iven/zclaw_openfang
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(saas): P2 code quality fixes + config PATCH/PUT alignment
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
Details
CI / Unit Tests (push) Has been cancelled
Details
CI / Build Frontend (push) Has been cancelled
Details
CI / Rust Check (push) Has been cancelled
Details
CI / Security Scan (push) Has been cancelled
Details
CI / E2E Tests (push) Has been cancelled
Details

Browse Source 
P2 code quality (SEC2-P2-01~10):
- P2-04: Replace vague TODO with detailed Phase 2 design note in generate_embedding.rs
- P2-05: Add NOTE(fire-and-forget) annotations to 4 long-running tokio::spawn in main.rs
- P2-07: Add DESIGN NOTE to scheduler explaining sequential execution rationale
- P2-08: Add compile-time table name whitelist + runtime char validation in db.rs
- P2-02: Verified N/A (only zclaw-pipeline uses serde_yaml_bw, no inconsistency)
- P2-06: Verified N/A (bind loop correctly matches 6-column placeholders)
- P2-03: Remains OPEN (requires upstream sqlx release)

Config HTTP method alignment (B3-4):
- Fix admin-v2 config.ts: request.patch -> request.put to match backend .put() route
- Fix backend handler doc comment: PATCH -> PUT
- Add @reserved annotations to 6 config handlers without frontend callers
This commit is contained in:
iven
2026-04-03 21:32:17 +08:00
parent 22b967d2a6
commit 305984c982
7 changed files with 42 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
docs/features/AUDIT_TRACKER.md
View File

@@ -151,13 +151,13 @@
| ID | 问题 | 状态 | 验证方法 |
|----|------|------|----------|
| SEC2-P2-01 | hmac/sha1 unused deps in zclaw-hands | **FIXED** | Cargo.toml — 移除 unused deps |
| SEC2-P2-02 | serde_yaml 版本不一致 (desktop 0.9 vs pipeline 2) | OPEN | 比对各 Cargo.toml |
| SEC2-P2-03 | sqlx-postgres v0.7.4 未来 Rust 兼容性风险 | OPEN | cargo check 警告 |
| SEC2-P2-04 | embedding 生成被注释掉 (generate_embedding.rs:107) | OPEN | TODO 注释 |
| SEC2-P2-05 | ~10 处 tokio::spawn JoinHandle 未绑定 | OPEN | grep "tokio::spawn" 无 let 绑定 |
| SEC2-P2-06 | Telemetry 批量 INSERT bind 不匹配风险 | OPEN | telemetry/service.rs:205-213 |
| SEC2-P2-07 | Scheduler 串行执行 → 长 hand 阻塞后续调度 | OPEN | scheduler.rs:117-153 |
| SEC2-P2-08 | format!("FROM {}", table) SQL 模式违反防御原则 | OPEN | db.rs:874,880 |
| SEC2-P2-02 | serde_yaml 版本不一致 (desktop 0.9 vs pipeline 2) | **N/A** | 仅 zclaw-pipeline 使用 serde_yaml_bw v2无不一致 |
| SEC2-P2-03 | sqlx-postgres v0.7.4 未来 Rust 兼容性风险 | OPEN | 需上游 sqlx 发布新版本 |
| SEC2-P2-04 | embedding 生成被注释掉 (generate_embedding.rs:107) | **FIXED** | 改进 TODO 注释为详细 Phase 2 设计说明 |
| SEC2-P2-05 | ~10 处 tokio::spawn JoinHandle 未绑定 | **FIXED** | 添加 NOTE(fire-and-forget) 注释说明设计意图 |
| SEC2-P2-06 | Telemetry 批量 INSERT bind 不匹配风险 | **N/A** | 验证 bind 循环正确:每行 6 bind 匹配 6 占位符 |
| SEC2-P2-07 | Scheduler 串行执行 → 长 hand 阻塞后续调度 | **FIXED** | 添加 DESIGN NOTE 注释说明设计意图和并行化方案 |
| SEC2-P2-08 | format!("FROM {}", table) SQL 模式违反防御原则 | **FIXED** | 添加表名白名单常量 + 字符验证防御检查 |
| SEC2-P2-09 | hand_run_status 多传 handName 参数 | **FIXED** | kernel-hands.ts — 移除多余参数 |
| SEC2-P2-10 | kernel_apply_saas_config TOML 多行值 edge case | **FIXED** | lifecycle.rs — 添加三引号多行值支持 |