Conversation
- Add forgot-password and reset-password pages under `app/admin`
- Implement login page enhancements in `app/admin/login/page.tsx`
- Introduce new API route for fetching next unprocessed transcripts in `app/api/automation/transcripts/next-unprocessed/route.ts`
- Clean up `.cursor/debug.log` by removing outdated entries
- Update `.example.env` with necessary environment variables
- Add n8n transcript processing nodes: GetNextUnprocessedTranscript and TranscriptCleanupAgent
- Enhance n8n README.md to include new node details
- Modify `middleware.ts` for authentication handling
- Document n8n transcript processing in `docs/n8n-transcript-processing.md`
- Update `lib/automation-auth.ts` with new authentication functions
- Adjust `docker-compose.n8n.yml`, `supabase/config.toml`, and `supabase/seed.sql` for integration
Cursor Bugbot has reviewed your changes and found 6 potential issues.
| // #endregion | ||
| }, []); | ||
| return null; | ||
| } |
Debug telemetry fetch calls shipped in production code
High Severity
Agent debug instrumentation is committed across many production files. DebugErrorReporter is mounted in the root layout (app/layout.tsx line 234), so it fires on every client-side error for every user, sending payloads to http://127.0.0.1:7245. Similar fetch calls to the same localhost endpoint are scattered throughout lib/automation-auth.ts, next-unprocessed/route.ts, app/blog/[slug]/page.tsx, app/blog/page.tsx, and app/admin/reset-password/page.tsx. While the .catch(()=>{}) prevents crashes, these produce failed network requests on every page load and API call in production.
Additional Locations (2)
| {"location":"automation-auth.ts:valid","message":"auth passed","data":{},"timestamp":1770336128078,"sessionId":"debug-session","hypothesisId":"H1"} | ||
| {"location":"next-unprocessed/route.ts:supabaseCheck","message":"after isServerSupabaseConfigured","data":{"supabaseConfigured":true},"timestamp":1770336128078,"sessionId":"debug-session","hypothesisId":"H2"} | ||
| {"location":"next-unprocessed/route.ts:beforeQuery","message":"before supabase query","data":{},"timestamp":1770336128078,"sessionId":"debug-session","hypothesisId":"H3-H4"} | ||
| {"location":"next-unprocessed/route.ts:afterQuery","message":"after supabase query","data":{"hasData":true,"errorMessage":null},"timestamp":1770336128097,"sessionId":"debug-session","hypothesisId":"H3"} |
Debug log file committed to repository
Medium Severity
.cursor/debug.log contains local debugging session data (timestamps, hypothesis IDs, auth check results) and is committed to the repository. The .cursor directory is not in .gitignore. This file provides no value in the repo and leaks information about the developer's debugging workflow.
| if (urgency) query = query.eq('urgency', urgency); | ||
| if (search) { | ||
| query = query.or(`name.ilike.%${search}%,email.ilike.%${search}%,company.ilike.%${search}%`); | ||
| } |
PostgREST filter injection via unsanitized search parameter
Medium Severity
The search query parameter is interpolated directly into the PostgREST .or() filter string without sanitization. Since commas and dots are structural delimiters in PostgREST filter syntax, a crafted search value containing these characters (e.g. x,status.eq.converted) can inject additional filter conditions, potentially bypassing intended query logic. Both the leads and transcripts admin endpoints are affected.
Additional Locations (1)
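To make the finding above checkable, here is an added example (not code from the PR) that places the flagged interpolation beside a quoted form and models how PostgREST splits the `or` list on top-level commas. It assumes the admin route builds the filter exactly as shown in the snippet, and relies on PostgREST's documented double-quote syntax for values that contain reserved characters (with `\"` and `\\` as escapes inside the quotes).

```typescript
// Exactly the pattern flagged in the review: the raw search term is
// spliced into the PostgREST filter grammar, so a comma in it starts a
// brand-new condition.
function buildUnsafeOrFilter(search: string): string {
  return `name.ilike.%${search}%,email.ilike.%${search}%,company.ilike.%${search}%`;
}

// Wrap one value in double quotes so PostgREST treats it as a single literal.
// Backslash and double quote are escaped because they are the only characters
// that can terminate or alter a quoted value (assumption: PostgREST quoting rules).
function quoteFilterValue(value: string): string {
  const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `"${escaped}"`;
}

// Hardened form: same three ilike conditions, but the user-controlled part
// can no longer add or change conditions. LIKE wildcards (% and _) still
// match broadly; that is a matching concern, not a structural one.
function buildSafeOrFilter(search: string): string {
  const v = quoteFilterValue(`%${search}%`);
  return `name.ilike.${v},email.ilike.${v},company.ilike.${v}`;
}

// Minimal model of PostgREST's top-level `or` parsing: a comma separates
// conditions unless it sits inside a double-quoted value. Used here only to
// show how many conditions the server would see for a given input.
function countConditions(filter: string): number {
  let n = 1;
  let inQuote = false;
  for (let i = 0; i < filter.length; i++) {
    const c = filter[i];
    if (c === "\\" && inQuote) { i++; continue; } // skip the escaped char
    if (c === '"') inQuote = !inQuote;
    else if (c === "," && !inQuote) n++;
  }
  return n;
}

// Belt-and-braces check for the API boundary: reject values carrying the
// characters that can change filter structure before they reach the builder.
// Dots are allowed on purpose, since e-mail searches need them.
function hasFilterMetachars(search: string): boolean {
  return /[,()"\\]/.test(search);
}
```

With the review's own payload `x,status.eq.converted`, the unsafe builder yields six conditions where three were intended; the quoted builder keeps it at three.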
| ); | ||
| const { data: { user } } = await supabase.auth.getUser(); | ||
| return user; | ||
| } |
Identical verifyAuth function duplicated across four files
Low Severity
The verifyAuth function is copy-pasted identically across four admin API route files (leads/route.ts, leads/[id]/route.ts, transcripts/route.ts, transcripts/[id]/route.ts). This creates a maintenance burden — any auth logic change (e.g. role checks) needs updating in all four places. A shared utility (similar to the existing createAuthServerClient in lib/supabase-server.ts) would be more maintainable.
Additional Locations (2)
| } | ||
|
|
||
| setSuccess(true); | ||
| onSuccess?.(); |
Success message never visible due to immediate unmount
Medium Severity
In handleSubmit, setSuccess(true) is called immediately followed by onSuccess?.(). The only consumer (ContactCTA) passes () => setShowForm(false) as onSuccess, which unmounts the ContactForm in the same React render batch. The user never sees the "Message Sent!" confirmation — the form simply vanishes and the "Start a Conversation" button reappears, providing no feedback that the submission succeeded.
Additional Locations (1)
| } | ||
| setPage(1); | ||
| setFilters((prev) => ({ ...prev, [key]: value })); | ||
| }; |
Search debounce defeated by immediate state update
Low Severity
The search debounce in both LeadsTable and TranscriptsTable is ineffective. The code sets up a 400ms setTimeout for the search update, but then immediately updates the same state (setFilters / setSearch) on the next line. Since the useEffect watches that state and triggers fetchLeads/fetchTranscripts, every keystroke fires an API call immediately — plus a redundant second call when the timeout fires. The debounce provides no actual throttling.
Note

High Risk

Adds new Supabase-authenticated admin area plus new lead-capture storage/processing endpoints (PII + service-role DB writes), which are security- and data-sensitive. Also introduces hardcoded debug/telemetry `fetch` calls and a committed debug log that could leak data or cause unexpected network traffic if deployed.

Overview

Adds a Supabase-authenticated `/admin` console (middleware-protected) with dashboard stats plus CRUD-style views/APIs for `leads` and `transcripts`, including login and password reset flows.

Introduces lead capture on the homepage via a new `ContactForm` + `POST /api/leads/submit` endpoint that validates input, scores leads (honeypot spam detection), stores leads/events in Supabase, and forwards submissions to an n8n webhook.

Adds an automation endpoint `GET /api/automation/transcripts/next-unprocessed` secured by `CYBERWORLD_AUTOMATION_API_KEY` for n8n polling, along with local n8n Docker compose + documentation.

Updates marketing pages: homepage is redesigned into `Hero`/`Services`/`About`/`Contact` sections with an email-only CTA, blog pages switch from forced dynamic rendering to ISR (`revalidate=3600`), and the chat API is simplified to direct `llm.invoke` message calls. Adds client-only Vercel analytics loading and a debug error reporter; the diff also includes multiple hardcoded local ingest `fetch` logs and a committed `.cursor/debug.log`.

Written by Cursor Bugbot for commit ae919f2. This will update automatically on new commits.