feat/auto-deploy

[lumpinif]

Summary by CodeRabbit

• New Features

  • JWT auth mode, a POST endpoint to fetch sessions via API key, interactive JWT mint CLI, deploy attribution banner, and device-scoped Playground API key flows (ensure/bootstrap, reveal, rotate).

• Enhancements

  • Dynamic branding across UI, emails and OpenAPI docs; “Dashboard” relabeled to “Playground”.
  • Playground: API-key fallback for operations/exports and optional hiding of auth UI.
  • Logs: default page size increased to 10; chart visualization removed.

• Documentation

  • Expanded docs for auth modes, self‑hosting, branding, env management, and JWT workflows.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
deepcrawl	Ready	Preview, Comment	Feb 8, 2026 3:11pm

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds multi-mode auth (better-auth | jwt | none), playground device-scoped API key lifecycle (client + UI + server fallbacks), JWT minting tooling and middleware, auth-worker RPC/type surface and Next route for session-by-api-key, env/JSONC sync tooling, Upstash rate-limit refactor/flags, branding/runtime utilities, and many UI/tooling updates.

Changes

Cohort / File(s)	Summary
Runtime package & URLs packages/runtime/*, packages/runtime/package.json, packages/runtime/src/*, packages/runtime/tsconfig.json	New runtime package exposing auth-mode, env/vars metadata, URLs, branding helpers, and rate-limit configs.
Env tooling & JSONC sync scripts/env/*, scripts/env/_jsonc.ts, scripts/env/_wrangler-jsonc-vars.ts, env/*, deepcrawl.code-workspace, .gitignore	Add dotenv/jsonc utilities, wrangler vars sync, env generation/sync scripts, templates, workspace/editor settings, and .gitignore adjustments.
Auth config & trusted origins packages/auth/src/*, packages/auth/src/utils/better-auth-url.ts, packages/auth/src/configs/*, packages/auth/src/utils/logger.ts	Introduce resolveTrustedOrigins, better-auth URL/origin helpers, config validation refactor, cookie/passkey inference, and lightweight logging helpers.
Auth worker RPC & Next route apps/workers/auth/src/rpc.d.ts, apps/app/app/api/auth/getSessionWithAPIKey/route.ts, apps/workers/auth/src/index.ts	Add type-only RPC surface for auth worker and a Next.js POST route to fetch session by API key (body/header/Bearer).
Workers v0 auth & middleware apps/workers/v0/src/middlewares/*, apps/workers/v0/src/lib/context.ts, apps/workers/v0/src/middlewares/service-fetchers.hono.ts	AUTH_MODE-aware middleware chain: add jwt middleware; api-key and cookie auth prefer AUTH_WORKER RPC with HTTP fallback; defensive AUTH_WORKER.fetch fallback to global fetch; ExecutionContext typing.
JWT tooling apps/workers/v0/src/middlewares/jwt-auth.hono.ts, scripts/jwt-mint.ts, .vscode/tasks.json	New JWT auth middleware (HS256 verification), interactive jwt-mint CLI, and VSCode tasks for dev flows.
Playground API key lifecycle & UI apps/app/lib/playground-api-key*.ts, apps/app/components/api-keys/*, apps/app/hooks/playground/*, apps/app/components/api-keys/playground-api-key-bootstrap.tsx	Client-side ensure/regenerate/rotate device-scoped PLAYGROUND_API_KEY, UI reveal/rotate flows, bootstrap component, and policy to decide when device keys are used.
Deepcrawl client resilience & API-key fallbacks apps/app/actions/playground.ts, apps/app/app/api/deepcrawl/logs*/route.ts, apps/app/query/*, apps/app/query/logs-query.client.ts, apps/app/proxy.ts	Centralized callWithAuthFallback/buildDeepcrawlHeaders; server endpoints accept apiKey fallback (x-api-key or Bearer) when cookies unavailable; client retry/rotation logic and key-rotation on auth failures.
Nullable userId, DB helpers & logs apps/workers/v0/src/services/*, apps/workers/v0/src/routers/logs/*, packages/db/db-d1/src/db/index.ts	Allow null userId across services, re-export isNull for DB queries, adjust logs predicates and NOT_FOUND error payloads.
Rate limiting & Upstash integration packages/runtime/src/api-rate-limit.ts, apps/workers/v0/src/middlewares/rate-limit.orpc.ts, apps/workers/v0/src/tail-jobs/post-processing.ts	Introduce API_RATE_LIMIT_RULES, Upstash credential resolution, ENABLE_API_RATE_LIMIT flag; limiter can be disabled/missing (fail-open) and emits warnings.
CORS / trusted origins packages/auth/src/configs/constants.ts, apps/workers/auth/src/middlewares/cors.ts, apps/workers/v0/src/middlewares/cors.hono.ts	Replace static origin lists with resolveTrustedOrigins; compute trusted origins per-request and enable credentials when origin trusted.
OpenAPI & ORPC handler apps/workers/v0/src/lib/openapi/*, apps/workers/v0/src/lib/orpc/rpc.handler.ts	Use OFFICIAL_API_URL/ensureAbsoluteUrl and brand in OpenAPI; tighten RPCHandler typing to ORPCContext, remove CORS plugin, improve RPC error logging.
App UI, nav, auth-mode & branding apps/app/components/*, apps/app/lib/navigation-config.ts, apps/app/lib/site-config.ts, apps/app/lib/auth-mode.ts, apps/app/lib/brand.ts	Add authMode utilities and brandName; dynamic navigation (hide auth entries), new props (hideAuthEntries/enableApiKeys/authMode), relabel Dashboard→Playground and add mode-based guards.
Playground SDK & tests apps/app/actions/playground.ts, packages/sdks/js-ts/src/*	Playground actions accept optional apiKey and use centralized fallback; SDK tests updated to map ORPC errors to typed SDK errors and adjust statuses.
Workspace, tooling & CI .vscode/*, deepcrawl.code-workspace, lint-staged.config.cjs, biome.jsonc, .github/workflows/validate.yml, turbo.json, many package.json edits	Editor settings/tasks, lint-staged helpers, Biome schema bump, consolidate CI to pnpm check:ci, add fix/check scripts, and multiple dependency/catalog/workspace updates.
Docs & READMEs AUTH_MODES_AND_WORKERS.md, packages/runtime/README.md, apps/workers/v0/README.md, apps/workers/auth/README.md, apps/app/README.md	New and expanded docs for auth modes, runtime env/bootstrapping, JWT minting, self-hosting guidance, and worker dev setup.
Misc UI/styling & defaults various apps/app/*, packages/types/src/configs/default.ts	UI/text updates (Playground labels), LIST_LOGS_DEFAULT_LIMIT 5→10, User-Agent change, temporary removal of LogsChart, new DeployAttributionBanner component and minor styling tweaks.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client (Browser/SDK)
    participant NextAPI as Next API Route
    participant AuthWorker as Auth Worker (RPC)
    participant BetterAuthHTTP as Better‑Auth HTTP
    Client->>NextAPI: POST /api/auth/getSessionWithAPIKey (apiKey in body/header/Bearer)
    NextAPI->>AuthWorker: getSessionWithAPIKey(apiKey) [if binding present]
    alt AuthWorker returns session
        AuthWorker-->>NextAPI: Session
    else missing or errored
        NextAPI->>BetterAuthHTTP: GET /get-session with x-api-key / Authorization
        BetterAuthHTTP-->>NextAPI: Session or error
    end
    NextAPI-->>Client: JSON response (session or error)

