Phase 2: High Priority Security + Infrastructure #338

New Issue

jason.woltje · 2026-02-05T21:12:42Z

jason.woltje commented

2026-02-05 21:12:42 +00:00

Findings (High Severity)

Security - API:

SEC-API-5: OpenAI embedding service initialized with dummy API key
SEC-API-6: Embedding generation failures silently swallowed
SEC-API-7: CSRF token not cryptographically tied to session
SEC-API-8: Rate limiter silently falls back to in-memory
SEC-API-9: AdminGuard uses workspace ownership as admin check
SEC-API-10: Auth route catch-all bypasses guards
SEC-API-11: Federation uses hardcoded default workspace default

Security - Web:

SEC-WEB-3: Missing CSRF token on multiple direct fetch() calls
SEC-WEB-4: Mock data shipped in production code paths
SEC-WEB-5: Silent auth session check failure
SEC-WEB-6: WebSocket token without TLS verification
SEC-WEB-7: KanbanBoard swallows task update errors
SEC-WEB-8: ActiveProjectsWidget silently drops non-OK responses
SEC-WEB-9: QuickCaptureWidget discards user data
SEC-WEB-10: Inconsistent API base URL for knowledge graph
SEC-WEB-11: Dual auth mechanisms (Cookie + Bearer)

Security - Orchestrator/Coordinator:

SEC-ORCH-7: Coordinator loops silently swallow all exceptions
SEC-ORCH-8: Queue file corrupted data silently discarded
SEC-ORCH-9: Environment variable injection via Docker container
SEC-ORCH-10: Docker container not properly isolated
SEC-ORCH-11: No rate limiting on orchestrator API
SEC-ORCH-12: No max concurrent agents enforcement
SEC-ORCH-13: YOLO mode bypasses all quality gates
SEC-ORCH-14: Parser prompt injection via issue body
SEC-ORCH-15: Valkey connection has no authentication by default

Code Quality - Critical/High:

CQ-ORCH-3: KEYS -> SCAN in Valkey
CQ-ORCH-6: N+1 query in listTasks/listAgents
CQ-ORCH-1: Memory leak - agent sessions never cleaned up
CQ-API-1: Memory leak - setTimeout not cleared in WebSocket
CQ-API-2: Memory leak - setInterval not cleared in runner jobs
CQ-WEB-1: Stale closure in useWebSocket hook
CQ-WEB-4: Stale messages in useChat hook

Acceptance Criteria

All high-priority findings remediated
Quality gates passing
No new regressions

## Findings (High Severity) **Security - API:** - SEC-API-5: OpenAI embedding service initialized with dummy API key - SEC-API-6: Embedding generation failures silently swallowed - SEC-API-7: CSRF token not cryptographically tied to session - SEC-API-8: Rate limiter silently falls back to in-memory - SEC-API-9: AdminGuard uses workspace ownership as admin check - SEC-API-10: Auth route catch-all bypasses guards - SEC-API-11: Federation uses hardcoded default workspace default **Security - Web:** - SEC-WEB-3: Missing CSRF token on multiple direct fetch() calls - SEC-WEB-4: Mock data shipped in production code paths - SEC-WEB-5: Silent auth session check failure - SEC-WEB-6: WebSocket token without TLS verification - SEC-WEB-7: KanbanBoard swallows task update errors - SEC-WEB-8: ActiveProjectsWidget silently drops non-OK responses - SEC-WEB-9: QuickCaptureWidget discards user data - SEC-WEB-10: Inconsistent API base URL for knowledge graph - SEC-WEB-11: Dual auth mechanisms (Cookie + Bearer) **Security - Orchestrator/Coordinator:** - SEC-ORCH-7: Coordinator loops silently swallow all exceptions - SEC-ORCH-8: Queue file corrupted data silently discarded - SEC-ORCH-9: Environment variable injection via Docker container - SEC-ORCH-10: Docker container not properly isolated - SEC-ORCH-11: No rate limiting on orchestrator API - SEC-ORCH-12: No max concurrent agents enforcement - SEC-ORCH-13: YOLO mode bypasses all quality gates - SEC-ORCH-14: Parser prompt injection via issue body - SEC-ORCH-15: Valkey connection has no authentication by default **Code Quality - Critical/High:** - CQ-ORCH-3: KEYS -> SCAN in Valkey - CQ-ORCH-6: N+1 query in listTasks/listAgents - CQ-ORCH-1: Memory leak - agent sessions never cleaned up - CQ-API-1: Memory leak - setTimeout not cleared in WebSocket - CQ-API-2: Memory leak - setInterval not cleared in runner jobs - CQ-WEB-1: Stale closure in useWebSocket hook - CQ-WEB-4: Stale messages in useChat hook ## Acceptance Criteria - [ ] All high-priority findings remediated - [ ] Quality gates passing - [ ] No new regressions

jason.woltje added the security label 2026-02-05 21:12:42 +00:00

jason.woltje referenced this issue from a commit

2026-02-05 21:14:00 +00:00

chore(orchestrator): Bootstrap tasks.md from review report

jason.woltje added this to the M6-AgentOrchestration-Fixes milestone 2026-02-05 22:09:45 +00:00

jason.woltje referenced this issue from a commit

2026-02-05 22:38:12 +00:00

fix(#338): Don't instantiate OpenAI client with missing API key

jason.woltje referenced this issue from a commit

2026-02-05 22:38:12 +00:00

fix(#338): Add structured logging for embedding failures

jason.woltje referenced this issue from a commit