Qoder

[Jackson57279]

Summary by CodeRabbit

• New Features

  • Offline caching, background sync, and push notifications via a service worker.
  • Lazy-loaded heavy UI with skeleton fallbacks and an optimized image component.
  • Critical resource preloading and injected critical CSS for faster first paint.

• Bug Fixes

  • Safer header-based auth, stricter domain validation, improved repo URL parsing, and enhanced text sanitization.

• Documentation

  • Added end-to-end Docker and Kubernetes deployment guide; clarified API server features.

• Chores

  • Added Dockerfiles, docker-compose, Kubernetes manifests, and a comprehensive .dockerignore.
  • Tuned PWA and build configuration for smaller, better-organized assets.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
zapdev	Error			Aug 25, 2025 8:42am

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
20372498	Triggered	Generic High Entropy Secret	72993ac	.env.deployment.template	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[coderabbitai]

Walkthrough

This PR adds Docker/Kubernetes deployment assets, introduces a service worker and PWA configuration, restructures deployment secrets, updates API handlers (auth flow and domain validation), adds several frontend performance optimizations (preloading, critical CSS, lazy loading), adjusts utilities for security/sanitization, and refines documentation and configs.

Changes

Cohort / File(s)	Summary
DevOps & Deployment Dockerfile, Dockerfile.dev, docker-compose.yml, .dockerignore, k8s-deployment.yaml, DEPLOYMENT-DOCKER-K8S.md	Adds production/dev Dockerfiles and compose services, extensive Docker ignore, full Kubernetes manifest (namespace, config, secret, deployment, service, ingress, HPA, PDB), and deployment guide.
API Handlers api/domains.ts, api/success.ts, api/deploy.ts	Domains: separates deployment config vs secrets, adds validation/constants, expands request types, adjusts availability/suggestions, safer platform mapping, 503 handling. Success: switches to Authorization header auth and subscription fetch flow with fallbacks. Deploy: lazy-init deployment manager.
Deployment Library lib/deployment/manager.ts, lib/deployment/types.ts, lib/deployment/vercel.ts	Manager options now include secrets; tokens sourced from secrets; teamId fallback; types updated for non-sensitive config; improved repo URL parsing in Vercel helper.
PWA & Performance public/sw-custom.js, vite.config.ts, src/main.tsx, src/components/ResourcePreloader.tsx, src/components/ui/CriticalCSS.tsx, src/components/ui/HeroImagePreloader.tsx, src/hooks/usePerformanceMonitoring.ts, src/components/PerformanceOptimizer.tsx, src/index.css	Adds custom service worker with multi-cache strategy; VitePWA reconfig (mode-based strategy, caching rules, asset naming/treeshake/chunking); injects preloader and critical CSS at app root; image/font preloads; web vitals hook; removes one preload target; narrows font weights.
UI Lazy/Optimized Components src/components/LazyComponents.tsx, src/components/ui/LazyLoader.tsx, src/components/ui/OptimizedImage.tsx	Introduces lazy-loaded feature components with Suspense wrappers and fallbacks; generic IntersectionObserver-based LazyLoader; optimized Picture-based image component with modern formats and loading states.
Auth UI src/components/auth/EnhancedSignUp.tsx, src/components/auth/PrivacyAwareSignInButton.tsx	Removes onComplete from EnhancedSignUp public API; simplifies consent banner props in sign-in flow.
Security & Sanitization src/utils/security.ts, src/utils/text-sanitizer.ts	Tightens script-tag regex; adds zod-backed validation, limits, malicious patterns, and combined sanitize-and-validate API.
Documentation API-SERVER-README.md	Splits a combined bullet into separate Request Timeout and Graceful Shutdown bullets.
Tooling Config .claude/settings.local.json	Allows Bash(rg:*) in permissions.allow.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant S as /api/success
  participant Auth as Auth Service
  participant Sub as /api/get-subscription

  C->>S: POST with Authorization header
  S->>Auth: verifyAuth(authHeader)
  Auth-->>S: { userId | error }
  alt Auth ok
    S->>Sub: GET (Authorization forwarded)
    alt Subscription ok
      Sub-->>S: { planId, status }
      S-->>C: 200 { success:true, planId, status }
    else Subscription error
      S-->>C: 200 { success:true, message:fallback, planId:"free", status:"none" }
    end
  else Auth missing/invalid
    S-->>C: 401
  end

Loading

sequenceDiagram
  autonumber
  participant U as User
  participant D as /api/domains
  participant M as DeploymentManager
  Note over D: On first request, lazy init manager
  U->>D: POST { action, subdomain, platform, ... }
  D->>D: validateRequestBody + validateSubdomain
  alt invalid body/subdomain
    D-->>U: 400
  else valid
    opt first use
      D->>M: getDeploymentManager(config, secrets)
      M-->>D: instance or error
    end
    alt manager unavailable
      D-->>U: 503
    else proceed
      D-->>U: 200 (availability/suggestions/instructions)
    end
  end

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• Qoder #73 — Prior restructuring of deployment subsystem and secrets; overlaps with manager options and domains handling.
• Fix: Resolve merge conflicts and enhance security #79 — Further changes to deployment and domain parsing/validation; closely aligned with current updates.
• Dev branch #75 — Similar modification to .claude/settings.local.json permissions to allow specific Bash commands.

Suggested labels

scout

Suggested reviewers

• dogesman098

Poem

A rabbit ships with Docker dreams,
K8s clouds and PWA gleams.
Domains now vetted, secrets stowed,
Images swift, with lazy load.
Headers checked, our auth is tight—
I thump the logs: “All green tonight!” 🐇🚀

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch qoder

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[claude]

Claude finished @otdoges's task —— View job

---

PR Review: Qoder - Comprehensive Security & Performance Analysis ✅

I've completed a thorough review of this large PR with 1908 additions across 30 files. Here's my comprehensive analysis:

Review Checklist

• Read and understand the CLAUDE.md repository guidelines
• Review security concerns (GitGuardian flagged hardcoded secret)
• Analyze architectural changes and new components
• Review Docker/Kubernetes deployment configurations
• Check performance optimization implementations
• Evaluate code quality and best practices
• Assess test coverage and security implementations
• Provide comprehensive feedback and recommendations

🔍 Critical Security Issues

1. RESOLVED: GitGuardian Secret Detection (False Positive)

• Location: .env.deployment.template:97-100
• Issue: GitGuardian flagged example API token formats as real secrets
• Analysis: These are commented example formats, not actual secrets
• Verdict: ✅ This is a false positive - the detected "secrets" are example tokens in comments showing the expected format (e.g., # VERCEL_ACCESS_TOKEN=ver_abc123def456...)

2. CRITICAL: Service Worker Syntax Error

• Location: public/sw-custom.js:8-13
• Issue: Duplicate CRITICAL_RESOURCES declaration breaks functionality
• Impact: Service worker registration would fail in production
• Fix Required: Remove duplicate declaration on lines 8-10:

// Remove these lines (8-10):
const CRITICAL_RESOURCES = [
  '/',

🏗️ Architecture & Performance Analysis

✅ Exceptional Security Implementations

1. Input Validation & XSS Protection (src/utils/security.ts)

   • Comprehensive input sanitization with HTML entity encoding
   • Strong XSS pattern detection for titles and responses
   • Proper validation of message lengths and content
   • Memory-efficient rate limiting with cleanup

2. Privacy Consent Management (src/components/PrivacyConsentBanner.tsx)

   • GDPR-compliant consent banner with granular controls
   • Clear privacy notices for different data collection types
   • Proper consent state management and preference persistence

3. Enhanced Security Headers (vite.config.ts:88-100)

   • Smart caching that excludes authenticated requests
   • Proper handling of sensitive headers (Authorization, Set-Cookie)
   • Cache security policies implemented correctly

✅ Outstanding Performance Optimizations

1. Advanced Build Configuration (vite.config.ts:177-223)

   • Excellent chunk splitting strategy for vendor libraries
   • Proper asset organization by type (images, fonts, JS/CSS)
   • Tree shaking optimizations enabled
   • Source maps only in development for security

2. Intelligent Service Worker Strategy (vite.config.ts:51-164)

   • Multi-tier caching strategies (NetworkFirst, CacheFirst, StaleWhileRevalidate)
   • Appropriate cache expiration policies (5min API, 1year fonts)
   • Security-aware caching (excludes sensitive endpoints)

3. Comprehensive Performance Monitoring (src/hooks/usePerformanceMonitoring.ts)

   • Core Web Vitals integration (CLS, FID, FCP, LCP, TTFB)
   • Resource timing analysis for performance bottlenecks
   • Memory usage tracking (Chrome DevTools integration)
   • Component-level performance measurement

✅ Production-Ready Infrastructure

1. Docker Configuration (Dockerfile, docker-compose.yml)

   • Multi-stage builds with Alpine base images (minimal attack surface)
   • Proper security practices (non-root user, read-only filesystem)
   • Health checks and resource limits configured
   • Production-optimized dependency installation

