Conversation
🦋 Changeset detectedLatest commit: 9f8058b The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughAdds GCP KMS integration and runtime envs, replaces default keeper with a named Changes
Sequence DiagramsequenceDiagram
participant Client
participant PersonaHook as Persona Hook
participant RiskSvc as Risk Assessment
participant Allower as Firewall/Allower
participant GCP as GCP KMS
participant Chain as Chain / keeper
Client->>PersonaHook: POST inquiry
PersonaHook->>RiskSvc: perform risk assessment
RiskSvc-->>PersonaHook: pass/fail
alt pass
PersonaHook->>PersonaHook: derive account
PersonaHook->>Allower: getAllower()
Allower->>GCP: init credentials / request KMS-backed account
GCP-->>Allower: LocalAccount / credentials
Allower-->>PersonaHook: allower client ready
PersonaHook->>Allower: allow(account)
Allower-->>PersonaHook: allow result
PersonaHook->>Chain: keeper.poke(account, { ignore: [...] })
Chain-->>PersonaHook: tx hash / result
PersonaHook-->>Client: 200 success
else fail
PersonaHook-->>Client: rejection
end
Estimated code review effort🎯 4 (Complex) | ⏱️ ~50 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 2✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary of ChangesHello @aguxez, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the server's account management and security by integrating Google Cloud KMS for a new Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #839 +/- ##
==========================================
- Coverage 71.59% 71.41% -0.19%
==========================================
Files 227 228 +1
Lines 8217 8304 +87
Branches 2626 2644 +18
==========================================
+ Hits 5883 5930 +47
- Misses 2106 2135 +29
- Partials 228 239 +11
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
aguxez
force-pushed
the
gcp-allower
branch
2 times, most recently
from
c642d46 to
88aa6aa
Compare
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Additional Comments (2)
Downstream in await initializeGcpCredentials(); // returns cached no-op promise
if (!(await hasCredentials())) throw … // file is gone → always throwsThe server cannot recover without a full restart. The Suggested fix: Call export async function getAccount(): Promise<LocalAccount> {
await initializeGcpCredentials();
if (!(await hasCredentials())) {
resetGcpInitialization(); // allow next caller to retry
throw new Error(…);
}
…
}
These GCP env-var checks run at module import time, before any GCP-dependent code is invoked. This breaks the deployment of unrelated features if GCP credentials are not configured, and makes testing hooks that use Suggested fix: Move the GCP env-var validation inside export async function getAccount(): Promise<LocalAccount> {
if (!process.env.GCP_PROJECT_ID) throw new Error("GCP_PROJECT_ID is required");
const projectId = process.env.GCP_PROJECT_ID;
if (!/^[a-z][a-z0-9-]{4,28}[a-z0-9]$/.test(projectId)) {
throw new Error("GCP_PROJECT_ID must be a valid GCP project ID format");
}
// … validate GCP_KMS_KEY_RING and GCP_KMS_KEY_VERSION here too
await initializeGcpCredentials();
…
}This keeps |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Additional Comments (3)
Prefer the explicit exponentiation operator instead:
The triple base64 decode ( Consider adding a comment to the constant (and possibly the app.yaml instructions) documenting the expected encoding:
The |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
aguxez
force-pushed
the
gcp-allower
branch
2 times, most recently
from
a4d043e to
e5dca00
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e5dca00480
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| keeper | ||
| .poke(account, { | ||
| notification: { | ||
| headings: { en: "Account assets updated" }, | ||
| contents: { en: "Your funds are ready to use" }, | ||
| }, | ||
| }) | ||
| .catch((error: unknown) => captureException(error, { level: "error" })); |
There was a problem hiding this comment.
keeper.poke is triggered before createUser and before persisting pandaId, so transient onboarding failures can cause Persona webhook retries to run poke repeatedly for the same inquiry. Because this call may submit on-chain pokes and sends the "Account assets updated" notification, retries can produce duplicate transactions/notifications even though onboarding did not complete; this side effect should run only after successful user creation is persisted.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5f7769a467
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| if (result.status === "rejected") { | ||
| captureException(result.reason, { level: "error" }); | ||
| return []; |
There was a problem hiding this comment.
When a getBalance/balanceOf call fails, this branch captures the exception and returns [], which silently removes that asset from assetsToPoke. In the presence of transient RPC failures, a funded market can be skipped while poke still resolves as success, so callers have no signal to retry and the account can miss activation/yield on that asset until a later unrelated trigger.
Useful? React with 👍 / 👎.
| let json = gcpBase64Json; | ||
| for (let index = 0; index < DECODING_ITERATIONS; index++) { | ||
| json = Buffer.from(json, "base64").toString("utf8"); | ||
| } | ||
| await writeFile(GOOGLE_APPLICATION_CREDENTIALS, json, { mode: 0o600 }); |
There was a problem hiding this comment.
🔴 GCP credentials written to filesystem violates "secrets never in files" rule
AGENTS.md/CLAUDE.md explicitly states: "production secrets are environment variables at runtime only - never in files." The new gcp.ts decodes GCP_BASE64_JSON and writes the GCP service account JSON to /tmp/gcp-service-account.json, which is then used by KeyManagementServiceClient via keyFilename in server/utils/accounts.ts:361-363. The @google-cloud/kms KeyManagementServiceClient supports a credentials option that accepts a parsed JSON object directly in memory, eliminating the need to write secrets to the filesystem. This would avoid both the rule violation and the security risk of persisting credentials on disk.
Prompt for agents
In server/utils/gcp.ts, instead of writing the decoded GCP credentials JSON to a file at /tmp/gcp-service-account.json, export the parsed credentials object directly. Replace the file-write logic (lines 21-33) with a function that returns the parsed JSON object. Then in server/utils/accounts.ts lines 361-363, replace `keyFilename: GOOGLE_APPLICATION_CREDENTIALS` with `credentials: getGcpCredentials()` (passing the parsed JSON object directly to the KeyManagementServiceClient constructor). This avoids writing production secrets to the filesystem, which is explicitly prohibited by the project rules. The @google-cloud/kms KeyManagementServiceClient constructor accepts a `credentials` option that takes { client_email, private_key } directly.
Was this helpful? React with 👍 or 👎 to provide feedback.
| const account = await withRetry( | ||
| () => | ||
| gcpHsmToAccount({ | ||
| hsmKeyVersion: `projects/${projectId}/locations/us-west2/keyRings/${keyRing}/cryptoKeys/allower/cryptoKeyVersions/${version}`, |
There was a problem hiding this comment.
🟡 GCP KMS location us-west2 hardcoded while other KMS path components are parameterized
In the KMS key version path at server/utils/accounts.ts:360, the GCP location is hardcoded as us-west2 while project ID, key ring, and version are all configurable via environment variables (GCP_PROJECT_ID, GCP_KMS_KEY_RING, GCP_KMS_KEY_VERSION). If the KMS key ring is provisioned in a different region (e.g., for a staging environment or disaster recovery), the code will fail to find the key and must be changed instead of just updating an environment variable. This inconsistency makes the configuration fragile.
Prompt for agents
In server/utils/accounts.ts, add a new environment variable (e.g., GCP_KMS_LOCATION) alongside the existing GCP_PROJECT_ID, GCP_KMS_KEY_RING, and GCP_KMS_KEY_VERSION checks at the top of the file (~line 53-63). Then use it in the hsmKeyVersion template string at line 360 to replace the hardcoded 'us-west2'. Also add the new env var to .do/app.yaml, server/vitest.config.mts, and server/script/openapi.ts for consistency with the other GCP config values.
Was this helpful? React with 👍 or 👎 to provide feedback.
| import "../mocks/accounts"; | ||
| import "../mocks/auth"; | ||
| import "../mocks/deployments"; | ||
| import "../mocks/keeper"; | ||
| import "../mocks/onesignal"; | ||
| import "../mocks/pax"; | ||
| import "../mocks/persona"; |
There was a problem hiding this comment.
🚩 onesignal mock removed from card.test.ts
card.test.ts previously imported ../mocks/onesignal which mocked sendPushNotification to a no-op. This import was removed in the PR. The card API at server/api/card.ts:33,383 imports and calls sendPushNotification. If any test path in card.test.ts triggers a notification (e.g., card mode changes), the real onesignal module would be used. Since the test env has no ONESIGNAL_API_KEY, the call might fail silently (caught by .catch()) or cause unexpected behavior. The tests presumably still pass in CI, suggesting notification paths aren't triggered in the current test cases, but this removal reduces test isolation.
Was this helpful? React with 👍 or 👎 to provide feedback.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ddbd0ed187
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| keeper | ||
| .poke(account, { |
There was a problem hiding this comment.
The keeper.poke(...) side effect is now executed only inside the if (firewallAddress) block, so in environments where firewallAddress is unset (a case this handler already accounts for), approved Persona inquiries will skip poking entirely. That leaves existing funded balances unactivated for yield until some later unrelated trigger runs poke, which is a functional gap in the onboarding flow.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 73ad6d7111
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| columns: { id: true, mode: true }, | ||
| where: inArray(cards.status, ["ACTIVE", "FROZEN"]), | ||
| await keeper | ||
| .poke(account, { ignore: [`NotAllowed(${account})`] }) |
There was a problem hiding this comment.
NotAllowed skipped the poke
In activity, this new ignore: [\NotAllowed(${account})`]path means firewall-gated deposits can now skipkeeper.poke` entirely, but the push notification emitted a few lines earlier still says the funds "instantly started earning yield" whenever the asset has a market. For pre-KYC users on deployments with the firewall enabled, that message becomes false: the transfer was received, but no market entry happened until a later Persona approval.
Useful? React with 👍 / 👎.
| contents: { en: "Your funds are ready to use" }, | ||
| }, | ||
| }) | ||
| .catch((error: unknown) => captureException(error, { level: "error" })); |
There was a problem hiding this comment.
This fire-and-forget keeper.poke rejection handler turns post-KYC activation failures into a logged 200 response. If poke rejects before its internal per-asset catches run (for example while loading exaPreviewer.assets or reading balances), Persona will not retry the webhook, so accounts that were waiting on KYC can remain unpoked and not earning until some unrelated later activity happens.
Useful? React with 👍 / 👎.
| return r.flatMap((result) => { | ||
| if (result.status === "rejected") { | ||
| captureException(result.reason, { level: "error" }); | ||
| return []; | ||
| } |
There was a problem hiding this comment.
🟡 poke function double-reports errors: once in exaSend and again in Promise.allSettled handler
Inside the poke function, when an exaSend call fails with a non-ignored error and withRetry exhausts all 10 retries, the error is reported to Sentry twice per final failure: once inside exaSend's catch block (server/utils/accounts.ts:336) with proper fingerprinting via revertFingerprint, and once more in poke's Promise.allSettled handler (server/utils/accounts.ts:168) without fingerprinting. Additionally, each of the 10 retry attempts also triggers exaSend's internal error reporting. This leads to 11 Sentry error events per failed poke asset (10 from retries + 1 from the handler), with the final one being a duplicate lacking fingerprint context.
Prompt for agents
In server/utils/accounts.ts, inside the poke function's Promise.allSettled handler (lines 165-174), the rejected result handler calls captureException again after exaSend has already reported the error internally with fingerprinting. To avoid duplicate reports, either:
1. Pass { level: false } to exaSend's options to suppress its internal reporting, and keep the handler's captureException (but add fingerprinting). OR
2. Remove the captureException from the Promise.allSettled handler (lines 167-169) since exaSend already reports the error, changing the rejected branch to just return [].
Option 2 is simpler: in the flatMap callback for rejected results (line 167-169), remove the captureException call so the block just returns []. The error was already reported by exaSend's internal catch handler with proper fingerprinting.
Was this helpful? React with 👍 or 👎 to provide feedback.
aguxez
force-pushed
the
gcp-allower
branch
2 times, most recently
from
4f4d674 to
1216f5f
Compare
| const DECODING_ITERATIONS = 3; | ||
| export const GOOGLE_APPLICATION_CREDENTIALS = "/tmp/gcp-service-account.json"; | ||
|
|
||
| if (!process.env.GCP_BASE64_JSON) throw new Error("GCP_BASE64_JSON is required when using GCP KMS"); | ||
| const gcpBase64Json = process.env.GCP_BASE64_JSON; | ||
|
|
||
| let initializationPromise: null | Promise<void> = null; | ||
|
|
||
| export function resetGcpInitialization() { | ||
| initializationPromise = null; | ||
| } | ||
|
|
||
| export async function initializeGcpCredentials() { | ||
| if (initializationPromise) { | ||
| return initializationPromise; | ||
| } | ||
|
|
||
| initializationPromise = (async () => { | ||
| if (await hasCredentials()) { | ||
| return; | ||
| } | ||
|
|
||
| let json = gcpBase64Json; | ||
| for (let index = 0; index < DECODING_ITERATIONS; index++) { | ||
| json = Buffer.from(json, "base64").toString("utf8"); | ||
| } | ||
| await writeFile(GOOGLE_APPLICATION_CREDENTIALS, json, { mode: 0o600 }); | ||
| })().catch((error: unknown) => { | ||
| initializationPromise = null; | ||
| throw error; | ||
| }); | ||
|
|
||
| return initializationPromise; | ||
| } |
There was a problem hiding this comment.
🚩 GCP credentials triple base64 decoding is intentional but fragile
The DECODING_ITERATIONS = 3 constant at server/utils/gcp.ts:4 means GCP_BASE64_JSON must be triple base64-encoded. This is presumably an obfuscation layer for the CI/CD pipeline. If the encoding depth changes without updating this constant, the decoded JSON would be garbage and KeyManagementServiceClient initialization would fail at runtime. There's no validation that the decoded result is valid JSON before writing to disk at line 30. The initializationPromise caching at line 10-36 means a corrupted write would be cached as success, requiring a process restart to recover.
Was this helpful? React with 👍 or 👎 to provide feedback.
| await keeper | ||
| .poke(account, { ignore: [`NotAllowed(${account})`] }) | ||
| .catch((error: unknown) => captureException(error, { level: "error" })); | ||
| autoCredit(account) | ||
| .then(async (auto) => { | ||
| span.setAttribute("exa.autoCredit", auto); | ||
| if (!auto) return; | ||
| const credential = await database.query.credentials.findFirst({ | ||
| where: eq(credentials.account, account), | ||
| columns: {}, | ||
| with: { | ||
| cards: { | ||
| columns: { id: true, mode: true }, | ||
| where: inArray(cards.status, ["ACTIVE", "FROZEN"]), | ||
| }, | ||
| }, | ||
| }, | ||
| }); | ||
| if (!credential || credential.cards.length === 0) return; | ||
| const card = credential.cards[0]; | ||
| span.setAttribute("exa.card", card?.id); | ||
| if (card?.mode !== 0) return; | ||
| await database.update(cards).set({ mode: 1 }).where(eq(cards.id, card.id)); | ||
| span.setAttribute("exa.mode", 1); | ||
| sendPushNotification({ | ||
| userId: account, | ||
| headings: { en: "Card mode changed" }, | ||
| contents: { en: "Credit mode activated" }, | ||
| }).catch((error: unknown) => captureException(error)); | ||
| }) | ||
| .catch((error: unknown) => captureException(error)); | ||
| span.setStatus({ code: SPAN_STATUS_OK }); | ||
| }, | ||
| }); | ||
| if (!credential || credential.cards.length === 0) return; | ||
| const card = credential.cards[0]; | ||
| span.setAttribute("exa.card", card?.id); | ||
| if (card?.mode !== 0) return; | ||
| await database.update(cards).set({ mode: 1 }).where(eq(cards.id, card.id)); | ||
| span.setAttribute("exa.mode", 1); | ||
| sendPushNotification({ | ||
| userId: account, | ||
| headings: { en: "Card mode changed" }, | ||
| contents: { en: "Credit mode activated" }, | ||
| }).catch((error: unknown) => captureException(error, { level: "error" })); | ||
| }) | ||
| .catch((error: unknown) => captureException(error, { level: "error" })); | ||
| span.setStatus({ code: SPAN_STATUS_OK }); |
There was a problem hiding this comment.
🟡 Activity span always reports OK, masking poke failures
In the old code, when individual pokes failed with non-NoBalance() errors, the span status was set to SPAN_STATUS_ERROR and the error was re-thrown — which caused the outer Promise.allSettled at line 206 to record a rejected result, ultimately setting the webhook's overall status to activity_failed. In the new code, keeper.poke() errors are unconditionally swallowed by the .catch() at line 166. Execution then falls through to span.setStatus({ code: SPAN_STATUS_OK }) at line 194, meaning the per-account span always reports success. Because every account span now resolves successfully, the outer Promise.allSettled at server/hooks/activity.ts:207-211 always sees all results as fulfilled, so the webhook-level span is also set to SPAN_STATUS_OK. This eliminates trace-level visibility into poke failures.
Was this helpful? React with 👍 or 👎 to provide feedback.
2 participants
closes #643
Summary by CodeRabbit
New Features
Bug Fixes
Tests
Chores
Greptile Summary
This PR integrates Google Cloud KMS (via
@google-cloud/kmsand@valora/viem-account-hsm-gcp) to sign firewallallowtransactions with an HSM-backed key, and adds a newkeeper.pokeutility that proactively pokes account assets (ETH, WETH, ERC-20) after KYC approval and on activity webhooks.Key changes:
server/utils/gcp.ts— new module handles credential bootstrapping (triple base64 decode →/tmp/gcp-service-account.json), lazy initialization with promise caching, and retryable KMS error classification.server/utils/accounts.ts— addsgetAccount()(GCP KMS → viemLocalAccount),allower()(wallet client that wrapsallowon the Firewall contract), andpoke()(scans balances and pokes every non-zero asset viaexaSend).server/hooks/persona.ts— after KYC approval callsallowthen fire-and-forgetspoke;allowerPromisecaches the expensive KMS init across requests.server/hooks/activity.ts— callspokeafter account deployment, withNotAllowedin the ignore list.Verified findings:
delayfunction inpoke'swithRetryuses bitwise left-shift which overflows atcount >= 31(currently safe withretryCount: 10, but a footgun if the parameter is raised).DECODING_ITERATIONS = 3constant lacks documentation explaining the triple base64 encoding strategy.keeperclient'sonFetchRequesthook lacks error handling, unlike theallowerversion, making it susceptible to unhandled exceptions on malformed RPC payloads.Confidence Score: 3/5
retryCountis raised, (2) the triple base64 decoding strategy lacks documentation creating fragility, and (3) the missing try/catch inkeeper'sonFetchRequestcreates an inconsistency withallowerthat could surface unhandled exceptions. None of these are critical under normal conditions, but they represent code-quality debt worth fixing before production ramp-up.server/utils/accounts.ts(bitwise-shift delay, error handling inconsistency) andserver/utils/gcp.ts(undocumented constant).Last reviewed commit: 0275499
Context used:
dashboard- AGENTS.md (source)dashboard- CLAUDE.md (source)This is part 1 of 2 in a stack made with GitButler: