Самый важный слой: проверить, что нет утечек, слабых admin-путей, неподписанных webhooks, слишком широких RLS policies и опасных external URL flows.
Full System Audit Map
Чёткая карта того, что проверять, в каком порядке чинить, чем подтверждать и где не ломать текущую Mariachi-систему. Это не короткий список идей, а рабочая дорожная карта для последовательной проверки всего проекта.
Primary Phases
9
Release Gates
12
Priority Classes
P0/P1/P2
Deploy Rule
Test First
Dashboard
Where The Risk Is
P0 before release
P1 before growth
P2 polish
Stripe checkout, order creation, form submissions, Resend/Klaviyo delivery and Supabase inserts must fail safely and be testable end-to-end.
SPA meta injection, canonical URLs, sitemap, collection pages, product schema, FAQ schema and language rules are the main organic growth layer.
LCP, CLS, image dimensions, responsive images, video loading, unused JS and cache headers need a budget so the catalog stays fast on mobile.
Visual consistency, touch targets, contrast, form errors, hover behavior, responsive grids and modal focus must be verified against real viewport matrix.
Everything useful for future craft-brand starter must be documented: config, tokens, deploy wizard, reusable commerce/forms/admin patterns.
DoRead-only audit first
ThenFix P0 in slices
NextVerify test domain
OnlyProd with explicit OK
LogDEV-HISTORY
Specialist passes folded in
Actual Findings
P0 blockers
P1 deep work
P2 cleanup
Important
This section is the concrete audit payload. It intentionally avoids printing secret values, but it does name the files and systems that must be inspected, rotated, hardened or corrected.
P0 - no production promotion until resolved or explicitly risk-accepted
| Finding | Evidence area | Required gate |
|---|---|---|
| Secret-shaped values exist in tracked/local repo surfaces and backup/transcript artifacts. | scripts/full-backup.sh, Admin.tsx settings area, compacts/transcript JSONL, backup release flow | Inventory, revoke/rotate, remove literals, purge or protect history/releases/backups, add secret scanning. |
| Admin is a client-side password gate with direct browser Supabase CRUD/storage authority. | client/src/pages/Admin.tsx, client/src/lib/supabase.ts, RLS policy assumptions | Move admin to server-verified auth or Supabase Auth; destructive writes behind server-only endpoints. |
| Supabase anon key appears to have admin-like permissions for rugs/journal/bot history. | AGENTS RLS notes, Supabase client usage, Admin direct calls | Anon can read published public data and insert public form rows only; no destructive public CRUD. |
| Paid/action endpoints are unauthenticated and can burn vendor budget or perform privileged actions. | api/ai-image.ts, api/video-gen.ts, api/cutout.ts, api/pinterest-post.ts | Require signed admin session, request schema validation, rate limits and budget limits. |
| Telegram webhook can be forged if secret-token verification is absent and fallback unlocks exist. | api/telegram.ts webhook handling and unlock flow | Set and verify Telegram secret header, remove fallback unlock, use invite/whitelist flow. |
| Backup workflow may centralize decrypted env vars, PII and token tables into release artifacts. | .github/workflows/weekly-backup.yml, scripts/full-backup.sh, backup docs | Encrypt backups, exclude or separately encrypt token/PII tables, document access control. |
| Live product SEO route is confused: active `/catalog/:slug`, inactive/disabled `/shop/:slug` still has server meta. | client/src/App.tsx, api/index.ts PRODUCT_META/known routes, schema.tsx | Lock one canonical product URL family before schema, sitemap, Pinterest and external links. |
| Checkout can fall back to client-provided price and success/cancel URLs point at inactive shop path. | api/checkout.ts, App route table | Require valid available product from trusted source; reject client price fallback; fix success/cancel URLs. |
| Stripe webhook idempotency/raw body behavior is not proven enough for reliable orders. | api/stripe-webhook.ts | Use official raw-body verification, add event/payment unique key, replay same event creates one order. |
