profit/golangLAKEHOUSE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
golangLAKEHOUSE/reports/scrum/risk-register.md
root 91edd43164 scrum audit: 5 reports under reports/scrum/ · score 35/60 
Adapts docs/SCRUM.md framework (originally written for the
matrix-agent-validated repo) to the Go rewrite. Five deliverables:

  golang-lakehouse-scrum-test.md  top-line + scoring + verdict
  risk-register.md                12 findings, R-001..R-012
  claim-coverage-table.md         claim/test/risk for Sprint 2
  sprint-backlog.md               5 sprints, ~2 weeks of work
  acceptance-gates.md             DoD as runnable commands

Every claim cites file:line, command output, or "missing evidence."
Smoke chain ran clean (33s wall, all 9 PASS) and is captured in
reports/scrum/_evidence/smoke_chain.log (gitignored — runtime artifact).

Scoring:
  Reproducibility       7/10  9 smokes deterministic, no just/CI gate
  Test Coverage         6/10  internal/ packages tested, 6/7 cmd/ aren't
  Trust Boundary        7/10  escapes ok, zero auth, /sql is RCE-eq off-loopback
  Memory Correctness    3/10  pathway/playbook/observer not yet ported
  Deployment Readiness  4/10  no REPLICATION, no env template, no systemd
  Maintainability       8/10  no god-files, 7 lean binaries, ADRs current

Top three risks:
  R-001 HIGH  queryd /sql + DuckDB + non-loopback bind = RCE-equivalent
  R-002 HIGH  internal/shared (server.go + config.go) zero tests
  R-003 HIGH  internal/storeclient zero tests, used by 2 services
  R-004 MED   9-smoke chain green but not gated (no justfile/hook)

The audit is the work; refactors come after. Sprint 0 owns coverage
+ CI gating; Sprint 1 owns trust-boundary decisions; Sprints 2-3 are
mostly design-bar work for unbuilt agent components.

.gitignore exception: /reports/* + !/reports/scrum/ keeps reports/
a runtime-artifact directory while exposing reports/scrum/ as
tracked documentation. Mirrors the pattern future audit passes will
land in.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 04:51:47 -05:00

