alice.mosphere.at / perlsky
perlsky is a Perl 5 implementation of an AT Protocol Personal Data Server.
13
fork

Configure Feed

Select the types of activity you want to include in your feed.

Document current conformance audit

alice 67249bce 50447c9c

+13 -7
+13 -7
docs/TEST_AUDIT.md
··· 1 1 # Test Audit Status 2 2 3 - As of 2026-03-11, the focused test-correctness and reference-audit pass is complete on rewritten history through `c51228e`. 3 + As of 2026-03-12, the focused test-correctness and reference-audit pass is complete on rewritten history through `50447c9`. 4 4 5 5 That does not mean every test has been manually revalidated against every other PDS implementation line by line. It means: 6 6 ··· 13 13 The current baseline for saying "the audited suite is green" is: 14 14 15 15 - `prove -lr t` 16 - - last green result in the realigned Meridian worktree: `Files=36, Tests=1847` 16 + - last green result in the realigned Meridian worktree: `Files=40, Tests=2258` 17 17 - `prove -lv t/server-auth.t` 18 18 - `perl -c script/differential-validate` 19 19 - `PERLSKY_RUN_REFERENCE_DIFF=1 prove -lv t/reference-differential.t` 20 20 - `PERLSKY_RUN_REFERENCE_DIFF=1 prove -lv t/reference-differential-plc.t` 21 21 22 - Focused suites were also rerun during individual fixes, especially around labels, firehose, repo writes, moderation, missing blobs, and service-auth behavior. 22 + Focused suites were also rerun during individual fixes, especially around labels, firehose, repo writes, moderation, missing blobs, service-auth behavior, local appview fallbacks, preference validation, handle resolution, and blob download headers. 23 23 24 24 ## Reference Hierarchy 25 25 ··· 45 45 - Firehose tests must not assume the smallest possible CAR diff. The reference runtime guarantees normalized behavior, not a minimal encoding. 46 46 - Label replay and cursor handling need exclusive replay semantics, proper future-cursor rejection, and forward progress across unhandled backlog events. 47 47 - `com.atproto.repo.listMissingBlobs` needed a real implementation rather than an always-empty placeholder. 48 + - Deactivated accounts should still be able to establish and refresh sessions, but those responses must stay marked `active=false` with `status=deactivated`. 49 + - Local `app.bsky.*` emulation must be conservative: only synthesize owner-local feed/thread data when the PDS can answer authoritatively, and proxy upstream instead of inventing partial global state. 50 + - `app.bsky.actor.putPreferences` and `app.bsky.notification.putPreferencesV2` need shape validation; unvalidated merges are not a critical exploit here, but they are a real correctness and hardening issue. 51 + - `com.atproto.identity.resolveHandle` should reject malformed handles with `400 InvalidHandle`, not quietly treat them as misses. 52 + - `com.atproto.sync.getBlob` should ship the same download-hardening headers as the reference PDS (`X-Content-Type-Options`, `Content-Disposition`, `Content-Security-Policy`). 48 53 49 54 ## Known Intentional Divergences 50 55 ··· 70 75 | --- | --- | --- | 71 76 | `t/api-util.t` | audited local regression | helper semantics, cursor validation, service-auth helper behavior | 72 77 | `t/app-routes.t` | local correctness/infrastructure | app route exposure and startup wiring smoke | 73 - | `t/app.t` | local correctness/infrastructure | application bootstrap and core route smoke | 78 + | `t/app.t` | audited local regression | application bootstrap plus malformed-handle rejection and startup hardening | 74 79 | `t/auth-jwt.t` | local correctness/infrastructure | JWT signing and validation behavior | 75 80 | `t/browser-smoke.t` | local correctness/infrastructure | optional browser-driven end-to-end wrapper | 76 81 | `t/catalog.t` | local correctness/infrastructure | lexicon/catalog exposure smoke | ··· 88 93 | `t/ipld-canonical.t` | local correctness/infrastructure | canonical IPLD encoding invariants | 89 94 | `t/ipld-codecs.t` | local correctness/infrastructure | DAG-CBOR and codec coverage | 90 95 | `t/labels.t` | audited local regression | label persistence, replay, negation, and cursor behavior | 91 - | `t/metrics.t` | local correctness/infrastructure | metrics endpoint and token-gating smoke | 96 + | `t/metrics.t` | audited local regression | metrics endpoint, token-gating smoke, and instrumentation contract for local appview behavior | 92 97 | `t/moderation.t` | audited local regression | takedown visibility and moderation behavior | 93 98 | `t/pds_smoke.t` | local correctness/infrastructure | broad local PDS smoke | 94 99 | `t/plc-identity.t` | direct reference differential | PLC mock driven by official library semantics | 95 100 | `t/reference-differential-plc.t` | direct reference differential | official runtime comparison in PLC mode | 96 101 | `t/reference-differential.t` | direct reference differential | official runtime comparison in baseline mode | 97 - | `t/remote-handle-resolution.t` | local correctness/infrastructure | remote handle resolution behavior | 102 + | `t/remote-handle-resolution.t` | audited local regression | remote handle resolution behavior and invalid-handle rejection | 98 103 | `t/repo-api.t` | audited local regression | record mutation and read semantics | 99 104 | `t/repo-firehose-car.t` | audited local regression | repo commit CAR shape and firehose interactions | 100 105 | `t/repo_formats.t` | audited local regression | direct repo wire-format and CAR expectations | 101 106 | `t/server-auth.t` | direct reference differential | auth/session/service-auth behavior repeatedly compared to official runtime | 102 107 | `t/service-proxy-local.t` | audited local regression | local appview fallback behavior | 103 - | `t/service-proxy.t` | local correctness/infrastructure | upstream service-proxy behavior | 108 + | `t/service-proxy.t` | audited local regression | upstream proxy behavior plus conservative local appview fallback and preference semantics | 104 109 | `t/sqlite-binary.t` | local correctness/infrastructure | SQLite binary round-trip correctness | 105 110 | `t/store-sqlite.t` | audited local regression | store-level session, invite, label, and repo persistence behavior | 106 111 | `t/tid-repair.t` | local correctness/infrastructure | TID repair and recovery helpers | ··· 124 129 3. add a written mapping from each local-only suite to the protocol or product invariant it is meant to protect 125 130 4. decide whether to tighten admin auth to reference semantics or document the bearer shortcut as a permanent extension 126 131 5. move the testing-friendly email confirmation path behind an explicit smoke/dev switch instead of ambient behavior 132 + 6. keep narrowing the local `ServiceProxy` surface until every locally answered `app.bsky.*` field is either authoritative or explicitly documented as a local-only extension 127 133 128 134 ## Practical Reading Of The Current Status 129 135