| Forms can double-insert or lose leads depending on page/API split. | Commissions.tsx, Contact.tsx, InteriorDesigners.tsx, Workshops.tsx, form APIs | One server-side submission pipeline per form; checked vendor responses; exactly one row per submission. |
P1 - deep audit and growth blockers
| Finding | Evidence area | Required gate |
|---|---|---|
| Server meta missing for active routes, so crawlers can receive fallback/not-found metadata. | /catalog, /statement, /faq, /rug-care in api/index.ts ROUTE_META | Every active public route has server-injected title, description, canonical and OG/Twitter tags. |
| Journal detail server meta is generic and Article schema is absent. | api/index.ts, Blog.tsx, schema.tsx | Post-specific server meta plus Article/BlogPosting schema for every published post. |
| Catalog and collection pages need ItemList schema and route-consistent Product schema. | schema.tsx, Catalog.tsx, collection routes | ItemList on listings; Product schema only for canonical product details with live media/price/status. |
| Sitemap and llms.txt do not fully match the actual published journal/product inventory. | client/public/sitemap.xml, client/public/llms.txt, Blog.tsx, Supabase journal | Index files generated or manually reconciled from the chosen content source. |
| Public forms have no anti-spam/rate-limit/schema-validation layer. | commission/contact/trade/workshop APIs | Zod or equivalent validation, honeypot/Turnstile or rate limit, duplicate prevention. |
| Resend notifications are documented but not implemented consistently in form APIs. | Admin settings, Legal copy, commission/contact APIs | Verified notification path, checked failures, lead remains saved even if vendor side effect fails. |
| Catalog remains a primary visual/performance risk with prior high CLS and heavy cutout payload. | Catalog.tsx, index.css, Supabase media, Lighthouse notes | CLS below 0.1 on catalog, stable card dimensions, optimized image payload and hover/tap stability. |
| Lightbox accessibility needs focus trap, initial focus and focus return verification. | Catalog lightbox implementation | Keyboard-only user can open, navigate, close and return focus predictably. |
| Known contrast and sub-12px text issues still need a focused accessibility pass. | index.css nav/footer/lightbox/catalog classes, TODO-FIXES.md | WCAG AA contrast, no readable text below 0.75rem, focus visible everywhere. |
| Production build can include `data-loc` attributes from the JSX location plugin. | vite.config.ts, built dist assets | Remove or dev-gate plugin; rebuilt assets contain no `data-loc` or source path leakage. |
| Deploy rule path mismatch can cause future workers to miss the actual environment rules. | AGENTS references .Codex path, actual file is .claude/rules/deploy-environments.md | Canonicalize rule location or duplicate the rule file deliberately; roadmap test deploy commands corrected. |
| PENDING-CHANGES counter needs normalization before any production batch discussion. | PENDING-CHANGES.md | True counted delta confirmed; test2-only experiments separated from prod-ready batch. |
Specialist summary cards
Security / Data
- Rotate and purge secret-bearing surfaces first.
- Move admin authority out of browser.
- Tighten anon RLS and paid/action APIs.
- Harden Telegram, Stripe and backup workflows.
SEO / Content
- Resolve `/catalog` vs `/shop` canonical conflict.
- Add missing server meta for active routes.
- Add Article, ItemList and route-consistent Product schema.
- Reconcile sitemap and llms.txt to actual inventory.
Commerce / Forms
- Remove checkout client price fallback.
- Add order idempotency and inventory checks.
- Unify server-side form submission pipelines.
- Add validation, anti-spam and checked vendor responses.
UX / Visual
- Catalog CLS and hover/tap stability are priority.
- Lightbox focus trap and scroll lock need proof.
- Contrast, touch targets and font floor must pass.
- Viewport matrix must include small phones, tablets and wide desktop.
Performance / Ops
- Remove production source-location attributes.
- Re-measure mobile Lighthouse on home/catalog.
- Add CI gates for build, smoke, budget and 404.
- Normalize deploy docs and pending-change counter.
Boxed Product
- Config-first brand, design tokens and tenant data.
- Server admin API plus strict RLS as the generic pattern.
- Encrypted tenant backups, not raw env/PII releases.
- Do not template Mariachi-specific art direction.
Non-negotiable
Blockers
Hard Rules
Deployment rules
- Read deployment environment rules before any deploy work.
- Each environment uses its own deployment ID. Never alias one deployment to both test and production.
- Use preview deployment for test. Production deploy only after explicit approval.
- After test deployment, verify that the test domain opens and serves the intended build.
- Record meaningful changes in project history so boxed-product extraction remains possible.
Report rules
- Do not overwrite old HTML reports. Create a new versioned file.
- Add the new document to the Docs registry as a separate entry.
- Do not expose real secrets, passwords, tokens, deployment credentials or customer data.
- Do not present unresolved items as completed work.
- Every fix phase must end with concrete verification, not just code changes.
0
Required first
Inventory And Baseline
Know what exists before touching anythingЦель фазы - не чинить, а собрать правдивую карту текущего состояния: routes, docs, APIs, Supabase tables, public assets, Vercel config, old TODOs, existing audit debt and known dirty worktree changes.
Checklist
- Snapshot git status and explicitly separate user changes from new work.
- Read project rules: AGENTS.md, deployment environment rules, TODO-FIXES.md, audit/TODO-LATER.md.
- Map route registry: App.tsx, useSEO, api/index.ts ROUTE_META, sitemap.xml, robots.txt, llms.txt.
- Map data sources: hardcoded data fallback, Supabase loader, public tables and storage buckets.
- Map all public docs and old reports without editing them.
- List live domains and confirm test/prod separation before any deploy command.
Commands
git status --short find . -maxdepth 3 -name AGENTS.md -o -name "deploy-environments.md" rg -n "TODO|FIXME|HACK|password|secret|token|sk_live|sk_test" AGENTS.md TODO-FIXES.md mariachi-react audit rg -n "Route|useSEO|ROUTE_META|sitemap|robots|llms" mariachi-react/client/src mariachi-react/api mariachi-react/client/public find mariachi-react/client/public/docs -maxdepth 1 -type f | sort
Acceptance gate
- There is one written baseline of files/routes/APIs/data sources before fixes begin.
- No old report has been overwritten.
- Dirty worktree has been respected and unrelated changes are not reverted.
1
P0
Security, Access, Cost
Stop leaks and unsafe entry points first
Rule
If this phase finds a real exposed secret or production-breaking access issue, stop normal roadmap work and isolate the fix.
Checklist
- Search repo for tokens, passwords, webhook secrets, service keys and accidental logs.
- Move admin credentials and bot access secrets out of client-visible code and into server-side environment/config path.
- Verify Stripe webhook signature validation and replay/idempotency behavior.
- Verify API endpoints reject unsupported methods and malformed payloads.
- Review external URL handling: image imports, media upload, map/proxy calls and webhook URLs.
- Add security headers in vercel.json where compatible with current SPA.
- Review rate limits and spam protection for forms and admin-like operations.
- Check that error responses do not reveal stack traces, keys, database details or vendor internals.
Files to inspect
- mariachi-react/api/stripe-webhook.ts
- mariachi-react/api/checkout.ts
- mariachi-react/api/commission.ts
- mariachi-react/api/contact.ts
- mariachi-react/api/trade-enquiry.ts
- mariachi-react/api/workshop-booking.ts
- mariachi-react/api/telegram.ts
- mariachi-react/client/src/pages/Admin.tsx
- mariachi-react/vercel.json
- mariachi-react/client/src/lib/supabase.ts
Verification commands
rg -n "(sk_live|sk_test|SECRET|TOKEN|ADMIN_PASS|password|webhook|signature|service_role)" mariachi-react
rg -n "Access-Control|Content-Security|X-Frame|X-Content-Type|Referrer-Policy|Permissions-Policy" mariachi-react/vercel.json mariachi-react/api
curl -i -X POST https://test.mariachiart.com/api/checkout -H "content-type: application/json" -d '{}'
curl -i -X GET https://test.mariachiart.com/api/checkout
Release gate
- No real secret is present in committed client/server files.
