Reviews & Findings
Findings from the two code reviews (Aegis Cloud: REVIEW_AEGIS_CLOUD.md; Phase C: REVIEW_PHASE_C.md) and how each was resolved. All Critical and High items are resolved.
Summary
Fixed: 19
Partial: 1
Remaining: 6 (the Low group plus CM-3 / CM-5)
Total findings: 26
All Critical / High resolved
Across both reviews, the 3 Critical and 9 High findings are all fixed (or folded into the main branch, as with C-2(b)). What remains is only the Medium items CM-3 / CM-5 and the Low group (see the "Remaining Issues" page).
Aegis Cloud review (REVIEW_AEGIS_CLOUD.md)
Critical 1 / High 5 / Medium 6 / Low 4.
ID | Severity | Finding | Status | Resolution
Critical-1 | Critical | POST /api/whitelist/import bypasses the strict_approval gate and audit log | Fixed | PR #22
High-1 | High | Recording at-rest encryption had no decryption path (playback broke when enabled) | Fixed | PR #23
High-2 | High | Logout had no server-side JWT invalidation (token stayed valid up to 24h) | Fixed | PR #24
High-3 | High | RhodiumAdapter was a stub (its wording was misleading) | Fixed | PR #25 (comments cleaned up, behavior unchanged)
High-4 | High | No ON DELETE clause on any ForeignKey | Fixed | PR #26
High-5 | High | Insufficient authorization-boundary test coverage (0 dedicated tests across 7 modules) | Fixed | PR #27
CM-1 | Medium | check_client_access lacked a NULL-tenant guard | Fixed | PR #28
CM-2 | Medium | Recording-storage logs emitted the full NAS path at INFO level | Fixed | PR #29
CM-3 | Medium | The service layer depends on fastapi.HTTPException (layer erosion) | Remaining | Tracked in REMAINING_ISSUES.md
CM-4 | Medium | tools_core held message_ja (provider coupling) | Fixed | PR #30
CM-5 | Medium | Business logic leaking into adapters/routers | Remaining | Tracked in REMAINING_ISSUES.md
CM-6 | Medium | Drift between .env.example and config.py | Fixed | PR #31
Low-1 | Low | Inconsistent HTTP 503/502 responses | Remaining | Not started (Low)
Low-2 | Low | Broad except Exception swallowing errors | Remaining | Not started (Low)
Low-3 | Low | i18n: the source of the monitoring health/alert-level backend enum is unclear | Remaining | Undetermined (Low)
Low-4 | Low | Forgetting to set runtime_env skips the weak-JWT-secret check | Remaining | Operational caveat (Low)
Phase C review (REVIEW_PHASE_C.md)
Critical 2 / High 4 / Medium 4.
ID | Severity | Finding | Status | Resolution
PC Critical-1 | Critical | The deploy layout (wiring package vs. bridge) cannot be separated given the repo structure | Partial | Separation approach documented (PR #6); wiring-only packaging comes after on-device testing
PC Critical-2 | Critical | Default on failure was "hang up every call", i.e. a business outage | Fixed | C-2(b) routes to a human (folded into PR #2)
PC High-1 | High | AMI account had excessive privileges | Fixed | Reduced to least privilege (folded into PR #2)
PC High-2 | High | The OpenAI pump could hang (no timeout) | Fixed | Post-call timeout added (folded into PR #2)
PC High-3 | High | No OpenAI WS reconnection during a call | Fixed | Exponential-backoff reconnection (folded into PR #2)
PC High-4 | High | systemd crash-loop protection was placed where it had no effect | Fixed | Moved into [Unit] (folded into PR #2)
PM-1 | Medium | Robustness of AMI secret injection (sed/eval metacharacters) | Fixed | PR #3
PM-2 | Medium | Caller PII appears in logs | Fixed | PR #4
PM-3 | Medium | The n+101 priority in extensions.conf was dead code | Fixed | Aligned to fail-open (folded into PR #2)
PM-4 | Medium | Stale bridge.py docstring | Fixed | PR #5