Conversation
- Add ChatMessage model to Prisma schema with user scoping
- Create database migration for chat_messages table
- Add /chat to protected paths in middleware.ts
- Add AI Chat link to sidebar navigation
- Create /api/chat/ollama API route with streaming, auth, and input sanitization
- Create /api/chat/history API route for loading/clearing chat history
- Create /chat page with server-side auth and sidebar layout
- Create ChatInterface and ChatMessage client components
- Add chat types definitions
- Add Ollama env vars to .env.example
- Add CHAT_SETUP.md documentation
- All type-check, lint, and build pass successfully

Co-authored-by: syed-reza98 <71028588+syed-reza98@users.noreply.github.com>

…n (CodeQL fix) Co-authored-by: syed-reza98 <71028588+syed-reza98@users.noreply.github.com>
Add Vercel composition-patterns SKILL.md and a comprehensive vercel-react-best-practices AGENTS.md (large performance & best-practices guide). Propagate SKILL/AGENTS files across multiple agent/provider namespaces (e.g., .adal, .augment, .codebuddy, .cortex, etc.). Remove older per-agent rule files from .agents/.claude/.claude/... that are now consolidated. Also add marketing assets (marketing/ad-10-1taka HTML pages and video files) and a script (scripts/record-marketing-video.mjs).
…g mode
- POST /api/settings/ai/test: test Ollama connectivity, returns models & latency
- GET /api/chat/models/[name]: fetch model details via SDK show()
- Chat interface: stop generation button with AbortController
- Chat API: support think param for reasoning models
- AI Settings: Test Connection button with success/error feedback
- Updated docs with all new API endpoints and features

Co-authored-by: syed-reza98 <71028588+syed-reza98@users.noreply.github.com>

…ollama repos Co-authored-by: syed-reza98 <71028588+syed-reza98@users.noreply.github.com>
Add multi-tenant, organization-aware chat and expand Ollama-based AI features. Highlights:
- Database & schema: add ChatMessage.organizationId, thinking, and usage fields; add index and FK; migration to backfill single-org users.
- Prisma schema updates and API changes to scope chat history and deletes by userId + organizationId.
- Streaming protocol: /api/chat/ollama now emits NDJSON events (thinking, content, done, error) and persists thinking/usage metadata.
- New API endpoints: /api/chat/generate (single-turn generate), /api/chat/assistant (tool-calling assistant), /api/chat/actions/parse (structured action parsing), /api/chat/embed (embeddings with fallback hash), /api/chat/semantic-search/products (semantic product search with embedding fallback), /api/chat/tools/execute, websearch, webfetch.
- Assistant flow: supports tool calls (commerce tools + optional web tools), executes tools server-side and includes tool results in final responses.
- Embeddings: call-out to Ollama embed model with fallback hashing strategy when provider unavailable.
- Config & env: add CREDENTIALS_ENCRYPTION_KEY, OLLAMA_EMBED_MODEL and optional AI feature flags; update defaults and docs to reflect organization scoping and NDJSON streaming.
- Docs & UI: update CHAT_SETUP.md and client components to support new options and organization-scoped chat behavior.

These changes enable organization-scoped conversations, richer reasoning/telemetry capture, tool-assisted assistant workflows, semantic search, and robust embedding fallbacks.

Add Playwright TypeScript test guidelines (.github/instructions/playwright-typescript.instructions.md) with examples, best practices, and a quality checklist. Update .github/copilot-instructions.md to include new instruction folders (skills, prompts, instructions) and embed test credentials for browser automation flows. Remove workspace VS Code settings (.vscode/settings.json) and update AGENT.md to reflect Prisma PostgreSQL as the database target.
Support multipart/form-data file uploads for the Ollama chat endpoint and wire it into the chat UI. The API now parses attachments (images, text-like files, and metadata for other types), enforces limits (max 8 files, 8MB each, 24MB total, text extraction caps), extracts text snippets, encodes images as base64 for multimodal model inputs, and injects an attachments summary into stored/user messages and model input. The frontend ChatInterface now supports selecting, previewing, removing and sending attachments (uses FormData when files present), includes attachments in optimistic UI messages, clears attachments on send/clear, and updates UI affordances and validation. Docs updated with file upload usage and constraints.
Introduce comprehensive Vercel-related skills and rule sets across agent variants (.agent, .agents, .claude, .adal, .augment). Adds new skills: vercel-react-best-practices, vercel-composition-patterns, next-best-practices, vercel-react-native-skills, deploy-to-vercel, and web-design-guidelines, including many rule markdown files, READMEs, AGENTS and SKILL manifests. Also adds deployment resources (deploy.sh, deploy-codex.sh) and Archive.zip, and updates existing SKILL.md/AGENTS.md files to reference the new content.
Fetch and display Ollama model metadata in the AI settings UI and handle missing models gracefully. Parse model_info safely (including Map->object conversion) and expose capabilities and modelInfo in the API response. Add client-side fetchModelDetails with debounce, loading/error states, and a model details panel (capabilities badges, format, params, quantization). Return a 404 with a clear message when a model isn't found on the configured Ollama host. Also update types (OllamaModelDetails) and import IconInfoCircle; add /tmp to .gitignore.
Annotate multiple sections of docs/research/OLLAMA_CLOUD_API_RESEARCH.md with implementation status badges to reflect current SDK coverage. Marks Chat and Generate as Completed; Tool Calling, Embeddings, Web Search, and Web Fetch as Implemented; Thinking, Structured Outputs, Vision, and Model Management as Partially implemented; and Custom Modelfiles, Running Models, Image Generation, OpenAI-Compatible API, and Log Probabilities as Not implemented. These indicators help track progress and inform integration/work prioritization.
Adds model management and improves embedding, tooling, and structured output behavior. Key changes:
- New API endpoint src/app/api/chat/models/manage/route.ts to pull/copy/delete Ollama models (server-side validation and error handling).
- Embedding: introduce candidate model list and retry logic (embed/embed-fallback refactor) in embed and semantic-search endpoints to try multiple embedding models before failing; include attemptedModels metadata.
- Ollama chat: large enhancements for tool-assisted flows — tenant resolution, tool call execution loop (with MAX_TOOL_CALLS), commerce tool integration, JSON repair/validation for structured formats, vision-capable model resolution for image attachments, chunked streaming helpers, and a system prompt that sets currency context to Bangladeshi Taka (BDT).
- UI: AiSettingsForm adds model management controls (pull/copy/delete) with async actions; ChatInterface adds output format modes (text/json/schema) and schema editor, plus reasoning mode adjustments for gpt-oss models.
- Tools/format: tools execute route now accepts both "toolArgs" and "arguments" keys; chat-tools responses standardized to include BDT currency fields (totalAmountBdt, totalSpentBdt) and expanded order/customer fields.

These changes improve robustness (retry/fallback for embeddings), enable model lifecycle operations, support structured JSON output and schema enforcement, add vision model selection, and ensure monetary values use BDT in tool responses.

Introduce OpenAI-compatible endpoints and Ollama tooling: add wrappers for chat completions (streaming + non-streaming), embeddings, images/generations, and model listing/info. Add an Ollama image-generation passthrough endpoint and a /api/chat/models/running endpoint to list loaded models. Extend model management to support a new "create" action and improve error handling for provider permission issues. Add logprobs/top_logprobs support across generate/ollama flows (request parsing, propagation, and included in done events/DB records). UI updates in AiSettingsForm to support creating custom models and fetching running models. Also add minor tool assistance (product count) using Prisma and ProductStatus.
Add comprehensive AI chat documentation and plans for Ollama integration (implementation analysis, detailed report, integration/implementation plans, quick reference). Introduce session plan and a temporary typecheck log. Add new API capability route (src/app/api/chat/capabilities/route.ts) and update UI/type code: modify ai-settings-form.tsx, chat-interface.tsx, and chat-types.ts to reflect Ollama config, capabilities probing and UI changes. Also update research notes (docs/research/OLLAMA_CLOUD_API_RESEARCH.md). These changes prepare the codebase for Ollama Cloud integration, capability detection, and enhanced chat UI support.
Organize documentation by relocating AI chat-related markdown files into a dedicated docs/ollama directory. The following files were moved without content changes: AI_CHAT_IMPLEMENTATION_ANALYSIS_AND_PLAN.md, AI_CHAT_IMPLEMENTATION_REPORT.md, AI_CHAT_OLLAMA_IMPLEMENTATION_PLAN.md, AI_CHAT_OLLAMA_INTEGRATION_PLAN.md, and AI_CHAT_QUICK_REFERENCE.md. This groups Ollama-specific docs for clearer project structure.
Add docs/ollama/AI_CHAT_COMPREHENSIVE_ANALYSIS_2026-03-18.md — a full review of the Ollama integration and repo architecture. The document captures reviewed artifacts, execution method, verified strengths, critical gaps (notably object-level store auth, missing conversation/session model, attachment persistence, and host validation), frontend UX/streaming concerns, online research, and a prioritized P0–P2 action plan with recommended fixes and consolidation of docs.
Introduce chat sessions, attachments, and usage logging across the chat stack. Adds Prisma models (ChatSession, ChatAttachment, ChatUsageLog) and migrations to create tables, indexes, backfill legacy sessions, and rename an index. Update schema to link ChatMessage -> sessionId and add relations. Add new API endpoints and enhancements: /api/chat/messages (list/delete with pagination and session scoping), /api/chat/sessions and /api/chat/sessions/[sessionId] (session management), chat usage route, and enrich /chat/history to return attachments and sessionId. Enhance /chat/ollama to support session lifecycle (ensure/touch session), persist attachments and usage logs, and record usage metrics. Multiple chat endpoints (assistant, embed, image-generate, models/manage, ollama) now apply rate limiting via enforceChatRateLimit. Also add helper libs for chat-rate-limit and chat-session. Misc: add COMPREHENSIVE_PLATFORM_REVIEW_ANALYSIS_2026-03-18.md, track .copilot-tracking in .gitignore, and small chat-type/schema updates to support new features.
Persist chat usage logs and add a store metrics commerce tool.
- src/app/api/chat/assistant/route.ts: import prisma and record success/failure chat usage logs (provider: ollama) for /api/chat/assistant, with basic error handling.
- src/app/api/chat/models/route.ts: gracefully fall back to an available model when configured model is missing and expose configuredModel and modelFallbackApplied flags in the response.
- src/app/api/chat/ollama/route.ts: broaden STORE_DATA_INTENT_PATTERN to detect metrics/financial keywords and accept multiple form field names (files/file/attachments) when parsing uploads.
- src/lib/chat-tools.ts: add get_store_metrics tool (registered in CHAT_TOOL_NAMES and the function definition) and implement it to return active product/customer/order counts, pending orders and revenue over a rolling period (with permission checks and Prisma queries; revenue returned as minor units and converted to BDT).

These changes enable metrics-aware assistant behavior, more robust model handling, and basic usage telemetry for observability.

Introduce StormPilot feature: add chat UI component, preferences form, pages for /stormpilot and /settings/stormpilot, and supporting lib (src/lib/stormpilot.ts). Protect /stormpilot in middleware and add sidebar navigation items. Implement streaming message handling, session management, model/capabilities loading, attachment upload and web-research context with graceful fallback. Also add generated audit artifacts (COMPREHENSIVE_API_INVENTORY_GENERATED.md and COMPREHENSIVE_STORMPILOT_OLLAMA_ANALYSIS_2026-03-19.md) documenting API inventory and analysis.
Add QWEN.md — a comprehensive 800+ line project context document for the StormCom Next.js multi-tenant SaaS e-commerce platform. Includes project overview, tech stack, directory structure, multi-tenancy model, authentication/permissions, build & run instructions, database/migration commands, testing, deployment (Vercel), payment and Facebook integrations, storefront/theme system, subscription management, developer conventions, known issues, and links to additional docs. Intended for onboarding, developer reference, and AI-assisted workflows.
Add complete API documentation and artifacts for StormCom: OpenAPI specification and JSON schema, API summary, documentation report, Swagger UI/Redoc setup, TypeScript SDK docs, and related NEXT_STEPS notes. Also add api_routes_analysis.csv (endpoint inventory) and update docs/README.md and QWEN.md to reflect the new API docs and updated codebase statistics.
Implement Priority 1 & 2 features: add Swagger UI and OpenAPI endpoint, bulk CRUD and export endpoints (products, orders, customers, inventory), full-text search (Postgres + Meilisearch) and suggestions, Redis caching layer with tag invalidation, API versioning, webhook delivery with retry/signature logic, and standardized API response helpers. Also add Swagger UI components, tests for search/cache/versioning, multiple service modules (search.service, cache-service, webhook-delivery, redis client), and update package.json. These changes enable interactive docs, high-volume operations, performant search/caching, reliable webhook delivery, and consistent API responses.
Implement Priority 3 work: update .env.example with production-ready variables; add numerous Priority3 docs and implementation summaries; introduce service initialization and realtime infrastructure (src/lib/init.ts, realtime-publisher, performance-monitor, websocket server, SSE notifications); add Elasticsearch client, recommendation service, and realtime websocket/sse/api routes (ai/recommendations, analytics/performance, sse/notifications, ws, search analytics). Also update search service and Prisma schema, wire service init into layout, and update package.json (dependencies). These changes deliver security, performance and real-time fixes plus deployment/environment guidance for production readiness.
Automated review (GitHub Models): Multiple files related to OpenAPI specifications are now present in the repository, indicating the PR's intent has been implemented. Confidence: 0.9 Evidence:
Introduce an Upstash Redis-backed caching layer and rate limiting, plus related infra and QA updates. Key changes:
- Add Redis client and cache utilities (src/lib/redis-upstash.ts, src/lib/cache.ts) and migrate cache stats to Redis for thread-safety.
- Add rate limiting logic (src/lib/rate-limit.ts) and improve client identification (User-Agent fingerprinting).
- Add monitoring endpoints: /api/health/redis and /api/cache/stats; update multiple API routes to use caching (orders, stores, notifications, products, etc.).
- Add Prisma migration for performance indexes (prisma/migrations/9999_performance_optimization_indexes/migration.sql).
- Migrate Next.js middleware to proxy.ts (renamed from middleware.ts) and remove duplicate security headers; update next.config.ts and package.json to include Upstash dependency.
- Add lint artifacts and adjust ESLint config (coverage ignore + several rule changes); include generated lint reports (lint-errors.json, lint-warning-summary.csv).
- Test and tooling fixes: minor e2e test improvements (landing-page and theme-editor), .gitignore update, and various service/module refinements across src/lib and src/app.

This change aims to improve performance (add caching, reduce DB load), add observability and health checks, harden rate limiting, and apply related code-quality updates.

Improve type safety and error handling in src/lib/search/elasticsearch-client.ts: remove unused imports, replace many any types with unknown/Record types, add EsApiError/EsHitSource/EsSearchHit types, better-handle cluster health and index-exists responses, tighten request/response typings for search, suggestions, multiSearch and analytics, and normalize error handling. Also update lint-errors.json timestamp and condensed rawOutput, and remove certain libc entries from package-lock.json.
Multiple fixes to improve TypeScript typings, runtime safety, and integration behaviors:
- Redis health: simplify Upstash health check (no INFO command) and report provider.
- Type assertions: cast various mocked Redis/Redis clients and responses to avoid TS errors (rate-limit, redis-upstash, facebook order manager, elasticsearch msearch).
- Forms: silence zod resolver type mismatch by casting resolver to any for useForm in product/store forms; adjust zod enums to use `as const`.
- UI safety: guard chart tooltip date formatter and ensure React list keys are strings.
- API & services: avoid spreading undefined in error responses; cast model count to number; add null/undefined defaults for ES hits and recommendation responses (guard missing source, default compareAtPrice/thumbnailUrl/score), and update order status filter to include DELIVERED.
- Cache: add in-memory cache stats, improve hit-rate calculation and logging, and minor Cached typing fix.
- Add typeerrors.txt containing the tsc run lines.

These changes address type-check failures and runtime edge-cases, improving stability and developer ergonomics.

Pull request overview
Adds a large set of agent “skills”/rule documents (Next.js best practices, React/React Native best practices, and composition patterns) intended to guide automated reviews and development workflows.
Changes:
- Introduces multiple new skill docs under `.agent/skills/*` and `.agents/skills/*` (Next.js, React, React Native, composition patterns).
- Adds rule catalogs/templates/sections and READMEs for "vercel-*" skill packs.
- Adds a `web-design-guidelines` skill that fetches external guidelines for UI audits.
Reviewed changes
Copilot reviewed 163 out of 859 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .agents/skills/next-best-practices/route-handlers.md | Adds Next.js route handler guidance (duplicate path vs .agent/). |
| .agents/skills/next-best-practices/hydration-error.md | Adds hydration mismatch troubleshooting notes (duplicate path vs .agent/). |
| .agents/skills/next-best-practices/functions.md | Adds quick reference for Next.js function APIs (duplicate path vs .agent/). |
| .agents/skills/next-best-practices/directives.md | Documents React/Next directives (duplicate path vs .agent/). |
| .agents/skills/next-best-practices/debug-tricks.md | Adds Next.js debugging tips (duplicate path vs .agent/). |
| .agents/skills/next-best-practices/async-patterns.md | Documents async request APIs patterns (duplicate path vs .agent/). |
| .agent/skills/web-design-guidelines/SKILL.md | Adds a skill definition for design/accessibility guideline audits. |
| .agent/skills/vercel-react-native-skills/rules/ui-styling.md | Adds RN styling rule doc. |
| .agent/skills/vercel-react-native-skills/rules/ui-scrollview-content-inset.md | Adds RN ScrollView spacing guidance. |
| .agent/skills/vercel-react-native-skills/rules/ui-safe-area-scroll.md | Adds RN safe area guidance for ScrollView. |
| .agent/skills/vercel-react-native-skills/rules/ui-pressable.md | Adds guidance to prefer Pressable over legacy touchables. |
| .agent/skills/vercel-react-native-skills/rules/ui-native-modals.md | Adds guidance to prefer native modals over JS bottom sheets. |
| .agent/skills/vercel-react-native-skills/rules/ui-measure-views.md | Adds view measurement patterns. |
| .agent/skills/vercel-react-native-skills/rules/ui-image-gallery.md | Adds image gallery/lightbox library guidance. |
| .agent/skills/vercel-react-native-skills/rules/ui-expo-image.md | Adds guidance to use expo-image. |
| .agent/skills/vercel-react-native-skills/rules/state-ground-truth.md | Adds state “ground truth” rule. |
| .agent/skills/vercel-react-native-skills/rules/scroll-position-no-state.md | Adds guidance against tracking scroll position in React state. |
| .agent/skills/vercel-react-native-skills/rules/rendering-text-in-text-component.md | Adds RN rendering crash-prevention rule for strings in View. |
| .agent/skills/vercel-react-native-skills/rules/rendering-no-falsy-and.md | Adds RN rendering crash-prevention rule for falsy && renders. |
| .agent/skills/vercel-react-native-skills/rules/react-state-minimize.md | Adds guidance to minimize redundant state. |
| .agent/skills/vercel-react-native-skills/rules/react-state-fallback.md | Adds guidance for “fallback state” pattern. |
| .agent/skills/vercel-react-native-skills/rules/react-state-dispatcher.md | Adds guidance for functional setState (dispatch updaters). |
| .agent/skills/vercel-react-native-skills/rules/react-compiler-reanimated-shared-values.md | Adds Reanimated shared value access guidance for React Compiler. |
| .agent/skills/vercel-react-native-skills/rules/react-compiler-destructure-functions.md | Adds guidance to destructure hook functions early for React Compiler. |
| .agent/skills/vercel-react-native-skills/rules/monorepo-single-dependency-versions.md | Adds monorepo dependency version consistency guidance. |
| .agent/skills/vercel-react-native-skills/rules/monorepo-native-deps-in-app.md | Adds monorepo native dependency install guidance. |
| .agent/skills/vercel-react-native-skills/rules/list-performance-virtualize.md | Adds virtualized list guidance. |
| .agent/skills/vercel-react-native-skills/rules/list-performance-item-types.md | Adds heterogeneous list item type guidance. |
| .agent/skills/vercel-react-native-skills/rules/list-performance-item-memo.md | Adds list item memoization guidance. |
| .agent/skills/vercel-react-native-skills/rules/list-performance-item-expensive.md | Adds guidance to keep list items lightweight. |
| .agent/skills/vercel-react-native-skills/rules/list-performance-inline-objects.md | Adds guidance to avoid inline objects in renderItem. |
| .agent/skills/vercel-react-native-skills/rules/list-performance-images.md | Adds guidance to use thumbnails/compressed images in lists. |
| .agent/skills/vercel-react-native-skills/rules/list-performance-callbacks.md | Adds callback hoisting guidance (contains an incorrect example). |
| .agent/skills/vercel-react-native-skills/rules/js-hoist-intl.md | Adds guidance to hoist Intl formatter creation. |
| .agent/skills/vercel-react-native-skills/rules/imports-design-system-folder.md | Adds guidance for re-exporting dependencies from a design system folder. |
| .agent/skills/vercel-react-native-skills/rules/fonts-config-plugin.md | Adds guidance to embed fonts via Expo config plugin. |
| .agent/skills/vercel-react-native-skills/rules/design-system-compound-components.md | Adds design system compound component guidance. |
| .agent/skills/vercel-react-native-skills/rules/animation-gpu-properties.md | Adds guidance to animate transform/opacity rather than layout props. |
| .agent/skills/vercel-react-native-skills/rules/animation-gesture-detector-press.md | Adds guidance for gesture-based press animations (contains a problematic example). |
| .agent/skills/vercel-react-native-skills/rules/animation-derived-value.md | Adds guidance to prefer useDerivedValue over useAnimatedReaction. |
| .agent/skills/vercel-react-native-skills/rules/_template.md | Adds rule template for RN skill pack. |
| .agent/skills/vercel-react-native-skills/rules/_sections.md | Adds sections index for RN skill pack. |
| .agent/skills/vercel-react-best-practices/rules/server-serialization.md | Adds RSC serialization minimization guidance. |
| .agent/skills/vercel-react-best-practices/rules/server-parallel-fetching.md | Adds parallel fetching via RSC composition guidance. |
| .agent/skills/vercel-react-best-practices/rules/server-dedup-props.md | Adds guidance about RSC prop serialization deduping by reference. |
| .agent/skills/vercel-react-best-practices/rules/server-cache-react.md | Adds React.cache per-request dedupe guidance. |
| .agent/skills/vercel-react-best-practices/rules/server-cache-lru.md | Adds cross-request LRU caching guidance. |
| .agent/skills/vercel-react-best-practices/rules/server-auth-actions.md | Adds guidance to authenticate Server Actions like API routes. |
| .agent/skills/vercel-react-best-practices/rules/server-after-nonblocking.md | Adds guidance for using after() to avoid blocking responses. |
| .agent/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md | Adds guidance to use refs for transient frequently-changing values. |
| .agent/skills/vercel-react-best-practices/rules/rerender-transitions.md | Adds guidance to use transitions for non-urgent updates. |
| .agent/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md | Adds guidance to not overuse useMemo for simple primitives. |
| .agent/skills/vercel-react-best-practices/rules/rerender-no-inline-components.md | Adds guidance against defining components inside components. |
| .agent/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md | Adds guidance to move interaction effects into handlers. |
| .agent/skills/vercel-react-best-practices/rules/rerender-memo.md | Adds guidance for extracting into memoized components. |
| .agent/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md | Adds guidance for stable default values in memoized components. |
| .agent/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md | Adds guidance for lazy initialization of expensive state. |
| .agent/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md | Adds guidance for functional setState updates. |
| .agent/skills/vercel-react-best-practices/rules/rerender-derived-state.md | Adds guidance to subscribe to derived boolean state. |
| .agent/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md | Adds guidance to compute derived state during render. |
| .agent/skills/vercel-react-best-practices/rules/rerender-dependencies.md | Adds guidance to narrow effect dependencies. |
| .agent/skills/vercel-react-best-practices/rules/rerender-defer-reads.md | Adds guidance to defer state reads to the usage point. |
| .agent/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md | Adds guidance using useTransition for loading state. |
| .agent/skills/vercel-react-best-practices/rules/rendering-svg-precision.md | Adds SVG precision optimization guidance. |
| .agent/skills/vercel-react-best-practices/rules/rendering-script-defer-async.md | Adds script loading performance guidance. |
| .agent/skills/vercel-react-best-practices/rules/rendering-resource-hints.md | Adds resource hint guidance using react-dom APIs. |
| .agent/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md | Adds guidance to suppress expected hydration warnings. |
| .agent/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md | Adds guidance to avoid hydration mismatch flicker. |
| .agent/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md | Adds guidance to hoist static JSX. |
| .agent/skills/vercel-react-best-practices/rules/rendering-content-visibility.md | Adds guidance to use CSS content-visibility for long lists. |
| .agent/skills/vercel-react-best-practices/rules/rendering-conditional-render.md | Adds guidance for safer conditional rendering. |
| .agent/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md | Adds guidance to animate a wrapper rather than the SVG element. |
| .agent/skills/vercel-react-best-practices/rules/rendering-activity.md | Adds guidance suggesting a React <Activity> component (likely invalid). |
| .agent/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md | Adds guidance to prefer toSorted() over sort() for immutability. |
| .agent/skills/vercel-react-best-practices/rules/js-set-map-lookups.md | Adds guidance to use Set/Map for repeated lookups. |
| .agent/skills/vercel-react-best-practices/rules/js-min-max-loop.md | Adds guidance to loop for min/max rather than sort. |
| .agent/skills/vercel-react-best-practices/rules/js-length-check-first.md | Adds guidance to check array length before expensive comparisons. |
| .agent/skills/vercel-react-best-practices/rules/js-index-maps.md | Adds guidance to build index Maps for repeated find() calls. |
| .agent/skills/vercel-react-best-practices/rules/js-hoist-regexp.md | Adds guidance to hoist RegExp creation. |
| .agent/skills/vercel-react-best-practices/rules/js-flatmap-filter.md | Adds guidance to use flatMap to map+filter in one pass. |
| .agent/skills/vercel-react-best-practices/rules/js-early-exit.md | Adds guidance to early-return to avoid extra work. |
| .agent/skills/vercel-react-best-practices/rules/js-combine-iterations.md | Adds guidance to combine multiple array iterations. |
| .agent/skills/vercel-react-best-practices/rules/js-cache-storage.md | Adds guidance to cache storage API reads. |
| .agent/skills/vercel-react-best-practices/rules/js-cache-property-access.md | Adds guidance to cache deep property accesses in loops. |
| .agent/skills/vercel-react-best-practices/rules/js-cache-function-results.md | Adds guidance to cache repeated function results. |
| .agent/skills/vercel-react-best-practices/rules/js-batch-dom-css.md | Adds guidance to avoid layout thrashing in DOM reads/writes. |
| .agent/skills/vercel-react-best-practices/rules/client-swr-dedup.md | Adds guidance to use SWR for deduplication. |
| .agent/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md | Adds guidance to use passive listeners for scrolling performance. |
| .agent/skills/vercel-react-best-practices/rules/client-localstorage-schema.md | Adds guidance to version/minimize localStorage. |
| .agent/skills/vercel-react-best-practices/rules/client-event-listeners.md | Adds guidance to dedupe global event listeners using SWR subscription. |
| .agent/skills/vercel-react-best-practices/rules/bundle-preload.md | Adds guidance to preload bundles based on intent (contains an inaccurate claim). |
| .agent/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md | Adds guidance to lazy-load heavy components with next/dynamic. |
| .agent/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md | Adds guidance to defer non-critical third-party libs. |
| .agent/skills/vercel-react-best-practices/rules/bundle-conditional.md | Adds guidance to conditionally load modules/features. |
| .agent/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md | Adds guidance to avoid barrel imports for performance. |
| .agent/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md | Adds guidance for placement of Suspense for streaming/perf. |
| .agent/skills/vercel-react-best-practices/rules/async-parallel.md | Adds guidance to use Promise.all for independent work. |
| .agent/skills/vercel-react-best-practices/rules/async-dependencies.md | Adds guidance for dependency-based parallelization. |
| .agent/skills/vercel-react-best-practices/rules/async-defer-await.md | Adds guidance to defer awaits until needed. |
| .agent/skills/vercel-react-best-practices/rules/async-api-routes.md | Adds guidance to prevent API/server-action waterfalls. |
| .agent/skills/vercel-react-best-practices/rules/advanced-use-latest.md | Adds guidance using useEffectEvent for stable callback refs. |
| .agent/skills/vercel-react-best-practices/rules/advanced-init-once.md | Adds guidance to initialize app once rather than per mount. |
| .agent/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md | Adds guidance for storing handlers in refs to stabilize subscriptions. |
| .agent/skills/vercel-react-best-practices/rules/_template.md | Adds rule template for React best practices pack. |
| .agent/skills/vercel-react-best-practices/rules/_sections.md | Adds sections index for React best practices pack. |
| .agent/skills/vercel-react-best-practices/README.md | Adds pack README and contribution/build instructions. |
| .agent/skills/vercel-composition-patterns/rules/state-lift-state.md | Adds composition pattern for lifting state into providers. |
| .agent/skills/vercel-composition-patterns/rules/state-decouple-implementation.md | Adds composition pattern for separating state from UI. |
| .agent/skills/vercel-composition-patterns/rules/react19-no-forwardref.md | Adds React 19 API changes guidance. |
| .agent/skills/vercel-composition-patterns/rules/patterns-explicit-variants.md | Adds guidance to create explicit variants rather than boolean props. |
| .agent/skills/vercel-composition-patterns/rules/patterns-children-over-render-props.md | Adds guidance to prefer children composition over render props. |
| .agent/skills/vercel-composition-patterns/rules/architecture-compound-components.md | Adds compound component pattern documentation. |
| .agent/skills/vercel-composition-patterns/rules/architecture-avoid-boolean-props.md | Adds guidance to avoid boolean prop proliferation. |
| .agent/skills/vercel-composition-patterns/rules/_template.md | Adds rule template for composition patterns pack. |
| .agent/skills/vercel-composition-patterns/rules/_sections.md | Adds sections index for composition patterns pack. |
| .agent/skills/vercel-composition-patterns/SKILL.md | Adds skill definition for composition patterns pack. |
| .agent/skills/vercel-composition-patterns/README.md | Adds pack README. |
| .agent/skills/next-best-practices/suspense-boundaries.md | Adds Next.js Suspense boundary guidance for specific hooks. |
| .agent/skills/next-best-practices/scripts.md | Adds Next.js third-party script loading guidance. |
| .agent/skills/next-best-practices/runtime-selection.md | Adds guidance on Node vs Edge runtime selection. |
| .agent/skills/next-best-practices/route-handlers.md | Adds Next.js route handler guidance. |
| .agent/skills/next-best-practices/hydration-error.md | Adds hydration mismatch troubleshooting notes. |
| .agent/skills/next-best-practices/directives.md | Documents React/Next directives. |
| .agent/skills/next-best-practices/debug-tricks.md | Adds Next.js debugging tips. |
| .agent/skills/next-best-practices/async-patterns.md | Documents async request APIs patterns. |
| .adal/skills/vercel-composition-patterns/SKILL.md | Adds a duplicate skill definition under a third directory root. |
Comments suppressed due to low confidence (7)
.agent/skills/next-best-practices/route-handlers.md:1 - The statement “Yes: Can use Node.js APIs” is only true for the Node.js runtime. Route handlers can run on the Edge runtime (via `export const runtime = 'edge'`), where many Node APIs are unavailable. Suggest clarifying this bullet to avoid incorrect assumptions (e.g., “Node.js APIs are available in the Node runtime; Edge runtime has limitations”).
.agent/skills/next-best-practices/route-handlers.md:1 - In Next.js route handlers, `context.params` is typically a plain object (not a Promise). Typing it as `Promise<...>` and awaiting it will confuse consumers and doesn’t match the common `GET(request, { params }: { params: { ... } })` signature. Recommend updating this snippet to use a synchronous `params` object type and remove the `await`.
.agent/skills/next-best-practices/hydration-error.md:1 - This “Good” example isn’t valid as written: hooks are shown outside a component, and required imports aren’t included. Since this is meant to be copy/pastable guidance, wrap the snippet in a component function (and include imports) or explicitly label it as pseudo-code.
.agent/skills/next-best-practices/hydration-error.md:1 - The example JSX is missing its closing tag, which makes it harder to copy/paste and may distract from the point being made. Consider using a complete snippet (e.g., a full `<div ...>...</div>`).
.agent/skills/next-best-practices/directives.md:1 - Next.js feature flags for Cache Components are typically under the `experimental` namespace (e.g., `experimental.cacheComponents`). Consider specifying the exact expected config shape so readers don’t add an invalid top-level key.
.adal/skills/vercel-composition-patterns/SKILL.md:1 - This PR introduces skill packs under three different roots: `.agent/…`, `.agents/…`, and `.adal/…`. If your loader/tooling only scans one of these, skills may be ignored or duplicated. Recommend consolidating to a single canonical directory (and removing duplicates) to avoid runtime/tooling inconsistencies.
.agent/skills/next-best-practices/route-handlers.md:1 - The PR title/metadata suggests “Api specs openapi”, but the actual changes are the addition of agent skill documentation across Next.js/React/React Native. Please update the PR title/description to accurately reflect the scope, or split OpenAPI-related work into a separate PR.
| Use React's `<Activity>` to preserve state/DOM for expensive components that frequently toggle visibility. | ||
|
|
||
| **Usage:** | ||
|
|
This rule references Activity from react, but there isn’t a stable, documented React API component named <Activity> (at least in widely used React releases). This will mislead consumers into using a nonexistent API. Consider rewriting the example using a real pattern (e.g., CSS visibility/display, hidden attribute, or a small wrapper component that toggles visibility without unmounting) and link to official React docs for the recommended approach.
| const onPress = useCallback(() => handlePress(item.id), [handlePress, item.id]) | ||
|
|
||
| return ( | ||
| <LegendList | ||
| renderItem={({ item }) => ( | ||
| <Item key={item.id} item={item} onPress={onPress} /> |
The “Correct” example references item in useCallback but item is only available inside renderItem, so this snippet is not actually valid. It also doesn’t implement the stated goal (a single callback instance at the list root that items call with an identifier). Update the example so the root creates a stable callback like (id) => handlePress(id) and each item calls it with item.id.
| const onPress = useCallback(() => handlePress(item.id), [handlePress, item.id]) | |
| return ( | |
| <LegendList | |
| renderItem={({ item }) => ( | |
| <Item key={item.id} item={item} onPress={onPress} /> | |
| const onItemPress = useCallback( | |
| (id: string) => { | |
| handlePress(id) | |
| }, | |
| [handlePress], | |
| ) | |
| return ( | |
| <LegendList | |
| renderItem={({ item }) => ( | |
| <Item key={item.id} item={item} onPress={onItemPress} /> |
| // Derive visual values from the state | ||
| const animatedStyle = useAnimatedStyle(() => ({ | ||
| transform: [ | ||
| { scale: interpolate(withTiming(pressed.get()), [0, 1], [1, 0.95]) }, |
Using withTiming(...) inside useAnimatedStyle will restart or re-schedule an animation during style evaluation, which can cause jitter and unnecessary work. Since pressed is already being animated via pressed.set(withTiming(...)), the style should typically derive from pressed.get() directly (or use a derived value) and then interpolate that.
| { scale: interpolate(withTiming(pressed.get()), [0, 1], [1, 0.95]) }, | |
| { scale: interpolate(pressed.get(), [0, 1], [1, 0.95]) }, |
| @@ -0,0 +1,87 @@ | |||
| # Async Patterns | |||
This route-handler example repeats the params: Promise<...> pattern. For route handlers, params is generally synchronous; the “async params” discussion is more applicable to App Router pages/layouts props. Consider separating route handler guidance from page/layout guidance, and update this snippet to reflect the standard route handler signature.
| void import('./monaco-editor') | ||
| } |
The note implies the typeof window !== 'undefined' guard affects bundling/SSR output. In most bundlers (including Next.js), a dynamic import() is still statically discovered and chunked; the window check mainly prevents execution on the server. Suggest rewording to avoid claiming it “prevents bundling for SSR,” and instead describe the runtime behavior (or explain when/how Next splits server/client bundles).
@copilot Review this whole PR all the commits and file changes and check all the review comments and apply all the fix by reviewing the whole codebase

@syed-reza98 I've opened a new pull request, #375, to work on those changes. Once the pull request is ready, I'll request review from you.
Co-authored-by: syed-reza98 <71028588+syed-reza98@users.noreply.github.com> Agent-Logs-Url: https://github.com/CodeStorm-Hub/stormcomui/sessions/470e1b2d-dc4f-4ee2-a6d9-5b626fb25ba2
Co-authored-by: syed-reza98 <71028588+syed-reza98@users.noreply.github.com> Agent-Logs-Url: https://github.com/CodeStorm-Hub/stormcomui/sessions/4c5977eb-d06f-4c1d-a90b-c39f45f289e3
Co-authored-by: syed-reza98 <71028588+syed-reza98@users.noreply.github.com> Agent-Logs-Url: https://github.com/CodeStorm-Hub/stormcomui/sessions/1579bb28-102f-4a1a-90f5-d5b74d30fd80
- [x] Inspect CodeQL alert 121 data flow and the affected request construction in `src/lib/integrations/facebook/order-manager.ts`
- [x] Apply a minimal SSRF hardening change so outgoing requests are constrained to approved Meta Graph API origins
- [x] Run targeted validation (type-check or focused checks) to ensure no regressions
- [x] Run automated code review and CodeQL checker, then address any findings
- [x] Summarize the fix and security impact
| } catch { | ||
| throw new MetaOrderError('Malformed API request URL', 'INVALID_URL'); | ||
| } | ||
|
|
Check failure
Code scanning / CodeQL
Server-side request forgery Critical
This autofix suggestion was applied.
Copilot Autofix
AI 3 days ago
General approach: Avoid using raw, unvalidated user input directly inside the URL path that is passed to `fetch`. Instead, validate and normalize `orderId` before interpolating it into the URL, ensuring it matches the expected Meta order ID format and cannot contain path separators or traversal components. Optionally, encode it as a path segment (`encodeURIComponent`) before concatenation.
Best concrete fix in this codebase:
- In `MetaOrderManager.getOrder(orderId: string)`, before building the URL, enforce a strict whitelist of allowed characters/pattern for `orderId`. Meta order IDs are typically numeric strings; if we don’t want to hard-code that assumption, we can still enforce a conservative pattern like `^[A-Za-z0-9_.-]+$`, which disallows `/`, `\`, `%`, and whitespace, and therefore prevents any path or traversal manipulation.
- If the provided `orderId` fails this validation, throw a `MetaOrderError` with an appropriate code (e.g., `'INVALID_ORDER_ID'`) before calling `this.request`.
- Construct the URL using the validated `orderId`, optionally wrapping it with `encodeURIComponent` (not strictly necessary if the regex already forbids reserved characters, but harmless and more robust).
- This change is fully localized to `getOrder` in `src/lib/integrations/facebook/order-manager.ts` and does not alter behavior for valid order IDs.
We don’t need to change `request`’s URL validation or the API route handlers; making `getOrder` reject malformed IDs is enough to cut the taint flow and eliminate the SSRF risk.
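The validate-then-interpolate approach the autofix describes, as an added example that is not the project's code and not the autofix's own diff. It assumes a `GRAPH_API_BASE_URL` value, a hypothetical `InvalidOrderIdError` standing in for the project's `MetaOrderError`, and a `fields` list supplied by the caller. Beyond the autofix text, it also handles the one edge the character allow-list leaves open (an id consisting only of dots, which `encodeURIComponent` does not alter and the URL parser treats as a dot segment) and re-checks the parsed URL against the approved origin and path prefix, so the request target cannot move even if the pattern is later loosened.

```typescript
// Added example (not the project's code). GRAPH_API_BASE_URL is an assumed
// constant standing in for the one in order-manager.ts.
const GRAPH_API_BASE_URL = "https://graph.facebook.com/v19.0";

// Conservative allow-list from the autofix: alphanumerics, "_", ".", "-".
// It excludes "/", "\", "%" and whitespace, but still admits "." and "..",
// which are handled separately below.
const ORDER_ID_PATTERN = /^[A-Za-z0-9_.-]+$/;
const DOT_SEGMENT = /^\.{1,2}$/;

// Hypothetical stand-in for the project's MetaOrderError.
class InvalidOrderIdError extends Error {
  readonly code: string;
  constructor(message: string, code: string) {
    super(message);
    this.name = "InvalidOrderIdError";
    this.code = code;
  }
}

// Strict validation of a caller-supplied order id before it touches a URL.
function isValidOrderId(orderId: unknown): orderId is string {
  return (
    typeof orderId === "string" &&
    orderId.length > 0 &&
    orderId.length <= 64 &&
    ORDER_ID_PATTERN.test(orderId) &&
    !DOT_SEGMENT.test(orderId)
  );
}

// Illustration only: what the URL parser does to a dot-only segment when it
// is interpolated unvalidated. "/v19.0/.." normalises to "/", i.e. the
// request would no longer address an order resource under the version prefix.
function resolvedPathFor(orderId: string): string {
  return new URL(`${GRAPH_API_BASE_URL}/${encodeURIComponent(orderId)}`).pathname;
}

// Build the Graph API order URL. Rejects malformed ids up front, encodes the
// segment, then confirms the parsed result still sits under the approved
// origin and version prefix.
function buildOrderUrl(orderId: string, fields: string[]): string {
  if (!isValidOrderId(orderId)) {
    throw new InvalidOrderIdError("Invalid order ID format", "INVALID_ORDER_ID");
  }
  const params = new URLSearchParams({ fields: fields.join(",") });
  const url = new URL(`${GRAPH_API_BASE_URL}/${encodeURIComponent(orderId)}?${params}`);

  const base = new URL(GRAPH_API_BASE_URL);
  if (url.origin !== base.origin || !url.pathname.startsWith(`${base.pathname}/`)) {
    throw new InvalidOrderIdError("Request escaped approved Graph API path", "INVALID_URL");
  }
  return url.toString();
}
```

The origin and prefix check is deliberately redundant with the regex: it turns the guarantee from "the pattern happens to exclude every dangerous character" into "the final URL is verified to be where we expect", which survives future edits to the pattern.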
| @@ -292,6 +292,15 @@ | ||
| * @returns Complete order details | ||
| */ | ||
| async getOrder(orderId: string): Promise<MetaOrder> { | ||
| // Validate orderId to ensure it cannot manipulate the request path | ||
| // Allow only typical ID characters (alphanumeric, underscore, hyphen, dot) | ||
| const ORDER_ID_PATTERN = /^[A-Za-z0-9_.-]+$/; | ||
| if (!ORDER_ID_PATTERN.test(orderId)) { | ||
| throw new MetaOrderError('Invalid order ID format', 'INVALID_ORDER_ID'); | ||
| } | ||
|
|
||
| const safeOrderId = encodeURIComponent(orderId); | ||
|
|
||
| const params = new URLSearchParams({ | ||
| fields: [ | ||
| 'id', | ||
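Review bot: the pattern on the `const ORDER_ID_PATTERN = /^[A-Za-z0-9_.-]+$/;` line still accepts an `orderId` of `.` or `..`, and the `encodeURIComponent` call below it leaves those unchanged, so the path segment can be normalised away by the URL parser instead of naming an order resource; reject dot-only values explicitly (or, since the autofix notes Meta order IDs are typically numeric, tighten to `/^[0-9]+$/`), and add a unit test asserting `getOrder('..')` rejects with `INVALID_ORDER_ID`.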
| @@ -310,7 +319,7 @@ | ||
| this.addAppSecretProof(params); | ||
|
|
||
| const response = await this.request( | ||
| `${GRAPH_API_BASE_URL}/${orderId}?${params}` | ||
| `${GRAPH_API_BASE_URL}/${safeOrderId}?${params}` | ||
| ); | ||
|
|
||
| return response as MetaOrder; |
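Review bot: the interpolated URL at `${GRAPH_API_BASE_URL}/${safeOrderId}?${params}` is only as safe as the check inside `this.request`; the `catch` shown earlier in this file throws `MetaOrderError('Malformed API request URL', 'INVALID_URL')` on a parse failure, but nothing in this hunk shows the parsed URL's origin being compared with the Graph API origin, which the PR checklist claims is now enforced. Suggest asserting `new URL(url).origin === new URL(GRAPH_API_BASE_URL).origin` (and the `/vX.Y/` path prefix) in `request`, or adding a test that proves it, so the fix does not rest on the regex alone.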
…rgery Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
No description provided.