Issues [highway-workflow-engine]

ID	Title	Status	Priority	Created	Due Date	Actions
#568	[MEDIUM] Public endpoint lists scattered across files PUBLIC_PATHS and skip-auth endpoint lists are defined in multiple places (rbac.py, auth.py) leading ...	closed	medium	2025-12-17 16:32	-	Edit
#567	[MEDIUM] Missing workflow_id in permission check logs Permission check audit logs in api/middleware/rbac.py don't include workflow_id when checking workfl...	closed	medium	2025-12-17 16:32	-	Edit
#566	[MEDIUM] security_headers.py CSP nonce generated but unused CSP nonce is generated on every request but never actually used in responses. This is wasted computa...	closed	medium	2025-12-17 16:32	-	Edit
#565	[MEDIUM] apps.py N+1 query in list_versions endpoint N+1 query pattern in list_versions endpoint. Each version fetches related data in separate queries i...	closed	medium	2025-12-17 16:32	-	Edit
#564	[MEDIUM] apps.py TOCTOU in update_app/delete_app/publish_version Multiple TOCTOU race conditions in apps.py: 1) update_app(): SELECT then UPDATE without locking 2) d...	closed	medium	2025-12-17 16:32	-	Edit
#563	[API/Memory] logs.py DataFrame copies on every filter operation File: api/blueprints/v1/logs.py:392-410. Multiple filtering operations create 5+ DataFrame copies. F...	closed	medium	2025-12-17 16:30	-	Edit
#562	[API/Perf] logs.py df.iterrows() performance anti-pattern File: api/blueprints/v1/logs.py:412. df.iterrows() is notoriously slow - creates a Series for each r...	closed	medium	2025-12-17 16:30	-	Edit
#561	[API/Memory] tenant_apps.py unbounded tool list in list_available_tools File: api/blueprints/v1/tenant_apps.py:1256-1298. No pagination. Tenant with many installed apps wit...	closed	medium	2025-12-17 16:30	-	Edit
#560	[API/Race] tenant_apps.py TOCTOU in update_configuration File: api/blueprints/v1/tenant_apps.py:746-789. SELECT current config, merge, then UPDATE. Concurren...	closed	medium	2025-12-17 16:30	-	Edit
#559	[API/Race] tenant_apps.py TOCTOU in enable_app/disable_app File: api/blueprints/v1/tenant_apps.py:554-657. SELECT to check current status, then UPDATE. Concurr...	closed	medium	2025-12-17 16:30	-	Edit
#558	[API/Race] tenant_apps.py TOCTOU in upgrade_app File: api/blueprints/v1/tenant_apps.py:442-513. Multiple sequential SELECTs (current installation, t...	closed	medium	2025-12-17 16:30	-	Edit
#557	[API/Perf] workflows.py multiple DB connections in get_workflow File: api/blueprints/v1/workflows.py:1054,1078,1096. get_workflow opens 3 separate database connecti...	closed	high	2025-12-17 16:30	-	Edit
#556	[API/Memory] response.py serialize_data recursion without depth limit File: api/utils/response.py:20-39. serialize_data recursively processes nested data without depth li...	closed	high	2025-12-17 16:30	-	Edit
#555	[API/Perf] tasks.py N+1 query pattern in list_tasks File: api/blueprints/v1/tasks.py:117-131. When no queue filter, runs separate COUNT queries for each...	closed	high	2025-12-17 16:30	-	Edit
#554	[API/Perf] health.py missing async declaration File: api/blueprints/v1/health.py:52. health_check() function is not async but contains blocking DB ...	closed	high	2025-12-17 16:30	-	Edit
#553	[API/Perf] rbac.py import inside decorator function File: api/middleware/rbac.py:557-559,598. 'import asyncio' happens inside decorator function on ever...	closed	high	2025-12-17 16:30	-	Edit
#552	[API/Memory] auth_wrapper.py session leak risk in get_auth_for_tenant File: engine/security/auth_wrapper.py:162-210. Function returns session that caller MUST close. If c...	closed	high	2025-12-17 16:30	-	Edit
#551	[API/Perf] rate_limiter.py TenantRateLimiter instantiated per request File: api/middleware/rate_limiter.py:31. TenantRateLimiter() is instantiated on EVERY rate limit che...	closed	high	2025-12-17 16:30	-	Edit
#550	[API/Race] approvals.py no locking on approval state transitions File: api/blueprints/v1/approvals.py:99-157. approve() and reject() endpoints call service without l...	closed	high	2025-12-17 16:30	-	Edit
#549	[API/Perf] logs.py full table scan without predicate pushdown File: api/blueprints/v1/logs.py:127-224. _read_table_to_pandas reads ALL parquet files into memory, ...	closed	high	2025-12-17 16:30	-	Edit

Previous Page 13 of 39 Next