# Phase 4 — Hardening + docs + final review

## Tasks

- [ ] **Concurrent-sync guard** (review S5): per-workload sync mutex (or re-read-then-apply
  with a compare) so a sync racing the edit-form save / another sync can't silently lose
  writes.
- [ ] **File-size + path hardening**: confirm the 64 KiB `DownloadFile` cap is enforced
  across all three providers; confirm `gitops_path` validation rejects traversal.
- [ ] **Security-reviewer pass**: SSRF (verify the fetch goes through `NewGitProvider`/the
  safe client, never raw `http.Get`), secret handling (token never logged/persisted/leaked
  in errors — `sanitizeError`), admin-gating on sync + put.
- [ ] **Docs**: `docs/gitops.md` (or extend `docs/plans/`): the `.tinyforge.yml` v1 schema
  reference, how to enable, the sync flow, and an explicit **"not in v1"** section
  (env/faces, auto-apply-on-deploy, multi-workload Framing B) with the future seams noted.
- [ ] **Final comprehensive review** + (if triggered) security review, then present for the
  merge gate.

## Verify

- Full backend + frontend build/test/vet green; dev server healthy on :8090.

## Handoff notes

_(filled after implementation)_