Skip to content

Known limitations / risk register

Soundverse 2.0 is a fast-moving greenfield rebuild, and it has debt. None of it is a surprise — the items below are known, and the full analysis (46 findings confirmed adversarially against the code) lives in the architecture review at backend/core/docs/INFRA-REVIEW.md. None of this blocks local development or normal feature work. Think of each item as an edge to respect when you touch the relevant area, not a landmine in your path. Where live state matters, the item carries a status badge.

The three P0 blockers exploitable as deployed

Section titled “The three P0 blockers ”

These are the items to fix before any further external exposure. All three are still live in the current tree (verified against staging).

The rough-edge inventory (P1 / P2 / by-design)

Section titled “The rough-edge inventory (P1 / P2 / by-design)”

Everything below is tracked and bounded — mostly “coordinate by hand” or “throughput-capped, not lost.” Full severity and evidence for each is in backend/core/docs/INFRA-REVIEW.md (sections 4–6).

Area Current state What to watch for Status
Auth env drift (Zitadel → Logto) core-identity and the live frontend are Logto-wired, but root .env.example and the compose soundverse-saas-2.0 service still only carry AUTH_ZITADEL_* slots (plus a NEXT_PUBLIC_ZITADEL_GOOGLE_ORG build arg). There are no AUTH_LOGTO_* / LOGTO_M2M_* slots yet. make up-frontend hands the Logto frontend dead vars, so browser sign-in won’t authenticate out of the box. Set AUTH_LOGTO_* (and the LOGTO_M2M_* creds identity needs) by hand — see Configure Logto. Config drift
No DB migration tooling schema.sql is hand-applied reference DDL. There is no Atlas / goose / Alembic runner — nothing versions, applies, or diffs it. Keep schema.sql, the db_column proto annotations, and the live DB in lockstep by hand, and coordinate any DDL change with the proto release that needs it. P1
Missing task fencing token ClaimNextTask re-claims a task whose lease expired, but CompleteTask / FailTask carry no owner guard — the lease is time-only, with no claimed_by liveness. A stalled-but-live worker can have its task stolen and both run → duplicate provider spend and uploads. Token billing stays single-charged (stable settle keys). See Task queue. P1
Prod proto cascade gap The prod release fires a proto_updated_prod dispatch, but consumers listen for soundverse_updated / proto_updated, and the Go services are bumped by hand. A prod contract change does not auto-propagate. Coordinate prod proto changes manually — see the proto → deploy cascade. P1
Schema-skew not caught in CI buf breaking is intentionally disabled for the startup phase. Python/web consumers pin @staging; the Go services pin a frozen pseudo-version. A wire-compatible-but-semantic change (reused field number, unit change) is only caught at compile/runtime, not in CI. By design
Redis is single-replica One Redis serves as cache, task queue, and event bus at once — a single point of failure. A configured-but-down Redis fails requests closed (errors before reserve/queue), not open. A Redis blip stops generation and live streaming together. Fail-safe (no double-charge), but not highly available. P2
Fixed worker autoscaling Workers deploy with hardcoded --min-replicas 1 --max-replicas 10 and no KEDA queue-depth rule. Workers have no HTTP ingress, so ACA’s default HTTP/concurrency scaler never fires. A burst queues behind one replica per tool — throughput-capped (bounded by per-worker concurrency), not lost. P2
gRPC services lack a real readiness probe The deploy template emits only an httpGet probe, which can’t probe a pure-gRPC port, so application-level unreadiness (process up, downstream channel dead) goes undetected. Rolling deploys can briefly sever in-flight streams. Recoverable via the reconciler / stream auto-reconnect — churn, not data loss. P2

Local dev and normal feature work are unaffected by everything above. The three P0s are deployment/exposure risks, not local blockers; the rest are “coordinate by hand” edges. When you do touch one of these areas, the full review at backend/core/docs/INFRA-REVIEW.md (sections 4–6) has the severity, evidence, and recommended fix for each — plus the P1/P2/P0 priority ordering and the open architectural questions the team still has to answer (is core-mcp a public peer or an internal detail? should nested agent calls bill once or twice? AKS or ACA for core-database?).