Codebase Audit - 20260521_191625

GeneratedAt: 2026-05-21 19:16:25 local time Scope: current workspace on feature/ai-memory-suite-governance-foundation Validation: dotnet build MemorySmith.slnx -v minimal passed; focused governance/page tests passed 60/60 before repair; asset/API focused tests passed 56/56 after repair; full test run passed 220/220 after repair.

1. Summary

MemorySmith is structurally strong as a single-host local memory app, and the first AI memory suite governance slice is mostly implemented with warning-first diagnostics, tests, and documentation. A page-asset route regression found during the audit was repaired by restoring malformed percent-encoding rejection and delegating access checks to the service-backed asset index; the full suite now passes.

2. Completion Percentage

Scope Completion Rationale Confidence
This audit 92% Direct code, docs, git state, build, focused tests, full test result, and the repaired page-asset route were reviewed. Live browser validation, coverage report generation, provider integration checks, and direct MCP tool execution were not completed. 0.86
Final single-host refactor plan 82% MemorySmith.App is the active host, Worker/Dashboard are historical, REST/MCP/UI/storage/test surfaces exist, and CI is present. Residual complexity remains in Program.cs, duplicated formatters, and some stale docs. 0.80
AI memory suite implementation plan 34% Phase 1 warning-first governance foundations are partially delivered. Phase 2 tag manager/workbench controls, Phase 3 retrieval-wide warning propagation, Phase 4 Agent write governance, and Phase 5 measurement gates remain mostly open. 0.78

3. Detailed Audit Sections

Findings

Architecture

ID Severity Finding Evidence Reasoning Confidence
ARCH-01 Medium The single-host architecture is largely achieved and coherent. README.md, MemorySmith.App/Program.cs, MemorySmith.slnx, .github/copilot-instructions.md. The app hosts Blazor UI, REST controllers, MCP endpoint, storage, auth, diagnostics, maintenance, chat, and proposal services in one process. This aligns with the final refactor design. 0.86
ARCH-02 Medium Program.cs still owns route path normalization, but page-asset authorization now delegates to the service-backed asset index. MemorySmith.App/Program.cs has ResolvePageAssetPath, NormalizePageAssetRequestPath, HasValidPercentEncoding, and CanViewPageAssetAsync; CanViewPageAssetAsync calls FilePageService.GetAssetAccessInfoAsync. The release-blocking route-local substring scan was removed. Remaining route helper logic is smaller, but a dedicated route-safe asset service would still be cleaner than composition-root helpers. 0.88
ARCH-03 Medium MCP/context-pack formatting is split across multiple paths. MemorySmith.App/Controllers/McpController.cs, MemorySmith.App/Services/ChatToolCatalog.cs, and stale private helpers in MemorySmith.App/Services/ChatServices.cs. Prior tracker notes show this contract already drifted once. Multiple serializers/formatters for the same tool contract increase regression risk when schema metadata or diagnostics change. 0.81
ARCH-04 Medium The governance foundation is additive, but later AI memory suite phase gates are not implemented. Data/Pages/ai-memory-suite-implementation-plan.md, Data/Pages/memory-governance-guide.md, MemorySmith.App/Services/MemoryGovernanceServices.cs. Tag/source/relation/staleness diagnostics exist, but tag manager UI, schema promotion gates, retrieval-wide provenance, and Agent write evidence gates remain planned work. 0.84

Code Quality

ID Severity Finding Evidence Reasoning Confidence
CQ-01 High The uncommitted page-asset change weakens parsing by using substring matching instead of the existing Markdown AST based asset index. Program.cs PageReferencesAsset; PageService.cs ExtractReferencedAssetPaths, CollectReferencedAssetPaths, TryNormalizeReferencedAssetPath; PagesAndChatTests.cs asset-index tests. The service parser ignores plain text and code blocks and computes the most restrictive role. The new route helper can treat plain text/code mentions as real references and can allow access through any viewable page that contains the substring. 0.94
CQ-02 Medium TagPolicyService silently falls back to defaults when the policy file cannot be read or parsed. MemorySmith.App/Services/MemoryGovernanceServices.cs catches all exceptions in GetPolicy. A corrupt or malformed governance policy can look like a valid default policy. That protects availability but hides governance misconfiguration from operators and tests unless another diagnostic reports it. 0.76
CQ-03 Medium Diagnostics are useful but may become expensive because they are recomputed per record and can touch source files. MemoryDiagnosticsService.Analyze, AnalyzeSourceLinks, File.ReadLines(fullPath).Count(), MemoryApplicationService.GetDiagnostics. For the current small wiki this is acceptable. For larger stores or many source-linked memories, list/search/context-pack views can trigger repeated full-record dictionaries and file line counts. 0.72
CQ-04 Low There is dead or stale private context-pack formatting code in ChatServices.cs. ChatServices.cs defines ReadContextPackQuery, FormatSemanticResults, FormatHybridResults, and FormatContextPack; grep found no call sites in that file. Unused private helpers are not runtime defects, but they are misleading because the old JSON path lacks the newer schema/diagnostics projection. 0.69

