[P0] Backend/Frontend contract is still broken for GET /syntheses.
Backend returns { items: [...] } in backend/src/handlers/syntheses.rs:38, but frontend expects a raw array in frontend/src/api/syntheses.ts:63 and uses it directly in frontend/src/pages/Home.tsx:37.
[P0] List item shape mismatch remains (sections vs preview fields).
Backend list item exposes preview fields in backend/src/models/synthesis.rs:77, while frontend type requires sections in frontend/src/types.ts:122 and renders from it in frontend/src/pages/Home.tsx:181.
[P0] Admin rate-limit update path mismatch is still present.
Backend route expects provider_name in backend/src/router.rs:73 and backend/src/handlers/admin.rs:227, but frontend sends id in frontend/src/api/admin.ts:38 and frontend/src/pages/admin/RateLimits.tsx:70.
[P0] Scraper SSRF hardening is incomplete (inference).
SSRF check is pre-request only in backend/src/services/scraper.rs:84 / backend/src/services/scraper.rs:184, then request executes in backend/src/services/scraper.rs:87. The hardened scraper client exists in backend/src/services/scraper.rs:57 but app boot still uses generic client in backend/src/main.rs:53.
[P1] Scraper body-size protection is post-download.
Body is fully read first in backend/src/services/scraper.rs:111, then checked in backend/src/services/scraper.rs:116, which weakens memory/DoS protection.
[P1] User-level rate-limit override appears per-job, not persistent across jobs.
Limiter is built in-run in backend/src/services/synthesis.rs:292, created from settings in backend/src/services/synthesis.rs:386, and keyed at check in backend/src/services/synthesis.rs:410.
[P1] Runtime state is not multi-instance safe.
Generation jobs and provider buckets are in-memory (backend/src/app_state.rs:21, backend/src/app_state.rs:24, backend/src/services/synthesis.rs:82, backend/src/services/rate_limiter.rs:113).
[P2] Magic-link quota can still be consumed before email send success.
Token creation occurs before delivery in backend/src/handlers/auth.rs:100 and backend/src/handlers/auth.rs:153, with active-token cap in backend/src/services/auth.rs:21.
[P2] Frontend test strategy still masks backend contract drift.
Home tests mock sections list items in frontend/src/tests/pages/home.test.tsx:24, which does not match backend list payload.
[P2] Frontend unit tests still cannot run in this environment.
npm run test -- --run fails on missing optional Rollup native module (@rollup/rollup-darwin-x64), so current frontend unit-test signal is unavailable locally.
[P3] sqlx compile-time query guarantees are still not implemented.
Runtime query usage is explicit in backend/src/db/users.rs:35, despite offline mode setup in backend/Dockerfile:21.
[P3] Postgres is still published on host by default.
