Summary
Package the current HelmV3 cleanup work into one fix-ready tracking issue. This combines findings from the repo freshness audit, the follow-up agent handoff, and the latest Codex session work.
The repo is buildable/testable, but not yet a clean maintenance baseline. Work should proceed as small PRs, not one mega cleanup.
Hard guardrails
- Do not mutate linked Supabase during discovery/planning.
- Do not close GitHub issues/PRs automatically from this issue.
- Do not delete source files from the first Knip pass.
- Do not run
npm audit fix or npm audit fix --force.
- Do not run broad destructive cleanup like
git clean -Xdf.
- Do not treat
npm run db:types:check as read-only; it runs npm run db:types first and can rewrite src/lib/types/database.ts.
- Keep generated-file/audit-output cleanup separate from app behavior changes.
Repomix status
Fresh context generation was run successfully on 2026-07-03:
Generated packs, all gitignored under .repomix/:
.repomix/helmv3-compressed.xml — 4,377 files, 5,202,055 tokens, security check passed
.repomix/changed-files-context.xml — 24 changed files, 69,150 tokens, includes diffs/logs, security check passed
.repomix/helmv3-db-context.xml — 218 DB/schema files, 1,018,810 tokens, security check passed
Repomix wrapper/config/docs are present locally:
repomix.config.json
scripts/context/repomix.sh
docs/operations/REPOMIX_CONTEXT_PACKS.md
docs/prompts/repomix/repo-cleanup.md
docs/prompts/repomix/db-audit.md
docs/prompts/repomix/changed-files-review.md
Use these prompts with the packs above when assigning the fix work.
Local work already prepared
A prior Codex session created/updated these cleanup docs and helpers:
docs/audits/REPO_FRESHNESS_BASELINE_2026-07-03.md
docs/audits/CLEANUP_PR_SEQUENCE_2026-07-03.md
docs/audits/SUPABASE_LINKED_LINT_FIX_PLAN_2026-07-03.md
docs/audits/KNIP_TRIAGE_2026-07-03.md
docs/audits/AGENT_HANDOFF_CLEANUP_KNIP_SUPABASE_2026-07-03.md
scripts/git/audit.sh
scripts/git/clean-dry.sh
scripts/git/stash-audit.sh
- package scripts:
git:audit, git:clean:dry, git:stash:audit, knip:*, ctx:*, fresh:context, arch helpers
Latest Codex tuning updated knip.json so that:
- CRM migration scripts are modeled as Knip entrypoints, so
postgres is no longer a false unused-devDependency finding.
- native Capacitor packages are ignored because iOS SPM references them under
ios/App/CapApp-SPM/Package.swift.
- admin security/test fixture files are ignored as intentional fixtures.
- the redundant
next.config.mjs Knip entry pattern was removed.
Current local repo state to be aware of
Working tree was already dirty before this issue packaging. Current notable local changes include:
- generated drift:
next-env.d.ts, public/sw.js
- cleanup/config docs: audit docs, Repomix docs/prompts/config, Git helper scripts
- package/package-lock changes adding tooling/scripts already present locally
.gitignore, .repomixignore, .dependency-cruiser.cjs, .github/workflows/repomix-context.yml, CLAUDE.md
Do not blindly revert unrelated dirty files; split intentional work into small PRs.
Findings to track
1. Generated file drift
next-env.d.ts changed route types import from ./.next/dev/types/routes.d.ts to ./.next/types/routes.d.ts.
public/sw.js cache version changed from golfhelm-v48d739cec to golfhelm-v8b9986e1a.
public/sw.js is stamped by scripts/stamp-sw.mjs during prebuild.
Decision needed:
- commit these generated outputs in a narrow generated-file PR, or
- stop tracking one/both and generate reliably in CI/deploy.
2. db:types:check audit correction
The freshness baseline must not say npm run db:types:check passed. It was skipped/deferred because it regenerates src/lib/types/database.ts before diffing it.
Read-only drift check is npm run check:types-drift, but it requires SUPABASE_ACCESS_TOKEN.
3. Local Git hygiene
Freshness baseline found:
- local
git fsck --full failed due to commit-graph parse failures, likely local metadata
- 24 stashes
- 6 merged local non-main branches tracking gone upstreams
- large ignored artifact set
Safe prepared helpers:
npm run git:audit
npm run git:clean:dry
npm run git:stash:audit
Do not run broad destructive cleanup. Branch deletions, if approved, should use git branch -d, not -D.
4. Knip tuned baseline
After latest tuning:
reports 6 unused-file candidates:
src/components/baseball/dashboard/dashboard-types.ts
src/components/baseball/recruiting-philosophy/MatchScoreBadge.tsx
src/components/products/golf-mockups/index.tsx
src/lib/mapbox/client.ts
src/lib/recruiting/match-calculator.ts
src/lib/types/table.ts
reports 5 unlisted direct imports:
postcss-load-config from postcss.config.mjs
@radix-ui/react-compose-refs from src/components/fairway/controls/tabs.tsx
fflate from src/lib/baseball/__tests__/import-formats.test.ts
fflate from src/lib/baseball/adapters/pdf-reader.ts
fflate from src/lib/baseball/adapters/xlsx-reader.ts
npm run knip still exits 1 because it includes the 6 files, 5 unlisted deps, and 695 unused exports. Do not act on the 695 export findings in bulk.
5. Supabase linked lint follow-up
Linked lint reported two real public-function errors:
public.can_manage_baseball_lift_group references missing relation public.baseball_strength_groups.
public.baseball_accept_staff_invite references missing record field v_invitation.invitee_email.
Plan only until live definitions are fetched.
For can_manage_baseball_lift_group:
- local migration
20260624000050_baseball_rls_helpers_and_policies.sql defines can_manage_baseball_lift_group(p_team_id uuid, p_player_id uuid) without baseball_strength_groups
- likely production has an older function body while legacy Lift Lab tables were moved to
graveyard
- do not restore
public.baseball_strength_groups
For baseball_accept_staff_invite:
- local superseding migration
20260624000081_baseball_staff_roles_scope_audit.sql uses v_invite.email, not v_invitation.invitee_email
- likely production has an older/manual function body or stale table column reference
- do not add
invitee_email without confirming current writers/product intent
Read-only discovery needed:
select pg_get_functiondef('public.can_manage_baseball_lift_group(uuid, uuid)'::regprocedure);
select pg_get_functiondef('public.baseball_accept_staff_invite(text)'::regprocedure);
select column_name, data_type
from information_schema.columns
where table_schema = 'public'
and table_name = 'baseball_staff_invitations'
order by ordinal_position;
6. Dependency/security cleanup
Open Dependabot PR set was dependency-only. Recommended order from audit:
#735 tar 7.5.19
#741 Anthropic SDK
- then grouped Actions/dev/prod dependency PRs separately
Do not run npm audit fix --force. Security audit needs small dependency buckets.
7. Issue cleanup ledger
Open issue cleanup should be evidence-backed. Do not bulk close. Create/update an issue ledger with each issue classified as:
- still valid
- fixed but needs evidence comment
- duplicate/superseded
- blocked by DB/admin access
- backlog/product decision
Recommended PR sequence
- Audit correction + generated-file policy
- Repomix/context tooling + local Git hygiene helpers
- Knip config/tuning baseline
- Add direct dependencies or refactor imports for
postcss-load-config, @radix-ui/react-compose-refs, fflate
- Dead-file deletion batch 1, only after per-file source/route/test review
- Supabase linked lint live-definition discovery doc, no mutation
- Supabase additive migration fix for the two confirmed lint errors
- Small dependency security PRs, starting with tar
- Issue cleanup ledger
- Evidence-comment/close issues in batches after human review
Validation already run successfully
From local Codex work:
npm run typecheck
npm run lint:ratchet
npm run test:run
npm run docs:check
npm run knowledge:check
npm run fresh:context
npm run test:run result from prior pass: 4,398 passed, 39 skipped.
Knip commands intentionally exit 1 with the tuned baseline findings above.
Acceptance criteria for this tracking issue
Summary
Package the current HelmV3 cleanup work into one fix-ready tracking issue. This combines findings from the repo freshness audit, the follow-up agent handoff, and the latest Codex session work.
The repo is buildable/testable, but not yet a clean maintenance baseline. Work should proceed as small PRs, not one mega cleanup.
Hard guardrails
npm audit fixornpm audit fix --force.git clean -Xdf.npm run db:types:checkas read-only; it runsnpm run db:typesfirst and can rewritesrc/lib/types/database.ts.Repomix status
Fresh context generation was run successfully on 2026-07-03:
Generated packs, all gitignored under
.repomix/:.repomix/helmv3-compressed.xml— 4,377 files, 5,202,055 tokens, security check passed.repomix/changed-files-context.xml— 24 changed files, 69,150 tokens, includes diffs/logs, security check passed.repomix/helmv3-db-context.xml— 218 DB/schema files, 1,018,810 tokens, security check passedRepomix wrapper/config/docs are present locally:
repomix.config.jsonscripts/context/repomix.shdocs/operations/REPOMIX_CONTEXT_PACKS.mddocs/prompts/repomix/repo-cleanup.mddocs/prompts/repomix/db-audit.mddocs/prompts/repomix/changed-files-review.mdUse these prompts with the packs above when assigning the fix work.
Local work already prepared
A prior Codex session created/updated these cleanup docs and helpers:
docs/audits/REPO_FRESHNESS_BASELINE_2026-07-03.mddocs/audits/CLEANUP_PR_SEQUENCE_2026-07-03.mddocs/audits/SUPABASE_LINKED_LINT_FIX_PLAN_2026-07-03.mddocs/audits/KNIP_TRIAGE_2026-07-03.mddocs/audits/AGENT_HANDOFF_CLEANUP_KNIP_SUPABASE_2026-07-03.mdscripts/git/audit.shscripts/git/clean-dry.shscripts/git/stash-audit.shgit:audit,git:clean:dry,git:stash:audit,knip:*,ctx:*,fresh:context, arch helpersLatest Codex tuning updated
knip.jsonso that:postgresis no longer a false unused-devDependency finding.ios/App/CapApp-SPM/Package.swift.next.config.mjsKnip entry pattern was removed.Current local repo state to be aware of
Working tree was already dirty before this issue packaging. Current notable local changes include:
next-env.d.ts,public/sw.js.gitignore,.repomixignore,.dependency-cruiser.cjs,.github/workflows/repomix-context.yml,CLAUDE.mdDo not blindly revert unrelated dirty files; split intentional work into small PRs.
Findings to track
1. Generated file drift
next-env.d.tschanged route types import from./.next/dev/types/routes.d.tsto./.next/types/routes.d.ts.public/sw.jscache version changed fromgolfhelm-v48d739cectogolfhelm-v8b9986e1a.public/sw.jsis stamped byscripts/stamp-sw.mjsduringprebuild.Decision needed:
2. db:types:check audit correction
The freshness baseline must not say
npm run db:types:checkpassed. It was skipped/deferred because it regeneratessrc/lib/types/database.tsbefore diffing it.Read-only drift check is
npm run check:types-drift, but it requiresSUPABASE_ACCESS_TOKEN.3. Local Git hygiene
Freshness baseline found:
git fsck --fullfailed due to commit-graph parse failures, likely local metadataSafe prepared helpers:
Do not run broad destructive cleanup. Branch deletions, if approved, should use
git branch -d, not-D.4. Knip tuned baseline
After latest tuning:
reports 6 unused-file candidates:
src/components/baseball/dashboard/dashboard-types.tssrc/components/baseball/recruiting-philosophy/MatchScoreBadge.tsxsrc/components/products/golf-mockups/index.tsxsrc/lib/mapbox/client.tssrc/lib/recruiting/match-calculator.tssrc/lib/types/table.tsreports 5 unlisted direct imports:
postcss-load-configfrompostcss.config.mjs@radix-ui/react-compose-refsfromsrc/components/fairway/controls/tabs.tsxfflatefromsrc/lib/baseball/__tests__/import-formats.test.tsfflatefromsrc/lib/baseball/adapters/pdf-reader.tsfflatefromsrc/lib/baseball/adapters/xlsx-reader.tsnpm run knipstill exits 1 because it includes the 6 files, 5 unlisted deps, and 695 unused exports. Do not act on the 695 export findings in bulk.5. Supabase linked lint follow-up
Linked lint reported two real public-function errors:
public.can_manage_baseball_lift_groupreferences missing relationpublic.baseball_strength_groups.public.baseball_accept_staff_invitereferences missing record fieldv_invitation.invitee_email.Plan only until live definitions are fetched.
For
can_manage_baseball_lift_group:20260624000050_baseball_rls_helpers_and_policies.sqldefinescan_manage_baseball_lift_group(p_team_id uuid, p_player_id uuid)withoutbaseball_strength_groupsgraveyardpublic.baseball_strength_groupsFor
baseball_accept_staff_invite:20260624000081_baseball_staff_roles_scope_audit.sqlusesv_invite.email, notv_invitation.invitee_emailinvitee_emailwithout confirming current writers/product intentRead-only discovery needed:
6. Dependency/security cleanup
Open Dependabot PR set was dependency-only. Recommended order from audit:
#735tar7.5.19#741Anthropic SDKDo not run
npm audit fix --force. Security audit needs small dependency buckets.7. Issue cleanup ledger
Open issue cleanup should be evidence-backed. Do not bulk close. Create/update an issue ledger with each issue classified as:
Recommended PR sequence
postcss-load-config,@radix-ui/react-compose-refs,fflateValidation already run successfully
From local Codex work:
npm run test:runresult from prior pass: 4,398 passed, 39 skipped.Knip commands intentionally exit 1 with the tuned baseline findings above.
Acceptance criteria for this tracking issue
npm audit fix --force.