Apply reviewer suggestions for PR #159

Made-with: Cursor

Author: beenycool

app/(coach)/dashboard/DashboardClient.tsx

@@ -38,7 +38,6 @@ import {
     getStudyStreak,
     getWeeklyAttemptStats,
 } from '../../services/studentOS';
-import type { QuestionAttempt } from '../../services/studentOS/types';
 import { generateDashboardInsights } from '../../services/AICoachService';
 
 interface AIInsights {
@@ -172,7 +171,7 @@ export default function DashboardClient({
     }, [subjectStats]);
 
     const topWeaknesses = useMemo(() => {
-        const counts = weaknessCountsFromAttempts(attempts as QuestionAttempt[]);
+        const counts = weaknessCountsFromAttempts(attempts);
         return pickTopWeaknesses(counts, 6);
     }, [attempts]);
 

app/api/gemini/route.js

@@ -2,6 +2,8 @@ import { NextResponse } from 'next/server';
 import { createClient } from '@/app/lib/supabase/server';
 
 const GEMINI_API_KEY = process.env.GEMINI_API_KEY || "";
+// ~3.2M base64 chars ≈ ~2.4MB binary — stay under typical 4.5MB request limits (e.g. Vercel).
+const MAX_INLINE_BASE64_CHARS = 3_200_000;
 
 export async function POST(request) {
     try {
@@ -79,8 +81,6 @@ export async function POST(request) {
                                     console.warn('Could not extract mime type');
                                     continue;
                                 }
-                                // ~3.2M base64 chars ≈ ~2.4MB binary — stay under typical 4.5MB request limits (e.g. Vercel).
-                                const MAX_INLINE_BASE64_CHARS = 3_200_000;
                                 if (data.length > MAX_INLINE_BASE64_CHARS) {
                                     return NextResponse.json(
                                         {

app/api/hackclub/route.ts

@@ -18,7 +18,7 @@ export async function POST(request: Request) {
             );
         }
 
-        const { success } = await checkRateLimit(user.id, 10);
+        const { success } = await checkRateLimit(user.id, 10, 'hackclub');
         if (!success) {
             return NextResponse.json({ error: "Rate limit exceeded. Please wait a minute." }, { status: 429 });
         }

app/api/openrouter/route.ts

@@ -68,7 +68,7 @@ export async function POST(request: Request) {
             );
         }
 
-        const { success } = await checkRateLimit(user.id, 10);
+        const { success } = await checkRateLimit(user.id, 10, 'openrouter');
         if (!success) {
             return NextResponse.json({ error: "Rate limit exceeded. Please wait a minute." }, { status: 429 });
         }

app/components/UIComponents.tsx

@@ -5,6 +5,17 @@ import DOMPurify from 'dompurify';
 import { Upload, CheckCircle, Brain, ChevronRight, RefreshCw, Sparkles, Send, RotateCcw, X, Check } from 'lucide-react';
 import katex from 'katex';
 
+let dompurifyAnchorRelHookRegistered = false;
+function ensureDompurifyAnchorRelHook() {
+    if (dompurifyAnchorRelHookRegistered) return;
+    DOMPurify.addHook('afterSanitizeAttributes', (node: Element) => {
+        if (node.tagName === 'A') {
+            node.setAttribute('rel', 'noopener noreferrer');
+        }
+    });
+    dompurifyAnchorRelHookRegistered = true;
+}
+
 interface MarkdownTextProps {
   text: string;
   className?: string;
@@ -247,7 +258,7 @@ const renderMarkdown = (rawText: string): string => {
 // ⚡ Bolt: Hoisted DOMPurify configuration object outside the component body.
 // This prevents recreating this large configuration object on every useMemo computation
 // when rendering MarkdownText, reducing memory allocation overhead and GC churn.
-const DOMPURIFY_CONFIG = {
+const DOMPURIFY_CONFIG: import('dompurify').Config = {
     ADD_TAGS: ['math', 'mrow', 'annotation', 'semantics', 'mtext', 'mn', 'mo', 'mi', 'mspace', 'mover', 'munder', 'munderover', 'mfrac', 'msqrt', 'mroot', 'merror', 'mpadded', 'mphantom', 'menclose', 'ms', 'mglyph', 'maligngroup', 'malignmark', 'mtable', 'mtr', 'mtd', 'svg', 'path', 'line', 'circle', 'rect', 'polygon', 'polyline', 'ellipse', 'g', 'defs', 'clippath', 'use'],
     ADD_ATTR: ['aria-hidden', 'focusable', 'role', 'd', 'viewBox', 'fill', 'stroke', 'stroke-width', 'x', 'y', 'width', 'height', 'xmlns', 'xlink:href'],
     ALLOWED_TAGS: [
@@ -267,16 +278,12 @@ const DOMPURIFY_CONFIG = {
         'ul'
     ],
     ALLOWED_ATTR: ['class', 'style'],
-    afterSanitizeAttributes(node: Element) {
-        if (node.tagName === 'A') {
-            node.setAttribute('rel', 'noopener noreferrer');
-        }
-    }
-} as import('dompurify').Config;
+};
 
