- scripts/git-hooks/pre-push: the fixed hook (dirty-tree guards kept; the
self-defeating 'unpushed commits' blocker replaced with a behind-remote
fail-fast + an informational listing of what a push will publish). Hooks
don't sync on clone, so scripts/install-git-hooks.sh installs them; verified
idempotent against the live .git/hooks copy.
- Future.md: scheduledOutcomesReminder .limit(200) no-pagination scaling cap
recorded with the fix pattern (assignDailyQuestion's page loop); npm-audit
entry re-verified 2026-07-11 (still 9 moderate, transitive; no lockfile churn).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
After an APK reinstall a device registers a fresh FCM token alongside stale
ones (~33h). The smoke harness grabbed docs[0] (unordered) and could hit a
stale token -> FCM 'Requested entity was not found' -> false smoke FAIL.
Now sort fcmTokens by updatedAt and try newest-first across all tokens,
skipping dead ones, mirroring the app's sendToUser + pruneTokens behavior.
Also file two R31 QA-env observations to Future.md (add the RevenueCat test_
key to local.properties so QA can drive the live paywall; FCM token churn note).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The webhook verified an Ed25519 signature in an X-Signature header, but RevenueCat
offers no public-key signing — it sends HMAC-SHA256 in X-RevenueCat-Webhook-Signature
(t=<ts>,v1=<hex>) computed over "<ts>.<rawBody>". As written, every real event would
have 401'd and premium would never sync for the partner.
- Rewrite verification to HMAC-SHA256 with a +/-5-min timestamp replay guard and a
constant-time compare; extract a pure verifyWebhookSignature() for unit testing.
- Rename secret REVENUECAT_SIGNING_KEY -> REVENUECAT_WEBHOOK_SECRET (it is an HMAC
secret, not an Ed25519 key). Never deployed, so no migration.
- Uncomment the export in index.ts (deploy still gated on seeding the secret).
- Add revenueCatWebhook.test.ts: valid / tampered / wrong-secret / missing / stale.
- Reconcile Future.md + Engineering_Reference_Manual.md to the real scheme.
Verified against the live account: the entitlement identifier is now closer_premium,
so events match entitlementLogic. Build + 80 tests green.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Establishes a typed Kotlin copy catalog (ui/brand/CloserCopy.kt), sibling to the existing
CloserBrandCopy (privacy rotator). Rationale over strings.xml: the app is English-only and
pre-launch, so a typed catalog gives one-place brand-voice review + compile-time safety
without Compose stringResource() friction or orphaned-string drift. strings.xml's real value
is the localization pipeline, which we migrate to in one pass when i18n is on the roadmap
(gate recorded in Future.md).
First slice (highest-value, monetization surface):
- PaywallScreen + SubscriptionScreen voice copy (benefit lists, headlines, value props,
"Thank you for supporting Closer", couple-shared taglines) now source from CloserCopy.
- Generic chrome ("Continue", "Restore", "Manage subscription", error-retry) intentionally
stays inline — it isn't brand voice.
- Surfaced real copy drift: the paywall and subscription benefit lists differ (swap two
items + reorder) — co-located and flagged in CloserCopy.kt for a copy decision, left
verbatim (not silently unified).
compileDebugKotlin clean; no behavior change (copy identical, just relocated).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The R29 games-review section had drifted — most of it shipped in R30 (batches C1–C4) and
went live with today's deploy. Reconciled against the git record, not memory:
- Shipped block added: server daily-question pool seeded + server-authoritative/mode-aware/
deterministic selection (f2321d35, kills DQ-MISMATCH + cross-timezone splits); banner
lifecycle BANNER-LIFE-001 (C1); retention set — HowWell role-swap rematch, NextBeatCard
return-tomorrow beat, DS seen-question memory, deterministic Date Match shuffle +
skip-swiped, daily_fun_mc excluded from HowWell pool, Challenges day-N+1 teaser (C2).
- Still-open list trimmed to what's genuinely open: the game-engine/replay/composable
dedup refactors, premium-check helper, GameConstants, DispatcherProvider, error-surfacing,
retention analytics events (the one unbuilt retention piece), the daily_fun_mc sex retag
(now DS-only hygiene post-C3), npm audit (firebase-admin transitives).
