Skip to content

feat(rest-api): drop baked-in embedding model#1243

Merged
getlarge merged 2 commits into
mainfrom
moltnet/00bbac38-2c65-4cf6-8e2e-a70f1a1d1a04/consider-dropping-baked-in-embedding-model-in-favor-of-start
May 26, 2026
Merged

feat(rest-api): drop baked-in embedding model#1243
getlarge merged 2 commits into
mainfrom
moltnet/00bbac38-2c65-4cf6-8e2e-a70f1a1d1a04/consider-dropping-baked-in-embedding-model-in-favor-of-start

Conversation

@legreffier
Copy link
Copy Markdown
Contributor

@legreffier legreffier Bot commented May 26, 2026
edited by github-actions Bot
Loading

Summary

  • Drops the rest-api production image's baked embedding model path.
  • Removes the download-model dependency from the rest-api docker:build target.
  • Switches the production embedding cache to /app/models with remote model downloads enabled.
  • Updates the rest-api README to describe startup download by default and local offline pre-download when needed.

Fixes #1226.

Task Context

Produced by MoltNet fulfill_brief task 12b466aa-5819-4d12-8b93-4b265ce5e1b3.

The task completed with accepted attempt 1 and commit 89bb1fa3, but the model reported a non-existent PR URL (https://github.com/getlarge/themoltnet/pull/1250). This PR is the real PR opened from the pushed branch.

Correlation id:

00bbac38-2c65-4cf6-8e2e-a70f1a1d1a04

Validation

  • Task message stream confirmed the daemon ran in dedicated_worktree mode on ollama-cloud/glm-5.1:cloud.
  • Task output self-reported syntax checks and successful completion.
  • I inspected the branch diff before opening this PR.

No additional local test suite was run while opening this PR.

@legreffier
feat(rest-api): drop baked-in embedding model in favor of startup dow…
89bb1fa 
…nload

- Remove download-model Nx target and its Dockerfile COPY
- Change default EMBEDDING_ALLOW_REMOTE_MODELS=true for production
- Update README to reflect new approach for local development
- Keep EMBEDDING_CACHE_DIR for container-lifetime persistence

Fixes #1226

MoltNet-Diary: 03668d36-4e0b-4478-8f68-cc53c6a96a55
Moltnet-Correlation-Id: 00bbac38-2c65-4cf6-8e2e-a70f1a1d1a04
@getlarge getlarge marked this pull request as ready for review May 26, 2026 14:06
@getlarge getlarge deployed to legreffier May 26, 2026 14:06 — with GitHub Actions Active
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 26, 2026

✅ CLI go.mod matches internal Go module releases

apps/moltnet-cli/go.mod is aligned with the versions tracked in .release-please-manifest.json.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 26, 2026

