📋 Daily Codebase Review - 2026-02-24 #390

@claude

Description

Executive Summary

Comprehensive daily codebase review of the Sobers recovery app. The codebase demonstrates strong architecture with good test coverage (~90 test files), solid authentication patterns, and proper PII sanitization. However, several security concerns around Sentry configuration and invite code generation need attention, along with performance optimizations and test coverage gaps in the meetings feature.

Health Score: B

Justification: Strong fundamentals with comprehensive test suite and good separation of concerns. Deducted for: 3 HIGH-severity security findings (email leakage to Sentry, weak invite code generation), untested critical components (LogMeetingSheet), and significant performance opportunities (sequential DB queries, duplicate data fetching).


Top 5 Priority Items

| # | Priority | Category | Issue | Effort |
|---|----------|----------|-------|--------|
| 1 | HIGH | Security | Email logged to Sentry on login failure + `sendDefaultPii: true` | Low |
| 2 | HIGH | Security | Invite codes use `Math.random()` (cryptographically weak) | Medium |
| 3 | HIGH | Performance | Journey screen: 5 sequential Supabase queries (should use `Promise.all`) | Low |
| 4 | MEDIUM | Testing | LogMeetingSheet + DayDetailSheet have no tests (critical data mutation) | Medium |
| 5 | MEDIUM | Tech Debt | SettingsContent.tsx is 2,088 lines - needs splitting | High |

Detailed Findings by Category

1. Security Audit (3 HIGH, 4 MEDIUM, 5 LOW)

HIGH Severity:

  • app/login.tsx:55 - Email address logged to Sentry on login failure
  • lib/sentry.ts:78 - sendDefaultPii: true conflicts with privacy hooks
  • app/(app)/(tabs)/profile/index.tsx:169 - Invite codes use Math.random()

MEDIUM Severity:

  • contexts/AuthContext.tsx:403-405 - User email sent to Sentry via setSentryContext
  • app/login.tsx - isValidEmail() never called in auth flows
  • lib/supabase.ts:169-218 - Auth tokens in localStorage on web
  • e2e/fixtures/test-data.ts:5 - Hardcoded fallback password in E2E fixtures

2. Test Coverage Gaps

HIGH priority: LogMeetingSheet.tsx, DayDetailSheet.tsx have NO tests
Skipped: MeetingsScreen test suite with TODO comment

3. Technical Debt

  • SettingsContent.tsx is 2,088 lines - needs splitting
  • Hardcoded colors (#fff) in 6+ files violating CLAUDE.md
  • Magic numbers without constants
  • Duplicated isOverdue() function

4. Performance Opportunities

HIGH Impact:

  • journey.tsx - 5 sequential queries should use Promise.all()
  • steps/[id].tsx - Re-fetches all steps on every navigation
  • useDaysSober instantiated 3x across screens

5. Quick Wins

  1. Remove email from logger.error in app/login.tsx:55
  2. Set sendDefaultPii: false in lib/sentry.ts:78
  3. Remove email from setSentryContext
  4. Use Promise.all() in journey.tsx
  5. Replace hardcoded colors with theme.white

See existing related issues: #386, #381, #375, #363, #346, #378


Generated by automated daily codebase review

Labels: documentation