# Risks And Gaps

This file tracks known gaps and risks to address in future iterations.

## Security And Auth

- Phone auth only verifies existing users. Add a phone-first sign-up flow.
- OTP rate limiting, resend cooldown, and abuse protections are missing.
- Phone normalization/validation (E.164) is not implemented.
- Social login is a placeholder.

## Booking Integrity

- No availability checks or overlap prevention for staff/salon schedules.
- No timezone handling or business hours enforcement.
- No cancellation rules or refund logic.

## Payments

- Payment integration is not implemented. The current API only stores records.
- Webhook handling and payment status reconciliation are missing.
- Idempotency handling for payment creation is missing.

## Data And UX

- Ratings are not recalculated from reviews.
- No image upload or storage strategy for photos.
- No notifications (email/SMS) beyond OTP scaffolding.

## Ops And Compliance

- No audit logs for admin actions.
- No multi-tenant isolation or data export tooling.
- No GDPR/PDPL data retention policies defined.
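The two Security And Auth gaps above (OTP rate limiting with a resend cooldown, and E.164 normalization) are small enough to close in one guard module. The sketch below is an added example, not code from this project; it assumes an in-memory store (swap for Redis or the database in production), a default country code for numbers entered without `+`, and the hypothetical policy values in `OtpPolicy`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# E.164: leading '+', first digit 1-9, at most 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def normalize_e164(raw: str, default_cc: str = "+1") -> Optional[str]:
    """Return a canonical E.164 string, or None if the input is unusable.
    Assumption: numbers without '+' or '00' belong to default_cc."""
    digits = re.sub(r"[\s().-]", "", raw.strip())
    if digits.startswith("00"):          # international dialing prefix
        digits = "+" + digits[2:]
    elif not digits.startswith("+"):     # national format, strip trunk zero
        digits = default_cc + digits.lstrip("0")
    return digits if E164.match(digits) else None


@dataclass
class OtpPolicy:
    resend_cooldown_s: int = 60      # min seconds between two sends
    max_sends_per_window: int = 5    # sends allowed per window per phone
    window_s: int = 3600
    max_verify_attempts: int = 5     # wrong codes before lockout


@dataclass
class OtpGuard:
    policy: OtpPolicy = field(default_factory=OtpPolicy)
    _sends: Dict[str, List[float]] = field(default_factory=dict)
    _failed: Dict[str, int] = field(default_factory=dict)

    def can_send(self, phone: str, now: float) -> Tuple[bool, str]:
        """Record a send if allowed; otherwise say why it was refused."""
        sends = [t for t in self._sends.get(phone, []) if now - t < self.policy.window_s]
        self._sends[phone] = sends
        if sends and now - sends[-1] < self.policy.resend_cooldown_s:
            return False, "cooldown"
        if len(sends) >= self.policy.max_sends_per_window:
            return False, "rate_limited"
        sends.append(now)
        return True, "ok"

    def record_verify(self, phone: str, ok: bool) -> bool:
        """Return False once the phone is locked out after too many wrong codes."""
        if ok:
            self._failed.pop(phone, None)
            return True
        self._failed[phone] = self._failed.get(phone, 0) + 1
        return self._failed[phone] < self.policy.max_verify_attempts
```

Key the counters on the normalized number so that `+1 415 555 0100` and `415-555-0100` share one budget, and log refusals so repeated `rate_limited` results surface as an abuse signal.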