Mike/Kordant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

get to prod tasks

Browse Source
This commit is contained in:
Michael Freno
2026-05-26 16:06:34 -04:00
parent 04e839640f
commit 5214412fff
105 changed files with 7447 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
tasks/android-production/01-play-store-assets.md Normal file
View File

@@ -0,0 +1,83 @@
# 01. Play Store Listing Assets
meta:
id: android-production-01
feature: android-production
priority: P1
depends_on: []
tags: [play-store, marketing, production]
objective:
- Create and upload all required Google Play Store listing assets for Android app submission
deliverables:
- Screenshots for phone, tablet, and foldable devices
- App metadata (title, description, keywords)
- Play Store listing content
- Store listing experiments setup
steps:
1. Determine required screenshot sizes:
- Phone: 16:9 or 9:16 aspect ratio, min 320px, max 3840px
- Tablet: 16:9 or 9:16 aspect ratio
- Foldable: specific sizes if targeting
- 2-8 screenshots per form factor
2. Create screenshot content plan:
- Screenshot 1: Dashboard with threat score
- Screenshot 2: DarkWatch exposure monitoring
- Screenshot 3: VoicePrint enrollment
- Screenshot 4: SpamShield call filtering
- Screenshot 5: HomeTitle property list
- Screenshot 6: Settings and profile
- Screenshot 7: Alerts and notifications
3. Capture screenshots:
- Use Android Emulator for precise control
- Or use Firebase Test Lab screenshotting
- Ensure status bar shows clean state
- Use demo data (no real user info)
4. Write app metadata:
- Title: Kordant (50 chars max)
- Short description: 80 chars
- Full description: 4000 chars
- Keywords in description (Google indexes description text)
- Category: Tools or Lifestyle
- Content rating questionnaire
5. Prepare Play Console listing:
- Upload screenshots for each form factor
- Upload feature graphic (1024x500)
- Upload app icon (512x512 PNG)
- Set pricing (free with subscriptions)
- Configure countries/regions
6. Set up store listing experiments:
- A/B test different screenshots
- A/B test different descriptions
- Measure conversion rates
tests:
- Visual: Review screenshots for quality
- Content: Verify no placeholder data
- Compliance: Check content rating accuracy
acceptance_criteria:
- Screenshots for phone (2-8 images)
- Screenshots for tablet (2-8 images, if supporting)
- Feature graphic uploaded (1024x500)
- App icon uploaded (512x512)
- App metadata complete and within limits
- Screenshots show real app UI with clean demo data
- No beta/test labels visible
- Content rating accurate and complete
- Store listing experiments configured
- All assets uploaded to Play Console
validation:
- Play Console → all screenshot slots filled
- Screenshots reviewed by designer → approved
- Metadata spell-checked and reviewed
- Content rating questionnaire submitted
notes:
- Google Play allows more flexibility in screenshot sizes than App Store
- Feature graphic is very important for conversion
- Consider localized screenshots for major markets
- Store listing experiments help optimize conversion

79
tasks/android-production/02-feature-graphic.md Normal file
View File

@@ -0,0 +1,79 @@
# 02. Feature Graphic & Promo Video
meta:
id: android-production-02
feature: android-production
priority: P2
depends_on: []
tags: [play-store, marketing, production]
objective:
- Create a compelling feature graphic and promotional video for the Google Play Store
deliverables:
- 1024x500 feature graphic
- 30-60 second promo video
- YouTube video link for Play Store
- Localized versions if applicable
steps:
1. Create feature graphic:
- Size: 1024x500 pixels (JPG or 24-bit PNG)
- Include app name and tagline
- Show app UI or brand imagery
- Use brand colors and typography
- Keep text minimal and readable
- Design for both light and dark Play Store themes
2. Plan promo video:
- 30-60 seconds showcasing core features
- Hook in first 5 seconds
- Show DarkWatch, VoicePrint, SpamShield, HomeTitle
- End with CTA "Download on Google Play"
- Background music (royalty-free)
3. Record and edit video:
- Use Android screen recorder or emulator
- Edit with DaVinci Resolve, Premiere, or CapCut
- Add smooth transitions
- Add text overlays for feature names
- Export in 1080p minimum
4. Upload to YouTube:
- Create unlisted or public video
- Add proper title, description, tags
- Add end screen with download link
- Copy video URL for Play Store
5. Upload to Play Console:
- Add feature graphic to store listing
- Add promo video URL
- Preview how it looks on Play Store
- Test on mobile and desktop Play Store
6. Create localized versions:
- Feature graphic text in Spanish, French (if targeting)
- Subtitles for promo video
tests:
- Visual: Review graphic and video quality
- Technical: Verify dimensions and format
- Content: Ensure no confidential data shown
acceptance_criteria:
- Feature graphic 1024x500 in correct format
- Promo video 30-60 seconds in 1080p
- Video uploaded to YouTube with proper metadata
- Feature graphic and video uploaded to Play Console
- Graphic readable on both light and dark themes
- Video showcases all core features
- CTA included at end of video
- No placeholder or test data visible
- Localized versions for supported markets
validation:
- Play Console preview → graphic and video display correctly
- YouTube video → plays correctly, good quality
- Mobile Play Store → graphic looks good on phone
- Team review → approved by 3+ members
notes:
- Feature graphic is the first thing users see on Play Store
- Video can significantly increase conversion rates
- Keep video under 60 seconds for best engagement
- Test video thumbnail for attractiveness

82
tasks/android-production/03-play-console.md Normal file
View File

@@ -0,0 +1,82 @@
# 03. Play Console Configuration
meta:
id: android-production-03
feature: android-production
priority: P1
depends_on: []
tags: [play-store, configuration, production]
objective:
- Complete all Google Play Console configuration for app submission and distribution
deliverables:
- App created in Play Console
- Signing key configured
- App bundles configured
- Pricing and distribution set
steps:
1. Create app in Play Console:
- App name: Kordant
- Default language: English
- App or game: App
- Free or paid: Free
2. Configure app signing:
- Generate upload key with keytool
- Upload public key certificate to Play Console
- Enable Google Play App Signing (recommended)
- Store keystore securely (password manager)
3. Set up internal testing:
- Create internal testing track
- Add test users by email
- Upload first internal build
- Verify testers can install
4. Configure store listing:
- Add screenshots, feature graphic, icon
- Write description and metadata
- Set category and contact details
- Add privacy policy URL
5. Set pricing and distribution:
- Price: Free
- Countries: All or selected
- Content rating: Everyone or Teen
- Complete content rating questionnaire
6. Configure in-app products (if applicable):
- Subscription products
- Managed products
- Promo codes for testing
7. Set up Play Integrity API:
- Enable for app attestation
- Configure server-side verification
- Add to backend API
tests:
- Build: Generate signed AAB (Android App Bundle)
- Upload: Upload to Play Console successfully
- Install: Testers can install from internal testing
acceptance_criteria:
- App created in Play Console
- App signing key generated and configured
- Google Play App Signing enabled
- Internal testing track created with testers
- Store listing complete with all assets
- Pricing set to free
- Distribution countries selected
- Content rating completed
- Play Integrity API enabled
- First build uploaded and processing
- Keystore backed up securely
validation:
- Generate signed AAB → successful
- Upload to Play Console → no errors
- Internal testers receive invite → can install
- Check Play Console → all sections green/complete
notes:
- Google Play App Signing is mandatory for new apps
- Keep keystore safe — losing it means losing ability to update app
- Internal testing is fastest way to distribute to team
- Play Integrity helps prevent tampered app usage

83
tasks/android-production/04-internal-testing.md Normal file
View File

@@ -0,0 +1,83 @@
# 04. Internal Testing Track
meta:
id: android-production-04
feature: android-production
priority: P1
depends_on: []
tags: [play-store, testing, production]
objective:
- Set up internal testing track with 20+ testers to validate app before public release
deliverables:
- Internal testing group with 20+ testers
- Testing feedback process
- Automated crash reporting
- Iteration cycle
steps:
1. Create internal testing track:
- In Play Console → Testing → Internal testing
- Add team members and trusted testers by email
- Target 20-100 testers
- Include various Android versions and devices
2. Upload first test build:
- Generate signed AAB
- Upload to internal testing track
- Add release notes
- Publish to internal testers
3. Prepare testing materials:
- Test invitation email template
- Testing checklist and focus areas
- Feedback collection form or channel
- Known issues list
4. Set up crash reporting:
- Integrate Firebase Crashlytics
- Enable NDK crash reporting if using native code
- Configure alerts for crash spikes
- Link crashes to specific builds
5. Collect and triage feedback:
- Review Play Console tester feedback
- Monitor Crashlytics for crashes
- Create issues from feedback
- Prioritize critical bugs
6. Iterate:
- Fix critical bugs within 1 week
- Upload new builds every 1-2 weeks
- Track tester retention and engagement
- Expand to closed testing after internal validation
7. Prepare for closed testing:
- Create closed testing track
- Plan external tester recruitment
- Prepare onboarding flow for new testers
tests:
- Distribution: Testers receive and install build
- Feedback: Feedback collection channel active
- Crash: Crash reporting receiving reports
acceptance_criteria:
- Internal testing track with 20+ testers
- First build uploaded and distributed
- Testers can install and run app
- Crash reporting active and receiving data
- Feedback collection process defined
- Known issues documented and shared
- New builds uploaded every 1-2 weeks
- Zero critical crashes in last 2 builds
- Closed testing track prepared
- Testers cover range of Android versions (10-14)
validation:
- Testers receive email invite → install app
- Run app → no immediate crashes
- Submit feedback → received by team
- Simulate crash → appears in Crashlytics
- Upload new build → testers receive update
notes:
- Internal testing is immediate (no review)
- Closed testing requires Google review (may take days)
- Use Firebase App Distribution for faster iteration if needed
- Test on physical devices, not just emulators

72
tasks/android-production/05-cert-pinning.md Normal file
View File

@@ -0,0 +1,72 @@
# 05. Certificate Pinning & Network Security Config
meta:
id: android-production-05
feature: android-production
priority: P1
depends_on: []
tags: [security, networking, production]
objective:
- Implement certificate pinning and network security configuration to prevent man-in-the-middle attacks
deliverables:
- network_security_config.xml with certificate pinning
- OkHttp certificate pinner configuration
- TLS 1.3 enforcement
- Certificate rotation support
steps:
1. Create network security config:
- Add res/xml/network_security_config.xml
- Configure domain config with certificate pinning
- Include production certificate hashes
- Add debug overrides for development
2. Implement OkHttp certificate pinner:
- Modify NetworkModule.kt or OkHttp client builder
- Add CertificatePinner with pinned certificates
- Support multiple pins for rotation
- Log pinning failures for monitoring
3. Configure TLS settings:
- Enforce TLS 1.3 in OkHttp connection specs
- Disable weak cipher suites
- Enable certificate transparency
4. Add to manifest:
- Add android:networkSecurityConfig to AndroidManifest.xml
- Reference network_security_config.xml
5. Implement certificate rotation:
- Support old and new certificate hashes
- Grace period during rotation (30 days)
- Alert when certificate nearing expiry
6. Add tests:
- Test with correct certificate → connection succeeds
- Test with wrong certificate → connection fails
- Test certificate rotation → seamless transition
tests:
- Unit: Test certificate pinning with mock certificates
- Integration: Test against staging with pinned cert
- Security: Attempt MITM with proxy → blocked
acceptance_criteria:
- network_security_config.xml present in resources
- Certificate pinning active on all API requests
- TLS 1.3 enforced
- MITM attacks blocked (tested with proxy tools)
- Certificate rotation supported with grace period
- Pinning failures logged
- Debug config separate from production
- Unit tests covering pinning success and failure
- No hardcoded certificates in source (use hashes)
validation:
- Run app with correct cert → API calls succeed
- Run app with Charles Proxy MITM → API calls fail
- Check logs → pinning verification logged
- Inspect manifest → networkSecurityConfig referenced
notes:
- Use public key pinning (SHA-256 hash) rather than full certificate
- Include backup pin for certificate rotation
- OkHttp's CertificatePinner is easy to configure
- Test on physical device — emulator may behave differently

86
tasks/android-production/06-root-detection.md Normal file
View File

@@ -0,0 +1,86 @@
# 06. Root Detection & Obfuscation (R8/ProGuard)
meta:
id: android-production-06
feature: android-production
priority: P1
depends_on: []
tags: [security, hardening, production]
objective:
- Enable code obfuscation with R8/ProGuard and implement root detection to protect the app on compromised devices
deliverables:
- R8/ProGuard enabled in release builds
- Root detection implementation
- Anti-tampering measures
- Code obfuscation rules
steps:
1. Enable R8/ProGuard:
- Set isMinifyEnabled = true in app/build.gradle.kts (currently false)
- Set isShrinkResources = true
- Add proguard-rules.pro with keep rules:
- Keep tRPC model classes (for serialization)
- Keep Retrofit interfaces
- Keep Compose navigation routes
- Keep Dagger/Hilt modules
2. Configure ProGuard rules:
- Keep all data model classes (User, Alert, Exposure, etc.)
- Keep Retrofit service interfaces
- Keep Hilt/Dagger components
- Keep Compose preview functions
- Keep enum values used in serialization
3. Implement root detection:
- Use RootBeer or similar library
- Check for common root indicators:
- su binary presence
- Busybox installation
- Test keys build
- Dangerous props
- Add custom checks for Magisk
4. Define root response:
- Degrade functionality (no biometric, no payments)
- Alert backend of root detection
- Allow basic monitoring features
5. Add anti-tampering:
- Verify app signature at runtime
- Check installer source (Google Play)
- Detect debug mode in release builds
- Detect emulator usage
6. Test obfuscation:
- Build release APK/AAB
- Verify classes obfuscated
- Test app functionality after obfuscation
- Verify no crashes from missing classes
tests:
- Build: Release build succeeds with R8 enabled
- Security: Root detection works on rooted device
- Functionality: App works correctly after obfuscation
acceptance_criteria:
- R8/ProGuard enabled (isMinifyEnabled = true)
- Resource shrinking enabled (isShrinkResources = true)
- ProGuard rules preserving all necessary classes
- Root detection active with multiple methods
- App degrades gracefully on rooted devices
- Backend alerted when root detected
- Code obfuscated in release builds
- Anti-tampering verifying app signature
- No crashes from obfuscation
- Release APK/AAB size reduced by >30%
validation:
- Build release → succeeds, no ProGuard warnings
- Decompile release APK → classes obfuscated
- Run on rooted device → degraded mode activated
- Run on non-rooted device → full functionality
- Check size → release build smaller than debug
notes:
- R8 is the modern replacement for ProGuard in Android
- isMinifyEnabled = false currently — this is a critical security gap
- Root detection can be bypassed — use as defense in depth
- Keep rules are critical — missing keeps cause runtime crashes
- Test thoroughly after enabling R8 — many issues only appear in release

80
tasks/android-production/07-encrypted-storage.md Normal file
View File

@@ -0,0 +1,80 @@
# 07. Encrypted SharedPreferences & DataStore Audit
meta:
id: android-production-07
feature: android-production
priority: P1
depends_on: []
tags: [security, data-protection, production]
objective:
- Audit and secure all local data storage using encrypted SharedPreferences and DataStore
deliverables:
- EncryptedSharedPreferences for sensitive data
- DataStore for preferences
- Secure data deletion
- Storage audit report
steps:
1. Audit current storage:
- Review all SharedPreferences usage
- Review DataStore usage
- Review CacheManager.kt
- Identify all sensitive data stored locally
2. Implement encrypted preferences:
- Use EncryptedSharedPreferences from androidx.security
- Store auth tokens, refresh tokens
- Store biometric preference
- Store user profile data
3. Configure DataStore:
- Use DataStore for non-sensitive preferences
- Theme, language, notification settings
- Migrate from SharedPreferences if needed
4. Secure CacheManager:
- Ensure no sensitive data in unencrypted cache
- Encrypt cached API responses containing PII
- Set cache size limits
- Implement secure eviction
5. Add secure deletion:
- Overwrite sensitive data before removal
- Clear all secure storage on logout
- Handle account deletion (GDPR)
6. Add backup exclusion:
- Exclude encrypted preferences from cloud backup
- Mark sensitive files with android:allowBackup="false"
- Document backup strategy
7. Test storage security:
- Verify data encrypted at rest
- Verify no plaintext sensitive data in files
- Test backup/restore behavior
tests:
- Unit: Test encrypted storage read/write
- Security: Verify no plaintext tokens in files
- Integration: Test logout clears all data
acceptance_criteria:
- All sensitive data in EncryptedSharedPreferences
- Auth tokens encrypted at rest
- Refresh tokens encrypted at rest
- Non-sensitive preferences in DataStore
- No sensitive data in unencrypted cache
- Secure deletion overwriting data
- Sensitive storage excluded from backup
- Logout clears all auth data
- Account deletion removes all local data
- No plaintext sensitive data discoverable in app files
validation:
- Inspect app files → no plaintext tokens
- Check EncryptedSharedPreferences → data encrypted
- Logout → all auth data cleared
- Backup app → sensitive data not included
- Account deletion → all data removed
notes:
- EncryptedSharedPreferences uses AES-256 encryption
- Master key stored in Android Keystore
- DataStore is modern replacement for SharedPreferences
- Consider using SQLCipher for database encryption if using Room

76
tasks/android-production/08-oauth-social-login.md Normal file
View File

@@ -0,0 +1,76 @@
# 08. OAuth & Social Login Integration
meta:
id: android-production-08
feature: android-production
priority: P1
depends_on: []
tags: [auth, security, production]
objective:
- Implement Google Sign-In and other OAuth providers, replacing any stubbed auth with real backend integration
deliverables:
- Google Sign-In integration
- Backend OAuth token exchange
- AuthRepository wired to real API
- Token refresh handling
steps:
1. Implement Google Sign-In:
- Configure Google Sign-In in Firebase Console
- Add google-services.json to project
- Integrate Google Sign-In SDK (com.google.android.gms:play-services-auth)
- Handle ID token and send to backend
2. Update backend for OAuth:
- Add OAuth endpoints to tRPC user router
- Verify Google ID token with Google certs
- Create/link user accounts from OAuth providers
- Return session token after OAuth login
3. Update AuthRepository:
- Modify AuthRepositoryImpl to use real API
- Implement login, signup, forgotPassword with real endpoints
- Handle OAuth token exchange
- Wire into AuthViewModel
4. Add token refresh:
- Implement refresh token rotation
- Silent token refresh on expiry
- Handle refresh failure (re-authenticate)
5. Add logout:
- Revoke OAuth tokens where possible
- Clear all local auth state
- Notify backend of logout
6. Handle errors:
- Map API errors to user-friendly messages
- Handle network errors gracefully
- Handle cancelled sign-in attempts
tests:
- Unit: Test OAuth token parsing
- Integration: Test Google Sign-In flow end-to-end
- Security: Verify token validation rejects invalid tokens
acceptance_criteria:
- Google Sign-In working with Firebase
- OAuth tokens verified server-side
- User accounts created or linked correctly
- AuthRepository uses real API in production
- Token refresh working silently
- Logout clears all auth state and revokes tokens
- Error handling for all auth scenarios
- Unit tests use mock repository
- Production builds use real repository
- No stubbed auth in production code
validation:
- Tap Google Sign-In → Google flow → authenticate → logged in
- Check backend → user created with Google provider
- Wait for token expiry → automatic refresh
- Logout → all tokens cleared, login screen shown
- Check build variant → debug uses staging, release uses production
notes:
- Google Sign-In is the most common OAuth on Android
- Consider adding Apple Sign-In for cross-platform consistency
- Backend must verify Google JWT with Google's public key
- Use Credential Manager for modern Android auth (API 34+)

75
tasks/android-production/09-image-caching.md Normal file
View File

@@ -0,0 +1,75 @@
# 09. Image Caching & Coil Optimization
meta:
id: android-production-09
feature: android-production
priority: P2
depends_on: []
tags: [performance, caching, production]
objective:
- Optimize Coil image caching and loading for better performance and reduced network usage
deliverables:
- Coil cache configuration
- Image loading optimization
- Lazy loading for lists
- Memory and disk cache limits
steps:
1. Configure Coil:
- Set up ImageLoader in KordantApp.kt
- Configure memory cache (50MB)
- Configure disk cache (100MB)
- Set crossfade animation
- Configure placeholder and error drawables
2. Optimize image loading:
- Use appropriate image sizes (thumbnail vs full)
- Enable image transformations (circle crop for avatars)
- Use WebP format where supported
- Configure request priorities
3. Implement lazy loading:
- Use LazyColumn for all lists
- Implement pagination for long lists
- Add prefetching for adjacent items
- Show skeleton placeholders while loading
4. Add offline support:
- Cache images for offline viewing
- Show cached images when offline
- Handle network errors gracefully
5. Optimize memory usage:
- Clear memory cache on low memory
- Limit concurrent image loads
- Cancel loads for off-screen items
6. Add tests:
- Test cache hit/miss behavior
- Test scrolling performance with many images
tests:
- Unit: Test cache configuration
- Performance: Test scrolling with 1000 images
- Memory: Verify no memory leaks
acceptance_criteria:
- Coil ImageLoader configured with 50MB memory / 100MB disk cache
- Lazy loading on all lists with pagination
- Image placeholders while loading
- Error state for failed loads
- Cache cleared on low memory
- Offline image viewing working
- Smooth 60fps scrolling on image-heavy screens
- No memory leaks in image loading
- Crossfade animation on image load
- Appropriate image sizes requested from backend
validation:
- Scroll through alert list → smooth, no stuttering
- Turn on airplane mode → cached images still visible
- Monitor memory → stable during image browsing
- Check cache directory → images stored with correct expiration
notes:
- Coil is already included in dependencies (libs.coil.compose)
- Configuration happens in Application class
- Use rememberAsyncImagePainter for Compose integration
- Test on low-end devices for performance validation

77
tasks/android-production/10-pagination-lists.md Normal file
View File

@@ -0,0 +1,77 @@
# 10. Pagination & List Performance
meta:
id: android-production-10
feature: android-production
priority: P2
depends_on: []
tags: [performance, lists, production]
objective:
- Implement pagination and optimize list performance to prevent ANRs and jank on large datasets
deliverables:
- Pagination for all list endpoints
- LazyColumn optimization
- DiffUtil or Compose lazy list optimization
- ANR prevention
steps:
1. Implement pagination:
- Add pagination to tRPC list endpoints (if not already)
- Use Paging 3 library for Jetpack Compose
- Configure page size (20-50 items)
- Add pagination parameters to API calls
2. Optimize LazyColumn:
- Use key parameter for item stability
- Use contentType for different item types
- Avoid unnecessary recompositions
- Use remember for expensive calculations
3. Add loading states:
- Skeleton placeholders while loading first page
- Load more indicator at bottom
- Empty state for no data
- Error state with retry
4. Optimize data flow:
- Use Flow/PagingData in ViewModels
- CollectAsStateWithLifecycle for Compose
- Avoid collecting flows in composables directly
5. Prevent ANRs:
- Move heavy calculations to background threads
- Use viewModelScope for coroutines
- Avoid blocking main thread
- Profile with Android Profiler
6. Add tests:
- Test pagination boundaries
- Test scroll performance
- Test memory usage with large lists
tests:
- Unit: Test pagination logic
- Performance: Scroll test with 1000+ items
- ANR: Profile main thread during list operations
acceptance_criteria:
- All lists paginated (20-50 items per page)
- Paging 3 library used for Compose integration
- LazyColumn with key and contentType optimization
- Skeleton placeholders on initial load
- Load more indicator on scroll
- Empty and error states handled
- No ANRs during list operations
- 60fps scrolling on lists >100 items
- Memory stable during list scrolling
- Unit tests for pagination logic
validation:
- Scroll through alert list → smooth 60fps
- Scroll to bottom → next page loads automatically
- Check Android Profiler → no main thread blocking
- Memory monitor → stable during scrolling
- Test with 1000 items → no ANR, no OOM
notes:
- Paging 3 is the modern standard for Android pagination
- ANRs on lists are often caused by blocking main thread
- Use LazyColumn, not Column, for long lists
- Test on low-end devices (Android 10, 2GB RAM)

82
tasks/android-production/11-background-sync.md Normal file
View File

@@ -0,0 +1,82 @@
# 11. Background Sync & WorkManager Optimization
meta:
id: android-production-11
feature: android-production
priority: P2
depends_on: []
tags: [performance, background, production]
objective:
- Optimize background sync using WorkManager to keep data fresh without excessive battery drain
deliverables:
- WorkManager periodic sync workers
- Battery-efficient sync strategy
- Constraint-based scheduling
- Sync status indicators
steps:
1. Audit existing sync:
- Review android/app/.../data/sync/SyncManager.kt
- Review OfflineWorker.kt
- Identify sync frequency and triggers
2. Optimize sync workers:
- Use PeriodicWorkRequest for regular sync (15 min minimum)
- Use OneTimeWorkRequest for immediate sync
- Set constraints: requires network, battery not low
- Use expedited work for urgent syncs
3. Implement battery-efficient sync:
- Batch network requests
- Use delta sync (only changed data)
- Respect doze mode and app standby
- Use JobScheduler for API 21-22 (WorkManager uses internally)
4. Add sync types:
- Alert sync: high priority, frequent
- Exposure sync: medium priority
- Spam database update: low priority, daily
- Watchlist sync: on change
5. Add user controls:
- Settings toggle for background sync
- Sync frequency preference (if applicable)
- Manual sync button in settings
- Last sync timestamp display
6. Handle failures:
- Exponential backoff for failed syncs
- Max retry limit
- Alert user after repeated failures
- Queue syncs for when online
7. Add tests:
- Test worker execution
- Test constraint handling
- Test battery impact
tests:
- Unit: Test worker logic
- Integration: Test WorkManager scheduling
- Battery: Verify minimal battery impact
acceptance_criteria:
- WorkManager configured for periodic sync
- Sync constraints: network available, battery not low
- Delta sync reducing data transfer
- Background sync respects doze mode
- User can enable/disable background sync
- Manual sync button in settings
- Last sync timestamp visible
- Failed syncs retry with exponential backoff
- Battery impact <5% per day from background sync
- Unit tests for all worker classes
validation:
- Enable background sync → workers scheduled
- Turn on airplane mode → sync deferred
- Disable battery saver → sync resumes
- Check battery settings → Kordant background usage minimal
- Trigger manual sync → data updates immediately
notes:
- WorkManager is already included (libs.work.runtime.ktx)
- Minimum periodic work interval is 15 minutes
- Android 12+ has stricter background restrictions
- Use Foreground Service for urgent syncs if needed

