Thoughts

2 thoughts of type "observation" about "event planning" in the last 90 days

Tat-Tally Session 52 E2E Audit - Final Status (as of Session 54, 2026-03-16)

All audit findings from the Session 52 full E2E audit are now resolved except two env-config items:

FIXED:
- B1: RLS policies on scoring_frameworks/criteria fixed (join through categories)
- B2: Anon insert policies on entrants/entries tightened (event/category scoping)
- H1: scoring_mode change auto-triggers recalculation
- H2: Admin warns before removing judge with existing scores
- H3: assign_queue_position() has FOR UPDATE lock
- H4 (code): @sentry/react added to registration app, initSentry() wired
- H5: XSS fix in server/index.mjs via safeJsonStringify()
- M1: Display auto-reload 5min to 30min
- M2: MC control panel virtualized with @tanstack/react-virtual
- M3: Leaderboard tie-breaking uses scored_at instead of submitted_at
- M4: All 16 edge function source files in infrastructure/edge-functions/
- M5: Server null-event cache TTL reduced to 5s
- M6: Unique Realtime channel names per app
- L1: getEntryUrl() uses VITE_ENTRANT_URL env var instead of hardcoded port
- L2: Ordinal suffix handles 11th/12th/13th correctly

STILL OPEN (env config, not code):
- H4-ENV: Need to create Sentry project and set VITE_SENTRY_DSN in Railway env vars
- A2P 10DLC: Blocked on LLC/EIN formation
- Supabase Pro tier upgrade before Norfolk

L3-L5 were structural observations (test coverage gaps), not actionable code fixes.

Next up: Phase 12 (Norfolk test event planning) or Sentry project creation.

3/16/2026
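Finding H3 above says assign_queue_position() now takes a FOR UPDATE lock. The following is an added illustration of the race that lock closes and of the usual way to take it in PL/pgSQL; it is not Tat-Tally's own function body, which is not on this page. It assumes tables entries(id, category_id, queue_position) and categories(id); those column names, and the fact that queue positions are per category, are assumptions.

```sql
-- Added example, not Tat-Tally code. Assumed schema:
--   categories(id uuid primary key)
--   entries(id uuid primary key, category_id uuid references categories(id),
--           queue_position integer)

-- Racy version. Two transactions that start at the same time both read
-- MAX(queue_position) = 7 and both write 8 for two different entries.
-- Note: "SELECT MAX(...) ... FOR UPDATE" is not a fix; Postgres rejects
-- FOR UPDATE on a query with an aggregate.
CREATE OR REPLACE FUNCTION assign_queue_position_racy(p_entry_id uuid)
RETURNS integer
LANGUAGE plpgsql AS $$
DECLARE
  v_category_id uuid;
  v_next        integer;
BEGIN
  SELECT category_id INTO v_category_id FROM entries WHERE id = p_entry_id;

  SELECT COALESCE(MAX(queue_position), 0) + 1 INTO v_next
    FROM entries
   WHERE category_id = v_category_id;

  UPDATE entries SET queue_position = v_next WHERE id = p_entry_id;
  RETURN v_next;
END;
$$;

-- Serialized version. Lock the parent category row FOR UPDATE before reading
-- MAX. A second caller for the same category blocks on that row lock until
-- the first transaction commits, then reads the updated MAX. Callers for
-- other categories are not blocked.
CREATE OR REPLACE FUNCTION assign_queue_position(p_entry_id uuid)
RETURNS integer
LANGUAGE plpgsql AS $$
DECLARE
  v_category_id uuid;
  v_next        integer;
BEGIN
  SELECT category_id INTO v_category_id FROM entries WHERE id = p_entry_id;
  IF v_category_id IS NULL THEN
    RAISE EXCEPTION 'entry % not found or has no category', p_entry_id;
  END IF;

  -- Serialization point: row lock on the category, held until COMMIT.
  PERFORM 1 FROM categories WHERE id = v_category_id FOR UPDATE;
  IF NOT FOUND THEN
    -- No row means no lock was taken; do not continue unserialized.
    RAISE EXCEPTION 'category % not found', v_category_id;
  END IF;

  SELECT COALESCE(MAX(queue_position), 0) + 1 INTO v_next
    FROM entries
   WHERE category_id = v_category_id;

  UPDATE entries SET queue_position = v_next WHERE id = p_entry_id;
  RETURN v_next;
END;
$$;

-- Backstop: if any code path ever skips the lock, the second writer fails
-- with a unique violation instead of silently producing a duplicate position.
CREATE UNIQUE INDEX IF NOT EXISTS entries_category_queue_position_uq
  ON entries (category_id, queue_position);
```

The lock has to be taken on a row that already exists and that every competing caller agrees on (here the category); locking the entry rows being read does not work because a concurrent INSERT is not yet visible to lock. The unique index is cheap insurance and also turns any remaining race into a loud error rather than a quiet ordering bug.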

Tat-Tally Session 46: Post-Feature Audit (2026-03-15)

Audited all new code from Sessions 43-45 (entry codes, registration desk app, scoring modes/display overhaul). Bottom-up review: database, Edge Functions, shared package, frontend apps, infrastructure.

SECURITY FIXES APPLIED:
- Entry codes RLS policies were missing event_id scoping. Staff from one event could read/write codes for another event. Fixed by adding event_id = get_request_event_id() to all 3 staff policies.
- Scoring trigger had 0 >= 0 edge case: when no judges or criteria were assigned, the trigger would calculate and set a false final_score. Added zero guard to both update_entry_final_score() and recalculate_event_scores().

OPERATIONAL FIXES:
- expire_old_entry_codes() function existed but nothing called it. Enabled pg_cron extension and scheduled it to run every 5 minutes.
- formatScore() showed "87.0 / 0" when maxPossible was 0. Added guard.
- Admin event settings: scoring mode save and recalculation RPC were non-atomic. Added rollback if RPC fails.
- Registration app had no ErrorBoundary (white screen on crash). Added React class-based ErrorBoundary with reload fallback.
- CI workflow was missing registration app in build matrix. Added it.

EDGE FUNCTIONS AUDITED (all clean, no fixes needed):
- generate-entry-code: auth, event scoping, crypto random codes, 30min expiry
- validate-entry-code: status checks, expiry, category status validation
- submit-entry v7: atomic code claim, phone dedup, rate limiting, rollback on failure
- get-portal v7: scoring_mode, max_possible, per-judge breakdowns all correct

DOCUMENTATION: Updated CLAUDE.md (MC now shows entrant names intentionally, app count updated to 6, registration app added).

Two commits pushed to main: b1adcf5 (Session 45 features) and a94fa8e (Session 46 audit fixes). All 6 apps pass tsc --noEmit. Two migrations applied to Supabase: session46_audit_fixes and enable_pg_cron_expire_entry_codes.

Next up: Norfolk test event planning (Phase 12).
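The three database fixes in the Session 46 note (event_id scoping on the entry-code policies, the 0 >= 0 guard in the scoring trigger, and the pg_cron schedule for expire_old_entry_codes()) are shown below as an added example in Postgres SQL. This is not the session46_audit_fixes migration and not Tat-Tally's schema: entry_codes, get_request_event_id(), expire_old_entry_codes() and update_entry_final_score() are named on the page, but the column names, the is_staff() role helper, and the event_judges/criteria/scores tables are assumptions made for the illustration.

```sql
-- Added example, not Tat-Tally's migration. Assumed schema:
--   entry_codes(id, event_id, code, status, expires_at)
--   entries(id, event_id, final_score)
--   event_judges(event_id, judge_id)      -- judges assigned to an event
--   criteria(id, event_id)                -- scoring criteria for an event
--   scores(entry_id, judge_id, criterion_id, value)
-- is_staff() is a hypothetical helper that returns true for staff tokens.
-- get_request_event_id() is the page's helper: the event the current
-- request is scoped to.

-- BEFORE (weak): only a role check. Staff of event A can read and write the
-- codes of event B, because nothing in the predicate mentions the event.
CREATE POLICY entry_codes_staff_select ON entry_codes
  FOR SELECT TO authenticated
  USING (is_staff());

-- AFTER: same policies, each pinned to the caller's event. USING filters
-- rows the caller can see or touch; WITH CHECK filters rows the caller may
-- create or leave behind. INSERT/UPDATE need WITH CHECK, otherwise staff
-- could still write a row carrying another event's event_id.
DROP POLICY IF EXISTS entry_codes_staff_select ON entry_codes;
CREATE POLICY entry_codes_staff_select ON entry_codes
  FOR SELECT TO authenticated
  USING (is_staff() AND event_id = get_request_event_id());

CREATE POLICY entry_codes_staff_insert ON entry_codes
  FOR INSERT TO authenticated
  WITH CHECK (is_staff() AND event_id = get_request_event_id());

CREATE POLICY entry_codes_staff_update ON entry_codes
  FOR UPDATE TO authenticated
  USING (is_staff() AND event_id = get_request_event_id())
  WITH CHECK (is_staff() AND event_id = get_request_event_id());

-- Zero guard in the scoring trigger. With no judges or no criteria assigned,
-- expected = 0 and submitted = 0, so an unguarded "submitted >= expected"
-- is true and a final_score is written for an entry nobody has scored.
CREATE OR REPLACE FUNCTION update_entry_final_score()
RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
  v_event_id  uuid;
  v_expected  integer;
  v_submitted integer;
BEGIN
  SELECT event_id INTO v_event_id FROM entries WHERE id = NEW.entry_id;

  -- Expected score count = judges on the event x criteria on the event.
  SELECT (SELECT count(*) FROM event_judges WHERE event_id = v_event_id)
       * (SELECT count(*) FROM criteria     WHERE event_id = v_event_id)
    INTO v_expected;

  SELECT count(*) INTO v_submitted FROM scores WHERE entry_id = NEW.entry_id;

  -- Guard: zero expected means "nothing to score", not "fully scored".
  IF v_expected = 0 THEN
    RETURN NEW;
  END IF;

  IF v_submitted >= v_expected THEN
    UPDATE entries
       SET final_score = (SELECT avg(value) FROM scores WHERE entry_id = NEW.entry_id)
     WHERE id = NEW.entry_id;
  END IF;
  RETURN NEW;
END;
$$;

CREATE TRIGGER scores_update_final_score
  AFTER INSERT OR UPDATE ON scores
  FOR EACH ROW EXECUTE FUNCTION update_entry_final_score();

-- Schedule the existing expiry function every 5 minutes. pg_cron's
-- cron.schedule(job_name, cron_expression, command) returns the job id.
CREATE EXTENSION IF NOT EXISTS pg_cron;
SELECT cron.schedule('expire-old-entry-codes', '*/5 * * * *',
                     $$SELECT expire_old_entry_codes()$$);
```

Two checks worth running after a policy change like this: query entry_codes under a staff JWT for event A with a row for event B present and confirm zero rows come back, and attempt an INSERT with event B's event_id under that same token and confirm it is rejected by the WITH CHECK clause rather than silently accepted. The pg_cron job can be confirmed with SELECT * FROM cron.job and its history with SELECT * FROM cron.job_run_details.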