fix: consolidated triage cleanup — all open findings from PRs #61/62/63/65 + LI-236/322 (#66)

* fix: consolidated triage cleanup — address all open findings from PRs #61/62/63/65

Addresses every actionable bug from 4 stale morning-triage PRs plus 2 critical
visible regressions (LI-236, LI-322). 31 files changed, 0 lint errors, 104/104
tests pass, production build clean.

## Security & server (5)
- next.config.mjs — add Content-Security-Policy header (9 directives: default/
  script/style/img/font/connect/frame-ancestors/base-uri/form-action)
- lib/partnerships.js — add UUID validator + guards on all 5 .or() call sites;
  batch notifyPartner N+1 inserts into single .insert([...]) call
- lib/streaks-advanced.js — delete useStreakFreeze alias (ESLint hooks rule);
  add xp_events-based idempotency for streak-freeze milestone rewards
- lib/email.js — add timeZone: 'UTC' + "(UTC)" suffix to deadline formatting
- app/dashboard/pacts/PactsPageClient.js — defense-in-depth .eq('user_id')
  on pact delete

## Component logic (10)
- components/Sidebar.js — SSR guard on localStorage access
- components/FocusTimer.js — hoist defaultPalette to module scope, drop from
  useMemo deps
- components/Toast.js — use crypto.randomUUID() for toast IDs
- components/PactCard.js — remove `now` var shadow; normalize deadline day
  math to local midnight so "due today" is timezone-stable
- components/TodayBar.js — resolve user IANA timezone and pass to
  checkStreakAtRisk + applyStreakFreeze
- components/ActivityFeed.js — dedup loadMore append via Set of existing IDs
- lib/FocusContext.js — remove redundant useEffect for handleTimerCompleteRef
- app/dashboard/DashboardClient.js — reduce pacts limit from 200 to 50
  (dashboard renders at most 3)
- app/dashboard/DashboardLayout.js — log timezone-sync errors instead of
  swallowing them
- components/DailySummaryCard.{js,module.css} — deleted (dead code replaced
  by TodayBar in dashboard redesign)

## Dark mode & visual regressions (5)
- components/PactCard.module.css — add full dark coverage for base .card,
  :hover, .title/.description/.deadline text, all action buttons, badges
  (fixes LI-322: pact cards rendering as empty dark rectangles)
- components/TaskCard.module.css — wrap bare [data-theme="dark"] selector in
  :global() (was broken in CSS Modules) + add .card/.actions dark overrides
- components/CreatePactModal.module.css — full dark coverage (overlay, modal,
  inputs, buttons, template picker) with glass background
- components/MonthlyCalendar.module.css — replace hardcoded #FFFFFF with
  var(--text-inverse) for dark-mode calendar cells
- components/CompactActivityCard.js — replace inline Framer Motion with
  fadeInUp + cardHover presets from @/lib/animations

## Landing page LI-236 (1)
- components/LandingPageClient.js — fix sections below hero rendering as
  blank dark void. Change initial state of 13 top-level whileInView configs
  from { opacity: 0 } → { opacity: 1 } so content paints on initial load
  even if IntersectionObserver fails to fire. Extract sectionViewport
  (amount: 0.05 + -10% margin) and sectionFadeInSafe constants. Verified
  with DOM inspection: hero/appPreview/featuresDark/howItWorks/ctaFooter
  all render at opacity 1.

## Micro-fixes & accessibility (6)
- components/CreateGroupModal.js — maxLength={100} on group name; replace
  modular-bias `% 36` invite-code generation with rejection sampling
- components/CreateTaskModal.js — aria-label="Task title"
- components/NotificationBell.js — replace 25-frame rAF polling loop with
  single position calc + ResizeObserver; fix pre-existing
  react-hooks/set-state-in-effect on wiggle trigger via rAF defer
- components/CreatePactModal.js — inline whileHover/Tap → buttonHover/
  buttonTap presets
- app/share/streak/page.js — sanitize searchParams (parseInt streak, strip
  <>"'& from name, cap 50 chars); remove unused prop
- tests/landing.spec.js — scope Features/HowItWorks locators to
  nav:not([aria-label="Footer navigation"]) to resolve Playwright strict-
  mode collision with footer nav

