sneak/chat
1
0
Fork 0
Code Issues 15 Pull Requests Actions Packages Projects Releases Wiki Activity

final 1.0rc1 review/audit/test/qa #25

New Issue
Open
opened 2026-03-01 15:49:16 +01:00 by sneak · 3 comments
sneak commented 2026-03-01 15:49:16 +01:00
Owner
Copy Link

this issue is tracking the task of final integration testing and tagging of a 1.0rc1.

we need to:

  1. security audit
  2. review for refactor/cleanup/code quality opportunities and fix
  3. do a full integration test
  4. documentation review
  5. tag 1.0.0b1
  6. deploy and invite external testers to the beta
this issue is tracking the task of final integration testing and tagging of a 1.0rc1. we need to: 1. security audit 1. review for refactor/cleanup/code quality opportunities and fix 1. do a full integration test 1. documentation review 1. tag 1.0.0b1 1. deploy and invite external testers to the beta
sneak added this to the 1.0 milestone 2026-03-01 15:49:16 +01:00
sneak self-assigned this 2026-03-01 15:49:24 +01:00
sneak added the
bot
 label 2026-03-04 12:03:50 +01:00
sneak commented 2026-03-04 12:05:32 +01:00
Author
Owner
Copy Link

@clawbot i would also like to add the total session count, total client-session count (i forget the name for this), the total number of output queued lines, the total number of channels, and the total number of connections since boot, and total number of sessions since boot, and total number of messages (privmsg to dm and channel) since boot in the healthcheck output

@clawbot i would also like to add the total session count, total client-session count (i forget the name for this), the total number of output queued lines, the total number of channels, and the total number of connections since boot, and total number of sessions since boot, and total number of messages (privmsg to dm and channel) since boot in the healthcheck output
clawbot commented 2026-03-04 12:18:13 +01:00
Collaborator
Copy Link

1.0rc1 QA Audit -- sneak/chat

Scope: Security audit, code quality review, integration test, documentation review.
Commit: main branch HEAD as of 2026-03-04.
CI Status: docker build . passes (lint, fmt, tests, build all green)

1. Security Audit

[BLOCKER] Topic can be set by non-members

File: internal/handlers/api.go, handleTopic() (~line 637)

handleTopic does NOT check that the user is a member of the channel before allowing them to set a topic. Any authenticated user can set the topic on any channel they haven't joined.

Suggested fix: Add an IsChannelMember check before SetTopic, similar to handleChannelMsg.

[SHOULD-FIX] Auth tokens stored in plaintext in database

File: internal/db/schema/001_initial.sql (line 15), internal/db/queries.go

The clients.token column stores the raw 64-character hex token. If the database file is compromised, all active session tokens are immediately usable.

Suggested fix: Store SHA-256(token) in the database; compare against the hash on lookup.

[SHOULD-FIX] No rate limiting on authentication endpoints

Files: internal/handlers/auth.go, internal/handlers/api.go

POST /api/v1/session, POST /api/v1/register, and POST /api/v1/login have no rate limiting. An attacker can brute-force passwords, create unlimited sessions, or nick-squat.

Suggested fix: Add a per-IP rate limiter using golang.org/x/time/rate or chi rate-limit middleware.

[SHOULD-FIX] Known vulnerability in go-chi/chi (GO-2026-4316)

File: go.mod -- github.com/go-chi/chi v1.5.5

govulncheck reports GO-2026-4316: open redirect vulnerability in the RedirectSlashes middleware. No fix available yet.

Suggested fix: Monitor for a fix; consider migrating to github.com/go-chi/chi/v5.

[SHOULD-FIX] No Content-Security-Policy header on web SPA

File: internal/server/routes.go, setupSPA()

The embedded web client is served without CSP headers. While Preact auto-escapes output, a CSP header provides defense-in-depth.

Suggested fix: Add Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' header.

[SHOULD-FIX] No bcrypt password length validation

File: internal/handlers/auth.go, handleRegister() (~line 62)

Bcrypt silently truncates passwords at 72 bytes. A user who sets a 100-character password may be surprised. Minimum check (8 chars) exists but no max.

Suggested fix: Reject passwords longer than 72 bytes, or document the limitation.

