Skip to content

audit F23 [tech-debt]: kicked-member rejection missing for Message / EditMessage / DeleteMessage / Reaction #623

Open
Open
audit F23 [tech-debt]: kicked-member rejection missing for Message / EditMessage / DeleteMessage / Reaction#623
Labels
audittech-debt
@intendednull

Description

@intendednull
intendednull
opened on May 4, 2026

File: crates/state/src/tests/permissions.rs:1196
Severity: tech-debt
Obvious? yes

crates/state/src/tests/permissions.rs has *_by_kicked_member_is_rejected tests for SetProfile (line 1196), UpdateProfile (1319), PinMessage (1491), and UnpinMessage (1683), but no parallel coverage for the four chat-channel event kinds: Message, EditMessage, DeleteMessage, Reaction. These are the most-emitted events in the system, and the e2e/permissions.spec.ts:77 Playwright test (a 30+ second multi-peer round-trip) is the only thing currently asserting that a kicked peer's Message is dropped. Per CLAUDE.md "Adding a new EventKind" rule + the decision tree §1.

Fix: add four state-tier tests in permissions.rs: message_by_kicked_member_is_rejected, edit_message_by_kicked_member_is_rejected, delete_message_by_kicked_member_is_rejected, reaction_by_kicked_member_is_rejected — each grants membership, kicks the member via Propose/Vote, then asserts apply_incremental returns the MemberKicked rejection. Sub-millisecond per test vs. the current 30-second Playwright roundtrip.

Filed by /general-audit @ 88498a5 (2026-05-04). master: #600.

Metadata

Metadata

Assignees

No one assigned

    Labels

    audittech-debt

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions