SHOTid audit · feat/v2 · 38549fa · 2026-05-16
Overview · multi-page

SHOTid audit · index

Branch feat/v2 · Commit 38549fa · Audience Jonny, Liam, eng
00

What's in this audit

Multi-page review of SHOTid (feat/v2 @ 38549fa) covering business positioning, architecture, security, performance at global/3G scale, regulatory exposure, i18n + accessibility, cost economics, and the December 2026 launch GTM. Internal audience — Jonny, Liam, eng team. Frank tone, file:line references retained, P0 findings loud.

01

Headline verdict

Composite verdict · 4 of 9 pages flag reconsider/launch-blocker

Pretty avatar picker, defining features unbuilt, multiple P0 wounds, six months of focused work to get to a defensible launch

SHOTid today is a polished registration journey on a thoughtful schema with the OAuth provider, VC issuance, federation portal, and observability all at zero. The codebase has pending_profiles open to anonymous read+write, a SECURITY DEFINER RPC that maps public handles to recovery emails, and an identity-lock trigger users can self-bypass by bumping identity_lock_version. The December 2026 Sierra Leone launch is loaded onto one event with no graceful fallback, no observability, and a two-person on-call rotation that reads "ping Jonny on WhatsApp". None of this is unrecoverable — the work is named, the gaps are mostly tractable — but the next six months have to deliver against a launch deadline, not against the original roadmap.

02

Per-domain summary

Each page is independently shareable. Click through for the file:line evidence and the must-do/next-quarter fix list per domain.

Business · §02

Business value & positioning

sporthead.com vs sporthead.id — net positive, but execution under-delivers. The white space is sport-native + federation-aware + VC-grade + open OIDC. Recommend a dual revenue model: federation tenancy + VC issuance fee.

Confidence 7/10

Architecture · §03

Architecture — what Cloudflare/Supabase do

What Cloudflare does (Pages × 2, Workers, D1, KV, planned OIDC/VC/CDN), what Supabase does (Postgres, Auth, Storage, RPCs), and the issuer/holder/verifier boundary that doesn't yet exist. Inline SVG.

Half built

Engineering · §04

Engineering critique + counter-proposals

Distinguished Engineer verdict + four-way options paper (status quo / small / medium / big). Recommended path: B now → C next quarter. Buy OIDC, drop Next.js, fix RLS.

Reconsider

Security · §05

Security posture — red-team review

Red-team posture · composite 1.4/5. P0 RLS leak, handle→email phishing oracle, self-bypassable identity lock, four trivially-walkable kill chains. Do not ship the founder cohort on this codebase.

Do not ship as-is

Performance · §06

Performance & global scale (Africa-on-3G)

Launch-blocker as written. Sequential image loads in avatar-export, 37MB raw trait library, no edge CDN, Dublin Supabase 5,000km from Freetown. Three weeks of focused work + ~£50/mo infra to make it ship-ready.

Launch-blocker

Regulatory · §07

Regulatory & privacy

Cannot ship Dec cohort without material exposure. No age gate (UK Children's Code violation, TikTok was fined £12.7m for this). No DPIA. Handle→email RPC is a notifiable breach in waiting. Three must-do fixes before December.

Reconsider

i18n + a11y · §08

Internationalisation & accessibility

Shippable for the cohort, not for the brand promise. Four of five launch locales are placeholder-quality. en-WA improvises a register no platform ships. Phase 2 (Mandarin dual-handle, RTL, ICU plurals) is a one-quarter project, not a sprint.

v0 register

Cost · §09

Cost economics & vendor lock-in

Healthy at the bottom (£25-40/mo at launch), fragile in the middle. Three hidden surprises: build-vs-buy OIDC math is wrong, compliance (SOC2/pentest/DPIA) is £30-60k/yr invisible, did:web on sporthead.id is permanent lock-in.

Healthy bottom

Launch · §10

GTM · federation · DevOps readiness

Not launch-ready as configured, six months to fix. Single-event GTM with no fallback, federation commercial model unwritten, two-founder bus factor with no observability or runbook. Top 3 fixes: observability + load test + SLFA contract.

Not launch-ready

03

The three irreversible decisions for the next Monday meeting

  1. Buy or self-host OIDC, do not build bespoke. Ory Hydra (self-host) or WorkOS (managed). Reopen ADR-0006. The "1–2 week Cloudflare Worker OIDC issuer" estimate is wrong by an order of magnitude.
  2. Close pending_profiles RLS, kill lookup_signin_email_by_handle, fix the identity-lock self-bypass before the next commit. These are P0 wounds the team named in migration comments and shipped anyway.
  3. Stand up minimum-viable observability + a written incident runbook + a load test against staging before any external press touches the launch story. Detection probability for in-progress incidents is currently zero.
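A migration sketch for decision 2, added here as an illustration and not code from the SHOTid repo. It assumes a Supabase/Postgres schema where pending_profiles has a user_id column, profiles carries identity_locked, identity_lock_version, legal_name and date_of_birth, and the caller's role is read from the PostgREST JWT claims; all of those names are assumptions.

```sql
-- 1. pending_profiles: no anonymous access at all, owner-only rows under RLS.
alter table public.pending_profiles enable row level security;
revoke all on public.pending_profiles from anon;
drop policy if exists pending_profiles_owner on public.pending_profiles;
create policy pending_profiles_owner on public.pending_profiles
  for all to authenticated
  using (user_id = auth.uid())          -- assumed column: user_id
  with check (user_id = auth.uid());

-- 2. Kill the handle -> recovery-email oracle. Sign-in takes the email the
--    user types; nothing server-side resolves a public handle to an email.
drop function if exists public.lookup_signin_email_by_handle;

-- 3. Identity lock: never trust a client-supplied identity_lock_version.
--    Lock state and version only change on requests made with the service
--    role; every other session has its lock columns silently reset to OLD.
create or replace function public.enforce_identity_lock()
returns trigger language plpgsql as $$
declare
  caller_role text := current_setting('request.jwt.claims', true)::jsonb ->> 'role';
begin
  if caller_role is distinct from 'service_role' then
    -- Bumping identity_lock_version from the client is now a no-op.
    new.identity_locked        := old.identity_locked;
    new.identity_lock_version  := old.identity_lock_version;
  end if;

  -- While locked, the identity fields are frozen regardless of version.
  if old.identity_locked
     and (new.legal_name, new.date_of_birth)
         is distinct from (old.legal_name, old.date_of_birth) then
    raise exception 'identity is locked for profile %', old.id;
  end if;

  return new;
end;
$$;

drop trigger if exists identity_lock on public.profiles;
create trigger identity_lock
  before update on public.profiles
  for each row execute function public.enforce_identity_lock();
```

The lock is then released only by a service-role path (an admin RPC or a backend job), so a user editing their own row cannot step around it.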

If those three land in Q3 2026, the December cohort launch is achievable as a stripped-back "registration + numbered VC" event. If they don't, the Sierra Leone fight night becomes a postmortem instead of a product.