fix: address critical quality-debt from PR #152 review feedback

[marcusquinn]

Summary

Addresses all 6 actionable findings and 6 nitpick comments from CodeRabbit's review of PR #152, covering security hardening across subagent documentation code examples.

Critical fixes (6 actionable)

• hono.md: Admin middleware now validates Bearer token scheme, verifies the token via verifyToken(), and attaches decoded user to context — previously only checked header existence
• hono.md: File upload handler now sanitizes filenames (strips path separators, normalizes unsafe chars, prevents dotfiles)
• drizzle.md: Seed script now supports ALLOW_DB_WIPE=true env var for explicit production opt-in, while still blocking destructive deletes by default
• vercel-ai-sdk.md: Already had DOMPurify sanitization (fixed in PR feat(agents): add technology stack subagents for modern web development #152 itself) — verified correct
• better-auth.md: Already had env var validation loop (fixed in PR feat(agents): add technology stack subagents for modern web development #152 itself) — verified correct
• i18next.md: Frontmatter already correct — validation script hardened with shebang, set -euo pipefail, jq prerequisite check, missing-file guards, and proper variable quoting

Nitpick fixes (6)

• tailwind-css.md: Validate numeric width value before CSS variable injection
• hono.md: Structured error logging with conditional stack trace (production-safe)
• better-auth.md: Added Zod password strength validation to sign-up example
• react-context.md: Added SameSite=Lax to all cookie operations (4 locations)
• i18next.md: Covered by the hardened validation script above

Files changed

• .agents/tools/api/better-auth.md
• .agents/tools/api/drizzle.md
• .agents/tools/api/hono.md
• .agents/tools/ui/i18next.md
• .agents/tools/ui/tailwind-css.md
• .agents/tools/ui/react-context.md

Closes #3482

Summary by CodeRabbit

• New Features

  • Added password strength validation during sign-up with minimum length and character-type requirements.

• Bug Fixes

  • Implemented Bearer token verification in route middleware with proper 401 error responses.
  • Added filename sanitization for file uploads to prevent invalid characters and dotfiles.
  • Added numeric validation for CSS width values to prevent invalid styles.

• Security

  • Added SameSite=Lax attribute to sidebar state cookies.
  • Improved error logging with structured messages including request context (non-production only).

• Chores

  • Enhanced translation validation script with configurable locales and better error handling.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 16 minutes and 0 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3ab7405a-dc8c-42d0-9a81-5f6c5b640da4

📥 Commits

Reviewing files that changed from the base of the PR and between 6892743 and cc5e478.

📒 Files selected for processing (5)

• .agents/tools/api/better-auth.md
• .agents/tools/api/drizzle.md
• .agents/tools/api/hono.md
• .agents/tools/ui/i18next.md
• .agents/tools/ui/tailwind-css.md

Walkthrough

These changes implement critical security and robustness improvements across API documentation examples and UI configuration patterns, addressing review feedback by introducing input validation, enhanced error handling, safety guards for destructive operations, and secure cookie attributes.

Changes

Cohort / File(s)	Summary
Authentication & Validation .agents/tools/api/better-auth.md	Adds client-side password validation using zod with minimum length and character-type requirements; validates password strength before sign-up submission.
Database Seeding & Logging .agents/tools/api/drizzle.md	Replaces unconditional production guard with conditional seeding gated by ALLOW_DB_WIPE environment variable; adds NODE_ENV to seeding logs and clarifies deletion order with comments.
HTTP Middleware & File Security .agents/tools/api/hono.md	Adds Bearer token validation and user extraction in /api/admin/* middleware; implements structured error logging with method/path context; sanitizes uploaded filenames by removing path separators and preventing dotfiles.
Internationalization Validation .agents/tools/ui/i18next.md	Replaces inline diff loop with hardened Bash script; adds prerequisite checks (jq), configurable locale lists, base locale file verification, and per-locale skip warnings.
Cookie Security .agents/tools/ui/react-context.md	Adds SameSite=Lax attribute to all document.cookie assignments for sidebar state and width persistence.
CSS Injection Prevention .agents/tools/ui/tailwind-css.md	Introduces numeric validation for sidebar width, defaulting to 384 if width is not a positive number, before CSS variable injection.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• feat(agents): add technology stack subagents for modern web development #152 — The original PR that introduced these documentation files; this PR directly addresses all critical and nitpick review feedback from that PR.

