# Code Hardening — Senior Dev Audit Fixes

## Phase 1: Quick Wins (safety + correctness)

- [x] Cap API list limit at 200
- [x] Fix markdown XSS — add DOMPurify to sanitize marked output
- [x] Add missing DB indexes (deleted_at, modified_at) via v4 migration
- [x] Fix v2 migration error handling (swallowed ALTER TABLE errors)
- [x] Fix ~/.nib directory permissions (0o755 → 0o700)

## Phase 2: CI Pipeline

- [x] Gitea Actions workflow: test + lint on PR

## Phase 3: context.Context in Store

- [x] Thread context.Context through all Store methods
- [x] Use context in API handlers (from r.Context())
- [x] Use context in CLI commands (cobra context)

## Phase 4: cmd/ Tests

- [x] Test add command
- [x] Test ls command
- [x] Test promote/demote commands
- [x] Test delete command
- [x] Test absorb command

## Phase 5: Backup/Export

- [x] nib export — dump entities to JSON
- [x] nib backup — safe SQLite backup (handles WAL)