Webisoft
Prepared for Tamarack Defense

Software Takeover & Maintenance

Full ownership of your MVP portal — maintenance, performance optimization, and continuous feature development.

Tamarack Defense · Webisoft · March 30, 2026 · v1.0

Section 01

Overview

Webisoft proposes to take full ownership of Tamarack Defense's MVP portal — currently built on React, TypeScript, Django 5.2, and Python — providing long-term maintenance, performance optimization, and continuous feature development.

This engagement replaces the current single-developer dependency with a stable, onshore Canadian engineering team of ~40 people with deep Django and React expertise.

Section 02

Scope of Engagement

Phase 1

Onboarding & Takeover

  • NDA execution and codebase access
  • Full code review and architecture assessment
  • Developer knowledge transfer and documentation
  • Performance audit and optimization (targeting the 4–5M row load latency issue, currently 5–10s)
  • Parallel collaboration with existing freelance developer during handoff
  • Delivery of internal technical documentation

Phase 2

Ongoing Maintenance & Development

  • Primary point of ownership for the portal
  • SLA coverage for bug fixes and critical updates
  • Continuous improvements drawn from monthly development hour bank
  • Quarterly roadmap reviews aligned with product priorities

Section 03

Pricing

One-Time Onboarding Fee

Covers codebase review, architecture documentation, knowledge transfer, and initial performance optimization sprint.

$5,000 USD one-time

Monthly Retainer

Item               | Detail                                 | Cost
Base Retainer      | Maintenance, SLA coverage & monitoring | $2,000/mo
Included Dev Hours | 8 hrs/month @ no additional charge     | Included
Additional Hours   | Discounted retainer rate               | $110/hr (discounted from $125)
Unused Hours       | Roll over after 3 months               |

Section 04

Key Differentiators

Onshore Canadian Team

All engineering based in Montreal — no offshore risk, same timezone, same standards.

Exact Stack Match

React + Django expertise at the CTO and senior dev level. No learning curve.

Proven B2B Portal Experience

Dashboards, data-heavy platforms, government sector (RCMP asset seizure tool).

Performance Track Record

Experience resolving similar high-volume data load issues in production environments.

Flexible Model

Hour bank rolls over. Pricing adjusts as scope evolves. No lock-in.

Security-First Mindset

Immediate attention to hardcoded secrets, exposed keys, and auth vulnerabilities.

Section 05

Codebase Evaluation: TDGUI

A full-stack defense analytics platform (Django 5.2 + React 18 + PostgreSQL) for tracking military platforms, budgets, and subsystems.

Area           | Rating | Key Issues
Architecture   | 7/10   | Well-structured, but monolithic files
Code Quality   | 5/10   | Broad exceptions, debug prints, no typing
Security       | 3/10   | Secrets in code, no rate limiting
Testing        | 2/10   | Only 76 lines of tests in entire project
Error Handling | 4/10   | 40+ bare except Exception: blocks
Performance    | 7/10   | Good indexing/rollups, but no caching strategy
Dependencies   | 8/10   | All current, no known CVEs

Section 06

Critical Security Issues

These must be addressed immediately — they represent active risk in production.

  • Hardcoded SECRET_KEY in settings.py:25 — must be an environment variable
  • ALLOWED_HOSTS = ['*'] in settings.py:30 — accepts any hostname in production
  • DB password webtest123 in docker-compose.yml:13 — use .env files
  • Certbot private keys committed in certbot/conf/accounts/ — must be removed from repo history
  • Hardcoded API URL in djangoClient.js:376 — should use import.meta.env
  • Auth tokens in localStorage (auth flow) — vulnerable to XSS; prefer httpOnly cookies

Section 07

Improvement Roadmap

P0

Security (do now)

  • Move all secrets to environment variables (SECRET_KEY, DB creds, API URLs)
  • Remove certbot private keys from git history (BFG)
  • Restrict ALLOWED_HOSTS to actual domains
  • Add rate limiting middleware (django-ratelimit)
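The Section 06 findings and the P0 items above reduce to one startup rule: every sensitive value is read from the environment and validated before Django boots, so a wildcard ALLOWED_HOSTS or a placeholder SECRET_KEY fails loudly instead of shipping. The loader below is an added example, not code from the TDGUI repository; the variable names (DJANGO_SECRET_KEY, DJANGO_ALLOWED_HOSTS, POSTGRES_PASSWORD, DJANGO_DATA_UPLOAD_MAX_MEMORY_SIZE) and the 50 MB upload default are assumptions.

```python
import os


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (keeps the example Django-free)."""


def load_security_settings(environ=os.environ):
    """Return the security-sensitive settings as a dict, read from environ (default os.environ).

    Refuses to start with the defects the audit found: weak/missing SECRET_KEY, wildcard
    ALLOWED_HOSTS, DB password outside the environment, multi-gigabyte request cap.
    """
    env = environ

    # Same thresholds Django's security.W009 check applies to SECRET_KEY.
    secret_key = env.get("DJANGO_SECRET_KEY", "")
    if len(secret_key) < 50 or len(set(secret_key)) < 5:
        raise ImproperlyConfigured("DJANGO_SECRET_KEY missing or weak (need >= 50 chars, >= 5 unique)")

    # Comma-separated list of real domains; '*' (settings.py:30 today) is rejected.
    allowed_hosts = [h.strip() for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not allowed_hosts or "*" in allowed_hosts:
        raise ImproperlyConfigured("DJANGO_ALLOWED_HOSTS must list the actual domains, not '*'")

    # Password comes from a .env file loaded into the container, not from docker-compose.yml.
    db_password = env.get("POSTGRES_PASSWORD", "")
    if not db_password:
        raise ImproperlyConfigured("POSTGRES_PASSWORD is not set in the environment")

    # 50 MB default (assumption); 1 GB hard ceiling so the 10 GB setting cannot creep back.
    upload_cap = int(env.get("DJANGO_DATA_UPLOAD_MAX_MEMORY_SIZE", 50 * 1024 * 1024))
    if upload_cap > 1024 ** 3:
        raise ImproperlyConfigured("DATA_UPLOAD_MAX_MEMORY_SIZE above 1 GB is an abuse vector")

    return {
        "SECRET_KEY": secret_key,
        "ALLOWED_HOSTS": allowed_hosts,
        "DB_PASSWORD": db_password,
        "DATA_UPLOAD_MAX_MEMORY_SIZE": upload_cap,
    }


def config_error(environ):
    """Return the misconfiguration message, or None when the settings are safe."""
    try:
        load_security_settings(environ)
    except ImproperlyConfigured as exc:
        return str(exc)
    return None
```

Assign the returned values at the top of settings.py so the process refuses to start on a bad environment; reading from the environment only prevents the next leak, so the SECRET_KEY, DB password and certbot keys already in git history still have to be rotated after they are scrubbed.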

P1

Code Quality

  • Split monolithic files: subsystem_views.py (2,043 lines), views.py (1,709 lines), models.py (1,087 lines)
  • Replace 30+ print() statements in utils.py with Python logging module
  • Remove 20+ console.log() calls in React components
  • Replace bare except Exception: with specific types across 40+ occurrences

P2

Testing

  • Only users/tests.py exists (10 test cases) — zero API, React, or integration tests
  • Add coverage for: auth flows, data filtering, Excel imports, permission checks
  • Set up CI/CD pipeline

P3

Frontend

  • Add PropTypes or TypeScript for component type safety
  • Extract magic numbers into constants
  • Add error boundaries and retry logic for API calls
  • Implement lazy loading for page components

P4

Operations

  • Create .env.example for onboarding
  • Reduce DATA_UPLOAD_MAX_MEMORY_SIZE from 10GB (abuse vector)
  • Reduce Celery worker memory cap from 12GB
  • Extend GET request cache TTL beyond 500ms
  • Remove commented-out AWS S3 code in utils.py:156-170

Section 08

What's Done Well

  • Request deduplication in the API client (prevents thundering herd)
  • Chunked deletion for large datasets (delete_heavy())
  • Celery heartbeat monitoring for background tasks
  • Precomputed rollup tables (SubsystemProgramMetricRollup, PlatformYearSpend)
  • Proper DB indexing on frequently filtered fields
  • Modern dependency versions across the stack

The biggest wins would be fixing the security issues (hardcoded secrets, exposed keys) and adding test coverage — those are the highest risk-to-effort improvements.

Section 09

Next Steps

  1. Sign letter of engagement
  2. Schedule the knowledge transfer and kick off the takeover

This proposal is valid for 30 days from the date of issue. Pricing is subject to change after the validity period.

WBSFT®

Prepared by Webisoft for Tamarack Defense · March 2026