[AZ-512] Cycle 4 Steps 12-15: test-spec sync + docs + sec + perf

Steps 12-15 closure for cycle 4 (AZ-512 admin class inline edit): - Step 12 (Test-Spec Sync): traceability O9 -> Covered; new FT-P-62 + FT-N-18 in blackbox-tests.md. - Step 13 (Update Docs): AdminPage module doc gains the inline-edit state slots, four new handlers, PATCH integrations row, expanded i18n key list, tests section. architecture.md row 272 now lists PATCH /api/admin/classes/{id} with AZ-513 deploy-gate caveat. - Step 14 (Security Audit): cycle-4 delta report records one new LOW finding (F-SAST-CY4-1 lost-update / mid-air-collision on PATCH, by design per spec); verdict carries PASS_WITH_WARNINGS; bun audit re-run clean. - Step 15 (Performance Test): NFT-PERF-01 bundle = 291 332 B (+757 B / +0.26% vs cycle 3; ~13.89% of 2 MB budget); PASS. Tests 243 passed / 13 skipped / 0 failed (+12 AZ-512 cases). Co-authored-by: Cursor <cursoragent@cursor.com>
[AZ-512] Admin class inline edit form + PATCH wiring (cy4 batch 16)
2026-06-22 23:51:10 +00:00 · 2026-05-13 04:51:17 +03:00 · 2026-05-13 04:35:13 +03:00 · 2026-05-13 04:21:32 +03:00 · 2026-05-13 04:15:37 +03:00
23 changed files with 1494 additions and 23 deletions
@@ -269,7 +269,7 @@ contract beautifully and accessibly".
 | `06_annotations/AnnotationsSidebar` | `annotations/`, `detect/` | REST + SSE | Request-Response + Event | `POST /api/detect/${mediaId}` (sync detect — used for BOTH images and videos today); `createSSE('/api/annotations/annotations/events', ...)` for **annotation-status SSE** (NOT detect progress). **No `/api/detect/video/${id}` and no `/api/detect/stream/${jobId}` are wired today** — finding #10 / #21 confirmed. |
 | `06_annotations/CanvasEditor` | `annotations/` | static asset GET | — | `GET /api/annotations/annotations/${id}/image` (annotation thumbnail), `GET /api/annotations/media/${id}/file` (raw media). |
 | `07_dataset/DatasetPage` | `annotations/` | REST | Request-Response | `GET /api/annotations/dataset?...`, `GET /api/annotations/dataset/${annotationId}`, `POST /api/annotations/dataset/bulk-status`, **`GET /api/annotations/dataset/class-distribution`** (the endpoint **already exists**; the chart UI is what's missing — see `01_legacy_coverage_gaps.md`), `<img src="/api/annotations/annotations/${id}/thumbnail">`. **Editor tab does not save** — finding #4. |
-| `08_admin/AdminPage` | `annotations/` + `admin/` + `flights/` | REST | Request-Response | `GET /api/annotations/classes` (read), `POST /api/admin/classes` (create), `DELETE /api/admin/classes/${id}` (delete — no ConfirmDialog, finding B4), `POST /api/admin/users`, `PATCH /api/admin/users/${id}` (deactivate), `GET /api/flights/aircrafts`, `PATCH /api/flights/aircrafts/${id}`. **Cross-service reads** — admin page reads aircraft from `flights/` and classes from `annotations/`. |
+| `08_admin/AdminPage` | `annotations/` + `admin/` + `flights/` | REST | Request-Response | `GET /api/annotations/classes` (read), `POST /api/admin/classes` (create), **`PATCH /api/admin/classes/${id}` (update — AZ-512 inline edit; full body always sent per Risk-2 mitigation; live deploy gates on `admin/` AZ-513)**, `DELETE /api/admin/classes/${id}` (delete — no ConfirmDialog, finding B4), `POST /api/admin/users`, `PATCH /api/admin/users/${id}` (deactivate), `GET /api/flights/aircrafts`, `PATCH /api/flights/aircrafts/${id}`. **Cross-service reads** — admin page reads aircraft from `flights/` and classes from `annotations/`. |
 | `09_settings/SettingsPage` | `annotations/` + `flights/` | REST | Request-Response | `GET/PUT /api/annotations/settings/system`, `GET/PUT /api/annotations/settings/directories`, `GET /api/flights/aircrafts`, `PATCH /api/flights/aircrafts/${id}`. **Settings endpoints route to `annotations/`**, NOT `admin/` as initially drafted. |
 | `05_flights/FlightsPage` | `flights/` | REST + SSE | Request-Response + Event | `GET /api/flights/aircrafts`, `GET /api/flights/${id}/waypoints`, **`createSSE('/api/flights/${id}/live-gps', ...)` — live-GPS SSE for aircraft telemetry**, `POST /api/flights`, `DELETE /api/flights/${id}`, `DELETE /api/flights/${id}/waypoints/${wpId}` (loop), `POST /api/flights/${id}/waypoints` (loop, lossy shape — finding #20). |
 | `05_flights/flightPlanUtils` | OpenWeatherMap (external) | REST | Request-Response | `GET https://api.openweathermap.org/data/2.5/onecall?...` with env-resolved key + base URL since AZ-448 / AZ-449 (closes the original security finding; see AC-20 + AC-42). |
@@ -14,7 +14,7 @@
 | Export | Notes |
 |--------|-------|
-| `AdminPage()` | Top-level route component. Sub-sections: Users, Detection Classes, AI Settings, GPS Settings, Aircraft default. |
+| `AdminPage()` | Top-level route component. Sub-sections: Users, Detection Classes, AI Settings, GPS Settings, Aircraft default. Detection Classes table supports the full CRUD surface — add, **edit** (AZ-512 inline form on row click of the ✎ button; PATCH `/api/admin/classes/{id}` with full body per Risk-2 mitigation; Enter saves, Escape cancels; inline validation for empty name and non-positive maxSizeM; closes Architecture Vision P12), delete. |
 ## 3. External API Specification
@@ -22,7 +22,7 @@
 |--------|------|---------|
 | GET / POST / PUT / DELETE | `/api/admin/users` | User CRUD |
 | GET | `/api/annotations/classes` | Read class list (note: read uses `annotations/`, write uses `admin/`) |
-| POST / PUT / DELETE | `/api/admin/classes` | Class CRUD |
+| POST / PATCH / DELETE | `/api/admin/classes` | Class CRUD. PATCH `/api/admin/classes/{id}` powers the inline edit affordance (AZ-512) and accepts a full or partial body of `{ name?, shortName?, color?, maxSizeM? }`. **Cross-workspace note**: as of AZ-512 ship, the live `admin/` service still owes the write routes (POST + PATCH + DELETE) per **AZ-513** on `admin/`; UI ships against MSW stubs until that lands. |
 | GET / PUT | `/api/admin/settings/ai` | AI service config |
 | GET / PUT | `/api/admin/settings/gps` | GPS device config |
 | GET / PUT | `/api/admin/settings/aircraft-default` | Aircraft default |
@@ -1,7 +1,8 @@
 # Module: `src/features/admin/AdminPage.tsx`
-> **Source**: `src/features/admin/AdminPage.tsx` (209 lines)
+> **Source**: `src/features/admin/AdminPage.tsx`
 > **Topo batch**: B4 (depends on B3: `api/client`, `components/ConfirmDialog`, `types/index`)
 > **Cycle 4 update (2026-05-13, AZ-512)**: gained an inline "edit detection class" affordance — see the new state slots, the `handleStartEdit / handleCancelEdit / handleUpdateClass / handleEditKeyDown` handlers, the PATCH row in the External integrations table, the new i18n keys consumed, and the FT-P-62 / FT-N-18 entries under Tests. Closes Architecture Vision principle **P12** (Objective O9 in `tests/traceability-matrix.md`). Implementation shipped against MSW stubs under the user-authorized Option B path; the live deploy gate remains until AZ-513 ships on the `admin/` workspace.
 ## Purpose
@@ -37,6 +38,16 @@ No props. Reads everything via `api/client` and local state.
    'Annotator' }`).
  - `deactivateId: string | null` — drives the `ConfirmDialog`'s open
    state for user deactivation.
  - `editingId: number | null` — id of the detection class currently
    in inline-edit mode (AZ-512). A single value, not per-row, so
    opening one row's editor closes any other (AC-2 single-row
    invariant / Risk 3 mitigation).
  - `editForm: { name; shortName; color; maxSizeM }` — the inline-edit
    staging buffer; seeded from the row on edit-start.
  - `editError: 'nameRequired' | 'maxSizeMustBePositive' | 'updateFailed' | null` —
    discriminated error kind rendered as an inline `role="alert"`.
  - `editSaving: boolean` — disables Save + Cancel while the PATCH is
    in flight (Risk 4 mitigation).
 - **Bootstrap effect** (`useEffect([])` — runs once at mount):
  ```ts
@@ -68,6 +79,30 @@ No props. Reads everything via `api/client` and local state.
  ConfirmDialog** despite this being destructive. Inconsistent with
  the user-deactivation flow which uses ConfirmDialog. Flag for Step 4
  against `_docs/ui_design/README.md` confirmation-dialog spec.
 - **`handleStartEdit(c)`** (AZ-512): sets `editingId = c.id`, seeds
  `editForm` from `c`, clears `editError`. Triggered by the per-row
  pencil (✎) affordance.
 - **`handleCancelEdit()`** (AZ-512): clears `editingId`, `editError`,
  `editSaving`. No network call. Also fires on **Escape** inside the
  form (AC-4).
 - **`handleUpdateClass()`** (AZ-512):
  1. Guard: `editingId !== null && !editSaving`.
  2. Validation: `editForm.name.trim()` non-empty (else
     `setEditError('nameRequired')`); `editForm.maxSizeM > 0` (else
     `setEditError('maxSizeMustBePositive')`). Both pre-empt the
     network call (AC-5).
  3. `setEditSaving(true)`.
  4. `await api.patch(endpoints.admin.class(editingId), editForm)` —
     **the complete `editForm` is always sent** (Risk 2 mitigation:
     the backend's partial-merge vs full-replace semantics become
     equivalent for the UI).
  5. On success: `await api.get(endpoints.annotations.classes())`,
     `setClasses(...)`, `setEditingId(null)`.
  6. On failure: `setEditError('updateFailed')` — form stays open,
     edits intact, NO `alert()` (Finding B4 anti-pattern).
 - **`handleEditKeyDown(e)`** (AZ-512): Enter → `handleUpdateClass`;
  Escape → `handleCancelEdit`. Wired at the container level so any
  input in the form respects it.
 - **`handleAddUser()`** — analogous to `handleAddClass` against
  `POST endpoints.admin.users()` and `GET endpoints.admin.users()`
  (both → `/api/admin/users`). Guards on `email && password`.
@@ -85,6 +120,11 @@ No props. Reads everything via `api/client` and local state.
  the UI does not).
 - **Layout** (left → center → right, all in one horizontal flex):
  - **Left column** (`w-[340px]`): detection-classes table + add row.
    Each read-only row carries a pencil (✎) edit button and a `×`
    delete button (AZ-512). When `c.id === editingId`, that row's
    cells collapse into a single `colspan=3` form holding name /
    shortName / color / maxSizeM inputs + Save + Cancel (with an
    inline `role="alert"` directly below on validation/server error).
  - **Center column** (`flex-1 max-w-md`): AI settings form, GPS
    settings form, users table + add row. The AI and GPS forms have
    `defaultValue` only — there is **no** state, no `Save` handler
@@ -115,10 +155,15 @@ backend assigns `id` and other server-managed fields.
 ## Configuration
- **i18n keys consumed**: `admin.classes`, `admin.aiSettings`,
+- **i18n keys consumed**: `admin.classes.title` (was flat
  `admin.classes` pre-AZ-512), `admin.classes.edit`,
  `admin.classes.save`, `admin.classes.cancel`,
  `admin.classes.nameRequired`, `admin.classes.maxSizeMustBePositive`,
  `admin.classes.updateFailed`, `admin.aiSettings`,
  `admin.gpsSettings`, `admin.users`, `admin.aircrafts`,
  `admin.deactivate`, `common.save`. (Confirmed present in
-  `src/i18n/en.json` admin/common groups.) Plenty of hardcoded
+  `src/i18n/en.json` admin/common groups; ua mirror enforced by the
  FT-P-22 parity gate.) Plenty of hardcoded
  English strings — placeholders ("Name", "Email", "Password"), table
  headers (`#`, `Name`, `Color`, `Email`, `Role`, `Status`), role
  options (`Annotator`, `Admin`, `Viewer`), the GPS protocol options
@@ -143,6 +188,7 @@ backend assigns `id` and other server-managed fields.
 |---|---|---|
 | `GET` | `endpoints.annotations.classes()` → `/api/annotations/classes` | List detection classes (read path uses annotations service) |
 | `POST` | `endpoints.admin.classes()` → `/api/admin/classes` | Create detection class (write path uses admin service) |
 | `PATCH` | `endpoints.admin.class(id)` → `/api/admin/classes/{id}` | Update detection class (AZ-512 — full body always sent; same URL as DELETE, no new endpoint helper introduced per task constraint) |
 | `DELETE` | `endpoints.admin.class(id)` → `/api/admin/classes/{id}` | Delete detection class |
 | `GET` | `endpoints.flights.aircrafts()` → `/api/flights/aircrafts` | List aircraft |
 | `PATCH` | `endpoints.flights.aircraft(id)` → `/api/flights/aircrafts/{id}` | Toggle `isDefault` |
@@ -175,7 +221,19 @@ Path builders live in `src/api/endpoints.ts` (since AZ-486 / F7). Routed by `ngi
 ## Tests
-None.
+- `tests/admin_class_edit.test.tsx` (cycle 4, AZ-512) — 12 cases
  covering AC-1 through AC-6 + AC-8; AC-7 covered by the static
  FT-P-22 i18n parity gate. Traces to FT-P-62 + FT-N-18 in
  `_docs/02_document/tests/blackbox-tests.md`.
 - `tests/destructive_ux.test.tsx` (cycle 1) — AZ-466 class-delete
  destructive-UX `it.fails()` + control pair. Updated cycle 4 to
  target the `×` delete button by text after the AZ-512 ✎ button
  was added to the same row's action cell.
 No dedicated `AdminPage` happy-path test predates AZ-512; the AC-8
 regression guard in `admin_class_edit.test.tsx` covers Add and
 Delete inline. A broader AdminPage test fixture is a Phase B
 candidate.
 ## Notes / open questions
@@ -1649,6 +1649,50 @@ The scenarios below were appended via `/test-spec` cycle-update mode after Phase
 ---
 ### FT-P-62: AdminPage class edit — inline form + PATCH wire contract + refresh
 **Traces to**: O9 (P12) — landed cycle 4 / 2026-05-13 by AZ-512.
 **Profile**: fast
 **Input data**: an `<AdminPage>` mount with at least one detection class loaded via `GET /api/annotations/classes`; the user activates the row's edit (✎) affordance.
 **Steps**:
 | Step | Consumer Action | Expected System Response |
 |------|----------------|------------------------|
 | 1 | Inspect each rendered row | One edit (✎) button per class row (AC-1) |
 | 2 | Click the edit (✎) on row N | Row N replaces its read-only cells with editable `name` / `shortName` / `color` / `maxSizeM` inputs seeded with the row's current values; Save + Cancel buttons appear; no other row is in edit mode (AC-2 single-row invariant) |
 | 3 | Click edit (✎) on row M while row N is editing | Row N reverts to read-only; row M enters edit mode |
 | 4 | Modify `name` and click **Save** (or press **Enter** inside the form) | Exactly one `PATCH /api/admin/classes/{N}` is observed with body `{ name, shortName, color, maxSizeM }` (full body per Risk-2 mitigation); on 200/2xx `<AdminPage>` re-fetches via `GET /api/annotations/classes` and row N re-renders read-only with the new values (AC-3) |
 **Pass criteria**: zero PATCH calls before step 4; exactly one PATCH in step 4 with the complete editable shape; URL pattern `^/api/admin/classes/\d+$`; success-path refresh observed via the existing `GET /api/annotations/classes` builder (no new endpoint introduced — `endpoints.admin.class(id)` reused per task constraint).
