Eko Monorepo Assessment Report v4
- Assessment Date: 2025-12-19
- Assessed By: Claude Code (Senior Monorepo Assessment Agent)
- Repository: Eko
- Stack Summary: Bun 1.1.0, Turbo 2.6.3, TypeScript 5.9.3, Next.js 16.0.10, React 19.2.3, Supabase, Upstash Redis, Playwright 1.57.0, Biome 2.3.9, Vitest 4.0.16
- Version: v4.0
Executive Summary
| Area | Score (0-100) | Grade | Change | Notes |
|---|---|---|---|---|
| Repository Structure & Organization | 98 | A+ | = | UI registry adds structured metadata |
| Build System & Tooling | 95 | A | +1 | Registry drift check in CI |
| Code Quality & Standards | 90 | A- | = | No pre-commit hooks still |
| Type System Configuration | 94 | A | = | Strict mode maintained |
| Testing Infrastructure | 82 | B | +4 | New env-guard tests (160 LOC) |
| Documentation | 98 | A+ | +1 | UI registry docs + CSV exports |
| Backend / Data Layer | 98 | A+ | +2 | vNext migration (1,125 lines) |
| UI / Design System | 93 | A | +1 | UI element registry with drift detection |
| CI/CD & DevOps | 89 | B+ | +1 | Registry check added to pipeline |
| Security | 85 | B | = | Still missing dependency scanning |
| FINAL SCORE | 92 | A- | +1 | vNext architecture + UI registry |
Grade Legend
- A+: 97-100 (Exceptional)
- A: 93-96 (Production-ready)
- A-: 90-92
- B+: 87-89
- B: 83-86
- C+: 80-82
- <80: Needs intervention
Key Changes Since Last Assessment (2025-12-18)
Major Improvements
- vNext Global URL Library Migration - New 0007_global-url-library-vnext.sql with 1,125 lines implementing:
  - Global urls table with canonical_url uniqueness (replacing per-user model)
  - Global url_observations, url_change_events, url_change_summaries
  - user_url_library with history gating for subscription-based access
  - URL submission workflow with policy enforcement (url_submissions, policy_logs)
  - Trend foundation tables (trends, trend_data_points)
  - Billing/invoicing tables (invoices, invoice_line_items)
  - Onboarding extensions (user_onboarding_progress)
  - Write-through triggers syncing V1 → vNext automatically
  - Complete data backfill from V1 tables (idempotent)
- UI Element Registry System - New structured metadata for UI/data mapping:
  - packages/shared/src/ui-registry/ui-element-registry.json (272 lines)
  - scripts/generate-ui-registry.ts (682 lines) - Generates registry from codebase
  - scripts/check-ui-registry.ts (60 lines) - CI drift detection
  - scripts/export-ui-registry.ts (134 lines) - CSV export for spreadsheets
  - docs/spreadsheets/csvs/ - 24 screen-specific CSV exports
  - docs/product/ui-element-registry.md - Registry documentation
- Testing Improvements - New packages/config/src/env-guard.test.ts (160 lines):
  - Tests for environment variable validation
  - Zod schema edge cases covered
  - First package-level unit tests in config package
- Shared Package Expansion - 1,740 LOC (119% growth from v3):
  - New ui-registry/ directory with JSON schema
  - Enhanced type definitions for vNext tables
- CI Pipeline Enhancement:
  - Added registry:check job to lint workflow
  - Detects drift between codebase and registry JSON
Metrics Changes
| Metric | v3 | v4 | Change |
|---|---|---|---|
| Migrations | 6 | 7 | +1 (major) |
| Migration LOC | ~31 KB | ~72 KB | +132% |
| Agent files | 17 | 17 | = |
| Turbo cache | 24 MB / 592 files | 33 MB / 744 files | +38% / +26% |
| node_modules | 699 MB | 699 MB | = |
| bun.lock lines | 1,304 | 1,304 | = |
| Shared package | ~795 LOC | ~1,740 LOC | +119% |
| Test files | 1 | 2 | +1 |
| Test LOC | 18 | 178 | +889% |
| Script files | 1 | 4 | +3 |
1. Repository Structure & Organization
Score: 98 (A+) (unchanged)
Current Structure
eko/
├── .claude/ 17 specialized agents
│ ├── agents/ Agent specifications
│ └── settings.local.json Local agent settings
├── .notes/ Development planning docs
├── apps/ 5 deployable applications
│ ├── web/ Next.js public app (port 3000)
│ ├── admin/ Next.js admin panel (port 3001)
│ ├── storybook/ Component documentation (port 6006)
│ ├── worker-render/ Playwright rendering service
│ └── worker-tracker/ URL tracking worker
├── packages/ 7 shared libraries
│ ├── ai/ OpenAI integration
│ ├── config/ Zod-validated env config [+TESTS]
│ ├── db/ Supabase client & queries
│ ├── observability/ Logging utilities
│ ├── queue/ Upstash Redis queue
│ ├── shared/ Types, schemas, UI registry [EXPANDED]
│ │ └── src/ui-registry/ [NEW] Screen-entity mapping
│ └── ui/ Shared UI components (20 components)
├── docs/ Comprehensive documentation
│ ├── assessments/ Assessment reports
│ ├── specs/ V1 specifications (7 files)
│ ├── spreadsheets/ [NEW] CSV exports for screen data
│ └── schema-reference.md Full schema reference
├── infra/ Docker, fly.toml configs
└── scripts/ 4 TypeScript scripts [+3]
    ├── agents-routing-check.ts
    ├── check-ui-registry.ts [NEW]
    ├── export-ui-registry.ts [NEW]
    └── generate-ui-registry.ts [NEW]
Strengths
- @eko/* package scope consistently applied across all workspaces
- Clear separation: apps deploy, packages share
- New ui-registry provides structured metadata for UI/data relationships
- Agent routing validation in CI
- Registry scripts enable automation and exports
Weaknesses
- .notes/ directory still not in .gitignore
2. Build System & Tooling
Score: 95 (A) (+1 from v3)
Turbo Configuration
{
  "tasks": {
    "build": { "dependsOn": ["^build"], "outputs": [".next/**", "dist/**", "storybook-static/**"] },
    "dev": { "cache": false, "persistent": true },
    "lint": { "dependsOn": ["^build"] },
    "typecheck": { "dependsOn": ["^build"] },
    "test": { "dependsOn": ["^build"] }
  }
}
Metrics
| Metric | Value |
|---|---|
| Local Turbo cache | 33 MB (744 artifacts) |
| Web app .next build | 37 MB |
| Storybook static | 8.6 MB |
| node_modules | 699 MB |
| bun.lock lines | 1,304 |
Strengths
- Turbo task graph correctly models dependencies with ^build
- Bun provides fast install and execution (1.1.0)
- Local caching working effectively (+38% cache growth indicates active development)
- TypeScript incremental builds enabled
- New registry:check script integrated into CI
- All dependencies locked to specific versions
Weaknesses
- No remote caching configured (Vercel Remote Cache or custom)
- Each CI job re-installs dependencies from scratch
3. Code Quality & Standards
Score: 90 (A-) (unchanged)
Biome Configuration (v2.3.9)
{
  "linter": {
    "rules": {
      "noUnusedImports": "error",
      "noUnusedVariables": "error",
      "noExplicitAny": "warn",
      "noNonNullAssertion": "off"
    }
  },
  "formatter": {
    "indentStyle": "space",
    "indentWidth": 2,
    "lineWidth": 100,
    "quoteStyle": "single"
  }
}
Strengths
- Single tool (Biome) eliminates config drift between lint/format
- Strict on unused code (errors, not warnings)
- CSS modules and Tailwind directives supported
- Import organization automated
- .editorconfig present for cross-editor consistency
Weaknesses
- No pre-commit hooks (husky/lefthook not configured)
- noExplicitAny is "warn" not "error"
- noNonNullAssertion disabled
- Quality enforcement relies entirely on CI
4. Type System Configuration
Score: 94 (A) (unchanged)
Base Config (tsconfig.base.json)
{
  "compilerOptions": {
    "target": "ES2022",
    "module": "ESNext",
    "moduleResolution": "bundler",
    "strict": true,
    "noEmit": true,
    "isolatedModules": true,
    "declaration": true,
    "declarationMap": true,
    "incremental": true
  }
}
Inheritance Pattern
- All 12 workspaces extend ../../tsconfig.base.json
- Next.js apps add next plugin for App Router types
- Packages specify outDir/rootDir for build isolation
- UI package adds jsx: "react-jsx" and path aliases
Strengths
- strict: true globally enforced
- Modern bundler resolution (Node 16+)
- Declaration maps enable source navigation
- isolatedModules ensures transpiler safety
Weaknesses
- noUncheckedIndexedAccess not enabled
- exactOptionalPropertyTypes not enabled
- useUnknownInCatchVariables not enabled
5. Testing Infrastructure
Score: 82 (B) (+4 from v3)
Test Framework: Vitest 4.0.16
| Workspace | Config | Test Files |
|---|---|---|
| apps/web | Node env | 0 |
| apps/admin | Node env | 0 |
| apps/storybook | Default | 0 |
| apps/worker-render | Node env | 0 |
| apps/worker-tracker | Node env | 0 |
| packages/ai | Node env | 0 |
| packages/config | Node env | 1 (env-guard.test.ts, 160 LOC) [NEW] |
| packages/db | Node env | 0 |
| packages/observability | Node env | 0 |
| packages/queue | Node env | 0 |
| packages/shared | Node env | 1 (smoke.test.ts, 18 LOC) |
| packages/ui | No tests | 0 |
Total Test LOC: 178 (+889% from v3)
Strengths
- Vitest workspace configured across all workspaces
- E2E smoke test covers critical render pipeline (e2e:render-smoke)
- New env-guard tests validate environment config edge cases
- Test failures block CI build
- Consistent vitest run pattern
Weaknesses
- Still only 2 test files across 12 workspaces
- No coverage reporting configured or tracked
- passWithNoTests: true masks missing tests
- No component tests for UI library
- No visual regression testing
6. Documentation
Score: 98 (A+) (+1 from v3)
Documentation Structure
docs/
├── README.md Index with V1 spec links
├── CONVENTIONS.md Standards & front-matter rules
├── glossary.md Terminology (updated with V1 terms)
├── schema-reference.md Full schema reference (49 KB)
├── architecture/ 7 files + schema-naming-contracts.md
├── assessments/ Assessment reports
├── dev/ 9 files + observability.md, migration-coexistence.md
├── runbooks/ 7 files + scheduling.md
├── policies/ AI safety, fair use
├── product/ PRD, user guide, v1-execution-contract.md
│ └── ui-element-registry.md [NEW] Registry documentation
├── spreadsheets/ [NEW] CSV exports directory
│ └── csvs/ 24 screen-specific CSV files
└── specs/ 7 specification documents
New Documentation
- docs/product/ui-element-registry.md - Registry format and usage guide
- docs/spreadsheets/csvs/ - 24 CSV exports for screen-entity mapping:
  - account-home.csv, add-url-flow.csv, admin-brand-url-moderation.csv
  - admin-review-url-policy.csv, billing-overview.csv, brand-index.csv
  - And 18 more screen exports...
Strengths
- Enforced front-matter with CI validation (scripts/docs-lint.sh)
- Agent routing validation in CI
- Comprehensive runbooks for each subsystem
- Clear onboarding in dev/local-development.md
- V1 specifications are production-ready
- UI registry enables structured data exports
Weaknesses
- No API documentation generation (TypeDoc)
- No auto-generated component docs from Storybook
7. Backend / Data Layer
Score: 98 (A+) (+2 from v3)
Schema (7 migrations)
packages/db/migrations/
├── 0001_init.sql Core schema + RLS (7.6 KB)
├── 0002_renders.sql url_renders table (1.9 KB)
├── 0003_storage_renders_bucket.sql Storage bucket (2.5 KB)
├── 0004_user_note_and_checked_day.sql User annotations (1.2 KB)
├── 0005_brand_library_v1.sql Brand library (5.8 KB)
├── 0006_v1_contracts.sql V1 contracts (11.7 KB)
└── 0007_global-url-library-vnext.sql [NEW] vNext architecture (41 KB, 1,125 lines)
New Tables (0007 - vNext Global URL Library)
| Table | Purpose |
|---|---|
| urls | Global URL registry with canonical uniqueness |
| url_observations | Check results per URL per day |
| url_change_events | Detected changes between observations |
| url_change_summaries | AI summaries for changes |
| url_render_artifacts | Playwright screenshots and renders |
| user_url_library | User-URL relationships with history gating |
| url_submissions | URL submission workflow |
| url_policies | URL-specific policy overrides |
| policy_logs | Policy decision audit trail |
| trends | Trend definitions |
| trend_data_points | Time-series trend data |
| invoices | Stripe-aligned invoicing |
| invoice_line_items | Invoice detail lines |
| user_onboarding_progress | Onboarding step tracking |
New Features (0007)
- Global URL model (shared observations across users)
- History gating (subscription-based access control)
- Policy enforcement workflow (allow/block/review)
- Write-through triggers (V1 → vNext automatic sync)
- Idempotent backfill procedures
- 11 new ENUMs for type safety
Row-Level Security - All 26+ tables protected with principle of least privilege
Strengths
- Clean normalized schema with proper FK constraints
- RLS policies follow principle of least privilege
- Global URL model eliminates duplicate observations
- History gating is data-driven (not hardcoded)
- Write-through triggers enable gradual migration
- Backfill procedures are idempotent
Weaknesses
- No explicit rollback migrations
- No migration tests
8. UI / Design System
Score: 93 (A) (+1 from v3)
Storybook (apps/storybook)
- Version: 10.1.9
- Framework: React + Vite 7.3.0
- Addons: docs, themes
- Stories: 19 files covering all components
- Dark/light mode toggle in preview
Shared UI Library (packages/ui)
| Component | Sub-components | Dark Mode |
|---|---|---|
| AlertDialog | 11 | Yes |
| Avatar | 3 | Yes |
| Badge | 4 variants | Yes |
| Button | 6 variants, 6 sizes | Yes |
| Card | 6 | Yes |
| Checkbox | 1 | Yes |
| Dialog | 10 | Yes |
| DropdownMenu | 14 | Yes |
| Input | 1 | Yes |
| Label | 1 | Yes |
| Popover | 4 | Yes |
| RadioGroup | 2 | Yes |
| Select | 11 | Yes |
| Separator | 1 | Yes |
| Skeleton | 1 | Yes |
| Switch | 1 | Yes |
| Tabs | 4 | Yes |
| Textarea | 1 | Yes |
| Tooltip | 4 | Yes |
UI Element Registry (NEW)
- ui-element-registry.json (272 lines)
- Maps screens → routes → database entities
- Enables automated drift detection in CI
- Exports to CSV for product/design collaboration
Technology Stack
- Radix UI primitives (14 packages) for accessibility
- class-variance-authority (CVA) for variant management
- Tailwind CSS v4 with CSS variables
- cn() utility (clsx + tailwind-merge)
- Lucide React for icons
Strengths
- 20 components with 60+ sub-components
- Full dark mode via CSS custom properties
- All components documented in Storybook
- Accessibility built-in via Radix
- shadcn/ui "New York" style
- UI registry provides structured screen metadata
Weaknesses
- No README in packages/ui
- No accessibility testing (axe, pa11y)
- No component unit tests
9. CI/CD & DevOps
Score: 89 (B+) (+1 from v3)
GitHub Actions Pipeline
Triggers: push/PR to main/dev
Jobs (Parallel):
1. docs-lint - Validates markdown front-matter
2. agents-routing - Validates agent ownership
3. lint - Biome check + registry:check [NEW]
4. typecheck - tsc
5. test - Vitest
Job (Sequential):
6. build - Depends on all above
New in v4
- registry:check added to lint job
- Detects drift between codebase and registry JSON
Strengths
- Full quality gate (docs, agents, lint, types, tests, build)
- Parallel execution for independent jobs
- Build blocked until all checks pass
- --frozen-lockfile ensures determinism
- Agent routing validation prevents ownership conflicts
- Registry drift detection prevents stale metadata
Weaknesses
- No remote caching (each run installs fresh)
- No preview environments on PRs
- No deployment automation
- No GitHub Actions dependency caching
10. Security
Score: 85 (B) (unchanged)
Strengths
| Area | Status |
|---|---|
| RLS Policies | Strong - all 26+ tables protected |
| Env Validation | Strong - Zod schemas at runtime + tests |
| Secret Exclusion | Good - .gitignore configured |
| Auth Separation | Good - anon vs service role clients |
| Worker Security | Good - proper cleanup, timeouts |
| Security Policy | Present - SECURITY.md with scope |
| URL Cap Enforcement | Database-level plan limits |
| Policy Enforcement | [NEW] URL submission workflow with allow/block/review |
Weaknesses
| Area | Status | Priority |
|---|---|---|
| Dependency Scanning | Missing (no Dependabot) | P1 |
| Secret Scanning | Missing (no GitHub scanning) | P1 |
| SSRF Prevention | Missing (no private IP blocking) | P2 |
| Rate Limiting | Missing (no per-user limits) | P2 |
| Admin Authorization | Incomplete (run_now disabled) | P2 |
Recommendations
- Add .github/dependabot.yml for npm vulnerability scanning
- Enable GitHub secret scanning in repository settings
- Add isAllowedUrl() validation to block private IPs and metadata endpoints
- Complete admin authorization feature
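One possible shape for the recommended isAllowedUrl() check, given as an added example and not code from the Eko repository. The function body, the blocklist ranges and the helper names (isBlockedAddress, BLOCKED_V4, BLOCKED_HOSTS) are assumptions.

```typescript
// Added example: hypothetical isAllowedUrl() for workers that fetch user-submitted URLs.
// IPv4 ranges that must never be fetched: [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], // link-local, includes the 169.254.169.254 metadata endpoint
  ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 3], // multicast and reserved space
];
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return null;
  const n = parts.map(Number);
  if (n.some((x) => x > 255)) return null;
  return ((n[0] << 24) | (n[1] << 16) | (n[2] << 8) | n[3]) >>> 0;
}

function isBlockedV4(ip: string): boolean {
  const addr = v4ToInt(ip);
  if (addr === null) return false; // not an IPv4 literal
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === (((v4ToInt(net) as number) & mask) >>> 0);
  });
}

function isBlockedV6(ip: string): boolean {
  if (ip === "::" || ip === "::1") return true; // unspecified, loopback
  if (ip.startsWith("::ffff:")) return true; // IPv4-mapped: refused outright
  const first = parseInt(ip.split(":")[0] || "0", 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80; // ULA, link-local
}

// Also intended for every address a hostname resolves to, before connecting.
function isBlockedAddress(ip: string): boolean {
  return ip.includes(":") ? isBlockedV6(ip) : isBlockedV4(ip);
}

function parseUrl(raw: string) {
  try { return new URL(raw); } catch { return null; }
}

function isAllowedUrl(raw: string): boolean {
  const url = parseUrl(raw);
  if (!url) return false;
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false; // no embedded credentials
  // WHATWG parsing has already canonicalised forms like 0x7f.0.0.1 or 2130706433.
  const host = url.hostname.replace(/^\[|\]$/g, "").replace(/\.$/, "").toLowerCase();
  if (BLOCKED_HOSTS.has(host) || host.endsWith(".localhost")) return false;
  return !isBlockedAddress(host);
}
```

A string check alone does not cover a public hostname that resolves to an internal address, so the fetching worker would also need to pass each resolved address through isBlockedAddress() and connect only to the address it vetted.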
Risk Assessment
| Risk Area | Level | Change | Mitigation |
|---|---|---|---|
| Build stability | Low | = | Turbo graph + lockfile ensure reproducibility |
| Data integrity | Low | = | RLS + FK constraints + triggers |
| Security | Medium | = | Add dependency/secret scanning urgently |
| Team velocity | Low | = | Clear structure, good docs, fast tooling |
| UI consistency | Low | -1 | UI registry + Storybook + shared components |
| V1 readiness | Low | = | Specs complete, schema ready, entitlements defined |
| vNext readiness | Low | NEW | Migration complete, triggers active, backfill done |
Recommended Next Steps
P0 - Critical
- None (no blocking issues for production)
P1 - High Priority
- Add Dependabot for dependency vulnerability scanning
- Enable GitHub secret scanning
- Add pre-commit hooks (husky + lint-staged)
- Configure coverage reporting and set minimum thresholds
- Add unit tests for entitlements logic
P2 - Medium Priority
- Add SSRF prevention (private IP blocklist)
- Enable Turbo remote caching for CI speedup
- Add GitHub Actions dependency caching
- Add unit tests for UI components
- Enable noUncheckedIndexedAccess in TypeScript
P3 - Long-Term
- Add visual regression testing (Chromatic)
- Add load testing infrastructure
- Create migration rollback procedures
- Add TypeDoc for API documentation
- Add accessibility testing (axe-core)
Readiness Scorecard
| Target | Previous | Current | Gap |
|---|---|---|---|
| Production ready | 91% | 92% | Testing coverage, dependency scanning |
| V1 launch ready | 95% | 96% | Entitlements tests, notification worker |
| vNext ready | - | 85% | API layer, history gating UI |
| Scale ready | 80% | 82% | Remote caching, rate limiting |
| Team onboarding | 97% | 98% | Excellent docs, registry exports |
| Design system | 92% | 93% | Component tests, accessibility |
Assessment Metadata
- Assessment Date: 2025-12-19
- Previous Assessment: 2025-12-18 (v3)
- Assessed By: Claude Code (Senior Monorepo Assessment Agent)
- Repository: Eko
- Stack Summary: Bun 1.1.0, Turbo 2.6.3, TypeScript 5.9.3, Next.js 16.0.10, React 19.2.3, Supabase, Upstash Redis, Playwright 1.57.0, Biome 2.3.9, Vitest 4.0.16
- Version: v4.0
This assessment reflects the state of the Eko monorepo as of December 19, 2025. Scores are based on industry best practices for production-grade TypeScript monorepos.