nikolanovoselec · nikolanovoselec · May 3, 2026 · May 3, 2026 · May 3, 2026 · May 3, 2026
diff --git a/.trivyignore b/.trivyignore
@@ -199,3 +199,27 @@ CVE-2026-41179
 # System library transitive dep; container does not process untrusted ECDH ciphertext.
 # No fix available in Debian bookworm.
 CVE-2026-41989
+
+# libcap2 1:2.66-4+deb12u2+b2: privilege escalation via TOCTOU race in
+# cap_set_file(). System library used during container init only — no
+# application code path passes untrusted paths to cap_set_file. The race
+# requires local file-access on the same filesystem, which doesn't exist
+# as a multi-tenant boundary in the sandboxed container model.
+# No fix available in Debian bookworm.
+CVE-2026-4878
+
+# libgnutls30 3.7.9-2+deb12u6: DTLS DoS via zero-length fragment.
+# Container does not expose any DTLS/UDP TLS service; GnuTLS is linked
+# by CLI tools (curl, wget) for outbound HTTPS only. The vulnerable
+# DTLS server path is never reached.
+# No fix available in Debian bookworm.
+CVE-2026-33845
+
+# openssh-client 1:9.2p1-2+deb12u9: arbitrary command execution via shell
+# metacharacters in username. Codeflare uses git-over-HTTPS exclusively
+# (rules/cloudflare-environment.md: "Git over HTTPS only, no SSH keys"),
+# so the openssh-client binary is installed but not invoked. The exploit
+# path requires the user to ssh somewhere with attacker-controlled
+# username, which doesn't happen in the codeflare workflow.
+# No fix available in Debian bookworm.
+CVE-2026-35386
diff --git a/documentation/README.md b/documentation/README.md
@@ -17,8 +17,10 @@ Technical reference documentation for Codeflare.
 | [Development & Deployment](deployment.md) | Dev setup, file structure, cost analysis | Developers |
 | [Troubleshooting](troubleshooting.md) | Diagnostic commands, common failures, resolutions | Operators |
 | [Mobile Terminal](mobile.md) | Keyboard handling, scroll stability, touch input | Developers |
-| [Memory & Preseed](memory.md) | Memory capture, session modes, preseed system | Developers |
-| [Architecture Decisions](decisions/README.md) | 42 ADRs with rationale and trade-offs | Developers |
+| [Memory](memory.md) | MCP memory server, automatic capture, two-phase compaction | Developers |
+| [Preseed System](preseed.md) | Session modes, manifest pipeline, multi-agent adaptation, hooks | Developers |
+| [Token Scopes](token-scopes.md) | GitHub PAT and Cloudflare API token scope guidance | Operators |
+| [Architecture Decisions](decisions/README.md) | 44 ADRs with rationale and trade-offs | Developers |
 | [Penetration Testing](PENTEST.md) | Security scan results | Security |
 | [Stress Testing](STRESS_TEST.md) | Load testing guide | Operators |
 

diff --git a/documentation/architecture.md b/documentation/architecture.md
@@ -1,3 +1,6 @@
+<!-- doc-allow-large -->
+<!-- doc-discipline note: this file currently exceeds the 350-line soft budget defined in documentation-discipline.md. Two known follow-ups (tracked separately) would shrink it: (1) move the Container DO internal-method documentation (collectMetrics / destroy / setBucketName) into container.md, where the operational details actually live; (2) move the Backend Libraries error-class status-code mapping to api-reference.md#error-response-format and replace the Route Registration list with a one-line link to api-reference.md. Until that surgery happens, this opt-out is honest about the current state. -->
+
 # Architecture
 
 System architecture, components, data flow, and design rationale for Codeflare.

diff --git a/documentation/authentication.md b/documentation/authentication.md
@@ -1,3 +1,6 @@
+<!-- doc-allow-large -->
+<!-- doc-discipline note: ~900 lines covering dual auth, SaaS mode, subscriptions, Stripe webhooks, and provisioning in one file. A future split could extract billing/Stripe into a sibling file, but the cross-references between auth flow and billing tier checks are dense enough that the single file is currently the most navigable shape. -->
+
 # Authentication & Billing
 
 Dual authentication (Cloudflare Access and GitHub OIDC), SaaS mode, subscription tiers, Stripe billing, and user provisioning.

diff --git a/documentation/container.md b/documentation/container.md
@@ -193,4 +193,5 @@ Optional feature that lets users connect GitHub and Cloudflare accounts once in
 - [Architecture](architecture.md#container-do) - Container Durable Object
 - [Storage & Sync](storage-and-sync.md) - R2 sync during startup
 - [Configuration](configuration.md#container-environment) - Container environment variables
-- [Memory](memory.md) - Memory persistence and preseed system
+- [Memory](memory.md) - MCP memory server and capture/compact
+- [Preseed System](preseed.md) - Session modes, manifest pipeline, multi-agent adaptation, hooks
diff --git a/documentation/decisions/README.md b/documentation/decisions/README.md
@@ -1,3 +1,6 @@
+<!-- doc-allow-large -->
+<!-- doc-discipline note: per documentation-discipline.md the per-ADR budget is 100 lines. All 44 ADRs currently live here as a single file rather than one-file-per-ADR. The combined file is over the implicit 100×44 budget but each individual ADR is under the per-ADR cap. Splitting into 44 files would scatter related decisions and break inbound AD-N references throughout the codebase, so the unified file is the deliberately chosen shape. -->
+
 # Architecture Decisions
 
 Architecture Decision Records for Codeflare. Each decision documents a design trade-off with rationale. Referenced as AD1-AD44 throughout the codebase and documentation.