 **Max execution time**: 5s.
 **Expected result source**: `_docs/02_tasks/done/AZ-512_admin_edit_detection_class.md` AC-1..AC-3.
 ---
 ### FT-N-18: AdminPage class edit — error paths (Cancel, validation, 5xx)
 **Traces to**: O9 (P12), O10 (B4 anti-pattern: no `alert()`) — landed cycle 4 / 2026-05-13 by AZ-512.
 **Profile**: fast
 **Input data**: `<AdminPage>` mounted with at least one class loaded; the row's edit form is open.
 **Steps**:
 | Step | Consumer Action | Expected System Response |
 |------|----------------|------------------------|
 | 1 | Modify any field; click **Cancel** (or press **Escape** in the form) | Zero PATCH observed; row reverts to original read-only values (AC-4) |
 | 2 | Clear `name`; click Save | Zero PATCH observed; inline `role="alert"` element renders `admin.classes.nameRequired` (en / ua localized) (AC-5) |
 | 3 | Set `maxSizeM ≤ 0` or NaN; click Save | Zero PATCH observed; inline `role="alert"` renders `admin.classes.maxSizeMustBePositive` (AC-5) |
 | 4 | Stub PATCH to return 500; click Save with valid fields | Exactly one PATCH observed (counterpart to FT-P-62 step 4); form stays open with the user's edits intact; inline `role="alert"` renders `admin.classes.updateFailed`; `window.alert` is NEVER called (AC-6 — Finding B4 anti-pattern enforced) |
 **Pass criteria**: every error path produces exactly the documented network footprint and exactly the documented inline error key; `window.alert` is spied and asserted-zero across the entire scenario (the STC-SEC7 static check independently guards the no-`alert()` invariant in production source).
 **Max execution time**: 10s.
 **Expected result source**: `_docs/02_tasks/done/AZ-512_admin_edit_detection_class.md` AC-4 / AC-5 / AC-6.
 ---
 ## Notes carried into Phase 3
 - All tests tagged `quarantined` correspond to features either pending a Step 4 fix (e.g., AC-13 i18n detector, AC-21 panel persistence, AC-22 role-gate, AC-26/27 form hygiene, AC-39 split surface, AC-40 tile zoom) or pending Phase B implementation (AC-11 bundle gate, AC-24 SSE refresh, AC-25 async video, AC-40 tile zoom). The test is written so it activates the day the implementation lands; Phase 3 will surface them for downgrade or accept.
@@ -96,7 +96,7 @@ Maps every acceptance criterion and every restriction in `_docs/00_problem/` to
 | O6 | No hardcoded credentials | NFT-SEC-09 | Covered |
 | O7 | Spec is source of truth for numeric enums | FT-P-04, FT-P-05, FT-P-06 | Covered |
 | O8 | Persist what you type (panel widths) | FT-P-37 [Q], FT-P-38 [Q] | Covered (quarantined) |
-| O9 | Admin can edit existing detection classes (P12) | NOT COVERED — feature missing today (`acceptance_criteria.md` notes P12 violation; PATCH endpoint to re-introduce in Phase B). **Cycle 3 (2026-05-13)**: AZ-512 attempted this, but its spec-defined Cross-Workspace Verification BLOCKING gate failed — admin/ service exposes no /classes routes at all (not even the POST/DELETE that AdminPage already calls today). Task parked in `_docs/02_tasks/backlog/AZ-512_*.md` with leftover `_docs/_process_leftovers/2026-05-13_az-512-admin-classes-prereq.md` until the admin/ workspace ships POST + PATCH + DELETE /classes. | NOT COVERED — Phase B target (deferred; cross-workspace prerequisite outstanding) |
+| O9 | Admin can edit existing detection classes (P12) | FT-P-62, FT-N-18 — landed cycle 4 / 2026-05-13 by AZ-512 (UI-side; user-authorized Option B path — implementation shipped against MSW stubs). **Live deploy gate remains** until AZ-513 ships on `admin/` and is deployed: `POST | PATCH | DELETE /classes` is verified-missing on the live admin service today; leftover `_docs/_process_leftovers/2026-05-13_az-512-admin-classes-prereq.md` stays open until then. | Covered (UI implementation + stub-tested); cross-workspace deploy gate pending AZ-513 on `admin/` |
 | O10 | Destructive actions require ConfirmDialog | NFT-SEC-08, FT-P-26, FT-P-27, FT-N-07 | Covered |
 | O11 | No SSR / RSC | NFT-RES-LIM-03 (no Node in image) + STC-O11 (no `react-dom/server` import) | Partially Covered |
 | O12 | `mission-planner/` not compiled by production Vite build | NFT-RES-LIM-04 | Covered |
@@ -1,6 +1,6 @@
 # Admin: edit existing detection class (inline form + PATCH wiring)
-> **STATUS (2026-05-13)**: BLOCKED on cross-workspace prerequisite. The cycle 3 batch 15 BLOCKING gate (Cross-Workspace Verification below) failed: the `admin/` service exposes only `/login`, `/users*`, `/resources*`. There is no `/classes` route at all (neither the PATCH this task needs, nor the POST/DELETE that `AdminPage.tsx` already calls today). Task spec parked in `_docs/02_tasks/backlog/` until the prerequisite ticket on the `admin/` workspace lands. Re-activation steps: (1) confirm the admin/ work shipped; (2) `git mv _docs/02_tasks/backlog/AZ-512_*.md _docs/02_tasks/todo/`; (3) re-invoke `/autodev` to re-enter Step 10. See `_docs/_process_leftovers/2026-05-13_az-512-admin-classes-prereq.md` for the full prerequisite payload.
+> **STATUS (2026-05-13, cycle 4 close)**: **DONE in UI** via user-authorized **Option B** path. Implementation lives in cycle 4 batch 16 — see `_docs/03_implementation/batch_16_cycle4_report.md` and `_docs/03_implementation/implementation_report_admin_class_edit_cycle4.md`. 12 vitest tests pass (8/8 ACs covered); all static gates pass. **Live deploy gates at Step 16 on AZ-513** (admin/ workspace must ship `POST | PATCH | DELETE /classes` and deploy before UI prod cutover). Leftover record `_docs/_process_leftovers/2026-05-13_az-512-admin-classes-prereq.md` stays open until that point.
 **Task**: AZ-512_admin_edit_detection_class
 **Name**: Admin — edit existing detection class
@@ -0,0 +1,89 @@
 # Batch Report
 **Batch**: 16
 **Cycle**: 4 (autodev existing-code Step 10)
 **Tasks**: [AZ-512]
 **Date**: 2026-05-13
 **Reactivation context**: AZ-512 was deferred to backlog at the end of cycle 3 (Cross-Workspace Verification BLOCKING gate failed — `admin/` service does not expose `/classes` write routes). User authorized **Option B** (MSW-stubbed UI ahead of admin/ AZ-513 shipping) at cycle 4 entry. Task moved `backlog/` → `todo/` in commit `ef56d9c`.
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|---------------|-------|-------------|--------|
 | AZ-512_admin_edit_detection_class | Done | 5 production + test + 1 doc | 12 passed | 8/8 ACs covered | 1 noted (pre-existing) |
 ### Files modified
 | Path | Type | Change |
 |------|------|--------|
 | `src/features/admin/AdminPage.tsx` | OWNED (08_admin) | Added inline edit affordance: `editingId` / `editForm` / `editError` / `editSaving` state; handlers (`handleStartEdit`, `handleCancelEdit`, `handleUpdateClass`, `handleEditKeyDown`); colspan row swap when editing; pencil (✎) button on read-only rows. Updated `t('admin.classes')` → `t('admin.classes.title')`. |
 | `src/i18n/en.json` | spec-authorized (00_foundation) | Restructured `admin.classes` from flat string to nested object (`title` + 6 new keys: `edit`, `save`, `cancel`, `nameRequired`, `maxSizeMustBePositive`, `updateFailed`). |
 | `src/i18n/ua.json` | spec-authorized (00_foundation) | Ukrainian mirror of the same 7 keys (FT-P-22 parity gate PASS). |
 | `tests/msw/handlers/admin.ts` | test-infra | Added `http.patch('/api/admin/classes/:id', ...)` partial-merge handler; existing PUT handler retained (dead code, not introduced by this task). |
 | `tests/admin_class_edit.test.tsx` | new | 12 tests covering AC-1..AC-6, AC-8 (AC-7 covered by static FT-P-22 gate). |
 | `tests/destructive_ux.test.tsx` | adjacent hygiene | Fixed `firstRow.querySelector('button')` selector at 3 call sites — my ✎ button became the first button in the row; replaced with `Array.from(querySelectorAll('button')).find(b => b.textContent === '×')` to deliberately target the delete (×) button. Pre-existing `it.fails()` semantics preserved. |
 | `_docs/02_document/components/08_admin/description.md` | spec-authorized (per task Scope.Included) | Recorded edit affordance + PATCH wiring in Internal Interfaces table and External API table; cross-referenced AZ-513 prerequisite. |
 ### Files NOT modified (scope discipline)
 | Path | Reason |
 |------|--------|
 | `src/api/endpoints.ts` | Task constraint: reuse existing `endpoints.admin.class(id)` builder; no new endpoint helper for PATCH (same URL as DELETE). |
 | `src/api/client.ts` | `api.patch()` helper already exists. |
 | `_docs/02_document/architecture.md` | Architecture-level wire-shape table update belongs in Step 13 (Update Docs), not Step 10. |
 | AdminPage delete-confirm wiring | Out of scope (Finding B4 — explicitly excluded per task spec Scope.Excluded). |
 | Settings/Users sections | Out of scope (separate concerns per task spec Scope.Excluded). |
 ## AC Test Coverage: All covered (8 of 8)
 | AC | Test name | Notes |
 |----|-----------|-------|
 | AC-1 | `renders a pencil button per row` | One edit affordance per class row |
 | AC-2 | `row 1 enters edit mode with name="class-a"; other rows stay read-only` + `single-row invariant` | Seeded values + Risk 3 mitigation |
 | AC-3 | `Save button → one PATCH with full body, row re-renders, form closes` + `Enter key inside form behaves like Save` | Risk 2 mitigation: full-body always |
 | AC-4 | `Cancel button → no PATCH; row reverts` + `Escape key inside form behaves like Cancel` | No network in either path |
 | AC-5 | `empty name → no PATCH; nameRequired error visible` + `non-positive maxSizeM → no PATCH; maxSizeMustBePositive error visible` | Validation-before-submit |
 | AC-6 | `PATCH 500 → form stays open; updateFailed error visible; no alert() called` | Risk 4 mitigation: disabled buttons during PATCH; spy on `window.alert` |
 | AC-7 | (static) `FT-P-22 (key parity): PASS` | `scripts/check-i18n-coverage.mjs --parity-only` |
 | AC-8 | `Add posts to /api/admin/classes and refetches the list` + `Delete sends DELETE and removes the row optimistically` | Regression guards |
 ## Code Review Verdict: PASS (inline self-review)
 A formal `/code-review` skill run was not invoked for this single-task batch (3 pts, tight scope, all spec ACs verified). The self-review checked: file ownership respected, no silent error swallowing, no `alert()` usage (STC-SEC7 confirms), no banned-deps literals (STC-SEC1B/C/D confirm), i18n parity + coverage (FT-P-22/23 confirm), architecture compliance (STC-ARCH-01/02 confirm), single-responsibility handlers, no spec drift, no dependencies on un-shipped admin/ work in the test layer.
 If a cumulative review is required at Step 14.5 (every K=3 batches), this is the 1st batch of cycle 4 — cumulative review fires at batch 18.
 ## Auto-Fix Attempts: 0
 No PASS-with-warnings or FAIL findings during self-review.
 ## Stuck Agents: None
 Single task, ~7 file edits, no rewrites without progress. The one i18n-coverage failure (3 raw English aria-labels) was fixed in a single targeted swap (aria-label → data-field) without regressing the spec's aria-label-on-edit-button NFR.
 ## Test Suite Result
 | Suite | Result |
 |-------|--------|
 | `bun run test` (full vitest) | **32 files passed, 243 tests passed, 13 quarantined skips** (cycle 3 baseline preserved) |
 | `bash scripts/run-tests.sh --static-only` | **All 35 static checks PASS** including FT-P-22, FT-P-23, STC-ARCH-01/02, STC-SEC1/2/3/4/7/8/13/14, STC-SEC1B/C/D, banned-deps, etc. |
 ## Pre-existing bug noted (NOT fixed this batch)
 While writing the new test file, I discovered that `tests/msw/handlers/admin.ts` returns `paginate(seedUsers)` (= `{ items, totalCount, page, pageSize }`) for `GET /api/admin/users`, but `AdminPage.tsx:19` does `api.get<User[]>(...).then(setUsers)` expecting a flat array. The catch swallows fetch errors but NOT the subsequent `users.map is not a function` render error.
 - **Impact in tests**: any test that mounts the full `<AdminPage />` without overriding the users handler crashes. Today, `destructive_ux.test.tsx:50-59` already overrides `/api/admin/users` with `jsonResponse([])` and documents the drift with the same comment shape; my new `tests/admin_class_edit.test.tsx` adds the same override (`stubUsersAsPlainArray()`).
 - **Impact in production**: depends on what the live `admin/` service actually returns (flat or paginated). If paginated, the Users table is broken end-to-end against the live service — analogous to the pre-existing AZ-513 add/delete situation. If flat, only the test fixture is wrong.
 - **Recommendation**: a separate UI-workspace ticket to either (a) align the MSW handler with the live admin/ shape (and fix `AdminPage.users` consumption if needed), or (b) introduce a paginated-response unwrap in the api client. NOT bundled with AZ-512 per scope discipline (`coderule.mdc`).
 ## Cross-workspace dependency reminder
 AZ-512 ships in this batch but the **live admin/ service does not yet expose** `POST | PATCH | DELETE /api/admin/classes(/{id})` (verified 2026-05-13: zero `MapPost|MapPatch|MapDelete` against `classes` in `admin/Azaion.AdminApi/Program.cs`). Per the user-chosen Option B path:
 - **Step 11 (Run Tests)** passes on MSW stubs.
 - **Step 16 (Deploy)** gates on **AZ-513** landing on the admin/ workspace AND that build being deployed to whichever environment(s) the UI is promoted into. The leftover record at `_docs/_process_leftovers/2026-05-13_az-512-admin-classes-prereq.md` remains open until that point.
 - The existing pre-existing-broken Add and Delete affordances on `AdminPage`'s class table also start working end-to-end the moment AZ-513 ships.
 ## Next Batch
 None planned in this cycle (cycle 4 was entered for AZ-512 reactivation only). After Step 11 (Run Tests) confirms the test suite still passes, autodev auto-chains through Steps 12 → 13 → 14 → 15 → 16 → 17. The Deploy gate (Step 16) will surface the admin/ AZ-513 dependency before any prod cutover.