Documentation

ID Severity Finding Evidence Reasoning Confidence
DOC-01 Medium README test-count documentation is stale. README.md says MemorySmith.Tests includes 184 NUnit tests; current full run reports 220 discovered tests with 219 pass and 1 fail. Stale validation counts reduce trust in release/readiness claims. The docs otherwise reflect recent auth, chat, MCP, maintenance, and governance work well. 0.92
DOC-02 Low Historical review/plan docs remain noisy and sometimes contradict current code. MemorySmith.Core/Docs/Reviews/*, MemorySmith.Core/Docs/Plans/*, README note that older files are historical. This is partially mitigated by the final refactor plan and README source-of-truth guidance, but audit/search results still surface old TODO/stub claims. 0.82
DOC-03 Low The governance guide accurately documents warning-first behavior and closed gates. Data/Pages/memory-governance-guide.md. The guide explicitly says diagnostics do not mutate records or ranking and lists closed gates. This is good governance hygiene. 0.87

Testing

ID Severity Finding Evidence Reasoning Confidence
TEST-01 Resolved The page-asset API contract failure found during the audit is fixed. PageAssetsApi_RejectsMalformedPercentEncoding passed 1/1, AppApiContractTests + PagesAndChatTests passed 56/56, and full suite passed 220/220 after repair. Program.cs now rejects malformed percent encodings before decoding and uses FilePageService.GetAssetAccessInfoAsync for visibility checks. 0.97
TEST-02 Medium Focused governance tests are strong for the first slice. Focused run over MemoryDiagnosticsTests.cs, MemoryMaintenanceTasksTests.cs, McpAndSemanticSearchTests.cs, and PagesAndChatTests.cs passed 60/60. Diagnostics, warning-first deprecation, context-pack JSON, and page asset index behavior have targeted coverage. 0.88
TEST-03 Medium UI visual behavior was not validated in this audit. No browser page was shared; no Playwright/browser validation was run. The /memories diagnostics UI and /proposals dashboard are user-facing. Unit/integration tests cannot fully validate layout, affordances, or accessibility. 0.74
TEST-04 Low CI has build, test, coverage, and docs workflows, but no markdown lint or format enforcement was observed. .github/workflows/ci.yml, .github/workflows/docs-pages.yml, no .editorconfig or Directory.Build.* found. The tool diagnostics show markdownlint issues in existing docs/logs, while CI does not appear to enforce markdown or formatting consistency. 0.70

Security

ID Severity Finding Evidence Reasoning Confidence
SEC-01 Resolved The current page-asset route now preserves malformed path rejection and service-backed visibility rules. Program.cs HasValidPercentEncoding, ResolvePageAssetPath, and CanViewPageAssetAsync; PageService.cs existing asset access index. The route no longer uses substring scanning for page references. The service-backed asset index retains the Markdown-aware parser and most-restrictive-role behavior tested in PagesAndChatTests. 0.90
SEC-02 Medium Source-link boundaries are generally well designed but diagnostics are warning-only. VarResolver, MemoryGovernanceServices.cs, Data/Pages/memory-governance-guide.md, README.md. Warning-only behavior matches the current plan, but operators need clear visibility before trusting source-backed agent outputs. Missing variables, disallowed roots, and bad lines are surfaced as diagnostics rather than blockers. 0.78
SEC-03 Medium Auth/RBAC posture appears mature for local use. README.md, SecurityServices.cs, Program.cs permission policies, auth/admin tests in the suite. Admin, audit, settings, restore, source bundle, chat, and agent-write permissions are separate policies. This matches the local single-operator threat model better than a single shared API key. 0.80

Performance

ID Severity Finding Evidence Reasoning Confidence
PERF-01 Medium The current uncommitted page-asset route does O(number of pages) reads per asset request. Program.cs CanViewPageAssetAsync calls pages.ListAsync and pages.GetAsync for every summary. FilePageService already maintains an invalidated asset minimum-role index. The route should use that indexed path, especially for pages with many assets. 0.88
PERF-02 Medium Semantic search remains exact in-memory cosine over filtered records when ONNX assets are available. README.md, SemantingSearch.md, SemanticEmbeddingSearchService. This is appropriate for the current local scope and avoids premature FAISS/native complexity, but it is a known scaling limit. The plan correctly keeps durable vector indexes out of scope. 0.77
PERF-03 Low Diagnostics and source line counting may need caching before large-wiki adoption. MemoryDiagnosticsService.AnalyzeAll, AnalyzeSourceLinks. Current fixture scale is small. If the wiki grows, cache policy parse results, source file line counts, and per-record diagnostics with invalidation on save. 0.68

