mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

chore(orchestrator): Bootstrap Phase 4 tasks + document deferred items

Browse Source 
Parsed remaining medium-severity findings into 12 tasks + verification.
Created docs/deferred-errors.md for MS-MED-006 (CSP) and MS-MED-008 (Valkey SSOT).
Created Gitea issue #347 for Phase 4.
Estimated total: 117K tokens.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-06 13:09:24 -06:00
parent d84730e8e1
commit 89ec509eb9
2 changed files with 103 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
docs/deferred-errors.md Normal file
View File

@@ -0,0 +1,34 @@
# Deferred Errors
Documented per Two-Phase Completion Protocol during Phase 3 Polish.
---
## MS-MED-006: SEC-WEB-16 - Add Content Security Policy Headers
- **File:** `apps/web/next.config.ts`
- **Error:** No Content Security Policy (CSP) headers configured
- **Category:** Architectural
- **Reason:** CSP requires extensive configuration specific to the deployment environment. Inline scripts from Next.js, third-party integrations (Authentik, Ollama), WebSocket connections, and dynamic imports all need careful allowlisting. A misconfigured CSP breaks the application in production. This needs a dedicated effort with staging environment testing.
- **Suggested approach:**
1. Audit all script sources, style sources, connect sources, and frame sources
2. Start with CSP report-only mode to capture violations without blocking
3. Add nonce-based script loading for Next.js inline scripts
4. Configure per-environment CSP (dev permissive, prod strict)
5. Add violation reporting endpoint
- **Risk:** Medium — Mitigated by other security controls (CSRF tokens, XSS sanitization, auth guards). CSP is defense-in-depth.
---
## MS-MED-008: CQ-ORCH-2 - Use Valkey as Single Source of Truth for Sessions
- **File:** `apps/orchestrator/src/spawner/agent-spawner.service.ts:19`
- **Error:** In-memory Map used for sessions alongside Valkey, creating dual source of truth
- **Category:** Architectural
- **Reason:** Migrating from in-memory Map to Valkey-only requires: (1) redesigning the session access pattern to be async everywhere, (2) handling Valkey connection failures gracefully, (3) ensuring atomic read-modify-write for state transitions, (4) updating ~20 call sites that currently access the synchronous Map. The in-memory Map is bounded by CQ-ORCH-1 (session cleanup on terminal states), reducing the unbounded growth risk.
- **Suggested approach:**
1. Add TTL-based expiry to Valkey session keys
2. Implement read-through cache pattern: Map as cache, Valkey as source
3. Add Valkey connection health check before spawn operations
4. Migrate call sites incrementally with feature flag
- **Risk:** Low — Bounded by CQ-ORCH-1 cleanup. Single-instance deployment means no cross-instance consistency issue.

15
docs/tasks.md
View File

@@ -1,7 +1,7 @@
# Tasks # Tasks
| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used |
| ----------- | -------- | --------------------------------------------------------------------- | ----- | ------------ | ------------ | ----------- | ----------- | -------- | -------------------- | -------------------- | -------- | ----- | | ----------- | ----------- | --------------------------------------------------------------------- | ----- | ------------ | ------------ | ----------- | ----------- | -------- | -------------------- | -------------------- | -------- | ----- |
| MS-SEC-001 | done | SEC-ORCH-2: Add authentication to orchestrator API | #337 | orchestrator | fix/security | | MS-SEC-002 | worker-1 | 2026-02-05T15:15:00Z | 2026-02-05T15:25:00Z | 15K | 0.3K | | MS-SEC-001 | done | SEC-ORCH-2: Add authentication to orchestrator API | #337 | orchestrator | fix/security | | MS-SEC-002 | worker-1 | 2026-02-05T15:15:00Z | 2026-02-05T15:25:00Z | 15K | 0.3K |
| MS-SEC-002 | done | SEC-WEB-2: Fix WikiLinkRenderer XSS (sanitize HTML before wiki-links) | #337 | web | fix/security | MS-SEC-001 | MS-SEC-003 | worker-1 | 2026-02-05T15:26:00Z | 2026-02-05T15:35:00Z | 8K | 8.5K | | MS-SEC-002 | done | SEC-WEB-2: Fix WikiLinkRenderer XSS (sanitize HTML before wiki-links) | #337 | web | fix/security | MS-SEC-001 | MS-SEC-003 | worker-1 | 2026-02-05T15:26:00Z | 2026-02-05T15:35:00Z | 8K | 8.5K |
| MS-SEC-003 | done | SEC-ORCH-1: Fix secret scanner error handling (return error state) | #337 | orchestrator | fix/security | MS-SEC-002 | MS-SEC-004 | worker-1 | 2026-02-05T15:36:00Z | 2026-02-05T15:42:00Z | 8K | 18.5K | | MS-SEC-003 | done | SEC-ORCH-1: Fix secret scanner error handling (return error state) | #337 | orchestrator | fix/security | MS-SEC-002 | MS-SEC-004 | worker-1 | 2026-02-05T15:36:00Z | 2026-02-05T15:42:00Z | 8K | 18.5K |
@@ -56,3 +56,16 @@
| MS-MED-007 | done | CQ-API-3: Make activity logging fire-and-forget | #339 | api | fix/medium | MS-MED-006 | MS-MED-008 | worker-1 | 2026-02-05T23:28:00Z | 2026-02-05T23:32:00Z | 8K | 5K | | MS-MED-007 | done | CQ-API-3: Make activity logging fire-and-forget | #339 | api | fix/medium | MS-MED-006 | MS-MED-008 | worker-1 | 2026-02-05T23:28:00Z | 2026-02-05T23:32:00Z | 8K | 5K |
| MS-MED-008 | deferred | CQ-ORCH-2: Use Valkey as single source of truth for sessions | #339 | orchestrator | fix/medium | MS-MED-007 | MS-MED-V01 | | | | 15K | | | MS-MED-008 | deferred | CQ-ORCH-2: Use Valkey as single source of truth for sessions | #339 | orchestrator | fix/medium | MS-MED-007 | MS-MED-V01 | | | | 15K | |
| MS-MED-V01 | done | Phase 3 Verification: Run full quality gates | #339 | all | fix/medium | MS-MED-008 | | worker-1 | 2026-02-05T23:35:00Z | 2026-02-06T00:30:00Z | 5K | 2K | | MS-MED-V01 | done | Phase 3 Verification: Run full quality gates | #339 | all | fix/medium | MS-MED-008 | | worker-1 | 2026-02-05T23:35:00Z | 2026-02-06T00:30:00Z | 5K | 2K |
| MS-P4-001 | not-started | CQ-WEB-2: Fix missing dependency in FilterBar useEffect | #347 | web | fix/security | MS-MED-V01 | MS-P4-002 | | | | 10K | |
| MS-P4-002 | not-started | CQ-WEB-3: Fix race condition in LinkAutocomplete (AbortController) | #347 | web | fix/security | MS-P4-001 | MS-P4-003 | | | | 12K | |
| MS-P4-003 | not-started | SEC-API-17: Block data: URI scheme in markdown renderer | #347 | api | fix/security | MS-P4-002 | MS-P4-004 | | | | 8K | |
| MS-P4-004 | not-started | SEC-API-19+20: Validate brain search length and limit params | #347 | api | fix/security | MS-P4-003 | MS-P4-005 | | | | 8K | |
| MS-P4-005 | not-started | SEC-API-21: Add DTO validation for semantic/hybrid search body | #347 | api | fix/security | MS-P4-004 | MS-P4-006 | | | | 10K | |
| MS-P4-006 | not-started | SEC-API-12: Throw error when CurrentUser decorator has no user | #347 | api | fix/security | MS-P4-005 | MS-P4-007 | | | | 8K | |
| MS-P4-007 | not-started | SEC-ORCH-20: Bind orchestrator to 127.0.0.1, configurable via env | #347 | orchestrator | fix/security | MS-P4-006 | MS-P4-008 | | | | 5K | |
| MS-P4-008 | not-started | SEC-ORCH-22: Validate Docker image tag format before pull | #347 | orchestrator | fix/security | MS-P4-007 | MS-P4-009 | | | | 8K | |
| MS-P4-009 | not-started | CQ-API-7: Fix N+1 query in knowledge tag lookup (use findMany) | #347 | api | fix/security | MS-P4-008 | MS-P4-010 | | | | 8K | |
| MS-P4-010 | not-started | CQ-ORCH-5: Fix TOCTOU race in agent state transitions | #347 | orchestrator | fix/security | MS-P4-009 | MS-P4-011 | | | | 15K | |
| MS-P4-011 | not-started | CQ-ORCH-7: Graceful Docker container shutdown before force remove | #347 | orchestrator | fix/security | MS-P4-010 | MS-P4-012 | | | | 10K | |
| MS-P4-012 | not-started | CQ-ORCH-9: Deduplicate spawn validation logic | #347 | orchestrator | fix/security | MS-P4-011 | MS-P4-V01 | | | | 10K | |
| MS-P4-V01 | not-started | Phase 4 Verification: Run full quality gates | #347 | all | fix/security | MS-P4-012 | | | | | 5K | |