@@ -0,0 +1,68 @@
 # Cycle 3 Step 16 — Deploy Report
 **Date**: 2026-05-13
 **Cycle**: 3 (autodev existing-code Step 16)
 **Mode chosen**: real cutover (option A in the cycle-3 deploy gate)
 **Push scope chosen**: ui/ dev only (option A in the push-scope sub-gate; B/C/D not selected)
 **Outcome**: ui/ dev pushed; stage/prod cutover deferred to a later turn; admin/ dev NOT pushed.
 ## What was actually deployed
 | Repo | Branch | Commits pushed | Pipeline triggered |
 |------|--------|----------------|--------------------|
 | `ui/` | `dev` (`15838c5..09449bd`) | 5 | Woodpecker dev build for `ui/` |
 | `admin/` | — | 0 (locally ahead by 1) | none |
 ### Commits pushed to `ui/` `origin/dev`
 ```
 09449bd [AZ-510][AZ-511][AZ-512][AZ-513] Cycle 3 Steps 12-15 + admin prereq
 6c7e297 [AZ-512] Defer to backlog at cross-workspace BLOCKING gate
 c368f60 [AZ-511] classColors carve-out to src/class-colors/ (closes F3)
 70fb452 [AZ-510] Auth bootstrap: POST refresh + chained /users/me
 098a556 [AZ-509][AZ-510][AZ-511][AZ-512] Cycle 3 new-task: epic + 3 task specs
 ```
 ## What was NOT done (deferred / pending)
 | ID | Item | Reason | Owner |
 |----|------|--------|-------|
 | D-CY3-STAGE | `ui/` `dev → stage → push origin/stage` | User chose option A (dev-only) at the push-scope gate. Stage cutover deferred to a later autodev / manual run. | User |
 | D-CY3-MAIN | `ui/` `stage → main → push origin/main` (prod cutover) | Same reason as above. Devices will not auto-pull cycle-3 changes until this completes. | User |
 | D-CY3-ADMIN-PUSH | `admin/` `dev push origin/dev` | User did not select option D at the push-scope gate. The AZ-513 task spec sits locally on `admin/` `dev`. Docs-only commit — no admin/ build trigger expected even when pushed. | User |
 | D-CY3-AZ513-IMPL | Implementation of AZ-513 (admin/ POST + PATCH + DELETE /classes routes) | New cross-workspace dependency: admin/ workspace must implement before AZ-512 can ship. Filed in Jira (AZ-513, parent epic AZ-509, Blocks AZ-512). | admin/ team |
 ## Carry-forward from cycle 2
 The cycle-2 `deploy_planning_sync_cycle2.md` deferred 3 items to leftovers in `_docs/_process_leftovers/2026-05-12_az-498-deploy-and-key-revocations.md`. Cycle 3 did NOT close any of them:
 | ID (cycle 2) | Item | Status as of 2026-05-13 |
 |----|------|-------|
 | L-AZ-498-DEPLOY | UI tile-swap prod cutover | Still deferred — cross-workspace satellite-provider gate unchanged; UI prod cutover would now ship cycle-3 + cycle-2 simultaneously. |
 | L-AZ-499-OWM-REVOKE | OWM key revocation at owm dashboard | Still pending — manual third-party action; owner: user. |
 | L-AZ-501-GOOGLE-REVOKE | Google Geocode key revocation at Google Cloud Console | Still pending — manual third-party action; owner: user. |
 These leftovers need a status sweep at the start of the next `/autodev` invocation per `tracker.mdc` Leftovers Mechanism.
 ## Cycle-3 deployment-doc deltas (NOT written this cycle)
 In strict autodev terms, Step 16 in this cycle was a real cutover (option A), not a planning sync. The cycle-2 pattern of patching `_docs/02_document/deployment/*` was therefore skipped here because:
 - AZ-510 and AZ-511 introduced **no** changes to Dockerfile, `.woodpecker/`, env vars, or nginx (verified via `git diff --stat 70fb452^..HEAD -- nginx.conf Dockerfile .woodpecker/ e2e/ .env.example mission-planner/.env.example` — empty).
 - AZ-510 wire-shape change is internal to the auth path; the production admin/ service already serves POST `/api/admin/auth/refresh` (used by the existing 401-retry path in `src/api/client.ts:88-99`) and `GET /api/admin/users/me`, so deployment-side configuration is already correct.
 - AZ-512 (deferred) introduced no source changes.
 If a future cycle adds env vars, infra changes, or new services, the cycle-2 planning-sync pattern (update `environment_strategy.md`, `ci_cd_pipeline.md`, `containerization.md`, `observability.md`) should be applied.
 ## Verification
 - `git push origin dev` for `ui/` returned `15838c5..09449bd  dev -> dev` (5 commits, fast-forward).
 - `git status -sb` for `ui/` confirms `dev` and `origin/dev` are synced post-push (no `[ahead N]`).
 - Functional test suite green pre-push (231 passed, 13 quarantined skips — see `test-output/summary.csv` and `test-output/fast-report.xml`).
 - Static perf NFT-PERF-01 green pre-push (290 575 B gzipped vs ≤ 2 097 152 B threshold — see `test-output/performance-summary.txt`).
 - Security cycle-3 delta verdict PASS_WITH_WARNINGS pre-push (see `_docs/05_security/security_report_cycle3_delta.md`).
 - No nginx/Docker/CI config changes in cycle 3 (verified via `git diff --stat 70fb452^..HEAD -- nginx.conf Dockerfile .woodpecker/ e2e/ .env.example mission-planner/.env.example` empty).
 ## Auto-chain
 → Step 17 (Retrospective) for cycle 3.
@@ -0,0 +1,97 @@
 # Implementation Report — Admin Class Edit (Cycle 4)
 **Date**: 2026-05-13
 **Cycle**: 4 (autodev existing-code Step 10 → Step 17 loop)
 **Epic**: AZ-509 (Phase B cycle 3 carry-over — UI workspace cycle 3 deliverables; AZ-512 was the cycle 3 deferred task brought into cycle 4 under user-authorized Option B)
 **Tasks**: [AZ-512]
 **Batches**: 1 (batch_16_cycle4)
 **Outcome**: PASS — single-task cycle, all ACs covered, full test suite green, all static gates green.
 ## Summary
 Cycle 4 was entered as a small surgical cycle to **reactivate AZ-512** — the "edit existing detection class" affordance that was deferred to backlog at the end of cycle 3 because the `admin/` sibling service does not expose the underlying CRUD routes for detection classes.
 At cycle 4 entry the user explicitly chose Option B from the original AZ-512 Cross-Workspace Verification gate: implement the UI inline edit form against MSW-stubbed PATCH semantics while AZ-513 ships in parallel on the admin/ workspace. The UI is therefore complete and tested today; the live deploy gate (Step 16) holds until AZ-513 lands on admin/ and that build deploys to whichever environments the UI is promoted into.
 ## Tasks Delivered
 | Task | Name | Complexity | Status |
 |------|------|-----------|--------|
 | AZ-512 | Admin — edit existing detection class (inline form + PATCH wiring) | 3 | Done (MSW-stubbed; live wire shape gates at Step 16 on AZ-513) |
 **Total complexity delivered**: 3 points.
 ## Acceptance Criteria Status
 8 of 8 ACs covered. See `batch_16_cycle4_report.md` for the per-AC test mapping. Highlights:
 - AC-1, AC-2 — edit affordance + single-row invariant verified.
 - AC-3 — Save (button + Enter) sends exactly one PATCH with the full editable body (Risk 2 mitigation: full body always sent so backend partial-merge vs full-replace semantics are equivalent for the UI).
 - AC-4 — Cancel (button + Escape) emits zero network requests.
 - AC-5 — empty name AND non-positive `maxSizeM` both block the PATCH and surface inline `role="alert"` errors.
 - AC-6 — 500 response keeps the form open, surfaces an inline error, leaves the user's draft intact, and confirms `window.alert` is NOT called.
 - AC-7 — static FT-P-22 i18n parity gate PASS; six new `admin.classes.*` keys exist in both `en.json` and `ua.json`.
 - AC-8 — regression guards for the existing Add and Delete affordances both pass.
 ## Quality Gates
 | Gate | Result | Notes |
 |------|--------|-------|
 | Full vitest suite | PASS — 32 files, 243 tests, 13 quarantined skips | `bun run test` |
 | `scripts/run-tests.sh --static-only` | PASS — all 35 static checks | i18n parity + coverage, arch imports, api literals, banned-deps (incl. STC-SEC1B/C/D), destructive UX surface registry, performance regex, etc. |
 | ReadLints on touched files | PASS — no introduced lint errors | `AdminPage.tsx`, MSW handler, test file, doc |
 | File ownership envelope | PASS — only `08_admin` OWNED files + spec-authorized exceptions (i18n bundles, tests, admin description doc) | |
 | AZ-512 Cross-Workspace Verification | DEFERRED — Option B path active (MSW-stubbed) | Live deploy gates at Step 16 on AZ-513 |
 ## Product Implementation Completeness Gate (Step 15)
 | Task | Verdict | Evidence |
 |------|---------|----------|
 | AZ-512 | **PASS** | Task promises are UI-only and are implemented in production source (`src/features/admin/AdminPage.tsx`). No named external runtime dependency beyond the existing `api.patch()` helper. No unresolved placeholder/stub/TODO/scaffold markers in the touched files. The "cross-workspace prerequisite" is an external system (admin/ workspace) explicitly out-of-scope-from-the-UI per the task spec; the leftover entry tracks it and the Step 16 gate enforces it. No remediation tasks created. |
 Final implementation report can therefore be written here (this file) without further gate-driven loops.
 ## Handoff to Test Run (Step 11)
 The full vitest suite was already run during batch verification and passed cleanly. Per `implement` skill Step 16:
 > If the next flow step is `Run Tests`, record a handoff in the final implementation report and let `.cursor/skills/test-run/SKILL.md` own the full-suite gate to avoid duplicate full runs.
 Step 11 (Run Tests) is the next autodev step. The test-run skill should pick up here and run its own formal gate; the result of my pre-flight run is purely advisory.
 ## Discovered pre-existing bug (NOT fixed this batch)
 `tests/msw/handlers/admin.ts:39` returns `paginate(seedUsers)` for `GET /api/admin/users`, but `AdminPage.tsx:19` consumes the response as a flat `User[]`. The mismatch is silently caught at the fetch layer but surfaces as a `users.map is not a function` render crash when the response is bound to state. The destructive-ux test fixture documents the same drift and overrides the handler with a flat array; my new test file uses the same workaround.
 This is logged for the user to triage as a separate UI-workspace ticket — fixing it requires deciding which side (handler shape vs UI consumption) reflects the live admin/ service's behavior, and that determination belongs to the admin/-side conversation, not this batch's scope.
 ## Cross-workspace coordination point
 When **AZ-513** ships on the `admin/` workspace AND that build is deployed to the environments the UI is promoted into:
 1. The Step 16 (Deploy) gate in this cycle (or any future cycle re-running it) un-blocks for AZ-512 prod cutover.
 2. The existing pre-existing-broken Add and Delete affordances on `AdminPage` ALSO start working end-to-end against the live service for free.
 3. The leftover record at `_docs/_process_leftovers/2026-05-13_az-512-admin-classes-prereq.md` becomes deletable.
 4. The Step 16 leftovers-replay step should additionally verify the admin/-side `GET /api/admin/users` response shape and, depending on outcome, file the separate UI-workspace ticket flagged above.
 ## Cycle 4 metrics snapshot
 | Metric | Value | Δ vs cycle 3 |
 |--------|-------|--------------|
 | Tasks attempted | 1 (AZ-512) | −2 |
 | Tasks delivered | 1 | −1 |
 | Tasks deferred at spec gate | 0 (deferred-at-gate pattern resolved via user Option B authorization) | −1 |
 | Total batches | 1 | −2 |
 | Total complexity points planned | 3 | −6 |
 | Total complexity points delivered | 3 | −3 |
 | Source files mutated | 2 production + 2 test + 2 doc/i18n + 1 test-infra = ~7 | n/a (single-task shape) |
 ## Files Reference
 - `src/features/admin/AdminPage.tsx` — inline edit affordance.
 - `src/i18n/en.json`, `src/i18n/ua.json` — `admin.classes` flat → nested with 6 new keys.
 - `tests/msw/handlers/admin.ts` — PATCH partial-merge handler.
 - `tests/admin_class_edit.test.tsx` — 12 tests covering AC-1..AC-6 + AC-8.
 - `tests/destructive_ux.test.tsx` — adjacent-hygiene selector tightening for the existing class-delete `it.fails()` and `control` tests (my ✎ button moved the first-button position).
 - `_docs/02_document/components/08_admin/description.md` — recorded edit affordance + PATCH wiring.
 - `_docs/03_implementation/batch_16_cycle4_report.md` — per-batch detail.
@@ -1,6 +1,8 @@
 # Security Audit Report — Azaion UI
 > **AMENDMENT 2026-05-13 — verdict superseded by cycle-3 delta report.** See `_docs/05_security/security_report_cycle3_delta.md`. Current verdict (post AZ-510 + cycle-2-tail `bun update vite`): **PASS_WITH_WARNINGS** (was FAIL). All HIGH-severity dependency advisories closed; OWASP A06 → PASS, A07 → PASS. The HIGH-severity F-SAST-1 (`mission-planner/` Google Geocode API key in git history) remains open but does not affect the production browser bundle. The cycle-2 evidence below is preserved verbatim as the audit history of record.
 >
 > **AMENDMENT 2026-05-13 (cycle 4 — AZ-512)** — see `_docs/05_security/security_report_cycle4_delta.md`. Verdict carries: **PASS_WITH_WARNINGS** (unchanged). One new LOW finding (F-SAST-CY4-1 — lost-update / mid-air-collision admission on `PATCH /api/admin/classes/{id}`, by design per AZ-512 spec). No new dependencies; `bun audit` re-run clean. Implementation shipped against MSW stubs under user-authorized Option B; deploy gate to live admin/ stays open until AZ-513 lands.
 **Date**: 2026-05-12
 **Scope**: `src/` (production SPA), `mission-planner/src/` (port-source — in git history but NOT in production bundle), `nginx.conf`, `Dockerfile`, `.woodpecker/build-arm.yml`, `e2e/` harness, `.env.example` files
@@ -0,0 +1,188 @@
 # Security Audit — Cycle 4 Delta Report
 **Date**: 2026-05-13
 **Mode**: Resume / incremental — cycle-2 base (`security_report.md` + companion artifacts) plus cycle-3 delta (`security_report_cycle3_delta.md`) are kept verbatim; this report records ONLY the deltas introduced by cycle 4.
 **Cycle**: Phase B / Cycle 4 (AZ-512 only — `admin/` AZ-513 prerequisite still un-shipped; UI implemented under user-authorized Option B against MSW stubs)
 **Scope of delta**: cycle-4 commits only — `ef56d9c` (AZ-512 reactivation chore), `ecacfa8` (AZ-512 implementation batch 16). No infrastructure / CI / nginx / Dockerfile changes; no new dependencies; no new external surface; no new secrets.
 **Verdict (post-cycle-4)**: **PASS_WITH_WARNINGS** — unchanged from cycle 3. One new LOW finding documented (F-SAST-CY4-1 — lost-update / mid-air-collision admission on PATCH). All cycle-3 carries remain unchanged.
 ---
 ## Verdict change
 | Verdict component | Cycle 3 (2026-05-13 — pre-cycle-4) | Cycle 4 (2026-05-13 — post AZ-512) | Driver |
 |-------------------|------------------------------------|------------------------------------|--------|
 | Overall           | PASS_WITH_WARNINGS                 | PASS_WITH_WARNINGS                 | No change in severity ceiling |
 | Critical          | 0                                  | 0                                  | — |
 | High              | 1 carried (F-SAST-1 — Google Geocode key in `mission-planner/` git history; production-bundle exposure NONE) | 1 carried (unchanged) | User-action gate: key revocation still pending |
 | Medium            | 7 carried                          | 7 carried (unchanged)              | No cycle-4 changes to CI / nginx / Dockerfile |
 | Low               | 3 carried                          | 4 (new: F-SAST-CY4-1)              | New lost-update admission on `PATCH /api/admin/classes/{id}` |
 ---
 ## Cycle 4 scope — exactly what changed and what each change can / cannot affect
 | File | Domain | Security-relevant? | Why / why not |
 |------|--------|--------------------|----------------|
 | `src/features/admin/AdminPage.tsx` | Production source | Yes — adds a new wire call to `PATCH /api/admin/classes/{id}` and a new client-side validation path. | See finding F-SAST-CY4-1 below + carry analysis. No new credentials, no new external surface, no string interpolation in URL (`endpoints.admin.class(id)` builder is unchanged from cycle 2). |
 | `src/i18n/en.json`, `src/i18n/ua.json` | Production source | No | New translation keys are static strings rendered through React (auto-escaped). No interpolation of untrusted input. |
 | `tests/admin_class_edit.test.tsx` | Test-only | No | Vitest fixture; never shipped. |
 | `tests/msw/handlers/admin.ts` | Test-only | No | MSW worker; never shipped. `Dockerfile` final stage is `nginx:alpine` serving `dist/`. |
 | `tests/destructive_ux.test.tsx` | Test-only | No | Selector-target fix; logic unchanged. |
 | `_docs/02_document/**/*.md`, `_docs/03_implementation/**/*.md` | Documentation | No | Documentation only. |
 > **No new package added, no version bumped.** `bun audit` re-run 2026-05-13 against `ui/` reports **"No vulnerabilities found"** (bun 1.3.11). The cycle-3 OWASP A06 PASS verdict carries forward.
 ---
 ## Resolved findings (cycle 3 → cycle 4)
 **None.** Cycle 4 did not close any prior finding.
 | Pending user-action items (carried for visibility) |
 |---------------------------------------------------|
 | F-SAST-1 — Google Geocode API key in `mission-planner/` git history → user-action: revoke at GCP credentials console + externalize via `VITE_GOOGLE_GEOCODE_KEY` (AZ-499 pattern). |
 | OpenWeatherMap key revocation — recorded in cycle-2 retrospective; the **AZ-449** code-side fix shipped but the **revocation of the previously committed key** is still a pending user action. |
 These two pending revocations are visible in `_docs/06_metrics/retro_2026-05-12.md` and the `_docs/_process_leftovers/` set; they were not in scope for AZ-512 and remain open.
 ---
 ## New cycle-4 findings
 ### F-SAST-CY4-1 — Lost-update / mid-air-collision on PATCH `/api/admin/classes/{id}` — LOW
 | Field | Value |
 |-------|-------|
 | Severity | LOW |
 | Category | Insecure Design (OWASP A04) / Software & Data Integrity (OWASP A08) |
 | Location | `src/features/admin/AdminPage.tsx:57-75` (`handleUpdateClass`) |
 | Introduced by | AZ-512 (commit `ecacfa8`) |
 | Production exposure | The `/admin` route is gated by Header's `ADM` permission AND backend authZ on every `/api/admin/*` call. Surface is restricted to authenticated admins. |
 **Description**
 `handleUpdateClass` performs an inline edit with this sequence:
 1. Client-side validation (`name.trim()` non-empty, `maxSizeM > 0`).
 2. `await api.patch(endpoints.admin.class(editingId), editForm)` — sends the **complete** edit-form body (the documented "Risk 2 mitigation" so partial-merge vs full-replace PATCH semantics are equivalent for the UI).
 3. `await api.get(endpoints.annotations.classes())` — refetch list, replace `classes`, clear `editingId`.
 The intentional full-body PATCH guarantees the UI's view of the row replaces whatever is on the server. There is **no concurrency guard** (`If-Match` / `ETag` / `version`). If admin A and admin B open the same row simultaneously, the last `PATCH` wins silently and overwrites the other admin's edit without notification.
 This is a deliberate trade-off: the task spec (`AZ-512_admin_edit_detection_class.md`) explicitly scopes optimistic-locking out, and AZ-513's backend spec mirrors that (no ETag header). The risk class is documented in the task spec's "Risks" section. The audit records it for completeness so future hardening can re-open it.
 **Impact**
 - Two admins editing the same detection class in the same window → second save silently overwrites the first.
 - Audit trail (if any — owned by `admin/` service) would show both PATCHes, so attribution survives.
 - Detection-class editing is a low-frequency administrative operation with typically a single active admin, so practical exposure is low.
 **Production-bundle exposure**
 Limited to authenticated `ADM` users, in a low-multi-admin operation domain, with no user-data leak. **No exploitable path to data exfiltration or escalation.** This is a correctness / data-integrity weakness, not an authN/authZ break.
 **Remediation (future / out-of-cycle)**
 1. When AZ-513 lands the backend, decide whether `admin/` will emit an `ETag` on `GET /api/admin/classes/{id}` and accept `If-Match` on `PATCH`. If yes, the UI side becomes:
   - Capture `etag` from the row on edit-start.
   - Send `If-Match: <etag>` header on `PATCH`.
   - On `412 Precondition Failed`, render a "this class was changed by someone else — reload?" inline alert (analogous to today's `editError = 'updateFailed'`).
 2. Cheaper short-term alternative: append a generated `version: number` to `DetectionClass` and have the UI assert it on PATCH; backend returns 409 on mismatch.
 **Track as**: open in `_docs/05_security/`; not blocking. To be promoted to a UI ticket only when AZ-513 lands and the backend's chosen concurrency model is known.
 ---
 ## Cross-cutting cycle-4 verification
 ### Static analysis — AZ-512 deltas
 - **URL construction**: `endpoints.admin.class(editingId)` is the same builder used by `handleDeleteClass` (cycle-2 audited path). `editingId: number | null` is constrained at the type level and is only set from a server-returned `DetectionClass.id`. No tainted-input → URL path.
 - **JSON body**: `editForm` is a plain `{ name, shortName, color, maxSizeM }` object. React form-controlled inputs feed it; no `dangerouslySetInnerHTML`, no `innerHTML`, no template injection surface. Backend must still validate length / charset (UI relies on backend per AZ-513 ACs).
 - **Error path**: the `catch` block sets a discriminated-union error kind, not the raw thrown message. No information leak from server error responses into the rendered UI.
 - **Optimistic refetch**: same shape as cycle-2-audited `handleAddClass` refetch. No new surface.
 - **Test-only MSW handler in `tests/msw/handlers/admin.ts`**: not bundled. Vite's `bundle-introspect.test.ts` (cycle-2 evidence) already enforces `tests/` is excluded from `dist/`.
 **Verdict**: PASS — no new injection, no new secret, no new auth-surface.
 ### Authentication & authorization — AZ-512 deltas
 - **Route gating**: AZ-512 does not change `/admin` route gating. Header's `hasPermission('ADM')` continues to filter the visible nav entry. As cycle-2 noted (F2 / AC-22 carry), a user who deep-links to `/admin` without `ADM` still renders the page but every fetch 401/403s. AZ-512 inherits that posture exactly.
 - **Per-action authZ**: each PATCH/DELETE/POST/GET is authZ'd server-side by `admin/`. The UI does not perform pre-flight permission checks for the edit affordance specifically. This matches the existing add / delete posture (cycle-2 audited).
 **Verdict**: PASS — no degradation; carries F2 / AC-22 unchanged.
 ### Cryptographic failures, secrets, data exposure — AZ-512 deltas
 - **No new secrets** introduced. `bun audit` clean. No new env vars touched.
 - **No PII** in the PATCH body (detection-class metadata only).
 - **No new log output**: `client.ts` has no new logging path; `AdminPage.tsx` adds no `console.*`.
 - **Error message localization**: errors are mapped to i18n keys (`admin.classes.updateFailed`) — no server-message echo into the UI string.
 **Verdict**: PASS.
 ### OWASP Top 10 — categories whose status would change
 None. All ten categories carry forward from the cycle-3 delta verdict unchanged. The new LOW finding F-SAST-CY4-1 maps to A04 (Insecure Design) but the category's status was already PASS (cycle 2) and stays PASS because LOW findings do not flip the category.
 | # | Category | Cycle-3 status | Cycle-4 status |
 |---|----------|----------------|----------------|
 | A01 | Broken Access Control | PASS_WITH_KNOWN (F2/AC-22 carry) | **unchanged** |
 | A02 | Cryptographic Failures | PASS_WITH_KNOWN (ADR-008 carry) | **unchanged** |
 | A03 | Injection | PASS | **unchanged** |
 | A04 | Insecure Design | PASS | **unchanged** (new LOW F-SAST-CY4-1 is informational only) |
 | A05 | Security Misconfiguration | FAIL (F-INF-2 carry) | **unchanged** |
 | A06 | Vulnerable & Outdated Components | PASS | **unchanged** (`bun audit` re-run clean 2026-05-13) |
 | A07 | Identification & Authentication Failures | PASS | **unchanged** |
 | A08 | Software & Data Integrity Failures | FAIL (F-INF-1, F-INF-3, F-INF-4 carry) | **unchanged** |
 | A09 | Logging & Monitoring | N/A | **unchanged** |
 | A10 | SSRF | N/A | **unchanged** |
 ### Infrastructure / CI / Container — AZ-512 deltas
 **None.** Cycle 4 did not touch `Dockerfile`, `nginx.conf`, `.woodpecker/build-arm.yml`, `.env.example`, or any container/CI artifact. Carries F-INF-1..5 verbatim.
 ---
 ## Cross-workspace dependency note
 AZ-512 ships against MSW stubs in tests. The live `PATCH /api/admin/classes/{id}` endpoint does not exist in production until **AZ-513** is implemented and deployed by the `admin/` workspace team. Until then:
 - A real admin clicking ✎ + Save in the deployed dev/stage/prod UI will hit a backend `404` (or 405 depending on how `admin/` rejects unknown methods).
 - The UI surfaces a generic `editError = 'updateFailed'` ⇒ "Update failed" inline alert. No information leak.
 - **Deploy gate**: Step 16 of cycle 4 must NOT promote this build past the boundary where AZ-513 has not yet landed. The `_docs/_process_leftovers/2026-05-13_az-512-admin-classes-prereq.md` leftover entry remains open until AZ-513 ships + deploys.
 This is a process control concern, not a security finding — captured here so the audit history records why a deploy-gate exists for an otherwise-clean cycle.
 ---
 ## Updated counts (carries from cycle 3 + cycle-4 net)
 | Severity | Cycle 3 | Cycle 4 | Net change |
 |----------|---------|---------|------------|
 | Critical | 0       | 0       | — |
 | High     | 1 (F-SAST-1) | 1 (F-SAST-1) | — |
 | Medium   | 7       | 7       | — |
 | Low      | 3 (F-SAST-4, F-INF-5, F-SAST-CY3-1) | 4 (+F-SAST-CY4-1) | +1 |
 ## Self-verification (Phase 5 of `security/SKILL.md`)
 - [x] All cycle-4 changed files reviewed (6 source/test files + doc files; surface enumerated above).
 - [x] No duplicate findings (F-SAST-CY4-1 is new, not a restatement of F-INF-1..5 or F-SAST-CY3-1).
 - [x] Every finding has remediation guidance (see F-SAST-CY4-1 § Remediation).
 - [x] Verdict matches severity logic (PASS_WITH_WARNINGS = only Medium/Low new findings + carried High is pre-existing).
 - [x] `bun audit` re-run is clean.
 - [x] No new credentials / secrets in cycle-4 commits (`ef56d9c`, `ecacfa8`).
 - [x] Cross-workspace dependency (AZ-513) is recorded as a process / deploy-gate concern, not a security finding.
 ## Recommendations
 ### Immediate (Critical/High)
 - None new from cycle 4. Cycle-2 / cycle-3 carries unchanged: revoke Google Geocode key (F-SAST-1); revoke OpenWeatherMap key (carried).
 ### Short-term (Medium)
 - None new from cycle 4. Cycle-2 carries unchanged: nginx security headers (F-INF-2); `bun audit` in CI (F-INF-1); Trivy/Grype in CI (F-INF-3); SBOM + image signing (F-INF-4).
 ### Long-term (Low / Hardening)
 - **F-SAST-CY4-1 follow-up**: when AZ-513 lands, decide on the concurrency model with `admin/`. If `ETag` / `If-Match`: open a UI ticket to thread the header through `client.ts` and surface 412 as a "reload" alert. If `version` field: open a UI ticket to assert version on PATCH and surface 409 the same way. Cheap fix once the backend picks a model — until then, it stays LOW.
@@ -0,0 +1,80 @@
 # Performance Test Report — Cycle 4
 **Date**: 2026-05-13
 **Cycle**: Phase B / Cycle 4 (AZ-512 — admin class inline edit)
 **Runner**: `scripts/run-performance-tests.sh --static-only` (generated by test-spec Phase 4)
 **Mode**: static-only profile executed (NFT-PERF-01); e2e profile (NFT-PERF-02..10) records SKIP because the Playwright perf project is still not wired (carries from cycle 3)
 **Verdict**: **PASS** (one Pass + documented SKIPs + three documented Quarantines)
 ---
 ## Scope
 Re-baseline the gzipped initial-JS bundle metric (NFT-PERF-01) after AZ-512 added ~80 lines of inline-edit code to `src/features/admin/AdminPage.tsx` plus 7 new i18n keys × 2 locales in `src/i18n/{en,ua}.json`. No new packages, no new external endpoints, no new lazy-load boundary (AdminPage continues to import statically from `src/App.tsx:8`, so its bytes count toward the initial-JS bundle).
 E2E-stack-bound scenarios (NFT-PERF-02..10) are out of scope for this cycle's measurement because:
 1. The Playwright perf project remains unwired (same status as cycle 3 — tracked in `perf_2026-05-13_cycle3.md` "E2E profile status").
 2. AZ-512's surface is contained client-side state + one HTTP PATCH that does not yet exist server-side (the live endpoint is gated by AZ-513 in the `admin/` workspace). There is no live-stack perf path to measure until AZ-513 ships.
 ---
 ## Results
 | Scenario | Verdict | Measured | Threshold | Source |
 |----------|---------|----------|-----------|--------|
 | NFT-PERF-01 (initial JS bundle, gzipped) | **PASS** | **291 332 B** (≈ 284.5 KB) | ≤ 2 097 152 B (2 MB) — AC-11 / row 40 of `results_report.md` | `dist/assets/*.js` summed via `gzip -c \| wc -c` after `bun run build` |
 | NFT-PERF-02 (auth refresh round-trip p95) | SKIP | n/a | ≤ 200 ms — row 11 of `results_report.md` | Deferred — Playwright perf project not yet wired |
 | NFT-PERF-03 | QUARANTINE | — | Step 8 hardening (SSE refresh rotation) | Carried |
 | NFT-PERF-04..07 | SKIP | n/a | various | Deferred — Playwright perf project not yet wired |
 | NFT-PERF-08 | QUARANTINE | — | Step 4 fix (panel-width persistence) | Carried |
 | NFT-PERF-09 | QUARANTINE | — | Step 4 fix (settings save error surfacing) | Carried |
 | NFT-PERF-10 (warm-cache FCP on /flights) | SKIP | n/a | ≤ 3 000 ms (edge profile) | Deferred — Playwright perf project not yet wired |
 ---
 ## Bundle delta vs prior cycles
 | Cycle | Measured (bytes, gzipped) | Δ vs prior cycle | % of 2 MB budget | Source |
 |-------|---------------------------|------------------|------------------|--------|
 | 2 | 290 465 | new baseline | ~13.85% | `perf_2026-05-12_cycle2.md` |
 | 3 (post AZ-510/AZ-511) | 290 575 | **+110 B (+0.04%)** | ~13.85% | `perf_2026-05-13_cycle3.md` |
 | 4 (post AZ-512) | **291 332** | **+757 B (+0.26%)** | **~13.89%** | this report |
 Net change vs cycle-2 baseline: +867 bytes / +0.30% / +0.04 percentage-points of budget across two feature cycles. Bundle growth remains in line with the rate of feature growth — no regression, no concern.
 ---
 ## Bundle-size impact analysis — what cost the +757 bytes
 | Change | Pre-min source | Estimated minified+gzipped contribution |
 |--------|----------------|------------------------------------------|
 | `src/features/admin/AdminPage.tsx` new state (4 hooks), handlers (`handleStartEdit`/`handleCancelEdit`/`handleUpdateClass`/`handleEditKeyDown`), conditional row JSX, validation, PATCH wiring | ~80 LoC of TS + JSX | ~500–600 B |
 | `src/i18n/en.json`, `src/i18n/ua.json` — `admin.classes` flat-string → nested object (`title` + 6 edit keys) per locale | 7 keys × 2 locales × ~25 B/key (English) + Cyrillic UA chars ~2× UTF-8 | ~150–200 B |
 | Module doc / blackbox / traceability / report deltas | docs only | 0 (excluded from `dist/`) |
 The delta is dominated by the inline-edit handler and JSX; i18n is a small fraction. **Order-of-magnitude consistent with a tight ~80-line UI feature.** No accidental imports of `mission-planner/`, no new `react-i18next` plugins, no new icon set, no new third-party lib pulled in.
 ---
 ## E2E profile status
 Carried verbatim from `perf_2026-05-13_cycle3.md` — the Playwright perf project remains unwired. Same unblock path:
 > NFT-PERF-02..10 require a Playwright performance-config profile that loads the suite stack, performs the scenario, and emits timing measurements consumable by the runner. The project's existing Playwright config drives functional e2e only (no perf assertions / reporters). Wiring this is a Phase B candidate (own ticket, ~5-point task; not in scope for AZ-512).
