# Risks And Gaps

Open items only; remove resolved duplicates.

## Auth

- KSA-focused phone normalization; multi-country strategy pending.
- Phone auth abuse controls need production tuning (IP/device thresholds).
- Social login/OAuth linking policy still undefined (collision/merge rules).
- JWT test warning exists for short test signing key (`InsecureKeyLengthWarning`).
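The key-length warning above is the library's way of flagging an HMAC secret shorter than the hash output, which RFC 7518 §3.2 requires as a minimum (32 bytes for HS256). The following is an added illustration, not this project's code or its JWT library: a minimal stdlib-only HS256 signer that refuses short keys outright instead of warning, so a test fixture like `b"test-secret"` fails fast rather than shipping into a config. Names (`check_hs256_key`, `sign_hs256`, `verify_hs256`) are invented for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output.
# For HS256 that is 256 bits. Assumed policy for this example: enforce, don't warn.
MIN_HS256_KEY_BYTES = 32


class InsecureKeyLength(ValueError):
    """Raised when an HS256 key is shorter than the hash output size."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_is_acceptable(key: bytes) -> bool:
    return len(key) >= MIN_HS256_KEY_BYTES


def check_hs256_key(key: bytes) -> None:
    if not key_is_acceptable(key):
        raise InsecureKeyLength(
            f"HS256 key is {len(key)} bytes; need at least {MIN_HS256_KEY_BYTES}"
        )


def generate_hs256_key() -> bytes:
    # CSPRNG-backed key of exactly the minimum acceptable length.
    return secrets.token_bytes(MIN_HS256_KEY_BYTES)


def sign_hs256(payload: dict, key: bytes) -> str:
    check_hs256_key(key)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload if the token is a validly signed HS256 JWT, else raise ValueError."""
    check_hs256_key(key)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # The expected algorithm is fixed by the verifier, never taken from the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def token_is_valid(token: str, key: bytes) -> bool:
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = generate_hs256_key()
    tok = sign_hs256({"sub": "user-1"}, key)
    print(tok)
    print(verify_hs256(tok, key))
```

Pointing a test suite at `generate_hs256_key()` instead of a short literal both removes the warning and keeps test and production on the same key-length policy.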

## Booking

- No explicit timezone/business-hours policy beyond current availability checks.
- Cancellation policy and refund policy not finalized.

## Payments

- Core Moyasar flow works; admin capture/refund endpoints not exposed yet.
- Monitoring/alerting for webhook failures is still basic.

## Localization

- Foundations exist (`en`, `ar-sa`, RTL), but translation coverage is incomplete.
- RTL QA across all future pages still pending.

## Ops/Compliance

- No full audit log strategy for privileged actions.
- No PDPL/GDPR retention policy or data export workflow.
- No formal observability baseline (metrics/SLO dashboards).