| author | Craig Jennings <c@cjennings.net> | 2026-05-22 14:38:16 -0500 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-05-22 14:38:16 -0500 |
| commit | 2b10638ab28d5072143904b5d37c3ed2373e7ab1 (patch) | |
| tree | de45a73f7a1bb850968420bf273db6f1a62a016f | |
| parent | 4c3dbdb1e4a50835c0588e0ede568c06c31aadec (diff) | |
| download | rulesets-2b10638ab28d5072143904b5d37c3ed2373e7ab1.tar.gz rulesets-2b10638ab28d5072143904b5d37c3ed2373e7ab1.zip | |
chore(todo): close frontend, security, and pairwise audit items
| -rw-r--r-- | todo.org | 62 |
1 files changed, 18 insertions, 44 deletions
@@ -746,16 +746,16 @@ Each item below is a one-line summary of a sub-TODO further down. Tick the box w - [ ] [#B] =playwright-js= + =playwright-py=: remove emoji console markers from examples **** Frontend / UI -- [ ] [#B] =frontend-design=: WCAG 2.2 alignment, accessibility non-optional -- [ ] [#B] =frontend-design=: harmonize aesthetic guidance with anti-pattern rules +- [X] [#B] =frontend-design=: WCAG 2.2 alignment, accessibility non-optional +- [X] [#B] =frontend-design=: harmonize aesthetic guidance with anti-pattern rules **** Security -- [ ] [#A] =security-check=: OWASP 2021 + WSTG coverage -- [ ] [#B] =security-check=: tooling and offline/network caveats +- [X] [#A] =security-check=: OWASP 2021 + WSTG coverage +- [X] [#B] =security-check=: tooling and offline/network caveats **** Combinatorial testing -- [ ] [#B] =pairwise-tests=: t-way escalation guidance beyond pairwise -- [ ] [#B] =pairwise-tests=: clarify negative value syntax + generator availability +- [X] [#B] =pairwise-tests=: t-way escalation guidance beyond pairwise +- [X] [#B] =pairwise-tests=: clarify negative value syntax + generator availability **** V2MOM - [ ] [#A] =create-v2mom=: rename Metrics → Measures (Salesforce alignment) 
@@ -850,55 +850,29 @@ The broader rules discourage emojis in shared engineering output. The Playwright examples print camera/check/cross emoji. Replace with plain ASCII status prefixes. -*** TODO [#A] =frontend-design=: make accessibility non-optional and align with WCAG 2.2 +*** 2026-05-22 Fri @ 14:35:16 -0500 Made accessibility a non-optional WCAG 2.2 gate in frontend-design -The workflow only loads =references/accessibility.md= for interactive -components. Accessibility should be a baseline for all frontend work: keyboard -operation, focus visibility/not-obscured, target size, contrast, reduced -motion, labels, and semantic structure. Add WCAG 2.2-oriented gates before -handoff. +Added an "Accessibility Gate (required before handoff)" section to =frontend-design/SKILL.md= covering keyboard operation, focus visibility, focus-not-obscured (2.2), target size (2.2), contrast, reduced motion, labels, and semantic structure — a baseline for all frontend work, not just interactive components. Rewrote the Build/Review phases to build accessibly as you go and clear the gate before handoff, and bumped =references/accessibility.md= from WCAG 2.1 to 2.2 with backing detail for the new criteria. -*** TODO [#A] =frontend-design=: harmonize aesthetic guidance with current UI anti-pattern rules +*** 2026-05-22 Fri @ 14:35:16 -0500 Added a "creative but bounded" section to frontend-design -The skill encourages gradient meshes, heavy texture, custom cursors, overlap, -and maximalist directions. Those can conflict with the repo's newer frontend -discipline against generic gradients, decorative blobs/orbs, text overlap, -single-hue palettes, unreadable layouts, and marketing-style dashboards. Add a -"creative but bounded" section: domain fit, readability, responsive stability, -and no decorative effects that degrade the task workflow. 
