
Source: ocean/docs/audits/codebase-audit-2025-08-29.md

Ocean Codebase Audit — 2025-08-29

Generated at 2025-08-29T11:22:22-04:00

⚠️ DEPRECATED: All issues identified in this audit have been resolved as of 2025-08-29.
See ADR-046: Codebase Audit Remediation for implementation details.
This document is preserved for historical reference only.

Scope

  • Dependencies and script ecosystem
  • Broken patterns / risky usages
  • Duplicate or dead code
  • Suggested remediations

Summary of Findings

  • Missing dev tools in dependencies: tsx, ts-node, and concurrently are used in package.json scripts but not present in devDependencies.
  • Server-only SDK in src with a hardcoded key: posthog-node is imported in src/lib/posthog-edge.ts with a default API key value. File is not referenced elsewhere but should be isolated from client code and secrets removed.
  • Duplicate components: Two OTP component implementations (src/components/ui/input-otp.tsx and src/components/ui/input-otp-custom.tsx) with overlapping responsibility. One appears redundant.
  • Duplicate data-table columns: Parallel column definitions exist in src/components/data-table/columns.tsx and an unused variant in src/components/data-table-columns.tsx.
  • General setup otherwise consistent: React 19 + Vite 6 + Tailwind 4 + TanStack ecosystem versions are aligned. Sentry and Tailwind plugin configuration look correct.

Evidence & Details

1) Dependencies and Scripts

  • Scripts using missing packages in package.json:

    • codegen:schema, analyze:bundle, perf:check use tsx.
    • design:codemod uses ts-node --transpile-only.
    • dev:full uses concurrently.
    • None of tsx, ts-node, concurrently are declared in devDependencies of package.json (/package.json lines ~117–160).
  • Tailwind plugin usage:

    • @tailwindcss/vite present and configured in vite.config.ts.
    • tailwindcss-animate is declared and used in src/styles.css via @plugin "tailwindcss-animate".
  • Stripe packages:

    • @stripe/react-stripe-js and @stripe/stripe-js (browser) in dependencies.
    • stripe (server SDK) in devDependencies only; no usages found under src/ (good separation).
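The "missing dev tools" finding above is the kind of drift a CI step can catch mechanically. The check below is an added example, not tooling from the Ocean repository: it splits each package.json script on shell operators, takes the first executable of every command, and reports any that is neither a declared dependency nor a known non-package command. The package.json it scans is constructed from the script names the audit cites (scripts/*.ts paths, version ranges and the binary-to-package alias table are assumptions for illustration).

```typescript
// Added example (not the project's own tooling): detect executables used in
// package.json scripts that are not declared in dependencies/devDependencies.

interface PackageJson {
  scripts?: Record<string, string>;
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

// Commands that are not npm packages (runtimes, package managers, shell builtins).
// Assumed list; extend for the project's own needs.
const NOT_A_PACKAGE = ['node', 'npm', 'npx', 'pnpm', 'yarn', 'echo', 'rm', 'cp', 'mv', 'mkdir', 'cd', 'sh', 'bash'];

// Binaries whose name differs from the package that ships them (assumed alias table).
const BIN_TO_PACKAGE: Record<string, string> = { tsc: 'typescript' };

// Split a script on &&, ||, ; and | and return the first word of each command,
// skipping leading VAR=value assignments and known non-package commands.
function commandsOf(script: string): string[] {
  const segments = script.split(/\s*(?:&&|\|\||;|\|)\s*/);
  const commands: string[] = [];
  for (const segment of segments) {
    const words = segment.trim().split(/\s+/);
    let cmd = '';
    for (const w of words) {
      if (!/^[A-Za-z_][A-Za-z0-9_]*=/.test(w)) { cmd = w; break; }
    }
    if (cmd !== '' && NOT_A_PACKAGE.indexOf(cmd) === -1) commands.push(cmd);
  }
  return commands;
}

// Map script name -> packages it invokes that are not declared anywhere.
function missingScriptDeps(pkg: PackageJson): Record<string, string[]> {
  const declared = Object.keys(pkg.dependencies || {}).concat(Object.keys(pkg.devDependencies || {}));
  const scripts = pkg.scripts || {};
  const missing: Record<string, string[]> = {};
  for (const scriptName of Object.keys(scripts)) {
    for (const cmd of commandsOf(scripts[scriptName])) {
      const pkgName = BIN_TO_PACKAGE[cmd] || cmd;
      if (declared.indexOf(pkgName) === -1) {
        missing[scriptName] = (missing[scriptName] || []).concat(pkgName);
      }
    }
  }
  return missing;
}

// Flattened, de-duplicated, sorted list suitable for a CI failure message.
function undeclaredPackages(pkg: PackageJson): string[] {
  const missing = missingScriptDeps(pkg);
  const all: string[] = [];
  for (const scriptName of Object.keys(missing)) {
    for (const p of missing[scriptName]) if (all.indexOf(p) === -1) all.push(p);
  }
  return all.sort();
}

// Constructed package.json mirroring the audit's script names (not the real file).
const SAMPLE_PACKAGE_JSON: PackageJson = {
  scripts: {
    dev: 'vite',
    build: 'tsc -b && vite build',
    'codegen:schema': 'tsx scripts/generate-schema.ts',
    'analyze:bundle': 'tsx scripts/analyze-bundle.ts',
    'perf:check': 'tsx scripts/perf-check.ts',
    'design:codemod': 'ts-node --transpile-only scripts/design-codemod.ts',
    'dev:full': 'concurrently "npm run dev" "npm run codegen:schema"',
    lint: 'eslint .',
  },
  dependencies: { react: '^19.0.0' },
  devDependencies: { vite: '^6.0.0', typescript: '^5.0.0', eslint: '^9.0.0' },
};

// Usage: in CI, fail the job when the list is non-empty.
function auditSamplePackage(): string[] {
  return undeclaredPackages(SAMPLE_PACKAGE_JSON);
}
```

Commands invoked through `npx` are deliberately skipped because npx may fetch an undeclared package on the fly; if that is unwanted, remove `npx` from `NOT_A_PACKAGE` and treat its first argument as the command.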

2) Server-only SDK in src with default key

  • File: src/lib/posthog-edge.ts
    • Imports server SDK: import { PostHog } from 'posthog-node'.
    • Initializes client with a default API key fallback: process.env.VITE_POSTHOG_API_KEY || 'phc_…'.
    • Risks:
      • Keeping a default key string in the repo is a security footgun, even if not currently imported elsewhere: the literal ships in every clone and build, and the fallback silently masks a missing environment variable instead of failing.
      • Vite inlines VITE_-prefixed variables into the client bundle, so the prefix is meant for values that may be exposed to browsers; Edge/server code should read a non-exposed variable (e.g., POSTHOG_SECRET_KEY).
    • Current usage: no in-repo references found to posthog-edge.ts (appears unused), but its location in src/lib/ increases the chance of accidental client import.
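To make the two risks concrete, here is an added example (not code from src/lib/posthog-edge.ts or the Ocean repository) showing the weak key-reading pattern the audit describes beside a server-only reader that refuses client-exposed VITE_ names and never falls back to a literal. The environment is passed in as a plain object so the behaviour can be exercised offline; 'phc_PLACEHOLDER' stands in for the default key the audit found and is not the real value, and the variable name POSTHOG_SECRET_KEY is the audit's own suggestion.

```typescript
// Added example (not the project's code): weak vs. hardened secret reading for a
// server-side PostHog client. Env is injected so the functions are testable offline.

type Env = Record<string, string | undefined>;

// Weak pattern as described in the audit: a VITE_ (client-exposed) variable with a
// hardcoded fallback literal. 'phc_PLACEHOLDER' is a stand-in, not a real key.
function weakReadKey(env: Env): string {
  return env.VITE_POSTHOG_API_KEY || 'phc_PLACEHOLDER';
}

class ServerSecretError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'ServerSecretError';
  }
}

// Hardened reader: refuses any VITE_-prefixed name (Vite would inline it into the
// browser bundle) and fails fast when the variable is unset, with no fallback.
function readServerPosthogKey(env: Env, name: string = 'POSTHOG_SECRET_KEY'): string {
  if (name.indexOf('VITE_') === 0) {
    throw new ServerSecretError(`refusing ${name}: VITE_ variables are exposed to client code`);
  }
  const value = env[name];
  if (value === undefined || value.trim() === '') {
    throw new ServerSecretError(`${name} is not set; a default key is not permitted`);
  }
  return value;
}

// Constructed environments for illustration (no real keys).
const EMPTY_ENV: Env = {};
const SERVER_ENV: Env = { POSTHOG_SECRET_KEY: 'phx_constructed_server_key' };

// Demonstrates the difference: the weak reader "works" with nothing configured,
// which is exactly why the literal leaks; the hardened reader refuses.
function compareReaders(): { weak: string; hardenedThrows: boolean; hardened: string } {
  let hardenedThrows = false;
  try {
    readServerPosthogKey(EMPTY_ENV);
  } catch (e) {
    hardenedThrows = e instanceof ServerSecretError;
  }
  return {
    weak: weakReadKey(EMPTY_ENV),
    hardenedThrows,
    hardened: readServerPosthogKey(SERVER_ENV),
  };
}
```

The hardened reader's value would then be passed to the posthog-node client constructor from a file that lives outside src/, so that neither the name nor the value is ever visible to the Vite client build.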

3) Duplicate / Dead Code

  • OTP components:

    • src/components/ui/input-otp.tsx and src/components/ui/input-otp-custom.tsx both wrap input-otp with similar slot APIs and styling.
    • Consider consolidating into a single implementation exported with a stable API.
  • Data-table columns:

    • src/components/data-table/columns.tsx: Active column model used by src/components/data-table/index.tsx.
    • src/components/data-table-columns.tsx: Alternate/older column model. No references found; likely dead code.

4) Configuration sanity checks

  • Vite config (/vite.config.ts):

    • Plugins: TanStack Router, React, Tailwind, Sentry — ordered and gated properly.
    • Manual chunks configured for vendor splitting; aligns with bundle outputs in /dist/assets/*.
  • Classnames utility (/src/lib/utils.ts):

    • Single cn() helper backed by clsx + tailwind-merge. No duplicate cn found.

Mermaid — Dependency Script Usage Map (diagram not reproduced in this export)

Mermaid — Analytics Architecture (diagram not reproduced in this export)

Recommendations

  • Add missing dev tools to devDependencies in /package.json:

    • tsx, ts-node, concurrently with pinned versions compatible with Node 18+.
  • Secure and isolate server analytics:

    • Remove default API key literal in src/lib/posthog-edge.ts.
    • Read a server-only env var (e.g., POSTHOG_SECRET_KEY) instead of VITE_*.
    • Move file under a server-only directory (e.g., server/ or supabase/functions/_shared/), or add an eslint rule/bazel path block to prevent client imports.
    • If unused, delete the file to reduce risk.
  • Deduplicate components:

    • Merge input-otp.tsx and input-otp-custom.tsx into a single, themable OTP component.
    • Delete src/components/data-table-columns.tsx if truly unused, or integrate its variants into the active table via feature flags/props.
  • Add guardrails:

    • Add ESLint restriction to forbid importing posthog-node from anywhere under src/.
    • Add CI check to fail on presence of default secret-like strings (basic regex patterns) in source.
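The two guardrails recommended above (no posthog-node imports under src/, and a CI failure on secret-like string literals) can be implemented as one pure function over (path, source) pairs. The block below is an added example, not the project's own CI script: the 'phc_' prefix is the PostHog key prefix the audit quotes, while the Stripe-style 'sk_live_/sk_test_' shape and the generic assignment pattern are assumed patterns that will produce some false positives by design. The sample files it scans are constructed to mirror the audit's findings and are not the real repository files.

```typescript
// Added example (not the project's CI): import restriction plus basic secret-literal scan.

interface SourceFile { path: string; source: string }
interface Finding { path: string; line: number; rule: string; excerpt: string }
interface Rule { rule: string; pattern: RegExp }

// Guardrail 1: server-only analytics SDK must never be imported from code under src/.
const FORBIDDEN_IN_SRC: Rule[] = [
  { rule: 'no-posthog-node-in-src', pattern: /(?:from\s+|require\(\s*)['"]posthog-node['"]/ },
];

// Guardrail 2: secret-like literals. Patterns are assumptions for illustration; a real
// deployment would tune them and add an allow-list for test fixtures.
const SECRET_LIKE: Rule[] = [
  { rule: 'posthog-key-literal', pattern: /['"`]phc_[A-Za-z0-9]{20,}['"`]/ },
  { rule: 'stripe-secret-literal', pattern: /['"`]sk_(?:live|test)_[A-Za-z0-9]{16,}['"`]/ },
  { rule: 'generic-secret-assignment', pattern: /\b(?:secret|api[_-]?key|token)\b[^=\n]{0,20}=\s*['"`][^'"`\s]{16,}['"`]/i },
];

// Scan one file line by line; the import rule applies only under src/.
function checkFile(file: SourceFile): Finding[] {
  const underSrc = file.path.indexOf('src/') === 0;
  const rules = underSrc ? FORBIDDEN_IN_SRC.concat(SECRET_LIKE) : SECRET_LIKE;
  const findings: Finding[] = [];
  const lines = file.source.split('\n');
  lines.forEach((text, i) => {
    for (const r of rules) {
      if (r.pattern.test(text)) {
        findings.push({ path: file.path, line: i + 1, rule: r.rule, excerpt: text.trim() });
      }
    }
  });
  return findings;
}

function checkFiles(files: SourceFile[]): Finding[] {
  return files.map(checkFile).reduce((acc, f) => acc.concat(f), [] as Finding[]);
}

// Constructed sample corpus (not real project files). Expected: 3 findings.
const SAMPLE_FILES: SourceFile[] = [
  {
    // Mirrors the audit's finding: server SDK + default key fallback under src/.
    path: 'src/lib/posthog-edge.ts',
    source: [
      "import { PostHog } from 'posthog-node'",
      "export const client = new PostHog(process.env.VITE_POSTHOG_API_KEY || 'phc_0000000000000000000000000000000000000000000')",
    ].join('\n'),
  },
  {
    // Browser SDK under src/ is fine; a VITE_ variable holding a public key is expected here.
    path: 'src/lib/posthog.ts',
    source: [
      "import posthog from 'posthog-js'",
      "posthog.init(import.meta.env.VITE_POSTHOG_KEY)",
    ].join('\n'),
  },
  {
    // Outside src/, the server SDK is allowed and the key comes from the environment.
    path: 'server/analytics.ts',
    source: [
      "import { PostHog } from 'posthog-node'",
      "const key = process.env.POSTHOG_SECRET_KEY",
      "if (!key) throw new Error('POSTHOG_SECRET_KEY not set')",
      "export const client = new PostHog(key)",
    ].join('\n'),
  },
  {
    // Generic secret-looking assignment, caught by the broad pattern.
    path: 'src/config/constants.ts',
    source: "export const token = 'tok_constructed_example_value_12345'",
  },
];

// Usage: in CI, exit non-zero when this returns a non-empty list.
function auditSample(): Finding[] {
  return checkFiles(SAMPLE_FILES);
}
```

The scan is intentionally line-oriented and regex-based, matching the "basic regex patterns" the recommendation asks for; it complements rather than replaces a dedicated secret scanner, and the import rule can equally be expressed as an ESLint restriction scoped to src/.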

Additional Observations

  • Dual icon libraries in use:

    • lucide-react and @tabler/icons-react are both imported across UI components (e.g., src/components/data-table/columns.tsx, src/components/nav-*).
    • Not a bug, but consolidating to a single library can reduce bundle size and maintenance overhead.
  • next-themes in a Vite (non-Next) app:

    • Referenced in src/components/ui/sonner.tsx, src/hooks/use-theme.ts, and src/routes/__root.tsx.
    • Acceptable for CSR usage; no concrete issues detected. Keep if it meets theming needs.

Validation Pass — 2025-08-29 11:26 EDT

  • Re-ran targeted searches to confirm all findings:
    • Missing dev tools (tsx, ts-node, concurrently) still not present in devDependencies.
    • src/lib/posthog-edge.ts remains unused, contains default API key fallback, and imports posthog-node under src/.
    • Duplicate OTP components confirmed; both wrap input-otp.
    • src/components/data-table-columns.tsx has no inbound references; active table uses src/components/data-table/columns.tsx.
    • No stripe (server SDK) imports under src/.
    • Single cn() utility at src/lib/utils.ts; no duplicates.
  • No contradictions found compared to the initial audit.

Citations

  • package.json scripts and deps: /package.json
  • Vite config: /vite.config.ts
  • Tailwind usage: /src/styles.css
  • Client analytics wrapper: /src/lib/posthog.ts
  • Edge/server analytics (risk): /src/lib/posthog-edge.ts
  • Classnames utility: /src/lib/utils.ts
  • Data table and columns: /src/components/data-table/index.tsx, /src/components/data-table/columns.tsx, /src/components/data-table-columns.tsx
  • OTP components: /src/components/ui/input-otp.tsx, /src/components/ui/input-otp-custom.tsx