pixelweaver 0.1.0

package/todo/comprehensive-audit.md

@@ -0,0 +1,1085 @@
+# PixelWeaver Comprehensive Codebase Audit
+
+**Date:** 2026-04-10
+**Scope:** Full audit of the PixelWeaver pixel art editor -- Svelte 5 frontend, Python server (wesktop/granian), and plugin system.
+**Note:** Items specific to the former Tauri 2 stack (now replaced by wesktop/granian) have been moved to `todo/.obsolete/comprehensive-audit-obsolete-items.md`.
+
+---
+
+## Table of Contents
+
+- [Severity Summary](#severity-summary)
+- [Critical Findings](#critical-findings)
+  - [C1. Menu/toolbar/palette commands bypass the dispatcher](#c1-menutoolbarpalette-commands-bypass-the-dispatcher)
+  - [C2. Undo/redo commands dispatch themselves, creating phantom stack entries](#c2-undoredo-commands-dispatch-themselves-creating-phantom-stack-entries)
+  - [C3. Pencil/eraser undo snapshots are always empty](#c3-pencileraser-undo-snapshots-are-always-empty)
+  - [C5. Server: MCP save handler imports from wrong module](#c5-server-mcp-save-handler-imports-from-wrong-module)
+- [High -- Bugs](#high----bugs)
+  - [H6. removeLayer uses wrong flat index](#h6-removelayer-uses-wrong-flat-index)
+  - [H7. Animation preview uses stale frame duration](#h7-animation-preview-uses-stale-frame-duration)
+  - [H8. Negative hue shift produces wrong colors](#h8-negative-hue-shift-produces-wrong-colors)
+  - [H9. 90/270-degree rotation destroys non-square buffers](#h9-90270-degree-rotation-destroys-non-square-buffers)
+- [High -- Architecture and Design](#high----architecture-and-design)
+  - [H1. 38 of 40 commands have empty undo but still push to undo stack](#h1-38-of-40-commands-have-empty-undo-but-still-push-to-undo-stack)
+  - [H2. Core imports from UI layer](#h2-core-imports-from-ui-layer)
+  - [H3. UI imports directly from plugin](#h3-ui-imports-directly-from-plugin)
+  - [H4. Plugin API has no mutators](#h4-plugin-api-has-no-mutators)
+  - [H5. menu-commands-plugin.ts is a 1333-line god file](#h5-menu-commands-plugints-is-a-1333-line-god-file)
+- [High -- Server](#high----server)
+  - [H10. Path traversal via project name](#h10-path-traversal-via-project-name)
+  - [H11. No canvas dimension validation](#h11-no-canvas-dimension-validation)
+  - [H13. Broadcast iterates mutable list](#h13-broadcast-iterates-mutable-list)
+  - [H14. MCPLock is created but never used](#h14-mcplock-is-created-but-never-used)
+- [High -- Type Safety](#high----type-safety)
+  - [H15. plugins/ excluded from ESLint](#h15-plugins-excluded-from-eslint)
+  - [H16. noUncheckedIndexedAccess not enabled](#h16-nouncheckedindexedaccess-not-enabled)
+  - [H17. 200+ unsafe casts](#h17-200-unsafe-casts)
+- [High -- Accessibility](#high----accessibility)
+  - [A1. No focus-visible indicators](#a1-no-focus-visible-indicators)
+  - [A2. Modals lack focus traps](#a2-modals-lack-focus-traps)
+  - [A3. Missing dialog ARIA roles](#a3-missing-dialog-aria-roles)
+  - [A4. Icon-only buttons lack aria-label](#a4-icon-only-buttons-lack-aria-label)
+  - [A5. Command palette missing combobox ARIA pattern](#a5-command-palette-missing-combobox-aria-pattern)
+  - [A6. Menus lack menu ARIA roles and keyboard navigation](#a6-menus-lack-menu-aria-roles-and-keyboard-navigation)
+  - [A7. Context menu has no viewport boundary clamping](#a7-context-menu-has-no-viewport-boundary-clamping)
+  - [A8. Canvas has tabindex but no role or label](#a8-canvas-has-tabindex-but-no-role-or-label)
+- [Medium -- DRY Violations](#medium----dry-violations)
+  - [M1. getActiveBuffer cast pattern repeated 69 times](#m1-getactivebuffer-cast-pattern-repeated-69-times)
+  - [M2. Snapshot entire buffer boilerplate in 9 files](#m2-snapshot-entire-buffer-boilerplate-in-9-files)
+  - [M3. Pencil and eraser are structurally identical](#m3-pencil-and-eraser-are-structurally-identical)
+  - [M4. Shape tool boilerplate](#m4-shape-tool-boilerplate)
+  - [M5. Identical undo handler across 25 files](#m5-identical-undo-handler-across-25-files)
+  - [M6. Zoom steps duplicated verbatim](#m6-zoom-steps-duplicated-verbatim)
+  - [M7. Palette helpers copy-pasted between files](#m7-palette-helpers-copy-pasted-between-files)
+  - [M8. rgbaToHex reimplemented in 3 places](#m8-rgbatohex-reimplemented-in-3-places)
+  - [M9. Importer reset-state boilerplate](#m9-importer-reset-state-boilerplate)
+  - [M10. Dialog CSS duplicated](#m10-dialog-css-duplicated)
+- [Medium -- State and Logic](#medium----state-and-logic)
+  - [M11. add_layer never sets previousActiveLayerId](#m11-add_layer-never-sets-previousactivelayerid)
+  - [M12. Dispatcher callback iteration during modification](#m12-dispatcher-callback-iteration-during-modification)
+  - [M13. input-handler exports plain let bindings](#m13-input-handler-exports-plain-let-bindings)
+  - [M14. tile-mode creates new OffscreenCanvas every frame](#m14-tile-mode-creates-new-offscreencanvas-every-frame)
+  - [M15. restoreLayer undo crashes if parent group was removed](#m15-restorelayer-undo-crashes-if-parent-group-was-removed)
+  - [M16. onCommand listener return value discarded](#m16-oncommand-listener-return-value-discarded)
+  - [M17. RecoveryManager start called but stop never called](#m17-recoverymanager-start-called-but-stop-never-called)
+  - [M18. WebSocket connect overwrites old socket without closing](#m18-websocket-connect-overwrites-old-socket-without-closing)
+  - [M19. syncPlugin swallows initializeSync rejection](#m19-syncplugin-swallows-initializesync-rejection)
+  - [M20. Clipboard trapped as module-level variable in god file](#m20-clipboard-trapped-as-module-level-variable-in-god-file)
+- [Medium -- Server](#medium----server)
+  - [M21. save_project is sync I/O in async context](#m21-save_project-is-sync-io-in-async-context)
+  - [M22. Autosave clears dirty flag even on failure](#m22-autosave-clears-dirty-flag-even-on-failure)
+  - [M23. register_all_tools runs at import time](#m23-register_all_tools-runs-at-import-time)
+  - [M24. export_frame_png ignores the frame parameter](#m24-export_frame_png-ignores-the-frame-parameter)
+  - [M25. WebSocket crash path never closes socket](#m25-websocket-crash-path-never-closes-socket)
+- [Medium -- CSS and UI](#medium----css-and-ui)
+  - [M26. Hardcoded colors instead of design tokens](#m26-hardcoded-colors-instead-of-design-tokens)
+  - [M27. --text-on-accent referenced but never defined](#m27---text-on-accent-referenced-but-never-defined)
+  - [M28. Light theme broken hover states](#m28-light-theme-broken-hover-states)
+  - [M29. Global transition applies to canvas and animation elements](#m29-global-transition-applies-to-canvas-and-animation-elements)
+  - [M30. prompt() used for user input](#m30-prompt-used-for-user-input)
+- [Dead Code](#dead-code)
+  - [Entire Unused Modules](#entire-unused-modules)
+  - [Significant Unused Exports from Active Modules](#significant-unused-exports-from-active-modules)
+  - [Half-Implemented Features](#half-implemented-features)
+- [Static Analysis Enforcement Gaps](#static-analysis-enforcement-gaps)
+  - [TypeScript](#typescript)
+  - [ESLint](#eslint)
+  - [Python (Ruff)](#python-ruff)
+  - [JSON.parse Without Validation](#jsonparse-without-validation)
+- [Server Test Coverage Gaps](#server-test-coverage-gaps)
+- [Top 10 Recommendations by Impact](#top-10-recommendations-by-impact)
+
+---
+
+## Severity Summary
+
+| Severity | Count | Description |
+|----------|------:|-------------|
+| Critical | 4 | Broken core functionality or security vulnerabilities that block normal use |
+| High -- Bugs | 4 | Incorrect behavior producing wrong results |
+| High -- Architecture | 5 | Structural problems that compound maintenance cost and block feature work |
+| High -- Server | 4 | Server-side bugs including security and stability issues |
+| High -- Type Safety | 3 | Systemic gaps in compile-time safety |
+| High -- Accessibility | 8 | Barriers that prevent assistive technology users from operating the app |
+| Medium -- DRY | 10 | Duplicated code increasing maintenance burden |
+| Medium -- State/Logic | 10 | Subtle logic errors and resource leaks |
+| Medium -- Server | 5 | Server-side logic and reliability issues |
+| Medium -- CSS/UI | 5 | Visual inconsistencies and platform compatibility gaps |
+| Dead Code | -- | 6 unused modules, 40+ unused exports, 4+ half-implemented features |
+| Static Analysis | -- | Gaps in TS, ESLint, and Ruff configurations |
+| Test Coverage | -- | 10+ server modules with zero test coverage |
+| **Total** | **58+** | |
+
+---
+
+## Critical Findings
+
+### C1. Menu/toolbar/palette commands bypass the dispatcher
+
+**Severity:** Critical
+**Impact:** All UI-triggered commands are non-undoable, unlogged, and unobservable.
+
+All four UI entry points call `cmd.execute({}, {})` directly instead of routing through the dispatcher:
+
+| Location | Line | Entry Point |
+|----------|------|-------------|
+| `src/core/menu-builder.ts` | 67 | Menu bar clicks |
+| `src/ui/panels/ToolbarPanel.svelte` | 184 | Toolbar button clicks |
+| `src/ui/panels/TabAddMenu.svelte` | 27 | Tab add menu |
+| `src/core/command-palette-state.svelte.ts` | 54 | Command palette selection |
+
+**Files to change:** `menu-builder.ts`, `ToolbarPanel.svelte`, `TabAddMenu.svelte`, `command-palette-state.svelte.ts`
+**Effort:** Small -- replace `cmd.execute({}, {})` with `dispatch(cmd.id, params)` at each site.
+
+---
+
+### C2. Undo/redo commands dispatch themselves, creating phantom stack entries
+
+**Severity:** Critical
+**Impact:** Undo never undoes the user's last action. Redo is similarly broken.
+
+`menu-commands-plugin.ts:206-215` registers `undo` as a dispatchable command. When dispatched:
+
+1. The dispatcher pushes an `undo` entry onto the undo stack.
+2. The `undo` command calls `undoLast()`.
+3. `undoLast()` pops the top of the stack -- which is the `undo` entry just pushed, not the user's actual last action.
+
+The same pattern applies to `redo`.
+
+**Files to change:** `plugins/builtin/menu-commands-plugin.ts`, `src/core/dispatcher.ts`
+**Effort:** Small -- make undo/redo special dispatcher methods that are never pushed to the stack, or mark them as non-undoable commands that skip stack insertion.
+
+---
+
+### C3. Pencil/eraser undo snapshots are always empty
+
+**Severity:** Critical
+**Impact:** Undoing any pencil or eraser stroke restores nothing; pixel data is permanently lost.
+
+| Location | Line | Problem |
+|----------|------|---------|
+| `plugins/builtin/pencil-tool.ts` | 113 | `_snapshot: []` hardcoded to empty |
+| `plugins/builtin/eraser-tool.ts` | 107 | `_snapshot: []` hardcoded to empty |
+
+The comment in both files says "snapshot is filled by the canvas layer before dispatch" but no code performs this fill step.
+
+**Files to change:** `pencil-tool.ts`, `eraser-tool.ts`, and potentially the canvas layer or a new snapshot utility.
+**Effort:** Medium -- need to implement the snapshot-before-dispatch mechanism and verify it works with the dispatcher.
+
+---
+
+### C5. Server: MCP save handler imports from wrong module
+
+**Severity:** Critical
+**Impact:** MCP-initiated saves always write to `./projects` regardless of the user's `--data-dir` flag.
+
+`mcp_registry.py:596` imports `_data_dir` from `main.py`. The MCP process runs separately and never calls `main.set_data_dir()`, so `_data_dir` retains its default value.
+
+**Files to change:** `server/src/pixelweaver/mcp_registry.py`
+**Effort:** Small -- use the MCP server's own data dir reference or read it from a shared configuration source.
+
+---
+
+## High -- Bugs
+
+### H6. removeLayer uses wrong flat index
+
+**Severity:** High
+**Impact:** After deleting a layer, the wrong layer gets selected.
+
+`layer-tree.svelte.ts:239-240` finds the index of the first *other* pixel layer in the flat list instead of using the removed layer's former position to determine the nearest neighbor.
+
+**Files to change:** `src/state/layer-tree.svelte.ts`
+**Effort:** Small
+
+---
+
+### H7. Animation preview uses stale frame duration
+
+**Severity:** High
+**Impact:** Frames with different durations play at incorrect speeds during preview.
+
+`animation-preview.svelte.ts:100-108` computes `frameDuration` once before entering a `while` loop that may advance through multiple frames, each potentially having a different duration.
+
+**Files to change:** `src/state/animation-preview.svelte.ts`
+**Effort:** Small -- recompute `frameDuration` inside the loop body.
+
+---
+
+### H8. Negative hue shift produces wrong colors
+
+**Severity:** High
+**Impact:** Color effects produce incorrect hues when shift is negative.
+
+`effects/color-effects.ts:134` uses `(hsv.h + degrees) % 360`. In JavaScript, the modulo operator returns negative values for negative inputs (e.g., `(-10) % 360 === -10`).
+
+**Fix:** Use `((hsv.h + degrees) % 360 + 360) % 360` to normalize to `[0, 360)`.
+
+**Files to change:** `plugins/builtin/effects/color-effects.ts`
+**Effort:** Small
+
+---
+
+### H9. 90/270-degree rotation destroys non-square buffers
+
+**Severity:** High
+**Impact:** Rotating rectangular canvases by 90 or 270 degrees produces corrupted output with out-of-bounds reads.
+
+`effects/rotate.ts:33-59` maps source coordinates assuming `w === h`. For non-square buffers, pixel reads go out of bounds.
+
+**Files to change:** `plugins/builtin/effects/rotate.ts`
+**Effort:** Small -- swap width/height in the output buffer and fix coordinate mapping.
+
+---
+
+## High -- Architecture and Design
+
+### H1. 38 of 40 commands have empty undo but still push to undo stack
+
+**Severity:** High
+**Impact:** Non-undoable actions (zoom, toggle theme, open dialog, etc.) consume undo slots, polluting the undo stack and evicting real undoable actions when the stack limit is reached.
+
+All 38 commands in `menu-commands-plugin.ts` that register with the dispatcher get pushed to the undo stack despite having empty `undo()` implementations.
+
+**Files to change:** `plugins/builtin/menu-commands-plugin.ts`, `src/core/dispatcher.ts`
+**Effort:** Medium -- add an `undoable: boolean` flag to command registration, make the dispatcher skip stack insertion for non-undoable commands, and mark all 38 commands appropriately.
+
+---
+
+### H2. Core imports from UI layer
+
+**Severity:** High
+**Impact:** Architectural layering violation. Core cannot be tested, bundled, or reasoned about independently of the UI.
+
+`plugin-api.ts:21` imports `notificationState` from `../ui/notifications/`. The dependency should flow UI -> Core, not the reverse.
+
+**Files to change:** `src/core/plugin-api.ts`, potentially extract a notification interface in core.
+**Effort:** Medium -- define a notification interface in core, have the UI layer provide the implementation.
+
+---
+
+### H3. UI imports directly from plugin
+
+**Severity:** High
+**Impact:** Breaks the plugin boundary. The plugin system's encapsulation is bypassed.
+
+`menu-commands-plugin.ts:38` directly imports selection state from `plugins/builtin/selection-tool.js`. Selection state should be exposed through the plugin API or a shared state module.
+
+**Files to change:** `plugins/builtin/menu-commands-plugin.ts`, potentially `src/core/plugin-api.ts`
+**Effort:** Medium
+
+---
+
+### H4. Plugin API has no mutators
+
+**Severity:** High
+**Impact:** All 3 importers must bypass the plugin API entirely, directly importing and mutating 5+ internal modules (canvasState, layer-tree, frame-model, palette-state, dispatcher).
+
+`PluginAPI` only provides read-only getters that return `unknown`. There is no way for a plugin to perform legitimate mutations (set canvas size, add layers, add frames, set pixels) through the official API.
+
+**Files to change:** `src/core/plugin-api.ts`
+**Effort:** Large -- design and implement mutator methods (`setCanvasSize()`, `addLayer()`, `addFrame()`, `setPixels()`, etc.) and migrate importers to use them.
+
+---
+
+### H5. menu-commands-plugin.ts is a 1333-line god file
+
+**Severity:** High
+**Impact:** Maintenance nightmare. 38 commands, 50+ menu items, duplicated zoom logic, clipboard state management, DOM queries via `document.querySelector('.canvas-viewport')`, and `prompt()` calls all in one file.
+
+**Files to change:** `plugins/builtin/menu-commands-plugin.ts` (split into multiple files)
+**Effort:** Large -- split into domain-specific files:
+
+- `file-commands.ts` -- new, open, save, export, import
+- `edit-commands.ts` -- undo, redo, clipboard, select all, deselect
+- `view-commands.ts` -- zoom, grid, theme, fullscreen
+- `layer-commands.ts` -- add/remove/merge/flatten
+- `image-commands.ts` -- resize, crop, rotate, flip
+- `animation-commands.ts` -- frame management, playback
+
+---
+
+## High -- Server
+
+### H10. Path traversal via project name
+
+**Severity:** High (Security)
+**Impact:** An attacker can write files anywhere on the filesystem by setting `CreateProjectRequest.name` to a traversal path like `../../../etc/evil`.
+
+| Location | Line |
+|----------|------|
+| `server/src/pixelweaver/main.py` | 98 |
+| `server/src/pixelweaver/storage.py` | 30 |
+
+`CreateProjectRequest.name` is unconstrained; no sanitization or path-component validation is performed.
+
+**Files to change:** `server/src/pixelweaver/main.py`, `server/src/pixelweaver/storage.py`
+**Effort:** Small -- validate that the name contains no path separators or `..` components; reject or sanitize.
+
+---
+
+### H11. No canvas dimension validation
+
+**Severity:** High (Security/Stability)
+**Impact:** A request with `width=100000, height=100000` allocates ~40 GB of zeros, causing instant OOM.
+
+`state.py:88` accepts arbitrary dimensions. The MCP interface limits to 1024x1024 but the REST API has no limit.
+
+**Files to change:** `server/src/pixelweaver/state.py`, `server/src/pixelweaver/main.py`
+**Effort:** Small -- add a max dimension constant and validate in both REST and state creation paths.
+
+---
+
+### H13. Broadcast iterates mutable list
+
+**Severity:** High
+**Impact:** If `send_json` triggers a disconnect callback during iteration, the connection list is mutated mid-loop, causing skipped messages or a `RuntimeError`.
+
+`connections.py:43-48` iterates the connection list directly while sending.
+
+**Files to change:** `server/src/pixelweaver/connections.py`
+**Effort:** Small -- iterate over a snapshot (`list(connections)`) or collect disconnected clients and remove after iteration.
+
+---
+
+### H14. MCPLock is created but never used
+
+**Severity:** High
+**Impact:** The documented concurrency protection between MCP and WebSocket mutations is completely unimplemented. Concurrent mutations can corrupt state.
+
+| Location | Line |
+|----------|------|
+| `server/src/pixelweaver/mcp_server.py` | 53 |
+| `server/src/pixelweaver/mcp_lock.py` | entire file |
+
+**Files to change:** `server/src/pixelweaver/mcp_server.py`, mutation handlers
+**Effort:** Medium -- acquire the lock in all MCP and WebSocket mutation paths.
+
+---
+
+## High -- Type Safety
+
+### H15. plugins/ excluded from ESLint
+
+**Severity:** High
+**Impact:** 35+ plugin files containing 200+ type assertions are completely unlinted. Bugs, style violations, and unsafe patterns go undetected.
+
+`eslint.config.js` excludes the `plugins/` directory entirely.
+
+**Files to change:** `eslint.config.js`
+**Effort:** Medium -- remove the exclusion, fix the resulting lint errors (expect ~50-100 initial errors).
+
+---
+
+### H16. noUncheckedIndexedAccess not enabled
+
+**Severity:** High
+**Impact:** All `array[i]` and `record[key]` access is silently assumed to succeed. No compile-time protection against out-of-bounds or missing-key access.
+
+`tsconfig.app.json` does not set `noUncheckedIndexedAccess: true`.
+
+**Files to change:** `tsconfig.app.json`
+**Effort:** Medium -- enable the flag and fix resulting type errors (expect 100-200 sites needing `?.` or explicit checks).
+
+---
+
+### H17. 200+ unsafe casts
+
+**Severity:** High
+**Impact:** `Record<string, unknown>` for command params forces unsafe `as X` casts everywhere. Zero compile-time safety for command parameters.
+
+This is systemic across all tools, effects, and command handlers. The root cause is the untyped `params` design in the command/dispatcher system.
+
+**Files to change:** `src/core/dispatcher.ts`, `src/core/plugin-api.ts`, all command/tool files
+**Effort:** Large -- design typed command param interfaces, update dispatcher generics, migrate all command registrations.
+
+---
+
+## High -- Accessibility
+
+### A1. No focus-visible indicators
+
+**Severity:** High
+**Impact:** Keyboard-only users cannot see which element has focus. The app is effectively unusable without a mouse.
+
+No component defines `:focus-visible` outlines. The global CSS reset removes browser defaults without replacing them.
+
+**Files to change:** `src/app.css`, potentially individual component styles
+**Effort:** Small -- add a global `:focus-visible` rule with a visible outline, then refine per-component as needed.
+
+---
+
+### A2. Modals lack focus traps
+
+**Severity:** High
+**Impact:** Pressing Tab inside a dialog moves focus to elements behind the overlay. Users can interact with hidden content.
+
+Affected dialogs:
+
+- `NewProjectDialog.svelte`
+- `ExportDialog.svelte`
+- `AboutDialog.svelte`
+
+**Files to change:** All three dialog components
+**Effort:** Medium -- implement a focus trap utility (or use a library) and apply to all dialogs.
+
+---
+
+### A3. Missing dialog ARIA roles
+
+**Severity:** High
+**Impact:** Screen readers do not announce dialogs as modal overlays. Users may not realize a dialog has opened.
+
+All three dialog components (`NewProjectDialog`, `ExportDialog`, `AboutDialog`) suppress Svelte a11y warnings with `<!-- svelte-ignore -->` instead of adding `role="dialog"` and `aria-modal="true"`.
+
+**Files to change:** `NewProjectDialog.svelte`, `ExportDialog.svelte`, `AboutDialog.svelte`
+**Effort:** Small
+
+---
+
+### A4. Icon-only buttons lack aria-label
+
+**Severity:** High
+**Impact:** Assistive technology announces these as unlabeled buttons. ~20 buttons are affected.
+
+Buttons in `FrameStrip.svelte`, `LayerPanel.svelte`, and `ToolbarPanel.svelte` have only `title` attributes (not universally exposed to assistive tech) with no `aria-label`.
+
+**Files to change:** `FrameStrip.svelte`, `LayerPanel.svelte`, `ToolbarPanel.svelte`
+**Effort:** Small -- add `aria-label` matching the existing `title` text.
+
+---
+
+### A5. Command palette missing combobox ARIA pattern
+
+**Severity:** High
+**Impact:** Screen readers cannot navigate the filtered command list or understand the autocomplete behavior.
+
+`CommandPalette.svelte` is missing:
+
+- `role="combobox"` on the input
+- `aria-autocomplete="list"`
+- `aria-activedescendant` pointing to the highlighted item
+- `role="listbox"` on the results container
+- `role="option"` on each result item
+
+**Files to change:** `src/ui/CommandPalette.svelte`
+**Effort:** Medium
+
+---
+
+### A6. Menus lack menu ARIA roles and keyboard navigation
+
+**Severity:** High
+**Impact:** Menus are not navigable via keyboard. No ArrowUp/Down, Home/End support.
+
+Affected components:
+
+- `MenuBar.svelte`
+- `ContextMenu.svelte`
+
+Neither component implements `role="menu"`, `role="menuitem"`, or keyboard event handlers for standard menu navigation.
+
+**Files to change:** `src/ui/MenuBar.svelte`, `src/ui/ContextMenu.svelte`
+**Effort:** Medium
+
+---
+
+### A7. Context menu has no viewport boundary clamping
+
+**Severity:** High (Accessibility/Usability)
+**Impact:** Context menus opened near screen edges appear partially or fully off-screen.
+
+`ContextMenu.svelte` positions at raw click coordinates without checking against viewport bounds.
+
+**Files to change:** `src/ui/ContextMenu.svelte`
+**Effort:** Small -- measure menu dimensions after render, clamp position to keep within viewport.
+
+---
+
+### A8. Canvas has tabindex but no role or label
+
+**Severity:** High
+**Impact:** The canvas receives focus (via `tabindex="0"`) but screen readers announce nothing meaningful about it.
+
+`CanvasViewport.svelte:147` sets `tabindex="0"` without a corresponding `role` (e.g., `role="img"` or `role="application"`) or `aria-label`.
+
+**Files to change:** `src/ui/panels/CanvasViewport.svelte`
+**Effort:** Small
+
+---
+
+## Medium -- DRY Violations
+
+### M1. getActiveBuffer cast pattern repeated 69 times
+
+**Severity:** Medium
+**Impact:** ~70 lines of duplicated unsafe casting across 24 files.
+
+The following pattern appears 69 times:
+
+```typescript
+const buffer = (ctx as { getActiveBuffer?: () => PixelBuffer }).getActiveBuffer?.();
+if (!buffer) return;
+```
+
+**Fix:** Extract a typed `getBuffer(ctx)` helper in a shared utility module.
+
+**Files to change:** 24 tool/effect files, plus a new utility function
+**Effort:** Small -- mechanical replacement once the helper exists.
+
+---
+
+### M2. Snapshot entire buffer boilerplate in 9 files
+
+**Severity:** Medium
+**Impact:** ~45 lines of duplicated snapshot logic. `color-effects.ts` already has a local `snapshotAll()` proving the abstraction is natural.
+
+Nine files build an all-points array and call `snapshotPixels` with identical boilerplate.
+
+**Fix:** Extract `snapshotAll(buffer): SnapshotData` into `drawing-utils.ts`.
+
+**Files to change:** 9 effect/tool files, `drawing-utils.ts`
+**Effort:** Small
+
+---
+
+### M3. Pencil and eraser are structurally identical
+
+**Severity:** Medium
+**Impact:** ~60 saveable lines. The two tools are ~100 lines each and differ only in:
+
+| Aspect | Pencil | Eraser |
+|--------|--------|--------|
+| Command name | `pencil` | `eraser` |
+| Description verb | "Draw" | "Erase" |
+| Pixel color | Foreground color | Transparent |
+| Icon | `pencil` | `eraser` |
+
+**Fix:** Create a `makeStrokeTool(config)` factory.
+
+**Files to change:** `pencil-tool.ts`, `eraser-tool.ts`, new `stroke-tool-factory.ts`
+**Effort:** Small
+
+---
+
+### M4. Shape tool boilerplate
+
+**Severity:** Medium
+**Impact:** ~50 saveable lines across 5 files with identical structure.
+
+Duplications:
+
+- Center/radii math duplicated between circle tool and diamond tool
+- Bounding box normalization duplicated between rect tool and dither tool
+- Overall structure identical across rect, circle, diamond, line, dither
+
+**Fix:** Create a `makeShapeCommand(config)` factory.
+
+**Files to change:** 5 shape tool files, new factory module
+**Effort:** Medium
+
+---
+
+### M5. Identical undo handler across ~25 files
+
+**Severity:** Medium
+**Impact:** ~60 saveable lines. Every pixel-modifying command repeats the same 5-line undo handler pattern.
+
+**Fix:** Extract `makeSnapshotUndo()` into `drawing-utils.ts`.
+
+**Files to change:** ~25 tool/effect files, `drawing-utils.ts`
+**Effort:** Small
+
+---
+
+### M6. Zoom steps duplicated verbatim
+
+**Severity:** Medium
+**Impact:** ~30 saveable lines. `ZOOM_STEPS`, `zoomStepUp()`, and `zoomStepDown()` are copy-pasted.
+
+| Location | Lines |
+|----------|-------|
+| `src/canvas/input-handler.ts` | 16-31 |
+| `plugins/builtin/menu-commands-plugin.ts` | 96-109 |
+
+**Fix:** Single source of truth in a `zoom-utils.ts` module.
+
+**Files to change:** `input-handler.ts`, `menu-commands-plugin.ts`, new `zoom-utils.ts`
+**Effort:** Small
+
+---
+
+### M7. Palette helpers copy-pasted between files
+
+**Severity:** Medium
+**Impact:** ~25 saveable lines. `collectPixelLayerIds` and `findLayer` are duplicated.
+
+| Location | Contains |
+|----------|----------|
+| `plugins/builtin/effects/palette-swap.ts` | `collectPixelLayerIds`, `findLayer` |
+| `plugins/builtin/effects/palette-extraction.ts` | `collectPixelLayerIds`, `findLayer` |
+| `src/state/layer-tree.svelte.ts` | `getLayer(id)`, `flattenLayers()` (overlapping semantics) |
+
+**Fix:** Use `layer-tree.svelte.ts` exports; delete the copy-pasted versions.
+
+**Files to change:** `palette-swap.ts`, `palette-extraction.ts`
+**Effort:** Small
+
+---
+
+### M8. rgbaToHex reimplemented in 3 places
+
+**Severity:** Medium
+**Impact:** ~8 saveable lines. `color-utils.ts` already exports this function.
+
+| Location | Line |
+|----------|------|
+| `plugins/builtin/aseprite-importer-plugin.ts` | 80 |
+| `plugins/builtin/effects/seam-checker.ts` | 30 |
+| `src/utils/color-utils.ts` | (canonical, already exported) |
+
+**Fix:** Import from `color-utils.ts` in both files.
+
+**Files to change:** `aseprite-importer-plugin.ts`, `seam-checker.ts`
+**Effort:** Small
+
+---
+
+### M9. Importer reset-state boilerplate
+
+**Severity:** Medium
+**Impact:** ~24 saveable lines. All 3 importers (aseprite, piskel, sky-spec) perform identical state reset: set canvas size, deserialize empty layers/frames.
+
+**Fix:** Extract `resetProjectState(width, height, fps?)` utility.
+
+**Files to change:** 3 importer plugins, new shared utility
+**Effort:** Small
+
+---
+
+### M10. Dialog CSS duplicated
+
+**Severity:** Medium
+**Impact:** ~100 lines duplicated between two dialogs. The following classes are near-identical in both:
+
+- `.modal-overlay`
+- `.modal`
+- `.btn`
+- `.form-row`
+- `.form-label`
+- `.form-input`
+
+| File | Approximate CSS lines |
+|------|-----------------------|
+| `NewProjectDialog.svelte` | ~100 |
+| `ExportDialog.svelte` | ~100 |
+
+**Fix:** Extract shared dialog styles into a `dialog.css` module or a shared Svelte component.
+
+**Files to change:** `NewProjectDialog.svelte`, `ExportDialog.svelte`, new shared CSS/component
+**Effort:** Small
+
+---
+
+## Medium -- State and Logic
+
+### M11. add_layer never sets previousActiveLayerId
+
+**Severity:** Medium
+**Impact:** Undoing an "add layer" command always restores `undefined` as the active layer instead of the layer that was active before the addition.
+
+`layer-commands.ts:55-81` does not capture `_previousActiveLayerId` before adding the layer.
+
+**Files to change:** `plugins/builtin/layer-commands.ts`
+**Effort:** Small
+
+---
+
+### M12. Dispatcher callback iteration during modification
+
+**Severity:** Medium
+**Impact:** If a listener unsubscribes during notification dispatch, the callback array is mutated mid-iteration, causing skipped callbacks.
+
+`dispatcher.ts:146-148` iterates the callback array directly.
+
+**Fix:** Iterate over a copy of the array, or use a copy-on-write pattern.
+
+**Files to change:** `src/core/dispatcher.ts`
+**Effort:** Small
+
+---
+
+### M13. input-handler exports plain let bindings
+
+**Severity:** Medium
+**Impact:** Svelte components that read `isDrawing`, `isPanning`, or `pressure` will not re-render when these values change, because they are plain `let` exports rather than `$state` runes.
+
+`input-handler.ts:55-57`
+
+**Files to change:** `src/canvas/input-handler.ts`
+**Effort:** Small -- change to `$state` runes.
+
+---
+
+### M14. tile-mode creates new OffscreenCanvas every frame
+
+**Severity:** Medium
+**Impact:** GC pressure in the render loop. A new `OffscreenCanvas` is allocated on every frame.
+
+`tile-mode.ts:64-66` creates a fresh canvas instead of caching and reusing one (as `canvas-renderer.ts` already does).
+
+**Files to change:** `src/canvas/tile-mode.ts`
+**Effort:** Small
+
+---
+
+### M15. restoreLayer undo crashes if parent group was removed
+
+**Severity:** Medium
+**Impact:** If a parent group and its child are both removed, undoing the child restore crashes because `tree.getLayer(position.parentId)` returns `undefined`.
+
+`layer-commands.ts:39-45` does not check whether the parent group still exists before calling `siblings.splice(...)`.
+
+**Files to change:** `plugins/builtin/layer-commands.ts`
+**Effort:** Small -- add a null check and handle the missing-parent case.
+
+---
+
+### M16. onCommand listener return value discarded
+
+**Severity:** Medium
+**Impact:** Event listener leak on HMR. The unsubscribe function returned by `onCommand` is never stored or called.
+
+`canvas-init-plugin.ts:76`
+
+**Files to change:** `plugins/builtin/canvas-init-plugin.ts`
+**Effort:** Small -- store the unsubscribe function and call it in a cleanup path.
+
+---
+
+### M17. RecoveryManager start called but stop never called
+
+**Severity:** Medium
+**Impact:** The interval timer and visibility event listener leak during HMR reloads.
+
+`recovery-plugin.ts:19-53` calls `start()` but never calls `stop()`.
+
+**Files to change:** `plugins/builtin/recovery-plugin.ts`
+**Effort:** Small -- call `stop()` in a plugin cleanup/dispose handler.
+
+---
+
+### M18. WebSocket connect overwrites old socket without closing
+
+**Severity:** Medium
+**Impact:** The old WebSocket's `onclose` handler may fire after the new socket is assigned, triggering a double-reconnect loop.
+
+`ws-client.ts:93-132` reassigns the socket reference without closing the previous one.
+
+**Files to change:** `src/sync/ws-client.ts`
+**Effort:** Small -- close the existing socket before creating a new one.
+
+---
+
+### M19. syncPlugin swallows initializeSync rejection
+
+**Severity:** Medium
+**Impact:** If `initializeSync()` fails, the promise rejection is silently swallowed, potentially hiding startup errors.
+
+`sync-plugin.ts:17` calls the async function without `.catch()`.
+
+**Files to change:** `plugins/builtin/sync-plugin.ts`
+**Effort:** Small -- add `.catch()` with appropriate error handling/logging.
+
+---
+
+### M20. Clipboard trapped as module-level variable in god file
+
+**Severity:** Medium
+**Impact:** No other module can access the clipboard state. Copy/paste cannot be implemented or extended outside `menu-commands-plugin.ts`.
+
+`menu-commands-plugin.ts:92` declares the clipboard as a module-scoped variable.
+
+**Fix:** Move clipboard state to a dedicated `clipboard-state.ts` module exposed through the plugin API.
+
+**Files to change:** `plugins/builtin/menu-commands-plugin.ts`, new `clipboard-state.ts`
+**Effort:** Small
+
+---
+
+## Medium -- Server
+
+### M21. save_project is sync I/O in async context
+
+**Severity:** Medium
+**Impact:** Blocks the event loop during disk writes, stalling all other connections.
+
+| Location | Line |
+|----------|------|
+| `server/src/pixelweaver/autosave.py` | 101 |
+| `server/src/pixelweaver/main.py` | 107 |
+
+**Fix:** Wrap in `asyncio.to_thread()` or use `aiofiles`.
+
+**Files to change:** `autosave.py`, `main.py`
+**Effort:** Small
+
+---
+
+### M22. Autosave clears dirty flag even on failure
+
+**Severity:** Medium
+**Impact:** If a project fails to save, the dirty flag is cleared anyway. The failed project won't be retried until the next mutation, risking data loss.
+
+`autosave.py:99-106` clears `_dirty` unconditionally after the save attempt.
+
+**Fix:** Only clear `_dirty` for projects that saved successfully.
