feat: add dynamic published resume URLs to sitemap #963
…neerali199#537) - Fixed Next.js version: 14.2 badge and tech stack table to match package.json 14.2.30 - Standardized environment file: .env to .env.local for NextAuth convention - Clarified AI provider: Gemini marked as required, removed Mistral confusion - Updated CONTRIBUTING.md: Next.js 15 to 14.2 and AI provider clarity
…cs exposure (Muneerali199#533) Co-authored-by: Prapti <prapti123@gmail.com>
…Muneerali199#550) (Muneerali199#551)
Adds the missing rel attribute on 12 external links across the web app and browser extension to mitigate reverse-tabnabbing, where an opened page can hijack window.opener and redirect the original tab.
Affected:
- app/diagnostic/page.tsx (Stripe Dashboard link)
- components/sponsor-banner.tsx (Team Blitz sponsor link)
- extension/popup.html (footer link)
- extension/settings.html (9 API provider key/docs links)
Closes Muneerali199#550
* fix: force dynamic rendering on API routes to prevent build crash * fix:remove duplicate dynamic export and move to top of file
* feat: add request-id tracing for API responses * retrigger CI
* fix: resolve section label cutoff on hover in dark mode * fix: separate export button animations for PNG and SVG * chore: remove unrelated resume-navigation changes from export fix PR
…with toast feedback (closes Muneerali199#410) (Muneerali199#416)
…uneerali199#415) - Add API route at /api/generate/cover-letter-from-resume - Add CoverLetterFromResume UI component with resume, JD, and tone inputs - Add page at /letter/cover-letter-from-resume - Reuses existing lib/gemini.ts client, no new dependencies
…li199#534) Co-authored-by: Prapti <prapti123@gmail.com>
* feat: implement consistent sanitization with reusable helper * feat: implement standardized rate limiting utility * fix(config): resolve TS5103 compile error and remove deprecated isolatedModules option --------- Co-authored-by: Prapti <prapti123@gmail.com>
…199#461) (Muneerali199#475)
* fix: add authentication to unauthenticated AI routes (fixes Muneerali199#461)
  - Add Bearer token auth check + supabaseAdmin.getUser() to:
    - app/api/ai/enhance-content/route.ts
    - app/api/ai/generate-template/route.ts
    - app/api/campaign/generate/route.ts
    - app/api/generate/guided-resume/route.ts
    - app/api/generate/presentation-full/route.ts
    - app/api/generate/resume-guidance/route.ts
  - Add credit deduction (ACTION_COSTS.resume) to guided-resume
  - Fix enhance-content catch block returning 200 on AI failure → 500
  - Fix deprecated model gemini-1.5-flash → gemini-2.0-flash in enhance-content
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: distinguish upstream auth failures from invalid token errors in enhance-content
  - 503 for authError with status >= 500 or network-level failures (timeout, ECONNREFUSED)
  - 401 for invalid/expired token client errors
  - 401 when user is null with no authError
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Updated Syntax Issue * Patch to Prevent ReactDevtools in Prod. Builds
…ilities Muneerali199#554 (Muneerali199#559) * fix(security): implement targeted package overrides to patch vulnerabilities Muneerali199#554 * fix: correct override pins - lodash 4.18.1, dompurify 3.4.3, undici 6.24.0, remove all carets
…ession() (Muneerali199#558) Both AIResumeChat and ATSScoreDisplay were reading a key ('supabase_token') that is never written anywhere in the codebase, causing every API call to send 'Authorization: Bearer null' and silently fail. Replaced with the project-standard supabase.auth.getSession() pattern used across the rest of the codebase.
* Add AI resume bullet enhancer * Address bullet enhancer review feedback --------- Co-authored-by: Saurabh Kumar Bajpai <saurabhkumarbajpaiai@Saurabhs-MacBook-Air.local>
…ed promise (fixes Muneerali199#760) * fix: await dispatchErrorAlert and captureException to handle unhandled promise (closes Muneerali199#699) * fix: add timeout and response.ok check to Slack webhook fetch * fix: correct indentation in Slack fetch block
fixes Muneerali199#708) * refactor(share): extract share logic to hook and clean up debug console logs * fix(validation): restore sanitizeObject helper function to resolve compilation errors * fix(validation): remove duplicate sanitizeObject definition * fix(tests): align validation tests with current schema and error message API
…hing (fixes Muneerali199#605) * perf: add query timing instrumentation to resume generate route * perf: add in-memory query cache and consolidate credits fetch across all generate routes * perf: batch parallel queries with Promise.all, add DataLoader, make log writes fire-and-forget * fix: address CodeRabbit review — enforce cache size limit, handle insert race, fix action_type column name * fix: address remaining CodeRabbit review — missing cache invalidation, success rate masking, outlineOnly credit reconciliation * docs: add JSDoc docstrings to exported functions in query-cache, cached-queries, batch-loader * fix: validate standard-letter payload before credit lookup in letter route * fix: add jest-environment node directive to query-cache tests
…i199#778) * feat: add post-creation multi-template switcher (Muneerali199#430) - Add new TemplateSwitcher component (components/resume/template-switcher.tsx) - Desktop: 4-column grid with expand/collapse toggle - Mobile: horizontal snap-scroll strip (compact mode) - Color palette dots, template name, category badge per card - Active template highlighted with yellow border + checkmark - PRO templates badged - Integrate TemplateSwitcher in resume-generator.tsx - Added below ResumePreview in both Smart Builder (guided) and Quick Generate tabs - Integrate TemplateSwitcher in mobile-resume-builder.tsx - Added compact strip between TextColorPanel and download buttons in preview step - Content state (resumeData) is fully independent from selectedTemplate - No field loss during template switching - Selected template persists for exports and auto-save Closes Muneerali199#430 * feat: animate preview with fade-in on template switch (Muneerali199#430) - Add previewKey state (bumped on each switch) as React key on preview wrapper - Add handleTemplateSwitch callback that updates selectedTemplate + previewKey - Add @Keyframes fade-in and .animate-fade-in utility to globals.css - Preview fades in smoothly (0.25s ease-out) whenever template changes - No content loss — only presentation layer transitions * feat: show toast confirmation on template switch (Muneerali199#430) - Import useToast hook in TemplateSwitcher - Add handleSelect() wrapper: fires toast then delegates to onSelectTemplate - Toast message: 'Template applied ✨ — Switched to "{name}". Your content is unchanged.' 
- No-op guard: if user clicks already-selected template, no toast fires - Both MobileTemplateCard and DesktopTemplateCard now use handleSelect * feat: persist selected template to localStorage in resume-generator (Muneerali199#430) - Initialize selectedTemplate from localStorage key 'draftdeck:selectedTemplate' - Lazy useState initializer — SSR-safe (typeof window check) - handleTemplateSwitch now writes new id to localStorage on every switch - Users returning to the generator keep their last-used template - Fixes acceptance criterion: 'Selected template persists for future edits/exports' * feat: persist selected template to localStorage in mobile-resume-builder (Muneerali199#430) - Same localStorage key 'draftdeck:selectedTemplate' as desktop generator - SSR-safe lazy useState initializer with typeof window guard - setSelectedTemplate wrapper writes to localStorage on every update - Mobile and desktop flows now share the same persisted template preference - Returning mobile users land on their last-used template automatically * feat: add category filter chips to desktop TemplateSwitcher (Muneerali199#430) - Derive unique categories from RESUME_ONLY at module level (CATEGORIES constant) - Add activeCategory state (default 'All') to TemplateSwitcher - Render pill/chip buttons above the desktop grid for each category - Active chip highlighted with yellow border and bg - Selecting a chip resets isExpanded to false and filters the grid - Compact (mobile) strip is unaffected — shows all templates as before - Allows users to quickly narrow down templates by role/style (Tech, Academic, etc.) 
* feat: add ARIA accessibility attributes to TemplateSwitcher (Muneerali199#430) - Root div: role='region' + aria-label='Resume template switcher' - Grid wrappers (desktop + mobile): role='listbox' + aria-label='Resume templates' - Each template card button: role='option', aria-selected={isSelected} - Card aria-label: '{Template Name} template (currently selected)' when active - Category chips: aria-label='Filter by {cat} templates' + aria-pressed - Screen readers can now announce template switching and selection state - Full keyboard navigation preserved via existing focus-visible:ring styles * docs: add JSDoc, architecture notes, and test matrix to TemplateSwitcher (Muneerali199#430) - Expanded file-level JSDoc block in template-switcher.tsx - Architecture section documents state ownership, fade-animation mechanism, toast wrapper, and localStorage persistence strategy - Acceptance Criteria section maps each issue Muneerali199#430 requirement to its implementation - Test Matrix covers 8 scenarios: switch on desktop/mobile, no-op guard, category filter, page reload persistence, PDF export, field edit safety, screen reader - Fulfils PR review requirement from @Muneerali199: 'include a short test matrix in the PR: template switch + save + reopen + export'
…i199#779) * fix(auth): block external redirects in callback Signed-off-by: Prashant Parmar <prashantparmar9919@gmail.com> * fix(test): stabilize redirect utility typings Signed-off-by: Prashant Parmar <prashantparmar9919@gmail.com> --------- Signed-off-by: Prashant Parmar <prashantparmar9919@gmail.com>
…uneerali199#784)
The existing in-memory BoundedCache works well for single-instance deployments but is not shared across multiple server instances, so cached data is duplicated or inconsistent under horizontal scaling. This change adds an optional Redis backend powered by Upstash Redis (serverless-friendly, no persistent connection required) while preserving full backward compatibility via an environment-based fallback.
New files:
- lib/cache-redis.ts: RedisCache class implementing the same interface as BoundedCache (get, set, delete, invalidateByTag, invalidateByPrefix, flush). Tag-based invalidation uses Redis Sets to track which keys carry each tag. Prefix-based invalidation uses SCAN to avoid blocking the Redis server. All operations catch and log errors rather than crashing, so a Redis outage degrades gracefully.
Changes to lib/cache.ts:
- Imports RedisCache and isRedisConfigured() from lib/cache-redis.ts.
- Exports distributedCache: when UPSTASH_REDIS_URL and UPSTASH_REDIS_TOKEN are both present it returns a RedisCache instance; otherwise it falls back to the existing in-memory cache singleton.
Changes to .env.example:
- Documents UPSTASH_REDIS_URL and UPSTASH_REDIS_TOKEN with setup instructions and a note that they are optional.
Dependencies:
- Adds @upstash/redis (the official Upstash REST-API client).
Closes Muneerali199#724
Adds 84 tests across 5 new test files to increase coverage of core lib utilities that previously had no direct test coverage. File-by-file breakdown: - __tests__/lib/cache.test.ts (17 tests): BoundedCache get/set/delete, TTL expiry with fake timers, invalidateByTag (single and multi-tag), invalidateByPrefix, LRU eviction at max capacity, flush, size tracking, and memoizeAsync (cache hits, different keys, TTL re-execution). - __tests__/lib/logger.test.ts (13 tests): test-mode suppression, dev-mode per-level console routing (info/warn/error/debug), context serialization, Error object serialization, production JSON-structured output, debug suppression in prod, and withContext() binding. - __tests__/lib/security.test.ts (19 tests): checkRateLimit allow/block/ sliding-window reset, independent identifier tracking, isAllowedOrigin (null, same-host, draftdeckai.com, untrusted, localhost in dev), getSecurityHeaders (CSP directives form-action and frame-ancestors, HSTS presence in prod vs dev), and validateEnvironmentVariables. - __tests__/lib/error-handler.test.ts (17 tests): AppError subclass hierarchy (status codes, isOperational), captureException (return shape, count accumulation, recent errors list, plain Error fallback), dispatchErrorAlert, getEndpointSummaries, and resetDashboardStats. - __tests__/lib/api-handler.test.ts (18 tests): AppError subclass hierarchy, apiHandler wrapper success path (response passthrough, X-Request-Id header, preset header passthrough), and error-path status code mapping for all error types. Closes Muneerali199#733
…Muneerali199#782)
Before this change, the Content-Security-Policy was defined in three separate places -- next.config.js, middleware.ts (missing entirely), and netlify.toml -- with inconsistent directive sets. This created security gaps depending on which layer processed a given request.
Changes:
- lib/csp.ts: canonical TypeScript module exporting CSP_DIRECTIVES (array) and CSP_HEADER (joined string). Each directive is documented with an inline comment explaining why it is needed.
- lib/csp.mjs: JavaScript ES-module companion so next.config.js (which runs in Node.js before TS compilation) can import the same values.
- next.config.js: imports CSP_HEADER from lib/csp.mjs instead of defining an inline string.
- middleware.ts: imports CSP_HEADER from lib/csp.ts and adds it to the secHdrs() helper, so page routes now receive the same policy that next.config.js delivers for static routes.
- netlify.toml: CSP value synced to match lib/csp.ts; added a comment marking the block as a manual mirror of the canonical module.
Directives added vs. the previous next.config.js CSP:
- form-action 'self': prevents reflected-input attacks via form redirect.
- frame-ancestors 'none': blocks clickjacking (equivalent to X-Frame-Options DENY).
- https://plausible.io in script-src: Plausible analytics script was already loaded in layout.tsx but was not whitelisted.
Closes Muneerali199#735
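The drift described in the commit message above (several CSP definitions with inconsistent directive sets, and netlify.toml kept as a manual mirror) can be caught mechanically in CI. This is an added example, not code from this PR: `parseCsp`, `diffCsp` and both sample policy strings are hypothetical and constructed for illustration; only the three directives named in the commit message come from the page.

```javascript
// Added example: detect drift between a canonical CSP and a hand-maintained mirror.
// Both policy strings at the bottom are constructed samples, not the project's real policy.

// Parse a CSP header value into Map<directive name, Set<source expression>>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate empty segments / trailing ';'
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so only the first occurrence counts.
    if (policy.has(name)) continue;
    policy.set(name, new Set(tokens.slice(1)));
  }
  return policy;
}

// Return human-readable differences; an empty array means the policies match.
// Comparison ignores directive order and source order, which do not change meaning.
function diffCsp(canonicalHeader, mirrorHeader) {
  const canonical = parseCsp(canonicalHeader);
  const mirror = parseCsp(mirrorHeader);
  const findings = [];
  for (const [name, sources] of canonical) {
    if (!mirror.has(name)) {
      findings.push(`missing directive: ${name}`);
      continue;
    }
    const other = mirror.get(name);
    for (const s of sources) if (!other.has(s)) findings.push(`${name}: mirror lacks ${s}`);
    for (const s of other) if (!sources.has(s)) findings.push(`${name}: mirror adds ${s}`);
  }
  for (const name of mirror.keys()) {
    if (!canonical.has(name)) findings.push(`extra directive: ${name}`);
  }
  return findings;
}

// Constructed canonical policy using the directives the commit message names.
const CANONICAL = [
  "default-src 'self'",
  "script-src 'self' https://plausible.io",
  "form-action 'self'",
  "frame-ancestors 'none'",
].join('; ');

// Constructed stale mirror: lacks frame-ancestors and has a diverged script-src.
const STALE_MIRROR =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; form-action 'self'";

for (const finding of diffCsp(CANONICAL, STALE_MIRROR)) console.log(finding);
```

Run as a CI step, a non-empty result for the netlify.toml value would fail the build before the mirror diverges from the canonical module.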
👷 Deploy request for docmagic1 pending review. Visit the deploys page to approve it.
👷 Deploy request for docmagic-muneer pending review. Visit the deploys page to approve it.
@codewithchotu is attempting to deploy a commit to the muneerali199's projects Team on Vercel. A member of the Team first needs to authorize it.
Important: Review skipped. Too many files! This PR contains 300 files, which is 150 over the limit of 150. To get a review, narrow the scope.
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 33098201 | Triggered | Generic Password | 1726fdf | lib/tests/validation.test.ts | View secret |
| 33127064 | Triggered | Generic Password | 8a796f2 | tests/lib/validation.test.ts | View secret |
| 33127065 | Triggered | Generic Password | 8a796f2 | tests/lib/validation.test.ts | View secret |
| 33127066 | Triggered | Generic Password | 8a796f2 | tests/lib/validation.test.ts | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
Muneerali199 left a comment
Review: PR #963 — Sitemap + Massive Unrelated Changes
⚠️ This PR has fundamental issues:
1. Unrelated changes mixed together
The PR title says "sitemap" but it modifies 300+ files adding everything from new API routes (/api/search, /api/portfolio-hub, /api/jobs/ranking, /api/error-dashboard), new tests, new docs (ERROR_HANDLING.md, IMPLEMENTATION_SUMMARY.md), Dockerfile, and more. This should be split into at least 10 separate PRs.
2. Has merge conflicts
Cannot be merged without resolving conflicts first.
3. Deletes FAQ.md and app/api/documents/latex/route.ts
Removing existing files should be justified and done in a separate PR.
4. Too large for meaningful review
27k additions across 100+ files cannot be reviewed properly. Please split into focused, atomic PRs.
Verdict: Changes requested — split into focused PRs and resolve conflicts.
Summary
This PR enhances sitemap generation by including dynamically published resume URLs in addition to existing static routes.
Changes Made
app/sitemap.ts to an async sitemap generator.
/r/[subdomain] URLs in the generated sitemap.
Benefits
Testing
npm run dev.