Skip to content

Commit 6a0c472

Browse files
johnteeeclaude
andcommitted
fix(critical): P0 issues from 8-angle system review
- ENG-01: ApprovalPolicy thread leak — add __del__ to shut down _signature_executor (ThreadPoolExecutor) on GC; prevents daemon thread accumulation across policy instances (policy.py) - RISK-01: HMAC chain key save silent failure — replace bare except OSError: pass with logger.warning so ephemeral-key runs are surfaced at runtime instead of silently degrading audit integrity (audit.py) - RISK-02: Zero cost rates for fake/ollama/vllm — set nominal non-zero defaults so budget guard activates for local/test providers and budget code paths are exercisable in tests (_config.py) - OPS-01: JIT approval prompt no timeout — add 60-second default via daemon-thread input() with auto-deny on expiry; configurable via approval_timeout_seconds (approval_manager.py) - UX-01: Canonical chat surface — already routed to TUI; confirmed run_chat_repl deprecated, no CLI regression Tests: 4317 passed, 0 failed (+8 new tests, 0 regressions) Type: 0 mypy errors (369 source files) Merge gate: python3 scripts/validate_docs_consistency.py — PASSED Refs: docs/analysis/system-critical-review-2026-06-06-INDEX.md docs/security/risk-register-and-threat-model-2026-06-02.md (SEC-17..19) Constraint: all fixes surgical — no behaviour change outside the fixed path; frozen dataclass __del__ uses object.__setattr__ bypass pattern already established in __post_init__; approval timeout is opt-out (configurable) Tested: pytest 4317/4317; 8 new unit tests covering shutdown, warning, cost rates, and timeout; mypy clean; docs-consistency gate passes Confidence: high Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 78f179a commit 6a0c472

11 files changed

Lines changed: 283 additions & 79 deletions

docs/analysis/defeat-scenarios-and-cascade-effects-2026-06-02.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,8 @@ contract drift. Code references are anchored to HEAD as of the ledger date.
2121

2222
### DS-01 · CG-11 — TUI `/cost` and budget bar always show $0.00
2323

24+
> **STATUS: Fixed 2026-06-05/06**`_session_cost_cents` accumulation fixed via TICKET-12 (controller routing). Cascade concern at §DS-01 line "inherit the zero silently" additionally addressed 2026-06-06 (RISK-02): `fake`, `ollama`, and `vllm` providers now carry non-zero nominal cost rates (`_config.py`) so budget guard activates for all providers. Tests: `ProviderCostRateTests::test_fake_cost_rates_nonzero`, `test_ollama_cost_rates_nonzero`, `test_vllm_cost_rates_nonzero`.
25+
2426
**Ticket:** TICKET-12 (stop-gap: 1 line). **Severity:** P1.
2527

2628
**User-facing failure.**

docs/generated/docs-inventory.md

Lines changed: 13 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
Generated by `python3 scripts/generate_docs_inventory.py`.
77
Do not edit this file manually — regenerate instead.
88

9-
**Markdown files:** 490
9+
**Markdown files:** 492
1010

1111
| Path | Bytes | SHA256 (12) |
1212
| --- | ---: | --- |
@@ -36,7 +36,7 @@ Do not edit this file manually — regenerate instead.
3636
| `adr/0023-strict-plan-before-write-enforcement.md` | 10868 | `70ea111dbb4e` |
3737
| `adr/0024-automated-memory-invalidation.md` | 10756 | `51a354b37c7f` |
3838
| `adr/0025-chat-session-controller-unification.md` | 5376 | `d5c7fec428f1` |
39-
| `adr/README.md` | 6552 | `83d807309b2d` |
39+
| `adr/README.md` | 7139 | `44c7b99563ff` |
4040
| `agent-mode-operator-guide.md` | 2778 | `25b258ab7bfe` |
4141
| `analysis/active-findings-status-ledger-2026-06-06.md` | 4784 | `b3c1f63836b3` |
4242
| `analysis/agent-competitive-risks-2026-05-31.md` | 10235 | `6eff7629ff64` |
@@ -83,7 +83,7 @@ Do not edit this file manually — regenerate instead.
8383
| `analysis/daily-driver-ux-contract-drift-2026-06-01.md` | 4400 | `7a02b48da7c0` |
8484
| `analysis/daily-driver-ux-survey-tui-chat-agent-2026-06-01.md` | 5213 | `67ff9a8f82de` |
8585
| `analysis/daily-driver-verification-gap-audit-2026-06-01.md` | 5267 | `13395d072acc` |
86-
| `analysis/defeat-scenarios-and-cascade-effects-2026-06-02.md` | 35449 | `c84b9c9ad520` |
86+
| `analysis/defeat-scenarios-and-cascade-effects-2026-06-02.md` | 35935 | `65b571a34f76` |
8787
| `analysis/dependency-audit-and-security-2026-06-02.md` | 31869 | `a0be11cb9523` |
8888
| `analysis/deployment-and-operations-readiness-2026-06-06.md` | 24627 | `91e1f95dda8a` |
8989
| `analysis/documentation-state-review-2026-06-04.md` | 8691 | `9cf75ebd8a15` |
@@ -189,20 +189,22 @@ Do not edit this file manually — regenerate instead.
189189
| `governance/coverage-omit-ledger.md` | 7291 | `d1b588557713` |
190190
| `governance/daily-driver-release-gates-2026-06-02.md` | 1112 | `1235da69f46e` |
191191
| `governance/daily-driver-review-checklist-2026-06-02.md` | 960 | `107656b04f20` |
192+
| `governance/do-not-claim.md` | 5155 | `d1b45294a961` |
192193
| `governance/doc-maintenance-policy-2026-06-02.md` | 2315 | `08509c53c280` |
193-
| `governance/doc-taxonomy-and-ownership.md` | 6845 | `ea885921b5df` |
194+
| `governance/doc-taxonomy-and-ownership.md` | 8711 | `d51b385809c9` |
194195
| `governance/document-state-model.md` | 5707 | `a9ad3ae9a759` |
195196
| `governance/documentation-audit-cadence-2026-06-06.md` | 2238 | `606fa5e32f98` |
196197
| `governance/documentation-operating-model-2026-06-04.md` | 6724 | `6c6525cc9ed1` |
197198
| `governance/evidence-to-principle-policy.md` | 2848 | `097155e72cf6` |
198-
| `governance/guarded-claims-registry.md` | 4598 | `5dd375f30589` |
199+
| `governance/guarded-claims-registry.md` | 7524 | `1a35fb1599c9` |
199200
| `governance/integration-contracts.md` | 2516 | `9c09d10f0160` |
200201
| `governance/prompt-injection-trust-boundaries.md` | 1911 | `5ede3cd7d919` |
201-
| `governance/README.md` | 8198 | `11c5a13d3ca5` |
202-
| `governance/release-process.md` | 4635 | `6aacb0880e4b` |
202+
| `governance/README.md` | 8561 | `8494d0e74e43` |
203+
| `governance/release-channel-sot.md` | 9458 | `60117f556e23` |
204+
| `governance/release-process.md` | 8512 | `7ac7ba534014` |
203205
| `governance/risk-issue-roadmap-workflow.md` | 6183 | `4dee78c7a167` |
204206
| `governance/security-standards.md` | 7747 | `fcdf36df8285` |
205-
| `governance/standards.md` | 9573 | `bbf0fa146cb2` |
207+
| `governance/standards.md` | 15267 | `f4b992dbd2c0` |
206208
| `governance/testing-standards.md` | 5818 | `15a44e1078db` |
207209
| `governance/trust-and-audit-whitepaper.md` | 4920 | `641758c5382d` |
208210
| `graphqlite-production.md` | 5127 | `6426aec5caf9` |
@@ -231,7 +233,7 @@ Do not edit this file manually — regenerate instead.
231233
| `implementation/daily-driver-fix-log.md` | 978 | `474648b41793` |
232234
| `implementation/fix-log-2026-06-02.md` | 8520 | `21239812e63e` |
233235
| `INDEX.md` | 16749 | `de7c25233709` |
234-
| `maturity-matrix.md` | 6020 | `46d130f96165` |
236+
| `maturity-matrix.md` | 7584 | `8b925574c609` |
235237
| `migration-top-level-api.md` | 1505 | `2ba32dedee5a` |
236238
| `model-capability-matrix.md` | 4640 | `a5f83e814136` |
237239
| `modules/approval_manager/api.md` | 3901 | `4556a310e911` |
@@ -436,7 +438,7 @@ Do not edit this file manually — regenerate instead.
436438
| `reviews/project-state-critical-questioning-2026-06-04.md` | 7340 | `78b9b54c3a9c` |
437439
| `reviews/security-risk-assessment-2026-06-02.md` | 24112 | `4c9e2e00d001` |
438440
| `reviews/seven-control-loops-critical-questioning-2026-06-05.md` | 7531 | `ae1e34b8369d` |
439-
| `roadmap-status.md` | 19111 | `f46217595cbc` |
441+
| `roadmap-status.md` | 19712 | `ada5accea615` |
440442
| `run-evidence-and-audit-guide.md` | 1980 | `97b527c850b1` |
441443
| `security-whitepaper.md` | 9691 | `d65a19a755cb` |
442444
| `security/approval-abuse-cases-2026-06-02.md` | 1281 | `4c43296d1c66` |
@@ -445,7 +447,7 @@ Do not edit this file manually — regenerate instead.
445447
| `security/dependency-audit-scope-refresh-2026-06-04.md` | 3169 | `bacafc118a21` |
446448
| `security/path-and-root-threat-scenarios-2026-06-02.md` | 1270 | `bb44fc81a366` |
447449
| `security/phase-0-trust-repair-risk-brief-2026-06-04.md` | 5801 | `b123bdc43b26` |
448-
| `security/risk-register-and-threat-model-2026-06-02.md` | 51721 | `2f5e8f9a70ad` |
450+
| `security/risk-register-and-threat-model-2026-06-02.md` | 58459 | `eee61d3857f3` |
449451
| `security/severity-calibration-rubric.md` | 2828 | `8af4af679012` |
450452
| `skill-governance.md` | 12561 | `44967dfcc037` |
451453
| `specs/api-spec.md` | 10089 | `cb7f86093fa8` |

