cesnimda/jobtrackingapp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
54abc9f546ee134ce09ebdc1c205a3aa0551b18f
jobtrackingapp/.gsd/state-manifest.json
T

4248 lines
352 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"version": 1,
"exported_at": "2026-04-10T23:25:36.543Z",
"milestones": [
{
"id": "M001",
"title": "M001: M001: Gmail and draft quality loop",
"status": "active",
"depends_on": [],
"created_at": "2026-03-28T22:02:57.775Z",
"completed_at": null,
"vision": "",
"success_criteria": [],
"key_risks": [],
"proof_strategy": [],
"verification_contract": "",
"verification_integration": "",
"verification_operational": "",
"verification_uat": "",
"definition_of_done": [],
"requirement_coverage": "",
"boundary_map_markdown": ""
},
{
"id": "M002",
"title": "",
"status": "active",
"depends_on": [],
"created_at": "2026-03-28T22:04:42.699Z",
"completed_at": null,
"vision": "",
"success_criteria": [],
"key_risks": [],
"proof_strategy": [],
"verification_contract": "",
"verification_integration": "",
"verification_operational": "",
"verification_uat": "",
"definition_of_done": [],
"requirement_coverage": "",
"boundary_map_markdown": ""
},
{
"id": "M003",
"title": "",
"status": "active",
"depends_on": [],
"created_at": "2026-03-28T22:04:42.699Z",
"completed_at": null,
"vision": "",
"success_criteria": [],
"key_risks": [],
"proof_strategy": [],
"verification_contract": "",
"verification_integration": "",
"verification_operational": "",
"verification_uat": "",
"definition_of_done": [],
"requirement_coverage": "",
"boundary_map_markdown": ""
},
{
"id": "M004",
"title": "",
"status": "active",
"depends_on": [],
"created_at": "2026-03-28T22:04:42.699Z",
"completed_at": null,
"vision": "",
"success_criteria": [],
"key_risks": [],
"proof_strategy": [],
"verification_contract": "",
"verification_integration": "",
"verification_operational": "",
"verification_uat": "",
"definition_of_done": [],
"requirement_coverage": "",
"boundary_map_markdown": ""
},
{
"id": "M005",
"title": "",
"status": "queued",
"depends_on": [],
"created_at": "2026-03-28T22:02:57.780Z",
"completed_at": null,
"vision": "Turn the current CV upload and tailoring surfaces into a robust canonical-profile pipeline: preserve raw uploads, extract a confidence-scored structured CV through a multi-pass process, let the user review/edit uncertain fields, generate job-specific tailored CV drafts separate from the master profile, and render previewable downloadable PDFs from selectable templates without crossing the manual-send or individual-first product boundaries.",
"success_criteria": [
"Uploading a CV preserves the original artifact, raw extracted text, normalized text, extraction metadata, and a canonical structured CV profile with field-level confidence/provenance.",
"The structured CV editor highlights uncertain extracted fields and supports review, edit, accept, and reprocess flows without destroying raw source data.",
"The app can generate and persist a job-specific tailored CV draft that is separate from both the master CV and the final PDF export.",
"At least one HTML/CSS-backed template can preview and export a tailored CV as a downloadable PDF; the renderer is deterministic and uses the same template for preview and export.",
"The PDF export flow remains individual-first and manual: users explicitly choose template/options and explicitly download the generated document.",
"Template controls support at least photo visibility, one-page vs two-page mode, accent color, section ordering, and bullet density on the tailored draft/render layer."
],
"key_risks": [
{
"risk": "Plain-text-only parsing will keep collapsing complex/two-column CVs into weak structure and reduce trust in the review surface.",
"whyItMatters": "If extraction quality is poor, every downstream draft/PDF feature is working from a broken model and the product feels unreliable."
},
{
"risk": "Tailored CV drafts may get tangled with the existing master CV text and per-job tailored text fields, creating unclear ownership and destructive overwrite risks.",
"whyItMatters": "Users need a stable master profile plus job-specific variants; mixing those layers will make regeneration and editing unsafe."
},
{
"risk": "PDF generation can drift from preview or become template-specific technical debt if rendering is not deterministic.",
"whyItMatters": "Users will not trust export if the downloaded PDF differs from what they reviewed, and adding templates later will become expensive."
},
{
"risk": "Extraction provenance/confidence can bloat the data model and UI if added without clear boundaries.",
"whyItMatters": "We need enough traceability for review and reprocessing, but not so much complexity that the editor becomes unusable."
}
],
"proof_strategy": [
{
"riskOrUnknown": "Can we represent canonical CV, extraction provenance, tailored drafts, and render options cleanly in the current data model?",
"retireIn": "M005/S01",
"whatWillBeProven": "Schema/API design plus persistence layer prove the project can store raw artifacts, extraction runs, canonical structured CV, and tailored draft data without collapsing existing profile flows."
},
{
"riskOrUnknown": "Can the extractor improve real-world OCR/PDF quality beyond the current 'General blob' fallback while remaining generic?",
"retireIn": "M005/S02",
"whatWillBeProven": "Multi-pass extraction plus review UX prove common CV uploads populate structured fields with confidence/provenance and support reprocessing."
},
{
"riskOrUnknown": "Can job-specific tailored drafts stay separate from master CV data while still reusing canonical profile content effectively?",
"retireIn": "M005/S03",
"whatWillBeProven": "Tailored draft model, generation endpoints, and edit/save flows prove job-specific variants are durable and safely editable."
},
{
"riskOrUnknown": "Can preview and PDF export share one deterministic renderer that supports templates and layout controls?",
"retireIn": "M005/S04",
"whatWillBeProven": "One end-to-end template proves preview == export and that PDF generation/download works from the tailored draft layer."
},
{
"riskOrUnknown": "Can multiple templates and user controls ship without making exports inconsistent or fragile?",
"retireIn": "M005/S05",
"whatWillBeProven": "Additional templates, render controls, and acceptance verification prove the system scales past a single hardcoded export."
}
],
"verification_contract": "Verification for this milestone must cover each layer independently and together: extraction pipeline tests for deterministic/layout/LLM repair behavior, persistence tests for artifacts/provenance/draft models, frontend review/edit tests for the structured editor and confidence surfaces, tailored draft generation tests, and deterministic renderer tests where preview and exported PDF are compared against the same source draft. Non-trivial slices must also prove that raw master CV data remains preserved and that no export flow silently overwrites the canonical profile.",
"verification_integration": "Integration verification must prove upload artifact → extracted text → structured profile → tailored draft → preview → PDF export works as one coherent pipeline. The job workspace must consume the tailored draft layer without regressing existing application-package and follow-up flows.",
"verification_operational": "Operational verification must prove reprocessing is safe and repeatable, extraction runs are versioned/auditable, stored artifacts are retrievable, and PDF generation failures surface actionable errors rather than silent corruption. Any background rendering service/process must expose clear failure state.",
"verification_uat": "UAT must show a user uploading a real CV, reviewing highlighted uncertain fields, generating a tailored CV for a chosen job, switching templates/options, previewing the result, and downloading a PDF that matches the preview.",
"definition_of_done": [
"A durable canonical CV extraction architecture exists with artifact preservation, extraction run history, and field-level provenance/confidence.",
"Users can review/edit extracted structured CV data and reprocess with a newer extractor without losing the original upload or current canonical state.",
"Tailored CV drafts are persisted per job and are clearly distinct from the master profile and the final exported document.",
"At least one template supports preview and PDF export from the tailored draft layer, with deterministic parity between preview and download.",
"Template controls are stored as render options and do not mutate the canonical profile.",
"Milestone-level verification and UAT evidence exist for the full upload → review → tailor → preview → export loop."
],
"requirement_coverage": "This milestone extends R003 by improving the quality and controllability of tailored CV output, remains constrained by R008/R015 because generation/export stay manual, and stays aligned with R009/R016 because the flow optimizes for one person's personal job search materials rather than recruiter/team workflows. It also surfaces a likely new requirement around deterministic document export from job-tailored drafts, to be formalized when execution starts.",
"boundary_map_markdown": "### Boundary map\n- **Canonical profile layer**: raw upload artifact, extracted text, normalized text, extraction metadata, provenance/confidence, and user-reviewed structured CV.\n- **Tailored draft layer**: job-specific editable CV draft derived from canonical profile + job context; separate from master profile and separate from final export artifact.\n- **Render/export layer**: deterministic HTML/CSS template rendering, preview generation, PDF output, and render options.\n- **Current profile compatibility layer**: existing `ProfileCvText` and `ProfileCvStructureJson` remain compatible during rollout.\n- **Not in scope**: autonomous application submission, autonomous outbound communication, recruiter/team collaboration features, replacing external CV design tools wholesale.\n- **External dependencies**: existing summarizer/OCR service, browser/PDF rendering runtime, local/remote file storage for artifacts.\n"
},
{
"id": "M006",
"title": "",
"status": "queued",
"depends_on": [],
"created_at": "2026-04-01T13:38:20.257Z",
"completed_at": null,
"vision": "Turn the existing job-local Gmail import helpers into a real integration foundation: durable OAuth connection, sync state, normalized Gmail ingestion contract, and the first platform seams required for cross-job correspondence workflows.",
"success_criteria": [
"Gmail connection state, token lifecycle, and sync state are visible and durable for one user account.",
"A normalized Gmail ingestion/storage contract exists for messages, threads, labels, and attachment metadata, without breaking existing per-job correspondence import flows.",
"The codebase has explicit service boundaries that allow later milestones to add cross-job matching, review queues, and Phase 2 AI enrichment without rewriting the foundation."
],
"key_risks": [
{
"risk": "Existing Gmail logic is job-local and may be too coupled to the per-job correspondence dialog.",
"whyItMatters": "If the ingestion/model layer stays job-scoped, later confidence routing and global inbox work will become a rewrite instead of an extension."
},
{
"risk": "OAuth/token handling may work for connect/import but not for repeatable sync lifecycle and recovery.",
"whyItMatters": "Phase 1 must be stable even when Gmail is disconnected, tokens expire, or sync partially fails."
}
],
"proof_strategy": [
{
"riskOrUnknown": "Can Gmail foundation be extracted from the current job-local import flow without regressions?",
"retireIn": "M006/S01-S02",
"whatWillBeProven": "Connection, token, and normalized ingestion seams work while existing GmailController behavior remains testable."
},
{
"riskOrUnknown": "Will the data contract support later review queues and unmatched-thread workflows?",
"retireIn": "M006/S02-S03",
"whatWillBeProven": "Stored metadata and sync-state models can drive global correspondence and matching milestones without schema churn."
}
],
"verification_contract": "Focused backend tests for Gmail service/controller seams plus focused frontend tests for connection/sync-state surfaces must pass.",
"verification_integration": "Existing per-job correspondence Gmail flows must remain functional while new shared ingestion/state seams are introduced.",
"verification_operational": "Admin/system visibility for Gmail/OAuth/sync status should remain diagnosable and non-destructive.",
"verification_uat": "A local user can connect Gmail (or see clear not-configured state), inspect sync status, and exercise the foundation UI without breaking the existing workspace.",
"definition_of_done": [
"OAuth and sync-state foundations are in place and documented.",
"Existing Gmail per-job flows still pass focused regression tests.",
"Foundation code is ready for cross-job ingestion/linking milestones without hidden rewrites."
],
"requirement_coverage": "Advances R001, R002, R007, and R010 as the platform base for broader correspondence integration while preserving R008/R015 manual-send boundaries.",
"boundary_map_markdown": "- **OAuth / token boundary:** Gmail account connection, token storage, refresh, and disconnect lifecycle.\n- **Ingestion boundary:** raw Gmail API responses normalized into internal message/thread/attachment metadata.\n- **Job-linking boundary:** deferred to later milestones; M006 should not hardwire ingestion to a single job UI.\n- **AI boundary:** Phase 2 interfaces prepared only; no hard dependency introduced in foundation."
},
{
"id": "M007",
"title": "",
"status": "queued",
"depends_on": [],
"created_at": "2026-04-01T13:42:29.599Z",
"completed_at": null,
"vision": "Phase 2 of the feature sequence: convert the Gmail foundation into durable ingestion with manual sync, historical backfill, stable deduplication, and stored attachment metadata.",
"success_criteria": [
"Manual Gmail sync works for a useful historical window and excludes spam/trash by default.",
"Imported emails are deduplicated by Gmail message id.",
"Stored records preserve message/thread metadata and attachment metadata needed by later milestones."
],
"key_risks": [
{
"risk": "Backfill and dedup can create noisy duplicates or partial state when the same Gmail messages appear through multiple queries.",
"whyItMatters": "Phase 1 trust depends on stable ingestion more than fancy matching."
},
{
"risk": "Attachment handling may overcomplicate ingestion too early.",
"whyItMatters": "Phase 1 needs metadata support, not a heavyweight document-processing rewrite."
}
],
"proof_strategy": [
{
"riskOrUnknown": "Can manual sync/backfill ingest useful history without duplicate churn?",
"retireIn": "M007/S01-S02",
"whatWillBeProven": "Message-id dedup and repeatable sync state survive reruns."
},
{
"riskOrUnknown": "Can attachment metadata be captured cheaply enough for Phase 1?",
"retireIn": "M007/S02",
"whatWillBeProven": "Attachment names/types/sizes are stored and surfaced without deep attachment parsing."
}
],
"verification_contract": "Focused backend tests for sync, dedup, and attachment metadata must pass.",
"verification_integration": "M006 foundation remains intact while sync/backfill and dedup are layered on.",
"verification_operational": "Sync runs produce visible counts and failure state.",
"verification_uat": "A manual sync/backfill can be run twice without duplicate churn.",
"definition_of_done": [
"Manual sync and historical backfill work against the shared ingestion seam.",
"Deduplication by Gmail message id is enforced and tested.",
"Attachment metadata is stored without breaking existing correspondence flows."
],
"requirement_coverage": "Advances R001, R002, R007, and R010 by making Gmail correspondence a durable imported history rather than one-off imports.",
"boundary_map_markdown": "- **Sync boundary:** manual sync/backfill orchestrates Gmail fetches into normalized storage.\n- **Dedup boundary:** Gmail message id is the canonical duplicate key; thread grouping is secondary.\n- **Attachment boundary:** store metadata now, defer heavy attachment content extraction until explicitly needed."
},
{
"id": "M008",
"title": "Smart Gmail Job Correspondence Integration — matching and routing",
"status": "pending",
"depends_on": [],
"created_at": "2026-04-01T13:45:43.577Z",
"completed_at": null,
"vision": "Phase 3 of the feature sequence: route Gmail correspondence across jobs with deterministic scoring, explicit confidence handling, and safe suggestion workflows.",
"success_criteria": [
"Deterministic matching scores Gmail correspondence across jobs using normalized recruiter/company/role/thread signals.",
"High-confidence matches auto-link, medium-confidence matches queue for review, and low-confidence items remain unmatched.",
"Job-related unmatched threads can become suggested new jobs without silently mutating tracked jobs."
],
"key_risks": [
{
"risk": "Cross-job matching can become opaque if scoring reasons are not durable.",
"whyItMatters": "The user must be able to trust why a thread auto-linked or entered review."
},
{
"risk": "Auto-linking can create false positives if normalization is weak.",
"whyItMatters": "Phase 1 value depends on confidence routing, not just broad import volume."
}
],
"proof_strategy": [
{
"riskOrUnknown": "Can deterministic scoring route matches safely without AI?",
"retireIn": "M008/S01-S02",
"whatWillBeProven": "High/medium/low confidence thresholds produce reviewable behavior with stored reasons."
},
{
"riskOrUnknown": "Can unmatched but job-related Gmail threads become useful suggestions?",
"retireIn": "M008/S03",
"whatWillBeProven": "Suggestion flow surfaces likely job threads without silently creating bad data."
}
],
"verification_contract": "Focused backend tests for scoring, routing, and suggestion logic must pass.",
"verification_integration": "Linked items must appear as correspondence on the correct job without status drift.",
"verification_operational": "Stored reasons and confidence must make routing diagnosable.",
"verification_uat": "A user can review medium-confidence matches and accept or reject them with clear reasons.",
"definition_of_done": [
"Confidence-based Gmail-to-job linking exists with explicit routing.",
"High-confidence matches auto-link and medium-confidence items queue for review.",
"Unmatched job-related threads can surface as suggestions without overriding core job status."
],
"requirement_coverage": "Advances R001, R002, R007, and R010 by linking Gmail correspondence across jobs with explicit confidence routing.",
"boundary_map_markdown": "- **Matching boundary:** deterministic rules and normalization score messages/threads against jobs.\n- **Routing boundary:** high/medium/low confidence routes must remain explicit and reviewable.\n- **Suggestion boundary:** unmatched job-related threads can become suggested new jobs without silently creating canonical jobs."
},
{
"id": "M009",
"title": "Smart Gmail Job Correspondence Integration — correspondence UX",
"status": "pending",
"depends_on": [],
"created_at": "2026-04-01T13:45:43.578Z",
"completed_at": null,
"vision": "Phase 4 of the feature sequence: make Gmail correspondence part of the daily workflow through a global inbox, per-job timelines, and manual review controls.",
"success_criteria": [
"A global correspondence inbox exists for linked, review, and unmatched Gmail items.",
"Per-job conversation timelines show Gmail-backed correspondence coherently.",
"Users can review, relink, unlink, add notes, and filter correspondence without hidden state changes."
],
"key_risks": [
{
"risk": "Inbox and review UX can become noisy if all confidence states are mixed together.",
"whyItMatters": "Phase 1 needs triage clarity, not just more screens."
},
{
"risk": "Relink/unlink can break trust if actions are irreversible or poorly explained.",
"whyItMatters": "Users need manual control over correspondence history."
}
],
"proof_strategy": [
{
"riskOrUnknown": "Can a global inbox stay useful rather than overwhelming?",
"retireIn": "M009/S01",
"whatWillBeProven": "Inbox grouping/filtering keeps review and unmatched flows manageable."
},
{
"riskOrUnknown": "Can per-job timelines and review actions remain coherent?",
"retireIn": "M009/S02-S03",
"whatWillBeProven": "Relink/unlink/notes/filter flows preserve correspondence history and user control."
}
],
"verification_contract": "Focused frontend and integration tests for inbox/timeline/review flows must pass.",
"verification_integration": "Global inbox and per-job views must stay consistent after review actions.",
"verification_operational": "Review decisions and sync freshness must be visible.",
"verification_uat": "A user can triage correspondence globally and inspect the same linked thread inside a job timeline.",
"definition_of_done": [
"A global correspondence inbox exists.",
"Per-job timeline and review flows are coherent and reversible.",
"Filters and notes make the correspondence surfaces practically useful."
],
"requirement_coverage": "Advances R005, R006, R007, and R010 by turning imported Gmail correspondence into a daily-use triage and timeline surface.",
"boundary_map_markdown": "- **Inbox boundary:** global correspondence inbox summarizes imported/linked/review items across jobs.\n- **Job timeline boundary:** per-job conversation timeline shows linked Gmail correspondence cleanly beside existing notes/imported messages.\n- **Review boundary:** relink/unlink/notes/filters remain manual and auditable."
},
{
"id": "M010",
"title": "Smart Gmail Job Correspondence Integration — Phase 2 preparation",
"status": "pending",
"depends_on": [],
"created_at": "2026-04-01T13:45:43.578Z",
"completed_at": null,
"vision": "Phase 5 of the feature sequence: prepare clean extension points and documentation for future LLM-assisted correspondence intelligence without overbuilding or making Phase 1 dependent on AI.",
"success_criteria": [
"Future semantic matching and extraction/classification seams are prepared in code without over-implementing AI behavior.",
"Phase 1 remains fully valuable when Ollama/AI is disabled.",
"Phase 2 documentation clearly describes safe additions for semantic matching, entity extraction, stage hints, interview extraction, and follow-up/reply suggestion generation."
],
"key_risks": [
{
"risk": "Phase 2 prep can overbuild abstractions before real needs stabilize.",
"whyItMatters": "Preparation should reduce risk, not add speculative complexity."
},
{
"risk": "Future AI enrichment could bypass deterministic evidence and reduce trust.",
"whyItMatters": "Phase 1 must remain valuable and understandable without AI."
}
],
"proof_strategy": [
{
"riskOrUnknown": "Can future AI seams be prepared without hard-coding premature behavior?",
"retireIn": "M010/S01",
"whatWillBeProven": "Interfaces/storage hooks exist without forcing live AI code into Phase 1."
},
{
"riskOrUnknown": "Will future contributors understand the intended semantic-matching roadmap?",
"retireIn": "M010/S02",
"whatWillBeProven": "Phase 2 docs clearly explain semantic matching, extraction, stage hints, and follow-up suggestion directions."
}
],
"verification_contract": "Focused tests ensure no Phase 1 behavior regresses when Phase 2 seams are present.",
"verification_integration": "Phase 2 seams do not change Phase 1 runtime behavior unless an implementation is explicitly wired in later.",
"verification_operational": "Docs and code make future enrichment attach evidence instead of silently mutating tracked state.",
"verification_uat": "No dedicated UAT beyond confirming Phase 1 behavior remains unchanged while docs/interfaces exist.",
"definition_of_done": [
"Phase 2 interfaces and data seams are documented and lightly scaffolded.",
"No Phase 1 feature depends on AI being enabled.",
"Future semantic matching/classification work has a safe extension path."
],
"requirement_coverage": "Prepares deferred correspondence/AI requirements while preserving Phase 1 independence and the manual-control constraints R008/R015.",
"boundary_map_markdown": "- **LLM seam boundary:** future semantic disambiguation lives behind explicit interfaces/services.\n- **Extraction boundary:** future AI-derived hints attach to stored correspondence/match evidence instead of replacing deterministic truth.\n- **Suggestion boundary:** future drafting/classification remains optional and non-autonomous."
},
{
"id": "M011",
"title": "Platform hardening across frontend, API, AI service, and Ollama",
"status": "complete",
"depends_on": [],
"created_at": "2026-04-10T16:32:03.760Z",
"completed_at": "2026-04-10T23:25:36.520Z",
"vision": "Retire the highest-risk security, reliability, UX, and operability gaps across the full stack without losing the existing product surface. The outcome should be a safer frontend platform, stronger auth/session handling, clearer degraded-state behavior, a slimmer and more maintainable API startup path, and an AI/Ollama integration that is observable, bounded, and explicit about its capabilities.",
"success_criteria": [
"The application has a materially safer security posture across frontend, API, and AI integrations.",
"Core user workflows remain functional while degraded states become explicit and actionable.",
"Startup, auth, and AI runtime behavior are easier to operate, test, and debug.",
"The platform is positioned for continued feature work without carrying todays highest-risk technical debt."
],
"key_risks": [
{
"risk": "Frontend build modernization can break existing CRA-based tests and deployment assumptions.",
"whyItMatters": "Security remediation is tied to outdated build tooling, so the migration path has to preserve behavior while reducing risk."
},
{
"risk": "Auth migration from localStorage/sessionStorage to cookies can break login, Gmail, and admin flows if done piecemeal.",
"whyItMatters": "Session changes affect every protected route and must be rolled out with clear compatibility and verification coverage."
},
{
"risk": "`Program.cs` refactoring may destabilize startup, migrations, or local/dev bootstrap behavior.",
"whyItMatters": "The current app concentrates operational logic in startup; untangling it safely requires preserving current environment behavior."
},
{
"risk": "AI service changes can reduce perceived product quality if fallback behavior becomes slower or less capable.",
"whyItMatters": "The app now relies on OCR, summarization, and Ollama-assisted enrichment in key package-generation flows."
}
],
"proof_strategy": [
{
"riskOrUnknown": "Whether the frontend can reduce current dependency/security debt without breaking builds",
"retireIn": "S01",
"whatWillBeProven": "A passing frontend build/test path on the new dependency baseline, plus a reduced audit report."
},
{
"riskOrUnknown": "Whether secure session storage can replace browser-stored bearer tokens without breaking user flows",
"retireIn": "S02",
"whatWillBeProven": "Login/logout/profile/admin flows operating on cookie-based auth with explicit CSRF/session behavior."
},
{
"riskOrUnknown": "Whether degraded backend/API states can be made obvious without harming normal UX",
"retireIn": "S03",
"whatWillBeProven": "Browser-level evidence showing clear empty/error/offline distinctions and centralized client data handling."
},
{
"riskOrUnknown": "Whether backend hardening can land without regressions to startup, file handling, and admin functions",
"retireIn": "S04-S05",
"whatWillBeProven": "Passing API tests, startup validation, and explicit security/operability checks for headers, throttling, and uploads."
},
{
"riskOrUnknown": "Whether the AI/Ollama stack can be simplified and made predictable without losing required capabilities",
"retireIn": "S06",
"whatWillBeProven": "Measured AI-service contracts, documented fallback modes, and verified admin/runtime visibility of capability status."
}
],
"verification_contract": "Each slice must produce concrete verification at the layer it changes: frontend build/tests/browser assertions, API diagnostics/tests, startup/runtime checks, dependency audit deltas, and AI-service health/behavior evidence.",
"verification_integration": "Cross-slice verification must include browser-backed checks of login/session behavior, degraded API handling, admin/system telemetry, and at least one AI-assisted workflow path.",
"verification_operational": "Operational verification must prove startup safety, header/rate-limit posture, session/auth stability, and AI capability reporting in the admin/system surface.",
"verification_uat": "UAT focuses on the user-visible outcomes: clear auth behavior, no misleading empty states during outages, stable job/workspace flows, and understandable AI capability/degraded-state feedback.",
"definition_of_done": [
"Frontend dependency risk materially reduced, with the critical direct vulnerability removed and build tooling direction settled.",
"Authentication/session handling no longer depends on browser-stored bearer tokens for the primary local auth path.",
"The UI distinguishes empty data from backend/API failure and presents actionable degraded-state guidance.",
"API startup/bootstrap responsibilities are separated enough to be testable and safer to deploy.",
"Core security controls are in place: rate limiting, stricter headers, production-safe CORS posture, and safer logging/file handling.",
"AI/Ollama behavior is contractually clear, observable, and degraded modes are explicit in both runtime metrics and UI."
],
"requirement_coverage": "Advances security, reliability, operability, and UX quality requirements across the whole stack: frontend shell, API, Gmail integrations, admin tools, AI service, and Ollama-backed features.",
"boundary_map_markdown": "- **Frontend shell (`job-tracker-ui/`)** owns navigation, auth UX, degraded states, data fetching, and admin surfaces.\n- **API (`JobTrackerApi/`, `Data/`, `Models/`)** owns auth/session issuance, authorization, rate limiting, startup/bootstrap, file handling, Gmail integration, and system telemetry.\n- **AI service (`tools/summarizer/`)** owns OCR, summarization, CV normalization/classification, and Ollama reachability contracts.\n- **Infrastructure (`docker-compose.yml`, Dockerfiles, nginx.conf`)** owns proxy/security headers, service topology, and deployment/runtime defaults.\n- **Cross-cutting concerns**: security posture, observability, performance budgets, and failure-mode UX must be verified slice-by-slice end to end."
}
],
"slices": [
{
"milestone_id": "M001",
"id": "S01",
"title": "Smarter Gmail import and matching",
"status": "complete",
"risk": "high",
"depends": [],
"demo": "",
"created_at": "2026-03-28T22:02:57.776Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Finish S01 by turning the existing job-aware Gmail import flow into a live linked-thread continuity loop for one job workspace.",
"success_criteria": "",
"proof_level": "",
"integration_closure": "",
"observability_impact": "",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M001",
"id": "S02",
"title": "Stronger AI application package drafting",
"status": "complete",
"risk": "high",
"depends": [
"S01"
],
"demo": "",
"created_at": "2026-03-28T22:02:57.777Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Make the application package generator use imported job/correspondence context well enough that tailored CV, cover-letter, and recruiter-message drafts feel specific, credible, and worth starting from inside the job workspace.",
"success_criteria": "",
"proof_level": "",
"integration_closure": "",
"observability_impact": "",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M001",
"id": "S03",
"title": "Reply and follow-up drafting from real thread context",
"status": "complete",
"risk": "medium",
"depends": [
"S01",
"S02"
],
"demo": "",
"created_at": "2026-03-28T22:02:57.777Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Make follow-up drafting use imported correspondence and saved application material well enough that the job workspace can produce specific, trustworthy follow-up and reply drafts without crossing the manual-send boundary.",
"success_criteria": "",
"proof_level": "",
"integration_closure": "",
"observability_impact": "",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M001",
"id": "S04",
"title": "Daily control loop surfaces",
"status": "complete",
"risk": "medium",
"depends": [
"S01",
"S03"
],
"demo": "",
"created_at": "2026-03-28T22:02:57.777Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Make the job table, reminders view, and dashboard behave like one daily control loop so the user can scan what needs attention and jump directly into the right job workspace state.",
"success_criteria": "",
"proof_level": "",
"integration_closure": "",
"observability_impact": "",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M001",
"id": "S05",
"title": "End-to-end trust and workflow polish",
"status": "complete",
"risk": "low",
"depends": [
"S01",
"S02",
"S03",
"S04"
],
"demo": "",
"created_at": "2026-03-28T22:02:57.778Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Prove the full daily-use loop as one trustworthy workflow by tightening shared next-action/readiness signals, then validating overview → workspace → package → Gmail continuity → follow-up behavior without weakening the manual-send boundary.",
"success_criteria": "",
"proof_level": "",
"integration_closure": "",
"observability_impact": "",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M001",
"id": "S06",
"title": "Live environment stabilization and integrated acceptance rerun",
"status": "complete",
"risk": "high",
"depends": [
"S05"
],
"demo": "",
"created_at": "2026-03-28T22:02:57.778Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Live environment is repeatably startable and preflighted, seeded with acceptance-ready data, and the integrated daily loop is re-verified with a recorded artifact proving the manual-send boundary and individual-first workflow.",
"success_criteria": "",
"proof_level": "",
"integration_closure": "",
"observability_impact": "",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M001",
"id": "S07",
"title": "Daily-loop UAT artifact closure",
"status": "complete",
"risk": "medium",
"depends": [
"S06"
],
"demo": "",
"created_at": "2026-03-28T22:02:57.778Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Publish the executed daily-loop UAT closure artifact proving one seeded job stays coherent across /jobs, the job workspace, /reminders, and /dashboard using the existing S06 acceptance runner.",
"success_criteria": "",
"proof_level": "",
"integration_closure": "",
"observability_impact": "",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M005",
"id": "S01",
"title": "Canonical CV data model and artifact pipeline",
"status": "pending",
"risk": "high",
"depends": [],
"demo": "After this slice, a CV upload persists original artifact + extraction run metadata + canonical structured profile shell, and the system can reprocess against stored source data instead of requiring a re-upload.",
"created_at": "2026-03-28T22:04:42.691Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Introduce the persistence and API foundations for artifact-preserving multi-pass CV extraction.",
"success_criteria": "- Upload pipeline stores original file metadata, extracted text, normalized text, extractor version, and run status.\n- Canonical structured CV model can store field-level confidence/provenance without breaking current profile flows.\n- Reprocess endpoint/command can re-run extraction from stored artifacts.\n- Existing profile CV upload/parse flows remain backward-compatible.",
"proof_level": "Foundational schema/API proof with focused backend tests and no-regression verification on current profile flows.",
"integration_closure": "The new canonical model coexists with existing ProfileCvText/ProfileCvStructureJson while introducing extraction-run persistence and future migration seams.",
"observability_impact": "Adds explicit extraction-run status, version, and failure surfaces for debugging document ingestion.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M005",
"id": "S02",
"title": "Multi-pass extraction and review UX",
"status": "pending",
"risk": "high",
"depends": [
"S01"
],
"demo": "After this slice, uploading a noisy PDF populates the structured CV editor with confidence/provenance markers, reviewable fields, and a reprocess action instead of mostly falling into General.",
"created_at": "2026-03-28T22:04:42.691Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Implement the smarter universal extractor and the user review loop around uncertain fields.",
"success_criteria": "- Pass A/B/C/D extraction pipeline is implemented with generic heuristics, layout grouping inputs where available, LLM normalization, and validation/repair.\n- Structured editor surfaces confidence/provenance and visually flags uncertain fields.\n- User can accept/edit fields and save the canonical profile.\n- Reprocessing produces a new extraction run without destroying accepted canonical data until the user chooses to apply it.",
"proof_level": "Backend/frontend extraction proof with OCR-like regression fixtures plus structured-editor review tests.",
"integration_closure": "The profile page consumes canonical extraction runs cleanly and no longer depends on raw text-only section blobs for structured editing.",
"observability_impact": "Adds per-field extraction method/confidence and review-state visibility.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M005",
"id": "S03",
"title": "Tailored CV draft layer",
"status": "pending",
"risk": "medium",
"depends": [
"S02"
],
"demo": "After this slice, a job can have its own editable tailored CV draft generated from the canonical profile without mutating the master CV or raw source text.",
"created_at": "2026-03-28T22:04:42.691Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Create the per-job tailored CV draft model and generation/edit/save flow.",
"success_criteria": "- Tailored CV drafts persist separately from master profile and existing raw CV text.\n- Generation uses canonical structured profile first, with raw-text fallback where needed.\n- Users can edit and save tailored drafts per job.\n- Existing application-package flows integrate or coexist cleanly with the new draft layer.",
"proof_level": "Job-scoped generation proof with backend draft tests and workspace UI save/regeneration coverage.",
"integration_closure": "The job workspace gains a stable tailored CV draft layer that can later feed export without regressing existing drafting features.",
"observability_impact": "Adds explicit draft generation/source-version metadata and regeneration failure surfaces.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M005",
"id": "S04",
"title": "Template preview and first PDF export",
"status": "pending",
"risk": "medium",
"depends": [
"S03"
],
"demo": "After this slice, the user can choose an ATS Minimal template, preview the tailored CV exactly as rendered, and download a matching PDF.",
"created_at": "2026-03-28T22:04:42.691Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Ship the first deterministic HTML/CSS renderer with preview and PDF download.",
"success_criteria": "- One HTML/CSS template renders tailored draft data deterministically.\n- Preview and PDF use the same renderer/path.\n- User can explicitly download a generated PDF.\n- PDF export failures show actionable error states.\n- Export remains manual and individual-first.",
"proof_level": "End-to-end render/export proof with renderer tests and browser/UAT evidence that preview matches the downloaded PDF path.",
"integration_closure": "The job workspace can hand off tailored draft data into preview/export without mutating canonical profile or outbound communication flows.",
"observability_impact": "Adds render/export job status and error detail surfaces.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M005",
"id": "S05",
"title": "Template library and layout controls",
"status": "pending",
"risk": "medium",
"depends": [
"S04"
],
"demo": "After this slice, the user can switch among ATS Minimal, Modern Professional, and Compact Technical templates and control photo visibility, page length, accent color, section order, and bullet density before export.",
"created_at": "2026-03-28T22:04:42.691Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Expand export flexibility while keeping rendering deterministic and draft-driven.",
"success_criteria": "- Three initial templates are supported.\n- Layout controls are persisted on the tailored draft/render-options layer.\n- Users can preview template/control changes before export.\n- Section ordering and density controls do not corrupt the canonical profile.\n- UAT proves the full upload → review → tailor → preview → export loop.",
"proof_level": "Product-level proof with multi-template rendering verification and end-to-end UAT.",
"integration_closure": "The export system scales beyond one hardcoded template while preserving the same draft model and preview/export contract.",
"observability_impact": "Adds template/render-option visibility to preview/export diagnostics.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M006",
"id": "S01",
"title": "Gmail account and sync foundation",
"status": "pending",
"risk": "high",
"depends": [],
"demo": "After this slice, Gmail connection/sync state is explicit and durable instead of being hidden inside the current correspondence tab.",
"created_at": "2026-04-01T13:42:13.489Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Harden Gmail account connection, token lifecycle, and visible sync-state tracking for one local user.",
"success_criteria": "Connection/disconnect/status flows are explicit, durable, and covered by focused tests.",
"proof_level": "Focused backend + frontend proof.",
"integration_closure": "Existing correspondence Gmail connect/import entry points still work against the refactored foundation.",
"observability_impact": "Add durable Gmail sync/connection state surfaces and actionable error reporting.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M006",
"id": "S02",
"title": "Normalized Gmail ingestion contract",
"status": "pending",
"risk": "high",
"depends": [
"S01"
],
"demo": "After this slice, Gmail messages/threads/labels/attachment metadata have an explicit shared contract rather than ad-hoc per-job import details.",
"created_at": "2026-04-01T13:42:13.489Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Introduce normalized Gmail ingestion/storage models and services that later milestones can reuse for cross-job workflows.",
"success_criteria": "A shared ingestion contract exists and is covered by focused tests without breaking current message/thread import behavior.",
"proof_level": "Backend contract proof.",
"integration_closure": "Current GmailController import/refresh behavior is preserved on top of the new service/model seam.",
"observability_impact": "Expose ingestion counts, dedup signals, and failure reasons.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M006",
"id": "S03",
"title": "Phase 2 extension seam",
"status": "pending",
"risk": "medium",
"depends": [
"S01",
"S02"
],
"demo": "After this slice, the codebase has explicit interfaces for future AI-assisted matching/classification without any forced AI dependency in Phase 1 foundation.",
"created_at": "2026-04-01T13:42:13.489Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Define low-risk extension points for future semantic matching, extraction, and stage hinting.",
"success_criteria": "Phase 2 interfaces and docs exist, and the foundation remains fully useful with deterministic-only logic.",
"proof_level": "Code + docs proof.",
"integration_closure": "No current user-facing behavior depends on the future AI seam.",
"observability_impact": "Document and surface where future enrichment reasons/confidence can attach.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M007",
"id": "S01",
"title": "Manual sync and backfill",
"status": "pending",
"risk": "high",
"depends": [],
"demo": "After this slice, a user can manually sync Gmail history into the normalized store with a bounded backfill window.",
"created_at": "2026-04-01T13:45:43.577Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Implement manual sync orchestration and backfill window handling.",
"success_criteria": "Manual sync/backfill runs and records counts plus sync state.",
"proof_level": "Backend integration proof.",
"integration_closure": "Uses the M006 foundation without changing matching semantics yet.",
"observability_impact": "Expose sync start/end state, counts, and last-success timestamps.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M007",
"id": "S02",
"title": "Deduplication and attachment metadata",
"status": "pending",
"risk": "high",
"depends": [
"S01"
],
"demo": "After this slice, rerunning sync does not create duplicates and attachment metadata is visible for imported Gmail messages.",
"created_at": "2026-04-01T13:45:43.577Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Enforce message-id deduplication and store attachment metadata.",
"success_criteria": "Dedup and attachment metadata are covered by tests and visible in the data contract.",
"proof_level": "Backend + focused UI proof.",
"integration_closure": "Imported Gmail messages can be safely re-seen across reruns and query overlap.",
"observability_impact": "Add duplicate-skipped counts and attachment metadata surfaces.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M008",
"id": "S01",
"title": "Deterministic matching engine",
"status": "pending",
"risk": "high",
"depends": [],
"demo": "After this slice, imported Gmail messages/threads can be scored against all relevant jobs with durable reasons.",
"created_at": "2026-04-01T13:45:43.577Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Build deterministic cross-job scoring and normalization for Gmail-to-job matching.",
"success_criteria": "Scoring and normalization are deterministic, explainable, and tested.",
"proof_level": "Backend logic proof.",
"integration_closure": "Consumes M006/M007 seams without introducing AI dependency.",
"observability_impact": "Persist reasons, confidence, and normalization hits for every routing decision.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M008",
"id": "S02",
"title": "Confidence routing and review queue",
"status": "pending",
"risk": "high",
"depends": [
"S01"
],
"demo": "After this slice, high-confidence matches auto-link and medium-confidence items enter an explicit review queue.",
"created_at": "2026-04-01T13:45:43.577Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Implement confidence routing and reviewable linking outcomes.",
"success_criteria": "High/medium/low routing is visible, tested, and reversible.",
"proof_level": "Backend + focused UI proof.",
"integration_closure": "Linked correspondence lands in the right job without overriding primary job state.",
"observability_impact": "Expose auto-linked, queued, and unmatched counts plus reasons.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M008",
"id": "S03",
"title": "Suggested new jobs from unmatched threads",
"status": "pending",
"risk": "medium",
"depends": [
"S01",
"S02"
],
"demo": "After this slice, unmatched job-like Gmail threads appear as suggested new jobs instead of being dropped.",
"created_at": "2026-04-01T13:45:43.577Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Create a suggestion flow for unmatched job-related threads.",
"success_criteria": "Unmatched job-related Gmail threads can be reviewed as job suggestions.",
"proof_level": "Workflow proof.",
"integration_closure": "Suggestions remain separate from canonical jobs until user action.",
"observability_impact": "Track suggestion reasons and conversion decisions.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M009",
"id": "S01",
"title": "Global correspondence inbox",
"status": "pending",
"risk": "high",
"depends": [],
"demo": "After this slice, a user can triage correspondence globally instead of only inside one job dialog.",
"created_at": "2026-04-01T13:45:43.578Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Build the global correspondence inbox with confidence-aware filtering.",
"success_criteria": "Global inbox exists with useful filters for linked/review/unmatched correspondence.",
"proof_level": "Frontend workflow proof.",
"integration_closure": "Consumes linked/review/suggestion states from prior milestones.",
"observability_impact": "Expose inbox counts by state and sync freshness.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M009",
"id": "S02",
"title": "Per-job conversation timeline",
"status": "pending",
"risk": "medium",
"depends": [
"S01"
],
"demo": "After this slice, each job shows a cleaner Gmail-backed conversation timeline rather than isolated imported items.",
"created_at": "2026-04-01T13:45:43.578Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Enhance per-job timeline with Gmail thread continuity and linking context.",
"success_criteria": "Per-job correspondence timeline cleanly reflects linked Gmail history.",
"proof_level": "Integration proof.",
"integration_closure": "Per-job correspondence remains the detailed workspace for one job.",
"observability_impact": "Show thread/group metadata and link state in the timeline.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M009",
"id": "S03",
"title": "Review flow and manual controls",
"status": "pending",
"risk": "medium",
"depends": [
"S01",
"S02"
],
"demo": "After this slice, users can review, relink, unlink, and annotate correspondence with confidence.",
"created_at": "2026-04-01T13:45:43.578Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Implement review actions, notes, and practical correspondence filters.",
"success_criteria": "Review flow is reversible, filterable, and covered by focused tests.",
"proof_level": "User workflow proof.",
"integration_closure": "Manual review actions update inbox and per-job views consistently.",
"observability_impact": "Track review decisions and relink/unlink actions.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M010",
"id": "S01",
"title": "LLM-assisted extension interfaces",
"status": "pending",
"risk": "medium",
"depends": [],
"demo": "After this slice, the codebase has explicit interfaces for future semantic matching and extraction enrichment.",
"created_at": "2026-04-01T13:45:43.578Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Scaffold low-risk Phase 2 extension points in code and storage models.",
"success_criteria": "Future semantic matching/extraction interfaces exist without adding live Phase 2 dependency.",
"proof_level": "Code seam proof.",
"integration_closure": "Phase 1 runs exactly as before when no AI enrichment implementation is registered.",
"observability_impact": "Future enrichment reasons/confidence can be attached alongside deterministic evidence.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M010",
"id": "S02",
"title": "Phase 2 design documentation",
"status": "pending",
"risk": "low",
"depends": [
"S01"
],
"demo": "After this slice, contributors can continue with Phase 2 from docs instead of rediscovery.",
"created_at": "2026-04-01T13:45:43.578Z",
"completed_at": null,
"full_summary_md": "",
"full_uat_md": "",
"goal": "Document Phase 2 design for semantic matching, extraction, stage/status hints, interview extraction, and drafting suggestions.",
"success_criteria": "Phase 2 roadmap/docs exist and clearly separate safe future AI work from Phase 1 behavior.",
"proof_level": "Documentation proof.",
"integration_closure": "Documentation maps future AI features onto the Phase 1 data and service seams.",
"observability_impact": "Docs define how future enrichment reasons/confidence should be stored and surfaced.",
"sequence": 0,
"replan_triggered_at": null
},
{
"milestone_id": "M011",
"id": "S01",
"title": "S01",
"status": "complete",
"risk": "high",
"depends": [],
"demo": "The frontend builds on a safer dependency baseline, the critical audit issue is retired, and the deployment/build path is documented and reproducible.",
"created_at": "2026-04-10T16:33:49.541Z",
"completed_at": "2026-04-10T16:47:38.386Z",
"full_summary_md": "---\nid: S01\nparent: M011\nmilestone: M011\nprovides:\n - A stable frontend baseline for S02 auth/session hardening\n - A documented proof point that the remaining frontend audit debt is primarily CRA/react-scripts transitive debt\n - A container-compatible frontend lockfile and build path\nrequires:\n []\naffects:\n - S02\n - S03\nkey_files:\n - job-tracker-ui/package.json\n - job-tracker-ui/package-lock.json\nkey_decisions:\n - D019 — remediate the direct critical frontend dependency immediately, keep the CRA baseline stable for the next slice, and defer broader build-tool migration work.\npatterns_established:\n - When frontend Docker uses a different Node/npm major version than the workstation, regenerate lockfiles with the container toolchain before trusting `npm ci` reproducibility.\n - Treat root-owned generated frontend build artifacts as environment contamination; clean them before drawing conclusions from local build failures.\n - Use the smallest safe dependency remediation first when the audit shows a single direct critical issue and the rest of the debt is trapped behind legacy build tooling.\nobservability_surfaces:\n - Frontend dependency audit before/after evidence\n - Reproducible local build verification\n - Reproducible container `npm ci` verification\n - Successful `docker compose build frontend` evidence\ndrill_down_paths:\n - .gsd/milestones/M011/slices/S01/tasks/T01-SUMMARY.md\n - .gsd/milestones/M011/slices/S01/tasks/T02-SUMMARY.md\n - .gsd/milestones/M011/slices/S01/tasks/T03-SUMMARY.md\nduration: \"\"\nverification_result: passed\ncompleted_at: 2026-04-10T16:47:38.387Z\nblocker_discovered: false\n---\n\n# S01: Frontend dependency and build modernization baseline\n\n**Retired the direct critical frontend dependency issue and restored a reproducible frontend build baseline for local and Docker workflows.**\n\n## What Happened\n\nThis slice established the real frontend dependency/build baseline, retired the direct critical audit finding, and restored a reproducible build path for both the local workstation and the frontend Docker image. The direct `axios` dependency was upgraded from `^1.13.6` to `^1.15.0`, which removed the only critical finding reported by the frontend audit. During verification, the frontend build initially failed because the checked-out `job-tracker-ui/build/static` directory contained root-owned artifacts from an earlier containerized build. I repaired that workspace contamination and then found a second environment issue: the lockfile generated under the local Node 25/npm 11 toolchain was not accepted by the Node 20/npm 10 toolchain used in the frontend Dockerfile. Regenerating the lockfile with the container toolchain restored `npm ci` and `docker compose build frontend` reproducibility. The resulting baseline is stable enough to support S02 auth/session work without compounding change risk. The remaining frontend audit debt is now clearly attributable to the older CRA/react-scripts build chain rather than a direct high-risk application dependency.\n\n## Verification\n\nVerified by rerunning the frontend audit, local build, container `npm ci`, and Docker image build after upgrading axios and regenerating the lockfile with the Node 20/npm 10 container toolchain. The full frontend test suite was also run to measure regression risk; 16 suites passed and 2 pre-existing workflow/package suites remain for follow-up.\n\n## Requirements Advanced\n\n- Frontend platform hardening baseline established and direct dependency risk reduced. — \n\n## Requirements Validated\n\nNone.\n\n## New Requirements Surfaced\n\n- Need a durable policy for lockfile generation when local and container npm versions differ.\n- Need targeted follow-up for pre-existing workflow/package UI test drift.\n\n## Requirements Invalidated or Re-scoped\n\nNone.\n\n## Deviations\n\nThe slice completed with a smaller code change than originally estimated because the immediate critical risk was isolated to a direct dependency upgrade. The main unexpected work was build-environment repair: root-owned frontend build artifacts and an npm-version-specific lockfile mismatch between the workstation and the Docker image.\n\n## Known Limitations\n\nThis slice did not remove the remaining transitive audit findings tied to `react-scripts`; it established a stable baseline and retired the direct critical issue. Full frontend audit cleanup still depends on follow-on platform migration work.\n\n## Follow-ups\n\nA broader frontend build-tool migration is still needed to retire the remaining CRA/react-scripts transitive audit debt. Two existing frontend workflow/package test suites also need targeted follow-up: `src/daily-control-loop.test.tsx` and `src/end-to-end-trust-loop.test.tsx`.\n\n## Files Created/Modified\n\n- `job-tracker-ui/package.json` — Upgraded the direct axios dependency to remove the critical frontend audit finding.\n- `job-tracker-ui/package-lock.json` — Refreshed and normalized the frontend lockfile so local install, container `npm ci`, and Docker image builds agree on the dependency graph.\n",
"full_uat_md": "# S01: Frontend dependency and build modernization baseline — UAT\n\n**Milestone:** M011\n**Written:** 2026-04-10T16:47:38.388Z\n\n# UAT\n\n## Scenario: frontend dependency hardening baseline\n1. Run `cd job-tracker-ui && npm audit --audit-level=moderate --json`.\n2. Confirm the report no longer contains a critical direct finding for `axios`.\n3. Run `cd job-tracker-ui && npm run build` and confirm the production build completes.\n4. Run `docker run --rm -v /home/pi/development/JobTracker/job-tracker-ui:/app -w /app node:20-alpine sh -lc 'npm ci --foreground-scripts=false'` and confirm the container toolchain accepts the lockfile.\n5. Run `cd /home/pi/development/JobTracker && docker compose build frontend` and confirm the frontend image builds successfully.\n\n## Expected result\n- The critical direct dependency issue is gone.\n- The frontend builds successfully both locally and in Docker.\n- Remaining audit debt is limited to transitive CRA/react-scripts tooling issues, not an unresolved direct critical dependency.\n",
"goal": "Reduce immediate frontend dependency and build-chain risk, retire the critical direct vulnerability, and establish a verified path for frontend build modernization without breaking current behavior.",
"success_criteria": "- The direct critical frontend dependency finding is removed.\n- The frontend build path is verified on the remediated dependency set.\n- The project has a concrete, tested build-tool direction: either a stabilized CRA baseline with risk retired or an implemented migration foundation with parity evidence.\n- The resulting frontend baseline is good enough to support S02 auth changes without compounding build uncertainty.",
"proof_level": "Code + dependency audit + build/test evidence",
"integration_closure": "The frontend still builds and runs against the existing API contract after dependency remediation, and the chosen build direction is documented by working code and verification evidence rather than notes alone.",
"observability_impact": "Adds dependency-audit evidence and build/test verification outputs so later slices can rely on a known frontend baseline.",
"sequence": 1,
"replan_triggered_at": null
},
{
"milestone_id": "M011",
"id": "S02",
"title": "S02",
"status": "complete",
"risk": "high",
"depends": [],
"demo": "Users authenticate without browser-stored bearer tokens, protected routes still work, and admin/Gmail-sensitive paths remain accessible under the new session model.",
"created_at": "2026-04-10T16:33:49.541Z",
"completed_at": "2026-04-10T19:58:17.355Z",
"full_summary_md": "---\nid: S02\nparent: M011\nmilestone: M011\nprovides:\n - A safer session baseline for S03 degraded-state UX work.\n - A cookie/CSRF contract that downstream admin and Gmail flows can build on without reintroducing browser token storage.\nrequires:\n - slice: S01\n provides: stabilized frontend baseline for safe auth-layer changes.\naffects:\n - S03\nkey_files:\n - JobTrackerApi/Controllers/AuthController.cs\n - JobTrackerApi/Program.cs\n - JobTrackerApi/Services/AuthSessionOptions.cs\n - JobTrackerApi/Controllers/UsersController.cs\n - JobTrackerApi/appsettings.Development.json\n - job-tracker-ui/src/auth.ts\n - job-tracker-ui/src/api.ts\n - job-tracker-ui/src/App.tsx\n - job-tracker-ui/src/pages/LoginPage.tsx\n - job-tracker-ui/src/pages/ProfilePage.tsx\n - job-tracker-ui/src/components/GoogleAuthCard.tsx\n - job-tracker-ui/src/components/AuthStatusCard.tsx\n - job-tracker-ui/src/components/UserManagementCard.tsx\n - job-tracker-ui/src/themePrefs.ts\n - job-tracker-ui/src/login-page.test.tsx\n - JobTrackerApi.Tests/AuthAndSystemControllerTests.cs\nkey_decisions:\n - Adopt HttpOnly cookie-backed local app sessions with a separate CSRF cookie/header contract.\n - Treat `/auth/me` plus `auth-changed` as the frontend session truth source instead of localStorage/sessionStorage JWT reads.\n - Apply IP-partitioned rate limiting to login and auth-triggered email/reset paths.\npatterns_established:\n - Use server-issued cookies plus `/auth/me` for session truth instead of browser-stored access tokens.\n - Keep lightweight user-scoped client preferences separate from auth transport state.\n - Treat auth-sensitive email/reset paths as abuse-controlled surfaces, not ordinary API calls.\nobservability_surfaces:\n - Explicit CSRF cookie/header contract via `/api/auth/csrf`.\n - Cleaner frontend unauthorized/session-expired handling through `/auth/me` resolution and 401 cleanup.\n - Rate-limit rejection surface for login and auth-email endpoints.\ndrill_down_paths:\n - .gsd/milestones/M011/slices/S02/tasks/T01-SUMMARY.md\n - .gsd/milestones/M011/slices/S02/tasks/T02-SUMMARY.md\n - .gsd/milestones/M011/slices/S02/tasks/T03-SUMMARY.md\nduration: \"\"\nverification_result: passed\ncompleted_at: 2026-04-10T19:58:17.358Z\nblocker_discovered: false\n---\n\n# S02: Authentication and session hardening\n\n**Moved local auth to cookie-backed sessions, added CSRF and rate limiting, and verified protected-route behavior under the new model.**\n\n## What Happened\n\nThis slice replaced the apps primary browser-stored bearer-token model with a cookie-backed local session contract and then hardened the sensitive auth edges around that change. T01 mapped every token assumption across frontend and API and established the target session model. T02 implemented the transport: the API now writes the local app JWT into secure cookies, exposes CSRF/logout endpoints, reads the local session from cookies, and the frontend now uses credentialed requests, `/auth/me`-based route resolution, client-side auth metadata only, and updated login/profile/admin/Google auth surfaces that no longer depend on localStorage/sessionStorage bearer tokens. T03 added abuse controls with IP-partitioned rate limiting for login and auth-email paths, updated tests to the new contract, and verified the core unauthenticated/protected-route behavior against a live frontend/API pair. During runtime verification I hit a misleading SQLite startup failure first; the root cause was launching the API outside the Development environment, which pointed it at an empty database. Restarting with `ASPNETCORE_ENVIRONMENT=Development` restored the expected local behavior, and I also added `http://localhost:3001` to development CORS to support live cookie-based verification from the local CRA server.\n\n## Verification\n\nVerified with focused API auth tests (`dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter FullyQualifiedName~Auth`), focused frontend auth tests (`cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/login-page.test.tsx src/profile-page.test.tsx`), frontend production build (`cd job-tracker-ui && npm run build`), direct HTTP checks for `GET /api/auth/csrf` and `GET /api/auth/me`, and a browser pass confirming unauthenticated `/jobs` redirects to `/login` without failed requests in the observed flow.\n\n## Requirements Advanced\n\nNone.\n\n## Requirements Validated\n\nNone.\n\n## New Requirements Surfaced\n\nNone.\n\n## Requirements Invalidated or Re-scoped\n\nNone.\n\n## Deviations\n\nBrowser-backed verification covered protected-route redirect and unauthenticated session behavior, but not a successful live login/logout round-trip because the existing local development database does not accept the placeholder admin password from `JobTrackerApi/appsettings.Development.json`.\n\n## Known Limitations\n\nA successful live browser login/logout pass was not completed in this environment because the seeded local admin account does not accept the placeholder development password. Google/Gmail-linked auth flows were preserved in code but not fully exercised end-to-end in the browser during this slice.\n\n## Follow-ups\n\nS03 should harden degraded-state UX on top of this new session model, especially explicit API-down vs empty-state handling and any remaining Google/Gmail compatibility checks that need a trusted local authenticated fixture.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Controllers/AuthController.cs` — Issued cookie-backed auth sessions, CSRF cookies, logout endpoint, and updated auth contracts.\n- `JobTrackerApi/Program.cs` — Read local JWTs from cookies, enforced CSRF on mutating session requests, and added auth rate limiting.\n- `JobTrackerApi/Services/AuthSessionOptions.cs` — Centralized auth cookie/header names and cookie option helpers.\n- `job-tracker-ui/src/auth.ts` — Switched frontend request/auth helpers to credentialed requests and client metadata only.\n- `job-tracker-ui/src/api.ts` — Configured axios for cookie-backed sessions, CSRF headers, and 401 cleanup.\n- `job-tracker-ui/src/App.tsx` — Moved route protection to resolved `/auth/me` session state.\n- `job-tracker-ui/src/pages/LoginPage.tsx` — Removed token-storage assumptions from login, profile, status, Google auth, admin user management, and theme scoping.\n",
"full_uat_md": "# S02: Authentication and session hardening — UAT\n\n**Milestone:** M011\n**Written:** 2026-04-10T19:58:17.359Z\n\n# UAT — S02 Authentication and session hardening\n\n## What was exercised\n\n1. Start the API with `ASPNETCORE_ENVIRONMENT=Development ASPNETCORE_URLS=http://localhost:5202 dotnet run --project JobTrackerApi/JobTrackerApi.csproj`.\n2. Start the frontend with `cd job-tracker-ui && PORT=3001 BROWSER=none npm start`.\n3. Navigate to `http://localhost:3001/jobs` without an authenticated session.\n4. Confirm the app redirects to `/login` and shows the sign-in UI instead of rendering a protected route.\n5. Confirm the observed browser pass does not show failed requests for the redirect flow.\n6. Request `GET http://localhost:5202/api/auth/csrf` and confirm the response returns `204 No Content` with an `XSRF-TOKEN` cookie.\n7. Request `GET http://localhost:5202/api/auth/me` without a session and confirm it returns `401 Unauthorized`.\n\n## Result\n\n- Protected-route gating worked: unauthenticated `/jobs` redirected to `/login`.\n- The login screen rendered cleanly under the new session model.\n- CSRF bootstrap and unauthorized session responses matched the expected contract.\n- A successful live login/logout browser pass was not completed because the existing local development database does not accept the placeholder seeded admin password from config.\n\n",
"goal": "Replace the current browser-stored bearer token model with a safer primary session design, harden auth-sensitive endpoints against abuse, and preserve the apps protected flows under the new transport.",
"success_criteria": "- Primary local auth no longer relies on localStorage/sessionStorage bearer tokens.\n- Login/logout/profile/admin flows are verified under the new session model.\n- Auth-sensitive endpoints have meaningful throttling / abuse controls.\n- Frontend unauthorized handling is explicit and coherent under the new session transport.",
"proof_level": "Code + integration + auth-flow verification",
"integration_closure": "Frontend and API must agree on how sessions are established, persisted, refreshed/expired, and invalidated. Protected routes, admin pages, and Gmail-sensitive paths must continue to function cleanly under the new auth model.",
"observability_impact": "Adds clearer session/auth diagnostics, explicit unauthorized-state behavior, and abuse-control signals for login and reset flows.",
"sequence": 2,
"replan_triggered_at": null
},
{
"milestone_id": "M011",
"id": "S03",
"title": "S03",
"status": "complete",
"risk": "medium",
"depends": [],
"demo": "When the API is unavailable, the UI says so clearly instead of looking empty; normal data views use a centralized query/retry model and remain responsive.",
"created_at": "2026-04-10T16:33:49.541Z",
"completed_at": "2026-04-10T22:20:05.937Z",
"full_summary_md": "---\nid: S03\nparent: M011\nmilestone: M011\nprovides:\n - A resilient client layer that downstream AI and admin slices can rely on without reintroducing outage-as-empty UX.\n - Clearer failure semantics for S06 AI/Ollama capability work when backend-dependent views degrade.\nrequires:\n - slice: S02\n provides: cookie-backed auth/session transport and explicit unauthorized behavior.\naffects:\n - S04\n - S06\nkey_files:\n - job-tracker-ui/src/hooks/useViewResource.ts\n - job-tracker-ui/src/components/ViewStateNotice.tsx\n - job-tracker-ui/src/hooks/useCompanies.ts\n - job-tracker-ui/src/components/JobTable.tsx\n - job-tracker-ui/src/components/DashboardView.tsx\n - job-tracker-ui/src/components/CompaniesTable.tsx\n - job-tracker-ui/src/components/RemindersView.tsx\n - job-tracker-ui/src/components/KanbanBoard.tsx\n - job-tracker-ui/src/pages/ProfilePage.tsx\n - job-tracker-ui/src/daily-control-loop.test.tsx\nkey_decisions:\n - Use a lightweight shared async-view-state pattern instead of introducing a new global query framework during M011.\n - Make outage-state clarity a product requirement for the top-level views first: jobs, dashboard, reminders, companies, kanban, and profile.\npatterns_established:\n - Use `useViewResource` plus `ViewStateNotice` for top-level frontend data views that need distinct loading/empty/error/retry states.\n - Do not collapse transport failures into empty arrays/nulls on user-visible index pages.\n - Record environment-limited verification separately from product-behavior proof so slices stay honest.\nobservability_surfaces:\n - Explicit unavailable/error notices for jobs, dashboard, reminders, companies, kanban, and profile.\n - Shared retry surface via `ViewStateNotice` on core data views.\n - Clearer distinction between unauthorized/auth-required and general API-unavailable states on the client.\ndrill_down_paths:\n - .gsd/milestones/M011/slices/S03/tasks/T01-SUMMARY.md\n - .gsd/milestones/M011/slices/S03/tasks/T02-SUMMARY.md\n - .gsd/milestones/M011/slices/S03/tasks/T03-SUMMARY.md\nduration: \"\"\nverification_result: passed\ncompleted_at: 2026-04-10T22:20:05.940Z\nblocker_discovered: false\n---\n\n# S03: Resilience UX and client data layer\n\n**Made core frontend views show explicit unavailable states instead of masking API failures as empty data.**\n\n## What Happened\n\nThis slice retired the user-facing outage-masking problem that showed up in the earlier browser audit. T01 mapped the failure pattern: several core views were swallowing request failures into empty arrays or nulls and then rendering normal empty states. T02 introduced a shared `useViewResource` hook plus a reusable `ViewStateNotice` component, then applied that pattern to the high-traffic surfaces that matter most for top-level product trust: the jobs list, dashboard, reminders view, companies view, kanban board, shared company hook, and the profile pages top-level load. Those views now distinguish unavailable/error states from genuine empty data and offer retry affordances where appropriate. T03 verified the new behavior: the focused frontend regression set passed, the frontend build passed, and a browser pass with the API intentionally unavailable showed `Unable to load jobs` instead of an empty jobs table. When the API auth surface was reachable again, the frontend recovered to a normal sign-in screen. During the recovery pass I hit an unrelated local API limitation — some job-data requests still fail in this checkout because the local process logs SQLite schema errors — so I recorded that as environment evidence for S04 rather than broadening the slice.\n\n## Verification\n\nVerified with focused frontend tests (`cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/daily-control-loop.test.tsx src/login-page.test.tsx src/profile-page.test.tsx`), frontend production build (`cd job-tracker-ui && npm run build`), browser outage verification on `http://localhost:3001/jobs`, and browser recovery verification on `http://localhost:3001/login` once the API auth surface was reachable again.\n\n## Requirements Advanced\n\nNone.\n\n## Requirements Validated\n\nNone.\n\n## New Requirements Surfaced\n\nNone.\n\n## Requirements Invalidated or Re-scoped\n\nNone.\n\n## Deviations\n\nThe with-API-available browser smoke used the login/auth-reachable path rather than a full jobs-data happy path because the local development API process still has an unrelated SQLite schema issue affecting some job-data queries in this checkout.\n\n## Known Limitations\n\nDeeper detail/workspace fetches still use local fallback-on-error patterns in some components, especially `JobDetailsDialog.tsx` and `QuickCommandDialog.tsx`. The local API process in this checkout also still logs SQLite schema errors (`RuleSettings` missing) for some job-data paths, which limited the recovery browser smoke to auth-reachable surfaces instead of a full jobs-data happy path.\n\n## Follow-ups\n\nS04 should address the underlying API startup/data-layer fragility, including the local SQLite/schema inconsistencies that limited the with-API-available browser smoke during this slice. A later frontend slice can extend the shared view-state pattern into deeper detail/workspace surfaces such as `JobDetailsDialog.tsx` and `QuickCommandDialog.tsx`.\n\n## Files Created/Modified\n\n- `job-tracker-ui/src/hooks/useViewResource.ts` — Added the shared async view-state hook for loading/error/retry handling.\n- `job-tracker-ui/src/components/ViewStateNotice.tsx` — Added the shared unavailable/error surface used by core views.\n- `job-tracker-ui/src/hooks/useCompanies.ts` — Exposed error/reload state from the shared companies hook instead of silent empty fallback.\n- `job-tracker-ui/src/components/JobTable.tsx` — Stopped the jobs list from presenting API failures as ordinary empty results.\n- `job-tracker-ui/src/components/DashboardView.tsx` — Moved dashboard summary/trend loading to shared resource state and explicit unavailable notices.\n- `job-tracker-ui/src/components/CompaniesTable.tsx` — Added explicit unavailable state to the companies view.\n- `job-tracker-ui/src/components/RemindersView.tsx` — Added explicit unavailable state to the reminders view.\n- `job-tracker-ui/src/components/KanbanBoard.tsx` — Added explicit unavailable state to the kanban board.\n- `job-tracker-ui/src/pages/ProfilePage.tsx` — Added a top-level profile load failure surface instead of silent blank state.\n- `job-tracker-ui/src/daily-control-loop.test.tsx` — Updated workflow regression assertions to match the current stable package-work surface.\n",
"full_uat_md": "# S03: Resilience UX and client data layer — UAT\n\n**Milestone:** M011\n**Written:** 2026-04-10T22:20:05.941Z\n\n# UAT — S03 Resilience UX and client data layer\n\n## What was exercised\n\n1. Start the frontend only with `cd job-tracker-ui && PORT=3001 BROWSER=none npm start`.\n2. Leave the API unavailable.\n3. Navigate to `http://localhost:3001/jobs`.\n4. Confirm the jobs page shows an explicit unavailable state (`Unable to load jobs`) instead of an empty jobs table or `No jobs found.` copy.\n5. Bring the API back up to an auth-reachable state.\n6. Navigate to `http://localhost:3001/login`.\n7. Confirm the normal sign-in UI renders again once the API is reachable.\n\n## Result\n\n- The outage path is now explicit: the jobs page reports that it cannot reach the API instead of pretending there is no data.\n- The frontend returns to a normal reachable auth surface when the API is back.\n- A full jobs-data happy-path browser smoke was still limited by an unrelated local SQLite schema issue in this checkout, which should be addressed in S04.\n\n",
"goal": "Make API outages and request failures visible to users instead of looking like ordinary empty data, using a shared resilient data-loading model across the core frontend views.",
"success_criteria": "- Core data views no longer present API/network failures as ordinary empty states.\n- The frontend uses a shared query/error model for the highest-traffic data surfaces instead of ad hoc `catch(() => [])` fallbacks.\n- Unauthorized and unavailable states are visually distinct on the client.\n- Browser verification proves the app shows an explicit unavailable/error state when the API is down.",
"proof_level": "Code + browser outage verification + focused frontend tests",
"integration_closure": "Top-level data views must stop collapsing transport failures into empty-data presentations. The frontend should distinguish loading, empty, unauthorized, and unavailable states consistently while still working against the cookie-backed auth session introduced in S02.",
"observability_impact": "Adds explicit client-visible unavailable/error states and shared retry/error surfaces so API outages and request failures are diagnosable instead of looking like normal empty datasets.",
"sequence": 3,
"replan_triggered_at": null
},
{
"milestone_id": "M011",
"id": "S04",
"title": "S04",
"status": "complete",
"risk": "high",
"depends": [],
"demo": "The API starts cleanly with slimmer startup composition, stronger edge controls, and fewer deploy-time surprises.",
"created_at": "2026-04-10T16:33:49.541Z",
"completed_at": "2026-04-10T22:44:54.405Z",
"full_summary_md": "---\nid: S04\nparent: M011\nmilestone: M011\nprovides:\n - A cleaner API startup baseline for S05 endpoint hardening.\n - A more explicit runtime boundary for S06 AI/Ollama operational hardening.\nrequires:\n - slice: S02\n provides: Cookie-backed auth/session transport and explicit auth edge behavior.\n - slice: S03\n provides: Frontend verification evidence that exposed the startup/data-layer fragility to retire.\naffects:\n - S05\n - S06\nkey_files:\n - JobTrackerApi/Program.cs\n - JobTrackerApi/Services/StartupInitializationExtensions.cs\n - JobTrackerApi/Services/StartupReadiness.cs\n - JobTrackerApi/Services/JobEnrichmentHostedService.cs\n - JobTrackerApi/Services/DailyExportHostedService.cs\n - JobTrackerApi/Services/RulesHostedService.cs\n - JobTrackerApi/Services/FollowUpReminderHostedService.cs\nkey_decisions:\n - Extract database/bootstrap orchestration out of `Program.cs` first instead of mixing it further with middleware/auth wiring.\n - Use an explicit startup-readiness gate so background workers do not infer schema safety from fixed delays alone.\npatterns_established:\n - Keep startup/bootstrap orchestration separate from middleware/controller wiring.\n - Do not let background services infer initialization readiness from fixed delays alone.\n - Treat missing core schema assumptions as a startup-readiness condition, not just a background error to log and ignore.\nobservability_surfaces:\n - Explicit startup-readiness boundary for background services.\n - Startup warning when the core schema is incomplete and background services remain paused.\n - Cleaner separation between startup/bootstrap diagnostics and post-start background worker behavior.\ndrill_down_paths:\n - .gsd/milestones/M011/slices/S04/tasks/T01-SUMMARY.md\n - .gsd/milestones/M011/slices/S04/tasks/T02-SUMMARY.md\n - .gsd/milestones/M011/slices/S04/tasks/T03-SUMMARY.md\nduration: \"\"\nverification_result: passed\ncompleted_at: 2026-04-10T22:44:54.407Z\nblocker_discovered: false\n---\n\n# S04: API startup and platform hardening\n\n**Extracted API bootstrap out of `Program.cs` and hardened background startup behavior so the app starts cleanly without the earlier missing-table failure profile.**\n\n## What Happened\n\nThis slice hardened the API startup path by separating bootstrap concerns from general host wiring and by making background-worker readiness explicit. T01 mapped the real seam: `Program.cs` was carrying service registration, auth config, provider selection, schema/bootstrap repair, migrations, seeding, and ownership claim logic all in one imperative block, while background services assumed schema readiness after fixed delays. T02 extracted that database/bootstrap block into `StartupInitializationExtensions`, registered a shared `StartupReadiness` gate, and updated the background workers most exposed to the earlier failure noise so they wait for startup readiness before beginning their own loops. A core-schema check now prevents those workers from running if startup completes without the required tables. T03 verified the new path: the API builds cleanly, the focused auth/system tests pass, and a Development startup run reaches ready without the prior `RuleSettings`/`JobApplications` missing-table error storm. The core auth surfaces remain healthy under that path (`/api/auth/config` 200, `/api/auth/me` 401 unauthenticated).\n\n## Verification\n\nVerified with `dotnet build JobTrackerApi/JobTrackerApi.csproj`, `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter AuthAndSystemControllerTests`, a Development startup run on `http://localhost:5202`, and direct HTTP checks against `/api/auth/config` and `/api/auth/me`.\n\n## Requirements Advanced\n\nNone.\n\n## Requirements Validated\n\nNone.\n\n## New Requirements Surfaced\n\nNone.\n\n## Requirements Invalidated or Re-scoped\n\nNone.\n\n## Deviations\n\nVerification focused on startup and auth surfaces rather than a broader frontend/browser path, because S04s target risk was startup/bootstrap behavior. The bootstrap extraction was performed mechanically first and then normalized, which changed the implementation order but not the slice outcome.\n\n## Known Limitations\n\nStartup still emits EF model validation warnings related to required relationships combined with global query filters, and the summarizer probe remains part of the startup/runtime surface. Those are platform concerns to track, but the earlier missing-table startup failure class was retired in the observed pass.\n\n## Follow-ups\n\nS05 should build on this cleaner startup baseline to harden file/admin/sensitive endpoints without relying on a monolithic startup file. S06 should treat the summarizer probe and AI-service startup behavior as part of its operational boundary review.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Program.cs` — Delegates startup initialization to a focused bootstrap extension and registers startup readiness.\n- `JobTrackerApi/Services/StartupInitializationExtensions.cs` — Owns database/bootstrap initialization outside `Program.cs`.\n- `JobTrackerApi/Services/StartupReadiness.cs` — Introduces an explicit startup-readiness boundary for background services.\n- `JobTrackerApi/Services/JobEnrichmentHostedService.cs` — Waits for startup readiness before running enrichment background work.\n- `JobTrackerApi/Services/DailyExportHostedService.cs` — Waits for startup readiness before running daily exports.\n- `JobTrackerApi/Services/RulesHostedService.cs` — Waits for startup readiness before applying ghosting rules in the background.\n- `JobTrackerApi/Services/FollowUpReminderHostedService.cs` — Waits for startup readiness before follow-up reminder background passes.\n",
"full_uat_md": "# S04: API startup and platform hardening — UAT\n\n**Milestone:** M011\n**Written:** 2026-04-10T22:44:54.407Z\n\n# UAT — S04 API startup and platform hardening\n\n## What was exercised\n\n1. Build the API with `dotnet build JobTrackerApi/JobTrackerApi.csproj`.\n2. Run the focused auth/system tests with `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter AuthAndSystemControllerTests`.\n3. Start the API in Development with `ASPNETCORE_ENVIRONMENT=Development ASPNETCORE_URLS=http://localhost:5202 dotnet run --project JobTrackerApi/JobTrackerApi.csproj`.\n4. Confirm the process reaches a ready state instead of entering the earlier missing-table error state.\n5. Request `GET http://localhost:5202/api/auth/config` and confirm it returns 200.\n6. Request `GET http://localhost:5202/api/auth/me` without a session and confirm it returns 401.\n\n## Result\n\n- The API reaches ready cleanly in the observed Development startup pass.\n- The earlier `RuleSettings` / `JobApplications` missing-table startup error storm did not recur in that pass.\n- Core auth surfaces remained healthy after the bootstrap refactor and readiness-gating changes.\n\n",
"goal": "Make API startup cleaner and more predictable by extracting startup/bootstrap responsibilities out of `Program.cs`, hardening database/bootstrap behavior, and preventing background services from tripping over partially initialized state.",
"success_criteria": "- `JobTrackerApi/Program.cs` is materially slimmer and delegates startup/bootstrap work to focused helpers or services.\n- Database/bootstrap logic no longer relies on a monolithic startup block that mixes provider detection, schema repair, seeding, and runtime wiring.\n- The API can start in the local Development environment without the observed SQLite bootstrap/schema failure path recurring for core startup assumptions.\n- Verification captures both clean startup behavior and the remaining constraints explicitly if any non-core background path is still limited.",
"proof_level": "Code + startup verification + focused tests",
"integration_closure": "The API must still start with the existing auth/session work from S02, support the resilient frontend from S03, and keep hosted/background services aligned with the post-bootstrap schema state. Startup hardening cannot break current controllers, auth wiring, or the local development DB path.",
"observability_impact": "Improves startup diagnostics and reduces false-negative runtime noise by making bootstrap phases explicit and by ensuring background services do not begin work against missing schema assumptions.",
"sequence": 4,
"replan_triggered_at": null
},
{
"milestone_id": "M011",
"id": "S05",
"title": "S05",
"status": "complete",
"risk": "medium",
"depends": [],
"demo": "Uploads, client-error reporting, avatars, and admin/system workflows behave safely and predictably under normal and adverse input.",
"created_at": "2026-04-10T16:33:49.541Z",
"completed_at": "2026-04-10T23:00:57.771Z",
"full_summary_md": "---\nid: S05\nparent: M011\nmilestone: M011\nprovides:\n - A safer API boundary and diagnostics surface for the final AI/Ollama hardening slice.\nrequires:\n - slice: S02\n provides: Cookie-backed local session model and auth boundary conventions.\n - slice: S04\n provides: Cleaner startup/runtime baseline for endpoint hardening verification.\naffects:\n - S06\nkey_files:\n - JobTrackerApi/Controllers/AttachmentsController.cs\n - JobTrackerApi/Controllers/AuthController.cs\n - JobTrackerApi/Controllers/BackupController.cs\n - JobTrackerApi/Controllers/ExportController.cs\n - JobTrackerApi/Controllers/ClientErrorsController.cs\n - JobTrackerApi.Tests/AttachmentsControllerTests.cs\n - JobTrackerApi.Tests/BackupControllerTests.cs\n - JobTrackerApi.Tests/ClientErrorsControllerTests.cs\nkey_decisions:\n - Require explicit local auth on backup, export, and attachment routes instead of relying on implicit route exposure plus ownership filters.\n - Sanitize client-error reports by logging hashes and short previews instead of raw browser stack payloads.\n - Validate avatar uploads from detected bytes, not just client-provided MIME labels.\npatterns_established:\n - Sensitive file/export routes should declare their auth boundary explicitly instead of depending on implicit ownership filters alone.\n - Diagnostics from untrusted clients should be normalized, bounded, and hashed rather than logged raw.\n - File/avatar validation should confirm server-observed content signatures for supported formats instead of trusting the browsers content type.\nobservability_surfaces:\n - Client-error reports now emit bounded normalized fields plus stack/component hashes and short previews instead of raw payload dumps.\n - Sensitive route denial behavior is now explicit and test-covered for attachments, backup, and export endpoints.\ndrill_down_paths:\n - .gsd/milestones/M011/slices/S05/tasks/T01-SUMMARY.md\n - .gsd/milestones/M011/slices/S05/tasks/T02-SUMMARY.md\n - .gsd/milestones/M011/slices/S05/tasks/T03-SUMMARY.md\nduration: \"\"\nverification_result: passed\ncompleted_at: 2026-04-10T23:00:57.772Z\nblocker_discovered: false\n---\n\n# S05: File, admin, and sensitive endpoint hardening\n\n**Hardened sensitive file/admin-adjacent endpoints by enforcing auth boundaries, sanitizing client-error logging, and tightening avatar validation.**\n\n## What Happened\n\nThis slice tightened the APIs sensitive endpoint boundaries and payload handling. T01 mapped the real risk seam: file routes and export/backup routes were publicly routable, avatar uploads trusted browser-provided MIME labels, and `ClientErrorsController` logged raw browser payloads verbatim. T02 implemented the hardening: attachments, backup, and export routes now require explicit local auth; avatar uploads now use a tighter size limit and server-side PNG/JPEG/WebP signature detection before persistence; and client-error logging now keeps bounded normalized fields plus hashed/summarized stack signals instead of raw submitted stacks. T03 verified both code and runtime behavior. Focused controller tests passed, the API still builds, and a live Development pass confirmed the hardened routes now reject anonymous access with 401 responses. The remaining noteworthy constraint is that anonymous `client-errors` submissions also return 401 under the current auth-required environment.\n\n## Verification\n\nVerified with `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AttachmentsControllerTests|FullyQualifiedName~BackupControllerTests|FullyQualifiedName~ClientErrorsControllerTests|FullyQualifiedName~AuthAndSystemControllerTests\"`, `dotnet build JobTrackerApi/JobTrackerApi.csproj`, a Development startup run on `http://localhost:5202`, and anonymous HTTP checks against export, backup, attachments, and client-error routes.\n\n## Requirements Advanced\n\nNone.\n\n## Requirements Validated\n\nNone.\n\n## New Requirements Surfaced\n\nNone.\n\n## Requirements Invalidated or Re-scoped\n\nNone.\n\n## Deviations\n\nThe runtime pass revealed that anonymous `POST /api/client-errors` returns 401 under the current auth-required environment. I recorded that as an observed constraint instead of broadening S05 into a pre-auth diagnostics policy change.\n\n## Known Limitations\n\nAvatar images still use the existing inline `AvatarImageDataUrl` persistence model; S05 hardens that path without redesigning storage. Anonymous `client-errors` submissions currently return 401 under the auth-required environment, so pre-auth browser failures are not captured unless that policy is revisited intentionally.\n\n## Follow-ups\n\nS06 should keep the same discipline around bounded diagnostics and explicit capability/auth surfaces when hardening the AI service and Ollama integration. If product requirements later need anonymous pre-auth browser error capture, that should be an explicit follow-up rather than an accidental open endpoint.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Controllers/AttachmentsController.cs` — Added explicit local auth boundary to attachment routes.\n- `JobTrackerApi/Controllers/AuthController.cs` — Tightened avatar upload size and content validation using extension checks and server-side image signature detection.\n- `JobTrackerApi/Controllers/BackupController.cs` — Added explicit local auth boundary to encrypted backup export.\n- `JobTrackerApi/Controllers/ExportController.cs` — Added explicit local auth boundary to job export endpoints.\n- `JobTrackerApi/Controllers/ClientErrorsController.cs` — Replaced raw browser-stack logging with bounded normalized fields, stack previews, and hashes.\n- `JobTrackerApi.Tests/AttachmentsControllerTests.cs` — Added auth-boundary coverage for attachment routes.\n- `JobTrackerApi.Tests/BackupControllerTests.cs` — Added auth-boundary coverage for backup and export routes.\n- `JobTrackerApi.Tests/ClientErrorsControllerTests.cs` — Added tests for client-error sanitization and avatar signature rejection.\n",
"full_uat_md": "# S05: File, admin, and sensitive endpoint hardening — UAT\n\n**Milestone:** M011\n**Written:** 2026-04-10T23:00:57.773Z\n\n# UAT — S05 File, admin, and sensitive endpoint hardening\n\n## What was exercised\n\n1. Run focused controller tests for attachments, backup/export auth boundaries, client-error sanitization, and avatar validation.\n2. Build the API with `dotnet build JobTrackerApi/JobTrackerApi.csproj`.\n3. Start the API in Development on `http://localhost:5202`.\n4. Request the hardened routes without a session:\n - `GET /api/export/jobs`\n - `POST /api/backup/encrypted`\n - `GET /api/attachments/1`\n5. Observe the current behavior of `POST /api/client-errors` without a session in the auth-required environment.\n\n## Result\n\n- Hardened sensitive file/export routes now reject anonymous access with 401 responses.\n- Client-error logging is covered by focused tests and no longer stores raw browser stack payloads in logs.\n- Avatar uploads reject unsupported byte signatures even when the browser labels them as a supported image type.\n- Anonymous `client-errors` submissions currently return 401 in this environment and are recorded as a known limitation/constraint.\n\n",
"goal": "Harden file, admin, and sensitive endpoints so uploads, backups/exports, avatar handling, and client-error reporting behave predictably under hostile or malformed input without leaking unnecessary data.",
"success_criteria": "- Sensitive export/backup/admin/file routes require the right auth boundary.\n- Avatar and attachment upload paths validate type/size/input more defensively and avoid unsafe persistence patterns.\n- Client error reporting stops logging raw browser stack payloads while still preserving useful diagnostic signals.\n- Verification covers both allowed paths and denied/malformed-input paths.",
"proof_level": "Code + focused endpoint tests + build/test verification",
"integration_closure": "S05 must preserve the cookie-backed auth/session model from S02 and the cleaner startup/runtime baseline from S04 while tightening sensitive endpoint behavior. Hardening should not break existing attachment flows, admin status pages, or export/backup workflows for authorized users.",
"observability_impact": "Sensitive endpoint failures should become explicit and bounded: rejected uploads and client-error reports should surface clear validation outcomes, and admin/file routes should no longer rely on open routing or raw payload logging for diagnosis.",
"sequence": 5,
"replan_triggered_at": null
},
{
"milestone_id": "M011",
"id": "S06",
"title": "S06",
"status": "complete",
"risk": "high",
"depends": [],
"demo": "AI-powered features expose clear capability states, degrade gracefully when Ollama or OCR paths are limited, and run on a cleaner service contract.",
"created_at": "2026-04-10T16:33:49.541Z",
"completed_at": "2026-04-10T23:24:52.442Z",
"full_summary_md": "---\nid: S06\nparent: M011\nmilestone: M011\nprovides:\n - A complete hardened platform baseline across frontend, auth, runtime startup, sensitive endpoints, and AI/Ollama reliability.\nrequires:\n - slice: S04\n provides: Cleaner startup/runtime baseline for background services and health verification.\n - slice: S05\n provides: Sensitive endpoint/auth hardening patterns for bounded diagnostics and explicit capability surfaces.\naffects:\n []\nkey_files:\n - tools/summarizer/app.py\n - tools/summarizer/tests/test_app.py\n - JobTrackerApi/Services/SummarizerService.cs\n - tools/summarizer/README.md\nkey_decisions:\n - Make the Python summarizer model lazy-load by default and expose the resulting state explicitly in `/health`.\n - Interpret `summarize_available=false` as unhealthy in the .NET metrics layer so admin/runtime telemetry does not misreport a disabled summarizer as healthy.\n - Keep the existing `ISummarizerService` caller contract stable for now while improving degraded-path diagnostics and capability reporting underneath it.\npatterns_established:\n - Heavy local AI models should load lazily by default unless warm-up is explicitly requested.\n - Health endpoints should report capability state without performing hidden heavyweight initialization.\n - API wrappers over optional AI services should distinguish HTTP reachable from functionally available.\nobservability_surfaces:\n - Python `/health` now exposes explicit summarizer model capability state (`model_loaded`, `model_disabled`, `summarize_available`, `model_load_error`).\n - API-side AI metrics now treat summarize-unavailable health responses as unhealthy and preserve more specific failure text from AI/probe/OCR requests.\ndrill_down_paths:\n - .gsd/milestones/M011/slices/S06/tasks/T01-SUMMARY.md\n - .gsd/milestones/M011/slices/S06/tasks/T02-SUMMARY.md\n - .gsd/milestones/M011/slices/S06/tasks/T03-SUMMARY.md\nduration: \"\"\nverification_result: passed\ncompleted_at: 2026-04-10T23:24:52.444Z\nblocker_discovered: false\n---\n\n# S06: AI service and Ollama reliability hardening\n\n**Hardened the AI/Ollama contract so model-disabled, model-load, and unreachable-Ollama states are explicit and degrade predictably.**\n\n## What Happened\n\nThis slice hardened the AI service and Ollama integration around explicit capability state and predictable degraded behavior. T01 mapped the real seam: the Python AI service loaded the summarization model at import time unless a skip flag was set, Ollama behavior was optional but coarse, and the .NET summarizer wrapper depended heavily on post-failure metrics rather than a clearer health interpretation. T02 changed that contract. The Python service now lazy-loads the summarization model by default, tracks disabled/load-failure state explicitly, and reports `model_loaded`, `model_disabled`, `summarize_available`, and `model_load_error` through `/health` without triggering a hidden warm-up. Focused Python tests now cover disabled-model health, explicit summarize 503 behavior, and configured-but-unreachable Ollama health. On the .NET side, `SummarizerService` now records clearer error detail from failed summarize/OCR/probe responses and no longer treats `summarize_available=false` as healthy. T03 verified the new contract through the projects Python test harness, focused .NET tests, and a clean API build. The remaining uncertainty is environmental model/runtime behavior, not hidden contract ambiguity.\n\n## Verification\n\nVerified with `cd tools/summarizer && ./scripts/bootstrap-and-test.sh test`, `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"`, and `dotnet build JobTrackerApi/JobTrackerApi.csproj`.\n\n## Requirements Advanced\n\nNone.\n\n## Requirements Validated\n\nNone.\n\n## New Requirements Surfaced\n\nNone.\n\n## Requirements Invalidated or Re-scoped\n\nNone.\n\n## Deviations\n\nVerification focused on explicit degraded-path behavior and contract tests rather than running a full live Ollama deployment. That kept the slice aligned with its reliability goal instead of turning it into environment orchestration work.\n\n## Known Limitations\n\n`AiServiceMetrics` still does not have dedicated .NET fields for model-loaded/model-disabled state, so that detail is currently folded into the existing `Healthy`/`LastError` view rather than surfaced as separate typed properties. Real Ollama pull/load latency remains environment-dependent and was not the target of this slice.\n\n## Follow-ups\n\nIf later milestones need deeper AI operability work, the next seam would be widening `AiServiceMetrics` with first-class model-state fields or adding a dedicated warm-up endpoint. Actual Ollama pull/load latency remains an environment/runtime concern rather than a hidden contract issue now.\n\n## Files Created/Modified\n\n- `tools/summarizer/app.py` — Changed AI runtime to lazy model load by default and added explicit health/capability fields for model and Ollama state.\n- `tools/summarizer/tests/test_app.py` — Added focused tests for disabled-model health, disabled summarize behavior, and configured-but-unreachable Ollama state.\n- `JobTrackerApi/Services/SummarizerService.cs` — Improved API-side AI error detail capture and health interpretation for summarize-unavailable states.\n- `tools/summarizer/README.md` — Documented the expanded health/capability contract.\n",
"full_uat_md": "# S06: AI service and Ollama reliability hardening — UAT\n\n**Milestone:** M011\n**Written:** 2026-04-10T23:24:52.444Z\n\n# UAT — S06 AI service and Ollama reliability hardening\n\n## What was exercised\n\n1. Run the summarizer Python test suite with `cd tools/summarizer && ./scripts/bootstrap-and-test.sh test`.\n2. Verify the Python tests cover:\n - disabled-model `/health` state\n - explicit 503 summarize behavior when model loading is disabled\n - configured-but-unreachable Ollama health reporting\n3. Run focused .NET tests with `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"`.\n4. Rebuild the API with `dotnet build JobTrackerApi/JobTrackerApi.csproj`.\n\n## Result\n\n- The Python AI service now reports explicit model/capability state without hidden warm-up on `/health`.\n- Disabled summarizer state returns a clear 503 reason on `/summarize`.\n- Configured-but-unreachable Ollama state is represented explicitly in health output.\n- The .NET wrapper still builds and tests cleanly while interpreting summarize-unavailable as unhealthy instead of falsely healthy.\n\n",
"goal": "Harden the AI service and Ollama integration so startup, probe, summarize, OCR, and CV-classification paths expose explicit capability state, degrade predictably when dependencies are missing, and avoid blocking the platform on heavy or unreachable AI components.",
"success_criteria": "- The AI service no longer treats heavy model load or optional Ollama features as an implicit always-ready contract.\n- API-side AI calls expose clearer bounded failure behavior and capability metrics instead of silent `null`/generic failure collapse where avoidable.\n- Optional Ollama-backed features degrade predictably when Ollama is missing, unreachable, or missing the configured model.\n- Verification covers both healthy and degraded AI/Ollama paths.",
"proof_level": "Code + focused API/Python tests + health/behavior verification",
"integration_closure": "S06 must preserve the frontend and admin capability surfaces already in use, keep the API startup baseline from S04 clean, and avoid breaking current CV/application-package features that depend on `ISummarizerService`. Reliability hardening should make failures more explicit without changing core user-facing semantics unnecessarily.",
"observability_impact": "AI/Ollama state should become explicit through metrics, health/capability reporting, and bounded failure surfaces so future agents can tell the difference between model-not-loaded, Ollama-not-configured, Ollama-unreachable, OCR-unavailable, and request-time service failures.",
"sequence": 6,
"replan_triggered_at": null
}
],
"tasks": [
{
"milestone_id": "M001",
"slice_id": "S01",
"id": "T01",
"title": "Add linked Gmail thread refresh to the backend contract",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.777Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"JobTrackerApi/Controllers/GmailController.cs",
"JobTrackerApi/Services/GmailOAuthService.cs",
"JobTrackerApi.Tests/GmailControllerTests.cs",
"JobTrackerApi/Program.cs"
],
"verify": "`dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter GmailControllerTests`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S01",
"id": "T02",
"title": "Surface live Gmail thread continuity in the job workspace",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.777Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"job-tracker-ui/src/components/Correspondence.tsx",
"job-tracker-ui/src/types.ts",
"job-tracker-ui/src/correspondence-gmail-import.test.tsx",
"job-tracker-ui/src/components/JobDetailsDialog.tsx"
],
"verify": "`CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/correspondence-gmail-import.test.tsx`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S02",
"id": "T01",
"title": "Strengthen application-package context assembly and backend draft tests",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.777Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"JobTrackerApi/Controllers/JobApplicationsController.cs",
"JobTrackerApi.Tests/JobApplicationsApplicationPackageTests.cs"
],
"verify": "`dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter JobApplicationsApplicationPackageTests`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S02",
"id": "T02",
"title": "Make the job workspace save and present the application package as real working material",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.777Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"job-tracker-ui/src/components/JobDetailsDialog.tsx",
"job-tracker-ui/src/types.ts",
"job-tracker-ui/src/job-details-generated-drafts.test.tsx"
],
"verify": "`CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/job-details-generated-drafts.test.tsx`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S03",
"id": "T01",
"title": "Strengthen follow-up draft context assembly and backend reply/follow-up tests",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.777Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"JobTrackerApi/Controllers/JobApplicationsController.cs",
"JobTrackerApi.Tests/JobApplicationsFollowUpDraftTests.cs"
],
"verify": "`dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter JobApplicationsFollowUpDraftTests`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S03",
"id": "T02",
"title": "Make the follow-up workspace show thread-grounded draft state without autonomous sending",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.777Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"job-tracker-ui/src/components/JobDetailsDialog.tsx",
"job-tracker-ui/src/types.ts",
"job-tracker-ui/src/job-details-followup-drafts.test.tsx"
],
"verify": "`CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/job-details-followup-drafts.test.tsx`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S04",
"id": "T01",
"title": "Turn reminders and dashboard into actionable entry surfaces",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.778Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"job-tracker-ui/src/components/DashboardView.tsx",
"job-tracker-ui/src/components/RemindersView.tsx",
"job-tracker-ui/src/App.tsx"
],
"verify": "`CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/daily-control-loop.test.tsx`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S04",
"id": "T02",
"title": "Make the job table expose the right next action and prove the daily loop",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.778Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"job-tracker-ui/src/components/JobTable.tsx",
"job-tracker-ui/src/daily-control-loop.test.tsx"
],
"verify": "`CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/daily-control-loop.test.tsx`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S05",
"id": "T01",
"title": "Centralize workflow trust signals across overview and readiness surfaces",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.778Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"JobTrackerApi/Controllers/JobApplicationsController.cs",
"JobTrackerApi.Tests/JobApplicationsWorkflowSignalsTests.cs",
"job-tracker-ui/src/types.ts",
"job-tracker-ui/src/jobWorkflowSignals.ts",
"job-tracker-ui/src/components/JobTable.tsx",
"job-tracker-ui/src/components/DashboardView.tsx",
"job-tracker-ui/src/components/RemindersView.tsx",
"job-tracker-ui/src/workflow-trust-signals.test.tsx"
],
"verify": "`dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter JobApplicationsWorkflowSignalsTests` and `CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/workflow-trust-signals.test.tsx`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S05",
"id": "T02",
"title": "Add integrated trust-loop proof and workspace polish",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.778Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"job-tracker-ui/src/components/JobDetailsDialog.tsx",
"job-tracker-ui/src/components/Correspondence.tsx",
"job-tracker-ui/src/end-to-end-trust-loop.test.tsx",
"job-tracker-ui/src/daily-control-loop.test.tsx",
".gsd/milestones/M001/slices/S05/S05-UAT.md"
],
"verify": "`CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/end-to-end-trust-loop.test.tsx`, `CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/correspondence-gmail-import.test.tsx src/job-details-generated-drafts.test.tsx src/job-details-followup-drafts.test.tsx src/daily-control-loop.test.tsx`, and `CI=true npm --prefix job-tracker-ui run build`",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S06",
"id": "T01",
"title": "Validated and recorded the live API/auth preflight gate, including README runbook guidance and negative-path shell coverage.",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.778Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"scripts/s06-preflight.sh",
"README.md",
"job-tracker-ui/src/api.ts",
"JobTrackerApi/appsettings.Development.json"
],
"verify": "bash scripts/s06-preflight.sh",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S06",
"id": "T02",
"title": "Seeded acceptance-ready job data through the live API with deterministic rerun-safe ids and readiness output.",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.778Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"scripts/s06-acceptance-data.sh",
"scripts/s06-preflight.sh",
"README.md"
],
"verify": "bash scripts/s06-acceptance-data.sh",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S06",
"id": "T03",
"title": "Added a repeatable live acceptance runner and recorded real S06 browser evidence for the manual-send boundary and daily loop.",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.778Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"scripts/s06-acceptance-run.sh",
"docs/s06-acceptance-run.md",
"scripts/s06-preflight.sh",
"scripts/s06-acceptance-data.sh",
"job-tracker-ui/src/end-to-end-trust-loop.test.tsx"
],
"verify": "bash scripts/s06-acceptance-run.sh && test -s docs/s06-acceptance-run.md",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S07",
"id": "T01",
"title": "Added docs/s07-uat.md to close S07 with imported acceptance-run evidence for the seeded daily-loop job.",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.778Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"docs/s07-uat.md",
"docs/s06-acceptance-run.md"
],
"verify": "test -s docs/s07-uat.md && grep -q \"S06 Acceptance Backend Engineer\" docs/s07-uat.md",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S07",
"id": "T02",
"title": "Re-ran the acceptance flow and refreshed the S07 UAT closure with current browser evidence, manual-send-boundary proof, and the Gmail continuity limitation.",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.778Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"scripts/s06-preflight.sh",
"scripts/s06-acceptance-run.sh",
"docs/s06-acceptance-run.md",
"docs/s07-uat.md"
],
"verify": "bash scripts/s06-preflight.sh && bash scripts/s06-acceptance-run.sh && test -s docs/s06-acceptance-run.md && grep -q \"manual-send boundary\" docs/s07-uat.md",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M001",
"slice_id": "S07",
"id": "T03",
"title": "Re-ran the focused daily-loop UI regressions, repaired the local CRA dependency state, and recorded the passing deterministic coverage in docs/s07-uat.md.",
"status": "complete",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": "2026-03-28T22:02:57.779Z",
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "",
"estimate": "",
"files": [
"job-tracker-ui/src/daily-control-loop.test.tsx",
"job-tracker-ui/src/workflow-trust-signals.test.tsx",
"docs/s07-uat.md"
],
"verify": "CI=true npm --prefix job-tracker-ui test -- --runInBand --watch=false src/daily-control-loop.test.tsx src/workflow-trust-signals.test.tsx && grep -q \"UI regression results\" docs/s07-uat.md",
"inputs": [],
"expected_output": [],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S01",
"id": "T01",
"title": "Add canonical CV artifact and extraction persistence model",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Design and implement persistence models for uploaded CV artifacts, extraction runs, field provenance/confidence payloads, and the canonical CV profile wrapper. Wire EF/Core bootstrap changes and ensure the schema can coexist with current profile fields during rollout.",
"estimate": "1.5d",
"files": [
"JobTrackerApi/Data/JobTrackerContext.cs",
"Models/ApplicationUser.cs",
"Models/StructuredCvProfile.cs",
"Models/* new cv extraction models",
"JobTrackerApi/Program.cs"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter ProfileCvControllerTests",
"inputs": [
"Existing ProfileCvText/ProfileCvStructureJson flow",
"Current profile upload/parse endpoints"
],
"expected_output": [
"JobTrackerApi/Models/* canonical CV persistence types",
"Data/JobTrackerContext.cs updates",
"JobTrackerApi bootstrap/schema changes",
"migration/bootstrap coverage or auto-create logic"
],
"observability_impact": "Adds extraction-run status/version/error fields for later debugging.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S01",
"id": "T02",
"title": "Refactor profile CV endpoints around canonical extraction runs",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Refactor the profile CV controller/service layer so upload stores artifact + extraction run metadata, parse/rebuild use a canonical extraction pipeline entry point, and reprocess-from-stored-artifact is possible without re-upload. Preserve backward compatibility in API responses while adding richer metadata.",
"estimate": "1.5d",
"files": [
"JobTrackerApi/Controllers/ProfileCvController.cs",
"JobTrackerApi/Services/* cv extraction services",
"JobTrackerApi.Tests/ProfileCvControllerTests.cs"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter ProfileCvControllerTests",
"inputs": [
"S01/T01 persistence model"
],
"expected_output": [
"Refactored upload/parse/reprocess endpoints",
"canonical extraction service boundary",
"backward-compatible response contract"
],
"observability_impact": "Ensures upload/reprocess failures surface structured status and messages.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S01",
"id": "T03",
"title": "Capture canonical CV model context",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Document the canonical CV lifecycle and record milestone context so later slices can build on a stable vocabulary: artifact, extraction run, canonical profile, provenance/confidence, tailored draft, render options.",
"estimate": "0.5d",
"files": [
".gsd/milestones/M005/M005-CONTEXT.md"
],
"verify": "Artifact saved with milestone context reviewed for terminology consistency",
"inputs": [
"S01/T01 design",
"S01/T02 API contract"
],
"expected_output": [
"M005 context artifact",
"updated roadmap-consistent terminology for later slices"
],
"observability_impact": "Improves future-agent understanding of extraction state boundaries.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S02",
"id": "T01",
"title": "Build pass A/B/C/D extraction pipeline",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Implement multi-pass extraction orchestration: deterministic field detection, layout/structure grouping hooks, LLM normalization, and validation/repair. Persist confidence, source snippets, and extraction method per field. Keep the current generic fallback behavior as the lowest-priority safety net.",
"estimate": "2d",
"files": [
"JobTrackerApi/Services/* cv extraction pipeline",
"JobTrackerApi/Controllers/ProfileCvController.cs",
"Models/StructuredCvProfile.cs",
"Models/StructuredCvProfileJson.cs",
"JobTrackerApi.Tests/ProfileCvControllerTests.cs"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter ProfileCvControllerTests",
"inputs": [
"S01 canonical extraction service boundary",
"existing OCR/text extraction support"
],
"expected_output": [
"Extraction pipeline service(s)",
"field-level provenance/confidence payloads",
"improved OCR/PDF regression coverage"
],
"observability_impact": "Field-level extraction methods and confidence become inspectable/debuggable.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S02",
"id": "T02",
"title": "Add structured review UX with confidence and reprocess controls",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Extend the profile UI to render provenance/confidence for structured fields, highlight uncertain values, expose reprocess controls, and support user review/edit/accept flows without losing the current raw text view.",
"estimate": "2d",
"files": [
"job-tracker-ui/src/pages/ProfilePage.tsx",
"job-tracker-ui/src/profileCv.ts",
"job-tracker-ui/src/i18n/translations.ts",
"job-tracker-ui/src/profile-page.test.tsx"
],
"verify": "cd job-tracker-ui && CI=true ./node_modules/.bin/react-scripts test --runInBand --watch=false src/profile-page.test.tsx",
"inputs": [
"S02/T01 field confidence payloads",
"existing structured editor UI"
],
"expected_output": [
"Profile structured editor with uncertainty UI",
"reprocess trigger in profile workflow",
"save/apply UX for canonical profile review"
],
"observability_impact": "Users can see why a field was extracted and which values need review.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S02",
"id": "T03",
"title": "Expose extraction run history",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Add a lightweight extraction-run history/read model so the latest run and prior runs can be inspected or compared during debugging and support. Keep the first UI surface minimal but useful.",
"estimate": "1d",
"files": [
"JobTrackerApi/Controllers/ProfileCvController.cs",
"JobTrackerApi.Tests/ProfileCvControllerTests.cs",
"job-tracker-ui/src/pages/ProfilePage.tsx"
],
"verify": "Focused backend/frontend tests proving latest/prior run metadata can be read",
"inputs": [
"S02/T01 persisted extraction runs"
],
"expected_output": [
"extraction-run history endpoint/read model",
"basic UI or API-level access to run history"
],
"observability_impact": "Makes reprocessing and extraction regressions diagnosable without database spelunking.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S03",
"id": "T01",
"title": "Add tailored CV draft model and persistence",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Design and implement the tailored CV draft persistence model, including job linkage, source canonical-profile version, chosen template id, editable content blocks, and render options JSON. Keep it clearly separate from existing tailored CV text/package fields.",
"estimate": "1.5d",
"files": [
"Models/* tailored cv draft models",
"JobTrackerApi/Data/JobTrackerContext.cs",
"JobTrackerApi/Program.cs",
"JobTrackerApi.Tests/* tailored draft tests"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter JobApplicationsApplicationPackageTests",
"inputs": [
"M005/S01 canonical profile model",
"existing JobApplications package fields"
],
"expected_output": [
"TailoredCvDraft model + persistence",
"job linkage and source-version tracking",
"backward-compatible coexistence with existing package fields"
],
"observability_impact": "Adds generation timestamps/source-version metadata for debugging stale drafts.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S03",
"id": "T02",
"title": "Add tailored CV draft generation and save endpoints",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Add backend generation/edit/save endpoints for job-scoped tailored CV drafts that prefer canonical structured profile content but can still fall back to raw CV text when needed. Ensure regeneration does not silently destroy manual edits without an explicit user action.",
"estimate": "2d",
"files": [
"JobTrackerApi/Controllers/JobApplicationsController.cs",
"JobTrackerApi/Services/* tailored cv draft generation",
"JobTrackerApi.Tests/JobApplicationsApplicationPackageTests.cs"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter JobApplicationsApplicationPackageTests",
"inputs": [
"S03/T01 tailored draft model",
"existing job package generation logic"
],
"expected_output": [
"Job-scoped tailored CV draft endpoints",
"generation/regeneration semantics",
"manual edit preservation rules"
],
"observability_impact": "Draft generation failures include source-version/context information.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S03",
"id": "T03",
"title": "Add tailored CV draft workspace UX",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Extend the job workspace UI so users can generate, edit, save, and regenerate a tailored CV draft in a dedicated layer without confusing it with the master CV or other package artifacts.",
"estimate": "2d",
"files": [
"job-tracker-ui/src/components/JobDetailsDialog.tsx",
"job-tracker-ui/src/job-details-generated-drafts.test.tsx",
"job-tracker-ui/src/i18n/translations.ts"
],
"verify": "cd job-tracker-ui && CI=true ./node_modules/.bin/react-scripts test --runInBand --watch=false src/job-details-generated-drafts.test.tsx",
"inputs": [
"S03/T02 draft endpoints",
"existing package workspace UI"
],
"expected_output": [
"Workspace tailored CV draft editor",
"explicit regenerate/save flows",
"clear distinction from master profile"
],
"observability_impact": "Shows source-version/regeneration state to the user when draft data is stale or regenerated.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S04",
"id": "T01",
"title": "Build ATS Minimal renderer",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Implement an ATS Minimal HTML/CSS CV renderer driven entirely by the tailored draft model and render options. The same template must support browser preview and PDF output.",
"estimate": "2d",
"files": [
"job-tracker-ui/src/cv-templates/* or shared renderer files",
"JobTrackerApi or UI-side render contract code",
"tests for renderer mapping"
],
"verify": "Focused renderer/unit tests plus deterministic HTML output snapshot checks",
"inputs": [
"M005/S03 tailored draft model",
"template/render option contract"
],
"expected_output": [
"ATS Minimal HTML/CSS renderer",
"template data-mapping layer",
"render snapshot/contract coverage"
],
"observability_impact": "Renderer failures can identify missing/invalid draft sections or option payloads.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S04",
"id": "T02",
"title": "Add preview and PDF export pipeline",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Add preview and PDF export endpoints/workflow. Use one deterministic rendering path for preview and Playwright/Chromium-backed PDF generation, with stored/exportable artifacts and explicit manual download action.",
"estimate": "2d",
"files": [
"JobTrackerApi/Controllers/* cv export endpoints",
"JobTrackerApi/Services/* pdf export service",
"job-tracker-ui/src/components/JobDetailsDialog.tsx or dedicated preview UI"
],
"verify": "End-to-end verification that preview request succeeds and PDF export returns a downloadable file",
"inputs": [
"S04/T01 renderer",
"browser/PDF runtime availability"
],
"expected_output": [
"preview endpoint/view",
"PDF export endpoint/service",
"downloadable PDF artifact"
],
"observability_impact": "Export status, duration, and failure messages are visible for support/debugging.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S04",
"id": "T03",
"title": "Verify preview/export parity",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Add targeted browser/UAT verification that preview and downloaded PDF correspond to the same draft/template and that export stays manual.",
"estimate": "1d",
"files": [
"job-tracker-ui browser verification artifacts",
".gsd milestone UAT artifacts"
],
"verify": "Browser/UAT flow: generate draft → preview ATS Minimal → download PDF → confirm parity evidence",
"inputs": [
"S04/T02 working export flow"
],
"expected_output": [
"browser/UAT artifact for preview vs export parity",
"debug bundle or acceptance notes"
],
"observability_impact": "Gives durable proof that preview/export parity holds in a real browser pass.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S05",
"id": "T01",
"title": "Add template library beyond ATS Minimal",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Add Modern Professional and Compact Technical templates on top of the shared draft/render contract, keeping preview/export parity and minimizing template-specific branching in core code.",
"estimate": "2d",
"files": [
"job-tracker-ui/src/cv-templates/*",
"renderer tests"
],
"verify": "Renderer tests cover ATS Minimal, Modern Professional, and Compact Technical",
"inputs": [
"M005/S04 renderer contract"
],
"expected_output": [
"Two additional HTML/CSS templates",
"shared render contract exercised by all templates",
"template coverage tests"
],
"observability_impact": "Template id and render diagnostics make template-specific failures traceable.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S05",
"id": "T02",
"title": "Add template-level layout controls",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Implement persisted layout controls: show/hide photo, one-page vs two-page mode, accent color, section ordering, and bullet density. Ensure controls live on the tailored draft/render-options layer and never mutate the canonical profile.",
"estimate": "2d",
"files": [
"job-tracker-ui/src/components/JobDetailsDialog.tsx or dedicated export controls",
"JobTrackerApi tailored draft endpoints/models",
"job-tracker-ui tests"
],
"verify": "Focused frontend/backend tests for persisted render options and preview updates",
"inputs": [
"M005/S03 tailored draft persistence",
"M005/S04 renderer"
],
"expected_output": [
"render options UI + persistence",
"section ordering controls",
"density/page/photo toggles"
],
"observability_impact": "Render options become inspectable and debuggable when previews/exported PDFs differ from expectation.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M005",
"slice_id": "S05",
"id": "T03",
"title": "Run full CV-to-PDF acceptance loop",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Run milestone-level acceptance on the whole loop using a real CV/job pair: upload, review uncertain fields, generate tailored draft, switch templates/options, preview, export, and confirm download path.",
"estimate": "1d",
"files": [
".gsd/milestones/M005/slices/S05/S05-UAT.md",
".gsd milestone summaries"
],
"verify": "Browser/UAT evidence for the full end-to-end CV intelligence/export workflow",
"inputs": [
"All prior M005 slices"
],
"expected_output": [
"M005 slice summary/UAT evidence",
"acceptance checklist with screenshots/artifacts"
],
"observability_impact": "Produces durable acceptance proof and highlights remaining trust gaps for later milestones.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M006",
"slice_id": "S01",
"id": "T01",
"title": "Refactor Gmail connection foundation",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Extract the current Gmail OAuth/token/status behavior into a clearer foundation service seam without changing user-visible behavior yet. Review `GmailController`, `GmailOAuthService`, `GmailConnection`, `JobTrackerContext`, and current migrations/bootstrap logic. Introduce any missing sync-state fields needed for later manual sync/history work (for example last sync attempt, last sync success, last sync error, last sync mode/source) while preserving existing token storage and refresh behavior.",
"estimate": "1 context window",
"files": [
"JobTrackerApi/Controllers/GmailController.cs",
"JobTrackerApi/Services/GmailOAuthService.cs",
"Models/GmailConnection.cs",
"Data/JobTrackerContext.cs",
"JobTrackerApi/Program.cs",
"JobTrackerApi.Tests/GmailControllerTests.cs"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter GmailControllerTests",
"inputs": [
"Existing Gmail OAuth service",
"Existing Gmail controller endpoints",
"Current Gmail connection model"
],
"expected_output": [
"Updated Gmail connection model/schema/bootstrap logic",
"Service/controller seam ready for later sync work",
"Focused backend regression coverage for status/connect/disconnect behavior"
],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M006",
"slice_id": "S01",
"id": "T02",
"title": "Expose Gmail sync state in UI",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Surface the refined Gmail connection/sync state in the frontend where users already manage correspondence. Keep the current per-job UX working, but make connection state, last sync state, and actionable error messages explicit and durable so later global inbox/sync flows can reuse the same language and components.",
"estimate": "1 context window",
"files": [
"job-tracker-ui/src/components/Correspondence.tsx",
"job-tracker-ui/src/types.ts",
"job-tracker-ui/src/correspondence-gmail-import.test.tsx",
"job-tracker-ui/src/i18n/translations.ts"
],
"verify": "cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/correspondence-gmail-import.test.tsx",
"inputs": [
"Current Correspondence component",
"Current Gmail status API response"
],
"expected_output": [
"Updated correspondence/settings UI state surfaces",
"Focused frontend regression coverage for Gmail connection state",
"Reusable copy/components for later global Gmail flows"
],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M006",
"slice_id": "S01",
"id": "T03",
"title": "Prepare extension seam and docs",
"status": "pending",
"one_liner": "",
"narrative": "",
"verification_result": "",
"duration": "",
"completed_at": null,
"blocker_discovered": false,
"deviations": "",
"known_issues": "",
"key_files": [],
"key_decisions": [],
"full_summary_md": "",
"description": "Prepare low-risk Phase 2 extension seams inside the Gmail foundation without turning on AI-dependent behavior. Define interfaces/data slots for future semantic disambiguation and enrichment reasons/confidence so later milestones can attach them to sync/matching outcomes. Document the foundation decisions and the planned M007-M010 sequence so later slices do not rediscover the same boundaries.",
"estimate": "0.5 context window",
"files": [
"JobTrackerApi/Services",
"docs",
"tools/summarizer/README.md",
".gsd/milestones/M006/M006-CONTEXT.md"
],
"verify": "rg -n \"Phase 2|semantic|enrichment|deterministic\" docs JobTrackerApi | head -50",
"inputs": [
"M006 context artifact",
"Current AI/Ollama patterns"
],
"expected_output": [
"Interface/types for future enrichment seam",
"Foundation documentation updated",
"Tests/docs clarify deterministic-first behavior"
],
"observability_impact": "",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S01",
"id": "T01",
"title": "Audited the frontend baseline, upgraded axios to remove the critical direct vulnerability, and restored reproducible local and Docker frontend builds.",
"status": "complete",
"one_liner": "Audited the frontend baseline, upgraded axios to remove the critical direct vulnerability, and restored reproducible local and Docker frontend builds.",
"narrative": "I audited the current frontend dependency and build baseline in `job-tracker-ui`, confirmed that the only direct critical finding was `axios`, and verified that the rest of the remaining audit findings were transitive through `react-scripts` and its older build chain. I then upgraded `axios` from `^1.13.6` to `^1.15.0`, refreshed the lockfile, and fixed a contaminated build workspace where root-owned files under `job-tracker-ui/build/static` were blocking local builds. After that, I rebuilt the frontend locally and inside Docker. The Docker build still failed once because the lockfile generated by the local Node 25/npm 11 toolchain was not accepted by the Node 20/npm 10 image used in the frontend Dockerfile. I regenerated the lockfile using the same Node 20/npm 10 container toolchain, re-ran `npm ci` under that environment, and verified that the frontend image now builds successfully. The result is a stable CRA baseline with the critical direct vulnerability removed and a clear follow-on decision: do not couple the upcoming auth/session hardening slice to a framework migration, but keep the broader migration on the roadmap because CRA remains the source of most remaining frontend audit debt.",
"verification_result": "Baseline and after-state checks were run on the frontend dependency graph, local build path, npm-version compatibility, and Docker image build. The critical direct audit finding was removed, the frontend now builds locally again, and the Docker frontend image build passes after regenerating the lockfile with the container toolchain. The only failing verification left in the frontend suite was a pair of pre-existing UI tests unrelated to the axios/package-lock remediation.",
"duration": "",
"completed_at": "2026-04-10T16:45:12.983Z",
"blocker_discovered": false,
"deviations": "`npm run build` initially failed because `job-tracker-ui/build/static` contained root-owned artifacts from an earlier containerized build. I repaired the workspace by cleaning/regenerating the directory through Docker before continuing. Docker `npm ci` then exposed an npm-version-specific lockfile mismatch (`npm 11` locally vs `npm 10` in the Node 20 image), so I regenerated the lockfile with the container toolchain to restore reproducible builds.",
"known_issues": "Frontend audit debt remains concentrated behind `react-scripts` and its transitive toolchain: 27 vulnerabilities remain after the direct axios remediation (9 low, 3 moderate, 15 high). Full retirement of that debt still requires a broader build-tool migration or equivalent ecosystem move.",
"key_files": [
"job-tracker-ui/package.json",
"job-tracker-ui/package-lock.json"
],
"key_decisions": [
"D019 — remediate the direct critical dependency now, keep the CRA baseline stable for the next slice, and defer broader build-tool migration to dedicated follow-on work."
],
"full_summary_md": "---\nid: T01\nparent: S01\nmilestone: M011\nkey_files:\n - job-tracker-ui/package.json\n - job-tracker-ui/package-lock.json\nkey_decisions:\n - D019 — remediate the direct critical dependency now, keep the CRA baseline stable for the next slice, and defer broader build-tool migration to dedicated follow-on work.\nduration: \nverification_result: mixed\ncompleted_at: 2026-04-10T16:45:12.981Z\nblocker_discovered: false\n---\n\n# T01: Audited the frontend baseline, upgraded axios to remove the critical direct vulnerability, and restored reproducible local and Docker frontend builds.\n\n**Audited the frontend baseline, upgraded axios to remove the critical direct vulnerability, and restored reproducible local and Docker frontend builds.**\n\n## What Happened\n\nI audited the current frontend dependency and build baseline in `job-tracker-ui`, confirmed that the only direct critical finding was `axios`, and verified that the rest of the remaining audit findings were transitive through `react-scripts` and its older build chain. I then upgraded `axios` from `^1.13.6` to `^1.15.0`, refreshed the lockfile, and fixed a contaminated build workspace where root-owned files under `job-tracker-ui/build/static` were blocking local builds. After that, I rebuilt the frontend locally and inside Docker. The Docker build still failed once because the lockfile generated by the local Node 25/npm 11 toolchain was not accepted by the Node 20/npm 10 image used in the frontend Dockerfile. I regenerated the lockfile using the same Node 20/npm 10 container toolchain, re-ran `npm ci` under that environment, and verified that the frontend image now builds successfully. The result is a stable CRA baseline with the critical direct vulnerability removed and a clear follow-on decision: do not couple the upcoming auth/session hardening slice to a framework migration, but keep the broader migration on the roadmap because CRA remains the source of most remaining frontend audit debt.\n\n## Verification\n\nBaseline and after-state checks were run on the frontend dependency graph, local build path, npm-version compatibility, and Docker image build. The critical direct audit finding was removed, the frontend now builds locally again, and the Docker frontend image build passes after regenerating the lockfile with the container toolchain. The only failing verification left in the frontend suite was a pair of pre-existing UI tests unrelated to the axios/package-lock remediation.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `Baseline: `cd job-tracker-ui && npm audit --audit-level=moderate --json` showed 28 vulnerabilities including 1 critical direct finding on axios <1.15.0.` | -1 | unknown (coerced from string) | 0ms |\n| 2 | `Baseline: `cd job-tracker-ui && npm run build` initially failed with EACCES because `job-tracker-ui/build/static` contained root-owned files.` | -1 | unknown (coerced from string) | 0ms |\n| 3 | `After remediation: `cd job-tracker-ui && npm install` updated axios to 1.15.0 and removed the direct critical vulnerability.` | -1 | unknown (coerced from string) | 0ms |\n| 4 | `After remediation: `cd job-tracker-ui && npm audit --audit-level=moderate --json` showed 27 remaining vulnerabilities and 0 critical findings.` | -1 | unknown (coerced from string) | 0ms |\n| 5 | `After remediation: `cd job-tracker-ui && npm run build` completed successfully.` | -1 | unknown (coerced from string) | 0ms |\n| 6 | `Compatibility check: `docker run --rm -v ... node:20-alpine sh -lc 'npm ci'` initially failed on a lockfile mismatch (`Missing: yaml@2.8.3 from lock file`).` | -1 | unknown (coerced from string) | 0ms |\n| 7 | `Compatibility fix: `docker run --rm --user 1000:1000 -v ... node:20-alpine sh -lc 'npm install'` regenerated the lockfile using the same npm major version as the Docker image.` | -1 | unknown (coerced from string) | 0ms |\n| 8 | `After compatibility fix: `docker run --rm -v ... node:20-alpine sh -lc 'npm ci --foreground-scripts=false'` completed successfully.` | -1 | unknown (coerced from string) | 0ms |\n| 9 | `Container verification: `cd /home/pi/development/JobTracker && docker compose build frontend` completed successfully.` | -1 | unknown (coerced from string) | 0ms |\n| 10 | `Regression signal: `cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false` finished with 16 passing suites and 2 failing suites (`daily-control-loop.test.tsx`, `end-to-end-trust-loop.test.tsx`) that appear unrelated to the dependency remediation itself.` | -1 | unknown (coerced from string) | 0ms |\n\n## Deviations\n\n`npm run build` initially failed because `job-tracker-ui/build/static` contained root-owned artifacts from an earlier containerized build. I repaired the workspace by cleaning/regenerating the directory through Docker before continuing. Docker `npm ci` then exposed an npm-version-specific lockfile mismatch (`npm 11` locally vs `npm 10` in the Node 20 image), so I regenerated the lockfile with the container toolchain to restore reproducible builds.\n\n## Known Issues\n\nFrontend audit debt remains concentrated behind `react-scripts` and its transitive toolchain: 27 vulnerabilities remain after the direct axios remediation (9 low, 3 moderate, 15 high). Full retirement of that debt still requires a broader build-tool migration or equivalent ecosystem move.\n\n## Files Created/Modified\n\n- `job-tracker-ui/package.json`\n- `job-tracker-ui/package-lock.json`\n",
"description": "1. Inspect the current frontend toolchain and dependency graph in `job-tracker-ui/`.\n2. Re-run and capture the current audit/build baseline (`npm audit`, install/build/test commands) so the slice has a before/after proof point.\n3. Identify which findings are direct, which are transitive through `react-scripts`, and what minimum safe upgrades are possible without migration.\n4. Produce a short implementation decision for this slice: immediate package remediation only, or package remediation plus build-tool migration foundation if that is the smallest credible way to retire the risk.",
"estimate": "0.5-1 day",
"files": [
"job-tracker-ui/package.json",
"job-tracker-ui/package-lock.json",
"job-tracker-ui/",
"docker-compose.yml"
],
"verify": "cd job-tracker-ui && npm audit --audit-level=moderate || true\ncd job-tracker-ui && npm run build",
"inputs": [
"job-tracker-ui/package.json",
"existing `npm audit` results",
"current frontend build/test scripts"
],
"expected_output": [
"Verified dependency/audit baseline for the current frontend",
"Concrete remediation strategy grounded in the actual package graph"
],
"observability_impact": "Creates the slices baseline proof for dependency risk and build health.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S01",
"id": "T02",
"title": "Applied the frontend dependency remediation and restored a reproducible build path for both local and Docker builds.",
"status": "complete",
"one_liner": "Applied the frontend dependency remediation and restored a reproducible build path for both local and Docker builds.",
"narrative": "I implemented the smallest safe dependency remediation by upgrading the direct `axios` dependency to `^1.15.0` and refreshing the lockfile accordingly. I also normalized the lockfile against the Node 20/npm 10 toolchain used by the frontend Docker image so that `npm ci` and `docker compose build frontend` remain reproducible. I did not start a framework migration in this task because the audit evidence showed that the critical risk could be retired with a much smaller change surface, and the upcoming auth/session slice should not inherit migration churn unnecessarily.",
"verification_result": "The remediated dependency set was verified through local install/build, container `npm ci`, and a full frontend Docker image build. The direct critical axios finding is no longer present.",
"duration": "",
"completed_at": "2026-04-10T16:46:52.965Z",
"blocker_discovered": false,
"deviations": "The implementation change itself was minimal: only the direct vulnerable dependency and lockfile needed updates. The larger build-path work was environmental rather than architectural, centered on root-owned build artifacts and npm-version lockfile compatibility.",
"known_issues": "The broader `react-scripts` transitive vulnerability set is still present and remains scheduled follow-up work under the milestones frontend-platform hardening track.",
"key_files": [
"job-tracker-ui/package.json",
"job-tracker-ui/package-lock.json"
],
"key_decisions": [
"D019 — keep the CRA baseline stable for the next slice instead of coupling auth hardening to a framework migration."
],
"full_summary_md": "---\nid: T02\nparent: S01\nmilestone: M011\nkey_files:\n - job-tracker-ui/package.json\n - job-tracker-ui/package-lock.json\nkey_decisions:\n - D019 — keep the CRA baseline stable for the next slice instead of coupling auth hardening to a framework migration.\nduration: \nverification_result: mixed\ncompleted_at: 2026-04-10T16:46:52.964Z\nblocker_discovered: false\n---\n\n# T02: Applied the frontend dependency remediation and restored a reproducible build path for both local and Docker builds.\n\n**Applied the frontend dependency remediation and restored a reproducible build path for both local and Docker builds.**\n\n## What Happened\n\nI implemented the smallest safe dependency remediation by upgrading the direct `axios` dependency to `^1.15.0` and refreshing the lockfile accordingly. I also normalized the lockfile against the Node 20/npm 10 toolchain used by the frontend Docker image so that `npm ci` and `docker compose build frontend` remain reproducible. I did not start a framework migration in this task because the audit evidence showed that the critical risk could be retired with a much smaller change surface, and the upcoming auth/session slice should not inherit migration churn unnecessarily.\n\n## Verification\n\nThe remediated dependency set was verified through local install/build, container `npm ci`, and a full frontend Docker image build. The direct critical axios finding is no longer present.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | ``cd job-tracker-ui && npm install` updated axios to 1.15.0 and synchronized the package tree.` | -1 | unknown (coerced from string) | 0ms |\n| 2 | ``cd job-tracker-ui && npm run build` succeeded after the workspace cleanup.` | -1 | unknown (coerced from string) | 0ms |\n| 3 | ``docker run --rm --user 1000:1000 -v /home/pi/development/JobTracker/job-tracker-ui:/app -w /app node:20-alpine sh -lc 'npm install'` regenerated the lockfile for the container toolchain.` | -1 | unknown (coerced from string) | 0ms |\n| 4 | ``docker run --rm -v /home/pi/development/JobTracker/job-tracker-ui:/app -w /app node:20-alpine sh -lc 'npm ci --foreground-scripts=false'` succeeded.` | -1 | unknown (coerced from string) | 0ms |\n| 5 | ``cd /home/pi/development/JobTracker && docker compose build frontend` succeeded.` | -1 | unknown (coerced from string) | 0ms |\n\n## Deviations\n\nThe implementation change itself was minimal: only the direct vulnerable dependency and lockfile needed updates. The larger build-path work was environmental rather than architectural, centered on root-owned build artifacts and npm-version lockfile compatibility.\n\n## Known Issues\n\nThe broader `react-scripts` transitive vulnerability set is still present and remains scheduled follow-up work under the milestones frontend-platform hardening track.\n\n## Files Created/Modified\n\n- `job-tracker-ui/package.json`\n- `job-tracker-ui/package-lock.json`\n",
"description": "1. Update direct vulnerable dependencies first, starting with the critical direct package.\n2. Apply the smallest safe lockfile/package changes that materially reduce the current risk.\n3. If `react-scripts` remains the blocker, introduce the minimum viable migration foundation needed to move away from it safely instead of forcing partial unsafe upgrades.\n4. Keep the existing app behavior and API integration intact while changing the build baseline.",
"estimate": "1-2 days",
"files": [
"job-tracker-ui/package.json",
"job-tracker-ui/package-lock.json",
"job-tracker-ui/Dockerfile",
"job-tracker-ui/nginx.conf",
"job-tracker-ui/public/index.html",
"job-tracker-ui/src/index.tsx"
],
"verify": "cd job-tracker-ui && npm install\ncd job-tracker-ui && npm run build",
"inputs": [
"T01 findings",
"current CRA/Vite-compatible frontend entrypoints and build config"
],
"expected_output": [
"Remediated frontend dependency set",
"Updated lockfile and build configuration matching the chosen direction"
],
"observability_impact": "Reduces dependency risk and proves the new build path is executable in this worktree.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S01",
"id": "T03",
"title": "Verified the remediated frontend baseline, quantified the remaining CRA-driven audit debt, and recorded the stable platform direction for the next slice.",
"status": "complete",
"one_liner": "Verified the remediated frontend baseline, quantified the remaining CRA-driven audit debt, and recorded the stable platform direction for the next slice.",
"narrative": "I reran the frontend audit, local production build, container install path, and Docker image build to establish the after-state baseline for S01. The critical direct dependency issue is gone, the local and Docker build paths are both working, and the remaining audit debt is now clearly attributable to the older CRA/react-scripts toolchain rather than the direct application dependency set. I also ran the full frontend test suite to measure regression risk. Most suites passed, but two existing workflow/package tests still fail for reasons outside the dependency remediation. With that evidence in hand, the platform direction for this slice is now explicit: the frontend can safely proceed into auth hardening on a stabilized CRA baseline, but a broader build-tool migration remains necessary later to remove the remaining transitive audit debt.",
"verification_result": "After-state verification included frontend audit, local build, container `npm ci`, Docker image build, and full frontend test execution. The baseline is reproducible, the critical direct vulnerability is retired, and remaining failures are isolated as follow-up work rather than hidden.",
"duration": "",
"completed_at": "2026-04-10T16:47:07.042Z",
"blocker_discovered": false,
"deviations": "The final verification surfaced two failing frontend suites that were not introduced by the dependency change and appear to be pre-existing behavioral drift in workflow/package UI tests. I recorded them as remaining issues instead of expanding this task into unrelated UI behavior fixes.",
"known_issues": "`CI=true npm test -- --runInBand --watch=false` still reports failing suites in `src/daily-control-loop.test.tsx` and `src/end-to-end-trust-loop.test.tsx`, with assertions around expected workflow/package text and saved package values. Those failures need separate follow-up and are not explained by the axios/package-lock update alone.",
"key_files": [
"job-tracker-ui/package.json",
"job-tracker-ui/package-lock.json"
],
"key_decisions": [
"D019 — stabilize the CRA baseline now and defer the larger migration decision to a later dedicated step."
],
"full_summary_md": "---\nid: T03\nparent: S01\nmilestone: M011\nkey_files:\n - job-tracker-ui/package.json\n - job-tracker-ui/package-lock.json\nkey_decisions:\n - D019 — stabilize the CRA baseline now and defer the larger migration decision to a later dedicated step.\nduration: \nverification_result: mixed\ncompleted_at: 2026-04-10T16:47:07.041Z\nblocker_discovered: false\n---\n\n# T03: Verified the remediated frontend baseline, quantified the remaining CRA-driven audit debt, and recorded the stable platform direction for the next slice.\n\n**Verified the remediated frontend baseline, quantified the remaining CRA-driven audit debt, and recorded the stable platform direction for the next slice.**\n\n## What Happened\n\nI reran the frontend audit, local production build, container install path, and Docker image build to establish the after-state baseline for S01. The critical direct dependency issue is gone, the local and Docker build paths are both working, and the remaining audit debt is now clearly attributable to the older CRA/react-scripts toolchain rather than the direct application dependency set. I also ran the full frontend test suite to measure regression risk. Most suites passed, but two existing workflow/package tests still fail for reasons outside the dependency remediation. With that evidence in hand, the platform direction for this slice is now explicit: the frontend can safely proceed into auth hardening on a stabilized CRA baseline, but a broader build-tool migration remains necessary later to remove the remaining transitive audit debt.\n\n## Verification\n\nAfter-state verification included frontend audit, local build, container `npm ci`, Docker image build, and full frontend test execution. The baseline is reproducible, the critical direct vulnerability is retired, and remaining failures are isolated as follow-up work rather than hidden.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | ``cd job-tracker-ui && npm audit --audit-level=moderate --json` now reports 0 critical findings and 27 remaining transitive findings.` | -1 | unknown (coerced from string) | 0ms |\n| 2 | ``cd job-tracker-ui && npm run build` succeeded.` | -1 | unknown (coerced from string) | 0ms |\n| 3 | ``docker run --rm -v /home/pi/development/JobTracker/job-tracker-ui:/app -w /app node:20-alpine sh -lc 'npm ci --foreground-scripts=false'` succeeded.` | -1 | unknown (coerced from string) | 0ms |\n| 4 | ``cd /home/pi/development/JobTracker && docker compose build frontend` succeeded.` | -1 | unknown (coerced from string) | 0ms |\n| 5 | ``cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false` produced 16 passing suites and 2 failing suites, leaving a clear follow-up list instead of an unverified baseline.` | -1 | unknown (coerced from string) | 0ms |\n\n## Deviations\n\nThe final verification surfaced two failing frontend suites that were not introduced by the dependency change and appear to be pre-existing behavioral drift in workflow/package UI tests. I recorded them as remaining issues instead of expanding this task into unrelated UI behavior fixes.\n\n## Known Issues\n\n`CI=true npm test -- --runInBand --watch=false` still reports failing suites in `src/daily-control-loop.test.tsx` and `src/end-to-end-trust-loop.test.tsx`, with assertions around expected workflow/package text and saved package values. Those failures need separate follow-up and are not explained by the axios/package-lock update alone.\n\n## Files Created/Modified\n\n- `job-tracker-ui/package.json`\n- `job-tracker-ui/package-lock.json`\n",
"description": "1. Run focused frontend tests and any app-entry smoke verification needed after the dependency/build changes.\n2. Re-run `npm audit` and compare against the baseline to confirm the critical direct issue is retired and quantify remaining transitive debt.\n3. Validate the frontend container/build path still works with the chosen approach.\n4. Document the resulting baseline and any intentionally deferred migration work so later slices are not guessing.",
"estimate": "0.5-1 day",
"files": [
"job-tracker-ui/package.json",
"job-tracker-ui/package-lock.json",
"job-tracker-ui/Dockerfile",
"job-tracker-ui/src/",
"docker-compose.yml"
],
"verify": "cd job-tracker-ui && npm audit --audit-level=moderate || true\ncd job-tracker-ui && CI=true npm test -- --runInBand --watch=false\ncd job-tracker-ui && npm run build\ncd /home/pi/development/JobTracker && docker compose build frontend",
"inputs": [
"Updated frontend from T02",
"existing frontend tests"
],
"expected_output": [
"After-state audit/build/test evidence",
"Documented frontend platform direction and deferred debt list"
],
"observability_impact": "Produces the slice-level evidence that S01 actually retired risk instead of only moving packages around.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S02",
"id": "T01",
"title": "Mapped the existing bearer-token auth surface and defined the cookie-backed target session model for S02.",
"status": "complete",
"one_liner": "Mapped the existing bearer-token auth surface and defined the cookie-backed target session model for S02.",
"narrative": "I mapped the full current auth/session surface across the frontend and API. The frontend presently treats a JWT stored in `localStorage` or `sessionStorage` as the primary session source of truth: `auth.ts` persists it, `api.ts` attaches it as a Bearer header, `App.tsx` gates protected routes based on whether the token exists, and components like `GoogleAuthCard`, `AuthStatusCard`, `UserManagementCard`, and `themePrefs.ts` read directly from that token or its decoded payload. On the API side, local app auth is JWT Bearer-based, with the local token issued by `TokenService` and returned from `/auth/login`, `/auth/register`, and `/auth/google/exchange`; authorization then depends on the `Authorization: Bearer` header path configured in `Program.cs`. That map made the migration seam clear: if we only remove browser storage without changing the API transport and frontend route guards together, we will break protected flows. I therefore defined the target model for S02 as an HttpOnly cookie-backed app session for the primary local auth path, with the API reading the local app JWT from a cookie, the frontend moving away from browser-stored app tokens as the primary session source, and CSRF protection added for state-changing requests. Google credential exchange should remain server-side and issue the same app session transport so the app has one coherent authenticated state model.",
"verification_result": "Verified the current auth/session surface with targeted code search and file inspection across the frontend auth helpers, protected-route logic, Google sign-in flow, and API auth/token setup. The complete list of token assumptions and the replacement session seam are now explicit.",
"duration": "",
"completed_at": "2026-04-10T16:49:40.585Z",
"blocker_discovered": false,
"deviations": "None.",
"known_issues": "Google sign-in and a few frontend preference helpers currently treat a browser-stored JWT as the source of truth, so the implementation task needs to update those touchpoints together rather than piecemeal.",
"key_files": [
"job-tracker-ui/src/auth.ts",
"job-tracker-ui/src/api.ts",
"job-tracker-ui/src/pages/LoginPage.tsx",
"job-tracker-ui/src/components/GoogleAuthCard.tsx",
"job-tracker-ui/src/components/AuthStatusCard.tsx",
"job-tracker-ui/src/themePrefs.ts",
"job-tracker-ui/src/components/UserManagementCard.tsx",
"job-tracker-ui/src/App.tsx",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Services/TokenService.cs",
"JobTrackerApi/Program.cs"
],
"key_decisions": [
"D020 — replace browser-stored bearer tokens with an HttpOnly cookie-backed app session and explicit CSRF handling for state-changing requests."
