forgejo-lila/lila
1
0
Fork 0
Code Issues 50 Pull requests Projects 1 Releases Packages Wiki Activity Actions
lila/documentation/backlog.md
lila 66eddb9a2a creating backlog with issues
2026-04-22 21:09:24 +02:00

7.1 KiB
Raw Blame History

lila — backlog

Labels: [feature] [infra] [security] [ux] [debt]

now

Things that are actively in progress or should be picked up immediately. Mostly operational risk and the remaining phase 7 hardening work.

  • Migrations in the deploy pipeline [infra] [debt] Run drizzle migrate as a step in the CI/CD pipeline before the API container is restarted. Deploying code before schema is applied causes crashes. See deployment.md — deploy order is currently documented but not enforced.

  • Rate limiting on API endpoints [security] At minimum: auth endpoints (brute force prevention) and game endpoints (spam prevention). Consider express-rate-limit.

  • 404 and redirect handling [ux] Unknown routes return raw errors. Add a catch-all route on the frontend for client-side 404s. Consider a Caddy fallback for unrecognized subdomains.

  • React error boundaries [ux] Catch and display runtime errors gracefully instead of crashing the entire app.

  • Pin dependencies in package.json [debt] [infra] Unpinned deps in a CI/CD pipeline are a real risk. Pin all versions to exact values to prevent unexpected breakage on build.

  • Docker credential helper [debt] [infra] Credentials are stored unencrypted in ~/.docker/config.json. Set up a credential helper. See https://docs.docker.com/go/credential-store/

  • Google OAuth publishing [infra] Only test users can currently log in via Google. Publish the OAuth consent screen so any Google user can sign in — requires branding verification in Google Cloud Console.

  • Hetzner domain migration check [infra] Verify whether the lilastudy.com domain needs to be migrated following a Hetzner DNS change. Check Hetzner dashboard for any pending migration notice.

  • Security headers with helmet [security] Add helmet middleware to set secure HTTP response headers. One-liner: app.use(helmet()). Covers headers like X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy.

next

Clearly planned work, not yet started. No hard ordering — sequence based on what unblocks real users first.

  • Guest / try-now flow [feature] Allow users to play a quiz without signing in so they can see what the app offers before creating an account. Make auth middleware optional on game routes, add a "Try without account" button on the landing/login page.

  • Favicon, page titles, Open Graph meta [ux] Add favicon, set proper per-route page titles, add Open Graph meta tags for link previews.

  • Accessibility pass [ux] Keyboard navigation for quiz buttons, ARIA labels on interactive elements, focus management during quiz flow.

  • Monitoring and logging [infra] Uptime monitoring and centralized logging on the VPS. Options: chkrootkit/rkhunter for security, logwatch/monit for daily summaries.

  • Offsite backup storage [infra] Database backups currently live on the same VPS. Add offsite copies to Hetzner Object Storage or an S3-compatible service to protect against VPS failure.

  • Valkey for game session store [infra] Add Valkey to the production Docker stack. Implement ValkeyGameSessionStore against the existing GameSessionStore interface. Required before multiplayer scales.

  • User stats endpoint + profile page [feature] GET /users/me/stats returning games played, score history, etc. Frontend profile page displaying the stats.

  • Admin dashboard [feature] User management, overview of words and languages, and per-term stats. Not urgent but has real operational value once real users are present.

  • Email + password login [feature] Traditional email/password auth as an alternative to social login. Configure via Better Auth.

  • Apple login [feature] Add Apple as a social login option via Better Auth. Requires Apple Developer account and Sign in with Apple configuration.

  • Graceful WS reconnect [infra] Handle WebSocket disconnections gracefully. Reconnect with exponential back-off. Restore game state on reconnection if a game is still in progress.

  • Configurable game settings in multiplayer lobby [feature] Game settings (mode, round count, timer duration, target score) are currently hardcoded. The host should be able to configure these when creating a lobby. Settings should be stored in the settings jsonb column on the lobbies table and passed through to the game service at start.

later

Directionally right, timing is unclear. Revisit when the next/now work is done.

  • Game modes [feature] Five modes are designed in game_modes.md — TV Quiz Show, Race to the Top, Chain Link, Elimination Round, Cooperative Challenge. The lobby infrastructure is mode-agnostic; each mode adds game logic only. First mode to implement is TBD. This is effectively a new phase.

  • Single Player Extended [feature] Expanded singleplayer flow. Possible directions: longer sessions with increasing difficulty, streak bonuses, mixed POS/language rounds, progress tracking across sessions, timed challenge mode.

  • Users in a separate database [infra] Architectural separation of auth/user data from vocabulary and game data. No immediate benefit — revisit after hardening is complete and user growth justifies the complexity.

  • Modern env management [debt] Replace .env files with a more robust approach (e.g. dotenvx, infisical). Current setup works but is error-prone and not versioned.

  • Reorganize datafiles and wordlists [debt] The current layout of data-sources/, scripts/datafiles/, scripts/data-sources/, and packages/db/src/data/ is confusing with overlapping content. Consolidate into a clear structure.

  • Resolve eslint peer dependency warning [debt] eslint-plugin-react-hooks 7.0.1 expects eslint ^3.0.0^9.0.0 but found 10.0.3. Low impact but worth cleaning up when nearby.

  • husky + lint-staged [debt] Set up husky and lint-staged to run linting and formatting checks before every commit. Prevents CI failures from formatting or lint issues that slipped through locally.

  • OpenAPI documentation for REST endpoints [feature] Document the API surface using OpenAPI/Swagger. Covers all REST endpoints with request/response shapes. Useful groundwork for the admin dashboard and any future contributors.

changelog

Shipped milestones, newest first.

  • 04 - 2026 — Phase 6: Production deployment — Hetzner VPS, Caddy HTTPS, Forgejo CI/CD, daily DB backups, cross-subdomain auth
  • 04 - 2026 — Phase 5: Multiplayer game — real-time simultaneous play, 15s server timer, live scoring, winner screen
  • 04 - 2026 — Phase 4: Multiplayer lobby — WebSocket server, lobby create/join, real-time player list
  • 04 - 2026 — Phase 3: Auth — Better Auth, Google + GitHub social login, session middleware, auth guard
  • 04 - 2026 — Phase 2: Singleplayer UI — full quiz loop in browser, game setup, question card, score screen
  • 04 - 2026 — Phase 1: Vocabulary data + API — WordNet/OMW data pipeline, CEFR enrichment, game session endpoints
  • 04 - 2026 — Phase 0: Foundation — pnpm monorepo, TypeScript, ESLint, Vitest, Drizzle, Docker Compose