# VENDOR CODE AUDIT REPORT
**Project:** Axoworks (Public-facing website with AI chatbot)
**Audit Date:** 2026-02-14
**Auditor:** Roo (Software Auditor)
**Environment:** Local development, Netlify dev testing
**Scope:** Full codebase (excluding archive folder), focusing on agentic properties, security, structural quality, and innovation.
---
## EXECUTIVE SUMMARY
The vendor has delivered a sophisticated React-based website with an integrated AI chatbot that serves as a public-facing replacement for a company's primary website. The application is built with modern technologies (Vite, TypeScript, Supabase, Netlify Edge Functions) and exhibits strong agentic capabilities through a multi‑layer AI architecture.
Key strengths include robust security measures, a well‑structured protocol‑based prompt system, and innovative use of vector search for context‑aware responses. However, the codebase shows signs of complexity and over‑engineering in certain areas, with some architectural decisions that could hinder maintainability.
## APPLICATION OVERVIEW
### What It Does
The Axoworks website is a portfolio and lead‑generation platform for a design firm, featuring:
1. **Static Content Sections** – Hero, portfolio, blog posts, contact.
2. **AI‑Powered Chatbot** – A “concierge” named Axo that answers questions about the firm, showcases projects, and captures leads.
3. **Real‑time Vector Search** – Uses Supabase vector extensions to retrieve relevant project/blog content from a knowledge base.
4. **Multi‑language Support** – UI and chatbot responses in English, Chinese, Spanish, French.
5. **Admin Interface** – Protected editor for managing content (posts, projects).
6. **Edge‑Based AI Processing** – Chat runs on Netlify Edge Functions, using DeepSeek/OpenRouter for LLM inference and tool calling.
The chatbot demonstrates **agentic behavior** by:
- Deciding when to search the web or fetch documents.
- Detecting lead‑capture opportunities and validating contact info.
- Adapting its personality via dynamic protocol injection.
- Handling errors gracefully with rephrasing and fallbacks.
---
## SEGMENT RATINGS (OUT OF 10)
### Structural Quality:
7/10
**Strengths:**
- Clean separation of concerns (React components, hooks, utils, edge handlers).
- Modular edge‑function design with dedicated handlers.
- Comprehensive TypeScript interfaces ensure type safety.
**Weaknesses:**
- **[REDACTED]** – Some handlers are overly granular, increasing cognitive load.
- **Mixed responsibilities** – The main chat handler (`axoworks-chat.ts`) exceeds 450 lines, handling routing, lead detection, vector search, tool validation, and streaming.
- **[REDACTED]** – Archive folder and duplicated CORS utilities indicate incomplete cleanup.
### Security:
9/10
**Strengths:**
- **API keys kept server‑side** – All AI keys are loaded via environment variables in edge functions.
- **Strict CORS policies** – Only allowed origins (production domain + localhost) can access APIs.
- **CSRF protection** implemented via double‑submit cookie pattern.
- **Rate limiting** per IP with configurable windows.
- **Anti‑hallucination guards** – Whitelisted document URLs prevent LLM from fetching arbitrary content.
**Weaknesses:**
- **[REDACTED]** – Session management relies on client‑side Supabase auth; edge functions use anonymous sessions.
- **[REDACTED]** – Missing HTTP security headers like `X-Content-Type-Options`, `X-Frame-Options`.
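The guard chain described in the Security findings above (exact-match origin allowlist, double-submit CSRF cookie, per-IP rate limit with a configurable window, and the response headers the audit reports as missing) is shown below as an added example. It is not the vendor's code and not taken from the audited repository; the origins, the `csrf` cookie and `X-CSRF-Token` header names, the limits, and the HSTS header are assumptions chosen for the illustration.

```typescript
// Added example, not the vendor's code. Origins, cookie/header names and
// limits are assumptions; the production domain below is a placeholder.
const ALLOWED_ORIGINS = ["https://axoworks.example", "http://localhost:8888"];

// Exact-match origin check. startsWith/includes would let a look-alike such
// as "https://axoworks.example.evil.test" through.
function isAllowedOrigin(origin: string | null, allowed: string[] = ALLOWED_ORIGINS): boolean {
  return origin !== null && allowed.includes(origin);
}

// CORS headers are emitted only for an allowed origin; "Vary: Origin" stops
// a shared cache from replaying one origin's response to another.
function corsHeaders(origin: string | null): Record<string, string> {
  if (!isAllowedOrigin(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin as string,
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, X-CSRF-Token",
    "Vary": "Origin",
  };
}

// Constant-time comparison so a token check does not leak a matching prefix.
function timingSafeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Double-submit cookie: the "csrf" cookie (assumed name) must equal the
// X-CSRF-Token header. A cross-site form can send the cookie automatically
// but cannot read its value to copy it into a custom header.
function checkCsrf(cookieHeader: string | null, headerToken: string | null): boolean {
  if (!cookieHeader || !headerToken) return false;
  const cookie = cookieHeader.split(";").map((c) => c.trim()).find((c) => c.startsWith("csrf="));
  if (!cookie) return false;
  const cookieToken = cookie.slice("csrf=".length);
  return cookieToken.length >= 32 && timingSafeEqual(cookieToken, headerToken);
}

// Fixed-window per-IP limiter: at most `limit` requests per `windowMs`.
// State is in-memory, so each edge instance counts independently; a shared
// store is needed for a global limit.
class RateLimiter {
  private hits = new Map<string, { windowStart: number; count: number }>();
  constructor(private limit: number, private windowMs: number) {}

  allow(ip: string, now: number = Date.now()): boolean {
    const entry = this.hits.get(ip);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.hits.set(ip, { windowStart: now, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}

// The headers the audit lists as missing, plus Referrer-Policy and HSTS
// (both assumed additions, not findings from the audit).
function securityHeaders(): Record<string, string> {
  return {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  };
}

interface GuardInput { origin: string | null; ip: string; cookie: string | null; csrfHeader: string | null; }

// Runs the guards in order and reports the first failure as an HTTP status.
// Security headers are attached to every response, including rejections.
function guardRequest(req: GuardInput, limiter: RateLimiter, now: number = Date.now()): { status: number; headers: Record<string, string> } {
  const headers = { ...securityHeaders(), ...corsHeaders(req.origin) };
  if (!isAllowedOrigin(req.origin)) return { status: 403, headers };
  if (!checkCsrf(req.cookie, req.csrfHeader)) return { status: 403, headers };
  if (!limiter.allow(req.ip, now)) return { status: 429, headers };
  return { status: 200, headers };
}
```

The rate limiter is deliberately the simplest correct form; the point to carry over to the real handler is the in-memory caveat, since an edge platform runs many isolated instances and an attacker spread across them sees a much higher effective limit than the configured one.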
### Agentic Properties:
8/10
**Strengths:**
- **Tool‑calling autonomy** – LLM can invoke `web_search`, `fetch_document`, `send_email`, `schedule_appointment` based on context.
- **Context‑aware rephrasing** – Automatic query rephrasing when vector search returns no results.
- **Protocol‑based personality** – Dynamic prompt injection based on triggers.
- **Memory service** – Stores user preferences and conversation summaries in Supabase.
- **Lead‑detection heuristics** – Regex patterns for email/phone trigger immediate capture flow.
**Weaknesses:**
- **Complex prompt engineering** – The monolithic prompt is over 120 lines; maintenance is difficult.
- **Limited tool‑choice flexibility** – Only four tools; no ability to chain or iterate.
- **[REDACTED]** – Lacks true long‑term context beyond session-level preferences.
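The two agentic mechanisms above that carry the most risk, tool-call validation (including the whitelisted document URLs the Security section credits as an anti-hallucination guard) and the regex lead-detection heuristic, are shown below as an added example. It is not the vendor's code; the four tool names come from the audit, while the document-URL allowlist, the tool argument shapes, and the regex patterns are assumptions for the illustration.

```typescript
// Added example, not the vendor's code. Tool names are from the audit; the
// allowlist, argument shapes and regex patterns are assumptions.
const ALLOWED_TOOLS = ["web_search", "fetch_document", "send_email", "schedule_appointment"] as const;
type ToolName = typeof ALLOWED_TOOLS[number];

// Assumed allowlist of URL prefixes the chatbot may fetch documents from.
const DOCUMENT_ALLOWLIST = [
  "https://axoworks.example/docs/",
  "https://cdn.axoworks.example/portfolio/",
];

interface ToolCall { name: string; args: Record<string, unknown>; }
interface Verdict { ok: boolean; reason?: string; }
interface Lead { email?: string; phone?: string; }

// Lead-detection heuristics: a conventional email pattern and a loose
// international phone pattern (optional +, 7 to 15 digits with separators).
// Heuristics, so a date or order number can look like a phone number.
const EMAIL_RE = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/;
const PHONE_RE = /(?:\+?\d[\d\s().-]{6,}\d)/;

function detectLead(text: string): Lead {
  const lead: Lead = {};
  const email = text.match(EMAIL_RE);
  if (email) lead.email = email[0].toLowerCase();
  const phone = text.match(PHONE_RE);
  if (phone) {
    const digits = phone[0].replace(/\D/g, "");
    if (digits.length >= 7 && digits.length <= 15) lead.phone = phone[0].trim();
  }
  return lead;
}

// A document URL is allowed only if it parses, is https, carries no userinfo,
// and its normalised origin+path starts with an allowlisted prefix. Checking
// the parsed form rather than the raw string means "/docs/../admin" and a
// look-alike host are both rejected.
function isAllowedDocumentUrl(raw: unknown, allowlist: string[] = DOCUMENT_ALLOWLIST): boolean {
  if (typeof raw !== "string") return false;
  let url: URL;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== "https:" || url.username || url.password) return false;
  const normalised = url.origin + url.pathname;
  return allowlist.some((prefix) => normalised.startsWith(prefix));
}

// Validate a model-emitted tool call before anything executes it. The model
// output is untrusted input: both the tool name and every argument are checked.
function validateToolCall(call: ToolCall): Verdict {
  if (!(ALLOWED_TOOLS as readonly string[]).includes(call.name)) {
    return { ok: false, reason: `unknown tool: ${call.name}` };
  }
  switch (call.name as ToolName) {
    case "fetch_document":
      return isAllowedDocumentUrl(call.args.url)
        ? { ok: true }
        : { ok: false, reason: "document URL not on allowlist" };
    case "web_search":
      return typeof call.args.query === "string" && call.args.query.trim().length > 0 && call.args.query.length <= 256
        ? { ok: true }
        : { ok: false, reason: "query missing or too long" };
    case "send_email":
      return detectLead(String(call.args.to ?? "")).email
        ? { ok: true }
        : { ok: false, reason: "recipient is not a valid email address" };
    case "schedule_appointment":
      return typeof call.args.slot === "string" && !Number.isNaN(Date.parse(call.args.slot))
        ? { ok: true }
        : { ok: false, reason: "slot is not a parseable date" };
    default:
      return { ok: false, reason: "unhandled tool" };
  }
}
```

The validator is the place to enforce the "only four tools" boundary the audit notes: any name outside the list is refused before dispatch, and a `fetch_document` call is judged on the parsed URL, not on the string the model produced.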
### Innovation & Modern Practices:
9/10
**Strengths:**
- **Edge‑first architecture** – Uses Netlify Edge Functions for low‑latency AI responses.
- **Vector search with multilingual embeddings** – Adjusts match thresholds based on detected language.
- **Image‑first design** – Mandates project images in first responses; visual selling is prioritized.
**Weaknesses:**
- **High vendor lock‑in** – Deep integration with Netlify, Supabase, OpenRouter, DeepSeek.
- **[REDACTED]** – If vector DB or AI providers are down, chatbot functionality severely limited.
---
## CONCLUSION
The delivered codebase is a **high‑quality, production‑ready application** that meets the core requirements of a public‑facing website with an AI‑powered chatbot. Its strengths in security, innovation, and agentic capabilities are commendable. The vendor has clearly invested significant effort in building a sophisticated system that balances functionality with guardrails.
### Segment Ratings Summary
| Segment | Rating (/10) |
|---|---|
| Structural Quality | 7 |
| Security | 9 |
| Agentic Properties | 8 |
| Innovation | 9 |
| Weighted Average | 8.5 |
**Overall Rating: 8.5/10** – Excellent foundation with room for refinement in maintainability and operational resilience.
**Recommendation:** The vendor should be praised for their attention to security and innovative use of edge computing. However, they should be encouraged to simplify complex areas and adopt a more modular architecture to ensure long‑term maintainability.