🚨 Dependency Audit — Vulnerabilities found

Full report 
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: Incomplete fix for CVE-2023-48223: JWT       │
│                     │ Algorithm Confusion via Whitespace-Prefixed RSA Public │
│                     │ Key                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-mvf2-f6gm-w987      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: Cache Confusion via cacheKeyBuilder          │
│                     │ Collisions Can Return Claims From a Different Token    │
│                     │ (Identity/Authorization Mixup)                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=0.0.1 <6.2.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-rp9m-7r4c-75qg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ Arbitrary code execution in protobufjs                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <7.5.5                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xq3m-2v4x-88gg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ Arbitrary code execution in protobufjs                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.0.1                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xq3m-2v4x-88gg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ critical            │ fast-jwt: JWT auth bypass due to empty HMAC secret     │
│                     │ accepted by async key resolver                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.2.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.4                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-gmvf-9v4p-v8jc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-jwt accepts unknown `crit` header extensions (RFC │
│                     │ 7515 violation)                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-hm7r-c7qw-ghp6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Fastify has a Body Schema Validation Bypass via        │
│                     │ Leading Space in Content-Type Header                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fastify                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.3.2 <=5.8.4                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.8.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>fastify                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-247c-9743-5963      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-uri vulnerable to path traversal via              │
│                     │ percent-encoded dot segments                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-uri                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>ajv>fast-uri  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q3j6-qgpj-74h6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-uri vulnerable to host confusion via              │
│                     │ percent-encoded authority delimiters                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-uri                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>ajv>fast-uri  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v39h-62p7-jpjc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code injection through bytes field        │
│                     │ defaults in generated toObject code                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-66ff-xgx4-vchm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code injection through bytes field        │
│                     │ defaults in generated toObject code                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-66ff-xgx4-vchm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code generation gadget after prototype    │
│                     │ pollution                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-75px-5xx7-5xc7      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Code generation gadget after prototype    │
│                     │ pollution                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-75px-5xx7-5xc7      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Process-wide denial of service through    │
│                     │ unsafe option paths                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jvwf-75h9-cwgg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Process-wide denial of service through    │
│                     │ unsafe option paths                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jvwf-75h9-cwgg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Denial of service through unbounded       │
│                     │ protobuf recursion                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-685m-2w69-288q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobuf.js: Denial of service through unbounded       │
│                     │ protobuf recursion                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-685m-2w69-288q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono missing validation of cookie name on write path   │
│                     │ in setCookie()                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-26pp-8wgv-hjvm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: Non-breaking space prefix bypass in cookie name  │
│                     │ handling in getCookie()                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r5rp-j6wh-rvv4      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: Path traversal in toSSG() allows writing files   │
│                     │ outside the output directory                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <=4.12.11                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xf4j-xp2r-rqqx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: Middleware bypass via repeated slashes in        │
│                     │ serveStatic                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-wmmm-f939-6g9c      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ @hono/node-server: Middleware bypass via repeated      │
│                     │ slashes in serveStatic                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @hono/node-server                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.19.13                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.19.13                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>@hono/node-   │
│                     │ server                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-92pp-h63x-v22m      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ fast-jwt has a ReDoS when using RegExp in allowed*     │
│                     │ leading to CPU exhaustion during token verification    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <=6.2.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-cjw9-ghj4-fwxf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ fast-jwt: Stateful RegExp (/g or /y) causes            │
│                     │ non-deterministic allowed-claim validation (logical    │
│                     │ DoS)                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-jwt                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <6.2.1                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>@fastify/       │
│                     │ jwt>fast-jwt                                           │
│                     │                                                        │
│                     │ libs__auth>fast-jwt                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3j8v-cgw4-2g6q      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ hono Improperly Handles JSX Attribute Names Allows     │
│                     │ HTML Injection in hono/jsx SSR                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.14                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.14                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-458j-xx4x-4375      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono has incorrect IP matching in ipRestriction() for  │
│                     │ IPv4-mapped IPv6 addresses                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.12                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xpcf-pg52-r92g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono has CSS Declaration Injection via Style Object    │
│                     │ Values in JSX SSR                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.18                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-qp7p-654g-cw7p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ ip-address has XSS in Address6 HTML-emitting methods   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ip-address                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=10.1.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>express-rate- │
│                     │ limit>ip-address                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v2v4-37r5-5v8g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Denial of service from crafted field      │
│                     │ names in generated code                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-2pr8-phx7-x9h3      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Denial of service from crafted field      │
│                     │ names in generated code                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-2pr8-phx7-x9h3      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Prototype injection in generated message  │
│                     │ constructors                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-fx83-v9x8-x52w      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobuf.js: Prototype injection in generated message  │
│                     │ constructors                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-fx83-v9x8-x52w      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs has overlong UTF-8 decoding                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @protobufjs/utf8                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=1.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-                             │
│                     │ transformer>protobufjs>@protobufjs/utf8                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q6x5-8v7m-xcrf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs has overlong UTF-8 decoding                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <=8.0.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q6x5-8v7m-xcrf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs has overlong UTF-8 decoding                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q6x5-8v7m-xcrf      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono's Cache Middleware ignores Vary: Authorization /  │
│                     │ Vary: Cookie leading to cross-user cache leakage       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.18                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-p77w-8qqv-26rm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Hono: bodyLimit() can be bypassed for chunked /        │
│                     │ unknown-length requests                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.16                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.16                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-9vqf-7f2p-gf9v      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ hono/jsx has Unvalidated JSX Tag Names that May Allow  │
│                     │ HTML Injection                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.16                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.16                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-69xw-7hcm-h432      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ brace-expansion: Large numeric range defeats           │
│                     │ documented `max` DoS protection                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ brace-expansion                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <5.0.6                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.0.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-coding-          │
│                     │ agent>minimatch>brace-expansion                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jxxr-4gwj-5jf2      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ ws: Uninitialized memory disclosure                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ws                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.20.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.20.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>ws                                               │
│                     │                                                        │
│                     │ libs__database>@dbos-inc/dbos-sdk>ws                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-58qx-3vcg-4xpx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs: Denial of Service via unbounded recursive  │
│                     │ JSON descriptor expansion                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.2.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.2.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@opentelemetry/exporter-trace-otlp- │
│                     │ proto>@opentelemetry/otlp-transformer>protobufjs       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jggg-4jg4-v7c6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs: Denial of Service via unbounded recursive  │
│                     │ JSON descriptor expansion                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.5.7                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.5.8                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__agent-daemon>@earendil-works/pi-ai>@google/      │
│                     │ genai>protobufjs                                       │
│                     │                                                        │
│                     │ apps__mcp-server>pino-opentelemetry-transport>otlp-    │
│                     │ logger>@opentelemetry/exporter-logs-otlp-grpc>@grpc/   │
│                     │ grpc-js>@grpc/proto-loader>protobufjs                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jggg-4jg4-v7c6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ uuid: Missing buffer bounds check in v3/v5/v6 when buf │
│                     │ is provided                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ uuid                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <11.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=11.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-server>@getlarge/fastify-mcp>mqemitter-      │
│                     │ redis>hyperid>uuid                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-w5hq-g745-h8pq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ qs has a remotely triggerable DoS: qs.stringify        │
│                     │ crashes with TypeError on null/undefined entries in    │
│                     │ comma-format arrays when encodeValuesOnly is set       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ qs                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=6.11.1 <=6.15.1                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.15.2                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>express>qs    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q8mj-m7cp-5q26      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Elliptic Uses a Cryptographic Primitive with a Risky   │
│                     │ Implementation                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ elliptic                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=6.6.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ libs__auth>get-jwks>jwk-to-pem>elliptic                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-848j-6mx2-7j84      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Hono has improper validation of NumericDate claims     │
│                     │ (exp, nbf, iat) in JWT verify()                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ hono                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.12.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.12.18                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__mcp-host>@modelcontextprotocol/sdk>hono          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-hm8q-7f3q-5f36      │
└─────────────────────┴────────────────────────────────────────────────────────┘
54 vulnerabilities found
Severity: 2 low | 31 moderate | 13 high | 8 critical

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 26, 2026

⚠️ Knip — Unused code or dependencies found

Run pnpm run knip locally to see details, or pnpm run knip:fix to auto-fix some of them.

Full report 
�[93m�[4mUnused files�[24m�[39m (39)
.agents/skills/monitor-ci/scripts/ci-poll-decide.mjs                                       
.agents/skills/monitor-ci/scripts/ci-state-update.mjs                                      
apps/agent-daemon/src/node-sqlite.d.ts                                                     
apps/console/e2e/seed-diary-browser.ts                                                     
apps/landing/src/hooks/useFeedSSE.ts                                                       
apps/mcp-host/server.mjs                                                                   
apps/mcp-host/src/sandbox.ts                                                               
apps/mcp-server/src/schemas/index.ts                                                       
apps/rest-api/src/migrate.ts                                                               
apps/rest-api/src/sse/public-feed-poller.ts                                                
apps/rest-api/src/sse/sse-writer.ts                                                        
docs/.vitepress/env.d.ts                                                                   
evals/moltnet-practices/auth-middleware-early-return/fixtures/auth-plugin.ts               
evals/moltnet-practices/auth-middleware-early-return/fixtures/team-resolver.ts             
evals/moltnet-practices/e2e-raw-fetch-vs-api-client/fixtures/sdk.gen.ts                    
evals/moltnet-practices/repository-tenant-scope-bypass/fixtures/consolidate-workflow.ts    
evals/moltnet-practices/repository-tenant-scope-bypass/fixtures/diary-entry.repository.ts  
evals/moltnet-practices/rest-error-boundary/fixtures/pack-routes.ts                        
evals/moltnet-practices/rest-error-boundary/fixtures/verification-routes.ts                
evals/moltnet-practices/webhook-auth-status-code/fixtures/hooks.ts                         
examples/compile-context.ts                                                                
examples/diary-create.ts                                                                   
examples/diary-search.ts                                                                   
examples/register.ts                                                                       
examples/sign-entry.ts                                                                     
libs/context-distill/__tests__/benchmarks/cluster.bench.ts                                 
libs/context-distill/__tests__/benchmarks/compile.bench.ts                                 
test-fixtures/generate-ssh-vectors.mjs                                                     
test-fixtures/generate-x25519-vectors.mjs                                                  
tools/db/backfill-content-hashes.ts                                                        
tools/db/backfill-diary-team-links.ts                                                      
tools/db/backfill-keto-subject-set.ts                                                      
tools/db/backfill-personal-teams.ts                                                        
tools/db/backfill-team-relations-plural.ts                                                 
tools/db/cleanup-legacy-diary-tuples.ts                                                    
tools/generators/split-tsconfigs/index.ts                                                  
tools/generators/split-tsconfigs/schema.d.ts                                               
tools/src/tasks/seed-judge-fixture.ts                                                      
tools/src/verify-task-context.ts                                                           
�[93m�[4mUnused dependencies�[24m�[39m (41)
@earendil-works/gondolin                     apps/agent-daemon/package.json:32:6        
pino-pretty                                  apps/agent-daemon/package.json:45:6        
@moltnet/models                              apps/console/package.json:11:6             
@moltnet/entry-explore-mcp-app               apps/mcp-server/package.json:30:6          
@themoltnet/design-system                    apps/mcp-server/package.json:34:6          
@fastify/otel                                apps/mcp-server/package.json:36:6          
@opentelemetry/exporter-metrics-otlp-proto   apps/mcp-server/package.json:38:6          
@opentelemetry/exporter-trace-otlp-proto     apps/mcp-server/package.json:39:6          
@opentelemetry/instrumentation               apps/mcp-server/package.json:40:6          
@opentelemetry/instrumentation-dns           apps/mcp-server/package.json:41:6          
@opentelemetry/instrumentation-http          apps/mcp-server/package.json:42:6          
@opentelemetry/instrumentation-net           apps/mcp-server/package.json:43:6          
@opentelemetry/instrumentation-pino          apps/mcp-server/package.json:44:6          
@opentelemetry/instrumentation-pg            apps/mcp-server/package.json:45:6          
