AI Project Audit · Priority map · 2026-05-19

Priority Map

SONI-remix-new

A data-driven view of the audit's 123 findings: clusters, 3-tier sprint allocation, and an effort gauge. Built from the structured cross-reference graph and the launch-priority field on each finding. Sprint assignment uses the simplest data-driven mapping (priority tier → sprint); refine by hand for client-specific timelines.

Total to launch-ready: ~207 eng-days
First sprint: ~150 eng-days
Backlog: ~29 eng-days
01 · Top-line gauge

Effort distribution by launch priority — segments are width-proportional to engineer-days.

Must fix before launch — 55 findings · ~207 eng-days
First sprint — 52 findings · ~150 eng-days
Backlog — 9 findings · ~29 eng-days

Effort heuristic: S = 1 day, M = 3 days, L = 10 days. These are coarse estimates aggregated across all launch-blocking findings; per-cluster execution may compress through parallelism. Use the cluster overview below to identify parallel tracks.

02 · Cluster overview

Findings are interconnected. Resolving the gap underlying a cluster closes multiple findings at once — these are the highest-leverage targets.

Cluster: AI cost and abuse · Hub: SCA-001
5 launch-blocking · 1 first-sprint · 0 backlog · 3 dimensions
Closes 5 launch-blocking findings across 3 dimensions if all members are remediated.
03 · Sprint kanban

Three columns, three tiers. Each tier maps directly from priority_for_launch on the finding — no hand-curation required.

Tier 1 · Must fix before launch · 55 findings · ~207 eng-days
01 · Security (5)
.env file committed to repo (Supabase URL + publishable key); .env not in .gitignore
Critical · Before launch · S · Remix-context
Unauthenticated cron endpoint uses service-role key to enumerate all users and trigger AI calls
Critical · Before launch · S
Weekly-reports cron endpoint uses publishable (anon) key as the bearer secret — equivalent to no auth
Critical · Before launch · S · Remix-context
No security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) configured on the Cloudflare Worker
High · Before launch · M
No application-level rate limiting on AI coach endpoints or auth endpoints
High · Before launch · M
02 · Legal & Compliance (7)
No Privacy Policy exists anywhere in the application (no file, no route, no rendered page)
Critical · Before launch · M
No Terms of Service / Terms of Use document exists; signup screen claims one exists
Critical · Before launch · M
No data-subject rights implementation: no account deletion, no data export, no consent withdrawal endpoint
Critical · Before launch · L
Subprocessor inventory not maintained: Lovable AI Gateway, OpenAI, Google (Gemini), Supabase, Cloudflare process personal data with no DPA-trail evidence
High · Before launch · M
International data transfers to US-based subprocessors (OpenAI, Google, Cloudflare) not addressed: no transfer mechanism named
High · Before launch · M
DPIA required and not evidenced: large-scale special-category processing (biometrics, body photos, cycle, mental-health-adjacent coach data) plus AI profiling
High · Before launch · M
Records of Processing Activities (Article 30) not evidenced: required for special-category health data regardless of company size
Medium · Before launch · S
03 · Domain Compliance (5)
EU MDR Rule 11 trigger: app computes and presents Biological age / Health age from biometric inputs - likely Class IIa medical-device intended purpose
Critical · Before launch · L
GDPR Article 9 explicit consent missing: special-category biometric + cycle + mental-health-adjacent data collected without a distinct consent step
Critical · Before launch · L
Cycle/menstrual data processed with no DPIA-grade safeguards: heightened scrutiny under EDPB and post-Dobbs cross-border risk
High · Before launch · L
No age gate at signup: minors can register; under-16 GDPR-K parental-consent path is absent
High · Before launch · M
EU AI Act Article 50 transparency missing: AI-generated coach content and AI-generated avatar images not labeled to the user as AI output
High · Before launch · M
04 · Scalability & Performance (6)
Coach chat endpoint loads massive context on every turn (10+ Supabase queries + 7-day biometrics + full profile JSON-stringified into prompt)
Critical · Before launch · L
Per-coach-turn fact extraction fires a SECOND openai/gpt-5 call on every chat turn - doubles AI cost per message
High · Before launch · S
i18n: all 6 locale JSON files (~858 KB total) eagerly imported and shipped to every visitor
High · Before launch · M
Unbounded coach_messages and coach_conversations load on chat sheet open - no LIMIT on history
High · Before launch · M
Coach-chat AI gateway fetch has no timeout - a hung upstream stalls the Worker request indefinitely
High · Before launch · S
Cron endpoints process all users in a tight sequential for-loop with no concurrency control or backpressure
High · Before launch · L
05 · Data Integrity (4)
36+ tables declare user_id UUID NOT NULL with NO foreign key to auth.users (orphan-row epidemic)
Critical · Before launch · M
fullResetUserData() deletes 33 tables sequentially with no transaction; partial-failure leaves the user in a half-reset state
High · Before launch · M
coach_messages.role is free-form TEXT with no CHECK constraint; schema accepts any role string including system/tool
High · Before launch · S
Storage objects orphaned on row delete; meals/coach_messages/body_measurements/full-reset have no cleanup hook
High · Before launch · M
06 · Ops & Deployability (9)
No CI/CD pipeline of any kind: no GitHub Actions, no GitLab CI, no Vercel/Netlify manifest
Critical · Before launch · M
No error tracking installed -- Sentry/Honeybadger/Rollbar/Bugsnag SDKs all absent
Critical · Before launch · M
No .env.example and no documented env-var inventory -- a second engineer cannot bootstrap
High · Before launch · S · Remix-context
wrangler.jsonc has no environment separation -- same Worker, secrets, Supabase project for dev/staging/prod
High · Before launch · M
Deployment-platform secret store is not used as system of record -- secrets in repo .env with no Wrangler secret bindings declared
High · Before launch · M
Logging is 177 raw console.log/error/warn calls across 81 files -- no structured logger, no correlation IDs, no log levels
High · Before launch · M
No uptime monitoring, no alert routing, no APM, no AI-cost alerts -- team will not know the app is down until a user emails
High · Before launch · M
No deployment runbook, no rollback procedure, no smoke-test checklist, no on-call escalation document
High · Before launch · S
Cron jobs have no success/failure observability -- pg_cron-driven scheduled work fails silently
High · Before launch · M
07 · Code Quality & Maintainability (1)
Single test file across 80,000+ lines of application code: regressions cannot be detected by anything except live users
High · Before launch · L
08 · Documentation (6)
No README at the repo root: a second engineer cannot orient or bootstrap without reading code
High · Before launch · S
No architecture document: the service topology (Worker, Supabase, AI Gateway, push, SSE) lives only in the original developer head
High · Before launch · M
No decision records (ADRs): vendor lock-in choices, regulatory positions, and wellness-vs-medical framing exist only as verbal lore
High · Before launch · M
Environment variables have no inventory document: ten required keys must be discovered by grepping source
Medium · Before launch · S · Remix-context
No LICENSE file: a private repo with no license is fine, but the moment any third party touches it the license status is unclear
Medium · Before launch · S
Privacy Policy, Terms of Service, and Imprint exist neither as published pages nor as repo-versioned source-of-truth documents
Medium · Before launch · M
09 · AI Integration (6)
Academy lesson system prompt explicitly instructs the AI to fabricate citations (named researchers, studies, institutions) with no allow-list, no retrieval, no verification
Critical · Before launch · M
Coach chat and voice-coach do not validate role field on inbound messages - user-supplied role=system survives into the LLM context and persists in coach_messages
Critical · Before launch · M
No per-user AI budget, no per-call token logging, no system-wide circuit breaker - single user can drain the AI credit balance
High · Before launch · L
No persistent in-chat AI label, no AI-generated badge on synthetic avatars, no machine-readable watermark - EU AI Act Article 50 transparency gap
High · Before launch · M
Single-provider lock-in via Lovable AI Gateway with no fallback, no abstraction layer - 38+ files each construct their own fetch and hard-code the URL / model
High · Before launch · L
No AI-request audit log: per-call inputs, outputs, model, tokens, prompt-version not persisted - incompatible with AI Act Article 12 record-keeping if reclassified high-risk
High · Before launch · M
10 · Mobile Readiness (6)
No Web App Manifest -- PWA install and baseline App Store icon requirements unmet
Critical · Before launch · S
Lovable OAuth redirect flow will break inside iOS WKWebView (Capacitor wrapper)
Critical · Before launch · L
No in-app account deletion -- Apple 5.1.1(v) and Google Play 2024 policy violation
Critical · Before launch · M
Privacy policy is plain text with no URL -- Apple 5.1.1 and Play Store policy violation
Critical · Before launch · M
Voice coach uses MediaRecorder with webm MIME priority -- breaks on iOS Safari and WKWebView
High · Before launch · M
No age rating assessment -- health and mental-health content likely requires 12+ or 17+ rating
Medium · Before launch · S
Tier 2 · First sprint · 52 findings · ~150 eng-days
01 · Security (7)
TanStack Start server-core advisory GHSA-9m65-766c-r333 unpatched (sibling server-function invocation)
High · First sprint · S
File uploads accept arbitrary content type and have no server-side mime/size enforcement
High · First sprint · M
meal-photos storage bucket still flagged public:true despite policy being revoked
Medium · First sprint · S
Password minimum length of 6 characters; no strength rules; no breach-list check
Medium · First sprint · S
Server functions and API routes mostly lack zod input validation (most server modules use no schema validation)
Medium · First sprint · L
OAuth flow delegated entirely to @lovable.dev/cloud-auth-js with no in-repo state/nonce verification
Medium · First sprint · M
Supabase session token stored in localStorage (vulnerable to any XSS)
Low · First sprint · L
02 · Legal & Compliance (3)
No cookie/storage consent banner: currently low-risk because no analytics, but the gap will become a violation when tracking is added
Medium · First sprint · S
EU Accessibility Act (WCAG 2.1 AA) gaps: clickable divs, alt-empty content images, no focus-visible discipline
Medium · First sprint · L
No Imprint / Impressum block on the site: likely required under HU and DE consumer-information rules
Medium · First sprint · S
03 · Domain Compliance (3)
Health-claim advertising risk: marketing copy uses longevity, live longer, add years to your life without substantiation framework
Medium · First sprint · S
Mental-health-adjacent coach surface lacks audit-grade documentation of safety-rail performance
Medium · First sprint · M
AI Act Annex III risk-classification analysis not performed or documented
Medium · First sprint · S
04 · Scalability & Performance (6)
AI cost runaway: per-user concurrent AI calls unbounded; no per-user daily token budget; no usage telemetry
High · First sprint · L
Frontend src/assets contains 5 raw mockup images >1 MB each (~8 MB total) imported via @/assets
Medium · First sprint · M
No Cache-Control / CDN cache rules configured - every static request hits the Worker / origin
Medium · First sprint · S
useDashboardData uses select(*) on biometrics, meals, subjective_pulse - over-fetches every column
Medium · First sprint · S
Hot tables likely to grow large (coach_messages, meals, habit_logs) have user_id indexes but no archival or row-cap policy
Medium · First sprint · M
Supabase clients re-instantiated per server function (no shared admin client across in-loop invocations)
Medium · First sprint · S
05 · Data Integrity (7)
Status / pace / category enum-style columns lack CHECK constraints across 10+ tables; DB accepts arbitrary values
Medium · First sprint · M
RESET_TABLES list references 3 already-dropped tables (biomarkers, bloodwork_uploads, supplement_stacks); silent migration drift
Medium · First sprint · S
No account-deletion (GDPR Article 17 erasure) flow exists in the repo; auth.users delete would orphan 36+ tables
Medium · First sprint · M
Multi-step Storage+DB delete patterns (pantry-scan, bio-twin avatar) are not transactional; partial failure leaves Storage and DB out of sync
Medium · First sprint · M
handle_new_user trigger has no DO NOTHING / ON CONFLICT; repeated signup edge cases (e.g. soft-delete + recreate) can fail
Medium · First sprint · S
meal-photos bucket marked public:true while policy enforces per-user access; bucket-level inconsistency invites future re-exposure
Medium · First sprint · S
Backup posture undocumented in repo; Supabase Pro PITR / retention not verified
Medium · First sprint · S
07 · Code Quality & Maintainability (10)
TanStack Query installed but zero usage: data layer is 510 useState + 304 useEffect + raw Supabase calls
Medium · First sprint · M
Five files over 700 lines mix UI, data fetching, and business logic in one component
Medium · First sprint · L
Errors swallowed by catch-and-console pattern: ~105 catch blocks log and silently return without surfacing failures
Medium · First sprint · M
Coach context-loader duplication: text-coach and voice-coach endpoints reimplement the same load helpers in parallel
Medium · First sprint · M
Server-side input validation absent in 88 of 100 server modules: TypeScript casts stand in for runtime validation
Medium · First sprint · M
36 of 46 shadcn/ui primitives are imported nowhere: ~5,000 LOC of dead component code in the repo
Low · First sprint · S
Hard-coded mock trend data ships to signed-in users on the dashboard sparklines
Low · First sprint · S
28 react-hooks/exhaustive-deps lint disables: hook dependency arrays opted out of correctness check
Low · First sprint · M
177 raw console.* calls in production code with no logger abstraction
Low · First sprint · M
Minor naming inconsistency: one hook uses kebab-case while all 37 others use camelCase
Low · First sprint · S
08 · Documentation (6)
42-table Supabase schema has no domain-model documentation: only 12 column/table comments across 89 migrations
Medium · First sprint · M
Two SSE / API endpoints (api.coach-chat.ts, api.voice-coach-chat.ts) carry no contract document for request shape, event format, or error model
Medium · First sprint · M
JSDoc on exported APIs is near-zero: only 3 occurrences of @param/@returns/@throws across approximately 86,000 lines of TS/TSX
Medium · First sprint · L
No CONTRIBUTING.md, no CODEOWNERS, no PR template, no commit-message convention -- the repo is opaque to contributors
Medium · First sprint · S
Lovable-platform-specific gotchas (nodejs_compat, generated files, two lockfiles, project-id pinning) are nowhere documented
Medium · First sprint · S
No CHANGELOG.md and no git tags: shipped behaviour has no versioned record
Low · First sprint · S
09 · AI Integration (5)
AI-extracted long-term facts (extractAndPinFacts) auto-pin without explicit user confirmation, no expiry, limited user agency
Medium · First sprint · M
Coach SSE stream has no client-disconnect handling - abandoned chats keep paying the upstream gateway and complete the assistant message anyway
Medium · First sprint · M
Model selection inconsistency: text-coach uses gpt-5 for some flows and gemini-3-flash for others; deterministic translation/OCR tasks use full gpt-5 without temperature=0
Medium · First sprint · M
System prompts shipped server-side in plain TypeScript with no version stamp; SYSTEM_BASE references the brand persona without acknowledging IP-leak risk via prompt-exfiltration
Medium · First sprint · S
extractAndPinFacts unbounded second AI call per turn doubles per-message cost and runs on the request hot path with no timeout
Medium · First sprint · S
10 · Mobile Readiness (5)
Service worker deletes all caches on every update -- no offline support
High · First sprint · M
VAPID public key hard-coded in client bundle -- impedes key rotation
High · First sprint · S · Remix-context
Web-push (VAPID) notifications do not work in native Capacitor wrapper -- APNs and FCM setup required
High · First sprint · M
localStorage session storage may be cleared by iOS ITP -- unexpected logouts on mobile
Medium · First sprint · S
No Universal Links or Android App Links -- notification taps open browser instead of app
Medium · First sprint · M
Tier 3 · Backlog · 9 findings · ~29 eng-days
01 · Security (1)
Two co-existing lockfiles (bun.lockb + package-lock.json) — supply-chain provenance ambiguity
Low · Backlog · S
04 · Scalability & Performance (2)
No bundle-size budget in CI; vite-bundle-analyzer not wired; home route explicitly NOT code-split
Low · Backlog · S
AI image generation max_completion_tokens: 8192 - high ceiling burned per avatar generation
Low · Backlog · S
05 · Data Integrity (1)
Server-side input validation patchy; most server functions use TypeScript casts instead of zod (defense-in-depth gap for DB integrity)
Low · Backlog · L
08 · Documentation (2)
Generated files committed to repo carry do-not-edit headers but no docs explain the regeneration mechanism
Low · Backlog · S
No known-issues or self-acknowledged-gaps document: the project does not document what it knows it does not do
Low · Backlog · S
10 · Mobile Readiness (3)
Framer Motion used across 105 files -- animation jank risk on low-end Android
Medium · Backlog · M
Wearable data ingested via screenshot OCR only -- HealthKit and Health Connect not available
Low · Backlog · L
Lovable preview-token guard shipped in production HTML -- dead code in native app build
Low · Backlog · S
AI Project Audit · Priority map Charter v0.4 · 2026-05-19