thewebcooperative/the-collective-hub
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
kungraseri/dev
the-collective-hub/docs/09-risks-and-rules.md
T

6.9 KiB
Raw Permalink Blame History

Risks & Things to Avoid

Critical Risks

Risk 1: Multiple Deployments Running Migrations Simultaneously

Severity: High — could corrupt the database.

Why it's a risk: With multiple Coolify deployments all pointing to the same database, if every deployment runs migrations on startup, they could conflict — two containers trying to create the same table at the same time.

Mitigation:

  • Migrations run automatically on startup, but gated by RUN_MIGRATIONS env var
  • Exactly one deployment has RUN_MIGRATIONS=true (the "primary" deployment)
  • All other deployments set RUN_MIGRATIONS=false and skip migrations
  • Deploy the primary first when schema changes are included
  • This is enforced by convention, not by a lock — David must ensure only one deployment has the flag set to true

Risk 2: Missing siteId Scope on Queries

Severity: High — data leaks between sites.

Why it's a risk: If a query forgets to filter by siteId, one site could display another site's events, settings, or assets. This is the most common multi-tenant bug.

Mitigation:

  • All data access functions accept siteId as a required parameter
  • Create a helper that wraps Drizzle queries and enforces siteId
  • Review every query in code review for siteId filtering
  • Consider a lint rule or type-level enforcement (e.g., branded types) later

Risk 3: Hardcoding Full CDN URLs

Severity: Medium — painful CDN migration if the CDN provider changes.

Why it's a risk: If the database stores https://cdn.example.com/sites/bad-movies/logo.webp and you later switch CDN providers, every URL in the database needs updating.

Mitigation:

  • Database stores only the CDN key/path (sites/bad-movies-theater/logo.webp)
  • Application constructs full URLs using CDN_BASE_URL env var
  • A single env var change switches all CDN URLs

Risk 4: Overbuilding Before the Core Works

Severity: Medium — wasted effort, complexity without value.

Why it's a risk: It's tempting to build the fancy admin dashboard, the AI features, the perfect theming system before the basic site actually works end-to-end. This leads to a complex codebase that doesn't ship.

Mitigation:

  • Follow the phases strictly
  • Phase 1 must be fully working (public site + admin login + settings save) before anything else
  • A working simple site is infinitely more valuable than a half-built complex one
  • Ask "Can this wait until Phase X?" before building anything

Risk 5: Per-Site Custom Code

Severity: Medium — maintenance nightmare.

Why it's a risk: If "Bad Movies Theater" needs something special and you add an if (site.slug === 'bad-movies-theater') in the code, that's the start of a slippery slope. Soon every site has special cases, and the "shared codebase" advantage is lost.

Mitigation:

  • Never write site-specific conditional logic
  • All customization comes from the database (settings, theme, content)
  • If a site genuinely needs a unique feature, it should be built as a configurable feature for all sites, or that site should fork the codebase (last resort)

Risk 6: Letting Site Owners Write Raw CSS/HTML

Severity: Medium — security and maintenance risk.

Why it's a risk: Allowing custom CSS or HTML opens XSS vectors (if not properly sanitized), breaks the design system, and makes future template updates unpredictable. A site owner could accidentally break their own site's layout.

Mitigation:

  • No custom CSS field in V1
  • No raw HTML in content fields — use Markdown with safe rendering
  • If custom CSS is ever added (future phase), sandbox it (e.g., a per-site stylesheet loaded separately, not injected into the main app)
  • Clearly document that custom CSS is an advanced/risky feature

Design Pitfalls to Avoid

Pitfall 1: Making the Admin Panel Too Complex Before the Public Page Works

The admin panel exists to serve the public page. If you spend weeks on a beautiful admin UI but the public site is a broken placeholder, priorities are wrong.

Rule: The public page must work before any admin page is considered complete.

Pitfall 2: Building AI Features Before the Core Template Works

AI content suggestions, semantic search with pgvector, AI chatbots — these are exciting but useless if a site can't display a homepage with basic content.

Rule: No AI features until Phase 5+ and even then, only if the core template is stable and useful.

Pitfall 3: Planning Too Many Layout Options

One clean, flexible layout that adapts to content is better than three half-baked layout options. Adding a second layout doubles the testing surface.

Rule: One layout in V1. Add a second only when there's a clear, proven need.

Pitfall 4: Normalizing Settings Too Aggressively

A siteSettings table with 30 columns (one per setting) means a migration for every new setting. A jsonb column means adding a setting is zero-cost.

Rule: Settings go in JSON. Structured, relational data (events, links, assets) goes in normalized tables.

Pitfall 5: Building for Scale That Doesn't Exist Yet

Planning for 1,000 sites when you have 3 leads to over-engineering. The architecture supports growth (multi-tenant from day one), but don't optimize for scale prematurely.

Rule: Architecture should not block growth; implementation should not optimize for it yet.

Process Risks

Risk 7: Skipping Documentation

Severity: Low now, high later.

Why it's a risk: When there's only one developer (David), documentation feels optional. But when you come back to the project after 6 months, or when a site owner asks how something works, missing documentation hurts.

Mitigation:

  • These planning docs live in the repo
  • Add a simple README.md with setup instructions
  • Add code comments for non-obvious logic
  • Keep a CHANGELOG.md once the project is live

Risk 8: Super Admin Account Compromise

Severity: High — cross-site data breach.

Why it's a risk: A SUPER_ADMIN_DISCORD_IDS entry grants unrestricted access to all sites. If a super admin's Discord account is compromised, all sites are exposed.

Mitigation:

  • Keep the super admin list minimal (ideally just David)
  • Super admin Discord accounts should have 2FA enabled
  • Consider adding a secondary verification step for super admin actions in a future phase
  • Monitor for unusual super admin activity

Summary Checklist

Before writing any code, confirm:

  • Migrations are automated but gated by RUN_MIGRATIONS — only one deployment runs them
  • Every query includes siteId filtering
  • CDN keys stored in DB, not full URLs
  • Phase 1 scope is locked — no feature creep
  • No site-specific conditional code planned
  • No raw CSS/HTML inputs for site owners
  • Database backups are configured (handled externally by David)
  • Project name decided: The Collective Hub
  • Super admin Discord IDs are set and accounts have 2FA enabled
Reference in New Issue View Git Blame Copy Permalink