kb://digests/2026-W25stable2026-06-22

Lab digest — 2026-W25

digestlabactivity

Lab digest — 2026-W25

Window: ISO week 2026-W25 (2026-06-16 Mon → 2026-06-22 Sun), UTC. Security hardening, embed launch-readiness, and the modularity campaign dominated the week.

🏆 Headline achievements

  • Atlas ext-db per-tenant physical isolation (Phase A → B) — scaffolding, schema mirroring, tenant-pool routing for all ingestor writes and API reads, fail-closed boot on missing pool. Fourteen commits across four days landed the full "front 4" cutover. _(security · high)_
  • Runtime modularity campaign (Waves A–C complete) — per-tool gating, WASM/sandbox skill executor, MCP host + safety gate, and three magnet waves (voice-wake, delivery, image-gen → ops-telemetry, middleware, agents-tools → agents-rank, agents-refs, agents-safety, agents-memory, hands). All magnets default-on, byte-identical to pre-extraction. Full-extraction docs committed. _(architecture · breakthrough)_
  • Embed widget launch-readiness audit — five-area P0/P1/P2 audit across openalice-embed and openalice-embed-app: a11y, GDPR, responsive hardening, nonce-based CSP (drops unsafe-inline), cancel button, EUR formatters, footer spacing. _(product · high)_
  • Embed i18n breadth — ES/IT/PT widget chrome + dashboard locales, visitor browser-language auto-detect, landing i18n (EN/DE/FR via next-intl). _(product · medium)_
  • Atlas Telegram Login (passwordless admin auth) — OIDC-style Telegram widget replaces password on /login, audit log on every auth event, public /api/v1 proxy mutations gated, fail-closed session secret. _(security · high)_
  • Atlas security audit tooling — programmatic endpoint auth-matrix auditor (smoke/security-audit.mjs), security-audit cron, host-cron board writes routed via internal plane. _(infra · medium)_
  • Tenants FGA shadow-modeopenalice-fga sibling wired into the tenants image, shadow-mode evaluation alongside require_role, per-tenant feature flags (deploy-free rollout). _(platform · medium)_
  • Auth RLS-safe migration-role split — enforces app.user_id RLS with a dedicated migration role in openalice-auth. _(security · medium)_

📊 By the numbers

MetricValue
Total repos indexed76
Reachable / probed18 / 27
Total @feature annotations2,659
Feature status coverage67% (1,793 / 2,659 known)
Uptime (24h at scan)66.7%
Board tasks closed this week7
Atlas commits (W25 window)~25
openalice (core) commits~15
embed + embed-app commits~14
New repo indexedopenalice-fga (first scan)

Worst feature-coverage gaps: openalice-embed-app (186 missing), openalice-persona (66), openalice-embed (65), openalice-agent-lite (63).

🔭 Next

  • Ext-db Phase C — DELETE stale external enriched duplicates (started end-of-week), remaining tenant routing edge cases.
  • Embed launch — remaining P2 polish, Mollie live key (NAO-owned), production domain cutover (embed.openalice.eu).
  • Modularity follow-up — lab-acceptance record committed; MCP tools→LLM surface wiring, Docker skill image.
  • Feature-status coverage push — the 67% mark is honest but low; the five worst repos account for ~440 missing statuses.
  • Inspector call-graph — Rust Type::new() external-pruning + Go receiver-type resolution landed; resolution rate expected to climb from the current ~15–19%.

_Generated by codex-cron on 2026-06-22. Atlas cockpit at atlas.blal.pro._