-
Notifications
You must be signed in to change notification settings - Fork 0
2026 07 01 deep review
This is the first entry in docs/analysis/ — session-level analysis output
that is too narrative for decisions.md (which records individual judgment
calls) but worth keeping: what was reviewed, how, what was found, and what
changed as a result.
A full product-manager + technical-SME review of the codebase and every open issue: file researched issues for findings, fix what could be fixed safely in one session, and interview the maintainer where the answer had to come from him rather than the code.
Four questions were put to the maintainer up front; the answers reshaped the whole session's priorities:
| Question | Decision |
|---|---|
| Hardware for validation? | GL-RM1PE on hand / arriving soon — hardware validation is the critical path; emulators are a bridge, not a substitute. |
| Primary audience? | AI-agent builders (MCP/Claude) — the MCP server + skill + safety story is the flagship surface; the CLI is secondary. |
| Release posture? |
Cut an installable 0.1.0a2 soon — keep alpha warnings loud, but let pip install --pre work so community validation can start. |
| Filing & fixing? |
One issue per finding; small verified fixes committed straight to main and cross-referenced. |
Two follow-up decisions were made after the findings landed: #38
accepted (keep unverified TLS as the default, but warn once and add
ssl_ca_file pinning — shipped the same day) and #56 deferred
(branch protection changes the direct-push workflow; revisit later).
The review was a structured multi-agent pass rather than one long read:
- Nine parallel domain reviewers, each with its own lens and file set: PiKVM core, Redfish (spec fidelity against DSP0266/DSP0268), vision, CLI + config + packaging, MCP server + skill, security, tests + CI/CD, docs accuracy (every claim treated as a hypothesis to verify against the code), and product/backlog health.
-
Adversarial verification: every finding went to an independent skeptic
agent instructed to refute it — re-reading the code, re-running the
reasoning, checking the specs, often reproducing the failure empirically
(e.g. a stall server proving read-timeouts escaped as raw
builtins.TimeoutError; a coverage run confirming the exact untested lines). Findings the skeptic could refute were dropped. - A completeness critic then swept for blind spots — subsystems no finding touched, cross-cutting concerns no single domain owned.
In total: 102 agents, ~1,360 tool calls. Of 92 candidate findings, 86 survived verification (16 high, 40 medium, 30 low) and 6 were refuted — the refuted ones are exactly why the verification pass exists.
The codebase reviewed well for an alpha: spec-literate Redfish driver, honest docs, real security intent (redaction, same-origin guards, Trusted Publishing). The serious findings clustered where mock-only testing cannot see:
-
The safety layer had decorative stretches. HID keystrokes bypassed it
entirely (
type "rm -rf /"sailed past--dry-run),mount --dry-runreally uploaded the ISO before any gate fired, and dry-run prompted for confirmation it would never use — blocking unattended automation. - Transport failure modes were untested and wrong. Read-phase timeouts and resets escaped both HTTP transports as raw builtins (unmapped, tracebacking through the CLI), and the retry layer could re-fire a destructive POST whose response was lost — the double-power-cycle case.
-
Real-BMC lifecycle gaps in the Redfish driver: sessions leaked (no
close()caller), no 401 re-login, andPushPowerButtonchosen as a power-off fallback can power an already-off host on (intent inversion, verified against iDRAC8AllowableValues). -
The vision gates could lie. An ATX-less device (no add-on board) made
is_powered_on()read a meaningless LED as "off", short-circuiting every classification topower_offwithout ever taking a snapshot; the unchanged-frame cache could pin a wait loop to a staleunknownforever. -
The MCP server didn't match its own safety story. The destructive
powertool's only gate was a boolean the calling model sets itself — with a refusal message that coached the model to set it. Snapshots came back as base64 text the model can't see; three of five tools crashed on the redfish/fake drivers the config explicitly routes to it. -
Product/backlog: the yanked
0.1.0a1on PyPI documents features it doesn't contain; the repo had no description/topics; the structured-sensing surface (BootProgress/Sensors/Logs) was implemented but reachable from no entry point; three issues depended on an IPMI driver no issue tracked.
Ten commits landed on main (a73f10b…5de030d), all with tests, suite
green: the safety-ordering and HID/MSD gating fixes, delivery-aware retry +
error-taxonomy mapping in both transports, the vision robustness batch, config
typo-warnings (admin/admin lockout risk), kvm-pilot eject, the Redfish
transitional-PowerState fix, a full MCP-server hardening pass (capability-aware
per-call drivers, image snapshots, tool annotations, operator-side
KVM_PILOT_MCP_ALLOW_POWER gate, dry-run mode, local-VLM support, a 9-test
stdio suite), TLS pinning via ssl_ca_file (#38), and a docs batch that
realigned every safety/config/packaging claim with the code. The complete
per-commit record is #66 (closed as the session's fix log).
Three deliberate breaking changes shipped while the API is alpha:
snapshot() lost its no-op quality parameter, HID/MSD writes became gated
destructive ops, and dry-run stopped invoking the confirm callback. Rationale
for each is in decisions.md.
Issues #37–#65 — one per verified finding (grouped only where the root cause was shared), each carrying the evidence with line numbers, spec citations, detailed follow-up instructions, and the verifier's independent notes. Three milestones now express the strategy:
- 0.1.0a2 — installable alpha: release-pipeline gates, supply-chain pinning, credential hygiene — what stands between today and an installable pre-release.
- First hardware contact (GL-RM1PE): emulator fidelity, safety-guard test coverage, the exact client surface the first real run will exercise.
- MCP flagship: act-capability parity (#61 — agents can see but can't yet drive; the unattended-install loop is not yet possible over MCP), prompt-injection threat model (#39), vision quality, and making the structured-sensing surface reachable (#60).
Backlog hygiene from the PM pass: labels and milestones across the pre-existing issues, re-scoping comments on the stale epics (#5, #6, #7, #13, #17), #2 closed as delivered/superseded, repo description + topics set, Discussions and private vulnerability reporting enabled.
The stated #1 risk is unchanged — nothing has run against real hardware —
but the failure modes most likely to bite on first contact (silent destructive
no-ops and double-fires, false power_off on ATX-less devices, raw-traceback
timeouts, stuck keys) now have fixes and regression tests, and the risk itself
has a milestone with a concrete work-list. The flagship gap for the chosen
audience is scoped in #61. The next substantive decisions on record:
branch protection (#56, deferred) and cutting 0.1.0a2 once its
milestone clears.
- Home
- Getting started
- Architecture
- CLI reference
- Configuration
- Design decisions
- Reflexes (RFC)
- Redfish reference
- Firmware registry
- Remote firmware update
- Claude skill
- MCP server
- Contributing
- Security policy
- Analysis: 2026-07-01 deep review
- Analysis: 2026-07-03 RM1PE firmware + encoder
- Hardware compatibility