docs/research/sync-simplification-audit/findings.md
Baseline ID: 9b4481332dd635dce29da3774d1b8601ea213467f07dfc7fb0417f36328c3135
This coordinator-owned register receives immutable discovery origin records, then D1-assigned stable IDs. No candidate is implementation authorization.
Candidate revision hashes are SHA-256 over the exact UTF-8 bytes of the
candidate section, from its ### heading through the byte before the next
### heading, after replacing the hash value with the literal <self>.
capture-docs::state-diff-and-order-rationale; proposed.9b448133…; B02;
be3e7cf7dd2cfe9aff0e4aa5870d44c8a35b6beac56eb319b2ddba9ee0216a84.docs/sync-and-op-log/diagrams/05-meta-reducers.md:17,27,30-31,76-114,126-183
describes before-state capture, StateChangeCaptureService, broad
state-diff-derived entityChanges, and per-operation store dispatch.
operation-capture.meta-reducer.ts:223-236 correctly says state diffing is
gone but incorrectly says capture may occupy any meta-reducer position.
meta-reducer-registry.ts:29-32,79-83,145-162 retains the first-position
assertion with the obsolete before-state rationale. The current reason is
replay exclusion: bulk-hydration.meta-reducer.ts:37-40 internally reduces
replayed actions, so capture must remain outermost. The current counter path
is described at operation-log-architecture.md:2150-2160.entityChanges; there is no general before/after state diff.bulkApplyOperations dispatch
with its internal reducer loop; document optional entityChanges; preserve
and correctly explain the outermost-position assertion.85bedb1 removed expensive state diffing on
2025-12-22; 9f0adbb introduced the diagram already stale. #8306/#8318
document the later pending-counter path.#8760 and #8962,
but their verified scopes do not name this diagram/order contradiction. The
July 3 extraction plan Step 8 is future boundary work, not this correction.checkFile on capture/registry TypeScript comments if changed; run the
capture, bulk-hydration, and meta-reducer-ordering specs. Commands were not
executed by the audit.oplog-store::superseded-two-phase-dedup-api; proposed.9b448133…; B05; a21ee57393756742748ade8d994826239756cd72b48069d904c1a94f8b7a324b.operation-log-store.service.ts:742-775 defines
non-deduplicating appendBatch; :1311-1330 defines hasOp and two-phase
filterNewOps. Atomic canonical ingestion is :782-787,950-1043.
Obsolete direct tests are in its spec :410-462,1335-1468; remaining
consumers are test helpers/integrations at
simulated-client.helper.ts:92-116,250-324 and
indexeddb-error-recovery.integration.spec.ts:76-103. A SuperSync recovery
spec and sqlite-migration-followup.md:107-122 still describe old behavior.appendBatchSkipDuplicates through RemoteOperationApplyStorePort
(sync-core/src/remote-apply.ts:19-35,100-112) and another live call at
operation-log-sync.service.ts:2188. Exact production search finds no caller
for the three old APIs and no dynamic/package/plugin/serialized consumer.appendBatchSkipDuplicates or getOpById; delete obsolete spies/retry tests,
the three methods, and stale current docs. Keep historical changelog text.da71917019 explicitly
replaced filterNewOps() + appendBatch() with atomic duplicate skipping and
removed retry logic but left these APIs.checkFile all
touched TS; store, simulated-client, IDB recovery, remote-apply/conflict,
targeted SuperSync, and scheduled sync suites. Not run by the audit.oplog-store::orphaned-convenience-wrappers; proposed.9b448133…; B05; 92f08d879da35bd60a19e409c2ecec9717cd2fcab89580fd7b415fda05258a35.getLatestFullStateOp is at
operation-log-store.service.ts:1355-1369, clearFullStateOps at
:1447-1459, loadStateCacheBackup at :1932-1943, and
hasImportBackup at :2169-2176. Direct wrapper assertions remain at its
spec :992,2711-2720; other occurrences are stale spy members.getLatestFullStateOpEntry serves upload
and import filters; clearFullStateOpsExcept is in the remote-apply port;
hydrator uses hasStateCacheBackup plus restore; import flows use
save/load/clear import backup. The four candidates have no dynamic/export,
schema, persisted-key, backup-shape, or wire consumer.getLatestFullStateOpEntry, or replace selective
full-state clearing with unconditional deletion.loadStateCacheBackup never gained a consumer; 4cbe605b35 removed the sole
hasImportBackup UX consumer while retaining recovery storage.checkFile; store, hydrator,
import-filter, remote-apply, sync, backup recovery, and piggyback specs.oplog-store::remote-status-query-fallback; proposed.9b448133…; B05; 978f8b57be8844475ddbcf004f33676dd2bb155adb04474746ce3e68f06b8bdd.getPendingRemoteOps at
operation-log-store.service.ts:1279-1309 and getFailedRemoteOps at
:1744-1785 independently implement compound-index reads, broad catch/warn,
pre-v3 full-store fallback, rejected-row exclusion, and decoding. Normal and
fallback tests are in its spec :2185-2218,2334-2390,4285-4398.:760-790, and sync :2118-2119. This
is read policy only; no lifecycle value, index, or persisted shape changes.66bdf69607;
f38342eeb9 expanded failed retrieval to archive-pending, while
f9610530c9 later repaired rejected-row parity in the other method,
demonstrating policy drift.checkFile; both normal/fallback store paths,
remote-apply port, hydrator retry, recovery/sync, and IDB/SQLite parity specs.snapshot-entity-keys::focused-utility-tests; proposed.9b448133…; B05, independently
corroborated by B09; ebb09e37fe77c8adbeffe26d416f1449fdc26423924c6d198c6af2ada7b2226c.extract-entity-keys.ts:10-106 has no
co-located spec; direct behavior coverage lives behind compaction DI/mocks at
operation-log-compaction.service.spec.ts:611-887. Cases repeatedly bypass
the empty-state guard, call compact, and inspect spy arguments. The block
duplicates a MODEL_CONFIGS map at :764-850 and names a removed private
method at :847-849.saveStateCache. Do not change entity identities while moving
tests; the B20 question is separate.9bf27073c9 extracted production logic from
compaction for five consumers but left its direct tests behind; B05 and B09
independently reproduced the ownership issue.checkFile both specs; utility, compaction,
snapshot, backup, and clean-slate tests; compare model and empty-state
inventories. Not run.oplog-idb-lifecycle::adopt-connection-rollout; already-tracked.9b448133…; B05; 2dd9d7d40d2321c10c136ab92ef9270a6c4ad5ccc80c1a836be8efdbc09c4558.operation-log-store.service.ts:227-310,328-471
retains service-owned schema/connection/open retry and a private database
getter; indexed-db-op-log-adapter.ts:135-224 owns another open path;
archive-store.service.ts:55-184 repeats borrowed-connection lifecycle.
Tests dynamically access the private connection for fault injection.adoptConnection, service/archive open paths, private getter, and duplicated
schema types. Schema derivation is a separate decision.sqlite-migration-followup.md:203-216 Tracks D1/D2, A6-PW-008, and reconciled
rollout issues.oplog-db-port::unused-convenience-methods; proposed.9b448133…; B06; b4dc9a0f015675badd37fb8cecdcf744437c8f06ecfcaaac22b48987e23d773f.indexed-db-op-log-adapter.ts:278-280,296-304,318-324; unused transactional
getAllFromIndex is at :419-427. Their contracts are in
op-log-db-adapter.ts:97-128,175-215 and SQLite copies in
sqlite-op-log-adapter.ts:654-699,824-826. Remaining calls are tests at
indexed-db-op-log-adapter.spec.ts:217-230,267-274,
sqlite-op-log-adapter.spec.ts:289-294,332-386, and migration mocks at
op-log-backend-migration.spec.ts:28-70.clear, top-level
getKeyFromIndex, adapter countFromIndex, or transaction
getAllFromIndex. Similarly named conflict-journal calls use raw IDB. The
internal port is not a package/plugin/barrel or serialized contract.clear/getKeyFromIndex, top-level getAllFromIndex, normal
count, and their underlying primitives.4c239e5691/#7902; these four never
acquired a production consumer.#7931; it
changes neither backend selection nor migration.checkFile port, both adapters, and specs; IndexedDB, SQLite, migration, and
operation-store suites plus app typecheck. No tests ran during the audit.oplog-db-tests::shared-idb-sqlite-contract; proposed.9b448133…; B06; 7a2a52729b0ed35909ec97cc98c710ba0d4bf0232476ad44975be17a1eab4e3f.indexed-db-op-log-adapter.spec.ts:52-440 and
sqlite-op-log-adapter.spec.ts:267-660 independently spell roughly 18 common
CRUD, unique-index, range/index read, cursor ordering/deletion, transaction,
scope, commit, and rollback cases. B07 independently reproduced this overlap.
SQLite-specific translation/queue cases remain at :671-767; IDB lifecycle
and retry cases remain at its spec :442-565.OpLogDbAdapter contract on fake IndexedDB and
real sql.js. A roughly 210-line FakeSqliteDb additionally emulates enough
SQL semantics to duplicate the behavioral engine. None has a runtime or
persistent representation.FakeSqliteDb to a recording stub for
SQL emission, parameter translation, queue, and failure-injection cases; do
not use that hand-built emulator as a third conformance engine. Keep all
engine-specific assertions and exact error/rollback expectations rather than
lowering them to a common denominator.ConstraintError, readonly rejection, test isolation,
atomic rollback, SQLite sequence materialization/scope/queue/DDL, and IDB
retry/error/close/versionchange/adoption coverage.4c239e5691/#7902; rollout docs treat parity as a gate. B07 corroborated the
duplicate scenarios and challenged the original three-engine proposal:
sql.js, not a growing fake interpreter, is the meaningful SQLite behavior
target.#7931; no exact test-dedupe issue.checkFile specs/helper; run both adapter suites,
backend migration and dual-backend remote-apply integrations; compare test
scenario counts before/after. Not run by the audit.db-upgrade-tests::duplicate-final-shape; proposed.9b448133…; B06; 1dd864b5c919289ea9624bb3547d6332f23a48cf9b5f3621aee7f4623c914ff9.db-upgrade.spec.ts:325-400 reasserts all nine stores and
three indexes through mocks. Individual threshold tests at :55-250 already
cover each historical delta, while op-log-db-schema.spec.ts:25-76 validates
the complete final descriptors against real fake IndexedDB, including
uniqueness and auto-increment metadata.full upgrade path mock describe block. Retain every version threshold, v7 metadata cursor
seeding, v10 downgrade barrier, and real final-shape guard.53685eb3a7; redundancy
arose when 4c239e5691 added the stronger descriptor test.checkFile; DB-upgrade and schema specs; compare
retained threshold inventory. Commands were not run.oplog-schema-docs::indexeddb-descriptor-consumption; proposed.9b448133…; B06; c1b7762aef121df8c266925fe26785f8d42c022477d8fa838736abc445e5c440.op-log-db-schema.ts:4-12 says the descriptor replaces
runDbUpgrade and creates IDB stores/indexes, while its own :43-53 says it
is only a target shape. indexed-db-op-log-adapter.ts:194-199 still calls
runDbUpgrade and consumes only descriptor name/version. The schema spec
:6-13 accurately explains this; sqlite-migration-followup.md:210-216
leaves derivation as future work.4c239e5691; later
clarifying text did not replace it.checkFile op-log-db-schema.ts; schema drift spec if code moves.capture-meta::get-operation-capture-service; proposed.9b448133…; B02;
12e4b1b5cc79a9206bbd4a0ef5c53dc47ec48d1120d36addc2f91f07583634db.getOperationCaptureService() is defined at
operation-capture.meta-reducer.ts:110-115. Its only tracked reverse
references are its import/assertions in
operation-capture.meta-reducer.spec.ts:5,76-92; it is not barrel-exported.setOperationCaptureService and the
behavioral test proving that a persistent local action reaches the installed
service. Do not remove the separately consumed getIsApplyingRemoteOps().11375db on 2025-12-08 and never acquired a production
consumer.checkFile and the focused
operation-capture.meta-reducer.spec.ts; commands not run.capture-tests::effects-unused-scaffolding-single-deferred; proposed.9b448133…; B02;
2ee82fc7f933849add075814623b9cb3084d87223bd7ffb245f77623da6d1652.operation-log.effects.spec.ts:3,35,72,96,111
constructs/provides a Store spy although OperationLogEffects does not
inject Store; lines 57-62,88 include an unused append spy although
production uses appendWithVectorClockUpdate. The port-contract happy-path
test at lines 805-819 and single-deferred-action test at 827-840 exercise
the same action, method, and append assertion.append
fixture setup and only the duplicate single-action example. Retain the
interface-typed port test plus distinct ordering, acknowledgment, retained
suffix, concurrency, failure, lock, fresh-clock, and stream-survival cases.#8306 stream-survival regression remains necessary.checkFile and the focused effects plus
stream-survival specs; commands not run.remote-archive-postpass::remoteArchiveDataApplied::no-active-consumer;
proposed.9b448133…; B03, independently
corroborated by B04;
ebb061b94f886cd06adfa5c6ecf3867eb51456832ff8793369103813b6bbd792.operation-applier.service.ts:18,147-152 imports and
dispatches remoteArchiveDataApplied; sync-core/src/replay-coordinator.ts:43,55-61,107,159-161,230,238,263-266
carries a callback plus hadArchiveAffectingOp solely for that notification;
archive.actions.ts:5-14 declares it. Its only application consumer is the
fully commented block at archive-operation-handler.effects.ts:100-124,
disabled because immediate worklog reloads froze the UI. The historical
action-type sentinel is at action-types.enum.ts:15-20.hadArchiveAffectingOp, and disabled
effect block. Keep archive predicates, post-pass handling, sequential side
effects, partial-success/retry semantics, both event-loop yields, and the enum
compatibility sentinel.skipReducerDispatch.96a5a0d818 introduced the signal to break a WorklogService cycle;
92ed8322f5 disabled its consumer after freezes; 298928e6d2 moved the
surviving dispatch behind sync-core callback plumbing.checkFile all touched TS; run sync-core, operation-applier, and
archive-handler-effect specs; targeted archive/worklog browser
characterization. Commands not run by the audit.bulk-replay-naming::deprecated-hydration-aliases::internal-test-only;
proposed.9b448133…; B03;
9cb8eb1d5a35f85608f27337797daf23d398ddeed46d31af16c8b247adfd67f9.bulk-hydration.action.ts:40-43 aliases
bulkApplyHydrationOperations to bulkApplyOperations, and
bulk-hydration.meta-reducer.ts:211-214 aliases bulkHydrationMetaReducer to
bulkOperationsMetaReducer. Searches excluding tests/specs/docs find no
consumer beyond the alias definitions; remaining uses are tests and two
comments.edb164eb78, while broader remote/bulk vocabulary is now
canonical.checkFile production
files and touched specs; bulk meta-reducer, hydrator, and integration specs.
Commands not run.operation-apply-contract::duplicated-app-core-result-options::single-type-owner;
proposed.9b448133…; B03;
8cb963a3977f8a4543338c53a9d44fc960b97018e154e4790b69eaf671c44dcc.src/app/op-log/core/types/apply.types.ts:1-65
duplicates the result and base option fields in
packages/sync-core/src/apply.types.ts:1-48; the package port is at
sync-core/src/ports.ts:21-55. operation-applier.service.ts:22-32,82-85
imports/re-exports the app copies. App callers mostly infer service method
types; only a hydrator retry integration spec directly consumes the app type.Operation and add host lifecycle flags.
They have no emitted runtime or persisted/wire representation.ApplyOperationsResult to CoreApplyOperationsResult<Operation>; extend the
core base options and retain only app fields skipDeferredLocalActions,
remoteApplyWindowAlreadyOpen, and onReducersCommitted. Preserve app
Operation, callback signatures, and every call site.5fc9fe0411 / merged PR #7546
created the split; 79f91e36fe and 5624f6891d changed both copies in
lockstep, reproducing the drift cost.checkFile app types/service, sync-core tests,
operation-applier and hydrator retry specs, package/app typecheck. Commands
not run.archive-flush::local-young-old-write::atomic-adapter; proposed.9b448133…; B04;
9c73ffbd75d62e96c9b0ecc3b6c2ab20b5661877207af91823e5480bcaa213b8.archive.service.ts:279-330 saves young and old
separately, then implements a four-write best-effort rollback. The already
injected ArchiveDbAdapter exposes saveArchivesAtomic at
archive-db-adapter.service.ts:78-90, backed by one transaction at
archive-store.service.ts:257-289; the remote flush uses it at
archive-operation-handler.service.ts:312-350. Six rollback-oriented tests
occupy archive.service.spec.ts:283-423.saveArchivesAtomic(newYoung, newOld).
Keep the earlier task-to-young save, pre-dispatch ordering, mutex, sorting,
timestamps, error propagation, and no-dispatch-on-failure behavior.52c8237fa42 added manual rollback;
cddbcd8a64 and later #8843/5edb659a65 established the atomic API for
remote flush and compression. Open issue #8843 names compression, not this
remaining local path.#8843; no
fetched issue or local plan exactly tracks the local-flush residual.checkFile on touched TypeScript plus the focused
archive service, adapter/store transaction, handler, and archive replay
tests; no command was executed by the audit.isIgnoreDBLock option threadingarchive-mutex::is-ignore-db-lock::inert-flag-threading; proposed.9b448133…; B04;
8ae6c2f26cf23da82ebdd333b50f113cbb25739708e602b1fe4d095ff3512aca.task-archive.service.ts:112-127 states that every
mutation unconditionally takes TASK_ARCHIVE, yet seven public signatures
still accept isIgnoreDBLock at lines 253-357,408-507 without reading it.
archive-operation-handler.service.ts:231-302,383-463 still computes and
passes the flag. Its spec contains option-specific assertions throughout
:285-835,1557-1588, including comments that now incorrectly say remote
calls need the bypass.TASK_ARCHIVE is an independent mutex, every path now takes it. Tracked
Git-universe search finds only the service, handler, and their tests; the
flag has no serialized, persisted, wire, plugin, or provider representation.isSkipDispatch, all handler calls, the unconditional
mutex, and behavioral local/remote archive assertions.TASK_ARCHIVE, or dropping
isSkipDispatch on remote update calls, would reopen lost-write or duplicate
op-capture failures and must be rejected.867d84a3d1 made the mutex unconditional and explicitly
retained the flag only for a follow-up. Closed issue #8941 says to remove
this threading; merged PR #9006 completed the remaining writer locks but
left the flag in place.#8941 and its implementing history,
although that issue is closed with this cleanup still present. D1 should
preserve that overlap rather than create a new issue-shaped record.TASK_ARCHIVE for both local and remote
actions; run checkFile, TaskArchiveService lock tests, and archive handler
tests. No audit command executed tests.#8941, then pursue only as a separate cleanup.task-archive-api::get-by-id-batch::test-only; proposed.9b448133…; B04;
e556ccae25d4ea7388db292b239fc0f73ff3ab907152ad86db3b11512c1dd8b5.TaskArchiveService.getByIdBatch and its example occupy
task-archive.service.ts:219-251; its four direct tests are
task-archive.service.spec.ts:1195-1262. Tracked Git-universe reverse search
finds no other reference. The neighboring hasTasksBatch is consumed by
ArchiveOperationHandler and is explicitly excluded.getById,
hasTask, hasTasksBatch, or merged archive loading.e43adba618 added both batch methods, but
only hasTasksBatch acquired a production consumer.checkFile and the focused TaskArchiveService and
archive-handler specs. Commands were not executed by the audit.archive-tests::timezone-demo::get-db-date-str-owner; proposed.9b448133…; B04;
5868738df5350de21667f7ab329a11c3510969b194ee93a7226eb37777a462fc.archive.service.tz.spec.ts:1-83 never constructs or
calls ArchiveService; it only calls getDbDateStr, logs environment data,
manually repeats local date formatting, and asserts that an object key it
just created is present. Its fixed-instant case branches on the current
offset rather than exercising archive sorting. The utility already owns
focused coverage in src/app/util/get-db-date-str.spec.ts:1-16, and the
timezone npm lanes include every **/*.spec.ts, not only .tz.spec.ts.archive.service.ts:229-233; no format
or runtime consumer depends on the test file name.get-db-date-str.spec.ts, then delete the
archive-named demo spec and its console logging. Keep archive sorting tests
that actually exercise today's-data placement.package.json timezone
script inspection. The file began in c346694055; later fixes made it
host-independent, but it never became an ArchiveService test. Existing
utility and timezone integration suites cover the same primitive more
directly.checkFile the destination spec; run it in all
five timezone scripts and run archive sorting/service specs. Commands were
not executed during the audit.archive-docs::separate-indexeddb-claim::sup-ops-stores; proposed.9b448133…; B04;
7b13fb2ddda7f71cac976a60b6084a0e2c99ae32ef7a963761befb4db3bff5bf.diagrams/06-archive-operations.md:31-70,100-108
repeatedly depicts a separate Archive IndexedDB and a dual-database
architecture; diagrams/README.md:16 repeats the label. Current code says
and implements the opposite: archive-db-adapter.service.ts:27-35,50-89
delegates archive stores to ArchiveStoreService, whose
archive-store.service.ts:233-289 reads/writes archiveYoung and
archiveOld through the same persistence adapter/transaction as SUP_OPS.SUP_OPS persistence database/backend with separate ops, state-cache,
archive-young, and archive-old stores; change “dual database” references to
“separate archive stores.” Preserve all local/remote ordering and archive
resurrection material.9f0adbb95c
introduced the diagram wording in January 2026; archive persistence was
already routed through the op-log adapter, and later refactors
09d1c76d9d, 4c239e5691, and db990b7018 make the single backend explicit.#8760; that issue does not identify this exact archive topology claim.#8760 and pursue as a documentation correction separate from behavior.entity-registry::complete-regular-keyset::app-registry; proposed.9b448133…; B01; 47604c6f23c2b5484828c67155dd619688b018cc19f8253ade3001b942dedd9a.packages/shared-schema/src/entity-types.ts:15-43,
packages/sync-core/src/entity-registry.types.ts:43-51, and
src/app/op-log/core/entity-registry.ts:33-36,157-166,347-401 define the
regular and special entity set, but the generic registry type is partial.
entity-registry.spec.ts:15-97,381-426 manually duplicates inventories and
a hard-coded count. Validation, LWW replay, and conflict consumers include
validate-operation-payload.ts:92,146,
lww-update.meta-reducer.ts:463, and
conflict-resolution.service.ts:383.ALL, RECOVERY, and MIGRATION; require the built
object to satisfy Record<RegularEntityType, HostEntityConfig>. Keep the
injected generic registry partial. Remove only the manual completeness/count
canary, retaining storage-pattern, selector, unique-key, and special-type
behavior tests.206ebc5306: SECTION existed in entity types but not the registry, silently
disabling validation/LWW/conflict handling. The registry originated in
58372626f1; the generic package boundary changed in b56c997874.#8752 and broader model
registration work #8299, but neither tracks exact app-host completeness.checkFile on registry/spec; application
typecheck; entity-registry, payload validation, LWW, and conflict unit and
integration specs. Commands were not executed by the audit.error-surface::unreferenced-app-sync-errors; already-tracked.9b448133…; B01; 6f1cadce7b21aa031d20f46de9f3b3a47751364b40e884f12e1b32a7e6fc2e42.sync-errors.ts:4-6,31,113-115,275-331; the app extractErrorMessage alias
is at :370-372. Their only remaining checks are
sync-errors.spec.ts:1-10,63-83 and
encrypt-and-compress-handler.service.spec.ts:1-6,296-304.instanceof, name-string, serialized, or wire
consumer for UnknownSyncStateError, DBNotInitializedError,
ModelMigrationError, ModelRepairError, InvalidModelCfgError,
ModelVersionToImportNewerThanLocalError, or ModelValidationError; the
alias has only a duplicate test.rg is insufficient: it hides tracked
PFAPI JS and would wrongly admit additional live classes. Verification must
use the Git universe and retain all current catch branches.8171bb05d0 completed phase-one cleanup and left this exact residual.#8326 and prior
#8325/#8510; do not file a duplicate.git ls-files,
run checkFile, error/identity/encryption-handler specs, and app typecheck.
No audit tests were run.#8326.model-types::unknown-json-union-and-duplicate-map; proposed.9b448133…; B01; 4e5d62db54a1e3903aba1d686cd21a1f594a3f771dbbc99561b9ba690e4f8867.src/app/op-log/core/types/sync.types.ts:20-29,49-62,139
defines ModelBase as SerializableObject | SerializableArray | unknown
and defines AllSyncModels<T> identically to AllModelData<T>.
sync-exports.ts:4-20 exports the latter; the only other reference is
pseudocode at operation-log-architecture.md:178.unknown accepts every value.
The second appears to name another model map but has no code consumer beyond
its barrel export. Both erase at runtime.ModelBase directly as
unknown; delete AllSyncModels and its barrel export; change the one doc
reference to the canonical map. Do not tighten malformed-data inputs.AllModelData inference stays intact; persisted and wire shapes do not
change. An untracked external type importer is the only identified risk.db990b7018.#8326 and A6-PW-005, with no exact tracked
item for these aliases.checkFile both
TS files; app typecheck/build and model-config/backup validation compilation.entity-key::unused-app-parser-and-duplicate-tests; proposed.9b448133…; B01; e69f1c1e93feaecb8121120d10bfefe2dfa2b21431fa4904b1698b473bdce5ab.entity-key.util.ts:1-18 wraps the package utility;
app entity-key.util.spec.ts:1-119 tests both wrappers. The canonical parser
is packages/sync-core/src/entity-key.util.ts:9-27 and is publicly exported
at sync-core/src/index.ts:168. Tracked search finds the app
parseEntityKey only in its definition and spec, while app toEntityKey has
conflict, rejection, clock, and store consumers.EntityType; the unused
parser only casts arbitrary package output to that type. The TYPE:id
format, first-colon parsing, and colon-containing IDs are persisted contract
details owned by sync-core.5fc9fe0411 created the generic implementation and deliberately retained
app-narrowed seams.#7546/A6-PW-005; no exact
open issue found.checkFile; sync-core entity-key spec/package
typecheck; app consumer typecheck. Commands were not run.privacy::json-parse-error::plaintext-data-sample; proposed.9b448133…; B01; 79a3da4fd738460559d70b974ef52eb8093cc3c9cfc07b7145fe5a8f32a98ff4.sync-errors.ts:241-267 stores about 100 characters of
decrypted sync JSON in JsonParseError.dataSample.
encrypt-and-compress-handler.service.ts:140-145 passes the full output;
sample-specific tests are at its spec :129-145,205-294. Recovery consumers
at sync-wrapper.service.ts:797-809 and the file adapter :2851-2874 do not
read the field; core/log.ts:54-70 does not serialize Error own-properties.JsonParseError and expose an actionable position; sanitization
must not bypass fail-closed decryption or recovery UI.git grep dataSample finds only the class/tests.
Commit 7496b2dd604 added the sample for debugging #5771;
8171bb05d0 later removed constructor logging because of privacy risk.#7619/#7870, but no
exact fetched issue covers this retained in-memory diagnostic data.checkFile; error, encryption-handler, wrapper,
and file-adapter corruption/recovery specs; add an assertion that the thrown
error exposes no plaintext sample. No audit test ran.compact-codec::operation-log-entry-half::test-only; proposed.9b448133…; B09; 219cf80e1322d1fa422d9d86ee3aa0c2681e37f37551ee183046313cb0308ae7.CompactOperationLogEntry occupies
compact-operation.types.ts:61-73; encodeOperationLogEntry,
decodeOperationLogEntry, and isCompactOperationLogEntry occupy
operation-codec.service.ts:79-135,152-164. Their only tracked consumers are
codec tests at operation-codec.service.spec.ts:5-8,99-153,173-194.
Production store and file-sync paths consume only CompactOperation,
encodeOperation, decodeOperation, and isCompactOperation.op; only the operation
payload is encoded. The entry-level interface/functions model an alternative
whole-entry codec that was never adopted. They are not barrel/package/plugin,
reflection, wire, or database-schema APIs.op is full
from the never-used whole-entry codec and must retain compact operation
compatibility for IndexedDB and file-sync envelopes.e177d928f6 introduced the entry codec and its tests together, but the
store in that same commit used only the operation codec; no later commit
added a production consumer.CompactOperationLogEntry returned no match; no local plan names it.checkFile
codec/types/spec; store codec, mixed historical-row, file adapter, and compact
operation tests. No tests ran during the audit.action-code-tests::duplicate-count-inverse-roundtrip; proposed.9b448133…; B09; 164bb88960d2bd01555aed43540f207f2b0665458add257068b5241e7c2de3be.action-type-codes.spec.ts:27-37,67-75 separately proves
inverse mapping and then the same all-entry round trip. The core enum spec
action-types.enum.spec.ts:15-31 adds a manually maintained member count,
map-set correspondence, and another direct round trip. Compile-time
Record<ActionType,string> completeness is at action-type-codes.ts:35.ARCHIVE_REMOTE_DATA_APPLIED sentinel with B03-C01.e177d928f6, while repeated enum canaries accumulated after
170db8ab81. Feature commits repeatedly update both mapping and the manual
count, demonstrating the drift cost without additional coverage.checkFile both specs; focused enum/code and
operation codec suites; mutation-check a missing mapping and duplicate code.compaction-tests::duplicate-lock-race-timeout-orchestration; proposed.9b448133…; B09; f2717bba63760eea5934fce8cf6a81ff605eb0d9b52a06db34cd56055e51273c.operation-log-compaction.service.spec.ts:93-227,409-460
splits one happy-path call into many spy micro-tests and then records its
ordered lock path. Lock-name assertions at :93-100 and :918-925 are
identical. Last-sequence filtering is repeated at :349-368,927-967,997-1047.
The “concurrent” case at :969-995 uses an inline callback mock that does not
serialize. Save-failure coverage repeats at :462-468,1049-1089; timeout
error content repeats at :1099-1123,1132-1151, with a normal happy path at
:1125-1130.seq <= lastSeq, pending and
rejected semantics, regular/emergency cutoffs, error propagation, lock name,
and timeout branch. A future ordering mutation must still fail.11d0fef9ac, 526afbafef, 3930526f77, and later race fixes without
retiring superseded micro-tests.checkFile; focused compaction unit/integration,
capture quota recovery, remote processing, and LockService suites; compare
named scenario inventory and use a representative ordering mutation.snapshot-tests::repeated-validation-and-migration-happy-path; proposed.9b448133…; B09; 877fd682a351d478a3e5569b61f75e52be13c188efc4a88874802b7b24a06f2d.operation-log-snapshot.service.spec.ts:98-169 uses 13
near-identical tests for required metadata/core models; :409-462 repeats
identical migration setup four times to assert backup, save, clear, and
return separately. Failure/rollback/validation cases at :464-582 are
distinct and excluded.checkFile; snapshot, schema migration, hydrator,
state-consistency, and legacy migration specs; compare case inventory.hydration-api::dead-data-init-hydrator-facades; proposed.9b448133…; B08; a360c8019486e74642c0fb45072dba3b448f211888832191f5727c8564fa6528.data-init.service.ts:55-72 exposes
reInitFromRemoteSync(), which only calls
operation-log-hydrator.service.ts:701-709; that method delegates to
SyncHydrationService. Its import/injection are at
operation-log-hydrator.service.ts:14,82. Repository-wide search finds no
production caller. Active sync calls SyncHydrationService directly at
operation-log-sync.service.ts:1327,1923. Dead fixtures remain across the
hydrator, retry-integration, and sync-wrapper specs.DataInitService
fixtures in sync-wrapper tests. Leave direct SyncHydrationService callers
unchanged.c77e34c7a0; 3ef23354e4 removed its last production call and injection
from SyncWrapperService but left the downstream facade and spec fixtures.checkFile all
changed TypeScript; hydrator, DataInit, retry-integration, and sync-wrapper
specs. No tests ran during the audit.hydrator::last-full-state-direct-load; proposed.9b448133…; B08; 7894006eaf433207decd29208248c317f40546398c7be08fa1ae5d0961052054.operation-log-hydrator.service.ts:253-293 and full
replay at :359-387. Both reject the shortcut when any row is pending,
extract the last full-state payload, validate non-fatally, merge its clock
before loadAllData, and dispatch replacement state. Regression coverage is
duplicated around operation-log-hydrator.service.spec.ts:731-876,1572-1636.SYNC_IMPORT, BACKUP_IMPORT, or REPAIR without replay while
preserving pending-row checkpointing and clock order.431290c170 patched
clock-before-load in both branches; 5624f6891d added the pending-work guard
to both. Repeated paired edits demonstrate drift cost.hydrator::inert-startup-hooks-and-di; proposed.9b448133…; B08; 0f387e495d1e38027385f14b8d362c0dafcc40d4e4519da25f4f4e1a61e716b1.operation-log-hydrator.service.ts:98,432 and defined at :756-758,869-871.
VectorClockService is imported/injected at :33,73 but never read.
RepairOperationService and VectorClockService are hydrator-spec-only dead
fixtures.OperationLogMigrationService, ArchiveMigrationService,
OperationLogRecoveryService, or OperationLogEffects.082d363b55.
Non-ancestor branch pr-8588, commit ebd612200f, already removes both
placeholder hooks, confirming prior work, but leaves unused vector/repair
scaffolding.pr-8588; do not import its
wider unrelated refactor.checkFile service and
spec; hydrator and retry-integration specs plus DI construction.snapshot-anchor::append-returned-sequence; proposed.9b448133…; B08; ce5f722ecfc04b5122ef52059ca279d6707d30b7b21bd0f89e47906d5f01dd5d.OperationLogStoreService.append() returns the exact
inserted sequence at operation-log-store.service.ts:666-688, but
SyncHydrationService discards it and queries the global tail at
sync-hydration.service.ts:238-243; migration repeats this at
operation-log-migration.service.ts:278-284.lastAppliedOpSeq defines
which operations a snapshot includes and which tail must replay.lastSeq directly from
append() in the createSyncImportOp branch and migration. Keep
getLastSeq() at sync-hydration.service.ts:259 for file bootstrap, where no
operation was appended.append()
began returning its assigned key in cabf266574c and retained exact
transactional return for full-state ops in 807d3bf5e5; the older callers
were not updated.append() → 7 and
getLastSeq() → 8, asserting anchor 7 and replayable tail row 8; migration,
destructive hydration, and file-bootstrap suites.sync-hydration-tests::local-only-round-trip-matrix; proposed.9b448133…; B08; 18392a332fc8db1f618aae3ac128dd8348e1e52a71e957c2b68b76c0d6916371.sync-hydration.service.spec.ts:851-1089,1141-1187. The self-expanding
LOCAL_ONLY_SYNC_KEYS round trip at :1091-1139 already checks every key in
dispatch and snapshot. :291-320 separately checks the persisted
SYNC_IMPORT payload and preservation of non-local properties. Utility edge
cases live in local-only-sync-settings.util.spec.ts:81-116.4a3155b887,
d401e6169e, and c19365908a; dynamic coverage added later in 1bfa6028de
explicitly grows with the key list and supersedes most permutations.LOCAL_ONLY_SYNC_KEYS member across operation payload, snapshot,
and dispatch; preserve a mechanical assertion map.oplog-db-port::unused-readonly-transaction-mode; proposed.9b448133…; B07; 80ee63bb5d8b2ad2f7ebe6425614e2890a53f3ef2c448185f81e3b8345cacf76.op-log-db-adapter.ts:34,79-87,206-215 offers
readonly/readwrite callback transactions. SQLite maps readonly to
BEGIN DEFERRED at sqlite-op-log-adapter.ts:719-726, but transaction
mutators at :784-806 never inspect _mode; SQLite deferred transactions
remain writable. tx.iterate at :828-841 also lets options.mode override
the enclosing mode, contradicting the port's “ignored; enclosing transaction
governs” contract. IndexedDB naturally rejects readonly writes.readwrite; only an IndexedDB adapter test exercises readonly callback
transactions. Standalone readonly iterate is live and must remain. No wire,
package, or persisted-format impact.transaction(stores, fn) readwrite-only; remove its mode argument, SQLite
DEFERRED branch, _mode, and repeated 'readwrite' arguments. Keep
DbIterateOptions.mode for standalone scans.4c239e5691; 39755a3503 guarded only cursor deletion. The stale Android
rollout branch retains the defect and has no production readonly callback.sqlite-adapter::missing-insert-rowid-fallback; proposed.9b448133…; B07; c1274764ffb08b02936230507e167684669f8b734b6cbade4677e7fd54de7cb9.SqliteDb.run makes lastId optional at
sqlite-op-log-adapter.ts:94-99, and sqlAdd returns res.lastId ?? 0 at
:326-340. SQLite auto-increment operation sequences begin above zero.
Operation-store callers immediately use this result as durable snapshot,
frontier, or full-state metadata at
operation-log-store.service.ts:666-765,1006-1035.lastId optional on generic non-insert run responses.4c239e5691. The unmerged Android
wrapper forwards optional plugin lastId, and branch tip ba6474f6f6
retains the zero fallback without an omission test.run returning {changes: 1} must reject;
valid fake, sql.js, and native-wrapper appends remain positive; append, batch,
recovery-snapshot, full-state-metadata, and rollback suites.sqlite-migration-docs::duplicate-stale-status; proposed.9b448133…; B07; 6bf42cd7457bac533297481a53dfa67d5d83a8ef6abc6db547e1c98cae6fcc08.sqlite-migration.md:3-65 duplicates live progress;
:44-45 says backend-aware initialization remains while :93 says no seam
exists, both contradicted by code and
sqlite-migration-followup.md:8-35,146-179. The follow-up calls A1 shipped at
:91-92 while retaining todo prose at :55-67, and calls transaction
reentrancy lint future at :175-179 although 610ca64894 enabled
no-adapter-in-tx. It also overstates any-source/any-destination migration;
only IDB-to-SQLite is implemented and tested.sqlite-migration.md as
stable rationale/invariants, make the follow-up the sole current rollout
ledger, remove duplicate progress/resolved Track A prose, and accurately
scope migration to IDB-to-SQLite.#8760/#8962; avoid another generic docs-drift issue until their exact scope
is checked.backup-import::verified-recovery-id-without-legacy-flags; proposed.9b448133…; B10; 461c208ba1bd86d3fbf2d2d6cb7e0017975af1ed05324c06434d1acbf2b51047.backup.service.ts:75-100 accepts backup data plus five
positional controls. isSkipLegacyWarnings is never read. isSkipReload
and isForceConflict are read only at :209-211, while all six production
invocations pass isSkipReload=true: file import, local backup, SuperSync
restore, recovery-slot restore, and both profile-switch branches.
isSkipPreImportBackup and requiredImportBackupId must have identical
presence at :96-100 and then travel together to :269-334.BACKUP_IMPORT wire
shape, archives, fresh client ID, and vector clock are unaffected.importCompleteBackup(data, requiredRecoveryBackupId?); ID presence alone
skips the pre-import snapshot and is passed to
runDestructiveStateReplacement. Remove the three obsolete flags, the
redundant skip boolean, the impossible-pair guard, and positional booleans
at callers.lastServerSeq reset, fresh {clientId: 1} clock, and import filtering.2387d8b15e records that an
omitted positional boolean previously reused a clock and caused stale-client
identity growth; 435018719f later made fresh-clock generation
unconditional, and ffca0f1397 added exact backup-ID pairing.#7709/#8107 atomic-recovery work.checkFile every touched TypeScript file.complete-backup::mandatory-archive-inclusive-snapshot; proposed.9b448133…; B10; a09b63098dde754ffecc7014954453eafb35e09d409e22ec63faf8c975d4ba37.backup.service.ts:53-72 names its result
CompleteBackup but defaults includeArchives=false; that branch calls
getAllSyncModelDataFromStore(), whose
state-snapshot.service.ts:117-124 substitutes empty archives. Every
production call explicitly passes true: the global error handler, two
profile snapshots, manual JSON export, and privacy export. No false or
omitted production call or direct method test was found.CompleteBackup.
Archives are already part of AppDataComplete and the backup wire shape;
omitting them can lose archived tasks and time tracking on restore.includeArchives and
the empty-archive branch; always await canonical getStateSnapshotAsync();
remove explicit true arguments and add one focused archive-inclusion test.db990b7018; no current caller uses its default.
Archive persistence fixes 6c3f183fb7 and architecture require both archive
halves in full-state backups.BackupService; global-error, profile, file-export, privacy-export, archive
import/persistence suites; targeted import/export E2E and checkFile.state-snapshot::pfapi-era-method-and-class-aliases; proposed.9b448133…; B10; 9504c00bdc5ace4400d5a51376d8488f96320a5ca2eca2b08e541579a676b835.state-snapshot.service.ts:138-144,182-188 wraps
getStateSnapshot() and getStateSnapshotAsync() under old names, and
:234-235 re-exports the class as PfapiStoreDelegateService. Live alias
calls remain in backup, local-backup, and sync-hydration services. No tracked
TypeScript import of the class alias exists; architecture prose, specs,
spies, and one obsolete E2E debug-log filter retain the old vocabulary.AppStateSnapshot type re-export remains.db990b7018 during the
PFAPI-to-op-log transition; canonical APIs now have broad direct use.#8326; this
candidate removes only unused TypeScript transition names.checkFile all touched TypeScript.legacy-backup-v10::work-context-time-tracking-extractor; proposed.9b448133…; B10; b70d3355c9ecfed8bdcf65280d82cd0eb93df23e30c589ddc5749c11010cac2c.migrate-legacy-backup.ts:140-189,191-229 independently
iterates project and tag entities, initializes the same session-map entry,
overlays workStart/workEnd/breakNr/breakTime into s/e/b/bt by date, and
deletes the same four fields. Existing coverage tests only project
extraction/removal; the tracked v10 fixture has no tag work fields.78699d278e, whose
history explicitly names project/tag extraction and real v10 preservation;
blame shows no intentional divergence.checkFile and targeted specs.legacy-pf-db::orphan-save-archive-and-clear-all; proposed.9b448133…; B10; 68dff22a1f2ee21c97156cfb977ff5adb4209cd20bbad3f75d6f414d73f3b902.legacy-pf-db.service.ts:312-320 defines saveArchive
and :382-397 defines clearAll. Whole-tree closure finds calls only in
their direct spec blocks; no production, computed-property, package, plugin,
or dynamic consumer exists. Active consumers use existence/data checks,
entity and archive reads, meta/client-ID access, migration locks, and generic
load/save for reminder cleanup.saveArchive,
clearAll, and their isolated specs. Retain generic save, which still
clears the legacy reminders key, and every migration/read path.db990b7018 and never acquired a
production caller or later revision.#8326 tracks
broader PFAPI artifacts. This narrow deletion is compatible with both and
does not authorize legacy-support retirement.checkFile service and spec.entity-state-util::fix-or-error::test-only; proposed.9b448133…; B12; 7ffe233fd65fc0d5430c930fe6301cbbd8d0760641c17f6f6c8c1db25970f270.check-fix-entity-state-consistency.ts:46-67 exports
fixEntityStateConsistencyOrError; only its spec import and two direct tests
at :147-181 reference it. Current-tree and all-Git-ref exact, string,
barrel, plugin, and package closure found no runtime consumer.ids for
inconsistent entity state but throws when state is already consistent,
duplicating live fixEntityStateConsistency behind an inverted contract.isEntityStateConsistent and
fixEntityStateConsistency.1e88740dd1, with direct coverage in
557412586d; it never acquired a production consumer.checkFile both files.repair-service::empty-summary::test-only-static-api; proposed.9b448133…; B12; 29aaec6be139374644742f8d0dfe7ea4569af31432d72764a8237451999c7104.RepairOperationService.createEmptyRepairSummary() at
repair-operation.service.ts:239-251 is referenced only by its direct spec
at :360-371. The similarly named integration helper is file-local and
independent. Production dataRepair() constructs the real summary.REPAIR payload, notification,
vector clock, or persisted operation.d22fbe28b2a, direct test in
1ed936ab235; qualified-symbol closure found no runtime use.checkFile service and spec; documentation
reconciliation.repair-logging::orphan-task-arrays::exportable-history; proposed.9b448133…; B12; 5ce3f82462290e2557c246139d24342aacc82d3ea0ed1d942107cc3351eabbc9.data-repair.ts:497,564,631 passes three TaskCopy[]
collections to OpLog.log; those objects include titles and other user
content. core/log.ts:1-3,123-164,238-268,365-368 retains trailing arguments
in exportable log history.5772b3416c redacted exportable
user content and changed nearby data-repair logging, but missed these exact
three arrays. This is a bounded residual, not a new generic sweep.5772b3416c/GHSA hardening lineage and A6
privacy issue record.checkFile.auto-fix-tests::time-number-probe::canonical-owner; proposed.9b448133…; B12; e7688adbcc100561b13593feda2417968f13d046823fce032acdceb2e1bd5026.auto-fix-time-spent-investigation.spec.ts:1-142 labels
itself PROBE/CONFIRM, repeats the setup/helper owned by
auto-fix-typia-errors.spec.ts:1-28, logs to console, and uses four tests for
the same task-number fallback.timeSpentOnDay, timeSpent, and
timeEstimate, including multiple errors and a valid day bucket.devError release valve unchanged.87bfb606e2; later changes were lint maintenance only.checkFile canonical spec.validation-tests::hibernate-repro::canonical-cross-model-suite; proposed.9b448133…; B12; f01857a7d6a305ecd82c5b538c86410a63df1d04af786978454f30929155423b.hibernate-repro.integration.spec.ts:1-295 calls one pure
validator, manually builds complete state, mutates global production mode,
and logs five scenarios despite its integration label. Its missing-project
task, TODAY, and valid controls already exist in the canonical relationship
spec. Five corruptions remain unique: stale task tag, stale task project,
orphaned task ID, contextless task, and regular-tag orphan.#7330; real recreate and
multi-client convergence coverage exists elsewhere and remains.is-related-model-data-valid.spec.ts, preserving expected
validity/error and #7330 rationale; delete the duplicate harness, logs, and
environment mutation.c590447d00;
a57323277b later had to repair stale message assertions in this second
owner, demonstrating drift cost.ValidateState, and real #7330 replay/convergence suites;
checkFile.lock-service-tests::current-web-lock-and-fallback-matrix; proposed.9b448133…; B14; f8d7dcc5afbfc49de0f538837ae538070dc258b38c903d432327e7dc60a44edb.lock.service.spec.ts tests a 130-line
service. :103-162 contains four localStorage stale/corrupt-value tests, but
current fallback state is only _fallbackLocks: Map<string, Promise<void>>
at lock.service.ts:29-30,88-129 and never reads localStorage. Basic,
concurrency, async/error, platform-fallback, Web-Lock, and contention success
cases repeat across spec ranges :21-101,164-230,373-676,678-764.#7700 regression proving clock-before-deferred
persistence under actual LockService.a9becc2058 deleted the localStorage two-phase
fallback but left its specs. Early breadth accumulated in
a18fc9d3ad, e498acc020, 615188bf88, 526afbafef; newer
cc2c1a8162, 37cb791053, 753e5714fb added distinct queue/reentry correctness
regressions that must not be folded away.#7700 regression and B09 lock/compaction
invariants; generic C6 overlap only.navigator.locks branches; fake-time timeout/queue mutation checks; checkFile.operation-sync-util-tests::exhaustive-classification-and-conversion-matrix;
proposed.9b448133…; B14; c28106b37dc8c0c893df8742250e5f9298566e671079b9e930c8713d0a95eae8.operation-sync.util.spec.ts:17-50 individually checks
four file providers and SuperSync, although :56-85 already exhaustively
partitions every SyncProviderId; :89-102 repeats provider/id agreement.
