From 66eddb9a2af7120f85b7e31b9b9c8290040fee32 Mon Sep 17 00:00:00 2001 From: lila Date: Wed, 22 Apr 2026 21:09:24 +0200 Subject: [PATCH] creating backlog with issues --- documentation/backlog.md | 122 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 documentation/backlog.md diff --git a/documentation/backlog.md b/documentation/backlog.md new file mode 100644 index 0000000..8515238 --- /dev/null +++ b/documentation/backlog.md @@ -0,0 +1,122 @@ +# lila — backlog + +Labels: `[feature]` `[infra]` `[security]` `[ux]` `[debt]` + +--- + +## now + +Things that are actively in progress or should be picked up immediately. Mostly operational risk and the remaining phase 7 hardening work. + +- **Migrations in the deploy pipeline** `[infra]` `[debt]` + Run `drizzle migrate` as a step in the CI/CD pipeline before the API container is restarted. Deploying code before schema is applied causes crashes. See `deployment.md` — deploy order is currently documented but not enforced. + +- **Rate limiting on API endpoints** `[security]` + At minimum: auth endpoints (brute force prevention) and game endpoints (spam prevention). Consider `express-rate-limit`. + +- **404 and redirect handling** `[ux]` + Unknown routes return raw errors. Add a catch-all route on the frontend for client-side 404s. Consider a Caddy fallback for unrecognized subdomains. + +- **React error boundaries** `[ux]` + Catch and display runtime errors gracefully instead of crashing the entire app. + +- **Pin dependencies in package.json** `[debt]` `[infra]` + Unpinned deps in a CI/CD pipeline are a real risk. Pin all versions to exact values to prevent unexpected breakage on build. + +- **Docker credential helper** `[debt]` `[infra]` + Credentials are stored unencrypted in `~/.docker/config.json`. Set up a credential helper. See https://docs.docker.com/go/credential-store/ + +- **Google OAuth publishing** `[infra]` + Only test users can currently log in via Google. Publish the OAuth consent screen so any Google user can sign in — requires branding verification in Google Cloud Console. + +- **Hetzner domain migration check** `[infra]` + Verify whether the lilastudy.com domain needs to be migrated following a Hetzner DNS change. Check Hetzner dashboard for any pending migration notice. + +- **Security headers with helmet** `[security]` + Add helmet middleware to set secure HTTP response headers. One-liner: app.use(helmet()). Covers headers like X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy. + +--- + +## next + +Clearly planned work, not yet started. No hard ordering — sequence based on what unblocks real users first. + +- **Guest / try-now flow** `[feature]` + Allow users to play a quiz without signing in so they can see what the app offers before creating an account. Make auth middleware optional on game routes, add a "Try without account" button on the landing/login page. + +- **Favicon, page titles, Open Graph meta** `[ux]` + Add favicon, set proper per-route page titles, add Open Graph meta tags for link previews. + +- **Accessibility pass** `[ux]` + Keyboard navigation for quiz buttons, ARIA labels on interactive elements, focus management during quiz flow. + +- **Monitoring and logging** `[infra]` + Uptime monitoring and centralized logging on the VPS. Options: `chkrootkit`/`rkhunter` for security, `logwatch`/`monit` for daily summaries. + +- **Offsite backup storage** `[infra]` + Database backups currently live on the same VPS. Add offsite copies to Hetzner Object Storage or an S3-compatible service to protect against VPS failure. + +- **Valkey for game session store** `[infra]` + Add Valkey to the production Docker stack. Implement `ValkeyGameSessionStore` against the existing `GameSessionStore` interface. Required before multiplayer scales. + +- **User stats endpoint + profile page** `[feature]` + `GET /users/me/stats` returning games played, score history, etc. Frontend profile page displaying the stats. + +- **Admin dashboard** `[feature]` + User management, overview of words and languages, and per-term stats. Not urgent but has real operational value once real users are present. + +- **Email + password login** `[feature]` + Traditional email/password auth as an alternative to social login. Configure via Better Auth. + +- **Apple login** `[feature]` + Add Apple as a social login option via Better Auth. Requires Apple Developer account and Sign in with Apple configuration. + +- **Graceful WS reconnect** `[infra]` + Handle WebSocket disconnections gracefully. Reconnect with exponential back-off. Restore game state on reconnection if a game is still in progress. + +- **Configurable game settings in multiplayer lobby** `[feature]` + Game settings (mode, round count, timer duration, target score) are currently hardcoded. The host should be able to configure these when creating a lobby. Settings should be stored in the settings jsonb column on the lobbies table and passed through to the game service at start. + +--- + +## later + +Directionally right, timing is unclear. Revisit when the next/now work is done. + +- **Game modes** `[feature]` + Five modes are designed in `game_modes.md` — TV Quiz Show, Race to the Top, Chain Link, Elimination Round, Cooperative Challenge. The lobby infrastructure is mode-agnostic; each mode adds game logic only. First mode to implement is TBD. This is effectively a new phase. + +- **Single Player Extended** `[feature]` + Expanded singleplayer flow. Possible directions: longer sessions with increasing difficulty, streak bonuses, mixed POS/language rounds, progress tracking across sessions, timed challenge mode. + +- **Users in a separate database** `[infra]` + Architectural separation of auth/user data from vocabulary and game data. No immediate benefit — revisit after hardening is complete and user growth justifies the complexity. + +- **Modern env management** `[debt]` + Replace `.env` files with a more robust approach (e.g. `dotenvx`, `infisical`). Current setup works but is error-prone and not versioned. + +- **Reorganize datafiles and wordlists** `[debt]` + The current layout of `data-sources/`, `scripts/datafiles/`, `scripts/data-sources/`, and `packages/db/src/data/` is confusing with overlapping content. Consolidate into a clear structure. + +- **Resolve eslint peer dependency warning** `[debt]` + `eslint-plugin-react-hooks 7.0.1` expects `eslint ^3.0.0–^9.0.0` but found `10.0.3`. Low impact but worth cleaning up when nearby. + +- **husky + lint-staged** `[debt]` + Set up husky and lint-staged to run linting and formatting checks before every commit. Prevents CI failures from formatting or lint issues that slipped through locally. + +- **OpenAPI documentation for REST endpoints** `[feature]` + Document the API surface using OpenAPI/Swagger. Covers all REST endpoints with request/response shapes. Useful groundwork for the admin dashboard and any future contributors. + +--- + +## changelog + +Shipped milestones, newest first. + +- **04 - 2026 — Phase 6: Production deployment** — Hetzner VPS, Caddy HTTPS, Forgejo CI/CD, daily DB backups, cross-subdomain auth +- **04 - 2026 — Phase 5: Multiplayer game** — real-time simultaneous play, 15s server timer, live scoring, winner screen +- **04 - 2026 — Phase 4: Multiplayer lobby** — WebSocket server, lobby create/join, real-time player list +- **04 - 2026 — Phase 3: Auth** — Better Auth, Google + GitHub social login, session middleware, auth guard +- **04 - 2026 — Phase 2: Singleplayer UI** — full quiz loop in browser, game setup, question card, score screen +- **04 - 2026 — Phase 1: Vocabulary data + API** — WordNet/OMW data pipeline, CEFR enrichment, game session endpoints +- **04 - 2026 — Phase 0: Foundation** — pnpm monorepo, TypeScript, ESLint, Vitest, Drizzle, Docker Compose