ReviqueInc GitHub Repository Analysis Report

Executive Summary

Overall Portfolio Health

/ 100

Portfolio Health Score: C (52/100)

The ReviqueInc portfolio is in a transitional state. revique-web is an actively developed, well-structured modern frontend with CI/CD in place. hptinvoices is a legacy Node.js backend still under active development via Bitbucket-era conventions. The remaining three repositories — hptui, reviqueui-2.0, and reviqueui — are archived mirrors of Bitbucket repositories with no ongoing GitHub workflows. The portfolio is dragged down by absent branch protection, disabled Dependabot, missing documentation, and no automated testing in most repos.

Total Repos

Active Repos

Archived Repos

0/5

Branch Protection

0/5

Dependabot Enabled

1/5

CI/CD Workflows

Total TODOs/FIXMEs

Open PRs (active)

🔴 Top 5 Critical Issues

No branch protection on any repository
All 5 repos allow direct force-pushes to default branches. No required reviews, status checks, or admin enforcement.
Dependabot security alerts disabled across all repos
No automated vulnerability scanning on any repository. Active repos with 48+ npm dependencies are unmonitored.
hptui runs Angular 7 (EOL since April 2020)
Angular 7 reached end-of-life in April 2020. While archived, it remains referenced and may still be deployed.
hptinvoices CI/CD relies on legacy Bitbucket Pipelines + AWS CodeCommit SSH keys hardcoded in pipeline config
Exposed IAM username keys in bitbucket-pipelines.yml. No GitHub Actions workflow exists for this repo.
reviqueui-2.0 is an empty repository
Only contains a .gitignore. The migration from Bitbucket apparently failed — no source code was committed.

🟢 Top 5 Quick Wins

Enable Dependabot on revique-web and hptinvoices
One-click action in GitHub Settings → Security. Immediately adds automated dependency vulnerability alerts.
Add branch protection to revique-web main/develop/uat
Require at least 1 PR approval + passing CI checks before merging. Takes ~5 minutes to configure.
Add LICENSE and CONTRIBUTING.md to revique-web
revique-web has a README but no LICENSE or contributing guide. Critical for internal clarity.
Migrate hptinvoices to GitHub Actions
Replace the Bitbucket Pipelines YAML with a GitHub Actions workflow. Eliminates the dual-VCS overhead and centralises CI/CD.
Add repo topics/tags to all repositories
No repository has any GitHub topics. Adding tags (e.g. react, angular, typescript, healthcare) improves discoverability and org tooling.

Repository Comparison Table

Repository	Status	Language	Default Branch	Branches	Last Push	Open PRs	Contributors	Workflows	Branch Protection	Dependabot	README	Tests	TODOs	Health Score
revique-web	ACTIVE	JavaScript/TS	`main`	68	2026-05-08	7	0 (anon)	4 workflows	NONE	DISABLED	YES	1 file	39	68
hptinvoices	ACTIVE	JavaScript	`develop`	100+	2026-05-04	0	6	0 (Bitbucket only)	NONE	DISABLED	NO	0	15	42
hptui	ARCHIVED	TypeScript	`master`	40	2024-04-26	0	6	0	NONE	N/A	YES	138 spec files	34	35
reviqueui-2.0	ARCHIVED/EMPTY	None	`develop`	1	2025-07-02	0	1	0	NONE	N/A	NO	0	0	10
reviqueui	ARCHIVED	TypeScript	`develop`	21	2025-07-20	0	3	0	NONE	N/A	NO	0	8	40

revique-web

ACTIVE PRIMARY

Parallel Revique web app — modern React/TypeScript frontend hosted on Cloudflare Workers

Language: JavaScript/TypeScript Default Branch: main Branches: 68 Last Push: 2026-05-08 Size: 4,266 KB

1. Repository Overview & Metadata

Active

Status

Branches

Open PRs

831

Total Files

Property	Value
Framework	React 19 Vite 5 TypeScript 5.5
UI Library	Chakra UI v3 Framer Motion
Deployment	Cloudflare Workers Static Assets
Branch Flow	`feature/* → develop → uat → main`
Created	2026-05-01
Last Updated	2026-05-08 (today)
Stars	1
Private	Yes
Topics/Tags	None configured
Wiki	Disabled

68 branches is very high for a single repository. Many are Codex-generated feature branches (RWA-549 through RWA-608) and batch branches that should be pruned after merging.

2. CI/CD & Workflows

revique-web is the only repository with GitHub Actions workflows configured. 349 total runs recorded, all recent runs successful.

Workflow File	Trigger	Target	Status
`deploy-develop.yml`	Push to `develop`, manual	Cloudflare develop env	Active / Passing
`deploy-uat.yml`	Push to `uat`, manual (with ref input)	Cloudflare UAT env	Active
`deploy-production.yml`	Manual only (requires ref input)	Cloudflare production	Active
`request-uat-promotion.yml`	Manual (source/target branch inputs)	PR creation + Slack	Active

Recent Run Activity (last 20 runs)

Branch Commit Notify

16 runs

100% ✓

Deploy Develop

4 runs

100% ✓

Gap: No automated test runner in CI pipeline. Workflows deploy directly without a lint/test gate. Recommend adding an npm run lint and test step before deploy jobs.

Gap: Production deploy is manual-only (good for safety), but there is no automated smoke test or rollback step configured.

3. Branch Strategy & Pull Requests

The branch strategy follows a trunk-based model: feature/* → develop → uat → main. Codex-generated branches follow the naming convention codex/RWA-XXX-description.

Open Pull Requests (7)

PR #	Title	Author	Opened
#91	Batch develop merge 20260508-0544	farhan-revique	2026-05-08
#90	RWA-608: Restore child appointment service list	farhan-revique	2026-05-08
#89	RWA-607: Autofill appointment duration from selected service	farhan-revique	2026-05-08
#42	RWA-568: Open no-show reschedule in appointment drawer	farhan-revique	2026-05-07
#41	RWA-566: Harden schedule checkout handoff	farhan-revique	2026-05-07
#25	RWA-554: Enable Add Notes save	farhan-revique	2026-05-06
#20	RWA-549: Add transaction history actions	farhan-revique	2026-05-06

Critical: No branch protection rules on main, develop, or uat. All 30 sampled closed PRs were merged (100% merge rate) — but without required reviews, any collaborator can merge unreviewed code directly to production-bound branches.

PRs #20 and #25 have been open for 2+ days. Consider setting a SLA for PR review turnaround.

4. Security & Dependencies

Dependabot disabled. With 27 runtime dependencies and 21 devDependencies, automated vulnerability scanning is essential and currently absent.

Runtime Dependencies (27)

Package	Version Spec	Category
react / react-dom	`^19`	Core Framework
@chakra-ui/react	`^3.19.1`	UI Library
axios	`^1.9.0`	HTTP Client
react-router-dom	`^7.5.2`	Routing
react-hook-form	`^7.56.1`	Forms
dayjs	`^1.11.13`	Date/Time
framer-motion	`^12.9.2`	Animation
xlsx	`^0.18.5`	Excel Export
jspdf / jspdf-autotable	`^3.0.1 / ^5.0.2`	PDF Generation
recharts	`^2.15.3`	Charts
styled-components	`^6.4.1`	CSS-in-JS
react-payment-inputs	`^1.2.0`	Payment UI
@react-pdf/renderer	`^4.3.0`	PDF Rendering
vite-plugin-pwa	`^1.0.1`	PWA Support

Note: xlsx@0.18.5 (SheetJS Community Edition) is known to have had security advisories in older builds. Recommend verifying this is the latest community edition and consider switching to exceljs for AGPL-free licensing.

Secret Scan Results

No hardcoded secrets detected in .js, .ts, .env, or .json files. API keys appear to be properly managed via GitHub Actions environment variables (vars.*).

Code Quality Indicators

ESLint configured (eslint.config.js)
Prettier configured (via devDependency)
lint-staged configured for pre-commit formatting
Husky devDependency present (though .husky/ directory not found in shallow clone — verify prepare script runs)
TypeScript strict mode via typescript-eslint

No unit tests found (only 1 test-related file detected)
39 TODO/FIXME/HACK comments in source code
No SECURITY.md policy

5. Code Quality & Documentation

Documentation Files

README.md — present and informative

CONTRIBUTING.md — missing
CHANGELOG.md — missing
LICENSE — missing
SECURITY.md — missing

Project Structure

src/components/pages/ — page components (patient, dashboard, checkout, scheduling, admin)
src/components/common/ — shared UI (sidebar, header, listing, datepicker)
src/utils/ — hooks, context, API clients, types
legacy-admin/ — embedded legacy admin module
docs/ — internal documentation directory
scripts/ — build/utility scripts

TODO/FIXME/HACK Distribution

39 TODO/FIXME/HACK annotations found in JS/TS source files. These should be tracked as GitHub Issues rather than inline comments to prevent technical debt accumulation.

Recommendations

Priority	Action
HIGH	Enable branch protection on main, develop, and uat branches
HIGH	Enable Dependabot for npm dependencies
MED	Add a test step to CI pipeline (even basic lint check gates)
MED	Add LICENSE file (MIT or Apache recommended for internal clarity)
MED	Prune merged/stale branches — 68 is excessive
LOW	Add repository topics/tags
LOW	Track TODOs as GitHub Issues

hptinvoices

ACTIVE LEGACY

Bitbucket migration mirror — Node.js invoice/billing microservice backend

Language: JavaScript (Node.js) Default Branch: develop Branches: 100+ Last Push: 2026-05-04 Size: 1,342 KB

1. Repository Overview & Metadata

Active

Status

100+

Branches

Contributors

267

Total Files

Property	Value
Architecture	Multi-module Node.js Lambda microservices (InvoiceAPI, InvoiceHandler, PatientHandler, ProviderHandlerNode, ItemUploadHandlerNode)
Runtime Framework	Express.js Serverless (AWS Lambda)
Database ORM	Objection.js + Knex (MySQL)
Deployment (legacy)	Bitbucket Pipelines → AWS CodeCommit → AWS Lambda
Created	2026-05-01 (GitHub mirror)
Last Push	2026-05-04
Private	Yes
README	Missing
Topics/Tags	None

The API hit the 100-branch pagination limit. The actual branch count is ≥100, which indicates significant accumulated technical debt from unmerged/un-deleted branches across multiple contributors.

2. CI/CD & Infrastructure

No GitHub Actions workflows configured. CI/CD is entirely handled by Bitbucket Pipelines pointing to AWS CodeCommit, which is the legacy system prior to GitHub migration.

Security concern in bitbucket-pipelines.yml: IAM SSH username keys (APKAUIBIW26KJXYFA5XZ, APKA5LVLSGVA2DHVLJJC) are hardcoded in the pipeline YAML. While these are SSH key public identifiers (not secrets), they represent exposed AWS IAM account identifiers. The associated private keys should be verified to still be valid/rotated.

Pipeline Stage	Target Branch	Deployment Target
Master push	`master`	AWS CodeCommit (two regions)
Develop push	`develop`	AWS CodeCommit (two regions)
UAT push	`UAT`	AWS CodeCommit (two regions)

3. Architecture & Dependencies

InvoiceAPI Dependencies

Package	Purpose
express	HTTP server framework
knex + objection	SQL query builder + ORM
mysql	MySQL driver
serverless-http	Express → Lambda adapter
axios	HTTP client for external APIs
simple-oauth2	OAuth2 token management
swagger-jsdoc + swagger-parser	API documentation
moment	Date manipulation (deprecated — migrate to dayjs)
hashids	ID obfuscation
camelcase-keys	Response key transformation

Note: moment.js is in the dependency list. Moment.js is in maintenance-only mode and its authors recommend migrating to dayjs or date-fns. Moment adds ~70KB to bundle size.

1 potential secret pattern detected in src/InvoiceAPI/common/helper/CommonHelper.js (line 794) — appears to be a commented-out token assignment. Verify this is harmless and remove the commented code.

File Type Distribution

JavaScript (.js)

233

JSON

SQL

YAML

4. Code Quality & Documentation

Missing

README.md
CONTRIBUTING.md
LICENSE
SECURITY.md
ESLint config
Prettier config
Automated tests (0 test files)
GitHub Actions workflows

Present

bitbucket-pipelines.yml (legacy CI)
buildspec-node.yml (AWS CodeBuild)
.gitignore
Swagger API documentation inline
SQL migration scripts

15 TODO/FIXME/HACK comments found across JS source files.

Recommendations

Priority	Action
HIGH	Migrate CI/CD from Bitbucket Pipelines to GitHub Actions
HIGH	Add README.md documenting architecture, local setup, and deployment
HIGH	Enable Dependabot for npm dependencies
HIGH	Enable branch protection on develop/master branches
MED	Prune 100+ stale feature branches
MED	Replace moment.js with dayjs
MED	Add ESLint and Prettier configs
MED	Investigate and remove commented-out token pattern
LOW	Add unit tests for core invoice calculation logic

hptui

ARCHIVED LEGACY ANGULAR

Bitbucket migration mirror — Angular 7 frontend (HelloPatients legacy admin portal)

Language: TypeScript Default Branch: master Branches: 40 Last Commit: 2024-04-26 Size: 8,468 KB (largest in portfolio)

1. Repository Overview & Metadata

Archived

Status

Angular 7

Framework (EOL)

138

Spec Files

Contributors

Property	Value
Framework	Angular 7.2.16 Angular CLI 7.3.10
Language	TypeScript 3.1.8
Testing	Karma + Jasmine (138 spec files)
Angular EOL	April 2020 — over 6 years ago
Archived	Yes — read-only on GitHub
Last Activity	2024-04-26 (over 1 year ago)
README	Present (auto-generated Angular CLI README)
Size	8,468 KB — largest in portfolio

Critical: Angular 7 reached end-of-life in April 2020. This means no security patches have been issued by the Angular team for over 6 years. While archived, any running instances of this app represent a significant security risk.

2. Notable Findings

Strengths (Relative to Other Repos)

138 Karma/Jasmine spec files — best test coverage in the portfolio by file count
EditorConfig file present
6 contributors — largest contributor base
E2E test directory (Protractor)
i18n/translation setup (src/assets/i18n/)
README.md present

Critical Issues

Angular 7 — 6+ years past EOL
TypeScript 3.1.8 — severely outdated (current: 5.x)
No GitHub Actions CI/CD
No branch protection
Protractor E2E testing (officially deprecated by Angular team)
tslint instead of ESLint (tslint was deprecated in 2019)
34 TODO/FIXME/HACK comments

Secret Scan Results

4 potential secret patterns detected in src/app/services/validation/messages.constant.ts and src/app/common/validation/messages.constant.ts. Both files contain constants named matchPassword and blankPassword — these appear to be validation message strings matching the pattern, not actual credentials. Confirm and document to suppress future alerts.

3. Recommendations

As this repository is archived, recommendations focus on risk mitigation for any running deployments.