2. Kubernetes Deployment (k8s-deployment.yaml)

   • Comprehensive K8s configuration with proper resource limits
   • Health probes (liveness, readiness, startup) for reliability
   • Security contexts and pod disruption budgets
   • Horizontal autoscaling configuration ready

🧪 Test Coverage Assessment: GOOD

Existing Test Files:

• src/components/__tests__/SubscriptionUpgradeModal.test.tsx ✅ (Complete coverage)
• src/lib/__tests__/ai-production.test.ts ✅
• src/utils/__tests__/security.test.ts ✅
• src/types/__tests__/stripe.test.ts ✅

Missing Test Coverage:

• Privacy consent banner component
• Performance monitoring hooks
• Service worker functionality
• Docker health checks

🚨 Issues to Address

High Priority (Must Fix Before Merge)

1. Service Worker Syntax Error (Critical)
   • File: public/sw-custom.js:8-13
   • Issue: Duplicate CRITICAL_RESOURCES declaration breaks functionality
   • Fix: Remove lines 8-10

Medium Priority (Recommended)

1. Enhanced Test Coverage

   • Add tests for privacy consent component
   • Add integration tests for performance monitoring
   • Add service worker cache testing

2. Documentation Improvements

   • Complete Docker deployment environment variable documentation
   • Add performance monitoring setup guide
   • Document service worker caching strategy

📊 Performance Impact Assessment: POSITIVE

Benefits:

• Lazy loading reduces initial bundle size
• Optimized image components improve load times
• Critical CSS inlining improves FCP
• Smart resource preloading enhances user experience
• Service worker enables offline functionality

Considerations:

• Service worker cache size management (properly implemented with expiration)
• Performance monitoring overhead (well-deferred to avoid startup impact)
• Large vendor chunks (acceptable for the rich feature set)

🔐 Security Assessment: EXCELLENT 🏆

This PR demonstrates exceptional security awareness:

• Input Validation: Comprehensive XSS and injection protection with pattern matching
• Privacy Compliance: GDPR-ready consent management with granular controls
• Rate Limiting: Sophisticated in-memory rate limiting with proper memory management
• Secure Headers: Proper CORS, caching security, and credential handling
• Container Security: Docker best practices with non-root users and read-only filesystems
• Authentication Security: Proper exclusion of sensitive requests from caching

🏆 Overall Assessment: STRONG APPROVE ⭐⭐⭐⭐⭐

This is an exceptionally high-quality PR that significantly enhances:

• ✅ Security posture (comprehensive protection layers)
• ✅ Performance optimization (advanced caching and bundling strategies)
• ✅ Production readiness (Docker/K8s, monitoring, health checks)
• ✅ Privacy compliance (GDPR-ready consent management)
• ✅ Developer experience (comprehensive tooling and documentation)
• ✅ Maintainability (well-structured code with proper separation of concerns)

Required Actions Before Merge:

1. ⚠️ Fix service worker syntax error (critical - 2 minute fix)
2. 🔍 Run bun run lint and bun run build to verify no other issues

Strongly Recommended:

1. 📝 Add integration tests for privacy consent flow
2. 📚 Complete Docker deployment documentation
3. 🎯 Consider adding Cypress E2E tests for critical user flows

Final Verdict: APPROVE with Critical Fix

This PR represents outstanding engineering work with exceptional attention to security, performance, and production readiness. The architectural decisions are sound, the implementation quality is high, and the security measures are comprehensive.

The only blocking issue is the service worker syntax error, which is a simple 2-line fix.

Once that's resolved, this PR is ready for production deployment. Excellent work! 🚀

---

[coderabbitai]

Actionable comments posted: 24

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (17)

src/components/auth/PrivacyAwareSignInButton.tsx (3)

40-78: Respect consent result and add error handling with Sonner toasts

You ignore the hasConsent flag and always open the Clerk modal. That violates consent UX and our toast/error-handling guidelines. Guard on hasConsent, keep the banner open on denial, and wrap openSignIn in try/catch with Sonner feedback.

Apply this diff within the handler:

-  const handlePrivacyConsentComplete = (hasConsent: boolean) => {
-    setShowPrivacyConsent(false);
-    
-    // Open Clerk modal with enhanced styling
-    openSignIn({
-      redirectUrl: forceRedirectUrl,
-      fallbackRedirectUrl: fallbackRedirectUrl,
-      appearance: {
+  const handlePrivacyConsentComplete = (hasConsent: boolean) => {
+    if (!hasConsent) {
+      toast.error('We need your consent to proceed with sign in.');
+      // Keep the consent banner open so the user can reconsider or review details.
+      return;
+    }
+
+    setShowPrivacyConsent(false);
+
+    try {
+      // Open Clerk modal with enhanced styling
+      openSignIn({
+        redirectUrl: forceRedirectUrl,
+        fallbackRedirectUrl: fallbackRedirectUrl,
+        appearance: {
         elements: {
           modalContent: 'bg-gray-900 border border-gray-700',
           modalCloseButton: 'text-gray-400 hover:text-white',
           card: 'bg-gray-900 border border-gray-700',
           formButtonPrimary: 'bg-blue-600 hover:bg-blue-700',
           formFieldInput: 'bg-gray-800 border-gray-600 text-white placeholder:text-gray-400',
           formFieldLabel: 'text-gray-300',
           headerTitle: 'text-white',
           headerSubtitle: 'text-gray-300',
           socialButtonsBlockButton: 'bg-gray-800 border-gray-600 hover:bg-gray-700',
           socialButtonsBlockButtonText: 'text-white',
           dividerText: 'text-gray-400',
           formFieldSuccessText: 'text-green-400',
           formFieldErrorText: 'text-red-400',
           identityPreviewText: 'text-gray-300',
           identityPreviewEditButton: 'text-blue-400 hover:text-blue-300',
           footer: 'bg-gray-800/50',
           footerActionText: 'text-gray-400',
           footerActionLink: 'text-blue-400 hover:text-blue-300'
         },
         variables: {
           colorPrimary: '#3B82F6',
           colorBackground: '#111827',
           colorInputBackground: '#1F2937',
           colorInputText: '#FFFFFF',
           colorText: '#FFFFFF',
           colorTextSecondary: '#D1D5DB'
         }
-      }
-    });
+      }
+      });
+    } catch (err: unknown) {
+      console.error(err);
+      toast.error('Failed to open sign-in. Please try again.');
+    }
   };

Additionally add the Sonner import:

 import PrivacyConsentBanner from '../PrivacyConsentBanner';
+import { toast } from 'sonner';

---

24-29: Default all redirect URLs to /chat to meet auth guideline

Per coding guidelines for auth components, force redirect to /chat after auth unless explicitly overridden. Set safe defaults on props destructuring.

 export function PrivacyAwareSignInButton({
   children,
   mode = 'modal',
-  forceRedirectUrl,
-  fallbackRedirectUrl,
-  signUpForceRedirectUrl,
-  signUpFallbackRedirectUrl,
+  forceRedirectUrl = '/chat',
+  fallbackRedirectUrl = '/chat',
+  signUpForceRedirectUrl = '/chat',
+  signUpFallbackRedirectUrl = '/chat',
 }: PrivacyAwareSignInButtonProps) {

---

103-111: Use a real button for accessibility (keyboard + semantics)

Interactive div harms a11y. Use motion.button with type="button".

-      <motion.div
-        onClick={handleSignInClick}
-        whileHover={{ scale: 1.02 }}
-        whileTap={{ scale: 0.98 }}
-        style={{ cursor: 'pointer' }}
-      >
+      <motion.button
+        type="button"
+        onClick={handleSignInClick}
+        whileHover={{ scale: 1.02 }}
+        whileTap={{ scale: 0.98 }}
+      >
         {children}
-      </motion.div>
+      </motion.button>

src/components/auth/EnhancedSignUp.tsx (2)

23-42: Signup modal may never open (handler never wired) and users with prior consent see a blank screen.

• handlePrivacyComplete (Line 23) is never invoked. The consent step renders <PrivacyConsentStep /> (Line 65) without any completion callback, so Clerk’s sign-up modal is never opened.
• If showConsent is false (e.g., user previously consented), the component returns null (Lines 109-111) and nothing else triggers openSignUp.

Wire the handler and auto-open for previously-consented users:

- import React, { useState } from 'react';
+ import React, { useEffect, useState } from 'react';
@@
   const { openSignUp } = useClerk();
@@
   const handlePrivacyComplete = () => {
     setStep('signup');
     closeConsent();
     // Open Clerk's signup modal after privacy consent
     openSignUp({
       redirectUrl,
       appearance: {
         elements: {
           modalContent: 'bg-gray-900 border border-gray-700',
           modalCloseButton: 'text-gray-400 hover:text-white',
           formButtonPrimary: 'bg-primary hover:bg-primary/90',
           card: 'bg-gray-900 border border-gray-700',
           formFieldInput: 'bg-gray-800 border-gray-600 text-white',
           formFieldLabel: 'text-gray-300',
           headerTitle: 'text-white',
           headerSubtitle: 'text-gray-300'
         }
       }
     });
   };
+
+  // Auto-advance when consent already exists to avoid a blank screen
+  useEffect(() => {
+    if (!showConsent && hasConsent && step === 'privacy') {
+      handlePrivacyComplete();
+    }
+  }, [showConsent, hasConsent, step]);
@@
-        <PrivacyConsentStep />
+        <PrivacyConsentStep onComplete={handlePrivacyComplete} />

If PrivacyConsentStep doesn’t accept onComplete, keep the effect and instead invoke closeConsent() within that step and rely on the effect to open Clerk.

Also applies to: 62-66, 109-111

---

8-13: Handle auth states and redirect to /chat for signed-in users; show loading UI per guidelines.

Per the repo’s auth guidelines and prior learnings, components under auth/** must:

• Redirect authenticated users to /chat.
• Show a loading spinner while auth state is resolving.
• Provide a sign-in path configured with forceRedirectUrl: '/chat'.

Minimal changes:

- import { SignUp, useClerk } from '@clerk/clerk-react';
+ import { useClerk, useAuth, SignInButton } from '@clerk/clerk-react';
@@
-export function EnhancedSignUp({ redirectUrl = '/chat' }: EnhancedSignUpProps) {
+export function EnhancedSignUp({ redirectUrl = '/chat' }: EnhancedSignUpProps) {
   const [step, setStep] = useState<'privacy' | 'signup' | 'welcome'>('privacy');
   const { showConsent, hasConsent, PrivacyConsentStep, closeConsent } = useSignupPrivacyConsent();
   const { openSignUp } = useClerk();
+  const { isLoaded, isSignedIn } = useAuth();
+
+  // Redirect authenticated users to /chat
+  useEffect(() => {
+    if (isLoaded && isSignedIn) {
+      window.location.assign('/chat');
+    }
+  }, [isLoaded, isSignedIn]);
+
+  // Loading state while auth resolves
+  if (!isLoaded) {
+    return (
+      <div className="flex items-center justify-center h-48" role="status" aria-live="polite">
+        <span className="animate-spin inline-block w-6 h-6 border-2 border-white/70 border-t-transparent rounded-full" />
+        <span className="sr-only">Loading</span>
+      </div>
+    );
+  }
@@
-  // Once privacy consent is handled, Clerk modal will handle the rest
+  // Once privacy consent is handled, Clerk modal will handle the rest
   return null;

Optional UI follow-up: in the privacy screen add an “Already have an account?” CTA using <SignInButton forceRedirectUrl="/chat" mode="modal">Sign in</SignInButton> for parity with the guideline.

Also applies to: 18-22, 109-111

src/utils/security.ts (1)

93-105: Harden closing </script> detection and cover iframe srcdoc.

The updated regex misses valid closing tags like </script > (whitespace before >), which can allow a bypass. Also consider blocking iframe srcdoc=, a frequent inline-HTML vector.

Apply this diff to tighten matching and add srcdoc:

-    /<script[^>]*>[\s\S]*?<\/script>/is,
+    /<script[^>]*>[\s\S]*?<\/script\s*>/is,
@@
-    // restrict risky data URI media types commonly used for HTML/script delivery
+    // block iframe inline HTML via srcdoc
+    /\bsrcdoc\s*=/i,
+    // restrict risky data URI media types commonly used for HTML/script delivery

lib/deployment/types.ts (1)

167-195: Sensitive tokens reintroduced into ZapdevDeploymentConfig (violates secrets split).

ZapdevDeploymentConfig currently includes netlify.accessToken and vercel.accessToken (Lines 170–177), while the PR and file comments state tokens must live only in ZapdevDeploymentSecrets. Keeping tokens here risks serialization/logging leaks and contradicts the new architecture.

Apply this diff to remove sensitive fields from ZapdevDeploymentConfig and keep only non-sensitive teamId:

 export interface ZapdevDeploymentConfig {
-  // Include sensitive deployment configuration
-  netlify: {
-    accessToken: string;
-    teamId?: string;
-  };
-  vercel: {
-    accessToken: string;
-    teamId?: string;
-  };
   // Main domain for custom subdomains
   baseDomain: string; // "zapdev.link"
@@
-  // Non-sensitive platform configuration
-  netlify?: {
-    teamId?: string; // Team ID is generally not secret
-    // Note: accessToken must be retrieved from ZapdevDeploymentSecrets
-  };
-  
-  vercel?: {
-    teamId?: string; // Team ID is generally not secret  
-    // Note: accessToken must be retrieved from ZapdevDeploymentSecrets
-  };
+  // Non-sensitive platform configuration (tokens must be retrieved from ZapdevDeploymentSecrets)
+  netlify?: { teamId?: string };
+  vercel?: { teamId?: string };

Follow-up: ensure all code paths source tokens exclusively from ZapdevDeploymentSecrets.

.dockerignore (1)

128-132: Over-broad *.yaml ignore may exclude non-K8s config.

This can hide app configs from the image. Narrow the scope to k8s manifests only and drop no-op exceptions.

-# Kubernetes
-k8s-*.yaml
-*.yaml
-!package.json
-!bun.lock
+# Kubernetes
+# Only ignore k8s manifests, don’t blanket-ignore YAML
+k8s/**/*.yaml

api/success.ts (2)

66-71: authorization referenced outside scope in catch block.

authorization is declared inside the try and used in the catch, causing a compile/runtime error. Hoist it.

-export default async function handler(req: VercelRequest, res: VercelResponse) {
+export default async function handler(req: VercelRequest, res: VercelResponse) {
+  let authorization: string | undefined;
   // CORS headers
@@
-  try {
+  try {
     // Require authentication
-    const rawAuthHeader = Array.isArray(req.headers['authorization'])
+    const rawAuthHeader = Array.isArray(req.headers['authorization'])
       ? req.headers['authorization'][0]
       : req.headers['authorization'];
-    const authorization = typeof rawAuthHeader === 'string' ? rawAuthHeader : undefined;
+    authorization = typeof rawAuthHeader === 'string' ? rawAuthHeader : undefined;
@@
   } catch (error) {
@@
-      hasAuth: !!authorization
+      hasAuth: !!authorization

Also applies to: 19-33

---

57-64: Enforce strict typing of the subscription payload with Zod in api/success.ts

The call to response.json() currently returns an untyped any and bypasses our Zod-based validation guidelines. Since Zod is already declared in your package.json, we should:

• Import z from zod.
• Define a SubscriptionSchema matching the expected shape.
• Treat the raw JSON as unknown, parse it via Zod, and then use the validated planId and status values.

This ensures no implicit any and surfaces schema errors early.

• File: api/success.ts
– Around line 57: replace the direct await response.json() with a two-step parse via Zod.
– Add import { z } from 'zod'; at the top of the file.

Suggested diff:

+ import { z } from 'zod';
  // ...other imports

  // Get subscription status from Polar.sh API
  const response = await fetch(/* ... */);

  if (!response.ok) {
    // existing error handling...
  }

+ // Validate subscription payload
+ const SubscriptionSchema = z.object({
+   planId: z.string().min(1).optional(),
+   status: z.string().min(1).optional(),
+ });
-
- const subscription = await response.json();
+ const subscriptionUnknown: unknown = await response.json();
+ const { planId = 'free', status = 'none' } = SubscriptionSchema.parse(subscriptionUnknown);

  return res.status(200).json({
    success: true,
    message: 'Subscription status synced successfully',
-   planId: subscription.planId || 'free',
-   status: subscription.status || 'none'
+   planId,
+   status
  });

api/deploy.ts (2)

286-299: Critical: Deployment API is unauthenticated and CORS-wide open.

Anyone can deploy/delete/list using your org’s provider tokens. Add authentication/authorization before processing actions. At minimum, enforce a static server-side API key; ideally verify a signed Clerk session and user role.

Apply this minimal guard (API key) near the start of handler:

 export default async function handler(req: VercelRequest, res: VercelResponse) {
   // CORS headers
   res.setHeader('Access-Control-Allow-Origin', '*');
   res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
   res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
 
   if (req.method === 'OPTIONS') {
     return res.status(200).end();
   }
 
+  // Authentication
+  const configuredKey = process.env.DEPLOY_API_KEY;
+  const headerKey =
+    (req.headers['x-api-key'] as string) ||
+    (req.headers.authorization?.startsWith('Bearer ') ? req.headers.authorization.slice(7) : undefined);
+  if (!configuredKey || headerKey !== configuredKey) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+
   if (req.method !== 'POST' && req.method !== 'GET') {
     return res.status(405).json({ error: 'Method not allowed' });
   }

Optional: narrow CORS to your app’s origin(s) and add basic rate limiting to reduce abuse.

---

138-154: Separate DeploymentManager config and secrets per the updated API

The DeploymentManagerOptions interface now requires both a config (of type ZapdevDeploymentConfig) and a distinct secrets object (ZapdevDeploymentSecrets). Currently you’re embedding access tokens directly in your deploymentConfig and not passing a secrets option—this will break the types and diverge from the intended design.

Please update api/deploy.ts (as well as the similar block at lines 160–169) to:

• Declare deploymentConfig using only the public config fields (no tokens).
• Pass the tokens separately in the secrets property when initializing ZapdevDeploymentManager.

Suggested diff:

-// Extended configuration interface that includes runtime secrets
-interface ZapdevDeploymentConfigWithSecrets extends ZapdevDeploymentConfig {
-  netlify: {
-    accessToken: string;
-    teamId?: string;
-  };
-  vercel: {
-    accessToken: string;
-    teamId?: string;
-  };
-}
-
-// Deployment manager configuration (with runtime secrets)
-const deploymentConfig: ZapdevDeploymentConfigWithSecrets = {
+// Deployment manager configuration (no secrets)
+const deploymentConfig: ZapdevDeploymentConfig = {
   baseDomain: 'zapdev.link',
   netlify: {
-    accessToken: validatedEnv.netlifyAccessToken,
     teamId: process.env.NETLIFY_TEAM_ID,
   },
   vercel: {
-    accessToken: validatedEnv.vercelAccessToken,
     teamId: process.env.VERCEL_TEAM_ID,
   },
   defaults: {
     platform: validatedEnv.defaultPlatform,
     buildCommand: process.env.DEFAULT_BUILD_COMMAND || 'npm run build',
     outputDirectory: process.env.DEFAULT_OUTPUT_DIR || 'dist',
     nodeVersion: process.env.DEFAULT_NODE_VERSION || '18.x',
   },
 };
 // Deployment manager will be initialized in the handler
 let deploymentManager: ZapdevDeploymentManager | null = null;
 
 // Helper function to get or initialize deployment manager
 function getDeploymentManager(): ZapdevDeploymentManager {
   if (!deploymentManager) {
     deploymentManager = new ZapdevDeploymentManager({
       config: deploymentConfig,
+      secrets: {
+        netlifyAccessToken: validatedEnv.netlifyAccessToken,
+        vercelAccessToken: validatedEnv.vercelAccessToken,
+      },
       analytics: { track: analytics.track.bind(analytics) },
       logger,
     });
   }
   return deploymentManager;
 }

This change aligns with the DeploymentManagerOptions definition in lib/deployment/manager.ts (which declares both config and secrets) and ensures your tokens are handled correctly.

lib/deployment/manager.ts (1)

410-413: Fix inconsistent type import specifiers for DeploymentStatus

You’re mixing import('./types.js') and import('./types') in the same file for DeploymentStatus. With NodeNext/Bundler resolution this can create two distinct module identities and lead to subtle type incompatibilities. Standardize on one specifier (recommend: ./types.js to match the top-level import).

Apply this diff:

-      status: import('./types.js').DeploymentStatus;
+      status: import('./types.js').DeploymentStatus;
...
-        status: import('./types').DeploymentStatus;
+        status: import('./types.js').DeploymentStatus;

Also applies to: 421-423

api/domains.ts (4)

191-195: Restrict permissive CORS to trusted origins.

Current headers allow any origin to call this endpoint, which is risky given mutating actions exist. Gate responses to an allowlist from environment.

Apply this diff to scope CORS:

-  res.setHeader('Access-Control-Allow-Origin', '*');
-  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+  // Restrict CORS to trusted origins
+  const allowOrigin = (() => {
+    const origin = req.headers.origin as string | undefined;
+    const allowed = (process.env.ALLOWED_ORIGINS || '')
+      .split(',')
+      .map(o => o.trim())
+      .filter(Boolean);
+    return origin && allowed.includes(origin)
+      ? origin
+      : (process.env.DEFAULT_CORS_ORIGIN || 'https://app.zapdev.link');
+  })();
+  res.setHeader('Access-Control-Allow-Origin', allowOrigin);
+  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');

---

237-254: Require authentication and ownership checks for mutating actions (setup/verify).

Unauthenticated “setup” and “verify” let anyone configure/verify subdomains. Add auth and assert the caller owns the target project/site before proceeding.

Apply this minimal guard (replace with your real auth later):

       case 'setup':
         if (!body) {
           return res.status(400).json({ error: 'Setup action requires POST method with body' });
         }
+        if (!req.headers.authorization) {
+          return res.status(401).json({ error: 'Unauthorized' });
+        }
         return await handleSetupDomain(req, res, body);
       
       case 'verify':
         if (!body) {
           return res.status(400).json({ error: 'Verify action requires POST method with body' });
         }
+        if (!req.headers.authorization) {
+          return res.status(401).json({ error: 'Unauthorized' });
+        }
         return await handleVerifyDomain(req, res, body);

Follow-up (non-diff): integrate a proper requireAuth(req) that:

• Validates the bearer/session token.
• Derives userId and enforces ownership of projectId|siteId.
• Logs the auth’d userId in analytics rather than trusting client-provided values.

I can wire this to your existing auth (Clerk/NextAuth/Supabase/etc.) if you share which provider you use.

Also applies to: 256-262

---

437-440: Enforce the “no consecutive hyphens” rule and align the API contract with validation.

Docs say “Cannot contain consecutive hyphens,” but code only warns. Make it a hard validation error to avoid surprises.

Apply these diffs:

 function isValidSubdomain(subdomain: string): boolean {
   if (subdomain.length < SUBDOMAIN_MIN_LENGTH || subdomain.length > SUBDOMAIN_MAX_LENGTH) return false;
-  return SUBDOMAIN_PATTERN.test(subdomain);
+  if (subdomain.includes('--')) return false;
+  return SUBDOMAIN_PATTERN.test(subdomain);
 }

-  if (subdomain.includes('--')) {
-    warnings.push('Consecutive hyphens may cause confusion');
-  }
+  if (subdomain.includes('--')) {
+    errors.push('Subdomain cannot contain consecutive hyphens');
+  }

Optionally, clarify the rules text (no functional change if you prefer warnings — but then update “restrictions” to reflect that).

 function getSubdomainRules() {
-  return {
+  const currentYear = new Date().getFullYear();
+  return {
     minLength: SUBDOMAIN_MIN_LENGTH,
     maxLength: SUBDOMAIN_MAX_LENGTH,
     allowedCharacters: 'letters (a-z), numbers (0-9), and hyphens (-)',
     restrictions: [
-      'Cannot start or end with hyphens',
-      'Cannot contain consecutive hyphens',
+      'Cannot start or end with hyphens',
+      'Cannot contain consecutive hyphens',
       'Cannot use reserved words (api, www, mail, etc.)'
     ],
-    examples: ['myproject', 'awesome-app', 'portfolio2024']
+    examples: ['myproject', 'awesome-app', `portfolio${currentYear}`]
   };
 }

Also applies to: 454-456, 480-491

---

280-283: Avoid leaking internal error messages in 500 responses.

Returning error.message can expose stack details or upstream provider errors. Log the details server-side and return a generic message to clients.

Apply this diff:

   return res.status(500).json({
     error: 'Internal server error',
-    message: error instanceof Error ? error.message : String(error)
+    message: 'An unexpected error occurred.'
   });

♻️ Duplicate comments (3)

src/components/ui/OptimizedImage.tsx (1)

75-81: Make use of the placeholder prop to satisfy ESLint and improve UX

The placeholder prop is currently unused. Use it to style the loading overlay background to avoid unused-var errors and provide a better LQIP.

-        <div 
-          className="absolute inset-0 bg-gray-100 animate-pulse flex items-center justify-center"
-          style={{ width, height }}
+        <div
+          className="absolute inset-0 bg-gray-100 animate-pulse flex items-center justify-center"
+          style={{
+            width,
+            height,
+            backgroundImage: placeholder ? `url(${placeholder})` : undefined,
+            backgroundSize: placeholder ? 'cover' : undefined,
+            backgroundPosition: placeholder ? 'center' : undefined,
+          }}
         >

src/hooks/usePerformanceMonitoring.ts (1)

103-111: Eliminate any by typing performance.memory

Avoid any by defining a compatible type for the non-standard memory API.

-    // Memory usage (Chrome only)
-    if ('memory' in performance) {
-      const memory = (performance as any).memory;
-      perfData.memoryInfo = memory;
+    // Memory usage (Chrome only)
+    type MemoryInfo = { usedJSHeapSize: number; totalJSHeapSize?: number; jsHeapSizeLimit?: number };
+    type PerformanceWithMemory = Performance & { memory?: MemoryInfo };
+    const perfWithMemory = performance as PerformanceWithMemory;
+    if (perfWithMemory.memory) {
+      const memory = perfWithMemory.memory;
+      perfData.memoryInfo = memory;

api/deploy.ts (1)

14-14: Remove unused import to satisfy ESLint.

ZapdevDeploymentSecrets is imported but not used.

Apply this diff:

-  ZapdevDeploymentSecrets,