Issues [highway-workflow-engine]

ID	Title	Status	Priority	Created	Due Date	Actions
#547	[API/Perf] analytics.py heavy PERCENTILE_CONT aggregation File: api/blueprints/v1/analytics.py:520-535. Running p50, p95, p99 percentiles on potentially milli...	closed	high	2025-12-17 16:29	-	Edit
#546	[API/Perf] analytics.py full table scan in list_queue_analytics File: api/blueprints/v1/analytics.py:45-65. Query groups ALL workflow_runs for a tenant with no time...	closed	high	2025-12-17 16:29	-	Edit
#545	[API/Race] tenant_apps.py TOCTOU in set_secret and delete_secret File: api/blueprints/v1/tenant_apps.py:913-1027. SELECT secrets_config, modify in Python, then UPDAT...	closed	high	2025-12-17 16:29	-	Edit
#544	[API/Race] apps.py TOCTOU in create_version File: api/blueprints/v1/apps.py:790-852. Two separate checks (app ownership, version existence) befo...	closed	high	2025-12-17 16:29	-	Edit
#543	[API/Race] apps.py TOCTOU in create_app File: api/blueprints/v1/apps.py:193-236. SELECT checks for duplicate, then INSERT. Between these ope...	closed	high	2025-12-17 16:29	-	Edit
#542	[API/Race] rbac.py TOCTOU in API key validation File: api/middleware/rbac.py:146-209. _validate_api_key performs SELECT then UPDATE without FOR UPDA...	closed	high	2025-12-17 16:29	-	Edit
#541	[API/Perf] auth_wrapper.py N+1 query in get_user_accessible_tenants File: engine/security/auth_wrapper.py:311-330. Loops through ALL tenants making separate auth query ...	closed	high	2025-12-17 16:29	-	Edit
#540	[API/Perf] oauth2.py blocking requests library in async handler File: api/oauth_handlers/oauth2.py:374-401. Uses synchronous requests.post() and requests.get() in a...	closed	high	2025-12-17 16:29	-	Edit
#539	[API/Perf] rbac.py N+1 DB queries - no permission cache File: api/middleware/rbac.py:659-661. Every permission check opens new DB connection and creates new...	closed	high	2025-12-17 16:29	-	Edit
#538	[API/Perf] steps.py full data scan for count-only operation Fixed: Added row_count() to DataShard, steps.py uses parquet metadata for count-only queries	closed	high	2025-12-17 16:29	-	Edit
#537	[API/Perf] signals.py:73 sync function blocks event loop File: api/blueprints/v1/signals.py:73-94. get_signals is a synchronous function (def get_signals) de...	closed	high	2025-12-17 16:29	-	Edit
#527	[API/Perf] Sync subprocess blocks async event loop File: api/blueprints/v1/workflows.py:115-122 Problem: `subprocess.run()` is synchronous and...	closed	high	2025-12-17 15:00	-	Edit
#523	[API/Race] Signal duplicate send - no idempotency File: api/blueprints/v1/signals.py:33-64 Problem: Client retries can send duplicate signals...	closed	high	2025-12-17 14:59	-	Edit
#522	[API/Race] Rate limiter TOCTOU - incorrect quota enforcement File: api/middleware/rate_limiter.py:22-47 Problem: `check_quota()` and `get_tenant_stats()...	closed	high	2025-12-17 14:59	-	Edit
#521	[API/Race] Workflow definition hash collision on concurrent submit File: api/blueprints/v1/workflows.py:236-256 Problem: Two concurrent submissions of same wo...	closed	high	2025-12-17 14:59	-	Edit
#519	[API/Memory] Workflow graph generation - unbounded recursion File: api/blueprints/v1/workflows.py:1283-1307, 1488-1526 Problem: Deeply nested workflows ...	closed	high	2025-12-17 14:59	-	Edit
#518	[API/Memory] Workflow list query - unbounded days filter File: api/blueprints/v1/workflows.py:814-885 Problem: User can request `?days=36500` (100 y...	closed	high	2025-12-17 14:59	-	Edit
#514	[ENGINE/Perf] Regex compiled on every call in activity_context.py hot path File: engine/activity_context.py:151-160 Problem: Pattern `r"\{\{([^}]+)\}\}"` is compiled ...	closed	high	2025-12-17 14:59	-	Edit
#512	[ENGINE/Race] Tenant config cache snapshot TOCTOU race File: engine/config.py:640-661 Problem: TOCTOU between cache snapshot and cleanup - another...	closed	high	2025-12-17 14:58	-	Edit
#511	[ENGINE/Race] Circuit breaker storage singleton missing lock File: engine/config.py:337-365 Problem: Missing lock for singleton initialization. Two thre...	closed	high	2025-12-17 14:58	-	Edit

Previous Page 7 of 17 Next