Harden Juber for production-ready demo flows#1
Merged
Conversation
Lock concurrent ride, conversation, and event workflows while tightening grants, RLS, indexes, and per-user message visibility. Co-authored-by: Cursor <cursoragent@cursor.com>
Centralize strict redirect targets, date-safe event loading, and profile contact context so upcoming mobile flows reuse one verified implementation. Co-authored-by: Cursor <cursoragent@cursor.com>
Fail the profile contact nudge open only for RPC errors while preserving clean missing-contact enforcement and database write guards. Co-authored-by: Cursor <cursoragent@cursor.com>
Restore global test stubs deterministically and assert the safe structured error log used by the outage fallback. Co-authored-by: Cursor <cursoragent@cursor.com>
Respect conversation hiding and unread cutoffs across desktop and mobile while keeping realtime updates incremental and thread rendering bounded. Co-authored-by: Cursor <cursoragent@cursor.com>
Keep conversations available after rides, isolate per-user hide state, expire raw contact access, and harden realtime inbox and notification behavior. Co-authored-by: Cursor <cursoragent@cursor.com>
Constrain booking-state transitions, make sends retry-safe, reconcile realtime reconnects, and keep archived messaging and notifications privacy-correct. Co-authored-by: Cursor <cursoragent@cursor.com>
Restrict lifecycle mutations, remove private hide-state publication, and make messaging catch-up and notification state converge exactly. Co-authored-by: Cursor <cursoragent@cursor.com>
Prevent cross-thread refresh cancellation and keep mounted archive state current across remote lifecycle changes and long departure timers. Co-authored-by: Cursor <cursoragent@cursor.com>
Enable mounted chat views to receive ride and request status changes while preserving RLS and keeping private hide state unpublished. Co-authored-by: Cursor <cursoragent@cursor.com>
Remove direct anonymous ride-table privileges while preserving public RPC browsing and authenticated Realtime updates. Co-authored-by: Cursor <cursoragent@cursor.com>
Make seat requests atomic and repeatable, keep mobile actions in-shell, expose clear pending/errors, and defer best-effort SMS from committed cancellations. Co-authored-by: Cursor <cursoragent@cursor.com>
Keep ride actions on valid routes, preserve redirect control flow, surface reserve failures inline, and fully defer cancellation SMS work. Co-authored-by: Cursor <cursoragent@cursor.com>
Restore secure re-request actions, hide stale driver decisions, and enforce cancellation reasons against fresh server state. Co-authored-by: Cursor <cursoragent@cursor.com>
Lock ride state during decline transitions so terminal rides cannot be mutated by concurrent driver actions. Co-authored-by: Cursor <cursoragent@cursor.com>
Expose privacy-safe public event data, keep mobile browsing in-shell, and make event requests clear, secondary, and fully feedback-driven. Co-authored-by: Cursor <cursoragent@cursor.com>
Ungate public ride navigation, preserve request success feedback, and allow mobile event back navigation without opening sign-in. Co-authored-by: Cursor <cursoragent@cursor.com>
Keep sign-in returns, ride actions, profile links, notifications, and posting flows inside concrete mobile routes with strict destination validation. Co-authored-by: Cursor <cursoragent@cursor.com>
Carry only canonical event and ride-tab parameters through sign-in while rejecting duplicate, malformed, and external destinations. Co-authored-by: Cursor <cursoragent@cursor.com>
Preserve sanitized event and tab context across required profile completion while keeping normal profile edits and hostile inputs safely contained. Co-authored-by: Cursor <cursoragent@cursor.com>
Honor desktop opt-out, preserve mobile intent, and revalidate pathname-only cache targets while redirecting with canonical query context. Co-authored-by: Cursor <cursoragent@cursor.com>
Map sanitized mobile return targets to concrete desktop counterparts across OAuth, onboarding, profile save, and proxy handling. Co-authored-by: Cursor <cursoragent@cursor.com>
Add one mobile realtime owner, retry-safe row and bulk read controls, desktop list reconciliation, and hidden-chat-safe cancellation detail rendering. Co-authored-by: Cursor <cursoragent@cursor.com>
Separate row and bulk failures, remove render-time sync, guard overlapping refreshes, and exercise production notification state transitions directly. Co-authored-by: Cursor <cursoragent@cursor.com>
Prevent overlapping row and bulk updates, clear stale feedback on authoritative sync, and make expired sessions surface retryable failures. Co-authored-by: Cursor <cursoragent@cursor.com>
Use complete unread IDs to distinguish list eviction from confirmed reads so pending operations cannot release early. Co-authored-by: Cursor <cursoragent@cursor.com>
Keep in-flight locks through failed refreshes and retain safe row metadata so bounded mobile lists can still render an exact retry. Co-authored-by: Cursor <cursoragent@cursor.com>
Retain one specifically named busy retry control through matching completion or authoritative confirmation without duplicating row actions. Co-authored-by: Cursor <cursoragent@cursor.com>
Use guarded aria-disabled behavior so the same busy retry control retains keyboard focus without accepting duplicate activation. Co-authored-by: Cursor <cursoragent@cursor.com>
Synchronize ride tabs with browser history and add precise duplicate-safe pending states across admin, profile, contact, and request actions. Co-authored-by: Cursor <cursoragent@cursor.com>
Add full keyboard tab semantics, validation-safe mutation locks, and React-managed sign-out feedback with shared error handling. Co-authored-by: Cursor <cursoragent@cursor.com>
Commit browser history only for real tab changes while preserving keyboard focus, filters, and Back synchronization. Co-authored-by: Cursor <cursoragent@cursor.com>
Unify focus-safe modal behavior, guard pending dismissal, raise verified text contrast, and expose existing legal routes across desktop and mobile. Co-authored-by: Cursor <cursoragent@cursor.com>
Make legal links truly public and touch-friendly, migrate the sign-in prompt to shared focus behavior, and clear remaining light-surface contrast failures. Co-authored-by: Cursor <cursoragent@cursor.com>
Expose the signed-out legal surface, share pending state with contact-sheet dismissal, and raise the final footer tagline above AA contrast. Co-authored-by: Cursor <cursoragent@cursor.com>
Allow signed-out Rides, Events, and Profile navigation while retaining auth gates on Requests and Post. Co-authored-by: Cursor <cursoragent@cursor.com>
Keep mobile renders free of desktop queries, consolidate desktop notifications, and preserve page state with one passive reduced-motion route indicator. Co-authored-by: Cursor <cursoragent@cursor.com>
Use Next Link onNavigate after cancellation checks and invalidate notification refresh work across user and snapshot changes. Co-authored-by: Cursor <cursoragent@cursor.com>
Track the last completed pathname and query so progress starts only for real Back or Forward route transitions. Co-authored-by: Cursor <cursoragent@cursor.com>
Track revisioned unpaired URL changes so real history transitions settle once while hash-only and stale events remain quiet. Co-authored-by: Cursor <cursoragent@cursor.com>
Refresh Supabase cookies before strict mobile redirects, preserve safe queries, and copy only Set-Cookie state across first-hop routing. Co-authored-by: Cursor <cursoragent@cursor.com>
Set the persistent desktop cookie only for a single desktop=1 value and include root-level proxy tests in the standard suite. Co-authored-by: Cursor <cursoragent@cursor.com>
Wire approvals through the database RPC, surface typed outcomes for every mutation, and bound and deduplicate JCNC imports. Co-authored-by: Cursor <cursoragent@cursor.com>
Add a row-locked approval result contract, detect stale deletes, and verify concurrent admin actions against production server-action paths. Co-authored-by: Cursor <cursoragent@cursor.com>
Automate all verification gates, document the full Supabase and demo setup, track safe env placeholders, and clarify post-booking and empty-state guidance. Co-authored-by: Cursor <cursoragent@cursor.com>
Remove branch filtering while retaining pull-request checks, least permissions, concurrency, caching, and all required gates. Co-authored-by: Cursor <cursoragent@cursor.com>
Reject expired transitions, freeze message identity, narrow table privileges, scope public event rides directly, and remove the dead footer contact. Co-authored-by: Cursor <cursoragent@cursor.com>
Keep the authenticated RLS no-op check and add a service-role path that proves the transition trigger rejects stale fulfillment with the expected error. Co-authored-by: Cursor <cursoragent@cursor.com>
Give anonymous and signed-in mobile pages one semantic main region without changing BottomNav or layout behavior. Co-authored-by: Cursor <cursoragent@cursor.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Add private location and party booking, moderation, event, onboarding, and realtime lifecycle support while closing security, accessibility, and performance gaps. Co-authored-by: Cursor <cursoragent@cursor.com>
Run ride and request label validation under the trigger owner so authenticated posting succeeds without exposing the validator helper. Co-authored-by: Cursor <cursoragent@cursor.com>
Extend ProfileForm with an optional steps mode that renders a centered, step-by-step onboarding wizard (Welcome to Juber, then name, contact, photo, home, vehicle) on desktop and mobile. Edit and contact_required paths render unchanged; redirect/allowlist surface and server actions are untouched, with the server still authoritative for contact. Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
0033.Test plan
npm test— 275 tests passednpx tsc --noEmitnpm run lintnpm run buildgit diff --check origin/main...HEAD0001–0033aligned locally/remotely in the prior database verification waveKnown deployment configuration
TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN, andTWILIO_FROM_NUMBERare configured in Production.