Repository Evaluation Framework

A structured set of dimensions for periodically assessing the health of this codebase. Review quarterly, or before any significant release.

Score each dimension 1–5:

  • 1 — not addressed, actively harmful
  • 2 — partially addressed, gaps present
  • 3 — adequate for current project stage
  • 4 — well handled
  • 5 — exemplary

Dimensions

1. Code health

| Check | Notes |
|---|---|
| Modules are single-responsibility | App.jsx currently does too much — known debt |
| Business logic separated from UI | Sync and DB logic in db.js / supabase.js — good |
| No obvious duplication | Review for repeated patterns |
| File sizes are reasonable | Flag any file >300 lines for review |
| Imports are clean and intentional | No unused imports |

Target for v1: 3/5
Target for v2: 4/5 (requires App.jsx refactor)


2. Commit discipline

| Check | Notes |
|---|---|
| Each commit represents one logical change | |
| Commit messages follow Conventional Commits | See CONTRIBUTING.md |
| main has never been broken | Verify with build history |
| No debug commits (fix typo, WIP, asdfgh) on main | |
| Sensitive data never committed | Audit with git log --all -S "sk-ant" |

How to audit:

```sh
# List recent history, then search every ref for commits that added or removed the given string
git log --all --oneline | head -20
git log --all --source -S "sk-ant"
# "supabase" also matches ordinary imports and config; review the hits for key literals, not just the name
git log --all --source -S "supabase"
```

3. Documentation

| Check | Notes |
|---|---|
| README covers setup from scratch | Test by following it cold |
| Architecture decisions are recorded | docs/architecture.md |
| Supabase setup is documented | docs/supabase-setup.md |
| CHANGELOG is current | Updated before every release |
| Non-obvious code has inline comments | Check sync and migration logic |

4. Dependency hygiene

| Check | Notes |
|---|---|
| No known vulnerabilities | Run npm audit |
| Dependencies are up to date | Run npm outdated |
| Each dependency is justified | Review package.json |
| Dev vs runtime dependencies correctly separated | |
| package-lock.json committed | |

How to check:

```sh
npm audit
npm outdated
```

5. Security posture

| Check | Notes |
|---|---|
| .env is gitignored | Verify with git check-ignore .env |
| No secrets in commit history | See audit commands above |
| Only anon key used client-side | service_role must never appear |
| Row-level security enabled on all tables | Verify in Supabase dashboard |
| User data not logged to console | Grep for console.log |

How to check:

```sh
# Prints the .gitignore rule that matches .env; no output (exit status 1) means .env is NOT ignored
git check-ignore -v .env
# Both greps should return nothing; -n gives the line to fix when they do not
grep -rn "service_role" src/
grep -rn "console\.log" src/
```

6. Test coverage

| Check | Notes |
|---|---|
| Critical sync logic tested | db.js — mergeCloudRecords, outbox |
| Import/export tested | Schema migration paths |
| Auth flow tested | Sign in, sign out, session restore |

Current state: No tests. Acceptable for v1 personal tool.
Target for public release: Unit tests on db.js and supabase.js.


7. Release discipline

| Check | Notes |
|---|---|
| Releases tagged with semver | git tag v1.0.0 |
| CHANGELOG updated before tagging | |
| Tag pushed to remote | git push --tags |
| Netlify deploy confirmed after release | |

Evaluation log

DateCodeCommitsDocsDepsSecurityTestsReleaseNotes
2026-03-2634441Initial commit

Add a row after each quarterly review or significant release.