You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[2026-07-10] lint | Haiku validation wave 3: 6/6 scenarios (security authn choice, JWT server, token client, infinite scroll, platforms, mobile) solved via routing alone, 0 STUCK — incl. 3-domain hop security→backend→frontend on the authn scenario
[2026-07-10] ingest | Add plan + implement skills: capable-model planning (decisions in plan, wiki-mapped small-model-sized tasks) and small-model execution contract (no improvisation, BLOCKED over guessing). E2E validated: planner produced a 17-task login plan (8 self-check fixes); haiku executed tasks 01 (DONE, verified) and 03 (correct BLOCKED on unrunnable psql verify — schema itself applied all 4 mapped wiki pages exactly)
[2026-07-10] revise | backend restructured into stack subtrees: 13 pages moved to common/ (ids backend-common-*, all references rewritten), AGENTS.md naming rule extended for one-level subtrees, backend index routes concern-first/stack-second
[2026-07-10] ingest | mobile +3: navigation/deep-links-and-entry-points (cold-process rebuild per entry, verified links, synthesized back stack, auth continuation), permissions/runtime-permissions (in-context requests, outcome table, live status checks), security/sensitive-data-on-device (Keychain/Keystore, leak-surface table: snapshot/clipboard/backup/logs/WebView)
[2026-07-11] gap | Planning realestate-collector (external XML API ingestion) surfaced 4 [no-wiki] decisions with no owning page: (1) idempotent re-ingestion of an external source that has no stable per-row id → "partition replace" (delete-by-natural-scope + insert in one txn) as the ingestion analogue of upsert; (2) never overwrite a partition with an empty fetch result (transient upstream failure vs genuine zero-rows); (3) normalizing a foreign-government XML feed into an English canonical schema (field-name mapping verified against a live response, not from memory); (4) romanization of Korean admin-region names as static seed. Ingest candidate: a backend category like common/ingestion/external-source-sync.md (partition-replace idempotency, empty-result guard, boundary parse of XML→model). Routing itself worked: keyset-pagination, composite-index-column-order, pagination-contract, idempotent-handlers, scheduled-job-overlap, timeouts-and-retries, python/runtime-validation, and schema-design pages all applied cleanly to the covered decisions.
[2026-07-11] ingest | security +1 (new category api-exposure): exposing-an-origin-http-api — code-vs-edge control split for putting an origin HTTP API behind a public tunnel/proxy. Captures the non-obvious 5xx-bypasses-request-middleware gotcha (set security headers in the exception handler too — verify with a forced 500), header-only fail-closed auth, docs/OpenAPI off at the origin by default, sanitized 5xx bodies, and the code(validate/headers/errors)-vs-edge(TLS/HSTS/rate-limit/WAF) boundary. Derived from hardening korea-data-suite for external exposure + independent pentest; sources OWASP Secure Headers, MDN, Starlette middleware, FastAPI docs.
[2026-07-12] ingest | databases +1 (new category sqlite): concurrent-access-for-a-read-api — WAL + busy_timeout for a read-heavy API with a background writer; set journal_mode once (per-connection pragma cost ~0.4ms measured vs 0.04ms busy_timeout), single writer, run the batch writer as a separate process (interpreter-lock isolation), scale reads with worker processes not threads. Derived from load-testing korea-data-suite (measured connect/query/pragma costs, GIL-bound concurrency, separate-sync-process deployment). Sources: SQLite WAL/pragma/FAQ docs.
[2026-07-12] revise | security/secrets-in-code +1 edge case: third-party HTTP client (httpx/requests) logs the full request URL — including a query-param API key — at INFO, so root/DEBUG logging leaks it; keep the client logger above INFO. Found when a standalone sync process set logging.basicConfig(INFO) and httpx wrote the data.go.kr serviceKey to the log file. last_verified bumped to 2026-07-12.