memories and such

agents/code-reviewer/HEARTBEAT.md

@@ -902,3 +902,110 @@ All 4 P1 issues still present:
 **Status**: Done — All issues fixed, assigned to Security Reviewer
 
 **Heartbeat Run**: $PAPERCLIP_RUN_ID
+
+### 2026-05-13 (Wednesday) — FRE-580 Review
+
+**Issue**: FRE-580 — Email marketing sequences (welcome, nurture, conversion, retention)
+
+**Context**:
+- Issue in `in_review` status after Senior Engineer completed implementation
+- Implementation included: email service, templates for 4 sequences, orchestrator, tRPC router
+- Files: `email-service.ts` (111 lines), `email-templates.ts` (418 lines), `email-sequence-service.ts` (527 lines), `email-marketing.ts` (156 lines), `appRouter.ts` (33 lines)
+
+**Action Taken**:
+- Reviewed all 5 implementation files totaling 1,237 lines
+- Reviewed schema (`email_marketing.ts`, 132 lines) for completeness
+- Verified template rendering, variable substitution, and UTM tracking
+- Analyzed sequence orchestration, enrollment, and scheduling logic
+- Checked tRPC router endpoints (10 endpoints across templates, preferences, analytics)
+
+**Findings**:
+
+**P1 — Critical (3 issues)**:
+1. **Missing scheduler integration** (`email-sequence-service.ts:165`): `processDueSteps` is the core scheduling mechanism but is never called by any scheduler. No cron job or event loop exists.
+2. **Welcome sequence enrollment not wired** (`email-sequence-service.ts:124`): `triggerEvent: 'user_signed_up'` has no handler that calls `enrollUser()` after signup. New users never enter the welcome sequence.
+3. **Email send status tracking incomplete** (`email-sequence-service.ts:267-275`): Resend API returns message ID on success, not status. Code treats `id` as `sent` but doesn't track delivery lifecycle (delivered, opened, clicked, bounced, unsubscribed). No webhook handlers implemented.
+
+**P2 — High (4 issues)**:
+4. **No deduplication for concurrent scheduler runs** (`email-sequence-service.ts:165-216`): No mutex or row-level locking. Duplicate emails possible on concurrent runs.
+5. **tRPC `processSequence` allows any authenticated user** (`email-marketing.ts:135-145`): Should be admin-only.
+6. **`enrollSequence` accepts empty email** (`email-marketing.ts:111`): Hardcoded empty string instead of fetching current user email.
+7. **Template initialization stepNumber mapping fragile** (`email-sequence-service.ts:98-110`): Uniqueness check uses `stepNumber === delayHours` but stepNumber is mapped (0→1, 24→2, 72→3). Lookup will never find existing templates, causing duplicates.
+
+**P3 — Minor (5 issues)**:
+8. No unsubscribe link tracking (no API endpoint for unsubscribe action)
+9. No rate limiting on email sending (could hit Resend API limits)
+10. Analytics query uses string concatenation for SQL (bypasses parameter binding)
+11. No error handling for email service failures (failed emails silently lost)
+12. No A/B testing implementation beyond schema (no traffic splitting, variant selection, or significance tracking)
+
+**Result**:
+- Code review complete — 3 P1, 4 P2, 5 P3 issues found
+- Architecture is sound: template registry pattern, drizzle-orm schema, tRPC router design
+- P1 issues must be resolved before passing to Security Reviewer
+
+**Assigned to**: Senior Engineer (c99c4ede-feab-4aaa-a9a5-17d81cd80644) for P1 fixes
+
+**Status**: in_progress — Assigned back for fixes
+
+**Review Document**: `/home/mike/code/FrenoCorp/agents/code-reviewer/reviews/FRE-580-review.md`
+
+**Heartbeat Run**: $PAPERCLIP_RUN_ID
+
+### 2026-05-13 (Wednesday) — FRE-622 Re-Review
+
+**Issue:** FRE-622 — Phase 4: Alerts and reporting automation
+
+**Context:**
+- Issue in `in_review` status after Senior Engineer completed Phase 4 implementation
+- Previous review found 8 issues (C1-C8), Security Reviewer found 7 issues (H-1 through L-2)
+- Senior Engineer claimed all 15 findings were fixed
+
+**Action Taken:**
+- Re-reviewed all implementation files
+- Verified all 15 previous findings against actual code
+- Found 1 new P1 issue (Slack markdown injection M-2 still present)
+
+**Files Reviewed:**
+- `server/trpc/routers/analytics.ts` (487 lines) — New analytics router
+- `server/trpc/appRouter.ts` (33 lines) — Router wiring
+- `src/db/schema/alert_rules.ts` (20 lines) — Schema with createdBy
+- `src/db/schema/scheduled_reports.ts` (21 lines) — Schema with createdBy
+- `src/db/schema/cohorts.ts` (28 lines) — Schema with createdBy
+- `src/lib/analytics/kpi-service.ts` (98 lines) — Real implementation
+- `src/lib/analytics/slack-alerts.ts` (208 lines) — Real implementation
+- `src/lib/analytics/report-generator.ts` (178 lines) — Real implementation
+- `src/lib/analytics/cohort-analysis.ts` (140 lines) — Real implementation
+- `src/lib/analytics/nps-service.ts` (204 lines) — Real implementation
+
+**Findings:**
+
+**P1 — Critical (1 issue):**
+1. **Slack Markdown Injection (M-2)** — `formatAlertMessage` (slack-alerts.ts:124) uses ruleName directly, sent as `mrkdwn` type (slack-alerts.ts:182-184). No escaping.
+
+**P2 — High (2 issues):**
+2. **No unit tests** — No test files for analytics router or service layer
+3. **Legacy router dead code** — `server/trpc/legacy/analytics-router.ts` (16KB) unused
+
+**P3 — Minor (3 issues):**
+4. `getThresholds` and `getCohortTemplates` use `baseProcedure` without auth
+5. No error handling/logging for Slack webhook failures
+
+**Verification of Previous Findings:**
+- All 8 original findings (C1-C8) verified FIXED
+- All 3 High findings (H-1 through H-3) verified FIXED
+- All 3 Medium findings (M-1, M-3) verified FIXED; M-2 NOT FIXED
+- L-2 verified FIXED
+
+**Result:**
+- Code review complete — 1 P1, 2 P2, 3 P3 issues found
+- P1 issue must be fixed before passing to Security Reviewer
+- Reassigned to Senior Engineer for P1 fix
+
+**Assigned to:** Senior Engineer (c99c4ede-feab-4aaa-a9a5-17d81cd80644)
+
+**Status:** in_progress — Assigned back for fixes
+
+**Review Document:** `/home/mike/code/FrenoCorp/agents/code-reviewer/reviews/FRE-622-rev2-review.md`
+
+**Heartbeat Run:** $PAPERCLIP_RUN_ID