Skip to content

feat(counting): +3 saves on 500 count#28

Open
calebephrem wants to merge 3 commits into
open-devhub:mainfrom
calebephrem:main
Open

feat(counting): +3 saves on 500 count#28
calebephrem wants to merge 3 commits into
open-devhub:mainfrom
calebephrem:main

Conversation

@calebephrem

Copy link
Copy Markdown
Member
  • Add +3 saves when counting reaches 500
  • Added switch guard in /edit-profile command

@devhub-bot devhub-bot Bot added the feat New feature label Jul 6, 2026
@beetle-ai

beetle-ai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Summary by Beetle

This PR introduces two distinct improvements to the Panda Bot: enhanced input validation for the profile editing system and a reward mechanism for the counting game. The changes focus on improving user experience through better error handling and adding engagement incentives. Additionally, the PR includes cleanup of deprecated moderation features from the configuration and documentation.

📁 File Changes Summary (Consolidated across all commits):

File Status Changes Description
src/commands/misc/edit-profile.js Modified +64/-4 Added comprehensive input validation using switch guard pattern with regex validation for URLs, length constraints for text fields, and Discord API-level validation through min/max options. Improved error messages and user feedback.
src/events/messageCreate/counting.js Modified +4/-0 Added reward system for reaching 500 count milestone - grants +3 saves to encourage continued participation in the counting game.
README.md Modified +1/-4 Updated feature description to be more concise and removed deprecated "Moderation Tools" section to reflect current bot capabilities.
config.json Modified +0/-6 Removed deprecated moderation configuration including suspendedRoleId and warnRoles object (warn1, warn2, warn3 role IDs), streamlining the configuration.

Total Changes: 4 files changed, +69 additions, -14 deletions

🗺️ Walkthrough:

graph TD
A["User invokes /edit-profile command"] --> B["Collect input options"]
B --> C{"Switch Guard Validation"}
C -->|"Bio invalid"| D["Error: Bio length 2-200"]
C -->|"Country invalid"| E["Error: Country length 2-100"]
C -->|"Age invalid"| F["Error: Age range 1-1000"]
C -->|"Stack invalid"| G["Error: Stack length 2-200"]
C -->|"Hobbies invalid"| H["Error: Hobbies length 2-200"]
C -->|"GitHub invalid"| I["Error: Invalid GitHub URL"]
C -->|"Portfolio invalid"| J["Error: Invalid URL format"]
D --> K["Return ephemeral error message"]
E --> K
F --> K
G --> K
H --> K
I --> K
J --> K
C -->|"All valid"| L["Update profile in database"]
L --> M["Send success confirmation"]
N["User sends count in counting channel"] --> O{"Count equals 500?"}
O -->|"Yes"| P["Add +3 saves to counter"]
P --> Q["Send reward notification"]
Q --> R["React with crown emoji"]
O -->|"No"| S["Continue normal counting flow"]
style C fill:#e1f5ff
style L fill:#d4edda
style P fill:#fff3cd
Loading

🎯 Key Changes:

  • Robust Input Validation: Implemented a switch guard pattern that validates all profile fields before database operations, preventing invalid data from being stored and providing clear, specific error messages to users
  • Dual-Layer Validation: Added both runtime validation (switch guard) and Discord API-level validation (min_length, max_length, min_value, max_value) for defense-in-depth
  • URL Validation: Introduced regex patterns to validate GitHub profile URLs (must match github.com/username format) and portfolio URLs (must be valid HTTP/HTTPS URLs)
  • Counting Game Enhancement: Added a reward system that grants +3 saves when users reach the 500 count milestone, increasing engagement and providing recovery opportunities
  • Configuration Cleanup: Removed deprecated moderation system configuration (suspended roles, warning roles), indicating a shift away from complex role-based moderation
  • Documentation Update: Simplified README to reflect current bot features and removed references to deprecated moderation tools

📊 Impact Assessment:

  • Security: ✅ Positive Impact - The addition of comprehensive input validation significantly improves security by preventing injection attacks and malformed data. Regex validation for URLs prevents malicious link submissions. The switch guard pattern ensures all validation happens before any database operations, reducing attack surface.
  • Performance: ⚡ Neutral to Slight Positive - The switch guard validation adds minimal overhead (O(1) checks) but prevents unnecessary database operations for invalid inputs. The early return pattern on validation failure is more efficient than catching database errors. The counting game change has negligible performance impact.
  • Maintainability: 📈 Significant Improvement - The switch guard pattern is more maintainable than nested if-statements or try-catch blocks. Validation logic is centralized and easy to modify. The addition of Discord API-level constraints provides self-documenting code. Removal of deprecated configuration reduces technical debt and confusion for future maintainers.
  • Testing: ⚠️ Needs Attention - While the validation logic is comprehensive, there's no evidence of unit tests for the new validation rules. Recommended additions:
  • Unit tests for each validation case (bio length, age range, URL formats)
  • Edge case testing (boundary values: age=1, age=1000, bio length=2, bio length=200)
  • Regex validation tests for various GitHub URL formats
  • Integration tests for the counting game reward system at the 500 milestone
⚙️ Settings

