Commit Graph

471 Commits

Author SHA1 Message Date
Дмитрий bcdcca01a5 fix(graph): T1 hardening — localStorage try/catch + rAF throttle on redraw
После T1 code-quality review: 2 Important issues из spec §9 mitigation list. (1) try/catch обернул read/write localStorage — в Edge InPrivate / quota-exceeded не падает, fallback на default 300. (2) network.redraw() rAF-throttled через redrawScheduled flag — устраняет potential jank при fast drag на медленном hardware (mousemove может fire'ить >60Hz).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 12:22:52 +03:00
Дмитрий 97da018724 feat(graph): resize handle 300-900px + localStorage
Drag-handle 6px на левой границе #legend-panel (cursor:col-resize, hover-bg #0d4a5a), JS-обработчики mousedown/mousemove/mouseup, clamp [300, 900]px, сохранение ширины в localStorage ключ liderra-map-legend-width, restoration on DOMContentLoaded. После каждого resize вызывается network.redraw() для пересчёта vis.js canvas. Iter2 spec §2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 12:17:08 +03:00
Дмитрий abaeebbde6 docs(plan): automation-graph iter2 — 10 atomic tasks (7 parallel-safe + 3 sequential)
Tasks 1-7 (parallel-safe через dispatching-parallel-agents): T1 resize handle CSS+JS+localStorage, T2-T5 text rewrite groups A/B/C/D (9+21+18+25=73 nodes по Style Guide), T6 CONFLICT_TYPES enum + 2 new  edges + reclassify 6, T7 EDGE_DETAILS data (74 entries). Tasks 8-10 (sequential): T8 edge legend render + click handler (depends T7), T9 3-color render + sort + footer (depends T6), T10 visual smoke + push.

Test strategy для single-file HTML без unit-tests: 3-уровневая verification (Level 1 — Node.js syntax check per Edit, Level 2 — lefthook pre-commit gauntlet per commit, Level 3 — manual visual smoke в Edge browser). Pre-push: gitleaks full-history + lychee. Self-review pass: spec coverage 100%, no placeholders, no type drift.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 12:12:33 +03:00
Дмитрий c18cc93c78 chore(cspell): +2 words for automation-graph iter2 plan
qitem + skreview — фрагменты идентификаторов узлов карты (sk_qitem, ag_skreview); cspell токенизирует по `_` и видит их как unknown words. Упомянуты в plan-файле как ссылки на task'и/инструменты. Iter2 plan reference.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 12:12:21 +03:00
Дмитрий f936944237 docs(spec): automation-graph iter2 — resize + simple-language + 3-color conflicts + edge legend
4 improvements after iter1 ride-out: drag-handle resize 300-900px + localStorage; rewrite 73 nodes to plain language with Style Guide; reclassify 8 conflicts as 🔴 not-closed /  practice-observed / 🟢 closed-by-rule; new 7-field edge legend (source/target/relation-type/trigger/transfers/mandatory/regulation).

Parallel execution strategy: Phase 2 dispatches 6 subagents (P1 resize, P2-P5 text rewrite by category, P6 conflict types + EDGE_DETAILS) returning raw JS blocks; Phase 3 main agent applies 12 atomic Edits in sequence → 11 atomic commits total.

Through superpowers:brainstorming 4-clarifying-question cycle (text scope / conflict classification / resize UX / edge legend fields), all options chosen by Дмитрий explicitly. Self-review pass; no placeholders, no contradictions, 0 open questions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 10:29:40 +03:00
Дмитрий 8e75951edc chore(cspell): +3 words for automation-graph iter2 spec
зарелизен + отрефакторен (русифицированные tech-термины «released» / «refactored»; используются в iter2 spec §0 Context); cdesc (CSS class из docs/automation-graph.html .conflict-item .cdesc, ссылка в iter2 spec §4.3 renderer changes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 10:29:28 +03:00
Дмитрий b73ddaaedd docs(a11y): authenticated rescan baseline + findings (21/21 passing)
Final state docs after a11y rescan session:

- docs/audit-baseline-pa11y.md: «Authenticated rescan 2026-05-14» section
  added (14 new URLs, all 21 passing). Old «out of scope для первой
  baseline» section marked SUPERSEDED. Per-pattern fix table with file
  references + ignored selector rationale. axe-core cross-validation
  results documented (only DevIndexBadge dev-only remains).

