Product Analysis & Roadmap
Deep analysis of security, features, competitive landscape, and growth opportunities — April 2026
3
Critical Security
19
Must-Have Gaps
66
Total Findings
4
Unique Differentiators
Executive Summary
Cuemark EVI is positioned to be the only AI rehearsal partner that detects and responds to an actor's emotional performance in real time. No competitor in the market does this — they all generate emotional speech but none listen to how the actor performs.
However, the current codebase has 3 critical security vulnerabilities that must be fixed before any public launch, 19 must-have feature gaps for a production-quality product, and significant opportunities for differentiation through Hume's emotion detection capabilities.
The Big Picture
graph LR
subgraph NOW
A[3 Sprints Built]
B[CLM Architecture Working]
C[Basic Rehearsal Flow]
end
subgraph NEXT_30_DAYS
D[Fix Security Critical]
E[Server-side Auth]
F[Session Recording]
G[Emotion Display]
end
subgraph NEXT_90_DAYS
H[Admin Dashboard]
I[Billing/Subscriptions]
J[Performance Analytics]
K[Director Mode]
end
subgraph DIFFERENTIATOR
L[Emotion Match Scoring]
M[AI Acting Coach]
N[Studio Security Suite]
end
A --> D
B --> E
C --> G
D --> H
E --> I
G --> J
F --> K
J --> L
K --> M
H --> N
Competitive Landscape
There are 9+ AI rehearsal tools in market. Here is how they compare:
| Product | Price | AI Voice | Emotion Detect | Analytics | Security | Platform |
|---|---|---|---|---|---|---|
| Cuemark EVI | TBD | ✓ Hume | ✓ Real-time | ✗ Not yet | ● In progress | Web |
| ActorLab | $19-49/mo | ✓ ElevenLabs | ✗ | ● Basic | ✗ | Web |
| ScenePartner | $13-30/mo | ✓ ElevenLabs | ✗ | ✗ | ✗ | Web |
| Linus | $15/mo | ✓ 65+ voices | ✗ | ✗ | ✗ | iOS/Android |
| Odee | TBD | ✓ Multi-provider | ● Preset only | ● Audition tracking | ✗ | Web |
| Rehearsal Pro | $20 once | ✗ Human only | ✗ | ✗ | ✗ | iOS |
| Scriptation | Enterprise | ✗ | ✗ | ✗ | ✓ Studio-grade | iOS/Web |
Key insight: Every competitor generates emotional speech. None detect the actor's emotional delivery. This is Cuemark's moat. Odee is the closest threat — if they integrate Hume or build their own emotion detection, they become a direct competitor. Speed to market with the emotion feedback loop is critical.
Critical Security Fixes
These must be fixed before any public users touch the system.
CRITICAL
SECURITY
C1. Hume API Key + Secret Key Exposed in Client Bundle
EXPO_PUBLIC_HUME_API_KEY and EXPO_PUBLIC_HUME_SECRET_KEY are embedded in the JavaScript bundle. Any user can extract them from DevTools. An attacker can generate unlimited Hume sessions, running up your bill, or access/modify your Hume account configs.
Files:
.env, src/lib/hume.ts, src/screens/RehearsalSessionScreen.tsx:54-55
Fix: Move
fetchAccessToken to a Supabase Edge Function or the CLM server. Client calls your backend, which calls Hume with the secret key and returns only the short-lived access token.
CRITICAL
SECURITY
C2. CLM /init-session Has No Authentication
Anyone who knows the CLM URL can POST to
File:
/init-session with no auth. They can load arbitrary text, overwrite sessions, enumerate session IDs, or exhaust server memory with thousands of fake sessions.
File:
clm/src/server.ts:45-66
Fix: Require Bearer token auth on
/init-session (same as /chat/completions). Better: validate the user's Supabase JWT.
CRITICAL
SECURITY
C3. CLM Auth Check Is Soft-Fail + Key in Client Bundle
The CLM auth key (
File:
cuemark-clm-key) is in EXPO_PUBLIC_CLM_AUTH_KEY (visible in client bundle), and the server only logs a warning on auth mismatch instead of rejecting the request.
