Thoughts

2 thoughts about "Audit"
4/2/2026

CLAUDE.md Audit (April 2026): Audited all 21 CLAUDE.md files across the Projects directory plus the global ~/.claude/CLAUDE.md and 8 rules files.

Key changes:
(1) TattooContestSystem CLAUDE.md trimmed from 167 to ~50 lines; product spec moved to docs/product-spec.md.
(2) tracking-and-verification.md rules file condensed from 228 to ~95 lines, saving ~130 lines loaded into every session.
(3) Global CLAUDE.md: trimmed the Cross-Platform Usage section.
(4) Lauren Website CLAUDE.md: collapsed Completed Work and removed the generic MCP tool list.
(5) Dave Website Image optimization CLAUDE.md: history collapsed to a pointer.
(6) TFT analytics CLAUDE.md: removed duplicated communication rules.
(7) TFT archived email Setup CLAUDE.md: removed the duplicate Session Handoff Protocol.

Model files that need no changes: Open Brain dashboard (82 lines), Codex Meal Planner (90 lines), Claude Code pointer (10 lines). 2nd Brain main CLAUDE.md was already clean at 101 lines (a stale 415-line worktree copy exists at .claude/worktrees/affectionate-maxwell/).

Best practices reinforced: keep CLAUDE.md under 100 lines where possible; no session logs in CLAUDE.md; no product specs in CLAUDE.md; no duplicating global rules in project files; no listing MCP tools agents can discover on their own.

People: Lauren, Dave
3/14/2026

Tat-Tally Pre-Norfolk Deep Audit Complete (Session 36, 2026-03-14)

Ran a comprehensive 6-track parallel audit of the entire Tat-Tally contest system. Tracks covered: Security & Auth; Data Integrity & Database; Frontend Code Quality (all 5 apps); Multi-Tenancy & Isolation; Deployment & Infrastructure; UX & Event-Day Resilience.

RESULTS: 5 blockers, 22 should-fix, 9 nice-to-have. All Session 30-31 findings confirmed resolved with no regressions.

BLOCKERS (fix before Norfolk):
B1: seed-event Edge Function has zero authentication (bypasses all RLS; anyone can inject data).
B2: Entrant app missing ErrorBoundary (highest-traffic app crashes to a white screen).
B3: Dockerfile doesn't install the @tat-tally/shared package before app builds.
B4: CI workflow has the same issue as B3.
B5: CORS wildcards on the check-approaching and send-sms Edge Functions (missed in Session 34).

KEY CROSS-TRACK PATTERNS:
1. Multi-tenancy isolation is frontend-only: the x-event-id header is never sent by any app, and the RLS NULL bypass makes event-scoped policies permissive. Safe for Norfolk (single event); must fix before multi-tenant production.
2. Error response handling gaps: Edge Functions leak Postgres internals, the entrant app has no ErrorBoundary, and the admin/display ErrorBoundaries don't report to Sentry.
3. Build pipeline fragility: shared package not installed in the Dockerfile or CI.
4. Event-day resilience gaps: display monitors don't refetch on reconnect, entrant submissions have no timeout, and admin can edit frameworks during active scoring.

NORFOLK VERDICT: Conditional GO. All 5 blockers are fixable in one session. The system is architecturally sound, load-tested at 522 VUs, and hardened against critical failure modes.

Fix execution plan: 6 chats total. Chat 1: Blockers. Chats 2-5: Should-fix items split by domain (Infrastructure, Frontend, Security+DB, Multi-Tenancy RLS). Chat 6: Nice-to-have items.

Full report: docs/audit-pre-norfolk.md in the TattooContestSystem project.
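The RLS NULL bypass from cross-track pattern 1, as an added SQL illustration that is not code from the Tat-Tally project; the entries table, the request_event_id() helper, and reading x-event-id from a PostgREST-style request.headers setting are assumptions about the policy's shape, used to show why a missing header turns an event-scoped policy permissive and what the hardened form looks like.

```sql
-- Added illustration of the "RLS NULL bypass" pattern. Not Tat-Tally code:
-- the table, columns, and the PostgREST-style request.headers setting used
-- to carry the x-event-id header are assumptions.
CREATE TABLE public.entries (
  id       serial PRIMARY KEY,
  event_id uuid NOT NULL,
  name     text NOT NULL
);
ALTER TABLE public.entries ENABLE ROW LEVEL SECURITY;

-- Constructed sample rows belonging to two different events.
INSERT INTO public.entries (event_id, name) VALUES
  ('11111111-1111-1111-1111-111111111111', 'norfolk-entry'),
  ('22222222-2222-2222-2222-222222222222', 'other-event-entry');

-- Reads the tenant header; returns NULL when no x-event-id was sent.
CREATE OR REPLACE FUNCTION public.request_event_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT nullif(
    nullif(current_setting('request.headers', true), '')::jsonb ->> 'x-event-id',
    ''
  )::uuid
$$;

-- Weak policy (assumed shape of the finding): a missing header makes the
-- IS NULL branch TRUE for every row, so a client that never sends
-- x-event-id can read entries from every event.
CREATE POLICY entries_by_event_weak ON public.entries FOR SELECT
  USING (public.request_event_id() IS NULL
         OR event_id = public.request_event_id());

-- Query as a non-owner role (table owners and superusers bypass RLS).
-- With no header set, the weak policy admits rows from both events.
SELECT set_config('request.headers', '{}', false);
SELECT name FROM public.entries;

-- Hardened policy: with no header the comparison evaluates to NULL, which
-- RLS treats as "not permitted", so a missing header yields zero rows.
DROP POLICY entries_by_event_weak ON public.entries;
CREATE POLICY entries_by_event ON public.entries FOR SELECT
  USING (event_id = public.request_event_id());

SELECT name FROM public.entries;
-- Only after the client supplies its event id does scoped data come back.
SELECT set_config('request.headers',
  '{"x-event-id":"11111111-1111-1111-1111-111111111111"}', false);
SELECT name FROM public.entries;
```

Note that the hardened policy only isolates tenants once every app actually sends x-event-id, which is the other half of finding 1.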