Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bcb13a89df
| where: { | ||
| id: { | ||
| in: ids as number[], | ||
| }, | ||
| ...(isAdmin ? {} : { isPrivate: false }), | ||
| }, |
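Review bot: `in: ids as number[]` asserts the loader keys' type rather than checking it. If the assertion is only there to drop `readonly` from the batch keys, copy them instead (`[...ids]`); if the keys can arrive as anything other than numbers, parse and reject bad values before they reach the query, so the `in` list never carries unvalidated input.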
Prevent private linked records from leaking via loaders
When a non-admin loads a public record, the top-level isPrivate filter only guards the root record. The loader still fetches outgoingLinks.target without any isPrivate condition, so a public record that links to a private one will return that private target’s title/id to unauthenticated users. This defeats the “private records hidden from public queries” goal; you need to filter nested link targets by isPrivate (or omit them) when isAdmin is false.
| )`, | ||
| type: recordType, | ||
| ...(isAdmin ? {} : { isPrivate: false }), | ||
| }, |
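Review bot: the `...(isAdmin ? {} : { isPrivate: false })` spread is repeated verbatim in this search query and in the loader above, and in both places it guards only the root `where`. Pull it into one shared helper (for example a `privacyWhere(isAdmin)` returning that same object) and apply the helper to every nested relation that is included, so a query that forgets the clause stands out in review instead of silently returning private rows.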
Avoid exposing private link targets in text search
The new isPrivate filter only applies to the primary search records. outgoingLinks.target is still fetched with no privacy constraint, so a non-admin search can return public records that include private linked targets (titles/ids) in the payload. This leaks private record metadata to public users whenever a public record links to a private one. Consider filtering outgoingLinks.target by isPrivate: false (or suppressing link targets) for non-admin callers.
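Both comments above describe the same gap: the privacy clause guards the root query but not the nested outgoingLinks.target relation. As an added example (not code from this PR or from its bot reviewer), the TypeScript below models the reviewed shape beside a hardened one and runs both through a tiny in-memory evaluator that stands in for the ORM; the relation and field names, the shared privacyWhere helper and the sample records are assumptions.

```typescript
// Added example: Prisma-style query args for the reviewed loader, evaluated over constructed data.
type Rec = { id: number; title: string; isPrivate: boolean; outgoingLinks: { targetId: number }[] };
type Args = {
  where: { id: { in: number[] }; isPrivate?: boolean };
  include: { outgoingLinks: { where?: { target: { isPrivate?: boolean } }; include: { target: true } } };
};
type Row = { id: number; title: string; targets: { id: number; title: string }[] };

// Constructed sample data: public record 1 links to private record 2 and public record 3.
const DB: Rec[] = [
  { id: 1, title: "public root", isPrivate: false, outgoingLinks: [{ targetId: 2 }, { targetId: 3 }] },
  { id: 2, title: "private secret", isPrivate: true, outgoingLinks: [] },
  { id: 3, title: "public leaf", isPrivate: false, outgoingLinks: [] },
];
// One shared helper (assumed name) for the privacy clause, so root and nested queries cannot drift apart.
const privacyWhere = (isAdmin: boolean): { isPrivate?: boolean } => (isAdmin ? {} : { isPrivate: false });

// Shape reviewed in the PR: the root record is guarded, the nested link targets are not.
function leakyArgs(ids: number[], isAdmin: boolean): Args {
  return {
    where: { id: { in: ids }, ...privacyWhere(isAdmin) },
    include: { outgoingLinks: { include: { target: true } } },
  };
}
// Hardened shape: the same clause also filters the to-many include by its target's privacy flag.
function safeArgs(ids: number[], isAdmin: boolean): Args {
  return {
    where: { id: { in: ids }, ...privacyWhere(isAdmin) },
    include: { outgoingLinks: { where: { target: privacyWhere(isAdmin) }, include: { target: true } } },
  };
}
// Minimal in-memory interpreter for just the clauses used above (stands in for the ORM).
function run(args: Args): Row[] {
  const nested = args.include.outgoingLinks.where?.target.isPrivate;
  const out: Row[] = [];
  for (const r of DB) {
    if (args.where.id.in.indexOf(r.id) === -1) continue;
    if (args.where.isPrivate !== undefined && r.isPrivate !== args.where.isPrivate) continue;
    const targets: Row["targets"] = [];
    for (const l of r.outgoingLinks)
      for (const t of DB)
        if (t.id === l.targetId && (nested === undefined || t.isPrivate === nested)) targets.push({ id: t.id, title: t.title });
    out.push({ id: r.id, title: r.title, targets });
  }
  return out;
}
// Titles a caller receives through link targets: this is what must never name a private record.
function linkedTitles(args: Args): string[] {
  const titles: string[] = [];
  for (const r of run(args)) for (const t of r.targets) titles.push(t.title);
  return titles;
}
```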
Implement single-user auth via GitHub OAuth with HMAC-signed httpOnly session cookies. All mutations and sensitive queries are now gated behind admin procedures, while read-only access to the knowledge base remains public. Private records are filtered from all public queries.

- GitHub OAuth flow (authorize, callback, logout route handlers)
- HMAC-SHA256 signed session cookies with timing-safe validation
- Admin procedures: adminProcedure, adminRateLimitedProcedure
- Privacy filtering on records, media, and search queries
- Vector search gated behind admin auth (costs OpenAI per query)
- Frontend UI gating: read-only views for non-admin users
- Dev-only toggle to simulate admin vs public without OAuth setup
- CLI bypass (isAdmin: true) preserves existing dev workflow
- Auth disabled by default when env vars are missing
Summary

isAdmin: true) preserves existing workflow

New files

- src/server/lib/auth.ts — session cookie + auth utilities
- src/server/lib/rate-limit.ts — IP-based rate limiter
- src/app/components/auth-button.tsx — login/logout button + dev toggle
- src/app/routes/api/auth/{github,callback,logout}.ts — OAuth route handlers

Test plan

- rcr commands work without auth configuration