Skip to content

feat(tasks): add conditional claimability#1235

Merged
getlarge merged 6 commits into
mainfrom
issue-1158-rename-task-proposer-impose-terminology
May 26, 2026
Merged

feat(tasks): add conditional claimability#1235
getlarge merged 6 commits into
mainfrom
issue-1158-rename-task-proposer-impose-terminology

Conversation

@legreffier
Copy link
Copy Markdown
Contributor

@legreffier legreffier Bot commented May 25, 2026
edited by github-actions Bot
Loading

Summary

Implements conditional task claimability for promise-style task proposals and finishes the public rename from task imposer fields to proposer fields on the core task API surfaces.

  • adds waiting task status plus recursive claimCondition with all, any, task_status, and task_accepted
  • stores proposer fields and claim conditions in Postgres with a Drizzle migration
  • evaluates condition references with batched DB reads and batched Keto canViewTasks checks
  • promotes satisfied waiting tasks inside a transaction with a batched update
  • defers readiness checks for conditional downstream tasks, then re-runs strict async validation before promotion
  • updates REST schemas, TypeScript/Go generated clients, task UI, and console status handling
  • extends REST e2e coverage for a conditional judge_eval_attempt gated on two completed run_eval tasks

Notes

This keeps #1139's substrate-neutrality constraint: conditions only reference kernel task facts, not GitHub/platform predicates.

The previous follow-up idea in #1141 is superseded by proposer-declared conditional tasks: downstream work is created ahead of time and only becomes claimable after its conditions are satisfied.

Fixes #1158.
Supersedes #1141.

Validation

  • pnpm --filter @moltnet/task-service test
  • pnpm exec nx run @moltnet/task-ui:typecheck
  • pnpm exec nx run @moltnet/rest-api:typecheck
  • pnpm exec nx run @moltnet/console:typecheck
  • go test ./libs/moltnet-api-client/cmd/normalize-spec
  • pnpm run generate:openapi && pnpm run generate:client
  • pnpm run go:generate
  • pnpm run go:fmt
  • git diff --check

Not run locally: REST e2e execution, because the e2e Docker stack was not running in this workspace.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 25, 2026
edited
Loading

⚠️ CLI go.mod is behind internal Go module releases

The CLI release is intentionally decoupled from same-run Go lib releases, so apps/moltnet-cli/go.mod must already be bumped in a normal PR.

Detected drift:

  • moltnet-api-client: go.mod has v1.29.0, expected v1.29.1

Run these commands from apps/moltnet-cli:

GOWORK=off go get github.com/getlarge/themoltnet/libs/moltnet-api-client@v1.29.1
GOWORK=off go mod tidy

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 25, 2026
edited
Loading

🚨 Dependency Audit — Vulnerabilities found

Full report 
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: Incomplete fix for CVE-2023-48223: JWT       │
│                     │ Algorithm Confusion via Whitespace-Prefixed RSA Public │
│                     │ Key                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-mvf2-f6gm-w987      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: Cache Confusion via cacheKeyBuilder          │
│                     │ Collisions Can Return Claims From a Different Token    │
│                     │ (Identity/Authorization Mixup)                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.0.1 <6.2.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-rp9m-7r4c-75qg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ Arbitrary code execution in protobufjs                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <7.5.5                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xq3m-2v4x-88gg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ Arbitrary code execution in protobufjs                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.0.1                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xq3m-2v4x-88gg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: JWT auth bypass due to empty HMAC secret     │
│                     │ accepted by async key resolver                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.2.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.4                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-gmvf-9v4p-v8jc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-jwt accepts unknown `crit` header extensions (RFC │
│                     │ 7515 violation)                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-hm7r-c7qw-ghp6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Fastify has a Body Schema Validation Bypass via        │
│                     │ Leading Space in Content-Type Header                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fastify                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.3.2 <=5.8.4                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.8.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>fastify                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-247c-9743-5963      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-uri vulnerable to path traversal via              │
│                     │ percent-encoded dot segments                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-uri                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>ajv>fast-uri  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q3j6-qgpj-74h6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-uri vulnerable to host confusion via              │
│                     │ percent-encoded authority delimiters                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-uri                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>ajv>fast-uri  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v39h-62p7-jpjc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code injection through bytes field        │
│                     │ defaults in generated toObject code                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-66ff-xgx4-vchm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code injection through bytes field        │
│                     │ defaults in generated toObject code                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-66ff-xgx4-vchm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code generation gadget after prototype    │
│                     │ pollution                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-75px-5xx7-5xc7      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code generation gadget after prototype    │
│                     │ pollution                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-75px-5xx7-5xc7      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Process-wide denial of service through    │
│                     │ unsafe option paths                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jvwf-75h9-cwgg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Process-wide denial of service through    │
│                     │ unsafe option paths                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jvwf-75h9-cwgg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Denial of service through unbounded       │
│                     │ protobuf recursion                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-685m-2w69-288q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Denial of service through unbounded       │
│                     │ protobuf recursion                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-685m-2w69-288q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono missing validation of cookie name on write path   │
│                     │ in setCookie()                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-26pp-8wgv-hjvm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: Non-breaking space prefix bypass in cookie name  │
│                     │ handling in getCookie()                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r5rp-j6wh-rvv4      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: Path traversal in toSSG() allows writing files   │
│                     │ outside the output directory                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <=4.12.11                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xf4j-xp2r-rqqx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: Middleware bypass via repeated slashes in        │
│                     │ serveStatic                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-wmmm-f939-6g9c      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ @hono/node-server: Middleware bypass via repeated      │
│                     │ slashes in serveStatic                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @hono/node-server                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.19.13                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.19.13                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>@hono/node-   │
│                     │ server                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-92pp-h63x-v22m      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ fast-jwt has a ReDoS when using RegExp in allowed*     │
│                     │ leading to CPU exhaustion during token verification    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <=6.2.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-cjw9-ghj4-fwxf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ fast-jwt: Stateful RegExp (/g or /y) causes            │
│                     │ non-deterministic allowed-claim validation (logical    │
│                     │ DoS)                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <6.2.1                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3j8v-cgw4-2g6q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ hono Improperly Handles JSX Attribute Names Allows     │
│                     │ HTML Injection in hono/jsx SSR                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.14                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.14                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-458j-xx4x-4375      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono has incorrect IP matching in ipRestriction() for  │
│                     │ IPv4-mapped IPv6 addresses                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xpcf-pg52-r92g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono has CSS Declaration Injection via Style Object    │
│                     │ Values in JSX SSR                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.18                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-qp7p-654g-cw7p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ ip-address has XSS in Address6 HTML-emitting methods   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ip-address                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=10.1.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>express-rate- │
│                     │ limit>ip-address                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v2v4-37r5-5v8g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Denial of service from crafted field      │
│                     │ names in generated code                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-2pr8-phx7-x9h3      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Denial of service from crafted field      │
│                     │ names in generated code                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-2pr8-phx7-x9h3      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Prototype injection in generated message  │
│                     │ constructors                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-fx83-v9x8-x52w      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Prototype injection in generated message  │
│                     │ constructors                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-fx83-v9x8-x52w      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs has overlong UTF-8 decoding                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @protobufjs/utf8                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=1.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-                             │
│                     │ transformer>protobufjs>@protobufjs/utf8                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q6x5-8v7m-xcrf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs has overlong UTF-8 decoding                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q6x5-8v7m-xcrf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs has overlong UTF-8 decoding                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q6x5-8v7m-xcrf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono's Cache Middleware ignores Vary: Authorization /  │
│                     │ Vary: Cookie leading to cross-user cache leakage       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.18                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-p77w-8qqv-26rm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: bodyLimit() can be bypassed for chunked /        │
│                     │ unknown-length requests                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.16                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.16                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-9vqf-7f2p-gf9v      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ hono/jsx has Unvalidated JSX Tag Names that May Allow  │
│                     │ HTML Injection                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.16                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.16                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-69xw-7hcm-h432      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ brace-expansion: Large numeric range defeats           │
│                     │ documented `max` DoS protection                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ brace-expansion                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <5.0.6                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.0.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-coding-          │
│                     │ agent>minimatch>brace-expansion                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jxxr-4gwj-5jf2      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ ws: Uninitialized memory disclosure                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ws                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.20.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.20.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>ws                                               │
│                     │                                                        │
│                     │ libs__database>@dbos-inc/dbos-sdk>ws                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-58qx-3vcg-4xpx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs: Denial of Service via unbounded recursive  │
│                     │ JSON descriptor expansion                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.2.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jggg-4jg4-v7c6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs: Denial of Service via unbounded recursive  │
│                     │ JSON descriptor expansion                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.7                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.8                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>protobufjs                                       │
│                     │                                                        │
│                     │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jggg-4jg4-v7c6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ uuid: Missing buffer bounds check in v3/v5/v6 when buf │
│                     │ is provided                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ uuid                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <11.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=11.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>mqemitter-      │
│                     │ redis>hyperid>uuid                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-w5hq-g745-h8pq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ qs has a remotely triggerable DoS: qs.stringify        │
│                     │ crashes with TypeError on null/undefined entries in    │
│                     │ comma-format arrays when encodeValuesOnly is set       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ qs                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=6.11.1 <=6.15.1                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.15.2                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>express>qs    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q8mj-m7cp-5q26      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Elliptic Uses a Cryptographic Primitive with a Risky   │
│                     │ Implementation                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ elliptic                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.6.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ libs__auth>get-jwks>jwk-to-pem>elliptic                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-848j-6mx2-7j84      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Hono has improper validation of NumericDate claims     │
│                     │ (exp, nbf, iat) in JWT verify()                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.18                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-hm8q-7f3q-5f36      │
└─────────────────────┴────────────────────────────────────────────────────────┘
54 vulnerabilities found
Severity: 2 low | 31 moderate | 13 high | 8 critical

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 25, 2026
edited
Loading

⚠️ Knip — Unused code or dependencies found

Run pnpm run knip locally to see details, or pnpm run knip:fix to auto-fix some of them.

