Remediation roadmap
Immediate (before production exposure)
- Add access control or network restrictions for /health and WebSocket endpoints.
- Fix TSL UMD sender startup state to handle bind failures cleanly.
- Document CasparCG shared listener limitation or update to support multiple channels per IP.
Short-Term (next sprint)
- Add schema validation for config.json (types, ranges, required fields).
- Add unit tests for HyperDeck, vMix, and CasparCG client parsing.
- Introduce WebSocket rate limiting or connection caps.
Medium-Term
- Publish JSON schema for /health and WebSocket payloads.
- Add accessibility improvements (ARIA live region, contrast checks).
- Add optional SIGTERM handler for graceful shutdown under systemd.
Attestation
# Identity
agent_id: audit-report-writer
agent_version: "1.0"
protocol_version: "2.0"

# Timing
timestamp: 2026-01-31T17:11:26Z
duration_seconds: 180

# Context
git_ref: e4bb0098264f90d3afc7b5d0f3b5e425d1825761
git_branch: main
working_directory: /Users/david/Documents/GitHub/superdash

# Artefact metadata
artefact: REMEDIATION_ROADMAP.md
phase: 7
status: COMPLETE

# Confidence assessment
confidence: MEDIUM
confidence_notes: "Roadmap is derived from audit findings, not validated against product priorities."

# Inputs consumed (with integrity hashes)
inputs_consumed:
  - path: docs/audit/SECURITY.md
    type: file
  - path: docs/audit/RELIABILITY.md
    type: file
  - path: docs/audit/CONFIGURATION.md
    type: file
  - path: docs/audit/TEST_QUALITY.md
    type: file
  - path: docs/audit/ACCESSIBILITY.md
    type: file

# Commands executed
commands_executed:
  - seq: 1
    cmd: "ls docs/audit"
    exit_code: 0
    purpose: "Enumerate audit artefacts"
    output_summary: "Used as input for roadmap"

# Findings summary
findings:
  critical: 0
  high: 0
  medium: 9
  low: 9
  info: 8

# Blocking issues
blocking_issues:
  - "CVE audit incomplete due to network restrictions"

# Handoff
handoff:
  ready: true
  next_agents:
    - orchestrator
  dependencies_satisfied:
    REMEDIATION_ROADMAP.md: COMPLETE
  context_for_next: |
    Roadmap prioritizes access control, TSL sender bind handling, CasparCG multiplexing, and test coverage.