SRE peer audit identified 4 concerns + 3 immediate actions; applied in 6
independent PRs (#3-#8) on hardening/audit-* branches.
Fixed:
- Trust I/O fail-closed: load_or_default returns Result<_, TrustStoreError>
- Sync sub-second mtime precision: Mtime { secs, nanos } round-trip via filetime
- Sync walkdir error propagation: explicit iter instead of .filter_map(|e| e.ok())
- RateLimiter set_limit(0) clamps to DEFAULT_RATE_PER_MIN
- ALPN derives from DEFAULT_ALPN via default_alpn_bytes() helper
- CI actions SHA-pinned (verified via git ls-remote):
- actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
- actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f (v4.2.1)
- dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 (stable)
- CI persist-credentials: false, concurrency.cancel-in-progress,
permissions: contents: read, --locked, fmt + clippy gates
- README.md: src/quic.rs -> src/quic/
Added:
- SECURITY.md disclosure channel (opensource@loust.pro, 48h SLA, 90d coord)
- docs/SECURITY-MODEL.md threat model + hardening posture table
Rejected (peer claim, audited false):
- verify_ticket not validating expected VK — src/session.rs:verify_ticket
already takes expected_vk as parameter and uses it directly. No-op.
Deferred (deuda tecnica for v0.3.0):
- NonceStore + RateLimiter std::sync::Mutex contention. Trigger documented
in docs/SECURITY-MODEL.md: sustained >100 handshakes/sec OR
profile-identified hot spot.
Test count: 48 -> 54 passing (+6 new tests covering each fix). All PRs
CI-green via CodeRabbit + cargo test.