saravanakumardb1 dda38aa009 fix(exports): strip data payload from list endpoint + update audit doc

- exports/routes: exclude inline data from GET /exports list response
  to prevent returning megabytes of serialized export data (perf+security)
- Update WORKSPACE_TODO_AUDIT.md: add post-audit review section with
  9 bugs found and fixed across 2 commits (73b07c2, 841cdf3), mark
  all action plan sprints complete
- Typecheck clean, 1483/1483 tests pass

2026-03-22 01:23:08 -07:00

12 KiB

Raw Blame History

Workspace TODO / Disabled Feature Audit

Generated: 2026-03-22 Scope: All 15 workspace repos — platform-service, dashboards, packages, 9 product backends + webs Method: Automated grep scan for TODO, FIXME, HACK, disabled features, stubs, console.log

Executive Summary

Area	Actionable TODOs	False Positives	Priority Items
platform-service	12	0	5
admin-web	1	0	1
tracker-web	1	0	1
user-dashboard-web	1	0	1
shared packages	3	2 (test/template)	1
product backends (9 repos)	0	0	0
product webs (9 repos)	0	0	0
Total	18	2	8

Verdict: The codebase is in strong shape. All 9 product backends and webs are TODO-free. The 18 actionable items are concentrated in platform-service (the largest service with 37+ modules). Most are low-risk "wire integration" tasks that don't block core functionality.

Findings by Priority

P0 — High Impact, Low Effort (resolved)

#	Location	TODO	Effort	Status
1	`admin-web/src/app/error.tsx:13`	Send errors to telemetry	S	✅ FIXED `34c3436`
2	`tracker-web/src/app/error.tsx:13`	Send errors to telemetry	S	✅ FIXED `34c3436`
3	`user-dashboard-web/src/app/error.tsx:13`	Send errors to telemetry	S	✅ FIXED `4641daa`

Status: All 3 resolved — wired trackEvent('error', 'global', 'unhandled_error', ...) with error name, message, and digest.

P1 — Medium Impact, Medium Effort (resolved)

#	Location	TODO	Effort	Status
4	`delivery/subscribers.ts` — payment.failed	User lookup + payment-failed email dispatch	M	✅ FIXED
5	`delivery/subscribers.ts` — trial_expiring	User lookup + trial-expiring email dispatch	M	✅ FIXED
6	`delivery/subscribers.ts` — trial_expired	User lookup + trial-expired email dispatch	M	✅ FIXED
7	`surveys/routes.ts` — incentive fulfillment	Wire subscriptions module for pro_days/credits	M	✅ FIXED

Status: All 4 resolved. Added resolveUserEmail() helper using auth repo getById(). Survey incentives now extend currentPeriodEnd for pro_days and add tokensIncluded for credits via subscriptions module.

P2 — Low Impact, Medium Effort (resolved)

#	Location	TODO	Effort	Status
8	`telemetry/repository.ts` — upsertEventsBatch	Group by pk for partition-aware batching	M	✅ FIXED
9	`exports/routes.ts` — export processing	Async export via setImmediate + data source queries + CSV/JSON serialize	L	✅ FIXED
10	`broadcasts/repository.ts` — estimateTargetReach	Real user count query via auth module	M	✅ FIXED
11	`broadcasts/routes.ts` — broadcast delivery	Async delivery via setImmediate + dispatchEmail per user	L	✅ FIXED
12	`waitlist/routes.ts` — CAPTCHA validation	Requires external API keys (Turnstile/hCaptcha)	M	⏭️ DEFERRED
13	`waitlist/routes.ts` — auto-generate invitation codes	Wire invitations/repository.create() per entry	S	✅ FIXED

Status: 5 of 6 resolved. Item 12 (CAPTCHA) deferred — requires Turnstile/hCaptcha/reCAPTCHA API key configuration.

P3 — Operational / Nice-to-Have (resolved)

#	Location	TODO	Effort	Status
14	`diagnostics/subscribers.ts` — session.cancelled	Notify admin who created the session via email	S	✅ FIXED
15	`diagnostics/subscribers.ts` — session.completed	Email summary (logs/traces/screenshots) to admin	S	✅ FIXED
16	`diagnostics/subscribers.ts` — ingest.fatal	Send Slack alert for on-call engineer	L	✅ FIXED
17	`feedback-client/integration.test.ts` — blob skip	Clarify skip mechanism with NOTE (was TODO-4)	S	✅ FIXED
18	`feedback-client/gdpr.test.ts` — lifecycle policy	Accept Azure lifecycle policy as intended mechanism (was TODO-7)	XS	✅ FIXED

Status: All 5 resolved. Diagnostics notifications wired via delivery module (dispatchEmail for admin notifications, dispatchSlack for FATAL alerts). Test TODOs converted to NOTE/accepted.

