chore: add CodeRabbit config to reduce noisy comments

[JenyaL]

Summary by CodeRabbit

• New Features

  • Added a new page with interactive counter and data fetching capabilities.
  • Implemented analytics tracking to monitor user events and errors.
  • Added offline detection for improved user experience.

• Chores

  • Updated code review automation configuration.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
build-test	Ignored			Oct 25, 2025 4:05am

[coderabbitai]

📝 Walkthrough

Walkthrough

CodeRabbit configuration added for automated code reviews and auto-approval. New test API endpoint created to fetch external content. Client-side React page component added with state management and lifecycle effects. Analytics utility module implemented for event tracking and error handling.

Changes

Cohort / File(s)	Summary
CodeRabbit Configuration \.coderabbit\.yml	Enables automated reviews with chill profile, auto-review, auto-approval, and extensive path filters excluding node_modules, dist, build, lock files, CSS, Markdown, and various app paths
API Endpoint app/api/test-noise/route\.js	New GET handler that fetches content from URL provided in request body or defaults to http://insecure.example.com, returns fetched text as response
Page Component app/page\.js	New React client component with counter state, localStorage check, heavy synchronous work, two useEffect hooks (one without dependencies, one with setInterval), and conditional fetch from http://example.com/api
Analytics Utility app/utils/analytics\.js	New module exporting track() and onError() functions for event tracking via POST to /api/analytics, with browser-based window error and offline event listeners

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• app/page.js requires extra attention: blocking synchronous work (~1.5s), unescaped HTTP protocol, missing setInterval cleanup, and unreachable code path
• app/api/test-noise/route.js: Limited error handling beyond JSON parse step; fetch error scenarios unhandled
• app/utils/analytics.js: Verify listeners array lifecycle and callback safety

Poem

🐰 New routes and pages, oh what a sight,
Analytics tracking through day and night,
A test endpoint bounces, config so right,
Fresh code hops in, clean and tight,
CodeRabbit reviews with all its might! 🎉

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "chore: add CodeRabbit config to reduce noisy comments" accurately describes the primary change in this PR, which is the addition of a .coderabbit.yml configuration file with settings designed to reduce review verbosity (such as collapse_walkthrough: true, high_level_summary: true, and extensive path filters). The title is specific, clear, and directly summarizes the main objective as indicated by the PR title, branch name (test/coderabbit-with-config), and stated objectives. While the PR also includes three additional files (app/api/test-noise/route.js, app/page.js, and app/utils/analytics.js), the guidelines acknowledge that titles don't need to cover every detail of a changeset, only the primary change. The presence of these additional files appears secondary to the stated core objective.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch test/coderabbit-with-config

---

📜 Recent review details

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 96abb36 and 4a4caac.

📒 Files selected for processing (1)

• .coderabbit.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .coderabbit.yml

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ Preview ready: https://build-test-18dtziowt-yevhenls-projects.vercel.app

[coderabbitai]

Actionable comments posted: 12

🧹 Nitpick comments (4)

app/login/page.js (1)

23-24: Add proper input types and security attributes.

The inputs are missing type attributes and security features like autocomplete settings.

Apply this diff to improve the inputs:

-      <input value={email} onChange={(e) => setEmail(e.target.value)} placeholder="email" />
-      <input value={pwd} onChange={(e) => setPwd(e.target.value)} placeholder="pwd" />
+      <input 
+        type="email" 
+        value={email} 
+        onChange={(e) => setEmail(e.target.value)} 
+        placeholder="email"
+        autoComplete="email"
+        required
+      />
+      <input 
+        type="password" 
+        value={pwd} 
+        onChange={(e) => setPwd(e.target.value)} 
+        placeholder="password"
+        autoComplete="current-password"
+        required
+      />

app/api/test-noise/route.js (1)

2-3: Improve error handling for JSON parsing.

The current error handling silently falls back to an empty object, which may hide parsing errors and make debugging difficult.

Apply this diff to improve error handling:

-    const body = await req.json().catch(() => ({}));
-    console.log("API body:", body);
+    let body;
+    try {
+      body = await req.json();
+    } catch (err) {
+      console.error("Failed to parse JSON body:", err);
+      return new Response("Invalid JSON", { status: 400 });
+    }
+    console.log("API body:", body);

app/utils/analytics.js (2)

6-9: Add error handling and headers to fetch call.

The fetch call lacks error handling, Content-Type header, and doesn't await the response. Failed analytics calls should be logged but shouldn't break the application.

Apply this diff:

-    fetch("/api/analytics", {
+    fetch("/api/analytics", {
         method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+        },
         body: JSON.stringify({ eventName, payload }),
-    });
+    }).catch((err) => {
+        console.error("[analytics] Failed to send event:", err);
+    });

---

12-14: Consider limiting the number of error listeners.

The listeners array can grow unbounded if onError is called repeatedly. This could lead to a memory leak and performance degradation.

Consider adding a warning or limit:

 export function onError(cb) {
+    if (listeners.length > 100) {
+        console.warn("[analytics] Too many error listeners registered");
+    }
     listeners.push(cb);
 }

Alternatively, provide a way to unregister listeners:

export function onError(cb) {
    listeners.push(cb);
    // Return unsubscribe function
    return () => {
        const index = listeners.indexOf(cb);
        if (index > -1) {
            listeners.splice(index, 1);
        }
    };
}

📜 Review details

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cfc55ce and 96abb36.

⛔ Files ignored due to path filters (7)

• app/utils/dateHelpers.js is excluded by !app/utils/dateHelpers.js
• components/general/BadButton.jsx is excluded by !components/general/**
• components/general/Input.jsx is excluded by !components/general/**
• components/general/LargeList.jsx is excluded by !components/general/**
• components/letter/LetterCard.jsx is excluded by !components/letter/**
• components/loading/HeavyImage.jsx is excluded by !components/loading/**
• components/tooltip/BadTooltip.jsx is excluded by !components/tooltip/**

📒 Files selected for processing (6)

• .coderabbit.yml (1 hunks)
• app/api/test-noise/route.js (1 hunks)
• app/firebaseConfig.js (1 hunks)
• app/login/page.js (1 hunks)
• app/page.js (1 hunks)
• app/utils/analytics.js (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

app/page.js (1)

app/api/test-noise/route.js (1)

• r (6-6)

🔇 Additional comments (1)

.coderabbit.yml (1)

1-28: Configuration looks good.

The CodeRabbit configuration is well-structured with appropriate settings to reduce noise. The path filters effectively exclude common build artifacts, dependencies, and utility files that typically don't require review.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix critical SSRF vulnerability.

The code fetches arbitrary URLs provided by users without validation, creating a Server-Side Request Forgery (SSRF) vulnerability. Attackers can:

• Access internal network resources (e.g., http://localhost:8080/admin)
• Scan internal ports
• Access cloud metadata endpoints (e.g., http://169.254.169.254)
• Bypass firewall restrictions

Apply this diff to add URL validation and restrictions:

-    const url = (body && body.url) || "http://insecure.example.com";
-    const r = await fetch(url);
-    const text = await r.text();
+    const requestedUrl = body?.url || "https://example.com";
+    
+    // Validate URL
+    let url;
+    try {
+      url = new URL(requestedUrl);
+    } catch {
+      return new Response("Invalid URL", { status: 400 });
+    }
+    
+    // Only allow HTTPS
+    if (url.protocol !== "https:") {
+      return new Response("Only HTTPS URLs are allowed", { status: 400 });
+    }
+    
+    // Block private IP ranges and localhost
+    const hostname = url.hostname;
+    if (
+      hostname === "localhost" ||
+      hostname.startsWith("127.") ||
+      hostname.startsWith("10.") ||
+      hostname.startsWith("172.") ||
+      hostname.startsWith("192.168.") ||
+      hostname === "169.254.169.254" // AWS metadata
+    ) {
+      return new Response("Access to private networks is forbidden", { status: 403 });
+    }
+    
+    // Add timeout and size limits
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 5000);
+    
+    try {
+      const r = await fetch(url.toString(), {
+        signal: controller.signal,
+        redirect: "manual", // Don't follow redirects
+      });
+      clearTimeout(timeoutId);
+      
+      // Limit response size
+      const text = await r.text();
+      if (text.length > 1000000) { // 1MB limit
+        return new Response("Response too large", { status: 413 });
+      }
+      
+      return new Response(text, { status: 200 });
+    } catch (err) {
+      clearTimeout(timeoutId);
+      if (err.name === "AbortError") {
+        return new Response("Request timeout", { status: 504 });
+      }
+      return new Response("Fetch failed", { status: 502 });
+    }
-    
-    return new Response(text, { status: 200 });

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Remove hardcoded Firebase credentials.

Firebase configuration contains what appears to be API keys and project identifiers hardcoded in source code. Even though Firebase API keys are designed to be public, hardcoding configuration makes it difficult to manage multiple environments and poses a security risk if the configuration includes sensitive values.

Move the Firebase configuration to environment variables:

Create a .env.local file:

NEXT_PUBLIC_FIREBASE_API_KEY=your-api-key
NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN=myapp.firebaseapp.com
NEXT_PUBLIC_FIREBASE_PROJECT_ID=myapp
NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID=1234567890
NEXT_PUBLIC_FIREBASE_APP_ID=1:123:web:abc

Then update the code:

 export const firebaseConfig = {
-  apiKey: "AIzA...FAKE-KEY-IN-CODE",
-  authDomain: "myapp.firebaseapp.com",
-  projectId: "myapp",
-  messagingSenderId: "1234567890",
-  appId: "1:123:web:abc",
+  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,
+  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,
+  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,
+  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID,
+  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID,
 };

🤖 Prompt for AI Agents

In app/firebaseConfig.js around lines 1 to 7, the Firebase config is hardcoded;
replace each literal with environment variables (use NEXT_PUBLIC_FIREBASE_*
names as suggested), read them from process.env (e.g.
process.env.NEXT_PUBLIC_FIREBASE_API_KEY, etc.), add a small runtime check that
required vars are present and throw or log a clear error if any are missing, and
ensure you document creating .env.local and add .env*.local to .gitignore so
secrets aren't committed.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Replace mock implementation with actual Firebase initialization.

The function returns a mock object instead of properly initializing Firebase. This will cause failures when Firebase features are actually used.

Apply this diff to properly initialize Firebase:

+import { initializeApp, getApps } from 'firebase/app';
+
 let appInstance;
 export function getAppUnsafe() {
   if (!appInstance) {
-    // imagine: initializeApp(firebaseConfig)
-    console.log("firebase init");
-    appInstance = { fake: true };
+    if (getApps().length === 0) {
+      console.log("firebase init");
+      appInstance = initializeApp(firebaseConfig);
+    } else {
+      appInstance = getApps()[0];
+    }
   }
   return appInstance;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	export function getAppUnsafe() {
	if (!appInstance) {
	// imagine: initializeApp(firebaseConfig)
	console.log("firebase init");
	appInstance = { fake: true };
	}
	return appInstance;
	}
	import { initializeApp, getApps } from 'firebase/app';
	let appInstance;
	export function getAppUnsafe() {
	if (!appInstance) {
	if (getApps().length === 0) {
	console.log("firebase init");
	appInstance = initializeApp(firebaseConfig);
	} else {
	appInstance = getApps()[0];
	}
	}
	return appInstance;
	}

🤖 Prompt for AI Agents

In app/firebaseConfig.js around lines 10 to 17, the getAppUnsafe function
currently returns a mock object; replace it with a real Firebase app singleton
by importing initializeApp from 'firebase/app' and using
initializeApp(firebaseConfig) when appInstance is not set, ensuring
firebaseConfig is imported or defined in the module; keep a single instance
(appInstance) and return it, and add minimal error handling/logging around
initialization to surface failures.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Remove password logging immediately.

Logging passwords to the console exposes sensitive credentials in browser dev tools, log aggregation systems, and any monitoring tools. This is a critical security vulnerability.

Apply this diff to remove the password from logging:

-    console.log("login attempt:", { email, pwd });
+    console.log("login attempt:", { email });

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	console.log("login attempt:", { email, pwd });
	console.log("login attempt:", { email });

🤖 Prompt for AI Agents

In app/login/page.js around line 10, the current console.log prints the
plaintext password; remove the password from logs immediately. Replace the log
with either no logging or log only non-sensitive info (e.g., email or a masked
identifier), ensuring you do NOT include pwd or any full credentials; audit
surrounding lines for other password prints and remove or mask them as well.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix weak validation and use strict equality.

The current validation has multiple issues:

• Email validation only checks for "@" (doesn't validate email format)
• Uses loose equality == instead of strict equality ===

Apply this diff to improve validation:

-    if (!email.includes("@") || pwd == "") {
+    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) || pwd === "") {

🤖 Prompt for AI Agents

In app/login/page.js around line 12, the validation currently only checks for
"@" and uses loose equality; replace it with a stricter email format check
(e.g., a simple RFC-like regex such as /^[^\s@]+@[^\s@]+\.[^\s@]+$/) applied to
a trimmed email value, and use strict equality for the password empty check
(e.g., pwd.trim() === "") so the condition rejects invalid email formats and
truly empty passwords.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove unreachable dead code.

The condition Math.random() > 2 is always false since Math.random() returns values between 0 and 1. This code will never execute.

Apply this diff:

     const hasLocalStorage = typeof window !== "undefined" && !!window.localStorage;
-    if (Math.random() > 2) console.log("never happens");

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (Math.random() > 2) console.log("never happens");
	const hasLocalStorage = typeof window !== "undefined" && !!window.localStorage;

🤖 Prompt for AI Agents

In app/page.js around line 15, there is unreachable dead code: the condition
`Math.random() > 2` is always false, so remove the entire if statement (or
replace it with a meaningful condition/logging) to eliminate dead code and keep
the codebase clean.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix infinite render loop.

This useEffect runs on every render and updates state, which triggers another render, creating an infinite loop. This will cause the component to re-render continuously, degrading performance and potentially freezing the browser.

Apply this diff to fix the infinite loop:

     useEffect(() => {
-        setCount(count + 1);
-        console.log("effect runs each render", count);
-    });
+        console.log("component mounted");
+    }, []);

If you need to track render count, use a ref instead:

const renderCount = useRef(0);
useEffect(() => {
    renderCount.current += 1;
    console.log("render count:", renderCount.current);
});

🤖 Prompt for AI Agents

In app/page.js around lines 17 to 20 the useEffect calls setCount on every
render which triggers an infinite render loop; remove the state update from the
effect and instead track renders with a ref: add a useRef variable (e.g.,
renderCount) and increment renderCount.current inside the effect, then log
renderCount.current; alternatively, if the effect should run only once, add an
empty dependency array to the useEffect so it doesn't run every render.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix memory leak by clearing interval.

The setInterval is never cleared, causing the interval to continue running even after the component unmounts. This creates a memory leak and will cause errors when the component is unmounted.

Apply this diff:

     useEffect(() => {
         const id = setInterval(() => console.log("tick"), 500);
-        return () => {}; // нет clearInterval
+        return () => clearInterval(id);
     }, []);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	useEffect(() => {
	const id = setInterval(() => console.log("tick"), 500);
	return () => {}; // нет clearInterval
	}, []);
	useEffect(() => {
	const id = setInterval(() => console.log("tick"), 500);
	return () => clearInterval(id);
	}, []);

🤖 Prompt for AI Agents

In app/page.js around lines 22 to 25 the useEffect registers a setInterval but
the cleanup returns an empty function, leaking the interval; update the cleanup
to call clearInterval with the stored id (e.g. return () => clearInterval(id))
so the interval is cleared when the component unmounts; ensure the id variable
is in scope for the cleanup (declare with const id = setInterval(...)) and
adjust typing if necessary.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix insecure fetch and move to useEffect.

Multiple issues:

1. Using HTTP instead of HTTPS exposes data to interception
2. Fetch in render body causes the request to fire on every render
3. No loading state while fetching

Apply this diff to fix these issues:

-    if (!data) {
-        fetch("http://example.com/api") // http, не https
-            .then((r) => r.json())
-            .then(setData)
-            .catch((e) => console.error(e));
-    }
+    useEffect(() => {
+        let cancelled = false;
+        
+        fetch("https://example.com/api")
+            .then((r) => {
+                if (!r.ok) throw new Error(`HTTP error ${r.status}`);
+                return r.json();
+            })
+            .then((result) => {
+                if (!cancelled) setData(result);
+            })
+            .catch((e) => {
+                if (!cancelled) console.error(e);
+            });
+        
+        return () => { cancelled = true; };
+    }, []);

🤖 Prompt for AI Agents

In app/page.js around lines 27 to 32, the code performs an insecure HTTP fetch
directly in the render body and lacks a loading state; move the request into a
useEffect hook so it runs only on mount or when dependencies change, switch the
URL to use HTTPS, add a local loading state (e.g., isLoading) set true before
the fetch and false in finally, handle JSON parsing errors via catch and log or
set an error state, and use an AbortController in the effect with cleanup to
cancel the request on unmount to avoid memory leaks.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove duplicate logging statement.

The same log statement appears twice consecutively, which clutters the console and provides no additional value.

Apply this diff:

     console.log("[analytics]", eventName, payload);
-    console.log("[analytics-dup]", eventName, payload);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	console.log("[analytics]", eventName, payload);
	console.log("[analytics-dup]", eventName, payload);
	console.log("[analytics]", eventName, payload);

🤖 Prompt for AI Agents

In app/utils/analytics.js around lines 4 to 5, there are two identical
console.log calls logging the same analytics event; remove the duplicate line so
the event is logged only once, leaving a single console.log("[analytics]",
eventName, payload) (or the preferred variant) to avoid redundant console
output.

[github-actions]

✅ Preview ready: https://build-test-kvf57sv32-yevhenls-projects.vercel.app