Dev: Helmet CSP blocks Vite HMR WebSocket in development
UX: Form submit button shows text change but no loading spinner/animation
Bug: CSP connect-src 'self' blocks Zoho API calls (when ZOHO_ENABLED=true)
Cleanup: React Query dependency is overkill (only 2 mutations, no queries)
SEO: No HTTP-to-HTTPS redirect or www-to-non-www canonical redirect
Bug: api.js retries 409 Conflict responses (duplicate lead submissions)
Bug: Dynamic icon lookup in Home.jsx has no fallback (render crash risk)
Security: CORS defaults to allow all origins in development
Security: Database file created with world-writable permissions (0o666/0o777)
Security: Production build generates sourcemaps (exposes source code)
Bug: Docker healthcheck always reports healthy (process.exit never called)
Bug: db.js is dead code with conflicting schema (no UNIQUE on leads.email)
Security: No form spam protection (honeypot, captcha, or turnstile)
Performance: logo.svg is 348KB (SVG logos should be <10KB)
SEO: og:image uses SVG which is unsupported by most social platforms
Cleanup: zustand dependency is unused (never imported)
Cleanup: Dialog.jsx is unused (no component imports it)
Cleanup: CardDescription.jsx is a duplicate of Card.jsx export
Cleanup: MobileNav.jsx is dead code (Header has its own mobile menu)
Bug: Support page secondary CTA bg-secondary-bg is undefined in Tailwind config