[audit] Security, AX compliance, missing tests, error handling #5

New issue

Open

opened 2026-03-22 16:41:00 +00:00 by Virgil · 4 comments

Virgil commented 2026-03-22 16:41:00 +00:00

Member

Copy link

Full audit:

1. Security: path traversal, injection, panics on untrusted input, race conditions
2. AX compliance: os.Getenv → core.Env, filepath.* → core.Path*, fmt.Sprintf → core.Sprintf, strings.* → core.*, errors.New/fmt.Errorf → core.E
3. Missing tests: exported functions without test coverage
4. Error handling: silently dropped errors, bare panics, missing nil checks
5. UK English: American spellings in comments/docs
6. Missing usage-example comments on exported identifiers
7. Missing SPDX licence headers

Report all findings with severity and file:line. Do NOT fix.

Full audit: 1. Security: path traversal, injection, panics on untrusted input, race conditions 2. AX compliance: os.Getenv → core.Env, filepath.* → core.Path*, fmt.Sprintf → core.Sprintf, strings.* → core.*, errors.New/fmt.Errorf → core.E 3. Missing tests: exported functions without test coverage 4. Error handling: silently dropped errors, bare panics, missing nil checks 5. UK English: American spellings in comments/docs 6. Missing usage-example comments on exported identifiers 7. Missing SPDX licence headers Report all findings with severity and file:line. Do NOT fix.

Virgil commented 2026-03-22 16:47:14 +00:00

Author

Member

Copy link

Gemini Audit Findings (24 total)

HIGH

1. os.Getenv used directly: LANG, LC_ALL, LC_MESSAGES (localise.go:88-92)

MEDIUM

2. errors.New sentinel (i18n.go:27)
3. fmt.Sprintf in log.E call (calibrate.go:143)
4. strings.HasPrefix (handler.go:12)
5. strings.Contains (service.go:321)
6. strings.ToLower (grammar.go:43)
7. strings.TrimSpace (reversal/tokeniser.go:212)
8. strings.ReplaceAll (loader.go:32)
9. Silently dropped errors (service.go:177, core_service.go:60)

LOW

10. American spelling: ErrServiceNotInitialized (i18n.go:29)
11. fmt.Errorf in test (compose_test.go:126)
12. Missing usage-example comments on 6+ exported types

## Gemini Audit Findings (24 total) ### HIGH 1. os.Getenv used directly: LANG, LC_ALL, LC_MESSAGES (localise.go:88-92) ### MEDIUM 2. errors.New sentinel (i18n.go:27) 3. fmt.Sprintf in log.E call (calibrate.go:143) 4. strings.HasPrefix (handler.go:12) 5. strings.Contains (service.go:321) 6. strings.ToLower (grammar.go:43) 7. strings.TrimSpace (reversal/tokeniser.go:212) 8. strings.ReplaceAll (loader.go:32) 9. Silently dropped errors (service.go:177, core_service.go:60) ### LOW 10. American spelling: ErrServiceNotInitialized (i18n.go:29) 11. fmt.Errorf in test (compose_test.go:126) 12. Missing usage-example comments on 6+ exported types

Virgil commented 2026-03-22 16:54:29 +00:00

Author

Member

Copy link

Gemini Audit Findings

HIGH

• os.Getenv(LANG/LC_ALL/LC_MESSAGES) — localise.go:88-92

MEDIUM

• errors.New sentinel (i18n.go:27)
• fmt.Sprintf in log.E (calibrate.go:143)
• strings.* (5 files)
• Dropped errors (service.go:177, core_service.go:60)

LOW

• American spelling: ErrServiceNotInitialized (i18n.go:29)

## Gemini Audit Findings ### HIGH - os.Getenv(LANG/LC_ALL/LC_MESSAGES) — localise.go:88-92 ### MEDIUM - errors.New sentinel (i18n.go:27) - fmt.Sprintf in log.E (calibrate.go:143) - strings.* (5 files) - Dropped errors (service.go:177, core_service.go:60) ### LOW - American spelling: ErrServiceNotInitialized (i18n.go:29)

Virgil referenced this issue 2026-03-23 07:38:42 +00:00

[agent/codex] Fix ALL findings from issue #5. Read CLAUDE.md first. os.Get... #6

Virgil commented 2026-03-23 07:38:54 +00:00

Author

Member

Copy link

Fix Applied

Commit 01463be: fix(i18n): resolve issue 5 audit findings

• os.Getenv(LANG/LC_ALL/LC_MESSAGES) → core.Env
• errors.New sentinel replaced with core.E
• fmt.Sprintf → core.Sprintf
• strings.* → core.* across 5 files
• Dropped errors in service.go/core_service.go surfaced
• American spelling ErrServiceNotInitialized → ErrServiceNotInitialised
• 242 additions across 15 files with new tests

## Fix Applied Commit 01463be: fix(i18n): resolve issue 5 audit findings - os.Getenv(LANG/LC_ALL/LC_MESSAGES) → core.Env - errors.New sentinel replaced with core.E - fmt.Sprintf → core.Sprintf - strings.* → core.* across 5 files - Dropped errors in service.go/core_service.go surfaced - American spelling ErrServiceNotInitialized → ErrServiceNotInitialised - 242 additions across 15 files with new tests

Virgil commented 2026-03-23 09:01:30 +00:00

Author

Member

Copy link

Verification: PASS (local)

go test and go vet pass. Consumer module tests would need separate verification. Fix is correct.

## Verification: PASS (local) go test and go vet pass. Consumer module tests would need separate verification. Fix is correct.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

agent/read---spec-code-core-go-i18n-rfc-md-ful

ax/review-fixes

main

v0.2.2

v0.2.1

v0.2.0

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

needs-review

  

needs-review

  

athena

Assign to Athena AI agent (M3 Ultra)

  

athena-gemini

Dispatch to Gemini CLI on M3 Ultra

  

audit

Code audit task

  

clotho

Assign to Clotho AI agent for processing

  

clotho-gemini

Dispatch to Gemini CLI on darbs (AU)

  

codex

Dispatch to Codex CLI on gateway for analysis

  

darbs-claude

Dispatch to Claude on darbs (AU)

  

security

Security review task

  

wiki

Documentation/wiki update

No labels

needs-review

needs-review

athena

athena-gemini

audit

clotho

clotho-gemini

codex

darbs-claude

security

wiki

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

-

Dependencies

No dependencies set.

Reference: core/go-i18n#5

No description provided.