zerogravity/KNOWN_ISSUES.md

# Known Issues & Future Work

All fixable issues from the original report have been resolved. The remaining
items require either architectural changes, new features, or deep investigation
of the Go language server binary.

---

## 🔴 Blockers (Require Deep Investigation)

### 1. LS Go LLM Client Ignores System TLS Trust Store

**File:** `docs/mitm-interception-status.md`

The LS binary's Go HTTP client for LLM API calls uses a custom `tls.Config` that
does **not** trust system CAs or honor `SSL_CERT_FILE`. Our MITM proxy can route
traffic but not decrypt it.

**Investigation status:** All practical approaches have been tried and failed:

- iptables REDIRECT → redirect loop + broke all HTTPS traffic
- DNS redirect → same TLS trust failure
- LD_PRELOAD → Go doesn't use libc for syscalls
- SSLKEYLOGFILE → Go doesn't support it

**Remaining options (untried):**

- Binary patching Go TLS verification (fragile, breaks on updates)
- Full standalone LS control (see issue #2)
- eBPF/ptrace syscall interception (complex)
- Network namespace isolation (complex setup)

**Confidence: <30%** — all easy paths exhausted. Requires reverse engineering the Go binary's TLS setup.

**See:** `docs/mitm-interception-status.md` for full analysis

---

### 2. Standalone LS Cascades Silently Fail

**File:** `docs/standalone-ls-todo.md`

Standalone LS (outside Antigravity) accepts `StartCascade` RPCs without error
but cascade never progresses. No output.

**Suspected blockers:**

- Missing auth context (OAuth token propagation)
- Different Unleash feature flags between main and standalone instances
- Missing initialization steps (`LoadCodeAssist`, `OnboardUser`)
- Missing extension server callbacks (`WriteCascadeEdit`, `ExecuteCommand`)

**Confidence: <30%** — too many unknowns. Needs systematic debugging with the standalone LS.

**See:** `docs/standalone-ls-todo.md` for investigation plan

---

## Medium (Architecture / Future Work)

### 3. Cascade Correlation Is Heuristic

**File:** `src/mitm/intercept.rs` — `extract_cascade_hint()`

The MITM proxy matches intercepted API traffic to cascade IDs heuristically:

- HTTP/1.1 path: scans JSON body for `metadata.user_id` or `workspace_id`
- gRPC/H2 path: recursively searches proto fields for UUID strings

If neither method finds a match, usage is stored under `_latest` but never
consumed (since `take_usage()` requires exact cascade ID match).

**Confidence: <50%** — can't test without working MITM interception (blocked by issue #1). The heuristic is reasonable but unverified against real traffic.

---

### 4. Request Modification Not Implemented

**File:** `src/mitm/proxy.rs` — `modify_requests: bool`

The `MitmConfig.modify_requests` flag is plumbed through the entire call chain
but hardcoded to `false`. No modification logic exists. This is intentional
scaffolding for future use.

**Status:** Not a bug — reserved for potential request mutation features.

---

### 5. Polling-Based Cascade Updates vs Streaming RPC

**File:** `src/api/polling.rs`

We poll `GetCascadeTrajectorySteps` on a timer. The LS has a
`StreamCascadeReactiveUpdates` streaming gRPC method that pushes updates
in real-time. Polling works but adds latency.

**Status:** Functional but suboptimal. Switching to streaming requires
implementing a gRPC streaming client with reconnection handling. Not blocking.

---

## 🟢 Low

### 6. No Integration Tests for MITM Module

Unit tests cover protobuf decoding and intercept parsing (17 tests pass), but
no integration tests for:

- TLS interception end-to-end with the generated CA
- Full HTTP/1.1 request/response cycle through the proxy
- gRPC (HTTP/2) request/response cycle through `h2_handler`
- Store recording and retrieval under concurrency

**Status:** The MITM can't intercept real traffic anyway (blocked by issue #1),
so integration tests would be somewhat hypothetical. Worth adding when the TLS
blocker is resolved.