Priority Triage — Top 10 Before Next Pilot
Parent: Code Review Index
Purpose: The ten changes that, done in order, most improve pilot readiness. Use this as a rolling checklist.
Each row is the pointer to a full task block in the relevant section file.
| Rank | ID | One-line | Section | Impact | Cplx | Time |
|---|---|---|---|---|---|---|
| 1 | A1 | Close CORS (no more `allow_origins=["*"]`) | A. Security | H | L | 0.5 D |
| 2 | A2 | Gate all mutating routes with Cloudflare Access dependency | A. Security | H | M | 3–5 D |
| 3 | A3 + A4 | Remove user-supplied API keys and base_url; allowlist providers | A. Security | H | L | 2 D |
| 4 | A5 | Upload size/MIME/extension guards; sanitize filenames | A. Security | H | M | 2 D |
| 5 | B5 + E2 | Pin deps, commit lock file, CI installs from lock | B. Runtime | H | L | 1 D |
| 6 | B1 | Atomic-write + per-model lock on JSON stores | B. Runtime | H | M | 1 W |
| 7 | B2 | Move blocking CAD work off the event loop | B. Runtime | H | M | 1 W |
| 8 | D3 | App-level error boundary + toast with server request IDs | D. Frontend | H | L | 1 D |
| 9 | D2 | One typed API client; remove 27-site fetch duplication | D. Frontend | H | M | 1 W |
| 10 | F1 + F3 | Append-only activity log + snapshot schemaVersion discipline | F. Product Trust | H | M | 1–2 W |
Parallel Quick Wins (half a day each)
Drop in alongside the top 10 — they are zero-coordination.
- E1 — run the full pytest suite in CI
- E5 — clean `AGENTS.md` absolute paths
- E7 — fix corrupted `requirements_pythonocc.txt`
- B4 — real `/healthz` / `/readyz`
- G1 — PDF report header + footer with page numbers
- G2 — PDF cover identity block
Sequencing Notes
- A1 first — ten minutes of risk reduction; nothing depends on anything.
- A2 before B2/B3 — rate limits and threadpool sizing only matter when auth is enforced.
- B5 before E1 — don't expand CI against floating deps.
- B1 before F1 — the activity log must inherit the locking primitives.
- F3 (schemaVersion) before F2 (evidence pointers) and before the deeper PDF G-items that rely on stable payloads.
- D1 (Zustand) + D2 (React Query) as one coordinated migration, not two — splitting leads to a half-migrated UI.
Calendar Estimate
Assuming one engineer-equivalent working full-time and shipping incrementally behind a gated pilot:
- Week 1 — A1 + A2 + A3 + A4 + A5 (security close-the-door)
- Week 2 — B5 + E1 + E2 (reproducibility); B4 + B6 (ops hygiene)
- Week 3–4 — B1 + B2 (concurrency + event loop)
- Week 5 — D3 + D4 + D6 + E3 (frontend ground truth)
- Week 6–7 — D1 + D2 (store + API client)
- Week 8 — F3 (schema version)
- Week 9–10 — F1 (activity log) + F4 (rule_id on findings)
- Week 11 — G-series (PDF upgrades; 3-day minimum = G13+G1+G2+G4)
- Week 12 — F5 (regression harness) + F2 (evidence pointers) started
After this, the product can honestly make the claims in the Master Narrative and the USP document.