
chore: snapshot cloud develop merge worktree#460

Merged: lalalune merged 1 commit into develop from feat/multi-google-connections-per-user on Apr 17, 2026

Conversation

@lalalune (Member)

No description provided.

vercel bot commented Apr 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project         Deployment   Actions            Updated (UTC)
eliza-cloud-v2  Ready        Preview, Comment   Apr 17, 2026 10:13pm

coderabbitai bot commented Apr 17, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 474cd50e-1c80-4698-a9ce-10cce599908f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@lalalune lalalune merged commit 21b9e96 into develop Apr 17, 2026
10 of 12 checks passed
claude bot commented Apr 17, 2026

Code Review: PR 460 - Snapshot Merge

This is a large snapshot merge (1606 files, +55k/-34k lines). Review based on codebase exploration.

Features bundled: Multi-Google-account OAuth, Device Bus (cross-device intents), Twilio Voice logging, Remote Sessions (T9a control plane), AI Pricing Catalog with 20% platform markup.

STRENGTHS

  • PKCE correctly implemented (RFC 7636 S256) - state tokens deleted after use to prevent replay attacks
  • Decimal.js for financial math with 10-decimal precision (correct for billing)
  • Org/user isolation enforced at repository layer on all new tables
  • Secret rotation handles orphaned secrets gracefully
  • Backward-compatible schema migration (drops old single-account index)
  • Good audit trail on AI pricing entries (source tracking, stale_after, updated_by)

SECURITY ISSUES

  1. Token refresh error propagation (oauth2.ts lines 987-993): raw errors from token refresh may propagate to callers - verify no sensitive token data leaks upstream.

  2. Userinfo fallback creates identity-less connections (oauth2.ts lines 493-521): when no userInfo endpoint configured, falls back to token hash as pseudo-ID. Consider requiring explicit config instead of silent degradation.

  3. source_url in AI pricing may leak via API: ai_pricing_entries.source_url stores internal upstream URLs. Audit public API responses to ensure this field is filtered.

RACE CONDITIONS

  1. Non-atomic device intent delivery (devices/intents/route.ts lines 73-83): delivered_to JSONB array updated in loop without transactions. Code comment acknowledges this with WebSocket as follow-up. Track as known limitation.

  2. AI pricing dimension serialization fragility (ai-pricing.ts lines 129-142): JSON string cache keys are brittle if object key order varies. Consider normalizing or hashing dimension keys.

MISSING SAFEGUARDS

  1. No rate limiting on device registration (devices/route.ts): authenticated users could spam registrations. Add per-user/org limits before production.

  2. No TTL on device intents: device_bus_intents has no auto-expiry. Add a cleanup job.

  3. pairing_token_hash algorithm undocumented (remote-sessions.ts line 38): add a comment documenting the hash algorithm (bcrypt? sha256?).

  4. Silent token expiry clamping (oauth2.ts lines 835-840): expires_in clamped 60s-1yr with no log. Add a warning log for out-of-range values.

  5. No quota on Google account linking: document policy or add enforcement.

DATABASE SCHEMA

  • ai_pricing_entries: well-designed with composite lookup index and time-based pricing (effective_from/until)
  • device_bus_intents: delivered_to as JSONB array will not scale at high volume - use a join table for production
  • remote_sessions: CHECK constraint on status is correct, good cascade deletes
  • platform_credentials: correctly drops user_platform_idx, retains org_platform_user_idx - enables multi-account while preventing duplicate linking

TEST COVERAGE

  • Multi-account OAuth flows tested (milady-google-multi-account.test.ts)
  • Schema migration validation tested
  • No visible tests for device bus race conditions, remote session transitions, or pricing refresh failures

SUMMARY

Architecture is sound and security fundamentals are in place. Priorities before enabling device bus in production:

  1. Add rate limiting to device registration (abuse vector)
  2. Audit source_url from public pricing API responses (security)
  3. Log token expiry clamping as warnings (debugging)

The multi-account OAuth migration is backward-compatible and well-tested. The pricing engine uses correct financial precision.

Review by Claude Code - 2026-04-17
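As an added example (not code from this PR or the eliza-cloud-v2 project) of the dimension-key normalization the review suggests under "AI pricing dimension serialization fragility": recursively sort object keys before serializing, then hash the canonical form, so two pricing dimension objects that differ only in key insertion order map to the same cache entry. The function names `canonicalJson`, `dimensionCacheKey`, `naiveCacheKey` and the sample dimension objects are assumptions for illustration.

```typescript
import { createHash } from "node:crypto";

// Recursively rebuild objects with keys in sorted order so semantically equal
// dimension objects serialize to byte-identical JSON. Arrays keep their order,
// since position is meaningful there.
function canonicalize(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(canonicalize);
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(src).sort()) {
      out[key] = canonicalize(src[key]);
    }
    return out;
  }
  return value; // primitives serialize the same way regardless of order
}

// Canonical JSON form of a set of pricing dimensions (hypothetical helper).
export function canonicalJson(dims: Record<string, unknown>): string {
  return JSON.stringify(canonicalize(dims));
}

// Cache key = provider plus SHA-256 of the canonical JSON. Hashing keeps the key
// fixed-length and avoids echoing raw dimension values into cache or log output.
export function dimensionCacheKey(
  provider: string,
  dims: Record<string, unknown>,
): string {
  const digest = createHash("sha256").update(canonicalJson(dims)).digest("hex");
  return `${provider}:${digest}`;
}

// The brittle pattern the review warns about, kept for comparison: the key
// depends on the order in which the caller happened to add properties.
export function naiveCacheKey(
  provider: string,
  dims: Record<string, unknown>,
): string {
  return `${provider}:${JSON.stringify(dims)}`;
}
```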
