Codebase Audit — April 2026
Executive Summary
The Magic e-VERSE ecosystem consists of 4 major codebases. The architecture is sound (Medusa v2, Next.js 15, multi-tenant Docker via Coolify), but the codebase has accumulated significant technical debt from rapid development under time pressure.
Repository Scorecard
| Repository | Location | Size | Commits | Score | Verdict |
|---|---|---|---|---|---|
| magic_omniverse | /mnt/data/magic_omniverse | ~80GB | 1 | 3/10 | Very messy — dead code, symlink fragmentation, no git history |
| magic_pim | /mnt/data/magic_pim | ~4GB | 2 | 4/10 | Script chaos, hardcoded creds, broken Docker configs |
| Magic-e-VERSE | ~/Magic-e-VERSE | ~4.5GB | 118 | 5/10 | Best structured, but APLT sprawl and type safety issues |
| Magic-Monitor | ~/Magic-Monitor | ~72MB | 57 | 7/10 | Cleanest project, minor issues only |
Critical Security Issues
Hardcoded Credentials in Git
The password <your-db-password> appears in committed files across all repositories:
| File | What’s Exposed |
|---|---|
| magic_omniverse/magic_commerce/magic_development/docker-compose.yml | DATABASE_URL with password, Anthropic API key, JWT/Cookie secrets |
| magic_omniverse/magic_agent/magic_agent_spranz/.env | Anthropic API key (process.env.ANTHROPIC_API_KEY...), DB password, N8N JWT token |
| magic_pim/docker-compose.yml | DB password, AWS Access Key + Secret Key, Mail password |
| magic_pim/docker-compose.prod.yml | DB password as default fallback |
| magic_pim/sync-master.js (and 10+ other root scripts) | DB password, Medusa admin password (supersecret) |
| Magic-e-VERSE/backend/.env.development | DB password, JWT_SECRET=supersecret |
| Magic-e-VERSE/backend/src/utils/tenant-db.ts | Hardcoded fallback password in getDbCredentials() |
AWS Credentials in Plaintext
In magic_pim/docker-compose.yml, the Toppoint S3 access key and secret key are committed in plaintext. These must be rotated immediately if the repo has ever been shared or pushed to a remote.
Incomplete .gitignore Coverage
All repos only ignore .env but NOT .env.development, .env.production, .env.test, or .env.local. This means environment-specific files with real credentials can and do get committed.
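The gap described above, modelled as an added example (not code from any of the audited repositories): it compares a lone `.env` rule with the `.env*` rule set and lists the environment files each one would still let into a commit. The function names, the rule arrays and the file listing are constructed for illustration.

```javascript
// Added example, not project code. Models only the basename patterns discussed
// here (literal names, a trailing "*", and "!" negation), not full gitignore syntax.
const TEMPLATES = new Set([".env.example", ".env.template"]);
const basename = (p) => p.split("/").pop();
// True for .env and every .env.<suffix> variant (.env.development, .env.local, ...).
const isEnvFile = (p) => /^\.env(\..+)?$/.test(basename(p));

function matches(pattern, path) {
  const base = basename(path);
  return pattern.endsWith("*") ? base.startsWith(pattern.slice(0, -1)) : base === pattern;
}

// gitignore semantics: the last matching rule wins, "!" re-includes a file.
function isIgnored(rules, path) {
  let ignored = false;
  for (const rule of rules) {
    const negated = rule.startsWith("!");
    if (matches(negated ? rule.slice(1) : rule, path)) ignored = !negated;
  }
  return ignored;
}

// Env files that a rule set would still let `git add` pick up, templates excluded.
function exposedEnvFiles(rules, paths) {
  return paths.filter(
    (p) => isEnvFile(p) && !TEMPLATES.has(basename(p)) && !isIgnored(rules, p)
  );
}

// Constructed working-tree listing, using file names that appear in this audit.
const workingTree = [
  "backend/.env",
  "backend/.env.development",
  "backend/.env.production",
  "backend/.env.example",
  "backend/src/utils/tenant-db.ts",
];

const CURRENT_RULES = [".env"];
const FIXED_RULES = [".env*", "!.env.example", "!.env.template"];
```

Ignore rules only stop new files from being added; anything already committed stays tracked until it is removed with `git rm --cached` and purged from history.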
Remediation Steps
- Rotate ALL exposed credentials: DB passwords, AWS keys, Anthropic API keys, JWT secrets
- Update all .gitignore files to use .env* wildcard pattern (keep only .env.example/.env.template)
- Remove secrets from git history with git filter-repo
- Move all secrets to Coolify environment variables or Vaultwarden
- Remove hardcoded password fallback from Magic-e-VERSE/backend/src/utils/tenant-db.ts
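One way to replace a hardcoded fallback such as the one in getDbCredentials() with a fail-closed check at startup. This is an added example, not code from the repositories; the variable names (`DATABASE_PASSWORD`, `JWT_SECRET`, `COOKIE_SECRET`, `DATABASE_USER`), the weak-value list and the 16-character minimum are assumptions.

```javascript
// Added example, not project code. Names and policy values are assumptions.
const REQUIRED_SECRETS = ["DATABASE_PASSWORD", "JWT_SECRET", "COOKIE_SECRET"];

// Values that must never be accepted; "supersecret" is the default the audit found.
const KNOWN_WEAK = new Set(["supersecret", "password", "changeme"]);
const MIN_LENGTH = 16; // assumed minimum length policy

// Validates every required secret and throws before the service starts serving.
function loadSecrets(env = process.env) {
  const problems = [];
  const secrets = {};
  for (const name of REQUIRED_SECRETS) {
    const value = env[name];
    if (value === undefined || value.trim() === "") {
      problems.push(`${name}: not set`);
    } else if (KNOWN_WEAK.has(value.trim().toLowerCase())) {
      problems.push(`${name}: known default value`);
    } else if (value.length < MIN_LENGTH) {
      problems.push(`${name}: shorter than ${MIN_LENGTH} characters`);
    } else {
      secrets[name] = value;
    }
  }
  if (problems.length > 0) {
    // Report variable names only; never echo the values themselves.
    throw new Error(`refusing to start: ${problems.join("; ")}`);
  }
  return Object.freeze(secrets);
}

// Hypothetical replacement for a `process.env.X || "hardcoded"` style fallback:
// a missing secret is a startup error, not a silent default.
function getDbCredentials(env = process.env) {
  const { DATABASE_PASSWORD } = loadSecrets(env);
  return { user: env.DATABASE_USER, password: DATABASE_PASSWORD };
}
```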
1. magic_omniverse — The Monorepo
The worst offender. A monorepo that isn’t really a monorepo.
Dead Weight (~40GB to Reclaim)
| Item | Size | Status |
|---|---|---|
| magic_commerce.git/ | 15GB | Obsolete bare git repo — “Old Coolify hack”, listed in .gitignore |
| _archive/ | 4.5GB | Old backend/storefront copies |
| spranz_backup/ | 6.7GB | Full backup of spranz tenant |
| magic_agent/_legacy/ | 1.2GB | Abandoned agent implementation |
| magic_development_BACKUP_20260313/ | 1.5GB | Dead backup in magic_commerce/ |
| magiceverse3.zip | 58MB | Old compressed export |
| Flowbuilder duplicates | 283MB | 3 versions of the same tool |
| Total | ~30GB | |
Symlinks Break the Monorepo
Most tenants in magic_commerce/ are symlinks to /mnt/nvme/magic_commerce/:

```
magic_brinxx -> /mnt/nvme/magic_commerce/magic_brinxx
magic_spranz -> /mnt/nvme/magic_commerce/magic_spranz
magic_default -> /mnt/nvme/magic_commerce/magic_default
```

This means:
- Git can’t track the actual tenant code
- The monorepo is split across two physical locations
- CI/CD can’t clone and build properly
No Version Control
- 1 single commit in the entire repo history (“Initial commit”)
- 63 uncommitted files in magic_b2b_glass_demo/
- No branches, no tags, no release history
Duplicate Services
| Duplicate | Versions Found | Action Needed |
|---|---|---|
| N8N instances | magic_n8n/, magic_n8n_2/, magic_n8n_3/ | Document purpose or consolidate |
| Flowbuilder | flowbuilder/ (107MB), flowbuilder2/ (176MB), nested copy | Keep 1, delete 2 |
| 3D viewer | default/, default-3d/, spranz-3d/, dev/, magic_3d/ | Document which is canonical |
Configuration Chaos
- Each service has its own Docker, env, and config approach
- Port allocation spread across dozens of compose files
- Mix of Docker-first and native-run services
- No centralized configuration management
2. magic_pim — Product Information Management
A functional Medusa v2 + Next.js 15 project buried under script chaos.
Root Directory Mess (60+ Files)
The root directory has 60+ utility scripts that should be organized:

Sync scripts (5 versions of the same thing):
- sync-aplt-to-medusa.js → v2 → v3 → v4 → sync-master.js (claims to be “v5”)
- Nobody documented which is canonical

Migration scripts (13 files):
- migrate-brinxx-to-pim.js, migrate-brinxx-to-medusa.js, migrate-aplt-clean.js, migrate-from-json.js…

Check/validation scripts (15 files):
- check-admin-rights.js, check-auth-metadata.js, check-brinxx-mysql.js, check-products.js…

Data files that don’t belong in root:
- brinxx_pg.sql — 41.5MB SQL dump
- brinxx-products.json — 3.9MB data export
- missing-products.csv — 432KB
- PDF design documents, Excel files

Windows batch files:
- docker-start.bat, docker-stop.bat, start-backend.bat, PowerShell scripts
Docker Configuration Problems
| Problem | File | Impact |
|---|---|---|
| NODE_ENV=production in dev config | docker-compose.yml | Wrong runtime behavior locally |
| Windows path D:/pim_data in prod config | docker-compose.prod.yml | Breaks on Linux |
| Runtime route override hack | Dockerfile | Copies files to override Medusa internals at startup |
| Hardcoded passwords with fallback defaults | Both compose files | Security risk |
Hard-Linked npm Dependency
```
"@magiverse/i18n": "link:/mnt/data/magic_omniverse/packages/magiverse-i18n"
```

This absolute path in storefront/package.json breaks CI/CD and any build that doesn’t have the exact same filesystem layout.
Minimal Git History
Only 2 commits in the entire repo. No branches, no meaningful change trail.
3. Magic-e-VERSE — Main Application
The most actively developed project. Better structured, but growing pains are showing.
APLT Module Explosion
38 subdirectories under /api/admin/aplt/ with 155 route.ts files across the entire API layer. Admin routes are numbered (00-*, 01-*, 02-*) for sidebar ordering, which is brittle.
Ghost/Duplicate Routes
| Route | Alongside | Status |
|---|---|---|
| chloe-order/ | orders/ | Unknown — experimental? deprecated? |
| chloe-product/ | products/ | Unknown — same question |
| chloe-customer/ | customers/ | Unknown — same question |
Nobody documented whether the “chloe-*” routes are experimental, deprecated, or active.
TypeScript Quality Issues
- 111 instances of any type across the codebase
- catch (err: any) pattern repeated 12+ times
- No shared error handling abstraction
Unfinished Features (17 TODOs)
| File | TODO |
|---|---|
| aplt/goods-receipts/[id]/route.ts | Create stock movements |
| aplt/dunning/[id]/route.ts | Actually send email |
| aplt/purchase-invoices/[id]/route.ts | Create journal entry |
| account/profile-password/index.tsx | Add password update support |
| account/profile-email/index.tsx | Support updating emails |
| page-builder/newsletter-section.tsx | Implement newsletter API |
| cart/components/item/index.tsx | Grab actual max inventory |
| lib/brands/brand-context.tsx | Fetch from DB (2x) |
| app/admin/brands/page.tsx | Save to database via API |
Dependency Risks
| Issue | Package | Risk |
|---|---|---|
| Pre-release in production | react: 19.0.0-rc-... | Potential breaking changes |
| Unpinned critical dep | @medusajs/js-sdk: "latest" | Could break on any install |
| Unused dependency | mysql2 | PostgreSQL is the primary DB |
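A check for the dependency patterns flagged in this audit (floating `latest` tag, pre-release version, and the absolute `link:` path in storefront/package.json), suitable for a CI step. This is an added example, not project code; `samplePkg` is constructed, and the `rc` suffix and the `next` version in it are placeholders.

```javascript
// Added example, not project code. Flags three risky dependency spec patterns.
const FLOATING_TAGS = new Set(["latest", "next", "*", ""]);

function classifySpec(spec) {
  const s = String(spec).trim();
  if (FLOATING_TAGS.has(s)) return "floating tag, resolves differently on every install";
  // link:/file:/portal: with an absolute POSIX or Windows path exists on one machine only.
  const local = s.match(/^(link|file|portal):(.*)$/);
  if (local && (/^\//.test(local[2]) || /^[A-Za-z]:[\\/]/.test(local[2]))) {
    return "absolute local path, breaks on any other filesystem layout";
  }
  // Semver pre-release such as 1.2.3-rc.1, with an optional ^ or ~ range prefix.
  if (/^[\^~]?\d+\.\d+\.\d+-[0-9A-Za-z.-]+/.test(s)) return "pre-release version";
  return null;
}

// Returns one finding per risky entry across the dependency sections.
function auditDependencies(pkg) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const reason = classifySpec(spec);
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Constructed package.json fragment; the rc suffix and "next" version are placeholders.
const samplePkg = {
  dependencies: {
    "react": "19.0.0-rc-0000000",
    "@medusajs/js-sdk": "latest",
    "@magiverse/i18n": "link:/mnt/data/magic_omniverse/packages/magiverse-i18n",
    "next": "15.0.0",
  },
};
```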
Abandoned Code in Tree
- magiceverse_evolved/ (96KB) — appears abandoned
- magic_agent/ (60KB) — just API stubs
Production Logging
50+ console.log() statements in production connector code. No structured logging, no log levels, no filtering.
4. Magic-Monitor — Monitoring Dashboard
The cleanest project. Well-structured Express + React + Vite with proper separation of concerns.
What’s Good
- Clean folder structure with logical module grouping
- No code duplication
- Proper SQL parameterization (safe from injection)
- Multi-stage Docker build with healthcheck
- Dead man’s switch pattern for collector monitoring
- Consecutive failure tracking for alerts
Issues Found
Vitest configured in package.json but zero test files exist. Critical for a system that fires Slack/WhatsApp alerts.
11 tenants hardcoded in src/db/seed.ts. Adding a new tenant requires a code change + rebuild. Should be database-driven.
Scattered throughout with no constants file:
- 5 minute poll interval
- 10 minute stale threshold
- 15 minute alert dedup window
- 30/90 day retention windows
- 26 hour connector threshold
Slack notification failures are silently swallowed in src/alerts/index.ts:
```
catch {
  return false; // No logging
}
```

GitHub Actions pipeline runs npm ci + npm run build only. No tests, no linting, no type checking, no security scanning.
Cross-Cutting Problems
Zero Test Coverage
| Repo | Test Files | Business Logic Lines |
|---|---|---|
| magic_omniverse | 0 | 10,000+ |
| magic_pim | 0 | 5,000+ |
| Magic-e-VERSE | 1 (health endpoint only) | 15,000+ |
| Magic-Monitor | 0 | 3,000+ |
| Total | 1 | ~30,000+ |
No Structured Logging
Every repo uses raw console.log() and console.error(). No log levels, no structured JSON output, no filtering. Debugging production issues is extremely difficult.
Configuration Sprawl
The same database password is defined in 10+ locations across 4 repos. Port numbers, URLs, and secrets are hardcoded in docker-compose files, source code, utility scripts, and environment files. No single source of truth.
Git Hygiene
| Repo | Commits | Branches | Uncommitted Files |
|---|---|---|---|
| magic_omniverse | 1 | 1 | 63 files |
| magic_pim | 2 | 1 | 13+ files |
| Magic-e-VERSE | 118 | 18 | yarn.lock |
| Magic-Monitor | 57 | 6 | .gitignore |
Only Magic-e-VERSE and Magic-Monitor have real git history. The other two repos are essentially unversioned codebases.
Deployment Risk
All 11+ tenants share the same codebase and deployment pipeline. One bad commit breaks every tenant simultaneously. No staging environment, no canary deployments, no rollback mechanism beyond “fix forward.”
Workspace Hygiene
Home Directory Clutter
- 31 screenshots scattered in ~/ — sidebar iterations, dark/light mode variants, portal mockups
- Abandoned feature dir: ~/magic-logo-moodshot-updates/ with 5 different “apply” scripts from February 2026
- Critical reports loose in home: e2e-test-report-aplt-flow.md (NO-GO verdict), spranz-beta-devdocs.md (NOT production ready), n8n-orchestration-analysis.mdx
Cleanup Plan
Phase 1: Security (This Week)
- Rotate ALL exposed credentials — DB password, AWS keys, Anthropic API keys, JWT secrets (~2h)
- Update all .gitignore files — use .env* wildcard, keep only .env.example (~30min)
- Remove secrets from git history — git filter-repo on each repo (~1h per repo)
- Move all secrets to Coolify env vars — single source of truth (~2h)
- Remove hardcoded password fallback from tenant-db.ts (~15min)
Phase 2: Dead Code Removal (This Week)
| Task | Space Freed | Effort |
|---|---|---|
| Delete magic_commerce.git/ (needs sudo, owned by adminwayne) | 15GB | 5min |
| Delete _archive/ | 4.5GB | 5min |
| Delete spranz_backup/ | 6.7GB | 5min |
| Delete magic_agent/_legacy/ | 1.2GB | 5min |
| Delete magic_development_BACKUP_20260313/ | 1.5GB | 5min |
| Delete magiceverse3.zip | 58MB | 5min |
| Consolidate flowbuilder (keep 1, delete 2) | 283MB | 15min |
| Remove Magic-e-VERSE/magiceverse_evolved/ | 96KB | 5min |
| Archive or delete ~/magic-logo-moodshot-updates/ | 216KB | 5min |
| Organize ~/ screenshots into ~/screenshots/ | — | 10min |
| Total | ~30GB | ~1.5h |
Phase 3: Code Organization (This Sprint)
| Task | Effort |
|---|---|
| Move PIM root scripts into scripts/migrations/, scripts/sync/, scripts/checks/ | 1h |
| Delete old script versions, document which are canonical | 1h |
| Move SQL dumps and data files to data/ directory | 30min |
| Fix PIM docker-compose: remove Windows path, fix NODE_ENV, externalize secrets | 1h |
| Resolve chloe-* route duplication in Magic-e-VERSE | 1h |
| Pin @medusajs/js-sdk to specific version | 15min |
| Replace link:/mnt/data/... dependency with proper package reference | 30min |
Phase 4: Quality Infrastructure (Next Sprint)
| Task | Effort |
|---|---|
| Add structured logging (Pino) to all services | 1-2 days |
| Replace 111 any types in Magic-e-VERSE | 1 day |
| Add unit tests for APLT order processing | 2 days |
| Add integration tests for supplier connectors | 1 day |
| Add tests for Magic-Monitor alert logic | 1 day |
| Set up shared ESLint + Prettier config | 2h |
| Update CI pipelines to run tests + linting | 2h |
| Pin React to stable release | 1h |
Phase 5: Architecture (Longer Term)
| Task | Effort |
|---|---|
| Resolve magic_omniverse symlinks — proper monorepo or separate repos | 1 week |
| Establish proper git workflow for omniverse and PIM | 1 day |
| Make Magic-Monitor tenants database-driven | 2h |
| Extract APLT constants into config files | 2h |
| Document N8N instance purposes (or consolidate) | 2h |
| Add staging environment for tenant safety | 1 week |
Appendix: Dead Code Inventory
```
# Files to delete (~30GB)
/mnt/data/magic_omniverse/magic_commerce.git/ # 15GB (needs sudo)
/mnt/data/magic_omniverse/_archive/ # 4.5GB
/mnt/data/magic_omniverse/spranz_backup/ # 6.7GB
/mnt/data/magic_omniverse/magic_agent/_legacy/ # 1.2GB
/mnt/data/magic_omniverse/magic_commerce/magic_development_BACKUP_20260313/ # 1.5GB
/mnt/data/magic_omniverse/magiceverse3.zip # 58MB
/mnt/data/magic_omniverse/magic_agent/flowbuilder2/ # 176MB
~/Magic-e-VERSE/magiceverse_evolved/ # 96KB
~/magic-logo-moodshot-updates/ # 216KB
```

Appendix: Files with Hardcoded Credentials
```
# All of these contain plaintext passwords or API keys:
/mnt/data/magic_omniverse/magic_agent/magic_agent_spranz/.env
/mnt/data/magic_omniverse/magic_commerce/magic_development/docker-compose.yml
/mnt/data/magic_pim/docker-compose.yml
/mnt/data/magic_pim/docker-compose.prod.yml
/mnt/data/magic_pim/sync-master.js
/mnt/data/magic_pim/migrate-brinxx-to-pim.js
/mnt/data/magic_pim/backend/.env.development
~/Magic-e-VERSE/backend/.env.development
~/Magic-e-VERSE/backend/src/utils/tenant-db.ts
```