## Test updates
- tests/unit/lib/streaks-advanced.test.js — useStreakFreeze → applyStreakFreeze

Closes PRs #61, #62, #63, #65 (all superseded by this consolidated fix set).
Closes Notion LI-236, LI-322, and 18 other verified open findings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: XP system + Groups card sizing + streak RPCs

## XP / Streak fix (root cause: gamification trigger blocked all client writes)

The protect_gamification_cols trigger on profiles was firing for any session
role != service_role — silently overwriting NEW.total_xp := OLD.total_xp and
related gamification columns. Client-side writes were no-op'd. Vayun's profile
was stuck at 930 XP / streak 1 / last_activity_date 2026-04-11 despite logged
xp_events totaling 735.

### Server (applied via migrations)
- Fixed trigger to honor a session-var bypass (`app.skip_gamification_trigger`)
- Updated `award_xp` RPC to set the bypass flag before UPDATE
- Added `update_streak_activity(uuid, int, int, date)` RPC for streak writes
- Added `consume_streak_freeze(uuid, date)` RPC for freeze use (updates
  last_activity_date + cooldown atomically)
- Added `award_streak_freeze(uuid, int, int)` RPC for milestone rewards

### Client
- `lib/FocusContext.js` — award 5 XP on focus session completion (was missing)
- `components/TaskCard.js` — award 8 XP on task -> 'done' (was missing)
- `lib/streaks-advanced.js` — use RPCs instead of direct profiles UPDATE:
  - `updateStreakOnCompletion` → `rpc('update_streak_activity')`
  - `applyStreakFreeze` → `rpc('consume_streak_freeze')` with local today date
  - `awardStreakFreeze` → `rpc('award_streak_freeze')` for milestone rewards
- `lib/gamification.js` — log eventType/xpAmount/userId/pgCode on errors
  (prefix `[awardXP] Failed`) so future silent failures are visible
- Removed unused imports (`formatUTCDate`) and dead code (`isSoundEnabled`
  in FocusContext, `members` prop in TaskCard)

## Groups card sizing fix

The "hello" group with 0/20 tasks done was rendering at 2x width because:
- `GroupsPage.module.css` had `.groupCardHero { grid-column: 1 / -1 }`
- `GroupsPageClient.js` selected hero by `taskCount` (total), not completion

### Changes
- Hero selection now requires >= 5 completed tasks (`tasksDone`), not total
- Hero no longer spans full grid — consistent card sizes across rows
- Hero styling now: accent border-left + layered glow shadow + gradient
  progress fill + "Most Active" lightning-bolt badge (inline SVG)
- Dark-mode override updated to match

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: live XP refresh + confetti z-index

## XP live refresh
`awardXP` now dispatches a `xp-updated` CustomEvent on success. `XPBar` listens
for that event and re-fetches — so the dashboard XP bar updates instantly on
pact/focus/task completion without a page reload. `Sidebar` and `MobileNav`
already listened for this event; they just never got the signal because
FocusContext/TaskCard XP paths had no broadcast. Centralizing the dispatch in
`lib/gamification.js` means every awardXP call everywhere gets live UI.

## Confetti
`useConfetti()` hook was missing `zIndex: 9999` — the other confetti helpers
(fireSideConfetti, fireStars, fireMilestoneConfetti) set it but this one
defaulted to 100, so any overlay/toast above it was hiding the bursts.
Added zIndex: 9999 to `useConfetti`, `fireConfetti`, and
`fireConfettiFromElement` for consistency.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(groups): cap sections to 3 with "Show all" toggle

Matches the dashboard activity pattern — don't scroll forever.

- Each section (Your Groups / Joined Groups) shows top 3 by default
- Sort by tasksDone desc, then memberCount desc (real-activity signal)
- "Show all N groups" / "Show less" toggle reveals the rest inline
- Hero card selection unchanged (requires tasksDone >= 5)
- New .showMoreBtn styled consistent with emptyActionSecondary +
  full dark-mode override

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(groups): cap activity feed on group detail — no endless scroll

ActivityFeed now accepts `disableInfiniteScroll` prop. When true, the
IntersectionObserver-based auto-load is skipped in favor of an explicit
"Show more activity" button below the feed. Group detail page uses this
with `pageSize={5}` so the section doesn't balloon to hundreds of items
as the group gets busy.

Dashboard activity behaviour unchanged (still pageSize=3 with external
"View Older Activity" link to stats).

Also reverted the previous Groups-page pagination — that was a
misinterpretation of the request.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* revert: undo Groups-page pagination (misread request)

Revert the "Show all N groups" toggle on the Groups page — that was a
misinterpretation. The real ask was about the activity feed inside a
group detail page, already addressed in the previous commit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(groups): bounded activity panel with internal infinite scroll

Instead of the manual "Show more" button, the group detail activity
panel is now a fixed-height block (matches the left column) with
infinite scroll inside. Matches the user's mock: one clean, organized
block — scroll through all activities without pushing page content down.

### How it works
- `.activityGrid` changed from `align-items: start` → `stretch`
- New `.activityPanel` wrapper: height: 100%, min-height: 500, max-height: 720
- `.container` (ActivityFeed): `min-height: 0` so flex can shrink
- `.feed`: `flex: 1; min-height: 0; overflow-y: auto;` + overscroll-contain
- IntersectionObserver's scroll root is already the feed ref, so
  loadMore triggers as the user scrolls INSIDE the panel
- Mobile/< 1024px: reverts to `align-items: start` with a smaller max-height

ActivityFeed now uses pageSize={10} (default initial load). The
`disableInfiniteScroll` prop + manual show-more button are left in for
potential reuse (e.g. stats page) but no longer used here.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test(e2e): align auth and landing assertions with current copy

Agent-Logs-Url: https://github.com/vayungodara/lockin/sessions/39b6f264-427a-46ba-b139-a4ebacca14cf

Co-authored-by: vayungodara <187050579+vayungodara@users.noreply.github.com>

* fix: address all Claude + Codex review comments on PR #66

## Critical fixes

### PactCard "Due tomorrow" regression (P0)
`formatDeadline` reverted from local-midnight day math to ms-based
hours-first math. Sub-24h deadlines crossing local midnight now
correctly render "Due in 2 hours" instead of "Due tomorrow" while the
card simultaneously pulses urgencyCritical red.

### Partnership notifications RLS (CRITICAL)
`lib/partnerships.js#notifyPartner` was batch-inserting rows with
`user_id: partnerId` — violated `WITH CHECK(auth.uid() = user_id)` on
every row. Now routes through new `notify_partner` SECURITY DEFINER
RPC that validates the caller is in an accepted partnership with each
recipient before inserting. Preserves the batched write; bypasses RLS
correctly.

### Streak idempotency marker RLS (Codex P1)
`updateStreakOnCompletion` direct insert into `xp_events` was blocked
by RLS (no client INSERT policy). Marker now routes through `awardXP`
→ `award_xp` RPC. The allowlist was extended with a prefix match for
`streak_freeze_milestone_*` event types. `xp_amount=0` so no actual
XP granted — pure idempotency marker.

### share/streak array-param TypeError (P2)
`generateMetadata` crashed on `?name=a&name=b` — arrays don't have
`.replace`. Coerce `searchParams.streak` and `searchParams.name` via
`Array.isArray` check before string operations.

### TaskCard XP farming exploit (Codex P2)
Toggling done → todo → done repeatedly awarded XP every cycle. Added
idempotency guard: `newStatus === 'done' && task.status !== 'done'`.
Also dropped `task.assignee_id` fallback (schema doesn't have that
column — grep confirmed).

### MonthlyCalendar legibility regression (Claude P1)
Reverted `#FFFFFF` → `var(--text-inverse)` on `.level3/.level4`
heatmap cells. In dark mode `--text-inverse` is `#08090D` — black on
medium-dark indigo is illegible. These cells have saturated accent
bgs in BOTH themes, so pure white is correct.

