Refresh AGENTS Current state for the full-eval session; document the email-based
community-registry submission flow and the start-cli installer in the packaging
guide; add a ROADMAP Security & hardening section so the eval P2s survive
EVALUATION.md overwrites.

Operators selling via Keysat own their buyer-email path through their own app plus the existing webhook delegation, so a Keysat-side SMTP send path is redundant and a branding/double-send liability. The surviving need -- operator visibility into failures where the webhook channel itself is what's broken (dead-lettered endpoint, revoked provider key, expiring license) -- is re-homed onto StartOS notifications/health checks rather than a mailer Keysat ships.

ROADMAP: remove the resolved Design (contract conformance) section — the three
blockers shipped (admin SPA in :59, landing buy button on keysat.xyz) and the
structural + token tiers were dropped during adjudication. Current state: live
is now :59, blockers done; the Zaprite auto-charge silent-lapse bug is the top
remaining payments item.

Owner confirmed the lean-DROP verdict without the sandbox check: the harm is
cosmetic (duplicate rows in the operator's Zaprite contact list) and the fix is
HIGH blast radius on the money path. Recoverable from git history if real
recurring revenue ever makes it worth it.

Ran the investigate→debate→judge pipeline over 4 parked ROADMAP items.
DROP:
- Design "structural" tier (palette consolidation): the rust-embedded admin
SPA can't @import a shared file, so consolidation is a verbatim re-copy that
doesn't remove the duplication it targets; the drift it guards is hypothetical.
- Design "token gaps" tier: manual churn across untested public surfaces, and
the audit was partly mis-specified (#d4b985/#a6b7cf are token values, not
hardcoded literals).
DO (low blast radius):
- Reframe the manual "Zaprite sandbox pass" for multi-profile webhook routing
into an automated regression test — routing is a deterministic provider-id
PK lookup with an anti-forgery backstop, but the path-keyed route has zero
automated coverage on the money path.
ESCALATE:
- Zaprite contact dedup cache → lean DROP: cosmetic, unverified harm (Zaprite
dedup-on-email is undocumented); fix is HIGH blast radius on the money path.
Gated on one cheap sandbox check.
- Design "blocker" tier (3 gold-fill / pill-radius one-liners) → lean DO,
pending an owner glance since they alter public/admin visuals.

Replaces the "harden Zaprite failure-body shapes" item (already satisfied for
non-2xx) with a bug the investigation surfaced: try_auto_charge_zaprite returns
Ok(true) on any 2xx, so a 200 carrying a FAILED/DECLINED/EXPIRED status
silently lapses the subscription. Elevated above the other parked payments
items; safe fail-safe fix needs no prod data.
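
The fail-open behaviour described in the commit message above, next to a fail-closed version, as an added example that is not Keysat's code. The function names, the error enum and the `PAID` success value are assumptions; only FAILED, DECLINED and EXPIRED come from the message.

```rust
// Added example: models the 2xx handling described above. Not the project's code.
#[derive(Debug, PartialEq)]
pub enum ChargeError {
    Http(u16),             // non-2xx response
    MissingStatus,         // 2xx body without a status
    UnknownStatus(String), // 2xx body with a status we do not recognise
}

// Assumption: "PAID" is a placeholder for the provider's real success value.
const SUCCESS_STATUSES: &[&str] = &["PAID"];
// These three values are the ones named in the commit message.
const FAILURE_STATUSES: &[&str] = &["FAILED", "DECLINED", "EXPIRED"];

/// Fail-open shape: any 2xx counts as a successful charge.
pub fn charged_fail_open(http: u16, _status: Option<&str>) -> Result<bool, ChargeError> {
    if (200..300).contains(&http) { Ok(true) } else { Err(ChargeError::Http(http)) }
}

/// Fail-closed shape: Ok(true) only for an explicitly allow-listed status.
pub fn charged_fail_closed(http: u16, status: Option<&str>) -> Result<bool, ChargeError> {
    if !(200..300).contains(&http) {
        return Err(ChargeError::Http(http));
    }
    let status = status.ok_or(ChargeError::MissingStatus)?.trim().to_ascii_uppercase();
    if SUCCESS_STATUSES.contains(&status.as_str()) {
        Ok(true)
    } else if FAILURE_STATUSES.contains(&status.as_str()) {
        Ok(false) // charge did not go through: surface it, do not renew
    } else {
        Err(ChargeError::UnknownStatus(status)) // never guess on the money path
    }
}

fn main() {
    // Constructed (HTTP status, body status) pairs, not captured provider traffic.
    let cases = [(200, Some("PAID")), (200, Some("DECLINED")), (200, None), (500, None)];
    for (http, status) in cases {
        println!("{http} {status:?}: open={:?} closed={:?}",
            charged_fail_open(http, status), charged_fail_closed(http, status));
    }
}
```
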

Record the cross-repo documentation fixes, registry-landing removal, and the
Start9 submission blockers. A plain GET to registry.keysat.xyz 404s by design
(StartOS registry protocol only), not an outage.

Current state: the onboarding doc-harness and its Stage 1 completed-clean
result. ROADMAP: spell out Stage 2 (regtest buyer-pays) under the
agent-payment-connect item. Drop the resolved GET /v1/admin/products 405
debt item.

Agent-onboarding doc for the workspace: stack, build/test/run commands,
directory layout, conventions, and always/never gotchas, plus a Current
state section. CLAUDE.md symlinks to AGENTS.md so Claude Code auto-loads
it. Longer-term backlog lives in ROADMAP.md.