Issues [highway-workflow-engine]

ID	Title	Status	Priority	Created	Due Date	Actions
#363	CRITICAL: sleeping_tasks.discard() called on dict - AttributeError ## Issue In engine/durable_context.py:1389, the code calls discard() on sleeping_tasks which is a d...	closed	critical	2025-12-11 21:39	-	Edit
#362	CRITICAL: Heartbeat updates not committed to database ## Issue The heartbeat service in engine/services/heartbeat_service.py:179-207 updates heartbeats w...	closed	critical	2025-12-11 21:39	-	Edit
#361	CRITICAL: ctx.now is non-deterministic - breaks replay guarantees ## Issue The ctx.now property in engine/durable_context.py:486-503 returns datetime.now(timezone.ut...	closed	critical	2025-12-11 21:39	-	Edit
#360	CRITICAL: DataShard script storage uses workflow_name+version instead of definition_hash - causes stale data collisions ## Problem When storing Python DSL scripts in DataShard, the key is based on workflow_name + version...	closed	critical	2025-12-11 10:26	-	Edit
#354	CRITICAL: http_request.py - Add SSRF Protection ## Issue The http_request.py tool has no URL validation, allowing Server-Side Request Forgery (SSRF)...	closed	critical	2025-12-10 08:16	-	Edit
#353	Security & Implementation Review: Built-in Tools ## Tools Security Review (Issue #353) ### CRITICAL Issues Found and Fixed - **#354 SSRF in http_req...	closed	critical	2025-12-10 08:12	-	Edit
#326	CRITICAL: Implement Database-Stored App Code - All Code Must Come From DB ## Problem The current app/marketplace architecture has a critical flaw: app code is loaded from dis...	closed	critical	2025-12-09 11:23	-	Edit
#325	CRITICAL: Absurd retry creates new run_id while keeping same workflow_run_id, causing failed workflows to appear completed bug data-integrity orchestrator retry ## Bug Summary When an Absurd task fails and retries, a NEW run_id is created (e.g., attempt=2) but ...	closed	critical	2025-12-09 05:51	-	Edit
#324	CRITICAL: App versioning does not isolate code - all tenants run whatever code is on disk App version system gives FALSE sense of isolation. Workers load code from disk via importlib, ignori...	closed	critical	2025-12-09 05:45	-	Edit
#321	CRITICAL: Secrets system accepts name-based lookups instead of requiring UUID Issue #317 was supposed to implement UUID-based secret identifiers, but the E2E test revealed that g...	closed	critical	2025-12-08 18:38	-	Edit
#320	CRITICAL: workflow_logging_injector.py fails with list-format tasks The workflow_logging_injector.py expects tasks as a dict but workflow JSON has tasks as a list. Line...	closed	critical	2025-12-08 17:45	-	Edit
#315	Add Secret Scopes with Access Control (tenant/app/workflow) ## Problem Currently any workflow in a tenant can access ANY secret in that tenant. No restrictions ...	closed	critical	2025-12-08 14:39	-	Edit
#260	CRITICAL: OAuth login allows any Google user to get JWT without tenant membership ## Security Vulnerability ### Problem OAuth login generates JWT for ANY Google user with any tenant...	closed	critical	2025-12-04 18:51	-	Edit
#259	Implement Platform Tenant (_platform) for super admin access ## Overview Implement a special '_platform' tenant that serves as the administrative domain for plat...	closed	critical	2025-12-04 18:17	-	Edit
#249	[PHASE 1] Add RBAC Permissions to Critical Endpoints Phase 1: Add @require_permission decorators to: 1. artifacts.py - manage_artifacts permission 2. app...	closed	critical	2025-12-04 09:22	-	Edit
#248	[CRITICAL] Security Audit: Missing RBAC Permission Checks on Multiple Endpoints COMPREHENSIVE SECURITY AUDIT FINDINGS - See Phase 1 breakdown for fix plan	closed	critical	2025-12-04 09:22	-	Edit
#246	Activity worker should use LISTEN/NOTIFY instead of polling Activity workers poll every 1s for new activities. Should use PostgreSQL LISTEN/NOTIFY like orchestr...	closed	critical	2025-12-03 20:51	-	Edit
#245	Activity worker should use BulkheadSync for parallel execution Activity worker processes activities sequentially (1 at a time). Should use BulkheadSync like orches...	closed	critical	2025-12-03 20:30	-	Edit
#244	Critical: Activity worker holds DB connection for entire shell execution duration activity-worker database scalability ## Problem Activity worker holds a database connection checked out from the pool for the ENTIRE dur...	closed	critical	2025-12-03 15:53	-	Edit
#243	BUG: Workflow cancel doesn't kill shell child processes When a workflow is cancelled, shell processes spawned by tools.shell.run are NOT terminated. Curren...	closed	critical	2025-12-03 15:27	-	Edit

Previous Page 5 of 9 Next