Buildout Plan

Feature 0 — Contracts & Mock (BLOCKER; finish first)

Owner: Backend Lead (+ Mobile/Web reviewers)

Tasks

  • Write OpenAPI with these endpoints:
    • POST /v1/contacts/import
    • POST /v1/events/start → { event_id, short_links[] }
    • POST /v1/events/{id}/loc → 204
    • POST /v1/events/{id}/stop → 204
    • POST /v1/viewers/request-otp → { otp_sent: true }
    • POST /v1/viewers/verify-otp → { viewer_jwt }
    • GET /v1/events/{id}/live (SSE/WS) → location pings
  • Publish sample payloads (including seq, ts, and event_id) together with notes on what goes into the AAD.
  • Spin up mock server returning fixed breadcrumbs; OTP always 123456 in dev.
  • Auto-generate TS/Swift/Kotlin SDKs.

Security baked-in

  • Tokens in spec: short-lived viewer_jwt (≤10m).
  • Errors standardized: TOKEN_EXPIRED, OTP_INVALID.
  • Phone handling: index by HMAC-SHA256(phone, server_salt).

Done when

Mobile/Web compile against SDK and display mock data end-to-end.

Feature 1 — Onboarding & Contact Opt-In

Owner: Mobile Lead; Backend for SMS; QA for flows

Tasks

  • Language select (EN/ES), permissions: Location (required), Notifications (required), Mic (off by default).
  • Add contacts (manual entry; we can add address-book later).
  • Call POST /v1/contacts/import.
  • Backend sends SMS: "<Alias> added you as a safety contact. Reply YES to accept, STOP to opt out."
  • Webhook to record YES/STOP → mark verified.

Security baked-in

  • Store only alias + phone + verified contact phones (hashed index).
  • No address-book upload; no names unless user types label.
  • Logs redact raw phone numbers.

Done when

Verified contact receives invite, replies YES, status flips to verified.

Feature 2 — Disguise Shell & Hidden Triggers

Owner: Mobile Lead

Tasks

  • Decoy app: "SafeNotes" with fake list.
  • Hidden triggers: corner long-press + search-box PIN (choose one or both).
  • 3-second cancel countdown; PIN to stop.

Security baked-in

  • Generic UI text; no "SOS" on screen.
  • Quick wipe on stop (delete temp files/keys; return to decoy UI).

Done when

Trigger fires reliably with screen on/off; cancel works; app returns to decoy.

Feature 3 — Start/Stop Event + Background Location (Encrypted)

Owner: Mobile Lead

Tasks

  • On trigger: create per-event session key in memory.
  • POST /v1/events/start → receive short links.
  • Start background location loop every 5–10s → POST /v1/events/{id}/loc.
  • On stop or TTL: POST /v1/events/{id}/stop → wipe key & caches.

Security baked-in

  • Client-side AEAD: XChaCha20-Poly1305 or AES-GCM for each ping.
  • AAD = event_id|seq; include seq and ts in payload to block replays.
  • Keys never written to disk; wiped on stop.

Done when

Ping payloads are encrypted on device; verified in local instrumentation.

Feature 4 — Event Service, SSE/WS, TTL Worker

Owner: Backend Lead

Tasks

  • Implement events start/loc/stop in Go/Node with Postgres + Redis.
  • SSE/WS stream endpoint (/live) keyed by viewer_jwt.
  • TTL worker: default 60-min event expiry; purge pings & tokens.
  • Basic admin table (active events count, SMS success rate).

Security baked-in

  • TLS 1.3 + HSTS; mTLS internal if split services.
  • Redacted logs (hash phones, strip tokens).
  • Rate limits (e.g., 3 active events/hour/phone).
  • SSE auth required; revoke on stop/TTL.
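Added example, not the project's code, for Feature 0's HMAC-SHA256(phone, server_salt) index and the redacted logs above, in Go: phones are normalized to E.164 before hashing so one number always yields one index, and RedactLog rewrites a log line so phones appear only as a prefix of their index and bearer/viewer_jwt tokens are dropped. The US default for bare 10-digit numbers, the two regexes and the 12-hex prefix length are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"regexp"
)

var (
	nonDigit = regexp.MustCompile(`\D`)
	// Errs toward over-redaction: any 10-13 digit run with optional +CC and common separators.
	phoneRe = regexp.MustCompile(`(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b`)
	tokenRe = regexp.MustCompile(`(?i)(bearer\s+|viewer_jwt=|token=)[\w.~+/=-]+`)
)

// NormalizePhone reduces user input to E.164 ("+14155551212") so one number always yields one
// index. Assumed rule for this example: a bare 10-digit number is treated as US (+1).
func NormalizePhone(raw string) (string, error) {
	d := nonDigit.ReplaceAllString(raw, "")
	if len(d) == 10 {
		d = "1" + d
	}
	if len(d) < 8 || len(d) > 15 {
		return "", errors.New("bad phone")
	}
	return "+" + d, nil
}

// PhoneIndex is the lookup key stored instead of the number: HMAC-SHA256(phone, server_salt).
// The keyed hash means a leaked table cannot be reversed by hashing the whole phone-number space.
func PhoneIndex(serverSalt []byte, phone string) string {
	m := hmac.New(sha256.New, serverSalt) // serverSalt: per-deployment secret from KMS/Vault
	m.Write([]byte(phone))
	return hex.EncodeToString(m.Sum(nil))
}

// RedactLog strips bearer/JWT tokens and replaces phones with a 12-hex prefix of their index,
// which stays joinable to the hashed contacts table for debugging but is no longer PII.
func RedactLog(serverSalt []byte, line string) string {
	line = tokenRe.ReplaceAllString(line, "${1}[REDACTED]")
	return phoneRe.ReplaceAllStringFunc(line, func(m string) string {
		p, err := NormalizePhone(m)
		if err != nil {
			return "[phone]"
		}
		return "[phone:" + PhoneIndex(serverSalt, p)[:12] + "]"
	})
}
```

The same RedactLog can back the CI log-redaction test in Feature 7 and the "no raw phones/tokens in logs" check in Feature 10 by asserting on its output for constructed log lines.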

Done when

Event expires → zero DB rows and zero stored blobs remain; SSE rejects with TOKEN_EXPIRED.

Feature 5 — SMS Alerts + Viewer OTP

Owner: Backend Lead; Web Lead for OTP UI

Tasks

  • On events/start, SMS alert to verified contacts with short-lived link.
  • OTP request/verify → mint short-lived viewer_jwt (≤10m).
  • Lock link usage to the invited phone number (via OTP).

Security baked-in

  • OTP brute-force limits and cooldown; IP/device heuristics optional.
  • Short link token opaque; no embedded PII.
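Added example, not the project's code, of the OTP rules above in Go: a 6-digit code drawn from crypto/rand, a wrong-guess budget with cooldown, expiry, single use and a constant-time compare, returning the ≤10m expiry the viewer_jwt is minted with (the JWT itself is left to a library). The 5-minute OTP lifetime, 5-guess budget and 15-minute cooldown are assumed values.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Standardized error codes from the spec; a locked-out challenge also answers OTP_INVALID.
var ErrOTPInvalid, ErrTokenExpired = errors.New("OTP_INVALID"), errors.New("TOKEN_EXPIRED")

// Assumed policy values (otpTTL, maxFailures, cooldown); viewerTTL follows the spec's viewer_jwt ≤10m.
const otpTTL, maxFailures, cooldown, viewerTTL = 5 * time.Minute, 5, 15 * time.Minute, 10 * time.Minute

// Challenge is the OTP state for one short link + invited phone (hashed index); the code is only ever sent to that phone, which is what locks the link to it.
type Challenge struct {
	PhoneIndex, Code    string // Code must never reach logs or API responses
	expires, cooldownTo time.Time
	failures            int
}

// NewChallenge draws a uniform 6-digit code from crypto/rand (the dev mock fixes it at 123456).
func NewChallenge(phoneIndex string, now time.Time) *Challenge {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		panic(err) // no entropy: fail closed rather than issue a weak code
	}
	return &Challenge{PhoneIndex: phoneIndex, Code: fmt.Sprintf("%06d", n.Int64()), expires: now.Add(otpTTL)}
}

// Verify enforces lock-out, expiry, single use and a constant-time compare; on success it returns the viewer_jwt expiry.
func (c *Challenge) Verify(code string, now time.Time) (time.Time, error) {
	if now.Before(c.cooldownTo) {
		return time.Time{}, ErrOTPInvalid // say nothing about the lock-out itself
	}
	if now.After(c.expires) {
		return time.Time{}, ErrTokenExpired
	}
	if subtle.ConstantTimeCompare([]byte(code), []byte(c.Code)) != 1 {
		if c.failures++; c.failures >= maxFailures {
			c.failures, c.cooldownTo = 0, now.Add(cooldown)
		}
		return time.Time{}, ErrOTPInvalid
	}
	c.expires = time.Time{} // single use: the challenge is spent
	return now.Add(viewerTTL), nil
}
```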

Done when

Contact taps link → enters OTP → gets map; wrong phones cannot view.

Feature 6 — Live Map Viewer

Owner: Web Lead

Tasks

  • OTP screen → viewer_jwt.
  • Map (Leaflet/MapLibre) with live breadcrumb via SSE/WS.
  • Actions: Call, Text, Directions (Google/Apple).
  • States: "Event ended," "Link expired," "Unauthorized."

Security baked-in

  • No secrets in localStorage; use memory only.
  • Auto-refresh viewer_jwt if needed; disconnect on stop/TTL.

Done when

p95 map update latency ≤ 5s from device ping.

Feature 7 — Reliability & Perf

Owner: DevOps/Sec + all leads

Tasks

  • Retries with backoff on mobile for /loc.
  • SMS provider fallback (if feasible) or retry.
  • CDN for viewer; keep bundle light.

Security baked-in

  • Secrets in KMS/Vault; separate staging/prod keys.
  • CI checks: secret scans, dependency audit, log redaction test.

Done when

Drive test shows: press→SMS < 3s, OTP < 6s, map p95 < 5s, battery ≤ 8%/hr.

Feature 8 — (Optional for MVP) Rolling Audio Clips

Owner: Mobile Lead (capture), Backend Lead (presign/list), Web Lead (progressive player)

Tasks

  • Record 5–10s chunks; encrypt client-side with per-event audio key.
  • Upload chunk; viewer auto-plays in sequence.
  • Purge with event TTL.

Security baked-in

  • Encrypted at rest (E2EE) + short presigned URLs; viewer decrypts.
  • Never store unencrypted audio anywhere.

Done when

First audible playback ≤ 5s from capture; blobs purged at TTL.

Feature 9 — Docs, Privacy, Ops

Owner: DevOps/Sec + Backend Lead

Tasks

  • SECURITY_BASELINE.md (transport, logging, hashing).
  • RETENTION.md (60-min TTL, logs ≤7d, what's stored).
  • LE-request playbook (what exists: ciphertext + hashed indexes).
  • Basic runbook: rotate tokens, disable event, check TTL worker, SMS health.

Security baked-in

  • Public-facing plain-English retention in landing page/app.

Done when

Docs merged; team can answer "what do you store?" in one sentence.

Feature 10 — QA & Field Testing

Owner: QA/Field Lead

Tasks

  • Test matrix: iOS/Android; LTE/Wi-Fi; lock screen; low battery.
  • Replay test: resend old seq → server rejects.
  • Expired token test: viewer link after TTL → "Link expired."
  • Accessibility & EN/ES copy pass.
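Added example, not the project's code, covering the encrypted ping from Feature 3 (AEAD with AAD = event_id|seq, seq and ts inside the payload) and the replay and expired-seq tests above: SealPing is the device side, OpenPing the server side that rejects a resent seq, a relabelled seq, a blob from another event, a stale ts and any tampered bytes. AES-GCM from Go's standard library stands in for XChaCha20-Poly1305; the JSON ping layout, sending seq in the clear next to the blob, and the 60-second ts window are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Ping is the plaintext a device encrypts before POST /v1/events/{id}/loc; Ts is unix seconds.
type Ping struct{ Seq, Ts int64; Lat, Lon float64 }

// EventAEAD wraps the 32-byte per-event session key; built once at start, held in memory only.
func EventAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error, not untrusted input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return gcm
}

// SealPing runs on the device; output is nonce||ciphertext||tag, with AAD = event_id|seq.
func SealPing(gcm cipher.AEAD, eventID string, p Ping) []byte {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refuse to send rather than risk nonce reuse
	}
	pt, _ := json.Marshal(p)
	return gcm.Seal(nonce, nonce, pt, []byte(fmt.Sprintf("%s|%d", eventID, p.Seq)))
}

// OpenPing (server): seq arrives in the clear to rebuild the AAD; the decrypted seq must match it and exceed *lastSeq, and ts must be within 60s of now.
func OpenPing(gcm cipher.AEAD, eventID string, seq int64, blob []byte, lastSeq *int64, now int64) (Ping, error) {
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return Ping{}, fmt.Errorf("short blob")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(fmt.Sprintf("%s|%d", eventID, seq)))
	if err != nil {
		return Ping{}, fmt.Errorf("auth failed") // wrong key, wrong event_id/seq, or tampered bytes
	}
	var p Ping
	if json.Unmarshal(pt, &p) != nil || p.Seq != seq || seq <= *lastSeq || now-p.Ts > 60 || p.Ts-now > 60 {
		return Ping{}, fmt.Errorf("replay or stale: seq=%d ts=%d", p.Seq, p.Ts)
	}
	*lastSeq = seq
	return p, nil
}
```

In production *lastSeq lives in Redis per event and is dropped with the event at stop/TTL, so a late ping for a purged event fails closed.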

Security baked-in

  • Verify: no raw phones/tokens in logs; TTL deletes rows/blobs.

Done when

All blockers closed; demo drive in target neighborhood passes SLOs.

Two-Weekend Timeline (suggested)

  • Fri Night: Feature 0 done; mock + SDKs published.
  • Sat: Features 1–3 (mobile), 4–5 (backend), 6 (web) against mock.
  • Sun: Swap to staging; basic end-to-end run; fix blockers.
  • Weekdays: Features 7, 9, 10; optional 8 (audio).
  • Next Weekend: Field tests + polish; tag v0.1.

Definition of Done (MVP)

  • Trigger → verified contacts receive SMS → OTP → authorized viewer sees live updating map within ≤5s.
  • Event auto-expires at TTL; pings, tokens, and any media purged; logs redacted.
  • Disguise shell + hidden trigger + cancel reliable.
  • Docs + runbook exist; retention and LE-request policy published.