:106-147 has five nearly identical capability fixtures. :166-298 copies
one field or operation type per test and uses forbidden any at :286-287,
while optional syncImportReason, repairBaseServerSeq, and invalid
opType behavior lack direct coverage.entityIds, optional
fields, and invalid-op-type cases. Remove one-field/type permutations and
inspect nested payload with a typed shape.11d0fef9ac;
7df43358ab/bac801faf3 added the missing-provider regression,
4eaa7da06a introduced provider modes, and 10a47888a6 added the ID sibling.
Later additions accumulated instead of consolidating the exhaustive seam.SyncProviderId,
provider mode, Operation field, optional causal field, and all OpType
acceptance/rejection semantics; focused spec and checkFile.any.operation-log-sync-spec::typed-operation-download-provider-fixtures;
proposed.9b448133…; B14; d93fb835aeb31c3e942f08fb6ce939ee9bbedbb541aa3cf12198c11bf62c6ff3.downloadRemoteOps().resolveTo({...}) results, 128 mockProvider literals,
and 121 as any casts. A typed makeRemoteOp exists only inside the
force-download block at :4359; earlier sections repeat full operation
objects. :5070-5109 and :5252-5290 assert the same forced-processing call.
Cursor tests at :4788-4835,5111-5144 separately assert final value and the
stronger replacement-before-acknowledgement order.Operation, DownloadResult, and an operation-capable provider; replace
repeated defaults with explicit overrides. Move makeRemoteOp to shared
spec scope. Delete the exact forced-processing duplicate and combine final
cursor value/count with the existing order test. Do not table-drive unrelated
race or failure scenarios.1f8fe61c84; 44e0762fba later added an exact delegation duplicate for a
moved validation-latch rationale. July 2026 fixes repeatedly edited inline
result/provider shapes across the file, demonstrating the fixture drift cost.it title and expectation; focused orchestrator spec; mutation-check factory
defaults for provider mode, cursor, snapshot, success, and failed-file count;
relevant upload/download/rebuild integrations; checkFile.cross-model-validation::dead-legacy-scaffolding; proposed.9b448133…; B11; 5ed98eecf14085e6ba7ebdab85bfe8c427ca87c7ce9a63fe279edada7109a7b0.is-related-model-data-valid.ts:13-20,91-93,135,149-152, 167-184,262-278,390-394,553-557 contains four inert mechanisms. errorCount
resets per call, while all 32 _validityError() sites immediately exit, so
its >3 path is unreachable. projectTaskMap is populated but never read;
projectIds is passed to validateNotes() but unused; and
validateReminders() unconditionally returns true.devError, and exposes that first error synchronously to validateFull().
Consumers include backup import, legacy migration, hydration/recovery,
snapshot validation, and post-sync repair; no format change is proposed.devError.TODAY
exceptions, menu-tree checks, provider references, and privacy-safe logs.b03cfcdd9b6 added a multi-error throttle when an older reminder validator
could report repeatedly; 6839c20c272 removed reminderId validation and
left the no-op; the project map survives from the PFAPI-era validator.checkFile.state-validity-tests::repeated-validity-assertion-boilerplate; proposed.9b448133…; B11; 123a496e503f2fb4621d6c54322a92cab7349171e0a894685b898be6d3f68566.state-validity-after-actions.spec.ts:165-865 contains
26 validationResult blocks and three result blocks repeating the same
expectation, invalid-result branch, and scenario-specific fail() call.expectValid(result, message) helper near :134-163 and replace only the 29
repeated assertion blocks. Do not table-drive or remove scenarios.fail() behavior must remain.fail()
calls. The suite began in c93714bd0e1; 196e50b906 strengthened note
assertions without creating a shared assertion seam.checkFile; deliberately force
one invalid result to confirm its scenario-specific detail still appears.remote-op-migration::dead-dropped-entity-tracking; proposed.9b448133…; B17; 52d3680d6801c6423e8a85b9eacc88b1707c599c17be18ca37cbeacbdad5daff.remote-ops-processing.service.ts:149,184-190 allocates
and fills droppedEntityIds, but the set is never read or returned.
remote-ops-processing.service.spec.ts:519-555 says the tracking supports
possible future dependency warnings, yet it can only reassert the same
terminal-null migration behavior already covered at :430-458.null
intentionally drops that operation without blocking the batch. The useful
behavior is the remaining verbose op-ID diagnostic and the filtered batch;
no consumer, result field, persisted shape, or wire format observes the set.null result remains a terminal drop,
and cursor blocking remains restricted to incompatible or failed migrations.
Do not change split-operation ordering or the blocked-op result.c27a07df4c introduced the set during service extraction; the later
affected-entity work in 0893a86162 was reverted by 9540593d60, leaving
this bookkeeping inert.blockedByIncompatibleOp; checkFile on both files.superseded-resolver::redundant-per-item-existing-clock; proposed.9b448133…; B17; c1777bbd3795797d540b32f69d395a6134135516ee708d34365388f3d06a2d1e.superseded-operation-resolver.service.ts:89-93,142-180
repeats existingClock in its input and internal item types, but never reads
it. The only runtime caller, rejected-ops-handler.service.ts:445-545, first
extracts those clocks and passes them through extraClocks in all three
resolution branches. Resolver specs at :1478-1570 claim to exercise the
per-item value, but also place serverEntityClient in globalClock, so they
pass even though the item property is ignored.existingClock remains required. RejectedOpsHandlerService carries it
until the op is confirmed pending and combines it with force-download clocks
or the snapshot clock; resolver inputs then merge that explicit clock list,
the global clock, and each operation clock.existingClock only from
the resolver's public item shape and its repeated local aliases; delete the
two false resolver tests. Keep the rejection-response type, handler
extraction, extraClocks, and handler boundary tests at
rejected-ops-handler.service.spec.ts:836-919 unchanged.405812e7b3 added the per-item property when the
resolver used it for client-side pruning. fdc942babb removed that pruning
and its read to prevent an infinite conflict loop, but left the property and
tests behind. Exact reference closure confirms no hidden read.checkFile on all touched files.rejected-ops-handler-spec::retry-budget-state-matrix; proposed.9b448133…; B17; 94829bfef4a8169ab492416cba82434fb40c6bae93d6edc0ff0e232c62975fd0.rejected-ops-handler.service.spec.ts:610-771,943-1404 repeats operation
loops, untyped mockEntry() values, download callbacks, and resolver setup to
reach adjacent retry-counter states. The reset cases at :1281-1348 and
:1350-1404 overlap, while distinct same-batch, cross-call, mixed-entity,
cancellation, and transient-failure assertions are spread through the same
fixture boilerplate.OperationLogEntry factory and one typed completed-download callback, then
table-drive only retry-state transitions. Preserve separate named regressions
for nested/forced cancellation rollback and thrown-download rollback.#8331's no-terminal-rejection assertions.fdc942babb, c112b65d64, 13dc7a988a, 217796b742, and
55d3490e19; later changes copied full setup to pin each newly discovered
boundary instead of sharing a scenario harness.checkFile.mockEntry(): any, with no production change.remote-processor-spec::collaborator-conflict-algorithm-copy; proposed.9b448133…; B17; 8191b978f3574c9439c725ba429837a19a515d7adf2f719d01e8920e76da2db8.remote-ops-processing.service.spec.ts:144-226
reimplements vector-clock comparison and conflict construction for the
ConflictResolutionService spy. Its own comment admits it omits the current
entity-existence branch. Tests at :1470-1549,1587-1613 then assert those
collaborator semantics through the copy. Production
remote-ops-processing.service.ts:749-791 only builds context, delegates per
operation, accumulates every reported conflict, filters superseded results,
and yields in batches.conflict-resolution.service.spec.ts, while
the #8956 multi-entity case at remote-spec :1551-1585 uniquely proves all
collaborator conflicts are retained.c27a07df4c introduced the copied fake during
service extraction. 6a2b7e3b9b later documented its semantic omission, and
51bf689bd56 had to extend its result shape for multi-conflict support,
demonstrating drift across two owners.checkFile.superseded-resolver-spec::actual-batch-port-and-object-matrix; proposed.9b448133…; B17; cdf4ab2b5b87b443d61f09df4e71dd578db4b99f21920b696067708099460c6c.superseded-operation-resolver.service.spec.ts:50-87 makes the
real appendMixedSourceBatchSkipDuplicates spy call the obsolete
appendWithVectorClockUpdate spy, after which most assertions inspect the
latter. Production only calls the batch port at
superseded-operation-resolver.service.ts:309-322. One-field permutations
for move-to-archive (:829-1101), delete replay (:1124-1315), and
no-client-pruning (:1331-1476) repeatedly reconstruct the same operations.existingClock cases under B17-C02, not here.61b8d82ad6; 7e273a0e5c introduced the atomic batch port and its
compatibility fake, leaving assertions coupled to a method production no
longer calls. The repeated field cases accumulated around correctness fixes
instead of being reconciled against the new port.checkFile.sync-shell-contracts::orphan-pfapi-constants-and-types; proposed.9b448133…; B13; df039e9b1843346331007c282396a26886943c8c44c51f6ed0fd4bf75bc4cbfc.sync.const.ts:38-42,53-96 has no consumers for
SYNC_REINIT_DELAY_MS, DEFAULT_APP_BASE_DATA,
PREPEND_STR_ENCRYPTION, PREPEND_STR_COMPRESSION, or the empty
GLOBAL_CONFIG_LOCAL_ONLY_FIELDS. sync.model.ts:37-44,54-69,85-95 has no
consumers for AppMainFileNoRevsData, AppMainFileData,
LocalSyncMetaForProvider, LocalSyncMetaModel,
DialogPermissionResolutionResult, SyncGetRevResult, or
SyncResultLegacy.AppDataCompleteLegacy,
base/archive shapes, AppBaseDataEntityLikeStates, and
DialogConflictResolutionResult.rg closure is empty outside the declarations.
Origins span c06f0a2867, 490018db81, a081ee3fb0, 1059eeea04, and
3ef23354e4; later migrations removed their producers/consumers without
deleting the declarations.checkFile for both files.sync-wrapper::dead-wait-facade-and-status-getter; proposed.9b448133…; B13; eab9dbdd8c7eea13b8f8cc93e968de69775c6533b421021244afa3878b392a3b.sync-wrapper.service.ts:237-238 exposes a wait facade
with no runtime caller, while the direct observable timeout path at
:240-264 is live. sync-trigger.service.ts:42-47 exposes the corresponding
getter only to that facade. Stale trigger-spec setup/assertions occur at
sync-trigger.service.spec.ts:36-39,140-143,163-203,247-252,372-380.startWaitingForNextSync() sources and is consumed through the wrapper's
observable/timeout behavior. The synchronous facade adds no policy, state,
persistence, or wire format.f24e73302b, fe75a05127, and 3d1430b56a show the older polling
seam surviving after the observable path became authoritative.startWaitingForNextSync() source; checkFile on all touched
TypeScript files.sync-wrapper-di::unused-reminder-service; proposed.9b448133…; B13; 6727927f31adaf4522b70b90b0b274d0bf5a7e05ce4a7535101ad425652b3999.sync-wrapper.service.ts:60,119 imports and injects
ReminderService but never reads the field. Its spec repeats the unused spy
at :16,65,183,230,2448,2576. The real initialization owner is
features/reminder/reminder.module.ts:53,68.ReminderModule owns
reminder initialization and active-reminder behavior. The wrapper dependency
has no call, side effect, status role, persistent representation, or provider
contract.inject() merely obtains an already-provided
service here. Confirm there is no constructor-time effect or provider-lifetime
dependency hidden behind injection.b2f5ee820d and 3ef23354e4 trace the stale dependency across reminder and
sync reorganizations.checkFile on service/spec.sync-trigger::resettable-delay-subject-audittime; proposed.9b448133…; B13; ac205f602375f4fc7b562c69b64c86f99b60879d9a42e7467b1d4ddfda34d0c0.sync-trigger.service.ts:81-84,288-303 creates a private
subject, pushes once per source subscription, and uses auditTime(delay) to
emit null. sync-trigger.service.spec.ts:294-333 checks delayed emission
but does not pin unsubscribe/reset timing precisely.null, restart for each subscription, and not alter the separate 100 ms
debounce, maximum interval, or hydration-window immediate path.auditTime construction with timer(delay).pipe(mapTo(null)) (or the
repository's equivalent typed mapping). Add characterization before changing
it; do not unify other trigger clocks.null value. A shared/hot timer or changed leading/trailing behavior
is not equivalent.db990b7018 introduced the current subject form; no later
consumer acquired multi-event semantics.checkFile.sync-wrapper-spec::provider-status-testbed-copies; proposed.9b448133…; B13; 2b6537b01216c2d8c2b33c2f82cfd08eea208719af30659b00cc7672d64f6962.sync-wrapper.service.ts:195-202 derives status signals
from provider kind and confirmed/pending state. The spec rebuilds nearly the
same 13-provider TestBed and assertions across
sync-wrapper.service.spec.ts:2405-2602 for SuperSync, WebDAV, Dropbox, and
LocalFile.77d09796d8 and
40def4a576f; later cases copied setup rather than extending a case table.checkFile.op-download-result::dead-failed-file-count; proposed.9b448133…; B15; 918d7338d06cd8acfe6ca81867486054ad644d1a399a35a10c23edee32cb6c02.core/types/sync-results.types.ts:21-29 declares
failedFileCount; operation-log-download.service.ts:89-93,476-503 only
returns zero; operation-log-sync.service.ts:565-572,1703-1707 forwards or
inspects it without any producer of a nonzero value. The download spec's
assertions are at :78-81,894-899; the orchestrator spec contains 96 textual
occurrences, with the only nonzero value being a synthetic fixture at
:4860-4866.#6571 failure gate.a70273597f introduced the result shape and c12900329c retained it
through download extraction without adding a failure producer.checkFile on touched files.op-download::single-use-api-wrapper; proposed.9b448133…; B15; c304c773c961988bdb8a70c5c7fa8a7f580999b765310c7d03caed23741be989.operation-log-download.service.ts:35-44,85-105 defines
_downloadRemoteOpsViaApi() and calls it once; the method only forwards the
same provider arguments and returns the same result.c12900329c introduced the wrapper during service extraction; it never gained
independent behavior.checkFile.initial-download::duplicate-full-state-migration-plan; proposed.9b448133…; B15; 87e1a7e5becf56ffc02c42fa4404a6574fd5c0770ab1a03dc1f84f96f45dd291.operation-log-download.service.ts:393-448 reconstructs
the same initial/full-state migration decision encoded by
packages/sync-core/src/download-planning.ts:23-99 and covered by
packages/sync-core/tests/download-planning.spec.ts:23-89.610fbc1c75 extracted the canonical planner but left this small app copy.checkFile.op-download-spec::duplicate-gap-key-refresh-case; proposed.9b448133…; B15; f672d40f8a0a056bb1d24de50f996df8875644cb2fba703f56447b3e4217d673.operation-log-download.service.spec.ts:1522-1604
thoroughly proves refresh/retry for an encryption-key gap. The case at
:1606-1660 repeats the same branch with fewer assertions. The distinct
disabled-to-enabled transition at :1710-1772 covers another state and must
remain.035fe0a95f; the weaker lineage is
68a268c18d.checkFile.op-download-spec::repeated-server-operation-literals; proposed.9b448133…; B15; c6bba020fb15f9048a08cf71bf26f517356aba2f2bf2a671560034e7c5cc295c.operation-log-download.service.spec.ts:119-1758
repeats server-operation literals with 38 serverSeq, 37 task-shaped
payloads, and 38 schemaVersion assignments around the same required base
fields.checkFile.immediate-upload-spec::wall-clock-debounce-failure; proposed.9b448133…; B16; 6df55bc133102b81dddc43f69604cd8cac330b8779f0c2c9123755409c68a6dd.immediate-upload.service.ts:22 defines a 2,000 ms
debounce. immediate-upload.service.spec.ts:325-338 waits only 150 ms before
asserting failure behavior, so the upload branch cannot have run under the
production delay.c379a8a2ab, b38f38098a, and 77f83c56878.checkFile.op-upload-service::unused-result-reexports; proposed.9b448133…; B16; ee4049d19a6a387d8cf7da47c7cfcf9d0eb67e3602fa212df33d6f37a1c55db8.operation-log-upload.service.ts:48-53 re-exports upload
result types whose canonical declarations/exports are
core/types/sync-results.types.ts:7-15,112-188. Repository-wide import and
export closure finds no consumer through the service file.ea04ee5f81
left the compatibility re-exports during type consolidation.checkFile.op-upload-spec::full-state-retry-case-copies; proposed.9b448133…; B16; d9472214d3b31328574d3aa852c3a370d4d7c419629a52bcdce8ebddb6fdf9e2.operation-log-upload.service.spec.ts:1124-1214 repeats
near-identical setup for full-state retryable/non-retryable failures. The
canonical provider classifier matrix already exists at
packages/sync-providers/tests/retryable-upload-error.spec.ts:4-160.bf7db5515e,
e03a4d41bd, and 8005b4ec52; the package now has the canonical matrix.checkFile.write-flush-spec::vacuous-fifo-case; proposed.9b448133…; B16; 926944df713c38399b849e0d2f870a020cc977d90d73375b2e8852e88268f346.operation-write-flush.service.spec.ts:184-214 labels a
FIFO scenario, but its lock spy runs callbacks immediately, so no competing
call is queued and the assertion cannot distinguish FIFO from arbitrary
order. Real service cases at :39-61,94-116,119-181 and operation-lock specs
at :164-188,435-456,737-757 cover flush behavior and actual lock queueing.ef40c7ba6a introduced the service case despite FIFO already
belonging to the lock.checkFile.upload-logging::raw-provider-error-content; proposed.9b448133…; B16; 466640e8678c7b432f94cc5ffb95d847d734288ff16bd234a7e1e9db6c6b2075.operation-log-upload.service.ts:318,333 logs
result.error, :444,789 logs err.message, and :566 logs a raw rejection;
immediate-upload.service.ts:380-384 logs the caught object. core/log.ts:1-3, 54-71,123-158,238-280 shows app logs are retained/exportable. Provider
contracts allow arbitrary error text at
packages/sync-providers/src/provider.types.ts:112-119,152-160.packages/sync-providers/src/log/error-meta.ts:34-48 pattern.
Do not alter thrown errors or UI messages.526afbaf, 016e680c, 8bf0568f, and ec2d2057
introduced raw logging; faa9434a6a and dc66b235a6 establish the newer
allowlisted metadata precedent.checkFile.journal-outcome-emission::parallel-lww-and-merged-hooks; proposed.9b448133…; B19; 347137abaa4e681acbd7ffedf6e869cb880a8bd59804372ea1eff1da8708b22b.conflict-resolution.service.ts:1723-1729,2287-2314, 2467-2495 uses _journalResolution for ordinary LWW outcomes and
_journalMergedResolution for successful disjoint merges. Both build the same
classification input, call the same journal service, and contain the same
observe-only failure swallowing. Direct hook tests occur at
conflict-resolution.service.spec.ts:4802-4887,4900-4909._journalResolution(plan, winnerOverride?); ordinary calls use
plan.winner, successful merges pass 'merged'. Keep each call at its
existing post-persist/post-reducer location and one generic never-throw catch.merged/disjoint-merge/info
output. Failed append/apply/merge paths must never be recorded as successful,
and journal failures must never change conflict resolution.rg finds two production call sites and private-test
spies only. git log -L traces both hooks to 962c5bbeb1, where they were
introduced together.#8937;
no exact hook-deduplication candidate exists.checkFile on modified TypeScript.journal-review-lifecycle::reserved-expired-never-emitted; proposed.9b448133…; B19; 6325c39d8d11179863d4ca5089211064381e0e91ed3f22ceb389b9bb545f8fe7.conflict-journal.model.ts:46-59 reserves expired in
ConflictJournalStatus; sync-conflict-review.util.ts:149-158 maps it to an
informational label. Exact repository search finds no constructor,
transition, write, fixture, documentation contract, or translation that
emits the value; retention physically deletes old records.unreviewed, kept, flipped, and info. Records are device-local
IndexedDB v1 values; status is not synced or exported as an app data format.expired from the union
and STATUS_KEYS; retain age/count pruning and the mapper's runtime fallback
for an unexpected persisted string.rg "expired|status: 'expired'|markExpired" closes
on the model and mapper only. aaad592c46, 2d8343fb64, and the squash
962c5bbeb1 show it began as speculative reserved state without a transition.checkFile on both files.journal-test-data::five-inline-entry-builders; proposed.9b448133…; B19; 12062b44ba39db345d4f80a4bd447ad2e6b6fae28a27f1fa849295b1bc9bab89.conflict-journal.service.spec.ts:16-31,
sync-conflict-banner.service.spec.ts:15-30,
sync-conflict-review.util.spec.ts:14-29,
sync-conflict-ui.service.spec.ts:18-41, and
pages/sync-conflicts-page/sync-conflicts-page.component.spec.ts:12-34.src/app/op-log/testing/ with explicit overrides. Keep thin
local wrappers only where a component's defaults carry meaning.962c5bbeb1, and no shared journal fixture exists.checkFile on helper/specs.mobile-conflict-dialog-layout::copied-local-ng-deep-overrides; proposed,
investigate before admission.9b448133…; B19; 1699fb0e75c5a58e8c432145d0a7ab2212f530ca5c5577bfdf391f65a9e94632.imex/sync/dialog-sync-conflict/dialog-sync-conflict.component.scss:74-90
and
op-log/sync/dialog-sync-import-conflict/dialog-sync-import-conflict.component.scss:87-102
contain the same mobile padding/max-width/overflow block. Their
mat-dialog-content elements are at HTML lines 3 and 10; shared Material
rules already live in src/styles/components/_overwrite-material.scss:89-124.:host descendant even though the Material container is an
ancestor; the content selector is the effective portion.mat-dialog-content elements, put its xs-only rule in the shared Material
style layer, and delete the two local ::ng-deep blocks. Reuse the existing
global overlay-panel width rule.b0cb36eebb, copy f9620d4f37, and token conversion 114e5067a1.#8936; it may cover
older non-journal dialog behavior but not necessarily this duplication.checkFile for every
modified HTML/SCSS file.vector-clock-service::unused-get-full-vector-clock; proposed.9b448133…; B20; 4b249c444af44656f30e6f3352732b86bfcb3b61d4a0f042e4c56ced29aa8f8b.vector-clock.service.ts:84-109 defines
getFullVectorClock(). Exact repository, DI-string, integration, and
serialized-name closure finds only its four direct tests at
vector-clock.service.spec.ts:301-378. The live getCurrentVectorClock() at
:58-82 owns authoritative-store lookup with snapshot-plus-tail fallback.allOpClocks through OperationLogSyncService. The method
is an internal Angular service API, not a plugin, package, persisted, or wire
contract.getFullVectorClock() and its four direct tests.allOpClocks,
authoritative persistence, pruning, and every serialized clock shape. Repeat
external/deep-path closure before implementation.ef0a84f290
introduced it during sequence-zero recovery, but no call followed. Unmerged
branch pr-8588, commit ebd612200f, independently deletes the same method
and tests; it is not an ancestor of frozen HEAD.checkFile on both files.sync-import-filter-tests::classifier-vs-orchestration-ownership; proposed.9b448133…; B20; 48799add0f5569e1909f8ad2cc6491c29f2fe3c1c785d04a2653c47bf398224c.sync-import-filter.service.spec.ts:442-1004,1441-2305,2314-2860 and an unused
getLatestFullStateOp spy at :35-40; production calls only
getLatestFullStateOpEntry. Canonical classification is
packages/sync-core/src/sync-import-filter.ts:1-67, with 16 focused cases in
packages/sync-core/tests/sync-import-filter.spec.ts; the app delegates once
at sync-import-filter.service.ts:177.>,
different-client import-counter >=, zero/empty edges, causal REPAIR prefix,
legacy concurrent prefix replay, suffix order, and local conflict-dialog
semantics.ba838eccf6 extracted and tested the pure
classifier without consolidating the app suite. cfc6749197 removed the old
pruning heuristic; e92eb79db7 and 329da9b9f3 define current counter and
REPAIR behavior.checkFile.vector-clock-pruning-tests::removed-heuristic-replica; proposed.9b448133…; B20; 914ebbc98922f2b1fd51bd7d6a1447b5a95342eee3acca42888908e3c9bf0b64.testing/integration/vector-clock-import-reset.integration.spec.ts:24-39
locally reimplements removed isLikelyPruningArtifact; :492-602 tests only
that copy. Production deleted the heuristic in cfc6749197. Actual client
scenarios at :280-490,604-887 cover current reset/counter/MAX/lifecycle and
second-round convergence. e2e/tests/sync/supersync-vector-clock-pruning.spec.ts:13-35
says import-client IDs are protected while acknowledging it cannot trigger
pruning; the executable cases actually cover post-import convergence.791022b2dd; current
mechanism arrived in e92eb79db7, and cfc6749197 removed production's old
heuristic without its test copy.checkFile on both specs.
E2E execution is optional because only its description changes.vector-clock-docs::current-atomic-reset-and-filter-lifecycle;
already-tracked.9b448133…; B20; 559f53cd669a0af4cde6ae57e9b6babc0d100d19124d63f015ca51a26eb8f117.docs/sync-and-op-log/vector-clocks.md:80 describes a
separate remote clock write although
operation-log-store.service.ts:1160-1249 commits reducers and clocks
atomically. Doc lines 118-120,355 describe full import-clock replacement,
while calculateRemoteClockMerge() at store lines 185-224 performs minimal
import/current-client reset plus suffix merge/prune. Lines 147-160 omit the
remote checkpoint path; :172 omits multi-entity arrays; :250-256,353 omit
counter exceptions/REPAIR order and mention the removed heuristic; :107,377
name obsolete server owners. sync-import-filter.service.ts:53-67 also says
“no exceptions” immediately before documenting exceptions.48924428c6/29541951a3;
atomic remote checkpointing arrived in bdb0fef9a9.#8760/#8962; do not create a duplicate generic docs item.checkFile if service JSDoc changes.full-state-meta::derived-latest-after-status-aware-reader; proposed.9b448133…; B21; fa03f9eddcde7e8e31a0179254231784b6ce10f5d98cc43bb585bf147758d5cb.persistence/full-state-ops-meta.ts:18-50 defines,
derives, and writes FullStateOpsMetaEntry.latest. Runtime normalization at
operation-log-store.service.ts:544-570 reads only refs; active/rejected
lookup sorts refs by durable sequence at :1408-1444. Exact search finds no
runtime read of meta.latest or getLatestFullStateRef.
db-upgrade.ts:51-66 writes the shared shape,
db-upgrade.spec.ts:292-299 is the only raw-shape assertion, and store lines
2810-2816 retain stale “latest is derived” prose.SUP_OPS.meta[full_state_ops] is a derived local IndexedDB/SQLite acceleration
index. refs is load-bearing for active and rejected lookup, cleanup,
rebuild, replacement, and backend parity. latest was an O(1) selector before
status-aware lookup made it insufficient.latest and
getLatestFullStateRef, make buildFullStateOpsMeta return a copied refs
array only, update stale prose and the v7 raw-shape expectation, and add no
migration or rewrite.latest; frozen pre-329da9b9f3 readers normalize refs through their
own builder before consulting it, so refs-only rows are backward-readable.
Preserve ref copying/validation/order, active and rejected barriers, stale-ref
rebuild, v7 compact o and historical opType seeding, transactional updates,
malformed-row rebuild, and SQLite parity..latest search close on the helper, raw assertion,
and stale prose. 807d3bf5e5 introduced the cache; 329da9b9f3 introduced
status-aware ref scanning. Its parent version proves old readers re-derived
the pointer from refs.checkFile on the five
touched source/spec files.snapshot-upload::obsolete-low-level-public-facade; proposed.9b448133…; B21; d7ba24b8fa791ed8c3106c64a0797d5bbce467e182c604a9caa7fbdb396cff0e.snapshot-upload.service.ts:34-49 exports
SnapshotUploadData/Result; :83-200 exposes four low-level helpers. Exact
and computed-property search finds no caller of
getValidatedSuperSyncProvider, gatherSnapshotData, uploadSnapshot, or
updateLastServerSeq outside the service/spec. The only production callers
invoke deleteAndReuploadWithNewEncryption at
supersync-encryption-toggle.service.ts:64-68,113-117 and
import-encryption-handler.service.ts:130-135, await it, and discard the
value. Yet snapshot lines 217,310 return existingCfg plus upload result,
and spec lines 158-297,500-507 test obsolete seams directly.Promise<void>; remove its dead result and make caller spies resolve void.
Reframe direct helper tests through the public workflow without dropping
unique safety assertions.0d2538fc53
explains the original multi-caller mechanics; 49bf056ee0 consolidated them
behind the high-level workflow but left the facade/result. Security/race fixes
63253f8e0c and bd67174863 attach to that workflow and remain.checkFile.conflict-service::post-extraction-helper-facades-and-copy-tests; proposed.9b448133…; B18; 5017c79d17b2a1876510575b8b86c3174800efad28360e15fb59be3528c0be50.conflict-resolution.service.ts:786-800 exposes unused
isIdenticalConflict and dead _deepEqual; :3542-3562 contains dead
_extractEntityFromPayload/_extractUpdateChanges; :3703,3714,3783, 3798-3868 routes one call each through _buildEntityFrontier,
_adjustForClockCorruption, and _suggestResolution. Exact repository search
finds no runtime consumer of the first four and only those single call sites
for the latter three. App copy tests occupy
conflict-resolution.service.spec.ts:210-435,5131-5356,6928-7018,7089-7292.
Canonical helper tests are in
packages/sync-core/tests/conflict-resolution.spec.ts:63-188,731-853, 1184-1318.devError inputs, track corruption-escalated conflict objects for journal
classification, and use the results in actual detection/resolution._checkEntityForConflict; delete exhaustive app copies of core algorithm
matrices. Retain or add one app-boundary characterization for registry key
resolution, corruption escalation plus journal tagging, and suggested
resolution wiring.onPotentialCorruption: devError, exact frontier context, comparison values,
WeakSet identity/tagging, suggestion values, payload keys, and never change
conflict detection or LWW planning. Core tests remain exhaustive; app tests
must fail if adapter arguments or call order are wrong.4d632aba3b introduced identical-conflict app tests;
172fe1a49c, cd0d8f5cb9, a977fa2fbe, and e0bff64b34 accumulated helper
suites. d0b5771a47 extracted canonical conflict helpers/tests to sync-core
but deliberately left app service integration, after which copies remained.#8937 is
broader and not a substitute.checkFile on service/spec.any algorithm tests.conflict-service-spec::duplicate-archive-wins-block; proposed.9b448133…; B18; 4426941ec78504a8f4029eecf6d56b575d1a6c8d154bc9cdb134ebc55aa21a79.conflict-resolution.service.spec.ts:5557-5903 covers remote archive versus
local update, local archive versus remote update, replacement clock/payload/
footprint, mixed local ops, archive versus delete, both-archive behavior, and
multi-conflict resurrection prevention. The later archive-wins rule block
at :6051-6195 repeats only local archive/remote update, remote archive/local
update, and local archive/remote delete with fewer assertions.cba5ba3f12; the stronger block includes
later archive safety fixes such as 27cb18b85a.checkFile.conflict-service-spec::generic-entity-smokes-vs-registry-branches; proposed.9b448133…; B18; 46b4f57c7b9ed5566837f75bcf527ec4b238bab306a696df58c848fd8eae2047.conflict-resolution.service.spec.ts:3722-3988 builds
large one-off LWW conflicts for GLOBAL_CONFIG, PLANNER, BOARD, REMINDER, and
PLUGIN_USER_DATA. The generic resolver does not branch on those names, and
the remote-winning PLANNER/REMINDER/PLUGIN cases never call
getCurrentEntityState; therefore the PLUGIN test's comment claiming it
proves the registry's array branch is false. Actual storage-pattern branches
are conflict-resolution.service.ts:3585-3643; the only focused state lookup
case is the ISSUE_PROVIDER selector-factory test at spec :181-208.GLOBAL_CONFIG), map (PLANNER), keyed-array (BOARD), and
state-is-array (REMINDER, PLUGIN_USER_DATA) lookup shapes. Generic LWW
winner planning is already covered independently.getCurrentEntityState, one row per
storage branch and an explicit PLUGIN_USER_DATA regression row. Keep the
mixed-entity atomic batch test at :3989-4067 separate.4d96c8ffff;
plugin cases were strengthened in 196e50b906/92947d4acb but remained on a
remote-winner path that never exercises the branch they describe.checkFile.conflict-service-spec::clock-skew-case-copies; proposed.9b448133…; B18; 03b18695137abbf385014b39ffb1ee136f87ea84feb76d14494dd9863562bd67.conflict-resolution.service.spec.ts:5357-5556 repeats
full setup for far-future, far-past, zero, negative, and two exact-timestamp
tie directions. Canonical LWW planning and both stable client-ID tie
directions are covered at
packages/sync-core/tests/conflict-resolution.spec.ts:494-603.#9035 requires both devices to choose the
same physical client.936f374bde; stable client-ID tie behavior was later fixed in
9132ab6722, so those two cases are deliberately retained.checkFile.supersync-encryption::ui-hidden-disable-rejected-by-mandatory-guard;
proposed.9b448133…; B22; d27e6079df3c9b422ed82b7414ed09f2ff79496b9c78c05b3685be64d6adc20f.sync-form.const.ts:489-515 hides disable for SuperSync
and calls only openDisableEncryptionDialogForFileBased.
encryption-password-dialog-opener.service.ts exposes disable only for
file-based providers, and
dialog-change-encryption-password.component.html renders removal only when
provider type is not SuperSync. Yet its TypeScript :145-154 keeps a
SuperSync branch/injection, supersync-encryption-toggle.service.ts:100-144
keeps disableEncryption, and snapshot upload :252-265 rejects plaintext
mandatory-encryption providers before deletion while calling future disable
wiring currently UI-unreachable.3ef23354e4 with mandatory encryption, gained revert handling in
49d24bfec0, and was later made impossible by the plaintext guard.checkFile; later scheduled SuperSync setup/password-change E2E.import-encryption::generic-bidirectional-state-for-one-way-enable;
proposed.9b448133…; B22; 028ce40baee350b88628324a16b8087839d57d989ed770e6eb1780138aa53d12.import-encryption-handler.service.ts:95-98 defines
willChange = !currentEnabled && importedEnabled, making its later
current-enabled/imported-disabled branch at :178-184 unreachable.
currentHasKey/importedHasKey have no production consumer. The public helper
accepts importedData it never uses, exposes a false/disable mode rejected by
mandatory snapshot upload, and returns status booleans consumed only by tests;
file-imex.component.ts:243-250 reads only .error. Its catch also always
reports serverDataDeleted: false, although upload may throw after deletion
or config update. The warning dialog's isDisablingEncryption branch is
unreachable for the same reason.{error?: string} result; remove unused key flags, parameter, disable branch,
unreliable booleans, disabling warning UI, and direct tests of those states..error is
observed. The generic surface came from 76defad7325; one-way mandatory
behavior was formalized in a4dee9d5f7 without closing old branches.checkFile on every touched file.sync-json-errors::raw-decrypted-data-sample; proposed.9b448133…; B22; c8dabc4170d690333bbdce075355313c963255a4be331c5f946577a6f1ee1bc7.core/errors/sync-errors.ts:241-266 stores enumerable
dataSample containing roughly 100 characters around a JSON parse position.
encrypt-and-compress-handler.service.ts:140-145 passes post-decrypt/
post-decompress outStr, which is user data. Repository closure finds only
the definition and direct tests, no runtime consumer. SyncWrapperService
passes the caught error to SyncLog.err before its JsonParseError branch, so
export exposure is plausible depending on serializer; that exposure is an
inference because the serializer was outside this run's 60-file closure.dataSample and the
constructor's dataStr parameter; pass only the original parse error and
preserve position/safe message/name. Replace sample tests with absence-of-
content assertions using sentinel user data.dataSample closure is test-only. It was
introduced in 7496b2dd60, before log-redaction work 5772b3416c.checkFile on touched files.oauth-dialog::reverted-native-ui-branch; proposed.9b448133…; B23; 70346857f0ae13dede78a158b7b5ff33d37c46e8b30fa44fffbb804b592c4a35.dialog-get-and-enter-auth-code.component.ts:24,47,64-80 hardcodes
isNativePlatform to false, so the manual branch always renders and the
native spinner/waiting branch in the template at :6-89 never renders. The
two native translations at t.const.ts:1299,1304 and en.json:1276,1281
have no other consumers.40b18c4693 added mobile deep-link UI;
ec847ce897 deliberately returned mobile to manual entry; 01e30b9c7e
records app-kill/PKCE and redirect-registration constraints but left the
obsolete UI.checkFile for touched files.wrapped-provider-cache::dead-manual-clear; proposed.9b448133…; B23; 0775f964ea53800d79f5c08c30c7628ea8dcf2e72cc309f324acc00f6c8f25d7.wrapped-provider.service.ts:167-175 defines
clearCache(). Repository-wide exact closure finds only its declaration,
JSDoc, and direct spec at :276-295. Configuration changes already invalidate
the cache through providerConfigChanged$ at service :49-58, proved by the
spec at :297-315.clearCache(), its test,
and manual-invalidation wording from the class comment.28fd19209f introduced the method; it became
redundant after 49bf056ee0. Non-ancestor pr-8588 commit ebd612200f
independently removes exactly this method/test; do not import its wider
refactor.checkFile.credential-store::unused-app-change-callback; proposed.9b448133…; B23; f0131262b478b710a60bb180520a49036766a7c0bc9cdd83f05fad4b5922dda1.CredentialChangeCallback|onConfigChange closure
finds no production registration or call for
credential-store.service.ts:34-38,67,73-78,308-314; only its direct spec at
:88-99 and a no-op integration mock member at :50-58 exercise it.db990b7018; a97a15457b later copied it to an optional package port, but no
app consumer was added.checkFile.provider-host-logging::credential-and-callback-values; proposed.9b448133…; B23; 77734fe3b1b29989be623210544f8ddb7b88bd002cc59e015299677ff05fc4b2.sync-config.service.ts:32-66,264-268 uses a recursive
denylist that still logs baseUrl, serverUrl, syncFolderPath, OneDrive
clientId/tenantId, and future fields by default. OAuth logging at
oauth-callback-handler.service.ts:63-68,94-98,139,169-177 records provider-
controlled descriptions/text and, on parse failure, the callback URL with
code/state. Credential diagnostics at
credential-store.service.ts:112-129,293-304 export password/key length.
core/log.ts:115-149,236-280 confirms logs are retained and exportable.6470725eaf, 3ef23354e4,
and 74ce49428f; OAuth raw values came from 40b18c4693/02bc3e88e3;
key-length instrumentation came from incident commit ee58cc3acf.sync-docs::duplicated-stale-provider-comparison; proposed, dependent on C7.9b448133…; B23; a9c34f94415eb9477d810aaf6406b5ce85ddbe4f4fa7bcdaf46ad3fc78deac4f.diagrams/07-supersync-vs-file-based.md claims server
operations live forever, file sync retains 200 ops, late SuperSync clients
replay everything, and HTTP 409 means a generic sequence gap. Current code
instead has 45-day retention with snapshot-covered cleanup, cached server
snapshots, MAX_RECENT_OPS = 2000, optional split sync-ops.json/
sync-state.json format with compatibility tombstones, and 409
SYNC_IMPORT_EXISTS semantics. The 395-line file is linked only by the
diagrams README and also recommends team workflows outside product scope.9f0adbb95c and expanded in
9605177fc0, both before current snapshot, retention, and split-file work.dropbox-token-refresh::duplicated-provider-wrapper; proposed.9b448133…; B26; 4eef3ba2fb0ca2cdb0954c622d9565f19c3f11db71caf53e2b4c14693aa4591e.file-based/dropbox/dropbox.ts:134-294 wrap DropboxApi calls in
_withTokenRefresh(). The API already owns the same one-retry policy for
native and web requests at dropbox-api.ts:643-649,776-783. After that retry,
_handleErrorResponse() converts a second 401 to AuthFailSPError at
:849-860; the provider's response-shaped _isTokenError() at :392-399
therefore cannot observe it. Focused API specs at :236-286,748-785 pin the
refresh and terminal-auth behavior; no provider-level test exercises the
second wrapper.DropboxApi loads tokens,
refreshes once, retries once, clears invalid refresh credentials, and
normalizes the final failure. The provider adapts revisions/data to the
generic file-provider interface._withTokenRefresh(), _isTokenError(), and
the two token-summary constants. Keep caller-specific data/path handling.AuthFailSPError, token
clearing, CAS, and file-not-found behavior. A regression could duplicate a
write if either owner retries more than once, so verify invocation counts.5089b8d987/087b9dd43f consolidated an older
recursive provider retry into the bounded wrapper but did not remove the API
layer that already refreshes and normalizes 401s.checkFile.dropbox-metadata::unused-sdk-contract; proposed, subject to C1.9b448133…; B26; c07b640a1538738f5dad4f7a541677f4b6e4358e1a6e9c5fea8386256d8c1c8c.dropbox.model.ts defines 101 lines of copied SDK
metadata. Exact repository closure finds DropboxFileMetadata only in that
file, dropbox-api.ts, and the /dropbox barrel export. Runtime consumers
read only meta.rev at provider :174,191 and result.rev/result.size at API
:270,277; tests assert only revision and upload-size behavior. No app,
server, test, tool, or package consumer imports the public metadata type.rev and size, remove the copied model and unused public
barrel export, and retain runtime response validation.1db67bdc4d and
became a tiered export in 00098f52fb; exact current closure proves no
repository consumer.checkFile.dropbox-dead-code::check-user-and-file-path-constants; proposed.9b448133…; B26; b79aa133d567808212c8388d0dcdf11744a734830421c275a6ddb5631c6ecc7b.DropboxApi.checkUser()
only at its declaration (dropbox-api.ts:318-335). DROPBOX_APP_FOLDER,
DROPBOX_SYNC_MAIN_FILE_PATH, and DROPBOX_SYNC_ARCHIVE_FILE_PATH occur only
in dropbox.const.ts:5-8; only DROPBOX_APP_KEY is imported by the live
provider factory. _unusedCfg at dropbox-api.spec.ts:59-60 is the sole use
of that spec's DropboxCfg import and exercises no behavior.basePath.checkUser(), the three
dead path constants plus their now-unused environment import/prefix, and the
no-op compile fixture/type import.basePath, live file-prefix generation, token readiness, or wire paths.checkUser() moved with the provider in
1db67bdc4d; the path constants date to 0a889cb506 and were left behind by
later file-adapter routing.checkFile.dropbox-oauth::impossible-null-result; proposed.9b448133…; B26; 4ed2b1b58a0a3ec90c010e407169673f53273c5a19a741d562127e8590387035.DropboxApi.getTokensFromAuthCode() declares an object-
or-null result at dropbox-api.ts:458-466, but every success branch returns
the token object at :548-553 and every failure throws at :554-562.
Consequently the provider guard/error at dropbox.ts:341-344 is unreachable.
Focused web/native specs exercise success and thrown failures but no null.| null from the return
type and delete the impossible caller guard.1db67bdc4d; no null-producing branch exists in current or
historical closure.checkFile.file-envelope::snapshot-ref-rev::write-only-best-effort-pointer; proposed.9b448133…; B24; cf913de82a25563c2f0e4961998ef066590a0b8dda8be5cd3594dc0735dc922a.file-based-sync-data.ts:90-109 exports optional
FileBasedSnapshotRef.rev; file-based.ts:1-10 publishes it. The adapter
captures a forced state upload's revision at
file-based-sync-adapter.service.ts:1460-1488 and writes it during migration
(:1873-1883), compaction (:2141-2160), and snapshot upload
(:2585-2596). Snapshot validation at :1574-1582 compares only
syncVersion and an EQUAL vector clock; exhaustive snapshotRef closure
finds no revision read. Spec values at :3118,3338,3471,3505 are unread
fixtures.sync-ops.json. Actual concurrency control uses
the ops/main-file revision passed to conditional uploadFile; snapshot
identity uses snapshotRef.file, and recovery validates version/clock then
falls back to fixed-state and .bak. The v2 envelope has no such field._writeStateFile await the
forced upload without returning its revision and stop emitting rev in the
three v3 producers. Retain deprecated optional rev? in the public type and
a legacy fixture so existing files and typed consumers remain readable; do
not bump or migrate the format.snapshotRef.file,
syncVersion/vector-clock equality, immutable snapshot-before-ops order,
fixed-state old-client copy, migration/tombstone order, backups,
encryption/prefix checks, conditional ops CAS, mismatch retries, and pending-
revision promotion only after durable apply.eca816a68c introduced optional rev? and the writers without a consumer;
f75346613d later added immutable file pointers but still no reader.rev; assert new
migration, compaction, and snapshot-upload envelopes omit it; rerun snapshot
mismatch/backup, immutable preference, migration crash/race, ops-CAS,
cancellation/pending-baseline, and provider-contract cases; focused tests and
checkFile.file-download-gap::v2-v3-copied-causal-policy; proposed.9b448133…; B24; 4825cc496283c7f4c8d62330636dcb294e5701f0da72d705e872b20d1790862e.oldestOpSyncVersion > sinceSeq + 1, and aggregate gap at adapter
:932-1039; split download repeats it at :2363-2395. Both then stage
baselines (:1041-1046,2397-2399) and return the whole cursorless buffer
(:1048-1100,2401-2432). The parity matrix is repeated in the adapter spec
at :959-1011,1987-2140,2246-2325,3280-3350.gapDetected makes
OperationLogDownloadService reset to sequence zero at :180-250; the v2
embedded state or v3 referenced snapshot is hydrated before the durable
cursor advances. A false negative can omit compacted operations.!!syncData.state for v2
and the mandatory snapshot-ref condition for v3. Preserve EQUAL as the only
cosmetic regression, gap behavior for GREATER_THAN/LESS_THAN/CONCURRENT,
contiguous oldest-op boundary, legacy missing sv, fresh sequence zero, own
empty snapshot, invalid-v3 gap, whole-buffer semantics, and durable-apply
promotion. Do not alter bytes, CAS, migrations, backups, or crash order.7f953aae0f and the
split copy to eca816a68c. The latter duplicated an already-fixed
EQUAL || GREATER_THAN bug; 610ca64894 later repaired only that fork and
documents copy drift as a silent-divergence risk.#8759 track broader god-object
decomposition, not this bounded policy seam. Do not widen into M-13.sinceSeq + 1, missing sv, and sequence zero. Preserve 600-op whole-buffer,
v3 invalid/ref-backup fallback, snapshotAppliedOpIds, cancelled apply, and
file-sync convergence/compaction integrations; focused tests and checkFile.credential-store::unused-clear-and-change-hooks; proposed; merge with
B23-C03 at D1.9b448133…; B30; f86d1f2767ea734ad1895f718750ac19bdf89b60f43f93ef28c3caa51492b93c.credential-store-port.ts:1-13 requires clear() and
optionally exposes onConfigChange(). Exact production closure finds no
clear() call on a credential store and no callback registration. The only
concrete calls are direct app specs at
credential-store.service.spec.ts:88-99,116-127; structural mocks implement
both solely to satisfy the port. The concrete callback field/method/dispatch
are at service :67,73-78,308-314; clear() is at :170-187. Provider-
configuration invalidation already travels through ProviderManager's live
config-change stream, while provider-specific clearAuthCredentials() uses
setComplete() to preserve encryption state and typed secrets.clear(),
CredentialChangeHandler, and onConfigChange() from the package port/barrel;
remove their app implementation, direct tests, and mock members. Coordinate
with B23-C03 rather than landing two overlapping changes.load, setComplete,
updatePartial, upsertPartial, IndexedDB migration/cache, provider-manager
notifications, automatic wrapped-adapter invalidation, and per-provider auth
clearing. Never replace safe token clearing with whole-record deletion.a97a15457b; the app callback originated in 082d363b55. Exact current
direct/dynamic/structural closure finds no production consumer.checkFile.sync-providers-exports::test-only-log-subpath; proposed, subject to C1.9b448133…; B30; 21b9b07314d627c9f8d850aeff38f8e94ad3596fcc2a010308f555ac62b0c905.package.json publishes ./log, tsup.config.ts builds
src/log.ts, and root/spec/Electron tsconfigs map the subpath. Exact import
closure finds no app, Electron, server, E2E, plugin, or other package consumer
of @sp/sync-providers/log. The only test imports the source barrel relatively
(tests/log/error-meta.spec.ts:2); package implementations import the internal
log/error-meta module directly.errorMeta, urlPathOnly,
and urlHostOnly remain internal provider logging helpers with direct tests.
No runtime API or persisted/wire format requires a public log entry point../log package export,
tsup entry, three tsconfig aliases, and one-line src/log.ts; point its test
directly at the internal module.3bb07fc6d0 added the subpath solely when the test
was changed to import built output. 49ac0ca823 later moved that test back to
source but left the export, build entry, and aliases behind.6797e9eed2 previously removed the unused root barrel and
47 unused sync-core exports using the same focused-subpath policy.checkFile for touched TypeScript.provider-auth-helper::redundant-code-verifier-output; proposed, subject to
C1.9b448133…; B30; 1332a9cd374bfcb26bb324809650c31804e00c97c51db60994111c903c88aa6b.SyncProviderAuthHelper.codeVerifier is declared at
provider-types.ts:6-14. Dropbox and OneDrive return it, but both
verifyCodeChallenge closures capture the verifier internally. The sole app
production read is a truthiness gate in sync-wrapper.service.ts:1122-1124;
the value is never passed back or otherwise used. Direct Dropbox tests inspect
it only to infer cache rotation. If verifier generation fails,
getAuthHelper() rejects before returning, so the extra readiness flag cannot
represent a distinct live state.codeVerifier from the
public helper and provider return objects; gate the dialog on authUrl plus
verifyCodeChallenge; assert cache pairing/rotation through generated URLs
and exchange requests rather than exposing verifier bytes.a97a15457b/6797e9eed2; current closure proves it is only a
redundant gate plus direct-test observation.checkFile.provider-tests::retry-classifier-case-tables; proposed for C6.9b448133…; B30; 38eac966b43dd48a255ef7883766f5312b26b17cd50d5fa8f30808ab41081684.native-http-retry.spec.ts repeat the same one-call boolean assertion across
iOS/Android code, fallback-text, and negative inputs. The 161-line
retryable-upload-error.spec.ts repeats the same assertion across retryable
and permanent strings, often several per test. The execution retry/budget/log
cases after native spec line 206 are distinct and should remain imperative.it.each tables with one row per existing input/expected result.
Keep execution-order, delay, call-count, default, and privacy assertions
unchanged; delete the unused NOOP_TEST_LOGGER helper export/comment while in
the test-helper surface.1cbc6335dc, 058f92e972, 24a691bed5, a2509cb8ac, and 54dbc683a8;
the duplication is test syntax, not duplicated production semantics.087b9dd43f already used a
table for error-class identity in the neighboring spec.checkFile.schema-migration-app::dead-alias-and-inspection-api; proposed, subject to
C1.9b448133…; B31; c9bfc97077dd33d622dadf034d1fe27d3f23b98763cfbafa1f5468c24fd02017.schema-migration.service.ts:141-143 retains deprecated
migrateIfNeeded() as a direct alias for migrateStateIfNeeded(), while
:277-285 exposes getMigrations() and imports the registry solely for that
inspection method. Exact repository closure finds both methods only in their
direct service spec at schema-migration.service.spec.ts:52-63,215-222.
The associated SchemaMigration re-export at service :22 has no production
consumer. In contrast, migrateStateIfNeeded, migrateOperation,
migrateOperations, needsMigration, operationNeedsMigration, and
getCurrentVersion all have live app consumers or enforce migration startup
behavior.Operation metadata and startup cache
shape. It must preserve order, split/drop behavior, operation IDs and clocks,
and the current/minimum schema gates.082d363b55; exact direct, barrel, dynamic, test, and structural searches
reproduce that only their defining spec remains.checkFile for touched TypeScript.shared-schema-api::unused-batch-inspection-exports; proposed, subject to C1.9b448133…; B31; 337d8373e0b6799119d16aa5da204b396f9d01b35b15aa1f965aa33d2bce9023.src/index.ts:12-28 publicly exports
MigratableStateCache, migrateOperations, getCurrentSchemaVersion, and
MIGRATIONS. Exact monorepo closure finds getCurrentSchemaVersion() and the
generic batch migrateOperations() only in tests/migrate.spec.ts; the app
uses its own metadata-preserving batch adapter. The shared
MigratableStateCache interface has no consumer, while the app has a distinct
live cache shape with sequence, vector-clock, and compaction metadata. The
public registry is consumed by the app only through B31-C01's test-only
inspection API; migration internals and dedicated migration specs can import
it internally. The generic batch function's droppedCount at
migrate.ts:219-231 is accumulated but absent from the returned result.8dc8207da2 introduced these package conveniences
during extraction. Current direct, barrel, package-alias, dynamic, plugin,
server, app, and test closure finds no live monorepo consumer beyond the
noted tests and B31-C01 surface.6797e9eed2 removed other unused
sync exports, but no exact current issue or implementation covers these
members.checkFile for touched TypeScript.shared-schema-tests::vacuous-mock-and-duplicate-cases; proposed for C6.9b448133…; B31; f8cd87dcfc2ef57ec2edcc45afbb23dc71005fe9ca14c5417edc509169bcd8e2.tests/migrate.spec.ts:120-128,235-243 guards missing-
path/registry assertions behind conditions that are false for the current
complete registry, so those branches execute no expectation. Lines 246-373
instantiate local mock SchemaMigration objects and call their callbacks
directly; they do not pass those mocks through the real registry or migration
engine. The project-delete crossing case at :131-151 duplicates the
dedicated v3→v4 barrier suite, which exercises the actual registered
migration.8dc8207da2; the dedicated project-delete suite was later strengthened in
8e810edbe7 and aa09b09b0a. Static control-flow inspection reproduces the
unreachable expectations.checkFile for the touched spec.local-file::dead-directory-probe-ipc; proposed, subject to C1.9b448133…; B27; 345fcbddb15ae3b223d820a96d3918d9cebc8fce114f042a3ca3791a527c2161.file-adapter.ts:5 declares checkDirExists; Android SAF
implements/tests it at saf-file-adapter.ts:48-52 and spec :127-155.
Electron carries the same method through electronAPI.d.ts:59,102,
preload.ts:60, ipc-events.const.ts:48, and
local-file-sync.ts:232-261 with direct tests at :234-243. Whole-repository
call closure finds declarations, transport plumbing, and those tests only—no
production caller. Renderer readiness instead uses the main-owned
getMainSyncFolderPath() flow.checkDirExists from the
provider port, SAF adapter, Electron API/preload/IPC/handler, and direct tests;
update the stale resolver comment. Preserve list/read/write/delete and folder-
selection behavior.userData rejection, root-cache race protection,
safe IPC errors, and Android permission checks. C1 must confirm no supported
external Electron client invokes the IPC name.552b25074d introduced the active probe;
e4f9a4e2e5 moved it during extraction; 0c21649fde removed the last
provider/factory caller for #8228 but left the plumbing. Non-ancestor
6da578aa8d still retains it and overlaps the Electron handler/spec, so a
future implementation must rebase carefully.#8228 is the
historical caller-removal context, not current cleanup authorization.local-file-sync.test.cjs; checkFile for touched TS.android-saf::unused-check-file-exists-bridge; proposed, subject to C1.9b448133…; B27; 20904d39f607e0b378cda95bc6bc2a6b8799964b36ba765f4b7d86db5eade5b3.saf.service.ts:19-22,42-44,104-116 declares a web stub
and wrapper for checkFileExists; SafBridgePlugin.kt:188-210 implements the
Capacitor method. Exact repository search finds no caller and no direct test.
Live SAF flows use read/write/delete plus permission and folder validation.ea2ca8e622 introduced the complete bridge during
the original SAF outline; Git and current-universe closure find no consumer
since introduction.checkFile for touched TypeScript.onedrive-deps::unused-platform-info; proposed, subject to C1.9b448133…; B27; 2631dabb61f98e01ae45326565690f3625bf3f708c8256a254080c99f4236fdf.onedrive.ts:27 declares platformInfo in
OneDriveDeps; the app factory supplies it at its OneDrive adapter
:9,31, and the package spec mocks it at :40-44. Exact member closure finds
no _deps.platformInfo read in the provider and no behavioral test using its
value.OneDriveDeps supplies the
live fetch, credential-store, logger, OAuth callback, random/crypto, and
environment seams. Platform information has no current branch or payload role.platformInfo from
the exported dependency interface, app factory, and test fixture. Do not
combine it with other nullable client-ID or platform-policy changes.9910d30fca introduced the
dependency field; no later read or rationale appears in history.checkFile.onedrive-app::type-forwarding-shim; proposed.9b448133…; B27; f06beefb69d4812494c6a7ab347da48d70f92a6e9c12d7eb12f18f65f67c71ef.onedrive.model.ts:1-6 only reexports package types.
Its only live type is OneDrivePrivateCfg, imported by the app OneDrive spec
and sync-config dialog; the forwarded OneDriveItem, OneDriveListResponse,
and OneDriveTokenResponse have no app consumer. The app factory's additional
type reexport at onedrive.ts:24 also has no consumer.OneDrivePrivateCfg
directly from @sp/sync-providers/onedrive, delete the forwarding file and
unused factory reexport. Leave the package barrel and runtime behavior alone.9910d30fca created the forwarding layers during
extraction; exact direct/barrel/import closure finds no later consumer.checkFile.onedrive-errors::unreachable-and-pass-through-branches; proposed.9b448133…; B27; df19836bce1cd765769a919ddb048241e71c0d6c9d7709affe13bd4f92c62c68.onedrive.ts:177,205,247 has fallback throws
immediately after _mapAndThrow(...): never; branches at :778-783 rethrow
RemoteFileNotFoundAPIError and AuthFailSPError identically to the final
throw error at :803. The parsed Graph message fields at :741,847 are
never read; mapping consumes only code.9910d30fca; exact
control-flow/member closure finds no distinct side effect or later rationale.checkFile.webdav-upload-verify::caller-cache-header-duplicates-platform-adapter;
proposed; sync-critical.9b448133…; B25; da2265c4d825cc452da0b950b60e978b902fbf2ca7ff247a31c3518255525ae1.webdav-api.ts:350-387, specifically :355-361, adds
Cache-Control: no-cache only to the post-upload verification GET.
webdav-http-adapter.ts:45-62 explicitly makes cache policy an adapter
responsibility because caller Cache-Control is not CORS-safelisted. Native
requests overwrite it with no-cache, no-store plus Pragma at :92-111;
browser/Electron requests use fetch cache: 'no-store' at :117-131.
Adapter specs pin both platform policies at :67-115._verifyUpload() re-GETs
the just-written file, rejects empty/HTML responses, hashes the content, and
returns the verified revision. Its only caller is upload() at API :331.headers
object at API :358-360; keep the verification GET and every validation/hash
check. The platform adapter remains the sole freshness owner.cache: 'no-store' while an avoidable non-safelisted header disappears.
Preserve strong-ETag If-Match, create-only If-None-Match: *, hash fallback,
PUT→GET verification, 412 mapping, and mismatch retry. Stale verification can
lose data, so two fresh reviewers remain mandatory despite the tiny diff.e571cc2433 added the explicit verification header
before 5aea4b0143 centralized native headers and browser cache mode; the
later change left this earlier caller override behind.checkFile; focused rapid/conflict WebDAV E2E. Two fresh sync/provider
reviewers must independently check proxy freshness and CORS behavior.webdav-read-surface::unused-listing-metadata-dom-parser; decision-required,
subject to C1.9b448133…; B25; 7722334603a43ce752dd7bd3059b4c4eeeb737c584e0ef380553d7d3d93aa4ad.webdav-base-provider.ts:181-185; internal listing/metadata live at
webdav-api.ts:80-163; structural DOM types/traversal and multi-property
parsers are webdav-xml-parser.ts:4-115,187-320. Exact repository closure
finds no production invocation of WebDAV listFiles() and no call to
getFileMeta(). parseMultiplePropsFromXml is then used only by those two
methods and direct specs; DOMParser/@xmldom is used only by this parser and
tests/setup-dom-parser.ts. Live sync reads GET bodies/content hashes.WebdavBaseProvider and Webdav are public
through the /webdav package subpath, so their concrete listFiles() method
is observable to an external package consumer. The generic optional
FileSyncProvider.listFiles remains live for other providers and Android SAF.getFileMeta, structural response parser/
FileMeta, their direct tests, and the then-unused DOMParser test setup and
package-local dependency. Keep PROPFIND_XML for connection probing and keep
response-content validation for download/upload verification.RemoteFileNotFoundAPIError, but API :113-120 catches only
HttpNotOkAPIError(404).553f944c39 added listFiles() during a compile
repair. 946339a035 replaced header/PROPFIND revision tracking with content
hashing and reduced metadata use but left listing. 087b9dd43f deliberately
kept generic listing optional.webdav-http-status::reintroduced-conditional-download-304-path; proposed.9b448133…; B25; ca0d1102745af6675c6e511ff5adb1462e878a3b13827b8769f2d7c070d806e9.webdav-http-adapter.ts:296-323 uniquely passes status
304 through; webdav.const.ts:4-17 defines NOT_MODIFIED, used only by that
branch and its direct spec at :165-181. No read sends If-None-Match or
If-Modified-Since; the remaining IF_NONE_MATCH is PUT create-only at
webdav-api.ts:260. CREATED, NO_CONTENT, and CONTENT_LENGTH occur only
at their declarations.HttpNotOkAPIError path, using a null-body Response because platform
constructors forbid bodies for status 304; delete the pass-through test and
occurrence-one constants. Do not alter supported 2xx handling.TypeError.c9e6bba64a explicitly removed conditional request
parameters and 304 handling; 914122f134 reintroduced the adapter branch and
constant during package extraction without a read validator.TypeError; all adapter/
API specs, package test/build/typecheck, and checkFile.entity-registry-lint::unreachable-registry-check; already-tracked; merge
with B01-C01 at D1.9b448133…; B37; 6e522a8a7756292a27892c422e5ce1faa4f54345217213b3fec5ab5732044641.require-entity-registry.js:135-166 can check completeness
only when a variable named ENTITY_CONFIGS is initialized directly with an
object literal. The real registry is ENTITY_CONFIGS = buildEntityRegistry()
at entity-registry.ts:350, so that branch cannot inspect it. ESLint scopes
the rule only to **/*.effects.ts at eslint.config.js:214-225, excluding the
registry file entirely. Exact effects-file search finds no literal
entityType properties or entity-type switch cases for its remaining typo
visitors. The 224-line rule has no spec.ALL, RECOVERY, and MIGRATION.
Removing it without the B01 replacement would reduce false confidence but not
improve enforcement, so D1 should merge the candidates.58372626f1 introduced the rule with the registry;
19796204f30 later placed it in the effects-only block. Current control-flow,
scope, and literal-use searches reproduce that it reports nothing relevant.#8752 already tracks the dead rule; B01-C01 provides
the bounded compile-time replacement.checkFile on
changed TypeScript.root-dependencies::orphaned-patch-package; already-tracked.9b448133…; B37; 7e60582b3b1566b3b227b00cc6f53927c5d4ce902592d68ff6ebd3cc4e9977d3.package.json:25,301 runs and depends on
patch-package, while no patches/ directory exists. Exact repository search
finds no other invocation. The package and its dependency tree remain in
package-lock.json:22255-22375, so every install executes an empty hook and
installs unused tooling.postinstall script,
root dev dependency, and regenerated lockfile entries. Do not add a replacement
hook or retain an empty placeholder for hypothetical future patches.prepare where intended; a hidden/untracked local patch is not repository
behavior and must not justify a permanent dependency.5497212b99 added the tool for one Android patch;
c247bc541a removed that last patch after it caused device behavior regressions
but left the hook and dependency.#8843 already tracks this
exact cleanup.npm ci, prepare/package builds, Android dependency resolution, root
lint/tests, and diff the installed lifecycle output.#8843.root-dependencies::ignored-yarn-resolutions; already-tracked.9b448133…; B37; f379548b02339855ad92ed781639a854321abddf082ef8613146896a724661c3.package.json:177-180 declares Yarn-style resolutions
for Sass 1.32.6 and @ctrl/tinycolor 4.1.0, while the repository declares
packageManager: [email protected] and uses npm overrides at :320-343 for live
constraints. The npm lock installs Sass 1.97.3 and top-level tinycolor 4.2.0,
directly proving the two resolutions do not control this installation.resolutions object.resolutions object. Do not translate stale pins into live npm overrides
without a separately reproduced compatibility need.#8843 includes this exact
dead configuration.ci-e2e-setup::main-job-copy; proposed.9b448133…; B37; 01316455324c4280dfe4ac34f3b5b389f56e832909f60a978a12f3f0e2bd8167.ci.yml:81-109 manually repeats Node 22 setup, Git HTTPS
rewriting, npm-cache discovery/action, npm i, and Playwright browser/system-
dependency installation. .github/actions/setup-e2e/action.yml:1-55 owns the
same sequence, cache keys, and purpose, adds bounded retry for Prisma download
failures, and is already used seven times by scheduled and PR sync workflows.
The main CI test job still predates that composite action.ci.yml.uses: ./.github/actions/setup-e2e. Do not create
another workflow or generalize Electron/release setup.9a22232e597; the reusable
action was introduced days later by c0387f12d2 and hardened in
7eeea37b7a, but the older job was never migrated.supersync-validation::double-validator-adapter; proposed.9b448133…; B28; 581287a4719da627e9d8aec1c005d81482323f314dbd3d78e7db514ea1962f1e.response-validators.ts:41-130 owns schema parsing and
exports six validator functions. App factory super-sync.ts:14-21,54-61
imports all six, renames every member, and reconstructs the exact six-member
SuperSyncResponseValidators port declared at package
response-validators.ts:9-27. Exact import/name closure finds only that
factory and the co-located validator spec as app-wrapper consumers.SUPER_SYNC_RESPONSE_VALIDATORS object typed as the package port and pass it
directly. Keep parseResponse and the six schema-specific functions private;
do not move shared-schema across the package boundary.InvalidDataSPError identity/detail, passthrough field, and deliberate
snapshotState stripping. A missing member would weaken a sync input boundary,
so the typed object and focused invalid-response cases remain required.c40feef6d2 introduced the validator port during
extraction but retained the older individually named app exports and one-hop
remapping.snapshotState
assertions; app/package typechecks and checkFile.supersync-websocket::intentional-close-duplicate-state; proposed.9b448133…; B28; 86cc9bc836fdb09dc2b698f571fa5c99d5b0861630ba48a6cd6fa3f65aa3336c.super-sync-websocket.service.ts:49-57,78-104,183-216, 255-293 maintains _isIntentionalClose, while disconnect() already nulls
_currentParams, increments _connectGeneration, clears the reconnect timer,
and nulls _ws. Event handlers reject stale sockets by identity;
_scheduleReconnect() and its timer callback separately require current
params.onclose during
disconnect() must be stopped by null params; an async callback is stale after
_ws = null; replaced sockets fail identity; in-flight connects fail
generation. Preserve close-code 4003/4008/4009 policies, backoff/jitter,
heartbeat, and same-params promise sharing. A missed interleaving can reconnect
forever.7fa8f12132 added the flag;
8dd188b054 later added generation, promise, and identity hardening without
removing it; 1661579aed added terminal code 4009.checkFile.sync-diagnostics::raw-websocket-error-and-reason; proposed for C8; privacy
hardening, not simplification benefit.9b448133…; B28; 3aab82a0f96195288147cf8fe717ddde4952d0bce2bc9464409c665cb54bd775.:98-100,148-150,177-180,187-189, 248-251,287-290,311-315 logs raw caught errors and server-controlled close
reasons. WS-triggered download :302-325 and the immediate wrapper connection
catch sync-wrapper.service.ts:681-691 also log raw errors. core/log.ts:54-71, 123-158,238-280,364-369 serializes error messages/stacks into exportable
history; the existing sync-core sanitizer retains only error identity/code.7fa8f12132/8dd188b054 and
later recovery changes; the newer sync logger contract explicitly rejects raw
provider responses, credentials, and user text.checkFile.supersync-status-tests::repeated-truth-table-and-expiry-setup; proposed for
C6.9b448133…; B28; f7b6e0854d16352ad1516fd47406c9e5fd2376d373ef2a768e79223ed6b91ac8.super-sync-status.service.spec.ts:15-158 repeats the same
two-boolean truth table, order, idempotence, reset, and pending setup. Lines
160-267 repeat clock/service setup and call forceRecompute() even though the
expiry callback itself changes _hasRecentRemoteCheck at service :50-62.forceRecompute(). Preserve descriptive row names.clearScope() timer
cancellation/reset, true at 59,999 ms, false at 60,000 ms, and refreshed
expiry. Keep fake-clock cleanup isolated per case.6b04bc6d7c removed a polling timer and simplified
the service; 40def4a576 later added the repeated all-provider status cases.checkFile.server-upload-conflict-code::three-path-wire-mapping; proposed; sync-critical.9b448133…; B32; 4c0ade0074e3907ab956236842e3a1a5864557e805dbc8eaf8b63ecf826a28dd.operation-upload.service.ts:524-529,785-790,821-825
repeats the same mapping in batch, serial initial-check, and serial final-check
paths: concurrent and equal_different_client become
CONFLICT_CONCURRENT; superseded, unknown, or missing type becomes
CONFLICT_SUPERSEDED.conflictErrorCode() with the exact fail-closed default, called at all three
sites. Do not merge upload paths or move conflict checks.c8fc1ea03d introduced
this exact helper, but merged squash 2d9988dd73 did not retain it; frozen
HEAD and master still contain all three copies.batchUpload: true
conflict specs; server typecheck/test suite; two fresh multi-client reviewers.server-upload-prune::serial-inline-vs-shared-helper; proposed; sync-critical.9b448133…; B32; 5ff4b204c8d8188912cd868dd4c6678c6e0a4336d8974d0acd96e636391fefe3.conflict.ts:581-590 defines
pruneVectorClockForStorage(), used by the batch path at upload service :542;
serial upload repeats it inline at :838-852, including preserved client,
before/after size, and debug message.:845-852 with
the shared helper, remove the unused direct limiter import, and retain the
ordering rationale next to the call.#6434 infinite conflict loop.fdc942babb established compare-before-prune;
batch extraction introduced the helper while leaving the serial copy.server-conflict-entry::duplicate-full-state-and-entity-normalization;
proposed; sync-critical.9b448133…; B32; 1273dda2d495ef94179127b9d626085725fb4f35ff28278ad05dbcd04a033f26.conflict.ts:28-34 explicitly compares the three full-
state operation types despite already importing/using isFullStateOpType();
:39-63 renames and wraps entity IDs in another Set, while
getConflictEntityIds() already deduplicates at :413-421. Shared schema's
canonical snapshot list is exactly SYNC_IMPORT, BACKUP_IMPORT, and REPAIR.GLOBAL_CONFIG:misc → tasks compatibility alias.isFullStateOpType(op.opType),
name the first result entityIdsToCheck, and pass it directly. Preserve the
legacy alias branch and canonical helpers.c8fc1ea03d previously removed the redundant entity
normalization before decomposition; later alias work e019ef0b71f retained
the old naming/second dedupe.#8334 coverage; two fresh conflict
reviewers.server-upload-piggyback::cached-normal-result-fetch-duplication; proposed;
sync-critical, characterization-required.9b448133…; B32; b5a4710ea0948798eed374fafcedd9ddd730da284516fd205fdada0cb9748041.sync.routes.ops-handler.ts:135-169,258-296 independently
sets limit 500, calls getOpsSinceWithSeq(..., false), obtains latest sequence
when no cursor is returned, and computes hasMorePiggyback for cached retry
and normal upload responses. Commit 064c2452ca had to update both copies in
lockstep.{ newOps, latestSeq, hasMorePiggyback }, invoked at the same two
points. Keep branch-specific logging, deduplicated, WebSocket notification,
quota ordering, and response construction separate.lastKnownServerSeq, the false snapshot argument,
latest seq with zero returned ops, and quota/read order. A cursor error can
permanently hide remote operations.5f9d73c37c added fresh retry piggybacking;
064c2452ca added hasMorePiggyback twice. Current tests cover current-cursor
retry and the false argument but not exactly-limit versus over-limit parity.hasMore policy.download-planning::single-boolean-wrapper::gap-and-encryption-state;
proposed, decision-required public API.9b448133…; B29; fbe5f8277a97c259a67f9bf2ed8c5a7f74245cc8cdcc38d3c53fcf85c3e3a661.packages/sync-core/src/download-planning.ts:4-23,102-118
wraps !!gapDetected && !hasResetForGap and
sawAnyOps && !sawEncryptedOp; root barrel src/index.ts:105-108 exports
both; their only repository callers are in
operation-log-download.service.ts. Focused wrapper tests are at
tests/download-planning.spec.ts:9-21,91-109.610fbc1c75 extracted the same expressions without changing
their policy.upload-sequence-plan::duplicate-derived-fields::single-seq-reason;
proposed, decision-required public result shape.9b448133…; B29; 20230055db01bb3a041f216122399fa10a2b26e9591b7c544c7f9f783509753f.packages/sync-core/src/upload-planning.ts:73-77,88-121
guarantees seqToStore === highestReceivedSeq in every branch and echoes
hasMorePiggyback, which is also represented by reason; the sole repository
caller consumes all three at operation-log-upload.service.ts:522-545.{ seqToStore, reason }; let the caller use seqToStore for both aggregate and persistence,
and the original response flag or reason for its OR condition.hasMore aggregate.3c06157324;
tests at tests/upload-planning.spec.ts:77-125 restate all fields.encryption-decrypt::duplicated-single-vs-batch-state-machine::one-batch-path;
proposed, characterization-required, sync/security-critical.9b448133…; B29; 56b458483415ddd03e304a59cae9edea884aaf0461727842080b0f05d85ac491.packages/sync-core/src/encryption.ts:115-156 and
:180-297 separately implement format detection, Argon derivation, AES
decrypt, and legacy fallback. tests/encryption.spec.ts covers both paths;
repository closure finds four decrypt and two decryptBatch consumers.decrypt() handles
the Argon [salt16][iv12][cipher+tag] layout and legacy
[iv12][cipher+tag], sharing session caches and cross-platform WebCrypto
error normalization with batch decryption.decrypt(data, password) as the one-element decryptBatch([data], password) case and remove
only the private duplicate Argon helper/path; keep the public signature.1d08cb9bc4 and 087b9dd43f establish the formats;
18cae275f5 fixed >100-unique-salt and password-cache collisions and must not
regress.sync-import-filter-spec::exact-boundary-case-duplicates::single-core-owner;
proposed, test-only.9b448133…; B29; c1b3d10a99f1c681c62ea6a05b6a29942e660851c33d17e7a3f2d7528c923d10.packages/sync-core/tests/sync-import-filter.spec.ts:53-64
duplicates :207-219; :79-90 semantically duplicates :174-188, with only
an irrelevant third-client counter changed.ba838eccf6 introduced the originals and
087b9dd43f the later hardening cases.vector-clock-spec::scale-only-and-no-flip-duplicates::algebra-contract;
proposed, test-only, mutation-gated.9b448133…; B29; 89f27285d768fbf18c2744df19debef5a287d4e1056ede345b9af73a5b99c289.packages/sync-core/tests/vector-clock.spec.ts:78-136
repeats the four relations already proved at :10-76 with 20-key inputs even
though comparison has no size branch. :554-578 labels a GREATER→CONCURRENT
flip but asserts CONCURRENT→CONCURRENT. Genuine cap/tie/preserve/retry and
actual relation-flip cases remain at :580-653.9fd9d386a87 added the scale cases;
087b9dd43f added the pruning hardening around them..env.exampleserver-env-example::dotfile-vs-production-example::single-authoritative-file;
proposed.9b448133…; B38.1; b7368abb2802006d3fa959d59e2e3d57e3a72cd207b424cddce690947d426afb.packages/super-sync-server/.env.example:1-81 and
env.example:1-125 both instruct operators to copy themselves to .env but
materially diverge. The package README uses cp env.example .env at
:43,169; no package workflow or documentation references the dotted file.
The dotted file supplies a localhost database URL, enabled preview CORS,
passkey/privacy values, and uncommented fake GHCR credentials while omitting
required compose DOMAIN and POSTGRES_PASSWORD.env.example is the live
production/deploy-script contract; the root .env.example used by E2E is a
different file and remains untouched.env.example.d82754faf2, while the
production file received deploy/migration/pool hardening through
b83a6745e6; 6af85b6892 established the README copy command.env.example, and one fresh ops reviewer.server-encryption-at-rest::abandoned-live-and-archive-snapshots::decision-record;
proposed, decision-required operational archive.9b448133…; B38.1; 36ed9c171bd45b35c7442b1e9d2819f014dd91b05a5748b034a342b24dd7e034.e050eb99fa records that LUKS and TDE were
incompatible with the OpenVZ deployment, moved nine LUKS artifacts under
archive/encryption-attempts-openvz-incompatible/, and chose operation without
database encryption at rest. Nevertheless,
docs/long-term-plans/supersync-encryption-at-rest.md:1-30 says “Planned” and
reviewed, packages/super-sync-server/docs/encryption-at-rest.md:1-12 says
“Production-ready,” and docs/testing-guide.md invokes tool paths that were
moved out of tools/. The eleven redundant plan/guide/archive artifacts total
5,243 LOC before the stale testing guide.backup-encrypted.sh and backup/recovery docs are separate and retained.cb2e2e65a2 and c8bce3c8cf contain
the complete implementation; e050eb99fa is the explicit retirement record.
Repository search finds no consumer outside the archived/contradictory docs.helm-single-replica::noop-hpa-pdb-controls::fixed-replica-contract;
proposed, decision-required public chart values.9b448133…; B38.1; f0f781a6cf0a110484f97656b2f0f283f55d0e0f023bd66a77083ccfe21b54d7.templates/deployment.yaml:1-3 forbids
replicaCount > 1; templates/hpa.yaml:1-3 forbids
autoscaling.maxReplicas > 1, so the only valid HPA has min/max one and cannot
scale. templates/pdb.yaml:1-13 defaults maxUnavailable: 1, which permits
the sole replica to be unavailable and therefore adds no disruption
protection. values.yaml:196-219 exposes both mechanisms despite those
constraints.7fa8f12132; WebSocket connection state
requires one server replica until shared state exists.replicas: 1 directly and
remove HPA/PDB templates and their values until multi-replica architecture is
implemented. Preserve the explicit fail-closed replica guard or equivalent
validation.helm lint
and template snapshots; install/upgrade compatibility review; fresh
Kubernetes and WebSocket reviewers.helm-database-env::migrator-app-exact-duplication::single-template;
proposed.9b448133…; B38.1; d0310f00e1d2cd457e7ccd4c276b32a837d058a851f4fcd7a8fc2dc086df0fca.templates/deployment.yaml:47-70 and :101-123 repeat the
bundled PostgreSQL user/database/password/URL and external URL/secret branches
for the migration init container and app container. Blame assigns both copies
to 7fa8f12132; later migration hardening relies on them selecting the same
database.DATABASE_URL construction and secret keys in all four
bundled/external and inline/existing-secret combinations.$(POSTGRES_*) substitution must be identical. A
whitespace or context bug can migrate one database and run against another.helm template output for bundled inline,
bundled existing secret, external URL, and external secret; migration test and
fresh deployment reviewer.gzip-boundary::dead-standalone-decompress-helper::compressed-body-parser;
proposed.9b448133…; B34.1; 10a6e2e7cd16885b6f753ef8bba229a0ddf4ac32753bea5e51103600cacf5e27.compressed-body-parser.ts:3-9,67-83 defines
decompressBody(), but repository closure finds it only in its declaration
and tests/decompress-body.spec.ts:4-167. Production ops/snapshot handlers use
isSingleTokenGzipEncoding() plus parseCompressedJsonBody(); the
unsupported-content-encoding reason is likewise declaration-only because
sync.routes.ts produces the actual 415.7b34820b74 introduced the helper as a parser
dependency; 9b965f2c35 deliberately inlined decode/decompress into the parser
to decode once and distinguish errors, leaving the old helper test-only.device-lifecycle::test-only-owner-and-user-list-queries::device-service;
proposed.9b448133…; B34.1; 70dbbe8fdb8ae198357b047188bfbef3b9a5785faee8808014ef58c421ed3aa1.device.service.ts:11-31 exposes isDeviceOwner() and
getAllUserIds(); exact repository searches find no production caller and
only direct tests at device.service.spec.ts:31-92,
sync-operations.spec.ts:1093-1155, and
sync.service.spec.ts:3416-3466. Live getOnlineDeviceCount() and
deleteStaleDevices() are separate.07589dd67f extracted all four methods;
c0b8f30214/#8498 removed the dead SyncService facades but rewired tests
directly to the now-unconsumed lower methods.#8498, not otherwise implemented.auth-email::repeated-transport-send-log-fallback::email-ts; proposed,
characterization-required, privacy/security-sensitive.9b448133…; B34.1; 6845aee810c9fa35639d71ca154362509266f278239585699deda8b8cf9f2a6b.email.ts:48-209 has three public verification, recovery,
and login functions that repeat transporter lookup, a second config load,
sender selection, delivery, Ethereal preview, success log, exception handling,
and false fallback. Consumers are auth.ts and passkey.ts; current tests
characterize only verification failure without SMTP.false, preview
behavior, and privacy-safe logs. Never add addresses or tokens to diagnostics.6308e33a56, fd6499f138,
and 9c0a728ef4; privacy hardening 1907df68d7 had to update all three.cors-policy::duplicate-origin-map-catch-branches::config-ts; proposed,
security-sensitive.9b448133…; B34.1; 943949de89058addedc673d71c025ab0dd5afbc3223bac244d5c3ba1036fcd91.config.ts:224-257 has wildcard-present and wildcard-
absent branches that duplicate the same try/catch, origin mapping, config
assignment, and error wrapper. Tests at config.spec.ts:172-224 and
security-fixes.spec.ts:19-61 cover production wildcard rejection, development
warning, exact origins, and subdomain patterns.*; development can retain it with a warning; other values pass through
parseCorsOrigin() and implicitly enable CORS when not explicitly disabled.origin === '*' ? origin : parseCorsOrigin(origin) and one error wrapper.02ec2d97b9 introduced the security policy; no
branch-specific mapping behavior exists.server-snapshot::dead-cached-read; proposed.9b448133…; B33; 5c3f0a71881d6a711372e2a973bf891b218757bf16d66bdab68f20021b61fbc3.snapshot.service.ts:103-159 implements
getCachedSnapshot() and _invalidateCachedSnapshot(). Exact and reflective
repository searches find no runtime call; only
snapshot.service.spec.ts:60-126 calls the public method. The service barrel is
internal and the executable package exposes no named library API.user_sync_state.snapshot_data and may clear corrupt snapshot
metadata. Live snapshot generation reads its base independently inside a
RepeatableRead transaction.18f03c1ec7 extracted the method;
9b965f2c35 added invalidation; c0b8f30214 removed the already-dead
SyncService facade but left this test-only residual.storage-quota::single-reconcile-body; proposed, sync-critical.9b448133…; B33; 2bda7c57362a008e5505198ebbeca23721730e6d6263170fc2823b13d52f4444.storage-quota.service.ts:279-297 and :304-317 both
calculate exact usage, reject unbackfilled rows, write
users.storage_used_bytes, and clear forcedReconciles. Only the surrounding
reentrant versus ordinary lock/dedupe paths differ; tests at
storage-quota.service.spec.ts:204-401 cover both.updateStorageUsage() through SyncService;
the cached counter derives from operation payload bytes plus snapshot bytes.d1918b342b added the reentrant bypass to fix a
deadlock; 2d9988dd73 copied the unbackfilled-row guard into both bodies.server-download-tests::snapshot-fast-forward-owners; proposed, test-only.9b448133…; B33; 304d587e986b8d45e6b9b9eca27cb660cc0acee662b1e464a6c82cf7384b74cd.snapshot-skip-optimization.spec.ts is 822 LOC and
integration/snapshot-skip-optimization.integration.spec.ts is 361 LOC. Both
have been excluded by vitest.config.ts:20-23 since 5f9d73c37c; the mocked
integration file is absent from test:integration:postgres. Active
operation-download.service.spec.ts:126-1060 already covers stable bounds,
full-state fast-forward, gaps, exclude-client behavior, pagination, and clocks.
Stale type mocks return a row regardless of predicate, so they do not prove
causal BACKUP_IMPORT/REPAIR selection.GET /api/sync/ops fast-forward and DownloadOpsResponse, but run
under neither normal nor explicit PostgreSQL CI.e36ba3f47d added both; 5f9d73c37c excluded them
four days later as internal-detail tests, before service decomposition.server-download-tests::production-sql-path; proposed, test-only.9b448133…; B33; 86b186bf0d756b29e6ee6b24b9c641d5f5bc70902edb8f3e248c3c787644bdd0.snapshot-vector-clock-sql.integration.spec.ts:59-81
copies SQL and row mapping from operation-download.service.ts:318-355 while
claiming to verify the query used by getOpsSinceWithSeq(); it never
instantiates the service. The PostgreSQL suite selects this file, while unit
coverage mocks $queryRaw.861425fd28 added the suite to validate production
SQL but implemented a fork; d32f7037a3 changed surrounding clock behavior
without removing the split owner.android-background-roadmap::unsafe-reminder-cursor-as-state-cursor::rejection-note;
discovered/proposed, unverified; sync-critical documentation.9b448133…; B35.1; be4fcefe437b1d10105885883aab2e8ca4e68666a790ea27a381ee1b671143bb.docs/long-term-plans/android-background-sync-improvements.md:16-77,168-174
proposes using the worker's lastServerSeq as foreground sync start.
SyncReminderWorker.kt:26-83 uses that cursor only to fetch reminder changes,
update native reminders, and persist the reminder cursor; it never applies
operations to Angular state. getLastSyncSeq has no implementation consumer.10a3db97ea introduced roadmap and worker together;
no implementation of the proposed cursor bridge followed.android-background-sync::single-implementation-provider-interface::direct-concrete-class;
discovered/proposed, unverified.9b448133…; B35.1; e843437372ff4ffa93f94c4c8a71871dca13e322a207ae6d1d776ad90aa4056b.BackgroundSyncProvider.kt:75-94 has one implementation,
SuperSyncBackgroundProvider.kt:10-20,73-80; the only production caller,
SyncReminderWorker.kt:33,48-52, constructs that concrete class directly.
Other references are KDoc and speculative roadmap Phase 3.override markers; retain limit: Int = 100 directly on the concrete
method and defer an abstraction until a second provider exists.10a3db97ea introduced the interface solely for
hypothetical Dropbox/WebDAV extensibility; no polymorphic consumer followed.main-header::post-extraction-dead-state-and-constant-route-stream;
discovered/proposed, unverified.9b448133…; B35.1; 3fa606cb84f9771decd1f1b57d599a4b4e00428c9bb5194bcf593342b0bac518.main-header.component.ts:112-144,166-168,195-206,299-301,355-360
retains parent focus state, isXxxs, and a NavigationEnd pipeline that maps
every event to true and starts true. FocusButton and PageTitle now own the
actual focus and responsive state; the remaining parent fields have no live
template consumer. Track functions merely return stable IDs.bda5a187418 made the route predicate unconditional;
b51bd2c9ca moved focus behavior into the child and left parent residue.component-styles::parent-scoped-child-selector-residue::emulated-encapsulation;
discovered/proposed, unverified.9b448133…; B35.1; 81aa543a8944ba1a230b0f18131d3311e61842a59606d221956895490eea898b.main-header.component.scss standalone blocks for
.project-settings-btn, .panel-btn, and .current-task-title, plus the empty
.backdrop and old .right-panel blocks in app.component.scss, target
classes now owned inside child views. Default Emulated encapsulation prevents
these non-::ng-deep parent selectors from matching child templates. The
corresponding PageTitle, PlayButton, DesktopPanelButtons, and RightPanel
components own the live styles.::ng-deep .current-task-title rules and button.isActive2,
which the Velvet theme still consumes.bda5a187418 globalized the right-panel wrapper without removing the old rule.perimeter-contracts::zero-consumer-and-no-op-constants::remove-zombies;
discovered/proposed, unverified.9b448133…; B35.1; adc4f1b3bc597dacf195a2a1f771b4156999a4ca25a8e9442f9f005381a87777.CORS_SKIP_EXTRA_HEADERS in
app.constants.ts:74-83 are {} and its two calendar spreads are no-ops;
ALLOWED_COMMANDS in simple-store.const.ts has no reader/writer and the
generic JSON loader ignores an old persisted key; FILE_SYNC_GET_REV_AND_CLIENT_UPDATE
in ipc-events.const.ts has no symbol or literal consumer.6d13abcc6e added the never-activated CORS hook;
97e97042cde removed the command path; 1059eeea04 removed the file-sync
handler/preload/API but left the enum member.supersync-monitoring-docs::docker-and-script-manuals::single-canonical-runbook;
discovered/proposed, unverified.9b448133…; B38.2; 8bf0e8f5598e0c82745c32d29f7a363adfc2b2c1f51af6a298c4cfed17c58804.DOCKER-MONITORING.md is 274 lines and
scripts/MONITORING-README.md is 298 lines. Both enumerate the same monitor,
analyze-storage, full-suite, quick/save, per-user, export, automation,
investigation, troubleshooting, performance, and privacy workflows. The
Docker guide adds wrapper/report-copy details; the scripts guide adds local
development notes. They already disagree about compiled execution versus
installing/running tsx in the production container.5027b31431 introduced the scripts manual for the
toolkit; 554cc09608 added a second near-complete manual nine minutes later
for the Docker wrapper. Subsequent compiled-JS changes updated mechanics but
left the split documentation.supersync-image-provenance::deploy-and-publish-duplicate-shell-guards::shared-owner;
discovered/proposed, unverified; deployment-sensitive.9b448133…; B38.2; 0937aa614e6f46928dc43d8b9ad19193832d528ea5185b8de2dd677c9e6de0ce.build-and-push.sh:44-99 and deploy.sh:108-170
independently define supersync_image_source_revision() and
assert_clean_supersync_image_inputs(), including the same seven path groups,
tracked/cached dirty checks, untracked scan, fallback revision, and nearly
identical refusal text. The differences are only current-directory handling,
fallback output, and the --build message.deploy.sh has pulled/re-executed current
code. Keep login, build, pull, image-label comparison, and deploy sequencing in
their existing owners.b83a6745e6 to fix
stale deploy-image skew; they enforce one policy but can now drift separately.passkey-storage-migration::manual-double-encoding-repair::retire-after-data-gate;
discovered/proposed, unverified; decision-required compatibility/privacy.9b448133…; B38.2; dd38c09eaedada8f7c2d8f1fb6e25a711a0a78acca857ce5dfa45f22d713e6d7.prisma/migrations/migrate-passkey-credentials.ts is a
97-line, manually invoked script added in January 2026 to rewrite the original
double-encoded WebAuthn IDs. Exact repository search finds no package command,
deployment hook, test, or documentation consumer beyond its own run comment.
It prints user IDs plus old/new credential IDs in hex and base64url before
mutating each row. Current registration/login code stores and queries raw bytes.a57a197d44 fixed new writes and 868ed71c4a
added this manual repair the following day. Later passkey hardening changed live
flows but no repository evidence proves every deployed database was migrated.e2e-docs::orphaned-encryption-failure-memo; discovered/proposed, unverified.9b448133…; B36.1; 2e4db0e7be318d4cbf8adb6f35dab1a6f5bd480b2d25153a0bd10c8b91f3ac4e.ENCRYPTION-E2E-STATUS.md is a 525-line memo dated
2026-01-24 and headed “ALL TESTS FAILING.” Its named owner,
supersync-encryption-enable-disable.spec.ts, was deleted by cf7fa73e5b.
Repository-wide backlink, filename, local-storage-key, and selector searches
find no current consumer; its checkbox workflow no longer exists in
SuperSyncPage.e2e/CLAUDE.md and live
scenario specs.035fe0a95f; its only later edit was an
enum rename in 08e8329f97, before the owning suite was removed.git diff --check.e2e-fixture::unused-describe-and-client-tracking-apis;
discovered/proposed, unverified.9b448133…; B36.1; 66eb7e3c34b24568080dff3663297a0797a17f16c722d1ef5479de5c30d66c51.supersync.fixture.ts:115-183 exports
supersyncDescribe, trackClient, and cleanupTrackedClients plus a module
map. Exact and computed-property searches find no consumers. The advertised
automatic cleanup is not registered with a fixture or afterEach; 71 sync
specs use explicit client cleanup instead.SimulatedE2EClient import, and misleading prose. Preserve health
gating, testRunId, serverHealthy, and the exported Playwright primitives.f37110bbb5 and never
adopted by a scenario.e2e-helpers::duplicate-archive-worklog-spec-functions;
discovered/proposed, unverified.9b448133…; B36.1; c07784b387cda8b1c20e177fe5f1f8082c98e2101fa69e7396aa6692e583c2d7.supersync-archive-data-sync.spec.ts:35-91 and
supersync-backup-recovery.spec.ts:38-102 locally duplicate mark-done, Daily
Summary archive, worklog navigation/week expansion, and task counting.
supersync-helpers.ts:1067-1123,1220-1251 now provides matching
markTaskDoneByKey, archiveDoneTasks, and getWorklogTaskCount helpers.0fd2618dab and
a93f6a7ba2; shared helpers followed in 7ed76c13a4.e2e-scenarios::sequential-concurrent-import-duplicates;
discovered/proposed, unverified; sync-scenario-sensitive.9b448133…; B36.1; 03d3f6c2f0e4e0ffe7358935315b984a5b89398afee69954a1f41c7229a698d2.supersync-concurrent-import.spec.ts:46-233
finish Client A's import and sync before Client B is created. Client B never
imports, uploads never overlap, and no concurrency primitive remains.
supersync-lastseq-preservation.spec.ts and
supersync-import-clean-server-state.spec.ts cover the retained sequential
imported-state and post-import propagation behavior more directly.a977fa2fbe originally ran parallel two-client
imports; cce9576946 removed Client B's import/overlap for mandatory encryption
while retaining the old names and rationale.e2e-page-object::orphaned-supersync-encryption-controls;
discovered/proposed, unverified.9b448133…; B36.1; 6fa4a8556c0704785572d231b42338cac69582a52714888493151269d4298295.SuperSyncPage.enableEncryption(),
disableEncryption(), isSyncInErrorState(), or isSyncEnabled(). Two
private wait helpers are used only by those methods, and
encryptionPasswordInput is unread. The 561-line owning enable/disable suite
was deleted by cf7fa73e5b.1c41228a7f; state queries followed in 788f2dedf8; suite deletion left the
surface. This is the B36 companion to B22-C01.retired-password-auth::orphaned-page-asset-and-tests::password-reset-remnants;
discovered/proposed, unverified; deprecation/auth-sensitive.9b448133…; B34.2; 2426fcab2c29b8af31d8e181ef0e9dab01a5ac1621c429a2e10a43453864d0e4.src/pages.ts:23-25,36-97 still serves
/reset-password, and public/reset-password.js:1-57 posts to
/api/reset-password. No current reset or forgot-password route/function or
link producer exists. password-reset-api.spec.ts invents removed auth exports
and is excluded by vitest.config.ts:30-31; password-reset.spec.ts imports no
production code and tests Node/bcrypt primitives. server-security.spec.ts
preserves only the orphaned GET page.fd6499f138 added the flow; 9c0a728ef4 replaced
password auth; f0f536671b explicitly excluded the missing-route suite;
70414145a3 later externalized the orphaned script for CSP only.websocket-auth::copied-handler-test-double::websocket-routes-spec;
discovered/proposed, unverified; security-boundary test.9b448133…; B34.2; 3935bfd6b00f0791e12e486fbb2b14178c593c8c3804323e1692fc0292397583.websocket.routes.spec.ts:14-90 copies
websocket.routes.ts:45-81 into simulateWsHandler, then tests the copy at
:193-306; regex/constant checks add more indirect coverage. Installed
@fastify/websocket ^11.2.0 exposes FastifyInstance.injectWS() in its
bundled typings/testing guide, so the stated inability to inject a WebSocket
is obsolete.wsRoutes, drive /ws through injectWS, retain direct rate-limit-key tests,
and move any pure client-ID truth table to its actual utility owner.7fa8f12132; later validation changes were split across 0c70e7906f and
3fbde60742, demonstrating dual-maintenance risk.injectWS close-code and
teardown behavior; then route/connection/storm/rate-limit suites and server
build/typecheck with a fresh WebSocket-security reviewer.sync-architecture::parallel-mermaid-sources::package-and-canonical-diagrams;
discovered/proposed, unverified; characterization-required.9b448133…; B34.2; d3eaf9c5ba2ed49fe007b075d99e9c03716147f5afae98b16028c9403df20cf7.sync-server-architecture-diagrams.md is
994 lines and has only the package README plus one test-comment consumer;
indexed docs/sync-and-op-log/diagrams/02-server-sync.md is the ADR-linked
canonical-looking server diagram. The package tome still shows removed
password auth; the canonical diagram still shows removed tombstones; both use
lastKnownSeq while runtime uses lastKnownServerSeq, and one package link is
path-invalid.b671a8cf17; the second
diagram arrived in 9f0adbb95c as a paths/types refresh. Both needed updates
in 0b4bc79354 when GET snapshot was retired, confirming parallel ownership.banner-singleton::redundant-dismiss-all-and-debug-tombstone::banner-service-startup;
discovered/proposed, unverified.9b448133…; B35.2; 47992b271ba694c8b014de6f8662dde4c773d3a86a51284f4a6d380cc25639f3.banner.service.ts:42-121 is an 80-line commented debug
harness. open() replaces an existing same-ID banner and private storage starts
empty, so at most one banner per ID exists; dismiss() filters that ID, making
dismissAll() identical today. Its only production caller is
startup.service.ts:397, with one direct spec block.dismiss(BannerId.Offline) from StartupService, delete dismissAll, its
redundant spec, the commented harness, and the commented log line.hideWhen, and
auto-dismiss stay unchanged. activeBanner$ is live in Task UI and Banner
component and must remain.cdb212a6ec added dismissAll when dismiss() used
shift(); 8203409e05 changed both storage and targeted filtering, removing
that distinction. Debug examples date to 2019.android-foreground-tests::removed-pfapi-immediate-save-replicas::obsolete-spec-blocks;
discovered/proposed, unverified.9b448133…; B35.2; 5068c1bd3a5fafce1e46872758d08e35ba3f927bed0112396dbf4e5cb3430ef3.android-foreground-tracking.effects.spec.ts:552-821
locally reimplements _saveTimeTrackingImmediately and notification handlers;
ten tests invoke only those copies. Current production instead awaits
_flushPendingOperations() and op-log flush; current sequencing tests remain
at :1083-1198. The old symbol/model-save logic exists only in the stale blocks.55d4fd1520 introduced the PFAPI path and replicas;
db990b7018 replaced production with op-log flushing four days later without
updating the spec.core-log::unused-global-context-and-x-helper::direct-log-surface;
discovered/proposed, unverified; privacy/API-sensitive.9b448133…; B35.2; 399ff43389ce37e6227f738fd35f214945dbc6b4b7a5d13299f5e5d46b1dfa75.log.ts:91,114-120 owns mutable global context/prefix and
direct methods consume it at :170-212; x is at :217-222. Whole-repository
exact searches find no Log.setContext or Log.x call. Direct context is
therefore always empty; real scoped callers use separate withContext.
PluginAPI exposes PluginLog, not these members.context, setContext,
getPrefix, and x; inline the current empty prefix/context into direct calls.
Retain withContext, PluginLog, and heavily consumed error/normal aliases.ctx: '', console argument shape, and scoped contexts.30998b21da introduced setContext with no found
caller; 2bb32b4bba added x, whose last lineage caller was removed in
080f0b0be3.withContext, then modified-file
checks and build/unit closure.snack-render::vacuous-type-switch::single-open-from-component;
discovered/proposed, unverified.9b448133…; B35.2; 24dca6fa4033b977d398a89deff58fa67de8645ad9796ebd134b931643bf5282.snack.service.ts:119-128 routes ERROR, CUSTOM, SUCCESS,
and default through the identical
openFromComponent(SnackCustomComponent, cfg) call. Type remains meaningful
earlier for duration and data but does not affect rendering.e829a9c29b introduced the already-vacuous switch
during the 2019 snack-store removal; later edits changed only its common call.boards-panel-update::unconsumed-full-panel-action-and-commented-reducer::task-id-update-path;
discovered/proposed, unverified; compatibility-sensitive.9b448133…; B35.3; 70fd299a18c23ae447bd0bbb195ab3399807859a73abece3972597cdcf8f7842.BoardsActions.updatePanelCfg; only its declaration/export remains at
boards.actions.ts:45-56,90. Its reducer has been commented out in full at
boards.reducer.ts:165-196 since 2025. BoarFieldsToRemove is declared only
at boards.model.ts:47-49. Live panel ordering uses the distinct
updatePanelCfgTaskIds action from board-panel.component.ts:253,272.d5859521a04; the
persistent action wrapper was added later in b2f5ee820d4 but no producer was
found. BoarFieldsToRemove originated in 963701ac7f and has no consumer.focus-break-effects::unused-config-with-latest-from::complete-and-skip-break;
discovered/proposed, unverified.9b448133…; B35.3; bb4eff89837d6c45d45cef2b00d6e26a273e5db6ebe00d584fc861140cf67e8b.focus-mode.effects.ts:627-643 adds
selectFocusModeConfig to autoStartSessionOnBreakComplete$ but destructures
config without reading it. The same unused selector/value occurs in
skipBreak$ at :659-687. Strategy mode, current task, and action payload
alone determine every branch and emitted action.f945c9850ce introduced both unused reads during a
focus-mode settings change; surrounding logic predates them and never consumed
the values.focus-effects-spec::duplicate-scenarios-and-tautological-sync-test::real-effect-contract;
discovered/proposed, unverified; characterization-required.9b448133…; B35.3; a45039d862580efc77eeab547de6b1696ec2cc95ab0701216923fa8e0f77b289.combined behavior case at :909-923 that repeats the immediately preceding
paused-task test, and repeats pause-tracking cases at :2348-2391 and
:2873-2943. The rapid-sync toggle case at :1827-1865 concludes only
expect(emitCount).toBeGreaterThanOrEqual(0), which cannot fail for its
initialized counter. The Bug #5954 Additional Edge Cases block re-exercises
earlier missing/done/paused-task and break cases.1997081a01; duplicated pause-tracking blocks trace to
7b099af796 and later bug-specific additions accumulated beside them.idle-core::redundant-selector-wrapper-fake-async-and-debug-tombstone::idle-services;
discovered/proposed, unverified.9b448133…; B35.3; 7b14be90aec1cdbb4e76c65c2a7e3c05dc5e0b2ef008d90368571f1660b33c73.idle.service.ts:13-18 wraps store.select(selectIsIdle)
in a private observable plus distinctUntilChanged/shareReplay, although NgRx
selector output already supplies the live distinct state stream. In
idle.effects.ts:395-407, _updateSimpleCounterValues contains no await and
both callers ignore its synthetic promise. A commented debug constructor
remains at :370-376.void, and delete the
commented dispatch harness. Do not restructure idle-dialog orchestration.7858d07eac; the
fake-async helper to af43ed3aef. Neither acquired asynchronous work, and the
debug harness is historical residue.calendar-banner::event-object-debug-log::exportable-log-history;
discovered/proposed, unverified; privacy-sensitive.9b448133…; B35.3; 3e01545b28d8b6ca57d9a770eaa6113c50721fda117d59fc47838094cd18d799._addEvToShow at
calendar-integration.effects.ts:227-239 calls
Log.log('addEvToShow', curVal, calEv). CalendarIntegrationEvent explicitly
contains user titles, descriptions, URLs, IDs, and provider IDs, while curVal
also embeds provider configuration. Log records every call to exportable
history (log.ts:1,73-94,123-162,228-271). A second adjacent typo-only debug
message (UDATE _currentlyShownBanners$) carries no diagnostic state.97f96f2393 mechanically converted it to Log.log, thereby making it part of
retained/exportable history. The neighboring marker dates to bb337cc422.project-backlog-disable::effect-generated-second-persistent-op::project-update-and-legacy-move-action;
discovered/proposed, unverified; sync-critical.9b448133…; B35.4; defefc52971116e28214bfc611c99c8b7bd40071feda7b39367204afc384bf72.project.effects.ts:59-70 reacts to
updateProject(isEnableBacklog:false) by dispatching a second action;
project.actions.ts:284-294 marks that generated action persistent, and
project.reducer.ts:151,623-635 applies the flag and task-list transfer in two
reducer passes. plugin-hooks.effects.ts:314-335 observes both. Static closure
found no other producer of the move-all action.updateProject reducer
append current backlog IDs to regular task IDs and clear the backlog when the
flag becomes false; remove only the generating effect and its three specs.
Retain the legacy action creator, reducer handler, action type, and plugin-hook
registration so historical persisted operations can still replay.d6708d8d18 introduced the two-step flow before the
op log; f4df0731e3 later made the second action persistent. 03ddbb5ab4
moved the effect to LOCAL_ACTIONS, so remote replay of the first op cannot
recreate its companion.project-lookup::identical-catch-error-alias-after-selector-contract-change::project-service-and-note-consumer;
discovered/proposed, unverified.9b448133…; B35.4; 47142eb66dd7097d2f19f6376f175097f5fdbd98000294446c181da39e689eb4.project.service.ts:354-366 implements getByIdOnce$ and
getByIdOnceCatchError$ byte-for-byte identically. Repository closure finds
one alias caller, note.component.ts:109.getByIdOnce$ and delete the alias; add no replacement helper.undefined, invalid empty IDs still throw, and selector logging stays unchanged.1c73db9cae5 changed selectProjectById to return
undefined and removed the alias's catchError, leaving two names for one
contract.planner-today::mockstore-post-dispatch-state-invention::planner-today-sync-spec;
discovered/proposed, unverified; characterization-required.9b448133…; B35.4; ec7c07738973231137d9251f53b3454f05d7bfd722e55fa330ce9bac8ace2f47.planner-today-sync.spec.ts:91-350
dispatch an action, manually install the expected post-reducer state, override
selectTodayTaskIds with the expected answer, then assert that override. No
production reducer or selector result is exercised. Real coverage exists in
planner-shared.reducer.spec.ts:234+ and
task-shared-crud.reducer.spec.ts:169+,2248+.TODAY_TAG, and
Today selector visibility through real code paths.4b63554b185 explicitly converted the suite to
simulated meta-reducer behavior because MockStore does not run meta-reducers.planner-calendar::copied-private-event-partitioner-tests::planner-selectors-spec-and-source;
discovered/proposed, unverified; characterization-required.9b448133…; B35.4; 289563eea26863d48fccb4beb93a5a08b70878a63e6d59a2e16bf8d093648d88.planner.selectors.spec.ts:30-315 defines and tests a local
getIcalEventsForDay; production separately implements the behavior at
planner.selectors.ts:375-407. The copy compares local calendar components and
classifies all-day events itself, while production now applies
startOfNextDayDiffMs, getDbDateStr, and isAllDayCalendarEvent. Actual
selectPlannerDays.projector tests already exist at spec :465-644.26723bfa6d6; production became
logical-day-offset aware in 03572c3f2c without updating it, demonstrating
drift and false confidence.metric-chart::parallel-click-and-stopwatch-chart-builders::metric-selectors;
discovered/proposed, unverified.9b448133…; B35.4; 62f483b4d3ec93a765e465a88bb2c8a82c6389d7bc54795e2b81fd31cf8d8c7b.metric.selectors.ts:73-131 contains parallel 29-line
click-counter and stopwatch chart builders; only counter type and value
conversion differ. Both exports flow through MetricService, and ten focused
selector tests cover their contracts.SimpleCounterType and value conversion; retain both
exported selectors and service APIs.undefined for zero/missing values, stopwatch millisecond-to-minute
rounding, and selector memoization boundaries.5c0232b33c; count-map
guards and chart fixes have repeatedly modified both blocks in lockstep.privacy-safe-logging::raw-task-reminder-payloads::reminder-tag-repeat-effects;
discovered/proposed, unverified; privacy-sensitive.9b448133…; B35.5; 23150221dbb76bb3c4ca160d0c675e3faa08aa20d1b397ba71544d904d38bccf.reminder.service.ts:110-114 logs full
WorkerReminder[] objects whose titles are populated at :106;
tag.effects.ts:128-138 logs an object containing full tasks; and
task-repeat-cfg.effects.ts:718-719,759 logs repeat changes, live/archive
tasks, and archive changes that can contain titles and notes.environment/repeat Log imports. If diagnostics are proven
necessary, retain only privacy-reviewed counts, IDs, and changed-field names.Log.log/console.log closure reproduced the
five sites. The reminder log came from 3129c1dbca; tag/archive logs came
through the console-to-exportable-log conversion 97f96f2393; current repeat
logs blame to the 3d2c811e78 RRULE revert.unused-tag-read-surface::zero-runtime-consumers::tag-service-and-selector;
discovered/proposed, unverified.9b448133…; B35.5; 41ff4452841e9cc6e5269c3248edc0386f3afd482c29e1cf9da2de72c53538af.tagsSortedForUI$, tagsSortedForUI, the signal
tagsNoMyDayAndNoListSorted, or getTagsByIds$. selectTagsByIds occurs only
in its definition, the service wrapper, and direct service tests. The live
observable tagsNoMyDayAndNoListSorted$ is a distinct API and remains used.tagsNoMyDayAndNoListSorted$.cc002d192e; d50c74eda7
moved UI consumers to tree-order signals and left this surface behind. The
by-ID selector/wrapper dates to the earlier 2019–2020 service design.unused-repeat-mutation-surface::zero-runtime-producers-preserve-persisted-actions;
discovered/proposed, unverified; compatibility-sensitive.9b448133…; B35.5; dde454663b400ed67cb8d2961e352247da299d7355d7bc80ed583b54fa8bd38f.deleteTaskRepeatCfgsNoTaskCleanup, the
updateTaskRepeatCfgs service wrapper, and the upsertTaskRepeatCfg service
wrapper have only definition/test/comment references. The singular
upsertTaskRepeatCfg action is non-persistent and has no runtime producer.
Whole-repository exact searches reproduce that closure.79c2136572 removed repeat action-based save effects when persistence became
centralized. Old project-delete alternatives survive only as comments from
e88b0aea5c.repeat-eligibility-invariant::duplicated-selector-prefilter::repeat-selectors;
discovered/proposed, unverified; sync-critical.9b448133…; B35.5; 32bf73cc1c1a7bad835bc4a94a138c324db84199eb0ca02184ec5e81dcbc74e7.task-repeat-cfg.selectors.ts:88-165 contains two
selectors that independently implement the same paused, effective-cursor,
future-cursor, deleted-instance, date-conversion, and newest-due checks; only
the final exact-day versus overdue predicate differs.null. Keep final predicates explicit:
exact-day requires isSameDay; unprocessed/overdue requires only an eligible
due date. Do not add a boolean “mode” or shared memoized selector.d4e5673e55d; later pause and
deleted-instance/cursor fixes (0414b743650, 6b3675cd611) had to be mirrored.repeat-delete-semantics::duplicate-reducer-registration-and-debug-tombstones;
discovered/proposed, unverified.9b448133…; B35.5; b03e117cf7fa725ddbe8e10427e9f75163990b48d850ae3d80e6707f567c7b2f.task-repeat-cfg.reducer.ts:72,83 registers the identical
delete reducer twice; :43-56 is a commented alternative after an
unconditional return. task-repeat-cfg.selectors.ts:188-206 is a disabled
debug override; its spec :256-297 has three disabled tests and :435,509
has debug console output.6e3ddf008b;
unreachable alternatives came from e88b0aea5c, debug override from
df829fd4d15, and disabled tests from the 2025 selector-test move.dead-page-scaffolding::zero-consumer-fields-and-no-op-load::work-context-work-view-daily-summary;
discovered/proposed, unverified.9b448133…; B35.7; 13ef167a6df5a7543b3ae916c5290d9d1945275e6f627b85b05ec64701ede9bf.work-context.service.ts:633-638 exposes an empty
load(): Promise<void> whose commented implementation is obsolete; exact
repository searches find no caller. work-view.component.ts:351 initializes
isShowTimeWorkedWithoutBreak to true and never writes it, so the sole
template branch at work-view.component.html:53 is constant.
_switchListAnimationTimeout is only declared at :380 and conditionally
cleared at :506-507, never assigned. In
daily-summary.component.ts:180-182,266, hasTasksForToday$ and
actionsToExecuteBeforeFinishDay have no template, test, or production
consumer.load predates its
explicit async return type in 3e8865e9aa; the work-view flag and timeout
trace to 0cbd272bbc; no later producer or consumer was found.date-test-oracles::copied-native-date-and-range-logic::worklog-daily-summary;
discovered/proposed, unverified.9b448133…; B35.7; 1f4c0dd7731810623b82c2f53f1c666ed3f8f41538577eaeb3fa146a1533b9e5.worklog.service.spec.ts:14-30 splits date strings and
constructs Date objects locally without invoking WorklogService.
daily-summary.component.spec.ts:283-316 likewise tests a locally constructed
new Date() and never calls the component's finish-day methods.
worklog.service.timezone.spec.ts:1-117 copies range filtering over local
arrays, conditionally asserts by host timezone, and never instantiates
WorklogService; the root suite runs every spec in Berlin and Los Angeles at
package.json:133-137.WorklogService range-boundary characterization, reusing the existing
context-aware service setup. Do not remove distinct worklog or finish-day
sync/error scenarios.0080154ca5; the standalone timezone copy entered in f499802306. Exact
service-reference inspection confirms that none of the three blocks executes
the production path.plugin-test-harness::repeated-testbed-provider-inventory::plugin-bridge-specs;
discovered/proposed, unverified.9b448133…; B35.7; ba9b5e8a6c08e077380fb715f94b4f2c8354bc71bcfc7d20610dc16649be6e78.TestBed provider blocks: seven in plugin-bridge.service.spec.ts and one
each in the add-task, counter, and work-context specs. Each repeats most of
the same 15–20 dependencies, including hooks, persistence, configuration,
archive, translation, sync, theme, HTTP, and data-init services, while only a
few behavior-specific spies differ.d4d81bf511, and
later feature/privacy commits repeatedly copied or extended it, including
8a331c05ba, b96321fe57, 9176fa5238, 9a7a86c8ec, and
0c07053032.plugin-runtime::unreachable-pre-lazy-loader-subtree::plugin-service;
discovered/proposed, unverified; compatibility-sensitive.9b448133…; B35.7; 31a3e12a572db8b5fe156130d39a152a4244c1d6a407ac22947a0d8965a799a6.plugin.service.ts, _loadBuiltInPlugins:284-289 and
_loadUploadedPlugins:807-833 have no callers; _loadPluginsFromPaths:836-861
is called only by the dead built-in method; _loadPlugin:863-986 is reached
only through that chain and loadPluginFromPath:1237-1244, for which an exact
repository search finds no consumer. Startup instead calls
_discoverBuiltInPlugins, _discoverUploadedPlugins, and
_loadEnabledPlugins at :165-169, with activation using
_loadPluginLazy:585,649.d4d81bf511; no later owner was found.plugin-runtime::legacy-and-zero-consumer-read-accessors::plugin-service;
discovered/proposed, unverified; compatibility-sensitive.9b448133…; B35.7; d1292e47a1f7131c6b4d2e2e9b629b7554b049c4690e6cbff64cdc9ae12ab98e.plugin.service.ts:1033-1070 getAllPluginsLegacy() is
used only by its direct spec; getLoadedPlugins:1072-1074 and
getLoadedPlugin:1080-1085 are likewise referenced only by direct tests.
getPluginIcon:1112-1114 has no consumer; live UI consumers use
getPluginIconsSignal() at :1119 from the icon component and magic-nav
configuration. The same-named PluginRunner.getLoadedPlugin is a separate
method and remains live.getAllPlugins,
plugin-state queries, initialization status, lazy activation, and the signal-
based icon API.d4d81bf511; the legacy test was revived in 196e50b906, but no runtime
consumer was restored.task-shared-meta-reducer-coverage::superseded-monolithic-plus-split-owner-suites::task-shared.reducer.spec.ts+task-shared-meta-reducers/*-shared.reducer.spec.ts;
discovered/proposed, unverified; sync-sensitive.9b448133…; B35.8; 1baaf892fbdfc927ff4688469f2ef712151b1bb93221f67f3b938c39ad78c555.task-shared.reducer.spec.ts is 2,709 lines with 99 test
cases; 93 titles exactly match cases in the split owner suites. The six
unmatched titles start at lines 266,282,1541,1862,2508,2524; semantic
neighbors already exist for done timestamps, TODAY ordering, future planner
days, and deadline creation, but title matching alone does not prove assertion
equivalence. Production and integration consumers use
createCombinedTaskSharedMetaReducer, not the monolithic spec.task.reducer.spec.ts:85,92, then
delete the monolith. Do not change the combined reducer or its ordering.9bf9d82d44 added roughly 2,930 lines across six split suites while
retaining the monolith; 0854d469ef split production reducers and barely
changed the old suite.task-shared-crud-coverage::spy-only-concurrency-plus-wall-clock-smoke::task-shared-crud.reducer.spec.ts:2346-2389;
discovered/proposed, unverified.9b448133…; B35.8; 90cec306928e413992a6f9d5ebd002fdd6c315e76ea2ccae8030bf81fd5751f9.task-shared-crud.reducer.spec.ts:2346-2389, the
concurrency case uses an identity mock and asserts only two spy calls; the
“large numbers efficiently” case uses a Date.now() < 1000ms wall-clock
assertion while likewise exercising only spies. Neither reduces state,
overlaps work, or measures the production reducer.9bf9d82d44
from the monolithic suite and still do not invoke reducer behavior.tag-delete-cascade-coverage::four-nontiming-large-fixture-replicas::tag-shared.reducer.spec.ts:1004-1234;
discovered/proposed, unverified.9b448133…; B35.8; 784b2e178a2acb2d062b3a8f85b07c641a6499ee63ce4d669ea7919a49905592.tag-shared.reducer.spec.ts:1004-1234 contains four large-
fixture “performance” cases that record no time or complexity measure. Smaller
cases already cover delete cascades, orphans, repeat config, and ordering;
the four larger fixtures vary scale/fan-out but repeat their semantic oracle.943913a2fd deliberately introduced all four with
Set optimizations, so scale intent is plausible even though no explicit
metric was added.deadline-input-validation::copy-pasted-nonfinite-case-matrix::task-shared-deadline.reducer.spec.ts:131-187;
discovered/proposed, unverified.9b448133…; B35.8; 859914787202c7d555ec3253807f6a7cb8c1a01040bdd2e01db2e5819f366e3d.task-shared-deadline.reducer.spec.ts:131-187 repeats five
cases for NaN, positive infinity, and negative infinity across
deadlineWithTime and deadlineRemindAt, with the same unchanged-state
expectation and near-identical setup.d401e6169e; exact inspection reproduces one setup/oracle shape.batch-consistency-invariants::repeated-six-argument-test-invocations::validate-and-fix-data-consistency-after-batch-update.spec.ts;
discovered/proposed, unverified.9b448133…; B35.8; 88e9fb50125961e2d103454f2112d982a697f1922206f0114d89978062e0af21.validate-and-fix-data-consistency-after-batch-update.spec.ts:72-669
repeats 18 six-argument calls whose meaningful variations are obscured by
positional defaults. The duplication is test-only; the production function's
signature and behavior are distinct from the proposed helper.5fb3328a1f and remained through 7ca216f64a and 1118e04ddf.debounce-during-startup::remove-unused-operator;
discovered/proposed, unverified.9b448133…; B35.9; ac55d6c7dc2eff9cceed262aebe1c99acf7a8d5328fba06a30effb6d3fae9c3b.debounceDuringStartup only in
debounce-during-startup.operator.ts and its spec. The pair totals 408 lines;
no effect, barrel, dynamic lookup, plugin surface, or documentation consumer
was found. The separately live skipDuringSyncWindow() operator is not part
of this candidate.06e3136dd7 introduced it as a possible future
effects utility; no consumer was ever added.skip-during-sync::remove-deprecated-alias;
discovered/proposed, unverified; compatibility-sensitive.9b448133…; B35.9; 910e08a6c69bc788ee0b80a81b7a75fc4411f5ff12e4998fedc4cd3e8a1d388a.skipDuringSync; live code uses skipWhileApplyingRemoteOps(). The old name
remains only in its alias/tests, stale focus-mode test wording, and
require-hydration-guard.js plus rule tests that recognize both spellings.skipWhileApplyingRemoteOps() unchanged. Do not weaken the distinct full
startup/apply/cooldown skipDuringSyncWindow() rule.b3022c7285 added the alias only for backwards compatibility during the
rename, with no rollout horizon recorded.generic-utility-logs::redact-values;
discovered/proposed, unverified; privacy-sensitive.9b448133…; B35.9; 757f9d9a748ff2f45686a1119cc0e731757b5cb14fc6e960f9fdec0bae6eebe9.wait-for-sync-window.operator.ts passes its generic T
to three exportable Log calls. Current documented use is date-change
strings, but the type permits future user-content values. locale-date.pipe.ts
logs both the input value and caught exception on formatting failure. Exported
log history therefore receives data that is unnecessary to identify the
diagnostic phase.9810c320b1; no
sanitizer boundary guarantees generic T is content-free.owned-utilities::remove-unreferenced-exports;
discovered/proposed, unverified.9b448133…; B35.9; f96195002a7e7470053e7089b81e1466633921446630f1098b167cb15f5aa63a.getEnvNumber, getAllEnv, or
fakeEntityStateFromNumbersArray. PasswordStrengthLevel is used only in its
defining component file, so its export modifier is unused. getAllEnv also
exposes the full generated environment object without a caller.PasswordStrengthLevel file-private.
Preserve active environment accessors, entity factories, and password scoring.electron-add-task::duplicate-effect-validation-and-fake-spec::ipc-parser-boundary;
discovered/proposed, unverified.9b448133…; B35.6 clean replacement;
2a58a02e1acd5a18b6772f31c99f904af4ba2ce3c25fadcea65cfd0233670aef.ipcAddTaskFromAppUri$ parses unknown values through
parseAddTaskFromAppUriPayload and filters nulls at
core/ipc-events.ts:7-18,53-58. Its only repository consumer,
TaskElectronEffects.handleAddTaskFromProtocol$:203-217, repeats payload
validation. The 124-line effect spec immediately replaces that production
observable with a local subject/pipeline, and its validator case tests another
local copy; it therefore exercises neither production path.TaskService.add(title) tap,
and delete the fake spec. Do not add an injection seam solely to test one tap.IPC.ADD_TASK_FROM_APP_URI channel remain. One valid event must add one
task; malformed/non-string/missing values must add none. No task/action/schema
or plugin format changes.time-tracking-tag-cleanup::deprecated-zero-caller-current-plus-archive-path;
discovered/proposed, unverified.9b448133…; B35.6 clean replacement;
8d6f8c327cbecd859e29013d0aec0457e0355a657cd72668ac0f7b6811e12e65.cleanupDataEverywhereForTag only at its declaration in
time-tracking.service.ts:108-144. Runtime/tests use the distinct
cleanupArchiveDataForTag, including ArchiveOperationHandler; current-state
tag cleanup moved into the atomic tag meta-reducer.cleanupArchiveDataForTag exactly.TASK_ARCHIVE; archive shapes, triggers, ordering, and
replay behavior do not change. Out-of-tree deep callers are the residual risk.39a199af096 explicitly moved live tag cleanup into
the meta-reducer, added the archive-only method, and deprecated this copy; no
later consumer was found.task-service-archive-reads::repeated-id-materialization-and-orphan-filter::getArchivedTasks;
discovered/proposed, unverified; sync-sensitive.9b448133…; B35.6 clean replacement;
2deb966697c18bd315365e28807bad7c81fccba1dbf70381227db2762dc00594.task.service.ts:1342-1393,
getAllTasksForProject, getArchiveTasksForRepeatCfgId, getArchivedTasks,
and getAllTasksEverywhere repeat archive load → IDs → entity lookup →
orphan filtering. 29eeb80c327 deliberately added the same type guard to all
copies after orphaned archive IDs caused crashes.getArchivedTasks() while preserving current evaluation order:
snapshot live tasks first, then load archive. Add no new abstraction and keep
all public method names/types.29eeb80c327 demonstrate one
policy maintained in four places.timezone-tests::utility-diagnostics-without-component-or-effect::reminder-short-syntax;
discovered/proposed, unverified.9b448133…; B35.6 clean replacement;
fb64639220988f00f6ad56b950b8e0db2c85e104b12dbbc741eb5a8e4ce182c5.dialog-view-task-reminders.component.tz.spec.ts never
creates the component; its near-midnight date is never passed to getTomorrow
and another case calls the same utility three times.
short-syntax.effects.tz.spec.ts never creates the effect and executes
assertions only for selected LA/Berlin names or winter offsets, allowing
other environments to run zero expectations. Both emit diagnostic console
output.get-db-date-str tests and the normal Berlin/Los Angeles lanes remain, but
deletion must not be represented as owner-level timezone behavior coverage.android-reminder-cancel::paired-base-and-deadline-try-block::delete-bulk-archive;
discovered/proposed, unverified.9b448133…; B35.6 clean replacement;
508617652ab2ec8258600b90bf5d29517ae21fe0e1a00d814459fb19839f611c.task-reminder.effects.ts:256-329 repeat cancellation of the base
notification and its _deadline notification inside identical try/catch
blocks.LOCAL_ACTIONS, action
filters, Android gates, notification ID construction, call order, exception
behavior, and action counts. Done-task, unschedule/dismiss, deadline-only, and
dialog paths stay separate because their gates/sets/errors differ.e2e-diagnostics::snapshot-7810-full-body-and-idb-capture;
discovered/proposed, unverified.9b448133…; B36.2; 8767792f2a6e0c36aff3295574d8a339872e3d4fe3b68a82997ec3eb647b4fb0.supersync-snapshot-vector-clock.spec.ts:2,12-111,159-161,169,190,211-250,325-331
installs request/response listeners, buffers full API bodies, reads IndexedDB
and localStorage, and wraps failures only to log diagnostics. No assertion
consumes the captured state, and the diagnostic clear() has no caller.aa1c13e805 added the block to diagnose #7810; 87212472fa fixed the
cross-test database clobber and reports both files stable under repeated
parallel runs.e2e-diagnostics::stress-unasserted-idb-and-store-probes;
discovered/proposed, unverified.9b448133…; B36.2; 32d5fef4e63a49afefceaa30b0a9809e57276bcc2dd36c3c92d5ba345237b4f4.supersync-stress.spec.ts:255-307 reads SUP_OPS and
converts every success or error outcome into a logged object;
:333-377 inspects an optional global store or DOM fallback and likewise
only logs the result. The actual task-count and done-state assertions are at
:326-330,379-384.064c2452ca introduced the probes as diagnostic logging while fixing the
piggyback limit; later blame is formatting and stability work.e2e-scenarios::large-time-estimate-unobserved-property;
discovered/proposed, unverified.9b448133…; B36.2; 1912500202572e02f0780fb5907c4d85d647a0c075e6ae969f2a3f9d3ca91032.supersync-time-tracking-advanced.spec.ts:253-310 says it
verifies an eight-hour estimate exactly, but :281-305 only creates t:8h
and asserts that the task title is visible on each client. The estimate is
never read or compared, and exact-name search finds no second implementation.expectTaskVisible import, and the suite-header claim; explicitly record
large-estimate precision as uncovered. Do not replace it with another
visibility smoke test.d9f35be660 introduced the broad scenario; later
changes stabilized/formatted it without adding an estimate oracle.e2e-scenarios::planner-future-day-visibility-triplicate;
discovered/proposed, unverified.9b448133…; B36.2; 70c8f45250626ca4808b161310f1af296659ffea7084b14cf5bd824b061c3fd0.supersync-planner.spec.ts:32-86 checks one future task
created with sd:1d. :88-140 repeats the same flow with sd:2d while its
prose falsely claims a move to today; :205-257 repeats it with sd:3d.
Both duplicates search the whole planner and never assert a date bucket.:142-203.d9f35be660 without
bug-specific lineage; later edits were generic E2E stabilization.e2e-scenarios::error-recovery-and-retry-without-fault;
discovered/proposed, unverified.9b448133…; B36.2; b9b5cabc2e26e6c5baba640e350883e300b28fdf2ec73a6ceb0be3664c285757.supersync-error-handling.spec.ts:144-196 labels two
successful sequential uploads as network-failure recovery without inducing a
failure. :198-248 claims retry/idempotency but awaits three completed syncs
after acknowledgement; it neither resends one operation nor overlaps requests.9e8d05f430 introduced both as broad error coverage
with the missing fault/retry present from inception. Exact closure finds
explicit no-op coverage in supersync-no-op-sync.spec.ts:35-72, duplicate-op
injection in supersync-error-scenarios.spec.ts:230-331, and transient-failure
injection in the #8331 spec :69-268.e2e-helpers::unused-supersync-assertion-and-time-display-apis;
discovered/proposed, unverified.9b448133…; B36.3; 1a69b3ad2f75e847a37ac3cfdaea416cf9ca0c37cd00a087000e214b28ea6d5a.expectTaskNotOnAnyClient,
expectTaskDoneOnAllClients, expectTaskOrderMatches,
expectSameTaskOrder, expectTaskExists, expectTimeTrackingActive,
expectTimeTrackingInactive, cleanupTestData, getTaskElementFromPage,
getTaskTimeDisplay, waitForTaskTimeDisplay, expectTaskNotInWorklog, and
getWorklogTaskCount. The time-display pair forms an internal dead chain;
the other symbols occur only at their definitions.supersync-assertions.ts and
supersync-helpers.ts. Preserve every helper with a live scenario consumer
and the generic helpers documented by e2e/CLAUDE.md.f37110bbb5,
e62f2f86fa3, 4b5fc3fb33, and 7ed76c13a4; no adoption was found.e2e-scenarios::worklog-tracked-time-unobserved-property;
discovered/proposed, unverified.9b448133…; B36.3; 6a7f91bc4672d008a71dea12443c2e55c9a81e6c7ac31413a378a144fd9720d6.supersync-worklog.spec.ts:118-204 spends three seconds
tracking, completes and archives the task, then asserts only that its title is
visible. Lines 197-199 explicitly avoid reading the time. Generic worklog
propagation is already asserted earlier in the file, while
supersync.spec.ts:773-865 compares persisted timeSpent across clients.d9f35be660 and never gained one.e2e-scenarios::webdav-same-second-burst-accepts-failures;
discovered/proposed, unverified.9b448133…; B36.3; 0adbeaeffd0a4ac80ca0f3dda157808ca459916e7e019725d1ef10974a1f6390.webdav-single-client-rapid-sync.spec.ts:234-310 claims
ten same-second successful syncs, but the loop serially waits 500 ms plus sync
completion, catches every timeout/error, and passes with only three successes.
It therefore establishes neither same-second overlap nor completion of all
ten attempts.7ed76c13a4; 350e07e6961
relaxed it to its current three-of-ten threshold. Direct flow inspection
reproduces the serial waits and swallowed failures.archive-subtask-tests::payload-echo-does-not-exercise-orphan-cleanup;
discovered/proposed, unverified.9b448133…; B36.3; ebb9ca06833c267861d1dee9973a2a4544978d0eca6d472d3244463443542654.archive-subtask-sync.integration.spec.ts:572-725 builds,
stores, and reconstructs archive payloads but never invokes the task reducer.
Its first case explicitly delegates orphan removal to
task.reducer.spec.ts:827-924; payload preservation is already exercised at
:103-388 and handler flow at :395-569 in the same integration file.dd5741faa70; direct inspection shows no reducer call in the
block and stronger payload/handler owners earlier in the file.compaction-tests::unsynced-and-rejected-without-compaction-call;
discovered/proposed, unverified.9b448133…; B36.3; bd69cda6ef8bf543d49aadfb48d0f00a773b92d7914072e4d9a0e66a5eea9d8f.compaction.integration.spec.ts:234-311 calls compact() or
emergencyCompact(); they only query unsynced operations or mark/read
rejection metadata. Direct compaction owners exist in
operation-log-compaction.service.spec.ts:229-246,553-570, with store query
behavior at operation-log-store.service.spec.ts:489-520 and state-level
integration at state-consistency.integration.spec.ts:295-327.4b8edc91ab1 and was never
upgraded to exercise the service.lww-tests::store-and-utility-self-tests-without-conflict-service;
discovered/proposed, unverified; sync-sensitive.9b448133…; B36.4; accf109c4d3b94e896cdd8fa6068204db369c34c38b4eac6d8c2c313022a9fbf.lww-conflict-resolution.integration.spec.ts:1-1559
imports store and vector-clock utilities but never imports or invokes
ConflictResolutionService. Most cases calculate timestamps/clocks inside
the test and manually call generic rejection/application methods. Its
unconditional equal-timestamp “remote wins” prose also conflicts with the
live stable client-ID tie-breaker.conflict-resolution.service.spec.ts, conflict-persistence integration,
store/vector-clock specs, and supersync-lww-conflict.spec.ts.4d96c8ffff, expanded in
ee7e0750da, and gained documentary payload cases in 527bb229ac without
being converted to a real service test.sync-scenario-tests::shared-db-mock-protocol-without-sync-service;
discovered/proposed, unverified; sync-sensitive.9b448133…; B36.4; 380350aabdcceb57f514712df245df620f926b9ff7f05ab13932e2f816ad354f.sync-scenarios.integration.spec.ts:1-1048 acknowledges
that clients share one IndexedDB and performs neither state application nor UI
conflict resolution. It tests SimulatedClient, MockSyncServer, and store
primitives, not OperationLogSyncService or the real server; “convergence”
assertions compare mock operation counts rather than application state.9a654c0c47; later
changes removed ACKs, renamed types, or moved paths without connecting it to
production synchronization.legacy-archive-tests::opaque-payload-cache-echo-without-import-export;
discovered/proposed, unverified.9b448133…; B36.4; b4895172386076789b23db51354a9bc8e89bc4c056f0259c2b6dea5bfaa7ca5a.legacy-archive-subtasks.integration.spec.ts:1-445
constructs legacyData, puts that same object in a SYNC_IMPORT operation or
state cache, then reads it back. It never invokes legacy parsing, finish-day
archival, export serialization, or an operation applier. The real regression
at e2e/tests/import-export/archive-subtasks.spec.ts:176-275 imports the
legacy fixture, archives, exports, and checks all tasks and relationships.6191c782f0; the
export correction followed in 3bf1cc348f.provider-switch-tests::no-provider-transition-before-after-identity;
discovered/proposed, unverified.9b448133…; B36.4; 0f806d4cd34aea882c59b4730db0a53b510c4a811c660517f708d1859ced569c.provider-switch.integration.spec.ts:43-197 creates only
serverA; at each alleged switch it executes no transition and creates no
second provider, then rereads unchanged rows or writes with the same client.
Later cases in the file at least use a second endpoint, while three browser
suites exercise actual WebDAV/SuperSync provider changes.a7a831c2f1; later
commits only moved or formatted it.integration-harness::definition-only-helper-surface;
discovered/proposed, unverified.9b448133…; B36.4; d75667b114fd1b86c1661d888f6dd672b64c480601f6b8a2b6c022ea38fc312a.getClient, setMockArchive, syncAtoB,
createTestSyncOperation; provider setLatency, setReady,
getCallHistory, getFileCount, createMockProviderWithData; factory
createGenericOperation, createMinimalTagPayload,
createMinimalNotePayload, createMinimalGlobalConfigPayload; simulated
client getOpsBySource; and mock-server getOpsForEntity, receiveUpload,
getOpsSince.9a654c0c47, 6235a3de67, 91dc87a867, and
c29913aeac without adoption. This does not overlap B36-C11's E2E APIs.additionalLog from crash-report surfaceserror-diagnostics::additional-log::crash-alert-and-github-issue;
discovered/proposed, unverified; privacy/security-sensitive.9b448133…; C8;
cc55043380464bc5bb7477418ea9e377e620fbeed50d59ecb8bf3a99ca15042d.packages/sync-providers/src/errors/index.ts:18-35
states that additionalLog may contain raw user data and must never enter a
logger, while retaining raw constructor arguments. HttpNotOkAPIError at
:80-130 retains a raw response/body, and app validation errors at
sync-errors.ts:333-345 retain serialized Typia errors whose values can
contain model content. global-error-handler.util.ts:140-145 renders any
object's additionalLog, and getGithubIssueErrorMarkdown() at :257-318
embeds it under ### AL in the prefilled GitHub issue URL.Error serialization does not itself prove that
additionalLog enters JSON log exports; the alert displays it locally and
prefilled report content leaves the app only if the user follows/submits it.additionalLog
reflection from the crash alert and GitHub markdown. Do not delete the error
property wholesale. If classification is required, retain only fixed error
name/code and reviewed primitive metadata.00526ad712 added alert rendering and 9ca4fabdcc
added ### AL. 91e53bb488 later shifted privacy responsibility to
structured catch-site logging and explicitly prohibited raw additionalLog,
but the older global consumers remained. 4d8605baa3 made the DOM sink XSS-
safe via textContent; it did not make the content privacy-safe.additionalLog.