111 lines
11 KiB
Markdown
Raw Blame History

# golangLAKEHOUSE — Risk Register
Severity-ranked findings from the 2026-04-29 scrum audit. Each row cites `file:line` or command output per SCRUM.md's "no vibes" rule. Severity uses HIGH (likely + impactful) / MED (one of those) / LOW (latent or mitigated). Risk IDs are stable — `sprint-backlog.md` and `acceptance-gates.md` reference them by ID.
---
## HIGH severity
### R-001 — `queryd POST /sql` accepts arbitrary SQL; localhost binding is sole guardrail
- **Where:** `cmd/queryd/main.go:142` registers `r.Post("/sql", h.handleSQL)`. `cmd/queryd/main.go:181` passes `req.SQL` directly to `db.QueryContext`. No allowlist, no statement-type check, no rate limit.
- **Why this is HIGH:** DuckDB is not a sandbox. `COPY ... TO '/tmp/x'` writes the host filesystem. `read_csv('s3://...')` reads any S3 object the configured creds can reach. `read_text('/etc/passwd')` reads local files. Anything that can reach `:3214` can exfil anything queryd's process can read.
- **Today's mitigation:** every binary binds `127.0.0.1` by default (`internal/shared/config.go:132-160`). Network-layer is the only auth layer.
- **What breaks the mitigation:** any future deploy that binds non-loopback (Docker port-publish, K8s pod IP, accidental `0.0.0.0`) opens RCE-equivalent access. There is no second line of defense.
- **Recommended fix:** Sprint 1 — decide the auth posture (Bearer token, mTLS, IP allow-list) and add middleware. Document the design risk in `docs/SECURITY.md`. Until middleware lands: assert in `cmd/queryd/main.go` startup that bind starts with `127.` and `os.Exit(1)` otherwise — fail-loud rather than silent expose.
### R-002 — `internal/shared` (server factory + config) has zero tests
- **Where:** `internal/shared/server.go` (server.go: 0 tests, src=2 — `server.go` + `config.go`). Confirmed by `ls internal/shared/*_test.go` returning empty.
- **Why HIGH:** `server.go` contains the shared chi factory + race-free `net.Listen()` + graceful shutdown that every binary depends on. `config.go` contains the TOML loader that every binary calls in `main()`. A regression here breaks all 7 binaries silently — and the only thing that catches it today is the 9-smoke chain at the integration layer.
- **Recommended fix:** Sprint 0 — add `internal/shared/server_test.go` (table-test bind-error surfacing, graceful-shutdown ordering, /health response shape) and `config_test.go` (TOML round-trip, missing-file warn behavior, default values).
### R-003 — `internal/storeclient` has zero tests
- **Where:** `internal/storeclient/client.go` (src=1, test=0). Used by `catalogd` (`store_client.go` originally; extracted to shared package per memory `4205ecd`) and `vectord` (G1P persistence). Two services depend on it directly.
- **Why HIGH:** This client owns the keep-alive pool, body-drain semantics, and the retry/timeout policy for storaged calls. The ADR-020 idempotency contract on catalogd partially relies on this client's error semantics. Untested + load-bearing = silent correctness risk.
- **Recommended fix:** Sprint 0 — add `client_test.go` covering the keep-alive drain path (the comment in `internal/catalogclient/client.go` cites this as a known footgun), 4xx vs 5xx classification, body-cap enforcement on response.
---
## MEDIUM severity
### R-004 — Smokes are documentation, not a CI gate
- **Where:** `README.md:60` shows `for s in scripts/{...}_smoke.sh; do ...; done` as the run instruction. No `justfile`, no `Makefile`, no `.github/workflows/`, no `.git/hooks/pre-push`. Confirmed by `ls justfile Makefile .github` — all "No such file."
- **Why MED:** the smokes are *deterministic and fast* (33s wall for the full chain — `_evidence/smoke_chain.log`). The discipline of running them is purely human at the moment. A future commit that breaks `d4` will pass review unless the reviewer happens to run the chain.
- **Recommended fix:** Sprint 0 — `justfile` with `verify` (full chain) + `smoke <day>` (single) + `doctor` (deps probe) + `fmt`/`vet`/`test` shortcuts. Pre-push hook calls `just verify` and aborts on non-zero exit.
### R-005 — 6 of 7 `cmd/<bin>/main.go` files are untested
- **Where:** only `cmd/storaged/main_test.go` exists. The other six binaries' wiring layers (route registration, handler chaining, error-mapping middleware, request-body decoding) are integration-tested only via shell smokes.
- **Why MED:** wiring bugs don't show up in `go test` and don't show up in `go vet`. They show up at smoke time, which is a slower feedback loop than per-package unit tests would give. `cmd/queryd/main.go:142` is the highest-priority candidate for cmd-level tests because the `handleSQL` body-decode + cap path is the entry point for R-001 and runs without unit-test coverage today.
- **Recommended fix:** Sprint 0 — pattern-match `cmd/storaged/main_test.go`'s shape across the other 6 binaries. Test scope per binary: routes registered, body-cap rejection (request entity too large), schema-validation rejection (400 on bad JSON), happy-path with mocked dependency.
### R-006 — Smokes hit real MinIO + Ollama; no fixture-only path
- **Where:** `g2_smoke.sh:14` requires Ollama at `:11434` with `nomic-embed-text` loaded. `d2_smoke.sh` requires MinIO at `:9000` with bucket `lakehouse-go-primary`. Confirmed in `README.md:67-71` ("Cold-start dependencies").
- **Why MED:** any CI runner without these services cannot run the smoke chain. Fresh-clone reviewers cannot run it. Any downtime or version drift in MinIO / Ollama produces flaky CI.
