@sudipta26889 is attempting to deploy a commit to the Inbox Zero OSS Program Team on Vercel. A member of the Team first needs to authorize it.
Caution: Review failed. The pull request is closed.
Walkthrough
This PR implements a comprehensive privacy mode feature, refactors environment configuration to support runtime settings, updates Docker build workflows, improves type safety throughout the codebase, and introduces CORS middleware. The changes consolidate tracking/analytics disabling, switch from build-time to runtime environment variable resolution, and modernize several internal utilities.
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~60–90 minutes
Add privacy mode across web app and services, switch QStash verification to
12 issues found across 95 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="apps/web/__tests__/helpers.ts">
<violation number="1" location="apps/web/__tests__/helpers.ts:191">
P2: The trimmed value is checked for truthiness but the untrimmed value is returned. If an env var has leading/trailing whitespace, the returned URL would include that whitespace, causing malformed URLs.</violation>
</file>
<file name="apps/web/utils/config.ts">
<violation number="1" location="apps/web/utils/config.ts:25">
P2: Bypasses the project's env validation system. Consider importing and using the validated `env` object from `@/env.ts` instead of accessing `process.env` directly with a type assertion.</violation>
</file>
<file name="LOCAL_RUN.md">
<violation number="1" location="LOCAL_RUN.md:9">
P2: Hardcoded user-specific path won't work for other developers. Use a relative path or generic placeholder instead.</violation>
<violation number="2" location="LOCAL_RUN.md:347">
P3: Incomplete placeholder URL. Either provide the actual documentation URL or remove this line.</violation>
</file>
<file name="apps/web/utils/auth.ts">
<violation number="1" location="apps/web/utils/auth.ts:148">
P1: Early return skips critical business logic, not just marketing integrations. The `handlePendingPremiumInvite` and `handleReferralOnSignUp` calls at the end of this function will also be skipped in privacy mode, preventing new users from being added to premium plans they were invited to and from having their referral codes processed. Consider wrapping only the marketing section (Loops, Resend, Dub) with this check instead of returning early from the entire function.</violation>
</file>
<file name=".github/workflows/security-scan.yml">
<violation number="1" location=".github/workflows/security-scan.yml:27">
P2: Consider pinning third-party actions to commit SHA for supply chain security. For a security scanning workflow, this is especially important. You can find the SHA for version 0.24.0 and use it like: `aquasecurity/trivy-action@<full-sha>`</violation>
</file>
<file name="LICENSE">
<violation number="1" location="LICENSE:34">
P1: The LICENSE file's enterprise licensing contact information has been replaced with placeholder values (`support@example.com`, `https://example.com`). The `example.com` domain is reserved for documentation and cannot be used for actual communication. Users seeking enterprise licensing inquiries will be unable to reach the company. This also creates inconsistency with the valid contact info at the end of this same file (`enterprise@inboxzero.com`, `https://www.inboxzero.com`).</violation>
</file>
<file name="apps/web/app/(landing)/privacy/content.mdx">
<violation number="1" location="apps/web/app/(landing)/privacy/content.mdx:21">
P1: Using `example.com` in a production privacy policy is incorrect - this is a reserved domain for documentation purposes and cannot receive emails. Users attempting to make data protection inquiries will be unable to reach anyone, which could be a GDPR compliance issue. This appears to be a placeholder that should be replaced with a real contact email.</violation>
</file>
<file name="README.md">
<violation number="1" location="README.md:47">
P2: Text references documentation but provides no way to access it. Either remove this sentence, restore the link, or link to internal documentation (e.g., the existing `docs/` folder).</violation>
<violation number="2" location="README.md:413">
P2: Text tells users to 'join our community' but provides no way to do so. Either remove the reference to community, provide an alternative contact method, or link to a community platform.</violation>
</file>
<file name="apps/web/app/(landing)/terms/content.mdx">
<violation number="1" location="apps/web/app/(landing)/terms/content.mdx:29">
P1: Using `support@example.com` as a contact email in Terms of Service is problematic. The `example.com` domain is reserved for documentation purposes and cannot receive real emails. Users will be unable to reach support through this address. Consider using the actual support email or a placeholder that will be configured dynamically.</violation>
</file>
<file name="apps/web/app/api/digest-preview/route.ts">
<violation number="1" location="apps/web/app/api/digest-preview/route.ts:46">
P2: Empty string fallback could result in broken URLs in the digest email. Consider providing a meaningful default (e.g., `"http://localhost:3000"`) to match the default in `env.ts`, or import from the typed env configuration.</violation>
</file>
| process.env.BASE_URL || | ||
| process.env.APP_BASE_URL; | ||
| if (envUrl?.trim()) { | ||
| return envUrl.replace(/\/$/, ""); |
P2: The trimmed value is checked for truthiness but the untrimmed value is returned. If an env var has leading/trailing whitespace, the returned URL would include that whitespace, causing malformed URLs.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/web/__tests__/helpers.ts, line 191:
<comment>The trimmed value is checked for truthiness but the untrimmed value is returned. If an env var has leading/trailing whitespace, the returned URL would include that whitespace, causing malformed URLs.</comment>
<file context>
@@ -179,3 +179,26 @@ export function getMockExecutedRule({
+ process.env.BASE_URL ||
+ process.env.APP_BASE_URL;
+ if (envUrl?.trim()) {
+ return envUrl.replace(/\/$/, "");
+ }
+ return "http://localhost:3000";
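Review bot: `replace(/\/$/, "")` on the `return envUrl...` line strips only one trailing slash, so a value such as `https://host//` still ends in `/` and any caller that appends `/path` gets a double slash. Strip from the trimmed value with `/\/+$/`, and consider passing the result through `new URL()` so that a value which is not a URL fails in this test helper instead of later.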
</file context>
| return envUrl.replace(/\/$/, ""); | |
| return envUrl.trim().replace(/\/$/, ""); |
|
|
||
| export const EXTENSION_URL = "https://go.getinboxzero.com/extension"; | ||
| export const EXTENSION_URL = | ||
| (process.env.NEXT_PUBLIC_EXTENSION_URL as string) || "#"; |
P2: Bypasses the project's env validation system. Consider importing and using the validated env object from @/env.ts instead of accessing process.env directly with a type assertion.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/web/utils/config.ts, line 25:
<comment>Bypasses the project's env validation system. Consider importing and using the validated `env` object from `@/env.ts` instead of accessing `process.env` directly with a type assertion.</comment>
<file context>
@@ -21,4 +21,5 @@ export type CoreConditionType = Extract<ConditionType, "AI" | "STATIC">;
-export const EXTENSION_URL = "https://go.getinboxzero.com/extension";
+export const EXTENSION_URL =
+ (process.env.NEXT_PUBLIC_EXTENSION_URL as string) || "#";
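Review bot: the `"#"` fallback on the `EXTENSION_URL` line turns every extension link into a no-op anchor when `NEXT_PUBLIC_EXTENSION_URL` is unset, and the `as string` assertion hides that the variable can be undefined. Export `undefined` (or read the value from the validated env) and let callers hide the link when it is missing; if the value ends up in an `href`, check that it parses as an `https:` URL first.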
</file context>
|
|
||
| ## 🔗 Useful Links | ||
|
|
||
| - **Documentation**: <your-docs-url> |
P3: Incomplete placeholder URL. Either provide the actual documentation URL or remove this line.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At LOCAL_RUN.md, line 347:
<comment>Incomplete placeholder URL. Either provide the actual documentation URL or remove this line.</comment>
<file context>
@@ -0,0 +1,385 @@
+
+## 🔗 Useful Links
+
+- **Documentation**: <your-docs-url>
+- **Main README**: [README.md](README.md)
+- **Architecture**: [ARCHITECTURE.md](ARCHITECTURE.md)
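Review bot: `<your-docs-url>` on the Documentation line is written in bare angle brackets, which Markdown treats as an inline HTML tag, so the rendered page is likely to show an empty "Documentation:" entry rather than a visible placeholder. Wrap it in backticks if it is meant as a placeholder, or drop the bullet until a URL exists.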
</file context>
|
|
||
| ```bash | ||
| # Navigate to project | ||
| cd /Users/sudipta/Workspace/personal/AI/Email/inbox-zero |
P2: Hardcoded user-specific path won't work for other developers. Use a relative path or generic placeholder instead.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At LOCAL_RUN.md, line 9:
<comment>Hardcoded user-specific path won't work for other developers. Use a relative path or generic placeholder instead.</comment>
<file context>
@@ -0,0 +1,385 @@
+
+```bash
+# Navigate to project
+cd /Users/sudipta/Workspace/personal/AI/Email/inbox-zero
+
+# Start Docker services (if not already running)
</file context>
| user: User; | ||
| isNewUser: boolean; | ||
| }) { | ||
| if (env.PRIVACY_MODE) { |
P1: Early return skips critical business logic, not just marketing integrations. The handlePendingPremiumInvite and handleReferralOnSignUp calls at the end of this function will also be skipped in privacy mode, preventing new users from being added to premium plans they were invited to and from having their referral codes processed. Consider wrapping only the marketing section (Loops, Resend, Dub) with this check instead of returning early from the entire function.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/web/utils/auth.ts, line 148:
<comment>Early return skips critical business logic, not just marketing integrations. The `handlePendingPremiumInvite` and `handleReferralOnSignUp` calls at the end of this function will also be skipped in privacy mode, preventing new users from being added to premium plans they were invited to and from having their referral codes processed. Consider wrapping only the marketing section (Loops, Resend, Dub) with this check instead of returning early from the entire function.</comment>
<file context>
@@ -145,6 +145,10 @@ async function handleSignIn({
user: User;
isNewUser: boolean;
}) {
+ if (env.PRIVACY_MODE) {
+ // Skip any marketing/analytics integrations in privacy mode
+ return;
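Review bot: the `return` under `if (env.PRIVACY_MODE)` sits at the top of `handleSignIn`, before `isNewUser` is consulted, while the comment above it scopes the skip to marketing/analytics integrations, so the code and the comment disagree about how much is skipped. Gate only the third-party calls on the flag (for example by moving them into one helper that checks `env.PRIVACY_MODE`), and add a test that runs `handleSignIn` with the flag set and asserts that the remaining steps still execute.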
</file context>
| **Company:** Inbox Zero Inc. | ||
| **Address:** 131 Continental Dr, Suite 305, Newark, Delaware, 19713, United States | ||
| **Email:** [elie@getinboxzero.com](mailto:elie@getinboxzero.com) | ||
| **Email:** [support@example.com](mailto:support@example.com) |
P1: Using example.com in a production privacy policy is incorrect - this is a reserved domain for documentation purposes and cannot receive emails. Users attempting to make data protection inquiries will be unable to reach anyone, which could be a GDPR compliance issue. This appears to be a placeholder that should be replaced with a real contact email.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/web/app/(landing)/privacy/content.mdx, line 21:
<comment>Using `example.com` in a production privacy policy is incorrect - this is a reserved domain for documentation purposes and cannot receive emails. Users attempting to make data protection inquiries will be unable to reach anyone, which could be a GDPR compliance issue. This appears to be a placeholder that should be replaced with a real contact email.</comment>
<file context>
@@ -18,7 +18,7 @@ This privacy policy aims to give you information on how Inbox Zero collects and
**Company:** Inbox Zero Inc.
**Address:** 131 Continental Dr, Suite 305, Newark, Delaware, 19713, United States
-**Email:** [elie@getinboxzero.com](mailto:elie@getinboxzero.com)
+**Email:** [support@example.com](mailto:support@example.com)
**Data Protection Inquiries:** For data protection inquiries, contact us at the email above.
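Review bot: only the Email line changes, so the policy still names Inbox Zero Inc. and its Newark address while the contact, which the next line designates for data protection inquiries, points at `support@example.com`. A self-hosted build should either keep the upstream contact or take company, address and email together from configuration, so the document never pairs a real legal entity with a placeholder mailbox.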
</file context>
|
|
||
| You can view open tasks in our [GitHub Issues](https://github.com/elie222/inbox-zero/issues). | ||
| Join our [Discord](https://www.getinboxzero.com/discord) to discuss tasks and check what's being worked on. | ||
| Join our community to discuss tasks and check what's being worked on. |
P2: Text tells users to 'join our community' but provides no way to do so. Either remove the reference to community, provide an alternative contact method, or link to a community platform.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At README.md, line 413:
<comment>Text tells users to 'join our community' but provides no way to do so. Either remove the reference to community, provide an alternative contact method, or link to a community platform.</comment>
<file context>
@@ -416,6 +410,6 @@ For more detailed Docker build instructions and security considerations, see [do
You can view open tasks in our [GitHub Issues](https://github.com/elie222/inbox-zero/issues).
-Join our [Discord](https://www.getinboxzero.com/discord) to discuss tasks and check what's being worked on.
+Join our community to discuss tasks and check what's being worked on.
[ARCHITECTURE.md](./ARCHITECTURE.md) explains the architecture of the project (LLM generated).
</file context>
| - **Email Analytics:** Track your activity and trends over time. | ||
|
|
||
| Learn more in our [docs](https://docs.getinboxzero.com). | ||
| Learn more in our docs. |
P2: Text references documentation but provides no way to access it. Either remove this sentence, restore the link, or link to internal documentation (e.g., the existing docs/ folder).
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At README.md, line 47:
<comment>Text references documentation but provides no way to access it. Either remove this sentence, restore the link, or link to internal documentation (e.g., the existing `docs/` folder).</comment>
<file context>
@@ -44,7 +44,7 @@ To help you spend less time in your inbox, so you can focus on what matters.
- **Email Analytics:** Track your activity and trends over time.
-Learn more in our [docs](https://docs.getinboxzero.com).
+Learn more in our docs.
## Feature Screenshots
</file context>
| Learn more in our docs. | |
| Learn more in our [docs](docs/). |
| ## 6. Contact Information | ||
|
|
||
| Questions or comments about the Website or these Terms of Service may be directed to our support team at support@getinboxzero.com. | ||
| Questions or comments about the Website or these Terms of Service may be directed to our support team at support@example.com. |
P1: Using support@example.com as a contact email in Terms of Service is problematic. The example.com domain is reserved for documentation purposes and cannot receive real emails. Users will be unable to reach support through this address. Consider using the actual support email or a placeholder that will be configured dynamically.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/web/app/(landing)/terms/content.mdx, line 29:
<comment>Using `support@example.com` as a contact email in Terms of Service is problematic. The `example.com` domain is reserved for documentation purposes and cannot receive real emails. Users will be unable to reach support through this address. Consider using the actual support email or a placeholder that will be configured dynamically.</comment>
<file context>
@@ -26,7 +26,7 @@ We reserve the right to revise and update these Terms of Service from time to ti
## 6. Contact Information
-Questions or comments about the Website or these Terms of Service may be directed to our support team at support@getinboxzero.com.
+Questions or comments about the Website or these Terms of Service may be directed to our support team at support@example.com.
## 7. Disclaimer of Warranties
</file context>
| function createMockDigestData(categories: string[]): DigestEmailProps { | ||
| const digestData: DigestEmailProps = { | ||
| baseUrl: "https://www.getinboxzero.com", | ||
| baseUrl: process.env.NEXT_PUBLIC_BASE_URL || "", |
P2: Empty string fallback could result in broken URLs in the digest email. Consider providing a meaningful default (e.g., "http://localhost:3000") to match the default in env.ts, or import from the typed env configuration.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/web/app/api/digest-preview/route.ts, line 46:
<comment>Empty string fallback could result in broken URLs in the digest email. Consider providing a meaningful default (e.g., `"http://localhost:3000"`) to match the default in `env.ts`, or import from the typed env configuration.</comment>
<file context>
@@ -43,7 +43,7 @@ export async function GET(request: NextRequest) {
function createMockDigestData(categories: string[]): DigestEmailProps {
const digestData: DigestEmailProps = {
- baseUrl: "https://www.getinboxzero.com",
+ baseUrl: process.env.NEXT_PUBLIC_BASE_URL || "",
unsubscribeToken: "preview-token",
emailAccountId: "preview-account",
</file context>
| baseUrl: process.env.NEXT_PUBLIC_BASE_URL || "", | |
| baseUrl: process.env.NEXT_PUBLIC_BASE_URL || "http://localhost:3000", |