Loading

sequenceDiagram
    participant Browser as Client
    participant Worker as Hono Worker
    participant Crypto as HS256 Verify
    participant Context as Worker Context
    Browser->>Worker: Request with Authorization: Bearer <token>
    Worker->>Worker: if AUTH_MODE == 'jwt' then proceed else next
    Worker->>Crypto: verify(token, JWT_SECRET, iss, aud)
    Crypto-->>Worker: payload or throws
    alt verified
        Worker->>Context: build Session from payload
        Context-->>Browser: continue (session attached)
    else invalid
        Worker-->>Browser: log warning and continue
    end

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• chore: update package dependencies to use catalog references #11 — Overlapping workspace dependency and package/script migration (catalog/workspace references and package.json/script updates).

Poem

🐇 I hop through envs and stitch each key,

I sign the JWTs and hide them in my sleeve,
Playgrounds keep little tokens snug and near,
Origins and CORS now listen when I cheer,
A rabbit’s patch of configs — tidy, bright, and clear!

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The pull request title 'feat/auto-deploy' is vague and does not clearly describe the actual changes. The PR contains extensive infrastructure improvements (authentication modes, environment management, branding, API rate limiting, deployment tools) but the title suggests only automated deployment features.	Replace 'feat/auto-deploy' with a more descriptive title that reflects the primary changes, such as 'feat: add multi-auth-mode support with environment management and branding' or break into focused titles for major feature groups.
Docstring Coverage	⚠️ Warning	Docstring coverage is 18.08% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/auto-deploy

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR adds VSCode workspace configuration files to improve the development experience by providing pre-configured tasks and editor settings. The changes standardize the development environment for all contributors by configuring Biome as the default formatter and providing convenient task runners for common development workflows.

Changes:

• Added VSCode tasks for running development servers (frontend, backend, and combined)
• Configured Biome as the default formatter with auto-format on save and code actions
• Added VSCode extension recommendation for Biome
• Updated .gitignore to include VSCode configuration files while allowing local overrides

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File	Description
.vscode/tasks.json	Defines development tasks for starting the Next.js dashboard, Cloudflare workers, and type generation utilities
.vscode/settings.json	Configures Biome as the default formatter with organize imports and fix-on-save enabled
.vscode/extensions.json	Recommends the Biome VSCode extension for consistent tooling
.gitignore	Allows VSCode configuration files to be committed while preserving the ability to have local overrides via settings.local.json

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@apps/app/app/api/auth/getSessionWithAPIKey/route.ts`:
- Around line 5-25: The authorization header extraction currently uses
replace('Bearer ', '') which will accept non‑Bearer schemes; update the apiKey
parsing logic so you only accept a Bearer token: read
request.headers.get('authorization'), check that it's a string and
startsWith('Bearer '), then extract the token via substring or split and trim;
fall back to body?.apiKey and x-api-key only if the extracted token is a
non-empty string. Ensure the final apiKey variable is validated as a non-empty
string before calling headers.set('x-api-key', apiKey) and auth.api.getSession
so you never pass invalid header values downstream.

In `@apps/workers/v0/src/middlewares/api-key-auth.hono.ts`:
- Around line 60-68: The code calls c.env.BETTER_AUTH_URL.replace(...) without
checking for undefined which will throw if the env var is missing; update the
middleware (where baseUrl is computed) to first check that c.env.BETTER_AUTH_URL
is a non-empty string, log a clear warning via the existing logger if it's
missing, and only call .replace() when present; if missing, fall back to the
existing no-auth path (do not attempt to build the Request to
`${baseUrl}/getSessionWithAPIKey`) so the API-key auth branch gracefully skips
instead of throwing.

In `@scripts/jwt-mint.ts`:
- Around line 75-195: The promptInputs function writes JWT-related env updates
(updates, upsertEnvFile) before interactive prompts for issuer/audience, so
values entered by the user aren’t persisted; fix by moving the env update logic
(construction of updates, devVarsPath/prodVarsPath writes via upsertEnvFile and
writeDev/writeProd prompts) to after the interactive prompts for issuer and
audience (or update the updates map after reading issuer/audience) so that
prompted issuer/audience from the rl questions are included when updating
.dev.vars/.dev.vars.production; update references: promptInputs, updates,
devVarsPath, prodVarsPath, writeDev, writeProd, upsertEnvFile.