Full report 
�[93m�[4mUnused files�[24m�[39m (39)
.agents/skills/monitor-ci/scripts/ci-poll-decide.mjs                                       
.agents/skills/monitor-ci/scripts/ci-state-update.mjs                                      
apps/agent-daemon/src/node-sqlite.d.ts                                                     
apps/console/e2e/seed-diary-browser.ts                                                     
apps/landing/src/hooks/useFeedSSE.ts                                                       
apps/mcp-host/server.mjs                                                                   
apps/mcp-host/src/sandbox.ts                                                               
apps/mcp-server/src/schemas/index.ts                                                       
apps/rest-api/src/migrate.ts                                                               
apps/rest-api/src/sse/public-feed-poller.ts                                                
apps/rest-api/src/sse/sse-writer.ts                                                        
docs/.vitepress/env.d.ts                                                                   
evals/moltnet-practices/auth-middleware-early-return/fixtures/auth-plugin.ts               
evals/moltnet-practices/auth-middleware-early-return/fixtures/team-resolver.ts             
evals/moltnet-practices/e2e-raw-fetch-vs-api-client/fixtures/sdk.gen.ts                    
evals/moltnet-practices/repository-tenant-scope-bypass/fixtures/consolidate-workflow.ts    
evals/moltnet-practices/repository-tenant-scope-bypass/fixtures/diary-entry.repository.ts  
evals/moltnet-practices/rest-error-boundary/fixtures/pack-routes.ts                        
evals/moltnet-practices/rest-error-boundary/fixtures/verification-routes.ts                
evals/moltnet-practices/webhook-auth-status-code/fixtures/hooks.ts                         
examples/compile-context.ts                                                                
examples/diary-create.ts                                                                   
examples/diary-search.ts                                                                   
examples/register.ts                                                                       
examples/sign-entry.ts                                                                     
libs/context-distill/__tests__/benchmarks/cluster.bench.ts                                 
libs/context-distill/__tests__/benchmarks/compile.bench.ts                                 
test-fixtures/generate-ssh-vectors.mjs                                                     
test-fixtures/generate-x25519-vectors.mjs                                                  
tools/db/backfill-content-hashes.ts                                                        
tools/db/backfill-diary-team-links.ts                                                      
tools/db/backfill-keto-subject-set.ts                                                      
tools/db/backfill-personal-teams.ts                                                        
tools/db/backfill-team-relations-plural.ts                                                 
tools/db/cleanup-legacy-diary-tuples.ts                                                    
tools/generators/split-tsconfigs/index.ts                                                  
tools/generators/split-tsconfigs/schema.d.ts                                               
tools/src/tasks/seed-judge-fixture.ts                                                      
tools/src/verify-task-context.ts                                                           
�[93m�[4mUnused dependencies�[24m�[39m (41)
@earendil-works/gondolin                     apps/agent-daemon/package.json:32:6        
pino-pretty                                  apps/agent-daemon/package.json:45:6        
@moltnet/models                              apps/console/package.json:11:6             
@moltnet/entry-explore-mcp-app               apps/mcp-server/package.json:30:6          
@themoltnet/design-system                    apps/mcp-server/package.json:34:6          
@fastify/otel                                apps/mcp-server/package.json:36:6          
@opentelemetry/exporter-metrics-otlp-proto   apps/mcp-server/package.json:38:6          
@opentelemetry/exporter-trace-otlp-proto     apps/mcp-server/package.json:39:6          
@opentelemetry/instrumentation               apps/mcp-server/package.json:40:6          
@opentelemetry/instrumentation-dns           apps/mcp-server/package.json:41:6          
@opentelemetry/instrumentation-http          apps/mcp-server/package.json:42:6          
@opentelemetry/instrumentation-net           apps/mcp-server/package.json:43:6          
@opentelemetry/instrumentation-pino          apps/mcp-server/package.json:44:6          
@opentelemetry/instrumentation-pg            apps/mcp-server/package.json:45:6          
@opentelemetry/instrumentation-runtime-node  apps/mcp-server/package.json:46:6          
@opentelemetry/instrumentation-undici        apps/mcp-server/package.json:47:6          
@opentelemetry/resources                     apps/mcp-server/package.json:48:6          
@opentelemetry/sdk-metrics                   apps/mcp-server/package.json:49:6          
@opentelemetry/sdk-trace-base                apps/mcp-server/package.json:50:6          
@opentelemetry/sdk-trace-node                apps/mcp-server/package.json:51:6          
@opentelemetry/semantic-conventions          apps/mcp-server/package.json:52:6          
pino                                         apps/mcp-server/package.json:56:6          
pino-opentelemetry-transport                 apps/mcp-server/package.json:57:6          
thread-stream                                apps/mcp-server/package.json:58:6          
multiformats                                 apps/rest-api/package.json:36:6            
@huggingface/transformers                    apps/rest-api/package.json:38:6            
@opentelemetry/exporter-metrics-otlp-proto   apps/rest-api/package.json:48:6            
@opentelemetry/instrumentation               apps/rest-api/package.json:50:6            
@opentelemetry/resources                     apps/rest-api/package.json:58:6            
@opentelemetry/sdk-metrics                   apps/rest-api/package.json:59:6            
