Engineering Audit Report: Desa Darmasaba

Status: Production Readiness Review (Critical) Auditor: Staff Technical Architect

📊 Executive Summary & Scores

The project suffers from a "Frankenstein Architecture". It attempts to run a full Elysia.js instance inside a Next.js Catch-All route.

Fractured Backend: Logic is split between standard Next.js routes (/api/auth) and embedded Elysia modules.
Stateful Dependency: Reliance on local filesystem (WIBU_UPLOAD_DIR) makes the application impossible to deploy on modern serverless platforms like Vercel.
Polluted Namespace: Routing tree contains "test/coba" folders (src/app/coba, src/app/percobaan) that would be accessible in production.

State Management Chaos: Simultaneous use of Valtio, Jotai, React Context, and localStorage.
Tight Coupling: Public pages (/darmasaba) import state directly from Admin internal states (/admin/(dashboard)/_state).
Heavy Client-Side Logic: Logic that belongs in Server Actions or Hooks is embedded in presentational components (e.g., Footer.tsx).

Framework Overhead: Running Elysia inside Next.js adds unnecessary cold-boot overhead and complexity.
Weak Validation: Widespread use of as Type casting in API handlers instead of runtime validation (Zod/Schema).
Service Integration: OTP codes are sent via external GET requests with sensitive data in the query string—a major logging risk.

Schema Over-Normalization: ~2000 lines of schema. Every minor content type (e.g., LambangDesa) is a separate table instead of a unified CMS model.
Polymorphic Monolith: FileStorage is a "god table" with optional relations to ~40 other tables, creating a massive bottleneck and data integrity risk.
Connection Mismanagement: Manual prisma.$disconnect() in API routes kills connection pooling performance.

Bypassing Optimization: Custom /api/utils/img endpoint bypasses next/image optimization, serving uncompressed assets.
Aggressive Polling: Client-side 30s polling for notifications is battery-draining and inefficient compared to SSE or SWR.

Insecure OTP Delivery: Credentials passed as URL parameters to the WhatsApp service.
File Upload Risks: Potential for Arbitrary File Upload due to direct local filesystem writes without rigorous sanitization.

Inconsistency: Mixed English/Indonesian naming (e.g., nomor vs createdAt).
Artifacts: Root directory is littered with scratch files: xcoba.ts, xx.ts, test.txt.

Architectural Fracture: Embedding Elysia inside Next.js creates a "split-brain" system.
Serverless Incompatibility: Dependency on local disk storage for uploads.
Database Bloat: Over-complicated schema with a fragile FileStorage monolith.
State Fragmentation: Mixed usage of Jotai and Valtio without a clear standard.
Credential Leakage: OTP codes sent via GET query parameters.
Poor Cleanup: Trial/Test folders and files committed to the production source.
Asset Performance: Bypassing Next.js image optimization.
Coupling: High dependency between public UI and internal Admin state.
Type Safety: Manual casting in APIs instead of runtime validation.
Connection Pooling: Inefficient Prisma connection management.

Unify the API: Decommission the Elysia wrapper. Port all logic to standard Next.js Route Handlers with Zod validation.
Stateless Storage: Implement an S3-compatible adapter for all file uploads. Remove fs usage.
Schema Consolidation: Refactor the schema to use generic content models where possible.
Standardize State: Choose one global state manager and migrate all components.
Project Sanitization: Delete all coba, percobaan, and scratch files (xcoba.ts, etc.).