Code Review Notes
Date: 2026-01-04
Scope: High-level review of client/server for pediatric cognitive assessment platform.
Findings
- Server schemas only accept simple_rt/cpt/nback/tmt (server/app/models/cognitive_data.py); client submits nine task summaries, so flanker, digit_span, choice_rt, digit_symbol, verbal_pa, visual_pa are dropped before persistence/REDCap.
- Rate limiting is configured but not applied (slowapi middleware/decorators absent), leaving /session/start and /submit unthrottled.
- Sessions live in-memory; a multi-process deployment or a restart drops active sessions, so subsequent submissions fail with 401. Session IDs are plain UUIDs with no signing or binding, and session_secret is never used.
- Local storage writes raw_trials verbatim with no size cap or PII scrubbing; large/malicious payloads could fill disk.
- Task summary math uses lower-middle median and population SD (e.g., simple RT); may misalign with normative scoring.
- No automated tests for FastAPI endpoints or task summary functions; regressions hard to detect.
Open Questions
- Should all nine task summaries be persisted and sent to REDCap?
- Expected deployment topology (single worker vs multi-instance)? Drives session store choice.
- Storage/privacy requirements for raw trial data vs summaries only?
Suggested Next Steps
1) Align server models/storage/REDCap mapping with all tasks; add integration tests for full submissions.
2) Enforce rate limiting/auth (SlowAPI middleware, signed/opaque session tokens) and move sessions to Redis/DB with TTL.
3) Add contract tests for API and unit tests for task summary calculations; standardize median/SD definitions.
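One way to address the unsigned-UUID finding and step 2 above: mint session tokens that bind the session ID to an expiry under an HMAC keyed with the otherwise unused session_secret, so a token can neither be forged nor have its lifetime extended client-side. This is an added stdlib-only example, not the project's code; `mint_session_token`, `verify_session_token` and the `id.expiry.signature` layout are hypothetical.

```python
# Added example (not the project's code): signed, expiring session tokens in
# place of plain UUID session IDs. Standard library only; names are hypothetical.
import base64
import hashlib
import hmac
import time
import uuid
from typing import Optional


def _sign(session_secret: bytes, payload: bytes) -> str:
    # HMAC-SHA256 over the payload, URL-safe base64 without '=' padding.
    digest = hmac.new(session_secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def mint_session_token(session_secret: bytes, ttl_seconds: int,
                       now: Optional[float] = None) -> str:
    """Return 'session_id.expires_at.signature' for a fresh session.

    The signature covers both fields, so the expiry cannot be edited
    without knowledge of session_secret. 'now' is injectable for tests.
    """
    now = time.time() if now is None else now
    session_id = uuid.uuid4().hex
    expires_at = int(now) + ttl_seconds
    payload = f"{session_id}.{expires_at}".encode("ascii")
    return f"{payload.decode('ascii')}.{_sign(session_secret, payload)}"


def verify_session_token(token: str, session_secret: bytes,
                         now: Optional[float] = None) -> Optional[str]:
    """Return the session ID if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    session_id, expires_str, signature = parts
    payload = f"{session_id}.{expires_str}".encode("ascii")
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(_sign(session_secret, payload), signature):
        return None
    if not expires_str.isdigit() or int(expires_str) <= now:
        return None
    return session_id


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; load from config in practice
    token = mint_session_token(secret, ttl_seconds=600)
    print(token, "->", verify_session_token(token, secret))
```

The token still indexes server-side session state (Redis/DB with a matching TTL); signing only stops clients from presenting IDs the server never issued or tokens past their expiry.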