# Pitfall Log

Project: floci-io/floci

Summary: Found 33 structured pitfall item(s), including 8 high/blocking item(s). Top priority: Installation risk - Installation risk requires verification.

## 1. Installation risk - Installation risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1675

## 2. Installation risk - Installation risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1632

## 3. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security_permissions risk before relying on the project: [BUG] ACL grant is not honoured
- User impact: Developers may expose sensitive permissions or credentials: [BUG] ACL grant is not honoured
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1767

## 4. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security_permissions risk before relying on the project: [BUG] ECS services with load balancers fail to register ELBv2 targets when multiple tasks use container port 80
- User impact: Developers may expose sensitive permissions or credentials: [BUG] ECS services with load balancers fail to register ELBv2 targets when multiple tasks use container port 80
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1778

## 5. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security_permissions risk before relying on the project: [BUG] Lambda execution role is not assumed; runtime always authenticates as root
- User impact: Developers may expose sensitive permissions or credentials: [BUG] Lambda execution role is not assumed; runtime always authenticates as root
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1777

## 6. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security_permissions risk before relying on the project: [BUG] SAM transform drops `PackageType` on `AWS::Serverless::Function` — a container-image function deploys as a broken Zip function
- User impact: Developers may expose sensitive permissions or credentials: [BUG] SAM transform drops `PackageType` on `AWS::Serverless::Function` — a container-image function deploys as a broken Zip function
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1770

## 7. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security_permissions risk before relying on the project: [BUG] s3: PHP fopen on S3 objects fails with "Stream is not seekable"
- User impact: Developers may expose sensitive permissions or credentials: [BUG] s3: PHP fopen on S3 objects fails with "Stream is not seekable"
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1632

## 8. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1774

## 9. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: runtime_trace
- Finding: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Repro command: `docker run -d --name floci -p 4566:4566 -v /var/run/docker.sock:/var/run/docker.sock -u root floci/floci:latest`
- Evidence: identity.distribution | https://github.com/floci-io/floci

## 10. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1766

## 11. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1775

## 12. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1770

## 13. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1771

## 14. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: 1.5.25
- User impact: Upgrade or migration may change expected behavior: 1.5.25
- Evidence: failure_mode_cluster:github_release | https://github.com/floci-io/floci/releases/tag/1.5.25

## 15. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: 1.5.26
- User impact: Upgrade or migration may change expected behavior: 1.5.26
- Evidence: failure_mode_cluster:github_release | https://github.com/floci-io/floci/releases/tag/1.5.26

## 16. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: 1.5.27
- User impact: Upgrade or migration may change expected behavior: 1.5.27
- Evidence: failure_mode_cluster:github_release | https://github.com/floci-io/floci/releases/tag/1.5.27

## 17. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: 1.5.28
- User impact: Upgrade or migration may change expected behavior: 1.5.28
- Evidence: failure_mode_cluster:github_release | https://github.com/floci-io/floci/releases/tag/1.5.28

## 18. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: 1.5.29
- User impact: Upgrade or migration may change expected behavior: 1.5.29
- Evidence: failure_mode_cluster:github_release | https://github.com/floci-io/floci/releases/tag/1.5.29

## 19. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: 1.5.31
- User impact: Upgrade or migration may change expected behavior: 1.5.31
- Evidence: failure_mode_cluster:github_release | https://github.com/floci-io/floci/releases/tag/1.5.31

## 20. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: [BUG] S3 DeleteObject on version-enabled buckets does not set isLatest=true to the latest (after delete) version
- User impact: Developers may misconfigure credentials, environment, or host setup: [BUG] S3 DeleteObject on version-enabled buckets does not set isLatest=true to the latest (after delete) version
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1775

## 21. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: [FEAT] Lambda Extensions API — no `/2020-01-01/extension/*` endpoints, and `/opt/extensions/*` binaries are never launched
- User impact: Developers may misconfigure credentials, environment, or host setup: [FEAT] Lambda Extensions API — no `/2020-01-01/extension/*` endpoints, and `/opt/extensions/*` binaries are never launched
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1771

## 22. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: feat(cloudhsmv2): implement AWS CloudHSM v2 service (phased)
- User impact: Developers may misconfigure credentials, environment, or host setup: feat(cloudhsmv2): implement AWS CloudHSM v2 service (phased)
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1774

## 23. Capability evidence risk - Capability evidence risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: README/documentation is current enough for a first validation pass.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/floci-io/floci

## 24. Runtime risk - Runtime risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this runtime risk before relying on the project: [BUG] ACL headers are ignored
- User impact: Developers may hit a documented source-backed failure mode: [BUG] ACL headers are ignored
- Evidence: failure_mode_cluster:github_issue | https://github.com/floci-io/floci/issues/1766

## 25. Maintenance risk - Maintenance risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this migration risk before relying on the project: 1.5.24
- User impact: Upgrade or migration may change expected behavior: 1.5.24
- Evidence: failure_mode_cluster:github_release | https://github.com/floci-io/floci/releases/tag/1.5.24

## 26. Maintenance risk - Maintenance risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a maintenance risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/floci-io/floci

## 27. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/floci-io/floci

## 28. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/floci-io/floci

## 29. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1767

## 30. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1778

## 31. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/floci-io/floci/issues/1777

## 32. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: issue_or_pr_quality=unknown。
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/floci-io/floci

## 33. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: release_recency=unknown。
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/floci-io/floci