+
+**Files to change:** `server/src/pixelweaver/autosave.py`
+**Effort:** Small
+
+---
+
+### M23. register_all_tools runs at import time
+
+**Severity:** Medium
+**Impact:** Importing `mcp_server.py` triggers filesystem reads (tool registration). Breaks test isolation and makes the module impossible to import without side effects.
+
+`mcp_server.py:154` calls `register_all_tools()` at module scope.
+
+**Fix:** Move to an explicit initialization function called at server startup.
+
+**Files to change:** `server/src/pixelweaver/mcp_server.py`
+**Effort:** Small
+
+---
+
+### M24. export_frame_png ignores the frame parameter
+
+**Severity:** Medium
+**Impact:** Exporting any frame always exports frame 0, regardless of which frame was requested.
+
+`storage.py:156` accepts a `frame` argument but never uses it in the export logic.
+
+**Files to change:** `server/src/pixelweaver/storage.py`
+**Effort:** Small
+
+---
+
+### M25. WebSocket crash path never closes socket
+
+**Severity:** Medium
+**Impact:** On server-side WebSocket errors, the client socket is never explicitly closed. The client may hang indefinitely waiting for a response.
+
+`main.py:160-172` catches exceptions in the WebSocket handler but does not close the socket in the error path.
+
+**Files to change:** `server/src/pixelweaver/main.py`
+**Effort:** Small
+
+---
+
+## Medium -- CSS and UI
+
+### M26. Hardcoded colors instead of design tokens
+
+**Severity:** Medium
+**Impact:** ~30 hardcoded color values across 10+ Svelte files bypass the theming system.
+
+Examples: `#ffffff`, `rgba(255,255,255,...)`, `#000000`, etc. used directly instead of CSS custom properties (`--bg-*`, `--text-*`, `--border`, `--accent`).
+
+**Files to change:** 10+ Svelte component files
+**Effort:** Medium -- search and replace with appropriate design tokens.
+
+---
+
+### M27. --text-on-accent referenced but never defined
+
+**Severity:** Medium
+**Impact:** Components silently fall back to `#fff`, which may not be correct for all accent colors or themes.
+
+| File | Fallback |
+|------|----------|
+| `AboutDialog.svelte` | `#fff` |
+| `ToolbarPanel.svelte` | `#fff` |
+
+The variable `--text-on-accent` is never defined in `app.css` for either the dark or light theme.
+
+**Files to change:** `src/app.css`
+**Effort:** Small -- define `--text-on-accent` in both themes.
+
+---
+
+### M28. Light theme broken hover states
+
+**Severity:** Medium
+**Impact:** Hover overlays using white-alpha values are invisible on white backgrounds in light theme.
+
+| File | Line | Problem |
+|------|------|---------|
+| `LayerPanel.svelte` | 471 | `rgba(255,255,255,0.04)` on white |
+| `FrameStrip.svelte` | 486 | `rgba(255,255,255,0.04)` on white |
+| `dockview-theme.css` | 63, 67 | Same white-alpha overlays |
+
+**Fix:** Use theme-aware tokens or invert the overlay color for light theme.
+
+**Files to change:** `LayerPanel.svelte`, `FrameStrip.svelte`, `dockview-theme.css`
+**Effort:** Small
+
+---
+
+### M29. Global transition applies to canvas and animation elements
+
+**Severity:** Medium
+**Impact:** The 150ms transition on all elements causes visible drag lag on the canvas, color picker, and animation playback.
+
+`app.css:98-101` applies `transition: 150ms ease` to `background-color`, `color`, and `border-color` on the universal `*` selector.
+
+**Fix:** Scope the transition to theme-sensitive containers only, excluding canvas and interactive elements.
+
+**Files to change:** `src/app.css`
+**Effort:** Small
+
+---
+
+### M30. prompt() used for user input
+
+**Severity:** Medium
+**Impact:** `window.prompt()` is a blocking browser API that does not exist in Tauri's desktop WebView. These calls silently return `null` in production.
+
+| Location | Line |
+|----------|------|
+| `menu-commands-plugin.ts` | 382 |
+| `menu-commands-plugin.ts` | 669 |
+
+**Fix:** Replace with custom dialog components.
+
+**Files to change:** `plugins/builtin/menu-commands-plugin.ts`, potentially new dialog components
+**Effort:** Medium
+
+---
+
+## Dead Code
+
+### Entire Unused Modules
+
+The following modules are fully unused -- no imports from any other module in the codebase:
+
+| Module | Exports | Purpose |
+|--------|---------|---------|
+| `src/canvas/reference-image.svelte.ts` | `referenceImageState`, `renderReferenceImage` | Reference image overlay |
+| `src/canvas/guides.svelte.ts` | `guidesState`, `renderGuides`, `snapPosition` | Guide lines and snapping |
+| `src/core/plugin-api-docs.ts` | `getAPIDocumentation` | Auto-generated API docs |
+| `src/ui/plugin-state.svelte.ts` | `pluginState` | Plugin UI state |
+| `plugins/builtin/symmetry-tool.ts` | `getSymmetryConfig`, `setSymmetryConfig`, `getSymmetricPoints` | Symmetry drawing |
+| `server/src/pixelweaver/thumbnails.py` | `generate_thumbnail`, `generate_region_thumbnail` | Thumbnail generation |
+
+**Effort:** Small -- delete the files. If any are intended for future use, move to a `_planned/` directory or document the intent.
