📌Remaining Issues

Maintainability items deferred to a later phase (CM-3 / CM-5) and the Low group.

Source: REMAINING_ISSUES.md. These are all maintainability (architecture) items, not bugs or security, positioned to be tackled in a later phase together with the reviewers.

Design refactors (later phase)

🧱

CM-3: the service layer depends on fastapi.HTTPException

Split out into domain exceptions and translate at the API layer. Wide blast radius (~8 routers + MCP strict_fallback + 27 tests).

🧩

CM-5: business logic leaking into adapters/routers

Can be split into extracting the Scorer (CM-5a, medium) and consolidating CallLog state transitions (CM-5b, large).

ℹ️Why not now

These are not production blockers; starting them requires a full-suite regression (about 4 minutes a run) and cross-cutting follow-through, so the plan is to agree on the blast radius first and handle them in a dedicated refactor pass.

The Low group (not started / operational caveats)

Low-1: inconsistent HTTP 503/502 responses (realtime_session)
Low-2: a broad except Exception swallowing errors (use explicit types)
Low-3: the source of the monitoring health/alert-level backend enum is undetermined
Low-4: forgetting to set runtime_env skips the weak-JWT-secret check (operational caveat)

✅Resolved items are on another page

Critical-1 / H-1–H-5 / CM-1, 2, 4, 6 / PM-1, 2, 4 / n+101 / C-2(b) are all fixed. See “Reviews & Findings” and “PR Timeline” for details.