standards/STATUS.md
2026-06-16 06:50:54 -05:00
# Roundup — 2026-06-16
Repos scanned (11 operator git repos): keysat, matrix-bridge, premier-gunner, proof-of-work, recap-relay, recap, spark-control, standards (meta/tooling), ten31-database, ten31-signal-engine, ten31-transcripts.

Skipped: **start-os** (external upstream — Start9Labs/start-os, no AGENTS.md by design; firmware/OS build clone, not an operator project).

This report inventories every project's state and open work. It does **not** rank projects against each other or recommend what to do next — that's the operator's call.

---
## Per-project snapshot
**keysat** — Bitcoin-native software-licensing service (StartOS 0.4.x package, 4 SDKs, landing/docs site). Registry at `0.2.0:55`; live server still `:54`. In progress: this session shipped the product→merchant-profile write path (multi-profile now functional end-to-end), unreleased. Next: 3 remaining multi-profile UIs, then cut `:56` to ship the write path.
**matrix-bridge** — Single-user Matrix bot turning a room message into a live Claude Code session, surfaced to phone. Phases 0–3 + ask mode all DONE; Phase 3 (Spark Control tile) shipped today in v0.21.0. No active build work; Phase 4+ documented but not scoped.
**premier-gunner** — Kid-friendly soccer-training tracker PWA (StartOS `.s9pk`). Live at v0.1.7:0; all requested features built and deployed. In progress: none. Next: set real login password via action, confirm speed unit, then eval backlog if desired.
**proof-of-work** — Self-hosted multi-user workout logger (Next.js, StartOS `.s9pk`, private registry). At `1.2.0:3` (P3 hardening), built + sideloaded 2026-06-15. Pending: on-box boot check + Safari first-tap verification. Next: finish the P3 hardening batch.
**recap-relay** — Operator-side credit-metered transcription/diarization/analysis router (Gemini + Spark Control); private to operator's box. Relay `0.2.126` / app `0.2.155`, tree clean, 79 tests green. Deferred: splitting the 2225-line `internal-meetings.js` ("likely overkill"). Next: P3+ hardening backlog.
**recap** — YouTube/podcast summarizer + library; StartOS `.s9pk` single-mode + public `recaps.cc` multi-tenant cloud. App `0.2.159` / relay `0.2.126`, 144 tests passing. Loose end: Daily Digest relay-synthesis + SMTP path not yet smoke-tested off-box. 5 pending operator actions.
**spark-control** — Browser package controlling a dual DGX Spark AI cluster (vLLM swaps, speech/embeddings/redaction APIs; StartOS 0.4). matrix-bridge tile shipped v0.21.0:1; security hardening shipped v0.19.0:0; 70 pytest passing. In progress: Signal Engine concurrency remedy forwarded to dev 2026-06-15, awaiting their decision.
**standards** (meta/tooling) — Global agent-operating standards + the live fleet of commands/subagents served into `~/.claude`. Fleet built and live; `/new-project` upgraded; cross-repo git-hygiene audit done. Next: cross-repo quality-gate standard + `/harden`; non-git-folder sweep under `~/Projects` (~13).
**ten31-database** — Self-hosted venture CRM + agentic layer (thesis copilot, outreach drafting, Gmail capture via DWD) on Start9. Live & verified v0.1.0:77 (deployed 2026-06-16) incl. Phase B daily activity digest (auto-send OFF pending enablement); 20/20 backend tests green. Next: Grant validates Phase B on the box.
**ten31-signal-engine** — Recurring signal-extraction pipeline (audio/text → structured thesis-scored claims as falsifiable predictions). Strike adversarial test is the gating step: extraction running, long-form 400s fixed, draining ~700-doc/~5.7k-chunk backlog. **2 unpushed commits** blocked awaiting Grant's approval. Battery test PASSES.
**ten31-transcripts** — Native macOS menu-bar app: detects video calls, records dual-track audio w/ active-speaker detection, sends to SparkControl for transcription/diarization/naming. Main clean + pushed, 73 tests pass; backend connected end-to-end 2026-06-16. Next: backend URL primary→fallback + status indicator.