 export const MarkdownText = memo(({ text, className = "" }: MarkdownTextProps) => {
     const sanitizedHTML = useMemo(() => {
         if (!text) return "";
+        ensureDompurifyAnchorRelHook();
         const rendered = renderMarkdown(text);
         return DOMPurify.sanitize(rendered, DOMPURIFY_CONFIG);
     }, [text]);

app/lib/rateLimit.ts

@@ -16,18 +16,26 @@ const upstashToken = process.env.UPSTASH_REDIS_REST_TOKEN;
 const upstashRedis =
     upstashUrl && upstashToken ? new Redis({ url: upstashUrl, token: upstashToken }) : null;
 
-const upstashLimiters = new Map<number, Ratelimit>();
+if (upstashRedis) {
+    console.info('[rateLimit] Upstash Redis rate limiting enabled');
+} else {
+    console.info('[rateLimit] Using in-memory rate limiting (no Upstash config)');
+}
+
+const upstashLimiters = new Map<string, Ratelimit>();
 
-function getUpstashLimiter(limit: number): Ratelimit | null {
+function getUpstashLimiter(namespace: string, limit: number): Ratelimit | null {
     if (!upstashRedis) return null;
-    let lim = upstashLimiters.get(limit);
+    const key = `${namespace}:${limit}`;
+    let lim = upstashLimiters.get(key);
     if (!lim) {
+        const safeNs = namespace.replace(/[^a-zA-Z0-9_-]/g, '_');
         lim = new Ratelimit({
             redis: upstashRedis,
             limiter: Ratelimit.slidingWindow(limit, '60 s'),
-            prefix: 'aimarker-rl',
+            prefix: `aimarker-rl:${safeNs}`,
         });
-        upstashLimiters.set(limit, lim);
+        upstashLimiters.set(key, lim);
     }
     return lim;
 }
@@ -80,12 +88,14 @@ function checkRateLimitInMemory(identifier: string, limit: number): { success: b
  */
 export async function checkRateLimit(
     identifier: string,
-    limit: number = 10
+    limit: number = 10,
+    namespace: string = 'global'
 ): Promise<{ success: boolean; limit: number; remaining: number }> {
-    const lim = getUpstashLimiter(limit);
+    const lim = getUpstashLimiter(namespace, limit);
     if (lim) {
         const res = await lim.limit(identifier);
         return { success: res.success, limit, remaining: res.remaining };
     }
-    return checkRateLimitInMemory(identifier, limit);
+    const namespacedId = `${namespace}:${identifier}`;
+    return checkRateLimitInMemory(namespacedId, limit);
 }

app/services/studentOS/attempts.ts

@@ -43,7 +43,9 @@ export async function logQuestionAttemptSafe(row: Partial<QuestionAttempt>, clie
   }
 }
 
