docs(v1.3): re-audit milestone — all 16/16 requirements satisfied after Phase 18 gap closure

JakeHartnell · JakeHartnell · commit 9a82b470e824 · 2026-04-04T18:33:26.000+02:00
diff --git a/.planning/REQUIREMENTS.md b/.planning/REQUIREMENTS.md
@@ -11,7 +11,7 @@ Requirements for per-service P2P targeting. Each maps to roadmap phases.
 
 - [x] **SUB-01**: Node maintains a per-service peer subscription map (`service_id → Set<PeerPubkey>`) updated from announcement messages
 - [x] **SUB-02**: Node maintains a reverse index (`PeerPubkey → Set<service_id>`) for efficient cleanup on peer disconnect
-- [ ] **SUB-03**: When a peer disconnects, all its subscription entries are removed from both maps
+- [x] **SUB-03**: When a peer disconnects, all its subscription entries are removed from both maps
 
 ### Announcement Protocol
 
@@ -36,7 +36,7 @@ Requirements for per-service P2P targeting. Each maps to roadmap phases.
 
 - [x] **COMPAT-01**: Existing secp256k1 e2e tests pass unchanged
 - [x] **COMPAT-02**: Existing BLS e2e tests pass unchanged
-- [ ] **COMPAT-03**: Nodes without v1.3 targeting are treated as subscribed-to-all (backward compatible during rolling updates)
+- [x] **COMPAT-03**: Nodes without v1.3 targeting are treated as subscribed-to-all (backward compatible during rolling updates)
 
 ## Future Requirements
 
@@ -72,7 +72,7 @@ Which phases cover which requirements. Updated during roadmap creation.
 |-------------|-------|--------|
 | SUB-01 | Phase 14 | Complete |
 | SUB-02 | Phase 14 | Complete |
-| SUB-03 | Phase 18 | Pending |
+| SUB-03 | Phase 18 | Complete |
 | ANN-01 | Phase 15 | Complete |
 | ANN-02 | Phase 15 | Complete |
 | ANN-03 | Phase 15 | Complete |
@@ -85,7 +85,7 @@ Which phases cover which requirements. Updated during roadmap creation.
 | OBS-01 | Phase 17 | Complete |
 | COMPAT-01 | Phase 16 | Complete |
 | COMPAT-02 | Phase 16 | Complete |
-| COMPAT-03 | Phase 18 | Pending |
+| COMPAT-03 | Phase 18 | Complete |
 
 **Coverage:**
 - v1.3 requirements: 16 total
diff --git a/.planning/v1.3-MILESTONE-AUDIT.md b/.planning/v1.3-MILESTONE-AUDIT.md
@@ -1,37 +1,15 @@
 ---
 milestone: v1.3
 audited: 2026-04-04
-status: gaps_found
+status: tech_debt
 scores:
-  requirements: 14/16
-  phases: 4/4
-  integration: 14/16
+  requirements: 16/16
+  phases: 5/5
+  integration: 16/16
   flows: 1/1
 gaps:
-  requirements:
-    - id: "SUB-03"
-      status: "partial"
-      phase: "Phase 14"
-      claimed_by_plans: ["14-01-PLAN.md"]
-      completed_by_plans: ["14-01-SUMMARY.md"]
-      verification_status: "missing"
-      evidence: "remove_peer() is implemented and unit-tested but never triggered by peer disconnect in either bridge loop. No peer-disconnect event arm exists in tokio::select! loops. Stale entries persist until heartbeat replace-not-merge (2s interval) or node restart."
-    - id: "COMPAT-03"
-      status: "partial"
-      phase: "Phase 15"
-      claimed_by_plans: ["15-01-PLAN.md", "15-02-PLAN.md"]
-      completed_by_plans: ["15-01-SUMMARY.md", "15-02-SUMMARY.md"]
-      verification_status: "missing"
-      evidence: "has_announced() is defined at p2p.rs:422 but never called in production bridge loops (clippy dead_code). get_recipients() falls back to Recipients::All at service level (zero subscribers), but excludes pre-v1.3 peers when at least one v1.3 peer subscribes to the same service."
-  integration:
-    - from: "Phase 14 (PeerSubscriptionMap.remove_peer)"
-      to: "Bridge loops (disconnect handling)"
-      issue: "remove_peer() has no caller on peer disconnect — no disconnect event arm in either bridge loop"
-      affected_requirements: ["SUB-03"]
-    - from: "Phase 15 (has_announced)"
-      to: "Phase 16 (get_recipients)"
-      issue: "has_announced() is dead production code — get_recipients() does not check per-peer announcement status"
-      affected_requirements: ["COMPAT-03"]
+  requirements: []
+  integration: []
   flows: []
 tech_debt:
   - phase: 14-subscription-data-structures
@@ -42,7 +20,6 @@ tech_debt:
     items:
       - "No VERIFICATION.md created during execution"
       - "No VALIDATION.md sign-off (nyquist_compliant: false)"
-      - "has_announced() dead_code warning (test-only method)"
   - phase: 16-targeted-delivery
     items:
       - "No VERIFICATION.md created during execution"
@@ -53,26 +30,30 @@ tech_debt:
       - "No VERIFICATION.md created during execution"
       - "No VALIDATION.md sign-off (nyquist_compliant: false)"
       - "peer_subscriptions data not rendered in P2pPage.tsx UI (display gap only — API requirement OBS-01 satisfied)"
+  - phase: 18-peer-state-correctness
+    items:
+      - "No VERIFICATION.md created during execution"
+      - "No VALIDATION.md sign-off (nyquist_compliant: false)"
 nyquist:
   compliant_phases: 0
   partial_phases: 0
-  missing_phases: 4
-  overall: "All 4 phases have VALIDATION.md with nyquist_compliant: false and wave_0_complete: false"
+  missing_phases: 5
+  overall: "All 5 phases have VALIDATION.md with nyquist_compliant: false and wave_0_complete: false"
 ---
 
 # Milestone v1.3 Audit: Per-Service P2P Targeting
 
-**Audited:** 2026-04-04
-**Status:** gaps_found (2 partial requirements)
-**Scores:** 14/16 requirements satisfied, 4/4 phases complete, 14/16 integration paths wired, 1/1 E2E flows complete
+**Audited:** 2026-04-04 (re-audit after Phase 18 gap closure)
+**Status:** tech_debt (all requirements satisfied, no critical gaps)
+**Scores:** 16/16 requirements satisfied, 5/5 phases complete, 16/16 integration paths wired, 1/1 E2E flows complete
 
 ## Requirements Coverage (3-Source Cross-Reference)
 
 | REQ-ID | Description | Phase | SUMMARY frontmatter | REQUIREMENTS.md | Integration | Final Status |
 |--------|-------------|-------|--------------------|-----------------|----|---|
 | SUB-01 | Per-service peer subscription map | 14 | listed (14-01) | [x] | WIRED | satisfied |
 | SUB-02 | Reverse index for cleanup | 14 | listed (14-01) | [x] | WIRED | satisfied |
-| SUB-03 | Peer disconnect removes subscriptions | 14 | listed (14-01) | [x] | UNWIRED | **partial** |
+| SUB-03 | Peer disconnect removes subscriptions | 18 | listed (18-01) | [x] | WIRED | **satisfied** |
 | ANN-01 | Subscribe announcement on service add | 15 | listed (15-02) | [x] | WIRED | satisfied |
 | ANN-02 | Unsubscribe announcement on service remove | 15 | listed (15-02) | [x] | WIRED | satisfied |
 | ANN-03 | Subscription piggybacked on heartbeats | 15 | listed (15-01, 15-02) | [x] | WIRED | satisfied |
@@ -82,51 +63,52 @@ nyquist:
 | TGT-02 | Empty subscriber set falls back to All | 16 | listed (16-01, 16-02) | [x] | WIRED | satisfied |
 | TGT-03 | Engine channel stays Recipients::All | 16 | listed (16-01, 16-02) | [x] | WIRED | satisfied |
 | TGT-04 | Retry queue re-resolves recipients | 16 | listed (16-01, 16-02) | [x] | WIRED | satisfied |
-| OBS-01 | /p2p/status includes peer counts | 17 | provides (17-01) | [x] | WIRED | satisfied |
+| OBS-01 | /p2p/status includes peer counts | 17 | listed (17-01) | [x] | WIRED | satisfied |
 | COMPAT-01 | secp256k1 e2e tests pass | 16 | listed (16-01, 16-02) | [x] | WIRED | satisfied |
 | COMPAT-02 | BLS e2e tests pass | 16 | listed (16-02) | [x] | WIRED | satisfied |
-| COMPAT-03 | Pre-v1.3 nodes treated as subscribed-to-all | 15 | listed (15-01, 15-02) | [x] | PARTIAL | **partial** |
+| COMPAT-03 | Pre-v1.3 nodes treated as subscribed-to-all | 18 | listed (18-01) | [x] | WIRED | **satisfied** |
 
