You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Umbrella issue tracking the repository technical audit (v0.17.1, commit 1de7e73) and its improvement plan. The full audit document lives on branch claude/repo-technical-audit-tzr3ub (kept out of main so it doesn't go stale there).
Audit summary
Overall health: A−. Engineering hygiene well above the OSS norm: zero any in ~97k LOC of production TS, one runtime dependency, clean dead-code analysis, per-PR real-emulator smoke CI plus nightly device replays, hardened daemon security (loopback bind, per-boot 0600 token, tar/upload defenses). No Critical findings in product code.
Key findings (severity):
High — src/daemon-client.ts (1,801 LOC) concentrates daemon lifecycle, transports, progress streaming, and artifact transfer; 4 functions grandfathered complexity-critical; only fragment-level tests. The most failure-prone path is the hardest to test.
High — Largest platform modules have no direct unit tests: platforms/ios/apps.ts (1,231 LOC), compat/maestro/runtime-targets.ts (1,080), platforms/android/app-lifecycle.ts (920), client-metro.ts (995).
High (re-rated from Medium: cloud deployment is near) — Sync zlib (inflateSync/deflateSync, src/utils/png-codec.ts) runs on the daemon event loop via screenshot overlay/diff, stalling all sessions during decode.
Medium — Layering drift: 10+ src/daemon/ files and 5 src/platforms/ files import from src/commands/; the CLI surface has become a de facto shared contract layer.
Maintainer decisions (2026-06-10): cloud is very near (security/perf items re-rated up); Maestro compat stays; no formal perf target ("faster is better"); fallow config should be tuned to reduce overrides; daemon-client split approved where it improves maintainability.
Extract+test decision logic from android/app-lifecycle.ts and ios/apps.ts; client-metro.ts tests; replace 250ms+ real sleeps in unit tests with fake timers; ADR for daemon protocol/compatibility strategy.
Sequencing notes:#726 → #727 are strictly sequential (overlapping import graphs). #728/#729/#730 can each run in their own worktree in parallel with anything.
Umbrella issue tracking the repository technical audit (v0.17.1, commit
1de7e73) and its improvement plan. The full audit document lives on branchclaude/repo-technical-audit-tzr3ub(kept out ofmainso it doesn't go stale there).Audit summary
Overall health: A−. Engineering hygiene well above the OSS norm: zero
anyin ~97k LOC of production TS, one runtime dependency, clean dead-code analysis, per-PR real-emulator smoke CI plus nightly device replays, hardened daemon security (loopback bind, per-boot 0600 token, tar/upload defenses). No Critical findings in product code.Key findings (severity):
src/daemon-client.ts(1,801 LOC) concentrates daemon lifecycle, transports, progress streaming, and artifact transfer; 4 functions grandfathered complexity-critical; only fragment-level tests. The most failure-prone path is the hardest to test.platforms/ios/apps.ts(1,231 LOC),compat/maestro/runtime-targets.ts(1,080),platforms/android/app-lifecycle.ts(920),client-metro.ts(995).inflateSync/deflateSync,src/utils/png-codec.ts) runs on the daemon event loop via screenshot overlay/diff, stalling all sessions during decode.src/daemon/files and 5src/platforms/files import fromsrc/commands/; the CLI surface has become a de facto shared contract layer.shell-quote@1.8.3) inexamples/test-applockfile (fixed by fix(daemon): timing-safe token comparison, daemon.json hardening, shell-quote CVE #731).daemon.jsonchmod gap (fixed by fix(daemon): timing-safe token comparison, daemon.json hardening, shell-quote CVE #731), one TODO insnapshot-unchanged.ts:72(stringify-based snapshot identity).Maintainer decisions (2026-06-10): cloud is very near (security/perf items re-rated up); Maestro compat stays; no formal perf target ("faster is better"); fallow config should be tuned to reduce overrides; daemon-client split approved where it improves maintainability.
Quick wins — PRs
Milestone 0 — safety net (before refactoring)
Milestone 2 — high leverage
src/commands/(lands before refactor: split daemon-client.ts into lifecycle / transport / progress / artifacts modules (M2-1) #727; flips layering guard to hard fail)daemon-client.ts(blocked by test: characterization tests for daemon-client lifecycle (M0-1) #723, test: characterization tests for artifact upload resume/redirect and download abort (M0-2) #724, refactor: extract shared contracts out of src/commands so daemon/platforms stop importing the CLI layer (M2-2) #726)Milestone 3 — polish (file as capacity allows)
Extract+test decision logic from
android/app-lifecycle.tsandios/apps.ts;client-metro.tstests; replace 250ms+ real sleeps in unit tests with fake timers; ADR for daemon protocol/compatibility strategy.Sequencing notes: #726 → #727 are strictly sequential (overlapping import graphs). #728/#729/#730 can each run in their own worktree in parallel with anything.