# E-1 Incomplete Features Audit

**Date:** 2026-03-29
**Branch:** culurien

---

## 1. SIGNED PACKAGE DOWNLOADS

### Current State
- **downloads.go:92-98**: Comment block with TODO — `GetSignedPackage` is stubbed out but the code path falls through to unsigned binary serving
- **Migration 016**: `agent_update_packages` table EXISTS with columns: id, version, platform, architecture, binary_path, signature, checksum, file_size, created_at, created_by, is_active
- **Server handlers**: `SignUpdatePackage` and `ListUpdatePackages` handlers EXIST in `agent_updates.go` (lines 424, 459) — these are functional
- **Agent side**: Agent does NOT call `/downloads/updates/:package_id` (zero grep results). The A-2 update download endpoint is now auth-protected but unused by agents
- **Build orchestrator**: `agent_build.go`, `build_orchestrator.go`, `build_types.go` exist — these handle cross-platform agent binary compilation

### Assessment
The signed package infrastructure is 80% complete:
- DB schema: EXISTS
- Sign endpoint: EXISTS
- List endpoint: EXISTS
- Download endpoint: EXISTS (was protected in A-3)
- Agent-side download + verify: MISSING
- Wire `downloads.go:92` to query DB instead of commented-out stub: 1 line fix

---

## 2. CONFIGURABLE CHECK-IN INTERVALS & TIMEOUTS

### Hardcoded Values

| Value | Location | Hardcoded |
|-------|----------|-----------|
| Offline check frequency | main.go:429 | 2 minutes |
| Offline threshold | main.go:436 | 10 minutes |
| Sent command timeout | timeout.go:28 | 2 hours |
| Pending command timeout | timeout.go:29 | 30 minutes |
| Token cleanup interval | main.go:445 | 24 hours |
| Timeout check interval | timeout.go:40 | 5 minutes |

### Settings Infrastructure

| Component | Status |
|-----------|--------|
| `security_settings` table | EXISTS (migration 020) |
| `security_settings_audit` table | EXISTS (migration 020) |
| `scanner_config` table | EXISTS (migration 027) |
| `SecuritySettingsService` | EXISTS — has GetSetting, SetSetting, ValidateSetting |
| Security settings API | EXISTS (7 routes re-enabled in A-3) |
| General settings API | EXISTS (timezone only — 3 routes) |
| Scanner config API | EXISTS (3 routes for scanner timeouts) |
| Settings UI page | EXISTS (`Settings.tsx`) — timezone + dashboard refresh only |
| Security settings UI | EXISTS (`SecuritySettings.tsx`) — categories and events |

### Assessment
The settings infrastructure EXISTS but the operational timeouts (offline threshold, command timeout, etc.) are not wired to it. The `security_settings` table is designed for security-specific settings. General operational settings would need either a new table or reuse of the existing infrastructure with a new category. The scanner_config table already handles per-scanner timeouts, suggesting the pattern could be extended.

**Effort: LOW-MEDIUM** — The DB, API, and UI patterns exist. Need to add timeout values to `security_settings` (or a new `operational_settings` table) and wire the hardcoded constants to read from DB at startup.

---

## 3. INSTALL/LOGS UI (AgentUpdates.tsx)

### Stubs Found

| Location | Stub | What's Missing |
|----------|------|----------------|
| `AgentUpdates.tsx:184` | `console.log('Install update:', update.id)` | API call to install endpoint |
| `AgentUpdates.tsx:193` | `console.log('View logs for update:', update.id)` | API call to logs endpoint |
| `AgentUpdatesEnhanced.tsx:93` | `api.installUpdate` not in API client | Missing API method |
| `AgentUpdatesEnhanced.tsx:141` | `api.getCommandLogs` not in API client | Missing API method |

### Backend Status
- Install endpoint (`POST /updates/:id/install`): EXISTS and functional
- Logs endpoint (`GET /logs`): EXISTS and functional
- Command logs per update: needs a filtered query but infrastructure exists

### Assessment
**Frontend-only fix** — backend endpoints exist. The UI needs:
1. Wire `Install` button to existing `POST /updates/:id/install` API
2. Wire `Logs` button to existing `GET /updates/:id/logs` API
3. Add `installUpdate` and `getCommandLogs` to the API client (`api.ts`)

**Effort: LOW** — pure frontend wiring.

---

## 4. SECURITY SETTINGS UI

### Backend Status
| Method | Status |
|--------|--------|
| GetAllSecuritySettings | EXISTS — returns settings from DB |
| GetSecuritySettingsByCategory | EXISTS |
| UpdateSecuritySetting | EXISTS |
| ValidateSecuritySettings | EXISTS |
| ApplySecuritySettings | EXISTS |
| GetSecurityAuditTrail | PLACEHOLDER — returns empty array (DEV-020) |
| GetSecurityOverview | PLACEHOLDER — returns all settings as overview (DEV-020) |

### Frontend Status
- `SecuritySettings.tsx`: EXISTS — full category-based settings UI with save/validate
- `SecurityEvents.tsx`: EXISTS — event display component
- `useSecurity.ts`: EXISTS — calls `/security/overview`
- `useSecuritySettings.ts`: EXISTS — CRUD operations

### Assessment
The security settings pipeline is functional except for two placeholder endpoints. The audit trail needs the `security_settings_audit` table query (table exists, query not written). The overview needs a summary aggregation query.

**Effort: LOW** — write 2 queries for the placeholder handlers.

---

## 5. TYPESCRIPT BUILD ERRORS

**Total unique error locations: 217**

| Error Code | Count | Description |
|------------|-------|-------------|
| TS6133 | 112 | Unused declared variables |
| TS2339 | 49 | Property does not exist on type |
| TS2322 | 20 | Type mismatch |
| TS2367 | 4 | Comparison type mismatch |
| TS7006 | 3 | Implicit any parameter |
| TS2353 | 3 | Object literal unknown property |
| TS2345 | 3 | Argument type mismatch |
| Other | 23 | Various |

**Top affected files:**
- `AgentHealth.tsx` — 10 errors (type mismatches on security status)
- `AgentUpdatesEnhanced.tsx` — 6 errors (missing API methods, undefined state)
- `ChatTimeline.tsx` — multiple unused variables
- `SecuritySettings.tsx` — type issues

**Note:** The Vite production build PASSES (uses `vite build` not `tsc`). These are strict TypeScript errors that Vite's esbuild transpilation ignores. The app runs correctly despite these type errors.

---

## 6. FEATURE COMPLETENESS MATRIX

| Feature | DB Schema | API Endpoint | Frontend UI | Status |
|---------|-----------|--------------|-------------|--------|
| Signed package download | EXISTS | EXISTS (stub wiring) | MISSING (no agent-side) | 80% |
| Configurable timeouts | PARTIAL (security only) | PARTIAL (security only) | PARTIAL (timezone only) | 40% |
| Install/Logs UI | EXISTS | EXISTS | STUB (console.log) | 85% |
| Security audit trail | EXISTS (table) | PLACEHOLDER | EXISTS (UI calls it) | 70% |
| Security overview | EXISTS (settings table) | PLACEHOLDER | EXISTS (UI calls it) | 70% |

---

## 7. PRIORITIZATION

| Rank | Feature | Value | Infrastructure | Effort | Notes |
|------|---------|-------|----------------|--------|-------|
| 1 | Install/Logs UI | HIGH | 85% complete | LOW | Frontend wiring only |
| 2 | Security audit trail + overview | MEDIUM | 70% complete | LOW | 2 DB queries |
| 3 | Configurable timeouts | MEDIUM | 40% complete | MEDIUM | Need to wire hardcoded values to DB |
| 4 | Signed package download | HIGH (for upgrades) | 80% complete | MEDIUM | Agent-side download + verify needed |

**Note for Fimeg:** The signed package download (rank 4) is prerequisite for the agent self-upgrade feature that was explicitly requested. The infrastructure is mostly there — the missing piece is agent-side download and Ed25519 verification of the downloaded package.

---

## FINDINGS SUMMARY

| ID | Feature | Severity | Finding | Location |
|----|---------|----------|---------|----------|
| F-E1-1 | Signed download | MEDIUM | Stub code commented out, needs 1-line DB lookup fix | downloads.go:92-98 |
| F-E1-2 | Signed download | HIGH | Agent has no package download/verify code | aggregator-agent/ (missing) |
| F-E1-3 | Timeouts | MEDIUM | 6 hardcoded operational values not configurable | main.go, timeout.go |
| F-E1-4 | Install UI | LOW | Install button is console.log stub | AgentUpdates.tsx:184 |
| F-E1-5 | Logs UI | LOW | Logs button is console.log stub | AgentUpdates.tsx:193 |
| F-E1-6 | Install UI | MEDIUM | API client missing installUpdate method | AgentUpdatesEnhanced.tsx:93 |
| F-E1-7 | Audit trail | LOW | GetSecurityAuditTrail returns empty array | security_settings.go (DEV-020) |
| F-E1-8 | Overview | LOW | GetSecurityOverview returns raw settings | security_settings.go (DEV-020) |
| F-E1-9 | TypeScript | MEDIUM | 217 strict TS errors (112 unused vars, 49 property errors) | aggregator-web/src/ |