Paul Welty, PhD AI, WORK, AND STAYING HUMAN

Scholexis — March 30, 2026

What shipped today

Today’s session focused on hardening the codebase — fixing security vulnerabilities and improving error handling consistency across the app. The /start refresh also regenerated project metadata (CODEBASE.md and a new .scout.yml) to keep navigation and scout scanning current.

The main security work was upgrading Next.js from 16.1.6 to 16.2.1, which resolved five CSRF/security advisories affecting every Next.js version from 16.0.0 through 16.1.6. Alongside the framework upgrade, npm audit fix cleaned up the transitive dependency vulnerabilities: flatted (prototype pollution), path-to-regexp (ReDoS), picomatch (method injection), and brace-expansion (hang). The audit went from 9 vulnerabilities (3 high) to 4 moderate, dev-only issues, all inside the esbuild that drizzle-kit pulls in; those can't be fixed without a breaking drizzle-kit downgrade.
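The triage described above (fix what npm audit fix can fix, flag what only a breaking --force change would fix, and record what is accepted as dev-only risk) is the kind of thing worth scripting so it runs the same way every time. The following is an added example, not the project's code: it reads the shape npm 7+ emits for npm audit --json, and the sample report embedded in it is constructed, with illustrative severities rather than real advisory data. The package names are the ones named above.

```typescript
// Added example: triage `npm audit --json` output into what `npm audit fix` handles, what only
// `npm audit fix --force` (a semver-major change) would fix, and what has been accepted at a
// recorded severity. Not project code; the sample report below is constructed.

type Severity = "info" | "low" | "moderate" | "high" | "critical";
const RANK: Record<Severity, number> = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Fields this example reads from each entry under "vulnerabilities" in npm 7+ audit JSON.
// fixAvailable is true (plain `npm audit fix` resolves it), false (no fix published), or an
// object naming the package@version that `--force` would install, with isSemVerMajor set when
// that install is a breaking change. Check these names against the npm version you run.
interface AuditVuln {
  name: string;
  severity: Severity;
  isDirect: boolean;
  nodes: string[];
  fixAvailable: boolean | { name: string; version: string; isSemVerMajor: boolean };
}
interface AuditReport { vulnerabilities: Record<string, AuditVuln> }

interface Triage {
  autoFixable: string[]; // run `npm audit fix`
  forceOnly: string[];   // needs `--force`; a human decides whether the breaking change is worth it
  unfixable: string[];   // no upstream fix yet
  accepted: string[];    // on the allow-list at or below the severity recorded there
  blocking: string[];    // at/above the threshold with no safe fix and not accepted: fail the build
}

// `accepted` maps package name -> the severity at which the risk was accepted. If the same
// package later shows up at a higher severity it is no longer covered and becomes blocking.
function triageAudit(report: AuditReport, failAt: Severity, accepted: Record<string, Severity>): Triage {
  const out: Triage = { autoFixable: [], forceOnly: [], unfixable: [], accepted: [], blocking: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    if (v.fixAvailable === true) { out.autoFixable.push(v.name); continue; }
    const acceptedAt = accepted[v.name];
    if (acceptedAt !== undefined && RANK[v.severity] <= RANK[acceptedAt]) { out.accepted.push(v.name); continue; }
    if (typeof v.fixAvailable === "object") {
      const fix = v.fixAvailable;
      out.forceOnly.push(`${v.name}: only fixable via ${fix.name}@${fix.version}` + (fix.isSemVerMajor ? " (semver-major)" : ""));
    } else {
      out.unfixable.push(v.name);
    }
    if (RANK[v.severity] >= RANK[failAt]) out.blocking.push(v.name);
  }
  return out;
}

// Constructed sample in the shape of `npm audit --json`; severities and node paths are illustrative.
const SAMPLE: AuditReport = {
  vulnerabilities: {
    "flatted":         { name: "flatted", severity: "high", isDirect: false, nodes: ["node_modules/flatted"], fixAvailable: true },
    "path-to-regexp":  { name: "path-to-regexp", severity: "high", isDirect: false, nodes: ["node_modules/path-to-regexp"], fixAvailable: true },
    "brace-expansion": { name: "brace-expansion", severity: "low", isDirect: false, nodes: ["node_modules/brace-expansion"], fixAvailable: true },
    "esbuild":         { name: "esbuild", severity: "moderate", isDirect: false, nodes: ["node_modules/drizzle-kit/node_modules/esbuild"],
                         fixAvailable: { name: "drizzle-kit", version: "0.18.1", isSemVerMajor: true } },
    "drizzle-kit":     { name: "drizzle-kit", severity: "moderate", isDirect: true, nodes: ["node_modules/drizzle-kit"],
                         fixAvailable: { name: "drizzle-kit", version: "0.18.1", isSemVerMajor: true } },
  },
};

// Gate on high and above; accept the dev-only esbuild chain at moderate, as the log above does.
const result = triageAudit(SAMPLE, "high", { esbuild: "moderate", "drizzle-kit": "moderate" });
console.log(JSON.stringify(result, null, 2));
```

Recording the accepted severity next to the package name is the part that matters: the allow-list then expires on its own if the same chain is later re-rated higher, instead of silently covering a worse finding.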

The scout scan also found that the energy widget’s quick check-in was the only form in the entire app that silently swallowed errors. Every other form uses toast.error() for user feedback — the energy widget now does too. Small fix, but it closed the last gap in the error handling pattern.

A second session ran a deeper /scout with parallel agents scanning error-handling, security, dead-code, UX gaps, and performance. Manual scans covered dependency health and feature gaps. The codebase is in solid shape: every server action uses requireAuth() + Zod validation, every client form has isRedirectError + toast.error() catch blocks, every list page has empty states, and every route has a loading.tsx. Dependency audit found 8 semver-safe package updates available and several major version bumps worth tracking (lucide-react 0.577→1.7, TypeScript 5→6, ESLint 9→10). The scout was interrupted before agents returned results, so a follow-up scout should complete the scan.

Completed

  • #245 — Add toast error feedback to energy widget quick check-in
  • #242 — Fix npm audit vulnerabilities — upgrade Next.js and transitive deps

Release progress

  • Next.js port: 109/113 closed (4 remaining)
  • v1.0: 6/6 closed

Carry-over

  • #244 (ready-for-dev): Remove 5 dead schema tables (aiTaskBreakdowns, appPreferences, attachments, commands, domainEvents) — fully specced, was next in queue when session closed
  • #243 (ready-for-prep): Zero test coverage for server actions — all 12 CRUD modules untested
  • #246 (ready-for-prep): Landing page is placeholder — needs features section, value proposition

Risks

  • 4 moderate esbuild vulnerabilities remain (dev-only, locked to drizzle-kit). Force-fixing would downgrade drizzle-kit to 0.18.1, which is a breaking change. Safe to leave, but worth revisiting when drizzle-kit releases a new version; running npm audit --omit=dev confirms that nothing in the production dependency graph is affected.

Flags and watch-outs

  • 4 issues stuck in needs-clarification (#232, #223, #65, #64) — these need human decisions on AI task breakdown UI, tokens page, data migration, and deployment pipeline
  • All 103 vitest tests passing after the Next.js upgrade

Next session

  1. Pick up #244 — remove the 5 dead schema tables (ready-for-dev, fully specced)
  2. Run /scout to completion — second session’s parallel agents were interrupted before returning results
  3. Prep #243 — server action test coverage. This is the biggest gap in the codebase right now.
  4. Consider filing issue for semver-safe dependency updates (8 packages) and lucide-react major upgrade
  5. Review needs-clarification issues — some have been waiting since early March
