1

[sam27peter]

Summary by CodeRabbit

• New Features

  • Full web app UI: dashboard, signup/login, welcome flow, period tracker, SOS/emergency flow, pad requests, nearby requests, community helpers, and sisterhood posts (likes/comments/anonymous)
  • Client-side auth with unique access codes and simulated real-time emergency notifications

• Documentation

  • Extensive API, installation, deployment, features, integration, and deployment-button guides; README overhaul

• Chores

  • Project setup and tooling added (package/config, ignore rules, build/dev settings)

[coderabbitai]

📝 Walkthrough

Walkthrough

A full-stack "SHE WANTS" application is added: React frontend components and pages (auth, dashboard, period tracker, SOS, pad requests, sisterhood), client-side auth/emergency modules, an Express API with SQLite schema and endpoints, build/config files (Vite, ESLint, package.json, vercel.json), and extensive documentation and deployment guides.

Changes

Cohort / File(s)	Summary
Project config & tooling package.json, vite.config.js, eslint.config.js, vercel.json	Adds project manifest, Vite config with /api proxy, ESLint config, and Vercel deployment settings.
Global docs & deployment guides README.md, .gitignore, REQUIREMENTS.md, INSTALLATION.md, DEPLOYMENT.md, DEPLOY_BUTTON.md, DEPLOY_EASY.md, DEPLOY_NOW.md	Large set of new/updated documentation for project overview, installation, requirements, and multiple deployment workflows.
API & feature docs API_DOCUMENTATION.md, FEATURES.md, GOOGLE_MAPS_INTEGRATION.md, SISTERHOOD_CHATS.md	Adds comprehensive API reference, feature descriptions, Google Maps integration details, and sisterhood chats spec.
Backend server & DB server/index.js, server/database.js	New Express server implementing auth, cycles, pad requests, helpers, posts, comments, likes, and SQLite DB initialization with eight tables.
React app entry & config src/main.jsx, src/App.jsx, src/config/api.js, src/index.css, src/App.css	App bootstrap, top-level App component with locked/unlocked flow, axios instance using VITE_API_URL, and global styling/design tokens.
React components src/components/... src/components/Auth.jsx, Dashboard.jsx, Calculator.jsx, PeriodTracker.jsx, PadRequest.jsx, NearbyRequests.jsx, SOS.jsx, CommunitySupport.jsx, SisterhoodChats.jsx, Calculator.css	New component suite implementing authentication UI, calculator unlock, period tracking with predictions, pad request creation, nearby request discovery + map integration, SOS, helper registration/management, and threaded sisterhood posts (likes/comments).
Client-side JS modules & static pages js/auth.js, js/emergency.js, index.html, login.html, signup.html, welcome.html, dashboard.html, period-tracker.html, chat-support.html, emergency-support.html, debug.html, sample.html, she_wants_full_app.html	Adds localStorage-backed Auth module, BroadcastChannel-based Emergency module, multiple static/demo HTML pages and single-file app examples demonstrating flows and fallback UIs.
Build / app assets .gitignore, vercel.json, vite.config.js (already listed)	Ignore rules, Vercel environment defaults, and Vite build/dev configuration. (Grouped to reduce redundancy.)

Sequence Diagrams

sequenceDiagram
    participant User
    participant Client as Frontend (React / Browser)
    participant Server as Express API
    participant Database as SQLite
    participant Channel as BroadcastChannel

    User->>Client: Press SOS / Request Pads
    Client->>Client: Obtain geolocation (or fallback)
    Client->>Server: POST /api/pad-request or /api/sos (userId, location)
    Server->>Database: INSERT pad_request / sos_record
    Database-->>Server: Confirmation
    Server-->>Client: 201 Created (request id)
    Client->>Channel: Broadcast HELP_REQUEST (id, user, location)
    Note over Client,Channel: Other tabs/clients receive via BroadcastChannel
    Client->>User: UI shows searching / nearby helpers
    HelperUser->>Client: Accepts request (via UI)
    Client->>Server: POST /api/pad-request/fulfill (requestId, helper)
    Server->>Database: Update request status -> fulfilled
    Database-->>Server: Updated
    Server-->>Client: Success
    Client->>Channel: Broadcast HELP_RESPONSE (requestId, helper)
    Client->>User: Open Google Maps directions (origin -> destination)

Loading

sequenceDiagram
    participant Visitor
    participant Calculator as Calculator Component
    participant AuthComp as Auth Component / API
    participant Server as Express API / LocalStorage

    Visitor->>Calculator: Enters code and presses '='
    Calculator->>AuthComp: validate code (local or via user.secret_code)
    alt local code (1234=)
        AuthComp-->>Calculator: unlock success
    else user secret code
        AuthComp->>Server: (if API) authenticate or compare
        Server-->>AuthComp: user data / verification
        AuthComp-->>Calculator: success / failure
    end
    Calculator-->>Visitor: Navigate to Dashboard on success

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Poem

🐇🌸 I hop with joy — new features bloom today,
Alerts on the breeze, helpers find their way,
Cycles logged, sisterhood in gentle light,
SOS pulses, maps guiding through the night,
From my warren I cheer: She Wants takes flight!

🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The pull request title '1' is vague and generic, providing no meaningful information about the changeset. It does not describe any aspect of the substantial changes made.	Replace the title with a clear, concise description of the main change. For example: 'Add complete app implementation with authentication, period tracker, and community features' or 'Initialize full-stack React and Express application with database schema'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 9

Note

Due to the large number of review comments, Critical severity comments were prioritized as inline comments.

🤖 Fix all issues with AI agents

In `@emergency-support.html`:
- Around line 226-238: The addHelper function currently uses innerHTML with
unsanitized helper.name and helper.dist and embeds helper.name into an inline
onclick string, enabling XSS; change addHelper to build DOM nodes with
createElement and textContent (e.g., create div.helper-info, strong, span, and
button elements), set the text via textContent for helper.name and helper.dist,
and attach the click behavior to the button using addEventListener (or pass the
helper identifier via a data- attribute) instead of an inline onclick that
interpolates raw values; update references to helper-item, connect-btn, and
connectToHelper accordingly so no user-controlled string is injected into HTML
or event handler attributes.

In `@INSTALLATION.md`:
- Around line 329-339: The documentation incorrectly claims passwords are hashed
with bcrypt; update the INSTALLATION.md security section to remove or negate the
"Currently uses bcrypt (already implemented)" statement and instead state
clearly that password hashing is NOT implemented and must be added before
production (e.g., implement bcrypt/argon2 in the signup handler that currently
has the comment "In a real app, hash password here!" in server/index.js), while
keeping the SQL parameterized queries claim intact.

In `@sample.html`:
- Around line 595-1188: The file contains a full duplicate of the HTML document
(second <!DOCTYPE>/<html>/<body> block) which creates duplicate IDs like
calc-display, page-calculator, s-name, etc.; remove the entire duplicated second
copy so only one HTML document remains, ensuring unique elements like Navigate,
Auth, calc-display, page-signup, page-code, page-dashboard, and
s-name/s-email/s-pass exist exactly once and keep the first (original) instance;
after removal, verify navigation and DOM queries (getElementById calls) still
resolve and the app initializes as before.
- Around line 527-538: The calculate() function uses new Function('return ' +
calcInput...) which is equivalent to eval and allows arbitrary code execution;
replace this with a safe math-expression evaluator (e.g., integrate math.js or a
lightweight parser) and evaluate only numeric expressions after
sanitizing/replacing display symbols (e.g., convert '×' to '*') and validating
the token stream to allow only numbers, parentheses and math operators; update
the try/catch around the evaluation to call the safe parser (instead of new
Function) and set calcInput = 'Error' on parse/eval failures so the rest of
calculate(), updateDisplay(), and the Auth.login/login-check flow remain
unchanged.

In `@server/index.js`:
- Around line 49-62: The /api/auth/login route currently returns the full DB row
(db.get callback) which includes the plaintext password and also implies
passwords are stored in plaintext; stop sending the password by omitting or
deleting the password field from the response object and change authentication
to use bcrypt: fetch the user by username only (db.get with username), then use
bcrypt.compare(providedPassword, user.password) to verify; ensure user
creation/registration code (e.g., createUser/register handler) stores
bcrypt.hash(password, saltRounds) instead of raw passwords so login compares
against a hashed password.
- Around line 479-497: The nested db.run for updateSql is using this.lastID from
the inner callback (which is for the UPDATE) instead of the insertSql's
insertion result; capture the inserted row id inside the outer insertSql
callback (e.g., assign const insertedId = this.lastID or let insertedId =
this.lastID) and then reference insertedId when sending the response in the
updateSql callback and log; update the references to this.lastID in the
updateSql callback to use that captured insertedId so the returned id is the
comment's ID from the INSERT.

In `@src/App.jsx`:
- Around line 11-25: The code uses eval(display) in Calculator.jsx (replace
that) which is a code-injection risk and the universal unlock string '1234=' is
hardcoded in App.jsx handleUnlock and in Calculator.jsx; fix by swapping eval
for a safe math expression evaluator (e.g., integrate mathjs or implement a
simple tokenizer/evaluator and use that in the Calculator component where
eval(display) is called), update Calculator methods that rely on eval to call
the safe parser, and make the unlock code configurable instead of hardcoded by
exposing it via a prop/state or config (or per-user secret stored on the user
object) and add a clear comment in handleUnlock and Calculator explaining the
intentional disguised-calculator behavior and security considerations so future
maintainers know why a default exists and how to customize it.

In `@src/components/Calculator.jsx`:
- Around line 30-33: The component currently calls eval(display) inside the
Calculator component (where setDisplay is used) which allows arbitrary code
execution; replace this with a safe math parser such as mathjs: install mathjs,
create a restricted mathjs instance (disable/import and other dangerous
functions like createUnit per mathjs security guide), then call that instance's
evaluate/parse on the display string and setDisplay to the resulting value; wrap
evaluation in try/catch to handle parse errors and avoid executing any raw eval
or Function constructors anywhere in the codebase.

In `@src/components/SOS.jsx`:
- Around line 26-58: The manual setTimeout (timeoutId) races with
navigator.geolocation.getCurrentPosition's timeout and can call
sendSOSWithoutLocation twice; remove the manual setTimeout and its clearTimeout
calls and rely on the Geolocation API's { timeout: 5000 } option so only the
geolocation error callback calls sendSOSWithoutLocation, keeping the existing
success and error handlers (references: timeoutId, sendSOSWithoutLocation,
navigator.geolocation.getCurrentPosition, the success callback that posts to
/api/sos, and the error callback).

🟠 Major comments (26)

REQUIREMENTS.md-160-167 (1)

160-167: ⚠️ Potential issue | 🟠 Major

Avoid publishing default credentials in documentation.

Hardcoded test credentials (testuser / password123 and unlock code 1234=) in a public repo are a security risk if these defaults ship to production. At minimum, note these are for local development only, or better yet, seed them via a setup script rather than documenting them publicly.

debug.html-1-55 (1)

1-55: ⚠️ Potential issue | 🟠 Major

Ensure this debug page is excluded from production deployments.

This page lets anyone clear all localStorage data with a single click. If it's accessible in production, it's a support/UX hazard. Consider either:

• Excluding it from the production build (e.g., via Vite's build config or a separate directory).
• Gating access behind a developer flag or authentication check.

.gitignore-1-24 (1)

1-24: ⚠️ Potential issue | 🟠 Major

Add .env* patterns to prevent accidental secret commits.

The project depends on dotenv and documentation references environment variables (e.g., VITE_API_URL). Without ignoring .env files, secrets and credentials risk being committed.

Proposed fix

 node_modules
 dist
 dist-ssr
 *.local
+
+# Environment files
+.env
+.env.*

package.json-19-19 (1)

19-19: 🛠️ Refactor suggestion | 🟠 Major

Move nodemon to devDependencies.

nodemon is a development-only tool (used in the server:dev script) and should not be shipped as a production dependency.

Proposed fix

   "dependencies": {
     "axios": "^1.13.5",
     "cors": "^2.8.6",
     "dotenv": "^17.3.1",
     "express": "^5.2.1",
-    "nodemon": "^3.1.11",
     "react": "^19.2.0",
     "react-dom": "^19.2.0",
     "sqlite3": "^5.1.7"
   },
   "devDependencies": {
     "@eslint/js": "^9.39.1",
     "@types/react": "^19.2.7",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^5.1.1",
     "eslint": "^9.39.1",
     "eslint-plugin-react-hooks": "^7.0.1",
     "eslint-plugin-react-refresh": "^0.4.24",
     "globals": "^16.5.0",
+    "nodemon": "^3.1.11",
     "vite": "^7.3.1"
   }

INSTALLATION.md-440-444 (1)

440-444: ⚠️ Potential issue | 🟠 Major

Default credentials and secret code published in documentation.

Publishing default credentials (testuser/password123) and the calculator lock code (1234=) in a public repository undermines the security model — especially since the app is designed to be disguised as a calculator for safety reasons. Consider removing these from public-facing docs or at minimum adding a prominent warning to change them immediately.

GOOGLE_MAPS_INTEGRATION.md-136-144 (1)

136-144: ⚠️ Potential issue | 🟠 Major

PII leak: real email address committed in documentation.

Line 138 contains what appears to be a real user's email address (riyarose05@gmail.com). This is personal data that should not be in a public repository. Replace with a generic placeholder like user@example.com.

server/database.js-109-111 (1)

109-111: ⚠️ Potential issue | 🟠 Major

Potential race condition: db is exported before table creation completes.

The Database constructor callback fires asynchronously, and db.run() calls inside it are also async. Any module importing db could issue queries before the schema is ready. Consider serializing table creation with db.serialize().

Proposed fix

   } else {
     console.log('Connected to the SQLite database.');
 
+    db.serialize(() => {
+      db.run('PRAGMA foreign_keys = ON');
+
       // Create Users table
       db.run(`CREATE TABLE IF NOT EXISTS users (...)`);
 
       // ... all other CREATE TABLE statements ...
+    });
   }

server/database.js-11-109 (1)

11-109: ⚠️ Potential issue | 🟠 Major

Foreign key constraints are not enforced by SQLite by default.

SQLite requires PRAGMA foreign_keys = ON to actually enforce foreign key constraints. Without it, all the FOREIGN KEY clauses in your schema are decorative and won't prevent orphaned rows.

Proposed fix

 const db = new verboseSqlite.Database(dbPath, (err) => {
   if (err) {
     console.error('Error opening database:', err.message);
   } else {
     console.log('Connected to the SQLite database.');
+
+    db.run('PRAGMA foreign_keys = ON');
 
     // Create Users table

server/database.js-18-23 (1)

18-23: ⚠️ Potential issue | 🟠 Major

Hardcoded default secret code and plaintext passwords pose critical authentication risks.

The secret_code TEXT DEFAULT '1234=' hardcodes the app's access code in plaintext, compounded by documentation in multiple .md files (REQUIREMENTS.md, INSTALLATION.md, FEATURES.md, API_DOCUMENTATION.md).

More critically, passwords are stored and compared in plaintext throughout the app. The server code (server/index.js) contains a TODO comment // In a real app, hash password here! but no hashing is implemented—neither bcrypt nor other hashing libraries are used. Passwords are inserted directly (line 39) and compared plaintext during login (line 51). This applies to all authentication flows (server/index.js and js/auth.js).

Both issues must be fixed:

• Remove the default secret_code or store it securely (e.g., environment variables, encrypted)
• Implement password hashing (bcrypt, argon2, or scrypt) before database insertion and update all login comparisons

API_DOCUMENTATION.md-68-79 (1)

68-79: ⚠️ Potential issue | 🟠 Major

Login response exposes secret_code to the client.

The documented login response includes the user's secret_code field. If this code serves as a secondary authentication factor or emergency access mechanism, returning it on every login response increases the attack surface — any XSS or network sniffing would capture it. Consider omitting it from the default login response and providing a separate, protected endpoint if the user needs to retrieve it.

js/auth.js-17-22 (1)

17-22: ⚠️ Potential issue | 🟠 Major

Plaintext passwords stored in localStorage.

saveUser persists the full user object — including the raw password — into localStorage. The login method then does a plaintext comparison. Even for a client-side simulation, this means every registered user's password is trivially readable by any script on the same origin (or by opening DevTools). If this code ships alongside the real backend auth, users who reuse passwords are at risk.

At minimum, hash passwords before storing (e.g., via the Web Crypto API or a lightweight library), or remove this client-side auth module entirely in favor of the server-side /auth/register and /auth/login endpoints that use bcrypt.

Also applies to: 49-56

sample.html-490-517 (1)

490-517: ⚠️ Potential issue | 🟠 Major

Plaintext passwords stored in localStorage.

Auth.signup stores the raw password in the user object ({ name, email, pass, code, ... }), which is then serialized to localStorage. Anyone with access to the browser's dev tools or any XSS vector can read all credentials. At a minimum, hash passwords before storing (though for a real app, authentication should happen server-side).

server/index.js-410-462 (1)

410-462: ⚠️ Potential issue | 🟠 Major

Like/unlike toggle is not atomic — race condition on concurrent requests.

The check (Line 416), delete/insert (Lines 427/446), and count update (Lines 433/452) are separate, non-transactional operations. Two concurrent like requests from the same user could both pass the check and insert duplicate likes, or both decrement/increment the count. Wrap the operations in a SQLite transaction using db.run('BEGIN TRANSACTION') ... COMMIT.

she_wants_full_app.html-1-594 (1)

1-594: 🛠️ Refactor suggestion | 🟠 Major

This file is nearly identical to sample.html (lines 1–594) — consolidate into a single file.

Maintaining two copies of the same ~600-line file increases the risk of divergence and doubles the effort for any bug fix. Consider keeping only one.

server/index.js-15-27 (1)

15-27: ⚠️ Potential issue | 🟠 Major

CORS allows all origins despite the allowlist.

The else branch on Line 23 calls callback(null, true), meaning blocked origins are still allowed. The logged warning is misleading — nothing is actually blocked.

Proposed fix

         } else {
             console.log('Blocked origin:', origin);
-            callback(null, true); // Allow all for now, restrict in production
+            callback(new Error('Not allowed by CORS'));
         }

server/index.js-153-158 (1)

153-158: ⚠️ Potential issue | 🟠 Major

Location validation incorrectly rejects valid coordinates.

location.lat === 0 rejects latitude 0 (the equator), and !location.lng rejects longitude 0 (the prime meridian). Both are valid geographic coordinates.

Proposed fix

-    if (!location || location.lat === 0 || !location.lng) {
+    if (!location || typeof location.lat !== 'number' || typeof location.lng !== 'number') {
         return res.status(400).json({ error: 'Valid location is required for pad requests' });
     }

dashboard.html-219-236 (1)

219-236: ⚠️ Potential issue | 🟠 Major

Helper mode toggle does not start/stop the emergency listener.

Emergency.listen is only registered once at page load (Line 226) based on the initial value of user.willingToHelp. If the user toggles helper mode on after loading the page, the listener is never started. Conversely, toggling it off doesn't unsubscribe.

Proposed fix

         function toggleHelperMode() {
             user.willingToHelp = document.getElementById('helperToggle').checked;
             Auth.setCurrentUser(user);
-            // In a real app, update server
+            if (user.willingToHelp) {
+                Emergency.listen((request) => {
+                    const response = confirm(`🆘 EMERGENCY ALERT!\n\n${request.user.name} needs help nearby!\n\nLocation: ${request.location.lat}, ${request.location.lng}\n\nDo you want to help?`);
+                    if (response) {
+                        alert(`Thank you! Please contact or find ${request.user.name}. We have notified them you are coming.`);
+                        Emergency.respondToHelp(request.id, user);
+                    }
+                });
+            } else {
+                // Clear the listener
+                Emergency.channel.onmessage = null;
+            }
         }

src/components/NearbyRequests.jsx-42-59 (1)

42-59: ⚠️ Potential issue | 🟠 Major

Excessive console.log statements leak PII (user location, user details).

