# v0.1.0 - Open Issues

## A. Task Model / Submission / Scheduler

| ID | Area | Status | Notes |
|---|---|---|---|
| A1 | Task plugin selection + config flow | broken | Task creation stores `plugins = ["0"]`. Worker ignores `tasks.plugins` and iterates the registry snapshot. Worker-side plugin config building is a TODO. |
| A2 | Submission API / runtime alignment | partial | Task-create API accepts `package`, `module`, `options`, `machine`, `custom`, `memory`, `unique` - none are meaningfully honored at runtime. |
| A3 | Submission-path panic cleanup | partial | Request path uses `unwrap()` / `expect()` where it should return proper API errors. |
| | Timeout semantics | partial | `enforce_timeout` is stored, but worker timeout is just "wrap `execute_task()` in a timeout". |

## B. Machine Lifecycle / Cleanup / Recovery

| ID | Area | Status | Notes |
|---|---|---|---|
| B1 | Timeout-safe machine ownership | broken | Once `execute_task()` is canceled, worker loses `machine_id` and the machine stays assigned until restart. |
| B1 | Post-acquire failure cleanup | broken | Later failure paths can bubble out without guaranteed release/repair. Not exception-safe in general. |
| B2 | Completed vs. reverted contract | partial | Task `Completed` means "worker reached the release path", not "machine is confirmed clean". Needs an explicit contract. |
| B3 | Recovery and reprovision fidelity | partial | Recovery is restart-centric, not self-healing while live. Interrupted `Provisioning` machines get restored to `Ready` with `provider_config = None` - lossy. |

## C. Guest Access / Networking / Trust Model

| ID | Area | Status | Notes |
|---|---|---|---|
| C1 | Guest RPC contract + trust/auth | broken | Guest sample execution hard-requires gRPC on port `50051`. Disabling `guest_access` doesn't actually disable guest execution semantics. Guest gRPC is a trusted-lab transport assumption, not an authenticated boundary. Registration is reachability-based, not handshake-based. |
| C2 | Guest endpoint discovery / IP refresh | partial | DHCP lease lookup works for libvirt but the IP is persisted and trusted later without revalidation. |
| C3 | Transport config authority | partial | `ResolvedTransport::Grpc` stores an address, but workers still dial `http://<db_machine.ip>:50051` directly. `network_isolated = false` is passed unconditionally. Provider-side endpoint reconstruction hardcodes Windows in places. |
| C4 | Guest runtime config parity | partial | Windows guest-plugin deploy sets `MALBOX_WORK_DIR`, but the default guest runtime only reads `MALBOX_PLUGIN_PORT` - override path isn't wired. |
| | Task lifetime ownership | ambiguous | Sample execution is fire-and-observe. Open decision: should task lifetime be driven by sample exit, observation window, plugin-controlled keepalive, overall timeout, or a mix? |
| | Sequential guest-plugin ports | partial | `50051 + index` is brittle if plugin ordering becomes dynamic. First plugin on `50051` also acts as the base guest agent. |

## D. Plugin Runtime / Ordering / Lifecycle

| ID | Area | Status | Notes |
|---|---|---|---|
| D1 | Host plugin reality check | broken | Persistent host plugins spawn in `Starting`, manager acquires `Ready`/`Busy`, but the explicit host execution path returns empty results. Event-runtime fallback gives task handlers an empty sample path while examples expect sample bytes. |
| D2 | Deterministic plugin ordering + execution contexts | broken | Plugin selection and ordering are not task-driven or deterministic. Manifest contexts (`exclusive`, `sequential`, `parallel`) are parsed but not enforced. |
| D3 | Guest plugin lifecycle contract | partial | Guest plugin lifetime is VM-boot scoped, not task scoped. Worker doesn't drive `initialize()` / `shutdown()` in a real lifecycle sense. |
| D4 | Event-hook / runtime alignment | partial | Event-hook docs and manifests are ahead of reality. Worker only emits a small subset of task events over host IPC; guest event delivery doesn't appear to be used operationally. |
| | Plugin acquisition tracking | partial | Still records `Busy { task_id: 0 }` instead of the actual task ID. |
| | Live reconcile wiring | partial | Registry pending-change application and manager reconcile exist, but no top-level runtime loop wires plugin watch changes into live reconcile. |
| | Lifecycle types | partial | Persistent and ephemeral are partially real; scoped is not implemented. |

## E. Results / Reports / Contributor Health

| ID | Area | Status | Notes |
|---|---|---|---|
| E1 | Result artifact read/download API | partial | Result retrieval is metadata-only. |
| E2 | Result model consolidation | partial | Two result stories: per-plugin artifact path and older aggregate `TaskResult` shape. `TaskStore::update_task_result()` is still a TODO. |
| | | broken | `task_results` repo breaks clean contributor test runs unless `DATABASE_URL` or prepared SQLx metadata exists. |

## F. Docs / Config / Operator Surfaces

| ID | Area | Status | Notes |
|---|---|---|---|
| F1 | Config / docs drift cleanup | doc-lag | Sample config references the removed native provisioner. Some operator-facing comments still reference `"native"`. CLI grouping is aspirational in places. |
| F2 | Front-end truthfulness | doc-lag | Svelte front end is mock-backed. |
| F3 | Security assumptions / lab-mode docs | missing | No auth model across HTTP API, CLI, and web UI. |
| | Windows provisioning shortcuts | security | Relies on `Administrator` / `packer`, WinRM, insecure cert validation, guest plugin scheduled tasks as `SYSTEM`. |
| | Linux provisioning shortcuts | security | Base images allow password SSH, `malbox` user has passwordless sudo. |
| | Network isolation | partial | Isolation controls exist in playbooks as image/provisioning policy, not centrally enforced. Libvirt domain build hardcodes default NAT network + `e1000` NIC. |
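The two B1 rows (ownership lost when `execute_task()` is canceled, post-acquire failures bubbling out without release) and the B2 contract all point at one missing property: releasing a machine has to be tied to the task's lifetime, not to a particular code path. The block below is an added example written for this issue list, not malbox's own code; `MachinePool`, `MachineGuard`, `MachineState`, `execute_task` and the `Hang` future are hypothetical stand-ins. It shows an RAII guard whose `Drop` releases the machine whether the future is dropped by a timeout wrapper, an error propagates with `?`, or the task finishes normally; the guard defaults to `NeedsRepair` unless the worker explicitly confirms cleanup (the B2 distinction), and it records the real task id rather than a placeholder (the `Busy { task_id: 0 }` issue under D).

```rust
// Added example, not malbox code: tie machine ownership to the task's lifetime with
// an RAII guard so cancellation, timeouts and early error returns always release.
use std::collections::HashMap;
use std::future::Future;
use std::pin::Pin;
use std::sync::{Arc, Mutex};
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum MachineState {
    Ready,
    Assigned(u64),    // held by this task id (never a placeholder 0)
    NeedsRepair(u64), // released without a verified revert; not schedulable
}

pub struct MachinePool {
    states: Mutex<HashMap<u32, MachineState>>,
}

impl MachinePool {
    pub fn new(ids: &[u32]) -> Arc<Self> {
        let states = ids.iter().map(|&id| (id, MachineState::Ready)).collect();
        Arc::new(Self { states: Mutex::new(states) })
    }
    fn lock(&self) -> std::sync::MutexGuard<'_, HashMap<u32, MachineState>> {
        // A panic while holding the lock must not wedge the pool for good.
        self.states.lock().unwrap_or_else(|e| e.into_inner())
    }
    pub fn state(&self, id: u32) -> Option<MachineState> {
        self.lock().get(&id).copied()
    }
    /// Operator/recovery action: a repaired machine becomes schedulable again.
    pub fn repair(&self, id: u32) {
        self.lock().insert(id, MachineState::Ready);
    }
}

/// Owning handle: while it lives the machine is Assigned; on drop it is released.
pub struct MachineGuard {
    pool: Arc<MachinePool>,
    machine_id: u32,
    task_id: u64,
    clean: bool,
}

impl MachineGuard {
    /// Only a Ready machine can be acquired, and the real task id is recorded.
    pub fn acquire(pool: &Arc<MachinePool>, machine_id: u32, task_id: u64) -> Option<Self> {
        let mut states = pool.lock();
        if states.get(&machine_id).copied() != Some(MachineState::Ready) {
            return None;
        }
        states.insert(machine_id, MachineState::Assigned(task_id));
        Some(Self { pool: Arc::clone(pool), machine_id, task_id, clean: false })
    }
    /// Call only after the revert/cleanup step is confirmed: this is the explicit
    /// "machine is clean" contract, distinct from "worker reached the release path".
    pub fn mark_clean(&mut self) {
        self.clean = true;
    }
}

impl Drop for MachineGuard {
    fn drop(&mut self) {
        let next = if self.clean { MachineState::Ready } else { MachineState::NeedsRepair(self.task_id) };
        self.pool.lock().insert(self.machine_id, next);
    }
}

/// Stand-in for a guest run that never finishes (hung sample); a timeout wrapper
/// cancels it by dropping the future.
struct Hang;
impl Future for Hang {
    type Output = ();
    fn poll(self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<()> {
        Poll::Pending
    }
}

pub async fn execute_task(pool: Arc<MachinePool>, machine_id: u32, task_id: u64) -> Result<(), String> {
    let mut guard = MachineGuard::acquire(&pool, machine_id, task_id).ok_or("machine not ready")?;
    Hang.await; // the sample observation window
    guard.mark_clean(); // reached only after a verified revert
    Ok(())
}

fn noop_waker() -> Waker {
    fn clone(_: *const ()) -> RawWaker { RawWaker::new(std::ptr::null(), &VTABLE) }
    fn noop(_: *const ()) {}
    static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);
    // SAFETY: the vtable functions never dereference the (null) data pointer.
    unsafe { Waker::from_raw(RawWaker::new(std::ptr::null(), &VTABLE)) }
}

/// Poll execute_task once, then drop it: exactly what a timeout wrapper does on expiry.
/// Returns (state while running, state after cancellation).
pub fn run_until_cancelled(pool: &Arc<MachinePool>, machine_id: u32, task_id: u64) -> (MachineState, MachineState) {
    let waker = noop_waker();
    let mut cx = Context::from_waker(&waker);
    let mut fut: Pin<Box<dyn Future<Output = Result<(), String>>>> =
        Box::pin(execute_task(Arc::clone(pool), machine_id, task_id));
    let _ = fut.as_mut().poll(&mut cx); // Pending: the guest is "running"
    let while_running = pool.state(machine_id).expect("known machine");
    drop(fut); // cancellation: the guard's Drop runs here
    (while_running, pool.state(machine_id).expect("known machine"))
}

/// Post-acquire failure path: the error propagates with `?`, and the guard still releases.
pub fn run_failing(pool: &Arc<MachinePool>, machine_id: u32, task_id: u64) -> (Result<(), String>, MachineState) {
    let result = (|| -> Result<(), String> {
        let _guard = MachineGuard::acquire(pool, machine_id, task_id).ok_or("machine not ready")?;
        Err("guest plugin deploy failed".to_string())
    })();
    (result, pool.state(machine_id).expect("known machine"))
}
```

The design choice worth noting is the default on drop: a guard that is dropped without `mark_clean()` leaves the machine in `NeedsRepair`, so a canceled or failed task can never hand a possibly dirty VM to the next task, and the only way back to `Ready` is the explicit `repair()` step. Under a real runtime the same `Drop` runs when `tokio::time::timeout` (or any other wrapper) drops the `execute_task` future, which is what the manual poll-then-drop above simulates.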