Stage D — second half (parent plan plan-2026-05-16-prelaunch-audit, sub-plan plan-stage-d-medium-sweep). Bundles D.5 (live + docs medium, 6 items) + D.6 (UX medium, 8 items) + 2 structural drift-guards (mass-assignment prevention + workflow filename uniqueness extension) = 16 deliverables. Combined with 1.11.0, Stage D ships 51 of 51 P-M items + 3 of 3 P-DG drift-guards = 54 of 54 deliverables — Stage D 100% code-complete.
Ceremony PAUSED before tag / npm publish / sync-public / Vercel deploy per operator directive 2026-05-17. The 1.11.0 + 1.11.1 ceremonies move together in a follow-up session after operator approval.
Added
website/src/lib/sso/state.ts(P-M-016 follow-up extracted from route file per arch review H-1) — was part of 1.11.0 conceptually but the rename to a separate module is now reinforced via the workflow-uniqueness P-DG-003 filename-pattern checks.website/src/components/docs/ArticleUnavailableFallback.tsx(P-M-049) — user-visible fallback component when MDX content fails to load. Wired intoarticles/[slug]/page.tsxandreleases/[slug]/page.tsxvia ternary; closes the CR-39 empty-UI class for article pages.scripts/diff-commands-vs-docs.sh+.claude/commands/.docs-triage-pending.txt(P-M-040) — structural ledger of 16 commands awaiting publicize-vs-internalize triage. Drift-guardcommands-docs-completeness.test.tsenforces that every public command file gets a corresponding doc page OR is explicitly triage-pending. Pattern Scanner Check 24 mirrors.- Pattern Scanner Check 24 — public-command docs completeness gate (P-M-040).
website/content/docs/reference/custom-governance-rules.mdx— was added in 1.11.0; the docs ship for the first time in this release window as part of the broader docs sweep.
Changed
website/src/components/ui/SectionHeading.tsx(P-M-044) — adds anas?: 'h1' | 'h2' | 'h3'prop (default'h2'). Revenue-critical landing pages (/redeem,/bonus,/how-it-works) now passas="h1"for WCAG 2.1 SC 2.4.6 heading hierarchy.website/src/components/layout/Footer.tsx(P-M-047) — addsBook(/book,/redeem,/bonus,/about) andAccount(/login,/signup,/dashboard) sections +/how-it-works+/overviewto Product. Grid expanded to 6 columns at lg.website/src/app/login/page.tsx(P-M-045) — reads?error=URL param and renders user-visible message for documented codes (auth_failed,session_expired,oauth_denied). Unknown error codes are deliberately NOT rendered (XSS surface).website/src/app/sitemap.ts(P-M-046) — adds/overviewto staticPages.website/src/components/ui/TextInput.tsx+website/src/components/ui/FormField.tsx(P-M-050) — WCAG 2.1 SC 3.3.1 fix: whenerrorprop is set, the input getsaria-invalid="true"andaria-describedbylinked to the error<p>. FormField usescloneElementto inject the same attrs onto its wrapped child input. Both preserve caller-suppliedaria-describedbyvia space-joined merge.website/src/components/dashboard/TrialBanner.tsx(P-M-051) — defeats hydration mismatch by accepting a server-computeddaysRemainingServerprop AND deferring clientDate.now()to auseEffect-set state. First render with neither source returns null rather than risking a mismatch.website/src/components/redeem/RedeemForm.tsx(P-M-048) — Activate button now also disables whenlicenseKey.trim()is empty.website/content/docs/reference/api-v1.mdx(P-M-043) — sub-paths rewritten to match real route handlers. Removed/api/v1/security/alerts,/api/v1/security/score,/api/v1/team/members,/api/v1/team/activity,/api/v1/cost/budget,/api/v1/risk/prs,/api/v1/quality/:session_id(none existed). AddedGet Audit Report,Get Cost Trend,Get Quality Trend,Get Team Expertise,Get Security Heatmapto match real routes.website/content/docs/reference/tool-reference.mdx(P-M-042) — addedmassu_memory_backfillFree-tier row to matchTOOL_TIER_MAP(was registered inmemory-tools.tsbut missing from both the tier map AND docs).TOOL_TIER_MAPextended withmemory_backfill: 'free'.website/vercel.json(P-M-039) — CSPconnect-srcextended withhttps://*.lemonsqueezy.com+https://app.lemonsqueezy.comto pre-stage future client-JS Lemon Squeezy integration without CSP-blocked fetch errors.scripts/PUBLIC_MANIFEST.md(P-M-041) — replaced raw-count language ("20 public commands" / "25 internal commands") with the rule-statement form:sync-public.sh syncs every .claude/commands/massu-.md EXCEPT massu-internal-.md. Drift-resistant; auto-updates without manifest edits.
Fixed
/api/v1/audit/reportdoc (P-M-043) — was undocumented despite the route existing; now has its own subsection./api/v1/security//api/v1/team(P-M-043) — top-level routes now properly documented with the aggregated payload shapes they actually return.
Security
mass-assignment-prevention.test.ts(P-DG-002) — structural drift-guard asserts: (1) migration 020/026/039 trigger blocks every billing-sensitive column under user role, (2) the trigger is attached toorganizations, (3) no PATCH route writes toorganizationsoutside a webhook context without an explicit field whitelist. Closes the bug class where a future PATCH endpoint could spreadreq.bodyinto a Supabaseupdate({})and let the caller escalateplan/plan_status/stripe_*/trial_ends_at/billing_period_start.workflow-uniqueness.test.tsextended (P-DG-003) — adds 3 new cases: (1) workflow filenames are case-insensitively unique, (2) sibling workflows (same base name post-.public/-backup/-copystripping) have distinct concurrency groups AND names, (3) each (filename, name) pair is unique. Extends Stage A P-020 from name-collision to filename-pattern coverage.
Removed
/api/v1/security/alerts//api/v1/security/score//api/v1/team/members//api/v1/team/activity//api/v1/cost/budget//api/v1/risk/prs//api/v1/quality/:session_iddoc entries (P-M-043) — none mapped to real route handlers. Replaced with single top-level +:slug/trendaggregated payload documentation matching the actual route surface.PUBLIC_MANIFEST.mdraw-count tables (P-M-041) — replaced with rule-statement form to eliminate the per-release drift.