- **Recommended fix:** Sprint 0 — define `embed.Provider` and `storage.Bucket` mock implementations behind the existing interfaces (`internal/embed/embed.go:20`, `internal/storaged/bucket.go`). Add `just smoke-fixtures` that points the binaries at the fakes via env vars. Real-MinIO / real-Ollama smokes become the "hardware-in-the-loop" tier.
### R-007 — Zero auth middleware on 22 public routes
- **Where:** `grep -rn 'Authorization\|Bearer'` returns zero matches outside test files. Routes inventoried: vectord (6), storaged (4), catalogd (3), queryd (1), ingestd (1), embedd (1), gateway (proxies all upstream), plus `/health` on every binary.
- **Why MED:** localhost-only binding is the sole guardrail (R-001 covers the worst case). Non-localhost deploy = open admin panel. The header design ("Authorization: Bearer ..." vs "X-API-Key" vs mTLS cert subject) needs to be decided once and then applied uniformly across all 22 routes — retrofit is more painful per-route than upfront.
- **Recommended fix:** Sprint 1 — write ADR-003 picking the auth model. Most likely choice: Bearer token + IP allow-list, with token loaded from `secrets-go.toml`. Add `internal/shared/auth.go` middleware so adding it to a new binary is one chi `r.Use()` line.
### R-008 — `internal/queryd/db.go` (DuckDB connector + `CREATE SECRET` site) untested
- **Where:** `internal/queryd/db.go` is referenced via `func (h *handlers) handleSQL` and contains `sqlEscape` (line 122), `redactCreds` (line 132), and the `CREATE SECRET ... '%s'` formation (line 102). `internal/queryd/registrar_test.go` exists, but no `db_test.go`.
- **Why MED:** `sqlEscape` correctness is one bug from a credential-leak via SQL error chain. `redactCreds` correctness is the *only* layer between a bad SECRET creation and S3 keys ending up in slog output. Both deserve unit tests with adversarial inputs (single-quote in key, embedded SECRET token, etc.).
- **Recommended fix:** Sprint 0 — add `db_test.go` with: `sqlEscape` round-trip on adversarial strings; `redactCreds` exhaustive case for empty / partial / multiple-occurrence credential values; `bootstrapStatements` order assertion (INSTALL → LOAD → CREATE SECRET).
---
## LOW severity
### R-009 — `registrar.go:153` uses `fmt.Sprintf` for view DDL
- **Where:** `internal/queryd/registrar.go:153``sql := fmt.Sprintf("CREATE OR REPLACE VIEW %s AS SELECT * FROM %s", quoteIdent(m.Name), fromExpr)`.
- **Why LOW:** `m.Name` comes from catalogd's manifest (server-controlled), is wrapped with `quoteIdent` (line 172, doubles `"`). `fromExpr` is built from S3 URLs which are themselves wrapped with `'` and escaped via `sqlEscape` (line 145, doubles `'`). DuckDB doesn't accept `?` placeholders for DDL, so `fmt.Sprintf` is unavoidable here. Inputs are not user-controlled at the SQL boundary; they came from a registration API call but the dataset name was already vetted by catalogd.
- **Recommended fix:** none — currently correct. Note as a "design risk to remember" if catalogd ever loosens validation on dataset names. Add a regression test that asserts a manifest with `name: 'foo"; DROP TABLE x; --'` produces a quoted-but-non-executing view name.
### R-010 — No CORS posture on any binding
- **Where:** `grep -rni 'Access-Control'` returns zero hits in source. Confirmed.
- **Why LOW:** all binaries bind 127.0.0.1; no browser is making cross-origin requests today; the future HTMX UI will be same-origin via gateway.
- **Recommended fix:** none until a non-localhost binding is needed. When it is needed (Sprint 4 or later), the decision belongs in the same ADR as auth posture (R-007) — same blast radius, same review.
### R-011 — `g2_smoke.sh:79` exact-match on `nomic-embed-text` model name
- **Where:** `scripts/g2_smoke.sh:79``[ "$MODEL" = "nomic-embed-text" ]`.
- **Why LOW:** if the operator swaps to `nomic-embed-text-v2-moe` (which is also loaded on this box), the smoke fails *loudly* — the dimension and recall would still likely pass; only the literal model-name assertion fails. That's the right failure mode (not silent acceptance), so this is more of an annotation than a finding.
- **Recommended fix:** none — keep the assertion strict. If the swap is intentional, the operator updates the smoke alongside the swap. That's the discipline.
### R-012 — `tests/` directory exists but is empty
- **Where:** `ls tests/` returns only `.` and `..`. Listed in `README.md:90` ("Layout") but uncited in any code path.
- **Why LOW:** dead directory, harmless, but suggests an older plan (Rust-style integration test convention) that didn't carry over.
- **Recommended fix:** either remove the directory or claim it for the fixture-mode smoke story (R-006). Pick one in Sprint 0.
---
## Risk-to-sprint mapping
| Risk | Severity | Sprint |
|---|---|---|
| R-001 queryd /sql RCE-eq via DuckDB | HIGH | 1 |
| R-002 internal/shared untested | HIGH | 0 |
| R-003 internal/storeclient untested | HIGH | 0 |
| R-004 smokes not gated | MED | 0 |
| R-005 6/7 cmd/main.go untested | MED | 0 |
| R-006 no fixture-only smokes | MED | 0 |
| R-007 zero auth on 22 routes | MED | 1 |
| R-008 queryd/db.go untested | MED | 0 |
| R-009 registrar.go fmt.Sprintf | LOW | — (note only) |
| R-010 no CORS posture | LOW | 1 (with R-007) |
| R-011 g2 smoke model assertion | LOW | — (correct as-is) |
| R-012 empty tests/ dir | LOW | 0 |
Sprint 0 owns the test-coverage and CI-gate work (R-002, R-003, R-004, R-005, R-006, R-008, R-012). Sprint 1 owns the trust-boundary decisions (R-001, R-007, R-010). Sprint 2-4 are design-bar work for unbuilt components.
Reference in New Issue View Git Blame Copy Permalink