Hatch Social — Infrastructure & Code Audit

A single source of truth for the servers, databases, and source code behind Hatch Social — the website, backend, and mobile apps.

Generated 2026-06-08 2 servers 5 GitHub repos 3 critical findings

⚠️ Read the Findings page first

This audit surfaced active security and configuration issues — including production apps running in debug mode, an unaccounted-for backend host the mobile app actually talks to, and database dumps committed to source control. See Findings & Risks.

What Hatch Social is made of

Hatch Social is a social marketplace product delivered through four surfaces, all sharing one Laravel backend:

📱 Mobile apps

One React Native 0.78 codebase building both the iPhone and Android apps (com.hatchsocial). Uses Firebase, Stripe, and Agora video/audio.

🧩 Backend (API + Dashboard)

A single Laravel 9 application that serves the mobile API and an admin web dashboard. 267 lines of API routes, 160 controllers.

🌐 Marketing site

WordPress (hatch.social) on OceanWP + Elementor, plus a second WordPress build at web.hatch.social.

🛠️ Hosting

Two DigitalOcean droplets — a CloudPanel production box and a small staging VM — plus at least one third-party host the app actually calls.

Servers at a glance

Server	Role	Stack	Hosts	Status
161.35.191.47 prod	Production	Ubuntu 22.04 · CloudPanel · Nginx→Varnish→PHP-FPM · MySQL 8	hatch.social, web.hatch.social, api.hatch.social, dash.hatch.social	needs hardening
206.189.206.251 staging	"Backup" VM	Ubuntu 24.04 · Apache · MariaDB · PHP 8.3	One empty default WordPress install	empty / unused
hatch-social.cstmpanel.com unknown	Actual mobile API?	Unknown — third-party panel (not in your access list)	The live endpoint the shipping mobile app calls	unaccounted-for

Repositories at a glance

Repo	What it really is	Size	Last push
`redesigned-spoon-Dashboard`	✅ The Laravel 9 backend (API + dashboard) — misleadingly named	419 MB	2026-04-14
`HSF-Code`	📱 Mobile app (React Native) — newest copy	81 MB	2025-12-28
`Hatch-Front-End-Code`	📱 Mobile app — identical duplicate	81 MB	2025-12-26
`HSFE`	📱 Mobile app — duplicate (nested in a subfolder)	81 MB	2025-12-27
`HSB-Code`	🪧 Empty stub — only a README + a repo-sync workflow	2 KB	2025-12-30

See Repositories for the full breakdown, and Architecture for how everything connects.

Hatch Social Infrastructure Wiki · compiled from live read-only audits of both servers and all five GitHub repositories · 2026-06-08. Source material and cloned repositories are stored privately on this host and are not served publicly.