
fix(spec): resolve 5 autonomous-actionable C30 findings in errors.md #269

Merged: dp-web4 merged 1 commit into main from worker/web4-20260604-060050 on Jun 4, 2026


@dp-web4 dp-web4 commented Jun 4, 2026

C30 Remediation — core-spec/errors.md

REMEDIATION turn (by alternation) for the C30 audit (PR #268, MERGED). Applies the 5 AUTONOMOUS-actionable findings plus the opportunistic I1 banner, all inside web4-standard/core-spec/errors.md. 1 file changed, +18/−10. No design decisions taken; no other files touched.

Findings applied

| ID | Sev | Fix |
|---|---|---|
| A-M1 | MED | Align worked-example titles to the §2 normative taxonomy (§1 "Binding Failed"→"Binding Already Exists"; §3.1 "Unauthorized"→"Authorization Denied") and make §3.1 a coherent denied (not scope) case via its detail |
| A-M2 | MED | type → OPTIONAL (default about:blank, RFC 9457 §3.1, matches SDK); code labelled a Web4 extension member (§3.2); Web4 deliberately mandates status/title |
| A-M3 | MED | status is HTTP-modelled but transport-agnostic (CBOR/QUIC, BLE GATT, CAN per core-protocol §5.1) |
| A-L1 | LOW | instance path segments are illustrative; no normative path registry |
| B-M1 §1 | MED | Rescope: errors.md = the core protocol error taxonomy; SAL/ACP/metering/MCP subsystems extend it (autonomous half only) |
| I1 | INFO | Add Version/Status/Last-Updated banner |

Key discipline note (BC#5 corpus sweep)

The mandated pre-finalization sweep found the conformance vector test-vectors/errors/error-taxonomy.json (authz_denied_with_detail, labelled "spec §3.1 example") and test_errors.py pin the §3.1 example to W4_ERR_AUTHZ_DENIED/401/"Authorization Denied". The audit's A-M1 option (a) (switch to AUTHZ_SCOPE/403) would have broken that vector + required a coordinated SDK edit (out of bounds). Took the audit's equally-sanctioned option (b) instead — fix title + make the detail a genuine capability-denial, preserving code/status. Net effect: improves spec↔vector consistency. All four examples now match their §2 taxonomy titles.

Deferred (per audit routing)

  • DESIGN-Q (operator): B-H1 numeric-vs-string error-system canonicity; B-M1 centralize-vs-distribute ownership; B-M3 W4IDp form.
  • CROSS-TRACK (other files): B-M2 web4:// SSOT mirroring in data-formats; metering parallel-name reconcile; I2 QUICK_REFERENCE type-URI. NEW: web4-handshake.md:218 carries the same "Unauthorized" title mismatch (recorded for handshake re-audit).

🤖 Generated with Claude Code

C30 remediation turn (audit PR #268). Applies the 5 AUTONOMOUS findings
plus the opportunistic I1 banner, all inside core-spec/errors.md:

- A-M1: align worked-example titles to the §2 normative taxonomy
  (§1 "Binding Failed"→"Binding Already Exists"; §3.1 "Unauthorized"→
  "Authorization Denied") and make the §3.1 example a coherent *denied*
  (not scope) case via its detail. Kept code/status W4_ERR_AUTHZ_DENIED/401
  to preserve consistency with the pinned conformance vector + SDK test
  (BC#5 sweep finding — audit option (b) over option (a)).
- A-M2: restate `type` as OPTIONAL (default about:blank) per RFC 9457 §3.1
  (matches SDK .get default); label `code` a Web4 extension member
  (RFC 9457 §3.2); state Web4 deliberately mandates `status`/`title`.
- A-M3: note `status` is HTTP-modelled but transport-agnostic (CBOR/QUIC,
  BLE GATT, CAN per core-protocol §5.1).
- A-L1: note `instance` path segments are illustrative, no normative registry.
- B-M1 §1 rescope: errors.md = the *core protocol* error taxonomy;
  SAL/ACP/metering/MCP subsystem specs extend it (autonomous half only;
  centralize-vs-distribute architecture deferred as DESIGN-Q).
- I1: add Version/Status/Last-Updated banner.

DESIGN-Q (B-H1 registry canonicity, B-M1 architecture, B-M3 W4IDp form)
and CROSS-TRACK (B-M2 web4:// SSOT, metering name reconcile, I2) deferred.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

dp-web4 commented Jun 4, 2026

APPROVED: C30 remediation of core-spec/errors.md, 1 file (+18/−10), no drift. Aligns the worked-example titles to the §2 normative taxonomy (Binding Already Exists, Authorization Denied), correctly relaxes type to OPTIONAL with code as an RFC 9457 §3.2 extension member while Web4 still mandates status/title, adds the transport-agnostic status note and the subsystem-extends scoping. Credit for the BC#5 corpus sweep: choosing option (b) to preserve test-vectors/errors/error-taxonomy.json + test_errors.py rather than breaking the conformance pin — improves spec↔vector consistency. DESIGN-Q and cross-track items correctly deferred. Development-phase aligned.

@dp-web4 dp-web4 merged commit aaa2bd8 into main Jun 4, 2026
@dp-web4 dp-web4 deleted the worker/web4-20260604-060050 branch June 4, 2026 17:29
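
As an added illustration (not code from the Web4 repository or its SDK), the field rules this PR describes can be checked mechanically: `type` defaults to `about:blank`, `status` and `title` are required, and a known `code` must carry its taxonomy status and title. The `check_problem` helper, the one-entry `TAXONOMY` table and both sample objects are constructed for this example; only the W4_ERR_AUTHZ_DENIED/401/"Authorization Denied" triple comes from the page.

```python
import json

DEFAULT_TYPE = "about:blank"  # RFC 9457 §3.1 default when "type" is absent
# Assumption: a one-entry stand-in for the §2 taxonomy, holding only the
# code/status/title triple quoted in the PR description.
TAXONOMY = {"W4_ERR_AUTHZ_DENIED": (401, "Authorization Denied")}


def check_problem(raw):
    """Return (normalised problem, findings); no findings means consistent."""
    problem = json.loads(raw)
    if not isinstance(problem, dict):
        return {}, ["problem details must be a JSON object"]
    findings = []
    # "type" is OPTIONAL: a missing member is read as about:blank.
    problem.setdefault("type", DEFAULT_TYPE)
    # "status" and "title" are mandated. The status is HTTP-modelled, so it is
    # range-checked as an HTTP code even on non-HTTP transports.
    status = problem.get("status")
    if isinstance(status, bool) or not isinstance(status, int) \
            or not 100 <= status <= 599:
        findings.append("status: required integer in 100..599")
    title = problem.get("title")
    if not isinstance(title, str) or not title:
        findings.append("title: required non-empty string")
    # "code" is an extension member; when it names a known taxonomy entry,
    # status and title must agree with that entry.
    code = problem.get("code")
    if isinstance(code, str) and code in TAXONOMY:
        want_status, want_title = TAXONOMY[code]
        if status != want_status:
            findings.append(f"status: {status!r} != taxonomy {want_status}")
        if title != want_title:
            findings.append(f"title: {title!r} != taxonomy {want_title!r}")
    # "instance" is not checked: its path segments are illustrative only.
    return problem, findings


# Constructed samples: the title mismatch this PR removes, and the aligned form.
STALE = json.dumps({"status": 401, "title": "Unauthorized",
                    "code": "W4_ERR_AUTHZ_DENIED",
                    "detail": "constructed detail", "instance": "/constructed/1"})
FIXED = json.dumps({"status": 401, "title": "Authorization Denied",
                    "code": "W4_ERR_AUTHZ_DENIED",
                    "detail": "constructed detail", "instance": "/constructed/1"})

if __name__ == "__main__":
    for name, sample in (("stale", STALE), ("fixed", FIXED)):
        print(name, check_problem(sample)[1])
```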