@howlil/ez-agents 2.0.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (106) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +93 -93
  3. package/agents/ez-plan-checker.md +2 -2
  4. package/agents/ez-research-synthesizer.md +1 -1
  5. package/agents/ez-ui-researcher.md +1 -1
  6. package/agents/ez-verifier.md +1 -1
  7. package/bin/install.js +132 -132
  8. package/get-shit-done/bin/lib/assistant-adapter.cjs +205 -205
  9. package/get-shit-done/bin/lib/audit-exec.cjs +150 -150
  10. package/get-shit-done/bin/lib/auth.cjs +175 -175
  11. package/get-shit-done/bin/lib/circuit-breaker.cjs +118 -118
  12. package/get-shit-done/bin/lib/commands.cjs +666 -666
  13. package/get-shit-done/bin/lib/config.cjs +183 -183
  14. package/get-shit-done/bin/lib/core.cjs +495 -495
  15. package/get-shit-done/bin/lib/file-lock.cjs +236 -236
  16. package/get-shit-done/bin/lib/frontmatter.cjs +299 -299
  17. package/get-shit-done/bin/lib/fs-utils.cjs +153 -153
  18. package/get-shit-done/bin/lib/git-utils.cjs +203 -203
  19. package/get-shit-done/bin/lib/health-check.cjs +163 -163
  20. package/get-shit-done/bin/lib/index.cjs +113 -113
  21. package/get-shit-done/bin/lib/init.cjs +710 -710
  22. package/get-shit-done/bin/lib/logger.cjs +117 -117
  23. package/get-shit-done/bin/lib/milestone.cjs +241 -241
  24. package/get-shit-done/bin/lib/model-provider.cjs +146 -146
  25. package/get-shit-done/bin/lib/phase.cjs +908 -908
  26. package/get-shit-done/bin/lib/retry.cjs +119 -119
  27. package/get-shit-done/bin/lib/roadmap.cjs +305 -305
  28. package/get-shit-done/bin/lib/safe-exec.cjs +128 -128
  29. package/get-shit-done/bin/lib/safe-path.cjs +130 -130
  30. package/get-shit-done/bin/lib/state.cjs +721 -721
  31. package/get-shit-done/bin/lib/temp-file.cjs +239 -239
  32. package/get-shit-done/bin/lib/template.cjs +222 -222
  33. package/get-shit-done/bin/lib/test-file-lock.cjs +112 -112
  34. package/get-shit-done/bin/lib/test-graceful.cjs +93 -93
  35. package/get-shit-done/bin/lib/test-logger.cjs +60 -60
  36. package/get-shit-done/bin/lib/test-safe-exec.cjs +38 -38
  37. package/get-shit-done/bin/lib/test-safe-path.cjs +33 -33
  38. package/get-shit-done/bin/lib/test-temp-file.cjs +125 -125
  39. package/get-shit-done/bin/lib/timeout-exec.cjs +62 -62
  40. package/get-shit-done/bin/lib/verify.cjs +820 -820
  41. package/get-shit-done/references/checkpoints.md +776 -776
  42. package/get-shit-done/references/questioning.md +162 -162
  43. package/get-shit-done/references/tdd.md +263 -263
  44. package/get-shit-done/templates/codebase/concerns.md +310 -310
  45. package/get-shit-done/templates/codebase/conventions.md +307 -307
  46. package/get-shit-done/templates/codebase/integrations.md +280 -280
  47. package/get-shit-done/templates/codebase/stack.md +186 -186
  48. package/get-shit-done/templates/codebase/testing.md +480 -480
  49. package/get-shit-done/templates/config.json +37 -37
  50. package/get-shit-done/templates/continue-here.md +78 -78
  51. package/get-shit-done/templates/milestone-archive.md +123 -123
  52. package/get-shit-done/templates/milestone.md +115 -115
  53. package/get-shit-done/templates/requirements.md +231 -231
  54. package/get-shit-done/templates/research-project/ARCHITECTURE.md +204 -204
  55. package/get-shit-done/templates/research-project/FEATURES.md +147 -147
  56. package/get-shit-done/templates/research-project/PITFALLS.md +200 -200
  57. package/get-shit-done/templates/research-project/STACK.md +120 -120
  58. package/get-shit-done/templates/research-project/SUMMARY.md +170 -170
  59. package/get-shit-done/templates/retrospective.md +54 -54
  60. package/get-shit-done/templates/roadmap.md +202 -202
  61. package/get-shit-done/templates/summary-minimal.md +41 -41
  62. package/get-shit-done/templates/summary-standard.md +48 -48
  63. package/get-shit-done/templates/summary.md +248 -248
  64. package/get-shit-done/templates/user-setup.md +311 -311
  65. package/get-shit-done/templates/verification-report.md +322 -322
  66. package/get-shit-done/workflows/add-phase.md +112 -112
  67. package/get-shit-done/workflows/add-tests.md +351 -351
  68. package/get-shit-done/workflows/add-todo.md +158 -158
  69. package/get-shit-done/workflows/audit-milestone.md +332 -332
  70. package/get-shit-done/workflows/autonomous.md +743 -743
  71. package/get-shit-done/workflows/check-todos.md +177 -177
  72. package/get-shit-done/workflows/cleanup.md +152 -152
  73. package/get-shit-done/workflows/complete-milestone.md +766 -766
  74. package/get-shit-done/workflows/diagnose-issues.md +219 -219
  75. package/get-shit-done/workflows/discovery-phase.md +289 -289
  76. package/get-shit-done/workflows/discuss-phase.md +762 -762
  77. package/get-shit-done/workflows/execute-phase.md +468 -468
  78. package/get-shit-done/workflows/execute-plan.md +483 -483
  79. package/get-shit-done/workflows/health.md +159 -159
  80. package/get-shit-done/workflows/help.md +492 -492
  81. package/get-shit-done/workflows/insert-phase.md +130 -130
  82. package/get-shit-done/workflows/list-phase-assumptions.md +178 -178
  83. package/get-shit-done/workflows/map-codebase.md +316 -316
  84. package/get-shit-done/workflows/new-milestone.md +384 -384
  85. package/get-shit-done/workflows/new-project.md +1111 -1111
  86. package/get-shit-done/workflows/node-repair.md +92 -92
  87. package/get-shit-done/workflows/pause-work.md +122 -122
  88. package/get-shit-done/workflows/plan-milestone-gaps.md +274 -274
  89. package/get-shit-done/workflows/plan-phase.md +651 -651
  90. package/get-shit-done/workflows/progress.md +382 -382
  91. package/get-shit-done/workflows/quick.md +610 -610
  92. package/get-shit-done/workflows/remove-phase.md +155 -155
  93. package/get-shit-done/workflows/research-phase.md +74 -74
  94. package/get-shit-done/workflows/resume-project.md +307 -307
  95. package/get-shit-done/workflows/set-profile.md +81 -81
  96. package/get-shit-done/workflows/settings.md +242 -242
  97. package/get-shit-done/workflows/stats.md +57 -57
  98. package/get-shit-done/workflows/transition.md +544 -544
  99. package/get-shit-done/workflows/ui-phase.md +290 -290
  100. package/get-shit-done/workflows/ui-review.md +157 -157
  101. package/get-shit-done/workflows/update.md +320 -320
  102. package/get-shit-done/workflows/validate-phase.md +167 -167
  103. package/get-shit-done/workflows/verify-phase.md +243 -243
  104. package/package.json +1 -1
  105. package/scripts/build-hooks.js +43 -43
  106. package/scripts/run-tests.cjs +29 -29
@@ -1,310 +1,310 @@
1
- # Codebase Concerns Template
2
-
3
- Template for `.planning/codebase/CONCERNS.md` - captures known issues and areas requiring care.
4
-
5
- **Purpose:** Surface actionable warnings about the codebase. Focused on "what to watch out for when making changes."
6
-
7
- ---
8
-
9
- ## File Template
10
-
11
- ```markdown
12
- # Codebase Concerns
13
-
14
- **Analysis Date:** [YYYY-MM-DD]
15
-
16
- ## Tech Debt
17
-
18
- **[Area/Component]:**
19
- - Issue: [What's the shortcut/workaround]
20
- - Why: [Why it was done this way]
21
- - Impact: [What breaks or degrades because of it]
22
- - Fix approach: [How to properly address it]
23
-
24
- **[Area/Component]:**
25
- - Issue: [What's the shortcut/workaround]
26
- - Why: [Why it was done this way]
27
- - Impact: [What breaks or degrades because of it]
28
- - Fix approach: [How to properly address it]
29
-
30
- ## Known Bugs
31
-
32
- **[Bug description]:**
33
- - Symptoms: [What happens]
34
- - Trigger: [How to reproduce]
35
- - Workaround: [Temporary mitigation if any]
36
- - Root cause: [If known]
37
- - Blocked by: [If waiting on something]
38
-
39
- **[Bug description]:**
40
- - Symptoms: [What happens]
41
- - Trigger: [How to reproduce]
42
- - Workaround: [Temporary mitigation if any]
43
- - Root cause: [If known]
44
-
45
- ## Security Considerations
46
-
47
- **[Area requiring security care]:**
48
- - Risk: [What could go wrong]
49
- - Current mitigation: [What's in place now]
50
- - Recommendations: [What should be added]
51
-
52
- **[Area requiring security care]:**
53
- - Risk: [What could go wrong]
54
- - Current mitigation: [What's in place now]
55
- - Recommendations: [What should be added]
56
-
57
- ## Performance Bottlenecks
58
-
59
- **[Slow operation/endpoint]:**
60
- - Problem: [What's slow]
61
- - Measurement: [Actual numbers: "500ms p95", "2s load time"]
62
- - Cause: [Why it's slow]
63
- - Improvement path: [How to speed it up]
64
-
65
- **[Slow operation/endpoint]:**
66
- - Problem: [What's slow]
67
- - Measurement: [Actual numbers]
68
- - Cause: [Why it's slow]
69
- - Improvement path: [How to speed it up]
70
-
71
- ## Fragile Areas
72
-
73
- **[Component/Module]:**
74
- - Why fragile: [What makes it break easily]
75
- - Common failures: [What typically goes wrong]
76
- - Safe modification: [How to change it without breaking]
77
- - Test coverage: [Is it tested? Gaps?]
78
-
79
- **[Component/Module]:**
80
- - Why fragile: [What makes it break easily]
81
- - Common failures: [What typically goes wrong]
82
- - Safe modification: [How to change it without breaking]
83
- - Test coverage: [Is it tested? Gaps?]
84
-
85
- ## Scaling Limits
86
-
87
- **[Resource/System]:**
88
- - Current capacity: [Numbers: "100 req/sec", "10k users"]
89
- - Limit: [Where it breaks]
90
- - Symptoms at limit: [What happens]
91
- - Scaling path: [How to increase capacity]
92
-
93
- ## Dependencies at Risk
94
-
95
- **[Package/Service]:**
96
- - Risk: [e.g., "deprecated", "unmaintained", "breaking changes coming"]
97
- - Impact: [What breaks if it fails]
98
- - Migration plan: [Alternative or upgrade path]
99
-
100
- ## Missing Critical Features
101
-
102
- **[Feature gap]:**
103
- - Problem: [What's missing]
104
- - Current workaround: [How users cope]
105
- - Blocks: [What can't be done without it]
106
- - Implementation complexity: [Rough effort estimate]
107
-
108
- ## Test Coverage Gaps
109
-
110
- **[Untested area]:**
111
- - What's not tested: [Specific functionality]
112
- - Risk: [What could break unnoticed]
113
- - Priority: [High/Medium/Low]
114
- - Difficulty to test: [Why it's not tested yet]
115
-
116
- ---
117
-
118
- *Concerns audit: [date]*
119
- *Update as issues are fixed or new ones discovered*
120
- ```
121
-
122
- <good_examples>
123
- ```markdown
124
- # Codebase Concerns
125
-
126
- **Analysis Date:** 2025-01-20
127
-
128
- ## Tech Debt
129
-
130
- **Database queries in React components:**
131
- - Issue: Direct Supabase queries in 15+ page components instead of server actions
132
- - Files: `app/dashboard/page.tsx`, `app/profile/page.tsx`, `app/courses/[id]/page.tsx`, `app/settings/page.tsx` (and 11 more in `app/`)
133
- - Why: Rapid prototyping during MVP phase
134
- - Impact: Can't implement RLS properly, exposes DB structure to client
135
- - Fix approach: Move all queries to server actions in `app/actions/`, add proper RLS policies
136
-
137
- **Manual webhook signature validation:**
138
- - Issue: Copy-pasted Stripe webhook verification code in 3 different endpoints
139
- - Files: `app/api/webhooks/stripe/route.ts`, `app/api/webhooks/checkout/route.ts`, `app/api/webhooks/subscription/route.ts`
140
- - Why: Each webhook added ad-hoc without abstraction
141
- - Impact: Easy to miss verification in new webhooks (security risk)
142
- - Fix approach: Create shared `lib/stripe/validate-webhook.ts` middleware
143
-
144
- ## Known Bugs
145
-
146
- **Race condition in subscription updates:**
147
- - Symptoms: User shows as "free" tier for 5-10 seconds after successful payment
148
- - Trigger: Fast navigation after Stripe checkout redirect, before webhook processes
149
- - Files: `app/checkout/success/page.tsx` (redirect handler), `app/api/webhooks/stripe/route.ts` (webhook)
150
- - Workaround: Stripe webhook eventually updates status (self-heals)
151
- - Root cause: Webhook processing slower than user navigation, no optimistic UI update
152
- - Fix: Add polling in `app/checkout/success/page.tsx` after redirect
153
-
154
- **Inconsistent session state after logout:**
155
- - Symptoms: User redirected to /dashboard after logout instead of /login
156
- - Trigger: Logout via button in mobile nav (desktop works fine)
157
- - File: `components/MobileNav.tsx` (line ~45, logout handler)
158
- - Workaround: Manual URL navigation to /login works
159
- - Root cause: Mobile nav component not awaiting supabase.auth.signOut()
160
- - Fix: Add await to logout handler in `components/MobileNav.tsx`
161
-
162
- ## Security Considerations
163
-
164
- **Admin role check client-side only:**
165
- - Risk: Admin dashboard pages check isAdmin from Supabase client, no server verification
166
- - Files: `app/admin/page.tsx`, `app/admin/users/page.tsx`, `components/AdminGuard.tsx`
167
- - Current mitigation: None (relying on UI hiding)
168
- - Recommendations: Add middleware to admin routes in `middleware.ts`, verify role server-side
169
-
170
- **Unvalidated file uploads:**
171
- - Risk: Users can upload any file type to avatar bucket (no size/type validation)
172
- - File: `components/AvatarUpload.tsx` (upload handler)
173
- - Current mitigation: Supabase bucket limits to 2MB (configured in dashboard)
174
- - Recommendations: Add file type validation (image/* only) in `lib/storage/validate.ts`
175
-
176
- ## Performance Bottlenecks
177
-
178
- **/api/courses endpoint:**
179
- - Problem: Fetching all courses with nested lessons and authors
180
- - File: `app/api/courses/route.ts`
181
- - Measurement: 1.2s p95 response time with 50+ courses
182
- - Cause: N+1 query pattern (separate query per course for lessons)
183
- - Improvement path: Use Prisma include to eager-load lessons in `lib/db/courses.ts`, add Redis caching
184
-
185
- **Dashboard initial load:**
186
- - Problem: Waterfall of 5 serial API calls on mount
187
- - File: `app/dashboard/page.tsx`
188
- - Measurement: 3.5s until interactive on slow 3G
189
- - Cause: Each component fetches own data independently
190
- - Improvement path: Convert to Server Component with single parallel fetch
191
-
192
- ## Fragile Areas
193
-
194
- **Authentication middleware chain:**
195
- - File: `middleware.ts`
196
- - Why fragile: 4 different middleware functions run in specific order (auth -> role -> subscription -> logging)
197
- - Common failures: Middleware order change breaks everything, hard to debug
198
- - Safe modification: Add tests before changing order, document dependencies in comments
199
- - Test coverage: No integration tests for middleware chain (only unit tests)
200
-
201
- **Stripe webhook event handling:**
202
- - File: `app/api/webhooks/stripe/route.ts`
203
- - Why fragile: Giant switch statement with 12 event types, shared transaction logic
204
- - Common failures: New event type added without handling, partial DB updates on error
205
- - Safe modification: Extract each event handler to `lib/stripe/handlers/*.ts`
206
- - Test coverage: Only 3 of 12 event types have tests
207
-
208
- ## Scaling Limits
209
-
210
- **Supabase Free Tier:**
211
- - Current capacity: 500MB database, 1GB file storage, 2GB bandwidth/month
212
- - Limit: ~5000 users estimated before hitting limits
213
- - Symptoms at limit: 429 rate limit errors, DB writes fail
214
- - Scaling path: Upgrade to Pro ($25/mo) extends to 8GB DB, 100GB storage
215
-
216
- **Server-side render blocking:**
217
- - Current capacity: ~50 concurrent users before slowdown
218
- - Limit: Vercel Hobby plan (10s function timeout, 100GB-hrs/mo)
219
- - Symptoms at limit: 504 gateway timeouts on course pages
220
- - Scaling path: Upgrade to Vercel Pro ($20/mo), add edge caching
221
-
222
- ## Dependencies at Risk
223
-
224
- **react-hot-toast:**
225
- - Risk: Unmaintained (last update 18 months ago), React 19 compatibility unknown
226
- - Impact: Toast notifications break, no graceful degradation
227
- - Migration plan: Switch to sonner (actively maintained, similar API)
228
-
229
- ## Missing Critical Features
230
-
231
- **Payment failure handling:**
232
- - Problem: No retry mechanism or user notification when subscription payment fails
233
- - Current workaround: Users manually re-enter payment info (if they notice)
234
- - Blocks: Can't retain users with expired cards, no dunning process
235
- - Implementation complexity: Medium (Stripe webhooks + email flow + UI)
236
-
237
- **Course progress tracking:**
238
- - Problem: No persistent state for which lessons completed
239
- - Current workaround: Users manually track progress
240
- - Blocks: Can't show completion percentage, can't recommend next lesson
241
- - Implementation complexity: Low (add completed_lessons junction table)
242
-
243
- ## Test Coverage Gaps
244
-
245
- **Payment flow end-to-end:**
246
- - What's not tested: Full Stripe checkout -> webhook -> subscription activation flow
247
- - Risk: Payment processing could break silently (has happened twice)
248
- - Priority: High
249
- - Difficulty to test: Need Stripe test fixtures and webhook simulation setup
250
-
251
- **Error boundary behavior:**
252
- - What's not tested: How app behaves when components throw errors
253
- - Risk: White screen of death for users, no error reporting
254
- - Priority: Medium
255
- - Difficulty to test: Need to intentionally trigger errors in test environment
256
-
257
- ---
258
-
259
- *Concerns audit: 2025-01-20*
260
- *Update as issues are fixed or new ones discovered*
261
- ```
262
- </good_examples>
263
-
264
- <guidelines>
265
- **What belongs in CONCERNS.md:**
266
- - Tech debt with clear impact and fix approach
267
- - Known bugs with reproduction steps
268
- - Security gaps and mitigation recommendations
269
- - Performance bottlenecks with measurements
270
- - Fragile code that breaks easily
271
- - Scaling limits with numbers
272
- - Dependencies that need attention
273
- - Missing features that block workflows
274
- - Test coverage gaps
275
-
276
- **What does NOT belong here:**
277
- - Opinions without evidence ("code is messy")
278
- - Complaints without solutions ("auth sucks")
279
- - Future feature ideas (that's for product planning)
280
- - Normal TODOs (those live in code comments)
281
- - Architectural decisions that are working fine
282
- - Minor code style issues
283
-
284
- **When filling this template:**
285
- - **Always include file paths** - Concerns without locations are not actionable. Use backticks: `src/file.ts`
286
- - Be specific with measurements ("500ms p95" not "slow")
287
- - Include reproduction steps for bugs
288
- - Suggest fix approaches, not just problems
289
- - Focus on actionable items
290
- - Prioritize by risk/impact
291
- - Update as issues get resolved
292
- - Add new concerns as discovered
293
-
294
- **Tone guidelines:**
295
- - Professional, not emotional ("N+1 query pattern" not "terrible queries")
296
- - Solution-oriented ("Fix: add index" not "needs fixing")
297
- - Risk-focused ("Could expose user data" not "security is bad")
298
- - Factual ("3.5s load time" not "really slow")
299
-
300
- **Useful for phase planning when:**
301
- - Deciding what to work on next
302
- - Estimating risk of changes
303
- - Understanding where to be careful
304
- - Prioritizing improvements
305
- - Onboarding new Claude contexts
306
- - Planning refactoring work
307
-
308
- **How this gets populated:**
309
- Explore agents detect these during codebase mapping. Manual additions welcome for human-discovered issues. This is living documentation, not a complaint list.
310
- </guidelines>
1
+ # Codebase Concerns Template
2
+
3
+ Template for `.planning/codebase/CONCERNS.md` - captures known issues and areas requiring care.
4
+
5
+ **Purpose:** Surface actionable warnings about the codebase. Focused on "what to watch out for when making changes."
6
+
7
+ ---
8
+
9
+ ## File Template
10
+
11
+ ```markdown
12
+ # Codebase Concerns
13
+
14
+ **Analysis Date:** [YYYY-MM-DD]
15
+
16
+ ## Tech Debt
17
+
18
+ **[Area/Component]:**
19
+ - Issue: [What's the shortcut/workaround]
20
+ - Why: [Why it was done this way]
21
+ - Impact: [What breaks or degrades because of it]
22
+ - Fix approach: [How to properly address it]
23
+
24
+ **[Area/Component]:**
25
+ - Issue: [What's the shortcut/workaround]
26
+ - Why: [Why it was done this way]
27
+ - Impact: [What breaks or degrades because of it]
28
+ - Fix approach: [How to properly address it]
29
+
30
+ ## Known Bugs
31
+
32
+ **[Bug description]:**
33
+ - Symptoms: [What happens]
34
+ - Trigger: [How to reproduce]
35
+ - Workaround: [Temporary mitigation if any]
36
+ - Root cause: [If known]
37
+ - Blocked by: [If waiting on something]
38
+
39
+ **[Bug description]:**
40
+ - Symptoms: [What happens]
41
+ - Trigger: [How to reproduce]
42
+ - Workaround: [Temporary mitigation if any]
43
+ - Root cause: [If known]
44
+
45
+ ## Security Considerations
46
+
47
+ **[Area requiring security care]:**
48
+ - Risk: [What could go wrong]
49
+ - Current mitigation: [What's in place now]
50
+ - Recommendations: [What should be added]
51
+
52
+ **[Area requiring security care]:**
53
+ - Risk: [What could go wrong]
54
+ - Current mitigation: [What's in place now]
55
+ - Recommendations: [What should be added]
56
+
57
+ ## Performance Bottlenecks
58
+
59
+ **[Slow operation/endpoint]:**
60
+ - Problem: [What's slow]
61
+ - Measurement: [Actual numbers: "500ms p95", "2s load time"]
62
+ - Cause: [Why it's slow]
63
+ - Improvement path: [How to speed it up]
64
+
65
+ **[Slow operation/endpoint]:**
66
+ - Problem: [What's slow]
67
+ - Measurement: [Actual numbers]
68
+ - Cause: [Why it's slow]
69
+ - Improvement path: [How to speed it up]
70
+
71
+ ## Fragile Areas
72
+
73
+ **[Component/Module]:**
74
+ - Why fragile: [What makes it break easily]
75
+ - Common failures: [What typically goes wrong]
76
+ - Safe modification: [How to change it without breaking]
77
+ - Test coverage: [Is it tested? Gaps?]
78
+
79
+ **[Component/Module]:**
80
+ - Why fragile: [What makes it break easily]
81
+ - Common failures: [What typically goes wrong]
82
+ - Safe modification: [How to change it without breaking]
83
+ - Test coverage: [Is it tested? Gaps?]
84
+
85
+ ## Scaling Limits
86
+
87
+ **[Resource/System]:**
88
+ - Current capacity: [Numbers: "100 req/sec", "10k users"]
89
+ - Limit: [Where it breaks]
90
+ - Symptoms at limit: [What happens]
91
+ - Scaling path: [How to increase capacity]
92
+
93
+ ## Dependencies at Risk
94
+
95
+ **[Package/Service]:**
96
+ - Risk: [e.g., "deprecated", "unmaintained", "breaking changes coming"]
97
+ - Impact: [What breaks if it fails]
98
+ - Migration plan: [Alternative or upgrade path]
99
+
100
+ ## Missing Critical Features
101
+
102
+ **[Feature gap]:**
103
+ - Problem: [What's missing]
104
+ - Current workaround: [How users cope]
105
+ - Blocks: [What can't be done without it]
106
+ - Implementation complexity: [Rough effort estimate]
107
+
108
+ ## Test Coverage Gaps
109
+
110
+ **[Untested area]:**
111
+ - What's not tested: [Specific functionality]
112
+ - Risk: [What could break unnoticed]
113
+ - Priority: [High/Medium/Low]
114
+ - Difficulty to test: [Why it's not tested yet]
115
+
116
+ ---
117
+
118
+ *Concerns audit: [date]*
119
+ *Update as issues are fixed or new ones discovered*
120
+ ```
121
+
122
+ <good_examples>
123
+ ```markdown
124
+ # Codebase Concerns
125
+
126
+ **Analysis Date:** 2025-01-20
127
+
128
+ ## Tech Debt
129
+
130
+ **Database queries in React components:**
131
+ - Issue: Direct Supabase queries in 15+ page components instead of server actions
132
+ - Files: `app/dashboard/page.tsx`, `app/profile/page.tsx`, `app/courses/[id]/page.tsx`, `app/settings/page.tsx` (and 11 more in `app/`)
133
+ - Why: Rapid prototyping during MVP phase
134
+ - Impact: Can't implement RLS properly, exposes DB structure to client
135
+ - Fix approach: Move all queries to server actions in `app/actions/`, add proper RLS policies
136
+
137
+ **Manual webhook signature validation:**
138
+ - Issue: Copy-pasted Stripe webhook verification code in 3 different endpoints
139
+ - Files: `app/api/webhooks/stripe/route.ts`, `app/api/webhooks/checkout/route.ts`, `app/api/webhooks/subscription/route.ts`
140
+ - Why: Each webhook added ad-hoc without abstraction
141
+ - Impact: Easy to miss verification in new webhooks (security risk)
142
+ - Fix approach: Create shared `lib/stripe/validate-webhook.ts` middleware
143
+
144
+ ## Known Bugs
145
+
146
+ **Race condition in subscription updates:**
147
+ - Symptoms: User shows as "free" tier for 5-10 seconds after successful payment
148
+ - Trigger: Fast navigation after Stripe checkout redirect, before webhook processes
149
+ - Files: `app/checkout/success/page.tsx` (redirect handler), `app/api/webhooks/stripe/route.ts` (webhook)
150
+ - Workaround: Stripe webhook eventually updates status (self-heals)
151
+ - Root cause: Webhook processing slower than user navigation, no optimistic UI update
152
+ - Fix: Add polling in `app/checkout/success/page.tsx` after redirect
153
+
154
+ **Inconsistent session state after logout:**
155
+ - Symptoms: User redirected to /dashboard after logout instead of /login
156
+ - Trigger: Logout via button in mobile nav (desktop works fine)
157
+ - File: `components/MobileNav.tsx` (line ~45, logout handler)
158
+ - Workaround: Manual URL navigation to /login works
159
+ - Root cause: Mobile nav component not awaiting supabase.auth.signOut()
160
+ - Fix: Add await to logout handler in `components/MobileNav.tsx`
161
+
162
+ ## Security Considerations
163
+
164
+ **Admin role check client-side only:**
165
+ - Risk: Admin dashboard pages check isAdmin from Supabase client, no server verification
166
+ - Files: `app/admin/page.tsx`, `app/admin/users/page.tsx`, `components/AdminGuard.tsx`
167
+ - Current mitigation: None (relying on UI hiding)
168
+ - Recommendations: Add middleware to admin routes in `middleware.ts`, verify role server-side
169
+
170
+ **Unvalidated file uploads:**
171
+ - Risk: Users can upload any file type to avatar bucket (no size/type validation)
172
+ - File: `components/AvatarUpload.tsx` (upload handler)
173
+ - Current mitigation: Supabase bucket limits to 2MB (configured in dashboard)
174
+ - Recommendations: Add file type validation (image/* only) in `lib/storage/validate.ts`
175
+
176
+ ## Performance Bottlenecks
177
+
178
+ **/api/courses endpoint:**
179
+ - Problem: Fetching all courses with nested lessons and authors
180
+ - File: `app/api/courses/route.ts`
181
+ - Measurement: 1.2s p95 response time with 50+ courses
182
+ - Cause: N+1 query pattern (separate query per course for lessons)
183
+ - Improvement path: Use Prisma include to eager-load lessons in `lib/db/courses.ts`, add Redis caching
184
+
185
+ **Dashboard initial load:**
186
+ - Problem: Waterfall of 5 serial API calls on mount
187
+ - File: `app/dashboard/page.tsx`
188
+ - Measurement: 3.5s until interactive on slow 3G
189
+ - Cause: Each component fetches own data independently
190
+ - Improvement path: Convert to Server Component with single parallel fetch
191
+
192
+ ## Fragile Areas
193
+
194
+ **Authentication middleware chain:**
195
+ - File: `middleware.ts`
196
+ - Why fragile: 4 different middleware functions run in specific order (auth -> role -> subscription -> logging)
197
+ - Common failures: Middleware order change breaks everything, hard to debug
198
+ - Safe modification: Add tests before changing order, document dependencies in comments
199
+ - Test coverage: No integration tests for middleware chain (only unit tests)
200
+
201
+ **Stripe webhook event handling:**
202
+ - File: `app/api/webhooks/stripe/route.ts`
203
+ - Why fragile: Giant switch statement with 12 event types, shared transaction logic
204
+ - Common failures: New event type added without handling, partial DB updates on error
205
+ - Safe modification: Extract each event handler to `lib/stripe/handlers/*.ts`
206
+ - Test coverage: Only 3 of 12 event types have tests
207
+
208
+ ## Scaling Limits
209
+
210
+ **Supabase Free Tier:**
211
+ - Current capacity: 500MB database, 1GB file storage, 2GB bandwidth/month
212
+ - Limit: ~5000 users estimated before hitting limits
213
+ - Symptoms at limit: 429 rate limit errors, DB writes fail
214
