AaaS Supervisor
Updated 2026-04-23T14:00:00Z

Open Issues

Manual follow-up registry — only active items shown. Resolved issues are purged. Source of truth: tasks/open-issues.md.

Last sync: 2026-04-23 · Active Issues: 12 · Blocked: 4 · Pending: 8 · Info: 1 · Critical: 3

Info

Reference — not blocking.

#37 — Secret Manager Audit — Many Blockers Already Unblocked (2026-04-21)

Status: Information

Full Secret Manager audit confirmed that many previously "human-gated" items are already provisioned. The following secrets exist in GCP Secret Manager:

  • CLERK_SECRET_KEY + NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY — dev keys, need prod upgrade (see #33 Clerk)
  • NEON_DATABASE_URL — provisioned 2026-03-29; needs schema migration only
  • STRIPE_API_KEY, STRIPE_API_SECRET, STRIPE_WEBHOOK_SECRET, BOUTIQUE_STRIPE_WEBHOOK_SECRET
  • TAVILY_API_KEY — provisioned 2026-03-21
  • TELEGRAM_BOT_TOKEN + TELEGRAM_CHAT_ID — provisioned 2026-03-21
  • GOOGLE_OAUTH_CLIENT_ID + GOOGLE_OAUTH_CLIENT_SECRET — provisioned 2026-03-23
  • POSTHOG_API_KEY — provisioned 2026-03-28

Still missing: GA4 Measurement ID — not in Secret Manager; requires analytics.google.com property creation (see #35).

Blocked Issues — Step Plans Required

Hard-blocked on human credentials, dashboard access, or external services.

#33 — Clerk Production Key — Platform Auth

Status: Blocked · Priority: High

Platform uses a Clerk development key (pk_test_...), which crashes for unauthenticated visitors. Middleware and Clerk env vars are disabled as a workaround. Resolving this unblocks #36 (anonymous account flow).

Added: 2026-04-19 · Owner: Human (account credentials required)

Steps Required
  1. Go to Clerk Dashboard → create production instance
  2. Get production keys: pk_live_... (publishable) + sk_live_... (secret)
  3. Update secrets via gcloud: NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY and CLERK_SECRET_KEY
  4. Re-enable middleware in apps/platform/src/middleware.ts
  5. Trigger rollout: firebase apphosting:rollouts:create platform --git-branch main --project aaas-platform

#10 — LinkedIn/Twitter API Automation

Status: LinkedIn Keys Exist — Wire + Build · Priority: High

No automated social posting of content. Content already exists in GravityClaw pipeline. Blocked on registering OAuth apps at LinkedIn and Twitter Developer portals.

Steps Required
  1. Register LinkedIn API app at LinkedIn Developer Portal
  2. Register Twitter API app at Twitter Developer Portal
  3. Get OAuth tokens for company page posting
  4. Set API keys as Cloud Functions secrets
  5. Build posting functions (content already exists in GravityClaw pipeline)

#36 — Feature: Project Persistence + Anonymous-to-Named Account Migration

Status: Concept — Needs Clerk Prod Key First · Priority: High

All service results must be permanently persisted — customers access deliverables up to 1 year later. VM lifecycle must not affect persistence. Architecture: git repo per project (auto-created via GITHUB_PAT). Anonymous users can start without an account; migration via magic link / Stripe match / support ticket. Blocked on Clerk production key (#33) — anonymous flow cannot ship without real auth.

Added: 2026-04-18 · Owner: Product + Engineering

What Needs to Be Built (after #33 Clerk is unblocked)
  1. auth-core: anonymous user type + token flow
  2. aaas-api: project creation without auth gate, POST /projects with optional auth
  3. agentZeroCallback: deliverable directly committed to Git (in addition to Firestore)
  4. GitHub auto-repo-creation at project start (GITHUB_PAT already in Secret Manager)
  5. platform: "My Project" dashboard + migration CTA for anonymous users
  6. Migration endpoint: POST /auth/migrate-anonymous with proof verification

#22/#23/#24 — Full-System-Audit (platform-feature-check, a0-dispatch-check, stability-tests)

Status: Blocked · Priority: Medium

#22 requires browser access to the live platform. #23 requires a running A0 VM (GCE + Docker) — VM a0-ops is now running (resolved 2026-04-19), but the dispatch path still needs verification. #24 (stability-tests) is blocked on both #22 and #23. Produce audit results in docs/audit-results/.

Added: 2026-04-18 · Plan: full-system-audit

#8 — API Gateway: Upstream Provider API Keys

Status: Partially Wired · Priority: Critical

LLM, media, scraping, and business service endpoints won't function without AaaS's own provider keys. Each key goes into GCP Secret Manager once and serves all customers.

Phase 1 — LLM Providers
  1. OpenRouter → OPENROUTER_API_KEY
  2. Anthropic → ANTHROPIC_API_KEY
  3. OpenAI → OPENAI_API_KEY
  4. Perplexity → PERPLEXITY_API_KEY
Phase 2 — Media / Scraping / Business
  1. Replicate → REPLICATE_API_KEY
  2. FAL → FAL_API_KEY
  3. ElevenLabs → ELEVENLABS_API_KEY
  4. Apify → APIFY_API_KEY
  5. Firecrawl → FIRECRAWL_API_KEY
  6. Scrapecreators → SCRAPECREATORS_API_KEY
  7. EnsembleData → ENSEMBLEDATA_API_KEY
  8. Linkup → LINKUP_API_KEY
  9. Prelude → PRELUDE_API_KEY
  10. Reducto → REDUCTO_API_KEY
  11. Gamma → GAMMA_API_KEY

#31 — Firestore Database Migration US → EU Region (GDPR)

Status: Major Infrastructure Project · Priority: High

Current Firestore location: us-east1. aaas.builders legal terms are governed by German law, so EU data residency is expected. A Firestore database's location cannot be changed after creation — this requires creating a new database in an EU region and migrating all 133+ collections. Estimate: 2–4 day project.

Added: 2026-04-15 · Source: PR #302 review · Owner: Infra / platform team

Steps Required
  1. Decision: EU region choice — recommend eur3 multi-region (Frankfurt/Belgium HA)
  2. Create new Firestore database in chosen EU region
  3. Firestore Export → GCS bucket → Firestore Import into new EU database
  4. Maintenance window: all writes paused during final sync cutover
  5. Update firebase.json, functions, services to point to new DB
  6. Update privacy policy to remove "migration in progress" language

Pending Issues — Human Action Required

Not hard-blocked, but require human decision, credentials, or verification.

#19 — CRITICAL — Rotate All Exposed API Keys (Quality Audit 2026-04-09)

Status: Pending · Priority: Critical

Quality audit found services/api/.env contains API keys locally. While .env is gitignored and not tracked in git, keys should be rotated as a precaution.

Added: 2026-04-09

Keys to Rotate
  1. OpenRouter — regenerate at openrouter.ai dashboard
  2. Anthropic — regenerate at console.anthropic.com
  3. OpenAI — regenerate at platform.openai.com
  4. Google API — regenerate in GCP Console
  5. Supabase Access Token — regenerate in Supabase dashboard
  6. Apify — regenerate in Apify Console
  7. Brave Search — regenerate at brave.com/search/api
  8. fal.ai, Telegram Bot Token, YouTube API Key, Tavus API Key
  9. Also: add secret scanning to CI (truffleHog or detect-secrets as GitHub Action)
  10. Rotate Google Service Account key in GCP IAM

#16 — Neon Postgres — Schema Migrated, Minor Fixups Remaining

Status: Mostly Resolved (2026-04-23) · Priority: Medium

17 tables verified in Neon DB (7 newly created, 10 pre-existing confirmed). No pgvector needed. Two fixups remain: the activities table column mismatch (DB vs. drizzle schema) and the contextEventEmitter Cloud Function missing its NEON_DATABASE_URL secret binding.

#23 — Workflow Spec Gaps (workflow_aaas.com_A0_v2.md) — Remaining Items

Status: Partially Resolved · Priority: High

ClamAV malware scan is now integrated (done 2026-04-21, PR #383). The following items still require new development work:

Added: 2026-04-11

Still Open
  1. HIGH — PDF text extraction before A0 handoff (not implemented anywhere; PDFs passed as-is)
  2. HIGH — Anonymous sessions / guest flow (all API routes require auth via requireAuth middleware)
  3. MEDIUM — Learning System: Template Archive (saveTemplateArtifact / findSimilarTemplates Cloud Functions do not exist)
  4. MEDIUM — Onboarding Phase 0 (3-question interview, not in platform UI)
  5. MEDIUM — token_cost field in A0 agent profiles — mandate in every callback
  6. MEDIUM — P3: autoresearch as A0 tool — usr/plugins/autoresearch_tool/ not in docker volume injection
  7. LOW — WhatsApp / Telegram inbound messages (email inbound exists; others not wired)
  8. LOW — P5: _self_healing "Never push" constraint

#32 — Academy Packs/Tracks — Verified, Minor Fixups

Status: Verified (2026-04-23) · Priority: Low

The academySeeder Cloud Function was specified in the execution plan but verification status is unknown.

Added: 2026-04-20 · Source: aaas-supervisor execution-plan-credit-system.md

Steps Required
  1. Does functions/src/academySeeder.ts exist and deploy?
  2. Are academy packs seeded in Firestore (academy_packs collection)?
  3. Is the academy UI in aaas.select wired to these packs?

#15 (clerk) — Clerk + Supabase: Register Clerk Webhook in Dashboard

Status: Mostly Resolved · Priority: Medium

All Firebase secrets set, clerkWebhook deployed. One manual step remains: Clerk does not expose a webhook-creation REST API — must be registered in the Clerk Dashboard UI.

Resolved: 2026-03-31 (partial)

One Manual Step Required
  1. Go to Clerk Dashboard → Webhooks → Add Endpoint
  2. URL: https://clerkwebhook-q66ryynraa-uc.a.run.app
  3. Events: user.created, user.updated, user.deleted
  4. Verify signing secret matches what is in Secret Manager (CLERK_WEBHOOK_SECRET)
  5. Create test user via /sign-in → check Supabase users table for the row
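A check for step 4, as an added example that is not the project's own code: the webhook endpoint verifies every delivery against the secret held in Secret Manager, so a mismatch between the dashboard's signing secret and CLERK_WEBHOOK_SECRET shows up as rejected deliveries instead of silently accepted ones. It implements the Svix signature scheme Clerk webhooks use (svix-id, svix-timestamp, svix-signature headers); the sample secret, message id and payload are constructed.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secret in Svix/Clerk format ("whsec_" + base64 key);
# the real value is read from Secret Manager (CLERK_WEBHOOK_SECRET).
SAMPLE_SECRET = "whsec_" + base64.b64encode(b"constructed-example-key!").decode()
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is stale or far ahead


def clerk_signature(secret: str, msg_id: str, timestamp: str, body: bytes) -> str:
    """Svix v1 signature: base64(HMAC-SHA256(key, "<id>.<timestamp>.<raw body>"))."""
    key = base64.b64decode(secret.removeprefix("whsec_"))
    signed_content = f"{msg_id}.{timestamp}.".encode() + body
    return base64.b64encode(hmac.new(key, signed_content, hashlib.sha256).digest()).decode()


def verify_clerk_webhook(headers: dict, body: bytes, secret: str, now: Optional[float] = None) -> bool:
    """Return True only if the delivery is fresh and carries a valid v1 signature."""
    msg_id = headers.get("svix-id", "")
    timestamp = headers.get("svix-timestamp", "")
    signatures = headers.get("svix-signature", "")
    if not (msg_id and timestamp and signatures):
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # replayed or badly skewed delivery
    expected = clerk_signature(secret, msg_id, timestamp, body)
    # The header may carry several space-separated "v1,<sig>" entries (e.g. during rotation).
    for entry in signatures.split(" "):
        version, _, sig = entry.partition(",")
        if version == "v1" and hmac.compare_digest(sig, expected):
            return True
    return False


def sample_delivery(secret: str, body: bytes, now: float) -> dict:
    """Build the headers of a constructed delivery, shaped as Clerk sends them."""
    msg_id, ts = "msg_constructed_0001", str(int(now))
    return {"svix-id": msg_id, "svix-timestamp": ts,
            "svix-signature": "v1," + clerk_signature(secret, msg_id, ts, body)}
```

Verify against the raw request bytes, not a re-serialised JSON object, since any whitespace change breaks the HMAC.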

GitHub Tasks (ibossyNr1/tasks)

Status: Tracked Separately · Priority: High

The following are tracked in the GitHub issue tracker at ibossyNr1/tasks:

Open GitHub Issues
  1. #6 — Provision GCP credentials for aaas.diy Phase A
  2. #5 — FIREBASE_SERVICE_ACCOUNT_JSON secret missing on aaas.com
  3. #4 — Add aaas.diy to Platform dropdown
  4. #3 — Cross-domain auth: DNS + shared auth domain setup
  5. #2 — Enable GCP APIs + create resources for aaas.diy