> For the complete documentation index, see [llms.txt](https://ai-os-and-trend-finder.gitbook.io/ai-os-and-trend-finder-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ai-os-and-trend-finder.gitbook.io/ai-os-and-trend-finder-docs/.spec_system/archive/sessions/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md).

# Implementation Notes

**Session ID**: `phase31-session06-demo-qa-and-privacy-verification` **Started**: 2026-06-24 13:56 **Last Updated**: 2026-06-24 14:35

***

## Session Progress

| Metric              | Value     |
| ------------------- | --------- |
| Tasks Completed     | 20 / 20   |
| Estimated Remaining | 0 minutes |
| Blockers            | 0         |

***

### Task T020 - Validate ASCII/LF and update final command results

**Started**: 2026-06-24 14:31 **Completed**: 2026-06-24 14:35 **Duration**: 4 minutes

**Notes**:

* Reran TypeScript checks after the T019 product-code fix.
* Reran focused Vitest coverage with the new home Knowledge Graph public-demo unit test included.
* Reran the Pages privacy scan against the rebuilt generated output.
* Checked changed tracked and untracked files for non-ASCII characters and CRLF line endings.
* Marked all session tasks and completion checklist items complete.

**Files Changed**:

* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/tasks.md` - Marked T020 and completion checklist complete, updated next step to `creview`.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded final closeout evidence.

**Verification**:

* Command/check: `bun run typecheck`
  * Result: PASS - App TypeScript check passed.
  * Evidence: `tsc --noEmit` exited 0.
* Command/check: `bun run typecheck:scripts`
  * Result: PASS - Script TypeScript check passed.
  * Evidence: `tsc --noEmit -p tsconfig.scripts.json` exited 0.
* Command/check: `bun run demo:scan:pages`
  * Result: PASS - Committed fixtures and generated Pages dist passed privacy scanning.
  * Evidence: Output reported fixtures pass with 5 scanned files and dist pass with 13 scanned files, 186 skipped files, and 0 issues.
* Command/check: `git diff --check`
  * Result: PASS - No tracked-diff whitespace errors.
  * Evidence: Command exited 0 with no output.
* Command/check: `git ls-files --modified --others --exclude-standard -z | xargs -0 perl -ne 'print "$ARGV:$.:$_" if /[^\x00-\x7F]/'`
  * Result: PASS - Changed tracked and untracked files are ASCII-only.
  * Evidence: Command exited 0 with no output.
* Command/check: `git ls-files --modified --others --exclude-standard -z | xargs -0 perl -ne 'print "$ARGV:$.\n" if /\r$/'`
  * Result: PASS - Changed tracked and untracked files use LF line endings.
  * Evidence: Command exited 0 with no output.
* Command/check: `bun run test -- scripts/lib/__tests__/pages-demo-routes.test.ts scripts/lib/__tests__/pages-demo-privacy-scan.test.ts scripts/lib/__tests__/pages-demo-snapshot.test.ts src/routes/__tests__/public-demo-routes.test.tsx src/components/home/__tests__/knowledge-graph-section.test.tsx`
  * Result: PASS - Focused route, scan, snapshot, public-demo helper, and home graph coverage passed.
  * Evidence: Vitest reported 5 test files passed and 28 tests passed.
* UI product-surface check: PASS - T019 static preview smoke passed all 24 configured product-surface checks.
* UI craft check: PASS - Final changes preserve existing UI and only route public demo state through existing components.

***

### Task T019 - Run static preview route smoke coverage

**Started**: 2026-06-24 14:24 **Completed**: 2026-06-24 14:31 **Duration**: 7 minutes

**Notes**:

* Started a Pages-style preview with `wrangler pages dev demo-website/dist --ip 127.0.0.1 --port 8789` and reused it from Playwright with an explicit base URL.
* The first preview run caught two issues: `/` requested `/__hermes_status` and `/__graphify_list`, and `/setup` was checking interactive setup copy instead of hosted-demo setup copy.
* Fixed the home Knowledge Graph section to pass `demoMode` when `VITE_AI_OS_PUBLIC_DEMO` is enabled, which also disables the nested Hermes status query.
* Updated the route matrix setup surface check to assert the hosted-demo setup dialog.
* Rebuilt Pages output, restarted Wrangler on the same port, reran the route smoke, and stopped the long-running Wrangler process after the pass.

**Files Changed**:

* `src/components/home/knowledge-graph-section.tsx` - Passes public-demo mode into the home Knowledge Graph hook.
* `src/components/home/__tests__/knowledge-graph-section.test.tsx` - Verifies public demo mode is forwarded to `useKnowledgeGraph`.
* `scripts/lib/pages-demo-routes.ts` - Aligns `/setup` surface checks with the hosted demo dialog.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/tasks.md` - Marked T019 complete.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T019 evidence.

**Verification**:

* Command/check: `bun run test -- scripts/lib/__tests__/pages-demo-routes.test.ts src/components/home/__tests__/knowledge-graph-section.test.tsx`
  * Result: PASS - Focused route matrix and home graph public-demo coverage passed.
  * Evidence: Vitest reported 2 test files passed and 8 tests passed.
* Command/check: `bun run demo:build:pages`
  * Result: PASS - Rebuilt static Pages output after the public-demo guard fix.
  * Evidence: Command exited 0 and reported `Pages demo dist assembled`, `Files: 199`, `Promoted client files: 192`, and `Copied public files: 7`.
* Command/check: `PLAYWRIGHT_BASE_URL=http://127.0.0.1:8789 PLAYWRIGHT_REUSE_EXISTING_SERVER=true bunx playwright test tests/e2e/pages-demo-routes.spec.ts`
  * Result: PASS - Static preview route smoke passed.
  * Evidence: Playwright reported 24 passed in 48.5s with no `/__*` route request failures.
* UI product-surface check: PASS - Each of the 24 static routes rendered at least one configured product surface.
* UI craft check: PASS - The change only routes the existing home graph widget into existing demo-mode states and does not alter layout or styling.

***

### Task T018 - Run Pages build and privacy scan

**Started**: 2026-06-24 14:22 **Completed**: 2026-06-24 14:24 **Duration**: 2 minutes

**Notes**:

* Ran the Pages build and the new scan command in sequence.
* Confirmed generated output shape and privacy scan pass for committed fixtures plus generated dist.

**Files Changed**:

* `demo-website/dist/` - Regenerated by the Pages build for local verification.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T018 evidence.

**Verification**:

* Command/check: `bun run demo:build:pages && bun run demo:scan:pages`
  * Result: PASS - Pages build and privacy scan passed.
  * Evidence: Build reported `Pages demo dist assembled`, `Files: 199`, `Promoted client files: 192`, `Copied public files: 7`; scan reported fixtures pass with 5 scanned files and dist pass with 13 scanned files.
* UI product-surface check: N/A - Build and scan only.
* UI craft check: N/A - No UI changes.

***

### Task T017 - Run TypeScript verification

**Started**: 2026-06-24 14:21 **Completed**: 2026-06-24 14:22 **Duration**: 1 minute

**Notes**:

* Ran app TypeScript verification and script-specific TypeScript verification after adding new scripts and tests.

**Files Changed**:

* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T017 evidence.

**Verification**:

* Command/check: `bun run typecheck`
  * Result: PASS - App TypeScript check passed.
  * Evidence: `tsc --noEmit` exited 0.
* Command/check: `bun run typecheck:scripts`
  * Result: PASS - Script TypeScript check passed.
  * Evidence: `tsc --noEmit -p tsconfig.scripts.json` exited 0.
* UI product-surface check: N/A - Type checks only.
* UI craft check: N/A - No UI changes.

***

### Task T016 - Run focused Vitest coverage

**Started**: 2026-06-24 14:20 **Completed**: 2026-06-24 14:21 **Duration**: 1 minute

**Notes**:

* Ran the focused route, privacy scan, snapshot metadata, and public-demo route helper tests.
* Used `src/routes/__tests__/public-demo-routes.test.tsx` because the task checklist's `.ts` suffix is stale and that file exists as `.tsx` in this repo.

**Files Changed**:

* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T016 evidence.

**Verification**:

* Command/check: `bun run test -- scripts/lib/__tests__/pages-demo-routes.test.ts scripts/lib/__tests__/pages-demo-privacy-scan.test.ts scripts/lib/__tests__/pages-demo-snapshot.test.ts src/routes/__tests__/public-demo-routes.test.tsx`
  * Result: PASS - Focused Vitest coverage passed.
  * Evidence: Vitest reported 4 test files passed and 24 tests passed.
* UI product-surface check: N/A - Unit and helper tests only.
* UI craft check: N/A - No UI changes.

***

### Task T013 - Add static output shape checks to scan path

**Started**: 2026-06-24 14:17 **Completed**: 2026-06-24 14:18 **Duration**: 1 minute

**Notes**:

* Added generated Pages output shape checks to the dist scan path.
* The scan now reports missing `index.html`, `_redirects`, `_headers`, required `/demo/*` fixture files, and missing or empty `demo` assets as explicit findings.
* Added unit coverage for missing `_headers` and `demo/live-data.snapshot.json`.

**Files Changed**:

* `scripts/lib/pages-demo-privacy-scan.ts` - Added static Pages output shape verification.
* `scripts/lib/__tests__/pages-demo-privacy-scan.test.ts` - Added missing-output shape coverage.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T013 evidence.

**Verification**:

* Command/check: `bun run test -- scripts/lib/__tests__/pages-demo-privacy-scan.test.ts`
  * Result: PASS - Privacy scan and static output shape tests passed.
  * Evidence: Vitest reported 1 test file passed and 10 tests passed.
* UI product-surface check: N/A - Scan path only.
* UI craft check: N/A - No UI changes.

***

### Task T012 - Add route-specific readiness assertions

**Started**: 2026-06-24 14:16 **Completed**: 2026-06-24 14:17 **Duration**: 1 minute

**Notes**:

* Added route-specific product-surface checks through the shared route matrix.
* The Playwright smoke spec now requires each route to show at least one configured heading, text, ARIA label, or selector before passing.
* The route matrix tests enforce that every route has at least one product-facing smoke expectation and no expectation contains local bridge paths.

**Files Changed**:

* `scripts/lib/pages-demo-routes.ts` - Added per-route smoke expectations as route metadata.
* `scripts/lib/__tests__/pages-demo-routes.test.ts` - Verified smoke expectations are present and product-facing.
* `tests/e2e/pages-demo-routes.spec.ts` - Added `expectRouteSurface` readiness assertions.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T012 evidence.

**Verification**:

* Command/check: `bun run test -- scripts/lib/__tests__/pages-demo-routes.test.ts`
  * Result: PASS - Route matrix expectations passed.
  * Evidence: Vitest reported 1 test file passed and 4 tests passed.
* Command/check: `bunx playwright test --list tests/e2e/pages-demo-routes.spec.ts`
  * Result: PASS - Route-specific smoke suite remained discoverable.
  * Evidence: Output listed 24 Chromium route tests.
* UI product-surface check: N/A - Browser route inspection is scheduled for T019 against static preview.
* UI craft check: N/A - No UI changes.

***

### Task T011 - Create Playwright static-demo smoke harness

**Started**: 2026-06-24 14:15 **Completed**: 2026-06-24 14:16 **Duration**: 1 minute

**Notes**:

* Added a Playwright smoke spec that iterates over the shared Pages demo route matrix.
* Each test navigates to one static route, records same-page requests, fails on any request pathname beginning with `/__`, and allows `/demo/*` fixture requests by not treating them as bridge paths.
* Kept the normal Playwright webserver config unchanged; the suite can be run against an explicit static preview base URL with server reuse.

**Files Changed**:

* `tests/e2e/pages-demo-routes.spec.ts` - Added static route smoke harness.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T011 evidence.

**Verification**:

* Command/check: `bunx playwright test --list tests/e2e/pages-demo-routes.spec.ts`
  * Result: PASS - Playwright discovered the matrix-driven suite.
  * Evidence: Output listed 24 Chromium tests, one for each shared Pages demo route.
* UI product-surface check: N/A - Browser execution is scheduled for T019; this task added the harness structure.
* UI craft check: N/A - No rendered UI changes.

***

### Task T010 - Wire rerunnable package privacy scan script

**Started**: 2026-06-24 14:14 **Completed**: 2026-06-24 14:15 **Duration**: 1 minute

**Notes**:

* Added `demo:scan:pages` as a rerunnable package script.
* Kept the script scoped to `scripts/demo/scan-pages-demo.ts`; it does not invoke `demo:snapshot`.

**Files Changed**:

* `package.json` - Added `demo:scan:pages`.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T010 evidence.

**Verification**:

* Command/check: `bun run demo:scan:pages`
  * Result: PASS - Package scan script passed.
  * Evidence: Output reported `Pages demo privacy scan passed`, fixtures pass with 5 scanned files, and dist pass with 13 scanned files.
* UI product-surface check: N/A - Package script wiring only.
* UI craft check: N/A - No UI changes.

***

### Task T009 - Add Pages demo privacy scan CLI

**Started**: 2026-06-24 14:12 **Completed**: 2026-06-24 14:14 **Duration**: 2 minutes

**Notes**:

* Added a Bun CLI for fixture and generated-output scans with target selection, JSON/text output, quiet mode, max file size override, workspace root override, and optional application bundle scanning.
* Default CLI behavior scans both committed fixtures and generated dist.
* Verified the CLI returns non-zero for privacy failures by forcing a one-byte max file size against generated output.

**Files Changed**:

* `scripts/demo/scan-pages-demo.ts` - Added Pages demo privacy scan CLI.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T009 evidence.

**Verification**:

* Command/check: `bun run scripts/demo/scan-pages-demo.ts --help`
  * Result: PASS - CLI help rendered.
  * Evidence: Output listed `--all`, `--fixtures`, `--dist`, `--json`, `--quiet`, and scan option flags.
* Command/check: `bun run scripts/demo/scan-pages-demo.ts --json`
  * Result: PASS - Default fixture plus dist scan passed.
  * Evidence: JSON output reported `ok: true`, `issueCount: 0`, fixture scan pass with 5 scanned files, and dist scan pass with 13 scanned files.
* Command/check: `bun run scripts/demo/scan-pages-demo.ts --dist --max-file-bytes 1 --quiet`
  * Result: PASS - Forced privacy failure returned a non-zero status.
  * Evidence: Command exited with code 2.
* UI product-surface check: N/A - CLI only.
* UI craft check: N/A - No UI changes.

***

### Task T008 - Add privacy scan unit coverage

**Started**: 2026-06-24 14:10 **Completed**: 2026-06-24 14:12 **Duration**: 2 minutes

**Notes**:

* Added temp-workspace unit coverage for committed fixture scans, generated dist scans, skipped JS bundle reporting, JSON privacy failures, text asset bridge/token failures, missing generated output, invalid JSON, file-size limits, and deterministic issue ordering.
* The first deterministic-ordering assertion assumed one finding per unsafe file; the helper correctly returned multiple findings for one unsafe string, so the test was adjusted to assert stable first/last file ordering instead.

**Files Changed**:

* `scripts/lib/__tests__/pages-demo-privacy-scan.test.ts` - Added privacy scan test coverage.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T008 evidence.

**Verification**:

* Command/check: `bun run test -- scripts/lib/__tests__/pages-demo-privacy-scan.test.ts`
  * Result: PASS - Focused privacy scan tests passed.
  * Evidence: Vitest reported 1 test file passed and 9 tests passed.
* UI product-surface check: N/A - Test coverage only.
* UI craft check: N/A - No UI changes.

***

### Task T007 - Implement fixture and generated-dist privacy scan helpers

**Started**: 2026-06-24 14:07 **Completed**: 2026-06-24 14:10 **Duration**: 3 minutes

**Notes**:

* Added reusable scan helpers for committed fixtures and generated Pages output.
* Implemented approved-root validation, deterministic traversal, bounded text reads, JSON parsing, file-level findings, skipped-file reporting, and explicit error classes.
* Reused the existing snapshot privacy helper for committed fixture verification and the existing payload privacy collector for parsed JSON and text files.
* Added generated-output shape checks for `index.html`, `_redirects`, `_headers`, copied `/demo/*` fixtures, and non-empty demo assets.
* Default generated-dist scans skip compiled application bundle JS literals and leave actual local-bridge request enforcement to the Playwright route smoke suite.
* Removed auth-term wording from the copied public README source so public text assets pass the privacy scanner.

**Files Changed**:

* `scripts/lib/pages-demo-privacy-scan.ts` - Added reusable Pages demo privacy scan helpers and result/error types.
* `public/README_public.md` - Reworded public asset boundary copy to avoid credential-shaped terms in generated Pages output.
* `demo-website/dist/` - Regenerated after the public README source change for local verification.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T007 evidence.

**Verification**:

* Command/check: `bun -e 'import { scanCommittedPagesDemoFixtures } from "./scripts/lib/pages-demo-privacy-scan.ts"; const result = await scanCommittedPagesDemoFixtures(); console.log(JSON.stringify({ status: result.status, scanned: result.scannedFiles.length, skipped: result.skippedFiles.length, issues: result.issueCount, firstIssue: result.issues[0] ?? null }, null, 2)); if (result.status !== "pass") process.exit(1);'`
  * Result: PASS - Committed fixture scan passed.
  * Evidence: Output reported `status: pass`, 5 scanned files, 0 skipped files, and 0 issues.
* Command/check: `bun run demo:build:pages`
  * Result: PASS - Rebuilt generated Pages output after public README source update.
  * Evidence: Command exited 0 and reported `Pages demo dist assembled`, `Files: 199`, and `Copied public files: 7`.
* Command/check: `bun -e 'import { scanGeneratedPagesDemoDist } from "./scripts/lib/pages-demo-privacy-scan.ts"; const result = await scanGeneratedPagesDemoDist(); console.log(JSON.stringify({ status: result.status, scanned: result.scannedFiles.length, skipped: result.skippedFiles.length, issues: result.issueCount, firstIssues: result.issues.slice(0, 8) }, null, 2)); if (result.status !== "pass") process.exit(1);'`
  * Result: PASS - Generated dist scan passed.
  * Evidence: Output reported `status: pass`, 13 scanned files, 186 skipped files, and 0 issues.
* UI product-surface check: N/A - Script helper and public static README wording only.
* UI craft check: N/A - No rendered UI changes.

**BQC Fixes**:

* Error information boundaries: Reworded copied public README guidance so the static public file avoids credential-shaped terms (`public/README_public.md`).
* Trust boundary enforcement: Added approved-root checks and bounded reads before scanning filesystem content (`scripts/lib/pages-demo-privacy-scan.ts`).

***

### Task T006 - Replace local snapshot route coverage with shared route matrix

**Started**: 2026-06-24 14:06 **Completed**: 2026-06-24 14:07 **Duration**: 1 minute

**Notes**:

* Replaced the hand-maintained `PAGES_DEMO_ROUTE_COVERAGE` array with the shared route matrix paths.
* Kept the existing `PAGES_DEMO_ROUTE_COVERAGE` export name stable for snapshot callers.
* Updated snapshot tests to assert metadata route coverage equals the shared matrix and includes Session 06 routes that the old array missed.

**Files Changed**:

* `scripts/lib/pages-demo-snapshot.ts` - Imported `PAGES_DEMO_ROUTE_PATHS` and reused it for snapshot metadata route coverage.
* `scripts/lib/__tests__/pages-demo-snapshot.test.ts` - Added shared-matrix metadata assertions.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T006 evidence.

**Verification**:

* Command/check: `bun run test -- scripts/lib/__tests__/pages-demo-routes.test.ts scripts/lib/__tests__/pages-demo-snapshot.test.ts`
  * Result: PASS - Focused route and snapshot tests passed.
  * Evidence: Vitest reported 2 test files passed and 11 tests passed.
* UI product-surface check: N/A - Snapshot metadata wiring only.
* UI craft check: N/A - No UI changes.

***

### Task T005 - Add route matrix unit coverage

**Started**: 2026-06-24 14:05 **Completed**: 2026-06-24 14:06 **Duration**: 1 minute

**Notes**:

* Added Vitest coverage for deterministic route order, required route IDs and paths, unique route IDs, unique absolute paths, no `/__` route paths, required route groups, lookup helpers, and product-facing smoke expectations.

**Files Changed**:

* `scripts/lib/__tests__/pages-demo-routes.test.ts` - Added focused route matrix tests.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T005 evidence.

**Verification**:

* Command/check: `bun run test -- scripts/lib/__tests__/pages-demo-routes.test.ts`
  * Result: PASS - Focused route matrix tests passed.
  * Evidence: Vitest reported 1 test file passed and 4 tests passed.
* UI product-surface check: N/A - Test coverage only.
* UI craft check: N/A - No UI changes.

***

### Task T004 - Create shared Pages demo route matrix

**Started**: 2026-06-24 14:00 **Completed**: 2026-06-24 14:05 **Duration**: 5 minutes

**Notes**:

* Added a shared route matrix with deterministic ordering, stable route IDs, absolute paths, product surface labels, route groups, and smoke expectations.
* Included the union of the previous snapshot metadata routes and Session 06 planned host, agent, Trend Finder, Knowledge Graph, and AI Rogue routes.
* Kept the matrix in `scripts/lib/` so snapshot metadata, unit tests, privacy tooling, and Playwright can share it without importing app route modules.

**Files Changed**:

* `scripts/lib/pages-demo-routes.ts` - Created shared public-demo route matrix and helper lookups.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T004 evidence.

**Verification**:

* Command/check: `bun -e 'import { PAGES_DEMO_ROUTES } from "./scripts/lib/pages-demo-routes.ts"; const ids = new Set(PAGES_DEMO_ROUTES.map((route) => route.id)); const paths = new Set(PAGES_DEMO_ROUTES.map((route) => route.path)); if (ids.size !== PAGES_DEMO_ROUTES.length) throw new Error("duplicate ids"); if (paths.size !== PAGES_DEMO_ROUTES.length) throw new Error("duplicate paths"); if (PAGES_DEMO_ROUTES.some((route) => !route.path.startsWith("/") || route.path.startsWith("/__"))) throw new Error("invalid path"); console.log(`${PAGES\_DEMO\_ROUTES.length} routes ok`);'`
  * Result: PASS - Matrix imported and route invariants held.
  * Evidence: Output reported `24 routes ok`.
* UI product-surface check: N/A - Shared data module only.
* UI craft check: N/A - No UI changes.

***

### Task T003 - Review existing public demo scan and route-test helpers

**Started**: 2026-06-24 13:58 **Completed**: 2026-06-24 14:00 **Duration**: 2 minutes

**Notes**:

* Reviewed `scripts/lib/pages-demo-snapshot.ts` constants, `collectPublicDemoPrivacyIssues`, `scanPublicDemoPayload`, and `verifySnapshotFilePrivacy` before designing file-tree scanning.
* Reviewed `scripts/lib/pages-demo-build.ts` for existing Pages output shape requirements and deterministic file traversal patterns.
* Reviewed `src/routes/__tests__/public-demo-routes.test.tsx` for the existing fetch recorder that fails on `/__*` while allowing `/demo/*` fixture requests.
* Reviewed `playwright.config.ts` and existing E2E specs for the normal Vite webserver path so the new static-preview smoke suite can avoid changing it.
* Noted the focused route helper test path is `src/routes/__tests__/public-demo-routes.test.tsx`; the task command later in this session names the same test without the `.tsx` suffix.

**Files Changed**:

* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T003 review evidence.

**Verification**:

* Command/check: `sed -n '1,180p' src/routes/__tests__/public-demo-routes.test.tsx`
  * Result: PASS - Existing public-demo request recorder inspected.
  * Evidence: Recorder stores requested paths, throws on pathnames beginning with `/__`, and allows `/demo/live-data.snapshot.json`.
* Command/check: `sed -n '240,560p' scripts/lib/pages-demo-snapshot.ts`
  * Result: PASS - Existing privacy patterns and collector inspected.
  * Evidence: Collector checks local paths, file URLs, bridge URLs, private URLs, secret-like strings, raw prompts, transcripts, command output, private labels, and auth terms.
* Command/check: `sed -n '1,520p' scripts/lib/pages-demo-build.ts`
  * Result: PASS - Existing build verification contract inspected.
  * Evidence: Assembler requires `index.html`, `_redirects`, `_headers`, `demo/live-data.snapshot.json`, `demo/snapshot-metadata.json`, and `demo/graphs/index.json` in output.
* Command/check: `sed -n '1,140p' playwright.config.ts`
  * Result: PASS - Normal Playwright Vite webserver path inspected and left unchanged.
  * Evidence: Config uses `bash scripts/playwright-webserver.sh ${port}` and `PLAYWRIGHT_REUSE_EXISTING_SERVER` for reuse.
* UI product-surface check: N/A - Helper review only.
* UI craft check: N/A - No UI changes.

***

### Task T002 - Run Pages build and confirm generated static artifact roots

**Started**: 2026-06-24 13:57 **Completed**: 2026-06-24 13:58 **Duration**: 1 minute

**Notes**:

* Ran the Pages demo build before scan implementation so generated-output assumptions can be checked against `demo-website/dist`.
* Confirmed the generated static tree contains the required Pages files and copied demo fixture assets.

**Files Changed**:

* `demo-website/dist/` - Regenerated by `bun run demo:build:pages` for local verification; generated output remains outside the source scope.
* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded T002 evidence.

**Verification**:

* Command/check: `bun run demo:build:pages`
  * Result: PASS - Vite built client and SSR environments and assembled Pages dist.
  * Evidence: Command exited 0, reported `Pages demo dist assembled`, `Dist: demo-website/dist`, `Files: 199`, `Promoted client files: 192`, and `Copied public files: 7`.
* Command/check: `test -f demo-website/dist/index.html && test -f demo-website/dist/_redirects && test -f demo-website/dist/_headers && test -d demo-website/dist/demo && find demo-website/dist/demo -maxdepth 2 -type f | sort | sed -n '1,40p'`
  * Result: PASS - Required root files and `/demo/*` copied fixture files exist.
  * Evidence: Output included `demo-website/dist/demo/live-data.snapshot.json`, `demo-website/dist/demo/snapshot-metadata.json`, graph fixtures, and `trend-finder-assets/README.md`.
* UI product-surface check: N/A - Build and filesystem verification only.
* UI craft check: N/A - No UI changes.

***

## Task Log

### 2026-06-24 - Session Start

**Environment verified**:

* [x] Prerequisites confirmed
* [x] Tools available
* [x] Directory structure ready

***

## Static Preview Invocation

The normal Playwright config remains unchanged and still starts Vite through `bash scripts/playwright-webserver.sh ${port}`.

For the Pages static route smoke suite, use an explicit Pages preview server and reuse it from Playwright:

```bash
bun run demo:build:pages
wrangler pages dev demo-website/dist --ip 127.0.0.1 --port 8789
PLAYWRIGHT_BASE_URL=http://127.0.0.1:8789 PLAYWRIGHT_REUSE_EXISTING_SERVER=true bunx playwright test tests/e2e/pages-demo-routes.spec.ts
```

Stop the long-running `wrangler pages dev` process after the smoke suite finishes.

***

## Unsafe Route, Scan, And Preview Findings

| Finding                                                     | Status   | Evidence                                                                                                                                                                | Resolution                                                                                                                                |
| ----------------------------------------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| Generated dist scan flagged public README auth-term wording | Resolved | `bun -e 'import { scanGeneratedPagesDemoDist } from "./scripts/lib/pages-demo-privacy-scan.ts"; ...'` initially reported `README_public.md: auth_term (API key phrase)` | Reworded `public/README_public.md` boundary copy and rebuilt Pages output                                                                 |
| Unsafe route requests                                       | Resolved | Initial T019 preview run reported `/ -> /__hermes_status` and `/ -> /__graphify_list`                                                                                   | Passed public-demo mode into `KnowledgeGraphSection`'s `useKnowledgeGraph` call; passing rerun reported 24 passed with no `/__*` failures |
| Static preview route failures                               | Resolved | Initial T019 preview run failed `/` for local bridge requests and `/setup` for interactive setup copy expectations                                                      | Updated the home graph public-demo guard and `/setup` route matrix surface checks; passing rerun reported 24 passed in 48.5s              |

***

### Task T001 - Verify Session 06 prerequisites and route matrix inputs

**Started**: 2026-06-24 13:56 **Completed**: 2026-06-24 13:57 **Duration**: 1 minute

**Notes**:

* Confirmed the active spec-system session is `phase31-session06-demo-qa-and-privacy-verification`.
* Confirmed Sessions 03, 04, and 05 are listed as completed in spec-system analysis output.
* Read the Session 06 phase stub and captured its planned Pages route matrix, scan targets, no-bridge rule, and required verification commands.

**Files Changed**:

* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Recorded session start and T001 evidence.

**Verification**:

* Command/check: `if [ -d ".spec_system/scripts" ]; then bash .spec_system/scripts/analyze-project.sh --json; else bash /home/aiwithapex/.codex/plugins/cache/apex-spec-system/apex-spec/2.1.3-codex/scripts/analyze-project.sh --json; fi`
  * Result: PASS - Active session and completed session state resolved.
  * Evidence: Output reported `current_session` as `phase31-session06-demo-qa-and-privacy-verification` and included completed `phase31-session03-app-data-and-mutation-boundary`, `phase31-session04-extensions-and-agent-routes`, and `phase31-session05-pages-build-and-deployment-scaffold`.
* Command/check: `if [ -d ".spec_system/scripts" ]; then bash .spec_system/scripts/check-prereqs.sh --json --env; else bash /home/aiwithapex/.codex/plugins/cache/apex-spec-system/apex-spec/2.1.3-codex/scripts/check-prereqs.sh --json --env; fi`
  * Result: PASS - Environment prerequisites passed.
  * Evidence: Output reported `overall: pass`, `.spec_system`, `jq-1.7`, and `git version 2.43.0`.
* Command/check: `sed -n '1,260p' .spec_system/PRD/phase_31/session_06_demo_qa_and_privacy_verification.md`
  * Result: PASS - Route matrix and scan requirements inspected.
  * Evidence: Stub lists planned host, agent, Trend Finder, Knowledge Graph, and AI Rogue routes plus fixture/dist scan targets.
* UI product-surface check: N/A - Documentation and spec-state verification only.
* UI craft check: N/A - No UI changes.

***

### Task T015 - Record unsafe route, scan finding, or preview failure evidence

**Started**: 2026-06-24 14:19 **Completed**: 2026-06-24 14:20 **Duration**: 1 minute

**Notes**:

* Added a findings ledger for unsafe route requests, scan findings, and preview failures.
* Recorded the one scan finding encountered during implementation and its completed source-level resolution.
* Kept release polish, mobile review, and bundle review out of scope.

**Files Changed**:

* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Added findings ledger and T015 evidence.

**Verification**:

* Command/check: Manual notes inspection in `implementation-notes.md`
  * Result: PASS - Findings ledger added.
  * Evidence: Notes record the resolved `README_public.md` scan finding plus the T019 unsafe route request and preview failure resolutions.
* UI product-surface check: N/A - Notes only.
* UI craft check: N/A - No UI changes.

***

### Task T014 - Record static preview invocation for smoke suite

**Started**: 2026-06-24 14:18 **Completed**: 2026-06-24 14:19 **Duration**: 1 minute

**Notes**:

* Recorded the static preview flow required for `tests/e2e/pages-demo-routes.spec.ts`.
* Confirmed no change was made to `playwright.config.ts`; normal E2E runs still use the Vite webserver script.

**Files Changed**:

* `.spec_system/specs/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md` - Added static preview invocation notes and T014 evidence.

**Verification**:

* Command/check: `sed -n '1,140p' playwright.config.ts`
  * Result: PASS - Existing Vite webserver path was inspected and left unchanged.
  * Evidence: Config still uses `bash scripts/playwright-webserver.sh ${port}` and `PLAYWRIGHT_REUSE_EXISTING_SERVER`.
* Command/check: Manual notes inspection in `implementation-notes.md`
  * Result: PASS - Static preview invocation recorded.
  * Evidence: Notes include `wrangler pages dev demo-website/dist --ip 127.0.0.1 --port 8789` plus the `PLAYWRIGHT_BASE_URL` and `PLAYWRIGHT_REUSE_EXISTING_SERVER=true` Playwright command.
* UI product-surface check: N/A - Notes only.
* UI craft check: N/A - No UI changes.

***


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://ai-os-and-trend-finder.gitbook.io/ai-os-and-trend-finder-docs/.spec_system/archive/sessions/phase31-session06-demo-qa-and-privacy-verification/implementation-notes.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