@opentelemetry/instrumentation-runtime-node  apps/mcp-server/package.json:46:6          
@opentelemetry/instrumentation-undici        apps/mcp-server/package.json:47:6          
@opentelemetry/resources                     apps/mcp-server/package.json:48:6          
@opentelemetry/sdk-metrics                   apps/mcp-server/package.json:49:6          
@opentelemetry/sdk-trace-base                apps/mcp-server/package.json:50:6          
@opentelemetry/sdk-trace-node                apps/mcp-server/package.json:51:6          
@opentelemetry/semantic-conventions          apps/mcp-server/package.json:52:6          
pino                                         apps/mcp-server/package.json:56:6          
pino-opentelemetry-transport                 apps/mcp-server/package.json:57:6          
thread-stream                                apps/mcp-server/package.json:58:6          
multiformats                                 apps/rest-api/package.json:36:6            
@huggingface/transformers                    apps/rest-api/package.json:38:6            
@opentelemetry/exporter-metrics-otlp-proto   apps/rest-api/package.json:48:6            
@opentelemetry/instrumentation               apps/rest-api/package.json:50:6            
@opentelemetry/resources                     apps/rest-api/package.json:58:6            
@opentelemetry/sdk-metrics                   apps/rest-api/package.json:59:6            
@opentelemetry/sdk-trace-base                apps/rest-api/package.json:60:6            
@opentelemetry/sdk-trace-node                apps/rest-api/package.json:61:6            
@opentelemetry/semantic-conventions          apps/rest-api/package.json:62:6            
pino-pretty                                  apps/rest-api/package.json:70:6            
thread-stream                                apps/rest-api/package.json:71:6            
@noble/hashes                                libs/context-pack-service/package.json:19:6
tslib                                        package.json:156:6                         
@moltnet/auth                                tools/package.json:39:6                    
@moltnet/models                              tools/package.json:46:6                    
drizzle-orm                                  tools/package.json:54:6                    
fastq                                        tools/package.json:55:6                    
�[93m�[4mUnused devDependencies�[24m�[39m (14)
@moltnet/bootstrap      apps/mcp-server/package.json:61:6           
@moltnet/database       apps/mcp-server/package.json:62:6           
drizzle-orm             apps/mcp-server/package.json:65:6           
pino-pretty             apps/mcp-server/package.json:66:6           
vitest                  libs/bootstrap/package.json:24:6            
testcontainers          libs/diary-service/package.json:29:6        
@testing-library/react  libs/entry-explore-mcp-app/package.json:30:6
vitest                  libs/mcp-test-harness/package.json:23:6     
@nx/devkit              package.json:83:6                           
@swc/helpers            package.json:95:6                           
husky                   package.json:103:6                          
lint-staged             package.json:108:6                          
vite-plugin-dts         package.json:116:6                          
@types/figlet           tools/package.json:61:6                     
�[93m�[4mReferenced optional peerDependencies�[24m�[39m (1)
ink  libs/design-system/package.json
�[93m�[4mUnlisted dependencies�[24m�[39m (2)
@moltnet/database  evals/moltnet-practices/e2e-raw-fetch-vs-api-client/fixtures/governance.e2e.test.ts:19:46
pg                 libs/diary-service/__tests__/diary-service.dbos.integration.test.ts:38:27                
�[93m�[4mUnlisted binaries�[24m�[39m (7)
openssl                                             .github/actions/legreffier-run-task/action.yml
python3                                             .github/workflows/ci.yml                      
clawhub                                             .github/workflows/release.yml                 
go                                                  package.json                                  
gofmt                                               package.json                                  
packages/openclaw-skill/scripts/publish-clawhub.sh  package.json                                  
packages/openclaw-skill/scripts/package.sh          package.json                                  
�[93m�[4mUnused exports�[24m�[39m (84)
DaemonSlotRegistryError           class     apps/agent-daemon/src/lib/daemon-slot-registry.ts:8:14        
COMMON_REQUIRED_FLAGS                       apps/agent-daemon/src/lib/help.ts:3:14                        
COMMON_OPTIONAL_FLAGS                       apps/agent-daemon/src/lib/help.ts:10:14                       
buildDaemonSlotId                 function  apps/agent-daemon/src/lib/task-execution-plan.ts:78:17        
ENTRY_TYPE_LABELS                           apps/console/src/diaries/utils.ts:14:3                        
ENTRY_TYPES                                 apps/console/src/diaries/utils.ts:15:3                        
estimateTokenCount                          apps/console/src/diaries/utils.ts:16:3                        
formatDateTime                              apps/console/src/diaries/utils.ts:17:3                        
ENTRY_TYPE_OPTIONS                          apps/console/src/diaries/utils.ts:21:14                       
getEntryTypeQuery                 function  apps/console/src/diaries/utils.ts:29:17                       
API_BASE_URL                                apps/landing/src/api.ts:16:14                                 
handleDiaryTags                   function  apps/mcp-server/src/diary-tools.ts:315:23                     
handleGrantCreate                 function  apps/mcp-server/src/grant-tools.ts:38:23                      
handleGrantRevoke                 function  apps/mcp-server/src/grant-tools.ts:70:23                      
handleGrantList                   function  apps/mcp-server/src/grant-tools.ts:102:23                     
handlePacksUpdate                 function  apps/mcp-server/src/pack-tools.ts:295:23                      
handleRenderedPacksUpdate         function  apps/mcp-server/src/pack-tools.ts:385:23                      
handlePacksDiff                   function  apps/mcp-server/src/pack-tools.ts:487:23                      
handleSignMessage                 function  apps/mcp-server/src/prompts.ts:212:23                         
EntryMapZoneSearchSchema                    apps/mcp-server/src/schemas/entry-explore-schemas.ts:9:14     
EntryMapZoneProvenanceSchema                apps/mcp-server/src/schemas/entry-explore-schemas.ts:24:14    
EntryMapZoneSchema                          apps/mcp-server/src/schemas/entry-explore-schemas.ts:47:14    
EntryMapDataSchema                          apps/mcp-server/src/schemas/entry-explore-schemas.ts:88:14    
CustomPackEntrySelectionSchema              apps/mcp-server/src/schemas/pack-schemas.ts:107:14            
handleTeamsList                   function  apps/mcp-server/src/team-tools.ts:62:23                       
handleTeamMembersList             function  apps/mcp-server/src/team-tools.ts:84:23                       
handleTeamsCreate                 function  apps/mcp-server/src/team-tools.ts:109:23                      
handleTeamsJoin                   function  apps/mcp-server/src/team-tools.ts:132:23                      
handleTeamsDelete                 function  apps/mcp-server/src/team-tools.ts:155:23                      
handleTeamsInviteCreate           function  apps/mcp-server/src/team-tools.ts:178:23                      
handleTeamsInviteList             function  apps/mcp-server/src/team-tools.ts:211:23                      
handleTeamsInviteDelete           function  apps/mcp-server/src/team-tools.ts:236:23                      
handleTeamsMemberRemove           function  apps/mcp-server/src/team-tools.ts:264:23                      
ServerConfigSchema                          apps/rest-api/src/config.ts:26:14                             
DatabaseConfigSchema                        apps/rest-api/src/config.ts:38:14                             
WebhookConfigSchema                         apps/rest-api/src/config.ts:43:14                             
RecoveryConfigSchema                        apps/rest-api/src/config.ts:47:14                             
OryConfigSchema                             apps/rest-api/src/config.ts:51:14                             
ObservabilityConfigSchema                   apps/rest-api/src/config.ts:62:14                             
EmbeddingConfigSchema                       apps/rest-api/src/config.ts:98:14                             
SecurityConfigSchema                        apps/rest-api/src/config.ts:105:14                            
loadEmbeddingConfig               function  apps/rest-api/src/config.ts:264:17                            
loadPackGcConfig                  function  apps/rest-api/src/config.ts:274:17                            
loadTaskOrphanSweeperConfig       function  apps/rest-api/src/config.ts:284:17                            
acceptsProblemJson                          apps/rest-api/src/problems/index.ts:2:3                       
findProblemTypeByCode                       apps/rest-api/src/problems/index.ts:8:3                       
findProblemTypeByStatus                     apps/rest-api/src/problems/index.ts:9:3                       
getTypeUri                                  apps/rest-api/src/problems/index.ts:10:3                      
problemTypes                                apps/rest-api/src/problems/index.ts:12:3                      
DiaryTagCountSchema                         apps/rest-api/src/schemas/diary.ts:58:14                      
PublicAuthorSchema                          apps/rest-api/src/schemas/diary.ts:123:14                     
ContextPackEntrySchema                      apps/rest-api/src/schemas/packs.ts:9:14                       
TaskTypeDescriptorSchema                    apps/rest-api/src/schemas/tasks.ts:213:14                     
inflateRowCreator                 function  apps/rest-api/src/utils/auth-principal.ts:142:23              
resolvePrincipal                            apps/rest-api/src/utils/auth-principal.ts:191:10              
consolidateQueue                            apps/rest-api/src/workflows/context-distill-workflows.ts:58:14
compileQueue                                apps/rest-api/src/workflows/context-distill-workflows.ts:63:14
HumanOnboardingError              class     apps/rest-api/src/workflows/human-onboarding-workflow.ts:36:14
compileQueue                                apps/rest-api/src/workflows/index.ts:2:3                      
consolidateQueue                            apps/rest-api/src/workflows/index.ts:4:3                      
contextDistillWorkflows                     apps/rest-api/src/workflows/index.ts:7:3                      
diaryTransferWorkflow                       apps/rest-api/src/workflows/index.ts:14:3                     
TRANSFER_DECISION_EVENT                     apps/rest-api/src/workflows/index.ts:17:3                     
HumanOnboardingError                        apps/rest-api/src/workflows/index.ts:22:3                     
DEFAULT_WORKFLOW_TIMEOUT_MS                 apps/rest-api/src/workflows/index.ts:56:3                     
runWorkflow                                 apps/rest-api/src/workflows/index.ts:57:3                     
FOUNDING_ACCEPT_EVENT                       apps/rest-api/src/workflows/index.ts:61:3                     
TeamFoundingTimeoutError                    apps/rest-api/src/workflows/index.ts:67:3                     
teamFoundingWorkflow                        apps/rest-api/src/workflows/index.ts:68:3                     
DEFAULT_WORKFLOW_TIMEOUT_MS                 apps/rest-api/src/workflows/run-workflow.ts:14:14             
TeamFoundingTimeoutError          class     apps/rest-api/src/workflows/team-founding-workflow.ts:32:14   
DBOSWorkflowConflictError                   libs/database/src/dbos.ts:154:3                               
DEFAULT_DISPATCH_TIMEOUT_SECONDS            libs/database/src/workflows/task-workflows.ts:124:14          
DEFAULT_RUNNING_TIMEOUT_SECONDS             libs/database/src/workflows/task-workflows.ts:128:14          
MAX_PUBLIC_CONTENT_LENGTH                   libs/diary-service/src/diary-service.ts:53:14                 
nextStepId                        function  libs/entry-explore-mcp-app/src/state/map.ts:117:17            
resolveTaskScratchPath            function  libs/pi-extension/src/runtime/task-workspace.ts:130:17        
makeClient                        function  packages/legreffier-cli/src/api.ts:78:17                      
formatPortIssues                  function  packages/legreffier-cli/src/phases/portValidate.ts:213:17     
gitMergeBase                      function  tools/src/tasksmith/gh-client.ts:151:23                       
gitShowFileAtRef                  function  tools/src/tasksmith/gh-client.ts:206:23                       
SEED_INSTRUCTION                            tools/src/tasksmith/task-extractor.ts:538:10                  
verifyTask                        function  tools/src/tasksmith/verify.ts:356:23                          
cleanupPrArtifacts                function  tools/src/tasksmith/verify.ts:480:23                          
�[93m�[4mUnused exported types�[24m�[39m (55)
MailRecord                 interface  apps/console/e2e/helpers/mailslurper.ts:3:18                      
UiResourceData             interface  apps/mcp-host/src/implementation.ts:25:18                         
EntryMapZoneSearch         type       apps/mcp-server/src/schemas/entry-explore-schemas.ts:22:13        
EntryMapZone               type       apps/mcp-server/src/schemas/entry-explore-schemas.ts:86:13        
CorsPluginOptions          interface  apps/rest-api/src/plugins/cors.ts:11:18                           
RateLimitPluginOptions     interface  apps/rest-api/src/plugins/rate-limit.ts:14:18                     
ProblemType                type       apps/rest-api/src/problems/index.ts:11:8                          
AgentPrincipal             type       apps/rest-api/src/schemas/principal.ts:37:8                       
HumanPrincipal             type       apps/rest-api/src/schemas/principal.ts:39:8                       
PrincipalIdentity          type       apps/rest-api/src/schemas/principal.ts:41:8                       
CreateTaskInput            type       apps/rest-api/src/services/task.service.ts:2:8                    
AuthContext                type       apps/rest-api/src/types.ts:14:3                                   
PermissionChecker          type       apps/rest-api/src/types.ts:15:3                                   
RelationshipReader         type       apps/rest-api/src/types.ts:16:3                                   
RelationshipWriter         type       apps/rest-api/src/types.ts:17:3                                   
CompileWorkflowInput       type       apps/rest-api/src/workflows/index.ts:3:8                          
ConsolidateWorkflowInput   type       apps/rest-api/src/workflows/index.ts:5:8                          
