feat: Add ALLOWED_ORIGINS environment variable for CSRF protection#725
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
🦋 Changeset detectedLatest commit: 4bcb75e The changes in this PR will be included in the next version bump. This PR includes changesets to release 18 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
📝 WalkthroughWalkthroughAdds Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (3)
.claude/skills/modify-generated-code/SKILL.md (1)
402-428: Add executable changeset command to make documentation more actionable.The new section provides helpful guidance on changeset format and package naming. However, the bash code block contains only a comment without the actual command to create a changeset. If users should follow this, consider including the actual command (e.g.,
npx changeset add, or whatever tool this project uses).Also, clarify whether "Create Changeset" is a required final step before opening/merging the PR, or if it's optional. The placement after "Sync All Projects" suggests it's final, but this could be explicit.
🔎 Proposed update to make the bash command actionable
Add a changeset to document the changes for the changelog: ```bash - # Create a new changeset file in .changeset/ directory + npx changeset addAlternatively, if the actual command differs (e.g., `pnpm changeset add`), replace accordingly. </details> </blockquote></details> <details> <summary>plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts (1)</summary><blockquote> `34-40`: **LGTM! Config field correctly implements comma-separated origin parsing.** The implementation correctly uses `tsCodeFragment` for code generation and the Zod v4 transform pattern to parse the comma-separated string into an array. The falsy check handles both undefined and empty string cases appropriately. <details> <summary>Optional: Consider adding URL validation</summary> While the current implementation works correctly (invalid values are normalized and filtered by `verifyRequestOrigin`), you could add explicit URL validation to catch configuration errors earlier: ```diff configService.configFields.set('ALLOWED_ORIGINS', { validator: tsCodeFragment( - "z.string().optional().transform((val) => (val ? val.split(',').map((s) => s.trim()) : []))", + "z.string().optional().transform((val) => { const origins = val ? val.split(',').map((s) => s.trim()).filter(Boolean) : []; origins.forEach(o => { try { new URL(o); } catch { throw new Error(`Invalid origin URL: ${o}`); } }); return origins; })", ),However, this adds complexity and the current approach of delegating validation to
verifyRequestOriginis acceptable.Based on learnings and coding guidelines for generator patterns.
examples/blog-with-auth/apps/backend/src/services/config.ts (1)
4-8: LGTM! Config schema correctly parses comma-separated origins.The Zod v4 transform pattern correctly handles the optional comma-separated string, returning an empty array when undefined or falsy, and splitting/trimming when provided. The output type is consistently
string[], which is safely consumed by the origin verification logic.Optional: Filter empty strings explicitly
Consider explicitly filtering out empty strings after splitting to handle edge cases like trailing commas:
ALLOWED_ORIGINS: z .string() .optional() - .transform((val) => (val ? val.split(',').map((s) => s.trim()) : [])), + .transform((val) => (val ? val.split(',').map((s) => s.trim()).filter(Boolean) : [])),However, since
verifyRequestOriginalready filters out falsy values after normalization, this is a minor refinement rather than a correctness issue.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
⛔ Files ignored due to path filters (72)
examples/blog-with-auth/apps/backend/baseplate/generated/src/modules/accounts/services/user-session.service.tsis excluded by!**/generated/**,!**/generated/**examples/blog-with-auth/apps/backend/baseplate/generated/src/services/config.tsis excluded by!**/generated/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/alert.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/badge.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/breadcrumb.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/calendar.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/card.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/checkbox.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/circular-progress.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/combobox.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/command.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/date-picker-field.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/date-time-picker-field.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/dialog.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/dropdown.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/empty-display.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/error-display.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/form-item.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/label.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/loader.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/multi-combobox.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/navigation-menu.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/popover.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/scroll-area.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/select.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/separator.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/sheet.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/sidebar.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/skeleton.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/switch.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/table.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/textarea.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/components/ui/tooltip.tsxis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/styles.cssis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/styles/button.tsis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/styles/input.tsis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/baseplate/generated/src/styles/select.tsis excluded by!**/generated/**,!tests/**,!**/generated/**tests/simple/apps/web/src/components/ui/alert.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/badge.