Four AI Experts Expose Your Feedback System's Critical Flaws

Four Expert Audits Reveal What’s Holding Back Your Feedback System
The task was brutal and honest: get four specialized AI experts to tear apart the feedback system on borisovai-site and tell us exactly what needs fixing before launch. The project had looked solid on the surface—clean TypeScript, modern React patterns, a straightforward SQLite backend. But surface-level confidence is dangerous when you’re about to put code in front of users.
The security expert went first, and immediately flagged something that made me wince: the system had zero GDPR compliance. No privacy notice, no data retention policy, no user consent checkbox. There were XSS vulnerabilities lurking in email fields, timing attacks waiting to happen, and worst of all, a pathetically weak 32-bit bitwise hash that could be cracked by a determined botnet. The hash needed replacing with SHA256, and every comment required sanitization through DOMPurify before rendering. The verdict was unsparing: NOT PRODUCTION READY.
Then came the backend architect, and they found something worse than bugs—they found design decisions that would collapse under real load. The database schema was missing a critical composite index on (targetType, targetSlug), forcing full table scans across 100K records. But the real killer was the countByTarget function: it was loading every feedback record into memory just to aggregate it. That’s an O(n) operation that would turn into a performance nightmare at scale. The rate-limiting logic had race conditions because the duplicate check and the rate limit weren’t performed atomically. And SQLite? Totally unsuitable for production. This needed PostgreSQL and proper transactions wrapping the create endpoint.
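To make the backend findings concrete, here is an added example (not code from borisovai-site) that shows the in-memory count beside its SQL aggregate over the composite index, and the duplicate check plus rate limit folded into one transaction with the insert. It uses Python's standard-library sqlite3 so it runs offline; the table and column names are assumed, and BEGIN IMMEDIATE is SQLite's way of taking the write lock up front (PostgreSQL would use a row lock or a serializable transaction instead).

```python
import sqlite3

# Constructed schema mirroring the audit's description; table and column names are assumed.
SCHEMA = """
CREATE TABLE feedback (
  id INTEGER PRIMARY KEY, targetType TEXT NOT NULL, targetSlug TEXT NOT NULL,
  authorHash TEXT NOT NULL, createdAt REAL NOT NULL);
CREATE INDEX idx_feedback_target ON feedback (targetType, targetSlug);
"""

def open_db():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # we manage transactions ourselves
    conn.executescript(SCHEMA)
    return conn

def count_by_target_slow(conn, target_type, target_slug):
    # The flagged pattern: fetch every row into memory, then count in application code (O(n)).
    rows = conn.execute("SELECT targetType, targetSlug FROM feedback").fetchall()
    return sum(1 for t, s in rows if t == target_type and s == target_slug)

def count_by_target(conn, target_type, target_slug):
    # Fix: aggregate in SQL; the composite index turns the full scan into an index range lookup.
    return conn.execute("SELECT COUNT(*) FROM feedback WHERE targetType = ? AND targetSlug = ?",
                        (target_type, target_slug)).fetchone()[0]

def uses_index(conn):
    # Sanity check a reviewer would run: does the planner actually pick the composite index?
    plan = conn.execute("EXPLAIN QUERY PLAN SELECT COUNT(*) FROM feedback "
                        "WHERE targetType = ? AND targetSlug = ?", ("x", "y")).fetchall()
    return any("idx_feedback_target" in row[3] for row in plan)

def create_feedback(conn, target_type, target_slug, author_hash, now, window=60.0, limit=3):
    """Duplicate check + rate limit + insert as one atomic unit; returns the new id or None."""
    conn.execute("BEGIN IMMEDIATE")  # write lock now: no other writer between the checks and INSERT
    try:
        dup = conn.execute("SELECT 1 FROM feedback WHERE targetType = ? AND targetSlug = ? "
                           "AND authorHash = ?", (target_type, target_slug, author_hash)).fetchone()
        recent = conn.execute("SELECT COUNT(*) FROM feedback WHERE authorHash = ? AND createdAt > ?",
                              (author_hash, now - window)).fetchone()[0]
        if dup or recent >= limit:
            conn.execute("ROLLBACK")
            return None
        cur = conn.execute("INSERT INTO feedback (targetType, targetSlug, authorHash, createdAt) "
                           "VALUES (?, ?, ?, ?)", (target_type, target_slug, author_hash, now))
        conn.execute("COMMIT")
        return cur.lastrowid
    except Exception:
        conn.execute("ROLLBACK")
        raise
```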
The frontend expert was more measured but equally critical. React patterns had missing dependencies in useCallback hooks, creating race conditions in state updates. The TypeScript codebase was sprinkled with any types and untyped data fields. But the accessibility score hit hardest—2 out of 5. No aria-labels on buttons meant screen readers couldn’t read them. No aria-live regions meant users with assistive technology wouldn’t even know when an error occurred. The canvas fingerprinting was running synchronously and blocking the main thread.
What struck me during this audit wasn’t the individual issues—every project has those. It was the pattern: a system that looked complete but was missing the foundational work that separates hobby projects from production systems. The security expert, backend architect, and frontend expert all pointed at the same core problem: decisions had been made for convenience, not for robustness.
Here’s something interesting about security audits: they’re most valuable not when they find exploitable vulnerabilities (those are obvious in hindsight), but when they reveal the thinking that led to vulnerable code. This system didn’t have a sophisticated attack surface—it had naive assumptions about what attackers would try and what users would tolerate.
The tally came to roughly two weeks of focused work: GDPR compliance, database optimization, transaction safety, accessibility improvements, and moving away from SQLite. Not a rewrite, but a maturation.
The irony? The code was well-written. The problem wasn’t quality—it was completeness. Production readiness isn’t about writing perfect code; it’s about thinking like someone’s about to break it.
I have a joke about stack overflow, but you’d probably say it’s a duplicate.
Metadata
- Session ID: grouped_borisovai-site_20260213_0940
- Branch: master
- Dev Joke: WebAssembly: a solution to a problem you didn't know existed, done in a way you don't understand.