O. Discovery Questions Still Needed
These questions could not be answered from the codebase alone. Answers affect the migration sequencing, risk assessment, and timeline estimates in this audit. Each question is tagged with the phase it blocks or influences.
Operations & Deployment
Q1 — What are the production deployment targets for soreto-melissa and soreto-zoe?
Affects: Phase 2, Phase 4
Why: Neither repo has a Procfile, Dockerfile, or CI config. Deployment method is unknown. If deployed via Heroku, the monorepo migration must account for Heroku's monorepo support (it is limited — buildpacks don't natively support pnpm workspaces). If on other platforms (Railway, Fly.io, AWS), different constraints apply.
Q2 — Is RabbitMQ actively used in production for reverb-backend?
Affects: Phase 3 — Backend Modernization, H — Backend Architecture
Why: seneca-amqp-transport routes messages via RabbitMQ between reverb-backend's internal processes (service_meta, service_api, service_email_queue). If these services are running in production and receiving messages, seneca is load-bearing. If they're dormant or the connection is not actually active, seneca can be removed more aggressively.
How to check: Review Heroku add-on list for CloudAMQP or similar. Check application logs for amqp connection events.
Q3 — What is the active user count and traffic volume on reverb-react?
Affects: Phase 5 — Legacy Portal Cut-over, G — Frontend Architecture, R02 Why: If reverb-react serves thousands of daily active users, the cut-over must be gradual (10% → 50% → 100%) with a longer WAF window and more monitoring. If it serves a handful of internal admin users, cut-over can be faster and less formal.
Q4 — What are the production Heroku config vars for reverb-backend?
Affects: D — Technical Debt, Phase 0
Why: The config.js file contains default values for SESSION_SECRET, TOKEN_SECRET, and COOKIE_SECRET. If these env vars are absent from Heroku, the app is running with publicly known secrets. This needs to be verified against the actual Heroku config var list.
How to check: heroku config -a <app-name> for each environment (staging, production).
Database Architecture
Q5 — Does the zoe PostgreSQL schema reference the reverb schema directly?
Affects: Phase 4 — Zoe Modernization, F — Version Standardization
Why: If soreto-zoe's database queries use cross-schema references (e.g., SELECT * FROM reverb.campaigns JOIN zoe.jobs ON ...), then the two schemas are tightly coupled at the database level. This means any infrastructure change (separate PostgreSQL instances, schema rename) must coordinate both schemas simultaneously, increasing the upgrade complexity.
How to check:
SELECT routine_name, routine_definition
FROM information_schema.routines
WHERE routine_definition LIKE '%reverb.%';
Also search the codebase for reverb. in Knex query strings.
Q6 — What is the PostgreSQL version in production?
Affects: F — Version Standardization
Why: The Travis CI config uses postgresql: "9.5" — which is EOL. If production is also on PostgreSQL 9.x, this is an independent security risk (PostgreSQL 9.5 reached EOL in 2021). Modern Knex versions also have different behavior on PostgreSQL 9.x vs 14+.
Technical
Q7 — What is the actual test coverage percentage in reverb-backend?
Affects: M — Timeline Estimates, Phase 3 Why: Low test coverage means the Node version upgrade requires extensive manual regression testing, significantly increasing timeline. The difference between 20% coverage and 80% coverage is roughly 4–8 additional weeks of testing effort.
How to check: npm run test — nyc outputs a coverage summary. Or nyc report --reporter=text-summary.
Q8 — Which reverb-react features and routes need to be ported in the Next.js 16 rewrite?
Affects: Phase 5 — Legacy Portal Cut-over Why: This is the critical input for scoping the Next.js 16 rewrite. Without a complete route and feature inventory, the rewrite cannot be time-boxed accurately.
How to resolve: A product owner or senior engineer who knows reverb-react should complete the reverb-react feature parity checklist (to be created in Phase 1). Scope admin dashboard, client dashboard, campaign management, user management, and reporting as the priority set.
Q9 — Is soreto-arena actively used in production and by whom?
Affects: Phase 0 (PAT revocation)
Why: soreto-arena is a Bull queue monitoring dashboard installed via a GitHub PAT. If it is actively used by the engineering team to monitor job queues, the PAT must be replaced before the current one is revoked — otherwise the monitoring dashboard breaks when npm install fails on the next deploy.
How to check: Look for the arena route in production and check if anyone is accessing it. The appSettings.ts config shows it runs on Config.Arena.port at Config.Arena.route.
Q10 — Is the heroku-private-modules package in soreto-zoe still in use?
Affects: Phase 0, Phase 4
Why: heroku-private-modules@0.0.1 is in soreto-zoe's package.json with heroku-prebuild and heroku-postbuild scripts. This package is used to install private npm packages on Heroku using authentication. If it's only used to pull soreto-arena, removing it simplifies the dependency graph. If it's used for other private packages, those need to be identified.
Q11 — What is the team size and TypeScript experience level?
Affects: M — Timeline Estimates Why: The TypeScript migration timeline for reverb-backend depends heavily on whether the team is comfortable with TypeScript. A team experienced with TypeScript can type-annotate service files rapidly. A team new to TypeScript needs ramp-up time that must be budgeted into the estimate.
Q12 — Are there mobile apps or third-party API consumers calling reverb-backend directly?
Affects: H — Backend Architecture, Phase 3 Why: If external systems (mobile apps, partner integrations, client systems) call reverb-backend APIs directly, then API versioning becomes critical before any endpoint changes. Without versioning, breaking changes silently break external consumers. This affects whether OpenAPI specification and API versioning must be done before or after the Node upgrade.
Immediate Actions Requiring Answers
These questions should be answered before Phase 1 begins:
| Priority | Question | Blocks |
|---|---|---|
| ⛔ IMMEDIATE | Q9 — is soreto-arena used in production? | Phase 0 PAT revocation |
| 🔴 THIS WEEK | Q4 — are production secrets set correctly? | Security posture |
| 🔴 THIS WEEK | Q2 — is RabbitMQ active in production? | Phase 3 scope |
| 🟡 MONTH 1 | Q7 — reverb-backend test coverage? | Phase 3 timeline |
| 🟡 MONTH 1 | Q8 — feature parity gaps? | Phase 5 timeline |
| 🟡 MONTH 1 | Q5 — cross-schema PostgreSQL queries? | Phase 4 complexity |
| 🟡 MONTH 1 | Q1 — deployment targets for melissa/zoe? | Phase 2 complexity |