James Chang

James Chang / Work / The Judge Tool / Roadmap & health

Static snapshot of the in-app /roadmap page as of April 2026. Live version at thejudgetool.com/roadmap.

Judge Tool · Roadmap & health · Last Updated

Product health scorecard, risk register, roadmap.

8.0/10 overall health across six dimensions. Six tracked risks with mitigations. Short-term / medium-term / long-term roadmap with priority triage.

Health scorecard

Six dimensions, scored on intake and reviewed each session.

9/10 Architecture
8/10 Code quality
8/10 Security
7/10 Testing
9/10 Documentation
7/10 Tooling

Architecture 9/10: Feature modules, barrel exports, clean separation.

Code quality 8/10: TypeScript strict, pure utils, tests for business logic.

Security 8/10: Auth guards in place, password hashing, rate limiting. Gaps: per-user PINs, CSP.

Testing 7/10: 113 unit tests, E2E simulation, zero browser tests.

Documentation 9/10: 15 docs in Diataxis framework, CLAUDE.md, build journal.

Tooling 7/10: Vitest, ESLint present. Missing: Playwright, Storybook, bundle analyzer.

Short-term roadmap

Next two sprints. Done first, then planned with priority triage.

Done

  • Migrate hosting to Vercel + GitHub Pages — $49/mo savings (M effort)
  • Hash competition judgePin with bcrypt — was plaintext (S effort)
  • TypeScript module augmentation for next-auth — eliminated unsafe casts (S effort)

Planned

  • P1: Per-user PIN support (M) — currently all judges share one PIN
  • P1: JWT role re-validation (S) — stale role persists until 24h token expires
  • P2: Redis-backed rate limiting (S) — in-memory resets on Vercel cold starts
  • P2: CSP headers (S) — OWASP headers present but no CSP
  • P2: E2E browser tests (L) — Playwright tests for login, judge flow, captain submission

Medium & long term

Medium term · 1–2 months

• Real-time score updates (L) — replace 15s polling with WebSocket/SSE [P2]

• Table Organizer role (L) — new role for logistics, boxes, distribution [P3]

• Competition templates (M) — save and reuse competition configurations [P3]

• PDF score reports (M) — downloadable standings + judge scorecards [P2]

• Offline judge mode (XL) — service worker + IndexedDB for offline scoring [P3]

Long term · 3–6 months

• Multi-competition management (XL) — dashboard for concurrent events [P3]

• KCBS API integration (XL) — direct integration with KCBS systems [P3]

• Mobile native app (XL) — React Native with push, offline, scanning [P3]

• Analytics dashboard (L) — historical trends, judge consistency, outlier detection [P3]

Risk register

Six tracked risks with mitigations. Impact x Likelihood scoring, updated per session.

R-1 · In-memory rate limiter ineffective on Vercel serverless

Impact: Medium · Likelihood: High

Mitigation: Redis migration planned (ST-2).

R-2 · Shared judge PIN allows impersonation

Impact: High · Likelihood: Medium

Mitigation: PIN now bcrypt-hashed. Per-user PINs planned (ST-1). Seat selection is weak identity today.

R-3 · JWT role not re-validated against DB

Impact: Medium · Likelihood: Low

Mitigation: 24h token expiry limits the window. Critical actions should re-check DB (ST-4).

R-4 · No CSP headers configured

Impact: Medium · Likelihood: Low

Mitigation: OWASP headers present. CSP planned (ST-3). No user-generated content reduces XSS surface.

R-5 · Prisma v5 pinned — no patches from v7

Impact: Medium · Likelihood: Low

Mitigation: Next.js 14 incompatible with Prisma v7 node: imports. Will migrate when moving to Next.js 15.

R-6 · Single Supabase instance — no read replicas

Impact: Low · Likelihood: Low

Mitigation: Connection pooling enabled. Single competition doesn't need replicas yet.

Findings history

Ten critical issues caught and fixed during the 20-day build. All closed.

← Under the hood