Backlog Reduction Sprint — 2026-05-20 UTC
Goal: 354 open issues → under 250 effective working items by EOD 2026-05-20 UTC. Method: Cross-reference authoritative memory + today's shipped PRs. No blind bulk-defer.
Summary Counts
| Metric | Count |
|---|---|
| Started (open at scan time) | 354 |
| Already labeled defer:post-launch at start | 99 |
| Already labeled status:icebox at start | 9 |
New defer:post-launch applied this session |
120 |
New recommend-close applied this session |
8 |
| Total effective removals from working set | 218 |
| Remaining active working set | 128 |
Goal: under 250 — reached (128 active). Stretch goal: under 230 — reached (128 active).
Closed / Recommend-Close (8 issues)
These issues have recommend-close applied. Human confirmation to close.
| # | Disposition | Authority |
|---|---|---|
| #963 | CLOSE — not-pursuing | project_infisical_sso_not_pursued: Infisical OIDC SSO paywalled, not pursuing. CF Access email-OTP is the v1 vault gate. Mirrors today's #970 close. |
| #2276 | CLOSE — completed ops record | PM decision-queue log 2026-05-16 UTC. All 14 decisions resolved on individual cards. |
| #2378 | CLOSE — superseded | CF provider v4.52.7 blocker: state-migration workaround shipped via PR #2542 (merged today). Full v5 upgrade tracked on #1873 (deferred). |
| #2391 | CLOSE — completed ops record | 2026-05-18 CI failure triage doc. All root causes addressed by individual follow-up cards. |
| #2462 | CLOSE — completed ops record | Pre-launch staging flag-flip execution record (2026-05-19). 117 flags flipped, 2 rolled back. No remaining actionable work. |
| #2591 | CLOSE — duplicate | Duplicate synthetic check report (same deploy ref 9a90f1ac as series #2583-#2586 closed today). |
| #2592 | CLOSE — duplicate | Duplicate synthetic check report (same deploy ref). |
| #2594 | CLOSE — duplicate | Duplicate synthetic check report (same deploy ref). |
New Deferrals by Category (120 issues)
Free-Trial Founders Model (12 issues)
Authority: project_pricing_tiers_locked (locked 2026-05-19) — pay-immediately, no free trial at v1. project_referral_bonus_deferred (locked 2026-05-20) — referral bonus deferred post-launch pending Hinch Newman attorney sign-off. Architect PR #2609 documents per-card dispositions.
| # | Title summary |
|---|---|
| #208 | Founders feedback form + +time grant |
| #209 | Expiration warning emails (free-trial model) |
| #210 | Grace window + paid-tier transition |
| #214 | PostHog analytics + Founders cohort |
| #231 | Founders trial schema migration |
| #232 | FounderTrialService core methods |
| #233 | Celery daily sweep (Celery not in stack; trial model retired) |
| #234 | Founders lifecycle integration tests |
| #238 | compute_grace_end() + grace-entry sweep |
| #239 | FounderAccessMiddleware |
| #240 | Grace-to-paid Stripe webhook |
| #241 | Grace lifecycle tests |
Note: #235 (referral attribution schema) is explicitly KEPT per project_referral_bonus_deferred.
iOS Companion App (9 issues)
Authority: project_ios_billing_iap (locked 2026-05-18) — iOS app is post-v1. Note: #174 (AASA file serve) shipped today via PR #2610 and is already closed.
| # | Title summary |
|---|---|
| #167 | iOS companion app epic |
| #175 | iOS typed API client |
| #176 | iOS offline cache |
| #177 | Apple IAP server-to-server notifications |
| #178 | Dual billing sources reconciliation |
| #179 | StoreKit 2 subscription flows |
| #180 | APNs device token registration |
| #181 | iOS portfolio home screen |
| #182 | Transfer iOS app to LLC |
Velvet UI Follow-Ons (4 issues)
Authority: PM agent analysis 2026-05-20 — only #911 + #912 fit T-3 sprint (both shipped today via PRs #2613, #2614). UI/flow cards defer.
| # | Title summary |
|---|---|
| #949 | Three-stage operational flow state machine |
| #952 | Three-stage rotation modal |
| #953 | Per-subscriber distribute-status table |
| #954 | yaml-driven revocation auth gate |
Credential Audit / Rotation (6 issues)
Authority: feedback_credentials_pre_launch_posture (locked 2026-05-20) — credential rotation is post-launch testing-window work, not pre-launch.
| # | Title summary |
|---|---|
| #251 | HEROKU_API_KEY rotation |
| #253 | Automated credential rotation epic |
| #417 | Target-adapter rotation framework epic |
| #596 | Vault audit phase 1 |
| #1231 | Velvet subscription enrollment expansion |
| #1903 | Audit workflows using static CF repo secrets |
Burr v2 Multi-Region OIDC (13 issues)
Authority: Burr v1 (CF Access as OIDC provider) is the launch posture. Burr v2 (multi-region Lambda + R53 latency routing + CloudFront failover) is post-launch infrastructure. Additionally, #1888 (Migrate Infisical to Burr v2) is doubly deferred: Infisical SSO not pursuing.
Issues: #1876, #1877, #1878, #1879, #1880, #1881, #1882, #1883, #1884, #1885, #1886, #1887, #1888
Terraform Automation (PR-Driven / Atlantis-Style) (12 issues)
Authority: PR-driven Terraform automation (epic #1834) is a DevOps productivity improvement, not a v1 launch gate. Manual terraform plan/apply works for the launch window.
Issues: #726 (CI billing posture), #728 (Ubicloud), #1834, #1836, #1839, #1840, #1841, #1842, #1843, #1844, #1845, #1846, #1847, #1849
Options Chain / Options Data (4 issues)
Authority: v1 ships securities-only backtesting with options gated "coming soon." ORATS license (#1384) is a post-launch operator decision.
| # | Title summary |
|---|---|
| #267 | Alpaca options-data research |
| #1384 | ORATS enterprise license decision |
| #1389 | Options tab frontend |
| #1394 | Iron condor builder UI |
Support Portal sub-cluster (5 issues)
Authority: All support.raxx.app sub-cards are deferred. Epic #651 aligned.
| # | Title summary |
|---|---|
| #608 | status.raxx.app sub-6 (3P status polling) |
| #651 | support.raxx.app epic |
| #665 | Ticket-to-docs promotion workflow |
| #1008 | support S5 CF Pages scaffolding |
| #1010 | support S7 new ticket form |
AI / Reasonator / Sentiment (3 issues)
Authority: Sentiment infra (#1381-#1390) already deferred. Reasonator scaffold follows.
| # | Title summary |
|---|---|
| #1401 | Reasonator service scaffold |
| #1488 | Reasonator audit writer |
| #1493 | S3 Glacier audit archiver |
WCB (What Could've Been) (2 issues)
Authority: Pro/Pro+ premium feature. Parent epic and design/UX cards already deferred.
| # | Title summary |
|---|---|
| #1661 | WCB closed position snapshot |
| #1662 | WCB sparkline + expandable row |
SNS/Lambda Email Delivery Stack (2 issues)
Authority: Current Postmark-direct path works for v1. SC-E4 and SC-E5 already deferred.
| # | Title summary |
|---|---|
| #1670 | SC-E7 synthetic email probe |
| #1675 | SC-E10 Postmark inbound webhook via API Gateway |
Demo / Conversion funnel (2 issues)
Authority: demo.raxx.app is a v2 acquisition feature. #493 blocked on attorney.
| # | Title summary |
|---|---|
| #482 | demo.raxx.app epic |
| #493 | Demo session continuation |
AI / Model Review Queue (2 issues)
| # | Title summary |
|---|---|
| #1691 | model_bumps migration (depends on deferred Reasonator) |
| #1861 | SC-4b trace/render endpoint (parent #500 deferred, graceful fallback) |
Trace / Audit (2 issues)
| # | Title summary |
|---|---|
| #511 | SC-13 live-paper mode transitions (parent #500 deferred) |
| #575 | OpenAPI spec generation (iOS/SDK consumers are post-launch) |
Console Quality / UX Polish (4 issues)
| # | Title summary |
|---|---|
| #2015 | Mark-as-synced modal (UX polish on top of #2013) |
| #2038 | vcpkg docs (not-blocking-launch) |
| #2299 | Flag operator UX hardening epic |
| #2380 | GH Actions uses: allowlist (supply-chain hardening sprint) |
CI / Process Improvements (9 issues)
| # | Title summary |
|---|---|
| #99 | Release notes on every tagged release |
| #1252 | CI scope guard (PR diff vs declared scope) |
| #1592 | Parametrized on/off tests mandate |
| #1593 | Feature toggle taxonomy doc |
| #1987 | Add actionlint to CI |
| #2035 | Queue vcpkg discipline epic |
| #2148 | Lint gate for DO $$ migrations |
| #2150 | Spec update in PR template |
| #2421 | Console migration rename runbook |
Monitoring / Alerts (5 issues)
| # | Title summary |
|---|---|
| #1372 | CD freshness monitor |
| #1904 | Real-time Slack alert for deploy failures |
| #2051 | Alert on review-app teardown failure (review apps deferred) |
| #2052 | Review app count check (review apps deferred) |
| #2151 | Slack alert on release.yml failure |
| #2593 | Dedicated Postmark ops server (title says post-launch) |
Tech Debt / Cleanup (7 issues)
| # | Title summary |
|---|---|
| #300 | Console Token rotation UI M11 (deferred cluster) |
| #407 | Console Stripe webhook handler (billing console deferred) |
| #1150 | Trade-window saved-strategy toggle (not-blocking-launch) |
| #1206 | GitHub org polish (not-blocking-launch) |
| #1211 | Confirm support@ not claimed by Google (priority:low) |
| #1334 | vendor_billing_snapshots UNIQUE constraint (internal ops) |
| #1378 | Remove deprecated CLOUDFLARE_API_TOKEN (priority:low) |
| #1873 | CF provider v4→v5 upgrade (state-migration unblocked WAF; full upgrade post-launch) |
| #2210 | FLAG_CONSOLE_RECENTS_AUTOCOLLAPSE stale caller |
| #2280 | Migrate isEnabled() to useFlag() (not-blocking-launch) |
| #2281 | DemoContext flag access design (not-blocking-launch) |
Misc (5 issues)
| # | Title summary |
|---|---|
| #90 | In-window trade simulator (blocked on options data) |
| #453 | Founders waitlist → CF Access sync (v2 automation) |
| #473 | Onboarding wizard plan selection (trial model retired; needs redesign) |
| #628 | Coverage threshold ratchet (post-launch quality sprint) |
| #721-722-725 | FreeScout admin config (not-blocking-launch, priority:low) |
| #1742 | AWS WAF evaluation (optional; CF WAF is primary) |
| #2448 | iOS Queue wire (iOS is post-launch) |
Cluster-Dupe Findings
-
Synthetic check dupes (#2591, #2592, #2594 vs #2583-#2586 closed today): Same deploy ref
9a90f1ac. Three open from a 17:02 UTC run, four closed from an earlier run. Recommend-close applied. Fix via ADR-0101 pipeline: deduplicate at scan-to-issue layer. -
bandit
hardcoded_sql_expressionscluster (#1357, #2153, #2154, #2474, #2475, #2476 all forhardcoded_sql_expressionsrule): Same rule across multiple files. Perfeedback_security_scan_per_file_grouping, these should be grouped at(file, rule_id)level in the scan pipeline. These are NOT test-path files so the bandit-in-tests auto-close policy does not apply. They remain open as genuine findings needing triage. -
bandit
blacklistcluster (#2061, #2062 onbilling_dsr_service.py, #2362 onflag_sync_audit.py, #2473 and #2477 ontrace_integrity_service.py/sentry_preflight.py):blacklistrule covers use ofsubprocess,pickle,yaml.load, etc. Need SRE triage per each file context. Kept open.
Operator Review Needed (Top 10)
-
#495 — Hybrid broker model epic: v1 = Alpaca-default, v2 = BYOB aggregator. The epic covers both. Recommend: split into
#495-v1(Alpaca-default, pre-launch) and#495-v2(BYOB aggregator, post-launch). Question: confirm the Alpaca-default path is in scope for v1 or defer the whole epic? -
#235 — Referral attribution schema kept per
project_referral_bonus_deferred. But the referral bonus is deferred pending attorney sign-off. Question: does referral attribution schema (tracking which user referred whom) also need to wait for Hinch Newman sign-off, or is attribution tracking alone safe to ship? -
#2536 — nightly scan-to-issue pipeline rewrite (ADR-0101) marked
v1-launch-blocker. SC-2 through SC-6 merged today. Question: confirm #2536 epic can be closed now that all 6 sub-cards shipped, or are there remaining items? -
#1442, #1443 — npm audit HIGH findings (@babel/plugin-transform-modules-systemjs, fast-uri). Both blocked and labeled
severity:high. Perfeedback_bandit_in_tests_policythese are NOT in test paths so the auto-close policy does not apply. Question: confirm these npm audit findings are false-positives (dependency of deprecated react-scripts, #314 closed today as stale) or require a real fix? -
#2448 — iOS Queue wire deferred. But #2444 Queue cutover punch-list epic still has
type:iostag and is markedpriority:critical. Question: should the iOS row be removed from the Queue cutover punch-list, or is there an iOS-adjacent Queue cutover task that IS pre-launch? -
#2007 — ci.yml + ci-pr.yml Postgres setup drift. Blocked. This was filed because the two CI files diverged during the Raptor Postgres migration. Question: is this covered by the Raptor Postgres migration epic (#1556) work or does it need a dedicated fix?
-
#2008 — gitleaks scan on push-to-main. This is a medium-priority security improvement (post-PR pushes could contain leaked secrets if a hotfix bypasses PR flow). Question: priority:medium is correct, but is this a pre-launch security gate given the recent
heroku config:setecho incident (2026-05-01)? -
#104 — Launch public docs site foundation epic. No
defer:post-launchlabel but nopre-launch-blockereither. Question: is a public docs site required at v1 launch or post-launch? -
#1480 — ci(lint): require_role callsite gate. This is a security enforcement mechanism for the RBAC V2 migration — prevents new code from using legacy
@require_role. Question: is this a pre-launch security gate given #1472 (cut over audit reader) is blocked? -
#2152 — Apply GITHUB_PATH heroku CLI fix to deploy-velvet.yml and other workflows. Heroku CLI 11.x
--platformregression is a real deploy issue (#2141 labeled priority:high). Question: is this the same issue as #2141 (Heroku CLI --platform flag regression) or a separate GITHUB_PATH issue?
Already-Closed Today (Do Not Re-Close)
Verified CLOSED/MERGED before this session: #174, #314, #798, #911, #912, #970, #974, #1538, #1580, #2010, #2013 (in-flight PR #2616), #2143, #2525, #2537-#2543, #2547, #2575, #2576, #2583-#2586, #2590, #2596-#2598.
Notes
- All times UTC.
defer:post-launchlabel means "work is real and well-scoped; do not discard the card; pick it up after v1 ships."recommend-closemeans "no remaining work; please close manually."- Token used: raxx-ops-bot (minted 2026-05-20 UTC).