Anatoly Audit Report

[r-via]

Hey! I'm Rémi. I built Anatoly, an AI agent that deep-audits your entire codebase in one command. It catches what linters miss: dead code, hidden duplications, correctness bugs, over-engineering, test gaps, and more. Every single finding is backed by evidence, not guesswork.

I ran a full audit on your project and here's what Anatoly found. I hope it helps! If anything catches your eye, I'd love to hear your thoughts.

41 files reviewed in 0 min — $0.00 in AI analysis so you don't have to.
Verdict: CRITICAL · 4 critical bugs found · 472 findings in 37 files

Axes

Axis	Health	Findings	Details
Correction	🟩🟩🟩🟩🟩🟩🟩🟩🟩⬜ 86% OK	39 high · 14 med	View →
Utility	🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩 99% used	3 high · 1 med	View →
Duplication	🟩🟩🟩🟩🟩🟩🟩🟩🟩⬜ 94% unique	13 high · 9 med	View →
Overengineering	🟩🟩🟩🟩🟩🟩🟩🟩🟩⬜ 93% lean	1 high · 1 med	View →
Tests	🟥🟥🟥🟥⬜⬜⬜⬜⬜⬜ 39% covered	48 high · 20 med · 162 low	View →
Documentation	🟨🟨🟨🟨🟨⬜⬜⬜⬜⬜ 52% documented	24 high · 6 med · 121 low	View →
Best Practices	🟩🟩🟩🟩🟩🟩🟩🟩⬜⬜ avg 8.1 / 10	10 high	View →

Top Findings

🐛 Correction

• 🔴 rustguard-tun/src/xdp.rs XdpSocket — Three correctness bugs found in impl methods. (1) tx_send (around L348-L352) calls copy_nonoverlapping with data.len(...
• 🟡 rustguard-core/src/replay.rs ReplayWindow — The bit-level shift inside shift_window (lines 112-116) is inverted in both direction and iteration order, causing al...
• 🔴 rustguard-enroll/src/server.rs run — Two correctness defects: (1) In the MSG_TRANSPORT handler, decrypt_buf is fixed at 2048 bytes, but `ct = &buf[TRANS...
• 🟡 rustguard-kmod/src/cookie.rs hash — Line 49 passes chunks.len() as u32 as num_chunks to the C function, but the loop at line 44 uses .take(4) and p...
• 🟡 rustguard-cli/src/main.rs cmd_serve — Two bugs: (1) The .filter(|v| !v.is_empty()) guard for --pool (L82), --token (L89), and --xdp (L99) only rejects empt...

Showing top 5 of 53 findings. View all Correction findings →

♻️ Utility

• rustguard-enroll/src/packet.rs parse_eth_udp — Exported function with 0 workspace importers per pre-computed analysis. Matches rule 2: exported symbol with 0 runtim...
• rustguard-kmod/src/replay.rs ReplayWindow — Exported pub(crate) struct with 0 workspace importers per Pre-computed Import Analysis.
• rustguard-enroll/src/packet.rs ParsedUdp — Exported struct with 0 workspace importers per pre-computed analysis. Matches rule 2: exported symbol with 0 runtime ...

Showing top 3 of 4 findings. View all Utility findings →

📋 Duplication

• rustguard-tun/src/linux_mq.rs set_name — Identical to linux.rs version - copies string bytes to fixed buffer with length constraint
• rustguard-tun/src/linux_mq.rs make_sockaddr_in — Identical to linux.rs version - creates sockaddr_in struct with identical field initialization
• rustguard-tun/src/linux_mq.rs close_and_error — Identical to linux.rs version - captures OS error, closes fd, returns error in same sequence
• rustguard-enroll/src/client.rs rand_index — Identical implementation — both generate random u32 via getrandom and le_bytes conversion. Score 0.965 with same-crat...
• rustguard-enroll/src/client.rs base64_key — Identical implementation — both encode 32-byte key to base64 string using BASE64_STANDARD. Score 0.994 indicates near...

