# Architect Assessment

## Updated Remediation Order

### Summary
- Fix API contract breaks first.
- Then close scraper/network security gaps.
- Then harden runtime architecture for scale/reliability.

### Key Changes
- Align `/syntheses` and admin rate-limit contracts end-to-end (backend + frontend + tests).
- Wire dedicated hardened HTTP clients and enforce SSRF checks per hop with streaming body limits.
- Move job/rate-limit state to shared backing (Redis/DB) if multi-instance is in scope.
- Add contract tests so frontend mocks cannot drift from backend payloads.

### Test Plan
- Backend integration tests for `/syntheses` list shape and `/admin/rate-limits/{provider_name}` update path.
- Security tests for scraper redirect/private-IP/rebinding cases and oversized responses.
- Frontend tests consuming real API fixtures (or generated schema fixtures), not hand-crafted mismatched types.

### Assumptions
- Backend is the API source of truth.
- You want production-safe defaults even for self-hosted single-tenant deployments.