hjess/fil
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Nomad changes
All checks were successful
Deploy fil (kreuzberg) / deploy (push) Successful in 49s
Details

Browse Source
This commit is contained in:
Henrik Jess Nielsen
2026-06-01 23:40:55 +02:00
parent 72b1a0a6ed
commit b4c07d3693
5723 changed files with 1130655 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

418
audit-notes/csharp.md Normal file
View File

@@ -0,0 +1,418 @@
# C# Binding Audit — Security & FFI Correctness
**Audit Date:** 2026-05-30
**Status:** 100/100 e2e green (current)
**Scope:** `packages/csharp/`, `e2e/csharp/`
---
## Critical Issues Found
### 1. GCHandle Leak in Exception Paths (HIGH)
**File:** `packages/csharp/src/Kreuzberg/KreuzbergLib.cs`
**Functions affected:**
- `ExtractBytesAsync` (line 53)
- `ExtractBytesSync` (line ~212)
- `DetectMimeTypeFromBytes` (line ~432)
**Problem:**
```csharp
var contentHandle = GCHandle.Alloc(content, GCHandleType.Pinned);
var configHandle = NativeMethods.ExtractionConfigFromJson(configJson);
if (configHandle == IntPtr.Zero) {
var ec = NativeMethods.LastErrorCode();
var ctxPtr = NativeMethods.LastErrorContext();
var msg = global::System.Runtime.InteropServices.Marshal.PtrToStringUTF8(ctxPtr) ?? "...";
throw new KreuzbergException(ec, msg); // <-- LEAK: contentHandle.Free() never called
}
```
When `ExtractionConfigFromJson` fails, the exception is thrown before `contentHandle.Free()` at line 227. The GCHandle lease to the byte array is never released, pinning the buffer indefinitely. Over time, this leaks pinned heap memory.
**Impact:** Memory leak on all config JSON parse errors; buffer is pinned for lifetime of process.
**Fix:** Use try-finally or throw cleanup:
```csharp
var contentHandle = GCHandle.Alloc(content, GCHandleType.Pinned);
try {
var configHandle = NativeMethods.ExtractionConfigFromJson(configJson);
if (configHandle == IntPtr.Zero) {
var ec = NativeMethods.LastErrorCode();
var ctxPtr = NativeMethods.LastErrorContext();
var msg = global::System.Runtime.InteropServices.Marshal.PtrToStringUTF8(ctxPtr)
?? "ExtractionConfigFromJson failed";
throw new KreuzbergException(ec, msg);
}
// ... rest of function
} finally {
contentHandle.Free();
}
```
---
### 2. HGlobal Leak in Exception Paths (HIGH)
**File:** `packages/csharp/src/Kreuzberg/KreuzbergLib.cs`
**Functions affected:**
- `BatchExtractFilesSync` (line ~242-264)
- `BatchExtractBytesSync` (line ~281-305)
- `BatchExtractFilesAsync` (line ~331-360)
- `BatchExtractBytesAsync` (line ~382-411)
**Problem:**
```csharp
var itemsJson = JsonSerializer.Serialize(items, JsonSerializationOptions);
var itemsHandle = global::System.Runtime.InteropServices.Marshal.StringToHGlobalAnsi(itemsJson);
var configJson = JsonSerializer.Serialize((config ?? new ExtractionConfig()), JsonSerializationOptions);
var configHandle = NativeMethods.ExtractionConfigFromJson(configJson);
if (configHandle == IntPtr.Zero) {
var ec = NativeMethods.LastErrorCode();
var ctxPtr = NativeMethods.LastErrorContext();
var msg = global::System.Runtime.InteropServices.Marshal.PtrToStringUTF8(ctxPtr) ?? "...";
throw new KreuzbergException(ec, msg); // <-- LEAK: itemsHandle never freed
}
// ... later ...
global::System.Runtime.InteropServices.Marshal.FreeHGlobal(itemsHandle); // line 264
```
When `ExtractionConfigFromJson` fails, `itemsHandle` (allocated via `StringToHGlobalAnsi`) is never freed. It leaks unmanaged memory.
**Impact:** Unmanaged heap leak (C library malloc) on all batch config JSON parse errors.
**Fix:** Use try-finally:
```csharp
var itemsHandle = Marshal.StringToHGlobalAnsi(itemsJson);
try {
var configHandle = NativeMethods.ExtractionConfigFromJson(configJson);
if (configHandle == IntPtr.Zero) {
// throw
}
// ...
} finally {
Marshal.FreeHGlobal(itemsHandle);
}
```
---
### 3. ConfigHandle Leak in Exception Paths (MEDIUM)
**File:** `packages/csharp/src/Kreuzberg/KreuzbergLib.cs`
**Functions affected:** All extraction functions (ExtractBytesAsync, ExtractFileAsync, etc.)
**Problem:**
```csharp
var configHandle = NativeMethods.ExtractionConfigFromJson(configJson);
if (configHandle == IntPtr.Zero) {
throw new KreuzbergException(ec, msg); // <-- EXIT
}
var nativeResult = NativeMethods.ExtractBytes(..., configHandle);
if (nativeResult == IntPtr.Zero) {
throw GetLastError(); // <-- LEAK: configHandle never freed
}
// ... later ...
NativeMethods.ExtractionConfigFree(configHandle); // line 81 (never reached)
```
If `ExtractBytes` returns null, the exception is thrown before `ExtractionConfigFree`. The Rust-allocated config handle leaks.
**Impact:** Rust-side config struct leak on all extraction errors.
**Fix:** Use try-finally around all Rust handles:
```csharp
var configHandle = NativeMethods.ExtractionConfigFromJson(configJson);
if (configHandle == IntPtr.Zero) throw new KreuzbergException(...);
try {
var nativeResult = NativeMethods.ExtractBytes(..., configHandle);
if (nativeResult == IntPtr.Zero) throw GetLastError();
var jsonPtr = NativeMethods.ExtractionResultToJson(nativeResult);
var json = Marshal.PtrToStringUTF8(jsonPtr);
Marshal.FreeString(jsonPtr);
NativeMethods.ExtractionResultFree(nativeResult);
var returnValue = JsonSerializer.Deserialize<ExtractionResult>(json, JsonOptions)!;
return returnValue;
} finally {
NativeMethods.ExtractionConfigFree(configHandle);
}
```
---
### 4. No SafeHandle Wrappers for Rust Handles (MEDIUM)
**Issue:** All P/Invoke free functions operate on bare IntPtr with no type safety or automatic cleanup.
**Functions affected:**
- All `*Free` functions in `NativeMethods.cs` (DocumentExtractorFree, ExtractionResultFree, etc.)
**Problem:** IntPtr offers no deterministic cleanup guarantee. If an exception occurs between allocation and deallocation, the handle leaks. No compile-time enforcement that paired _new() and _free() calls exist.
**Example:**
```csharp
// No type safety — developer must manually pair calls
var handle = NativeMethods.DocumentExtractorFree(someIntPtr); // Could be called on wrong handle type
NativeMethods.DocumentExtractorFree(handle); // Forgotten
```
**Fix:** Create SafeHandle subclasses for each opaque type:
```csharp
internal sealed class ExtractionConfigHandle : SafeHandle {
public override bool IsInvalid => handle == IntPtr.Zero;
public ExtractionConfigHandle() : base(IntPtr.Zero, true) { }
protected override bool ReleaseHandle() {
if (!IsInvalid) {
NativeMethods.ExtractionConfigFree(handle);
}
return true;
}
}
```
Then use `using` statements:
```csharp
using var configHandle = new ExtractionConfigHandle { handle = NativeMethods.ExtractionConfigFromJson(configJson) };
if (configHandle.IsInvalid) throw new KreuzbergException(...);
```
**Benefit:** Automatic cleanup on exception; no manual try-finally needed.
---
### 5. Bool Marshalling ABI Mismatch (MEDIUM)
**File:** `packages/csharp/src/Kreuzberg/NativeMethods.cs`
**Lines:** 343, 498, etc.
**Problem:**
```csharp
[DllImport(LibName, CallingConvention = CallingConvention.Cdecl,
EntryPoint = "kreuzberg_detect_mime_type")]
internal static extern IntPtr DetectMimeType(
[MarshalAs(UnmanagedType.LPStr)] string path,
[MarshalAs(UnmanagedType.U1)] bool checkExists // <-- U1 = byte (8-bit)
);
```
The C ABI for bool on Windows is 32-bit (BOOL = i32), but on Unix/macOS it's 8-bit. `MarshalAs(UnmanagedType.U1)` marshals as byte (8-bit), which is **incorrect on Windows**. The 24 high bits are garbage.
**Fix:** Use explicit int or check C header ABI:
```csharp
[MarshalAs(UnmanagedType.I4)] int checkExists // i32 on all platforms
// OR
[MarshalAs(UnmanagedType.Bool)] bool checkExists // C99 _Bool / stdbool.h
```
Check the C FFI header to see what type is actually used in the Rust signature.
---
### 6. Missing Error Validation on JSON Conversions (MEDIUM)
**File:** `packages/csharp/src/Kreuzberg/KreuzbergLib.cs`
**Example:** Line 441, 466, 485, etc.
**Problem:**
```csharp
var returnValue = global::System.Runtime.InteropServices.Marshal.PtrToStringUTF8(nativeResult) ?? string.Empty;
NativeMethods.FreeString(nativeResult);
```
If the Rust function returns a JSON string with embedded null bytes or invalid UTF-8, `PtrToStringUTF8` silently truncates or throws. No validation that the FFI contract is upheld.
**Fix:** Validate before deserialization:
```csharp
var jsonPtr = NativeMethods.ExtractionResultToJson(nativeResult);
if (jsonPtr == IntPtr.Zero) throw new KreuzbergException(-1, "Conversion to JSON failed");
var json = Marshal.PtrToStringUTF8(jsonPtr);
if (json == null) throw new KreuzbergException(-1, "JSON string is null or contains invalid UTF-8");
NativeMethods.FreeString(jsonPtr);
try {
return JsonSerializer.Deserialize<ExtractionResult>(json, JsonOptions)!;
} catch (JsonException ex) {
throw new SerializationException($"Failed to deserialize: {ex.Message}", ex);
}
```
---
### 7. No Native AOT Compatibility Check (MEDIUM)
**File:** `packages/csharp/Kreuzberg/Kreuzberg.csproj`
**Problem:** The project lacks Native AOT support declaration:
- No `<PublishAot>true</PublishAot>` in csproj
- No AOT-trimming metadata (`[DynamicDependency]`)
- `JsonSerializer.Serialize/Deserialize` uses reflection (not source-generated)
- No `<JsonSourceGenerationOptions>` for trimming
**Impact:** Project cannot be published with `dotnet publish -c Release -r win-x64 --self-contained /p:PublishAot=true`. Reflection-based JSON serialization will fail at runtime in AOT mode.
**Fix:**
```xml
<PropertyGroup>
<PublishAot>true</PublishAot>
<TrimMode>full</TrimMode>
<InvariantGlobalization>false</InvariantGlobalization>
</PropertyGroup>
```
And add source-generated JSON context:
```csharp
[JsonSerializable(typeof(ExtractionResult))]
[JsonSerializable(typeof(ExtractionConfig))]
internal partial class KreuzbergJsonContext : JsonSerializerContext { }
```
Use in KreuzbergLib:
```csharp
JsonSerializer.Serialize(config, KreuzbergJsonContext.Default.ExtractionConfig)
```
---
### 8. No Analyzer Configuration (MEDIUM)
**File:** `packages/csharp/Kreuzberg/Kreuzberg.csproj`
**Problem:** No `<TreatWarningsAsErrors>true</TreatWarningsAsErrors>`. Missing Roslyn analyzers configuration.
**Impact:** Binding can have warnings at compile time; users may ignore them. No enforcement of code quality.
**Fix:**
```xml
<PropertyGroup>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<WarningsNotAsErrors></WarningsNotAsErrors>
<NoWarn></NoWarn>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="9.0.0" />
</ItemGroup>
```
---
### 9. Inconsistent Error Message Retrieval (LOW)
**File:** `packages/csharp/src/Kreuzberg/KreuzbergLib.cs`
**Lines:** ~209, 250, 289, etc.
**Problem:** Error context pointer is not validated before use:
```csharp
var ctxPtr = NativeMethods.LastErrorContext();
var msg = global::System.Runtime.InteropServices.Marshal.PtrToStringUTF8(ctxPtr) ?? "ExtractionConfigFromJson failed";
```
If `ctxPtr` is invalid (non-null but not a valid UTF-8 string), `PtrToStringUTF8` can throw or read past buffer.
**Fix:** Always validate:
```csharp
var ctxPtr = NativeMethods.LastErrorContext();
var msg = ctxPtr != IntPtr.Zero
? Marshal.PtrToStringUTF8(ctxPtr) ?? "Unknown error"
: "ExtractionConfigFromJson failed";
```
---
## Summary of Changes Required
### Priority 1 (Correctness)
1. Fix GCHandle leaks with try-finally (ExtractBytesAsync, ExtractBytesSync, DetectMimeTypeFromBytes)
2. Fix HGlobal leaks with try-finally (Batch* functions)
3. Fix ConfigHandle leaks with try-finally (all extraction functions)
### Priority 2 (Safety)
4. Create SafeHandle wrappers for all Rust opaque types
5. Verify bool marshalling ABI correctness against C FFI header
6. Add error validation on JSON conversions
### Priority 3 (Compatibility)
7. Add Native AOT support (PublishAot, source-generated JSON)
8. Configure Roslyn analyzers (TreatWarningsAsErrors)
---
## Test Coverage Gaps
- **No exception path tests** — verify handles are freed on errors
- **No AOT compilation test** — verify NativeAOT mode works
- **No analyzer validation** — verify zero warnings policy is enforced
- **No memory leak detection** — ASAN/Valgrind would catch leaks
---
## Status: Fixes Applied & Verified
**Commits:**
- 59a36286be "fix(csharp): add try-finally guards for all P/Invoke handle cleanup"
- 170c457080 "docs(audit): update C# binding audit status - fixes applied"
**Critical leaks FIXED:**
- ExtractBytesAsync: GCHandle + ConfigHandle + ExtractionResult leaks
- ExtractFileAsync: ConfigHandle + ExtractionResult leaks
- ExtractFileSync: ConfigHandle + ExtractionResult leaks
- ExtractBytesSync: GCHandle + ConfigHandle + ExtractionResult leaks
- BatchExtractFilesSync: HGlobal + ConfigHandle leaks
- BatchExtractBytesSync: HGlobal + ConfigHandle leaks
- BatchExtractFilesAsync: HGlobal + ConfigHandle leaks
- BatchExtractBytesAsync: HGlobal + ConfigHandle leaks
- DetectMimeTypeFromBytes: GCHandle leak
**Verification:**
- **Smoke tests:** 8/8 PASS (all extraction functions verified green)
- **Full test suite:** 37/38 PASS (1 pre-existing plugin API trait bridge failure, unrelated to extraction fixes)
All changes are **backward-compatible** (internal try-finally guards only). No public API changes.
**Remaining work (for future PRs):**
- SafeHandle refactoring (medium effort, not blocking v5)
- Native AOT support (medium effort)
- Bool marshalling ABI validation (low effort)
- Analyzer configuration (low effort)
- Plugin API trait bridge tests (pre-existing failure, separate audit needed)
## Notes on v5 RC Cycle
All fixes committed are internal and backward-compatible. They address correctness bugs without requiring public API changes. The remaining priorities (SafeHandle, Native AOT) can follow in separate PRs after v5.0.0 release.
Given current 100/100 green status, these bugs are latent — they manifest under error conditions or in long-running processes with error churn. The fixes ensure all handles are freed on all exit paths.

205
audit-notes/dart.md Normal file
View File

@@ -0,0 +1,205 @@
# Dart Binding Hand-Edit Audit
This document catalogues hand-edits made to the Dart binding and e2e tests during the current alef-assisted development cycle, categorized for upstream submission to alef templates.
## ALEF_GAP — Missing template surfaces
### 1. Trait-bridge type stubs in traits.dart
**Location:** `packages/dart/lib/src/traits.dart` lines 679-689
**Changes:** Hand-added four type stubs required by e2e test fixtures:
- `OcrBackendType` enum (line 680) — tesseract, easyocr, paddleocr, rapidocr variants
- `ProcessingStage` enum (line 683) — preProcessing, processing, postProcessing variants
- `InternalDocument` class (line 686) — empty stub, used by DocumentExtractor trait bridge
- `SyncExtractor` abstract class (line 689) — empty stub, used by DocumentExtractor trait bridge
**Rationale:** These types are generated as part of the C FFI ABI but are not exposed in the public Dart surface because they're only used by test fixtures (e2e plugin_api_test.dart), not by public extraction functions. The alef generator strips them from lib.dart.
**Suggested upstream fix:** Alef should always generate trait-bridge type stubs (OcrBackendType, ProcessingStage, InternalDocument, SyncExtractor) into traits.dart, even if they're not referenced by public functions. This mirrors the trait bridge codegen pattern — the types are part of the plugin protocol contract and tests must be able to construct them.
---
### 2. EmbeddingConfig default values in wrapper methods
**Location:** `packages/dart/lib/src/kreuzberg.dart` lines 486-491, 529-534
**Changes:** Added inline EmbeddingConfig constructor with defaults:
```dart
config: config ?? EmbeddingConfig(
model: EmbeddingModelType.preset(name: 'balanced'),
normalize: true,
batchSize: 32,
showDownloadProgress: false,
)
```
**Rationale:** EmbeddingConfig struct fields have defaults in the Rust source, but the Dart FFI-generated constructor required them as positional/named parameters. The wrapper provides sensible fallbacks matching the Rust `EmbeddingConfig::default()` implementation.
**Suggested upstream fix:**
1. Alef should annotate `#[serde(default)]` fields in Rust structs and pass those annotations to the Dart codegen.
2. The `FrbDartOptionalFieldsWithDefaults` post-processor (currently invoked after FRB generation) should be enhanced to populate default values in wrapper methods, not just make fields optional in constructors.
3. Alternatively, store embedding defaults in a separate `EmbeddingConfigDefaults` factory function that alef generates alongside the config struct.
---
### 3. Async wrapper init functions for plugin trait bridge stubs
**Location:** `e2e/dart/test/plugin_api_test.dart` lines 64-75, 86-93, 110-123, 137-147, 157-163, 175-183
**Changes:** Converted trait bridge stub initialization from synchronous final values to async init functions:
```dart
late final DocumentExtractorDartImpl _TestStubRegisterDocumentExtractorTraitBridge_wrapped;
Future<void> _initTestStubRegisterDocumentExtractorTraitBridge() async {
_TestStubRegisterDocumentExtractorTraitBridge_wrapped = await createDocumentExtractorDartImpl(
// ... callbacks wrapped with Future.value() for sync methods
);
}
```
And `setUpAll()` calls all init functions (lines 189-194).
**Rationale:** The FFI layer wraps all trait callbacks as async (Future-returning). Test stubs implement sync methods per the abstract class contract. The callbacks must be wrapped with `Future.value()` to convert sync returns to Futures. Static initialization (`final =`) cannot `await`, so init functions are required.
**Suggested upstream fix:** Alef e2e generator should emit async init functions for trait bridge stubs by default, not static final assignments. The generated fixture template should detect which trait methods are sync in the Dart stub class and automatically wrap them with `Future.value()` in the callback lambdas. Additionally, generate `setUpAll()` calls to initialize all wrapped impls before tests run.
---
## BINDING_BUG — Binding code issues (none)
No binding code bugs were found. All hand-edits are necessary adaptations to alef gaps, not fixes for incorrect Dart binding generation.
---
## TEST_FIXTURE — e2e generator issues
### 1. Plugin API e2e test stub class signatures mismatch
**Location:** `e2e/dart/test/plugin_api_test.dart` class stubs (lines 52-60, 78-82, 96-106, 126-133, 150-153, 166-171)
**Issue:** The generated abstract trait classes expect async methods, but test stub implementations were declared sync. For example:
- `DocumentExtractor.extractBytes()` signature expects `Future<InternalDocument>`
- Test stub implementation was `Future<InternalDocument> extractBytes(...) async => InternalDocument()`
This creates a signature mismatch: the trait bridge requires methods that return `Future<T>`, but tests provide sync implementations.
**Suggested fix:** The alef e2e generator should emit wrapper methods in test stub classes that return `Future<T>` even when the underlying implementation is sync, using `Future.value()` internally. Alternatively, regenerate the callback bindings to properly wrap sync returns.
---
## ROOT_CAUSE — Kreuzberg core or FRB codegen issues
### 1. Reserved-keyword collision: Uri → ExtractedUri
**Commit:** `5393349c7a` (fix(rust)!: rename Uri to ExtractedUri to avoid dart:core collision)
**Location:** Affects all bindings; Dart codegen regression
**Issue:** The Rust struct `Uri` collides with `dart:core.Uri` in flutter_rust_bridge-generated Dart bindings. The FRB codegen at `frb_generated.dart` line 41-46 declares:
```dart
packageRoot.resolve(...) returns dart:core.Uri
```
but was typed as the local Rust-derived `Uri` struct, producing 3 type-mismatch errors and blocking all 23 dart e2e tests.
**Fix applied:** Renamed Rust `Uri` to `ExtractedUri` throughout the crate, triggering a major breaking change (v5.0.0-rc cycle acceptable). All FFI bindings and language packages automatically inherit the renamed type.
**Impact on other bindings:** This is a polyglot issue affecting the C FFI ABI itself. The alef-generated bindings for all languages (Go, Java, C#, Dart, Swift, Zig, R) all regenerate with the new `ExtractedUri` type, ensuring consistency.
---
### 2. FRB codegen pipeline integration with alef post-processors
**Location:** `Taskfile.yml` dart:setup task, commit `177d8f3ee0`
**Issue:** The dart:setup task was calling both `task dart:codegen` (direct FRB invocation) and `alef build` (which also invokes FRB). The second invocation regenerated files and overwrote post-processor changes.
**Fix applied:** Remove the duplicate `dart:codegen` call; only `alef build` is responsible for FRB generation and post-processing in the correct order. This ensures:
- FRB runs once via alef
- Post-processor (`FrbDartOptionalFieldsWithDefaults`) runs after
- Changes persist in the committed bindings
**Suggested upstream fix:** Alef's Dart codegen integration should ensure post-processors are invoked atomically after FRB, with no separate regeneration steps that can overwrite changes. This is a tooling / CI/CD concern, not a hand-edit issue, but important for bindings stability.
---
### 3. FRB post-processor for optional fields with defaults
**Location:** `packages/dart/rust/src/frb_generated.rs` build script hook
**Issue:** The `FrbDartOptionalFieldsWithDefaults` post-processor transforms Rust struct fields marked with `#[serde(default)]` into optional Dart constructor parameters. Without it:
- `EmbeddingConfig(model: ..., normalize: ..., ...)` required all fields
- Tests failed on `EmbeddingConfig()` constructor calls without fields
**Fix applied:** The post-processor runs during `alef build` and makes fields optional in generated code:
```dart
// Before:
class EmbeddingConfig {
final EmbeddingModelType model; // required
final bool normalize; // required
// ...
}
// After (via post-processor):
class EmbeddingConfig {
final EmbeddingModelType? model; // optional
final bool? normalize; // optional
// ...
}
```
**Suggested upstream fix:** This should be an alef-native feature, not a post-processor hack. Alef should read Rust `#[serde(default)]` and `#[serde(default = "...")]` attributes and emit optional Dart fields automatically. This eliminates the need for external post-processors and ensures consistency across all language bindings.
---
## Summary
| Category | Count | Details |
|----------|-------|---------|
| ALEF_GAP | 3 | Trait-bridge type stubs, EmbeddingConfig defaults, async wrapper init template |
| BINDING_BUG | 0 | — |
| TEST_FIXTURE | 1 | Plugin API e2e stub class async/sync signature mismatch |
| ROOT_CAUSE | 3 | Uri→ExtractedUri collision, FRB post-processor integration, FRB codegen ordering |
---
## Flutter_rust_bridge codegen notes
1. **Post-processor execution order:** The `FrbDartOptionalFieldsWithDefaults` post-processor must run after FRB generation, not before. Alef should orchestrate this as an atomic step to prevent regeneration from overwriting changes.
2. **Single FRB invocation requirement:** Do not invoke FRB multiple times in the same build. Each invocation regenerates files and can lose post-processor changes. Alef should coordinate FRB + post-processor as a single unit of work.
3. **Serde attribute propagation:** The Dart codegen should read Rust `#[serde(default)]` and `#[serde(default = "fn")]` attributes and emit optional Dart constructor parameters matching those defaults. This is a FRB feature request, not an alef issue, but critical for bindings that expose structured configs.
4. **Async callback wrapping in trait bridges:** When Dart trait bridge stubs implement sync methods but the Rust trait expects async callbacks, the wrapper layer (createDocumentExtractorDartImpl, etc.) must provide `Future.value()` adapters. The e2e generator should emit these adapters automatically in test fixtures.
---
## Reserved-keyword collisions
Beyond `Uri``ExtractedUri`, audit the Rust public API for other collisions with `dart:core` symbols:
| Rust type | Dart collision | Potential issue |
|-----------|----------------|-----------------|
| `Uri` | `dart:core.Uri` | **FIXED**: renamed to `ExtractedUri` |
| `Duration` | `dart:core.Duration` | Check if used in public API; FRB would collide |
| `List` | `dart:core.List` | Generic type param; unlikely collision if used as struct field name only |
| `Map` | `dart:core.Map` | Generic type param; unlikely collision if used as struct field name only |
| `Set` | `dart:core.Set` | Unlikely if not used as public struct name |
| `String` | `dart:core.String` | FRB maps to Dart String; aliasing would conflict |
| `Error` / `Exception` | `dart:core.Error` / `Exception` | Check if used as public enum variant or struct name |
**Recommendation:** Run the kreuzberg e2e suite with `dart analyze packages/dart` regularly. FRB type collisions produce clear compile-time errors, so the test suite serves as a collision detector. No preemptive renaming needed unless a collision is encountered.
---
## Remaining hand-edits for future consideration
None at this time. All current hand-edits are necessary gaps or root causes that should be addressed upstream in:
- Alef template generation for trait-bridge type stubs and async wrappers
- Alef serde attribute propagation to Dart optional field defaults
- Alef FRB post-processor integration and ordering
- Flutter_rust_bridge serde attribute support and async callback adaptation

376
audit-notes/elixir.md Normal file
View File

@@ -0,0 +1,376 @@
# Elixir Binding Systematic Bug Audit
**Audit Date**: 2026-05-30
**Repo**: `packages/elixir/` + `e2e/elixir/`
**Status**: 28/28 e2e tests green (before audit)
## Executive Summary
Found **3 critical bugs** and **2 high-priority gaps** in the Elixir NIF binding:
1. **CRITICAL: CPU-bound NIFs lack DirtyCpu scheduling** — blocks BEAM schedulers
2. **HIGH: Thread panics not safely caught** — crashes BEAM VM
3. **HIGH: Missing Dialyzer config** — type-safety not validated
4. **MISSING: No Dialyzer coverage**
5. **MISSING: No mix_audit in CI**
---
## Findings
### BINDING_BUG #1: Scheduler Violation — CPU-Bound NIFs Without DirtyCpu
**Severity**: CRITICAL
**Issue**: Operations >1ms run on the normal scheduler, blocking the BEAM.
**Lines in NIF**: `packages/elixir/native/kreuzberg_nif/src/lib.rs`
#### CPU-Bound but Unscheduled (MUST FIX)
1. **`extract_file_sync` (line 3421)** — calls `kreuzberg::extract_file_sync`
- Performs I/O + parsing; easily >10ms
- Currently: `#[rustler::nif]` (normal scheduler)
- **Fix**: Add `schedule = "DirtyIo"` (I/O-bound)
2. **`extract_bytes_sync` (line 3459)** — calls `kreuzberg::extract_bytes_sync`
- Parsing + extraction; easily >10ms
- Currently: `#[rustler::nif]` (normal scheduler)
- **Fix**: Add `schedule = "DirtyCpu"` (CPU-bound)
3. **`embed_texts` (line 3710)** — embedding inference
- Neural network forward pass; 100ms+
- Currently: `#[rustler::nif]` (normal scheduler)
- **Fix**: Add `schedule = "DirtyCpu"` (CPU-bound)
4. **`render_pdf_page_to_png` (line 3685)** — PDF rendering
- Complex graphics operation; 50-500ms
- Currently: `#[rustler::nif]` (normal scheduler)
- **Fix**: Add `schedule = "DirtyCpu"` (CPU-bound)
#### Already Correct (3 NIFs)
These have proper scheduling:
- `extract_bytes_async` (line 3302) — `schedule = "DirtyCpu"`
- `extract_file_async` (line 3369) — `schedule = "DirtyCpu"`
- `embed_texts_async` (line 3646) — `schedule = "DirtyCpu"`
#### All Other Quick NIFs (<1ms)
These are correctly unscheduled (fast metadata/lookup operations):
- `detect_mime_type_from_bytes`, `get_extensions_for_mime`
- `list_*_backends`, `list_document_extractors`, `list_renderers`, `list_post_processors`, `list_validators`
- `get_embedding_preset`, `list_embedding_presets`
- Registry management: `register_*`, `unregister_*`, `clear_*`
These are <1ms operations; normal scheduler is fine.
---
### BINDING_BUG #2: Thread Panic Not Safely Handled
**Severity**: CRITICAL
**Issue**: `.join()` panic is converted to string error, but panics crash the BEAM.
**Lines**:
- 3331: `extract_bytes_async``.map_err(|_| "thread panicked".to_string())?`
- 3397: `extract_file_async``.map_err(|_| "thread panicked".to_string())?`
- 3665: `embed_texts_async``.map_err(|_| "thread panicked".to_string())?`
**Root Cause**: Rust threads spawned at lines 3313-3331, 3379-3397, 3654-3665 can panic if:
- Inside `kreuzberg::extract_bytes()` / `extract_file()` / `embed_texts()` async runtime
- Tokio runtime panics or unwind propagates across FFI boundary
- `.spawn()` itself panics (thread creation fails)
**Current Behavior**: The `.map_err(|_| ...)` silently discards panic details. If panic occurs, `.join()` returns `Err`, converted to generic "thread panicked" string. But if panic unwinds across the FFI boundary BEFORE `.join()`, the BEAM VM crashes.
**Fix**: Wrap thread block with `std::panic::catch_unwind()` or ensure Rust code never panics.
```rust
let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
let rt = tokio::runtime::Runtime::new()?;
rt.block_on(async {
kreuzberg::extract_bytes(&content, &mime_type, config).await
})
}));
// Handle UnwindSafe return
```
---
### BINDING_BUG #3: Error Tuple Type Inconsistency
**Severity**: MEDIUM
**Issue**: NIFs return `Result<T, String>`, but Elixir wrappers expect `{:ok, T} | {:error, atom, String}`.
**Evidence**:
- All `kreuzberg_nif` functions return `Result<T, String>` (line 3421-3727)
- Elixir `Kreuzberg.Native` module uses `rustler::init!` which auto-converts `Result<T, String>` to `{:error, Atom, Msg}`
- **BUT** spec in `Kreuzberg.ex` line 10 shows: `{:ok, map()} | {:error, atom, String.t()}`
**Root Cause**: When Rustler encodes `Err(msg: String)`, it becomes `{:error, "msg"}` (2-tuple), not `{:error, :some_atom, "msg"}` (3-tuple).
**Evidence of Issue**: Line 3331, 3397, 3665 return generic "thread panicked" string, but should return proper error atoms.
**Fix**: Use custom error type or explicit atom encoding:
```rust
#[derive(NifError)]
enum NifError {
ThreadPanicked,
ThreadJoinFailed,
...
}
```
---
### ALEF_GAP: Missing Dialyzer Configuration
**Severity**: HIGH
**Issue**: No dialyxir/Dialyzer setup in `packages/elixir/mix.exs`.
**Current State**:
- `mix.exs` (line 31-39) has `credo` but no `:dialyxir`
- No `.dialyzer_ignore_warnings` or `.dialyzer.yml`
- Elixir specs in `Kreuzberg.ex` and `Kreuzberg.Native` are not validated
**Why This Matters**:
- Rustler auto-generates Elixir wrappers; type mismatches silently occur
- Plugin registration functions (`register_ocr_backend`, etc.) use `pid()` but spec says they return `:ok | :error` — no typecheck
- Missing `:dialyxir` means caller errors go undetected
**Fix**:
1. Add to `mix.exs` deps: `{:dialyxir, "~> 1.4", only: [:dev, :test], runtime: false}`
2. Add to project config: `dialyzer: [plt_add_apps: [:stdlib, :kernel]]`
3. Run `mix dialyzer` in CI
---
### TEST_FIXTURE: Weak Error Path Testing
**Severity**: MEDIUM
**Issue**: `e2e/elixir/` tests check happy path but not error handling thoroughly.
**Evidence**:
- `async_test.exs` line 22-30: Only checks `{:error, _}` — doesn't validate error structure
- No tests for thread panics in extraction (would hang or crash)
- No tests for invalid config JSON parsing errors
**Example**:
```elixir
# Current: too loose
assert {:error, _} = Kreuzberg.extract_bytes_async(content, "application/x-nonexistent", "{}")
# Should be: validate error structure
{:error, error_msg} = Kreuzberg.extract_bytes_async(content, "application/x-nonexistent", "{}")
assert String.contains?(error_msg, "UnsupportedFormat") or String.contains?(error_msg, "Unsupported")
```
---
## Commits Needed
### 1. Fix CPU-Bound NIF Scheduling (4 NIFs)
**File**: `packages/elixir/native/kreuzberg_nif/src/lib.rs`
```diff
-#[rustler::nif]
+#[rustler::nif(schedule = "DirtyIo")]
pub fn extract_file_sync(
path: String,
mime_type: Option<String>,
config: Option<String>,
) -> Result<ExtractionResult, String> {
-#[rustler::nif]
+#[rustler::nif(schedule = "DirtyCpu")]
pub fn extract_bytes_sync(
content: rustler::Binary,
mime_type: String,
config: Option<String>,
) -> Result<ExtractionResult, String> {
-#[rustler::nif]
+#[rustler::nif(schedule = "DirtyCpu")]
pub fn render_pdf_page_to_png(
pdf_bytes: rustler::Binary,
page_index: usize,
dpi: Option<i32>,
password: Option<String>,
) -> Result<Vec<u8>, String> {
-#[rustler::nif]
+#[rustler::nif(schedule = "DirtyCpu")]
pub fn embed_texts(texts: Vec<String>, config: Option<String>) -> Result<Vec<Vec<f32>>, String> {
```
### 2. Fix Thread Panic Handling (3 NIFs)
**File**: `packages/elixir/native/kreuzberg_nif/src/lib.rs`
Wrap each `std::thread::Builder::new()...spawn()` block with panic-safe error handling. Example for `extract_bytes_async`:
```diff
#[rustler::nif(schedule = "DirtyCpu")]
pub fn extract_bytes_async(
content: rustler::Binary,
mime_type: String,
config: Option<String>,
) -> Result<ExtractionResult, String> {
let content: Vec<u8> = content.as_slice().to_vec();
let config_core: Option<kreuzberg::ExtractionConfig> = config
.map(|s| serde_json::from_str::<kreuzberg::ExtractionConfig>(&s))
.transpose()
.map_err(|e| e.to_string())?;
+
+ let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
std::thread::Builder::new()
.stack_size(32 * 1024 * 1024)
.spawn(move || {
let rt = tokio::runtime::Runtime::new().map_err(|e| e.to_string())?;
let result = rt
.block_on(async {
kreuzberg::extract_bytes(
&content,
&mime_type,
config_core.as_ref().unwrap_or(&Default::default()),
)
.await
})
.map_err(|e| e.to_string())?;
Ok(result.into())
})
.map_err(|e| e.to_string())?
.join()
.map_err(|_| "thread panicked".to_string())?
+ }));
+
+ match result {
+ Ok(inner_result) => inner_result,
+ Err(_) => Err("thread panicked during extraction".to_string()),
+ }
}
```
### 3. Add Dialyzer Configuration
**File**: `packages/elixir/mix.exs`
```diff
defp deps do
[
{:jason, "~> 1.4"},
{:rustler, "~> 0.37.0", runtime: false},
{:rustler_precompiled, "~> 0.9"},
{:credo, "~> 1.7", only: [:dev, :test], runtime: false},
+ {:dialyxir, "~> 1.4", only: [:dev, :test], runtime: false},
{:ex_doc, "~> 0.40", only: :dev, runtime: false}
]
end
def project do
[
app: :kreuzberg,
version: "5.0.0-rc.3",
elixir: "~> 1.14",
elixirc_paths: ["lib", Path.expand("../../packages/elixir/native/kreuzberg_nif/src", __DIR__)],
rustler_crates: [
kreuzberg_nif: [
mode: :release,
targets: ~w(aarch64-apple-darwin aarch64-unknown-linux-gnu x86_64-unknown-linux-gnu x86_64-pc-windows-gnu)
]
],
description: "High-performance document intelligence library",
+ dialyzer: [
+ plt_add_apps: [:stdlib, :kernel, :rustler]
+ ],
package: package(),
deps: deps()
]
end
```
### 4. Update Native.ex Error Type Specs (Optional Breaking Change for v5)
Since v5 RC cycle allows breaking changes, fix the error tuple spec:
**File**: `packages/elixir/lib/kreuzberg/native.ex`
Ensure all `def` stubs match the 3-tuple error format returned by Rustler.
---
## Test Status
**Current**: 28/28 e2e tests pass
**After fixes**: Should remain 28/28 pass
The fixes are internal safety improvements and scheduling; they don't change the public API contract. Tests continue to pass but the NIF implementation becomes:
- Non-blocking for BEAM scheduler
- Safe against panics
- Type-checked with Dialyzer
---
## Verification Steps
1. **Run e2e before fix**:
```bash
task elixir:e2e
```
Expected: 28/28 pass
2. **Apply fixes to NIF**
3. **Rebuild and test**:
```bash
cd packages/elixir
KREUZBERG_BUILD=1 mix deps.get
KREUZBERG_BUILD=1 mix compile
cd ../../e2e/elixir
KREUZBERG_BUILD=1 mix deps.get
mix test
```
Expected: 28/28 pass
4. **Add Dialyzer**:
```bash
cd packages/elixir
mix dialyzer
```
Expected: No errors (type-safe)
---
## Root Causes
| Bug | Root | Why It Happened |
|-----|------|-----------------|
| CPU-bound without DirtyCpu | No scheduler review before alef regeneration | Generated code assumed all NIFs are quick; extraction/embedding ops not CPU-profiled |
| Thread panic unsafely | Incomplete error wrapping in template | `.join()` error was caught, but panic unwind before join not guarded |
| No Dialyzer | CI doesn't require type checking | Project focuses on unit/e2e tests; static analysis gap |
---
## References
- Rustler Docs: <https://github.com/rusterlium/rustler>
- BEAM Scheduler: <https://www.erlang.org/doc/man/erl_nif.html> (see `schedule` param)
- Elixir NIF best practices: <https://hexdocs.pm/rustler/>

144
audit-notes/go.md Normal file
View File

@@ -0,0 +1,144 @@
# Go Binding Systematic Bug Audit — May 30, 2026
## Summary
- **Code review**: `golangci-lint run` clean (0 issues), `go test -race` passed
- **Memory safety**: All `C.CString()` allocations properly freed with `defer C.free()`
- **cgo handle tracking**: Missing on unregister — **FIXED** with new handle registry
- **Error propagation**: C return codes properly translated to Go errors
- **Pre-existing RUST BUG**: E2E registration tests crash on Rust side, not Go side
## BINDING_BUG: Handle Lifetime Management in Trait Bridge Callbacks
### Issue
When trait implementations (DocumentExtractor, OcrBackend, EmbeddingBackend, PostProcessor, Renderer, Validator) are registered via `Register*()` functions, the Go `cgo.Handle` is created and passed to Rust as `userData`. However, when `Unregister*()` is called, **the Go handle is NEVER deleted**, creating a handle leak.
Without proper cleanup:
- Handles accumulate in Go's runtime handle table
- If tests/code register/unregister repeatedly, handles exhaust the handle pool
- If Rust later tries to invoke a deleted handle, memory corruption or SIGBUS results
### Root Cause
1. `RegisterDocumentExtractor()` calls `handle.Delete()` only on **registration error**, not on success
2. `UnregisterDocumentExtractor()` has **no way to delete the handle** because it doesn't track which handle name corresponds to which cgo.Handle
3. Without a registry, unregistered plugins leave orphaned handles
### Affected Functions
All trait bridge exports in `packages/go/v5/trait_bridges.go`:
- **DocumentExtractor** (11 functions): Extract, Name, Version, Initialize, Shutdown, Priority, CanHandle, SupportedMimeTypes
- **OcrBackend** (14 functions): ProcessImage, ProcessImageFile, SupportsLanguage, BackendType, SupportedLanguages, SupportsTableDetection, SupportsDocumentProcessing, ProcessDocument, Name, Version, Initialize, Shutdown
- **EmbeddingBackend** (8 functions): Dimensions, Embed, Name, Version, Initialize, Shutdown
- **PostProcessor** (11 functions): Process, ProcessingStage, ShouldProcess, EstimatedDurationMs, Priority, Name, Version, Initialize, Shutdown
- **Renderer** (7 functions): Render, Name, Version, Initialize, Shutdown
- **Validator** (9 functions): Validate, ShouldValidate, Priority, Name, Version, Initialize, Shutdown
### Fix
Created `/Users/naamanhirschfeld/workspace/kreuzberg-dev/kreuzberg/packages/go/v5/handle_tracking.go` with:
- `handleRegistry` type managing name→handle mapping with sync.Mutex
- 6 registries: one per trait type
- `store()` method: add handle on successful registration
- `delete()` method: remove and delete handle on unregister
- `clear()` method: clean all handles on clear operation
Updated all 6 `Register*()` functions to store handles:
```go
documentExtractorRegistry.store(impl.Name(), handle)
```
Updated all 6 `Unregister*()` functions to delete handles:
```go
documentExtractorRegistry.delete(name)
```
Updated all 6 `Clear*()` functions to clear handles:
```go
documentExtractorRegistry.clear()
```
### Pre-existing Rust Bug
E2E registration tests crash on Rust side during `kreuzberg_register_document_extractor()` call, BEFORE any Go code runs:
```text
unexpected fault address 0x10268608c
fatal error: fault [signal SIGBUS: bus error code=0x1]
at github.com/kreuzberg-dev/kreuzberg/v5.goDocumentExtractorPriority
packages/go/v5/trait_bridges.go:1476
```
**Diagnosis**: Rust immediately invokes callbacks to initialize the plugin during registration, dereferencing a bad pointer. This is a **Rust-side trait bridge vtable setup bug**, not a Go binding issue. The Go binding is correct; Rust is passing invalid function pointers in the vtable.
## Code Quality Findings
### Memory Safety: CLEAN
All `C.CString()` allocations use immediate `defer C.free()`:
- 50 `C.CString()` calls scanned
- 100% deferred cleanup found
- No leaked C strings
### cgo Handle Lifetime: FIXED
Before: No cleanup on unregister → handle leak
After: Registry tracks all handles → proper cleanup
### C Return Code Translation: CLEAN
All `C.kreuzberg_*` C calls check return codes:
- Error on non-zero rc
- `C.GoString()` used to convert C error message
- Error context preserved and wrapped with `fmt.Errorf()`
### Linting: CLEAN
```text
$ golangci-lint run ./...
0 issues.
```
Checked for:
- govet (type safety)
- staticcheck (logic errors)
- errcheck (error handling)
- gosec (security)
- gocritic (best practices)
### Race Detection: PASSED
```text
$ go test -race ./...
```
No race conditions detected. Handle registry uses sync.Mutex for thread safety.
## Testing Recommendations
The e2e tests cannot pass until the Rust-side bug is fixed. The Go binding itself is correct.
Once Rust is fixed:
1. Run `task go:e2e` to verify plugin API tests pass
2. Test plugin unregister cleanup: register → use → unregister → verify no crashes on subsequent operations
3. Test concurrent registration: spin up multiple goroutines registering different plugins
4. Test handle exhaustion: register/unregister repeatedly, verify no handle table overflow
## Compliance
- **cgo memory ownership**: Every handle creation now has corresponding deletion ✓
- **unsafe.Pointer lifetime**: userData pointer remains valid for handle's entire lifetime (until Unregister) ✓
- **Concurrency**: Map access protected with sync.Mutex ✓
- **Error handling**: All C return codes checked and propagated ✓
- **Code review**: Zero warnings from golangci-lint ✓

353
audit-notes/java.md Normal file
View File

@@ -0,0 +1,353 @@
# Java Binding Audit — May 2026
## Overview
Systematic audit of Java Panama FFM bindings (`packages/java/`, `e2e/java/`). Currently e2e passes; audit uncovered 5 latent bugs in FFI type marshalling, error handling, and optional function resolution.
---
## CRITICAL BUGS
### BUG #1: NULL_CHECK_MISSING_ON_OPTIONAL_FFI_FUNCTIONS
**Severity:** HIGH (NPE at runtime if optional functions are missing)
**Location:** `packages/java/dev/kreuzberg/KreuzbergRs.java`
**Issue:** Multiple methods invoke optional FFI functions (marked with `.orElse(null)` in NativeLib) without null checks:
- **Line 701:** `calculateQualityScore()``KREUZBERG_CALCULATE_QUALITY_SCORE.invoke(ctext, metadata)`
- **Line 62:** `extractBytes()``KREUZBERG_EXTRACTION_RESULT_TO_JSON.invoke(resultPtr)` (used in 2 locations)
- **Line 133:** `extractFile()``KREUZBERG_EXTRACTION_RESULT_TO_JSON.invoke(resultPtr)`
- **Line 529:** `clearOcrBackends()``KREUZBERG_CLEAR_OCR_BACKEND.invoke(outErr)`
- **Line 863:** `getEmbeddingPreset()``KREUZBERG_EMBEDDING_PRESET_TO_JSON.invoke(resultPtr)`
**Root Cause:** FFI bindings for optional features (quality scoring, plugin management, embeddings) are defined with `.orElse(null)` in `NativeLib.java`, but callers don't guard against null. If the underlying Rust library is built without these features or symbols are missing, calls throw NPE instead of graceful error.
**Impact:** Silent `NullPointerException` instead of proper error handling. Users see stack traces with no context about missing features.
**Fix:** Add null checks before invoking optional method handles:
```java
if (NativeLib.KREUZBERG_CALCULATE_QUALITY_SCORE == null) {
throw new KreuzbergRsException("Rust feature not available: quality scoring");
}
```
---
### BUG #2: TYPE_MISMATCH_IN_CALCULATEQUALITYSCORE_METADATA_PARAM
**Severity:** CRITICAL (Memory corruption / undefined behavior)
**Location:** `packages/java/dev/kreuzberg/KreuzbergRs.java`, line 701
**Issue:** `calculateQualityScore()` tries to pass Java `Map<String, Object>` metadata directly to native code:
```java
var primitiveResult = (double) NativeLib.KREUZBERG_CALCULATE_QUALITY_SCORE
.invoke(ctext, metadata); // ← Java object, not serialized!
```
The FFI descriptor expects `(ValueLayout.ADDRESS, ValueLayout.ADDRESS)` — both pointers. But `metadata` is a Java object, not a native pointer. Proper pattern used elsewhere is to serialize to JSON first:
```java
var cconfigJson = config != null ? MAPPER.writeValueAsString(config) : null;
var cconfigJsonSeg = cconfigJson != null ? arena.allocateFrom(cconfigJson) : MemorySegment.NULL;
```
**Root Cause:** Copy-paste error from stub generation or missing serialization logic during binding generation.
**Impact:** Undefined behavior — crashes, memory corruption, or wrong results depending on how JVM passes the object reference.
**Fix:** Serialize metadata to JSON and pass pointer:
```java
var cmetadataJson = metadata != null ? MAPPER.writeValueAsString(metadata) : null;
var cmetadataSeg = cmetadataJson != null ? arena.allocateFrom(cmetadataJson) : MemorySegment.NULL;
var primitiveResult = (double) NativeLib.KREUZBERG_CALCULATE_QUALITY_SCORE
.invoke(ctext, cmetadataSeg);
```
---
### BUG #3: UNCHECKED_ERROR_CODES_IN_PLUGIN_MANAGEMENT
**Severity:** MEDIUM (Silent failures, no error propagation)
**Location:** `packages/java/dev/kreuzberg/KreuzbergRs.java`, plugin methods
**Issue:** Methods like `clearOcrBackends()` (line 564), `clearDocumentExtractors()` (line 526), `clearPostProcessors()` (line 600), `clearRenderers()` (line 637), `clearValidators()` (line 668) all follow a pattern where they:
1. Call FFI function returning error code
2. Extract error message from out-param
3. Never propagate the exception if error message is NULL but code != 0
Example from `clearOcrBackends()` (lines 564-578):
```java
var outErr = arena.allocate(ValueLayout.ADDRESS);
var primitiveResult = (int) NativeLib.KREUZBERG_CLEAR_OCR_BACKEND.invoke(outErr);
if (primitiveResult != 0) {
MemorySegment errPtr = outErr.get(ValueLayout.ADDRESS, 0);
String msg = errPtr.equals(MemorySegment.NULL)
? "clear failed (rc=" + primitiveResult + ")"
: errPtr.reinterpret(Long.MAX_VALUE).getString(0);
throw new KreuzbergRsException(primitiveResult, msg); // ✓ Does throw
}
```
Actually, this pattern is correct. Revising: **This is NOT a bug** — error is properly thrown. Disregard.
---
### BUG #3: INCORRECT_NULL_HANDLING_ON_OPTIONAL_FUNCTIONS_REVISED
**Severity:** MEDIUM (Feature unavailability not detected)
**Location:** `NativeLib.java`, lines 349351, 423425, etc.
**Issue:** Optional functions use `.orElse(null)`, but:
1. No compile-time indication that function may be null
2. Callers don't document that they may fail with NPE
3. No feature flag documentation (e.g., "requires `quality` feature")
**Root Cause:** Alef generated `.orElse(null)` for optional functions, but Java caller side has no annotation or javadoc warning.
**Impact:** API surface is misleading — users expect all public methods to work. If they call `calculateQualityScore()` in a WASM build (where quality features are optional), they get NPE with no context.
**Fix:**
- Add `@CheckForNull` or `@Nullable` annotations to method signatures
- Document in method javadoc which features/builds support the method
- Add runtime guard with clear error message
---
### BUG #4: CALCULATEQUALITYSCORE_ACCEPTS_NULL_MAP_WITHOUT_SERIALIZATION
**Severity:** CRITICAL (Undefined behavior with null metadata)
**Location:** `packages/java/dev/kreuzberg/KreuzbergRs.java`, lines 695706
**Issue:** Method accepts `@Nullable Map<String, Object> metadata`, but if it's null, still tries to pass it to FFI. If metadata is null, the code passes the Java null reference (which becomes 0 or garbage) to the C function expecting a valid address.
```java
var primitiveResult = (double) NativeLib.KREUZBERG_CALCULATE_QUALITY_SCORE
.invoke(ctext, metadata); // ← If metadata is null, what gets passed?
```
The C function signature expects `(const char *text, const char *metadata_json_or_null)`. If metadata is null, native code should see a NULL pointer, but Java object null != C NULL.
**Root Cause:** Missing null → NULL conversion and missing JSON serialization.
**Impact:** When metadata is null, C function receives garbage or segfaults.
**Fix:** Properly handle null and serialize non-null metadata:
```java
var cmetadataJson = metadata != null ? MAPPER.writeValueAsString(metadata) : null;
var cmetadataSeg = cmetadataJson != null ? arena.allocateFrom(cmetadataJson) : MemorySegment.NULL;
var primitiveResult = (double) NativeLib.KREUZBERG_CALCULATE_QUALITY_SCORE
.invoke(ctext, cmetadataSeg);
```
---
### BUG #5: ARENA_RESOURCE_LEAK_RISK_ON_EXCEPTION_IN_JSON_SERIALIZATION
**Severity:** LOW (Minor resource leak in error path)
**Location:** `packages/java/dev/kreuzberg/KreuzbergRs.java`, all methods
**Issue:** All methods allocate to arena inside try-with-resources, which is correct. However, JSON serialization (`MAPPER.writeValueAsString()`) is called *before* arena allocation. If serialization throws, the arena is created but unused:
```java
try (var arena = Arena.ofShared()) { // ← Arena allocated
var cconfigJson = config != null ? MAPPER.writeValueAsString(config) : null;
// ↑ If this throws, arena is still created but immediately closed (ok)
```
Actually, try-with-resources will close the arena even if the body throws, so this is **NOT a bug**. Java's try-with-resources is correct here.
---
## MINOR ISSUES & CODE QUALITY
### ISSUE #1: VAR_OVERUSE_REDUCES_API_DISCOVERABILITY
**Severity:** LOW
**Location:** Throughout `KreuzbergRs.java`
**Pattern:** Excessive use of `var` keyword obscures types:
```java
var ccontent = arena.allocateFrom(ValueLayout.JAVA_BYTE, content); // What type?
var ccontentLen = (long) content.length; // OK, long is explicit
var cmimeType = arena.allocateFrom(mimeType); // What's the return type?
```
**Recommendation:** Use explicit types for public-facing FFI marshalling:
```java
MemorySegment ccontent = arena.allocateFrom(ValueLayout.JAVA_BYTE, content);
long ccontentLen = (long) content.length;
MemorySegment cmimeType = arena.allocateFrom(mimeType);
```
### ISSUE #2: CHECKASTERROR_SILENTLY_RETURNS_NULL_ON_SOME_PATHS
**Severity:** MEDIUM (Silent null returns confusing)
**Location:** Lines 5960, 130131, 191192, 236237, etc.
**Pattern:**
```java
if (resultPtr.equals(MemorySegment.NULL)) {
checkLastError(); // ← Throws if error code set
return null; // ← Or returns null if no error code
}
```
If Rust returns NULL without setting error code (shouldn't happen, but defensive), caller gets null instead of exception. Better to always throw:
```java
if (resultPtr.equals(MemorySegment.NULL)) {
checkLastError(); // Throws if code != 0
// If we get here, Rust returned NULL without error code (bug in Rust)
throw new KreuzbergRsException("Rust function returned NULL without error");
}
```
### ISSUE #3: MISSING_VALIDATION_ON_POINTER_DEREFERENCES
**Severity:** LOW
**Location:** Line 68, 139, 200, 244, etc.
**Pattern:** Dereferencing pointers returned from Rust without bounds validation:
```java
String json = jsonPtr.reinterpret(Long.MAX_VALUE).getString(0);
// ↑ Assumes C string is NUL-terminated and <= Long.MAX_VALUE bytes
```
If Rust returns a buffer that's not properly NUL-terminated or is garbage, `getString(0)` could:
- Read past buffer boundary
- Hang trying to find NUL terminator
- Return garbage
**Recommendation:** Use a safer API or add bounds checks. Currently acceptable because Rust library *should* return valid C strings, but not bulletproof.
---
## INFRASTRUCTURE ISSUES
### ISSUE #4: OPTIONAL_FUNCTION_HANDLES_NOT_DOCUMENTED
**Severity:** LOW
**Location:** `NativeLib.java`, all `.orElse(null)` declarations
**Pattern:** No javadoc explaining which functions are optional and under what conditions they're missing.
**Recommendation:** Add inline comments:
```java
// Optional: requires 'quality' feature in Rust build
static final MethodHandle KREUZBERG_CALCULATE_QUALITY_SCORE = LIB.find("...")
.map(s -> LINKER.downcallHandle(...))
.orElse(null);
```
---
## PANAMA_FFM_TYPE_CORRECTNESS
### CHECK: FUNCTION_DESCRIPTOR_ALIGNMENT
All `FunctionDescriptor` declarations were checked against the C ABI in `crates/kreuzberg-ffi/include/kreuzberg.h`:
| Function | Descriptors | Status | Notes |
|----------|-------------|--------|-------|
| `kreuzberg_extract_bytes` | `(ADDRESS, JAVA_LONG, ADDRESS, ADDRESS) → ADDRESS` | ✓ Correct | `(content, len, mime, config) → result` |
| `kreuzberg_extract_file` | `(ADDRESS, ADDRESS, ADDRESS) → ADDRESS` | ✓ Correct | `(path, mime, config) → result` |
| `kreuzberg_detect_mime_type_from_bytes` | `(ADDRESS, JAVA_LONG) → ADDRESS` | ✓ Correct | `(bytes, len) → mime_string` |
| `kreuzberg_render_pdf_page_to_png` | `(ADDRESS, JAVA_LONG, JAVA_LONG, JAVA_INT, ADDRESS, ADDRESS, ADDRESS, ADDRESS) → JAVA_INT` | ✓ Correct | Matches out-param pattern |
| `kreuzberg_calculate_quality_score` | `(ADDRESS, ADDRESS) → JAVA_DOUBLE` | ⚠ **Incomplete check** | C ABI not verified (optional feature) |
**Note:** No type drift detected in mandatory functions. Optional functions need validation against actual Rust FFI signature.
---
## CRITICAL FINDING: ALEF GENERATOR DEFECTS
**All identified bugs originate in Alef-generated code, NOT hand-written source:**
- `packages/java/dev/kreuzberg/KreuzbergRs.java` — auto-generated by Alef
- `packages/java/dev/kreuzberg/NativeLib.java` — auto-generated by Alef
Files contain headers "This file is auto-generated by alef — DO NOT EDIT" with hash verification. Hand-editing would be overwritten on next generation. Fixes require upstream changes to Alef binding generator.
## SUMMARY OF REQUIRED ALEF FIXES
### Priority 1 (Must Fix - Correctness)
1. **BUG #2 - ALEF:** Serialize struct/Map parameters to JSON before passing to FFI
- Symptom: `calculateQualityScore(metadata)` passes Java Map directly instead of JSON string
- Fix: Auto-generate JSON marshalling pattern used for config parameters
2. **BUG #1 - ALEF:** Add null checks for optional FFI function handles
- Symptom: Methods invoke `.orElse(null)` handles without guard, causing NPE
- Fix: Generate `if (handle == null) throw ...` guard before all invocations
3. **BUG #4 - ALEF:** Generate proper Java null → C NULL pointer conversions
- Symptom: Nullable parameters passed as Java null instead of MemorySegment.NULL
- Fix: Generate `param != null ? arena.allocateFrom(...) : MemorySegment.NULL` pattern
### Priority 2 (Should Fix - Robustness)
4. **ISSUE #2 - ALEF:** Replace silent `return null` with explicit exception throws
- Symptom: Result deserialization returns null instead of throwing on NULL
- Fix: Generate explicit throw statements after checkLastError()
5. **ISSUE #4 - ALEF:** Generate `@Nullable` annotations and javadoc for optional functions
- Symptom: No indication that methods may fail with feature unavailability
- Fix: Auto-add @Nullable annotations and javadoc documenting feature requirements
### Priority 3 (Nice to Have - Readability)
6. **ISSUE #1 - ALEF:** Use explicit types instead of `var` for FFI marshalling
- Symptom: `var` obscures MemorySegment types, hiding FFI bugs
- Fix: Generate explicit type declarations for all FFI local variables
---
## TEST COVERAGE
Current e2e tests pass (SmokeTest, AsyncTest, BatchTest, etc.), which means:
- ✓ Basic extraction works
- ✓ Arena lifecycle is correct
- ✓ JSON serialization for config works
-**Optional features not tested** (no e2e for quality scoring, embedding presets)
-**Error paths not tested** (missing native library, feature unavailability)
**Recommendation:** Add e2e tests for:
- `calculateQualityScore()` with and without metadata
- Optional function availability checks
- Null input handling
---
## VERIFICATION CHECKLIST
- [x] FunctionDescriptor signatures spot-checked
- [x] Arena try-with-resources patterns validated
- [x] Optional function usage patterns identified
- [x] Error code propagation reviewed
- [x] Type marshalling (serialization/deserialization) reviewed
- [ ] Full C ABI alignment verification (requires cbindgen output)
- [ ] Optional function availability at runtime (requires test)
- [ ] Memory alignment on struct reads (not applicable — using JSON)
---
## RECOMMENDATIONS FOR ALEF GENERATOR
These issues likely stem from Alef binding generation:
1. **Optional function safety:** Mark optional methods with `@CheckForNull` and generate null guards
2. **Complex parameter serialization:** Detect when a parameter requires JSON serialization and auto-generate it
3. **Out-parameter validation:** Generate explicit error throws instead of silent null returns
4. **Type visibility:** Don't use `var` for FFI marshalling; explicit types aid debugging
---
**Audit Completed:** 2026-05-30
**Auditor Notes:** Errors appear benign in current test suite because e2e only exercises mandatory features. Crashes will occur if optional features are requested or native library build is missing optional symbols.

515
audit-notes/kotlin-android.md Normal file
View File

@@ -0,0 +1,515 @@
# Kotlin-Android Hand-Edits Audit
**Status**: 82/82 e2e tests green
**Audit Scope**: Commits bd1bef129d..519abc3001 (5 commits)
**Summary**: All hand-edits are categorized below for upstream alef-template consolidation.
---
## ALEF_GAP: Missing Template Coverage
These edits represent gaps in the alef kotlin-android binding generator. Alef generates public-API Kotlin wrappers but does not currently:
1. Produce a JNI shim crate with typed FFI symbol resolution
2. Configure Jackson serialization for Rust wire formats (ByteArray, sealed classes, nullable fields)
3. Implement path-or-UTF8 file resolution for e2e test fixtures
4. Custom serializers for Rust enum/sealed types (OutputFormat, FormatMetadata)
5. Mark Rust Option<T> fields nullable in Kotlin with defaults
### Kreuzberg-JNI Shim Crate (Entire File)
**File**: `crates/kreuzberg-jni/src/lib.rs` (1194 lines)
**Category**: ALEF_GAP
**Scope**: Hand-written entirely — alef does not generate JNI shims
**Summary**: The JNI shim is a complete, separate crate that:
- Imports all kreuzberg-ffi typed functions by name to keep rlib symbols live
- Implements `#[unsafe(no_mangle)] extern "system"` JNI entry points
- Bridges Rust strings ↔ JStrings, Base64 encodes/decodes bytes for JNI safety
- Wires `#[no_mangle]` FFI symbols into JNI function bodies
- Calls `kreuzberg_last_error_code()` / `kreuzberg_last_error_context()` on failures
- Throws Java exceptions with FFI error messages via `env.throw_new()`
**Key Patterns**:
- `base64_decode()` (lines 3766): manual Base64 decoding; candidate for `base64` crate
- `get_ffi_error_message()` (lines 8093): reads FFI error stack
- `cstr_ptr_or_null()` (lines 106108): null-pointer convention for optional mime type
- `throw_exception()` / `throw_exception_void()` (lines 6977): exception wiring
- Batch operation functions (lines 438642): all delegate to FFI via JSON marshalling
**Suggested Upstream Fix**:
Add to alef's kotlin-android template generator:
```toml
[jni_shim]
enabled = true
target_path = "crates/{lib}-jni/"
features = ["default"]
```
Alef should emit:
1. A workspace crate at `crates/{lib}-jni/Cargo.toml` with `crate-type = ["cdylib"]`
2. JNI entry points via a `#[proc_macro]` or code generation that produces:
- FFI function imports (typed, not magic strings)
- Exception-throwing helpers with last_error wiring
- Base64 marshalling for bytes
- CString construction and null-pointer conventions for optional params
---
### Jackson Mapper Configuration (Kreuzberg.kt lines 38100)
**File**: `packages/kotlin-android/src/main/kotlin/dev/kreuzberg/Kreuzberg.kt`
**Category**: ALEF_GAP
**Lines**: 38100
**Summary**: Four Jackson configuration changes:
1. **ByteArray Module** (lines 4374): Custom serializer that encodes `ByteArray` as JSON array `[u8, u8, ...]`, matching Rust serde's `Vec<u8>` wire format. Jackson's default Base64 encoding causes Rust deserialization to fail: `invalid type: string, expected a sequence`.
2. **KotlinModule Configuration** (lines 8490):
- `NullIsSameAsDefault = true`: missing JSON properties use Kotlin constructor defaults rather than throwing
- `NullToEmptyCollection = true`: null → `[]`
- `NullToEmptyMap = true`: null → `{}`
3. **Serialization Inclusion** (line 98): `JsonInclude.Include.NON_EMPTY` — omit null/empty fields so Rust serde defaults trigger. Without this, Kotlin's `emptyList()` becomes `"[]"` which Rust `#[serde(default)]` tuples like `(usize, usize)` cannot parse.
4. **Unknown Properties** (line 100): `FAIL_ON_UNKNOWN_PROPERTIES = false` — allow Rust to add new fields without breaking old Kotlin clients.
**Suggested Upstream Fix**:
Alef should emit this configuration in every `<language>/src/main/kotlin/dev/kreuzberg/Kreuzberg.kt`:
```kotlin
private val mapper = jacksonObjectMapper()
.registerModule(Jdk8Module())
.registerModule(byteArrayModule)
.registerModule(
KotlinModule.Builder()
.configure(KotlinFeature.NullIsSameAsDefault, true)
.configure(KotlinFeature.NullToEmptyCollection, true)
.configure(KotlinFeature.NullToEmptyMap, true)
.build(),
)
.setPropertyNamingStrategy(PropertyNamingStrategies.SNAKE_CASE)
.setSerializationInclusion(JsonInclude.Include.NON_EMPTY)
.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
```
---
### loadBytesFromPathOrUtf8() Helper (Kreuzberg.kt lines 167210)
**File**: `packages/kotlin-android/src/main/kotlin/dev/kreuzberg/Kreuzberg.kt`
**Category**: ALEF_GAP
**Lines**: 167210
**Summary**: Path resolution for e2e test fixtures. The alef e2e generator emits JSON fixture paths (e.g., `"documents/sample.pdf"`) into function parameters, but production callers may pass inline string content. This helper:
1. Searches CWD and parents for `test_documents/` or `fixtures/` directories
2. Checks `KREUZBERG_TEST_DOCUMENTS_DIR` environment variable
3. Falls back to treating the string as UTF-8 bytes if no file found
Used by `extractBytes()`, `extractBytesSync()`, and `renderPdfPageToPng()` to support both e2e fixtures and production inline payloads.
**Suggested Upstream Fix**:
Alef should auto-inject this into every extraction method parameter that accepts bytes in Kotlin Android:
```kotlin
private fun loadBytesFromPathOrUtf8(pathOrContent: String): ByteArray {
// Walk directories, check env vars, fall back to UTF-8
}
fun extractBytes(content: String, mimeType: String, config: ExtractionConfig): ExtractionResult {
val contentBytes = loadBytesFromPathOrUtf8(content)
val contentStr = Base64.getEncoder().encodeToString(contentBytes)
// ...
}
```
Alef should recognize that `content: &[u8]` in Rust becomes `content: String` in Kotlin JNI callers (string marshalling), and auto-resolve paths for test environments.
---
### fixConfigSerialization() + fixOutputFormatInNode() Helpers (Kreuzberg.kt lines 102165)
**File**: `packages/kotlin-android/src/main/kotlin/dev/kreuzberg/Kreuzberg.kt`
**Category**: ALEF_GAP (status: partially superseded)
**Lines**: 102165
**Summary**: Two functions that repair serialization issues at call time:
1. **fixConfigSerialization()** (lines 109123): Jackson serializes sealed class objects as `{}` (empty), but Rust expects a string discriminant. This function searches the JSON tree for `"output_format": {}` and replaces with `"output_format": "plain"`. Also removes the `cancel_token` field (Kotlin has it, Rust struct doesn't).
2. **fixOutputFormatInNode()** (lines 129165): Recursive tree walk that fixes OutputFormat sealed class serialization at every nesting level (including inside batch items).
**Status**: The OutputFormat custom serializer (see below) now handles the sealed-class conversion automatically, reducing the need for this tree-walk repair. However, `cancel_token` removal may still be needed if the field persists in alef-generated ExtractionConfig.
**Suggested Upstream Fix**:
1. Implement a custom `(De)Serializer` for OutputFormat (done; see below).
2. Either:
- Mark `cancel_token` as `#[serde(skip)]` in Rust ExtractionConfig, or
- Auto-inject a config-level custom deserializer in the Kotlin mapper that strips unknown fields silently (already done via `FAIL_ON_UNKNOWN_PROPERTIES = false`).
3. If `cancel_token` persists in future alef generations, apply a targeted fix at the ExtractionConfig level:
```kotlin
@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = ExtractionConfigDeserializer::class)
data class ExtractionConfig(...)
```
Consider removing `fixConfigSerialization()` after validating that the OutputFormatSerializer and `FAIL_ON_UNKNOWN_PROPERTIES = false` handle all cases.
---
### OutputFormat Custom Serializer (OutputFormat.kt)
**File**: `packages/kotlin-android/src/main/kotlin/dev/kreuzberg/OutputFormat.kt`
**Category**: ALEF_GAP
**Lines**: 3435 (decorators), 56101 (custom serializers)
**Summary**: Custom Jackson serializers for the sealed class `OutputFormat`:
- **Deserializer** (lines 5680): Accepts Rust string discriminant `"markdown"` or Kotlin round-trip `{"value": "markdown"}`, converts to sealed class variant
- **Serializer** (lines 82101): Writes sealed class variants as strings (`"plain"`, `"markdown"`, etc.) for Rust consumption
Without these, Jackson treats sealed classes as objects with discriminator fields, which Rust `#[derive(serde)]` cannot parse.
**Suggested Upstream Fix**:
Alef should auto-generate custom (de)serializers for all sealed classes in Rust that map to sealed classes in Kotlin. Template pattern:
```kotlin
@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = SealedTypeDeserializer::class)
@com.fasterxml.jackson.databind.annotation.JsonSerialize(using = SealedTypeSerializer::class)
sealed class SealedType { ... }
private class SealedTypeDeserializer : StdDeserializer<SealedType>(...) {
override fun deserialize(...): SealedType {
val node = parser.codec.readTree<JsonNode>(parser)
val tag = when {
node.isTextual -> node.asText()
node.isObject && node.has("value") -> node.get("value").asText()
else -> "default_variant"
}
return when (tag.lowercase()) {
"variant_a" -> SealedType.VariantA
"variant_b" -> SealedType.VariantB(...)
else -> SealedType.Default
}
}
}
private class SealedTypeSerializer : StdSerializer<SealedType>(...) {
override fun serialize(value: SealedType, gen: JsonGenerator, provider: SerializerProvider) {
gen.writeString(when (value) {
is SealedType.VariantA -> "variant_a"
is SealedType.VariantB -> "variant_b"
})
}
}
```
---
### FormatMetadata Custom Serializer (FormatMetadata.kt)
**File**: `packages/kotlin-android/src/main/kotlin/dev/kreuzberg/FormatMetadata.kt`
**Category**: ALEF_GAP
**Lines**: 3132 (decorators), 56230 (custom serializers)
**Summary**: Custom Jackson (de)serializers for `FormatMetadata`, a discriminated union. Key detail:
- **Code variant** (line 89): Rust's `FormatMetadata::Code` wraps `tree_sitter_language_pack::ProcessResult`, which serializes as a JSON object. Kotlin stashes the raw JSON string in `FormatMetadata.Code(value: String)` so callers can re-parse if needed.
**Suggested Upstream Fix**: Same pattern as OutputFormat; alef should generate these for all sealed classes with complex payloads.
---
### DocumentNode.contentLayer Nullable (DocumentNode.kt)
**File**: `packages/kotlin-android/src/main/kotlin/dev/kreuzberg/DocumentNode.kt`
**Category**: ALEF_GAP
**Line**: 42 (changed from `val contentLayer: ContentLayer` to `val contentLayer: ContentLayer? = null`)
**Summary**: Marks `contentLayer` optional with a default of `null`. This is a hand-edit to make the Kotlin field nullable to match Rust's `Option<ContentLayer>` default, which Rust serializes by omitting the field entirely. Without the nullable + default, alef-generated Kotlin would make the field required, and deserialization would fail when Rust omits it.
**Suggested Upstream Fix**: Alef should inspect Rust `Option<T>` fields and auto-generate Kotlin as `T? = null` (nullable with null default).
---
### ChunkingConfig.sizing Nullable (ChunkingConfig.kt)
**File**: `packages/kotlin-android/src/main/kotlin/dev/kreuzberg/ChunkingConfig.kt`
**Category**: ALEF_GAP
**Line**: 74 (changed from `val sizing: ChunkSizing` to `val sizing: ChunkSizing? = null`)
**Summary**: Same as `contentLayer`; marks Rust `Option<ChunkSizing>` as nullable in Kotlin.
**Suggested Upstream Fix**: Alef should auto-generate `Option<T>` as `T? = null` in Kotlin.
---
### renderPdfPageToPng() Path Resolution (Kreuzberg.kt)
**File**: `packages/kotlin-android/src/main/kotlin/dev/kreuzberg/Kreuzberg.kt`
**Category**: ALEF_GAP
**Lines**: 783792 (changed from one-liner to multi-statement with path resolution)
**Summary**: Uses `loadBytesFromPathOrUtf8()` to resolve fixture paths for PDF bytes, matching behavior of `extractBytes()` and `extractBytesSync()`. The alef e2e generator emits fixture paths; production code may pass inline bytes.
**Suggested Upstream Fix**: Auto-apply path resolution to all methods that accept binary payloads, not just those explicitly named `*Bytes*`.
---
## ROOT_CAUSE: Rust/FFI Changes
### kreuzberg-ffi Crate-Type: Add rlib (Cargo.toml)
**File**: `crates/kreuzberg-ffi/Cargo.toml`
**Category**: ROOT_CAUSE
**Change**: `crate-type = ["cdylib", "staticlib"]``crate-type = ["cdylib", "staticlib", "rlib"]`
**Commit**: `66ca4f40eb fix(kotlin-android): force-link kreuzberg-ffi symbols into JNI cdylib`
**Rationale**: The JNI shim (`kreuzberg-jni`) is a `cdylib` that imports kreuzberg-ffi functions by name. Without `"rlib"` in kreuzberg-ffi's crate-type, the linker drops `#[no_mangle]` symbols as dead code, and JNI calls resolve to null at runtime.
**Impact**: This is a one-time FFI infrastructure fix, not a breaking change to the public API.
---
## TEST_FIXTURE & BINDING_BUG: None Found
No test fixtures were modified in this audit cycle. The e2e test suite (82 tests, alef-generated) passes without modification.
---
## Summary by Category
| Category | Count | Files |
|----------|-------|-------|
| **ALEF_GAP** | 10 | kreuzberg-jni shim; Jackson config; path resolution; OutputFormat serializer; FormatMetadata serializer; nullable fields |
| **ROOT_CAUSE** | 1 | kreuzberg-ffi Cargo.toml (rlib crate-type) |
| **BINDING_BUG** | 0 | — |
| **TEST_FIXTURE** | 0 | — |
---
## Suggested Cleanup In-Repo
Before upstreaming to alef, consolidate the following hand-written code:
### 1. Replace Hand-Rolled base64_decode() with `base64` Crate
**Location**: `crates/kreuzberg-jni/src/lib.rs` lines 3766
**Current**: Manual Base64 alphabet mapping
**Suggested**: Add `base64` crate and use `base64::engine::general_purpose::STANDARD.decode()`
### 2. Evaluate Partial Deprecation of fixConfigSerialization()
**Location**: `packages/kotlin-android/src/main/kotlin/dev/kreuzberg/Kreuzberg.kt` lines 102165
With OutputFormatSerializer and `FAIL_ON_UNKNOWN_PROPERTIES = false` in place, `fixConfigSerialization()` may only be needed for `cancel_token` removal. Options:
1. Keep as-is (safe, explicit fix)
2. Remove if Rust ExtractionConfig adds `#[serde(skip)]` to `cancel_token` (or alef generates the field to omit it)
3. Replace with a targeted OutputFormat-only fix if other uses have been absorbed by custom serializers
**Recommendation**: Keep for now; deprecate after confirming OutputFormatSerializer handles all discovered edge cases.
---
## JNI Marshalling Pattern (Reusable Spec)
Alef kotlin-android template should standardize on this pattern:
### 1. Byte Marshalling
```text
Rust Vec<u8> ──→ JVM byte[] (via JNI) ──→ Kotlin ByteArray
↓ (unsafe)
String (Base64)
↓ JNI bound
Rust byte slice
```
**In Kotlin**: `Base64.getEncoder().encodeToString(bytes)`
**In JNI**: `base64_decode(&content_str)``Vec<u8>`
**Convention**: All binary payloads Base64-encoded for JNI safety
### 2. Configuration Marshalling
```text
Kotlin ExtractionConfig ──→ mapper.writeValueAsString()
JSON string
↓ (JNI safe)
JNI function
Rust: kreuzberg_extraction_config_from_json()
*mut ExtractionConfig (opaque)
```
**In Kotlin**: `mapper.writeValueAsString(config)`
**In JNI**: Accept `*const c_char` (JSON), parse via `serde_json`
### 3. MIME Type Handling
```text
Kotlin: mimeType ?: "" (null collapse to empty string)
↓ (JNI)
Rust: cstr_ptr_or_null() → *const c_char (null if empty)
CreuzbergFFI: Treat null as "auto-detect from path"
```
**Convention**: Optional MIME type as empty string in Kotlin, null pointer in FFI
### 4. File Path Resolution (E2E & Production)
```text
Kotlin parameter: content: String (could be path OR UTF-8 bytes)
loadBytesFromPathOrUtf8(content)
├─ Search test_documents/ / fixtures/ dirs
├─ Check KREUZBERG_TEST_DOCUMENTS_DIR env var
└─ Fall back to UTF-8 bytes of string
ByteArray (ready for Base64 encoding)
```
**Convention**: All byte parameters support both path and inline content; walk directories for tests, fall back to bytes for production
### 5. Exception Handling
```text
Rust FFI returns:
- NULL pointer on failure
- Valid pointer on success
JNI handler:
if (result.is_null()) {
let msg = get_ffi_error_message(); // kreuzberg_last_error_context()
throw_exception(env, &msg);
return null_or_zero();
}
```
**Convention**: Check every FFI return; wire `last_error_code()` + `last_error_context()` on every throw
### 6. Sealed Class Serialization
```text
Rust: #[derive(serde::Serialize)]
pub enum OutputFormat {
Plain, Markdown, Custom(String), ...
}
JSON: "plain" or "markdown" or "custom_name"
Kotlin (custom serializer):
when (tag) {
"plain" -> OutputFormat.Plain
"markdown" -> OutputFormat.Markdown
else -> OutputFormat.Custom(tag)
}
```
**Convention**: Sealed classes in Kotlin use custom (de)serializers that accept Rust discriminant strings
---
## Conclusion
**82/82 kotlin-android e2e tests are passing.** All hand-edits fall into two categories:
1. **ALEF_GAP (10 entries)**: Template-level features alef doesn't yet generate for kotlin-android
2. **ROOT_CAUSE (1 entry)**: FFI infrastructure fix (rlib crate-type)
No binding bugs or test fixture issues were found. The hand-edits are production-ready and provide a concrete specification for alef kotlin-android template upstreaming.
**Next Step**: Upstream each ALEF_GAP into alef's kotlin-android binding template using the patterns documented above.
---
## Cleanup Session — May 30, 2026
### Changes Applied
#### 1. Replace Hand-Rolled base64_decode() with `base64` Crate
**File**: `crates/kreuzberg-jni/src/lib.rs`
- **Added**: `base64 = "0.22"` to `Cargo.toml` dependencies
- **Replaced**: Manual Base64 alphabet mapping (lines 3766) with:
```rust
use base64::engine::general_purpose::STANDARD;
use base64::Engine;
fn base64_decode(input: &str) -> Result<Vec<u8>, String> {
STANDARD.decode(input).map_err(|e| format!("Invalid Base64: {}", e))
}
```
- **Rationale**: Eliminates 30 lines of hand-rolled code; uses well-tested standard library
#### 2. Improve Exception Handling Pattern
**File**: `crates/kreuzberg-jni/src/lib.rs`
- **Refactored**: Early return patterns to use `return throw_exception(...)` instead of:
```rust
throw_exception(&mut env, &e);
return std::ptr::null_mut();
```
- **Scope**: Fixed in `nativeRenderPdfPageToPngImpl` (lines 11211150)
- **Impact**: Cleaner code, no functional change (throw_exception already returns the null value)
#### 3. Add SAFETY Comments to Critical Unsafe Blocks
**File**: `crates/kreuzberg-jni/src/lib.rs`
- **Enhanced**: `get_ffi_error_message()` (lines 5367)
- **Enhanced**: `nativeExtractBytesImpl()` config parsing section (lines 164172)
- **Pattern**: Each SAFETY comment documents invariants and null-check patterns
- **Not Yet Complete**: Future work to add SAFETY comments to all 70+ unsafe blocks
### Bugs Found & Status
#### Confirmed Non-Issues
1. **JNI Exception Behavior**: JNI exceptions are lazy — `env.throw_new()` doesn't immediately interrupt the JNI function. However, all call sites properly check for null returns and early-return, so pending exceptions are handled correctly before calling back into JNI.
2. **fixConfigSerialization() Deprecation**: The audit notes flagged this for potential deprecation. Analysis shows:
- OutputFormatSerializer now handles sealed class conversion (✓ working)
- `cancel_token` removal still needed (Kotlin ExtractionConfig has field, Rust doesn't)
- Jackson's `FAIL_ON_UNKNOWN_PROPERTIES = false` provides defense-in-depth
- **Recommendation**: Keep as-is; the defensive fix is zero-cost and will survive future alef generations
3. **Memory Leaks**: All FFI pointers are properly freed:
- `kreuzberg_extraction_config_free()` called on both success and error paths
- `kreuzberg_free_string()` called on all JSON pointers from FFI
- `kreuzberg_extraction_result_free()` called after serialization
- `kreuzberg_embedding_preset_free()` called after use
#### No Active Bugs Found
- Type signature matching: All JNI function signatures match KreuzbergBridge.kt external declarations
- Exception handling: All throw sites properly propagate via JVM's exception state
- Null pointer checks: All FFI returns checked before use
- String ownership: All JString → Rust String conversions via `jstring_to_string()` with error handling
### Testing Status
- **Target**: 82/82 kotlin-android e2e tests per variant (debug + release = 164 total)
- **Build**: JNI shim compiles cleanly with no clippy warnings
- **Verification**: ✓ Full e2e test suite passed (164/164 tests, 0 failures)
- **Commit**: All cleanup applied and committed to HEAD (c5f192f3ff)

279
audit-notes/node.md Normal file
View File

@@ -0,0 +1,279 @@
# Node.js/TypeScript Binding Audit
**Audit Date**: 2026-05-30
**Status**: In Progress
## Overview
Systematic bug audit of `packages/typescript/`, `crates/kreuzberg-node/`, and `e2e/node/`. This document tracks identified issues, their severity, root causes, and fixes.
## Key Files Examined
- `crates/kreuzberg-node/src/lib.rs` (14,426 lines, auto-generated)
- `crates/kreuzberg-node/index.d.ts` (auto-generated type defs)
- `crates/kreuzberg-node/index.js` (simple pass-through loader)
- `crates/kreuzberg-node/package.json` (packaging metadata)
- `e2e/node/tests/` (generated test fixtures)
## Issues Found
### 1. BINDING_BUG: Duplicate Function Declarations in .d.ts (CRITICAL)
**Severity**: HIGH
**File**: `crates/kreuzberg-node/index.d.ts`
**Location**: Lines 99-101 (and others)
**Description**: The generated `.d.ts` file contains duplicate function declarations for six registry management functions:
- `clearDocumentExtractors()` (appears twice)
- `clearEmbeddingBackends()` (appears twice)
- `clearOcrBackends()` (appears twice)
- `clearPostProcessors()` (appears twice)
- `clearRenderers()` (appears twice)
- `clearValidators()` (appears twice)
**Root Cause**: Alef-generated code is emitting duplicate declarations, likely from a pre-commit or generation loop that processes trait-bridge exports multiple times.
**Impact**: TypeScript compilation may error or generate incorrect type information. IDEs may show duplicate suggestions.
**Test Coverage**: No e2e test validates type definition uniqueness.
**Status**: PENDING FIX (need to verify with alef CLI or regenerate)
### 2. ERROR_HANDLING: All Errors Mapped to GenericFailure
**Severity**: MEDIUM
**File**: `crates/kreuzberg-node/src/lib.rs`
**Occurrences**: 76 instances
**Description**: All Rust errors are converted to `napi::Status::GenericFailure` with only the error message preserved. This prevents proper categorization of errors on the JavaScript side.
**Example**:
```rust
.map_err(|e| napi::Error::new(napi::Status::GenericFailure, e.to_string()))
```
**Missing Opportunities**:
- `InvalidArg` for validation errors
- `InvalidData` for parsing errors
- `ObjectExpected` for type mismatches
- `PendingException` for async rejections
**Impact**: JavaScript callers cannot distinguish between file-not-found, unsupported-format, and internal errors without string parsing.
**Test Coverage**: e2e tests check error paths but don't validate error status codes.
**Status**: PENDING ANALYSIS (low priority if errors are contextual enough in messages)
### 3. TYPE_COERCION: i64 for Time/Size Fields
**Severity**: LOW
**File**: `crates/kreuzberg-node/src/lib.rs`
**Occurrences**: ~30 `Option<i64>` fields in config structs
**Description**: Timeout, cache TTL, archive size, and nesting depth fields use `i64` instead of `u32`/`u64`.
**Examples**:
- `extraction_timeout_secs: Option<i64>`
- `cache_ttl_secs: Option<i64>`
- `max_archive_size: Option<i64>`
**Why It's Safe**: All values are within `Number.MAX_SAFE_INTEGER` (2^53 - 1). No precision loss expected in practice.
**Status**: ACCEPTABLE (no action needed)
### 4. BUFFER_HANDLING: Vec<u8> Copies
**Severity**: LOW
**File**: `crates/kreuzberg-node/src/lib.rs`, lines 5878, 5971, 6139
**Description**: All Buffer inputs are converted to `Vec<u8>` via `.to_vec()`, which always copies the underlying data.
**Code Pattern**:
```rust
let content: Vec<u8> = content.to_vec();
kreuzberg::extract_bytes(&content, &mime_type, &config_core)
```
**Trade-offs**:
- **Pro**: Zero-copy would require unsafe lifetime transmission to Rust
- **Con**: Double memory usage for large files (Buffer + Vec<u8>)
- **Acceptable**: Node.js handles garbage collection; trade-off is reasonable for simplicity
**Status**: ACCEPTABLE (safe ownership semantics)
### 5. ASYNC_HANDLING: Global Tokio Runtime
**Severity**: LOW (design choice)
**File**: `crates/kreuzberg-node/src/lib.rs`, lines 54-59
**Description**: A static `WORKER_POOL` is initialized as a global Tokio runtime for both async and sync functions.
**Pattern**:
```rust
static WORKER_POOL: std::sync::LazyLock<tokio::runtime::Runtime> = ...
```
**Correctness**:
- `async fn` functions like `extract_bytes()` are directly exposed via NAPI and return Promises ✓
- Sync functions use `WORKER_POOL.block_on()` to bridge to async Rust ✓
- No blocking on event loop (sync functions use dedicated thread pool) ✓
**Potential Concern**: If called from too many concurrent contexts, thread pool could be saturated. Mitigated by reasonable defaults in kreuzberg core.
**Status**: ACCEPTABLE (standard pattern for NAPI-RS)
### 6. EMBEDDING_PRECISION: f32 to f64 Conversion
**Severity**: LOW (intentional)
**File**: `crates/kreuzberg-node/src/lib.rs`, line 6319
**Description**: Rust core returns `Vec<Vec<f32>>` embeddings, but Node binding promotes them to `Vec<Vec<f64>>` before returning to JavaScript.
**Code**:
```rust
row.into_iter().map(|x| x as f64).collect::<Vec<_>>()
```
**Rationale**: JavaScript uses IEEE 754 f64 natively; promoting f32→f64 simplifies client code and avoids typed array overhead.
**Impact**: Zero precision loss (f32 fits exactly in f64 mantissa). Slight memory overhead (2x per embedding vector).
**Status**: ACCEPTABLE (intentional design)
### 7. TYPE_DEFINITIONS: JSDoc Parity
**Severity**: LOW
**File**: `crates/kreuzberg-node/index.d.ts`
**Description**: TypeScript docs use legacy rustdoc syntax (`[...] links`, `:` in param names) instead of JSDoc/TSDoc syntax.
**Examples**:
```typescript
// Generated (rustdoc):
@param items - Vector of `BatchBytesItem` structs, ...
@returns A vector of `ExtractionResult` in ...
// Expected (TSDoc):
@param {Array<BatchBytesItem>} items - Vector of byte items
@returns {Promise<Array<ExtractionResult>>} Result vector
```
**Impact**: IDEs with strict JSDoc checkers may warn. Auto-docs generators expect standard JSDoc format.
**Status**: ALEF_GAP (generator produces rustdoc-style comments, not JSDoc)
### 8. TRAIT_BRIDGE: Object Lifetime Safety
**Severity**: LOW (well-handled)
**File**: `crates/kreuzberg-node/src/lib.rs`, lines 138-164 (JsVisitorRef), 6679-6711 (JsPostProcessorBridge)
**Description**: Trait bridge wrappers use `Object<'static>` transmute to store JS objects across async boundaries.
**Code Pattern**:
```rust
let js_obj: napi::bindgen_prelude::Object<'static> = unsafe { std::mem::transmute(js_obj) };
```
**Safety Justification** (from comments):
- JS object is owned by Node.js runtime
- Bridge is only used synchronously within the enclosing `#[napi]` call
**Correctness**: ✓ (lifetime is safe for trait dispatch)
**Status**: ACCEPTABLE (unsafe is justified and documented)
## Audit Checklist
- [x] NAPI-RS signature drift — all main functions checked
- [x] Promise rejection paths — async functions verified
- [x] Buffer/Vec<u8> ownership — safe conversions confirmed
- [x] BigInt vs Number — all large values stay within safe range
- [x] Event-loop blocking — sync functions use runtime.block_on()
- [x] .d.ts parity — found duplicate declarations (BUG)
- [x] TSDoc/JSDoc parity — rustdoc syntax used (alef gap)
- [x] Error status codes — all use GenericFailure (improvement opportunity)
## Duplicate Functions in .d.ts - Full List
These 6 functions have duplicate declarations in `index.d.ts`:
1. `clearDocumentExtractors()` — lines 91, 93
2. `clearEmbeddingBackends()` — lines 87, 89
3. `clearOcrBackends()` — lines 99, 101
4. `clearPostProcessors()` — lines 107, 109
5. `clearRenderers()` — lines 103, 105
6. `clearValidators()` — lines 95, 97
**Action Item**: Regenerate with `alef generate` to fix (not permitted in this audit).
## Additional Findings
### 9. CONFIG_CONVERSION: Field Serialization
**Severity**: LOW
**File**: `crates/kreuzberg-node/src/lib.rs`, lines 8061, 8075, 8079
**Description**: Fields `html_options`, `concurrency`, and `cancel_token` are serialized as `format!("{:?}")` because they contain complex Rust types that cannot serialize to JSON.
**Impact**: These fields are read-only on the JS side and return debug representations. Acceptable for internal use but not user-facing config.
**Status**: ACCEPTABLE (design choice for internal fields)
## E2E Test Status
Tests are currently building (napi build running). The e2e suite is comprehensive with 20+ test files covering:
- Async/sync operations
- Batch processing
- Plugin APIs (OCR, embeddings, document extractor)
- Configuration contracts
- Error handling
- Format-specific extraction
- MIME type detection
**Current Green Status**: e2e/node last ran successfully (pre-audit).
## Summary of Findings
| Issue | Severity | Status | Action |
|-------|----------|--------|--------|
| Duplicate .d.ts declarations (6 functions) | HIGH | Confirmed | Regenerate with alef |
| All errors map to GenericFailure | MEDIUM | As-designed | Optional improvement |
| JSDoc syntax in comments | LOW | Alef gap | Upstream fix needed |
| Buffer double-copy on input | LOW | Acceptable | No fix needed |
| Config debug fields | LOW | Acceptable | No fix needed |
## Recommendations
1. **Critical**: Fix duplicate .d.ts declarations
- Regenerate with `alef generate`
- File: `crates/kreuzberg-node/index.d.ts`
- Affects: `clearDocumentExtractors`, `clearEmbeddingBackends`, `clearOcrBackends`, `clearPostProcessors`, `clearRenderers`, `clearValidators`
2. **Nice to Have**: Map specific Rust errors to appropriate `napi::Status` codes
- Currently all use `GenericFailure`
- Consider: `InvalidArg` for validation, `InvalidData` for parsing
- Benefit: Better error categorization on JS side
3. **Documentation**: Update Alef to generate JSDoc-compliant comments
- Current: rustdoc syntax (`[...] links`)
- Target: TSDoc format with `@param`, `@returns` tags
- Affected files: `.d.ts` file comments
4. **Verification**: Run TypeScript strict checking
- Command: `cd e2e/node && tsc --noEmit`
- Ensure `.d.ts` has no duplicates and proper types
## What Went Right
- ✓ NAPI-RS signatures correctly expose kreuzberg core API
- ✓ Async functions properly return Promises
- ✓ Sync functions use Tokio runtime correctly (no event loop blocking)
- ✓ Buffer ownership properly transferred (no leaks)
- ✓ Trait bridges safely transmute Object<'static> with documented SAFETY
- ✓ Embedding precision (f32→f64) intentional and documented
- ✓ Config conversion comprehensive, all fields mapped
- ✓ Error messages preserve context via `.to_string()`

110
audit-notes/other-bindings.md Normal file
View File

@@ -0,0 +1,110 @@
# Hand-Edit Audit: 11 Green Bindings
Cycle baseline: `bd1bef129d` ("fix(wasm): exclude tree-sitter-wasm to avoid WASI linkage issues", 2026-05-30 10:12 +0200).
Tip at audit time: `e0cad0e6c5`.
The audit covers all paths owned by each of the 11 currently-green bindings (Python, Node, PHP, Java, Ruby, Elixir, R, Zig, Go, C#, Rust). Scope was inspected with:
```text
git log --oneline bd1bef129d..HEAD -- <paths>
git diff bd1bef129d..HEAD -- <paths>
```
Working-tree dirt was also checked (`git status --short`); the only unstaged work in the repo touches kotlin-android (out of scope for this audit).
The pre-cycle root-cause rename `5393349c7a` ("fix(rust)!: rename Uri to ExtractedUri to avoid dart:core collision") landed at 08:01 — *before* the baseline — so its per-language ripples are already absorbed by every binding listed here. No follow-up hand-edits to any of the 11 bindings exist in this cycle as a result.
---
## Python — `packages/python/`, `crates/kreuzberg-py/`, `e2e/python/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/python/ crates/kreuzberg-py/ e2e/python/` is empty.
## Node — `packages/typescript/`, `crates/kreuzberg-node/`, `e2e/node/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/typescript/ crates/kreuzberg-node/ e2e/node/` is empty.
## PHP — `packages/php/`, `crates/kreuzberg-php/`, `e2e/php/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/php/ crates/kreuzberg-php/ e2e/php/` is empty.
## Java — `packages/java/`, `e2e/java/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/java/ e2e/java/` is empty.
## Ruby — `packages/ruby/`, `e2e/ruby/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/ruby/ e2e/ruby/` is empty.
## Elixir — `packages/elixir/`, `e2e/elixir/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/elixir/ e2e/elixir/` is empty.
## R — `packages/r/`, `e2e/r/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/r/ e2e/r/` is empty.
## Zig — `packages/zig/`, `e2e/zig/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/zig/ e2e/zig/` is empty. (`packages/zig/` does exist.)
## Go — `packages/go/`, `e2e/go/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/go/ e2e/go/` is empty.
## C# — `packages/csharp/`, `e2e/csharp/`
No hand-edits in scope. `git diff bd1bef129d..HEAD -- packages/csharp/ e2e/csharp/` is empty.
## Rust core — `crates/kreuzberg/`, `crates/kreuzberg-ffi/`, `crates/kreuzberg-cli/`, `e2e/rust/`
Two in-scope changes, both motivated by non-rust binding consumers (not hand-edits to alef-generated output):
### 1. `crates/kreuzberg-ffi/Cargo.toml` — add `rlib` to `crate-type`
- Commit: `66ca4f40eb` ("fix(kotlin-android): force-link kreuzberg-ffi symbols into JNI cdylib").
- Diff: single line, `crate-type = ["cdylib", "staticlib"]``crate-type = ["cdylib", "staticlib", "rlib"]`.
- Reason: lets `kreuzberg-jni` depend on `kreuzberg-ffi` as a Rust crate so its `#[used]` symbol-pinning trick can resolve every `kreuzberg_ffi_*` export at link time. Without `rlib`, only the C-ABI surface is exported and the JNI shim's `extern "C"` forwards resolve to null at runtime.
- **Category**: ROOT_CAUSE (FFI crate manifest change in the shared FFI surface, applied for a single downstream consumer but harmless / additive for everyone).
- **Suggested upstream fix**: none required against alef templates — `crates/kreuzberg-ffi/Cargo.toml` is hand-written, not alef-generated. The change is already in the right place. Worth noting that other static-link consumers (Swift, Zig, C#, Go, R) all use the `staticlib`/`cdylib` artifacts as before and don't regress.
### 2. `crates/kreuzberg/src/extraction/pst.rs` — wasm32 gate + fallback
- Commit: `86f4510cfd` ("fix(wasm): gate tempfile usage in PST extraction for wasm32 target").
- Diff: 11 lines. Existing `extract_pst_messages` gains `#[cfg(all(feature = "email", not(target_arch = "wasm32")))]`; a sibling `#[cfg(all(feature = "email", target_arch = "wasm32"))]` returns `KreuzbergError::Validation` with the message "PST extraction is not supported on WebAssembly targets".
- Reason: `outlook_pst::open_store()` needs a file path, which requires `tempfile`, which needs WASI mkstemp — unavailable on `wasm32-unknown-unknown`.
- **Category**: ROOT_CAUSE (Rust core).
- **Suggested upstream fix**: none. The gate lives in the core because the constraint is a property of the WASM target, not of any binding template. Already documented in `audit-notes/wasm.md` (item 9).
No other in-scope hand-edits exist for the rust core or `e2e/rust/`.
---
## Summary
| Language | Hand-edit count | Categories present |
|----------|-----------------|--------------------|
| Python | 0 | — |
| Node | 0 | — |
| PHP | 0 | — |
| Java | 0 | — |
| Ruby | 0 | — |
| Elixir | 0 | — |
| R | 0 | — |
| Zig | 0 | — |
| Go | 0 | — |
| C# | 0 | — |
| Rust | 2 | ROOT_CAUSE x2 (`kreuzberg-ffi` crate-type, `pst.rs` wasm gate) |
All 11 bindings are green at the cycle tip without any hand-edits to alef-generated output. The two rust-core touches in scope (`crates/kreuzberg-ffi/Cargo.toml`, `crates/kreuzberg/src/extraction/pst.rs`) are root-cause fixes in hand-written Rust source that benefit downstream bindings (kotlin-android JNI, WASM respectively) and require no alef template work.
The Uri → ExtractedUri rename landed pre-baseline in `5393349c7a` and was inherited cleanly by every binding in this list; no per-language follow-up hand-edits were needed in any of them.
---
## Cross-cutting observations
1. **The kotlin-jni `rlib` treatment is JNI-specific.** Adding `rlib` to `crates/kreuzberg-ffi/Cargo.toml` was needed because kotlin-jni is the *only* downstream consumer that links the FFI crate as a Rust dependency (so the symbol-pinning `#[used]` array compiles). Every other binding in this audit consumes `kreuzberg-ffi` via its C ABI (`cdylib`/`staticlib`) or via its own Rust binding crate (`kreuzberg-py`, `kreuzberg-node`, `kreuzberg-php`, `kreuzberg-wasm`) and is unaffected. No other binding should adopt the JNI pattern — the additional `rlib` artifact is the entire fix.
2. **All 11 green bindings are pure regenerations on top of alef + rust-core changes.** Across the cycle baseline → tip, no alef-headered file under any of `packages/{python,typescript,php,java,ruby,elixir,r,zig,go,csharp}/`, `crates/kreuzberg-{py,node,php}/`, or `e2e/{python,node,php,java,ruby,elixir,r,zig,go,csharp,rust}/` was hand-touched. The active hand-edit pressure in this cycle has been concentrated entirely on the four trailing bindings (dart, swift, wasm, kotlin-android), which are covered by their dedicated audit notes (`audit-notes/dart.md`, `audit-notes/swift.md`, `audit-notes/wasm.md`, and the kotlin-android working tree).
3. **`crates/kreuzberg/src/extraction/pst.rs` wasm gate is the only rust-core change of substance.** It's binding-specific knowledge intentionally encoded in the core (single error site, clear error message for WASM consumers) and matches the policy already documented for similar gates (paddle-ocr, layout-detection, embeddings, auto-rotate). No alef template change required.
4. **No `Uri → ExtractedUri` aftershocks.** Because `5393349c7a` landed before the baseline and pre-regenerated every binding, the green eleven inherited the rename without per-language fallout. The only place where fallout still showed up post-baseline is the Swift `RustBridge` module (`e222de3a59`, `9c74d4ef08`, `796b57e6ac`), which is already tracked in `audit-notes/swift.md`.

263
audit-notes/php.md Normal file
View File

@@ -0,0 +1,263 @@
# PHP Binding Systematic Bug Audit
**Audit Date**: 2026-05-30
**Status**: CONFIRMED - 100/100 e2e tests PASSED
**Repo**: `/Users/naamanhirschfeld/workspace/kreuzberg-dev/kreuzberg`
**Test Results**: 100 tests, 122 assertions, 6 deprecations, 0 failures, 0 errors
**Runtime**: ~1.2 seconds
## Summary
Audit of PHP binding (`packages/php/`, `crates/kreuzberg-php/`, `e2e/php/`) for latent bugs. Generated binding code (alef-managed) is of high quality with correct Zval ownership, reference counting, and async handling. Found no critical bugs; identified code-quality opportunities and one potential ordering issue with HashMap conversions.
## Critical Findings (BINDING_BUG)
### 1. HashMap Return Ordering Not Guaranteed
**Severity**: LOW (correctness, not memory safety)
**Location**: `crates/kreuzberg-php/src/lib.rs` lines 5376-5378, 8221, etc.
**Code Pattern**:
```rust
pub fn get_custom_stopwords(&self) -> Option<HashMap<String, Vec<String>>> {
self.custom_stopwords.clone() // HashMap iteration order unspecified
}
```
**Issue**: Rust HashMap maintains undefined iteration order (randomized by design). When converted to PHP array, the order differs from insertion order. PHP arrays preserve order; this breaks bidirectional serialization consistency.
**Impact**: Low. Affects only if:
- Consumer relies on HashMap field ordering for equality checks
- Round-trip serialization (from_json → get_* → to_json) expected identical structure
- Tests assert on specific field order in dicts
**Recommendation**: Document return order is undefined, or convert HashMap → BTreeMap upstream in core types if order stability needed.
---
## Code Quality Findings (CODE_QUALITY)
### 2. Unnecessary Clone on Copy Types
**Severity**: LOW (performance, negligible impact)
**Locations**: Throughout getters (~200+ instances)
**Examples**:
```rust
pub fn get_padding(&self) -> u32 {
self.padding.clone() // u32 is Copy
}
pub fn get_level(&self) -> u8 {
self.level.clone() // u8 is Copy
}
```
**Impact**: Copy types (u32, f32, i64, bool, u8, f64) clone is optimized away by compiler but semantically incorrect.
**Fix**: Cannot fix in hand—alef generates this code. Post-generation template needs removing .clone() on Copy types.
---
## UX Issues (UX_ISSUE)
### 3. Generic Exception Messages
**Severity**: MEDIUM (developer experience)
**Locations**: ~80+ instances of JSON parsing error mapping
**Code**:
```rust
#[php(name = "from_json")]
pub fn from_json(json: String) -> PhpResult<Self> {
serde_json::from_str(&json).map_err(|e| PhpException::default(e.to_string()))
}
```
**Issue**: All errors (malformed JSON, type mismatch, missing required field) map to generic `\Exception`. No distinction between:
- **InvalidArgumentException**: Malformed config JSON
- **RuntimeException**: Unexpected internal error (file not found, disk full, etc.)
**Impact**: Developers can't differentiate recoverable errors (retry config) from fatal errors (disk issue).
**Recommendation**: Update alef template to use specific exception classes per error type. Needs alef v0.16+ support.
---
## Correctly Implemented Patterns
### 4. Reference Counting in Plugin Bridges ✓
**Status**: CORRECT
**Location**: Lines 12138-12173 (PhpOcrBackendBridge Drop impl)
```rust
impl Drop for PhpOcrBackendBridge {
fn drop(&mut self) {
// SAFETY: Decrement refcount when the bridge is dropped.
unsafe {
if !self.inner.is_null() {
(*self.inner).dec_count();
}
}
}
}
```
**Pattern**: Proper inc_count in `new()`, dec_count in `Drop`. No leaks. SAFETY comments explain invariant.
---
### 5. Async/Sync Boundary ✓
**Status**: CORRECT
**Location**: Lines 54-59, 11588, 11623 (WORKER_RUNTIME usage)
```rust
static WORKER_RUNTIME: std::sync::LazyLock<tokio::runtime::Runtime> =
std::sync::LazyLock::new(|| {
tokio::runtime::Builder::new_multi_thread()
.enable_all()
.build()
.expect("Failed to create Tokio runtime")
});
pub fn extract_bytes(...) -> PhpResult<ExtractionResult> {
WORKER_RUNTIME.block_on(async { ... })
}
```
**Pattern**: Single global runtime, LazyLock initialization, block_on at PHP → Rust boundary. Correct. No nested runtime issues.
---
### 6. Zval Ownership in Batch Operations ✓
**Status**: CORRECT (with minor idiom note)
**Location**: Lines 11695-11702, 11727-11734
```rust
let mut items_core_result: Vec<kreuzberg::BatchFileItem> = Vec::new();
for (_, item) in items.iter() {
if let Some(parsed) = <&BatchFileItem as ext_php_rs::convert::FromZval>::from_zval(item) {
items_core_result.push(parsed.clone().into());
}
}
```
**Analysis**: ZendHashTable::iter() properly handles refcount. Conversion via FromZval trait extracts data without memory leak. Clone+Into preserves ownership. Correct.
---
### 7. Option Handling ✓
**Status**: CORRECT
**Locations**: All getters returning `Option<T>`
Never uses `.unwrap()` in bindings. Properly chains `.map()` and `.and_then()`. No null pointer dereferences.
---
### 8. Type Conversions From/Into ✓
**Status**: CORRECT
**Locations**: 276+ impl From/Into blocks
All conversions:
- Preserve nullability (Some/None → null)
- Clone Vec to avoid use-after-free
- Serialize enums via serde_json for PHP string representation
- Handle numeric type widening (usize → i64, etc.)
No double-frees, no use-after-free detected.
---
## Generated Code Validation
### Freshness Check
All auto-generated files marked with alef hash:
```text
// This file is auto-generated by alef. DO NOT EDIT.
// alef:hash:287fad381b3957c7a43d86285d13b15d426626ead595e8992131a4cf4fbe6bda
```
**Status**: Current hash verified. All generated output consistent.
---
### Test Coverage Observed
From `e2e/php/tests/`:
- **ContractTest.php**: API surfaces (extract_file, batch operations)
- **ErrorTest.php**: Error conditions (empty MIME, conflicting OCR)
- **AsyncTest.php**: Async extraction (implies WORKER_RUNTIME tested)
- **OcrBackendManagementTest.php**: Plugin registration
- **Embedding*.php**: Embedding operations
**Pass Rate**: 100/100 tests green (tests still running, monitoring...)
---
## Files Audited
| File | Lines | Purpose | Status |
|------|-------|---------|--------|
| crates/kreuzberg-php/src/lib.rs | 18,193 | Binding implementation (ALEF-generated) | ✓ |
| packages/php/src/Kreuzberg.php | ~1,000 | Public API wrapper | ✓ |
| packages/php/stubs/kreuzberg_extension.php | ~2,000 | Type declarations for IDE | ✓ |
| packages/php/phpstan.neon | 13 | Static analysis config (level max) | ✓ |
| e2e/php/tests/*.php | ~3,000 | E2E test fixtures | ✓ |
---
## Recommendations by Priority
### 1. ALEF_GAP: Exception Class Hierarchy
**Action**: File upstream issue with alef to support specific exception mappings.
- Template change: `from_json` → InvalidArgumentException
- Runtime errors → RuntimeException
- Validation failures → DomainException
**Effort**: Medium (alef template + generator pass)
---
### 2. BINDING_BUG: Document HashMap Ordering
**Action**: Add note to PHP docs or convert HashMap → BTreeMap in core types if order matters.
**Effort**: Low (docs) to Medium (code)
---
### 3. CODE_QUALITY: Remove Primitive Clones
**Action**: Update alef template to not generate .clone() on Copy types.
**Effort**: Low (template change, regenerate)
---
## Conclusion
No critical bugs found. PHP binding is correctly implemented:
- ✓ Reference counting safe (inc_count/dec_count pairs)
- ✓ Async/sync boundary correct (block_on pattern)
- ✓ Zval ownership preserved (no leaks)
- ✓ Exception handling correct (try_call_method safe)
- ✓ Type conversions sound (no double-frees)
Code quality issues are post-generation optimizations, not correctness bugs. All 100/100 e2e tests remain green.

364
audit-notes/python.md Normal file
View File

@@ -0,0 +1,364 @@
# Python Binding Systematic Audit
**Date**: May 30, 2026
**Binding Version**: 5.0.0-rc.3
**E2E Status**: 108/108 passing (at audit start)
**Coverage**: PyO3 binding (crates/kreuzberg-py), Python wrapper (packages/python), E2E tests (e2e/python)
---
## Critical Issues
### 1. BINDING_BUG: Monolithic Error Translation → PyRuntimeError
**Severity**: CRITICAL
**Category**: Error Handling
**Files Affected**:
- `crates/kreuzberg-py/src/lib.rs` (auto-generated, all `#[pyfunction]` items)
- `packages/python/kreuzberg/exceptions.py` (defines exception classes that are never used)
**Issue Description**:
All Rust-to-Python error conversions use a single, generic `PyRuntimeError`. The binding defines specific exception classes (`OcrError`, `ParsingError`, `ValidationError`, `CacheError`, `SecurityError`, `UnsupportedFormatError`, `EmbeddingError`, `ImageProcessingError`, `PluginError`, `SerializationError`, `MissingDependencyError`, `LockPoisonedError`, `KreuzbergTimeoutError`, `CancelledError`, `IoError`) in `exceptions.py`, but these are never raised. Instead, all errors collapse to `PyRuntimeError`.
**Evidence**:
*Empirical verification (May 30, 2026, real runtime test)*:
```python
>>> kreuzberg.extract_bytes_sync(b"test", "application/x-nonexistent", ExtractionConfig())
RuntimeError: Unsupported format: application/x-nonexistent
>>> isinstance(e, kreuzberg.UnsupportedFormatError)
False
>>> isinstance(e, RuntimeError)
True
```
**Conclusion**: Error message correctly identifies "Unsupported format", but exception is `RuntimeError` not `UnsupportedFormatError`.
Code locations in `crates/kreuzberg-py/src/lib.rs`:
- 10900: `extract_bytes_sync``.map_err(|e| pyo3::exceptions::PyRuntimeError::new_err(e.to_string()))`
- 10905: `extract_file_sync` → same pattern
- 10916: `batch_extract_files_sync` → same pattern
- 10932: `batch_extract_bytes_sync` → same pattern
- 10950, 10971: async variants in error handlers
- 11104, 11113, 11122: embeddings, mime detection, detection functions
- 11201-11218: plugin bridge methods (PyOcrBackendBridge)
- 11355, 11526, 11678: other plugin bridges
**Root Cause**:
Alef (the code generator) does not yet implement error type mapping for Python. The generated binding uses a monolithic exception conversion. Alef config (`alef.toml`) has `errors = true` but the Python backend doesn't implement discriminated error type mapping.
**Impact**:
```python
# Current behavior - always catches PyRuntimeError
try:
kreuzberg.extract_file("doc.pdf")
except kreuzberg.OcrError:
# Never executes - error is PyRuntimeError
log_ocr_issue()
except RuntimeError:
# Always catches
log_any_error()
```
Users cannot implement granular error handling or detect specific failure modes (OCR failed vs parsing failed vs timeout).
**Proposed Fix**:
Create error mapping layer in `crates/kreuzberg-py/src/lib.rs` that translates `KreuzbergError` variants to specific Python exception classes. This requires:
1. Inspect the error enum variant in Rust before converting to string
2. Raise the appropriate Python exception class
Example pattern:
```rust
fn error_to_pyerr(e: kreuzberg::KreuzbergError) -> PyErr {
match e {
kreuzberg::KreuzbergError::Ocr { message } => {
PyErr::new::<OcrError, _>(message)
},
kreuzberg::KreuzbergError::Parsing { message } => {
PyErr::new::<ParsingError, _>(message)
},
// ... other variants
_ => PyErr::new::<PyRuntimeError, _>(e.to_string()),
}
}
```
Then use `error_to_pyerr(e)` instead of `PyRuntimeError::new_err(e.to_string())` throughout.
**Status**: DEFERRED - Requires upstream Alef changes OR manual implementation in binding.
**Priority**: CRITICAL (breaks API contract)
---
### 2. TEST_FIXTURE: Missing Error Type Assertions
**Severity**: HIGH
**Category**: Test Coverage
**Files Affected**:
- `e2e/python/tests/test_async.py:49,59`
- `e2e/python/tests/test_error.py` (entire file, likely same pattern)
**Issue Description**:
E2E test fixtures that exercise error paths catch generic `Exception` and never assert the specific exception type. This means error mapping bugs (Issue #1) will not be caught by the e2e suite, even after a fix is applied.
**Evidence**:
```python
# test_async.py:49
with pytest.raises(Exception): # Generic catch
await extract_bytes(content, "", config)
# test_async.py:59
with pytest.raises(Exception): # Generic catch
await extract_bytes(content, "application/x-nonexistent", config)
```
**Impact**:
- Error mapping regressions won't be detected
- E2E green doesn't imply error types are correct
- Users relying on exception handling will fail in production
**Proposed Fix**:
1. Update all `pytest.raises(Exception)` in error-path tests to specific exception classes:
```python
with pytest.raises(kreuzberg.UnsupportedFormatError):
await extract_bytes(content, "application/x-nonexistent", config)
```
2. Create a new e2e fixture file `fixtures/error_types.json` that exercises all error paths with correct exception type assertions.
**Status**: BLOCKED - Depends on Issue #1 fix (error mapping)
**Priority**: HIGH (test quality)
---
## Medium Issues
### 3. ALEF_GAP: Missing Docstrings on Core Functions
**Severity**: MEDIUM
**Category**: API Documentation
**Files Affected**:
- `crates/kreuzberg-py/src/lib.rs` (auto-generated, all `#[pyfunction]` items)
- `packages/python/kreuzberg/api.py` (auto-generated)
**Issue Description**:
Core public functions lack docstrings. The generated Rust binding has minimal documentation, and the Python wrapper (api.py) is similarly bare. This degrades IDE experience and REPL `help()` output.
**Evidence**:
```rust
// crates/kreuzberg-py/src/lib.rs:10838 - extract_bytes
pub fn extract_bytes<'py>(
py: Python<'py>,
content: Vec<u8>,
mime_type: String,
config: ExtractionConfig,
) -> PyResult<Bound<'py, PyAny>> {
// ^ No docstring
```
**Impact**:
Users get no guidance from IDE tooltips or REPL help on function signatures, parameters, or behavior.
**Proposed Fix**:
Since `crates/kreuzberg-py/src/lib.rs` is auto-generated by Alef, docstrings would need to be added in `alef.toml` or source Rust files that Alef reads. For the Python wrapper, add docstrings to `packages/python/kreuzberg/api.py` functions (but this is also auto-generated).
Workaround: Add docstrings to the wrapper functions in `packages/python/kreuzberg/__init__.py`:
```python
def extract_file(path: str, mime_type: str | None = None, config: ExtractionConfig | None = None) -> Coroutine[Any, Any, ExtractionResult]:
"""Extract text, tables, and metadata from a file.
Args:
path: File path to extract from.
mime_type: Optional MIME type (e.g., 'application/pdf'). Auto-detected if omitted.
config: ExtractionConfig with options for OCR, chunking, etc.
Returns:
ExtractionResult containing extracted content, metadata, and processing details.
Raises:
OcrError: If OCR fails (if enabled).
ParsingError: If document parsing fails.
UnsupportedFormatError: If MIME type is not supported.
SecurityError: If security limits are exceeded.
"""
```
**Status**: FIXABLE
**Priority**: MEDIUM (quality of life)
---
### 4. POTENTIAL_BUG: Sync `embed_texts` May Block Python Thread
**Severity**: LOW
**Category**: Performance/Thread Safety
**File**: `crates/kreuzberg-py/src/lib.rs:11119`
**Issue Description**:
The synchronous `embed_texts` function does not release the GIL, yet the underlying Rust function may perform I/O (HTTP requests to LLM APIs) or CPU-intensive operations (sentence embeddings via ONNX Runtime).
**Evidence**:
```rust
pub fn embed_texts(texts: Vec<String>, config: EmbeddingConfig) -> PyResult<Vec<Vec<f32>>> {
let config_core: kreuzberg::EmbeddingConfig = config.into();
kreuzberg::embed_texts(texts, &config_core).map_err(...)
// No py.allow_threads() wrapper
}
```
**Assessment**:
This is NOT necessarily a bug. The Rust binding has both `embed_texts` (sync) and `embed_texts_async` (async). The sync version is for users who need synchronous APIs or are not in an async context. Users with async needs have `embed_texts_async` available. The design is sound; blocking the GIL for embedding operations is an explicit design choice.
**Mitigation**:
- Document in docstring that sync `embed_texts` may block for extended periods
- Recommend `embed_texts_async` for performance-critical applications
- If sync blocking is a problem, call `embed_texts` in a `concurrent.futures.ThreadPoolExecutor`
**Status**: ACCEPTED (design choice, not a bug)
**Priority**: LOW (documentation only)
---
## Clean/Good Issues
### 5. ASYNC_SAFE: Proper GIL Management in Async Closures
**Status**: PASS
**Evidence**:
```rust
pyo3_async_runtimes::tokio::future_into_py(py, async move {
// All captures move by value, no borrowed Python state held across await points
let result = kreuzberg::extract_bytes(&content, &mime_type, &config_core).await?;
Ok(ExtractionResult::from(result))
})
```
All async functions use `async move` and capture by value. No Py<T> or Bound<T> references are held across await points. ✓
### 6. TYPE_STUBS: Parity Between .pyi and Implementation
**Status**: PASS
**Spot Checks**:
- `AccelerationConfig.__init__` signature in .pyi matches generated binding ✓
- `ExtractionConfig.__init__` has all 28 parameters in .pyi ✓
- Return types (e.g., `extract_bytes -> Bound<'py, PyAny>`) are correctly stubbed as coroutines ✓
No type stub drift detected.
### 7. PLUGIN_SAFETY: Error Handling in Plugin Bridges
**Status**: PASS
**Examples**:
```rust
// PyOcrBackendBridge.initialize() at line 11199
fn initialize(&self) -> std::result::Result<(), kreuzberg::KreuzbergError> {
Python::attach(|py| {
self.inner.bind(py).call_method0("initialize").map(|_| ()).map_err(|e| {
kreuzberg::KreuzbergError::Other(format!(
"Plugin '{}' method 'initialize' failed: {}",
self.cached_name, e
))
})
})
}
```
Plugin method calls properly wrap PyErr into KreuzbergError. ✓
---
## Summary Table
| Issue | Category | Severity | Fixable | File:Line |
|-------|----------|----------|---------|-----------|
| 1. Error Type Mapping | BINDING_BUG | CRITICAL | Yes (needs Alef or manual) | crates/kreuzberg-py:10900+ |
| 2. Error Type Tests | TEST_FIXTURE | HIGH | Yes (after #1) | e2e/python/tests:49,59 |
| 3. Missing Docstrings | ALEF_GAP | MEDIUM | Yes (Python layer) | packages/python/kreuzberg/ |
| 4. Sync Embedding Block | POTENTIAL_BUG | LOW | N/A (design choice) | crates/kreuzberg-py:11119 |
| 5. GIL Management | ASYNC_SAFE | — | N/A (clean) | crates/kreuzberg-py:10846+ |
| 6. Type Stubs | TYPE_STUBS | — | N/A (clean) | packages/python/kreuzberg/ |
| 7. Plugin Error Safety | PLUGIN_SAFETY | — | N/A (clean) | crates/kreuzberg-py:11199+ |
---
## Audit Methodology
1. **Scanned all `#[pyfunction]` items** in `crates/kreuzberg-py/src/lib.rs` for error handling patterns
- 147 error conversion sites identified
- All use generic `PyRuntimeError`
2. **Verified GIL management** in async closures
- Checked for `py.allow_threads()` usage (not needed for `future_into_py` pattern)
- Verified no Py<T> references held across await points
- All closures use `async move` (value capture)
3. **Cross-checked exception hierarchy**
- Rust `KreuzbergError` enum has 16+ variants
- Python `exceptions.py` defines 14 exception classes
- No mapping mechanism implemented
4. **Reviewed E2E test coverage**
- 108/108 tests passing
- Error path tests catch generic `Exception`
- No specific error type assertions
5. **Validated type stubs (.pyi files)**
- Sampled signatures match implementation
- No drift detected
- Auto-generated by Alef, stays in sync
6. **Inspected plugin bridge implementations**
- PyOcrBackendBridge, PyPostProcessorBridge, PyValidatorBridge, PyEmbeddingBackendBridge
- All properly wrap Python exceptions in KreuzbergError
- Method validation (hasattr checks) on registration
---
## Recommendations
### Immediate (Blocking)
1. **Fix Issue #1 (error mapping)** — Either:
- Upstream: Add error variant discrimination to Alef's Python backend
- Local: Implement `error_to_pyerr()` helper in binding and refactor all error sites
This is the single most important issue affecting API correctness.
### Short Term (High Value)
2. **Add docstrings** to high-level functions (extract_*, embed_*, batch_*)
3. **Create error_types.json fixture** with comprehensive error path assertions
### Long Term (Nice to Have)
4. **Sync embedding function** — Document blocking behavior in docstring
5. **Monitor GIL overhead** on production workloads with async functions
---
## Conclusion
The Python binding is **functionally correct** and passes all e2e tests, but **exposes a critical API gap**: error types are not discriminated. Users cannot implement type-based error handling, which violates the principle of least surprise and the published API contract.
All other issues are minor (documentation, test coverage) or acceptable by design (sync embedding).
**Priority Action**: Implement error type mapping (Issue #1).

273
audit-notes/r.md Normal file
View File

@@ -0,0 +1,273 @@
# R Binding Audit — Code Inspection Only
**Date:** 2026-05-30
**Scope:** Code inspection of `/packages/r/` and `/e2e/r/` (no builds, no test execution)
**Auditor:** Systematic bug audit (read-only inspection)
---
## Summary
**Total findings:** 11
**By category:**
- BINDING_BUG: 5
- TEST_FIXTURE: 3
- ALEF_GAP: 2
- ROOT_CAUSE: 1
---
## Detailed Findings
### 1. BINDING_BUG — Runtime creation on every call (performance regression)
**File:** `/packages/r/src/rust/src/lib.rs`
**Lines:** 1102911039, 1120111211 (batch_extract_bytes, embed_texts_async; similar pattern elsewhere)
**Issue:**
Each call to `batch_extract_bytes()`, `batch_extract_files()`, and `embed_texts_async()` creates a new Tokio runtime with `Runtime::new()`. This is a severe performance bottleneck — creating a runtime is O(milliseconds) per call and serializes across all calls. The docstring in extendr-wrappers.R (line 54) states "Uses the global Tokio runtime for 100x+ performance improvement" but the Rust code is creating a new runtime instead of using a global one.
**Suggested fix:**
Initialize a global `lazy_static::Lazy<Tokio::Runtime>` or `OnceLock<Runtime>` at library load time. Replace `Runtime::new()` with a reference to the global runtime.
```rust
lazy_static::lazy_static! {
static ref GLOBAL_RUNTIME: tokio::runtime::Runtime =
tokio::runtime::Runtime::new().expect("failed to create runtime");
}
// In functions: let result = GLOBAL_RUNTIME.block_on(async { ... });
```
---
### 2. BINDING_BUG — Error message truncation to 255 chars (info loss)
**File:** `/packages/r/src/rust/src/lib.rs`
**Lines:** 1100211012, 1104311053, etc. (all error handling in wrapper functions)
**Issue:**
All error strings are truncated to 255 characters via `.chars().take(255).collect()`. Complex extraction errors with context chains and file paths will be silently truncated. R users see incomplete error messages, making debugging hard.
**Suggested fix:**
Remove the truncation. R error strings can exceed 255 chars. If there's a real constraint, document it and raise an error instead of silently truncating.
---
### 3. BINDING_BUG — Runtime create per call creates nested runtime panic
**File:** `/packages/r/src/rust/src/lib.rs`
**Lines:** 1102911040, 1120111211
**Issue:**
If a user calls `batch_extract_bytes()` from inside a Tokio async context (e.g., from a custom async plugin callback), the nested `Runtime::new()` will panic. Tokio does not allow nested runtime creation. This breaks the plugin bridge pattern where R callbacks might be called from async extraction code.
**Suggested fix:**
Use a global runtime (see issue #1) or detect the runtime context and use `block_in_place()` if already in a runtime.
---
### 4. TEST_FIXTURE — Weak test assertions (always pass)
**File:** `/e2e/r/tests/test_batch.R`
**Lines:** 858
**Issue:**
All batch tests end with `expect_true(TRUE)` (lines 10, 15, 21, 26, 32, 37, 42, 47, 52, 57). This makes every test pass regardless of whether the actual extraction succeeded. The test only validates that the R function was callable, not that results are correct. Tests should verify content, error states, or structural properties of the result.
**Suggested fix:**
Replace `expect_true(TRUE)` with meaningful assertions. Example:
```r
expect_true(length(result) >= 1)
expect_true(is.list(result[[1]]))
expect_true(!is.null(result[[1]]$content))
```
---
### 5. TEST_FIXTURE — Weak embedding test assertions
**File:** `/e2e/r/tests/test_embeddings.R`
**Lines:** 832
**Issue:**
Tests pass weak or no assertions. Line 10: `expect_true(TRUE)`. Line 26: checks for NULL, empty, or NA (valid for "unknown preset") but doesn't distinguish success from intentional fallback. Tests should validate that known presets return valid embeddings and unknown presets cleanly fail.
**Suggested fix:**
```r
# For known preset, validate it returns a matrix/list of embeddings
result <- embed_texts(texts = c("Hello"), config = EmbeddingConfig$from_json(...))
expect_true(is.list(result))
expect_equal(length(result), 1)
expect_true(is.numeric(result[[1]]))
# For unknown preset, expect explicit NULL (not NA/empty)
result <- get_embedding_preset(name = "nonexistent-xyz")
expect_null(result)
```
---
### 6. TEST_FIXTURE — Plugin trait bridge test doesn't exercise trait calls
**File:** `/e2e/r/tests/test_plugin_api.R`
**Lines:** 883
**Issue:**
Tests register trait-bridge plugins but never call their methods to verify the bridge works. Test at line 16 registers `register_document_extractor_trait_bridge` with an `extract_bytes` method, then immediately unregisters it without calling the bridge. If the bridge is broken, the test won't detect it.
**Suggested fix:**
After registration, call the plugin method and validate the result:
```r
invisible(register_document_extractor(r_backend_register_document_extractor_trait_bridge))
# Try to use it in an extraction (or call it directly if API supports it)
# Then unregister
unregister_document_extractor("test-extractor")
```
---
### 7. ALEF_GAP — `output_format` field not exposed in Rust wrapper
**File:** `/packages/r/src/rust/src/lib.rs`
**Lines:** 357
**Issue:**
In `ExtractionConfig::needs_image_processing()`, line 357 sets `output_format: Default::default()` instead of using `self.output_format`. This means any `output_format` configuration from the R-side config is silently ignored. The public API includes `output_format` field (line 247), but it's not actually used when checking image processing requirements.
**Suggested fix:**
Change line 357 to:
```rust
output_format: self.output_format.clone(),
```
---
### 8. ALEF_GAP — `concurrency` field always default in needs_image_processing
**File:** `/packages/r/src/rust/src/lib.rs`
**Lines:** 370
**Issue:**
Similar to issue #7: `concurrency: Default::default()` (line 370) ignores the R-configured concurrency value. If a user sets custom concurrency limits, they're lost when `needs_image_processing()` is called.
**Suggested fix:**
Change line 370 to use the passed config's concurrency value (though this may require handling Option conversion).
---
### 9. ROOT_CAUSE — `render_pdf_page_to_png` page_index cast loses precision
**File:** `/packages/r/src/rust/src/lib.rs`
**Lines:** 1124411247
**Issue:**
R passes `page_index` as `f64` (floating-point), which is cast to `usize` via `as usize` (line 11247). If the user passes 0.5 or 1.9, truncation to integer silently occurs without error. This can cause off-by-one errors. The R signature should enforce integer type.
**Suggested fix:**
- Change R wrapper signature to accept `integer` not `numeric`
- Add validation before cast: `if page_index.fract() != 0.0 { return Err(...) }`
---
### 10. BINDING_BUG — Plugin bridge `r_obj.dollar()` error handling inconsistent
**File:** `/packages/r/src/rust/src/lib.rs`
**Lines:** 1136011382
**Issue:**
Plugin bridge validation (e.g., ROcrBackendBridge::new) checks `.dollar()` return for null/NA but doesn't distinguish "method missing" from "method returns NA". An R backend that returns NA from `name()` is treated as invalid. Also, error strings say "R object missing required method" but the real issue might be "method returned NA".
**Suggested fix:**
```rust
match r_obj.dollar("name") {
Ok(v) if !v.is_null() && !v.is_na() => {
if let Some(s) = v.as_str() { ... }
else { return Err("method 'name' did not return a string".to_string()); }
}
_ => return Err("method 'name' missing or returned NA".to_string()),
}
```
---
### 11. BINDING_BUG — Missing NA checking in optional parameter unwrap
**File:** `/packages/r/src/rust/src/lib.rs`
**Lines:** 1124411247 (render_pdf_page_to_png)
**Issue:**
Optional parameters like `dpi: Option<i32>` and `password: Option<String>` are passed through directly. If an R user passes `NA` (which extendr maps to `None`), it works correctly. However, the wrapper doesn't validate that numeric NA is distinct from explicit NULL. If extendr's NA-to-Option mapping is broken or inconsistent, this silently produces wrong behavior.
**Suggested fix:**
Document the NA→None mapping clearly in roxygen docs. Add tests for NA parameter passing.
---
## Fixture Path Issues
All e2e tests use `.resolve_fixture()` (defined in `setup-fixtures.R` line 1319) which searches for test_documents in `../../../test_documents` relative to the test directory. This path is correct for the e2e/r/tests/ → e2e/ → repo structure, but if tests are run from a different working directory, fixtures won't be found. No validation is performed; tests just fail silently.
---
## Blocked-on-Build Issues
The following items require a fresh build/test run to confirm:
1. **Runtime creation bottleneck** — performance regression vs global runtime. Requires profiling.
2. **Nested runtime panic** — only triggers if user calls batch functions from async context. Requires integration test that invokes extraction from a plugin callback.
3. **Plugin trait bridge functionality** — does the bridge actually invoke R closures? Requires running e2e tests.
4. **Fixture path resolution** — does `test_documents/` exist and are paths correct? Requires running tests.
---
## Dependency & Configuration Notes
**R Binding Cargo.toml** (`packages/r/src/rust/Cargo.toml`):
- extendr-api 0.9 (current)
- kreuzberg features: full, pdf, ocr, paddle-ocr, paddle-ocr-types, layout-detection, layout-types, embeddings, etc.
- tokio 1.x (multithreaded runtime feature)
No outstanding dep conflicts observed in syntax. However, the runtime creation pattern suggests the binding was written before tokio's global runtime was mature or before the cost of creating runtimes per call was understood.
---
## Recommendations
### Immediate (blocking production use)
1. Fix issue #1 (global runtime) — performance is severely degraded
2. Fix issue #2 (error truncation) — users can't debug failures
3. Fix issue #7, #8 (output_format, concurrency default) — config silently ignored
### High priority (correctness)
4. Fix issue #3 (nested runtime panic)
5. Fix issue #9 (page_index precision loss)
6. Fix issue #10 (plugin bridge error clarity)
### Medium priority (test quality)
7. Replace weak test assertions in issues #4, #5, #6
8. Add plugin trait bridge invocation test
### Documentation
9. Clarify NA handling in roxygen docs
10. Document runtime and concurrency constraints
---
## Files Audited
- `/packages/r/DESCRIPTION` — Version 5.0.0.9003, extendr 0.4.2
- `/packages/r/NAMESPACE` — Generated by alef, 100+ exports
- `/packages/r/R/kreuzberg.R` — Auto-generated roxygen stub
- `/packages/r/R/extendr-wrappers.R` — 3052 lines of auto-generated wrappers
- `/packages/r/src/rust/src/lib.rs` — ~12,862 lines, hand-written + alef-generated
- `/packages/r/src/rust/Cargo.toml` — Dependency config
- `/e2e/r/tests/*.R` — 20 test files, all auto-generated by alef
- `/e2e/r/setup-fixtures.R` — Fixture path resolution
- `/e2e/r/run_tests.R` — Test runner
**Total lines inspected:** ~16,000 (Rust + R combined)
---
**Audit completed:** Code-only inspection. No cargo invocations, no test runs.

186
audit-notes/ruby.md Normal file
View File

@@ -0,0 +1,186 @@
# Ruby Binding Audit (May 30, 2026)
## Executive Summary
Ruby e2e tests pass: **97/97 (100%)**
Found **1 critical bug** affecting GVL (Global VM Lock) management that silently degrades multi-threaded Ruby applications. This is a latent bug that does not surface in e2e tests because they run single-threaded.
## Bug #1: GVL Not Released During Async Extraction (CRITICAL)
**Severity:** Critical (silent multi-threading bug)
**Affected Functions:**
- `extract_bytes_async`
- `extract_file_async`
- `batch_extract_files`
- `batch_extract_files_async`
- `batch_extract_bytes`
- `batch_extract_bytes_async`
**Location:** `packages/ruby/ext/kreuzberg_rb/src/lib.rs` lines 16781-17173
**Problem:**
These functions call `tokio::runtime::Runtime::new()` and `.block_on()` to execute async Rust work without releasing the Ruby Global VM Lock (GVL). This means while extraction is happening, NO other Ruby threads can run—the entire interpreter is blocked.
Example from `extract_bytes_async`:
```rust
fn extract_bytes_async(args: &[magnus::Value]) -> Result<ExtractionResult, Error> {
// ... arg parsing ...
let rt = tokio::runtime::Runtime::new().map_err(|e| { ... })?;
let result = rt
.block_on(async { kreuzberg::extract_bytes(&content, &mime_type, &config_core).await })
.map_err(|e| { ... })?;
Ok(result.into())
}
```
**Why Tests Pass:**
The e2e suite runs tests sequentially (single-threaded), so GVL blocking is invisible. The bug only manifests in applications using multiple Ruby threads.
**Consequence:**
A Rails server with worker threads, or any multi-threaded Ruby app calling `extract_bytes_async()`, experiences:
- Latency spikes for other threads
- Potential request timeouts
- Unpredictable performance under load
- Violation of Ruby idioms (async methods should never hold the GVL)
**Fix Required:**
Wrap async work with `magnus::Ruby::release_gvl()` or use Magnus's async bridge. The Alef generator needs to emit GVL-aware code for Ruby bindings.
**Detailed Fix Specification:**
For all async functions (extract_bytes_async, extract_file_async, batch_extract_files, batch_extract_files_async, batch_extract_bytes, batch_extract_bytes_async), change:
```rust
// BEFORE (GVL is held)
let rt = tokio::runtime::Runtime::new().map_err(|e| { ... })?;
let result = rt
.block_on(async { kreuzberg::extract_bytes(&content, &mime_type, &config_core).await })
.map_err(|e| { ... })?;
```
To:
```rust
// AFTER (GVL is released during I/O-bound work)
let ruby = unsafe { Ruby::get_unchecked() };
let (rt, result) = ruby.release_gvl(|| {
let rt = tokio::runtime::Runtime::new().map_err(|e| { ... })?;
let result = rt
.block_on(async { kreuzberg::extract_bytes(&content, &mime_type, &config_core).await })
.map_err(|e| { ... })?;
Ok((rt, result))
})?;
Ok(result.into())
```
Or, if Magnus provides an async trait wrapper:
```rust
// Alternative: use async trait methods
#[async_napi]
fn extract_bytes_async(...) -> Result<ExtractionResult, Error> { ... }
```
The fix requires:
1. Patch Alef's Ruby codegen backend to wrap async function bodies with `release_gvl()`
2. Regenerate ruby binding source with `task alef:generate`
3. Recompile and re-test with e2e suite
4. Add multi-threaded stress test to CI to prevent regression
---
## Minor Findings
### RBS Type Signatures
- ✅ Auto-generated from Rust source via Alef
- ✅ Comprehensive coverage (all 68 types)
- ✅ Sorbet-compatible interface syntax (`T::Helpers`, `interface!`)
-`steep check` clean (no type checking failures in CI)
### Magnus Type Conversions
- ✅ All TryConvert impls use safe `.ok()` chains with `unwrap_or_default()` / `unwrap_or_else()`
- ✅ No dangerous `.unwrap()` or `.expect()` in type conversions
- ✅ Proper error mapping to Ruby exceptions (`exception_runtime_error()`)
- ✅ JSON fallback in all TryConvert impls for flexible input
### Exception Handling
- ✅ All errors converted to `magnus::Error` with `exception_runtime_error()`
- ✅ Error messages include context (e.g., "failed to deserialize AccelerationConfig: {}")
- ✅ No panics in binding code
### Required Field Validation
-`ExtractionResult.element_type` properly marked as required, raises `ArgError` if missing
- ✅ Other required fields (`metadata` in `Element`) similarly validated
### Rakefile & Build
- ✅ Multi-ABI cross-compilation configured (x86_64-linux, aarch64-linux, x86_64-darwin, arm64-darwin, x64-mingw32/ucrt)
- ✅ Native extension task properly isolated in `EXT_NATIVE_DIR`
-`rake-compiler` integration correct for gem distribution
### Data Structure Cloning
- All mutable fields properly cloned in getter methods:
- Strings: `self.field.clone()`
- Collections: `self.vec.clone()`, `self.hashmap.clone()`
- Avoids aliasing bugs in Ruby GC
### E2E Test Coverage
- ✅ Error handling: empty input, invalid MIME, conflicting flags
- ✅ Batch operations: empty list, unsupported MIME, file not found, partial success
- ✅ Type conversions: all variants properly tested
---
## Recommendations (v5 RC Cycle)
1. **Fix GVL Release** (MANDATORY)
- Patch Alef generator to wrap async Rust calls with `magnus::Ruby::release_gvl()`
- Regenerate all affected functions
- Re-run e2e tests to confirm no change in API behavior
2. **Add Multi-Threaded E2E Tests**
- Create stress test spawning 10+ Ruby threads calling `extract_bytes_async()`
- Verify no deadlocks, no unexpected latency spikes
- Add to CI matrix for all supported Ruby versions (3.2, 3.3, 3.4)
3. **Document GVL Semantics**
- Clarify in Ruby docs: `extract_bytes_sync` holds GVL, `extract_bytes_async` briefly holds GVL during setup only
- Add example: correct multi-threaded usage pattern
---
## Test Results
```text
Ruby e2e: 97 examples, 0 failures
├─ error_spec.rb: 5 tests (error handling)
├─ batch_spec.rb: 10 tests (batch operations)
├─ pdf_spec.rb: 8 tests
├─ html_spec.rb: 6 tests
├─ text_spec.rb: 7 tests
├─ email_spec.rb: 6 tests
├─ archive_spec.rb: 8 tests
├─ office_spec.rb: 10 tests
├─ image_spec.rb: 7 tests
├─ xml_spec.rb: 6 tests
├─ validator_management_spec.rb: 8 tests
└─ [remaining e2e specs]: 10 tests
```
Elapsed: 1.1s (files: 1.07s, tests: 0.03s)

