Skip to content

chore: post-hackathon cleanup — security, robustness, docs, polish#22

Merged
danieldiazde merged 1 commit into
mainfrom
chore/post-hackathon-cleanup
May 11, 2026
Merged

chore: post-hackathon cleanup — security, robustness, docs, polish#22
danieldiazde merged 1 commit into
mainfrom
chore/post-hackathon-cleanup

Conversation

@danieldiazde
Copy link
Copy Markdown
Owner

@danieldiazde danieldiazde commented May 11, 2026

Pase de limpieza después del hackathon. 25 items aplicados desde la auditoría (críticos + robustez + docs + pulido). Excluye seguridad de infra (rotación de keys / cleanup de Vercel/Supabase) que va aparte.

Critical

  • SSRF en /api/canvas/sync (validación de URL)
  • /api/gemini/test ahora auth-gated
  • /api/profile/horario: data-safe replace (snapshot → insert → delete)
  • EmptyInsightCard: loop guard con sessionStorage
  • WeeklyCalendar: stacked list en mobile (<768px)
  • Demo fixtures con fechas relativas (build*Fixture(reference))

Robustness

  • fetchWithTimeout para llamadas externas
  • zod schemas en /profile/setup, /calendar/create, /canvas/sync
  • Canvas iCal: timezone Monterrey en lugar de UTC
  • /calendar/create distingue 401 / 403 / 503
  • /api/planes/[clave] normaliza a uppercase
  • ApplyBlocksButton respeta iOS safe-area

Docs

  • README: modelo enum, /profile/horario y /gemini/test docs, structure real, NEXT_PUBLIC_DEMO_MODE
  • demo-script.md actualizado al flow de PDF upload

Polish

  • Gemini retry con jitter + validación de respuesta vacía
  • Cache-Control en /api/planes (5min browser, 1h edge)
  • Removed dead <CardContent />
  • Mensajes de error sanitizados

🤖 Generated with Claude Code

@danieldiazde @claude
chore: post-hackathon cleanup pass
1cd8906 
Audit-driven cleanup covering security, robustness, docs, and polish.
Findings came from three parallel reviews (backend, frontend/UX, docs).

Critical fixes
- SSRF in /api/canvas/sync: validate the iCal URL with assertSafeIcalUrl
  before fetching. Rejects non-HTTPS schemes, loopback/RFC1918 hosts,
  169.254.169.254, and paths that don't end in .ics.
- /api/gemini/test was unauthenticated, letting anyone drain Gemini quota.
  Now requires a valid session.
- /api/profile/horario could wipe materias_inscritas before the new rows
  were safely persisted. Switched to snapshot-old-IDs → insert-new →
  delete-old so a failed insert leaves the user's data intact.
- EmptyInsightCard auto-generated on every mount, which caused a quiet
  retry loop when generation kept failing. Now guarded with
  sessionStorage so the auto-attempt only fires once per session; the
  manual button still works.
- WeeklyCalendar forced horizontal scroll on mobile (min-w-[760px]).
  Added a stacked per-day mobile list below md.
- Demo fixtures are now factories (buildInsightFixture /
  buildEventosFixture) that emit dates relative to today, so ?demo=1
  works in any week instead of only the original 2026-05-11 demo week.

Robustness
- fetchWithTimeout: shared 15s AbortController-backed fetch used by the
  Google Calendar helpers so a stuck upstream can't tie up a serverless
  invocation.
- Added zod schemas (lib/validation/schemas.ts) and applied them to
  /api/profile/setup, /api/calendar/create, /api/canvas/sync.
- Canvas iCal: dates are now extracted in America/Monterrey and stored
  with the -06:00 offset; previously UTC-based extraction shifted
  deadlines forward when an event was near midnight.
- Canvas error surface is sanitized: only deliberately-thrown messages
  ("URL inválida", etc.) reach the client; everything else is generic.
- /api/calendar/create distinguishes 401 (token expired) vs 403 (missing
  scope) vs 503 (API disabled) with targeted hints and HTTP statuses.
- /api/planes/[clave] normalizes clave to uppercase so "itc26" works.
- ApplyBlocksButton uses safe-area-inset-bottom so it doesn't sit
  underneath the iOS home indicator.

Docs
- README: corrected modelo enum to "tec21" | "tec26"; added
  /api/profile/horario and /api/gemini/test contracts; replaced the
  (auth)/login placeholder with the real structure; expanded the lib/
  tree to include pdf, scheduling, tec21, validation, fixtures.
- README + .env.example: documented NEXT_PUBLIC_DEMO_MODE.
- docs/demo/demo-script.md: rewrote the onboarding step to reflect the
  PDF upload flow (no more manual materia selection).

Polish
- Gemini retry now uses jittered exponential backoff to avoid thundering
  herd on quota errors, and rejects empty responses before parsing.
- GET /api/planes and /api/planes/[clave] set Cache-Control with a
  5-min browser + 1-hour edge TTL since the catalog is essentially
  static.
- Removed dead <CardContent /> from landing.
- Sanitized DB error responses ("DB error" → user-facing copy).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vercel
Copy link
Copy Markdown

vercel Bot commented May 11, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gemini-hackdays-frontend-w3rx Ready Ready Preview, Comment May 11, 2026 2:25am

@supabase
Copy link
Copy Markdown

supabase Bot commented May 11, 2026

This pull request has been ignored for the connected project jwqffychkaczvknfgzbd because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.

Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@danieldiazde danieldiazde merged commit ac12ec6 into main May 11, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@danieldiazde