Nexus Dev 0c29013931 docs: complete project research

2026-04-03 23:53:14 +00:00

97 KiB

Raw Blame History

Domain Pitfalls — Nexus Fork of Paperclip

Domain: Forked open-source project with display-layer renames, no i18n layer Researched: 2026-04-02 (updated for v1.5 milestone: smart onboarding, multi-provider, voice TTS, persistent memory, assistant mode, npx buildthis) Updated: 2026-04-03 (v1.6 milestone: server-side Whisper STT, server-side Piper TTS, Telegram bridge) Confidence: HIGH — based on direct codebase analysis of /opt/nexus/ plus targeted research on each new integration domain

About This Document

This file covers pitfalls for the v1.5 and v1.6 milestone additions. The original pitfalls (Pitfalls 1–11) covering fork hygiene, display-layer rename discipline, and upstream sync remain valid and are preserved below. Pitfalls 12–26 are new for v1.5. Pitfalls 27–44 are new for v1.6 (voice pipeline + Telegram bridge).

Critical Pitfalls (Fork Hygiene — v1.0–1.4, still active)

Pitfall 1: Renaming a Code Identifier That Is Also a Stored DB Value

What goes wrong: You rename a TypeScript constant, CLI command, or function to use the new Nexus vocabulary, not realising the same string is also stored as a literal value in database rows. The app breaks for any existing installation because the server checks approval.type === "hire_agent" but the DB still has "hire_agent" rows.

Why it happens: In Paperclip the same string serves double duty: it is both a TypeScript constant/enum and a persisted DB value. The CONCERNS.md audit identifies these dual-purpose strings explicitly: "ceo", "hire_agent", "approve_ceo_strategy", "bootstrap_ceo", "company" in goal levels, "board" in auth challenges.

How to avoid:

Treat every string in the Summary Risk Table (CONCERNS.md) marked "Critical" as immutable.
For display renaming only: change label maps (AGENT_ROLE_LABELS, ApprovalPayload display maps) without touching the underlying constant value.
Before touching any string, grep for it in packages/db/src/schema/ and migration files.

Warning signs:

Any string appearing in packages/db/src/schema/ or migration files
Approval, invite, and goal lists empty on existing install but work on fresh install

Phase to address: Phase 1 (Display Rename)

Pitfall 2: Treating "Display-Only Rename" as a Simple Find-Replace

What goes wrong: Bulk sed or IDE find-replace on "company" → "workspace" across the entire codebase. Touches service files, route files, schema files, and test files indiscriminately. The next git rebase upstream/master has conflicts on hundreds of files.

Why it happens: "Display-only" is a policy decision, not a property the codebase enforces. Nothing in the TypeScript source distinguishes a user-facing label string from an internal identifier.

How to avoid:

Establish a strict three-zone taxonomy: Zone A (display strings, safe), Zone B (code identifiers, do not rename), Zone C (dual-purpose stored values, label map only).
Never run a global find-replace. Work file-by-file.

Warning signs:

PR diff touching server/src/services/, server/src/routes/, or packages/db/ with rename changes
Diff showing TypeScript identifier name changes (not JSX string literals)

Phase to address: Phase 1 (Display Rename)

Pitfall 3: Diverging the Onboarding Assets Directory Name From Upstream

What goes wrong: Renaming server/src/onboarding-assets/ceo/ to pm/. Upstream changes a file inside ceo/ in a future commit. Git cannot reconcile rename-on-one-side with content-edit-on-other.

How to avoid: Do not rename the ceo/ directory. Change file content only. The directory path is Zone B.

Warning signs: Rebase conflict shows a file as "deleted" that you expected to be "modified."

Phase to address: Phase 1 (Onboarding Redesign)

Pitfall 4: Changing the `localStorage` Key or `~/.paperclip` Config Path Without a Migration

What goes wrong: Renaming "paperclip.selectedCompanyId" localStorage key or ~/.paperclip config path drops all existing state.

How to avoid: Keep key names unchanged OR implement a read-both-paths fallback that migrates existing values on boot before deleting the old key.

Warning signs: Server logs "no config found, starting fresh" on a machine with existing data.

Phase to address: Phase 2 (Directory Restructure)

Pitfall 5: Upstream Rebase Cadence Slipping Below Weekly

What goes wrong: Fork drift. Upstream has 120+ commits since fork. Waiting accumulates compound conflicts. A 10-minute weekly rebase becomes 4 hours after a month gap.

How to avoid: Rebase at minimum weekly. [nexus] commit prefix strictly enforced. CI alert on git rebase upstream/master failures in a test branch.

Warning signs: Last rebase more than 2 weeks ago; git log upstream/master..HEAD shows more than 20 upstream commits unmerged.

Phase to address: Ongoing from Phase 1

Pitfall 6: Renaming the CLI Binary Name Without a Shim

What goes wrong: Renaming to nexus without updating all four locations where paperclipai appears as an instructional string.

How to avoid: Add nexus as an alias; keep paperclipai binary working. If renaming, atomic commit covering all instructional copy.

Phase to address: Phase 1 (CLI String Updates)

Pitfall 7: Partial Rename — Changing Some Occurrences But Not All

What goes wrong: "CEO" renamed in 8 of 12 files. Users see mixed vocabulary.

How to avoid: Post-rename grep -ri "CEO" ui/src cli/src server/src and verify every remaining occurrence is Zone B/C or non-user-visible.

Phase to address: Phase 1 (Display Rename)

Pitfall 8: The `[nexus]` Commit Prefix Not Applied Consistently From the Start

What goes wrong: Without consistent prefixing, rebase archaeology becomes necessary to identify which commits are Nexus vs. upstream.

How to avoid: Pre-commit hook rejecting messages not starting with [nexus] from the first commit.

Phase to address: Phase 1 (First commit)

Pitfall 9: Onboarding Redesign Coupled to the Corporate Metaphor in Data Layer

What goes wrong: New wizard does not pass a company name; POST /api/companies requires it. Company created with undefined name.

How to avoid: Document API contract before redesigning wizard. Derive workspace name from directory basename (or VOCAB.appName as fallback — which NexusOnboardingWizard.tsx already does correctly).

Phase to address: Phase 2 (Onboarding Redesign)

Pitfall 10: Forgetting to Update Tests That Assert on Display Strings

What goes wrong: invite-onboarding-text.test.ts asserts invite text contains "CEO." After rename, tests fail.

How to avoid: Before any rename commit, grep all *.test.ts files for old vocabulary terms and update in the same commit.

Phase to address: Phase 1 (Display Rename)

Pitfall 11: Exporting a `.nexus.yaml` File While Upstream Exports `.paperclip.yaml`

What goes wrong: Breaking import compatibility with upstream Paperclip instances.

How to avoid: Keep emitting .paperclip.yaml. The filename and schema header are Zone B/C.

Phase to address: Phase 1 (Display Rename)

Critical Pitfalls (v1.5 New Features)

Pitfall 12: Vite Alias Swap Breaking Upstream Rebase on OnboardingWizard

What goes wrong: The current pattern aliases src/components/OnboardingWizard → NexusOnboardingWizard at build time via vite.config.ts. If upstream renames, moves, or splits OnboardingWizard.tsx into multiple files, the alias silently points to a non-existent target — the build succeeds (the alias target exists) but the import resolution breaks at runtime in any code path that imports the upstream file by a new name.

More critically: when v1.5 replaces the simple wizard with a multi-step hardware-detection wizard, the alias target NexusOnboardingWizard.tsx grows significantly. Upstream may add new features to OnboardingWizard.tsx (new props, context dependencies) that NexusOnboardingWizard.tsx silently misses, since it fully replaces rather than extends the upstream file.

Why it happens: Full file replacement via Vite alias means no inheritance from upstream. Every upstream improvement to the wizard is silently discarded.

How to avoid:

After each upstream rebase, diff OnboardingWizard.tsx against the previous upstream version: git diff upstream-prev..upstream-new -- ui/src/components/OnboardingWizard.tsx. If upstream adds new props or context hooks, integrate them into NexusOnboardingWizard.tsx.
Keep NexusOnboardingWizard.tsx surface API identical to OnboardingWizard.tsx (same component name export, same props interface as far as upstream is concerned).
Add a CI check: test -f ui/src/components/OnboardingWizard.tsx — verify the aliased-away file still exists with its expected export.

Warning signs:

NexusOnboardingWizard.tsx not using a DialogContext or CompanyContext hook that upstream's version uses
After rebase, pnpm dev fails with "cannot find module" for the alias source path
The multi-step wizard is missing features that upstream added (e.g., invite-based onboarding, workspace templates)

Phase to address: Phase 1 (Hardware Detection Wizard) — before building the multi-step v1.5 wizard, establish a diff-and-integrate protocol for this alias.

Pitfall 13: Hardware Detection Returning Inaccurate or Platform-Specific Values

What goes wrong: The v1.5 hardware detection step must surface GPU/RAM to recommend Ollama models. Two platform-specific traps exist on the Mac Mini M4 deploy target:

VRAM is not VRAM on Apple Silicon. The M4 uses unified memory — the same physical RAM serves both CPU and GPU. os.totalmem() in Node.js returns total unified memory. Reporting this as "VRAM available for Ollama" misleads: Ollama on Apple Silicon uses a portion of unified memory, but the OS, browser, and other processes also consume it. Treating totalmem × 0.75 as GPU-available VRAM overestimates for models that also need system RAM headroom.
os.totalmem() reads total installed RAM, not available RAM. The existing getRecommendedModel() in server/src/services/ollama.ts already applies a 0.75 multiplier to account for OS overhead, but it uses total RAM, not free RAM. If the system is under load (Paperclip server + Ollama already running), available RAM is far lower than 75% of total.

Why it happens: Node.js os module has totalmem() and freemem() but no VRAM API. Browser WebGL UNMASKED_RENDERER gives GPU name but not VRAM size; actual VRAM queries are blocked by browser security sandboxing. Developers reach for the most accessible number.

How to avoid:

Use os.freemem() (not totalmem()) as the baseline for available-RAM recommendations when Ollama is already running.
On Apple Silicon, explicitly document in UI copy that "available memory" is unified memory shared with OS, not dedicated GPU VRAM.
Treat hardware detection values as hints, not guarantees. Add a message: "Recommendation based on system RAM. Actual performance may vary."
The pre-built model catalog (ollama-model-catalog.json) is the right layer for model-to-RAM requirements; use it as the authoritative source rather than computing from raw hardware numbers.

Warning signs:

Model recommendation shows "fits in memory" but Ollama OOM-kills it at load time
M4 Mac Mini reports 16GB available for models but the system has 16GB total (OS needs 4–6GB)
AMD GPU users see wildly incorrect VRAM numbers (confirmed bug in Ollama's VRAM detection for AMD/Vulkan as of 2025)

Phase to address: Phase 1 (Hardware Detection) — define detection methodology before building the UI layer.

Pitfall 14: The Onboarding Probe Running at the Wrong Authentication Level

What goes wrong: The existing adapter probe endpoint (GET /adapters/:type/probe) requires board authentication (req.actor.type !== "board"). The v1.5 onboarding wizard runs during first-time setup — before the user has authenticated. If the probe is called before board auth is established, every probe returns 403, the wizard always falls back to claude_local, and the user never gets the Hermes auto-detection benefit.

This is the exact scenario the current NexusOnboardingWizard.tsx is vulnerable to: it calls agentsApi.probeAdapter("hermes_local") on wizard open, but if the user arrives at the onboarding page without board auth (fresh install, incognito session), the probe silently fails and defaultAdapter stays "claude_local".

Why it happens: Board auth is the right guard for post-setup adapter operations. But hardware detection and provider probing are legitimately pre-auth operations — you want to present the right setup path before any credentials exist.

How to avoid:

Create a separate GET /system/providers endpoint that does not require board auth. It returns available local providers (Ollama status, Hermes status) based purely on server-side detection (no user credentials needed).
Alternatively, make the probe endpoint check auth level: if no board auth exists (fresh install), allow the probe to run unauthenticated for a whitelist of safe probe types (hermes_local, ollama).
Never gate hardware detection on user credentials — hardware is a property of the machine, not the user session.

Warning signs:

Browser network tab shows 403 on the probe call during onboarding
defaultAdapter in the wizard is always "claude_local" even when Ollama/Hermes are running
Probe works in the settings page (user is auth'd) but not during initial onboarding

Phase to address: Phase 1 (Hardware Detection) — the probe auth story must be designed before the multi-step wizard is built.

Pitfall 15: Puter.js "Zero-Config" Promise Breaking on Paperclip's Server-Side Architecture

What goes wrong: Puter.js is designed for purely browser-side use: load the CDN script, call puter.ai.chat(), Puter handles auth via its own popup login flow. Nexus/Paperclip proxies AI calls through the server (/api/chat, /api/agents). If Puter.js is loaded browser-side and calls Puter's servers directly, it bypasses Paperclip's cost tracking, budget enforcement, session codec, and skill sync entirely.

This creates a split-brain: the Puter adapter sends messages to Puter's cloud while Paperclip's adapter system thinks the agent is using a different provider. Cost tracking shows $0 for Puter sessions. Heartbeat and session management are not wired up.

Why it happens: Puter.js is documented as a CDN-loaded browser library with client-side auth. The natural integration is to <script src="https://js.puter.com/v2/"> and call the API directly. But Paperclip's architecture requires all AI calls to go through server-side adapter machinery.

How to avoid:

Implement Puter as a server-side adapter that calls Puter's API from Node.js using HTTP (not the browser SDK). The Puter API is callable via standard HTTP — use fetch() on the server, not the browser SDK.
The server-side Puter adapter must implement the full adapter contract: spawn, heartbeat, sessionCodec, configFields (see packages/adapters/ pattern).
If browser-side Puter SDK is needed for auth popup (Puter uses its own account system), implement auth as a UI-only step that retrieves a Puter token, then stores that token in Paperclip's adapter config for server-side use.
Confirm Puter's rate limiting behavior for server-side calls. Puter's "free unlimited" claim applies to personal/hobby use; verify terms before treating it as production-grade.

Warning signs:

Puter.js loaded via <script> CDN tag in the app shell
Cost tracking shows $0 for all Puter-backed agent sessions
puter.ai.chat() calls appearing in browser network tab (not proxied through /api/)

Phase to address: Phase 2 (Zero-Config Cloud / Puter.js)

Pitfall 16: OAuth Token Storage in `localStorage` Creating Security and Rebase Risk

What goes wrong: The natural place to store OAuth access tokens in an SPA is localStorage. But:

localStorage is accessible to any JS on the page — XSS vulnerabilities can steal tokens.
Paperclip already uses localStorage with "paperclip.*" prefixed keys. Any Nexus key added with "nexus.*" prefix will need a migration if the key name is ever changed, per Pitfall 4.
OAuth refresh token rotation (required for Google/OpenAI free tiers) must clear-and-rewrite the stored token on every refresh. If this fails mid-write (e.g., browser close), the user is logged out and must re-authenticate.

Why it happens: localStorage is the default that every OAuth tutorial reaches for in SPA context. The PKCE security guidance says to use sessionStorage for the code verifier but often developers apply localStorage for the actual access token.

How to avoid:

Store OAuth tokens server-side in Paperclip's existing config/secrets mechanism (server/src/secrets/). The server does the OAuth exchange and stores the token; the browser never sees the raw token.
Use Paperclip's existing board auth cookie mechanism to gate whether the OAuth integration is enabled — do not create a separate browser-side auth session for each OAuth provider.
If browser-side token storage is unavoidable, use sessionStorage (not localStorage) for OAuth code verifiers; store refresh tokens server-side only.
For the state parameter in PKCE flow: generate a cryptographically random state with crypto.getRandomValues(), store in sessionStorage, verify on redirect.

Warning signs:

window.localStorage.getItem("nexus.oauth.google.accessToken") or similar in browser DevTools
OAuth token visible in network requests from browser to Google/OpenAI APIs (not proxied through Paperclip server)
Re-authentication required after browser restart (session not persisting correctly)

Phase to address: Phase 3 (OAuth Cloud Tier)

Pitfall 17: Multi-Provider Onboarding Creating Multiple Competing Default Adapters

What goes wrong: v1.5 adds multiple provider tiers: local Ollama/Hermes, free cloud Puter.js, OAuth Google Gemini/OpenAI, and subscription detection (Claude Code, OpenClaw). If a user configures more than one provider during onboarding, the resulting agents get created with the adapter config from the onboarding summary step. But Paperclip's agent model is one-adapter-per-agent. If the wizard creates agents without being explicit about which provider wins, agents may be created with inconsistent adapter types (one with hermes_local, another with puter_cloud), creating a confusing mixed-provider workspace.

The deeper trap: the onboarding wizard currently creates exactly 2 agents (PM + Engineer) with identical adapter config. v1.5 may want different agents on different providers (e.g., assistant on Puter, PM on Hermes). This is a valid architecture but requires explicit per-agent provider selection, which the current wizard doesn't support.

Why it happens: Multi-provider selection UX tends to present all providers as equally valid, then requires a tie-breaking decision the wizard may not have asked the user to make.

How to avoid:

Make the onboarding wizard select ONE primary provider and create all initial agents on that provider. Secondary provider credentials can be stored for later use (configuring individual agents from the settings page).
If the mode selection is "Personal AI Assistant," create the assistant agent on the highest-quality available provider (subscription > OAuth > Puter > local).
If the mode selection is "Project Builder," create PM + Engineer on the local/privacy-first provider since these agents run autonomously and should not require cloud API credits per task.
Document the provider selection logic explicitly in code comments.

Warning signs:

PM agent created with hermes_local, Engineer created with puter_cloud after the same onboarding flow
"Recommended provider" badge in wizard applied to multiple providers simultaneously
Users confused about which API credits are being used for which agents

Phase to address: Phase 1 (Mode Selection) — define the provider-per-mode rule before building the selection UI.

Pitfall 18: Voice TTS (Piper) Cold Start Blocking the First Spoken Response

What goes wrong: Piper TTS (browser WASM implementation) downloads the voice model on the first synthesis call. This means the first time a user activates TTS, they wait 5–30 seconds for the model to download before hearing anything. Without user feedback, this appears as a hang or broken feature.

A secondary trap: the WASM Piper phonemizer does not always match the phoneme mapping expected by every Piper voice model. Using a voice model that was compiled for a different language variant (e.g., an en_GB model on a browser Piper instance expecting en_US phoneme tables) produces garbled or silent output.

Why it happens: Browser-based Piper TTS stores models in the Origin Private File System (OPFS). The first call triggers the download. Developers who test Piper locally after the first call never encounter the cold start because the model is already cached.

How to avoid:

Pre-warm Piper on background thread during onboarding (after the voice step is confirmed, not on first message). Use a silent warmup synthesis ("...") to trigger model download before the user expects to hear anything.
Show a download progress indicator on the TTS toggle — not a spinner (implies in-progress work) but a "preparing voice model" state with estimated download size.
Limit initial voice model choices to stable Piper models with confirmed browser WASM compatibility. Avoid offering non-English models unless specifically verified.
Store pre-downloaded voice models in OPFS; on subsequent loads, check navigator.storage.getDirectory() before re-downloading.

Warning signs:

TTS button appears responsive (toggles on) but no audio plays for 15+ seconds
Voice model download appears in DevTools network tab on the first "speak" action
Users reporting "the voice feature is broken" on first use but "works fine" on subsequent uses

Phase to address: Phase 4 (Voice TTS) — warmup strategy must be designed before the TTS toggle is wired up.

Pitfall 19: Persistent Memory Injecting Sensitive Data Into System Prompts

What goes wrong: The Personal AI Assistant stores memories (user preferences, past conversation summaries, project context) to inject into future system prompts. Two failure modes:

Prompt injection via stored memory. If memory content is retrieved from external sources (web fetch, document import, MCP tools) and stored verbatim, malicious content in those sources gets injected into future system prompts with elevated priority. Palo Alto Unit 42 documented this attack vector in 2025: memory-poisoning allows persistent malicious instructions affecting agent behavior across sessions.
Sensitive data leaking between sessions. If the assistant stores a memory like "user's Stripe API key is sk_live_..." (from a pasted credential) and that memory surfaces in a future session with a different context (e.g., a Puter.js provider that logs requests), the credential leaks.

Why it happens: Memory systems treat all content as equal. The distinction between "safe user preference" and "sensitive credential that should never be persisted" is not obvious at write time.

How to avoid:

Apply rule-based filters at write time: never store content matching secret patterns (API key regexes, tokens, passwords). Use a blocklist of patterns before persisting any memory fragment.
Sanitize memory content before injecting into system prompts — strip any content between < > tags, backtick blocks, or content that looks like instruction syntax.
For MCP tool results that become memory, apply the same sanitization as user-pasted content.
Implement memory scoping: memories should only surface in sessions with the same mode (assistant memories should not surface in project builder sessions).

Warning signs:

Memory fragments containing "api_key", "token", "password", "secret" stored in the memory DB
A stored memory from a previous session altering agent behavior in unexpected ways
MCP tool output (e.g., fetched web page content) appearing verbatim in system prompts

Phase to address: Phase 5 (Persistent Memory) — memory schema must include sanitization at write time before any memory is persisted.

Pitfall 20: MCP Integration Conflicting With Paperclip's Existing Tool/Skill System

What goes wrong: Paperclip has its own skill/tool system (AdapterSkillSnapshot, AdapterSkillEntry, company-skills.ts). MCP also defines tools. If an MCP server exposes a tool named "terminal" or "file_read" and Paperclip's skill system also has these (used in Hermes heartbeat prompt templates), the agent receives duplicate or conflicting tool definitions. The LLM may call the MCP version when the Paperclip version was intended, bypassing Paperclip's permission and cost tracking.

Additionally, MCP uses SSE as its transport, which is deprecated in the latest MCP spec (June 2025 spec prefers Streamable HTTP). If the MCP server is implemented with SSE transport, it will need migration as MCP clients drop SSE support.

Why it happens: MCP tool names are unscoped — any tool named "terminal" is "terminal". The collision with Paperclip's native tools is invisible until an agent calls the wrong one. Developers add MCP without auditing for name collisions.

How to avoid:

Use Streamable HTTP transport for the MCP server (not SSE, which is deprecated as of MCP spec 2025-06-18).
Prefix all Nexus-registered MCP tools with a namespace: nexus_memory_read, nexus_memory_write, nexus_context_set, etc.
Before exposing any MCP tool, check it against the list of tool names in TOOLS.md (Hermes skill bundle). If there is a collision, rename the MCP tool.
TypeScript interface pitfall: when defining structuredContent types for MCP tool responses, use type aliases not interface declarations — interfaces lack implicit index signatures and cause TypeScript assignment errors with { [key: string]: unknown }.

Warning signs:

Agent calling terminal tool but the call is going to MCP server, not Paperclip's exec sandbox
TypeScript compile errors: "Type 'XInterface' is not assignable to type '{ [key: string]: unknown }'"
MCP server implemented with sse transport (use streamable-http instead)

Phase to address: Phase 5 (MCP Integration)

Pitfall 21: `npx buildthis` Conflicting With an Existing Paperclip CLI Entry Point

What goes wrong: The npx buildthis entry point must add a new bin entry to the Nexus package. Paperclip's CLI already has bin.paperclipai. If buildthis is added to a package that does not yet exist on npm (or is published under a different name), npx buildthis will either: (a) fetch the wrong package from npm (there are existing npm packages named buildthis), or (b) fail with "package not found" because the Nexus fork is not on npm.

A secondary trap: npx installs packages temporarily in a user's npm cache. If npx buildthis is run on a machine that already has npx cached from a previous install, it may use the old version without the latest onboarding flow.

Why it happens: npx resolves package names from the public npm registry first. If the package name collides with an existing npm package, users get the wrong thing. If the package is private (Forgejo only), npx cannot find it by default.

How to avoid:

Before naming the CLI entry buildthis, search npm: npm search buildthis — verify there is no collision. If there is, choose nexus-buildthis or @yourusername/buildthis (scoped package).
Since Nexus is deployed on a Mac Mini for single-user use, npx buildthis likely resolves to a local package reference rather than npm. Document this explicitly: npx /path/to/nexus/packages/cli buildthis or publish to a private registry.
For first-run detection: check for ~/.paperclip (or ~/.nexus) existence before running full onboarding; if config exists, route to the "already configured" path.

Warning signs:

npx buildthis prints output from an unrelated npm package
CLI help text shows incorrect version (cached from npm, not local build)
npm info buildthis returns a package that is not Nexus

Phase to address: Phase 6 (npx buildthis CLI)

Moderate Pitfalls (v1.5)

Pitfall 22: Multi-Step Onboarding Wizard Breaking the "Every Step Skippable" Requirement

What goes wrong: The v1.5 onboarding has many steps: mode selection, hardware detection, local AI setup, voice, Puter.js, OAuth, subscription detection, summary, and straight-into-chat. As the wizard grows, "every step skippable" becomes hard to maintain because steps develop implicit dependencies:

The summary step shows "selected providers" — if you skip all provider steps, the summary is empty and the wizard has no actionable result.
The voice step configures Piper — if it's skipped, the voice feature is silently disabled without telling the user.
OAuth setup creates credentials — if skipped after starting the OAuth popup, the popup tab is orphaned.

Why it happens: Step dependencies are added incrementally as each step is built. By the time all steps exist, the skip logic has edge cases that weren't anticipated.

How to avoid:

Define the "skip all" state explicitly before building any step: what does a fully-skipped onboarding produce? Answer: one workspace, one agent, Hermes or claude_local as default, no voice, no OAuth, no memory. Make this the minimum valid state.
Code the summary step to present a useful state even when every step is skipped.
Treat OAuth flows specially: if a user starts an OAuth popup (opens Google auth window) and then closes the wizard, cancel the OAuth state cleanly. Never leave orphaned OAuth state.

Warning signs:

Summary step shows empty provider list when all steps are skipped
"Skip" button disabled on certain steps
Closing the wizard mid-OAuth leaves the OAuth callback URL still active

Phase to address: Phase 1 (Mode Selection) — define the skip-all state as a test case before building any step.

What goes wrong: The Personal AI Assistant has its own conversation context: user preferences, daily notes, personal projects. The Project Builder has PM + Engineer agents working on specific code issues. If both modes share the same conversations table without a mode discriminator, the assistant's personal context bleeds into project sessions and vice versa.

A user asking the assistant "remind me what I was working on yesterday" should not surface issues from the Project Builder's agent task queue. An agent executing a coding task should not have the user's personal assistant context injected into its system prompt.

Why it happens: The conversations table is generic. Adding a mode column or agent_type discriminator requires a DB schema change, which is out of scope for Nexus (no migrations). Without a schema change, mode separation must be achieved through metadata conventions.

How to avoid:

Since DB schema changes are out of scope, use the existing conversation metadata/tagging system (if available) to tag conversations as assistant vs. agent. Filter on this tag when fetching conversation history.
If no tagging system exists, use the agent's role field as a discriminator: conversations involving a role: "ceo" or role: "engineer" agent are project builder context; conversations with a dedicated assistant agent are personal assistant context.
The personal assistant agent should have a distinct adapterType or name pattern that makes it queryable as a filter.

Warning signs:

Assistant surfacing agent task IDs or issue numbers when answering personal questions
Project Builder agents including personal notes in their task context
conversations table query returns mixed results from both modes

Phase to address: Phase 2 (Mode Selection / Assistant Mode) — define the conversation isolation strategy before creating the assistant agent.

Pitfall 24: Subscription/API Key Auto-Detection Creating False Positives

What goes wrong: The onboarding tries to auto-detect existing Hermes, Claude Code, and OpenClaw subscriptions. Each of these works differently:

Hermes: probe the local adapter (existing probeAdapter endpoint)
Claude Code: check for ~/.claude/ directory or claude binary in PATH
OpenClaw: check for an OpenClaw-specific config file or env var

False positives occur when: a Claude Code config exists but the API key is expired; an OpenClaw config file exists but the subscription is cancelled; a claude binary exists but is the wrong version for the adapter.

Showing "Claude Code detected — ready to use" when the subscription is inactive is worse than not detecting it, because the user proceeds with a broken setup.

Why it happens: Presence of config files or binaries does not guarantee valid credentials or active subscriptions. The only reliable detection is making an actual API call, which has latency implications for onboarding.

How to avoid:

Distinguish between "binary/config present" (detected) and "API call succeeded" (verified). Show "detected" state immediately but show "verified" state only after a lightweight API validation call.
For expensive verification calls, do them in parallel with a timeout. If verification times out, show "detected but unverified" rather than "ready to use."
Never block onboarding progress on subscription verification. Mark unverified detections prominently and let the user proceed, then verify asynchronously.

Warning signs:

Onboarding step shows "Claude Code ready" but first agent run fails with auth error
Detection step takes more than 3 seconds (verification calls blocking UI)
Config file present but API key revoked 6 months ago

Phase to address: Phase 3 (Subscription/API Key Auto-Detection)

Minor Pitfalls (v1.5)

Pitfall 25: Project Handoff from Assistant Conversation Losing Context

What goes wrong: "Project handoff: assistant conversation → PM with context transfer" is a v1.5 requirement. The naive implementation creates a new issue in the project from the assistant conversation summary. But the handoff loses: branching context (which assistant conversation branch), attachment references (files uploaded in the assistant chat), and the interim decisions the user made during the assistant conversation.

How to avoid:

Handoff should carry: (a) conversation ID or branch ID as a reference, (b) a structured summary (not just free text), and (c) attachment IDs from the assistant conversation.
The PM agent receiving the handoff should be able to GET /api/chat/conversations/{id} to retrieve the full context if needed.
Do not flatten the handoff context into the issue title/description alone — preserve the conversation reference.

Phase to address: Phase 5 (Persistent Memory + Assistant Mode)

Pitfall 26: `ollama-model-catalog.json` Becoming Stale as New Models Are Released

What goes wrong: The pre-built model catalog (server/src/data/ollama-model-catalog.json) hard-codes RAM/VRAM requirements per model name. Ollama releases new model versions and new model families frequently. A user who installs a new model after the catalog was last updated gets no recommendation reason — the model is silently marked recommended: false with recommendationReason: null because it is not in the catalog.

The existing code in getRecommendedModel() silently skips models not in the catalog (const entry = catalogMap.get(model.name); if (!entry) continue;). A model installed as llama3.3:latest may not match a catalog entry for llama3.3:70b-instruct-q4_K_M.

How to avoid:

Implement a fallback heuristic: if a model is not in the catalog, estimate RAM requirements from the model's parameterSize and quantization fields that Ollama already returns. A 7B Q4_K_M model reliably fits in ~5GB.
Normalize model name matching — strip version tags and match on family+quantization pattern, not exact name string.
Document the catalog update process: when to update it, who owns it, and how to add new families.

Phase to address: Phase 1 (Hardware Detection / Model Recommendations)

Critical Pitfalls (v1.6 — Voice Pipeline + Telegram Bridge)

Pitfall 27: Audio Format Mismatch Between Browser Recording and Whisper Input

What goes wrong: The browser's MediaRecorder produces audio in formats that vary by browser. Chrome records audio/webm;codecs=opus. Firefox records audio/ogg;codecs=opus. Safari (since 18.4) can record audio/webm;codecs=opus but used to produce audio/mp4. Whisper (and faster-whisper) requires 16 kHz mono PCM WAV — none of these formats match directly.

The trap is assuming a single format pipeline will work everywhere. Sending a WebM blob directly to Whisper either causes a silent transcription failure (empty string returned) or an error that is swallowed by the error handler, making the feature appear to work while returning nothing.

Why it happens: Browser format diversity is historically inconsistent. MediaRecorder.isTypeSupported('audio/webm;codecs=opus') returns true in Chrome, Firefox, and Safari 18.4+ — but the produced bitrates and frame durations differ in ways that affect downstream processing. Developers test on Chrome and never encounter Firefox/Safari failures.

How to avoid:

Always transcode to 16 kHz mono WAV on the server before passing audio to Whisper. Use ffmpeg: ffmpeg -i input -ar 16000 -ac 1 -f wav output.wav. This handles any valid audio format the browser might send.
On the client, use MediaRecorder.isTypeSupported() to detect the actual format being used and send the MIME type in the upload request header so the server knows what it is receiving.
Do not assume the file extension from the Content-Type header — WebM containers can hold different codecs; always transcode rather than assume.
ffmpeg must be installed and in PATH on the server. Make this a hard dependency checked at server startup (which ffmpeg || exit 1), not a silent fallback.

Warning signs:

Transcription returns empty string on Safari or Firefox but works on Chrome
Whisper logs show "unsupported format" or "decode error"
ffmpeg not in PATH on production server (check server startup log)
Audio upload succeeds (HTTP 200) but transcribed text is empty

Phase to address: Phase 1 (Whisper STT pipeline) — transcode pipeline must be in place before any browser testing.

Pitfall 28: Telegram Voice Messages Arriving as OGG/Opus at 48 kHz, Not 16 kHz

What goes wrong: Telegram voice messages use the OGG container with Opus codec at 48 kHz mono, stored as audio_[id].ogg. This is a different container format from what the browser sends (WebM), and a different sample rate from what Whisper expects (16 kHz). Treating the two pipelines identically breaks silently: ffmpeg will convert the format but the sample rate mismatch causes Whisper to either produce garbage transcriptions or fail.

A documented second trap: some Telegram voice messages arrive with the MIME type flagged as audio/ogg but the file extension .oga. Not all MIME type parsers recognize .oga, so the media pipeline may classify the file as "unrecognized audio" and skip transcription entirely.

Why it happens: Telegram's wire format is documented but developers building voice-to-text pipelines often copy the browser audio pipeline without adjusting for Telegram's specific encoding. The OGG container with Opus codec at 48 kHz is valid audio that plays fine in media players, so local testing succeeds but transcription quality degrades.

How to avoid:

Use a dedicated Telegram audio conversion step: ffmpeg -i input.ogg -ar 16000 -ac 1 -f wav output.wav. This is identical to the browser pipeline but sourced from a downloaded Telegram file, not a browser blob.
Download the Telegram voice file using getFile + the CDN URL before transcribing. Do not attempt to stream or pipe Telegram file downloads directly to Whisper.
Treat .oga and .ogg as the same format — normalize file handling to check codec metadata rather than relying on extension.
Log the input audio duration before transcribing: if Telegram sends a 0-byte or corrupted file, ffmpeg will fail loudly rather than silently returning empty text.

Warning signs:

Telegram voice messages return empty transcription while browser voice works correctly
ffmpeg logs showing "48000 Hz" input — correct but needs explicit -ar 16000 flag
Files downloaded from Telegram with .oga extension not recognized by MIME type check

Phase to address: Phase 3 (Telegram bridge audio handling) — the OGG/Opus download-and-transcode path must be tested with real Telegram voice messages before the bridge ships.

Pitfall 29: Spawning a New Piper Process Per TTS Request (Process-Per-Request Anti-Pattern)

What goes wrong: The Piper binary is a CLI tool: piper --model voice.onnx --output_file out.wav < text.txt. The naive Node.js integration spawns a new process for each TTS request. Two problems emerge:

Model reload latency. Piper loads the ONNX voice model into memory on startup. On CPU-only hardware (M4 Mac Mini with no explicit CUDA), this takes 200–800ms per request. For a voice reply to a short message, this means 1–2 seconds of silence before audio starts.
Long text truncation. A documented Piper bug: when processing text longer than ~500 characters via stdin pipe, Piper silently truncates the output or exits early. The generated audio file exists but is shorter than expected. The calling code sees a successful exit code and plays the truncated audio without knowing content was lost.

Why it happens: CLI tools feel simple to integrate. The first working implementation spawns a process, gets output, done. The model-reload cost and the long-text bug only surface in production use with real message lengths.

How to avoid:

Run Piper as a persistent HTTP service on a local port (there is a community piper-http wrapper, or implement one). The process stays alive between requests, keeping the model in memory.
For long responses (>400 characters), split text into sentence-level chunks before sending to Piper. Synthesize each chunk and concatenate the WAV files. This avoids both truncation and per-request reload cost.
Implement a warmup call at server startup: send a short dummy text to Piper to force model loading before the first real request.
Cap TTS at a reasonable character limit for voice output (e.g., 1500 chars) — this is a UX constraint anyway; wall-of-text responses should not be read aloud verbatim.

Warning signs:

First TTS response takes 2+ seconds after server restart
Audio playback cuts off mid-sentence on responses longer than ~30 words
Process table shows a new piper process appearing and dying for each TTS request
TTS works in unit tests (short strings) but fails in integration tests (real agent responses)

Phase to address: Phase 2 (Piper TTS pipeline) — persistent process architecture must be designed before the first response endpoint is implemented.

Pitfall 30: Whisper Model Loading on Every Request (Memory Spike Anti-Pattern)

What goes wrong: Whisper and faster-whisper load a large model into memory (tiny: ~150MB, small: ~500MB, medium: ~1.5GB). If the STT endpoint loads the model fresh for each HTTP request — or if the Python process exits and restarts — every concurrent transcription request duplicates the model in memory. On an M4 Mac Mini with 16GB unified memory running Paperclip + Ollama, this can cause the system to swap and degrade all services.

A secondary issue: faster-whisper has a documented memory leak where RAM from a transcription session is not fully released. On a long-running server, this causes gradual memory growth over hours.

Why it happens: Python subprocesses spawned from Node.js are short-lived by default. The "simplest integration" is spawn('python3', ['transcribe.py', audioPath]) — this reloads the model every time. Developers test with a handful of requests and don't observe the memory pattern.

How to avoid:

Run Whisper/faster-whisper as a persistent sidecar process (e.g., a FastAPI service on localhost:8001). Node.js calls POST /transcribe via HTTP. The model stays loaded in the Python process between requests.
On the Mac Mini M4, use whisper-mlx or mlx-whisper which uses Apple's MLX framework for 2–3x faster transcription on Apple Silicon with lower memory overhead compared to PyTorch.
Implement a request queue in the sidecar: accept one transcription at a time, queue the rest. This prevents concurrent requests from doubling memory usage.
Add a health check endpoint to the sidecar: /health returns model load status. The main server waits for this to be healthy before routing traffic.

Warning signs:

Memory usage spikes by 500MB+ on each transcription request
python3 processes appearing in ps aux that don't match the count of active requests
Transcription latency increasing linearly with server uptime (memory leak indicator)
System starts swapping after 20–30 transcription requests

Phase to address: Phase 1 (Whisper STT pipeline) — sidecar architecture must be the starting design, not a later refactor.

Pitfall 31: Browser Silence Detection Triggering Too Early or Too Late

What goes wrong: The web chat mic button uses client-side silence detection to auto-stop recording and send the audio. Threshold-based silence detection (RMS below X for N milliseconds) has two failure modes:

Too eager: Fires after a natural pause mid-sentence ("I want to... create a new task"). The user is still speaking, but the detector interprets the inter-clause pause as end-of-speech. Audio is sent and transcribed as incomplete input.
Too late: In a quiet room with a good microphone, even breathing or HVAC noise keeps the RMS above the silence threshold. Recording never auto-stops. The user waits, unsure if anything is working.

Simple RMS-based detection (the first approach most developers reach for) achieves only ~50% true positive rate for end-of-speech detection at a 5% false positive rate. Production-quality VAD (Silero, Picovoice Cobra) achieves 87–99%.

Why it happens: RMS threshold detection is two lines of code. It works in demo conditions (quiet room, clear speech, no pauses). It fails noticeably in real use. Developers ship the demo implementation.

How to avoid:

Use @ricky0123/vad-web (browser-native VAD using Silero model via ONNX Runtime Web). It runs off the main thread, handles natural pauses, and achieves significantly better accuracy than threshold detection.
Set a maximum recording duration (e.g., 60 seconds) as a fallback — always auto-stop even if silence detection is confused.
Show a waveform visualization while recording so users can see whether the mic is capturing audio (helps them self-diagnose "is it recording?").
Provide a manual stop button alongside auto-stop — never rely solely on automatic detection.

Warning signs:

Transcription of "I want to" submitted as complete message
Recording indicator stays active for 30+ seconds in normal use
Users repeatedly clicking the mic button because auto-stop didn't fire
Silence threshold value hardcoded to a constant (needs to be calibrated per device)

Phase to address: Phase 2 (Web chat mic button) — VAD library choice must be made before the recording UI is built.

Pitfall 32: Voice Mode Flag Not Propagated Through the Agent Session Layer

What goes wrong: The voice mode flag (isVoiceMode: true) attached to a user message in the web chat must reach the agent's system prompt generator to trigger voice-optimized response formatting (shorter sentences, no markdown, no code blocks). If the flag is stripped or not forwarded at any point in the message pipeline — SSE event, message persistence, agent session codec, Hermes adapter — the agent responds in its default text format. The TTS then tries to synthesize text containing backtick code blocks, markdown headers, and bullet points, producing robotic-sounding output like "backtick backtick backtick bash backtick backtick backtick."

Why it happens: Message metadata (anything beyond content and role) is treated as optional. Each layer in the pipeline — the Express route handler, the SSE broadcaster, the DB persistence layer, the adapter's session encoder — may serialize/deserialize the message and drop non-standard fields. The flag is present in the browser but never reaches the agent runtime.

How to avoid:

Audit every layer the message passes through: client → POST /api/chat/messages → message persistence → agent session codec → Hermes adapter system prompt. Verify isVoiceMode (or equivalent) is preserved at each layer.
Use Paperclip's existing message metadata mechanism (if present) rather than adding a top-level field that might be stripped. Check whether the message schema has a metadata JSON column.
Test the full pipeline end-to-end: send a voice-flagged message and check the agent's system prompt (log it in development mode) to confirm the voice formatting instruction is present.
The dual output pattern (voice-optimized response + full text with code blocks) requires the LLM to produce two outputs or a structured output with separate fields. Design this contract before implementing either end.

Warning signs:

Agent responses in voice mode contain markdown formatting
TTS output includes spoken "asterisk", "backtick", or "hash" characters
isVoiceMode present in browser network request payload but absent in server-side agent session log
Voice and text responses are identical in content and format

Phase to address: Phase 1 (Voice mode flag) — the flag propagation path must be fully designed and tested with a no-op handler before the dual output pattern is built on top of it.

Pitfall 33: Telegram Bridge Creating a Competing Session Identity for the Same Agent

What goes wrong: Paperclip's agent session model assigns one session per agent per "channel" (web, API, etc.). The Telegram bridge opens a new channel. If the bridge creates a new session for each Telegram message instead of maintaining a persistent session for the Telegram channel, the agent loses context between Telegram messages — each message starts a fresh conversation.

A documented related bug in similar systems: when the Telegram bridge relays a message through the web channel gateway instead of its own channel, the session's channel field gets overwritten from telegram to webchat. Subsequent agent replies are then routed to the web UI, not back to Telegram. The user sends a Telegram message and the reply appears in the browser but never arrives in Telegram.

Why it happens: Reusing the existing web session mechanism (the path of least resistance) overwrites session channel metadata. The Telegram bridge needs its own channel identity that the session persists.

How to avoid:

Create a dedicated telegram channel type in the session layer. Do not route Telegram messages through the webchat gateway — use a separate message path that preserves channel: "telegram".
Maintain a persistent session per Telegram chat ID (not per message). Store the sessionId ↔ chatId mapping in a lightweight lookup (in-memory Map for single-user deployment, or a simple JSON file).
On agent reply, inspect the originating session's channel field. Route replies to Telegram if channel === "telegram", to the web UI if channel === "webchat". Never allow this routing to be overwritten by message relay logic.
Test the routing explicitly: send a Telegram message, verify the reply arrives in Telegram (not in web UI), send a web chat message to the same agent, verify the reply arrives in the browser (not in Telegram).

Warning signs:

Telegram messages receive no reply in Telegram but a reply appears in the web chat interface
Session channel field changes from telegram to webchat after the first reply
New session created for every Telegram message (no conversation continuity)
Agent session table grows unboundedly (new session per Telegram message)

Phase to address: Phase 3 (Telegram bridge session layer) — session identity design must be finalized before the bridge handler is implemented.

Pitfall 34: Telegram Webhook vs. Long Polling — Wrong Choice for This Deployment

What goes wrong: Telegram bots receive updates either via long polling (getUpdates) or webhooks. The choice matters for this deployment:

Webhook requires: a publicly accessible HTTPS URL, a valid TLS certificate, and a port in [80, 88, 443, 8443]. The Nexus deployment is a local Mac Mini without a public URL. Webhooks do not work behind NAT/LAN without a tunnel (ngrok, Cloudflare Tunnel, etc.).
Long polling works from behind NAT. The bot proactively calls getUpdates every N seconds. No public URL required.

The trap: developers set up webhooks because webhook tutorials are more common, then wonder why Telegram isn't delivering updates. Or they use long polling but run multiple processes that all call getUpdates simultaneously — Telegram delivers each update to only one caller, so updates are split between processes and lost.

Why it happens: Webhook is the "production-grade" recommendation in most Telegram bot guides. Local deployment contexts are underrepresented in tutorials.

How to avoid:

For this deployment (local Mac Mini, no public URL, single user): use long polling. It is simpler, works behind NAT, and the latency difference (1–2 seconds vs. real-time) is irrelevant for a personal assistant.
Ensure only ONE process calls getUpdates. If the Express server restarts, verify the previous polling loop has stopped before starting a new one.
Use a Telegram bot library (Telegraf, grammY) rather than raw HTTP polling — these libraries handle the polling loop, update acknowledgement, and error recovery correctly.
Never mix polling and webhooks: if a webhook was previously registered, it must be explicitly deleted (deleteWebhook) before long polling will work.

Warning signs:

Telegram updates not arriving despite correct bot token
Some messages received, others not (multiple processes polling simultaneously)
setWebhook called during testing but server not publicly accessible
getWebhookInfo returns a webhook URL pointing to localhost

Phase to address: Phase 1 (Telegram bridge setup) — polling vs. webhook decision must be made before any bot code is written.

Pitfall 35: TTS Synthesizing Agent Prefixes, Timestamps, and Metadata Verbatim

What goes wrong: The Telegram bridge prefixes agent replies with the agent name: [Nexus] Here is your answer.... The web chat renders this as a styled badge. When the same message content is passed to TTS, Piper synthesizes "bracket Nexus bracket Here is your answer" — the prefix is read aloud verbatim.

Similarly, if any message metadata (issue IDs like #ISS-42, timestamps, Markdown formatting characters) reaches the TTS synthesis input without being stripped, the audio sounds broken and robotic.

Why it happens: The message content as stored is the same string used for both display (where the prefix is rendered as a badge) and audio synthesis. The stripping step is obvious in retrospect but is easily forgotten when the display rendering works correctly.

How to avoid:

Create a sanitizeForTTS(text: string): string utility function applied before any text reaches the Piper synthesis call. It strips: agent prefixes ([AgentName] patterns), Markdown formatting (**, *, #, backticks, > blockquote markers), issue/task IDs (#ISS-\d+, #TSK-\d+), URLs (replace with "link"), and code blocks (replace with "code example").
Apply this sanitization at the TTS layer, not at the storage layer — the stored message should remain unmodified so the web UI can render it correctly.
For the dual output pattern (voice-optimized + full text), the voice-optimized variant should already be prose-formatted — sanitizeForTTS is a safety net, not the primary formatting mechanism.

Warning signs:

TTS reads "asterisk asterisk important asterisk asterisk" instead of "important"
TTS reads "hash" or "pound" characters from Markdown headers
Agent prefix brackets audible in playback
Code block content being read aloud character by character

Phase to address: Phase 2 (Piper TTS pipeline + dual output pattern) — sanitizeForTTS must exist before the first TTS integration test.

Pitfall 36: CPU-Only Whisper Model Size Too Large for Acceptable Latency

What goes wrong: The Whisper model family spans: tiny (39M params, ~200MB), base (74M, ~300MB), small (244M, ~500MB), medium (769M, ~1.5GB), large (1.5B, ~3GB). On Apple Silicon M4 with Metal/MLX acceleration, the medium model runs in under 1 second for typical voice input. On CPU-only fallback (or if MLX is not configured), medium model transcription takes 4–15 seconds for a 10-second clip — too slow for interactive voice use.

Developers test on the primary deployment target (M4 with MLX fast path) and set model: "medium" as the default. On any other machine (CI server, Docker container, Linux server without Metal), the same default makes the feature unusable.

Why it happens: The bottleneck is hardware-dependent and only surfaces when Metal/MLX is unavailable. The test environment is the Mac Mini M4 where everything is fast.

How to avoid:

Make the Whisper model size configurable at startup, not hardcoded. Default to small (good accuracy, fast on CPU), allow upgrade to medium or large in config.
Add hardware detection to the STT sidecar startup: if Apple Silicon + MLX available, default to medium; if CPU-only, default to small or tiny.
Benchmark the chosen model on the target hardware before committing to it: time python3 -c "from faster_whisper import WhisperModel; m = WhisperModel('small'); list(m.transcribe('test.wav'))".
For the Mac Mini M4 specifically: mlx-whisper or whisper-mlx uses Apple's MLX framework and is 2–8x faster than faster-whisper's CPU path, and does not require CUDA.

Warning signs:

Transcription taking 5+ seconds for a 5-second voice clip
Default model is medium or large without hardware detection
MLX not installed or not used (check: python3 -c "import mlx" should succeed on M4)
STT latency acceptable on the dev machine but reported as "frozen" on other hardware

Phase to address: Phase 1 (Whisper STT pipeline + CPU fallback) — model selection logic and hardware detection must be in place before the latency target (<3 seconds) is validated.

Pitfall 37: Telegram File Downloads Blocking the Bot Event Loop

What goes wrong: When a Telegram voice message arrives, the bot must: (1) call getFile to get the file path, (2) download the file from Telegram's CDN, (3) transcode with ffmpeg, (4) transcribe with Whisper. Steps 2–4 each take 0.5–3 seconds. If the bot processes messages synchronously in the main event loop, it cannot acknowledge incoming updates during this window. Telegram resends unacknowledged updates after a timeout, causing the bot to process the same voice message multiple times and flood the agent with duplicate transcriptions.

Why it happens: Bot frameworks (Telegraf, grammY) handle one update at a time by default. Voice message handling is I/O-heavy. The simple implementation puts all processing in the message handler, which blocks the next update from being processed.

How to avoid:

Acknowledge the Telegram update immediately (return from the handler without awaiting the full pipeline). Kick off the transcription + agent call pipeline asynchronously.
Use a per-chat-ID in-flight tracker: if a voice transcription is already in progress for a given chatId, queue the next one rather than spawning a second concurrent pipeline.
Send an intermediate "Transcribing..." status message to Telegram immediately after receiving the voice message, so the user gets immediate feedback while the pipeline runs.
Set a timeout on the ffmpeg + Whisper steps. If transcription takes longer than 30 seconds, send an error reply and discard the audio.

Warning signs:

Same Telegram voice message transcribed 2–3 times (duplicate update delivery)
Bot stops responding to text messages while a voice message is being processed
Telegram delivery reports showing retried updates
getFile + downloadFile calls in the main event handler (not in a background task)

Phase to address: Phase 3 (Telegram bridge) — async pipeline architecture must be in place before end-to-end testing with real voice messages.

Pitfall 38: Piper Binary Not Found When Node.js Server Starts as a Service

What goes wrong: piper is installed to a user directory like ~/.local/share/piper-tts/piper or /usr/local/bin/piper. When Node.js server runs interactively in a terminal, the shell PATH includes this directory. When the server starts via a system service (launchd on macOS, systemd on Linux), the service environment has a minimal PATH that does not include user-local directories. child_process.spawn('piper', ...) throws ENOENT: no such file or directory.

This is a common and non-obvious failure: the feature works in development (interactive terminal) and silently fails in production (service startup).

Why it happens: Service environment PATH is not the same as interactive shell PATH. This is a standard UNIX gotcha that every server deployment eventually encounters.

How to avoid:

Never rely on PATH resolution for subprocess binaries in server code. Store the absolute path to the Piper binary in the Nexus config file and use it explicitly in spawn(): spawn('/usr/local/bin/piper', ...).
Check for the binary at server startup and log its absolute path: which piper || echo "piper not found in PATH" in the startup health check.
Add a voices.piper_binary_path config key that can be overridden in ~/.paperclip/nexus.yaml without code changes.
The same issue applies to ffmpeg. Both must be resolved to absolute paths.

Warning signs:

TTS works when running pnpm dev but fails when running via launchctl/systemctl
ENOENT errors in server logs for piper or ffmpeg processes
process.env.PATH in server context is shorter than interactive shell PATH

Phase to address: Phase 2 (Piper TTS pipeline) — absolute path configuration must be in place before any service deployment testing.

Moderate Pitfalls (v1.6)

Pitfall 39: Dual Output Pattern Producing Two Separate LLM Calls Per Voice Message

What goes wrong: The dual output pattern (voice-optimized response + full text with code blocks) is straightforward to implement as two separate LLM calls: one with a "respond in plain spoken prose" system prompt for TTS, one with the standard formatting for display. But two calls per voice message doubles cost and doubles latency. For a local Hermes/Ollama backend, this doubles the time-to-response.

An alternative (one call, structured output) requires the LLM to produce a JSON object with { voice: "...", text: "..." }. This requires reliable structured output, which is model-dependent — smaller models (7B) produce malformed JSON under structured output constraints more often than larger ones.

Why it happens: Two-call is the obvious, correct first implementation. The optimization is non-trivial and model-dependent.

How to avoid:

For the MVP, use a single LLM call. Ask the agent to produce a voice-formatted response (plain prose, no markdown). Display the voice-formatted text in the chat UI as well — users reading the chat still get the content, just formatted for voice.
Reserve the dual-output (voice prose + full-text-with-code) pattern for a later iteration when the voice pipeline is stable and the cost/latency of two calls is measurable.
If dual output is required from the start: use function calling / tool use to get structured output rather than relying on JSON in the completion text. Most current models support structured output via the tools API more reliably than via raw JSON generation.

Warning signs:

Two sequential LLM calls observed in the server log per voice-flagged message
Latency in voice mode is 2× text mode latency
Structured output JSON malformed ~10% of the time on the 7B model

Phase to address: Phase 1 (Voice mode flag + dual output pattern) — design the output contract before implementation to avoid a costly rewrite.

Pitfall 40: Audio Playback Autoplay Blocked by Browser Policy

What goes wrong: Browsers block audio.play() calls that are not triggered by a user gesture. The voice pipeline flow is: user records → server transcribes → agent responds → server synthesizes → client receives audio blob → client plays. The final audio.play() call is triggered by an SSE event or fetch response completion, not by a user gesture. Chrome and Safari block this as autoplay.

The feature appears to work in development (because the developer's browser has granted the page autoplay permissions during testing) and fails for first-time users on a clean browser profile.

Why it happens: Autoplay policies protect users from unexpected audio. Developers habitually run with autoplay unlocked in their dev browsers.

How to avoid:

Require an explicit user gesture to initiate the voice mode session. The "start voice mode" button click counts as a user gesture — use it to create and unlock an AudioContext (const ctx = new AudioContext(); await ctx.resume()). Once unlocked, the AudioContext can play audio without further gesture requirements for the remainder of the session.
Do not use <audio> element autoplay. Instead, decode the received audio blob with AudioContext.decodeAudioData() and play via AudioBufferSourceNode — this uses the already-unlocked context.
Test on a clean browser profile with default settings to verify autoplay works before shipping.

Warning signs:

Audio plays fine in development but silently fails on first user visit
Browser DevTools console shows "play() failed because the user didn't interact with the document first"
AudioContext state is suspended when audio playback is attempted

Phase to address: Phase 3 (Web chat audio playback) — AudioContext unlock must be part of the "start voice mode" button handler design.

Pitfall 41: Telegram Bot Token Stored in Environment Variable That Leaks Into Client Bundle

What goes wrong: The Telegram bot token (TELEGRAM_BOT_TOKEN) is a server-side secret. In a Vite/React monorepo, environment variables prefixed with VITE_ are bundled into the client. A developer who adds VITE_TELEGRAM_BOT_TOKEN to expose it to React code, or who imports a .env file in a Vite config context, risks the token appearing in the compiled JS bundle served to the browser.

Even without VITE_ prefix, if the token is loaded into a shared packages/shared module that is imported by both server and client code, Vite may tree-shake incorrectly and include it in the client bundle.

Why it happens: Monorepo shared package boundary between server and client code is not enforced by Vite's environment variable system. VITE_ prefix is the documented mechanism but developers sometimes work around it.

How to avoid:

Store TELEGRAM_BOT_TOKEN in .env.server (not .env or .env.local which Vite reads). Use dotenv on the server explicitly; never load this file through Vite.
Validate at build time: add a lint check or Vite plugin that fails the build if any variable containing TOKEN, SECRET, or KEY appears in the client bundle.
Keep Telegram bridge code entirely in server/src/ — never in packages/shared/ or any package imported by the UI.

Warning signs:

TELEGRAM_BOT_TOKEN value visible in browser DevTools → Sources → compiled JS
.env file containing TELEGRAM_BOT_TOKEN in the repo root (Vite reads this)
Telegram bridge code imported from a shared package used by UI code

Phase to address: Phase 1 (Telegram bridge setup) — secret handling policy must be validated before the bot token is added to any config file.

Pitfall 42: Voice Waveform UI Causing Unnecessary Re-renders During Recording

What goes wrong: The recording waveform visualization reads audio amplitude data from an AnalyserNode via requestAnimationFrame at ~60fps. If this data is stored in React state (useState), every frame triggers a re-render of the component tree above the waveform. For a chat interface with many messages, this causes perceptible jank during recording (dropped frames, slow scrolling).

Why it happens: Waveform amplitude data is time-series state that changes at animation frame rate. React state is not designed for 60fps updates. The trap is copy-pasting a CanvasRenderingContext2D waveform example that stores amplitude in useState without considering the re-render cost.

How to avoid:

Read amplitude data via useRef + direct Canvas 2D drawing inside the requestAnimationFrame loop. Never put waveform data in useState.
Keep the waveform Canvas element isolated from the React component tree — render it outside the main message list DOM subtree (e.g., as an absolutely positioned overlay) so re-draws do not trigger layout recalculation for sibling components.
Stop the requestAnimationFrame loop and disconnect the AnalyserNode immediately when recording stops — do not leave the loop running even at low amplitude.

Warning signs:

React DevTools Profiler shows high commit count and component renders during recording
Chat scroll is janky while recording
requestAnimationFrame callback showing useState setter calls

Phase to address: Phase 2 (Web chat mic button + waveform UI) — Canvas-direct rendering pattern must be established before the waveform component is built.

Pitfall 43: Missing ffmpeg on Production Mac Mini Silently Disabling Voice

What goes wrong: The entire STT + Telegram audio pipeline depends on ffmpeg for audio format conversion. If ffmpeg is not installed, the transcode step fails. Depending on error handling: (a) the transcription endpoint returns an HTTP 500, (b) it returns an empty transcription, or (c) it silently discards the audio and moves on. Outcomes (b) and (c) are worse than (a) because the user sees no error.

ffmpeg is not installed by default on macOS. It is available via Homebrew (brew install ffmpeg) but is not a Node.js dependency and will not be installed by pnpm install.

Why it happens: ffmpeg is a system dependency, not an npm dependency. It is easy to forget to document, and installation instructions are frequently missing from setup guides.

How to avoid:

Add a startup check to the Nexus server: detect ffmpeg at boot time and log its version. If absent, log a prominent warning and disable the voice pipeline gracefully (return a clear error from the transcription endpoint, show a "voice unavailable" state in the UI).
Add ffmpeg installation to the npx buildthis setup flow — if voice mode is enabled and ffmpeg is absent, the CLI should prompt to install it (brew install ffmpeg).
Document ffmpeg as a hard prerequisite for voice features in the onboarding hardware detection step.

Warning signs:

which ffmpeg returns nothing on the production machine
Voice features work in development (developer has ffmpeg) but fail in any fresh install
Transcription endpoint returning 500 with no diagnostic message

Phase to address: Phase 1 (Whisper STT pipeline) — ffmpeg detection and graceful degradation must be implemented before any voice endpoint is exposed.

Minor Pitfalls (v1.6)

Pitfall 44: Telegram Agent Prefix Leaking Into Whisper Transcription Input

What goes wrong: The Telegram bridge formats replies as [AgentName] response text. If the bridge accidentally echoes the agent's own message back into the Whisper transcription pipeline (e.g., when relaying between agents or logging), Whisper transcribes the agent prefix along with the user's intended input. The resulting transcription contains [Nexus] previous response... prepended to whatever the user said. The agent receives this as its next input and behaves erratically.

Why it happens: Message relay and logging code passes message objects through the same pipeline as user input without filtering by sender type.

How to avoid:

In the Telegram bridge handler, only transcribe messages where update.message.from.id !== bot.id — never transcribe messages sent by the bot itself.
Apply a sender-type check before the transcription pipeline: if the message is from a bot, skip transcription and routing entirely.

Phase to address: Phase 3 (Telegram bridge) — sender-type filtering must be in the handler before end-to-end testing.

Technical Debt Patterns

Shortcut	Immediate Benefit	Long-term Cost	When Acceptable
Browser-side Puter.js SDK instead of server adapter	Faster to ship	Bypasses cost tracking, skill sync, session codec; creates split-brain	Never for production use
`localStorage` for OAuth tokens	Easy to implement	XSS exposure; migration required if key renamed; conflicts with upstream Paperclip keys	Never; use server-side secrets storage
`os.totalmem()` for RAM recommendations	One-line implementation	Overestimates available RAM on loaded systems; misleads model recommendations	Only as a fallback when `freemem()` is not available
Polling for hardware detection status	Avoids SSE complexity	Hammers server during onboarding; creates race conditions with slow detection	Only if SSE is unavailable
Inline Piper model download on first TTS call	Zero extra onboarding step	Silent hang on first use; poor UX; perceived as broken feature	Never; always pre-warm
Flat memory injection (all memories into every prompt)	Simple implementation	Context window overflow; irrelevant memories degrade response quality	Only for prototyping
No mode discriminator on conversations table	No schema change needed	Mode cross-contamination; hard to query assistant vs. agent conversations	Acceptable with explicit agent-based filtering
Spawn new Piper process per TTS request	Trivial first implementation	200–800ms model reload per request; long-text truncation bug	Never; use persistent process
Skip ffmpeg transcode, send raw audio to Whisper	One less dependency	Silent transcription failures on non-WAV formats; broken on Safari/Firefox	Never; transcode is mandatory
Whisper in-process (Python subprocess per request)	No sidecar to manage	Model reload on every call; memory leak; concurrent request memory doubling	Only for one-off scripts, never for server
Telegram webhook on local server	"Production-grade" pattern	Requires public URL; breaks behind NAT; doesn't work for this deployment	Never for local Mac Mini deployment
`useState` for waveform animation data	Familiar React pattern	60fps state updates cause continuous re-renders; UI jank during recording	Never; use `useRef` + Canvas direct

Integration Gotchas

Integration	Common Mistake	Correct Approach
Puter.js	Load browser SDK, call `puter.ai.chat()` directly	Implement as server-side HTTP adapter; Puter token stored in Paperclip config
Piper TTS (WASM)	Call synthesis on first user message	Pre-warm on background thread during onboarding step; show download progress
Ollama probe	Probe at onboarding time without board auth	Use a dedicated unauthenticated `/system/providers` endpoint for pre-auth hardware detection
MCP tools	Add tools with generic names (`terminal`, `search`)	Namespace all MCP tools: `nexus_memory_`, `nexus_context_`
Google OAuth	Store access token in `localStorage`	Exchange code server-side; store token in Paperclip secrets; never expose to browser
Upstream rebase after v1.5	Forget to diff `OnboardingWizard.tsx` against upstream	Post-rebase protocol: diff the aliased-away file, integrate any new upstream props
Apple Silicon VRAM	Report `os.totalmem()` as available GPU memory	Use `os.freemem()` with explicit copy: "unified memory, shared with OS"
Whisper STT (server-side)	Pass raw browser WebM to Whisper	Transcode to 16 kHz mono WAV via ffmpeg first; Whisper expects PCM WAV
Telegram voice messages	Assume same pipeline as browser audio	Telegram sends OGG/Opus at 48 kHz; same ffmpeg transcode step applies but source is CDN download
Piper TTS (server-side binary)	Spawn new process per request	Keep Piper as persistent HTTP sidecar; model stays loaded between requests
Telegram bot updates	Use webhooks for local deployment	Use long polling (`getUpdates`) — works behind NAT, no public URL required
Telegram bot token	Add `VITE_TELEGRAM_BOT_TOKEN` for debugging	Keep token server-side only; never in Vite env variables
Audio autoplay (browser)	Call `audio.play()` from SSE event handler	Unlock `AudioContext` on the "start voice mode" gesture; play via AudioBufferSourceNode
ffmpeg dependency	Assume it is installed	Detect at server startup; degrade gracefully with clear error; add to `npx buildthis` setup