Lines 43, 55–56, 59, 62, 78, and others log the user's GPS coordinates, usernames, and request details to the browser console. In production, this leaks sensitive information. Strip these or gate them behind a debug flag.

This applies broadly across all components in this PR (PadRequest.jsx, SOS.jsx, NearbyRequests.jsx, etc.).

src/components/NearbyRequests.jsx-67-98 (1)

67-98: ⚠️ Potential issue | 🟠 Major

Request is marked as fulfilled before the user actually helps — no undo path.

The API call to mark the request as fulfilled (line 70) happens before Google Maps even opens. If the helper changes their mind, closes the tab, or can't reach the requester, the request is already marked fulfilled with no way to revert. Consider marking it fulfilled only after confirmation of delivery, or adding an "undo" mechanism.

src/components/NearbyRequests.jsx-189-191 (1)

189-191: ⚠️ Potential issue | 🟠 Major

Displaying raw GPS coordinates exposes the requester's exact location.

Showing latitude.toFixed(4) and longitude.toFixed(4) reveals the user's position to ~11 meters accuracy. For a safety-focused app, consider showing only an approximate area (e.g., neighborhood name via reverse geocoding, or a rounded distance) instead of precise coordinates.

src/App.jsx-7-9 (1)

7-9: ⚠️ Potential issue | 🟠 Major

No session persistence — user is lost on page refresh.

user is stored only in React state. Any page refresh will log the user out and lock the app, forcing re-authentication every time. Consider persisting the session (e.g., localStorage, sessionStorage, or a server-side session/token).

Example using localStorage

 function App() {
   const [isLocked, setIsLocked] = useState(true);
-  const [user, setUser] = useState(null);
+  const [user, setUser] = useState(() => {
+    const saved = localStorage.getItem('sheWantsUser');
+    return saved ? JSON.parse(saved) : null;
+  });

   // ...

   const handleLogin = (userData) => {
     setUser(userData);
+    localStorage.setItem('sheWantsUser', JSON.stringify(userData));
     setIsLocked(false);
   };

   const handleLogout = () => {
     setUser(null);
+    localStorage.removeItem('sheWantsUser');
     setIsLocked(true);
   };

src/components/Dashboard.jsx-1-25 (1)

1-25: ⚠️ Potential issue | 🟠 Major

SOS component exists but is not rendered in the Dashboard.

src/components/SOS.jsx is defined in this PR but never imported or rendered here. For a safety-focused app, the emergency SOS feature should be prominently accessible from the dashboard.

Proposed fix to add SOS

 import React from 'react';
 import PeriodTracker from './PeriodTracker';
 import PadRequest from './PadRequest';
 import NearbyRequests from './NearbyRequests';
 import CommunitySupport from './CommunitySupport';
 import SisterhoodChats from './SisterhoodChats';
+import SOS from './SOS';
 
 const Dashboard = ({ user, onLogout }) => {
     return (
         <div className="dashboard-container">
             <div className="header">
                 <h2>{user.username}'s Safe Space</h2>
                 <button onClick={onLogout} className="logout-btn">Lock & Logout</button>
             </div>
 
+            <SOS user={user} />
             <PeriodTracker user={user} />
             <PadRequest user={user} />
             <NearbyRequests user={user} />
             <CommunitySupport user={user} />
             <SisterhoodChats user={user} />
         </div>
     );
 };

src/components/Calculator.jsx-96-100 (1)

96-100: ⚠️ Potential issue | 🟠 Major

The "Next" button and hint completely undermine the disguised-calculator privacy feature.

The component's purpose is to appear as a calculator for privacy, yet Line 74 provides a button that directly calls onUnlock('1234=') without any code entry, and Line 99 displays the secret code as a plaintext hint. Anyone glancing at the screen sees both the bypass button and the unlock code, defeating the disguise.

At minimum, remove the hint text. Consider whether the "Next" button should require entering the code rather than bypassing it entirely.

src/components/SisterhoodChats.jsx-51-58 (1)

51-58: ⚠️ Potential issue | 🟠 Major

Sending username from the client allows impersonation.

Both handleCreatePost (Line 53-54) and handleAddComment (Line 116-117) send userId and username in the request body. A user can trivially modify the username field (via DevTools or a crafted request) to post as someone else. The server should resolve the username from the authenticated userId instead.

emergency-support.html-198-208 (1)

198-208: ⚠️ Potential issue | 🟠 Major

Geolocation fallback sends {lat: 0, lng: 0} — a point in the Gulf of Guinea.

For an emergency SOS feature, sending a meaningless default location could route helpers to the wrong continent. Consider showing an error to the user instead, or prompting them to enter a location manually.

src/components/PeriodTracker.jsx-11-13 (1)

11-13: ⚠️ Potential issue | 🟠 Major

Missing user.id in the dependency array — stale data if user changes.

fetchCycles captures user.id in its closure, but the effect runs only on mount. If the user prop changes (e.g., account switch), the component continues to display the previous user's cycle data.

Proposed fix

     useEffect(() => {
+        if (!user?.id) return;
         fetchCycles();
-    }, []);
+    }, [user?.id]);

🟡 Minor comments (22)

src/config/api.js-10-10 (1)

10-10: ⚠️ Potential issue | 🟡 Minor

Remove console.log that leaks the API base URL in production.

This log statement will execute in every user's browser, exposing internal infrastructure details. Use it only behind a development check or remove it entirely.

Proposed fix

-console.log('API Base URL:', baseURL);

DEPLOY_EASY.md-51-53 (1)

51-53: ⚠️ Potential issue | 🟡 Minor

Environment variable points to localhost — will not work in production.

Setting VITE_API_URL to http://localhost:3000 during Vercel deployment means the deployed frontend will try to reach localhost in the user's browser, which will fail. The guide says "we'll update this later" but this is error-prone; better to instruct users to deploy the backend first or use a placeholder URL with a clear note.

DEPLOY_EASY.md-7-9 (1)

7-9: ⚠️ Potential issue | 🟡 Minor

Hardcoded local machine path — will not work for other users.

cd /Users/macbookair/Desktop/SHE_WANTS references a specific developer's machine. Replace with a generic placeholder like cd /path/to/SHE_WANTS. This same issue appears in DEPLOYMENT.md (Line 40) and DEPLOY_NOW.md (Lines 23, 64, 131).

FEATURES.md-109-117 (1)

109-117: ⚠️ Potential issue | 🟡 Minor

Database schema section is incomplete — missing 3 tables.

The documentation lists 5 tables, but server/database.js creates 8 tables. The sisterhood_posts, post_comments, and post_likes tables are missing from this list, despite the Sisterhood feature being referenced elsewhere in this PR.

DEPLOYMENT.md-233-236 (1)

233-236: ⚠️ Potential issue | 🟡 Minor

Heroku Procfile uses dev command instead of production start command.

web: npm run server:dev likely runs nodemon (dev dependency) which may not be installed in production. The Procfile should use the production start command.

Proposed fix

-web: npm run server:dev
+web: node server/index.js

server/database.js-18-107 (1)

18-107: ⚠️ Potential issue | 🟡 Minor

No error handling on CREATE TABLE statements — failures are silently swallowed.

Each db.run() call for table creation lacks a callback. If any CREATE TABLE fails, the error is lost and the app continues with a broken schema. At minimum, pass a callback to log errors.

Example fix pattern

-    db.run(`CREATE TABLE IF NOT EXISTS users (
+    db.run(`CREATE TABLE IF NOT EXISTS users (
       id INTEGER PRIMARY KEY AUTOINCREMENT,
       username TEXT UNIQUE NOT NULL,
       password TEXT NOT NULL,
       secret_code TEXT DEFAULT '1234='
-    )`);
+    )`, (err) => { if (err) console.error('Failed to create users table:', err.message); });

Apply the same pattern to all other db.run() calls.

DEPLOY_BUTTON.md-5-5 (1)

5-5: ⚠️ Potential issue | 🟡 Minor

Deploy button URL contains an unresolved placeholder.

YOUR_USERNAME in the repository URL needs to be replaced with the actual GitHub org/user. As-is, clicking the button will fail. Consider replacing it with the actual repo path (e.g., tinkerhub/tink-her-hack-temp) or adding a visible note prompting the reader to substitute it.

API_DOCUMENTATION.md-13-17 (1)

13-17: ⚠️ Potential issue | 🟡 Minor

Table of Contents anchor links won't resolve due to emoji in headings.

The heading anchors include emoji characters (e.g., ## 🔐 Authentication), but the TOC links use plain fragments like #authentication. Most Markdown renderers (including GitHub) will generate slugs that include or strip emoji inconsistently, causing broken navigation. Either remove emoji from headings or update the fragment links to match the generated slugs.

js/auth.js-33-46 (1)

33-46: ⚠️ Potential issue | 🟡 Minor

signup returns the full user object including the password.

Auth.signup returns { success: true, user: newUser } where newUser still contains the plaintext password. Callers (like signup.html) receive this object and could inadvertently expose it (e.g., logging, DOM injection). Strip the password before returning, similar to what setCurrentUser does.

Proposed fix

         Auth.saveUser(newUser);
-        return { success: true, user: newUser };
+        const { password, ...safeUser } = newUser;
+        return { success: true, user: safeUser };

login.html-124-137 (1)

124-137: ⚠️ Potential issue | 🟡 Minor

alert variable shadows window.alert.

Line 128 declares const alert = document.getElementById('alert'), which shadows the built-in window.alert within this function scope. Any future alert("...") call inside handleLogin would throw a TypeError since the variable references a DOM element. Rename to something like alertEl or alertBox.

Proposed fix

         function handleLogin(e) {
             e.preventDefault();
             const email = document.getElementById('email').value;
             const password = document.getElementById('password').value;
-            const alert = document.getElementById('alert');
+            const alertBox = document.getElementById('alert');

             const result = Auth.login(email, password);
             if (result.success) {
                 window.location.href = 'welcome.html';
             } else {
-                alert.textContent = result.message;
-                alert.style.display = 'block';
+                alertBox.textContent = result.message;
+                alertBox.style.display = 'block';
             }
         }

js/auth.js-84-88 (1)

84-88: ⚠️ Potential issue | 🟡 Minor

requireAuth has no return value — callers may continue executing after redirect.

window.location.href assignment doesn't halt script execution immediately. Code following a requireAuth() call will keep running until the navigation completes. Either return a boolean so callers can return early, or throw to halt execution.

