Matt
7675a26889
Closes out the dep-upgrade session by laying out the path from "deps done" → "audit-clean codebase." Maps the 534 findings in AUDIT-2026-05-12.md to concrete waves with file pointers, effort estimates, and acceptance criteria. Wave 1 — Stop-ship CRITICALs: db:migrate runner, EMAIL_REDIRECT_TO prod guard, orphan-blob fix, escape URLs in templates, replace window.confirm calls, GDPR export completeness, right-to-be-forgotten true erase, FK + onDelete on permission_overrides, resolve-identifier hardening. Wave 2 — HIGH security/observability: PII masking in audit_logs, webhook→error pipeline, admin email template subject editor wire-up, PII redaction in error pipeline, notification email worker XSS. Wave 3 — React Compiler set-state-in-effect cleanup (~41 sites). Two migration patterns from this session as templates. Wave 4 — UI/UX consistency + a11y. Wave 5 — Concurrency + Postgres FTS perf. Wave 6 — Email + Documenso depth. Wave 7 — Reporting + recommender quality. Wave 8 — Long tail (PDF, copy, onboarding, types, build). Also closes out major-version deferrals: Next 15→16 + Tailwind 3→4 now DONE; eslint 9→10 documented as upstream-blocked. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>