Ran the investigate→debate→judge pipeline over 4 parked ROADMAP items.
DROP:
- Design "structural" tier (palette consolidation): the rust-embedded admin
SPA can't @import a shared file, so consolidation is a verbatim re-copy that
doesn't remove the duplication it targets; the drift it guards is hypothetical.
- Design "token gaps" tier: manual churn across untested public surfaces, and
the audit was partly mis-specified (#d4b985/#a6b7cf are token values, not
hardcoded literals).
DO (low blast radius):
- Reframe the manual "Zaprite sandbox pass" for multi-profile webhook routing
into an automated regression test — routing is a deterministic provider-id
PK lookup with an anti-forgery backstop, but the path-keyed route has zero
automated coverage on the money path.
ESCALATE:
- Zaprite contact dedup cache → lean DROP: cosmetic, unverified harm (Zaprite
dedup-on-email is undocumented); fix is HIGH blast radius on the money path.
Gated on one cheap sandbox check.
- Design "blocker" tier (3 gold-fill / pill-radius one-liners) → lean DO,
pending an owner glance since they alter public/admin visuals.
Replaces the "harden Zaprite failure-body shapes" item (already satisfied for
non-2xx) with a bug the investigation surfaced: try_auto_charge_zaprite returns
Ok(true) on any 2xx, so a 200 carrying a FAILED/DECLINED/EXPIRED status
silently lapses the subscription. Elevated above the other parked payments
items; safe fail-safe fix needs no prod data.
Record the cross-repo documentation fixes, registry-landing removal, and the
Start9 submission blockers. A plain GET to registry.keysat.xyz 404s by design
(StartOS registry protocol only), not an outage.
Current state: the onboarding doc-harness and its Stage 1 completed-clean
result. ROADMAP: spell out Stage 2 (regtest buyer-pays) under the
agent-payment-connect item. Drop the resolved GET /v1/admin/products 405
debt item.
Agent-onboarding doc for the workspace: stack, build/test/run commands,
directory layout, conventions, and always/never gotchas, plus a Current
state section. CLAUDE.md symlinks to AGENTS.md so Claude Code auto-loads
it. Longer-term backlog lives in ROADMAP.md.
Keysat