… development experience
- Revised README to clarify project structure and core features, including updates to the web app description and core functionalities.
- Modified AnnotationsAPI.js to dynamically set the NEXT_APP_URL based on the environment, improving deployment flexibility.
- Enhanced ESLint configuration to include a warning for only-export-components rule, promoting better coding practices.
- Updated Vite configuration files to ensure proper handling of environment variables and asset copying during builds.
- Improved local development setup by adjusting package.json scripts for better build processes and manifest handling.
- Refactored content and background scripts to streamline asset management and improve overall extension performance.
- Enhanced various components in the inline extension for better UI consistency and functionality, including updates to the FormattedAiText and content scripts.
…oved performance
- Downgraded TypeScript dependency from 6.0.2 to 5.9.3 in package.json and package-lock.json for compatibility.
- Updated background.js and content.js files to streamline functionality and improve performance.
- Modified index.html to reference the latest built JavaScript file for better asset management.
- Refined manifest.json to restrict host permissions to the production URL, enhancing security.
- Removed outdated JavaScript file to clean up the distribution directory and reduce clutter.
- Enhanced document page components to improve UI consistency and functionality, including the addition of new components for better user interaction.
…and UI consistency
- Introduced the FormattedAiText component to render AI output with enhanced formatting options, including support for bold, italic, underline, and lists.
- Updated CropOverlay, SmartOverlay, and various document components to utilize FormattedAiText for better presentation of AI-generated content.
- Refactored the AssistantMessageContent and InsightsSummary components to leverage new formatting capabilities, improving readability and user experience.
- Enhanced the Search component to strip markdown from text snippets, ensuring cleaner display in search results.
- Improved styling and structure in multiple components for a more cohesive UI across the extension.
…testing and addition
…d changed. PR will be set up to merge with main soon.
Unsigned users save annotations to chrome.storage.local per browser profile; signed-in users sync to Supabase with a local cache fallback. Manual rewrites use merge-based sync so background reloads no longer wipe in-flight edits.
Co-authored-by: Cursor <cursoragent@cursor.com>
ryanlyn29 requested changes on Jun 28, 2026
ryanlyn29 (Collaborator) left a comment
Verification summary
Tested against features @ 994d592.
Passed
- Builds: web lint + build, inlineExtension lint + build, backend build all succeed.
- Web (local + Vercel preview): Marketing/login routes load (200). Workspace routes correctly require auth.
- Extension: build:dev succeeds; manualRewrites.ts is wired through ContentShell → restoreManualRewrites(). Unsigned path correctly uses chrome.storage.local (inlineLocalAnnotations:*, AES-GCM encrypted) when no JWT/workspace is present.
- Manual rewrite logic: Double-click restore, pendingSaveIds race guard, and local/remote merge look correct in code.
Partial / not fully verified in automation
- Authenticated dashboard, study plans, knowledge cards, analytics chat, and document chat need a signed-in browser pass.
- Chrome extension unsigned/signed manual rewrite flows should be confirmed manually (select → replace → refresh → double-click restore → refresh).
Blocker — signed-in Supabase isolation
Confirmed in backend/src/apiBranch/AnnotationsAPI.ts: fetch and upsert use page_url only (onConflict: "page_url"), not (user_id, page_url).
Repro: two saves to the same page_url overwrite the prior elements.manualRewrites blob. Two signed-in users on the same URL can read/overwrite the same row. Mirrored notes are scoped by user_id, so History may look fine while the shared blob is wrong.
Request: Fix before merge to production:
- Migration — unique index on (user_id, page_url) for annotations
- RLS scoped per authenticated user
- Update fetch + upsert to filter/conflict on (user_id, page_url)
Recommendation
- Guest/local-only usage: OK to merge for testing.
- Production with signed-in sync: Do not merge until the annotations isolation fix lands.
Happy to re-review once the migration + API changes are in.
Summary
- manualRewrites.ts module, hover popover, double-click to restore original text, and DOM replay on page reload.
- chrome.storage.local on that browser install/profile only. Nothing is written to Supabase. Data stays on the device and is not shared with other users.
- POST /api/annotations, with a local browser copy as cache/fallback if the backend is unreachable.
- manualRewrites feature key support in AnnotationsAPI (notes mirror, tags, shape for History).
Known follow-up (signed-in Supabase isolation)
The annotations table is currently upserted on page_url only (onConflict: page_url), not per user_id. Two signed-in users on the same URL could theoretically read/overwrite the same row. Unsigned users are not affected — they never hit Supabase. The mirrored notes rows are already scoped by user_id. A follow-up migration should add a unique index on (user_id, page_url) plus RLS and update the API to filter by authenticated user.
Test plan
- inlineExtension/dist, reload a test page
- chrome.storage.local for inlineLocalAnnotations:*
- annotations.elements.manualRewrites and History
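The isolation issue raised in the review and repeated under "Known follow-up", shown as an added example that is not the project's code: a constructed in-memory stand-in for the annotations table, run once with the conflict key page_url and once with (user_id, page_url). The class, the helper names, the two users and the URL are assumptions made for illustration.

```typescript
// Constructed in-memory model of the `annotations` table (not project code).
type Row = {
  user_id: string;
  page_url: string;
  elements: { manualRewrites: string[] };
};
type ConflictKey = Array<"user_id" | "page_url">;

class AnnotationsTable {
  rows: Row[] = [];

  // Mimics INSERT ... ON CONFLICT (<key>) DO UPDATE: a stored row that matches
  // the new row on every key column is replaced, otherwise the row is inserted.
  upsert(row: Row, onConflict: ConflictKey): void {
    const i = this.rows.findIndex((r) => onConflict.every((c) => r[c] === row[c]));
    if (i >= 0) this.rows[i] = row;
    else this.rows.push(row);
  }

  // Fetch that filters on the same columns used as the conflict key.
  fetch(match: { user_id: string; page_url: string }, key: ConflictKey): Row | undefined {
    return this.rows.find((r) => key.every((c) => r[c] === match[c]));
  }
}

// Two signed-in users (hypothetical ids) save rewrites for the same page,
// then the first user reloads. Returns what that user gets back.
function twoUsersSamePage(key: ConflictKey) {
  const table = new AnnotationsTable();
  const url = "https://example.test/article"; // constructed sample URL
  table.upsert({ user_id: "alice", page_url: url, elements: { manualRewrites: ["alice edit"] } }, key);
  table.upsert({ user_id: "bob", page_url: url, elements: { manualRewrites: ["bob edit"] } }, key);
  const seen = table.fetch({ user_id: "alice", page_url: url }, key);
  return {
    rowCount: table.rows.length,
    rowOwner: seen?.user_id,
    aliceSees: seen?.elements.manualRewrites ?? [],
  };
}

const shared = twoUsersSamePage(["page_url"]); // key described in the review
const isolated = twoUsersSamePage(["user_id", "page_url"]); // key the review requests
console.log({ shared, isolated });
```

RLS is not modelled here; in the requested fix it is the database-side check that applies even if an API path omits the user_id filter.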