Feature/custom settings domain
- Fix "QR code is empty" error by adding fallback URL in qr-code-helpers.ts
- Fix localStorage SecurityError by creating safeLocalStorage utility
- Add suppressHydrationWarning to body element to reduce DOM errors
- Filter browser extension errors in Sentry beforeSend hook
Fixes QRCODLY-1V, QRCODLY-35, QRCODLY-3F, QRCODLY-3C
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add preconnect/dns-prefetch hints for Clerk domain
- Add font-display: swap to prevent FOIT
- Add dynamic imports for below-the-fold components (Features, CTA, FAQ)
- Add AVIF image format support for better compression
- Add optimizePackageImports for heroicons, lucide, framer-motion, recharts
- Add bundle analyzer configuration (ANALYZE=true)
- Add Service Worker for PWA caching
- Update PWA manifest with proper configuration
- Add LazyMotion wrapper for framer-motion
Lighthouse scores:
- FCP: 0.3s, LCP: 1.0s, TBT: 0ms, CLS: 0.004
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove unused reference field from EPC schema and form
- Rename text field to purpose for clarity
- Update all 8 translation files (en, de, es, fr, it, nl, pl, ru)
- Update backend test utilities
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove service worker registration as it's not needed for this application. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove reference field tests
- Rename text to purpose in validation tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Chore/epc qr code
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Create QrcodlyLogo component with stylized QR code icon + text
- Integrate logo in Header, Footer, NoNavHeader, and mobile drawer
- Responsive text sizing (text-xl on XS, text-3xl on sm+)
- Generate favicons with white rounded card background for dark mode visibility
- Add SVG favicon as primary icon with PNG fallbacks
- Add logo to all 5 email templates using hosted image URL with table-based layout
- Pass logoUrl to all billing event handlers and cron jobs
- Add send-test-emails script for email template previewing
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…an up controllers
- Rename `services/` to `service/` in billing and url-shortener modules for consistency
- Extract content update strategy pattern for QR code updates (URL, vCard, default)
- Simplify controllers by leveraging AbstractController helpers
- Clean up abstract repository, base use-case interface, and Fastify helpers
- Remove unused test-smtp script
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…d and generator
- Extract QrCodeDialogs, QrCodeNameCell, QrCodePreviewCell from QR code list
- Add use-url-pagination-sync hook for URL-based pagination state
- Simplify QrCodeList, QrCodeFilters, and ListItem components
- Clean up QR generator components (SaveQrCodeBtn, UpdateQrCodeBtn, UrlSection, IconPicker)
- Simplify API client helpers and Zustand store
- Clean up i18n routing and analytics middleware
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rewrite root README with monorepo structure, tech stack, quick start guide, and scripts
- Create per-app READMEs for backend, frontend, browser extension, and shared package
- Improve CONTRIBUTING.md with local setup instructions and pr:precheck note
- Add description, repository, homepage, license, author, and keywords to package.json
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…polished UX
Rewrite the browser extension from a minimal POC to a full-featured Chrome extension that reuses the frontend QR generator components via a shim pattern (matching the desktop app approach).
Key changes:
- Add Clerk auth with syncSessionWithTab for seamless session sharing
- Add 16 shim files mapping Next.js imports to extension-compatible equivalents
- Rewrite Vite config with extensionAliasPlugin for frontend component reuse
- Add splash screen with animated QR grid loading effect
- Replace content type tabs with shadcn Select dropdown in compact mode
- Fix API path prefix (/api/v1) and symlink frontend icons
- Add S3, Clerk, and other host_permissions to manifest
- Update to proper 48px/128px extension icons
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Validates CSV files immediately on upload before sending to the backend. Shows a table-based error view highlighting issues per row/field (wrong delimiter, missing columns, invalid values). Responsive layout with translations for all 8 locales. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Full-stack implementation: backend module with encrypted credentials, provider registry, scan event forwarding; frontend settings page with provider cards and configuration dialogs; feature spotlight on /features page with IntegrationsMockup; documentation at /docs/guides/analytics-integrations; translations for all 8 locales; shared DTOs and validation schemas. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…fix mobile alignment
- Simplify GA4/Matomo descriptions across all 8 locales to remove technical jargon (Measurement Protocol, Tracking API) and focus on user benefit
- Add lg:max-w-[80%] to integrations page header description for better readability
- Add ml-[60px] sm:ml-0 to Pro badge wrapper on integrations and custom domains pages for proper mobile alignment
- Simplify docs guide intro and provider descriptions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rename domainsDisabledAt → proFeaturesDisabledAt and expand disable/enable use cases to cover both custom domains and analytics integrations when a Pro subscription expires or is reactivated.
- DB migration to rename column
- New DisableProFeaturesUseCase / EnableProFeaturesUseCase replacing domain-only variants
- Cron job and event handlers updated to use generalized use cases
- Email templates updated to reference "Pro features" instead of just domains
- Frontend: show disabled state + alert banner when Pro expired on integrations
- Backend: block edit/test (but allow delete) on integrations without Pro
- Atomic failure counter in scan-tracking event handler (SQL increment)
- GA4 provider: use URLSearchParams, fail-closed validateCredentials
- Env validation: hex regex for ANALYTICS_ENCRYPTION_KEY
- Fix stale form state in ConfigureIntegrationDialog
- Restore global.fetch in GA4 provider tests
- Comprehensive tests for Pro feature enforcement and use cases
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…on, and misc improvements
- Show actual error message in lastError display instead of just the label
- Add SSRF protection to Matomo provider (block private/internal addresses)
- Fix IPv6 anonymization for compressed addresses (e.g. 2001:db8::1)
- Re-throw errors in scan-tracking event handler so Promise.allSettled counts failures correctly
- Add isProExpired guard to configure CTA in unconfigured state
- Add aria-label to integration toggle Switch for accessibility
- Remove createdBy from deletion log for privacy
- Remove unused CustomDomainRepository import in pro-features test
- Fix docs claiming "one or both providers" when limit is 1
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… improve docs and translations
- Fix findAll discarding withWhere/withPagination return values (query builder bug)
- Add clearCache() to repository update() for cache invalidation consistency
- Add atomic recordSuccess() method to avoid stale snapshot race conditions
- Remove GA4 debug endpoint from sendEvent hot path (reduces latency/dependency)
- Fix Matomo URL subpath handling (new URL('/matomo.php', base) dropped subpaths)
- Tighten SSRF: require HTTPS, broaden private IP range blocking
- Restore global.fetch in Matomo provider test (prevent cross-suite leakage)
- Soften GDPR compliance wording in docs
- Clarify GA4 credential verification limitations in docs
- Fix German translations: align formal/informal tone to du/dein
- Fix Dutch translation typo: metings-ID → meet-ID
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
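The Matomo URL handling these commit messages describe (HTTPS required, private address ranges blocked, subpath kept when building the `matomo.php` endpoint), as an added example that is not the project's code. All function and constant names are hypothetical, and only literal IP hosts and `localhost` are checked here; a hostname that resolves to an internal address needs a separate check at resolution time.

```javascript
// Added example; function and constant names are hypothetical, not the project's.
// Non-public IPv4 ranges as [network, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

const v4ToInt = (ip) =>
  ip.split('.').reduce((n, octet) => ((n << 8) | Number(octet)) >>> 0, 0);

function isBlockedV4(ip) {
  const addr = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
  });
}

// Loopback, unspecified, IPv4-mapped, unique-local (fc00::/7), link-local (fe80::/10).
function isBlockedV6(ip) {
  return ip === '::1' || ip === '::' || ip.startsWith('::ffff:') ||
    /^f[cd][0-9a-f]{2}:/.test(ip) || /^fe[89ab][0-9a-f]:/.test(ip);
}

function matomoEndpoint(baseUrl) {
  let base;
  try {
    base = new URL(baseUrl); // also normalizes forms like 2130706433 or 0x7f.1
  } catch {
    throw new Error('Invalid Matomo URL');
  }
  if (base.protocol !== 'https:') throw new Error('Matomo URL must use HTTPS');
  const host = base.hostname;
  const blocked = host.startsWith('[')
    ? isBlockedV6(host.slice(1, -1))
    : /^\d+\.\d+\.\d+\.\d+$/.test(host)
      ? isBlockedV4(host)
      : host === 'localhost' || host.endsWith('.localhost');
  if (blocked) throw new Error('Private or internal address not allowed');
  // new URL('/matomo.php', base) resolves from the origin root and drops a
  // subpath such as /analytics; resolve a relative name against a path ending in "/".
  if (!base.pathname.endsWith('/')) base.pathname += '/';
  base.search = '';
  base.hash = '';
  return new URL('matomo.php', base).href;
}
```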
Matomo silently discards requests from Node.js (undici User-Agent) due to bot detection. Adding bots=1 forces Matomo to record the request as a normal visit without passing any visitor User-Agent data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…t and fix test expectation
The test endpoint was missing the ensureProPlan authorization check, allowing free-plan users to test integrations. Also corrected the test expectation for unreachable Matomo URLs — credentialsVerified should be false when a network error occurs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…n delete
The DELETE request was failing because it sent Content-Type: application/json with no body, causing Fastify to reject it. Also replaced invalidateQueries with setQueryData(null) so the share dialog immediately reflects the deleted state instead of showing stale cached data.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…check, and index flexibility
- Add Zod bodySchema to track-scan endpoint to validate request body
- Wrap Matomo URL parsing in try-catch with user-friendly error message
- Re-validate merged credentials against provider schema on update
- Change uniqueIndex on createdBy to regular index for future multi-provider support
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
add analytics integrations feature (GA4 + Matomo)
| strategy: | ||
| matrix: | ||
| include: | ||
| - os: macos-latest | ||
| platform: mac | ||
| arch: arm64 | ||
| - os: macos-13 | ||
| platform: mac | ||
| arch: x64 | ||
| - os: windows-latest | ||
| platform: win | ||
| arch: x64 | ||
|
|
||
| runs-on: ${{ matrix.os }} | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: pnpm/action-setup@v4 | ||
| - uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 22 | ||
| cache: 'pnpm' | ||
|
|
||
| - name: Install dependencies | ||
| run: pnpm install | ||
|
|
||
| - name: Build Electron app | ||
| working-directory: apps/desktop | ||
| run: pnpm run build | ||
|
|
||
| - name: Package (macOS) | ||
| if: matrix.platform == 'mac' | ||
| working-directory: apps/desktop | ||
| env: | ||
| CSC_LINK: ${{ secrets.MAC_CERTIFICATE }} | ||
| CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }} | ||
| APPLE_ID: ${{ secrets.APPLE_ID }} | ||
| APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} | ||
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: pnpm run package:mac -- --${{ matrix.arch }} | ||
|
|
||
| - name: Package (Windows) | ||
| if: matrix.platform == 'win' | ||
| working-directory: apps/desktop | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: pnpm run package:win | ||
|
|
||
| - name: Upload artifacts | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: desktop-${{ matrix.platform }}-${{ matrix.arch }} | ||
| path: | | ||
| apps/desktop/release/*.dmg | ||
| apps/desktop/release/*.zip | ||
| apps/desktop/release/*.exe | ||
| apps/desktop/release/*.blockmap | ||
| apps/desktop/release/latest*.yml | ||
| if-no-files-found: error | ||
|
|
||
| publish: |
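Review bot: `actions/checkout@v5`, `pnpm/action-setup@v4` and `actions/setup-node@v6` at the top of the build job's `steps:` are referenced by mutable tags, and the same job later hands `MAC_CERTIFICATE`, `APPLE_ID_PASSWORD` and `GITHUB_TOKEN` to its Package steps. Pin each `uses:` to a full commit SHA (keeping the tag as a trailing comment) so a retagged action cannot change what runs in a job that handles signing material; the same applies to `actions/upload-artifact@v4` in the last step.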
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 months ago
In general, fix this by adding an explicit permissions block with the narrowest required scopes. For this build job, the steps only need to read the repository (for actions/checkout) and use artifacts; no writes to repo contents or other resources are needed.
The best targeted fix is to add a permissions block under jobs.build with contents: read. This leaves the existing publish job’s contents: write unchanged and does not otherwise alter behavior. Concretely, in .github/workflows/desktop-build.yml, under jobs: build:, insert:
    permissions:
      contents: read
at the same indentation level as runs-on: and strategy:. No imports or additional definitions are needed; it’s just a YAML configuration change.
| @@ -7,6 +7,8 @@ | ||
|
|
||
| jobs: | ||
| build: | ||
| permissions: | ||
| contents: read | ||
| strategy: | ||
| matrix: | ||
| include: |
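Review bot: the `permissions:` block added under `build:` makes the `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` that both Package steps of this job receive a read-only token. Confirm that `package:mac` and `package:win` only build and never write to the repository or a release; if so, drop `GH_TOKEN` from those two steps so the packaging tool is not given the token at all, and leave publishing to the `publish` job.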
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: pnpm/action-setup@v4 | ||
| - uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 22 | ||
| cache: 'pnpm' | ||
| - name: Install dependencies | ||
| run: pnpm install | ||
| - name: Lint | ||
| working-directory: apps/desktop | ||
| run: pnpm run lint | ||
| - name: Type check | ||
| working-directory: apps/desktop | ||
| run: pnpm run typecheck | ||
| - name: Build | ||
| working-directory: apps/desktop | ||
| run: pnpm run build | ||
| - name: Unit tests | ||
| working-directory: apps/desktop | ||
| run: pnpm run test |
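Review bot: `actions/checkout@v5` in the first step runs with its default credential persistence, so the job token stays in the local git config while `pnpm install`, lint, build and the unit tests execute dependency code. None of the later steps push or fetch, so add `with:` / `persist-credentials: false` to the checkout step.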
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 2 months ago
In general, the fix is to explicitly restrict the GITHUB_TOKEN permissions in the workflow to the minimum needed. For this job, it only needs to read the repository contents to run tests, so contents: read is sufficient. Since there is only one job, we can either set permissions at the workflow root (applies to all jobs) or on the test-desktop job specifically. To keep the change minimal and tightly scoped, we’ll add a permissions block under jobs.test-desktop.
Concretely, in .github/workflows/desktop-test.yml, under jobs:, within the test-desktop: job and at the same indentation level as runs-on:, add:
    permissions:
      contents: read
This does not change functionality: the job continues to run on ubuntu-latest and perform the same steps, but now with a restricted GITHUB_TOKEN. No additional imports, methods, or external definitions are required.
| @@ -10,6 +10,8 @@ | ||
| jobs: | ||
| test-desktop: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: pnpm/action-setup@v4 |
|
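Review bot: the `permissions:` block placed under `test-desktop:` covers only that job, so any job added to desktop-test.yml later falls back to the repository's default token scope. Setting `permissions:` with `contents: read` at the workflow root gives the same result for this job and keeps new jobs read-only unless they opt in to more.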
Important: Review skipped. Auto reviews are disabled on base/target branches other than the default branch.
No description provided.