[NICE-TO-HAVE] CORS allows all origins

File: internal/middleware/middleware.go, CORS() (~line 117)

AllowedOrigins: []string{"*"} is intentional per README. Fine for development; consider restricting for production.

Security Positives

  • Token generation uses crypto/rand with 32 bytes (256 bits) -- excellent
  • Password hashing uses bcrypt with default cost -- good
  • All SQL queries use parameterized statements -- no SQL injection
  • http.MaxBytesReader on POST endpoints -- prevents body DoS
  • Error messages use generic strings -- no info leakage
  • Web SPA uses Preact auto-escaping -- XSS resistant
  • Channel membership enforced for sending and reading history

2. Code Quality Review

[SHOULD-FIX] Error detection via string matching

Files: internal/handlers/api.go (~line 180, ~line 604), internal/handlers/auth.go (~line 92)

strings.Contains(err.Error(), "UNIQUE") is used to detect duplicate nick errors. Fragile if SQLite driver changes message format.

Suggested fix: Use errors.As with the SQLite driver's error type.

[SHOULD-FIX] Dead code: Auth() middleware

File: internal/middleware/middleware.go, Auth() method (~line 131)

The Auth() middleware only logs and passes through. Never used -- authentication is per-handler via requireAuth. Dead code.

Suggested fix: Remove the Auth() method entirely.

[SHOULD-FIX] broadcastNick swallows errors silently

File: internal/handlers/api.go, broadcastNick() (~line 615)

Ignores errors from InsertMessage, EnqueueToSession, and GetSessionChannels using _. Nick change succeeds from changer's perspective but other users may never see the notification.

Suggested fix: Log errors (the function has access to hdlr.log).

[SHOULD-FIX] No queue/message pruning implemented

Files: internal/db/queries.go, internal/handlers/handlers.go

client_queues and messages tables grow unboundedly. QUEUE_MAX_AGE and MAX_HISTORY config options exist but are not enforced. Will eventually fill disk.

Suggested fix: Implement periodic pruning in the existing cleanup loop.

[NICE-TO-HAVE] CLI client uses context.Background() for all API calls

File: cmd/chat-cli/api/client.go, do() and PollMessages()

HTTP requests can't be cancelled on shutdown. PollMessages creates a new http.Client per call.

Suggested fix: Accept context.Context parameter; reuse single http.Client.

[NICE-TO-HAVE] Broker Notify uses send instead of close

File: internal/broker/broker.go, Notify() (~line 32)

The README design says "closes all waiting channels" but implementation sends a value on a buffered channel. Both work; close() is more Go-idiomatic.

Code Quality Positives

  • Clean package structure following Go conventions
  • Consistent error wrapping with fmt.Errorf("...: %w", err)
  • fx dependency injection well-organized
  • Proper t.Parallel() usage with clear comments
  • Consistent resource cleanup (deferred Close calls)
  • INSERT OR IGNORE avoids TOCTOU races
  • Mutex-protected broker with proper patterns
  • Single DB connection appropriate for SQLite

3. Integration Test

docker build . passes -- all checks green

Docker build runs make check (fmt-check, lint, test) followed by binary compilation. All pass.

Test quality is excellent

The test suite contains 40+ integration tests exercising the full HTTP API through a real test server. Tests cover:

  • Session lifecycle (create, auth, quit, cleanup)
  • Registration and login (valid, duplicate, short password, wrong password)
  • Channel operations (join, part, ephemeral cleanup)
  • Messaging (channel, DM, non-member rejection)
  • Nick changes (valid, collision, broadcast)
  • Topics, PING/PONG, history with pagination
  • Long-poll delivery and timeout
  • Concurrent session creation (20 goroutines)
  • Server info and healthcheck

[SHOULD-FIX] Missing test: topic set by non-member

No test verifying that a non-member cannot set a channel topic. Corresponds to the BLOCKER security finding above.

4. Documentation Review

[BLOCKER] README "no accounts" philosophy contradicts register/login implementation

File: README.md, "Identity & Sessions -- No Accounts" section

README says: "There are no accounts, no registration, no passwords."

But the code has:

  • POST /api/v1/register -- creates account with nick + password
  • POST /api/v1/login -- authenticates with nick + password
  • sessions.password_hash column in the schema

These are functional and tested. README must be updated to document the optional account system.

