open,HalfOpen}, db EngineSQL, plugins Source*, storage
Provider*/Public/Private. Additions only; no removals.
…ck 2)
TestRun_NewProjectScaffold asserted the old `go 1.25` floor; update it to the corrected `go 1.26` + `toolchain go1.26.3` that the scaffolder now emits.
jcsvwinston added a commit that referenced this pull request May 29, 2026
…83)
PR #82 (audit remediation) merged to main as 64897f4. Archive the completed iteration to docs/iterations/2026-05-29-audit-remediation.md, reset CURRENT_ITERATION.md to an awaiting-owner-direction stub (backlog carried forward), and refresh HANDOFF.md.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 31, 2026
jcsvwinston added a commit that referenced this pull request May 31, 2026
Block 8 / Go-version doc fix (audit OTH README go-version cross-check) merged to main as 6ce4831 (PR #88), which closes the entire 2026-05-29 exhaustive audit (Blocks 1-8 all shipped via PRs #82, #86, #88). Archive the iteration directly to docs/iterations/2026-05-29-block8-go-version-docs.md (CURRENT_ITERATION.md was never scoped mid-flight for this small doc fix). Record the completion and the audit-closed milestone in the decisions log, remove the now-done Block 8 item from the maintainer backlog, and refresh HANDOFF.md with the remaining candidate (modules.* env-layer override).
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Remediates the 2026-05-29 exhaustive audit (`docs/audits/2026-05-29-exhaustive-audit.md`): the CLI again scaffolds buildable projects, several framework anomalies are fixed, and the website/guides are made faithful to the shipped API. 11 commits, grouped by block.
Changes
- `Router.Resource("")` no longer panics at startup (`pkg/nucleus/router.go` `joinPath` floors empty to `/` and collapses `//`).
- `go.mod` declares `go 1.26` + `toolchain go1.26.3`; framework dependency pinned to `v0.8.0` (not the floating `latest`); `nucleus generate resource` now emits compiling code (`writeError` arity + `router.FromHTTP` adapter); `generate` honors flags placed before/after the positionals.
- `admin_auth_database` is resolved only when defaults are enabled (`WithoutDefaults` no longer fails on a stray alias); `SameSite=None` requires `Secure` (warn + startup validation); app-level `Lifecycle.OnShutdown` is bounded by a deadline; CORS never emits `Allow-Origin: *` together with `Allow-Credentials: true`.
- `HS256`/`RS256`/`ES256`, nucleus `ResourceMethod`, signals, circuit, db, plugins, storage); the CLI freeze baseline + matrix now cover `config`/`doctor`/`openapi`/`wizard`.
- `.Start()`; ~24 non-existent symbols across website + guides replaced with the shipped API; tasks/scheduler API corrected to the real `pkg/tasks` interfaces.
Verification (all green locally, 2026-05-29)
- `go vet ./...`
- `go test ./...`
- `go test ./internal/cli/...`
- `go test ./contracts/...` (freeze green with the regenerated baseline)
- `cd website && npm run build`
Details under `CHANGELOG.md` `[Unreleased]`. Full findings and rationale in `docs/audits/2026-05-29-exhaustive-audit.md`.
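The CORS rule from the summary above, as an added example (not the framework's code): `*` is never paired with `Access-Control-Allow-Credentials: true`. The `CORSPolicy` type and `apply` method are hypothetical, and the example is deliberately stricter than the commit message's "reflect origin": when credentials are enabled it reflects only origins listed explicitly and ignores a `*` entry.

```go
package main

import (
	"fmt"
	"net/http"
)

// CORSPolicy is a hypothetical config type for this example, not the framework's.
type CORSPolicy struct {
	AllowedOrigins   []string // exact origins; "*" means any origin
	AllowCredentials bool
}

// apply sets CORS response headers for one request and returns the
// Access-Control-Allow-Origin value it chose ("" when none is sent).
func (p CORSPolicy) apply(h http.Header, origin string) string {
	if origin == "" {
		return "" // no Origin header: not a cross-origin request
	}
	allow := ""
	for _, o := range p.AllowedOrigins {
		switch {
		case o == origin:
			allow = origin
		case o == "*" && !p.AllowCredentials && allow == "":
			allow = "*"
		}
	}
	if allow == "" {
		return "" // unlisted origin: a credentialed policy ignores "*"
	}
	h.Set("Access-Control-Allow-Origin", allow)
	if allow != "*" {
		h.Add("Vary", "Origin") // the response now depends on the Origin header
	}
	if p.AllowCredentials {
		h.Set("Access-Control-Allow-Credentials", "true")
	}
	return allow
}

func main() {
	// Constructed policy and origins.
	p := CORSPolicy{AllowedOrigins: []string{"*", "https://app.example"}, AllowCredentials: true}
	for _, origin := range []string{"https://app.example", "https://other.example"} {
		h := http.Header{}
		fmt.Println(origin, "->", p.apply(h, origin), h)
	}
}
```

Reflecting every request origin while sending credentials is equivalent to trusting every site, which is why the credentialed branch here needs an exact match.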