+Added a subsection under Frontend Aesthetics framing the bold/maximalist directions as tools, not obligations: domain fit, readability first, responsive stability, and no decorative effect that degrades the workflow. Reconciles rather than contradicts the maximalist encouragement (maximalism stays on the table as deliberate usable density), and ties the readability bullet to the new accessibility gate. -*** TODO [#A] =security-check=: update OWASP coverage to the 2021 categories and WSTG test areas +*** 2026-05-22 Fri @ 14:35:16 -0500 Updated security-check to OWASP Top 10 2021 + WSTG mapping -The current security checklist uses older category names and misses several -current Top 10 items: Insecure Design, Software and Data Integrity Failures, -Security Logging and Monitoring Failures, and SSRF. Expand the review table so -each finding maps to either OWASP Top 10 2021 or a WSTG area, and add explicit -checks for authorization object/function-level access, SSRF URL fetches, -integrity of update/plugin paths, and security-relevant logging gaps. +Replaced the older six-category list in =.claude/commands/security-check.md= with the full Top 10 2021 set, each finding mapped to a 2021 category or WSTG area. Added the four missing categories (Insecure Design, Software and Data Integrity Failures, Security Logging and Monitoring Failures, SSRF) plus explicit checks for object/function-level authorization, SSRF on URL-fetch paths, update/plugin/dependency integrity, and logging/monitoring gaps. -*** TODO [#A] =security-check=: add practical tooling and offline/network caveats +*** 2026-05-22 Fri @ 14:35:16 -0500 Added scanner tooling + network caveats to security-check -Add optional use of project-configured scanners such as =gitleaks= or -=trufflehog= for secrets, =semgrep= for source patterns, =pip-audit= / =npm -audit= / OSV where configured, and lockfile diff review. 
Note that dependency -audits may need network access and should report "not run" clearly rather than -silently passing. +Added an optional configured-scanners step (=gitleaks=/=trufflehog= secrets, =semgrep= source patterns, OSV scanner, lockfile-diff review) that supplements the manual scans, plus a network caveat: dependency audits that can't run (offline, tool absent, DB unreachable) must report "not run" naming the tool and reason, never read as a pass. Carried that into the no-issues summary. -*** TODO [#A] =pairwise-tests=: add t-way escalation guidance beyond pairwise +*** 2026-05-22 Fri @ 14:35:16 -0500 Added t-way escalation guidance to pairwise-tests -Pairwise is a pragmatic default, but NIST's combinatorial testing work covers -higher-strength t-way arrays too. Add a rule: start with pairwise for broad -coverage, escalate selected high-risk parameter clusters to 3-way or higher -when history, safety, security, or domain reasoning suggests faults require -more than two interacting factors. +Added an "Escalating Beyond Pairwise (t-way)" subsection: start with pairwise across the whole space, then escalate specific high-risk clusters to 3-way+ when history, safety, security, or domain coupling says a fault needs more than two interacting factors. Lists escalation triggers and shows the sub-model order syntax (={ A, B, C } @ 3=) vs a blanket =/o:3= bump, stressing targeted not uniform escalation. Cites NIST combinatorial-testing work. -*** TODO [#A] =pairwise-tests=: clarify negative value syntax and actual generator availability +*** 2026-05-22 Fri @ 14:35:16 -0500 Clarified PICT ~ syntax + honest generator-availability path in pairwise-tests -The examples use =~0= style values that are PICT-specific and easy to -misread. 
Add a short "negative testing values are labels, not operators unless -PICT treats them specially" explanation, and make the run path honest: if PICT -or =pypict= is unavailable, produce the model and stop instead of implying -cases were generated. +Added a "~ prefix" explanation (PICT marker tagging a value as negative/invalid, not an arithmetic operator; PICT pairs negatives with valid values once and strips the marker before the SUT) and a stop-at-the-model rule: if neither the =pict= binary nor =pypict= is present, produce the model and stop rather than hand-writing a table and passing it off as PICT output. *** TODO [#A] =create-v2mom=: rename "Metrics" to Salesforce's "Measures" or explicitly justify the deviation |
