standards/STATUS.md
Keysat c8c1daf763 Correct stale repo name Workout-log → proof-of-work in roundup docs
The repo was renamed; note the rename in the STATUS.md scan header so the
historical snapshot stays unambiguous. The dead ~/Projects/Workout-log
folder (empty/crash logs, no git) was removed separately.
2026-06-15 13:48:44 -05:00

Roundup — 2026-06-14

Repos scanned (9 git): CRM, premier-gunner, recap-relay, recap, spark-control, proof-of-work (renamed from Workout-log — same repo), ten31-transcripts, standards (meta/tooling). Skipped: start-os (external upstream — Start9Labs/start-os, no AGENTS.md); 15 non-git folders under ~/Projects (see Gaps).

Generated by /roundup — read-only across all repos; quotes priorities/states as found and does not rank projects against each other. Overwritten each run; git history is the diff.

Per-project snapshot

  • CRM — Self-hosted venture-fund CRM + agentic AI layer, on Start9. Live v0.1.0:74, healthy; main is ahead with a list-view soft-delete fix + 3 tests, not yet deployed. In progress: reports-subsystem soft-delete sweep. Next: bump version + redeploy to ship the queued fix.
  • premier-gunner — Kid-friendly soccer-training tracker PWA (StartOS s9pk). Live v0.1.6:0, all features shipped, nothing in progress. Next: set a real login password; confirm speed units.
  • recap-relay — Operator-side credit-metered AI relay (transcribe/diarize/analyze) + internal-meetings; private Start9 only. At 0.2.124; full eval done, all P0/P1 fixed. In progress: open P2 queue (persist webhook dedup first).
  • recap — YouTube/podcast summarizer (StartOS s9pk + recaps.cc cloud). Live (app 0.2.155). In progress: P0/P1 security fixes required before exposing the cloud to untrusted users. Next: fix the P0/P1s.
  • spark-control — StartOS controller for a dual DGX Spark cluster (vLLM swaps, speech/embeddings/redaction). Live v0.19.0:0. In progress: Signal Engine flakiness (transient GPU-busy) client-side remedy drafted; one CSRF click-through unverified.
  • proof-of-work — Self-hosted multi-user workout logger (Next.js, StartOS s9pk). v1.2.0:1 (Next 15 / React 19 upgrade) built + sideloaded; local checks green. Pending: on-box boot verification. Next: P3 hardening batch.
  • ten31-transcripts — macOS menu-bar app recording dual-track call audio → SparkControl backend. Main clean + pushed, 73 tests pass, Release app built. In progress: Meet visual fix (camera-off tiles) unverified. Next: persist backend URL + primary→fallback.
  • standards (meta/tooling) — Agent-operating standards + the live global fleet. Built: capture→triage→roundup loop, /new-project, deny-by-default .gitignore; git-hygiene audit done (2026-06-14). Next: the /harden quality-gate standard.

Priority queue (all projects + untriaged inbox)

P0 — recap (block cloud exposure to untrusted users):

  • [P0] recap — arbitrary file write via ../../ path escape in library import (:131-139)
  • [P0] recap — SSRF with read-back in podcast download (unguarded http.get, any host)
  • [P0] recap — live Gemini key in git history (commit d5046a0, still active → rotate)

P1:

  • [P1] recap — ESM require("crypto") ReferenceError in the license-purchase settle path
  • [P1] recap — global currentFreeJob lock serializes the entire multi-tenant cloud
  • [P1] recap — trial IP-cap + magic-link rate-limit bypass via spoofed X-Forwarded-For
  • [P1] recap — StartOS registry submission blocked (missing instructions.md, wrong repo URLs, license gate)
  • [P1] ten31-transcripts — mini-retrofit (no .claude/); inbox (untriaged) — see "Not yet pushed down"

P2:

  • [P2] CRM — reports subsystem (~16 aggregate queries) still counts soft-deleted rows (next step #1)
  • [P2] CRM — ?limit=abc crashes
  • [P2] recap-relay — persist webhook dedup so a restart can't double-credit/extend (routes/credits.js:63, zaprite-webhook.js:27)
  • [P2] recap-relay — BTCPay manifest/deps decision (hard-required vs. truly optional)
  • [P2] recap-relay — money-path unit tests; cors() scope off /admin/*; split 2225-line routes/internal-meetings.js; fix two AGENTS.md auth-doc drifts
  • [P2] spark-control — no automated tests (swap state machine, proxies, SSH wrapper, package) — biggest coverage gap
  • [P2] ten31-transcripts — guard RecapAnalyzer.mmss() against NaN/∞; rewrite stale README

P3 — deferred hardening / hygiene:

  • [P3] recap — request-size caps, invoice-ID hijack binding, container root, in-memory rate-limit buckets, repo hygiene, packaging polish, doc reconciliation
  • [P3] recap-relay — no /relay/* rate limiting, container root, dashboard XSS, lan-fetch TLS off; versions prune; stale /relay/health version; bulk doc fixes
  • [P3] proof-of-work — login timing oracle, CSP unsafe-eval, /api/health info disclosure, rate-limit map leak, exerciseId ownership on PATCH/sets POST, 30-day sessions, text max-length
  • [P3] spark-control — stale README, deprecated @app.on_event, hardcoded version, unescaped innerHTML sink, packaging placeholders
  • [P3] ten31-transcripts — reconcile docs/ specs with reality, SessionController state-machine tests, smaller items in EVALUATION.md

Unprioritized — needs triage (actionable next-steps with no priority marker as found):

  • CRM — bump version + rebuild/redeploy the queued list-view fix + tests; Grant+Jonathan freeze v2.0 canonical; build reply-all for Tier-B drafts; confirm Appendix-A + Maple/OpenSecret/Primal, then promote
  • premier-gunner — set a real login password; confirm speed unit (mph vs km/h); decide on "log another" same-category session
  • recap — persist provider preference server-side; apply Export ▾ to clip-collection panel; verify "Take Recaps home" licensing; confirm cloud paid-only vs. free-signed-in intent; Zaprite recurring (BLOCKED on Zaprite API); CI lint + type-check
  • spark-control — on-box CSRF click-through test; forward concurrency note to Signal Engine dev; concurrency sweep; parakeet-asr --memory cap; start the ROADMAP tech-debt list (pytest harness first)
  • proof-of-work — tiered AI prompt formatting (JSON-schema output, etc.); (later) Next 15→16 upgrade; verify StartOS forwards real client IPs
  • ten31-transcripts — persist backend URL in Settings + primary→fallback on connection failure
  • standards — build the /harden quality-gate standard (item 1); the non-git-folder sweep

Not yet pushed down (inbox)

These exist nowhere but ~/Projects/standards/INBOX.md (1 untriaged item):

  • ten31-transcripts [chore] [P1] — Mini-retrofit: add the inbox-check line, create .claude/settings.json, normalize .gitignore to the deny-by-default canonical block (+ .env.* / !.env.example), and decide on a docs/guides/ reorg. → run /triage inside ten31-transcripts to route it.

Proposed new projects

None — no (new) / (new:name) items in the inbox.

Gaps

  • start-os — external upstream (Start9Labs/start-os); no AGENTS.md/ROADMAP. Out of scope (not your project); skipped, not a deficiency.
  • 15 non-git folders under ~/Projects are unprotected (no git, no standards): discount-watcher, expense-organizer, giga, Grand-Cayman-paddleboard, heart-rate, licensing, one-river, satoshi-sleep, START9 PACKAGING, ten31-agents, ten31-command-center, ten31-signal-engine, timestamp-converter, timestamp-newspaper, website-landing. Each needs git init + retrofit, or an explicit "scratch, don't track" decision (tracked as the standards item-6 non-git-folder sweep).
  • No stale-looking Current states — every snapshot is dated 2026-06-13/14.