standards/STATUS.md
2026-06-16 06:50:54 -05:00

Roundup — 2026-06-16

Repos scanned (11 operator git repos): keysat, matrix-bridge, premier-gunner, proof-of-work, recap-relay, recap, spark-control, standards (meta/tooling), ten31-database, ten31-signal-engine, ten31-transcripts. Skipped: start-os (external upstream — Start9Labs/start-os, no AGENTS.md by design; firmware/OS build clone, not an operator project).

This report inventories every project's state and open work. It does not rank projects against each other or recommend what to do next — that's the operator's call.


Per-project snapshot

keysat — Bitcoin-native software-licensing service (StartOS 0.4.x package, 4 SDKs, landing/docs site). Registry at 0.2.0:55; live server still :54. In progress: this session shipped the product→merchant-profile write path (multi-profile now functional end-to-end), unreleased. Next: 3 remaining multi-profile UIs, then cut :56 to ship the write path.

matrix-bridge — Single-user Matrix bot turning a room message into a live Claude Code session, surfaced to phone. Phases 0–3 + ask mode all DONE; Phase 3 (Spark Control tile) shipped today in v0.21.0. No active build work; Phase 4+ documented but not scoped.

premier-gunner — Kid-friendly soccer-training tracker PWA (StartOS .s9pk). Live at v0.1.7:0; all requested features built and deployed. In progress: none. Next: set real login password via action, confirm speed unit, then eval backlog if desired.

proof-of-work — Self-hosted multi-user workout logger (Next.js, StartOS .s9pk, private registry). At 1.2.0:3 (P3 hardening), built + sideloaded 2026-06-15. Pending: on-box boot check + Safari first-tap verification. Next: finish the P3 hardening batch.

recap-relay — Operator-side credit-metered transcription/diarization/analysis router (Gemini + Spark Control); private to operator's box. Relay 0.2.126 / app 0.2.155, tree clean, 79 tests green. Deferred: splitting the 2225-line internal-meetings.js ("likely overkill"). Next: P3+ hardening backlog.

recap — YouTube/podcast summarizer + library; StartOS .s9pk single-mode + public recaps.cc multi-tenant cloud. App 0.2.159 / relay 0.2.126, 144 tests passing. Loose end: Daily Digest relay-synthesis + SMTP path not yet smoke-tested off-box. 5 pending operator actions.

spark-control — Browser package controlling a dual DGX Spark AI cluster (vLLM swaps, speech/embeddings/redaction APIs; StartOS 0.4). matrix-bridge tile shipped v0.21.0:1; security hardening shipped v0.19.0:0; 70 pytest passing. In progress: Signal Engine concurrency remedy forwarded to dev 2026-06-15, awaiting their decision.

standards (meta/tooling) — Global agent-operating standards + the live fleet of commands/subagents served into ~/.claude. Fleet built and live; /new-project upgraded; cross-repo git-hygiene audit done. Next: cross-repo quality-gate standard + /harden; non-git-folder sweep under ~/Projects (~13).

ten31-database — Self-hosted venture CRM + agentic layer (thesis copilot, outreach drafting, Gmail capture via DWD) on Start9. Live & verified v0.1.0:77 (deployed 2026-06-16) incl. Phase B daily activity digest (auto-send OFF pending enablement); 20/20 backend tests green. Next: Grant validates Phase B on the box.

ten31-signal-engine — Recurring signal-extraction pipeline (audio/text → structured thesis-scored claims as falsifiable predictions). Strike adversarial test is the gating step: extraction running, long-form 400s fixed, draining ~700-doc/~5.7k-chunk backlog. 2 unpushed commits blocked awaiting Grant's approval. Battery test PASSES.

ten31-transcripts — Native macOS menu-bar app: detects video calls, records dual-track audio w/ active-speaker detection, sends to SparkControl for transcription/diarization/naming. Main clean + pushed, 73 tests pass; backend connected end-to-end 2026-06-16. Next: backend URL primary→fallback + status indicator.


Priority queue (all projects + untriaged inbox)

Items quoted with the priority markers found in each source. Concrete "next steps" that carry no Px in their repo are listed under "Unprioritized — needs triage" (repo-sequenced), never dropped.