Priority	Action
HIGH	Verify no active production deployment is running from this codebase
HIGH	If still deployed: plan Angular upgrade path (Angular 7 → Angular 17+ is a major migration)
MED	Document the archival decision and migration status in the repository description
MED	Verify the password-pattern false positives in messages.constant.ts are genuinely safe
LOW	Consider deleting this repository if it is fully superseded by revique-web

reviqueui-2.0

ARCHIVED EMPTY REPO

Bitbucket migration mirror — failed migration, repository contains only a .gitignore

Language: None Default Branch: develop Branches: 1 Last Commit: 2025-07-02 Size: 0 KB

1. Repository Analysis

This repository is essentially empty. It was created on 2026-05-01 as a Bitbucket migration mirror but only contains a .gitignore file. The single commit ("Initial commit") was authored by Rakhee Atri on 2025-07-02, suggesting the migration timestamp may have been re-set during import. No source code was successfully migrated.

Total Files

0 KB

Repo Size

Contributor

TODOs/Issues

What Is/Was reviqueui-2.0?

Based on the naming convention and context from other repos, this was likely an intermediary version of the Revique UI — between the original reviqueui (React/Vite prototype) and the current revique-web production app. The migration appears to have failed silently.

2. Recommendations

Priority	Action
HIGH	Investigate why the source code migration failed and whether the Bitbucket source still exists
MED	Either re-attempt the Bitbucket migration or formally document that this codebase is superseded
MED	Consider deleting this repository to reduce organisational noise, or unarchiving and completing the migration

reviqueui

ARCHIVED PREDECESSOR

Bitbucket migration mirror — React/Vite/TypeScript prototype (predecessor to revique-web)

Language: TypeScript Default Branch: develop Branches: 21 Last Commit: 2025-07-20 Size: 2,295 KB

1. Repository Overview & Metadata

Archived

Status

Contributors

Branches

143

Total Files

Property	Value
Framework	React (Vite) TypeScript
UI Library	Chakra UI (same stack as revique-web)
Package Name	`vite-react-typescript-starter` — default Vite template name, not renamed
Contributors	prajyot-tote (253 commits), GopalKuchnaya (171), jayshrisonalekar (110)
Last Commit	2025-07-20 — "added pwa in the app"
Husky	`.husky/pre-commit` → `npx lint-staged` ✓
README	Missing
Tests	0 test files

2. Notable Findings

Relationship to revique-web

The reviqueui codebase shares almost identical dependencies with revique-web (same Chakra UI v3, React, Vite, TypeScript, axios, dayjs, react-hook-form setup). This appears to be the direct predecessor — the "vite-react-typescript-starter" prototype that was later productionised as revique-web.

Notably, revique-web's README explicitly states: "based on the newer reviqueui codebase rather than the legacy hptui-2.0 admin application."

Strengths

Pre-commit hook configured via Husky (.husky/pre-commit → lint-staged)
ESLint configured (eslint.config.js)
Prettier in devDependencies
PWA support via vite-plugin-pwa
Multi-environment build scripts (dev, UAT, prod)

Weaknesses

Package name still vite-react-typescript-starter (default template)
No README.md
No automated tests
No GitHub Actions workflows
No branch protection
8 TODO/FIXME comments

3. Dependencies

Dependencies are essentially identical to revique-web. This confirms the fork/successor relationship. Key packages:

react / react-dom (^19 implied)
@chakra-ui/react
axios
react-router-dom
react-hook-form
dayjs
framer-motion
recharts
xlsx
jspdf + autotable
@react-pdf/renderer
react-payment-inputs
react-datepicker
vite-plugin-pwa

4. Recommendations

Priority	Action
MED	Formally document this as the predecessor to revique-web in the repository description
MED	Verify no active deployments reference this archived codebase
LOW	Consider deleting once revique-web has superseded all functionality

Consolidated Recommendations

Critical (Address Immediately)

#	Repository	Issue	Action
1	All repos	No branch protection on any default branch	Add required PR reviews + status checks. Enforce admins. Prevent force-push. Start with revique-web.
2	revique-web, hptinvoices	Dependabot disabled	Enable in Settings → Security → Dependabot. Free feature — no excuse to leave off on active repos.
3	hptinvoices	No GitHub Actions; relies on Bitbucket Pipelines	Create GitHub Actions workflows mirroring the deploy pipeline. Decommission Bitbucket dependency.
4	hptui	Angular 7 — 6+ years past EOL	If actively deployed, begin Angular upgrade or full rewrite to revique-web stack. If not deployed, document formally.
5	reviqueui-2.0	Empty repository	Recover source from Bitbucket, or delete the repository and document the decision.