🧹 Nitpick comments (10)

apps/workers/v0/README.md (1)

189-191: Add language specifier to the fenced code block.

The code block is missing a language identifier, which triggers a markdownlint warning and may affect syntax highlighting.

📝 Proposed fix

-```
+```text
 Authorization: Bearer <token>

</details>

</blockquote></details>
<details>
<summary>apps/workers/v0/.dev.vars.example (1)</summary><blockquote>

`7-12`: **Remove trailing whitespace on line 8.**

Line 8 contains a space character rather than being a blank line, which may cause formatting inconsistencies.


<details>
<summary>📝 Proposed fix</summary>

```diff
 AUTH_MODE=better-auth
- 
+
 JWT_SECRET=

apps/workers/v0/src/services/analytics/activity-logger.service.ts (1)

47-60: Minor: Redundant null coalescing.

this.userId ?? null is slightly redundant since this.userId is already typed as string | null. You could simplify to userId: this.userId, though the current form is harmless and makes the fallback explicit.

📝 Optional simplification

     const logData = {
       path,
       id: requestId,
-      userId: this.userId ?? null,
+      userId: this.userId,
       success,

apps/workers/v0/src/middlewares/cookie-auth.hono.ts (1)

4-4: Consider metrics helpers for timing logs.

The auth-mode guard looks good. Since duration is logged here, consider using getMetrics()/formatDuration() for consistent performance tracking across the worker.

As per coding guidelines: Use getMetrics() and formatDuration() utility functions from utils/metrics.ts for performance tracking.

Also applies to: 55-96

apps/workers/v0/src/middlewares/api-key-auth.hono.ts (1)

7-55: Auth-mode guard looks good; align timing with metrics helpers.

Since this middleware logs durations, consider switching to getMetrics()/formatDuration() for consistent performance tracking.

As per coding guidelines: Use getMetrics() and formatDuration() utility functions from utils/metrics.ts for performance tracking.

scripts/jwt-mint.ts (2)

1-20: Prefer interface for Inputs.

Inputs is an object shape and fits the interface guideline better.

♻️ Suggested fix

-type Inputs = {
+interface Inputs {
   secret?: string;
   sub?: string;
   email?: string;
   name?: string;
   issuer?: string;
   audience?: string;
   expiresInHours?: number;
   writeDevVars?: boolean;
   writeDevVarsProduction?: boolean;
-};
+}

As per coding guidelines: Use interfaces over types in TypeScript.

---

293-295: Avoid console.error in repo scripts.

Use a logging utility or write to stderr directly to align with the logging guideline.

♻️ Suggested fix

-run().catch((error) => {
-  console.error(`❌ Failed to mint JWT: ${error.message}`);
-  process.exit(1);
-});
+run().catch((error) => {
+  process.stderr.write(`❌ Failed to mint JWT: ${error.message}\n`);
+  process.exit(1);
+});

As per coding guidelines: No console statements in production code - use custom logging utilities for development.

apps/workers/v0/src/middlewares/jwt-auth.hono.ts (2)

8-19: Prefer interface over type for object shapes.

As per coding guidelines, use interfaces over types in TypeScript.

♻️ Suggested change

-type JwtPayload = {
+interface JwtPayload {
   sub?: string;
   email?: string;
   name?: string;
   picture?: string;
   email_verified?: boolean;
   exp?: number;
   iat?: number;
   jti?: string;
   iss?: string;
   aud?: string | string[];
-};
+}

---

88-95: Simplify the redundant session existence check.

The condition on lines 90-91 is redundant—if c.get('session') is falsy, accessing .session or .user on it will fail. The first check alone is sufficient.

♻️ Suggested simplification

-    if (
-      c.get('session') ||
-      c.get('session')?.session ||
-      c.get('session')?.user
-    ) {
+    if (c.get('session')) {
       logDebug('✅ Skipping [jwtAuthMiddleware] Session found');
       return next();
     }

apps/workers/v0/scripts/worker-config-override.ts (1)

55-59: Static analysis ReDoS warning is low-risk in this context.

The flagged regex constructs a pattern from interfaceName, but since this parameter only receives hardcoded string literals ('Env' and 'ProductionEnv' at lines 83-84), there's no user-controlled input vector. The risk is minimal for this build-time script.

If you want to be extra defensive, you could escape the interfaceName or use a static pattern:

♻️ Optional: Use literal patterns

-const ensureFields = (source: string, interfaceName: string) => {
-  const pattern = new RegExp(
-    `interface ${interfaceName} \\{([\\s\\S]*?)\\n\\t\\}`,
-    'm',
-  );
+const ensureFields = (
+  source: string,
+  interfaceName: 'Env' | 'ProductionEnv',
+) => {
+  const patterns: Record<'Env' | 'ProductionEnv', RegExp> = {
+    Env: /interface Env \{([\s\S]*?)\n\t\}/m,
+    ProductionEnv: /interface ProductionEnv \{([\s\S]*?)\n\t\}/m,
+  };
+  const pattern = patterns[interfaceName];

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In @.vscode/tasks.json:
- Around line 15-17: The tasks.json "group" object is missing the required
"kind" property; update the "group" object (the JSON object named group with
property isDefault) to include a "kind" field set to the appropriate value
(e.g., "build" or "test" depending on task intent) so the schema is satisfied
and the default grouping behavior applies; ensure you add the "kind" property
alongside isDefault in the same group object.

In `@apps/app/lib/auth-mode.ts`:
- Around line 28-40: When isJwtMode() is true and no JWT token is configured,
fail fast instead of returning headers without Authorization: inside
buildDeepcrawlHeaders check JWT_TOKEN (process.env.AUTH_JWT_TOKEN) and if it's
falsy throw a clear, descriptive Error (e.g., "JWT mode enabled but
AUTH_JWT_TOKEN is not set") so callers immediately see the misconfiguration;
keep existing behavior of returning nextHeaders when not in JWT mode or when the
token is present and still set the Authorization header via
nextHeaders.set('authorization', `Bearer ${JWT_TOKEN}`).

In `@apps/workers/v0/README.md`:
- Around line 225-227: Update the fenced code block in the README snippet that
