Bug & code-quality checklist: High/Medium tiers + most Low items

Bug & code-quality checklist: High/Medium tiers + most Low items

#8 in tonybierman/dx-blog — merged 2026-05-29

Works the TODO_BUGS.md checklist produced by the security/correctness/DRY review. This branch fixes all High (H1–H3), all Medium (M1–M11), and most Low items (L1, L3–L11, L14). Deferred items (L2, L12, L13, L15, and the arium users-nullability question) are documented inline in TODO_BUGS.md with rationale.

Highlights

Security / abuse

  • H1 anonymous subscribe email-bomb → 5-min re-send cooldown (repeat calls become no-ops)
  • H3 seeded demo authors no longer use a hardcoded "password" in release builds (env/random)
  • M1 comment flooding → per-identity cooldown + per-post burst cap
  • L1 featured_image_url validated to same-origin path or http(s) host
  • L4 sfe logs server-side and returns a generic message (no raw sqlx leak)

Correctness

  • H2 feeds/sitemap return 500 on DB error instead of a silent empty 200 (deindex risk)
  • M2 unique_slug insert retries on UNIQUE collisions (no raw 500 on concurrent same-title create)
  • M3/M4 reader pagination resets on feed change; search box syncs to ?q=
  • M5/M6 added the three missing post_views / comments indexes
  • M7 subscriber token rotate/confirm now transactional
  • L6 Status/Published admin columns can toggle sort direction
  • L7 theme-hue save debounced (no stale-value race)
  • L11 delete_post cascade deletes wrapped in a transaction
  • L14 no empty og:url/description tags on the meta fallback branch

Tests / CI

  • M8 server tests run with foreign keys on (+ a users stub) and assert a post→comment cascade
  • M9 CI now runs cargo clippy -D warnings on the wasm target too

DRY/KISS

  • M10/M11 list_states!/feed_states! macros + a shared FeedShape/FeedBody (home & all reader feeds render through one place)
  • L8/L9/L10 save_with_status helper, shared LIST_POSTS_WHERE / CommentView SQL consts

Verification

  • cargo test --no-default-features --features server,sqlite → 11 pass (incl. new deleting_post_cascades_to_comments)
  • cargo clippy -D warnings on both the server and wasm targets → clean
  • cargo fmt --all -- --check → clean

🤖 Generated with Claude Code

tonybierman/dx-blog2026rust

Last updated 2026-05-30

Links to this note

Credits

Merged pull requests, newest first.