Menu
Find places where documented API contracts and the implementation diverge
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
| name | audit-contract-drift |
| description | Find places where documented API contracts and the implementation diverge |
| context | fork |
| agent | auditor |
| disable-model-invocation | true |
Most audits read code; this one reads documentation first and then traces each promise to every implementation path that should honor it. The bugs caught here are not concurrency or arithmetic defects — they are quiet contradictions between what the javadoc promises and what the code does.
Build a list of behavioral promises from public API docs, then trace each one to every code path that should honor it.
Sources of contracts to enumerate:
Caffeine.java — every <b>Note:</b> and <b>Warning:</b> block in a
builder method's javadoc. Pay particular attention to:
weakKeys, weakValues, softValues — equality semantics flip to
identity (==) for the configured strengthexpireAfter*, refreshAfterWrite — duration constraints, what
"expired" means at boundariesmaximumSize, maximumWeight — eviction triggering and amortizationremovalListener, evictionListener — when and how notifications fireCache.java, LoadingCache.java, AsyncCache.java, AsyncLoadingCache.java
— javadoc of every method, especially "must", "will", "guarantees",
"for any reason" language.Policy.java — every method's documented behavior.Weigher.java, Expiry.java, RemovalListener.java, RemovalCause.java
— user-facing contracts referenced by the cache.For each contract, record the exact wording, the configurations that activate it, and the set of operations affected.
Then trace each promise through every code path that should honor it:
Cache / LoadingCache / AsyncCacheasMap() view methods (size, isEmpty, containsKey, containsValue,
get, put, remove(k), remove(k,v), replace, compute*, merge,
equals, hashCode)asMap().keySet() / values() / entrySet() — contains, remove,
removeAll, retainAll, removeIf, iterator, spliteratorputAll, getAll, getAllPresent, invalidateAll)AsyncCache.synchronous() round-trip — does the sync view honor the same
contract as the async cache?A path that uses a different equivalence, ordering, or visibility from what the contract promises is a contract drift finding. So is a path that silently downgrades a configuration on round-trip.
Common drift patterns to check explicitly:
weakKeys/weakValues/
softValues promise identity, but view collections that use
o.equals(value) or Collection.contains(value) may apply the user's
equality semantics instead.size, isEmpty,
equals, hashCode, and iterators on the same view.removalListener documented to fire
for any cause, but async paths may drop notifications for null or
exceptional completions.compute(k, (k,v) -> v) is
documented one way but updates timestamps/weight regardless.size() documented as estimate: this is an explicit out — verify it
is actually documented as an estimate everywhere it diverges from logical
presence.synchronous()
view's asMap() may treat in-flight entries inconsistently across query,
mutation, and cardinality methods.Each finding should anchor both sides of the drift — the source of the contract (file + javadoc snippet) and the divergent implementation (file + method) — and include a minimal user-observable scenario where the docs and the code disagree.
Audit the adaptive window hill-climber and region-resize logic for implementation defects (not algorithm quality)
JSR-107 (JCache) spec-conformance audit
Audit explicit state machines (drain status, node lifecycle, async-value lifecycle) for illegal or missed transitions
Heavyweight history-mining bug audit. Walks the caffeine module's git history chronologically (oldest to HEAD), maintains a forward-tracked issue database, and surfaces concerns introduced by past commits that were never resolved. Catches bugs that snapshot mining cannot — half-fixes invisible from current state, latent+trigger pairs across multi-commit interactions, and partial refactors. Slow (model/effort-dependent; ~24h on Opus + max effort) and rare-run (every several months or before a major release).
Differential audit comparing matched code paths that should behave identically. Spawns one auditor per sibling pair (sync/async, bounded/unbounded, view consistency, bulk vs single, generated node variants, read fast vs slow, adapter conformance) and requires a concrete witness scenario where the two paths diverge observably.
Audit exception safety and failure atomicity across all throw sites