27c8ef8
# Production Readiness Audit

Scope: frontend, database, features, and user experience.

## High Priority Gaps
- Auth is not secure or enforced: APIs accept `user_id` from client and return user history without verifying identity. Any client can access other users' data. Implement token-based auth and derive user_id server-side.
- Passwords stored insecurely: client stores plaintext password in SharedPreferences; server allows plaintext fallback and uses unsalted SHA-256. Use bcrypt/argon2; remove plaintext fallback; store tokens in secure storage only.
- Check-ins not persisted in DB: daily check-ins stored locally only. Add a `checkins` table and persist via API.
- Database schema incomplete for core features: missing tables for check-ins, goals, sessions, etc. Add required tables and foreign keys.
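The first two findings above (client-supplied `user_id`, unsalted SHA-256 with a plaintext fallback) are restated under Backend Gaps below; the following example, added here and not taken from the audited project, covers both. It contrasts the flagged patterns with hardened counterparts in Python, the language the audit's tooling (`create_all`, Alembic) points to: a salted memory-hard password hash with no plaintext path, and a signed bearer token from which the server derives the caller's identity instead of trusting a request parameter. `SERVER_SECRET`, `HISTORY` and the `history_*` handler names are constructed for the demo; scrypt from the standard library stands in for the bcrypt/argon2 the audit recommends so the example runs without extra packages.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional

# Constructed signing secret for the demo; a real service loads it from
# environment configuration and never commits it to source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)

# Constructed stand-in for the history table, keyed by user id.
HISTORY = {1: ["analysis-a1", "analysis-a2"], 2: ["analysis-b1"]}


def weak_hash(password: str) -> str:
    """The scheme the audit flags: unsalted SHA-256. Equal passwords give equal
    hashes across users, and a precomputed table cracks them offline."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Per-user random salt plus a memory-hard KDF. The audit recommends
    bcrypt/argon2; scrypt from the standard library stands in here."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time. There is
    deliberately no branch that accepts a plaintext record."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def issue_token(user_id: int) -> str:
    """Opaque bearer token: user id and nonce, bound to the server by an HMAC."""
    payload = f"{user_id}.{secrets.token_hex(8)}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def user_id_from_token(token: str) -> Optional[int]:
    """Derive the caller's identity from the token signature; any tampering
    (edited user id, edited signature) yields None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    uid, nonce, sig = parts
    expected = hmac.new(SERVER_SECRET, f"{uid}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return int(uid) if uid.isdigit() else None


def history_insecure(requested_user_id: int) -> List[str]:
    """Audit finding: identity is whatever the client puts in `user_id`."""
    return HISTORY.get(requested_user_id, [])


def history_secure(token: str) -> Optional[List[str]]:
    """Hardened handler: no `user_id` parameter at all; None means 401."""
    uid = user_id_from_token(token)
    if uid is None:
        return None
    return HISTORY.get(uid, [])
```

The hardened handler simply has no `user_id` argument to trust: the only identity it knows is the one recovered from a valid signature, so a client that edits the id in its token gets nothing rather than another user's history.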

## Medium Priority Gaps
- Hardcoded API base URL: no staging/production environment separation. Move to environment config.
- Logout does not clear stored user state: it navigates without clearing saved data. Call a clear/reset routine on logout.
- DASS scale mismatch risk: UI uses 0-4 while DASS-42 is typically 0-3. Align scale or adjust scoring logic.
- Error handling is weak: network failures often return empty lists or generic errors. Add timeouts, retries, and user-friendly error states.

## UX and Feature Completeness
- Auto-login missing: splash always routes to onboarding even if user is logged in. Route based on `AppState.isLoggedIn`.
- Placeholder actions: "Forgot Password", social login, profile edits are non-functional. Implement or remove until ready.

## Data and Analytics Limitations
- Analyses not fully stored: minimal fields saved; missing detailed scores/recommendations and client timestamps. Persist full output fields for analytics and debugging.
- Indexing missing: no indexes on `created_at`/`user_id` for history queries. Add indexes for performance.

## Backend Gaps
- No auth enforcement: endpoints accept `user_id` from clients and return data without verifying identity. Add JWT/session auth and authorization checks.
- Password handling is weak: unsalted SHA-256 and plaintext fallback. Move to bcrypt/argon2 and remove plaintext path.
- CORS is wide open: `allow_origins=["*"]` with credentials. Restrict origins and limit credentials.
- No rate limiting or abuse protection: add per-IP/user throttling on auth and analysis endpoints.
- Error handling leaks details: raw exceptions are returned. Normalize error responses and hide internals.
- No database migrations: relies on `create_all`. Introduce Alembic migrations and schema versioning.
- Missing structured logging/monitoring: add request logs, tracing, and health checks.
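Three of the backend items (wide-open CORS, no throttling, error responses that leak internals) have small, framework-independent cores. The example below is added here and is not the project's code: a per-key sliding-window limiter of the kind that would sit in front of the auth and analysis endpoints, an origin check that refuses the `allow_origins=["*"]`-with-credentials combination the audit found, and a response handler that logs the full exception with a correlation id while returning only a generic body. The class and function names are constructed; the limiter takes an injectable clock so its behaviour can be tested without sleeping.

```python
import logging
import time
import uuid
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

log = logging.getLogger("api")


class SlidingWindowLimiter:
    """At most `limit` requests per key in any `window` seconds. The key is the
    client IP before authentication and the user id after it."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def cors_allowed(origin: str, allow_origins: List[str], allow_credentials: bool) -> bool:
    """Origin check. A wildcard combined with credentials lets any site make
    credentialed requests, so that configuration is refused outright."""
    if allow_credentials and "*" in allow_origins:
        log.warning("wildcard CORS origin with credentials refused")
        return False
    return "*" in allow_origins or origin in allow_origins


def leaky_handler(exc: Exception) -> Tuple[int, dict]:
    """Audit finding: the raw exception text goes to the client."""
    return 500, {"detail": repr(exc)}


def normalized_handler(exc: Exception) -> Tuple[int, dict]:
    """Log the full exception server-side under a reference id; the client
    sees only a stable error code and that reference."""
    ref = uuid.uuid4().hex[:12]
    log.error("unhandled error ref=%s", ref, exc_info=exc)
    return 500, {"error": "internal_error", "ref": ref}
```

The reference id is what makes the generic response supportable: a user reports `ref`, and the operator finds the stack trace in the structured logs the audit also asks for.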