+Code review punch list (2026-03)
+=================================
+Grouped by topic, roughly ordered so that simpler/higher-impact items
+come first within each group.
+
+Quick fixes
+-----------
+[ ] Fix typo in empathy.js: "this.ansering_idle_timer" → "this.answering_idle_timer"
+
+[ ] Fix session config in lmno.js: set resave:false and
+ saveUninitialized:false to silence deprecation warnings and avoid
+ creating unnecessary session cookies for every visitor.
+
+[ ] Replace body-parser with express.json() / express.urlencoded()
+ (built into Express since 4.16, body-parser is redundant).
+
+Input validation and security
+-----------------------------
+[ ] Add input validation at route boundaries: type checks, length
+ limits, and HTML-entity encoding for user-provided strings
+ (character names, prompt text, answers) before broadcasting.
+
+[ ] Run "npm audit" and update pinned dependency versions
+ (express 4.17.1, nunjucks 3.2.1, etc. are from ~2019-2020).
+
+Robustness
+----------
+[ ] Add basic state persistence (e.g., write game state to a JSON file
+ on each move, reload on server startup) so games survive a server
+ restart.
+
+[ ] Add a process manager (pm2 or systemd unit) to auto-restart the
+ server on crashes.
+
+Testing
+-------
+[ ] Add unit tests for core game logic — especially Empathy scoring,
+ Scribe glyph detection, and Empires capture chains. Node's built-in
+ test runner or Jest would both work.
+
+Frontend modernization (larger effort)
+---------------------------------------
+[ ] Upgrade from React 16 class components to modern React with hooks
+ and functional components. Replace the window.game global pattern
+ with a useEventSource hook and context provider.
+
+[ ] Replace Babel 6 + Makefile build with Vite (or similar modern
+ bundler) for ES module imports, HMR in development, and proper
+ tree-shaking/minification.
+
+Server architecture (larger effort)
+------------------------------------
+[ ] Consider a formal state-machine pattern for Empathy's phase
+ management (prompts → answering → judging → scoring) instead of
+ scattered if-checks across methods.
+
+[ ] Replace the meta getter/setter trick in game.js with plain static
+ class fields or a game registry for clarity.
+
+=================================
+Original TODO list follows below
+=================================
+
Ordered list (repeating some of the below)
-----------------------------------------
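Review bot: In the "Input validation and security" group, the item asking for "HTML-entity encoding for user-provided strings ... before broadcasting" places output encoding at the route boundary, which means already-escaped text is stored and broadcast, inviting double-encoding and leaving any sink that bypasses the route unprotected. Suggest splitting it: keep the type checks and length limits at the route boundary, and add a separate item to verify that every place these strings are rendered escapes for its own context. React escapes text children by default, so that item is mostly an audit for dangerouslySetInnerHTML and for Nunjucks templates rendered with autoescape turned off. Two smaller points: the session item under "Quick fixes" could also list the cookie flags to review (httpOnly, secure, sameSite) next to resave and saveUninitialized, and the state-persistence item under "Robustness" should say the JSON file is written atomically (temp file plus rename), so a crash mid-write does not leave an unreadable state file for the reload on startup.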