Properties
category: reference
tags: [tasks, milestones, launch]
last_updated: 2026-03-17
confidence: high

Pre-Launch Milestone

Work required before opening robot.wtf to the ATProto community. Everything here is either a bug, a missing feature that blocks usability, or a safety issue.

Completed

MCP wiki routing (bug) ✅ FIXED (2026-03-15)

Fixed and deployed. See Tasks/MCP_Wiki_Routing.

Multi-tenant semantic search (bug) ✅ FIXED (2026-03-17)

See Tasks/Semantic_Search_Architecture and Tasks/Semantic_Search_Multi_Tenant.

FAISS index corruption risk ✅ RESOLVED (2026-03-15)

Sync thread removed. Index updates now happen through page lifecycle hooks only.

OAuth token refresh ✅ FIXED (2026-03-17)

ACCESS_TOKEN_EXPIRY_SECONDS extended from 3600 (1 hour) to 604800 (7 days). Refresh tokens set to 30 days.

Per-wiki databases ✅ DEPLOYED (2026-03-17)

Each wiki gets /srv/data/wikis/{slug}/wiki.db with preferences, drafts, user, cache tables. Resolver swaps DB per-request.

Permissions panel ✅ DEPLOYED (2026-03-17)

Wiki owners can set READ_ACCESS/WRITE_ACCESS/ATTACHMENT_ACCESS via Otterwiki's admin UI. Resolver enforces by intersecting with platform ACL.

MCP OAuth hardcoded defaults ✅ DEPLOYED (2026-03-17)

CONSENT_URL and PLATFORM_DOMAIN no longer default to robot.wtf. InMemoryOAuthProvider fallback when unset.

MCP OAuth dynamic base URL ✅ DEPLOYED (2026-03-17)

OAuth metadata endpoint uses request Host header. Each wiki's MCP endpoint works correctly.

SERVER_NAME hidden ✅ DEPLOYED (2026-03-17)

SERVER_NAME field hidden from Application Preferences in PLATFORM_MODE.

Remove is_public toggle ✅ DEPLOYED (2026-03-17)

READ_ACCESS replaces is_public as sole source of truth. Migration seeds READ_ACCESS=REGISTERED for private wikis.

Login return_to redirect ✅ DEPLOYED (2026-03-17)

Resolver passes wiki URL as return_to when redirecting to login. Auth server accepts *.robot.wtf URLs.

SITE_NAME lazy init ✅ DEPLOYED (2026-03-17)

display_name passed through to _init_wiki_db during lazy init.

Upstream bug fix submitted (2026-03-17)

handle_permissions_and_registration missing ADMIN guard — PR pending to redimp/otterwiki (fix/permissions-admin-guard).

Blocking

Harden per-wiki DB initialization

The lazy init pattern for wiki.db has needed repeated fixes (missing DB swap, missing SITE_NAME, missing READ_ACCESS migration). The current approach seeds fields piecemeal as we discover gaps. Replace with a comprehensive init that seeds all expected defaults upfront: SITE_NAME, READ_ACCESS (based on is_public), WRITE_ACCESS, ATTACHMENT_ACCESS. Audit _init_wiki_db() for any preference that Otterwiki expects but doesn't have a built-in default for, and seed them all.

Post-deploy smoke test ✅ MERGED (2026-03-17)

Shell script in Ansible post_tasks — checks all 4 services (systemctl + HTTP), auth/MCP well-known endpoints, dynamic wiki enumeration from DB. Retry loop with 30s ceiling per service.

Disk usage cap

No per-wiki disk space limit. page_count and disk_usage_bytes fields in robot.db always read 0 — tier limits and quota enforcement are dead code. Design doc at Design/Wiki_Stats_Plugin describes an otterwiki plugin approach using lifecycle hooks + cron backstop. Not yet implemented.

Management UI usability

  • Wiki creation flow should default slug to username
  • MCP connection instructions need to be clearer
  • Settings page layout needs work

Landing page copy

Draft is live at robot.wtf/. Updated 2026-03-17. Still needs screenshots once UI is polished.

UX issues

Login page remembers nothing

The login page doesn't pre-fill the Bluesky handle from the platform JWT cookie. If a valid token exists, it should skip the login page entirely and redirect to the dashboard.

Login page visual mismatch

The login page color scheme and layout are completely different from the landing page, the Otterwiki admin panel, and the wikis themselves. Should be visually consistent.

No navigation from wiki to dashboard

There's no obvious way to get from within a wiki back to the platform dashboard or admin panel. Needs a nav link or menu item.

Safety

Backup coverage gaps

Backup cron runs every 4 hours, retains 7 days. Uses sqlite3 .backup for consistency.

What IS backed up: robot.db, mcp_oauth.db, per-wiki wiki.db files.

What is NOT backed up:

  • Git repos (/srv/data/wikis/{slug}/repo/) — all wiki content. Relies on Proxmox VM snapshots. Verify Proxmox snapshot schedule is actually running.
  • Signing keys (signing_key.pem, signing_key.pub, client_jwk.json, client_jwk_pub.json) — losing these breaks all OAuth sessions. Generated once, never backed up. Should be added to backup script or Ansible vault.
  • FAISS indexes — can be rebuilt from wiki content (not critical).

Recommended actions (in priority order):

  1. Verify Proxmox snapshots are running on schedule
  2. Add git bundle create per wiki to the backup script
  3. Add signing key backup to the script
  4. Write and test a restore script
  5. Automate a periodic integrity check (PRAGMA integrity_check on all DBs)

Backup verification

No tested restore path exists. Minimal local test: pull a backup, run integrity checks on each DB, verify schema matches.
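As an added example (not the platform's backup script; file names under a temp directory are constructed), the minimal local test above plus recommended action 5: take a consistent copy with SQLite's online backup API, the same mechanism behind sqlite3 .backup, then run PRAGMA integrity_check on the copy and compare its schema with the source, treating a truncated copy as a failure rather than a crash.

```python
import sqlite3
import tempfile
from pathlib import Path

def backup_db(src: Path, dst: Path) -> None:
    # Online backup API (what `sqlite3 .backup` uses): pages are copied under a
    # read lock, so the copy is consistent even while the live service writes.
    with sqlite3.connect(src) as s, sqlite3.connect(dst) as d:
        s.backup(d)

def schema_of(path: Path) -> list:
    # (type, name, sql) for every table and index, in a stable order.
    with sqlite3.connect(path) as c:
        return c.execute("SELECT type, name, sql FROM sqlite_master "
                         "WHERE sql IS NOT NULL ORDER BY type, name").fetchall()

def verify_backup(src: Path, dst: Path) -> dict:
    # The minimal local test: integrity-check the copy, then compare its schema
    # with the source. A truncated file may raise rather than return rows.
    result = {"integrity_ok": False, "schema_matches": False, "error": None}
    try:
        with sqlite3.connect(dst) as c:
            rows = c.execute("PRAGMA integrity_check").fetchall()
        result["integrity_ok"] = rows == [("ok",)]
        result["schema_matches"] = schema_of(src) == schema_of(dst)
    except sqlite3.DatabaseError as exc:
        result["error"] = str(exc)
    return result

def demo() -> dict:
    # Constructed sample: a tiny wiki.db, a good backup and a truncated one.
    work = Path(tempfile.mkdtemp())
    src, good, bad = work / "wiki.db", work / "wiki.db.bak", work / "wiki.db.corrupt"
    with sqlite3.connect(src) as c:
        c.executescript("CREATE TABLE preferences (name TEXT PRIMARY KEY, value TEXT);"
                        "INSERT INTO preferences VALUES ('READ_ACCESS', 'REGISTERED');")
    backup_db(src, good)
    bad.write_bytes(good.read_bytes()[:600])  # simulated damaged backup
    return {"good": verify_backup(src, good), "bad": verify_backup(src, bad)}

if __name__ == "__main__":
    print(demo())
```

Running the same two checks over every DB the cron produces (robot.db, mcp_oauth.db, each wiki.db) is the periodic integrity check the list asks for.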

Rate limiting

No rate limiting on any endpoint. Caddy can add this. Not critical for soft launch, needed before wider announcement.

OWASP high-priority items

From Security/OWASP_2025_Audit:

  • Bcrypt linear scan DoS ✅ MERGED (2026-03-17): Replaced bcrypt with SHA-256 for API token hashing. get_by_token() does O(1) indexed lookup. Ansible migration invalidates legacy bcrypt hashes.
  • Security response headers: Add X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security in Caddy.
  • Security logging: No audit trail for auth events, ACL changes, wiki deletions.
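As an added illustration of the bcrypt-to-SHA-256 change above (not the platform's code; the table and column names are assumptions), a high-entropy random token hashed with a deterministic digest can be found by one indexed equality lookup, whereas per-row salted bcrypt forces a verify against every stored hash; the query-plan check shows SQLite using the index rather than scanning.

```python
import hashlib
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE api_tokens (
    id         INTEGER PRIMARY KEY,
    user_id    TEXT NOT NULL,
    token_hash TEXT NOT NULL UNIQUE   -- sha256 hex; UNIQUE creates the index
);
"""

def _digest(token: str) -> str:
    # The token is 256 bits of randomness, so an unsalted fast hash is fine:
    # there is nothing to brute-force, and a deterministic digest is exactly
    # what makes the equality lookup indexable. bcrypt salts every row, so the
    # only way to match is to bcrypt-verify against each stored hash in turn.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(db: sqlite3.Connection, user_id: str) -> str:
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO api_tokens (user_id, token_hash) VALUES (?, ?)",
               (user_id, _digest(token)))
    db.commit()
    return token  # returned once to the caller; only the digest is stored

def get_by_token(db: sqlite3.Connection, token: str):
    # One indexed point lookup regardless of how many tokens exist.
    row = db.execute("SELECT user_id FROM api_tokens WHERE token_hash = ?",
                     (_digest(token),)).fetchone()
    return row[0] if row else None

def lookup_uses_index(db: sqlite3.Connection) -> bool:
    # Ask SQLite how it will run the lookup: SEARCH (index probe) rather than
    # SCAN (full table walk) is what makes get_by_token O(1).
    plan = db.execute("EXPLAIN QUERY PLAN SELECT user_id FROM api_tokens "
                      "WHERE token_hash = ?", ("x",)).fetchall()
    detail = " ".join(str(r[-1]) for r in plan)
    return "SEARCH" in detail and "SCAN" not in detail

def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

if __name__ == "__main__":
    db = new_db()
    t = issue_token(db, "did:plc:example")  # constructed sample DID
    print(get_by_token(db, t), lookup_uses_index(db))
```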

Git remote push/pull security

Repository Management admin panel lets wiki owners store SSH keys that the platform executes. Should be gated or disabled in PLATFORM_MODE. Noted in Design/Admin_Panel_Reenablement.

Monitoring dashboard

Grafana or similar for service metrics. Currently health checks are binary (up/down) with no latency or throughput visibility.

Not blocking but important

Phase 2: User Management

Consolidate Collaborators tab into Otterwiki's User Management panel. Explicit user roster per wiki. Admin adds DID handles, sets per-user flags. Completes the APPROVED access level. Remove Collaborators tab from dashboard. Design at Design/Admin_Panel_Reenablement (Phase 2 section).

Wiki stats plugin

Track page count and disk usage via otterwiki lifecycle hooks. Enables tier limits and quota enforcement. Design at Design/Wiki_Stats_Plugin. Parked — design only.

SMTP alerts test

Health check and disk monitoring alerts configured but not tested end-to-end.

CI/CD pipeline

Currently deploy is git push + ansible-playbook. GitHub Actions for tests on PR + auto-deploy would reduce risk.

Post-launch

Account deletion (V7-8)

User can delete their account from the management UI. Deletes wiki (git repo, FAISS index), SQLite records, ACL grants. Requires typing username to confirm.

Git clone auth

Read-only git clone works (V4-6) but has no auth — anyone can clone any wiki. Should require bearer token or platform JWT for private wikis.

Multiple wikis per user

Currently limited to 1 wiki per user. The data model supports multiple wikis. Needs UI for wiki selection and limit increase.

Bluesky DM alerts

Translate health check / disk monitoring alerts into Bluesky DMs via ATProto API. Small webhook relay.

Wiki import

Import existing git repos (from GitHub, local, etc.) as a new wiki. Upload or provide a git URL.

Attachment size limits

Per-file and per-wiki attachment size enforcement. Currently no limits on uploaded files.

Proxmox CPU type change

Change from kvm64 to host to enable numpy 2.4+ and remove the pin. Requires VM reboot. See Dev/Proxmox_CPU_Type.