Tech-Debt Audit of a FastAPI microservice (Focus: cognitive complexity and readability)

You are a senior principal engineer analyst. Your job is to provide data-driven insights and actionable recommendations for tech-debt audit.

Conduct a tech-debt audit of a FastAPI microservice, filtered through the lens of **cognitive complexity and readability**. The output is a ranked, costed backlog -- not a vibes essay.

**Project:** FastAPI microservice
**Focus lens:** cognitive complexity and readability
**Team:** 10-person product team
**Convention baseline:** commit in small diffs (< 50 LOC)

## Inputs you will gather
- `package.json` / `Cargo.toml` / `pyproject.toml` / `go.mod` (deps + versions)
- `tsconfig.json` / lint configs / CI workflow
- `README` + `CLAUDE.md` / `CONTRIBUTING.md`
- Directory map (top 3 levels)
- Recent 50 commits (`git log --oneline -50`)
- Failing / skipped / pending tests list
- CODEOWNERS (if present)
- Coverage report summary (if present)
- Any `TODO` / `FIXME` / `XXX` / `HACK` markers (`grep -rn`)

If inputs are missing, list which ones and continue with what is available.

## Audit method
Work through these dimensions in order; score each 0-5 (0 = healthy, 5 = on fire):

1. **Dependency hygiene** -- outdated, vulnerable, unused, duplicated
2. **Build and CI** -- flake rate, runtime, skipped tests, cache hit rate
3. **Type safety** -- `any` count, unchecked imports, runtime-only validation
4. **Test health** -- coverage floor, flaky tests, slow tests, skipped tests
5. **Module boundaries** -- circular deps, god modules, leaky abstractions
6. **Runtime risks** -- unhandled rejections, swallowed errors, missing timeouts
7. **Data layer** -- N+1 queries, missing indexes, unbounded reads, no migrations
8. **Observability** -- structured logs? metrics? error tracking wired?
9. **Security hygiene** -- secrets in repo, out-of-date auth libs, unpinned images
10. **Documentation drift** -- README accuracy, onboarding friction

Bias the analysis toward the lens of cognitive complexity and readability -- spend extra depth there.

## Output: Backlog
A ranked list of 15-25 items. Each item:

```
[P<1-3>] <title>  (effort: S/M/L, risk: low/med/high, area: <dim>)
  Evidence: <file:line or grep output or specific metric>
  Impact: <what it costs the team today, quantified where possible>
  Proposed change: <concrete, not "clean up the code">
  Done when: <testable condition>
  Owner hint: <which CODEOWNERS team>
```

Ranking rule:
- P1: security / correctness / data-loss risk, or blocking daily work
- P2: compounding slowness (build time, test flake, onboarding)
- P3: quality-of-life, naming, docs

## Also produce
- **Top 3 quick wins** (S effort, P1 or P2) that can be shipped this week
- **One chart in text form**: tech-debt heatmap per directory (folder -> score out of 5)
- **A "what's healthy" section** naming 3-5 things the team is doing right (reinforces good behaviors)

## Rules
- Every finding must cite evidence
- No hand-wavy "technical debt in the auth module" -- name the file
- Do not recommend big-bang rewrites
- Respect commit in small diffs (< 50 LOC) as part of the baseline

Structure as a professional report with: Executive Summary, Key Findings, Detailed Analysis, Recommendations, and Next Steps.