Holistic evaluations, dated
Periodic full-product evaluations — architecture, product, design, security, the lot — scored and dated. Distinct from the Build Log: that's the running record of decisions; this is where we step back and grade the whole thing.
Snapshot after permissions, reviews, @mentions + an in-app inbox, @agent, collections, browse/search, a full mobile pass, and single-container deploy.
An exceptional foundation. The architecture is honest, the publish → review → revise loop is complete, and self-host is genuinely one command — a level of coherence most products don't reach in a year. What's left is operational, not conceptual: the hardening a public, multi-tenant, internet-facing tier demands.
| Dimension | Score | Read |
|---|---|---|
| Architecture | 9.0 | Ports/adapters with a real SQLite→Postgres→D1 + fs→S3/R2 ladder, switched by env. Compile-time parity guards make "works across drivers" a typecheck. One can() choke point for authz; an outbox for webhooks instead of a queue service. Single-container or split falls out of one image. |
| Code quality | 9.0 | Strict TS (no any, no suppressions), Biome, models own their DB access, batch over N+1. The drizzle drift that had caused cross-writer bugs was root-caused and locked with a pinned version + dedupe. |
| Product & strategy | 9.0 | A coherent thesis with sharp calls that land: review the rendered experience, not a line diff, because an artifact is a whole document; an agent is just a principal at commenter rank, so safety falls out of permissions, not new trust. |
| Design & UX | 8.5 | Google-Docs-style margin comments, a rendered-experience review surface, a real mobile pass driven at 390px, a polished split login, disciplined minimal color. A notch below the engineering only because some surfaces are young. |
| Security | 8.0 | CSP sandbox with no allow-same-origin, the authz choke point, webhook SSRF guard, per-IP rate limiting, HMAC-signed payloads, enforced auth secret. Strong fundamentals; the sandbox serving domain + abuse/takedown story are correctly flagged but not yet built. |
| Testing | 9.0 | ~134 cases across seven packages: unit (the can() matrix, anchoring, diff) + API integration against real databases + multi-check end-to-end runs against real Postgres + browser verification + a nightly Playwright smoke. |
| Self-host & DX | 9.0 | One command is the whole app — docker run, SQLite + blobs in a volume, zero config. The same image scales out by adding DATABASE_URL + OBJECT_STORE_URL. One-click Railway/Fly with auto-detected URLs. Best-in-class for a young OSS product. |
| Scale & ops | 7.0 | Keyset pagination and a stateless-API option are in; but SSE + presence are in-process (Redis backplane queued), analytics grows unbounded (roll-up queued), it's single-workspace today, search is title-only, and observability is a delivery log — no metrics/tracing yet. |
The point where the loop closed: publish → comment → propose → review → revise, with @mentions and an in-app inbox, @agent as a safe contributor, collections, browse + server-side search, a full mobile pass, and a single-container deploy. Seven packages, ~134 tests, 54 API routes — built in roughly two days.
can(actor, action, visibility) gates every mutating route the same way, so a route that forgets to gate is the visible exception — not a silent hole.docker run is the whole product at one URL; the same image scales by env. That's the n8n/Ghost bar, met early.allow-same-origin CSP is the guard; a separate origin is the belt that should go with it.Dock is an exceptional foundation: the architecture is honest, the loop is complete, and self-host is one command. The core is sound — what remains is everything a public, multi-tenant, internet-facing tier demands (a sandbox domain, multi-instance fan-out, abuse controls, observability, multi-tenant). The risk isn't the code; it's the operational surface a hosted tier exposes. A−, trending up.