# DEEP INVESTIGATION REPORT — RateRight Systems

**Date:** 2026-02-07
**Investigator:** Claude (Deep Audit)
**Scope:** Every project on this VPS, every deployment, every feature claim

---

## 1. COMPLETE INVENTORY OF ALL PROJECTS ON VPS

| # | Directory | Framework | Purpose | Git Remote |
|---|-----------|-----------|---------|------------|
| 1 | `/home/ccuser/rateright-main-site` | Flask (Python) | V1 main website — the LIVE production app | `github.com/mcloughlinmichaelr-debug/-RateRight.git` |
| 2 | `/home/ccuser/rateright-v2` | Next.js 16 (TypeScript) | V2 rewrite attempt | `github.com/RateRight-PTY-LTD/the-50-dollar-app.git` |
| 3 | `/home/ccuser/the-50-dollar-app` | Next.js 16 (TypeScript) | V2 — slightly more advanced copy | Same repo as #2 |
| 4 | `/home/ccuser/workdir` | Next.js 16 (TypeScript) | V2 — clone of #3 with audit fixes | Same repo as #2 |
| 5 | `/home/ccuser/rateright-growth` | Express.js (Node) + React admin | Growth engine / CRM / sales automation | `github.com/mcloughlinmichaelr-debug/rateright-growth.git` |
| 6 | `/home/ccuser/rateright-phone-ai` | Express.js (Node) | AI phone receptionist (lead qualification) | Local only — no remote |

**Key finding: Projects 2, 3, and 4 are THREE COPIES of the same codebase** (all push to `the-50-dollar-app.git`). `workdir` was cloned from `the-50-dollar-app` and has some audit fixes on top.

---

## 2. WHAT IS DEPLOYED WHERE

### rateright.com.au — THE LIVE SITE

- **DNS:** `rateright.com.au` → CNAME → `rateright-au.fly.dev` → `66.241.124.40`
- **www.rateright.com.au** → same (CNAME to `rateright-au.fly.dev`)
- **Hosting:** Fly.io, Sydney region (`syd`)
- **App:** `rateright-au` (Flask/Python app from `rateright-main-site`)
- **Server:** Gunicorn, 4 workers, port 8080
- **Database:** PostgreSQL (Fly.io managed, NOT Supabase)
- **Status:** LIVE AND RUNNING (HTTP 200 on `/` and `/register`)

### rateright.com.au/signup — DOES IT WORK?

- **`/signup` → 404 NOT FOUND.** This route does not exist.
- **`/auth/signup` → 404 NOT FOUND.** This is a v2 route, not v1.
- **`/register` → 200 OK.** This is the REAL signup page on the live site (Flask route).
- The live signup URL is: **`rateright.com.au/register`**

### Vercel (v2 app) — NOT DEPLOYED

- `the-50-dollar-app.vercel.app` → **DEPLOYMENT_NOT_FOUND** (404)
- The v2 Next.js app has `vercel.json` configured but was **never actually deployed to Vercel**
- No live Vercel deployment exists

### Railway (Growth Engine)

- `rateright-growth-production.up.railway.app` → **LIVE** (200 OK on `/health/ping`)
- Growth engine CRM is deployed and running on Railway

### Voice Systems

- **Pipecat voice assistant** (Python): Configured to run on `134.199.153.159:8765` (this VPS)
- **VAPI phone AI**: Webhook target is `rateright-growth-production.up.railway.app/api/vapi/webhook`
- **Phone numbers**: +61 468 087 171, +61 426 246 472

### Supabase

- **ONE Supabase project**: `memscjotxrzqnhrvnnkc.supabase.co`
- Used by: rateright-v2, the-50-dollar-app, workdir, AND rateright-growth
- The v1 Flask app does NOT use Supabase — it has its own PostgreSQL on Fly.io

---

## 3. HONEST STATUS OF EACH FEATURE

### A. SIGNUP FLOW

| Question | Answer |
|----------|--------|
| Does `rateright.com.au/signup` work? | **NO. Returns 404.** |
| Does `rateright.com.au/register` work? | **YES.** Flask registration form with email, password, name, phone, ABN, role selection. |
| Is there email verification? | **YES** on v1 (token-based, 24hr expiry, via Resend). **YES** on v2 (Supabase auth). |
| Is there ABN verification? | **YES** on v1 (checksum validation). **YES** on v2 (ABR API lookup). |
| Does the v2 signup work? | **CANNOT TEST** — v2 is not deployed anywhere. Only exists as code on this VPS. |

### B. VOICE SIGNUP

| Question | Answer |
|----------|--------|
| Is voice signup functional end-to-end? | **NO.** |
| What exists? | v2 worker signup has a "Send a voice note" button that is **explicitly disabled** with text "Coming soon". The button has `disabled` attribute and `opacity-50` CSS. |
| Is there any voice transcription code? | **NO.** No Whisper, no audio recording library, no voice-to-profile pipeline in any v2 codebase. |
| OpenAI in v2? | Used ONLY for text bio generation (`/api/ai/generate-profile`), not voice. |
| Voice tech that EXISTS (elsewhere)? | The **growth engine** has real voice: Twilio calls, VAPI (OpenAI Realtime), Pipecat (Deepgram + Claude + ElevenLabs). But this is for **internal sales/lead qualification**, NOT for worker signup. |

### C. WORKER VERIFICATION (White Card, ID Check)

| Question | Answer |
|----------|--------|
| Is worker verification actually built? | **PARTIALLY on v1. NOT on v2.** |
| V1 (Flask) has: | `white_card_number`, `white_card_expiry` fields in User model. `public_liability_insurance`, `workers_comp_insurance` fields. A `/profile/verification` route exists. Document upload via Cloudinary. |
| V2 (Next.js) has: | Database schema with `white_card_number` and `white_card_verified` fields. Worker signup lets you CHECK a "White Card" box. But there is **no verification flow** — no photo upload, no OCR, no ID check, no admin review. |
| Is white card actually verified? | **NO.** Users can self-report having one. Nobody checks. The `white_card_verified` boolean defaults to `false` and nothing ever sets it to `true`. |
| ID verification? | **NOT BUILT** on either version. |
| ASIC director verification? | **STUBBED** — code comment says "requires paid ASIC Connect subscription, flagging for manual review instead." |

### D. NO-SHOW / CANCELLATION FLOW

| Question | Answer |
|----------|--------|
| Is a no-show/cancellation flow built? | **YES on v1. NO on v2.** |
| V1 (Flask) has: | `BookingStatus.CANCELLED` and `BookingStatus.NO_SHOW` states. `cancel()` method with reason tracking, timestamp, and slot release. Contract model supports `cancelled` status with dispute workflows. |
| V2 (Next.js) has: | **NOTHING.** Zero code for cancellation or no-show. No database fields for it. Job statuses are only: draft, active, filled, closed. No booking model at all. |

### E. STRIPE INTEGRATION

| Question | Answer |
|----------|--------|
| Is Stripe actually built? | **YES on v1. FAKE on v2.** |
| V1 (Flask) has: | `stripe` package installed. Full `stripe_service.py` with payment intents, escrow, refunds. Stripe Connect for worker payouts. Webhook handler for `payment_intent.succeeded/failed/canceled`. Idempotency protection. Payment UI template. Feature flag enabled. |
| V2 (Next.js) has: | A `payments` table in the database schema. A `/api/payments/create` route that creates a database record with status "pending" — but **does NOT call Stripe at all**. No `stripe` package in `package.json`. No Stripe API key configured. The landing page promises "$50 flat fee per hire" but the code just writes a row to the database. |

---

## 4. V1 vs V2 COMPARISON

### V1: `rateright-main-site` (Flask on Fly.io) — THE LIVE APP

| Feature | Status | Notes |
|---------|--------|-------|
| User Registration | REAL | `/register` route, email/ABN validation |
| Email Verification | REAL | Token-based, 24hr expiry, Resend email |
| Stripe Payments | REAL | Payment intents, escrow, Connect, webhooks |
| Booking System | REAL | Pending/confirmed/in-progress/completed/cancelled/no-show |
| Cancellation Flow | REAL | With reason tracking, slot release |
| No-Show Tracking | REAL | Status field, linked to contracts |
| Messaging | REAL | In-app messaging service |
| Worker Verification | PARTIAL | White card fields exist, document upload exists, but no OCR/automated check |
| SMS Notifications | REAL | Twilio integration |
| Email Notifications | REAL | Resend integration |
| Calendar Sync | REAL | Google Calendar/Outlook |
| PDF Generation | REAL | Contracts, invoices |
| Ratings System | REAL | Rating service built |
| Gamification | REAL | Leaderboards, points, levels |
| Time Tracking | REAL | Time logging service |
| Analytics | REAL | Analytics service |
| GDPR Compliance | REAL | Soft-delete, user deletion service |
| Voice/Whisper | NOT BUILT | No voice features at all |
| AI Features | REAL | `ai_service.py` (39KB) |

### V2: `the-50-dollar-app` / `rateright-v2` / `workdir` (Next.js, NOT deployed)

| Feature | Status | Notes |
|---------|--------|-------|
| User Registration | BUILT (untested) | `/auth/signup` route, not deployed |
| Email Verification | BUILT (untested) | Via Supabase Auth |
| Contractor Signup | BUILT (untested) | Multi-step ABN lookup flow |
| Worker Signup | BUILT (untested) | Multi-step form, AI bio generation |
| Stripe Payments | FAKE | Database record only, no Stripe SDK, no actual charges |
| Job Posting | PARTIAL | UI exists; unclear whether saving works |
| Job Matching/Swiping | PARTIAL | UI exists with mock data |
| Messaging | MOCK | UI scaffold with mock conversations |
| Dashboard | BUILT | Role-based views |
| PWA Support | BUILT | Service worker, manifest |
| Voice Signup | NOT BUILT | Button disabled, "Coming soon" |
| White Card Verification | NOT BUILT | Checkbox only, no verification |
| No-Show/Cancellation | NOT BUILT | No code at all |
| Ratings | SCHEMA ONLY | Table defined, no UI or logic |
| Notifications | SCHEMA ONLY | Table defined, no implementation |
| Booking System | NOT BUILT | No booking model |
| Time Tracking | NOT BUILT | |
| Gamification | NOT BUILT | |
| Calendar Sync | NOT BUILT | |
| PDF Generation | NOT BUILT | |
| Analytics | NOT BUILT | |

### Growth Engine: `rateright-growth` (Express.js on Railway) — LIVE

| Feature | Status | Notes |
|---------|--------|-------|
| Lead Management | REAL | Full CRM with lifecycle tracking |
| SMS Campaigns | REAL | Twilio integration, scheduled messages |
| Voice Calling (Browser) | REAL | Twilio Voice SDK in admin dashboard |
| AI Call Coaching | REAL | LiveCopilot component |
| VAPI Phone AI | REAL | OpenAI Realtime API, webhook processing |
| Pipecat Voice Assistant | REAL | Deepgram STT + Claude + ElevenLabs TTS |
| Activation Funnel | REAL | Worker/contractor lifecycle stages |
| Slack Notifications | REAL | Webhook integration |
| Admin Dashboard | REAL | React SPA with full CRUD |
| Stage Diagnosis | REAL | AI-powered stuck-lead analysis |
| Platform Sync | REAL | Syncs data from main RateRight |

### Phone AI: `rateright-phone-ai` (Express.js, deployment status unclear)

| Feature | Status | Notes |
|---------|--------|-------|
| AI Receptionist | BUILT | "Sarah" answers calls after 2 rings |
| Lead Qualification | BUILT | Extracts name, type, trade, location from transcript |
| CRM Integration | BUILT | Posts leads to Growth Engine API |
| Dual Notifications | BUILT | Slack + SMS alerts |
| Twilio Forwarding | BUILT | Conditional call routing |

---

## 5. WHAT IS REAL vs PLANNED vs BROKEN

### REAL (Working in Production)

1. **rateright.com.au** — Live Flask app on Fly.io serving the v1 platform
2. **rateright.com.au/register** — Real signup page that works
3. **Stripe payments on v1** — Full payment processing with escrow
4. **Booking/cancellation on v1** — Complete workflow with no-show tracking
5. **Growth engine on Railway** — Live CRM with SMS, calling, AI coaching
6. **VAPI phone AI** — Webhook processing for AI phone calls
7. **Supabase** — One project (`memscjotxrzqnhrvnnkc`) used by growth engine + v2 code
8. **Twilio voice/SMS** — Working across growth engine and phone AI
9. **Two real phone numbers** — +61 468 087 171 and +61 426 246 472

### PLANNED (Code Exists but NOT Deployed or NOT Functional)

1. **V2 Next.js app** — Complete signup flows, dashboard, job posting UI exist in code. NEVER deployed to Vercel. Nobody can use it.
2. **Voice signup** — Disabled button says "Coming soon". No backend code exists.
3. **White card verification** — Database fields exist. No verification logic. Users can only self-report.
4. **Stripe on v2** — Creates database records but never calls Stripe. No `stripe` package installed.
5. **$50 flat fee model** — Promised on v2 landing page, not implemented in code.
6. **AI profile builder** — `/api/ai/generate-profile` endpoint exists, but it is unclear whether it works end-to-end (v2 not deployed).
7. **ASIC director verification** — Explicitly stubbed with "needs paid subscription" comment.

### BROKEN / MISLEADING

1. **`rateright.com.au/signup` → 404.** This URL does not work. The real signup is at `/register`.
2. **Three copies of v2** — `rateright-v2`, `the-50-dollar-app`, and `workdir` are all the same repo at slightly different states. This is confusing and wasteful.
3. **V2 Vercel deployment** — Has `vercel.json` but `the-50-dollar-app.vercel.app` returns `DEPLOYMENT_NOT_FOUND`. It was configured but never deployed.
4. **ABR GUID placeholder** — v2 has `ABR_GUID="REGISTER-TOMORROW-AT-ABR-BUSINESS-GOV-AU"` — this is a placeholder, not a real API key. ABN lookup would fail in production.
5. **SUPABASE_SERVICE_KEY on workdir** — Set to `sb_secret_TuVWrhhArzQtH4Ixtw1wYw_WSJAtWPo` which appears to be a placeholder, not a real key.

---

## 6. GIT REMOTES SUMMARY

| Project | Remote | Repo |
|---------|--------|------|
| rateright-main-site | origin | `github.com/mcloughlinmichaelr-debug/-RateRight.git` |
| rateright-v2 | origin | `github.com/RateRight-PTY-LTD/the-50-dollar-app.git` |
| the-50-dollar-app | origin | `github.com/RateRight-PTY-LTD/the-50-dollar-app.git` |
| workdir | origin | `github.com/RateRight-PTY-LTD/the-50-dollar-app.git` |
| rateright-growth | origin | `github.com/mcloughlinmichaelr-debug/rateright-growth.git` |
| rateright-phone-ai | NONE | Local only, no remote configured |

---

## 7. SUPABASE DETAILS

- **One project:** `memscjotxrzqnhrvnnkc.supabase.co`
- **Used by:** rateright-growth (leads, comms, tasks), v2 apps (profiles, companies, jobs, matches, payments)
- **NOT used by:** rateright-main-site (uses its own PostgreSQL on Fly.io)
- **RLS:** Enabled on all v2 tables
- **Tables in v2 schema:** profiles, companies, worker_profiles, jobs, matches, ratings, payments, notifications
- **Tables in growth engine:** leads, communications, lead_notes, platform_activity, callbacks, conversions, vapi_tasks, push_subscriptions

---

## 8. BOTTOM LINE

**The situation is:**

1. The LIVE website (`rateright.com.au`) runs v1 Flask on Fly.io. It has real Stripe, real bookings, real cancellation flows. Signup is at `/register`, not `/signup`.

2. A v2 rewrite exists in THREE duplicate directories on this VPS. It has a nice UI, auth flows, and a landing page — but it has NEVER been deployed. Nobody can use it. It has fake Stripe (database writes only), no voice features, no verification, and no cancellation flow.

3. The Growth Engine is the most actively developed system. It's live on Railway, has real voice/calling capabilities, CRM, and sales automation. This is the operational backbone.

4. Voice AI exists but ONLY for internal sales/lead qualification (Growth Engine + Phone AI). There is NO voice signup for workers or contractors on either v1 or v2.

5. White card "verification" is a checkbox. Nothing is actually verified. On v1, the fields exist in the database. On v2, it's a certification option in signup. Neither version validates or checks anything.

6. The v2 app promises things on its landing page ("$50 flat fee", "White Card verification on every profile") that are not built in the code behind it.

---

*Report generated 2026-02-07. All findings verified against actual code, DNS records, and HTTP responses.*
