Skip to content

Fix critical auth, billing, and data-loss regressions#117

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/critical-bug-investigation-38bd
Draft

Fix critical auth, billing, and data-loss regressions#117
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/critical-bug-investigation-38bd

Conversation

@cursor

@cursor cursor Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Bug and impact

  • Public API routes allowed unauthenticated paid AI usage and cross-tenant snippet access (/api/code-completion, legacy analysis).
  • Project milestone PATCH/DELETE could mutate other users' milestones by guessed ID.
  • Analysis reruns deleted existing blueprints before replacement generation succeeded, causing data loss on AI/DB failures.
  • Build This App created public GitHub repos, swallowed generation/push failures, and did not charge/refund reliably.
  • Paid scaffold/chat/analyzer routes could charge the wrong user, skip charges, or keep credits after failures.
  • Credit deduction/grant paths were non-atomic or non-idempotent, enabling races and duplicate Stripe grants.

Root cause

Several route handlers trusted client-supplied IDs or relied on UI/middleware protection instead of authenticating/scoping at the API boundary. Credit balance changes used read-modify-write updates, and long-running AI/build flows performed destructive or billable side effects before their success conditions were known.

Fix

  • Added authenticated-user binding and owner-scoped SQL to critical API routes and milestone helpers.
  • Made credit grant/deduct/refund/renewal updates single-statement balance mutations; added Stripe credit idempotency key migration and webhook metadata.
  • Changed analysis reruns to insert replacement blueprints first, clean partial inserts on failure, and delete old blueprints only after replacements exist.
  • Added atomic free-tier analysis usage reservation with release on failed runs.
  • Made Build This App private by default, precharge/refund on incomplete builds, de-duplicate file paths, and emit terminal SSE errors on generation/push failures.
  • Added scripts/critical-regression-check.mjs to lock the critical invariants.

Validation performed

  • node scripts/critical-regression-check.mjs passed.
  • pnpm exec tsc --noEmit passed.
  • Targeted ESLint on changed runtime files passed with one pre-existing lib/queries.ts warning (allowed unused).
  • git diff --check HEAD~1..HEAD passed.
  • Local Next dev-server unauthenticated probes passed for code-completion, legacy analyze, pattern-analyzer, milestone PATCH/DELETE, build-app SSE, and analysis-run SSE guards.
Open in Web View Automation 

Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
@vercel

vercel Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
repo-app-architect Ready Ready Preview, Comment Jul 12, 2026 11:12am
repofuse Ready Ready Preview, Comment, Open in v0 Jul 12, 2026 11:12am
v0-repo-app-architect Ready Ready Preview, Comment, Open in v0 Jul 12, 2026 11:12am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant