3.8 KiB
Architect Assessment
Flaws identified by order of priority
[P0] Backend/Frontend contract is still broken for GET /syntheses. Backend returns { items: [...] } in backend/src/handlers/syntheses.rs:38, but frontend expects a raw array in frontend/src/api/syntheses.ts:63 and uses it directly in frontend/src/pages/Home.tsx:37.
[P0] List item shape mismatch remains (sections vs preview fields). Backend list item exposes preview fields in backend/src/models/synthesis.rs:77, while frontend type requires sections in frontend/src/types.ts:122 and renders from it in frontend/src/pages/Home.tsx:181.
[P0] Admin rate-limit update path mismatch is still present. Backend route expects provider_name in backend/src/router.rs:73 and backend/src/handlers/admin.rs:227, but frontend sends id in frontend/src/api/admin.ts:38 and frontend/src/pages/admin/RateLimits.tsx:70.
[P0] Scraper SSRF hardening is incomplete (inference). SSRF check is pre-request only in backend/src/services/scraper.rs:84 / backend/src/services/scraper.rs:184, then request executes in backend/src/services/scraper.rs:87. The hardened scraper client exists in backend/src/services/scraper.rs:57 but app boot still uses generic client in backend/src/main.rs:53.
[P1] Scraper body-size protection is post-download. Body is fully read first in backend/src/services/scraper.rs:111, then checked in backend/src/services/scraper.rs:116, which weakens memory/DoS protection.
[P1] User-level rate-limit override appears per-job, not persistent across jobs. Limiter is built in-run in backend/src/services/synthesis.rs:292, created from settings in backend/src/services/synthesis.rs:386, and keyed at check in backend/src/services/synthesis.rs:410.
[P1] Runtime state is not multi-instance safe. Generation jobs and provider buckets are in-memory (backend/src/app_state.rs:21, backend/src/app_state.rs:24, backend/src/services/synthesis.rs:82, backend/src/services/rate_limiter.rs:113).
[P2] Magic-link quota can still be consumed before email send success. Token creation occurs before delivery in backend/src/handlers/auth.rs:100 and backend/src/handlers/auth.rs:153, with active-token cap in backend/src/services/auth.rs:21.
[P2] Frontend test strategy still masks backend contract drift. Home tests mock sections list items in frontend/src/tests/pages/home.test.tsx:24, which does not match backend list payload.
[P2] Frontend unit tests still cannot run in this environment. npm run test -- --run fails on missing optional Rollup native module (@rollup/rollup-darwin-x64), so current frontend unit-test signal is unavailable locally.
[P3] sqlx compile-time query guarantees are still not implemented. Runtime query usage is explicit in backend/src/db/users.rs:35, despite offline mode setup in backend/Dockerfile:21.
[P3] Postgres is still published on host by default. Port mapping is open in docker-compose.yml:38.
Remediation Order
Summary
- Fix API contract breaks first.
- Then close scraper/network security gaps.
- Then harden runtime architecture for scale/reliability.
Key Changes
- Align
/synthesesand admin rate-limit contracts end-to-end (backend + frontend + tests). - Wire dedicated hardened HTTP clients and enforce SSRF checks per hop with streaming body limits.
- Move job/rate-limit state to shared backing (Redis/DB) if multi-instance is in scope.
- Add contract tests so frontend mocks cannot drift from backend payloads.
Test Plan
- Backend integration tests for
/syntheseslist shape and/admin/rate-limits/{provider_name}update path. - Security tests for scraper redirect/private-IP/rebinding cases and oversized responses.
- Frontend tests consuming real API fixtures (or generated schema fixtures), not hand-crafted mismatched types.
Assumptions
- Backend is the API source of truth.
- You want production-safe defaults even for self-hosted single-tenant deployments.