a73x

specs/003-key-trust-allowlist/review.md

Ref:   Size: 4.0 KiB

# Review: 003-key-trust-allowlist

**Date**: 2026-03-21
**Reviewer**: Automated cross-artifact analysis
**Artifacts**: spec.md, plan.md, tasks.md
**Codebase verified**: src/signing.rs, src/error.rs, src/sync.rs

---

## Dimension Evaluation

### 1. Spec-Plan Alignment: PASS
The plan faithfully implements all 12 functional requirements (FR-001 through FR-010, including FR-002a and FR-002b). The architecture decisions (separate trust module, post-verification filter, Untrusted variant) directly serve the spec's requirements. The fallback behavior (FR-007), key validation (FR-008), duplicate prevention (FR-009), and label support (FR-010) are all addressed. No spec requirements are missed or contradicted.

### 2. Plan-Tasks Completeness: PASS
Every architectural element in the plan maps to at least one task. All files listed in the plan's Project Structure section appear in the tasks' File Ownership table. The TDD approach from the plan is reflected in test tasks preceding implementation tasks in every phase. One minor note: T009 bundles `remove_trusted_key()` implementation into Phase 2 (US1) rather than Phase 4 (US3), but this is pragmatic grouping for code locality and does not create a gap.

### 3. Dependency Ordering: PASS
Phase dependencies are correct and verified against the codebase:
- Phase 1 creates types that Phase 2+ needs (VerifyStatus::Untrusted, Error::UntrustedKey, trust module)
- Phase 2 creates trust.rs I/O functions that Phase 3 (sync integration) and Phase 4 (CLI list/remove) need
- Phase 3 and Phase 4 touch different files (sync.rs vs lib.rs) and can correctly parallelize
- Phase 5 depends on all prior phases
- Within-phase sequential ordering is correct (tests before implementation)

### 4. Parallelization Correctness: PASS
Parallel groups are correctly identified:
- Group 1 (T004/T005/T006): Different test locations (unit vs integration), no file conflicts
- Group 2 (T008/T009): Different functions in same file but no overlap in implementation
- Group 3 (T012/T013): Unit tests vs integration tests, different files
- Group 4 (T016/T017): Different test functions in same file, independent
- Group 5 (T020/T021): Different test files
- Phase 3 || Phase 4: Confirmed different files (sync.rs vs lib.rs)

Minor concern: Group 2 (T008/T009) both write to `src/trust.rs`. While they implement different functions, parallel editing of the same file can cause merge conflicts. This is a WARN-level risk but manageable with coordination.

### 5. Feasibility & Risk: PASS
- All referenced crate APIs exist and are correct (ed25519-dalek VerifyingKey::from_bytes, base64 decode, etc.)
- The existing codebase structure (SignatureVerificationResult with pubkey: Option<String>) supports the plan's approach
- The existing rejection logic in reconcile_refs (`r.status != VerifyStatus::Valid`) means adding Untrusted variant will be caught automatically, simplifying T015
- No new dependencies needed -- confirmed against Cargo.toml implicit constraints
- File format (authorized_keys style) is simple and well-understood
- Scale assumption (<100 keys) makes O(n) lookup acceptable

### 6. Implementation Readiness: PASS
- File paths are exact and verified against the repository
- Function signatures are specified with input/output types
- Test scenarios map to acceptance criteria in the spec
- Checkpoints after each phase enable incremental validation
- The TDD workflow is explicit and matches the user's stated preferences
- 22 tasks at reasonable granularity -- neither too coarse nor too fine

---

## Overall Verdict: PASS

The spec, plan, and tasks are well-aligned, complete, and ready for implementation. No critical or high-severity issues found. The architecture integrates cleanly with the existing codebase. The only minor concerns are:

1. T009 labeling (remove function grouped under US1 phase) -- pragmatic but slightly misleading
2. T008/T009 parallel editing of the same file -- manageable risk
3. T015's integration point description could be more explicit about insertion location within reconcile_refs

These are all LOW severity and do not block implementation.