From 2042bdd2cf12fbe3c181d4ccd361b0d378c0b642 Mon Sep 17 00:00:00 2001
From: Your Name <your.email@example.com>
Date: Thu, 28 May 2026 15:18:38 +0800
Subject: [PATCH] docs: sync status truth and repo hygiene

---
 .gitignore                         |  3 +++
 docs/guides/TESTING.md             |  2 ++
 docs/status/REAL_PROJECT_STATUS.md | 34 ++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+)

diff --git a/.gitignore b/.gitignore
index c5bc50f..20a3b9b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,6 +28,7 @@ go.work
 # Build
 build/
 dist/
+server
 
 # Database
 data/*.db
@@ -72,6 +73,8 @@ frontend/admin/.npm-cache/
 # Uploads (keep directory but ignore contents)
 uploads/avatars/*
 !uploads/avatars/.gitkeep
+internal/api/handler/uploads/avatars/*
+!internal/api/handler/uploads/avatars/.gitkeep
 
 # Backup temp
 backup_temp/
diff --git a/docs/guides/TESTING.md b/docs/guides/TESTING.md
index 2789e9b..c002b5e 100644
--- a/docs/guides/TESTING.md
+++ b/docs/guides/TESTING.md
@@ -99,6 +99,8 @@ cd D:\project\frontend\admin
 npm.cmd run e2e:full:win
 ```
 
+> 若本机 `3000` 端口并非当前 admin Vite dev server（例如被 Gitea、Grafana 等其他服务占用），请显式设置 `E2E_BASE_URL` 指向真实前端地址。`run-playwright-cdp-e2e.mjs` 默认假设前端运行在 `http://127.0.0.1:3000`，并会在命中错误站点时 fail-fast 给出提示。
+
 当前覆盖：
 
 - `login-surface`
diff --git a/docs/status/REAL_PROJECT_STATUS.md b/docs/status/REAL_PROJECT_STATUS.md
index 965c049..085104f 100644
--- a/docs/status/REAL_PROJECT_STATUS.md
+++ b/docs/status/REAL_PROJECT_STATUS.md
@@ -1,5 +1,39 @@
 # REAL PROJECT STATUS
 
+## 2026-05-28 review 修复后最新状态（live verifier snapshot）
+
+> 本节反映 2026-05-28 最新 live verifier 结果，不替代下方历史审查记录。
+
+### 最新验证快照
+
+| Command | Result | Note |
+|------|------|------|
+| `go build ./cmd/server` | `PASS` | backend build is green |
+| `go vet ./...` | `PASS` | backend vet is clean |
+| `go test ./... -count=1` | `PASS` | full backend matrix is green |
+| `cd frontend/admin && env -u NODE_ENV npm run lint` | `PASS` | frontend lint is green |
+| `cd frontend/admin && env -u NODE_ENV npm run build` | `PASS` | frontend build is green |
+| `cd frontend/admin && env -u NODE_ENV npm run test:run` | `PASS` | `82` files / `522` tests passed |
+| `cd frontend/admin && env -u NODE_ENV npm audit --omit=dev --json` | `PASS` | production vulnerabilities `0` |
+| `cd frontend/admin && env -u NODE_ENV npm audit --json` | `PASS` | dev + prod vulnerabilities `0` |
+| `cd frontend/admin && env -u NODE_ENV npm run e2e:full` | `PASS` | Playwright CDP full-chain E2E is green in current Linux workspace |
+
+### 当前状态
+
+**已闭环：**
+- P1 后端问题已修复并补回归：logout fail-closed、admin context key 漂移、修改密码权限约束、密码历史同步写入、avatar token 随机源 fail-closed
+- 前端 dev toolchain 依赖漏洞已收敛为 `0`
+- 后端 build / vet / full test matrix 全绿
+- 前端 lint / build / unit test 全绿
+- 浏览器级真实 E2E 已闭环
+
+**当前活跃阻塞：**
+- 无新的功能性阻塞；剩余工作主要是提交边界整理与文档/工作树卫生收口
+
+### 当前可诚实复用的一句话状态
+
+> 后端与前端静态/单测基线、依赖审计与浏览器级真实 E2E 均已恢复绿色；当前剩余的是提交前的文档真相同步和工作树卫生收口，而非功能性阻塞。
+
 ## 2026-04-10 复核更新（TDD修复后）
 
 本节记录 2026-04-10 TDD修复后的最新状态。