P1

  • [P1] Mini-retrofit ten31-transcripts repo — add inbox-check line, .claude/settings.json, canonical .gitignore, optional docs reorg — source: inbox(untriaged) — INBOX.md (ten31-transcripts)[chore][P1]

P2

  • [P2] keysat: set_product_entitlements_catalog lacks rows_affected guard — bad product-id silently 200s with stale data; one-line fix deferred — source: keysat — AGENTS.md Known issues
  • [P2] keysat: payments/API debt batch — no rate-limit on /v1/purchase+/v1/redeem; bucket keys on spoofable X-Forwarded-For; 422/415 return plain-text not JSON; slug unvalidated; GET /v1/admin/products 405s; dep advisories (sqlx≥0.8.1, rustls-webpki≥0.103.12); no CI / fmt/clippy/prettier unenforced — source: keysat — AGENTS.md debt
  • [P2] premier-gunner: upgrade @fastify/static 8.3.0 → ≥9.1.3 (path-traversal advisories) — source: premier-gunner — ROADMAP eval backlog (dependency)
  • [P2] premier-gunner: input validation — reject unknown metric kind; validate calendar-date semantics; 400 on bad metric_id — source: premier-gunner — ROADMAP eval backlog
  • [P2] premier-gunner: automated test suite (record-recompute direction, streak math, migration idempotency) — source: premier-gunner — ROADMAP eval backlog
  • [P2] recap: known-debt batch — SSE error-string leak to cloud users; credit over-spend TOCTOU; multi-tenant Gemini-key bypass; GET /api/history perf; dependency CVEs; no integration tests; smaller hardening + doc drift — source: recap — ROADMAP Known debt
  • [P2] spark-control: tech-debt batch — no automated tests beyond redaction; loose dep floors (python-multipart/starlette DoS CVEs); opaque HTTP 500s; NGC API key on process cmd line; global mutable catalog race; container runs uvicorn as root — source: spark-control — ROADMAP Tech debt
  • [P2] ten31-database: reports subsystem counts soft-deleted rows (~16 aggregates); ?limit=abc crashes authenticated lists; TLS verify off in scrub gateway; hardcoded Spark/Qdrant IPs in s9pk; 5.4k-line monolith — source: ten31-database — AGENTS.md Known debt
  • [P2] standards: automate Gitea create/publish gate in /new-project via Gitea API — source: inbox(untriaged) — INBOX.md (standards)[feature][P2]
  • [P2] ten31-transcripts: add Jitsi support — source: inbox(untriaged) — INBOX.md (ten31-transcripts)[feature][P2]
  • [P2] recap: Recaps (or a recaps relay) should send a daily digest via SMTP — source: inbox(untriaged) — INBOX.md (recap)[feature][P2]
  • [P2] recap: mobile gets stuck and can't scroll back to top (recaps.cc transcript view) — attempted in 0.2.157, UNVERIFIED; needs on-iPad check + screen recording — source: inbox(untriaged) — INBOX.md (recap)[bug][P2]
  • [P2] ten31-database: reconcile AGENTS.md networking facts — CRM is served over ClearNet (StartTunnel) w/ app-level auth, not "LAN or Tailscale" — source: inbox(untriaged) — INBOX.md (ten31-database)[chore][P2]

P3

  • [P3] keysat: deferred batch — /v1/purchase 400 vs /v1/btcpay/webhook 503 asymmetry; undocumented required kind on discount-codes; field-naming drift; migration self-heal foot-gun; Zaprite payload WARN-log; outbound-webhook SSRF; registry icon non-render — source: keysat — AGENTS.md P3+ deferred
  • [P3] premier-gunner: CSRF token; cross-category metric guard; logout without session; consistent 404s; validate category color — source: premier-gunner — ROADMAP eval backlog
  • [P3] recap-relay: P3+ post-eval backlog — no /relay/* rate limiting; container likely root; dashboard innerHTML XSS; lan-fetch TLS verify off; debug/error fields leaked; packaging/ops polish; /relay/health stale 0.2.11; doc fixes — source: recap-relay — ROADMAP / docs/issues-backlog.md
  • [P3] recap: deferred hardening — request-size caps; invoice-ID hijack; container runs as root; in-memory rate-limit buckets; repo hygiene (cookies.txt rotation, old .s9pk delete, package.json rename); StartOS registry submission; bulk doc reconciliation — source: recap — ROADMAP Deferred hardening
  • [P3] spark-control: README stale; deprecated @app.on_event; packaging placeholders/broken links; missing SSH user specs; no upload size limits; startup crash on bad env; unescaped innerHTML sink — source: spark-control — ROADMAP Tech debt P3
  • [P3] recap-relay: AGENTS.md mis-describes POST /relay/analyze — actual route takes { prompt } and returns { result: { text } }; fix request-shape wording — source: inbox(untriaged) — INBOX.md (recap-relay)[chore][P3]

Unprioritized — needs triage (active next steps, repo-sequenced, no Px in source)

  • keysat: (1) ship 3 remaining multi-profile UIs + unlimited_merchant_profiles policy; (2) cut :56 to ship this session's write path; (3) deferred — split audit:read from :read, build admin "API keys" SPA panel — source: keysat
  • matrix-bridge: no active steps; optional/triggered only — Docker HEALTHCHECK for the badge, ask-mode trust flag, Phase 4+ (intent-routing brain, thread continuity) — source: matrix-bridge
  • premier-gunner: (1) set real login password via action; (2) confirm speed unit (mph vs km/h); (3) work eval backlog if desired — source: premier-gunner
  • proof-of-work: pending on-box check — confirm 1.2.0:3 boots clean + Safari first-tap works; then finish P3 hardening batch (CSP unsafe-eval, /api/health info disclosure, rate-limit map leak, configurable sessions, text max-length, unify 3rd JSON-parse) — source: proof-of-work
  • recap-relay: split routes/internal-meetings.js (deferred, "likely overkill") — source: recap-relay
  • recap: 5 pending operator actions — verify iPad scroll fix (0.2.157), optional Gemini-key rotation, real-world cloud tests (first Bitcoin/Zaprite/reminder email), set RECAP_TRUSTED_PROXY_HOPS if CDN/LB added, smoke-test Daily Digest via admin endpoints — source: recap
  • spark-control: (1) audio concurrency sweep only if Signal Engine dev wants the measured knee (needs owner OK, quiet window); (2) else pull from ROADMAP — local-path/fine-tuned model support or P2 debt — source: spark-control
  • standards: (1) cross-repo quality-gate standard + /harden (unblocks /new-project's deferred quality gate); (2) non-git-folder sweep under ~/Projects (~13) — source: standards
  • ten31-database: (1) Grant validates Phase B on the box ("Send Digest Now" + arm auto-send); (2) reports soft-delete sweep + tests; (3) fix ?limit=abc crash; (4) freeze v2.0 thesis canonical; (5) reply-all for Tier-B drafts; (6) confirm Appendix-A + promote — source: ten31-database
  • ten31-signal-engine: (1) finish ~700-doc backlog extraction (~67h); (2) embed-claims; (3) two-sided --conviction STRIKE2022; (4) approve push of 2 commits to main (blocked); (5) decide speed-up approach (recommend real-time concurrency over Batch API) — source: ten31-signal-engine
  • ten31-transcripts: (1) backend URL primary→fallback + endpoint status indicator; (2) guard mmss() NaN/∞; (3) validate Meet visual fix (reject camera-off tiles) with real session — source: ten31-transcripts

Not yet pushed down (inbox) — grouped by target project

These exist nowhere but INBOX.md; they have not reached any repo's ROADMAP.

  • ten31-transcripts [chore][P1] mini-retrofit (no .claude/ dir; add inbox line, settings.json, canonical .gitignore, optional docs reorg). [feature][P2] add Jitsi.
  • recap [feature][P2] daily digest via SMTP. [bug][P2] mobile can't-scroll-to-top (attempted 0.2.157, UNVERIFIED).
  • ten31-database [chore][P2] reconcile networking facts (ClearNet/StartTunnel, not LAN/Tailscale).
  • standards [feature][P2] Gitea API automation in /new-project.
  • recap-relay [chore][P3] fix /relay/analyze request-shape wording ({ prompt }).

Proposed new projects (inbox (new:…))

Ideas awaiting the new-repo bootstrap (/new-project):

  • new:embedded-links-reader [project][P2] — give the app an article/blog URL; it scrapes the author's embedded links, reads them, and summarizes them.
  • new:portfolio-scraper [project][P2] — tracks portfolio companies (podcasts, tweets, founder appearances, news) and delivers a digest via email or another interface.

Gaps

  • keysat — registry is at :55 but the live server still runs :54, and this session's merchant-profile write path is built but unreleased; the deployed product trails HEAD by two version steps.
  • proof-of-work — 1.2.0:3 is built/sideloaded but the on-box boot + Safari first-tap verification is still pending; "deployed" is not yet "verified."
  • ten31-signal-engine — 2 commits sit unpushed pending approval; the Strike adversarial gating test is mid-run, so its PASS/FAIL is not yet known.
  • recap / recap-relay — several verification-dependent loose ends (Daily Digest off-box smoke test, iPad scroll fix) remain UNVERIFIED rather than closed.
  • start-os — carries no AGENTS.md/ROADMAP.md; this is by design (external Start9 upstream clone), so it is excluded from the roundup rather than a missing-brain gap.
  • Inbox health: no (?)-target or stale-looking items; all 9 untriaged items carry a clear target and type.