← Portal
AI Project Audit · Executive report 2026-05-19

SONI-remix-new

executive report

This audit covered 10 dimensions of the SONI-remix-new codebase, looking for issues that would block a launch, expose the business to legal or regulatory risk, or make the product hard to operate. The audit was performed against the Audit Charter v0.4 --- a structured methodology with explicit severity and launch-priority definitions.

This report summarizes findings in business terms, with recommended fixes and effort estimates for each. The companion technical report (tech-report.md) contains the file-level details for the engineering team.

Total findings
123
Cannot launch as-is
55
Should fix first sprint
52
01

Top-line summary

18
Kritikus
38
Magas
50
Közepes
17
Alacsony
55 of 123 findings must be fixed before public launch.

The product cannot launch in its current state. 55 of 123 findings are launch-blocking. The most urgent are concentrated in security, legal compliance, and AI integration --- these compound each other and require sequenced remediation.

02

What this means for the launch

The audit covered ten dimensions of the application and identified 123 findings, of which 55 are launch-blocking. Eighteen findings are at the critical severity level (production-launch blocker), concentrated in three areas: legal documentation (no Privacy Policy and no Terms of Service exist, against a sign-up screen that already claims a user has accepted them), domain compliance (the Biological/Health-age computation crosses the EU Medical Device Regulation Rule 11 threshold, and the app has no age gate to keep minors out), and operational security around the AI coach (an unauthenticated cron endpoint can drain the AI credit balance, the chat endpoint loads a 3,000-token context on every turn, and there is no per-user budget or rate limit). The product as it stands cannot be launched in the EU.

Four clusters carry most of the leverage. The first is the legal-documentation cluster (LEG-001 Privacy Policy, LEG-002 Terms of Service, LEG-008 DPIA, plus the cookie/consent and DSR findings) - fourteen findings reference these as prerequisites. Standing up a real Privacy Policy, Terms of Service, and a documented DPIA closes the single largest block to EU launch and unlocks app-store submission. This cluster is engineer-cheap (mostly hosting a static page) but counsel-expensive (the content needs a privacy lawyer); plan on calendar time, not engineering time.

The second is the medical-device positioning cluster around DOM-001 (Biological-age = Class IIa medical device under MDR Rule 11). This is a decision before it is a fix: launch as a wellness/lifestyle product (which means removing the Biological-age feature or recasting it explicitly as non-diagnostic) or pursue CE marking (12-18 month timeline, six-figure cost). DOM-001 is referenced by ten other findings - the choice flows through to copy, consent text, age gating, AI Act labelling, and the DPIA scope.

The third is the AI cost and abuse cluster (SEC-002 unauthenticated cron, SEC-005 no rate limit, AI-003 no per-user budget, AI-005 single-provider lock-in, SCA-001 prompt bloat, SCA-007 cost runaway). A single attacker with curl can drain the AI credit balance in minutes; a single user with a script can do the same more slowly through the front door. The fix is sequenced: authenticate the cron endpoint, add per-user rate limits and a daily token budget, slim the per-turn coach prompt, then wire a fallback AI provider. Doing this work in order closes seven launch-blockers and removes the single largest unplanned-spend risk.

The fourth is the mobile readiness cluster - four critical and four high findings in this dimension. The product runs as a web SPA today; mobile entry is via screenshot OCR rather than native HealthKit/Health Connect, there is no PWA install prompt, push notifications and offline mode are not implemented, and the touch surface has not been audited for one-handed use. This is a deployment-path decision (PWA, Capacitor wrapper, or native rewrite) before it is a remediation list.

Total estimated effort to launch-readiness, summing only the must-fix findings on the S=1/M=3/L=10-day heuristic, is approximately 207 engineering-days (~41-42 engineer-weeks for one developer, materially shorter with two engineers plus parallel counsel work on the legal cluster). The first-sprint backlog is another 150 engineering-days; the deferrable backlog is 29 days.

03

Top launch-blockers in detail

The four issue clusters identified above carry the bulk of the launch-blocking risk. Each cluster's top 5 findings are shown below as compact cards. Full technical anatomy — evidence, code locations, fix steps, references — lives in the linked dimension pages of the tech report.

Cluster 1 of 1
AI cost and abuse
5 of top 5 shown · 31 total assigned to this cluster
Kritikus Launch előtt L
SCA-001 Coach chat endpoint loads massive context on every turn (10+ Supabase queries + 7-day biometrics + full profile JSON-stringified into prompt)
Mit jelent ez Önnek
Every time a user sends a chat message to your coach, your server runs around 17 database queries and packs the user entire week of biometrics, full profile, all today meals and workouts into the prompt sent to OpenAI. None of this is cached, so two messages five seconds apart re-do all the work.
Mit javaslunk
Introduce a per-user context cache keyed by (userId, dayKey) with a 60-90 second TTL via Cloudflare Workers KV or an in-Worker Map.
Full detail: SCA-001 in scalability.html
Kritikus Launch előtt S
SEC-002 Unauthenticated cron endpoint uses service-role key to enumerate all users and trigger AI calls
Mit jelent ez Önnek
There is a URL on your app that, when anyone on the internet sends a POST request to it, will run an expensive AI job for every user in your database. There is no password or signature check on it. This is the single fastest way for someone to run up your AI bill or probe your user list.
Mit javaslunk
Add a shared-secret header check at the top of the handler. Generate a long random string (e.g. openssl rand -hex 32), store it as CRON_SHARED_SECRET in the environment, and reject requests whose Authorization: Bearer <secret> header does not match.
Full detail: SEC-002 in security.html
Magas Launch előtt L
AI-003 No per-user AI budget, no per-call token logging, no system-wide circuit breaker - single user can drain the AI credit balance
Mit jelent ez Önnek
Your app makes paid AI calls in 38+ different places, but there is nothing tracking how many tokens each user is using, no per-user spending cap, and no log of which call cost what. When your AI bill arrives, you have no way to see which user or which feature drove the spend. The fix is to wrap every AI call in a single helper that checks the user's monthly quota, records the cost, and refuses to call if the quota is exceeded.
Mit javaslunk
Add columns to profiles: monthly_ai_tokens_used INTEGER NOT NULL DEFAULT 0, monthly_ai_tokens_limit INTEGER NOT NULL DEFAULT 200000, monthly_reset_at TIMESTAMPTZ.
Full detail: AI-003 in ai-integration.html
Magas Launch előtt L
AI-005 Single-provider lock-in via Lovable AI Gateway with no fallback, no abstraction layer - 38+ files each construct their own fetch and hard-code the URL / model
Mit jelent ez Önnek
Every AI feature in your app calls one specific URL provided by Lovable. There is no backup, no second option, and the URL plus model name are copied across 38 different files. If Lovable has an outage (which happens to every AI provider a few times a year), every AI feature in your app stops working at the same time. If Lovable changes their prices, you have no leverage. The fix is a small wrapper module everyone calls instead of fetch - and once that wrapper exists, adding a fallback (say, calling OpenAI directly when Lovable is down) is a small change.
Mit javaslunk
Create src/server/_shared/ai-gateway.ts as the single source of truth (overlaps with AI-003 fix - same module). Export: (a) AI_GATEWAY_URL constant; (b) AI_MODELS registry mapping task names to model + temperature + maxTokens; (c) callAIGateway(opts) function with budget+log+timeout+abort wiring (from AI-003).
Full detail: AI-005 in ai-integration.html
Magas Launch előtt M
SEC-005 No application-level rate limiting on AI coach endpoints or auth endpoints
Mit jelent ez Önnek
There is no spending-limit logic on the AI endpoints. One user (or one bug) sending requests in a tight loop can burn through your AI budget in hours. Adding a simple per-user cap (e.g. 60 messages per hour) is a half-day job and gives you predictable costs.
Mit javaslunk
Add per-user rate limiting on api.coach-chat.ts and api.voice-coach-chat.ts. Cheapest approach: a Cloudflare Workers KV (or Durable Object) sliding-window counter keyed by userId. Suggested limits: 60 chat turns per hour, 20 voice transcriptions per hour, with a soft warning at 50% and a hard reject at 100%.
Full detail: SEC-005 in security.html
04

All other findings

The remaining 118 findings are grouped below by audit theme. Each row links to the full anatomy in the tech report — open any ID for evidence, code locations, and fix steps.

