Engineering Review¶
Date: 2026-03-17
This review focuses on major architecture, reliability, security, and maintainability issues identified from repository inspection.
Critical Issues¶
1. Credential token model is weak for hostile networks¶
Evidence:
- Frontend stores auth token in local storage as
username:sha256(password)insrc/lib/utils.ts. - Middleware compares against config-stored hash in
internal/server/server.go. - Existing documentation already warns HTTPS is required in
docs/reference/user-authentication.md.
Impact:
- Token replay is possible if intercepted over HTTP.
- Token lifetime is effectively unbounded.
- Browser storage exposure (for example through XSS) gives durable API access.
Remediation priority: P0
Recommended actions:
- Move to server-issued session tokens with expiry.
- Prefer secure, HTTP-only, SameSite cookies for browser auth.
- Add explicit network hardening guidance and reverse-proxy examples for TLS termination.
2. Database schema evolution relies on implicit AutoMigrate¶
Evidence:
- Auto migration invoked from serve/startup/sync paths (
cmd/serve.go,desktop/app.go,internal/model/model.go). - No explicit migration version files or rollback strategy.
Impact:
- Hard to reason about deterministic upgrades/downgrades.
- Risk during major schema changes.
Remediation priority: P1
Recommended actions:
- Introduce explicit migration tooling and schema version table.
- Keep
AutoMigrateonly for development mode if desired.
High Priority Issues¶
3. Error handling often fails closed via process termination¶
Evidence:
log.Fatalusage in core startup/config/server flows (cmd/root.go,internal/config/config.go,internal/server/server.go).
Impact:
- Single operation failures can terminate the service.
- Reduced resilience for long-running deployments.
Remediation priority: P1
Recommended actions:
- Return typed errors to callers and API clients.
- Reserve process exit for unrecoverable startup failures.
- Standardize API error envelopes.
4. Handler layer owns both policy and orchestration logic¶
Evidence:
internal/server/server.goincludes route registration, readonly checks, payload binding, and direct domain invocation.
Impact:
- Repetition across many endpoints.
- Harder testing and policy consistency.
Remediation priority: P1
Recommended actions:
- Introduce dedicated middleware/policy gates for write operations.
- Move endpoint orchestration into service methods.
Medium Priority Issues¶
5. Test coverage is narrow for critical paths¶
Evidence:
- Backend tests are limited; only a small number of package tests exist.
- Snapshot regression test exists in
tests/regression.test.tsbut requires local toolchain not available in this environment.
Impact:
- Refactors risk behavioral regressions.
- Security and concurrency regressions are likely to slip.
Remediation priority: P2
Recommended actions:
- Add service-level unit tests for sync/auth/error paths.
- Add API integration tests for auth, readonly mode, and editor write paths.
- Add security-focused tests for token handling and brute-force controls.
6. Config state is global and mutable¶
Evidence:
- Config singleton is process-global in
internal/config/config.go.
Impact:
- Limits test isolation.
- Potential race and coupling risks as concurrency increases.
Remediation priority: P2
Recommended actions:
- Introduce immutable config snapshots and dependency injection.
- Avoid hidden global reads in deep domain layers.
Observed Strengths¶
- Clear domain-oriented package structure in
internal/. - Shared backend across web and desktop reduces feature divergence.
- Path traversal mitigation helper exists (
BuildSubPathininternal/utils/utils.go). - Config schema validation and docs are already mature for user-facing configuration.
Validation Limits¶
- Could not execute
go test ./...becausegois unavailable in current terminal environment. - Could not execute frontend checks because
svelte-kitdependencies are unavailable in current terminal environment.
These runtime/toolchain checks should be re-run in CI or a fully provisioned dev machine as part of remediation.