### CSP hardening (Claude P2)
Moved `'unsafe-eval'` behind `NODE_ENV === 'development'` gate.
Added `vercel.live` to script-src/connect-src/frame-src for preview
toolbar. Removed redundant `lh3.googleusercontent.com` (covered by
wildcard).

### Dashboard pacts limit truncation (Codex P2)
Bumped `.limit(50)` back to `.limit(200)` — active pacts could be
pushed out of the window by users with >50 historical
completed/missed pacts, breaking due-today/overdue counts.

### Sidebar localStorage SecurityError (Claude P3)
`getSidebarCollapsed` runs via `useSyncExternalStore`'s getSnapshot
— must be pure. Users with blocked third-party storage would throw
SecurityError before `.getItem` ran, crashing the entire Sidebar
subtree. Wrapped both getter and setter in try/catch.

### FocusContext ref mutation during render (Claude P3)
Restored useEffect pattern for `handleTimerCompleteRef` sync.
Inline render-phase ref writes are unsafe under React 18 concurrent
mode — discarded renders can leave the ref pointing at uncommitted
callbacks.

### NotificationBell dedup + sidebar-aware repositioning (P2 + Nit)
Removed duplicated `reposition` function — reuse `updatePosition`
directly. Added storage-event listener for `sidebar-collapsed` since
the Sidebar is `position: fixed` and ResizeObserver on document.body
never fires on sidebar toggle. Reposition happens 380ms after the
animation completes.

## Cleanup

### LandingPageClient dead motion wrappers (Claude P3)
After the LI-236 fix made 15+ sections start with opacity:1, the
`whileInView` targets were identical no-ops. Converted static section
containers to plain `<div>/<h2>/<p>` elements. Kept `motion.div` only
where real motion (e.g. `whileHover={cardHover}`) remains. Removed
`sectionFadeInSafe`, `sectionViewport`, `smoothTransition`.

### ActivityFeed dead disableInfiniteScroll prop (Claude P3)
Removed the prop + manual "Show more" button ternary since we moved
to "bounded container + internal infinite scroll". Dropped
`.showMoreBtn` CSS block.

## Tests

- Added RPC allowlist helper to supabase-mock (catches missing-RPC
  regressions going forward)
- 3 new tests for streak-freeze milestone idempotency:
  1. Awards on first milestone hit + inserts marker
  2. Skips award on second call (marker exists)
  3. Skips entirely on non-milestone day
- Total: 107/107 passing (was 104)

## Repo sync

Committed `supabase/gamification_hardening_2026_04_13.sql` — source
of truth for all new RPCs (award_xp, update_streak_activity,
consume_streak_freeze, award_streak_freeze, notify_partner) plus the
protect_gamification_columns trigger bypass. Previously applied only
to production via Supabase migrations; now tracked in the repo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: align landing e2e with current copy

Co-authored-by: vayungodara <187050579+vayungodara@users.noreply.github.com>

* fix: address all 5 follow-up review comments on PR #66

Bot reviewers caught issues introduced in the previous fix push.

## CRITICAL — notify_partner status mismatch
The new `notify_partner` RPC validated against `ap.status = 'accepted'`
but `lib/partnerships.js:93` writes `'active'` for accepted requests.
Every partner notification was silently a no-op. Fixed RPC to check
`'active'`. SQL source of truth + production migration both updated.

## HIGH — TaskCard XP recipient broken for group owners
`recipientId = task.owner_id || task.created_by || currentUser?.id`
sent the award to the task owner first, but `award_xp` enforces
`auth.uid() = p_user_id`. When a group owner closed someone else's
task the award was rejected. Award now goes to `currentUser.id`
(the actor who actually completed the work). Semantically more
correct AND it actually succeeds.

## HIGH — Streak idempotency marker permanent
`event_type = streak_freeze_milestone_7` was a global marker, so a
user who broke their streak and rebuilt back to day 7 a month later
would never earn another freeze. Marker now includes the streak's
START date (`streak_freeze_milestone_7_2026-04-08`), so each unique
streak run earns its own freeze. Test updated to match the regex
pattern.

