fix: address 8 code-review findings from Cursor audit #9
Cookie-Cat21 wants to merge 3 commits into
- walletAccountId: return null for borrower/SME instead of falling back
to the diaspora account 'SEY-ACC-002'; wallet/page.tsx redirects to
the persona's default route when walletAccountId is null, preventing
wrong-account reads and saveAllocationRules mutations
- admin reset key: remove NEXT_PUBLIC_DEMO_ADMIN_KEY from client bundle;
add app/api/admin/reset/route.ts server proxy that reads DEMO_ADMIN_KEY
server-side only
- createPaymentSession / getPaymentStatus: add AbortSignal.timeout
(15 s / 10 s) — both previously had no timeout and could hang forever
- request() signal: use options?.signal ?? AbortSignal.timeout(5000) so
callers can supply their own AbortSignal without it being overwritten
- AuthGuard: show loading spinner instead of null while redirect is
pending, eliminating the blank-screen flash on unauthenticated visits
- PageEnter: move key={pathname} onto the inner motion.div via
usePathname(); remove it from AppShell so the wrapper component stays
mounted across navigations — no more full subtree remounts
- getStoredToken: wrap localStorage.getItem in try/catch, matching
getStoredSession, so SecurityError in sandboxed iframes doesn't throw
on every API request
- getYDomain: guard empty-array input ([0,100] fallback) and replace
Math.min/max spread with a loop to avoid RangeError on large datasets
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace hardcoded GBP/USD/EUR/AUD→LKR fixtures with a live fetch from open.er-api.com (no API key required). Rates are cached in-process for 1 hour; on failure the service falls back to the previous fixture values so the demo never breaks. Both the /api/fx router endpoint (async) and the MCP tool handler (sync) use the shared cache.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove openai package from requirements.txt
- Delete openai_client.py
- groq_client.py is now self-contained (no OpenAI fallback check)
- claude_client.py proxies directly to groq_client
- stt.py uses Groq Whisper (whisper-large-v3-turbo) for transcription
- config.py: remove openai_api_key and supabase legacy fields
- .env.example: simplified to reflect Groq + Neon-only stack
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Fixes 8 confirmed bugs surfaced by a code review of Cursor's recent work (PRs #1–#6).
- `walletAccountId` was null-coalescing to `"SEY-ACC-002"` (Nimal's diaspora account) for borrower and SME personas. Their `wallet_account_id` is `null`, so `useCurrentUser` now returns `null` for those personas. `wallet/page.tsx` redirects them to their correct default route and guards all downstream consumers (`useWalletRealtime`, `saveAllocationRules`, `SendMoneyModal`, assistant deeplink).
- `adminHeaders()` was reading `NEXT_PUBLIC_DEMO_ADMIN_KEY`, which Next.js bundles into client JS. Removed the function; added `app/api/admin/reset/route.ts` (server route) that reads the non-public `DEMO_ADMIN_KEY` env var and proxies to the backend. Key never reaches the browser.
- `createPaymentSession` / `getPaymentStatus` no timeout — both used raw `fetch()` with no `AbortSignal`. Added 15 s and 10 s timeouts respectively.
- `request()` silently overwrote caller's `signal` — the hardcoded `signal: AbortSignal.timeout(5000)` came after `...options`, overwriting any signal a caller passed. Changed to `options?.signal ?? AbortSignal.timeout(5000)`.
- `AuthGuard` blank flash — guard was returning `null` synchronously before the `router.replace` effect fired, causing a blank screen on every unauthenticated visit. Now returns the same loading spinner used during token validation.
- `PageEnter key={pathname}` unmounted all page children — `key={pathname}` on the wrapper in `AppShell` forced a full subtree remount on every navigation, destroying modal state and re-firing all mount effects. Moved the `key` to the inner `motion.div` inside `PageEnter` (via `usePathname()`), so only the animated element re-creates.
- `getStoredToken` missing try/catch — `localStorage.getItem()` can throw `SecurityError` in sandboxed iframes. Added try/catch to match the sibling `getStoredSession`.
- `getYDomain([])` → `[NaN, Infinity]` — `Math.min(...[])` returns `Infinity`; replaced with a safe `for...of` loop and added an empty-array guard returning `[0, 100]`.
Test plan
- `/wallet` redirects to `/loans`
- `/wallet` redirects to `/business`
- `/login`
- `SendMoneyModal` open state on the wallet page
- `POST /api/admin/reset` works (demo reset button) — confirm `DEMO_ADMIN_KEY` is set in `.env.local`
- `npx tsc --noEmit` passes with no new errors
🤖 Generated with Claude Code
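The defensive patterns described in the first commit message and in the Summary above (wallet account resolution returning null instead of a fallback account, caller-supplied AbortSignal precedence, guarded storage reads, and a safe y-domain computation), rewritten as an added, self-contained example. This is not the PR's own code: the function names `resolveWalletAccountId`, `walletRouteFor`, `buildRequestInit`, `readStoredToken` and the `defaultRoutes` map are assumptions; the route paths and the `SEY-ACC-002` fixture are the ones the page mentions.

```javascript
// Added example, not code from the PR. Each PR fix is shown as a small
// stand-alone function so the behaviour can be checked directly.
// Function names and the defaultRoutes shape are assumptions.

const DIASPORA_DEMO_ACCOUNT = "SEY-ACC-002"; // fixture the old code fell back to

// BEFORE: a persona with no wallet silently resolves to someone else's account,
// so every downstream read (and every saveAllocationRules mutation) targets
// the wrong wallet.
function resolveWalletAccountIdBuggy(user) {
  return user.wallet_account_id ?? DIASPORA_DEMO_ACCOUNT;
}

// AFTER: no wallet means null. The caller must redirect or refuse, never guess.
function resolveWalletAccountId(user) {
  return user.wallet_account_id ?? null;
}

// Decide where a visit to /wallet should land. A persona without a wallet is
// sent to its own default route; an unknown persona goes to /login.
function walletRouteFor(user, defaultRoutes) {
  const id = resolveWalletAccountId(user);
  if (id === null) return defaultRoutes[user.persona] ?? "/login";
  return "/wallet";
}

// Build fetch options so a caller-supplied AbortSignal takes precedence over
// the default timeout. Putting `signal:` after `...options` (the old order)
// would overwrite whatever the caller passed.
function buildRequestInit(options = {}, timeoutMs = 5000) {
  return {
    ...options,
    signal: options.signal ?? AbortSignal.timeout(timeoutMs),
  };
}

// Storage access can throw SecurityError in sandboxed iframes. Treat any
// throw as "no token" instead of failing every API request.
function readStoredToken(storage, key = "token") {
  try {
    return storage.getItem(key);
  } catch {
    return null;
  }
}

// Y-axis domain without Math.min(...values) spread, which throws RangeError
// once the argument list exceeds the engine's limit, and with an explicit
// empty-array guard (Math.min(...[]) is Infinity, which poisons the axis).
function getYDomain(values) {
  if (values.length === 0) return [0, 100];
  let min = Infinity;
  let max = -Infinity;
  for (const v of values) {
    if (v < min) min = v;
    if (v > max) max = v;
  }
  return [min, max];
}

// Constructed sample personas, mirroring the page's borrower / SME / diaspora split.
const SAMPLE_ROUTES = { borrower: "/loans", sme: "/business" };
const SAMPLE_BORROWER = { persona: "borrower", wallet_account_id: null };
const SAMPLE_DIASPORA = { persona: "diaspora", wallet_account_id: "SEY-ACC-002" };

// Sandboxed-iframe stand-in: every getItem call throws, as localStorage would.
const THROWING_STORAGE = {
  getItem() {
    throw new Error("SecurityError: The operation is insecure.");
  },
};
```

With these in place, `walletRouteFor(SAMPLE_BORROWER, SAMPLE_ROUTES)` yields `/loans` rather than a view of the diaspora account, and `buildRequestInit({ signal: controller.signal })` keeps the caller's signal instead of replacing it with a fresh 5 s timeout.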