Summary
During the January 2026 issue triage, 23 issues were identified as requiring team discussion before proceeding. This issue consolidates them for efficient decision-making.
Image Password Format - CRITICAL SECURITY ISSUE
The Problem:
The current steganography implementation (ts-steganography) outputs PNG regardless of input format. This is a security vulnerability for victim-survivors:
- Most phones save photos as HEIC or JPEG
- If their key image is the only PNG in their camera roll, an abuser can easily identify it
- The whole security model relies on the key image being indistinguishable from other photos
Technical constraint: Standard LSB steganography needs a lossless container such as PNG. JPEG and HEIC are lossy; re-encoding quantises away the least-significant bits that carry the payload, so the hidden key does not survive being saved in the phone's native format.
Options to discuss:
| Option | Description | Pros | Cons |
|---|---|---|---|
| A. Image-as-seed | Hash the image → derive key. The photo itself IS the password, no modification needed. | Any format works; no modified file exists for an abuser to spot | Any change to the hashed bytes loses access forever: edits, crops and filters, but also re-encoding by cloud sync or messaging apps |
| B. Alternative disguise | Hide the key in something else common - a contact card, voice memo, note, etc. | Doesn't depend on image format | Different UX, may be less intuitive |
| C. JPEG-compatible stego | Research libraries that survive JPEG compression (F5, OutGuess) | Preserves format | Less reliable, may need larger images, more visible artifacts |
Recommendation: Option A (image-as-seed) is most promising - need to evaluate the "edited photo = lost access" risk vs current "PNG = identifiable" risk. Two caveats for that evaluation: the photo is only a secret as long as the abuser cannot simply try every image in the camera roll, so the key must come from a deliberately slow KDF (scrypt/Argon2), not a bare hash; and the hash should be taken over the decoded pixel data rather than the file bytes, so that a metadata rewrite alone (EXIF stripped by a sync service) does not lock the user out.
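An added example of what Option A looks like in code, written here for the discussion and not taken from ts-steganography or the Digital Safe repository. It hashes decoded pixel data, stretches the digest with scrypt (Node's built-in `crypto` module), and then runs the three scenarios from the table: the same photo unlocks, a cropped copy and a filtered copy do not. The salt, the scrypt cost parameters and the pixel stand-in (deterministic pseudo-random bytes, since no real HEIC/JPEG decoder is involved) are assumptions of this example.

```typescript
import { createHash, scryptSync, timingSafeEqual } from "crypto";

// Application-wide salt (assumed constant; the real project would pick its own).
// It need not be secret: it only stops a generic image-hash table from being
// reused against this application.
const APP_SALT = Buffer.from("digital-safe/image-as-seed/v1");

// scrypt cost (assumed values). Tune so one derivation takes noticeable time
// on a phone: an abuser holding the camera roll can simply try every photo,
// so a bare SHA-256 would let them test thousands of candidates per second.
const SCRYPT_PARAMS = { N: 2 ** 14, r: 8, p: 1 };

// Step 1: fingerprint the *decoded pixel data*, not the container file.
// A metadata rewrite (EXIF stripped by a sync service) then leaves the key
// unchanged; a crop, filter or re-encode that changes pixels still breaks it.
export function imageFingerprint(pixels: Uint8Array): Buffer {
  return createHash("sha256").update(pixels).digest();
}

// Step 2: stretch the fingerprint into the safe's key with a slow KDF.
export function deriveKeyFromImage(pixels: Uint8Array, keyLen = 32): Buffer {
  return scryptSync(imageFingerprint(pixels), APP_SALT, keyLen, SCRYPT_PARAMS);
}

// Constant-time comparison for checking a candidate photo's key against a stored one.
export function keysMatch(a: Buffer, b: Buffer): boolean {
  return a.length === b.length && timingSafeEqual(a, b);
}

// ---- constructed sample data: stands in for decoded HEIC/JPEG pixels ----

// Deterministic pseudo-random bytes from a seed (LCG), so the demo is reproducible.
export function samplePixels(seed: number, length = 4096): Uint8Array {
  const out = new Uint8Array(length);
  let x = seed >>> 0;
  for (let i = 0; i < length; i++) {
    x = (Math.imul(x, 1664525) + 1013904223) >>> 0;
    out[i] = x >>> 24;
  }
  return out;
}

// Simulated edits: a crop drops leading bytes; a filter changes one pixel value.
export function crop(pixels: Uint8Array, dropBytes: number): Uint8Array {
  return pixels.subarray(dropBytes);
}

export function filter(pixels: Uint8Array): Uint8Array {
  const edited = Uint8Array.from(pixels);
  edited[0] = (edited[0] + 1) & 0xff;
  return edited;
}

// The scenarios from the options table: only an unmodified copy reproduces the key.
export function demo(): {
  sameCopyUnlocks: boolean;
  croppedUnlocks: boolean;
  filteredUnlocks: boolean;
} {
  const original = samplePixels(7);
  const key = deriveKeyFromImage(original);
  return {
    sameCopyUnlocks: keysMatch(key, deriveKeyFromImage(Uint8Array.from(original))),
    croppedUnlocks: keysMatch(key, deriveKeyFromImage(crop(original, 16))),
    filteredUnlocks: keysMatch(key, deriveKeyFromImage(filter(original))),
  };
}
```

Running `demo()` returns `sameCopyUnlocks: true` and `false` for both edited copies, which is exactly the "edited photo = lost access" trade-off the table describes. The design choice to note is the slow KDF: "indistinguishable from other photos" only buys security if enumerating the camera roll is expensive, and scrypt or Argon2 is what makes it expensive.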
Privacy vs Analytics Tradeoffs
| # | Issue | Decision Needed |
|---|---|---|
| 54 | Record basic, anonymous user metrics | Do we want analytics? What metrics? How to ensure privacy? |
| 117 | Add reason buttons for deletion | Collect feedback vs user privacy on why they delete |
UX Decisions
| # | Issue | Decision Needed |
|---|---|---|
| 142 | Visually treat Safe name like password (asterisks) | Hide safe name while typing? May cause usability issues |
| 173 | Offer plausible deniability | Feature scope - how to implement? Fake "empty" safe? |
| 215 | Restrict downloads per month | Anti-abuse vs legitimate heavy users |
| 89 | Uploads from Peru to Switzerland | Latency/geo concerns - add regional servers? |
Content Moderation
| # | Issue | Decision Needed |
|---|---|---|
| 167 | Consider PhotoDNA to prevent abuse | Content scanning vs absolute privacy - fundamental tradeoff |
Major Architectural Changes
| # | Issue | Decision Needed |
|---|---|---|
| 243 | Switch from Express to Fastify | Performance gains vs migration effort |
| 247 | Split client/backend into separate repos | Monorepo vs multi-repo tradeoffs |
| 263 | Switch to Next.js for client | Framework migration - is it worth it for new design? |
| 237 | Restructure the codebase | Scope and approach for major refactor |
| 220 | Same tech stack for Sophia and Digital Safe | Cross-project alignment |
Code Quality (Suggestions - Low Priority)
These are suggestions only per engineering guidelines. Discuss if/when to address:
| # | Issue | Suggestion |
|---|---|---|
| 246 | Clean up server-blob routes | Routes shouldn't contain business logic |
| 245 | Clean up database-routes.ts | Same as above |
| 244 | Centralize all utils | Single utils directory |
| 242 | Break db.ts into services | Better separation of concerns |
| 239 | Break down BlobService classes | Functions vs classes |
| 77 | Reduce duplicated soft-deletion code | DRY principle |
Status Checks Needed
These may already be done - someone should verify:
| # | Issue | Check |
|---|---|---|
| 224 | Set up Continuous Integration | Does CI exist in .github/workflows? |
| 259 | Move Digital Safe to Azure | Where is it currently hosted? |
| 260 | Investigate recent downtime | Was root cause found? |
| 277 | Defender for Storage pricing | Azure billing status |
| 281 | Upgrade to Node 20 LTS | package.json shows >=20, verify prod deployment |
Proposed Process
- Schedule 30-min team sync to review this list
- For each item, decide: Do it / Won't do / Defer / Need more info
- Update individual issues with decisions
- Close this tracking issue when all resolved
Reference
See full triage document: docs/ISSUE_TRIAGE_2026.md