ContextDistillDeps         type       apps/rest-api/src/workflows/index.ts:6:8                          
DiaryTransferDeps          type       apps/rest-api/src/workflows/index.ts:12:8                         
DiaryTransferResult        type       apps/rest-api/src/workflows/index.ts:13:8                         
TransferDecision           type       apps/rest-api/src/workflows/index.ts:18:8                         
HumanOnboardingDeps        type       apps/rest-api/src/workflows/index.ts:21:8                         
HumanOnboardingResult      type       apps/rest-api/src/workflows/index.ts:23:8                         
LegreffierOnboardingDeps   type       apps/rest-api/src/workflows/index.ts:34:8                         
MaintenanceDeps            type       apps/rest-api/src/workflows/index.ts:43:8                         
RegistrationDeps           type       apps/rest-api/src/workflows/index.ts:48:8                         
RegistrationResult         type       apps/rest-api/src/workflows/index.ts:49:8                         
RunWorkflowOptions         type       apps/rest-api/src/workflows/index.ts:58:8                         
FoundingMember             type       apps/rest-api/src/workflows/index.ts:62:8                         
TeamFoundingDeps           type       apps/rest-api/src/workflows/index.ts:65:8                         
TeamFoundingResult         type       apps/rest-api/src/workflows/index.ts:66:8                         
AdoptionState              interface  docs/.vitepress/theme/auth/useAdoption.ts:38:18                   
AdoptionStageKey           type       docs/.vitepress/theme/auth/useAdoption.ts:284:13                  
AdoptionStage              interface  docs/.vitepress/theme/auth/useAdoption.ts:292:18                  
DocsTeam                   interface  docs/.vitepress/theme/auth/useTeamSelection.ts:9:18               
SessionResolverLogger      interface  libs/auth/src/session-resolver.ts:24:18                           
GroupCreator               interface  libs/database/src/repositories/group.repository.ts:15:18          
EntriesListArgs            interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:28:18        
EntriesSearchArgs          interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:38:18        
DiaryTagsArgs              interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:50:18        
EntriesGetArgs             interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:57:18        
PacksCreateArgs            interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:63:18        
PacksUpdateArgs            interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:71:18        
PacksProvenanceArgs        interface  libs/entry-explore-mcp-app/src/adapter/tool-calls.ts:77:18        
CommandRegistrar           type       libs/pi-extension/src/commands/index.ts:5:3                       
SessionMeta                type       libs/pi-extension/src/commands/index.ts:7:3                       
RateLimitRetryOptions      type       libs/sdk/src/retry.ts:5:15                                        
AgentAdapter               type       packages/legreffier-cli/src/adapters/index.ts:11:15               
AgentAdapterOptions        type       packages/legreffier-cli/src/adapters/index.ts:11:29               
ResolveInstallationStatus  type       packages/legreffier-cli/src/phases/portResolveInstallation.ts:6:13
VerifyInstallationStatus   type       packages/legreffier-cli/src/phases/portVerifyInstallation.ts:4:13 
InitPhase                  type       packages/legreffier-cli/src/state.ts:4:13                         
EvalMode                   type       tools/src/tasks/scenario.ts:31:13                                 
EvalWorkspace              type       tools/src/tasks/scenario.ts:32:13                                 
ScenarioCriterion          interface  tools/src/tasks/scenario.ts:34:18                                 
�[93m�[4mUnused exported enum members�[24m�[39m (1)
Impose  TaskPermission  libs/auth/src/keto-constants.ts:135:3
�[93m�[4mUnused catalog entries�[24m�[39m (4)
@anthropic-ai/claude-agent-sdk  default  pnpm-workspace.yaml:25:4 
@fastify/static                 default  pnpm-workspace.yaml:35:4 
@openai/codex-sdk               default  pnpm-workspace.yaml:60:4 
zod                             default  pnpm-workspace.yaml:146:3
�[33m�[4mConfiguration hints�[24m (5)�[39m
. �[90m(root)�[39m                …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["."]�[90m (17 unused files)�[39m        
tools                   …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["tools"]�[90m (10 unused files)�[39m    
apps/rest-api           …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["apps/rest-api"]�[90m (3 unused fi…�[39m
libs/context-distill    …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["libs/context-distill"]�[90m (2 un…�[39m
apps/mcp-host           …p.config.ts  �[90mAdd �[97mentry�[90m and/or refine �[97mproject�[90m files in �[97mworkspaces["apps/mcp-host"]�[90m (2 unused fi…�[39m
 ELIFECYCLE  Command failed with exit code 1.

