TuneNest

Partial

Music Without Middlemen

Creator-sovereign music distribution. Artists keep 90%+ of revenue. AI-powered DAW studio with beat/lyrics/melody generation. Part of Sporus.

Completion76%

Live

Partial

Stub

Missing

13/13

Pages

0/22

APIs

58%

Security

Features (19)

Core3/5 live

✓

Music Upload & PublishingLive

Audio + cover art upload with metadata and scheduling

✓

Artist Profiles & DiscoveryLive

Public artist profiles with track listings

✓

Playlists & LibraryLive

Personal library, playlists, and track likes

○

Schedule PublishingPartial

UI has scheduling dialog, backend incomplete

✗

External DistributionMissing

No Spotify/Apple Music distribution connectors

Auth1/1 live

✓

WebAuthn/Passkeys AuthLive

Passwordless passkey authentication

Monetization2/3 live

✓

Tips & Direct SupportLive

Stripe payments with 5% platform fee, 95% to creator

✓

Creator Stripe ConnectLive

Onboarding, payout status, earnings tracking

✗

Royalty SplitsMissing

No multi-artist revenue sharing

Studio3/6 live

✓

AI Beat GenerationLive

Genre-specific drum patterns via Claude API

✓

AI Lyrics GenerationLive

Full/continue/rewrite modes with syllable counting

✓

AI Melody/Rhyme/MixLive

3 additional AI endpoints for music production

○

Studio DAWPartial

Sequencer/piano roll UI built, Tone.js playback partial

○

Effects & MixerPartial

UI complete, audio processing partially integrated

□

CollaborationStub

Database schema ready, sharing UI not built

Social2/2 live

✓

Following FeedLive

Cross-platform following from all 5 Sporus platforms

✓

NotificationsLive

Tips, follows, and publishing event notifications

Protection2/2 live

✓

Perceptual hash duplicate detection

✓

AI Consent ControlsLive

Per-content training/remix/style protections

Security

Security Checklist

2/6 passing

Check	Status	Details
CSRF Protection	Pass	Implicit via SameSite=lax cookies + Stripe webhook signatures
Rate Limiting	Fail	Not implemented — AI endpoints vulnerable to abuse
Input Validation	Partial	File size/type checks, payment range validation, but no server-side file type verification
Security Headers	Partial	X-Frame-Options, X-Content-Type-Options set; CSP and HSTS missing
Auth / Session	Pass	WebAuthn + Supabase SSR + cross-subdomain SSO
Encryption	Partial	HTTPS only, Supabase at-rest, no field-level encryption

Issues(6 open)

Critical

No rate limiting — AI endpoints can be abused (expensive Anthropic calls)

Open

High

Missing CSP header — XSS risk on public profiles

Open

High

No server-side file type verification — relies on extension only

Open

Medium

Username/bio fields lack output sanitization

Open

Medium

Passkey challenge table has no cleanup job

Open

Low

Studio audio engine partially integrated

Open

API Route Inventory

Total Routes

Rate Limited

Total Pages

Live Pages