Skip to content

Fix critical auth, billing, and data-loss regressions#116

Draft
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-407d
Draft

Fix critical auth, billing, and data-loss regressions#116
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/critical-bug-investigation-407d

Conversation

@cursor

@cursor cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bug and impact

  • Milestone PATCH/DELETE accepted any authenticated user with a milestone UUID, enabling cross-tenant project milestone modification/deletion.
  • Several paid AI routes trusted client-supplied billing identity, charged before validation without refunds, or allowed unauthenticated/free AI usage.
  • Analysis reruns deleted saved blueprints before replacement generation succeeded, causing permanent blueprint loss on failures.
  • Build This App created public GitHub repos and reported success after generation/push failures, leaving broken deliverables.
  • Code completion exposed global repository file summaries to unauthenticated callers.

Root cause

  • Route handlers authenticated inconsistently and did not always carry authenticated user/project scope into SQL helpers.
  • Credit helpers used read-modify-write balance updates, and route billing happened in the wrong phase of the workflow.
  • Analysis reruns used destructive delete-before-generate behavior.
  • Build push helpers logged failures instead of throwing.

Fix

  • Scope milestone SQL by route project ID and authenticated user ID.
  • Require auth for code completion and scope fallback snippets through repository ownership.
  • Bind scaffold/legacy analyze/build billing to user.id, use atomic credit deduction/refund SQL, and refund post-charge failures.
  • Validate App Idea Chat / Pattern Analyzer before charging and refund AI/parse failures.
  • Replace analysis blueprints only after valid AI output using a Neon transaction.
  • Make GitHub build repos private, dedupe file paths, and fail SSE streams on generation/push errors instead of emitting done.
  • Add scripts/critical-regression-check.mjs to lock key invariants.

Validation

  • node scripts/critical-regression-check.mjs
  • git diff --check HEAD~2..HEAD
  • pnpm exec tsc --noEmit
  • pnpm exec eslint app/api/projects/[id]/milestones/[milestoneId]/route.ts lib/queries.ts lib/credits.ts app/api/generate-scaffold/route.ts app/api/analyses/[id]/analyze/route.ts app/api/app-idea-chat/route.ts app/api/pattern-analyzer/route.ts app/api/analyses/[id]/run/route.ts app/api/build-app/route.ts app/api/code-completion/route.ts (passes with one pre-existing lib/queries.ts warning)
  • Dev-server unauthenticated probes confirmed protected routes return 401/error before DB/AI work.
Open in Web View Automation 

cursoragent and others added 2 commits July 10, 2026 11:13
Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
repo-app-architect Ready Ready Preview, Comment Jul 10, 2026 11:15am
repofuse Ready Ready Preview, Comment, Open in v0 Jul 10, 2026 11:15am
v0-repo-app-architect Ready Ready Preview, Comment, Open in v0 Jul 10, 2026 11:15am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant