Future — ideas & improvements backlog
Non-blocking ideas: things that work today but could be better, plus feature ideas. Actual bugs
(broken/incorrect behavior) live in ClaudeReport.md, not here.
QA
Improvement & feature ideas surfaced while QA-testing as a consumer (each works today — none are defects).
- Consistent brand glyphs across game cards + waiting/notification surfaces. (Blocked: needs the
generated G-set art — image generation is the user's step per
ClaudeBrandingReview.md.) Game cards (Play hub), the WaitingForPartner screen, and notifications mix Material icons with brand art. A small custom glyph set (the C-heart-keyhole mark, paired/sealed card, daily card, capsule, date-card, quiet-hours moon) used consistently would strengthen identity. Generate the G-set, drop the assets in, then wire them in. Prompted by: Pass H branding review.
Security hardening (defense-in-depth — not vulnerabilities; rules already hold)
- Enforce App Check on Firestore (currently OFF). Round 7 raw-API test: an authenticated request with no App Check token (raw Firestore REST) returned `200` for a member — so rules are the sole gate. Rules correctly deny non-members/cross-couple (all `403`), so this is not a live hole, but enabling App Check enforcement on Firestore would block non-app clients entirely (defense-in-depth). Prompted by: R7 D3 raw-API angle.
- Tighten the `users/{uid}` update rule to a field allowlist. The rule only blocks changing `hasPremium`; a user can write arbitrary other fields to their own doc (e.g. a cosmetic `plan`/junk). No gate reads those (premium gates on the server-only `users/{uid}/entitlements/premium` subcollection + `category.access`), so it grants nothing — but restricting updates to a known field set is cleaner. Prompted by: R7 D3 (`plan` field writable, unused by gating).
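Added sketch of the allowlist idea (not the project's actual rules file): the current "only block `hasPremium`" shape beside an allowlist version. The field names in the allowlist are placeholders (assumption), not the real `users/{uid}` schema.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // BEFORE (as the backlog describes it): the owner may update their own
    // doc; the only field-level check is that hasPremium must not change,
    // so any other field (e.g. a cosmetic `plan`) can be written freely.
    // match /users/{uid} {
    //   allow update: if request.auth != null
    //     && request.auth.uid == uid
    //     && !request.resource.data.diff(resource.data)
    //           .affectedKeys().hasAny(['hasPremium']);
    // }

    // AFTER: allowlist the fields a client may touch. hasPremium is not in
    // the list, so the old check is subsumed; touching any field outside
    // the list is denied. Field names here are placeholders (assumption).
    match /users/{uid} {
      allow update: if request.auth != null
        && request.auth.uid == uid
        && request.resource.data.diff(resource.data).affectedKeys()
             .hasOnly(['displayName', 'photoURL', 'quietHours', 'updatedAt']);
    }

    // App Check enforcement is a project setting (Firebase console >
    // App Check > Firestore), not something rules can express; rules stay
    // the gate for any request that reaches Firestore.
  }
}
```

`affectedKeys()` covers added, removed and changed keys, so a client cannot delete `hasPremium` either; verify with the emulator's rules tests before deploying.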
Artwork to generate (ChatGPT prompts, house-style-matched) lives in
ClaudeBrandingReview.md, not here.