Add audit documentation for error type issues

agentbox · agentbox · commit 0acbd95067c8 · 2026-03-02T18:14:43.000+08:00
Document findings from issue payjoin#749 audit of SessionError, CreateRequestError, and DecapsulationError (formerly EncapsulationError): - Variant duplication across send and receive error types - Naming inconsistencies (Url vs ParseUrl) - Hpke variant placement concerns - process_response return type asymmetry Items requiring maintainer design decisions are cataloged separately from the implemented rename fix.
diff --git a/PULL-REQUEST.md b/PULL-REQUEST.md
@@ -0,0 +1,71 @@
+# Audit and rename error types for issue #749
+
+## Summary
+
+- Rename `EncapsulationError` to `DecapsulationError` (and internal types)
+- Document duplication and naming issues across `SessionError`,
+  `CreateRequestError`, and the former `EncapsulationError`
+
+## What changed
+
+`EncapsulationError` was a misnomer: it is exclusively raised when
+_decapsulating_ responses (`process_response`), never during request
+_encapsulation_ (`create_v2_post_request` / `create_poll_request`, which
+produce `CreateRequestError`). Renamed to `DecapsulationError` throughout
+core and FFI crates, including the `InternalValidationError::V2Encapsulation`
+variant (now `V2Decapsulation`).
+
+## Audit findings
+
+### Error type inventory
+
+| Type                                                            | Location   | Variants                                                                 |
+| --------------------------------------------------------------- | ---------- | ------------------------------------------------------------------------ |
+| `InternalCreateRequestError`                                    | send v2    | `Url`, `Hpke`, `OhttpEncapsulation`, `Expired`                           |
+| `InternalDecapsulationError` (was `InternalEncapsulationError`) | send v2    | `Hpke`, `DirectoryResponse`                                              |
+| `InternalSessionError`                                          | receive v2 | `ParseUrl`, `Expired`, `OhttpEncapsulation`, `Hpke`, `DirectoryResponse` |
+
+### Duplication between send and receive error types
+
+`InternalSessionError` is a superset containing all variants from both
+`InternalCreateRequestError` and `InternalDecapsulationError`:
+
+| Variant            | CreateRequest | Decapsulation | Session  |
+| ------------------ | :-----------: | :-----------: | :------: |
+| Url / ParseUrl     |      Url      |       -       | ParseUrl |
+| Hpke               |       x       |       x       |    x     |
+| OhttpEncapsulation |       x       |       -       |    x     |
+| Expired            |       x       |       -       |    x     |
+| DirectoryResponse  |       -       |       x       |    x     |
+
+### Issues requiring maintainer decisions
+
+1. **Cross-side deduplication**: `InternalCreateRequestError` and
+   `InternalSessionError` have nearly identical variant sets but serve
+   different sides of the protocol (send vs receive). Collapsing them
+   requires architectural decisions about shared error types.
+
+2. **Decapsulation/Session subset**: `InternalDecapsulationError` is a
+   strict subset of `InternalSessionError` (`Hpke` + `DirectoryResponse`).
+   Could potentially reuse a shared type.
+
+3. **Inconsistent variant naming**: `Url` (send) vs `ParseUrl` (receive)
+   for the same semantic concept (`into_url::Error`).
+
+4. **Hpke variant placement**: The `Hpke` variant in `DecapsulationError`
+   represents HPKE decryption (a distinct crypto operation from OHTTP
+   decapsulation). May belong at a different level.
+
+5. **process_response return type asymmetry**: Send POST returns
+   `DecapsulationError`, send GET returns `ResponseError`. The asymmetry
+   may be intentional (POST only confirms acceptance; GET retrieves and
+   validates a full proposal).
