Closer/qa
null 55699e17ed feat: security hardening, CI, analytics, invite deep links, solo mode, weekly recap
Roadmap phases 0-3.1 (see plan). Verified: unit tests, functions tests,
firestore rules 119/119, live emulator smokes.

Security + CI:
- Move App Check debug token out of committed build.gradle.kts to
  local.properties (secret() resolver: local.properties -> -P -> env);
  admin service-account key relocated outside the repo.
- Add GitHub Actions (android unit/scan/gitleaks, backend functions +
  rules emulator via emulators:exec) with a CI google-services.json stub
  and a reviewed .gitleaksignore baseline.
- Fix firestore rules tests to the current deployed contract (was 108/118,
  now 119/119).

Analytics + consent:
- FirebaseRetentionAnalytics behind a fail-safe composite sink, single-
  sourced hashing (AnalyticsHashing), Settings -> Privacy opt-out toggle
  gating Firebase + the sink, and the ~11 missing event call sites.
- NoPlaintextInAnalyticsTest guards the content-free rule at build time.

Funnel:
- Invite deep links (https App Link + closer:// fallback), JoinLink parser,
  PendingJoinCodeStore, prefilled/already-paired pairing, richer share text.
- Solo pre-pairing: UnpairedLockedCard on Play, SoloAnswerMigrator + consent
  dialog moving pre-pairing answers into Couple Lore.

Weekly recap:
- WeeklyRecapScreen driven by the existing generator from local answer data,
  Home card rewired, content-free shareable card.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-06 20:33:38 -05:00
..
README.md feat: security hardening, CI, analytics, invite deep links, solo mode, weekly recap 2026-07-06 20:33:38 -05:00
entrypoint_smoke.sh chore: working tree changes — QA docs, app tweaks, Cloud Functions updates 2026-06-27 13:31:09 -05:00
qa_push.js feat: security hardening, CI, analytics, invite deep links, solo mode, weekly recap 2026-07-06 20:33:38 -05:00

README.md

qa/ — re-runnable QA smokes (autonomous)

Durable, committed QA tooling so each round re-checks the fragile paths cheaply instead of by hand. See ClaudeQAPlan.md (Pass E crash-triage, Pass F cold-start ownership, Definition of Done) for how these fit the run.

entrypoint_smoke.sh — cold-start / entry-point launch integrity

The smoke that catches the "app opens and immediately closes" class (e.g. the splash-exit iconView NPE on a notification cold-start). That class breaks every notification at once (shared cold-start path) and is invisible to adb am start — only a REAL push tapped from the shade on a genuinely killed app reproduces it.

# both emulators; run after ANY change to MainActivity / splash / theme / manifest / nav / notifications, and every round
bash qa/entrypoint_smoke.sh emulator-5554 Y05AKO2IlTPMa0JQW1BiNIM0uzK2
bash qa/entrypoint_smoke.sh emulator-5556 imDjjOTTQvXGGjyUhUc5JSeHWkU2

Asserts each entry (launcher icon · each notification type tapped from a killed app · …) opens AND stays (process alive, 0 FATAL, off the launcher). PASS/FAIL/BLOCK:

  • FAIL = a real app crash (the bug). Pull the stack: adb -s <serial> logcat -d | grep -E "FATAL EXCEPTION|getIconView".
  • BLOCK = the push didn't reach the killed app (flaky emulator FCM / FcmRetry) — environmental, just rerun.
  • Runtime ~37 min (FCM retries); run in the background and read the matrix. Exit 0 only if 0 FAIL.

qa_push.js — send a real push (helper)

Sends a faithful notification+data FCM to a user's token so a killed app shows it and tapping cold-starts via the real OS handover. Use am kill (NOT am force-stop) to kill — force-stopped apps are excluded from FCM.

NODE_PATH=functions/node_modules node qa/qa_push.js <uid> partner_started_game game_type=this_or_that
NODE_PATH=functions/node_modules node qa/qa_push.js <uid> partner_finished_game game_type=wheel   # auto-resolves a completed session
NODE_PATH=functions/node_modules node qa/qa_push.js <uid> chat_message conversation_id=main

Test couple (current emulators)

  • coupleId Xal3Kw3gjSdn0niERYKJ
  • QA (emulator-5554) Y05AKO2IlTPMa0JQW1BiNIM0uzK2 · Sam (emulator-5556) imDjjOTTQvXGGjyUhUc5JSeHWkU2
  • Admin SA JSON: ~/.config/closer/closer-admin-sa.json (kept OUTSIDE the repo; override path via SA_JSON). For tools using Application Default Credentials: export GOOGLE_APPLICATION_CREDENTIALS=~/.config/closer/closer-admin-sa.json.