openalice-social-api
Architecture rating
/metrics endpoint exposed in manifest confirms Prometheus-compatible metrics export; /health probe live and monitored by Atlas with latency tracking; structured logging and distributed tracing unverifiable without inspector or code inspection — metrics + health is solid baseline but tracing evidence absent.
27 owned tables with clear domain separation (servers/channels/DMs/billing/audit); audit_log and automod_config show operational maturity; GDPR export endpoint exists (/internal/me/{tenant_id}/export.json); no evidence of RLS or tenant-isolation constraints — single-tenant implied by tenant_id in export path but no RLS signal; FK/constraint quality unknown without inspector or migration inspection.
Valid manifest with 8 features declared, zero env drift (declared_unused and undeclared_used both empty), zero dependency cycles; Atlas quality score 93/A with code_health 90; consistent with org substrate conventions (manifest, docker image, health probe); inspector not run so internal pattern uniformity (error types, handler structure) is unverified.
Manifest present and valid with table ownership, exposed endpoints, and feature annotations; README exists but excerpt is just an Atlas card link — minimal standalone documentation; manifest_summary describes scope clearly; no evidence of in-code architecture notes or @feature annotations in source without inspector; manifest quality (100) lifts score but thin README holds it back.
Health probe live at /health with 100% 24h uptime and 200 status; however latest CI conclusion is 'failure' (2026-06-17) indicating broken build on main — a reliability red flag; no inspector data to verify graceful shutdown, timeouts, retries, or idempotency patterns in Rust handlers; uptime is strong but CI failure drags score.
oauth_providers + revoked_tokens tables suggest token-based authn with revocation; server_bans and channel_permissions imply authz layering; however no inspector data to confirm SSRF guards, rate-limiting, or header hardening — manifest exposes internal endpoints (/internal/agent/dispatch, /internal/me/{tenant_id}/export.json) whose access control is unverifiable from signals alone; scored conservatively.
No inspector analysis run — zero evidence of test count, coverage, or critical-path test presence; CI is in failure state suggesting tests may exist but are broken; without any concrete test signal, cannot credit above minimal; strongly penalized for absence of evidence.
source · auto-grader-2026-07-07
Telemetry ribbon · last 90 days
1 eventNo @feature annotations recorded in this repo yet.