Tooling

ID Severity Finding Evidence Reasoning Confidence
TOOL-01 Medium The solution builds successfully on the current machine. dotnet build MemorySmith.slnx -v minimal passed in 1.3s. Compile health is good despite the current test failure. 0.96
TOOL-02 Medium The project targets preview .NET 10.0. MemorySmith.App.csproj, MemorySmith.Tests.csproj; build emits NETSDK1057 preview warning. This may be intentional, but release planning should account for SDK availability and support policy. CI uses 10.0.x, so the dependency is explicit. 0.83
TOOL-03 Low There is no central build/style configuration file in the workspace root. File search found no .editorconfig or Directory.Build.*. Central analyzer, warning, nullable, package, and formatting policy would reduce drift across App/Core/Storage/Tests/Benchmarks. 0.74

Remaining Tasks

Priority Task Area Evidence Confidence
P0 No current P0 code/test blocker after repair. Security, Testing Full test suite passed 220/220 after Program.cs was repaired. 0.96
P1 Consider moving route-safe page-asset normalization and authorization behind a dedicated service. Architecture, Security Program.cs still owns route helpers even though access policy now delegates to FilePageService.GetAssetAccessInfoAsync. 0.84
P1 Complete Phase 2 tag workbench controls: chips/autocomplete, inline warnings before save, tag manager, policy mode controls, and source-link health indicators. UX, Governance Data/Pages/ai-memory-suite-implementation-plan.md Phase 2 remains gated. 0.82
P1 Propagate diagnostics/provenance across all retrieval outputs, not just memory search/context pack paths. Retrieval, MCP, Chat SearchController.UnifiedSearchResult has no diagnostics; page results do not carry stale/source/tag warnings. 0.80
P1 Expand Agent write governance with evidence, citations, rationale, risk, prevalidation, approval checklist, and role tiers. Agent Governance AI memory suite Phase 4 remains gated; current chat write model is still basic proposal/approval. 0.79
P1 Add measurement gates before schema promotion or ranking changes. Search, Schema Phase 5 is explicitly future work; ranking is intentionally unchanged. 0.78
P2 Deduplicate MCP/chat context-pack JSON and Markdown formatting into one shared formatter with tests for all call paths. Maintainability Prior tracker notes and current duplicated formatters show drift risk. 0.81
P2 Update README validation/test-count docs and mark historical docs more clearly. Documentation README says 184 tests while current suite has 220 discovered tests. 0.92
P2 Add UI-level validation for /memories diagnostics chips/panel and /proposals workflows. Testing No browser validation was run in this audit; UI is feature-critical. 0.74
P3 Add central style/build config and consider markdownlint/format checks in CI. Tooling No .editorconfig or Directory.Build.*; markdown diagnostics exist outside CI. 0.70

Suggested Improvements

ID Priority Severity Effort Benefit Recommendation Rationale Confidence
REC-01 Done Critical Small High Restore malformed percent-encoding validation in /page-assets and require 400 BadRequest for invalid encodings. Implemented in Program.cs; PageAssetsApi_RejectsMalformedPercentEncoding passed. 0.98
REC-02 Done Critical Medium High Remove route-local substring authorization and delegate to the existing service-backed page-asset access index. Implemented in Program.cs; AppApiContractTests + PagesAndChatTests passed 56/56. 0.94
REC-03 P1 High Small High Add any remaining route-level regressions for mixed public/admin asset references, plain-text references, code-block references, query/hash suffixes, and encoded traversal attempts. Service-level tests cover mixed-role and plain-text/code-block parsing; route-level coverage could still be expanded for defense in depth. 0.84
REC-04 P1 High Medium High Introduce a shared ContextPackFormatter used by McpController, ChatToolCatalog, and any chat-agent fallback path. Contract drift already occurred once and will recur as diagnostics/schema metadata expand. 0.82
REC-05 P1 Medium Medium High Surface tag policy read/parse failures through StorageDiagnostics or OperationalDiagnosticsService. Silent fallback hides governance failures. Availability can remain, but operators need a warning. 0.76
REC-06 P1 Medium Medium High Build the Phase 2 tag manager and editor affordances before making policy modes stricter. Warning-first diagnostics are useful only if users can understand and fix warnings without memorizing conventions. 0.82
REC-07 P1 Medium Medium Medium Add diagnostics fields to unified search memory results and define a page diagnostics model for page/search/chat retrieval. Current agent retrieval can see memory diagnostics in context packs, but combined search and page retrieval remain less provenance-aware. 0.80
REC-08 P2 Medium Medium Medium Cache per-record diagnostics and source line counts with invalidation on memory/source-policy changes. This protects larger local wikis without changing the current warning-first behavior. 0.68
REC-09 P2 Medium Small Medium Update README test counts and add a short validation matrix for build, focused tests, full tests, docs build, and optional coverage. The current stale count is small but undercuts readiness claims. 0.92
REC-10 P3 Low Medium Medium Add .editorconfig, Directory.Build.props, and optional markdownlint/format CI checks after agreeing on style. Centralized policy lowers drift across projects and docs. 0.72

