Soreto / Reverb Ecosystem — Technical Audit
Auditor: Principal Software Architect (AI-assisted via Claude Code)
Date: 2026-05-19
Repositories audited: soreto-melissa · soreto-zoe · reverb-react · reverb-backend
Nature: Read-only audit — no code was modified
IMPORTANT: These four projects are currently independent repositories. They were temporarily placed inside a single parent folder for audit convenience. All analysis explicitly distinguishes between the current real-world repository boundaries and the proposed future architecture.
How to Use This Document
Each section is a standalone file. Start with the Executive Summary and the Final Recommendation for the top-level picture, then drill into any section for evidence and detail.
Cross-links between sections are relative — every file links back to this README and forward to related sections.
Table of Contents
Overview
| Section | File | Summary |
|---|---|---|
| A. Executive Summary | A-executive-summary.md | TL;DR — what was found, what matters most, top risks |
| P. Final Recommendation | P-final-recommendation.md | Confidence level, direction, immediate next steps |
Factual Inventory (Phase 1)
| Section | File | Summary |
|---|---|---|
| B. Current State Inventory | B-current-state/ | Repo-by-repo breakdown of versions, architecture, tooling, risks |
| ↳ reverb-backend | B-current-state/reverb-backend.md | Node 14, Express, JavaScript, Heroku, Travis CI |
| ↳ reverb-react | B-current-state/reverb-react.md | Node 10 EOL, React mismatch, Babel 6, legacy portal |
| ↳ soreto-melissa | B-current-state/soreto-melissa.md | Node 22, Next.js 13, React 18, no CI/CD |
| ↳ soreto-zoe | B-current-state/soreto-zoe.md | Node 16, Bull jobs, leaked PAT, AMD TypeScript |
| C. Cross-Repo Gap Analysis | C-cross-repo-gap-analysis.md | Comparison tables, hidden coupling map, dependency drift |
Risk & Architecture Analysis (Phase 2)
| Section | File | Summary |
|---|---|---|
| D. Technical Debt & Risk Assessment | D-technical-debt-risk.md | Risk matrix, severity ratings, immediate threats |
| E. Monorepo Evaluation | E-monorepo-evaluation.md | Benefits, risks, feasibility, maturity assessment |
| F. Version Standardization | F-version-standardization.md | Node upgrade paths, blockers, dependency compatibility |
Architecture Assessments (Phase 3)
| Section | File | Summary |
|---|---|---|
| G. Frontend Architecture | G-frontend-architecture.md | React fragmentation, Next.js assessment, reverb-react modernization plan |
| H. Backend Architecture | H-backend-architecture.md | reverb-backend maturity, soreto-zoe patterns, Seneca risk |
| I. Shared Platform Opportunities | I-shared-platform-opportunities.md | What to share, what not to share, package candidates |
Strategy (Phases 4–6)
| Section | File | Summary |
|---|---|---|
| J. AI Context & Spec-Driven Engineering | J-ai-context-spec-engineering.md | AI development readiness, documentation strategy, spec recommendations |
| K. Recommended Target Architecture | K-target-architecture.md | Monorepo structure diagram, tooling choices, workspace layout |
| L. Migration Feasibility & Phased Plan | L-migration-plan.md | 5-phase migration, dependencies between phases, sequencing |
| M. Resource & Timeline Estimate | M-resources-timeline.md | Team composition, low/realistic/worst-case estimates, ROI |
| N. Risks & Mitigations | N-risks-mitigations.md | Risk register with probability, impact, and mitigations |
| O. Discovery Questions | O-discovery-questions.md | Open questions that require human input before proceeding |
Critical Findings at a Glance
These items require attention regardless of the architecture decision.
| # | Severity | Finding | Repo | Section |
|---|---|---|---|---|
| 1 | ⛔ CRITICAL | Live GitHub PAT embedded in package.json | soreto-zoe | D, B4 |
| 2 | ⛔ CRITICAL | Node 10 — EOL December 2020, zero security patches | reverb-react | F, B2 |
| 3 | 🔴 HIGH | Two library-pair mismatches: react@17/react-dom@16.5 and react-router@3/react-router-dom@4 | reverb-react | G, B2 |
| 4 | 🔴 HIGH | No CI/CD pipeline exists | melissa, zoe | D |
| 5 | 🔴 HIGH | Hardcoded default secrets in config | reverb-backend | D, B1 |
| 6 | 🔴 HIGH | Node 16 EOL, Knex 0.16.3 (2018) | soreto-zoe | F, B4 |
| 7 | 🟡 MEDIUM | No OpenAPI contract — API shape undiscoverable | reverb-backend | H |
| 8 | 🟡 MEDIUM | seneca.js messaging library unmaintained | reverb-backend | H |
Repository Quick Reference
| Repo | Role | Node | Language | CI | Deploy |
|---|---|---|---|---|---|
| reverb-backend | Core API platform | 14.17.3 | JavaScript | Travis CI | Heroku |
| reverb-react | Legacy admin portal | ~10.15.3 ⛔ | JavaScript/JSX | Travis CI (no tests) | Heroku |
| soreto-melissa | New platform UI | 22.0.0 | TypeScript | None | Unknown |
| soreto-zoe | Job scheduler / integrations | 16.13.0 | TS + JS | None | Unknown |
Assumptions
All assumptions made during this audit are listed in P. Final Recommendation — Assumptions.
Audit conducted 2026-05-19 · Read-only inspection · No code modified