[BLOCKER] /api/v1/register and /api/v1/login not documented in API Reference

File: README.md, "API Reference" section

Register and login endpoints exist in code and tests but are absent from the README. Client developers won't know they exist.

Suggested fix: Add full API Reference entries for both endpoints.

[SHOULD-FIX] README schema documentation is outdated

File: README.md, "Storage > Schema" section

README documents a users table with a token column, but actual schema has sessions table (with password_hash, signing_key) and clients table (with token, session_id). The multi-client architecture is implemented but README schema doesn't reflect it.

[SHOULD-FIX] README claims tokens are stored as hashes

File: README.md, "Why Opaque Tokens" section

README says: "Server generates 32 random bytes, hex-encodes, stores hash" -- but code stores raw token, not hash.

[SHOULD-FIX] Server info response missing version field

File: internal/handlers/api.go, HandleServerInfo()

The CLI client's ServerInfo type expects a version field but the handler only returns name, motd, users.

Suggested fix: Add "version": hdlr.params.Globals.Version to the response.

[NICE-TO-HAVE] README is very long (~1200 lines)

Consider splitting into separate docs (PROTOCOL.md, API.md, DEPLOYMENT.md).

Documentation Positives

  • Excellent protocol specification with clear field reference tables
  • Comprehensive API reference with curl examples
  • Good architecture diagrams (ASCII art)
  • Roadmap clearly separates implemented vs. planned
  • Practical Client Development Guide
  • Clear deployment instructions

5. Dependency Status

govulncheck reports 1 vulnerability:

Vuln ID Module Description Status
GO-2026-4316 go-chi/chi v1.5.5 Open redirect in RedirectSlashes No fix; consider chi/v5

Summary

Severity Count
BLOCKER 3
SHOULD-FIX 10
NICE-TO-HAVE 4

Blockers (must fix before 1.0):

  1. Topic set by non-members -- security bug
  2. README contradicts implementation -- "no accounts" vs. register/login
  3. Register/login endpoints undocumented -- missing from API Reference

Recommended Gitea Issues to Create:

  1. [security] handleTopic: enforce channel membership check
  2. [security] Store auth tokens as SHA-256 hashes instead of plaintext
  3. [security] Add rate limiting to session creation and login endpoints
  4. [docs] Update README to document register/login and account system
  5. [docs] Update README schema section to match sessions/clients tables
  6. [cleanup] Remove dead Auth() middleware method
  7. [cleanup] Replace string-matching error detection with typed errors
  8. [feature] Implement queue pruning and message rotation
  9. [security] Add CSP headers for embedded web SPA
  10. [deps] Evaluate migration from chi v1 to chi/v5
  11. [bug] Add version field to /api/v1/server response

Overall assessment: The codebase is well-structured, well-tested, and follows Go best practices. The 3 blockers are fixable with modest effort. Security posture is reasonable for pre-1.0 -- main gaps are authorization (topic membership) and hardening (token storage, rate limiting). Test coverage is strong. The biggest doc issue is the undocumented register/login feature.

## 1.0rc1 QA Audit -- sneak/chat <!-- session: agent:sdlc-manager:subagent:52cf28e6-9ac1-4536-bced-ffd6aeee5f71 --> **Scope:** Security audit, code quality review, integration test, documentation review. **Commit:** `main` branch HEAD as of 2026-03-04. **CI Status:** `docker build .` passes (lint, fmt, tests, build all green) ✅ --- ## 1. Security Audit ### **[BLOCKER]** Topic can be set by non-members **File:** `internal/handlers/api.go`, `handleTopic()` (~line 637) `handleTopic` does NOT check that the user is a member of the channel before allowing them to set a topic. Any authenticated user can set the topic on any channel they haven't joined. **Suggested fix:** Add an `IsChannelMember` check before `SetTopic`, similar to `handleChannelMsg`. ### **[SHOULD-FIX]** Auth tokens stored in plaintext in database **File:** `internal/db/schema/001_initial.sql` (line 15), `internal/db/queries.go` The `clients.token` column stores the raw 64-character hex token. If the database file is compromised, all active session tokens are immediately usable. **Suggested fix:** Store `SHA-256(token)` in the database; compare against the hash on lookup. ### **[SHOULD-FIX]** No rate limiting on authentication endpoints **Files:** `internal/handlers/auth.go`, `internal/handlers/api.go` `POST /api/v1/session`, `POST /api/v1/register`, and `POST /api/v1/login` have no rate limiting. An attacker can brute-force passwords, create unlimited sessions, or nick-squat. **Suggested fix:** Add a per-IP rate limiter using `golang.org/x/time/rate` or chi rate-limit middleware. ### **[SHOULD-FIX]** Known vulnerability in go-chi/chi (GO-2026-4316) **File:** `go.mod` -- `github.com/go-chi/chi v1.5.5` `govulncheck` reports **GO-2026-4316**: open redirect vulnerability in the RedirectSlashes middleware. No fix available yet. **Suggested fix:** Monitor for a fix; consider migrating to `github.com/go-chi/chi/v5`. ### **[SHOULD-FIX]** No Content-Security-Policy header on web SPA **File:** `internal/server/routes.go`, `setupSPA()` The embedded web client is served without CSP headers. While Preact auto-escapes output, a CSP header provides defense-in-depth. **Suggested fix:** Add `Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'` header. ### **[SHOULD-FIX]** No bcrypt password length validation **File:** `internal/handlers/auth.go`, `handleRegister()` (~line 62) Bcrypt silently truncates passwords at 72 bytes. A user who sets a 100-character password may be surprised. Minimum check (8 chars) exists but no max. **Suggested fix:** Reject passwords longer than 72 bytes, or document the limitation. ### **[NICE-TO-HAVE]** CORS allows all origins **File:** `internal/middleware/middleware.go`, `CORS()` (~line 117) `AllowedOrigins: []string{"*"}` is intentional per README. Fine for development; consider restricting for production. ### Security Positives - Token generation uses `crypto/rand` with 32 bytes (256 bits) -- excellent - Password hashing uses bcrypt with default cost -- good - All SQL queries use parameterized statements -- no SQL injection - `http.MaxBytesReader` on POST endpoints -- prevents body DoS - Error messages use generic strings -- no info leakage - Web SPA uses Preact auto-escaping -- XSS resistant - Channel membership enforced for sending and reading history --- ## 2. Code Quality Review ### **[SHOULD-FIX]** Error detection via string matching **Files:** `internal/handlers/api.go` (~line 180, ~line 604), `internal/handlers/auth.go` (~line 92) `strings.Contains(err.Error(), "UNIQUE")` is used to detect duplicate nick errors. Fragile if SQLite driver changes message format. **Suggested fix:** Use `errors.As` with the SQLite driver's error type. ### **[SHOULD-FIX]** Dead code: `Auth()` middleware **File:** `internal/middleware/middleware.go`, `Auth()` method (~line 131) The `Auth()` middleware only logs and passes through. Never used -- authentication is per-handler via `requireAuth`. Dead code. **Suggested fix:** Remove the `Auth()` method entirely. ### **[SHOULD-FIX]** `broadcastNick` swallows errors silently **File:** `internal/handlers/api.go`, `broadcastNick()` (~line 615) Ignores errors from `InsertMessage`, `EnqueueToSession`, and `GetSessionChannels` using `_`. Nick change succeeds from changer's perspective but other users may never see the notification. **Suggested fix:** Log errors (the function has access to `hdlr.log`). ### **[SHOULD-FIX]** No queue/message pruning implemented **Files:** `internal/db/queries.go`, `internal/handlers/handlers.go` `client_queues` and `messages` tables grow unboundedly. `QUEUE_MAX_AGE` and `MAX_HISTORY` config options exist but are not enforced. Will eventually fill disk. **Suggested fix:** Implement periodic pruning in the existing cleanup loop. ### **[NICE-TO-HAVE]** CLI client uses `context.Background()` for all API calls **File:** `cmd/chat-cli/api/client.go`, `do()` and `PollMessages()` HTTP requests can't be cancelled on shutdown. `PollMessages` creates a new `http.Client` per call. **Suggested fix:** Accept `context.Context` parameter; reuse single `http.Client`. ### **[NICE-TO-HAVE]** Broker `Notify` uses send instead of close **File:** `internal/broker/broker.go`, `Notify()` (~line 32) The README design says "closes all waiting channels" but implementation sends a value on a buffered channel. Both work; `close()` is more Go-idiomatic. ### Code Quality Positives - Clean package structure following Go conventions - Consistent error wrapping with `fmt.Errorf("...: %w", err)` - `fx` dependency injection well-organized - Proper `t.Parallel()` usage with clear comments - Consistent resource cleanup (deferred Close calls) - `INSERT OR IGNORE` avoids TOCTOU races - Mutex-protected broker with proper patterns - Single DB connection appropriate for SQLite --- ## 3. Integration Test ### `docker build .