Categorized 17 open issues into Tier 1 (Critical Security & Stability)
and Tier 2 (High-Priority Bug Fixes) with KEEP/DISCARD/DEFER
recommendations for each. Cross-referenced 6 issues to active PRs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Report generated from live GitHub data on 2026-02-07. Covers all open issues in the thedotmack/claude-mem repository that are labeled priority:critical, security, or priority:high.
Tier 1: Critical Security & Stability
These issues threaten data integrity, enable exploits, or cause system-wide failures. They should be addressed immediately.
#982 — Security: Path Traversal in /api/instructions endpoint (CWE-22)
Summary: The /api/instructions endpoint allows arbitrary file reads via path traversal in the operation query parameter, plus an object injection risk (CWE-1321) via the topic parameter.
Labels: security, priority:critical
Author: NakayoshiUsagi | Created: 2026-02-06
CVSS: 7.5 (High) for path traversal, 5.3 (Medium) for object injection
Recommendation: KEEP — Active security vulnerability enabling arbitrary file reads. Must be patched immediately. PR #1002 and #986 address this.
Summary: The worker daemon continuously spawns claude-sonnet-4-5 subagent processes that are never terminated, accumulating rapidly and consuming significant system resources (CPU, memory).
Labels: bug, priority:critical
Author: fuzzystripes | Created: 2026-02-07
Recommendation: KEEP — Critical resource leak that degrades system performance over time. Affects all platforms. PR #1008 addresses this.
Summary: The isProjectRoot() function only checks if a folder directly contains .git, not if it's inside a git repo. This causes CLAUDE.md files to be created in all subdirectories of git repos.
Recommendation: KEEP — Affects every user with nested project directories. Creates unwanted files across the filesystem. Multiple community reports. PR #834 proposes a fix.
Tier 2: High-Priority Bug Fixes
These issues break core functionality for significant user populations. They should be scheduled for the next development sprint.
#998 — Observation storage failed: 500 on every PostToolUse hook after v9.0.17 upgrade
Summary: After upgrading to v9.0.17, every tool call triggers a PostToolUse hook error with a 500 response from the observation storage backend. Non-blocking but produces constant error noise.
Labels: bug, priority:high
Author: nyflyer | Created: 2026-02-06
Recommendation: KEEP — Core observation pipeline is broken for upgraded users. Likely a regression in the v9.0.17 release.
#987 — Stop hook causes infinite session loop when summarize output is interpreted as instructions
Summary: The Stop hook's summarize command returns a systemMessage containing session context that Claude interprets as new instructions, causing an infinite feedback loop where sessions never terminate.
Labels: bug, priority:high
Author: costa-marcello | Created: 2026-02-06
Recommendation: KEEP — Prevents clean session termination. Users must force-quit Claude Code to escape the loop.
#979 — MigrationRunner.initializeSchema() fails to create observations and session_summaries tables
Summary: Fresh install of v9.0.15 fails during database initialization — the observations and session_summaries tables are never created, causing the worker to fail readiness checks and crash.
Labels: bug, priority:high
Author: kitadesign | Created: 2026-02-06
Recommendation: KEEP — Blocks new installations entirely. Database initialization must work on first run.
#966 — SDK Generator immediately aborts on every observation, causing infinite pending queue backlog
Summary: The ClaudeSdkAgent generator starts, registers a PID, creates a message generator, then instantly aborts — never processing any messages. Pending messages accumulate indefinitely.
Labels: bug, priority:high
Author: NoobyNull | Created: 2026-02-05
Recommendation: KEEP — AI summarization pipeline completely non-functional. Observations pile up unprocessed.
#942 — CLAUDE_MEM_FOLDER_CLAUDEMD_ENABLED setting is documented but not implemented
Summary: The CLAUDE_MEM_FOLDER_CLAUDEMD_ENABLED setting exists in documentation but has no effect in code. Users cannot disable CLAUDE.md auto-generation.
Labels: bug, priority:high
Author: costa-marcello | Created: 2026-02-05
Recommendation: KEEP — Documented feature that doesn't work. Related to #793 (CLAUDE.md pollution). Users expect this setting to function.
#855 — Gemini API summarization fails and causes database corruption
Summary: Using Gemini via API for summarization doesn't work, and switching between providers corrupts the database, requiring a full wipe to restore normal operation.
Labels: bug, priority:high
Author: jerzydziewierz | Created: 2026-01-30
Recommendation: KEEP — Data corruption is a severe consequence. Gemini is a popular alternative provider that many users want to use.
