Greptile Summary

This PR introduces an in-app Notifications experience: a slide-in

Confidence Score: 4/5

Safe to merge after the authorization membership check is added to the notifications route; remaining findings are low-risk polish items. The core feature is well-structured: parameterized queries, Zod validation, correct composite PK in the migration, SWR deduplication, and proper functional updaters in the Zustand store. The open concern is the authorization gap in the API route (flagged in a prior thread and still unaddressed), which lets any authenticated user read another project's notifications. The other findings — missing toast, double serialization, env-var hot path — are P2 style items that don't block functionality.
| Filename | Overview |
|---|---|
| app-server/src/notifications/mod.rs | Adds MQ payload-size guardrail in the fan-out loop; logic is correct but double-serializes each delivery and re-evaluates mq_max_payload() per target. |
| frontend/app/api/workspaces/[workspaceId]/notifications/route.ts | New GET/POST route for notifications; isProjectInWorkspace check only validates project membership in the workspace, not that the calling user is a member — flagged in prior review thread. |
| frontend/components/notifications/notification-panel.tsx | New slide-in panel with SWR-backed notification list and optimistic mark-as-read; missing error toast on failed POST violates project CLAUDE.md convention. |
| frontend/components/notifications/notification-store.ts | Minimal Zustand store with toggle/close; uses functional updater for toggle making it safe for concurrent calls. |
| frontend/components/notifications/notification-trigger.tsx | Bell icon trigger with unread indicator; SWR key matches NotificationPanel so requests are deduplicated. |
| frontend/lib/actions/notifications/index.ts | Server actions for fetching ClickHouse notifications and writing read-state to Postgres; uses parameterized queries and Zod validation throughout. |
| frontend/lib/db/migrations/0080_third_cammi.sql | Creates notification_reads table with composite PK (project_id, user_id, notification_id) and cascade-delete FKs to projects and users. |
| frontend/lib/authorization/index.ts | Adds isUserMemberOfProject, isUserMemberOfWorkspace, and getWorkspaceRole helpers; the new notification route should be using these for membership checks. |
| frontend/app/project/[projectId]/layout.tsx | Mounts NotificationPanel inside SidebarInset which has relative and overflow-hidden, providing correct clip behavior for the slide-in animation. |
| frontend/components/project/sidebar/header.tsx | Wires NotificationTrigger into the sidebar header, correctly hidden when sidebar is collapsed. |

Reviews (4): Last reviewed commit: "fix: handle serialization failure explic..."
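
The difference the summary above draws between "the project belongs to the workspace" and "the caller belongs to the workspace", as an added example that is not code from this PR. The in-memory data is constructed, the helper signatures are assumptions (the page names the helpers but does not show them), and it assumes no middleware enforces membership upstream of the handler.

```typescript
type Id = string;
interface Req { userId: Id | null; workspaceId: Id; projectId: Id }
interface Res { status: number; body: string[] }

// Constructed sample data: two tenants that share nothing.
const projectWorkspace = new Map<Id, Id>([["proj-a", "ws-1"], ["proj-b", "ws-2"]]);
const workspaceMembers = new Map<Id, Set<Id>>([
  ["ws-1", new Set(["alice"])],
  ["ws-2", new Set(["bob"])],
]);
const notificationsByProject = new Map<Id, string[]>([
  ["proj-a", ["weekly report for proj-a"]],
  ["proj-b", ["weekly report for proj-b"]],
]);

// Hypothetical signatures: the PR names these helpers, the page does not show them.
function isProjectInWorkspace(projectId: Id, workspaceId: Id): boolean {
  return projectWorkspace.get(projectId) === workspaceId;
}
function isUserMemberOfWorkspace(userId: Id, workspaceId: Id): boolean {
  return workspaceMembers.get(workspaceId)?.has(userId) ?? false;
}

const deny = (status: number): Res => ({ status, body: [] });
const allow = (projectId: Id): Res =>
  ({ status: 200, body: notificationsByProject.get(projectId) ?? [] });

// Resource-only guard: proves the URL is self-consistent, says nothing about the caller.
function getNotificationsResourceOnly(req: Req): Res {
  if (req.userId === null) return deny(401);
  if (!isProjectInWorkspace(req.projectId, req.workspaceId)) return deny(404);
  return allow(req.projectId);
}

// Caller and resource guard: the session user must belong to the workspace as well.
// Both failures return 404 so the response does not confirm which IDs exist.
function getNotificationsWithMembership(req: Req): Res {
  if (req.userId === null) return deny(401);
  if (!isUserMemberOfWorkspace(req.userId, req.workspaceId)) return deny(404);
  if (!isProjectInWorkspace(req.projectId, req.workspaceId)) return deny(404);
  return allow(req.projectId);
}
```

A regression test for a route like this should include the cross-tenant case: a valid session for one workspace requesting a consistent workspace/project pair from another.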

@laminar-coding-agent validate and address open pr comments

@laminar-coding-agent /autoreply start
…rthy events Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Here's a summary of the 4 PR review comments and their dispositions:

1. Missing user membership check (Cursor bot + Greptile — both P0/High) — False positive.
2. Array index used as React list key (Greptile — P2) — Valid. Fixed by replacing
3. Zustand store race condition documentation (Greptile — P2) — False positive / unnecessary. The store already uses the functional updater pattern (
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 9bc957a.
Instead of silently falling through with size 0 when serialization fails, log the actual serialization error and skip the delivery. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Note
Medium Risk
Adds new authenticated API routes and a Postgres table to track per-user read state, plus client UI that fetches/updates this state; also introduces MQ payload-size enforcement that can now drop oversized delivery fan-outs. Risk is moderate due to new persistence and request paths affecting notification visibility and delivery reliability.
Overview
Adds in-app notifications. The project layout now includes a slide-out NotificationPanel and a sidebar bell trigger (Zustand state + SWR fetching) that renders recent report notifications and marks them read.

Introduces notification APIs + read tracking. New /api/workspaces/[workspaceId]/notifications GET/POST endpoints fetch recent ClickHouse notifications for a project and persist per-user read state in a new Postgres notification_reads table (Drizzle schema + migration), with an added isProjectInWorkspace guard.

Hardens backend fan-out. The Rust notifications handler now serializes each delivery message to pre-check size against mq_max_payload() and skips publishing/logs an error when the MQ payload limit would be exceeded.

Reviewed by Cursor Bugbot for commit db5653a.