docs(design): fix Claude-bot follow-ups from #701 review

bootjp · bootjp · commit 1825f1d212a2 · 2026-04-29T02:02:19.000+09:00
Three issues from the @claude review of PR #701: 1. **Anchor link target now resolves**. The accepted gemini suggestion added `[follow-ups](#out-of-scope-follow-ups)` to the P1 status-table row, but the target was a plain-text paragraph — GitHub only auto-generates anchors for headings, so the link silently scrolled to the top of the document. Promoted "Out-of-scope follow-ups" to a `### ` heading and moved the parenthetical caption onto its own italicised line below it. Anchor `#out-of-scope-follow-ups` now actually resolves. 2. **Stale subsection pointer in safety-net doc**. The 2026_04_28_proposed_admin_delete_bucket_safety_net.md Background section pointed at "Out-of-scope follow-ups" for the TOCTOU description, but after the rename the TOCTOU is no longer in that section — it's resolved (described in the implementation-status block at the top of the implemented doc, line 23). Updated the prose to say "resolved by this design and recorded in the implementation-status block of …" so the cross-link points where the TOCTOU is actually discussed in the renamed doc. 3. **Stale link description in admin_deployment.md**. The final cross-references list called the design doc's third bullet "outstanding items" — that is the `_partial_`-era wording. Renamed to "out-of-scope follow-ups" to match the promoted doc's actual section heading. Also reordered the implementation-status block: TOCTOU resolution paragraph now precedes the Out-of-scope section so the doc reads "what shipped → how the late-breaking issue was fixed → what was deliberately deferred". Previously the TOCTOU paragraph sat after the deferred-items bullet list which read awkwardly. No content changes other than the three fixes above and the section reorder.
diff --git a/docs/admin_deployment.md b/docs/admin_deployment.md
@@ -403,7 +403,7 @@ mean the cluster has lost quorum.
 - [`docs/admin.md`](admin.md) — per-flag configuration reference,
   audit log shapes, troubleshooting catalogue.
 - [`docs/design/2026_04_24_implemented_admin_dashboard.md`](design/2026_04_24_implemented_admin_dashboard.md) —
-  design rationale, acceptance criteria, outstanding items.
+  design rationale, acceptance criteria, out-of-scope follow-ups.
 - [`scripts/rolling-update.sh`](../scripts/rolling-update.sh) —
   the rollout driver this doc references throughout.
 - [`scripts/rolling-update.env.example`](../scripts/rolling-update.env.example) —
diff --git a/docs/design/2026_04_24_implemented_admin_dashboard.md b/docs/design/2026_04_24_implemented_admin_dashboard.md
@@ -14,14 +14,16 @@
 | **P3** — React SPA + embed | ✅ shipped | #649, #650 |
 | **P4** — TLS, read-only role, CSRF, `docs/admin.md`, deployment runbook + `scripts/rolling-update.sh` admin support | ✅ shipped | TLS / role / CSRF live in P1; operator doc + runbook + script wiring in #674 / #669 / #678 |
 
-Out-of-scope follow-ups (recorded so future readers know what was deliberately deferred):
+The AdminDeleteBucket TOCTOU is fully resolved: see [`2026_04_28_proposed_admin_delete_bucket_safety_net.md`](2026_04_28_proposed_admin_delete_bucket_safety_net.md) for the safety-net design and [`docs/admin_deployment.md`](../admin_deployment.md) §4.6 for the operator-side contract (a `PutObject` 200-OK landing during the race window can be swept by the concurrent admin delete; pause writes before delete to retain in-flight writes).
+
+### Out-of-scope follow-ups
+
+_Recorded so future readers know what was deliberately deferred._
 
 - **AdminForward acceptance criterion 5** — rolling-upgrade compatibility flag (`admin.leader_forward_v2`). Deferred at design time behind a cluster-version bump that does not exist yet; not blocking dashboard usability today because every node forwards through the same `pb.AdminOperation` enum.
 - **S3 object browser** — explicitly called out as "next phase" in §2.2 Non-goals; no work item yet.
 - **Operator-visible TLS cert reload** — out of scope; restart-to-rotate is the documented model in `docs/admin.md`.
 
-The AdminDeleteBucket TOCTOU is fully resolved: see [`2026_04_28_proposed_admin_delete_bucket_safety_net.md`](2026_04_28_proposed_admin_delete_bucket_safety_net.md) for the safety-net design and [`docs/admin_deployment.md`](../admin_deployment.md) §4.6 for the operator-side contract (a `PutObject` 200-OK landing during the race window can be swept by the concurrent admin delete; pause writes before delete to retain in-flight writes).
-
 ---
 
 ## 1. Background and Motivation
diff --git a/docs/design/2026_04_28_proposed_admin_delete_bucket_safety_net.md b/docs/design/2026_04_28_proposed_admin_delete_bucket_safety_net.md
@@ -7,10 +7,10 @@
 ## 1. Background
 
 `AdminDeleteBucket` and the SigV4 `s3.go:deleteBucket` share a known
-TOCTOU race documented in
-[`docs/design/2026_04_24_implemented_admin_dashboard.md`](2026_04_24_implemented_admin_dashboard.md)
-under Out-of-scope follow-ups. coderabbitai 🔴/🟠 flagged it during PR
-#669 review.
+TOCTOU race resolved by this design and recorded in the
+implementation-status block of
+[`docs/design/2026_04_24_implemented_admin_dashboard.md`](2026_04_24_implemented_admin_dashboard.md).
+coderabbitai 🔴/🟠 flagged it during PR #669 review.
 
 The current shape:
 