- Payment webhook rejects unsigned requests.
- Admin and bot access paths are documented and not client-exposed as permanent secrets.
- Security headers are either implemented or explicitly parked with reason.
2
P0/P1
Supabase And Data Integrity
RLS, publication state, fallback drift, storage rulesChecklist
- Confirm public SELECT policies expose only intended fields and published records.
- Confirm INSERT policies for commissions/contacts/trade/workshops cannot write arbitrary protected columns.
- Review anon CRUD policies on rugs, journal and bot history; decide if current alpha convenience must be reduced before wider release.
- Compare hardcoded data fallback with Supabase rugs and flag drift in names, slugs, prices, statuses and image arrays.
- Validate all active product image URLs, hover images, cutout URLs and storage paths return HTTP 200.
- Check order fields: product slug, Stripe price ID, amount, currency, status transitions and duplicate handling.
- Confirm drafts/published flags work for rugs and decide if journal/content need the same workflow.
- Verify storage upload categories and file type validation.
Data tables
| Area | Must verify |
|---|---|
| rugs | slug uniqueness, published status, price source, image array order, hover image behavior |
| journal | published state, markdown sanitization, cover URL, sitemap inclusion |
| leads | commissions, contacts, trade enquiries and workshop bookings all insert reliably |
| settings | no secrets stored for public client reads unless intentionally public |
| storage | media categories, upload type limits, orphan media, broken references |
Verification commands
rg -n "from\\(\"rugs\"\\)|from\\(\"journal\"\\)|from\\(\"commissions\"\\)|from\\(\"contacts\"\\)|from\\(\"trade_enquiries\"\\)|from\\(\"workshop_bookings\"\\)" mariachi-react/client/src mariachi-react/api rg -n "published|has_changes|draft|status|stripe|price|images|hover|cutout" mariachi-react/client/src mariachi-react/api rg -n "storage|upload|move|delete|media" mariachi-react/client/src/pages/Admin.tsx mariachi-react/api
Release gate
- RLS policy map is documented with public/private decision per table.
- No product visible on site has broken media or mismatched payment amount.
- Fallback data either matches production data or is clearly treated as emergency-only.
3
P0
Commerce And Checkout
Stripe, order lifecycle, failure recoveryChecklist
- Checkout amount must come from trusted Supabase/Stripe source, not client hardcode.
- Verify unavailable/sold/draft products cannot be purchased.
- Verify currency and decimal handling for EUR prices.
- Confirm success and cancel URLs are correct for test and production domains.
- Review webhook idempotency: duplicate event should not create duplicate order or email.
- Ensure order status transitions are explicit: created, paid, failed, refunded/canceled if supported.
- Confirm Apple Pay, Google Pay and Klarna availability is controlled by Stripe, not frontend claims.
- Test checkout with live-like test cards on test domain only.
Test matrix
| Case | Expected result |
|---|---|
| Active rug checkout | Session created, amount matches product source, redirects to Stripe |
| Sold rug checkout | API rejects with readable error, no order created |
| Missing slug | 400, no vendor call if possible |
| Duplicate webhook | Idempotent handling, one order/effect |
| Payment cancel | User returns to site without false success state |
Commands
rg -n "checkout|stripe|price|amount|currency|success_url|cancel_url|webhook|idempot" mariachi-react/api mariachi-react/client/src npx vite build
Release gate
- Checkout source of truth is documented and verified by test transaction flow.
- Webhook signature validation passes and unsigned request fails.
- Order side effects are idempotent.
4
P1
SEO, Routes, Schema
Organic growth layer and crawler truthChecklist
- Every public route has unique title, description, canonical and crawlable body content.
- H1s contain primary search intent, not only brand or artwork names.
- Product routes use Product schema with price, availability, image and canonical URL.
- LocalBusiness schema matches Barcelona studio details and does not conflict with page content.
- FAQ schema only includes visible page questions and answers.
- Breadcrumb schema exists for collection/product routes.
- sitemap.xml includes canonical public pages and excludes test/variant/orphan-only routes.
- robots.txt and llms.txt match intended crawl policy.
- OG/Twitter injected meta works for direct route request, not only client navigation.
- Language rules are consistent: English first, Spanish legal route lang if needed.
Route groups
| Group | SEO action |
|---|---|
| Home | Add keyword H1 support while preserving visual hero |
| Catalog / Portfolio | Make collection intent explicit, keep product discovery crawlable |
| Product pages | Canonical to collection slug, unique schema, product-specific H1 |
| Commissions | Target custom rug intent, add price/lead-time clarity if approved |
| Journal | Add internal links into collection/commercial pages |
| Legal | Correct language/canonical, no growth indexing over-optimization |
Verification commands
rg -n "useSEO|title:|description:|canonical|ROUTE_META|schema|JsonLd|Product|LocalBusiness|FAQPage|Breadcrumb" mariachi-react/client/src mariachi-react/api curl -s https://test.mariachiart.com/catalog | rg -n "title|description|og:|twitter:|canonical" curl -s https://test.mariachiart.com/sitemap.xml | head -80 curl -s https://test.mariachiart.com/robots.txt curl -s https://test.mariachiart.com/llms.txt | head -120
Release gate
- No important public page has duplicated title/description.
- Direct URL curl returns the expected server-injected meta.
- Sitemap, robots and llms files agree with canonical route map.
- Schema validates without hidden/spammy content.
5
P0/P1
Forms, Leads, Notifications
Commission, contact, trade, workshopsChecklist
- Every form has server endpoint, Supabase insert and email/list side effect where intended.
- Every form has same success/error UX: inline field errors, toast/global message, retry path.
- Client-side validation matches server-side validation.
- Radio groups use fieldset/legend and labels are attached correctly.
- Optional fields are truly optional on both client and server.
- Anti-spam protection exists or is explicitly parked with risk note.
- Vendor failures degrade safely: data saved even if newsletter/email side effect fails, where appropriate.
- Admin can distinguish new, contacted, resolved and archived leads.
End-to-end tests
| Form | Must prove |
|---|---|
| Commission | Supabase row, notification email, clear success, no duplicate on refresh |
| Contact | Supabase row, notification email, newsletter consent handled correctly |
| Trade enquiry | Supabase row and vendor side effect, no mailto-only fake success |
| Workshop booking | Supabase row and vendor side effect, selected workshop stored correctly |
| Newsletter | List join works, duplicate subscriber is friendly, no blocking UI crash |
Verification commands
rg -n "form|handleSubmit|fetch\\('/api|supabase\\.from|Resend|Klaviyo|newsletter|toast|error|success" mariachi-react/client/src mariachi-react/api
npx vite build
Release gate
- Each lead form can be submitted on test and inspected in Supabase.
- Each failure mode has a user-visible recovery state.
- No form claims success when only a mail client was supposed to open.
6
P1
Performance And Media
Core Web Vitals, bundle, images, videoChecklist
- Run Lighthouse mobile and desktop against test, not just localhost.
- Track LCP element per key route: home, catalog, product, commission, journal.
- Add width/height or aspect-ratio for hero, catalog images, journal covers and deco media.
- Use responsive images for heavy product/catalog assets.
- Confirm hero video loads after critical render and never blocks initial page view.
- Audit unused JS and unused UI dependencies; target boxed-product bundle budget separately.
- Review cache headers: HTML no stale SEO risk, assets long cache with hashed names.
- Remove global third-party scripts from Admin/Docs where not needed.