+
+### Significant Unused Exports from Active Modules
+
+| Module | Unused Exports |
+|--------|---------------|
+| `src/core/dispatcher.ts` | `onLog`, `onSpecExport`, `canUndo`, `canRedo`, `setMaxUndoSize`, `getContext` |
+| `src/canvas/onion-skin.svelte.ts` | Entire module (13 exports, zero consumers) |
+| `src/state/animation-preview.svelte.ts` | `getMode`, `setMode`, `getSpeedMultiplier`, `setSpeed`, `getPreviewFrameIndex`, `PreviewMode` |
+| `src/state/frame-tags.svelte.ts` | `getTagsForFrame`, `getFrameRange`, `updateTag` |
+| `src/state/palette-state.svelte.ts` | `getProjectPalette`, `getGlobalPalettes`, `addGlobalPalette`, `removeGlobalPalette`, `setActivePalette`, `getAutoCollectedColors`, `snapToActivePalette` |
+| `src/state/color-state.svelte.ts` | `getActiveColorSpace`, `setActiveColorSpace` |
+| `src/core/shortcut-registry.svelte.ts` | `updateBindingKey` |
+| `src/core/plugin-loader.ts` | `getLoadedPlugin`, `getAllLoadedPlugins` |
+| `src/state/layer-tree.svelte.ts` | `getPath`, `getVisiblePixelLayers`, `flattenGroup` |
+
+### Half-Implemented Features
+
+| Feature | Location | Status |
+|---------|----------|--------|
+| `invert_selection` | Plugin command | Logs `console.warn("not yet implemented")` |
+| `select_by_color` | Plugin command | Logs `console.warn("not yet implemented")` |
+| `crop_to_selection` | Plugin command | Warns pixel data remapping is unimplemented |
+| `save_project` | Plugin command | Just logs to console |
+| Shortcut actions | `shortcut-init.ts:65-68` | Four actions return no-op functions |
+
+---
+
+## Static Analysis Enforcement Gaps
+
+### TypeScript
+
+| Setting | Status | Impact |
+|---------|--------|--------|
+| `noUncheckedIndexedAccess` | Not enabled (`tsconfig.app.json`) | Array/object index access assumed safe |
+| `noUnusedLocals` | Only in node config, not app config | Dead variables accumulate silently |
+| `noUnusedParameters` | Only in node config, not app config | Unused params hide API surface |
+| `noFallthroughCasesInSwitch` | Only in node config | Switch fallthrough bugs possible |
+| `exactOptionalPropertyTypes` | Not enabled | `undefined` vs missing property conflated |
+
+### ESLint
+
+| Issue | Impact |
+|-------|--------|
+| `plugins/` excluded from linting | 35+ files, 200+ type assertions unlinted |
+| Uses `recommended` not `strict-type-checked` | `no-unsafe-assignment`, `no-unsafe-member-access`, `no-unsafe-call`, `no-unsafe-return`, `no-unsafe-argument` all OFF |
+| `consistent-type-assertions` OFF | Dangerous `as` casts not flagged |
+| `no-non-null-assertion` OFF | `!` operator used without checks |
+| `strict-boolean-expressions` OFF | Truthy/falsy coercions not flagged |
+| Currently reports 36 errors | Existing errors across Svelte files (unused vars, missing each-keys) |
+
+### Python (Ruff)
+
+| Missing Rule Set | Purpose |
+|-----------------|---------|
+| `S` (security/bandit) | Security vulnerability detection |
+| `B` (bugbear) | Common bug patterns |
+| `C4` (comprehensions) | Comprehension optimizations |
+| `SIM` (simplifications) | Code simplification suggestions |
+| `ASYNC` (async pitfalls) | Async/await anti-patterns |
+
+Additionally: no dependency upper bounds in `pyproject.toml`, allowing untested major version upgrades.
+
+### JSON.parse Without Validation
+
+All of the following sites parse unvalidated external data and cast with `as X` -- no runtime schema validation:
+
+| File | Line | Data Source |
+|------|------|-------------|
+| `src/ui/dock-persistence.ts` | 24 | localStorage |
+| `src/ui/toolbar-config.ts` | 29 | localStorage |
+| `src/sync/ws-client.ts` | 263 | WebSocket message |
+| `plugins/builtin/sky-spec-plugin.ts` | 369 | File import |
+| `plugins/builtin/piskel-importer-plugin.ts` | 142 | File import |
+| `src/state/macros.svelte.ts` | 27 | localStorage |
+
+---
+
+## Server Test Coverage Gaps
+
+The following server modules and code paths have zero test coverage:
+
+| Module / Path | What is Untested |
+|---------------|-----------------|
+| `autosave.py` | `AutoSaver` class entirely |
+| `cli.py` | Subcommand parsing, default argument fallbacks |
+| `mcp_server.py` | `_format_result`, `_make_tool_handler`, `register_all_tools`, stdio transport |
+| `connections.py` | No dedicated test file; broadcast exclude logic only tested indirectly |
+| `state.py` | No dedicated test file |
+| `main.py` lifespan | Loading projects at startup, starting/stopping autosaver |
+| `main.py` WebSocket | Actual WebSocket endpoint never integration-tested |
+| `storage.py` edge cases | Corrupted JSON, missing directories, pixel data size mismatches |
+| `mcp_registry.py` handlers | `export_png`, `export_spritesheet`, `get_palette`, `get_canvas_thumbnail`, `get_region`, `open_project`, `get_project_info`, `save_project`, `resize_canvas`, `apply_effect` |
+
+---
+
+## Top 10 Recommendations by Impact
+
+| Priority | Finding | Action | Effort | Rationale |
+|----------|---------|--------|--------|-----------|
+| 1 | C1 | Route all UI command triggers through `dispatch()` instead of `cmd.execute()` | Small | Unblocks undo/redo, logging, and observability for every command in the app |
+| 2 | C2 | Make undo/redo special dispatcher methods, not registered commands | Small | Without this, undo literally cannot work even after C1 is fixed |
+| 3 | C3 | Implement snapshot-before-dispatch for pencil and eraser tools | Medium | Drawing is the primary user action; undo must work for strokes |
+| 4 | H5 | Split `menu-commands-plugin.ts` into domain-specific files | Large | Prerequisite for safely fixing most other plugin-layer issues |
+| 5 | H4 | Add mutator methods to `PluginAPI` (`setCanvasSize`, `addLayer`, `addFrame`, `setPixels`) | Large | Eliminates the need for plugins to bypass the API, restoring encapsulation |
+| 6 | M1-M5 | Extract shared tool factories: `getBuffer()`, `snapshotAll()`, `makeStrokeTool()`, `makeShapeCommand()`, shared undo handler | Medium | Eliminates ~285 lines of duplication, reduces bug surface, makes adding new tools trivial |
+| 7 | H15-H17 | Enable `noUncheckedIndexedAccess`, lint `plugins/`, design typed command params | Large | Systemic type safety improvement; catches bugs at compile time instead of runtime |
+| 8 | H10, H11 | Sanitize project names, cap canvas dimensions on the server | Small | Closes two security holes (path traversal and OOM via unbounded dimensions) |
+| 9 | A1-A3 | Add `:focus-visible` outlines, focus traps, and `role="dialog"` / `aria-modal="true"` to all dialogs | Medium | Minimum viable accessibility for keyboard and screen reader users |
+| 10 | Dead code | Remove 6 unused modules, 40+ unused exports, and half-implemented stubs | Small | Reduces codebase noise, prevents confusion, lowers onboarding cost |