---
## Priority queue (all projects + untriaged inbox)
*Items quoted with the priority markers found in each source. Concrete "next steps" that carry no Px in their repo are listed under "Unprioritized — needs triage" (repo-sequenced), never dropped.*
### P1
- [P1] Mini-retrofit ten31-transcripts repo — add inbox-check line, `.claude/settings.json`, canonical `.gitignore`, optional docs reorg — source: inbox(untriaged) — INBOX.md `(ten31-transcripts)[chore][P1]`
### P2
- [P2] keysat: `set_product_entitlements_catalog` lacks `rows_affected` guard — bad product-id silently 200s with stale data; one-line fix deferred — source: keysat — AGENTS.md Known issues
- [P2] keysat: payments/API debt batch — no rate-limit on `/v1/purchase`+`/v1/redeem`; bucket keys on spoofable `X-Forwarded-For`; `422`/`415` return plain-text not JSON; `slug` unvalidated; `GET /v1/admin/products` 405s; dep advisories (`sqlx`≥0.8.1, `rustls-webpki`≥0.103.12); no CI / fmt/clippy/prettier unenforced — source: keysat — AGENTS.md debt
- [P2] premier-gunner: upgrade `@fastify/static` 8.3.0 → ≥9.1.3 (path-traversal advisories) — source: premier-gunner — ROADMAP eval backlog (dependency)
- [P2] premier-gunner: input validation — reject unknown metric `kind`; validate calendar-date semantics; 400 on bad `metric_id` — source: premier-gunner — ROADMAP eval backlog
- [P2] premier-gunner: automated test suite (record-recompute direction, streak math, migration idempotency) — source: premier-gunner — ROADMAP eval backlog
- [P2] recap: known-debt batch — SSE error-string leak to cloud users; credit over-spend TOCTOU; multi-tenant Gemini-key bypass; `GET /api/history` perf; dependency CVEs; no integration tests; smaller hardening + doc drift — source: recap — ROADMAP Known debt
- [P2] spark-control: tech-debt batch — no automated tests beyond redaction; loose dep floors (`python-multipart`/`starlette` DoS CVEs); opaque HTTP 500s; NGC API key on process cmd line; global mutable `catalog` race; container runs uvicorn as root — source: spark-control — ROADMAP Tech debt
- [P2] ten31-database: reports subsystem counts soft-deleted rows (~16 aggregates); `?limit=abc` crashes authenticated lists; TLS verify off in scrub gateway; hardcoded Spark/Qdrant IPs in s9pk; 5.4k-line monolith — source: ten31-database — AGENTS.md Known debt
- [P2] standards: automate Gitea create/publish gate in `/new-project` via Gitea API — source: inbox(untriaged) — INBOX.md `(standards)[feature][P2]`
- [P2] ten31-transcripts: add Jitsi support — source: inbox(untriaged) — INBOX.md `(ten31-transcripts)[feature][P2]`
- [P2] recap: Recaps (or a recaps relay) should send a daily digest via SMTP — source: inbox(untriaged) — INBOX.md `(recap)[feature][P2]`
- [P2] recap: mobile gets stuck and can't scroll back to top (recaps.cc transcript view) — attempted in 0.2.157, UNVERIFIED; needs on-iPad check + screen recording — source: inbox(untriaged) — INBOX.md `(recap)[bug][P2]`
- [P2] ten31-database: reconcile AGENTS.md networking facts — CRM is served over ClearNet (StartTunnel) w/ app-level auth, not "LAN or Tailscale" — source: inbox(untriaged) — INBOX.md `(ten31-database)[chore][P2]`
### P3
- [P3] keysat: deferred batch — `/v1/purchase` 400 vs `/v1/btcpay/webhook` 503 asymmetry; undocumented required `kind` on discount-codes; field-naming drift; migration self-heal foot-gun; Zaprite payload WARN-log; outbound-webhook SSRF; registry icon non-render — source: keysat — AGENTS.md P3+ deferred
- [P3] premier-gunner: CSRF token; cross-category metric guard; logout without session; consistent 404s; validate category `color` — source: premier-gunner — ROADMAP eval backlog
- [P3] recap-relay: P3+ post-eval backlog — no `/relay/*` rate limiting; container likely root; dashboard `innerHTML` XSS; `lan-fetch` TLS verify off; debug/error fields leaked; packaging/ops polish; `/relay/health` stale `0.2.11`; doc fixes — source: recap-relay — ROADMAP / docs/issues-backlog.md
- [P3] recap: deferred hardening — request-size caps; invoice-ID hijack; container runs as root; in-memory rate-limit buckets; repo hygiene (`cookies.txt` rotation, old `.s9pk` delete, `package.json` rename); StartOS registry submission; bulk doc reconciliation — source: recap — ROADMAP Deferred hardening
- [P3] spark-control: README stale; deprecated `@app.on_event`; packaging placeholders/broken links; missing SSH user specs; no upload size limits; startup crash on bad env; unescaped innerHTML sink — source: spark-control — ROADMAP Tech debt P3
- [P3] recap-relay: AGENTS.md mis-describes `POST /relay/analyze` — actual route takes `{ prompt }` and returns `{ result: { text } }`; fix request-shape wording — source: inbox(untriaged) — INBOX.md `(recap-relay)[chore][P3]`
