
[nightshift] tech-debt-classify: Tech Debt Classification #5

@nightshift-micr

Description


Tech Debt Classification Report: micr-dev/about

Automated by Nightshift v3 (GLM 5.1).


Summary

Category             Count   P0   P1   P2   P3
Bit Rot                  3    1    1    1    0
Deliberate Debt          2    0    1    1    0
Design Debt              4    1    2    1    0
Security Debt            2    2    0    0    0
Test Debt                1    0    0    1    0
Documentation Debt       1    0    0    0    1
Dependency Debt          1    0    0    1    0

P0 — Critical

1. XSS via innerHTML with Unsanitized JSON Data

  • Category: Security Debt
  • File: script.js, lines 196 and 332
  • Effort: S (1-2 hours)
  • The render() function injects data from data.json directly into the DOM using innerHTML without sanitization. If data.json is compromised, arbitrary JS can execute.
  • Fix: Use textContent or createElement + createTextNode instead of string interpolation into innerHTML.
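The flagged pattern beside the recommended fix, as an added example rather than code from micr-dev/about: the entry shape, element names and the small stub DOM (so it runs under Node) are assumptions.

```javascript
// Added example, not the repository's script.js: the innerHTML pattern the report
// flags in render(), beside the createElement + textContent fix it recommends.
// Constructed sample shaped like data.json entries; the "<b>" tags stand in for
// any markup a tampered data file could carry, which innerHTML parses as HTML.
const sampleEntries = [
  { title: "Projects", body: "Things I have built" },
  { title: "Tampered <b>markup</b>", body: "also <b>here</b>" },
];

// BEFORE (the flagged pattern): string interpolation straight into innerHTML.
function renderUnsafe(container, entries) {
  container.innerHTML = entries
    .map((e) => `<section><h2>${e.title}</h2><p>${e.body}</p></section>`).join("");
}

// AFTER (the fix): create elements and assign data via textContent, which the
// browser stores as text and never parses as markup.
function renderSafe(container, entries, doc = document) {
  container.replaceChildren();
  for (const e of entries) {
    const section = doc.createElement("section");
    const h2 = doc.createElement("h2");
    h2.textContent = e.title;
    const p = doc.createElement("p");
    p.textContent = e.body;
    section.append(h2, p);
    container.append(section);
  }
}

// Minimal stand-in for the DOM (assumed, not a real browser) so this runs under
// Node; it serialises like a browser: innerHTML kept raw, textContent escaped.
const escapeHtml = (s) =>
  String(s).replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" })[c]);
class StubElement {
  constructor(tag) { this.tag = tag; this.replaceChildren(); }
  replaceChildren() { this.kids = []; this.raw = null; this.text = null; }
  set innerHTML(html) { this.replaceChildren(); this.raw = String(html); }
  set textContent(t) { this.replaceChildren(); this.text = String(t); }
  append(...nodes) { this.kids.push(...nodes); }
  get outerHTML() {
    const inner = this.raw !== null ? this.raw : this.text !== null ? escapeHtml(this.text)
      : this.kids.map((k) => k.outerHTML).join("");
    return `<${this.tag}>${inner}</${this.tag}>`;
  }
}
const stubDocument = { createElement: (tag) => new StubElement(tag) };

// Renders the same entries both ways and returns the resulting markup.
function compareRenderers(entries = sampleEntries) {
  const unsafe = new StubElement("main"), safe = new StubElement("main");
  renderUnsafe(unsafe, entries);
  renderSafe(safe, entries, stubDocument);
  return { unsafe: unsafe.outerHTML, safe: safe.outerHTML };
}
```

The unsafe output carries the `<b>` tags through as live markup; the safe output contains them only as `&lt;b&gt;` text, which is why the report pairs this fix with a CSP as a second layer.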

2. No Content Security Policy (CSP)

  • Category: Design Debt
  • File: netlify.toml
  • Effort: S (30 min)
  • No CSP header is defined. Combined with the innerHTML usage, there is no defense in depth against script injection.
  • Fix: Add CSP headers in netlify.toml.

P1 — High

3. 2.4 MB of Unused Font Files

  • Category: Bit Rot
  • File: fonts/ directory
  • Effort: S (15 min)
  • Only DecimaMono.ttf (94 KB) is used. Seven other fonts (~2.4 MB) are dead weight.
  • Fix: Delete unused font files.

4. Unused Duplicate Image (right-image.jpg)

  • Category: Bit Rot
  • File: images/right-image.jpg (249 KB)
  • Effort: S (5 min)
  • Both .png and .jpg exist, only .png is referenced. The .jpg is dead weight.
  • Fix: Delete images/right-image.jpg.

5. Monolithic render() Function (300+ lines)

  • Category: Design Debt
  • File: script.js, lines 119-420
  • Effort: M (3-5 hours)
  • A single function handles all 8 content types via nested if/else and queries computedStyle inside a loop. Adding a new content type requires editing this function.
  • Fix: Extract a renderer registry pattern with isolated, testable functions.

6. Fragile Intro Text Processing

  • Category: Deliberate Debt
  • File: script.js, lines 154-158
  • Effort: S (30 min)
  • Hardcoded 74-space string replacement. Any change to name/pronoun/spacing in data.json silently breaks this.
  • Fix: Move header text to dedicated JSON fields (details.name, details.pronouns).

P2 — Medium

7. No .gitignore File — Design Debt, S effort

8. font-display: block Delays First Paint — style.css line 5, S effort, change to swap

9. No prefers-reduced-motion Respect — style.css, S effort

10. cache: "no-store" on data.json Fetch — script.js line 59, S effort

11. Zero Test Coverage — no tests exist, L effort

12. Inline style Block in HTML — index.html lines 39-72, S effort

13. Large Hero Image (1.4 MB PNG) — images/right-image.png, S effort


P3 — Low

14. Misaligned SKILL.md Configuration — references React/Tailwind for vanilla project

15. Orphaned CSS Comment — style.css line 389

16. Hardcoded Name/Pronouns — script.js lines 144/147


Priority Ranking (Impact on Development Velocity)

  1. #5 Monolithic render() — every content change edits 300-line function
  2. #6 Fragile intro processing — will silently break on next name change
  3. #1+#2 XSS + no CSP — security risk
  4. #11 Zero test coverage — no safety net for refactoring
  5. #3 Unused fonts — bloats clone/deploy times

Total estimated remediation: 3-4 days of focused work.
