| 1 | +# ADR-080: QE Analysis Remediation Plan |
| 2 | + |
| 3 | +- **Status:** Proposed |
| 4 | +- **Date:** 2026-04-06 |
| 5 | +- **Source:** [QE Analysis Gist (2026-04-05)](https://gist.github.com/proffesor-for-testing/a6b84d7a4e26b7bbef0cf12f932925b7) |
| 6 | +- **Full Reports:** [proffesor-for-testing/RuView `qe-reports` branch](https://github.com/proffesor-for-testing/RuView/tree/qe-reports/docs/qe-reports) |
| 7 | + |
| 8 | +## Context |
| 9 | + |
| 10 | +An 8-agent QE swarm analyzed ~305K lines across Rust, Python, C firmware, and TypeScript on 2026-04-05. The overall score was **55/100 (C+) — Quality Gate FAILED**. This ADR captures the findings and establishes a remediation plan. |
| 11 | + |
| 12 | +## Decision |
| 13 | + |
| 14 | +Address the 15 prioritized issues from the QE analysis in three waves: P0 (immediate), P1 (this sprint), P2 (this quarter). |
| 15 | + |
| 16 | +## P0 — Fix Immediately |
| 17 | + |
| 18 | +### 1. Rate Limiter Bypass (Security HIGH) |
| 19 | + |
| 20 | +- **Location:** `v1/src/middleware/rate_limit.py:200-206` |
| 21 | +- **Problem:** Trusts `X-Forwarded-For` without validation. Any client bypasses rate limits via header spoofing. |
| 22 | +- **Fix:** Validate forwarded headers against trusted proxy list, or use connection IP directly. |
| 23 | + |
| 24 | +### 2. Exception Details Leaked in Responses (Security HIGH) |
| 25 | + |
| 26 | +- **Location:** `v1/src/api/routers/pose.py:140`, `stream.py:297`, +5 endpoints |
| 27 | +- **Problem:** Stack traces visible regardless of environment. |
| 28 | +- **Fix:** Wrap with generic error responses in production; log details server-side only. |
| 29 | + |
| 30 | +### 3. WebSocket JWT in URL (Security HIGH, CWE-598) |
| 31 | + |
| 32 | +- **Location:** `v1/src/api/routers/stream.py:74`, `v1/src/middleware/auth.py:243` |
| 33 | +- **Problem:** Tokens in query strings visible in logs/proxies/browser history. |
| 34 | +- **Fix:** Use WebSocket subprotocol or first-message auth pattern. |
| 35 | + |
| 36 | +### 4. Rust Tests Not in CI |
| 37 | + |
| 38 | +- **Problem:** 2,618 tests across 153K lines of Rust — zero run in any GitHub Actions workflow. Regressions ship undetected. |
| 39 | +- **Fix:** Add `cargo test --workspace --no-default-features` to CI. 1-2 hour task. |
| 40 | + |
| 41 | +### 5. WebSocket Path Mismatch (Bug) |
| 42 | + |
| 43 | +- **Location:** `ui/mobile/src/services/ws.service.ts:104` constructs `/ws/sensing`, but `constants/websocket.ts:1` defines `WS_PATH = '/api/v1/stream/pose'`. |
| 44 | +- **Problem:** Mobile WebSocket silently fails. |
| 45 | +- **Fix:** Align paths. Verify which endpoint the server actually serves. |
| 46 | + |
| 47 | +## P1 — Fix This Sprint |
| 48 | + |
| 49 | +| # | Issue | Location | Impact | |
| 50 | +|---|-------|----------|--------| |
| 51 | +| 6 | God file: 4,846 lines, CC=121 | `sensing-server/src/main.rs` | Untestable monolith | |
| 52 | +| 7 | O(L×V) voxel scan per frame | `ruvsense/tomography.rs:345-383` | ~10ms wasted; use DDA ray march | |
| 53 | +| 8 | Sequential neural inference | `wifi-densepose-nn inference.rs:334-336` | 2-4× GPU latency penalty | |
| 54 | +| 9 | 720 `.unwrap()` in Rust | Workspace-wide | Each = potential panic in RT paths | |
| 55 | +| 10 | 112KB alloc/frame in Python | `csi_processor.py:412-414` | Deque→list→numpy every frame | |
| 56 | + |
| 57 | +## P2 — Fix This Quarter |
| 58 | + |
| 59 | +| # | Issue | Impact | |
| 60 | +|---|-------|--------| |
| 61 | +| 11 | 11/12 Python modules have zero unit tests (12,280 LOC) | Services, middleware, DB untested | |
| 62 | +| 12 | Firmware at 19% coverage (WASM runtime, OTA, swarm) | Security-critical code untested | |
| 63 | +| 13 | MAT screen auto-falls back to simulated data | Disaster responders could monitor fake data | |
| 64 | +| 14 | Token blacklist never consulted during auth | Revoked tokens remain valid | |
| 65 | +| 15 | 50ms frame budget never benchmarked | Real-time requirement unverified | |
| 66 | + |
| 67 | +## Bright Spots |
| 68 | + |
| 69 | +- 79 ADRs (exceptional governance) |
| 70 | +- Witness bundle system (ADR-028) with SHA-256 proof |
| 71 | +- 2,618 Rust tests with mathematical rigor |
| 72 | +- Daily security scanning (Bandit, Semgrep, Safety) |
| 73 | +- Ed25519 WASM signature verification on firmware |
| 74 | +- Clean mobile state management with good test coverage |
| 75 | + |
| 76 | +## Full QE Reports (9 files, 4,914 lines) |
| 77 | + |
| 78 | +| Report | What it covers | |
| 79 | +|--------|---------------| |
| 80 | +| `EXECUTIVE-SUMMARY.md` | Top-level synthesis with all scores and priority matrix | |
| 81 | +| `00-qe-queen-summary.md` | Master coordination, quality posture, test pyramid | |
| 82 | +| `01-code-quality-complexity.md` | Cyclomatic complexity, code smells, top 20 hotspots | |
| 83 | +| `02-security-review.md` | 15 security findings (3 HIGH, 7 MEDIUM), OWASP coverage | |
| 84 | +| `03-performance-analysis.md` | 23 perf findings (4 CRITICAL), frame budget analysis | |
| 85 | +| `04-test-analysis.md` | 3,353 tests inventoried, duplication, quality grading | |
| 86 | +| `05-quality-experience.md` | API/CLI/Mobile/DX UX assessment | |
| 87 | +| `06-product-assessment-sfdipot.md` | SFDIPOT analysis, 57 test ideas, 14 session charters | |
| 88 | +| `07-coverage-gaps.md` | Coverage matrix, top 20 risk gaps, 8-week roadmap | |
| 89 | + |
| 90 | +## Consequences |
| 91 | + |
| 92 | +- **P0 fixes** eliminate 3 security vulnerabilities and 2 functional bugs |
| 93 | +- **P1 fixes** improve performance, reliability, and maintainability |
| 94 | +- **P2 fixes** close coverage gaps and harden the system for production |
| 95 | +- Target score improvement: 55 → 75+ after P0+P1 completion |
| 96 | + |
| 97 | +--- |
| 98 | + |
| 99 | +*Generated from QE swarm analysis (fleet-02558e91) on 2026-04-05* |
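Review bot: Item 14 in the P2 table ("Token blacklist never consulted during auth", impact "Revoked tokens remain valid") is scheduled for this quarter even though it is an authentication flaw of the same kind as the three Security HIGH items in P0; move it to P0 or P1 and give it a Location and Fix entry like items 1-3, or state in the ADR why deferral is acceptable. In item 1, the Fix offers "use connection IP directly" as an alternative without saying when it applies: if the service runs behind a reverse proxy, the connection IP is the proxy's and every client shares one rate-limit bucket, so the ADR should pick one option and say where the trusted proxy list is configured. The Consequences line "2 functional bugs" also counts item 4, which is a CI gap and not a bug; reword it to match the P0 list.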