| Main CI red right after a green PR merged | Coverage thresholds and fail-closed OSV run only on main | Coverage step → add tests; OSV → bump/override the vulnerable dep. Not snapshots (CI passes -u) |
| Deploy didn't happen after merging a config change | scripts/vercel-ignore.sh skipped it (vercel.json / docs / CI paths excluded) | Manual deploy from Vercel dashboard, or ride along with an SPA change |
pnpm install can't resolve a version visible on npm | minimumReleaseAge: 10080 in pnpm-workspace.yaml (7-day supply-chain cooldown) | Wait, pin the previous version, or add to minimumReleaseAgeExclude with justification per SECURITY.md |
| CHANGELOG entry / version bump missing for a merged PR | PR title used a hidden type (chore/refactor/etc.) | Titles are baked in at squash; land a follow-up correctly-typed commit if a bump is needed |
| Green "PWA Smoke Test" but no preview was actually tested | Vercel legitimately ignored the build (docs/CI-only PR) or Dependabot PR (no bypass secret) | Expected; the job passes with a warning by design |
| Unminified production stack traces in PostHog lag a deploy | Source-map upload runs only on main pushes (POSTHOG_API_KEY / POSTHOG_PROJECT_ID) | Check that step in the main-branch CI run |
Fresh clone: bare pnpm vitest fails with lazy-load errors | en.json is generated and gitignored | pnpm run build:en-locale first |