Best Practices
Gap analysis against cal.diy — an open-source project on the same stack
Comparison between cal.diy (open source, same stack) and KwadMarket, written June 2026. Both are pnpm + turborepo monorepos: NestJS API, Next.js App Router, Prisma. cal.diy is the reference for "what mature production hygiene looks like on this exact stack".
How this relates to the plan
Several gaps found here were absorbed into the remediation plan and are tracked there — this section keeps the patterns and recipes (the "how cal.diy does it") so implementers don't have to rediscover them. Status below is reconciled with the code as of 2026-07-02.
Gap overview
| Gap | Severity | Status |
|---|---|---|
| Observability / Sentry | HIGH | ⬜ Open — plan phase 7 |
| Security headers + CSP | HIGH | ⬜ Open (helmet on the API is plan phase 4) |
| Structured logging | HIGH | ⬜ Open — plan phase 6 |
| CI/CD depth | HIGH | 🟡 Partial — e2e job exists now; no cancel-in-progress, no required aggregator |
| E2E coverage & fixtures | HIGH | 🟡 Partial — 3 specs run in CI (currently broken selectors, plan phase 0) |
| Env validation & JWT secret | MEDIUM | 🟡 Partial — web validated via zod; backend fail-fast is plan phase 1 |
| API layer (batching, error shapes) | MEDIUM | ⬜ Open — deliberate "no tRPC" decision, targeted improvements listed |
| DTO & error-shape normalization | LOW | 🟡 Partial — DTO coverage good; strict pipe + error shape open |
| Changesets / release management | LOW | ⬜ Not needed yet — recipe kept for when packages get external consumers |
i18n was originally part of this analysis; it's a product feature, so it lives in the roadmap (the cal.diy patterns are folded in there).
Recommended order
Additive only — no breaking changes to existing code.
1. next.config.ts — 30 min, zero risk
2. console.* with Nest Logger, 1–2 hrs
3. cancel-in-progress + required aggregator, 1 hr