… and supporting UI components and API routes. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
… and Graph services with supporting API routes and database setup. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…model configuration. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…nality, exposed via a new API route. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…d remove obsolete test and diagnostic scripts. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…s and remove deprecated entries from the README. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…Researcher agents, RAG service, new API routes, and settings UI. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…sts for agent tools and file utilities. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…vider details in the README. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
… unified tool registry for terminal, database, file, and test operations, and introducing memory management components. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…memory management, tools, and utilities. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…ents, defining core state types and configuring LangChain SSR externals. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…searcher, and Architect agents, including their tools, prompts, and state management. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…ing, HTML sanitization, and a limited markdown mode. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…search, architecture, reflection, and quality control stages. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…state graph, and initial researcher, QC, coordinator, and architect agents. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
… and initial agent definitions. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…, an orchestration service, and chat UI components for run management. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…and add new test scripts for it and orchestrator V2. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…ce an agent orchestrator with chat and workbench integration. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
… and introduce an orchestrator test for event bus verification. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…bench functionalities. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…s, and foundational components for chat and workbench functionality. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…Chat component for foundational chat UI. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…nd code execution capabilities. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…ctions, and editor environment masking. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…, Vercel, Supabase, GitLab, GitHub, and local options, complete with connection management and provider-specific functionalities. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…and recent repository listing functionality. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…ons, including a branch selector for Git providers. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…g, context menus, and drag-and-drop file uploads Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
… tracking, and add a `createSampler` utility. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
… drawer, event logs tab, and utility components. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…e, security, and API error handling services. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
Security fixes:
- Remove hardcoded encryption keys and VITE_ prefix (encryption.ts, integrity.ts)
- Escape window.ENV to prevent XSS breakout (root.tsx)
- Wire up per-request CSP nonces, remove deprecated X-XSS-Protection (entry.server.tsx, security.server.ts)
- Add in-memory rate limiting fallback when Redis unavailable (security.server.ts)
Code quality:
- Remove duplicate DndProvider from Layout (root.tsx)
- Record actual request duration in metrics (entry.server.tsx)
- Replace console.log/error with structured logger (entry.server.tsx)
- Use shared cookie parser in api.chat.ts
- Fix package.json: version 2.0.0, engines >=20.19.0, sideEffects allows CSS
Windows desktop adaptation:
- Make RedisService lazy-connect (no startup error spam without Redis)
- Health check reports services as unconfigured when env vars absent
- RBAC default role ADMIN for local desktop user
- HSTS opt-in only (prevents localhost HTTP lockout)
- Add ENCRYPTION_KEY/APP_SECRET to env-validation schema
Cleanup:
- Delete orphaned tests (rbac-guard.test.ts, rateLimitService.test.ts)
- Update security test for removed X-XSS-Protection header
…res, API routes, and essential UI/DX setup. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…ndows ESM issues. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…nd connection management, along with new `sampler` and `debounce` utilities and initial orchestration services. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…s, and UI components for new features. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…ncies, and apply pnpm overrides for security vulnerabilities. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
… specific path resolution. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…tion issues and `ERR_UNSUPPORTED_ESM_URL_SCHEME`. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…sues in `unconfig` and `@remix-run/dev`, and refactor the `globSync` import in `uno.config.ts`. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
… tools, updating dependencies. Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
…iders
- Trim each provider to exactly 3 real, current models
- OpenAI: gpt-5.2 (400k ctx), gpt-5, gpt-5-mini
- Anthropic: claude-opus-4-6, claude-sonnet-4-6, claude-haiku-4-5-20251015
- Google: gemini-3.1-pro-preview, gemini-3-flash, gemini-2.5-flash
- Groq: llama-3.3-70b-versatile, llama-3.1-70b-versatile, llama-3.1-8b-instant
- Mistral: mistral-large-latest (Large 3), mistral-medium-latest (Medium 3), codestral-latest
- xAI: grok-4, grok-3, grok-3-mini
- DeepSeek: deepseek-chat, deepseek-reasoner, deepseek-coder (all updated to 128k context)
- OpenRouter: updated static fallbacks to current flagship models
- Register all 9 active providers in registry.ts (was only 3)
- Delete 10 old provider files: amazon-bedrock, cohere, github, huggingface, hyperbolic, lmstudio, moonshot, openai-like, perplexity, together
- Fix Anthropic beta header (removed non-existent output-128k-2025-02-19)
https://claude.ai/code/session_0189EvgFzDedmy7Ez8t1Q8cX
Local-first Windows setup (docker-compose + .env):
- database/docker-compose.yml: replace :?mandatory password syntax with :-safe_default so Docker starts without requiring a .env file (POSTGRES_PASSWORD, MINIO_ROOT_PASSWORD, NEO4J_PASSWORD, REDIS_PASSWORD)
- database/.env.example: update CHANGE_ME passwords to match docker-compose safe defaults so copy-paste works out of the box
- .env.example: uncomment and activate all local DB connection strings (DATABASE_URL, S3_ENDPOINT, REDIS_URL, NEO4J_URI), use 127.0.0.1 instead of localhost to avoid Windows IPv6 issues, set VITE_LOG_LEVEL=info, update setup instructions to include docker compose up step
Agent bug fixes:
- qc.ts: remove import.meta.env (Vite client-side API — crashes on server), replace with process.env.OPENAI_API_KEY; change model gpt-4o -> gpt-5-mini; fix runCompletenessCheck to actually detect pending tasks and set pass=false + increment high severity count instead of always passing
- constants.ts: remove debug console.log from isReasoningModel() that fired on every single model check in production
- stream-text.ts: remove two DEBUG STREAM logger.info blocks that logged full request params and filtered options on every stream invocation
https://claude.ai/code/session_0189EvgFzDedmy7Ez8t1Q8cX
README.md:
- Bump version to 2.1.0, date to Feb 23 2026
- Quick Start now includes docker compose up -d step (step 3)
- Use 127.0.0.1 instead of localhost in visit URL
- Add local-first callout note
DEPLOYMENT.md:
- Full rewrite to lead with local-first architecture overview
- Prerequisites: add Docker Desktop, remove implicit cloud requirement
- Step-by-step local setup: clone -> configure -> docker compose -> dev server
- Service table: PostgreSQL, MinIO, Redis, Neo4j with ports and purposes
- Environment variables table split into AI keys vs local infrastructure
- Windows IPv6 note (127.0.0.1 over localhost)
ARCHITECTURE.md:
- Bump to version 1.1.0
- Mermaid diagram: add QC agent with model names, add MinIO to data layer, annotate all local services with 127.0.0.1 addresses
- Agent Orchestration: add LangGraph graph flow description
- Persistence section: replace bullet list with table showing all 5 services, their local addresses, and purposes; add Windows IPv6 note
CHANGELOG.md:
- Add [2.1.0] entry documenting local-first conversion and all agent bug fixes
https://claude.ai/code/session_0189EvgFzDedmy7Ez8t1Q8cX
Pull request overview
This PR modernizes the app’s LLM model catalog while introducing new governance/security infrastructure, feature-flagging, Storybook coverage, and CI automation.
Changes:
- Updated LLM provider “staticModels” lists and removed several legacy providers.
- Added governance + connector security layers (routing, guardrails, SSRF/path traversal protection) and supporting tests/utilities.
- Introduced Storybook stories/a11y tests, new settings tab(s), and repository hygiene (CI, templates, docs, Dockerfiles).
Reviewed changes
Copilot reviewed 231 out of 483 changed files in this pull request and generated 23 comments.
| File | Description |
|---|---|
| app/lib/modules/llm/providers/perplexity.ts | Removed Perplexity provider implementation. |
| app/lib/modules/llm/providers/openai.ts | Updated OpenAI model list and dynamic model token cap. |
| app/lib/modules/llm/providers/open-router.ts | Updated OpenRouter static models list. |
| app/lib/modules/llm/providers/moonshot.ts | Removed Moonshot provider implementation. |
| app/lib/modules/llm/providers/mistral.ts | Updated Mistral model catalog. |
| app/lib/modules/llm/providers/lmstudio.ts | Removed LMStudio provider implementation. |
| app/lib/modules/llm/providers/hyperbolic.ts | Removed Hyperbolic provider implementation. |
| app/lib/modules/llm/providers/huggingface.ts | Removed HuggingFace provider implementation. |
| app/lib/modules/llm/providers/groq.ts | Updated Groq model list. |
| app/lib/modules/llm/providers/google.ts | Updated Google/Gemini model list. |
| app/lib/modules/llm/providers/deepseek.ts | Updated DeepSeek model list and token limits. |
| app/lib/modules/llm/providers/cohere.ts | Removed Cohere provider implementation. |
| app/lib/modules/llm/providers/anthropic.ts | Updated Anthropic model list and removed beta header usage. |
| app/lib/modules/llm/providers/amazon-bedrock.ts | Removed Amazon Bedrock provider implementation. |
| app/lib/modules/llm/governance/routingEngine.ts | Added model routing policy engine. |
| app/lib/modules/llm/governance/guardrailService.ts | Added guardrail service (injection + moderation checks). |
| app/lib/modules/llm/governance/classifier.ts | Added output classification helper. |
| app/lib/modules/llm/governance/auditTrail.ts | Added metadata audit trail scaffolding. |
| app/lib/modules/features/defaults.ts | Added default feature flag definitions. |
| app/lib/modules/features/FeatureGate.tsx | Added feature gate component for conditional rendering. |
| app/lib/modules/features/FeatureContext.tsx | Added feature flag context + localStorage persistence. |
| app/lib/modules/connectors/ssrfGuard.ts | Added SSRF protection utility for connectors. |
| app/lib/modules/connectors/oauthConnector.ts | Added OAuth connector base class. |
| app/lib/modules/connectors/fileSanitizer.ts | Added file/path sanitization utilities. |
| app/lib/modules/connectors/connectorRegistry.ts | Added centralized connector registry. |
| app/lib/modules/connectors/baseConnector.ts | Added base connector with SSRF + Zod validation. |
| app/lib/modules/tests/security.test.ts | Added SSRF + log redaction regression tests. |
| app/lib/modules/tests/parity.test.ts | Added basic deployment parity tests. |
| app/lib/metrics.server.ts | Added Prometheus metrics service with NOOP fallback. |
| app/lib/mcp/server/index.ts | Added MCP server entry + manifest export. |
| app/lib/mcp/index.ts | Added top-level MCP exports. |
| app/lib/infra/index.ts | Added infrastructure interfaces (event bus/state/artifacts). |
| app/lib/i18n/config.ts | Added i18n initialization config + fallback strings. |
| app/lib/hooks/useSupabaseConnection.ts | Swapped console logs for scoped logger + improved typing. |
| app/lib/hooks/useStickToBottom.tsx | Tightened generic typing/casts. |
| app/lib/hooks/useSettings.ts | Added orchestrator settings wiring and typing tweaks. |
| app/lib/hooks/usePromptEnhancer.ts | Replaced any request body with typed object. |
| app/lib/hooks/useMessageParser.ts | Updated workbench store import path. |
| app/lib/hooks/useLocalModelHealth.ts | Swapped console logs for scoped logger. |
| app/lib/hooks/useGitLabConnection.ts | Swapped console logs for scoped logger. |
| app/lib/hooks/useGitHubStats.ts | Improved error JSON typing. |
| app/lib/hooks/useGitHubConnection.ts | Swapped console logs for scoped logger. |
| app/lib/hooks/useEditChatDescription.ts | Switched to dbStore access + dependency fix. |
| app/lib/hooks/useConnectionTest.ts | Tightened typing and header mutation. |
| app/lib/hooks/StickToBottom.tsx | Minor type formatting change. |
| app/lib/env-validation.test.ts | Added env validation tests. |
| app/lib/csrf.server.ts | Added CSRF token generation/validation. |
| app/lib/context.server.ts | Added AsyncLocalStorage request context. |
| app/lib/common/prompts/prompts.ts | Added local infrastructure prompt injection + formatting edits. |
| app/lib/common/prompts/optimized.ts | Formatting fixes around Supabase note + env block. |
| app/lib/common/prompts/new-prompt.ts | Added local infrastructure prompt injection + formatting edits. |
| app/lib/common/prompts/infrastructure.ts | Added infrastructure prompt builder. |
| app/lib/common/prompt-library.ts | Wired localInfrastructure through prompt library. |
| app/lib/api/updates.ts | Added update checking helper using GitHub raw package.json. |
| app/lib/api/ipc.ts | Added IPC abstraction for Desktop vs Web. |
| app/lib/api/features.ts | Comment cleanup and no-op viewed tracking. |
| app/lib/api-error-handler.ts | Added standardized API error classifier/handler. |
| app/lib/agent/index.ts | Removed legacy agent module index. |
| app/lib/agent-orchestrator/utils/agent-utils.ts | Added agent utility helpers (safe invoke/error state/formatting). |
| app/lib/agent-orchestrator/shared/index.ts | Added shared index export. |
| app/lib/agent-orchestrator/prompts/index.ts | Added prompts index export. |
| app/lib/.server/rbac-guard.ts | Added RBAC guard helper. |
| app/lib/.server/llm/constants.ts | Removed debug console logging. |
| app/entry.client.tsx | Added centralized error reporting + StrictMode + custom hydration handler. |
| app/components/workbench/Versions.tsx | Updated workbench store import path. |
| app/components/workbench/Search.tsx | Improved types and className handling. |
| app/components/workbench/LockManager.tsx | Updated workbench store import + a11y improvements. |
| app/components/workbench/InspectorTypes.ts | Added shared types for inspector element info. |
| app/components/workbench/EditorPanel.tsx | Updated workbench store import path. |
| app/components/workbench/BulkStyleSelector.tsx | Minor formatting improvements. |
| app/components/workbench/AIQuickActions.tsx | Switched to shared InspectorTypes + icon change. |
| app/components/ui/tests/Button.test.tsx | Added a11y tests for Button variants. |
| app/components/ui/Tooltip.stories.tsx | Added Tooltip story. |
| app/components/ui/ThemeSwitch.stories.tsx | Added ThemeSwitch story. |
| app/components/ui/Tabs.stories.tsx | Added Tabs story. |
| app/components/ui/Switch.tsx | Updated focus ring token usage. |
| app/components/ui/Switch.stories.tsx | Added Switch stories. |
| app/components/ui/SplineScene.tsx | Added lazy-loaded Spline scene component. |
| app/components/ui/Slider.tsx | Refactored memoization and class handling. |
| app/components/ui/Slider.stories.tsx | Added Slider stories. |
| app/components/ui/Separator.stories.tsx | Added Separator stories. |
| app/components/ui/ScrollArea.stories.tsx | Added ScrollArea stories. |
| app/components/ui/ResizeHandle.tsx | Added keyboard resizing support for accessibility. |
| app/components/ui/Progress.stories.tsx | Added Progress stories. |
| app/components/ui/Popover.stories.tsx | Added Popover story. |
| app/components/ui/PanelHeader.tsx | Moved background inline style into class. |
| app/components/ui/Input.stories.tsx | Added Input stories. |
| app/components/ui/ImportProgressBar.tsx | Added import progress UI component. |
| app/components/ui/IconButton.tsx | Extended IconButton props, added style passthrough. |
| app/components/ui/Dropdown.stories.tsx | Added Dropdown story. |
| app/components/ui/Dialog.stories.tsx | Added Dialog story. |
| app/components/ui/CodeBlock.stories.tsx | Added CodeBlock story. |
| app/components/ui/Checkbox.stories.tsx | Added Checkbox story. |
| app/components/ui/Card.tsx | Replaced inline styles with classes and cleaned styles typing. |
| app/components/ui/Card.stories.tsx | Added Card story. |
| app/components/ui/Button.tsx | Updated Button variants to design tokens + simplified prop typing. |
| app/components/ui/Button.stories.tsx | Added Button stories. |
| app/components/ui/BranchSelector.tsx | Improved typing and a11y labeling. |
| app/components/ui/Badge.stories.tsx | Added Badge stories. |
| app/components/sidebar/HistoryItem.tsx | Added i18n strings + improved labeling/tooltips. |
| app/components/sidebar/HistoryItem.stories.tsx | Added HistoryItem stories. |
| app/components/header/HeaderActionButtons.client.tsx | Lazy-loaded deploy components + a11y label. |
| app/components/header/HeaderActionButtons.client.stories.tsx | Added HeaderActionButtons stories. |
| app/components/header/Header.tsx | Added chat visibility toggle + improved sidebar toggle a11y. |
| app/components/header/Header.stories.tsx | Added Header stories. |
| app/components/git/GitUrlImport.client.tsx | Tightened file mapping typing. |
| app/components/errors/RouteErrorBoundary.tsx | Added route error boundary with error reporting. |
| app/components/editor/codemirror/EnvMasking.ts | Improved decoration typing. |
| app/components/deploy/VercelDomainModal.tsx | Fixed icon class naming. |
| app/components/deploy/VercelDeploy.client.tsx | Swapped console logs for scoped logger + improved typing. |
| app/components/deploy/GitLabDeploy.client.tsx | Updated workbench store import path. |
| app/components/deploy/GitHubDeploy.client.tsx | Updated workbench store import path. |
| app/components/deploy/DeployButton.tsx | Lazy-loaded deployment dialogs + minor a11y fixes. |
| app/components/chat/chatExportAndImport/ImportButtons.tsx | Added input a11y attributes and moved inline styles to classes. |
| app/components/chat/chatExportAndImport/ExportChatButton.tsx | Updated workbench store import path. |
| app/components/chat/VercelDeploymentLink.client.tsx | Improved Vercel types, alias selection, and labeling. |
| app/components/chat/UserMessage.tsx | Removed ts-nocheck, added i18n strings and class cleanup. |
| app/components/chat/SupabaseConnection.tsx | Added image alt text and type tweaks. |
| app/components/chat/SupabaseAlert.tsx | Improved typing and added alt text. |
| app/components/chat/RecentChats.tsx | Switched to dbStore access + optimized getAll query params. |
| app/components/chat/ProgressCompilation.tsx | Added failed state icon and colors. |
| app/components/chat/NetlifyDeploymentLink.client.tsx | Added SR-only label for icon-only link. |
| app/components/chat/Messages.client.tsx | Improved typing, i18n, and navigation handling. |
| app/components/chat/Markdown.tsx | Improved typing; adjusted Artifact prop and message content casts. |
| app/components/chat/Markdown.spec.ts | Mocked workbench store for test isolation. |
| app/components/chat/LeftActionPanel.tsx | Added file input a11y attributes + removed inline styles. |
| app/components/chat/ExamplePrompts.tsx | Removed JS hover handlers in favor of CSS classes. |
| app/components/chat/ChatBox.stories.tsx | Added ChatBox stories. |
| app/components/chat/ChatAlert.tsx | Updated workbench store import path. |
| app/components/chat/APIKeyManager.tsx | Added SSR guard + cookie parse error handling. |
| app/components/@settings/tabs/vercel/components/VercelConnection.tsx | Removed debug logs and improved a11y. |
| app/components/@settings/tabs/vercel/VercelTab.tsx | Tightened typing and removed logs. |
| app/components/@settings/tabs/supabase/SupabaseTab.tsx | Tightened typing and improved a11y. |
| app/components/@settings/tabs/providers/local/LocalProvidersTab.tsx | Removed logs and moved styles into classes. |
| app/components/@settings/tabs/providers/cloud/CloudProvidersTab.tsx | Provider type tweaks and description updates. |
| app/components/@settings/tabs/project-memory/ProjectMemoryTab.tsx | Updated workbench store import path. |
| app/components/@settings/tabs/orchestrator/OrchestratorTab.tsx | Added orchestrator settings UI tab. |
| app/components/@settings/tabs/notifications/NotificationsTab.tsx | Tightened typing for details casting. |
| app/components/@settings/tabs/gitlab/components/RepositoryCard.tsx | Updated repository icon. |
| app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx | Tightened typing and improved a11y labels. |
| app/components/@settings/tabs/gitlab/components/GitLabConnection.tsx | Removed debug logging and dead click handler. |
| app/components/@settings/tabs/gitlab/GitLabTab.tsx | Prevented XSS by using textContent vs innerHTML. |
| app/components/@settings/tabs/github/components/GitHubRepositoryCard.tsx | Updated repository icon. |
| app/components/@settings/tabs/github/components/GitHubConnection.tsx | Removed debug logs and improved a11y label. |
| app/components/@settings/tabs/github/components/GitHubCacheManager.tsx | Tightened typing and removed console log. |
| app/components/@settings/tabs/data/DataTab.tsx | Removed logs, improved a11y labels, moved inline styles to classes. |
| app/components/@settings/core/types.ts | Added orchestrator tab type and tightened UserProfile type. |
| app/components/@settings/core/constants.tsx | Added orchestrator tab metadata and re-ordered default tabs. |
| app/components/@settings/core/ControlPanel.css | Added extracted ControlPanel styles. |
| SUPPORT.md | Added support policy doc. |
| SECURITY.md | Added security policy doc. |
| ROADMAP.md | Added roadmap doc. |
| LICENSE | Added MIT license file. |
| Dockerfile | Added multi-stage Docker build configuration. |
| CONTRIBUTING.md | Added contributing guidelines. |
| CODE_OF_CONDUCT.md | Added code of conduct. |
| CHANGELOG.md | Added changelog. |
| .storybook/vitest.setup.ts | Added Storybook + Vitest setup. |
| .storybook/preview.ts | Added Storybook preview/decorators. |
| .storybook/main.ts | Added Storybook main config. |
| .husky/pre-commit | Added pre-commit hook script (currently skipping checks). |
| .github/workflows/main.yml | Added CI workflow for lint/audit/typecheck/test/build. |
| .github/dependabot.yml | Added Dependabot config. |
| .github/PULL_REQUEST_TEMPLATE.md | Added PR template. |
| .github/ISSUE_TEMPLATE/feature_request.md | Added feature request template. |
| .github/ISSUE_TEMPLATE/bug_report.md | Added bug report template. |
| .env.example | Updated env defaults for local-first infra and log level. |
| .dockerignore | Added dockerignore rules. |
| .claude/worktrees/friendly-heisenberg | Added Claude worktree pointer file. |
Comments suppressed due to low confidence (1)
.claude/worktrees/friendly-heisenberg:1
- This looks like a tool/worktree artifact rather than app source. Committing it can create noise and confusion for contributors/CI. Consider removing it from the repo and adding .claude/ (or at least .claude/worktrees/) to .gitignore if it shouldn’t be versioned.
| const rootElement = document; | ||
|
|
||
| try { |
hydrateRoot expects a DOM element container (e.g. the #root element), but this passes document, which will break hydration at runtime. Use document.getElementById('root') (and keep the non-null assertion or handle null) as the container passed to hydrateRoot.
| const rootElement = document; | |
| try { | |
| try { | |
| const rootElement = document.getElementById('root'); | |
| if (!rootElement) { | |
| throw new Error("Hydration failed: root element with id 'root' not found"); | |
| } |
|
|
||
| if (!absoluteTarget.startsWith(absoluteRoot)) { |
Using startsWith for path containment checks is unsafe (e.g. /root/allowed2 startsWith /root/allowed). Prefer comparing a path.relative(absoluteRoot, absoluteTarget) and rejecting if it starts with .. or is absolute, or ensure you check a path-separator boundary (e.g. absoluteRoot + path.sep).
| if (!absoluteTarget.startsWith(absoluteRoot)) { | |
| const relative = path.relative(absoluteRoot, absoluteTarget); | |
| if (relative.startsWith('..') || path.isAbsolute(relative)) { |
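Review bot: in the suggested condition, `relative.startsWith('..')` also matches in-root names that merely begin with two dots (for example a directory called `..config`), so legitimate paths inside the root would be rejected. Test for the parent segment itself instead, `relative === '..' || relative.startsWith('..' + path.sep)`, and keep the `path.isAbsolute(relative)` term.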
| const STORAGE_KEY = 'devonz_features_v1'; | ||
|
|
||
| export function FeatureProvider({ children }: { children: ReactNode }) { | ||
| const [features, setFeatures] = useState<Record<string, FeatureConfig>>(DEFAULT_FEATURES); |
This mutates nested state (merged[key].enabled = ...) because merged[key] still references the same object as prev[key] (and initially may reference DEFAULT_FEATURES). This can lead to React state mutation bugs and can accidentally mutate DEFAULT_FEATURES. Create a new object per key you update (immutable update) and consider initializing state with a deep clone of DEFAULT_FEATURES.
| setFeatures((prev) => { | ||
| const merged = { ...prev }; | ||
| Object.keys(parsed).forEach((key) => { | ||
| if (merged[key]) { | ||
| merged[key].enabled = parsed[key].enabled; | ||
| } | ||
| }); | ||
|
|
||
| return merged; | ||
| }); |
|
|
||
| if [ $? -ne 0 ]; then | ||
| echo "❌ Pre-commit validation failed. Please fix the errors before committing." | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "✅ Pre-commit validation passed." |
This hook currently always reports success because the lint/typecheck commands are commented out and $? only checks the echo command. Either run the intended checks, or explicitly exit 0 with a clear message (and remove the misleading failure/success logic), or gate skipping behind an environment flag so CI/local contributors aren’t misled.
| if [ $? -ne 0 ]; then | |
| echo "❌ Pre-commit validation failed. Please fix the errors before committing." | |
| exit 1 | |
| fi | |
| echo "✅ Pre-commit validation passed." | |
| echo "ℹ️ Pre-commit validation is currently disabled; no checks were run." | |
| exit 0 |
| ref: ForwardedRef<HTMLButtonElement>, | ||
| ) => { | ||
| return ( | ||
| <button |
Because disabled is not omitted from ButtonHTMLAttributes, callers can pass disabled both via the explicit prop and in ...props. Since {...props} is spread last, it can override disabled={disabled} and bypass the component’s disabled-guard behavior. Omit disabled from the spreadable attributes (or spread props before setting disabled/title/style).
| title={title} | ||
| disabled={disabled} | ||
| style={style} |
|
|
||
| onClick?.(event); | ||
| }} | ||
| {...props} |
|
|
||
| if (!absoluteTarget.startsWith(absoluteRoot)) { |
Path sanitization is security-critical and currently lacks test coverage. Add tests covering: valid in-root paths, .. traversal attempts, and edge cases like prefix collisions (/root/allowed vs /root/allowed2) and differing separators.
| if (!absoluteTarget.startsWith(absoluteRoot)) { | |
| const relative = path.relative(absoluteRoot, absoluteTarget); | |
| const isOutsideRoot = | |
| !relative || | |
| relative === '..' || | |
| relative.startsWith('..' + path.sep) || | |
| path.isAbsolute(relative); | |
| if (isOutsideRoot) { |
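The containment check from the two review comments on this line, worked through as an added example (not code from the pull request): `naiveIsInside` reproduces the flagged `startsWith` comparison and `isInsideRoot` uses `path.relative`, run over the case groups the comment asks tests for. The function names, the `allowRoot` option, the way `absoluteTarget` is derived and the case table are assumptions of this example; `path.posix` and `path.win32` are passed explicitly so the separator cases behave the same on any host.

```javascript
'use strict';
const path = require('node:path');

// The flagged pattern: a plain string-prefix comparison.
// Assumption: the target is resolved against the root before comparing.
function naiveIsInside(root, target, p = path) {
  const absoluteRoot = p.resolve(root);
  const absoluteTarget = p.resolve(absoluteRoot, target);
  return absoluteTarget.startsWith(absoluteRoot);
}

// Containment decided on the relative path instead of a string prefix.
// This is a lexical check only: symlinks are not resolved here.
function isInsideRoot(root, target, p = path, { allowRoot = true } = {}) {
  const absoluteRoot = p.resolve(root);
  const absoluteTarget = p.resolve(absoluteRoot, target);
  const relative = p.relative(absoluteRoot, absoluteTarget);

  // path.relative returns '' when the target is the root itself.
  // Whether that counts as "inside" is a policy choice, so it is explicit.
  if (relative === '') {
    return allowRoot;
  }

  // On Windows a target on another drive comes back as an absolute path.
  if (p.isAbsolute(relative)) {
    return false;
  }

  // Outside only if the first segment is exactly '..'; a name such as
  // '..config' starts with two dots but is still inside the root.
  return relative !== '..' && !relative.startsWith('..' + p.sep);
}

// Constructed cases: in-root paths, '..' traversal, prefix collision,
// and differing separators.
const POSIX_ROOT = '/root/allowed';
const WIN_ROOT = 'C:\\root\\allowed';
const CASES = [
  { name: 'in-root file', p: path.posix, root: POSIX_ROOT, target: 'docs/a.txt', inside: true },
  { name: 'root itself', p: path.posix, root: POSIX_ROOT, target: '.', inside: true },
  { name: 'name starting with two dots', p: path.posix, root: POSIX_ROOT, target: '..config/a.txt', inside: true },
  { name: 'dot-dot traversal', p: path.posix, root: POSIX_ROOT, target: '../../outside.txt', inside: false },
  { name: 'prefix collision', p: path.posix, root: POSIX_ROOT, target: '../allowed2/secret.txt', inside: false },
  { name: 'win32 mixed separators', p: path.win32, root: WIN_ROOT, target: 'docs/a.txt', inside: true },
  { name: 'win32 prefix collision', p: path.win32, root: WIN_ROOT, target: '..\\allowed2\\a.txt', inside: false },
  { name: 'win32 other drive', p: path.win32, root: WIN_ROOT, target: 'D:\\other\\a.txt', inside: false },
];

// Evaluate both checks for every case so the disagreements are visible.
function runCases() {
  return CASES.map((c) => ({
    name: c.name,
    expected: c.inside,
    strict: isInsideRoot(c.root, c.target, c.p),
    naive: naiveIsInside(c.root, c.target, c.p),
  }));
}

for (const r of runCases()) {
  const flag = r.naive === r.expected ? '' : '  <-- startsWith check disagrees';
  console.log(`${r.name}: expected=${r.expected} strict=${r.strict} naive=${r.naive}${flag}`);
}
```

The two prefix-collision rows are the ones where the `startsWith` check accepts a path that lies outside the root.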
| @@ -0,0 +1,93 @@ | |||
| // eslint-disable-next-line storybook/no-renderer-packages | |||
| import type { Meta, StoryObj } from '@storybook/react'; | |||
Most new stories in this PR use @storybook/react-vite, but this file imports from @storybook/react. That inconsistency can break type resolution/config for a Vite-based Storybook setup. Align it to @storybook/react-vite (or the project’s chosen Storybook renderer package).
| import type { Meta, StoryObj } from '@storybook/react'; | |
| import type { Meta, StoryObj } from '@storybook/react-vite'; |
Signed-off-by: Kevin Eloy Herrera <kherrera3250@gmail.com>
No description provided.