@opentelemetry/sdk-trace-base                apps/rest-api/package.json:60:6            
@opentelemetry/sdk-trace-node                apps/rest-api/package.json:61:6            
@opentelemetry/semantic-conventions          apps/rest-api/package.json:62:6            
pino-pretty                                  apps/rest-api/package.json:70:6            
thread-stream                                apps/rest-api/package.json:71:6            
@noble/hashes                                libs/context-pack-service/package.json:19:6
tslib                                        package.json:156:6                         
@moltnet/auth                                tools/package.json:39:6                    
@moltnet/models                              tools/package.json:46:6                    
drizzle-orm                                  tools/package.json:54:6                    
fastq                                        tools/package.json:55:6                    
�[93m�[4mUnused devDependencies�[24m�[39m (14)
@moltnet/bootstrap      apps/mcp-server/package.json:61:6           
@moltnet/database       apps/mcp-server/package.json:62:6           
drizzle-orm             apps/mcp-server/package.json:65:6           
pino-pretty             apps/mcp-server/package.json:66:6           
vitest                  libs/bootstrap/package.json:24:6            
testcontainers          libs/diary-service/package.json:29:6        
@testing-library/react  libs/entry-explore-mcp-app/package.json:30:6
vitest                  libs/mcp-test-harness/package.json:23:6     
@nx/devkit              package.json:83:6                           
@swc/helpers            package.json:95:6                           
husky                   package.json:103:6                          
lint-staged             package.json:108:6                          
vite-plugin-dts         package.json:116:6                          
@types/figlet           tools/package.json:61:6                     
�[93m�[4mReferenced optional peerDependencies�[24m�[39m (1)
ink  libs/design-system/package.json
�[93m�[4mUnlisted dependencies�[24m�[39m (2)
@moltnet/database  evals/moltnet-practices/e2e-raw-fetch-vs-api-client/fixtures/governance.e2e.test.ts:19:46
pg                 libs/diary-service/__tests__/diary-service.dbos.integration.test.ts:38:27                
�[93m�[4mUnlisted binaries�[24m�[39m (7)
openssl                                             .github/actions/legreffier-run-task/action.yml
python3                                             .github/workflows/ci.yml                      
clawhub                                             .github/workflows/release.yml                 
go                                                  package.json                                  
gofmt                                               package.json                                  
packages/openclaw-skill/scripts/publish-clawhub.sh  package.json                                  
packages/openclaw-skill/scripts/package.sh          package.json                                  
�[93m�[4mUnused exports�[24m�[39m (84)
DaemonSlotRegistryError           class     apps/agent-daemon/src/lib/daemon-slot-registry.ts:8:14        
COMMON_REQUIRED_FLAGS                       apps/agent-daemon/src/lib/help.ts:3:14                        
COMMON_OPTIONAL_FLAGS                       apps/agent-daemon/src/lib/help.ts:10:14                       
buildDaemonSlotId                 function  apps/agent-daemon/src/lib/task-execution-plan.ts:78:17        
ENTRY_TYPE_LABELS                           apps/console/src/diaries/utils.ts:14:3                        
ENTRY_TYPES                                 apps/console/src/diaries/utils.ts:15:3                        
estimateTokenCount                          apps/console/src/diaries/utils.ts:16:3                        
formatDateTime                              apps/console/src/diaries/utils.ts:17:3                        
ENTRY_TYPE_OPTIONS                          apps/console/src/diaries/utils.ts:21:14                       
getEntryTypeQuery                 function  apps/console/src/diaries/utils.ts:29:17                       
API_BASE_URL                                apps/landing/src/api.ts:16:14                                 
handleDiaryTags                   function  apps/mcp-server/src/diary-tools.ts:315:23                     
handleGrantCreate                 function  apps/mcp-server/src/grant-tools.ts:38:23                      
handleGrantRevoke                 function  apps/mcp-server/src/grant-tools.ts:70:23                      
handleGrantList                   function  apps/mcp-server/src/grant-tools.ts:102:23                     
handlePacksUpdate                 function  apps/mcp-server/src/pack-tools.ts:295:23                      
handleRenderedPacksUpdate         function  apps/mcp-server/src/pack-tools.ts:385:23                      
handlePacksDiff                   function  apps/mcp-server/src/pack-tools.ts:487:23                      
handleSignMessage                 function  apps/mcp-server/src/prompts.ts:212:23                         
EntryMapZoneSearchSchema                    apps/mcp-server/src/schemas/entry-explore-schemas.ts:9:14     
EntryMapZoneProvenanceSchema                apps/mcp-server/src/schemas/entry-explore-schemas.ts:24:14    
EntryMapZoneSchema                          apps/mcp-server/src/schemas/entry-explore-schemas.ts:47:14    
EntryMapDataSchema                          apps/mcp-server/src/schemas/entry-explore-schemas.ts:88:14    
CustomPackEntrySelectionSchema              apps/mcp-server/src/schemas/pack-schemas.ts:107:14            
handleTeamsList                   function  apps/mcp-server/src/team-tools.ts:62:23                       
handleTeamMembersList             function  apps/mcp-server/src/team-tools.ts:84:23                       
handleTeamsCreate                 function  apps/mcp-server/src/team-tools.ts:109:23                      
handleTeamsJoin                   function  apps/mcp-server/src/team-tools.ts:132:23                      
handleTeamsDelete                 function  apps/mcp-server/src/team-tools.ts:155:23                      