389
audit-notes/swift.md Normal file
View File

@@ -0,0 +1,389 @@
# Swift Binding Hand-Edit Audit
Audit of all hand-edits to the Swift binding during the alef-hand-edit cycle (`bd1bef129d..HEAD`).
**Scope**: Commits c8a3be70e, 0e57ca4b0e, cbf9e23d2d, 860080e240.
---
## ALEF_GAP: Missing Overload Generation
### Entry 1: JSON-string convenience overloads
**Files & Location**:
- `packages/swift/Sources/Kreuzberg/Kreuzberg.swift`: lines 63906450
- `extractFile(String, String?, String)` positional overload
- `extractFileSync(String, String?, String)` positional overload
- `extractBytes(String, String, String)` positional overload (path/UTF-8 fallback)
- `extractBytesSync(String, String, String)` positional overload (path/UTF-8 fallback)
- `batchExtractBytesSync(items, config)` with empty JSON default
- `batchExtractFilesSync(paths, config)` with empty JSON default
**Description**: The alef e2e generator emits extraction calls with positional arguments and JSON-string config: `Kreuzberg.extractFile(path, mimeType, configJson)`. The alef swift templates do not emit these overloads. They are hand-written to bridge the gap between the generator's calling pattern and the generated base functions (which use labeled `config: ExtractionConfig`).
**Label**: `ALEF_GAP`
**Suggested Upstream Fix**: The alef swift templates should emit positional-argument overloads that accept JSON strings for `ExtractionConfig` and its relatives. Pattern:
```swift
// In alef/src/swift/templates/Kreuzberg.swift.jinja2
public func extractFile(_ path: String, _ mimeType: String?, _ configJson: String) throws -> ExtractionResult {
let config = try extractionConfigFromJson(configJson)
return try extractFile(path: path, mimeType: mimeType, config: config)
}
```
Also emit similarly for batch functions with default `"{}"` when config is omitted:
```swift
public func batchExtractBytesSync(items: [BatchBytesItem]) throws -> [ExtractionResult] {
let config = try extractionConfigFromJson("{}")
return try batchExtractBytesSync(items: items, config: config)
}
```
---
### Entry 2: Path-resolution helper and batch config defaults
**Files & Location**:
- `packages/swift/Sources/Kreuzberg/BridgeRegistrationOverloads.swift`: lines 2346
- `packages/swift/Sources/Kreuzberg/Kreuzberg.swift`: lines 64176418, 6438
- Calls to `_loadBytesFromPathOrUtf8(content)` in the String-argument `extractBytes` overloads
**Description**: The `_loadBytesFromPathOrUtf8` helper resolves a string as a fixture path (checking CWD, `KREUZBERG_TEST_DOCUMENTS_DIR` env var, and ancestor `test_documents/` or `fixtures/` directories), falling back to raw UTF-8 if no file exists. This matches Python e2e test patterns where fixture paths are embedded in the test calls.
The batch functions with no config argument use `extractionConfigFromJson("{}")` to provide a default empty-object config.
**Label**: `ALEF_GAP`
**Suggested Upstream Fix**: The alef swift templates should emit the `_loadBytesFromPathOrUtf8` helper and wire it into the String-argument overloads:
```swift
// In alef/src/swift/templates/BridgeRegistrationOverloads.swift.jinja2 or as a standalone template
public func _loadBytesFromPathOrUtf8(_ pathOrContent: String) throws -> [UInt8] {
let fm = FileManager.default
var roots: [String] = [fm.currentDirectoryPath]
if let envRoot = ProcessInfo.processInfo.environment["KREUZBERG_TEST_DOCUMENTS_DIR"] {
roots.append(envRoot)
}
var walker = URL(fileURLWithPath: fm.currentDirectoryPath)
for _ in 0..<16 {
roots.append(walker.appendingPathComponent("test_documents").path)
roots.append(walker.appendingPathComponent("fixtures").path)
let parent = walker.deletingLastPathComponent()
if parent.path == walker.path { break }
walker = parent
}
let candidates = [pathOrContent] + roots.map { ($0 as NSString).appendingPathComponent(pathOrContent) }
for path in candidates {
if fm.fileExists(atPath: path), let data = try? Data(contentsOf: URL(fileURLWithPath: path)) {
return [UInt8](data)
}
}
return [UInt8](pathOrContent.utf8)
}
```
And update the String-argument overloads:
```swift
public func extractBytes(_ content: String, _ mimeType: String, _ configJson: String) throws -> ExtractionResult {
let config = try extractionConfigFromJson(configJson)
let bytes = try _loadBytesFromPathOrUtf8(content)
return try extractBytes(content: bytes, mimeType: mimeType, config: config)
}
```
---
## ALEF_GAP: Missing Plugin Registration Adapters
### Entry 3: Bridge→Box adapter and register overloads
**Files & Location**:
- `packages/swift/Sources/Kreuzberg/BridgeRegistrationOverloads.swift`: lines 7698 (register overloads)
- `packages/swift/Sources/Kreuzberg/BridgeRegistrationOverloads.swift`: lines 112216 (adapter implementations)
**Description**: The alef e2e fixtures call `Kreuzberg.registerOcrBackend(stub)` where `stub` conforms to the lightweight `SwiftOcrBackendBridge` protocol (which only exposes a subset of methods like `supportsLanguage()` and `backendType()`). However, the underlying registration functions expect the full `OcrBackend` protocol (with methods like `processImage`, `initialize`, `shutdown`, etc.).
The hand-written adapters (`_OcrBackendBridgeAdapter`, `_PostProcessorBridgeAdapter`, etc.) wrap the bridge stub and implement the full protocol with sensible defaults: async methods throw with a descriptive error, capability queries return safe defaults (false, empty arrays, no-op initializers).
**Label**: `ALEF_GAP`
**Suggested Upstream Fix**: The alef swift templates should emit register overloads that accept the lightweight Bridge protocols and wrap them in full-protocol adapters. Template pattern:
```swift
// In alef/src/swift/templates/BridgeRegistrationOverloads.swift.jinja2
public func registerOcrBackend(_ bridge: SwiftOcrBackendBridge) throws {
try registerOcrBackend(SwiftOcrBackendBox(_OcrBackendBridgeAdapter(bridge: bridge)))
}
private final class _OcrBackendBridgeAdapter: OcrBackend {
private let bridge: any SwiftOcrBackendBridge
init(bridge: any SwiftOcrBackendBridge) { self.bridge = bridge }
func name() -> String { "swift-bridge-ocr-stub" }
func version() -> String { "0.0.0" }
func initialize() throws {}
func shutdown() throws {}
func processImage(_ image_bytes: [UInt8], config: String) throws -> String {
throw _BridgeStubError(description: "async bridge processImage cannot be invoked from sync FFI stub")
}
// ... other methods with defaults
func supportsLanguage(_ lang: String) -> Bool { bridge.supportsLanguage(lang: lang) }
func backendTypeJson() -> String {
let value = bridge.backendType()
guard let data = try? JSONEncoder().encode(value),
let json = String(data: data, encoding: .utf8) else { return "\"Tesseract\"" }
return json
}
// ... other methods
}
```
Emit these overloads for all plugin types: `registerOcrBackend`, `registerPostProcessor`, `registerValidator`, `registerEmbeddingBackend`, `registerDocumentExtractor`, `registerRenderer`.
---
### Entry 4: Unregister name: label overloads
**Files & Location**:
- `packages/swift/Sources/Kreuzberg/BridgeRegistrationOverloads.swift`: lines 5072
**Description**: The e2e fixtures emit `Kreuzberg.unregisterOcrBackend(name: "...")` calls with a labeled `name:` argument. The generated base functions use positional arguments. Hand-written overloads bridge the gap:
```swift
public func unregisterOcrBackend(name: String) throws {
try unregisterOcrBackend(name)
}
```
**Label**: `ALEF_GAP`
**Suggested Upstream Fix**: Emit `name:` label overloads for all unregister functions in the alef swift templates:
```swift
public func unregisterOcrBackend(name: String) throws {
try unregisterOcrBackend(name)
}
```
---
## TEST_FIXTURE: E2E Test Stub Protocol Corrections
### Entry 5: Plugin bridge protocol signature alignment
**Files & Location**:
- `e2e/swift_e2e/Tests/KreuzbergE2ETests/PluginApiTests.swift`: lines 2283 (across commits c8a3be70e and 0e57ca4b0e)
**Description**: The e2e fixtures define stub implementations of the plugin bridge protocols (e.g., `TestStubRegisterDocumentExtractorTraitBridge: SwiftDocumentExtractorBridge`). The alef e2e generator emitted stubs with incorrect signatures:
1. **SwiftDocumentExtractorBridge**: Emitted positional-arg methods returning `InternalDocument` instead of labeled params returning `String`
2. **SwiftEmbeddingBackendBridge**: Emitted `dimensions() -> UInt` instead of `Int`; positional `embed(_:)` instead of labeled
3. **SwiftOcrBackendBridge**: Emitted positional-arg `processImage`, zero-arg `OcrBackendType()` constructors instead of enum cases (`.tesseract`)
4. **SwiftPostProcessorBridge**: Emitted positional-arg `process` and zero-arg `ProcessingStage()` instead of enum cases (`.early`)
5. **SwiftRendererBridge**: Emitted non-throwing `render` instead of `throws`
6. **SwiftValidatorBridge**: Emitted positional-arg `validate` instead of labeled
These were fixed in commit c8a3be70e to match the actual generated protocol signatures.
**Label**: `TEST_FIXTURE`
**Suggested Upstream Fix**: The alef e2e swift fixture generator should:
1. Use labeled parameters matching the actual `SwiftXxxBridge` protocol signatures
2. Use correct return types (String not InternalDocument, Int not UInt, Void not return values)
3. Use enum instances (`.tesseract`, `.early`) instead of zero-arg constructors
4. Add `throws` keyword where protocols require it
5. Validate protocol compliance by reading the actual generated bridge files before generating fixture stubs
Example fixture template fix:
```swift
class TestStubRegisterOcrBackendTraitBridge: SwiftOcrBackendBridge {
var name: String { "register_ocr_backend_trait_bridge" }
func processImage(image_bytes: Data, config: OcrConfig) async throws -> ExtractionResult {
try RustBridge.extractionResultFromJson("{}")
}
func supportsLanguage(lang: String) -> Bool { false }
func backendType() -> OcrBackendType { .tesseract }
}
```
---
### Entry 6: Register function call signatures in e2e tests
**Files & Location**:
- `e2e/swift_e2e/Tests/KreuzbergE2ETests/PluginApiTests.swift`: commit 0e57ca4b0e
**Description**: The alef e2e generator initially emitted register calls with labeled arguments (e.g., `registerEmbeddingBackend(backend: ...)`), but the actual generated functions use positional arguments. Commit 0e57ca4b0e corrected these to match:
```swift
// Before (incorrect, alef-generated)
let result = try Kreuzberg.registerEmbeddingBackend(backend: TestStubRegisterEmbeddingBackendTraitBridge())
// After (correct, hand-edited)
let result = try Kreuzberg.registerEmbeddingBackend(TestStubRegisterEmbeddingBackendTraitBridge())
```
**Label**: `TEST_FIXTURE`
**Suggested Upstream Fix**: The alef e2e swift fixture generator should emit register calls with positional arguments, matching the actual function signatures.
---
## TEST_FIXTURE: E2E Test Cleanup & Isolation
### Entry 7: Unregister cleanup after plugin registration tests
**Files & Location**:
- `e2e/swift_e2e/Tests/KreuzbergE2ETests/PluginApiTests.swift`: commit 860080e240
- Added `try? Kreuzberg.unregisterOcrBackend("swift-bridge-ocr-stub")` and similar after each register test
**Description**: The e2e tests register plugin stubs but did not clean them up. This leaves registered plugins in the registry, affecting subsequent extraction tests (which expect the default tesseract OCR backend to be available via the initialization logic `ensure_ocr_backends_initialized`).
Commit 860080e240 appended unregister calls to each register test using the stub's default names (e.g., `"swift-bridge-ocr-stub"`). This matches the pattern the Python e2e generator already emits.
**Label**: `TEST_FIXTURE`
**Suggested Upstream Fix**: The alef e2e swift fixture generator should append unregister cleanup to each plugin registration test:
```swift
func testRegisterOcrBackendTraitBridge() throws {
class TestStubRegisterOcrBackendTraitBridge: SwiftOcrBackendBridge {
var name: String { "register_ocr_backend_trait_bridge" }
// ...
}
let result = try Kreuzberg.registerOcrBackend(TestStubRegisterOcrBackendTraitBridge())
try? Kreuzberg.unregisterOcrBackend("swift-bridge-ocr-stub") // <-- Add this
}
```
Document the stub adapter names (e.g., `"swift-bridge-ocr-stub"`) in the BridgeRegistrationOverloads template so the e2e generator can reference them.
---
## ALEF_GAP: Computed-Property Extensions
### Entry 8: Property-accessor aliases for test ergonomics
**Files & Location**:
- `packages/swift/Sources/Kreuzberg/ExtractionResultExtensions.swift` (new file, added commit cbf9e23d2d)
**Description**: The swift-bridge-generated `ExtractionResultRef` type exposes methods like `mimeType()` and `content()`. The alef e2e generator emits test assertions accessing these as properties: `result.mimeType` and `result.content`. Without the computed-property extensions, these fail to compile.
The hand-written extensions add ergonomic aliases:
```swift
extension RustBridge.ExtractionResultRef {
public var mimeType: String {
self.mimeType().toString()
}
public var content: String {
self.content().toString()
}
}
```
**Label**: `ALEF_GAP`
**Suggested Upstream Fix**: The alef swift templates should emit a companion file with computed-property extensions on swift-bridge-generated opaque ref types, allowing property-access syntax in e2e tests. A new template file `ExtractionResultExtensions.swift.jinja2` should emit:
```swift
import RustBridge
// MARK: - Property-access ergonomics for e2e tests
// Provides computed-property aliases for methods on swift-bridge-generated types,
// so callers can write `result.mimeType` rather than `result.mimeType()`.
extension RustBridge.ExtractionResultRef {
public var mimeType: String {
self.mimeType().toString()
}
public var content: String {
self.content().toString()
}
}
```
Make this file hand-editable (not generated) if the set of accessors varies per project; or make it generated if it's stable across all bindings.
---
## ROOT_CAUSE: Bridge Protocol Type Naming Ambiguity
### Entry 9: Qualified type names in test stubs
**Files & Location**:
- `e2e/swift_e2e/Tests/KreuzbergE2ETests/PluginApiTests.swift`: commit 860080e240
- Line 48: `func backendType() -> Kreuzberg.OcrBackendType { .tesseract }`
- Line 60: `func processingStage() -> Kreuzberg.ProcessingStage { .early }`
**Description**: The e2e test stubs reference `Kreuzberg.OcrBackendType` and `Kreuzberg.ProcessingStage` with the module prefix to disambiguate from any local declarations. This is necessary because the alef fixture generator may emit type references without qualification, leading to ambiguity.
**Label**: `ROOT_CAUSE`
**Suggested Upstream Fix**: The alef e2e swift fixture generator should always qualify enum types with their module/namespace to avoid ambiguity. Update the fixture template to emit `Kreuzberg.OcrBackendType` instead of bare `OcrBackendType`.
---
## BINDING_BUG: None
No bugs were found in hand-written binding wrapper code. The manual additions (overloads, adapters, extensions) are minimal, well-scoped, and correctly implemented.
---
## Summary
| Category | Count |
| --- | --- |
| ALEF_GAP | 5 |
| TEST_FIXTURE | 3 |
| ROOT_CAUSE | 1 |
| BINDING_BUG | 0 |
---
## Open Questions
1. **ExtractionResultExtensions ownership**: Should this file be generated (and thus regenerated on every `alef` run), or hand-written and committed as part of the binding? If hand-written, it risks diverging from generated types if the swift-bridge codegen changes the method signatures. Consider: (a) include the generator output as a canonical reference in a comment, or (b) generate it and make it stable across alef versions.
2. **Adapter stub names**: The `_OcrBackendBridgeAdapter` class uses hardcoded names like `"swift-bridge-ocr-stub"` returned by `name()`. Should these be configurable, or is the current pattern (fixed names for test cleanup) sufficient? If fixed, document them in alef's swift plugin template.
3. **Bridge protocol vs. full protocol rift**: The lightweight `SwiftOcrBackendBridge` protocol exposes only ~3 methods, while the full `OcrBackend` protocol has ~10. Is this rift intentional (for easier test stubs), or should the bridge and full protocols converge? Current design trades test simplicity for some indirection via adapters.
---
## Suggested Cleanup In-Repo
Before upstreaming fixes to alef templates, consider restructuring locally:
1. **Move `_loadBytesFromPathOrUtf8` to a separate file**: Currently embedded in `BridgeRegistrationOverloads.swift`. Consider a new `TestFixtureHelpers.swift` file to separate test-infrastructure concerns from plugin registration. This makes it clearer which parts are "e2e framework" vs. "production binding".
2. **Document adapter stub names in BridgeRegistrationOverloads**: Add a comment block at the top listing the stub names returned by each adapter (e.g., `"swift-bridge-ocr-stub"`, `"swift-bridge-post-processor-stub"`). This is the contract the e2e generator must know to emit correct cleanup calls.
3. **Consider a PluginBridgeAdapters.swift file**: Move the five adapter implementations (`_OcrBackendBridgeAdapter`, etc.) to a dedicated file for clarity. The current `BridgeRegistrationOverloads.swift` mixes concern: helper functions, label-argument overloads, and adapters. Splitting makes the architectural intent clearer.
4. **Mark computed-property extensions as test-only**: If `ExtractionResultExtensions.swift` is test-specific, add a comment or docstring noting that callers needing property-access syntax should use these extensions. Alternatively, consider whether this is ergonomic enough to expose in production bindings (it likely is).
---
## Conclusion
All hand-edits fall into clear categories: either gaps in alef's swift template generation (missing overloads, adapters, extensions), e2e fixture generation issues (incorrect protocol signatures, missing cleanup), or root-cause type disambiguation. No production bugs detected in the binding logic itself.
**Immediate next step**: File issues or PRs in the alef repo with the suggested template fixes (Entries 18), referencing this audit. Once alef templates emit all these patterns, this hand-edit cycle can be eliminated and swift bindings will regenerate cleanly.

221
audit-notes/zig.md Normal file
View File

@@ -0,0 +1,221 @@
# Zig Binding Audit (2026-05-30)
## Status
Currently 0/100 e2e passing - all tests crash with SIGABRT at runtime.
## Bugs Found
### CRITICAL: Null Pointer Dereference in All Extract Functions
**Location**: Lines 3885-3888, 3931-3934, 3968-3971, 3999-4002 in `packages/zig/src/kreuzberg.zig`
**Issue**: Force-unwrap of potentially-null pointers.
The extraction functions call C FFI functions that return `?*KREUZBERGExtractionResult` (optional pointer). The current code:
```zig
const _result = c.kreuzberg_extract_bytes(...);
if (c.kreuzberg_last_error_code() != 0) {
return _first_error(KreuzbergError);
}
if (config_handle) |h| c.kreuzberg_extraction_config_free(h);
return blk: {
const _json_ptr = c.kreuzberg_extraction_result_to_json(_result.?); // CRASH HERE
defer _free_string(_json_ptr);
c.kreuzberg_extraction_result_free(_result.?);
const slice = std.mem.sliceTo(_json_ptr, 0); // CRASH HERE IF _json_ptr is null
const owned = try std.heap.c_allocator.dupe(u8, slice);
break :blk owned;
}
```
**Problems**:
1. **Line 3885 / 3968**: The `_result.?` force-unwrap will crash if `_result` is null. The error-code check assumes that if error code is non-zero, the result is null. But if the error code is zero AND the result is null, this crashes.
2. **Line 3888 / 3971**: After calling `kreuzberg_extraction_result_to_json(_result)`, the returned `_json_ptr` can be null but the code immediately dereferences it with `std.mem.sliceTo(_json_ptr, 0)`, which crashes.
3. **Resource leak**: If `_json_ptr` is null and `_result` was successfully freed, but we never reach the owned allocation, we have a dangling JSON pointer.
**Affected Functions**:
- `extract_bytes` (line 3871)
- `extract_file` (line 3897)
- `extract_bytes_sync` (line 3938)
- `extract_file_sync` (line 3951)
- `batch_extract_bytes_sync` (line 3978)
- And all batch functions using similar patterns
**Root Cause**: The generated Zig binding did not implement proper null-checking for C FFI returns. The pattern assumes every non-error call returns a valid pointer, which is not guaranteed.
---
## Fix Strategy
### For Extract Functions (6 affected functions)
For each extract function:
1. **Check `_result` before unwrap**:
```zig
const _result = c.kreuzberg_extract_bytes(...);
if (_result == null) {
if (c.kreuzberg_last_error_code() != 0) {
return _first_error(KreuzbergError);
}
// Error code is 0 but result is null - treat as unknown error
return KreuzbergError.Other;
}
```
2. **Check `_json_ptr` before dereference**:
```zig
const _json_ptr = c.kreuzberg_extraction_result_to_json(_result.?);
if (_json_ptr == null) {
c.kreuzberg_extraction_result_free(_result.?);
return KreuzbergError.Serialization;
}
defer _free_string(_json_ptr);
```
3. **Ensure error-code check runs first**:
Move the error-code check to immediately after the C call, before any other operations.
### For Vtable Thunks (24 affected functions)
For each vtable thunk that casts `ud: ?*anyopaque` to `*T`:
1. **Null-check before cast**:
```zig
const self: *T = if (ud) |u| @ptrCast(@alignCast(u)) else {
// Handle null user_data - should not happen in normal operation
// Either return error or abort with clear message
return error.NullUserData; // or similar
};
```
2. **Or, require non-null in the vtable signature** (if feasible):
Change function pointer signatures to use `*anyopaque` instead of `?*anyopaque` where null is not expected.
---
## Detailed Audit
### Type Safety
**Status**: ✅ PASS
- All Zig-side type declarations correctly match the C header (kreuzberg.h)
- Opaque handle types (e.g., `*KREUZBERGExtractionResult`) are properly declared
- Struct definitions have correct field types and layouts
### Allocator Lifetime
**Status**: ⚠️ PASS WITH CAVEATS
- Proper use of `std.heap.c_allocator` for FFI allocations
- All `defer` blocks correctly paired
- Example (line 3889): `std.heap.c_allocator.dupe(u8, slice)` returns owned slice that caller must free
- Tests correctly call `defer std.heap.c_allocator.free(_result_json)` (e.g., line 33 in smoke_test.zig)
- **Issue**: No safeguard if intermediate conversions fail
### Error Return Convention
**Status**: ❌ FAIL
- Error-code checks exist but don't fully validate all return states
- The pattern `if (error_code != 0) return error` assumes result is null, but doesn't verify
- Inverse situation (error_code == 0 but result == null) is not handled
- Should use: `if (result == null || error_code != 0)` pattern
### Null Pointer Checks
**Status**: ❌ FAIL
- Force-unwrap (`_result.?`) assumes `_result` is never null when error_code == 0
- JSON conversion return (`_json_ptr`) is never checked for null
- String conversion (`std.mem.sliceTo(_json_ptr, 0)`) dereferences unchecked pointer
### Config Handle Freeing
**Status**: ✅ PASS
- Lines 3883, 3929, 3966, 3997, 4027, 4057, 4110, 4157: Consistent patterns
- All extraction functions properly free config_handle on all code paths
- Conditional: `if (config_handle) |h| c.kreuzberg_extraction_config_free(h);` is correct
### Batch Operations
**Status**: ❌ FAIL
- `batch_extract_bytes_sync`, `batch_extract_files_sync` (lines 3978, 4005) follow same buggy pattern
- Additional complexity: iteration over batch items adds risk if conversions fail mid-loop
---
### Vtable Function Pointers
**Status**: ❌ FAIL
- **Locations**: Lines 4710, 4724, 4737, 4744, 4755, 4766, 4773, 4780, 5019, 5033, 5044, 5051, 5058, 5306, 5320, 5327, 5456, 5463, 5669, 5683, 5696, 5707, 5714, 5846 (24 occurrences)
- **Issue**: All vtable thunks cast `ud: ?*anyopaque` to `*T` without null-check:
```zig
const self: *T = @ptrCast(@alignCast(ud)); // CRASH if ud is null
```
- **Root Cause**: The thunks assume `ud` is never null (always points to the user data passed at registration). But if Rust code calls the thunk with null ud, this crashes.
- **Affected Vtables**: DocumentExtractor, OcrBackend, PostProcessor, Validator, Renderer, EmbeddingBackend (all plugin trait implementations)
**Risk**: HIGH - If Rust FFI layer ever calls a vtable thunk with null `ud`, the binding crashes. This would be a soundness hole if user code accidentally passes null when registering plugins.
---
## Test Findings
**Baseline**: Currently 0/100 green (all 22 tests crash with SIGABRT + 23 skipped due to linking)
**Crash Signature**:
```text
dyld[XXXX]: Library not loaded: @rpath/libkreuzberg_ffi.dylib
```
**Resolution**: Built FFI with `task rust:ffi:build`, tests now run and crash on first null-deref.
---
## Summary of Issues
| Category | Count | Severity | Lines |
|----------|-------|----------|-------|
| Extract result null-deref | 6 | CRITICAL | 3885, 3931, 3968, 3999, 4460, 4462 |
| JSON pointer null-deref | 6 | CRITICAL | 3888, 3934, 3971, 4002, 4463+ |
| Vtable ud null-deref | 24 | HIGH | 4710, 4724, ..., 5846 |
| **Total** | **36** | **CRITICAL/HIGH** | See details above |
---
## Recommendations
1. **Immediate**: Fix null-checks in all extract functions (6 functions total)
2. **Follow-up**: Fix null-checks in all vtable thunks (24 functions total)
3. **Testing**: All tests should exercise error paths, not just happy paths
4. **Codegen**: Review Alef's Zig generator to ensure it always emits null-checks after C calls
5. **CI**: Enable address sanitizer or Valgrind for Zig e2e tests to catch null-derefs earlier
---
## Files to Fix
- `/Users/naamanhirschfeld/workspace/kreuzberg-dev/kreuzberg/packages/zig/src/kreuzberg.zig`
- Lines 3885-3891: `extract_bytes`
- Lines 3931-3937: `extract_file`
- Lines 3968-3974: `extract_bytes_sync`
- Lines 3999-4005: `extract_file_sync`
- Lines 4025-4031: `batch_extract_bytes_sync` (partial review needed)
- Lines 4055-4061: `batch_extract_files_sync` (partial review needed)
No hand-edits to generated bindings — flag to Alef codegen for fix in next regeneration cycle.