### Unprioritized — needs triage (active next steps, repo-sequenced, no Px in source)
- keysat: (1) ship 3 remaining multi-profile UIs + `unlimited_merchant_profiles` policy; (2) cut `:56` to ship this session's write path; (3) deferred — split `audit:read` from `:read`, build admin "API keys" SPA panel — source: keysat
- matrix-bridge: no active steps; optional/triggered only — Docker `HEALTHCHECK` for the badge, ask-mode trust flag, Phase 4+ (intent-routing brain, thread continuity) — source: matrix-bridge
- premier-gunner: (1) set real login password via action; (2) confirm speed unit (`mph` vs `km/h`); (3) work eval backlog if desired — source: premier-gunner
- proof-of-work: pending on-box check — confirm `1.2.0:3` boots clean + Safari first-tap works; then finish P3 hardening batch (CSP `unsafe-eval`, `/api/health` info disclosure, rate-limit map leak, configurable sessions, text max-length, unify 3rd JSON-parse) — source: proof-of-work
- recap-relay: split `routes/internal-meetings.js` (deferred, "likely overkill") — source: recap-relay
- recap: 5 pending operator actions — verify iPad scroll fix (0.2.157), optional Gemini-key rotation, real-world cloud tests (first Bitcoin/Zaprite/reminder email), set `RECAP_TRUSTED_PROXY_HOPS` if CDN/LB added, smoke-test Daily Digest via admin endpoints — source: recap
- spark-control: (1) audio concurrency sweep only if Signal Engine dev wants the measured knee (needs owner OK, quiet window); (2) else pull from ROADMAP — local-path/fine-tuned model support or P2 debt — source: spark-control
- standards: (1) cross-repo quality-gate standard + `/harden` (unblocks `/new-project`'s deferred quality gate); (2) non-git-folder sweep under `~/Projects` (~13) — source: standards
- ten31-database: (1) Grant validates Phase B on the box ("Send Digest Now" + arm auto-send); (2) reports soft-delete sweep + tests; (3) fix `?limit=abc` crash; (4) freeze v2.0 thesis canonical; (5) reply-all for Tier-B drafts; (6) confirm Appendix-A + promote — source: ten31-database
- ten31-signal-engine: (1) finish ~700-doc backlog extraction (~67h); (2) `embed-claims`; (3) `two-sided --conviction STRIKE2022`; (4) **approve push of 2 commits to `main`** (blocked); (5) decide speed-up approach (recommend real-time concurrency over Batch API) — source: ten31-signal-engine
- ten31-transcripts: (1) backend URL primary→fallback + endpoint status indicator; (2) guard `mmss()` NaN/∞; (3) validate Meet visual fix (reject camera-off tiles) with real session — source: ten31-transcripts
---
## Not yet pushed down (inbox) — grouped by target project
These exist nowhere but `INBOX.md`; they have not reached any repo's ROADMAP.
- **ten31-transcripts** — `[chore][P1]` mini-retrofit (no `.claude/` dir; add inbox line, `settings.json`, canonical `.gitignore`, optional docs reorg). `[feature][P2]` add Jitsi.
- **recap** — `[feature][P2]` daily digest via SMTP. `[bug][P2]` mobile can't-scroll-to-top (attempted 0.2.157, UNVERIFIED).
- **ten31-database** — `[chore][P2]` reconcile networking facts (ClearNet/StartTunnel, not LAN/Tailscale).
- **standards** — `[feature][P2]` Gitea API automation in `/new-project`.
- **recap-relay** — `[chore][P3]` fix `/relay/analyze` request-shape wording (`{ prompt }`).
## Proposed new projects (inbox `(new:…)`)
Ideas awaiting the new-repo bootstrap (`/new-project`):
- **new:embedded-links-reader** `[project][P2]` — give the app an article/blog URL; it scrapes the author's embedded links, reads them, and summarizes them.
- **new:portfolio-scraper** `[project][P2]` — tracks portfolio companies (podcasts, tweets, founder appearances, news) and delivers a digest via email or another interface.
## Gaps
- **keysat** — registry is at `:55` but the live server still runs `:54`, and this session's merchant-profile write path is built but unreleased; the deployed product trails HEAD by two version steps.
- **proof-of-work** — `1.2.0:3` is built/sideloaded but the on-box boot + Safari first-tap verification is still pending; "deployed" is not yet "verified."
- **ten31-signal-engine** — 2 commits sit unpushed pending approval; the Strike adversarial gating test is mid-run, so its PASS/FAIL is not yet known.
- **recap / recap-relay** — several verification-dependent loose ends (Daily Digest off-box smoke test, iPad scroll fix) remain UNVERIFIED rather than closed.
- **start-os** — carries no AGENTS.md/ROADMAP.md; this is by design (external Start9 upstream clone), so it is excluded from the roundup rather than a missing-brain gap.
- Inbox health: no `(?)`-target or stale-looking items; all 9 untriaged items carry a clear target and type.