## MEDIUM — award_streak_freeze server-side milestone check
Any authed user could call the RPC directly via the Supabase JS
client to bump their freezes by up to MAX_FREEZES (5). RPC now reads
`profiles.current_streak` server-side and rejects calls when the user
is not on a known milestone (7/14/30/60/90/180/365). Also tightened
`p_amount` to exactly 1.

## MEDIUM — consume_streak_freeze server-side cooldown
The 3-day cooldown was only checked client-side in
`lib/streaks-advanced.js:111-124`. RPC now re-checks
`streak_freeze_last_used` server-side and returns a clear error if
within the cooldown window. Direct API callers can no longer drain
the entire pool in one session.

## Tests
107/107 still passing. Idempotency test updated to match new
date-scoped marker format.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: vayungodara <187050579+vayungodara@users.noreply.github.com>
Co-authored-by: openai-code-agent[bot] <242516109+Codex@users.noreply.github.com>

Author: 4 people

app/dashboard/DashboardClient.js

@@ -83,6 +83,12 @@ export default function DashboardClient({ user }) {
         }
       }
 
+      // Dashboard only renders max 3 pacts, but the full set is used for
+      // due-today/overdue counts in the header. limit=200 gives headroom for
+      // active+historical so active pacts aren't pushed out of the window
+      // when a user has a long tail of completed/missed pacts. Kept
+      // select('*') to avoid drift with schema migrations that add new
+      // columns (e.g. xp_reward, is_recurring).
       const { data, error } = await supabase
         .from('pacts')
         .select('*')

app/dashboard/DashboardLayout.js

@@ -34,7 +34,9 @@ export default function DashboardLayout({ user, children }) {
           .from('profiles')
           .update({ timezone: detected })
           .eq('id', user.id)
-          .then(() => {}); // fire-and-forget
+          .then(({ error }) => {
+            if (error) console.warn('Timezone sync failed:', error.message);
+          });
       }
     } catch {
       // Intl API unavailable — timezone stays as DB default ('UTC')

app/dashboard/groups/GroupsPage.module.css

@@ -87,13 +87,61 @@
   gap: var(--space-4);
 }
 
-/* Hero card — most active group gets visual emphasis */
+/* Hero card — most active group gets visual emphasis without breaking the grid */
 .groupCardHero {
-  grid-column: 1 / -1;
   border-left: 3px solid var(--accent-primary);
+  box-shadow:
+    0 0 0 1px rgba(var(--accent-primary-rgb), 0.2),
+    0 4px 16px rgba(var(--accent-primary-rgb), 0.08);
+}
+
+.groupCardHero:hover {
+  box-shadow:
+    var(--shadow-md),
+    0 0 0 1px var(--accent-primary),
+    0 6px 20px rgba(var(--accent-primary-rgb), 0.14);
+}
+
+.groupCardHero .progressFill {
+  height: 6px;
+  background: linear-gradient(
+    90deg,
+    var(--accent-primary),
+    var(--accent-secondary, var(--accent-primary))
+  );
+}
+
+.groupCardHero .progressBar {
+  height: 6px;
+}
+
+/* "Most Active" celebratory badge — anchors top-right of hero card */
+.heroBadge {
+  position: absolute;
+  top: var(--space-3);
+  right: var(--space-3);
+  display: inline-flex;
+  align-items: center;
+  gap: 4px;
+  padding: 3px var(--space-2);
+  background: var(--accent-glow);
+  color: var(--accent-primary);
+  font-size: 10px;
+  font-weight: 700;
+  letter-spacing: 0.04em;
+  text-transform: uppercase;
+  border-radius: var(--radius-sm);
+  line-height: 1;
+  white-space: nowrap;
+  pointer-events: none;
+}
+
+.heroBadge svg {
+  flex-shrink: 0;
 }
 
 .groupCard {
+  position: relative;
   display: flex;
   flex-direction: column;
   gap: var(--space-3);
@@ -435,7 +483,20 @@
 
 :global([data-theme="dark"]) .groupCardHero {
   border-left-color: var(--accent-primary);
-  box-shadow: var(--shadow-sm), inset 3px 0 12px -4px rgba(var(--accent-primary-rgb), 0.15);
+  box-shadow:
+    0 0 0 1px rgba(var(--accent-primary-rgb), 0.3),
+    0 4px 20px rgba(var(--accent-primary-rgb), 0.18);
+}
+
+:global([data-theme="dark"]) .groupCardHero:hover {
+  box-shadow:
+    var(--shadow-lg),
+    0 0 0 1px var(--accent-primary),
+    0 0 28px rgba(var(--accent-primary-rgb), 0.28);
+}
+
+:global([data-theme="dark"]) .heroBadge {
+  background: rgba(var(--accent-primary-rgb), 0.18);
 }
 
 :global([data-theme="dark"]) .metaDot {

app/dashboard/groups/GroupsPageClient.js

@@ -35,6 +35,14 @@ function GroupCard({ group, isHero = false }) {
 
   return (
     <Link href={`/dashboard/groups/${group.id}`} className={`${styles.groupCard} ${isHero ? styles.groupCardHero : ''}`}>
+      {isHero && (
+        <span className={styles.heroBadge} aria-label="Most active group">
+          <svg width="12" height="12" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
+            <path d="M13 2L4.5 13H11L10 22L18.5 11H12L13 2Z" fill="currentColor" stroke="currentColor" strokeWidth="1.5" strokeLinejoin="round"/>
+          </svg>
+          Most Active
+        </span>
+      )}
       <div className={styles.groupHeader}>
         <div
           className={styles.groupIcon}
@@ -115,10 +123,14 @@ function GroupSections({ groups }) {
   const ownedGroups = groups.filter(g => g.role === 'owner');
   const joinedGroups = groups.filter(g => g.role !== 'owner');
 
-  // Identify the most active group (highest task count) for hero treatment.
-  // Only apply hero when there are 3+ groups to avoid odd layout with 1-2 cards.
+  // Hero: the group with the most COMPLETED tasks (real progress signal).
+  // Require >= 5 completed tasks to avoid celebrating empty groups.
+  // Only apply with 3+ groups to avoid odd layout with 1-2 cards.
   const mostActiveId = groups.length >= 3
-    ? groups.reduce((best, g) => (g.taskCount > (best?.taskCount || 0) ? g : best), null)?.id
+    ? groups.reduce((best, g) => {
+        if ((g.tasksDone || 0) < 5) return best;
+        return (g.tasksDone || 0) > (best?.tasksDone || 0) ? g : best;
+      }, null)?.id
     : null;
 
   return (

app/dashboard/groups/[id]/GroupDetail.module.css

@@ -456,12 +456,35 @@
   display: grid;
   grid-template-columns: 1fr 1.5fr;
   gap: var(--space-4);
-  align-items: start;
+  align-items: stretch;
+}
+
+/* Activity panel matches the left column's height so the whole activity
+   feed lives inside one scrollable block instead of endlessly expanding
+   the page. The nested ActivityFeed's IntersectionObserver already roots
+   on its own feed ref, so infinite scroll happens INSIDE this box. */
+.activityPanel {
+  height: 100%;
+  min-height: 500px;
+  max-height: 720px;
+  display: flex;
+  flex-direction: column;
+}
+
+.activityPanel > * {
+  flex: 1;
+  min-height: 0;
 }
 
 @media (max-width: 1024px) {
   .activityGrid {
     grid-template-columns: 1fr;
+    align-items: start;
+  }
+
+  .activityPanel {
+    height: auto;
+    max-height: 600px;
   }
 }
 

app/dashboard/groups/[id]/GroupDetailClient.js

@@ -434,7 +434,9 @@ export default function GroupDetailClient({ user, group, userRole }) {
               )}
               <GroupStats groupId={group.id} />
             </div>
-            <ActivityFeed groupId={group.id} />
+            <div className={styles.activityPanel}>
+              <ActivityFeed groupId={group.id} pageSize={10} />
+            </div>
           </div>
         </section>
       )}

app/dashboard/pacts/PactsPageClient.js

@@ -66,10 +66,14 @@ export default function PactsPageClient({ user }) {
 
   const handleDeletePact = async (pactId) => {
     try {
+      // Defense-in-depth: RLS already scopes this to the caller, but adding
+      // the explicit user_id filter ensures a hostile/misconfigured policy
+      // can't expand the delete's blast radius beyond the caller's pacts.
       const { error } = await supabase
         .from('pacts')
         .delete()
-        .eq('id', pactId);
+        .eq('id', pactId)
+        .eq('user_id', user.id);
 
       if (error) throw error;
       setPacts(prev => prev.filter(p => p.id !== pactId));

app/share/streak/page.js

@@ -5,9 +5,15 @@ import ShareStreakClient from './ShareStreakClient';
 
 export async function generateMetadata({ searchParams }) {
   const params = await searchParams;
-  const streak = params?.streak || '0';
-  const name = params?.name || 'Someone';
-  
+  // Sanitize untrusted query params to prevent XSS / metadata injection.
+  // searchParams values can be `string | string[] | undefined` when the same
+  // key appears multiple times (e.g. `?name=a&name=b`). Coerce to a single
+  // string before calling `.replace` to avoid a TypeError on arrays.
+  const rawStreak = Array.isArray(params?.streak) ? params.streak[0] : params?.streak;
+  const streak = String(parseInt(rawStreak, 10) || 0);
+  const rawName = Array.isArray(params?.name) ? params.name[0] : params?.name;
+  const name = (rawName || 'Someone').replace(/[<>"'&]/g, '').slice(0, 50);
+
   return {
     title: `${name} is on a ${streak}-day streak! | LockIn`,
     description: `${name} has been crushing their goals with LockIn. Join them!`,
@@ -18,7 +24,7 @@ export async function generateMetadata({ searchParams }) {
   };
 }
 
-export default async function ShareStreakPage({ searchParams }) {
+export default async function ShareStreakPage() {
   const supabase = await createClient();
   const { data: { user } } = await supabase.auth.getUser();
 

components/ActivityFeed.js

@@ -135,7 +135,10 @@ export default function ActivityFeed({ groupId = null, pageSize = DEFAULT_PAGE_S
       const newActivities = result.data || [];
 
       offsetRef.current = currentOffset + newActivities.length;
-      setActivities(prev => [...prev, ...newActivities]);
+      setActivities(prev => {
+        const existingIds = new Set(prev.map(a => a.id));
+        return [...prev, ...newActivities.filter(a => !existingIds.has(a.id))];
+      });
       setHasMore(newActivities.length === pageSize);
     } catch (err) {
       console.error('Error loading more:', err);
@@ -237,7 +240,7 @@ export default function ActivityFeed({ groupId = null, pageSize = DEFAULT_PAGE_S
             <ActivityItem key={activity.id} activity={activity} />
           ))}
 
-          {/* Sentinel element for infinite scroll */}
+          {/* Sentinel element — IntersectionObserver auto-loads more as user scrolls */}
           <div ref={sentinelCallbackRef} className={styles.sentinel}>
             {isLoadingMore && (
               <div className={styles.loadingMore}>

components/ActivityFeed.module.css

@@ -4,6 +4,7 @@
   border-radius: var(--radius-lg);
   display: flex;
   flex-direction: column;
+  min-height: 0;
 }
 
 .header {
@@ -31,6 +32,13 @@
   padding: var(--space-3) var(--space-4);
   display: flex;
   flex-direction: column;
+  /* When the parent constrains height, scroll happens INSIDE the feed
+     — the IntersectionObserver's scroll root is this element, so
+     infinite scroll auto-loads more as the user scrolls here. */
+  flex: 1;
+  min-height: 0;
+  overflow-y: auto;
+  overscroll-behavior: contain;
 }
 
 .loading {