-export function weaknessCountsFromAttempts(attempts: QuestionAttempt[]): Record<string, number> {
+export function weaknessCountsFromAttempts(
+  attempts: { primary_flaw?: string | null }[]
+): Record<string, number> {
   const counts: Record<string, number> = {};
   for (const a of attempts || []) {
     const key = (a.primary_flaw || '').trim();
@@ -116,7 +118,6 @@ export async function getTopicPerformance(studentId: string, client?: StudentOSS
       .select('subject_id, marks_awarded, marks_total, primary_flaw, question_type')
       .eq('student_id', studentId)
       .order('attempted_at', { ascending: false })
-      .limit(500)
       .returns<
         {
           subject_id: string | null;
@@ -179,7 +180,6 @@ export async function getSubjectPerformance(studentId: string, client?: StudentO
       .select('subject_id, marks_awarded, marks_total')
       .eq('student_id', studentId)
       .order('attempted_at', { ascending: false })
-      .limit(500)
       .returns<{ subject_id: string | null; marks_awarded: number | null; marks_total: number | null }[]>();
 
     if (error || !attempts?.length) return {};

app/services/studentOS/sessions.ts

@@ -1,4 +1,3 @@
-import { supabase } from '../supabaseClient';
 import { isoToday } from '../dateUtils';
 import { StudySession } from './types';
 import { clientOrDefault, type StudentOSSupabase } from './getSupabase';
@@ -47,9 +46,10 @@ export async function getOrCreateTodayDailySession(
   return inserted;
 }
 
-export async function completeSession(studentId: string, sessionId: string, reflection: string): Promise<StudySession> {
+export async function completeSession(studentId: string, sessionId: string, reflection: string, client?: StudentOSSupabase): Promise<StudySession> {
   if (!studentId) throw new Error('studentId required');
-  const { data, error } = await (supabase.from('study_sessions') as any)
+  const db = clientOrDefault(client);
+  const { data, error } = await (db.from('study_sessions') as any)
     .update({
       status: 'done',
       reflection,
@@ -64,10 +64,10 @@ export async function completeSession(studentId: string, sessionId: string, refl
   return data;
 }
 
-export async function listSessions(studentId: string, { fromDateISO, toDateISO }: { fromDateISO?: string; toDateISO?: string }): Promise<StudySession[]> {
+export async function listSessions(studentId: string, { fromDateISO, toDateISO }: { fromDateISO?: string; toDateISO?: string } = {}, client?: StudentOSSupabase): Promise<StudySession[]> {
   if (!studentId) throw new Error('studentId required');
-
-  let q = supabase.from('study_sessions').select('*').eq('student_id', studentId).order('planned_for', { ascending: true });
+  const db = clientOrDefault(client);
+  let q = db.from('study_sessions').select('*').eq('student_id', studentId).order('planned_for', { ascending: true });
 
   if (fromDateISO) q = q.gte('planned_for', fromDateISO);
   if (toDateISO) q = q.lte('planned_for', toDateISO);
@@ -80,8 +80,9 @@ export async function listSessions(studentId: string, { fromDateISO, toDateISO }
 /**
  * Create a new study session
  */
-export async function createSession(studentId: string, sessionData: Partial<StudySession>): Promise<StudySession> {
+export async function createSession(studentId: string, sessionData: Partial<StudySession>, client?: StudentOSSupabase): Promise<StudySession> {
   if (!studentId) throw new Error('studentId required');
+  const db = clientOrDefault(client);
   const payload = {
     student_id: studentId,
     subject_id: sessionData.subject_id || null,
@@ -94,17 +95,18 @@ export async function createSession(studentId: string, sessionData: Partial<Stud
     topic: sessionData.topic || null,
     start_time: sessionData.start_time || null,
   };
-  const { data, error } = await supabase.from('study_sessions').insert(payload as any).select('*').single();
+  const { data, error } = await db.from('study_sessions').insert(payload as any).select('*').single();
   if (error) throw error;
   return data;
 }
 
