[CI] (3393d57) javascript-node/express-todo

[wizard-ci-bot]

Automated wizard CI run

Source: wizard-pr
Trigger ID: 3393d57
App: javascript-node/express-todo
App directory: apps/javascript-node/express-todo
Workbench branch: wizard-ci-3393d57-javascript-node-express-todo
Wizard branch: release-please--branches--main--components--wizard
Context Mill branch: main
PostHog (MCP) branch: master
Timestamp: 2026-03-17T00:02:24.458Z
Duration: 287.6s

[wizard-ci-bot]

Now I have all the context I need. Let me produce the evaluation report.

---

PR Evaluation Report

Summary

This PR integrates PostHog into an Express.js Todo API (server-only Node.js app). It installs posthog-node, initializes the client with environment variables and exception autocapture, adds capture() calls to all three mutating endpoints (create, update, delete), adds an Express error middleware using captureException(), and includes graceful shutdown handlers.

Files changed	Lines added	Lines removed
3	+83	-1

Confidence score: 4/5 👍

• title included in event properties may leak user-generated content: The title property in todo created and todo updated events contains user-input text. While not classic PII (email, phone), it could contain sensitive user-generated content. This is a borderline concern for a todo app. [MEDIUM]
• No .env.example file created: The PR introduces two new env vars (POSTHOG_KEY, POSTHOG_HOST) but only documents them in the uncommitted .env file. No .env.example was created or committed to guide other developers. [MEDIUM]

---

File changes

Filename	Score	Description
apps/javascript-node/express-todo/index.js	4/5	PostHog initialization, capture calls on all mutating routes, error middleware, and shutdown handlers added cleanly
apps/javascript-node/express-todo/package.json	5/5	posthog-node dependency added correctly
apps/javascript-node/express-todo/posthog-setup-report.md	4/5	Setup report with event documentation and dashboard recommendations

---

App sanity check ⚠️

Criteria	Result	Description
App builds and runs	Yes	No syntax errors, valid Node.js code, dependency properly added
Preserves existing env vars & configs	Yes	Existing PORT, express config, and route logic fully preserved
No syntax or type errors	Yes	All code is syntactically valid JavaScript
Correct imports/exports	Yes	const { PostHog } = require('posthog-node') is the correct import
Minimal, focused changes	Yes	Only PostHog-related additions; no unrelated modifications
Pre-existing issues	None	Base app is clean

Issues

• No .env.example committed: The .env file exists locally but is not committed (and shouldn't be since it contains a key). However, no .env.example was created to document the required POSTHOG_KEY and POSTHOG_HOST variables for other developers. [MEDIUM]

Other completed criteria

• Build configuration (package.json) is valid with correct dependency added
• All existing app functionality preserved — route handlers, response formats, error codes unchanged
• Code follows existing codebase patterns (CommonJS require, same indentation, same coding style)

---

PostHog implementation ✅

Criteria	Result	Description
PostHog SDKs installed	Yes	posthog-node@^5.28.2 added to package.json dependencies
PostHog client initialized	Yes	new PostHog(process.env.POSTHOG_KEY, { host: process.env.POSTHOG_HOST, enableExceptionAutocapture: true }) — correct pattern for posthog-node
capture()	Yes	Three meaningful capture calls: todo created, todo updated, todo deleted
identify()	N/A	Server-only Express app — identify is N/A
Error tracking	Yes	Both enableExceptionAutocapture: true in init options and explicit posthog.captureException(err, distinctId) in Express error middleware — correct API signatures verified
Reverse proxy	N/A	Server-only app — reverse proxy is N/A

Issues

None.

Other completed criteria

• API key loaded from process.env.POSTHOG_KEY — not hardcoded
• Host configured via process.env.POSTHOG_HOST (set to https://us.i.posthog.com in .env)
• Graceful shutdown with posthog.shutdown() on SIGINT/SIGTERM ensures event flush
• distinct_id derived from request header, IP, or fallback — reasonable for server-side context

---

PostHog insights and events ✅

Filename	PostHog events	Description
index.js	todo created	Captures when a new todo is created, with todo_id and title properties
index.js	todo updated	Captures when a todo is updated, with todo_id, title, and completed properties
index.js	todo deleted	Captures when a todo is deleted, with todo_id property
index.js	captureException	Error middleware captures unhandled Express errors with associated distinct ID

Issues

• User-generated title in event properties: The title property in todo created and todo updated events contains raw user input. While not traditional PII, this is user-generated content that could potentially contain sensitive information. Consider moving it to person properties or omitting it. [MEDIUM]

Other completed criteria

• Events represent real user actions in the todo workflow (create → update → delete)
• Events enable product insights: creation rate trends, completion funnels (created → updated with completed:true), deletion rate
• Event properties include contextual data (todo_id, completed status) enabling filtering and breakdown
• Event names are descriptive, consistent, and use space-separated lowercase convention
• No emails, phone numbers, or classic PII in event properties

---

Reviewed by wizard workbench PR evaluator