.agents/skills/web-design-guidelines/SKILL.md-25-27 (1)

25-27: ⚠️ Potential issue | 🟡 Minor

Add a language identifier to the fenced code block.

Line 25 triggers MD040 because the code fence has no language tag.

Suggested change

-```
+```text
 https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/web-design-guidelines/SKILL.md around lines 25 - 27, The
fenced code block containing the raw URL lacks a language identifier and
triggers MD040; update the block around the URL (the triple-backtick fence in
the SKILL.md snippet) to include an explicit language tag such as text (e.g.,
replace withtext) so the code fence is properly annotated and the MD040
warning is resolved.

</details>

</blockquote></details>
<details>
<summary>.agents/skills/better-auth-best-practices/SKILL.md-122-124 (1)</summary><blockquote>

`122-124`: _⚠️ Potential issue_ | _🟡 Minor_

**Add language identifier to code block.**

The fenced code block is missing a language identifier, which prevents proper syntax highlighting.



<details>
<summary>📝 Proposed fix</summary>

```diff
 **Import from dedicated paths for tree-shaking:**
-```
+```typescript
 import { twoFactor } from "better-auth/plugins/two-factor"
 ```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/better-auth-best-practices/SKILL.md around lines 122 - 124,
The fenced code block containing the import statement import { twoFactor } from "better-auth/plugins/two-factor" is missing a language identifier; update that
code fence to include the appropriate language (e.g., add "typescript") so the
block becomes typescript ... to enable syntax highlighting and better
readability for the twoFactor import example.

</details>

</blockquote></details>
<details>
<summary>.agents/skills/update/references/breaking-changes.md-90-90 (1)</summary><blockquote>

`90-90`: _⚠️ Potential issue_ | _🟡 Minor_

**Fix hyphenation for compound adjective.**

The phrase "AI SDK specific migrations" should use a hyphen: "AI SDK-specific migrations" to properly form the compound adjective modifying "migrations". As per static analysis, compound adjectives preceding a noun typically require hyphenation.



<details>
<summary>📝 Proposed fix</summary>

```diff
-See [./ai-sdk-v6.md](./ai-sdk-v6.md) for AI SDK specific migrations:
+See [./ai-sdk-v6.md](./ai-sdk-v6.md) for AI SDK-specific migrations:
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/update/references/breaking-changes.md at line 90, Replace the
phrase "AI SDK specific migrations" with the hyphenated compound adjective "AI
SDK-specific migrations" wherever it appears (specifically update the line
containing "See [./ai-sdk-v6.md](./ai-sdk-v6.md) for AI SDK specific
migrations:") so the compound adjective correctly modifies "migrations."
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/js-set-map-lookups.md-15-23 (1)</summary><blockquote>

`15-23`: _⚠️ Potential issue_ | _🟡 Minor_

**Replace invalid `...` placeholders with valid syntax.**

The snippets at lines 15 and 22 use bare `...`, which is invalid JS/TS syntax and makes the examples non-runnable.

<details>
<summary>Suggested fix</summary>

```diff
-const allowedIds = ['a', 'b', 'c', ...]
+const allowedIds = ['a', 'b', 'c'] // ...more ids

-const allowedIds = new Set(['a', 'b', 'c', ...])
+const allowedIds = new Set(['a', 'b', 'c']) // ...more ids
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/js-set-map-lookups.md
around lines 15 - 23, The examples use invalid bare "..." placeholders inside
the array literals for allowedIds; replace those with valid syntax (either
explicit elements or a proper spread of a defined array/variable) so the first
snippet's array passed to includes and the second snippet's Set constructor are
valid JavaScript/TypeScript (refer to the allowedIds variable, items.filter
usage, .includes and .has calls when making the change).
```

</details>

</blockquote></details>
<details>
<summary>AGENTS.md-71-71 (1)</summary><blockquote>

`71-71`: _⚠️ Potential issue_ | _🟡 Minor_

**Add a language to the fenced code block.**

Line 71 uses a fenced block without a language, which triggers markdownlint MD040.

<details>
<summary>📝 Minimal fix</summary>

```diff
-```
+```text
 src/app/api/         # API routes (auth, chat, cards, pdf, youtube, deep-research)
 ...
-```
+```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @AGENTS.md at line 71, The fenced code block in AGENTS.md is missing a
language identifier which triggers markdownlint MD040; update the opening fence
of the block (the triple backticks that start the snippet containing
"src/app/api/ # API routes...") to include a language token such as text
(i.e., change the opening totext) so the block is properly annotated
while keeping the closing ``` unchanged.

