
Deferred from: fix-strictmode-oidc-callback-race (2026-05-06)

  • pendingCallbackSequence is not scoped to a specific callback invocation — if useOidcSession were ever mounted twice simultaneously, the second instance would skip CSRF validation and piggyback on the first's exchange. Pre-existing architectural assumption; low risk given single-mount usage, but worth an assertion if the hook gains wider use.
  • user.workspacePath is used in window.history.replaceState without validating it is a relative path. Server currently returns only hard-coded relative paths, but an open-redirect risk exists if the return value ever comes from user-controlled input.
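Added illustration for the second bullet, not code from the project: a pure helper that accepts only root-relative, same-origin paths before a value reaches history.replaceState, rejecting protocol-relative, backslash and scheme-carrying variants as well as the plain absolute URL the bullet describes. `toSafeRelativePath`, `safeReplaceState` and the `origin` argument are assumed names standing in for the hook's own code and window.location.origin.

```javascript
// Added example (not the project's code): validate a server-supplied return
// path before it is handed to history.replaceState, so only root-relative,
// same-origin paths are accepted. Pure function: `origin` stands in for
// window.location.origin so it can be unit-tested without a browser.
function toSafeRelativePath(candidate, origin) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  // Must start with exactly one forward slash. "//evil.example" is
  // protocol-relative, "/\evil.example" is parsed as scheme-relative by
  // browsers, and "https://..." or "javascript:" carry a scheme.
  if (!/^\/(?![\/\\])/.test(candidate)) return null;
  // Reject control characters and whitespace that URL parsers strip or fold.
  if (/[\u0000-\u001f\u007f\s]/.test(candidate)) return null;
  let url;
  try {
    url = new URL(candidate, origin);
  } catch {
    return null;
  }
  // After resolution the origin must still be ours.
  if (url.origin !== origin) return null;
  // Return the normalised path (dot segments resolved, host/credentials gone).
  return url.pathname + url.search + url.hash;
}

// Constructed usage: how a hook would apply the check before replaceState.
// `history` is window.history (or a fake in tests); `user` is the session payload.
function safeReplaceState(history, user, origin) {
  const path = toSafeRelativePath(user.workspacePath, origin);
  if (path === null) {
    // Fall back to a known-good location rather than trusting the value.
    history.replaceState(null, '', '/');
    return '/';
  }
  history.replaceState(null, '', path);
  return path;
}
```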

Deferred from: code review of 1-4-keycloak-role-mapping-application-authorization.md (2026-05-06)

  • AuthorizationProbeController ships canned operational routes in the production controller surface. Evidence: Campaign_Tracker.Server/Controllers/AuthorizationProbeController.cs:8. Reason: deferred by user choice during review.
