Sequenced Sprint Plan

Sprint 0: Foundations and Config (1 week)

Goal: Establish the configuration surface and basic scaffolding for the hardening work.
Backlog Items: A.9.1.1, A.9.1.2, A.9.1.3, A.9.1.4, A.9.1.6, A.9.1.9 (config only)
Tasks:
A.9.0.1 Add config types for diagnostics, CORS, limits, validation, and metrics in types/app-config-types.ts.
- Dependencies: None
A.9.0.2 Add default config values (new defaults module or config helper).
- Dependencies: A.9.0.1
A.9.0.3 Wire config into motia.ts and server.ts without changing behavior.
- Dependencies: A.9.0.1, A.9.0.2
A.9.0.4 Add typed config accessors for diagnostics, CORS, limits, validation, metrics.
- Dependencies: A.9.0.1
A.9.0.5 Document config flags in a short README section.
- Dependencies: A.9.0.1, A.9.0.2
A.9.0.6 Add config unit tests or type tests.
- Dependencies: A.9.0.1, A.9.0.2
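
One possible shape for tasks A.9.0.1, A.9.0.2, and A.9.0.4 is sketched below. All field names, the `HardeningConfig` type, and the default values are assumptions made for illustration; the plan does not specify them, and during Sprint 0 the real defaults would need to mirror current behavior.

```typescript
// Hypothetical shapes: the real fields in types/app-config-types.ts may differ.
interface HardeningConfig {
  diagnostics: { enabled: boolean; requireAuth: boolean };
  cors: { allowedOrigins: string[]; allowCredentials: boolean; allowPrivateNetwork: boolean };
  limits: { maxBodyBytes: number; maxConcurrentSteps: number; defaultStepTimeoutMs: number };
  validation: { strictEvents: boolean };
  metrics: { enabled: boolean };
}

// Callers may override any subset of fields inside any section.
type HardeningConfigInput = { [K in keyof HardeningConfig]?: Partial<HardeningConfig[K]> };

// Illustrative values only; the plan does not state concrete defaults.
const DEFAULT_HARDENING_CONFIG: HardeningConfig = {
  diagnostics: { enabled: false, requireAuth: true },
  cors: { allowedOrigins: [], allowCredentials: false, allowPrivateNetwork: false },
  limits: { maxBodyBytes: 1024 * 1024, maxConcurrentSteps: 16, defaultStepTimeoutMs: 30000 },
  validation: { strictEvents: false },
  metrics: { enabled: false },
};

// Merge user input over the defaults, one section at a time.
function resolveHardeningConfig(input: HardeningConfigInput = {}): HardeningConfig {
  const d = DEFAULT_HARDENING_CONFIG;
  return {
    diagnostics: { ...d.diagnostics, ...input.diagnostics },
    cors: { ...d.cors, ...input.cors },
    limits: { ...d.limits, ...input.limits },
    validation: { ...d.validation, ...input.validation },
    metrics: { ...d.metrics, ...input.metrics },
  };
}

// Typed accessor: the return type follows the requested section.
function getConfigSection<K extends keyof HardeningConfig>(
  config: HardeningConfig,
  section: K
): HardeningConfig[K] {
  return config[section];
}
```

Merging per section keeps a partial override such as `{ limits: { maxBodyBytes: 2048 } }` from discarding the other limit defaults.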
Exit Criteria:
Core compiles with new config fields and defaults.
No behavioral changes yet; this sprint adds only the config surface.

Goal: Close immediate security gaps.
Backlog Items: A.9.1.1, A.9.1.2
Tasks:
A.9.1.1.1 Implement diagnostics guard middleware (enabled/disabled + optional auth).
- Dependencies: A.9.0.1, A.9.0.2, A.9.0.3
A.9.1.1.2 Add role/permission check stubs (diagnostics read/write) for future RBAC integration.
- Dependencies: A.9.1.1.1
A.9.1.1.3 Gate flowsEndpoint, flowsConfigEndpoint, stepEndpoint, analyticsEndpoint.
- Dependencies: A.9.1.1.1
A.9.1.1.4 Add tests for 404/403 behavior under each mode.
- Dependencies: A.9.1.1.3
A.9.1.2.1 Implement allowlist CORS middleware with credential-safe rules.
- Dependencies: A.9.0.1, A.9.0.2
A.9.1.2.2 Remove Access-Control-Allow-Private-Network by default; gate via config.
- Dependencies: A.9.1.2.1
A.9.1.2.3 Add preflight tests and Origin allowlist tests.
- Dependencies: A.9.1.2.1
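
The guard logic behind A.9.1.1.1 and A.9.1.1.2 could look roughly like the framework-free sketch below. The `DiagnosticsMode`, `Caller`, and permission names are hypothetical, and mapping "disabled" to 404 and "unauthorized" to 403 is an assumption about how the two status codes are meant to be used.

```typescript
// Hypothetical config and caller shapes, for illustration only.
interface DiagnosticsMode { enabled: boolean; requireAuth: boolean }
type DiagnosticsPermission = "diagnostics:read" | "diagnostics:write";
interface Caller { authenticated: boolean; permissions: DiagnosticsPermission[] }

type GuardDecision = { allowed: true } | { allowed: false; status: 404 | 403 };

function checkDiagnosticsAccess(
  mode: DiagnosticsMode,
  caller: Caller | undefined,
  needed: DiagnosticsPermission
): GuardDecision {
  // Disabled: answer as if the endpoint does not exist (assumed 404).
  if (!mode.enabled) return { allowed: false, status: 404 };
  // Enabled without auth: open access, e.g. for local development.
  if (!mode.requireAuth) return { allowed: true };
  // Permission check stub; a future RBAC integration would replace this lookup.
  const hasPermission =
    caller !== undefined &&
    caller.authenticated &&
    caller.permissions.some((p) => p === needed);
  return hasPermission ? { allowed: true } : { allowed: false, status: 403 };
}
```

A middleware wrapper would call this once per request to the gated endpoints and short-circuit with the returned status when `allowed` is false.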
Exit Criteria:
Each diagnostic endpoint returns 404 when diagnostics are disabled and 403 when the caller is unauthorized.
CORS responses never pair Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true.
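
As a rough illustration of the credential-safe allowlist rule in A.9.1.2.1 and A.9.1.2.2, the header computation might be sketched as follows. The `CorsPolicy` shape and the function name are assumptions; only the HTTP header names are standard.

```typescript
// Hypothetical policy shape, for illustration only.
interface CorsPolicy {
  allowedOrigins: string[];
  allowCredentials: boolean;
  allowPrivateNetwork: boolean;
}

function buildCorsHeaders(
  policy: CorsPolicy,
  origin: string | undefined,
  requestsPrivateNetwork: boolean = false
): Record<string, string> {
  // Vary: Origin keeps caches from reusing one origin's response for another.
  const headers: Record<string, string> = { Vary: "Origin" };

  // Unknown or missing origin: emit no allow headers, so the browser blocks the read.
  if (origin === undefined || policy.allowedOrigins.indexOf(origin) === -1) {
    return headers;
  }

  // Echo the exact origin instead of "*", which is what makes credentials safe.
  headers["Access-Control-Allow-Origin"] = origin;
  if (policy.allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  // Private network access is off unless explicitly enabled and requested.
  if (policy.allowPrivateNetwork && requestsPrivateNetwork) {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return headers;
}
```

Because the wildcard is never emitted, the "no `*` with credentials" criterion holds by construction rather than by a runtime check.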

Goal: Enforce stability limits and eliminate CLI-arg payload risks.
Backlog Items: A.9.1.3, A.9.1.4, A.9.1.5
Tasks:
A.9.1.3.1 Add request size limits to config with safe defaults.
- Dependencies: A.9.0.1, A.9.0.2
A.9.1.3.2 Apply limits to body-parser (json, urlencoded, text).
- Dependencies: A.9.1.3.1
A.9.1.3.3 Add tests for 413 responses on oversize payloads.
- Dependencies: A.9.1.3.2
A.9.1.4.1 Add max concurrency config and implement semaphore in call-step-file.
- Dependencies: A.9.0.1, A.9.0.2
A.9.1.4.2 Add default step timeout and apply when per-step timeout missing.
- Dependencies: A.9.1.4.1
A.9.1.4.3 Add tests for timeout enforcement and concurrency backpressure.
- Dependencies: A.9.1.4.1, A.9.1.4.2
A.9.1.5.1 Add payload size detection threshold.
- Dependencies: A.9.1.3.1
A.9.1.5.2 Implement temp-file or stdin payload transport in call-step-file.
- Dependencies: A.9.1.5.1
A.9.1.5.3 Update node/python/ruby runners to read payload from file or stdin.
- Dependencies: A.9.1.5.2
A.9.1.5.4 Add cross-language tests for large payload handling.
- Dependencies: A.9.1.5.3
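
The concurrency and timeout tasks (A.9.1.4.1, A.9.1.4.2) can be sketched with a small counting semaphore and a timeout wrapper. This is a minimal sketch under stated assumptions: `Semaphore`, `withTimeout`, and `runStepLimited` are hypothetical names, and the timeout here only rejects the caller's promise; a real call-step-file implementation would presumably also terminate the child process.

```typescript
class Semaphore {
  private available: number;
  private waiters: Array<() => void> = [];

  constructor(maxConcurrent: number) {
    this.available = maxConcurrent;
  }

  async acquire(): Promise<void> {
    if (this.available > 0) {
      this.available--;
      return;
    }
    // No permit free: wait until release() hands one over.
    await new Promise<void>((resolve) => this.waiters.push(resolve));
  }

  release(): void {
    const next = this.waiters.shift();
    if (next) next(); // pass the permit straight to the oldest waiter
    else this.available++;
  }
}

function withTimeout<T>(work: Promise<T>, ms: number): Promise<T> {
  return new Promise<T>((resolve, reject) => {
    const timer = setTimeout(() => reject(new Error(`step timed out after ${ms}ms`)), ms);
    work.then(
      (value) => { clearTimeout(timer); resolve(value); },
      (error) => { clearTimeout(timer); reject(error); }
    );
  });
}

// Uses the per-step timeout when present, otherwise the configured default.
async function runStepLimited<T>(
  semaphore: Semaphore,
  step: () => Promise<T>,
  stepTimeoutMs: number | undefined,
  defaultTimeoutMs: number
): Promise<T> {
  await semaphore.acquire();
  try {
    return await withTimeout(step(), stepTimeoutMs === undefined ? defaultTimeoutMs : stepTimeoutMs);
  } finally {
    semaphore.release();
  }
}
```

Callers beyond the limit queue in arrival order, which gives the backpressure behavior that A.9.1.4.3 is meant to test.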
Exit Criteria:
No ARG_MAX failures under large payload tests.
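Request size, concurrency, and timeout limits are enforced, and violations are observable (for example, 413 responses and timeout errors).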
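
For the payload threshold in A.9.1.5.1 and the transport choice in A.9.1.5.2, the decision step might look like the sketch below. The option names and the `argv` / `stdin` / `tempfile` labels are assumptions for illustration; the point shown is that the size check should count UTF-8 bytes rather than string length.

```typescript
type PayloadTransport = "argv" | "stdin" | "tempfile";

// Hypothetical options; the plan does not name these fields.
interface TransportOptions {
  thresholdBytes: number;
  largePayloadTransport: "stdin" | "tempfile";
}

function utf8ByteLength(text: string): number {
  return new TextEncoder().encode(text).length;
}

function choosePayloadTransport(
  payload: unknown,
  options: TransportOptions
): { transport: PayloadTransport; bytes: number } {
  // JSON.stringify(undefined) yields undefined, so normalize to null first.
  const serialized = JSON.stringify(payload === undefined ? null : payload);
  const bytes = utf8ByteLength(serialized);
  const transport: PayloadTransport =
    bytes <= options.thresholdBytes ? "argv" : options.largePayloadTransport;
  return { transport, bytes };
}
```

A payload of 40,000 two-byte characters has a string length near 40 KB but serializes to roughly 80 KB, so a check based on `length` would under-count it.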

Goal: Deterministic execution and safer input handling.
Backlog Items: A.9.1.6, A.9.1.7, A.9.1.8
Tasks:
A.9.1.6.1 Add validation.strictEvents config and defaults.
- Dependencies: A.9.0.1, A.9.0.2
A.9.1.6.2 Make validateEventInput throw or block when strict mode is enabled.
- Dependencies: A.9.1.6.1
A.9.1.6.3 Add tests for strict vs non-strict behavior.
- Dependencies: A.9.1.6.2
A.9.1.7.1 Replace forEach(async) with for...of or Promise.all for subscriptions.
- Dependencies: None
A.9.1.7.2 Ensure handlerMap is set only after subscriptions succeed.
- Dependencies: A.9.1.7.1
A.9.1.7.3 Add explicit logging for subscription failures.
- Dependencies: A.9.1.7.1
A.9.1.8.1 Wrap WS JSON.parse in try/catch.
- Dependencies: None
A.9.1.8.2 Add message schema validation and error responses.
- Dependencies: A.9.1.8.1
A.9.1.8.3 Add tests for malformed WS payloads.
- Dependencies: A.9.1.8.2
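
Tasks A.9.1.7.1 through A.9.1.7.3 address a common pitfall: `forEach` ignores the promises returned by an async callback, so startup continues before subscriptions finish and failures go unobserved. A minimal sketch of the `Promise.all` variant follows; the `EventAdapter` interface, `subscribeAll`, and the logger signature are hypothetical stand-ins, not the project's actual types.

```typescript
type Handler = (event: unknown) => Promise<void>;

// Hypothetical adapter surface, for illustration only.
interface EventAdapter {
  subscribe(topic: string, handler: Handler): Promise<void>;
}

// Subscribes to every topic, awaits all of them, and returns the topics that failed.
async function subscribeAll(
  adapter: EventAdapter,
  topics: string[],
  handler: Handler,
  handlerMap: Map<string, Handler>,
  log: (message: string) => void
): Promise<string[]> {
  const outcomes = await Promise.all(
    topics.map(async (topic) => {
      try {
        await adapter.subscribe(topic, handler);
        return { topic, ok: true };
      } catch (error) {
        // Explicit logging instead of an unhandled rejection.
        log(`subscription failed for ${topic}: ${String(error)}`);
        return { topic, ok: false };
      }
    })
  );

  const failed: string[] = [];
  for (const outcome of outcomes) {
    // Register the handler only once its subscription is known to have succeeded.
    if (outcome.ok) handlerMap.set(outcome.topic, handler);
    else failed.push(outcome.topic);
  }
  return failed;
}
```

Returning the failed topics leaves the policy decision (abort startup, retry, or continue degraded) to the caller.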
Exit Criteria:
No async subscription races on startup.
Invalid inputs do not crash handlers.
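
For the WebSocket tasks (A.9.1.8.1, A.9.1.8.2), a guarded parse with shape validation could be sketched as follows. The `WsMessage` schema with `type` and `streamName` fields and the error codes are invented for illustration; the real message format is not given in this plan.

```typescript
// Hypothetical message schema, for illustration only.
interface WsMessage {
  type: "subscribe" | "unsubscribe";
  streamName: string;
}

type WsParseResult =
  | { ok: true; message: WsMessage }
  | { ok: false; error: "invalid_json" | "invalid_shape" | "unknown_type" | "missing_stream_name" };

function parseWsMessage(raw: string): WsParseResult {
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch (e) {
    // Malformed JSON becomes an error result instead of an uncaught exception.
    return { ok: false, error: "invalid_json" };
  }
  if (typeof data !== "object" || data === null) {
    return { ok: false, error: "invalid_shape" };
  }
  const candidate = data as Record<string, unknown>;
  const type = candidate["type"];
  const streamName = candidate["streamName"];
  if (type !== "subscribe" && type !== "unsubscribe") {
    return { ok: false, error: "unknown_type" };
  }
  if (typeof streamName !== "string" || streamName.length === 0) {
    return { ok: false, error: "missing_stream_name" };
  }
  return { ok: true, message: { type, streamName } };
}
```

The handler can then send the `error` code back to the client as the error response and keep the connection open.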

Goal: Add platform-grade metrics, traces, and structured logging.
Backlog Items: A.9.1.9
Tasks:
A.9.1.9.1 Define metrics interface (counters, timers, gauges).
- Dependencies: A.9.0.1, A.9.0.2
A.9.1.9.2 Add API metrics hooks (request count, error count, latency).
- Dependencies: A.9.1.9.1
A.9.1.9.3 Add step execution metrics (count, error, latency).
- Dependencies: A.9.1.9.1
A.9.1.9.4 Add queue and stream metrics as available.
- Dependencies: A.9.1.9.1
A.9.1.9.5 Add structured log format toggle with trace IDs.
- Dependencies: A.9.0.1, A.9.0.2
A.9.1.9.6 Expose metrics endpoint when enabled.
- Dependencies: A.9.1.9.1, A.9.1.9.2
A.9.1.9.7 Add tests for metrics increments and log shape.
- Dependencies: A.9.1.9.2, A.9.1.9.3, A.9.1.9.5
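
A possible starting point for the metrics interface in A.9.1.9.1, with an in-memory implementation suitable for the tests in A.9.1.9.7, is sketched below. The interface, the `timed` helper, and the `.count` / `.error` / `.latency_ms` naming scheme are all assumptions; a production backend would sit behind the same interface.

```typescript
interface Metrics {
  increment(name: string, value?: number): void; // counters
  gauge(name: string, value: number): void;      // gauges
  timing(name: string, ms: number): void;        // timers
}

class InMemoryMetrics implements Metrics {
  readonly counters = new Map<string, number>();
  readonly gauges = new Map<string, number>();
  readonly timings = new Map<string, number[]>();

  increment(name: string, value: number = 1): void {
    this.counters.set(name, (this.counters.get(name) || 0) + value);
  }

  gauge(name: string, value: number): void {
    this.gauges.set(name, value);
  }

  timing(name: string, ms: number): void {
    const samples = this.timings.get(name) || [];
    samples.push(ms);
    this.timings.set(name, samples);
  }
}

// Wraps an operation (API request, step execution) with count, error, and latency metrics.
async function timed<T>(metrics: Metrics, name: string, fn: () => Promise<T>): Promise<T> {
  const start = Date.now();
  metrics.increment(`${name}.count`);
  try {
    return await fn();
  } catch (error) {
    metrics.increment(`${name}.error`);
    throw error;
  } finally {
    metrics.timing(`${name}.latency_ms`, Date.now() - start);
  }
}
```

The same wrapper could serve both the API hooks (A.9.1.9.2) and the step execution metrics (A.9.1.9.3) by varying the `name` prefix.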
Exit Criteria:
SLO dashboards can be populated from emitted metrics.
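
The structured log toggle in A.9.1.9.5 might be as simple as the formatter sketched here. The `LogEntry` fields and the plain-text layout are assumptions; the only idea taken from the plan is that one switch selects JSON output and every line carries a trace ID.

```typescript
type LogLevel = "debug" | "info" | "warn" | "error";

// Hypothetical entry shape, for illustration only.
interface LogEntry {
  level: LogLevel;
  message: string;
  traceId: string;
  fields?: Record<string, unknown>;
}

function formatLogLine(entry: LogEntry, structured: boolean, now: Date = new Date()): string {
  const time = now.toISOString();
  if (structured) {
    // Extra fields are spread first so they cannot overwrite the core keys.
    return JSON.stringify({
      ...entry.fields,
      time,
      level: entry.level,
      traceId: entry.traceId,
      message: entry.message,
    });
  }
  return `${time} [${entry.level}] (${entry.traceId}) ${entry.message}`;
}
```

Keeping the formatter pure (the clock is injectable) makes the log-shape test in A.9.1.9.7 deterministic.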

Goal: Demonstrate resilience and performance.
Backlog Items: Test plan execution from platform-hardening/test-plan.md
Tasks:
A.9.5.1 Build API load test scripts with mixed GET/POST.
- Dependencies: A.9.1.9.2
A.9.5.2 Build event burst and fan-out tests.
- Dependencies: A.9.1.9.3
A.9.5.3 Build stream subscription concurrency tests.
- Dependencies: A.9.1.9.4
A.9.5.4 Run 24-hour soak test with scheduled spikes.
- Dependencies: A.9.5.1, A.9.5.2, A.9.5.3
A.9.5.5 Implement Redis outage injection and verify recovery.
- Dependencies: A.9.5.4
A.9.5.6 Implement event adapter outage injection and verify recovery.
- Dependencies: A.9.5.4
A.9.5.7 Integrate load/soak tests into CI on schedule.
- Dependencies: A.9.5.4
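
The outage injection tasks (A.9.5.5, A.9.5.6) can be prototyped without real infrastructure by wrapping a dependency call in a switchable fault. The sketch below is an assumption-heavy illustration: `OutageInjector` and `callWithRetry` are hypothetical helpers, and a fixed-delay retry stands in for whatever recovery logic the platform actually uses.

```typescript
// Wraps a dependency call (e.g. a Redis ping) so a test can force it to fail.
class OutageInjector<T> {
  private down = false;
  private readonly real: () => Promise<T>;

  constructor(real: () => Promise<T>) {
    this.real = real;
  }

  startOutage(): void { this.down = true; }
  endOutage(): void { this.down = false; }

  async call(): Promise<T> {
    if (this.down) throw new Error("injected outage");
    return this.real();
  }
}

// Fixed-delay retry; returns the value and how many attempts were needed.
async function callWithRetry<T>(
  op: () => Promise<T>,
  maxAttempts: number,
  delayMs: number
): Promise<{ value: T; attempts: number }> {
  let lastError: unknown = new Error("maxAttempts must be at least 1");
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      return { value: await op(), attempts: attempt };
    } catch (error) {
      lastError = error;
      if (attempt < maxAttempts) {
        await new Promise<void>((resolve) => setTimeout(resolve, delayMs));
      }
    }
  }
  throw lastError;
}
```

A recovery test starts the outage, schedules its end, and asserts that the call eventually succeeds after more than one attempt.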
Exit Criteria:
SLO targets met under defined load profiles.
Recovery behavior documented and verified.
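
Checking "SLO targets met" against load test output usually comes down to percentile math over latency samples. A minimal sketch using the nearest-rank method follows; the `SloTarget` shape and any threshold values passed to it are placeholders, since the plan defers the actual targets to the test plan.

```typescript
// Nearest-rank percentile: the smallest sample with at least p% of samples at or below it.
function percentile(samples: number[], p: number): number {
  if (samples.length === 0) throw new Error("no samples");
  if (p <= 0 || p > 100) throw new Error("p must be in (0, 100]");
  const sorted = samples.slice().sort((a, b) => a - b);
  const rank = Math.ceil((p / 100) * sorted.length);
  return sorted[rank - 1];
}

// Hypothetical target shape; real targets would come from the test plan.
interface SloTarget {
  percentile: number;
  maxLatencyMs: number;
}

function meetsSlo(latenciesMs: number[], targets: SloTarget[]): boolean {
  return targets.every((t) => percentile(latenciesMs, t.percentile) <= t.maxLatencyMs);
}
```

For example, with samples `[10, 20, 30, 40]` the 50th percentile under nearest-rank is 20, so a target of `{ percentile: 50, maxLatencyMs: 25 }` passes.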