Roundup snapshot — 2026-06-14
This commit is contained in:
Keysat
@@ -0,0 +1,100 @@
|
||||
# Roundup — 2026-06-14
|
||||
|
||||
Repos scanned (9 git): CRM, premier-gunner, recap-relay, recap, spark-control, Workout-log,
|
||||
ten31-transcripts, standards (meta/tooling).
|
||||
Skipped: **start-os** (external upstream — Start9Labs/start-os, no AGENTS.md); **15 non-git
|
||||
folders** under `~/Projects` (see Gaps).
|
||||
|
||||
> Generated by `/roundup` — read-only across all repos; quotes priorities/states as found and
|
||||
> does not rank projects against each other. Overwritten each run; git history is the diff.
|
||||
|
||||
## Per-project snapshot
|
||||
|
||||
- **CRM** — Self-hosted venture-fund CRM + agentic AI layer, on Start9. Live `v0.1.0:74`,
|
||||
healthy; `main` is **ahead** with a list-view soft-delete fix + 3 tests, not yet deployed.
|
||||
In progress: reports-subsystem soft-delete sweep. Next: bump version + redeploy to ship the
|
||||
queued fix.
|
||||
- **premier-gunner** — Kid-friendly soccer-training tracker PWA (StartOS s9pk). Live
|
||||
`v0.1.6:0`, all features shipped, nothing in progress. Next: set a real login password;
|
||||
confirm speed units.
|
||||
- **recap-relay** — Operator-side credit-metered AI relay (transcribe/diarize/analyze) +
|
||||
internal-meetings; private Start9 only. At `0.2.124`; full eval done, all P0/P1 fixed.
|
||||
In progress: open P2 queue (persist webhook dedup first).
|
||||
- **recap** — YouTube/podcast summarizer (StartOS s9pk + `recaps.cc` cloud). Live (app
|
||||
`0.2.155`). In progress: **P0/P1 security fixes required before exposing the cloud to
|
||||
untrusted users.** Next: fix the P0/P1s.
|
||||
- **spark-control** — StartOS controller for a dual DGX Spark cluster (vLLM swaps,
|
||||
speech/embeddings/redaction). Live `v0.19.0:0`. In progress: Signal Engine flakiness
|
||||
(transient GPU-busy) client-side remedy drafted; one CSRF click-through unverified.
|
||||
- **Workout-log** — Self-hosted multi-user workout logger (Next.js, StartOS s9pk). `v1.2.0:1`
|
||||
(Next 15 / React 19 upgrade) built + sideloaded; local checks green. Pending: on-box boot
|
||||
verification. Next: P3 hardening batch.
|
||||
- **ten31-transcripts** — macOS menu-bar app recording dual-track call audio → SparkControl
|
||||
backend. Main clean + pushed, 73 tests pass, Release app built. In progress: Meet visual fix
|
||||
(camera-off tiles) unverified. Next: persist backend URL + primary→fallback.
|
||||
- **standards** (meta/tooling) — Agent-operating standards + the live global fleet. Built:
|
||||
capture→triage→roundup loop, `/new-project`, deny-by-default `.gitignore`; git-hygiene audit
|
||||
done (2026-06-14). Next: the `/harden` quality-gate standard.
|
||||
|
||||
## Priority queue (all projects + untriaged inbox)
|
||||
|
||||
**P0 — recap (block cloud exposure to untrusted users):**
|
||||
- [P0] recap — arbitrary file write via `../../` path escape in library import (`:131-139`)
|
||||
- [P0] recap — SSRF with read-back in podcast download (unguarded `http.get`, any host)
|
||||
- [P0] recap — live Gemini key in git history (commit `d5046a0`, still active → rotate)
|
||||
|
||||
**P1:**
|
||||
- [P1] recap — ESM `require("crypto")` ReferenceError in the license-purchase settle path
|
||||
- [P1] recap — global `currentFreeJob` lock serializes the entire multi-tenant cloud
|
||||
- [P1] recap — trial IP-cap + magic-link rate-limit bypass via spoofed `X-Forwarded-For`
|
||||
- [P1] recap — StartOS registry submission blocked (missing `instructions.md`, wrong repo URLs, license gate)
|
||||
- [P1] ten31-transcripts — mini-retrofit (no `.claude/`); **inbox (untriaged)** — see "Not yet pushed down"
|
||||
|
||||
**P2:**
|
||||
- [P2] CRM — reports subsystem (~16 aggregate queries) still counts soft-deleted rows (next step #1)
|
||||
- [P2] CRM — `?limit=abc` crashes
|
||||
- [P2] recap-relay — persist webhook dedup so a restart can't double-credit/extend (`routes/credits.js:63`, `zaprite-webhook.js:27`)
