Technical Debt
Scope
Consolidated technical debt findings from all FaceKom services. Organized by category with severity indicators.
TODOs and FIXMEs by Service
vuer_oss (25+)
Incomplete Implementations
| Location | Issue | Severity |
|---|---|---|
| SelfServiceV2Service.js:737 | "dead end in the workflow? Maybe use fail(…)" | High |
| SelfServiceCheckerService.js:166 | "now only a mock" | High |
| SelfServiceCheckerService.js:627 | "collect all relevant data, when the kau is implemented" | Medium |
| SelfServiceRoomService.js:431 | "save consent options" — not implemented | Medium |
| FileValidatorService.js:69 | "Implement other file types validation" | Medium |
| FaceRecognitionService.js:12 | "rework face recognition/comparison for videochat" | Medium |
| CustomerDataService.js:16 | "extended videochat logic not implemented" | Medium |
| IdentificationRouterRPCServer.js:100 | Empty TODO | Low |
| db/model/flow.js:65 | Empty TODO | Low |
| db/model/activity.js:124 | "missing event" for selfService:flow:create | Low |
| SelfServiceV2Service.js:1197,1550 | "what category is this?" — screenshot category unknown | Low |
Missing Error Handling
| Location | Issue |
|---|---|
| ExportRoomPageService.js:290,293 | "error handling (catch)" and "stream error handling" |
| ExportImportedRoomPageService.js:216,219 | Same as above |
Missing Sorting
| Location | Issue |
|---|---|
| selfservice-room.endpoint.js:251,257 | FIXME: sort for communicationlogs and clientErrorLogs |
| selfserviceroom.endpoint.js:57,63 | Same FIXME duplicated |
Architecture Debt
| Location | Issue |
|---|---|
| reportUtils.js:149 | "remove this madness and replace it with a map call" |
| roomlist.endpoint.js:107 | "this is not dynamic, if search fields change this becomes useless" |
| db/helpers.js:127 | "remove customer argument" |
| db/helpers.js:513 | "Make it compatible with customerDataChangeBatch feature" |
| videochat.customerDataChange.js:37 | Same customerDataChangeBatch compatibility |
| RoomTransportSession.js:753 | Same customerDataChangeBatch compatibility |
Security-Relevant TODOs
Missing Access Controls
- importDataRecords.endpoint.js:43 — "handle access roles" — Import data endpoint lacks authorization
- importDataRoom.endpoint.js:85 — "check accessibility" — Import room endpoint lacks access checks
- web/api/common/screenshot.js:49 and selfservice-screenshot.js:34 — "is this really necessary?" — Unclear security check
vuer_css (15+)
| Location | Issue |
|---|---|
| server.js:158-159 | customerDocuments and flowDocuments RPC clients: "TODO: remove? Never used…" |
| feedback.endpoint.js:18 | "TODO: assert if feedback was already given" |
| DeviceHandler.js:133 | Generic "TODO" without description |
| videochat.services.js:150 | "TODO: handle when this is called meanwhile a sender peer is trying to reconnect" |
| videochat.services.js:192 | "TODO: do something with publishers" |
| videochat.script.js:330 | "TODO: needs server side implementation" |
| self-service.ui.js | Multiple TODOs for "upload task" feature (lines 163, 238, 525, 587, 733, 783) |
| self-service.ui.js:895 | "flow action messages" TODO |
| self-service.script.js:16 | FIXME: "why is this needed again?" for initial device summary call |
| SelfServiceTransportSession.js:25 | FIXME: "after socket disconnect this is just noise" |
| SelfServicePeer.js:51 | "FIXME log order" |
vuer_cv (5+)
| Location | Issue |
|---|---|
| document_ocr_engine.py:281 | OCR rewrite planned (see below) |
| ocr_engine.py:18, 69, 323 | OCR rewrite planned (see below) |
| hun_bo_05001_back.py:75 | "roi": [35, 1, 400, 1], # TODO? |
| hun_bo_06001_back_po.py:75 | Same TODO |
esign_css (5)
| Location | Issue |
|---|---|
| server/service/AppService.js:5 | "oss sends notification" — not implemented |
| server/web/web-server.js:112 | "expires false?" on cookie config |
| server/web/routes.js:69 | "provide estimate location" (always ‘N/A’) |
| server/web/api/customer/login.js:11 | Handle duplicate login sessions |
| server/web/api/pre-check.js:3 | "implement user-agent check login" (always returns compatible) |
Code Smells
Service Container Overwrite Bug
Potential Bug
File: vuer_oss/server.js:409
serviceContainer.rpcServer.documentUpload is overwritten by Presentation RPC server when presentationMode is enabled. This silently replaces the document upload handler.
contactValidatoin Typo
File: vuer_oss/server.js:163-167
A contactValidatoin (typo of “contactValidation”) deprecation proxy was added — creative but adds runtime overhead. The typo persists as a property name.
Duplicate encrypt() Operations
File: vuer_oss/server/gcm.js:237-255
The encrypt() function creates a cipher, updates, and finals, then calls encryptBuffer() which does the exact same thing again. Double work on every encryption call.
config.get() Falsy Bug
In both vuer_css and esign, config.get() treats 0 and '' as missing values because of its !current[path[0]] check. Valid falsy config values are silently replaced with defaults.
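The failure mode described above, as an added example that is not FaceKom code: getBuggy models a lookup built on the !current[path[0]] check, getFixed tests for key presence instead. The function names, the dotted-path argument and the sample keys are assumptions made for illustration.

```javascript
// Added illustration, not FaceKom code. getBuggy/getFixed, the dotted-path
// argument and the sample keys are hypothetical.

// Models the reported check: any falsy value counts as "missing".
function getBuggy(config, path, fallback) {
  const parts = path.split('.');
  let current = config;
  while (parts.length > 0) {
    if (!current[parts[0]]) return fallback; // 0, '' and false all land here
    current = current[parts.shift()];
  }
  return current;
}

// Presence test: only an absent (or undefined) own key falls back.
function getFixed(config, path, fallback) {
  let current = config;
  for (const key of path.split('.')) {
    const isObject = current !== null && typeof current === 'object';
    if (!isObject || !Object.prototype.hasOwnProperty.call(current, key) ||
        current[key] === undefined) {
      return fallback;
    }
    current = current[key];
  }
  return current;
}

// Constructed sample config with deliberately falsy values.
const sample = {
  session: { maxIdleSeconds: 0, cookieDomain: '' },
  ipFilter: { enabled: false },
};

function compare(path, fallback) {
  return {
    buggy: getBuggy(sample, path, fallback),
    fixed: getFixed(sample, path, fallback),
  };
}

console.log(compare('session.maxIdleSeconds', 900));
console.log(compare('session.cookieDomain', 'example.test'));
console.log(compare('ipFilter.enabled', true));
console.log(compare('session.notSet', 'default'));
```

The same truthiness check also swallows an explicit false, so a feature switched off in configuration can come back as its default.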
Wrong Error Handler Signature
File: vuer_css/server/web/WebServer.js
The Express error handler is missing the next parameter, which may cause Express to not recognize it as an error handler.
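Why the missing parameter matters, as an added example that is not code from vuer_css or from Express: Express treats a middleware as an error handler only when the function declares exactly four parameters, and the dispatch function below is a constructed model of that rule. All function names here are hypothetical.

```javascript
// Added illustration: a constructed model of Express's arity rule, not Express
// itself and not vuer_css code. All names are hypothetical.
function dispatch(layers, req, res, initialError) {
  const trace = [];
  let i = 0;
  function next(err) {
    const fn = layers[i++];
    if (!fn) {
      trace.push(err ? 'default-error-handler' : 'default-404');
      return;
    }
    try {
      if (err) {
        if (fn.length !== 4) return next(err); // not recognised: skipped
        trace.push(fn.name);
        fn(err, req, res, next);
      } else {
        if (fn.length > 3) return next();      // error handlers skipped when no error
        trace.push(fn.name);
        fn(req, res, next);
      }
    } catch (e) {
      next(e);
    }
  }
  next(initialError);
  return trace;
}

function failingRoute(req, res, next) { next(new Error('boom')); }

// Three declared parameters: length is 3, so it is never used for errors.
function brokenHandler(err, req, res) { res.status = 500; res.body = 'error'; }

// Four declared parameters, even though next is unused.
function fixedHandler(err, req, res, next) { res.status = 500; res.body = 'error'; }

function run(handler) {
  const res = {};
  const trace = dispatch([failingRoute, handler], {}, res);
  return { trace, res };
}

console.log(run(brokenHandler)); // falls through to the default handler
console.log(run(fixedHandler));  // custom handler sets the 500 response
```

When the custom handler is skipped, Express's built-in error handler answers instead, and outside NODE_ENV=production its response includes the stack trace.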
Filename Typos
| File | Typo |
|---|---|
| vuer_cv/server/http/exeption_handler.py | "exeption" instead of "exception" |
| vuer_css/client/features/compatibility/kiosk-compatiblity.js | Missing ‘i’ in "compatibility" |
Inconsistent Error Handling (vuer_css)
Socket callbacks inconsistently use:
- cb('error') (string)
- cb(new Error(...)) (Error object)
- cb(err.message) (message string)
setInterval Without Cleanup
File: vuer_css/server/service/IpFilterService.js
Creates interval in constructor, never cleared. Memory leak if service is recreated.
Type Confusion in Error Handling (vuer_cv)
FaceCompareResource returns HTTP 403 for generic exceptions (should be 500). Multiple endpoints use 403 for server errors.
Architecture Issues
Mixed JS/TS
Clarification
Analysis found the codebase is overwhelmingly JavaScript with CommonJS modules. Only one TypeScript type definition file was found in vuer_oss server:
server/service/types/Appointment.types.ts. However, server/db/models.ts (the critical single-point-of-failure file referenced in CLAUDE.md) may use TypeScript with Node’s experimental --experimental-strip-types flag rather than ts-node. The pattern of .js files importing .ts files mentioned in CLAUDE.md may be limited to the DB model layer rather than pervasive across the codebase.
O(n^2) HoloStack
File: vuer_cv/server/cv/holo/holo_stack.py
self.stack = np.append(self.stack, card, 3) copies the entire numpy array on each frame. For n frames, this is O(n^2) memory allocation. Should use pre-allocated buffer or list-then-stack pattern.
numpy-to-JSON Serialization
All numpy arrays are serialized to JSON lists via NumpyEncoder for Redis RPC. Face encodings (512 floats) and landmarks (98x2 floats) are serialized/deserialized on every call. This is a significant performance bottleneck.
Per-Call Process Spawning
File: vuer_cv/server/utils/processing.py
runAsyncProcess() creates a new multiprocessing.Process for each invocation. Used in hologram detection and face distance calculation. Significant overhead per call.
Host Networking
All Docker containers use network_mode: "host", sharing the host’s network namespace. Simplifies communication but eliminates network isolation between services.
In-Container Redis
vuer_oss runs its own Redis instance inside the container instead of using a shared Redis service. Duplicates infrastructure.
God Object Pattern
serviceContainer holds 80+ services, DB, queue, socket, transport, etc. Not a true DI container.
Service Duplication Across Processes
Each vuer_oss entry point (server.js, cron.js, background.js, convert.js, media.js, storage.js, integrationLog.js) re-instantiates many of the same services. Significant startup overhead.
Deprecated Patterns
| Item | Location | Replacement |
|---|---|---|
| pc.addStream(stream) | vuer_css/client/features/webrtc/Peer.js | Use addTrack() |
| pc.onaddstream | vuer_css/client/features/webrtc/Peer.js | Use ontrack |
| Browserify | vuer_css externals | Already using esbuild for main bundles |
| csurf package | All Express apps | Deprecated with known issues |
OCR System Marked for Rewrite
Planned Rewrite
Multiple comments indicate the OCR system is planned for rewrite:
### this logic will be revamped with standardized ocr api development ###
Found in 4 locations:
- vuer_cv/server/cv/document_ocr_engine.py:281
- vuer_cv/server/cv/ocr_engine.py:18
- vuer_cv/server/cv/ocr_engine.py:69
- vuer_cv/server/cv/ocr_engine.py:323
NOSONAR Suppressions (vuer_cv)
14 instances of complexity warnings suppressed on critical methods:
| Method | Location |
|---|---|
| calcHoloMask | Hologram detection |
| getRoisFromMask | Text detection |
| processOutput | Liveness tasks |
| Various | Other CV processing methods |
These suppress SonarQube complexity warnings, which may hide maintainability issues in safety-critical code.
Dead Code
| Location | Issue |
|---|---|
| vuer_css/client/features/webrtc/Peer.js:133-210 | startWatcher() always returns false, entire implementation commented out |
| vuer_css/server.js:158-159 | customerDocuments and flowDocuments RPC clients likely unused |
| vuer_css/server/socket/client.js | Two require lines commented out |
| vuer_css/server/web/WebServer.js:156 | log4js.connectLogger commented out |
| vuer_oss/background.js:87-88 | flowFilter created twice |
Notable Hacks/Workarounds
| # | Hack | Location | Purpose |
|---|---|---|---|
| 1 | Config.js SyntaxError parsing | config.js:27-52 | Manually parses error position from exception string |
| 2 | Spring Cloud Config with promise-retry | Config loading | Complex and potentially slow startup |
| 3 | Undefined value stripping | sequelize.js:36-58 | Global Sequelize hook to work around v6 breaking change |
| 4 | SIGUSR1/SIGUSR2 debug hooks | sequelize.js:100-115 | Direct signal handlers using global.console.log |
| 5 | Session scanning | session.js:4-17 | O(n) scan of ALL sessions to find user’s sessions |
| 6 | Migration via CLI exec | connection/db.js:19 | Shells out to sequelize CLI instead of programmatic API |
| 7 | SmsLog foreign key hack | esign_oss/models.js:101 | Uses customerId as cross-reference instead of proper FK |
| 8 | BackgroundProcess polymorphism | esign_oss/models.js:110-128 | belongsTo 18 different models |
| 9 | Dual PDF signer | esign_oss/SignatureService | Tries new binary, falls back to JAR |
| 10 | Hardcoded temppassword | vuer_oss/server.js:290-292 | Test mode returns 'temppassword' for all temp passwords |
| 11 | contactValidatoin proxy | vuer_oss/server.js:163-167 | Typo deprecation proxy with runtime overhead |
| 12 | Global mutable state | vuer_cv/OcrEngine | CONFUSED_LETTERS and CONFUSED_NUMBERS as class-level mutable lists |
Priority Recommendations
Immediate (Security)
- Replace pickle.loads() with safe deserialization in vuer_cv AppCache
- Replace exec() with execFile() in Janus media conversion
- Implement access controls on data import endpoints
- Sanitize innerHTML usage in vuer_css
Short-Term (Stability)
- Fix CORS mutation race condition in vuer_css
- Add error handling to export services
- Add sorting to endpoint query results
- Increase PBKDF2 iterations to 600,000+
Medium-Term (Architecture)
- Execute the OCR system rewrite
- Replace np.append with pre-allocated buffers in HoloStack
- Implement connection pooling for vuer_cv HTTP clients
- Migrate from Browserify to esbuild for all bundles
- Replace deprecated WebRTC APIs (addStream → addTrack)
Long-Term (Modernization)
- Replace deprecated csurf with modern CSRF protection
- Introduce proper Docker networking (remove host mode)
- Implement shared Redis instead of per-container instances
- Refactor serviceContainer toward proper DI