Skip to content

fix(access): add document_read and document_upload rate-limit buckets#297

Merged
BigSimmo merged 2 commits into
cursor/fix-all-db-issues-5f13from
cursor/access-hardening-document-rate-limits-1eb5
Jul 5, 2026
Merged

fix(access): add document_read and document_upload rate-limit buckets#297
BigSimmo merged 2 commits into
cursor/fix-all-db-issues-5f13from
cursor/access-hardening-document-rate-limits-1eb5

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

Dedicated access-hardening for document read and upload API routes (split from the closed auto-hide PR #284).

  • document_read bucket (180/min authenticated, 45/min anonymous) via enforceDocumentReadRateLimit() on document list/detail/search/signed-url and image signed-url routes.
  • document_upload bucket (12/min authenticated) on /api/upload before storage or database work.
  • allowRateLimitInMemoryFallbackOnUnavailable() on api-rate-limit.ts for production-safe fallback parity with other public routes.
  • Also includes the auto-hide support chips cherry-pick already intended for cursor/fix-all-db-issues-5f13.

Verification (local)

  • npx vitest run tests/private-access-routes.test.ts -t "rate limits anonymous document read bursts|rate limits authenticated uploads before" --testTimeout 60000passed
  • Targeted lint on changed access/rate-limit files — clean
  • Note: repo CI workflow only gates PRs to main/release/**; this PR targets cursor/fix-all-db-issues-5f13.

Clinical governance preflight

  • Touches document access routes and rate limiting only; no answer-generation prompt or retrieval ranking changes.
  • Anonymous document reads fail closed with 429 + retry metadata when limited.
  • Upload rate limit runs before storage upload or document insert.
Open in Web Open in Cursor 

@supabase

supabase Bot commented Jul 5, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@BigSimmo
BigSimmo marked this pull request as ready for review July 5, 2026 18:23
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@BigSimmo
BigSimmo merged commit 60613a3 into cursor/fix-all-db-issues-5f13 Jul 5, 2026
2 checks passed

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.

Fix All in Cursor

Bugbot Autofix prepared fixes for both issues found in the latest run.

  • ✅ Fixed: Note parsing misses en-dashes
    • Restored proper Unicode en-dashes (·, –, …) in clinical note parsing regexes, detail-prefix checks, and related display strings that had been corrupted to mojibake.
  • ✅ Fixed: Sentinel skips mobile table content
    • Moved the below-content sentinel to after InlineTableCard (with lg:col-span-2) so mobile collapse logic detects unscrolled table content below the support action row.

You can send follow-ups to the cloud agent here.

Reviewed by Cursor Bugbot for commit c7f2d68. Configure here.

return title;
}
const dashIndex = text.search(/\s[-]\s/);
const dashIndex = text.search(/\s[-ΓÇô]\s/);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note parsing misses en-dashes

Medium Severity

A character encoding issue caused special characters (en-dashes, em-dashes, middle dots, ellipses) to render as mojibake (–, —, ·, …). This impacts clinical note parsing logic, lithium timing heuristics, and visible text in context strips, evidence summaries, and source details.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit c7f2d68. Configure here.

data-testid="answer-support-below-sentinel"
className="h-0 w-0"
aria-hidden="true"
/>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sentinel skips mobile table content

Medium Severity

The below-content sentinel is positioned before the InlineTableCard, which causes useCollapseWhenContentBelow to misjudge available scrollable content. As a result, the Clinical notes/Evidence support row remains expanded even when a large table is still off-screen, particularly on mobile, potentially overlapping with fixed UI elements.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit c7f2d68. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant