GameList/TASKS.md


Findings Pick'n'Play

  • Non-admin suggestion edits are effectively allowed during Vote/Results: only the title is locked; other fields update (PUT /api/suggestions/{id} at Endpoints/SuggestEndpoints.cs:182-193). Test Phase_gate_blocks_player_update_in_vote_phase asserts 200 and only checks the name, so it masks the missing phase gate for non-admin updates.
  • The joker create path still enforces the 5-suggestion cap. The spec implies a joker grants an extra game in Vote, but the code rejects the request when a player already has 5 suggestions (existingCount >= 5 even when usingJoker). No test covers this, so the defect would ship unnoticed.
  • Editing another player's suggestion is untested. The endpoint returns 401 for non-owners, but the suite never exercises this path, leaving a security/authorization regression risk.
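
The three findings expressed as one decision table with the checks the suite is missing. This is an added sketch, not code from GameList: `Phase.Suggest`, the 409 status, the admin exemption, the rule that creating in Vote requires a joker, and all type and method names are assumptions; only the 401 for non-owners and the cap of 5 come from the findings.

```csharp
using System;

// Added illustration, not the project's code (see the assumptions listed above).
var player = new Caller("p1", IsAdmin: false);

// Finding 1: an owner's update in Vote/Results is rejected outright, so the
// test must assert the status, not only that the name stayed unchanged.
Check(Policy.Update(player, "p1", Phase.Vote) == 409, "owner update in Vote");
Check(Policy.Update(player, "p1", Phase.Results) == 409, "owner update in Results");
Check(Policy.Update(player, "p1", Phase.Suggest) == 200, "owner update in Suggest");
// Finding 3: a non-owner is refused regardless of phase.
Check(Policy.Update(player, "p2", Phase.Suggest) == 401, "non-owner update");
// Finding 2: the joker bypasses the cap in Vote; without it the cap holds.
Check(Policy.Create(5, Phase.Vote, usingJoker: true) == 200, "joker at cap");
Check(Policy.Create(5, Phase.Suggest, usingJoker: false) == 409, "cap without joker");
Check(Policy.Create(0, Phase.Vote, usingJoker: false) == 409, "Vote without joker");
Console.WriteLine("all policy checks passed");

static void Check(bool ok, string name)
{
    if (!ok) throw new InvalidOperationException($"policy check failed: {name}");
}

enum Phase { Suggest, Vote, Results }

record Caller(string PlayerId, bool IsAdmin);

static class Policy
{
    const int Cap = 5; // per-player cap quoted in the findings

    // Status for PUT /api/suggestions/{id}.
    public static int Update(Caller caller, string ownerId, Phase phase)
    {
        if (caller.IsAdmin) return 200;             // assumed admin exemption
        if (caller.PlayerId != ownerId) return 401; // status the findings report
        return phase == Phase.Suggest ? 200 : 409;  // gate every field, not just the title
    }

    // Status for creating a suggestion.
    public static int Create(int existingCount, Phase phase, bool usingJoker)
    {
        if (phase == Phase.Results) return 409;
        if (phase == Phase.Vote) return usingJoker ? 200 : 409; // joker skips the cap
        return existingCount >= Cap ? 409 : 200;
    }
}
```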