daily: morning triage + db health 2026-03-23

[vayungodara]

Summary

• Triage: 11 findings from 3 email sources (Report A, Report B, Frontend Audit)
• Dedup: 11 unique issues (no overlapping findings between reports)
• Cross-referenced: 2 already fixed, 9 still open, 0 unverifiable
• Automated fixes: None applied — all 9 open issues touch cron routes, auth logic, or require architectural changes exceeding easy-fix criteria
• DB Health: WARNINGS — 23/24 checks passed; 1 unread notification >30 days old; 0 orphaned rows; 0 anomalies; 0 XP drift

Key Still-Open Issues (for manual review)

Severity	Issue
critical	Open redirect via x-forwarded-host in auth callback
critical	Orphaned session duration inflated in cleanup cron
high	DST boundary may break streak calculation
high	Timing-attack vulnerable cron secret (all 4 routes)
high	FocusContext re-renders on every timer tick
high	N+1 notification inserts in streak-breaks cron
high	Async IIFE race condition in FocusContext unmount cleanup

Already Fixed

• Stale closure in timer completion (ref-sync pattern already in place)
• PWA manifest exists (Report B incorrectly claimed it was missing)

Full triage report: docs/reports/triage-2026-03-23.md
Full DB health report: docs/reports/db-health-2026-03-23.md

https://claude.ai/code/session_012fyhytkj2ydbYNs25mBAv7

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
lockin	Ready	Preview, Comment	Mar 23, 2026 3:21pm

[vayungodara]

Closing — docs-only triage reports with no code fixes. All 13 findings are now resolved in PR #29 (fix/triage-2026-03-23). The emails remain the source of truth.