docs(plans): add GOAP Wave 2-7 plan with 54 tasks, update audit with 12 new findings

[d-oit]

Summary

• New: plans/16-GOAP-WAVE2-6.md — 7-wave GOAP plan with 54 tasks covering CI config, constants extraction, quality/safety fixes, Rust file splits (semantic_cache.rs 1056, config.rs 712, query.rs 527), test coverage, and cross-platform parity
• Updated: plans/AUDIT.md — M7 resolved (Playwright runs 3 projects), P3 resolved (Rust --profile wired), Q4/Q5 added, 12 new findings (N1-N12)
• Updated: plans/README.md — Wave 7 added, plan 16 active / 15 superseded
• Condensed: 8 prior roadmap plans (01-08) into ~30-line summaries

Key Findings From Audit

ID	Issue	Severity
N1	semantic_cache.rs 1056 lines (2x limit)	P0
N2	config.rs 712 lines (over limit)	P0
N3	build_budget() duplicated in query.rs + url.rs	P1
N5	CircuitBreakerRegistry.is_open() TOCTOU	P1
N12	Raw requests.post() in synthesis — no SSRF, no retry	P1
N4	Dead Profile methods never called	P2
N6	_maybe_evict() not lock-protected	P2

Waves Defined

Wave	Focus	Est. PRs
2	CI/config fixes	~1
3	constants.py + state.py extraction	~1
4	Quality/safety fixes (TOCTOU, silent exceptions, synthesis)	~2-3
5	Rust file splits (semantic_cache, config, query)	~2
6	Test coverage (web lib, Rust resolver, skills evals)	~2
7	Web middleware + cross-platform parity	~2

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
do-web-doc-resolover	Ready	Preview, Comment	May 13, 2026 8:43am

[deepsource-io]

DeepSource Code Review

We reviewed changes in b4dd390...378fbe9 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

Important

Some issues found as part of this review are outside of the diff in this pull request and aren't shown in the inline review comments due to GitHub's API limitations. You can see those issues on the DeepSource dashboard.

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
JavaScript		May 13, 2026 8:42a.m.	Review ↗
Python		May 13, 2026 8:42a.m.	Review ↗
Rust		May 13, 2026 8:42a.m.	Review ↗
Shell		May 13, 2026 8:42a.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[deepsource-io]

Access to a protected member _query_resolve of a client class

Accessing a protected member (a member prefixed with _) of a class from outside that class is not recommended, since the creator of that class did not intend this member to be exposed. If accesing this attribute outside of the class is absolutely needed, refactor it such that it becomes part of the public interface of the class.

[deepsource-io]

Access to a protected member _circuit_breakers of a client class

Accessing a protected member (a member prefixed with _) of a class from outside that class is not recommended, since the creator of that class did not intend this member to be exposed. If accesing this attribute outside of the class is absolutely needed, refactor it such that it becomes part of the public interface of the class.

[deepsource-io]

Access to a protected member _url_resolve of a client class

Accessing a protected member (a member prefixed with _) of a class from outside that class is not recommended, since the creator of that class did not intend this member to be exposed. If accesing this attribute outside of the class is absolutely needed, refactor it such that it becomes part of the public interface of the class.

[deepsource-io]

Method doesn't use the class instance and could be converted into a static method

The method doesn't use its bound instance. Decorate this method with @staticmethod decorator, so that Python does not have to instantiate a bound method for every instance of this class thereby saving memory and computation. Read more about staticmethods here.

[deepsource-io]

Using the global statement

It is recommended not to use global statement unless it is really necessary. Global variables are dangerous because they can be simultaneously accessed from multiple sections of a program. This frequently results in bugs. This also make code difficult to read, because they force you to search through multiple functions or even modules just to understand all the different locations where the global variable is used and modified. Read more about why it should be avoided here.

[deepsource-io]

Access to a protected member _circuit_breakers of a client class

Accessing a protected member (a member prefixed with _) of a class from outside that class is not recommended, since the creator of that class did not intend this member to be exposed. If accesing this attribute outside of the class is absolutely needed, refactor it such that it becomes part of the public interface of the class.

[deepsource-io]

Access to a protected member _routing_memory of a client class

Accessing a protected member (a member prefixed with _) of a class from outside that class is not recommended, since the creator of that class did not intend this member to be exposed. If accesing this attribute outside of the class is absolutely needed, refactor it such that it becomes part of the public interface of the class.