handleTeamsInviteCreate           function  apps/mcp-server/src/team-tools.ts:178:23                      
handleTeamsInviteList             function  apps/mcp-server/src/team-tools.ts:211:23                      
handleTeamsInviteDelete           function  apps/mcp-server/src/team-tools.ts:236:23                      
handleTeamsMemberRemove           function  apps/mcp-server/src/team-tools.ts:264:23                      
ServerConfigSchema                          apps/rest-api/src/config.ts:26:14                             
DatabaseConfigSchema                        apps/rest-api/src/config.ts:38:14                             
WebhookConfigSchema                         apps/rest-api/src/config.ts:43:14                             
RecoveryConfigSchema                        apps/rest-api/src/config.ts:47:14                             
OryConfigSchema                             apps/rest-api/src/config.ts:51:14                             
ObservabilityConfigSchema                   apps/rest-api/src/config.ts:62:14                             
EmbeddingConfigSchema                       apps/rest-api/src/config.ts:98:14                             
SecurityConfigSchema                        apps/rest-api/src/config.ts:105:14                            
loadEmbeddingConfig               function  apps/rest-api/src/config.ts:264:17                            
loadPackGcConfig                  function  apps/rest-api/src/config.ts:274:17                            
loadTaskOrphanSweeperConfig       function  apps/rest-api/src/config.ts:284:17                            
acceptsProblemJson                          apps/rest-api/src/problems/index.ts:2:3                       
findProblemTypeByCode                       apps/rest-api/src/problems/index.ts:8:3                       
findProblemTypeByStatus                     apps/rest-api/src/problems/index.ts:9:3                       
getTypeUri                                  apps/rest-api/src/problems/index.ts:10:3                      
problemTypes                                apps/rest-api/src/problems/index.ts:12:3                      
DiaryTagCountSchema                         apps/rest-api/src/schemas/diary.ts:58:14                      
PublicAuthorSchema                          apps/rest-api/src/schemas/diary.ts:123:14                     
ContextPackEntrySchema                      apps/rest-api/src/schemas/packs.ts:9:14                       
TaskTypeDescriptorSchema                    apps/rest-api/src/schemas/tasks.ts:215:14                     
inflateRowCreator                 function  apps/rest-api/src/utils/auth-principal.ts:142:23              
resolvePrincipal                            apps/rest-api/src/utils/auth-principal.ts:191:10              
consolidateQueue                            apps/rest-api/src/workflows/context-distill-workflows.ts:58:14
compileQueue                                apps/rest-api/src/workflows/context-distill-workflows.ts:63:14
HumanOnboardingError              class     apps/rest-api/src/workflows/human-onboarding-workflow.ts:36:14
compileQueue                                apps/rest-api/src/workflows/index.ts:2:3                      
consolidateQueue                            apps/rest-api/src/workflows/index.ts:4:3                      
contextDistillWorkflows                     apps/rest-api/src/workflows/index.ts:7:3                      
diaryTransferWorkflow                       apps/rest-api/src/workflows/index.ts:14:3                     
TRANSFER_DECISION_EVENT                     apps/rest-api/src/workflows/index.ts:17:3                     
HumanOnboardingError                        apps/rest-api/src/workflows/index.ts:22:3                     
DEFAULT_WORKFLOW_TIMEOUT_MS                 apps/rest-api/src/workflows/index.ts:56:3                     
runWorkflow                                 apps/rest-api/src/workflows/index.ts:57:3                     
FOUNDING_ACCEPT_EVENT                       apps/rest-api/src/workflows/index.ts:61:3                     
TeamFoundingTimeoutError                    apps/rest-api/src/workflows/index.ts:67:3                     
teamFoundingWorkflow                        apps/rest-api/src/workflows/index.ts:68:3                     
DEFAULT_WORKFLOW_TIMEOUT_MS                 apps/rest-api/src/workflows/run-workflow.ts:14:14             
TeamFoundingTimeoutError          class     apps/rest-api/src/workflows/team-founding-workflow.ts:32:14   
DBOSWorkflowConflictError                   libs/database/src/dbos.ts:154:3                               
DEFAULT_DISPATCH_TIMEOUT_SECONDS            libs/database/src/workflows/task-workflows.ts:125:14          
DEFAULT_RUNNING_TIMEOUT_SECONDS             libs/database/src/workflows/task-workflows.ts:129:14          
MAX_PUBLIC_CONTENT_LENGTH                   libs/diary-service/src/diary-service.ts:53:14                 
nextStepId                        function  libs/entry-explore-mcp-app/src/state/map.ts:117:17            
resolveTaskScratchPath            function  libs/pi-extension/src/runtime/task-workspace.ts:130:17        
makeClient                        function  packages/legreffier-cli/src/api.ts:78:17                      
formatPortIssues                  function  packages/legreffier-cli/src/phases/portValidate.ts:213:17     
gitMergeBase                      function  tools/src/tasksmith/gh-client.ts:151:23                       
gitShowFileAtRef                  function  tools/src/tasksmith/gh-client.ts:206:23                       
SEED_INSTRUCTION                            tools/src/tasksmith/task-extractor.ts:538:10                  
verifyTask                        function  tools/src/tasksmith/verify.ts:356:23                          
cleanupPrArtifacts                function  tools/src/tasksmith/verify.ts:480:23                          
�[93m�[4mUnused exported types�[24m�[39m (55)
MailRecord                 interface  apps/console/e2e/helpers/mailslurper.ts:3:18                      
UiResourceData             interface  apps/mcp-host/src/implementation.ts:25:18                         
EntryMapZoneSearch         type       apps/mcp-server/src/schemas/entry-explore-schemas.ts:22:13        
EntryMapZone               type       apps/mcp-server/src/schemas/entry-explore-schemas.ts:86:13        
CorsPluginOptions          interface  apps/rest-api/src/plugins/cors.ts:11:18                           
RateLimitPluginOptions     interface  apps/rest-api/src/plugins/rate-limit.ts:14:18                     
ProblemType                type       apps/rest-api/src/problems/index.ts:11:8                          
AgentPrincipal             type       apps/rest-api/src/schemas/principal.ts:37:8                       
HumanPrincipal             type       apps/rest-api/src/schemas/principal.ts:39:8                       
PrincipalIdentity          type       apps/rest-api/src/schemas/principal.ts:41:8                       
CreateTaskInput            type       apps/rest-api/src/services/task.service.ts:2:8                    
AuthContext                type       apps/rest-api/src/types.ts:14:3                                   
PermissionChecker          type       apps/rest-api/src/types.ts:15:3                                   
RelationshipReader         type       apps/rest-api/src/types.ts:16:3                                   
RelationshipWriter         type       apps/rest-api/src/types.ts:17:3                                   
CompileWorkflowInput       type       apps/rest-api/src/workflows/index.ts:3:8                          
ConsolidateWorkflowInput   type       apps/rest-api/src/workflows/index.ts:5:8                          
ContextDistillDeps         type       apps/rest-api/src/workflows/index.ts:6:8                          
DiaryTransferDeps          type       apps/rest-api/src/workflows/index.ts:12:8                         
DiaryTransferResult        type       apps/rest-api/src/workflows/index.ts:13:8                         
TransferDecision           type       apps/rest-api/src/workflows/index.ts:18:8                         
HumanOnboardingDeps        type       apps/rest-api/src/workflows/index.ts:21:8                         
HumanOnboardingResult      type       apps/rest-api/src/workflows/index.ts:23:8                         
LegreffierOnboardingDeps   type       apps/rest-api/src/workflows/index.ts:34:8                         
MaintenanceDeps            type       apps/rest-api/src/workflows/index.ts:43:8                         
RegistrationDeps           type       apps/rest-api/src/workflows/index.ts:48:8                         
RegistrationResult         type       apps/rest-api/src/workflows/index.ts:49:8                         
RunWorkflowOptions         type       apps/rest-api/src/workflows/index.ts:58:8                         
FoundingMember             type       apps/rest-api/src/workflows/index.ts:62:8                         
TeamFoundingDeps           type       apps/rest-api/src/workflows/index.ts:65:8                         
TeamFoundingResult         type       apps/rest-api/src/workflows/index.ts:66:8                         
AdoptionState              interface  docs/.vitepress/theme/auth/useAdoption.ts:38:18                   
AdoptionStageKey           type       docs/.vitepress/theme/auth/useAdoption.ts:284:13                  
AdoptionStage              interface  docs/.vitepress/theme/auth/useAdoption.ts:292:18                  
DocsTeam                   interface  docs/.vitepress/theme/auth/useTeamSelection.ts:9:18               
SessionResolverLogger      interface  libs/auth/src/session-resolver.ts:24:18                           
GroupCreator               interface  libs/database/src/repositories/group.repository.ts:15:18          
EntriesListArgs            interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:28:18        
EntriesSearchArgs          interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:38:18        
DiaryTagsArgs              interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:50:18        
EntriesGetArgs             interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:57:18        
PacksCreateArgs            interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:63:18        
PacksUpdateArgs            interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:71:18        
PacksProvenanceArgs        interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:77:18        
CommandRegistrar           type       libs/pi-extension/src/commands/index.ts:5:3                       
SessionMeta                type       libs/pi-extension/src/commands/index.ts:7:3                       
RateLimitRetryOptions      type       libs/sdk/src/retry.ts:5:15                                        
AgentAdapter               type       packages/legreffier-cli/src/adapters/index.ts:11:15               
AgentAdapterOptions        type       packages/legreffier-cli/src/adapters/index.ts:11:29               
ResolveInstallationStatus  type       packages/legreffier-cli/src/phases/portResolveInstallation.ts:6:13
VerifyInstallationStatus   type       packages/legreffier-cli/src/phases/portVerifyInstallation.ts:4:13 
InitPhase                  type       packages/legreffier-cli/src/state.ts:4:13                         
EvalMode                   type       tools/src/tasks/scenario.ts:31:13                                 
EvalWorkspace              type       tools/src/tasks/scenario.ts:32:13                                 
ScenarioCriterion          interface  tools/src/tasks/scenario.ts:34:18                                 
�[93m�[4mUnused catalog entries�[24m�[39m (4)
@anthropic-ai/claude-agent-sdk  default  pnpm-workspace.yaml:25:4 
@fastify/static                 default  pnpm-workspace.yaml:35:4 
@openai/codex-sdk               default  pnpm-workspace.yaml:60:4 
zod                             default  pnpm-workspace.yaml:146:3
�[33m�[4mConfiguration hints�[24m (5)�[39m
. �[90m(root)�[39m                …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["."]�[90m (17 unused files)�[39m        
tools                   …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["tools"]�[90m (10 unused files)�[39m    
apps/rest-api           …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["apps/rest-api"]�[90m (3 unused fi…�[39m
libs/context-distill    …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["libs/context-distill"]�[90m (2 un…�[39m
apps/mcp-host           …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["apps/mcp-host"]�[90m (2 unused fi…�[39m
 ELIFECYCLE  Command failed with exit code 1.

