Project Roadmap

BBQ Judge — Roadmap & Health

Project health, planned features, risk register, and audit findings. All data reflects the current state of the codebase.

Last updated: March 19, 2026

Project Health Scorecard

Overall: 8/10
Architecture: 9/10
Code Quality: 8/10
Security: 8/10
Testing: 7/10
Documentation: 9/10
Tooling: 7/10

Product Roadmap

Short Term (Next 2 Sprints)

ST-0a (P1, size M, Done)
Migrate hosting to Vercel + GitHub Pages
Moved the Next.js app from Render Pro ($49/mo) to Vercel (free). Static marketing site moved to GitHub Pages. Split auth.config.ts for the Edge Runtime.
Tags: infra, devops
Fixed: 2026-03-26

ST-0b (P1, size S, Done)
Hash competition judgePin with bcrypt
The competition judgePin was stored as plaintext. It is now bcrypt-hashed, with bcrypt.compare used for verification. PIN display updated for hashed storage.
Tags: security, auth
Fixed: 2026-03-26

ST-0c (P2, size S, Done)
TypeScript type augmentation for next-auth
Added module augmentation for next-auth types. Eliminated all unsafe `as unknown as` double-casts across auth files and guards.
Tags: dx, typescript
Fixed: 2026-03-26

ST-1 (P1, size M, Planned)
Per-user PIN support
Replace the shared competition PIN with individual hashed PINs per judge. Currently all judges use the same PIN.
Tags: auth, security

ST-2 (P2, size S, Planned)
Redis-backed rate limiting
The current in-memory rate limiter resets on every deploy. Move to Redis for rate limiting that persists across restarts.
Tags: security, infra

ST-3 (P2, size S, Planned)
CSP headers
Add Content Security Policy headers. No CSP is configured yet, even though OWASP security headers are set in next.config.
Tags: security

ST-4 (P1, size S, Planned)
JWT role re-validation
Re-validate the JWT role claim against the database on sensitive operations. Currently a stale role persists until the token expires (24h).
Tags: auth, security

ST-5 (P2, size L, Planned)
E2E browser tests
Add Playwright tests for critical user flows: login, judge scoring, captain submission, organizer category advancement.
Tags: testing
Medium Term (1-2 Months)

MT-1 (P2, size L, Planned)
Real-time score updates
Replace 15s polling with WebSocket or Server-Sent Events for live score updates on the captain and results pages.
Tags: feature, dx

MT-2 (P3, size L, Planned)
Table Organizer role
New TABLE_ORGANIZER role for logistics: receives boxes and distributes them to tables per the distribution plan. No judging. Separate from captain.
Tags: feature, auth

MT-3 (P3, size M, Planned)
Competition templates
Save and reuse competition configurations (table count, judge assignments, team slots) as templates for recurring events.
Tags: feature, ux

MT-4 (P2, size M, Planned)
PDF score reports
Generate downloadable PDF reports with standings, per-category breakdowns, and individual judge scorecards.
Tags: feature

MT-5 (P3, size XL, Planned)
Offline judge mode
Service worker + IndexedDB so judges can submit scores without internet access. Sync when reconnected.
Tags: feature, pwa
Long Term (3-6 Months)

LT-1 (P3, size XL, Planned)
Multi-competition management
Dashboard for managing multiple concurrent competitions with shared judge pools and cross-event analytics.
Tags: feature, scale

LT-2 (P3, size XL, Planned)
KCBS API integration
Direct integration with KCBS systems for judge certification lookup, result submission, and event registration.
Tags: integration

LT-3 (P3, size XL, Planned)
Mobile native app
React Native companion app for judges with push notifications, offline scoring, and camera-based box scanning.
Tags: mobile, feature

LT-4 (P3, size L, Planned)
Analytics dashboard
Historical scoring trends, judge consistency metrics, team performance across events, and statistical outlier detection.
Tags: feature, data

Session Velocity

Session    Items  Work
Mar 6      1      scaffold
Mar 8      12     PR #1
Mar 9 AM   5      PR #2, PR #3
Mar 9 mid  3      PR #4
Mar 9 PM   6      PR #5
Mar 10     7      PR #6
Mar 11     8      PR #7, PR #8
Mar 13     2      PR #9
Mar 16     3      PR #10
Mar 17     6      PR #11
Mar 18     4      PR #12, PR #13
Mar 19     3      PR #14, PR #15
Mar 26     11     scaffold
Apr 20-22  12     PR #18, PR #19, PR #20, PR #21, PR #22, PR #23

Items = features, fixes, and infrastructure changes completed per session.

Next Session Planner

Priority-Ordered Tasks

1. P1: Per-user PIN support
   Security gap: the shared PIN means any judge can impersonate another.

2. P1: JWT role re-validation
   Stale roles could allow unauthorized access for up to 24h.

3. P2: CSP headers
   Low effort, high security value: mitigates XSS and data injection.

4. P2: Redis rate limiting
   The current in-memory limiter resets on every deploy.

5. P2: E2E browser tests
   The simulation script catches integration bugs but doesn't exercise real browser flows.

Risk Register

Tracked Risks

Risk | Impact | Likelihood | Status
R-1: In-memory rate limiter ineffective on Vercel serverless | Medium | High | Active
R-2: Shared judge PIN allows impersonation | High | Medium | Monitoring
R-3: JWT role not re-validated against DB | Medium | Low | Active
R-4: No CSP headers configured | Medium | Low | Monitoring
R-5: Prisma v5 pinned, so no security patches from v7 | Medium | Low | Monitoring
R-6: Single Supabase instance, no read replicas | Low | Low | Mitigated

Audit Recommendations

Prioritized Action Items

P1: Add auth guard integration tests
Verify that every server action rejects unauthenticated and wrong-role requests. Current tests only cover pure utility functions.
Tags: testing, security

P1: Input sanitization audit
Verify that all user-facing inputs are sanitized before database writes. Zod validates types but doesn't sanitize HTML/SQL.
Tags: security

P2: Add error boundary per feature module
The current error.tsx is dashboard-level only, so a crash in judging takes down the entire dashboard.
Tags: ux, resilience

P2: Database index review
Profile slow queries under load. The ScoreCard and Submission tables may need composite indexes for captain dashboard queries.
Tags: performance, database

P2: Accessibility re-audit
A WCAG pass was done in PR #6, but 20+ components have been added since. Focus management and ARIA labels need re-verification.
Tags: a11y

P3: Bundle size analysis
Run next/bundle-analyzer. Mermaid.js is large; consider lazy loading it on the /tech and /roadmap pages only.
Tags: performance

P3: Storybook for design system
11 common components + 10 UI primitives with no visual testing. Storybook would catch visual regressions.
Tags: tooling, testing

Findings History & Patterns

Pattern Analysis

Findings by Category

Security: 4
Code Quality: 1
Correctness: 1
Accessibility: 1
Tooling: 2
Data Integrity: 1

Key Patterns

  • Security was the dominant finding category — auth guards, ownership verification, and input validation were all bolted on after initial build.
  • The E2E simulation script discovered correctness bugs that unit tests and code review both missed.
  • Two tooling constraints (Prisma v7, shadcn v4) were discovered via build failures rather than documentation — documenting these in CLAUDE.md prevented recurrence.

Timeline (Most Recent First)

F-10 (P2): Prisma v7 incompatible with Next.js 14
F-9 (P2): shadcn v4 generates Tailwind v4 code
F-8 (P2): Monolithic action file (1,200+ lines)
F-7 (P1): Captain can't verify table ownership
F-6 (P2): Missing ARIA labels on interactive elements
F-5 (P1): No rate limiting on login
F-4 (P1): DQ edge cases in tabulation
F-3 (P1): DB writes not wrapped in transactions
F-2 (P1): Client-supplied user IDs in actions
F-1 (P1): Auth guards missing from server actions

Tooling & Workflow

Available Commands

npm run dev: Start dev server on port 3030
npm run build: Production build
npm test: Run 113 unit tests (Vitest)
npm run lint: ESLint check
npm run db:migrate: Run Prisma migrations
npm run db:seed: Seed development data
npm run db:reset: Reset DB + re-seed
npx tsx scripts/simulate-competition.ts: E2E simulation (2,000+ assertions)

Missing / Planned Tools

Playwright: Browser-based E2E testing (planned)
Storybook: Visual component testing (planned)
Bundle analyzer: next/bundle-analyzer for size tracking (planned)
Database profiler: Query performance monitoring (planned)

Overall Progress

Completed (13)
In Progress (0)
P1 Open (2)
P2 Open (5)
P3 Open (7)

27 total items tracked · 13 completed · 14 remaining

Items by Priority

P1 Items

ST-1 (P1, size M, Planned)
Per-user PIN support
Replace the shared competition PIN with individual hashed PINs per judge. Currently all judges use the same PIN.
Tags: auth, security

ST-4 (P1, size S, Planned)
JWT role re-validation
Re-validate the JWT role claim against the database on sensitive operations. Currently a stale role persists until the token expires (24h).
Tags: auth, security

8 completed

F-1 (P1, size M, Done)
Auth guards missing from server actions
All 62 server actions had no auth guards; anyone could call any action.
Tags: security
Path: src/shared/lib/auth-guards.ts
Found: Mar 9 | Fixed: Mar 9 | Source: Code review

F-2 (P1, size M, Done)
Client-supplied user IDs in actions
Server actions accepted userId as a parameter instead of deriving it from the session. IDOR vulnerability.
Tags: security
Path: src/features/*/actions/
Found: Mar 9 | Fixed: Mar 9 | Source: Security audit

F-3 (P1, size S, Done)
DB writes not wrapped in transactions
Multi-step mutations (distribution approval, category submission) could leave partial state on error.
Tags: data-integrity
Path: src/features/*/actions/
Found: Mar 9 | Fixed: Mar 9 | Source: Code review

F-4 (P1, size M, Done)
DQ edge cases in tabulation
The E2E simulation found 3 bugs: DQ competitors not handled correctly in tiebreaking, dropped-score calculation wrong with DQs.
Tags: scoring, correctness
Path: src/features/tabulation/utils/
Found: Mar 11 | Fixed: Mar 11 | Source: E2E simulation

F-5 (P1, size S, Done)
No rate limiting on login
Brute-force PIN guessing was possible. A 4-digit shared PIN is especially vulnerable.
Tags: security
Path: src/shared/lib/rate-limit.ts
Found: Mar 10 | Fixed: Mar 10 | Source: Security audit

F-7 (P1, size S, Done)
Captain can't verify table ownership
Captain actions didn't check whether the captain actually owned the table they were modifying.
Tags: security, auth
Path: src/features/scoring/actions/
Found: Mar 9 | Fixed: Mar 9 | Source: Code review

ST-0a (P1, size M, Done)
Migrate hosting to Vercel + GitHub Pages
Moved the Next.js app from Render Pro ($49/mo) to Vercel (free). Static marketing site moved to GitHub Pages. Split auth.config.ts for the Edge Runtime.
Tags: infra, devops
Fixed: 2026-03-26

ST-0b (P1, size S, Done)
Hash competition judgePin with bcrypt
The competition judgePin was stored as plaintext. It is now bcrypt-hashed, with bcrypt.compare used for verification. PIN display updated for hashed storage.
Tags: security, auth
Fixed: 2026-03-26
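The guard pattern behind F-1, F-2 and F-7, together with the ST-4 re-validation, as an added TypeScript example that is not BBQ Judge's own code: the Session shape, the role names, the in-memory role and table-owner maps, and the function names are all constructed for illustration.

```typescript
// Added example, not BBQ Judge's code: the server-action guard pattern behind
// F-1 (require a session), F-2 (identity from the session, not an argument),
// F-7 (ownership check) and ST-4 (re-read the role from the DB on sensitive
// actions). Session shape, role names and the maps below are constructed.

type Role = "ORGANIZER" | "CAPTAIN" | "JUDGE";
interface Session { userId: string; role: Role }

class AuthError extends Error {}

// Constructed stand-ins for the database. roleById is the source of truth
// that ST-4 checks against; the JWT role claim may lag it by up to 24h.
const roleById = new Map<string, Role>([["u1", "CAPTAIN"], ["u2", "JUDGE"]]);
const tableOwner = new Map<number, string>([[1, "u1"], [2, "u3"]]);

// F-1: every action begins by requiring a session.
function requireSession(session: Session | null): Session {
  if (!session) throw new AuthError("unauthenticated");
  return session;
}

// ST-4: with revalidate=true the role is read from the DB, so a demoted user
// whose token still says CAPTAIN is rejected before the token expires.
function requireRole(session: Session | null, role: Role, revalidate = false): Session {
  const s = requireSession(session);
  const effective = revalidate ? roleById.get(s.userId) : s.role;
  if (effective !== role) throw new AuthError(`requires ${role}`);
  return s;
}

// F-2 + F-7: the actor is s.userId from the session, and the action verifies
// that this captain owns the table before modifying it.
function submitTable(session: Session | null, tableId: number): string {
  const s = requireRole(session, "CAPTAIN", true);
  if (tableOwner.get(tableId) !== s.userId) throw new AuthError("not table owner");
  return `table ${tableId} submitted by ${s.userId}`;
}

// Pre-fix shape from F-2, kept for contrast: userId is a client-supplied
// argument, so the ownership check proves nothing about who is calling.
function submitTableBeforeFix(userId: string, tableId: number): string {
  if (tableOwner.get(tableId) !== userId) throw new AuthError("not table owner");
  return `table ${tableId} submitted by ${userId}`;
}
```

Calling requireRole without revalidate reproduces the ST-4 gap: a token whose role claim no longer matches the database is still accepted.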
P2 Items

ST-2 (P2, size S, Planned)
Redis-backed rate limiting
The current in-memory rate limiter resets on every deploy. Move to Redis for rate limiting that persists across restarts.
Tags: security, infra

ST-3 (P2, size S, Planned)
CSP headers
Add Content Security Policy headers. No CSP is configured yet, even though OWASP security headers are set in next.config.
Tags: security

ST-5 (P2, size L, Planned)
E2E browser tests
Add Playwright tests for critical user flows: login, judge scoring, captain submission, organizer category advancement.
Tags: testing

MT-1 (P2, size L, Planned)
Real-time score updates
Replace 15s polling with WebSocket or Server-Sent Events for live score updates on the captain and results pages.
Tags: feature, dx

MT-4 (P2, size M, Planned)
PDF score reports
Generate downloadable PDF reports with standings, per-category breakdowns, and individual judge scorecards.
Tags: feature

5 completed

F-6 (P2, size M, Done)
Missing ARIA labels on interactive elements
Buttons, dropdowns, and modals were missing screen reader labels. Keyboard navigation was broken on DataTable.
Tags: a11y
Found: Mar 10 | Fixed: Mar 10 | Source: WCAG audit

F-8 (P2, size M, Done)
Monolithic action file (1,200+ lines)
competition/actions/index.ts had all 27 actions in one file. Hard to navigate and review.
Tags: code-quality
Path: src/features/competition/actions/
Found: Mar 11 | Fixed: Mar 11 | Source: Refactor pass

F-9 (P2, size S, Done)
shadcn v4 generates Tailwind v4 code
The default shadcn CLI generates v4-incompatible code. Must use npx shadcn@1 or adjust the output manually.
Tags: tooling
Found: Mar 6 | Fixed: Mar 6 | Source: Build failure

F-10 (P2, size S, Done)
Prisma v7 incompatible with Next.js 14
Prisma v7 uses node: protocol imports, which Next.js 14 doesn't support. Must pin to v5.
Tags: tooling, constraint
Found: Mar 6 | Fixed: Mar 6 | Source: Build failure

ST-0c (P2, size S, Done)
TypeScript type augmentation for next-auth
Added module augmentation for next-auth types. Eliminated all unsafe `as unknown as` double-casts across auth files and guards.
Tags: dx, typescript
Fixed: 2026-03-26
P3 Items

MT-2 (P3, size L, Planned)
Table Organizer role
New TABLE_ORGANIZER role for logistics: receives boxes and distributes them to tables per the distribution plan. No judging. Separate from captain.
Tags: feature, auth

MT-3 (P3, size M, Planned)
Competition templates
Save and reuse competition configurations (table count, judge assignments, team slots) as templates for recurring events.
Tags: feature, ux

MT-5 (P3, size XL, Planned)
Offline judge mode
Service worker + IndexedDB so judges can submit scores without internet access. Sync when reconnected.
Tags: feature, pwa

LT-1 (P3, size XL, Planned)
Multi-competition management
Dashboard for managing multiple concurrent competitions with shared judge pools and cross-event analytics.
Tags: feature, scale

LT-2 (P3, size XL, Planned)
KCBS API integration
Direct integration with KCBS systems for judge certification lookup, result submission, and event registration.
Tags: integration

LT-3 (P3, size XL, Planned)
Mobile native app
React Native companion app for judges with push notifications, offline scoring, and camera-based box scanning.
Tags: mobile, feature

LT-4 (P3, size L, Planned)
Analytics dashboard
Historical scoring trends, judge consistency metrics, team performance across events, and statistical outlier detection.
Tags: feature, data