Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Note Other AI code review bot(s) detectedCodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review. WalkthroughAdded an OPENAI_ZERO_DATA_RETENTION env flag; adjusted OpenAI provider options to respect that flag; introduced a token refresh buffer for Outlook; updated several dependencies and removed a pnpm patch; bumped version. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes
Possibly related PRs
Poem
Pre-merge checks and finishing touches❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (1 passed)
✨ Finishing touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (6)
apps/web/env.ts(1 hunks)apps/web/package.json(3 hunks)apps/web/utils/llms/model.ts(1 hunks)apps/web/utils/outlook/client.ts(2 hunks)package.json(0 hunks)version.txt(1 hunks)
💤 Files with no reviewable changes (1)
- package.json
🧰 Additional context used
📓 Path-based instructions (17)
apps/web/**/*.{ts,tsx}
📄 CodeRabbit inference engine (apps/web/CLAUDE.md)
apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Use@/path aliases for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Follow consistent naming conventions using PascalCase for components
Centralize shared types in dedicated type filesImport specific lodash functions rather than entire lodash library to minimize bundle size (e.g.,
import groupBy from 'lodash/groupBy')
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.tsapps/web/env.ts
**/*.{ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)
**/*.{ts,tsx}: For API GET requests to server, use theswrpackage
Useresult?.serverErrorwithtoastErrorfrom@/components/Toastfor error handling in async operations
**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls
**/*.{ts,tsx}: For early access feature flags, create hooks using the naming conventionuse[FeatureName]Enabledthat return a boolean fromuseFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming conventionuse[FeatureName]Variantthat define variant types, useuseFeatureFlagVariantKey()with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g.,inbox-cleaner,pricing-options-2)
Always define types for A/B test variant flags (e.g.,type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting
**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the!postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Useas constinstead of literal types and type annotations
Use eitherT[]orArray<T>consistently
Initialize each enum member value explicitly
Useexport typefor types
Use `impo...
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.tsapps/web/env.ts
**/{server,api,actions,utils}/**/*.ts
📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)
**/{server,api,actions,utils}/**/*.ts: UsecreateScopedLoggerfrom "@/utils/logger" for logging in backend code
Add thecreateScopedLoggerinstantiation at the top of the file with an appropriate scope name
Use.with()method to attach context variables only within specific functions, not on global loggers
For large functions with reused variables, usecreateScopedLogger().with()to attach context once and reuse the logger without passing variables repeatedly
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)
Always import Prisma enums from
@/generated/prisma/enumsinstead of@/generated/prisma/clientto avoid Next.js bundling errors in client componentsImport Prisma using the project's centralized utility:
import prisma from '@/utils/prisma'
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.tsapps/web/env.ts
**/*.ts
📄 CodeRabbit inference engine (.cursor/rules/security.mdc)
**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma'sselectoption. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. AllfindUnique/findFirstcalls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
AllfindManyqueries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g.,emailAccount: { id: emailAccountId }) to validate ownership
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.tsapps/web/env.ts
**/*.{tsx,ts}
📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)
**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Usenext/imagepackage for images
For API GET requests to server, use theswrpackage with hooks likeuseSWRto fetch data
For text inputs, use theInputcomponent withregisterPropsfor form integration and error handling
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.tsapps/web/env.ts
**/*.{tsx,ts,css}
📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)
Implement responsive design with Tailwind CSS using a mobile-first approach
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.tsapps/web/env.ts
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)
**/*.{js,jsx,ts,tsx}: Don't useaccessKeyattribute on any HTML element
Don't setaria-hidden="true"on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like<marquee>or<blink>
Only use thescopeprop on<th>elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assigntabIndexto non-interactive HTML elements
Don't use positive integers fortabIndexproperty
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include atitleelement for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
AssigntabIndexto non-interactive HTML elements witharia-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include atypeattribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden witharia-hidden)
Always include alangattribute on the html element
Always include atitleattribute for iframe elements
AccompanyonClickwith at least one of:onKeyUp,onKeyDown, oronKeyPress
AccompanyonMouseOver/onMouseOutwithonFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.tsapps/web/env.ts
!(pages/_document).{jsx,tsx}
📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)
Don't use the next/head module in pages/_document.js on Next.js projects
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.tsversion.txtapps/web/package.jsonapps/web/env.ts
**/*.{js,ts,jsx,tsx}
📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)
**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g.,import groupBy from 'lodash/groupBy')
Files:
apps/web/utils/outlook/client.tsapps/web/utils/llms/model.tsapps/web/env.ts
apps/web/{utils/ai,utils/llms,__tests__}/**/*.ts
📄 CodeRabbit inference engine (.cursor/rules/llm.mdc)
LLM-related code must be organized in specific directories:
apps/web/utils/ai/for main implementations,apps/web/utils/llms/for core utilities and configurations, andapps/web/__tests__/for LLM-specific tests
Files:
apps/web/utils/llms/model.ts
apps/web/utils/llms/{index,model}.ts
📄 CodeRabbit inference engine (.cursor/rules/llm.mdc)
Core LLM functionality must be defined in
utils/llms/index.ts, model definitions and configurations inutils/llms/model.ts, and usage tracking inutils/usage.ts
Files:
apps/web/utils/llms/model.ts
**/package.json
📄 CodeRabbit inference engine (.cursor/rules/installing-packages.mdc)
Use
pnpmas the package manager
Files:
apps/web/package.json
apps/web/package.json
📄 CodeRabbit inference engine (.cursor/rules/installing-packages.mdc)
Don't install packages in root; install in
apps/webworkspace instead
Files:
apps/web/package.json
apps/web/**/{.env.example,env.ts,turbo.json}
📄 CodeRabbit inference engine (apps/web/CLAUDE.md)
Add environment variables to
.env.example,env.ts, andturbo.json
Files:
apps/web/env.ts
apps/web/env.ts
📄 CodeRabbit inference engine (.cursor/rules/environment-variables.mdc)
apps/web/env.ts: Add server-only environment variables toapps/web/env.tsunder theserverobject with Zod schema validation
Add client-side environment variables toapps/web/env.tsunder theclientobject withNEXT_PUBLIC_prefix and Zod schema validation
Add client-side environment variables toapps/web/env.tsunder theexperimental__runtimeEnvobject to enable runtime access
Files:
apps/web/env.ts
{.env.example,apps/web/env.ts}
📄 CodeRabbit inference engine (.cursor/rules/environment-variables.mdc)
Client-side environment variables must be prefixed with
NEXT_PUBLIC_
Files:
apps/web/env.ts
🧠 Learnings (10)
📚 Learning: 2025-11-25T14:38:07.606Z
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm.mdc:0-0
Timestamp: 2025-11-25T14:38:07.606Z
Learning: Applies to apps/web/utils/ai/**/*.ts : LLM feature functions must import from `zod` for schema validation, use `createScopedLogger` from `@/utils/logger`, `chatCompletionObject` and `createGenerateObject` from `@/utils/llms`, and import `EmailAccountWithAI` type from `@/utils/llms/types`
Applied to files:
apps/web/utils/llms/model.ts
📚 Learning: 2025-11-25T14:36:45.807Z
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to apps/web/env.ts : Add server-only environment variables to `apps/web/env.ts` under the `server` object with Zod schema validation
Applied to files:
apps/web/env.ts
📚 Learning: 2025-11-25T14:36:45.807Z
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to apps/web/env.ts : Add client-side environment variables to `apps/web/env.ts` under the `client` object with `NEXT_PUBLIC_` prefix and Zod schema validation
Applied to files:
apps/web/env.ts
📚 Learning: 2025-11-25T14:36:43.454Z
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:43.454Z
Learning: Applies to apps/web/env.ts : Define environment variables in `apps/web/env.ts` using Zod schema validation, organizing them into `server` and `client` sections
Applied to files:
apps/web/env.ts
📚 Learning: 2025-11-25T14:36:45.807Z
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to apps/web/env.ts : Add client-side environment variables to `apps/web/env.ts` under the `experimental__runtimeEnv` object to enable runtime access
Applied to files:
apps/web/env.ts
📚 Learning: 2025-11-25T14:36:43.454Z
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:43.454Z
Learning: Applies to apps/web/env.ts : For client-side environment variables in `apps/web/env.ts`, prefix them with `NEXT_PUBLIC_` and add them to both the `client` and `experimental__runtimeEnv` sections
Applied to files:
apps/web/env.ts
📚 Learning: 2025-11-25T14:36:18.416Z
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-11-25T14:36:18.416Z
Learning: Applies to apps/web/**/{.env.example,env.ts,turbo.json} : Add environment variables to `.env.example`, `env.ts`, and `turbo.json`
Applied to files:
apps/web/env.ts
📚 Learning: 2025-11-25T14:37:56.430Z
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Use `describe.runIf(isAiTest)` with environment variable `RUN_AI_TESTS === "true"` to conditionally run LLM tests
Applied to files:
apps/web/env.ts
📚 Learning: 2025-07-19T15:06:43.730Z
Learnt from: garnertb
Repo: elie222/inbox-zero PR: 580
File: apps/web/.env.example:4-7
Timestamp: 2025-07-19T15:06:43.730Z
Learning: In apps/web/.env.example, boolean environment variables follow an unquoted convention (e.g., LOG_ZOD_ERRORS=true, AUTH_TRUST_HOST=true). Logical grouping of related variables (like auth variables together) is preferred over strict alphabetical ordering for better developer experience.
Applied to files:
apps/web/env.ts
📚 Learning: 2025-11-25T14:36:45.807Z
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to {.env.example,apps/web/env.ts} : Client-side environment variables must be prefixed with `NEXT_PUBLIC_`
Applied to files:
apps/web/env.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: cubic · AI code reviewer
- GitHub Check: Review for correctness
🔇 Additional comments (4)
version.txt (1)
1-1: Version bump is straightforwardSingle-line version update only; no behavioral impact.
apps/web/package.json (1)
45-45: Verify dependency bumps against existing usageThe version updates for:
@modelcontextprotocol/sdk→1.24.0better-auth→1.4.5nodemailer→7.0.11look reasonable, but please confirm:
- Existing usages (especially around auth flows and email sending) still match the updated APIs.
- Tests or key auth/email paths have been exercised after removing the
better-authpatch override in the root config.Also applies to: 95-95, 133-133
apps/web/utils/outlook/client.ts (1)
11-12: Confirm expiry units when usingTOKEN_REFRESH_BUFFER_MSThe 10‑minute buffer is a good idea, but this condition:
const expiryDate = expiresAt ? expiresAt : null; if (accessToken && expiryDate && expiryDate > Date.now() + TOKEN_REFRESH_BUFFER_MS) { return createOutlookClient(accessToken); }assumes
expiresAtis in milliseconds (same unit asDate.now()andTOKEN_REFRESH_BUFFER_MS). In this file, new tokens are persisted as:expires_at: Math.floor(Date.now() / 1000 + tokens.expires_in),which is seconds since epoch.
If
expiresAtis passed through directly fromexpires_at, the comparison will always treat the token as already within the buffer (or expired), forcing a refresh on every call. Please double‑check that callers multiply by1000(or adjust here) so all three values use the same unit.Also applies to: 103-107
apps/web/env.ts (1)
63-63: Server env flag for OpenAI retention looks good—ensure config is mirrored
OPENAI_ZERO_DATA_RETENTIONis correctly added as a server-only boolean with a safe default offalse, which keeps existing behavior unchanged and enables the new OpenAI config path.Please also make sure this variable is:
- Added to
apps/web/.env.examplewith the usual unquoted boolean style.- Included in
apps/web/turbo.jsonif you track envs there.Based on learnings, these three files should stay in sync for new env vars.
| // When Zero Data Retention is enabled, set store: false to avoid | ||
| // "Items are not persisted for Zero Data Retention organizations" errors | ||
| // See: https://github.com/vercel/ai/issues/10060 | ||
| const openAiProviderOptions = env.OPENAI_ZERO_DATA_RETENTION | ||
| ? { | ||
| ...providerOptions, | ||
| openai: { ...providerOptions?.openai, store: false }, | ||
| } | ||
| : providerOptions; | ||
| return { |
There was a problem hiding this comment.