Security & data protection
11 findings
Kritikus Launch előtt S Remix-context SEC-001 .env file committed to repo (Supabase URL + publishable key); .env not in .gitignore in security.html
Kritikus Launch előtt S Remix-context SEC-003 Weekly-reports cron endpoint uses publishable (anon) key as the bearer secret — equivalent to no auth in security.html
Alacsony Első sprint L SEC-011 Supabase session token stored in localStorage (vulnerable to any XSS) in security.html
Kritikus Launch előtt M LEG-001 No Privacy Policy exists anywhere in the application (no file, no route, no rendered page) in legal-compliance.html
Kritikus Launch előtt M LEG-002 No Terms of Service / Terms of Use document exists; signup screen claims one exists in legal-compliance.html
Közepes Első sprint S DOM-008 AI Act Annex III risk-classification analysis not performed or documented in domain-compliance.html
Performance & scalability
13 findings
Data correctness & integrity
12 findings
Közepes Első sprint S DAT-011 Backup posture undocumented in repo; Supabase Pro PITR / retention not verified in data-integrity.html
Operations & deployment
15 findings
Kritikus Launch előtt M OPS-001 No CI/CD pipeline of any kind: no GitHub Actions, no GitLab CI, no Vercel/Netlify manifest in ops-deployability.html
Kritikus Launch előtt M OPS-005 No error tracking installed -- Sentry/Honeybadger/Rollbar/Bugsnag SDKs all absent in ops-deployability.html
Magas Launch előtt S Remix-context OPS-002 No .env.example and no documented env-var inventory -- a second engineer cannot bootstrap in ops-deployability.html
Közepes should_fix_before_launch M OPS-011 Database migrations have no documented deploy mechanism and no rollback procedure in ops-deployability.html
Közepes should_fix_before_launch M OPS-013 No feature-flag mechanism -- partial rollout, kill-switches, and dark-launching impossible in ops-deployability.html
Code quality & maintainability
12 findings
Alacsony Első sprint S COD-008 Hard-coded mock trend data ships to signed-in users on the dashboard sparklines in code-quality.html
Alacsony Első sprint M COD-010 177 raw console.* calls in production code with no logger abstraction in code-quality.html
Documentation
14 findings
Közepes Launch előtt S Remix-context DOC-003 Environment variables have no inventory document: ten required keys must be discovered by grepping source in documentation.html
Alacsony Első sprint S DOC-010 No CHANGELOG.md and no git tags: shipped behaviour has no versioned record in documentation.html
AI features
9 findings
Mobile readiness
14 findings
Kritikus Launch előtt S MOB-001 No Web App Manifest -- PWA install and baseline App Store icon requirements unmet in mobile-readiness.html
Kritikus Launch előtt L MOB-003 Lovable OAuth redirect flow will break inside iOS WKWebView (Capacitor wrapper) in mobile-readiness.html
Kritikus Launch előtt M MOB-004 No in-app account deletion -- Apple 5.1.1(v) and Google Play 2024 policy violation in mobile-readiness.html
Kritikus Launch előtt M MOB-005 Privacy policy is plain text with no URL -- Apple 5.1.1 and Play Store policy violation in mobile-readiness.html
Magas Első sprint M MOB-002 Service worker deletes all caches on every update -- no offline support in mobile-readiness.html
Magas Első sprint S Remix-context MOB-006 VAPID public key hard-coded in client bundle -- impedes key rotation in mobile-readiness.html
Közepes Első sprint S MOB-009 localStorage session storage may be cleared by iOS ITP -- unexpected logouts on mobile in mobile-readiness.html
Közepes Első sprint M MOB-011 No Universal Links or Android App Links -- notification taps open browser instead of app in mobile-readiness.html
Közepes Backlog M MOB-012 Framer Motion used across 105 files -- animation jank risk on low-end Android in mobile-readiness.html
05

Decisions you need to make

  • Choose the regulatory path for the Biological-age feature (DOM-001). Two options: (a) reposition as a wellness/lifestyle product, which means removing or recasting the Biological-age computation so it is plainly non-diagnostic, or (b) pursue CE marking under EU MDR Class IIa, which is a 12-18 month and six-figure engagement with a notified body. This decision gates roughly ten other findings (copy, consent, AI Act labels, DPIA scope).
  • Engage privacy counsel to author the Privacy Policy, the Terms of Service, and the DPIA (LEG-001, LEG-002, LEG-008). The product is already showing users a consent-screen that claims these exist. Counsel engagement is the single highest-leverage item in the report - it unlocks the legal cluster (14 findings).
  • Decide whether minors can use the product (DOM-004). No age gate exists today. Under GDPR-K, processing data of children under 16 requires verifiable parental consent. Either add an age gate at signup (engineering: small) or document the legal basis for accepting minors (counsel: required).
  • Pick a backup AI provider for the coach (AI-005). Currently the entire AI surface depends on the Lovable AI Gateway. Choose a secondary provider (Anthropic, OpenAI direct, Google direct, Bedrock) so the abstraction layer has a target to fall back to.
  • Decide data-retention periods per data category (LEG-008, AI-006). Body photos are already auto-purged at 90 days per settings.tsx. The other categories (coach messages, biometrics, profile, AI request logs) need explicit retention periods documented and enforced. This is a counsel + product call, not pure engineering.
  • Choose a mobile deployment path (Mobile readiness section). PWA (cheapest, weakest store presence), Capacitor wrapper (medium effort, app-store distribution, partial native APIs), or native rewrite (largest investment, best UX, native HealthKit/Health Connect). The decision shapes 14 findings.
  • Pick an error-monitoring and log-aggregation stack (Ops findings). Sentry, Datadog, Better Stack, or self-hosted - the choice affects setup time and recurring cost. Without this, post-launch incident triage is blind.
  • Decide on the AI-output-labelling pattern for the EU AI Act (DOM-005). Article 50 obligations apply from 2 August 2026. The fix is small (visible label on AI coach, visible label on AI-generated avatar images, watermark metadata on synthetic media) but the decision on copy and placement belongs to the product owner.
06

Total effort to launch-readiness

| Severity / Priority | Count | Estimated effort | |---|---|---| | Critical, must-fix | 18 | 81 days | | High, must-fix | 32 | 119 days | | Medium, must-fix | 5 | 7 days | | Low, must-fix | 0 | 0 days | | Total to launch-ready | 55 | 207 days | | First-sprint | 52 | 150 days | | Deferrable | 9 | 29 days |

_Effort heuristic: S = under a day, M = 1-3 days, L = 1-2 weeks._

07

Next steps

  1. Week 1 - engage counsel and start the legal artefacts. Counsel calendar is the long pole; if work on LEG-001/LEG-002/LEG-008 does not start now it will be the gating item for launch regardless of how fast engineering moves.
  2. Week 1-2 - close the AI cost-and-abuse cluster. Authenticate the cron endpoint (SEC-002), add per-user rate limits and daily token budgets (SEC-005, AI-003, SCA-007), slim the coach prompt context (SCA-001), and add the AI request audit log (AI-006). This removes the single largest unplanned-spend risk and closes 7 launch-blockers.
  3. Week 2-3 - decide on the medical-device path (DOM-001) and ship the consequence. Either remove/reposition the Biological-age feature (small engineering, large copy and consent rework) or commit to CE marking and pause that surface for launch.
  4. Week 3-4 - operations hardening. Set up the chosen error-monitoring stack, write the incident runbook and backup-restore procedure, rotate the discovered secrets, document the deployment process, and verify a real restore from backup.
  5. Week 4+ - mobile deployment decision and AI provider abstraction (AI-005). These are first-sprint-after-launch items and can be sequenced after the launch-blockers are closed.

This report is generated from structured findings in findings/.json. The companion technical report at tech-report.md includes file-line references and full fix steps for the engineer.*

AI Project Audit · Executive report Charter v0.4 · 2026-05-19