Proposed fix

     requireAuth: () => {
         if (!Auth.getCurrentUser()) {
             window.location.href = 'login.html';
+            return false;
         }
+        return true;
     }

signup.html-469-477 (1)

469-477: ⚠️ Potential issue | 🟡 Minor

ensureUniqueCode silently returns a potentially duplicate code after 100 failed attempts.

If all 100 iterations find collisions, the function returns the last generated (non-unique) code without warning. With only 900,000 possible 6-digit codes, this becomes increasingly likely as the user base grows.

Consider warning the user or throwing an error when uniqueness cannot be guaranteed.

Proposed fix

         function ensureUniqueCode() {
             let code;
             let attempts = 0;
             do {
                 code = generateUniqueCode();
                 attempts++;
             } while (Auth.findUserByCode(code) && attempts < 100);
+            if (attempts >= 100 && Auth.findUserByCode(code)) {
+                showAlert('error', 'Unable to generate a unique code. Please try again.');
+                return null;
+            }
             return code;
         }

welcome.html-131-139 (1)

131-139: ⚠️ Potential issue | 🟡 Minor

user.name.split(' ')[0] will throw if name is undefined.

The if (user) guard only checks that a user object exists in session, not that user.name is present. If the user was created via a different auth flow or the schema changes, this will throw TypeError: Cannot read properties of undefined (reading 'split').

Proposed fix

         const user = Auth.getCurrentUser();
-        if (user) {
-            document.getElementById('greeting').textContent = `Welcome, ${user.name.split(' ')[0]}!`;
+        if (user && user.name) {
+            document.getElementById('greeting').textContent = `Welcome, ${user.name.split(' ')[0]}!`;
+        } else if (user) {
+            // user exists but no name field
         } else {
-            // Fallback or redirect if not logged in
             window.location.href = 'index.html';
         }

signup.html-414-424 (1)

414-424: ⚠️ Potential issue | 🟡 Minor

event is accessed as an implicit global instead of a function parameter.

togglePassword(inputId) does not declare an event parameter, yet line 416 references event.target. This relies on the deprecated implicit window.event global, which is unreliable across browsers and strict-mode contexts. Pass the event explicitly from the onclick handler.

Proposed fix

-        function togglePassword(inputId) {
+        function togglePassword(inputId, event) {
             const input = document.getElementById(inputId);
             const button = event.target;

And update the onclick attributes:

-<button type="button" class="toggle-password" onclick="togglePassword('password')">👁️</button>
+<button type="button" class="toggle-password" onclick="togglePassword('password', event)">👁️</button>

-<button type="button" class="toggle-password" onclick="togglePassword('confirmPassword')">👁️</button>
+<button type="button" class="toggle-password" onclick="togglePassword('confirmPassword', event)">👁️</button>

SISTERHOOD_CHATS.md-14-14 (1)

14-14: ⚠️ Potential issue | 🟡 Minor

Documentation claims "Rich text support" but the component uses a plain <textarea>.

The SisterhoodChats.jsx component only renders a standard <textarea> for post content — there is no rich text editor or formatting support. This is misleading for anyone reading the docs.

src/components/SOS.jsx-61-76 (1)

61-76: ⚠️ Potential issue | 🟡 Minor

{ lat: 0, lng: 0 } is a real location — use null for missing coordinates.

Latitude 0, longitude 0 is a point in the Gulf of Guinea. If the backend stores or displays this, it will appear as a valid location. Use null for both coordinates and handle the absence server-side.

         const response = await axios.post('/api/sos', {
             userId: user.id,
-            location: { lat: 0, lng: 0, note: 'Location unavailable' }
+            location: null
         });

src/components/Auth.jsx-107-118 (1)

107-118: ⚠️ Potential issue | 🟡 Minor

Auth toggle uses a <p> tag — not keyboard-accessible.

The login/signup toggle is a <p> with an onClick handler. It's not focusable or operable via keyboard. Use a <button> element instead.

Proposed fix

             <div className="auth-toggle">
-                <p onClick={() => {
+                <button type="button" className="auth-toggle-btn" onClick={() => {
                     setIsLogin(!isLogin);
                     setError('');
                     setSuccess('');
                     setUsername('');
                     setPassword('');
                     setSecretCode('');
                 }}>
                     {isLogin ? "Don't have an account? Sign up" : 'Already have an account? Login'}
-                </p>
+                </button>
             </div>

src/components/Auth.jsx-12-48 (1)

12-48: ⚠️ Potential issue | 🟡 Minor

No loading state — form can be double-submitted.

handleSubmit doesn't disable the submit button during the API call. Rapidly clicking "Login" or "Create Account" can fire multiple requests. Add a submitting state similar to other components in this PR.

Proposed fix

 const Auth = ({ onLogin }) => {
     const [isLogin, setIsLogin] = useState(true);
     const [username, setUsername] = useState('');
     const [password, setPassword] = useState('');
     const [secretCode, setSecretCode] = useState('');
     const [error, setError] = useState('');
     const [success, setSuccess] = useState('');
+    const [submitting, setSubmitting] = useState(false);
 
     const handleSubmit = async (e) => {
         e.preventDefault();
         setError('');
         setSuccess('');
+        setSubmitting(true);
 
         // ... validation ...
 
         try {
             const res = await axios.post(endpoint, payload);
             // ... handle response ...
         } catch (err) {
             setError(err.response?.data?.error || err.response?.data?.message || 'An error occurred');
+        } finally {
+            setSubmitting(false);
         }
     };

And on the button:

-                <button type="submit" className="auth-btn">
+                <button type="submit" className="auth-btn" disabled={submitting}>
                     {isLogin ? 'Login' : 'Create Account'}
                 </button>

README.md-21-21 (1)

21-21: ⚠️ Potential issue | 🟡 Minor

Multiple spelling and grammar errors in user-facing text.

• "PEROID" → "PERIOD" (Lines 21, 52)
• "REILEF" → "RELIEF" (Line 54)
• "GIT HUB" → "GitHub" (Line 44)
• "SQLLITE" → "SQLite" (Line 38)
• "GOOGLE AMP" → "GOOGLE MAP" (Line 403)

These are visible in the project's main README and reflect poorly on the project.

README.md-65-76 (1)

65-76: ⚠️ Potential issue | 🟡 Minor

Broken markdown: installation code block has no language identifier and malformed content.

Line 65 has the installation command as plain text, then Line 66 opens an empty fenced code block (flagged by markdownlint MD040). The block is never properly closed before the "Build for Production" section starts another block.

Proposed fix

-[Installation commands - pm install and npm run dev]
-```
+```bash
+npm install
+npm run dev
+```

src/components/PeriodTracker.jsx-21-30 (1)

21-30: ⚠️ Potential issue | 🟡 Minor

user.id is accessed without a null guard — will throw if user is null/undefined.

If this component is ever rendered before a user is available, axios.get(\/api/cycles/${user.id}`)` will throw a TypeError.

Proposed fix

     const fetchCycles = async () => {
+        if (!user?.id) return;
         try {
             const res = await axios.get(`/api/cycles/${user.id}`);

src/components/PeriodTracker.jsx-76-86 (1)

76-86: ⚠️ Potential issue | 🟡 Minor

Date format mismatch risk: server start_date may not match the local ISO string.

Line 82 compares lastCycle.start_date (from the API) with today produced by new Date().toISOString().split('T')[0]. If the server stores or returns a datetime with a time component (e.g., 2026-02-14T00:00:00.000Z), the comparison will always fail and the duplicate-logging guard won't work.

Consider normalizing the server value before comparing:

-            if (lastCycle.start_date === today) {
+            if (lastCycle.start_date?.split('T')[0] === today) {

🧹 Nitpick comments (16)

src/App.css (1)

1-42: This appears to be the default Vite + React template CSS.

Consider removing or replacing it with styles relevant to the "She Wants" application, since classes like .logo, .read-the-docs, and the spin animation are Vite boilerplate and likely unused.

eslint.config.js (1)

16-24: Redundant ecmaVersion specified in two places.

ecmaVersion: 2020 at Line 17 and ecmaVersion: 'latest' at Line 20 conflict. In ESLint flat config, parserOptions.ecmaVersion overrides the outer languageOptions.ecmaVersion, so 2020 is effectively unused. Remove one to avoid confusion — likely keep 'latest' and drop Line 17.

Proposed fix

     languageOptions: {
-      ecmaVersion: 2020,
       globals: globals.browser,
       parserOptions: {
         ecmaVersion: 'latest',

API_DOCUMENTATION.md (1)

4-6: Fenced code block missing a language specifier.

Add a language identifier (e.g., ```text) to satisfy markdownlint MD040 and improve rendering.

signup.html (1)

537-556: innerHTML assignment with template literal — prefer safer DOM methods.

While the interpolated code value is internally generated and currently safe, using innerHTML with template literals establishes a pattern that's vulnerable to XSS if any user-controlled data is later interpolated. Consider using textContent for the code value and building the DOM via createElement, or at minimum sanitize interpolated values.

js/emergency.js (2)

49-61: listen() overwrites any previous listener via direct onmessage assignment.

Using Emergency.channel.onmessage = ... means each call to listen() silently replaces the previous handler. If multiple pages or components call listen(), only the last one wins. Consider using addEventListener('message', ...) if you need multiple concurrent subscribers, along with a corresponding removal mechanism.

---

10-12: Date.now()-based IDs can collide.

Using 'req_' + Date.now() for the request ID could produce duplicates if two requests are created within the same millisecond. Consider appending a random suffix:

-            id: 'req_' + Date.now(),
+            id: 'req_' + Date.now() + '_' + Math.random().toString(36).slice(2, 9),

src/components/Calculator.css (1)

1-2: Consider removing the import in Calculator.jsx instead of keeping a placeholder CSS file.

