Roadmap

Tastemakers · Project Status & Planning · 50 open / 50 total

01 Project Health Scorecard

Overall Score: 3.8 / 10

Architecture: 4/10
Code Quality: 3/10
Security: 2/10
Testing: 1/10
Documentation: 7/10
Tooling: 6/10

02 Product Roadmap

Short Term · Next 1–2 sessions · 5 items

Rotate exposed production credentials · planned · 2h · security · P1
Change DB passwords, API keys, and WordPress salts exposed in .env_bkp and wp-config.php. Remove files from git history.

Fix unauthenticated delete endpoints · planned · 1h · security · P1
Move image-delete, tags-delete, tastemakerlist-delete inside auth:api middleware group in routes/api.php.

Fix IDOR — replace user_id from request with Auth::id() · planned · 3h · security · P1
Audit all endpoints accepting user_id from request body. Replace with Auth::user()->id in RestaurantController and TagController.

Fix Apple Sign-In JWT verification · planned · 4h · security · P1
Verify JWT signature against Apple's JWKS endpoint instead of just base64 decoding. Use firebase/php-jwt or lcobucci/jwt.

Resolve API field name mismatches · planned · 3h · cross-platform · P1
Align tag_name vs name, description vs short_description across backend, iOS, Android, and web TypeScript types.
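The two authorization fixes above (moving the destructive routes inside the auth:api group, and taking the acting user from the authenticated token rather than the request body), as an added example that is not the project's own code; the route names follow routes/api.php as described on this page, while the controller methods, the restaurants() relationship and the response shape are assumptions:

```php
<?php
// Added example, not the project's code. Shows the two fixes in one place:
// routes moved inside auth:api (B-001) and the acting user taken from the
// token instead of the request body (B-006). Route names match the page;
// controller/relationship names and the response shape are assumptions.

// --- routes/api.php (excerpt) ---
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\RestaurantController;
use App\Http\Controllers\TagController;

// Before the fix these three routes sat outside any middleware group, so an
// anonymous client could call them. Inside auth:api an unauthenticated
// request is rejected with 401 before the controller runs.
Route::middleware('auth:api')->group(function () {
    Route::post('image-delete', [RestaurantController::class, 'imageDelete']);
    Route::post('tags-delete', [TagController::class, 'tagsDelete']);
    Route::post('tastemakerlist-delete', [RestaurantController::class, 'listDelete']);
});

// --- app/Http/Controllers/RestaurantController.php (excerpt) ---
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class RestaurantController extends Controller
{
    // Vulnerable shape described in B-006: identity comes from the client, so
    // any authenticated user can save into (or remove from) another user's list.
    public function saveRestaurantVulnerable(Request $request)
    {
        $user = \App\Models\User::findOrFail($request->input('user_id')); // attacker-controlled
        $user->restaurants()->syncWithoutDetaching([$request->input('restaurant_id')]);
        return response()->json(['status' => true, 'data' => null, 'message' => 'Saved']);
    }

    // Fixed shape: identity comes only from the authenticated token. A user_id
    // in the body is never read, so it cannot change who the action applies to.
    public function saveRestaurant(Request $request)
    {
        $data = $request->validate([
            'restaurant_id' => ['required', 'integer', 'exists:restaurants,id'],
        ]);
        $user = Auth::user(); // the token owner; equivalent to User::find(Auth::id())
        $user->restaurants()->syncWithoutDetaching([$data['restaurant_id']]);
        return response()->json(['status' => true, 'data' => null, 'message' => 'Saved']);
    }
}
```

A quick regression check for the audit is a request with a foreign user_id in the body: after the fix it must affect only the token owner's data.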
Medium Term · 3–6 sessions · 8 items

Add database indexes to pivot tables · planned · 2h · performance · P1
Add indexes to restaurant_tag, restaurant_user, category_restaurant FK columns. Index users.is_testmaker and restaurants.place_id.

Fix N+1 queries in restaurant/tastemaker endpoints · planned · 6h · performance · P1
Use eager loading (with/withCount) in restaurantDetails, getRestaurants, and tastemaker list endpoints. Target: <10 queries per request.

Extract RestaurantController into service classes · planned · 12h · architecture · P2
Break 2,985-line god controller into RestaurantService, ListService, ImageService, FoursquareService. Add Form Request validation.

Implement rate limiting on auth endpoints · planned · 3h · security · P2
Add throttle middleware to login, signup, password reset. Replace rand() OTP with random_int(). Add OTP expiration.

Upgrade web auth to httpOnly cookies · planned · 4h · security · P2
Replace localStorage token with httpOnly cookie via API middleware. Eliminate XSS token theft vector.

Fix Android compilation · planned · 3h · android · P2
Add Hilt AppModule, create google-services.json placeholder, remove premature Phase 3–5 dependencies.

Add TypeScript response envelopes · planned · 2h · web · P2
Create AuthResponse, RestaurantsResponse, TagsResponse wrapper types matching backend { status, data, message } format.

Standardize API response format · planned · 6h · architecture · P3
Create ApiResponse trait for consistent { status, data, message } envelope across all controller methods.
Long Term · 7+ sessions · 6 items

Web app Phase 2 — Authentication flows · planned · 16h · web · feature
Build login, register, forgot password pages. Google OAuth client-side flow. Auth context provider. Route protection middleware.

Web app Phase 3 — Core pages · planned · 24h · web · feature
Home/discover, restaurant detail, search, cuisine browse, tastemaker profile pages with server-side rendering for SEO.

Migrate lat/lng to DECIMAL + spatial indexing · planned · 4h · performance · database
Change lat/lng from VARCHAR to DECIMAL(10,7). Extract Haversine into model scope. Add spatial index for geo queries.

Comprehensive backend test suite · planned · 20h · testing · quality
Write PHPUnit tests for all 50 API endpoints. Priority: auth, restaurant CRUD, list operations. Target: 80% coverage.

Admin panel rebuild in Next.js · planned · 30h · web · admin · feature
Replace Blade admin panel with React admin in tastemakers-web. RBAC, user/restaurant/tag management, analytics dashboard.

CI/CD pipeline · planned · 8h · infrastructure · tooling
GitHub Actions for lint, type-check, PHPUnit, build. Auto-deploy on merge to main. Secret scanning in pre-commit hook.

03 Session Velocity

Session 1 · 31 · Backend audit findings
Session 2 · 3 · Web scaffold + config
Session 3 · 19 · Cross-project findings
Session 4 · 10 · Security audit items
Session 5 · 2 · Android assessment
Session 6 · 4 · Tech + roadmap pages

04 Next Session Planner

Priority-ordered tasks for the next development session. All are P1 critical security fixes.

1. Rotate production credentials (.env_bkp, wp-config.php) · 2h
   Active secret exposure — every day they remain is a breach risk

2. Move delete endpoints inside auth:api middleware · 1h
   Anonymous users can delete images, tags, and lists right now

3. Fix IDOR — replace user_id from request body with Auth::id() · 3h
   Authenticated users can act as any other user

4. Fix Apple Sign-In JWT signature verification · 4h
   Attacker can forge JWT and log in as any email address

5. Remove debug echo/print_r leaking Foursquare API credentials · 30m
   API credentials visible in HTTP responses on public endpoints

05 Risk Register

8 Tracked Risks · 6 active

Risk | Impact | Likelihood | Mitigation | Status
Production secrets exposed in git history | critical | certain | Rotate all credentials, use git-filter-repo to scrub history, enforce .gitignore | active
IDOR allows cross-user data manipulation | critical | likely | Replace all user_id from request body with Auth::id() | active
Apple Sign-In JWT forgery | critical | possible | Implement proper JWKS signature verification | active
N+1 queries cause timeouts at scale | high | likely | Add eager loading, indexes, and query monitoring | active
No test coverage — refactoring breaks things silently | high | certain | Write critical-path tests before major refactors | active
God controllers make changes risky | medium | likely | Extract into service classes incrementally | monitoring
XSS via localStorage token theft | high | possible | Migrate to httpOnly cookies | active
Android app cannot compile | medium | certain | Fix Hilt module + remove premature dependencies | monitoring

06 Audit Recommendations

15 Recommendations · Prioritized action items from code reviews

Priority | Recommendation | Category | Estimate
P1 | Credential rotation + secret scrubbing from git | Security | 2h
P1 | Move destructive endpoints behind auth middleware | Security | 1h
P1 | Fix all IDOR vulnerabilities (5 endpoints) | Security | 3h
P1 | Verify Apple Sign-In JWT signatures against JWKS | Security | 4h
P1 | Add database indexes to all pivot table FKs | Performance | 2h
P1 | Fix N+1 query catastrophe in tastemaker endpoints | Performance | 6h
P2 | Extract Foursquare API calls into service class | Architecture | 4h
P2 | Add rate limiting to authentication endpoints | Security | 3h
P2 | Replace localStorage auth with httpOnly cookies | Security | 4h
P2 | Add Form Request validation classes | Architecture | 6h
P2 | Fix Android compilation (Hilt + google-services) | Platform | 3h
P3 | Extract Haversine into reusable model scope | Quality | 2h
P3 | Remove 390+ lines of commented-out code | Quality | 1h
P3 | Rename testmaker → tastemaker (228 occurrences) | Quality | 4h
P3 | Write PHPUnit tests for critical auth/CRUD paths | Testing | 12h

07 Findings History & Patterns

Pattern Analysis · 50 total findings across 5 categories

Category Breakdown

Security: 16
Performance: 8
Architecture: 8
Quality / Cleanup: 11
Cross-Platform: 7

Key Insights

  • Security issues dominate P1 (10 of 15) — the codebase shipped to production with multiple critical auth vulnerabilities.
  • Performance issues cluster around two god controllers (RestaurantController, UserController) that contain 70% of all business logic.
  • Cross-platform field mismatches (tag_name vs name, description vs short_description) indicate the API contract was never formally defined.
  • All 50 items are currently open — no fixes have been shipped yet, only documentation and tracking.
  • The testmaker/tastemaker naming inconsistency (228 occurrences) suggests the database was designed by someone other than the product team.

Findings Timeline · When issues were discovered

2026-03-12 · 31 findings · Backend audit
2026-03-13 · 19 findings · Cross-project audit

08 Tooling & Workflow

Available Now · 5 items
available · Claude Code CLI · AI-assisted development, code auditing, boilerplate generation
available · CLAUDE.md context files · 6 files providing cross-session project memory
available · TypeScript strict mode · Compile-time type safety for web frontend
available · ESLint · Code linting for TypeScript/React
available · PHPUnit · Backend test framework (no custom tests written yet)

Planned · 4 items
planned · Tailwind CSS v4 · Replacing inline styles with utility classes
planned · CI/CD (GitHub Actions) · Automated lint, type-check, test, build on PR
planned · Pre-commit hooks · Secret scanning, lint, type-check before commits
planned · Error monitoring · Sentry or similar for production error tracking

Missing / Needed · 4 items
missing · API documentation · No Swagger/OpenAPI spec. Docs are in CLAUDE.md only.
missing · Database migrations (down) · No down() methods — rollbacks impossible
missing · Staging environment · No non-production environment for testing
missing · Logging / APM · No structured logging or application performance monitoring

09 Overall Progress

0 completed / 50 total findings (0%)
Completed: 0 · P1 Critical: 15 · P2 Important: 17 · P3 Nice-to-have: 18

10 P1 — Critical

15 open · 0 completed · 15 total

X-001 · .env_bkp with Production Secrets in Git · 2h · cross-project
DB password, mail password, Foursquare client ID/secret, Laravel APP_KEY all exposed in committed file.
tastemakers-backend/.env_bkp · Found 2026-03-13 · security, secrets

X-002 · Tag name vs tag_name Field Mismatch · 3h · cross-project
Backend uses 'name' column, TypeScript and Kotlin expect 'tag_name'. Tag names deserialize as null/undefined.
app/Models/Tag.php:16, src/types/index.ts:25 · Found 2026-03-13 · cross-platform, data

X-003 · User short_description vs description Mismatch · 2h · cross-project
Backend stores short_description, all clients expect description. Profile bios fail to save/load.
app/Models/User.php, src/types/index.ts · Found 2026-03-13 · cross-platform, data

X-004 · search-tags Endpoint Divergence · 2h · cross-project
iOS calls pre-define-search-tags (CategoryController), docs say search-tags (TagController). New clients will call wrong endpoint.
iOS: NetworkManager.swift:35, routes/api.php · Found 2026-03-13 · cross-platform, routing

X-005 · wp-config.php Production DB Password Exposed · 1h · cross-project
MySQL password, username, all 8 WordPress auth salts exposed on disk.
tastemakers-wordpress/wp-config.php · Found 2026-03-13 · security, secrets

B-001 · Unauthenticated Destructive Endpoints · 1h · backend
image-delete, tags-delete, tastemakerlist-delete outside auth:api middleware. Anonymous users can delete data.
routes/api.php:65-67 · Found 2026-03-12 · security, routing

B-002 · Hardcoded Firebase FCM Server Key · 2h · backend
FCM server key, hardcoded device token, Google OAuth client ID in plaintext source code.
UserController.php:559 · Found 2026-03-12 · security, secrets

B-003 · Broken Apple Sign-In — JWT Never Verified · 4h · backend
jwtTokenDcode() only base64-decodes. Signature never verified against Apple JWKS. Attacker can forge any email.
UserController.php:1317-1339 · Found 2026-03-12 · security, auth

B-004 · Debug Output Leaks Foursquare API Credentials · 30m · backend
Active echo/print_r statements output full API URL with credentials in HTTP responses.
RestaurantController.php:332 · Found 2026-03-12 · security, secrets

B-005 · Public /clear-cache Runs Artisan Commands · 30m · backend
Unauthenticated GET /clear-cache runs cache:clear, config:clear, config:cache, route:clear, view:clear.
web.php:186-194 · Found 2026-03-12 · security, routes

B-006 · IDOR — user_id Accepted from Request Body · 3h · backend
Multiple endpoints accept user_id from request instead of Auth::user()->id. Any user can act as another.
RestaurantController.php:1489,1713,1828 · Found 2026-03-12 · security, auth

B-007 · Missing Database Indexes on All Pivot Tables · 2h · backend
Zero indexes on FK columns in 3 most-queried pivot tables. Every JOIN triggers full table scan.
migrations/2021_02_24_* · Found 2026-03-12 · performance, database

B-008 · N+1 Query Catastrophe · 6h · backend
Loads ALL tastemakers then runs 2+ queries per tastemaker per restaurant. 100 tastemakers = 600+ queries.
RestaurantController.php:1074-1077 · Found 2026-03-12 · performance, queries

B-009 · OAuth Stores Raw Token as Unhashed Password · 1h · backend
Google/Apple login stores raw OAuth token in password field without Hash::make().
UserController.php:1288,1362 · Found 2026-03-12 · security, auth

B-010 · env() Called in Controllers — Breaks After config:cache · 2h · backend
env() called 12+ times for Foursquare credentials. Returns null after php artisan config:cache.
RestaurantController.php:330,512,712 · Found 2026-03-12 · config, reliability
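The B-003 fix using firebase/php-jwt (one of the two libraries the roadmap names), as an added example that is not the project's code; the Cache and Http facades, the cache key and lifetime, and the client-id parameter are assumptions:

```php
<?php
// Added example, not the project's code: verify an Apple identity token before
// trusting any claim in it. Assumes composer package firebase/php-jwt ^6 and a
// Laravel app (Cache and Http facades). Intended to replace the base64-only
// jwtTokenDcode() described in B-003.
use Firebase\JWT\JWK;
use Firebase\JWT\JWT;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;

const APPLE_ISSUER   = 'https://appleid.apple.com';
const APPLE_JWKS_URL = 'https://appleid.apple.com/auth/keys';

/**
 * @param string $identityToken  The id_token the iOS/Android/web client received from Apple.
 * @param string $clientId       This app's bundle id or Services ID (the expected "aud").
 * @return array Verified claims; key the account on 'sub', the stable Apple user id.
 */
function verifyAppleIdentityToken(string $identityToken, string $clientId): array
{
    // Apple rotates its signing keys; cache the JWKS but refetch periodically (assumed 1h).
    $jwks = Cache::remember('apple_jwks', 3600, function () {
        return Http::get(APPLE_JWKS_URL)->throw()->json();
    });

    // JWK::parseKeySet() builds Key objects (Apple's keys carry "alg": "RS256").
    // JWT::decode() picks the key by the token's "kid" header, checks the RS256
    // signature and throws on an expired or not-yet-valid token. Any exception
    // here must end the login attempt; never fall back to plain decoding.
    $claims = (array) JWT::decode($identityToken, JWK::parseKeySet($jwks));

    // A valid Apple signature is not enough on its own: the token must be issued
    // by Apple and minted for this app, or a token for another app would log users in.
    if (($claims['iss'] ?? null) !== APPLE_ISSUER) {
        throw new UnexpectedValueException('Identity token not issued by Apple');
    }
    if (($claims['aud'] ?? null) !== $clientId) {
        throw new UnexpectedValueException('Identity token issued for a different client');
    }
    if (empty($claims['sub'])) {
        throw new UnexpectedValueException('Identity token has no subject');
    }

    // 'email' may be missing or a private-relay address on repeat logins, so it is
    // not a reliable account key; look users up by 'sub' and store email as data.
    return $claims;
}
```

Wrap the call in the login handler's try/catch and return an authentication failure on any exception; the email claim is only used after this function returns.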

P2 — Important

17 open · 0 completed · 17 total

X-006 · Web TypeScript Types Missing Response Envelopes · 2h · cross-project
Types define inner data but not envelopes. Backend wraps in { status, ... }. apiFetch<T>() calls will fail.
tastemakers-web/src/types/index.ts · Found 2026-03-13 · web, types

X-007 · Android Won't Compile · 3h · cross-project
Empty Hilt DI directory, google-services plugin fails without config file. Project cannot build.
tastemakers-android/app/build.gradle.kts · Found 2026-03-13 · android, build

X-008 · Web localStorage Token is XSS-Exploitable · 4h · cross-project
Auth token in localStorage accessible to all JavaScript. Single XSS = full account takeover.
tastemakers-web/src/lib/api.ts:8 · Found 2026-03-13 · security, web

X-009 · Android user_id in Requests Codifies IDOR · 1h · cross-project
SaveRestaurantRequest includes user_id field sent to backend, masking IDOR vulnerability.
tastemakers-android/Models.kt:15 · Found 2026-03-13 · android, security

X-010 · error_log Files with Production Paths in Git · 30m · cross-project
PHP stack traces revealing /home/tastofgc/public_html/ internal paths.
tastemakers-backend/app/Http/Controllers/error_log · Found 2026-03-13 · security, cleanup

X-011 · 5 Different Brand Name Spellings · 4h · cross-project
tastemaker, testmaker (228x), testsmaker, testemakers, TasteMaker across codebase.
Database + all repos · Found 2026-03-13 · quality, naming

X-012 · Android Has Premature Phase 3–5 Dependencies · 2h · cross-project
Google Play Services, Firebase, camera permissions at scaffold stage. Blocks compilation.
tastemakers-android/app/build.gradle.kts:75-84 · Found 2026-03-13 · android, build

B-011 · No Rate Limiting on Auth Endpoints · 3h · backend
Only default 60 req/min throttle. OTP uses rand() not random_int(). OTP never expires.
api.php:21-24 · Found 2026-03-12 · security, auth

B-012 · God Controller Decomposition Needed · 12h · backend
RestaurantController (2,985 LOC) and UserController (1,623 LOC) handle 9+ domains each.
RestaurantController.php, UserController.php · Found 2026-03-12 · architecture, refactoring

B-013 · Extract Foursquare API into Service Class · 4h · backend
Raw cURL duplicated 7 times. CURLOPT_TIMEOUT=0 (infinite). limit=500. No caching.
RestaurantController.php:333,513,713 · Found 2026-03-12 · architecture, performance

B-014 · SSL Verification Disabled for FCM · 30m · backend
CURLOPT_SSL_VERIFYPEER=false. Vulnerable to MITM intercepting FCM server API key.
UserController.php:580 · Found 2026-03-12 · security, network

B-015 · lat/lng Stored as Strings · 4h · backend
VARCHAR columns force string-to-numeric cast in Haversine formula (duplicated 16 times). No spatial index.
create_restaurants_table.php:24-25 · Found 2026-03-12 · performance, database

B-016 · Mass Assignment Risk — Sensitive Fields in $fillable · 1h · backend
role_id, password, forget_code, login_count in $fillable. Any unvalidated create/update = privilege escalation.
User.php ($fillable) · Found 2026-03-12 · security, models

B-017 · GET-Based Delete Routes Bypass CSRF · 2h · backend
8 admin delete operations use Route::get(). Not protected by CSRF middleware.
web.php:48,50,52,77,80,85,87,91 · Found 2026-03-12 · security, routes

B-018 · $_POST Superglobal Used Directly · 2h · backend
HomeController and RestaurantController use $_POST/$_FILES directly, bypassing middleware.
HomeController.php:393-394 · Found 2026-03-12 · security, input

B-019 · No Form Request Validation Classes · 6h · backend
All validation inline with empty rules like "password" => "". No app/Http/Requests/ directory.
UserController.php:415-428 · Found 2026-03-12 · architecture, validation

B-020 · Password Reset OTP Never Expires · 2h · backend
forget_code has no expiration timestamp. OTP remains valid indefinitely.
users table (forget_code column) · Found 2026-03-12 · security, auth

P3 — Nice-to-have

18 open · 0 completed · 18 total
18 Open P3 Items · Cleanup and improvements

X-013 · TypeScript Nullability Doesn't Match API · 1h · cross-project
Marks first_name, last_name, address, lat, lng as non-nullable but backend allows nulls.
tastemakers-web/src/types/index.ts · Found 2026-03-13 · web, types

X-014 · Android Restaurant Missing city/country Fields · 30m · cross-project
Missing backend fields. Location info cannot display in Android UI.
tastemakers-android/Models.kt:44-51 · Found 2026-03-13 · android, models

X-015 · User Models Missing 6 Social Fields · 1h · cross-project
Backend supports tiktok, youtube, instagram, twitter, facebook, website. Clients can't display/edit.
src/types/index.ts, Models.kt · Found 2026-03-13 · cross-platform, models

X-016 · Root CLAUDE.md API Contract Incomplete · 1h · cross-project
Missing 11+ endpoints. gettastemaker-List marked auth-required but is public.
CLAUDE.md · Found 2026-03-13 · documentation

X-017 · Android Using kapt Instead of KSP · 1h · cross-project
Hilt uses slower kapt. Hilt 2.51.1 supports KSP for faster builds.
tastemakers-android/app/build.gradle.kts:8 · Found 2026-03-13 · android, build

X-018 · WordPress Missing .gitignore and .htaccess · 30m · cross-project
No .gitignore so wp-config.php could be committed. No .htaccess for sensitive file protection.
tastemakers-wordpress/ · Found 2026-03-13 · wordpress, security

X-019 · Android allowBackup="true" · 5m · cross-project
Allows ADB data extraction including auth tokens. Should be false.
AndroidManifest.xml:11 · Found 2026-03-13 · android, security

B-021 · Haversine Formula Duplicated 16 Times · 2h · backend
Same raw SQL copy-pasted 16 times. Should be a model scope.
RestaurantController.php · Found 2026-03-12 · quality, duplication

B-022 · 390+ Lines of Commented-Out Code · 1h · backend
13% of RestaurantController is dead code including duplicate getRestaurants1() method.
RestaurantController.php · Found 2026-03-12 · quality, cleanup

B-023 · "testmaker" vs "tastemaker" Naming (228 occurrences) · 4h · backend
testmaker_list, testmaker_follow tables, is_testmaker column. Product name is Tastemakers.
Database + codebase · Found 2026-03-12 · quality, naming

B-024 · Remove CurModel Alias Anti-Pattern · 1h · backend
Every controller aliases model as CurModel, obscuring actual type.
All controllers · Found 2026-03-12 · quality, clarity

B-025 · Replace var Keyword with Proper Visibility · 30m · backend
PHP 4-era var $prop instead of protected/private with type hints. 24 occurrences.
8 controllers · Found 2026-03-12 · quality, modernization

B-026 · Inconsistent API Response Format · 6h · backend
Three different structures. Typos: "Unable to fecth restaturants" (10x).
All controllers · Found 2026-03-12 · architecture, consistency

B-027 · No Test Coverage · 12h · backend
Only default Laravel example tests. 4,600+ LOC with zero custom tests.
tests/ · Found 2026-03-12 · testing

B-028 · Route Naming Inconsistency · 3h · backend
Mixed casing (ListTitleSave, TastemakerList-edit), typos (resaturantsbylistid).
routes/api.php · Found 2026-03-12 · quality, consistency

B-029 · apiTags() Returns ALL Tags Without Pagination · 1h · backend
CurModel::all() on every request. No pagination, caching, or field selection.
TagController::apiTags() · Found 2026-03-12 · performance, scalability

B-030 · Permission Checking Copy-Pasted 51 Times · 3h · backend
Auth::user()->checkPermission() repeated 51 times. Should be middleware.
7 controllers · Found 2026-03-12 · architecture, duplication

B-031 · DataTable N+1 Queries in Admin Panel · 1h · backend
CurModel::find($row->id)->restaurants->count() per row. Should use withCount.
TagController::index(), UserController::index() · Found 2026-03-12 · performance, queries