Severity Threshold: Medium — Balanced feedback — medium and high severity issues only.Change in Settings
Custom Rules: Define your own review rules — Set Custom Rules
PR Summary: Configure PR summary — Change in Settings

📖 User Guide
  • Once repos are connected, PR analysis is automatically enabled. You can disable analysis for this repo from beetleai.dev/analysis
  • Comment @beetle on any PR to start analysis manually
  • Comment @beetle stop to stop any ongoing analysis

Follow us: Beetle · X · LinkedIn

Comment thread src/commands/misc/edit-profile.js Outdated
@beetle-ai

beetle-ai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @beetle command.

⚙️ Settings

Severity Threshold: Medium — Balanced feedback — medium and high severity issues only.Change in Settings
Custom Rules: Define your own review rules — Set Custom Rules
PR Summary: Configure PR summary — Change in Settings

📖 User Guide
  • Once repos are connected, PR analysis is automatically enabled. You can disable analysis for this repo from beetleai.dev/analysis
  • Comment @beetle on any PR to start analysis manually
  • Comment @beetle stop to stop any ongoing analysis

Follow us: Beetle · X · LinkedIn

Co-authored-by: beetle-ai[bot] <221859081+beetle-ai[bot]@users.noreply.github.com>
@beetle-ai

beetle-ai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Summary by Beetle

This PR introduces several enhancements to the Panda Bot Discord bot, focusing on improved input validation, user experience refinements, and feature adjustments. The changes include robust validation for the profile editing system with switch-guard pattern implementation, a reward mechanism for the counting game at milestone 500, and improved URL validation patterns. Additionally, the PR includes documentation updates and code formatting improvements to the snowflake decoder command.

📁 File Changes Summary (Consolidated across all commits):

File Status Changes Description
src/commands/misc/edit-profile.js Modified +68/-5 Added comprehensive input validation using switch-guard pattern for all profile fields (bio, country, age, stack, hobbies, GitHub, portfolio). Implemented regex validation for URLs and enforced min/max length constraints. Enhanced portfolio URL regex pattern for more robust validation.
src/events/messageCreate/counting.js Modified +4/-0 Added +3 saves reward when users reach the 500 count milestone in the counting game, with a celebratory message to encourage continued participation.
src/prefixCommands/misc/snowflake.js Modified +39/-22 Code formatting improvements: converted single quotes to double quotes, improved indentation consistency, and enhanced readability throughout the snowflake decoder command.
README.md Modified +1/-4 Updated feature description to be more concise ("macros, fun things and lot more" instead of detailed list). Removed the "Moderation Tools" section from features list.
config.json Modified +0/-6 Removed deprecated moderation-related configuration: suspendedRoleId and warnRoles object (warn1, warn2, warn3 role IDs).

Total Changes: 5 files changed, +112 additions, -37 deletions

🗺️ Walkthrough:

graph TD
A["User invokes /edit-profile command"] --> B["Collect input options"]
B --> C{"Switch Guard Validation"}
C -->|"Bio invalid"| D["Error: Bio 2-200 chars"]
C -->|"Country invalid"| E["Error: Country 2-100 chars"]
C -->|"Age invalid"| F["Error: Age 1-1000"]
C -->|"Stack invalid"| G["Error: Stack 2-200 chars"]
C -->|"Hobbies invalid"| H["Error: Hobbies 2-200 chars"]
C -->|"GitHub invalid"| I["Error: Invalid GitHub URL"]
C -->|"Portfolio invalid"| J["Error: Invalid Portfolio URL"]
D --> K["Return ephemeral error"]
E --> K
F --> K
G --> K
H --> K
I --> K
J --> K
C -->|"All valid"| L["Update profile fields"]
L --> M["Save to database"]
M --> N["Success response"]
O["Counting Game: User posts 500"] --> P["Add +3 saves"]
P --> Q["Send celebration message"]
Q --> R["React with crown emoji"]
Loading

