
docs: upstream catalogue, security audit, 6-phase roadmap #25

Merged
e6qu merged 5 commits into dev from next/remaining-work
Mar 21, 2026

Conversation

@e6qu
Owner

@e6qu e6qu commented Mar 21, 2026

Summary

  • UPSTREAM_STATUS.md — catalogued 162 upstream commits + ~195 open PRs with author, category, priority, and backport determination
  • docs/SECURITY_AUDIT.md — 2 CVEs (CVSS 8.8, 9.4), 5 security vulnerabilities (S1-S5) tracked in BUGS.md
  • PLAN.md — rewritten as 6-phase roadmap with exit criteria (security first)
  • GAP_ANALYSIS.md — current → target state for each phase
  • AGENTS.md — phase methodology added (read/update tracking docs before/after each phase)
  • All tracking files updated and cross-linked

6-Phase Roadmap

| Phase | Priority | Description |
|---|---|---|
| 1 | CRITICAL | Security fixes: symlink bypass, command injection, workspace trust, server auth, .env exposure |
| 2 | High | 8 upstream bug fixes from vouched contributors (Dax, Kit, James Long, Ariane Emory) |
| 3 | High | OpenTUI 0.1.90 upgrade + quality fixes (ordering, apply_patch, Provider types) |
| 4 | Medium | Community bug fixes (retry, memory, LSP leak) + features (auto-accept, quiet mode) |
| 5 | Medium | Remaining tests (filterEdited, ContextEdit validation, TUI dialogs) |
| 6 | Low | Effect behavioral analysis (extract bug fixes from upstream Effect PRs, reimplement) |

Security Issues (S1-S5)

| # | Issue | Severity |
|---|---|---|
| S1 | Filesystem.contains() symlink bypass | CRITICAL |
| S2 | exec() command injection | HIGH |
| S3 | Untrusted .opencode/ autoloading | HIGH |
| S4 | Server unauthenticated on non-loopback | MED |
| S5 | Read tool exposes .env files | MED |

Upstream Integration Strategy

  • No simple rebase — each change analyzed individually
  • No desktop app — permanently skipped
  • No Bun→Node portability — Frankencode targets Bun only
  • Effect PRs → behavioral extraction, not cherry-pick

Test plan

  • No code changes — documentation only
  • All tracking files cross-linked and consistent
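The CRITICAL item in the PR's table, S1, is a path-containment check that a symlink defeats: the check compares lexical paths, so a link inside the workspace that points outside it passes. The TypeScript below is an added example written for this page, not Frankencode's or OpenCode's `Filesystem.contains()`; it places a lexical check of that kind beside one that resolves symlinks with `realpath` on both sides before comparing, and adds an S5-style deny rule for `.env` files on top. The temp-directory layout, the function names and the secret-file pattern are assumptions of the example, not the project's code or policy.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Lexical containment check of the kind S1 describes (illustration, not the
// project's code): resolves ".." but never follows symlinks, so a link inside
// `root` that points outside it is accepted.
export function containsLexical(root: string, requested: string): boolean {
  const rootAbs = path.resolve(root);
  const target = path.resolve(rootAbs, requested);
  return target === rootAbs || target.startsWith(rootAbs + path.sep);
}

// Hardened check: canonicalise root and target with realpath, then compare.
// A path that cannot be resolved (ENOENT, ELOOP, EACCES) cannot be proven to be
// inside the workspace and is denied; that is the right default for a read tool.
export function containsReal(root: string, requested: string): boolean {
  let rootReal: string;
  let targetReal: string;
  try {
    rootReal = fs.realpathSync(path.resolve(root));
    targetReal = fs.realpathSync(path.resolve(rootReal, requested));
  } catch {
    return false;
  }
  return targetReal === rootReal || targetReal.startsWith(rootReal + path.sep);
}

// S5-style policy: refuse dotenv files wherever they live. The pattern is an
// assumption for this example, not the project's deny list.
const SECRET_FILE_PATTERN = /^\.env(\..+)?$/;

export function isDeniedSecretFile(requested: string): boolean {
  return SECRET_FILE_PATTERN.test(path.basename(requested));
}

export type Verdict = "allow" | "deny-outside" | "deny-secret";

// Combined guard a read tool would call immediately before opening the file.
export function readGuard(root: string, requested: string): Verdict {
  if (isDeniedSecretFile(requested)) return "deny-secret";
  if (!containsReal(root, requested)) return "deny-outside";
  return "allow";
}

// Demonstration on a constructed layout under a fresh temp directory:
//   <ws>/src/app.ts           regular file inside the workspace
//   <ws>/.env                 secret file inside the workspace
//   <ws>/escape -> <outside>  symlink pointing out of the workspace
//   <outside>/secret.txt      file that must stay unreachable
export function demo(): {
  lexicalEscape: boolean;
  realEscape: boolean;
  inside: boolean;
  escapeVerdict: Verdict;
  envVerdict: Verdict;
} {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "s1-demo-"));
  const ws = path.join(base, "ws");
  const outside = path.join(base, "outside");
  fs.mkdirSync(path.join(ws, "src"), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(ws, "src", "app.ts"), "export {};\n");
  fs.writeFileSync(path.join(ws, ".env"), "TOKEN=constructed-sample\n");
  fs.writeFileSync(path.join(outside, "secret.txt"), "constructed-sample\n");
  fs.symlinkSync(outside, path.join(ws, "escape"), "dir");
  try {
    return {
      lexicalEscape: containsLexical(ws, "escape/secret.txt"), // true: bypassed
      realEscape: containsReal(ws, "escape/secret.txt"),       // false: blocked
      inside: containsReal(ws, "src/app.ts"),                  // true
      escapeVerdict: readGuard(ws, "escape/secret.txt"),       // "deny-outside"
      envVerdict: readGuard(ws, ".env"),                        // "deny-secret"
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}
```

Two caveats a practitioner would want with this check. `realpath` requires the target to exist, which suits a read tool; a write tool must instead canonicalise the deepest existing ancestor and append the remaining components. And the check is still separated in time from the `open()`, so a link swapped in between passes it; keep the guard adjacent to the open, or open with an API that refuses to follow symlinks, rather than validating once and reusing the path later.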

Adrian Mârza added 2 commits March 21, 2026 23:15
- PLAN.md: remove completed Zod/test sections, focus on upstream re-sync
- DO_NEXT.md: upstream re-sync is now priority 1, remaining tests priority 2
- STATUS.md: 1473 tests, 25 Frankencode-specific unit tests
- WHAT_WE_DID.md: compressed to PR summary

Categorized all commits since last rebase into:
- 15 backportable fixes (8 high priority)
- 8 backportable features
- 10 backportable refactors
- 5 TUI fixes
- 12 Effect-ification (conflict with our approach, defer to rebase)
- 20+ app/desktop (skip)
- 50+ chore/generate (skip)
- 8 Zen platform (skip)

Each entry includes SHA, PR#, author, description, and priority.
Recommended 4-phase backport order documented.
@e6qu e6qu force-pushed the next/remaining-work branch from cf76db3 to a84f4d8 on March 21, 2026 21:31
Adrian Mârza added 3 commits March 21, 2026 23:36
Security audit of upstream OpenCode issues applicable to Frankencode:

CVEs:
- CVE-2026-22812: Unauthenticated HTTP server RCE (CVSS 8.8) — partially mitigated
- CVE-2026-22813: XSS to RCE via markdown renderer (CVSS 9.4) — needs audit

Open security issues (S1-S5) added to BUGS.md:
- S1: Filesystem.contains() symlink bypass (CRITICAL)
- S2: exec() command injection in github.ts (HIGH)
- S3: Untrusted .opencode/ autoloading (HIGH)
- S4: Server unauthenticated on non-loopback (MED)
- S5: Read tool exposes .env files (MED)

Created docs/SECURITY_AUDIT.md with full analysis, upstream PRs, and
recommended fix priority. Cross-linked from UPSTREAM_STATUS.md, BUGS.md,
and docs/README.md.

Added to UPSTREAM_STATUS.md:
- 9 PRs from vouched/recognized contributors (Dax, Sebastian, Kit, Tim, Ariane)
- 4 security PRs (CVE fix, TUI server guard, path bypass, XSS)
- 17 core bug fix PRs worth evaluating (retry, provider compat, memory, safety)
- 7 TUI feature PRs (sidebar, /edit, syntax highlighting, themes)
- 6 core feature PRs (quiet mode, offline, custom prompts, plugin robustness)
- ~80 permanently skipped (desktop, web app, Bun→Node, docs, niche)

Each categorized with author, priority, and Frankencode relevance.
Top 20 backport candidates identified and ordered by priority.

PLAN.md rewritten as 6-phase roadmap:
- Phase 1: Security fixes (S1-S5) — CRITICAL priority
- Phase 2: High-priority upstream bug fixes (8 cherry-picks)
- Phase 3: Quality fixes + OpenTUI upgrade
- Phase 4: Community bug fixes + features
- Phase 5: Remaining tests
- Phase 6: Effect behavioral analysis

GAP_ANALYSIS.md shows current → target state for each phase.
DO_NEXT.md points to Phase 1 immediate actions.
STATUS.md shows phase progress tracker.

AGENTS.md updated with phase methodology:
- Read tracking docs before/after each phase
- Update BUGS.md, STATUS.md, WHAT_WE_DID.md, GAP_ANALYSIS.md after work
- Follow PLAN.md phases with exit criteria
@e6qu e6qu changed the title docs: upstream status catalogue + tracking file updates docs: upstream catalogue, security audit, 6-phase roadmap Mar 21, 2026
@e6qu e6qu merged commit cf3f631 into dev Mar 21, 2026
1 check passed
@e6qu e6qu deleted the next/remaining-work branch March 21, 2026 21:58