IndexedDB schema versioning + migration story (TASK-2.1.1). What happens if a future Pour version changes the queue schema while a phone has pending records on the old schema? Migration path? "Drop and warn"? The manifesto's "no capture loss" pillar makes "drop and warn" weak.

Heatmap data source — aggregate endpoint or client-side rollup? (TASK-2.5.5). Decide before TASK-2.5.4 ships. Contract amendment cost vs payload cost.

Background Sync API absence on iOS Safari (TASK-2.1.3). The fallback online event listener is documented, but does it reliably fire after the PWA returns from background? Real-device verification needed.

Idempotency-Key reuse on edit-and-resubmit (TASK-2.1.5). Should the user editing a queued submit's body get a fresh key (so the new payload executes) or keep the original key (so a server-cached 201 takes precedence)? Current proposal: KEEP — preserves the duplicate-write protection the queue exists to provide. Confirm.

Long-press conflict with iOS native gestures (TASK-2.4.2). -webkit-touch-callout: none on chips is necessary. Are there other native gesture conflicts (3D Touch / haptic touch on iPhone) the architect should design for?

Synthetic 202 wire-shape exposure (TASK-2.1.2). The contract amendment says "synthetic 202 is client-side only — clients written against the contract directly will never see it." Is this enforceable? An MCP companion (Phase 4) would never see the 202 because it doesn't run through a service worker. The amendment should be precise: "the PWA service worker emits 202 to the page; no server response carries 202." Confirm wording.

Drain order during clock skew (TASK-2.1.3). FIFO is queued_at-ordered. If two records have identical queued_at (rare but possible — same-millisecond), what's the tiebreak? The IDB auto-increment id is deterministic. Document.

Preset mutation while another client is active (TASK-2.4.x). The TUI and the PWA both write ~/.pour/presets.json. Two concurrent writers can race. Existing src/data/presets.rs should be checked for atomic-write semantics; if absent, flag for hardening. NOT a Phase 2 task; flag-only.

PWA test infrastructure gap (TASK-2.0.1). Phase 2 ships a service worker, an IndexedDB queue, drag-and-drop, and a heatmap with zero JS-side automated test coverage. Flag-and-defer — but at what point does this become a release blocker for v1.0.0?

Heatmap accessibility (TASK-2.5.4). Color-only differentiation fails screen readers. Should each cell carry an aria-label with date + count? Probably yes; confirm it doesn't tank performance on 90+ cells.

Idempotency-Key discipline across the offline queue. Same key reused on every retry of the same payload (contract §9 round 5). Rotated only on 2xx success or explicit form reset. Verified across: queue-write (TASK-2.1.1), drain (TASK-2.1.3), edit-and-resubmit (TASK-2.1.5). One leak here = duplicate writes, the entire raison d'être of idempotency defeated.

captured_at preservation through the offline queue. Original wall-clock instant of the user's tap, not drain time. Festival case (capture Friday night, sync Monday) is the whole point. Verified: TASK-2.1.1 stores it, TASK-2.1.3 sends it unmodified, TASK-2.1.5 keeps it on edit. Plus the server-side validation window (30 days past, 5 min future) — a multi-week-old queue could trip it. Document the user-visible "this capture is too old to sync" failure mode.

Sub-form a11y + UX consistency with the TUI. Up/Down navigates, Left/Right cycles, NO <select> in overlays. Memory feedback_subform_ux.md is non-negotiable. Inline cycling MUST show ◂ ▸ per feedback_inline_cycling.md. The inspector should verify these on a real screen reader, not just by reading the code.

CRITICAL 1 — Dead 507 handler (web/app.js handleSubmit): The resp.status === 507 check was nested inside if (resp.status === 202) — status can never be both. Moved the 507 branch to a sibling check BEFORE the 202 branch. Toast reads "Queue is full — clear discarded captures or sync existing ones first." Dead code path eliminated.

CRITICAL 2 — _editingQueueId leak (web/app.js): _editingQueueId was not cleared when the user navigated away from a queue-edit form session. Added _editingQueueId = null to: openForm() (module tile taps), loadDashboard() (back-to-dashboard navigation), and btn-pour-another click handler. The variable is now cleared on every non-editQueueRecord path that enters or leaves the form view.

CRITICAL 3 — Fresh-install update banner (web/sw.js activate): The activate event unconditionally fired postMessage({type: 'SW_UPDATED'}). Fixed: activate now detects whether old pour-shell-* cache keys existed before pruning them. SW_UPDATED is only posted when oldCacheKeys.length > 0 (true update), not on fresh install.

CRITICAL 4 — Stale auth token bricks queued records (web/sw.js): Chose approach (a) — stop storing the auth token in IDB entirely. handleSubmitRequest no longer writes auth_header to the queue record. drainQueue calls a new getAuthFromClient() helper that uses MessageChannel to ask an open page client for its current localStorage.pour_token. If no client is open, drain defers (returns early); the page re-triggers drain via DRAIN_NOW on DOMContentLoaded and window.online. Page-side handleSwMessage handles GET_TOKEN and replies on the port. Also added a boot-time DRAIN_NOW trigger when an SW is already controlling on page load.

CRITICAL 5 — Dead #queue-sync-status (web/app.js, web/styles.css): Wired setQueueSyncStatus(state) to all drain state-machine transitions. DRAIN_STARTED → "Syncing…"; DRAIN_FINISHED + empty queue → "Synced" (auto-clears after 3 s); window.offline + panel open → "Network unreachable"; panel open with no network → "Network unreachable". sw.js drainQueue now postMessages DRAIN_STARTED before iterating and DRAIN_FINISHED after the loop. CSS modifier classes added for the three states.

MAJOR 1 — Error routing (name-collision) (web/app.js): Removed the templateFieldNames filter from the validation_failed handler. All details.fields[] entries now route to the parent form. The overlay never receives errors from this path — only from the explicit auto_create_input_required code (handled upstream at the autoCreateRequired guard). Comment updated to document the invariant.

MAJOR 2 — Focus trap leak (web/app.js): Added !panel.contains(document.activeElement) check at the top of the Tab handler. If focus has drifted outside the panel, Tab/Shift-Tab now forces it back to first/last focusable before evaluating wrap-around, then returns early.

MAJOR 3 — static_select required-validation bypass (web/app.js): Added wrapper.dataset.userInteracted = "false" to buildInlineCycleControl; set to "true" inside cycle() on first ◂/▸/Left/Right interaction. confirmSubform reads the flag: a required: true field with no configured default treats userInteracted !== "true" as empty, surfacing a "Required" error.

MAJOR 4 — iOS Safari race / reopen clobber (web/app.js): Guarded the openSubformOverlay call in the auto_create_input_required defensive path with !_overlayContext. If the overlay is already open, only showSubformTopError fires — renderSubformFields (which blanks innerHTML) is never reached.

MAJOR 5 — Server warning messages echo user content (src/server/handlers/submit.rs + web/app.js): Line 373 message changed to "failed to sanitize filename" (no '{value}' interpolation). Line 424 message changed to "failed to create autocreate file" with the original error moved to tracing::warn!(error = %e, …). Client comment at the warning chip updated to accurately describe the server's code-only guarantee and textContent XSS safety.

CRITICAL 1 — collectPresetValues empty-string divergence (web/app.js:2050): Changed el.value || "" written unconditionally to if (val !== "") values[f.name] = val (raw, no trim), exactly mirroring TUI !val.is_empty() predicate at src/tui/form.rs:2731.

CRITICAL 2 — Preset named "order" unreachable (web/app.js save-as + rename validators; src/server/handlers/presets.rs): (a) Client now rejects name "order" (case-insensitive) in both save-as and rename validation blocks with inline error "'order' is reserved — pick another name." (b) Server put_handler rejects the name with 400 validation_failed { code: "reserved_name" } as a belt-and-suspenders guard. (c) Contract §6.8 amended (round 8) + OpenAPI note added. 3 regression tests in tests/server_presets.rs.

CRITICAL 3 — Rename clobbers existing preset (web/app.js:1415): Added pre-check before PUT: if (nameChanged && _presetsCache.find(p => p.name === newName)) → inline error "A preset named '…' already exists. Pick a different name." Blocks the PUT entirely.

CRITICAL 4 — Long-press fallback creates panel with empty values (web/app.js:1658): longPressTimer callback is now async. On !chipPreset, re-fetches presets, updates _presetsCache, retries lookup. If still missing after re-fetch: showToast("Preset state out of sync — refreshing"), re-renders chip row, returns without opening the edit panel. The synthetic { values: {} } fallback is eliminated.

MAJOR 5 — Active-preset desync after delete or rename (web/app.js:1300–1304, 1475): (a) refreshPresetChipRowFromList now calls applyPreset(mod, null) when _activePreset is cleared (preset deleted or no longer in list), resetting form fields to defaults. (b) Rename success path sets _activePreset = newName BEFORE calling fetchPresets/refreshPresetChipRowFromList, so the renamed chip renders highlighted.

MAJOR 6 — Reorder 400 leaves DOM in dragged-but-rejected state (web/app.js:1606): Added fetchPresets + refreshPresetChipRowFromList call in the !resp.ok branch of fireReorderPut. Server-canonical order is restored after toast.

MAJOR 7 — Save-as silent overwrite (web/app.js:1978): Added single-tap-confirm pattern: first save attempt on a name collision sets saveBtn.dataset.overwritePending = "true", shows inline error "Tap Save again to overwrite", auto-resets after 5 s or on any name-input change. Second tap within the window proceeds normally. Per feedback_pour_aesthetic.md — single-tap-confirm only, no multi-step modal.

CRITICAL 1 — Heatmap fetch loop infinite on malformed response (web/app.js fetchAndRenderHeatmap): Added HEATMAP_MAX_PAGES = 50 constant (50 × 1000 = 50 000 captures; sufficient for any realistic vault). Loop now increments an iterations counter and aborts with console.warn if it hits the cap. Also added empty-page guard: if entries.length === 0 on any page (regardless of has_more), loop aborts immediately with a console.warn — an empty page with has_more=true is a malformed server response.

CRITICAL 2 — Memory + listener leak in renderHeatmap (web/app.js renderHeatmap): renderHeatmap now reuses a single #heatmap-popover element via document.getElementById('heatmap-popover') — creates once, reuses on every subsequent call. The global dismiss click listener is now guarded by _heatmapClickListenerAttached module-level flag (initialized false, set true on first attach). The handler references document.getElementById('heatmap-popover') at call-time (not a stale closure), so it always operates on the live element.

CRITICAL 3 — Browser back from open capture panel skips closure (web/app.js openCapturePanel, closeCapturePanel, popstate handler): openCapturePanel now pushes Level 2 state { view: "history", panel: historyId } after the panel is shown. closeCapturePanel(fromPopstate) takes a boolean: false (button close) calls history.back() to consume the Level 2 entry; true (popstate close) skips history.back() to avoid double-pop. The close button wiring passes an explicit arrow () => closeCapturePanel(false) (not the function reference directly, which would pass the MouseEvent as a truthy fromPopstate). Popstate handler routes on new state shape: { view:"history", panel!=null } → open panel; { view:"history", panel==null } → close panel, stay on history; otherwise → go to dashboard.

CRITICAL 4 — pushState guard breaks on reload (web/app.js openHistoryTab): Replaced history.state?.view !== "history" guard with module-level _historyViewPushed flag (initialized false at declaration). openHistoryTab pushes once when !_historyViewPushed and sets it true. The flag is reset to false in the popstate handler when navigating away from the history view (Level 1 pop). Because module-level state is always fresh after a reload, this is immune to the persisted-history.state bug.