Suggested labels

needs-review, security, quality-debt

Poem

🔐 Feedback loop complete, security refined,
Validation gates and sanitization aligned,
Guards in the database, tokens verified true,
Cookies now safer, CSS injection-proof too!
Zero debt earned through the review machine. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically identifies the PR's purpose: addressing quality debt from a prior review feedback on PR #152.
Linked Issues check	✅ Passed	All 6 critical actionable findings and 6 nitpick fixes from issue #3482 are implemented: hono.md Bearer token validation and file sanitization, drizzle.md ALLOW_DB_WIPE gating, better-auth.md password validation, i18next.md script hardening, tailwind-css.md numeric validation, react-context.md SameSite=Lax cookies.
Out of Scope Changes check	✅ Passed	All 6 file changes are directly scoped to the actionable security findings and nitpick comments listed in issue #3482; no unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/quality-debt-pr152

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 125 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Mar 7 20:01:01 UTC 2026: Code review monitoring started
Sat Mar 7 20:01:01 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 125

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 125
• VULNERABILITIES: 0

Generated on: Sat Mar 7 20:01:04 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[marcusquinn]

@coderabbitai review

Review bots were rate-limited when this PR was created (affected: coderabbitai gemini-code-assist). Requesting a review retry.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

@marcusquinn: Understood! Kicking off the review now for PR #3506. I'll analyze all 12 fixes (6 actionable + 6 nitpick) across the security-hardened subagent documentation files — hono.md, drizzle.md, better-auth.md, i18next.md, tailwind-css.md, and react-context.md.

---

🧠 Learnings used

Learnt from: marcusquinn
Repo: marcusquinn/aidevops PR: 0
File: :0-0
Timestamp: 2026-03-03T16:33:18.313Z
Learning: For the marcusquinn/aidevops repository: The daily quality sweep system (pulse-wrapper.sh) should only mention coderabbitai for full codebase review when there are significant changes (Quality Gate failure, +10 issues in one day, etc.), not on every automated sweep with stable metrics.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.agents/tools/api/drizzle.md (1)

241-254: ⚠️ Potential issue | 🟠 Major

Wrap the wipe-and-reseed sequence in a transaction.

If any insert fails after Line 242 or Line 243, this example leaves the database empty. That is especially risky now that production override is documented. Make the delete/insert block atomic with db.transaction(...).

Suggested fix

-  // Clear existing data (order matters: delete children before parents)
-  await db.delete(posts);
-  await db.delete(users);
-
-  // Insert seed data
-  const [user] = await db
-    .insert(users)
-    .values({ email: "admin@example.com", name: "Admin" })
-    .returning();
-
-  await db.insert(posts).values([
-    { title: "First Post", authorId: user.id },
-    { title: "Second Post", authorId: user.id },
-  ]);
+  await db.transaction(async (tx) => {
+    // Clear existing data (order matters: delete children before parents)
+    await tx.delete(posts);
+    await tx.delete(users);
+
+    const [user] = await tx
+      .insert(users)
+      .values({ email: "admin@example.com", name: "Admin" })
+      .returning();
+
+    await tx.insert(posts).values([
+      { title: "First Post", authorId: user.id },
+      { title: "Second Post", authorId: user.id },
+    ]);
+  });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/tools/api/drizzle.md around lines 241 - 254, The sequence deletes
and then inserts using db.delete(posts), db.delete(users), db.insert(users)...
and db.insert(posts)... is not atomic and can leave the DB empty on failure;
wrap the entire wipe-and-reseed sequence in a transaction by calling
db.transaction and performing all operations using the transaction handle (e.g.,
tx.delete(posts), tx.delete(users), tx.insert(users).values(...).returning(),
tx.insert(posts).values(...)), preserving the delete-children-before-parents
order and returning the created user from the transactional insert so the
subsequent post inserts use tx-scoped results.

🧹 Nitpick comments (1)

.agents/tools/ui/tailwind-css.md (1)

77-79: Tighten the numeric guard before CSS injection.

typeof width === "number" && width > 0 still lets Infinity through, so this can render Infinitypx. Prefer Number.isFinite(width) here, and clamp if this snippet is meant to mirror the sidebar provider bounds.