Showing top 5 of 22 findings. View all Duplication findings →

🏗️ Overengineering

• rustguard-daemon/src/tunnel.rs ctrlc_handler — NIH reimplementation of what the ctrlc crate (~5M weekly downloads) provides in two lines. Uses raw unsafe libc (si...

Showing top 1 of 2 findings. View all Overengineering findings →

🧪 Tests

• rustguard-enroll/src/control.rs new_window — No test file exists for control.rs. new_window has no tests whatsoever.
• rustguard-tun/src/xdp.rs XdpSocket — Central AF_XDP socket struct with complex unsafe lifecycle methods (create, rx_poll, rx_release, tx_send, tx_complete...
• rustguard-core/src/cookie.rs CookieChecker — Inline tests cover create_reply, verify_mac2, and the wrong-source failure case. However, verify_mac1 is never tested...
• rustguard-core/src/cookie.rs CookieState — new, process_reply (happy path and wrong-mac1 failure), compute_mac2 (with and without cookie) are all tested. Howeve...
• rustguard-enroll/src/server.rs ServeConfig — No test file exists for server.rs. ServeConfig is a public struct but has no test coverage. Types/structs with no run...

Showing top 5 of 230 findings. View all Tests findings →

📝 Documentation

• rustguard-daemon/src/config.rs InterfaceConfig — Public struct with no /// doc comment on the type or on any of its five public fields (private_key, listen_port...
• rustguard-daemon/src/config.rs PeerConfig — Public struct with no /// doc comment on the type or on any of its five public fields. Fields like preshared_key ...
• rustguard-enroll/src/control.rs new_window — No /// doc comment on the function itself. The EnrollmentWindow type alias above has docs, but the constructor fu...
• rustguard-tun/src/xdp.rs XdpSocket — Public struct. Has a two-line type-level /// doc comment describing purpose and zero-copy role. Only one field (`fr...
• rustguard-core/src/cookie.rs COOKIE_LEN — Public constant has /// Cookie size. — present but trivially terse. Does not state the unit (bytes), no context on ...

Showing top 5 of 151 findings. View all Documentation findings →

✅ Best Practices

✨ CLEAN — Only low-confidence findings.

Documentation Coverage

Measures inline doc comments (/// in Rust, /** */ in JS/TS, docstrings in Python) on exported symbols.
Anatoly also generates reference pages in .anatoly/docs/ for every reviewed module.

Metric	Coverage	Description
Complete doc comments	🟥⬜⬜⬜⬜⬜⬜⬜⬜⬜ 12% (16/137)	Exported symbols with a complete inline doc comment covering description, params, and return
Any doc comment	🟨🟨🟨🟨🟨🟨🟨🟨⬜⬜ 77% (106/137)	Exported symbols with at least a partial inline doc comment
Module guides	🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩 100% (7/7)	Modules > 200 LOC with a dedicated page in docs/
Reference pages	36 pages	Anatoly-generated module and API reference pages

No docs/ directory found. Copy .anatoly/docs/ to docs/ to adopt the generated documentation and speed up future Anatoly runs.

Gaps: 1 pages to create.

📚 Documentation

Anatoly generated a complete documentation for this project during the audit.

Browse the documentation →

---

View full report

Generated by Anatoly — Deep Audit Agent for codebases

[calibrae]

Thanks for the audit! Fixed everything actionable across two commits. Here's the full list:

Round 1 (dcab9b5)

#	File	Fix
2,3	rustguard-core/src/cookie.rs	no_std process_reply now sets received; atomic counter for timestamps
4,5	rustguard-cli/src/main.rs	--token/--pool/--xdp reject empty values
7	rustguard-enroll/src/pool.rs	contains() guards prefix_len=0 shift overflow
9	rustguard-crypto/src/aead.rs	open_to checks ct_len > buf.len(); seal_to asserts buffer size
10	rustguard-crypto/src/aead.rs	MAX_PACKET_SIZE comment fixed (1500, not 1420)
12	rustguard-crypto/src/blake2s.rs	Doc comment clarifying callers truncate to 16 for MAC1/MAC2
14	rustguard-crypto/src/tai64n.rs	from_unix clamps nanos to 999,999,999

Round 2 (1aa25ad)

Critical

File	Fix
rustguard-core/src/replay.rs	shift_window had inverted bit direction AND iteration order — anti-replay was broken. Fixed to low→high iteration with correct left-shift and carry propagation
rustguard-tun/src/xdp.rs	tx_send OOB write into adjacent UMEM frames (added frame_size bounds check); Drop leaked 4 ring mmap regions (now stored and munmapped); create_inner discarded setsockopt return values (now checked)
rustguard-enroll/src/server.rs	decrypt_buf fixed at 2048 bytes but ct unbounded — panics on large XDP frames (now sized dynamically with 64K cap); TAI64N timestamp discarded via _ts allowing handshake replay (now stored and checked per peer)
rustguard-core/src/handshake.rs	process_response never verified MAC1 — attacker could force two DH scalar multiplications per crafted packet (MAC1 check added before any DH ops)

High

File	Fix
rustguard-tun/src/linux.rs	IfreqAddr was 32 bytes, kernel reads 40 — stack OOB read on every ioctl. Added 8-byte padding
rustguard-tun/src/linux_mq.rs	Same IfreqAddr padding fix; also fixed fd leak when open_tun_queue fails mid-loop (now closes all accumulated fds)
rustguard-tun/src/macos.rs	IfreqMtu was 20 bytes, kernel reads 32 — added 12-byte padding. Also fixed errno clobbering (close(sock) called before error check in configure_address and set_mtu)
rustguard-tun/src/bpf_loader.rs	xsks_map_fd leaked on partial failure in load_and_attach; netlink error guard checked n >= 16 but read resp[16..20] (fixed to n >= 20); errno clobbered by close() before last_os_error()
rustguard-enroll/src/packet.rs	parse_ipv4_udp never validated IHL >= 20 — bogus IHL caused UDP ports to be read from inside IP header

Medium

File	Fix
rustguard-daemon/src/config.rs	[Peer] section not flushed on next [Interface] (data silently dropped); IPv6 addresses got /24 default instead of /64; parse_cidr accepted prefix_len > 32 for IPv4 / > 128 for IPv6
rustguard-daemon/src/tunnel.rs	MSG_RESPONSE matched first peer without active session instead of originating peer (now looks up by stored peer index); sigprocmask(SIG_BLOCK) called inside spawned thread instead of main thread
rustguard-cli/src/main.rs	--token/--pool/--xdp accepted other flags as values (e.g. --token --open). Now also rejects values starting with --
rustguard-enroll/src/client.rs	add_route failed to compile on non-Linux/macOS — added fallback cfg branch
rustguard-enroll/src/control.rs	Single-threaded listener blocked by stalled client. Added 5s read timeout + thread-per-connection
rustguard-tun/src/uring.rs	BufferPool::slot_ptr cast *const u8 → *mut u8 violating aliasing rules (now uses UnsafeCell); pending_reads -= 1 underflow (now saturating_sub); completed slots not freed before fill_reads causing read starvation
rustguard-tun/src/lib.rs	Drop called close() unconditionally on potentially invalid fd (added fd >= 0 guard); raw_fd ownership semantics documented
rustguard-crypto/src/tai64n.rs	from_unix unchecked addition overflows (now saturating_add); from_bytes accepted nanos > 999,999,999 breaking ordering invariant (now clamped)
rustguard-core/src/cookie.rs	no_std fill_random produced constant zero nonce — XChaCha20-Poly1305 keystream reuse. Now uses atomic counter with position-based mixing
rustguard-core/src/timers.rs	no_std elapsed_since returned Duration::ZERO disabling all timer logic (now uses counter-based duration); needs_keepalive failed when last_sent was None; REKEY_TIMEOUT doc comment was misleading

Not fixed

• kmod findings — kernel module has its own build system and constraints, addressing separately
• tun_echo.rs — example code, not production
• Documentation/test coverage — valid but out of scope for a correctness pass