Rebuild AI-driven architecture foundation #5
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 47fe9255e8
| socket.on("room:join", ({ roomCode, role }) => { | ||
| socket.join(roomCode); |
Validate realtime joins against guest access
When a guest link has been revoked or expired, this socket server still accepts any client that knows the roomCode because room:join only uses roomCode/role and does not validate the guest token or reading state. The guest page discloses the room code after token authentication, so a stale or copied room code can reconnect directly to the realtime endpoint and receive WebRTC offers even after the web app rejects the token; require a valid guest token/session for joins or proxy this through the access check.
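The join check that the review comment above asks for, as an added example that is not code from the pull request. It covers the guest path only; the record fields, the `guestToken` payload field, the `room:error` event name and the in-memory `guestLinks` map (a stand-in for the database lookup) are assumptions.

```javascript
// Added example: server-side authorization for "room:join" (guest path).
// Assumed, not from the PR: record fields, the guestToken payload field,
// the "room:error" event name, and guestLinks standing in for the database.
const guestLinks = new Map([ // constructed sample records, keyed by guest token
  ["tok-valid",   { roomCode: "ROOM1", revokedAt: null, expiresAt: 2000, readingStatus: "active" }],
  ["tok-revoked", { roomCode: "ROOM1", revokedAt: 500,  expiresAt: 2000, readingStatus: "active" }],
  ["tok-expired", { roomCode: "ROOM1", revokedAt: null, expiresAt: 900,  readingStatus: "active" }],
  ["tok-ended",   { roomCode: "ROOM2", revokedAt: null, expiresAt: 2000, readingStatus: "finished" }],
]);

// Returns { ok: true, role } or { ok: false, reason }. The client-supplied
// role is never consulted: the role follows from the record the token resolves to.
function authorizeGuestJoin(payload, links, now) {
  const { roomCode, guestToken } = payload ?? {};
  if (typeof roomCode !== "string" || typeof guestToken !== "string") {
    return { ok: false, reason: "malformed" };
  }
  const link = links.get(guestToken);
  if (!link) return { ok: false, reason: "unknown-token" };
  if (link.roomCode !== roomCode) return { ok: false, reason: "wrong-room" };
  if (link.revokedAt !== null) return { ok: false, reason: "revoked" };
  if (link.expiresAt <= now) return { ok: false, reason: "expired" };
  if (link.readingStatus !== "active") return { ok: false, reason: "reading-closed" };
  return { ok: true, role: "guest" };
}

// Handler body: `socket` only needs join() and emit(), which Socket.IO sockets provide.
function onRoomJoin(socket, payload, links = guestLinks, now = Date.now()) {
  const decision = authorizeGuestJoin(payload, links, now);
  if (!decision.ok) {
    // The precise reason stays server-side; the client gets a generic denial.
    socket.emit("room:error", { reason: "join-denied" });
    return decision;
  }
  // Record the server-derived role so later signaling handlers can check it.
  socket.data = { ...socket.data, roomCode: payload.roomCode, role: decision.role };
  socket.join(payload.roomCode);
  return decision;
}
```

It would be registered as `socket.on("room:join", (payload) => onRoomJoin(socket, payload))`, so a room code alone no longer admits a client to the room.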
| const confirmCardSchema = z.object({ | ||
| cardSlug: z.string().min(1), | ||
| position: z.number().int().min(1), |
Reject cards beyond the configured spread
For readings with a limited cardsCount such as a 3-card spread, this endpoint accepts any positive position and confirmReadingCard upserts it without comparing against the reading type. The host UI also lets the position advance after the last card, so a normal session can persist extra cards that make the teleprompter/report disagree with the selected spread; validate the position against reading.readingType.cardsCount before saving.
| streamRef.current?.getTracks().forEach(track => { | ||
| peer.addTrack(track, streamRef.current as MediaStream); | ||
| }); |
Add tracks after camera readiness before offering
If the guest joins while the host is still granting camera permission, ensurePeer() creates the RTCPeerConnection and sends an offer before streamRef.current is populated, so no tracks are added and the later getUserMedia success never renegotiates or adds tracks to the existing peer. In that timing, the guest connects but never receives video; wait for the stream before creating the offer or add tracks/renegotiate when the stream becomes available.
Additional local validation:
Local non-blocking pending items for the PR:
Next local step: install/open Docker Desktop and create

Additional local validation completed:
Note: when trying to paste the spec 013 prompt into the terminal, some parts were interpreted by zsh as commands, but there was no change in Git;

Additional local validation:
Note: locally created the branch

Additional local validation:
Note: error

Reported local validation:
- corepack enable executed.
- pnpm install passed using pnpm v10.12.4.
- pnpm build passed.
- apps/realtime, packages/database, packages/tarot-core, packages/ui, packages/vision-core and apps/web.

Notes:
- pnpm, as per packageManager in package.json.
- npm install on this branch to avoid undue lockfile/workspace changes.
- package.json#prisma, which can become a future task to migrate to prisma.config.ts.