Post-Audit Review (2026-03-22) — 8 bugs found in P2/P3 implementations

#	Location	Bug	Severity	Status
R1	`diagnostics/subscribers.ts` — session.cancelled	Used non-existent `'generic'` template ID (throws at runtime)	P0	✅ FIXED `73b07c2`
R2	`diagnostics/subscribers.ts` — session.completed	Used non-existent `'generic'` template ID (throws at runtime)	P0	✅ FIXED `73b07c2`
R3	`delivery/templates.ts`	Missing `'broadcast'` template used by broadcast delivery	P0	✅ FIXED `73b07c2`
R4	`broadcasts/routes.ts` — delivery complete	Dot-path `'metrics.sent'` in updateBroadcast (not Cosmos syntax)	P1	✅ FIXED `73b07c2`
R5	`exports/routes.ts` — async processing	Serialized data computed but never stored — no download endpoint	P1	✅ FIXED `73b07c2`
R6	`waitlist/routes.ts` — batch invite	Stored code string as `invitationCodeId` instead of doc ID	P2	✅ FIXED `73b07c2`
R7	`diagnostics/subscribers.ts` — session.created	Target user email not sent (just logging) despite template exist	P2	✅ FIXED `841cdf3`
R8	`events/types.ts` + `delivery/subscribers.ts`	`payment.failed` missing `currency` field (inconsistent schema)	P2	✅ FIXED `841cdf3`
R9	`exports/routes.ts` — list endpoint	Returns full `data` payload in list response (perf/security)	P2	✅ FIXED (pending)

Items Explicitly NOT TODOs (Excluded)

These were found in scans but are not actionable gaps:

Location	Content	Why Excluded
`packages/create-app/src/lib/templates.ts:276`	`// TODO: Register your route modules here`	Template placeholder for `create-app` scaffolding — intentional
`packages/feedback-client/src/gdpr.test.ts:23`	`describeIntegration('GDPR Deletion Compliance (TODO-5)')`	Test suite name contains TODO — it's a label, not missing work
`user-dashboard-web/.../sessions/[id]/page.tsx:695`	`['list', 'todo', 'task', 'priority'...]`	String data containing the word "todo" — not a code TODO
All `*.test.ts` files with "mock"	Test mocks using vi.fn() / vi.mock()	Standard test pattern, not production stubs

Repos With Zero TODOs (Clean)

These backends and webs have no actionable TODOs — fully implemented:

Repo	Backend	Web	Notes
ActionTrail	✅ 0	✅ 0	Production-ready, v1.0.0
NoteLett	✅ 0	✅ 0	MCP tools complete
FlowMonk	✅ 0	✅ 0	Scheduler complete
JarvisJr	✅ 0	✅ 0	Voice + agents
ChronoMind	✅ 0	—	Timers + cascades
PeakPulse	✅ 0	—	Adventure tracker
NomGap	✅ 0	—	Fasting app
Local Memory GPT	✅ 0	—	Local AI chat
MindLyst	✅ 0	—	KMP shared module
LysnrAI (backend)	✅ 0	—	62 tests
extraction-service	✅ 0	—	Python sidecar
mcp-server	✅ 0	—	MCP protocol

Recommended Action Plan

Sprint A (1–2 days) — Quick Wins ✅ COMPLETE

~~Wire telemetry reportError() in all 3 dashboard error.tsx files~~ ✅
~~Wire waitlist → invitations module for auto-generated invite codes~~ ✅

Sprint B (3–5 days) — User-Facing Gaps ✅ COMPLETE

~~Implement user lookup helper for delivery subscribers~~ ✅
~~Wire survey incentive fulfillment to billing/subscriptions module~~ ✅
~~Wire export job processing through the jobs module~~ ✅

Sprint C (deferred → resolved) ✅ COMPLETE

~~Implement real broadcast audience estimation query~~ ✅
~~Wire broadcast delivery via event bus~~ ✅
Add CAPTCHA validation to waitlist signup ⏭️ DEFERRED (requires API keys)
~~Telemetry bulk upsert optimization~~ ✅
~~PagerDuty/Slack integration for FATAL diagnostic logs~~ ✅

Post-Audit Review ✅ COMPLETE

~~8 bugs found and fixed in P2/P3 implementations~~ ✅ (73b07c2, 841cdf3)

Methodology

Scanned 15 repos across:

3 dashboards (admin-web, tracker-web, user-dashboard-web)
3 services (platform-service, extraction-service, mcp-server)
14+ shared packages
9 product backends (LysnrAI, ActionTrail, NoteLett, FlowMonk, JarvisJr, ChronoMind, PeakPulse, NomGap, Local Memory GPT)
9 product webs

Search patterns: TODO, FIXME, HACK, STUB, XXX, console.log, disabled, stub, placeholder, not implemented, noop

Excluded: test file mocks/stubs, template placeholders, data strings containing "todo", console.error in catch blocks (acceptable browser error logging)

12 KiB Raw Blame History Unescape Escape