#843 — Worker fails to start on Windows: bun:sqlite not available when spawned via Node.js
Summary: On Windows, ProcessManager.spawnDaemon() uses process.execPath which resolves to node.exe, but worker-service.cjs requires bun:sqlite (Bun-only). Worker never starts.
Labels: bug, priority:high, platform:windows
Author: bivlked | Created: 2026-01-28
Recommendation: KEEP — Fundamental Windows startup failure. Needs architecture fix to ensure Bun is used for worker spawning.
#807 — [Windows] ProcessTransport error — Worker fails with "ProcessTransport is not ready for writing"
Summary: Worker crashes with ProcessTransport is not ready for writing on Windows. MCP search always fails. Worker briefly starts (port 37777 opens) but crashes during Bun subprocess communication.
Labels: bug, priority:high, platform:windows
Author: Istrebitel98 | Created: 2026-01-25
Recommendation: KEEP — Core Windows functionality broken. Bun's subprocess transport layer may need a workaround on Windows.
#785 — Worker fails to spawn on Windows 11 25H2+ (WMIC removed)
Summary: Worker daemon fails to start on Windows 11 25H2 (Build 26200+) because wmic.exe has been completely removed, but ProcessManager.ts uses WMIC to spawn the daemon.
Labels: bug, priority:high, platform:windows
Author: bivlked | Created: 2026-01-23
Recommendation: KEEP — Windows 11 25H2 is shipping to consumers. WMIC removal breaks worker spawning entirely. PR #1006 addresses this.
#730 — Vector-db folder grows to 1TB+ when multiple Docker containers share the same .claude-mem mount
Summary: Multiple Docker containers mounting the same .claude-mem directory causes the vector-db folder to grow uncontrollably to 1.1TB+, filling all available disk space within hours.
Labels: bug, priority:high
Author: lucacri | Created: 2026-01-16
Recommendation: KEEP — Critical data issue for Docker/CI users. Unbounded growth filling disks is a production-breaking problem.
#729 — Worker startup blocks Claude Code entirely when not ready within 15 seconds
Summary: When the worker isn't ready within 15 seconds, the UserPromptSubmit hook blocks completely, preventing Claude Code from working at all. Users must manually restart.
Labels: bug, priority:high
Author: andygmassey | Created: 2026-01-16
Recommendation: KEEP — Blocking startup failure affects UX severely. Should degrade gracefully instead of blocking entirely.
Summary: VSCode continues reusing the same content_session_id after session completion, causing the Generator to abort repeatedly with "Prompt is too long" errors.
Labels: bug, priority:high
Author: soho-dev-account | Created: 2026-01-15
Recommendation: KEEP — Causes Generator to be permanently broken for long-running VSCode sessions. PR #996 addresses this.
Summary: The SessionStart hook crashes Claude Code with an fstat EINVAL error on stdin, bricking Claude Code in most directories. Users cannot start sessions until the plugin is manually uninstalled.
Labels: bug, priority:high
Author: MaxWolf-01 | Created: 2026-01-09
Recommendation: KEEP — Severity is critical despite high-priority label. Completely bricks Claude Code for affected users. PR #977 addresses this.
#997 — Windows VSCode CLI: Bun command prompt spam
Summary: On Windows, Bun command prompt windows constantly pop up and spam the screen when using claude-mem in VSCode CLI. No effective workaround exists.
Labels: bug, priority:high, platform:windows
Author: cryptodoran | Created: 2026-02-06
Recommendation: KEEP — Makes the product unusable on Windows. User reports switching to paid alternatives due to this issue.
Summary: Automated security audit identified 8 findings including SQL injection via dynamic query construction and other vulnerabilities across the codebase.
Labels: security, priority:high
Author: devatsecure | Created: 2026-02-06
Recommendation: KEEP — Comprehensive security report with actionable findings. Overlaps with #982 (path traversal). Individual findings should be validated and addressed.
Summary: Chroma MCP process consumes 35GB+ RAM on macOS, making the system unusable. Request for a SQLite-only backend mode that skips Chroma entirely.
Labels: enhancement, priority:high
Author: soho-dev-account | Created: 2026-01-14
Recommendation: KEEP — While labeled as an enhancement, the 35GB RAM consumption is a critical resource issue. A SQLite-only mode would resolve #730, #695, #675, and other Chroma-related issues. High community demand.
All 17 critical and high-priority issues are recommended to be kept open. These represent genuine, impactful bugs and security vulnerabilities that affect core functionality, data integrity, or platform compatibility. None are duplicates, already fixed, or obsolete.
Cross-References to PRs
Several high-priority issues have active PRs addressing them: