KwadMarket Docs

Review History

How the codebase got here — audits, reviews and their outcomes

A timeline of the audit/review passes and what each produced. The current state of open work always lives in the plan — this section is the record, useful for understanding why the conventions and plan say what they say.

June 2026 — Full audit

Security, code-quality, testing/CI and feature-gap reports across the whole monorepo. Headline findings: IDOR criticals on deals/discussions (since fixed and verified), the JS-readable auth token, zero tests, default-secret fallbacks. Produced the first remediation plans (frontend migration plan + backend plan).

June 2026 — Frontend migration (executed)

The apps/web refactor: features/<domain>/ structure, TanStack Query for all server state, RHF + zod forms, middleware auth, one API layer. Fully executed — this is why the frontend conventions describe patterns that are all live in the code.

2026-06-14/15 — Frontend code-quality review ("opus")

Deep polish pass with a re-review the next day. Steps 1–8 landed (dead code, error boundaries, one API_URL/upload/toast, auth on TanStack Query, header decomposition, color tokens, lint enforcement, HttpOnly cookie). → Condensed review with what stayed open.

2026-07-02 — Scored reviews + consolidation

Frontend + backend reviews at commit 0b38d35, then all docs consolidated: fixed items removed, everything still open verified against the code. That consolidation is today's conventions + plan.

Full text

The complete original reports (June audit 01-security.md through 06-feature-roadmap.md, the migration plans, the July scored reviews, and the opus docs) live in git history. The last complete state of the consolidated fable/ docs is at commit fefbb12; the pre-consolidation trees exist in earlier commits.
