[CI] (0c6666c) javascript-node/express-todo

[wizard-ci-bot]

Automated wizard CI run

Source: wizard-pr
Trigger ID: 0c6666c
App: javascript-node/express-todo
App directory: apps/javascript-node/express-todo
Workbench branch: wizard-ci-0c6666c-javascript-node-express-todo
Wizard branch: release-please--branches--main--components--wizard
Context Mill branch: main
PostHog (MCP) branch: master
Timestamp: 2026-04-15T18:05:52.642Z
Duration: 245.4s

[wizard-ci-bot]

Good — the .env is gitignored and not part of the PR diff. Now I have everything I need to write the evaluation.

---

PR Evaluation Report

Summary

This PR integrates the posthog-node SDK into an Express.js Todo API. It adds PostHog initialization with environment-based config, event capture on all mutation routes (create, update, complete, delete), error tracking via Express error middleware, and graceful shutdown handlers. The implementation is clean and well-scoped for a server-only Node.js app.

Files changed	Lines added	Lines removed
3	+103	-3

Confidence score: 4/5 👍

• title included in event properties may constitute PII: The title property is user-generated content passed directly from req.body.title into every posthog.capture() call. Users could type anything into a todo title, including personal information. This is a moderate concern. [MEDIUM]
• No .env.example committed: The PR relies on POSTHOG_API_KEY and POSTHOG_HOST environment variables but does not include a committed .env.example file to document them. The .env is gitignored (correctly). The setup report mentions the variables but a proper .env.example is the standard pattern. [MEDIUM]

---

File changes

Filename	Score	Description
apps/javascript-node/express-todo/index.js	4/5	PostHog SDK initialized, capture calls on all mutation routes, error middleware, graceful shutdown. title in event properties is a minor PII concern.
apps/javascript-node/express-todo/package.json	5/5	posthog-node ^5.29.2 added to dependencies — correct package for server-side Node.js.
apps/javascript-node/express-todo/posthog-setup-report.md	4/5	Setup report documenting events and dashboard suggestions. Not a code file.

---

App sanity check ⚠️

Criteria	Result	Description
App builds and runs	Yes	Valid Node.js/Express code, no syntax issues, dependency properly declared
Preserves existing env vars & configs	Yes	Existing Express app logic preserved; only PostHog additions made
No syntax or type errors	Yes	All code is syntactically valid JavaScript
Correct imports/exports	Yes	require('posthog-node') with destructured { PostHog } is correct
Minimal, focused changes	Yes	Only PostHog integration code added, no unrelated changes
Pre-existing issues	None	Base app is clean

Issues

• No .env.example file committed: The PR introduces two new environment variables (POSTHOG_API_KEY, POSTHOG_HOST) but does not include a committed .env.example to document them. While the .env file exists locally and the setup report mentions the vars, the standard practice is to commit an .env.example template. [MEDIUM]

Other completed criteria

• Build configuration is valid — package.json is well-formed with correct dependency
• Existing start and dev scripts preserved unchanged
• The .env file is correctly gitignored

---

PostHog implementation ✅

Criteria	Result	Description
PostHog SDKs installed	Yes	posthog-node ^5.29.2 added to package.json dependencies
PostHog client initialized	Yes	new PostHog(process.env.POSTHOG_API_KEY, { host: process.env.POSTHOG_HOST, enableExceptionAutocapture: true }) — correct initialization pattern
capture()	Yes	Four distinct capture calls: todo created, todo updated, todo completed, todo deleted
identify()	N/A	Server-only Express app — identify is N/A
Error tracking	Yes	posthog.captureException(err, distinctId) in Express error middleware with correct signature; enableExceptionAutocapture: true set in config
Reverse proxy	N/A	Server-only app — reverse proxy is N/A

Issues

None critical or medium for PostHog implementation.

Other completed criteria

• API key loaded from process.env.POSTHOG_API_KEY — not hardcoded
• Host configured from process.env.POSTHOG_HOST pointing to https://us.i.posthog.com
• Graceful shutdown via posthog.shutdown() on SIGINT and SIGTERM — excellent practice
• getDistinctId() helper extracts distinct ID from x-posthog-distinct-id header with fallback to req.ip
• enableExceptionAutocapture is a valid config option confirmed in the SDK type definitions
• captureException(error, distinctId) matches the SDK signature

---

PostHog insights and events ⚠️

Filename	PostHog events	Description
index.js	todo created	Captured on POST /api/todos — tracks new todo creation with todo_id and title
index.js	todo updated	Captured on PATCH /api/todos/:id — tracks todo modifications with todo_id, title, completed
index.js	todo completed	Captured on PATCH when completed === true — enables funnel analysis from creation to completion
index.js	todo deleted	Captured on DELETE /api/todos/:id — tracks todo removals with todo_id and title
index.js	captureException	Error middleware captures uncaught Express errors with distinct ID

Issues

• title property may contain PII: The title field is raw user-generated content included in every capture call. Users could include personal information (names, emails, addresses) in their todo titles. Consider removing title from event properties or hashing it. [MEDIUM]

Other completed criteria

• Events represent real user actions (CRUD operations on todos)
• Events enable product insights — can build creation trends, completion funnels, deletion patterns
• Events include relevant contextual properties (todo_id, completed status)
• Event names are descriptive and use a consistent todo <action> naming convention

---

Reviewed by wizard workbench PR evaluator