From f05c8521f94a504f659d40d62e6151a18329c9f7 Mon Sep 17 00:00:00 2001 From: jjoonleo Date: Sat, 9 May 2026 23:17:19 +0900 Subject: [PATCH 1/2] docs: audit content category and UGC for release (#460) --- docs/Release-Checklist.md | 21 +++++++ plans/460-audit-content-category-ugc-plan.md | 59 ++++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 plans/460-audit-content-category-ugc-plan.md diff --git a/docs/Release-Checklist.md b/docs/Release-Checklist.md index 9dde5b05..c17ff0a1 100644 --- a/docs/Release-Checklist.md +++ b/docs/Release-Checklist.md @@ -71,3 +71,24 @@ OnTime. - Confirm the app name, short description, full description, screenshots, support contact, privacy policy, and category are ready for the target stores. - Track any brand, icon, screenshot, or store copy gaps before submission. + +## Content Category and UGC + +- Current release audit result (2026-05-09): no UGC is exposed to other users. + Users can create schedules, schedule notes, preparation steps, + account profile values, and deletion or feedback text, but the checked app + routes and API clients do not provide public profiles, shared schedules, + comments, chat, feeds, uploads, groups, or other user-to-user content surfaces. +- Current restricted-category audit result (2026-05-09): OnTime is a schedule + preparation, alarm, reminder, and arrival-time planning app. The checked source + does not implement gambling, betting, regulated finance, trading, lending, + crypto, medical, adult, or other restricted-category flows. +- Before each store submission, re-check `lib/core/constants/endpoint.dart`, the + schedule, preparation, authentication, notification, and alarm data sources, + and user-facing flows for any newly added shared or public content surfaces. +- If user-created content becomes visible to other users, open release-blocking + issues for reporting, blocking, moderation or abuse handling, Play Data safety, + and content rating updates before release. +- Keep store category and listing copy aligned with productivity, planner, alarm, + and reminder functionality unless a future feature and policy review supports a + different category. diff --git a/plans/460-audit-content-category-ugc-plan.md b/plans/460-audit-content-category-ugc-plan.md new file mode 100644 index 00000000..c4c8bb1e --- /dev/null +++ b/plans/460-audit-content-category-ugc-plan.md @@ -0,0 +1,59 @@ +# Issue 460 Content Category and UGC Audit Plan + +## Goal + +Confirm whether the current OnTime release exposes user-created content to other +users, document the release checklist result, and confirm the app is not in a +restricted content category before Play submission. + +## Context + +- Parent release track: #466, Store listing and content. +- Sub-issue: #460, Audit content category and UGC exposure. +- #460 is labeled `codex-ready`, has no prerequisites, and asks for a scoped + audit only. +- The source issue references `plans/release_app_todos.md`, but that file is not + present in this checkout. +- Current app scope from `README.md` and `pubspec.yaml`: schedule preparation, + alarms, reminders, and arrival-time planning. +- Audited endpoint and data-source surfaces include authentication, user profile, + feedback, schedules, preparations, FCM token registration, alarm settings, + device registration, alarm windows, and alarm status reporting. + +## Decisions + +- Treat this as a documentation and release-readiness audit, not a product-code + change. No app behavior is required when the audit finds no UGC exposure. +- Use `docs/Release-Checklist.md` as the release checklist artifact requested by + the acceptance criteria. +- Do not create report, block, or moderation issues unless the audit finds + user-created content visible to other users. +- Keep restricted-category confirmation limited to the current repository + surface; future feature work must re-audit before store submission. + +## Steps + +1. Inspect #466 and #460 metadata, labels, prerequisites, and comments. +2. Confirm the active branch is `codexd/460-audit-content-category-ugc`. +3. Audit source endpoints, remote data sources, entities, and public docs for + social sharing, public profiles, feeds, comments, chat, uploads, report/block + controls, and restricted-category signals. +4. Update `docs/Release-Checklist.md` with the current no-UGC result, + restricted-category result, and explicit re-audit requirements. +5. Review the diff and verify the added documentation answers each #460 + acceptance criterion. +6. Commit only #460-related files, push the branch, and open a draft PR that + closes #460 and references #466. + +## Validation + +- `git diff --check` +- `git diff -- docs/Release-Checklist.md plans/460-audit-content-category-ugc-plan.md` +- Source audit searches over `lib`, `docs`, `README.md`, and `pubspec.yaml` for + UGC, sharing, moderation, and restricted-category terms. + +## Open Questions + +None. Human Play Console category selection still needs normal release-owner +confirmation during store submission, but it does not block documenting this +repository audit. From 36f681f54a6991efada118f16f3a47e1da713f40 Mon Sep 17 00:00:00 2001 From: jjoonleo Date: Sun, 10 May 2026 12:08:03 +0900 Subject: [PATCH 2/2] ci: skip Firebase previews for draft PRs --- .../firebase-hosting-pull-request-widgetbook.yml | 8 ++++++-- .github/workflows/firebase-hosting-pull-request.yml | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/firebase-hosting-pull-request-widgetbook.yml b/.github/workflows/firebase-hosting-pull-request-widgetbook.yml index 8a1c37b6..1c6bff65 100644 --- a/.github/workflows/firebase-hosting-pull-request-widgetbook.yml +++ b/.github/workflows/firebase-hosting-pull-request-widgetbook.yml @@ -2,14 +2,16 @@ # https://github.com/firebase/firebase-tools name: Deploy to Firebase Hosting on PR (Widgetbook) -on: pull_request +on: + pull_request: + types: [opened, synchronize, reopened, ready_for_review] permissions: checks: write contents: read pull-requests: write jobs: build_and_preview: - if: "${{ github.event.pull_request.head.repo.full_name == github.repository }}" + if: "${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.draft == false }}" runs-on: ubuntu-latest env: working-directory: ./widgetbook @@ -44,5 +46,7 @@ jobs: firebaseServiceAccount: "${{ secrets.FIREBASE_SERVICE_ACCOUNT_ON_TIME_FRONT_WIDGETBOOK }}" projectId: on-time-front-widgetbook entryPoint: ${{ env.working-directory }} + channelId: pr-${{ github.event.pull_request.number }} + expires: 3d env: FIREBASE_CLI_EXPERIMENTS: webframeworks diff --git a/.github/workflows/firebase-hosting-pull-request.yml b/.github/workflows/firebase-hosting-pull-request.yml index 5ba48c93..2bdd13af 100644 --- a/.github/workflows/firebase-hosting-pull-request.yml +++ b/.github/workflows/firebase-hosting-pull-request.yml @@ -2,14 +2,16 @@ # https://github.com/firebase/firebase-tools name: Deploy to Firebase Hosting on PR -on: pull_request +on: + pull_request: + types: [opened, synchronize, reopened, ready_for_review] permissions: checks: write contents: read pull-requests: write jobs: build_and_preview: - if: "${{ github.event.pull_request.head.repo.full_name == github.repository }}" + if: "${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.draft == false }}" runs-on: ubuntu-latest environment: debug steps: @@ -46,5 +48,7 @@ jobs: repoToken: "${{ secrets.GITHUB_TOKEN }}" firebaseServiceAccount: "${{ secrets.FIREBASE_SERVICE_ACCOUNT_ONTIME_C63F1 }}" projectId: ontime-c63f1 + channelId: pr-${{ github.event.pull_request.number }} + expires: 3d env: FIREBASE_CLI_EXPERIMENTS: webframeworks