# Pitfall Log

Project: ruvnet/ruflo

Summary: Found 39 structured pitfall item(s), including 6 high/blocking item(s). Top priority: Security or permission risk - Security or permission risk requires verification.

## 1. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security or permission risk before relying on the project: ADR-153 — Integrate @metaharness/darwin (Darwin Mode) into ruflo
- User impact: Developers may expose sensitive permissions or credentials: ADR-153 — Integrate @metaharness/darwin (Darwin Mode) into ruflo
- Evidence: failure_mode_cluster:github_issue | https://github.com/ruvnet/ruflo/issues/2409

## 2. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security or permission risk before relying on the project: security cve subcommand is a stub — never returns CVE data (scan already does, via npm audit)
- User impact: Developers may expose sensitive permissions or credentials: security cve subcommand is a stub — never returns CVE data (scan already does, via npm audit)
- Evidence: failure_mode_cluster:github_issue | https://github.com/ruvnet/ruflo/issues/2403

## 3. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2286

## 4. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2412

## 5. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2047

## 6. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2313

## 7. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: [verification] HIGH: @claude-flow/cli@alpha --version hangs >60s on cold install (ONNX model download on every startup)
- User impact: Developers may fail before the first successful local run: [verification] HIGH: @claude-flow/cli@alpha --version hangs >60s on cold install (ONNX model download on every startup)
- Evidence: failure_mode_cluster:github_issue | https://github.com/ruvnet/ruflo/issues/2286

## 8. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: [verification] HIGH: Witness manifests report 95–99 missing build artifacts (dist/ absent)
- User impact: Developers may fail before the first successful local run: [verification] HIGH: Witness manifests report 95–99 missing build artifacts (dist/ absent)
- Evidence: failure_mode_cluster:github_issue | https://github.com/ruvnet/ruflo/issues/2391

## 9. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: [verification] HIGH: witness manifests report missing=95 drift=2 on all three platforms
- User impact: Developers may fail before the first successful local run: [verification] HIGH: witness manifests report missing=95 drift=2 on all three platforms
- Evidence: failure_mode_cluster:github_issue | https://github.com/ruvnet/ruflo/issues/2047

## 10. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: memory_store emits 128-dim mock embeddings — AgentDB vectorBackend controller never enables
- User impact: Developers may fail before the first successful local run: memory_store emits 128-dim mock embeddings — AgentDB vectorBackend controller never enables
- Evidence: failure_mode_cluster:github_issue | https://github.com/ruvnet/ruflo/issues/2395

## 11. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v3.10.43 — Fable 5 / Opus 4.x temperature fix, daemon TTL, federation cap
- User impact: Upgrade or migration may change expected behavior: v3.10.43 — Fable 5 / Opus 4.x temperature fix, daemon TTL, federation cap
- Evidence: failure_mode_cluster:github_release | https://github.com/ruvnet/ruflo/releases/tag/v3.10.43

## 12. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v3.10.44 — CI OOM fix, Windows plugin install
- User impact: Upgrade or migration may change expected behavior: v3.10.44 — CI OOM fix, Windows plugin install
- Evidence: failure_mode_cluster:github_release | https://github.com/ruvnet/ruflo/releases/tag/v3.10.44

## 13. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v3.10.45 — hive-mind --dangerously-skip-permissions deny clause
- User impact: Upgrade or migration may change expected behavior: v3.10.45 — hive-mind --dangerously-skip-permissions deny clause
- Evidence: failure_mode_cluster:github_release | https://github.com/ruvnet/ruflo/releases/tag/v3.10.45

## 14. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v3.10.46 — stale claude-flow@v3alpha references swept (@dskarasev community batch)
- User impact: Upgrade or migration may change expected behavior: v3.10.46 — stale claude-flow@v3alpha references swept (@dskarasev community batch)
- Evidence: failure_mode_cluster:github_release | https://github.com/ruvnet/ruflo/releases/tag/v3.10.46

## 15. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v3.11.0 — router ADR-148/149 + cost-tracker observability + fleet audits
- User impact: Upgrade or migration may change expected behavior: v3.11.0 — router ADR-148/149 + cost-tracker observability + fleet audits
- Evidence: failure_mode_cluster:github_release | https://github.com/ruvnet/ruflo/releases/tag/v3.11.0

## 16. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v3.12.0 — ADR-150 metaharness deep integration
- User impact: Upgrade or migration may change expected behavior: v3.12.0 — ADR-150 metaharness deep integration
- Evidence: failure_mode_cluster:github_release | https://github.com/ruvnet/ruflo/releases/tag/v3.12.0

## 17. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v3.12.1 — bundle metaharness plugin scripts
- User impact: Upgrade or migration may change expected behavior: v3.12.1 — bundle metaharness plugin scripts
- Evidence: failure_mode_cluster:github_release | https://github.com/ruvnet/ruflo/releases/tag/v3.12.1

## 18. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v3.12.2 — kernel-panic fix + cve subcommand fix + hooks hardening
- User impact: Upgrade or migration may change expected behavior: v3.12.2 — kernel-panic fix + cve subcommand fix + hooks hardening
- Evidence: failure_mode_cluster:github_release | https://github.com/ruvnet/ruflo/releases/tag/v3.12.2

## 19. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: v3.12.3 — #2395 fix: MCP no longer emits 128-dim mock embeddings
- User impact: Upgrade or migration may change expected behavior: v3.12.3 — #2395 fix: MCP no longer emits 128-dim mock embeddings
- Evidence: failure_mode_cluster:github_release | https://github.com/ruvnet/ruflo/releases/tag/v3.12.3

## 20. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2409

## 21. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2448

## 22. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2426

## 23. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2431

## 24. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2432

## 25. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2391

## 26. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2412

## 27. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2437

## 28. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2395

## 29. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.host_targets | https://github.com/ruvnet/ruflo

## 30. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: [BUG] daemon proliferation: `init.ts:424` spawns `daemon start &` racing the PID-file dedup → kernel panic on macOS
- User impact: Developers may misconfigure credentials, environment, or host setup: [BUG] daemon proliferation: `init.ts:424` spawns `daemon start &` racing the PID-file dedup → kernel panic on macOS
- Evidence: failure_mode_cluster:github_issue | https://github.com/ruvnet/ruflo/issues/2407

## 31. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2450

## 32. Capability evidence risk - Capability evidence risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: README/documentation is current enough for a first validation pass.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/ruvnet/ruflo

## 33. Maintenance risk - Maintenance risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a maintenance risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/ruvnet/ruflo

## 34. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/ruvnet/ruflo

## 35. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/ruvnet/ruflo

## 36. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2410

## 37. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/ruvnet/ruflo/issues/2452

## 38. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: issue_or_pr_quality=unknown.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/ruvnet/ruflo

## 39. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: release_recency=unknown.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/ruvnet/ruflo