Budgets
| Metric | Target | Audit action |
|---|---|---|
| LCP | < 2.5s | Optimize hero/catalog media and preload only true critical asset |
| CLS | < 0.1 | Stable dimensions for images/video/fonts/nav |
| INP | < 200ms | Reduce JS, avoid heavy hover/modal work |
| Bundle | Site: improve; boxed v1: <= 300KB gz | Dependency audit and code splitting |
| TTFB | < 800ms | Check serverless meta injection and cache policy |
Verification commands
cd mariachi-react npx vite build npm ls --depth=0 du -sh dist/assets/* 2>/dev/null | sort -h | tail -40 curl -I https://test.mariachiart.com/ curl -I https://test.mariachiart.com/catalog
Release gate
- Mobile Lighthouse regressions are documented and P0/P1 performance blockers are fixed or parked intentionally.
- Catalog and product images do not cause visible layout jump.
- Admin/Docs do not load unnecessary public marketing scripts.
7
P1
UX, Accessibility, Visual QA
Design system, catalog interaction, mobile realityChecklist
- Read DESIGN-SYSTEM.md before any visual change.
- Use existing CSS patterns before introducing any new classes.
- Verify contrast for nav, hero serif text, footer titles, footer legal and CTA states.
- Verify all interactive targets are 44px minimum where touch is expected.
- Check mobile menu scroll lock, focus behavior, close behavior and background nav visibility.
- Check catalog card hover: no image jump, no transform conflict, no layout shift, no hover state stuck.
- Check modals: focus, escape, backdrop, internal gallery arrows and body scroll.
- Check forms with keyboard only and screen-reader labels.
- Run viewport matrix: 320, 375, 390, 430, 768, 834, 1024, 1440, 1920.
Visual rules to enforce
- Buttons stay outline pill unless the design system explicitly says otherwise.
- Page heroes keep required structure: back, eyebrow, sans, serif, lead.
- Bottom CTA pattern uses page-cta-section and page-cta-primary where required.
- Minimum font size stays at 0.75rem or above.
- No horizontal scroll at mobile/tablet viewports.
- No overlapping text, image, nav, modal or CTA elements.
- No nested card-in-card patterns in new report/app surfaces.
Browser QA matrix
| Viewport | Pages | Checks |
|---|---|---|
| 320 x 667 | Home, Catalog, Product, Commission | No horizontal scroll, buttons fit, menu usable |
| 390 x 844 | Home, Catalog, Lightbox | Catalog hover/tap state, modal scroll, CTA spacing |
| 768 x 1024 | Catalog, About, Trade | Grid transition, sticky sections, no dead zones |
| 1440 x 900 | Home, Catalog, Docs | Desktop nav, product grid density, readable docs |
| 1920 x 1080 | Home, Portfolio, Product | Hero framing, media crispness, no overly wide text |
Verification commands
rg -n "font-size: 0\\.[0-6]|font-size: 0\\.7|contrast|outline|focus|hover|transform|transition|overflow-x|100vh" mariachi-react/client/src mariachi-react/client/src/index.css rg -n "page-hero|page-cta|btn-pill|form-input|portfolio-card|catalog|lightbox|modal" mariachi-react/client/src mariachi-react/client/src/index.css
Release gate
- Every fixed visual issue has before/after screenshot on at least one desktop and one mobile viewport.
- No design-system exception exists without explicit note.
- Catalog hover/tap behavior is stable on mouse, touch and keyboard paths.
8
P2
Ops, QA, Boxed Product
Make Mariachi reliable and reusableOps checklist
- Confirm current checkpoint exists before risky cleanup or production release.
- Keep PENDING-CHANGES and DEV-HISTORY truthful after significant work.
- Keep test and production deployments separate.
- Document rollback command for every production batch.
- Verify Vercel env vars by name only, never writing secret values into repo.
- Document observability gaps: errors, form failures, payment failures, bot failures.
- Define smoke tests for test domain after every deploy.
Boxed product checklist
- Replace brand name, colors, fonts, Barcelona address and social handles with config/tokens.
- Move admin password and access secrets into environment/config flow.
- Abstract categories, workshop defaults and content blocks into database seed/config.
- Create reusable form pipeline: validate, insert, notify, list sync, retry/failure status.
- Create reusable product pipeline: products, images, checkout, order webhook, stock state.
- Create install/onboarding wizard only after Mariachi has stable pilot behavior.
- Track which improvements are Mariachi-specific art direction vs generic craft-brand platform.
QA smoke list
- Open home, catalog, product, commission, contact, docs and admin login on test domain.
- Submit one safe test payload per public form and confirm storage/notification behavior.
- Run one Stripe test checkout path and one cancel path.
- Open catalog lightbox, switch images, close, reopen, test hover/tap stability.
- Run mobile menu keyboard/touch flow at 390px and 768px.
- Curl a nonexistent route and confirm HTTP 404 behavior.
- Confirm sitemap/robots/llms are reachable and current.
Global gates
No fake done
Done Means Verified
Build and static checks
- npx vite build passes from mariachi-react.
- No new TypeScript errors from changed files.
- No lint/console errors in browser that are caused by the change.
- No broken import or route after docs registry update.
cd mariachi-react npx vite build
Test deploy checks
- Deploy preview only for test.
- Alias the preview deployment to test domain only.
- Open test domain and key routes after alias.
- Do not production deploy without explicit approval.
cd mariachi-react npx vercel --yes npx vercel alias set <deploy-url> test.mariachiart.com --scope meclive curl -I https://test.mariachiart.com/ curl -I https://test.mariachiart.com/catalog
Priority order
Slice 1
Security/access/webhooks/RLS audit and fixes. No SEO or polish work should outrank real P0 exposure.
Slice 2
Commerce and forms reliability: checkout, orders, leads, notifications, failure states.
Slice 3
SEO route truth: metadata, sitemap, schema, H1/canonical, crawler response and non-existent route behavior.
Slice 4
Performance and visual QA: catalog/card behavior, viewport screenshots, mobile scroll, contrast and Core Web Vitals.
Slice 5
Ops and boxed-product extraction: history, config, reusable patterns, deploy discipline, cleanup.
Engineering handoff
Use when executing
Copy-Ready Prompt
Работай в /Users/forril/Documents/MARIACHICC, все изменения только внутри mariachi-react если не указано иначе. Сначала прочитай: - AGENTS.md - .claude/rules/deploy-environments.md - TODO-FIXES.md - audit/TODO-LATER.md - mariachi-react/DESIGN-SYSTEM.md если будет визуальная правка Задача: выполнить System Audit Map v1 по фазам. Не смешивай всё в одну огромную правку. Иди slices: 1. Inventory baseline 2. Security/access/webhooks/RLS 3. Commerce/forms/data reliability 4. SEO/routes/schema 5. Performance/media 6. UX/a11y/design-system 7. Ops/boxed-product documentation Для каждого slice: - сначала audit notes - потом scoped changes only if explicitly requested - потом build - потом test-domain verification if deploy is requested - потом DEV-HISTORY entry Нельзя: - overwriting old reports - production deploy without explicit approval - alias same deployment to test and production - committing or exposing real secrets - reverting unrelated dirty worktree changes - saying done without verification output
Appendix
Known Debt To Fold In
From current TODO
- WCAG contrast issues in nav, hero serif text and footer.
- Horizontal scroll on iPhone SE and iPad Pro.
- Font sizes below 0.75rem in nav, footer, admin, lightbox and labels.
- SEO H1/canonical/sitemap/OG/lang cleanup.
- Data fallback synchronization with Supabase.
- Map/proxy, upload validation, admin performance and content migration backlog.
From old roadmap/audit parking
- Trade and workshop form reliability must avoid mailto-only success state.
- Dead CSS and dead component cleanup should happen after P0 slices, not before.
- Responsive layout needs viewport screenshots before reporting done.
- Footer/nav orphan pages need a deliberate SEO decision.
- Product specs can be expanded with pile height, weight and lead time.
- Catalog Paolo-style/cutout path is parked until explicitly activated.