|
||||
- [P2] recap-relay — BTCPay manifest/deps decision (hard-required vs. truly optional)
|
||||
- [P2] recap-relay — money-path unit tests; `cors()` scope off `/admin/*`; split 2225-line `routes/internal-meetings.js`; fix two AGENTS.md auth-doc drifts
|
||||
- [P2] spark-control — no automated tests (swap state machine, proxies, SSH wrapper, package) — biggest coverage gap
|
||||
- [P2] ten31-transcripts — guard `RecapAnalyzer.mmss()` against NaN/∞; rewrite stale README
|
||||
|
||||
**P3 — deferred hardening / hygiene:**
|
||||
- [P3] recap — request-size caps, invoice-ID hijack binding, container root, in-memory rate-limit buckets, repo hygiene, packaging polish, doc reconciliation
|
||||
- [P3] recap-relay — no `/relay/*` rate limiting, container root, dashboard XSS, `lan-fetch` TLS off; versions prune; stale `/relay/health` version; bulk doc fixes
|
||||
- [P3] Workout-log — login timing oracle, CSP `unsafe-eval`, `/api/health` info disclosure, rate-limit map leak, `exerciseId` ownership on PATCH/sets POST, 30-day sessions, text max-length
|
||||
- [P3] spark-control — stale README, deprecated `@app.on_event`, hardcoded version, unescaped `innerHTML` sink, packaging placeholders
|
||||
- [P3] ten31-transcripts — reconcile `docs/` specs with reality, `SessionController` state-machine tests, smaller items in `EVALUATION.md`
|
||||
|
||||
**Unprioritized — needs triage (actionable next-steps with no priority marker as found):**
|
||||
- CRM — bump version + rebuild/redeploy the queued list-view fix + tests; Grant+Jonathan freeze v2.0 canonical; build reply-all for Tier-B drafts; confirm Appendix-A + Maple/OpenSecret/Primal, then promote
|
||||
- premier-gunner — set a real login password; confirm speed unit (mph vs km/h); decide on "log another" same-category session
|
||||
- recap — persist provider preference server-side; apply Export ▾ to clip-collection panel; verify "Take Recaps home" licensing; confirm cloud paid-only vs. free-signed-in intent; Zaprite recurring (BLOCKED on Zaprite API); CI lint + type-check
|
||||
- spark-control — on-box CSRF click-through test; forward concurrency note to Signal Engine dev; concurrency sweep; parakeet-asr `--memory` cap; start the ROADMAP tech-debt list (pytest harness first)
|
||||
- Workout-log — tiered AI prompt formatting (JSON-schema output, etc.); (later) Next 15→16 upgrade; verify StartOS forwards real client IPs
|
||||
- ten31-transcripts — persist backend URL in Settings + primary→fallback on connection failure
|
||||
- standards — build the `/harden` quality-gate standard (item 1); the non-git-folder sweep
|
||||
|
||||
## Not yet pushed down (inbox)
|
||||
|
||||
These exist nowhere but `~/Projects/standards/INBOX.md` (1 untriaged item):
|
||||
- **ten31-transcripts** — `[chore][P1]` Mini-retrofit: add the inbox-check line, create
|
||||
`.claude/settings.json`, normalize `.gitignore` to the deny-by-default canonical block
|
||||
(+ `.env.*` / `!.env.example`), and decide on a `docs/guides/` reorg. → run `/triage` inside
|
||||
ten31-transcripts to route it.
|
||||
|
||||
## Proposed new projects
|
||||
|
||||
None — no `(new)` / `(new:name)` items in the inbox.
|
||||
|
||||
## Gaps
|
||||
|
||||
- **start-os** — external upstream (`Start9Labs/start-os`); no AGENTS.md/ROADMAP. Out of scope
|
||||
(not your project); skipped, not a deficiency.
|
||||
- **15 non-git folders under `~/Projects` are unprotected** (no git, no standards):
|
||||
discount-watcher, expense-organizer, giga, Grand-Cayman-paddleboard, heart-rate, licensing,
|
||||
one-river, satoshi-sleep, START9 PACKAGING, ten31-agents, ten31-command-center,
|
||||
ten31-signal-engine, timestamp-converter, timestamp-newspaper, website-landing. Each needs
|
||||
`git init` + retrofit, or an explicit "scratch, don't track" decision (tracked as the
|
||||
standards item-6 non-git-folder sweep).
|
||||
- No stale-looking Current states — every snapshot is dated 2026-06-13/14.
|
||||
Reference in New Issue
Block a user