- docs/superpowers/audits/2026-05-14-a11y-rescan-findings.md (new):
  Full audit findings doc — TL;DR, scope expansion table, per-pattern
  root cause + fix sections (A-H), axe-core cross-validation, метрики
  до/после, verdict 🟢 GREEN.

Regression sweep:
- Pa11y: 21/21 URLs passed
- Vitest: 91 files / 736 passed / 3 skipped / 0 failed
- Pest --parallel: 742/739/3sk/0
- Vite build: ~2s
- gitleaks: 0 leaks / 457 commits / 12.72 MB
- lychee: 345 OK / 0 errors / 457 total
- markdownlint: 0 errors (after auto-fix)
- cspell: 0 issues

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 10:08:08 +03:00
Дмитрий e39a42cfdf fix(a11y): admin search inputs — add label prop for accessible name (Pattern H)
A11y rescan Pattern H — Vuetify <v-text-field> без `label` prop рендерит
empty `<label id="input-v-NN-label">` (referenced via aria-labelledby).
Pa11y/axe видит unlabelled input на /admin/billing (search «Поиск по
названию или ИНН») и /admin/system (search «Поиск по ключу или описанию»).

Initial naive fix добавил `aria-label="..."` — но ARIA priority говорит
aria-labelledby overrides aria-label, поэтому осталось violation.

Final fix: add `label="Поиск"` prop on VTextField. Vuetify рендерит
floating label с правильным accessible text → axe-core resolves через
aria-labelledby chain successfully. Placeholder сохранён (split: «Поиск»
теперь в label, «по названию или ИНН» / «по ключу или описанию» —
placeholder).

Files:
- AdminBillingView.vue:209-217
- AdminSystemView.vue:130-138

Closes Pa11y «label» violations на 2 admin URLs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 10:07:48 +03:00
Дмитрий 398f6bcf5a fix(a11y): Vuetify tonal alert/chip + text-warning contrast overrides (Patterns C+D+E)
A11y rescan Patterns C+D+E — Vuetify default theme colours для tonal-variant
.v-alert .v-alert__content (4.18:1) и tonal .v-chip__content (success 4.25:1
/ warning 2.25:1), плюс `.text-warning` utility used в count badges (2.03:1
на ivory) — все ниже WCAG 2.1 AA 4.5:1.

Global CSS overrides in app/resources/css/app.css:

Pattern C — alert tonal content (2 URLs: billing, admin/system):
  .v-alert--variant-tonal .v-alert__content {
      color: #0a0700;   /* near-black, 16:1 on ivory */
  }

Pattern D — chip tonal success/warning content (4 URLs: billing,
admin/{tenants,billing,incidents,system}):
  .v-chip--variant-tonal.bg-success .v-chip__content { color: #1f5e3a }
  .v-chip--variant-tonal.bg-warning .v-chip__content { color: #6a4504 }

Pattern E — .text-warning utility (2 URLs: admin/billing «5», admin/incidents
«1»). Critical specificity fix: Vuetify defines selector as
`.v-theme--liderraForest .text-warning { color: rgb(var(--v-theme-warning))
!important }` (specificity 0,2,0 + !important). Naive `.text-warning
!important` (0,1,0) loses on specificity even with !important. Match Vuetify
selector exactly so override wins on cascade order (loaded after Vuetify CSS):

  .v-theme--liderraForest .text-warning,
  .v-theme--liderraForest.text-warning,
  .text-warning {
      color: #6a4504 !important;
  }

Closes 4+11+2 = 17 color-contrast violations across 5 distinct URLs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 10:07:35 +03:00
Дмитрий 6387706be6 fix(a11y): .sep dot separator contrast 2.92:1 → 5.33:1 (Pattern B)
A11y rescan Pattern B — scoped CSS `.sep { color: #92907b; }` повторяется
в 8 компонентах (page-stats / page-meta / hero-meta containers с точкой-
разделителем `·`). На ivory page background #f6f3ec даёт contrast
2.92:1, ниже WCAG 2.1 AA 4.5:1 threshold.

Fix: #92907b → #6b6356 — same warm-grey hue, darker tone, gives
5.33:1 contrast. 8 files:

- views/{DealsView,BillingView,KanbanView,ReportsView}.vue
- components/dashboard/DashboardPageHead.vue
- components/deals/DealDetailHero.vue
- components/admin/tenants/TenantsStatsHeader.vue
- components/admin/tenant-detail/TenantDetailHeader.vue

Closes Pa11y «color-contrast» violations на /dashboard /billing /reports
(8 .sep elements total flagged).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 10:07:11 +03:00
Дмитрий 667befde96 fix(a11y): add aria-label to mobile nav-icon button (closes Pattern A)
A11y rescan Pattern A — Vuetify <v-app-bar-nav-icon class="d-md-none">
без accessible name. Pa11y/axe видит button в DOM даже на desktop где
он hidden via CSS — флагает «button-name» violation на 9 AppLayout views
(/dashboard, /deals, /kanban, /projects, /billing, /settings, /reports,
/reminders, /admin/tenants).

Fix: AppTopbar.vue:90-94 — `aria-label="Открыть меню навигации"`.

Closes 9 of 14 authenticated routes' a11y violations (down 14→5 affected
URLs after this commit).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 10:06:52 +03:00
Дмитрий 35387e8b17 feat(a11y): extend Pa11y scope to 14 authenticated routes + Vuetify hideElements
pa11y.config.json теперь covers 21 URLs (7 guest + 14 authenticated).

Authenticated URLs использует per-URL actions login flow:
1. navigate to /login
2. fill input[autocomplete="email"] = admin@demo.local (DemoSeeder)
3. fill input[autocomplete="current-password"] = password
4. click button[type="submit"]
5. wait for path /dashboard
6. navigate to target URL + wait path

14 routes added: /dashboard, /deals, /kanban, /projects, /billing, /settings,
/reports, /reminders, /admin/{tenants,billing,incidents,system,pricing-tiers,
supplier-prices}.

hideElements extended:
- select[hidden] — Vuetify VSelect рендерит hidden native <select> для
  form-submission compatibility (не visible UX, screenreader skip).
- input[aria-controls^="menu-v-"] — Vuetify VDataTable items-per-page
  combobox с aria-labelledby chain issue (Vuetify-internal pattern).

timeout 30000 → 60000ms, wait 1500 → 2000ms — accommodate Vue SPA async
hydration после login flow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 10:06:40 +03:00
Дмитрий a650484b11 docs(plan): A11y rescan — live portal authenticated routes
11-task plan для повторного a11y-аудита: extend Pa11y от 7 guest URLs к 21
URLs (включая 14 authenticated через per-URL actions login flow), + axe-core
cross-validation via Playwright MCP, + inline fixes для real prod findings.

Closes Audit #3 Phase 7 «authenticated pages out of scope» clause per
explicit user request «Pa11y был настроен на старые HTML-эскизы, проведи
повторно аудит в этой части, чтобы он проверил реальный портал».

Plan: docs/superpowers/plans/2026-05-14-a11y-rescan-live-portal.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 10:06:19 +03:00
Дмитрий 54ee37c54e feat(graph): physics off by default + buttons restore radial layout + smooth continuous 2026-05-14 09:23:46 +03:00
Дмитрий d75b3b85d3 feat(graph): radial-sector layout — 6 колец × 4 сектора (workflow/UI/infra/data) 2026-05-14 09:22:45 +03:00
Дмитрий 0da8dbf042 feat(graph): when+limits content for memory files (15) — all 73 nodes done 2026-05-14 09:20:54 +03:00
Дмитрий a19bee28be feat(graph): when+limits content for lefthook jobs (10) 2026-05-14 09:19:38 +03:00
Дмитрий 0634426c30 feat(graph): when+limits content for MCP servers (7) 2026-05-14 09:18:45 +03:00
Дмитрий ee958f884a feat(graph): when+limits content for hooks (5) + agents (11) 2026-05-14 09:17:37 +03:00
Дмитрий 2b38e7be32 feat(graph): when+limits content for skills (14 SP + 2 проектных) 2026-05-14 09:16:02 +03:00
Дмитрий 413803e569 feat(graph): when+limits content for rules + plugins (9 nodes) 2026-05-14 09:14:10 +03:00
Дмитрий 1a7cd90c32 feat(graph): nd() helper supports when+limits fields; showLegend renders them 2026-05-14 09:10:57 +03:00
Дмитрий 40b437ccb7 feat(graph): legend panel — add «Когда используется» and «Ограничения» sections 2026-05-14 09:10:15 +03:00
Дмитрий aa258e1ad0 fix(graph): remove edge labels from canvas, move to hover tooltips 2026-05-14 09:09:42 +03:00
Дмитрий 5c2556b73f fix(graph): canvas rendering artifacts — explicit canvas bg + remove hideEdgesOnDrag 2026-05-14 09:09:01 +03:00
Дмитрий e3974482a9 docs(plan): automation-graph refactor — 10 atomic tasks
Implementation plan для spec 2026-05-14-automation-graph-refactor-design.md.
10 tasks, каждый = 1 коммит, в порядке:
1. canvas rendering fix
2. edge labels → tooltips
3. HTML legend sections (когда + ограничения)
4. nd() helper signature + render
5a-5f. when+limits content для 73 узлов (rules+plugins / skills / hooks+agents / MCP / lefthook / memory)
6. radial-sector positioning (ring + sectorAngle на 73 NODES + pos() helper)
7. physics off + button handlers + smooth continuous
8. final smoke + data integrity check