High Priority (Address Within 2 Weeks)

#	Repository	Action
6	revique-web	Add automated test step to CI pipeline (even a basic ESLint lint gate blocks broken PRs)
7	revique-web	Add LICENSE file
8	hptinvoices	Add README.md documenting local setup, deployment, and architecture
9	revique-web + hptinvoices	Prune stale branches — 68 and 100+ respectively
10	hptinvoices	Remove/investigate commented-out token pattern in CommonHelper.js:794

Medium Priority (Address Within 1 Month)

#	Repository	Action
11	All repos	Add GitHub repository topics/tags for discoverability
12	revique-web	Add CONTRIBUTING.md and SECURITY.md
13	hptinvoices	Migrate from moment.js to dayjs
14	hptinvoices	Add ESLint and Prettier configs
15	revique-web	Convert 39 TODO/FIXME comments to tracked GitHub Issues
16	reviqueui	Rename package.json `name` field from default Vite template name

Low Priority / Long-term

#	Repository	Action
17	revique-web	Introduce unit/integration tests using Vitest (natural fit for Vite projects)
18	hptinvoices	Add integration tests for core invoice API endpoints
19	hptui	Plan formal decommission or migration if still deployed
20	reviqueui	Consider consolidating or deleting once revique-web is complete

Methodology & Limitations

Data Sources

GitHub REST API v3 (authenticated read-only access)
Local shallow clones (--depth 1) for file-level analysis
Static analysis (grep-based pattern matching)

API Endpoints Used

GET /repos/ReviqueInc/{name} — basic metadata
GET /repos/ReviqueInc/{name}/branches — branch list
GET /repos/ReviqueInc/{name}/commits — latest commit info
GET /repos/ReviqueInc/{name}/contributors — contributor list
GET /repos/ReviqueInc/{name}/contents/.github/workflows — workflow files
GET /repos/ReviqueInc/{name}/actions/runs — CI/CD run history
GET /repos/ReviqueInc/{name}/issues — open issues
GET /repos/ReviqueInc/{name}/pulls — open pull requests
GET /repos/ReviqueInc/{name}/branches/{branch}/protection — branch protection
GET /repos/ReviqueInc/{name}/dependabot/alerts — security alerts
GET /repos/ReviqueInc/{name}/contents/{file} — file existence checks
GET /repos/ReviqueInc/{name}/topics — repository topics

Local Analysis Performed

File type distribution (find + extension analysis)
Test file count (*.test.*, *.spec.*, __tests__)
TODO/FIXME/HACK grep across JS/TS source (excluding node_modules)
Config file presence (.eslintrc, .prettierrc, .editorconfig, husky)
Documentation file presence (README, CONTRIBUTING, LICENSE, SECURITY, CHANGELOG)
Secret pattern scanning (iE regex — values redacted, only file paths reported)
Directory structure (maxdepth 3)
Git commit count via rev-list

Limitations

Shallow clone (--depth 1) means commit history metrics show "1 commit" locally — actual commit history is available via API
Commit activity statistics endpoint returned computing/no-data for repos — GitHub caches these asynchronously
Branch protection check returned "Not Found" for all repos — this indicates protection is NOT configured (the API returns 404 when no protection exists, not an access error)
Dependabot alerts: disabled for active repos; unavailable for archived repos
revique-web contributors API returned 0 — likely due to the repo being very new and contributor stats still computing, or commits being authored via token identities
npm outdated analysis was not run to avoid network overhead in CI; dependency version evaluation was done via package.json inspection