 /**
  * Update an existing study session
  */
-export async function updateSession(studentId: string, sessionId: string, patch: Partial<StudySession>): Promise<StudySession> {
+export async function updateSession(studentId: string, sessionId: string, patch: Partial<StudySession>, client?: StudentOSSupabase): Promise<StudySession> {
   if (!studentId) throw new Error('studentId required');
-  const { data, error } = await (supabase.from('study_sessions') as any)
+  const db = clientOrDefault(client);
+  const { data, error } = await (db.from('study_sessions') as any)
     .update({ ...patch, updated_at: new Date().toISOString() })
     .eq('student_id', studentId)
     .eq('id', sessionId)
@@ -117,9 +119,10 @@ export async function updateSession(studentId: string, sessionId: string, patch:
 /**
  * Delete a study session
  */
-export async function deleteSession(studentId: string, sessionId: string): Promise<void> {
+export async function deleteSession(studentId: string, sessionId: string, client?: StudentOSSupabase): Promise<void> {
   if (!studentId) throw new Error('studentId required');
-  const { error } = await supabase
+  const db = clientOrDefault(client);
+  const { error } = await db
     .from('study_sessions')
     .delete()
     .eq('student_id', studentId)
@@ -131,11 +134,12 @@ export async function deleteSession(studentId: string, sessionId: string): Promi
  * Batch save sessions from AI-generated schedule
  * Clears existing planned sessions for the week and inserts new ones
  */
-export async function saveSchedule(studentId: string, sessions: Partial<StudySession>[], weekStartISO: string, weekEndISO: string): Promise<StudySession[]> {
+export async function saveSchedule(studentId: string, sessions: Partial<StudySession>[], weekStartISO: string, weekEndISO: string, client?: StudentOSSupabase): Promise<StudySession[]> {
   if (!studentId) throw new Error('studentId required');
+  const db = clientOrDefault(client);
 
   // Delete existing planned sessions for this week (except completed ones)
-  const { error: deleteError } = await supabase
+  const { error: deleteError } = await db
     .from('study_sessions')
     .delete()
     .eq('student_id', studentId)
@@ -161,7 +165,7 @@ export async function saveSchedule(studentId: string, sessions: Partial<StudySes
 
   if (payloads.length === 0) return [];
 
-  const { data, error } = await supabase.from('study_sessions').insert(payloads as any).select('*');
+  const { data, error } = await db.from('study_sessions').insert(payloads as any).select('*');
   if (error) throw error;
   return data || [];
 }
@@ -236,15 +240,16 @@ export async function getStudyStreak(studentId: string, client?: StudentOSSupaba
  * Get recent study history (last 14 days) to avoid repetition in AI scheduling
  * Returns topics that were recently studied so AI can schedule spaced repetition
  */
-export async function getRecentStudyHistory(studentId: string, days = 14) {
+export async function getRecentStudyHistory(studentId: string, days = 14, client?: StudentOSSupabase) {
   if (!studentId) return { recentTopics: [], completedSessions: [], skippedCount: 0 };
 
   try {
+    const db = clientOrDefault(client);
     const startDate = new Date();
     startDate.setDate(startDate.getDate() - days);
     const startISO = startDate.toISOString().split('T')[0];
 
-    const { data: sessions, error } = await supabase
+    const { data: sessions, error } = await db
       .from('study_sessions')
       .select('id, subject_id, topic, status, planned_for, duration_minutes, session_type')
       .eq('student_id', studentId)
@@ -293,15 +298,16 @@ export async function getRecentStudyHistory(studentId: string, days = 14) {
  * Get session completion stats for AI feedback loop
  * Tracks patterns in when sessions are completed vs skipped
  */
-export async function getSessionCompletionStats(studentId: string) {
+export async function getSessionCompletionStats(studentId: string, client?: StudentOSSupabase) {
   if (!studentId) return { completionRate: 0, byDayOfWeek: {}, byTimeOfDay: {}, insights: [] };
 
   try {
+    const db = clientOrDefault(client);
     const thirtyDaysAgo = new Date();
     thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
     const startISO = thirtyDaysAgo.toISOString().split('T')[0];
 
-    const { data: sessions, error } = await supabase
+    const { data: sessions, error } = await db
       .from('study_sessions')
       .select('id, status, planned_for, session_type, duration_minutes, start_time')
       .eq('student_id', studentId)