@getlarge getlarge marked this pull request as ready for review May 25, 2026 06:26
@getlarge getlarge force-pushed the issue-1158-rename-task-proposer-impose-terminology branch from b52d092 to 55776fb Compare May 25, 2026 06:28
@legreffier
Copy link
Copy Markdown
Contributor Author

legreffier Bot commented May 25, 2026

Complexity Review (PR #1235)

Composite Score: 0.30 / 1.00
Verdict: High complexity / low reviewability — recommend splitting into 3-4 smaller PRs

Criterion Scores

Criterion Weight Score Rationale
cognitive_load 0.25 ❌ FAIL PR mixes schema migration, recursive type, batch auth, promotion workflow, generated client regeneration, and UI updates. 8.8K lines across 35 files forces reviewer to juggle multiple intertwined concerns.
blast_radius 0.25 ❌ FAIL Touches database schema, core task service, auth permission layer, REST API, generated TypeScript + Go clients, and console UI. Changes propagate across the entire task system surface.
test_coverage_delta 0.20 ❌ FAIL One new E2E test added. No unit tests for claim-condition.ts (validateClaimConditionShape, evaluateClaimConditionFromTasks, collectConditionTaskIds) or promoteWaitingTasks repo method. Test additions not proportional to risk.
security_surface 0.20 ✅ PASS Auth changes are extensions of existing permission checks (batch canViewTasks, readability assertions on condition-referenced tasks). No new auth mechanisms, secrets, or crypto surfaces introduced.
reviewer_orientation 0.10 ✅ PASS PR description clearly explains the feature, design constraints (substrate-neutrality), and validation commands. Links to superseded/fixed issues.

Main Complexity Drivers

  1. Generated client bulk: ~6K lines of regenerated TypeScript + Go clients obscures actual logic changes
  2. Schema + logic coupling: Database migration (enum + column + FK renames) intertwined with new recursive evaluation logic
  3. Batch auth path: New canViewTasks() method + assertClaimConditionReadable() adds permission-check surface that needs careful review
  4. Transactional promotion: promoteWaitingTasks() workflow with strict validation re-runs adds concurrency considerations

Recommendation

Split into:

  1. Schema migration + generated clients (mechanical)
  2. claim-condition.ts with unit tests (isolated logic)
  3. Task service integration + E2E (behavioral)
  4. UI updates (presentation)

Review performed for task 6dbfe5cf-69f6-459e-8c3b-64c71afa7bb4 (pr_review)

@getlarge getlarge force-pushed the issue-1158-rename-task-proposer-impose-terminology branch from 55776fb to d4dea76 Compare May 25, 2026 15:18
@legreffier legreffier Bot force-pushed the issue-1158-rename-task-proposer-impose-terminology branch from d4dea76 to 502e83a Compare May 26, 2026 08:41
@getlarge
Copy link
Copy Markdown
Owner

getlarge commented May 26, 2026

@claude review

@claude
Copy link
Copy Markdown

claude Bot commented May 26, 2026

Code Review — PR #1235 feat(tasks): add conditional claimability

Reviewed at commit 502e83a (branch issue-1158-rename-task-proposer-impose-terminology).

Files read: libs/task-service/src/{claim-condition,task.service,wire-mappers,task.service.test}.ts, libs/database/src/{schema,repositories/task.repository}.ts, libs/database/drizzle/0014_task_claim_conditions.sql, libs/auth/src/permission-checker.ts, libs/tasks/src/{wire,async-validation}.ts, libs/tasks/src/task-types/judge-eval-attempt.ts, apps/rest-api/{src/routes/tasks,e2e/judge-eval-attempt.e2e.test}.ts. The mechanical imposedBy*proposedBy* renames across REST/MCP/Go/TS clients were spot-checked but not line-audited.

Summary

The feature is well-structured and the core mechanics are correct. The condition evaluator is a clean recursive tree-walk with no evaluation cycles (conditions reference task statuses, not other conditions, and self-reference is impossible at create time since the row has no id yet). Authorization is handled in the right order: assertClaimConditionReadable runs a batched canViewTasks check before isClaimConditionSatisfied reads the referenced rows, and promotion re-validates under the proposer's identity, so a proposer cannot craft a condition referencing tasks they cannot see. The migration is correct (nullable claim_condition with no default is right for existing rows; ADD VALUE 'waiting' is valid PG12+; renames preserve data; the new XOR check holds for existing rows). The claim route correctly rejects waiting with 409, and waiting tasks are cancellable.

The main substantive findings are around when promotion fires and promotion as a failure-coupled, unbounded side effect.

Issues

🔴 Important (non-blocking but worth addressing)

1. waiting tasks can get stuck forever when the unblocking transition is expired (or any workflow-driven terminal)

promoteSatisfiedWaitingTasks() is invoked only from complete, fail, and cancel in task.service.ts (lines ~1237, ~1327, ~1436). It is not exposed on the service and not driven by any sweeper or cron. A ClaimCondition can legitimately gate on { op: 'task_status', statuses: ['expired'] }. A producer task transitions to expired via the DBOS workflow timeout / orphan-recovery path — none of which call promotion. So a waiting task whose condition becomes satisfiable purely by expiry will never be promoted.

Suggested fix: also trigger promotion on the workflow-driven expired/terminal transition, or add a periodic sweeper that calls promoteSatisfiedWaitingTasks().

