Feat/ai sdk migration v2 #177
…abot-config add dependabot config
Bumps [next](https://github.com/vercel/next.js) from 15.4.8 to 15.5.9. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.4.8...v15.5.9) --- updated-dependencies: - dependency-name: next dependency-version: 15.5.9 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tar](https://github.com/isaacs/node-tar) from 7.4.3 to 7.5.2. - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.4.3...v7.5.2) --- updated-dependencies: - dependency-name: tar dependency-version: 7.5.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…55183
- CVE-2025-55184: Denial of Service in React Server Components (CVSS 7.5)
- CVE-2025-55183: Source Code Exposure in React Server Components (CVSS 5.3)

Upgraded react and react-dom from ^19.0.0 to ^19.1.4 which includes fixes for both vulnerabilities in React Server Components.
Replicated release
…025-55184-55183 security: Upgrade React to 19.1.4 to fix CVEs
…and_yarn/chartsmith-app/tar-7.5.2 deps(app)(deps): bump tar from 7.4.3 to 7.5.2 in /chartsmith-app
…and_yarn/chartsmith-app/next-15.5.9 deps(app)(deps): bump next from 15.4.8 to 15.5.9 in /chartsmith-app
Bumps [tailwind-merge](https://github.com/dcastil/tailwind-merge) from 3.2.0 to 3.4.0. - [Release notes](https://github.com/dcastil/tailwind-merge/releases) - [Commits](dcastil/tailwind-merge@v3.2.0...v3.4.0) --- updated-dependencies: - dependency-name: tailwind-merge dependency-version: 3.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…and_yarn/chartsmith-app/tailwind-merge-3.4.0 deps(app)(deps): bump tailwind-merge from 3.2.0 to 3.4.0 in /chartsmith-app
Bumps [jotai](https://github.com/pmndrs/jotai) from 2.12.2 to 2.16.0. - [Release notes](https://github.com/pmndrs/jotai/releases) - [Commits](pmndrs/jotai@v2.12.2...v2.16.0) --- updated-dependencies: - dependency-name: jotai dependency-version: 2.16.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…and_yarn/chartsmith-app/jotai-2.16.0 deps(app)(deps): bump jotai from 2.12.2 to 2.16.0 in /chartsmith-app
Bumps [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) from 0.479.0 to 0.561.0. - [Release notes](https://github.com/lucide-icons/lucide/releases) - [Commits](https://github.com/lucide-icons/lucide/commits/0.561.0/packages/lucide-react) --- updated-dependencies: - dependency-name: lucide-react dependency-version: 0.561.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#154) Bumps the production-dependencies group in /chartsmith-app with 5 updates: | Package | From | To | | --- | --- | --- | | [@radix-ui/react-toast](https://github.com/radix-ui/primitives) | `1.2.7` | `1.2.15` | | [@tailwindcss/typography](https://github.com/tailwindlabs/tailwindcss-typography) | `0.5.16` | `0.5.19` | | [autoprefixer](https://github.com/postcss/autoprefixer) | `10.4.21` | `10.4.22` | | [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) | `9.0.2` | `9.0.3` | | [patch-package](https://github.com/ds300/patch-package) | `8.0.0` | `8.0.1` | Updates `@radix-ui/react-toast` from 1.2.7 to 1.2.15 - [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md) - [Commits](https://github.com/radix-ui/primitives/commits) Updates `@tailwindcss/typography` from 0.5.16 to 0.5.19 - [Release notes](https://github.com/tailwindlabs/tailwindcss-typography/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss-typography/blob/main/CHANGELOG.md) - [Commits](tailwindlabs/tailwindcss-typography@v0.5.16...v0.5.19) Updates `autoprefixer` from 10.4.21 to 10.4.22 - [Release notes](https://github.com/postcss/autoprefixer/releases) - [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md) - [Commits](postcss/autoprefixer@10.4.21...10.4.22) Updates `jsonwebtoken` from 9.0.2 to 9.0.3 - [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md) - [Commits](auth0/node-jsonwebtoken@v9.0.2...v9.0.3) Updates `patch-package` from 8.0.0 to 8.0.1 - [Release notes](https://github.com/ds300/patch-package/releases) - [Changelog](https://github.com/ds300/patch-package/blob/master/CHANGELOG.md) - [Commits](https://github.com/ds300/patch-package/commits) --- updated-dependencies: - dependency-name: "@radix-ui/react-toast" dependency-version: 1.2.15 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-dependencies - dependency-name: "@tailwindcss/typography" 
dependency-version: 0.5.19 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-dependencies - dependency-name: autoprefixer dependency-version: 10.4.22 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-dependencies - dependency-name: jsonwebtoken dependency-version: 9.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-dependencies - dependency-name: patch-package dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: production-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#150) Bumps [ws](https://github.com/websockets/ws) from 8.18.1 to 8.18.3. - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.1...8.18.3) --- updated-dependencies: - dependency-name: ws dependency-version: 8.18.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…dhq#147) Bumps [jotai](https://github.com/pmndrs/jotai) from 2.12.3 to 2.16.0. - [Release notes](https://github.com/pmndrs/jotai/releases) - [Commits](pmndrs/jotai@v2.12.3...v2.16.0) --- updated-dependencies: - dependency-name: jotai dependency-version: 2.16.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the react-ecosystem group in /chartsmith-extension with 2 updates: [react](https://github.com/facebook/react/tree/HEAD/packages/react) and [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom). Updates `react` from 19.1.0 to 19.2.3 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.3/packages/react) Updates `react-dom` from 19.1.0 to 19.2.3 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.3/packages/react-dom) --- updated-dependencies: - dependency-name: react dependency-version: 19.2.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: react-ecosystem - dependency-name: react-dom dependency-version: 19.2.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: react-ecosystem ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…icatedhq#165) Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.2 to 2.1.4. - [Commits](mafintosh/tar-fs@v2.1.2...v2.1.4) --- updated-dependencies: - dependency-name: tar-fs dependency-version: 2.1.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tedhq#167)
Fixed all HIGH and MEDIUM severity security vulnerabilities:

HIGH severity fixes:
- Update containerd to v1.7.29 (CVE-2024-25621)
- Update playwright to v1.57.0 (CVE-2025-59288)
- Fix glob and jws vulnerabilities via npm audit

MEDIUM severity fixes:
- Update golang.org/x/crypto to v0.45.0 (fixes 4 CVEs)
- Update helm to v3.18.5 (fixes 4 CVEs)
- Fix js-yaml and mdast-util-to-hast vulnerabilities

All npm audit vulnerabilities resolved (0 remaining).
npm unit tests: 10/10 passed
… directory with 8 updates (replicatedhq#168) Bumps the development-dependencies group with 8 updates in the /chartsmith-app directory: | Package | From | To | | --- | --- | --- | | [@eslint/eslintrc](https://github.com/eslint/eslintrc) | `3.3.1` | `3.3.3` | | [@types/gunzip-maybe](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/gunzip-maybe) | `1.4.2` | `1.4.3` | | [@types/lodash](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/lodash) | `4.17.16` | `4.17.21` | | [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.29.1` | `8.49.0` | | [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) | `8.29.1` | `8.49.0` | | [postcss](https://github.com/postcss/postcss) | `8.5.3` | `8.5.6` | | [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.3.1` | `29.4.6` | | [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.3` | Updates `@eslint/eslintrc` from 3.3.1 to 3.3.3 - [Release notes](https://github.com/eslint/eslintrc/releases) - [Changelog](https://github.com/eslint/eslintrc/blob/main/CHANGELOG.md) - [Commits](eslint/eslintrc@v3.3.1...eslintrc-v3.3.3) Updates `@types/gunzip-maybe` from 1.4.2 to 1.4.3 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/gunzip-maybe) Updates `@types/lodash` from 4.17.16 to 4.17.21 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash) Updates `@typescript-eslint/eslint-plugin` from 8.29.1 to 8.49.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - 
[Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.49.0/packages/eslint-plugin) Updates `@typescript-eslint/parser` from 8.29.1 to 8.49.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.49.0/packages/parser) Updates `postcss` from 8.5.3 to 8.5.6 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.3...8.5.6) Updates `ts-jest` from 29.3.1 to 29.4.6 - [Release notes](https://github.com/kulshekhar/ts-jest/releases) - [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md) - [Commits](kulshekhar/ts-jest@v29.3.1...v29.4.6) Updates `typescript` from 5.8.3 to 5.9.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](microsoft/TypeScript@v5.8.3...v5.9.3) --- updated-dependencies: - dependency-name: "@eslint/eslintrc" dependency-version: 3.3.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: development-dependencies - dependency-name: "@types/gunzip-maybe" dependency-version: 1.4.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: development-dependencies - dependency-name: "@types/lodash" dependency-version: 4.17.21 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: development-dependencies - dependency-name: "@typescript-eslint/eslint-plugin" dependency-version: 8.49.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: development-dependencies - dependency-name: "@typescript-eslint/parser" dependency-version: 8.49.0 dependency-type: direct:development update-type: version-update:semver-minor 
dependency-group: development-dependencies - dependency-name: postcss dependency-version: 8.5.6 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: development-dependencies - dependency-name: ts-jest dependency-version: 29.4.6 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: development-dependencies - dependency-name: typescript dependency-version: 5.9.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: development-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…icatedhq#173) * deps(app)(deps): bump react and @types/react in /chartsmith-app Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) and [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react). These dependencies needed to be updated together. Updates `react` from 19.1.4 to 19.2.3 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.3/packages/react) Updates `@types/react` from 19.1.0 to 19.2.7 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) --- updated-dependencies: - dependency-name: react dependency-version: 19.2.3 dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: "@types/react" dependency-version: 19.2.7 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * deps: update react-dom to match react version 19.2.3 Dependabot updated react to 19.2.3 but left react-dom at 19.1.4. This commit updates react-dom to match and also updates @types/react-dom. Changes: - react-dom: 19.1.4 → 19.2.3 - @types/react-dom: updated to latest All npm vulnerabilities: 0 remaining --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: St0rmz1 <astorms@replicated.com>
) Bumps [monaco-editor](https://github.com/microsoft/monaco-editor) from 0.52.2 to 0.55.1. - [Release notes](https://github.com/microsoft/monaco-editor/releases) - [Changelog](https://github.com/microsoft/monaco-editor/blob/main/CHANGELOG.md) - [Commits](microsoft/monaco-editor@v0.52.2...v0.55.1) --- updated-dependencies: - dependency-name: monaco-editor dependency-version: 0.55.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…pp (replicatedhq#171) Bumps [centrifuge](https://github.com/centrifugal/centrifuge-js) from 5.3.4 to 5.5.2. - [Release notes](https://github.com/centrifugal/centrifuge-js/releases) - [Changelog](https://github.com/centrifugal/centrifuge-js/blob/master/CHANGELOG.md) - [Commits](centrifugal/centrifuge-js@5.3.4...5.5.2) --- updated-dependencies: - dependency-name: centrifuge dependency-version: 5.5.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…replicatedhq#158) Bumps [dotenv](https://github.com/motdotla/dotenv) from 16.5.0 to 17.2.3. - [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md) - [Commits](motdotla/dotenv@v16.5.0...v17.2.3) --- updated-dependencies: - dependency-name: dotenv dependency-version: 17.2.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…atedhq#172) Bumps [diff](https://github.com/kpdecker/jsdiff) and [@types/diff](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/diff). These dependencies needed to be updated together. Updates `diff` from 7.0.0 to 8.0.2 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@7.0.0...v8.0.2) Updates `@types/diff` from 7.0.2 to 8.0.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/diff) --- updated-dependencies: - dependency-name: diff dependency-version: 8.0.2 dependency-type: direct:production update-type: version-update:semver-major - dependency-name: "@types/diff" dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…hq#157) Bumps [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) and [@types/pg](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/pg). These dependencies needed to be updated together. Updates `pg` from 8.14.1 to 8.16.3 - [Changelog](https://github.com/brianc/node-postgres/blob/master/CHANGELOG.md) - [Commits](https://github.com/brianc/node-postgres/commits/pg@8.16.3/packages/pg) Updates `@types/pg` from 8.11.11 to 8.16.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/pg) --- updated-dependencies: - dependency-name: pg dependency-version: 8.16.3 dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: "@types/pg" dependency-version: 8.16.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Migrate chat functionality from Anthropic SDK to Vercel AI SDK
- Add comprehensive test coverage for AI chat hooks
- Update .gitignore to exclude test artifacts, build files, and environment files
- Add new API routes for chat and prompt-type handling
- Update architecture documentation
- Remove deprecated conversational.go files
- Add new AI SDK implementation files

- Move debugging documentation to docs/debugging/ (ignored)
- Move setup documentation to docs/local-setup/ (ignored)
- Move debugging scripts to scripts/debugging/ (ignored)
- Move setup scripts to scripts/setup/ (ignored)
- Update .gitignore to exclude these directories
- Remove CLAUDE.md (moved to appropriate location)
- Clean up root directory to only essential files
These files remain available locally for reference but are not committed to git.

- Update .gitignore to exclude entire docs/ directory
- Remove all tracked files in docs/ from git (files remain locally)
- All documentation now kept locally only, not committed to repository

Remove debug/e2e tests, test documentation, and unit tests to focus this PR on core AI SDK migration functionality. Tests can be added in a follow-up PR.
Removed:
- Debug e2e tests (debug-helm-chart-flow, create-workspace-e2e, etc.)
- TEST_COVERAGE.md documentation
- TestAIChat.tsx debug component
- Unit/integration tests for hooks, services, and types
- Go aisdk_test.go
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
| aiChatHook.setSelectedRole("auto"); | ||
| } | ||
| // Cast to HTMLFormElement for the hook's handleSubmit | ||
| aiChatHook.handleSubmit(e as React.FormEvent<HTMLFormElement>); |
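Review bot: The "e as React.FormEvent<HTMLFormElement>" assertion on the handleSubmit call overrides the compiler instead of proving that the event is a form event, and the comment on the line above says the cast exists only to satisfy the hook's signature. If this handler can also be reached from a key press or a button click, the hook receives an event whose target is not a form. Widen the event type that handleSubmit accepts, or call it only from the form's own submit handler, so the cast can be dropped.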
Bug: Race condition when setting role before submit
The code calls setSelectedRole("auto") immediately before handleSubmit, intending to ensure the role is "auto" when submitting. However, React state updates are asynchronous, so selectedRoleRef.current in useAIChat.ts won't be updated until the next render. The transport's prepareSendMessagesRequest reads from selectedRoleRef.current which still holds the old value at the time of submission. This means if a user had previously changed the role, the request could be sent with the wrong role despite the defensive check. The ref is only updated via selectedRoleRef.current = selectedRole during render, not when setSelectedRole is called.
Additional Locations (1)
| await db.query( | ||
| `UPDATE workspace_chat SET response = $1 WHERE id = $2 AND workspace_id = $3`, | ||
| [response, messageId, workspaceId] | ||
| ); |
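Review bot: The result of "await db.query(...)" is discarded, so an UPDATE that matches no row (an unknown messageId, or one that belongs to a different workspace_id) looks the same to the caller as a successful write. Capture the result, check the affected-row count, and return a not-found response when it is zero. The bound parameters $1 to $3 are fine; the WHERE clause ties the message to a workspace, but nothing in these lines ties the workspace to the caller, so that check has to run before this statement.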
Bug: Missing workspace authorization allows cross-workspace access
The new message API endpoints authenticate users but don't verify workspace ownership. The PATCH endpoint updates messages using only workspaceId and messageId from the URL, and the GET/POST endpoints access workspace messages without checking if the authenticated user owns or has access to that workspace. Any authenticated user can read, create, or modify messages in any workspace by guessing or knowing the workspace ID.
Additional Locations (2)
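The missing ownership check described in this comment, shown beside a hardened handler. This is an added example, not code from the pull request: the in-memory store stands in for the database, and the membership list, user names, handler names and status codes are assumptions.

```javascript
// Constructed sample data: two users, each a member of one workspace (hypothetical names).
function makeStore() {
  return {
    members: [
      { workspaceId: "ws-alice", userId: "alice" },
      { workspaceId: "ws-bob", userId: "bob" },
    ],
    chat: [
      { id: "m1", workspaceId: "ws-alice", response: "alice draft" },
      { id: "m2", workspaceId: "ws-bob", response: "bob draft" },
    ],
  };
}

// Stand-in for:
//   UPDATE workspace_chat SET response = $1 WHERE id = $2 AND workspace_id = $3
function updateResponse(store, response, messageId, workspaceId) {
  const rows = store.chat.filter(
    (r) => r.id === messageId && r.workspaceId === workspaceId
  );
  rows.forEach((r) => { r.response = response; });
  return { rowCount: rows.length };
}

// Stand-in for a membership lookup (the real table and columns are not on the page).
function isMember(store, userId, workspaceId) {
  return store.members.some(
    (m) => m.userId === userId && m.workspaceId === workspaceId
  );
}

// Behaviour the comment describes: the caller is authenticated, but the
// workspaceId and messageId taken from the URL are trusted as they are.
function patchMessageUnchecked(store, session, params, body) {
  if (!session) return { status: 401 };
  updateResponse(store, body.response, params.messageId, params.workspaceId);
  return { status: 200 };
}

// Hardened form: authorize the session user against the workspace before
// touching any row, and treat zero affected rows as "not found".
function patchMessageChecked(store, session, params, body) {
  if (!session) return { status: 401 };
  if (!isMember(store, session.userId, params.workspaceId)) {
    // 404 rather than 403, so the response does not confirm the workspace exists.
    return { status: 404 };
  }
  const { rowCount } = updateResponse(
    store, body.response, params.messageId, params.workspaceId
  );
  return rowCount === 1 ? { status: 200 } : { status: 404 };
}

// Run both handlers with bob's session against a message in alice's workspace.
function demo() {
  const bob = { userId: "bob" };
  const target = { workspaceId: "ws-alice", messageId: "m1" };
  const body = { response: "overwritten" };
  const a = makeStore();
  const unchecked = patchMessageUnchecked(a, bob, target, body);
  const b = makeStore();
  const checked = patchMessageChecked(b, bob, target, body);
  return {
    unchecked: { status: unchecked.status, stored: a.chat[0].response },
    checked: { status: checked.status, stored: b.chat[0].response },
  };
}
```

The same membership check belongs in front of the GET and POST handlers the comment mentions, ideally as one shared helper so that a new route cannot skip it.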
| }; | ||
| } | ||
|
|
||
| throw new Error(`Unsupported message role: ${uiMessage.role}`); |
Bug: Function throws error for valid system message role
The uiMessageToMessage function throws an error for any message role other than 'user' or 'assistant', but the chat API schema (ChatMessageSchema) explicitly accepts 'system' as a valid role. If a system message flows through uiMessageToMessage (such as in the onFinish callback at line 233 of useAIChat.ts), the application will crash with an unhandled error instead of gracefully handling the message.
| const isLoading = chat.status === 'streaming' || chat.status === 'submitted'; | ||
| const error = chat.error; | ||
| const stop = () => chat.stop(); | ||
| const reload = () => chat.regenerate(); |
Bug: Incorrect method call - regenerate doesn't exist on useChat
The reload function calls chat.regenerate(), but the AI SDK v5 useChat hook does not have a regenerate method. The correct method is likely reload(). When a user or component calls the exposed reload function from UseAIChatReturn, it will throw a runtime TypeError because chat.regenerate is undefined.
| }); | ||
| throw err; | ||
| return `test-token-${session.id}-${Date.now()}`; | ||
| } |
Bug: Production fallback to test tokens weakens authentication security
The sessionToken function silently falls back to test token format (test-token-{sessionId}-{timestamp}) in production if HMAC_SECRET is missing or JWT generation fails. While sessions are still validated against the database, this exposes internal session IDs directly in tokens and represents a security degradation from cryptographically signed JWTs. A misconfigured production deployment could unknowingly use insecure token formats with only a warning log.
No description provided.