
fix: production hardening audit — Phase 2 (steps 2.1–2.4)#7

Draft
brucelikeeat wants to merge 2 commits into main from cursor/production-hardening-audit-2f13

Conversation

@brucelikeeat

Owner

Phase 2 — Production Hardening Audit

Full codebase audit across 7 categories (A–G), with targeted fixes applied to the 3 mandated areas.

Fixes applied

| File | Fix |
| --- | --- |
| `src/app/api/auth/[...nextauth]/route.ts` | `[ENV CHECK]` debug log wrapped in `NODE_ENV !== "production"` guard — stops it firing during `next build` and in production |
| `src/lib/auth.ts` | `[NextAuth signIn]` event log wrapped in `NODE_ENV !== "production"` guard — prevents OAuth `access_token`, `refresh_token`, `id_token` from reaching production logs |
| `src/app/api/posts/generate/route.ts` | `detail: String(error)` in catch block replaced with `NODE_ENV`-conditional — dev sees the raw error string, production returns `"See server logs for details."` |

Audit summary

A — Hardcoded localhost URLs: None found anywhere in src/.

B — Sensitive console.log: 2 issues found and fixed (see table above). All other 12 console statements reviewed — no token, password, email, session, or user objects logged.

C — Missing error boundaries (report only): 6 route handlers have partial or missing try/catch coverage:

  • debug-session, disconnect, select-repo, github/status — no top-level catch
  • repos, repos/.../commits — auth/token section outside try/catch

D — Exposed stack traces: 1 issue fixed (generate route). Additional security note: debug-session returns full unauthenticated session dump — should be removed or guarded.

E — Dead imports / unused files (report only): 9 dead files found (superseded code not yet cleaned up):

  • src/features/github/mapCommitsToTimeline.ts
  • src/features/timeline/data.ts
  • src/lib/github/index.ts (unused barrel) + oauth.ts
  • src/components/timeline/TimelineView.tsx + TimelineList.tsx + TimelineFilters.tsx
  • src/components/ui/timeline.tsx
  • src/features/timeline/useTimelineFilter.ts

F — TypeScript any: None found in any of the 5 critical files.

G — Env var coverage: All 7 process.env.* vars used in code are present in .env. OPENAI_API_KEY and REDIS_URL are in .env but not yet used in code.

Build

npx next build passes cleanly. The [ENV CHECK] log no longer appears in build output.


cursoragent and others added 2 commits May 29, 2026 22:57
- Change datasource provider to 'postgresql' with directUrl support
- Add @db.Text to Account.refresh_token, access_token, id_token
- Update .env.example with PostgreSQL URL format and DIRECT_URL entry
- Create docs/launch-log.md with Phase 1 status and agent log

Co-authored-by: brucelikeeat <brucelikeeat@users.noreply.github.com>
- Guard [ENV CHECK] debug log in [...nextauth]/route.ts behind NODE_ENV !== 'production'
- Guard [NextAuth signIn] event log in lib/auth.ts behind NODE_ENV !== 'production' (prevents OAuth access_token/refresh_token from reaching production logs)
- Replace detail: String(error) in generate route catch block with NODE_ENV-conditional (dev: raw error string, prod: safe message)
- Update docs/launch-log.md with full Phase 2 audit results (A-G) and fix log

Co-authored-by: brucelikeeat <brucelikeeat@users.noreply.github.com>
cursor Bot pushed a commit that referenced this pull request May 29, 2026
Co-authored-by: brucelikeeat <brucelikeeat@users.noreply.github.com>
@cursor cursor Bot changed the base branch from cursor/sqlite-to-supabase-postgres-2f13 to main May 29, 2026 23:13
2 participants