You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
AMS already has at least one confirmed, shipped example of untenant-scoped global state: packages/gittensory-miner/lib/governor-kill-switch.js resolves a kill-switch purely from process env (isGlobalMinerKillSwitch/resolveMinerKillSwitch) with no per-tenant key. ORB is running an equivalent sweep for itself (#4885-#4893: agent-controls table, contributor blacklist union, admin allowlist, etc.), but AMS has no tracked equivalent, so other instances of the same class of bug are likely still undiscovered.
Area
AMS / Multi-tenancy audit
Proposal
Systematically grep and document every module in packages/gittensory-miner and packages/gittensory-engine/src/miner that holds process-wide or file-scoped singleton state (kill switches, allowlists, blacklists, rate-limit counters, in-memory caches), and produce a findings doc listing each with its current scope and the risk if that same code ran as a shared hosted service across multiple tenants.
Deliverables
A findings document enumerating every global-singleton module found, with file:line references
A risk rating per item (leaks across tenants / safe as-is / needs redesign), to seed follow-up fix issues
Audit and documentation only — this issue must NOT fix any finding itself, even an obvious one; every confirmed leak gets its own follow-up issue.
Any follow-up fix issue that touches trust/safety-relevant global state (e.g. the kill-switch itself, blacklist/allowlist logic) must NOT be self-triaged as contributor-eligible by this audit — it needs maintainer review before it's labeled, the same way ORB's Redesign the global agent-controls table for per-tenant scoping #4885 redesign was maintainer-owned rather than opened as a generic contributor task.
This issue must NOT make an architecture decision about how the eventual tenant-scoping fix should work — it only documents what exists and how risky it is.
Problem
AMS already has at least one confirmed, shipped example of untenant-scoped global state:
packages/gittensory-miner/lib/governor-kill-switch.jsresolves a kill-switch purely from process env (isGlobalMinerKillSwitch/resolveMinerKillSwitch) with no per-tenant key. ORB is running an equivalent sweep for itself (#4885-#4893: agent-controls table, contributor blacklist union, admin allowlist, etc.), but AMS has no tracked equivalent, so other instances of the same class of bug are likely still undiscovered.Area
AMS / Multi-tenancy audit
Proposal
Systematically grep and document every module in
packages/gittensory-minerandpackages/gittensory-engine/src/minerthat holds process-wide or file-scoped singleton state (kill switches, allowlists, blacklists, rate-limit counters, in-memory caches), and produce a findings doc listing each with its current scope and the risk if that same code ran as a shared hosted service across multiple tenants.Deliverables
Resources
packages/gittensory-miner/lib/governor-kill-switch.js(confirmed existing example)Boundaries