An empty file that exists solely to prevent an import error is a workaround. Removing the import './Calculator.css' from Calculator.jsx is cleaner — or move the calculator-specific styles from index.css into this file where they belong.

SISTERHOOD_CHATS.md (1)

257-264: Fenced code block missing a language identifier.

Per the static analysis hint (MD040), specify a language for the fenced code block to improve rendering and linting compliance. Since this is a plain-text list, text or plaintext works.

-```
+```text
 Dashboard Components:

src/components/NearbyRequests.jsx (1)

9-14: React lint warning: fetchNearbyRequests is called inside useEffect but not in the dependency array.

While this works because user.id won't change during the component's lifetime, the React exhaustive-deps rule will flag this. A cleaner pattern is to use useCallback or move the fetch inside the effect.

src/components/PadRequest.jsx (1)

4-59: Consider using finally for setSending(false) to avoid duplication.

setSending(false) appears in both the try (line 41) and catch (line 49) blocks of the geolocation success callback. A finally block would be cleaner and safer against unexpected throws.

src/components/CommunitySupport.jsx (2)

183-198: Bio textarea has no length limit.

The <textarea> for the helper bio has no maxLength constraint. Users could submit excessively long text. Add a reasonable limit (e.g., 200–500 characters) both here and on the server side.

                     <textarea
                         value={bio}
                         onChange={(e) => setBio(e.target.value)}
                         placeholder="Tell others how you can help (optional)..."
+                        maxLength={500}
                         style={{

---

13-16: React lint: useEffect calls functions not listed in the dependency array.

fetchHelperStatus and fetchHelpers are called in the effect but not listed as dependencies. Same pattern as NearbyRequests.jsx — works in practice since user.id is stable, but will trigger exhaustive-deps warnings.

src/components/Calculator.jsx (1)

87-94: Inline onMouseOver/onMouseOut style manipulation is fragile — prefer CSS :hover.

Direct e.target.style mutations can conflict with React's reconciliation and don't work on touch devices. A CSS class with :hover rules (already used elsewhere in index.css) is cleaner and more maintainable.

src/components/SisterhoodChats.jsx (2)

76-81: Stale closure: posts reference may be outdated during concurrent likes.

setPosts(posts.map(...)) captures the posts value from the render when handleLikePost was created. If a user clicks "like" on multiple posts quickly, earlier state updates may be overwritten.

Use the functional updater form:

-            setPosts(posts.map(p =>
+            setPosts(prev => prev.map(p =>
                 p.id === postId
                     ? { ...p, likes_count: res.data.liked ? p.likes_count + 1 : p.likes_count - 1 }
                     : p
             ));

The same applies to setPosts in handleAddComment (Line 130).

---

24-26: Missing fetchPosts in useEffect dependency array — React will warn.

While the React compiler in v19 may auto-memoize this, the linter rule react-hooks/exhaustive-deps will flag this. Wrapping fetchPosts with useCallback or inlining the fetch logic inside the effect would be cleaner.

src/index.css (1)

9-18: Stylelint: remove quotes around Inter and use kebab-case keyframe names.

Per the project's Stylelint configuration:

• Lines 11, 138: 'Inter' → Inter (unquoted, since it's a single-word font name)
• Line 85: fadeIn → fade-in
• Line 183: slideIn → slide-in

Update references in Lines 82 and 180 accordingly (animation: fade-in ..., animation: slide-in ...).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: XSS via innerHTML with unsanitized helper.name and helper.dist.

addHelper() injects helper.name and helper.dist directly into HTML via innerHTML. On Line 257-263, Emergency.listen feeds data from external broadcasts into addHelper, so an attacker broadcasting a crafted name like <img src=x onerror=alert(document.cookie)> achieves XSS.

The onclick handler on Line 235 is also injectable — a name containing ' breaks out of the string literal.

Use DOM APIs or textContent instead of innerHTML:

Proposed fix

         function addHelper(helper) {
             const list = document.getElementById('helpersList');
             const item = document.createElement('li');
             item.className = 'helper-item';
-            item.innerHTML = `
-                <div class="helper-info">
-                    <strong>${helper.name}</strong>
-                    <span>${helper.dist} away • Verified Helper</span>
-                </div>
-                <button class="connect-btn" onclick="connectToHelper('${helper.name}')">Request</button>
-            `;
+
+            const info = document.createElement('div');
+            info.className = 'helper-info';
+            const nameEl = document.createElement('strong');
+            nameEl.textContent = helper.name;
+            const distEl = document.createElement('span');
+            distEl.textContent = `${helper.dist} away • Verified Helper`;
+            info.appendChild(nameEl);
+            info.appendChild(distEl);
+
+            const btn = document.createElement('button');
+            btn.className = 'connect-btn';
+            btn.textContent = 'Request';
+            btn.addEventListener('click', () => connectToHelper(helper.name));
+
+            item.appendChild(info);
+            item.appendChild(btn);
             list.appendChild(item);
         }

🤖 Prompt for AI Agents

In `@emergency-support.html` around lines 226 - 238, The addHelper function
currently uses innerHTML with unsanitized helper.name and helper.dist and embeds
helper.name into an inline onclick string, enabling XSS; change addHelper to
build DOM nodes with createElement and textContent (e.g., create
div.helper-info, strong, span, and button elements), set the text via
textContent for helper.name and helper.dist, and attach the click behavior to
the button using addEventListener (or pass the helper identifier via a data-
attribute) instead of an inline onclick that interpolates raw values; update
references to helper-item, connect-btn, and connectToHelper accordingly so no
user-controlled string is injected into HTML or event handler attributes.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if bcrypt is actually used for password hashing
echo "=== Checking for bcrypt usage ==="
rg -n 'bcrypt' --type=js -g '!node_modules/**'

echo ""
echo "=== Checking for parameterized queries (? placeholders) ==="
rg -n 'db\.(run|get|all)\(' --type=js -g '!node_modules/**' -A2 | head -60

Repository: tinkerhub/tink-her-hack-temp

Length of output: 3222

---

🏁 Script executed:

#!/bin/bash
# Check password handling in signup endpoint
echo "=== Checking signup endpoint in server/index.js ==="
rg -n 'POST.*signup|router\.post.*signup' --type=js -A 20

echo ""
echo "=== Checking for any crypto/hashing imports ==="
rg -n 'require.*crypto|require.*hash|import.*crypto|import.*hash' --type=js

echo ""
echo "=== Full signup endpoint code ==="
rg -n "app\.post.*'/signup'" --type=js -A 30

Repository: tinkerhub/tink-her-hack-temp

Length of output: 207

---

🏁 Script executed:

#!/bin/bash
# Check the actual content of server/index.js to see password handling
echo "=== File size check ==="
wc -l server/index.js

echo ""
echo "=== Reading server/index.js around signup area (lines 1-80) ==="
head -80 server/index.js | cat -n

Repository: tinkerhub/tink-her-hack-temp

Length of output: 3427

---

Correct false security claim: passwords are stored in plaintext, not hashed with bcrypt.

Line 335 states "Currently uses bcrypt (already implemented)" but the code explicitly shows the opposite. The signup endpoint (server/index.js:38) contains a comment "In a real app, hash password here!" indicating passwords are stored in plaintext without any hashing. This is a critical security vulnerability that contradicts the documentation.

The parameterized queries claim (line 339) is accurate—the codebase correctly uses ? placeholders with parameter binding arrays to prevent SQL injection.

Update the documentation to accurately reflect that password hashing is not implemented and must be added before production deployment. Remove or qualify the bcrypt claim.

🤖 Prompt for AI Agents

In `@INSTALLATION.md` around lines 329 - 339, The documentation incorrectly claims
passwords are hashed with bcrypt; update the INSTALLATION.md security section to
remove or negate the "Currently uses bcrypt (already implemented)" statement and
instead state clearly that password hashing is NOT implemented and must be added
before production (e.g., implement bcrypt/argon2 in the signup handler that
currently has the comment "In a real app, hash password here!" in
server/index.js), while keeping the SQL parameterized queries claim intact.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

new Function('return ' + calcInput) is equivalent to eval() — arbitrary code execution.

A user (or attacker who can influence calcInput) can execute any JavaScript expression through the calculator display. For example, entering alert(document.cookie) and pressing = would run it. Use a safe math parser instead of new Function.

Safer alternative

         function calculate() {
             // LOGIN CHECK
             if (calcInput.length === 6 && Auth.login(calcInput)) {
                 Navigate('page-welcome');
                 return;
             }
             try {
-                // Safe Math
-                calcInput = new Function('return ' + calcInput.replace('×', '*'))().toString();
+                // Only allow digits, operators, dots, and parentheses
+                if (!/^[\d+\-*/%.()\s]+$/.test(calcInput.replace('×', '*'))) {
+                    throw new Error('Invalid expression');
+                }
+                calcInput = new Function('return ' + calcInput.replace('×', '*'))().toString();
             } catch { calcInput = 'Error'; }
             updateDisplay();
         }

A dedicated math expression parser library (e.g., math.js) would be even safer.

🤖 Prompt for AI Agents

In `@sample.html` around lines 527 - 538, The calculate() function uses new
Function('return ' + calcInput...) which is equivalent to eval and allows
arbitrary code execution; replace this with a safe math-expression evaluator
(e.g., integrate math.js or a lightweight parser) and evaluate only numeric
expressions after sanitizing/replacing display symbols (e.g., convert '×' to
'*') and validating the token stream to allow only numbers, parentheses and math
operators; update the try/catch around the evaluation to call the safe parser
(instead of new Function) and set calcInput = 'Error' on parse/eval failures so
the rest of calculate(), updateDisplay(), and the Auth.login/login-check flow
remain unchanged.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

The entire HTML document is duplicated — lines 595–1188 are an exact copy of lines 1–594.

This produces invalid HTML: two <!DOCTYPE>, two <html>, two <body> tags, and all element IDs (calc-display, page-calculator, s-name, etc.) are defined twice. Browsers will parse this unpredictably, and getElementById will only find the first occurrence, making the second half's elements unreachable. Remove the duplicate.

