Properties
category: reference
tags: [tasks, milestones, launch]
last_updated: 2026-03-17
confidence: high

Pre-Launch Milestone

Work required before opening robot.wtf to the ATProto community. Everything here is either a bug, a missing feature that blocks usability, or a safety issue.

Completed

MCP wiki routing (bug) ✅ FIXED (2026-03-15)

Fixed and deployed. See Tasks/MCP_Wiki_Routing.

Multi-tenant semantic search (bug) ✅ FIXED (2026-03-17)

See Tasks/Semantic_Search_Architecture and Tasks/Semantic_Search_Multi_Tenant.

FAISS index corruption risk ✅ RESOLVED (2026-03-15)

Sync thread removed. Index updates now happen through page lifecycle hooks only.

OAuth token refresh ✅ FIXED (2026-03-17)

ACCESS_TOKEN_EXPIRY_SECONDS extended from 3600 (1 hour) to 604800 (7 days). Refresh tokens set to 30 days.

Per-wiki databases ✅ DEPLOYED (2026-03-17)

Each wiki gets /srv/data/wikis/{slug}/wiki.db with preferences, drafts, user, cache tables. Resolver swaps DB per-request.

Permissions panel ✅ DEPLOYED (2026-03-17)

Wiki owners can set READ_ACCESS/WRITE_ACCESS/ATTACHMENT_ACCESS via Otterwiki's admin UI. Resolver enforces by intersecting with platform ACL.

MCP OAuth hardcoded defaults ✅ DEPLOYED (2026-03-17)

CONSENT_URL and PLATFORM_DOMAIN no longer default to robot.wtf. InMemoryOAuthProvider fallback when unset.

MCP OAuth dynamic base URL ✅ DEPLOYED (2026-03-17)

OAuth metadata endpoint uses request Host header. Each wiki's MCP endpoint works correctly.

SERVER_NAME hidden ✅ DEPLOYED (2026-03-17)

SERVER_NAME field hidden from Application Preferences in PLATFORM_MODE.

Remove is_public toggle ✅ DEPLOYED (2026-03-17)

READ_ACCESS replaces is_public as sole source of truth. Migration seeds READ_ACCESS=REGISTERED for private wikis.

Login return_to redirect ✅ DEPLOYED (2026-03-17)

Resolver passes wiki URL as return_to when redirecting to login. Auth server accepts *.robot.wtf URLs.
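
A return_to check of the kind described above, as an added example (not the auth server's own code). It assumes https-only, no explicit port other than 443, and that the apex robot.wtf is accepted alongside *.robot.wtf; the function names are hypothetical.

```python
from urllib.parse import urlsplit

PLATFORM_DOMAIN = "robot.wtf"  # domain from the page; accepting the apex is an assumption


def is_safe_return_to(url, domain=PLATFORM_DOMAIN):
    """True only for https URLs whose host is `domain` or a subdomain of it."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False
    # Browsers treat "\" like "/" and drop tabs/newlines; urlsplit does not,
    # so a URL containing them can parse to a different host than the browser visits.
    if "\\" in url or any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":  # rejects relative, scheme-relative, javascript:, http
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "https://robot.wtf@other.example/" has host other.example
    if port not in (None, 443):
        return False
    host = parts.hostname or ""  # already lower-cased by urlsplit
    # Compare on a label boundary: a bare endswith("robot.wtf") would accept "evilrobot.wtf".
    return host == domain or host.endswith("." + domain)


def resolve_return_to(url, default="https://robot.wtf/"):
    """Return the requested URL if it passes the check, else a fixed default."""
    return url if is_safe_return_to(url) else default


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real traffic.
    for sample in ("https://alice.robot.wtf/Home", "https://robot.wtf.other.example/",
                   "https://evilrobot.wtf/", "//other.example/x"):
        print(sample, "->", resolve_return_to(sample))
```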

SITE_NAME lazy init ✅ DEPLOYED (2026-03-17)

display_name passed through to _init_wiki_db during lazy init.

Upstream bug fix submitted (2026-03-17)

handle_permissions_and_registration missing ADMIN guard — PR pending to redimp/otterwiki (fix/permissions-admin-guard).

Blocking

Harden per-wiki DB initialization ✅ DEPLOYED (2026-03-17)

Comprehensive _init_wiki_db(): seeds SITE_NAME, READ_ACCESS, WRITE_ACCESS, ATTACHMENT_ACCESS (all REGISTERED), AUTH_METHOD (PROXY_HEADER), DISABLE_REGISTRATION, AUTO_APPROVAL (False), schema version marker. All INSERT OR IGNORE. Owner auto-seeded as admin.

Post-deploy smoke test ✅ MERGED (2026-03-17)

Shell script in Ansible post_tasks — checks all 4 services (systemctl + HTTP), auth/MCP well-known endpoints, dynamic wiki enumeration from DB. Retry loop with 30s ceiling per service.

Disk usage cap

No per-wiki disk space limit. page_count and disk_usage_bytes fields in robot.db always read 0 — tier limits and quota enforcement are dead code. Plan at Plans/Disk_Usage_Caps. Design doc at Design/Wiki_Stats_Plugin.

Management UI usability

  • Wiki creation flow should default slug to username
  • MCP connection instructions need to be clearer. Addressed: MCP info now on dashboard card with Claude Code example
  • Settings page layout needs work. Addressed: collapsed to single-page card layout

Landing page copy

Draft is live at robot.wtf/. Updated 2026-03-17. Still needs screenshots once UI is polished.

UX issues

Login page UX ✅ DEPLOYED (2026-03-17)

JWT cookie detection: auto-redirects if authenticated, pre-fills handle if expired (sanitized, length-capped). Auth templates (login, consent, signup, error) restyled to match landing page — Pico CSS replaced with shared style.css + auth-specific styles. Site icon (robot.wtf.svg) added to favicon and nav across all pages. See Plans/Login_Page_UX.

Landing page redirect ✅ FIXED (2026-03-17)

Landing page no longer auto-redirects authenticated users to dashboard. Only /auth/login auto-redirects.

Permissions registration checkboxes ✅ DEPLOYED (2026-03-17)

Five registration checkboxes (DISABLE_REGISTRATION, EMAIL_NEEDS_CONFIRMATION, AUTO_APPROVAL, NOTIFY_ADMINS, NOTIFY_USER_ON_APPROVAL) hidden in PLATFORM_MODE via otterwiki fork template guards. ADMIN option also hidden from access level dropdowns. Deploy fix: state: forcereinstall on otterwiki pip task.

Multi-worker preference staleness ✅ FIXED (2026-03-17)

update_app_config() now called on fast path in _swap_database(), so preference changes (e.g. READ_ACCESS) propagate immediately across workers. See Design/Resolver.

Admin UI cleanup (otterwiki fork)

  • Mail preferences tab still visible in PLATFORM_MODE — should be hidden (no SMTP in platform mode)
  • "Email" column label on User Management page should say "Handle" in PLATFORM_MODE
  • "Approved" checkbox semantics unclear in platform context — investigate what APPROVED access level means for per-wiki users and whether the checkbox is relevant

No navigation from wiki to dashboard

No way to get from within a wiki back to the platform dashboard. Plan at Plans/Wiki_To_Dashboard_Navigation. One template change in otterwiki fork.

Safety

Backup coverage gaps

Backup cron runs every 4 hours, retains 7 days. Uses sqlite3 .backup for consistency.

What IS backed up: robot.db, mcp_oauth.db, per-wiki wiki.db files.

What is NOT backed up:

  • Git repos (/srv/data/wikis/{slug}/repo/) — all wiki content. Relies on Proxmox VM snapshots. Verify Proxmox snapshot schedule is actually running.
  • Signing keys (signing_key.pem, signing_key.pub, client_jwk.json, client_jwk_pub.json) — losing these breaks all OAuth sessions. Generated once, never backed up. Should be added to backup script or Ansible vault.
  • FAISS indexes — can be rebuilt from wiki content (not critical).

Recommended actions (in priority order):

  1. Verify Proxmox snapshots are running on schedule
  2. Add git bundle create per wiki to the backup script
  3. Add signing key backup to the script
  4. Write and test a restore script
  5. Automate a periodic integrity check (PRAGMA integrity_check on all DBs)

Backup verification

No tested restore path exists. Minimal local test: pull a backup, run integrity checks on each DB, verify schema matches.
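
A sketch of that minimal local test, as an added example (not the project's backup script). It treats "schema matches" as "the expected tables exist"; the table names are taken from the page's description of wiki.db and their exact spelling is an assumption, as are the function names.

```python
import sqlite3
from pathlib import Path

# Assumption: exact table names, based on the page's description of wiki.db.
WIKI_DB_TABLES = {"preferences", "drafts", "user", "cache"}


def verify_backup(path, expected_tables):
    """Return a list of problems found in one SQLite backup file (empty list = OK)."""
    problems = []
    uri = Path(path).resolve().as_uri() + "?mode=ro"  # read-only: never create or modify
    try:
        conn = sqlite3.connect(uri, uri=True)
    except sqlite3.Error as exc:
        return [f"cannot open: {exc}"]
    try:
        rows = conn.execute("PRAGMA integrity_check").fetchall()
        if rows != [("ok",)]:
            problems += [f"integrity: {r[0]}" for r in rows]
        found = {r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        missing = set(expected_tables) - found
        if missing:
            problems.append("missing tables: " + ", ".join(sorted(missing)))
    except sqlite3.DatabaseError as exc:
        # e.g. "file is not a database" for a truncated or overwritten backup
        problems.append(f"unreadable: {exc}")
    finally:
        conn.close()
    return problems


def make_sample_db(path, tables):
    """Build a constructed sample DB containing the given (empty) tables."""
    conn = sqlite3.connect(path)
    for name in tables:
        conn.execute(f'CREATE TABLE "{name}" (id INTEGER PRIMARY KEY)')
    conn.commit()
    conn.close()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "wiki.db"  # constructed sample, not a real backup
        make_sample_db(sample, WIKI_DB_TABLES - {"cache"})
        print(verify_backup(sample, WIKI_DB_TABLES))
```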

Rate limiting + security headers

No rate limiting on any endpoint; no security response headers. Both are to be handled in Caddy. Plan at Plans/Rate_Limiting_And_Security_Headers. Phase 1 (headers only) can deploy immediately. Phase 2 (rate limiting) requires an xcaddy rebuild with the rate_limit module.

OWASP remaining items

From Security/OWASP_2025_Audit:

  • Bcrypt linear scan DoS ✅ MERGED (2026-03-17)
  • Security response headers: plan ready (see above)
  • Security logging: No audit trail for auth events, ACL changes, wiki deletions.

Git remote push/pull security ✅ DEPLOYED (2026-03-17)

Repository Management panel hidden in PLATFORM_MODE (@platform_mode_disabled decorator + nav guard). Pull webhook also gated. auto_push_if_enabled() and auto_pull_webhook() return early in PLATFORM_MODE — prevents outbound SSH even if previously configured. Feature may be re-enabled with proper sandboxing if there's demand.

Monitoring dashboard

Grafana or similar for service metrics. Currently health checks are binary (up/down) with no latency or throughput visibility.

Not blocking but important

Phase 2: User Management ✅ DEPLOYED (2026-03-17)

Platform ACL removed entirely. Per-wiki user table is sole source of truth. Resolver restructured: owner gets ADMIN via wikis.owner_did, per-wiki user flags derive permissions, APPROVED access level functional, bearer tokens wiki-scoped. Dashboard collapsed to single-page card layout. Otterwiki role UI (admin/editor/viewer dropdown) deployed. Repository Management gated in PLATFORM_MODE. Init hardening comprehensive.

Wiki stats plugin

Track page count and disk usage via otterwiki lifecycle hooks. Enables tier limits and quota enforcement. Design at Design/Wiki_Stats_Plugin. Parked — design only.

SMTP alerts test

Health check and disk monitoring alerts configured but not tested end-to-end.

CI/CD pipeline

Currently deploy is git push + ansible-playbook. GitHub Actions for tests on PR + auto-deploy would reduce risk.

Post-launch

Account deletion (V7-8)

User can delete their account from the management UI. Deletes wiki (git repo, FAISS index), SQLite records, ACL grants. Requires typing username to confirm.

Git clone auth

Read-only git clone works (V4-6) but has no auth — anyone can clone any wiki. Should require bearer token or platform JWT for private wikis.

Multiple wikis per user

Currently limited to 1 wiki per user. The data model supports multiple wikis. Needs UI for wiki selection and limit increase.

Bluesky DM alerts

Translate health check / disk monitoring alerts into Bluesky DMs via ATProto API. Small webhook relay.

Wiki import

Import existing git repos (from GitHub, local, etc.) as a new wiki. Upload or provide a git URL.

Attachment size limits

Per-file and per-wiki attachment size enforcement. Currently no limits on uploaded files.

Proxmox CPU type change

Change from kvm64 to host to enable numpy 2.4+ and remove the pin. Requires VM reboot. See Dev/Proxmox_CPU_Type.
