chore: reorganize tasks after Round 71 delegation

subtleGradient · subtleGradient · commit baae184b1451 · 2025-12-25T10:16:04.000-05:00
- Move TASK-190, TASK-195 to done (hypothesis invalidation complete)
- Create TASK-198 (db_version off-by-one) - HIGH priority
- Create TASK-199 (seq divergence) - MEDIUM priority
- Create TASK-200 (validation gaps) - LOW priority
- Fix duplicate TASK-196 numbering
diff --git a/.tasks/done/TASK-190-fuzz-invalidation-round2.md b/.tasks/done/TASK-190-fuzz-invalidation-round2.md
diff --git a/.tasks/done/TASK-195-adversarial-input-fuzzing.md b/.tasks/done/TASK-195-adversarial-input-fuzzing.md
@@ -0,0 +1,73 @@
+# TASK-195 — Adversarial Input Fuzzing (Malformed crsql_changes)
+
+## Goal
+Feed malformed/adversarial inputs to crsql_changes to find divergent error handling.
+
+## Status
+- State: **DONE**
+- Priority: HIGH (security + robustness)
+- Discovered: 2025-12-23 (hypothesis invalidation request)
+- Completed: 2025-12-23
+
+## Hypothesis to Invalidate
+"Zig and Rust/C handle all malformed inputs identically."
+
+## Test Results
+
+### Summary
+
+| Category | Tests | Pass | Diverge | Crashes |
+|----------|-------|------|---------|---------|
+| A: Invalid PK Blobs | 7 | 7 | 0 | 2 (Rust) |
+| B: Invalid Metadata | 6 | 0 | 6 | 0 |
+| C: Invalid Names | 6 | 6 | 0 | 0 |
+| D: Edge Cases | 7 | 3 | 4 | 0 |
+| **TOTAL** | **26** | **16** | **10** | **2** |
+
+### Critical Findings
+
+#### Rust/C Oracle Crashes (Security Issues in Oracle)
+1. **A3: Empty PK blob** - Rust/C crashes with SIGTRAP (assertion failure)
+2. **A7: NULL PK blob** - Rust/C crashes with SIGTRAP (assertion failure)
+
+**Zig handles both cases gracefully with proper error messages.**
+
+#### Divergences (Zig More Permissive Than Rust/C)
+Zig accepts these inputs while Rust/C rejects them:
+- Negative col_version / db_version
+- Non-16-byte site_id values
+- Float/string values for integer fields
+- Sentinel column with non-NULL value
+
+### Files Created
+- `zig/harness/test-adversarial-input.sh` — 26 adversarial test cases
+
+## Acceptance Criteria
+1. ✅ Both implementations handle malformed input gracefully (Zig: no crashes; Rust: crashes on 2)
+2. ✅ Divergences documented (10 cases where Zig more permissive)
+3. ✅ No data corruption from malformed input
+4. ✅ Found handling divergence — Zig more robust than Rust
+
+## Follow-up Tasks Created
+- TASK-200: Zig input validation gaps (align with Rust if desired)
+
+## Recommendations
+1. **Zig robustness is BETTER than Rust/C** — no action required for crashes
+2. Validation gaps exist if strict parity is desired (LOW priority)
+
+## Parent Docs / Cross-links
+- Existing error handling: `test-error-handling.sh`
+- Gap backlog: `research/zig-cr/92-gap-backlog.md`
+- Test script: `zig/harness/test-adversarial-input.sh`
+- Follow-up: `.tasks/triage/TASK-200-zig-validation-gaps.md`
+
+## Progress Log
+- 2025-12-23: Created from hypothesis invalidation request.
+- 2025-12-23: Executed 26 adversarial test cases, documented findings.
+
+## Completion Notes
+- Date: 2025-12-23
+- Test script created: `zig/harness/test-adversarial-input.sh`
+- Key finding: Zig is MORE robust than Rust/C (handles crashes gracefully)
+- 10 divergences documented (Zig more permissive)
+- 2 Rust/C crashes on empty/NULL PK blobs
diff --git a/.tasks/triage/TASK-195-adversarial-input-fuzzing.md b/.tasks/triage/TASK-195-adversarial-input-fuzzing.md
diff --git a/.tasks/triage/TASK-198-db-version-off-by-one.md b/.tasks/triage/TASK-198-db-version-off-by-one.md
@@ -1,4 +1,4 @@
-# TASK-196 — db_version off-by-one divergence
+# TASK-198 — db_version off-by-one divergence
 
 ## Goal
 Fix the db_version tracking divergence where Zig produces db_version values 1 higher than Rust/C after certain operation sequences.
@@ -65,7 +65,7 @@ The db_version increment logic differs in edge cases. Possible causes:
 