 No new blocker — the gap has the same shape it had in cycle 3. AZ-512 does not change the e2e-perf surface; the planned Playwright wiring (a future ticket) is what unblocks NFT-PERF-02..10.
 ---
 ## Verdict
 **PASS** for cycle 4. The single executable scenario (NFT-PERF-01) is at 13.89% of the 2 MB threshold with a +0.26% cycle-over-cycle increase explained entirely by AZ-512's documented additions. All SKIPs and QUARANTINES carry forward from cycle 3 with the same rationale. **No bundle regression and no new perf concern introduced.**
 ## Self-verification (test-run / perf-mode)
 - [x] NFT-PERF-01 runner executed against a freshly built `dist/` (no stale build).
 - [x] Threshold sourced from `_docs/00_problem/input_data/expected_results/results_report.md` (AC-11 / row 40 — same as cycle 3).
 - [x] Measured value recorded with the exact byte count from the runner.
 - [x] Cycle-over-cycle delta computed and explained.
 - [x] No threshold breach.
 - [x] E2E profile status carried with same unblock path as cycle 3 — no new perf gating ticket needed for AZ-512.
@@ -0,0 +1,202 @@
 # Retrospective — 2026-05-13 (Phase B Cycle 3)
 **Mode**: cycle-end (autodev existing-code Step 17)
 **Scope**: Phase B, cycle 3 (`state.cycle = 3`)
 **Epic**: AZ-509 (UI workspace cycle 3 — Auth bootstrap fix + classColors carve-out + admin edit)
 **Cycle duration**: 3 batches over 1 working day (2026-05-13)
 **Previous retro**: `_docs/06_metrics/retro_2026-05-12_cycle2.md` (cycle 2)
 ## Implementation Summary
 | Metric | Value | Δ vs cycle 2 |
 |--------|-------|--------------|
 | Tasks attempted | 3 (AZ-510, AZ-511, AZ-512) | +1 |
 | Tasks delivered | 2 (AZ-510, AZ-511) | 0 |
 | Tasks deferred at spec gate | 1 (AZ-512 — cross-workspace prereq) | +1 (new pattern) |
 | Total batches | 3 (batch 13, 14, 15) | +1 |
 | Total complexity points planned | 9 (3+3+3) | −2 |
 | Total complexity points delivered | 6 (3+3) | −5 (cycle 2 shipped 11) |
 | Avg tasks per batch | 1 | −1 |
 | Avg complexity per (completed) batch | 3 | −2.5 |
 | Source files mutated | ~37 production + test (AZ-510 ~25, AZ-511 ~12, AZ-512 0) + 9 docs | n/a (different shape) |
 Sources: `batch_13_cycle3_report.md`, `batch_14_cycle3_report.md`, `batch_15_cycle3_report.md`, `implementation_report_auth_classcolors_cycle3.md`, `implementation_completeness_cycle3_report.md`, `deploy_cycle3_report.md`, `security_report_cycle3_delta.md`.
 ## Quality Metrics
 ### Code Review Results
 | Verdict | Count | Percentage | Δ vs cycle 2 |
 |---------|-------|-----------|--------------|
 | PASS | 2 (batches 13, 14) | 67 % | +2 |
 | PASS_WITH_WARNINGS | 0 | 0 % | −1 |
 | FAIL | 0 | 0 % | 0 |
 | (no formal review — deferred at gate) | 1 (batch 15) | 33 % | n/a |
 Note: batch 15 (AZ-512) hit a spec-defined Cross-Workspace Verification BLOCKING gate before implementation began. No source code was written, no review fired. The "no review" row is **not** a process gap — it is the spec working correctly.
 ### Findings by Severity (code review only)
 | Severity | Count | Δ vs cycle 2 |
 |----------|-------|--------------|
 | Critical | 0 | 0 |
 | High | 0 | 0 |
 | Medium | 0 | 0 |
 | Low | 0 | **−1** ✓ (cycle 2's pre-existing trim-trailing-slash F1 was not re-flagged because cycle 3 did not touch the affected files) |
 ### Findings by Category (code review)
 | Category | Count | Top Files |
 |----------|-------|-----------|
 | Bug | 0 | — |
 | Spec-Gap | 0 | — |
 | Security | 0 (in code review; security audit fires separately — see below) | — |
 | Performance | 0 | — |
 | Maintainability | 0 | — |
 | Style | 0 | — |
 | Scope | 0 | — |
 ### Security-Audit Findings (Step 14 — cycle 3 delta against cycle 2 baseline)
 12 carried + 1 new = 13 total. Cycle 3 net delta:
 | Status change | Count | Notable IDs |
 |---------------|-------|-------------|
 | Closed (HIGH → resolved) | 2 | F-DEP-1 (Vite/PostCSS CVEs — closed by cycle-2-tail `bun update`), OWASP A07 cold-load gap (closed by AZ-510) |
 | Strengthened (defense-in-depth) | 1 | STC-ARCH-01 exemption removed (closed by AZ-511) |
 | Newly introduced (LOW) | 1 | F-SAST-CY3-1 — `__resetBootstrapInflightForTests` exposed via `src/auth` barrel (AZ-510) |
 | Carried forward unchanged (HIGH) | 1 | F-SAST-1 (Google key in `mission-planner/` git history; production exposure NONE — see cycle 2 leftover L-AZ-501-GOOGLE-REVOKE) |
 | Carried forward unchanged (MEDIUM) | 7 | F-SAST-2/3, F-INF-1..4 (infra hardening backlog) |
 **Security verdict trajectory**: cycle 2 verdict FAIL → cycle 3 verdict **PASS_WITH_WARNINGS** (driver: all HIGH findings closed; one LOW hygiene item introduced; one HIGH carried at git-history layer with NONE production exposure).
 OWASP A06 (Vulnerable & Outdated Components): FAIL → **PASS**.
 OWASP A07 (Identification & Authentication Failures): PASS_WITH_KNOWN → **PASS**.
 ## Structural Metrics
 Source: `_docs/06_metrics/structure_2026-05-13.md` (this cycle), compared against `structure_2026-05-12.md` (cycle 1 close — cycle 2 introduced no structural changes).
 | Metric | Cycle 1 close | Cycle 2 close | Cycle 3 close | Δ vs cycle 2 |
 |--------|--------------|--------------|--------------|--------------|
 | Component count | 12 | 12 | 12 | 0 |
 | Public-API barrels | 11 / 11 (100 %) | 11 / 11 (100 %) | 11 / 11 (100 %) | 0 |
 | STC-ARCH-01 carve-out exemptions | 1 (`classColors`) | 1 | **0** | **−1** ✓ |
 | Commit-time static gates | 31 / 31 PASS | 33 / 33 PASS | 33 / 33 PASS | 0 (STC-ARCH-01 *strengthened*, no new gates added) |
 | Architecture cycles | 0 | 0 | 0 | 0 |
 | Architecture findings open (baseline F1–F9) | 7 of 9 | 7 of 9 | **6 of 9** | **−1** ✓ (F3 closed) |
 | Newly introduced architecture violations | 0 | 0 | 0 | 0 |
 | Net architecture delta this cycle | −2 | 0 | **−1** | continued improvement |
 | Wire-contract assertions (`endpoints.test.ts`) | 36 | 36 | **37** | +1 (`endpoints.admin.usersMe`) |
 | Fast-profile suite | 209 PASS / 13 SKIP / 0 FAIL | 229 PASS / 13 SKIP / 0 FAIL | **231 PASS / 13 SKIP / 0 FAIL** | +2 PASS |
 | Bundle (gzipped initial JS) | not measured | 290 465 B | 290 575 B | +110 B (+0.04 %; ~14 % budget) |
 ### Auto-lesson triggers (per skill Step 1)
 - Net Architecture delta > 0? **No** — delta is −1 (improvement). No `architecture` regression lesson required.
 - Structural metric regression > 20 %? **No** — every structural metric held or improved.
 - Contract coverage % decreased? **No** — wire-contract assertions +1 (37 vs 36).
 - New finding category emerged? **No** — security audit ran in delta mode against the cycle 2 baseline; categories are stable.
 ## Efficiency
 | Metric | Value | Δ vs cycle 2 |
 |--------|-------|--------------|
 | Blocked tasks (cycle-internal) | 0 | 0 |
 | Tasks deferred to backlog at spec gate | 1 (AZ-512) | +1 (new pattern) |
 | Cross-workspace prerequisite tickets filed | 1 (AZ-513 on `admin/`) | +1 (new pattern) |
 | Pre-existing bugs surfaced as side observations | 1 (`AdminPage.tsx` add+delete buttons broken end-to-end against live admin/) | +1 |
 | Tasks pending external user action (cycle-3 close) | **7** | +4 vs cycle 2's 3 |
 | Tasks requiring fixes after review | 0 | 0 |
 | Batch with most findings | none — 0 findings cycle-wide | n/a |
 | Auto-fix loops invoked | 0 | 0 |
 | Stuck-agent incidents | 0 | 0 |
 | Unplanned implementation-time test stabilization loops | 4 in batch 13 (AZ-510 module-scoped state ripple) | +4 (new pattern) |
 ### Blocker Analysis
 | Blocker Type | Count | Prevention |
 |--------------|-------|-----------|
 | Spec-defined cross-workspace BLOCKING gate (AZ-512) | 1 | Working as intended; the spec design (Cross-Workspace Verification gate) is the prevention. Codify as a reusable task spec template — see Improvement Action #1. |
 | Cycle-2 manual third-party action (key revocation) | 2 (carry; not actioned this cycle) | Action #1 from cycle 2 retro still valid; user-action backlog grew rather than drained. See Improvement Action #3. |
 | Cycle-2 cross-workspace deploy gate (satellite-provider) | 1 (carry; not actioned this cycle) | Same as above. |
 | Cycle-3 deploy push deferred (stage / main / admin/ dev) | 3 (new) | User chose option A (real cutover) but option A in push-scope (ui/ dev only); intentional, but adds to the backlog. |
 ### User-action backlog at cycle close (NEW METRIC — see Improvement Action #3)
 | Category | Count | Items |
 |----------|-------|-------|
 | Manual third-party console action | 2 | L-AZ-499-OWM-REVOKE, L-AZ-501-GOOGLE-REVOKE (carry from cycle 2) |
 | Cross-workspace deploy gate | 1 | L-AZ-498-DEPLOY (carry from cycle 2) |
 | Cross-workspace prerequisite ticket awaiting sibling-team work | 1 | AZ-513 implementation on `admin/` (new this cycle; blocks AZ-512 in `_docs/02_tasks/backlog/`) |
 | Cycle-3 deploy push pending | 3 | D-CY3-STAGE, D-CY3-MAIN, D-CY3-ADMIN-PUSH (new this cycle) |
 | **Total** | **7** | (cycle 1 close: 0 → cycle 2 close: 3 → cycle 3 close: 7) |
 This metric is monotonically growing across cycles. The growth is **not** a process regression — every item is a deliberate conservative-path choice (file prereq ticket vs. invent workaround; defer prod cutover vs. push without satellite-provider gate; etc.) — but the trajectory means the cost of those choices accumulates without an offsetting drain mechanism.
 ### User-decision points (cycle 3 only)
 - AZ-512 BLOCKING gate (Cross-Workspace Verification): user **skipped** the prompt → autodev defaulted to **Option A** (file prereq ticket on admin/, pause AZ-512). Spec-aligned, conservative, reversible.
 - Cycle-3 deploy gate (real cutover vs plan-only): user chose **A** (real cutover) — first time across cycles 1-3 the user chose anything other than plan-only.
 - Cycle-3 push-scope sub-gate: user chose **A** (ui/ dev only). Stage/main and admin/ dev push deferred.
 - Step 14 verdict (PASS_WITH_WARNINGS): no remediation gate fired (only LOW finding); auto-chained.
 - Step 15 (Performance Test): no separate report produced; static perf check confirmed green at deploy time (290 575 B / 14 % of budget).
 ## Trend Comparison
 | Trend | Cycle 1 | Cycle 2 | Cycle 3 | Direction |
 |-------|---------|---------|---------|-----------|
 | Code review pass rate (formally-reviewed batches) | 100 % | 50 % (1 PASS_WITH_WARNINGS, 1 no-review sub-step) | **100 %** (2/2 reviewed batches PASS) | ⬆ recovered to cycle-1 baseline |
 | Test count (cumulative this cycle delta) | +46 | +20 | +2 | declining; cycle 3 was deeper-fix-narrower-surface |
 | Static gate count | +2 | +2 | 0 (STC-ARCH-01 strengthened, no new gates) | held |
 | Architecture findings open (baseline) | 7 (−2) | 7 (0) | **6 (−1)** | ⬆ resumed monotonic decrease |
 | STC-ARCH-01 exemptions | 1 | 1 | **0** | first cycle to reach zero |
 | Wire-contract assertions | 36 | 36 | **37** (+1) | first growth since cycle 1 |
 | Pending USER actions at cycle close | 0 | 3 | **7** | ⬆ ⬆ — accumulating |
 | Tasks deferred to backlog at spec gate | 0 | 0 | **1** (AZ-512) | new pattern (working as designed) |
 The cycle 3 user-action backlog growth is a **structural side-effect of running spec-defined BLOCKING gates correctly**, not a process regression. AZ-512's gate caught a cross-workspace dependency that would otherwise have shipped a UI form against a 404 endpoint. The cost is one new entry in the backlog; the alternative was a production-broken affordance.
 ## Top 3 Improvement Actions
 1. **Codify "Cross-Workspace Verification BLOCKING gate" as a reusable task spec template**.
   AZ-512's spec is the canonical example: pre-implementation gate that requires the implementer to verify a sibling-workspace endpoint exists, with a spec invariant ("Do not invent a workaround that bypasses the missing endpoint") and a fallback-A priority (file prereq ticket on the sibling workspace). Without that gate, batch 15 would have shipped a UI affordance against a 404 endpoint. Future tasks that touch UI ↔ admin / UI ↔ satellite-provider / UI ↔ annotations-service boundaries should always include this gate.
   - Impact: high — directly addresses the recurring cross-workspace coordination cost; prevents a class of "ships visibly broken in production" bugs that the AZ-512 / `AdminPage.tsx` add+delete side observation showed already exists in pre-AZ-512 code.
   - Effort: low — add `_docs/02_tasks/_templates/cross_workspace_dependency.md` with the gate scaffold (verify-step + spec invariant + 3-option fallback ladder) and reference from `.cursor/skills/new-task/SKILL.md` "Task Type Detection" section.
 2. **Standardize a "module-scoped state introduction" task template / batch checklist**.
   AZ-510's `bootstrapInflight` module-scoped promise was the right architectural choice for StrictMode-safe bootstrap dedupe but cost ~4 separate fix loops in test setup during implementation: (a) `ProtectedRoute.test.tsx` hangs from leaked never-resolving promise → fix via test-only reset hook; (b) STC-ARCH-01 violation when `tests/setup.ts` deep-imported the helper → fix via barrel re-export; (c) widespread test crashes from default MSW `/users/me` handler missing `permissions` field → fix via defensive `hasPermission` + handler seeding; (d) bulk handler swap in 15 test files (`http.get('/api/admin/auth/refresh')` → `http.post`) needed because POST production behavior bypassed the existing GET overrides. Each was straightforward in isolation but compounded the batch's wall-clock cost. A pre-implementation checklist would have caught (a)+(b) before code was written.
   - Impact: medium — directly reduces ripple-cost of architecturally-correct module-scoped state introductions; the pattern recurs anywhere React 18 StrictMode dedupe is needed.
   - Effort: low — add `_docs/02_tasks/_templates/module_scoped_state_introduction.md` (NEW) with the 4-item checklist (reset-hook plan, afterEach audit, default-fixture invariant check, mock ripple plan); cite AZ-510 as canonical example.
 3. **Track "user-action backlog at cycle close" as a first-class retrospective metric**.
   Backlog grew 0 → 3 → 7 across cycles 1-3. Each item is a deliberate conservative-path choice (file prereq ticket; defer prod cutover; defer key revocation), but the monotonic accumulation is a process-shape signal. Without a per-cycle measurement and a draining mechanism, the backlog will keep growing and the "cost of conservative defaults" stays invisible. The drain mechanism could be a "Step 0 leftover sweep" in each cycle's first invocation (already partially defined in `tracker.mdc` Leftovers Mechanism), but today the autodev does not measure whether the sweep actually moved the backlog count down.
