grant/standards
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cfe7f47964ef1513fdfeafdb040869f8deca52b3
standards/STATUS.md
T
Keysat 231bc9f1a0 Roundup snapshot — 2026-06-14
2026-06-14 14:22:57 -05:00

101 lines
7.2 KiB
Markdown
Raw Blame History

# Roundup — 2026-06-14
Repos scanned (9 git): CRM, premier-gunner, recap-relay, recap, spark-control, Workout-log,
ten31-transcripts, standards (meta/tooling).
Skipped: **start-os** (external upstream — Start9Labs/start-os, no AGENTS.md); **15 non-git
folders** under `~/Projects` (see Gaps).
> Generated by `/roundup` — read-only across all repos; quotes priorities/states as found and
> does not rank projects against each other. Overwritten each run; git history is the diff.
## Per-project snapshot
- **CRM** — Self-hosted venture-fund CRM + agentic AI layer, on Start9. Live `v0.1.0:74`,
healthy; `main` is **ahead** with a list-view soft-delete fix + 3 tests, not yet deployed.
In progress: reports-subsystem soft-delete sweep. Next: bump version + redeploy to ship the
queued fix.
- **premier-gunner** — Kid-friendly soccer-training tracker PWA (StartOS s9pk). Live
`v0.1.6:0`, all features shipped, nothing in progress. Next: set a real login password;
confirm speed units.
- **recap-relay** — Operator-side credit-metered AI relay (transcribe/diarize/analyze) +
internal-meetings; private Start9 only. At `0.2.124`; full eval done, all P0/P1 fixed.
In progress: open P2 queue (persist webhook dedup first).
- **recap** — YouTube/podcast summarizer (StartOS s9pk + `recaps.cc` cloud). Live (app
`0.2.155`). In progress: **P0/P1 security fixes required before exposing the cloud to
untrusted users.** Next: fix the P0/P1s.
- **spark-control** — StartOS controller for a dual DGX Spark cluster (vLLM swaps,
speech/embeddings/redaction). Live `v0.19.0:0`. In progress: Signal Engine flakiness
(transient GPU-busy) client-side remedy drafted; one CSRF click-through unverified.
- **Workout-log** — Self-hosted multi-user workout logger (Next.js, StartOS s9pk). `v1.2.0:1`
(Next 15 / React 19 upgrade) built + sideloaded; local checks green. Pending: on-box boot
verification. Next: P3 hardening batch.
- **ten31-transcripts** — macOS menu-bar app recording dual-track call audio → SparkControl
backend. Main clean + pushed, 73 tests pass, Release app built. In progress: Meet visual fix
(camera-off tiles) unverified. Next: persist backend URL + primary→fallback.
- **standards** (meta/tooling) — Agent-operating standards + the live global fleet. Built:
capture→triage→roundup loop, `/new-project`, deny-by-default `.gitignore`; git-hygiene audit
done (2026-06-14). Next: the `/harden` quality-gate standard.