2. A failure inside promoteSatisfiedWaitingTasks() fails the primary request that already succeeded

The calls are awaited with no surrounding try/catch, immediately before return dbTaskToWire(updated). The completion/cancellation has already committed at this point. Promotion does real work that can throw — it opens a DB transaction and, inside it, runs validateTaskInputAsync which issues Keto network calls and additional DB reads. If Keto blips or the tx errors, the worker's /complete (or a caller's /cancel) gets a 500 even though the operation succeeded, likely triggering spurious retries from the executor.

Promotion is a best-effort side effect; wrapping it in try/catch with a log-on-failure path would make this resilient:

try {
  await promoteSatisfiedWaitingTasks();
} catch (err) {
  fastify.log.error({ err }, 'promoteSatisfiedWaitingTasks failed after task transition');
}

3. Promotion is an unbounded, system-wide scan that holds a DB transaction across external network calls

promoteSatisfiedWaitingTasks() calls taskRepository.listWaitingTasks(), which is SELECT ... WHERE status='waiting' with no team scope and no filter on whether the just-finished task is even referenced. For every terminal transition of any task in the system, it re-evaluates every waiting task and re-runs full async validation (DB + Keto calls) for each — all inside one runInTransaction block. This is O(global waiting tasks) per terminal event and holds a DB transaction open across N external network calls.

Consider scoping the scan to waiting tasks that reference the completed task (e.g. a JSONB containment query on claim_condition), and moving per-task validation outside the transaction (evaluate first, then promote the satisfied IDs in a short transaction).

🟡 Non-blocking

4. Test coverage gaps for the condition evaluator

task.service.test.ts exercises only the task_accepted op. There are no unit tests for:

  • task_status op
  • all/any operators (partial vs. full satisfaction)
  • A referenced task that does not exist in the DB
  • promoteSatisfiedWaitingTasks itself (the mocks return empty arrays, so the promotion path, evaluateClaimConditionFromTasks, and collectConditionTaskIds are never unit-covered)

The e2e covers all + task_accepted happy path only. claim-condition.ts is pure and very easy to unit-test; given the TDD/AAA emphasis in CLAUDE.md, isolated unit tests for the evaluator would close this gap cleanly.

5. No depth/breadth bound on the recursive ClaimCondition

all/any arrays have minItems: 1 but no maxItems, and there is no nesting-depth cap in the schema or evaluator. Deeply nested input is bounded only by the HTTP body limit. This is a defensive-hardening note rather than a blocking concern — the empty-array case is genuinely prevented by minItems: 1, and the evaluator's .every()/.some() would handle it correctly anyway.

6. expiresAt is unenforced for waiting tasks; queuedAt is not updated on promotion

A waiting task never enters the DBOS workflow (no claim), so its expiresAt is never acted upon — it can sit waiting past expiry indefinitely. Separately, promoteWaitingTasks flips status to queued without updating queuedAt, so promoted tasks carry their original creation-time timestamp. Both may be intentional design decisions, but worth a deliberate call.

Positives

  • Authorization ordering is correct. assertClaimConditionReadable runs visibility + existence checks before evaluation, and returns an indistinguishable error — matching the UUID-guessing threat model already documented in makeAsyncValidationContext.
  • canViewTasks batch method mirrors the existing canReadPacks pattern in permission-checker.ts (consistent Map return, index-aligned, ?? false default). Clean addition.
  • Promotion re-validates under proposer identity with currentTaskId set, correctly excluding the task from its own duplicate-judge check and preventing privilege escalation.
  • promoteWaitingTasks UPDATE is guarded with AND status='waiting', making the batched promotion idempotent under concurrency — concurrent promotions and concurrent claim/cancel cannot double-promote.
  • Missing referenced task is treated as unsatisfied (task ? ... : false and the ?. chain on acceptedAttemptN), avoiding false promotions when a condition references a task that was deleted or is invisible.
  • deferReadinessChecks/currentTaskId are threaded cleanly through AsyncTaskValidationContext so a conditional judge can be proposed before its producer is ready, while stable facts (type, existence, visibility, duplicate guard) are still enforced at create time.
  • Migration and schema are coherent: nullable claim_condition, correct ADD VALUE ... BEFORE 'queued', FK + XOR rename done safely, and wire-mappers.ts round-trips the nullable condition correctly.
  • The e2e scenario (keeps a conditional judge task waiting until all promised run evals are accepted) is a meaningful golden-path integration test that covers the full state machine: waiting → premature-claim-rejected → partial-complete → still-waiting → full-complete → promoted → claimable.

@getlarge getlarge force-pushed the issue-1158-rename-task-proposer-impose-terminology branch from 502e83a to 61c4a7c Compare May 26, 2026 10:49
getlarge
getlarge reviewed May 26, 2026
View reviewed changes
Comment thread infra/ory/permissions.ts
Comment thread libs/auth/src/permission-checker.ts
@getlarge getlarge force-pushed the issue-1158-rename-task-proposer-impose-terminology branch from afcf61c to 1d2bb41 Compare May 26, 2026 16:39
@getlarge getlarge merged commit 78bb795 into main May 26, 2026
30 checks passed
@getlarge getlarge deleted the issue-1158-rename-task-proposer-impose-terminology branch May 26, 2026 16:52
@legreffier legreffier Bot mentioned this pull request May 26, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@getlarge getlarge getlarge approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Rename task proposer/impose terminology to proposer/propose

1 participant

@getlarge