Lantern App Comprehensive Audit Report

Date: February 9, 2026 Auditor: Claude Sonnet 4.5 (claude.ai/code) Scope: Full codebase audit covering code quality, security, testing, infrastructure, and documentation post-monorepo reorganization

---

Executive Summary

Overall Assessment: ⭐⭐⭐⭐ (4/5 - Strong with critical refactoring needed)

The Lantern app has successfully completed a major monorepo reorganization (PR #261) and React 19 upgrade, demonstrating strong infrastructure and modern architecture. However, critical technical debt in the Dashboard component has accelerated (+19.5% growth) since the last audit, and test coverage gaps remain despite 6x improvement in test file count. The codebase is production-ready but requires immediate attention to the Dashboard refactoring and hook testing.

Key Findings at a Glance

✅ Major Accomplishments Since Last Audit (Jan 7, 2026):

• Monorepo reorganization complete with 6 workspaces
• React 19.2.4 upgrade successful (from 18.x)
• Test files increased 6x (3 → 20 files)
• Issue #245 (Admin password encryption) resolved via PR #259
• Comprehensive CI/CD pipeline with CodeQL security scanning
• Issue #254 (~80% complete, infrastructure verification pending)

🔴 Critical Issues:

• Dashboard.jsx grew from 1,859 → 2,222 lines (+19.5%) - refactoring deferred
• Only 1 custom hook with 0 hook tests - critical business logic untested
• Manual Firestore index deployment creates drift risk
• OSM import security vulnerability (Issue #224) remains unaddressed

⚠️ Warnings:

• Screen components (30 files) have 0 test coverage
• Component test coverage minimal (1 test file for 49 components)
• 25 open issues requiring triage and prioritization
• Monorepo import paths need systematic verification

ℹ️ Opportunities:

• E2E testing framework not yet implemented
• Performance metrics and monitoring not tracked
• Code splitting not yet implemented
• Bundle size optimization opportunities

---

1. Monorepo Reorganization Impact Analysis

Status: ✅ Successfully Implemented (PR #261)

Workspace Structure

The monorepo is well-organized with clear separation of concerns:

apps/
  web/           — Main Lantern PWA (React 19 + Vite)
  admin/         — Admin dashboard (separate app)
services/
  functions/firebase/  — Cloud Functions (Node 22)
  api/docs/            — Express.js docs API
  bots/discord/        — Discord bot for issue triage
packages/
  shared/        — Shared constants (@lantern/shared)

Workspace Count: 6 workspaces Script Delegation: ✅ Working (npm commands properly delegate to workspaces) CI/CD Integration: ✅ Updated (node_modules paths fixed in workflows)

Recent Monorepo-Related Commits

Commit	Description	Status
ef19c93	Update imports to include React	✅ Complete
2010e39	Fix node_modules paths in CI	✅ Complete
add8e7f	Create apps/web/package.json	✅ Complete

Assessment

Strengths:

• Clean directory structure following industry standards
• Proper workspace isolation (separate package.json files)
• Build scripts working across all workspaces
• CI/CD successfully adapted to workspace structure

Potential Risks:

• Recent import path fixes (ef19c93) suggest edge cases may still exist
• Need systematic verification of all import paths across codebase
• Workspace dependency duplication should be monitored

Recommendation: 🟢 Low Priority - Run periodic import path audits using Glob/Grep to catch any remaining issues from the reorganization.

---

2. Code Quality & Architecture

2.1 Dashboard Component - CRITICAL TECHNICAL DEBT

File: apps/web/src/screens/dashboard/Dashboard.jsx

Metric	Jan 2026	Feb 2026	Change	Status
Lines of Code	1,859	2,222	+363 (+19.5%)	🔴 Worsening
React Hooks	~28 useState	~30+ useState	+2+	🔴 Growing
useEffect Blocks	~15	~17	+2	🔴 Growing
Responsibilities	8+	9+	+1	🔴 Worsening

Status: 🔴 CRITICAL - Technical Debt Accelerating

What Changed Since Jan 2026?

The Dashboard component has grown by 363 lines despite Phase 1 refactoring recommendations from the previous audit. This represents a 19.5% increase in complexity.

Current Responsibilities (9+ domains):

1. Home view management (places list, map, search, filtering)
2. Venue detail view
3. Lantern management (light, schedule, extinguish)
4. Wave system (send, receive, accept, decline)
5. Chat system (active chats, messages)
6. Connection management
7. Notification system (multiple types, persistence)
8. Navigation (bottom nav, tab switching)
9. Real-time data sync (Firestore listeners for 6+ collections)
10. Location services (geolocation, venue loading)
11. Forms & modals (multiple form flows)

Analysis of Growth

New State Added:

// Scroll position management (new complexity)
const mainScrollContainerRef = useRef(null)
const isRestoringScrollRef = useRef(false)
const lastRestoredCacheRef = useRef(null)
const localScrollPositionRef = useRef(0)
const previousViewRef = useRef('home')

// Enhanced venue state
const [venuesBeforeMapSearch, setVenuesBeforeMapSearch] = useState(null)
const [isMapSearchActive, setIsMapSearchActive] = useState(false)
const [viewMode, setViewMode] = useState('list')
const [mapPosition, setMapPosition] = useState(null)

What This Means:

• Scroll restoration logic added significant complexity
• Map integration added 4+ new state variables
• State management becoming more intertwined
• Harder to reason about component behavior

Impact on Development

• Onboarding: New developers struggle to understand this file
• Maintenance: Changes risk breaking unrelated features
• Testing: Nearly impossible to test in isolation
• Performance: Re-renders affect multiple unrelated UI sections
• Debugging: Stack traces span 100+ line useEffect blocks

Recommended Refactoring Plan (UPDATED)

Phase 1: Extract View Components (Week 1-2) Target: Reduce from 2,222 → ~1,000 lines

Dashboard.jsx (2222 lines)
  └─> Extract to:
      ├── PlacesScreen.jsx (✅ Already exists, but inline rendering remains)
      ├── VenueDetailScreen.jsx (✅ Already exists, but state management in parent)
      ├── ActiveLanternScreen.jsx (✅ Already exists, but coupled to parent)
      ├── LanternSuccessScreen.jsx (✅ Already exists, but minimal)
      └── MapViewContainer.jsx (❌ NEW - extract map-specific state and logic)

Phase 2: Extract Business Logic Hooks (Week 3-4) Target: Reduce from ~1,000 → ~500 lines

apps/web/src/hooks/
  ├── useLightLantern.js (✅ Already exists)
  ├── useWaveManagement.js (❌ NEW - wave send/accept/decline logic)
  ├── useConnectionManagement.js (❌ NEW - connection CRUD + chat state)
  ├── useNotifications.js (❌ NEW - notification queue + localStorage)
  ├── useVenueData.js (❌ NEW - venue loading + filtering + search)
  ├── useMapState.js (❌ NEW - map position, search, view mode)
  └── useScrollRestoration.js (❌ NEW - scroll position management)

Phase 3: Extract UI Component Library (Week 5-6) Target: Reduce from ~500 → ~200 lines

apps/web/src/components/dashboard/
  ├── VenueCard.jsx
  ├── VenueMapView.jsx
  ├── SearchBar.jsx
  ├── CategoryTabs.jsx
  └── NotificationBanner.jsx

Success Criteria:

• Dashboard.jsx < 300 lines
• Each sub-component < 200 lines
• Hooks testable in isolation
• Clear single responsibility per file

---

2.2 Codebase Metrics

Metric	Count	Comparison
Total Source Files	135	+69 from Jan 2026 (66) = +104%
Components (*.jsx)	49	New metric
Screens (*.jsx)	30	New metric
Hooks (*.js)	1	🔴 CRITICAL: Only 1 custom hook
Test Files	20	+17 from Jan 2026 (3) = +567%
Storybook Stories	33	New metric
Documentation Files	206	Growing documentation library

Analysis:

Strengths:

• Source files doubled due to monorepo reorganization (expected growth)
• Strong component library (49 components + 33 stories)
• Test coverage infrastructure maturing rapidly

Concerns:

• Only 1 custom hook (useLightLantern.js) suggests business logic lives in components
• This is likely why Dashboard.jsx is so large - logic not extracted
• Screen components (30) are likely large like Dashboard

---

2.3 Code Organization Patterns

Strengths:

• Clear separation between screens/ and components/
• Service modules well-organized in lib/
• Shared package (@lantern/shared) for cross-workspace code
• Storybook integration for component documentation

Opportunities:

• Extract more custom hooks to reduce component complexity
• Consider feature-based organization for large domains (lanterns, waves, venues)
• Implement barrel exports for cleaner imports

---

3. Security Audit

3.1 Firebase Security Rules

File: firestore.rules

Status: ✅ Comprehensive with ⚠️ 2 Known TODOs

Security Architecture

Authentication Methods:

• Firebase Auth with custom claims (role-based access)
• Admin role via request.auth.token.role == 'admin'
• Merchant role via request.auth.token.role == 'merchant'
• Zero-knowledge encryption (client-side only)

Access Control Patterns:

• ✅ Helper functions: isAuthenticated(), isOwner(), isAdmin(), isMerchant()
• ✅ Email validation regex
• ✅ Field-level access control
• ✅ Audit trail (admin actions cannot be deleted)
• ✅ Private by default (deny-all catchall)

Issue #245 Resolution (Admin Password Encryption)

Status: ✅ RESOLVED via PR #259

Rules now include encryption recovery mechanism:

// firestore.rules:143-150
// Encryption re-initialization (Issue #245)
(
  resource.data.encryptionCorrupted == true &&
  request.resource.data.diff(resource.data).affectedKeys()
    .hasOnly(['salt', 'encryptedBirthDate', 'encryptionCanary',
              'encryptionCorrupted', 'encryptionReinitialized',
              'encryptionReinitializedAt', 'updatedAt'])
)

Verification: Users can now reset their encryption keys when corruption is detected, without breaking zero-knowledge architecture.

Known Security TODOs

1. OSM Import Security (Issue #224)

Location: firestore.rules:290Risk: 🔴 HIGH - Fraud/abuse vector Current: Client-side OSM imports with field validation only Needed: Move to Cloud Function for server-side rate limiting and validation

// firestore.rules:290
// TODO: This should eventually be moved to a Cloud Function
// to better control OSM import rate limits, validation, and potential fraud

Impact:

• Malicious users could flood the venue database
• OSM API rate limits could be exceeded
• No server-side deduplication or validation
• No audit trail of who imported what

Recommendation: 🔴 CRITICAL - Migrate OSM imports to Cloud Function within 4 weeks

---

2. Venue Refresh Metadata (Public Write Access)

Location: firestore.rules:394Risk: ⚠️ MEDIUM - Abuse vector Current: Any unauthenticated user can trigger venue refresh Needed: Restrict to Cloud Function or authenticated users

Impact:

• Potential abuse to trigger excessive API calls
• No accountability for who triggered refreshes
• Could be used for DoS-style attacks

Recommendation: ⚠️ HIGH PRIORITY - Restrict refresh triggers to Cloud Function within 6 weeks

---

Storage Rules

File: storage.rules

Status: ✅ Excellent - Privacy-First

Explicit Denials:

• ❌ No user profile photos allowed
• ❌ No arbitrary user uploads
• ✅ Only venue photos (merchants, 5MB limit)
• ✅ Only offer images (merchants, 2MB limit)
• ✅ Only documentation images (authenticated users, 5MB limit)

Allowed Formats: image/jpeg, image/png, image/webp

Assessment: Storage rules are exemplary - explicit denials prevent common attack vectors.

---

3.2 Dependency Security

Production Dependencies Audit

Command: npm run audit (production dependencies only)

Status: ⚠️ NEEDS MANUAL RUN (not executed in this audit)

Dependencies:

Root (package.json):

• React 19.2.4 (modern, latest stable)
• Firebase 12.9.0 (modern)
• lucide-react 0.563.0 (UI icons)
• geofire-common 6.0.0 (geohashing)

Web App (apps/web/package.json):

• Same core dependencies as root
• maplibre-gl 5.17.0 (mapping)
• prop-types 15.8.1

Node Engine: >=22.0.0 (modern, recommended)

Recommendation: 🟡 Run npm run audit and npm outdated --workspaces to identify specific vulnerabilities and outdated packages.

---

3.3 Authentication & Authorization

Architecture: ✅ Well-Designed

Admin Authentication:

• Separate admin password system (adminProfiles.adminPasswordHash)
• Admin roles via Firebase custom claims
• Cannot be modified client-side
• Cloud Functions enforce role changes

Main App Authentication:

• PILOT_MODE flag in apps/web/src/App.jsx
• AccessGate components restrict access to admin-role users
• Firebase auth with persistence (IndexedDB)

Zero-Knowledge Encryption:

• PBKDF2 with 600,000 iterations
• AES-256-GCM encryption
• Keys derived from user passphrase (never sent to server)
• No passphrase recovery by design
• Encryption canary for corruption detection

Assessment: Authentication architecture is robust and follows security best practices.

---

3.4 Infrastructure Security

Content Security Policy (CSP)

Validation: ✅ Automated via npm run validate:headers

What It Checks:

• Scans source code for external URLs
• Validates all domains are in CSP header
• Reports missing or misconfigured domains
• Located in apps/web/public/_headers

Status: CSP validation is part of CI/CD pipeline (npm run validate)

---

CodeQL Security Scanning

Workflow: .github/workflows/codeql.yml

Status: ✅ ENABLED

• Runs on push to main/dev branches
• Scans JavaScript/TypeScript code
• Identifies security vulnerabilities automatically
• Results visible in GitHub Security tab

---

3.5 Security Summary

Area	Status	Priority
Firebase Security Rules	✅ Comprehensive	-
Storage Rules	✅ Excellent	-
Admin Authentication	✅ Robust	-
Zero-Knowledge Encryption	✅ Best Practice	-
Issue #245 (Encryption)	✅ Resolved	-
OSM Import Security (#224)	🔴 Vulnerable	CRITICAL
Venue Refresh Access	⚠️ Open	HIGH
Dependency Audit	⚠️ Not Run	MEDIUM
CodeQL Scanning	✅ Enabled	-
CSP Validation	✅ Automated	-

---

4. Testing & Coverage

4.1 Test Infrastructure

Framework: Vitest + Testing Library React + jsdom Coverage Tool: v8 Coverage Threshold: 75% (lines, functions, branches, statements) CI Integration: ✅ Enforced (coverage threshold must pass)

Config Files:

• apps/web/vitest.config.js - Main tests
• vitest.workflows.config.js - Workflow tests
• apps/web/test.setup.js - Test environment setup

---

4.2 Test File Inventory

Total Test Files: 20 (up from 3 in Jan 2026)

Test Categories:

Service/Utility Tests (7 files):

• searchUtils.test.js - Search normalization
• osmFormatters.test.js - OSM data formatting
• locationPermission.test.js - Geolocation handling
• devLog.test.js - Development logging
• venueService.test.js - Venue data service
• venueService.enrich.test.js - Venue enrichment
• venueConfig.test.js - Venue tier configuration

Firebase & Core Tests (3 files):

• firebase.test.js - Firebase initialization, environment detection
• geofencing.test.js - Geofencing logic
• StyleGuide.test.jsx - Style guide validation

Feature Tests (3 files):

• lanternService.test.js - Lantern check-in service
• lanternProximity.test.js - Proximity calculations
• locationProximityGate.test.js - Location-based access control

Component Tests (1 file):

• CreateNewProfile.test.jsx - Profile creation component

Workflow Tests (3 files):

• ai-issue-triage.test.js - AI triage mock tests
• ai-issue-triage-mock.test.js - Mock implementation
• ai-issue-triage-real.test.js - Real API tests (optional)

---

4.3 Coverage Analysis

Status: ⚠️ COVERAGE DATA NOT AVAILABLE (test run not executed in this audit)

Coverage Command: npm run test:coverage -w apps/web

To verify actual coverage:

1. Run npm run test:coverage -w apps/web
2. Review apps/web/coverage/coverage-final.json
3. Identify modules below 75% threshold
4. Prioritize critical areas for additional tests

---

4.4 Critical Coverage Gaps

🔴 CRITICAL GAP: Custom Hooks

Hook Files: 1 file (apps/web/src/hooks/useLightLantern.js) Hook Test Files: 0 files Coverage: 0%

Impact:

• Business logic in useLightLantern is completely untested
• Logic includes Firestore operations, state management, error handling
• Changes could introduce silent bugs
• No safety net for refactoring

Recommendation: 🔴 CRITICAL - Create apps/web/src/hooks/__tests__/useLightLantern.test.js within 1 week

---

⚠️ HIGH PRIORITY GAP: Screen Components

Screen Files: 30 files (apps/web/src/screens/**/*) Screen Test Files: 0 files Coverage: 0%

Known Screens:

• Dashboard.jsx (2,222 lines - largest component)
• PlacesScreen.jsx
• VenueDetailScreen.jsx
• ActiveLanternScreen.jsx
• LanternSuccessScreen.jsx
• Profile, Auth, Merchant, Frens screens

Impact:

• User flows completely untested
• Navigation logic untested
• Integration points between components untested
• No regression detection for UI changes

Recommendation: ⚠️ HIGH - Prioritize Dashboard.jsx integration tests, then other high-traffic screens

---

⚠️ MEDIUM PRIORITY GAP: Component Tests

Component Files: 49 files Component Test Files: 1 file (CreateNewProfile.test.jsx) Coverage: ~2%

Impact:

• UI regressions not caught by tests
• Component prop validation untested
• Accessibility features untested
• Storybook stories exist (33 files) but no automated tests

Recommendation: 🟡 MEDIUM - Add tests for critical components (WaveManager, Chat, LanternBeacon)

---

4.5 Testing Strengths

✅ Test Infrastructure:

• Comprehensive Vitest setup with jsdom
• Testing Library React for best practices
• Coverage reporting with multiple formats (text, json, html, lcov)
• CI integration with PR comments (LCOV reporter)

✅ Service Layer Coverage:

• Good coverage of utility functions
• Venue service well-tested
• Location services tested

✅ Workflow Testing:

• Dedicated config for AI triage tests
• Mock and real API test support
• Triage consistency validation

---

4.6 Testing Roadmap

Immediate (Week 1):

1. Create hook tests for useLightLantern.js
2. Run coverage report and identify critical gaps
3. Document coverage baseline

Short Term (Weeks 2-4):

1. Add integration tests for Dashboard.jsx
2. Test high-traffic screens (Profile, Auth, VenueDetail)
3. Add tests for WaveManager and Chat components

Medium Term (Weeks 5-8):

1. Increase component test coverage to 50%
2. Add E2E tests for critical user flows
3. Implement visual regression testing with Storybook

Long Term (Weeks 9-12):

1. Achieve 75% coverage across all modules
2. Add performance testing
3. Implement mutation testing

---

5. Infrastructure & DevOps

5.1 CI/CD Pipeline

Workflow File: .github/workflows/ci.yml

Status: ✅ Robust

Jobs:

1. lint-and-security - ESLint, format check, npm audit
2. test - Test suite with coverage, PR comments
3. build - Build app, Storybook, docs
4. validate-firestore-indexes - JSON validation, deployment reminder
5. workflows - Triage consistency validation
6. final-check - Requires all above to pass

Triggers:

• Push to main/dev (excluding docs/markdown)
• Pull requests to main/dev

Artifacts:

• Test coverage (30-day retention)
• Build outputs (7-day retention)
• Storybook static build

LCOV Reporter:

• Automated PR comments with coverage summary
• Line-by-line annotations for changed files
• Helps catch coverage drops during review

---

5.2 Deployment Automation

Dev Deployment: .github/workflows/deploy-dev.ymlStatus: ✅ Automated

Deployment Targets:

• Cloudflare Pages (dev.ourlantern.app)
• Firebase Functions (dev environment)
• Firebase Firestore rules/indexes

Deployment Flow:

1. Merge to dev branch
2. Build all artifacts
3. Deploy to Cloudflare Pages
4. Deploy Firebase Functions
5. Update Firestore rules

---

5.3 Firestore Index Management

Index File: firestore.indexes.json

Status: ⚠️ MANUAL DEPLOYMENT REQUIRED

Current Process:

1. Indexes defined in firestore.indexes.json
2. CI validates JSON structure
3. CI prints reminder to deploy manually
4. Developer must run: firebase deploy --only firestore:indexes

Risk:

• Indexes can drift between dev and prod
• Easy to forget manual deployment step
• No automated verification that indexes match deployed state

Recommendation: 🟡 MEDIUM PRIORITY - Automate index deployment in CI/CD or add verification step to check deployed indexes match config file.

---

5.4 Build Configuration

Vite Config: apps/web/vite.config.mjs

Status: ✅ Modern

Features:

• React plugin with Fast Refresh
• PWA plugin for service worker
• Path alias: @ → ./src
• Tailwind CSS v4
• PostCSS processing

Build Output: apps/web/dist/

---

5.5 Workspace Validation

Master Validation Command: npm run validate

What It Runs:

1. validate:headers - CSP validation
2. test:workflows:validate - Triage consistency
3. test:coverage -w apps/web - Web app tests
4. format:check -w apps/web - Prettier check
5. lint -w apps/web - ESLint + specialized linters
6. audit - Production dependency audit
7. validate -w apps/admin - Admin app validation
8. validate -w services/bots/discord - Discord bot validation
9. validate -w services/functions/firebase - Functions validation

Status: ✅ Comprehensive - Must pass before commits

---

5.6 Infrastructure Summary

Component	Status	Notes
CI/CD Pipeline	✅ Robust	Multi-job workflow
Deployment Automation	✅ Working	Cloudflare + Firebase
Firestore Indexes	⚠️ Manual	Should automate
Build Configuration	✅ Modern	Vite, React 19, PWA
Workspace Validation	✅ Comprehensive	9-step validation
Artifact Management	✅ Good	7-30 day retention
Security Scanning	✅ Enabled	CodeQL automated

---

6. Documentation Health

6.1 Documentation Metrics

Total Documentation Files: 206 markdown files

Structure:

• docs/audit/ - Audit reports (3 files including this one)
• docs/worklog/ - Historical work records
• docs/plans/ - Forward-looking plans (including 12-week roadmap)
• docs/engineering/ - Technical documentation
• docs/business/ - Business documentation
• docs/features/ - Feature specifications

---

6.2 Roadmap Alignment

Current Roadmap: docs/plans/2026-02-06_12-week-roadmap.md

Status: Active (Last updated: 2026-02-08)

Current Priorities:

Priority 1: Issue #254 - Replace Cloudflare Access with Firebase Auth Gate

• Timeline: Week 1 (Feb 6-13, 2026)
• Status: ~80% Complete (code ready, infra verification needed)
• Impact: HIGH | Effort: LOW

Priority 2: Issue #255 - Bundle Docs and Storybook into Admin Portal

• Timeline: Weeks 1-2 (Feb 6-20, 2026)
• Status: Partially Started
• Impact: MEDIUM | Effort: MEDIUM

Assessment:

• Roadmap is current and well-documented
• Priorities align with recent work (admin auth improvements)
• Issue #254 completion will be a quick win
• Dashboard refactoring NOT on current roadmap (should be added)

Recommendation: 🟡 Update roadmap to include Dashboard refactoring as high priority after Issue #255

---

6.3 Documentation Quality

Strengths:

• CLAUDE.md provides clear project guidance
• Comprehensive DIRECTORY_DEFINITIONS.md for docs organization
• Worklog pattern for historical records
• Plans pattern for forward-looking work

Gaps:

• Monorepo migration guide (how to work with workspaces)
• Testing strategy documentation (what to test, when, how)
• Architecture decision records (ADRs) not formalized

Recommendation: 🟢 LOW PRIORITY - Create monorepo developer guide and testing strategy docs

---

7. Open Issues Analysis

Total Open Issues: 25 (via gh issue list)

Breakdown by Type:

Enhancement: 18 issues Bug: 3 issues Documentation: 3 issues Other: 1 issue

High-Impact Open Issues

Security:

• Issue #224 - Move OSM Import to server-side (🔴 CRITICAL)
• Issue #230 - Rate limiting for admin actions (⚠️ HIGH)

DevOps:

• Issue #254 - Replace Cloudflare Access (~80% done) (⚠️ HIGH)
• Issue #217 - User flag for permanently closed venues (🟡 MEDIUM)
• Issue #216 - Update OSM places from user tags (🟡 MEDIUM)

Bugs:

• Issue #219 - Console error on login (🟡 MEDIUM)
• Issue #214 - "Unknown Location" on mobile browsers (⚠️ HIGH)

Features:

• Issue #255 - Bundle docs/Storybook into admin portal (⚠️ HIGH)
• Issue #251 - Unique Lantern Name generation (🟡 MEDIUM)
• Issue #250 - Don't lantern outside business hours (🟡 MEDIUM)

Recommendation: 🟡 Triage all 25 issues, assign priorities, link to roadmap

---

8. Dependency Analysis

8.1 Core Dependencies

React Ecosystem:

• React 19.2.4 ✅ (latest stable, modern)
• React DOM 19.2.4 ✅
• React Testing Library 16.3.2 ✅

Firebase:

• Firebase 12.9.0 ✅ (modern)
• Firebase Admin 13.6.1 ✅
• Firebase Tools 15.5.1 ✅

Build Tools:

• Vite latest ✅
• Vitest 4.0.18 ✅
• Tailwind CSS 4.1.18 ✅

Node:

• Required: >=22.0.0 ✅ (modern)

---

8.2 Outdated Packages

Status: ⚠️ NOT CHECKED (requires npm outdated --workspaces)

Recommendation: 🟡 Run npm outdated --workspaces to identify packages needing updates

---

8.3 React 19 Upgrade Impact

Status: ✅ SUCCESSFULLY COMPLETED

Breaking Changes Addressed:

• React imports updated (commit ef19c93)
• No major issues detected in recent commits
• JSX runtime working correctly
• Testing Library compatible with React 19

Benefits:

• Modern React features available
• Performance improvements
• Better concurrent rendering
• Improved TypeScript support (if migrating later)

---

9. Prioritized Recommendations

9.1 Immediate Actions (This Week)

🔴 CRITICAL:

1. Create Hook Tests for useLightLantern.js

• Effort: 4-6 hours
• Impact: HIGH - Protects critical business logic
• Files: Create apps/web/src/hooks/__tests__/useLightLantern.test.js
• Dependencies: None
• Implementation:
  • Test lantern creation flow
  • Test error handling
  • Test Firestore interactions (mocked)
  • Achieve >80% coverage for hook

2. Run Full Test Coverage Report

• Effort: 30 minutes
• Impact: HIGH - Establishes baseline metrics
• Commands:

  npm run test:coverage -w apps/web
  cat apps/web/coverage/coverage-final.json

• Deliverable: Document actual coverage percentages by module

3. Complete Issue #254 Infrastructure Verification

• Effort: 2-3 hours
• Impact: HIGH - Quick win, unblocks roadmap
• Steps:
  • Verify Cloudflare Access removed from dev.ourlantern.app
  • Test Firebase auth gate in production-like environment
  • Confirm real-time updates work without cache issues
  • Close Issue #254

---

9.2 Short Term (Next 2 Weeks)

⚠️ HIGH PRIORITY:

1. Dashboard Refactoring - Phase 1 (Extract Views)

• Effort: 2 weeks (80 hours)
• Impact: CRITICAL - Reduces technical debt
• Target: 2,222 lines → ~1,000 lines
• Files:
  • Create apps/web/src/screens/dashboard/MapViewContainer.jsx
  • Refactor PlacesScreen, VenueDetailScreen, ActiveLanternScreen to own state
  • Extract scroll restoration logic
• Success Criteria: Dashboard.jsx < 1,200 lines

2. Add Integration Tests for Dashboard

• Effort: 1 week (40 hours)
• Impact: HIGH - Protects critical user flows
• Tests:
  • Navigation between views
  • Venue selection and detail display
  • Lantern lighting flow
  • Wave sending flow
• Target: >60% coverage for Dashboard component

3. Address OSM Import Security (Issue #224)

• Effort: 1.5 weeks (60 hours)
• Impact: CRITICAL - Security vulnerability
• Implementation:
  • Create Cloud Function: importOSMVenue
  • Implement server-side rate limiting
  • Add audit logging for imports
  • Update Firestore rules to restrict client access
  • Migrate existing imports to new system

4. Add Screen Component Tests

• Effort: 1 week (40 hours)
• Impact: HIGH - Covers user flows
• Priority Screens:
  • Profile screen
  • Auth screens (signup, login)
  • Venue detail screen
  • Merchant screen
• Target: >50% coverage for high-traffic screens

---

9.3 Medium Term (Next Month)

🟡 MEDIUM PRIORITY:

1. Dashboard Refactoring - Phase 2 (Extract Hooks)

• Effort: 2 weeks (80 hours)
• Target: ~1,000 lines → ~500 lines
• Extract:
  • useWaveManagement.js
  • useConnectionManagement.js
  • useNotifications.js
  • useVenueData.js
  • useMapState.js
  • useScrollRestoration.js

2. Automate Firestore Index Deployment

• Effort: 1 week (40 hours)
• Implementation:
  • Add firebase deploy step to CI/CD
  • Create index verification script
  • Add rollback mechanism
  • Document manual override process

3. Fix Venue Refresh Security (firestore.rules:394)

• Effort: 3 days (24 hours)
• Implementation:
  • Create Cloud Function: refreshVenueMetadata
  • Update Firestore rules to restrict access
  • Add authentication requirement
  • Add rate limiting

4. Increase Component Test Coverage

• Effort: 2 weeks (80 hours)
• Target: Component coverage from 2% → 50%
• Priority Components:
  • WaveManager
  • Chat
  • LanternBeacon
  • VenuePicker
  • InfoPanel