currently shows "Authorization: Bearer <token>" so it includes a language
specifier (e.g., add "http", "text", or "bash" after the opening backticks) to
ensure consistent rendering; modify the triple-backtick opener for that block to
include the chosen language.

🧹 Nitpick comments (7)

apps/workers/v0/src/utils/tail-jobs/post-processing.ts (1)

56-71: Consider extracting resolveBool to a shared utility.

This boolean resolution helper appears useful for parsing environment variables across the codebase. If similar parsing is needed elsewhere (e.g., for other feature flags), consider moving it to a shared utils module.

♻️ Example extraction

Create a new file like @/utils/env.ts:

export const resolveBool = (
  value: string | boolean | undefined,
  fallback: boolean,
): boolean => {
  if (value === undefined) {
    return fallback;
  }
  if (typeof value === 'boolean') {
    return value;
  }
  const normalized = value.trim().toLowerCase();
  if (!normalized) {
    return fallback;
  }
  return ['1', 'true', 'yes', 'y', 'on'].includes(normalized);
};

apps/app/.env.example (1)

10-15: Consider documenting NEXT_PUBLIC_AUTH_MODE if clients need it.
getAuthMode() also checks NEXT_PUBLIC_AUTH_MODE; adding it here (or noting AUTH_MODE is server-only) avoids confusion.

Optional doc addition

 # Auth mode for dashboard server
 # Supported: better-auth | jwt | none
 AUTH_MODE=better-auth
+# Optional: client-side override
+NEXT_PUBLIC_AUTH_MODE=
 
 # Used when AUTH_MODE=jwt
 AUTH_JWT_TOKEN=

scripts/jwt-mint.ts (2)

7-17: Use an interface for Inputs.
This object shape should be declared with an interface per repo conventions.

♻️ Suggested change

-type Inputs = {
+interface Inputs {
   secret?: string;
   sub?: string;
   email?: string;
   name?: string;
   issuer?: string;
   audience?: string;
   expiresInHours?: number;
   writeDevVars?: boolean;
   writeDevVarsProduction?: boolean;
-};
+}

As per coding guidelines: `**/*.{ts,tsx}`: Use interfaces over types in TypeScript.

---

340-342: Avoid console.error; use stderr or a logger.
This script should follow the repo logging convention.

🔧 Suggested change

-run().catch((error) => {
-  console.error(`❌ Failed to mint JWT: ${error.message}`);
-  process.exit(1);
-});
+run().catch((error) => {
+  process.stderr.write(`❌ Failed to mint JWT: ${error.message}\n`);
+  process.exit(1);
+});

As per coding guidelines: `**/*.{ts,tsx}`: No console statements in production code - use custom logging utilities for development.

apps/app/lib/navigation-config.ts (1)

42-44: Consider fixing the typo in NAVGATION_ITEMS.

The constant name NAVGATION_ITEMS appears to be missing a letter (should be NAVIGATION_ITEMS). While this is an existing naming issue rather than a new one, it may be worth correcting during this refactor since getNavigationItems now exposes this pattern more broadly.

apps/app/app/(dashboard)/layout.tsx (1)

58-68: Consider distinguishing auth failures from missing sessions.

The .catch(() => { throw redirect('/login'); }) pattern redirects to login for any error from authGetSession, including network failures or server errors. This could mask legitimate issues where the user is authenticated but the auth service is temporarily unavailable.

If this is intentional (fail-safe to login), the current approach is acceptable. Otherwise, consider logging the error or showing an error state for non-auth failures.

♻️ Optional: Add error logging before redirect

   const currentSession = isBetterAuth
-    ? await authGetSession().catch(() => {
+    ? await authGetSession().catch((error) => {
         // Auth failed - redirect to login
+        console.error('Auth session fetch failed:', error);
         throw redirect('/login');
       })
     : null;

apps/app/components/user/user-dropdown.tsx (1)

82-95: Consider extracting props to an interface.

Per coding guidelines, prefer interfaces over inline type annotations for component props. This improves readability and allows for extension.

♻️ Suggested refactor to use interface

+interface UserDropdownProps {
+  session: Session | null;
+  redirectLogout?: string;
+  navigationMode?: NavigationMode;
+  enableLayoutViewToggle?: boolean;
+  authMode?: AuthMode;
+  className?: string;
+}
+
 export function UserDropdown({
   session,
   redirectLogout,
   navigationMode,
   enableLayoutViewToggle = true,
   authMode,
   className,
-}: {
-  session: Session | null;
-  redirectLogout?: string;
-  navigationMode?: NavigationMode;
-  enableLayoutViewToggle?: boolean;
-  authMode?: AuthMode;
-  className?: string;
-}) {
+}: UserDropdownProps) {

As per coding guidelines: "Use interfaces over types in TypeScript"

[coderabbitai]

Actionable comments posted: 11

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (6)

apps/app/components/playground/playground-skeleton.tsx (1)

7-31: ⚠️ Potential issue | 🟡 Minor

Use single quotes for JSX string literals.
Current JSX attributes use double quotes in the modified lines.

✅ Suggested update

-      <PageTitle
-        className="mx-auto mt-28 mb-10 w-full text-center md:mt-[13svh]"
-        description="Make any website data AI-ready for agents"
-        desPos="bottom"
-        title="What would you like to see?"
-        titleClassName="mb-2"
-        titleSize="3xl"
-      >
-        <span className="text-muted-foreground">
+      <PageTitle
+        className='mx-auto mt-28 mb-10 w-full text-center md:mt-[13svh]'
+        description='Make any website data AI-ready for agents'
+        desPos='bottom'
+        title='What would you like to see?'
+        titleClassName='mb-2'
+        titleSize='3xl'
+      >
+        <span className='text-muted-foreground'>
           API Playground for Deepcrawl
         </span>
       </PageTitle>
@@
-    <div className="container relative mx-auto flex size-full h-svh items-center justify-center">
+    <div className='container relative mx-auto flex size-full h-svh items-center justify-center'>
       <div className="flex w-full flex-col items-center justify-center gap-4 max-sm:mb-16">
