fix: skip PostHog/Gleap init when key is an .env.example placeholder #3108

Open
Abdul-Moiz31 wants to merge 1 commit into onlook-dev:main from Abdul-Moiz31:fix/posthog-placeholder-key-2707

@Abdul-Moiz31 Abdul-Moiz31 commented May 15, 2026

Description

PostHog (and Gleap) initialize whenever their env key is truthy, which accepts the placeholder string shipped in
.env.example: NEXT_PUBLIC_POSTHOG_KEY="<Your PostHog API key from https://posthog.com/docs/libraries/next-js>"

For any new contributor who copies .env.example to .env without filling these out, every page load floods the console with PostHog 401s and 404s. These errors hide real ones during local development.

Reject empty values and any value starting with < before initializing. Same shape of placeholder appears for NEXT_PUBLIC_GLEAP_API_KEY and NEXT_PUBLIC_POSTHOG_HOST, so the same guard is applied to Gleap.

Related Issues

closes #2707

This fix was previously attempted in #2739 (closed, unmerged). During the subsequent refactor that consolidated PostHog and Gleap initialization into the new TelemetryProvider, the guard was lost — the current check at telemetry-provider.tsx:25 only validates truthiness.

Type of Change

  • Bug fix
  • New feature
  • Documentation
  • Refactor
  • Other

Testing

Reproduced and verified locally on main:

Repro (current behaviour without fix):

  1. Copy apps/web/client/.env.example PostHog lines into apps/web/client/.env verbatim.
  2. bun dev, open http://localhost:3000, open DevTools Console.
  3. Observe:
    • GET https://us-assets.i.posthog.com/array/%3CYour%20PostHog%20API%20key...%3E/config.js 404 (Not Found)
    • POST https://us.i.posthog.com/flags/?... 401 (Unauthorized)
    • POST https://us.i.posthog.com/e/?... 401 (Unauthorized)

With this fix:

  • Placeholder in .env → no PostHog network calls, no console errors.
  • No PostHog key (default bun run setup:env output) → no errors, no warnings, unchanged behaviour.
  • Real PostHog key → initialization works as before.
  • bun typecheck passes.
  • bun test passes (1045/1045).

Files Changed

  • apps/web/client/src/components/telemetry-provider.tsx — client-side PostHog + Gleap init guards (3 callsites)
  • apps/web/client/src/utils/analytics/server.ts — server-side PostHog singleton

Also removed two console.warn calls that fired noisily on every page load when keys were intentionally unset. The unconfigured state is now silent, matching how every other optional integration in the file behaves.

Additional Notes

The guard is intentionally narrow — !value.startsWith("<") — to avoid rejecting valid keys. The current .env.example placeholders all follow the <...> shape; if future placeholders use a different shape, the check should be extended accordingly.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed telemetry services initialization to properly detect unconfigured states, including placeholder environment variable values, preventing unintended activation of PostHog and Gleap analytics with invalid configuration.
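
The guard described in the PR description above, as an added example that is not part of the pull request or Onlook's code: a preflight check that classifies each key of a .env file against its .env.example template. It goes beyond the PR's `<` rule by also reporting values copied verbatim from the template (these may be legitimate defaults, so they are reported separately); `parseEnv`, `classify`, `audit`, `EXAMPLE_TOKEN` and the sample file contents are assumptions made for the illustration.

```typescript
// Added example, not Onlook's code. parseEnv, classify and audit are hypothetical names.
type Env = Record<string, string>;
type Status = "unset" | "placeholder" | "unchanged" | "configured";

// Minimal KEY=VALUE parser: skips blanks and comments, strips one pair of matching quotes.
function parseEnv(text: string): Env {
    const env: Env = {};
    for (const raw of text.split(/\r?\n/)) {
        const line = raw.trim();
        const eq = line.indexOf("=");
        if (!line || line.startsWith("#") || eq < 1) continue;
        let value = line.slice(eq + 1).trim();
        const q = value.charAt(0);
        if (value.length >= 2 && (q === '"' || q === "'") && value.endsWith(q)) value = value.slice(1, -1);
        env[line.slice(0, eq).trim()] = value;
    }
    return env;
}

// "placeholder" is the PR's rule (value starts with "<"); "unchanged" extends it to any
// value copied verbatim from the template, which may also be a legitimate default.
function classify(value: string | undefined, templateValue: string | undefined): Status {
    const v = (value ?? "").trim();
    if (v === "") return "unset"; // unset stays a valid, silent state
    if (v.startsWith("<")) return "placeholder";
    if (templateValue !== undefined && v === templateValue.trim()) return "unchanged";
    return "configured";
}

function audit(envText: string, templateText: string): Record<string, Status> {
    const env = parseEnv(envText);
    const template = parseEnv(templateText);
    const report: Record<string, Status> = {};
    for (const key of Object.keys(template)) report[key] = classify(env[key], template[key]);
    return report;
}

// Constructed sample input; only the PostHog placeholder text comes from the PR description.
const SAMPLE_TEMPLATE = [
    '# constructed template',
    'NEXT_PUBLIC_POSTHOG_KEY="<Your PostHog API key from https://posthog.com/docs/libraries/next-js>"',
    'NEXT_PUBLIC_GLEAP_API_KEY="<constructed placeholder>"',
    'EXAMPLE_TOKEN="changeme"',
].join("\n");
const SAMPLE_ENV = [
    'NEXT_PUBLIC_POSTHOG_KEY="<Your PostHog API key from https://posthog.com/docs/libraries/next-js>"',
    'NEXT_PUBLIC_GLEAP_API_KEY=',
    'EXAMPLE_TOKEN="changeme"',
].join("\n");
```

Calling `audit(SAMPLE_ENV, SAMPLE_TEMPLATE)` returns one status per template key, so a setup script can skip telemetry init for `placeholder` and `unset` keys and list `unchanged` ones for review.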



vercel Bot commented May 15, 2026

@Abdul-Moiz31 is attempting to deploy a commit to the Onlook Team on Vercel.

A member of the Team first needs to authorize it.

@vercel vercel Bot temporarily deployed to Preview – docs-onlook May 15, 2026 11:28 Inactive

vercel Bot commented May 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs-onlook Skipped Skipped May 15, 2026 11:28am


coderabbitai Bot commented May 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c83f648b-951c-4d49-8afe-6ae9ff5373f9

📥 Commits

Reviewing files that changed from the base of the PR and between a242be5 and 3dc17ac.

📒 Files selected for processing (2)
  • apps/web/client/src/components/telemetry-provider.tsx
  • apps/web/client/src/utils/analytics/server.ts

📝 Walkthrough

Telemetry SDKs PostHog and Gleap now reject placeholder and unconfigured API keys across client-side and server-side modules. An isConfigured helper validates keys as non-empty and not starting with < before SDK initialization, eliminating console errors during development when credentials are not provided.

Changes

Platform Telemetry Configuration Validation

| Layer / File(s) | Summary |
| --- | --- |
| Client-side telemetry configuration guard (apps/web/client/src/components/telemetry-provider.tsx) | isConfigured helper validates API keys as non-empty and non-placeholder-format. PostHog and Gleap initialization, identify effect, and pathname-change sync effect now gate on isConfigured to prevent SDK activation with placeholder values. |
| Server-side telemetry configuration guard (apps/web/client/src/utils/analytics/server.ts) | isConfigured helper validates the PostHog API key with the same non-empty and non-placeholder rules. PostHogSingleton.getInstance() returns null when isConfigured fails, preventing client creation with unconfigured credentials. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Console errors? No more, I say!
Placeholder keys kept logs at bay,
A simple check for configs true,
PostHog and Gleap, both work like new!
Local dev smooth, without the fuss,
Configuration guards for all of us! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding guards to skip PostHog/Gleap initialization when environment keys contain placeholder values from .env.example. |
| Description check | ✅ Passed | The description comprehensively covers all required sections: clear problem description, related issues, type of change, testing verification, and additional notes about the implementation approach. |
| Linked Issues check | ✅ Passed | The PR fully implements the objectives from issue #2707 by adding an isConfigured guard that rejects placeholder values starting with '<', preventing initialization and eliminating console errors. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to the linked issue: the isConfigured helper, initialization guards at three client-side callsites, server-side PostHog singleton update, and removal of noisy console.warn calls. |

Development

Successfully merging this pull request may close these issues.

[bug] Suppress PostHog console errors during local development

1 participant