🎯 Key Changes:

  • Enhanced Input Validation: Implemented a switch-guard pattern in edit-profile command that validates all user inputs before database operations, preventing invalid data from being stored and providing clear, specific error messages
  • Discord API-Level Constraints: Added min_length, max_length, min_value, and max_value constraints directly to Discord command options, providing client-side validation before the command even executes
  • Robust URL Validation: Upgraded portfolio URL regex from simple pattern to comprehensive validation that properly handles domains, subdomains, paths, and query parameters while preventing malformed URLs
  • Counting Game Incentive: Added a +3 saves bonus at the 500 count milestone to reward player progress and maintain engagement in the counting channel
  • Configuration Cleanup: Removed deprecated moderation system configurations (suspendedRoleId, warnRoles), indicating a shift away from the previous warning/suspension system
  • Code Quality: Standardized code formatting in the snowflake decoder command for better maintainability

📊 Impact Assessment:

  • Security: ✅ Positive Impact - The enhanced validation significantly improves security by preventing injection attacks through URL fields and ensuring all user inputs conform to expected formats. The regex patterns for GitHub and portfolio URLs prevent malicious link submissions. The switch-guard pattern provides a centralized validation layer that's easier to audit and maintain.
  • Performance: ⚡ Neutral to Slightly Positive - The switch-guard validation adds minimal overhead (single pass through validation cases). Discord API-level constraints reduce unnecessary command executions, saving server resources. The counting game feature adds one database write operation at milestone 500, which is negligible given the infrequency of the event.
  • Maintainability: 📈 Significant Improvement - The switch-guard pattern centralizes validation logic, making it easier to add new fields or modify validation rules. The explicit min/max constraints in command options serve as self-documenting code. Code formatting improvements in the snowflake command enhance readability. Removal of deprecated config reduces technical debt and confusion.
  • Testing: ⚠️ Needs Attention - While the validation logic is comprehensive, there's no evidence of unit tests for the new validation patterns. The regex patterns (especially the portfolio URL validator) should be tested against edge cases (internationalized domains, special characters, various TLDs). The counting game +3 saves feature should be tested to ensure it doesn't trigger multiple times or conflict with other milestone rewards. Recommended: Add test cases for all validation branches and URL regex patterns.
⚙️ Settings

Severity Threshold: Medium — Balanced feedback — medium and high severity issues only.Change in Settings
Custom Rules: Define your own review rules — Set Custom Rules
PR Summary: Configure PR summary — Change in Settings

📖 User Guide
  • Once repos are connected, PR analysis is automatically enabled. You can disable analysis for this repo from beetleai.dev/analysis
  • Comment @beetle on any PR to start analysis manually
  • Comment @beetle stop to stop any ongoing analysis

Follow us: Beetle · X · LinkedIn

Comment on lines +44 to +45
case portfolio !== null &&
!/^https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$/.test(

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The portfolio URL validation regex !/^https?:\/\/[^\s]+$/ is extremely permissive and allows dangerous URLs. It only checks for http:// or https:// followed by any non-whitespace characters, which means it accepts:

  • javascript: URLs (XSS vector if rendered in web contexts)
  • URLs with special characters that could break rendering
  • Malformed URLs like http:// (just the protocol)
  • URLs with no domain validation whatsoever
    This is a security vulnerability if these portfolio URLs are ever displayed in a web interface, embedded in iframes, or used in any context where URL validation matters.

Confidence: 5/5

Suggested Fix
Suggested change
case portfolio !== null &&
!/^https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$/.test(
case portfolio !== null && !/^https?:\/\/([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}(\/[^\s]*)?$/.test(portfolio):
error = "Portfolio link must be a valid URL with a proper domain.";

Replace the overly permissive regex with one that validates:

  • Protocol (http/https)
  • Valid domain structure (subdomain.domain.tld)
  • At least a 2-character TLD
  • Optional path components
    This prevents malformed URLs and potential XSS vectors while still allowing legitimate portfolio URLs.
Prompt for AI

Copy this prompt to your AI IDE to fix this issue locally:

In src/commands/misc/edit-profile.js at line 44, the portfolio URL validation
regex is dangerously permissive and only checks for http/https followed by any
non-whitespace, which allows malformed URLs and potential XSS vectors; replace
the regex pattern with /^https?:\/\/([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}(\/[^\s]*)?$/
to properly validate domain structure and prevent security issues, and update
the error message on line 45 to "Portfolio link must be a valid URL with a
proper domain."

📍 This suggestion applies to lines 44-45

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

feat New feature

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant