Soreto / Reverb Ecosystem — Technical Audit
How to Use This Document
Each section is a standalone file. Start with the Executive Summary and the Final Recommendation for the top-level picture, then drill into any section for evidence and detail.
Cross-links between sections are relative — every file links back to this README and forward to related sections.
Table of Contents
Overview
| Section |
File |
Summary |
| A. Executive Summary |
A-executive-summary.md |
TL;DR — what was found, what matters most, top risks |
| P. Final Recommendation |
P-final-recommendation.md |
Confidence level, direction, immediate next steps |
Factual Inventory (Phase 1)
| Section |
File |
Summary |
| B. Current State Inventory |
B-current-state/ |
Repo-by-repo breakdown of versions, architecture, tooling, risks |
| ↳ reverb-backend |
B-current-state/reverb-backend.md |
Node 14, Express, JavaScript, Heroku, Travis CI |
| ↳ reverb-react |
B-current-state/reverb-react.md |
Node 10 EOL, React mismatch, Babel 6, legacy portal |
| ↳ soreto-melissa |
B-current-state/soreto-melissa.md |
Node 22, Next.js 13, React 18, no CI/CD |
| ↳ soreto-zoe |
B-current-state/soreto-zoe.md |
Node 16, Bull jobs, leaked PAT, AMD TypeScript |
| C. Cross-Repo Gap Analysis |
C-cross-repo-gap-analysis.md |
Comparison tables, hidden coupling map, dependency drift |
Risk & Architecture Analysis (Phase 2)
Architecture Assessments (Phase 3)
Strategy (Phases 4–6)
| Section |
File |
Summary |
| J. AI Context & Spec-Driven Engineering |
J-ai-context-spec-engineering.md |
AI development readiness, documentation strategy, spec recommendations |
| K. Recommended Target Architecture |
K-target-architecture.md |
Monorepo structure diagram, tooling choices, workspace layout |
| L. Migration Feasibility & Phased Plan |
L-migration-plan.md |
5-phase migration, dependencies between phases, sequencing |
| M. Resource & Timeline Estimate |
M-resources-timeline.md |
Team composition, low/realistic/worst-case estimates, ROI |
| N. Risks & Mitigations |
N-risks-mitigations.md |
Risk register with probability, impact, and mitigations |
| O. Discovery Questions |
O-discovery-questions.md |
Open questions that require human input before proceeding |
| Q. Epics & User Stories |
Q-epics-and-stories.md |
6 epics, 31 stories, 183 tasks with priorities, effort, and owners |
Critical Findings at a Glance
These items require attention regardless of the architecture decision.
| # |
Severity |
Finding |
Repo |
Section |
| 1 |
⛔ CRITICAL |
Live GitHub PAT embedded in package.json |
soreto-zoe |
D, B4 |
| 2 |
⛔ CRITICAL |
Node 10 — EOL December 2020, zero security patches |
reverb-react |
F, B2 |
| 3 |
🔴 HIGH |
Two library-pair mismatches: react@17/react-dom@16.5 and react-router@3/react-router-dom@4 |
reverb-react |
G, B2 |
| 4 |
🔴 HIGH |
No CI/CD pipeline exists |
melissa, zoe |
D |
| 5 |
🔴 HIGH |
Hardcoded default secrets in config |
reverb-backend |
D, B1 |
| 6 |
🔴 HIGH |
Node 16 EOL, Knex 0.16.3 (2018) |
soreto-zoe |
F, B4 |
| 7 |
🟡 MEDIUM |
No OpenAPI contract — API shape undiscoverable |
reverb-backend |
H |
| 8 |
🟡 MEDIUM |
seneca.js messaging library unmaintained |
reverb-backend |
H |
Repository Quick Reference
| Repo |
Role |
Node |
Language |
CI |
Deploy |
reverb-backend |
Core API platform |
14.17.3 |
JavaScript |
Travis CI |
Heroku |
reverb-react |
Legacy admin portal |
~10.15.3 ⛔ |
JavaScript/JSX |
Travis CI (no tests) |
Heroku |
soreto-melissa |
New platform UI |
22.0.0 |
TypeScript |
None |
Unknown |
soreto-zoe |
Job scheduler / integrations |
16.13.0 |
TS + JS |
None |
Unknown |
Assumptions
All assumptions made during this audit are listed in P. Final Recommendation — Assumptions.