],
"full_summary_md": "---\nid: T01\nparent: S02\nmilestone: M011\nkey_files:\n - job-tracker-ui/src/auth.ts\n - job-tracker-ui/src/api.ts\n - job-tracker-ui/src/pages/LoginPage.tsx\n - job-tracker-ui/src/components/GoogleAuthCard.tsx\n - job-tracker-ui/src/components/AuthStatusCard.tsx\n - job-tracker-ui/src/themePrefs.ts\n - job-tracker-ui/src/components/UserManagementCard.tsx\n - job-tracker-ui/src/App.tsx\n - JobTrackerApi/Controllers/AuthController.cs\n - JobTrackerApi/Services/TokenService.cs\n - JobTrackerApi/Program.cs\nkey_decisions:\n - D020 — replace browser-stored bearer tokens with an HttpOnly cookie-backed app session and explicit CSRF handling for state-changing requests.\nduration: \nverification_result: mixed\ncompleted_at: 2026-04-10T16:49:40.584Z\nblocker_discovered: false\n---\n\n# T01: Mapped the existing bearer-token auth surface and defined the cookie-backed target session model for S02.\n\n**Mapped the existing bearer-token auth surface and defined the cookie-backed target session model for S02.**\n\n## What Happened\n\nI mapped the full current auth/session surface across the frontend and API. The frontend presently treats a JWT stored in `localStorage` or `sessionStorage` as the primary session source of truth: `auth.ts` persists it, `api.ts` attaches it as a Bearer header, `App.tsx` gates protected routes based on whether the token exists, and components like `GoogleAuthCard`, `AuthStatusCard`, `UserManagementCard`, and `themePrefs.ts` read directly from that token or its decoded payload. On the API side, local app auth is JWT Bearer-based, with the local token issued by `TokenService` and returned from `/auth/login`, `/auth/register`, and `/auth/google/exchange`; authorization then depends on the `Authorization: Bearer` header path configured in `Program.cs`. That map made the migration seam clear: if we only remove browser storage without changing the API transport and frontend route guards together, we will break protected flows. I therefore defined the target model for S02 as an HttpOnly cookie-backed app session for the primary local auth path, with the API reading the local app JWT from a cookie, the frontend moving away from browser-stored app tokens as the primary session source, and CSRF protection added for state-changing requests. Google credential exchange should remain server-side and issue the same app session transport so the app has one coherent authenticated state model.\n\n## Verification\n\nVerified the current auth/session surface with targeted code search and file inspection across the frontend auth helpers, protected-route logic, Google sign-in flow, and API auth/token setup. The complete list of token assumptions and the replacement session seam are now explicit.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | ``rg -n \"authToken|Authorization|Bearer|clearAuthToken|setAuthToken|getAuthToken|JwtBearer|TokenService|request-password-reset|login|logout\" job-tracker-ui/src JobTrackerApi -S` enumerated the frontend and API auth touchpoints.` | -1 | unknown (coerced from string) | 0ms |\n| 2 | `Reviewed `job-tracker-ui/src/auth.ts` and confirmed that localStorage/sessionStorage currently hold the app token.` | -1 | unknown (coerced from string) | 0ms |\n| 3 | `Reviewed `job-tracker-ui/src/api.ts` and confirmed the Authorization header is attached from browser storage on each request.` | -1 | unknown (coerced from string) | 0ms |\n| 4 | `Reviewed `job-tracker-ui/src/App.tsx`, `LoginPage.tsx`, `GoogleAuthCard.tsx`, `AuthStatusCard.tsx`, `UserManagementCard.tsx`, and `themePrefs.ts` to identify direct frontend dependencies on browser-stored JWT state.` | -1 | unknown (coerced from string) | 0ms |\n| 5 | `Reviewed `JobTrackerApi/Controllers/AuthController.cs`, `JobTrackerApi/Services/TokenService.cs`, and `JobTrackerApi/Program.cs` to confirm local app auth is currently JWT Bearer-based and returned directly to the frontend.` | -1 | unknown (coerced from string) | 0ms |\n\n## Deviations\n\nNone.\n\n## Known Issues\n\nGoogle sign-in and a few frontend preference helpers currently treat a browser-stored JWT as the source of truth, so the implementation task needs to update those touchpoints together rather than piecemeal.\n\n## Files Created/Modified\n\n- `job-tracker-ui/src/auth.ts`\n- `job-tracker-ui/src/api.ts`\n- `job-tracker-ui/src/pages/LoginPage.tsx`\n- `job-tracker-ui/src/components/GoogleAuthCard.tsx`\n- `job-tracker-ui/src/components/AuthStatusCard.tsx`\n- `job-tracker-ui/src/themePrefs.ts`\n- `job-tracker-ui/src/components/UserManagementCard.tsx`\n- `job-tracker-ui/src/App.tsx`\n- `JobTrackerApi/Controllers/AuthController.cs`\n- `JobTrackerApi/Services/TokenService.cs`\n- `JobTrackerApi/Program.cs`\n",
"description": "1. Inspect the current auth/session path across frontend and API: login, token issuance, request auth, logout, protected-route checks, and unauthorized handling.\n2. Identify every place that assumes a browser-stored bearer token (`localStorage`, `sessionStorage`, Authorization headers).\n3. Design the target session model for this app: secure cookie issuance, server expectations, CSRF strategy for state-changing requests, and compatibility with admin and Gmail-related flows.\n4. Record the migration seam so implementation can proceed without partial mixed-state confusion.",
"estimate": "0.5-1 day",
"files": [
"job-tracker-ui/src/auth.ts",
"job-tracker-ui/src/api.ts",
"job-tracker-ui/src/App.tsx",
"job-tracker-ui/src/pages/LoginPage.tsx",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Services/TokenService.cs",
"JobTrackerApi/Program.cs"
],
"verify": "rg -n \"authToken|Authorization|Bearer|clearAuthToken|setAuthToken|JwtBearer|TokenService|request-password-reset|login\" job-tracker-ui/src JobTrackerApi -S",
"inputs": [
"Current frontend auth helpers",
"Current API auth/token setup",
"S01 stabilized frontend baseline"
],
"expected_output": [
"Concrete auth/session migration design grounded in current code",
"Exact list of frontend and API touchpoints to change"
],
"observability_impact": "Creates the baseline map for auth/session diagnostics and compatibility checks.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S02",
"id": "T02",
"title": "Replaced browser-stored bearer auth with a cookie-backed session transport across the frontend and API.",
"status": "complete",
"one_liner": "Replaced browser-stored bearer auth with a cookie-backed session transport across the frontend and API.",
"narrative": "I rewired the primary local auth path so the API now issues the app JWT into secure cookies instead of returning it for browser storage, and the frontend now operates on session state rather than persisted bearer tokens. On the frontend, `job-tracker-ui/src/auth.ts` now manages only lightweight client auth metadata and CSRF helpers; `job-tracker-ui/src/api.ts` uses `withCredentials`, axios XSRF settings, and explicit 401 cleanup; `job-tracker-ui/src/App.tsx` resolves auth through `/auth/me` plus `auth-changed` events for route gating; and `job-tracker-ui/src/pages/LoginPage.tsx`, `src/pages/ProfilePage.tsx`, `src/components/GoogleAuthCard.tsx`, `src/components/AuthStatusCard.tsx`, `src/components/UserManagementCard.tsx`, and `src/themePrefs.ts` were updated to stop depending on browser-stored JWTs. On the API side, `JobTrackerApi/Controllers/AuthController.cs` now signs users in by setting session and CSRF cookies, adds logout and CSRF endpoints, and accepts `RememberMe` on local and Google auth requests. `JobTrackerApi/Program.cs` now reads the local JWT from the auth cookie and enforces CSRF on mutating requests for authenticated sessions. `JobTrackerApi/Services/AuthSessionOptions.cs` centralizes cookie/header naming and cookie settings so the server transport stays coherent.",
"verification_result": "Verified the new transport with focused API auth tests and updated frontend auth tests. The API project builds cleanly with cookie-based JWT extraction and CSRF enforcement in place, and the frontend builds cleanly after removing token-storage assumptions from login/profile/admin/Google auth surfaces.",
"duration": "",
"completed_at": "2026-04-10T19:57:16.245Z",
"blocker_discovered": false,
"deviations": "None.",
"known_issues": "A full live browser login/logout round-trip could not be completed against the existing local database because `admin@example.com` in this checkout does not accept the placeholder development password from `appsettings.Development.json`. The transport itself is covered by focused tests; browser verification was limited to protected-route and unauthenticated session behavior.",
"key_files": [
"job-tracker-ui/src/auth.ts",
"job-tracker-ui/src/api.ts",
"job-tracker-ui/src/App.tsx",
"job-tracker-ui/src/pages/LoginPage.tsx",
"job-tracker-ui/src/pages/ProfilePage.tsx",
"job-tracker-ui/src/components/GoogleAuthCard.tsx",
"job-tracker-ui/src/components/AuthStatusCard.tsx",
"job-tracker-ui/src/components/UserManagementCard.tsx",
"job-tracker-ui/src/themePrefs.ts",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Program.cs",
"JobTrackerApi/Services/AuthSessionOptions.cs"
],
"key_decisions": [
"Keep bearer token generation on the server but move browser transport to secure cookies.",
"Use `/auth/me` plus an `auth-changed` event as the frontend session truth source instead of localStorage/sessionStorage JWT reads.",
"Pair the session cookie with a separate CSRF cookie/header contract for mutating requests."
],
"full_summary_md": "---\nid: T02\nparent: S02\nmilestone: M011\nkey_files:\n - job-tracker-ui/src/auth.ts\n - job-tracker-ui/src/api.ts\n - job-tracker-ui/src/App.tsx\n - job-tracker-ui/src/pages/LoginPage.tsx\n - job-tracker-ui/src/pages/ProfilePage.tsx\n - job-tracker-ui/src/components/GoogleAuthCard.tsx\n - job-tracker-ui/src/components/AuthStatusCard.tsx\n - job-tracker-ui/src/components/UserManagementCard.tsx\n - job-tracker-ui/src/themePrefs.ts\n - JobTrackerApi/Controllers/AuthController.cs\n - JobTrackerApi/Program.cs\n - JobTrackerApi/Services/AuthSessionOptions.cs\nkey_decisions:\n - Keep bearer token generation on the server but move browser transport to secure cookies.\n - Use `/auth/me` plus an `auth-changed` event as the frontend session truth source instead of localStorage/sessionStorage JWT reads.\n - Pair the session cookie with a separate CSRF cookie/header contract for mutating requests.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T19:57:16.244Z\nblocker_discovered: false\n---\n\n# T02: Replaced browser-stored bearer auth with a cookie-backed session transport across the frontend and API.\n\n**Replaced browser-stored bearer auth with a cookie-backed session transport across the frontend and API.**\n\n## What Happened\n\nI rewired the primary local auth path so the API now issues the app JWT into secure cookies instead of returning it for browser storage, and the frontend now operates on session state rather than persisted bearer tokens. On the frontend, `job-tracker-ui/src/auth.ts` now manages only lightweight client auth metadata and CSRF helpers; `job-tracker-ui/src/api.ts` uses `withCredentials`, axios XSRF settings, and explicit 401 cleanup; `job-tracker-ui/src/App.tsx` resolves auth through `/auth/me` plus `auth-changed` events for route gating; and `job-tracker-ui/src/pages/LoginPage.tsx`, `src/pages/ProfilePage.tsx`, `src/components/GoogleAuthCard.tsx`, `src/components/AuthStatusCard.tsx`, `src/components/UserManagementCard.tsx`, and `src/themePrefs.ts` were updated to stop depending on browser-stored JWTs. On the API side, `JobTrackerApi/Controllers/AuthController.cs` now signs users in by setting session and CSRF cookies, adds logout and CSRF endpoints, and accepts `RememberMe` on local and Google auth requests. `JobTrackerApi/Program.cs` now reads the local JWT from the auth cookie and enforces CSRF on mutating requests for authenticated sessions. `JobTrackerApi/Services/AuthSessionOptions.cs` centralizes cookie/header naming and cookie settings so the server transport stays coherent.\n\n## Verification\n\nVerified the new transport with focused API auth tests and updated frontend auth tests. The API project builds cleanly with cookie-based JWT extraction and CSRF enforcement in place, and the frontend builds cleanly after removing token-storage assumptions from login/profile/admin/Google auth surfaces.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter FullyQualifiedName~Auth` | 0 | ✅ pass | 163ms |\n| 2 | `cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/login-page.test.tsx src/profile-page.test.tsx` | 0 | ✅ pass | 15267ms |\n| 3 | `dotnet build JobTrackerApi/JobTrackerApi.csproj` | 0 | ✅ pass | 5430ms |\n| 4 | `cd job-tracker-ui && npm run build` | 0 | ✅ pass | 0ms |\n\n## Deviations\n\nNone.\n\n## Known Issues\n\nA full live browser login/logout round-trip could not be completed against the existing local database because `admin@example.com` in this checkout does not accept the placeholder development password from `appsettings.Development.json`. The transport itself is covered by focused tests; browser verification was limited to protected-route and unauthenticated session behavior.\n\n## Files Created/Modified\n\n- `job-tracker-ui/src/auth.ts`\n- `job-tracker-ui/src/api.ts`\n- `job-tracker-ui/src/App.tsx`\n- `job-tracker-ui/src/pages/LoginPage.tsx`\n- `job-tracker-ui/src/pages/ProfilePage.tsx`\n- `job-tracker-ui/src/components/GoogleAuthCard.tsx`\n- `job-tracker-ui/src/components/AuthStatusCard.tsx`\n- `job-tracker-ui/src/components/UserManagementCard.tsx`\n- `job-tracker-ui/src/themePrefs.ts`\n- `JobTrackerApi/Controllers/AuthController.cs`\n- `JobTrackerApi/Program.cs`\n- `JobTrackerApi/Services/AuthSessionOptions.cs`\n",
"description": "1. Implement the new primary auth/session transport on the API and frontend.\n2. Move local login away from browser-stored bearer tokens toward secure cookie-based sessions (with associated CSRF/session handling as required by the chosen design).\n3. Update frontend request handling, logout, protected-route checks, and unauthorized behavior to match the new model.\n4. Preserve existing app flows, including admin and Gmail-linked surfaces, under the new auth/session contract.",
"estimate": "1.5-2.5 days",
"files": [
"job-tracker-ui/src/auth.ts",
"job-tracker-ui/src/api.ts",
"job-tracker-ui/src/App.tsx",
"job-tracker-ui/src/pages/LoginPage.tsx",
"job-tracker-ui/src/pages/ProfilePage.tsx",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Program.cs",
"JobTrackerApi/Services/TokenService.cs"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter Auth\ncd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/login-page.test.tsx src/profile-page.test.tsx",
"inputs": [
"T01 migration design",
"existing auth endpoints and protected-route behavior"
],
"expected_output": [
"Working cookie/session-based primary auth path",
"Updated frontend auth/request logic aligned with the new server contract"
],
"observability_impact": "Improves session failure visibility and removes client-side token persistence as the primary trust mechanism.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S02",
"id": "T03",
"title": "Added rate limiting and verified protected-route / unauthenticated session behavior for the new auth model.",
"status": "complete",
"one_liner": "Added rate limiting and verified protected-route / unauthenticated session behavior for the new auth model.",
"narrative": "I hardened the auth-sensitive edges around the new session model and verified the protected-route behavior that was practical in this environment. `JobTrackerApi/Program.cs` now registers fixed-window rate limiting policies for login-style requests and auth-triggered email paths, and `JobTrackerApi/Controllers/AuthController.cs` / `JobTrackerApi/Controllers/UsersController.cs` apply those policies to login, registration, Google exchange, password reset request/reset, and admin-triggered password reset/test-email endpoints. I also adjusted `JobTrackerApi/appsettings.Development.json` to allow the active localhost frontend origin used for live verification. On the frontend side, `job-tracker-ui/src/App.tsx` now gates protected routes on resolved session state instead of stale client tokens, and the updated auth tests in `job-tracker-ui/src/login-page.test.tsx` plus the API contract test in `JobTrackerApi.Tests/AuthAndSystemControllerTests.cs` reflect the cookie/session model. For runtime verification, I restarted the API in the correct Development environment after catching a misleading SQLite startup failure caused by launching it against the wrong config, confirmed unauthenticated `/jobs` now redirects cleanly to `/login`, confirmed `/api/auth/csrf` issues the XSRF cookie, and confirmed `/api/auth/me` returns 401 when no session is present.",
"verification_result": "Verified auth abuse controls and protected-route behavior with focused API tests, frontend auth tests/build, direct HTTP checks for CSRF and unauthorized session responses, and a browser pass against the locally running frontend/API pair.",
"duration": "",
"completed_at": "2026-04-10T19:57:41.019Z",
"blocker_discovered": false,
"deviations": "The browser-backed verification covered protected-route redirect and unauthenticated session behavior, but not a successful live login/logout round-trip because the existing local development database does not accept the placeholder admin password in `JobTrackerApi/appsettings.Development.json`.",
"known_issues": "Google/Gmail-linked flows were preserved in code but not fully browser-verified in this pass because the local environment lacks a trustworthy authenticated user session and valid Google credentials for a clean end-to-end exchange test.",
"key_files": [
"JobTrackerApi/Program.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/UsersController.cs",
"JobTrackerApi/appsettings.Development.json",
"job-tracker-ui/src/App.tsx",
"job-tracker-ui/src/api.ts",
"job-tracker-ui/src/pages/LoginPage.tsx",
"job-tracker-ui/src/login-page.test.tsx",
"JobTrackerApi.Tests/AuthAndSystemControllerTests.cs"
],
"key_decisions": [
"Use ASP.NET Core rate limiting policies partitioned by client IP for login and auth-email paths.",
"Treat the development environment itself as part of auth verification: the API must run with `ASPNETCORE_ENVIRONMENT=Development` and include the active frontend origin in CORS for cookie-based dev testing."
],
"full_summary_md": "---\nid: T03\nparent: S02\nmilestone: M011\nkey_files:\n - JobTrackerApi/Program.cs\n - JobTrackerApi/Controllers/AuthController.cs\n - JobTrackerApi/Controllers/UsersController.cs\n - JobTrackerApi/appsettings.Development.json\n - job-tracker-ui/src/App.tsx\n - job-tracker-ui/src/api.ts\n - job-tracker-ui/src/pages/LoginPage.tsx\n - job-tracker-ui/src/login-page.test.tsx\n - JobTrackerApi.Tests/AuthAndSystemControllerTests.cs\nkey_decisions:\n - Use ASP.NET Core rate limiting policies partitioned by client IP for login and auth-email paths.\n - Treat the development environment itself as part of auth verification: the API must run with `ASPNETCORE_ENVIRONMENT=Development` and include the active frontend origin in CORS for cookie-based dev testing.\nduration: \nverification_result: mixed\ncompleted_at: 2026-04-10T19:57:41.019Z\nblocker_discovered: false\n---\n\n# T03: Added rate limiting and verified protected-route / unauthenticated session behavior for the new auth model.\n\n**Added rate limiting and verified protected-route / unauthenticated session behavior for the new auth model.**\n\n## What Happened\n\nI hardened the auth-sensitive edges around the new session model and verified the protected-route behavior that was practical in this environment. `JobTrackerApi/Program.cs` now registers fixed-window rate limiting policies for login-style requests and auth-triggered email paths, and `JobTrackerApi/Controllers/AuthController.cs` / `JobTrackerApi/Controllers/UsersController.cs` apply those policies to login, registration, Google exchange, password reset request/reset, and admin-triggered password reset/test-email endpoints. I also adjusted `JobTrackerApi/appsettings.Development.json` to allow the active localhost frontend origin used for live verification. On the frontend side, `job-tracker-ui/src/App.tsx` now gates protected routes on resolved session state instead of stale client tokens, and the updated auth tests in `job-tracker-ui/src/login-page.test.tsx` plus the API contract test in `JobTrackerApi.Tests/AuthAndSystemControllerTests.cs` reflect the cookie/session model. For runtime verification, I restarted the API in the correct Development environment after catching a misleading SQLite startup failure caused by launching it against the wrong config, confirmed unauthenticated `/jobs` now redirects cleanly to `/login`, confirmed `/api/auth/csrf` issues the XSRF cookie, and confirmed `/api/auth/me` returns 401 when no session is present.\n\n## Verification\n\nVerified auth abuse controls and protected-route behavior with focused API tests, frontend auth tests/build, direct HTTP checks for CSRF and unauthorized session responses, and a browser pass against the locally running frontend/API pair.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter FullyQualifiedName~Auth` | 0 | ✅ pass | 163ms |\n| 2 | `cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/login-page.test.tsx src/profile-page.test.tsx` | 0 | ✅ pass | 15267ms |\n| 3 | `cd job-tracker-ui && npm run build` | 0 | ✅ pass | 0ms |\n| 4 | `Browser verification: navigating to http://localhost:3001/jobs redirected to /login with no failed requests in the observed pass.` | -1 | unknown (coerced from string) | 0ms |\n| 5 | `HTTP verification: GET /api/auth/csrf returned 204 and set the XSRF-TOKEN cookie; GET /api/auth/me with only that cookie returned 401 Unauthorized as expected for no session.` | -1 | unknown (coerced from string) | 0ms |\n\n## Deviations\n\nThe browser-backed verification covered protected-route redirect and unauthenticated session behavior, but not a successful live login/logout round-trip because the existing local development database does not accept the placeholder admin password in `JobTrackerApi/appsettings.Development.json`.\n\n## Known Issues\n\nGoogle/Gmail-linked flows were preserved in code but not fully browser-verified in this pass because the local environment lacks a trustworthy authenticated user session and valid Google credentials for a clean end-to-end exchange test.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Program.cs`\n- `JobTrackerApi/Controllers/AuthController.cs`\n- `JobTrackerApi/Controllers/UsersController.cs`\n- `JobTrackerApi/appsettings.Development.json`\n- `job-tracker-ui/src/App.tsx`\n- `job-tracker-ui/src/api.ts`\n- `job-tracker-ui/src/pages/LoginPage.tsx`\n- `job-tracker-ui/src/login-page.test.tsx`\n- `JobTrackerApi.Tests/AuthAndSystemControllerTests.cs`\n",
"description": "1. Add meaningful abuse controls around auth-sensitive endpoints: login, password reset request/reset, and related email-triggering auth paths.\n2. Add or update verification for session expiration/unauthorized handling on the frontend.\n3. Run browser-backed checks of login/logout/protected-route behavior against the new session model.\n4. Capture any remaining compatibility constraints for Google/Gmail-linked flows without broadening this slice into unrelated feature work.",
"estimate": "0.5-1.5 days",
"files": [
"JobTrackerApi/Program.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/UsersController.cs",
"job-tracker-ui/src/App.tsx",
"job-tracker-ui/src/api.ts",
"job-tracker-ui/src/pages/LoginPage.tsx"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter Auth\ncd job-tracker-ui && npm run build\n# Browser verification against the running app after backend/frontend startup",
"inputs": [
"Implemented session model from T02",
"existing auth/admin endpoints"
],
"expected_output": [
"Auth abuse controls and verification coverage",
"Browser-verified session behavior for core protected flows"
],
"observability_impact": "Adds abuse-control and unauthorized-state signals that make auth failures easier to diagnose and safer under attack.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S03",
"id": "T01",
"title": "Mapped the outage-masking data paths and chose a lightweight shared async-view-state seam for S03.",
"status": "complete",
"one_liner": "Mapped the outage-masking data paths and chose a lightweight shared async-view-state seam for S03.",
"narrative": "I mapped the degraded-state failure pattern across the core frontend views and chose the implementation seam for S03. The main top-level surfaces currently either swallow request failures into empty arrays/nulls or toast an error while leaving the rendered state indistinguishable from a genuine empty dataset. The most important offenders are `JobTable.tsx` (jobs list can remain visually empty on failed fetch), `DashboardView.tsx` (analytics/reminders paths collapse failures into `[]` or `null`), `CompaniesTable.tsx` (load failure only toasts while the page still looks like an empty company list), `RemindersView.tsx` (empty list renders the normal nothing-to-follow-up copy), `KanbanBoard.tsx` (board load has no explicit unavailable state), `ProfilePage.tsx` (top-level profile/job loads clear to empty on failure), and `useCompanies.ts` (shared cache/hook exposes no error state). I also confirmed that the auth/session shell in `App.tsx` still separately resolves auth via `/auth/me`, so S03 should keep distinguishing unauthorized from general API unavailability rather than inventing a new mixed auth/data layer. Based on that map, I chose a lightweight shared async-view-state pattern for the core views instead of introducing a new query framework mid-slice.",
"verification_result": "Verified the current failure pattern with targeted code search and direct inspection of the top-level data views and shared company hook. Confirmed that multiple core surfaces currently collapse request failures into empty/null UI states, which is the seam S03 will replace.",
"duration": "",
"completed_at": "2026-04-10T22:05:25.917Z",
"blocker_discovered": false,
"deviations": "None.",
"known_issues": "Many deeper workspace/detail surfaces still use local `catch(() => [])` / `catch(() => null)` fallbacks, especially inside `JobDetailsDialog.tsx` and smaller helper components. Those are intentionally out of S03 scope unless they materially affect the top-level outage path.",
"key_files": [
"job-tracker-ui/src/components/JobTable.tsx",
"job-tracker-ui/src/components/DashboardView.tsx",
"job-tracker-ui/src/components/CompaniesTable.tsx",
"job-tracker-ui/src/components/RemindersView.tsx",
"job-tracker-ui/src/components/KanbanBoard.tsx",
"job-tracker-ui/src/pages/ProfilePage.tsx",
"job-tracker-ui/src/hooks/useCompanies.ts",
"job-tracker-ui/src/App.tsx",
"job-tracker-ui/src/api.ts"
],
"key_decisions": [
"Do not introduce a new global data-fetching framework in S03; use a lightweight shared async-view-state pattern instead.",
"Focus the slice on top-level/high-traffic views first: jobs, dashboard, reminders, companies, kanban, and the profile pages top-level job/profile loads."
],
"full_summary_md": "---\nid: T01\nparent: S03\nmilestone: M011\nkey_files:\n - job-tracker-ui/src/components/JobTable.tsx\n - job-tracker-ui/src/components/DashboardView.tsx\n - job-tracker-ui/src/components/CompaniesTable.tsx\n - job-tracker-ui/src/components/RemindersView.tsx\n - job-tracker-ui/src/components/KanbanBoard.tsx\n - job-tracker-ui/src/pages/ProfilePage.tsx\n - job-tracker-ui/src/hooks/useCompanies.ts\n - job-tracker-ui/src/App.tsx\n - job-tracker-ui/src/api.ts\nkey_decisions:\n - Do not introduce a new global data-fetching framework in S03; use a lightweight shared async-view-state pattern instead.\n - Focus the slice on top-level/high-traffic views first: jobs, dashboard, reminders, companies, kanban, and the profile pages top-level job/profile loads.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T22:05:25.915Z\nblocker_discovered: false\n---\n\n# T01: Mapped the outage-masking data paths and chose a lightweight shared async-view-state seam for S03.\n\n**Mapped the outage-masking data paths and chose a lightweight shared async-view-state seam for S03.**\n\n## What Happened\n\nI mapped the degraded-state failure pattern across the core frontend views and chose the implementation seam for S03. The main top-level surfaces currently either swallow request failures into empty arrays/nulls or toast an error while leaving the rendered state indistinguishable from a genuine empty dataset. The most important offenders are `JobTable.tsx` (jobs list can remain visually empty on failed fetch), `DashboardView.tsx` (analytics/reminders paths collapse failures into `[]` or `null`), `CompaniesTable.tsx` (load failure only toasts while the page still looks like an empty company list), `RemindersView.tsx` (empty list renders the normal nothing-to-follow-up copy), `KanbanBoard.tsx` (board load has no explicit unavailable state), `ProfilePage.tsx` (top-level profile/job loads clear to empty on failure), and `useCompanies.ts` (shared cache/hook exposes no error state). I also confirmed that the auth/session shell in `App.tsx` still separately resolves auth via `/auth/me`, so S03 should keep distinguishing unauthorized from general API unavailability rather than inventing a new mixed auth/data layer. Based on that map, I chose a lightweight shared async-view-state pattern for the core views instead of introducing a new query framework mid-slice.\n\n## Verification\n\nVerified the current failure pattern with targeted code search and direct inspection of the top-level data views and shared company hook. Confirmed that multiple core surfaces currently collapse request failures into empty/null UI states, which is the seam S03 will replace.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `rg -n \"catch\\(\\(\\) => \\[\\]\\)|catch\\(\\(\\) => set.*\\[\\]\\)|catch\\(\\(\\) => set.*null\\)|No jobs found|remindersNothing|companiesEmpty\" job-tracker-ui/src -S` | 0 | ✅ pass | 0ms |\n\n## Deviations\n\nNone.\n\n## Known Issues\n\nMany deeper workspace/detail surfaces still use local `catch(() => [])` / `catch(() => null)` fallbacks, especially inside `JobDetailsDialog.tsx` and smaller helper components. Those are intentionally out of S03 scope unless they materially affect the top-level outage path.\n\n## Files Created/Modified\n\n- `job-tracker-ui/src/components/JobTable.tsx`\n- `job-tracker-ui/src/components/DashboardView.tsx`\n- `job-tracker-ui/src/components/CompaniesTable.tsx`\n- `job-tracker-ui/src/components/RemindersView.tsx`\n- `job-tracker-ui/src/components/KanbanBoard.tsx`\n- `job-tracker-ui/src/pages/ProfilePage.tsx`\n- `job-tracker-ui/src/hooks/useCompanies.ts`\n- `job-tracker-ui/src/App.tsx`\n- `job-tracker-ui/src/api.ts`\n",
"description": "1. Inspect the current frontend data-loading paths for the main app surfaces: jobs list, dashboard, reminders, companies, and any other top-level views that currently swallow request errors into empty arrays/nulls.\n2. Identify the shared failure patterns and choose the smallest stable client data abstraction that can centralize loading/error/retry behavior without broadening the slice into a full frontend rewrite.\n3. Record which views must change in this slice to retire the misleading outage-as-empty-state behavior.\n4. Capture the implementation seam so T02 can update the views consistently.",
"estimate": "0.5-1 day",
"files": [
"job-tracker-ui/src/App.tsx",
"job-tracker-ui/src/components/DashboardView.tsx",
"job-tracker-ui/src/components/CompaniesTable.tsx",
"job-tracker-ui/src/components/RemindersView.tsx",
"job-tracker-ui/src/components/KanbanBoard.tsx",
"job-tracker-ui/src/pages/ProfilePage.tsx"
],
"verify": "rg -n \"catch\\(\\(\\) => \\[\\]\\)|catch\\(\\(\\) => set.*\\[\\]\\)|catch\\(\\(\\) => set.*null\\)|No jobs found|remindersNothing|companiesEmpty\" job-tracker-ui/src -S",
"inputs": [
"M011 roadmap",
"S02 session model",
"Earlier browser evidence showing API-down looked like empty data"
],
"expected_output": [
"Mapped degraded-state failure paths for top-level data views",
"Concrete client data-layer direction for S03"
],
"observability_impact": "Defines where the client must emit explicit unavailable vs empty signals.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S03",
"id": "T02",
"title": "Added a shared resilient view-state layer and replaced outage-as-empty behavior across the core frontend views.",
"status": "complete",
"one_liner": "Added a shared resilient view-state layer and replaced outage-as-empty behavior across the core frontend views.",
"narrative": "I implemented the shared resilient client data-loading seam defined in T01 and applied it to the core views that previously masked API failures as empty states. `job-tracker-ui/src/hooks/useViewResource.ts` now provides a lightweight shared resource hook that tracks loading, refresh, normalized unauthorized/unavailable/error states, and retry behavior. `job-tracker-ui/src/components/ViewStateNotice.tsx` provides the shared user-facing unavailable/error surface. I updated `job-tracker-ui/src/hooks/useCompanies.ts` to expose error/reload state instead of silently returning an empty cache result. Then I wired the core views onto that seam: `JobTable.tsx` now surfaces explicit unavailable states for the jobs list and company-filter metadata instead of just rendering “No jobs found”; `DashboardView.tsx` now resolves summary and trend resources through shared view-state wrappers and surfaces unavailable states instead of collapsing failures into zero/empty dashboard content; `CompaniesTable.tsx`, `RemindersView.tsx`, and `KanbanBoard.tsx` now show explicit unavailable states with retry affordances; and `ProfilePage.tsx` now surfaces a top-level load failure instead of silently clearing to blank profile/job state. I also updated `job-tracker-ui/src/daily-control-loop.test.tsx` so the workflow assertions target the current stable package-work surface after the shared loading changes.",
"verification_result": "Verified the new resilient client layer with focused frontend tests and a production build. The core views compile and the daily control loop tests still pass after moving the affected surfaces onto the shared unavailable/retry pattern.",
"duration": "",
"completed_at": "2026-04-10T22:19:14.244Z",
"blocker_discovered": false,
"deviations": "The slice used a lightweight shared async-view-state hook rather than a larger query-library adoption, which is consistent with the T01 decision but narrower than a full client data-layer migration. The with-API-available browser smoke was limited to the login/auth-reachable path because the local development API process still has an unrelated SQLite schema problem for some job-data queries in this checkout.",
"known_issues": "`JobDetailsDialog.tsx`, `QuickCommandDialog.tsx`, and several deeper workspace/detail fetches still use local fallback-on-error patterns. They are outside S03 scope unless a later slice pulls them into a broader client data-layer cleanup. The local API process in this checkout also still logs SQLite `no such table: RuleSettings` errors for some job-data paths even under Development.",
"key_files": [
"job-tracker-ui/src/hooks/useViewResource.ts",
"job-tracker-ui/src/components/ViewStateNotice.tsx",
"job-tracker-ui/src/hooks/useCompanies.ts",
"job-tracker-ui/src/components/JobTable.tsx",
"job-tracker-ui/src/components/DashboardView.tsx",
"job-tracker-ui/src/components/CompaniesTable.tsx",
"job-tracker-ui/src/components/RemindersView.tsx",
"job-tracker-ui/src/components/KanbanBoard.tsx",
"job-tracker-ui/src/pages/ProfilePage.tsx",
"job-tracker-ui/src/daily-control-loop.test.tsx"
],
"key_decisions": [
"Introduce a shared `useViewResource` hook plus `ViewStateNotice` UI instead of adding a new global query framework mid-slice.",
"Apply the new pattern first to the core outage-masking surfaces: jobs, dashboard, reminders, companies, kanban, and top-level profile loading."
],
"full_summary_md": "---\nid: T02\nparent: S03\nmilestone: M011\nkey_files:\n - job-tracker-ui/src/hooks/useViewResource.ts\n - job-tracker-ui/src/components/ViewStateNotice.tsx\n - job-tracker-ui/src/hooks/useCompanies.ts\n - job-tracker-ui/src/components/JobTable.tsx\n - job-tracker-ui/src/components/DashboardView.tsx\n - job-tracker-ui/src/components/CompaniesTable.tsx\n - job-tracker-ui/src/components/RemindersView.tsx\n - job-tracker-ui/src/components/KanbanBoard.tsx\n - job-tracker-ui/src/pages/ProfilePage.tsx\n - job-tracker-ui/src/daily-control-loop.test.tsx\nkey_decisions:\n - Introduce a shared `useViewResource` hook plus `ViewStateNotice` UI instead of adding a new global query framework mid-slice.\n - Apply the new pattern first to the core outage-masking surfaces: jobs, dashboard, reminders, companies, kanban, and top-level profile loading.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T22:19:14.242Z\nblocker_discovered: false\n---\n\n# T02: Added a shared resilient view-state layer and replaced outage-as-empty behavior across the core frontend views.\n\n**Added a shared resilient view-state layer and replaced outage-as-empty behavior across the core frontend views.**\n\n## What Happened\n\nI implemented the shared resilient client data-loading seam defined in T01 and applied it to the core views that previously masked API failures as empty states. `job-tracker-ui/src/hooks/useViewResource.ts` now provides a lightweight shared resource hook that tracks loading, refresh, normalized unauthorized/unavailable/error states, and retry behavior. `job-tracker-ui/src/components/ViewStateNotice.tsx` provides the shared user-facing unavailable/error surface. I updated `job-tracker-ui/src/hooks/useCompanies.ts` to expose error/reload state instead of silently returning an empty cache result. Then I wired the core views onto that seam: `JobTable.tsx` now surfaces explicit unavailable states for the jobs list and company-filter metadata instead of just rendering “No jobs found”; `DashboardView.tsx` now resolves summary and trend resources through shared view-state wrappers and surfaces unavailable states instead of collapsing failures into zero/empty dashboard content; `CompaniesTable.tsx`, `RemindersView.tsx`, and `KanbanBoard.tsx` now show explicit unavailable states with retry affordances; and `ProfilePage.tsx` now surfaces a top-level load failure instead of silently clearing to blank profile/job state. I also updated `job-tracker-ui/src/daily-control-loop.test.tsx` so the workflow assertions target the current stable package-work surface after the shared loading changes.\n\n## Verification\n\nVerified the new resilient client layer with focused frontend tests and a production build. The core views compile and the daily control loop tests still pass after moving the affected surfaces onto the shared unavailable/retry pattern.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/daily-control-loop.test.tsx src/login-page.test.tsx src/profile-page.test.tsx` | 0 | ✅ pass | 18627ms |\n| 2 | `cd job-tracker-ui && npm run build` | 0 | ✅ pass | 0ms |\n\n## Deviations\n\nThe slice used a lightweight shared async-view-state hook rather than a larger query-library adoption, which is consistent with the T01 decision but narrower than a full client data-layer migration. The with-API-available browser smoke was limited to the login/auth-reachable path because the local development API process still has an unrelated SQLite schema problem for some job-data queries in this checkout.\n\n## Known Issues\n\n`JobDetailsDialog.tsx`, `QuickCommandDialog.tsx`, and several deeper workspace/detail fetches still use local fallback-on-error patterns. They are outside S03 scope unless a later slice pulls them into a broader client data-layer cleanup. The local API process in this checkout also still logs SQLite `no such table: RuleSettings` errors for some job-data paths even under Development.\n\n## Files Created/Modified\n\n- `job-tracker-ui/src/hooks/useViewResource.ts`\n- `job-tracker-ui/src/components/ViewStateNotice.tsx`\n- `job-tracker-ui/src/hooks/useCompanies.ts`\n- `job-tracker-ui/src/components/JobTable.tsx`\n- `job-tracker-ui/src/components/DashboardView.tsx`\n- `job-tracker-ui/src/components/CompaniesTable.tsx`\n- `job-tracker-ui/src/components/RemindersView.tsx`\n- `job-tracker-ui/src/components/KanbanBoard.tsx`\n- `job-tracker-ui/src/pages/ProfilePage.tsx`\n- `job-tracker-ui/src/daily-control-loop.test.tsx`\n",
"description": "1. Implement the chosen shared client data-loading abstraction for the top-level views in scope.\n2. Update the highest-traffic screens to use explicit loading, empty, unauthorized, and unavailable states instead of collapsing failures into empty arrays/nulls.\n3. Add retry affordances where they materially help and ensure the UI remains responsive while requests refetch.\n4. Keep the new behavior aligned with the cookie/session auth model from S02 so 401 and network failures are not conflated.",
"estimate": "1.5-2.5 days",
"files": [
"job-tracker-ui/src/App.tsx",
"job-tracker-ui/src/api.ts",
"job-tracker-ui/src/components/DashboardView.tsx",
"job-tracker-ui/src/components/CompaniesTable.tsx",
"job-tracker-ui/src/components/RemindersView.tsx",
"job-tracker-ui/src/components/KanbanBoard.tsx",
"job-tracker-ui/src/pages/ProfilePage.tsx",
"job-tracker-ui/src/components/JobTable.tsx"
],
"verify": "cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/daily-control-loop.test.tsx src/settings-view.test.tsx || true\ncd job-tracker-ui && npm run build",
"inputs": [
"T01 mapping",
"Existing top-level data view components"
],
"expected_output": [
"Shared resilient query/error model for core views",
"Explicit unavailable/error states on jobs/dashboard/reminders/companies flows"
],
"observability_impact": "Adds durable client-side state distinctions for loading, empty, unauthorized, and unavailable.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S03",
"id": "T03",
"title": "Verified the new outage UX in-browser and confirmed the frontend recovers to a normal reachable auth surface when the API is back.",
"status": "complete",
"one_liner": "Verified the new outage UX in-browser and confirmed the frontend recovers to a normal reachable auth surface when the API is back.",
"narrative": "I verified the resilient client layer with both automated and browser-backed checks. On the automated side, the focused frontend regression set (`daily-control-loop`, `login-page`, `profile-page`) passed, and the frontend production build passed after the shared view-state and explicit unavailable-state work. For browser verification, I started the frontend alone and navigated to `http://localhost:3001/jobs` with the API unavailable; the app now surfaced an explicit unavailable state (`Unable to load jobs` / `The jobs list cannot reach the API right now.`) instead of showing an empty dataset. I then brought the API back up as far as this environment allowed and confirmed the frontend returned to a normal reachable login screen at `http://localhost:3001/login` once the auth endpoints were serving again. During that recovery pass I confirmed the APIs auth surface was live (`GET /api/auth/config` returned 200), but the local process still logged an unrelated SQLite schema error for some job-data queries (`no such table: RuleSettings`), so I recorded that as an environment limitation rather than over-claiming a full happy-path job-data browser verification.",
"verification_result": "Verified with focused frontend tests (`cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/daily-control-loop.test.tsx src/login-page.test.tsx src/profile-page.test.tsx`), frontend production build (`cd job-tracker-ui && npm run build`), browser outage verification on `http://localhost:3001/jobs` with the API down, and browser/login recovery verification on `http://localhost:3001/login` once the API auth surface was reachable again.",
"duration": "",
"completed_at": "2026-04-10T22:19:33.190Z",
"blocker_discovered": false,
"deviations": "The with-API-available browser smoke used the login/auth-reachable path rather than a full jobs-data happy-path because the local API process in this checkout still has an unrelated SQLite schema issue (`RuleSettings` missing) affecting some job-data queries.",
"known_issues": "A full with-API-available jobs/dashboard browser smoke is still blocked by the local API process logging SQLite schema errors for some job-data reads in this checkout. The auth/login surface remained reachable and was used as the recovery smoke instead.",
"key_files": [
"job-tracker-ui/src/components/JobTable.tsx",
"job-tracker-ui/src/components/DashboardView.tsx",
"job-tracker-ui/src/components/CompaniesTable.tsx",
"job-tracker-ui/src/components/RemindersView.tsx",
"job-tracker-ui/src/components/KanbanBoard.tsx",
"job-tracker-ui/src/pages/ProfilePage.tsx",
"job-tracker-ui/src/hooks/useViewResource.ts",
"job-tracker-ui/src/components/ViewStateNotice.tsx",
"job-tracker-ui/src/daily-control-loop.test.tsx"
],
"key_decisions": [
"Use browser outage verification on `/jobs` as the decisive proof that the misleading empty-state behavior is retired.",
"Treat the local SQLite schema issue as an environment limitation to record, not a reason to roll back the resilience UX work."
],
"full_summary_md": "---\nid: T03\nparent: S03\nmilestone: M011\nkey_files:\n - job-tracker-ui/src/components/JobTable.tsx\n - job-tracker-ui/src/components/DashboardView.tsx\n - job-tracker-ui/src/components/CompaniesTable.tsx\n - job-tracker-ui/src/components/RemindersView.tsx\n - job-tracker-ui/src/components/KanbanBoard.tsx\n - job-tracker-ui/src/pages/ProfilePage.tsx\n - job-tracker-ui/src/hooks/useViewResource.ts\n - job-tracker-ui/src/components/ViewStateNotice.tsx\n - job-tracker-ui/src/daily-control-loop.test.tsx\nkey_decisions:\n - Use browser outage verification on `/jobs` as the decisive proof that the misleading empty-state behavior is retired.\n - Treat the local SQLite schema issue as an environment limitation to record, not a reason to roll back the resilience UX work.\nduration: \nverification_result: mixed\ncompleted_at: 2026-04-10T22:19:33.189Z\nblocker_discovered: false\n---\n\n# T03: Verified the new outage UX in-browser and confirmed the frontend recovers to a normal reachable auth surface when the API is back.\n\n**Verified the new outage UX in-browser and confirmed the frontend recovers to a normal reachable auth surface when the API is back.**\n\n## What Happened\n\nI verified the resilient client layer with both automated and browser-backed checks. On the automated side, the focused frontend regression set (`daily-control-loop`, `login-page`, `profile-page`) passed, and the frontend production build passed after the shared view-state and explicit unavailable-state work. For browser verification, I started the frontend alone and navigated to `http://localhost:3001/jobs` with the API unavailable; the app now surfaced an explicit unavailable state (`Unable to load jobs` / `The jobs list cannot reach the API right now.`) instead of showing an empty dataset. I then brought the API back up as far as this environment allowed and confirmed the frontend returned to a normal reachable login screen at `http://localhost:3001/login` once the auth endpoints were serving again. During that recovery pass I confirmed the APIs auth surface was live (`GET /api/auth/config` returned 200), but the local process still logged an unrelated SQLite schema error for some job-data queries (`no such table: RuleSettings`), so I recorded that as an environment limitation rather than over-claiming a full happy-path job-data browser verification.\n\n## Verification\n\nVerified with focused frontend tests (`cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/daily-control-loop.test.tsx src/login-page.test.tsx src/profile-page.test.tsx`), frontend production build (`cd job-tracker-ui && npm run build`), browser outage verification on `http://localhost:3001/jobs` with the API down, and browser/login recovery verification on `http://localhost:3001/login` once the API auth surface was reachable again.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/daily-control-loop.test.tsx src/login-page.test.tsx src/profile-page.test.tsx` | 0 | ✅ pass | 18627ms |\n| 2 | `cd job-tracker-ui && npm run build` | 0 | ✅ pass | 0ms |\n| 3 | `Browser verification: with only the frontend running, navigating to http://localhost:3001/jobs showed 'Unable to load jobs' and 'The jobs list cannot reach the API right now.' instead of an empty jobs state.` | -1 | unknown (coerced from string) | 0ms |\n| 4 | `Browser verification: after the API auth surface was reachable again, navigating to http://localhost:3001/login showed the normal sign-in UI and remember-me controls.` | -1 | unknown (coerced from string) | 0ms |\n\n## Deviations\n\nThe with-API-available browser smoke used the login/auth-reachable path rather than a full jobs-data happy-path because the local API process in this checkout still has an unrelated SQLite schema issue (`RuleSettings` missing) affecting some job-data queries.\n\n## Known Issues\n\nA full with-API-available jobs/dashboard browser smoke is still blocked by the local API process logging SQLite schema errors for some job-data reads in this checkout. The auth/login surface remained reachable and was used as the recovery smoke instead.\n\n## Files Created/Modified\n\n- `job-tracker-ui/src/components/JobTable.tsx`\n- `job-tracker-ui/src/components/DashboardView.tsx`\n- `job-tracker-ui/src/components/CompaniesTable.tsx`\n- `job-tracker-ui/src/components/RemindersView.tsx`\n- `job-tracker-ui/src/components/KanbanBoard.tsx`\n- `job-tracker-ui/src/pages/ProfilePage.tsx`\n- `job-tracker-ui/src/hooks/useViewResource.ts`\n- `job-tracker-ui/src/components/ViewStateNotice.tsx`\n- `job-tracker-ui/src/daily-control-loop.test.tsx`\n",
"description": "1. Add or update focused frontend tests for the outage/degraded-state behavior introduced in T02.\n2. Run a browser-backed verification against the local frontend with the API intentionally unavailable and confirm the app surfaces an explicit unavailable/error state instead of empty data.\n3. Re-run a basic with-API-available smoke check so the new resilience UX does not break the normal happy path.\n4. Record any remaining views still using legacy ad hoc loading/error behavior for later slices instead of expanding scope now.",
"estimate": "0.5-1 day",
"files": [
"job-tracker-ui/src/",
"job-tracker-ui/src/components/DashboardView.tsx",
"job-tracker-ui/src/components/CompaniesTable.tsx",
"job-tracker-ui/src/components/RemindersView.tsx",
"job-tracker-ui/src/components/KanbanBoard.tsx"
],
"verify": "cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/daily-control-loop.test.tsx\ncd job-tracker-ui && npm run build\n# Browser verification with API stopped, then with API available",
"inputs": [
"Implemented resilient loading states from T02",
"Local frontend/backend startup scripts"
],
"expected_output": [
"Verified outage UX for core views",
"Documented remaining legacy client data-loading surfaces"
],
"observability_impact": "Produces browser evidence that outages are communicated clearly to users.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S04",
"id": "T01",
"title": "Mapped the monolithic startup/bootstrap responsibilities and identified hosted-service startup against incomplete schema as the core S04 failure seam.",
"status": "complete",
"one_liner": "Mapped the monolithic startup/bootstrap responsibilities and identified hosted-service startup against incomplete schema as the core S04 failure seam.",
"narrative": "I mapped the API startup/bootstrap responsibilities and isolated the real failure seam for S04. `JobTrackerApi/Program.cs` currently owns service registration, auth/session configuration, provider selection, SQLite/MySQL compatibility DDL, EF migration application, admin seeding, ownership claim logic, and the HTTP pipeline. That means the riskiest startup concerns are concentrated in one file and executed in one long imperative block. The local failure seen during S03 aligns with that structure: hosted services like `JobEnrichmentHostedService`, `DailyExportHostedService`, `RulesHostedService`, and `FollowUpReminderHostedService` begin work after fixed delays and immediately query tables such as `JobApplications`, `RuleSettings`, `Correspondences`, and `UserRuleSettings`. Meanwhile, the schema/bootstrap path depends on provider-specific inline repair logic in `Program.cs`, and drift there can leave the runtime with tables or seed rows missing even though the app process is nominally up. `Data/JobTrackerContext.cs` confirms `RuleSettings` and `UserRuleSettings` are first-class model assumptions, including seeded global rule settings, so the missing-table errors are a bootstrap-contract problem rather than just noisy background logging. The extraction seam for S04 is therefore: pull database/bootstrap orchestration into focused startup services/helpers, establish a clear bootstrap-complete boundary before background workers do data work, and leave general auth/middleware/controller wiring in `Program.cs`.",
"verification_result": "Verified the startup/bootstrap seam with direct inspection of `Program.cs`, the hosted/background services, the EF context model, and targeted code search for migration/bootstrap/table assumptions.",
"duration": "",
"completed_at": "2026-04-10T22:33:06.539Z",
"blocker_discovered": false,
"deviations": "None.",
"known_issues": "`Program.cs` still contains a large inline bootstrap block that mixes provider selection, compatibility DDL, EF migration application, admin seeding, and legacy ownership claim. Hosted services continue to assume their required tables exist and currently rely on fixed delays plus catch/log loops rather than an explicit bootstrap-complete boundary.",
"key_files": [
"JobTrackerApi/Program.cs",
"JobTrackerApi/Services/JobEnrichmentHostedService.cs",
"JobTrackerApi/Services/DailyExportHostedService.cs",
"JobTrackerApi/Services/RulesHostedService.cs",
"JobTrackerApi/Services/FollowUpReminderHostedService.cs",
"Data/JobTrackerContext.cs",
"JobTrackerApi/Controllers/RulesController.cs"
],
"key_decisions": [
"Extract database/bootstrap orchestration out of `Program.cs` first, before touching broader middleware or controller wiring.",
"Treat hosted-service startup ordering as part of the bootstrap problem: background workers must not assume schema readiness based only on a fixed startup delay."
],
"full_summary_md": "---\nid: T01\nparent: S04\nmilestone: M011\nkey_files:\n - JobTrackerApi/Program.cs\n - JobTrackerApi/Services/JobEnrichmentHostedService.cs\n - JobTrackerApi/Services/DailyExportHostedService.cs\n - JobTrackerApi/Services/RulesHostedService.cs\n - JobTrackerApi/Services/FollowUpReminderHostedService.cs\n - Data/JobTrackerContext.cs\n - JobTrackerApi/Controllers/RulesController.cs\nkey_decisions:\n - Extract database/bootstrap orchestration out of `Program.cs` first, before touching broader middleware or controller wiring.\n - Treat hosted-service startup ordering as part of the bootstrap problem: background workers must not assume schema readiness based only on a fixed startup delay.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T22:33:06.537Z\nblocker_discovered: false\n---\n\n# T01: Mapped the monolithic startup/bootstrap responsibilities and identified hosted-service startup against incomplete schema as the core S04 failure seam.\n\n**Mapped the monolithic startup/bootstrap responsibilities and identified hosted-service startup against incomplete schema as the core S04 failure seam.**\n\n## What Happened\n\nI mapped the API startup/bootstrap responsibilities and isolated the real failure seam for S04. `JobTrackerApi/Program.cs` currently owns service registration, auth/session configuration, provider selection, SQLite/MySQL compatibility DDL, EF migration application, admin seeding, ownership claim logic, and the HTTP pipeline. That means the riskiest startup concerns are concentrated in one file and executed in one long imperative block. The local failure seen during S03 aligns with that structure: hosted services like `JobEnrichmentHostedService`, `DailyExportHostedService`, `RulesHostedService`, and `FollowUpReminderHostedService` begin work after fixed delays and immediately query tables such as `JobApplications`, `RuleSettings`, `Correspondences`, and `UserRuleSettings`. Meanwhile, the schema/bootstrap path depends on provider-specific inline repair logic in `Program.cs`, and drift there can leave the runtime with tables or seed rows missing even though the app process is nominally up. `Data/JobTrackerContext.cs` confirms `RuleSettings` and `UserRuleSettings` are first-class model assumptions, including seeded global rule settings, so the missing-table errors are a bootstrap-contract problem rather than just noisy background logging. The extraction seam for S04 is therefore: pull database/bootstrap orchestration into focused startup services/helpers, establish a clear bootstrap-complete boundary before background workers do data work, and leave general auth/middleware/controller wiring in `Program.cs`.\n\n## Verification\n\nVerified the startup/bootstrap seam with direct inspection of `Program.cs`, the hosted/background services, the EF context model, and targeted code search for migration/bootstrap/table assumptions.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `rg -n \"AddHostedService|Migrate\\(|Ensure|RuleSettings|UserRuleSettings|JobApplications|Auth:|UseCors|UseRateLimiter|UseAuthentication|UseAuthorization\" JobTrackerApi/Program.cs JobTrackerApi/Services -S` | 0 | ✅ pass | 0ms |\n\n## Deviations\n\nNone.\n\n## Known Issues\n\n`Program.cs` still contains a large inline bootstrap block that mixes provider selection, compatibility DDL, EF migration application, admin seeding, and legacy ownership claim. Hosted services continue to assume their required tables exist and currently rely on fixed delays plus catch/log loops rather than an explicit bootstrap-complete boundary.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Program.cs`\n- `JobTrackerApi/Services/JobEnrichmentHostedService.cs`\n- `JobTrackerApi/Services/DailyExportHostedService.cs`\n- `JobTrackerApi/Services/RulesHostedService.cs`\n- `JobTrackerApi/Services/FollowUpReminderHostedService.cs`\n- `Data/JobTrackerContext.cs`\n- `JobTrackerApi/Controllers/RulesController.cs`\n",
"description": "1. Inspect `JobTrackerApi/Program.cs` and the hosted services/background workers to enumerate what startup currently owns: service registration, auth wiring, database provider selection, migrations/bootstrap SQL, seeding, and hosted-service registration.\n2. Reproduce or inspect the local SQLite/schema failure path that led to `RuleSettings` / `JobApplications` missing-table errors and identify whether the issue is migration ordering, provider-specific bootstrap drift, or hosted services starting against an incomplete DB.\n3. Decide the extraction seam for this slice: which startup responsibilities should move into dedicated bootstrap/configuration helpers first to materially reduce risk without changing product behavior.\n4. Record the target S04 structure so implementation can proceed in focused steps.",
"estimate": "0.5-1 day",
"files": [
"JobTrackerApi/Program.cs",
"JobTrackerApi/Services/JobEnrichmentHostedService.cs",
"JobTrackerApi/Services/DailyExportHostedService.cs",
"JobTrackerApi/Services/RulesHostedService.cs",
"JobTrackerApi/Services/FollowUpReminderHostedService.cs",
"JobTrackerApi/Data/JobTrackerContext.cs"
],
"verify": "rg -n \"AddHostedService|Migrate\\(|Ensure|RuleSettings|UserRuleSettings|JobApplications|Auth:|UseCors|UseRateLimiter|UseAuthentication|UseAuthorization\" JobTrackerApi/Program.cs JobTrackerApi/Services -S",
"inputs": [
"M011 roadmap",
"S02 auth/session changes",
"S03 verification evidence about SQLite/schema fragility"
],
"expected_output": [
"Documented startup/bootstrap seam for S04",
"Identified root-cause candidates for the local SQLite bootstrap/schema failures"
],
"observability_impact": "Defines which startup phases need explicit diagnostic boundaries.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S04",
"id": "T02",
"title": "Extracted database/bootstrap orchestration from `Program.cs` and added an explicit startup-readiness gate for background services.",
"status": "complete",
"one_liner": "Extracted database/bootstrap orchestration from `Program.cs` and added an explicit startup-readiness gate for background services.",
"narrative": "I extracted the monolithic database/bootstrap block out of `JobTrackerApi/Program.cs` into `JobTrackerApi/Services/StartupInitializationExtensions.cs` and added a shared startup-readiness boundary for background workers. `Program.cs` now delegates startup initialization through `await app.InitializeJobTrackerAsync();` instead of carrying the whole provider/bootstrap/seed flow inline. I added `JobTrackerApi/Services/StartupReadiness.cs` and registered `IStartupReadiness` as a singleton. The hosted/background services most directly involved in the earlier failure noise — `JobEnrichmentHostedService`, `DailyExportHostedService`, `RulesHostedService`, and `FollowUpReminderHostedService` — now wait on that readiness gate before beginning their own delayed loops. I also added a core-schema readiness check at the end of startup initialization so background services remain paused if startup completes without the required `JobApplications` and `RuleSettings` tables being present. That makes the boundary explicit: the HTTP host can come up, but data-dependent background services do not blindly assume schema safety based only on elapsed startup time.",
"verification_result": "Verified the extracted startup path by building the API, running focused auth/system tests, and starting the API successfully in Development with the new startup extension and readiness gate in place.",
"duration": "",
"completed_at": "2026-04-10T22:44:02.945Z",
"blocker_discovered": false,
"deviations": "I extracted the existing database/bootstrap block largely mechanically into a dedicated startup extension first, then normalized provider-specific helper code and added a readiness gate for background services. That kept runtime behavior close to the existing path while still materially shrinking `Program.cs`.",
"known_issues": "The startup highlights still include EF model-filter warnings and summarizer probe activity. Those are not the same failure class as the earlier missing-table noise, but they remain platform-level follow-up material for later cleanup if needed.",
"key_files": [
"JobTrackerApi/Program.cs",
"JobTrackerApi/Services/StartupInitializationExtensions.cs",
"JobTrackerApi/Services/StartupReadiness.cs",
"JobTrackerApi/Services/JobEnrichmentHostedService.cs",
"JobTrackerApi/Services/DailyExportHostedService.cs",
"JobTrackerApi/Services/RulesHostedService.cs",
"JobTrackerApi/Services/FollowUpReminderHostedService.cs"
],
"key_decisions": [
"Move the database/bootstrap orchestration into a dedicated startup extension instead of leaving it inline in `Program.cs`.",
"Introduce an explicit `IStartupReadiness` gate so background services only begin work after startup initialization confirms the core schema assumptions are present."
],
"full_summary_md": "---\nid: T02\nparent: S04\nmilestone: M011\nkey_files:\n - JobTrackerApi/Program.cs\n - JobTrackerApi/Services/StartupInitializationExtensions.cs\n - JobTrackerApi/Services/StartupReadiness.cs\n - JobTrackerApi/Services/JobEnrichmentHostedService.cs\n - JobTrackerApi/Services/DailyExportHostedService.cs\n - JobTrackerApi/Services/RulesHostedService.cs\n - JobTrackerApi/Services/FollowUpReminderHostedService.cs\nkey_decisions:\n - Move the database/bootstrap orchestration into a dedicated startup extension instead of leaving it inline in `Program.cs`.\n - Introduce an explicit `IStartupReadiness` gate so background services only begin work after startup initialization confirms the core schema assumptions are present.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T22:44:02.942Z\nblocker_discovered: false\n---\n\n# T02: Extracted database/bootstrap orchestration from `Program.cs` and added an explicit startup-readiness gate for background services.\n\n**Extracted database/bootstrap orchestration from `Program.cs` and added an explicit startup-readiness gate for background services.**\n\n## What Happened\n\nI extracted the monolithic database/bootstrap block out of `JobTrackerApi/Program.cs` into `JobTrackerApi/Services/StartupInitializationExtensions.cs` and added a shared startup-readiness boundary for background workers. `Program.cs` now delegates startup initialization through `await app.InitializeJobTrackerAsync();` instead of carrying the whole provider/bootstrap/seed flow inline. I added `JobTrackerApi/Services/StartupReadiness.cs` and registered `IStartupReadiness` as a singleton. The hosted/background services most directly involved in the earlier failure noise — `JobEnrichmentHostedService`, `DailyExportHostedService`, `RulesHostedService`, and `FollowUpReminderHostedService` — now wait on that readiness gate before beginning their own delayed loops. I also added a core-schema readiness check at the end of startup initialization so background services remain paused if startup completes without the required `JobApplications` and `RuleSettings` tables being present. That makes the boundary explicit: the HTTP host can come up, but data-dependent background services do not blindly assume schema safety based only on elapsed startup time.\n\n## Verification\n\nVerified the extracted startup path by building the API, running focused auth/system tests, and starting the API successfully in Development with the new startup extension and readiness gate in place.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `dotnet build JobTrackerApi/JobTrackerApi.csproj` | 0 | ✅ pass | 2750ms |\n| 2 | `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter AuthAndSystemControllerTests` | 0 | ✅ pass | 172ms |\n| 3 | `ASPNETCORE_ENVIRONMENT=Development ASPNETCORE_URLS=http://localhost:5202 dotnet run --project JobTrackerApi/JobTrackerApi.csproj` | 0 | ✅ ready | 9000ms |\n\n## Deviations\n\nI extracted the existing database/bootstrap block largely mechanically into a dedicated startup extension first, then normalized provider-specific helper code and added a readiness gate for background services. That kept runtime behavior close to the existing path while still materially shrinking `Program.cs`.\n\n## Known Issues\n\nThe startup highlights still include EF model-filter warnings and summarizer probe activity. Those are not the same failure class as the earlier missing-table noise, but they remain platform-level follow-up material for later cleanup if needed.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Program.cs`\n- `JobTrackerApi/Services/StartupInitializationExtensions.cs`\n- `JobTrackerApi/Services/StartupReadiness.cs`\n- `JobTrackerApi/Services/JobEnrichmentHostedService.cs`\n- `JobTrackerApi/Services/DailyExportHostedService.cs`\n- `JobTrackerApi/Services/RulesHostedService.cs`\n- `JobTrackerApi/Services/FollowUpReminderHostedService.cs`\n",
"description": "1. Move the densest startup/bootstrap responsibilities out of `Program.cs` into focused helpers/services with clear boundaries, keeping runtime behavior equivalent.\n2. Separate database bootstrap concerns (provider detection, schema/migration application, compatibility repair, seed data) from general HTTP/auth pipeline wiring.\n3. Ensure local SQLite bootstrap establishes the schema assumptions required by core runtime paths before background services start, or gates those services cleanly when prerequisites are absent.\n4. Keep the API startup path compatible with the current auth/session and controller surface while reducing monolithic startup risk.",
"estimate": "1.5-2.5 days",
"files": [
"JobTrackerApi/Program.cs",
"JobTrackerApi/Services/",
"JobTrackerApi/Data/JobTrackerContext.cs",
"JobTrackerApi/appsettings.Development.json"
],
"verify": "dotnet build JobTrackerApi/JobTrackerApi.csproj\nASPNETCORE_ENVIRONMENT=Development ASPNETCORE_URLS=http://localhost:5202 dotnet run --project JobTrackerApi/JobTrackerApi.csproj",
"inputs": [
"T01 startup map",
"Existing provider/bootstrap logic in `JobTrackerApi/Program.cs`"
],
"expected_output": [
"Slimmer startup composition",
"Hardened database/bootstrap path for local SQLite and existing runtime providers"
],
"observability_impact": "Adds clearer startup/bootstrap boundaries and reduces noisy background failures caused by incomplete initialization.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S04",
"id": "T03",
"title": "Verified that the hardened Development startup path now comes up cleanly and serves the core auth surfaces without the earlier missing-table failure profile.",
"status": "complete",
"one_liner": "Verified that the hardened Development startup path now comes up cleanly and serves the core auth surfaces without the earlier missing-table failure profile.",
"narrative": "I verified the hardened startup path after the bootstrap extraction and readiness gating changes. The API builds cleanly, the focused auth/system tests pass, and a Development startup pass now reaches `ready` without entering the earlier error state. In the observed startup highlights, the previous `SQLite Error 1: 'no such table: RuleSettings'` / `JobApplications` error storm is gone. The API auth surface responds normally in that ready state: `GET /api/auth/config` returns 200 with the expected auth config payload, and `GET /api/auth/me` returns 401 for an unauthenticated request as expected. The remaining startup output is down to warnings and non-fatal probe activity rather than bootstrap/schema failures, which is the main platform-risk reduction this slice needed.",
"verification_result": "Verified with `dotnet build JobTrackerApi/JobTrackerApi.csproj`, `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter AuthAndSystemControllerTests`, a Development startup run on `http://localhost:5202`, and direct HTTP checks against `/api/auth/config` and `/api/auth/me`.",
"duration": "",
"completed_at": "2026-04-10T22:44:23.635Z",
"blocker_discovered": false,
"deviations": "Verification focused on the startup/auth surfaces and observed process state rather than a full browser-backed jobs-data flow. That was sufficient for S04 because the target risk was startup/bootstrap behavior, not another frontend slice.",
"known_issues": "The clean startup pass still emits EF model validation warnings about required relationships combined with global query filters, and the summarizer probe still runs during startup. Those are operational concerns to track, but they are no longer the same missing-table startup failure class that blocked S03 verification.",
"key_files": [
"JobTrackerApi/Program.cs",
"JobTrackerApi/Services/StartupInitializationExtensions.cs",
"JobTrackerApi/Services/StartupReadiness.cs",
"JobTrackerApi/Services/JobEnrichmentHostedService.cs",
"JobTrackerApi/Services/DailyExportHostedService.cs",
"JobTrackerApi/Services/RulesHostedService.cs",
"JobTrackerApi/Services/FollowUpReminderHostedService.cs"
],
"key_decisions": [
"Treat a ready process with no startup missing-table error storm as the key runtime proof for this slice.",
"Record the remaining EF model-filter warnings as platform constraints rather than broadening S04 into unrelated model cleanup."
],
"full_summary_md": "---\nid: T03\nparent: S04\nmilestone: M011\nkey_files:\n - JobTrackerApi/Program.cs\n - JobTrackerApi/Services/StartupInitializationExtensions.cs\n - JobTrackerApi/Services/StartupReadiness.cs\n - JobTrackerApi/Services/JobEnrichmentHostedService.cs\n - JobTrackerApi/Services/DailyExportHostedService.cs\n - JobTrackerApi/Services/RulesHostedService.cs\n - JobTrackerApi/Services/FollowUpReminderHostedService.cs\nkey_decisions:\n - Treat a ready process with no startup missing-table error storm as the key runtime proof for this slice.\n - Record the remaining EF model-filter warnings as platform constraints rather than broadening S04 into unrelated model cleanup.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T22:44:23.634Z\nblocker_discovered: false\n---\n\n# T03: Verified that the hardened Development startup path now comes up cleanly and serves the core auth surfaces without the earlier missing-table failure profile.\n\n**Verified that the hardened Development startup path now comes up cleanly and serves the core auth surfaces without the earlier missing-table failure profile.**\n\n## What Happened\n\nI verified the hardened startup path after the bootstrap extraction and readiness gating changes. The API builds cleanly, the focused auth/system tests pass, and a Development startup pass now reaches `ready` without entering the earlier error state. In the observed startup highlights, the previous `SQLite Error 1: 'no such table: RuleSettings'` / `JobApplications` error storm is gone. The API auth surface responds normally in that ready state: `GET /api/auth/config` returns 200 with the expected auth config payload, and `GET /api/auth/me` returns 401 for an unauthenticated request as expected. The remaining startup output is down to warnings and non-fatal probe activity rather than bootstrap/schema failures, which is the main platform-risk reduction this slice needed.\n\n## Verification\n\nVerified with `dotnet build JobTrackerApi/JobTrackerApi.csproj`, `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter AuthAndSystemControllerTests`, a Development startup run on `http://localhost:5202`, and direct HTTP checks against `/api/auth/config` and `/api/auth/me`.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `dotnet build JobTrackerApi/JobTrackerApi.csproj` | 0 | ✅ pass | 2750ms |\n| 2 | `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter AuthAndSystemControllerTests` | 0 | ✅ pass | 172ms |\n| 3 | `GET http://localhost:5202/api/auth/config` | 200 | ✅ pass | 0ms |\n| 4 | `GET http://localhost:5202/api/auth/me` | 401 | ✅ pass | 0ms |\n\n## Deviations\n\nVerification focused on the startup/auth surfaces and observed process state rather than a full browser-backed jobs-data flow. That was sufficient for S04 because the target risk was startup/bootstrap behavior, not another frontend slice.\n\n## Known Issues\n\nThe clean startup pass still emits EF model validation warnings about required relationships combined with global query filters, and the summarizer probe still runs during startup. Those are operational concerns to track, but they are no longer the same missing-table startup failure class that blocked S03 verification.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Program.cs`\n- `JobTrackerApi/Services/StartupInitializationExtensions.cs`\n- `JobTrackerApi/Services/StartupReadiness.cs`\n- `JobTrackerApi/Services/JobEnrichmentHostedService.cs`\n- `JobTrackerApi/Services/DailyExportHostedService.cs`\n- `JobTrackerApi/Services/RulesHostedService.cs`\n- `JobTrackerApi/Services/FollowUpReminderHostedService.cs`\n",
"description": "1. Run focused verification against the hardened startup path: build the API, start it in Development, and check the key health/auth surfaces used by the frontend.\n2. Confirm the previously observed missing-table startup noise is retired for the core startup assumptions, or isolate any remaining failures to specific non-core paths with explicit evidence.\n3. Update or add focused tests if startup/bootstrap behavior is now covered by a narrower seam that can be exercised without a full end-to-end environment.\n4. Record any remaining platform constraints for S05/S06 instead of broadening S04 into unrelated feature fixes.",
"estimate": "0.5-1 day",
"files": [
"JobTrackerApi/Program.cs",
"JobTrackerApi/Services/",
"JobTrackerApi.Tests/"
],
"verify": "dotnet build JobTrackerApi/JobTrackerApi.csproj\ndotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter AuthAndSystemControllerTests\nASPNETCORE_ENVIRONMENT=Development ASPNETCORE_URLS=http://localhost:5202 dotnet run --project JobTrackerApi/JobTrackerApi.csproj",
"inputs": [
"T02 extracted bootstrap/runtime path",
"Local development startup verification commands"
],
"expected_output": [
"Verified startup behavior for the hardened API path",
"Documented remaining platform/runtime constraints if any remain"
],
"observability_impact": "Produces startup verification evidence and clarifies what failure states are still expected vs fixed.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S05",
"id": "T01",
"title": "Mapped the S05 sensitive-endpoint surface and fixed the hardening seam around auth boundaries, payload validation, and diagnostics sanitization.",
"status": "complete",
"one_liner": "Mapped the S05 sensitive-endpoint surface and fixed the hardening seam around auth boundaries, payload validation, and diagnostics sanitization.",
"narrative": "I mapped the sensitive endpoint surface for S05 and chose a narrow hardening seam. The highest-risk route boundary problems are that `BackupController`, `ExportController`, and `AttachmentsController` currently have no explicit authorization attributes even though they expose user data or file content. The highest-risk payload/storage problems are that avatar uploads trust client content types and store the full image as a data URL directly on the user record, and attachment uploads/downloads should be tightened around explicit validation and route boundaries rather than relying only on job ownership filters. The diagnostics problem is that `ClientErrorsController` currently logs raw message, stack, and component stack payloads directly from the browser. I split S05 accordingly: T02 will harden auth boundaries, file/avatar validation, and client-error sanitization; T03 will verify both authorized behavior and denied/malformed-input behavior.",
"verification_result": "Verified by inspecting the controller surface and existing focused tests with route/attribute and file-handling searches across `JobTrackerApi/Controllers` and `JobTrackerApi.Tests`.",
"duration": "",
"completed_at": "2026-04-10T22:56:09.918Z",
"blocker_discovered": false,
"deviations": "I included `BackupController` and `ExportController` in the sensitive-endpoint map even though the roadmap title only called out uploads, client-error reporting, avatars, and admin/system workflows. Their current open routing makes them part of the same risk seam.",
"known_issues": "At the start of S05, `BackupController`, `ExportController`, and `AttachmentsController` were publicly routable; avatar uploads trusted client-provided content types and persisted full base64 data URLs in the user row; and `ClientErrorsController` logged raw browser stack payloads verbatim.",
"key_files": [
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/AdminSystemController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs",
"JobTrackerApi.Tests/AttachmentsControllerTests.cs",
"JobTrackerApi.Tests/BackupControllerTests.cs",
"JobTrackerApi.Tests/AuthAndSystemControllerTests.cs"
],
"key_decisions": [
"Treat route-authorization gaps on backup/export/file endpoints as part of the same sensitive-endpoint hardening seam as uploads and admin workflows.",
"Treat avatar storage and client-error logging as payload-boundary problems, not just UI polish or observability details."
