vayungodara
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 30 additions & 2 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 30 additions & 2 deletions
diff --git a/‎app/api/cron/check-streak-breaks/route.js‎
Lines changed: 23 additions & 20 deletions b/‎app/api/cron/check-streak-breaks/route.js‎
Lines changed: 23 additions & 20 deletions
diff --git a/‎app/api/cron/check-streak-risk/route.js‎
Lines changed: 4 additions & 6 deletions b/‎app/api/cron/check-streak-risk/route.js‎
Lines changed: 4 additions & 6 deletions
diff --git a/‎app/api/cron/cleanup/route.js‎
Lines changed: 15 additions & 12 deletions b/‎app/api/cron/cleanup/route.js‎
Lines changed: 15 additions & 12 deletions
diff --git a/‎app/api/cron/send-reminders/route.js‎
Lines changed: 4 additions & 7 deletions b/‎app/api/cron/send-reminders/route.js‎
Lines changed: 4 additions & 7 deletions
diff --git a/‎app/auth/callback/route.js‎
Lines changed: 11 additions & 13 deletions b/‎app/auth/callback/route.js‎
Lines changed: 11 additions & 13 deletions
diff --git a/‎app/globals.css‎
Lines changed: 21 additions & 33 deletions b/‎app/globals.css‎
Lines changed: 21 additions & 33 deletions
@@ -26,10 +26,26 @@ jobs:
 
       - run: npm run lint
 
+  unit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+
+      - run: npm ci
+
+      - run: npx vitest run
+
   e2e:
     runs-on: ubuntu-latest
     needs: build-and-lint
     env:
+      # Supabase public vars are needed at build time and for the running server.
+      # These are safe to expose as NEXT_PUBLIC_* — they are the anon (read-only) key.
       NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
       NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
     steps:
@@ -42,6 +58,18 @@ jobs:
 
       - run: npm ci
 
-      - run: npx playwright install --with-deps chromium
+      # Build the production bundle in this job so we can serve it with
+      # `next start` instead of `next dev`. The dev compiler is unreliable
+      # in CI (cold start can exceed the webServer timeout) and makes tests
+      # non-deterministic. The production server starts in ~2 s.
+      - name: Build
+        run: npx next build
+        env:
+          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
+          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
+
+      - name: Install Playwright browsers
+        run: npx playwright install --with-deps chromium
 
-      - run: npm run test:e2e
+      - name: Run e2e tests
+        run: npm run test:e2e
@@ -1,5 +1,6 @@
 import { createClient } from '@supabase/supabase-js';
-import { createNotification, NOTIFICATION_TYPES } from '@/lib/notifications';
+import { NOTIFICATION_TYPES } from '@/lib/notifications';
+import { verifyCronSecret } from '@/lib/cronAuth';
 
 function getSupabaseClient() {
   return createClient(
@@ -9,12 +10,9 @@ function getSupabaseClient() {
 }
 
 export async function GET(request) {
-  const authHeader = request.headers.get('authorization');
-  const cronSecret = process.env.CRON_SECRET;
-
-  if (!cronSecret || authHeader !== `Bearer ${cronSecret}`) {
-    return Response.json({ error: 'Unauthorized' }, { status: 401 });
-  }
+  // Verify the request is from Vercel Cron using timing-safe comparison
+  const { authorized, response } = verifyCronSecret(request);
+  if (!authorized) return response;
 
   const supabase = getSupabaseClient();
 
@@ -55,17 +53,14 @@ export async function GET(request) {
       .select('user_id, group_id')
       .in('user_id', profileIds);
 
-    // Send notifications and activity logs (still per-user for custom messages)
-    const notificationPromises = profiles.map(profile =>
-      createNotification(
-        supabase,
-        profile.id,
-        NOTIFICATION_TYPES.STREAK_BROKEN,
-        'Streak Broken',
-        `Your ${profile.current_streak}-day streak has ended. Start a new one today!`,
-        { brokenStreak: profile.current_streak }
-      ).catch(err => console.error(`Notification error for ${profile.id}:`, err))
-    );
+    // Batch insert all notifications in a single DB round-trip
+    const notifications = profiles.map(profile => ({
+      user_id: profile.id,
+      type: NOTIFICATION_TYPES.STREAK_BROKEN,
+      title: 'Streak Broken',
+      message: `Your ${profile.current_streak}-day streak has ended. Start a new one today!`,
+      metadata: { brokenStreak: profile.current_streak },
+    }));
 
     // Build activity log entries in bulk
     const activityEntries = [];
@@ -81,11 +76,19 @@ export async function GET(request) {
       }
     }
 
+    const notificationPromise = notifications.length > 0
+      ? supabase.from('notifications').insert(notifications).then(({ error: notifError }) => {
+          if (notifError) console.error('Batch notification error:', notifError);
+        })
+      : Promise.resolve();
+
     const activityPromise = activityEntries.length > 0
-      ? supabase.from('activity_log').insert(activityEntries)
+      ? supabase.from('activity_log').insert(activityEntries).then(({ error: actError }) => {
+          if (actError) console.error('Batch activity log error:', actError);
+        })
       : Promise.resolve();
 
-    await Promise.all([...notificationPromises, activityPromise]);
+    await Promise.all([notificationPromise, activityPromise]);
 
     const broken = profiles.length;
 
 
@@ -1,5 +1,6 @@
 import { createClient } from '@supabase/supabase-js';
 import { NOTIFICATION_TYPES } from '@/lib/notifications';
+import { verifyCronSecret } from '@/lib/cronAuth';
 
 function getSupabaseClient() {
   return createClient(
@@ -9,12 +10,9 @@ function getSupabaseClient() {
 }
 
 export async function GET(request) {
-  const authHeader = request.headers.get('authorization');
-  const cronSecret = process.env.CRON_SECRET;
-
-  if (!cronSecret || authHeader !== `Bearer ${cronSecret}`) {
-    return Response.json({ error: 'Unauthorized' }, { status: 401 });
-  }
+  // Verify the request is from Vercel Cron using timing-safe comparison
+  const { authorized, response } = verifyCronSecret(request);
+  if (!authorized) return response;
 
   const supabase = getSupabaseClient();
 
 
@@ -1,4 +1,5 @@
 import { createClient } from '@supabase/supabase-js';
+import { verifyCronSecret } from '@/lib/cronAuth';
 
 function getSupabaseClient() {
   return createClient(
@@ -8,12 +9,9 @@ function getSupabaseClient() {
 }
 
 export async function GET(request) {
-  const authHeader = request.headers.get('authorization');
-  const cronSecret = process.env.CRON_SECRET;
-
-  if (!cronSecret || authHeader !== `Bearer ${cronSecret}`) {
-    return Response.json({ error: 'Unauthorized' }, { status: 401 });
-  }
+  // Verify the request is from Vercel Cron using timing-safe comparison
+  const { authorized, response } = verifyCronSecret(request);
+  if (!authorized) return response;
 
   const supabase = getSupabaseClient();
   const results = { overduePacts: 0, orphanedSessions: 0, errors: [] };
@@ -46,13 +44,18 @@ export async function GET(request) {
     if (fetchError) throw fetchError;
 
     if (orphaned && orphaned.length > 0) {
-      // Batch upsert: compute ended_at for each session, then write all at once
-      const updates = orphaned.map(session => ({
-        id: session.id,
-        ended_at: new Date(
+      // Batch upsert: compute ended_at for each session, capped at expected end time.
+      // Abandoned sessions should not inflate duration beyond what was configured.
+      const now = new Date();
+      const updates = orphaned.map(session => {
+        const expectedEnd = new Date(
           new Date(session.started_at).getTime() + session.duration_minutes * 60 * 1000
-        ).toISOString(),
-      }));
+        );
+        return {
+          id: session.id,
+          ended_at: new Date(Math.min(now.getTime(), expectedEnd.getTime())).toISOString(),
+        };
+      });
 
       const { error: upsertError } = await supabase
         .from('focus_sessions')
 
@@ -1,5 +1,6 @@
 import { createClient } from '@supabase/supabase-js';
 import { sendReminderEmail } from '@/lib/email';
+import { verifyCronSecret } from '@/lib/cronAuth';
 
 // Create Supabase client with service role (lazy-loaded)
 function getSupabaseClient() {
@@ -10,13 +11,9 @@ function getSupabaseClient() {
 }
 
 export async function GET(request) {
-  // Verify the request is from Vercel Cron or has correct secret
-  const authHeader = request.headers.get('authorization');
-  const cronSecret = process.env.CRON_SECRET;
-
-  if (!cronSecret || authHeader !== `Bearer ${cronSecret}`) {
-    return Response.json({ error: 'Unauthorized' }, { status: 401 });
-  }
+  // Verify the request is from Vercel Cron using timing-safe comparison
+  const { authorized, response } = verifyCronSecret(request);
+  if (!authorized) return response;
 
   const supabase = getSupabaseClient();
 
 
@@ -6,7 +6,13 @@ export async function GET(request) {
   const { searchParams, origin } = new URL(request.url)
   const code = searchParams.get('code')
   // Validate redirect path to prevent open redirect attacks
+  // Only allow relative paths starting with "/" -- reject absolute URLs,
+  // protocol-relative URLs (//evil.com), and anything else an attacker
+  // could use to redirect to an external domain.
   let next = searchParams.get('next') ?? '/dashboard'
+  if (typeof next !== 'string' || !next.startsWith('/') || next.startsWith('//')) {
+    next = '/dashboard'
+  }
   try {
     const resolvedUrl = new URL(next, origin)
     if (resolvedUrl.origin !== origin) {
@@ -45,19 +51,11 @@ export async function GET(request) {
     const { error } = await supabase.auth.exchangeCodeForSession(code)
 
     if (!error) {
-      const forwardedHost = request.headers.get('x-forwarded-host')
-      const isLocalEnv = process.env.NODE_ENV === 'development'
-      
-      let redirectUrl
-      if (isLocalEnv) {
-        redirectUrl = `${origin}${next}`
-      } else if (forwardedHost) {
-        redirectUrl = `https://${forwardedHost}${next}`
-      } else {
-        redirectUrl = `${origin}${next}`
-      }
-
-      return NextResponse.redirect(redirectUrl)
+      // Use origin from the request URL (safe, server-controlled) or
+      // NEXT_PUBLIC_APP_URL as a fallback. Never use x-forwarded-host
+      // because it is a user-controlled header that enables open redirects.
+      const appOrigin = process.env.NEXT_PUBLIC_APP_URL || origin
+      return NextResponse.redirect(`${appOrigin}${next}`)
     } else {
       console.error('Auth callback error:', error.message)
     }
 
@@ -9,8 +9,8 @@
   /* === LIGHT MODE — "Luminous" === */
 
   /* Background colors — warm off-whites with violet undertone */
-  --bg-primary: #FAFAFF;
-  --bg-secondary: #F5F4FF;
+  --bg-primary: #FAFAFA;
+  --bg-secondary: #F5F5F5;
   --bg-tertiary: #EEEDF6;
   --bg-elevated: #FFFFFF;
   --bg-hover: #ECEAFF;
@@ -30,22 +30,22 @@
   --text-inverse: #FFFFFF;
 
   /* Gradient Accents — clean 2-stop indigo family */
-  --gradient-primary: linear-gradient(135deg, #4338CA 0%, #5B5EF5 100%);
+  --gradient-primary: linear-gradient(150deg, #4338CA 0%, #6366F1 100%);
   --gradient-secondary: linear-gradient(135deg, #3730A3 0%, #4F46E5 100%);
-  --gradient-success: linear-gradient(135deg, #0DBF73 0%, #2DDFAC 100%);
+  --gradient-success: linear-gradient(90deg, #0DBF73 0%, #2DDFAC 100%);
   --gradient-warm: linear-gradient(135deg, #F5A623 0%, #FF6B35 100%);
-  --gradient-celebration: linear-gradient(135deg, #E8A217 0%, #FFD700 100%);
-  --gradient-subtle: linear-gradient(135deg, rgba(var(--accent-primary-rgb), 0.1) 0%, rgba(var(--accent-primary-rgb), 0.04) 100%);
+  --gradient-celebration: radial-gradient(circle at 30% 50%, #E8A217 0%, #FFD700 100%);
+  --gradient-subtle: linear-gradient(180deg, rgba(var(--accent-primary-rgb), 0.1) 0%, rgba(var(--accent-primary-rgb), 0.04) 100%);
   --gradient-glow: linear-gradient(135deg, rgba(var(--accent-primary-rgb), 0.22) 0%, rgba(var(--accent-primary-rgb), 0.10) 100%);
 
   /* Solid accent colors */
-  --accent-primary: #5B5EF5;
+  --accent-primary: #6366F1;
   --accent-primary-hover: #4745E0;
   --accent-secondary: #7C4DFF;
   --accent-tertiary: #E040CB;
   --accent-text: #5B5EF5;
   --accent-glow: rgba(var(--accent-primary-rgb), 0.18);
-  --accent-primary-rgb: 91, 94, 245;
+  --accent-primary-rgb: 99, 102, 241;
   --accent-tertiary-rgb: 224, 64, 203;
   --accent-celebration: #F5A623;
   --accent-celebration-rgb: 245, 166, 35;
@@ -138,10 +138,10 @@
   --space-32: 8rem;     /* 128px */
 
   /* Border radius — rounded interactive, structured containers */
-  --radius-sm: 0.5rem;      /* 8px */
-  --radius-md: 0.625rem;    /* 10px */
-  --radius-lg: 0.875rem;    /* 14px */
-  --radius-xl: 1.125rem;    /* 18px */
+  --radius-sm: 0.375rem;     /* 6px */
+  --radius-md: 0.5rem;       /* 8px */
+  --radius-lg: 0.75rem;      /* 12px */
+  --radius-xl: 1rem;         /* 16px */
   --radius-2xl: 1.375rem;   /* 22px */
   --radius-3xl: 1.75rem;    /* 28px */
   --radius-full: 9999px;
@@ -215,7 +215,7 @@
   --info-glow: rgba(110, 168, 254, 0.35);
 
   /* Borders — soft card edges */
-  --border-subtle: rgba(255, 255, 255, 0.06);
+  --border-subtle: rgba(255, 255, 255, 0.04);
   --border-default: rgba(255, 255, 255, 0.09);
   --border-strong: rgba(255, 255, 255, 0.14);
   --border-focus: rgba(var(--accent-primary-rgb), 0.6);
@@ -286,35 +286,23 @@ body::before {
   width: 100%;
   height: 100%;
   background:
-    radial-gradient(ellipse 80% 50% at 50% -20%, rgba(var(--accent-primary-rgb), 0.10), transparent),
-    radial-gradient(ellipse 50% 40% at 100% 0%, rgba(var(--accent-tertiary-rgb), 0.07), transparent),
-    radial-gradient(ellipse 40% 30% at 0% 80%, rgba(var(--accent-celebration-rgb), 0.04), transparent);
+    radial-gradient(ellipse 80% 50% at 50% -20%, rgba(var(--accent-primary-rgb), 0.04), transparent),
+    radial-gradient(ellipse 50% 40% at 100% 0%, rgba(var(--accent-tertiary-rgb), 0.03), transparent),
+    radial-gradient(ellipse 40% 30% at 0% 80%, rgba(var(--accent-celebration-rgb), 0.02), transparent);
   z-index: -1;
   pointer-events: none;
   transition: opacity var(--transition-slow);
 }
 
 [data-theme="dark"] body::before {
   background:
-    radial-gradient(ellipse 80% 50% at 50% -20%, rgba(var(--accent-primary-rgb), 0.18), transparent),
-    radial-gradient(ellipse 50% 40% at 100% 0%, rgba(var(--accent-tertiary-rgb), 0.12), transparent),
-    radial-gradient(ellipse 40% 30% at 0% 80%, rgba(var(--accent-celebration-rgb), 0.06), transparent);
+    radial-gradient(ellipse 80% 50% at 50% -20%, rgba(var(--accent-primary-rgb), 0.08), transparent),
+    radial-gradient(ellipse 50% 40% at 100% 0%, rgba(var(--accent-tertiary-rgb), 0.05), transparent),
+    radial-gradient(ellipse 40% 30% at 0% 80%, rgba(var(--accent-celebration-rgb), 0.03), transparent);
 }
 
 /* body::before dark fallback also handled by data-theme attribute */
 
-/* SVG noise texture — organic depth (Linear/Raycast/Craft style) */
-body::after {
-  content: '';
-  position: fixed;
-  inset: 0;
-  z-index: 9999;
-  pointer-events: none;
-  opacity: 0.03;
-  background-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='300' height='300'%3E%3Cfilter id='n'%3E%3CfeTurbulence type='fractalNoise' baseFrequency='0.75' numOctaves='4' stitchTiles='stitch'/%3E%3C/filter%3E%3Crect width='100%25' height='100%25' filter='url(%23n)'/%3E%3C/svg%3E");
-  background-repeat: repeat;
-  background-size: 300px 300px;
-}
 
 /* === MODAL BLUR EFFECT ===
    When a modal is open, blur the dashboard content behind it.
@@ -451,12 +439,12 @@ p {
   background: var(--gradient-primary);
   color: white;
   border: none;
-  box-shadow: var(--shadow-md), 0 0 20px rgba(var(--accent-primary-rgb), 0.2);
+  box-shadow: var(--shadow-md), 0 0 12px rgba(var(--accent-primary-rgb), 0.12);
 }
 
 .btn-primary:hover {
   transform: translateY(-2px);
-  box-shadow: var(--shadow-lg), 0 0 35px rgba(var(--accent-primary-rgb), 0.35);
+  box-shadow: var(--shadow-lg), 0 0 20px rgba(var(--accent-primary-rgb), 0.2);
   filter: brightness(1.05);
 }