ktg-plugin-marketplace/plugins/linkedin-studio/docs/remediation/finish-plan.md

LinkedIn Studio — Finish Plan (S13–S17)

Closes every remaining hole: the open S12 review findings + the gaps surfaced in the 2026-05-30 verified assessment. Brief-amendment to docs/remediation/brief.md (same project). Each session is one STATE.md-driven Voyage session, gated by test-runner.sh

• node --test + /trekreview → push only on ALLOW (no more WARN-overrides).

Operator decisions (2026-05-30): build manual saves entry (S16); triage C13–C46 (S17); fold into this project as a brief-amendment. Dependency: S14 (command set) precedes S15 (router tiering) — the router can't be tiered before the command set is final.

Sequence & dependency

S13 (close S12 WARN + $-class)  → ALLOW  [finishes the ORIGINAL brief]
        │
S14 (command rationalization)   → ALLOW  [sets the final command set]
        │
S15 (UX §6c — router on final set) → ALLOW
        │
S16 (saves manual entry)        → ALLOW
        │
S17 (C13–C46 triage)            → ALLOW  [process complete]

---

S13 — Close the open S12 findings + the $-replacement class

Finishes the original brief; brings the existing scope to a clean ALLOW.

• A1 (MINOR): hooks/scripts/state-updater.mjs:14-18 — convert replaceField to a replacement function ((_m) => \${field}: ${value}`) so the untrusted last_post_topicat:58` is inserted literally.
• A2 (MAJOR): add assert.match(result.content, /^last_post_topic: "\$100 budget — \$& and \$1 rule"$/m) to the existing $-bearing test in state-updater.test.mjs (fails today, passes after A1).
• A3 (systemic): audit every String.replace in hooks/scripts/*.mjs whose replacement is a string built from a function parameter that can carry user content (grep -nE '\.replace\([^,]+, *\'). Confirm replaceFieldwas the last such site. Add a **structural$-safety lint** (test-runner.sh` Section 12) that flags string-replacement sites whose value derives from an untrusted parameter — non-vacuity self-test + e2e mutation-proof, mirroring Sections 8/10/11.
• Engine: inline (small, surgical).
• Verify: A2 assert FAILS pre-A1, PASSES post-A1 · node --test green · test-runner.sh green (incl. new Section 12 self-test) · audit-grep returns 0 unsafe sites · /trekreview → ALLOW → commit (review.md + S13) → push.

S14 — Command rationalization (re-opens the original command-surface Non-Goal)

Analysis → operator decision → execute. Nothing deleted without explicit per-command yes.

• 14a Analysis (no edits): cold per-command review of all 27 → docs/remediation/command-rationalization.md. Per command: purpose · overlap with siblings · invocation leverage (algorithmic + likely use) · recommendation keep / develop / merge→X / cut + rationale. Delegate the cold read to an Agent (Opus) for independence.
• 14b Operator decision: present the doc; operator decides per command (AskUserQuestion batched). No mechanical deletion until approved.
• 14c Execute approved: apply merges/cuts; for a merge, fold the source command's unique surface into the target and delete the source; update EXPECT_COMMANDS in test-runner.sh, all rosters (CLAUDE.md/README/SKILL.md/router), CHANGELOG, version bump if the surface count changes (breaking → minor/major per SemVer judgment).
• Engine: Agent (14a) → inline (14c).
• Verify: ls commands/*.md | wc -l == every declared count · lint count-guard green · three-doc synced · grep old count → 0 stale · /trekreview → ALLOW → push.

S15 — UX finish (§6c), on the FINAL command set

• B1 Onboarding inline: commands/onboarding.md — replace the "Run /linkedin:first-post" hand-off with the first-post steps embedded in the wizard, so the flow produces a draft post inline (no dead-end). Verify: a walkthrough yields a draft inside onboarding; 0 Run /linkedin:first-post dead-end strings. Scope guard (UI brief §12b): fix the dead-end ONLY — do NOT add extensibility/provider "seams" or progressive- disclosure config to onboarding; those are unresolved UI-brief decisions (keep onboarding lean per the persona "first value without forking").
• B2 Router tiering: commands/linkedin.md — restructure into Primary (3–4: post/quick/newsletter/firsthour), Secondary (the rest of the final set), Locked ~1K (monetize/outreach/competitive, marked "unlocks later"). Verify: tier sections present; primary ≤4; locked commands flagged, not inline with primaries.
• B3 Carousel full-deck clipboard: commands/carousel.md — assemble the entire deck (every slide's copy + the caption) into the clipboard payload, not just the caption. Verify: clipboard payload contains slide text; grep shows full-deck assembly before the clipboard-helper.mjs call.
• Engine: inline.
• Verify: all three grep/observation checks pass · test-runner.sh green · /trekreview → ALLOW → push.

S16 — Saves manual-entry surface (operator-requested; lifts the original Non-Goal)

⚠️ CONFLICT — reconcile before building (UI brief §9b/M0). The UI brief makes it binding that all mutable personal data (assets/analytics/*, queue.json, *.local.md) moves OUT of the plugin tree into a stable per-user data dir, "in the v4.0.0 remediation or immediately after." S16 extends the analytics data model — if built against the current in-tree assets/analytics/ it gets reworked by M0. Decision needed: (a) do M0 first (insert as S15.5), then build S16 in the final location; or (b) defer S16 to ride along with M0/the UI build. Do NOT build S16 blind to M0.

• Add a manual-entry path for saves (visible in native LinkedIn post analytics, count-only, ~Sept 2025) to the analytics data model (scripts/analytics/ types + import/report path), additive and backward-compatible. Re-rank the actionable-signal output to include saves where the CSV/manual data now contains it. Dwell stays explicitly unmeasurable (internal-only) — do not fabricate a dwell surface.
• Engine: inline (+ analytics CLI knowledge; may need tsx types touch).
• Verify: a report run with a manual saves value surfaces it without crashing; existing CSV-only data still works (backward-compat); honesty wording retained for dwell · node --test / analytics tests green · /trekreview → ALLOW → push.

S17 — Triage the uncalibrated audit findings (C13–C46)

• Read the ~34 findings the audit never put through a second hostile pass (§10); for each: classify still-real / already-fixed / outdated-drop; close every still-real one; record the disposition in docs/remediation/c13-c46-triage.md. Delegate the cold read to an Agent (Opus).
• Engine: Agent (triage) → inline (fixes).
• Verify: every C13–C46 finding has a recorded disposition; still-real ones grep-verify closed · test-runner.sh + node --test green · /trekreview → ALLOW → push. Process complete.

---

Verification (whole plan)

• Per session: bash scripts/test-runner.sh exit 0 · node --test hooks/scripts/__tests__/*.test.mjs all pass · /trekreview --project docs/remediation/ → ALLOW (not WARN) before push.
• Plan-complete signal: all of S13–S17 pushed on ALLOW; command-rationalization.md + c13-c46-triage.md committed; no open /trekreview finding; STATE.md "Aktiv oppgave" reads "remediering FERDIG — ren ALLOW".
• Counts contract stays live: the lint's count-guard (19/27/25/6 today; 27 may change in S14) is updated in lockstep with any command merge/cut; grep for the prior count returns 0 stale hits.

Locked constraints (inherited from brief)

• Opus on everything · no hidden costs (cost-warn /trekcontinue·/trekreview, standing yes) · three-doc rule · version-sync · bash 3.2 + Node-only hooks · push only to Forgejo · stage own files only · fix-in-next-session for any review finding.