fix: TypeScript strict mode, security hardening, and bug fixes (#545)

* fix: project health cleanup — strict TypeScript, lint fixes, and dead code removal

- Enable strict: true in tsconfig.json and ignoreBuildErrors: false in next.config.mjs
- Fix all implicit-any errors; install @types/validator and @types/js-yaml
- Add type declarations for @glidejs/glide; fix nullable searchParams in CategoryFilter
- Remove stale tsconfig includes (pages/, utils/)
- Merge duplicate style.css into app/global.css; remove dead font-mono on h1
- Add rate limiting and strict email validation to subscribe/unsubscribe routes
- Extract shared Supabase client (cached singleton) to lib/supabase.ts
- Extract shared rate limiter with bounded eviction to lib/rate-limit.ts
- getClientIp: multi-header detection with 'unknown' fallback (never skips limiting)
- Replace import cn from 'clsx' with import { cn } from '@/lib/utils' in 3 components
- Fix all ESLint errors in e2e tests; add ESLint config section for e2e/ files
- Fix hardcoded paths in e2e tests to relative paths; fix /tmp/ → test-results/
- Fix behavior: 'instant' to 'auto' in scroll calls (invalid ScrollBehavior type)
- Fix boundingBox null checks and clamp negative clip coordinates
- Mark debug-only e2e tests as test.skip; add assertions to dark mode tests
- Move ad-hoc check-redirect.js to scripts/check-redirect.cjs
- Fix lint-staged: remove broken ESLINT_USE_FLAT_CONFIG=false
- Rename scripts/clean-cache.ts to .cjs (uses require(), not ESM)
- Remove dead Companies import from components/home/index.tsx
- Update generate_embeddings workflow to actions v4, Node 20, pnpm/action-setup@v4
- Move hardcoded Supabase URL to ${{ secrets.SUPABASE_URL }}
- Delete bun.lockb, 8 orphaned root PNGs; clean up .gitignore
- Disable X-Powered-By header (poweredByHeader: false)

* fix: open in GitHub button links to correct repo and source file

The dropdown 'Open in GitHub' button was hardcoded to danny-avila/LibreChat
(the app repo, repo root). Now points to LibreChat-AI/librechat.ai and links
directly to the source MDX file for the current page.

* fix(security): validate feedback server action and sanitize Scarf pixel

- Feedback action: validate opinion ('good'|'bad' only), enforce relative URL
  (no open redirects), cap message at 2000 chars
- Use shared createRateLimiter from lib/rate-limit.ts (3/URL/60s)
- Scarf pixel: sanitize NEXT_PUBLIC_SCARF_PIXEL_ID with /^[\w-]+$/ before
  interpolating into dangerouslySetInnerHTML to prevent XSS

Author: berry-13

.github/workflows/generate_embeddings.yml

@@ -9,23 +9,22 @@ jobs:
   generate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version: '20'
 
-      - name: Install pnpm
-        run: npm install -g pnpm
-
-      - name: Install dependencies
-        run: pnpm install
+      - uses: pnpm/action-setup@v4
+        name: Install pnpm
+        with:
+          run_install: true
 
       - name: supabase-embeddings-generator
         uses: supabase/embeddings-generator@v0.0.5
         with:
-          supabase-url: 'https://gnoyckdqaktttbfurtcv.supabase.co'
+          supabase-url: ${{ secrets.SUPABASE_URL }}
           supabase-service-role-key: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }}
           openai-key: ${{ secrets.OPENAI_API_KEY }}
-          docs-root-path: './content/docs'
+          docs-root-path: './content/docs'

.gitignore

@@ -6,7 +6,6 @@ next-env.d.ts
 .env.local
 .env
 .env*.local
-.git
 
 # next sitemap
 public/robots.txt
@@ -15,7 +14,7 @@ public/sitemap*.xml
 # we use pnpm
 package-lock.json
 yarn.lock
-
+bun.lockb
 
 # Mac
 .DS_Store
@@ -24,7 +23,6 @@ yarn.lock
 .eslintcache
 
 # Testing & debugging artifacts
-playwright.config.ts
 test-results/
 playwright-report/
 tests/
@@ -40,15 +38,20 @@ sidebar-final-audit/
 /.codeium
 *.local.md
 
+# Background shell state
+.bg-shell/
+
+# Planning artifacts
+.planning/
+e2e/.planning/
+
 # Claude Flow generated files
 .claude/settings.local.json
 .mcp.json
 claude-flow.config.json
 .swarm/
 .hive-mind/
 .claude-flow/
-memory/
-coordination/
 memory/claude-flow-data.json
 memory/sessions/*
 !memory/sessions/README.md
@@ -64,6 +67,4 @@ coordination/orchestration/*
 *.sqlite-journal
 *.sqlite-wal
 claude-flow
-# Removed Windows wrapper files per user request
 hive-mind-prompt-*.txt
-e2e/.planning/

app/actions/feedback.ts

@@ -7,6 +7,39 @@ interface FeedbackPayload {
 }
 
 const GITHUB_GRAPHQL = 'https://api.github.com/graphql'
+const MAX_MESSAGE_LENGTH = 2000
+const VALID_OPINIONS = new Set(['good', 'bad'])
+
+import { createRateLimiter } from '@/lib/rate-limit'
+
+const isRateLimited = createRateLimiter(3, 60_000)
+
+/**
+ * Validate and sanitize the feedback payload.
+ * Returns null if invalid, or the sanitized payload.
+ */
+function validatePayload(
+  raw: unknown,
+): { opinion: 'good' | 'bad'; message: string; url: string } | null {
+  if (!raw || typeof raw !== 'object') return null
+
+  const { opinion, message, url } = raw as Record<string, unknown>
+
+  // Opinion must be exactly 'good' or 'bad'
+  if (typeof opinion !== 'string' || !VALID_OPINIONS.has(opinion)) return null
+
+  // URL must be a relative docs path (no external URLs / open redirect)
+  if (typeof url !== 'string' || !url.startsWith('/') || url.includes('//')) return null
+
+  // Message is optional but must be a string with bounded length
+  const safeMessage = typeof message === 'string' ? message.slice(0, MAX_MESSAGE_LENGTH).trim() : ''
+
+  return {
+    opinion: opinion as 'good' | 'bad',
+    message: safeMessage,
+    url: url.slice(0, 500),
+  }
+}
 
 async function createGitHubDiscussion(payload: FeedbackPayload): Promise<void> {
   const token = process.env.GITHUB_FEEDBACK_TOKEN
@@ -86,8 +119,19 @@ async function postToDiscord(payload: FeedbackPayload): Promise<void> {
   }
 }
 
-export async function submitFeedback(payload: FeedbackPayload): Promise<{ success: boolean }> {
+export async function submitFeedback(raw: FeedbackPayload): Promise<{ success: boolean }> {
   try {
+    // Validate before rate limiting to avoid polluting the rate limit map with junk keys
+    const payload = validatePayload(raw)
+    if (!payload) {
+      return { success: false }
+    }
+
+    // Rate limit by validated URL to prevent spamming the same page
+    if (isRateLimited(payload.url)) {
+      return { success: false }
+    }
+
     await Promise.allSettled([createGitHubDiscussion(payload), postToDiscord(payload)])
     return { success: true }
   } catch (err) {

app/api/subscribe/route.ts

@@ -1,25 +1,22 @@
 import { NextResponse } from 'next/server'
-import { createClient } from '@supabase/supabase-js'
+import { getSupabaseClient, isValidEmail, normalizeEmail } from '@/lib/supabase'
+import { createRateLimiter, getClientIp } from '@/lib/rate-limit'
 
-function isValidEmail(email: string): boolean {
-  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)
-}
-
-function getSupabaseClient() {
-  const url = process.env.SUPABASE_URL
-  const key = process.env.SUPABASE_SERVICE_ROLE_KEY
-
-  if (!url || !key) {
-    return null
-  }
-
-  return createClient(url, key)
-}
+const isRateLimited = createRateLimiter(5, 60_000)
 
 export async function POST(request: Request) {
   try {
-    const body = await request.json()
-    const { email } = body
+    const ip = getClientIp(request)
+    if (isRateLimited(ip)) {
+      return NextResponse.json({ message: 'Too many requests' }, { status: 429 })
+    }
+
+    const body: unknown = await request.json()
+    if (!body || typeof body !== 'object' || !('email' in body)) {
+      return NextResponse.json({ message: 'Valid email is required' }, { status: 422 })
+    }
+
+    const { email } = body as { email: unknown }
 
     if (!email || typeof email !== 'string' || !isValidEmail(email)) {
       return NextResponse.json({ message: 'Valid email is required' }, { status: 422 })
@@ -28,20 +25,19 @@ export async function POST(request: Request) {
     const supabase = getSupabaseClient()
 
     if (!supabase) {
-      // Supabase is not configured; return a placeholder success response
       return NextResponse.json(
         { message: 'Subscription service is not configured' },
         { status: 503 },
       )
     }
 
-    const normalizedEmail = email.toLowerCase().trim()
+    const normalized = normalizeEmail(email)
 
     // Check if already subscribed
     const { data: existing } = await supabase
       .from('subscribers')
       .select('id, status')
-      .eq('email', normalizedEmail)
+      .eq('email', normalized)
       .single()
 
     if (existing) {
@@ -50,18 +46,15 @@ export async function POST(request: Request) {
       }
 
       // Re-subscribe if previously unsubscribed
-      await supabase
-        .from('subscribers')
-        .update({ status: 'subscribed' })
-        .eq('email', normalizedEmail)
+      await supabase.from('subscribers').update({ status: 'subscribed' }).eq('email', normalized)
 
       return NextResponse.json({ message: 'Subscription successful' }, { status: 200 })
     }
 
     // Insert new subscriber
     const { error } = await supabase
       .from('subscribers')
-      .insert({ email: normalizedEmail, status: 'subscribed' })
+      .insert({ email: normalized, status: 'subscribed' })
 
     if (error) {
       console.error('Subscription error:', error.message)

app/api/unsubscribe/route.ts

@@ -1,25 +1,22 @@
 import { NextResponse } from 'next/server'
-import { createClient } from '@supabase/supabase-js'
+import { getSupabaseClient, isValidEmail, normalizeEmail } from '@/lib/supabase'
+import { createRateLimiter, getClientIp } from '@/lib/rate-limit'
 
