Eko Monorepo Assessment Report v3

Assessment Date: 2025-12-18
Assessed By: Claude Code (Senior Monorepo Assessment Agent)
Repository: Eko
Stack Summary: Bun 1.1.0, Turbo 2.6.3, TypeScript 5.9.3, Next.js 16.0.10, React 19.2.3, Supabase, Upstash Redis, Playwright 1.57.0, Biome 2.3.9, Vitest 4.0.16
Version: v3.0


Executive Summary

| Area | Score (0-100) | Grade | Change | Notes |
|---|---|---|---|---|
| Repository Structure & Organization | 98 | A+ | +1 | New specs directory, subscription-manager agent |
| Build System & Tooling | 94 | A | +1 | Turbo cache growing, larger codebase |
| Code Quality & Standards | 90 | A- | = | Biome unified, no pre-commit hooks |
| Type System Configuration | 94 | A | = | Strict mode, modern bundler resolution |
| Testing Infrastructure | 78 | C+ | = | Single test file, no coverage reporting |
| Documentation | 97 | A+ | +3 | Comprehensive V1 specs and contracts |
| Backend / Data Layer | 96 | A | +3 | Major V1 contracts migration (0006) |
| UI / Design System | 92 | A- | = | Full Storybook, 20 components, dark mode |
| CI/CD & DevOps | 88 | B+ | = | Full pipeline, missing remote caching |
| Security | 85 | B | = | RLS strong, missing dependency scanning |
| FINAL SCORE | 91 | A- | +1 | V1 contracts infrastructure complete |

Grade Legend

  • A+: 97-100 (Exceptional)
  • A: 93-96 (Production-ready)
  • A-: 90-92
  • B+: 87-89
  • B: 83-86
  • C+: 80-82
  • <80: Needs intervention

Key Changes Since Last Assessment (2025-12-16)

Major Improvements

  1. V1 Contracts Migration - New 0006_v1_contracts.sql with 278 lines implementing:

    • plan_definitions table for subscription tiers (free/base/pro/team)
    • user_subscriptions with Stripe integration
    • notification_preferences and notification_deliveries for email alerts
    • tracking_suggestions and tracking_suggestion_examples for discovery
    • Weekly cadence support in check_frequency
    • ai_provider and ai_model columns on summaries
    • URL cap enforcement trigger with plan-based limits
    • Full RLS policies on all new tables
  2. Specification Documents - New docs/specs/ directory with 7 detailed specs:

    • v1-business-rules.md - Core business logic
    • service-levels.md - SLA definitions
    • naming-contracts.md - Naming conventions
    • meaningful-change.md - Change detection spec
    • render-escalation.md - Playwright escalation rules
    • summarization-safety.md - AI safety guidelines
    • url-normalization.md - URL handling spec
  3. Subscription Manager Agent - New agent for subscription lifecycle management

  4. Entitlements System - New packages/shared/src/entitlements.ts (72 lines)

  5. Documentation Expansion:

    • docs/dev/observability.md - Observability guide
    • docs/dev/migration-coexistence.md - Migration strategy
    • docs/runbooks/scheduling.md - Scheduling runbook
    • docs/product/v1-execution-contract.md - V1 execution plan
    • docs/product/tracking-suggestions/ - Suggestion templates
    • docs/architecture/schema-naming-contracts.md - Schema conventions
    • docs/schema-reference.md - Full schema reference (49KB)

Metrics Changes

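| Metric | v2 | v3 | Change |
|---|---|---|---|
| Migrations | 5 | 6 | +1 |
| Agent files | 17 | 17 | = |
| Turbo cache | 13 MB / 408 files | 24 MB / 592 files | +85% |
| node_modules | 649 MB | 699 MB | +8% |
| bun.lock lines | 1,278 | 1,304 | +2% |
| Shared package | ~600 LOC | ~795 LOC | +33% |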

1. Repository Structure & Organization

Score: 98 (A+) (+1 from v2)

Current Structure

eko/
├── .claude/                 17 specialized agents
│   ├── agents/             Agent specifications
│   └── settings.local.json Local agent settings
├── .notes/                  Development planning docs
├── apps/                    5 deployable applications
│   ├── web/                Next.js public app (port 3000)
│   ├── admin/              Next.js admin panel (port 3001)
│   ├── storybook/          Component documentation (port 6006)
│   ├── worker-render/      Playwright rendering service
│   └── worker-tracker/     URL tracking worker
├── packages/                7 shared libraries
│   ├── ai/                 OpenAI integration
│   ├── config/             Zod-validated env config
│   ├── db/                 Supabase client & queries
│   ├── observability/      Logging utilities
│   ├── queue/              Upstash Redis queue
│   ├── shared/             Types, schemas, entitlements [EXPANDED]
│   └── ui/                 Shared UI components (20 components)
├── docs/                    Comprehensive documentation
│   ├── assessments/        Assessment reports
│   ├── specs/              [NEW] V1 specifications (7 files)
│   └── schema-reference.md [NEW] Full schema reference
├── infra/                   Docker, fly.toml configs
└── scripts/                 Setup and utility scripts

Strengths

  • @eko/* package scope consistently applied across all workspaces
  • Clear separation: apps deploy, packages share
  • New docs/specs/ directory provides formal specification artifacts
  • Agent system with 17 specialized agents for autonomous workflows
  • Agent routing validation in CI (agents-routing-check.ts)

Weaknesses

  • .notes/ directory not in .gitignore (consider if these should be tracked)

2. Build System & Tooling

Score: 94 (A) (+1 from v2)

Turbo Configuration

{
  "tasks": {
    "build": { "dependsOn": ["^build"], "outputs": [".next/**", "dist/**", "storybook-static/**"] },
    "dev": { "cache": false, "persistent": true },
    "lint": { "dependsOn": ["^build"] },
    "typecheck": { "dependsOn": ["^build"] },
    "test": { "dependsOn": ["^build"] }
  }
}

Metrics

| Metric | Value |
|---|---|
| Local Turbo cache | 24 MB (592 artifacts) |
| Web app .next build | 37 MB |
| Storybook static | 7.3 MB |
| node_modules | 699 MB |
| bun.lock lines | 1,304 |

Strengths

  • Turbo task graph correctly models dependencies with ^build
  • Bun provides fast install and execution (1.1.0)
  • Local caching working effectively (85% cache growth indicates active development)
  • TypeScript incremental builds enabled
  • All dependencies locked to specific versions

Weaknesses

  • No remote caching configured (Vercel Remote Cache or custom)
  • Each CI job re-installs dependencies from scratch

3. Code Quality & Standards

Score: 90 (A-) (unchanged)

Biome Configuration (v2.3.9)

{
  "linter": {
    "rules": {
      "noUnusedImports": "error",
      "noUnusedVariables": "error",
      "noExplicitAny": "warn",
      "noNonNullAssertion": "off"
    }
  },
  "formatter": {
    "indentStyle": "space",
    "indentWidth": 2,
    "lineWidth": 100,
    "quoteStyle": "single"
  }
}

Strengths

  • Single tool (Biome) eliminates config drift between lint/format
  • Strict on unused code (errors, not warnings)
  • CSS modules and Tailwind directives supported
  • Import organization automated
  • .editorconfig present for cross-editor consistency

Weaknesses

  • No pre-commit hooks (husky/lefthook not configured)
  • noExplicitAny is "warn" not "error"
  • noNonNullAssertion disabled
  • Quality enforcement relies entirely on CI

4. Type System Configuration

Score: 94 (A) (unchanged)

Base Config (tsconfig.base.json)

{
  "compilerOptions": {
    "target": "ES2022",
    "module": "ESNext",
    "moduleResolution": "bundler",
    "strict": true,
    "noEmit": true,
    "isolatedModules": true,
    "declaration": true,
    "declarationMap": true,
    "incremental": true
  }
}

Inheritance Pattern

  • All 12 workspaces extend ../../tsconfig.base.json
  • Next.js apps add next plugin for App Router types
  • Packages specify outDir/rootDir for build isolation
  • UI package adds jsx: "react-jsx" and path aliases

Strengths

  • strict: true globally enforced
  • Modern bundler resolution (Node 16+)
  • Declaration maps enable source navigation
  • isolatedModules ensures transpiler safety

Weaknesses

  • noUncheckedIndexedAccess not enabled
  • exactOptionalPropertyTypes not enabled
  • useUnknownInCatchVariables not enabled

5. Testing Infrastructure

Score: 78 (C+) (unchanged)

Test Framework: Vitest 4.0.16

| Workspace | Config | Test Files |
|---|---|---|
| apps/web | Node env | 0 |
| apps/admin | Node env | 0 |
| apps/storybook | Default | 0 |
| apps/worker-render | Node env | 0 |
| apps/worker-tracker | Node env | 0 |
| packages/ai | Node env | 0 |
| packages/config | Node env | 0 |
| packages/db | Node env | 0 |
| packages/observability | Node env | 0 |
| packages/queue | Node env | 0 |
| packages/shared | Node env | 1 (smoke.test.ts) |
| packages/ui | No tests | 0 |

Strengths

  • Vitest workspace configured across all workspaces
  • E2E smoke test covers critical render pipeline (e2e:render-smoke)
  • Test failures block CI build
  • Consistent vitest run pattern

Weaknesses

  • Only 1 test file exists (18 lines in packages/shared)
  • No coverage reporting configured or tracked
  • passWithNoTests: true masks missing tests
  • No component tests for UI library
  • No visual regression testing

6. Documentation

Score: 97 (A+) (+3 from v2)

Documentation Structure

docs/
├── README.md               Index with V1 spec links
├── CONVENTIONS.md          Standards & front-matter rules
├── glossary.md             Terminology (updated with V1 terms)
├── schema-reference.md     [NEW] Full schema reference (49 KB)
├── architecture/           7 files + schema-naming-contracts.md [NEW]
├── assessments/            Assessment reports
├── dev/                    9 files + observability.md, migration-coexistence.md [NEW]
├── runbooks/               7 files + scheduling.md [NEW]
├── policies/               AI safety, fair use
├── product/                PRD, user guide, v1-execution-contract.md [NEW]
└── specs/                  [NEW] 7 specification documents

New Documentation

  • docs/specs/ - 7 formal specification documents for V1 contracts
  • docs/schema-reference.md - Comprehensive schema documentation (49 KB)
  • docs/dev/observability.md - Observability guide
  • docs/dev/migration-coexistence.md - Migration strategy
  • docs/runbooks/scheduling.md - Scheduling operations
  • docs/product/v1-execution-contract.md - V1 execution plan (19 KB)
  • docs/architecture/schema-naming-contracts.md - Schema conventions

Strengths

  • Enforced front-matter with CI validation (scripts/docs-lint.sh)
  • Agent routing validation in CI
  • Comprehensive runbooks for each subsystem
  • Clear onboarding in dev/local-development.md
  • V1 specifications are production-ready

Weaknesses

  • No API documentation generation (TypeDoc)
  • No auto-generated component docs from Storybook

7. Backend / Data Layer

Score: 96 (A) (+3 from v2)

Schema (6 migrations)

packages/db/migrations/
├── 0001_init.sql                    Core schema + RLS (7.6 KB)
├── 0002_renders.sql                 url_renders table (1.9 KB)
├── 0003_storage_renders_bucket.sql  Storage bucket (2.5 KB)
├── 0004_user_note_and_checked_day.sql User annotations (1.2 KB)
├── 0005_brand_library_v1.sql        Brand library (5.8 KB)
└── 0006_v1_contracts.sql            [NEW] V1 contracts (11.7 KB, 278 lines)

New Tables (0006)

  • plan_definitions - Subscription tiers with limits and features
  • user_subscriptions - User-to-plan mapping with Stripe integration
  • notification_preferences - Email notification settings
  • notification_deliveries - Notification audit log with deduplication
  • tracking_suggestions - Discovery templates
  • tracking_suggestion_examples - URL type examples per suggestion

New Features (0006)

  • Weekly cadence support (check_frequency IN ('daily', 'weekly'))
  • AI provider metadata (ai_provider, ai_model columns on summaries)
  • URL cap enforcement trigger (check_url_cap())
  • Comprehensive RLS on all new tables

Row-Level Security

| Table | SELECT | INSERT | UPDATE | DELETE |
|---|---|---|---|---|
| profiles | Own | Auth trigger | Own | Cascade |
| tracked_urls | Own | Enforce user_id | Own | Own |
| url_checks | Own (EXISTS) | Service role | - | - |
| url_changes | Own (EXISTS) | Service role | - | - |
| summaries | Own (2-level EXISTS) | Service role | - | - |
| url_renders | Own (EXISTS) | Service role | - | - |
| plan_definitions | Public (active) | - | - | - |
| user_subscriptions | Own | - | - | - |
| notification_preferences | Own | Own | Own | Own |
| notification_deliveries | Own | - | - | - |
| tracking_suggestions | Auth (active) | - | - | - |
| tracking_suggestion_examples | Auth (via FK) | - | - | - |

Strengths

  • Clean normalized schema with proper FK constraints
  • RLS policies follow principle of least privilege
  • URL cap enforcement at database level (not application)
  • Plan-based limits are data-driven (no hardcoding)
  • Comprehensive indexes on query-critical columns

Weaknesses

  • No explicit rollback migrations
  • No migration tests

8. UI / Design System

Score: 92 (A-) (unchanged)

Storybook (apps/storybook)

  • Version: 10.1.9
  • Framework: React + Vite 7.3.0
  • Addons: docs, themes
  • Stories: 19 files covering all components
  • Dark/light mode toggle in preview

Shared UI Library (packages/ui)

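| Component | Sub-components | Dark Mode |
|---|---|---|
| AlertDialog | 11 | Yes |
| Avatar | 3 | Yes |
| Badge | 4 variants | Yes |
| Button | 6 variants, 6 sizes | Yes |
| Card | 6 | Yes |
| Checkbox | 1 | Yes |
| Dialog | 10 | Yes |
| DropdownMenu | 14 | Yes |
| Input | 1 | Yes |
| Label | 1 | Yes |
| Popover | 4 | Yes |
| RadioGroup | 2 | Yes |
| Select | 11 | Yes |
| Separator | 1 | Yes |
| Skeleton | 1 | Yes |
| Switch | 1 | Yes |
| Tabs | 4 | Yes |
| Textarea | 1 | Yes |
| Tooltip | 4 | Yes |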

Technology Stack

  • Radix UI primitives (14 packages) for accessibility
  • class-variance-authority (CVA) for variant management
  • Tailwind CSS v4 with CSS variables
  • cn() utility (clsx + tailwind-merge)
  • Lucide React for icons

Strengths

  • 20 components with 60+ sub-components
  • Full dark mode via CSS custom properties
  • All components documented in Storybook
  • Accessibility built-in via Radix
  • shadcn/ui "New York" style

Weaknesses

  • No README in packages/ui
  • No accessibility testing (axe, pa11y)
  • No component unit tests

9. CI/CD & DevOps

Score: 88 (B+) (unchanged)

GitHub Actions Pipeline

Triggers: push/PR to main/dev

Jobs (Parallel):
1. docs-lint      - Validates markdown front-matter
2. agents-routing - Validates agent ownership
3. lint           - Biome check
4. typecheck      - tsc
5. test           - Vitest

Job (Sequential):
6. build          - Depends on all above

Strengths

  • Full quality gate (docs, agents, lint, types, tests, build)
  • Parallel execution for independent jobs
  • Build blocked until all checks pass
  • --frozen-lockfile ensures determinism
  • Agent routing validation prevents ownership conflicts

Weaknesses

  • No remote caching (each run installs fresh)
  • No preview environments on PRs
  • No deployment automation
  • No GitHub Actions dependency caching

10. Security

Score: 85 (B) (unchanged)

Strengths

| Area | Status |
|---|---|
| RLS Policies | Strong - all 12 tables protected |
| Env Validation | Strong - Zod schemas at runtime |
| Secret Exclusion | Good - .gitignore configured |
| Auth Separation | Good - anon vs service role clients |
| Worker Security | Good - proper cleanup, timeouts |
| Security Policy | Present - SECURITY.md with scope |
| URL Cap Enforcement | [NEW] Database-level plan limits |

Weaknesses

| Area | Status | Priority |
|---|---|---|
| Dependency Scanning | Missing (no Dependabot) | P1 |
| Secret Scanning | Missing (no GitHub scanning) | P1 |
| SSRF Prevention | Missing (no private IP blocking) | P2 |
| Rate Limiting | Missing (no per-user limits) | P2 |
| Admin Authorization | Incomplete (run_now disabled) | P2 |

Recommendations

  1. Add .github/dependabot.yml for npm vulnerability scanning
  2. Enable GitHub secret scanning in repository settings
  3. Add isAllowedUrl() validation to block private IPs and metadata endpoints
  4. Complete admin authorization feature
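
The following TypeScript is an added example of the isAllowedUrl() check named in recommendation 3; it is not code from the Eko repository. The blocked ranges, the BLOCKED_HOSTS entries and all helper names are assumptions. A hostname that passes must still be resolved, and each resolved address run through the same range checks, before a worker connects.

```typescript
// Added example; ranges and host names are illustrative assumptions, not project code.
const BLOCKED_V4: ReadonlyArray<readonly [string, number]> = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes the 169.254.169.254 metadata address
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];
const BLOCKED_HOSTS = new Set(['localhost', 'metadata.google.internal']);

function v4ToInt(ip: string): number | null {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedV4(ip: string): boolean {
  const n = v4ToInt(ip);
  if (n === null) return false; // not an IPv4 literal
  return BLOCKED_V4.some(([base, bits]) => {
    const start = v4ToInt(base) ?? 0;
    return n >= start && n < start + 2 ** (32 - bits);
  });
}

// Expects the bracket-stripped form as normalized by the URL parser.
function isBlockedV6(h: string): boolean {
  if (h === '::' || h === '::1') return true; // unspecified, loopback
  const m = h.startsWith('::ffff:') ? h.slice(7).split(':').map((g) => parseInt(g, 16)) : [];
  if (m.length === 2) { // IPv4-mapped: re-check the embedded IPv4 address
    const [hi = 0, lo = 0] = m;
    return isBlockedV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return /^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h); // fc00::/7, fe80::/10
}

function isAllowedUrl(raw: string): boolean {
  let url: URL;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Use the parsed hostname: integer, hex and octal IPv4 forms are already dotted decimal.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  if (BLOCKED_HOSTS.has(host) || host.endsWith('.localhost')) return false;
  if (host.startsWith('[')) return !isBlockedV6(host.slice(1, -1));
  return !isBlockedV4(host);
}
```

The IPv6 handling covers loopback, unique-local, link-local and IPv4-mapped addresses only; other IPv4-embedding prefixes are not decoded here.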

Risk Assessment

| Risk Area | Level | Change | Mitigation |
|---|---|---|---|
| Build stability | Low | = | Turbo graph + lockfile ensure reproducibility |
| Data integrity | Low | -1 | RLS + FK constraints + URL cap trigger |
| Security | Medium | = | Add dependency/secret scanning urgently |
| Team velocity | Low | = | Clear structure, good docs, fast tooling |
| UI consistency | Low | = | Storybook + shared components unified |
| V1 readiness | Low | NEW | Specs complete, schema ready, entitlements defined |

P0 - Critical

  • None (no blocking issues for production)

P1 - High Priority

  • Add Dependabot for dependency vulnerability scanning
  • Enable GitHub secret scanning
  • Add pre-commit hooks (husky + lint-staged)
  • Configure coverage reporting and set minimum thresholds
  • Add unit tests for entitlements logic

P2 - Medium Priority

  • Add SSRF prevention (private IP blocklist)
  • Enable Turbo remote caching for CI speedup
  • Add GitHub Actions dependency caching
  • Add unit tests for UI components
  • Enable noUncheckedIndexedAccess in TypeScript

P3 - Long-Term

  • Add visual regression testing (Chromatic)
  • Add load testing infrastructure
  • Create migration rollback procedures
  • Add TypeDoc for API documentation
  • Add accessibility testing (axe-core)

Readiness Scorecard

| Target | Previous | Current | Gap |
|---|---|---|---|
| Production ready | 90% | 91% | Testing coverage, dependency scanning |
| V1 launch ready | - | 95% | Entitlements tests, notification worker |
| Scale ready | 78% | 80% | Remote caching, rate limiting |
| Team onboarding | 95% | 97% | Excellent docs, specs complete |
| Design system | 92% | 92% | Component tests, accessibility |

Assessment Metadata

  • Assessment Date: 2025-12-18
  • Previous Assessment: 2025-12-16 (v2)
  • Assessed By: Claude Code (Senior Monorepo Assessment Agent)
  • Repository: Eko
  • Stack Summary: Bun 1.1.0, Turbo 2.6.3, TypeScript 5.9.3, Next.js 16.0.10, React 19.2.3, Supabase, Upstash Redis, Playwright 1.57.0, Biome 2.3.9, Vitest 4.0.16
  • Version: v3.0

This assessment reflects the state of the Eko monorepo as of December 18, 2025. Scores are based on industry best practices for production-grade TypeScript monorepos.