# Code Review — Technical Debt & Stability Issues

**Date:** 2026-04-29
**Scope:** Full backend + frontend review
**Total items:** 53 issues

Security items are listed in a separate deferred section at the end of this document. They are **not** in scope for the current fix pass but must be addressed before any multi-user or public-facing deployment.

---

## Critical — Stability / Data Loss / Crash

| # | Problem | File | Line | Explanation |
|---|---------|------|------|-------------|
| 1 | **[FIXED] Race condition: concurrent runs overwrite each other** | `navi/api/websocket.py` | 70, 328-331, 164 | `_runs[session_id] = run` has no guard. Two tabs or rapid reconnects for the same session overwrite each other. The first run's `finally` block calls `_runs.pop()`, which accidentally removes the *second* run. Cooperative stop signals break; zombie tasks remain. |
| 2 | **[FIXED] Resource leak: tool tasks never cancelled on generator teardown** | `navi/core/agent.py` | 842-892 | Each tool call runs in `asyncio.create_task()`. If the consumer (WebSocket handler) is cancelled, `GeneratorExit` breaks the `while True` loop at `yield item` but `tool_task` is never awaited or cancelled. It continues executing filesystem/SSH/shell commands in the background with no way to stop it. |
| 3 | **[FIXED] Empty LLM stream silently kills fallback** | `navi/llm/fallback.py` | 162-165, 208-210 | `stream()` and `stream_complete()` catch `StopAsyncIteration` from an empty generator and do `return`, ending the entire fallback chain instead of trying the next server. User sees an empty response with no error. |
| 4 | **[FIXED] Frontend race condition in session loading** | `webclient/src/stores/chat.js` | 34-58 | `loadSession()` guards against reloading the *same* ID, but has no guard against two *different* concurrent loads. If user switches A→B while `loadSession(A)` is in-flight, the late completion overwrites `currentId` back to A. UI snaps to the wrong session. |
| 5 | **[FIXED] Frontend crash on non-string tool result** | `webclient/src/components/messages/ContentCard.vue` | 100-111 | `metadata` computed property calls `.match()` on `props.tool.result ?? ''`. If `result` is an object or `null`, `.match()` throws `TypeError` and crashes the component. |
| 6 | **[FIXED] Frontend crash on malformed image data** | `webclient/src/stores/chat.js` | 393 | `buildMessageList` calls `b.startsWith('data:')` on every element of `m.images`. If backend sends `null` or a non-string, the history builder crashes. |

---

## High — Performance / Reliability / UX Breakage

| # | Problem | File | Line | Explanation |
|---|---------|------|------|-------------|
| 7 | **[FIXED] Unbounded WebSocket replay buffer** | `navi/api/websocket.py` | 44-45 | `_AgentRun.events` is a plain `list[dict]` with no size limit. Large tool results (e.g. 5 MB terminal output) accumulate. Every reconnect replays the entire buffer, causing memory and bandwidth spikes. |
| 8 | **[REMOVED] SQLite opens a new connection per operation** | `navi/core/sqlite_session_store.py` | 68, 79, 89, 101, 111, 121, 129 | SQLite support was removed entirely. PostgreSQL is now the only supported database. `aiosqlite` dependency removed, `db_path` config removed. |
| 9 | **[FIXED] Memory extraction task storm** | `navi/api/routes/sessions.py` | 50 | Every `POST /sessions` spawns a fire-and-forget `asyncio.create_task(_process_stale_sessions(...))`. No deduplication or rate-limiting. Rapid session creation launches many concurrent LLM calls, overwhelming the backend. |
| 10 | **[FIXED] Permanent blacklisting with no recovery** | `navi/llm/fallback.py` | 38-39 | `_dead_servers` and `_dead_models` are module-level sets. A transient network blip permanently blacklists the server until Python process restart. |
| 11 | **[FIXED] Subagent exception isolation missing** | `navi/core/agent.py` | 512 | Inside `run_ephemeral()`, tools execute with bare `await tool.execute()`. No `_run_with_sentinel` wrapper. If a tool crashes, the subagent dies and all partial progress is lost. |
| 12 | **[FIXED] No size validation on inline images** | `navi/api/websocket.py` | 297-304 | `raw_images` is taken directly from client JSON with no length or size checks. A client can send massive base64 payloads, causing memory exhaustion. |
| 13 | **[FIXED] Orphaned files when DB insert fails** | `navi/content_store.py` | 114-129 | In `publish()`, `shutil.copy2` runs first. If the subsequent DB `INSERT` fails (caught and logged), the copied file remains on disk with no metadata record, accumulating orphaned files in `navi/content/`. |
| 14 | **[FIXED] Frontend: broken streaming auto-scroll** | `webclient/src/components/chat/MessageList.vue` | 76-89 | Watchers on `chat.streamingMsg?.text` never fire during streaming because `streamingMsg` is a `shallowRef`. Vue does not track deep mutations, so the chat list does not auto-scroll as new deltas arrive. |
| 15 | **[FIXED] Frontend: mixed-content WebSocket on HTTPS** | `webclient/src/composables/useWebSocket.js` | 4-6 | WS URL is hardcoded to `ws://${location.host}`. When served over HTTPS, browsers block `ws://` as mixed content. Must switch to `wss://` when `location.protocol === 'https:'`. |
| 16 | **[FIXED] Frontend: duplicate message sends from rapid clicks** | `webclient/src/components/chat/InputBar.vue` | 141-160 | `handleSend` has no debounce or in-flight guard. `canSend` only checks `!chat.streaming`, which is not set until `stream_start`. Rapid clicks can queue multiple identical messages. |
| 17 | **[FIXED] Frontend: unhandled promise rejections across API layer** | `webclient/src/api/index.js` and callers | — | `request()` and `uploadFile()` throw on errors, but almost no callers wrap their awaits in `try/catch`. Failures become unhandled rejections and leave the UI in a broken silent state. |
| 18 | **SSH connections not closed on shutdown** | `navi/tools/ssh_exec.py` | 54-90 | `_PoolEntry` connections hang until TTL or process kill. No graceful cleanup on server shutdown. |

