From c670471c8a0b210aa61eb1d3a226a2497a42c875 Mon Sep 17 00:00:00 2001
From: Mike Swanson
Date: Fri, 29 May 2026 18:39:35 -0700
Subject: [PATCH] fix(gc-audit): correct Pass B sqlx premise (GC uses runtime sqlx)

GC's db layer uses runtime sqlx::query()/query_as() throughout - zero compile-time macros (verified during v2 Task 1; CLAUDE.md's "compile-time checked queries" line is stale). Pass B now treats a NEW sqlx::query! macro as a [LOW] deviation (reintroduces the .sqlx-cache footgun + build-time DATABASE_URL) instead of blessing macros as the GC norm. Fixed both the intro divergence note and the Pass B check.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .claude/skills/gc-audit/SKILL.md | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/.claude/skills/gc-audit/SKILL.md b/.claude/skills/gc-audit/SKILL.md
index cf8ed07..7ceedfd 100644
--- a/.claude/skills/gc-audit/SKILL.md
+++ b/.claude/skills/gc-audit/SKILL.md
@@ -28,8 +28,10 @@ file and living docs are updated. No production code is changed. > **This is GuruConnect, not GuruRMM.** GC diverges from the RMM audit in ways that matter — > do NOT copy RMM assumptions. The biggest traps, called out where they apply below: -> - **sqlx compile-time macros (`sqlx::query!` / `query_as!`) are the GC NORM and are allowed.** -> RMM bans them; GC does not. Do not flag them as violations. +> - **GC uses runtime `sqlx::query()`/`query_as()` — NOT compile-time `sqlx::query!` macros** +> (verified 2026-05-29; CLAUDE.md's "compile-time checked queries" line is stale, and v2 keeps runtime +> sqlx). This matches RMM. A *new* `query!`/`query_as!` macro is therefore a deviation worth a `[LOW]` +> (it reintroduces the `.sqlx`-cache-regen footgun + a build-time `DATABASE_URL` requirement), not the norm. > - **Wire format is Protobuf**, not RMM's JSON `AgentMessage`/`ServerMessage` enums. The > integrity pass chases drift across four artifacts: `proto/guruconnect.proto` → > prost-generated agent code → prost-generated server code → **hand-written binary decode in 
@@ -174,9 +176,11 @@ hashed/short-lived tokens; log auth attempts), `api/response-format` (consistent - `todo!()` / `unimplemented!()` in non-test production paths. - `println!` / `eprintln!` used for logging instead of `tracing::` macros. - `format!()` used to build SQL strings (injection risk — parameterize instead). -- **DO NOT flag `sqlx::query!` / `sqlx::query_as!` compile-time macros.** They are the GC - convention (the codebase relies on compile-time query checking). This is the inverse of the - RMM rule — flagging them here is a false positive. +- **sqlx style:** GC's db layer uses **runtime `sqlx::query()`/`query_as()`** throughout, NOT + compile-time `sqlx::query!` macros (verified 2026-05-29 — CLAUDE.md's "compile-time checked queries" + claim is stale; v2 keeps runtime sqlx, matching RMM). So a **new `sqlx::query!`/`query_as!` macro is a + deviation** worth `[LOW]` (reintroduces the `.sqlx`-cache-regen footgun + build-time `DATABASE_URL`), + not the norm. Still flag `format!()`-built SQL (above) as the real injection risk. **Auth coverage (server):** - Read `server/src/api/mod.rs` + `server/src/auth/mod.rs`. Identify which route groups go through
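Review bot: in the first hunk (@@ -28,8 +28,10 @@), the rewritten sqlx bullet now says "This matches RMM", yet it still sits in the list introduced as the ways "GC diverges from the RMM audit", so a reader skimming the "biggest traps" list will take it as a divergence. Suggest moving it out of that list or opening it with wording that marks it as a point where GC and RMM agree. The bullet also calls CLAUDE.md's "compile-time checked queries" line stale, but the diffstat shows only SKILL.md changing; correcting CLAUDE.md in the same change would remove the contradiction instead of documenting it.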
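Review bot: in the second hunk (@@ -174,9 +176,11 @@), the added "sqlx style" bullet flags only a "new" `sqlx::query!`/`query_as!` macro, but the check gives no baseline for telling a new macro from an existing one. Since the commit message states the db layer has zero compile-time macros, the rule can be written as "any `sqlx::query!`/`query_as!` is `[LOW]`", which an auditor can apply mechanically. The rationale and the "verified 2026-05-29" stamp are also repeated almost verbatim from the intro note; keeping the rationale in one place and referring to it from this check would stop the two copies from drifting apart.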