🤖 Prompt for AI Agents

In `@sample.html` around lines 595 - 1188, The file contains a full duplicate of
the HTML document (second <!DOCTYPE>/<html>/<body> block) which creates
duplicate IDs like calc-display, page-calculator, s-name, etc.; remove the
entire duplicated second copy so only one HTML document remains, ensuring unique
elements like Navigate, Auth, calc-display, page-signup, page-code,
page-dashboard, and s-name/s-email/s-pass exist exactly once and keep the first
(original) instance; after removal, verify navigation and DOM queries
(getElementById calls) still resolve and the app initializes as before.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Login response leaks the user's plaintext password.

Line 57 returns user: row, which includes the password column from the database. This sends the password back to the client in the JSON response. Additionally, passwords are stored in plaintext (Line 40).

Proposed fix

     db.get(sql, [username, password], (err, row) => {
         if (err) {
             return res.status(500).json({ error: err.message });
         }
         if (row) {
-            res.json({ message: 'Login successful', user: row });
+            const { password, ...safeUser } = row;
+            res.json({ message: 'Login successful', user: safeUser });
         } else {
             res.status(401).json({ message: 'Invalid credentials' });
         }
     });

Passwords should also be hashed (e.g., using bcrypt) before storing in the database.

🤖 Prompt for AI Agents

In `@server/index.js` around lines 49 - 62, The /api/auth/login route currently
returns the full DB row (db.get callback) which includes the plaintext password
and also implies passwords are stored in plaintext; stop sending the password by
omitting or deleting the password field from the response object and change
authentication to use bcrypt: fetch the user by username only (db.get with
username), then use bcrypt.compare(providedPassword, user.password) to verify;
ensure user creation/registration code (e.g., createUser/register handler)
stores bcrypt.hash(password, saltRounds) instead of raw passwords so login
compares against a hashed password.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

this.lastID in the nested callback refers to the wrong db.run invocation.

On Line 493, this.lastID is inside the callback of the updateSql db.run (Line 485), not the insertSql db.run (Line 479). The UPDATE statement doesn't insert a row, so this.lastID will not be the comment's ID.

Proposed fix — capture `lastID` in the outer callback's scope

     db.run(insertSql, [postId, userId, displayName, comment, isAnonymous ? 1 : 0], function (err) {
         if (err) {
             console.error('Error adding comment:', err);
             return res.status(500).json({ error: err.message });
         }
 
+        const commentId = this.lastID;
         db.run(updateSql, [postId], (err) => {
             if (err) {
                 console.error('Error updating comments count:', err);
                 return res.status(500).json({ error: err.message });
             }
 
             console.log(`Comment added to post ${postId} by ${displayName}`);
             res.json({
-                id: this.lastID,
+                id: commentId,
                 message: 'Comment added successfully'
             });
         });
     });

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	db.run(insertSql, [postId, userId, displayName, comment, isAnonymous ? 1 : 0], function (err) {
	if (err) {
	console.error('Error adding comment:', err);
	return res.status(500).json({ error: err.message });
	}
	db.run(updateSql, [postId], (err) => {
	if (err) {
	console.error('Error updating comments count:', err);
	return res.status(500).json({ error: err.message });
	}
	console.log(`Comment added to post ${postId} by ${displayName}`);
	res.json({
	id: this.lastID,
	message: 'Comment added successfully'
	});
	});
	});
	db.run(insertSql, [postId, userId, displayName, comment, isAnonymous ? 1 : 0], function (err) {
	if (err) {
	console.error('Error adding comment:', err);
	return res.status(500).json({ error: err.message });
	}
	const commentId = this.lastID;
	db.run(updateSql, [postId], (err) => {
	if (err) {
	console.error('Error updating comments count:', err);
	return res.status(500).json({ error: err.message });
	}
	console.log(`Comment added to post ${postId} by ${displayName}`);
	res.json({
	id: commentId,
	message: 'Comment added successfully'
	});
	});
	});

🤖 Prompt for AI Agents

In `@server/index.js` around lines 479 - 497, The nested db.run for updateSql is
using this.lastID from the inner callback (which is for the UPDATE) instead of
the insertSql's insertion result; capture the inserted row id inside the outer
insertSql callback (e.g., assign const insertedId = this.lastID or let
insertedId = this.lastID) and then reference insertedId when sending the
response in the updateSql callback and log; update the references to this.lastID
in the updateSql callback to use that captured insertedId so the returned id is
the comment's ID from the INSERT.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, verify eval usage in Calculator.jsx and related files
rg -n 'eval\(' --type=js --type=jsx

Repository: tinkerhub/tink-her-hack-temp

Length of output: 99

---

🏁 Script executed:

#!/bin/bash
# Check if App.jsx exists and examine the handleUnlock function
find . -name "App.jsx" -type f | head -5

Repository: tinkerhub/tink-her-hack-temp

Length of output: 85

---

🏁 Script executed:

#!/bin/bash
# Check if Calculator.jsx exists
find . -name "Calculator.jsx" -type f | head -5

Repository: tinkerhub/tink-her-hack-temp

Length of output: 103

---

🏁 Script executed:

#!/bin/bash
# Search for eval usage
rg -n 'eval\(' --include='*.jsx' --include='*.js'

Repository: tinkerhub/tink-her-hack-temp

Length of output: 513

---

🏁 Script executed:

#!/bin/bash
# Read App.jsx
cat -n ./src/App.jsx

Repository: tinkerhub/tink-her-hack-temp

Length of output: 1677

---

🏁 Script executed:

#!/bin/bash
# Read Calculator.jsx
cat -n ./src/components/Calculator.jsx

Repository: tinkerhub/tink-her-hack-temp

Length of output: 4978

---

Replace eval() with a safe math expression parser and clarify the hardcoded unlock code intent.

The eval(display) call in src/components/Calculator.jsx (line 32) is a critical code injection vulnerability. An attacker can input arbitrary JavaScript that will be executed. Replace this with a safe math expression parser like mathjs or a simple tokenizer.

Additionally, "1234=" is hardcoded as a universal unlock code in src/App.jsx (line 13) and src/components/Calculator.jsx (lines 26, 74). While this appears intentional for the disguised calculator design, add a clear comment explaining the security rationale, and consider allowing users to customize this default to prevent unauthorized access if the code becomes widely known.

🤖 Prompt for AI Agents

In `@src/App.jsx` around lines 11 - 25, The code uses eval(display) in
Calculator.jsx (replace that) which is a code-injection risk and the universal
unlock string '1234=' is hardcoded in App.jsx handleUnlock and in
Calculator.jsx; fix by swapping eval for a safe math expression evaluator (e.g.,
integrate mathjs or implement a simple tokenizer/evaluator and use that in the
Calculator component where eval(display) is called), update Calculator methods
that rely on eval to call the safe parser, and make the unlock code configurable
instead of hardcoded by exposing it via a prop/state or config (or per-user
secret stored on the user object) and add a clear comment in handleUnlock and
Calculator explaining the intentional disguised-calculator behavior and security
considerations so future maintainers know why a default exists and how to
customize it.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's locate and examine the Calculator.jsx file
find . -name "Calculator.jsx" -type f

Repository: tinkerhub/tink-her-hack-temp

Length of output: 103

---

🏁 Script executed:

# Also check if mathjs is already in the project dependencies
if [ -f "package.json" ]; then cat package.json | grep -i mathjs; fi
if [ -f "package-lock.json" ]; then head -20 package-lock.json; fi

Repository: tinkerhub/tink-her-hack-temp

Length of output: 531

---

🌐 Web query:

mathjs evaluate function security alternative eval javascript

💡 Result:

• Don’t use eval() for user input. It executes arbitrary JavaScript in the caller’s scope and is a well-known injection/XSS sink. [1]
• mathjs.evaluate() is a security-oriented alternative for math expressions: mathjs parses input into an AST and (in mathjs v4+) explicitly does not use JavaScript eval under the hood, and it blocks access to eval / new Function. [2] It also rejects expressions using blacklisted symbols. [3]
• Still treat “user-defined expressions” as untrusted code: mathjs notes there can be unknown vulnerabilities and calls out higher-risk functions like import and createUnit (they can change/override functionality). [2]
• Hardening approach (recommended with mathjs): create your own instance and override/disable dangerous functions (example shown in mathjs security docs disables import, createUnit, and also disables meta-functions like parse/simplify/derivative/evaluate from inside expressions). [2]
• Isolation for DoS/stability: mathjs warns about heavy expressions (CPU/memory blowups) and suggests running evaluation in a Web Worker / child_process so you can kill runaway jobs. [2]

Other libraries:

• expr-eval is commonly used as an “eval alternative” for math. [4] But it had a recent critical RCE vulnerability (CVE-2025-12735) affecting versions ≤ 2.0.2, fixed in 2.0.3+ (so if you use it, pin/upgrade and be careful about what you pass in the variables/context object). [5]

Sources:
[1] MDN eval() security warning. [1]
[2] mathjs expression security docs (sandboxing, no eval in v4+, risky functions, hardening + worker isolation). [2]
[3] mathjs parsing/evaluate docs (blacklisted symbols; safer Map scope). [3]
[4] expr-eval repository description (“safer alternative to eval” for math expressions). [4]
[5] CVE-2025-12735 / expr-eval RCE reporting and fixed version. [5]

---

🏁 Script executed:

cat -n ./src/components/Calculator.jsx

Repository: tinkerhub/tink-her-hack-temp

Length of output: 4978

---

Critical: eval() enables arbitrary code execution.

User input is passed directly to eval(display) on line 32 with no sanitization. An attacker or curious user can execute arbitrary JavaScript (e.g., accessing document.cookie, localStorage, or calling fetch). This is a textbook code-injection vulnerability.

Replace eval with a safe math expression parser such as mathjs. Note: mathjs v4+ does not use JavaScript's eval internally, but you should harden the instance by disabling dangerous functions (import, createUnit) as documented in its security guide.

