docs/DECISIONS.md

# DECISIONS.md — Architectural Decision Log

This file documents major architectural decisions and their rationale.

---

## Decision: Dynamic Model Name in System Prompts

**Date:** 2026-02-26

**Context:** Timmy's system prompts hardcoded "llama3.2" but the actual model is "llama3.1:8b-instruct", causing confusion.

**Decision:** Make model name dynamic by:
- Using `{model_name}` placeholder in prompt templates
- Injecting actual value from `settings.ollama_model` at runtime via `get_system_prompt()`

**Rationale:** Single source of truth. If model changes in config, prompts reflect it automatically.

---

## Decision: Unified Repo Root Detection

**Date:** 2026-02-26

**Context:** Multiple places in code detected repo root differently (git_tools.py, file_ops.py, timmy.py).

**Decision:** Add `repo_root` to config.py with auto-detection:
- Walk up from `__file__` to find `.git`
- Fall back to environment or current directory

**Rationale:** Consistent path resolution for all tools.

---

## Decision: XSS Prevention in Mission Control Dashboard

**Date:** 2026-03-02

**Context:** The Mission Control dashboard was using `innerHTML` to render dependency details and recommendations from the `/health/sovereignty` endpoint. While these sources are currently internal, using `innerHTML` with dynamic data is a security risk and violates the "Non-Negotiable Rules" in `AGENTS.md`.

**Decision:** Refactored the JavaScript in `mission_control.html` to use `document.createElement` and `textContent` for all dynamic data rendering.

**Rationale:** This approach provides built-in XSS protection by ensuring that any data from the API is treated as plain text rather than HTML, fulfilling the security requirements of the project.

---

## Add New Decisions Above This Line

When making significant architectural choices, document:
1. Date
2. Context (what problem prompted the decision)
3. Decision (what was chosen)
4. Rationale (why this approach was better than alternatives)
feat: Timmy fixes and improvements (#72) * test: remove hardcoded sleeps, add pytest-timeout - Replace fixed time.sleep() calls with intelligent polling or WebDriverWait - Add pytest-timeout dependency and --timeout=30 to prevent hangs - Fixes test flakiness and improves test suite speed * feat: add Aider AI tool to Forge's toolkit - Add Aider tool that calls local Ollama (qwen2.5:14b) for AI coding assist - Register tool in Forge's code toolkit - Add functional tests for the Aider tool * config: add opencode.json with local Ollama provider for sovereign AI * feat: Timmy fixes and improvements ## Bug Fixes - Fix read_file path resolution: add ~ expansion, proper relative path handling - Add repo_root to config.py with auto-detection from .git location - Fix hardcoded llama3.2 - now dynamic from settings.ollama_model ## Timmy's Requests - Add communication protocol to AGENTS.md (read context first, explain changes) - Create DECISIONS.md for architectural decision documentation - Add reasoning guidance to system prompts (step-by-step, state uncertainty) - Update tests to reflect correct model name (llama3.1:8b-instruct) ## Testing - All 177 dashboard tests pass - All 32 prompt/tool tests pass --------- Co-authored-by: Alexander Payne <apayne@MM.local> 2026-02-26 23:39:13 -05:00			`# DECISIONS.md — Architectural Decision Log`

			`This file documents major architectural decisions and their rationale.`

			`---`

			`## Decision: Dynamic Model Name in System Prompts`

			`Date: 2026-02-26`

			`Context: Timmy's system prompts hardcoded "llama3.2" but the actual model is "llama3.1:8b-instruct", causing confusion.`

			`Decision: Make model name dynamic by:`
			- Using `{model_name}` placeholder in prompt templates
			- Injecting actual value from `settings.ollama_model` at runtime via `get_system_prompt()`

			`Rationale: Single source of truth. If model changes in config, prompts reflect it automatically.`

			`---`

			`## Decision: Unified Repo Root Detection`

			`Date: 2026-02-26`

			`Context: Multiple places in code detected repo root differently (git_tools.py, file_ops.py, timmy.py).`

			Decision: Add `repo_root` to config.py with auto-detection:
			- Walk up from `__file__` to find `.git`
			`- Fall back to environment or current directory`

			`Rationale: Consistent path resolution for all tools.`

			`---`

Security: XSS Prevention in Mission Control Dashboard (#117) * security: prevent XSS in mission control dashboard by using textContent and DOM manipulation instead of innerHTML * docs: document XSS prevention decision in DECISIONS.md 2026-03-02 07:31:27 -05:00			`## Decision: XSS Prevention in Mission Control Dashboard`

			`Date: 2026-03-02`

			Context: The Mission Control dashboard was using `innerHTML` to render dependency details and recommendations from the `/health/sovereignty` endpoint. While these sources are currently internal, using `innerHTML` with dynamic data is a security risk and violates the "Non-Negotiable Rules" in `AGENTS.md`.

			Decision: Refactored the JavaScript in `mission_control.html` to use `document.createElement` and `textContent` for all dynamic data rendering.

			`Rationale: This approach provides built-in XSS protection by ensuring that any data from the API is treated as plain text rather than HTML, fulfilling the security requirements of the project.`

			`---`

feat: Timmy fixes and improvements (#72) * test: remove hardcoded sleeps, add pytest-timeout - Replace fixed time.sleep() calls with intelligent polling or WebDriverWait - Add pytest-timeout dependency and --timeout=30 to prevent hangs - Fixes test flakiness and improves test suite speed * feat: add Aider AI tool to Forge's toolkit - Add Aider tool that calls local Ollama (qwen2.5:14b) for AI coding assist - Register tool in Forge's code toolkit - Add functional tests for the Aider tool * config: add opencode.json with local Ollama provider for sovereign AI * feat: Timmy fixes and improvements ## Bug Fixes - Fix read_file path resolution: add ~ expansion, proper relative path handling - Add repo_root to config.py with auto-detection from .git location - Fix hardcoded llama3.2 - now dynamic from settings.ollama_model ## Timmy's Requests - Add communication protocol to AGENTS.md (read context first, explain changes) - Create DECISIONS.md for architectural decision documentation - Add reasoning guidance to system prompts (step-by-step, state uncertainty) - Update tests to reflect correct model name (llama3.1:8b-instruct) ## Testing - All 177 dashboard tests pass - All 32 prompt/tool tests pass --------- Co-authored-by: Alexander Payne <apayne@MM.local> 2026-02-26 23:39:13 -05:00			`## Add New Decisions Above This Line`

			`When making significant architectural choices, document:`
			`1. Date`
			`2. Context (what problem prompted the decision)`
			`3. Decision (what was chosen)`
			`4. Rationale (why this approach was better than alternatives)`