# ROADMAP

Longer-term backlog and deferred decisions. Near-term status lives in `AGENTS.md` → Current state; package-specific follow-ups live in `s9pk/TODO.md`.

## Phase 3 — AI coach (deferred, not started)

- Integrate the DGX Spark LLM box (Qwen3.6 35B, OpenAI-compatible endpoint) as a training coach.
- Login-time training suggestions based on recent activity and goals.
- Per-category drill ideas on demand.
- Config via env-var names (endpoint URL, model); no keys in the repo.

## Evaluation backlog

A full independent evaluation lives in `EVALUATION.md` (committed; re-runnable via `/full-eval`). Deferred items, by priority:

- **P2 — dependency**: upgrade `@fastify/static` 8.3.0 → ≥9.1.3 (known path-traversal advisories; no concrete exploit path here) and re-test static serving.
- **P2 — input validation**: reject unknown metric `kind` (not `count|duration|score|decimal`); validate calendar-date semantics (the `\d{4}-\d{2}-\d{2}` regex accepts `2026-13-99`); return 400 instead of a raw `SQLITE_CONSTRAINT_FOREIGNKEY` 500 on a bad `metric_id`.
- **P2 — tests**: no automated suite yet; cover record-recompute direction, streak math, and migration idempotency against a temp DB.
- **P3**: CSRF token beyond `SameSite=Lax`; cross-category metric guard on entry write; logout without a session; consistent 404s on delete; validate category `color`.

Registry-submission blockers (private repo URLs, empty `assets/`, no CI) are intentionally **not** being worked — publishing to the community registry is not a goal.

## Product backlog

- **"Log another"**: allow multiple sessions of the same category in one day (the category pill currently edits the existing entry instead of creating a second).
- **Speed units**: option for `km/h` in addition to `mph`.
- **Per-metric direction**: expose a "higher is better / lower is better" toggle in the Settings metric editor (today it is set only via seed/migration; needed for new lower-is-better metrics like time or strokes).
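The three P2 input-validation items in the Evaluation backlog above, as one added example (not the project's own code): `isCalendarDate` and `validateEntry` are hypothetical helper names, and `knownMetricIds` stands in for a set of metric ids the route handler would load from the DB before the insert.

```javascript
// Added example, not project code. Validates an entry payload before it reaches
// SQLite, so bad input is answered with a 400 instead of a raw constraint error.

const METRIC_KINDS = new Set(['count', 'duration', 'score', 'decimal']);

// True only for a real Gregorian date in YYYY-MM-DD form. The regex alone
// accepts 2026-13-99 (and 2025-02-29); the round-trip through Date.UTC rejects
// anything the calendar would have normalised to a different day.
function isCalendarDate(s) {
  if (typeof s !== 'string' || !/^\d{4}-\d{2}-\d{2}$/.test(s)) return false;
  const [y, m, d] = s.split('-').map(Number);
  if (m < 1 || m > 12 || d < 1 || d > 31) return false;
  const dt = new Date(Date.UTC(y, m - 1, d));
  return dt.getUTCFullYear() === y &&
         dt.getUTCMonth() === m - 1 &&
         dt.getUTCDate() === d;
}

// Returns { ok: true } or { ok: false, status: 400, error }. knownMetricIds is
// a Set of ids that exist in the metrics table; checking it here is what turns a
// SQLITE_CONSTRAINT_FOREIGNKEY 500 into a 400 with a readable message.
function validateEntry(body, knownMetricIds) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, status: 400, error: 'body must be a JSON object' };
  }
  if (!METRIC_KINDS.has(body.kind)) {
    return { ok: false, status: 400, error: `unknown metric kind: ${body.kind}` };
  }
  if (!isCalendarDate(body.date)) {
    return { ok: false, status: 400, error: `invalid calendar date: ${body.date}` };
  }
  if (!knownMetricIds.has(body.metric_id)) {
    return { ok: false, status: 400, error: `unknown metric_id: ${body.metric_id}` };
  }
  return { ok: true };
}

// Constructed sample: ids 1 and 2 exist; the payload uses the regex-valid but
// impossible date from the backlog item.
const sampleIds = new Set([1, 2]);
const sampleResult = validateEntry(
  { kind: 'count', date: '2026-13-99', metric_id: 1 }, sampleIds);
```

In a Fastify route the handler would call `validateEntry` first and `reply.code(result.status).send({ error: result.error })` on failure, before any DB write.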
## Platform / packaging

- **Password UX under StartOS**: make the in-app Settings password change agree with the "Set Login Password" action — hide the in-app field on StartOS, or write changes through to `store.json`.
- **Packaging hygiene**: the vendored `s9pk/app/` is gitignored, so the package `gitHash` does not reflect app-source changes; revisit before publishing to a registry.
- **Other arches**: build aarch64/riscv64 only if a target host needs them (currently x86_64-only).

## Ops

- `origin` is configured on self-hosted Gitea (SSH, in `.git/config`); push after committing.