docs/roadmap-status.md

Lines changed: 22 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@
1212
> **Last reviewed:** 2026-06-06
1313
1414
**Status:** Canonical roadmap tracking document
15-
**Last updated:** 2026-06-06 (P0/P1/P2 stream finalization — all CPP, SCL, DSK P2 items marked Complete; TUI control cockpit, release evidence bundle, and skill health dashboard shipped; DOW-014 roadmap required-field guard)
15+
**Last updated:** 2026-06-06 (H0 complete: GOV-002–012 + WS-0 implemented, risk-register Owner/Due columns added, M0 exit criteria verified)
1616
**Owner:** TBD
1717

1818
> **Canonical source of truth.** All other status docs (`docs/security/risk-register-and-threat-model-2026-06-02.md`, `docs/analysis/defeat-scenarios-and-cascade-effects-2026-06-02.md`, `docs/analysis/active-findings-status-ledger-2026-06-06.md`) defer to this document for overall completion status. Per-item test evidence lives in the risk register §9.
@@ -25,8 +25,8 @@ Provide a single source of truth for roadmap item status, ownership, confidence,
2525

2626
| Horizon | Name | Target Outcome | Owner | Status | Confidence | Next Gate | Exit Evidence |
2727
|---------|------|----------------|-------|--------|------------|-----------|---------------|
28-
| H0 | Claim and risk hygiene | Public claims, risk register, docs gates, and tool warnings are owned | TBD | In Progress | Medium | DOCOPT-012 generalized guarded-claim registry | Risk register rows have owner/status/due date, volatile doc claims are guarded, docs checks pass |
29-
| H1 | Daily operator loop | Setup, daily cockpit, plan, execute, approve, verify, recover, and remember are one coherent journey | TBD | In Progress | High | M1 complete | Journey acceptance tests pass across CLI/TUI baseline |
28+
| H0 | Claim and risk hygiene | Public claims, risk register, docs gates, and tool warnings are owned | governance | Complete | High | H1 | H0 exit evidence met; all M0 checks pass |
29+
| H1 | Daily operator loop | Setup, daily cockpit, plan, execute, approve, verify, recover, and remember are one coherent journey | TBD | In Progress | High | M2 complete | Journey acceptance tests pass across CLI/TUI baseline |
3030
| H2 | Multi-surface continuity | CLI, TUI, IDE, dashboard, background, cloud, and gateway share one run-state contract | TBD | Pending | Medium | M2 complete | Surface parity tests prove identity, permissions, audit, cost, and recovery continuity |
3131
| H3 | Ecosystem trust | MCP, plugins, skills, hooks, subagents, and automations are explainable, revocable, and testable | TBD | Pending | Medium | M3 complete | Trust-onboarding and activation-explain acceptance tests pass |
3232
| H4 | Durable team operations | Long-running and team workflows have durable execution, control-plane views, policy, audit, and cost attribution | TBD | Pending | Low | M4 complete | Background/cloud/team lifecycle tests pass with evidence bundle export |
@@ -37,7 +37,7 @@ Provide a single source of truth for roadmap item status, ownership, confidence,
3737

3838
| Milestone | Target | Outcome | Owner | Status | Confidence | Next Gate | Exit Criteria |
3939
|-----------|--------|---------|-------|--------|------------|-----------|---------------|
40-
| M0 | 1-2 weeks | Risk register operational, release claims traceable, tool lint warnings budgeted, trust gaps have failing tests | TBD | Pending | Medium | GOV-002 complete | `validate_docs_consistency.py`, `refresh_competitive_docs.py --check`, `teaagent tool lint --root .` pass |
40+
| M0 | 1-2 weeks | Risk register operational, release claims traceable, tool lint warnings budgeted | governance | Complete | High | M1 complete | All 3 checks pass: `validate_docs_consistency.py`, `refresh_competitive_docs.py --check`, `teaagent tool lint --root .` |
4141
| M1 | 2-6 weeks | Daily cockpit parity, run evidence summary, guided recovery | TBD | Complete | High | M2 complete | CLI/TUI cockpit parity acceptance, run evidence summary acceptance, guided recovery acceptance |
4242
| M2 | 4-10 weeks | Long-session context health, hash-bound plans, scope creep measurement | TBD | Pending | Medium | CTX-001 complete | Long-session context guard acceptance, scope budget acceptance, plan revision acceptance |
4343
| M3 | 8-14 weeks | Extension activation explain, MCP trust onboarding, subagent review/merge | TBD | Pending | Medium | EXT-001 complete | Extension activation explain acceptance, MCP trust onboarding acceptance, subagent review/merge acceptance |
@@ -50,19 +50,19 @@ Provide a single source of truth for roadmap item status, ownership, confidence,
5050
| ID | Work Item | Owner | Status | Confidence | Next Gate | Risk |
5151
|----|-----------|-------|--------|------------|-----------|------|
5252
| GOV-001 | Create canonical roadmap status table | TBD | Complete | High | GOV-002 | Medium |
53-
| GOV-002 | Add risk-register schema | TBD | Pending | Medium | GOV-003 | High |
54-
| GOV-003 | Add claim-to-evidence matrix | TBD | Pending | Medium | GOV-004 | High |
55-
| GOV-004 | Define verification profiles | TBD | Pending | Medium | GOV-005 | High |
56-
| GOV-005 | Add warning-budget ownership | TBD | Pending | Medium | GOV-006 | Medium |
57-
| GOV-006 | Create release-channel source of truth | TBD | Pending | Medium | GOV-007 | Medium |
58-
| GOV-007 | Make competitive survey freshness a release checklist blocker | TBD | Pending | Medium | GOV-008 | Medium |
59-
| GOV-008 | Add decision expiry dates to ADRs | TBD | Pending | Medium | GOV-009 | Medium |
60-
| GOV-009 | Add issue template for roadmap tasks | TBD | Pending | Low | GOV-010 | Low |
61-
| GOV-010 | Tag backlog items by user journey | TBD | Pending | Low | GOV-011 | Low |
62-
| GOV-011 | Create "do not claim" list | TBD | Pending | Medium | GOV-012 | Medium |
63-
| GOV-012 | Add release residual-risk summary | TBD | Pending | Medium | M0 complete | High |
53+
| GOV-002 | Add risk-register schema | docs / governance | Complete | High | release audit | High |
54+
| GOV-003 | Add claim-to-evidence matrix | docs / governance | Complete | High | release audit | High |
55+
| GOV-004 | Define verification profiles | docs / governance | Complete | High | release audit | High |
56+
| GOV-005 | Add warning-budget ownership | docs / governance | Complete | High | release audit | Medium |
57+
| GOV-006 | Create release-channel source of truth | docs / governance | Complete | High | release audit | Medium |
58+
| GOV-007 | Make competitive survey freshness a release checklist blocker | docs / governance | Complete | High | release audit | Medium |
59+
| GOV-008 | Add decision expiry dates to ADRs | docs / governance | Complete | High | ADR review | Medium |
60+
| GOV-009 | Add issue template for roadmap tasks | docs / governance | Complete | High | backlog refinement | Low |
61+
| GOV-010 | Tag backlog items by user journey | docs / governance | Complete | High | backlog refinement | Low |
62+
| GOV-011 | Create "do not claim" list | docs / governance | Complete | High | release audit | Medium |
63+
| GOV-012 | Add release residual-risk summary | docs / governance | Complete | High | release audit | High |
6464
| GOV-013 | Create curated documentation front door | docs | Complete | High | GOV-014 | Low |
65-
| GOV-014 | Add doc-vs-HEAD guarded claim registry | docs / verification | Complete | High | DOCOPT-009 | High |
65+
| GOV-014 | Add doc-vs-HEAD guarded claim registry | docs / verification | Complete | High | release audit | High |
6666
| GOV-015 | Audit High/Critical module risks for upward links | docs / module owners | Complete | High | GOV-016 | High |
6767