         <LoadingSpinner size={25} />
-        <DeepcrawlLogoText className="animate-pulse text-center text-lg sm:text-2xl">
+        <DeepcrawlLogoText className='animate-pulse text-center text-lg sm:text-2xl'>
           Deepcrawl Playground & Dashboard is loading
         </DeepcrawlLogoText>
       </div>
     </div>

As per coding guidelines “Use single quotes instead of double quotes for strings”.

packages/auth/src/configs/constants.ts (1)

87-87: ⚠️ Potential issue | 🟡 Minor

Rename EXpiresIn to expiresIn for consistency with camelCase convention.

The property has inconsistent casing (capital X) and needs to be renamed. Update the constant definition in packages/auth/src/configs/constants.ts and all 8 usages across:

• packages/auth/src/templates/magic-link.tsx
• packages/auth/src/templates/organization-invitation.tsx
• packages/auth/src/templates/password-reset.tsx
• packages/auth/src/templates/email-verification.tsx
• packages/auth/src/configs/auth.config.ts (4 usages)

📝 Proposed fix

 export const EMAIL_CONFIG = {
   /**
    * Time in seconds until the magic link expires.
    * `@default` (60 * 5) // 5 minutes
    *
    */
-  EXpiresIn: {
+  expiresIn: {
     resetPassword: 3600, // 1 hour
     magicLink: 60 * 5, // 5 minutes
     emailVerification: 3600, // 1 hour
     invitation: 2 * 24 * 60 * 60, // By default, it's 48 hours (2 days)
   },
 };

packages/auth/src/configs/auth.config.ts (4)

322-348: ⚠️ Potential issue | 🟡 Minor

Replace console statements with the shared logger.

Lines 325, 346 use console.warn and console.error in production code paths.

As per coding guidelines: "No console statements in production code - use custom logging utilities for development".

🛠️ Suggested fix

         sendMagicLink: async ({ email, token }) => {
           if (!(emailEnabled && resend)) {
-            console.warn('⚠️ Magic link email not sent - Resend not configured');
+            logWarn('⚠️ Magic link email not sent - Resend not configured');
             return;
           }
           // ...
           } catch (error) {
-            console.error('❌ Failed to send magic link email:', error);
+            logWarn('❌ Failed to send magic link email:', error);
           }

---

378-383: ⚠️ Potential issue | 🟡 Minor

Replace console.error with the shared logger.

Line 381 uses console.error in production code.

As per coding guidelines: "No console statements in production code - use custom logging utilities for development".

---

406-411: ⚠️ Potential issue | 🟡 Minor

Replace console.error with the shared logger.

Line 409 uses console.error in production code.

As per coding guidelines: "No console statements in production code - use custom logging utilities for development".

---

413-441: ⚠️ Potential issue | 🟡 Minor

Replace console statements with the shared logger.

Lines 416, 438, 439 use console.warn and console.error in production code.

As per coding guidelines: "No console statements in production code - use custom logging utilities for development".

🤖 Fix all issues with AI agents

In `@apps/app/components/deepcrawl-logo.tsx`:
- Around line 57-72: The fallback span branch is unreachable because href is
given a default of '/' in the destructuring; either remove the dead branch or
stop defaulting href so the span can be used: locate the deepcrawl-logo
component where props are destructured (the variables asChild/_asChild, href =
'/', children = brandName, ...linkProps) and either 1) delete the if (!href)
return <span...> block and always render <Link> with mergedClassName and
children, or 2) remove the href = '/' default so href can be undefined/empty and
the existing if (!href) branch (which renders a span with mergedClassName and
children) becomes reachable; update the prop types if you choose option 2 to
allow href to be optional.

In `@apps/app/components/deploy-attribution-banner.tsx`:
- Around line 269-329: Replace the awkward user-facing string "This app is maybe
deployed with" in the JSX of the Deploy Attribution Banner component with a
clearer phrasing (e.g. "This app may be deployed with" or "This app appears to
be deployed with") — edit the span containing that text in the
deploy-attribution-banner component (the JSX near the code element and Link
components) so the displayed message is grammatically correct; no other logic
(dismissBanner, TOP_OFFSET_CSS_VAR use, or button handlers) should be changed.

In `@apps/app/components/layout/header-navigation-layout.tsx`:
- Around line 12-17: Rename the boolean prop hideAuthEntries to
shouldHideAuthEntries in the HeaderNavigationLayoutProps interface and
everywhere inside the HeaderNavigationLayout component (including destructuring,
conditional checks, prop forwarding to children, and default values); update the
prop name in the component signature and any references to the old name
(hideAuthEntries) so all conditionals and JSX use shouldHideAuthEntries instead,
and run/adjust any local tests or prop usages inside this file to match the new
identifier.

In `@apps/app/hooks/playground/use-playground-operations.ts`:
- Around line 160-163: The default branch in the switch inside
use-playground-operations.ts returns only { error: string }, causing
inconsistent responses for handlePlaygroundClientErrorResponse; update the
default return to match the other validation failure shapes by returning the
full error object (include errorType and status) — e.g., set errorType to a
meaningful identifier like "unknown_operation" and status to a 4xx code (400)
and keep the toast.error call and returned error message consistent with other
branches so downstream logic receives a uniform structure.

In `@apps/workers/v0/package.json`:
- Around line 23-38: Add Cloudflare Workers-specific configuration and usage
changes for the listed packages: add a Browser Rendering binding in
wrangler.toml (browser = { binding = "...", type = "browser" }) and enable
node_compat/nodejs_compat as needed (for `@cloudflare/puppeteer` and transitive
deps like `@scalar/hono-api-reference`) and ensure compatibility_date is set;
