Skip to content

Map comprehensive project cleanup #36

Description

@vekexasia

Destination

Produce a comprehensive, backward-compatible, user-impact-first cleanup backlog for Tony Menu, with scope and priority settled across security, reliability, data integrity, maintainability, dependencies, tests, documentation, and small adjacent improvements.

The backlog must preserve Cloudflare production, self-hosting, and the current passwordless public-demo behavior. Wayfinder plans the cleanup; it does not implement it.

Notes

  • Consult the grilling skill for decision tickets; ask one question at a time and let the human answer.
  • Verify runtime Cloudflare/demo and self-host boundaries rather than treating deployment-dependent risks as confirmed.
  • Preserve public APIs and existing production data through additive migrations, versioned formats, and compatibility checks.
  • Prioritize user-visible operator and diner impact before internal risk or aesthetic cleanup.
  • The destination is a prioritized backlog, not implementation-ready specifications. Broad refactors need concrete payoff; use the smallest cleanup that resolves verified debt.
  • Small adjacent UX/workflow improvements may enter scope when discovered in an affected area.

Decisions so far

  • Define backup and restore guarantees — ship a validated, transactional version-2 configuration export/import with rollback download, history-safe floor handling, pending-intent invalidation, and forced draft publication; exclude images and operational history.

  • Choose public demo containment — use generic fail-closed ADMIN_PASSWORD HTTP Basic auth with a dedicated login UX for all /admin/*; keep waiter/public flows and hourly demo resets unchanged.

  • Verify live deployment boundaries — production auth is solid; demo admin bypass is intentional and confirmed live; AI cost cap absent in production; /refresh-menu fails open in demo (no REFRESH_SECRET); self-host does not strip CF-Connecting-IP; chat sessions retained indefinitely in production (53 sessions, oldest Apr 2026); localhost CORS is deployed but not exploitable.

  • Define ordering correctness and abuse policy — enforce bounded unique quantities, payload-bound retry safety, waiter-mediated stale intents, separate venue-safe public limits, 24-hour terminal-intent cleanup, and documented local-midnight numbering.

  • Set AI chat limits and retention — enforce atomic 200/day, 25/session, and 120/IP-hour limits with strict validation, fail-closed accounting, trusted anonymous identity, 30-day latest-transcript retention, and bearer-driven erasure.

Not yet specified

  • Exact implementation slices and release grouping that emerge after each cleanup area has a settled scope.
  • Additional user-facing improvements exposed by runtime verification and structural review but not yet precise enough to ask as standalone questions.

Out of scope

  • New product capabilities unrelated to an affected cleanup area.
  • Implementing the cleanup inside this Wayfinder effort.

Metadata

Metadata

Assignees

No one assigned

    Labels

    wayfinder:mapCanonical Wayfinder planning map

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions