Mark UX-12.3 (rich-text) and UX-13.1 (NotificationCenter) as
🔒 blocked-on-backend rather than open — they are excluded from the ✅
count and each now carries a one-paragraph spec of the exact
platform-service change required:
- UX-12.3: server-side HTML sanitization (allowlist tags/attrs; strip
scripts/event-handlers/js: + data: URLs) on items.description +
comments.body write paths, so RichTextEditor/RichTextViewer can be
safely adopted.
- UX-13.1: emit notifications into platform-service's existing
notifications module on tracker events (new comment, status change,
vote milestone) targeted to the item author/subscribers with productId,
exposed via the /api/tracker proxy, so NotificationCenter binds a real
feed.
Add BACKEND_ENABLERS.md tracking both follow-ups (title, blocking item,
target module, acceptance criteria, backward-compat constraint —
platform-service is shared by 9 products). Update the Expand tracker line
and notes to show all client-only waves complete and these two
backend-blocked. Docs only — no source/dep/lockfile changes.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
060daa4883