## Priority queue (all projects + untriaged inbox)
**P0 — recap (block cloud exposure to untrusted users):**
- [P0] recap — arbitrary file write via `../../` path escape in library import (`:131-139`)
- [P0] recap — SSRF with read-back in podcast download (unguarded `http.get`, any host)
- [P0] recap — live Gemini key in git history (commit `d5046a0`, still active → rotate)
**P1:**
- [P1] recap — ESM `require("crypto")` ReferenceError in the license-purchase settle path
- [P1] recap — global `currentFreeJob` lock serializes the entire multi-tenant cloud
- [P1] recap — trial IP-cap + magic-link rate-limit bypass via spoofed `X-Forwarded-For`
- [P1] recap — StartOS registry submission blocked (missing `instructions.md`, wrong repo URLs, license gate)
- [P1] ten31-transcripts — mini-retrofit (no `.claude/`); **inbox (untriaged)** — see "Not yet pushed down"
**P2:**
- [P2] CRM — reports subsystem (~16 aggregate queries) still counts soft-deleted rows (next step #1)
- [P2] CRM — `?limit=abc` crashes
- [P2] recap-relay — persist webhook dedup so a restart can't double-credit/extend (`routes/credits.js:63`, `zaprite-webhook.js:27`)
- [P2] recap-relay — BTCPay manifest/deps decision (hard-required vs. truly optional)
- [P2] recap-relay — money-path unit tests; `cors()` scope off `/admin/*`; split 2225-line `routes/internal-meetings.js`; fix two AGENTS.md auth-doc drifts
- [P2] spark-control — no automated tests (swap state machine, proxies, SSH wrapper, package) — biggest coverage gap
- [P2] ten31-transcripts — guard `RecapAnalyzer.mmss()` against NaN/∞; rewrite stale README
**P3 — deferred hardening / hygiene:**
- [P3] recap — request-size caps, invoice-ID hijack binding, container root, in-memory rate-limit buckets, repo hygiene, packaging polish, doc reconciliation
- [P3] recap-relay — no `/relay/*` rate limiting, container root, dashboard XSS, `lan-fetch` TLS off; versions prune; stale `/relay/health` version; bulk doc fixes
- [P3] Workout-log — login timing oracle, CSP `unsafe-eval`, `/api/health` info disclosure, rate-limit map leak, `exerciseId` ownership on PATCH/sets POST, 30-day sessions, text max-length
- [P3] spark-control — stale README, deprecated `@app.on_event`, hardcoded version, unescaped `innerHTML` sink, packaging placeholders
- [P3] ten31-transcripts — reconcile `docs/` specs with reality, `SessionController` state-machine tests, smaller items in `EVALUATION.md`
**Unprioritized — needs triage (actionable next-steps with no priority marker as found):**
- CRM — bump version + rebuild/redeploy the queued list-view fix + tests; Grant+Jonathan freeze v2.0 canonical; build reply-all for Tier-B drafts; confirm Appendix-A + Maple/OpenSecret/Primal, then promote
- premier-gunner — set a real login password; confirm speed unit (mph vs km/h); decide on "log another" same-category session
- recap — persist provider preference server-side; apply Export ▾ to clip-collection panel; verify "Take Recaps home" licensing; confirm cloud paid-only vs. free-signed-in intent; Zaprite recurring (BLOCKED on Zaprite API); CI lint + type-check
- spark-control — on-box CSRF click-through test; forward concurrency note to Signal Engine dev; concurrency sweep; parakeet-asr `--memory` cap; start the ROADMAP tech-debt list (pytest harness first)
- Workout-log — tiered AI prompt formatting (JSON-schema output, etc.); (later) Next 15→16 upgrade; verify StartOS forwards real client IPs
- ten31-transcripts — persist backend URL in Settings + primary→fallback on connection failure
- standards — build the `/harden` quality-gate standard (item 1); the non-git-folder sweep
## Not yet pushed down (inbox)
These exist nowhere but `~/Projects/standards/INBOX.md` (1 untriaged item):
- **ten31-transcripts** — `[chore][P1]` Mini-retrofit: add the inbox-check line, create
`.claude/settings.json`, normalize `.gitignore` to the deny-by-default canonical block
(+ `.env.*` / `!.env.example`), and decide on a `docs/guides/` reorg. → run `/triage` inside
ten31-transcripts to route it.
## Proposed new projects
None — no `(new)` / `(new:name)` items in the inbox.
## Gaps
- **start-os** — external upstream (`Start9Labs/start-os`); no AGENTS.md/ROADMAP. Out of scope
(not your project); skipped, not a deficiency.
- **15 non-git folders under `~/Projects` are unprotected** (no git, no standards):
discount-watcher, expense-organizer, giga, Grand-Cayman-paddleboard, heart-rate, licensing,
one-river, satoshi-sleep, START9 PACKAGING, ten31-agents, ten31-command-center,
ten31-signal-engine, timestamp-converter, timestamp-newspaper, website-landing. Each needs
`git init` + retrofit, or an explicit "scratch, don't track" decision (tracked as the
standards item-6 non-git-folder sweep).
- No stale-looking Current states — every snapshot is dated 2026-06-13/14.
Reference in New Issue View Git Blame Copy Permalink