Self-review: spec coverage , no placeholders , type consistency ,
backward-compat nd() handler в Task 4 (for intermediate state).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 09:05:21 +03:00
Дмитрий b747880ddc docs(spec): automation-graph refactor — 4 fixes (фон / подписи / радиальная иерархия / when+limits)
Дизайн рефакторинга docs/automation-graph.html после визуальной проверки
коммита 7ee78a9:
- canvas background на самом canvas + удаление hideEdgesOnDrag (artifacts)
- удаление labels с edges, переход на title-tooltip + legend section
- radial-sector layout: 6 колец × 4 функциональных сектора, physics off
- 2 новые секции легенды: «Когда используется» + «Ограничения»

cspell: +mgmt (валидный идентификатор узла claude_md_mgmt)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 08:55:32 +03:00
Дмитрий ae20033652 docs(claude.md): v1.92 → v1.93 — sync schema header drift 62→63 (Audit #3 P2)
Tail closure of Audit #3 P2 «schema.sql header drift» finding. Schema
source-of-truth was already updated in commit e746b3c (db/schema.sql:4
header «62 базовые таблицы» → «63 (61 regular + 2 partitioned parents:
deals + supplier_lead_costs)»). This commit syncs three CLAUDE.md
references to match.

Touch points:
- Header version 1.92 → 1.93 + description of session
- §0 «Источник истины» row «Схема БД» — 62 → 63 baseline
- §2 «Стек проекта» БД row — 62 → 63 baseline
- §8 self-review triggers row `db/schema.sql` — 62 → 63 baseline
- §9 history — new v1.93 entry summarising 5-commit sprint
  (8ba9c55..c524227), closure tally (1 P1 + 7 P2 + 4 P3), and regression
  check (Pest 742/739/3sk/0, Vitest 91f/736/3sk/0, gitleaks 0/442,
  lychee 325/0).

Via `/claude-md-management:claude-md-improver` per CLAUDE.md §5 п.10
(only sanctioned channel for direct CLAUDE.md edits).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 08:47:42 +03:00
Дмитрий c5242271d7 chore(p3): close P3 tooling and structural mini-fixes
Closes Audit #3 P3 batch.

Changes:

1. **knip.config.ts cleanup** — remove 4 stale config hints flagged in
   Audit #3 Phase 1B (`ignore: tests/**` redundant since `project` is
   `resources/js/**`; `ignoreDependencies` for vitest/@vue/test-utils/jsdom
   redundant since knip auto-detects test frameworks). Add `histoire.config.ts`
   + `resources/js/histoire.setup.ts` to entry — closes 2 documented FPs
   (histoire.setup.ts + @histoire/plugin-vue unused-flag). Verified:
   `npx knip` exits 0 clean.

2. **Admin table actions column header label** — change `title: ''` →
   `title: 'Действия'` in:
   - TenantsTable.vue (actions column, /admin/tenants)
   - AdminSupplierPricesView.vue (actions column, /admin/supplier-prices)
   Closes axe-core `empty-table-header` violation seen in Audit #3 Phase 7
   on /admin/tenants. Header is now visible in UI (better UX than sr-only
   sleight-of-hand).

