Add Plausible analytics integration

[leogdion]

Integrated privacy-friendly Plausible analytics with proper CSP configuration for tracking site usage.

---

Perform an AI-assisted review on

Summary by CodeRabbit

• Chores
  • Updated Content-Security-Policy configuration to enable external analytics integration
  • Added analytics tracking initialization to the site

[claude]

Claude finished @leogdion's task —— View job

---

Code Review for Plausible Analytics Integration

• Read and analyze the BaseLayout.astro changes
• Review analytics implementation approach
• Check security and CSP configuration
• Evaluate privacy considerations
• Provide comprehensive feedback

Review Summary

The implementation looks solid overall! This is a clean, minimal integration of Plausible analytics that properly balances functionality with privacy. Here's my detailed analysis:

✅ Positive Aspects

1. Privacy-First Approach

• Excellent choice of Plausible over Google Analytics - aligns perfectly with MonthBar's privacy-focused values mentioned in the content
• No cookies, no tracking across sites, GDPR compliant by design

2. Proper CSP Configuration

• CSP has been correctly updated to allow Plausible domains
• connect-src 'self' https://plausible.io - allows analytics data transmission
• script-src 'self' 'unsafe-inline' https://plausible.io - permits the analytics script

3. Implementation Best Practices

• Script is properly deferred (defer attribute) for non-blocking page load
• Correct domain specified (data-domain="month.bar")
• Script placement in <head> is appropriate for analytics

🔍 Security & Performance Analysis

Security: ✅ Secure

• CSP properly restricts Plausible to only necessary permissions
• No additional attack vectors introduced
• HTTPS-only connection to plausible.io

Performance: ✅ Optimized

• Deferred loading won't block page rendering
• Plausible script is lightweight (~1.4KB gzipped)
• No impact on critical rendering path

💡 Suggestions for Enhancement

1. Consider Adding Plausible Proxy (Optional)

• For even better privacy, consider self-hosting or proxying the script
• This would eliminate any direct connection to plausible.io
• Example: /js/analytics.js → https://plausible.io/js/script.js

2. Environment-Specific Loading (Nice to have)

{import.meta.env.PROD && (
  <script defer src="https://plausible.io/js/script.js"></script>
)}

This prevents analytics in development/staging environments.

3. Optional: Hash-Based CSP (Advanced)

• Consider using script hash instead of 'unsafe-inline' for tighter security
• Though this is minimal concern for Astro-generated inline scripts

🐛 Issues Found

None! The implementation is clean and follows best practices.

📝 Code Quality Assessment

• Maintainability: ✅ Simple, clear implementation
• Consistency: ✅ Matches existing code style
• Documentation: ✅ Clear comment explaining purpose
• Testing: ⚠️ Consider adding E2E test to verify analytics load

Final Recommendation

✅ Approve - This is a well-executed integration that adds valuable analytics while respecting user privacy. The CSP configuration is secure, the implementation follows best practices, and it aligns with the project's privacy-focused philosophy.

The changes are minimal, focused, and don't introduce any security vulnerabilities or performance issues.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 005df04 and 4620610.

📒 Files selected for processing (1)

• src/layouts/BaseLayout.astro

---

📝 Walkthrough

Walkthrough

Updated the Content-Security-Policy to permit analytics requests to Plausible by adding https://plausible.io to connect-src and script-src directives. Added the Plausible Analytics script tag in the document head to enable analytics tracking for the domain month.bar.

Changes

Cohort / File(s)	Summary
Plausible Analytics Setup src/layouts/BaseLayout.astro	Added https://plausible.io to CSP connect-src and script-src; included Plausible Analytics script tag in head.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A script arrives with gentle care,
Analytics float through the air,
Plausible paths now clearly seen,
Month.bar shines bright and clean!
Data dancing, insights bright! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding Plausible analytics integration to the project.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 18-plausible

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}