---

## Medium — Architectural / Edge Cases / Maintainability

| # | Problem | File | Line | Explanation |
|---|---------|------|------|-------------|
| 19 | **[FIXED] N+1 UPDATE queries in embedding backfill** | `navi/memory/store.py` | 170-176 | `backfill_embeddings()` loops over rows, issuing one `UPDATE` per row. Should batch via `executemany` or multi-row `UPDATE`. |
| 20 | **[FIXED] Unindexed ILIKE fallback search** | `navi/memory/store.py` | 282-314 | Text fallback constructs dynamic SQL with `ILIKE` on `category`, `key`, `value`. No indexes exist on these columns individually. Full table scan on large tables. |
| 21 | **[FIXED] Context list rebuilt from scratch every iteration** | `navi/core/agent.py` | ~683 | `_build_context()` creates a brand-new list by filtering and prepending system messages on every tool-calling iteration. O(n) per iteration, generating significant garbage. |
| 22 | **[FIXED] Unbounded `planning_logs` growth** | `navi/core/agent.py` | 651 | `session.planning_logs.append(_ev.log)` with no size limit or rotation. Long sessions with planning enabled produce huge JSON in DB, slowing `save()`. |
| 23 | **[FIXED] Background cleanup task unreferenced** | `navi/main.py` | 72 | `asyncio.create_task(cleanup_loop(...))` — the returned `Task` is not stored. In Python < 3.11, unhandled exceptions may be silently discarded. |
| 24 | **[FIXED] BaseException catches SystemExit** | `navi/core/agent.py` | 847-848 | `_run_with_sentinel` catches `BaseException`, which includes `SystemExit`. Should catch only `Exception`. |
| 25 | **[FIXED] SystemExit swallowed in agent loop** | `navi/core/agent.py` | 871 | `isinstance(r, BaseException)` includes `SystemExit`. It should propagate to allow graceful server shutdown. |
| 26 | **[FIXED] Hardcoded context output reserve** | `navi/core/agent.py` | 1521 | `output_reserve = 2048` tokens is not configurable per model. May falsely reject valid contexts for small models. |
| 27 | **[FIXED] Vector literal NaN/Infinity vulnerability** | `navi/memory/store.py` | 73-75 | `_vector_to_str` converts floats naively. A misbehaving embedding model returning `NaN` or `Infinity` creates invalid PostgreSQL vector syntax. |
| 28 | **Tight coupling to todo module internals** | `navi/core/agent.py` | 176-224 | `_todo_status_snapshot` directly reads `navi.tools.todo._plans`, a module-level dict. Hard to test and refactor. |
| 29 | **ContextVar values not reset in subagent path** | `navi/core/agent.py` | 350-351 | `run_ephemeral()` sets `_sid_var` and `_model_var` but never resets them. Background tasks spawned by the subagent may inherit stale values. |
| 30 | **[FIXED] Replay/reattach may miss post-finish events** | `navi/api/websocket.py` | 274-277 | If a client reconnects after a run finishes but before disconnect is fully processed, it gets `session_sync`. No push event indicates new messages were persisted while disconnected. |
| 31 | **[FIXED] Frontend: singleton confirm-dialog promise leak** | `webclient/src/composables/useConfirm.js` | 5-30 | Module-level `_resolve`. If `confirm()` is called twice before the first resolves, the second overwrites `_resolve`, causing the first promise to hang forever. |
| 32 | **[FIXED] Frontend: body overflow leak on lightbox unmount** | `webclient/src/components/ui/ImageLightbox.vue` | 26-28 | `watch(src)` sets `document.body.style.overflow = 'hidden'`. If component unmounts while open, the side effect is never reverted. Page stays permanently unscrollable. |
| 33 | **[FIXED] Frontend: DOM leak on fallback copy failure** | `webclient/src/composables/useCopy.js` | 10-17 | Fallback copy appends a `<textarea>` to body but lacks `try/finally`. If `document.execCommand('copy')` throws, the textarea remains in DOM. |
| 34 | **[FIXED] Frontend: reconnect race in WebSocket send()** | `webclient/src/composables/useWebSocket.js` | 52-64 | Multiple `send()` calls while `ws.readyState === CLOSING` each trigger `_connect()`, creating redundant sockets that are immediately destroyed. |

