From d9573540d645b36a651ad4e48a5d983c51739edf Mon Sep 17 00:00:00 2001 From: Frank Tovar Date: Thu, 5 Feb 2026 19:14:35 +0100 Subject: [PATCH] Add findings summary to TASKS --- TASKS.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 TASKS.md diff --git a/TASKS.md b/TASKS.md new file mode 100644 index 0000000..9412e3d --- /dev/null +++ b/TASKS.md @@ -0,0 +1,5 @@ +# Findings – Pick'n'Play + +- Non-admin suggestion edits are effectively allowed during Vote/Results: only the title is locked; other fields update (`PUT /api/suggestions/{id}` at Endpoints/SuggestEndpoints.cs:182-193). Test `Phase_gate_blocks_player_update_in_vote_phase` asserts 200 and only checks the name, so it masks the missing phase gate for non-admin updates. +- Joker create path still enforces the 5-suggestion cap. Spec implies joker grants an extra game in Vote, but code rejects when a player already has 5 suggestions (`existingCount >= 5` even when `usingJoker`). No test covers this, so the defect would ship unnoticed. +- Editing another player's suggestion is untested. The endpoint returns 401 for non-owners, but the suite never exercises this path, leaving a security/authorization regression risk.
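Review bot: The three bullets in the new TASKS.md record findings but no remediation tasks, so each one should state the change it asks for; for the first bullet, `Phase_gate_blocks_player_update_in_vote_phase` currently asserts 200 while its name promises a block, so the task is to make that test expect the phase-gate rejection for non-admins and to compare every mutable field, not only the name, and to add the missing gate in the `PUT /api/suggestions/{id}` handler. The `Endpoints/SuggestEndpoints.cs:182-193` reference will go stale on the first edit to that file; anchor the finding to the handler or to the `existingCount >= 5` check instead, and for the joker bullet spell out the intended rule (cap bypassed only when `usingJoker` is set) so the new test has something to assert. For the third bullet, note that an authenticated non-owner being answered with 401 conflates authentication with authorization (403 is the conventional response), and that the new test should cover both the non-owner rejection and the owner's success path so a regression in either direction is caught.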