Performance Traps

Trap	Symptoms	Prevention	When It Breaks
Sequential provider probes in onboarding	Each probe adds 3s+ to wizard load time	Probe all providers in parallel with `Promise.allSettled()`	Any multi-provider step with 3+ probes
Memory retrieval on every chat message	200-500ms added to every response	Cache last N memories; only re-fetch if conversation context changes	Systems with >100 stored memory fragments
Piper TTS blocking main thread	UI freezes during synthesis	Run Piper WASM in a Web Worker; stream audio chunks as they generate	Models larger than small/medium quality
Ollama model catalog loaded from disk on every request	File I/O on every recommendation call	Load and cache catalog at server startup, not per-request	High-frequency polling during onboarding
MCP tool calls in the critical path of assistant response	Latency spikes when memory server is slow	Make MCP tool calls non-blocking where possible; set aggressive timeouts	MCP server under load or starting up
Whisper model reload per STT request	500MB+ memory spike; 2–5s startup delay per transcription	Persistent sidecar process; model loaded once at startup	First concurrent request pair
Piper process spawn per TTS request	200–800ms model reload per voice response	Persistent Piper process or HTTP sidecar	Any production traffic
Telegram file download in main bot handler	Bot stops processing messages during download	Download + transcode + transcribe in async background task	Any voice message >2 seconds
60fps waveform data in React state	Chat UI jank during recording	Canvas-direct rendering via `useRef`, no React state for amplitude data	Any component tree with >20 chat messages
No request queue on Whisper sidecar	Memory doubles under concurrent requests	Semaphore pattern; max 1 concurrent transcription	2+ simultaneous voice inputs

Security Mistakes

Mistake	Risk	Prevention
Storing OAuth tokens in `localStorage`	XSS can steal tokens; Paperclip key collision	Server-side token storage in existing secrets mechanism
Persisting raw user input in memory without sanitization	Credential leakage; prompt injection across sessions	Regex-based blocklist at write time; strip instruction-like syntax
Unauthenticated MCP endpoint exposure	External callers invoking memory read/write	MCP server bound to `localhost` only; board auth required for all tool calls
Puter.js API key in browser bundle	Key exposure in DevTools	Server-side Puter adapter; no Puter credentials in browser
Recording audio without explicit per-session consent indicator	Privacy violation perception	Show persistent recording indicator; stop all audio tracks immediately on stop
`VITE_TELEGRAM_BOT_TOKEN` in environment	Token bundled into client JS; visible in DevTools	Server-only env vars for all bot tokens; no `VITE_` prefix for secrets
Telegram bridge accepting messages from any chat ID	Unauthorized users can send commands to agent	Whitelist allowed `chatId` values in config; reject all other chat IDs
Audio files persisted to disk without cleanup	Disk space exhaustion; audio data retained longer than needed	Delete transcoded WAV files immediately after Whisper transcription

UX Pitfalls

Pitfall	User Impact	Better Approach
Multi-step wizard with no skip-all option	Users with existing tools feel trapped	"Skip setup" at top of wizard; minimum valid state if skipped
Showing all providers as equally valid	Decision paralysis; wrong choice for hardware	Pre-select the best option; others are secondary alternatives
TTS toggle with no download state	Appears broken; silent 15-30s wait	Pre-warm voice model; show download progress before toggle is active
Hardware detection with false confidence	User loads model that OOMs	Label recommendations as "estimated" not "guaranteed"; add safety margin
Mode selection before hardware detection	User picks "Personal AI Assistant" but their hardware can't run local models	Show hardware detection first; mode recommendation follows hardware capability
Summary screen with no way to change a step	User made wrong choice earlier; stuck	Every summary item links back to the relevant step
No intermediate "transcribing..." feedback on Telegram	User resends voice message thinking it was lost	Send immediate typing indicator + "Transcribing..." message to Telegram
Voice auto-stop firing mid-sentence	Partial input submitted; confusing agent response	Use VAD library (Silero/`@ricky0123/vad-web`) not threshold detection; add manual stop button
TTS reading agent prefix brackets aloud	Robotic "bracket Nexus bracket" audio	`sanitizeForTTS()` strips all formatting before synthesis
Autoplay blocked with no feedback	Audio response plays silently; user thinks voice is broken	Unlock AudioContext on voice mode toggle; show clear "tap to enable audio" prompt if blocked

"Looks Done But Isn't" Checklist

Puter.js adapter: Is it going through the server-side adapter machinery (cost tracking, heartbeat, session codec) or calling Puter's API directly from the browser?
Adapter probe during onboarding: Does it work before board auth is established (fresh install) or does it silently return 403?
Piper TTS first use: Has the warmup been tested on a clean browser profile with no OPFS cache?
Persistent memory: Are there sanitization filters at write time preventing credential storage?
MCP tool names: Have all Nexus MCP tools been checked against the Hermes TOOLS.md skill bundle for name collisions?
OAuth token storage: Is the refresh token stored server-side? Is the browser holding only a session indicator, not the raw token?
Mode isolation: Can assistant conversation history be queried without surfacing project builder agent conversations?
Onboarding skip: Does skipping every step produce a usable workspace with at least one agent?
Apple Silicon VRAM copy: Does the hardware detection screen say "unified memory" not "VRAM" for M-series chips?
npx buildthis package name: Has npm search buildthis been run to verify no collision?
Upstream OnboardingWizard diff: After the v1.5 wizard is built, has OnboardingWizard.tsx been diffed against upstream to check for new props that NexusOnboardingWizard.tsx needs to handle?
Audio format transcode: Does the /transcribe endpoint transcode to 16 kHz mono WAV before passing to Whisper? Test with a Safari recording (mp4) and Firefox recording (ogg).
Telegram OGG pipeline: Is the Telegram voice download → ffmpeg → Whisper path tested with a real Telegram voice message (not a local file)?
Piper persistent process: Is Piper running as a persistent process/sidecar, not spawned per request? Check ps aux | grep piper count during consecutive TTS calls.
Whisper sidecar health check: Does the server wait for the Whisper sidecar /health endpoint before routing STT requests?
Voice mode flag propagation: Is isVoiceMode present in the agent's system prompt log? Check server logs for a voice-flagged message.
TTS sanitization: Does sanitizeForTTS() strip agent prefixes, Markdown, and issue IDs? Test with a response containing backtick code blocks.
Telegram session routing: After sending a Telegram message, does the reply appear in Telegram (not web UI)? Check session channel field in DB.
Long polling only: Is deleteWebhook called on bot startup to ensure no stale webhook is registered?
AudioContext unlock: Does audio autoplay work on a fresh browser profile (no stored autoplay permissions)?
ffmpeg at startup: Does the server log ffmpeg version on startup? Does it gracefully disable voice with a clear error if ffmpeg is absent?
Telegram token not in client bundle: Does grep -r "VITE_TELEGRAM" ui/src return nothing?
Telegram chat ID whitelist: Does the bot reject messages from unknown chat IDs?
Audio file cleanup: Are transcoded WAV temp files deleted after transcription?

Recovery Strategies

Pitfall	Recovery Cost	Recovery Steps
Puter.js browser-side integration shipped	HIGH	Rewrite as server-side adapter; migrate conversation history to route through server
OAuth tokens in `localStorage` shipped	HIGH	Server-side migration: on next load, detect browser-stored tokens, exchange for server-stored ones, clear localStorage
Persistent memory storing credentials	HIGH	Purge memory store; add retroactive scan-and-delete for credential patterns; add blocklist
Piper TTS no warmup (silent hang)	LOW	Add warmup call in background; show download progress indicator
Model catalog stale	LOW	Add fallback heuristic; document update process
Onboarding probe auth-gated on board auth	MEDIUM	Add unauthenticated system/providers endpoint; update wizard to use new endpoint
Mode contamination in conversations table	MEDIUM	Add agent-based filter to conversation queries; document the filtering convention
Piper spawn-per-request shipped	MEDIUM	Wrap Piper in persistent HTTP sidecar; update spawn calls to HTTP requests; no data migration needed
Whisper in-process (no sidecar) shipped	HIGH	Extract to standalone FastAPI/Flask sidecar; update all Node.js callers; retest on CPU fallback path
Telegram webhook on local deploy	LOW	Call `deleteWebhook`; switch to `getUpdates` long polling; update bot startup code
Telegram session channel overwritten	MEDIUM	Add dedicated `telegram` channel type; audit all `sessions_send` call sites; retest routing
`VITE_TELEGRAM_BOT_TOKEN` in bundle shipped	HIGH	Rotate bot token immediately; move to server-only env var; rebuild and redeploy
ffmpeg missing, voice silently broken	LOW	Install ffmpeg; add startup check to catch future regressions
Audio autoplay blocked	LOW	Implement AudioContext unlock on voice mode toggle; test on clean browser profile

