01
API keys hardcoded "for now"
Keys in source code, committed to git, shared in Slack.
Workspace-scoped keys in settings. SDK auth via CLI — keys never touch source code.
02
No rate limit on auth or writes
Brute force login, spam submissions, zero throttling.
Rate limit guards, CAPTCHA, and honeypots on all public endpoints — baked in.
03
No input validation
Trusting whatever the client sends. Injection-ready.
Zod schemas enforce validation across frontend and backend. GraphQL types add a second layer.
04
CORS set to *
Any origin can call your API. Wide open to CSRF.
Explicit origin allowlists in NestJS CORS config. Locked down by default.
05
Same API token across all envs
Dev, staging, prod share one key — breach one, breach all.
Workspace-scoped tokens. Each env has its own isolated keys.
06
Schema changes live in your head
No migrations, no versioning, ALTER TABLE in prod.
Dynamic metadata engine — schemas stored in DB, versioned, synced across workspaces.
07
Every query is SELECT *
Fetching 40 columns when you need 3.
GraphQL resolvers enforce field selection. AI agents must specify explicit fields.
08
UTC and local time mixed
Timestamps inconsistent. Appointments off by hours.
TypeORM enforces UTC at the DB layer. DATE_TIME fields handle timezone consistently.
09
DB backups "automatic" but untested
Assume backups work until the day you need them.
Docker volume management with TypeORM migration rollback. Reversible by design.
10
Error handling = console.log(e)
Errors swallowed. Users see blank screens. No trail.
NestJS exception filters, structured responses, Sentry integration — all baked in.
11
One god component owns the screen
2,000-line component. Impossible to test or refactor.
50+ pre-built components (RecordTable, Kanban, Timeline) — modularity enforced.
12
"We'll clean this up after launch"
Cowboy code becomes the foundation. Launch was 6 months ago.
SDK's defineObject / defineRole enforce structure from day one.
13
Frontend talks to 5 APIs directly
Client-side spaghetti — Stripe, Twilio, SendGrid, all hardwired.
All integrations go through server modules. Frontend talks to one platform API.
14
Feature flags = commenting code out
Toggling features by editing source code in production.
Workflow engine acts as a runtime toggle. Sync/async switches per workflow.
15
No /health endpoint
Load balancer can't tell if your app is alive.
NestJS ships health checks out-of-the-box. Docker Compose includes healthcheck.
16
No staging environment
Testing in production. Deploying with crossed fingers.
Docker Compose profiles + workspace isolation = multiple envs on one instance.
17
No analytics or telemetry
Flying blind — no idea who uses what or where it breaks.
Built-in telemetry. Workflow execution history with step-level tracing.
18
Env vars only on your laptop
Bus factor of 1 — secrets live in someone's .zshrc.
Env var reference in docs. Docker Compose propagates all config.
19
No monitoring or alerts
Users report outages before your team notices.
Sentry error tracking + CloudWatch logs + SSE event streams.
20
Logs only in terminal
Close the SSH session, lose the evidence.
Structured NestJS logging, Sentry breadcrumbs, workflow logs persisted to DB.
21
Deploys from local machine
scp to production. No audit trail. "Works on my machine."
Automated deployment. Docker Compose + ECR. CI/CD via GitHub Actions.
22
CI = "ran it locally once"
No automated tests, no linting, yolo merge to main.
Nx affected for targeted lint/test. Playwright E2E. GitHub Actions.
23
Only one person can deploy
The founder holds the SSH key — single point of failure.
Documented platform + SDK + automated scripts. Anyone can deploy.