3. **npm overrides for lodash** in `package.json` — pin `pa11y-ci > lodash`
   to ^4.17.21. Verified: `npm ls lodash` resolves to lodash@4.17.23 (latest
   4.x; CVE-2021-23337 + GHSA-f23m patched in <4.17.21, our version is above
   that). npm audit may still surface advisory ranges as informational.

4. **Decision doc for pgFormatter (Q.HARD.002)** — explicit FIX-DEFER with
   3-hypothesis comparison (Strawberry Perl install vs sqlfluff replacement
   vs Docker pg_format vs drop SQL formatting). Decision: drop automated
   SQL formatting until Б-1 closure; squawk (linter) covers correctness.
   Addendum: axe-core .v-overlay-container region landmark — no permanent
   axe-core test setup exists, so no whitelist needed at this point.

Verification:
- knip: 0 issues
- vue-tsc: 0 errors
- ESLint: 0 errors
- Vitest: 91 files / 736 passed / 3 skipped (no regressions)
- Vite build: 2.03s

Plan: docs/superpowers/plans/2026-05-14-audit3-deferred-fixes.md Task 4.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 08:38:51 +03:00
Дмитрий c5c0e76950 test(coverage): close F-COV-01/02/03 — ReminderDialog + AdminLayout + api/admin
Closes Audit #2+#3 P2 carryforward triplet (low-coverage files at risk
of silent regression).

Coverage results (Vitest --coverage --coverage.include per-file):

| File | Stmts before | Stmts now | Δ |
|---|---|---|---|
| ReminderDialog.vue | 0% | 95.38% | +95 pp |
| AdminLayout.vue | 9.09% | 95.45% | +86 pp |
| api/admin.ts | 11.53% | 100% | +88 pp |

Branches/Funcs deltas (subagent reports):
- ReminderDialog: Branch 0→97.56%, Funcs 0→85.71%, Lines 0→96.61%
- AdminLayout: Branch 0→90%, Funcs 0→90%, Lines 9.09→94.73%
- api/admin: Branch 0→100%, Funcs 27.27→100%, Lines 11.53→100%

Approach: TDD via @vue/test-utils + Vuetify global plugin + vi.mock for
store/api. Three parallel subagents (general-purpose), each focused on
single target — no production code changes, only test infrastructure.

Coverage areas:
- ReminderDialog (19 specs): rendering, watch(dialogOpen) populate/reset,
  submit create-mode happy + 3 errors, submit edit-mode happy + 1 error,
  cancel, common validation paths
- AdminLayout (16 specs): brand block, 5 nav items, count badges (142/3),
  breadcrumb per route (5 cases + fallback), userInitials computed (4
  cases incl. fallback), userShortName (4 cases), handleLogout call-order,
  active state, aria-label
- api/admin (18 specs): 11 exported functions × happy-path; 2 encodeURI
  edge cases; 4 ensureCsrfCookie call-order verifications via
  invocationCallOrder; 2 error-propagation tests

Verification (full sweep after merge):
- Vitest: 91 files / 736 passed / 3 skipped / 0 failed (+3 files, +53 specs
  from Audit #3 baseline 88/683/3sk)
- Pest --parallel: 742/739/3sk/0 (identical to baseline, 0 regressions)
- Vite build: 2.03s
- vue-tsc: 0 errors
- ESLint: 0 errors

Plan: docs/superpowers/plans/2026-05-14-audit3-deferred-fixes.md Task 3.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 08:37:26 +03:00
Дмитрий e746b3c9a4 chore(cleanup): dead code removal + DemoSeeder env-conditional + schema header drift
Closes Audit #3 P2 batch (knip dead exports/components, DemoSeeder
hygiene, schema header drift).

- Remove app/resources/js/views/admin/AdminPlaceholderView.vue
  (unreferenced placeholder view — confirmed via repo-wide grep, only
  doc references remain)
- npm uninstall concurrently (no script invoked it; --legacy-peer-deps
  for Histoire 1.0-beta.1 peerDep quirk)
- 12 unused exports → internal types (remove `export` keyword):
  - api/admin.ts: AdminTenantsStats, ApiTenantMetrics,
    ApiAdminBillingSummary, ApiAdminIncidentsSummary
  - api/notifications.ts: NotificationEvent
  - api/reports.ts: ApiReportType, ApiReportFormat, ApiReportParameters,
    ReportCounts, ReportQuota
  - composables/mockBilling.ts: TxType
  - composables/useStatusPill.ts: StatusPillSlug
  All 12 are used INSIDE their own file (response shapes), just not
  exported externally — converting to internal types satisfies knip
  without losing type-checking inside the file.
- DatabaseSeeder::run() — DemoSeeder runs only in local+testing envs
  (`migrate:fresh --seed` in dev now produces demo tenant + admin@demo.local
  + 3 projects + ~14 demo deals; prod environments skip)
- db/schema.sql header line 4: «62 базовые таблицы» → «63 базовые
  таблицы (61 regular + 2 partitioned parents: deals + supplier_lead_costs)»
  Closes schema header drift finding from Phase 3.

Verification:
- vue-tsc --noEmit: 0 errors
- ESLint on touched files: 0 errors
- Pest --parallel: 742/739/3sk/0 failed (identical to baseline, no regressions)
- 2243 assertions / 34.46s

Plan: docs/superpowers/plans/2026-05-14-audit3-deferred-fixes.md Task 2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 08:28:44 +03:00
Дмитрий 0c36b7a28d feat(a11y): migrate Pa11y scope from handoff prototypes to live Vue app
Closes Audit #3 sole P1 (F-A11Y-PA11Y-SCOPE-01).

Pa11y was scanning handoff HTML prototypes from liderra_v8_handoff/concepts/
(3 URLs, ~10 contrast violations), NOT the live Vue app. Audit #2 baseline
"0 errors" was inaccurate — real portal was never covered.

Changes:
- pa11y.config.json: now targets http://localhost:8000/<route> for 7 guest
  pages (login, register, forgot, 2fa, recovery, 403, 500)
- pa11y-handoff.config.json: preserves historical handoff baseline as
  opt-in (`npm run a11y:handoff`)
- package.json: new `a11y:handoff` script; `a11y` repointed to live target
- RecoveryCodesView.vue: scoped CSS override fixes Vuetify warning-tonal
  alert content contrast (2.03:1 → ≥4.5:1, color #0a0700 per Pa11y rec)
- .github/workflows/a11y.yml: new CI job with dev-server lifecycle
  (php artisan serve + curl wait-on + Pa11y + screenshot artifact upload)
- docs/audit-baseline-pa11y.md: first live baseline document with per-URL
  status, ignore selectors rationale, re-run instructions

Local verification:
- npm run a11y: 7/7 URLs passed (0 violations)
- vue-tsc: 0 errors
- ESLint: 0 errors
- Vitest: 88 files / 683 passed / 3 skipped / 0 failed (no regressions)

Plan: docs/superpowers/plans/2026-05-14-audit3-deferred-fixes.md Task 1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 08:25:14 +03:00
Дмитрий 8ba9c55724 docs(plan): Audit #3 deferred fixes sprint plan
25 deferred findings (1 P1 + 11 P2 + 14 P3) → 4 task batches:

1. P1 Pa11y scope migration to live Vue app
2. P2 dead code + dev hygiene (knip findings + DemoSeeder + schema header)
3. P2 coverage debt (ReminderDialog + AdminLayout + api/admin via TDD)
4. P3 tooling + structural mini-fixes

Plan: docs/superpowers/plans/2026-05-14-audit3-deferred-fixes.md
Source audit: docs/superpowers/audits/2026-05-14-portal-full-audit-report.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 08:24:49 +03:00
Дмитрий f9d2452386 docs(audit): finalize portal full audit #3 — report (2026-05-14) 2026-05-14 07:52:27 +03:00
Дмитрий 301334c288 docs(audit): Phase 14 final regression (audit #3) 2026-05-14 07:46:56 +03:00
Дмитрий abb8a5135e docs(audit): Phase 13 categorization + fix decisions (audit #3)
Final audit rollup: 0 P0 / 1 P1 / 11 P2 / 14 P3 (26 total).

Pa11y P1 decision: FIX-DEFER with concrete migration plan
(6 acceptance criteria + 60-120 min estimate). Decision driven by
3-hypothesis analysis: (1) config-only swap surfaces new live-app
violations (color-contrast on DevIndexBadge, region landmarks),
(2) additive both-kept keeps handoff failures blocking CI,
(3) deferred migration with proper sprint task is cleanest path.
Both decision-matrix triggers from brief apply: risk of new
failures without follow-up plan + new CI infra requirement
(live dev server lifecycle).

Carryforward audit: 9 items still open from Audit #2 (all
P2/P3, no regressions). 11 Audit #2 items verified closed in
this audit (bf84568 aria fix, CTO-19 Lucide, Q.DEFER.001-004,
quirks #62/#72/#80, cron, RUNBOOK.md).

FIX-NOW this session: 0 commits (Pa11y deferred per matrix).
FIX-NOW earlier in audit: 1 commit (823da29 cspell inline).
FIX-DEFER documented: 25.
BLOCKED: 0.

Verdict: GREEN — 0 P0, sole P1 is methodology audit-fidelity gap
(Pa11y declared but not exercised against live code); axe-core
via Playwright in Phase 7 provides actual a11y coverage with 0
real prod issues against DevIndexBadge temp feature.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 07:38:25 +03:00
Дмитрий 4b4705295c docs(audit): Phase 10-12 pre-prod/TODO/untracked findings (audit #3) 2026-05-14 07:34:35 +03:00
Дмитрий 9d27783729 docs: commit untracked plan files + parse-bundle-analyze.mjs (audit #3) 2026-05-14 07:29:47 +03:00
Дмитрий 51664a0aa4 docs(audit): Phase 9 bundle analyzer delta (audit #3) 2026-05-14 07:27:36 +03:00
Дмитрий ad89473331 docs(audit): Phase 8 coverage targeted (audit #3) 2026-05-14 07:24:12 +03:00
Дмитрий 8fa545e113 docs(audit): Phase 7 a11y targeted Pa11y+axe-core (audit #3) 2026-05-14 07:20:49 +03:00
Дмитрий 8ec7a8c116 docs(audit): Phase 6 cross-doc integrity findings (audit #3) 2026-05-14 07:14:59 +03:00
Дмитрий 1f43beacc3 docs(audit): Phase 5 UI smoke 22-view Playwright sweep (audit #3) 2026-05-14 07:12:48 +03:00
Дмитрий 9e2914a72d docs(audit): Phase 4 security findings (audit #3)
CI workflows: 3 (sast/dependency-check/trivy), unchanged from Audit #2.
gitleaks delta (9e175a1..HEAD): 0 leaks / 18 commits.
gitleaks full history: 0 leaks / 426 commits.
gitleaks no-git app/: 1847 matches all in gitignored vendor/ +
phpstan-cache; P2: GITHUB_TOKEN env var captured in gitignored
nette DI container cache (not in git history, mitigations in place);
P3: generic-api-key FPs in phpstan.phar / cache suggest gitleaks.toml.
cspell-words.txt +3: nette, phar, serialises.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 06:29:31 +03:00
Дмитрий 93a3c667e0 docs(audit): Phase 3 schema integrity findings (audit #3)
Query results A-G: root_tables=63 (61r+2p), partitions=12,
indexes=289, RLS=39, functions=5 (correct names), triggers=13
logical/19 total, orphan_FK=0. One P2 finding: schema.sql v8.20
header "62 базовые таблицы" drift → actual 63 (deals +
supplier_lead_costs both partitioned parents). All invariants
RLS/functions/orphan-FK pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 06:23:25 +03:00
Дмитрий af97885266 docs(audit): Phase 2 test suite findings (audit #3)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 06:19:50 +03:00
Дмитрий 4a5ecb085a docs(audit): Phase 1D SQL static analysis + Phase 1 итог (audit #3)
squawk v2.51.0 — 0 issues (bin\squawk.exe db/schema.sql, exit 0).
pgFormatter — N/A (perl not in PATH, known Q.HARD.002 carryforward).
Phase 1 combined итог: P0=0 P1=0 P2=4 P3=2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 06:13:04 +03:00
Дмитрий 823da293de docs(audit): Phase 1C docs static analysis findings + cspell words (audit #3)
markdownlint=0, cspell=0 (+3 words: shapkas/SUT/SUT's), lychee=318 OK/0 errors.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 06:09:29 +03:00
Дмитрий 362af8c981 docs(audit): Phase 1B frontend static analysis findings (audit #3) 2026-05-14 06:06:54 +03:00
Дмитрий 85d79499e9 docs(audit): Phase 0 addendum + Phase 1A backend static analysis (audit #3)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 06:02:45 +03:00