Assumptions

ID Assumption Confidence
AS-01 The repository root is the correct location for Audit_20260521_191625.md. 0.78
AS-02 The active implementation plan for this audit is Data/Pages/ai-memory-suite-implementation-plan.md, with MemorySmith.Core/Docs/Plans/MemorySmith_FinalRefactorDesign_20260507.md as the broader architecture source of truth. 0.90
AS-03 The uncommitted Program.cs page-asset change is current workspace state and should be audited rather than silently reverted. 0.95
AS-04 Local single-operator deployment remains the primary threat model; public multi-tenant SaaS hardening is out of scope unless a later plan changes that. 0.84
AS-05 Tests copy Data/Memories fixtures to temp storage and should not mutate the live project wiki. 0.88

Unknowns

ID Unknown Impact Confidence
UNK-01 Whether the uncommitted Program.cs asset change was intentional feature work, partial review feedback, or leftover local residue. Determines whether to fix forward or revert to the service-index path. 0.63
UNK-02 Current coverage percentage and uncovered risk hotspots. CI can produce Cobertura, but this audit did not generate a fresh coverage report. 0.65
UNK-03 Live behavior of Ollama, GitHub Copilot provider, and maintenance-agent LLM review on this machine. Provider integration and prompt quality remain partly unverified by unit tests. 0.70
UNK-04 Visual and accessibility quality of the latest /memories diagnostics panel and /proposals dashboard. User-facing governance may be implemented but not ergonomic. 0.72
UNK-05 Whether historical docs should be archived, hidden from generated docs, or left searchable with stronger disclaimers. Affects agent retrieval quality and human onboarding. 0.68

Open Questions

ID Question Suggested Owner Confidence
OQ-01 Should page asset authorization live entirely in FilePageService, or should a separate PageAssetAuthorizationService own route-safe path validation and access policy? App architecture owner 0.86
OQ-02 Should malformed tag/source diagnostics remain warnings forever, or should Admin-configurable blocking modes be introduced after Phase 2 UI exists? Governance owner 0.80
OQ-03 What threshold will justify schema promotion for kind, priority, review dates, expiration, or typed relations? Data model owner 0.76
OQ-04 Should all Core memory Agent write approvals require Admin until proposal quality is measured? Security/governance owner 0.79
OQ-05 Should README and docs report dynamic test counts or avoid exact counts to reduce churn? Documentation owner 0.74

Confidence Values

Claim Confidence Justification
The release-blocking page-asset test failure was fixed. 0.97 Focused failing test passed 1/1 and the full suite passed 220/220 after repair.
The solution currently builds. 0.96 Direct dotnet build MemorySmith.slnx -v minimal passed.
The page-asset route regression was tied to the earlier uncommitted Program.cs diff. 0.93 The repair restored percent validation and service-backed asset access in Program.cs; the affected test now passes.
The first governance foundation slice is mostly implemented. 0.84 Code, docs, policy file, UI hooks, and tests exist for tag/source/relation/staleness diagnostics and warning-first deprecation.
The full AI memory suite plan is around one-third complete. 0.78 Phase 1 foundations exist; Phases 2-5 remain mostly planned and explicitly gated.
Duplicated context-pack formatting is a maintainability risk. 0.81 Current code has multiple formatters; prior tracker notes document a JSON contract drift failure.
README test count is stale. 0.92 README says 184 tests; current full run discovered 220 tests.
Performance risks are future-facing, not current blockers. 0.68 Exact scan and diagnostic recomputation are acceptable for the current local fixture scale, but code paths scale linearly with wiki/source size.

4. Issues / Blockers

ID Blocker Evidence Next Action Confidence
BLK-01 No current test blocker after repair. Full suite passed 220/220 after the page-asset route fix. Keep the repair commit in the PR and monitor CI. 0.96
BLK-02 The generated audit report is currently a local untracked artifact. Audit_20260521_191625.md was generated for this audit but was not added to the PR commit. Commit it separately only if the audit report should be part of repository history. 0.92
BLK-03 Live UI and provider behavior were not exercised. No browser pages were shared; no Ollama/GitHub provider run was performed. Run browser validation for /memories and /proposals, plus provider smoke tests if review scope includes chat/agent behavior. 0.72
BLK-04 Coverage and docs-site output were not regenerated. CI workflow supports coverage/docs, but this audit did not run those heavier commands. Run coverage/docs build before release readiness sign-off. 0.67

5. Continuation Signal

%CONTINUE%