The palette-consolidation task was dropped during the 2026-06-18 adjudication
because the rust-embedded admin SPA can't @import at runtime, so consolidation
there is a verbatim re-copy that removes no duplication. Update the §9 debt note
accordingly and drop the now-stale ROADMAP pointer.
ROADMAP: remove the resolved Design (contract conformance) section — the three
blockers shipped (admin SPA in :59, landing buy button on keysat.xyz) and the
structural + token tiers were dropped during adjudication. Current state: live
is now :59, blockers done; the Zaprite auto-charge silent-lapse bug is the top
remaining payments item.
Owner confirmed the lean-DROP verdict without the sandbox check: the harm is
cosmetic (duplicate rows in the operator's Zaprite contact list) and the fix is
HIGH blast radius on the money path. Recoverable from git history if real
recurring revenue ever makes it worth it.
Ran the investigate→debate→judge pipeline over 4 parked ROADMAP items.
DROP:
- Design "structural" tier (palette consolidation): the rust-embedded admin
  SPA can't @import a shared file, so consolidation is a verbatim re-copy that
  doesn't remove the duplication it targets; the drift it guards is hypothetical.
- Design "token gaps" tier: manual churn across untested public surfaces, and
  the audit was partly mis-specified (#d4b985/#a6b7cf are token values, not
  hardcoded literals).
DO (low blast radius):
- Reframe the manual "Zaprite sandbox pass" for multi-profile webhook routing
  into an automated regression test — routing is a deterministic provider-id
  PK lookup with an anti-forgery backstop, but the path-keyed route has zero
  automated coverage on the money path.
ESCALATE:
- Zaprite contact dedup cache → lean DROP: cosmetic, unverified harm (Zaprite
  dedup-on-email is undocumented); fix is HIGH blast radius on the money path.
  Gated on one cheap sandbox check.
- Design "blocker" tier (3 gold-fill / pill-radius one-liners) → lean DO,
  pending an owner glance since they alter public/admin visuals.
Replaces the "harden Zaprite failure-body shapes" item (already satisfied for
non-2xx) with a bug the investigation surfaced: try_auto_charge_zaprite returns
Ok(true) on any 2xx, so a 200 carrying a FAILED/DECLINED/EXPIRED status
silently lapses the subscription. Elevated above the other parked payments
items; safe fail-safe fix needs no prod data.
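
The bug class named in the commit message above, sketched as an added example (not code from the commit or from the project): a check that trusts any 2xx beside a fail-safe check that also reads the status in the body. The `ChargeResponse` shape, the function names, the `PAID` success value and the meaning of `Ok(false)` are assumptions; FAILED/DECLINED/EXPIRED come from the message.

```rust
// Added illustration; the response shape and "PAID" are assumed, not Zaprite's API.
/// Hypothetical stand-in for a provider response after the body has been parsed.
pub struct ChargeResponse<'a> {
    pub http_status: u16,
    pub body_status: Option<&'a str>, // status field from the body, if any
}

#[derive(Debug, PartialEq)]
pub enum ChargeError {
    Http(u16),                     // transport-level failure (non-2xx)
    UnknownStatus(Option<String>), // 2xx, but status missing or unrecognised
}

/// Behaviour described in the message: any 2xx is reported as charged.
pub fn charged_any_2xx(r: &ChargeResponse<'_>) -> Result<bool, ChargeError> {
    if (200..300).contains(&r.http_status) {
        Ok(true)
    } else {
        Err(ChargeError::Http(r.http_status))
    }
}

/// Fail-safe form: only an explicit success status counts as charged.
/// Ok(false) = definitely not charged; anything unexpected is an error.
pub fn charged_fail_safe(r: &ChargeResponse<'_>) -> Result<bool, ChargeError> {
    if !(200..300).contains(&r.http_status) {
        return Err(ChargeError::Http(r.http_status));
    }
    match r.body_status.map(|s| s.trim().to_ascii_uppercase()).as_deref() {
        Some("PAID") => Ok(true), // assumed success value
        Some("FAILED") | Some("DECLINED") | Some("EXPIRED") => Ok(false),
        other => Err(ChargeError::UnknownStatus(other.map(str::to_owned))),
    }
}

fn main() {
    // Constructed sample responses, not captured traffic.
    let samples = [(200, Some("PAID")), (200, Some("DECLINED")), (200, None), (502, None)];
    for (http_status, body_status) in samples {
        let r = ChargeResponse { http_status, body_status };
        println!("{} {:?}: any-2xx={:?} fail-safe={:?}",
                 http_status, body_status, charged_any_2xx(&r), charged_fail_safe(&r));
    }
}
```
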
Record the cross-repo documentation fixes, registry-landing removal, and the
Start9 submission blockers. A plain GET to registry.keysat.xyz 404s by design
(StartOS registry protocol only), not an outage.
Trim Current state to the combined onboarding run (validated) and the live docs/
landing additions: agent.html buyer-pays money path, landing example-prompt card,
and the two-path Install section (Start9 vs run-from-source). Drop the done
"combined run" from Next and the redundant publish.sh/deploy-sites note (it lives
in docs/guides/startos-packaging.md).
The gate-a-paid-product + buyer-pays journey now validated as one run (was
separate). Record the agent.html money-path + landing example-prompt additions
and the publish.sh-vs-deploy-sites.sh distinction; drop the done "combined run"
from Next.
Current state rewritten to :58-shipped (both onboarding stages completed-clean,
validated separately); payments guide gains the scoped (agent) BTCPay connect
sandbox-gate section (two-gate fail-closed design, migration 0025, GET-callback
status gotcha, regtest validation facts); guide index flags it for the connect
gate + migrations 0024-0025.
Recommend the no-arg deploy-sites.sh (landing + docs + registry-landing) over a
single-site deploy, so every public page stays at its repo's latest and nothing
drifts even when only one site changed.
Current state: the onboarding doc-harness and its Stage 1 completed-clean
result. ROADMAP: spell out Stage 2 (regtest buyer-pays) under the
agent-payment-connect item. Drop the resolved GET /v1/admin/products 405
debt item.
Document the now-functional product→profile write path in the payments
guide (set_product_merchant_profile, post-write pattern, picker gating,
double-Option clear). Mark the multi-profile GAP closed, drop the done
work-queue item, and note the discovered set_product_entitlements_catalog
rows_affected gap.
Registry now publishes :55 (universal multi-arch, verified). Public docs
scrubbed of refund copy (Keysat has no refund feature). All 4 StartOS
submission blockers resolved and shipped.
Corrections surfaced by doc-auditor + start9-spec-checker:
- testing.md: api suite 47 -> 54
- payments.md: FK enforcement confirmed at db/mod.rs:29
- startos-packaging.md: publish.sh now ships a universal s9pk
- licensing-tiers.md: record enforce-mode retirement and Creator caps
Refresh Current state for the StartOS submission-blocker work.
Update Current state for the two P1 fixes done this session (source-only,
awaiting :55). Document the advisory settle-amount tripwire in payments.md. Add
Open TODOs: split audit:read into its own scope tier, and build the admin API-keys
management panel (both deferred to later sessions).
Rewrite the Current state section after the merchant-profile bug-fix session and
record that the daemon repo's main tracks GitHub (origin) with a gitea backup,
while root + plans are Gitea-only — check remotes before pushing.
Trim AGENTS.md to whole-repo, every-session facts (154 -> 110 lines) and move
subsystem guidance into docs/guides/*.md, each with paths: frontmatter and a
one-line index entry in AGENTS.md. Symlink each guide from .claude/rules/ so
Claude Code lazy-loads it by matching path; track those symlinks via a
.gitignore exception (.claude/settings.local.json stays ignored).
Agent-onboarding doc for the workspace: stack, build/test/run commands,
directory layout, conventions, and always/never gotchas, plus a Current
state section. CLAUDE.md symlinks to AGENTS.md so Claude Code auto-loads
it. Longer-term backlog lives in ROADMAP.md.
Glue files not covered by subproject repos: top-level docs, logo,
keysat-design-system, and crosscheck tests. Subproject folders are
gitignored (each has its own Gitea remote).