chore: upgrade Node.js runtime to v24 across codebase #419
@@ -16,6 +16,160 @@
|
||||
"analysis": "CRITICAL VARIANCE - Investigate. Possible causes: (1) Auth already existed, (2) Task was trivial decorator addition, (3) Reporting error. Need to verify task completion quality.",
|
||||
"flags": ["CRITICAL", "NEEDS_INVESTIGATION"],
|
||||
"captured_at": "2026-02-05T15:30:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-SEC-003",
|
||||
"task_type": "ERROR_HANDLING",
|
||||
"estimate_k": 8,
|
||||
"actual_k": 18.5,
|
||||
"variance_pct": 131,
|
||||
"characteristics": {
|
||||
"file_count": 4,
|
||||
"keywords": ["secret scanner", "error state", "scan result type", "Zod schema"]
|
||||
},
|
||||
"analysis": "CRITICAL VARIANCE - Task required adding new fields to existing type, updating all callers, modifying error messages, comprehensive error path tests. Type interface changes cascade through codebase.",
|
||||
"flags": ["CRITICAL"],
|
||||
"captured_at": "2026-02-05T16:42:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-SEC-006",
|
||||
"task_type": "CONFIG_DEFAULT_CHANGE",
|
||||
"estimate_k": 10,
|
||||
"actual_k": 18,
|
||||
"variance_pct": 80,
|
||||
"characteristics": {
|
||||
"file_count": 3,
|
||||
"keywords": ["Docker sandbox", "default enabled", "security warning", "config test"]
|
||||
},
|
||||
"analysis": "Underestimated test coverage needed. New config test file (8 tests) + security warning tests (2 tests) required more tokens than simple default flip.",
|
||||
"flags": [],
|
||||
"captured_at": "2026-02-05T16:05:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-SEC-010",
|
||||
"task_type": "INPUT_VALIDATION",
|
||||
"estimate_k": 5,
|
||||
"actual_k": 8.5,
|
||||
"variance_pct": 70,
|
||||
"characteristics": {
|
||||
"file_count": 2,
|
||||
"keywords": ["OAuth callback", "error sanitization", "allowlist", "encodeURIComponent"]
|
||||
},
|
||||
"analysis": "Underestimated allowlist complexity. Required 18 OAuth 2.0/OIDC error codes, URL encoding for all params, and 5 comprehensive security tests.",
|
||||
"flags": [],
|
||||
"captured_at": "2026-02-05T16:36:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-SEC-011",
|
||||
"task_type": "CONFIG_EXTERNALIZATION",
|
||||
"estimate_k": 8,
|
||||
"actual_k": 15,
|
||||
"variance_pct": 87.5,
|
||||
"characteristics": {
|
||||
"file_count": 2,
|
||||
"keywords": ["OIDC", "federation", "env vars", "trailing slash normalization"]
|
||||
},
|
||||
"analysis": "Underestimated integration complexity. Required reusing auth.config OIDC vars, handling trailing slash differences between auth config and JWT validation, adding fail-fast logic, and 5 new tests.",
|
||||
"flags": [],
|
||||
"captured_at": "2026-02-05T16:45:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-SEC-012",
|
||||
"task_type": "BUG_FIX_SIMPLE",
|
||||
"estimate_k": 3,
|
||||
"actual_k": 12.5,
|
||||
"variance_pct": 317,
|
||||
"characteristics": {
|
||||
"file_count": 2,
|
||||
"keywords": ["boolean logic", "nullish coalescing", "ReactFlow", "handleDeleteSelected"]
|
||||
},
|
||||
"analysis": "CRITICAL VARIANCE - Estimate was for simple operator change (?? to ||), but task expanded to add 13 comprehensive tests covering all boolean logic scenarios. 'Simple fix' tasks with untested code should include test addition in estimate.",
|
||||
"flags": ["CRITICAL"],
|
||||
"captured_at": "2026-02-05T16:55:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-HIGH-001",
|
||||
"task_type": "NULLABLE_REFACTOR",
|
||||
"estimate_k": 8,
|
||||
"actual_k": 12.5,
|
||||
"variance_pct": 56,
|
||||
"characteristics": {
|
||||
"file_count": 2,
|
||||
"keywords": ["OpenAI", "nullable client", "embedding service", "graceful degradation"]
|
||||
},
|
||||
"analysis": "Making a service client nullable requires updating all call sites with null checks and adding tests for the unconfigured path. Estimate should include caller updates.",
|
||||
"flags": [],
|
||||
"captured_at": "2026-02-05T17:27:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-HIGH-004",
|
||||
"task_type": "OBSERVABILITY_ADD",
|
||||
"estimate_k": 10,
|
||||
"actual_k": 22,
|
||||
"variance_pct": 120,
|
||||
"characteristics": {
|
||||
"file_count": 2,
|
||||
"keywords": ["rate limiter", "fallback", "health check", "degraded mode"]
|
||||
},
|
||||
"analysis": "CRITICAL VARIANCE - Adding observability to a service requires: (1) tracking state variables, (2) new methods for status exposure, (3) integration with health check system, (4) comprehensive test coverage for all states. Estimate 2x for 'add health check' tasks.",
|
||||
"flags": ["CRITICAL"],
|
||||
"captured_at": "2026-02-05T18:02:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-HIGH-006",
|
||||
"task_type": "RATE_LIMITING_ADD",
|
||||
"estimate_k": 8,
|
||||
"actual_k": 25,
|
||||
"variance_pct": 213,
|
||||
"characteristics": {
|
||||
"file_count": 3,
|
||||
"keywords": ["rate limiting", "catch-all route", "IP extraction", "X-Forwarded-For"]
|
||||
},
|
||||
"analysis": "CRITICAL VARIANCE - Adding rate limiting requires: (1) understanding existing throttle infrastructure, (2) IP extraction helpers for proxy setups, (3) new test file for rate limit behavior, (4) Retry-After header testing. Estimate 3x for rate limiting tasks.",
|
||||
"flags": ["CRITICAL"],
|
||||
"captured_at": "2026-02-05T18:22:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-HIGH-007",
|
||||
"task_type": "CONFIG_VALIDATION",
|
||||
"estimate_k": 5,
|
||||
"actual_k": 18,
|
||||
"variance_pct": 260,
|
||||
"characteristics": {
|
||||
"file_count": 4,
|
||||
"keywords": ["UUID validation", "federation", "startup validation", "config file"]
|
||||
},
|
||||
"analysis": "CRITICAL VARIANCE - 'Simple validation' tasks expand to: (1) new config module/file, (2) validation function with edge cases, (3) module init hook integration, (4) updating callers to use new config getter, (5) 18 comprehensive tests. Estimate 3-4x for config validation tasks.",
|
||||
"flags": ["CRITICAL"],
|
||||
"captured_at": "2026-02-05T18:35:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-HIGH-008",
|
||||
"task_type": "SECURITY_REFACTOR",
|
||||
"estimate_k": 12,
|
||||
"actual_k": 25,
|
||||
"variance_pct": 108,
|
||||
"characteristics": {
|
||||
"file_count": 5,
|
||||
"keywords": ["CSRF", "fetch replacement", "API client", "FormData upload"]
|
||||
},
|
||||
"analysis": "CRITICAL VARIANCE - Routing fetch() through API client required: (1) adding new apiPostFormData() method for FormData, (2) finding additional calls not in original finding, (3) updating test mocks to handle CSRF fetches, (4) handling different Content-Type scenarios. Multi-file refactors expand beyond listed files.",
|
||||
"flags": ["CRITICAL"],
|
||||
"captured_at": "2026-02-05T18:50:00Z"
|
||||
},
|
||||
{
|
||||
"task_id": "MS-HIGH-009",
|
||||
"task_type": "FEATURE_GATING",
|
||||
"estimate_k": 10,
|
||||
"actual_k": 30,
|
||||
"variance_pct": 200,
|
||||
"characteristics": {
|
||||
"file_count": 6,
|
||||
"keywords": ["NODE_ENV", "mock data", "Coming Soon component", "environment check"]
|
||||
},
|
||||
"analysis": "CRITICAL VARIANCE - Feature gating requires: (1) creating reusable placeholder component, (2) tests for the component, (3) updating multiple pages, (4) environment-specific logic in each page. Creating reusable UI components adds significant overhead.",
|
||||
"flags": ["CRITICAL"],
|
||||
"captured_at": "2026-02-05T19:05:00Z"
|
||||
}
|
||||
],
|
||||
"phase_summaries": [],
|
||||
|
||||
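Review bot: The `captured_at` for MS-SEC-003 (`2026-02-05T16:42:00Z`) looks like a typo. It sits between an entry captured at 15:30 and MS-SEC-006 at 16:05, and docs/tasks.md in this same change records MS-SEC-003 as completed at `2026-02-05T15:42:00Z`. Please correct it or explain the one-hour gap. Two smaller points on the same entries: `variance_pct` is rounded to an integer everywhere except MS-SEC-011 (`87.5`), so pick one convention. The `CRITICAL` flag appears at 108 and above but not at 80 or 87.5, so the threshold should be documented next to the data. These task-metrics entries are also unrelated to the Node.js v24 upgrade in the title and would be easier to review in their own change.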
103
docs/tasks.md
@@ -1,49 +1,58 @@
|
||||
# Tasks
|
||||
|
||||
| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used |
|
||||
| ----------- | ----------- | --------------------------------------------------------------------- | ----- | ------------ | ------------ | ----------- | ----------- | -------- | -------------------- | ------------ | -------- | ---- |
|
||||
| MS-SEC-001 | in-progress | SEC-ORCH-2: Add authentication to orchestrator API | #337 | orchestrator | fix/security | | MS-SEC-002 | worker-1 | 2026-02-05T15:15:00Z | | 15K | |
|
||||
| MS-SEC-002 | not-started | SEC-WEB-2: Fix WikiLinkRenderer XSS (sanitize HTML before wiki-links) | #337 | web | fix/security | MS-SEC-001 | MS-SEC-003 | | | | 8K | |
|
||||
| MS-SEC-003 | not-started | SEC-ORCH-1: Fix secret scanner error handling (return error state) | #337 | orchestrator | fix/security | MS-SEC-002 | MS-SEC-004 | | | | 8K | |
|
||||
| MS-SEC-004 | not-started | SEC-API-2+3: Fix guards swallowing DB errors (propagate as 500s) | #337 | api | fix/security | MS-SEC-003 | MS-SEC-005 | | | | 10K | |
|
||||
| MS-SEC-005 | not-started | SEC-API-1: Validate OIDC config at startup (fail fast if missing) | #337 | api | fix/security | MS-SEC-004 | MS-SEC-006 | | | | 8K | |
|
||||
| MS-SEC-006 | not-started | SEC-ORCH-3: Enable Docker sandbox by default, warn when disabled | #337 | orchestrator | fix/security | MS-SEC-005 | MS-SEC-007 | | | | 10K | |
|
||||
| MS-SEC-007 | not-started | SEC-ORCH-4: Add auth to inter-service communication (API key) | #337 | orchestrator | fix/security | MS-SEC-006 | MS-SEC-008 | | | | 15K | |
|
||||
| MS-SEC-008 | not-started | SEC-ORCH-5+CQ-ORCH-3: Replace KEYS with SCAN in Valkey client | #337 | orchestrator | fix/security | MS-SEC-007 | MS-SEC-009 | | | | 12K | |
|
||||
| MS-SEC-009 | not-started | SEC-ORCH-6: Add Zod validation for deserialized Redis data | #337 | orchestrator | fix/security | MS-SEC-008 | MS-SEC-010 | | | | 12K | |
|
||||
| MS-SEC-010 | not-started | SEC-WEB-1: Sanitize OAuth callback error parameter | #337 | web | fix/security | MS-SEC-009 | MS-SEC-011 | | | | 5K | |
|
||||
| MS-SEC-011 | not-started | CQ-API-6: Replace hardcoded OIDC values with env vars | #337 | api | fix/security | MS-SEC-010 | MS-SEC-012 | | | | 8K | |
|
||||
| MS-SEC-012 | not-started | CQ-WEB-5: Fix boolean logic bug in ReactFlowEditor | #337 | web | fix/security | MS-SEC-011 | MS-SEC-013 | | | | 3K | |
|
||||
| MS-SEC-013 | not-started | SEC-API-4: Add workspaceId query verification tests | #337 | api | fix/security | MS-SEC-012 | MS-SEC-V01 | | | | 20K | |
|
||||
| MS-SEC-V01 | not-started | Phase 1 Verification: Run full quality gates | #337 | all | fix/security | MS-SEC-013 | MS-HIGH-001 | | | | 5K | |
|
||||
| MS-HIGH-001 | not-started | SEC-API-5: Fix OpenAI embedding service dummy key handling | #338 | api | fix/high | MS-SEC-V01 | MS-HIGH-002 | | | | 8K | |
|
||||
| MS-HIGH-002 | not-started | SEC-API-6: Add structured logging for embedding failures | #338 | api | fix/high | MS-HIGH-001 | MS-HIGH-003 | | | | 8K | |
|
||||
| MS-HIGH-003 | not-started | SEC-API-7: Bind CSRF token to session with HMAC | #338 | api | fix/high | MS-HIGH-002 | MS-HIGH-004 | | | | 12K | |
|
||||
| MS-HIGH-004 | not-started | SEC-API-8: Log ERROR on rate limiter fallback, add health check | #338 | api | fix/high | MS-HIGH-003 | MS-HIGH-005 | | | | 10K | |
|
||||
| MS-HIGH-005 | not-started | SEC-API-9: Implement proper system admin role | #338 | api | fix/high | MS-HIGH-004 | MS-HIGH-006 | | | | 15K | |
|
||||
| MS-HIGH-006 | not-started | SEC-API-10: Add rate limiting to auth catch-all | #338 | api | fix/high | MS-HIGH-005 | MS-HIGH-007 | | | | 8K | |
|
||||
| MS-HIGH-007 | not-started | SEC-API-11: Validate DEFAULT_WORKSPACE_ID as UUID | #338 | api | fix/high | MS-HIGH-006 | MS-HIGH-008 | | | | 5K | |
|
||||
| MS-HIGH-008 | not-started | SEC-WEB-3: Route all fetch() through API client (CSRF) | #338 | web | fix/high | MS-HIGH-007 | MS-HIGH-009 | | | | 12K | |
|
||||
| MS-HIGH-009 | not-started | SEC-WEB-4: Gate mock data behind NODE_ENV check | #338 | web | fix/high | MS-HIGH-008 | MS-HIGH-010 | | | | 10K | |
|
||||
| MS-HIGH-010 | not-started | SEC-WEB-5: Log auth errors, distinguish backend down | #338 | web | fix/high | MS-HIGH-009 | MS-HIGH-011 | | | | 8K | |
|
||||
| MS-HIGH-011 | not-started | SEC-WEB-6: Enforce WSS, add connect_error handling | #338 | web | fix/high | MS-HIGH-010 | MS-HIGH-012 | | | | 8K | |
|
||||
| MS-HIGH-012 | not-started | SEC-WEB-7+CQ-WEB-7: Implement optimistic rollback on Kanban | #338 | web | fix/high | MS-HIGH-011 | MS-HIGH-013 | | | | 12K | |
|
||||
| MS-HIGH-013 | not-started | SEC-WEB-8: Handle non-OK responses in ActiveProjectsWidget | #338 | web | fix/high | MS-HIGH-012 | MS-HIGH-014 | | | | 8K | |
|
||||
| MS-HIGH-014 | not-started | SEC-WEB-9: Disable QuickCaptureWidget with Coming Soon | #338 | web | fix/high | MS-HIGH-013 | MS-HIGH-015 | | | | 5K | |
|
||||
| MS-HIGH-015 | not-started | SEC-WEB-10+11: Standardize API base URL and auth mechanism | #338 | web | fix/high | MS-HIGH-014 | MS-HIGH-016 | | | | 12K | |
|
||||
| MS-HIGH-016 | not-started | SEC-ORCH-7: Add circuit breaker to coordinator loops | #338 | coordinator | fix/high | MS-HIGH-015 | MS-HIGH-017 | | | | 15K | |
|
||||
| MS-HIGH-017 | not-started | SEC-ORCH-8: Log queue corruption, backup file | #338 | coordinator | fix/high | MS-HIGH-016 | MS-HIGH-018 | | | | 10K | |
|
||||
| MS-HIGH-018 | not-started | SEC-ORCH-9: Whitelist allowed env vars in Docker | #338 | orchestrator | fix/high | MS-HIGH-017 | MS-HIGH-019 | | | | 10K | |
|
||||
| MS-HIGH-019 | not-started | SEC-ORCH-10: Add CapDrop, ReadonlyRootfs, PidsLimit | #338 | orchestrator | fix/high | MS-HIGH-018 | MS-HIGH-020 | | | | 12K | |
|
||||
| MS-HIGH-020 | not-started | SEC-ORCH-11: Add rate limiting to orchestrator API | #338 | orchestrator | fix/high | MS-HIGH-019 | MS-HIGH-021 | | | | 10K | |
|
||||
| MS-HIGH-021 | not-started | SEC-ORCH-12: Add max concurrent agents limit | #338 | orchestrator | fix/high | MS-HIGH-020 | MS-HIGH-022 | | | | 8K | |
|
||||
| MS-HIGH-022 | not-started | SEC-ORCH-13: Block YOLO mode in production | #338 | orchestrator | fix/high | MS-HIGH-021 | MS-HIGH-023 | | | | 8K | |
|
||||
| MS-HIGH-023 | not-started | SEC-ORCH-14: Sanitize issue body for prompt injection | #338 | coordinator | fix/high | MS-HIGH-022 | MS-HIGH-024 | | | | 12K | |
|
||||
| MS-HIGH-024 | not-started | SEC-ORCH-15: Warn when VALKEY_PASSWORD not set | #338 | orchestrator | fix/high | MS-HIGH-023 | MS-HIGH-025 | | | | 5K | |
|
||||
| MS-HIGH-025 | not-started | CQ-ORCH-6: Fix N+1 with MGET for batch retrieval | #338 | orchestrator | fix/high | MS-HIGH-024 | MS-HIGH-026 | | | | 10K | |
|
||||
| MS-HIGH-026 | not-started | CQ-ORCH-1: Add session cleanup on terminal states | #338 | orchestrator | fix/high | MS-HIGH-025 | MS-HIGH-027 | | | | 10K | |
|
||||
| MS-HIGH-027 | not-started | CQ-API-1: Fix WebSocket timer leak (clearTimeout in catch) | #338 | api | fix/high | MS-HIGH-026 | MS-HIGH-028 | | | | 8K | |
|
||||
| MS-HIGH-028 | not-started | CQ-API-2: Fix runner jobs interval leak (clearInterval) | #338 | api | fix/high | MS-HIGH-027 | MS-HIGH-029 | | | | 8K | |
|
||||
| MS-HIGH-029 | not-started | CQ-WEB-1: Fix useWebSocket stale closure (use refs) | #338 | web | fix/high | MS-HIGH-028 | MS-HIGH-030 | | | | 10K | |
|
||||
| MS-HIGH-030 | not-started | CQ-WEB-4: Fix useChat stale messages (functional updates) | #338 | web | fix/high | MS-HIGH-029 | MS-HIGH-V01 | | | | 10K | |
|
||||
| MS-HIGH-V01 | not-started | Phase 2 Verification: Run full quality gates | #338 | all | fix/high | MS-HIGH-030 | MS-MED-001 | | | | 5K | |
|
||||
| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used |
|
||||
| ----------- | -------- | --------------------------------------------------------------------- | ----- | ------------ | ------------ | ----------- | ----------- | -------- | -------------------- | -------------------- | -------- | ----- |
|
||||
| MS-SEC-001 | done | SEC-ORCH-2: Add authentication to orchestrator API | #337 | orchestrator | fix/security | | MS-SEC-002 | worker-1 | 2026-02-05T15:15:00Z | 2026-02-05T15:25:00Z | 15K | 0.3K |
|
||||
| MS-SEC-002 | done | SEC-WEB-2: Fix WikiLinkRenderer XSS (sanitize HTML before wiki-links) | #337 | web | fix/security | MS-SEC-001 | MS-SEC-003 | worker-1 | 2026-02-05T15:26:00Z | 2026-02-05T15:35:00Z | 8K | 8.5K |
|
||||
| MS-SEC-003 | done | SEC-ORCH-1: Fix secret scanner error handling (return error state) | #337 | orchestrator | fix/security | MS-SEC-002 | MS-SEC-004 | worker-1 | 2026-02-05T15:36:00Z | 2026-02-05T15:42:00Z | 8K | 18.5K |
|
||||
| MS-SEC-004 | done | SEC-API-2+3: Fix guards swallowing DB errors (propagate as 500s) | #337 | api | fix/security | MS-SEC-003 | MS-SEC-005 | worker-1 | 2026-02-05T15:43:00Z | 2026-02-05T15:50:00Z | 10K | 15K |
|
||||
| MS-SEC-005 | done | SEC-API-1: Validate OIDC config at startup (fail fast if missing) | #337 | api | fix/security | MS-SEC-004 | MS-SEC-006 | worker-1 | 2026-02-05T15:51:00Z | 2026-02-05T15:58:00Z | 8K | 12K |
|
||||
| MS-SEC-006 | done | SEC-ORCH-3: Enable Docker sandbox by default, warn when disabled | #337 | orchestrator | fix/security | MS-SEC-005 | MS-SEC-007 | worker-1 | 2026-02-05T15:59:00Z | 2026-02-05T16:05:00Z | 10K | 18K |
|
||||
| MS-SEC-007 | done | SEC-ORCH-4: Add auth to inter-service communication (API key) | #337 | orchestrator | fix/security | MS-SEC-006 | MS-SEC-008 | worker-1 | 2026-02-05T16:06:00Z | 2026-02-05T16:12:00Z | 15K | 12.5K |
|
||||
| MS-SEC-008 | done | SEC-ORCH-5+CQ-ORCH-3: Replace KEYS with SCAN in Valkey client | #337 | orchestrator | fix/security | MS-SEC-007 | MS-SEC-009 | worker-1 | 2026-02-05T16:13:00Z | 2026-02-05T16:19:00Z | 12K | 12.5K |
|
||||
| MS-SEC-009 | done | SEC-ORCH-6: Add Zod validation for deserialized Redis data | #337 | orchestrator | fix/security | MS-SEC-008 | MS-SEC-010 | worker-1 | 2026-02-05T16:20:00Z | 2026-02-05T16:28:00Z | 12K | 12.5K |
|
||||
| MS-SEC-010 | done | SEC-WEB-1: Sanitize OAuth callback error parameter | #337 | web | fix/security | MS-SEC-009 | MS-SEC-011 | worker-1 | 2026-02-05T16:30:00Z | 2026-02-05T16:36:00Z | 5K | 8.5K |
|
||||
| MS-SEC-011 | done | CQ-API-6: Replace hardcoded OIDC values with env vars | #337 | api | fix/security | MS-SEC-010 | MS-SEC-012 | worker-1 | 2026-02-05T16:37:00Z | 2026-02-05T16:45:00Z | 8K | 15K |
|
||||
| MS-SEC-012 | done | CQ-WEB-5: Fix boolean logic bug in ReactFlowEditor | #337 | web | fix/security | MS-SEC-011 | MS-SEC-013 | worker-1 | 2026-02-05T16:46:00Z | 2026-02-05T16:55:00Z | 3K | 12.5K |
|
||||
| MS-SEC-013 | done | SEC-API-4: Add workspaceId query verification tests | #337 | api | fix/security | MS-SEC-012 | MS-SEC-V01 | worker-1 | 2026-02-05T16:56:00Z | 2026-02-05T17:05:00Z | 20K | 18.5K |
|
||||
| MS-SEC-V01 | done | Phase 1 Verification: Run full quality gates | #337 | all | fix/security | MS-SEC-013 | MS-HIGH-001 | worker-1 | 2026-02-05T17:06:00Z | 2026-02-05T17:18:00Z | 5K | 2K |
|
||||
| MS-HIGH-001 | done | SEC-API-5: Fix OpenAI embedding service dummy key handling | #338 | api | fix/high | MS-SEC-V01 | MS-HIGH-002 | worker-1 | 2026-02-05T17:19:00Z | 2026-02-05T17:27:00Z | 8K | 12.5K |
|
||||
| MS-HIGH-002 | done | SEC-API-6: Add structured logging for embedding failures | #338 | api | fix/high | MS-HIGH-001 | MS-HIGH-003 | worker-1 | 2026-02-05T17:28:00Z | 2026-02-05T17:36:00Z | 8K | 12K |
|
||||
| MS-HIGH-003 | done | SEC-API-7: Bind CSRF token to session with HMAC | #338 | api | fix/high | MS-HIGH-002 | MS-HIGH-004 | worker-1 | 2026-02-05T17:37:00Z | 2026-02-05T17:50:00Z | 12K | 12.5K |
|
||||
| MS-HIGH-004 | done | SEC-API-8: Log ERROR on rate limiter fallback, add health check | #338 | api | fix/high | MS-HIGH-003 | MS-HIGH-005 | worker-1 | 2026-02-05T17:51:00Z | 2026-02-05T18:02:00Z | 10K | 22K |
|
||||
| MS-HIGH-005 | done | SEC-API-9: Implement proper system admin role | #338 | api | fix/high | MS-HIGH-004 | MS-HIGH-006 | worker-1 | 2026-02-05T18:03:00Z | 2026-02-05T18:12:00Z | 15K | 8.5K |
|
||||
| MS-HIGH-006 | done | SEC-API-10: Add rate limiting to auth catch-all | #338 | api | fix/high | MS-HIGH-005 | MS-HIGH-007 | worker-1 | 2026-02-05T18:13:00Z | 2026-02-05T18:22:00Z | 8K | 25K |
|
||||
| MS-HIGH-007 | done | SEC-API-11: Validate DEFAULT_WORKSPACE_ID as UUID | #338 | api | fix/high | MS-HIGH-006 | MS-HIGH-008 | worker-1 | 2026-02-05T18:23:00Z | 2026-02-05T18:35:00Z | 5K | 18K |
|
||||
| MS-HIGH-008 | done | SEC-WEB-3: Route all fetch() through API client (CSRF) | #338 | web | fix/high | MS-HIGH-007 | MS-HIGH-009 | worker-1 | 2026-02-05T18:36:00Z | 2026-02-05T18:50:00Z | 12K | 25K |
|
||||
| MS-HIGH-009 | done | SEC-WEB-4: Gate mock data behind NODE_ENV check | #338 | web | fix/high | MS-HIGH-008 | MS-HIGH-010 | worker-1 | 2026-02-05T18:51:00Z | 2026-02-05T19:05:00Z | 10K | 30K |
|
||||
| MS-HIGH-010 | done | SEC-WEB-5: Log auth errors, distinguish backend down | #338 | web | fix/high | MS-HIGH-009 | MS-HIGH-011 | worker-1 | 2026-02-05T19:06:00Z | 2026-02-05T19:18:00Z | 8K | 12.5K |
|
||||
| MS-HIGH-011 | done | SEC-WEB-6: Enforce WSS, add connect_error handling | #338 | web | fix/high | MS-HIGH-010 | MS-HIGH-012 | worker-1 | 2026-02-05T19:19:00Z | 2026-02-05T19:32:00Z | 8K | 15K |
|
||||
| MS-HIGH-012 | done | SEC-WEB-7+CQ-WEB-7: Implement optimistic rollback on Kanban | #338 | web | fix/high | MS-HIGH-011 | MS-HIGH-013 | worker-1 | 2026-02-05T19:33:00Z | 2026-02-05T19:55:00Z | 12K | 35K |
|
||||
| MS-HIGH-013 | done | SEC-WEB-8: Handle non-OK responses in ActiveProjectsWidget | #338 | web | fix/high | MS-HIGH-012 | MS-HIGH-014 | worker-1 | 2026-02-05T19:56:00Z | 2026-02-05T20:05:00Z | 8K | 18.5K |
|
||||
| MS-HIGH-014 | done | SEC-WEB-9: Disable QuickCaptureWidget with Coming Soon | #338 | web | fix/high | MS-HIGH-013 | MS-HIGH-015 | worker-1 | 2026-02-05T20:06:00Z | 2026-02-05T20:18:00Z | 5K | 12.5K |
|
||||
| MS-HIGH-015 | done | SEC-WEB-10+11: Standardize API base URL and auth mechanism | #338 | web | fix/high | MS-HIGH-014 | MS-HIGH-016 | worker-1 | 2026-02-05T20:19:00Z | 2026-02-05T20:30:00Z | 12K | 8.5K |
|
||||
| MS-HIGH-016 | done | SEC-ORCH-7: Add circuit breaker to coordinator loops | #338 | coordinator | fix/high | MS-HIGH-015 | MS-HIGH-017 | worker-1 | 2026-02-05T20:31:00Z | 2026-02-05T20:42:00Z | 15K | 18.5K |
|
||||
| MS-HIGH-017 | done | SEC-ORCH-8: Log queue corruption, backup file | #338 | coordinator | fix/high | MS-HIGH-016 | MS-HIGH-018 | worker-1 | 2026-02-05T20:43:00Z | 2026-02-05T20:50:00Z | 10K | 12.5K |
|
||||
| MS-HIGH-018 | done | SEC-ORCH-9: Whitelist allowed env vars in Docker | #338 | orchestrator | fix/high | MS-HIGH-017 | MS-HIGH-019 | worker-1 | 2026-02-05T20:51:00Z | 2026-02-05T21:00:00Z | 10K | 32K |
|
||||
| MS-HIGH-019 | done | SEC-ORCH-10: Add CapDrop, ReadonlyRootfs, PidsLimit | #338 | orchestrator | fix/high | MS-HIGH-018 | MS-HIGH-020 | worker-1 | 2026-02-05T21:01:00Z | 2026-02-05T21:10:00Z | 12K | 25K |
|
||||
| MS-HIGH-020 | done | SEC-ORCH-11: Add rate limiting to orchestrator API | #338 | orchestrator | fix/high | MS-HIGH-019 | MS-HIGH-021 | worker-1 | 2026-02-05T21:11:00Z | 2026-02-05T21:20:00Z | 10K | 12.5K |
|
||||
| MS-HIGH-021 | done | SEC-ORCH-12: Add max concurrent agents limit | #338 | orchestrator | fix/high | MS-HIGH-020 | MS-HIGH-022 | worker-1 | 2026-02-05T21:21:00Z | 2026-02-05T21:28:00Z | 8K | 12.5K |
|
||||
| MS-HIGH-022 | done | SEC-ORCH-13: Block YOLO mode in production | #338 | orchestrator | fix/high | MS-HIGH-021 | MS-HIGH-023 | worker-1 | 2026-02-05T21:29:00Z | 2026-02-05T21:35:00Z | 8K | 12K |
|
||||
| MS-HIGH-023 | done | SEC-ORCH-14: Sanitize issue body for prompt injection | #338 | coordinator | fix/high | MS-HIGH-022 | MS-HIGH-024 | worker-1 | 2026-02-05T21:36:00Z | 2026-02-05T21:42:00Z | 12K | 12.5K |
|
||||
| MS-HIGH-024 | done | SEC-ORCH-15: Warn when VALKEY_PASSWORD not set | #338 | orchestrator | fix/high | MS-HIGH-023 | MS-HIGH-025 | worker-1 | 2026-02-05T21:43:00Z | 2026-02-05T21:50:00Z | 5K | 6.5K |
|
||||
| MS-HIGH-025 | done | CQ-ORCH-6: Fix N+1 with MGET for batch retrieval | #338 | orchestrator | fix/high | MS-HIGH-024 | MS-HIGH-026 | worker-1 | 2026-02-05T21:51:00Z | 2026-02-05T21:58:00Z | 10K | 8.5K |
|
||||
| MS-HIGH-026 | done | CQ-ORCH-1: Add session cleanup on terminal states | #338 | orchestrator | fix/high | MS-HIGH-025 | MS-HIGH-027 | worker-1 | 2026-02-05T21:59:00Z | 2026-02-05T22:07:00Z | 10K | 12.5K |
|
||||
| MS-HIGH-027 | done | CQ-API-1: Fix WebSocket timer leak (clearTimeout in catch) | #338 | api | fix/high | MS-HIGH-026 | MS-HIGH-028 | worker-1 | 2026-02-05T22:08:00Z | 2026-02-05T22:15:00Z | 8K | 12K |
|
||||
| MS-HIGH-028 | done | CQ-API-2: Fix runner jobs interval leak (clearInterval) | #338 | api | fix/high | MS-HIGH-027 | MS-HIGH-029 | worker-1 | 2026-02-05T22:16:00Z | 2026-02-05T22:24:00Z | 8K | 12K |
|
||||
| MS-HIGH-029 | done | CQ-WEB-1: Fix useWebSocket stale closure (use refs) | #338 | web | fix/high | MS-HIGH-028 | MS-HIGH-030 | worker-1 | 2026-02-05T22:25:00Z | 2026-02-05T22:32:00Z | 10K | 12.5K |
|
||||
| MS-HIGH-030 | done | CQ-WEB-4: Fix useChat stale messages (functional updates) | #338 | web | fix/high | MS-HIGH-029 | MS-HIGH-V01 | worker-1 | 2026-02-05T22:33:00Z | 2026-02-05T22:38:00Z | 10K | 12K |
|
||||
| MS-HIGH-V01 | done | Phase 2 Verification: Run full quality gates | #338 | all | fix/high | MS-HIGH-030 | MS-MED-001 | worker-1 | 2026-02-05T22:40:00Z | 2026-02-05T22:45:00Z | 5K | 2K |
|
||||
| MS-MED-001 | done | CQ-ORCH-4: Fix AbortController timeout cleanup in finally | #339 | orchestrator | fix/medium | MS-HIGH-V01 | MS-MED-002 | worker-1 | 2026-02-05T22:50:00Z | 2026-02-05T22:55:00Z | 8K | 6K |
|
||||
| MS-MED-002 | done | CQ-API-4: Remove Redis event listeners in onModuleDestroy | #339 | api | fix/medium | MS-MED-001 | MS-MED-003 | worker-1 | 2026-02-05T22:56:00Z | 2026-02-05T23:00:00Z | 8K | 5K |
|
||||
| MS-MED-003 | done | SEC-ORCH-16: Implement real health and readiness checks | #339 | orchestrator | fix/medium | MS-MED-002 | MS-MED-004 | worker-1 | 2026-02-05T23:01:00Z | 2026-02-05T23:10:00Z | 12K | 12K |
|
||||
| MS-MED-004 | done | SEC-ORCH-19: Validate agentId path parameter as UUID | #339 | orchestrator | fix/medium | MS-MED-003 | MS-MED-005 | worker-1 | 2026-02-05T23:11:00Z | 2026-02-05T23:15:00Z | 8K | 4K |
|
||||
| MS-MED-005 | done | SEC-API-24: Sanitize error messages in global exception filter | #339 | api | fix/medium | MS-MED-004 | MS-MED-006 | worker-1 | 2026-02-05T23:16:00Z | 2026-02-05T23:25:00Z | 10K | 12K |
|
||||
| MS-MED-006 | deferred | SEC-WEB-16: Add Content Security Policy headers | #339 | web | fix/medium | MS-MED-005 | MS-MED-007 | | | | 12K | |
|
||||
| MS-MED-007 | done | CQ-API-3: Make activity logging fire-and-forget | #339 | api | fix/medium | MS-MED-006 | MS-MED-008 | worker-1 | 2026-02-05T23:28:00Z | 2026-02-05T23:32:00Z | 8K | 5K |
|
||||
| MS-MED-008 | deferred | CQ-ORCH-2: Use Valkey as single source of truth for sessions | #339 | orchestrator | fix/medium | MS-MED-007 | MS-MED-V01 | | | | 15K | |
|
||||
| MS-MED-V01 | done | Phase 3 Verification: Run full quality gates | #339 | all | fix/medium | MS-MED-008 | | worker-1 | 2026-02-05T23:35:00Z | 2026-02-06T00:30:00Z | 5K | 2K |
|
||||
|
||||
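Review bot: MS-MED-007 and MS-MED-V01 are marked `done` although the tasks in their `depends_on` column, MS-MED-006 (CSP headers) and MS-MED-008 (Valkey as single source of truth), are `deferred`. Either the dependency chain is only an ordering hint, in which case say so in this file, or `depends_on`/`blocks` should be rewired around the deferred rows. As it stands, Phase 3 verification reads as passed with an unmet prerequisite. The deferred rows also carry no reason or follow-up reference, which matters for SEC-WEB-16 since it is a security finding. Separately, MS-SEC-001 is closed as `done` with `0.3K` used against a `15K` estimate. A note on how the authentication change was verified would help before anyone relies on that status.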