Issues & TODOs
Known issues, improvement opportunities, and technical debt identified during the codebase audit. Prioritized by severity and impact.
- 5 Critical Issues
- 7 High Priority
- 12 Medium Priority
- 15+ Low Priority
🔴 Critical Issues
Issues that could cause data loss, crashes, or security vulnerabilities.
Sherpa-ONNX Native Crash on ARM Devices
Critical
app/pubspec.yaml (dependency_overrides)
Version 1.12.21 has a SIGSEGV crash at 0x3f800000 on certain ARM devices (Daylight DC-1 with MediaTek chipset). Currently mitigated by pinning to 1.12.20.
Impact: App crash on affected devices.
Mitigation: Version pinned. Do NOT upgrade without testing on affected devices.
File Locking Not Implemented
Critical
app/lib/core/services/file_system_service.dart
Multiple processes (app + server, or multiple app instances) could write to the same journal file simultaneously, causing data corruption.
Impact: Potential journal data corruption.
Fix: Implement file locking using platform-specific APIs or a lock file mechanism.
No Atomic Writes for Journal Entries
Critical
app/lib/features/daily/journal/services/journal_service.dart
Journal files are written directly without atomic write (write to temp, then rename). A crash or power loss during write could corrupt the file.
Impact: Partial data loss on crash mid-write.
Fix: Write to temp file first, then atomically rename to target path.
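The two fixes above (a lock file plus write-to-temp-then-rename) combined, as an added Python sketch of the technique; it is not code from the audited project, whose journal code is Dart. The function names and the `.lock` sidecar convention are assumptions, and `fcntl` makes it POSIX-only.

```python
import fcntl  # POSIX-only advisory locking
import os
import tempfile
from contextlib import contextmanager


@contextmanager
def journal_lock(path):
    """Hold an exclusive advisory lock on a sidecar '<path>.lock' file.

    The journal itself is not locked: os.replace swaps its inode, so a lock
    taken on the old file would not protect the new one.
    """
    fd = os.open(path + ".lock", os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)  # blocks until other writers finish
        yield
    finally:
        os.close(fd)  # closing the descriptor releases the lock


def atomic_write(path, text):
    """Replace path so readers see the old or the new file, never a partial one."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".journal-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())  # data reaches disk before the rename
        os.replace(tmp, path)  # atomic when tmp and path share a filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # never leave a half-written temp file behind
        raise


def append_entry(path, entry):
    """Read-modify-write under the lock, then publish the result atomically."""
    with journal_lock(path):
        try:
            with open(path, encoding="utf-8") as handle:
                current = handle.read()
        except FileNotFoundError:
            current = ""
        updated = current + entry
        atomic_write(path, updated)
    return updated
```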
HOME Override Race Condition
Critical
computer/parachute/core/claude_sdk.py:24
The _override_home context manager sets os.environ['HOME'] temporarily. If an exception occurs, HOME may not be properly restored, affecting subsequent operations.
Impact: Vault operations could use wrong directory.
Fix: Use try/finally more carefully or subprocess with explicit env.
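Both fixes named above, side by side, as an added example that is not the project's own code. `override_home` and `run_with_home` are hypothetical names, and the paths in the usage are constructed.

```python
import os
import subprocess
from contextlib import contextmanager

_MISSING = object()  # distinguishes "HOME was unset" from "HOME was empty"


@contextmanager
def override_home(path):
    """Temporarily set HOME and always restore the previous state.

    os.environ is process-wide, so other threads or tasks running inside the
    block still observe the override; restoring on exit does not change that.
    """
    previous = os.environ.get("HOME", _MISSING)
    os.environ["HOME"] = path
    try:
        yield
    finally:
        if previous is _MISSING:
            os.environ.pop("HOME", None)  # HOME was unset: unset it again
        else:
            os.environ["HOME"] = previous


def run_with_home(argv, home):
    """Give the child process its own HOME without touching this process."""
    env = dict(os.environ, HOME=home)  # copy, then override one variable
    result = subprocess.run(
        argv, env=env, capture_output=True, text=True, check=True
    )
    return result.stdout
```

The subprocess form is the safer of the two because the parent's environment is never mutated, so there is nothing to restore and nothing for concurrent work to observe.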
.env Files in Attachment Whitelist
Critical
computer/parachute/models/requests.py:11
The ALLOWED_ATTACHMENT_EXTENSIONS whitelist includes .env, .ini, .conf, and .cfg files. Users could accidentally upload credentials.
Impact: Credential leakage through attachments.
Fix: Remove sensitive config extensions from whitelist or add content scanning.
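An added example of both halves of that fix, an extension check that also catches dotfiles and double extensions plus a heuristic content scan; it is not the project's code. `SAFE_ATTACHMENT_EXTENSIONS`, `check_attachment` and the patterns are assumptions, and only the four sensitive extensions come from the finding.

```python
import re

# Hypothetical allowlist with the config extensions from the finding removed.
SAFE_ATTACHMENT_EXTENSIONS = {".txt", ".md", ".json", ".csv", ".png", ".jpg", ".pdf"}
SENSITIVE_EXTENSIONS = {".env", ".ini", ".conf", ".cfg"}

# Heuristic: a line that assigns a value to a secret-looking key name.
SECRET_LINE = re.compile(
    r"(?im)^\s*(?:export\s+)?[\w.-]*"
    r"(?:secret|token|password|passwd|api[_-]?key)[\w.-]*\s*[=:]\s*\S+"
)
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def check_attachment(filename, data):
    """Return (allowed, reason) for an uploaded attachment."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    extension = "." + parts[-1] if len(parts) > 1 and parts[-1] else ""

    # Check every dotted component, not just the last one, so ".env",
    # ".env.local" and "prod.env.txt" are all rejected.
    if any("." + part in SENSITIVE_EXTENSIONS for part in parts[1:]):
        return False, "sensitive config file type"
    if extension not in SAFE_ATTACHMENT_EXTENSIONS:
        return False, "extension not in allowlist"

    # Content scan: credentials pasted into an otherwise harmless file type.
    text = data.decode("utf-8", errors="ignore")
    if PRIVATE_KEY.search(text) or SECRET_LINE.search(text):
        return False, "content looks like credentials"
    return True, "ok"
```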
🟠 High Priority
Issues that significantly impact functionality or user experience.
Chat URL Not Updating on Config Change
High
app/lib/features/chat/providers/chat_providers.dart
When server URL is changed in settings, existing chat sessions continue using the old URL until app restart. Comment in code acknowledges this issue.
Impact: Chat fails silently when changing servers.
Fix: Invalidate chatServiceProvider when serverUrlProvider changes.
Agent Config Caching Race Condition
High
app/lib/features/daily/journal/providers/journal_providers.dart
Agent configuration is cached without thread-safe access. Multiple provider updates could cause race conditions in agent selection.
Impact: Wrong agent may be selected intermittently.
Fix: Add proper synchronization or use immutable state patterns.
Attachment Save Fails Silently
High
computer/parachute/core/orchestrator.py:340
When attachment saving fails, error is logged but message still sent. Client doesn't know attachment failed - just sees "[Failed to attach: filename]" in message.
Impact: User confusion about missing attachments.
Fix: Return attachment errors in response events or reject message.
Permission System Desync Risk
High
computer/parachute/models/session.py + core/permission_handler.py
Two separate permission systems: SessionPermissions (for UI) and PermissionHandler (for enforcement). Could show different allowed vs actual permissions.
Impact: UI may show permission as allowed when actually denied.
Fix: Single source of truth for permission evaluation.
No Session Pagination
High
app/lib/features/chat/providers/chat_providers.dart
Session list loads all sessions at once. With hundreds of sessions, this causes noticeable delay and memory usage.
Impact: Slow app startup with many sessions.
Fix: Implement pagination with lazy loading.
Markdown Rendering Fallback to Plain Text
High
app/lib/features/chat/widgets/message_bubble.dart
When flutter_markdown encounters a builder error, it silently falls back to plain text without logging. Complex markdown may render incorrectly.
Impact: Code blocks and formatting may disappear.
Fix: Log builder errors and show placeholder for failed blocks.
Transcription Model Init Blocking
High
app/lib/core/services/transcription/sherpa_onnx_service.dart
Model initialization has no timeout. If model files are corrupted or slow to load, app could hang indefinitely on startup.
Impact: App may appear frozen on first launch.
Fix: Add initialization timeout and fallback behavior.
🔵 Medium Priority
Issues that affect code quality or have workarounds.
Orphaned Pending Sessions
Medium
computer/parachute/core/session_manager.py
Sessions start as "pending" until SDK returns ID. If SDK error occurs, session stays pending forever. No cleanup job for old pending sessions.
Fix: Add cleanup job for pending sessions older than X minutes.
MCP Server Python Path Not Validated
Medium
computer/parachute/lib/mcp_loader.py:54
MCP server config hardcodes Python command without validating it exists. Could fail silently if venv not activated.
Fix: Validate Python path exists; fall back to sys.executable.
Error Event Inconsistency
Medium
computer/parachute/api/chat.py + orchestrator.py
Some errors yield ErrorEvent, some return JSONResponse with 401, some raise HTTPException. Client can't uniformly handle errors.
Fix: Standardize on one error pattern (SSE events for streaming).
ChatService Too Large
Medium
app/lib/features/chat/services/chat_service.dart
Single file is 2,059 lines. Mixes HTTP, WebSocket, session management, and import logic. Hard to maintain and test.
Fix: Split into ChatHttpService, ChatStreamService, SessionService, ImportService.
ToolCall.summary Brittle
Medium
app/lib/features/chat/models/chat_message.dart
ToolCall summary uses hardcoded field name checks (e.g., "command", "file_path"). New tool input fields would be missed.
Fix: Use a registry pattern or dynamic field summarization.
VaultPathNotifier Too Complex
Medium
app/lib/core/providers/app_state_provider.dart
Single notifier handles server fetch, local cache, migration, and error recovery. Hard to understand and test.
Fix: Split into VaultPathFetcher, VaultPathCache, and VaultPathNotifier.
No Request Signing
Medium
app/lib/features/chat/services/chat_service.dart
API key sent in plain header (x-api-key). No request signing or HTTPS enforcement in URL validation.
Fix: Implement HMAC request signing for integrity; enforce HTTPS.
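One way to do the HMAC signing and HTTPS check named in that fix, shown with both the client and the server side; this is an added example, not the project's code. The header names `x-timestamp` and `x-signature`, the canonical string layout and the 300-second window are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

MAX_SKEW_SECONDS = 300  # assumed replay window


def require_https(url):
    """Reject server URLs that would send the request in cleartext."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("server URL must use https://")
    return url


def _canonical(method, path, timestamp, body):
    # Bind the signature to method, path, time and a hash of the exact body.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(key, method, path, body, timestamp=None):
    """Client side: return the headers to attach to the request."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    mac = hmac.new(key, _canonical(method, path, timestamp, body), hashlib.sha256)
    return {"x-timestamp": str(timestamp), "x-signature": mac.hexdigest()}


def verify_request(key, method, path, body, headers, now=None):
    """Server side: recompute the MAC and compare in constant time."""
    now = time.time() if now is None else now
    try:
        timestamp = int(headers["x-timestamp"])
        supplied = headers["x-signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed signing headers
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # too old or too far in the future: treat as a replay
    expected = sign_request(key, method, path, body, timestamp)["x-signature"]
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

With this scheme the shared key is used only to compute the MAC and is not itself placed in a request header.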
Missing Database Indexes
Medium
computer/parachute/db/database.py
No explicit indexes on frequently queried columns (e.g., session_tags.tag, sessions.archived). Could slow down as data grows.
Fix: Add CREATE INDEX statements for common query patterns.
Large Orchestrator Function
Medium
computer/parachute/core/orchestrator.py:189-450
The run_streaming method is ~260 lines. Mixes session setup, prompt building, attachment handling, and streaming. Hard to test individual pieces.
Fix: Extract into _prepare_session, _build_prompt, _process_attachments, _run_sdk_query.
🟢 Low Priority
Minor issues, dead code, and improvement opportunities.
Vision Service Stubs
Low
app/lib/core/services/vision/
Vision/OCR service files exist but contain only stub implementations. Never called from app code. Either implement or remove.
Unused Dependencies
Low
app/pubspec.yaml
Several dependencies appear unused:
dio (HTTP), bm25 (search), go_router (routing). Consider removal.
TODOs in Base Codebase
Low
computer/parachute/ (multiple files)
4 TODO comments found:
- orchestrator.py:412 - Inject context from session history
- api/modules.py:150 - Implement semantic search
- api/modules.py:191 - Implement with ModuleIndexer
- mcp_server.py:408 - Add full-text search in chunks
Limited Test Coverage
Low
app/test/
13 test files but mostly disposal/widget tests. No unit tests for services, no integration tests, no E2E tests, no performance benchmarks.
Para-ID Format Not Validated
Low
app/lib/features/daily/journal/models/
Para-IDs (para:abc123xyz) are accepted without regex validation. Malformed IDs could cause sync issues.
Settings Scattered Across Notifiers
Low
app/lib/core/providers/
13 different notifiers store settings in SharedPreferences. Hard to find where a setting is stored. Consider a unified SettingsService.
No Image Compression
Low
app/lib/features/daily/capture/
Captured images stored at full resolution. Could bloat vault significantly with many photos.
Missing Provider Documentation
Low
app/lib/core/providers/, app/lib/features/*/providers/
25 core providers lack comprehensive documentation. Provider invalidation cascades not clearly documented.
Recommendations Summary
Top Priority Fixes
- Implement file locking in FileSystemService to prevent data corruption
- Add atomic write support for journal entries (write to temp, then rename)
- Remove sensitive extensions from attachment whitelist
- Fix HOME override race condition in claude_sdk.py
- Add bot connector error recovery for dropped connections
Top Architectural Improvements
- Split ChatService into focused modules (~500 lines max)
- Simplify VaultPathNotifier into separate concerns
- Standardize error handling across streaming and HTTP responses
- Implement session pagination for large session counts
- Add comprehensive test coverage for services and providers
Technical Debt Summary
- 78,240 lines of Dart code across 247 files
- 13 state notifiers with scattered logic
- 2,059-line ChatService (should be split)
- Multiple copy-paste service implementations
- 4 TODOs in computer server, various stubs in app