Posture + phasing

D-009: Posture + phasing

Round 3 of /research full-app-scope:

  1. Auth = Firebase Auth multi-provider — Google Sign-In + Apple Sign-In + Email/Password. Apple Sign-In mandatory on iOS when other providers are present (App Store rule). NestJS verifies tokens via Firebase Admin SDK. Verify-before-phase-8: Firebase Auth project MUST be created with EU residency enabled via Identity Platform tier, OR a fallback Auth shim implemented. tech-architect confirms residency setup before phase 8 work starts.
  2. Offline play = heavy. Players walk, allocate points, and complete quests offline. Anti-cheat validates server-side on sync. 7-day offline cap before forced re-attestation. Allocations made offline are provisional until server validates step provenance against HealthKit / Health Connect authoritative source.
  3. GDPR = strict. All data resident in GCP europe-central2-warsaw. Delete-on-demand within 30 days, full purge. Anonymization after 12-month inactivity. No profiling-based ML training on user data, no behavioural ads. Marketable as “privacy-first walking RPG”.
  4. Phasing past phase 10:
    • Phase 11 — closed beta vertical slice (6 regions sketched, basic combat preview, faction reputation, full social/guild systems; no deep crafting, no watch).
    • Phase 12 — crafting system (recipes, materials, leak harvesting per region).
    • Phase 13 — watch-native (Apple Watch + Wear OS). The original CLAUDE.md “Phase 2” sentinel resolves to Phase 13, post-beta-1.

Reasoning: Strict GDPR posture is a competitive differentiator for a hardcore EU audience and aligns with the anti-cheat philosophy (control over data). Heavy offline solves walking-game UX in low-signal environments. Phasing protects scope discipline — closed beta ships the core walking + tree + quest loop first; crafting and watch are post-beta moves.
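
The server-side sync check from item 2 (7-day offline cap, provisional allocations confirmed only against the authoritative step record), as an added TypeScript example that is not the project's own code. The function name, data shapes and the steps-per-point rate are assumptions, and the authoritative HealthKit / Health Connect step total is taken as an input.

```typescript
// Added example. Names, data shapes and STEPS_PER_POINT are assumptions, not project code.
const DAY_MS = 24 * 60 * 60 * 1000;
const OFFLINE_CAP_MS = 7 * DAY_MS; // 7-day offline cap before forced re-attestation
const STEPS_PER_POINT = 1000;      // hypothetical conversion rate

interface OfflineAllocation { id: string; points: number; madeAt: number } // madeAt: client clock, epoch ms
interface SyncBatch {
  lastAttestedAt: number;           // server-recorded time of the last attestation, epoch ms
  claimedSteps: number;             // step total the client reports for the offline window
  allocations: OfflineAllocation[]; // provisional until validated below
}
type SyncResult = { status: "validated" | "reattest_required"; confirmed: string[]; rejected: string[]; creditedSteps: number };

// authoritativeSteps: step total from the HealthKit / Health Connect record for the same
// window, supplied by the caller (assumption: how it is obtained is out of scope here).
function validateSync(batch: SyncBatch, authoritativeSteps: number, serverNow: number): SyncResult {
  // Past the cap nothing is decided: every allocation stays provisional until re-attestation.
  if (serverNow - batch.lastAttestedAt > OFFLINE_CAP_MS) {
    return { status: "reattest_required", confirmed: [], rejected: [], creditedSteps: 0 };
  }
  // Never credit more than the authoritative source shows, whatever the client claims.
  const creditedSteps = Math.max(0, Math.min(batch.claimedSteps, authoritativeSteps));
  let budget = Math.floor(creditedSteps / STEPS_PER_POINT);
  const confirmed: string[] = [];
  const rejected: string[] = [];
  for (const a of batch.allocations.slice().sort((x, y) => x.madeAt - y.madeAt)) {
    const inWindow = a.madeAt >= batch.lastAttestedAt && a.madeAt <= serverNow;
    const wellFormed = Math.floor(a.points) === a.points && a.points > 0;
    if (inWindow && wellFormed && a.points <= budget) {
      budget -= a.points;
      confirmed.push(a.id);
    } else {
      rejected.push(a.id); // out-of-window timestamp, malformed points, or not backed by steps
    }
  }
  return { status: "validated", confirmed, rejected, creditedSteps };
}

// Constructed sample: client claims 9000 steps, the authoritative record shows 5200.
const SAMPLE: SyncBatch = {
  lastAttestedAt: 0, claimedSteps: 9000,
  allocations: [
    { id: "a1", points: 3, madeAt: 1 * DAY_MS },
    { id: "a2", points: 2, madeAt: 2 * DAY_MS },
    { id: "a3", points: 1, madeAt: 2.5 * DAY_MS },
    { id: "a4", points: 1, madeAt: 5 * DAY_MS }, // later than a sync performed on day 3
  ],
};
```

Calling `validateSync(SAMPLE, 5200, 3 * DAY_MS)` confirms only the allocations the authoritative 5200 steps can pay for; the same batch synced on day 8 comes back as `reattest_required` with nothing confirmed.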