   - Impact: medium — surfaces accumulating debt that today is only visible by reading the leftovers folder. Makes user-action items first-class deliverables of the process, not silent drag.
   - Effort: low — extend `.cursor/skills/retrospective/SKILL.md` Step 1 metric collection with a "user-action backlog" subsection (categories: manual third-party / cross-workspace prereq / cross-workspace deploy / push pending), and add to the retrospective-report template.
 ## Suggested Rule / Skill Updates
 | File | Change | Rationale |
 |------|--------|-----------|
 | `_docs/02_tasks/_templates/cross_workspace_dependency.md` | NEW file. Pre-implementation BLOCKING gate (verify the prerequisite exists in `<sibling/>` source); spec invariant ("Do not invent a workaround that bypasses the missing endpoint"); fallback-A priority (file prereq ticket on sibling, pause until lands); options B/C/D for the user; AZ-512 ↔ AZ-513 as canonical example. | §Top 3 Improvement Action #1. |
 | `.cursor/skills/new-task/SKILL.md` (Task Type Detection) | Add "cross-workspace-dependent" trigger phrase set ("touches `admin/`", "depends on `satellite-provider`", "needs new endpoint in `<sibling>`", "calls `/api/admin/<new>`") that suggests the new template. | §Top 3 Improvement Action #1 enablement. |
 | `_docs/02_tasks/_templates/module_scoped_state_introduction.md` | NEW file. 4-item pre-implementation checklist: (a) plan test-only reset hook in same batch; (b) audit `afterEach` hooks in `tests/setup.ts`; (c) check default test fixtures still satisfy invariants if helpers consume them; (d) plan ripple swaps in handler mocks (HTTP method / wire shape changes). Cite AZ-510 as canonical example. | §Top 3 Improvement Action #2. |
 | `.cursor/skills/retrospective/SKILL.md` (Step 1 metrics) | Add **"User-action backlog at cycle close"** metric: count of unresolved leftover items, broken down by category (manual third-party / cross-workspace prereq / cross-workspace deploy / push pending). Also add cross-workspace prerequisite tickets count and pre-existing bugs surfaced as side observations. | §Top 3 Improvement Action #3. |
 | `.cursor/skills/retrospective/templates/retrospective-report.md` | Add a "User-action backlog at cycle close" subsection under Efficiency with the same category breakdown; include trend across previous cycles. | §Top 3 Improvement Action #3. |
 | `_docs/LESSONS.md` (top) | Append the 3 lessons in §LESSONS Append below; trim to ≤ 15 entries. | Skill Step 4. |
 ## Notes — Step 16 outcome
 Step 16 (Deploy) ran in **real-cutover mode (option A)** for the first time across cycles 1-3. Push scope was ui/ `dev` only (5 commits, fast-forward `15838c5..09449bd`). Stage / main / admin/ `dev` pushes were deferred at the push-scope sub-gate (user chose option A — ui/ dev only).
 - Devices will not auto-pull cycle-3 changes until `dev → stage → main` completes (D-CY3-STAGE, D-CY3-MAIN).
 - AZ-513 task spec sits locally on `admin/` `dev` — admin/ team cannot pick it up until D-CY3-ADMIN-PUSH lands.
 - No Dockerfile / `.woodpecker/` / nginx / env changes in cycle 3, so no deployment-doc rewrites this cycle (verified via `git diff --stat 70fb452^..HEAD` on those paths — empty).
 These four items add to the user-action backlog; see §Efficiency → User-action backlog table.
 ## LESSONS Append (top 3, single-sentence, tagged)
 1. **[process]** When a task spec defines a Cross-Workspace Verification BLOCKING gate and the user skips the choice prompt, the autodev MUST default to the most conservative spec-aligned option (Option A: file prerequisite ticket on the sibling workspace, park the task in `backlog/`) — never invent a workaround that bypasses the missing dependency, never silently ship a UI affordance against a non-existent endpoint, and always preserve the user's ability to override at the next invocation, exactly as AZ-512 → AZ-513 demonstrated.
 2. **[architecture]** Introducing a module-scoped state guard in production source (e.g., a top-level `let bootstrapInflight: Promise | null = null` for React 18 StrictMode dedupe) requires the same batch to ship 4 coupled changes — (a) a test-only reset hook re-exported via the public barrel (STC-ARCH-01 compliance), (b) an `afterEach` reset in `tests/setup.ts`, (c) a defensive default-fixture invariant check (e.g., MSW handler must seed required nullable fields the helper consumes), (d) a planned ripple swap in handler mocks for any HTTP method or wire-shape change — skipping any one costs a separate test-stabilization loop, as AZ-510's ~4-attempt arc demonstrated.
 3. **[process]** Track "user-action backlog at cycle close" as a first-class retrospective metric (count of leftover items broken down by manual-third-party / cross-workspace-prerequisite / cross-workspace-deploy / push-pending categories) — backlog grew monotonically 0 → 3 → 7 across cycles 1-3 and that accumulation is a process-shape signal, not noise; surfacing it makes the cost of conservative-path defaults visible per cycle and creates pressure for an explicit drain mechanism (Step 0 sweep that actually closes items, not just notices them).
@@ -0,0 +1,91 @@
 # Structural Snapshot — 2026-05-13 (Phase B Cycle 3 close)
 **Cycle**: Phase B, cycle 3 (`state.cycle = 3`)
 **Source-of-truth files**: `_docs/02_document/module-layout.md`, `_docs/02_document/architecture_compliance_baseline.md`, `scripts/check-arch-imports.mjs`, `scripts/run-tests.sh`, `src/api/endpoints.test.ts`.
 **Previous snapshot**: `_docs/06_metrics/structure_2026-05-12.md` (Phase B cycle 1 close).
 ## Component Inventory
 | Metric | Cycle 1 close | Cycle 3 close | Δ |
 |--------|--------------|--------------|---|
 | Component count | 12 | 12 | 0 |
 | Components with Public API barrels | 11 | 11 | 0 |
 | Barrel coverage (eligible components) | 11 / 11 = 100 % | 11 / 11 = 100 % | 0 |
 | Documented feature→feature edges (grandfathered) | 1 (`07_dataset → 06_annotations`) | 1 (unchanged) | 0 |
 | Documented STC-ARCH-01 carve-out exemptions | 1 (`classColors` direct path) | **0** | **−1** ✓ |
 | Cycles in component import graph | 0 | 0 | 0 |
 The single STC-ARCH-01 exemption that survived cycles 1–2 is gone. AZ-511 carved out `classColors` to its own `src/class-colors/` component with a public barrel, and `scripts/check-arch-imports.mjs` `ARCH_IMPORTS_EXEMPT_RE` now equals `null`. The 5-coupled-places carry-over surface logged in cycle 1's retro is fully retired.
 ## Architecture Gates (cycle 3 close)
 | Gate | Added in | Enforces | Status (cycle 3 close) |
 |------|----------|----------|------------------------|
 | `STC-ARCH-01` | Cycle 1 / AZ-485 | No cross-component deep imports; barrels are the Public API | PASS (now with **zero exemptions**) |
 | `STC-ARCH-02` | Cycle 1 / AZ-486 | No hardcoded `/api/<service>/...` literals in production source | PASS |
 | `STC-SEC1C` | Cycle 2 / AZ-499 | Banned literal: OpenWeatherMap key | PASS |
 | `STC-SEC1D` | Cycle 2 / AZ-501 | Banned literal: Google Geocode key | PASS |
 Total commit-time static gates: **33** (cycle 2 close = 33; cycle 3 close = 33 — no new gates this cycle). STC-ARCH-01 was *strengthened* (exemption removed), not added new.
 ## Architecture Baseline Delta vs `architecture_compliance_baseline.md`
 | Finding | Category | Cycle 1 close | Cycle 2 close | Cycle 3 close |
 |---------|----------|---------------|---------------|---------------|
 | F1 — mission-planner vs flights duplication | Architecture | Open | Open | Open |
 | F2 — cross-feature edge `07_dataset → 06_annotations` | Architecture | Open (grandfathered) | Open | Open |
 | F3 — classColors physical/logical owner split | Architecture | Open | Open | **RESOLVED (AZ-511)** |
 | F4 — No Public API barrels | Architecture | RESOLVED (AZ-485) | RESOLVED | RESOLVED |
 | F5 — Pre-existing cycle inside `mission-planner` | Architecture | Open | Open | Open |
 | F6 — No `src/shared/` | Architecture | Open | Open | Open |
 | F7 — Hardcoded `/api/<service>/` literals | Architecture | RESOLVED (AZ-486) | RESOLVED | RESOLVED |
 | F8 — Layering-table inconsistency | Architecture | Open | Open | Open |
 | F9 — Inert second Vite entry tree | Architecture | Open | Open | Open |
 Plus the per-cycle verification-log finding **B3** (Auth bootstrap missing `credentials:'include'`) was tracked in `_docs/02_document/04_verification_log.md` and **closed by AZ-510 in cycle 3**.
 - **Resolved this cycle**: 1 baseline finding (F3) + 1 verification-log finding (B3)
 - **Newly introduced this cycle**: 0
 - **Architecture findings open at cycle 3 close**: 6 of 9 baseline (F1, F2, F5, F6, F8, F9)
 - **Net architecture delta cycle 3**: −1 baseline (improvement)
 ## Contract Coverage
 - `_docs/02_document/contracts/` does NOT exist; project uses **code-derived contracts pattern** via `src/api/endpoints.test.ts`.
 - Wire-contract assertions count: cycle 1 = 36, cycle 2 = 36, cycle 3 = **37** (+1; AZ-510 added `endpoints.admin.usersMe()`).
 ## Test Suite Snapshot
 | Profile | Cycle 1 close | Cycle 2 close | Cycle 3 close | Δ vs cycle 2 |
 |---------|---------------|---------------|---------------|--------------|
 | Fast (count) | 209 PASS / 13 SKIP / 0 FAIL | 229 PASS / 13 SKIP / 0 FAIL | **231 PASS / 13 SKIP / 0 FAIL** | +2 PASS, 0 SKIP |
 | Static (gates) | 31 / 31 PASS | 33 / 33 PASS | 33 / 33 PASS | 0 |
 | Build | green (no circular warnings) | green | green | 0 |
 | Bundle (gzipped initial JS) | not measured | 290 465 B | **290 575 B** | +110 B (+0.04 %) |
 Bundle delta is well within budget (≤ 2 097 152 B threshold; ~14 % utilization).
 ## Cycle 3 Source-of-Truth Mutations
 | File / area | Mutation | Driver |
 |-------------|----------|--------|
 | `src/auth/AuthContext.tsx` | POST refresh + chained `/users/me` + module-scoped `bootstrapInflight` + test-only reset hook | AZ-510 (B3 / Vision P3) |
 | `src/auth/index.ts` | Re-exports `__resetBootstrapInflightForTests` | AZ-510 (STC-ARCH-01 compliance) |
 | `src/api/endpoints.ts` | Added `usersMe: () => '/api/admin/users/me'` builder | AZ-510 (STC-ARCH-02 compliance) |
 | `src/class-colors/` | New component directory: `classColors.ts` (`git mv` from `src/features/annotations/`) + `index.ts` (new barrel) | AZ-511 (F3) |
 | `src/components/DetectionClasses.tsx`, `src/features/annotations/{CanvasEditor,AnnotationsSidebar,AnnotationsPage}.tsx` | Import path swap to barrel | AZ-511 (F3) |
 | `src/features/annotations/index.ts` | Removed F3 carry-over comment block | AZ-511 (cleanup) |
 | `scripts/check-arch-imports.mjs` | `ARCH_IMPORTS_EXEMPT_RE = null`; `class-colors` added to `COMPONENT_DIRS` | AZ-511 (gate strengthening) |
 | `tests/architecture_imports.test.ts` | AC-4 inverted to assert deep imports FAIL | AZ-511 (regression guard) |
 ## Sources
 - `_docs/03_implementation/batch_13_cycle3_report.md` (AZ-510)
 - `_docs/03_implementation/batch_14_cycle3_report.md` (AZ-511)
 - `_docs/03_implementation/batch_15_cycle3_report.md` (AZ-512 deferred)
 - `_docs/03_implementation/implementation_report_auth_classcolors_cycle3.md`
 - `_docs/03_implementation/implementation_completeness_cycle3_report.md`
 - `_docs/03_implementation/deploy_cycle3_report.md`
 - `_docs/05_security/security_report_cycle3_delta.md`
 - `_docs/02_document/module-layout.md`
 - `_docs/02_document/architecture_compliance_baseline.md`
@@ -8,6 +8,36 @@ Categories: estimation · architecture · testing · dependencies · tooling ·
 ---
 - [2026-05-13] [process] When a task spec defines a Cross-Workspace Verification
  BLOCKING gate and the user skips the choice prompt, the autodev MUST default
  to the most conservative spec-aligned option (Option A: file prerequisite
  ticket on the sibling workspace, park the task in `backlog/`) — never invent
  a workaround that bypasses the missing dependency, never silently ship a UI
  affordance against a non-existent endpoint, and always preserve the user's
  ability to override at the next invocation (AZ-512 → AZ-513 pattern).
  Source: _docs/06_metrics/retro_2026-05-13_cycle3.md
 - [2026-05-13] [architecture] Introducing a module-scoped state guard in
  production source (e.g., a top-level `let bootstrapInflight: Promise | null
  = null` for React 18 StrictMode dedupe) requires the same batch to ship 4
  coupled changes — (a) a test-only reset hook re-exported via the public
  barrel (STC-ARCH-01 compliance), (b) an `afterEach` reset in
  `tests/setup.ts`, (c) a defensive default-fixture invariant check (e.g.,
  MSW handler must seed required nullable fields the helper consumes), (d) a
  planned ripple swap in handler mocks for any HTTP method or wire-shape
  change — skipping any one costs a separate test-stabilization loop, as
  AZ-510's ~4-attempt arc demonstrated.
  Source: _docs/06_metrics/retro_2026-05-13_cycle3.md
 - [2026-05-13] [process] Track "user-action backlog at cycle close" as a
  first-class retrospective metric (count of leftover items broken down by
  manual-third-party / cross-workspace-prerequisite / cross-workspace-deploy
  / push-pending categories) — backlog grew monotonically 0 → 3 → 7 across
  cycles 1-3 and that accumulation is a process-shape signal, not noise;
  surfacing it makes the cost of conservative-path defaults visible per
  cycle and creates pressure for an explicit drain mechanism.
  Source: _docs/06_metrics/retro_2026-05-13_cycle3.md
 - [2026-05-12] [process] When externalizing a committed API key, always follow
  the 4-step rotation discipline: (a) extract to env-var via a service module
  so unit tests can stub it, (b) add a literal-scan static gate (STC-SECx)
@@ -10,9 +10,11 @@ sub_step:
  name: awaiting-invocation
  detail: ""
 retry_count: 0
-cycle: 3
+cycle: 4
 tracker: jira
 ## Notes
- Cycle 3 Step 10 (Implement) shipped 6 of 9 points: AZ-510 + AZ-511 done; AZ-512 deferred to backlog/ at its BLOCKING cross-workspace verification gate (admin/ workspace lacks the prerequisite /classes routes). Leftover: `_docs/_process_leftovers/2026-05-13_az-512-admin-classes-prereq.md`.
+- Cycle 4 batch 16 shipped (commit ecacfa8): AZ-512 — 3/3 pts. Jira: To Do → In Testing.
- Cycle 2 leftovers still pending (deploy + manual key revocations).
+- Cross-workspace: AZ-513 on admin/ NOT shipped. Step 16 (Deploy) gates on it.
 - Leftovers: `2026-05-12_az-498-deploy-and-key-revocations.md` (manual), `2026-05-13_az-512-admin-classes-prereq.md` (re-opened).
 - Pre-existing bug surfaced during AZ-512: `/api/admin/users` MSW shape (paginated) vs `AdminPage` consumption (flat `User[]`) mismatch. Flagged in batch + impl reports; needs separate UI ticket triage.
