.planning/PROJECT.md

@@ -91,9 +91,13 @@ nothing is validated until SPEC §10 acceptance passes.)
 - **Buffer windows**: Video 30 s rolling, rrweb 10 min / 5 000 events whichever
   is tighter, user-event log 10 min (CON-video-window, CON-rrweb-window,
   CON-event-log-window).
-- **Sensitive data**: `input[type=password]` and `[data-sensitive="true"]` MUST
+- **Sensitive data**: ~~`input[type=password]` and `[data-sensitive="true"]` MUST
   be masked in rrweb (via v2 `maskInputFn`) AND the event logger MUST drop
-  password field values (CON-sensitive-data-masking).
+  password field values (CON-sensitive-data-masking).~~ **DEFERRED 2026-05-20**
+  per charter shift ("we don't care about privacy hardening. At least here.").
+  Archive flow is internal-only (no external transmission); CON-sensitive-data-
+  masking re-classified as Phase 4 optional hardening or v2 work. Operator-
+  facing password masking remains a future polish item but is no longer v1-blocking.
 - **Service Worker lifecycle**: MV3 SW unloads after ~30 s idle; a long-lived
   `chrome.runtime.connect` port from offscreen to SW emits a PING every 25 s
   to keep the SW alive (CON-display-capture-binding, AMENDED from
@@ -123,7 +127,7 @@ nothing is validated until SPEC §10 acceptance passes.)
 | **DEC-001**: Chrome Extension Manifest V3 | SPEC §2, §7 — required for `chrome.tabCapture`, `chrome.downloads`, `chrome.alarms`. | — Pending | locked (Phase 1) |
 | **DEC-002**: Service Worker as background coordinator | SPEC §2, §3, §8 — MV3 has no persistent background page; SW coordinates video buffer + archive packaging. | — Pending | locked (Phase 1) |
 | **DEC-003**: Active video via `getDisplayMedia()` (vp9 / 400 kbps / 2000 ms) | AMENDED by Phase 01: SPEC §2/§4.1/§7 originally specified `chrome.tabCapture`; Phase 01 swaps to `getDisplayMedia` invoked in the offscreen document with `chrome.offscreen.Reason.DISPLAY_MEDIA`. Codec/bitrate/timeslice binding unchanged. See `.planning/intel/decisions.md` DEC-003 Amendment. | — Pending | locked (Phase 1, post-Amendment) |
-| **DEC-004**: DOM capture via rrweb with `maskInputSelector` + 5 000-event cap | SPEC §2, §4.2 — rrweb is the only mature DOM-recording option; masking + cap are part of the privacy/memory contract. | — Pending | locked (Phase 1) |
+| **DEC-004**: DOM capture via rrweb with 5 000-event cap. ~~`maskInputSelector` masking~~ DEFERRED 2026-05-20 — `maskInputSelector` was rrweb 1.x; v2.0.0-alpha.4 requires `maskInputFn`. Per 2026-05-20 charter shift, masking deferred to Phase 4 (optional) or v2; AMENDED to "rrweb 5000-event cap; masking deferred". | SPEC §2, §4.2 — rrweb is the only mature DOM-recording option; cap is part of the memory contract; masking originally part of privacy contract (deferred). | — Pending | locked (Phase 1, post-Amendment) |
 | **DEC-005**: Archive packaging via JSZip | SPEC §2, §3, §6 — only ZIP library bundled per SPEC. | — Pending | locked (Phase 1) |
 | **DEC-006**: File download via `chrome.downloads` | SPEC §2, §5, §7 — no server upload in Phase 1 (SPEC §9). | — Pending | locked (Phase 1) |
 | **DEC-007**: In-memory buffers only (no Phase 1 persistence) | SPEC §2, §4.1–§4.3 — rolling buffers in SW (video) and Content Script (rrweb + log). | — Pending | locked (Phase 1) |

.planning/REQUIREMENTS.md

@@ -216,21 +216,27 @@ Which phase covers which requirement. See ROADMAP.md for phase details.
 | Requirement | Phase | Status |
 |-------------|-------|--------|
 | REQ-video-ring-buffer | Phase 1 | Complete 2026-05-20 (Plans 01-08 WebM remux + 01-14 monitorTypeSurfaces; verified via gsd-verifier audit; fixture `tests/fixtures/last_30sec.webm` ffprobe + ffmpeg dry-run GREEN; Chrome playback confirmed) |
-| REQ-rrweb-dom-buffer | Phase 2 | Pending |
-| REQ-user-event-log | Phase 2 | Pending |
-| REQ-password-confidentiality | Phase 2 | Pending |
-| REQ-popup-ui | Phase 3 | Pending |
-| REQ-screenshot-on-export | Phase 3 | Pending |
-| REQ-archive-layout | Phase 3 | Pending |
-| REQ-meta-json-schema | Phase 3 | Pending |
-| REQ-archive-export-latency | Phase 3 | Pending |
+| REQ-rrweb-dom-buffer | Phase 2 (originally) → **Phase 3** (post-2026-05-20 re-phasing) | Pending (verification absorbed by smoke phase; UAT harness A24+ extension planned) |
+| REQ-user-event-log | Phase 2 (originally) → **Phase 3** (post-2026-05-20 re-phasing) | Pending (same verification context as REQ-rrweb-dom-buffer) |
+| REQ-password-confidentiality | Phase 2 (originally) → **Out of Scope (v1)** | DEFERRED per 2026-05-20 charter shift ("we don't care about privacy hardening. At least here.") — archive flow is internal-only (no external transmission); P0-5 password masking re-classified as Phase 4 optional hardening or v2 work |
+| REQ-popup-ui | Phase 3 (originally) → **Phase 2** (renumbered) | Pending (largely shipped via Plan 01-09 SAVE-only popup + Plan 01-12 i18n; residual gaps in Phase 2) |
+| REQ-screenshot-on-export | Phase 3 (originally) → **Phase 2** (renumbered) | Pending |
+| REQ-archive-layout | Phase 3 (originally) → **Phase 2** (renumbered) | Pending (substantively shipped via Plans 01-08 webm-remux + JSZip; verification in Phase 2) |
+| REQ-meta-json-schema | Phase 3 (originally) → **Phase 2** (renumbered) | Pending |
+| REQ-archive-export-latency | Phase 3 (originally) → **Phase 2** (renumbered) | Pending |
 | REQ-manifest-permissions | Phase 3 (originally) → Phase 1 closure via Plan 01-12 i18n migration | Complete (2026-05-20 — manifest __MSG_*__ + default_locale='en' + 16 i18n keys per locale; permissions DEC-011 baseline unchanged; operator brand-fit ack) |
 | REQ-install-clean | Phase 4 (originally) → Phase 1 closure via Plan 01-12 design integration | Complete (2026-05-20 — fresh build + load unpacked clean; zero remote-font CSP errors; branded icons rendering; en+ru manifest:name resolution; operator brand-fit ack) |
 
 **Coverage:**
 - v1 requirements: 11 total
-- Mapped to phases: 11
+- Mapped to phases: 10 (REQ-password-confidentiality deferred to Out of Scope v1 per 2026-05-20)
 - Unmapped: 0 ✓
+- Out of Scope: 1 (REQ-password-confidentiality)
+
+**2026-05-20 re-phasing note:** Original Phase 2 ("Stabilize DOM + event-capture
+privacy") REMOVED entirely. REQ-rrweb-dom-buffer + REQ-user-event-log
+verification ABSORBED by new Phase 3 (SPEC §10 smoke + DOM/event-log). All
+subsequent phases renumbered: old 3 → new 2, old 4 → new 3, old 5 → new 4.
 
 Note on CON-ram-ceiling (SPEC §10 #9): tracked as a non-functional constraint
 verified in Phase 4 (smoke verification) rather than as a standalone

.planning/ROADMAP.md

@@ -4,15 +4,25 @@
 
 The Mokosh codebase is a partially-broken first attempt at SPEC `Тз расширение
 фаза1.md`. An external audit identified 7 P0 defects that prevent SPEC §10
-acceptance. This roadmap therefore frames Phase 1 as **stabilization to spec**,
-not greenfield: phases 1–3 each remediate a tightly-grouped subset of the P0
-defects along sensible commit boundaries; phase 4 runs the SPEC §10 smoke pass
-end-to-end. An optional phase 5 absorbs the P1/P2 follow-ups (SW state
-persistence, `fetch` interception fix, `meta.json` field hardening,
+acceptance. This roadmap framed Phase 1 as **stabilization to spec**, not
+greenfield: phases 1–2 each remediate a tightly-grouped subset of the P0
+defects along sensible commit boundaries; phase 3 runs the SPEC §10 smoke pass
+end-to-end (and now also absorbs the DOM + event-log verification surface that
+was originally Phase 2). An optional phase 4 absorbs the P1/P2 follow-ups (SW
+state persistence, `fetch` interception fix, `meta.json` field hardening,
 `generate-icons.js` ESM/CJS, dead-code cleanup).
 
-The journey: **broken-but-installable → playable video → masked DOM + log →
-working export → green §10 smoke → harden + clean up**.
+**Roadmap re-phasing 2026-05-20:** original Phase 2 ("Stabilize DOM +
+event-capture privacy") REMOVED per operator charter shift — archive flow is
+internal-only (no external transmission); P0-5 password masking dropped as
+v1 priority ("we don't care about privacy hardening. At least here."). DOM
++ event-log VERIFICATION (REQ-rrweb-dom-buffer + REQ-user-event-log) absorbed
+by new Phase 3 (SPEC §10 smoke). REQ-password-confidentiality moved to Out
+of Scope (v1). All subsequent phases renumbered: old 3 → new 2, old 4 → new
+3, old 5 → new 4.
+
+The journey: **broken-but-installable → playable video → working export →
+green §10 smoke (incl. DOM + event-log verification) → harden + clean up**.
 
 ## Phases
 
@@ -23,10 +33,9 @@ working export → green §10 smoke → harden + clean up**.
 Decimal phases appear between their surrounding integers in numeric order.
 
 - [x] **Phase 1: Stabilize video pipeline** — Collapse offscreen duality, fix MediaRecorder shadow, fix WebM ring buffer playability, replace `chrome.tabCapture` with offscreen `getDisplayMedia` (AMENDED from original DEC-003). **CLOSED 2026-05-20** via gsd-verifier goal-backward audit GREEN (17/17 must-haves: 11 REQs/charters + 6 cross-cutting gates; see `.planning/phases/01-stabilize-video-pipeline/01-VERIFICATION.md`). Closure arc: 2026-05-15 (Plan 01-07) → 2026-05-16 (REOPENED on D-13 multi-EBML bug) → Plan 01-08 (WebM remux via ts-ebml + webm-muxer) → Plans 01-09/01-10 (whole-desktop + welcome-tab UX) → Plan 01-11 (spike-pivot) → Plan 01-12 (Design Integration) → Plan 01-13 (UAT harness 15/15 GREEN, 2026-05-19) → Plan 01-14 (monitorTypeSurfaces picker) → Plan 01-10 cycle-2 ack 'All good' 2026-05-20 + 5 inter-cycle debug fixes + brand-rename polish. 14/14 plans; 5 operator acks; 153/153 vitest + 24/24 UAT + Tier-1 grep 12 FORBIDDEN_HOOK_STRINGS all GREEN.
-- [ ] **Phase 2: Stabilize DOM + event capture privacy** — Migrate rrweb to v2 `maskInputFn`, plug `content/index.ts setupInputLogging` password leak
-- [ ] **Phase 3: Stabilize export pipeline** — Restore user-activation gesture in popup, delete dead `permissions.request`, replace base64 `data:` URL with Blob URL minted in offscreen
-- [ ] **Phase 4: SPEC §10 smoke verification** — End-to-end install-and-record-and-export pass against all 9 acceptance criteria
-- [ ] **Phase 5: Harden + clean up** _(optional)_ — P1/P2 follow-ups: SW state persistence, fetch interception, `meta.json` fields, `generate-icons.js` ESM/CJS, dead-code
+- [ ] **Phase 2: Stabilize export pipeline** — Close remaining export gaps (screenshot-at-click, meta.json schema, archive layout, manifest permission verification). Mostly already shipped via Plans 01-08 + 01-09 + 01-10 + 01-12 — narrowed scope post-re-phasing.
+- [ ] **Phase 3: SPEC §10 smoke verification** — End-to-end install-and-record-and-export pass against all 9 acceptance criteria. **ABSORBS** REQ-rrweb-dom-buffer + REQ-user-event-log verification (originally Phase 2) per 2026-05-20 re-phasing. UAT harness extended with A24+ assertions for rrweb/event-log contracts.
+- [ ] **Phase 4: Harden + clean up** _(optional)_ — P1/P2 follow-ups: SW state persistence, fetch interception, `meta.json` fields, `generate-icons.js` ESM/CJS, dead-code; plus deferred items from Phase 1 session (cursor visibility, dark-surface logo, tabs permission gap, 2 ffprobe flakes, ROADMAP backfill verification, rrweb 2.0.0-alpha.4 → stable v2 upgrade research).
 
 ## Phase Details
 
@@ -86,46 +95,22 @@ directory + `vite.config.ts` inline string + `src/background/`.
 - [x] 01-13-PLAN.md — UAT harness via Approach B (extension-internal-page driver + offscreen synthetic stream; 15/15 GREEN; Plan 01-09 functional closure)
 - [x] 01-14-PLAN.md — Picker narrowing via monitorTypeSurfaces:'include' (Chrome 119+ picker enhancement; A23 harness regression)
 
-### Phase 2: Stabilize DOM + event capture privacy
-**Goal**: rrweb captures DOM events on typical pages and the user-event log
-captures clicks/navigation/network errors — and in neither stream do password
-values appear.
-
-**Depends on**: Phase 1 (no functional dependency, but Phase 1 establishes the
-"capture is always-on" baseline that this phase plugs into).
-
-**Requirements**: REQ-rrweb-dom-buffer, REQ-user-event-log,
-REQ-password-confidentiality
-
-**P0 defects addressed**:
-- P0-5: rrweb data-sensitive leak — migrate to rrweb v2 `maskInputFn` (the
-  legacy `maskInputSelector` is gone in v2.0.0-alpha.4 per `package.json`); fix
-  the parallel leak in `src/content/index.ts setupInputLogging` so password
-  field values are dropped at logger entry, not just at rrweb level.
-
-**Success Criteria** (what must be TRUE):
-  1. On a page containing `<input type="password">` and elements with
-     `data-sensitive="true"`, rrweb snapshots for that page mask the value of
-     both kinds of fields (verified by inspecting exported `rrweb/session.json`).
-  2. On the same page, typing into a password field produces no `input` event
-     entry containing the typed value in the user-event log
-     (`logs/events.json`).
-  3. On a typical page with forms, tables, and a modal, rrweb records DOM
-     events without throwing in the Content Script console; the event log
-     captures clicks, navigations (`popstate`/`hashchange`), and network errors
-     (`fetch` / `XHR` >= 400).
-
-**Plans**: TBD
-**UI hint**: yes
-
-### Phase 3: Stabilize export pipeline
+### Phase 2: Stabilize export pipeline
 **Goal**: A click on "Сохранить отчёт об ошибке" produces a SPEC-conformant ZIP
 archive on disk in under 5 s, containing a screenshot taken at click time,
 laid out per CON-archive-layout, with `meta.json` per CON-meta-json-schema, and
 declared by a manifest carrying exactly the permission set in DEC-011.
 
-**Depends on**: Phase 1, Phase 2 (export consumes the video + rrweb + event-log
-buffers established by phases 1 and 2).
+**Depends on**: Phase 1 (export consumes the video buffer + the rrweb/event-log
+infrastructure already shipped in src/content/index.ts; original "Phase 2 DOM"
+dependency removed per 2026-05-20 re-phasing).
+
+**Scope note (2026-05-20):** Plans 01-08 (webm-remux + JSZip), 01-09 (popup
+state machine + SAVE-only UI), 01-10 (welcome tab + i18n), and 01-12 (manifest
+i18n + en+ru locales) already shipped most of the originally-planned export
+surface. Phase 2 likely collapses to 2-3 small plans closing residual gaps:
+screenshot-at-click capture, meta.json schema validation, and SPEC §10 #6
+<5s export-latency verification.
 
 **Requirements**: REQ-popup-ui, REQ-screenshot-on-export, REQ-archive-layout,
 REQ-meta-json-schema, REQ-archive-export-latency, REQ-manifest-permissions
@@ -159,19 +144,37 @@ REQ-meta-json-schema, REQ-archive-export-latency, REQ-manifest-permissions
 **Plans**: TBD
 **UI hint**: yes
 
-### Phase 4: SPEC §10 smoke verification
+### Phase 3: SPEC §10 smoke verification + DOM/event-log verification
 **Goal**: All 9 SPEC §10 acceptance criteria pass against an unpacked load of
-the build into a real Chrome instance.
+the build into a real Chrome instance. **ABSORBS** DOM + event-log verification
+work (REQ-rrweb-dom-buffer + REQ-user-event-log) originally planned as Phase 2
+per 2026-05-20 re-phasing.
 
-**Depends on**: Phase 1, Phase 2, Phase 3.
+**Depends on**: Phase 1, Phase 2.
 
-**Requirements**: REQ-install-clean (and end-to-end verification of all
-preceding REQs)
+**Requirements**: REQ-install-clean + REQ-rrweb-dom-buffer + REQ-user-event-log
++ end-to-end verification of all preceding REQs.
 
 **P0 defects addressed**:
 - P0-7: End-to-end smoke verification against §10. This is a verification
   phase, not a new implementation — it confirms the cumulative output of
-  phases 1–3 actually satisfies the SPEC.
+  phases 1–2 actually satisfies the SPEC.
+
+**Absorbed Phase-2 scope (2026-05-20 re-phasing):**
+- Verify rrweb 2.0.0-alpha.4 captures DOM events on typical pages (form +
+  table + modal) without throwing in the Content Script console (REQ-rrweb-dom-buffer
+  acceptance criterion #3).
+- Verify the user-event log captures click + input (non-password) +
+  navigation (popstate/hashchange) + js_error + network_error per
+  CON-event-log-schema (REQ-user-event-log).
+- Extend UAT harness with A24+ assertions covering the above contracts —
+  consistent with Phase 1's Approach-B harness pattern (Plan 01-13).
+- rrweb version research (foreground gsd-phase-researcher spawn) to verify
+  alpha-pin is safe or if stable v2 has shipped. Deferred to Phase 4 if
+  Phase 3 plans are tight.
+- **NOT in scope:** P0-5 password masking (REQ-password-confidentiality
+  dropped to Out of Scope v1 per "we don't care about privacy hardening.
+  At least here." 2026-05-20).
 
 **Success Criteria** (what must be TRUE):
   1. The extension installs into Chrome via "Load unpacked" against `dist/`
@@ -181,8 +184,9 @@ preceding REQs)
      than 30 s of footage (confirmed by inspecting the SW console / a debug
      export).
   3. On a typical page (form + table + modal) rrweb records without throwing,
-     the event log captures clicks/navigation/network errors, and passwords
-     are absent from both streams.
+     the event log captures clicks/navigation/network errors. (Password
+     masking criterion DROPPED per 2026-05-20 re-phasing —
+     REQ-password-confidentiality is Out of Scope v1.)
   4. A click on the popup button produces a ZIP in Downloads in under 5 s; the
      ZIP opens; `video/last_30sec.webm` plays in a browser.
   5. Background RAM consumption (measured via Chrome Task Manager) does not
@@ -190,15 +194,15 @@ preceding REQs)
 
 **Plans**: TBD
 
-### Phase 5: Harden + clean up _(optional)_
+### Phase 4: Harden + clean up _(optional)_
 **Goal**: Eliminate the P1/P2 follow-ups identified in the audit so that the
 codebase is not just spec-conformant but maintainable. This phase has no new
 v1 requirements — it improves robustness and removes technical debt around
 already-shipped behaviour.
 
-**Depends on**: Phase 4 (do not harden until §10 is green).
+**Depends on**: Phase 3 (do not harden until §10 is green).
 
-**Requirements**: none (no new v1 REQs; all v1 REQs are covered by phases 1–4)
+**Requirements**: none (no new v1 REQs; all v1 REQs are covered by phases 1–3)
 
 **P1/P2 items addressed** (informative list from the audit, exact scope
 finalized at plan time):
@@ -242,8 +246,7 @@ Phases execute in numeric order: 1 → 2 → 3 → 4 → 5.
 
 | Phase | Plans Complete | Status | Completed |
 |-------|----------------|--------|-----------|
-| 1. Stabilize video pipeline | 14/14 | Final-closure marker flip pending (all functional plans complete; awaiting REQUIREMENTS / ROADMAP / STATE markers + optional /gsd-verify-work 1) | Functional contract closed 2026-05-19 via Plan 01-13 harness PASS; design/brand contract closed 2026-05-20 via Plan 01-12 brand-fit ack; welcome-tab contract closed 2026-05-20 via Plan 01-10 cycle-2 operator ack "All good" + 5 inter-cycle debug fixes |
-| 2. Stabilize DOM + event capture privacy | 0/TBD | Not started | - |
-| 3. Stabilize export pipeline | 0/TBD | Not started | - |
-| 4. SPEC §10 smoke verification | 0/TBD | Not started | - |
-| 5. Harden + clean up (optional) | 0/TBD | Not started | - |
+| 1. Stabilize video pipeline | 14/14 | **CLOSED 2026-05-20** via gsd-verifier audit GREEN (17/17 must-haves; commit 586836f); all markers flipped | Functional contract closed 2026-05-19 via Plan 01-13 harness PASS; design/brand contract closed 2026-05-20 via Plan 01-12 brand-fit ack; welcome-tab contract closed 2026-05-20 via Plan 01-10 cycle-2 operator ack "All good" + 5 inter-cycle debug fixes |
+| 2. Stabilize export pipeline | 0/TBD | Not started (narrowed scope post-2026-05-20 re-phasing; ~2-3 plans expected) | - |
+| 3. SPEC §10 smoke + DOM/event-log verification | 0/TBD | Not started (absorbed Phase-2 DOM verification per 2026-05-20 re-phasing; ~2-3 plans) | - |
+| 4. Harden + clean up (optional) | 0/TBD | Not started (deferred backlog: cursor visibility, dark-surface logo, tabs perm gap, ffprobe flakes, ROADMAP backfill, rrweb-version upgrade research, REQ-password-confidentiality v2 candidate) | - |

.planning/STATE.md

@@ -3,11 +3,11 @@ gsd_state_version: 1.0
 milestone: v2.0.0
 milestone_name: milestone
 status: executing
-stopped_at: Phase 1 FULLY CLOSED 2026-05-20 — gsd-verifier audit GREEN (17/17 must-haves; 11 REQs/charters + 6 cross-cutting gates); 14/14 plans complete; 5 operator empirical acks (Plan 01-07 + 01-13 + 01-12 + 01-10 cycle-2 + 01-10 brand-rename follow-up); Phase 2 (Stabilize DOM + event-capture privacy) kickoff pending
-last_updated: "2026-05-20T13:00:00.000Z"
+stopped_at: Phase 1 FULLY CLOSED 2026-05-20. Roadmap RE-PHASED 2026-05-20 per charter shift — original Phase 2 (DOM/event-capture privacy) REMOVED; DOM/event-log verification absorbed by new Phase 3 (SPEC §10 smoke); REQ-password-confidentiality moved to Out of Scope (v1) per "we don't care about privacy hardening. At least here." Total phases now 4. Phase 2 (export pipeline) discussion next.
+last_updated: "2026-05-20T14:30:00.000Z"
 last_activity: 2026-05-20
 progress:
-  total_phases: 5
+  total_phases: 4
   completed_phases: 1
   total_plans: 14
   completed_plans: 14