---

## Low — Code Smell / Minor

| # | Problem | File | Line | Explanation |
|---|---------|------|------|-------------|
| 35 | **No tests** | Entire project | — | Neither backend nor frontend has unit or integration tests. Refactoring is risky. |
| 36 | **[FIXED] Import-time side effects in deps** | `navi/api/deps.py` | 37, 88, 89 | `_memory_store`, `_session_store`, `_workers` instantiated at import time. SQLite table creation runs synchronously. Blocks health checks on lock failure. |
| 37 | **Hardcoded `old_webclient` static mount** | `navi/main.py` | 36-38 | `/static/` mounted from `old_webclient`. If renamed/removed, middleware fails. |
| 38 | **[FIXED] `__import__` anti-patterns** | `navi/content_store.py:188`, `navi/main.py:16-19` | 188, 16-19 | Inline `__import__` instead of direct imports. Hard to read and static analysis misses them. |
| 39 | **[FIXED] Token count `0` coerced to `None`** | `navi/llm/ollama.py` | 137-138 | `or None` converts legitimate `0` token count to `None`. Metrics lose precision. |
| 40 | **TODO: semantic deduplication** | `navi/memory/extractor.py` | 170 | Memory facts accumulate duplicates. Vector search + similarity threshold needed before upsert. |
| 41 | **Frontend: global `marked` singleton mutation** | `webclient/src/composables/useMarkdown.js` | 5-16 | `marked.setOptions()` and `marked.use()` mutate the global singleton. Conflicts with any other module wanting different options. |
| 42 | **Frontend: profile selector does not change active session profile** | `webclient/src/components/ui/AppSidebar.vue` | 16 | `@change` updates `profilesStore.selectedProfileId` directly but does not change the active session's profile. User thinks they switched but they didn't. |
| 43 | **[FIXED] Frontend: stale `streamingMsg` after reconnect reload** | `webclient/src/stores/chat.js` | 74-86 | `reloadSession` rebuilds `messages.value` but does not clear `streamingMsg.value`. Subsequent deltas mutate an orphaned object not in the rendered array. |
| 44 | **[FIXED] Frontend: incomplete HTML escaping in user messages** | `webclient/src/components/messages/UserMessage.vue` | 48-54 | `escapeHtml` encodes `& < > "` but not `'`. Defense-in-depth gap if ever injected into single-quoted attributes. |
| 45 | **Frontend: no message virtualization** | `webclient/src/components/chat/MessageList.vue` | 7-13 | All messages rendered in DOM. Long sessions degrade scroll/render performance. `vue-virtual-scroller` is already in the project but unused here. |
| 46 | **Frontend: fragile content-type detection from URL** | `webclient/src/components/messages/ContentCard.vue` | 120 | `url.split('.').pop()` does not strip query strings, so `image.png?size=large` fails lookup. |
| 47 | **Frontend: unused dependency** | `webclient/package.json` | 12 | `@tanstack/vue-virtual` listed but never imported; `vue-virtual-scroller` is used instead. |
| 48 | **[FIXED] Frontend: `findLast` compatibility risk** | `webclient/src/stores/chat.js` | 186-189, 257 | `Array.prototype.findLast` requires ES2023. Fails on older browsers unless polyfilled. |
| 49 | **[FIXED] Frontend: fragile table-wrapper regex** | `webclient/src/composables/useMarkdown.js` | 121 | `html.replace(/<table>/g, ...)` does not match `<table class="foo">`, so those tables miss the scrollable wrapper. |
| 50 | **[FIXED] Frontend: inefficient copy-button re-attachment** | `webclient/src/components/messages/AssistantMessage.vue` | 126 | `watch(renderedText)` calls `attachCopyButtons` on every streaming delta, repeatedly querying DOM even though buttons haven't changed. |
| 51 | **Frontend: imprecise relative-time updates** | `webclient/src/composables/useTime.js` | 36 | 30-second interval means "just now" can be stale for up to 30s before jumping. |
| 52 | **Frontend: stream message ID collision risk** | `webclient/src/stores/chat.js` | 148 | `id: 'stream_${Date.now()}'` could collide within the same millisecond on rapid reconnect. |
| 53 | **[FIXED] Frontend: flawed meta-row visibility logic** | `webclient/src/components/messages/AssistantMessage.vue` | 102-104 | `hasMeta` uses `|| props.msg.tool_call_count`, so `0` is falsy and may incorrectly hide the meta row. |
| 54 | **[FIXED] Dead `stream()` method on LLM backends** | `navi/llm/ollama.py:149`, `navi/llm/fallback.py:168` | `OllamaBackend.stream()` and `FallbackOllamaBackend.stream()` existed in code but were never called by `agent.py` or `messages.py`. Only `stream_complete()` was used. Removed from all backends and the base `LLMBackend` interface. |

