Keysat
601ccea39c
Ran the investigate→debate→judge pipeline over 4 parked ROADMAP items. DROP: - Design "structural" tier (palette consolidation): the rust-embedded admin SPA can't @import a shared file, so consolidation is a verbatim re-copy that doesn't remove the duplication it targets; the drift it guards is hypothetical. - Design "token gaps" tier: manual churn across untested public surfaces, and the audit was partly mis-specified (#d4b985/#a6b7cf are token values, not hardcoded literals). DO (low blast radius): - Reframe the manual "Zaprite sandbox pass" for multi-profile webhook routing into an automated regression test — routing is a deterministic provider-id PK lookup with an anti-forgery backstop, but the path-keyed route has zero automated coverage on the money path. ESCALATE: - Zaprite contact dedup cache → lean DROP: cosmetic, unverified harm (Zaprite dedup-on-email is undocumented); fix is HIGH blast radius on the money path. Gated on one cheap sandbox check. - Design "blocker" tier (3 gold-fill / pill-radius one-liners) → lean DO, pending an owner glance since they alter public/admin visuals. Replaces the "harden Zaprite failure-body shapes" item (already satisfied for non-2xx) with a bug the investigation surfaced: try_auto_charge_zaprite returns Ok(true) on any 2xx, so a 200 carrying a FAILED/DECLINED/EXPIRED status silently lapses the subscription. Elevated above the other parked payments items; safe fail-safe fix needs no prod data.