-function isValidEmail(email: string): boolean {
-  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)
-}
-
-function getSupabaseClient() {
-  const url = process.env.SUPABASE_URL
-  const key = process.env.SUPABASE_SERVICE_ROLE_KEY
-
-  if (!url || !key) {
-    return null
-  }
-
-  return createClient(url, key)
-}
+const isRateLimited = createRateLimiter(5, 60_000)
 
 export async function POST(request: Request) {
   try {
-    const body = await request.json()
-    const { email } = body
+    const ip = getClientIp(request)
+    if (isRateLimited(ip)) {
+      return NextResponse.json({ message: 'Too many requests' }, { status: 429 })
+    }
+
+    const body: unknown = await request.json()
+    if (!body || typeof body !== 'object' || !('email' in body)) {
+      return NextResponse.json({ message: 'Invalid email format' }, { status: 400 })
+    }
+
+    const { email } = body as { email: unknown }
 
     if (!email || typeof email !== 'string' || !isValidEmail(email)) {
       return NextResponse.json({ message: 'Invalid email format' }, { status: 400 })
@@ -34,12 +31,12 @@ export async function POST(request: Request) {
       )
     }
 
-    const normalizedEmail = email.toLowerCase().trim()
+    const normalized = normalizeEmail(email)
 
     const { data: subscriber, error: fetchError } = await supabase
       .from('subscribers')
       .select('id, status')
-      .eq('email', normalizedEmail)
+      .eq('email', normalized)
       .single()
 
     if (fetchError || !subscriber) {
@@ -49,7 +46,7 @@ export async function POST(request: Request) {
     const { error: updateError } = await supabase
       .from('subscribers')
       .update({ status: 'unsubscribed' })
-      .eq('email', normalizedEmail)
+      .eq('email', normalized)
 
     if (updateError) {
       console.error('Unsubscription error:', updateError.message)

app/docs/[[...slug]]/page.tsx

@@ -33,7 +33,10 @@ export default async function Page(props: PageProps) {
       <DocsDescription>{page.data.description}</DocsDescription>
       <div className="flex flex-row gap-2 items-center border-b pt-2 pb-6">
         <LLMCopyButton markdownUrl={`${page.url}.mdx`} />
-        <ViewOptions markdownUrl={`${page.url}.mdx`} />
+        <ViewOptions
+          markdownUrl={`${page.url}.mdx`}
+          githubUrl={`https://github.com/LibreChat-AI/librechat.ai/blob/main/content/docs/${page.file.path}`}
+        />
       </div>
       <DocsBody>
         <MDX components={mdxComponents} />

app/global.css

@@ -62,4 +62,23 @@
     @apply bg-background text-foreground;
     font-family: var(--font-geist-sans), system-ui, sans-serif;
   }
+
+  footer {
+    @apply bg-background text-foreground;
+    font-family: var(--font-geist-sans), system-ui, sans-serif;
+  }
+
+  h1 {
+    @apply tracking-tight leading-tight;
+    font-family: var(--font-geist-sans), system-ui, sans-serif;
+  }
+
+  h2 {
+    @apply tracking-tight;
+    font-family: var(--font-geist-sans), system-ui, sans-serif;
+  }
+}
+
+.social-svg {
+  border-radius: 10px !important;
 }

app/layout.tsx

@@ -34,6 +34,11 @@ export const metadata: Metadata = {
 }
 
 export default function RootLayout({ children }: { children: ReactNode }) {
+  // Sanitize Scarf pixel ID: only allow alphanumeric chars, underscores, and hyphens
+  // to prevent XSS via dangerouslySetInnerHTML injection if the env var is compromised.
+  const rawScarfId = process.env.NEXT_PUBLIC_SCARF_PIXEL_ID ?? ''
+  const scarfPixelId = /^[\w-]+$/.test(rawScarfId) ? rawScarfId : ''
+
   return (
     <html
       lang="en"
@@ -44,14 +49,14 @@ export default function RootLayout({ children }: { children: ReactNode }) {
         <Provider>{children}</Provider>
         <Analytics />
         <SpeedInsights />
-        {process.env.NEXT_PUBLIC_SCARF_PIXEL_ID && (
+        {scarfPixelId && (
           <Script
             id="scarf-pixel"
             strategy="afterInteractive"
             dangerouslySetInnerHTML={{
               __html: `
               (function () {
-                var PIXEL_ID = '${process.env.NEXT_PUBLIC_SCARF_PIXEL_ID}';
+                var PIXEL_ID = '${scarfPixelId}';
                 function sendScarfPing() {
                   var img = new Image();
                   img.referrerPolicy = 'no-referrer-when-downgrade';

bun.lockb

@@ -4,7 +4,7 @@
   "rsc": true,
   "tailwind": {
     "config": "tailwind.config.js",
-    "css": "style.css",
+    "css": "app/global.css",
     "baseColor": "slate",
     "cssVariables": true
   },