spotlightcam/docs/TODO.md

# TODO - spotlight.cam

**Active tasks and roadmap**

---

## Current Status

**Phase:** MVP Complete - Ready for Production Deployment
**Tests:** 285/286 passing - 99.7% (73% coverage)
**Status:** Awaiting infrastructure setup

### High Priority Tasks

**🔴 CRITICAL: Recording Stats Update Mechanism**
- **Issue:** Fields `recordingsDone` and `recordingsReceived` exist in database but no mechanism to update them
- **Requirements:**
  - Analyze how to update these fields consistently with tier system and ratings
  - Determine update trigger: after match completion? after rating? automatic on suggestion acceptance?
  - Ensure consistency with existing rating system
  - Consider edge cases: declined suggestions, cancelled matches, incomplete ratings
  - Design API endpoints or automated triggers for stat updates
- **Impact:** Tier system fairness algorithm depends on accurate karma tracking
- **Dependencies:** Matches API, Ratings API, Recording Suggestions

### Recently Completed (2025-11-29)
- 3-Tier Account System (BASIC/SUPPORTER/COMFORT) with fairness algorithm
- Dual Buffer System (prep before + rest after dancing)
- Clickable Usernames with @ prefix in profiles
- Country Flags in Event Chat
- Mobile-first Design Improvements (page titles on mobile)
- Recording Matching System Improvements (collision detection, schedule config)
- Test Bot for Automated Testing

**Full history:** See `docs/archive/COMPLETED.md`

---

## Security Audit Findings

### Critical Issues (Must Fix Before Production)

| Issue | Severity | File | Action |
|-------|----------|------|--------|
| AWS Credentials in Git | 10/10 | `.env.production` | Rotate & remove from history |
| Weak JWT Secret | 9/10 | `.env.production` | Generate 64+ byte secret |
| Default DB Password | 8/10 | `docker-compose.yml` | Remove default fallback |

### High Priority Issues

| Issue | Severity | Action |
|-------|----------|--------|
| Missing HTTPS/TLS | 8/10 | Configure SSL certificate |
| Missing nginx security headers | 6/10 | Add X-Frame-Options, CSP, etc. |
| Dependency vulnerabilities | HIGH | Run `npm audit fix` |
| Excessive body size (500M) | 4/10 | Reduce to 10M |

### Positive Security Findings
- Strong authentication (JWT, bcrypt, email verification)
- Input validation (express-validator)
- Security headers (Helmet.js)
- Rate limiting implemented
- CORS configured
- SQL injection prevention (Prisma)
- Account lockout implemented
- WebRTC P2P (videos don't touch server)

---

## Pre-Deployment Checklist

- [ ] Rotate AWS credentials, remove from Git history
- [ ] Generate strong JWT_SECRET (64+ bytes)
- [ ] Set strong PostgreSQL password
- [ ] Configure HTTPS/TLS
- [ ] Add nginx security headers
- [ ] Run npm audit fix
- [ ] Reduce nginx body size limit

---

## Future Improvements (Optional)

### UX Enhancements
- Activity Feed (timeline of user activities)
- Smart sort order (unread first, pending ratings)
- User statistics (total matches, average rating)
- Sidebar filters (by nationality, division)

### Security Hardening
- Increase bcrypt rounds (10 → 12)
- Implement refresh token pattern
- Add Socket.IO rate limiting
- Sanitize chat messages

### Infrastructure
- CI/CD pipeline (GitHub Actions)
- E2E tests (Playwright)
- Security logging

---

## Progress Summary

| Phase | Status | Time |
|-------|--------|------|
| Phase 0: Frontend Mockup | ✅ Done | ~8h |
| Phase 1: Backend Foundation | ✅ Done | ~14h |
| Phase 1.5: Email & WSDC & Profiles | ✅ Done | ~12h |
| Phase 1.6: Competition Heats | ✅ Done | ~8h |
| Phase 2: Matches & Ratings | ✅ Done | ~10h |
| Phase 2.5: WebRTC P2P | ✅ Done | ~10h |
| Phase 3: MVP Finalization | ✅ Done | ~20h |
| **Total MVP** | **✅ Complete** | **~82h** |

---

## Quick Commands

```bash
# Development
docker compose up --build

# Tests
docker compose exec backend npm test

# Access
http://localhost:8080
```

---

**Last Updated:** 2025-11-29
**Full Details:** See `docs/archive/COMPLETED.md` for implementation details