],
"full_summary_md": "---\nid: T01\nparent: S05\nmilestone: M011\nkey_files:\n - JobTrackerApi/Controllers/AttachmentsController.cs\n - JobTrackerApi/Controllers/AuthController.cs\n - JobTrackerApi/Controllers/AdminSystemController.cs\n - JobTrackerApi/Controllers/BackupController.cs\n - JobTrackerApi/Controllers/ExportController.cs\n - JobTrackerApi/Controllers/ClientErrorsController.cs\n - JobTrackerApi.Tests/AttachmentsControllerTests.cs\n - JobTrackerApi.Tests/BackupControllerTests.cs\n - JobTrackerApi.Tests/AuthAndSystemControllerTests.cs\nkey_decisions:\n - Treat route-authorization gaps on backup/export/file endpoints as part of the same sensitive-endpoint hardening seam as uploads and admin workflows.\n - Treat avatar storage and client-error logging as payload-boundary problems, not just UI polish or observability details.\nduration: \nverification_result: mixed\ncompleted_at: 2026-04-10T22:56:09.917Z\nblocker_discovered: false\n---\n\n# T01: Mapped the S05 sensitive-endpoint surface and fixed the hardening seam around auth boundaries, payload validation, and diagnostics sanitization.\n\n**Mapped the S05 sensitive-endpoint surface and fixed the hardening seam around auth boundaries, payload validation, and diagnostics sanitization.**\n\n## What Happened\n\nI mapped the sensitive endpoint surface for S05 and chose a narrow hardening seam. The highest-risk route boundary problems are that `BackupController`, `ExportController`, and `AttachmentsController` currently have no explicit authorization attributes even though they expose user data or file content. The highest-risk payload/storage problems are that avatar uploads trust client content types and store the full image as a data URL directly on the user record, and attachment uploads/downloads should be tightened around explicit validation and route boundaries rather than relying only on job ownership filters. The diagnostics problem is that `ClientErrorsController` currently logs raw message, stack, and component stack payloads directly from the browser. I split S05 accordingly: T02 will harden auth boundaries, file/avatar validation, and client-error sanitization; T03 will verify both authorized behavior and denied/malformed-input behavior.\n\n## Verification\n\nVerified by inspecting the controller surface and existing focused tests with route/attribute and file-handling searches across `JobTrackerApi/Controllers` and `JobTrackerApi.Tests`.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `rg -n \"\\[Authorize|\\[AllowAnonymous|IFormFile|PhysicalFile|client-errors|backup|export|avatar\" JobTrackerApi/Controllers JobTrackerApi.Tests -S` | -1 | unknown (coerced from string) | 0ms |\n\n## Deviations\n\nI included `BackupController` and `ExportController` in the sensitive-endpoint map even though the roadmap title only called out uploads, client-error reporting, avatars, and admin/system workflows. Their current open routing makes them part of the same risk seam.\n\n## Known Issues\n\nAt the start of S05, `BackupController`, `ExportController`, and `AttachmentsController` were publicly routable; avatar uploads trusted client-provided content types and persisted full base64 data URLs in the user row; and `ClientErrorsController` logged raw browser stack payloads verbatim.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Controllers/AttachmentsController.cs`\n- `JobTrackerApi/Controllers/AuthController.cs`\n- `JobTrackerApi/Controllers/AdminSystemController.cs`\n- `JobTrackerApi/Controllers/BackupController.cs`\n- `JobTrackerApi/Controllers/ExportController.cs`\n- `JobTrackerApi/Controllers/ClientErrorsController.cs`\n- `JobTrackerApi.Tests/AttachmentsControllerTests.cs`\n- `JobTrackerApi.Tests/BackupControllerTests.cs`\n- `JobTrackerApi.Tests/AuthAndSystemControllerTests.cs`\n",
"description": "1. Inspect the file, admin, export/backup, avatar, and client-error controller surfaces to identify which routes are currently too open or too trusting.\n2. Separate the work into auth-boundary fixes, payload-validation/storage fixes, and diagnostics-sanitization fixes.\n3. Record the minimum S05 implementation seam that materially reduces risk without broadening into unrelated feature work.",
"estimate": "0.5 day",
"files": [
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/AdminSystemController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs",
"JobTrackerApi.Tests/AttachmentsControllerTests.cs",
"JobTrackerApi.Tests/BackupControllerTests.cs",
"JobTrackerApi.Tests/AuthAndSystemControllerTests.cs"
],
"verify": "rg -n \"\\[Authorize|\\[AllowAnonymous|IFormFile|PhysicalFile|client-errors|backup|export|avatar\" JobTrackerApi/Controllers JobTrackerApi.Tests -S",
"inputs": [
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/AdminSystemController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs",
"JobTrackerApi.Tests/AttachmentsControllerTests.cs",
"JobTrackerApi.Tests/BackupControllerTests.cs",
"JobTrackerApi.Tests/AuthAndSystemControllerTests.cs"
],
"expected_output": [
".gsd/milestones/M011/slices/S05/tasks/T01-SUMMARY.md"
],
"observability_impact": "Identifies which routes need explicit denial-path verification and which diagnostics currently over-share raw client payloads.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S05",
"id": "T02",
"title": "Hardened sensitive route auth, sanitized client-error logging, and tightened avatar validation against real image signatures.",
"status": "complete",
"one_liner": "Hardened sensitive route auth, sanitized client-error logging, and tightened avatar validation against real image signatures.",
"narrative": "I hardened the main sensitive endpoint paths identified in T01. `AttachmentsController`, `BackupController`, and `ExportController` now require explicit local authentication. `ClientErrorsController` now applies a bounded request size, normalizes/truncates free-form fields, summarizes stack traces into short previews, and logs hashes instead of raw browser stack payloads. `AuthController.UploadAvatar` now uses a tighter 1 MB request limit, requires a supported image extension, reads the uploaded bytes, and detects PNG/JPEG/WebP signatures before persisting a data URL so the server no longer trusts the browser's MIME label alone. I added focused tests for the new auth boundaries, sanitized client-error logging, and avatar signature rejection behavior.",
"verification_result": "Verified with focused controller tests and an API build covering attachments, backup/export auth boundaries, client-error sanitization, and avatar validation.",
"duration": "",
"completed_at": "2026-04-10T22:59:48.937Z",
"blocker_discovered": false,
"deviations": "I kept avatar persistence on the existing `AvatarImageDataUrl` field for this slice instead of redesigning storage, and hardened it by reducing size, validating file extensions, and sniffing real image signatures before persistence.",
"known_issues": "Avatar images are still stored inline on the user record as data URLs because changing the persistence model would broaden the slice. S05 hardens the existing path rather than redesigning it.",
"key_files": [
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs",
"JobTrackerApi.Tests/AttachmentsControllerTests.cs",
"JobTrackerApi.Tests/BackupControllerTests.cs",
"JobTrackerApi.Tests/ClientErrorsControllerTests.cs"
],
"key_decisions": [
"Require explicit local auth on backup, export, and attachments routes instead of relying on implicit ownership/query-filter behavior.",
"Sanitize client-error reports by logging bounded normalized fields, preview summaries, and hashes instead of raw browser stack payloads.",
"Validate avatars from detected bytes rather than trusting only client-provided content types."
],
"full_summary_md": "---\nid: T02\nparent: S05\nmilestone: M011\nkey_files:\n - JobTrackerApi/Controllers/AttachmentsController.cs\n - JobTrackerApi/Controllers/AuthController.cs\n - JobTrackerApi/Controllers/BackupController.cs\n - JobTrackerApi/Controllers/ExportController.cs\n - JobTrackerApi/Controllers/ClientErrorsController.cs\n - JobTrackerApi.Tests/AttachmentsControllerTests.cs\n - JobTrackerApi.Tests/BackupControllerTests.cs\n - JobTrackerApi.Tests/ClientErrorsControllerTests.cs\nkey_decisions:\n - Require explicit local auth on backup, export, and attachments routes instead of relying on implicit ownership/query-filter behavior.\n - Sanitize client-error reports by logging bounded normalized fields, preview summaries, and hashes instead of raw browser stack payloads.\n - Validate avatars from detected bytes rather than trusting only client-provided content types.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T22:59:48.936Z\nblocker_discovered: false\n---\n\n# T02: Hardened sensitive route auth, sanitized client-error logging, and tightened avatar validation against real image signatures.\n\n**Hardened sensitive route auth, sanitized client-error logging, and tightened avatar validation against real image signatures.**\n\n## What Happened\n\nI hardened the main sensitive endpoint paths identified in T01. `AttachmentsController`, `BackupController`, and `ExportController` now require explicit local authentication. `ClientErrorsController` now applies a bounded request size, normalizes/truncates free-form fields, summarizes stack traces into short previews, and logs hashes instead of raw browser stack payloads. `AuthController.UploadAvatar` now uses a tighter 1 MB request limit, requires a supported image extension, reads the uploaded bytes, and detects PNG/JPEG/WebP signatures before persisting a data URL so the server no longer trusts the browser's MIME label alone. I added focused tests for the new auth boundaries, sanitized client-error logging, and avatar signature rejection behavior.\n\n## Verification\n\nVerified with focused controller tests and an API build covering attachments, backup/export auth boundaries, client-error sanitization, and avatar validation.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AttachmentsControllerTests|FullyQualifiedName~BackupControllerTests|FullyQualifiedName~ClientErrorsControllerTests|FullyQualifiedName~AuthAndSystemControllerTests\"` | 0 | ✅ pass | 825ms |\n| 2 | `dotnet build JobTrackerApi/JobTrackerApi.csproj` | 0 | ✅ pass | 7920ms |\n\n## Deviations\n\nI kept avatar persistence on the existing `AvatarImageDataUrl` field for this slice instead of redesigning storage, and hardened it by reducing size, validating file extensions, and sniffing real image signatures before persistence.\n\n## Known Issues\n\nAvatar images are still stored inline on the user record as data URLs because changing the persistence model would broaden the slice. S05 hardens the existing path rather than redesigning it.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Controllers/AttachmentsController.cs`\n- `JobTrackerApi/Controllers/AuthController.cs`\n- `JobTrackerApi/Controllers/BackupController.cs`\n- `JobTrackerApi/Controllers/ExportController.cs`\n- `JobTrackerApi/Controllers/ClientErrorsController.cs`\n- `JobTrackerApi.Tests/AttachmentsControllerTests.cs`\n- `JobTrackerApi.Tests/BackupControllerTests.cs`\n- `JobTrackerApi.Tests/ClientErrorsControllerTests.cs`\n",
"description": "1. Require appropriate authorization on backup/export/attachment routes that currently rely only on implicit global filters or open routing.\n2. Tighten avatar and attachment validation/persistence so hostile content types or oversized payloads are rejected cleanly and storage behavior stays bounded.\n3. Replace raw client-error payload logging with a sanitized, size-bounded diagnostic contract that still preserves useful context.",
"estimate": "1.5-2 days",
"files": [
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs",
"JobTrackerApi.Tests/AttachmentsControllerTests.cs",
"JobTrackerApi.Tests/BackupControllerTests.cs",
"JobTrackerApi.Tests/AuthAndSystemControllerTests.cs"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AttachmentsControllerTests|FullyQualifiedName~BackupControllerTests|FullyQualifiedName~AuthAndSystemControllerTests\"\ndotnet build JobTrackerApi/JobTrackerApi.csproj",
"inputs": [
".gsd/milestones/M011/slices/S05/tasks/T01-SUMMARY.md",
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs"
],
"expected_output": [
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs",
"JobTrackerApi.Tests/AttachmentsControllerTests.cs",
"JobTrackerApi.Tests/BackupControllerTests.cs",
"JobTrackerApi.Tests/AuthAndSystemControllerTests.cs"
],
"observability_impact": "Rejected or sanitized sensitive payloads should leave bounded, structured logs instead of raw browser stacks or permissive open-route behavior.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S05",
"id": "T03",
"title": "Verified that the newly hardened sensitive routes deny anonymous runtime access and recorded the remaining `client-errors` auth constraint.",
"status": "complete",
"one_liner": "Verified that the newly hardened sensitive routes deny anonymous runtime access and recorded the remaining `client-errors` auth constraint.",
"narrative": "I verified the hardened routes against a live Development API. The app starts successfully, and the newly protected sensitive routes now reject anonymous access at runtime: `GET /api/export/jobs`, `POST /api/backup/encrypted`, and `GET /api/attachments/1` all return 401 without a session. The focused controller tests also remain green, covering the same auth-boundary changes plus client-error sanitization and avatar-signature validation. During the runtime pass I also checked `POST /api/client-errors`; under the current auth-required environment it returns 401 anonymously. Im recording that as a current behavior constraint rather than broadening the slice into an auth-policy redesign for pre-auth error reporting.",
"verification_result": "Verified with focused controller tests, a successful API build, a Development startup run on `http://localhost:5202`, and anonymous HTTP checks against export, backup, attachments, and client-error routes.",
"duration": "",
"completed_at": "2026-04-10T23:00:30.313Z",
"blocker_discovered": false,
"deviations": "The runtime pass showed `POST /api/client-errors` returns 401 for anonymous requests under the current environment-wide auth requirement. Im recording that as an observed behavior constraint rather than broadening S05 into a policy change about whether unauthenticated browser errors should be accepted.",
"known_issues": "In the current auth-required Development environment, anonymous `POST /api/client-errors` returns 401. That is safer than open anonymous logging, but it means login-page or pre-auth browser errors are not submitted unless the auth policy changes deliberately later.",
"key_files": [
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs",
"JobTrackerApi.Tests/AttachmentsControllerTests.cs",
"JobTrackerApi.Tests/BackupControllerTests.cs",
"JobTrackerApi.Tests/ClientErrorsControllerTests.cs"
],
"key_decisions": [
"Use runtime 401 checks against hardened routes as the final proof instead of relying only on reflection tests.",
"Record the current auth behavior on `client-errors` explicitly rather than silently treating it as either a bug or a feature."
],
"full_summary_md": "---\nid: T03\nparent: S05\nmilestone: M011\nkey_files:\n - JobTrackerApi/Controllers/AttachmentsController.cs\n - JobTrackerApi/Controllers/AuthController.cs\n - JobTrackerApi/Controllers/BackupController.cs\n - JobTrackerApi/Controllers/ExportController.cs\n - JobTrackerApi/Controllers/ClientErrorsController.cs\n - JobTrackerApi.Tests/AttachmentsControllerTests.cs\n - JobTrackerApi.Tests/BackupControllerTests.cs\n - JobTrackerApi.Tests/ClientErrorsControllerTests.cs\nkey_decisions:\n - Use runtime 401 checks against hardened routes as the final proof instead of relying only on reflection tests.\n - Record the current auth behavior on `client-errors` explicitly rather than silently treating it as either a bug or a feature.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T23:00:30.312Z\nblocker_discovered: false\n---\n\n# T03: Verified that the newly hardened sensitive routes deny anonymous runtime access and recorded the remaining `client-errors` auth constraint.\n\n**Verified that the newly hardened sensitive routes deny anonymous runtime access and recorded the remaining `client-errors` auth constraint.**\n\n## What Happened\n\nI verified the hardened routes against a live Development API. The app starts successfully, and the newly protected sensitive routes now reject anonymous access at runtime: `GET /api/export/jobs`, `POST /api/backup/encrypted`, and `GET /api/attachments/1` all return 401 without a session. The focused controller tests also remain green, covering the same auth-boundary changes plus client-error sanitization and avatar-signature validation. During the runtime pass I also checked `POST /api/client-errors`; under the current auth-required environment it returns 401 anonymously. Im recording that as a current behavior constraint rather than broadening the slice into an auth-policy redesign for pre-auth error reporting.\n\n## Verification\n\nVerified with focused controller tests, a successful API build, a Development startup run on `http://localhost:5202`, and anonymous HTTP checks against export, backup, attachments, and client-error routes.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AttachmentsControllerTests|FullyQualifiedName~BackupControllerTests|FullyQualifiedName~ClientErrorsControllerTests|FullyQualifiedName~AuthAndSystemControllerTests\"` | 0 | ✅ pass | 825ms |\n| 2 | `dotnet build JobTrackerApi/JobTrackerApi.csproj` | 0 | ✅ pass | 7920ms |\n| 3 | `GET http://localhost:5202/api/export/jobs` | 401 | ✅ pass | 0ms |\n| 4 | `POST http://localhost:5202/api/backup/encrypted` | 401 | ✅ pass | 0ms |\n| 5 | `GET http://localhost:5202/api/attachments/1` | 401 | ✅ pass | 0ms |\n| 6 | `POST http://localhost:5202/api/client-errors` | 401 | ✅ observed-constraint | 0ms |\n\n## Deviations\n\nThe runtime pass showed `POST /api/client-errors` returns 401 for anonymous requests under the current environment-wide auth requirement. Im recording that as an observed behavior constraint rather than broadening S05 into a policy change about whether unauthenticated browser errors should be accepted.\n\n## Known Issues\n\nIn the current auth-required Development environment, anonymous `POST /api/client-errors` returns 401. That is safer than open anonymous logging, but it means login-page or pre-auth browser errors are not submitted unless the auth policy changes deliberately later.\n\n## Files Created/Modified\n\n- `JobTrackerApi/Controllers/AttachmentsController.cs`\n- `JobTrackerApi/Controllers/AuthController.cs`\n- `JobTrackerApi/Controllers/BackupController.cs`\n- `JobTrackerApi/Controllers/ExportController.cs`\n- `JobTrackerApi/Controllers/ClientErrorsController.cs`\n- `JobTrackerApi.Tests/AttachmentsControllerTests.cs`\n- `JobTrackerApi.Tests/BackupControllerTests.cs`\n- `JobTrackerApi.Tests/ClientErrorsControllerTests.cs`\n",
"description": "1. Run focused controller tests covering authorized access, denied access, and malformed input for the hardened routes.\n2. Rebuild the API and, where practical, exercise the key auth-sensitive endpoints through HTTP to confirm the contract still behaves correctly.\n3. Record any remaining operational constraints without broadening S05 into unrelated admin UX work.",
"estimate": "0.5-1 day",
"files": [
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs",
"JobTrackerApi.Tests/AttachmentsControllerTests.cs",
"JobTrackerApi.Tests/BackupControllerTests.cs",
"JobTrackerApi.Tests/AuthAndSystemControllerTests.cs"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AttachmentsControllerTests|FullyQualifiedName~BackupControllerTests|FullyQualifiedName~AuthAndSystemControllerTests\"\ndotnet build JobTrackerApi/JobTrackerApi.csproj",
"inputs": [
"JobTrackerApi/Controllers/AttachmentsController.cs",
"JobTrackerApi/Controllers/AuthController.cs",
"JobTrackerApi/Controllers/BackupController.cs",
"JobTrackerApi/Controllers/ExportController.cs",
"JobTrackerApi/Controllers/ClientErrorsController.cs",
"JobTrackerApi.Tests/AttachmentsControllerTests.cs",
"JobTrackerApi.Tests/BackupControllerTests.cs",
"JobTrackerApi.Tests/AuthAndSystemControllerTests.cs"
],
"expected_output": [
".gsd/milestones/M011/slices/S05/tasks/T03-SUMMARY.md"
],
"observability_impact": "Verification should prove both successful authorized behavior and explicit denial/sanitization behavior for sensitive routes.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S06",
"id": "T01",
"title": "Mapped the real S06 seam around import-time AI startup, optional Ollama degradation, and API-side failure/metrics behavior.",
"status": "complete",
"one_liner": "Mapped the real S06 seam around import-time AI startup, optional Ollama degradation, and API-side failure/metrics behavior.",
"narrative": "I mapped the AI/Ollama reliability seam across the Python service, the .NET wrapper, and the deployment contract. The most important startup risk is in `tools/summarizer/app.py`: the Hugging Face model loads at import time unless `AI_SERVICE_SKIP_MODEL_LOAD=1`, which means service startup and health semantics are tightly coupled to heavy model initialization. Optional Ollama-backed CV classification uses synchronous request flow and explicit HTTP exceptions, but the surrounding capability story is still split between ad hoc endpoint behavior and `/health`. On the API side, `SummarizerService` tracks useful metrics and last-error state, but caller-facing failures for summarize and OCR often collapse to `null`, so degraded states are mostly diagnosable through admin metrics rather than through a richer service contract. Existing tests are minimal and structural: Python tests cover `health` without Ollama and basic CV classification shaping, while .NET tests only assert that the metrics contract exposes runtime device fields and that the summarizer cache key seam exists. That gives S06 a clean next seam: harden explicit capability reporting and degraded-path behavior in the Python service and .NET wrapper, then add focused tests for those scenarios.",
"verification_result": "Verified by inspecting the Python AI service, the .NET summarizer wrapper, deployment/runtime config, and existing focused tests for AI contract coverage.",
"duration": "",
"completed_at": "2026-04-10T23:20:01.927Z",
"blocker_discovered": false,
"deviations": "I included `docker-compose.yml` and the summarizer test module in the seam mapping because the runtime contract matters here as much as the code itself. S06s reliability issues cross the API, the Python service, and the container startup assumptions.",
"known_issues": "At the start of S06, the Python AI service loads the summarization model at import time unless `AI_SERVICE_SKIP_MODEL_LOAD=1`, Ollama calls are synchronous and optional but failure modes are coarse, and the .NET wrapper often collapses request failures to `null` with metrics carrying most of the detail after the fact.",
"key_files": [
"tools/summarizer/app.py",
"tools/summarizer/tests/test_app.py",
"JobTrackerApi/Services/SummarizerService.cs",
"JobTrackerApi.Tests/AuthAndSystemControllerTests.cs",
"JobTrackerApi.Tests/ProductionConfigTests.cs",
"JobTrackerApi.Tests/OwnershipGuardTests.cs",
"docker-compose.yml"
],
"key_decisions": [
"Treat import-time model load in `tools/summarizer/app.py` as the primary startup reliability seam rather than broadening immediately into model-quality work.",
"Treat AI reliability as two linked contracts: Python service capability reporting and API-side failure/metrics behavior.",
"Keep S06 focused on explicit degraded-path behavior and observability rather than redesigning all AI call sites."
],
"full_summary_md": "---\nid: T01\nparent: S06\nmilestone: M011\nkey_files:\n - tools/summarizer/app.py\n - tools/summarizer/tests/test_app.py\n - JobTrackerApi/Services/SummarizerService.cs\n - JobTrackerApi.Tests/AuthAndSystemControllerTests.cs\n - JobTrackerApi.Tests/ProductionConfigTests.cs\n - JobTrackerApi.Tests/OwnershipGuardTests.cs\n - docker-compose.yml\nkey_decisions:\n - Treat import-time model load in `tools/summarizer/app.py` as the primary startup reliability seam rather than broadening immediately into model-quality work.\n - Treat AI reliability as two linked contracts: Python service capability reporting and API-side failure/metrics behavior.\n - Keep S06 focused on explicit degraded-path behavior and observability rather than redesigning all AI call sites.\nduration: \nverification_result: mixed\ncompleted_at: 2026-04-10T23:20:01.926Z\nblocker_discovered: false\n---\n\n# T01: Mapped the real S06 seam around import-time AI startup, optional Ollama degradation, and API-side failure/metrics behavior.\n\n**Mapped the real S06 seam around import-time AI startup, optional Ollama degradation, and API-side failure/metrics behavior.**\n\n## What Happened\n\nI mapped the AI/Ollama reliability seam across the Python service, the .NET wrapper, and the deployment contract. The most important startup risk is in `tools/summarizer/app.py`: the Hugging Face model loads at import time unless `AI_SERVICE_SKIP_MODEL_LOAD=1`, which means service startup and health semantics are tightly coupled to heavy model initialization. Optional Ollama-backed CV classification uses synchronous request flow and explicit HTTP exceptions, but the surrounding capability story is still split between ad hoc endpoint behavior and `/health`. On the API side, `SummarizerService` tracks useful metrics and last-error state, but caller-facing failures for summarize and OCR often collapse to `null`, so degraded states are mostly diagnosable through admin metrics rather than through a richer service contract. Existing tests are minimal and structural: Python tests cover `health` without Ollama and basic CV classification shaping, while .NET tests only assert that the metrics contract exposes runtime device fields and that the summarizer cache key seam exists. That gives S06 a clean next seam: harden explicit capability reporting and degraded-path behavior in the Python service and .NET wrapper, then add focused tests for those scenarios.\n\n## Verification\n\nVerified by inspecting the Python AI service, the .NET summarizer wrapper, deployment/runtime config, and existing focused tests for AI contract coverage.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `rg -n \"OLLAMA|SKIP_MODEL_LOAD|/health|/summarize|/extract-text|RunProbeAsync|GetMetricsAsync|LastError|Probe\" tools/summarizer JobTrackerApi/Services JobTrackerApi.Tests -S` | -1 | unknown (coerced from string) | 0ms |\n\n## Deviations\n\nI included `docker-compose.yml` and the summarizer test module in the seam mapping because the runtime contract matters here as much as the code itself. S06s reliability issues cross the API, the Python service, and the container startup assumptions.\n\n## Known Issues\n\nAt the start of S06, the Python AI service loads the summarization model at import time unless `AI_SERVICE_SKIP_MODEL_LOAD=1`, Ollama calls are synchronous and optional but failure modes are coarse, and the .NET wrapper often collapses request failures to `null` with metrics carrying most of the detail after the fact.\n\n## Files Created/Modified\n\n- `tools/summarizer/app.py`\n- `tools/summarizer/tests/test_app.py`\n- `JobTrackerApi/Services/SummarizerService.cs`\n- `JobTrackerApi.Tests/AuthAndSystemControllerTests.cs`\n- `JobTrackerApi.Tests/ProductionConfigTests.cs`\n- `JobTrackerApi.Tests/OwnershipGuardTests.cs`\n- `docker-compose.yml`\n",
"description": "1. Inspect `tools/summarizer/app.py`, `JobTrackerApi/Services/SummarizerService.cs`, and current tests to map the real reliability seams: import-time model load, synchronous Ollama calls, OCR extraction limits, probe assumptions, and silent API-side failure handling.\n2. Separate the work into service-contract hardening, API metrics/failure-surface hardening, and verification.\n3. Record the narrowest S06 implementation seam that materially improves operability without redesigning the whole AI stack.",
"estimate": "0.5 day",
"files": [
"tools/summarizer/app.py",
"tools/summarizer/tests/test_app.py",
"JobTrackerApi/Services/SummarizerService.cs",
"JobTrackerApi/Controllers/AdminSystemController.cs",
"tools/summarizer/README.md",
"docker-compose.yml"
],
"verify": "rg -n \"OLLAMA|SKIP_MODEL_LOAD|/health|/summarize|/extract-text|RunProbeAsync|GetMetricsAsync|LastError|Probe\" tools/summarizer JobTrackerApi/Services JobTrackerApi.Tests -S",
"inputs": [
"tools/summarizer/app.py",
"tools/summarizer/tests/test_app.py",
"JobTrackerApi/Services/SummarizerService.cs",
"JobTrackerApi/Controllers/AdminSystemController.cs",
"tools/summarizer/README.md",
"docker-compose.yml"
],
"expected_output": [
".gsd/milestones/M011/slices/S06/tasks/T01-SUMMARY.md"
],
"observability_impact": "Maps which AI failures are currently collapsed together and which capability states are already surfaced versus still implicit.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S06",
"id": "T02",
"title": "Hardened AI/Ollama capability reporting with lazy model loading, explicit degraded health state, and clearer API-side error interpretation.",
"status": "complete",
"one_liner": "Hardened AI/Ollama capability reporting with lazy model loading, explicit degraded health state, and clearer API-side error interpretation.",
"narrative": "I hardened the AI reliability contract across both sides of the boundary. In `tools/summarizer/app.py`, the summarization model now loads lazily instead of at module import by default. The service tracks explicit runtime state through `MODEL_LOADED`, `MODEL_DISABLED`, and `MODEL_LOAD_ERROR`, and `/health` now reports `model_loaded`, `model_disabled`, `summarize_available`, and `model_load_error` without forcing a hidden warm-up. The `/summarize` path still loads the model on demand, but when model loading is disabled or fails it now returns a clear 503 reason instead of a generic missing-model message. I expanded `tools/summarizer/tests/test_app.py` to cover the disabled-model health path, explicit 503 summarize behavior, and configured-but-unreachable Ollama behavior. On the .NET side, `SummarizerService` now preserves more useful detail from failed summarize/OCR/probe responses, and `GetMetricsAsync` now treats `summarize_available=false` from `/health` as unhealthy so the admin/system metrics surface does not misreport the AI service as healthy just because the HTTP endpoint responded 200.",
"verification_result": "Verified with the summarizer Python test suite via the project bootstrap script, focused .NET tests, and repeated API builds after the AI-service contract changes.",
"duration": "",
"completed_at": "2026-04-10T23:24:03.785Z",
"blocker_discovered": false,
"deviations": "I kept the existing `AiServiceMetrics` shape instead of widening it with new model-state fields. Instead, I propagated the new Python health semantics through the existing `Healthy` and `LastError` interpretation so the admin/API surface becomes clearer without broad contract churn.",
"known_issues": "`AiServiceMetrics` still does not expose dedicated fields for model-loaded versus model-disabled state; that detail is currently conveyed through the Python `/health` payload and the .NET `Healthy`/`LastError` interpretation rather than a widened .NET DTO.",
"key_files": [
"tools/summarizer/app.py",
"tools/summarizer/tests/test_app.py",
"JobTrackerApi/Services/SummarizerService.cs",
"tools/summarizer/README.md"
],
"key_decisions": [
"Make the Python summarizer model load lazy by default instead of import-time eager, and expose that state explicitly through `/health`.",
"Treat `summarize_available=false` from the Python service as unhealthy in the .NET metrics layer so the admin surface does not report a false healthy state when summarization is disabled or failed to load.",
"Preserve the existing caller-facing `null` return contract in `SummarizerService` for now, but improve the recorded error detail from failed AI/probe/OCR responses."
],
"full_summary_md": "---\nid: T02\nparent: S06\nmilestone: M011\nkey_files:\n - tools/summarizer/app.py\n - tools/summarizer/tests/test_app.py\n - JobTrackerApi/Services/SummarizerService.cs\n - tools/summarizer/README.md\nkey_decisions:\n - Make the Python summarizer model load lazy by default instead of import-time eager, and expose that state explicitly through `/health`.\n - Treat `summarize_available=false` from the Python service as unhealthy in the .NET metrics layer so the admin surface does not report a false healthy state when summarization is disabled or failed to load.\n - Preserve the existing caller-facing `null` return contract in `SummarizerService` for now, but improve the recorded error detail from failed AI/probe/OCR responses.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T23:24:03.783Z\nblocker_discovered: false\n---\n\n# T02: Hardened AI/Ollama capability reporting with lazy model loading, explicit degraded health state, and clearer API-side error interpretation.\n\n**Hardened AI/Ollama capability reporting with lazy model loading, explicit degraded health state, and clearer API-side error interpretation.**\n\n## What Happened\n\nI hardened the AI reliability contract across both sides of the boundary. In `tools/summarizer/app.py`, the summarization model now loads lazily instead of at module import by default. The service tracks explicit runtime state through `MODEL_LOADED`, `MODEL_DISABLED`, and `MODEL_LOAD_ERROR`, and `/health` now reports `model_loaded`, `model_disabled`, `summarize_available`, and `model_load_error` without forcing a hidden warm-up. The `/summarize` path still loads the model on demand, but when model loading is disabled or fails it now returns a clear 503 reason instead of a generic missing-model message. I expanded `tools/summarizer/tests/test_app.py` to cover the disabled-model health path, explicit 503 summarize behavior, and configured-but-unreachable Ollama behavior. On the .NET side, `SummarizerService` now preserves more useful detail from failed summarize/OCR/probe responses, and `GetMetricsAsync` now treats `summarize_available=false` from `/health` as unhealthy so the admin/system metrics surface does not misreport the AI service as healthy just because the HTTP endpoint responded 200.\n\n## Verification\n\nVerified with the summarizer Python test suite via the project bootstrap script, focused .NET tests, and repeated API builds after the AI-service contract changes.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `cd tools/summarizer && ./scripts/bootstrap-and-test.sh test` | 0 | ✅ pass | 3090ms |\n| 2 | `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"` | 0 | ✅ pass | 171ms |\n| 3 | `dotnet build JobTrackerApi/JobTrackerApi.csproj` | 0 | ✅ pass | 3680ms |\n\n## Deviations\n\nI kept the existing `AiServiceMetrics` shape instead of widening it with new model-state fields. Instead, I propagated the new Python health semantics through the existing `Healthy` and `LastError` interpretation so the admin/API surface becomes clearer without broad contract churn.\n\n## Known Issues\n\n`AiServiceMetrics` still does not expose dedicated fields for model-loaded versus model-disabled state; that detail is currently conveyed through the Python `/health` payload and the .NET `Healthy`/`LastError` interpretation rather than a widened .NET DTO.\n\n## Files Created/Modified\n\n- `tools/summarizer/app.py`\n- `tools/summarizer/tests/test_app.py`\n- `JobTrackerApi/Services/SummarizerService.cs`\n- `tools/summarizer/README.md`\n",
"description": "1. Harden the Python AI service so model-load, health, summarize, OCR, and optional Ollama paths expose explicit capability/failure state without blocking unrelated features unnecessarily.\n2. Tighten the API summarizer service so failed AI calls preserve more useful diagnostics/metrics and degrade predictably for callers.\n3. Add or update focused tests for degraded Ollama/model scenarios and the API-side metrics/failure contract.",
"estimate": "1.5-2.5 days",
"files": [
"tools/summarizer/app.py",
"tools/summarizer/tests/test_app.py",
"JobTrackerApi/Services/SummarizerService.cs",
"JobTrackerApi.Tests",
"tools/summarizer/README.md"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"\ncd tools/summarizer && ./scripts/bootstrap-and-test.sh test",
"inputs": [
".gsd/milestones/M011/slices/S06/tasks/T01-SUMMARY.md",
"tools/summarizer/app.py",
"JobTrackerApi/Services/SummarizerService.cs"
],
"expected_output": [
"tools/summarizer/app.py",
"tools/summarizer/tests/test_app.py",
"JobTrackerApi/Services/SummarizerService.cs",
"JobTrackerApi.Tests/",
"tools/summarizer/README.md"
],
"observability_impact": "Healthy versus degraded AI capability states should become visible through health/metrics surfaces and tests should cover bounded failure behavior.",
"full_plan_md": "",
"sequence": 0
},
{
"milestone_id": "M011",
"slice_id": "S06",
"id": "T03",
"title": "Verified the AI/Ollama reliability contract through focused Python and .NET tests and recorded the remaining environment-only limits.",
"status": "complete",
"one_liner": "Verified the AI/Ollama reliability contract through focused Python and .NET tests and recorded the remaining environment-only limits.",
"narrative": "I verified the hardened AI/Ollama contract at the right boundary for this slice. The Python summarizer tests now prove that `/health` reports explicit disabled-model state without forcing warm-up, that `/summarize` returns a clear 503 when model loading is disabled, and that configured-but-unreachable Ollama is surfaced cleanly through health metadata. The focused .NET tests still pass after the `SummarizerService` changes, and the API builds cleanly. Together that gives the slice the evidence it needed: the AI service can describe its own degraded capability state, the API no longer treats `summarize_available=false` as healthy, and the remaining limits are environment/model-deployment concerns rather than hidden contract ambiguity.",
"verification_result": "Verified with `cd tools/summarizer && ./scripts/bootstrap-and-test.sh test`, `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"`, and `dotnet build JobTrackerApi/JobTrackerApi.csproj`.",
"duration": "",
"completed_at": "2026-04-10T23:24:23.066Z",
"blocker_discovered": false,
"deviations": "Verification stayed at the focused test and health-contract level instead of running a full live Ollama stack. That was the right boundary for S06 because the slice target was explicit degraded behavior and capability reporting, not proving a specific local model deployment.",
"known_issues": "Live verification against a real local Ollama instance was not required for this slice. The contract is now explicit for configured-but-unreachable and model-disabled states, but actual model pull/load latency remains environment-dependent.",
"key_files": [
"tools/summarizer/app.py",
"tools/summarizer/tests/test_app.py",
"JobTrackerApi/Services/SummarizerService.cs",
"tools/summarizer/README.md"
],
"key_decisions": [
"Use the project bootstrap script for Python verification instead of assuming host-level `pytest` availability.",
"Treat environment-missing Ollama as a degraded-path contract to verify, not a blocker for completing the slice."
