StringStep Engineering Plan

Date: 2026-05-15

Status: locked P0 build plan.

Product Center

StringStep is a visible safety Step that automatically becomes a private, searchable, beautiful timeline:

• map;
• movement;
• audio;
• transcript;
• check-ins;
• sharing events;
• delete receipt.

The loop is:

Start -> Record -> Retrace

Everything that does not make that loop feel magical waits.

P0 Promise

P0 is an iPhone-first product:

1. Tap Start and the active UI appears in under 300 ms.
2. The phone records audio and location visibly.
3. Route, audio, and transcript state are captured local-first.
4. Live location can be shared with one trusted viewer through a link.
5. A stopped Step opens a snappy review shell in under 500 ms.
6. The Step becomes a beautiful replay: map, movement, audio, transcript, check-ins, sharing events, and delete receipt.
7. Private storage is encrypted; cloud transcription is optional and auditable.

Non-Goals For P0

Cut hard:

• web owner dashboard;
• trusted contact accounts;
• People tab;
• live audio streaming;
• emergency release rules;
• public trails;
• social features;
• Apple Watch;
• Android;
• family/child mode;
• direct emergency dispatch;
• hidden or remote microphone activation;
• AI summaries or memory features;
• broad export unless needed for review/legal trust.

Product Screens

The iPhone app has three tabs:

• Start
• Steps
• Account

Start

One primary button:

Start Step

Requirements:

• active state under 300 ms;
• stop always visible;
• check-in marker under 150 ms local;
• Ask for help / Mark urgent, not Panic;
• status chips for Audio, Location, Upload, Access, Transcription, Delete.

Steps

The archive is the product, not a storage drawer.

Step detail must include:

• beautiful route replay;
• timeline scrubber;
• audio rows aligned to the same timeline;
• transcript segments aligned to the same timeline;
• check-ins and urgent markers;
• sharing events;
• retention state;
• delete receipt.

Account

Account owns:

• trial/subscription state;
• transcript preference;
• retention preference;
• support;
• privacy policy/terms;
• restore purchases.

Transcription Modes

Auto transcription is core. The simplification is not removing transcription; it is making transcription honest and privacy-enabled.

1. Private Auto Transcript

Long-term default.

The iPhone transcribes after the Step ends using on-device recognition when available. Transcript segments are encrypted locally and uploaded only as ciphertext.

Copy:

StringStep can automatically transcribe your Steps without sending audio to StringStep servers or a third-party transcription provider, when your device supports private transcription.

2. Cloud Enhanced Auto Transcript

Practical MVP/beta path.

The user explicitly enables:

Automatically transcribe new Steps with cloud transcription.

Copy:

To create transcripts, your audio is temporarily decrypted and sent to our transcription provider. StringStep does not store plaintext audio or plaintext transcripts. Transcript results are encrypted before storage.

Do not say nobody ever sees plaintext when cloud transcription is enabled. Say:

Private storage is encrypted. Cloud transcription is optional and auditable.

3. Manual Transcript

Fallback for:

• ask-each-time users;
• expired subscriptions;
• low battery;
• bad network;
• unsupported language;
• selected audio windows.

Transcript Preference Choices

Show during onboarding and in Account:

• Private on-device when available.
• Cloud enhanced after each Step.
• Ask me each time.
• Off.

Transcript Badges

Every Step detail screen should show one of:

• Transcript ready.
• Transcribing on device.
• Waiting for Wi-Fi.
• Cloud transcription enabled.
• Transcript encrypted.
• Transcript deleted.

Transcription Architecture

Build transcription as a first-class pipeline, not a bolt-on job.

TranscriptionOrchestrator

Runs after Stop:

1. Check account-level transcript setting.
2. Check per-Step transcript override.
3. Check battery, network, and Wi-Fi constraints.
4. Prefer on-device transcription if available.
5. Otherwise, if cloud enhanced transcription is enabled, enqueue cloud transcription.
6. Emit transcript segments as start_ms, end_ms, text, source, revision.
7. Encrypt transcript segment objects before durable storage.
8. Align segments to the same timeline as map/audio.
9. Add audit events for requested, segment stored, completed, failed, and deleted states without logging transcript text.

OpenAI Path

Use OpenAI transcription only after explicit cloud opt-in.

Implementation notes:

• Use realtime transcription when transcript deltas materially improve the review experience.
• Use batch speech-to-text for offline/file workflows where streaming is not needed.
• Long Steps need chunking because file transcription has upload limits.
• Keep plaintext transcript text out of logs, analytics, support events, and audit event bodies.
• Encrypt transcript output before persistence.
• Delete queued and completed transcript artifacts when the Step is deleted.

Maps

Beautiful map replay is core.

P0 map requirements:

• native MapKit on iPhone;
• lightweight web map for live links;
• clear current-position state;
• start/end markers;
• route line with calm premium styling;
• timeline-linked movement;
• readable street/area context;
• route playback independent of network after local metadata exists.

MapReplayEngine owns:

• normalized route geometry;
• sampled replay frames;
• timeline sync;
• start/end/current markers;
• live viewer frame handling.

Latency Targets

Local state wins first. Network reconciliation comes second.

Data Model

Minimal P0 tables:

• users;
• devices;
• sessions;
• sensor_chunks;
• live_frames;
• share_links;
• transcript_jobs;
• transcript_segments;
• deletion_jobs;
• audit_events;
• billing_entitlements.

Defer:

• trusted_contacts;
• recipient_grants beyond simple link scope;
• recovery/escrow;
• owner web dashboard key state;
• social/public stream tables.

Protocol

Private storage path:

1. Capture route/audio locally.
2. Write encrypted chunks locally.
3. Upload ciphertext chunks.
4. Commit chunk manifests.
5. Store metadata and audit events.
6. Never require server-side plaintext for private route/audio/transcript storage.

Transcript path:

1. Consent decision.
2. On-device transcription when available.
3. Cloud fallback only after explicit opt-in.
4. Segment output.
5. Encrypt segment objects.
6. Store encrypted transcript artifacts and segment metadata.
7. Delete transcript artifacts with the Step.

API Surface

P0 routes:

GET    /health
GET    /v1/me
POST   /v1/devices/register
POST   /v1/sessions
GET    /v1/sessions
GET    /v1/sessions/:id
POST   /v1/sessions/:id/stop
POST   /v1/sessions/:id/check-in
POST   /v1/sessions/:id/urgent
POST   /v1/sessions/:id/upload-url
POST   /v1/sessions/:id/chunks/commit
POST   /v1/sessions/:id/transcripts
DELETE /v1/sessions/:id
GET    /live/:token

Use session internally if helpful, but user-facing copy says Step.

Billing

Keep the accepted pricing:

• 90 days free;
• no credit card required;
• then $10/month or $90/year.

Use RevenueCat for iOS launch unless there is a strong reason not to.

The 90-day no-card trial is a server entitlement, not an App Store intro trial.

Expired users cannot:

• start new Steps;
• live share;
• create new transcription jobs.

Expired users must still be able to:

• review existing Steps;
• play existing audio;
• view existing transcripts;
• delete;
• export if export exists;
• manage subscription;
• restore purchases;
• contact support.

First Implementation Slices

Slice 1: Local Step Reality

Exit criteria:

• no recording before Start;
• no recording after Stop;
• active UI under 300 ms;
• route point visible under 1 sec;
• local route replay works;
• local audio playback works;
• delete removes local Step data.

Slice 2: Encrypted Queue And Upload

Exit criteria:

• encrypted audio chunks;
• encrypted route chunks;
• chunk manifests;
• upload URL;
• batch commit;
• offline retry;
• no plaintext audio/route/transcript in logs.

Slice 3: Retrace Experience

Exit criteria:

• Steps archive;
• beautiful map replay;
• synchronized timeline;
• audio rows;
• transcript badges;
• sharing events;
• delete receipt;
• 60 fps feel while scrubbing local data.

Slice 4: Transcription

Exit criteria:

• transcript preference onboarding;
• TranscriptionOrchestrator;
• on-device preferred path;
• cloud enhanced opt-in path;
• segment schema;
• encrypted transcript artifact storage;
• transcript deletion;
• audit events without text.

Slice 5: Live Link

Exit criteria:

• one-time live location link;
• 1-3 second refresh while active;
• current position/status;
• check-in/urgent markers;
• expiration/revoked state;
• no live audio.

Current Repo Anchors

Important files:

• docs/product-contract.md
• docs/mvp-build-plan.md
• apps/ios/Sources/StringStepKit/StepCore.swift
• packages/protocol/src/index.ts
• apps/api/src/server.ts
• apps/web-dashboard/app/page.tsx

The current local commit that locked the P0 spine:

58db4a0 Lock StringStep P0 product spine

Bottom Line

Do not build a broad safety platform.

Build the magical core:

Start -> Record -> Retrace

Auto transcription is core. Beautiful maps are core. Snappy local-first UX is core. Everything else waits.