# Code Review Issues

| # | Severity | File | Issue | Status |
|----|----------|---------------------------------|-------|--------|
| 1 | Critical | `scripts/deploy.sh` | `SCRIPT_DIR` resolves to `scripts/` but paths assume repo root (e.g. `$SCRIPT_DIR/caddy/docker-compose.yml`). All scripts broken after move to `scripts/`. Fix: use `REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"` | DONE |
| 2 | Critical | `scripts/backup.sh` | Same broken `SCRIPT_DIR` path issue | DONE |
| 3 | Critical | `scripts/restore.sh` | Same broken `SCRIPT_DIR` path issue | DONE |
| 4 | High | `scripts/backup.sh:20` | `pg_dumpall -U nextcloud` hardcodes DB username instead of reading from env | DONE |
| 5 | High | `scripts/restore.sh:68` | `psql -U nextcloud` hardcodes DB username instead of reading from env | DONE |
| 6 | High | `scripts/deploy.sh:13` | `source .env` in a root-privileged script can execute arbitrary commands. Consider safer parsing or variable validation | DONE |
| 7 | Medium | `monitoring/docker-compose.yml` | Docker socket + `/proc` + `/sys` + `/` mounted into Alloy container. Consider using a Docker socket proxy to limit API access | DONE |
| 8 | Medium | `caddy/Caddyfile` | No rate limiting configured at the reverse proxy layer | DONE |
| 9 | Low | `gitea/docker-compose.yml` | `gitea/gitea:latest-rootless` unpinned — pin to specific version like Nextcloud does | TODO |
| 10 | Low | `monitoring/docker-compose.yml` | `grafana/alloy:latest` unpinned — pin to specific version | TODO |
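As an added example (not code from the reviewed repository), the snippet below puts the fix from issue 1 (resolving the repo root from `scripts/`) next to one way of addressing issue 6: reading `.env` as `KEY=VALUE` data and validating each entry instead of `source`-ing it as shell code. The function names, the `.env` path and its contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the reviewed repo's own scripts.
set -eu

# Issue 1: scripts live in scripts/, so the repo root is one directory up.
# Falls back to $0 when BASH_SOURCE is unavailable (plain sh).
repo_root() {
    cd "$(dirname "${BASH_SOURCE:-$0}")/.." && pwd
}

# Issue 6: `source .env` executes the file. Instead, accept only lines of the
# form KEY=VALUE where KEY is a valid identifier and VALUE contains none of
# the characters that would trigger expansion or command execution.
# Surrounding quotes are kept literally (no shell quote processing is done).
# Returns 0 if every non-blank, non-comment line was accepted, 1 otherwise.
load_env_safe() {
    file="$1"; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        key="${line%%=*}"
        value="${line#*=}"
        case "$key" in
            ''|*[!A-Za-z0-9_]*|[0-9]*) rc=1; printf 'rejected key: %s\n' "$line" >&2; continue ;;
        esac
        case "$value" in
            *[\$\`\(\)\;\|\&\<\>]*) rc=1; printf 'rejected value for %s\n' "$key" >&2; continue ;;
        esac
        export "$key=$value"
    done < "$file"
    return "$rc"
}

# Usage in a deploy script (constructed): fail closed if any line is rejected,
# then use the validated variables rather than hardcoded names (issues 4/5).
# load_env_safe "$(repo_root)/.env" || exit 1
# pg_dumpall -U "$DB_USER"
```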