AccessHunter System Assessment
From AIEE to Angry Dog — April 21, 2026
Backend + Frontend production readiness assessment — the first step toward taking AccessHunter from MVP scaffolding to a live marketplace.
The Verdict: NO-GO on Both Repositories
accesshunter-backend: 2/100 (11 P0 + 14 P1 findings; Security 38/100)
accesshunter-frontend: 4/100 (15 P0 findings; Security 32/100)

Security dimension blocks deployment on both independently. Every audited dimension falls below the 70-point threshold. No production traffic against current main of either repository under any circumstance.
What Was Built — And Is Real
The previous developer delivered a data model and CRUD scaffolding for two parallel verticals: hunting properties and ice shacks. Quarters, bookings, reviews, memberships, and access requests are all first-class entities.
UI components render the domain for both verticals. The progress report accurately describes the shape of that scaffolding.

In MVP terms, roughly 30–40% of a shippable product.
What Is Missing
Every layer that turns CRUD scaffolding into a product:
  • Authentication: authentication that is not bypassable
  • Authorization: authorization decisions made on the server
  • Deployment: a deployable container
  • Mobile: native mobile shells (ios/, android/)
  • Observability: APM, crash reporting, structured logging
  • Quality Gates: automated tests and CI/CD
The audits converge on these gaps from eight dimensions on the backend and six on the frontend.
Cross-Cutting Risk #1 — Authentication & Authorization
Auth is broken on both sides simultaneously.
Backend
completeSignup has no middleware and writes user role from the request body. Password reset requires no token. OTP values are returned in response JSON.
Frontend
Bearer tokens are never attached. The axios request interceptor reads the access_token storage key, but every login path writes the token under the key token; because of that key mismatch the interceptor always attaches null.
Mobile
Bearer tokens delivered via URL query string — leaks to browser history, server logs, and analytics.

Maps to OWASP A01 (Broken Access Control) and A07 (Authentication Failures).
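The frontend key mismatch described above, as an added illustration that is not code from the AccessHunter repositories: the login path and the interceptor each name the storage key on their own, so the header is built from null; the fix is one module that owns the key and skips the header when no token exists. An in-memory stand-in for localStorage and the helper names are assumed.

```javascript
// Added example, not AccessHunter code: the login path and the request
// interceptor disagree on the storage key, so the header is "Bearer null".
// The fix routes both through one module that owns the key. The storage
// object is an assumed in-memory stand-in for localStorage.
const AUTH_TOKEN_KEY = "access_token"; // single source of truth

function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null), // null like localStorage
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Before: login writes "token" while the interceptor reads "access_token".
function loginLegacy(storage, token) { storage.setItem("token", token); }

function legacyRequestInterceptor(storage, config) {
  const t = storage.getItem("access_token"); // key mismatch: always null
  config.headers = { ...config.headers, Authorization: `Bearer ${t}` };
  return config;
}

// After: every login path and the interceptor use the same two helpers,
// and the Authorization header is the only place the token travels.
function saveToken(storage, token) { storage.setItem(AUTH_TOKEN_KEY, token); }
function loadToken(storage) { return storage.getItem(AUTH_TOKEN_KEY); }

function requestInterceptor(storage, config) {
  const t = loadToken(storage);
  // With no token, send no Authorization header at all: "Bearer null"
  // is a malformed credential the API would reject or log as noise.
  if (t) config.headers = { ...config.headers, Authorization: `Bearer ${t}` };
  return config;
}

function authHeaderOf(config) {
  return config.headers ? config.headers.Authorization : undefined;
}

// Runs both paths against fresh stores with the same constructed token.
function demo() {
  const before = makeStorage();
  loginLegacy(before, "tok-123");
  const after = makeStorage();
  saveToken(after, "tok-123");
  return {
    legacy: authHeaderOf(legacyRequestInterceptor(before, { headers: {} })),
    fixed: authHeaderOf(requestInterceptor(after, { headers: {} })),
    anonymous: authHeaderOf(requestInterceptor(makeStorage(), { headers: {} })),
  };
}
```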
Cross-Cutting Risk #2 — Platform & Deployment
Neither repository is deployable as shipped.
Backend Dockerfile
Installs PostgreSQL drivers for a MySQL-configured application, so the container cannot connect to its database. Uses artisan serve as the production CMD. Runs as root with chmod -R 777.
Frontend Mobile
ios/ and android/ directories absent. @capacitor/ios missing from package.json. CLI/Core version mismatch — cap sync will fail.
No CI/CD
No linting, type-checking, build, or test gate on either repository.
App Store Violation
Guideline 4.8 violation — Google Sign-In without Apple Sign-In.
Cross-Cutting Risk #3 — Operational Blindness
No application in the system has error tracking, crash reporting, APM, RUM, or structured logging.
  • Zero Sentry, Bugsnag, or equivalent
  • Zero APM / application monitoring
  • Zero health or readiness endpoints
  • Zero alerting, distributed tracing, or backup strategy
  • 249 console.* calls shipping to production

Production failures will be invisible until reported by end users. This is the same visibility gap Angry Dog experienced firsthand during the handover.
Two Ship Scopes to Authorize Against
*Pre-GST. Rate $125 CAD/hour, continuous with the Q2 Energy engagement.
Delivery Plan — 30h/week
The work in each application opens with its test and CI foundation before any other changes, the same pattern that worked on Q2.
Timeline
  1. MVL: 2.5–3 weeks
  2. Full Path to Live: 3.5–4 weeks
30 hours/week single-project block, not a shared slice.
Payment — Two Installments
Payment 1
$5,000 CAD (40 hrs, +GST), due at the end of week 1 as a fixed advance
Payment 2
Balance at deployment time.

If actual hours fall below 40, the delta is refunded; Payment 1 is never billed as a minimum commitment. This is very unlikely, though.
What We Need From Angry Dog
To Authorize
  • Ship scope decision — MVL or Full Path to Live
  • Written authorization of this engagement
Product Decisions (before start day)
  • Commission model and pricing
  • Pro vs Free tier unlocks
  • Cancellation and refund policy
Client-Owned Accounts and Assets
  • Apple Developer + App Store Connect access
  • Google Play Console access
  • Stripe account (we integrate)
  • Domain + DNS control
  • Legal documents — ToS, Privacy Policy, Host and Guest Agreements

Ready to proceed on written authorization.