# Stewards Tracking Report

**Run Date:** 2026-03-22
**Project:** Azure-AI-RAG-CSharp-Semantic-Kernel-Functions
**Stewards Reporting:** 29
**Comparison Run:** None (first run — all findings classified as Baseline)

---

## Executive Delta

**First run — Baseline established.** +0 new, -0 fixed, 0 changed, 0 unchanged.
Total findings baselined: **363** across 29 stewards (69 critical, 148 notable, 91 minor, 55 info).

---

## Change Summary Table

| Steward | 📊 Baseline | 🆕 New | ✅ Fixed | 🔄 Changed | ➡️ Unchanged | Total |
|---|---|---|---|---|---|---|
| .NET Best Practices | 15 | 0 | 0 | 0 | 0 | 15 |
| API Config | 12 | 0 | 0 | 0 | 0 | 12 |
| API Observability | 14 | 0 | 0 | 0 | 0 | 14 |
| API Resilience | 11 | 0 | 0 | 0 | 0 | 11 |
| API Telemetry | 13 | 0 | 0 | 0 | 0 | 13 |
| Bicep Module | 19 | 0 | 0 | 0 | 0 | 19 |
| Bicep Testing | 10 | 0 | 0 | 0 | 0 | 10 |
| C# Unit Test | 7 | 0 | 0 | 0 | 0 | 7 |
| CosmosDB | 11 | 0 | 0 | 0 | 0 | 11 |
| Infra Deployment | 12 | 0 | 0 | 0 | 0 | 12 |
| Infra Networking | 15 | 0 | 0 | 0 | 0 | 15 |
| Infra Security | 19 | 0 | 0 | 0 | 0 | 19 |
| Interface Design | 11 | 0 | 0 | 0 | 0 | 11 |
| Python Best Practices | 16 | 0 | 0 | 0 | 0 | 16 |
| Python Config | 10 | 0 | 0 | 0 | 0 | 10 |
| Python Observability | 11 | 0 | 0 | 0 | 0 | 11 |
| Python Resilience | 11 | 0 | 0 | 0 | 0 | 11 |
| Python Test | 10 | 0 | 0 | 0 | 0 | 10 |
| REST API | 16 | 0 | 0 | 0 | 0 | 16 |
| React API Client | 13 | 0 | 0 | 0 | 0 | 13 |
| React Auth | 8 | 0 | 0 | 0 | 0 | 8 |
| React Config | 9 | 0 | 0 | 0 | 0 | 9 |
| React DI | 7 | 0 | 0 | 0 | 0 | 7 |
| React SP Practices | 11 | 0 | 0 | 0 | 0 | 11 |
| React Telemetry | 8 | 0 | 0 | 0 | 0 | 8 |
| React UX Components | 14 | 0 | 0 | 0 | 0 | 14 |
| React UX Observability | 10 | 0 | 0 | 0 | 0 | 10 |
| React UX | 18 | 0 | 0 | 0 | 0 | 18 |
| Security | 17 | 0 | 0 | 0 | 0 | 17 |
| **TOTAL** | **363** | **0** | **0** | **0** | **0** | **363** |

---

## Per-Steward Diff Sections

---

### 1. .NET Best Practices Steward

📄 [Full Review](../Stewards%20Reviews%20-%20.NET%20Best%20Practices%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | DNET-DI-001 | 🔴 Critical | Singleton ChatHistory shared across all requests — multi-tenancy data leak | 📊 Baseline |
| 2 | DNET-EXCEPT-001 | 🔴 Critical | Startup exception swallowed silently in PopulateCosmosAsync | 📊 Baseline |
| 3 | DNET-NULL-001 | 🟡 Notable | Non-nullable return type on GetProductByNameAsync despite returning null | 📊 Baseline |
| 4 | DNET-NULL-002 | 🟡 Notable | ChatMessage model properties uninitialized — nullable annotation mismatch | 📊 Baseline |
| 5 | DNET-NULL-003 | 🟡 Notable | Product model properties uninitialized — nullable annotation mismatch | 📊 Baseline |
| 6 | DNET-EXCEPT-002 | 🟡 Notable | Exceptions logged at LogInformation level in plugin catch blocks | 📊 Baseline |
| 7 | DNET-NULL-004 | 🟡 Notable | ChatRequest model properties uninitialized — nullable annotation mismatch | 📊 Baseline |
| 8 | DNET-DISPOSE-001 | 🟢 Minor | FeedIterator not disposed in GetMessagesBySessionIdAsync and GetProductByNameAsync | 📊 Baseline |
| 9 | DNET-DISPOSE-002 | 🟢 Minor | MemoryStream not disposed in loop in PopulateCosmosAsync | 📊 Baseline |
| 10 | DNET-LINQ-001 | 🟢 Minor | Count() > 0 used instead of Any() in GetProductByNameAsync | 📊 Baseline |
| 11 | DNET-ASYNC-001 | 🟢 Minor | Dead variable embeddingString computed and discarded in ResourceLookup | 📊 Baseline |
| 12 | DNET-MODERN-001 | 🟢 Minor | AISearchDataPlugin and ProductDataPlugin use explicit constructors inconsistently | 📊 Baseline |
| 13 | DNET-INFO-001 | ℹ️ Info | Nullable reference types enabled and ImplicitUsings enabled — good baseline | 📊 Baseline |
| 14 | DNET-INFO-002 | ℹ️ Info | Primary constructors adopted across most classes — modern C# practice applied | 📊 Baseline |

---

### 2. API Config Steward

📄 [Full Review](../Stewards%20Reviews%20-%20API%20Config%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/API%20Config%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | ACFG-VALID-001 | 🔴 Critical | No startup validation — missing config causes runtime failures | 📊 Baseline |
| 2 | ACFG-OPTIONS-001 | 🟡 Notable | Raw IConfiguration injection in service classes instead of typed options | 📊 Baseline |
| 3 | ACFG-OPTIONS-002 | 🟡 Notable | No typed options classes or IOptions&lt;T&gt; used anywhere in the project | 📊 Baseline |
| 4 | ACFG-OPTIONS-003 | 🟡 Notable | Direct builder.Configuration["Key"]! at service registration in Program.cs | 📊 Baseline |
| 5 | ACFG-SECRET-001 | 🟡 Notable | No Azure Key Vault integration in the configuration pipeline | 📊 Baseline |
| 6 | ACFG-SECRET-002 | 🟡 Notable | No dotnet user-secrets configured for local development | 📊 Baseline |
| 7 | ACFG-VALID-002 | 🟡 Notable | No ValidateDataAnnotations() or ValidateOnStart() for any options | 📊 Baseline |
| 8 | ACFG-ENV-001 | 🟡 Notable | Swagger unconditionally enabled — environment guard is commented out | 📊 Baseline |
| 9 | ACFG-CORS-001 | 🟡 Notable | AllowAll CORS policy hardcoded with no environment-specific override | 📊 Baseline |
| 10 | ACFG-STRUCT-001 | 🟢 Minor | No appsettings.Development.json or appsettings.Production.json | 📊 Baseline |
| 11 | ACFG-STRUCT-002 | 🟢 Minor | Required configuration keys undocumented — absent from appsettings.json | 📊 Baseline |
| 12 | ACFG-ENV-002 | 🟢 Minor | launchSettings.json has only one profile — no HTTPS or Staging profile | 📊 Baseline |
| 13 | ACFG-POSIT-001 | ℹ️ Info | No secrets committed to source control — appsettings.json is clean | 📊 Baseline |

---

### 3. API Observability Steward

📄 [Full Review](../Stewards%20Reviews%20-%20API%20Observability%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/API%20Observability%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | AOTL-HEALTH-001 | 🔴 Critical | No health check endpoint configured | 📊 Baseline |
| 2 | AOTL-LOG-001 | 🔴 Critical | Exceptions logged at Information level instead of Error | 📊 Baseline |
| 3 | AOTL-LOG-002 | 🔴 Critical | Full AI response and full product JSON logged — potential PII and data volume risk | 📊 Baseline |
| 4 | AOTL-TRACE-001 | 🟡 Notable | No custom spans on critical LLM, search, and Cosmos DB paths | 📊 Baseline |
| 5 | AOTL-PIPE-001 | 🟡 Notable | No explicit OpenTelemetry pipeline configuration — pipeline is entirely implicit | 📊 Baseline |
| 6 | AOTL-PIPE-002 | 🟡 Notable | No service name or version set in OpenTelemetry resource attributes | 📊 Baseline |
| 7 | AOTL-PIPE-003 | 🟡 Notable | No Cosmos DB SDK instrumentation package referenced | 📊 Baseline |
| 8 | AOTL-LOG-003 | 🟡 Notable | String concatenation used instead of structured log template | 📊 Baseline |
| 9 | AOTL-CORR-001 | 🟡 Notable | No correlation ID included in error responses | 📊 Baseline |
| 10 | AOTL-LOG-004 | 🟢 Minor | ChatHistoryData injects ILogger&lt;ProductData&gt; — wrong generic type parameter | 📊 Baseline |
| 11 | AOTL-MON-001 | 🟢 Minor | No sampling explicitly configured for Azure Monitor | 📊 Baseline |
| 12 | AOTL-MON-002 | 🟢 Minor | No startup validation for APPLICATIONINSIGHTS_CONNECTION_STRING | 📊 Baseline |
| 13 | AOTL-INFO-001 | ℹ️ Info | UseAzureMonitor with DefaultAzureCredential is a good pattern | 📊 Baseline |
| 14 | AOTL-INFO-002 | ℹ️ Info | ILogger&lt;T&gt; used consistently; no Console.WriteLine calls present | 📊 Baseline |
| 15 | AOTL-INFO-003 | ℹ️ Info | W3C TraceContext propagation implicitly enabled via UseAzureMonitor | 📊 Baseline |

---

### 4. API Resilience Steward

📄 [Full Review](../Stewards%20Reviews%20-%20API%20Resilience%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/API%20Resilience%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | RESL-TIMEOUT-001 | 🔴 Critical | No timeout configured for Azure OpenAI calls | 📊 Baseline |
| 2 | RESL-TIMEOUT-002 | 🔴 Critical | No timeout configured for Azure AI Search calls | 📊 Baseline |
| 3 | RESL-CANCEL-001 | 🔴 Critical | CancellationToken not propagated anywhere in the service layer | 📊 Baseline |
| 4 | RESL-RETRY-001 | 🟡 Notable | No retry policy on Azure OpenAI chat completion calls | 📊 Baseline |
| 5 | RESL-RETRY-002 | 🟡 Notable | No retry policy on Azure OpenAI embedding generation calls | 📊 Baseline |
| 6 | RESL-RETRY-003 | 🟡 Notable | No retry policy on Azure AI Search calls | 📊 Baseline |
| 7 | RESL-CB-001 | 🟡 Notable | No circuit breaker on any critical external dependency | 📊 Baseline |
| 8 | RESL-CANCEL-002 | 🟢 Minor | Azure AI Search SearchAsync called without CancellationToken | 📊 Baseline |
| 9 | RESL-CANCEL-003 | 🟢 Minor | Cosmos DB operations called without CancellationToken | 📊 Baseline |
| 10 | RESL-HTTPCLIENT-001 | ℹ️ Info | No raw new HttpClient() usage detected | 📊 Baseline |
| 11 | RESL-COSMOS-001 | ℹ️ Info | Cosmos DB SDK built-in retry active but not explicitly tuned | 📊 Baseline |

---

### 5. API Telemetry Steward

📄 [Full Review](../Stewards%20Reviews%20-%20API%20Telemetry%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/API%20Telemetry%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | ATEL-COVER-001 | 🔴 Critical | No telemetry on the chat completion flow | 📊 Baseline |
| 2 | ATEL-COVER-002 | 🔴 Critical | LLM response content logged in full — potential PII exposure | 📊 Baseline |
| 3 | ATEL-SKTEL-001 | 🔴 Critical | Semantic Kernel OTel diagnostics not enabled — no AI operation spans | 📊 Baseline |
| 4 | ATEL-COVER-003 | 🟡 Notable | No telemetry on session creation | 📊 Baseline |
| 5 | ATEL-COVER-004 | 🟡 Notable | No telemetry on RAG search execution | 📊 Baseline |
| 6 | ATEL-SKTEL-002 | 🟡 Notable | Token usage not tracked — no cost visibility | 📊 Baseline |
| 7 | ATEL-EVENT-001 | 🟡 Notable | Error paths use LogInformation instead of LogError | 📊 Baseline |
| 8 | ATEL-COVER-005 | 🟡 Notable | No error telemetry on chat completion failure path | 📊 Baseline |
| 9 | ATEL-EVENT-002 | 🟢 Minor | Session ID never tagged on logs or spans | 📊 Baseline |
| 10 | ATEL-METRIC-001 | 🟢 Minor | No custom business metrics defined | 📊 Baseline |
| 11 | ATEL-EVENT-003 | 🟢 Minor | Log messages use vague, non-semantic names | 📊 Baseline |
| 12 | ATEL-INFRA-001 | ℹ️ Info | Azure Monitor / OpenTelemetry infrastructure correctly wired | 📊 Baseline |
| 13 | ATEL-SKTEL-003 | ℹ️ Info | SK 1.31.0 supports OTel diagnostics via experimental feature flag | 📊 Baseline |

---

### 6. Bicep Module Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Bicep%20Module%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Bicep%20Module%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | BICM-PARAM-001 | 🔴 Critical | CosmosDb_ConnectionString set to empty string — API app will fail to connect to Cosmos DB at runtime | 📊 Baseline |
| 2 | BICM-PARAM-002 | 🔴 Critical | No parameter files exist for any environment — no reproducible multi-environment deployments possible | 📊 Baseline |
| 3 | BICM-APIVER-001 | 🟡 Notable | Microsoft.Authorization/roleAssignments@2020-04-01-preview preview API used in four files | 📊 Baseline |
| 4 | BICM-APIVER-002 | 🟡 Notable | Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30 is over 5 years old | 📊 Baseline |
| 5 | BICM-APIVER-003 | 🟡 Notable | Microsoft.Search/searchServices@2021-04-01-preview is a 2021 preview API | 📊 Baseline |
| 6 | BICM-APIVER-004 | 🟡 Notable | Microsoft.OperationalInsights/workspaces@2021-12-01-preview is a preview API | 📊 Baseline |
| 7 | BICM-APIVER-005 | 🟡 Notable | Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-07-01-preview is a preview API | 📊 Baseline |
| 8 | BICM-PARAM-003 | 🟡 Notable | Hardcoded location 'centralus' for Cosmos DB bypasses the deployment location parameter | 📊 Baseline |
| 9 | BICM-PARAM-004 | 🟡 Notable | Storage account name missing uniqueString() token — globally unique name not guaranteed across subscriptions | 📊 Baseline |
| 10 | BICM-PARAM-005 | 🟡 Notable | Multiple app settings hardcoded inline — model names, API versions, index names, and DB names cannot vary by environment | 📊 Baseline |
| 11 | BICM-OUTPUT-001 | 🟡 Notable | instrumentationKey exported as plain string output — sensitive credential should use Key Vault reference | 📊 Baseline |
| 12 | BICM-MODULE-001 | 🟡 Notable | key-vault.bicep is an empty placeholder file — Key Vault integration was planned but never implemented | 📊 Baseline |
| 13 | BICM-PARAM-006 | 🟢 Minor | Parameter names use non-camelCase conventions in multiple modules | 📊 Baseline |
| 14 | BICM-PARAM-007 | 🟢 Minor | Missing @description() decorators on parameters across multiple modules | 📊 Baseline |
| 15 | BICM-NAMING-001 | 🟢 Minor | Variables blob_uri and queue_uri use snake_case instead of camelCase | 📊 Baseline |
| 16 | BICM-NAMING-002 | 🟢 Minor | Custom Cosmos DB role display name 'My Read Write Role' is informal and misleading | 📊 Baseline |
| 17 | BICM-OUTPUT-002 | 🟢 Minor | appServiceURL and storageBlobURL constructed via string interpolation instead of resource properties | 📊 Baseline |
| 18 | BICM-INFO-001 | ℹ️ Info | Module decomposition into core/ primitives and app/ orchestration is a sound pattern | 📊 Baseline |
| 19 | BICM-INFO-002 | ℹ️ Info | Managed identity plus RBAC-only access pattern correctly avoids connection string secrets | 📊 Baseline |

---

### 7. Bicep Testing Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Bicep%20Testing%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Bicep%20Testing%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | ITST-TEST-001 | 🔴 Critical | No Bicep test files exist anywhere in the infra folder | 📊 Baseline |
| 2 | ITST-LINT-001 | 🔴 Critical | No bicepconfig.json — linting is unconfigured and unenforced | 📊 Baseline |
| 3 | ITST-WHATIF-001 | 🔴 Critical | No what-if validation before deployment — changes applied directly | 📊 Baseline |
| 4 | ITST-PSRULE-001 | 🟡 Notable | No PSRule for Azure configuration — no compliance testing | 📊 Baseline |
| 5 | ITST-LINT-002 | 🟡 Notable | key-vault.bicep is empty (0 bytes) — no lint or content check catches this | 📊 Baseline |
| 6 | ITST-LINT-003 | 🟡 Notable | secure-params-in-nested-deploy rule not enforced — CosmosDB connection string passed as plain string | 📊 Baseline |
| 7 | ITST-PARAM-001 | 🟢 Minor | Storage account name has no @minLength(3) / @maxLength(24) constraint | 📊 Baseline |
| 8 | ITST-PARAM-002 | 🟢 Minor | Cosmos DB container throughput has no @minValue(400) / @maxValue(1000000) constraint | 📊 Baseline |
| 9 | ITST-PARAM-003 | 🟢 Minor | Multiple app module parameters have no @description or length constraints | 📊 Baseline |
| 10 | ITST-PARAM-004 | ℹ️ Info | main.bicep and search-services.bicep use parameter validation decorators correctly | 📊 Baseline |

---

### 8. C# Unit Test Steward

📄 [Full Review](../Stewards%20Reviews%20-%20C%23%20Unit%20Test%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/C%23%20Unit%20Test%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | TEST-COVER-001 | 🔴 Critical | No C# test project exists — zero test coverage across the entire solution | 📊 Baseline |
| 2 | TEST-COVER-002 | 🟡 Notable | Controllers (ChatController, SessionController) have zero test coverage | 📊 Baseline |
| 3 | TEST-COVER-003 | 🟡 Notable | ChatService has zero test coverage including untested branching logic | 📊 Baseline |
| 4 | TEST-ISOL-001 | 🟡 Notable | Data classes depend on concrete Azure SDK types with no interface seam for unit testing | 📊 Baseline |
| 5 | TEST-COVER-004 | 🟢 Minor | Semantic Kernel plugins (AISearchDataPlugin, ProductDataPlugin) have zero test coverage | 📊 Baseline |
| 6 | TEST-QUAL-001 | 🟢 Minor | ChatService has 6 constructor dependencies — exceeds the over-mocking threshold for unit tests | 📊 Baseline |
| 7 | TEST-COVER-005 | ℹ️ Info | GenerateProductInfo.PopulateCosmosAsync silently swallows all exceptions — untested | 📊 Baseline |

---

### 9. CosmosDB Steward

📄 [Full Review](../Stewards%20Reviews%20-%20CosmosDB%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/CosmosDB%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | CSDB-PARTKEY-001 | 🔴 Critical | Chat history partitioned by /id but queried by sessionid — full cross-partition scan on every session load | 📊 Baseline |
| 2 | CSDB-QUERY-001 | 🔴 Critical | GetProductByNameAsync issues cross-partition fan-out query with no partition key filter | 📊 Baseline |
| 3 | CSDB-ERROR-001 | 🟡 Notable | Chat history write methods have no error handling — 429 and other Cosmos errors propagate unhandled | 📊 Baseline |
| 4 | CSDB-ERROR-002 | 🟡 Notable | No 429 retry logic at application layer; SDK retry policy not configured | 📊 Baseline |
| 5 | CSDB-QUERY-002 | 🟡 Notable | SELECT * used in both containers — fetches full documents when only specific fields are needed | 📊 Baseline |
| 6 | CSDB-ERROR-003 | 🟡 Notable | GetProductByNameAsync returns null on no-match; callers risk NullReferenceException | 📊 Baseline |
| 7 | CSDB-CONFIG-001 | 🟢 Minor | No CosmosClientOptions configured — connection mode, retry policy, and serialization options at defaults | 📊 Baseline |
| 8 | CSDB-CONFIG-002 | 🟢 Minor | EnableContentResponseOnWrite not set to false — write operations return full document payloads | 📊 Baseline |
| 9 | CSDB-TTL-001 | 🟢 Minor | Chat history container has no TTL configured — old session messages accumulate indefinitely | 📊 Baseline |
| 10 | CSDB-CLIENT-001 | ℹ️ Info | CosmosClient correctly registered as Singleton — connection pool is properly shared | 📊 Baseline |
| 11 | CSDB-SEED-001 | ℹ️ Info | Startup seeding catches all exceptions silently — application may start with empty product catalog | 📊 Baseline |

---

### 10. Infra Deployment Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Infra%20Deployment%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Infra%20Deployment%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | IDEP-CICD-001 | 🔴 Critical | No CI/CD pipeline — deployment is fully manual | 📊 Baseline |
| 2 | IDEP-CICD-002 | 🔴 Critical | No Bicep what-if validation before deployment | 📊 Baseline |
| 3 | IDEP-SECRETS-001 | 🔴 Critical | CosmosDB connection string managed manually outside automation | 📊 Baseline |
| 4 | IDEP-ENV-001 | 🟡 Notable | Single hardcoded environment — no staging or promotion gates | 📊 Baseline |
| 5 | IDEP-ROLLBACK-001 | 🟡 Notable | No rollback mechanism — no deployment slots or artifact preservation | 📊 Baseline |
| 6 | IDEP-VALIDATE-001 | 🟡 Notable | No post-deployment health check after application deployment | 📊 Baseline |
| 7 | IDEP-SECRETS-002 | 🟡 Notable | Key Vault provisioned but key-vault.bicep is empty and KeyVaultUri is unset | 📊 Baseline |
| 8 | IDEP-CICD-003 | 🟢 Minor | Interactive az login in deploy script prevents pipeline automation | 📊 Baseline |
| 9 | IDEP-CICD-004 | 🟢 Minor | Fixed Start-Sleep used as infrastructure readiness wait | 📊 Baseline |
| 10 | IDEP-CICD-005 | 🟢 Minor | --track-status false suppresses deployment error detection | 📊 Baseline |
| 11 | IDEP-SECRETS-003 | ℹ️ Info | Managed Identity used for all service authentication | 📊 Baseline |
| 12 | IDEP-AZD-001 | ℹ️ Info | No azure.yaml — project does not use Azure Developer CLI | 📊 Baseline |

---

### 11. Infra Networking Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Infra%20Networking%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Infra%20Networking%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | INET-PVTEP-001 | 🔴 Critical | Storage Account publicly accessible with no IP restriction | 📊 Baseline |
| 2 | INET-PVTEP-002 | 🔴 Critical | Cosmos DB publicly accessible with no network restriction | 📊 Baseline |
| 3 | INET-PVTEP-003 | 🔴 Critical | Azure AI Search publicly accessible with no IP restriction or private endpoint | 📊 Baseline |
| 4 | INET-PVTEP-004 | 🔴 Critical | Azure OpenAI publicly accessible with no network restriction | 📊 Baseline |
| 5 | INET-VNET-001 | 🟡 Notable | No VNet deployed — entire workload runs on public internet | 📊 Baseline |
| 6 | INET-VNET-002 | 🟡 Notable | App Service (API) has no VNet integration | 📊 Baseline |
| 7 | INET-VNET-003 | 🟡 Notable | Function App has no VNet integration | 📊 Baseline |
| 8 | INET-VNET-004 | 🟡 Notable | App Service Plan Basic tier prevents VNet integration | 📊 Baseline |
| 9 | INET-KV-001 | 🟡 Notable | Key Vault module file is empty — Key Vault is not deployed | 📊 Baseline |
| 10 | INET-CORS-001 | 🟡 Notable | Storage Account blob service has no explicit CORS policy | 📊 Baseline |
| 11 | INET-STOR-001 | 🟢 Minor | Blob containers missing explicit publicAccess: None | 📊 Baseline |
| 12 | INET-NSG-001 | 🟢 Minor | No NSG resources exist in the infrastructure | 📊 Baseline |
| 13 | INET-DNS-001 | 🟢 Minor | No private DNS zones scaffolded for future private endpoint readiness | 📊 Baseline |
| 14 | INET-AUTH-001 | ℹ️ Info | Managed Identity RBAC used consistently across all services | 📊 Baseline |
| 15 | INET-AUTH-002 | ℹ️ Info | Azure AI Search local auth correctly disabled | 📊 Baseline |

---

### 12. Infra Security Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Infra%20Security%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Infra%20Security%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | ISEC-PUBLIC-001 | 🔴 Critical | Storage account has public network access explicitly enabled | 📊 Baseline |
| 2 | ISEC-PUBLIC-002 | 🔴 Critical | Storage account missing allowBlobPublicAccess: false; three containers lack publicAccess: 'None' | 📊 Baseline |
| 3 | ISEC-HTTPS-001 | 🔴 Critical | App Services and Function App missing httpsOnly: true | 📊 Baseline |
| 4 | ISEC-KV-001 | 🔴 Critical | No Key Vault provisioned; secrets have no managed secret store | 📊 Baseline |
| 5 | ISEC-PUBLIC-003 | 🟡 Notable | Azure OpenAI has public network access enabled with no IP restrictions | 📊 Baseline |
| 6 | ISEC-PUBLIC-004 | 🟡 Notable | Azure AI Search public network access defaults to enabled with no IP rules | 📊 Baseline |
| 7 | ISEC-PUBLIC-005 | 🟡 Notable | Cosmos DB has no publicNetworkAccess restriction configured | 📊 Baseline |
| 8 | ISEC-AUTH-001 | 🟡 Notable | Cosmos DB key-based authentication not disabled (disableKeyBasedAuth hardcoded to false) | 📊 Baseline |
| 9 | ISEC-RBAC-001 | 🟡 Notable | Storage account has redundant and over-permissioned RBAC roles (Blob Data Owner + Blob Data Contributor + Account Contributor) | 📊 Baseline |
| 10 | ISEC-RBAC-002 | 🟡 Notable | Search Service Contributor grants management-plane access beyond what RAG operations require | 📊 Baseline |
| 11 | ISEC-DIAG-001 | 🟡 Notable | Storage, AI Search, OpenAI, Cosmos DB, and React web app have no diagnostic settings | 📊 Baseline |
| 12 | ISEC-STORAGE-001 | 🟡 Notable | Storage account has allowSharedKeyAccess: true — shared keys enabled alongside managed identity | 📊 Baseline |
| 13 | ISEC-COSMOSDB-001 | 🟡 Notable | Cosmos DB data-plane role assignment module is never called; managed identity has no Cosmos DB access | 📊 Baseline |
| 14 | ISEC-TLS-001 | 🟢 Minor | Storage account missing explicit minimumTlsVersion: 'TLS1_2' | 📊 Baseline |
| 15 | ISEC-TLS-002 | 🟢 Minor | Storage account missing explicit supportsHttpsTrafficOnly: true | 📊 Baseline |
| 16 | ISEC-RBAC-003 | 🟢 Minor | Role assignments use deprecated API version 2020-04-01-preview | 📊 Baseline |
| 17 | ISEC-MI-001 | ℹ️ Info | User-assigned managed identity used consistently across all compute resources | 📊 Baseline |
| 18 | ISEC-MI-002 | ℹ️ Info | Function App uses managed identity for AzureWebJobsStorage and BlobTriggerConnection — no storage connection strings in config | 📊 Baseline |
| 19 | ISEC-DIAG-002 | ℹ️ Info | API App Service and Function App have comprehensive diagnostic settings forwarding to Log Analytics | 📊 Baseline |

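Most of the Infra Security and Infra Networking findings above, and the missing compliance check flagged under Bicep Testing (ITST-PSRULE-001, ITST-LINT-003), reduce to a handful of resource properties that are either unset, set permissively, or left to a parameter. The gate below is an added example, not the project's code: it runs over the ARM JSON that `bicep build` emits, descends into modules (which compile to nested `Microsoft.Resources/deployments`), and reports every resource that deviates from the secure value. Resource names in the constructed sample are invented; the property names are the real ARM ones, and the Cosmos DB `disableKeyBasedAuth` parameter from ISEC-AUTH-001 is assumed to feed the account's `disableLocalAuth` property.

```python
"""Policy gate over the ARM JSON that `bicep build` emits (constructed example)."""
import json
from typing import Any, Iterator

# Expected values per resource type, keyed by path under "properties". String
# comparison is case-insensitive: Search uses 'disabled', Storage 'Disabled'.
RULES: dict[str, dict[str, Any]] = {
    "Microsoft.Storage/storageAccounts": {
        "publicNetworkAccess": "Disabled",   # ISEC-PUBLIC-001 / INET-PVTEP-001
        "allowBlobPublicAccess": False,      # ISEC-PUBLIC-002
        "allowSharedKeyAccess": False,       # ISEC-STORAGE-001
        "minimumTlsVersion": "TLS1_2",       # ISEC-TLS-001
        "supportsHttpsTrafficOnly": True,    # ISEC-TLS-002
    },
    "Microsoft.Storage/storageAccounts/blobServices/containers": {
        "publicAccess": "None",              # ISEC-PUBLIC-002 / INET-STOR-001
    },
    "Microsoft.Web/sites": {"httpsOnly": True},  # ISEC-HTTPS-001
    "Microsoft.DocumentDB/databaseAccounts": {
        "publicNetworkAccess": "Disabled",   # ISEC-PUBLIC-005 / INET-PVTEP-002
        "disableLocalAuth": True,            # ISEC-AUTH-001: key-based auth off
    },
    "Microsoft.Search/searchServices": {
        "publicNetworkAccess": "disabled",   # ISEC-PUBLIC-004 / INET-PVTEP-003
        "disableLocalAuth": True,            # INET-AUTH-002
    },
    "Microsoft.CognitiveServices/accounts": {
        "publicNetworkAccess": "Disabled",   # ISEC-PUBLIC-003 / INET-PVTEP-004
    },
}


def iter_resources(template: dict) -> Iterator[dict]:
    """Yield every resource, descending into Bicep modules (nested deployments)."""
    resources = template.get("resources", [])
    # languageVersion 2.0 templates key resources by symbolic name instead of a list
    for res in resources.values() if isinstance(resources, dict) else resources:
        yield res
        if res.get("type") == "Microsoft.Resources/deployments":
            nested = (res.get("properties") or {}).get("template")
            if nested:
                yield from iter_resources(nested)


def _matches(actual: Any, expected: Any) -> bool:
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()
    return actual == expected


def check_template(template: dict) -> list[str]:
    """Return one finding per violated rule; an empty list means the gate passes."""
    findings: list[str] = []
    for res in iter_resources(template):
        rtype, name = res.get("type", ""), res.get("name", "<unnamed>")
        props = res.get("properties") or {}
        for prop, expected in RULES.get(rtype, {}).items():
            if prop not in props:
                findings.append(f"{rtype} '{name}': {prop} not set, expected {expected!r} "
                                "(the platform default is permissive)")
            elif isinstance(props[prop], str) and props[prop].startswith("["):
                # An ARM expression such as [parameters('x')] cannot be verified statically.
                findings.append(f"{rtype} '{name}': {prop} is the expression {props[prop]} "
                                f"and cannot be verified, pin it to {expected!r}")
            elif not _matches(props[prop], expected):
                findings.append(f"{rtype} '{name}': {prop}={props[prop]!r}, expected {expected!r}")
    return findings


def apply_baseline(template: dict) -> dict:
    """Deep-copy the template with every rule's expected value set: the 'after' state."""
    fixed = json.loads(json.dumps(template))
    for res in iter_resources(fixed):
        for prop, expected in RULES.get(res.get("type", ""), {}).items():
            res.setdefault("properties", {})[prop] = expected
    return fixed


# Constructed sample that mirrors the findings above; not the project's real build output.
INSECURE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stragdemo",
         "properties": {"publicNetworkAccess": "Enabled", "allowSharedKeyAccess": True}},
        {"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
         "name": "stragdemo/default/documents", "properties": {}},
        {"type": "Microsoft.Web/sites", "name": "app-rag-api", "properties": {}},
        {"type": "Microsoft.Resources/deployments", "name": "cosmosModule",
         "properties": {"template": {"resources": [
             {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-rag-demo",
              "properties": {"disableLocalAuth": "[parameters('disableKeyBasedAuth')]"}}]}}},
    ],
}

if __name__ == "__main__":
    for line in check_template(INSECURE_TEMPLATE):
        print(line)
```

Run it as a CI step on `bicep build infra/main.bicep --stdout` before the `what-if` that ITST-WHATIF-001 and IDEP-CICD-002 ask for. Two caveats follow from the tables themselves: turning key-based auth off on Cosmos DB only works once the data-plane role assignment module is actually called (ISEC-COSMOSDB-001) and the empty `CosmosDb_ConnectionString` app setting is removed (BICM-PARAM-001); and `publicNetworkAccess: 'Disabled'` on the dependencies needs the VNet integration and private endpoints that INET-VNET-001 through INET-VNET-004 report as absent, so the gate describes the target state and should land together with that network work rather than ahead of it.
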
---

### 13. Interface Design Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Interface%20Design%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Interface%20Design%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | INTF-MISS-001 | 🟡 Notable | ChatService injected as concrete type with no interface seam | 📊 Baseline |
| 2 | INTF-MISS-002 | 🟡 Notable | ProductData has no interface — Cosmos DB boundary is not abstracted | 📊 Baseline |
| 3 | INTF-MISS-003 | 🟡 Notable | ChatHistoryData has no interface — Cosmos DB boundary is not abstracted | 📊 Baseline |
| 4 | INTF-MISS-004 | 🟡 Notable | AISearchData has no interface — AI Search boundary is not abstracted | 📊 Baseline |
| 5 | INTF-SIG-001 | 🟡 Notable | All async I/O methods lack CancellationToken | 📊 Baseline |
| 6 | INTF-DI-002 | 🟡 Notable | ChatHistory registered as Singleton consumed by Scoped ChatService — mutable shared state | 📊 Baseline |
| 7 | INTF-SIG-002 | 🟢 Minor | ProductData.GetProductByNameAsync returns unannotated nullable Dictionary | 📊 Baseline |
| 8 | INTF-SIG-003 | 🟢 Minor | ChatHistoryData public methods accept ChatHistory (Semantic Kernel infrastructure type) | 📊 Baseline |
| 9 | INTF-DI-001 | 🟢 Minor | SearchIndexClient registered in DI but never injected into any class | 📊 Baseline |
| 10 | INTF-STRCT-001 | ℹ️ Info | Product class defined twice in different files with different property sets | 📊 Baseline |
| 11 | INTF-STRCT-002 | ℹ️ Info | ChatRequest DTO properties lack nullability annotations | 📊 Baseline |

---

### 14. Python Best Practices Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Python%20Best%20Practices%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Python%20Best%20Practices%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | PYBP-ERRH-001 | 🔴 Critical | Cleanup code executes unconditionally after exception — risk of data loss | 📊 Baseline |
| 2 | PYBP-ERRH-002 | 🔴 Critical | Variables used outside try/except scope — NameError on exception path | 📊 Baseline |
| 3 | PYBP-DEPS-001 | 🔴 Critical | Critical dependencies unpinned — langchain and langchain-openai prone to breaking changes | 📊 Baseline |
| 4 | PYBP-TYPE-001 | 🟡 Notable | No type annotations on public function signatures | 📊 Baseline |
| 5 | PYBP-TYPE-002 | 🟡 Notable | Unused typing imports (List, Optional) — annotations not applied | 📊 Baseline |
| 6 | PYBP-DEPS-002 | 🟡 Notable | Unused dependencies in requirements.txt inflate deployment package | 📊 Baseline |
| 7 | PYBP-DEPS-003 | 🟡 Notable | No dev dependency separation | 📊 Baseline |
| 8 | PYBP-QUAL-001 | 🟡 Notable | logging module passed as constructor argument — fragile coupling | 📊 Baseline |
| 9 | PYBP-ERRH-003 | 🟡 Notable | raise ex loses original traceback — use bare raise | 📊 Baseline |
| 10 | PYBP-QUAL-002 | 🟡 Notable | environ.get() and environ[] used inconsistently — silent None vs KeyError | 📊 Baseline |
| 11 | PYBP-QUAL-003 | 🟢 Minor | Loader function name uses PascalCase — should be snake_case | 📊 Baseline |
| 12 | PYBP-QUAL-004 | 🟢 Minor | Commented-out code blocks left in production file | 📊 Baseline |
| 13 | PYBP-QUAL-005 | 🟢 Minor | Magic strings for container names — use constants | 📊 Baseline |
| 14 | PYBP-QUAL-006 | 🟢 Minor | Indentation inconsistencies — extra leading spaces | 📊 Baseline |
| 15 | PYBP-STRUCT-001 | 🟢 Minor | All application logic in a single file — should be modularized | 📊 Baseline |
| 16 | PYBP-STRUCT-002 | ℹ️ Info | Azure Functions v2 programming model used correctly | 📊 Baseline |
| 17 | PYBP-ASYNC-001 | ℹ️ Info | Sync handler with all-sync I/O is functional but limits concurrency at scale | 📊 Baseline |

---

### 15. Python Config Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Python%20Config%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Python%20Config%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | PYCFG-ENVVAR-001 | 🟡 Notable | No startup validation of required environment variables | 📊 Baseline |
| 2 | PYCFG-ENVVAR-002 | 🟡 Notable | Bare environ[] subscript without error handling for required variables | 📊 Baseline |
| 3 | PYCFG-ENVVAR-003 | 🟡 Notable | environ.get() returns None silently for required OpenAI parameters | 📊 Baseline |
| 4 | PYCFG-ENVVAR-004 | 🟡 Notable | Runtime mutation of os.environ is a concurrency hazard | 📊 Baseline |
| 5 | PYCFG-LOCAL-001 | 🟡 Notable | No local.settings.json.example provided | 📊 Baseline |
| 6 | PYCFG-SECRET-001 | 🟢 Minor | Key Vault scaffolding present but unused | 📊 Baseline |
| 7 | PYCFG-ENVVAR-005 | 🟢 Minor | Dead AZURE_STORAGE_URL environment variable — Bicep/code mismatch | 📊 Baseline |
| 8 | PYCFG-LOGGING-001 | 🟢 Minor | Full document content logged at INFO level in production | 📊 Baseline |
| 9 | PYCFG-ENVVAR-006 | 🟢 Minor | No environment-aware log level configuration | 📊 Baseline |
| 10 | PYCFG-SECRET-002 | ℹ️ Info | AZURE_OPENAI_API_KEY parameter creates latent plaintext key fallback path | 📊 Baseline |
| 11 | PYCFG-INFRA-001 | ℹ️ Info | Managed Identity authentication correctly implemented for all Azure services | 📊 Baseline |

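PYCFG-ENVVAR-001 through PYCFG-ENVVAR-004 describe one problem from four angles: configuration is read piecemeal at call time, so a missing value surfaces as `None` or a `KeyError` inside the blob handler, and the code patches `os.environ` to compensate. The loader below is an added example rather than the project's code. The variable names are hypothetical stand-ins for the app's real settings; it reads the environment once, reports every problem in a single exception, treats blank values like missing ones, and never writes back to `os.environ`. The two warnings it emits come from PYCFG-SECRET-002 and PYOTL-MON-001.

```python
"""Fail-fast settings loader for the Functions app (constructed example)."""
from __future__ import annotations

import logging
import os
from dataclasses import dataclass
from typing import Mapping

log = logging.getLogger(__name__)

# Hypothetical variable names; substitute the app's real ones. Required values must be
# present and non-empty, so a blank app setting is reported the same way as a missing one.
REQUIRED = (
    "AZURE_OPENAI_ENDPOINT",
    "AZURE_OPENAI_EMBEDDING_DEPLOYMENT",
    "AZURE_SEARCH_ENDPOINT",
    "AZURE_STORAGE_ACCOUNT_URL",
)
LOG_LEVELS = ("DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL")


class ConfigError(RuntimeError):
    """Raised once, at startup, listing every configuration problem found."""


@dataclass(frozen=True)
class Settings:
    openai_endpoint: str
    embedding_deployment: str
    search_endpoint: str
    storage_account_url: str
    appinsights_connection_string: str | None
    log_level: str
    warnings: tuple[str, ...] = ()

    @classmethod
    def from_env(cls, env: Mapping[str, str] | None = None) -> Settings:
        """Read the environment once; never write back to os.environ (PYCFG-ENVVAR-004)."""
        env = os.environ if env is None else env
        errors = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
        level = env.get("LOG_LEVEL", "INFO").upper()
        if level not in LOG_LEVELS:
            errors.append(f"LOG_LEVEL={level!r} is not one of {', '.join(LOG_LEVELS)}")
        if errors:
            # One aggregated failure instead of the first KeyError at request time.
            raise ConfigError("invalid configuration: " + "; ".join(errors))

        warnings = []
        if env.get("AZURE_OPENAI_API_KEY"):
            warnings.append("AZURE_OPENAI_API_KEY is set: the app authenticates with managed "
                            "identity, so this is a latent plaintext credential (PYCFG-SECRET-002)")
        if env.get("APPINSIGHTS_INSTRUMENTATIONKEY") and not env.get("APPLICATIONINSIGHTS_CONNECTION_STRING"):
            warnings.append("APPINSIGHTS_INSTRUMENTATIONKEY is deprecated; set "
                            "APPLICATIONINSIGHTS_CONNECTION_STRING instead (PYOTL-MON-001)")
        for w in warnings:
            log.warning(w)
        return cls(
            openai_endpoint=env["AZURE_OPENAI_ENDPOINT"],
            embedding_deployment=env["AZURE_OPENAI_EMBEDDING_DEPLOYMENT"],
            search_endpoint=env["AZURE_SEARCH_ENDPOINT"],
            storage_account_url=env["AZURE_STORAGE_ACCOUNT_URL"],
            appinsights_connection_string=env.get("APPLICATIONINSIGHTS_CONNECTION_STRING") or None,
            log_level=level,
            warnings=tuple(warnings),
        )


if __name__ == "__main__":
    # In function_app.py, call this at import time so a misconfigured app fails to load
    # instead of failing on the first blob it receives.
    SETTINGS = Settings.from_env()
    logging.basicConfig(level=SETTINGS.log_level)
```

Build the LangChain and Azure SDK clients from the `Settings` fields, passing endpoints and deployment names as constructor arguments, so no code path needs to mutate `os.environ` for the libraries to find them. The `LOG_LEVEL` setting also covers PYCFG-ENVVAR-006 without any further plumbing.
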
---

### 16. Python Observability Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Python%20Observability%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Python%20Observability%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | PYOTL-ERR-001 | 🔴 Critical | Blob delete outside try/except causes NameError masking original failure | 📊 Baseline |
| 2 | PYOTL-MON-001 | 🟡 Notable | APPINSIGHTS_INSTRUMENTATIONKEY used instead of APPLICATIONINSIGHTS_CONNECTION_STRING | 📊 Baseline |
| 3 | PYOTL-LOG-001 | 🟡 Notable | Root logger used instead of named module logger | 📊 Baseline |
| 4 | PYOTL-ERR-002 | 🟡 Notable | Exceptions logged as two separate records instead of using logging.exception() | 📊 Baseline |
| 5 | PYOTL-LOG-002 | 🟡 Notable | Full document content logged at INFO — potential PII exposure in Application Insights | 📊 Baseline |
| 6 | PYOTL-TRC-001 | 🟡 Notable | Blob name absent from error log messages — hinders cross-document error correlation | 📊 Baseline |
| 7 | PYOTL-LOG-003 | 🟢 Minor | F-string formatting in log calls instead of lazy % formatting | 📊 Baseline |
| 8 | PYOTL-ERR-003 | 🟢 Minor | AI Search error log missing exc_info — no stack trace attached to log record | 📊 Baseline |
| 9 | PYOTL-LOG-004 | 🟢 Minor | Index-not-found logged at INFO instead of WARNING | 📊 Baseline |
| 10 | PYOTL-MON-002 | ℹ️ Info | Application Insights and Log Analytics are provisioned and diagnostic settings are configured | 📊 Baseline |
| 11 | PYOTL-MON-003 | ℹ️ Info | No print() statements used — logging module is used throughout | 📊 Baseline |

---

### 17. Python Resilience Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Python%20Resilience%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Python%20Resilience%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | PYRES-RETRY-001 | 🔴 Critical | No retry policy in host.json | 📊 Baseline |
| 2 | PYRES-ERR-001 | 🔴 Critical | All exceptions swallowed — function always returns success on failure | 📊 Baseline |
| 3 | PYRES-ERR-002 | 🔴 Critical | Blob delete executed outside try block — undefined variable reference on error path | 📊 Baseline |
| 4 | PYRES-TIMEOUT-001 | 🔴 Critical | No timeout on embedding API call — function can block indefinitely | 📊 Baseline |
| 5 | PYRES-TIMEOUT-002 | 🟡 Notable | functionTimeout not explicitly set in host.json | 📊 Baseline |
| 6 | PYRES-CLEANUP-001 | 🟡 Notable | Blob clients and search clients never explicitly closed | 📊 Baseline |
| 7 | PYRES-DLQ-001 | 🟡 Notable | No dead-letter handling for permanently unprocessable blobs | 📊 Baseline |
| 8 | PYRES-ERR-003 | 🟡 Notable | Index existence check not guarded against non-ResourceNotFoundError exceptions | 📊 Baseline |
| 9 | PYRES-RETRY-002 | 🟢 Minor | AzureOpenAIEmbeddings client created on every invocation — no connection reuse | 📊 Baseline |
| 10 | PYRES-IDEM-001 | ℹ️ Info | AI Search upload_documents is effectively idempotent via key-based replace | 📊 Baseline |
| 11 | PYRES-IDEM-002 | ℹ️ Info | Blob copy to completed container uses overwrite=True — idempotent on retry | 📊 Baseline |

---

### 18. Python Test Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Python%20Test%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Python%20Test%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | PYTS-COVER-001 | 🔴 Critical | Zero test coverage across all Python modules | 📊 Baseline |
| 2 | PYTS-CONFIG-001 | 🔴 Critical | No pytest configuration | 📊 Baseline |
| 3 | PYTS-COVER-002 | 🔴 Critical | Blob trigger handler Loader has no test coverage | 📊 Baseline |
| 4 | PYTS-COVER-003 | 🔴 Critical | AISearchIndexLoader.populate_search_index has no test coverage | 📊 Baseline |
| 5 | PYTS-MOCK-001 | 🟡 Notable | No mocking infrastructure for Azure SDK or LangChain | 📊 Baseline |
| 6 | PYTS-COVER-004 | 🟡 Notable | html_to_json has no tests despite being purely functional | 📊 Baseline |
| 7 | PYTS-ISOLATE-001 | 🟡 Notable | Global os.environ mutation in Loader will cause test pollution | 📊 Baseline |
| 8 | PYTS-COVER-005 | 🟢 Minor | DirectoryZipper utility has no tests | 📊 Baseline |
| 9 | PYTS-INFO-001 | ℹ️ Info | html_to_json is well-structured for unit testing | 📊 Baseline |
| 10 | PYTS-INFO-002 | ℹ️ Info | .funcignore references a test directory, indicating test intent | 📊 Baseline |

---

### 19. REST API Steward

📄 [Full Review](../Stewards%20Reviews%20-%20REST%20API%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/REST%20API%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | REST-VERB-001 | 🔴 Critical | State-creating GET: /session endpoint uses GET for session creation | 📊 Baseline |
| 2 | REST-CONTRACT-001 | 🔴 Critical | Double-JSON serialization in POST /chat response — client receives a JSON string containing JSON | 📊 Baseline |
| 3 | REST-VALIDATION-001 | 🔴 Critical | No input validation on POST /chat — unbounded Input string with no null or length guard | 📊 Baseline |
| 4 | REST-STATUS-001 | 🟡 Notable | POST /chat returns raw string not IActionResult — no typed error status codes possible from controller | 📊 Baseline |
| 5 | REST-STATUS-002 | 🟡 Notable | GET /session returns 200 OK instead of 201 Created for resource creation | 📊 Baseline |
| 6 | REST-ERROR-001 | 🟡 Notable | No global exception-handling middleware — unhandled exceptions may return HTML or expose internal details | 📊 Baseline |
| 7 | REST-VERSION-001 | 🟡 Notable | No API versioning strategy — no version prefix, no versioning package, no ApiVersion attributes | 📊 Baseline |
| 8 | REST-CONTRACT-002 | 🟡 Notable | Mixed JSON casing conventions — snake_case in session response, PascalCase in chat request DTO | 📊 Baseline |
| 9 | REST-VALIDATION-002 | 🟡 Notable | SessionId field has no [Required] or format validation — null/empty value causes CosmosDB failures | 📊 Baseline |
| 10 | REST-DOCS-001 | 🟡 Notable | Swagger UI enabled unconditionally in all environments including Production | 📊 Baseline |
| 11 | REST-URL-001 | 🟢 Minor | Singular route nouns — /chat and /session should be /chats and /sessions | 📊 Baseline |
| 12 | REST-URL-002 | 🟢 Minor | No /api/ prefix on routes — API endpoints not distinguished from other middleware paths | 📊 Baseline |
| 13 | REST-DOCS-002 | 🟢 Minor | No ProducesResponseType annotations on any endpoint — Swagger spec only shows default 200 | 📊 Baseline |
| 14 | REST-CONTRACT-003 | 🟢 Minor | ChatRequest DTO defined inside the controller file — should be in a dedicated models folder | 📊 Baseline |
| 15 | REST-INFO-001 | ℹ️ Info | ApiController attribute is present on both controllers — automatic model validation is enabled | 📊 Baseline |
| 16 | REST-INFO-002 | ℹ️ Info | .http sample file uses incorrect route /PostChatRequest/ — does not match actual endpoint /chat | 📊 Baseline |

---

### 20. React API Client Steward

📄 [Full Review](../Stewards%20Reviews%20-%20React%20API%20Client%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/React%20API%20Client%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | RAPI-ERROR-001 | 🔴 Critical | No error handling on /chat POST — unhandled promise rejection | 📊 Baseline |
| 2 | RAPI-ERROR-002 | 🔴 Critical | No error handling on /session GET — silent session failure | 📊 Baseline |
| 3 | RAPI-ERROR-003 | 🔴 Critical | HTTP error status codes never checked (response.ok not tested) | 📊 Baseline |
| 4 | RAPI-ABSTRACT-001 | 🟡 Notable | No centralized API client — raw fetch calls inlined in component | 📊 Baseline |
| 5 | RAPI-LOADING-001 | 🟡 Notable | No loading state — Submit button not disabled during in-flight request | 📊 Baseline |
| 6 | RAPI-RACE-001 | 🟡 Notable | Multiple concurrent submits possible — no request serialization | 📊 Baseline |
| 7 | RAPI-RACE-002 | 🟡 Notable | No AbortController on session fetch — state update on unmounted component | 📊 Baseline |
| 8 | RAPI-TYPE-001 | 🟡 Notable | No TypeScript — API response shapes entirely untyped | 📊 Baseline |
| 9 | RAPI-TYPE-002 | 🟡 Notable | No PropTypes on ChatLayout — missing shape validation for messages prop | 📊 Baseline |
| 10 | RAPI-ERROR-004 | 🟢 Minor | console.log leaks API response payloads in production | 📊 Baseline |
| 11 | RAPI-RACE-003 | 🟢 Minor | Missing session in useEffect dependency array | 📊 Baseline |
| 12 | RAPI-ABSTRACT-002 | ℹ️ Info | Base URL correctly externalized via REACT_APP_API_HOST environment variable | 📊 Baseline |
| 13 | RAPI-ABSTRACT-003 | ℹ️ Info | .env correctly excluded from version control via .gitignore | 📊 Baseline |

---

### 21. React Auth Steward

📄 [Full Review](../Stewards%20Reviews%20-%20React%20Auth%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/React%20Auth%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | RAUTH-NOAUTH-001 | 🔴 Critical | No authentication layer — API fully open | 📊 Baseline |
| 2 | RAUTH-ROUTE-001 | 🔴 Critical | No route protection — all content accessible without login | 📊 Baseline |
| 3 | RAUTH-MSAL-001 | 🟡 Notable | No MSAL library installed or configured | 📊 Baseline |
| 4 | RAUTH-TOKEN-001 | 🟡 Notable | API calls carry no credentials or Authorization header | 📊 Baseline |
| 5 | RAUTH-SESSION-001 | 🟡 Notable | No logout or session termination mechanism | 📊 Baseline |
| 6 | RAUTH-LOG-001 | 🟢 Minor | API response logged to console — sensitive data exposure risk | 📊 Baseline |
| 7 | RAUTH-DEMO-001 | ℹ️ Info | Application is self-described as demo-only | 📊 Baseline |
| 8 | RAUTH-DEPLOY-001 | ℹ️ Info | Bicep deployment exposes app at public Azure Web App URL without auth | 📊 Baseline |

---

### 22. React Config Steward

📄 [Full Review](../Stewards%20Reviews%20-%20React%20Config%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/React%20Config%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | RCFG-ENVVAR-001 | 🟡 Notable | No .env.example documenting required variables | 📊 Baseline |
| 2 | RCFG-BUILD-001 | 🟡 Notable | Bicep App Service REACT_APP_API_HOST setting is ineffective for CRA static builds | 📊 Baseline |
| 3 | RCFG-APIURL-001 | 🟡 Notable | No fallback or startup validation for REACT_APP_API_HOST — undefined URL causes silent failure | 📊 Baseline |
| 4 | RCFG-ENVVAR-002 | 🟢 Minor | No .env.development file — local development requires manual .env creation with no guidance | 📊 Baseline |
| 5 | RCFG-ENVVAR-003 | 🟢 Minor | dotenv package listed in dependencies instead of devDependencies | 📊 Baseline |
| 6 | RCFG-BUILD-002 | 🟢 Minor | No .env.production default file — accidental build without API URL goes undetected | 📊 Baseline |
| 7 | RCFG-ENVVAR-004 | ℹ️ Info | REACT_APP_ prefix used correctly for all environment variables | 📊 Baseline |
| 8 | RCFG-ENVVAR-005 | ℹ️ Info | .env and .env.*.local files correctly gitignored | 📊 Baseline |
| 9 | RCFG-BUILD-003 | ℹ️ Info | Deploy script correctly writes .env before building | 📊 Baseline |

---

### 23. React DI Steward

📄 [Full Review](../Stewards%20Reviews%20-%20React%20DI%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/React%20DI%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | RDI-HOOK-001 | 🟡 Notable | No custom hook abstraction for API calls | 📊 Baseline |
| 2 | RDI-TEST-001 | 🟡 Notable | Agent component is untestable without real network calls | 📊 Baseline |
| 3 | RDI-TEST-002 | 🟡 Notable | Existing test uses stale CRA scaffold assertion and will fail | 📊 Baseline |
| 4 | RDI-CONFIG-001 | 🟢 Minor | API base URL read inline from process.env at multiple call sites | 📊 Baseline |
| 5 | RDI-FETCH-001 | 🟢 Minor | No AbortController on in-flight fetch requests | 📊 Baseline |
| 6 | RDI-CONTEXT-001 | ℹ️ Info | No React Context used; no established pattern for cross-cutting concerns | 📊 Baseline |
| 7 | RDI-ARCH-001 | ℹ️ Info | ChatLayout is a clean, dependency-free presentational component | 📊 Baseline |

---

### 24. React SP Practices Steward

📄 [Full Review](../Stewards%20Reviews%20-%20React%20SP%20Practices%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/React%20SP%20Practices%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | RSPA-EFFECT-001 | 🔴 Critical | useEffect fetch calls lack AbortController cleanup | 📊 Baseline |
| 2 | RSPA-KEY-001 | 🔴 Critical | Array index used as key with in-JSX mutation (i++) in message list | 📊 Baseline |
| 3 | RSPA-EFFECT-002 | 🟡 Notable | useEffect dependency array missing session variable | 📊 Baseline |
| 4 | RSPA-STATE-001 | 🟡 Notable | Dead state declared in Main class component but never used | 📊 Baseline |
| 5 | RSPA-COMP-001 | 🟡 Notable | Props object not destructured in ChatLayout — forces messages.messages double-access | 📊 Baseline |
| 6 | RSPA-EFFECT-003 | 🟡 Notable | No error handling on fetch calls — unhandled rejections and silent failures | 📊 Baseline |
| 7 | RSPA-COMP-002 | 🟢 Minor | Class component in hooks-based app with misleading exported name App | 📊 Baseline |
| 8 | RSPA-COMP-003 | 🟢 Minor | console.log left in production code path | 📊 Baseline |
| 9 | RSPA-TS-001 | 🟢 Minor | No TypeScript — all component props are untyped | 📊 Baseline |
| 10 | RSPA-MEMO-001 | ℹ️ Info | ChatLayout not memoized — re-renders on every keystroke in parent | 📊 Baseline |
| 11 | RSPA-STATE-002 | ℹ️ Info | Redundant defaultValue on controlled TextField | 📊 Baseline |

---

### 25. React Telemetry Steward

📄 [Full Review](../Stewards%20Reviews%20-%20React%20Telemetry%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/React%20Telemetry%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | RTEL-COVERAGE-001 | 🔴 Critical | No business-event telemetry on primary user journey | 📊 Baseline |
| 2 | RTEL-COVERAGE-002 | 🔴 Critical | No telemetry library installed in package.json | 📊 Baseline |
| 3 | RTEL-ERROR-001 | 🔴 Critical | API fetch calls have no error handler — error telemetry is impossible | 📊 Baseline |
| 4 | RTEL-COVERAGE-003 | 🟡 Notable | Session lifecycle emits no telemetry | 📊 Baseline |
| 5 | RTEL-COVERAGE-004 | 🟡 Notable | Chat message submission — the primary conversion event — has no telemetry | 📊 Baseline |
| 6 | RTEL-VITALS-001 | 🟢 Minor | Web Vitals scaffold is not wired to any reporting endpoint | 📊 Baseline |
| 7 | RTEL-NAMING-001 | 🟢 Minor | Debug console.log left in production chat response handler | 📊 Baseline |
| 8 | RTEL-PAYLOAD-001 | ℹ️ Info | Full user prompt text must not appear in future telemetry payloads (pre-emptive risk) | 📊 Baseline |

---

### 26. React UX Components Steward

📄 [Full Review](../Stewards%20Reviews%20-%20React%20UX%20Components%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/React%20UX%20Components%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | RCOMP-A11Y-001 | 🔴 Critical | `<img>` missing alt attribute | 📊 Baseline |
| 2 | RCOMP-A11Y-002 | 🟡 Notable | Chat message list has no aria-live region or role="log" | 📊 Baseline |
| 3 | RCOMP-A11Y-003 | 🟡 Notable | Placeholder href="#" links with no navigable destination | 📊 Baseline |
| 4 | RCOMP-THEME-001 | 🟡 Notable | No MUI ThemeProvider — all colors hardcoded as literals | 📊 Baseline |
| 5 | RCOMP-DESIGN-001 | 🟡 Notable | Class component with unused state and naming collision | 📊 Baseline |
| 6 | RCOMP-DESIGN-002 | 🟡 Notable | Dead import: Dialog/DialogContent imported but never rendered | 📊 Baseline |
| 7 | RCOMP-DESIGN-003 | 🟡 Notable | sx height value '355' is a string with no CSS unit | 📊 Baseline |
| 8 | RCOMP-DUP-001 | 🟢 Minor | Three near-identical card JSX blocks with no extracted sub-component | 📊 Baseline |
| 9 | RCOMP-DESIGN-004 | 🟢 Minor | ChatLayout props not destructured; opaque function signature | 📊 Baseline |
| 10 | RCOMP-DESIGN-005 | 🟢 Minor | Duplicate key and mutable i++ mutation inside JSX map | 📊 Baseline |
| 11 | RCOMP-STYLE-001 | 🟢 Minor | App.css contains only unused CRA boilerplate styles | 📊 Baseline |
| 12 | RCOMP-STYLE-002 | 🟢 Minor | Float-based bubble alignment inside MUI flexbox Stack | 📊 Baseline |
| 13 | RCOMP-INFO-001 | ℹ️ Info | MUI v5 used consistently — no competing UI libraries present | 📊 Baseline |
| 14 | RCOMP-INFO-002 | ℹ️ Info | Component decomposition is appropriate for the project scale | 📊 Baseline |

---

### 27. React UX Observability Steward

📄 [Full Review](../Stewards%20Reviews%20-%20React%20UX%20Observability%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/React%20UX%20Observability%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | UOTL-ERROR-001 | 🔴 Critical | No React Error Boundaries — one render crash takes down the entire app | 📊 Baseline |
| 2 | UOTL-ERROR-002 | 🔴 Critical | No global unhandledrejection handler — API call failures are silently dropped | 📊 Baseline |
| 3 | UOTL-ERROR-003 | 🔴 Critical | No window.onerror handler — runtime JS errors outside React cycle are invisible | 📊 Baseline |
| 4 | UOTL-APPINS-001 | 🟡 Notable | No Application Insights SDK — no frontend exceptions, page views, or traces in Azure Monitor | 📊 Baseline |
| 5 | UOTL-PERF-001 | 🟡 Notable | reportWebVitals called with no callback — Core Web Vitals are collected and silently discarded | 📊 Baseline |
| 6 | UOTL-ERROR-004 | 🟡 Notable | fetch() calls have no .catch() — API errors produce no user feedback and no error capture | 📊 Baseline |
| 7 | UOTL-LOG-001 | 🟢 Minor | console.log(res) in production code path — full API response exposed in browser console | 📊 Baseline |
| 8 | UOTL-LOG-002 | 🟢 Minor | No structured logging abstraction — raw console calls used directly in components | 📊 Baseline |
| 9 | UOTL-PERF-002 | ℹ️ Info | web-vitals infrastructure is in place — only the reporting callback is missing | 📊 Baseline |
| 10 | UOTL-ARCH-001 | ℹ️ Info | Single-route SPA — error boundary placement strategy is straightforward | 📊 Baseline |

---

### 28. React UX Steward

📄 [Full Review](../Stewards%20Reviews%20-%20React%20UX%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/React%20UX%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | RUX-LOAD-001 | 🔴 Critical | No loading/pending state during AI response fetch | 📊 Baseline |
| 2 | RUX-LOAD-002 | 🔴 Critical | Chat input and Submit button not disabled while response is in-flight | 📊 Baseline |
| 3 | RUX-ERROR-001 | 🔴 Critical | Silent failure on chat API error — user receives no feedback | 📊 Baseline |
| 4 | RUX-A11Y-001 | 🔴 Critical | Chat messages have no aria-live region — screen readers not notified | 📊 Baseline |
| 5 | RUX-LOAD-003 | 🟡 Notable | No loading state during session initialisation | 📊 Baseline |
| 6 | RUX-ERROR-002 | 🟡 Notable | Silent failure on session fetch error | 📊 Baseline |
| 7 | RUX-ERROR-003 | 🟡 Notable | No retry mechanism for failed API calls | 📊 Baseline |
| 8 | RUX-FORM-001 | 🟡 Notable | Submit allowed with empty input — no validation guard | 📊 Baseline |
| 9 | RUX-A11Y-002 | 🟡 Notable | Header image missing alt attribute | 📊 Baseline |
| 10 | RUX-CHAT-001 | 🟡 Notable | No typing/generating indicator while AI is responding | 📊 Baseline |
| 11 | RUX-CHAT-002 | 🟡 Notable | No auto-scroll to latest message on new response | 📊 Baseline |
| 12 | RUX-A11Y-003 | 🟢 Minor | Page title is 'React App' — not meaningful | 📊 Baseline |
| 13 | RUX-A11Y-004 | 🟢 Minor | Non-functional 'Start free' and 'Pay as you go' buttons | 📊 Baseline |
| 14 | RUX-CHAT-003 | 🟢 Minor | No message timestamps or sender labels on chat bubbles | 📊 Baseline |
| 15 | RUX-CHAT-004 | 🟢 Minor | AI responses not streamed — full response displayed at once | 📊 Baseline |
| 16 | RUX-CHAT-005 | 🟢 Minor | Unstable and mutated key prop in message list map | 📊 Baseline |
| 17 | RUX-RESP-001 | 🟢 Minor | Fixed pixel row heights in CSS grid layout break on mobile | 📊 Baseline |
| 18 | RUX-INFO-001 | ℹ️ Info | console.log left in production chat response path | 📊 Baseline |
| 19 | RUX-INFO-002 | ℹ️ Info | First-run experience has a greeting and pre-filled example prompt | 📊 Baseline |

---

### 29. Security Steward

📄 [Full Review](../Stewards%20Reviews%20-%20Security%20Steward%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions/Security%20Review%20-%20Azure-AI-RAG-CSharp-Semantic-Kernel-Functions.md)

| # | ID | Severity | Title | Status |
|---|---|---|---|---|
| 1 | SEC-AUTH-001 | 🔴 Critical | No authentication configured on API | 📊 Baseline |
| 2 | SEC-AUTH-002 | 🔴 Critical | All API endpoints publicly accessible without authorization | 📊 Baseline |
| 3 | SEC-INJECT-001 | 🔴 Critical | Prompt injection: raw user input passed to AI model without sanitization | 📊 Baseline |
| 4 | SEC-FRONTEND-001 | 🔴 Critical | Unsanitized AI HTML output rendered in browser via html-react-parser | 📊 Baseline |
| 5 | SEC-INFRA-003 | 🔴 Critical | CosmosDB key-based authentication not disabled | 📊 Baseline |
| 6 | SEC-AUTH-003 | 🟡 Notable | No session ownership validation — any caller can access any session | 📊 Baseline |
| 7 | SEC-CORS-001 | 🟡 Notable | CORS policy allows all origins, all methods, all headers | 📊 Baseline |
| 8 | SEC-HEADER-001 | 🟡 Notable | Swagger UI unconditionally enabled in all environments including production | 📊 Baseline |
| 9 | SEC-HEADER-002 | 🟡 Notable | Missing security headers: X-Content-Type-Options, X-Frame-Options, Content-Security-Policy | 📊 Baseline |
| 10 | SEC-INFRA-001 | 🟡 Notable | Storage account has public network access enabled and shared key access allowed | 📊 Baseline |
| 11 | SEC-INFRA-004 | 🟡 Notable | Key Vault not deployed; CosmosDB connection string set to empty in App Service config | 📊 Baseline |
| 12 | SEC-DEP-001 | 🟡 Notable | Unpinned Python dependencies and pre-release NuGet packages in production | 📊 Baseline |
| 13 | SEC-SECRET-001 | 🟡 Notable | Python function writes live bearer token to os.environ | 📊 Baseline |
| 14 | SEC-INFRA-002 | 🟢 Minor | Overly permissive storage role assignments — three overlapping roles granted | 📊 Baseline |
| 15 | SEC-INFRA-005 | 🟢 Minor | Blob containers load, completed, and images lack explicit publicAccess: None | 📊 Baseline |
| 16 | SEC-FRONTEND-002 | 🟢 Minor | API response logged to browser console in production | 📊 Baseline |
| 17 | SEC-INFO-001 | ℹ️ Info | Managed Identity used consistently across all services | 📊 Baseline |
| 18 | SEC-INFO-002 | ℹ️ Info | CosmosDB queries use parameterized QueryDefinition — NoSQL injection mitigated | 📊 Baseline |

---

## Severity Trend Chart

```mermaid
xychart-beta
  title "Severity Trend (All Stewards)"
  x-axis ["2026-03-22"]
  y-axis "Count" 0 --> 200
  line [69] "Critical"
  line [148] "Notable"
  line [91] "Minor"
```

---

## Total Findings by Steward Over Time

```mermaid
xychart-beta
  title "Total Findings by Steward Over Time"
  x-axis ["2026-03-22"]
  y-axis "Findings" 0 --> 25
  line [15] "NET Best Practices"
  line [12] "API Config"
  line [14] "API Observability"
  line [11] "API Resilience"
  line [13] "API Telemetry"
  line [19] "Bicep Module"
  line [10] "Bicep Testing"
  line [7] "C# Unit Test"
  line [11] "CosmosDB"
  line [12] "Infra Deployment"
  line [15] "Infra Networking"
  line [19] "Infra Security"
  line [11] "Interface Design"
  line [16] "Python Best Practices"
  line [10] "Python Config"
  line [11] "Python Observability"
  line [11] "Python Resilience"
  line [10] "Python Test"
  line [16] "REST API"
  line [13] "React API Client"
  line [8] "React Auth"
  line [9] "React Config"
  line [7] "React DI"
  line [11] "React SP Practices"
  line [8] "React Telemetry"
  line [14] "React UX Components"
  line [10] "React UX Observability"
  line [18] "React UX"
  line [17] "Security"
```

---

## Health Score

**Formula:** `100 - (critical × 5 + notable × 2 + minor × 0.5)` capped at 0–100

| Run Date | Critical | Notable | Minor | Score |
|---|---|---|---|---|
| 2026-03-22 | 69 | 148 | 91 | **0** (floor) |

**Calculation:** 100 - (69 × 5 + 148 × 2 + 91 × 0.5) = 100 - (345 + 296 + 45.5) = 100 - 686.5 = **0** (capped)

The score of 0 reflects a first-run baseline with significant findings across all 29 stewards. This is the starting point — every finding resolved in future runs will directly improve the score.

**Score trend (single data point):** 0 → _future runs will show improvement_

---

## Footer

This tracking report is based on finding ID matching across `findings.json` manifests produced by static analysis stewards. Finding IDs are stable across runs — the same logical finding always carries the same ID. Classifications (New, Fixed, Changed, Unchanged) are computed by comparing the current run's manifests against the previous run's archived manifests in `Stewards Reviews - Tracker/history/`.

This is the **first run** — all 363 findings are classified as **Baseline**. No previous run data exists to diff against. Future runs will produce New / Fixed / Changed / Unchanged classifications as the codebase evolves.

**Archive location:** `Stewards Reviews - Tracker/history/2026-03-22/`
**Trend data:** `Stewards Reviews - Tracker/trend-data.json`
