I hate to shit on projects, but there's 0 way this is production ready.

Marak mentioned the lack of tests. Logging is inconsistent - half is console.log, half is winston, and none of it is exposed to the user. No monitoring. No secret management. This was not designed to scale.

I can't even find the SDKs they were advertising.

Are there some GitHub repos you can recommend that follow these practices (for learning from them)?

I'm not familiar, but off the top of my head GhostJS seems to do good work. Ignition is their logging service.

https://github.com/TryGhost/Ghost https://github.com/TryGhost/Ignition

Most of this stuff is just from experience and knowing what you need in a production application. Can you get away with no logging/monitoring? Sure, but I'd hate to be the guy trying to debug an error. Similarly, rotating keys sucks and you never want to explain to an auditor why sensitive info isn't encrypted.