---

## Security (Deferred — address before multi-user/public deployment)

| # | Problem | File | Line | Explanation |
|---|---------|------|------|-------------|
| S1 | **Arbitrary code execution (`code_exec`)** | `navi/tools/code_exec.py` | 54 | `asyncio.create_subprocess_exec(sys.executable, script_path)` with no sandbox (no seccomp, chroot, separate user). LLM-generated code runs with full server privileges. |
| S2 | **Full shell access by default (`terminal`)** | `navi/tools/terminal.py` | 66; `navi/config.py` | `TERMINAL_ALLOWED_COMMANDS=*` default. `create_subprocess_shell` allows any command including `rm -rf`, `curl \| sh`. |
| S3 | **Self-modifying code (`write_tool`)** | `navi/tools/write_tool.py` | 84 | LLM writes arbitrary `.py` to `tools/` and immediately imports it. Prompt injection → persistent backdoor without server restart. |
| S4 | **Path traversal in `content_publish`** | `navi/content_store.py` | 97-99 | `dest = dest_dir / dest_name` where `dest_name` is unsanitized user input. `../../etc/passwd` escapes the content directory. |
| S5 | **XSS via `v-html` in markdown rendering** | `webclient/src/composables/useMarkdown.js` | 119; `AssistantMessage.vue` | `renderMarkdown` returns raw HTML from `marked.parse()`. `v-html` in AssistantMessage, SummaryCard, CompressionNotice, ToolCard renders it unsanitized. |
| S6 | **Iframe sandbox bypass** | `webclient/src/components/messages/ContentCard.vue` | 26-41 | `sandbox="allow-scripts allow-same-origin"` on same-origin iframe removes all restrictions. Framed content can access `localStorage`, cookies, `window.parent`. |
| S7 | **Symlink traversal in `filesystem`** | `navi/tools/filesystem.py` | 71-88 | `Path.resolve()` follows symlinks. If `FS_ALLOWED_PATHS=/home/user` and a symlink points to `/etc`, `read` accesses `/etc/shadow`. |
| S8 | **SSH MITM by default** | `navi/tools/ssh_exec.py` | 254, 271 | `known_hosts="none"` disables host key verification. Vulnerable to man-in-the-middle attacks. |
| S9 | **Weak content UUID (8 chars)** | `navi/content_store.py` | 93 | `str(uuid.uuid4())[:8]` — only 4 billion combinations. `/content` is open without auth. Brute-force guessable. |
| S10 | **Passwords in plaintext in SSH pool** | `navi/tools/ssh_exec.py` | 48-51 | `_PoolEntry.connect_kwargs` stores passwords/keys. No scrubbing in logs or memory. |
| S11 | **No image size validation on WS** | `navi/api/websocket.py` | 297-304 | `raw_images` taken directly from client JSON without length/size checks. Malicious client can OOM the server. |
| S12 | **Indirect recursion in `spawn_agent`** | `navi/tools/spawn_agent.py` | 128 | `exclude_tools=["spawn_agent"]` blocks direct call, but sub-agent can call `write_tool` → new tool → `spawn_agent`. |
| S13 | **No `working_dir` validation in `terminal`** | `navi/tools/terminal.py` | 70 | `working_dir` passed directly to `cwd`. Any directory accessible if unrestricted mode. |