[deepsource-io]

Attribute '_conn' defined outside __init__

Defining an instance attribute outside __init__ affects the readability of code. It is expected to find all the attributes an instance may have by reading its __init__ method. If there is a need to initialize attribute via sub-initialization methods, it is recommended to assign attributes to None in the init then call the sub-initialization methods.

[deepsource-io]

Using the global statement

It is recommended not to use global statement unless it is really necessary. Global variables are dangerous because they can be simultaneously accessed from multiple sections of a program. This frequently results in bugs. This also make code difficult to read, because they force you to search through multiple functions or even modules just to understand all the different locations where the global variable is used and modified. Read more about why it should be avoided here.

[deepsource-io]

Using the global statement

It is recommended not to use global statement unless it is really necessary. Global variables are dangerous because they can be simultaneously accessed from multiple sections of a program. This frequently results in bugs. This also make code difficult to read, because they force you to search through multiple functions or even modules just to understand all the different locations where the global variable is used and modified. Read more about why it should be avoided here.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 4 complexity · 7 duplication

Metric	Results
Complexity	4
Duplication	7

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[codacy-production]

Pull Request Overview

This PR establishes the GOAP Wave 2-7 implementation roadmap and addresses Wave 1 safety/correctness fixes. While the documentation updates are comprehensive, the implementation of thread-safety in scripts/circuit_breaker.py and scripts/utils.py contains critical gaps where locks are released prematurely, potentially leading to race conditions under high concurrency.

Codacy results indicate the project is 'Up to Standards', but substantial code duplication exists between core scripts and agent-specific directories that must be managed to prevent logic drift. Furthermore, while the plan claims to wire missing providers (LLMS_TXT, SERPER, etc.), the orchestration logic for these appears incomplete or untested in the current diff. High-risk files like circuit_breaker.py have identified logic issues combined with missing coverage, making them primary candidates for regression testing before merging.

About this PR

• The documentation mentions wiring LLMS_TXT, SERPER, DOCLING, and OCR providers into resolve_direct, but this orchestration logic appears unaddressed in the current code changes. Ensure these are integrated and tested.
• Finding N12 (raw requests.post) is flagged as a P1 security risk but deferred to Wave 4. Given that Wave 1 is intended as a safety and correctness push, consider moving the migration to the shared session and is_safe_url validation into this PR or the immediate next phase.

Test suggestions

• Verify is_url rejects ftp and ftps schemes.
• Verify safeFetch performs initial URL validation before the first fetch attempt to prevent SSRF.
• Verify CircuitBreakerState.is_open captures temporal state once to prevent TOCTOU races.
• Verify resolve_direct correctly handles LLMS_TXT, SERPER, DOCLING, and OCR providers.
• Verify RoutingMemory ranking remains stable and thread-safe under concurrent access via RLock.
• Increase unit test coverage for scripts/semantic_cache.py and scripts/routing_memory.py to address high-complexity uncovered paths.

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify resolve_direct correctly handles LLMS_TXT, SERPER, DOCLING, and OCR providers.
2. Increase unit test coverage for `scripts/semantic_cache.py` and `scripts/routing_memory.py` to address high-complexity uncovered paths.

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}

[codacy-production]

_{🟡 MEDIUM RISK}

There is significant code duplication between the core scripts and the .agents/skills directory. This logic drift risk should be addressed by moving shared logic into a common internal package or using symbolic links.

See Clone in Codacy

[codacy-production]

_{🟡 MEDIUM RISK}

Extend the lock scope to cover the entire function to maintain operation atomicity and ensure the cache proxy remains valid during the set operation.

[codacy-production]

_{🟡 MEDIUM RISK}

The _cache_lock (RLock) should be held for the full duration of the read-and-retrieve sequence. Releasing it before accessing the cache instance allows for other threads to modify or clear the cache proxy in the gap.

[codacy-production]

_{🟡 MEDIUM RISK}

The breaker status check should be wrapped within the registry lock to ensure atomicity between retrieval and state inspection. This fulfills the requirement identified in finding N5.

Suggested change

	def is_open(self, provider: str) -> bool:
	return self.get_breaker(provider).is_open()
	def is_open(self, provider: str) -> bool:
	with self._lock:
	return self.get_breaker(provider).is_open()

[codacy-production]

_{⚪ LOW RISK}

Suggestion: Scheme validation correctly restricted to http and https to satisfy SSRF hardening requirement S2.

[codacy-production]

_{⚪ LOW RISK}

Nitpick: Use lazy log formatting (e.g., logger.warning('msg %s', arg)) to remain consistent with other providers and avoid unnecessary string interpolation costs when the log level is not active.