+
+## Test plan
+
+- [x] `cargo clippy --all-targets --keep-going --all-features -- -D warnings`
+- [x] `cargo fmt --all -- --check`
+- [x] `codespell`
+- [x] `nix fmt -- --ci`
+
+Disclosure: co-authored by Claude
diff --git a/STATUS.md b/STATUS.md
@@ -0,0 +1,122 @@
+# Status: Issue #749
+
+## Task
+
+Audit error types for duplication and naming issues
+
+## Progress
+
+- [x] Understanding complete
+- [x] Audit documented
+- [x] Targeted fixes implemented
+- [x] Pre-commit checks passing
+- [x] All changes committed
+
+## Audit Findings
+
+### Error Type Inventory
+
+**`InternalCreateRequestError`** (send-side, `payjoin/src/core/send/v2/error.rs:15`):
+
+- `Url(crate::into_url::Error)`
+- `Hpke(crate::hpke::HpkeError)`
+- `OhttpEncapsulation(crate::ohttp::OhttpEncapsulationError)`
+- `Expired(Time)`
+
+**`InternalEncapsulationError`** (send-side, `payjoin/src/core/send/v2/error.rs:63`):
+
+- `Hpke(crate::hpke::HpkeError)`
+- `DirectoryResponse(DirectoryResponseError)`
+
+**`InternalSessionError`** (receive-side, `payjoin/src/core/receive/v2/error.rs:26`):
+
+- `ParseUrl(crate::into_url::Error)`
+- `Expired(Time)`
+- `OhttpEncapsulation(OhttpEncapsulationError)`
+- `Hpke(HpkeError)`
+- `DirectoryResponse(DirectoryResponseError)`
+
+### Duplication: InternalEncapsulationError vs InternalSessionError
+
+| Variant                                   | InternalEncapsulationError | InternalSessionError |
+| ----------------------------------------- | -------------------------- | -------------------- |
+| Hpke(HpkeError)                           | YES                        | YES                  |
+| DirectoryResponse(DirectoryResponseError) | YES                        | YES                  |
+
+`InternalEncapsulationError` is a strict subset of `InternalSessionError`.
+
+### Duplication: InternalCreateRequestError vs InternalSessionError
+
+| Variant                                     | InternalCreateRequestError | InternalSessionError |
+| ------------------------------------------- | -------------------------- | -------------------- |
+| Url / ParseUrl (into_url::Error)            | `Url`                      | `ParseUrl`           |
+| Hpke(HpkeError)                             | YES                        | YES                  |
+| OhttpEncapsulation(OhttpEncapsulationError) | YES                        | YES                  |
+| Expired(Time)                               | YES                        | YES                  |
+
+`InternalCreateRequestError` maps 1:1 to `InternalSessionError` (with the
+naming difference of `Url` vs `ParseUrl`). `InternalSessionError` has one
+extra variant: `DirectoryResponse`.
+
+### Naming Issues
+
+1. **EncapsulationError is a misnomer**: Used exclusively in `process_response`
+   methods (decapsulating responses), never during encapsulation (creating
+   requests, where CreateRequestError is used).
+2. **Hpke variant placement**: In `InternalEncapsulationError`, the `Hpke`
+   variant represents HPKE _decryption_ failure (`decrypt_message_b`), which
+   is a distinct crypto operation from OHTTP en/decapsulation.
+3. **Inconsistent variant naming**: `Url` (send) vs `ParseUrl` (receive) for
+   the same semantic concept.
+
+### Return Type Inconsistency
+
+- Send POST `process_response` → `EncapsulationError`
+- Send GET `process_response` → `ResponseError`
+- Receive `process_response`-like methods → `SessionError` or `Error`
+
+The POST/GET asymmetry may be intentional (POST only confirms acceptance;
+GET retrieves and validates a proposal). The receive side is different because
+errors may need to be returned to the sender as JSON.
+
+### Classification
+
+**CLEAR FIX:**
+
+1. Rename `EncapsulationError` → `DecapsulationError` (and internal variant)
+
+**NEEDS DECISION (documented, not fixed):**
+
+1. Deduplicating InternalCreateRequestError / InternalSessionError — they serve
+   different sides (send vs receive) and collapsing requires architectural
+   decisions about shared error types.
+2. Deduplicating InternalEncapsulationError / InternalSessionError — strict
+   subset but different roles (send response processing vs receive session).
+3. Standardizing Url vs ParseUrl naming across send/receive.
+4. Whether to move the Hpke variant out of EncapsulationError/DecapsulationError
+   since HPKE decryption is distinct from OHTTP decapsulation.
+5. Unifying process_response return types across POST/GET/receive.
+
+## Decisions
+
+- Rename EncapsulationError → DecapsulationError: clear-cut fix, only
+  used during response decapsulation. ~15 sites to update across core +
+  FFI, manageable scope.
+- Not deduplicating cross-side error types: too architecturally entangled
+  for a targeted fix; would require maintainer design input.
+
+## Questions
+
+- Should InternalCreateRequestError and InternalSessionError share a common
+  type or trait? Both represent "session operation failed" with nearly
+  identical variant sets.
+- Should Hpke be a separate error variant at a higher level rather than
+  being embedded in en/decapsulation error types?
+
+## Commits
+
+- `0dee49bd` — Rename EncapsulationError to DecapsulationError
+  Renamed EncapsulationError → DecapsulationError across core crate
+  (send/v2/error.rs, send/v2/mod.rs, send/error.rs) and FFI crate
+  (send/error.rs, send/mod.rs). Updated V2Encapsulation variant to
+  V2Decapsulation and fixed display string.
