Skip to content

Fix critical auth, billing, and data-safety regressions#115

Draft
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-447c
Draft

Fix critical auth, billing, and data-safety regressions#115
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-447c

Conversation

@cursor

@cursor cursor Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bug and impact

  • Analysis reruns deleted existing blueprints before scanning/AI/db replacement succeeded, causing permanent blueprint data loss on any rerun failure.
  • Project milestone PATCH/DELETE accepted any authenticated caller with a milestone UUID, allowing cross-user milestone tampering/deletion.
  • /api/code-completion was unauthenticated and its fallback snippets queried reusable file summaries across all tenants.
  • Paid AI routes trusted client/user-controlled billing or failed after charging without refunds, causing credit theft, skipped billing, or lost credits.
  • Build This App could report success after generation/push failures and created GitHub repositories public by default.

Root cause

Recent route/query changes authenticated some entry points but did not carry authenticated user.id through downstream SQL/billing helpers, and analysis/build paid-action flows performed destructive or chargeable side effects before downstream success was known.

Fix

  • Replace blueprints atomically only after valid replacements are ready and fail closed on truncated analysis output.
  • Scope milestone mutations by route project id and authenticated owner in SQL.
  • Require auth for code-completion and scope fallback snippets through repository owner.
  • Charge scaffold/build/pattern/chat actions to the authenticated user only, make credit mutations atomic SQL operations, and refund charged AI actions on downstream failures.
  • Make GitHub build repos private, dedupe generated paths, and turn generation/push failures into terminal SSE errors.

Validation

  • pnpm exec tsc --noEmit passed.
  • Targeted ESLint on changed files passed with only the known pre-existing lib/queries.ts unused-variable warning.
  • git diff --check origin/main..HEAD passed.
  • Focused invariant harness validated 18 source guards for auth, owner scoping, atomic replacement, private repos, terminal build errors, atomic credits, and refunds.
  • Local dev-server unauth probes returned 401 for code-completion POST/PUT, milestone PATCH, and pattern-analyzer POST; build-app SSE returned Sign in before building an app.
  • Scaffold and app-idea-chat returned expected 503 in this env before auth because no AI key is configured; their auth/billing/refund guards were covered by the invariant harness.
Open in Web View Automation 

cursoragent and others added 2 commits July 9, 2026 11:06
Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
@vercel

vercel Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
repo-app-architect Ready Ready Preview, Comment Jul 9, 2026 11:11am
repofuse Ready Ready Preview, Comment, Open in v0 Jul 9, 2026 11:11am
v0-repo-app-architect Ready Ready Preview, Comment, Open in v0 Jul 9, 2026 11:11am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant