plans: Block 2-7 implementation plans (production-polish roadmap)

[aksOps]

Adds six implementation plans covering the remaining 40 tasks of the production-polish roadmap (spec: docs/superpowers/specs/2026-04-23-production-polish-roadmap-design.md). Each plan follows the superpowers:writing-plans conventions — bite-sized TDD steps, exact code, exact commands, commit messages with Co-Authored-By trailer.

Plans added

Block	File	Tasks	Lines
2 Security & auth hardening	docs/superpowers/plans/2026-04-23-block2-security-plan.md	5	1,110
3 Resource safety & correctness	docs/superpowers/plans/2026-04-23-block3-resource-safety-plan.md	7	2,222
4 Observability & ops	docs/superpowers/plans/2026-04-23-block4-observability-plan.md	5	2,853
5 UI polish	docs/superpowers/plans/2026-04-23-block5-ui-polish-plan.md	10	2,549
6 Testing & CI	docs/superpowers/plans/2026-04-23-block6-testing-ci-plan.md	6	1,763
7 OSS polish	docs/superpowers/plans/2026-04-23-block7-oss-polish-plan.md	7	1,830
Total		40	12,327

Block dependencies

• Block 4 hard-depends on Block 2.5 (req_id slog threading). Execution will wait for Block 2 to merge before starting Block 4.
• Blocks 2, 3 share the router.go middleware chain — Block 3 rebases after Block 2.
• Blocks 5 (UI), 6 (Testing & CI), 7 (OSS polish) are independent of 2/3/4 and will execute in parallel worktrees.

Notable design decisions surfaced during planning

• Block 3 Task 7 (graceful shutdown) scoped narrowly to the two real gaps left after Block 1: panic-log enrichment (req_id/route/method/auth/stack) and the 10s→30s Shutdown deadline bump. Most of the skeleton is already landed.
• Block 3 Task 1 (SQLite hardening) raises MaxOpenConns from 1 to 4 and adds PRAGMA synchronous=NORMAL; flagged as a regression-risk area for the race-detector pass.
• Block 4 Task 1 retargets Makefile LDFLAGS from cmd.Version/Commit/Date to a new internal/buildinfo package (breaks an import cycle).
• Block 4 adds prometheus/client_golang as a new dep (contradicts spec's "already vendored"; Task 3 adds it explicitly).
• Block 4 access log emits auth=bearer|cookie|anon in place of user_id (docsiq has no per-user identity).
• Block 5 Task 5 ("Maximum update depth") is staged as capture → bisect → fix → regression; may turn out to already be fixed by Block 1 churn.
• Block 6 Task 3 fuzzes store.SearchNotes (real FTS5 MATCH entry point) and MCP tool-argument extractors, not JSON-RPC transport.
• Block 7 README refactor is Task 7 (last) so it can reference screenshots + badges from earlier tasks.

What this PR is and isn't

• Is: Review gate for all six plans before execution begins.
• Isn't: Code changes. Zero Go or TypeScript files touched.

How to review

1. Skim the header of each plan — Goal, Architecture, Tech Stack, task list.
2. Sanity-check one task per plan in detail — confirm the test-first shape, the exact code shown, and the commit message.
3. Flag anything you want reshaped before execution kicks off.

Next step after merge

Execution begins per the sequenced parallel plan: Blocks 2 + 5 + 6 + 7 start in parallel worktrees; Blocks 3 and 4 start after Block 2 merges.

🤖 Generated with Claude Code