Pitfall-to-Phase Mapping

Pitfall	Prevention Phase	Verification
Vite alias swap breaking upstream rebase (12)	Phase 1 — Hardware Wizard	Post-rebase diff protocol in place and documented
Hardware detection inaccuracy on Apple Silicon (13)	Phase 1 — Hardware Detection	Unit test: compare `totalmem()` vs `freemem()` recommendations; verify M4 copy says "unified"
Probe endpoint requires board auth (14)	Phase 1 — Hardware Detection	Test: call probe endpoint with no board auth cookie; should succeed
Puter.js bypassing adapter system (15)	Phase 2 — Zero-Config Cloud	Verify: Puter sessions appear in cost tracking with correct provider label
OAuth tokens in localStorage (16)	Phase 3 — OAuth	Verify: no OAuth tokens visible in browser DevTools localStorage
Multi-provider creating competing defaults (17)	Phase 1 — Mode Selection	Test: skip-all onboarding produces exactly one adapter type per agent
Piper TTS cold start hang (18)	Phase 4 — Voice TTS	Test: fresh browser profile, enable TTS, measure time-to-first-audio
Memory prompt injection (19)	Phase 5 — Persistent Memory	Test: paste a credential into chat; verify it is NOT stored in memory DB
MCP tool name collision (20)	Phase 5 — MCP Integration	Audit: compare MCP tool names against TOOLS.md before shipping
`npx buildthis` package name collision (21)	Phase 6 — CLI	Run `npm search buildthis` before publishing
Skip-all onboarding broken (22)	Phase 1 — Mode Selection	Test: skip every step; verify workspace + one agent created
Assistant/project builder context bleed (23)	Phase 2 — Mode Selection	Test: assistant query does not surface issue IDs from project builder
Subscription detection false positives (24)	Phase 3 — Subscription Detection	Test: revoke an API key; verify wizard shows "unverified" not "ready"
Project handoff losing context (25)	Phase 5 — Persistent Memory	Test: handoff includes conversation ID, not just flat text summary
Model catalog staleness (26)	Phase 1 — Hardware Detection	Test: install an uncatalogued Ollama model; verify fallback heuristic fires
Audio format mismatch browser → Whisper (27)	v1.6 Phase 1 — Whisper STT	Test: record on Safari + Firefox; verify both transcribe correctly
Telegram OGG/Opus 48 kHz mismatch (28)	v1.6 Phase 3 — Telegram audio	Test: send real Telegram voice message; verify transcription succeeds
Piper spawn-per-request (29)	v1.6 Phase 2 — Piper TTS	Verify: `ps aux \| grep piper` shows one persistent process, not N per request
Whisper model reload per request (30)	v1.6 Phase 1 — Whisper sidecar	Verify: memory stays flat across 10 consecutive transcription requests
Browser silence detection too eager/late (31)	v1.6 Phase 2 — Web mic button	Test: natural mid-sentence pause does not auto-submit; quiet room does not stall recording
Voice mode flag not propagated (32)	v1.6 Phase 1 — Voice mode flag	Test: voice-flagged message; verify agent system prompt contains voice formatting instruction
Telegram competing session identity (33)	v1.6 Phase 3 — Telegram session	Test: Telegram message reply arrives in Telegram, not web UI
Telegram webhook on local deploy (34)	v1.6 Phase 1 — Telegram setup	Verify: `getWebhookInfo` returns empty webhook URL; bot uses long polling
TTS synthesizing agent prefixes verbatim (35)	v1.6 Phase 2 — TTS sanitization	Test: agent reply with `[Nexus]` prefix; verify audio does not contain "bracket"
Whisper model too large for CPU fallback (36)	v1.6 Phase 1 — CPU fallback	Benchmark: transcribe 10s clip on CPU-only path; must complete in <5s
Telegram file download blocking event loop (37)	v1.6 Phase 3 — Telegram async	Test: send voice message; verify text messages still processed during download
Piper binary not found in service PATH (38)	v1.6 Phase 2 — Piper binary config	Test: start server via launchctl; verify Piper path resolves
Dual output two LLM calls doubling latency (39)	v1.6 Phase 1 — Output pattern design	Verify: single LLM call per voice message in server logs
Audio autoplay blocked by browser policy (40)	v1.6 Phase 3 — Web audio playback	Test: fresh browser profile; voice response plays without user interaction after voice mode toggle
Telegram bot token in client bundle (41)	v1.6 Phase 1 — Telegram setup	Verify: `grep -r TELEGRAM ui/dist` returns nothing
Waveform causing React re-renders (42)	v1.6 Phase 2 — Waveform UI	Profile: React DevTools shows no re-renders in parent components during recording
ffmpeg missing on production (43)	v1.6 Phase 1 — Whisper STT	Verify: server logs ffmpeg version on startup; `which ffmpeg` on production machine
Telegram agent prefix in transcription input (44)	v1.6 Phase 3 — Telegram handler	Verify: bot-originated messages are filtered before the transcription pipeline

Sources

Codebase analysis (HIGH confidence):

/opt/nexus/server/src/services/ollama.ts — RAM detection using totalmem(), catalog lookup
/opt/nexus/ui/src/components/NexusOnboardingWizard.tsx — probe auth requirement, adapter detection
/opt/nexus/server/src/routes/agents.ts — board-auth gate on probe endpoint
/opt/nexus/ui/vite.config.ts — OnboardingWizard Vite alias pattern
/opt/nexus/ui/src/components/VoiceRecordButton.tsx — existing Whisper STT implementation
/opt/nexus/ui/src/adapters/registry.ts — adapter registration pattern

Research (MEDIUM confidence unless noted):

Puter.js Free Unlimited AI API — Puter is browser-SDK-first; server-side HTTP integration requires manual HTTP calls
WebGPU/WebGL VRAM Limitations — VRAM not queryable from browser; integrated vs. dedicated GPU reporting issues (HIGH confidence — peer-reviewed)
Ollama AMD VRAM Detection Bug — confirmed VRAM misreport on AMD/Vulkan
MCP Tips, Tricks and Pitfalls — Nearform — TypeScript interface vs. type alias; SSE deprecated
MCP Specification 2025-06-18 — SSE deprecated, Streamable HTTP preferred
Memory Poison Attack — Palo Alto Unit 42 — persistent memory prompt injection attack vector (HIGH confidence)
Piper TTS WASM cold start — first-run download, OPFS caching, warmup pattern
OAuth PKCE SPA Best Practices — Curity — sessionStorage for verifiers, server-side token storage
AI Agent Memory — Redis — context window overflow, hybrid vector+graph architecture
faster-whisper audio format and WebM handling — WebM input requires ffmpeg transcode to 16 kHz WAV (MEDIUM confidence)
Whisper concurrent requests memory issue — each worker loads full model; use semaphore pattern (HIGH confidence — official issue tracker)
Piper long message truncation bug — messages >500 chars cause silent truncation; chunk input (HIGH confidence — confirmed upstream bug)
Piper persistent process discussion — subprocess exits after each synthesis; keep alive pattern documented (HIGH confidence)
Telegram webhooks guide — official — port and SSL requirements; mixing polling/webhook forbidden (HIGH confidence — official docs)
Telegram voice message OGG/Opus format — OGG Opus 48 kHz; ffmpeg transcode required (MEDIUM confidence)
Telegram session channel overwrite bug — sessions_send overwrites channel field to webchat (HIGH confidence — confirmed bug in similar system)
Silero VAD vs WebRTC VAD comparison — WebRTC VAD 50% TPR vs Silero 87.7% at 5% FPR (HIGH confidence — benchmark data)
Whisper on Apple Silicon M4 benchmarks — all models process 10s audio faster than real-time on M4 with MLX (MEDIUM confidence)
MediaRecorder cross-browser format differences — Chrome/Firefox/Safari produce different formats and bitrates (HIGH confidence)
Node.js child_process binary PATH issue — service environment PATH differs from interactive shell; use absolute paths (HIGH confidence)
Whisper memory leak — RAM not fully released after transcription in some environments (MEDIUM confidence)

Pitfalls research for: Nexus v1.5 — Smart Onboarding + Personal AI Assistant; v1.6 — Voice Pipeline + Telegram Bridge Researched: 2026-04-02; Updated: 2026-04-03

97 KiB Raw Blame History Unescape Escape

Domain Pitfalls — Nexus Fork of Paperclip

About This Document

Critical Pitfalls (Fork Hygiene — v1.0–1.4, still active)

Pitfall 1: Renaming a Code Identifier That Is Also a Stored DB Value

Pitfall 2: Treating "Display-Only Rename" as a Simple Find-Replace

Pitfall 3: Diverging the Onboarding Assets Directory Name From Upstream

Pitfall 4: Changing the localStorage Key or ~/.paperclip Config Path Without a Migration

Pitfall 5: Upstream Rebase Cadence Slipping Below Weekly

Pitfall 6: Renaming the CLI Binary Name Without a Shim

Pitfall 7: Partial Rename — Changing Some Occurrences But Not All

Pitfall 8: The [nexus] Commit Prefix Not Applied Consistently From the Start

Pitfall 9: Onboarding Redesign Coupled to the Corporate Metaphor in Data Layer

Pitfall 10: Forgetting to Update Tests That Assert on Display Strings

Pitfall 11: Exporting a .nexus.yaml File While Upstream Exports .paperclip.yaml

Critical Pitfalls (v1.5 New Features)

Pitfall 12: Vite Alias Swap Breaking Upstream Rebase on OnboardingWizard

Pitfall 13: Hardware Detection Returning Inaccurate or Platform-Specific Values

Pitfall 14: The Onboarding Probe Running at the Wrong Authentication Level

Pitfall 15: Puter.js "Zero-Config" Promise Breaking on Paperclip's Server-Side Architecture

Pitfall 16: OAuth Token Storage in localStorage Creating Security and Rebase Risk

Pitfall 17: Multi-Provider Onboarding Creating Multiple Competing Default Adapters

Pitfall 18: Voice TTS (Piper) Cold Start Blocking the First Spoken Response

Pitfall 19: Persistent Memory Injecting Sensitive Data Into System Prompts

Pitfall 20: MCP Integration Conflicting With Paperclip's Existing Tool/Skill System

Pitfall 21: npx buildthis Conflicting With an Existing Paperclip CLI Entry Point

Moderate Pitfalls (v1.5)

Pitfall 22: Multi-Step Onboarding Wizard Breaking the "Every Step Skippable" Requirement

Pitfall 23: Assistant Mode and Project Builder Mode Sharing Conversation History

Pitfall 24: Subscription/API Key Auto-Detection Creating False Positives

Minor Pitfalls (v1.5)

Pitfall 25: Project Handoff from Assistant Conversation Losing Context

Pitfall 26: ollama-model-catalog.json Becoming Stale as New Models Are Released

Critical Pitfalls (v1.6 — Voice Pipeline + Telegram Bridge)

Pitfall 27: Audio Format Mismatch Between Browser Recording and Whisper Input

Pitfall 28: Telegram Voice Messages Arriving as OGG/Opus at 48 kHz, Not 16 kHz

Pitfall 29: Spawning a New Piper Process Per TTS Request (Process-Per-Request Anti-Pattern)

Pitfall 30: Whisper Model Loading on Every Request (Memory Spike Anti-Pattern)

Pitfall 31: Browser Silence Detection Triggering Too Early or Too Late

Pitfall 32: Voice Mode Flag Not Propagated Through the Agent Session Layer

Pitfall 33: Telegram Bridge Creating a Competing Session Identity for the Same Agent

Pitfall 34: Telegram Webhook vs. Long Polling — Wrong Choice for This Deployment

Pitfall 35: TTS Synthesizing Agent Prefixes, Timestamps, and Metadata Verbatim

Pitfall 36: CPU-Only Whisper Model Size Too Large for Acceptable Latency

Pitfall 37: Telegram File Downloads Blocking the Bot Event Loop

Pitfall 38: Piper Binary Not Found When Node.js Server Starts as a Service

Moderate Pitfalls (v1.6)

Pitfall 39: Dual Output Pattern Producing Two Separate LLM Calls Per Voice Message

Pitfall 40: Audio Playback Autoplay Blocked by Browser Policy

Pitfall 41: Telegram Bot Token Stored in Environment Variable That Leaks Into Client Bundle

Pitfall 42: Voice Waveform UI Causing Unnecessary Re-renders During Recording

Pitfall 43: Missing ffmpeg on Production Mac Mini Silently Disabling Voice

Minor Pitfalls (v1.6)

Pitfall 44: Telegram Agent Prefix Leaking Into Whisper Transcription Input

Technical Debt Patterns

Integration Gotchas

Performance Traps

Security Mistakes

UX Pitfalls

"Looks Done But Isn't" Checklist

Recovery Strategies

Pitfall-to-Phase Mapping

Sources

97 KiB

Raw Blame History

Pitfall 4: Changing the `localStorage` Key or `~/.paperclip` Config Path Without a Migration

Pitfall 8: The `[nexus]` Commit Prefix Not Applied Consistently From the Start

Pitfall 11: Exporting a `.nexus.yaml` File While Upstream Exports `.paperclip.yaml`

Pitfall 16: OAuth Token Storage in `localStorage` Creating Security and Rebase Risk

Pitfall 21: `npx buildthis` Conflicting With an Existing Paperclip CLI Entry Point

Pitfall 26: `ollama-model-catalog.json` Becoming Stale as New Models Are Released