https://blog.abhipraya.dev/tags/code-quality/Recent content in Code-Quality on Daffa AbhiprayaHugoen-us© Daffa AbhiprayaWed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-code-quality/Wed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-code-quality/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Two weeks of quality infrastructure: wiring in the tools that measure test quality (week 1), then shortening the feedback loop so that signal actually influences the code being written (week 2). Starting state: 91% line coverage, no mutation testing, integration test coverage missing from SonarQube. Ending state: combined unit + integration coverage in SonarQube, mutmut + Stryker running per-MR with results in the CI comment, API mutation score 80.3%.</p>https://blog.abhipraya.dev/ppl/part-b/s2w2-code-quality/Mon, 30 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w2-code-quality/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>This week I overhauled the CI quality feedback loop with four related MRs. Before this week, quality checks existed but results had to be hunted down manually in GitLab&rsquo;s CI panel. After this week, every MR automatically receives quality reports as inline comments, and the SonarQube gate blocks merges that would lower the quality standard.</p> <hr> <h2 id="sonarqube-quality-gate-in-mr-comments"> <a class="anchor" href="#sonarqube-quality-gate-in-mr-comments" data-anchor="sonarqube-quality-gate-in-mr-comments" aria-hidden="true">#</a> SonarQube Quality Gate in MR Comments </h2> <p>MR !132 (SIRA-231) added a <code>sonar-scan</code> post-processing step that fetches the quality gate result from SonarQube and posts it directly as an MR comment via the GitLab API.</p>https://blog.abhipraya.dev/ppl/part-b/s2w1-code-quality/Mon, 23 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w1-code-quality/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>This week I enforced strict quality gates across the entire CI pipeline. The project previously had <code>allow_failure: true</code> on SonarQube and security scans, meaning violations were reported but never blocked merges. I changed that.</p> <h2 id="sonarqube-31-violations--0"> <a class="anchor" href="#sonarqube-31-violations--0" data-anchor="sonarqube-31-violations--0" aria-hidden="true">#</a> SonarQube: 31 Violations → 0 </h2> <h3 id="the-violations"> <a class="anchor" href="#the-violations" data-anchor="the-violations" aria-hidden="true">#</a> The Violations </h3> <p>SonarQube flagged 31 issues across the codebase:</p> <ul> <li><strong>1 CRITICAL vulnerability</strong>: <code>jwt.get_unverified_header()</code> reading JWT headers without signature verification</li> <li><strong>3 CRITICAL code smells</strong>: duplicated string literals, nested component definitions</li> <li><strong>27 other issues</strong>: unused variables, missing <code>Readonly&lt;&gt;</code> on props, duplicate CSS blocks, array index keys</li> </ul> <h3 id="the-fixes"> <a class="anchor" href="#the-fixes" data-anchor="the-fixes" aria-hidden="true">#</a> The Fixes </h3> <p><strong>Backend</strong> (3 files): Refactored JWT decode to try HS256 first and fall back to asymmetric on <code>DecodeError</code>, eliminating the unverified header call entirely. Extracted duplicated literals to constants.</p>https://blog.abhipraya.dev/ppl/part-b/s1w3-code-quality/Fri, 13 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s1w3-code-quality/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>This week I extended the CI quality pipeline with two significant additions: a <strong>migration dry-run validation job</strong> that catches invalid SQL before merge (MR !67), and ongoing enforcement of zero SonarQube issues across the codebase. The pre-commit hook stack also proved its value by catching issues during the heavy development push of 14 MRs.</p> <h2 id="new-ci-job-migration-dry-run-validation"> <a class="anchor" href="#new-ci-job-migration-dry-run-validation" data-anchor="new-ci-job-migration-dry-run-validation" aria-hidden="true">#</a> New CI Job: Migration Dry-Run Validation </h2> <p>The most impactful quality improvement this week was adding <code>migrate:check</code> to the CI pipeline (MR !67, SIRA-98). This job runs <code>supabase db push --dry-run</code> on every MR pipeline, validating that migration files are syntactically correct and compatible with the remote database before the MR can be merged.</p>https://blog.abhipraya.dev/ppl/part-b/s1w2-code-quality/Wed, 04 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s1w2-code-quality/<h2 id="the-tool-stack"> <a class="anchor" href="#the-tool-stack" data-anchor="the-tool-stack" aria-hidden="true">#</a> The Tool Stack </h2> <table> <thead> <tr> <th>Layer</th> <th>Tool</th> <th>Scope</th> </tr> </thead> <tbody> <tr> <td>Frontend lint + format</td> <td><a href="https://biomejs.dev">Biome</a></td> <td>TypeScript/TSX, 40+ enforced rules</td> </tr> <tr> <td>Frontend dead code</td> <td><a href="https://knip.dev">Knip</a></td> <td>Unused exports, imports, dependencies</td> </tr> <tr> <td>Frontend types</td> <td><code>tsc --noEmit</code></td> <td>TypeScript type checking</td> </tr> <tr> <td>Backend lint + format</td> <td><a href="https://docs.astral.sh/ruff/">Ruff</a></td> <td>Python, F401/F841 + style rules</td> </tr> <tr> <td>Backend types</td> <td><a href="https://mypy.readthedocs.io">mypy</a></td> <td>Python static types, strict mode</td> </tr> <tr> <td>CI quality gate</td> <td><a href="https://sonarqube.cs.ui.ac.id">SonarQube</a></td> <td>Coverage, code smells, security hotspots</td> </tr> </tbody> </table> <h2 id="pre-commit-hooks-husky"> <a class="anchor" href="#pre-commit-hooks-husky" data-anchor="pre-commit-hooks-husky" aria-hidden="true">#</a> Pre-commit Hooks (Husky) </h2> <p>Five checks run sequentially on every <code>git commit</code>. A failure at any step blocks the commit:</p>