4.0 KiB
WealthySmart — Five-Hat Codebase Review
Date: 2026-06-09
Scope: Full repository (backend/, frontend/, compose files, CI workflow). tech_docs/, node_modules/, and .claude/ excluded.
Method: Five independent senior/staff-level review agents, each with a distinct lens, followed by cross-verification of the highest-severity claims against the actual repo state and a consolidated synthesis.
The Five Hats
| Hat | Report | Focus |
|---|---|---|
| 🏛 Architect | 01-architect.md | System structure, layering, data model, migrations, deploy topology |
| ⚙️ Backend | 02-backend.md | FastAPI/SQLModel correctness, money/date math, queries, PDF parsing, agent tools |
| 🎨 Frontend | 03-frontend.md | React data fetching, state, type safety, a11y, Hono server, CopilotKit |
| 🔐 Cybersec | 04-security.md | AuthN/Z, secrets, CORS, rate limiting, uploads, injection surface |
| 👤 Poweruser | 05-poweruser.md | Daily-use UX, feedback loops, data trust, consistency, feature gaps |
Synthesis Documents
- 06-weak-spots-inventory.md — All 90+ findings deduplicated into 13 cross-cutting themes with a severity matrix.
- 07-improvement-plan.md — Phased implementation plan (Phase 0–4) with concrete steps, acceptance criteria, and effort estimates.
Editorial Corrections (verified against the repo)
Agent findings were spot-checked. One material correction:
.env/.env.prodare NOT committed to git. Both are covered by.gitignore(.env,.env.*) andgit log --all --diff-filter=A -- .env .env.prodreturns nothing. The Architect's ARCH-01 ("secrets in version control", Critical) is downgraded: the files exist only in the working tree, which is expected. The real residual risks are (a) hardcoded fallback credentials inbackend/app/config.py(verified:SECRET_KEY = "change-me-in-production",ADMIN_PASSWORD = "admin") and (b) hardcoded dev DB credentials indocker-compose.yml. These are tracked as SEC-01 / BE-15.
Claims that were verified as accurate: CORS allow_origins=["*"] with allow_credentials=True (backend/app/main.py:81), 30-day token expiry (backend/app/config.py:7), default admin credentials (backend/app/config.py:9), zero test files in the repo, and no Alembic directory.
Top 10 — If You Only Fix Ten Things
- Fail fast on default secrets — startup must refuse to run with
SECRET_KEY="change-me-in-production"oradmin/admin(SEC-01, BE-15). S - Rate-limit + constant-time login — both login endpoints have unlimited attempts and
!=comparison (SEC-02, SEC-03). S - Restrict CORS to
https://wealth.cescalante.dev(SEC-04). S - Add a test suite — zero tests guard the most complex logic in the app (billing-cycle math, deferred carryover, PDF parsing) (ARCH-06, BE-25). L
- Adopt Alembic — schema evolution is ad-hoc
ALTER TABLEstrings indb.py; memory says "never reset prod DB," which makes real migrations essential (ARCH-02, BE-19). M - Verify billing-cycle boundary math — possible off-by-one in
get_cycle_rangewould misalign every monthly budget (BE-06). S to verify, with tests - Migrate money fields from
floattoDecimal/Numeric(BE-02). M - Validate uploads — size cap,
%PDFmagic-byte check, per-file transactional rollback (SEC-06, BE-10). S - Frontend error/feedback layer — surfaced errors, success toasts, request cancellation; today failures are silent
console.error(FE-01/02/03, UX-01/02). M - n8n sync visibility — silent parser failures mean missing transactions go unnoticed; add a sync-status/reconciliation view (UX-17, UX-20). L
Reading Order
For a quick pass: this README → 06-weak-spots-inventory.md → 07-improvement-plan.md. The five hat reports hold the file:line evidence behind every consolidated item.