Enterprise Readiness Assessment
1. Executive summary
Verdict: An internal staff tool that's functionally rich (73 pages covering the entire content-factory workflow) but structurally underdeveloped (only 4 reusable components, single-file Vuex store, no tests, no caching, no auth-redirect guarantee). It works because the staff using it are accommodating, not because the architecture is healthy. The biggest looming concern is the Vue 2 EOL — Vue 2 has been unsupported since Dec 2023, and Bootstrap-Vue 2 (the UI library) won't follow Vue 3. A migration plan is overdue.
Top 3 strengths:
1. Functional coverage matches the BE — staff can do everything they need
2. Polotno editor integration is the leanest in the platform (50 KB bundle vs 221 KB customer)
3. Multi-stage Dockerfile + EFS-mounted node_modules pattern is consistent with the platform
Top 5 risks:
1. Vue 2 EOL — no more security patches; migration is a real piece of work
2. Auth-redirect possibly missing — verify; if absent, unauthenticated visitors reach page chrome
3. Single-file Vuex store is becoming a bottleneck for maintainability
4. Role-typed UI gating is inline-literal scattered across Navbar and pages
5. No tests — Vue 2 → Vue 3 migration without tests is high-risk
Top 5 recommendations:
1. This week: verify F-1 (auth redirect); fix; add noindex meta; strip console.log
2. Phase 0: add Sentry; add ESLint; centralise role IDs
3. Phase 0: add Vuex action caching (mirror someli-platform/store/api.js)
4. Phase 1: refactor pages/ into subdirectories; split store/index.js into modules; extract reusable components from pages
5. Phase 1-2: plan + execute Vue 2 → Vue 3 / Nuxt 3 migration
2. Methodology & scope
Audited via find, cat, grep, wc against someli-gh/Someli-Designer/. Compared against someli-platform/ for shared lineage. Polotno subproject and its bundle structure compared too. No tests run (none exist). No production deploy inspected.
3. Maturity assessment (CMMI 1–5)
| Pillar | Current | 12-mo target | Why |
|---|---|---|---|
| Architecture & Modularity | 1 | 3 | Flat 73-page directory; single store; only 4 components; inline role literals |
| API Contract & Versioning | 1 | 2 | No OpenAPI; inconsistent path naming inherited from BE |
| Data Architecture | 1 | 3 | No caching; every page-mount re-fetches; single-file store |
| Background Processing | n/a | n/a | n/a — FE |
| Security & Compliance | 1 | 3 | Auth-redirect possibly missing; CDN scripts without SRI; token in localStorage; no logout |
| Observability | 1 | 3 | console.log everywhere; Hotjar (with privacy questions); no error tracker |
| Reliability & Resilience | 2 | 3 | No error boundaries; no 401 handler; no retry |
| Scalability | 2 | 3 | BootstrapVue 2 whole-library import bloats bundle; no virtualisation |
| Testing & Quality Gates | 1 | 3 | Zero tests; no lint; no CI gate |
| CI/CD & Deployment | 2 | 3 | Good Dockerfile, no CI workflow in repo |
| Infrastructure as Code | 2 | 3 | Dockerfile + start.sh in repo; no nginx.conf detail audit |
| Cost Visibility & FinOps | 2 | 2 | Modest hosting cost; not a concern |
| Documentation & Knowledge Management | 2 | 3 | This audit covers the gap; README only documents Polotno workflow |
| Team Practices & Governance | 2 | 3 | Implied branch model; no PR template, no code-owners |
4. Findings
| ID | Severity | Description | Phase |
|---|---|---|---|
| F-1 | HIGH if true | Auth-redirect possibly missing | 0a verify |
| F-2 | MEDIUM | Token in localStorage + `userdetail` cookie, both XSS-readable | 1 (BE coord) |
| F-3 | MEDIUM | No server-side logout (`logout: false`) | 0 |
| F-4 | MEDIUM | Role gating UI-only; BE coverage unverified | 0 |
| F-5 | LOW | CDN scripts without SRI | 0a |
| F-6 | MEDIUM | No CSP set from repo | 0 |
| F-7 | LOW | Bootstrap-Vue v2 + Bootstrap v5 conflict | 1 |
| F-8 | LOW | Polotno localStorage design persistence (PII risk) | 1 |
| F-9 | LOW | `bcryptjs` in FE deps (verify usage) | 0a |
| F-10 | LOW | jQuery loaded via Bootstrap CDN bundle | 1 |
| N-1 | n/a | Vue 3 deps coexisting with Vue 2 | 0a |
| N-2 | n/a | Polotno version drift (parent ^2.9.14 vs subproject ^2.13.10) | 0 |
| N-3 | n/a | Single-file Vuex store (no modules) | 1 |
| N-4 | n/a | Inline role-ID literals | 0 |
| N-5 | n/a | No tests, no lint, no CI workflow in repo | 0 |
| N-6 | n/a | `console.log` leaks to production | 0a |
| N-7 | n/a | Flat `pages/` (73 files) | 1 |
| N-8 | n/a | No caching layer; every page-mount re-fetches | 1 |
| N-9 | n/a | Hotjar privacy/PII posture unverified | 0 |
| N-10 | n/a | Vue 2 EOL | 1-2 (migration) |
5. Strategic decisions
- Vue 2 EOL is the platform's biggest looming FE problem. Both this repo and `someli-platform` use Vue 2. A coordinated Vue 3 / Nuxt 3 migration is in the future. Don't pour new features into Vue 2 patterns without thinking about portability.
- Polotno editor split between this repo and `someli-platform` is intentional — staff need different features. Don't try to merge unless a third "shared editor core" repo is set up.
- Add a caching layer (port `someli-platform/store/api.js`). Cheapest perf + cost win.
- `Someli-Designer` is internal. Investment priorities should reflect that: security and correctness over polish.
6. Roadmap
Phase 0a — This week
- Verify F-1 (auth-redirect); fix if missing
- Add `noindex, nofollow` meta + `static/robots.txt`
- Strip `console.log` in production builds
- Remove Vue 3 deps from `package.json` (N-1)
- Add SRI to CDN scripts (F-5)
- Verify `bcryptjs` usage; remove if unused (F-9)
Phase 0 — Stabilise (months 0-3)
- Add server-side logout (F-3)
- Add CSP via nginx (F-6)
- Centralise role-ID literals (N-4)
- Audit BE role-check coverage (F-4 cross-cutting)
- Add Sentry (N-9-adjacent)
- Audit Hotjar config (mask sensitive fields)
- Add ESLint (with Vue + a11y plugins)
- Align Polotno version drift (N-2)
- Add CI workflow file (`.github/workflows/dev-des-app-deploy.yml`)
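As an added example for F-1 and N-4 (not code from the Someli-Designer repo): a Nuxt 2 router middleware that redirects unauthenticated visitors before any page chrome renders, with role IDs read from one module instead of inline literals. The route paths, role ID values and the `store.state.auth.user` shape are assumptions.

```javascript
// Added example for this audit, not code from the Someli-Designer repo: a Nuxt 2
// router middleware that redirects unauthenticated visitors before any page chrome
// renders (F-1) and reads role IDs from one module instead of inline literals (N-4).
// The role IDs, route list and store shape (store.state.auth.user) are assumptions.

// Single source of truth for role IDs; import this from Navbar and pages.
const ROLES = Object.freeze({
  ADMIN: 1,    // placeholder ID, not the real backend value
  DESIGNER: 2, // placeholder ID
  REVIEWER: 3, // placeholder ID
});

// Routes reachable without a session. Everything else requires a logged-in user.
const PUBLIC_PATHS = new Set(['/login', '/forgot-password']);

// Routes that additionally require one of the listed roles (hypothetical paths).
const ROUTE_ROLES = {
  '/admin/users': [ROLES.ADMIN],
  '/templates/approve': [ROLES.ADMIN, ROLES.REVIEWER],
};

function hasAnyRole(user, allowed) {
  return Array.isArray(user.roles) && user.roles.some((r) => allowed.includes(r));
}

// Pure decision: returns a redirect target, or null when the request may proceed.
// Kept free of Nuxt objects so it can be unit-tested (the repo has no tests yet).
function decideRedirect(path, user) {
  if (PUBLIC_PATHS.has(path)) return null;
  if (!user) {
    // Carry the requested page so the login page can return the user to it.
    return `/login?redirect=${encodeURIComponent(path)}`;
  }
  const allowed = ROUTE_ROLES[path];
  if (allowed && !hasAnyRole(user, allowed)) return '/forbidden';
  return null;
}

// Nuxt 2 middleware signature. Register it globally via router.middleware in
// nuxt.config.js so it runs on every navigation, including the first server render.
function authMiddleware({ store, route, redirect }) {
  const auth = store.state.auth || {};
  const target = decideRedirect(route.path, auth.user || null);
  if (target) redirect(target);
}
```

Because the decision lives in `decideRedirect`, the smoke test planned for Phase 1 (auth flow, navbar role gating) can assert on it without mounting a page.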
Phase 1 — Foundation (months 3-9)
- Port `someli-platform/store/api.js` cache pattern (N-8)
- Split `store/index.js` into feature modules (N-3)
- Refactor `pages/` into subdirectories by domain (N-7)
- Extract reusable components from pages (currently only 4 components)
- Switch to per-component BootstrapVue import (perf)
- Add minimal smoke tests (auth flow, navbar role gating, polotno mount) (N-5)
- Eliminate Bootstrap-Vue v2 + Bootstrap v5 dual setup (F-7)
- Migrate token to httpOnly cookie (F-2; BE coord)
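The cache pattern recommended for N-8, as an added example that is not the `someli-platform/store/api.js` code itself: a TTL cache in front of Vuex actions so a page mount does not re-fetch data that is still fresh. Endpoint names, the `api` client and mutation names are assumptions.

```javascript
// Added example for this audit, not the someli-platform/store/api.js code it recommends
// porting: a TTL cache in front of Vuex actions so a page mount does not re-fetch data
// that is still fresh (N-8). Endpoint names, the `api` client and mutation names are assumed.
const DEFAULT_TTL_MS = 60 * 1000;

// key -> { expires, value }, or { promise } while a request is in flight.
// Kept outside Vuex state so it is never serialised into the rendered page.
const cache = new Map();

// Stable key: params are sorted so {a, b} and {b, a} share one entry.
function cacheKey(endpoint, params) {
  const parts = Object.keys(params || {}).sort().map((k) => `${k}=${params[k]}`);
  return `${endpoint}?${parts.join('&')}`;
}

// Serves cached data while fresh, shares one in-flight request between concurrent
// callers, and never caches a failed response. `now` is injectable for tests.
async function cachedFetch(fetcher, endpoint, params, { ttlMs = DEFAULT_TTL_MS, now = Date.now } = {}) {
  const key = cacheKey(endpoint, params);
  const entry = cache.get(key);
  if (entry && entry.promise) return entry.promise;
  if (entry && entry.expires > now()) return entry.value;
  const promise = fetcher(endpoint, params)
    .then((value) => { cache.set(key, { expires: now() + ttlMs, value }); return value; })
    .catch((err) => { cache.delete(key); throw err; });
  cache.set(key, { promise });
  return promise;
}

// Drop every cached variant of an endpoint after a write to it.
function invalidate(endpoint) {
  for (const key of cache.keys()) if (key.startsWith(`${endpoint}?`)) cache.delete(key);
}

// Vuex actions built on the wrapper; `api.get`/`api.post` is an assumed HTTP client.
function makeActions(api) {
  return {
    async fetchTemplates({ commit }, params = {}) {
      const data = await cachedFetch((ep, p) => api.get(ep, p), '/templates', params);
      commit('SET_TEMPLATES', data);
      return data;
    },
    async saveTemplate({ dispatch }, template) {
      await api.post('/templates', template);
      invalidate('/templates'); // the next fetchTemplates hits the network again
      return dispatch('fetchTemplates');
    },
  };
}
```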
Phase 2 — Modular refactor (months 9-18)
- Vue 3 / Nuxt 3 migration (N-10) — coordinate with `someli-platform`
- Replace Bootstrap-Vue with BootstrapVueNext or shift to a shadcn-style Vue library
- Replace Vuex with Pinia
- Replace `vue-notification`/`vue-toastification` with a single Vue 3-compatible toast
- Consider TypeScript migration (smaller win in Vue 3 than React, but worth considering)
Phase 3 — Selective extraction (months 18+)
- Possible split: separate the AI tools into their own micro-app; keep template management here
7. Risk register
| ID | Risk | Likelihood | Impact | Phase |
|---|---|---|---|---|
| R-1 | Vue 2 security CVE → no upstream patch | High | Medium | 1-2 (migration) |
| R-2 | Unauthenticated user reaches protected page chrome (F-1) | Verify | Medium | 0a |
| R-3 | Stolen token never expires; ex-staff retains access | Medium | High | 1 |
| R-4 | Role ID added on BE without FE update → UI shows wrong items | Medium | Low | 0 |
| R-5 | Hotjar captures sensitive customer data viewed by staff | Medium | Medium | 0 |
| R-6 | Single-file store eventually becomes unmergeable in PRs | High | Low | 1 |
| R-7 | Polotno version drift causes editor runtime breakage | Low | Medium | 0 |
| R-8 | Bootstrap dual setup causes subtle UI bugs in modal/dropdown | Medium | Low | 1 |
8. Standards compliance
- WCAG 2.1 AA: BootstrapVue gives most of the way; needs jsx-a11y-equivalent + skip link
- OWASP A02 / A05 / A07 — see `security.md`
- GDPR (re: Hotjar) — verify retention + masking
- Vue 2 EOL — security pillar is degraded over time
9. Open questions
See verify-markers.md.