Under the Hood

Tastemakers · Technical Overview · Last updated March 2025

01 Genesis

Tastemakers is a social restaurant discovery platform where users and “tastemakers” discover, review, tag, and curate restaurant lists. The project started as an iOS app with a Laravel API backend — built by a solo developer learning to ship a full-stack product. It has since expanded to Android, a Next.js web frontend, and a WordPress marketing site.

I’m now rebuilding and auditing the full stack with Claude Code — working entirely from the terminal, with AI handling the heavy lifting of code auditing, boilerplate generation, and cross-repo consistency checks. This page is a living record of that process: what was built, how it was built, and what it would cost to replicate.

02 By the Numbers

  • Lines of Code: ~69K
  • Git Commits: 624
  • API Endpoints: 50
  • DB Tables: 15
  • Eloquent Models: 9
  • Controllers: 11
  • Migrations: 17
  • iOS Screens: 25
  • Repositories: 5
  • Tracked Issues: 50+
  • Dependencies: 16
  • Client Platforms: 4

LOC by Project

  • WordPress (PHP): 32,893
  • iOS (Swift): 17,795
  • Backend (PHP): 17,592
  • Web (TS/TSX): 1,100
  • Android (Kotlin): 135

03 What Would This Cost to Build?

Cost Comparison Calculator: US dev shop vs offshore vs AI-assisted

US Dev Shop: Senior full-stack team in SF/NYC
$150–250/hr
Hours: 2,000–3,200
Total: $300,500,000–$800,000

Includes PM overhead, design sprints, QA cycles, standups

Offshore (India/China): Outsourced development team
$25–60/hr
Hours: 2,400–4,000
Total: $6,144,000–$240,000

Higher hours due to communication overhead and iteration cycles

AI-Assisted (Actual): Solo developer + Claude Code
~$20/mo (API)
Hours: 80–200
Total: $200–$4,000

Human hours only — AI handles boilerplate, auditing, refactoring

Scope Breakdown: What's included
  • Laravel 8 API with OAuth2 auth, 50 endpoints, 9 models, RBAC admin
  • iOS app — 25 screens, Google/Apple social login, geolocation, image uploads
  • Android app — Kotlin/Compose scaffold (early stage)
  • Next.js 15 web frontend with TypeScript strict mode
  • WordPress marketing site with custom theme
  • PostgreSQL schema design, Redis caching, Foursquare/FCM integrations
  • Cross-platform API contract coordination across 3 mobile clients
  • Security audit, code review, and 50+ issue tracking/documentation

Disclaimer: These are rough estimates based on actual codebase complexity (69K LOC, 50 API endpoints, 4 client platforms, 15 DB tables). Actual costs vary by team experience, project management overhead, design requirements, and scope changes. AI-assisted costs reflect human hours only — AI API costs are minimal (~$20/mo for Claude Code).

04 AI Development Workflow

CLAUDE.md as Cross-Session Memory

6 CLAUDE.md files across the monorepo — one per project plus the root. They document the API contract, port registry, implementation plans, and 50+ tracked issues. Claude Code reads these on every session start, so each conversation begins with full project context.

Session Structure

Each session begins with Claude Code reading context files, then the human sets the goal. Exploration first (read, audit, document), then targeted changes. No autonomous large-scale refactors without human review.

Feedback Loops

Direct exploration ('read every controller and list security issues'), review findings, then approve or redirect specific changes. Claude Code proposes diffs, and each one is reviewed before it is accepted. Findings are captured in todos/ for cross-session persistence.

Human vs AI Responsibilities

Delegated to AI: reading and auditing code, generating boilerplate, finding inconsistencies across repos, writing documentation. Directed by human: architecture decisions, security fixes, API contract changes, anything that touches production.

Terminal-Only Development

Built entirely via Claude Code CLI in the terminal — no IDE GUI, no drag-and-drop, no visual editor. Every file is created and edited through text commands. This /tech page's 1000+ lines of inline-styled React was written without previewing in a browser.

Documentation-First Strategy

Spent the first two sessions reading and documenting the existing codebase instead of writing new code. This surfaced 50 issues including critical security vulnerabilities — saving weeks of building on a broken foundation.

  • Sessions: 6+
  • CLAUDE.md Files: 6
  • Tracked Issues: 50+
  • Repos Managed: 5

05 Architecture Overview

All clients (iOS, Android, Web) consume the same Laravel API. The web frontend proxies /api/* requests through Next.js rewrites to avoid CORS. External services (Foursquare, FCM) are called via raw cURL from the backend — no SDK abstractions.

06 Tech Stack

Frontend

  • Next.js 15: App Router, React Server Components
  • TypeScript: Strict mode, path aliases
  • React 19: Client + Server Components

Mobile

  • Swift / UIKit: iOS — 25 ViewControllers, 617 commits
  • Kotlin / Jetpack Compose: Android — early stage

Backend

  • Laravel 8: PHP 7.3/8.0, Eloquent ORM
  • Laravel Passport: OAuth2 token auth for mobile
  • Maatwebsite/Excel: Bulk category imports
  • Yajra DataTables: Admin panel data grids

Database & Auth

  • PostgreSQL: Primary database, port 5446
  • Redis: Cache layer, port 6384
  • OAuth2 (Passport): Bearer token authentication
  • Google OAuth: Social login
  • Apple Sign-In: iOS JWT authentication

Data & Integrations

  • Foursquare API: Venue search, restaurant data
  • Firebase FCM: Push notifications to mobile
  • SMTP: Welcome emails, password resets
  • Google Maps: Geocoding, place details

Testing & Quality

  • PHPUnit: Backend unit/feature tests
  • ESLint: TypeScript/React linting
  • TypeScript Strict: Compile-time type safety

Infrastructure

  • WordPress: Marketing site — tastemakersapp.com
  • Local Storage: Image uploads (profile, restaurant)
  • Mermaid.js: Architecture & ERD diagrams (this page)

07 Database Schema

15 tables · PostgreSQL · Laravel Eloquent

Core — Users, Restaurants, Tags: Main entities and many-to-many pivots

Categories & Predefined Tags: Cuisine categories and tag/restaurant associations

Access Control — Roles & Modules: RBAC with granular view/add/edit/delete permissions

Schema notes:
  • All pivot tables use explicit id PKs (not composite keys)
  • Soft deletes on: users, restaurants, tags, countries
  • restaurant_tag is a 3-way pivot (user + restaurant + tag)
  • lat/lng stored as strings, not numeric types
  • No FK constraints in migrations — only column definitions
  • users.role_id is integer, all other FKs are bigInteger

08 Feature Modules

10 Modules

  • Authentication: Email/password, Google OAuth, Apple Sign-In, device registration, password reset with OTP
  • User Profiles: Profile CRUD, avatars, badges, login tracking, notification preferences
  • Restaurant Discovery: Foursquare-powered search, geolocation, Haversine distance, saved restaurants
  • Tagging System: User-created tags applied to restaurants — 3-way pivot (user × restaurant × tag)
  • Tastemaker Lists: Curated restaurant lists, follow tastemakers, bookmark lists
  • Restaurant Images: Upload, view, like/unlike photos, report inappropriate content
  • Categories: Predefined cuisine categories with tag groupings, bulk Excel import
  • Admin Panel: Dashboard, user/restaurant/tag CRUD, role-based access control (RBAC)
  • Social Features: Follow tastemakers, like images, bookmark lists, activity feeds
  • Geolocation: Nearby restaurants, cuisine-based search by coordinates

09 Build Journal

6 Sessions · Most recent first

Session 6 · feature

/tech page — full technical overview

Built the Under the Hood page with 11 data-driven sections, Mermaid.js architecture diagrams, cost comparison calculator, collapsible ERD schemas, and build timeline. All inline-styled, no Tailwind dependency.

Session 5 · mistake

Android project assessment

Discovered Android won't compile — missing Hilt dependency injection module, premature Firebase dependencies without google-services.json. Only 135 LOC, 1 commit. Marked as P2.

Session 4 · mistake

Security audit findings

Found production secrets in git, unauthenticated delete endpoints, hardcoded FCM server key, IDOR vulnerabilities (user_id from request body instead of Auth::id()), SSL verification disabled on cURL calls, public /clear-cache route running artisan commands.

Session 3 · refactor

Cross-platform API contract mapping

Mapped every API endpoint across iOS, Android, and web. Found field name mismatches (tag_name vs name, description vs short_description) and endpoint divergence between iOS and API docs. Documented in P1 todos.

Session 2 · feature

Web frontend scaffold

Created tastemakers-web with Next.js 15, TypeScript strict mode, API proxy config. Established port assignments (3050 web, 4050 API) to avoid collisions across 5 projects on one machine.

Session 1 · setup

Backend API audit & CLAUDE.md setup

Read every controller, model, and migration. Documented 31 backend findings and 19 cross-project issues in todos/. Set up CLAUDE.md files for each repo so Claude Code has persistent context across sessions.

10 Lessons Learned

7 Insights · What worked and what was hard

what worked · CLAUDE.md is the killer feature

Writing project context into CLAUDE.md files means each new Claude Code session starts with full awareness of ports, conventions, known bugs, and cross-project dependencies. Without this, every session would start from zero.

what worked · Audit before building

Spending the first sessions reading and documenting the existing codebase (instead of writing new code) surfaced 50 issues including critical security vulnerabilities. This saved weeks of building on a broken foundation.

what was hard · Cross-project coordination is the hard part

The API contract between 3 mobile clients and a backend had drifted. Field names, response envelopes, and endpoint paths all had subtle differences. AI can find these inconsistencies fast, but fixing them requires coordinated changes across repos.

what was hard · God controllers resist refactoring

RestaurantController is 2,985 lines with 35+ public methods. Every change risks breaking something else. AI suggests clean extractions but each one requires tracing dependencies through the entire monolith.

what worked · Let AI explore, human decides

The best workflow: tell Claude Code to read and analyze, review its findings, then direct specific changes. Letting it make autonomous large-scale changes without review leads to subtle regressions.

what worked · Terminal-only development works

This entire web frontend — including this 1000+ line page — was built without opening a browser preview. Claude Code writes the code, TypeScript catches the errors. You only need the browser for final visual verification.

what was hard · Security debt compounds silently

Production secrets in git, unauthenticated delete endpoints, and IDOR vulnerabilities were all live in the codebase. Without a systematic audit, these would have shipped to production. AI-assisted auditing caught them in hours, not weeks.
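
Three of the findings listed under Session 4 and repeated in the lesson above (user_id taken from the request instead of Auth::id(), SSL verification disabled on cURL calls, and a public route running artisan commands) can be re-checked mechanically after each change. The scanner below is an added example, not code from the Tastemakers repositories: the rule names, the regex heuristics, and the PHP sample lines are all constructed for illustration, and the route check only sees single-line closures.

```python
import re

# Heuristic rules for findings named on this page. Rule ids are labels
# invented for this example, not identifiers from the project.
RULES = [
    ("idor-user-id-from-request", re.compile(
        r"""\$request->(?:input|get|post)\(\s*['"]user_id['"]|\$request->user_id\b""")),
    ("curl-tls-verify-disabled", re.compile(
        r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*(?:,|=>)\s*(?:false|0)\b", re.I)),
]
# A route closure that calls Artisan on the same line.
ARTISAN_ROUTE = re.compile(r"Route::\w+\(.*Artisan::call")

# Constructed Laravel-style PHP lines: each risky form is followed by the
# safer form that the scanner should leave alone.
SAMPLE_PHP = "\n".join([
    "Route::get('/clear-cache', function () { Artisan::call('cache:clear'); });",
    "Route::middleware('auth:api')->get('/clear-cache', "
    "function () { Artisan::call('cache:clear'); });",
    "$userId = $request->input('user_id');  // caller chooses the owner",
    "$userId = Auth::id();                  // owner comes from the token",
    "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);",
    "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);",
])


def audit(source):
    """Return (line_number, rule_id) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id))
        # Artisan reachable from a route with no middleware on that line.
        if ARTISAN_ROUTE.search(line) and "middleware" not in line:
            findings.append((lineno, "public-artisan-route"))
    return findings


if __name__ == "__main__":
    for lineno, rule_id in audit(SAMPLE_PHP):
        print(f"line {lineno}: {rule_id}")
```

Matches are leads for human review rather than verdicts, which fits the explore-then-decide workflow described earlier on the page.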