@legreffier
Copy link
Copy Markdown
Contributor Author

legreffier Bot commented May 26, 2026

Complexity Review (PR #1243)

Composite Score: 1.0 / 1.0Low complexity, highly reviewable

Criterion Scores

Criterion Score Rationale
cognitive_load ✅ PASS Single-purpose change: removes baked model, enables runtime download. Three files with coherent, focused edits.
blast_radius ✅ PASS Isolated to Docker image composition and env defaults. Embedding service code unchanged; regression would only affect startup model loading (already has error handling).
test_coverage_delta ✅ PASS No new tests needed — embedding-service already has comprehensive tests for allowRemoteModels option covering both true/false cases with env restoration assertions.
security_surface ✅ PASS Enables downloads from Hugging Face (trusted source) at startup. Hardcoded model ID, no secrets or user input affecting downloads.
reviewer_orientation ✅ PASS Clear title, detailed summary with what/why, references issue #1226, task context included, README updated.

Verdict

This is a well-scoped infrastructure change that shifts model acquisition from build-time to runtime. The change is easy to review: it removes the download-model Nx target, adjusts Docker env defaults, and updates documentation. All behavioral aspects (remote model loading, caching, error recovery) are already covered by existing embedding-service tests. No security-sensitive paths are introduced.

@getlarge getlarge merged commit 244e3ac into main May 26, 2026
28 checks passed
@getlarge getlarge deleted the moltnet/00bbac38-2c65-4cf6-8e2e-a70f1a1d1a04/consider-dropping-baked-in-embedding-model-in-favor-of-start branch May 26, 2026 14:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Consider dropping baked-in embedding model in favor of startup warmup

1 participant

@getlarge