docs(docs): add initiative 0011 — foundation adoption + process discipline (post-launch sweep, subordinate to 0010 freeze)#1686

Merged
Skords-01 merged 2 commits into main from devin/1777900501-init-0010-foundation-adoption on May 4, 2026

Skords-01 (Owner) commented May 4, 2026

Summary

Adds a new initiative 0011 — Foundation adoption + process discipline (post-launch sweep) to docs/initiatives/ and registers it in the table of active initiatives in docs/initiatives/README.md. The initiative is subordinate to 0010-revenue-first-launch and respects its 4-week scope freeze for shipping billing.

Renumbering note: it was originally numbered 0010, but main merged 0010-revenue-first-launch (#1673) while this PR was being prepared. Renumbered to 0011, and the timeline is aligned with the 0010 freeze.

The initiative combines 18 PRs in 4 phases across two windows:

Overall ETA — 7 weeks from the start, with an 11-week buffer before the Q3-launch deadline 2026-09-30.

This PR is only the plan document. There are no changes to code / CI / runtime here; each phase will produce separate PRs.

Governing Skill

  • Primary skill: sergeant-start-here (planning / governance, not a feature)
  • Secondary skill (if truly needed): n/a

Playbook

  • Primary playbook: n/a — this is a new initiative, not feature execution
  • Why this playbook: the initiative prepares playbooks for its own phases (docs/playbooks/deploy-config-change.md, docs/playbooks/security-pen-test-checklist.md) as part of PR 1.3 / 3.1.
  • If no playbook matched, why: adding a new initiative does not need a playbook; the docs/initiatives/NNNN-slug.md convention plus an update to docs/initiatives/README.md is the standard.

Verification

pnpm lint:tech-debt-freshness                                                   # passed
pnpm lint:hard-rules-registry                                                   # passed (18 rules)
pnpm lint:governance-sync | grep -i "0011\|foundation-adoption"                 # no new errors related to 0011
pnpm prettier --check docs/initiatives/0011-foundation-adoption-and-process-discipline.md docs/initiatives/README.md  # all matched files use Prettier code style

Future-file refs in Phase 1/2/3/4 are wrapped in <placeholder> syntax (for example, scripts/<check-pr-body>.mjs) so that they do not trigger check-governance-sync.mjs as dangling refs (file-template convention from scripts/check-governance-sync.mjs:185).

Pre-existing CI failures (Test coverage (vitest), check) are unrelated to this doc-only PR — confirmed: PR #1685 (another docs-only PR, which was merged) had the same failures on main.

Additional checks:

  • Local smoke / manual validation completed (format matches 0008/0009; the status table in README.md is updated; 0010 row preserved with new 0011 row appended)
  • Surface-specific checks completed (no code/CI/runtime touched)

Docs and Governance

  • I updated docs that changed with the behavior, contract, workflow, or rollout.
  • I checked whether AGENTS.md needed an update. — No, this initiative does not change the hard rules; it only plans to strengthen them (PR 1.1 — PR-template-guard) as a future rule.
  • I checked whether a playbook or skill needed an update. — Phase 1.3 and 3.1 will create new playbooks; this doc PR is only a plan.
  • I checked whether governance docs or review docs needed an update. — docs/initiatives/README.md updated.

Updated docs:

  • docs/initiatives/0011-foundation-adoption-and-process-discipline.md (new, 158 lines)
  • docs/initiatives/README.md (0011 row in the table of active initiatives)

Risk and Rollout

  • User-visible risk: none — this is a plan doc; runtime/UX does not change.
  • Rollout / deploy order: merge → Phase 1 (during the 0010 freeze) → 0010 completes → Phases 2–4 in the launch-readiness sweep.
  • Backout plan: git revert this PR; remove the 0011 row from docs/initiatives/README.md. No follow-up cleanup is needed — nothing is in flight.

Hard Rule #15

  • I read AGENTS.md before coding.
  • Internal docs I touched are in Ukrainian.
  • I did not use --no-verify.

Reviewer Notes

  • Subordination to the 0010 freeze: Phase 1 is explicitly declared freeze-compatible (CI guards, which do not block billing PRs); Phases 2–4 are declared post-0010-launch (≥ 2026-06-02). If the 0010 launch slips, Phases 2–4 slip automatically.
  • Phase 4 — Storybook hand-off: deliberately minimal scope here (only the coverage-baseline metric), so as not to duplicate the ownership of 0007. If the owner of 0007 wants otherwise, that is a topic for clarifying coordination between 0011 and 0007.
  • Future file refs in the Phase plan: wrapped in placeholder syntax (scripts/<check-pr-body>.mjs) per the convention from scripts/check-governance-sync.mjs:185 — otherwise the governance-sync linter failed with 8 dangling refs. The real files will be created in the corresponding PRs.
  • Who leads: roll-up owner @Skords-01. Phase 2 sub-tasks can be delegated through child Devin sessions (1-2 at a time, user decision 2026-05-04).
  • Dependency on 0009: PR 1.1 (PR-template guard) is symmetric with the 0009 PR 1.1 / 1.2 patterns (skills-lock, playbook-language-lint). If 0009 phase 2 prepares a docs/governance/pr-template-required.json registry, merge the enforcement.
  • Overlap with 0008: Phase 3 (hardening verification) is not new hardening work but confirmation of the already closed cards H5/H6/H8/H9 from 0008. A separate risk-pos: the speed at which they were closed on 2026-05-04 (5 cards/day) justifies an externally-verifiable pen-test.
  • Existing PR-body-validator? I noticed that a «PR body validator» check already exists in CI on other PRs. If PR 1.1 duplicates this functionality, Phase 1 will shrink and only the scope needs to be clarified. Noted in the Phase 1 risks.

vercel Bot (Contributor) commented May 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| sergeant | Ready | Preview, Comment | May 4, 2026 1:27pm |

coderabbitai Bot commented May 4, 2026

📝 Walkthrough

A new pre-launch hardening initiative (0010) is documented with four phases: CI guards for process discipline, foundation adoption via migrations and deprecations, hardening verification through security and integration tests, and Storybook coverage hand-off. The initiative is indexed in the README with P0 priority and Sprint 2 ETA.

Changes

Pre-Launch Hardening Initiative Documentation

| Layer / File(s) | Summary |
|---|---|
| Initiative Plan Documentation: docs/initiatives/0010-foundation-adoption-and-process-discipline.md | Defines four-phase initiative: Phase 1 (CI guards for PR template compliance and deployment staging verification), Phase 2 (foundation migrations to useApiForm and <DataState> with useFormValidation deprecation), Phase 3 (security pen-test, server integration, and e2e verification), and Phase 4 (Storybook baseline hand-off to initiative 0007). Includes rationale, scope, DONE criteria, risks, ownership, and timeline breakdown per phase. |
| Initiative Index: docs/initiatives/README.md | Adds initiative 0010 entry to active initiatives table with P0 priority, owner assignment, Sprint 2 ETA, and brief description; updates table header formatting. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

size/M

Poem

🐰 A doc so grand, four phases deep,
With guards and migrations to keep,
Foundation laid, hardening done,
Before the launch, we'll have our fun!
Process discipline, tested and true—
Let's hop to it, PR on through!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The PR title references initiative '0011' but the changeset documents initiative '0010' as the primary change. | Update the title to reference initiative 0010 instead of 0011, or clarify if this PR is about 0011 (a subordinate post-launch initiative). |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
docs/initiatives/0010-foundation-adoption-and-process-discipline.md (1)

158-163: 💤 Low value

Consider router introspection complexity vs manual allowlist.

PR 3.2 proposes using "Express router-introspection or via OpenAPI-spec" to programmatically verify session protection. This approach has trade-offs:

Pros: Automated, catches future regressions
Cons: Complex to implement reliably (line 163 acknowledges false-negative risk from dynamic mounts)

The mitigation is an explicit EXEMPT_ROUTES allowlist, but this creates maintenance burden and somewhat defeats the purpose of automatic discovery.

Consider whether a simpler approach might be more maintainable:

  • Option A (current plan): Router introspection + manual allowlist
  • Option B: Explicit test suite covering all sensitive routes (more manual but clearer)
  • Option C: Schema-driven approach using OpenAPI tags (routes tagged requiresAuth: true)

The current plan is acceptable, but if implementation proves complex, fallback to Option B.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/initiatives/0010-foundation-adoption-and-process-discipline.md` around
lines 158 - 163, The comment flags that router-introspection plus an
EXEMPT_ROUTES allowlist (and requireSession() as the middleware being asserted)
may be overly complex and high-maintenance; update the document to require a
clear fallback plan: implement the automated router-introspection/OpenAPI-spec
approach as the primary method but add explicit acceptance criteria (what counts
as "covered") and a trigger to fall back to Option B (manual explicit test
suite) if dynamic mounts or false-negatives are detected during implementation;
also add guidance to minimize EXEMPT_ROUTES maintenance (single canonical
EXEMPT_ROUTES constant and review checklist) and optional longer-term migration
to Option C (OpenAPI tag requiresAuth:true) so maintainers know to prefer
schema-driven tagging when available.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: cdaba324-d066-4480-9bae-8c77a9b9455a

📥 Commits

Reviewing files that changed from the base of the PR and between 82c5057 and 4764e4e.

📒 Files selected for processing (2)
  • docs/initiatives/0010-foundation-adoption-and-process-discipline.md
  • docs/initiatives/README.md
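
The coverage check weighed in the review comment above (Option A), as an added example that is not the project's code: it walks a route stack, flags routes that lack `requireSession` and are not in `EXEMPT_ROUTES`, and reports unresolved mounts and stale exemptions instead of hiding them. The layer shape follows Express 4 internals as an assumption; `mountPath`, the sample routes and the name `auditSessionCoverage` are constructed for illustration.

```javascript
// Layer fields (stack, route, handle, name) assume Express 4 internals.
// `mountPath` is hypothetical: Express keeps only a compiled regexp per mount.
const EXEMPT_ROUTES = new Set(["GET /healthz", "POST /auth/login", "GET /legacy/ping"]);

function auditSessionCoverage(stack, exempt, guardName = "requireSession") {
  const seen = new Set();
  const report = { unprotected: [], unresolved: [], staleExemptions: [] };
  const covers = (g, path) => g === "" || path === g || path.startsWith(g + "/");
  function walk(layers, inherited, prefix) {
    const guards = [...inherited]; // guard prefixes registered so far, in order
    for (const layer of layers) {
      if (layer.route) {
        const path = prefix + layer.route.path;
        // A route-level guard only counts if it runs before the final handler.
        const inline = layer.route.stack.slice(0, -1).some((l) => l.name === guardName);
        const guarded = inline || guards.some((g) => covers(g, path));
        for (const method of Object.keys(layer.route.methods)) {
          const id = `${method.toUpperCase()} ${path}`;
          seen.add(id);
          if (!guarded && !exempt.has(id)) report.unprotected.push(id);
        }
      } else if (layer.name === guardName) {
        guards.push(prefix + (layer.mountPath || "").replace(/\/$/, ""));
      } else if (layer.name === "router") {
        // Unknown mount point: report it rather than skip it (false-negative risk).
        if (typeof layer.mountPath !== "string") report.unresolved.push(prefix + "<unknown mount>");
        else walk(layer.handle.stack, guards, prefix + layer.mountPath);
      }
    }
  }
  walk(stack, [], "");
  report.staleExemptions = [...exempt].filter((id) => !seen.has(id));
  return report;
}

// Constructed sample stack (not taken from the project).
const mw = (name) => ({ name, handle() {} });
const route = (path, methods, ...names) => ({
  route: { path, methods: Object.fromEntries(methods.map((m) => [m, true])), stack: names.map(mw) },
});
const SAMPLE_STACK = [
  route("/healthz", ["get"], "handler"),
  route("/auth/login", ["post"], "handler"),
  route("/api/profile", ["get"], "requireSession", "handler"),
  route("/api/export", ["get"], "handler"), // no guard, not exempt
  { name: "requireSession", mountPath: "/admin" }, // app.use("/admin", requireSession)
  route("/admin/users", ["get", "delete"], "handler"),
  { name: "router", handle: { stack: [route("/items", ["get"], "handler")] } },
];
console.log(auditSessionCoverage(SAMPLE_STACK, EXEMPT_ROUTES));
```

A non-empty `unresolved` list is the kind of signal that could serve as the trigger for falling back to the explicit test suite (Option B), and `staleExemptions` keeps the allowlist from accumulating dead entries.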

devin-ai-integration Bot and others added 2 commits May 4, 2026 13:26
…pline

Closes adoption gap left by 0007/0008/0009.

Foundation-tools without consumers: #1614 useApiForm,

Process-incidents to close: #1571 empty-body,

Plus CSP_DISABLE retrospective audit.

Co-Authored-By: Сон Хер <dmytro.s.stakhov@gmail.com>
Co-Authored-By: Сон Хер <dmytro.s.stakhov@gmail.com>
@Skords-01 Skords-01 force-pushed the devin/1777900501-init-0010-foundation-adoption branch from 4764e4e to 87061ef Compare May 4, 2026 13:26
@github-actions github-actions Bot added the size/M label May 4, 2026
@Skords-01 Skords-01 changed the title docs(docs): add initiative 0010 — foundation adoption + process discipline (pre-launch sweep) docs(docs): add initiative 0011 — foundation adoption + process discipline (post-launch sweep, subordinate to 0010 freeze) May 4, 2026
@Skords-01 Skords-01 merged commit 7b1eec8 into main May 4, 2026
28 of 44 checks passed
@Skords-01 Skords-01 deleted the devin/1777900501-init-0010-foundation-adoption branch May 4, 2026 13:30
github-actions Bot commented May 4, 2026

⏱️ CI Pipeline Duration Report

Based on the last 50 successful runs on the default branch.

Overall Pipeline

| Metric | Value |
|---|---|
| p50 | 6m 26s |
| p95 | 7m 55s |
| p99 | 9m 3s |
| Current run | 6m 42s |
| vs p95 | -15.4% |

Trend (last 20 runs): ▃▃▁▂▃▃▃▂▃▃▂▂▄▃▃▆▅▄█▆

Per-Job Breakdown

| Job | p50 | p95 | p99 | Current | vs p95 |
|---|---|---|---|---|---|
| Accessibility (axe-core) | 2m 5s | 2m 21s | 2m 23s | 0s | -100.0% |
| Commit messages (commitlint) | 0s | 0s | 0s | 31s | N/A |
| Critical-flow E2E (Playwright) | 1m 36s | 1m 44s | 1m 44s | 6m 13s | +258.7% |
| Migration lint (AGENTS rule | 0s | 0s | 0s | 7s | N/A |
| Pipeline duration (p95 trend) | 26s | 27s | 27s | | |
| Secret scan (gitleaks) | 8s | 11s | 11s | 10s | -9.1% |
| Smoke E2E (Playwright) | 1m 26s | 1m 40s | 1m 40s | | |
| Test coverage (vitest) | 2m 4s | 2m 33s | 2m 33s | 2m 21s | -7.8% |
| Workflow lint (actionlint) | 7s | 7s | 7s | 8s | +14.3% |
| check | 4m 12s | 4m 54s | 5m 6s | 58s | -80.3% |
| tsconfig strict guard (PR-1.A) | 5s | 14s | 14s | 8s | -42.9% |