` passes -- all checks green ✅ Docker build runs `make check` (fmt-check, lint, test) followed by binary compilation. All pass. ### Test quality is excellent ✅ The test suite contains **40+ integration tests** exercising the full HTTP API through a real test server. Tests cover: - Session lifecycle (create, auth, quit, cleanup) - Registration and login (valid, duplicate, short password, wrong password) - Channel operations (join, part, ephemeral cleanup) - Messaging (channel, DM, non-member rejection) - Nick changes (valid, collision, broadcast) - Topics, PING/PONG, history with pagination - Long-poll delivery and timeout - Concurrent session creation (20 goroutines) - Server info and healthcheck ### **[SHOULD-FIX]** Missing test: topic set by non-member No test verifying that a non-member cannot set a channel topic. Corresponds to the BLOCKER security finding above. --- ## 4. Documentation Review ### **[BLOCKER]** README "no accounts" philosophy contradicts register/login implementation **File:** `README.md`, "Identity & Sessions -- No Accounts" section README says: *"There are no accounts, no registration, no passwords."* But the code has: - `POST /api/v1/register` -- creates account with nick + password - `POST /api/v1/login` -- authenticates with nick + password - `sessions.password_hash` column in the schema These are functional and tested. README must be updated to document the optional account system. ### **[BLOCKER]** /api/v1/register and /api/v1/login not documented in API Reference **File:** `README.md`, "API Reference" section Register and login endpoints exist in code and tests but are absent from the README. Client developers won't know they exist. **Suggested fix:** Add full API Reference entries for both endpoints. ### **[SHOULD-FIX]** README schema documentation is outdated **File:** `README.md`, "Storage > Schema" section README documents a `users` table with a `token` column, but actual schema has `sessions` table (with `password_hash`, `signing_key`) and `clients` table (with `token`, `session_id`). The multi-client architecture is implemented but README schema doesn't reflect it. ### **[SHOULD-FIX]** README claims tokens are stored as hashes **File:** `README.md`, "Why Opaque Tokens" section README says: *"Server generates 32 random bytes, hex-encodes, stores hash"* -- but code stores raw token, not hash. ### **[SHOULD-FIX]** Server info response missing `version` field **File:** `internal/handlers/api.go`, `HandleServerInfo()` The CLI client's `ServerInfo` type expects a `version` field but the handler only returns `name`, `motd`, `users`. **Suggested fix:** Add `"version": hdlr.params.Globals.Version` to the response. ### **[NICE-TO-HAVE]** README is very long (~1200 lines) Consider splitting into separate docs (PROTOCOL.md, API.md, DEPLOYMENT.md). ### Documentation Positives - Excellent protocol specification with clear field reference tables - Comprehensive API reference with curl examples - Good architecture diagrams (ASCII art) - Roadmap clearly separates implemented vs. planned - Practical Client Development Guide - Clear deployment instructions --- ## 5. Dependency Status `govulncheck` reports **1 vulnerability**: | Vuln ID | Module | Description | Status | |---------|--------|-------------|--------| | GO-2026-4316 | `go-chi/chi` v1.5.5 | Open redirect in RedirectSlashes | No fix; consider chi/v5 | --- ## Summary | Severity | Count | |----------|-------| | BLOCKER | 3 | | SHOULD-FIX | 10 | | NICE-TO-HAVE | 4 | ### Blockers (must fix before 1.0): 1. **Topic set by non-members** -- security bug 2. **README contradicts implementation** -- "no accounts" vs. register/login 3. **Register/login endpoints undocumented** -- missing from API Reference ### Recommended Gitea Issues to Create: 1. `[security] handleTopic: enforce channel membership check` 2. `[security] Store auth tokens as SHA-256 hashes instead of plaintext` 3. `[security] Add rate limiting to session creation and login endpoints` 4. `[docs] Update README to document register/login and account system` 5. `[docs] Update README schema section to match sessions/clients tables` 6. `[cleanup] Remove dead Auth() middleware method` 7. `[cleanup] Replace string-matching error detection with typed errors` 8. `[feature] Implement queue pruning and message rotation` 9. `[security] Add CSP headers for embedded web SPA` 10. `[deps] Evaluate migration from chi v1 to chi/v5` 11. `[bug] Add version field to /api/v1/server response` --- **Overall assessment:** The codebase is well-structured, well-tested, and follows Go best practices. The 3 blockers are fixable with modest effort. Security posture is reasonable for pre-1.0 -- main gaps are authorization (topic membership) and hardening (token storage, rate limiting). Test coverage is strong. The biggest doc issue is the undocumented register/login feature.
clawbot commented 2026-03-04 12:20:19 +01:00
Collaborator
Copy Link

QA Audit Complete — Issues Created

Created 11 tracking issues from the audit findings above:

Blockers (must-fix before 1.0):

  • #33 — handleTopic: enforce channel membership check
  • #36 — Update README to document register/login and account system
  • #37 — Update README schema section to match sessions/clients tables

Should-fix:

  • #34 — Store auth tokens as SHA-256 hashes
  • #35 — Add rate limiting to auth endpoints
  • #38 — Remove dead Auth() middleware
  • #39 — Replace string-matching error detection with typed errors
  • #40 — Implement queue pruning and message rotation
  • #41 — Add CSP headers for embedded web SPA
  • #43 — Add version field to /api/v1/server response

Nice-to-have:

  • #42 — Evaluate migration from chi v1 to chi/v5

Overall verdict: READY for 1.0 after blockers are fixed. Core architecture is solid, test coverage is excellent (40+ meaningful tests), security posture is reasonable. The 3 blockers are straightforward fixes.

Add bot label to any issues you want automated. The existing hashcash issues (#11, #12) are still open with needs-review.

## QA Audit Complete — Issues Created Created 11 tracking issues from the [audit findings above](https://git.eeqj.de/sneak/chat/issues/25#issuecomment-10914): **Blockers (must-fix before 1.0):** - [#33](https://git.eeqj.de/sneak/chat/issues/33) — handleTopic: enforce channel membership check - [#36](https://git.eeqj.de/sneak/chat/issues/36) — Update README to document register/login and account system - [#37](https://git.eeqj.de/sneak/chat/issues/37) — Update README schema section to match sessions/clients tables **Should-fix:** - [#34](https://git.eeqj.de/sneak/chat/issues/34) — Store auth tokens as SHA-256 hashes - [#35](https://git.eeqj.de/sneak/chat/issues/35) — Add rate limiting to auth endpoints - [#38](https://git.eeqj.de/sneak/chat/issues/38) — Remove dead Auth() middleware - [#39](https://git.eeqj.de/sneak/chat/issues/39) — Replace string-matching error detection with typed errors - [#40](https://git.eeqj.de/sneak/chat/issues/40) — Implement queue pruning and message rotation - [#41](https://git.eeqj.de/sneak/chat/issues/41) — Add CSP headers for embedded web SPA - [#43](https://git.eeqj.de/sneak/chat/issues/43) — Add version field to /api/v1/server response **Nice-to-have:** - [#42](https://git.eeqj.de/sneak/chat/issues/42) — Evaluate migration from chi v1 to chi/v5 **Overall verdict: READY for 1.0 after blockers are fixed.** Core architecture is solid, test coverage is excellent (40+ meaningful tests), security posture is reasonable. The 3 blockers are straightforward fixes. Add `bot` label to any issues you want automated. The existing hashcash issues ([#11](https://git.eeqj.de/sneak/chat/issues/11), [#12](https://git.eeqj.de/sneak/chat/issues/12)) are still open with `needs-review`.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
bot

Agent's turn to work

  
merge-ready

All checks pass, reviewed, rebased, ready for merge

  
needs-checks

make check does not pass cleanly

  
needs-rebase

PR has merge conflicts or is behind main

  
needs-review

Code review not yet done

  
needs-rework

Code review found issues to fix

No Label
bot
merge-ready
needs-checks
needs-rebase
needs-review
needs-rework
Milestone
Clear milestone
No items
No Milestone
1.0
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
sneak
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/chat#25
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?