+ - Scaling path: Upgrade to Pro ($25/mo) extends to 8GB DB, 100GB storage
215
+
216
+ **Server-side render blocking:**
217
+ - Current capacity: ~50 concurrent users before slowdown
218
+ - Limit: Vercel Hobby plan (10s function timeout, 100GB-hrs/mo)
219
+ - Symptoms at limit: 504 gateway timeouts on course pages
220
+ - Scaling path: Upgrade to Vercel Pro ($20/mo), add edge caching
221
+
222
+ ## Dependencies at Risk
223
+
224
+ **react-hot-toast:**
225
+ - Risk: Unmaintained (last update 18 months ago), React 19 compatibility unknown
226
+ - Impact: Toast notifications break, no graceful degradation
227
+ - Migration plan: Switch to sonner (actively maintained, similar API)
228
+
229
+ ## Missing Critical Features
230
+
231
+ **Payment failure handling:**
232
+ - Problem: No retry mechanism or user notification when subscription payment fails
233
+ - Current workaround: Users manually re-enter payment info (if they notice)
234
+ - Blocks: Can't retain users with expired cards, no dunning process
235
+ - Implementation complexity: Medium (Stripe webhooks + email flow + UI)
236
+
237
+ **Course progress tracking:**
238
+ - Problem: No persistent state for which lessons completed
239
+ - Current workaround: Users manually track progress
240
+ - Blocks: Can't show completion percentage, can't recommend next lesson
241
+ - Implementation complexity: Low (add completed_lessons junction table)
242
+
243
+ ## Test Coverage Gaps
244
+
245
+ **Payment flow end-to-end:**
246
+ - What's not tested: Full Stripe checkout -> webhook -> subscription activation flow
247
+ - Risk: Payment processing could break silently (has happened twice)
248
+ - Priority: High
249
+ - Difficulty to test: Need Stripe test fixtures and webhook simulation setup
250
+
251
+ **Error boundary behavior:**
252
+ - What's not tested: How app behaves when components throw errors
253
+ - Risk: White screen of death for users, no error reporting
254
+ - Priority: Medium
255
+ - Difficulty to test: Need to intentionally trigger errors in test environment
256
+
257
+ ---
258
+
259
+ *Concerns audit: 2025-01-20*
260
+ *Update as issues are fixed or new ones discovered*
261
+ ```
262
+ </good_examples>
263
+
264
+ <guidelines>
265
+ **What belongs in CONCERNS.md:**
266
+ - Tech debt with clear impact and fix approach
267
+ - Known bugs with reproduction steps
268
+ - Security gaps and mitigation recommendations
269
+ - Performance bottlenecks with measurements
270
+ - Fragile code that breaks easily
271
+ - Scaling limits with numbers
272
+ - Dependencies that need attention
273
+ - Missing features that block workflows
274
+ - Test coverage gaps
275
+
276
+ **What does NOT belong here:**
277
+ - Opinions without evidence ("code is messy")
278
+ - Complaints without solutions ("auth sucks")
279
+ - Future feature ideas (that's for product planning)
280
+ - Normal TODOs (those live in code comments)
281
+ - Architectural decisions that are working fine
282
+ - Minor code style issues
283
+
284
+ **When filling this template:**
285
+ - **Always include file paths** - Concerns without locations are not actionable. Use backticks: `src/file.ts`
286
+ - Be specific with measurements ("500ms p95" not "slow")
287
+ - Include reproduction steps for bugs
288
+ - Suggest fix approaches, not just problems
289
+ - Focus on actionable items
290
+ - Prioritize by risk/impact
291
+ - Update as issues get resolved
292
+ - Add new concerns as discovered
293
+
294
+ **Tone guidelines:**
295
+ - Professional, not emotional ("N+1 query pattern" not "terrible queries")
296
+ - Solution-oriented ("Fix: add index" not "needs fixing")
297
+ - Risk-focused ("Could expose user data" not "security is bad")
298
+ - Factual ("3.5s load time" not "really slow")
299
+
300
+ **Useful for phase planning when:**
301
+ - Deciding what to work on next
302
+ - Estimating risk of changes
303
+ - Understanding where to be careful
304
+ - Prioritizing improvements
305
+ - Onboarding new Claude contexts
306
+ - Planning refactoring work
307
+
308
+ **How this gets populated:**
309
+ Explore agents detect these during codebase mapping. Manual additions welcome for human-discovered issues. This is living documentation, not a complaint list.
310
+ </guidelines>