After TL4 went live, I commissioned a second full codebase audit. Not because anything had broken — but because building at speed accumulates debt you can’t see until you stop and look.
199 findings across 7 audit units. Every module, every integration, every boundary.
The fixes came in waves. FIX-1 through FIX-19 covered everything from DNS rebinding in the sidecar to input bounds and injection guards, scanner hardening, channel resilience with circuit breakers, and sanitising error messages so internal details don’t leak to external callers. SYS-1 through SYS-7 tackled the structural stuff — removing event loop blocking, adding timeouts to every entry point (orchestrator, API, sandbox, SMTP, CalDAV, IMAP), shutdown coordination with task draining, bounded table growth with retention cleanup, and fixing a subtle bug where the leak detector’s Mutex was serialising all requests.
The session concurrency fix (SYS-4) was particularly satisfying. Per-session locks and atomic risk score updates replaced what had been a shared-state race condition waiting to happen. The kind of bug that works fine with one user and falls apart with two.
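To make the shared-state race concrete, here is an added example (not code from the original post or its codebase) that models a session risk score as an asyncio read-modify-write with an await in the middle, then compares three strategies: no lock, one global mutex, and one lock per session. The class and method names (`RacyStore`, `PerSessionLockStore`, `bump_risk`) are assumptions for illustration only. It also records peak in-flight updates, which shows why a single global mutex, like the leak detector's, serialises unrelated sessions while per-session locks do not.

```python
import asyncio
from collections import defaultdict


class SessionRiskStore:
    """Base class (hypothetical): per-session integer risk scores plus an
    in-flight counter used only to observe how much concurrency each
    locking strategy permits."""

    def __init__(self) -> None:
        self.risk = defaultdict(int)
        self.in_flight = 0
        self.max_in_flight = 0

    async def _read_modify_write(self, session_id: str, delta: int) -> int:
        # The await between the read and the write is where another task
        # can interleave and cause a lost update.
        self.in_flight += 1
        self.max_in_flight = max(self.max_in_flight, self.in_flight)
        current = self.risk[session_id]
        await asyncio.sleep(0)  # stands in for persisting an audit event
        self.risk[session_id] = current + delta
        self.in_flight -= 1
        return self.risk[session_id]


class RacyStore(SessionRiskStore):
    """No lock: concurrent bumps on one session overwrite each other."""

    async def bump_risk(self, session_id: str, delta: int) -> int:
        return await self._read_modify_write(session_id, delta)


class GlobalLockStore(SessionRiskStore):
    """One mutex for everything: correct, but every session waits on every other."""

    def __init__(self) -> None:
        super().__init__()
        self._lock = asyncio.Lock()

    async def bump_risk(self, session_id: str, delta: int) -> int:
        async with self._lock:
            return await self._read_modify_write(session_id, delta)


class PerSessionLockStore(SessionRiskStore):
    """One lock per session: same-session bumps serialise, different sessions overlap."""

    def __init__(self) -> None:
        super().__init__()
        self._locks = defaultdict(asyncio.Lock)

    async def bump_risk(self, session_id: str, delta: int) -> int:
        async with self._locks[session_id]:
            return await self._read_modify_write(session_id, delta)


async def _hammer(store, sessions, per_session):
    # Fire every bump at once, as concurrent requests from several users would.
    await asyncio.gather(
        *(store.bump_risk(s, 1) for s in sessions for _ in range(per_session))
    )
    return {s: store.risk[s] for s in sessions}, store.max_in_flight


def run_demo(per_session: int = 50) -> dict:
    """Run all three strategies on two constructed sessions and report the
    final scores and the peak number of updates in flight at once."""
    sessions = ("sess-A", "sess-B")  # constructed sample session ids

    async def main():
        out = {}
        for name, cls in (("racy", RacyStore),
                          ("global_lock", GlobalLockStore),
                          ("per_session", PerSessionLockStore)):
            scores, peak = await _hammer(cls(), sessions, per_session)
            out[name] = {"scores": scores, "peak_concurrency": peak}
        return out

    return asyncio.run(main())


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:12s} scores={dict(result['scores'])} "
              f"peak_concurrency={result['peak_concurrency']}")
```

The racy store ends with a score of 1 per session no matter how many bumps ran, because every task read 0 before any wrote back. The global lock gets the arithmetic right but never lets more than one update run at a time across all sessions; the per-session locks give the same correct totals while letting the two sessions proceed in parallel.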
The hardest part wasn’t any individual fix — it was maintaining confidence that each change didn’t break something else. Every fix got its own tests. Every systemic improvement got integration verification. The test count climbed past 3,000.
By the end of it, the codebase was measurably harder to exploit, more resilient to failure, and cleaner than it had ever been. The audit paid for itself ten times over.