# Discoveries

> Things found during implementation that don't belong in the current spec.
> Review weekly. Promote to [spec-candidates.md](spec-candidates.md) or discard.

Items that are already tracked in [spec-candidates.md](spec-candidates.md) or [roadmap.md](roadmap.md) should not remain here.

**Last reviewed**: 2026-03-15

---

## 2026-03-15 — Queued execution trust relies too much on dispatch-time authority

- **Source**: architecture audit
- **Observation**: Queued jobs still rely too heavily on the actor, tenant, and authorization state captured at dispatch time. Execution-time scope continuity and reauthorization are not yet hardened as a canonical backend contract.
- **Category**: hardening
- **Priority**: high
- **Suggested follow-up**: Track in [../audits/2026-03-15-audit-spec-candidates.md](../audits/2026-03-15-audit-spec-candidates.md) as Candidate A: queued execution reauthorization and scope continuity.

---

## 2026-03-15 — Tenant-owned query canon remains too ad hoc

- **Source**: architecture audit
- **Observation**: Tenant isolation is broadly present, but many tenant-owned reads still depend on repeated local `tenant_id` filtering instead of a reusable canonical query path. This increases drift risk and weakens wrong-tenant regression discipline.
- **Category**: hardening
- **Priority**: high
- **Suggested follow-up**: Track in [../audits/2026-03-15-audit-spec-candidates.md](../audits/2026-03-15-audit-spec-candidates.md) as Candidate B: tenant-owned query canon and wrong-tenant guards.

---

## 2026-03-15 — Findings lifecycle truth is stronger in docs than in enforcement

- **Source**: architecture audit
- **Observation**: Findings workflow semantics are well-defined at spec level, but architectural enforcement still depends too much on service-path discipline. Direct or bypassing status mutations remain too plausible.
- **Category**: hardening
- **Priority**: high
- **Suggested follow-up**: Track in [../audits/2026-03-15-audit-spec-candidates.md](../audits/2026-03-15-audit-spec-candidates.md) as Candidate C: findings workflow enforcement and audit backstop.

---

## 2026-03-15 — Livewire trust-boundary hardening is still convention-driven

- **Source**: architecture audit
- **Observation**: Complex Livewire and Filament flows still expose too much ownership-relevant context in public component state. This is not a proven exploit in the repo today, but the hardening standard is not yet explicit or reusable.
- **Category**: hardening
- **Priority**: medium
- **Suggested follow-up**: Track in [../audits/2026-03-15-audit-spec-candidates.md](../audits/2026-03-15-audit-spec-candidates.md) as Candidate D: Livewire context locking and trusted-state reduction.

---

## 2026-03-08 — Alert `sla_due` event type is dead code

- **Source**: Spec 109 (Review Pack Export)
- **Observation**: `sla_due` alert rule event type exists in the schema but no producer dispatches it. Dead code path.
- **Category**: cleanup
- **Priority**: low
- **Suggested follow-up**: Remove or implement. If SLA alerting is a future feature, document the intent; otherwise delete.

---

## 2026-03-08 — Alert Deliveries header-action exemption needs permanent documentation

- **Source**: Spec 122 (Empty State Consistency)
- **Observation**: Alert Deliveries is the first resource with an explicit UX-001 relocation exemption — its CTA exists only in the empty state and does NOT relocate to the header. This needs to remain documented so future developers don't "fix" it.
- **Category**: documentation
- **Priority**: low
- **Suggested follow-up**: Ensure the exemption is captured in the Action Surface Contract guard tests and/or resource-level comments.

---

## 2026-03-08 — Historical findings backfill for `source` field

- **Source**: Spec 101 (Golden Master Baseline Governance)
- **Observation**: The `source` field on findings was added but historical findings may not be backfilled. Reporting accuracy depends on this.
- **Category**: data integrity
- **Priority**: medium
- **Suggested follow-up**: One-time migration or backfill job to classify existing findings by source.

---

## 2026-03-08 — Baseline profile hard-delete deferred

- **Source**: Spec 101 (Golden Master Baseline Governance)
- **Observation**: Baseline profiles can only be archived, not hard-deleted, in v1. If archive accumulation becomes a problem, a hard-delete with cascade needs to be built.
- **Category**: feature gap
- **Priority**: low
- **Suggested follow-up**: Monitor archive count. Spec only if it becomes a user-reported issue.

---

## 2026-03-08 — Drift engine hard-fail when no Inventory Sync exists

- **Source**: Spec 119 (Baseline Drift Engine Cutover)
- **Observation**: Currently drift capture does NOT hard-fail when no completed Inventory Sync exists. This was deferred as a "larger product behavior change."
- **Category**: hardening
- **Priority**: medium
- **Suggested follow-up**: Evaluate whether capturing drift without a baseline sync produces misleading results. If so, enforce the prerequisite.

---

## 2026-03-08 — Performance indexes for system console windowed queries

- **Source**: Spec 114 (System Console Control Tower)
- **Observation**: EXPLAIN baselines don't show pressure yet, but windowed queries on `operation_runs` could become slow at scale. Indexes were explicitly deferred.
- **Category**: performance
- **Priority**: low
- **Suggested follow-up**: Monitor query times. Add indexes proactively if run count exceeds ~100k.

---

## Template

```md
## YYYY-MM-DD — Short title

- **Source**: Spec NNN (Name) | chat | audit | coding
- **Observation**:
- **Category**: feature gap | cleanup | hardening | UX polish | performance | documentation | data integrity
- **Priority**: low | medium | high
- **Suggested follow-up**:
```