diff --git a/todo.md b/todo.md new file mode 100644 index 0000000..50953e3 --- /dev/null +++ b/todo.md @@ -0,0 +1,22 @@ +# Project Optimizations TODO + +## 1. Consolidate and Refine Error Handling (`src/errors.rs`) +- [ ] Split errors into two domains: + - `StartupError`: For config parsing, database connection pooling, and server binding failures (can return `eyre` or `anyhow::Error` in `main.rs`). + - `ApiError`: Dedicated exclusively to HTTP responses. +- [ ] Add `tracing::error!` logging in the `IntoResponse` implementation for internal server errors (like `DbConnect`) before returning generic error JSON to clients. + +## 2. Reduce Boilerplate in Controllers (`src/controller/`) +- [ ] Leverage Axum's `FromRequest` and `IntoResponse` traits more heavily on models. +- [ ] Implement a custom extractor (e.g., using `validator` crate) to ensure controller signatures guarantee valid data (e.g., `ValidJson(payload)`). + +## 3. State Management (`src/state.rs`) +- [ ] Audit state struct to ensure `PgPool` is not wrapped in an unnecessary `Arc` (since it is already an `Arc` internally). +- [ ] Ensure application state leverages Axum's `FromRef` trait effectively for sub-components. + +## 4. Separation of Concerns in Database Repositories +- [ ] Update `user_repository.rs` and `refresh_token_repository.rs` methods to accept `&sqlx::PgPool` or `&mut sqlx::Transaction` as arguments to support multi-table atomic transactions cleanly. + +## 5. Clean up Middleware (`src/controller/middleware/`) +- [ ] Ensure `auth_middleware.rs` properly passes the authenticated user downstream using `Extension` or `State`. +- [ ] Create a `CurrentUser` Extractor so route handlers can easily extract the user via `async fn get_profile(user: CurrentUser)` instead of manually extracting extensions.
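Review bot: In section 5, the first item lists `Extension` or `State` as interchangeable ways to pass the authenticated user downstream, but Axum's `State` is application state shared by all requests, so a per-request user belongs in request extensions; drop "or `State`" from that item. The `CurrentUser` extractor item should also say what the extractor does when no user is present, for example rejecting with 401 so that a route accidentally left outside `auth_middleware.rs` fails closed instead of running unauthenticated. In section 4, "accept `&sqlx::PgPool` or `&mut sqlx::Transaction`" does not say how one method signature takes both; name the intended approach (such as a parameter generic over sqlx's `Executor` trait) so `user_repository.rs` and `refresh_token_repository.rs` end up with the same shape. In section 1, "`eyre` or `anyhow::Error`" leaves the choice open; pick one, and add to the `tracing::error!` item that the logged `DbConnect` detail should not include the connection string or credentials.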