Move deferred evaluation backlog into ROADMAP

ROADMAP.md

@@ -9,6 +9,17 @@ Longer-term backlog and deferred decisions. Near-term status lives in `AGENTS.md
 - Per-category drill ideas on demand.
 - Config via env-var names (endpoint URL, model); no keys in the repo.
 
+## Evaluation backlog
+
+A full independent evaluation lives in `EVALUATION.md` (committed; re-runnable via `/full-eval`). Deferred items, by priority:
+
+- **P2 — dependency**: upgrade `@fastify/static` 8.3.0 → ≥9.1.3 (known path-traversal advisories; no concrete exploit path here) and re-test static serving.
+- **P2 — input validation**: reject unknown metric `kind` (not `count|duration|score|decimal`); validate calendar-date semantics (the `\d{4}-\d{2}-\d{2}` regex accepts `2026-13-99`); return 400 instead of a raw `SQLITE_CONSTRAINT_FOREIGNKEY` 500 on a bad `metric_id`.
+- **P2 — tests**: no automated suite yet; cover record-recompute direction, streak math, and migration idempotency against a temp DB.
+- **P3**: CSRF token beyond `SameSite=Lax`; cross-category metric guard on entry write; logout without a session; consistent 404s on delete; validate category `color`.
+
+Registry-submission blockers (private repo URLs, empty `assets/`, no CI) are intentionally **not** being worked — publishing to the community registry is not a goal.
+
 ## Product backlog
 
 - **"Log another"**: allow multiple sessions of the same category in one day (the category pill currently edits the existing entry instead of creating a second).