Prevent runtime error when OPENAI_ZERO_DATA_RETENTION is enabled
providerOptions is optional, but this branch assumes it’s always an object:
const openAiProviderOptions = env.OPENAI_ZERO_DATA_RETENTION
? {
...providerOptions,
openai: { ...providerOptions?.openai, store: false },
}
: providerOptions;If providerOptions is undefined (which can happen from callers like selectEconomyModel / selectChatModel), ...providerOptions will throw TypeError: Cannot convert undefined or null to object as soon as OPENAI_ZERO_DATA_RETENTION is set to true.
You can avoid this by normalizing to an empty object before spreading:
- case Provider.OPEN_AI: {
+ case Provider.OPEN_AI: {
const modelName = aiModel || "gpt-5.1";
- // When Zero Data Retention is enabled, set store: false to avoid
- // "Items are not persisted for Zero Data Retention organizations" errors
- // See: https://github.com/vercel/ai/issues/10060
- const openAiProviderOptions = env.OPENAI_ZERO_DATA_RETENTION
- ? {
- ...providerOptions,
- openai: { ...providerOptions?.openai, store: false },
- }
- : providerOptions;
+ // When Zero Data Retention is enabled, set store: false to avoid
+ // "Items are not persisted for Zero Data Retention organizations" errors
+ // See: https://github.com/vercel/ai/issues/10060
+ const baseOptions = providerOptions ?? {};
+ const openAiProviderOptions = env.OPENAI_ZERO_DATA_RETENTION
+ ? {
+ ...baseOptions,
+ openai: { ...(baseOptions.openai ?? {}), store: false },
+ }
+ : providerOptions;
return {
provider: Provider.OPEN_AI,
modelName,
model: createOpenAI({ apiKey: aiApiKey || env.OPENAI_API_KEY })(
modelName,
),
- providerOptions: openAiProviderOptions,
+ providerOptions: openAiProviderOptions,
backupModel: getBackupModel(aiApiKey),
};
}This keeps behavior unchanged when the flag is false and avoids crashes when it’s true.
Also applies to: 86-86
🤖 Prompt for AI Agents
In apps/web/utils/llms/model.ts around lines 71 to 80 (also apply same fix at
line 86), the code spreads providerOptions without ensuring it's defined when
OPENAI_ZERO_DATA_RETENTION is true, causing a TypeError if providerOptions is
undefined; fix by normalizing providerOptions to an object before spreading
(e.g., use a fallback {} when spreading and when accessing
providerOptions.openai) so the branch safely constructs openAiProviderOptions
even if providerOptions is undefined.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 7 files
Prompt for AI agents (all 1 issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="apps/web/utils/outlook/client.ts">
<violation number="1" location="apps/web/utils/outlook/client.ts:106">
P2: `expiryDate` is stored in seconds but is compared to `Date.now()` (milliseconds), so this condition is always false and forces needless token refreshes. Convert one side so both are in the same units.</violation>
</file>
Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
| if ( | ||
| accessToken && | ||
| expiryDate && | ||
| expiryDate > Date.now() + TOKEN_REFRESH_BUFFER_MS |
There was a problem hiding this comment.
P2: expiryDate is stored in seconds but is compared to Date.now() (milliseconds), so this condition is always false and forces needless token refreshes. Convert one side so both are in the same units.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/web/utils/outlook/client.ts, line 106:
<comment>`expiryDate` is stored in seconds but is compared to `Date.now()` (milliseconds), so this condition is always false and forces needless token refreshes. Convert one side so both are in the same units.</comment>
<file context>
@@ -97,7 +100,11 @@ export const getOutlookClientWithRefresh = async ({
+ if (
+ accessToken &&
+ expiryDate &&
+ expiryDate > Date.now() + TOKEN_REFRESH_BUFFER_MS
+ ) {
return createOutlookClient(accessToken);
</file context>
| expiryDate > Date.now() + TOKEN_REFRESH_BUFFER_MS | |
| expiryDate * 1000 > Date.now() + TOKEN_REFRESH_BUFFER_MS |
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
| @@ -97,7 +100,11 @@ export const getOutlookClientWithRefresh = async ({ | |||
|
|
|||
| // Check if token needs refresh | |||
| const expiryDate = expiresAt ? expiresAt : null; | |||
There was a problem hiding this comment.
The expiry check mixes seconds (expires_at) with milliseconds (Date.now() + TOKEN_REFRESH_BUFFER_MS). Consider converting expires_at to ms before comparing to avoid unnecessary refreshes.
- const expiryDate = expiresAt ? expiresAt : null;
+ const expiryDateMs = expiresAt ? expiresAt * 1000 : null;
if (
- accessToken &&
- expiryDate &&
- expiryDate > Date.now() + TOKEN_REFRESH_BUFFER_MS
+ accessToken &&
+ expiryDateMs &&
+ expiryDateMs > Date.now() + TOKEN_REFRESH_BUFFER_MS
) {
return createOutlookClient(accessToken);
}🚀 Reply to ask Macroscope to explain or update this suggestion.
👍 Helpful? React to give us feedback.
There was a problem hiding this comment.
Issue on line in apps/web/utils/llms/model.ts:153:
Suggestion: Add defensive checks/defaults in apps/web/utils/llms/model.ts before provider construction—validate env.BEDROCK_ACCESS_KEY/env.BEDROCK_SECRET_KEY and default providerOptions/providerOptions.openai to empty objects—to prevent runtime errors.
+ if (!env.BEDROCK_ACCESS_KEY || !env.BEDROCK_SECRET_KEY) {
+ throw new Error("Bedrock selected but BEDROCK_ACCESS_KEY and/or BEDROCK_SECRET_KEY are not set");
+ }
🚀 Reply to ask Macroscope to explain or update this suggestion.
👍 Helpful? React to give us feedback.
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (1)
apps/web/utils/mcp/oauth.ts (1)
493-502: Dynamic registration metadata looks good; consider avoiding hard-coded production URLsThe added
logo_uriandtos_urifields are valid dynamic client registration metadata and safe, and this should work fine with compliant providers.One concern is maintainability and environment‑awareness: hard‑coding
https://getinboxzero.com/...here ties all deployments (staging, dev, self‑hosted) to the production site’s logo and ToS. That may be intentional, but if not, it would be cleaner to derive these from a shared config/env (e.g., a base site URL or branding config) so each environment can advertise its own assets and legal pages.If that flexibility is desired, I’d suggest something along the lines of:
- const clientMetadata: OAuthClientMetadata = { - client_name: "Inbox Zero", - redirect_uris: [redirectUri], - grant_types: ["authorization_code", "refresh_token"], - response_types: ["code"], - token_endpoint_auth_method: "none", // Public client with PKCE - scope: integrationConfig.scopes.join(" "), - logo_uri: "https://getinboxzero.com/icon.png", - tos_uri: "https://getinboxzero.com/terms", - }; + const clientMetadata: OAuthClientMetadata = { + client_name: "Inbox Zero", + redirect_uris: [redirectUri], + grant_types: ["authorization_code", "refresh_token"], + response_types: ["code"], + token_endpoint_auth_method: "none", // Public client with PKCE + scope: integrationConfig.scopes.join(" "), + logo_uri: process.env.NEXT_PUBLIC_SITE_LOGO_URL ?? "https://getinboxzero.com/icon.png", + tos_uri: process.env.NEXT_PUBLIC_SITE_TOS_URL ?? "https://getinboxzero.com/terms", + };(or equivalent centralized config access used elsewhere in the app).
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
apps/web/utils/mcp/oauth.ts(1 hunks)
🧰 Additional context used
📓 Path-based instructions (10)
apps/web/**/*.{ts,tsx}
📄 CodeRabbit inference engine (apps/web/CLAUDE.md)
apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Use@/path aliases for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Follow consistent naming conventions using PascalCase for components
Centralize shared types in dedicated type filesImport specific lodash functions rather than entire lodash library to minimize bundle size (e.g.,
import groupBy from 'lodash/groupBy')
Files:
apps/web/utils/mcp/oauth.ts
**/*.{ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)
**/*.{ts,tsx}: For API GET requests to server, use theswrpackage
Useresult?.serverErrorwithtoastErrorfrom@/components/Toastfor error handling in async operations
**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls
**/*.{ts,tsx}: For early access feature flags, create hooks using the naming conventionuse[FeatureName]Enabledthat return a boolean fromuseFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming conventionuse[FeatureName]Variantthat define variant types, useuseFeatureFlagVariantKey()with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g.,inbox-cleaner,pricing-options-2)
Always define types for A/B test variant flags (e.g.,type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting
**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the!postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Useas constinstead of literal types and type annotations
Use eitherT[]orArray<T>consistently
Initialize each enum member value explicitly
Useexport typefor types
Use `impo...