77
tasks/android-production/12-startup-anr.md Normal file
View File

@@ -0,0 +1,77 @@
# 12. App Startup Time & ANR Prevention
meta:
id: android-production-12
feature: android-production
priority: P2
depends_on: []
tags: [performance, startup, production]
objective:
- Optimize app startup time and prevent ANRs to ensure smooth user experience
deliverables:
- Startup time measurement and baseline
- Lazy initialization of heavy components
- ANR prevention measures
- App Startup library integration
steps:
1. Measure current startup time:
- Use Android Studio Profiler
- Use Macrobenchmark library
- Measure cold start (first launch)
- Measure warm start (subsequent launches)
- Establish baseline metrics
2. Optimize Application.onCreate:
- Minimize work in KordantApp.onCreate
- Use App Startup library for initialization ordering
- Defer non-critical initialization
- Initialize on background threads where possible
3. Lazy load heavy components:
- Defer TRPCApiService initialization until needed
- Lazy load repository dependencies
- Defer analytics initialization
- Use Dagger/Hilt lazy injection
4. Optimize theme and layout:
- Use simple splash theme (windowBackground only)
- Avoid complex layouts in first screen
- Preload critical resources
5. Prevent ANRs:
- Move all IO operations to background threads
- Use coroutines with Dispatchers.IO
- Avoid blocking main thread in composables
- Profile with StrictMode in debug builds
6. Add tests:
- Macrobenchmark tests for startup time
- ANR detection in CI
- Memory usage during startup
tests:
- Performance: Startup time <1.5s on Pixel 6
- ANR: No ANRs during critical flows
- Memory: No memory spikes during startup
acceptance_criteria:
- Cold startup time <1.5 seconds on Pixel 6
- Warm startup time <1 second on Pixel 6
- Splash screen visible for <500ms
- No blocking operations on main thread during startup
- Heavy components loaded lazily
- ANR-free during all critical user flows
- Macrobenchmark tests for startup time
- Startup time tracked in CI
- No StrictMode violations in debug builds
validation:
- Android Profiler → cold start <1.5s
- Macrobenchmark → startup metrics within budget
- StrictMode → no disk/network on main thread
- Physical device test → feels instant
- ANR traces → none from Kordant
notes:
- Android Vitals tracks startup time and ANRs automatically
- ANR threshold is 5 seconds for input, 10 seconds for BroadcastReceiver
- App Startup library helps manage initialization order
- Test on low-end devices (Android 10, 2GB RAM)

86
tasks/android-production/13-call-screening.md Normal file
View File

@@ -0,0 +1,86 @@
# 13. Call Screening Service Production Hardening
meta:
id: android-production-13
feature: android-production
priority: P1
depends_on: []
tags: [native-features, spamshield, production]
objective:
- Harden the CallScreeningService for production use with robust spam detection and minimal latency
deliverables:
- CallScreeningService production-ready
- Spam database local caching
- Real-time caller lookup
- Permission handling and user guidance
steps:
1. Audit existing service:
- Review android/app/.../service/CallScreeningService.kt
- Identify gaps in production readiness
- Test current functionality
2. Implement local spam database:
- Cache spam numbers locally (Room database)
- Sync with backend periodically
- Hash numbers for privacy
- Support pattern matching (wildcards)
3. Optimize lookup performance:
- Use indexed database queries
- Target <100ms lookup time
- Cache frequent lookups in memory
- Use Bloom filter for fast negative checks
4. Add caller identification:
- Display caller info for known contacts
- Show spam likelihood percentage
- Show spam category (telemarketer, scam, etc.)
5. Handle permissions:
- Request CALL_SCREENING role
- Guide user to Default Apps settings
- Handle permission denial gracefully
- Re-check permission on app launch
6. Add user controls:
- Toggle for call screening
- Toggle for call blocking
- Manage blocked numbers
- Report false positives/negatives
7. Add logging and analytics:
- Log screened calls (anonymized)
- Track block rate and accuracy
- Report metrics to backend
8. Test thoroughly:
- Test with simulated calls
- Test on physical devices
- Test with various carriers
tests:
- Unit: Test spam lookup logic
- Integration: Test CallScreeningService binding
- Device: Test with actual incoming calls
acceptance_criteria:
- CallScreeningService registered and active
- Local spam database synced daily
- Caller lookup <100ms
- Known spam calls blocked or flagged
- User can enable/disable screening
- Block list manageable from app
- Permission handling with user guidance
- False positive reporting mechanism
- No crashes during call handling
- Works on Android 10+ (API 29+)
- Battery impact minimal
validation:
- Enable call screening → incoming spam call blocked
- Check database → spam numbers cached locally
- Measure lookup time → <100ms
- Report false positive → number removed from block list
- Disable in app → screening stops
notes:
- CallScreeningService requires special role (not just permission)
- User must set app as default call screening app in Settings
- Different carriers may handle call screening differently
- Test thoroughly on physical devices with real SIM cards

89
tasks/android-production/14-notifications.md Normal file
View File

@@ -0,0 +1,89 @@
# 14. Notification Channels & Rich Notifications
meta:
id: android-production-14
feature: android-production
priority: P2
depends_on: []
tags: [native-features, notifications, production]
objective:
- Implement notification channels and rich notifications for Android 8+ with proper categorization and user controls
deliverables:
- Notification channels for all notification types
- Rich notifications with images and actions
- Notification permission handling (Android 13+)
- Deep linking from notifications
steps:
1. Create notification channels:
- Security Alerts (high importance, sound + vibration)
- Exposure Warnings (high importance)
- Scan Complete (default importance)
- Family Activity (default importance)
- Marketing/Promotions (low importance, no sound)
- System (low importance)
2. Configure channel properties:
- Importance levels appropriate per type
- Sound selection for alerts
- Vibration patterns
- LED color for alerts
- Lock screen visibility
3. Implement rich notifications:
- Large icon for user avatar or app icon
- BigPictureStyle for exposure screenshots
- BigTextStyle for alert descriptions
- MessagingStyle for family notifications
- Inline reply for quick actions
4. Add notification actions:
- Alert: "View Details", "Dismiss", "Mark Safe"
- Exposure: "View Exposure", "Start Removal"
- Scan Complete: "View Results", "Share"
5. Handle Android 13+ permissions:
- Request POST_NOTIFICATIONS permission
- Show rationale before system dialog
- Handle permission denial gracefully
- Guide users to Settings if denied
6. Add FCM integration:
- Review FCMService.kt
- Handle different message types
- Show notifications for data messages
- Handle notification tap actions
7. Test all scenarios:
- Foreground notification handling
- Background notification handling
- Killed app notification handling
- Notification action taps
tests:
- Unit: Test notification builder logic
- Integration: Test FCM message handling
- Device: Test on Android 10, 12, 13, 14
acceptance_criteria:
- Notification channels created for all types
- Channels have appropriate importance and settings
- Rich notifications with images and actions
- Notification permission requested on Android 13+
- Permission rationale shown before system dialog
- Deep links from notifications to correct screens
- Notification actions working
- FCM integration handling all message types
- Notifications grouped by channel
- No duplicate notifications
- Unit tests for notification builders
validation:
- Send test alert notification → displays with actions
- Send exposure notification → shows image
- Deny permission → app shows guidance to Settings
- Tap notification → opens correct screen
- Tap action button → correct action performed
- Check settings → notification channels visible
notes:
- Android 13 (API 33) requires runtime permission for notifications
- Notification channels cannot be changed programmatically after creation
- FCMService.kt already exists but may need enhancement
- Test on different OEM skins (Samsung, Xiaomi, Pixel)

84
tasks/android-production/15-shortcuts-widgets.md Normal file
View File

@@ -0,0 +1,84 @@
# 15. App Shortcuts & Widgets
meta:
id: android-production-15
feature: android-production
priority: P2
depends_on: []
tags: [native-features, widgets, production]
objective:
- Implement app shortcuts and home screen widgets to improve user engagement and accessibility
deliverables:
- Dynamic and static app shortcuts
- Home screen widget (threat score)
- Widget configuration
- Shortcut deep linking
steps:
1. Implement app shortcuts:
- Static shortcuts in shortcuts.xml:
- "View Dashboard" → opens dashboard
- "Check Alerts" → opens alerts
- "Run Scan" → starts DarkWatch scan
- Dynamic shortcuts:
- "Recent Alert" → opens latest alert
- "Quick Check" → runs quick threat assessment
2. Create home screen widget:
- GlanceAppWidget for modern Compose widgets
- Or traditional AppWidgetProvider
- Sizes: 2x1 (threat score), 3x2 (score + alerts)
- Update every 30 minutes (widget limit)
3. Design widget UI:
- Match app design system
- Show threat score with color coding
- Show number of unread alerts
- Show last update time
- Support dark/light themes
4. Implement widget updates:
- Update on app data refresh
- Schedule periodic updates
- Handle widget configuration changes
5. Add deep linking:
- Tap widget → open dashboard
- Tap alert count → open alerts list
- Tap threat score → open dashboard
6. Add preview:
- Widget preview image for picker
- Description for accessibility
7. Test:
- Add widget to home screen
- Verify updates work
- Test shortcuts
tests:
- Unit: Test widget provider
- Integration: Test shortcut deep links
- UI: Test widget rendering
acceptance_criteria:
- 3+ app shortcuts defined
- Static shortcuts working
- Dynamic shortcuts updated based on user activity
- Home screen widget showing threat score
- Widget updates every 30 minutes
- Widget supports dark and light themes
- Deep links from shortcuts and widgets work
- Widget preview in picker
- No crashes when widget data missing
- Widgets work on Android 8+ (API 26+)
validation:
- Long press app icon → shortcuts visible
- Tap shortcut → correct screen opens
- Add widget to home screen → threat score displayed
- Receive new alert → widget updates
- Tap widget → dashboard opens
- Check widget in dark mode → colors correct
notes:
- App shortcuts are great for power users
- Widgets use RemoteViews (limited UI capabilities)
- Glance is modern but requires additional dependency
- Test on different launchers (Pixel, Samsung, Nova)

78
tasks/android-production/16-app-actions.md Normal file
View File

@@ -0,0 +1,78 @@
# 16. App Actions & Slices
meta:
id: android-production-16
feature: android-production
priority: P3
depends_on: []
tags: [native-features, assistant, production]
objective:
- Implement App Actions for Google Assistant integration, allowing users to interact with Kordant via voice commands
deliverables:
- App Actions XML definitions
- Fulfillment handlers for voice commands
- Built-in intents (BIIs) integration
- Test with Assistant
steps:
1. Define App Actions:
- Check threat score: "Hey Google, check my threat score on Kordant"
- Run security scan: "Hey Google, run a security scan on Kordant"
- Check alerts: "Hey Google, do I have security alerts on Kordant"
- Open dashboard: "Hey Google, open Kordant"
2. Create actions.xml:
- Define built-in intents (actions.intent.OPEN_APP_FEATURE)
- Map intents to app deep links
- Add parameter extraction
3. Implement fulfillment:
- Handle incoming intents in MainActivity
- Extract parameters from voice commands
- Navigate to correct screen
- Return results to Assistant (if applicable)
4. Add deep links:
- kordant://dashboard
- kordant://alerts
- kordant://scan
- kordant://settings
5. Test with Assistant:
- Use App Actions test tool
- Test on physical device with Assistant
- Verify voice commands work end-to-end
6. Add Slice (optional):
- Create SliceProvider for threat score
- Show in Google Search results
- Update periodically
7. Document:
- List of supported voice commands
- Example phrases for users
tests:
- Unit: Test intent handling
- Integration: Test with App Actions test tool
- Device: Test with Google Assistant
acceptance_criteria:
- App Actions defined in actions.xml
- 3+ voice commands working
- Built-in intents properly mapped
- Deep links handling all actions
- Assistant returns to app after command
- App Actions test tool passes all tests
- Voice commands tested on physical device
- Documentation of supported commands
- Slices implemented (optional)
- No crashes from malformed intents
validation:
- Say "Hey Google, check my threat score on Kordant" → app opens to dashboard
- Say "Hey Google, run a security scan on Kordant" → scan initiated
- App Actions test tool → all tests pass
- Check Google Assistant → Kordant listed in supported apps
notes:
- App Actions require Google Play Services
- Built-in intents are limited — custom intents not supported for third-party apps
- Slices are being deprecated in favor of Widgets
- Focus on most useful commands (check score, run scan)

86
tasks/android-production/17-ui-test-suite.md Normal file
View File

@@ -0,0 +1,86 @@
# 17. UI Test Suite (Compose Testing)
meta:
id: android-production-17
feature: android-production
priority: P1
depends_on: []
tags: [testing, ui-tests, quality]
objective:
- Implement comprehensive UI tests using Jetpack Compose Testing framework for all critical user journeys
deliverables:
- Compose UI tests for auth flows
- Compose UI tests for dashboard and services
- Compose UI tests for settings
- Test utilities and mocks
steps:
1. Set up Compose testing:
- Dependencies already in build.gradle.kts (androidx.compose.ui.test.junit4)
- Create test directory structure
- Add TestRule for ComposeTestRule
2. Create auth tests:
- Test onboarding flow
- Test login with valid credentials
- Test login with invalid credentials
- Test signup flow
- Test forgot password flow
- Test biometric prompt
3. Create dashboard tests:
- Test dashboard loads with widgets
- Test navigation to services
- Test alert list and detail
- Test threat score display
- Test pull-to-refresh
4. Create service tests:
- Test DarkWatch screen
- Test VoicePrint screen
- Test SpamShield screen
- Test HomeTitle screen
- Test RemoveBrokers screen
5. Create settings tests:
- Test settings screen loads
- Test profile update
- Test notification toggles
- Test logout
6. Add test utilities:
- Mock repository implementations
- Test data factories
- Navigation test helpers
- Hilt test configuration
7. Configure CI:
- Run UI tests on PR
- Test on multiple API levels (28, 30, 33, 34)
- Generate test reports
tests:
- UI: All critical paths covered
- CI: Tests run automatically
- Coverage: 80%+ of composables tested
acceptance_criteria:
- 20+ Compose UI test cases
- Auth flow fully tested
- All 5 services have UI tests
- Dashboard and alerts tested
- Settings and profile tested
- Tests run on API 28, 30, 33, 34
- Tests complete in <10 minutes
- Hilt injection working in tests
- Mock repositories for isolated tests
- CI runs UI tests on every PR
- Screenshots on failure
validation:
- Run UI tests → all pass
- Introduce UI bug → test fails
- Check test report → screenshots for failures
- CI pipeline → UI tests green
notes:
- Compose testing uses semantics and test tags
- Use createComposeRule() for Compose tests
- Hilt testing requires HiltTestApplication
- Test on emulators with different screen sizes

79
tasks/android-production/18-screenshot-testing.md Normal file
View File

@@ -0,0 +1,79 @@
# 18. Screenshot Testing (Paparazzi)
meta:
id: android-production-18
feature: android-production
priority: P2
depends_on: []
tags: [testing, screenshots, quality]
objective:
- Implement screenshot testing with Paparazzi to catch UI regressions across different screen sizes and themes
deliverables:
- Paparazzi integration
- Screenshot tests for key screens
- CI verification for screenshot changes
- Golden screenshot baseline
steps:
1. Add Paparazzi:
- Add plugin to build.gradle.kts
- Configure for library or application module
- Set up test directory
2. Create screenshot tests:
- Test LoginScreen in light and dark themes
- Test DashboardScreen with data
- Test AlertItem component
- Test ServiceRow component
- Test SettingsScreen
- Test empty states and error states
3. Generate golden screenshots:
- Run tests to generate baseline screenshots
- Review and commit baseline images
- Document generation process
4. Add CI integration:
- Run screenshot tests on PR
- Fail on unapproved changes
- Upload diff images for review
- Require approval for screenshot changes
5. Test multiple configurations:
- Light theme
- Dark theme
- Different screen widths (phone, tablet)
- Different font sizes
- RTL layout (if supporting)
6. Maintain screenshots:
- Update baseline when UI intentionally changes
- Document update process in README
- Review all screenshot changes in PR
tests:
- Visual: Screenshot tests pass with no changes
- Regression: UI change detected and flagged
- Coverage: All key screens have screenshot tests
acceptance_criteria:
- Paparazzi integrated and configured
- Screenshot tests for 10+ key screens/components
- Golden baseline screenshots generated
- Tests cover light and dark themes
- Tests cover phone and tablet sizes
- CI runs screenshot tests and flags changes
- Diff images uploaded for review
- Screenshot changes require explicit approval
- No false positives from font rendering differences
- Documentation for updating baselines
validation:
- Run screenshot tests → all pass (no changes)
- Change button color → test fails with diff image
- Review diff → clearly shows what changed
- Update baseline → tests pass again
- CI → screenshot check green or shows diff
notes:
- Paparazzi runs tests on JVM (fast, no emulator needed)
- Golden images must be committed to repository
- Be careful with font rendering differences across OS
- Consider using Roborazzi for Compose-specific screenshot testing

82
tasks/android-production/19-accessibility-audit.md Normal file
View File

@@ -0,0 +1,82 @@
# 19. Accessibility Audit (TalkBack)
meta:
id: android-production-19
feature: android-production
priority: P2
depends_on: []
tags: [testing, accessibility, compliance]
objective:
- Ensure the Android app is fully accessible with TalkBack and meets WCAG 2.1 AA mobile guidelines
deliverables:
- TalkBack audit report
- Accessibility labels on all elements
- Dynamic Type support
- Color contrast verification
steps:
1. Audit all screens with TalkBack:
- Enable TalkBack (Settings → Accessibility)
- Navigate every screen using swipe gestures
- Verify all interactive elements have labels
- Verify logical reading order
- Test with eyes closed
2. Add missing accessibility labels:
- Add contentDescription to all Image composables
- Add semantics { contentDescription = "..." } to icons
- Group related elements with mergeDescendants
- Add state descriptions for toggles
3. Test Dynamic Type:
- Enable largest font size in Settings
- Test all screens at largest text size
- Verify no truncation or overlap
- Use scrollable containers where needed
4. Verify color contrast:
- Test all text/background combinations
- Ensure 4.5:1 ratio for normal text
- Ensure 3:1 ratio for large text and UI components
- Test in both light and dark themes
5. Test Switch Access:
- Enable Switch Access
- Verify all actions reachable
- Test focus traversal order
6. Test keyboard navigation:
- Navigate with Bluetooth keyboard
- Verify Tab order logical
- Verify Enter/Space activation
7. Add automated tests:
- Use AccessibilityScanner for quick checks
- Add Compose semantics tests
- Test with uiautomator
tests:
- Manual: Full TalkBack navigation of all screens
- Automated: AccessibilityScanner results
- Visual: Color contrast verification
acceptance_criteria:
- All interactive elements have content descriptions
- TalkBack reads logical description for every element
- Dynamic Type supported at all sizes
- Color contrast ≥4.5:1 for all text
- Switch Access navigable
- Keyboard navigation works
- No accessibility warnings in lint
- Accessibility audit report completed
- Screenshots at largest font size showing no issues
- Compose semantics tests passing
validation:
- Turn on TalkBack → navigate entire app without visual
- Enable largest font size → all screens readable
- Check contrast → all combinations pass
- Run AccessibilityScanner → no suggestions
- Lint check → no accessibility warnings
notes:
- Compose has good accessibility by default but custom composables need attention
- Use Modifier.semantics { } for custom accessibility
- Test on physical device — emulator TalkBack is limited
- Consider hiring accessibility consultant for thorough audit

87
tasks/android-production/20-firebase-test-lab.md Normal file
View File

@@ -0,0 +1,87 @@
# 20. Firebase Test Lab Integration
meta:
id: android-production-20
feature: android-production
priority: P2
depends_on: []
tags: [testing, device-farm, quality]
objective:
- Integrate Firebase Test Lab for automated testing on a wide range of physical Android devices
deliverables:
- Firebase Test Lab configuration
- Robo test configuration
- Instrumentation test execution
- Test results and reports
steps:
1. Set up Firebase Test Lab:
- Create Firebase project
- Link to Google Play Console
- Enable Blaze plan (pay-as-you-go)
- Install gcloud CLI
2. Configure test matrix:
- Select device models:
- Pixel 6 (API 33)
- Pixel 4 (API 30)
- Samsung Galaxy S21 (API 31)
- Xiaomi Redmi (API 29)
- Low-end device (API 28, 2GB RAM)
- Select orientations: portrait, landscape
- Select locales: en_US, es_ES
3. Run Robo tests:
- Upload APK/AAB
- Configure Robo crawl (timeout, login credentials)
- Run on device matrix
- Review crawl map and screenshots
4. Run instrumentation tests:
- Upload test APK
- Configure test runner
- Execute UI tests on device matrix
- Collect test results and videos
5. Integrate with CI:
- Add gcloud commands to GitHub Actions
- Run on release builds
- Block release on critical failures
- Upload results as artifacts
6. Analyze results:
- Review screenshots from all devices
- Watch test videos for failures
- Check performance metrics
- Document device-specific issues
7. Fix issues:
- Address failures on specific devices
- Fix OEM-specific bugs
- Optimize for low-end devices
tests:
- Device: All selected devices pass tests
- Regression: No new failures compared to previous run
- Performance: App responsive on all devices
acceptance_criteria:
- Firebase Test Lab project configured
- Test matrix with 5+ different devices
- Robo tests running on each release build
- Instrumentation tests running on device matrix
- CI integration for automated execution
- Test results archived
- Screenshots and videos from all test runs
- Device-specific issues identified and fixed
- No crashes on any tested device
- Performance acceptable on low-end device
validation:
- Run tests via gcloud → all devices complete
- Review results → screenshots show correct UI
- Watch videos → no ANRs or crashes
- Check performance metrics → within budget
- CI pipeline → Test Lab results green
notes:
- Firebase Test Lab is free for first 100 device-minutes/day (physical)
- Robo tests are great for exploratory testing without writing tests
- Physical devices are more reliable than virtual devices
- Test on low-end devices to catch performance issues

84
tasks/android-production/21-api-verification.md Normal file
View File

@@ -0,0 +1,84 @@
# 21. Real API Client Verification & Wire-up
meta:
id: android-production-21
feature: android-production
priority: P1
depends_on: []
tags: [backend, api, production]
objective:
- Verify and complete the real API client integration, ensuring all endpoints are wired correctly to the production backend
deliverables:
- API endpoint verification report
- AuthRepository using real API
- Error handling and retry logic
- Environment-based configuration
steps:
1. Audit current API integration:
- Review android/app/.../data/remote/TRPCApiService.kt
- Review all repository implementations
- Check AuthRepositoryImpl
- Identify any stubbed or mock implementations
2. Verify all endpoints:
- Compare TRPCApiService methods with backend routers
- Ensure all mobile-needed endpoints are implemented
- Verify request/response models match backend schemas
- Test each endpoint against staging backend
3. Implement missing endpoints:
- Add any missing tRPC procedures
- Update request/response models
- Add error handling for new endpoints
4. Configure environment:
- Debug builds → staging API (10.0.2.2 or staging URL)
- Release builds → production API
- Use BuildConfig.API_BASE_URL correctly
- Add build variant configuration
5. Add error handling:
- Map tRPC error codes to user-friendly messages
- Handle network errors (timeout, no connection)
- Handle 401/403 authentication errors
- Handle 500 server errors
- Add retry logic with exponential backoff
6. Add logging:
- Log API requests in debug builds
- Log errors in all builds
- Sanitize logs (no tokens, no PII)
7. Test integration:
- Test auth flow end-to-end
- Test dashboard data loading
- Test all service screens
- Test offline behavior
tests:
- Unit: Test API service with MockWebServer
- Integration: Test against staging backend
- E2E: Complete critical flows on physical device
acceptance_criteria:
- All TRPC endpoints verified against backend
- AuthRepository using real API (no stubs)
- All repositories wired to real API service
- Debug builds use staging API
- Release builds use production API
- Error handling for all error types
- Retry logic with exponential backoff
- Request logging in debug builds
- No PII in logs
- Unit tests with MockWebServer
- Integration tests passing against staging
validation:
- Build debug → login to staging → success
- Build release → login to production → success
- Run unit tests → all pass with mocks
- Check logs → no sensitive data exposed
- Test all screens → data loads correctly
notes:
- TRPCApiService.kt exists but verify all endpoints are correct
- Some endpoints may have changed during development
- MockWebServer is already in test dependencies
- Coordinate with backend team on any API changes

78
tasks/android-production/22-token-refresh.md Normal file
View File

@@ -0,0 +1,78 @@
# 22. Token Refresh & Session Management
meta:
id: android-production-22
feature: android-production
priority: P1
depends_on: [android-production-21]
tags: [backend, auth, production]
objective:
- Implement automatic token refresh and robust session management to prevent unexpected logouts
deliverables:
- OkHttp authenticator for token refresh
- Token refresh interceptor
- Silent re-authentication flow
- Session expiry handling
steps:
1. Implement OkHttp authenticator:
- Add Authenticator to OkHttp client in NetworkModule.kt
- Detect 401 responses
- Attempt refresh with refresh token
- Retry original request with new token
2. Handle concurrent requests:
- Use Mutex or synchronized block to prevent duplicate refresh
- Queue requests while refresh in progress
- Use Kotlin coroutines for async coordination
3. Add token refresh endpoint:
- Ensure backend supports refresh token endpoint
- Implement refresh in AuthRepository
- Store new access and refresh tokens
4. Implement proactive refresh:
- Parse JWT expiry claim
- Refresh 5 minutes before expiry
- Schedule refresh on app foreground
5. Handle edge cases:
- Refresh token expired → logout user
- Network unavailable → queue and retry
- Refresh fails → prompt re-authentication
6. Update AuthViewModel:
- Expose session state
- Handle refresh failures gracefully
- Auto-logout on persistent auth failures
7. Add tests:
- Test token refresh logic
- Test concurrent request handling
- Test session expiry scenarios
tests:
- Unit: Test authenticator with MockWebServer
- Integration: Test refresh flow end-to-end
- E2E: Test session expiry behavior
acceptance_criteria:
- Token refresh automatic and transparent to user
- Concurrent requests queued during refresh
- Proactive refresh 5 minutes before expiry
- Biometric re-auth offered if refresh fails
- Session restored on app relaunch (if tokens valid)
- Graceful logout if all auth methods fail
- No duplicate refresh requests
- Background refresh on app foreground
- Unit tests covering all refresh scenarios
- MockWebServer tests for authenticator
validation:
- Wait for token expiry → app refreshes automatically
- Trigger 401 → refresh attempted, request retried
- Revoke refresh token → app prompts re-auth
- Background app → foreground → token refreshed if needed
- Check logs → no duplicate refresh requests
notes:
- OkHttp Authenticator is the standard way to handle 401s
- Use EncryptedSharedPreferences for token storage
- Consider using Credential Manager for modern auth (API 34+)
- Backend must support refresh token endpoint

84
tasks/android-production/23-offline-sync.md Normal file
View File

@@ -0,0 +1,84 @@
# 23. Offline Sync & Conflict Resolution
meta:
id: android-production-23
feature: android-production
priority: P2
depends_on: [android-production-21]
tags: [backend, offline, production]
objective:
- Implement robust offline mode with sync conflict resolution for all user actions
deliverables:
- Offline queue improvements
- Sync conflict resolution strategy
- Offline UI indicators
- Data consistency guarantees
steps:
1. Audit existing offline support:
- Review android/app/.../data/sync/SyncManager.kt
- Review OfflineWorker.kt
- Review PendingRequestQueue.kt
- Identify gaps in offline handling
2. Improve offline queue:
- Support all mutation types (add, update, delete)
- Add request deduplication
- Add request ordering (dependencies)
- Increase max retry count with exponential backoff
3. Implement conflict resolution:
- Define strategy per data type:
- Server wins for most data (alerts, exposures)
- Last write wins for user preferences
- Merge for watchlist items
- Add conflict detection (version numbers or timestamps)
- Show conflict UI for manual resolution (if needed)
4. Add offline UI:
- Offline indicator in status bar
- Disabled actions when offline
- "Sync pending" badges on modified items
- Pull-to-refresh with offline state
5. Implement data consistency:
- Optimistic updates (update UI immediately, sync in background)
- Rollback on sync failure
- Verify server state after sync
- Handle partial sync failures
6. Add background sync:
- Process queue on app foreground
- Process queue on network restoration
- Schedule periodic sync attempts
7. Test offline scenarios:
- Create watchlist item offline → syncs when online
- Delete exposure offline → syncs when online
- Modify settings offline → syncs when online
- Conflicting edits on multiple devices
tests:
- Unit: Test queue ordering and deduplication
- Integration: Test sync after offline period
- E2E: Test conflicting edits resolution
acceptance_criteria:
- All mutations queued when offline
- Queue processed automatically when online
- Optimistic updates show immediately
- Failed operations roll back UI changes
- Conflict resolution strategy defined per data type
- Offline indicator visible in UI
- Sync pending badges on modified items
- No data loss during sync failures
- Background sync on app foreground and network restore
- Unit tests for all offline scenarios
validation:
- Enable airplane mode → create watchlist item → badge shows
- Disable airplane mode → item syncs → badge clears
- Edit same item on web and Android → conflict resolved correctly
- Kill app during sync → queue persists, resumes on relaunch
notes:
- SyncManager.kt and OfflineWorker.kt already exist but may need enhancement
- Room database can help with offline queue persistence
- Simple server-wins strategy is acceptable for MVP
- Consider using WorkManager for reliable background sync

82
tasks/android-production/24-fcm-deep-links.md Normal file
View File

@@ -0,0 +1,82 @@
# 24. FCM Push Notification Deep Linking
meta:
id: android-production-24
feature: android-production
priority: P2
depends_on: [android-production-21]
tags: [native-features, push-notifications, production]
objective:
- Ensure FCM push notifications correctly deep link to relevant screens with proper handling of app state
deliverables:
- Deep link routing for all notification types
- Cold start handling
- Background notification processing
- Notification analytics
steps:
1. Audit existing FCM handling:
- Review android/app/.../service/FCMService.kt
- Review NavGraph.kt for deep links
- Identify gaps in notification handling
2. Implement deep link routes:
- Alert notification → AlertDetail screen
- Exposure notification → DarkWatch screen
- Scan complete → Dashboard screen
- Family invite → Settings/Family
- Subscription renewal → Settings/Billing
- Marketing → Landing or specific feature
3. Handle app states:
- App closed (cold start): launch → process notification → navigate
- App background: wake → process → navigate
- App foreground: show in-app snackbar → navigate on tap
4. Add notification actions:
- Alert: "View Details", "Dismiss", "Mark Safe"
- Exposure: "View Exposure", "Start Removal"
- Scan Complete: "View Results", "Share"
5. Implement analytics:
- Track notification delivery
- Track notification open rates
- Track conversion from notification to action
- A/B test notification copy
6. Add notification preferences:
- Allow user to customize notification types
- Respect system notification settings
- Update backend preferences
7. Test all scenarios:
- Cold start from each notification type
- Background tap on notification
- Foreground notification handling
- Action button taps
tests:
- Unit: Test deep link route mapping
- Integration: Test FCM message handling
- Device: Send test notifications via Firebase Console
acceptance_criteria:
- All notification types deep link to correct screens
- Cold start from notification opens correct screen
- Background notification tap navigates correctly
- Foreground notifications show in-app snackbar
- Actionable notification buttons work
- Notification preferences respected
- Analytics tracking delivery and open rates
- Rich notifications with images render correctly
- No crashes from malformed notification payloads
- Unit tests for all deep link routes
validation:
- Send test alert notification → tap → AlertDetail opens
- Send exposure notification → app closed → DarkWatch opens
- Receive notification in foreground → snackbar shown
- Tap action button → correct action performed
- Check analytics → open rate tracked
notes:
- FCMService.kt already exists but may need enhancement
- Use NavDeepLinkBuilder for proper deep linking
- Test on different OEM skins (Samsung, Xiaomi)
- Coordinate with backend on notification payload format

97
tasks/android-production/25-privacy-data-safety.md Normal file
View File

@@ -0,0 +1,97 @@
# 25. Privacy Policy & Data Safety Form
meta:
id: android-production-25
feature: android-production
priority: P1
depends_on: []
tags: [compliance, play-store, privacy, production]
objective:
- Complete the Google Play Data Safety form and ensure privacy policy compliance for Android app
deliverables:
- Data Safety form completed in Play Console
- Privacy policy page live
- Data collection audit
- Security practices documentation
steps:
1. Audit data collection:
- Review all data collected by app:
- Contact info (name, email)
- Voice recordings (VoicePrint)
- Phone numbers (SpamShield)
- Device info (for analytics)
- Location (if used)
- Review third-party SDK data collection:
- Firebase Analytics
- Firebase Crashlytics
- FCM
- Any other SDKs
2. Complete Data Safety form:
- Log into Play Console → App content → Data safety
- Answer all questions accurately:
- Does app collect/share data?
- Types of data collected
- Purposes of collection
- Whether data encrypted in transit
- Whether deletion requested
- Independent security review (if applicable)
3. Declare data types:
- Location (approximate or precise)
- Personal info (name, email, phone)
- Financial info (if in-app purchases)
- Health and fitness (not applicable)
- Messages (not applicable)
- Photos and videos (document scans)
- Audio files (voice recordings)
- Files and docs (not applicable)
- Calendar (not applicable)
- Contacts (not applicable)
- App activity (analytics)
- App info and performance (crash logs)
- Device IDs (for analytics)
4. Document security practices:
- Data encrypted in transit (TLS 1.3)
- Data encrypted at rest (EncryptedSharedPreferences)
- User can request deletion
- Independent security review (if available)
5. Link privacy policy:
- Ensure privacy policy URL is accessible
- Link from Play Store listing
- Link from app settings
6. Update for changes:
- Re-audit when adding new features
- Update Data Safety form for new data collection
- Update privacy policy
tests:
- Compliance: Data Safety form complete and accurate
- Legal: Privacy policy reviewed
- Technical: Data collection matches declaration
acceptance_criteria:
- Data Safety form 100% complete in Play Console
- All data types accurately declared
- Collection purposes clearly stated
- Encryption in transit declared
- Deletion mechanism declared
- Privacy policy URL live and accessible
- Privacy policy covers all data collection
- Third-party SDK data collection documented
- Security practices documented
- Form accurate and honest (no false claims)
validation:
- Play Console → Data Safety section complete
- Review answers → all accurate
- Check privacy policy → covers all declared data
- Test deletion request → process works
- Verify encryption → TLS 1.3 active
notes:
- Google strictly enforces Data Safety form accuracy
- False claims can lead to app suspension
- Update form whenever adding new data collection
- Privacy policy must be accessible without login

85
tasks/android-production/26-permissions.md Normal file
View File

@@ -0,0 +1,85 @@
# 26. Permissions Justification & Declarations
meta:
id: android-production-26
feature: android-production
priority: P1
depends_on: []
tags: [compliance, play-store, permissions, production]
objective:
- Justify all permissions used by the app and handle permission declarations for Play Store compliance
deliverables:
- Permissions audit report
- In-app permission rationale dialogs
- Play Console permission declarations
- Permission usage documentation
steps:
1. Audit all permissions:
- Review AndroidManifest.xml
- Review all uses-permission declarations
- List each permission and why it's needed:
- INTERNET: API communication
- CAMERA: Document scanning, VoicePrint enrollment
- RECORD_AUDIO: VoicePrint enrollment
- READ_PHONE_STATE: Call screening (if needed)
- READ_CALL_LOG: SpamShield (if needed)
- POST_NOTIFICATIONS: Android 13+ notifications
- USE_BIOMETRIC: Fingerprint/Face unlock
- FOREGROUND_SERVICE: Background sync
- RECEIVE_BOOT_COMPLETED: Schedule background sync
2. Remove unnecessary permissions:
- Remove any permissions not actually used
- Remove transitive permissions from old dependencies
- Use tools-manifest-merger to control merged permissions
3. Add in-app rationales:
- Show custom dialog before requesting each permission
- Explain why permission is needed
- Show feature benefit
- Add "Don't Allow" and "Allow" buttons
4. Handle permission denials:
- Degrade functionality gracefully
- Show guidance to Settings if permission denied
- Don't crash if permission unavailable
- Respect user's choice
5. Document in Play Console:
- Declare sensitive permissions
- Provide justification for each
- Explain why alternatives weren't used
6. Test permission flows:
- First request → rationale → system dialog
- Deny → feature degraded → Settings guidance
- Allow → feature fully functional
- Revoke in Settings → app handles gracefully
tests:
- Unit: Test permission state handling
- Integration: Test rationale dialog flow
- Device: Test all permissions on physical device
acceptance_criteria:
- All permissions justified with clear use cases
- No unnecessary permissions in manifest
- In-app rationale dialogs for all sensitive permissions
- Graceful degradation when permissions denied
- Settings guidance for denied permissions
- Play Console permission declarations complete
- Permission usage documented internally
- No crashes from missing permissions
- All permission flows tested on physical device
- App Review will approve permission usage
validation:
- Check manifest → only necessary permissions present
- Test camera permission → rationale dialog → system dialog
- Deny permission → app shows Settings guidance
- Check Play Console → permission declarations complete
- Review justifications → all accurate and reasonable
notes:
- Google Play requires justification for sensitive permissions
- READ_CALL_LOG and READ_SMS are especially scrutinized
- Call screening may not need READ_CALL_LOG if using CallScreeningService
- Be prepared to appeal if Play Store questions permissions

