MAESTRO: Add Critical & High-Priority Issues triage report

Categorized 17 open issues into Tier 1 (Critical Security & Stability)
and Tier 2 (High-Priority Bug Fixes) with KEEP/DISCARD/DEFER
recommendations for each. Cross-referenced 6 issues to active PRs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Alex Newman
2026-02-07 20:55:14 -05:00
parent 1d090b33f5
commit a0d737ba51
2 changed files with 250 additions and 0 deletions
@@ -0,0 +1,72 @@
# Phase 01: Comprehensive Issue & PR Categorization Report
This phase produces the complete categorized report of all open issues and PRs in the claude-mem repository. It fetches live data from GitHub, categorizes every item into priority tiers, maps PRs to the issues they address, and generates a single structured report with keep/discard/defer recommendations. This report is the primary deliverable that enables the project owner to make informed decisions about what to act on, what to close, and what to defer.
## Tasks
- [x] Fetch all open issues and PRs from GitHub and save raw data to the Working folder for subsequent tasks to consume:
- **Completed**: 67 issues and 30 PRs fetched, valid JSON verified, saved to Working/
- Run `gh issue list --repo thedotmack/claude-mem --state open --limit 200 --json number,title,labels,createdAt,author,body,comments` and save to `Working/raw-issues.json`
- Run `gh pr list --repo thedotmack/claude-mem --state open --limit 100 --json number,title,labels,createdAt,author,headRefName,isDraft,reviews,body` and save to `Working/raw-prs.json`
- Verify both files are valid JSON and contain expected record counts (~65-70 issues, ~29 PRs)
- Note: "Working" folder is at `/Users/alexnewman/Scripts/claude-mem//Auto Run Docs/Wizard-2026-02-07-4/Working/`
- [x] Read `Working/raw-issues.json` and categorize ALL open issues into a structured report covering Critical, High-Priority, and Security tiers. Write the output to `Working/issues-critical-high.md`:
- **Completed**: 17 issues categorized (3 Critical/Security in Tier 1, 14 High-Priority in Tier 2). All 17 recommended KEEP. Cross-referenced 6 issues to active PRs. Report written to `Working/issues-critical-high.md` with YAML front matter and wiki-link cross-references.
- **Tier 1: Critical Security & Stability** — Issues labeled `priority:critical` or `security` that threaten data integrity, enable exploits, or cause system-wide failures. Expected: #982 (path traversal CWE-22), #1010 (orphaned subprocess spawning), #793 (CLAUDE.md file pollution in subdirectories)
- **Tier 2: High-Priority Bug Fixes** — Issues labeled `priority:high` that break core functionality. Expected: #998 (500 errors on PostToolUse), #987 (infinite session loop), #979 (migration fails to create tables), #966 (SDK generator abort loop), #942 (setting documented but not implemented), #855 (Gemini corruption), #843 (Windows bun:sqlite), #807 (Windows ProcessTransport), #785 (Windows WMIC removed), #730 (1TB vector-db growth), #729 (worker blocks startup), #718 (zombie session ID), #646 (stdin fstat crash), #997 (Windows command prompt spam), #990 (security report with 8 findings), #707 (SQLite-only mode - labeled enhancement but high priority)
- For each issue, write: issue number, title, one-line summary of the problem, current labels, and a **Recommendation** of KEEP (fix it), DISCARD (close as won't-fix), or DEFER (deprioritize)
- Use structured markdown with YAML front matter: `type: report`, `title: Critical & High-Priority Issues`, `tags: [triage, critical, high-priority, security]`
- Apply these recommendation criteria: KEEP items that affect security, data integrity, or block normal usage; DISCARD items that are already fixed, duplicated, or obsolete; DEFER items that affect edge cases or have workarounds
- [ ] Read `Working/raw-issues.json` and categorize ALL remaining open issues into Medium-Priority, Windows, Features, Integration, and Low-Priority tiers. Write the output to `Working/issues-medium-low.md`:
- **Tier 3: Windows Platform Bugs** — Issues tagged `platform:windows`. Expected: #997, #843, #807, #785, #918, #723, #791, #675. Note some may overlap with Tier 2 (that's fine, list them in both with a cross-reference)
- **Tier 4: Medium-Priority Bugs** — Issues labeled `priority:medium` that affect specific scenarios or have workarounds. Expected: #984, #978, #975, #957, #927, #923, #918, #916, #897, #895, #838, #784, #781, #744, #740, #728, #714, #696, #692, #658, #598, #683, #659, #936, #943, #600, #927
- **Tier 5: High-Impact Features** — Enhancement requests with significant user value. Expected: #707 (SQLite-only mode), #659 (delete memories), #683 (project-scoped storage), #936 (orphan message processing), #943 (custom API endpoint), #668 (generalize anti-pattern-czar)
- **Tier 6: Integration & Compatibility** — Issues affecting third-party tool integration. Expected: #838 (Cursor), #744 (Codex), #690 (LiteLLM), #762 (Cursor install)
- **Tier 7: Low-Priority / Code Quality** — Issues labeled `priority:low` or affecting cosmetics/logging. Expected: #1011, #1005, #965, #816, #725, #716, #709, #695, #675, #649, #648, #642, #575, #762, #690, #753
- For each issue, write: issue number, title, one-line summary, current labels, and Recommendation (KEEP/DISCARD/DEFER)
- Use structured markdown with YAML front matter: `type: report`, `title: Medium & Low-Priority Issues`, `tags: [triage, medium-priority, low-priority, features, windows]`
- [ ] Read `Working/raw-prs.json` and `Working/raw-issues.json`, then categorize ALL open PRs into a structured PR triage report. Write the output to `Working/pr-triage.md`:
- Map each PR to the issue(s) it addresses (check PR body for "Fixes #", "Closes #", or issue references)
- Categorize each PR as one of:
- **MERGE** — PR addresses a critical/high issue, code looks reasonable, author is active
- **REVIEW** — PR addresses a real issue but needs code review or testing before merge
- **CLOSE** — PR is stale (>30 days with no activity), addresses a closed issue, or is low quality
- **DEFER** — PR addresses a low-priority issue or is a nice-to-have
- Group PRs by category:
- **Owner PRs** (by thedotmack): #1012 (OpenClaw plugin), #518 (SDK V2 migration), #516 (orphaned observer sessions)
- **Security Fixes**: #1002 (path traversal fix), #986 (CWE-22 + CWE-1321)
- **Critical Bug Fixes**: #1008 (unbounded subprocess spawning), #977 (Linux stdin crash), #996 (synthetic session IDs)
- **Windows Fixes**: #1021 (username spaces), #1006 (Chroma + WMIC), #474 (libuv assertion)
- **Features**: #1019 (env vars), #995 (subprocess pool), #994 (stale session recovery), #993 (Chroma timeout), #992 (MCP heartbeat), #991 (Chroma disable setting), #434 (project exclusion)
- **Infrastructure**: #1009 (MCP rename), #792 (Chroma HTTP server), #877/#876 (GitHub Actions upgrades)
- **Documentation**: #999, #1013, #983 (CLAUDE.md restructures)
- **Other**: #1000 (bug report diagnostics), #989 (FK constraint), #647 (9 bug fixes mega-PR), #498 (opencode plugin), #464 (Sleep Agent)
- For each PR, write: PR number, title, author, linked issue(s), age, and Recommendation (MERGE/REVIEW/CLOSE/DEFER)
- Use structured markdown with YAML front matter: `type: report`, `title: PR Triage Report`, `tags: [triage, pull-requests, code-review]`
- [ ] Read all three report files from Working/ (`issues-critical-high.md`, `issues-medium-low.md`, `pr-triage.md`) and compile them into a single master report. Write to `Working/MASTER-REPORT.md`:
- **Executive Summary** at the top with:
- Total counts: X open issues, Y open PRs
- Priority distribution: X critical, X high, X medium, X low
- Key findings: top 3 most impactful issues, top 3 most mergeable PRs
- Overall health assessment of the repository
- **Quick Decision Matrix** — A single table with ALL issues and PRs, each row showing: Number, Title (truncated), Category, Priority, Recommendation (KEEP/DISCARD/DEFER or MERGE/REVIEW/CLOSE/DEFER), and a 1-line rationale
- Then include all the detailed tier sections from the three input files, organized as:
1. Critical Security & Stability
2. High-Priority Bug Fixes
3. Windows Platform Bugs
4. Medium-Priority Bugs
5. High-Impact Features
6. Integration & Compatibility
7. Low-Priority / Code Quality
8. PR Triage
- **Action Plan** at the bottom with:
- "Immediate Actions" — Critical items to fix NOW (security + stability)
- "Next Sprint" — High-priority items that should be scheduled soon
- "Community Contributions" — PRs that can be merged with minimal effort
- "Close Candidates" — Issues and PRs recommended for closure with reasons
- Use YAML front matter: `type: report`, `title: Claude-Mem Issue & PR Triage Report`, `created: 2026-02-07`, `tags: [triage, master-report, prioritization]`
- Use `[[Issues-Critical-High]]`, `[[Issues-Medium-Low]]`, `[[PR-Triage]]` wiki-links to reference the component reports
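Review bot: the completion note on the second task records 14 Tier 2 issues and 17 total, but the expected list two lines below it enumerates 16 Tier 2 issues (#998 through #707), so either the note or the list is wrong and the figures should be reconciled before the master report consumes them. In the same block, the Tier 4 expected list repeats #927, and #762 and #690 appear in both Tier 6 and Tier 7 without the "list in both with a cross-reference" instruction that Tier 3 gives for its overlap with Tier 2; state the overlap rule once for all tiers. Minor: the Working folder path in the first task contains a doubled slash (`claude-mem//Auto Run Docs`), harmless on POSIX but worth fixing since later tasks copy it.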
@@ -0,0 +1,178 @@
---
type: report
title: Critical & High-Priority Issues
created: 2026-02-07
tags:
- triage
- critical
- high-priority
- security
related:
- "[[Issues-Medium-Low]]"
- "[[PR-Triage]]"
- "[[MASTER-REPORT]]"
---
# Critical & High-Priority Issues — Claude-Mem Repository
Report generated from live GitHub data on 2026-02-07. Covers all open issues in the `thedotmack/claude-mem` repository that are labeled `priority:critical`, `security`, or `priority:high`.
---
## Tier 1: Critical Security & Stability
These issues threaten data integrity, enable exploits, or cause system-wide failures. They should be addressed immediately.
### #982 — Security: Path Traversal in /api/instructions endpoint (CWE-22)
- **Summary:** The `/api/instructions` endpoint allows arbitrary file reads via path traversal in the `operation` query parameter, plus an object injection risk (CWE-1321) via the `topic` parameter.
- **Labels:** `security`, `priority:critical`
- **Author:** NakayoshiUsagi | **Created:** 2026-02-06
- **CVSS:** 7.5 (High) for path traversal, 5.3 (Medium) for object injection
- **Recommendation:** **KEEP** — Active security vulnerability enabling arbitrary file reads. Must be patched immediately. PR #1002 and #986 address this.
### #1010 — Worker daemon spawns orphaned claude-sonnet-4-5 subagent processes (~1/min, never cleaned up)
- **Summary:** The worker daemon continuously spawns `claude-sonnet-4-5` subagent processes that are never terminated, accumulating rapidly and consuming significant system resources (CPU, memory).
- **Labels:** `bug`, `priority:critical`
- **Author:** fuzzystripes | **Created:** 2026-02-07
- **Recommendation:** **KEEP** — Critical resource leak that degrades system performance over time. Affects all platforms. PR #1008 addresses this.
### #793 — isProjectRoot() doesn't detect subdirectories within git repos, causing CLAUDE.md pollution
- **Summary:** The `isProjectRoot()` function only checks if a folder directly contains `.git`, not if it's inside a git repo. This causes CLAUDE.md files to be created in all subdirectories of git repos.
- **Labels:** `bug`, `priority:critical`
- **Author:** alexrodriguezintegrityxd | **Created:** 2026-01-24
- **Recommendation:** **KEEP** — Affects every user with nested project directories. Creates unwanted files across the filesystem. Multiple community reports. PR #834 proposes a fix.
---
## Tier 2: High-Priority Bug Fixes
These issues break core functionality for significant user populations. They should be scheduled for the next development sprint.
### #998 — Observation storage failed: 500 on every PostToolUse hook after v9.0.17 upgrade
- **Summary:** After upgrading to v9.0.17, every tool call triggers a PostToolUse hook error with a 500 response from the observation storage backend. Non-blocking but produces constant error noise.
- **Labels:** `bug`, `priority:high`
- **Author:** nyflyer | **Created:** 2026-02-06
- **Recommendation:** **KEEP** — Core observation pipeline is broken for upgraded users. Likely a regression in the v9.0.17 release.
### #987 — Stop hook causes infinite session loop when summarize output is interpreted as instructions
- **Summary:** The Stop hook's `summarize` command returns a `systemMessage` containing session context that Claude interprets as new instructions, causing an infinite feedback loop where sessions never terminate.
- **Labels:** `bug`, `priority:high`
- **Author:** costa-marcello | **Created:** 2026-02-06
- **Recommendation:** **KEEP** — Prevents clean session termination. Users must force-quit Claude Code to escape the loop.
### #979 — MigrationRunner.initializeSchema() fails to create observations and session_summaries tables
- **Summary:** Fresh install of v9.0.15 fails during database initialization — the `observations` and `session_summaries` tables are never created, causing the worker to fail readiness checks and crash.
- **Labels:** `bug`, `priority:high`
- **Author:** kitadesign | **Created:** 2026-02-06
- **Recommendation:** **KEEP** — Blocks new installations entirely. Database initialization must work on first run.
### #966 — SDK Generator immediately aborts on every observation, causing infinite pending queue backlog
- **Summary:** The `ClaudeSdkAgent` generator starts, registers a PID, creates a message generator, then instantly aborts — never processing any messages. Pending messages accumulate indefinitely.
- **Labels:** `bug`, `priority:high`
- **Author:** NoobyNull | **Created:** 2026-02-05
- **Recommendation:** **KEEP** — AI summarization pipeline completely non-functional. Observations pile up unprocessed.
### #942 — CLAUDE_MEM_FOLDER_CLAUDEMD_ENABLED setting is documented but not implemented
- **Summary:** The `CLAUDE_MEM_FOLDER_CLAUDEMD_ENABLED` setting exists in documentation but has no effect in code. Users cannot disable CLAUDE.md auto-generation.
- **Labels:** `bug`, `priority:high`
- **Author:** costa-marcello | **Created:** 2026-02-05
- **Recommendation:** **KEEP** — Documented feature that doesn't work. Related to #793 (CLAUDE.md pollution). Users expect this setting to function.
### #855 — Gemini API summarization fails and causes database corruption
- **Summary:** Using Gemini via API for summarization doesn't work, and switching between providers corrupts the database, requiring a full wipe to restore normal operation.
- **Labels:** `bug`, `priority:high`
- **Author:** jerzydziewierz | **Created:** 2026-01-30
- **Recommendation:** **KEEP** — Data corruption is a severe consequence. Gemini is a popular alternative provider that many users want to use.
### #843 — Worker fails to start on Windows: bun:sqlite not available when spawned via Node.js
- **Summary:** On Windows, `ProcessManager.spawnDaemon()` uses `process.execPath` which resolves to `node.exe`, but `worker-service.cjs` requires `bun:sqlite` (Bun-only). Worker never starts.
- **Labels:** `bug`, `priority:high`, `platform:windows`
- **Author:** bivlked | **Created:** 2026-01-28
- **Recommendation:** **KEEP** — Fundamental Windows startup failure. Needs architecture fix to ensure Bun is used for worker spawning.
### #807 — [Windows] ProcessTransport error — Worker fails with "ProcessTransport is not ready for writing"
- **Summary:** Worker crashes with `ProcessTransport is not ready for writing` on Windows. MCP search always fails. Worker briefly starts (port 37777 opens) but crashes during Bun subprocess communication.
- **Labels:** `bug`, `priority:high`, `platform:windows`
- **Author:** Istrebitel98 | **Created:** 2026-01-25
- **Recommendation:** **KEEP** — Core Windows functionality broken. Bun's subprocess transport layer may need a workaround on Windows.
### #785 — Worker fails to spawn on Windows 11 25H2+ (WMIC removed)
- **Summary:** Worker daemon fails to start on Windows 11 25H2 (Build 26200+) because `wmic.exe` has been completely removed, but `ProcessManager.ts` uses WMIC to spawn the daemon.
- **Labels:** `bug`, `priority:high`, `platform:windows`
- **Author:** bivlked | **Created:** 2026-01-23
- **Recommendation:** **KEEP** — Windows 11 25H2 is shipping to consumers. WMIC removal breaks worker spawning entirely. PR #1006 addresses this.
### #730 — Vector-db folder grows to 1TB+ when multiple Docker containers share the same .claude-mem mount
- **Summary:** Multiple Docker containers mounting the same `.claude-mem` directory causes the `vector-db` folder to grow uncontrollably to 1.1TB+, filling all available disk space within hours.
- **Labels:** `bug`, `priority:high`
- **Author:** lucacri | **Created:** 2026-01-16
- **Recommendation:** **KEEP** — Critical data issue for Docker/CI users. Unbounded growth filling disks is a production-breaking problem.
### #729 — Worker startup blocks Claude Code entirely when not ready within 15 seconds
- **Summary:** When the worker isn't ready within 15 seconds, the `UserPromptSubmit` hook blocks completely, preventing Claude Code from working at all. Users must manually restart.
- **Labels:** `bug`, `priority:high`
- **Author:** andygmassey | **Created:** 2026-01-16
- **Recommendation:** **KEEP** — Blocking startup failure affects UX severely. Should degrade gracefully instead of blocking entirely.
### #718 — VSCode reuses zombie content_session_id after session completion, causing Generator abort loop
- **Summary:** VSCode continues reusing the same `content_session_id` after session completion, causing the Generator to abort repeatedly with "Prompt is too long" errors.
- **Labels:** `bug`, `priority:high`
- **Author:** soho-dev-account | **Created:** 2026-01-15
- **Recommendation:** **KEEP** — Causes Generator to be permanently broken for long-running VSCode sessions. PR #996 addresses this.
### #646 — Plugin bricks Claude Code — stdin fstat EINVAL crash
- **Summary:** The SessionStart hook crashes Claude Code with an `fstat EINVAL` error on stdin, bricking Claude Code in most directories. Users cannot start sessions until the plugin is manually uninstalled.
- **Labels:** `bug`, `priority:high`
- **Author:** MaxWolf-01 | **Created:** 2026-01-09
- **Recommendation:** **KEEP** — Severity is critical despite high-priority label. Completely bricks Claude Code for affected users. PR #977 addresses this.
### #997 — Windows VSCode CLI: Bun command prompt spam
- **Summary:** On Windows, Bun command prompt windows constantly pop up and spam the screen when using claude-mem in VSCode CLI. No effective workaround exists.
- **Labels:** `bug`, `priority:high`, `platform:windows`
- **Author:** cryptodoran | **Created:** 2026-02-06
- **Recommendation:** **KEEP** — Makes the product unusable on Windows. User reports switching to paid alternatives due to this issue.
### #990 — Security Report: 8 findings (2 Critical, 4 High) from automated analysis
- **Summary:** Automated security audit identified 8 findings including SQL injection via dynamic query construction and other vulnerabilities across the codebase.
- **Labels:** `security`, `priority:high`
- **Author:** devatsecure | **Created:** 2026-02-06
- **Recommendation:** **KEEP** — Comprehensive security report with actionable findings. Overlaps with #982 (path traversal). Individual findings should be validated and addressed.
### #707 — Feature: SQLite-only backend mode to prevent Chroma memory consumption (35GB RAM)
- **Summary:** Chroma MCP process consumes 35GB+ RAM on macOS, making the system unusable. Request for a SQLite-only backend mode that skips Chroma entirely.
- **Labels:** `enhancement`, `priority:high`
- **Author:** soho-dev-account | **Created:** 2026-01-14
- **Recommendation:** **KEEP** — While labeled as an enhancement, the 35GB RAM consumption is a critical resource issue. A SQLite-only mode would resolve #730, #695, #675, and other Chroma-related issues. High community demand.
---
## Summary Statistics
| Tier | Count | Breakdown |
|------|-------|-----------|
| **Tier 1: Critical Security & Stability** | 3 | 1 security vulnerability, 1 resource leak, 1 filesystem pollution |
| **Tier 2: High-Priority Bug Fixes** | 14 | 4 Windows-specific, 3 startup/blocking, 2 security, 2 data integrity, 3 core functionality |
| **Total Critical + High** | **17** | |
### Recommendation Distribution
| Recommendation | Count |
|----------------|-------|
| **KEEP** | 17 |
| **DISCARD** | 0 |
| **DEFER** | 0 |
All 17 critical and high-priority issues are recommended to be kept open. These represent genuine, impactful bugs and security vulnerabilities that affect core functionality, data integrity, or platform compatibility. None are duplicates, already fixed, or obsolete.
### Cross-References to PRs
Several high-priority issues have active PRs addressing them:
| Issue | Related PR(s) | PR Status |
|-------|--------------|-----------|
| #982 (Path Traversal) | #1002, #986 | Open |
| #1010 (Orphaned Processes) | #1008 | Open |
| #793 (CLAUDE.md Pollution) | #834 | Open |
| #785 (WMIC Removed) | #1006 | Open |
| #718 (Zombie Session ID) | #996 | Open |
| #646 (stdin Crash) | #977 | Open |
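Review bot: the Summary Statistics table reports 14 Tier 2 issues and a total of 17, but Tier 2 as written contains 16 entries (#998, #987, #979, #966, #942, #855, #843, #807, #785, #730, #729, #718, #646, #997, #990, #707), which makes the real total 19; the table, the KEEP count in Recommendation Distribution and the "All 17" sentence need updating, and the Tier 2 breakdown (4 + 3 + 2 + 2 + 3 = 14) should be recomputed against the actual entries. Also, the report intro and the Phase 01 tasks define Tier 1 as issues labeled `priority:critical` or `security`, yet #990 carries the `security` label and sits in Tier 2; either move it to Tier 1 or restate the Tier 1 rule so the placement matches the stated criteria.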