Maturity Ladder
Level 3 · Strong · Two P1 fixes outstanding

Engineering Maturity

“Will this code embarrass me in a security review?”

What this level means

The code is production-grade — secure, tested, schema-clean, type-safe, documented, and maintained with discipline. Static analysis runs on commit. Specs drive every change. Bug fixes carry regression tests. Dependencies are audited continuously.

Current status: Strong, with two P1 dependency fixes outstanding

Five of seven quality dimensions score A or A+. The two B-grade dimensions are logging discipline (mixed by deployment target — the admin app already uses a structured logger, the public Site does not yet) and dependency security (zero critical CVEs, but seven high CVEs reduce to four root packages with identified update paths).

The two P1 fixes — updating axios and next to their latest patched versions — clear six of the seven high CVEs in roughly ninety minutes of work total.

The seven-dimension scorecard

Dimension 1 · A+

Type safety

0.01 type-safety escape hatches per 1k lines · TS strict on · 2 escapes total in 500k lines

Industry-typical: 50–500 escape hatches

Dimension 2 · A

Test discipline

0.54 test:source file ratio · 18 explicit bug-regression markers in 9 files

Industry guideline: ≥0.30

Dimension 3 · A+

Known-issue debt

0.12 markers per 1k lines · 0 FIXME · 0 HACK across 500k lines

Industry-typical: 1–5 markers/kloc

Dimension 4 · B+

File complexity

91% of source files ≤500 lines · 26 over 1000 lines (refactor backlog)

Cursor Rule guideline: 200–300 lines

Dimension 5 · A+

Lint cleanliness

0.06 eslint-disable per 1k lines · 21 disables total in 500k lines

Industry-typical: 5–20 disables/kloc

Dimension 6 · B

Logging discipline

Mission Control 0.06 per 1k lines (A+) · Site 5.75 per 1k lines (B) · Fleet CLI N/A (console output is the CLI's user interface, so it is not scored)

Mixed by deployment target

Dimension 7 · B

Dependency security

0 critical · 7 high · 10 moderate · 2 low across 746 production deps

Two P1 fixes outstanding (~90 min)
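Dimensions 1, 3 and 5 are all "markers per 1k lines" figures. The script below is an added illustration of how such a density is computed (it is not the project's scripts/code-quality-audit.py); the marker regexes, the vendored-path exclusion list and the sample files are assumptions constructed for the example.

```python
"""Added example: marker density per 1k lines, as used by the per-kloc scorecard
dimensions. Patterns, exclusions and SAMPLE_FILES are constructed assumptions,
not the project's own audit code or data."""
import re
from collections import Counter

# Assumed marker classes; the page names the dimensions, not the exact patterns.
MARKERS = {
    "type_escape": re.compile(r"@ts-ignore|@ts-expect-error|\bas any\b|:\s*any\b"),
    "known_issue": re.compile(r"\b(TODO|FIXME|HACK|XXX)\b"),
    "lint_disable": re.compile(r"eslint-disable(-next-line|-line)?"),
}
# Own-code only: vendored and installed packages are not part of the denominator.
EXCLUDED_PREFIXES = ("node_modules/", "vendor/", "dist/")


def count_markers(files: dict[str, str]) -> tuple[Counter, int]:
    """files: path -> contents. Returns (marker counts, total own-code line count)."""
    counts: Counter = Counter()
    total_lines = 0
    for path, text in files.items():
        if path.startswith(EXCLUDED_PREFIXES):
            continue
        lines = text.splitlines()
        total_lines += len(lines)
        for line in lines:
            for name, rx in MARKERS.items():
                # findall returns one entry per match even when the pattern has groups
                counts[name] += len(rx.findall(line))
    return counts, total_lines


def per_kloc(count: int, total_lines: int) -> float:
    """Density normalised to 1,000 lines; 0.0 for an empty tree rather than a crash."""
    return round(count / total_lines * 1000, 2) if total_lines else 0.0


def density_report(files: dict[str, str]) -> dict:
    counts, total = count_markers(files)
    report = {name: per_kloc(counts[name], total) for name in MARKERS}
    report["lines"] = total
    return report


# Constructed sample tree: 200 + 800 own-code lines, plus a vendored file to exclude.
SAMPLE_FILES = {
    "src/a.ts": "\n".join([
        "// @ts-ignore legacy shim",
        "const x = foo as any;",
        "// TODO: tighten type",
        "// eslint-disable-next-line no-console",
        "console.log(x);",
    ] + ["const y%d = %d;" % (i, i) for i in range(195)]),
    "src/b.ts": "\n".join(["// FIXME remove", "export const z: any = 1;"] + ["// ok"] * 798),
    "node_modules/vendored/index.js": "// @ts-ignore\n" * 50,
}

if __name__ == "__main__":
    print(density_report(SAMPLE_FILES))
```

The regexes are deliberately coarse (a `: any` inside a comment or string counts too), which is why a real audit of these dimensions is better sourced from the TypeScript compiler and ESLint's own JSON reports than from grep; the normalisation and exclusion logic is the part that transfers.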

Schema usage audit

Potential-orphan rate: 2.4%
Non-boilerplate fields analyzed: 875
Review candidates: 21 (in 5 coherent buckets)

Industry-typical for a 3-year-old codebase is 10–30%. The 21 candidates fall into 5 coherent “captured but not yet displayed” buckets (Ethereum forensics, fraud-report intake, agent-referral staging, superseded auto-test settings, invitation metadata). No mystery columns.
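How a "potential orphan" is identified, as an added example (not the project's scripts/schema-usage-audit.py): parse the schema's models and fields, drop boilerplate columns, and flag any remaining field whose name never appears in application code. The Prisma-style schema syntax, the boilerplate set and both sample inputs are assumptions constructed for this illustration.

```python
"""Added example: declared-but-unreferenced schema fields. Assumes a Prisma-style
schema (model X { field Type ... }); SAMPLE_SCHEMA and SAMPLE_SOURCES are
constructed, not the project's data."""
import re

# Assumed boilerplate columns present on every model; excluded from the denominator.
BOILERPLATE = {"id", "createdAt", "updatedAt", "deletedAt"}

MODEL_RX = re.compile(r"model\s+(\w+)\s*\{(.*?)\n\}", re.S)


def parse_fields(schema: str) -> dict[str, list[str]]:
    """Return {model: [field, ...]}; skips comments and @@block attributes."""
    models: dict[str, list[str]] = {}
    for name, body in MODEL_RX.findall(schema):
        fields = []
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith(("//", "@@")):
                continue
            fields.append(line.split()[0])  # first token is the field name
        models[name] = fields
    return models


def find_orphans(schema: str, sources: dict[str, str]) -> dict:
    """Fields never mentioned in any source file are potential orphans."""
    corpus = "\n".join(sources.values())
    analyzed = 0
    orphans = []
    for model, fields in parse_fields(schema).items():
        for field in fields:
            if field in BOILERPLATE:
                continue
            analyzed += 1
            # Word-boundary match so `.field`, `field:` and `{ field }` all count as use.
            if not re.search(r"\b%s\b" % re.escape(field), corpus):
                orphans.append(f"{model}.{field}")
    rate = round(100 * len(orphans) / analyzed, 1) if analyzed else 0.0
    return {"analyzed": analyzed, "orphans": orphans, "rate_pct": rate}


# Constructed sample: two models, two fields captured but never read back.
SAMPLE_SCHEMA = """
model User {
  id           String   @id @default(cuid())
  email        String   @unique
  walletTxHash String?  // captured for forensics, not displayed yet
  createdAt    DateTime @default(now())
  @@index([email])
}

model Invitation {
  id        String @id
  token     String
  invitedBy String
}
"""
SAMPLE_SOURCES = {
    "app/user.ts": "const u = await db.user.findUnique({ where: { email } });",
    "app/invite.ts": "return { token: inv.token };",
}

if __name__ == "__main__":
    print(find_orphans(SAMPLE_SCHEMA, SAMPLE_SOURCES))
```

A field with a common name (`name`, `status`, `type`) will match unrelated code and hide as a false negative, and a genuinely unused field that is still written on intake shows up as a candidate even though the data is wanted. Both are why the output is a review list grouped into buckets, not a list of columns to drop.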

Discipline evidence

Cursor Rules: 243 (7 always-applied P0)
Specifications: 73 (tracked in STATUS-INDEX)
Test files: 815 (own-code, excluding vendored)
Bug-regression markers: 18 (Rule 340 evidence)
Critical CVEs: 0 (production dependencies)
Schema models: 69 (1,238 fields total)

Outstanding fixes

P1 · Update axios to latest patched version · 30 min
3 CVEs cleared (DoS via __proto__, NO_PROXY bypass, cloud-metadata exfil)

P1 · Update Next.js to latest patched version · 1 hour
3 CVEs cleared (HTTP request smuggling, image cache DoS, postponed resume DoS)

P2 · Replace xlsx (community SheetJS) with exceljs · 2–4 hours
2 CVEs cleared (prototype pollution, ReDoS); the community xlsx build is unmaintained

Reproducible audits

Every metric on this page is reproducible by anyone with a clone of the repository, Python 3, and a completed npm install. Three commands, about 15 seconds total runtime:

# Seven-dimension scorecard
python3 scripts/code-quality-audit.py
# Schema usage audit
python3 scripts/schema-usage-audit.py
# Dependency CVE audit
npm audit --omit=dev
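The "seven high CVEs reduce to four root packages" figure comes from reading the audit's dependency chains rather than its summary line. The script below is an added example of that triage (not one of the page's own scripts): it parses `npm audit --json` output, keeps one entry per distinct advisory, attributes each to the package whose update clears it, and gates on a severity threshold for CI. The embedded report, its advisory ids and package names are constructed, not the project's real audit.

```python
"""Added example: triage `npm audit --omit=dev --json` into distinct advisories,
their root packages, and a CI pass/fail. SAMPLE_AUDIT is a constructed report
in npm's auditReportVersion 2 shape, not the project's actual output."""
import json
import sys
from collections import defaultdict

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def triage(report: dict) -> dict:
    """Map each distinct advisory to the root package whose update clears it.

    In npm's report, `via` holds advisory objects for the package that is itself
    vulnerable, and plain strings naming a dependency for packages that are only
    affected transitively. Only the former are roots worth an update ticket."""
    by_root: dict = defaultdict(list)
    seen = set()
    for pkg, entry in report["vulnerabilities"].items():
        for adv in entry.get("via", []):
            if isinstance(adv, dict) and adv["source"] not in seen:
                seen.add(adv["source"])
                by_root[pkg].append({
                    "id": adv["source"],
                    "title": adv["title"],
                    "severity": adv["severity"],
                    "direct": entry.get("isDirect", False),
                    "fix": entry.get("fixAvailable"),
                })
    return dict(by_root)


def count_by_severity(triaged: dict) -> dict:
    counts: dict = defaultdict(int)
    for advisories in triaged.values():
        for adv in advisories:
            counts[adv["severity"]] += 1
    return dict(counts)


def gate(report: dict, max_allowed: str = "moderate") -> bool:
    """True when no distinct advisory is more severe than max_allowed."""
    threshold = SEVERITY_RANK[max_allowed]
    return all(SEVERITY_RANK[adv["severity"]] <= threshold
               for advisories in triage(report).values() for adv in advisories)


# Constructed report: two roots (a direct dep with two advisories, and an
# unmaintained one with no fix), plus an SDK that is vulnerable only via the first.
SAMPLE_AUDIT = json.loads("""{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-http": {"name": "example-http", "severity": "high", "isDirect": true,
      "via": [
        {"source": 1001, "name": "example-http", "title": "constructed advisory A (DoS)", "severity": "high", "range": "<9.9.9"},
        {"source": 1002, "name": "example-http", "title": "constructed advisory B (proxy bypass)", "severity": "high", "range": "<9.9.9"}
      ],
      "effects": ["example-sdk"], "range": "<9.9.9", "nodes": ["node_modules/example-http"], "fixAvailable": true},
    "example-sdk": {"name": "example-sdk", "severity": "high", "isDirect": true,
      "via": ["example-http"], "effects": [], "range": "*", "nodes": ["node_modules/example-sdk"], "fixAvailable": true},
    "example-sheet": {"name": "example-sheet", "severity": "high", "isDirect": true,
      "via": [
        {"source": 1003, "name": "example-sheet", "title": "constructed advisory C (prototype pollution)", "severity": "high", "range": "*"},
        {"source": 1004, "name": "example-sheet", "title": "constructed advisory D (ReDoS)", "severity": "moderate", "range": "*"}
      ],
      "effects": [], "range": "*", "nodes": ["node_modules/example-sheet"], "fixAvailable": false}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 3, "critical": 0, "total": 3}}
}""")

if __name__ == "__main__":
    # Usage: npm audit --omit=dev --json | python3 audit_triage.py -
    report = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_AUDIT
    roots = triage(report)
    for pkg, advisories in roots.items():
        print(pkg, "fixAvailable=%s" % advisories[0]["fix"], [a["severity"] for a in advisories])
    print("by severity:", count_by_severity(roots))
    sys.exit(0 if gate(report) else 1)
```

Two points the summary line hides: the `metadata.vulnerabilities` counts in npm's report are per vulnerable package, not per advisory, so a package that is only affected through a dependency inflates the "high" count without adding anything to fix; and `fixAvailable: false` on a root (as on the constructed `example-sheet` above) is the signal that an update ticket must become a replacement ticket, which is exactly the shape of the xlsx P2 item.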

Promotion criterion to Level 4

The system has been load-tested, monitored, and its operational characteristics are documented and committed-to as SLAs. This criterion is not yet met — see Level 4: Operational Maturity (sign-in required).