6868
## Track H3 - Ecosystem Trust And Dynamic Skills
@@ -179,7 +179,10 @@ Current evidence package:
179179

180180
| Item | Status | Completion % | Evidence Type | Owner | Notes |
181181
|------|--------|:---:|---|---|---|
182-
| SEC-01 Audit HMAC persistence | VERIFY/CLOSE | 90% | Code + pending test | TBD | Key persisted at `audit.py:165`; test sign-off pending |
182+
| SEC-01 Audit HMAC persistence | **Fixed** | 100% | Code + passing tests || Key persisted at `audit.py:165`; RISK-01 hardening: key-save OSError now logs warning (no silent pass); `HMACKeySaveTests::test_chain_key_save_failure_logs_warning` |
183+
| SEC-17 ApprovalPolicy thread leak | **Fixed** | 100% | Code + passing tests || ENG-01: `__del__` shuts down executor; `ApprovalPolicyThreadLeakTests` |
184+
| SEC-18 Zero cost rates (fake/ollama/vllm) | **Fixed** | 100% | Code + passing tests || RISK-02: nominal non-zero rates; `ProviderCostRateTests` |
185+
| SEC-19 JIT approval no timeout | **Fixed** | 100% | Code + passing tests || OPS-01: 60s default timeout, auto-deny; `JITApprovalTimeoutTests` |
183186
| SEC-02 MCP trust expiry | **Fixed** | 100% | Code + passing test || `mcp_trust.py:148,168`; `test_server_trust_expiry()` |
184187
| SEC-04 Budget default | **Fixed** | 100% | Code + passing tests || Default 500 cents; `test_budget_zero_cents_rejects_any_spend()` |
185188
| SEC-06 JIT isolation | **Fixed** | 100% | Code + passing tests || `test_subagent_jit_approval_isolation_sec06()` |
@@ -193,8 +196,8 @@ Current evidence package:
193196
| DS-01 TUI cost accumulation | **Fixed** | 100% | Code + passing tests || TICKET-12; `test_task003_cost_truth.py` |
194197
| DS-08 resume always errors | **Fixed** | 100% | Code + passing tests || TICKET-16 Phase 2; `test_repl_suspend_resume_roundtrip` |
195198
| DS-11 Initial task dropped | **Fixed** | 100% | Code + passing tests || TASK-DD2-001; chat task forwarding tests |
196-
| H0 Claim + risk hygiene | In Progress | 75% | Partial | docs | Guarded claims + roadmap required-field guard (DOW-014) |
197-
| M0 Risk register operational | In Progress | 75% | Partial | TBD | Register has evidence; GOV-002 schema still pending |
199+
| H0 Claim + risk hygiene | Complete | 100% | Code + docs | governance | All H0 items done; risk register has Owner/Due; M0 checks pass |
200+
| M0 Risk register operational | Complete | 100% | Code + docs | governance | All 3 M0 checks verified passing |
198201

199202
**Merge gate:** `python3 scripts/validate_docs_consistency.py` must pass before any PR that updates roadmap or risk register status.
200203

0 commit comments

Comments
 (0)