Proposed fix using mathjs

Install mathjs: npm install mathjs

 import React, { useState } from 'react';
 import './Calculator.css';
+import { evaluate } from 'mathjs';

                     } else {
-                        // Try to evaluate as math
-                        setDisplay(eval(display).toString());
+                        // Safely evaluate as math
+                        setDisplay(evaluate(display).toString());
                     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	} else {
	// Try to evaluate as math
	setDisplay(eval(display).toString());
	}
	import React, { useState } from 'react';
	import './Calculator.css';
	import { evaluate } from 'mathjs';
	// ... (rest of component code) ...
	} else {
	// Safely evaluate as math
	setDisplay(evaluate(display).toString());
	}

🧰 Tools

🪛 Biome (2.3.14)

[error] 32-32: eval() exposes to security risks and performance issues.

See the MDN web docs for more details.
Refactor the code so that it doesn't need to call eval().

(lint/security/noGlobalEval)

🤖 Prompt for AI Agents

In `@src/components/Calculator.jsx` around lines 30 - 33, The component currently
calls eval(display) inside the Calculator component (where setDisplay is used)
which allows arbitrary code execution; replace this with a safe math parser such
as mathjs: install mathjs, create a restricted mathjs instance (disable/import
and other dangerous functions like createUnit per mathjs security guide), then
call that instance's evaluate/parse on the display string and setDisplay to the
resulting value; wrap evaluation in try/catch to handle parse errors and avoid
executing any raw eval or Function constructors anywhere in the codebase.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Race condition: dual timeout can fire sendSOSWithoutLocation twice.

The manual setTimeout (line 26, 5 s) and the Geolocation API's own timeout: 5000 (line 57) create a race. Both can trigger sendSOSWithoutLocation:

1. Manual setTimeout fires at 5 s → calls sendSOSWithoutLocation.
2. Geolocation times out → error callback → clearTimeout is a no-op (already fired) → calls sendSOSWithoutLocation again.

This sends two SOS alerts for a single button press. Use a guard flag or remove the manual timeout since the Geolocation API already supports a timeout option.

Proposed fix: remove the redundant manual timeout

     const handleSOS = () => {
-        console.log('SOS button clicked!');
-        console.log('User:', user);
-
         setSending(true);
-        console.log('Starting SOS process...');
 
         if (!navigator.geolocation) {
-            console.log('Geolocation not available');
             sendSOSWithoutLocation();
             return;
         }
 
-        console.log('Requesting geolocation...');
-        const timeoutId = setTimeout(() => {
-            console.log('Geolocation timeout, sending without location');
-            sendSOSWithoutLocation();
-        }, 5000);
-
         navigator.geolocation.getCurrentPosition(
             async (position) => {
-                clearTimeout(timeoutId);
                 const location = {
                     lat: position.coords.latitude,
                     lng: position.coords.longitude
                 };
-                console.log('Got location:', location);
 
                 try {
-                    console.log('Sending SOS with location to backend...');
                     const response = await axios.post('/api/sos', { userId: user.id, location });
-                    console.log('SOS response:', response.data);
                     alert('SOS ALERT SENT! Help is on the way. Location shared.');
                     setSending(false);
                 } catch (err) {
                     console.error('Error sending SOS:', err);
                     alert('Failed to send alert. Please try again.');
                     setSending(false);
                 }
             },
             (error) => {
-                clearTimeout(timeoutId);
                 console.error('Geolocation error:', error);
                 sendSOSWithoutLocation();
             },
             { timeout: 5000, enableHighAccuracy: false }
         );
     };

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const timeoutId = setTimeout(() => {
	console.log('Geolocation timeout, sending without location');
	sendSOSWithoutLocation();
	}, 5000);
	navigator.geolocation.getCurrentPosition(
	async (position) => {
	clearTimeout(timeoutId);
	const location = {
	lat: position.coords.latitude,
	lng: position.coords.longitude
	};
	console.log('Got location:', location);
	try {
	console.log('Sending SOS with location to backend...');
	const response = await axios.post('/api/sos', { userId: user.id, location });
	console.log('SOS response:', response.data);
	alert('SOS ALERT SENT! Help is on the way. Location shared.');
	setSending(false);
	} catch (err) {
	console.error('Error sending SOS:', err);
	alert('Failed to send alert. Please try again.');
	setSending(false);
	}
	},
	(error) => {
	clearTimeout(timeoutId);
	console.error('Geolocation error:', error);
	sendSOSWithoutLocation();
	},
	{ timeout: 5000, enableHighAccuracy: false }
	);
	navigator.geolocation.getCurrentPosition(
	async (position) => {
	const location = {
	lat: position.coords.latitude,
	lng: position.coords.longitude
	};
	try {
	const response = await axios.post('/api/sos', { userId: user.id, location });
	alert('SOS ALERT SENT! Help is on the way. Location shared.');
	setSending(false);
	} catch (err) {
	console.error('Error sending SOS:', err);
	alert('Failed to send alert. Please try again.');
	setSending(false);
	}
	},
	(error) => {
	console.error('Geolocation error:', error);
	sendSOSWithoutLocation();
	},
	{ timeout: 5000, enableHighAccuracy: false }
	);

🤖 Prompt for AI Agents

In `@src/components/SOS.jsx` around lines 26 - 58, The manual setTimeout
(timeoutId) races with navigator.geolocation.getCurrentPosition's timeout and
can call sendSOSWithoutLocation twice; remove the manual setTimeout and its
clearTimeout calls and rely on the Geolocation API's { timeout: 5000 } option so
only the geolocation error callback calls sendSOSWithoutLocation, keeping the
existing success and error handlers (references: timeoutId,
sendSOSWithoutLocation, navigator.geolocation.getCurrentPosition, the success
callback that posts to /api/sos, and the error callback).

[coderabbitai]

Actionable comments posted: 4

🤖 Fix all issues with AI agents

In `@README.md`:
- Around line 52-56: The feature list entries (Feature 1..Feature 4) contain
all-caps text, spelling mistakes (e.g., "PEROID", "REILEF"), and awkward
phrasing; update each item to use sentence case, correct spelling, and concise,
user-facing descriptions: revise "Feature 1" to "Period tracker for women" (or
similar), "Feature 2" to describe the emergency button and sanitary-napkin
availability, "Feature 3" to describe support resources such as stress relief
and help channels, and "Feature 4" to describe Google Maps integration and
location sharing; keep each feature short, clear, and consistently formatted.
- Around line 65-66: The installation code block is malformed and missing a
fenced opening with a language tag; fix the block by adding a proper opening
fence with "bash" before the commands so it becomes a fenced code block
containing the two commands "npm install" and "npm run dev" and keep the
existing closing fence, ensuring the block uses ```bash to satisfy markdownlint.
- Around line 110-143: The API section has merged headings and typos that hide
endpoints; split headings and correct typos so each section and endpoint is
clear. Specifically: fix "logineriod" to the auth endpoint "POST
/api/auth/login" and ensure "Authentication" is a separate heading; move "Period
Tracking" (or "Cycles/Period Tracking") above the cycle endpoints GET
/api/cycles/:userId, POST /api/cycles, DELETE /api/cycles/:cycleId; correct
"ommunity Helpers" to "Community Helpers" and keep its endpoints (POST
/api/helpers/register, GET /api/helpers, GET /api/helpers/status/:userId, DELETE
/api/helpers/:userId) under that heading; normalize "Pad Requests" and
"Sisterhood Posts" headings (capitalize consistently) and ensure the pad and
post endpoints (POST /api/pad-request, GET /api/pad-requests/nearby/:userId, GET
/api/pad-requests/my/:userId, POST /api/pad-request/fulfill, GET /api/posts,
POST /api/posts, GET /api/posts/:postId, POST /api/posts/:postId/like, GET
/api/posts/:postId/liked/:userId, POST /api/posts/:postId/comment) are listed
under the correct headings.
- Around line 86-95: The README contains invalid image markdown where HTML is
embedded inside the alt text for the three images (labels "Screenshot1",
"Screenshot2", "Screenshot3"); update each to use proper Markdown image syntax:
replace lines like ![<img ... src="...">](...) with ![Descriptive
caption](https://github.com/user-attachments/... ) using the raw image URL as
the link and a short descriptive alt text (e.g., "Screenshot 1 - <what it
shows>"), and then add the caption text on the following line (e.g., *Caption
explaining what this shows*); ensure all three image blocks (Screenshot1,
Screenshot2, Screenshot3) are fixed consistently so they render correctly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Feature list needs spelling/grammar cleanup for readability.

Current all-caps text and typos (“PEROID”, “REILEF”) reduce clarity.

✏️ Proposed rewrite

-- Feature 1:  IT CONTAIN THE  PEROID TRACKER FOR THE WOMEN
-- Feature 2: [IT BASICALLY ADD THAT THE  AND EMERGENCY BUTTON IF ANYBODY OF THE CONTAIN THE  SANITARY NAPKINS IN IT]
-- Feature 3: [CONTAIN THE SUPPORT SYSTEM FOR THE WOMEN NEEDED  LIKE THE STRESS REILEF FOR THE USERS]
-- Feature 4: [IT IS INTEGRATED  WITH THE GOOGLE MAP AND HELP THE USER TO SHARE THE LOCATION]
+- Feature 1: Period tracker for women.
+- Feature 2: Emergency button to request sanitary pads.
+- Feature 3: Support system with stress‑relief resources.
+- Feature 4: Google Maps integration to share location.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- Feature 1: IT CONTAIN THE PEROID TRACKER FOR THE WOMEN
	- Feature 2: [IT BASICALLY ADD THAT THE AND EMERGENCY BUTTON IF ANYBODY OF THE CONTAIN THE SANITARY NAPKINS IN IT]
	- Feature 3: [CONTAIN THE SUPPORT SYSTEM FOR THE WOMEN NEEDED LIKE THE STRESS REILEF FOR THE USERS]
	- Feature 4: [IT IS INTEGRATED WITH THE GOOGLE MAP AND HELP THE USER TO SHARE THE LOCATION]
	- Feature 1: Period tracker for women.
	- Feature 2: Emergency button to request sanitary pads.
	- Feature 3: Support system with stress‑relief resources.
	- Feature 4: Google Maps integration to share location.

🧰 Tools

🪛 LanguageTool

[grammar] ~52-~52: Ensure spelling is correct
Context: ...r project: - Feature 1: IT CONTAIN THE PEROID TRACKER FOR THE WOMEN - Feature 2: [IT ...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[grammar] ~54-~54: Ensure spelling is correct
Context: ...M FOR THE WOMEN NEEDED LIKE THE STRESS REILEF FOR THE USERS] - Feature 4: [IT IS INTE...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents

In `@README.md` around lines 52 - 56, The feature list entries (Feature 1..Feature
4) contain all-caps text, spelling mistakes (e.g., "PEROID", "REILEF"), and
awkward phrasing; update each item to use sentence case, correct spelling, and
concise, user-facing descriptions: revise "Feature 1" to "Period tracker for
women" (or similar), "Feature 2" to describe the emergency button and
sanitary-napkin availability, "Feature 3" to describe support resources such as
stress relief and help channels, and "Feature 4" to describe Google Maps
integration and location sharing; keep each feature short, clear, and
consistently formatted.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix the installation code block (malformed + missing language).

The block has no opening fence and fails markdownlint for missing language.

✏️ Proposed fix

-[Installation commands - pm install and npm run dev]
-```
+```bash
+npm install
+npm run dev
+```

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	[Installation commands - pm install and npm run dev]
	```

🧰 Tools

🪛 markdownlint-cli2 (0.20.0)

[warning] 66-66: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

In `@README.md` around lines 65 - 66, The installation code block is malformed and
missing a fenced opening with a language tag; fix the block by adding a proper
opening fence with "bash" before the commands so it becomes a fenced code block
containing the two commands "npm install" and "npm run dev" and keep the
existing closing fence, ensuring the block uses ```bash to satisfy markdownlint.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Screenshots markdown is invalid (HTML inside alt text).

The current syntax won’t render images reliably. Use standard markdown with the raw image URL.

🖼️ Proposed fix

-![<img width="1600" height="900" alt="image" src="https://github.com/user-attachments/assets/0a97b06e-efde-4a3b-94f7-41ca1e4f7f93" />
-](Add screenshot 1 here with proper name)
+![Screenshot 1](https://github.com/user-attachments/assets/0a97b06e-efde-4a3b-94f7-41ca1e4f7f93)

-![Screenshot2](<img width="1600" height="900" alt="image" src="https://github.com/user-attachments/assets/af1f682c-393d-474c-bbb1-9203aefc9b18" />
-)
+![Screenshot 2](https://github.com/user-attachments/assets/af1f682c-393d-474c-bbb1-9203aefc9b18)

-![Screenshot3](<img width="1600" height="900" alt="image" src="https://github.com/user-attachments/assets/4fbff95c-bcae-42e5-81fa-ce8498847e6c" />
-)
+![Screenshot 3](https://github.com/user-attachments/assets/4fbff95c-bcae-42e5-81fa-ce8498847e6c)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	![<img width="1600" height="900" alt="image" src="https://github.com/user-attachments/assets/0a97b06e-efde-4a3b-94f7-41ca1e4f7f93" />
	](Add screenshot 1 here with proper name)
	*Add caption explaining what this shows*
	
	![Screenshot2](<img width="1600" height="900" alt="image" src="https://github.com/user-attachments/assets/af1f682c-393d-474c-bbb1-9203aefc9b18" />
	)
	*Add caption explaining what this shows*
	
	![Screenshot3](<img width="1600" height="900" alt="image" src="https://github.com/user-attachments/assets/4fbff95c-bcae-42e5-81fa-ce8498847e6c" />
	)
	
	*Add caption explaining what this shows*
	
	*Add caption explaining what this shows*
	

🤖 Prompt for AI Agents

In `@README.md` around lines 86 - 95, The README contains invalid image markdown
where HTML is embedded inside the alt text for the three images (labels
"Screenshot1", "Screenshot2", "Screenshot3"); update each to use proper Markdown
image syntax: replace lines like ![<img ... src="...">](...) with ![Descriptive
caption](https://github.com/user-attachments/... ) using the raw image URL as
the link and a short descriptive alt text (e.g., "Screenshot 1 - <what it
shows>"), and then add the caption text on the following line (e.g., *Caption
explaining what this shows*); ensure all three image blocks (Screenshot1,
Screenshot2, Screenshot3) are fixed consistently so they render correctly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

API section has merged headings/typos that obscure endpoints.

Several headings are merged into routes (e.g., “logineriod”, “ommunity”). This makes the API list ambiguous.

🧭 Proposed fix

-API Documentation
-Authentication 
-
-POST /api/auth/register
-
-POST /api/auth/logineriod Tracking 
+API Documentation
+Authentication
+POST /api/auth/register
+POST /api/auth/login
+
+Period Tracking
 GET /api/cycles/:userId
 POST /api/cycles
 DELETE /api/cycles/:cycleId
-
-Pad Requests 
+Pad Requests
 POST /api/pad-request
 GET /api/pad-requests/nearby/:userId
 GET /api/pad-requests/my/:userId
 POST /api/pad-request/fulfill
-
-ommunity Helpers 
+Community Helpers
 POST /api/helpers/register
 GET /api/helpers
 GET /api/helpers/status/:userId
 DELETE /api/helpers/:userId
-
-sisterhood Posts 
+Sisterhood Posts
 GET /api/posts
 POST /api/posts
 GET /api/posts/:postId
 POST /api/posts/:postId/like
 GET /api/posts/:postId/liked/:userId
 POST /api/posts/:postId/comment

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	API Documentation
	Authentication
	
	*Explain the user flow through your application*
	POST /api/auth/register
	#### Installation Guide
	POST /api/auth/logineriod Tracking
	**For Android (APK):**
	1. Download the APK from [Release Link]
	2. Enable "Install from Unknown Sources" in your device settings:
	- Go to Settings > Security
	- Enable "Unknown Sources"
	3. Open the downloaded APK file
	4. Follow the installation prompts
	5. Open the app and enjoy!
	GET /api/cycles/:userId
	POST /api/cycles
	DELETE /api/cycles/:cycleId
	**For iOS (IPA) - TestFlight:**
	1. Download TestFlight from the App Store
	2. Open this TestFlight link: [Your TestFlight Link]
	3. Click "Install" or "Accept"
	4. Wait for the app to install
	5. Open the app from your home screen
	Pad Requests
	**Building from Source:**
	```bash
	# For Android
	flutter build apk
	# or
	./gradlew assembleDebug
	# For iOS
	flutter build ios
	# or
	xcodebuild -workspace App.xcworkspace -scheme App -configuration Debug
	```
	POST /api/pad-request
	GET /api/pad-requests/nearby/:userId
	GET /api/pad-requests/my/:userId
	POST /api/pad-request/fulfill
	---
	ommunity Helpers
	### For Hardware Projects:
	POST /api/helpers/register
	GET /api/helpers
	GET /api/helpers/status/:userId
	DELETE /api/helpers/:userId
	#### Bill of Materials (BOM)
	sisterhood Posts
	| Component | Quantity | Specifications | Price | Link/Source |
	|-----------|----------|----------------|-------|-------------|
	| Arduino Uno | 1 | ATmega328P, 16MHz | ₹450 | [Link] |
	| LED | 5 | Red, 5mm, 20mA | ₹5 each | [Link] |
	| Resistor | 5 | 220Ω, 1/4W | ₹1 each | [Link] |
	| Breadboard | 1 | 830 points | ₹100 | [Link] |
	| Jumper Wires | 20 | Male-to-Male | ₹50 | [Link] |
	| [Add more...] | | | | |
	GET /api/posts
	POST /api/posts
	GET /api/posts/:postId
	POST /api/posts/:postId/like
	GET /api/posts/:postId/liked/:userId
	POST /api/posts/:postId/comment
	API Documentation
	Authentication
	POST /api/auth/register
	POST /api/auth/login
	Period Tracking
	GET /api/cycles/:userId
	POST /api/cycles
	DELETE /api/cycles/:cycleId
	Pad Requests
	POST /api/pad-request
	GET /api/pad-requests/nearby/:userId
	GET /api/pad-requests/my/:userId
	POST /api/pad-request/fulfill
	Community Helpers
	POST /api/helpers/register
	GET /api/helpers
	GET /api/helpers/status/:userId
	DELETE /api/helpers/:userId
	Sisterhood Posts
	GET /api/posts
	POST /api/posts
	GET /api/posts/:postId
	POST /api/posts/:postId/like
	GET /api/posts/:postId/liked/:userId
	POST /api/posts/:postId/comment

🧰 Tools

🪛 LanguageTool

[grammar] ~127-~127: Ensure spelling is correct
Context: .../:userId POST /api/pad-request/fulfill ommunity Helpers POST /api/helpers/register GE...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents

In `@README.md` around lines 110 - 143, The API section has merged headings and
typos that hide endpoints; split headings and correct typos so each section and
endpoint is clear. Specifically: fix "logineriod" to the auth endpoint "POST
/api/auth/login" and ensure "Authentication" is a separate heading; move "Period
Tracking" (or "Cycles/Period Tracking") above the cycle endpoints GET
/api/cycles/:userId, POST /api/cycles, DELETE /api/cycles/:cycleId; correct
"ommunity Helpers" to "Community Helpers" and keep its endpoints (POST
/api/helpers/register, GET /api/helpers, GET /api/helpers/status/:userId, DELETE
/api/helpers/:userId) under that heading; normalize "Pad Requests" and
"Sisterhood Posts" headings (capitalize consistently) and ensure the pad and
post endpoints (POST /api/pad-request, GET /api/pad-requests/nearby/:userId, GET
/api/pad-requests/my/:userId, POST /api/pad-request/fulfill, GET /api/posts,
POST /api/posts, GET /api/posts/:postId, POST /api/posts/:postId/like, GET
/api/posts/:postId/liked/:userId, POST /api/posts/:postId/comment) are listed
under the correct headings.