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/breadcrumb.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/calendar.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/card.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/checkbox.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/circular-progress.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/combobox.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/command.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/date-picker-field.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/date-time-picker-field.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/dialog.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/dropdown.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/empty-display.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/error-display.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/form-item.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/label.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/loader.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/multi-combobox.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/navigation-menu.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/popover.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/scroll-area.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/select.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/separator.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/sheet.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/sidebar.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/skeleton.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/switch.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/table.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/textarea.tsxis excluded by!tests/**tests/simple/apps/web/src/components/ui/tooltip.tsxis excluded by!tests/**tests/simple/apps/web/src/styles.cssis excluded by!tests/**tests/simple/apps/web/src/styles/button.tsis excluded by!tests/**tests/simple/apps/web/src/styles/input.tsis excluded by!tests/**tests/simple/apps/web/src/styles/select.tsis excluded by!tests/**
📒 Files selected for processing (6)
.changeset/add-allowed-origins-config.md.claude/skills/modify-generated-code/SKILL.mdexamples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/services/config.tsplugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.tsplugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts
🧰 Additional context used
📓 Path-based instructions (9)
.changeset/*.md
📄 CodeRabbit inference engine (AGENTS.md)
Add a new Changeset for any new feature or existing feature change in the
.changeset/directory following the form with patch changes
Files:
.changeset/add-allowed-origins-config.md
**/*.{ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/code-style.mdc)
**/*.{ts,tsx}: Use TypeScript with strict type checking enabled
Always include return types on top-level functions including React components (React.ReactElement)
Include absolute paths in import statements via tsconfig paths (@src/is the alias forsrc/)
If a particular interface or type is not exported, change the file so it is exported
If caught on a typing loop where forcing theanytype is necessary, do not iterate too much - leave the typing as broken and let the user fix itIf target code is not easily testable, refactor it to be more testable (e.g., export types or functions)
If a particular interface or type is not exported, change the file so it is exported
Files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/services/config.tsplugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/*.{ts,tsx,js}
📄 CodeRabbit inference engine (.cursor/rules/code-style.mdc)
**/*.{ts,tsx,js}: Node 16 module resolution - include file extensions in imports (.js)
Sort imports by group: external libs first, then local imports
Use camelCase for variables/functions, PascalCase for types/classes
Order functions such that functions are placed below the variables/functions they use
Prefer using nullish coalescing operator (??) instead of logical or (||), enforced via ESLint rule
Prefer barrel exports e.g.export * from './foo.js'instead of individual named exports
Use console.info/warn/error instead of console.log
Files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/services/config.tsplugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/*.{js,ts,tsx,jsx}
📄 CodeRabbit inference engine (.cursor/rules/mcp-actions.mdc)
**/*.{js,ts,tsx,jsx}: Usemcp__baseplate_dev_server__diff_project()to generate a diff between generated and current working directory state, with optional parameters for compact format, specific packages, and file glob filtering
Usemcp__baseplate_dev_server__sync_project()to sync a specified project using the baseplate sync engine, with optional parameters for overwrite behavior, command skipping, and custom snapshot directory
Usemcp__baseplate_dev_server__delete_template()to delete templates by providing a file path and optionally the project name, which removes the template file, metadata, and generated files
Usemcp__baseplate_dev_server__extract_templates()to extract templates from a project and app, with optional auto-generation of extractor.json files and directory cleanup control
Usemcp__baseplate_dev_server__generate_templates()to generate typed template files from existing extractor.json configurations with optional project specification and cleanup control
Usemcp__baseplate_dev_server__create_generator()to create new generators with boilerplate code, using naming format 'category/name' and specifying the target directory
Usemcp__baseplate_dev_server__list_templates()to list all available generators with their templates, optionally filtered by project
Usemcp__baseplate_dev_server__show_template_metadata()to retrieve template metadata for a file from .templates-info.json using file path and optional project specification
Usemcp__baseplate_dev_server__snapshot_add()to track files in snapshots for persistent difference tracking, specifying project, app, file paths, and optional deletion markers
Usemcp__baseplate_dev_server__snapshot_remove()to untrack files from snapshot management with project, app, and file path specifications
Usemcp__baseplate_dev_server__snapshot_save()to persist current differences to snapshot with optional force flag to bypass confirmation
Usemcp__baseplate_dev_server__snapshot_show()to dis...
Files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/services/config.tsplugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/*.{tsx,ts,jsx,js}
📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)
Import components from '@baseplate-dev/ui-components' package using destructured imports (e.g.,
import { Button, Input, Card, Dialog } from '@baseplate-dev/ui-components';)
Files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/services/config.tsplugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (AGENTS.md)
Always use
compareStringsfrom@baseplate-dev/utilsinstead ofString.prototype.localeCompare()for code generation, file sorting, and internal data structures
Files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/services/config.tsplugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
**/generators/**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/generators/**/*.{ts,tsx}: Follow task-based architecture for generators usingcreateGeneratorandcreateGeneratorTask
Use provider scopes for explicit wiring and to control visibility and prevent collisions between tasks
UseTsCodeFragmentfor composable code pieces andTsCodeUtilsfor manipulating fragments in TypeScript code generation
Use the import builder for managing dependencies in TypeScript code generation
Organize complex generation with Task Phases for ordered execution
Use Dynamic Tasks for data-driven generation
Files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.tsplugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
examples/blog-with-auth/**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (examples/blog-with-auth/CLAUDE.md)
examples/blog-with-auth/**/*.{ts,tsx,js,jsx}: Always use .js extensions in import statements, even for TypeScript files (e.g.,import { getSystemInfo } from '@src/system-info.js';)
Follow ESM module resolution with TypeScript'sNodeNextsetting
Add JSDocs to all exported functions, interfaces, and classes with documentation of the function, its parameters, return value, and all fields
Files:
examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/services/config.ts
examples/blog-with-auth/**/*.{ts,tsx}
📄 CodeRabbit inference engine (examples/blog-with-auth/CLAUDE.md)
examples/blog-with-auth/**/*.{ts,tsx}: Useimport typefor type-only imports in TypeScript
Always specify explicit return types for functions in TypeScript
Files:
examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.tsexamples/blog-with-auth/apps/backend/src/services/config.ts
🧠 Learnings (17)
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to .changeset/*.md : Add a new Changeset for any new feature or existing feature change in the `.changeset/` directory following the form with patch changes
Applied to files:
.claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__generate_templates()` to generate typed template files from existing extractor.json configurations with optional project specification and cleanup control
Applied to files:
.claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__extract_templates()` to extract templates from a project and app, with optional auto-generation of extractor.json files and directory cleanup control
Applied to files:
.claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__show_template_metadata()` to retrieve template metadata for a file from .templates-info.json using file path and optional project specification
Applied to files:
.claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Be careful when customizing generated files as they may be overwritten during regeneration
Applied to files:
.claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to **/generators/**/*.{ts,tsx} : Organize complex generation with Task Phases for ordered execution
Applied to files:
.claude/skills/modify-generated-code/SKILL.mdplugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__list_templates()` to list all available generators with their templates, optionally filtered by project
Applied to files:
.claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to **/generators/**/*.{ts,tsx} : Follow task-based architecture for generators using `createGenerator` and `createGeneratorTask`
Applied to files:
.claude/skills/modify-generated-code/SKILL.mdplugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__create_generator()` to create new generators with boilerplate code, using naming format 'category/name' and specifying the target directory
Applied to files:
.claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__snapshot_save()` to persist current differences to snapshot with optional force flag to bypass confirmation
Applied to files:
.claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-12-30T13:55:38.712Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: .cursor/rules/mcp-actions.mdc:0-0
Timestamp: 2025-12-30T13:55:38.712Z
Learning: Applies to **/*.{js,ts,tsx,jsx} : Use `mcp__baseplate_dev_server__snapshot_add()` to track files in snapshots for persistent difference tracking, specifying project, app, file paths, and optional deletion markers
Applied to files:
.claude/skills/modify-generated-code/SKILL.md
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Applies to examples/blog-with-auth/**/tsconfig.json : Use strict type checking in TypeScript configuration
Applied to files:
examples/blog-with-auth/apps/backend/src/services/config.ts
📚 Learning: 2025-11-24T19:44:33.994Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: examples/blog-with-auth/CLAUDE.md:0-0
Timestamp: 2025-11-24T19:44:33.994Z
Learning: Applies to examples/blog-with-auth/**/tsconfig.json : Enable `isolatedModules` in TypeScript configuration
Applied to files:
examples/blog-with-auth/apps/backend/src/services/config.ts
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to **/generators/**/*.{ts,tsx} : Use provider scopes for explicit wiring and to control visibility and prevent collisions between tasks
Applied to files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-12-30T13:56:01.641Z
Learnt from: CR
Repo: halfdomelabs/baseplate PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-30T13:56:01.641Z
Learning: Applies to **/generators/**/*.{ts,tsx} : Use Dynamic Tasks for data-driven generation
Applied to files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-07-12T19:56:08.559Z
Learnt from: kingston
Repo: halfdomelabs/baseplate PR: 606
File: plugins/plugin-auth/src/auth/core/generators/auth-apollo/auth-apollo.generator.ts:24-32
Timestamp: 2025-07-12T19:56:08.559Z
Learning: For generator functions and configuration object methods like those in createGeneratorTask, inferred return types are acceptable when the structure is clear from the implementation. ESLint rules handle enforcement of explicit return types where truly needed, so manual review for this is not necessary.
Applied to files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
📚 Learning: 2025-05-05T06:37:51.001Z
Learnt from: kingston
Repo: halfdomelabs/baseplate PR: 521
File: packages/react-generators/src/generators/admin/admin-crud-list/admin-crud-list.generator.ts:163-166
Timestamp: 2025-05-05T06:37:51.001Z
Learning: For certain templates in the codebase, the `importMapProviders` property is not explicitly required as the template extractor will automatically determine and infer the necessary import map providers.
Applied to files:
plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts
🧬 Code graph analysis (2)
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts (2)
plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/utils/verify-request-origin.ts (1)
verifyRequestOrigin(27-45)examples/blog-with-auth/apps/backend/src/services/config.ts (1)
config(23-23)
plugins/plugin-auth/src/local-auth/core/generators/auth-module/auth-module.generator.ts (1)
packages/core-generators/src/renderers/typescript/fragments/creators.ts (1)
tsCodeFragment(73-83)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Test E2E
- GitHub Check: Lint
- GitHub Check: test
🔇 Additional comments (4)
.claude/skills/modify-generated-code/SKILL.md (1)
231-231: Clear guardrail added to prevent premature generator modifications.The explicit warning about NOT modifying generator code before user review is comprehensive and well-placed. This aligns with the code-first development approach outlined in the skill and prevents generator code from diverging from template extractions.
.changeset/add-allowed-origins-config.md (1)
1-8: LGTM! Changeset properly documents the new feature.The changeset follows the correct format and clearly describes the addition of the ALLOWED_ORIGINS configuration field for CSRF protection.
examples/blog-with-auth/apps/backend/src/modules/accounts/services/user-session.service.ts (1)
187-187: LGTM! Origin verification correctly includes additional allowed origins.The spread operator safely includes
config.ALLOWED_ORIGINSalongsidereq.hostfor CSRF protection. Since the config transform ensuresALLOWED_ORIGINSis always astring[](defaulting to[]), the spread operation is safe and the logic correctly implements the intended behavior for hosting scenarios with rewrites.plugins/plugin-auth/src/local-auth/core/generators/auth-module/templates/module/services/user-session.service.ts (1)
183-183: LGTM! Template correctly implements origin verification with additional origins.The template properly generates the same origin verification logic as the example application, ensuring consistency between generated code and the reference implementation. The spread of
config.ALLOWED_ORIGINSis safe and correct.
Summary by CodeRabbit
New Features
Documentation
✏️ Tip: You can customize this high-level summary in your review settings.