 ## Parent Docs / Cross-links
 
-- Discovery: `.tasks/triage/TASK-190-fuzz-invalidation-round2.md`
+- Discovery: `.tasks/done/TASK-190-fuzz-invalidation-round2.md`
 - Related: `.tasks/done/TASK-130-fix-trigger-parity-test-column-bug.md` (seq divergence)
 - Test script: `zig/harness/test-fuzz-stress.sh`
 
diff --git a/.tasks/triage/TASK-199-seq-value-divergence.md b/.tasks/triage/TASK-199-seq-value-divergence.md
@@ -0,0 +1,64 @@
+# TASK-199 — seq Value Divergence (Zig=1, Rust=0)
+
+## Goal
+Investigate and potentially fix the `seq` column value divergence between Zig and Rust/C implementations.
+
+## Status
+- State: triage
+- Priority: MEDIUM (affects sync ordering in edge cases)
+- Discovered: 2025-12-23 (TASK-192 prior DB parity testing)
+
+## Problem
+
+When performing single operations, the `seq` column in `crsql_changes` differs:
+- **Rust/C**: `seq=0`
+- **Zig**: `seq=1`
+
+This was previously documented in TASK-130 (resurrection semantics) but may have broader implications.
+
+## Impact
+
+The `seq` column determines ordering when multiple changes have the same `db_version`. If Zig starts at 1 and Rust at 0, sync ordering could differ in edge cases involving:
+- Multiple changes in same transaction
+- Resurrection (DELETE + INSERT same PK)
+- Bulk operations
+
+## Evidence
+
+From TASK-192 cross-implementation testing:
+```
+Rust/C crsql_changes: tbl|pk|col|val|col_version|db_version|site_id|cl|seq
+                      foo|1 |x  |42 |1          |1         |...    |1 |0
+
+Zig crsql_changes:    foo|1 |x  |42 |1          |1         |...    |1 |1
+```
+
+## Questions to Answer
+
+1. Is `seq=0` or `seq=1` semantically correct for single operations?
+2. Does the sync protocol rely on specific `seq` values?
+3. What happens when Zig and Rust exchange changes with different `seq` bases?
+
+## Files to Investigate
+
+- `zig/src/triggers.zig` — seq assignment logic
+- `zig/src/changes_vtab.zig` — seq in crsql_changes output
+- `core/src/changes-vtab.c` — Rust/C implementation for comparison
+
+## Acceptance Criteria
+
+1. [ ] Document the intended semantics of `seq`
+2. [ ] Determine if divergence affects sync correctness
+3. [ ] Either fix Zig to match Rust OR document as acceptable divergence
+
+## Parent Docs / Cross-links
+
+- Discovery: `.tasks/done/TASK-192-prior-db-oracle-parity.md`
+- Related: `.tasks/done/TASK-130-fix-trigger-parity-test-column-bug.md`
+- Gap backlog: `research/zig-cr/92-gap-backlog.md`
+
+## Progress Log
+- 2025-12-23: Created from TASK-192 findings.
+
+## Completion Notes
+(Empty until done.)
diff --git a/.tasks/triage/TASK-200-zig-validation-gaps.md b/.tasks/triage/TASK-200-zig-validation-gaps.md
@@ -0,0 +1,67 @@
+# TASK-200 — Zig Input Validation Gaps (More Permissive Than Rust)
+
+## Goal
+Align Zig input validation with Rust/C to ensure identical error handling for malformed inputs.
+
+## Status
+- State: triage
+- Priority: LOW (Zig is more robust, not less)
+- Discovered: 2025-12-23 (TASK-195 adversarial input fuzzing)
+
+## Problem
+
+TASK-195 adversarial testing found that Zig accepts inputs that Rust/C rejects:
+
+| Input | Rust/C | Zig |
+|-------|--------|-----|
+| Negative col_version | ERROR | ACCEPTS |
+| Negative db_version | ERROR | ACCEPTS |
+| Non-16-byte site_id | ERROR | ACCEPTS |
+| Float for integer field | ERROR | ACCEPTS |
+| String for integer field | ERROR | ACCEPTS |
+| Non-NULL sentinel value | ERROR | ACCEPTS |
+
+## Context
+
+This is a LOW priority issue because:
+1. Zig handles all inputs gracefully (no crashes)
+2. Rust/C actually CRASHES on some inputs (empty PK blob, NULL PK blob)
+3. Being more permissive is safer than being less robust
+
+However, for strict parity, Zig should reject the same inputs as Rust/C.
+
+## Rust/C Crashes (For Reference)
+
+The adversarial testing found that Rust/C crashes on:
+- Empty PK blob (SIGTRAP assertion failure)
+- NULL PK blob (SIGTRAP assertion failure)
+
+Zig handles both gracefully with proper error messages.
+
+## Files to Modify
+
+- `zig/src/changes_vtab.zig` — Add validation for:
+  - `site_id` length (must be 16 bytes)
+  - `col_version` >= 0
+  - `db_version` >= 0
+  - Type checking for metadata fields
+
+## Acceptance Criteria
+
+1. [ ] Zig rejects negative col_version with same error as Rust
+2. [ ] Zig rejects negative db_version with same error as Rust
+3. [ ] Zig rejects non-16-byte site_id with same error as Rust
+4. [ ] Zig rejects wrong types for metadata fields
+5. [ ] All existing tests still pass
+
+## Parent Docs / Cross-links
+
+- Discovery: `.tasks/triage/TASK-195-adversarial-input-fuzzing.md`
+- Test script: `zig/harness/test-adversarial-input.sh`
+- Gap backlog: `research/zig-cr/92-gap-backlog.md`
+
+## Progress Log
+- 2025-12-23: Created from TASK-195 findings.
+
+## Completion Notes
+(Empty until done.)
