# Known Issues & Future Work

---

## Medium

### 1. Cascade Correlation Is Heuristic

**File:** `src/mitm/intercept.rs` — `extract_cascade_hint()`

The MITM proxy matches intercepted API traffic to cascade IDs by scanning for `metadata.user_id` or `workspace_id` in the request body. If neither is found, it stores under `_latest`. Since `take_usage()` no longer falls back to `_latest`, unidentified requests will have **no MITM usage data at all**.

**Fix:** Investigate the actual request body format the LS sends for better correlation keys. Alternatively, use timing-based correlation (match MITM capture timestamp to cascade polling window).

---

### ~~2. Domain Certificate Cache Is Unbounded~~ ✅ FIXED

**File:** `src/mitm/ca.rs` — `domain_cache`

~~The `domain_cache` (`HashMap>`) grows without bound.~~

**Fixed:** Added a 64-entry cap with clear-on-overflow. In practice only ~5-10 domains are ever intercepted, so this is a safety valve. Full LRU would be overkill.

---

### 3. Request Modification Not Implemented

**File:** `src/mitm/proxy.rs` — `modify_requests: false`

The `MitmConfig.modify_requests` flag exists and is plumbed through, but no actual modification logic is implemented. The flag is hardcoded to `false`.

**Fix:** When needed, implement request body mutation in `handle_http_over_tls()` — parse JSON, modify, reserialize, update `Content-Length`.

---

### ~~4. `total_cost_usd` Is Dead~~ ✅ FIXED

**File:** `src/mitm/store.rs`

~~`ApiUsage.total_cost_usd` is `Option` but is **always `None`**.~~

**Fixed:** Removed the field entirely from `ApiUsage` and all 3 construction sites (`proto.rs`, `intercept.rs` ×2).

---

## 🟢 Low

### ~~5. Wrapper Script Fallback Paths May Be Stale~~ ✅ FIXED

**File:** `scripts/mitm-wrapper.sh` — `LS_FALLBACK_DIRS`

~~Stale `.cursor`, `.vscode`, `.antigravity` glob patterns.~~

**Fixed:** Replaced with actual Antigravity install paths (`/usr/share/antigravity/`, `/opt/Antigravity/`, `~/.local/share/antigravity/`).
Primary /proc-based discovery is unaffected.

---

### 6. No Integration Tests for MITM Module

The MITM module has unit tests for protobuf decoding and intercept parsing, but no integration tests that verify:

- TLS interception end-to-end with the generated CA
- Full HTTP/1.1 request/response cycle through the proxy
- gRPC (HTTP/2) request/response cycle through `h2_handler`
- Store recording and retrieval under concurrency
- Wrapper script install/uninstall lifecycle

---

## 🔍 Investigation

### ~~7. LS Exposes Credit/Quota Data via `GetUserStatus`~~ ✅ IMPLEMENTED

**File:** `src/quota.rs`

~~Investigation item.~~

**Implemented:** The `QuotaStore` polls `GetUserStatus` every 60s and exposes credit/quota data via `GET /v1/quota`. Shows plan info, prompt/flow credit balances, per-model remaining fraction, and reset timers.

---

## 🔴 Blockers

### 8. LS Go LLM Client Ignores System TLS Trust Store

**File:** `docs/mitm-interception-status.md`

The LS binary is a Go program whose HTTP client for LLM API calls uses a custom `tls.Config` that does **not** trust system CAs or honor `SSL_CERT_FILE`. This means our MITM proxy's generated CA cert is rejected even when properly installed system-wide.

The extension patch (`detectAndUseProxy=1`) only makes the LS honor `HTTPS_PROXY` for routing — it doesn't fix CA trust. Without this, the MITM proxy can route but not decrypt LLM traffic.

**Potential fixes:**

- Binary patching the Go TLS verification (hard, breaks on updates)
- Full standalone LS control (in progress, see issue #9)
- Network namespace + iptables redirect (eliminates HTTPS_PROXY need but doesn't fix TLS trust)
- eBPF/ptrace to inject certs at runtime (complex)

**See:** `docs/mitm-interception-status.md` for full analysis

---

### 9. Standalone LS Cascades Silently Fail

**File:** `docs/standalone-ls-todo.md`

When running a standalone LS instance (outside of Antigravity), cascades start but produce no output.
The LS accepts `StartCascade` RPCs without error, but the cascade never progresses.

**Suspected blockers:**

- Missing auth context (OAuth token not properly propagated)
- Unleash feature flags differ between main and standalone instances (`GetUnleashData` returns different flags)
- `LoadCodeAssist` / `OnboardUser` initialization steps may be required
- Extension server callbacks (`WriteCascadeEdit`, `ExecuteCommand`, etc.) have no handler

**See:** `docs/standalone-ls-todo.md` for investigation plan

---

## Medium

### ~~10. Extension Patch Fragility~~ ✅ FIXED

**File:** `GEMINI.md`, `docs/mitm-interception-status.md`

~~The `sed` patch that sets `detectAndUseProxy=1` in `extension.js` must be **re-applied after every Antigravity update**. The search pattern (`detectAndUseProxy=pe.UNSPECIFIED`) is brittle — if the minified variable name changes from `pe` to something else, the patch silently fails.~~

**Fixed:** Updated sed to use extended regex `s/detectAndUseProxy=[^,;)]+/detectAndUseProxy=1/g` which matches any value assignment regardless of minified variable names. Still requires re-applying after updates, but the pattern is now resilient to bundler name changes.

---

### 11. Polling-Based Cascade Updates vs Streaming RPC

**File:** `src/api/polling.rs`

We poll `GetCascadeTrajectorySteps` on a timer to check for new cascade output. The LS has a `StreamCascadeReactiveUpdates` streaming gRPC method that pushes updates in real-time. Our polling approach works but adds latency and unnecessary requests.

**Impact:** Functional but suboptimal. The streaming approach would give lower latency and less LS load, but requires maintaining a long-lived gRPC stream and handling reconnection.

**See:** `docs/ls-binary-analysis.md` → gRPC Services → LanguageServerService

---

### 12. No BYOK Model Routing

**File:** `src/api/models.rs`

The LS supports BYOK (Bring Your Own Key) variants for Claude and OpenAI models (e.g., `MODEL_CLAUDE_4_SONNET_BYOK`, `MODEL_OPENAI_COMPATIBLE`).
Our proxy only exposes the 5 built-in placeholder models. Users with BYOK keys can't use them through the proxy.

**Fix:** Add a mechanism to register BYOK models at runtime (e.g., via a config file or API endpoint). The BYOK model IDs and their proto enum numbers are documented in `docs/ls-binary-analysis.md`.

---

### ~~13. `total_cost_usd` Could Use Pricing Table~~ ✅ RESOLVED

Moot — `total_cost_usd` field was removed in issue #4 fix.
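
The cap described in issue #2, sketched as an added example (not the project's code from `src/mitm/ca.rs`). `DomainCache`, `LeafCert`, `get_or_issue` and the hostname normalisation are assumptions; only the 64-entry limit and the clear-on-overflow behaviour come from the text above.

```rust
use std::collections::HashMap;
use std::sync::Arc;

/// Cap stated in issue #2 for `domain_cache`.
const MAX_DOMAINS: usize = 64;

/// Hypothetical stand-in for a generated leaf certificate.
struct LeafCert {
    domain: String,
    serial: u64, // issuance counter, makes regeneration after a clear visible
}

/// Per-domain cache that empties itself when a new key would exceed the cap.
struct DomainCache {
    entries: HashMap<String, Arc<LeafCert>>,
    issued: u64,
}

impl DomainCache {
    fn new() -> Self {
        Self { entries: HashMap::new(), issued: 0 }
    }

    /// Return the cached cert for `domain`, issuing a new one on a miss.
    fn get_or_issue(&mut self, domain: &str) -> Arc<LeafCert> {
        // Assumed normalisation: case and trailing-dot variants of one host
        // share an entry instead of each consuming a slot.
        let key = domain.trim_end_matches('.').to_ascii_lowercase();
        if let Some(cert) = self.entries.get(&key) {
            return Arc::clone(cert);
        }
        // Miss on a full cache: drop everything rather than track recency.
        if self.entries.len() >= MAX_DOMAINS {
            self.entries.clear();
        }
        self.issued += 1;
        let cert = Arc::new(LeafCert { domain: key.clone(), serial: self.issued });
        self.entries.insert(key, Arc::clone(&cert));
        cert
    }
}

fn main() {
    // Constructed input: 100 distinct hostnames, more than the cap allows.
    let mut cache = DomainCache::new();
    for i in 0..100 {
        cache.get_or_issue(&format!("host{}.example", i));
    }
    let last = cache.get_or_issue("host99.example");
    println!("{} entries={} issued={}", last.domain, cache.entries.len(), cache.issued);
}
```

A hit on a full cache leaves it untouched; only a miss at 64 entries triggers the clear, after which every previously cached domain is re-issued on its next request.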