Hidden Assumptions in twenty
12 assumptions this code never checks · 4 critical · spanning Environment, Domain, Contract, Shape, Ordering, Temporal, Resource
Every codebase relies on things it never checks. Most of them are routine. CodeSea looked at twentyhq/twenty and picked out the few most likely to cause trouble. The full list is just below.
Most of what this code assumes is routine. These 3 are the ones most likely to cause trouble here. The rest are minor; they're under "Show everything".
If the backend runs on a different port in development or uses a different protocol/port in production, GraphQL requests will fail with connection errors and the app won't load
If the JWT format changes or malformed tokens exist, Buffer.from() will throw exceptions, causing authentication to crash during testing
If neither the root element nor document.body is available during SSR or in unusual environments, React rendering will fail silently or crash
Show everything (9 more)
Assumes the tokenPair cookie value contains a JSON object with the accessOrWorkspaceAgnosticToken.token property structure
If this fails: If the cookie structure changes or becomes corrupted, JSON.parse() or property access will throw errors, breaking the authentication flow in tests
packages/twenty-e2e-testing/lib/utils/getAccessAuthToken.ts:decodeToken
Assumes the window._env_ global variable or process.env is available and properly populated in the browser environment
If this fails: In strict CSP environments or unusual deployment contexts, these variables might be undefined, causing a fallback to potentially incorrect URL detection
packages/twenty-front/src/config/index.ts:REACT_APP_SERVER_BASE_URL
Assumes the githubStarsModel table contains at least one record when sorting by timestamp descending
If this fails: If the table is empty, githubStars?.[0] will be undefined and numberOfStars will be undefined, potentially rendering empty star counts in the header
packages/twenty-website/src/app/_components/ui/layout/header/index.tsx:findOne
Assumes localhost and 127.0.0.1 are the only development hostnames that need special port handling
If this fails: Custom development domains (like local.twenty.com) or Docker container names won't get the port 3000 treatment, causing API connection failures
packages/twenty-front/src/config/index.ts:getDefaultUrl
Assumes JWT tokens in cookies haven't expired and payload.type === 'ACCESS' identifies the correct token
If this fails: Expired tokens or mismatched token types will cause authentication failures in tests without clear error messages about token validity
packages/twenty-e2e-testing/lib/utils/getAccessAuthToken.ts:getAccessAuthToken
Assumes the zapier-platform-core module is available and exports a version property at runtime
If this fails: If Zapier platform dependencies are missing or incompatible, the integration will fail to load with module resolution errors
packages/twenty-zapier/src/index.ts:platformVersion
Assumes this file is always auto-generated and manual edits should never be made, but provides no enforcement mechanism
If this fails: Developers might manually edit this file not realizing it's auto-generated, causing their changes to be lost during the next generation cycle
packages/twenty-ui/src/accessibility/index.ts:auto-generated comment
Assumes the BACKEND_BASE_URL environment variable is always set and contains a valid URL during test execution
If this fails: If the environment variable is missing, the URL constructor will create invalid URLs like 'undefined/graphql', causing all GraphQL test requests to fail
packages/twenty-e2e-testing/lib/requests/backend.ts:backendGraphQLUrl
Assumes viteConfig.resolve and viteConfig.resolve.alias exist before spreading them into the new configuration
If this fails: If the Vite config structure changes and resolve is undefined, the object spread will fail, causing Storybook build errors
packages/twenty-ui/.storybook/main.ts:viteConfig.resolve
See the full structural analysis of twenty: the pipeline, data models, and system behavior that put these assumptions in context.
Full analysis of twentyhq/twenty →
Frequently Asked Questions
What does twenty assume that could break in production?
The one most likely to cause trouble: the code assumes that localhost development runs the backend on port 3000 specifically, and that production serves the frontend and backend on the same port/protocol as the browser location. If this fails, that is, if the backend runs on a different port in development or uses a different protocol/port in production, GraphQL requests will fail with connection errors and the app won't load.
How many hidden assumptions does twenty have?
CodeSea found 12 assumptions twenty relies on but never validates, 4 of them critical, spanning Environment, Domain, Contract, Shape, Ordering, Temporal, Resource. Most are routine — the analysis flags the two or three most likely to actually bite.
What is a hidden assumption?
Something the code depends on but never checks: a data shape, an ordering, an environment condition, a scale limit, or a contract with another service. It holds until the world it runs in changes, then fails silently.