File:
clm/src/server.ts:91-94
Fix: Make auth check strict (return 401). Remove the key from
EXPO_PUBLIC_*. The client should send the user's Supabase JWT, and the CLM server validates it.
High Priority Issues
HIGH
SECURITY
H1. Debug Endpoint Exposes Session Metadata Without Auth
GET /session/:id returns session metadata (line count, agent character name, progress) with zero authentication. Character names may be under NDA.
Fix: Remove this endpoint in production, or require authentication.
HIGH
SECURITY
H2. No Rate Limiting or Session Cap on CLM Server
The in-memory session store grows unboundedly. An attacker can exhaust server RAM by creating thousands of sessions. The 2-hour TTL cleanup is insufficient against burst attacks.
Fix: Add
express-rate-limit, cap max concurrent sessions (e.g., 100), require auth.
HIGH
SECURITY
H3. Script Sent to CLM Without User Authentication
Raw NDA-protected script text is POSTed to the CLM server without any user auth token. Anyone can load scripts.
Fix: Require Supabase JWT on
/init-session. Consider having CLM fetch scripts directly from Supabase using a service role key.
HIGH
SECURITY
H4. CORS Configured as Open Wildcard
app.use(cors()) allows requests from any origin. Any website can make requests to the CLM server.
Fix:
cors({ origin: 'https://cuemark-evi.logicmesh.dev' })
HIGH
SECURITY
H5. No Content Security Policy or HSTS Headers
Nginx config lacks CSP and HSTS headers. Since script text is displayed in the UI, a CSP would provide XSS defense-in-depth.
Fix: Add CSP and
Strict-Transport-Security headers to nginx.conf.Medium Issues & Bugs
MEDIUM
BUG
Timer Does Not Update Live
Duration is computed from
File:
Date.now() - startTime during render, but no setInterval triggers re-renders. Timer appears frozen during silence.
File:
RehearsalSessionScreen.tsx:397-399
Fix: Add a 1-second interval
useEffect that updates a duration state variable.
MEDIUM
BUG
Audio Player onPlaybackStart Never Fires
In
audio-player.ts:90-91, the condition checks !this.isPlaying after isPlaying was already set to true on line 81. The callback is unreachable.
Fix: Move the check before setting
isPlaying = true.
MEDIUM
BUG
Only Last 10 Emotion Snapshots Saved
.slice(-10) on emotion data means long scenes lose early emotion data. For a 50-line scene, 80% of emotion data is discarded.
File:
RehearsalSessionScreen.tsx:362
Fix: Save all snapshots. Consider a separate
emotion_snapshots table with per-line granularity.
MEDIUM
Script Encryption Declared But Not Implemented
Database comment says "Stored encrypted via RPC functions" and
File:
pgcrypto is enabled, but no encryption functions exist. Scripts stored as plaintext. This is a stated project security requirement.
File:
001_initial_schema.sql:19
Fix: Implement
encrypt_script/decrypt_script RPC functions using pgcrypto.
MEDIUM
Redaction Module and hume.ts Are Dead Code
src/lib/redaction.ts and src/lib/hume.ts are fully implemented but never imported. They were from the pre-CLM architecture.
Fix: Remove or repurpose. Redaction may still be useful for script display watermarking.
MEDIUM
CLM Session ID Uses Math.random() (Not Crypto-Safe)
Session IDs use
Date.now() + Math.random(), both predictable. Given the unauthenticated debug endpoint, an attacker could guess active session IDs.
Fix: Use
crypto.randomUUID().Actor Experience — Must-Have Features
These are gaps that need filling for a viable product launch.
MUST-HAVE
FEATURE
File Upload (PDF, .fdx, .fountain)
Currently paste-only. Actors receive scripts as PDFs or Final Draft files. This is the single biggest friction point for adoption.
MUST-HAVE
FEATURE
Real-Time Emotion Display
Hume prosody scores are captured but never shown to the actor. This is the entire value proposition of using Hume — the data exists, it just needs a UI. Show a live emotion meter during rehearsal and a breakdown after.
