7.1 KiB
7.1 KiB
Bulletproof React Audit Criteria
Complete checklist for auditing React/TypeScript applications against Bulletproof React architecture principles.
1. Project Structure
Feature-Based Organization
- 80%+ of code organized in src/features/
- Each feature has its own directory
- Features are independent (no cross-feature imports)
- Feature subdirectories: api/, components/, hooks/, stores/, types/, utils/
Top-Level Directories
- src/app/ exists (application layer)
- src/features/ exists and contains features
- src/components/ for truly shared components only
- src/hooks/ for shared custom hooks
- src/lib/ for third-party configurations
- src/utils/ for shared utilities
- src/types/ for shared TypeScript types
- src/stores/ for global state (if needed)
Unidirectional Dependencies
- No cross-feature imports
- Shared code imported into features (not vice versa)
- App layer imports from features
- Clean dependency flow: shared → features → app
2. Component Architecture
Component Design
- Components < 300 lines of code
- No large components (> 500 LOC)
- Components accept < 7-10 props
- No nested render functions
- Component colocation (near where used)
- Proper use of composition over excessive props
File Organization
- Kebab-case file naming
- Components colocated with tests
- Styles colocated with components
- Feature-specific components in features/
- Only truly shared components in src/components/
Abstraction
- No premature abstractions
- Repetition identified before creating abstractions
- Components are focused and single-purpose
3. State Management
State Categories
- Component state with useState/useReducer
- Global state with Context, Zustand, or Jotai
- Server cache state with React Query or SWR
- Form state with React Hook Form or Formik
- URL state with React Router
State Localization
- State as local as possible
- Global state only when necessary
- No single massive global state object
- Context split into multiple focused providers
Server State
- React Query or SWR for API data
- Proper caching configuration
- No manual loading/error state for API calls
- Optimistic updates where appropriate
4. API Layer
Centralized Configuration
- Single API client instance
- Configured in src/lib/
- Base URL configuration
- Request/response interceptors
- Error handling interceptors
Request Organization
- API calls colocated in features/*/api/
- Type-safe request declarations
- Custom hooks for each endpoint
- Validation schemas with types
- Proper error handling
5. Testing Strategy
Coverage
- 80%+ line coverage
- 75%+ branch coverage
- 100% coverage on critical paths
- Coverage reports generated
Testing Trophy Distribution
- ~70% integration tests
- ~20% unit tests
- ~10% E2E tests
Test Quality
- Tests named "should X when Y"
- Semantic queries (getByRole, getByLabelText)
- Testing user behavior, not implementation
- No brittle tests (exact counts, element ordering)
- Tests isolated and independent
- No flaky tests
Testing Tools
- Vitest or Jest configured
- @testing-library/react installed
- @testing-library/jest-dom for assertions
- Playwright or Cypress for E2E (optional)
6. Styling Patterns
Styling Approach
- Consistent styling method chosen
- Component library (Chakra, Radix, MUI) OR
- Utility CSS (Tailwind) OR
- CSS-in-JS (Emotion, styled-components)
- Styles colocated with components
Design System
- Design tokens defined
- Color palette established
- Typography scale defined
- Spacing system consistent
7. Error Handling
Error Boundaries
- Multiple error boundaries at strategic locations
- Route-level error boundaries
- Feature-level error boundaries
- User-friendly error messages
- Error recovery mechanisms
API Errors
- API error interceptors configured
- User notifications for errors
- Automatic retry logic where appropriate
- Unauthorized user logout
Error Tracking
- Sentry or similar service configured
- User context added to errors
- Environment-specific error handling
- Source maps configured for production
8. Performance
Code Splitting
- React.lazy() for route components
- Suspense boundaries with loading states
- Large features split into chunks
- Bundle size monitored and optimized
React Performance
- State localized to prevent re-renders
- React.memo for expensive components
- useMemo for expensive calculations
- useCallback for stable function references
- Children prop optimization patterns
Asset Optimization
- Images lazy loaded
- Images in modern formats (WebP)
- Responsive images with srcset
- Images < 500KB
- Videos lazy loaded or streamed
9. Security
Authentication
- JWT stored in HttpOnly cookies (not localStorage)
- Secure session management
- Token refresh logic
- Logout functionality
Authorization
- RBAC or PBAC implemented
- Protected routes
- Permission checks on actions
- API-level authorization
XSS Prevention
- Input sanitization (DOMPurify)
- No dangerouslySetInnerHTML without sanitization
- Output encoding
- Content Security Policy
CSRF Protection
- CSRF tokens for state-changing requests
- SameSite cookie attribute
- Verify origin headers
10. Standards Compliance
ESLint
- .eslintrc or eslint.config.js configured
- React rules enabled
- TypeScript rules enabled
- Accessibility rules (jsx-a11y)
- Architectural rules (import restrictions)
TypeScript
- strict: true in tsconfig.json
- No
anytypes - Explicit return types
- Type definitions for third-party libraries
- Types colocated with features
Prettier
- Prettier configured
- Format on save enabled
- Consistent code style
- .prettierrc configuration
Git Hooks
- Husky configured
- Pre-commit linting
- Pre-commit type checking
- Pre-commit tests (optional)
File Naming
- Kebab-case for files and directories
- Consistent naming conventions
- ESLint rule to enforce naming
Absolute Imports
- TypeScript paths configured (@/ prefix)
- Imports use @/ instead of relative paths
- Easier refactoring and moving files
Compliance Scoring
Grade Scale
- A (90-100): Excellent Bulletproof React compliance
- B (80-89): Good compliance, minor improvements needed
- C (70-79): Moderate compliance, significant refactoring recommended
- D (60-69): Poor compliance, major architectural changes needed
- F (<60): Non-compliant, complete restructuring required
Category Weights
All categories weighted equally for overall score.
Note: This checklist represents the ideal Bulletproof React architecture. Adapt based on your project's specific needs and constraints while maintaining the core principles.