change usage of `@cloudflare/puppeteer` so you launch with the binding
(puppeteer.launch(env.MYBROWSER)); import and instantiate Upstash Redis from the
Cloudflare entrypoint (use import from "@upstash/redis/cloudflare" and
Redis.fromEnv(env)); and enable nodejs_compat if bundler reports Node API issues
for `@scalar/hono-api-reference`. Ensure these configuration/usage updates are
applied alongside the package entries "@cloudflare/puppeteer", "@upstash/redis",
and "@scalar/hono-api-reference".

In `@apps/workers/v0/src/middlewares/jwt-auth.hono.ts`:
- Around line 93-97: The middleware currently checks const secret =
c.env.JWT_SECRET and calls logError('❌ JWT_SECRET is missing while
AUTH_MODE=jwt') then returns next(), which lets requests continue; change this
to fail fast by returning an explicit 401 response when JWT_SECRET is missing
(keep the logError message), e.g. respond with an unauthorized status and
message instead of invoking next(), so the jwt-auth middleware blocks requests
when AUTH_MODE=jwt and the secret is not configured.

In `@packages/auth/src/utils/logger.ts`:
- Around line 1-16: logWarn and logError currently always call console and
violate the "no console in production" rule; update both functions (logWarn and
logError) to short-circuit when process.env.NODE_ENV === 'production' (same
pattern used in logDebug) so they only call console.warn/console.error in
non-production environments, preserving existing signatures and behavior
otherwise.

In `@packages/eslint-config/package.json`:
- Around line 12-21: Update the undocumented `@next/eslint-plugin-next` version in
package.json: replace the "@next/eslint-plugin-next" dependency value (the entry
named "@next/eslint-plugin-next") with a documented patch release (preferably
"15.5.9" or "15.5.7"), then reinstall dependencies and update the lockfile so
the change is persisted; ensure any references to Next.js linting in docs or
scripts follow the Next 15.5 guidance about using the ESLint CLI
(eslint.config.mjs) if applicable.

In `@packages/runtime/src/env.ts`:
- Around line 42-267: The new exported API surface (ENV_VARS,
getEnvVarsForTarget, listEnvKeysForTarget) lacks unit tests; add tests that
import these symbols and assert: ENV_VARS contains expected entries (including
any newly added public vars), getEnvVarsForTarget(target) returns only entries
whose .targets include the given EnvTarget, and listEnvKeysForTarget(target)
returns the corresponding keys array; include edge cases (unknown target ->
empty array) and test a public-var like 'NEXT_PUBLIC_APP_URL' to cover the
public env path.
- Around line 20-27: Replace the type alias EnvVar with an interface declaration
to follow project coding guidelines; change "export type EnvVar = { ... }" to
"export interface EnvVar { ... }" preserving all members (key, group:
EnvVarGroup, targets: readonly EnvTarget[], optional description, example,
secret) and keep the export name the same so existing references to EnvVar
elsewhere (imports, function signatures, etc.) continue to work without changes.

In `@scripts/jwt-mint.ts`:
- Around line 25-73: The parseArgs function is mis-parsing when a flag that
requires a value is immediately followed by another flag (e.g., "--secret --sub
foo"); update parseArgs to check that the candidate value exists and does not
start with '--' before assigning (for flags '--secret', '--sub', '--email',
'--name', '--issuer', '--audience', '--expires-in'), only increment i when a
real value was consumed, and for missing values emit a clear error (throw or
console.error + process.exit(1)) so the script fails fast; also preserve the
Number(...) conversion for '--expires-in' when a valid numeric value is present.

🧹 Nitpick comments (10)

apps/app/components/api-keys/api-keys-page-client.tsx (1)

74-87: Error state is missing PageHeader, creating UI inconsistency.

The skeleton state (lines 24-66) and success state (lines 90-123) both render PageHeader before PageContainer, but the error state only renders PageContainer. This means users encountering an error won't see the "Your API Keys" title, making the error context less clear.

Additionally, consider adding role="alert" to the error message for better screen reader accessibility.

♻️ Suggested fix for consistency and accessibility

   if (error) {
     return (
+      <>
+        <PageHeader
+          description="Manage your API keys for accessing Deepcrawl services."
+          title="Your API Keys"
+        />
         <PageContainer>
           <Card className="bg-card">
             <CardContent className="pt-6">
-              <div className="py-8 text-center">
+              <div className="py-8 text-center" role="alert">
                 <p className="text-destructive">
                   Failed to load API keys. Please try again.
                 </p>
               </div>
             </CardContent>
           </Card>
         </PageContainer>
+      </>
     );
   }

apps/app/hooks/playground/use-playground-operations.ts (2)

175-181: Fragile string comparison for error detection.

Using error.message === 'Unauthorized' is brittle—if the error message changes or varies across different error sources, this check will silently fail. Consider using a typed error class or error code instead.

♻️ Suggested approach

+// Define at module level or in a shared error types file
+interface PlaygroundApiKeyError extends Error {
+  code?: 'UNAUTHORIZED' | 'KEY_NOT_FOUND' | 'KEY_CREATION_FAILED';
+}

         } catch (error) {
           // If we can't create/read the key, guide the user to the API Keys page.
           // Avoid noisy toasts when the user is not logged in.
-          if (!(error instanceof Error && error.message === 'Unauthorized')) {
+          const isUnauthorized =
+            error instanceof Error &&
+            ((error as PlaygroundApiKeyError).code === 'UNAUTHORIZED' ||
+              error.message === 'Unauthorized');
+          if (!isUnauthorized) {
             showMissingPlaygroundApiKeyToast();
           }
         }

Alternatively, have ensurePlaygroundApiKey throw a custom error type that can be reliably identified.

---

79-92: Consider moving helper to hook level.

showMissingPlaygroundApiKeyToast is defined inside the try block but only needs access to router. Moving it to the hook level (alongside executeApiCall) would improve readability and make the try block more focused on the operation logic.

packages/auth/src/utils/better-auth-url.ts (1)

23-50: Prefer arrow-function exports for consistency.

This file already uses const exports elsewhere; aligning these helpers keeps the style uniform.

♻️ Suggested update

-export function resolveBetterAuthApiBaseUrl(rawUrl: string): string {
+export const resolveBetterAuthApiBaseUrl = (rawUrl: string): string => {
   const cleaned = rawUrl.trim();
   if (!cleaned) {
     throw new Error('Better Auth base URL is required.');
   }
@@
-}
+};

@@
-export function resolveBetterAuthOriginUrl(rawUrl: string): string {
+export const resolveBetterAuthOriginUrl = (rawUrl: string): string => {
   const apiBase = resolveBetterAuthApiBaseUrl(rawUrl);
   return apiBase.slice(0, apiBase.length - API_AUTH_PATH.length);
-}
+};

As per coding guidelines: "Use arrow functions over function expressions."

packages/auth/src/__tests__/trusted-origins.test.ts (1)

31-40: Consider adding a negative test for isDevelopment=false.

The test verifies dev origins are included when isDevelopment=true, but there's no explicit test confirming they are excluded when isDevelopment=false (or when omitted, since the default is false).

📝 Suggested additional test

test('resolveTrustedOrigins excludes local dev origins when isDevelopment=false', () => {
  const origins = resolveTrustedOrigins({
    appURL: 'https://example.com',
    authURL: 'https://auth.example.com',
    isDevelopment: false,
  });

  assert.ok(!origins.includes('http://localhost:3000'));
  assert.ok(!origins.includes('http://localhost:8787'));
  assert.ok(!origins.includes('http://localhost:8080'));
});

packages/runtime/src/api-rate-limit.ts (1)

1-6: Consider using an interface for ApiRateLimitRule.

Per coding guidelines, interfaces are preferred over types for object shapes. ApiRateLimitTier is correctly a type (union), but ApiRateLimitRule represents a pure object shape.

♻️ Suggested change

 export type ApiRateLimitTier = 'free' | 'pro';

-export type ApiRateLimitRule = Readonly<{
-  limit: number;
-  window: string;
-}>;
+export interface ApiRateLimitRule {
+  readonly limit: number;
+  readonly window: string;
+}

As per coding guidelines: Use interfaces over types in TypeScript.

packages/runtime/src/auth-rate-limit.ts (1)

1-4: Consider using an interface for AuthenticationRateLimitRule.

Similar to ApiRateLimitRule, this is a pure object shape that could be expressed as an interface per coding guidelines.

♻️ Suggested change

-export type AuthenticationRateLimitRule = Readonly<{
-  window: number;
-  max: number;
-}>;
+export interface AuthenticationRateLimitRule {
+  readonly window: number;
+  readonly max: number;
+}

As per coding guidelines: Use interfaces over types in TypeScript.

apps/app/components/deploy-attribution-banner.tsx (1)

100-119: Consider removing or documenting the commented-out NODE_ENV check.

The commented code at lines 101-103 suggests the banner might have been intended to hide in non-production environments. If this is intentional debug behavior, consider adding a brief comment explaining why it's disabled. If it's leftover code, remove it.

apps/app/lib/navigation-config.ts (1)

80-82: Export the NavigationItemsOptions interface for external consumers.

The interface is used as a parameter type for the exported getNavigationItems function but isn't exported itself. Consumers who want to type their options object won't have access to this type.

🔧 Suggested fix

-interface NavigationItemsOptions {
+export interface NavigationItemsOptions {
   hideAuthEntries?: boolean;
 }

apps/workers/v0/src/middlewares/jwt-auth.hono.ts (1)

58-78: Avoid type assertion; align return type with Session interface.

The as Session cast on line 78 may hide type mismatches between the constructed object and the actual Session type from @deepcrawl/auth/types. If the Session interface changes, this won't produce compile-time errors. Consider ensuring the object structure matches Session exactly or using a type-safe builder.

[coderabbitai]

Actionable comments posted: 4

🤖 Fix all issues with AI agents

In `@apps/app/components/page-elements.tsx`:
- Line 61: The title rendering uses two different Tailwind utilities — the
string-title branch uses 'wrap-break-word text-wrap font-semibold' while the
ReactElement-title branch still uses 'break-words'; update the ReactElement
branch to use the same v4 utility (replace 'break-words' with 'wrap-break-word'
and keep any accompanying classes like 'text-wrap' and 'font-semibold' for
parity) so both code paths render titles with identical Tailwind behavior;
search for the class 'break-words' in the title rendering logic and align it to
the 'wrap-break-word' variant used in the string branch.

In `@apps/workers/v0/src/middlewares/jwt-auth.hono.ts`:
- Around line 99-132: The middleware currently calls next() for missing or
invalid JWTs which allows unauthenticated access when AUTH_MODE=jwt; update the
logic in the jwt-auth middleware (around getBearerToken, verify,
resolveJwtSession, and the existing next() calls) to check c.env.AUTH_MODE ===
'jwt' and, when true, return an HTTP 401 response for (a) no token returned from
getBearerToken, (b) resolveJwtSession returning falsy (missing sub), and (c) any
verification error caught in the try/catch instead of calling next(); preserve
existing logging (logWarn/logDebug) but replace the fallthrough with a 401
response so only valid tokens set c.set('session') and proceed.

In `@packages/ui/src/components/ui/sidebar.tsx`:
- Line 275: Update the Tailwind important modifier and split the long class
string in the sidebar component: replace occurrences of "!duration-0" with the
v4 postfix "duration-0!" (e.g., change
"group-data-[dragging=true]_*:!duration-0" to
"group-data-[dragging=true]_*:duration-0!"), and break the combined class string
like "group-data-[dragging=true]:duration-0!
group-data-[dragging=true]_*:!duration-0" into two smaller string entries so no
single line exceeds the 80-character width (apply the same fixes for the other
occurrence with the same class pattern).

In `@packages/ui/src/components/ui/tooltip.tsx`:
- Line 55: The TooltipPrimitive.Arrow JSX element uses a double-quoted, overly
long className string; change it to use single quotes and split the class list
across multiple concatenated or template lines to respect the 80-character max
and Biome style. Locate TooltipPrimitive.Arrow in tooltip.tsx, replace
className="..." with className='...' and break the CSS utility tokens into
multiple string segments (or use an array join) so each source line stays within
80 chars, preserving all classes (bg-primary, fill-primary, dark:bg-accent,
dark:fill-accent, z-50, size-2.5, translate-y-[calc(-50%-2px)], rotate-45,
rounded-[2px]) and run the formatter.

🧹 Nitpick comments (2)

apps/app/components/deploy-attribution-banner.tsx (2)

21-25: Consider using interface instead of type for object shapes.

Per coding guidelines, prefer interface over type for object type definitions.

♻️ Suggested refactor

-export type DeployAttributionBannerState = {
+export interface DeployAttributionBannerState {
   canRender: boolean;
   isDismissed: boolean;
   isRendered: boolean;
-};
+}

As per coding guidelines: "Use interfaces over types in TypeScript".

---

100-103: Remove or restore commented-out code.

This commented-out NODE_ENV check appears to be leftover debug code. Consider either removing it entirely or implementing it properly if the behavior is needed.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@scripts/jwt-mint.ts`:
- Around line 26-109: The parseArgs function currently silently ignores unknown
CLI flags; update its default switch branch so that when key starts with '--' it
throws a descriptive Error (e.g. `Unknown flag: ${key}`) to fail fast and
surface typos, while leaving non-flag positional args unchanged; reference
parseArgs, Inputs and existing flag names like '--secret'/'--expires-in' when
making the change to ensure only true unknown flags trigger the error and you
don't accidentally skip the next argument.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@apps/workers/v0/src/middlewares/cors.hono.ts`:
- Around line 60-70: The guard preventing credentialed CORS is too strict: relax
the condition that builds trustedOrigins so it only requires appUrl and
betterAuthUrl (not apiUrl) before calling resolveTrustedOrigins; call
resolveTrustedOrigins with appURL: appUrl, authURL: betterAuthUrl, apiURL:
apiUrl (allowing apiUrl to be undefined per ResolveTrustedOriginsInput) and wrap
the result in a Set for trustedOrigins, otherwise fallback to new Set<string>().

In `@apps/workers/v0/src/middlewares/jwt-auth.hono.ts`:
- Around line 58-79: The returned object currently uses an unsafe "as Session"
cast while omitting nullable DB fields; update the session payload construction
in the function returning Session to explicitly include the nullable fields
impersonatedBy and activeOrganizationId set to null (and keep
ipAddress/userAgent null defaults), and remove the broad "as Session" type
assertion so TypeScript enforces the exact Session shape.

🧹 Nitpick comments (3)

apps/app/components/deploy-attribution-banner.tsx (3)

44-98: Consider using arrow functions per coding guidelines.

The codebase guidelines prefer arrow functions over function declarations. While the current implementation is functionally correct and consistent within the file, converting to arrow functions would align with the project standards.

♻️ Example refactor for a few functions

-function notifyStoreListeners(): void {
-  for (const listener of storeListeners) {
-    listener();
-  }
-}
+const notifyStoreListeners = (): void => {
+  for (const listener of storeListeners) {
+    listener();
+  }
+};

-function setStoreState(next: DeployAttributionBannerState): void {
+const setStoreState = (next: DeployAttributionBannerState): void => {
   // ... body unchanged
-}
+};

As per coding guidelines: "Use arrow functions over function expressions"

---

226-232: Consider simplifying nested ternary for readability.

The logic is correct but the nested ternary can be harder to parse at a glance.

♻️ Proposed simplification

-  const offsetPx = assumeRendered
-    ? state.isDismissed
-      ? 0
-      : BANNER_HEIGHT_PX
-    : state.isRendered
-      ? BANNER_HEIGHT_PX
-      : 0;
+  const shouldOffset = assumeRendered ? !state.isDismissed : state.isRendered;
+  const offsetPx = shouldOffset ? BANNER_HEIGHT_PX : 0;

---

307-316: Redundant CSS variable setting in dismiss handler.

The manual CSS variable update is redundant since dismissBanner() updates the store state to isRendered: false, which triggers the useEffect on line 240 to set the CSS variable to '0px'. The manual setting provides marginally faster visual feedback but duplicates logic.

♻️ Proposed simplification

         onClick={() => {
           dismissBanner();
-          try {
-            document.documentElement.style.setProperty(
-              TOP_OFFSET_CSS_VAR,
-              '0px',
-            );
-          } catch {
-            // Ignore
-          }
         }}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/sync-template-main.yml:
- Around line 27-29: The current push step uses a blind force push ("git push
origin HEAD:refs/heads/template/main --force") which lets an older run overwrite
newer commits; change this to use "git push origin HEAD:refs/heads/template/main
--force-with-lease" and add job-level concurrency to the workflow (concurrency
key and cancel-in-progress: true) so stale runs are automatically cancelled;
update the step that contains the git push command and the workflow top-level to
include the concurrency block and replace "--force" with "--force-with-lease".