docs: add AUDIT.md — security & quality audit (status reflects current code)#141

Closed
john988 wants to merge 2 commits into
phuryn:mainfrom
john988:docs/audit

Conversation

@john988 john988 commented Jun 17, 2026

Contributor

Summary

Adds AUDIT.md — a point-in-time security & quality audit of claude-usage. Docs-only; no code changes.

  • Multi-dimension review (scanner correctness, cost accuracy, data integrity, security, cross-platform, performance, maintainability, docs) with adversarial per-finding verification: 80 raised → 73 confirmed / 7 refuted.
  • It audited a local checkout that was ~2 months behind main, so the status column reflects the current code — it explicitly marks which findings v1.4.0 already resolved (pricing/XSS/threading/tests/…) and which are addressed elsewhere.
  • Records the verified-safe (refuted) items too, so they don't get re-reported: e.g. the PRAGMA table_info(...) / AGENT_TYPE_EXPR f-strings are not injectable (constants only), Path.home() + dual subagents separators are cross-platform-correct, and the CLI's derived cache rates equal the dashboard's explicit ones.

Severity summary (confirmed)

0 critical · 2 high · 9 medium · 42 low · 20 info — the two "high" rows were the same claude-opus-4-8 mispricing (already fixed in v1.4.0).

Notes

  • This is a community audit contributed from a fork — please adjust framing/scope as you see fit, or treat it as a checklist rather than something to merge verbatim.
  • A few rows reference a separate feature branch (subagent attribution + optional ccusage integration) for where certain items are addressed; that work is in a different PR and isn't part of this docs-only change.
  • The full raw per-finding output (all 73 with verification rationale) is large and lives outside the repo; AUDIT.md links to where it was produced.

john988 added 2 commits June 17, 2026 11:28
…t status

Multi-dimension audit of the pre-v1.4.0 local copy (73 confirmed findings).
Most are already resolved by v1.4.0 and PR phuryn#140; the doc marks the three still
genuinely open (scanner shrink-skip, today/week timezone, dashboard query cache)
and records the refuted/safe items.

Scanner shrink-skip, today/week UTC dates, and dashboard /api/data caching are
resolved; note the residual stale-turn limitation on compaction.
phuryn commented Jun 21, 2026

Owner

Thanks for putting this together, @john988 — a multi-dimension audit with per-finding verification is real work and genuinely useful.

We treated it as a checklist rather than merging verbatim (matching your own framing). The confirmed findings are addressed — pricing/XSS/threading/test items in v1.4.0, the subagent rows in v1.5.0 — and the verified-safe items (the PRAGMA table_info/AGENT_TYPE_EXPR f-strings being constants-only, Path.home() + dual subagents separators, CLI/dashboard cache-rate parity) are noted.

We're going to pass on keeping a static AUDIT.md in-tree, though — a point-in-time audit goes stale fast (this one already audited a checkout ~2 months behind), and we'd rather track issues as they arise than carry a snapshot. Closing for that reason; the audit itself shaped real fixes. Thank you! 🙏

@phuryn phuryn closed this Jun 21, 2026