Files:
apps/web/utils/mcp/oauth.ts
**/{server,api,actions,utils}/**/*.ts
📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)
**/{server,api,actions,utils}/**/*.ts: UsecreateScopedLoggerfrom "@/utils/logger" for logging in backend code
Add thecreateScopedLoggerinstantiation at the top of the file with an appropriate scope name
Use.with()method to attach context variables only within specific functions, not on global loggers
For large functions with reused variables, usecreateScopedLogger().with()to attach context once and reuse the logger without passing variables repeatedly
Files:
apps/web/utils/mcp/oauth.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)
Always import Prisma enums from
@/generated/prisma/enumsinstead of@/generated/prisma/clientto avoid Next.js bundling errors in client componentsImport Prisma using the project's centralized utility:
import prisma from '@/utils/prisma'
Files:
apps/web/utils/mcp/oauth.ts
**/*.ts
📄 CodeRabbit inference engine (.cursor/rules/security.mdc)
**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma'sselectoption. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. AllfindUnique/findFirstcalls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
AllfindManyqueries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g.,emailAccount: { id: emailAccountId }) to validate ownership
Files:
apps/web/utils/mcp/oauth.ts
**/*.{tsx,ts}
📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)
**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Usenext/imagepackage for images
For API GET requests to server, use theswrpackage with hooks likeuseSWRto fetch data
For text inputs, use theInputcomponent withregisterPropsfor form integration and error handling
Files:
apps/web/utils/mcp/oauth.ts
**/*.{tsx,ts,css}
📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)
Implement responsive design with Tailwind CSS using a mobile-first approach
Files:
apps/web/utils/mcp/oauth.ts
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)
**/*.{js,jsx,ts,tsx}: Don't useaccessKeyattribute on any HTML element
Don't setaria-hidden="true"on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like<marquee>or<blink>
Only use thescopeprop on<th>elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assigntabIndexto non-interactive HTML elements
Don't use positive integers fortabIndexproperty
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include atitleelement for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
AssigntabIndexto non-interactive HTML elements witharia-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include atypeattribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden witharia-hidden)
Always include alangattribute on the html element
Always include atitleattribute for iframe elements
AccompanyonClickwith at least one of:onKeyUp,onKeyDown, oronKeyPress
AccompanyonMouseOver/onMouseOutwithonFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...
Files:
apps/web/utils/mcp/oauth.ts
!(pages/_document).{jsx,tsx}
📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)
Don't use the next/head module in pages/_document.js on Next.js projects
Files:
apps/web/utils/mcp/oauth.ts
**/*.{js,ts,jsx,tsx}
📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)
**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g.,import groupBy from 'lodash/groupBy')
Files:
apps/web/utils/mcp/oauth.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: cubic · AI code reviewer
- GitHub Check: Review for correctness
1 participant
Update packages and set zero data retention for OpenAI by adding
env.createEnvserver varOPENAI_ZERO_DATA_RETENTIONand applyingproviderOptions.openai.store=falseinselectModelwhen true, and refresh Outlook tokens when expiry is within 600000 msAdd
OPENAI_ZERO_DATA_RETENTIONtoenv.createEnvwith boolean coercion and default false; passproviderOptionsinselectModelforProvider.OPEN_AIwithopenai.store=falsewhen the env var is true; refresh Outlook access tokens earlier with a 10-minute buffer; update auth and SDK dependencies and remove a root patch.📍Where to Start
Start with
selectModelin apps/web/utils/llms/model.ts, then review the env var addition in apps/web/env.ts and the Outlook token logic in apps/web/utils/outlook/client.ts.Macroscope summarized bc11885.
Summary by CodeRabbit
New Features
Improvements
Updates
Chores
✏️ Tip: You can customize this high-level summary in your review settings.