Gap Register

Gaps

Known weaknesses and missing production pieces. This keeps the PR honest while the foundation grows.

p0 · mitigated

Local verification not run

The connector can edit GitHub but cannot run `npm install` or `npm run verify` locally.

Run `npm install` and `npm run verify` on a local machine or VPS. (Mitigated: the Hermes/Leno long-session workflow now runs `node scripts/verify-foundation.mjs` + `npm install` + `npm audit --audit-level=moderate` + `npm run verify` + `node scripts/smoke-test.mjs http://localhost:3000` on every checkpoint and pre-merge gate. See the v0.2.0 merge report.)

p1 · mitigated

No lockfile yet

Dependencies use `latest`, and no generated lockfile is committed yet.

Generate package-lock.json from a clean install and commit it after verification. (Mitigated: committed package-lock.json + yarn.lock from clean install in v0.3.0 PR #21.)

p1 · planned

File-backed runtime only

Activities, jobs, ledger, artifacts and usage use local JSON storage under .data.

Move repositories behind a Postgres adapter after foundation build passes. (Tracked in v0.3.0 PR #23.)

p1 · planned

Preview adapter only

Hermes is wired in preview mode. Real provider connection remains behind review and permission gates.

Implement provider adapter with explicit owner approval and audit events. (Tracked in v0.3.0 PR #25.)

p1 · open

Authentication not implemented

The foundation shell does not yet include login, roles or session ownership.

Add owner auth before production deployment. (Tracked in v0.3.0 PR #22.)

p2 · planned

UI is functional but not final

Premium visual direction exists, but final responsive polish and Framer handoff are not complete.

Create final component polish pass after build verification. (Deferred — v2 Agent Command Deck / Framer/Motion roadmap is paused per Jonas.)

p1 · planned

Production gate has 6 active blockers (auth, DB, provider, approvals, black-box, backup) + 2 resolved (rate-limit, CSRF)

Production-gate verdict is DO_NOT_SHIP with a 54% score and 6 remaining blockers: auth-owner-boundary, db-adapter, provider-activation, approval-engine-storage, black-box-audit, backup-restore-plan. Rate limiting and CSRF were resolved by PR #21. Monitoring was added by PR #21+.

Addressed in v0.3.0 PRs #21–#25. See docs/V0_3_0_PRODUCTION_GATE_UNLOCK_PLAN.md.