5. Run Dependency Audit and Updates

• Effort: 1 week (40 hours)
• Steps:
  • Run npm audit --workspaces
  • Run npm outdated --workspaces
  • Update non-breaking packages
  • Test major version updates in feature branches
  • Document breaking changes

---

9.4 Long Term (Next Quarter)

ℹ️ STRATEGIC:

1. Dashboard Refactoring - Phase 3 (UI Components)

• Effort: 2 weeks (80 hours)
• Target: ~500 lines → <300 lines
• Final component library extraction

2. Implement E2E Testing

• Effort: 3 weeks (120 hours)
• Framework: Playwright (already in devDependencies)
• Critical Flows:
  • User signup and onboarding
  • Lantern lighting end-to-end
  • Wave sending and acceptance
  • Chat conversation
  • Merchant offer creation

3. Performance Monitoring

• Effort: 2 weeks (80 hours)
• Metrics to Track:
  • Bundle size
  • Core Web Vitals (LCP, FID, CLS)
  • Time to Interactive
  • API response times
• Tools: Firebase Performance Monitoring, Lighthouse CI

4. Code Splitting & Lazy Loading

• Effort: 2 weeks (80 hours)
• Implementation:
  • Route-based code splitting
  • Lazy load heavy components (Map, Chat)
  • Analyze bundle with vite-bundle-visualizer
• Target: Reduce initial bundle size by 40%

---

10. Metrics Comparison Table

Metric	Jan 7, 2026	Feb 9, 2026	Change	Status
Dashboard.jsx LOC	1,859	2,222	+363 (+19.5%)	🔴 Worsening
Total Source Files	66	135	+69 (+104%)	✅ Expected (monorepo)
Test Files	3	20	+17 (+567%)	✅ Improving
Custom Hooks	N/A	1	N/A	🔴 Too Few
Hook Tests	0	0	0	🔴 Critical Gap
Component Tests	0	1	+1	⚠️ Minimal
Screen Tests	0	0	0	⚠️ Critical Gap
React Version	18.x	19.2.4	Major upgrade	✅ Modern
Open Issues	N/A	25	N/A	⚠️ Needs Triage
Monorepo Workspaces	0	6	+6	✅ Organized
Documentation Files	N/A	206	N/A	✅ Comprehensive
Storybook Stories	N/A	33	N/A	✅ Good Coverage

---

11. Risk Assessment

Critical Risks (🔴)

Risk	Impact	Likelihood	Mitigation
Dashboard tech debt compounds	HIGH	HIGH	Phase 1 refactoring within 2 weeks
OSM import fraud/abuse (Issue #224)	HIGH	MEDIUM	Migrate to Cloud Function within 4 weeks
Hook logic untested	HIGH	LOW	Create hook tests within 1 week
Firestore index drift	MEDIUM	MEDIUM	Automate deployment within 1 month

High Risks (⚠️)

Risk	Impact	Likelihood	Mitigation
Screen components untested	MEDIUM	MEDIUM	Add integration tests within 2 weeks
Issue #254 incomplete	MEDIUM	LOW	Complete infra verification within 1 week
Venue refresh abuse	MEDIUM	LOW	Restrict to Cloud Function within 6 weeks
Dependency vulnerabilities	MEDIUM	MEDIUM	Run audit within 1 week

---

12. Success Highlights

Major Accomplishments Since Last Audit

✅ Monorepo Reorganization Complete (PR #261)

• Clean 6-workspace structure
• Script delegation working
• CI/CD successfully adapted
• Build and deployment pipelines functional

✅ React 19 Upgrade Successful

• Modern React 19.2.4 installed
• No major breaking issues
• Performance improvements available
• Improved developer experience

✅ Test Infrastructure Matured

• 6x increase in test files (3 → 20)
• Coverage enforcement in CI (75% threshold)
• Comprehensive test setup with jsdom
• LCOV reporter for PR feedback

✅ Issue #245 Resolved (Admin Password Encryption)

• Separate admin password system implemented
• Encryption recovery mechanism added
• Zero-knowledge architecture maintained
• PR #259 merged and verified

✅ Robust CI/CD Pipeline

• Multi-job workflow with 6 validation stages
• CodeQL security scanning enabled
• Automated CSP validation
• Artifact management and retention
• PR-level coverage reporting

✅ Comprehensive Validation System

• Master npm run validate command
• 9-step validation covering all workspaces
• Specialized linters (docs, venue config, cache)
• Format and style enforcement

✅ Issue #254 Nearly Complete (~80%)

• Firebase auth gate implemented
• Code complete and tested
• Infrastructure verification pending
• Quick win ready to close

---

13. Action Plan (Sprint-Based)

Sprint 1 (Week 1: Feb 9-15, 2026)

Focus: Critical Gaps & Quick Wins

Tasks:

1. ✅ Create hook tests for useLightLantern.js (4-6 hours)
2. ✅ Run full test coverage report (30 min)
3. ✅ Complete Issue #254 infrastructure verification (2-3 hours)
4. ✅ Run dependency audit and document vulnerabilities (2 hours)
5. ✅ Triage all 25 open issues and assign priorities (4 hours)

Deliverables:

• Hook test coverage >80%
• Coverage baseline documented
• Issue #254 closed
• Dependency audit report
• Prioritized issue backlog

---

Sprint 2 (Week 2: Feb 16-22, 2026)

Focus: Dashboard Refactoring - Phase 1 Start

Tasks:

1. ✅ Extract MapViewContainer from Dashboard (12 hours)
2. ✅ Refactor PlacesScreen to manage own state (16 hours)
3. ✅ Refactor VenueDetailScreen to manage own state (16 hours)
4. ✅ Extract scroll restoration logic (8 hours)
5. ✅ Add integration tests for Dashboard navigation (8 hours)

Deliverables:

• Dashboard.jsx reduced to ~1,500 lines
• 3 new screen components with isolated state
• Integration tests covering navigation flows

---

Sprint 3 (Week 3: Feb 23 - Mar 1, 2026)

Focus: Dashboard Refactoring - Phase 1 Complete + Security

Tasks:

1. ✅ Complete Dashboard Phase 1 refactoring (24 hours)
2. ✅ Start OSM import Cloud Function (Issue #224) (20 hours)
3. ✅ Add screen component tests (Profile, Auth) (16 hours)

Deliverables:

• Dashboard.jsx < 1,200 lines (Phase 1 complete)
• OSM import Cloud Function 50% complete
• Profile and Auth screens tested

---

Sprint 4 (Week 4: Mar 2-8, 2026)

Focus: Security & Testing

Tasks:

1. ✅ Complete OSM import Cloud Function (Issue #224) (20 hours)
2. ✅ Add Dashboard integration tests (20 hours)
3. ✅ Add screen tests (Venue Detail, Merchant) (20 hours)

Deliverables:

• Issue #224 closed (OSM security resolved)
• Dashboard integration tests >60% coverage
• High-traffic screens tested

---

Sprint 5-6 (Weeks 5-6: Mar 9-22, 2026)

Focus: Dashboard Refactoring - Phase 2 (Extract Hooks)

Tasks:

1. Extract 6 custom hooks from Dashboard
2. Write tests for each new hook
3. Reduce Dashboard.jsx to ~500 lines
4. Fix venue refresh security (firestore.rules:394)

Deliverables:

• Dashboard.jsx < 600 lines (Phase 2 complete)
• 6 new tested custom hooks
• Venue refresh security resolved

---

Sprint 7-8 (Weeks 7-8: Mar 23 - Apr 5, 2026)

Focus: Component Testing & Infrastructure

Tasks:

1. Automate Firestore index deployment
2. Increase component test coverage to 30%
3. Start Dashboard Phase 3 (UI components)

Deliverables:

• Automated index deployment in CI/CD
• 15+ components tested
• Dashboard Phase 3 50% complete

---

Sprint 9-12 (Weeks 9-12: Apr 6 - May 3, 2026)

Focus: Finalize Refactoring & E2E

Tasks:

1. Complete Dashboard Phase 3 refactoring
2. Achieve 75% coverage across all modules
3. Implement E2E testing for critical flows
4. Performance monitoring setup
5. Code splitting implementation

Deliverables:

• Dashboard.jsx < 300 lines (all phases complete)
• 75% test coverage achieved
• E2E tests for 5 critical flows
• Performance monitoring dashboard
• 40% reduction in initial bundle size

---

14. Conclusion

The Lantern app has made significant progress since the last audit, successfully completing a major monorepo reorganization and React 19 upgrade. The infrastructure is robust, security architecture is sound, and test coverage is improving rapidly.

However, the Dashboard component technical debt has accelerated (+19.5% growth) rather than improving, making it the single highest priority for immediate refactoring. Additionally, critical security vulnerabilities in OSM imports (Issue #224) and testing gaps in custom hooks require urgent attention.

Key Takeaways

✅ Strengths:

• Modern architecture (React 19, Firebase 12, Vite)
• Robust CI/CD with comprehensive validation
• Zero-knowledge encryption properly implemented
• Strong security rules and storage policies
• Test infrastructure maturing rapidly

🔴 Critical Actions Required:

1. Dashboard refactoring (19.5% growth is unsustainable)
2. Hook testing (critical business logic untested)
3. OSM import security (fraud vulnerability)

⚠️ High Priority Actions:

1. Screen component testing (user flows untested)
2. Complete Issue #254 (quick win)
3. Venue refresh security (abuse vector)

Overall Trajectory: ✅ Positive with targeted improvements needed

The app is production-ready and well-architected, but requires immediate focus on Dashboard technical debt and hook testing to maintain velocity and code quality.

---

End of Audit Report

Next Steps:

1. Review this audit with the team
2. Prioritize Sprint 1 tasks
3. Create GitHub issues for critical findings
4. Update 12-week roadmap based on recommendations
5. Schedule follow-up audit for April 2026 (8 weeks)

Questions or Concerns: Contact the development team via GitHub Issues or Discord.