[CI] (7f79337) next-js/15-app-router-saas

[wizard-ci-bot]

Automated wizard CI run

Source: context-mill-pr
Trigger ID: 7f79337
App: next-js/15-app-router-saas
App directory: apps/next-js/15-app-router-saas
Workbench branch: wizard-ci-7f79337-next-js-15-app-router-saas
Wizard branch: main
Context Mill branch: clarify-next-provider
PostHog (MCP) branch: master
Timestamp: 2026-02-12T21:06:15.169Z
Duration: 758.7s

[wizard-ci-bot]

Now I have all the information I need to complete my evaluation. Let me write the PR evaluation report:

---

PR Evaluation Report

Summary

This PR integrates PostHog analytics into a Next.js 15 App Router SaaS application. It adds both client-side (posthog-js) and server-side (posthog-node) SDKs, implements a reverse proxy to bypass ad blockers, and captures 11 user events across authentication, subscription management, and team collaboration flows.

Files changed	Lines added	Lines removed
15	+580	-11

Confidence score: 3/5 🤔

• PII in event properties: The user_signed_in and user_signed_up events capture email addresses in event properties. While PostHog can handle this, it violates best practices for avoiding PII in analytics events. [MEDIUM]
• Environment variables not documented in .env.example: PostHog environment variables (NEXT_PUBLIC_POSTHOG_KEY, NEXT_PUBLIC_POSTHOG_HOST) are only in .env.local (gitignored), making setup unclear for new developers. [MEDIUM]
• Premature event capture on login/signup: Events are captured before the authentication action completes, meaning failed login/signup attempts are tracked as successes. [CRITICAL]
• Server-side PostHog client uses NEXT_PUBLIC_ host variable: The posthog-server.ts uses NEXT_PUBLIC_POSTHOG_HOST which should be the public PostHog host, but the server client should send directly to PostHog (not through reverse proxy). [MEDIUM]

---

File changes

Filename	Score	Description
instrumentation-client.ts	4/5	Client-side PostHog initialization with exception capture and reverse proxy configuration. Uses valid Next.js 15.3+ instrumentation pattern. Uses defaults: '2026-01-30' which is an unusual config option.
lib/posthog-server.ts	4/5	Server-side singleton PostHog client with shutdown method. Uses aggressive flush settings (flushAt: 1, flushInterval: 0).
next.config.ts	5/5	Properly configured reverse proxy rewrites for PostHog ingestion to bypass ad blockers. Includes trailing slash configuration.
app/(login)/login.tsx	3/5	Adds user identification and sign-in/sign-up events, but captures events before action completes and includes email as property (PII concern).
app/(dashboard)/layout.tsx	5/5	Clean implementation of sign-out event with proper posthog.reset() call.
app/(dashboard)/dashboard/general/page.tsx	4/5	Account update event captured. Simple and focused change.
app/(dashboard)/dashboard/page.tsx	4/5	Team member invite/remove events with appropriate properties (role, member_id). Note: invited_email may be considered PII.
app/(dashboard)/dashboard/security/page.tsx	4/5	Password update and account deletion events with proper reset on delete. Events captured before action completes.
app/(dashboard)/pricing/submit-button.tsx	5/5	Checkout started event captured on button click. Clean implementation.
app/api/stripe/checkout/route.ts	5/5	Server-side checkout completed event with rich properties (plan, subscription, customer, user, team IDs).
app/api/stripe/webhook/route.ts	5/5	Server-side subscription lifecycle events with team context. Good separation of updated vs cancelled events.
package.json	5/5	Both posthog-js and posthog-node added correctly.
.gitignore	5/5	Properly ignores .env.local to prevent accidental API key commits.
posthog-setup-report.md	4/5	Comprehensive documentation of the integration, events, and next steps.

---

App sanity check: 4/5 ✅

Criteria	Result	Description
App builds and runs	Yes	Dependencies added correctly, no syntax errors visible
Preserves existing env vars & configs	Partial	Original .env.example unchanged; PostHog vars only in gitignored .env.local
No syntax or type errors	Yes	All TypeScript/JSX syntax is valid
Correct imports/exports	Yes	All imports are correct, PostHog imported from correct packages
Minimal, focused changes	Yes	Changes are appropriately scoped to PostHog integration only

Issues

• Environment variables not documented: PostHog variables (NEXT_PUBLIC_POSTHOG_KEY, NEXT_PUBLIC_POSTHOG_HOST) should be added to .env.example for onboarding new developers. [MEDIUM]
• Unused import: useEffect and useRef are imported in login.tsx but formRef is assigned but never used for any specific purpose beyond the ref attribute. [LOW]

Other completed criteria

• No hardcoded secrets in code
• Consistent with existing patterns (SWR, useActionState, form actions)
• No breaking changes to existing functionality
• Build configuration is valid

---

PostHog implementation: 4/5 ✅

Criteria	Result	Description
PostHog SDKs installed	Yes	posthog-js@^1.347.0 and posthog-node@^5.24.15 in package.json
PostHog client initialized	Yes	Client via instrumentation-client.ts (Next.js 15.3+ pattern), server via singleton in lib/posthog-server.ts
capture()	Yes	11 events captured across client and server
identify()	Yes	posthog.identify(email, { email }) called on login/signup
Error tracking	Yes	capture_exceptions: true in client config
Reverse proxy	Yes	Rewrites configured in next.config.ts for /ingest/* paths

Issues

• Events captured before action completion: In login.tsx, security/page.tsx, and general/page.tsx, events are captured before formAction(formData) is called. If the action fails, the event still fires, leading to inaccurate analytics (e.g., tracking "user_signed_in" for failed login attempts). [CRITICAL]
• Server PostHog host configuration: posthog-server.ts uses NEXT_PUBLIC_POSTHOG_HOST which points to https://us.i.posthog.com. Server-side requests should go directly to PostHog, which they do, but the variable naming is confusing. Consider using a separate POSTHOG_HOST variable. [LOW]
• No await for posthog.capture on server: Server-side capture calls are not awaited, and posthog.shutdown() is never called in API routes, which could lead to lost events in serverless environments. [MEDIUM]

Other completed criteria

• API key via environment variable (not hardcoded)
• Correct API host configuration using reverse proxy
• posthog.reset() called on sign-out and account deletion
• Debug mode enabled in development
• UI host correctly configured for feature flags

---

PostHog insights and events: 4/5 ✅

Filename	PostHog events	Description
login.tsx	user_signed_in, user_signed_up	Core authentication funnel events with user identification
layout.tsx	user_signed_out	Session end tracking with identity reset
general/page.tsx	account_updated	Profile update tracking
security/page.tsx	password_updated, account_deleted	Security-related actions
dashboard/page.tsx	team_member_invited, team_member_removed	Team collaboration events with role context
submit-button.tsx	checkout_started	Subscription funnel entry point
stripe/checkout/route.ts	checkout_completed	Server-side purchase confirmation with rich properties
stripe/webhook/route.ts	subscription_updated, subscription_cancelled	Subscription lifecycle events

Issues

• PII in event properties: Several events include email addresses (email, invited_email) as properties. Consider using hashed identifiers or removing email from properties while keeping it only in identify(). [MEDIUM]
• Missing failure events: No events capture failed actions (failed logins, failed invites, etc.), limiting friction analysis. [LOW]

Other completed criteria

• Events represent real user actions and product flows
• Subscription funnel fully tracked: checkout_started → checkout_completed → subscription_updated → subscription_cancelled
• Team collaboration events enable growth analysis
• Events enriched with relevant properties (plan_name, subscription_id, role, etc.)
• Server-side events ensure billing data is captured reliably

---

Reviewed by wizard workbench PR evaluator