Full-codebase-audit 2026-05-30 outputs: - Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md - 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer). - Scanner docs from scratch (was zero): architecture, data model, API ref, payment flow, operations runbook + repo README. - Doc-sync updates across API reference, data models, flows, design system. - Secret Rotation Runbook (08 - Operations) for the exposed credentials. - Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js. Issues remain status:open intentionally — the code fixes are uncommitted-then-committed working-tree changes per repo and aren't "resolved" until merged/deployed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1.2 KiB
1.2 KiB
issue, title, severity, domain, labels, status, created, source
| issue | title | severity | domain | labels | status | created | source | |||
|---|---|---|---|---|---|---|---|---|---|---|
| 112 | Scanner: unbounded goroutine fan-out for webhook retries and reconciliation | medium | Scanner |
|
open | 2026-05-30 | Full Codebase Audit 2026-05-30 |
Scanner: unbounded goroutine fan-out for webhook retries and reconciliation
Severity: medium Domain: Scanner Labels: bug, scanner, goroutine-leak
Description
scanner/main.go:130 spawns goroutines for retry and reconciliation fan-out without any concurrency bound. Under high load or many failed deliveries, the number of live goroutines is unbounded, risking OOM.
Options
- Bound with a semaphore/worker pool (e.g.
errgroupwith limit). - Process retries in batches sequentially.
- Rate-limit outbound webhook calls globally.
Recommendation
Introduce a bounded worker pool (errgroup.SetLimit or semaphore) for all retry fan-out paths. Coordinate with ISSUE-111.
Affected Files
scanner/main.go:130scanner/webhook.go— retry fan-out