-## Gap Details
+## Gap Closure: Phase 18
 
-### SUB-03: Peer disconnect cleanup not triggered (medium severity)
+Phase 18 was created to close the two gaps identified in the initial audit:
 
-**What:** `PeerSubscriptionMap.remove_peer()` is implemented at `p2p.rs:407` and fully unit-tested, but never called from the bridge loops when a peer disconnects. Neither `run_lookup_network` nor `run_discovery_network` has a peer-disconnect event arm in their `tokio::select!` loop.
+### SUB-03: Peer disconnect cleanup — CLOSED
 
-**Impact:** Stale subscription entries accumulate for disconnected peers. `get_recipients()` may include departed peers in `Recipients::Some(...)`, causing sends to unreachable peers (silently dropped by commonware-p2p).
+**Prior gap:** `remove_peer()` was implemented and unit-tested but never triggered by peer disconnect. No disconnect event arm existed in either bridge loop.
 
-**Mitigation:** Heartbeat replace-not-merge (every 2s) overwrites stale entries when a peer reconnects. For truly departed peers, entries persist until node restart. The Engine broadcast channel (channel 0) still delivers to all peers as catch-up reliability.
+**Fix (Phase 18):** Heartbeat-driven pruning via `tracked_peers().difference(&connected_peer_set)` in both bridge loops. On each 2-second heartbeat tick, peers tracked in `PeerSubscriptionMap` but absent from the connected peer set are pruned via `remove_peer()`. `known_peers` is also pruned to allow ANN-04 re-hello on reconnect.
 
-**Root cause:** commonware-p2p does not expose a peer-disconnect callback/event channel — no mechanism to trigger `remove_peer()` directly.
+**Evidence:** `tracked_peers()` called at lines 1126 (lookup) and 1624 (discovery). `remove_peer(departed)` called at lines 1128 and 1626. 45/45 unit tests pass including `test_heartbeat_prune_departed_peer`.
 
-### COMPAT-03: Per-peer backward compatibility incomplete (low severity)
+### COMPAT-03: Pre-v1.3 backward compatibility — CLOSED
 
-**What:** `has_announced()` at `p2p.rs:422` was designed for per-peer COMPAT-03 checking but is never called in production code (dead_code warning). `get_recipients()` falls back to `Recipients::All` only when the service has zero subscribers — correct for the zero-subscriber case, but excludes pre-v1.3 peers when at least one v1.3 peer has subscribed to the same service.
+**Prior gap:** `has_announced()` was dead production code. `get_recipients()` excluded pre-v1.3 peers when at least one v1.3 peer subscribed to the same service.
 
-**Impact:** During rolling upgrade with mixed v1.3 + pre-v1.3 operators, legacy peers are excluded from targeted delivery for services where at least one v1.3 peer has subscribed. Engine channel (channel 0) catch-up mitigates this by delivering via `Recipients::All` on the broadcast channel.
+**Fix (Phase 18):** `get_recipients()` now takes a `connected_peers: &HashSet<ed25519::PublicKey>` parameter. For each connected peer that has never announced (`!has_announced(peer)`), the peer is unconditionally included in the recipient set. All 6 production call sites pass `&connected_peer_set`.
 
-**Fix path:** Call `has_announced(peer)` per connected peer in `get_recipients()` and include un-announced peers unconditionally in the recipient set.
+**Evidence:** `has_announced()` called at line 473 inside `get_recipients()`. No dead_code clippy warning. Tests `test_get_recipients_includes_unannounced_connected_peers` and `test_get_recipients_all_announced_no_legacy` verify behavior.
 
 ## Cross-Phase Integration
 
-### E2E Flow: Service → Subscription → Targeting → Observability
-
-| Step | Status |
-|------|--------|
-| Service add → AggregatorCommand::SubscribeService | CONNECTED |
-| Subscribe arm → SubscriptionAnnouncement broadcast via direct_sender | CONNECTED (ANN-01) |
-| Remote peer → is_subscription_announcement() → handle_announcement() | CONNECTED (SUB-01, ANN-05) |
-| Heartbeat → full_state=true → set_peer_subscriptions() | CONNECTED (ANN-03) |
-| New peer → known_peers check → hello via Recipients::One | CONNECTED (ANN-04) |
-| Publish → get_recipients() → targeted send | CONNECTED (TGT-01, TGT-02) |
-| Retry drain → re-resolve get_recipients() | CONNECTED (TGT-04) |
-| mailbox.broadcast() → Recipients::All (unchanged) | CONNECTED (TGT-03) |
-| GetStatus → peer_subscription_counts() → P2pStatus | CONNECTED (OBS-01) |
-| /p2p/status → JSON response with peer_subscriptions | CONNECTED |
+### E2E Flow: Service → Subscription → Targeting → Observability → Cleanup
+
+| Step | Status | Requirements |
+|------|--------|-------------|
+| Service add → AggregatorCommand::SubscribeService | CONNECTED | — |
+| Subscribe arm → SubscriptionAnnouncement broadcast | CONNECTED | ANN-01 |
+| Remote peer → is_subscription_announcement() → handle_announcement() | CONNECTED | SUB-01, ANN-05 |
+| Heartbeat → full_state=true → set_peer_subscriptions() | CONNECTED | ANN-03 |
+| New peer → known_peers check → hello via Recipients::One | CONNECTED | ANN-04 |
+| Publish → get_recipients(svc, connected) → targeted send | CONNECTED | TGT-01, TGT-02, COMPAT-03 |
+| Retry drain → re-resolve get_recipients() | CONNECTED | TGT-04 |
+| mailbox.broadcast() → Recipients::All (unchanged) | CONNECTED | TGT-03 |
+| Heartbeat tick → tracked_peers().difference() → prune departed | CONNECTED | SUB-03 |
+| GetStatus → peer_subscription_counts() → P2pStatus | CONNECTED | OBS-01 |
+| /p2p/status → JSON response with peer_subscriptions | CONNECTED | — |
 
 ### Orphaned Code
 
-- `has_announced()` — defined, tested, never called in production (dead_code)
+None. `has_announced()` dead_code resolved by Phase 18.
 
 ## Nyquist Compliance
 
@@ -136,18 +118,20 @@ nyquist:
 | 15 | exists | false | `/gsd:validate-phase 15` |
 | 16 | exists | false | `/gsd:validate-phase 16` |
 | 17 | exists | false | `/gsd:validate-phase 17` |
+| 18 | exists | false | `/gsd:validate-phase 18` |
 
-All 4 phases have VALIDATION.md but none are signed off (nyquist_compliant: false, wave_0_complete: false). Validation strategies were defined but not executed during phase work.
+All 5 phases have VALIDATION.md but none are signed off (nyquist_compliant: false, wave_0_complete: false).
 
 ## Tech Debt Summary
 
 | Phase | Items |
 |-------|-------|
-| All phases | No VERIFICATION.md files (process gap) |
+| All phases | No VERIFICATION.md files (verifier disabled in config) |
 | All phases | VALIDATION.md unsigned (nyquist_compliant: false) |
-| Phase 15 | has_announced() dead_code warning |
 | Phase 16 | Pre-existing clippy warnings (too_many_arguments, let_underscore_future, etc.) |
-| Phase 17 | peer_subscriptions not rendered in Tauri P2P dashboard UI |
+| Phase 17 | peer_subscriptions not rendered in Tauri P2P dashboard UI (API satisfied) |
+
+### Total: 4 distinct items across 5 phases
 
 ---
-*Audit generated: 2026-04-04*
+*Re-audit generated: 2026-04-04 after Phase 18 gap closure*
