"Scan once, avoid crowds everywhere."
A production-grade, real-time smart crowd management system for stadiums and large venues. Built with Firebase Realtime Database and Google Gemini AI and deployed on Google Cloud Run, QuickFlow guides attendees through the fastest routes with zero app downloads.
Large venues like stadiums face severe crowd congestion at entry gates, food stalls, and exits, leading to long wait times, safety risks, and poor attendee experience. Traditional crowd management relies on manual staff coordination with zero visibility into real-time bottlenecks.
QuickFlow solves this with a lightweight, QR-code-driven web application that provides:
Real-time crowd visibility across all zones
AI-powered smart routing via Google Gemini
Digital token queuing to eliminate physical lines
Staff alert broadcasting for instant communication
User Dashboard (index.html)

| Feature | Description |
| --- | --- |
| Live Crowd Status | Real-time wait times for all gates and food stalls via Firebase |
| Color-Coded Indicators | 🟢 Low (≤5 min) · 🟡 Medium (≤15 min) · 🔴 High (>15 min) |
| AI Smart Advice | Google Gemini generates optimal routing suggestions |
| Digital Token System | Scan QR → get token number → roam freely (no physical queue) |
| Live Alerts | Receive real-time staff announcements |
| PWA / Offline Support | Service Worker caches static assets for offline access |
Admin Panel (admin.html)

| Feature | Description |
| --- | --- |
| Crowd Control | Increment/decrement wait times per gate and stall |
| Alert Broadcaster | Send instant alerts to all connected users |
| Token Monitoring | Track tokens served per food stall |
AI-Powered API Endpoints (Google Gemini 2.0 Flash)

| Endpoint | Method | Description |
| --- | --- | --- |
| /api/smart-advice | POST | AI-generated crowd routing recommendations |
| /api/analyze-crowd | POST | Zone-based density analysis with risk levels |
| /api/emergency-plan | POST | AI emergency response action plans |
| /api/predict-crowd | POST | Predictive crowd analytics for upcoming events |
| /api/health | GET | Cloud Run liveness probe with memory stats |
| /api/ready | GET | Cloud Run readiness probe |
| /api/metrics | GET | Cache stats, uptime, and system metrics |
| Layer | Technology | Purpose |
| --- | --- | --- |
| Frontend | HTML5, CSS3, Vanilla JS | Lightweight, no-build UI |
| Backend | Node.js 18+, Express 5 | Modular API server |
| Real-time DB | Firebase Realtime Database | Live crowd data sync |
| AI Engine | Google Gemini 2.0 Flash | 4 AI endpoints |
| Security | Helmet, CORS, Rate Limiting, CSP | Defense-in-depth |
| Testing | Jest, Supertest | 60+ automated tests |
| CI/CD | GitHub Actions | Multi-version test + auto-deploy |
| Container | Docker (multi-stage) | Non-root, health checked |
| Deployment | Google Cloud Run | Serverless containers |
| Build | Google Cloud Build | Automated Docker builds |
| Hosting | Firebase Hosting | Global CDN with security headers |
| Logging | Google Cloud Logging | Structured JSON logs |
| Performance | Compression, LRU Cache | Gzip + API response caching |
| PWA | Service Worker, Manifest | Offline support, installable |
```
PromptWar/
│
├── config/
│   └── index.js                 # Centralized config: zero magic numbers
│
├── middleware/
│   ├── security.js              # Helmet CSP, CORS whitelist, request ID tracking
│   ├── rateLimiter.js           # Dual rate limiting (global + API-specific)
│   ├── validator.js             # Input sanitization & validation middleware
│   ├── logger.js                # Google Cloud Logging compatible structured logs
│   ├── cache.js                 # LRU in-memory cache with TTL & stats
│   └── errorHandler.js          # Custom AppError class, centralized error handling
│
├── routes/
│   ├── api.js                   # 4 Gemini AI endpoints with caching + validation
│   └── health.js                # Health, readiness, metrics probes for Cloud Run
│
├── public/
│   ├── css/
│   │   └── style.css            # Dark-mode glassmorphism UI, accessibility utils
│   ├── js/
│   │   ├── firebase-config.js   # Firebase Realtime DB init & auto-seeding
│   │   ├── main.js              # User-side real-time rendering logic
│   │   └── admin.js             # Admin panel controls
│   ├── icons/
│   │   ├── icon-192.png         # PWA icon 192x192
│   │   └── icon-512.png         # PWA icon 512x512
│   ├── index.html               # User dashboard (ARIA, semantic, skip links)
│   ├── admin.html               # Staff panel (accessible, noindex)
│   ├── manifest.json            # PWA Web App Manifest
│   └── sw.js                    # Service Worker: offline support
│
├── .github/
│   └── workflows/
│       └── ci.yml               # CI/CD: Test on Node 18/20 → Deploy to Cloud Run
│
├── server.js                    # Entry point: clean composition of all modules
├── server.test.js               # 60+ automated tests across 12 suites
├── Dockerfile                   # Multi-stage build, non-root user, health check
├── .dockerignore                # Excludes tests, docs, git from container
├── cloudbuild.yaml              # Google Cloud Build configuration
├── firebase.json                # Firebase Hosting config with security headers
├── database.rules.json          # Firebase DB rules: auth + field validation
├── package.json                 # Dependencies, scripts, engine constraints
└── README.md
```
Security Implementation

| Layer | Measure | Details |
| --- | --- | --- |
| HTTP Headers | Helmet.js | Strict CSP, HSTS preload, X-Frame DENY, hide X-Powered-By |
| Cross-Origin | CORS Whitelist | Origin validation, production enforcement |
| Rate Limiting | Dual Limiters | Global: 200 req/15min · API: 10 req/min |
| Input | Sanitization | HTML tag stripping via sanitizeInput() |
| Input | Validation | Type checking, range (0–999), length limits (3–500) |
| Payload | Size Limit | JSON body capped at 10KB |
| Errors | Centralized Handler | Stack traces hidden in production, request ID correlation |
| Tracing | Request IDs | Auto-generated X-Request-ID on every response |
| Container | Docker | Multi-stage build, non-root appuser, health check |
| Database | Firebase Rules | Auth-required writes, type + range validation |
| Permissions | Policy Header | Camera, microphone, geolocation disabled |
| Transport | HSTS | 1-year max-age, includeSubDomains, preload |
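The two Input rows above (tag stripping, type and range checks, length limits) can be sketched as follows. This is an added example, not QuickFlow's own code: the function names, the payload shape `{ gates, message }` and applying the 3-500 length limit to `message` are assumptions.

```javascript
// Added example; names and payload shape are hypothetical, not QuickFlow's code.
const LIMITS = { waitMin: 0, waitMax: 999, textMin: 3, textMax: 500 };

// Drop anything tag-like, including an unterminated "<..." fragment, then trim.
function stripTags(value) {
  if (typeof value !== 'string') return '';
  return value.replace(/<[^>]*>?/g, '').trim();
}

// Encode for HTML output; input stripping is not a substitute for this step.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Wait time: a finite number in [0, 999]. Strings, NaN, Infinity, arrays fail.
function checkWaitTime(value) {
  return typeof value === 'number' && Number.isFinite(value) &&
    value >= LIMITS.waitMin && value <= LIMITS.waitMax;
}

// Validate the assumed payload { gates: [{ name, wait }], message }.
function validatePayload(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'], clean: null };
  }
  const errors = [];
  const rawGates = Array.isArray(body.gates) ? body.gates : [];
  if (rawGates.length === 0) errors.push('gates must be a non-empty array');
  const gates = rawGates.map((g) => {
    const name = stripTags(g && g.name);
    const wait = g ? g.wait : undefined;
    if (name.length === 0) errors.push('gate name missing');
    if (!checkWaitTime(wait)) errors.push(`wait out of range for "${name}"`);
    return { name, wait };
  });
  const message = stripTags(body.message);
  if (message.length < LIMITS.textMin || message.length > LIMITS.textMax) {
    errors.push('message must be 3-500 characters after stripping');
  }
  return errors.length
    ? { ok: false, errors, clean: null }
    : { ok: true, errors, clean: { gates, message } };
}

// Constructed sample input, for illustration only.
const SAMPLE = { gates: [{ name: '<i>Gate A</i>', wait: 12 }], message: 'Gate B is <b>closed</b>' };
console.log(validatePayload(SAMPLE));
```

Stripping tags on input is lossy and does not replace encoding at the point of output, which is why `escapeHtml` is kept as a separate step.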
Testing: 60+ Automated Tests

```bash
npm test                # Run all tests
npm run test:verbose    # Verbose output
npm run test:coverage   # With coverage report
```

| Suite | Tests | Coverage |
| --- | --- | --- |
| sanitizeInput() unit tests | 12 | XSS, HTML stripping, null/undefined, edge cases |
| validateCrowdData() unit tests | 16 | Types, ranges, boundaries, NaN, Infinity |
| Cache module tests | 7 | Set/get, TTL expiry, key generation, stats, clear |
| Static file serving | 6 | HTML, CSS, JS, Firebase config, 404 |
| Security headers (Helmet) | 10 | CSP, HSTS, X-Frame, XSS, Referrer, Request ID |
| Input validation & XSS | 9 | Missing fields, injection, out-of-range, arrays |
| /api/smart-advice | 3 | Valid data, fallback, single-gate |
| /api/analyze-crowd | 2 | Valid zones, fallback with structure check |
| /api/emergency-plan | 4 | Valid, fallback, XSS stripping, optional fields |
| /api/predict-crowd | 2 | Valid prediction, fallback |
| Cloud Run probes | 3 | Health (memory, version), readiness, metrics |
| Error handling | 3 | 404 JSON, unknown routes, invalid JSON |
```bash
git clone https://github.com/omkhandare55/PromptWar.git
cd PromptWar
npm install
node server.js
```
| Variable | Required | Description |
| --- | --- | --- |
| PORT | No | Server port (default: 8080, auto-set by Cloud Run) |
| NODE_ENV | No | production or development |
| GEMINI_API_KEY | No | Google Gemini API key for AI endpoints |
| ALLOWED_ORIGINS | No | Comma-separated CORS whitelist |
Option 1: Google Cloud Run (Recommended)

```bash
# Authenticate & configure
gcloud auth login
gcloud config set project promptwar-fcc9a

# Enable required APIs
gcloud services enable run.googleapis.com cloudbuild.googleapis.com

# Deploy from source
gcloud run deploy quickflow-service \
  --source . \
  --region us-central1 \
  --allow-unauthenticated \
  --set-env-vars "NODE_ENV=production,GEMINI_API_KEY=your_key"
```
Option 2: Firebase Hosting

```bash
npm install -g firebase-tools
firebase login
firebase init hosting   # Select: promptwar-fcc9a, public dir: public
firebase deploy
```
Option 3: CI/CD (Fully Automated)
Every push to main triggers the GitHub Actions pipeline:
Test: 60+ tests on Node.js 18 and 20
Audit: npm audit for dependency vulnerabilities
Deploy: Automatic deployment to Google Cloud Run
Google Services Integration

| # | Service | How It's Used |
| --- | --- | --- |
| 1 | Firebase Realtime Database | Live crowd data sync across all connected clients |
| 2 | Google Gemini 2.0 Flash | 4 AI endpoints: advice, analysis, emergency, prediction |
| 3 | Google Cloud Run | Containerized serverless deployment with health probes |
| 4 | Google Cloud Build | Automated Docker image builds (cloudbuild.yaml) |
| 5 | Google Cloud Logging | Structured JSON logs with severity, latency, request tracing |
| 6 | Firebase Hosting | Global CDN delivery with security headers (firebase.json) |
Accessibility (WCAG 2.1 AA)

| Feature | Implementation |
| --- | --- |
| Skip Links | "Skip to main content" for keyboard navigation |
| ARIA Labels | All interactive elements have descriptive labels |
| ARIA Roles | `role="banner"`, `role="list"`, `role="dialog"`, `role="alert"` |
| Live Regions | `aria-live="polite"` for real-time crowd updates |
| Screen Reader | `.sr-only` helper class for visually hidden text |
| Focus Management | `focus-visible` outlines for keyboard users |
| Reduced Motion | `prefers-reduced-motion` media query support |
| Semantic HTML | `<header>`, `<main>`, `<section>`, `<nav>` landmarks |
| Form Labels | Hidden labels on all inputs for assistive technology |
| Color Contrast | WCAG AA compliant contrast ratios on all text |
Performance Optimizations

| Optimization | Impact |
| --- | --- |
| Gzip Compression | ~70% reduction in response sizes |
| LRU API Cache | 30s TTL, max 100 entries; reduces Gemini API calls |
| Static Asset Caching | 1-day max-age with ETag validation |
| Service Worker | Cache-first for static, network-first for API |
| Multi-stage Docker | Smaller production image, faster cold starts |
| Engine Constraints | `"node": ">=18.0.0"` ensures modern runtime |
```
┌──────────────┐    QR Scan    ┌──────────────┐   Firebase RT DB    ┌─────────────┐
│   Attendee   │ ────────────► │  QuickFlow   │ ──────────────────► │  Firebase   │
│   (Phone)    │               │   Web App    │                     │ Realtime DB │
└──────────────┘               └──────┬───────┘                     └─────────────┘
                                      │
                               ┌──────▼───────┐     Gemini API      ┌─────────────┐
                               │   Express    │ ──────────────────► │   Google    │
                               │  API Server  │                     │  Gemini AI  │
                               └──────┬───────┘                     └─────────────┘
                                      │
                               ┌──────▼───────┐
                               │    Google    │
                               │  Cloud Run   │
                               └──────────────┘
```
Scan QR → Opens web app instantly (no download)
View Live Status → See which gates/stalls have shortest wait
Get AI Advice → Gemini suggests fastest route
Get Digital Token → Skip physical queue at food stalls
Receive Alerts → Staff broadcasts reach all users in real time
ISC
Om Khandare, @omkhandare55