],
"full_summary_md": "---\nid: T03\nparent: S06\nmilestone: M011\nkey_files:\n - tools/summarizer/app.py\n - tools/summarizer/tests/test_app.py\n - JobTrackerApi/Services/SummarizerService.cs\n - tools/summarizer/README.md\nkey_decisions:\n - Use the project bootstrap script for Python verification instead of assuming host-level `pytest` availability.\n - Treat environment-missing Ollama as a degraded-path contract to verify, not a blocker for completing the slice.\nduration: \nverification_result: passed\ncompleted_at: 2026-04-10T23:24:23.065Z\nblocker_discovered: false\n---\n\n# T03: Verified the AI/Ollama reliability contract through focused Python and .NET tests and recorded the remaining environment-only limits.\n\n**Verified the AI/Ollama reliability contract through focused Python and .NET tests and recorded the remaining environment-only limits.**\n\n## What Happened\n\nI verified the hardened AI/Ollama contract at the right boundary for this slice. The Python summarizer tests now prove that `/health` reports explicit disabled-model state without forcing warm-up, that `/summarize` returns a clear 503 when model loading is disabled, and that configured-but-unreachable Ollama is surfaced cleanly through health metadata. The focused .NET tests still pass after the `SummarizerService` changes, and the API builds cleanly. Together that gives the slice the evidence it needed: the AI service can describe its own degraded capability state, the API no longer treats `summarize_available=false` as healthy, and the remaining limits are environment/model-deployment concerns rather than hidden contract ambiguity.\n\n## Verification\n\nVerified with `cd tools/summarizer && ./scripts/bootstrap-and-test.sh test`, `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"`, and `dotnet build JobTrackerApi/JobTrackerApi.csproj`.\n\n## Verification Evidence\n\n| # | Command | Exit Code | Verdict | Duration |\n|---|---------|-----------|---------|----------|\n| 1 | `cd tools/summarizer && ./scripts/bootstrap-and-test.sh test` | 0 | ✅ pass | 3090ms |\n| 2 | `dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"` | 0 | ✅ pass | 171ms |\n| 3 | `dotnet build JobTrackerApi/JobTrackerApi.csproj` | 0 | ✅ pass | 3680ms |\n\n## Deviations\n\nVerification stayed at the focused test and health-contract level instead of running a full live Ollama stack. That was the right boundary for S06 because the slice target was explicit degraded behavior and capability reporting, not proving a specific local model deployment.\n\n## Known Issues\n\nLive verification against a real local Ollama instance was not required for this slice. The contract is now explicit for configured-but-unreachable and model-disabled states, but actual model pull/load latency remains environment-dependent.\n\n## Files Created/Modified\n\n- `tools/summarizer/app.py`\n- `tools/summarizer/tests/test_app.py`\n- `JobTrackerApi/Services/SummarizerService.cs`\n- `tools/summarizer/README.md`\n",
"description": "1. Verify the hardened AI/Ollama contract with focused .NET and Python tests plus health/behavior checks where practical.\n2. Confirm the API/admin metrics surface still reports useful capability state without requiring a fully healthy Ollama instance.\n3. Record any remaining environment-only limitations separately from product behavior.",
"estimate": "0.5-1 day",
"files": [
"tools/summarizer/app.py",
"tools/summarizer/tests/test_app.py",
"JobTrackerApi/Services/SummarizerService.cs",
"JobTrackerApi/Controllers/AdminSystemController.cs",
"JobTrackerApi.Tests"
],
"verify": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"\ncd tools/summarizer && ./scripts/bootstrap-and-test.sh test",
"inputs": [
"tools/summarizer/app.py",
"tools/summarizer/tests/test_app.py",
"JobTrackerApi/Services/SummarizerService.cs",
"JobTrackerApi/Controllers/AdminSystemController.cs",
"JobTrackerApi.Tests"
],
"expected_output": [
".gsd/milestones/M011/slices/S06/tasks/T03-SUMMARY.md"
],
"observability_impact": "Verification should prove that AI capability state stays explicit under both available and degraded dependency conditions.",
"full_plan_md": "",
"sequence": 0
}
],
"decisions": [
{
"seq": 1,
"id": "D001",
"when_context": "M001",
"scope": "scope",
"decision": "Product entry point",
"choice": "External job discovery, then import into the app",
"rationale": "The user finds jobs on job sites first; the app begins when a role is imported.",
"revisable": "No",
"made_by": "collaborative",
"superseded_by": null
},
{
"seq": 2,
"id": "D002",
"when_context": "M001",
"scope": "pattern",
"decision": "AI action model",
"choice": "Assistive drafting and analysis only; no autonomous sending",
"rationale": "The user wants AI help but explicitly does not want auto-send or auto-apply behavior.",
"revisable": "No",
"made_by": "collaborative",
"superseded_by": null
},
{
"seq": 3,
"id": "D003",
"when_context": "M001",
"scope": "scope",
"decision": "Primary user",
"choice": "Individual job seeker",
"rationale": "The product is designed for individuals managing their own search, not recruiter or team workflows.",
"revisable": "Yes — if product direction changes later",
"made_by": "collaborative",
"superseded_by": null
},
{
"seq": 4,
"id": "D004",
"when_context": "M001",
"scope": "pattern",
"decision": "Daily navigation hierarchy",
"choice": "Job table first, then follow-up/dashboard, then individual job workspace",
"rationale": "The user explicitly described this as the intended control flow for daily use.",
"revisable": "Yes — if real usage disproves the hierarchy",
"made_by": "collaborative",
"superseded_by": null
},
{
"seq": 5,
"id": "D005",
"when_context": "M001",
"scope": "roadmap",
"decision": "First milestone focus",
"choice": "Prioritize Gmail import quality and AI draft quality before broader expansion",
"rationale": "The user identified Gmail import and AI drafts as the weakest current areas and the first bar for daily use.",
"revisable": "Yes — if execution proves another blocker is more fundamental",
"made_by": "collaborative",
"superseded_by": null
},
{
"seq": 6,
"id": "D006",
"when_context": "M001/S02",
"scope": "workspace-persistence",
"decision": "How the saved application answer draft should persist inside the job workspace before a dedicated field exists",
"choice": "Store the application answer draft in a replaceable notes block and make SaveApplicationDrafts overwrite notes when notes are explicitly provided",
"rationale": "The existing append-only notes behavior made the Tailored CV workspace untrustworthy because repeated saves duplicated the application answer indefinitely. A replaceable notes block preserves current schema compatibility while giving the workspace a stable saved/read-back loop for later slices.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 7,
"id": "D007",
"when_context": "M001/S01",
"scope": "gmail-continuity",
"decision": "What “good Gmail import” now means for M001",
"choice": "Treat Gmail import as full-thread continuity: the user must be able to import the whole relevant thread, and already-linked Gmail threads must refresh automatically so later inbound messages and user-sent replies appear on the job without manual re-import. This supersedes the narrower one-time-import interpretation inside D005s Gmail-import focus.",
"rationale": "The user explicitly asked whether the app can bring the whole email thread and automatically show their reply later without re-pulling/importing again. That changes the trust bar from “find and import the right message” to “keep the linked thread current over time,” while still preserving the no-auto-send boundary from D002.",
"revisable": "Yes — if Gmail API or product constraints later require a different sync model",
"made_by": "human",
"superseded_by": null
},
{
"seq": 8,
"id": "D008",
"when_context": "M001/S01 planning",
"scope": "gmail-sync",
"decision": "How linked Gmail threads stay current in S01",
"choice": "Use a job-scoped refresh flow over already-imported Gmail thread IDs, triggered from the job workspace/API, instead of building inbox-wide Gmail watch/history cursor infrastructure in M001.",
"rationale": "The codebase already persists ExternalThreadId per correspondence and lacks Gmail history/watch infrastructure. Fetching known linked threads for one job keeps scope bounded, fits the single-user workspace model, supports duplicate-safe import of new inbound and sent replies, and creates a trustworthy continuity loop without adding brittle webhook/cursor state before the milestone proves value.",
"revisable": "Yes — if real usage shows job-scoped pull refresh is too slow or misses important continuity cases.",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 9,
"id": "D009",
"when_context": "M001/S01 closure",
"scope": "gmail-matching",
"decision": "Where Gmail candidate aggregation and ranking logic should live for job-aware import",
"choice": "Keep Gmail query-hit aggregation, dedupe, matched-query traces, and ranking reasons in the backend contract instead of recreating that logic in the React workspace.",
"rationale": "The correspondence workspace needs explanatory candidate ranking plus duplicate visibility, and putting the logic in the API keeps one source of truth for scoring/import state while preventing browser-side heuristic drift.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 10,
"id": "D010",
"when_context": "M001/S03 closeout",
"scope": "followup-drafting",
"decision": "How follow-up grounding should be exposed to the workspace",
"choice": "Return explicit follow-up grounding fields (`contextSummary`, `contextSignals`, `threadSubject`, and last-correspondence metadata) from the backend DTO instead of making the React workspace infer them client-side.",
"rationale": "The slice needed draft trust, not just draft text. Putting grounding signals in the API contract gives the UI a durable explanation surface, keeps thread/package inference in one place with generation logic, and makes backend/frontend tests assert the same source of truth.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 11,
"id": "D011",
"when_context": "M001/S05 planning",
"scope": "workflow-trust",
"decision": "How S05 should represent daily-loop readiness and next-action state across overview surfaces",
"choice": "Introduce explicit workflow trust/action signals from the backend/UI contract and reuse them across the table, dashboard, reminders, and shared workspace instead of continuing to infer behavior from free-form `followUpReason` strings or raw `notes` presence in each component.",
"rationale": "S05 is an end-to-end polish slice where the remaining risk is fragmented trust, not missing subsystems. Centralizing workflow signals avoids heuristic drift between overview surfaces, respects the saved application-answer notes-block constraint, and gives the final integrated regression one source of truth for R010 while preserving the explicit manual-send boundary required by R008.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 12,
"id": "D012",
"when_context": "M001/S05",
"scope": "workspace-observability",
"decision": "Where linked Gmail thread continuity status should be exposed in the final trust loop",
"choice": "Show linked-thread refresh state directly in the correspondence workspace, including linked thread count and last refresh outcome, instead of hiding continuity feedback inside the Gmail import modal only.",
"rationale": "The end-to-end trust loop depends on users being able to verify that already-linked Gmail threads stay current without re-importing. Surfacing continuity state in the main workspace keeps the job timeline trustworthy, supports final UAT, and avoids making thread refresh feel like a hidden one-off import behavior.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 13,
"id": "D013",
"when_context": "M001/S06/T02",
"scope": "seeding",
"decision": "How acceptance-ready job data is created for S06 live reruns",
"choice": "Seed the acceptance fixture through the live companies/jobapplications/correspondence API plus the dedicated tailored-cv, application-drafts, and followup endpoints, using deterministic company/title/thread/message identifiers for idempotent reruns.",
"rationale": "The slice goal is a repeatable live environment check, so seeding through the same HTTP contract the UI uses proves the real backend surface, keeps package/readiness behavior aligned with production code paths, and avoids brittle direct DB mutations or duplicate correspondence on reruns.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 14,
"id": "D014",
"when_context": "M001/S06/T03",
"scope": "acceptance-run",
"decision": "How the S06 live acceptance runner should authenticate seeding and protected UI verification without requiring manual token export every rerun.",
"choice": "Allow the S06 acceptance runner to mint a localhost-only admin JWT from the checked-in dev JWT settings plus the local SQLite admin record when AUTH_TOKEN is missing.",
"rationale": "The current DB snapshot contains an admin user but the placeholder development password is not reliable, and the tasks verification command must stay repeatable. A localhost-only signed JWT fallback keeps the run fully local, avoids secret prompts, does not print token material, and still exercises the real protected API/UI paths.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 15,
"id": "D015",
"when_context": "M001/S06",
"scope": "environment",
"decision": "S06 preflight auth handling",
"choice": "Treat /api/auth/config reachability plus an auth-limited /api/admin/system probe as a guided partial-pass, and never echo bearer tokens in preflight output.",
"rationale": "S06 needs a repeatable go/no-go gate before browser UAT. The live stack can be healthy even when admin-only diagnostics require an extra token, so the preflight should fail hard only for unreachable/malformed API responses while still surfacing clear AUTH_TOKEN guidance and protecting secrets on shared terminals.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 16,
"id": "D016",
"when_context": "M001/S07",
"scope": "uat-artifact",
"decision": "How S07 daily-loop closure should capture acceptance evidence",
"choice": "Keep docs/s06-acceptance-run.md as the canonical execution log and use S07 closure artifacts to summarize/import the cross-surface proof rather than duplicating raw runner output.",
"rationale": "S07's job is to prove one seeded job stays coherent across /jobs, workspace, /reminders, and /dashboard while preserving the manual-send boundary. Reusing the S06 runner output as the canonical source keeps reruns idempotent, prevents drift between generated logs and human summary text, and gives downstream slices one stable place for detailed evidence plus one concise dependency summary.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 17,
"id": "D017",
"when_context": "M005 planning",
"scope": "delivery",
"decision": "How M005 execution should be staged and published",
"choice": "Execute M005 one slice at a time, verify each slice independently, push each slice on its own git branch, then continue to the next slice only after the prior slice is stable.",
"rationale": "The CV intelligence/export milestone is high-risk and multi-layered. Slice-by-slice branching and push discipline will keep extraction, tailored draft, and PDF rendering changes reviewable and reduce regression blast radius.",
"revisable": "Yes",
"made_by": "human",
"superseded_by": null
},
{
"seq": 18,
"id": "D018",
"when_context": "M005 planning",
"scope": "verification",
"decision": "What document corpus should drive universal CV extraction verification",
"choice": "Use the real CV files placed in /home/pi/cvs as a regression corpus for universal extractor work, alongside synthetic/unit fixtures.",
"rationale": "A universal CV extractor cannot be validated only against synthetic fixtures. Real CVs with different layouts, OCR quality, and structure are required to test extraction, review UX, and rendering assumptions.",
"revisable": "Yes",
"made_by": "human",
"superseded_by": null
},
{
"seq": 19,
"id": "D019",
"when_context": "M011/S01",
"scope": "frontend-platform",
"decision": "How to handle frontend build-tool risk during the initial platform hardening slice",
"choice": "Remediate the direct critical frontend dependency immediately, keep the CRA baseline for the next hardening slice, and defer the broader frontend build-tool migration to a later dedicated implementation step.",
"rationale": "The audit showed one critical direct dependency issue (`axios`) and a large remaining body of transitive risk concentrated behind `react-scripts`. Upgrading the direct dependency removed the critical finding with low change surface, restored a reproducible local and Docker build baseline, and avoids coupling S02 auth/session work to a framework migration. The remaining CRA transitive debt is still real, but it is now a contained follow-on migration concern rather than an immediate blocker.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 20,
"id": "D020",
"when_context": "M011/S02",
"scope": "authentication",
"decision": "What session transport should replace browser-stored bearer tokens in the frontend and API",
"choice": "Use an HttpOnly cookie-backed app session for the primary local auth path, have the API read the local app JWT from a secure cookie instead of browser storage, keep Google credential exchange server-side, and add CSRF protection for state-changing requests.",
"rationale": "The current design stores the app bearer token in localStorage/sessionStorage and attaches it via an Authorization header on every request, which leaves the primary local auth path exposed to XSS-driven token theft. A cookie-backed session keeps the app token out of browser storage, lets the API enforce the local auth path centrally, preserves existing JWT-based authorization semantics on the server, and gives the frontend a cleaner source of truth through `/auth/me` and explicit unauthorized responses. Adding CSRF protection alongside the cookie keeps state-changing requests safe under the new transport.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
},
{
"seq": 21,
"id": "D021",
"when_context": "M011/S03/T01",
"scope": "frontend-architecture",
"decision": "How to centralize degraded-state handling for the core frontend views in S03.",
"choice": "Use a lightweight shared frontend async-view-state pattern for S03 instead of introducing a new global data-fetching framework in this slice.",
"rationale": "The current risk is not lack of a full query library; it is that core views swallow request failures into empty arrays or nulls and then render normal empty states. A small shared abstraction for loading/empty/error/retry state can retire that product risk quickly across the highest-traffic views without broadening S03 into a framework migration or destabilizing the existing app.",
"revisable": "Yes",
"made_by": "agent",
"superseded_by": null
}
],
"verification_evidence": [
{
"id": 1,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "Baseline: `cd job-tracker-ui && npm audit --audit-level=moderate --json` showed 28 vulnerabilities including 1 critical direct finding on axios <1.15.0.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.983Z"
},
{
"id": 2,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "Baseline: `cd job-tracker-ui && npm run build` initially failed with EACCES because `job-tracker-ui/build/static` contained root-owned files.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.983Z"
},
{
"id": 3,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "After remediation: `cd job-tracker-ui && npm install` updated axios to 1.15.0 and removed the direct critical vulnerability.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.984Z"
},
{
"id": 4,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "After remediation: `cd job-tracker-ui && npm audit --audit-level=moderate --json` showed 27 remaining vulnerabilities and 0 critical findings.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.984Z"
},
{
"id": 5,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "After remediation: `cd job-tracker-ui && npm run build` completed successfully.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.984Z"
},
{
"id": 6,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "Compatibility check: `docker run --rm -v ... node:20-alpine sh -lc 'npm ci'` initially failed on a lockfile mismatch (`Missing: yaml@2.8.3 from lock file`).",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.984Z"
},
{
"id": 7,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "Compatibility fix: `docker run --rm --user 1000:1000 -v ... node:20-alpine sh -lc 'npm install'` regenerated the lockfile using the same npm major version as the Docker image.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.984Z"
},
{
"id": 8,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "After compatibility fix: `docker run --rm -v ... node:20-alpine sh -lc 'npm ci --foreground-scripts=false'` completed successfully.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.984Z"
},
{
"id": 9,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "Container verification: `cd /home/pi/development/JobTracker && docker compose build frontend` completed successfully.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.984Z"
},
{
"id": 10,
"task_id": "T01",
"slice_id": "S01",
"milestone_id": "M011",
"command": "Regression signal: `cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false` finished with 16 passing suites and 2 failing suites (`daily-control-loop.test.tsx`, `end-to-end-trust-loop.test.tsx`) that appear unrelated to the dependency remediation itself.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:45:12.984Z"
},
{
"id": 11,
"task_id": "T02",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`cd job-tracker-ui && npm install` updated axios to 1.15.0 and synchronized the package tree.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:46:52.965Z"
},
{
"id": 12,
"task_id": "T02",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`cd job-tracker-ui && npm run build` succeeded after the workspace cleanup.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:46:52.965Z"
},
{
"id": 13,
"task_id": "T02",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`docker run --rm --user 1000:1000 -v /home/pi/development/JobTracker/job-tracker-ui:/app -w /app node:20-alpine sh -lc 'npm install'` regenerated the lockfile for the container toolchain.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:46:52.965Z"
},
{
"id": 14,
"task_id": "T02",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`docker run --rm -v /home/pi/development/JobTracker/job-tracker-ui:/app -w /app node:20-alpine sh -lc 'npm ci --foreground-scripts=false'` succeeded.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:46:52.965Z"
},
{
"id": 15,
"task_id": "T02",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`cd /home/pi/development/JobTracker && docker compose build frontend` succeeded.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:46:52.965Z"
},
{
"id": 16,
"task_id": "T03",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`cd job-tracker-ui && npm audit --audit-level=moderate --json` now reports 0 critical findings and 27 remaining transitive findings.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:47:07.042Z"
},
{
"id": 17,
"task_id": "T03",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`cd job-tracker-ui && npm run build` succeeded.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:47:07.042Z"
},
{
"id": 18,
"task_id": "T03",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`docker run --rm -v /home/pi/development/JobTracker/job-tracker-ui:/app -w /app node:20-alpine sh -lc 'npm ci --foreground-scripts=false'` succeeded.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:47:07.042Z"
},
{
"id": 19,
"task_id": "T03",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`cd /home/pi/development/JobTracker && docker compose build frontend` succeeded.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:47:07.042Z"
},
{
"id": 20,
"task_id": "T03",
"slice_id": "S01",
"milestone_id": "M011",
"command": "`cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false` produced 16 passing suites and 2 failing suites, leaving a clear follow-up list instead of an unverified baseline.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:47:07.042Z"
},
{
"id": 21,
"task_id": "T01",
"slice_id": "S02",
"milestone_id": "M011",
"command": "`rg -n \"authToken|Authorization|Bearer|clearAuthToken|setAuthToken|getAuthToken|JwtBearer|TokenService|request-password-reset|login|logout\" job-tracker-ui/src JobTrackerApi -S` enumerated the frontend and API auth touchpoints.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:49:40.585Z"
},
{
"id": 22,
"task_id": "T01",
"slice_id": "S02",
"milestone_id": "M011",
"command": "Reviewed `job-tracker-ui/src/auth.ts` and confirmed that localStorage/sessionStorage currently hold the app token.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:49:40.585Z"
},
{
"id": 23,
"task_id": "T01",
"slice_id": "S02",
"milestone_id": "M011",
"command": "Reviewed `job-tracker-ui/src/api.ts` and confirmed the Authorization header is attached from browser storage on each request.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:49:40.585Z"
},
{
"id": 24,
"task_id": "T01",
"slice_id": "S02",
"milestone_id": "M011",
"command": "Reviewed `job-tracker-ui/src/App.tsx`, `LoginPage.tsx`, `GoogleAuthCard.tsx`, `AuthStatusCard.tsx`, `UserManagementCard.tsx`, and `themePrefs.ts` to identify direct frontend dependencies on browser-stored JWT state.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:49:40.585Z"
},
{
"id": 25,
"task_id": "T01",
"slice_id": "S02",
"milestone_id": "M011",
"command": "Reviewed `JobTrackerApi/Controllers/AuthController.cs`, `JobTrackerApi/Services/TokenService.cs`, and `JobTrackerApi/Program.cs` to confirm local app auth is currently JWT Bearer-based and returned directly to the frontend.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T16:49:40.585Z"
},
{
"id": 26,
"task_id": "T02",
"slice_id": "S02",
"milestone_id": "M011",
"command": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter FullyQualifiedName~Auth",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 163,
"created_at": "2026-04-10T19:57:16.245Z"
},
{
"id": 27,
"task_id": "T02",
"slice_id": "S02",
"milestone_id": "M011",
"command": "cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/login-page.test.tsx src/profile-page.test.tsx",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 15267,
"created_at": "2026-04-10T19:57:16.245Z"
},
{
"id": 28,
"task_id": "T02",
"slice_id": "S02",
"milestone_id": "M011",
"command": "dotnet build JobTrackerApi/JobTrackerApi.csproj",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 5430,
"created_at": "2026-04-10T19:57:16.245Z"
},
{
"id": 29,
"task_id": "T02",
"slice_id": "S02",
"milestone_id": "M011",
"command": "cd job-tracker-ui && npm run build",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T19:57:16.245Z"
},
{
"id": 30,
"task_id": "T03",
"slice_id": "S02",
"milestone_id": "M011",
"command": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter FullyQualifiedName~Auth",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 163,
"created_at": "2026-04-10T19:57:41.019Z"
},
{
"id": 31,
"task_id": "T03",
"slice_id": "S02",
"milestone_id": "M011",
"command": "cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/login-page.test.tsx src/profile-page.test.tsx",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 15267,
"created_at": "2026-04-10T19:57:41.019Z"
},
{
"id": 32,
"task_id": "T03",
"slice_id": "S02",
"milestone_id": "M011",
"command": "cd job-tracker-ui && npm run build",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T19:57:41.019Z"
},
{
"id": 33,
"task_id": "T03",
"slice_id": "S02",
"milestone_id": "M011",
"command": "Browser verification: navigating to http://localhost:3001/jobs redirected to /login with no failed requests in the observed pass.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T19:57:41.019Z"
},
{
"id": 34,
"task_id": "T03",
"slice_id": "S02",
"milestone_id": "M011",
"command": "HTTP verification: GET /api/auth/csrf returned 204 and set the XSRF-TOKEN cookie; GET /api/auth/me with only that cookie returned 401 Unauthorized as expected for no session.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T19:57:41.019Z"
},
{
"id": 35,
"task_id": "T01",
"slice_id": "S03",
"milestone_id": "M011",
"command": "rg -n \"catch\\(\\(\\) => \\[\\]\\)|catch\\(\\(\\) => set.*\\[\\]\\)|catch\\(\\(\\) => set.*null\\)|No jobs found|remindersNothing|companiesEmpty\" job-tracker-ui/src -S",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T22:05:25.917Z"
},
{
"id": 36,
"task_id": "T02",
"slice_id": "S03",
"milestone_id": "M011",
"command": "cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/daily-control-loop.test.tsx src/login-page.test.tsx src/profile-page.test.tsx",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 18627,
"created_at": "2026-04-10T22:19:14.244Z"
},
{
"id": 37,
"task_id": "T02",
"slice_id": "S03",
"milestone_id": "M011",
"command": "cd job-tracker-ui && npm run build",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T22:19:14.244Z"
},
{
"id": 38,
"task_id": "T03",
"slice_id": "S03",
"milestone_id": "M011",
"command": "cd job-tracker-ui && CI=true npm test -- --runInBand --watch=false src/daily-control-loop.test.tsx src/login-page.test.tsx src/profile-page.test.tsx",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 18627,
"created_at": "2026-04-10T22:19:33.191Z"
},
{
"id": 39,
"task_id": "T03",
"slice_id": "S03",
"milestone_id": "M011",
"command": "cd job-tracker-ui && npm run build",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T22:19:33.191Z"
},
{
"id": 40,
"task_id": "T03",
"slice_id": "S03",
"milestone_id": "M011",
"command": "Browser verification: with only the frontend running, navigating to http://localhost:3001/jobs showed 'Unable to load jobs' and 'The jobs list cannot reach the API right now.' instead of an empty jobs state.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T22:19:33.191Z"
},
{
"id": 41,
"task_id": "T03",
"slice_id": "S03",
"milestone_id": "M011",
"command": "Browser verification: after the API auth surface was reachable again, navigating to http://localhost:3001/login showed the normal sign-in UI and remember-me controls.",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T22:19:33.191Z"
},
{
"id": 42,
"task_id": "T01",
"slice_id": "S04",
"milestone_id": "M011",
"command": "rg -n \"AddHostedService|Migrate\\(|Ensure|RuleSettings|UserRuleSettings|JobApplications|Auth:|UseCors|UseRateLimiter|UseAuthentication|UseAuthorization\" JobTrackerApi/Program.cs JobTrackerApi/Services -S",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T22:33:06.539Z"
},
{
"id": 43,
"task_id": "T02",
"slice_id": "S04",
"milestone_id": "M011",
"command": "dotnet build JobTrackerApi/JobTrackerApi.csproj",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 2750,
"created_at": "2026-04-10T22:44:02.945Z"
},
{
"id": 44,
"task_id": "T02",
"slice_id": "S04",
"milestone_id": "M011",
"command": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter AuthAndSystemControllerTests",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 172,
"created_at": "2026-04-10T22:44:02.945Z"
},
{
"id": 45,
"task_id": "T02",
"slice_id": "S04",
"milestone_id": "M011",
"command": "ASPNETCORE_ENVIRONMENT=Development ASPNETCORE_URLS=http://localhost:5202 dotnet run --project JobTrackerApi/JobTrackerApi.csproj",
"exit_code": 0,
"verdict": "✅ ready",
"duration_ms": 9000,
"created_at": "2026-04-10T22:44:02.945Z"
},
{
"id": 46,
"task_id": "T03",
"slice_id": "S04",
"milestone_id": "M011",
"command": "dotnet build JobTrackerApi/JobTrackerApi.csproj",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 2750,
"created_at": "2026-04-10T22:44:23.635Z"
},
{
"id": 47,
"task_id": "T03",
"slice_id": "S04",
"milestone_id": "M011",
"command": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter AuthAndSystemControllerTests",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 172,
"created_at": "2026-04-10T22:44:23.635Z"
},
{
"id": 48,
"task_id": "T03",
"slice_id": "S04",
"milestone_id": "M011",
"command": "GET http://localhost:5202/api/auth/config",
"exit_code": 200,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T22:44:23.635Z"
},
{
"id": 49,
"task_id": "T03",
"slice_id": "S04",
"milestone_id": "M011",
"command": "GET http://localhost:5202/api/auth/me",
"exit_code": 401,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T22:44:23.635Z"
},
{
"id": 50,
"task_id": "T01",
"slice_id": "S05",
"milestone_id": "M011",
"command": "rg -n \"\\[Authorize|\\[AllowAnonymous|IFormFile|PhysicalFile|client-errors|backup|export|avatar\" JobTrackerApi/Controllers JobTrackerApi.Tests -S",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T22:56:09.918Z"
},
{
"id": 51,
"task_id": "T02",
"slice_id": "S05",
"milestone_id": "M011",
"command": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AttachmentsControllerTests|FullyQualifiedName~BackupControllerTests|FullyQualifiedName~ClientErrorsControllerTests|FullyQualifiedName~AuthAndSystemControllerTests\"",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 825,
"created_at": "2026-04-10T22:59:48.937Z"
},
{
"id": 52,
"task_id": "T02",
"slice_id": "S05",
"milestone_id": "M011",
"command": "dotnet build JobTrackerApi/JobTrackerApi.csproj",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 7920,
"created_at": "2026-04-10T22:59:48.937Z"
},
{
"id": 53,
"task_id": "T03",
"slice_id": "S05",
"milestone_id": "M011",
"command": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AttachmentsControllerTests|FullyQualifiedName~BackupControllerTests|FullyQualifiedName~ClientErrorsControllerTests|FullyQualifiedName~AuthAndSystemControllerTests\"",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 825,
"created_at": "2026-04-10T23:00:30.313Z"
},
{
"id": 54,
"task_id": "T03",
"slice_id": "S05",
"milestone_id": "M011",
"command": "dotnet build JobTrackerApi/JobTrackerApi.csproj",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 7920,
"created_at": "2026-04-10T23:00:30.313Z"
},
{
"id": 55,
"task_id": "T03",
"slice_id": "S05",
"milestone_id": "M011",
"command": "GET http://localhost:5202/api/export/jobs",
"exit_code": 401,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T23:00:30.313Z"
},
{
"id": 56,
"task_id": "T03",
"slice_id": "S05",
"milestone_id": "M011",
"command": "POST http://localhost:5202/api/backup/encrypted",
"exit_code": 401,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T23:00:30.313Z"
},
{
"id": 57,
"task_id": "T03",
"slice_id": "S05",
"milestone_id": "M011",
"command": "GET http://localhost:5202/api/attachments/1",
"exit_code": 401,
"verdict": "✅ pass",
"duration_ms": 0,
"created_at": "2026-04-10T23:00:30.313Z"
},
{
"id": 58,
"task_id": "T03",
"slice_id": "S05",
"milestone_id": "M011",
"command": "POST http://localhost:5202/api/client-errors",
"exit_code": 401,
"verdict": "✅ observed-constraint",
"duration_ms": 0,
"created_at": "2026-04-10T23:00:30.313Z"
},
{
"id": 59,
"task_id": "T01",
"slice_id": "S06",
"milestone_id": "M011",
"command": "rg -n \"OLLAMA|SKIP_MODEL_LOAD|/health|/summarize|/extract-text|RunProbeAsync|GetMetricsAsync|LastError|Probe\" tools/summarizer JobTrackerApi/Services JobTrackerApi.Tests -S",
"exit_code": -1,
"verdict": "unknown (coerced from string)",
"duration_ms": 0,
"created_at": "2026-04-10T23:20:01.927Z"
},
{
"id": 60,
"task_id": "T02",
"slice_id": "S06",
"milestone_id": "M011",
"command": "cd tools/summarizer && ./scripts/bootstrap-and-test.sh test",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 3090,
"created_at": "2026-04-10T23:24:03.785Z"
},
{
"id": 61,
"task_id": "T02",
"slice_id": "S06",
"milestone_id": "M011",
"command": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 171,
"created_at": "2026-04-10T23:24:03.785Z"
},
{
"id": 62,
"task_id": "T02",
"slice_id": "S06",
"milestone_id": "M011",
"command": "dotnet build JobTrackerApi/JobTrackerApi.csproj",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 3680,
"created_at": "2026-04-10T23:24:03.785Z"
},
{
"id": 63,
"task_id": "T03",
"slice_id": "S06",
"milestone_id": "M011",
"command": "cd tools/summarizer && ./scripts/bootstrap-and-test.sh test",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 3090,
"created_at": "2026-04-10T23:24:23.066Z"
},
{
"id": 64,
"task_id": "T03",
"slice_id": "S06",
"milestone_id": "M011",
"command": "dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter \"FullyQualifiedName~AuthAndSystemControllerTests|FullyQualifiedName~ProductionConfigTests|FullyQualifiedName~OwnershipGuardTests\"",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 171,
"created_at": "2026-04-10T23:24:23.066Z"
},
{
"id": 65,
"task_id": "T03",
"slice_id": "S06",
"milestone_id": "M011",
"command": "dotnet build JobTrackerApi/JobTrackerApi.csproj",
"exit_code": 0,
"verdict": "✅ pass",
"duration_ms": 3680,
"created_at": "2026-04-10T23:24:23.066Z"
}
]
}
Reference in New Issue View Git Blame Copy Permalink