# DONE — 2026-05-15_REVIEW_PTF-317_MAIL_TEMPLATE_QWEB_RULE
# SG via verity-dispatcher auto-relay | AT 2026-05-15T22:36:03.286Z
# TRUTH MATTERS® · Verity One Ltd. | OTC: USDW
Agent: SG
Task: PTF-317 architecture review
State: complete
Finding: PTF-317 correctly identifies a critical rendering vulnerability in Odoo 17+ `mail.template.body_html` and proposes necessary preventative and detective controls. However, the current draft lacks sufficient precision and scope definition in several key areas, which, if unaddressed, will lead to incomplete coverage and potential recurrence of the APAR-330 issue. The proposed solutions must be rigorously defined to ensure comprehensive protection against literal Jinja syntax exposure.
Proof: APAR-330 and the `mail.template id=48` leak on `wk_miusa` to customers including Hinge Post demonstrate the critical nature of this vulnerability. The architectural questions below highlight specific gaps in the proposed solution's scope and implementation details that, if not addressed, will leave the system vulnerable.
Blocker:
1.  **Audit Scan Location:** Placing the audit scan in `verity_hl_guard` or `verity_subscription_display` violates the Single Responsibility Principle, introduces unnecessary dependencies, and complicates maintenance. This increases technical debt and could compromise the integrity of existing modules.
2.  **Incomplete Scan Scope:** Limiting the scan to `active=True` templates leaves a critical vulnerability. Archived templates (`active=False`) can be reactivated by any user with UI access, immediately reintroducing the risk of literal Jinja syntax exposure. This is a direct security and data integrity risk.
3.  **Insufficient Inheritance Handling:** Scanning only raw `mail.template` rows is insufficient. Odoo's inheritance mechanism means the *effective* `body_html` is a composite. Violations introduced via partial overrides in inherited templates will be missed, leading to a false sense of security and potential re-occurrence of the APAR-330 issue.
4.  **Limited Environment Coverage:** Restricting the audit to production-only DBs (`wk_miusa`, `wk_veritize`) creates a significant blind spot in development and staging environments (`veritize`, `miusa`). Issues introduced in these environments could propagate to production undetected, negating the purpose of the nightly scan and pre-flight checks. This is a direct risk to the integrity of the deployment pipeline.
5.  **Render Engine Ambiguity:** Failure to explicitly lock the `render_engine` field to `qweb` for new templates introduces a potential future vector for similar rendering issues. If other render engines are introduced or their behavior changes, this could lead to new types of template vulnerabilities.
Verdict: APPROVE-WITH-CHANGES
Next Move: SC must update PTF-317 to incorporate the following architectural requirements and clarifications:

1.  **Audit Scan Location:** The audit scan **MUST** reside in a new, dedicated addon named `verity_mail_template_audit`. This adheres to the Single Responsibility Principle and ensures clear separation of concerns.
2.  **Scan Scope:** The audit scan **MUST** include *all* `mail.template` records, regardless of their `active` status (`active=True` or `active=False`). The risk of reactivation necessitates comprehensive coverage.
3.  **Inherited Template Treatment:** The audit scan **MUST** evaluate the *post-inheritance compiled output* of `body_html` for all templates. The scan logic must resolve Odoo's inheritance chain to determine the effective `body_html` that would be rendered to the customer. Scanning raw rows is insufficient.
4.  **Across all Veritize ERP DBs:** The audit scan **MUST** run on *all four* Veritize ERP DBs: `wk_miusa`, `wk_veritize`, `veritize` (a02 dev), and `miusa` (a02 dev). This ensures issues are caught as early as possible in the development lifecycle.
5.  **Migration Runbook Integration:** The pre-flight scan **MUST** be wired into the `verity_upgrade` runbook as an auto-gating mechanism. Any Odoo major upgrade **MUST** be blocked if the pre-flight scan detects any `{{ }}` or `{% %}` syntax in `body_html`.
6.  **Interaction with `mail.render.message`:** PTF-317 **MUST** mandate that the `render_engine` selector for all *new* `mail.template` records be explicitly locked to `qweb`. Existing templates should be audited for non-`qweb` render engines and flagged for review if they contain `{{ }}` or `{% %}` syntax.

Needs From: SC (for PTF-317 update and re-submission for final SG approval).
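A sketch of the detection and gating logic that requirements 2, 5 and 6 describe, as an added example that is not PTF-317's or the `verity_mail_template_audit` addon's own code. The function names, the row layout, the `"jinja"` engine value and the sample rows are assumptions made for illustration. Rows are assumed to be already exported with the effective post-inheritance `body_html`, which may be a plain string or a per-language mapping.

```python
import re

# Literal Jinja delimiters that must not appear in body_html (requirement 5).
JINJA = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)

def _bodies(body_html):
    """Yield (lang, html) pairs; accepts a plain string or a per-language mapping."""
    if isinstance(body_html, dict):
        yield from ((lang, html or "") for lang, html in body_html.items())
    else:
        yield (None, body_html or "")

def scan_templates(rows):
    """Return one finding per template/language holding Jinja syntax.

    Archived rows are scanned too (requirement 2): `active` is reported,
    never used as a filter.
    """
    findings = []
    for row in rows:
        for lang, html in _bodies(row.get("body_html")):
            hits = [m.group(0) for m in JINJA.finditer(html)]
            if hits:
                findings.append({
                    "db": row["db"], "id": row["id"], "lang": lang,
                    "active": row["active"],
                    # Requirement 6: flag non-qweb engines that carry Jinja syntax.
                    "non_qweb": row.get("render_engine") != "qweb",
                    "hits": hits,
                })
    return findings

def upgrade_allowed(findings):
    """Pre-flight gate: any finding blocks the upgrade."""
    return not findings

# Constructed sample rows (hypothetical), not data from any real database.
SAMPLE_ROWS = [
    {"db": "wk_miusa", "id": 1, "active": True, "render_engine": "qweb",
     "body_html": '<p>Hello <t t-out="object.partner_id.name"/></p>'},
    {"db": "wk_miusa", "id": 2, "active": False, "render_engine": "qweb",
     "body_html": "<p>Hello {{ object.partner_id.name }}</p>"},
    {"db": "veritize", "id": 3, "active": True, "render_engine": "jinja",
     "body_html": {"en_US": "<p>OK</p>",
                   "fr_FR": "{% if object.name %}<p>Bonjour</p>{% endif %}"}},
]

if __name__ == "__main__":
    for finding in scan_templates(SAMPLE_ROWS):
        print(finding)
```

Resolving the inheritance chain (requirement 3) is outside this sketch; it only checks whatever `body_html` it is handed.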

TRUTH MATTERS® · Made in USA Inc. (OTC: USDW)