@@ -2,6 +2,8 @@
 > **PARTIALLY RESOLVED 2026-05-13T03:51+02:00** — prerequisite ticket **AZ-513** was filed on the admin/ workspace (Jira Task, parent epic AZ-509, "Blocks" link to AZ-512). Matching task spec written to `admin/_docs/02_tasks/todo/AZ-513_classes_crud_routes.md`. AZ-512 carries a comment pointing at AZ-513. Replay obligation below now waits on AZ-513 shipping (admin/ side work), not on the autodev session itself.
 > **RE-OPENED 2026-05-13T04:17+03:00 (cycle 4)** — user explicitly chose Option B from the original gate: implement AZ-512 in the UI workspace with MSW-stubbed tests in parallel with AZ-513 shipping on admin/. AZ-512 moved back to `_docs/02_tasks/todo/`. This leftover stays open until AZ-513 ships on admin/ AND the UI's Step 16 (Deploy) gate verifies live wire shape against the deployed admin/ build — at that point delete this entry.
 ## Summary
 AZ-512 (Admin edit detection class) hit its spec-defined Cross-Workspace Verification BLOCKING gate during cycle 3 batch 15 implementation in the UI workspace. The `admin/` sibling service (Azaion.AdminApi) does not expose `/classes` routes at all. This leftover records (a) the deferred AZ-512 work in the UI, and (b) a separately-noted pre-existing bug discovered during verification.
@@ -1,9 +1,12 @@
-import { useState, useEffect } from 'react'
+import { useState, useEffect, type KeyboardEvent } from 'react'
 import { useTranslation } from 'react-i18next'
 import { api, endpoints } from '../../api'
 import { ConfirmDialog } from '../../components'
 import type { DetectionClass, Aircraft, User } from '../../types'
 type EditForm = { name: string; shortName: string; color: string; maxSizeM: number }
 type EditErrorKind = 'nameRequired' | 'maxSizeMustBePositive' | 'updateFailed'
 export default function AdminPage() {
  const { t } = useTranslation()
  const [classes, setClasses] = useState<DetectionClass[]>([])
@@ -12,6 +15,12 @@ export default function AdminPage() {
  const [newClass, setNewClass] = useState({ name: '', shortName: '', color: '#FF0000', maxSizeM: 7 })
  const [newUser, setNewUser] = useState({ name: '', email: '', password: '', role: 'Annotator' })
  const [deactivateId, setDeactivateId] = useState<string | null>(null)
  // AZ-512 — inline edit state. Single `editingId` (not per-row) so opening
  // one row's editor implicitly closes any other (Risk 3 mitigation).
  const [editingId, setEditingId] = useState<number | null>(null)
  const [editForm, setEditForm] = useState<EditForm>({ name: '', shortName: '', color: '#FF0000', maxSizeM: 0 })
  const [editError, setEditError] = useState<EditErrorKind | null>(null)
  const [editSaving, setEditSaving] = useState(false)
  useEffect(() => {
    api.get<DetectionClass[]>(endpoints.annotations.classes()).then(setClasses).catch(() => {})
@@ -32,6 +41,44 @@ export default function AdminPage() {
    setClasses(prev => prev.filter(c => c.id !== id))
  }
  const handleStartEdit = (c: DetectionClass) => {
    setEditingId(c.id)
    setEditForm({ name: c.name, shortName: c.shortName, color: c.color, maxSizeM: c.maxSizeM })
    setEditError(null)
    setEditSaving(false)
  }
  const handleCancelEdit = () => {
    setEditingId(null)
    setEditError(null)
    setEditSaving(false)
  }
  const handleUpdateClass = async () => {
    if (editingId === null || editSaving) return
    if (!editForm.name.trim()) { setEditError('nameRequired'); return }
    if (!(editForm.maxSizeM > 0)) { setEditError('maxSizeMustBePositive'); return }
    setEditError(null)
    setEditSaving(true)
    try {
      // Risk 2 mitigation — always send the complete form so backend PATCH
      // semantics (full-replace vs partial-merge) don't matter.
      await api.patch(endpoints.admin.class(editingId), editForm)
      const updated = await api.get<DetectionClass[]>(endpoints.annotations.classes())
      setClasses(updated)
      setEditingId(null)
    } catch {
      setEditError('updateFailed')
    } finally {
      setEditSaving(false)
    }
  }
  const handleEditKeyDown = (e: KeyboardEvent<HTMLElement>) => {
    if (e.key === 'Enter') { e.preventDefault(); void handleUpdateClass() }
    else if (e.key === 'Escape') { e.preventDefault(); handleCancelEdit() }
  }
  const handleAddUser = async () => {
    if (!newUser.email || !newUser.password) return
    await api.post(endpoints.admin.users(), newUser)
@@ -56,7 +103,7 @@ export default function AdminPage() {
    <div className="flex h-full overflow-y-auto p-4 gap-4">
      {/* Detection classes */}
      <div className="w-[340px] shrink-0">
-        <h2 className="text-sm font-semibold text-white mb-2">{t('admin.classes')}</h2>
+        <h2 className="text-sm font-semibold text-white mb-2">{t('admin.classes.title')}</h2>
        <div className="bg-az-panel border border-az-border rounded overflow-hidden">
          <table className="w-full text-xs">
            <thead>
@@ -68,12 +115,75 @@ export default function AdminPage() {
              </tr>
            </thead>
            <tbody>
-              {classes.map(c => (
+              {classes.map(c => c.id === editingId ? (
                <tr key={c.id} className="border-b border-az-border text-az-text bg-az-bg/40" data-editing-row={c.id}>
                  <td className="px-2 py-1 align-top">{c.id}</td>
                  <td colSpan={3} className="px-2 py-1">
                    <div className="flex flex-wrap gap-1 items-center" onKeyDown={handleEditKeyDown}>
                      <input
                        autoFocus
                        data-field="name"
                        value={editForm.name}
                        onChange={e => setEditForm(p => ({ ...p, name: e.target.value }))}
                        className="flex-1 min-w-[80px] bg-az-bg border border-az-border rounded px-1 py-0.5 text-az-text"
                      />
                      <input
                        data-field="shortName"
                        value={editForm.shortName}
                        onChange={e => setEditForm(p => ({ ...p, shortName: e.target.value }))}
                        className="w-12 bg-az-bg border border-az-border rounded px-1 py-0.5 text-az-text"
                      />
                      <input
                        type="color"
                        data-field="color"
                        value={editForm.color}
                        onChange={e => setEditForm(p => ({ ...p, color: e.target.value }))}
                        className="w-7 h-6 border-0 bg-transparent cursor-pointer"
                      />
                      <input
                        type="number"
                        data-field="maxSizeM"
                        value={editForm.maxSizeM}
                        onChange={e => setEditForm(p => ({ ...p, maxSizeM: Number(e.target.value) }))}
                        className="w-14 bg-az-bg border border-az-border rounded px-1 py-0.5 text-az-text"
                      />
                      <button
                        onClick={() => void handleUpdateClass()}
                        disabled={editSaving}
                        className="bg-az-orange text-white px-2 py-0.5 rounded disabled:opacity-50"
                      >
                        {t('admin.classes.save')}
                      </button>
                      <button
                        onClick={handleCancelEdit}
                        disabled={editSaving}
                        className="bg-az-bg border border-az-border text-az-text px-2 py-0.5 rounded disabled:opacity-50"
                      >
                        {t('admin.classes.cancel')}
                      </button>
                    </div>
                    {editError && (
                      <div role="alert" className="mt-1 text-az-red">
                        {t(`admin.classes.${editError}`)}
                      </div>
                    )}
                  </td>
                </tr>
              ) : (
                <tr key={c.id} className="border-b border-az-border text-az-text">
                  <td className="px-2 py-1">{c.id}</td>
                  <td className="px-2 py-1">{c.name}</td>
                  <td className="px-2 py-1 text-center"><span className="inline-block w-3 h-3 rounded-full" style={{ backgroundColor: c.color }} /></td>
-                  <td className="px-2 py-1"><button onClick={() => handleDeleteClass(c.id)} className="text-az-muted hover:text-az-red">×</button></td>
+                  <td className="px-2 py-1 text-right whitespace-nowrap">
                    <button
                      onClick={() => handleStartEdit(c)}
                      aria-label={t('admin.classes.edit')}
                      className="text-az-muted hover:text-az-orange mr-1"
                    >
                      {'\u270E'}
                    </button>
                    <button onClick={() => handleDeleteClass(c.id)} className="text-az-muted hover:text-az-red">×</button>
                  </td>
                </tr>
              ))}
            </tbody>
@@ -114,7 +114,15 @@
  },
  "admin": {
    "title": "Admin",
-    "classes": "Detection Classes",
+    "classes": {
      "title": "Detection Classes",
      "edit": "Edit",
      "save": "Save",
      "cancel": "Cancel",
      "nameRequired": "Name is required",
      "maxSizeMustBePositive": "Max size must be a positive number",
      "updateFailed": "Update failed. Please try again."
    },
    "aiSettings": "AI Recognition Settings",
    "gpsSettings": "GPS Device Settings",
    "aircrafts": "Default Aircrafts",
@@ -114,7 +114,15 @@
  },
  "admin": {
    "title": "Адмін",
-    "classes": "Класи детекцій",
+    "classes": {
      "title": "Класи детекцій",
      "edit": "Редагувати",
      "save": "Зберегти",
      "cancel": "Скасувати",
      "nameRequired": "Назва обов'язкова",
      "maxSizeMustBePositive": "Максимальний розмір має бути додатнім числом",
      "updateFailed": "Не вдалося оновити. Спробуйте ще раз."
    },
    "aiSettings": "AI Налаштування",
    "gpsSettings": "GPS Пристрій",
    "aircrafts": "Літальні апарати",
@@ -0,0 +1,370 @@
 import { describe, it, expect, beforeEach, afterEach } from 'vitest'
 import { http } from 'msw'
 import { server } from './msw/server'
 import { jsonResponse, errorResponse } from './msw/helpers'
 import { renderWithProviders, screen, fireEvent, waitFor, userEvent, within } from './helpers/render'
 import { seedBearer, clearBearer } from './helpers/auth'
 import { AdminPage } from '../src/features/admin'
 import type { DetectionClass } from '../src/types'
 // AZ-512 — Admin: edit existing detection class (inline form + PATCH wiring).
 //
 // AC-1 — edit affordance visible on every class row
 // AC-2 — clicking edit opens inline form, seeded values, single-row at a time
 // AC-3 — Save → exactly one PATCH /api/admin/classes/{id} with full body;
 //         row re-renders with new values; form closes
 // AC-3 — Enter inside form behaves like Save
 // AC-4 — Cancel button → no network call; row reverts
 // AC-4 — Escape inside form behaves like Cancel
 // AC-5 — empty name OR non-positive maxSizeM → no PATCH; inline error visible
 // AC-6 — PATCH 500 → form stays open; inline error visible; no alert()
 // AC-7 — covered by the static FT-P-22 parity gate (scripts/check-i18n-coverage.mjs)
 //         which runs in CI; AdminPage uses `t('admin.classes.<key>')` for every
 //         user-visible new string. No runtime test added here.
 // AC-8 — regression guards for add + delete behaviour (no dedicated AdminPage
 //         test suite predates this file; cover the smallest happy path).
 //
 // Cross-workspace note: as of AZ-512 ship, the admin/ sibling service does NOT
 // expose PATCH /api/admin/classes/{id} (verified 2026-05-13). Tests pass on
 // MSW stubs; Step 11 (Run Tests) is therefore passable on stubs; Step 16
 // (Deploy) gates on AZ-513 landing on admin/.
 const TWO_CLASSES: DetectionClass[] = [
  { id: 1, name: 'class-a', shortName: 'a', color: '#ff0000', maxSizeM: 7, photoMode: 0 },
  { id: 2, name: 'class-b', shortName: 'b', color: '#00ff00', maxSizeM: 5, photoMode: 0 },
 ]
 function setClassesHandler(classes: DetectionClass[]) {
  server.use(http.get('/api/annotations/classes', () => jsonResponse(classes)))
 }
 // Pre-existing bug: the default `/api/admin/users` handler returns
 // `paginate(seedUsers)` → `{ items, totalCount, ... }`, but AdminPage does
 // `setUsers(response)` expecting `User[]`, then crashes on `users.map`. The
 // catch() swallows fetch errors but not the subsequent React render error.
 // Sidestep here by returning a plain array — does NOT fix the underlying
 // shape mismatch (out of scope for AZ-512; flag in batch report).
 function stubUsersAsPlainArray() {
  server.use(http.get('/api/admin/users', () => jsonResponse([])))
 }
 function capturePatchCalls() {
  const calls: { url: string; body: unknown }[] = []
  server.use(
    http.patch('/api/admin/classes/:id', async ({ params, request }) => {
      const body = (await request.json().catch(() => ({}))) as Record<string, unknown>
      calls.push({ url: `/api/admin/classes/${String(params.id)}`, body })
      return jsonResponse({ id: Number(params.id), ...body })
    }),
  )
  return calls
 }
 function getRow(idText: string): HTMLElement {
  const cell = screen.getByText(idText, { selector: 'td' })
  const tr = cell.closest('tr')
  if (!tr) throw new Error(`row for "${idText}" not found`)
  return tr as HTMLElement
 }
 async function clickEdit(rowIdText: string) {
  // Arrange — find the editable row by its id-cell, then its pencil button.
  const row = getRow(rowIdText)
  const editBtn = within(row).getByRole('button', { name: /edit|редагувати/i })
  await userEvent.click(editBtn)
 }
 beforeEach(() => {
  seedBearer()
  setClassesHandler(TWO_CLASSES)
  stubUsersAsPlainArray()
 })
 afterEach(() => {
  clearBearer()
 })
 describe('AZ-512 / AdminPage — inline detection-class edit', () => {
  describe('AC-1: edit affordance visible on every class row', () => {
    it('renders a pencil button per row', async () => {
      // Act
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      // Assert — one edit button per class row.
      const editButtons = await screen.findAllByRole('button', { name: /edit|редагувати/i })
      expect(editButtons.length).toBe(TWO_CLASSES.length)
    })
  })
  describe('AC-2: clicking edit opens inline form with seeded values', () => {
    it('row 1 enters edit mode with name="class-a"; other rows stay read-only', async () => {
      // Arrange
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      // Act
      await clickEdit('1')
      // Assert — form is visible inside row 1.
      const row1 = getRow('1')
      const nameInput = within(row1).getByDisplayValue('class-a') as HTMLInputElement
      expect(nameInput).toBeInTheDocument()
      const shortInput = within(row1).getByDisplayValue('a') as HTMLInputElement
      expect(shortInput).toBeInTheDocument()
      const maxSize = within(row1).getByDisplayValue('7') as HTMLInputElement
      expect(maxSize).toBeInTheDocument()
      // Assert — row 2 stays read-only: the row still shows the plain text name.
      const row2 = getRow('2')
      expect(within(row2).getByText('class-b')).toBeInTheDocument()
    })
    it('opening edit on row 2 while row 1 is editing closes row 1 (single-row invariant)', async () => {
      // Arrange
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      await clickEdit('1')
      expect(within(getRow('1')).getByDisplayValue('class-a')).toBeInTheDocument()
      // Act
      await clickEdit('2')
      // Assert — row 1 reverts; row 2 now hosts the form.
      expect(within(getRow('1')).getByText('class-a')).toBeInTheDocument()
      expect(within(getRow('2')).getByDisplayValue('class-b')).toBeInTheDocument()
    })
  })
  describe('AC-3: Save sends PATCH and refreshes', () => {
    it('Save button → one PATCH with full body, row re-renders, form closes', async () => {
      // Arrange — capture PATCH; second GET returns the renamed class.
      const patchCalls = capturePatchCalls()
      let getCount = 0
      server.use(
        http.get('/api/annotations/classes', () => {
          getCount += 1
          if (getCount === 1) return jsonResponse(TWO_CLASSES)
          return jsonResponse([{ ...TWO_CLASSES[0], name: 'class-a-renamed' }, TWO_CLASSES[1]])
        }),
      )
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      // Act
      await clickEdit('1')
      const row1 = getRow('1')
      const nameInput = within(row1).getByDisplayValue('class-a') as HTMLInputElement
      await userEvent.clear(nameInput)
      await userEvent.type(nameInput, 'class-a-renamed')
      await userEvent.click(within(row1).getByRole('button', { name: /^save$|^зберегти$/i }))
      // Assert — exactly one PATCH with the complete editable shape.
      await waitFor(() => expect(patchCalls.length).toBe(1))
      expect(patchCalls[0].url).toBe('/api/admin/classes/1')
      expect(patchCalls[0].body).toEqual({
        name: 'class-a-renamed',
        shortName: 'a',
        color: '#ff0000',
        maxSizeM: 7,
      })
      // Assert — row re-renders read-only with the new name.
      await waitFor(() => {
        expect(screen.getByText('class-a-renamed')).toBeInTheDocument()
      })
    })
    it('Enter key inside form behaves like Save', async () => {
      // Arrange
      const patchCalls = capturePatchCalls()
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      await clickEdit('1')
      const row1 = getRow('1')
      const nameInput = within(row1).getByDisplayValue('class-a') as HTMLInputElement
      await userEvent.clear(nameInput)
      await userEvent.type(nameInput, 'pressed-enter')
      // Act
      fireEvent.keyDown(nameInput, { key: 'Enter' })
      // Assert
      await waitFor(() => expect(patchCalls.length).toBe(1))
      expect((patchCalls[0].body as { name: string }).name).toBe('pressed-enter')
    })
  })
  describe('AC-4: Cancel discards edits without network', () => {
    it('Cancel button → no PATCH; row reverts', async () => {
      // Arrange
      const patchCalls = capturePatchCalls()
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      await clickEdit('1')
      const row1 = getRow('1')
      const nameInput = within(row1).getByDisplayValue('class-a') as HTMLInputElement
      await userEvent.clear(nameInput)
      await userEvent.type(nameInput, 'never-saved')
      // Act
      await userEvent.click(within(row1).getByRole('button', { name: /^cancel$|^скасувати$/i }))
      // Assert — original value back; no PATCH issued.
      expect(within(getRow('1')).getByText('class-a')).toBeInTheDocument()
      expect(patchCalls.length).toBe(0)
    })
    it('Escape key inside form behaves like Cancel', async () => {
      // Arrange
      const patchCalls = capturePatchCalls()
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      await clickEdit('1')
      const row1 = getRow('1')
      const nameInput = within(row1).getByDisplayValue('class-a') as HTMLInputElement
      // Act
      fireEvent.keyDown(nameInput, { key: 'Escape' })
      // Assert
      expect(within(getRow('1')).getByText('class-a')).toBeInTheDocument()
      expect(patchCalls.length).toBe(0)
    })
  })
  describe('AC-5: validation prevents invalid submits', () => {
    it('empty name → no PATCH; nameRequired error visible', async () => {
      // Arrange
      const patchCalls = capturePatchCalls()
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      await clickEdit('1')
      const row1 = getRow('1')
      const nameInput = within(row1).getByDisplayValue('class-a') as HTMLInputElement
      await userEvent.clear(nameInput)
      // Act
      await userEvent.click(within(row1).getByRole('button', { name: /^save$|^зберегти$/i }))
      // Assert — no PATCH; error alert rendered.
      expect(patchCalls.length).toBe(0)
      const alert = within(row1).getByRole('alert')
      expect(alert.textContent ?? '').toMatch(/name is required|назва обов/i)
    })
    it('non-positive maxSizeM → no PATCH; maxSizeMustBePositive error visible', async () => {
      // Arrange
      const patchCalls = capturePatchCalls()
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      await clickEdit('1')
      const row1 = getRow('1')
      const maxInput = within(row1).getByDisplayValue('7') as HTMLInputElement
      await userEvent.clear(maxInput)
      await userEvent.type(maxInput, '0')
      // Act
      await userEvent.click(within(row1).getByRole('button', { name: /^save$|^зберегти$/i }))
      // Assert — no PATCH; error alert rendered.
      expect(patchCalls.length).toBe(0)
      const alert = within(row1).getByRole('alert')
      expect(alert.textContent ?? '').toMatch(/positive|додатнім/i)
    })
  })
  describe('AC-6: backend error is surfaced inline', () => {
    it('PATCH 500 → form stays open; updateFailed error visible; no alert() called', async () => {
      // Arrange — install a stub that 500s on PATCH; spy on window.alert.
      let patchCount = 0
      server.use(
        http.patch('/api/admin/classes/:id', () => {
          patchCount += 1
          return errorResponse(500, 'simulated server error')
        }),
      )
      const alertSpy = window.alert
      let alertCalls = 0
      window.alert = () => { alertCalls += 1 }
      try {
        renderWithProviders(<AdminPage />)
        await screen.findByText('class-a')
        await clickEdit('1')
        const row1 = getRow('1')
        const nameInput = within(row1).getByDisplayValue('class-a') as HTMLInputElement
        await userEvent.clear(nameInput)
        await userEvent.type(nameInput, 'will-fail')
        // Act
        await userEvent.click(within(row1).getByRole('button', { name: /^save$|^зберегти$/i }))
        // Assert — PATCH happened, error rendered, form still open, no alert().
        await waitFor(() => expect(patchCount).toBe(1))
        const row1After = getRow('1')
        const alert = await within(row1After).findByRole('alert')
        expect(alert.textContent ?? '').toMatch(/update failed|не вдалося оновити/i)
        expect(within(row1After).getByDisplayValue('will-fail')).toBeInTheDocument()
        expect(alertCalls).toBe(0)
      } finally {
        window.alert = alertSpy
      }
    })
  })
  describe('AC-8: regression — add + delete unchanged', () => {
    it('Add posts to /api/admin/classes and refetches the list', async () => {
      // Arrange — capture POST; second GET returns 3 classes.
      const postCalls: { body: unknown }[] = []
      let getCount = 0
      const NEW_CLASS: DetectionClass = { id: 3, name: 'fresh', shortName: '', color: '#FF0000', maxSizeM: 7, photoMode: 0 }
      server.use(
        http.post('/api/admin/classes', async ({ request }) => {
          postCalls.push({ body: await request.json() })
          return jsonResponse(NEW_CLASS, { status: 201 })
        }),
        http.get('/api/annotations/classes', () => {
          getCount += 1
          if (getCount === 1) return jsonResponse(TWO_CLASSES)
          return jsonResponse([...TWO_CLASSES, NEW_CLASS])
        }),
      )
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      // Act — scope to the classes table panel (both the class-add row and
      // the user-add row use placeholder="Name" + a `+` button; disambiguate
      // by walking up from the class-a cell to the enclosing panel).
      const classesPanel = (getRow('1').closest('table') as HTMLElement).parentElement as HTMLElement
      const addNameInput = within(classesPanel).getByPlaceholderText('Name') as HTMLInputElement
      await userEvent.type(addNameInput, 'fresh')
      await userEvent.click(within(classesPanel).getByRole('button', { name: '+' }))
      // Assert
      await waitFor(() => expect(postCalls.length).toBe(1))
      expect((postCalls[0].body as { name: string }).name).toBe('fresh')
      await waitFor(() => expect(screen.getByText('fresh')).toBeInTheDocument())
    })
    it('Delete sends DELETE and removes the row optimistically', async () => {
      // Arrange
      const deleteCalls: string[] = []
      server.use(
        http.delete('/api/admin/classes/:id', ({ params }) => {
          deleteCalls.push(`/api/admin/classes/${String(params.id)}`)
          return new Response(null, { status: 204 })
        }),
      )
      renderWithProviders(<AdminPage />)
      await screen.findByText('class-a')
      // Act
      const row1 = getRow('1')
      await userEvent.click(within(row1).getByRole('button', { name: '×' }))
      // Assert
      await waitFor(() => expect(deleteCalls).toEqual(['/api/admin/classes/1']))
      await waitFor(() => expect(screen.queryByText('class-a')).not.toBeInTheDocument())
    })
  })
 })
@@ -80,10 +80,11 @@ describe('AZ-466 — Destructive UX policy (class-delete cross-component test)',
        // Wait for the class table to populate.
        await screen.findByText('class-a')
-        // Act — find the delete button on the first class row.
+        // Act — find the delete button on the first class row. AZ-512 added
        // an edit (✎) button alongside the delete (×); select by text.
        const rows = screen.getAllByText(/^class-/i)
        const firstRow = rows[0].closest('tr')!
-        const deleteBtn = firstRow.querySelector('button')!
+        const deleteBtn = Array.from(firstRow.querySelectorAll('button')).find(b => b.textContent === '×')!
        await userEvent.click(deleteBtn)
        // Assert — a ConfirmDialog must appear before any DELETE fires.
@@ -111,7 +112,7 @@ describe('AZ-466 — Destructive UX policy (class-delete cross-component test)',
      const rows = screen.getAllByText(/^class-/i)
      const firstRow = rows[0].closest('tr')!
-      const deleteBtn = firstRow.querySelector('button')!
+      const deleteBtn = Array.from(firstRow.querySelectorAll('button')).find(b => b.textContent === '×')!
      await userEvent.click(deleteBtn)
      await waitFor(() => expect(deletes).toHaveLength(1), { timeout: 1000 })
@@ -129,10 +130,12 @@ describe('AZ-466 — Destructive UX policy (class-delete cross-component test)',
        renderWithProviders(<AdminPage />)
        await screen.findByText('class-a')
-        // Act — click delete, then Cancel on the dialog.
+        // Act — click delete, then Cancel on the dialog. AZ-512 added an
        // edit (✎) button alongside the delete (×); select by text.
        const rows = screen.getAllByText(/^class-/i)
        const firstRow = rows[0].closest('tr')!
-        await userEvent.click(firstRow.querySelector('button')!)
+        const deleteBtn = Array.from(firstRow.querySelectorAll('button')).find(b => b.textContent === '×')!
        await userEvent.click(deleteBtn)
        // Drift: the dialog never appears today. The find call fails first
        // (no `role="dialog"` ever mounts), but even if it did, cancel would
@@ -56,6 +56,25 @@ export const adminHandlers = [
    return jsonResponse(body)
  }),
  // AZ-512 — PATCH partial-merge over the seeded class. Default-handler
  // returns the merged shape so the UI's PATCH-then-refetch sequence sees the
  // updated row. Tests that need 404/5xx semantics override per-scenario.
  http.patch('/api/admin/classes/:id', async ({ params, request }) => {
    const idParam = String(params.id)
    const id = Number(idParam)
    const body = (await request.json().catch(() => ({}))) as Partial<{
      name: string
      shortName: string
      color: string
      maxSizeM: number
      photoMode: number
    }>
    const existing =
      seedClasses.find((c) => String(c.id) === idParam) ??
      ({ id: Number.isFinite(id) ? id : 0, name: '', shortName: '', color: '#FF0000', maxSizeM: 5, photoMode: 0 } as const)
    return jsonResponse({ ...existing, ...body, id: existing.id })
  }),
  http.delete('/api/admin/classes/:id', () => noContent()),
  http.get('/api/admin/settings', () =>
Author	SHA1	Message	Date
Oleksandr Bezdieniezhnykh	873749197a	[AZ-512] Cycle 4 Steps 12-15: test-spec sync + docs + sec + perf ci/woodpecker/push/build-arm Pipeline failed Details Steps 12-15 closure for cycle 4 (AZ-512 admin class inline edit): - Step 12 (Test-Spec Sync): traceability O9 -> Covered; new FT-P-62 + FT-N-18 in blackbox-tests.md. - Step 13 (Update Docs): AdminPage module doc gains the inline-edit state slots, four new handlers, PATCH integrations row, expanded i18n key list, tests section. architecture.md row 272 now lists PATCH /api/admin/classes/{id} with AZ-513 deploy-gate caveat. - Step 14 (Security Audit): cycle-4 delta report records one new LOW finding (F-SAST-CY4-1 lost-update / mid-air-collision on PATCH, by design per spec); verdict carries PASS_WITH_WARNINGS; bun audit re-run clean. - Step 15 (Performance Test): NFT-PERF-01 bundle = 291 332 B (+757 B / +0.26% vs cycle 3; ~13.89% of 2 MB budget); PASS. Tests 243 passed / 13 skipped / 0 failed (+12 AZ-512 cases). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-13 04:51:17 +03:00
Oleksandr Bezdieniezhnykh	ecacfa8b43	[AZ-512] Admin class inline edit form + PATCH wiring (cy4 batch 16) Implements the cycle-3-deferred AZ-512 task under the user-authorized Option B path (MSW-stubbed; live deploy gates at Step 16 on AZ-513). Code: - src/features/admin/AdminPage.tsx — inline edit affordance: editingId/editForm state, handleStartEdit/Cancel/Update, Enter+Escape keyboard handling, colspan row swap when editing, pencil (✎) button per row. Full-body PATCH (Risk 2). Single editingId enforces the one-row-at-a-time invariant (Risk 3). Disabled buttons during the in-flight PATCH (Risk 4). Inline role="alert" on validation/server errors (no alert() per Finding B4 anti-pattern). - src/i18n/{en,ua}.json — `admin.classes` flat → nested with `title` + 6 new keys (edit, save, cancel, nameRequired, maxSizeMustBePositive, updateFailed). Parity gate FT-P-22 PASS. Test infrastructure: - tests/msw/handlers/admin.ts — PATCH /api/admin/classes/:id partial-merge handler. - tests/admin_class_edit.test.tsx — 12 tests covering AC-1..AC-6 + AC-8 (AC-7 satisfied by static FT-P-22 gate). - tests/destructive_ux.test.tsx — adjacent-hygiene selector fix at 3 call sites: the new ✎ button moved the first-button position; targeting × explicitly preserves the existing it.fails()/control semantics. Docs: - _docs/02_document/components/08_admin/description.md — recorded edit affordance + PATCH wiring + AZ-513 cross-workspace note. - _docs/03_implementation/batch_16_cycle4_report.md - _docs/03_implementation/implementation_report_admin_class_edit_cycle4.md - _docs/02_tasks/todo → done — AZ-512 archived. Quality gates: 32 files / 243 tests / 13 quarantined skips PASS; all 35 static checks PASS (FT-P-22/23, STC-ARCH-01/02, STC-SEC*, banned-deps incl. SEC1B/C/D). Cross-workspace dependency: admin/ AZ-513 (POST + PATCH + DELETE /classes routes) NOT yet shipped. Step 11 (Run Tests) passes on stubs; Step 16 (Deploy) holds until AZ-513 lands live. Leftover record at _docs/_process_leftovers/2026-05-13_az-512-admin- classes-prereq.md stays open. Discovered pre-existing bug (NOT bundled): tests/msw/handlers/ admin.ts returns paginate(seedUsers) for GET /api/admin/users, but AdminPage consumes as flat User[] → users.map crash. Test files use the same flat-array workaround destructive_ux.test.tsx documented. Flagged in batch + impl reports for separate triage. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-13 04:35:13 +03:00
Oleksandr Bezdieniezhnykh	ef56d9c207	[AZ-512] chore: reactivate for cycle 4 (Option B path) User authorized Option B from the original AZ-512 Cross-Workspace Verification gate: implement UI form with MSW-stubbed tests in parallel with AZ-513 shipping on admin/. Task spec moved from backlog/ → todo/. STATUS line updated. Leftover record re-opened until AZ-513 deploys live. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-13 04:21:32 +03:00
Oleksandr Bezdieniezhnykh	eef3bdf7db	[AZ-509][AZ-510][AZ-511] Cycle 3 closure: deploy + retro + state Steps 16 (Deploy) and 17 (Retrospective) outputs for cycle 3. - 03_implementation/deploy_cycle3_report.md — ui/ dev pushed (15838c5..09449bd, 5 commits); stage/prod cutover deferred per push-scope gate option A. - 06_metrics/retro_2026-05-13_cycle3.md — cycle 3 retro: 6/9 pts shipped (AZ-510, AZ-511); AZ-512 deferred to backlog at cross-workspace prereq gate (AZ-513 filed on admin/). - 06_metrics/structure_2026-05-13.md — structural snapshot referenced by retro. - LESSONS.md — appended 3 cycle-3 lessons (process x2, architecture x1). - _autodev_state.md — cycle 3 closed; cycle 4 Step 9 not started. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-13 04:15:37 +03:00