2026-03-07 — Eclectis

What shipped today

Today was primarily a quality and infrastructure session — no new features, but significant improvements to operational readiness and testing capability.

Deep scout across all three layers. Three parallel agents explored the engine, web app, and database migrations looking for bugs, security issues, and performance gaps. The engine audit surfaced a crash-path in article_fetch (NULL URL), a SQL interpolation risk in the admin usage endpoint, and missing cumulative timeouts on scraper escalation. The web audit found an unsigned admin impersonation cookie, silent error suppression on analytics calls, and a command type mismatch (already fixed by #73). The database audit identified missing composite indexes on hot query paths — feeds, articles, commands, and engagement_events tables all lack indexes that match actual query patterns.

Five issues were created from the findings: four labeled ready-for-grind (#78, #79, #81, #82) and one needing human design input (#80 — admin impersonation hardening). A duplicate (#83) was caught and closed immediately.

Skopos QA test account was created for the automated Playwright-based QA agent. User [email protected] is set up in Supabase with a confirmed email, free plan, and credentials stored in the paulos .env. This unblocks the Skopos dev pipeline extension (pwelty/paulos#220).

Completed

• #84 — Create skopos test account for automated QA
• #83 — Closed as duplicate of #73
• #78 — Created: fix article_fetch crash on NULL URL + cumulative timeout
• #79 — Created: add missing composite indexes for hot query paths
• #80 — Created: harden admin impersonation cookie
• #81 — Created: replace silent .catch(() => {}) with error logging
• #82 — Created: sanitize admin_usage SQL interpolation

Carry-over

• 4 issues ready for grind: #78, #79, #81, #82
• #80 (admin impersonation) needs prep — design decision between signed cookie, server-side session, or removing client cookie
• #72 (feed discovery ports) still needs decomposition
• #77 (Vercel incident notification) should be closed — it’s informational, not actionable

Risks

• Admin impersonation cookie (#80) is an active security concern — unsigned cookie could theoretically be forged. Low practical risk (requires cookie access) but should be addressed.
• Missing database indexes (#79) won’t cause errors but will degrade performance as data grows.

Flags and watch-outs

• The scout found additional medium-severity issues not yet tracked: RSS batch scoring index mismatch, unbounded list accumulation in rss_scan, missing integration tests. These are larger scope and need separate issues if prioritized.
• Skopos test account is on the free plan — if QA needs to test Pro features, the plan will need to be upgraded.

Next session

• /grind 78 79 81 82 — burn down the four grindable scout findings
• /issue prep 80 — shape the admin impersonation fix (pick an approach)
• Close #77 (Vercel incident) — informational, not actionable
• Consider creating a milestone to organize the growing backlog (10 open issues, 0 milestoned)