89
tasks/android-production/27-target-api-compliance.md Normal file
View File

@@ -0,0 +1,89 @@
# 27. Target API Level & Policy Compliance
meta:
id: android-production-27
feature: android-production
priority: P1
depends_on: []
tags: [compliance, play-store, policy, production]
objective:
- Ensure app targets the latest API level and complies with all Google Play policies
deliverables:
- Target API level 36 (or latest)
- No deprecated API usage
- Policy compliance verification
- Malware and abuse prevention
steps:
1. Verify target API level:
- Currently targeting API 36 (good)
- Ensure compileSdk is latest
- Check targetSdk in build.gradle.kts
- Update if needed before submission
2. Check for deprecated APIs:
- Run lint check for deprecated API usage
- Replace any deprecated methods
- Update to modern alternatives:
- Use BiometricPrompt instead of FingerprintManager
- Use WorkManager instead of JobScheduler directly
- Use NotificationChannel for notifications
- Use FileProvider for file sharing
3. Verify policy compliance:
- No malware, viruses, or deceptive behavior
- No unauthorized use of copyrighted content
- No impersonation of other apps
- No manipulation of ratings/reviews
- No excessive ads or disruptive monetization
4. Check for restricted content:
- No hate speech or harassment
- No dangerous products or services
- No illegal activities
- No sexually explicit content
5. Verify monetization compliance:
- In-app purchases properly configured (if applicable)
- No deceptive pricing
- No forced payments for basic functionality
- Subscription terms clear and fair
6. Test on latest Android version:
- Test on Android 14 (API 34)
- Test on Android 15 (API 35) if available
- Verify no compatibility issues
- Check for new permission requirements
7. Address pre-launch report issues:
- Run pre-launch report in Play Console
- Fix all crashes and ANRs
- Fix accessibility issues
- Fix security warnings
tests:
- Lint: No deprecated API warnings
- Policy: Internal review checklist
- Compatibility: Test on Android 14/15
acceptance_criteria:
- Target API level 36 (or latest available)
- Compile SDK latest stable version
- Zero deprecated API usage
- No lint warnings for deprecated APIs
- All Google Play policies complied with
- No restricted content
- Monetization compliant
- Pre-launch report issues resolved
- App works correctly on Android 14+
- No security warnings in Play Console
validation:
- Run lint → 0 deprecated API warnings
- Test on Android 14 → no issues
- Test on Android 15 → no issues
- Pre-launch report → all checks pass
- Play Console → no policy warnings
- Internal review → all policies checked
notes:
- Google requires targeting latest API level for new apps
- Pre-launch report catches many issues automatically
- Address all pre-launch report issues before submission
- Keep up with Google Play policy updates

88
tasks/android-production/28-content-rating.md Normal file
View File

@@ -0,0 +1,88 @@
# 28. Content Rating & Regional Compliance
meta:
id: android-production-28
feature: android-production
priority: P1
depends_on: []
tags: [compliance, play-store, rating, production]
objective:
- Complete content rating questionnaire and ensure regional compliance for all target markets
deliverables:
- Content rating questionnaire completed
- Regional content compliance verified
- Age-appropriate content
- Local law compliance
steps:
1. Complete content rating:
- In Play Console → App content → Content rating
- Select category: Utilities or Lifestyle
- Answer all questions honestly:
- Violence: None
- Sexual content: None
- Language: None
- Drugs: None
- Gambling: None
- Fear: None (security alerts are informational)
- Receive rating: Everyone or Teen
2. Verify age-appropriate content:
- No explicit content in app
- No violence or gore
- No profanity
- No drug references
- Security alerts are factual, not graphic
3. Check regional compliance:
- South Korea: GRAC rating if required
- Brazil: ClassInd rating
- Other regions with specific requirements
- Verify no region-specific restrictions
4. Add parental controls (if Teen rating):
- Document any content that warrants Teen rating
- Consider if app is suitable for all ages
- Add parental guidance if needed
5. Verify data compliance by region:
- GDPR compliance for EU users
- CCPA compliance for California users
- LGPD compliance for Brazil users
- PIPEDA compliance for Canada users
6. Document content:
- Create internal content audit document
- List all user-facing content
- Verify appropriateness for declared rating
7. Handle user-generated content:
- If app allows UGC, implement moderation
- Document moderation process
- Add reporting mechanism
tests:
- Review: Content audit by team
- Compliance: Verify rating accuracy
- Regional: Check regional requirements
acceptance_criteria:
- Content rating questionnaire completed
- Rating accurate (Everyone or Teen)
- All content appropriate for declared rating
- Regional compliance verified for target markets
- Data protection compliance (GDPR, CCPA, etc.)
- No region-specific content restrictions
- Internal content audit completed
- User-generated content moderated (if applicable)
- Reporting mechanism for inappropriate content (if applicable)
- App suitable for all declared target audiences
validation:
- Play Console → content rating shows expected result
- Review all screens → no inappropriate content
- Check regional requirements → all met
- Verify data compliance → GDPR, CCPA handled
- Team review → content audit approved
notes:
- Content rating affects app visibility in some regions
- Be honest in questionnaire — false answers can lead to removal
- Security apps are typically "Everyone" or "Teen"
- Regional ratings may be required for some countries

90
tasks/android-production/README.md Normal file
View File

@@ -0,0 +1,90 @@
# Android Production Readiness
Objective: Prepare the Jetpack Compose Android application for Google Play Store submission with hardened security, optimized performance, comprehensive testing, and full native feature integration.
Status legend: [ ] todo, [~] in-progress, [x] done
## Tasks
### Play Store Preparation
- [ ] 01 — Play Store Listing Assets → `01-play-store-assets.md`
- [ ] 02 — Feature Graphic & Promo Video → `02-feature-graphic.md`
- [ ] 03 — Play Console Configuration → `03-play-console.md`
- [ ] 04 — Internal Testing Track → `04-internal-testing.md`
### Security Hardening
- [ ] 05 — Certificate Pinning & Network Security Config → `05-cert-pinning.md`
- [ ] 06 — Root Detection & Obfuscation (R8/ProGuard) → `06-root-detection.md`
- [ ] 07 — Encrypted SharedPreferences & DataStore Audit → `07-encrypted-storage.md`
- [ ] 08 — OAuth & Social Login Integration → `08-oauth-social-login.md`
### Performance Optimization
- [ ] 09 — Image Caching & Coil Optimization → `09-image-caching.md`
- [ ] 10 — Pagination & List Performance → `10-pagination-lists.md`
- [ ] 11 — Background Sync & WorkManager Optimization → `11-background-sync.md`
- [ ] 12 — App Startup Time & ANR Prevention → `12-startup-anr.md`
### Native Features
- [ ] 13 — Call Screening Service Production Hardening → `13-call-screening.md`
- [ ] 14 — Notification Channels & Rich Notifications → `14-notifications.md`
- [ ] 15 — App Shortcuts & Widgets → `15-shortcuts-widgets.md`
- [ ] 16 — App Actions & Slices → `16-app-actions.md`
### Testing & QA
- [ ] 17 — UI Test Suite (Compose Testing) → `17-ui-test-suite.md`
- [ ] 18 — Screenshot Testing (Paparazzi) → `18-screenshot-testing.md`
- [ ] 19 — Accessibility Audit (TalkBack) → `19-accessibility-audit.md`
- [ ] 20 — Firebase Test Lab Integration → `20-firebase-test-lab.md`
### Backend Integration
- [ ] 21 — Real API Client Verification & Wire-up → `21-api-verification.md`
- [ ] 22 — Token Refresh & Session Management → `22-token-refresh.md`
- [ ] 23 — Offline Sync & Conflict Resolution → `23-offline-sync.md`
- [ ] 24 — FCM Push Notification Deep Linking → `24-fcm-deep-links.md`
### Play Store Compliance
- [ ] 25 — Privacy Policy & Data Safety Form → `25-privacy-data-safety.md`
- [ ] 26 — Permissions Justification & Declarations → `26-permissions.md`
- [ ] 27 — Target API Level & Policy Compliance → `27-target-api-compliance.md`
- [ ] 28 — Content Rating & Regional Compliance → `28-content-rating.md`
## Dependencies
- 01, 02, 03, 04 can be done in parallel (Play Store prep)
- 05, 06, 07, 08 can be done in parallel (security)
- 09, 10, 11, 12 can be done in parallel (performance)
- 13, 14, 15, 16 can be done in parallel (native features)
- 17, 18, 19, 20 can be done in parallel (testing)
- 21 must be done before 22, 23, 24 (backend integration foundation)
- 22, 23, 24 depend on 21
- 25, 26, 27, 28 can be done in parallel (compliance)
- All groups can proceed independently
## Exit Criteria
- Play Store listing complete with screenshots for phone, tablet, and foldable
- Feature graphic and promo video uploaded
- Internal testing track active with 20+ testers
- Certificate pinning active with network_security_config.xml
- Root detection blocking app usage or degrading gracefully
- R8/ProGuard enabled with release build shrinking and obfuscation
- EncryptedSharedPreferences used for all sensitive data
- OAuth and social login working (Google Sign-In)
- Coil image cache configured with 100MB disk limit
- All lists paginated with lazy loading (no ANRs on large datasets)
- WorkManager syncing every 15 minutes with battery optimization
- Cold start under 1.5 seconds on Pixel 6
- Call screening service filtering calls with <100ms latency
- Notification channels configured for alerts, marketing, and system
- App shortcuts for dashboard, alerts, and new scan
- Home screen widget showing threat score
- UI tests covering auth flow, dashboard navigation, and service screens
- Screenshot tests catching UI regressions on PR
- TalkBack labels on all interactive elements
- Firebase Test Lab tests passing on Pixel, Samsung, and Xiaomi devices
- All TRPC endpoints verified against backend contract
- Token refresh working silently without user interruption
- Offline queue resolving sync conflicts with server-wins strategy
- FCM deep links routing to correct screens with cold start
- Data safety form accurately declaring all collected data types
- All permissions justified with in-app rationale dialogs
- Target API level 36 with no deprecated API usage
- Content rating questionnaire completed accurately