Suggested tweak

-const sanitizedWidth = typeof width === 'number' && width > 0 ? width : 384;
+const sanitizedWidth = Number.isFinite(width) && width > 0 ? width : 384;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/tools/ui/tailwind-css.md around lines 77 - 79, The numeric guard for
width should reject Infinity and non-finite values and optionally clamp to
provider bounds: replace the typeof/greater-than check for width with
Number.isFinite(width) and then constrain the value between the provider's
min/max (e.g., clamp sanitizedWidth to those bounds) before injecting into the
CSS; update the variable referenced (sanitizedWidth) so the style uses a finite,
bounded pixel value.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/tools/api/better-auth.md:
- Around line 145-157: The client-side password validation (passwordSchema and
handleSignUp) is only UX and not a security boundary; ensure the README/example
either adds matching server-side validation in the signUp.email() path or
clearly states that the server must revalidate password strength before creating
accounts. Update the docs or example to reference the server-side validator
function (e.g., the backend equivalent of passwordSchema used inside
signUp.email handler) and show that signUp.email() will perform the same checks
and return errors if validation fails.

In @.agents/tools/api/hono.md:
- Around line 127-140: The middleware for "/api/admin/*" currently calls
verifyToken(token) directly and lets thrown exceptions bubble to the global
handler; wrap the verifyToken call in a try/catch inside the middleware (the
anonymous app.use handler) and on any verification error return c.json({ error:
"Invalid or expired token" }, 401) instead of rethrowing; ensure you still set
c.set("user", user) and await next() only when verification succeeds, and
optionally log the verification error for diagnostics.
- Around line 243-252: After sanitizing file.name into safeName, ensure it
cannot be empty and is unique for storage: if safeName becomes an empty string
or a generic value, replace it with a generated fallback basename (e.g., "file"
+ timestamp/UUID) and prepend or append a server-side unique token (timestamp,
nanoid, or UUID) to the stored filename to avoid collisions; update any
subsequent uses (the storage logic that consumes safeName and the response
returned via c.json) to use this final uniqueName while still returning a
user-friendly original sanitized name if desired.

In @.agents/tools/ui/i18next.md:
- Around line 266-276: The usage note and the explicit cd conflict: update the
instruction header from "Run from packages/i18n/src/translations/ directory" to
"Run from repository root" and remove the redundant cd command ("cd
packages/i18n/src/translations"); alternatively, if you prefer to require
starting in the translations directory, leave the header as-is and remove or
adjust the note that tells readers to run from elsewhere—refer to the variables
BASE_LOCALE, TARGET_LOCALES, and NAMESPACE in the same block to ensure the
context remains correct.

---

Outside diff comments:
In @.agents/tools/api/drizzle.md:
- Around line 241-254: The sequence deletes and then inserts using
db.delete(posts), db.delete(users), db.insert(users)... and db.insert(posts)...
is not atomic and can leave the DB empty on failure; wrap the entire
wipe-and-reseed sequence in a transaction by calling db.transaction and
performing all operations using the transaction handle (e.g., tx.delete(posts),
tx.delete(users), tx.insert(users).values(...).returning(),
tx.insert(posts).values(...)), preserving the delete-children-before-parents
order and returning the created user from the transactional insert so the
subsequent post inserts use tx-scoped results.

---

Nitpick comments:
In @.agents/tools/ui/tailwind-css.md:
- Around line 77-79: The numeric guard for width should reject Infinity and
non-finite values and optionally clamp to provider bounds: replace the
typeof/greater-than check for width with Number.isFinite(width) and then
constrain the value between the provider's min/max (e.g., clamp sanitizedWidth
to those bounds) before injecting into the CSS; update the variable referenced
(sanitizedWidth) so the style uses a finite, bounded pixel value.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ee2c1a12-cc00-4196-b79d-723af26b4ba7

📥 Commits

Reviewing files that changed from the base of the PR and between 42bc6cb and 6892743.

📒 Files selected for processing (6)

• .agents/tools/api/better-auth.md
• .agents/tools/api/drizzle.md
• .agents/tools/api/hono.md
• .agents/tools/ui/i18next.md
• .agents/tools/ui/react-context.md
• .agents/tools/ui/tailwind-css.md

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 125 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Mar 7 20:19:20 UTC 2026: Code review monitoring started
Sat Mar 7 20:19:21 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 125

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 125
• VULNERABILITIES: 0

Generated on: Sat Mar 7 20:19:23 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

All 4 review threads resolved in cc5e478. Dismissing stale CHANGES_REQUESTED state.