alice.mosphere.at / perlsky
perlsky is a Perl 5 implementation of an AT Protocol Personal Data Server.
13
fork

Configure Feed

Select the types of activity you want to include in your feed.

Refresh test audit baseline

alice 77756b27 01bdc71b

+12 -7
+12 -7
docs/TEST_AUDIT.md
··· 1 1 # Test Audit Status 2 2 3 - As of 2026-03-12, the focused test-correctness and reference-audit pass is complete on rewritten history through `812a63f`. 3 + As of 2026-03-12, the focused test-correctness and reference-audit pass is complete on rewritten history through `16c510b`. 4 4 5 5 That does not mean every test has been manually revalidated against every other PDS implementation line by line. It means: 6 6 ··· 13 13 The current baseline for saying "the audited suite is green" is: 14 14 15 15 - `prove -lr t` 16 - - last green result in the realigned Meridian worktree: `Files=41, Tests=2318` 16 + - last full green result in the realigned Meridian worktree: `Files=44, Tests=2507` 17 17 - `prove -lv t/server-auth.t` 18 18 - `perl -c script/differential-validate` 19 19 - `PERLSKY_RUN_REFERENCE_DIFF=1 prove -lv t/reference-differential.t` ··· 45 45 - Firehose tests must not assume the smallest possible CAR diff. The reference runtime guarantees normalized behavior, not a minimal encoding. 46 46 - Label replay and cursor handling need exclusive replay semantics, proper future-cursor rejection, and forward progress across unhandled backlog events. 47 47 - `com.atproto.repo.listMissingBlobs` needed a real implementation rather than an always-empty placeholder. 48 - - ATProto OAuth `include:<nsid>` permission-set scopes are now compiled into concrete repo/RPC permissions before token issuance; local regression coverage pins that least-privilege behavior for supported and unsupported permissions. 48 + - ATProto OAuth `include:<nsid>` permission-set scopes are now compiled into concrete repo/RPC permissions before token issuance; local regression coverage pins that least-privilege behavior, including dropping unsupported account/blob/identity permission-set entries. 49 49 - Deactivated accounts should still be able to establish and refresh sessions, but those responses must stay marked `active=false` with `status=deactivated`. 50 50 - Local `app.bsky.*` emulation must be conservative: only synthesize owner-local feed/thread data when the PDS can answer authoritatively, and proxy upstream instead of inventing partial global state. 51 51 - Account email handling needs consistent normalization on write, lookup, session creation, and confirmation checks; treating email case inconsistently leaves both tests and user-facing auth behavior brittle. 52 - - `app.bsky.actor.putPreferences` and `app.bsky.notification.putPreferencesV2` need shape validation; unvalidated merges are not a critical exploit here, but they are a real correctness and hardening issue. 52 + - `app.bsky.actor.putPreferences` and `app.bsky.notification.putPreferencesV2` now have explicit shape validation plus focused regression coverage, turning an earlier hardening concern into a pinned contract. 53 53 - `com.atproto.identity.resolveHandle` should reject malformed handles with `400 InvalidHandle`, not quietly treat them as misses. 54 + - Remote `did:web` DID docs, conservative `resolveIdentity` handle validation, and external handle adoption all need explicit coverage because small resolver-policy drifts turn into visible interop bugs quickly. 55 + - `com.atproto.repo.getRecord` must honor `cid` when present, and `putRecord` / `deleteRecord` must actually enforce `swapRecord`; those negative edges are now covered directly. 56 + - `com.atproto.server.requestPasswordReset` and `com.atproto.server.deleteAccount` now follow the reference form-token flow, with focused regression coverage for missing-account and bearerless deletion semantics. 54 57 - `com.atproto.sync.getBlob` should ship the same download-hardening headers as the reference PDS (`X-Content-Type-Options`, `Content-Disposition`, `Content-Security-Policy`). 55 58 56 59 ## Known Intentional Divergences ··· 84 87 | `t/cors.t` | local correctness/infrastructure | CORS and preflight behavior | 85 88 | `t/crawlers.t` | audited local regression | outbound crawl notification semantics | 86 89 | `t/crypto-interop.t` | direct reference differential | pinned upstream crypto fixture coverage | 90 + | `t/delete-account.t` | audited local regression | reference-style account deletion flow using DID, password, and action token without a live bearer session | 87 91 | `t/email-confirmation.t` | audited local regression | intentionally testing-friendly email flow | 88 92 | `t/event-stream.t` | audited local regression | wire-format, malformed frame, and event decoding coverage | 89 93 | `t/extended-api.t` | audited local regression | broad XRPC behavior including invites and moderation-adjacent flows; still intentionally mixes conformance-ish happy paths with local-policy coverage | 90 94 | `t/external-surface.t` | audited local regression | external repo/account surface including missing-blob behavior; intentionally broad, with order-insensitive assertions for label presence rather than brittle label ordering | 91 95 | `t/firehose.t` | audited local regression | repo subscription lifecycle, cursor, and CAR behavior | 92 - | `t/identity.t` | local correctness/infrastructure | handle and DID identity flow coverage | 96 + | `t/identity.t` | local correctness/infrastructure | lower-level handle and DID helper coverage, including DNS-over-well-known preference and malformed-handle rejection | 93 97 | `t/import-repo.t` | audited local regression | import/snapshot restore behavior, including perlsky's intentionally tolerant malformed-record import semantics and explicit rollback to the imported snapshot | 94 98 | `t/invite-gating.t` | audited local regression | self-service invite flag behavior | 95 99 | `t/ipld-canonical.t` | local correctness/infrastructure | canonical IPLD encoding invariants | ··· 98 102 | `t/metrics.t` | audited local regression | metrics endpoint, token-gating smoke, and instrumentation contract for local appview behavior | 99 103 | `t/moderation.t` | audited local regression | takedown visibility and moderation behavior | 100 104 | `t/oauth-include.t` | audited local regression | permission-set scope expansion and least-privilege enforcement from `include:<nsid>` scopes | 101 - | `t/oauth-permissions.t` | audited local regression | granular OAuth permission enforcement across repo/blob/rpc scope families | 105 + | `t/oauth-permissions.t` | audited local regression | granular OAuth permission enforcement across account/email, identity, repo, blob, and rpc scope families | 102 106 | `t/oauth-scopes.t` | audited local regression | OAuth scope parsing, normalization, and token-grant shaping | 103 107 | `t/oauth.t` | audited local regression | OAuth provider metadata, PAR, PKCE, DPoP, and token lifecycle coverage | 108 + | `t/password-reset.t` | audited local regression | password reset token issuance and missing-email rejection semantics | 104 109 | `t/pds_smoke.t` | local correctness/infrastructure | broad local PDS smoke; still intentionally optimistic and should only carry a small number of negative assertions | 105 110 | `t/plc-identity.t` | direct reference differential | PLC mock driven by official library semantics | 106 111 | `t/reference-differential-plc.t` | direct reference differential | official runtime comparison in PLC mode | 107 112 | `t/reference-differential.t` | direct reference differential | official runtime comparison in baseline mode | 108 - | `t/remote-handle-resolution.t` | audited local regression | remote handle resolution behavior and invalid-handle rejection, with some malformed/upstream-failure branches still worth expanding | 113 + | `t/remote-handle-resolution.t` | audited local regression | remote `did:web` DID docs, conservative remote identity handling, external-handle adoption, and invalid-handle rejection, with some upstream-failure branches still worth expanding | 109 114 | `t/repo-api.t` | audited local regression | record mutation and read semantics, but still lighter than ideal on some negative/reference edge cases | 110 115 | `t/repo-firehose-car.t` | audited local regression | repo commit CAR shape and firehose interactions | 111 116 | `t/repo_formats.t` | audited local regression | direct repo wire-format and CAR expectations |