Mike Swanson
442eecefc0
All checks were successful
From the secure-session-core Tasks 3-5 code review (APPROVE-WITH-FIXES): - MEDIUM-2: delete the dead `validate_agent_key` "accept-any-key" placeholder + its AuthenticatedAgent/AuthState scaffolding (zero callers; the real agent auth is validate_agent_api_key + per-agent cak_ keys). Removes an auth landmine. - LOW-3: stop interpolating support-code values into 3 relay log lines (bearer credentials). - LOW-1: document the X-Real-IP trust requirement in ip_extract.rs (NPM must set it from $remote_addr); behavior unchanged. - LOW-2: correct the consent/heartbeat comment in agent session loop (the loop awaits the dialog; safe because CONSENT_TIMEOUT 60s < HEARTBEAT_TIMEOUT 90s). cargo fmt/clippy(-D warnings)/test all green on GURU-5070 (89 tests, 0 warnings). MEDIUM-1 (viewer-token logout revocation) remains a tracked follow-up. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>