fix: LIKE injection, upload size enforcement, N+1 queries, SSE reconnect, memory leaks, and missing model display names

[neuron-tech-ai]

Security and correctness sweep across the backend and frontend:

Security:

• Parameterize LIKE queries — raw string interpolation in LIKE clauses allows SQL injection via search inputs
• Enforce upload size server-side before reading content into memory

Performance:

• Batch N+1 queries in story and generation list endpoints
• Cache inspect.signature() calls that were re-evaluated on every TTS generation

Frontend correctness:

• Fix SSE reconnect loop — reconnected immediately on close rather than backing off, flooding the server
• Fix AudioContext leak — contexts were created but never closed on component teardown
• Fix object URL leak — createObjectURL results were never revoked

Polish:

• Add missing display names for all models (several showed raw IDs in the UI)
• Remove console.log noise from hot-path components

[coderabbitai]

Warning

Rate limit exceeded

@neuron-tech-ai has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 47 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fe3a5c07-4367-464e-a787-c15ed5e66568

📥 Commits

Reviewing files that changed from the base of the PR and between b35b909 and 297a09b.

⛔ Files ignored due to path filters (6)

• bun.lock is excluded by !**/*.lock
• tauri/src-tauri/gen/schemas/acl-manifests.json is excluded by !**/gen/**
• tauri/src-tauri/gen/schemas/capabilities.json is excluded by !**/gen/**
• tauri/src-tauri/gen/schemas/desktop-schema.json is excluded by !**/gen/**
• tauri/src-tauri/gen/schemas/macOS-schema.json is excluded by !**/gen/**
• tauri/src-tauri/gen/schemas/windows-schema.json is excluded by !**/gen/**

📒 Files selected for processing (147)

• .mcp.json
• app/index.html
• app/package.json
• app/plugins/changelog.ts
• app/src/components/AccessibilityGate/AccessibilityGate.tsx
• app/src/components/CapturePill/CapturePill.tsx
• app/src/components/CapturesTab/CapturesTab.tsx
• app/src/components/CapturesTab/DictationReadinessChecklist.tsx
• app/src/components/ChordPicker/ChordPicker.tsx
• app/src/components/DictateWindow/DictateWindow.tsx
• app/src/components/Generation/FloatingGenerateBox.tsx
• app/src/components/History/HistoryTable.tsx
• app/src/components/InputMonitoringGate/InputMonitoringGate.tsx
• app/src/components/ListPane.tsx
• app/src/components/ServerSettings/ModelManagement.tsx
• app/src/components/ServerSettings/ModelProgress.tsx
• app/src/components/ServerTab/CapturesPage.tsx
• app/src/components/ServerTab/GeneralPage.tsx
• app/src/components/ServerTab/GenerationPage.tsx
• app/src/components/ServerTab/LogsPage.tsx
• app/src/components/ServerTab/MCPPage.tsx
• app/src/components/ShinyText.tsx
• app/src/components/Sidebar.tsx
• app/src/components/StoriesTab/StoryTrackEditor.tsx
• app/src/components/VoiceProfiles/ProfileCard.tsx
• app/src/components/VoiceProfiles/ProfileForm.tsx
• app/src/components/VoiceProfiles/ProfileList.tsx
• app/src/components/ui/badge.tsx
• app/src/components/ui/button.tsx
• app/src/hooks/useAutoUpdater.ts
• app/src/index.css
• app/src/lib/api/client.ts
• app/src/lib/api/core/request.ts
• app/src/lib/hooks/useAudioPlayer.ts
• app/src/lib/hooks/useCaptureRecordingSession.ts
• app/src/lib/hooks/useChordSync.ts
• app/src/lib/hooks/useDictationReadiness.ts
• app/src/lib/hooks/useGenerationForm.ts
• app/src/lib/hooks/useGenerationProgress.ts
• app/src/lib/hooks/useMCPBindings.ts
• app/src/lib/hooks/useModelDownloadToast.tsx
• app/src/lib/hooks/useRestoreActiveTasks.tsx
• app/src/lib/hooks/useSettings.ts
• app/src/lib/hooks/useStoryPlayback.ts
• app/src/lib/utils/audio.ts
• app/src/lib/utils/keyCodes.ts
• app/src/stores/serverStore.ts
• app/src/stores/storyStore.ts
• app/src/types/index.ts
• backend/app.py
• backend/backends/__init__.py
• backend/backends/base.py
• backend/backends/chatterbox_backend.py
• backend/backends/chatterbox_turbo_backend.py
• backend/backends/hume_backend.py
• backend/backends/kokoro_backend.py
• backend/backends/luxtts_backend.py
• backend/backends/pytorch_backend.py
• backend/backends/qwen_custom_voice_backend.py
• backend/backends/qwen_llm_backend.py
• backend/config.py
• backend/database/__init__.py
• backend/database/seed.py
• backend/database/session.py
• backend/main.py
• backend/mcp_server/context.py
• backend/mcp_server/events.py
• backend/mcp_server/resolve.py
• backend/mcp_server/server.py
• backend/mcp_server/tools.py
• backend/mcp_shim/__main__.py
• backend/models.py
• backend/pyi_rth_numpy_compat.py
• backend/pyi_rth_torch_compiler_disable.py
• backend/routes/__init__.py
• backend/routes/audio.py
• backend/routes/captures.py
• backend/routes/channels.py
• backend/routes/effects.py
• backend/routes/events.py
• backend/routes/generations.py
• backend/routes/history.py
• backend/routes/mcp_bindings.py
• backend/routes/models.py
• backend/routes/speak.py
• backend/routes/stories.py
• backend/routes/tasks.py
• backend/routes/transcription.py
• backend/server.py
• backend/services/captures.py
• backend/services/channels.py
• backend/services/cuda.py
• backend/services/effects.py
• backend/services/export_import.py
• backend/services/generation.py
• backend/services/history.py
• backend/services/llm.py
• backend/services/personality.py
• backend/services/refinement.py
• backend/services/settings.py
• backend/services/stories.py
• backend/services/task_queue.py
• backend/services/transcribe.py
• backend/services/tts.py
• backend/services/versions.py
• backend/utils/audio.py
• backend/utils/cache.py
• backend/utils/capture_chords.py
• backend/utils/chunked_tts.py
• backend/utils/dac_shim.py
• backend/utils/effects.py
• backend/utils/hf_offline_patch.py
• backend/utils/hf_progress.py
• backend/utils/images.py
• backend/utils/platform_detect.py
• backend/utils/progress.py
• backend/utils/tasks.py
• docs/app/[[...slug]]/page.tsx
• docs/cli.json
• docs/openapi.json
• landing/src/app/capture/page.tsx
• landing/src/app/download/page.tsx
• landing/src/app/page.tsx
• landing/src/app/sponsors/page.tsx
• landing/src/components/AgentIntegration.tsx
• landing/src/components/ApiSection.tsx
• landing/src/components/CaptureHero.tsx
• landing/src/components/CaptureSection.tsx
• landing/src/components/CapturesMockup.tsx
• landing/src/components/Features.tsx
• landing/src/components/LandingAudioPlayer.tsx
• landing/src/components/Personalities.tsx
• landing/src/components/SponsorPromo.tsx
• landing/src/components/SupportedModels.tsx
• landing/src/components/TutorialsSection.tsx
• landing/src/components/VoiceCreator.tsx
• landing/src/components/ui/feature-card.tsx
• landing/src/components/ui/section.tsx
• landing/src/lib/sponsors.ts
• scripts/setup-dev-sidecar.js
• tauri/index.html
• tauri/src-tauri/src/audio_capture/linux.rs
• tauri/src-tauri/src/audio_capture/macos.rs
• tauri/src-tauri/src/audio_capture/mod.rs
• tauri/src-tauri/src/hotkey_monitor.rs
• tauri/src-tauri/src/keyboard_layout.rs
• tauri/src-tauri/src/main.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}