[Audit-Medium] both components classify any OperationCanceledExceptio… #4434

@pepone

AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.

Medium: both components classify any OperationCanceledException as a canceled request, even when unrelated to the caller token — CONFIRMED

Affected code:

Verification:

Confirmed. The catch has no when filter on exception.CancellationToken. Any internal layer that throws OperationCanceledException bearing a different token — deadline timeout with its own CTS, transport abort, retry interceptor's linked source — increments canceled-requests instead of failed-requests.

Impact:

  • Real failures disappear into canceled-requests.
  • Cancellation metrics become ambiguous — operators cannot distinguish "caller aborted" from "something timed out internally" or "something inside the pipeline faulted with OCE".

Recommendation:

  • Tighten to catch (OperationCanceledException exception) when (exception.CancellationToken == cancellationToken). Let other OperationCanceledException instances fall through to the general failure handler.
  • Add regression tests with an OperationCanceledException carrying a token other than the invocation/dispatch token and assert it increments failed-requests, not canceled-requests.

Status: Valid, Medium severity.


Source report: src-IceRpc.Metrics-audit-2026-04-14.md (finding both components classify any OperationCanceledException as a canceled request, even when unrelated to the caller token — CONFIRMED)

Severity (auditor-assigned): Medium
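
Added example, not part of the issue and not IceRpc's code: a minimal C# program contrasting the unfiltered catch with the `when (exception.CancellationToken == cancellationToken)` form from the recommendation. It classifies an internal deadline that fires while the caller's token is untouched, then a genuine caller abort. All type and method names (`Outcome`, `ClassifyUnfilteredAsync`, `ClassifyFilteredAsync`, `InternalDeadlineAsync`, `CallerAbortedAsync`) are hypothetical stand-ins for the metrics components and the layers beneath them.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

static class CancellationClassificationDemo
{
    // Hypothetical stand-in for the canceled-requests / failed-requests counters.
    enum Outcome { Succeeded, Canceled, Failed }

    // Pattern described in the finding: any OperationCanceledException counts as canceled.
    static async Task<Outcome> ClassifyUnfilteredAsync(
        Func<CancellationToken, Task> next, CancellationToken cancellationToken)
    {
        try { await next(cancellationToken); return Outcome.Succeeded; }
        catch (OperationCanceledException) { return Outcome.Canceled; }
        catch (Exception) { return Outcome.Failed; }
    }

    // Recommended pattern: only an exception bearing the caller's token counts as canceled.
    static async Task<Outcome> ClassifyFilteredAsync(
        Func<CancellationToken, Task> next, CancellationToken cancellationToken)
    {
        try { await next(cancellationToken); return Outcome.Succeeded; }
        catch (OperationCanceledException exception)
            when (exception.CancellationToken == cancellationToken) { return Outcome.Canceled; }
        catch (Exception) { return Outcome.Failed; }
    }

    // Constructed inner layer: a private deadline source (already expired here) cancels
    // the work, so the exception carries the deadline token, not the caller's.
    static async Task InternalDeadlineAsync(CancellationToken callerToken)
    {
        using var deadline = new CancellationTokenSource();
        deadline.Cancel();
        await Task.Yield();
        deadline.Token.ThrowIfCancellationRequested();
    }

    // Constructed inner layer: observes the caller's own token.
    static async Task CallerAbortedAsync(CancellationToken callerToken)
    {
        await Task.Yield();
        callerToken.ThrowIfCancellationRequested();
    }

    static async Task Main()
    {
        using var caller = new CancellationTokenSource();
        // Internal deadline fires; the caller never cancelled.
        Console.WriteLine($"unfiltered, internal deadline: {await ClassifyUnfilteredAsync(InternalDeadlineAsync, caller.Token)}");
        Console.WriteLine($"filtered, internal deadline:   {await ClassifyFilteredAsync(InternalDeadlineAsync, caller.Token)}");
        caller.Cancel(); // now the caller really aborts
        Console.WriteLine($"filtered, caller aborted:      {await ClassifyFilteredAsync(CallerAbortedAsync, caller.Token)}");
    }
}
```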

Labels: ai-audit (AI-generated audit finding — needs human triage)
