# Refactor Execution Progress

Companion to [REFACTOR_PLAN.md](REFACTOR_PLAN.md). The plan is **read-only**: never edit it. All progress, deviations, and lessons go HERE.

## Rules for the executing model

1. Before starting an item: set its Status to `in-progress`.
2. After finishing: set Status (`done` / `blocked` / `needs-review` / `skipped`), fill Commit with the short SHA, add Notes if anything was non-obvious.
3. **⚠️ items:** implement on the branch, set Status to `needs-review`, do NOT merge. A human or stronger model reviews the diff.
4. If the code does not match the plan's description (moved, already fixed, different shape): set `blocked`, write what you found in Notes, move to the next item. Do not improvise.
5. If you learn something that affects later items (e.g. "FK cascade route chosen in CORR-05, so DEAD-11's helper is gone"), add it to **Lessons Learned** at the bottom — next session reads it before starting.
6. One commit per item: `<ID>: <one-line description>`.
7. End of session: append a row to **Session Log**.

**Status values:** `pending` · `in-progress` · `done` · `needs-review` (⚠️ implemented, awaiting human) · `blocked` (mismatch/failed, see Notes) · `skipped` (owner decision) · `n/a`

## Owner decisions required (blocks the marked items)

| Decision | Blocks | Roberto's answer |
|---|---|---|
| Encrypt relational labels vs document + KEK only | SEC-16 | _pending_ |
| Web SPA token: httpOnly cookie vs in-memory vs defer | SEC-22 | _pending_ |
| Local at-rest encryption: SQLCipher / OS FDE / backup-key | SEC-28 | _pending_ |
| Delete chat.py HTTP routes or keep as public API | DEAD-04 | _pending_ |
| Wire backup-key.ts or delete | DEAD-07 | _pending_ |
| Decay fix: pure-function vs last_decayed_at column | CORR-08 | _pending_ |
| Python lock tool: uv vs pip-compile | DEPS-04 | _pending_ |

---

## Phase 0 — Mechanical quick wins
Branch: `refactor/phase-0` · Verify after each: `cd api && ruff check . && pytest` / `cd adiuvAI && npm run lint && npx tsc --noEmit`

| ID | ⚠️ | Status | Commit | Notes |
|---|---|---|---|---|
| TYPE-01 | | pending | | |
| DEPS-01 | | pending | | |
| DEAD-10 | | pending | | |
| DEAD-01 | | pending | | |
| DEAD-02 | | pending | | |
| DEAD-05 | | pending | | |
| DEAD-08 | | pending | | |
| DEPS-08 | | pending | | |
| DEAD-11 | | pending | | |
| DEAD-12 | | pending | | |
| PERF-14 | | pending | | |
| PERF-18 | | pending | | |
| CORR-20 | | pending | | |

## Phase 1 — Critical & High security (ALL ⚠️ — implement, never merge unreviewed)
Branch: `refactor/phase-1-security`

| ID | ⚠️ | Status | Commit | Notes |
|---|---|---|---|---|
| SEC-01 | ⚠️ | pending | | |
| SEC-05 | ⚠️ | pending | | |
| SEC-06 | ⚠️ | pending | | |
| SEC-07 | ⚠️ | pending | | |
| SEC-20 | ⚠️ | pending | | |
| SEC-02 | ⚠️ | pending | | |
| SEC-14 | ⚠️ | pending | | do before SEC-19 (shared startup guard) |
| SEC-19 | ⚠️ | pending | | |
| SEC-09 | ⚠️ | pending | | |
| SEC-08 | ⚠️ | pending | | deploy together with env value |
| SEC-04 | ⚠️ | pending | | |
| SEC-15 | ⚠️ | pending | | |
| SEC-03 | ⚠️ | pending | | migration design — human-led |

## Phase 2 — Critical & High correctness
Branch: `refactor/phase-2-correctness`

| ID | ⚠️ | Status | Commit | Notes |
|---|---|---|---|---|
| CORR-01 | ⚠️ | pending | | with CORR-02, same files |
| CORR-02 | ⚠️ | pending | | |
| CORR-12 | | pending | | before CORR-04 (frame contract) |
| CORR-04 | | pending | | |
| CORR-06 | | pending | | |
| CORR-05 | ⚠️ | pending | | deletes data — human review |
| CORR-03 | | pending | | |

## Phase 3 — Medium security + remaining correctness
Branch: `refactor/phase-3`

| ID | ⚠️ | Status | Commit | Notes |
|---|---|---|---|---|
| SEC-10 | ⚠️ | pending | | |
| SEC-11 | ⚠️ | pending | | mechanical |
| SEC-12 | ⚠️ | pending | | two-repo |
| SEC-13 | ⚠️ | pending | | two-repo, keep fallback one release |
| SEC-17 | ⚠️ | pending | | Redis intro — with SEC-18 |
| SEC-18 | ⚠️ | pending | | |
| SEC-27 | ⚠️ | pending | | |
| SEC-21 | ⚠️ | pending | | |
| SEC-23 | ⚠️ | pending | | mechanical |
| SEC-24 | ⚠️ | pending | | |
| SEC-25 | ⚠️ | pending | | needs SEC-08 first |
| SEC-26 | ⚠️ | pending | | mechanical |
| SEC-16 | ⚠️ | skipped | | awaiting owner decision |
| SEC-22 | ⚠️ | skipped | | awaiting owner decision |
| SEC-28 | ⚠️ | skipped | | awaiting owner decision |
| SEC-29 | ⚠️ | pending | | no code change — verify + close |
| SEC-30 | ⚠️ | pending | | mechanical |
| SEC-31 | ⚠️ | pending | | |
| SEC-32 | ⚠️ | pending | | |
| SEC-33 | | pending | | |
| SEC-34 | ⚠️ | pending | | infra, not repo code |
| SEC-35 | ⚠️ | pending | | mechanical |
| SEC-36 | ⚠️ | pending | | full packaged-app regression |
| CORR-07 | | pending | | |
| CORR-08 | | skipped | | awaiting owner decision |
| CORR-09 | ⚠️ | pending | | migration + dedupe |
| CORR-10 | ⚠️ | pending | | cap value judgment |
| CORR-11 | | pending | | |
| CORR-13 | ⚠️ | pending | | classify call sites |
| CORR-14 | | pending | | |
| CORR-15 | | pending | | |
| CORR-16 | ⚠️ | pending | | irreversible path — review |
| CORR-17 | | pending | | |
| CORR-18 | | pending | | |
| CORR-19 | | pending | | |
| CORR-21 | | pending | | |

## Phase 4 — Performance
Branch: `refactor/phase-4-perf`

| ID | ⚠️ | Status | Commit | Notes |
|---|---|---|---|---|
| PERF-01 | | pending | | |
| PERF-02 | ⚠️ | pending | | strong-model territory |
| PERF-03 | | pending | | LIMIT part urgent + mechanical |
| PERF-04 | | pending | | test migration on populated dev DB |
| PERF-05 | | pending | | coordinate with CORR-09 |
| PERF-09 | | pending | | |
| PERF-10 | | pending | | |
| PERF-06 | | pending | | |
| PERF-07 | | pending | | or fold into QUAL-03 later |
| PERF-08 | | pending | | |
| PERF-11 | | pending | | |
| PERF-12 | | pending | | |
| PERF-13 | | pending | | |
| PERF-15 | | pending | | |
| PERF-16 | | pending | | |
| PERF-17 | | pending | | two-repo |
| PERF-19 | | pending | | defer OK |
| PERF-20 | | pending | | superseded if SEC-17 Redis lands |
| PERF-21 | | pending | | |
| PERF-22 | | pending | | |

## Phase 5 — Dependencies & tooling
Branch: `refactor/phase-5-deps`

| ID | ⚠️ | Status | Commit | Notes |
|---|---|---|---|---|
| DEPS-02 | | pending | | |
| DEPS-03 | | pending | | |
| DEPS-04 | | skipped | | awaiting owner decision (tool) |
| TYPE-02 | ⚠️ | pending | | config choices |
| TYPE-03 | | pending | | after TYPE-01 |
| DEPS-05 | ⚠️ | pending | | dedicated PR |
| DEPS-06 | ⚠️ | pending | | dedicated PR, native rebuild |
| DEPS-07 | | n/a | | monitor only |

## Phase 6 — Structural refactors (LAST — invalidates plan line numbers)
Branch: `refactor/phase-6-quality`

| ID | ⚠️ | Status | Commit | Notes |
|---|---|---|---|---|
| QUAL-02 | ⚠️ | pending | | before QUAL-03 |
| QUAL-03 | ⚠️ | pending | | |
| QUAL-01 | | pending | | with QUAL-11 |
| QUAL-04 | ⚠️ | pending | | prototype on clients first |
| QUAL-05 | | pending | | |
| QUAL-06 | ⚠️ | pending | | after CORR-07 |
| QUAL-07 | ⚠️ | pending | | characterization tests first |
| QUAL-08 | | pending | | with QUAL-12 |
| QUAL-09 | | pending | | |
| QUAL-10 | | pending | | |
| QUAL-11 | ⚠️ | pending | | |
| QUAL-12 | | pending | | |
| QUAL-13 | | pending | | |
| QUAL-14 | | pending | | store built in SEC-18; file moves here |
| QUAL-15 | | pending | | |
| TYPE-04 | | pending | | with QUAL-05 |
| TYPE-05 | | pending | | |
| TYPE-06 | | pending | | |
| TYPE-07 | | pending | | |
| DEAD-04 | ⚠️ | skipped | | awaiting owner decision |
| DEAD-07 | ⚠️ | skipped | | awaiting owner decision |

---

## Lessons Learned

_Append findings that affect later items. Format: `- [ID] lesson`_

(none yet)

## Session Log

| Date | Model | Phase | Items touched | Outcome |
|---|---|---|---|---|
| | | | | |