- partner_joined_game push: "pending deploy" → BUILT + LIVE (2026-07-08); noted the
abandoned-session false-finish guard that shipped in the same deploy.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Deployed 2026-07-08: all 35 functions in-place on nodejs22 (incl. gen1 onUserDelete),
CI pins matched, verified via functions:list + callable cold-boot smoke + clean logs.
Recorded why nodejs24 was rejected (2nd-gen only; gen1 onUserDelete blocks a codebase-wide
24) and the next forced-bump horizon (Node 22 decommissioned 2027-10-31).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Content-free daily-question state + streak, mirrored from HomeViewModel via a
dedicated DataStore (TodayWidgetUpdater -> TodayWidgetState). App-lock drops it
to a generic card so partner-activity state doesn't sit on the protected home
screen; signed-out/unpaired show neutral prompts. Tapping opens the daily
question via MainActivity's app_route extra.
Verified: provider registers, state bridge writes, headline logic unit-tested
(TodayWidgetTest), no crash on launch. On-home-screen render + a Remote Config
kill switch are tracked in Future.md.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- New Cloud Function: onEntitlementChanged (Firestore onWrite on entitlements/premium) — edge-triggered inactive→active, notifies the OTHER partner so couple-shared unlock isn't silent
- New notification type SUBSCRIPTION_CHANGED → routes to SUBSCRIPTION
- AnswerRevealViewModel: re-issue markRevealed if best-effort failed (offline/transient) so partner_opened_answer push eventually fires
- firestore.rules: harden users/{uid} update allowlist (defense-in-depth; no live hole)
- 18 new brand glyph vector drawables (drawable-nodpi/)
- SettingsScreen / PlayHubScreen / WaitingForPartnerScreen: swap Material icons for new brand glyphs
- ClaudeQA docs + Future.md updated
Code check: the speculative Pass E types added by the merged playbook (join_game,
partner_joined_game, game_ended, date_plan_update, subscription_entitlement_changed,
...) are not implemented (0 files) -> marked not implemented -> Future.md. Logged the
worthwhile ones to Future.md ## QA (notify free partner on couple premium unlock; join/
end pushes). Round 8 at the flawless bar: 0 open P0-P2 (1 P3 J-OBS); I-001/I-002 fixed+
verified pending Round 9 confirm.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Implements the QA improvement backlog from Future.md:
- Inclusive sex/gender options (Female/Male/Non-binary/Prefer not to say) in onboarding +
Edit Profile; honest copy (Desire Sync is already gender-neutral, no tailoring fallback needed).
- Turn-aware Home "waiting to play" copy ("Your turn to play.").
- Partner-action/results pushes exempt from the weekly promotional rate-limit ceiling
(NotificationRateLimiter); reminders still bound by it. Tests updated.
- Suppress the redundant results / "partner finished" push when the recipient is already on that
game's screen — new ActiveGameSessionMonitor (mirrors ActiveThreadMonitor), wired into the
This or That / How Well / Desire Sync VMs + Wheel results; guarded in PartnerNotificationManager.
- Paywall: retry-with-backoff, offline-aware error copy, Continue hidden until plans load.
- Privacy-message rotator on Sign up + Forgot password (Login already had it).
iOS illustrations were already wired into the Android empty states (no change needed).
Brand-glyph G-set remains in Future.md — blocked on generated art.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Pass H: consumer-mindset branding review of every screen; output = ready-to-paste ChatGPT image
prompts; must lock the house style first (read brand docs + open existing illustrations) so all
generated art matches the shipped artwork.
- ClaudeBrandingReview.md: canonical House Style prompt prefix + palette + negatives; screen-by-screen
audit (every route); 12 illustration prompts (A1-A12) + glyph set + pack-art prompt, all reusing the
house style; flags 'wire existing iOS art into Android' vs new generation.
- Future.md QA: non-art branding ideas (wire iOS illustrations to Android, consistent glyphs, rotate
privacy messages on auth screens).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Pass B: cover the full depth x round-length matrix (Light/Everyday/Deep/All x 5/10/15), not one combo;
short+long, shallow+deep, every answer type.
- Methodology: THINK AS A CONSUMER (approach from many angles); capture works-but-could-be-better /
feature ideas to Future.md '## QA' (kept separate from the ClaudeReport.md bug log).
- New Future.md seeded with 5 grounded QA improvement ideas (inclusive onboarding options, turn-aware
'waiting to play' copy, rate-limit exemption for high-value pushes, suppress redundant results push,
friendlier paywall error state).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>