MUST-HAVE
FEATURE
Session Summary / Review Screen
When a session ends, the overlay shows only line count and duration. No emotion breakdown, no accuracy score, no review. The
emotionData is saved to Supabase but never displayed. Need a post-session review screen.
MUST-HAVE
FEATURE
Pause / Resume During Sessions
Actors can mute but cannot pause a session. Muting sends silence frames but the session keeps running. If the actor needs a break (phone call, director note), they must end the session entirely.
MUST-HAVE
FEATURE
Line Skip / Rewind
The CLM server's
nextIndex only increments. If the actor flubs a line or wants to redo, there is no way to go back. Need a "redo last line" and "skip ahead" control.
MUST-HAVE
FEATURE
Multi-Character Scripts (3+ Characters)
Setup screen auto-assigns first two characters. No UI for scripts with 3+ characters where the actor picks one and the AI plays all others. The CLM server already supports this (it groups all non-actor lines as agent lines), but the UI doesn't.
MUST-HAVE
FEATURE
Line Accuracy Scoring
A
matchScore function exists in script-parser.ts:97-113 that compares spoken text to script text — but it is never called anywhere. The function is written and ready, just needs wiring to the session flow.
MUST-HAVE
FEATURE
Session Detail View
Dashboard shows last 5 sessions but clicking them does nothing (no
onPress handler). No way to review a past session's transcript or emotions.
Actor Experience — Should-Have Features
SHOULD-HAVE
Scene Selection Within a Script
The parser detects INT/EXT slug lines but they are not used for navigation. Actors should pick specific scenes to rehearse, not always the whole script.
SHOULD-HAVE
Voice Preview / Audition
No way to hear what a persona sounds like before starting a rehearsal. Need a "play sample" button on persona selection.
SHOULD-HAVE
Emotion Timeline Visualization
Show emotion arcs over a session — where did the actor's anger peak? Where did they go flat? Map emotions to specific script lines.
SHOULD-HAVE
Session Recording & Playback
Audio is streamed but never saved. Actors cannot replay sessions for self-review. This is a standard feature in ScenePartner and ActorLab.
SHOULD-HAVE
Script Notes & Annotations
No annotation system. Actors should be able to mark lines with notes, set emotional targets per line, or add blocking notes.
SHOULD-HAVE
Progress Tracking Over Time
No charts showing improvement across sessions. "You practiced this script 5 times; your line accuracy improved from 72% to 94%."
SHOULD-HAVE
Teleprompter Font Size Control
Script text is fixed at 14px. Actors may need larger text, especially on smaller screens or at a distance.
SHOULD-HAVE
Accessibility Labels
Zero
accessibilityLabel or accessibilityRole props on any component across 13 screens.Admin Dashboard & Backend
Currently there is zero admin UI. Everything requires direct SQL access.
MUST-HAVE
Admin Panel
No admin UI at all. Need: user management, system health, usage stats, content moderation. Consider a separate admin app or a protected /admin route.
MUST-HAVE
Cost Tracking & Usage Metering
Hume API calls are not metered. No tracking of TTS minutes consumed per user. With Hume charging $0.04-0.07/min for EVI 3, a single power user could cost $100+/month with no visibility.
Need: per-session duration logging, per-user monthly rollups, real-time cost dashboard, budget alerts.
Need: per-session duration logging, per-user monthly rollups, real-time cost dashboard, budget alerts.
MUST-HAVE
Rate Limiting & Usage Caps
Nothing prevents a user from running unlimited sessions. Need per-user rate limits tied to subscription tier.
MUST-HAVE
Subscription / Billing (Stripe)
No billing integration. Need: user profiles table, subscription plans table, Stripe integration, usage enforcement. No
profiles or subscriptions tables exist in the schema.
SHOULD-HAVE
System Health Monitoring
CLM server has only a basic
/health endpoint. No Sentry, no uptime monitoring, no error alerting. Need: error tracking, latency percentiles, EVI connection success rates.
SHOULD-HAVE
Persistent Session Store (Redis)
CLM uses in-memory
Map. If the server restarts, all active sessions are lost. Single instance only — no horizontal scaling. Need Redis or similar.Differentiators — What No Competitor Has
These features leverage Hume's emotion detection to create a moat that competitors using ElevenLabs or OpenAI cannot replicate.
DIFFERENTIATOR
1. Emotion Match Scoring
Compare the actor's emotional delivery against target emotions for each line. A director (or AI analysis) sets the target: "This line should be 70% sadness, 20% resignation." After the take, score how close the actor got. No product in the market does this.
DIFFERENTIATOR
2. AI Director Mode
Between takes, the AI gives acting direction based on emotion data: "That read felt 70% angry but the scene calls for suppressed rage — try holding back more." Uses Hume's prosody scores to generate specific, actionable feedback. This turns the tool from a "line reader" into an "acting coach."
DIFFERENTIATOR
3. Per-Line Emotion Heatmap
Map emotion data back to specific script lines. Show a heatmap of the entire script colored by the actor's emotional delivery. Identify "cold spots" where the actor went flat and "hot spots" where they peaked. No competitor tracks this.
DIFFERENTIATOR
4. Cue-Line Mode (Memorization Drill)
AI only speaks the last few words of each preceding line as a prompt, forcing the actor to recall the full text from memory. Progressively hide more words as the actor improves. This is how actors actually memorize — no app implements it with an AI voice partner.
Pricing Strategy
Based on competitor pricing ($13-49/mo) and Hume API costs ($0.04-0.07/min):
| Tier | Price | EVI Minutes | Target User | Your Hume Cost | Margin |
|---|---|---|---|---|---|
| Free Trial | $0 | 15 min total | Try before buy | ~$0.90 | -$0.90 (acquisition cost) |
| Rehearsal | $12.99/mo | 120 min/mo | Casual actors | ~$7.00 | ~$6.00 (46%) |
| Professional | $24.99/mo | 400 min/mo | Working actors | ~$23.20 | ~$1.80 (7%) |
| Studio | $49.99/mo | 1000 min/mo | Power users, coaches | ~$40-58 | Negotiate Hume volume pricing |
Key insight: Professional tier margin is razor-thin at current Hume rates. Consider: (1) negotiating volume pricing with Hume, (2) using EVI 4 Mini for non-premium features at ~$0.03/min, (3) making emotion analytics the premium upsell rather than minutes.
Cost Visibility Architecture
graph TB
subgraph Per_Session_Tracking
A[Session Start] --> B[Log: user_id + session_id + start_time]
B --> C[Hume EVI Running]
C --> D[Session End]
D --> E[Log: duration_ms + lines_completed]
E --> F[Calculate: duration_ms x cost_per_min]
end
subgraph Daily_Rollup
F --> G[Aggregate per user per day]
G --> H[Store in usage_daily table]
end
subgraph Admin_Dashboard
H --> I[Cost per user chart]
H --> J[Total spend this month]
H --> K[Budget alerts]
H --> L[Usage by tier]
end
Market Positioning
The Tagline
"The only AI scene partner that actually listens to how you perform — not just what you say."
Three Pillars of Differentiation
| Pillar | What It Means | Competitor Gap |
|---|---|---|
| Emotion Intelligence | Real-time emotion detection, scoring, and feedback on the actor's delivery | Zero competitors detect actor emotion |
| Studio-Grade Security | Encrypted scripts, audit logging, zero data retention, NDA compliance | Only Scriptation has security; they don't have AI |
| Performance Analytics | Track improvement over time, emotion arcs, line accuracy, pacing | No competitor tracks performance across sessions |
Biggest Risk
Odee (odee.io) is the closest competitor in spirit. They combine multiple AI providers with emotional direction controls. If they integrate Hume's emotion detection (not just generation), they become a direct threat. Speed to market with the emotion feedback loop is critical.
Cuemark EVI — Product Analysis — Generated April 2026