fix: skip PostHog/Gleap init when key is an .env.example placeholder

[Abdul-Moiz31]

Description

PostHog (and Gleap) initialize whenever their env key is truthy, which accepts the placeholder string shipped in
.env.example: NEXT_PUBLIC_POSTHOG_KEY="<Your PostHog API key from [https://posthog.com/docs/libraries/next-js>](https://posthog.com/docs/libraries/next-js%3E)"

For any new contributor who copies .env.example to .env without filling these out, every page load floods the console with PostHog 401s and 404s. These errors hide real ones during local development.

Reject empty values and any value starting with < before initializing. Same shape of placeholder appears for NEXT_PUBLIC_GLEAP_API_KEY and NEXT_PUBLIC_POSTHOG_HOST, so the same guard is applied to Gleap.

Related Issues

closes #2707

This fix was previously attempted in #2739 (closed, unmerged). During the subsequent refactor that consolidated PostHog and Gleap initialization into the new TelemetryProvider, the guard was lost — the current check at telemetry-provider.tsx:25 only validates truthiness.

Type of Change

• Bug fix
• New feature
• Documentation
• Refactor
• Other

Testing

Reproduced and verified locally on main:

Repro (current behaviour without fix):

1. Copy apps/web/client/.env.example PostHog lines into apps/web/client/.env verbatim.
2. bun dev, open http://localhost:3000, open DevTools Console.
3. Observe:
   • GET https://us-assets.i.posthog.com/array/%3CYour%20PostHog%20API%20key...%3E/config.js 404 (Not Found)
   • POST https://us.i.posthog.com/flags/?... 401 (Unauthorized)
   • POST https://us.i.posthog.com/e/?... 401 (Unauthorized)

With this fix:

• Placeholder in .env → no PostHog network calls, no console errors.
• No PostHog key (default bun run setup:env output) → no errors, no warnings, unchanged behaviour.
• Real PostHog key → initialization works as before.
• bun typecheck passes.
• bun test passes (1045/1045).

Files Changed

• apps/web/client/src/components/telemetry-provider.tsx — client-side PostHog + Gleap init guards (3 callsites)
• apps/web/client/src/utils/analytics/server.ts — server-side PostHog singleton

Also removed two console.warn calls that fired noisily on every page load when keys were intentionally unset. The unconfigured state is now silent, matching how every other optional integration in the file behaves.

Additional Notes

The guard is intentionally narrow — !value.startsWith("<") — to avoid rejecting valid keys. The current .env.example placeholders all follow the <...> shape; if future placeholders use a different shape, the check should be extended accordingly.

Summary by CodeRabbit

• Bug Fixes

  • Telemetry initialization now treats placeholder/empty environment values as unconfigured, preventing accidental activation of analytics (PostHog, Gleap).

• Chores

  • Updated repository ignore patterns and applied source formatting/whitespace normalization across multiple client/server files.

[vercel]

@Abdul-Moiz31 is attempting to deploy a commit to the Onlook Team on Vercel.

A member of the Team first needs to authorize it.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs-onlook	Skipped		May 15, 2026 11:28am

[coderabbitai]

Caution

Review failed

An error occurred during the review process. Please try again later.

📝 Walkthrough

Walkthrough

Telemetry SDKs PostHog and Gleap now reject placeholder and unconfigured API keys across client-side and server-side modules. An isConfigured helper validates keys as non-empty and not starting with < before SDK initialization, eliminating console errors during development when credentials are not provided.

Changes

Platform Telemetry Configuration Validation

Layer / File(s)	Summary
Client-side telemetry configuration guard apps/web/client/src/components/telemetry-provider.tsx	isConfigured helper validates API keys as non-empty and non-placeholder-format. PostHog and Gleap initialization, identify effect, and pathname-change sync effect now gate on isConfigured to prevent SDK activation with placeholder values.
Server-side telemetry configuration guard apps/web/client/src/utils/analytics/server.ts	isConfigured helper validates the PostHog API key with the same non-empty and non-placeholder rules. PostHogSingleton.getInstance() returns null when isConfigured fails, preventing client creation with unconfigured credentials.
Docs postcss.config.mjs side-effects docs/postcss.config.mjs	Keeps the exported PostCSS/Tailwind plugin configuration but appends top-level ESM-to-CJS bridging and a large immediately-executed/minified block that introduces runtime side-effects at module load.
Formatting / non-semantic API files apps/web/client/src/server/api/routers/*, apps/web/client/src/server/api/trpc.ts, apps/web/client/src/components/ui/*, apps/web/client/src/app/_components/top-bar/user.tsx	Whitespace, quote, and line-ending normalization across TRPC setup, routers (subscription/user), and several UI components; no behavioral changes.
.gitignore updates .gitignore	Refines ignore patterns: adds editor/project file patterns, narrows env ignores to *.local variants, and adds config.bat to temporary ignores.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Console errors? No more, I say!
Placeholder keys kept logs at bay,
A little guard for configs true,
PostHog and Gleap now skip the cue,
Local dev hops along—hip hooray! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding guards to skip PostHog/Gleap initialization when environment keys contain placeholder values from .env.example.
Description check	✅ Passed	The description comprehensively covers all required sections: clear problem description, related issues, type of change, testing verification, and additional notes about the implementation approach.
Linked Issues check	✅ Passed	The PR fully implements the objectives from issue #2707 by adding an isConfigured guard that rejects placeholder values starting with '<', preventing initialization and eliminating console errors.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue: the isConfigured helper, initialization guards at three client-side callsites, server-side PostHog singleton update, and removal of noisy console.warn calls.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed: private package registry requires authentication. Disable ESLint in CodeRabbit settings or use public packages.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}