Skip to content

Fix critical auth, billing, and safe-replacement regressions#114

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/critical-bug-investigation-3cf2
Draft

Fix critical auth, billing, and safe-replacement regressions#114
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/critical-bug-investigation-3cf2

Conversation

@cursor

@cursor cursor Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bug and impact

  • Unauthenticated /api/code-completion could invoke AI completion and fall back to repo file summaries across all tenants.
  • Project milestone PATCH/DELETE authenticated the caller but mutated by milestone id alone, allowing cross-project/cross-user modification or deletion.
  • Scaffold generation trusted an optional body userId and deducted credits only after success, allowing free usage or charging another user.
  • Build This App created GitHub repos publicly, did not charge credits, and reported done after generation/push failures by pushing placeholder or partial output.
  • Analysis reruns deleted existing blueprints before scanning/AI/database replacement succeeded, so transient failures could wipe previously completed results.
  • Credit deduction/refund/grant helpers used stale read-modify-write balance updates, allowing concurrent paid actions to overspend or lose balance changes.

Root cause

Recent paid-action and project route changes added feature gates and auth checks but did not bind database mutations and billing to the authenticated user at the SQL/helper boundary. Several failure paths logged warnings or deleted old state before replacement work completed.

Fix

  • Require authenticated users for code completion and scope fallback snippets through repositories.user_id.
  • Scope milestone PATCH/DELETE by route project id plus authenticated user id.
  • Precharge scaffold/build actions to user.id and refund on downstream failures.
  • Make GitHub build repos private, dedupe generated paths, and emit terminal SSE error on generation or push failure.
  • Replace analysis blueprints with a single atomic SQL statement after valid new blueprints are available.
  • Make shared credit mutations compute balances in SQL instead of stale read-modify-write logic.

Validation

  • pnpm exec tsc --noEmit passed.
  • Focused ESLint on changed runtime files passed with only the pre-existing lib/queries.ts unused allowed warning.
  • git diff --check passed.
  • Static invariant checks confirmed auth, tenant predicates, private repo creation, refund calls, and terminal error paths.
  • Local Next dev-server unauthenticated probes returned clean failures: code-completion POST 401, code-completion PUT 401, scaffold POST 401, milestone PATCH 401, build-app SSE Sign in before building an app.
Open in Web View Automation 

Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
repo-app-architect Ready Ready Preview, Comment Jul 8, 2026 11:09am
repofuse Ready Ready Preview, Comment, Open in v0 Jul 8, 2026 11:09am
v0-repo-app-architect Ready Ready Preview, Comment, Open in v0 Jul 8, 2026 11:09am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant