Council Review: Ultra Codebase Audit Prioritization

Decision

Prioritize stabilization, governance, and validation gates for the next three sprints before broad feature expansion or large UI/runtime feature work.

Evidence Reviewed

Findings

| Seat | Recommendation | Confidence | Blocking Concern |
| --- | --- | --- | --- |
| Source-Grounded Archivist | Treat current code and Core memories as primary; update stale source-link and observability/task evidence as part of backlog grooming. | 88% | Historical docs and some task comments still describe pre-OTel/pre-source-governance state. |
| Data Model Architect | Fix task-key uniqueness and canonical task validation before relying on /tasks as a sprint source of truth. | 91% | Duplicate TSK-0060 creates ambiguous key lookup and weakens audit traceability. |
| Retrieval Specialist | Keep lexical/semantic/hybrid/search/MCP work mostly stable; focus retrieval sprint energy on chat governance, source-read status drift, and response quality tasks already in the backlog. | 84% | Chat Agent write proposal routing still crosses maintenance proposal boundaries without caller-specific write roots. |
| Security Reviewer | Make remote hardening and dependency advisory tracking explicit before any remote-friendly release posture. | 87% | HSTS/secure cookie/forwarded header controls are absent and OTel advisories are current warnings. |
| Skeptical Reviewer | Do not label this audit exhaustive until e2e browser, dependency-vulnerability, and remote/proxy validation gates run. | 76% | This pass is evidence-heavy but still planning-mode, not full execution-mode validation. |
| Synthesizer | Commit a three-sprint stabilization plan: task integrity and chat governance first, CI/security gates second, decomposition and observability budgets third. | 82% | Scope discipline is the main delivery risk; many valuable tasks compete for the same single-host surfaces. |

Synthesis

What changes now:
- Add focused task records for task-key consistency, benchmark budgets, and OTel advisory remediation.
- Use the sprint plan to sequence existing high-value tasks rather than creating a parallel backlog.
- Refresh the stale source-link security memory to match current code.

What is deferred:
- Broad markdown runtime features, Pyodide, advanced exports, and UI feature expansion remain behind stabilization gates.
- Large service/component decomposition starts after governance and CI gates have a stable baseline.
- Full e2e/browser/deployment execution is a sprint validation activity, not completed in this discovery pass.

Dissent

Acceptance Criteria

Open Questions

Confidence