Fallback Tech Debt Register¶

Purpose: - Track runtime fallbacks that can mask defects or create security/operability risk. - Enforce explicit retirement plans for pre-MVP and post-MVP hardening.

Policy: - Root-cause fix in owning layer is mandatory. - Any remaining fallback must be explicit, bounded, and tracked here with owner + target date/phase.

How we inventory: - Discovery command: - rg -n "fallback|legacy|noop|ssh_legacy|managed-by-user" packages cmd --glob '!**/*_test.go' -S - Triage rule: - config-default: acceptable if fail-closed semantics remain. - runtime-compat: allowed only if explicitly temporary and documented. - risk: fallback can hide failures or weaken security posture; must be retired.

Active Fallback Debt (High Priority)¶

Terminal legacy SSH key-source compatibility chain
Type: risk
Location: packages/services/terminal/proxy.go
Why risky: multiple env fallback paths (TERMINAL_* -> PROVISIONING_*) and legacy key loading increase misconfiguration surface.
Correct target state: single terminal credential source contract for the active mode only.
Owner: Backend (A)
Target: pre-MVP cleanup sprint (A-CLEAN-001/follow-up).
Provisioning worker lazy POSIX identity creation
Type: runtime-compat
Location: packages/services/provisioning/worker/service.go
Why risky: worker writes identity if onboarding path misses it; useful as guardrail but can hide upstream onboarding regression.
Correct target state: auth onboarding is primary creator; worker guardrail retained with metric/alert.
Owner: Backend (A)
Target: keep as guardrail; add alert + runbook in ops hardening.
API runbook catalog fallback bundle
Type: runtime-compat
Location: cmd/api/main.go, cmd/api/admin_runbooks.go
Why risky: fallback catalog can drift from real runbook set and hide config/package errors.
Correct target state: strict manifest validation in production mode; fallback only for local dev.
Owner: Ops (C) + Backend (A)
Target: before production deploy.
Legacy error mapping bridge
Type: runtime-compat
Location: cmd/api/routes.go (extractLegacyError, mapLegacyErrorCode)
Why risky: permits mixed old/new error shapes; can hide endpoint contract drift.
Correct target state: canonical ErrorResponse everywhere; remove legacy bridge.
Owner: Backend (A)
Target: cleanup sprint after terminal/ssh completion.
Provisioning runtime noop mode path
Type: risk (if enabled outside tests/local)
Location: cmd/provisioning-worker/main.go, packages/services/provisioning/worker/service.go
Why risky: can mark flows without real node-side execution if misused.
Correct target state: restricted to test/local only, hard-block in production env profile.
Owner: Backend (A) + Ops (C)
Target: pre-production gate.
Terminal impersonation command surface and policy drift
Type: risk
Location: cmd/node-agent/terminal_stream.go, node sudoers policy
Why risky: terminal bootstrap uses host impersonation command path; broad sudo policy or mixed execution path can widen privilege surface.
Correct target state: single constrained impersonation path for terminal.open, strict sudoers command allowlist, and explicit test proving PTY runs as allocation user.
Owner: Backend (A) + Ops (C)
Target: pre-MVP cleanup sprint hard gate.
Admin ops dashboard counters are in-memory only
Type: runtime-compat
Location: cmd/api/routes.go (adminGetOpsOverviewHandler via statsSnapshot)
Why risky: totals reset on API restart and can diverge between replicas, reducing incident correlation reliability.
Correct target state: configurable metrics source with explicit mode:
in_memory for local dev/demo,
backend for persisted/queryable totals from observability backend (Prometheus/OTel/Loki/Tempo-derived signals).
Owner: Backend (A) + Ops (C)
Target: post-terminal cleanup sprint before production hardening.

Process Requirement¶

For any new fallback introduced: - Add an entry here in the same PR. - Add queue task for retirement (or explicit reason why permanent). - Include runtime metric/log signal to detect fallback activation.