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/rerender-transitions.md-15-22 (1)</summary><blockquote>

`15-22`: _⚠️ Potential issue_ | _🟡 Minor_

**Both component examples are missing a return value.**

`ScrollTracker` should return JSX (or `null`) so the snippet is syntactically complete and copy-paste safe.


<details>
<summary>Suggested fix</summary>

```diff
 function ScrollTracker() {
   const [scrollY, setScrollY] = useState(0)
   useEffect(() => {
     const handler = () => setScrollY(window.scrollY)
     window.addEventListener('scroll', handler, { passive: true })
     return () => window.removeEventListener('scroll', handler)
   }, [])
+  return <span>{scrollY}</span>
 }
```

```diff
 function ScrollTracker() {
   const [scrollY, setScrollY] = useState(0)
   useEffect(() => {
     const handler = () => {
       startTransition(() => setScrollY(window.scrollY))
     }
     window.addEventListener('scroll', handler, { passive: true })
     return () => window.removeEventListener('scroll', handler)
   }, [])
+  return <span>{scrollY}</span>
 }
```
</details>


Also applies to: 30-39

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/rerender-transitions.md
around lines 15 - 22, The ScrollTracker component is missing a return value,
making the snippet invalid; update the ScrollTracker function to return JSX
(e.g., a fragment showing scrollY or a container) or at minimum return null so
it is syntactically correct. Locate the ScrollTracker function and add an
appropriate return (for example a <div> or React fragment referencing scrollY or
simply return null) to complete the component; apply the same fix to the other
example mentioned (lines 30-39) so both components are copy-paste safe.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/rerender-defer-reads.md-27-38 (1)</summary><blockquote>

`27-38`: _⚠️ Potential issue_ | _🟡 Minor_

**Add `'use client'` directive to clarify Client Component requirement.**

The example uses `window.location.search` and `onClick`, which require a Client Component in Next.js App Router. Without explicitly marking this, developers may incorrectly apply it in Server Components.

<details>
<summary>Suggested documentation patch</summary>

```diff
+// Next.js App Router: this component must be a Client Component
+'use client'
+
 function ShareButton({ chatId }: { chatId: string }) {
   const handleShare = () => {
     const params = new URLSearchParams(window.location.search)
```
</details>

Reference: [Next.js Client Components documentation](https://nextjs.org/docs/app/getting-started/server-and-client-components)

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/rerender-defer-reads.md
around lines 27 - 38, The example ShareButton component uses
window.location.search and an onClick handler (handleShare), so mark it
explicitly as a Client Component by adding the 'use client' directive at the top
of the component file; update the ShareButton example to include 'use client'
before the component definition and ensure any usage notes mention it must run
on the client (handles like shareChat, window access, and onClick require
client-side execution).
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/rendering-svg-precision.md-26-27 (1)</summary><blockquote>

`26-27`: _⚠️ Potential issue_ | _🟡 Minor_

**Use SVGO config file instead of CLI flags; `--precision` and `--multipass` are not valid CLI arguments in SVGO v4+.**

The command shown uses unsupported CLI flags. SVGO v4+ requires a configuration file (`svgo.config.mjs`) for options like precision and multipass. Create the config:

```javascript
export default {
  multipass: true,
  plugins: [
    {
      name: 'preset-default',
      params: {
        overrides: {
          floatPrecision: 1,  // Note: renamed from 'precision' in v4
        },
      },
    },
  ],
};
```

Then run: `npx svgo icon.svg`. For v3 and earlier, some tooling supported CLI flags, so include a version note if targeting multiple versions.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/rendering-svg-precision.md
around lines 26 - 27, The SVGO command shown uses removed CLI flags (--precision
and --multipass) from SVGO v4+; replace CLI flag usage with a config file
(svgo.config.mjs) and set multipass: true plus the floatPrecision value inside
the 'preset-default' plugin params overrides (floatPrecision replaces precision
in v4), then run npx svgo icon.svg; also add a short note in the rule mentioning
that older SVGO v3 tooling accepted CLI flags if you must support multiple
versions.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/bundle-conditional.md-31-31 (1)</summary><blockquote>

`31-31`: _⚠️ Potential issue_ | _🟡 Minor_

**Misleading claim about SSR bundling.**

The `typeof window !== 'undefined'` check prevents the dynamic import from *executing* during SSR, but it doesn't prevent the module from being included in the server bundle. Bundlers like webpack/turbopack perform static analysis and may still include the module path. For true SSR exclusion, use `next/dynamic` with `ssr: false` or ensure the import path is only referenced in client-only code.



<details>
<summary>📝 Suggested correction</summary>

```diff
-The `typeof window !== 'undefined'` check prevents bundling this module for SSR, optimizing server bundle size and build speed.
+The `typeof window !== 'undefined'` check prevents the dynamic import from executing during SSR, avoiding runtime errors for client-only modules. For complete SSR exclusion from the bundle, consider using `next/dynamic` with `ssr: false`.
```

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/bundle-conditional.md at
line 31, Update the sentence claiming "The `typeof window !== 'undefined'` check
prevents bundling this module for SSR" to accurately state that the check only
prevents the dynamic import from executing during SSR but does not guarantee the
module will be excluded from server bundles; mention that bundlers (e.g.,
webpack/turbopack) can still statically include the module path and recommend
using next/dynamic with `ssr: false` or ensuring the import path is only
referenced from client-only code to truly prevent server-side bundling (refer to
the `typeof window !== 'undefined'` example and the `next/dynamic`
recommendation in the doc).
```

</details>

</blockquote></details>
<details>
<summary>src/app/api/workspaces/[id]/import/route.ts-193-197 (1)</summary><blockquote>

`193-197`: _⚠️ Potential issue_ | _🟡 Minor_

**Type assertion is technically unsafe, though not a runtime risk in this code path.**

The `item.data` is typed as `ItemData` (a union of multiple data types), and the assertion `(item.data as { fileUrl: string }).fileUrl` bypasses type checking. While all items in this specific array are constructively guaranteed to have `PdfData` with `fileUrl` (since every item is built with `type: "pdf"` and `data: buildPdfDataFromUpload(...)`), the type system doesn't recognize this guarantee.

Consider either:
1. Narrowing the `Item` type for this context to guarantee `data: PdfData`
2. Adding a simple type guard: `if ("fileUrl" in item.data) { item.data.fileUrl }` to inform the type system

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@src/app/api/workspaces/`[id]/import/route.ts around lines 193 - 197, The
mapping that builds candidates uses an unsafe assertion "(item.data as {
fileUrl: string }).fileUrl"; instead, narrow the type so TypeScript knows each
item has PdfData (e.g., filter or type-guard the items array to a Pdf-specific
Item type) or add a runtime type guard such as checking "if ('fileUrl' in
item.data)" before accessing fileUrl; update the mapping that produces
OcrCandidate in the candidates variable (referencing items, item.data, PdfData,
buildPdfDataFromUpload and the OcrCandidate construction) to use the narrowed
type or guard so the cast is removed and the compiler recognizes data.fileUrl
safely.
```

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🧹 Nitpick comments (12)</summary><blockquote>

<details>
<summary>.agents/skills/update/SKILL.md (1)</summary><blockquote>

`44-51`: **Consider adding language identifier to code fence.**

The decision tree diagram uses a fenced code block without a language identifier. While this works, adding `text` as the language identifier would satisfy markdown linters and make the intent clearer.



<details>
<summary>📋 Proposed fix</summary>

```diff
-```
+```text
 AI SDK < 6.0.0?
 ├─ Yes → See ./references/ai-sdk-v6.md
 └─ No
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/update/SKILL.md around lines 44 - 51, The fenced code block
in SKILL.md that renders the decision tree lacks a language identifier; update
the opening fence from totext so linters recognize it as plain text and
intent is clear (i.e., replace the code fence around the ASCII decision tree
with ```text and keep the block contents unchanged).

</details>

</blockquote></details>
<details>
<summary>src/hooks/workspace/use-workspace-realtime.ts (1)</summary><blockquote>

`46-46`: **Clean up stale `currentUserId` option contract.**

At Line 46, `currentUserId` is no longer consumed, but `WorkspaceRealtimeOptions` still documents it and `src/contexts/RealtimeContext.tsx` still passes it. Please remove/repurpose this option (and its comment) to avoid a misleading API surface.

<details>
<summary>♻️ Suggested cleanup in this file</summary>

```diff
 interface WorkspaceRealtimeOptions {
-    /** Current user ID to filter out own events */
-    currentUserId?: string | null;
     /** Called when connection status changes */
     onStatusChange?: (status: 'connecting' | 'connected' | 'disconnected' | 'error') => void;
     /** Called when a remote event is received */
     onRemoteEvent?: (event: WorkspaceEvent) => void;
 }
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@src/hooks/workspace/use-workspace-realtime.ts` at line 46, The options
contract still exposes currentUserId even though useWorkspaceRealtime no longer
consumes it; remove currentUserId from the WorkspaceRealtimeOptions type/comment
and stop passing it from RealtimeContext (remove it where RealtimeContext.tsx
calls useWorkspaceRealtime), and update any related JSDoc/comments to avoid
misleading API surface—search for the symbols currentUserId,
WorkspaceRealtimeOptions, useWorkspaceRealtime, and RealtimeContext to locate
and delete the unused option and its documentation.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md (1)</summary><blockquote>

`45-45`: **Link version claims to authoritative sources for maintainability.**

The version cutoffs are currently accurate (Chrome 110+, Safari 16+, Firefox 115+, Node.js 20+), but hardcoding them risks staleness. Add links to MDN or CanIUse alongside the version numbers so readers can verify current support without documentation updates.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md at
line 45, The text stating `.toSorted()` availability should include
authoritative links so readers can verify support; update the sentence that
lists versions for Chrome, Safari, Firefox and Node.js to append stable
references (e.g., MDN and/or Can I Use) next to each version number and/or as a
single parenthetical link covering all, ensuring the `.toSorted()` identifier
remains unchanged so it’s easy to find; ensure link URLs point to the MDN page
for Array.prototype.toSorted and/or the corresponding CanIUse feature page and
keep the spread-operator fallback note intact.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/rendering-content-visibility.md (1)</summary><blockquote>

`38-38`: **Qualify the fixed “10× faster” statement.**

This should be presented as benchmark-dependent (device/content/browser-specific), not a guaranteed outcome.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
@.agents/skills/vercel-react-best-practices/rules/rendering-content-visibility.md
at line 38, The statement "For 1000 messages, browser skips layout/paint for
~990 off-screen items (10× faster initial render)" is presented as a fixed
outcome; change it to a qualified, non‑absolute claim by rewording to indicate
this is benchmark-dependent (device, browser, content, and measurement method
may vary), e.g., replace the hard "10× faster" with a phrasing like "up to ~10×
faster in our test" or "can be substantially faster depending on
device/browser," and add a brief parenthetical or footnote pointing readers to
the benchmark methodology or noting variability.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/bundle-preload.md (1)</summary><blockquote>

`50-50`: **Soften the SSR bundling claim here.**

`typeof window !== 'undefined'` prevents server-side execution, but it does not universally guarantee the module is excluded from all SSR/build artifacts. Please reword to avoid overstating bundling effects.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/bundle-preload.md at line
50, Reword the sentence that claims "`typeof window !== 'undefined'` prevents
bundling preloaded modules for SSR" to soften it: state that the check prevents
server-side execution at runtime but does not universally guarantee exclusion
from server bundles or build artifacts, and recommend phrasing like "guards
client-side execution but may not remove the module from all SSR/build outputs"
while keeping the original example `typeof window !== 'undefined'` for clarity.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/js-min-max-loop.md (1)</summary><blockquote>

`82-82`: **Minor wording polish.**

Consider replacing “very large arrays” with a more specific phrase (for example, “large arrays”) for tighter style.

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/js-min-max-loop.md at line
82, The wording "very large arrays" in the sentence "This works for small arrays
but can be slower for very large arrays due to spread operator limitations."
should be tightened to "large arrays" for style consistency; edit that sentence
in the rule text (js-min-max-loop.md) to read something like "This works for
small arrays but can be slower for large arrays due to spread operator
limitations." so the guidance is more concise and specific.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/js-length-check-first.md (1)</summary><blockquote>

`34-35`: **Note the browser compatibility requirement for `.toSorted()`.**

The `.toSorted()` method is part of ES2023 and may not be available in all target environments. Consider documenting the minimum browser/runtime requirements or providing a fallback pattern.



<details>
<summary>📋 Suggested compatibility note</summary>

Add after the code block:

```markdown
**Note:** `.toSorted()` requires ES2023 support (Chrome 110+, Firefox 115+, Safari 16+, Node.js 20+). For broader compatibility, use:

\`\`\`typescript
const currentSorted = [...current].sort()
const originalSorted = [...original].sort()
\`\`\`
```

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/js-length-check-first.md
around lines 34 - 35, The use of Array.prototype.toSorted() for currentSorted
and originalSorted relies on ES2023 and may break in older runtimes; either add
a compatibility note near the code block documenting required environments
(Chrome 110+, Firefox 115+, Safari 16+, Node.js 20+) or replace it with a
fallback by copying-then-sorting (e.g., using [...current].sort() and
[...original].sort()) to ensure broader runtime support; update the markdown
around the currentSorted/originalSorted example to include the note and the
fallback snippet.
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/client-event-listeners.md (1)</summary><blockquote>

`38-55`: **Document the need for stable callback references.**

The `callback` dependency in the `useEffect` will cause the callback to be re-registered whenever it changes. If consumers don't memoize their callbacks with `useCallback`, this will create unnecessary churn in the `keyCallbacks` Map.

Consider adding a note in the documentation recommending that callbacks passed to `useKeyboardShortcut` should be wrapped in `useCallback` to maintain stable references.



<details>
<summary>📝 Suggested documentation addition</summary>

Add after line 66:

```markdown
**Note:** Ensure callbacks are stable references (wrapped in `useCallback`) to avoid unnecessary re-registrations:

\`\`\`tsx
function Profile() {
  const handleP = useCallback(() => { /* ... */ }, [])
  const handleK = useCallback(() => { /* ... */ }, [])
  
  useKeyboardShortcut('p', handleP)
  useKeyboardShortcut('k', handleK)
}
\`\`\`
```

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/rules/client-event-listeners.md
around lines 38 - 55, The docs should warn that useKeyboardShortcut registers
callbacks in the shared keyCallbacks Map and that the useEffect depends on the
callback reference; update the documentation for useKeyboardShortcut to
recommend callers wrap their handlers with React.useCallback so the callback
reference remains stable and avoids repeated registrations/teardowns of
keyCallbacks entries (mention useKeyboardShortcut, keyCallbacks, and the effect
dependency on callback).
```

</details>

</blockquote></details>
<details>
<summary>.agents/skills/vercel-react-best-practices/rules/js-cache-function-results.md (1)</summary><blockquote>

`29-56`: **Consider adding a caveat about server-side usage.**

Module-level caches persist across requests in serverless/edge environments. In SSR contexts, this pattern could cause data leakage between users if the cached values are user-specific. Consider noting that this pattern is primarily intended for client-side code, or that server-side usage requires request-scoped caching (e.g., React's `cache()` function).



<details>
<summary>📝 Suggested addition</summary>

Add after line 56:
```markdown
**Note:** Module-level caches persist across requests on the server. For user-specific data in SSR, use React's `cache()` function instead to ensure request isolation.
```

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In
@.agents/skills/vercel-react-best-practices/rules/js-cache-function-results.md
around lines 29 - 56, Add a brief caveat about server-side usage: mention that
the shown module-level cache (slugifyCache and cachedSlugify used in
ProjectList/ProjectCard) persists across requests in serverless/edge/SSR
environments and can leak user-specific data; instruct readers to prefer
client-side use or, for server/SSR, to use request-scoped caching such as
React's cache() function to ensure isolation.
```

</details>

</blockquote></details>
<details>
<summary>src/app/api/workspaces/[id]/import/route.ts (3)</summary><blockquote>

`38-73`: **Consider adding a delay between retries to reduce contention.**

The retry loop immediately re-attempts on version conflict without any backoff. Under heavy concurrent edits, this could lead to rapid successive queries that exacerbate contention.


<details>
<summary>💡 Suggested exponential backoff</summary>

```diff
 async function appendBulkItemsWithRetry(
   workspaceId: string,
   items: Item[],
   userId: string,
   userName: string | undefined,
   maxAttempts = 3
 ): Promise<AppendResult> {
   for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    if (attempt > 0) {
+      // Exponential backoff: 100ms, 200ms
+      await new Promise((r) => setTimeout(r, 100 * Math.pow(2, attempt - 1)));
+    }
     const versionResult = await db.execute(
```

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@src/app/api/workspaces/`[id]/import/route.ts around lines 38 - 73, The retry
loop in the import route aggressively retries on version conflicts (for loop
around append_workspace_event) with no pause; add an exponential backoff between
attempts to reduce contention: calculate a delay using attempt index (capped max
delay), await a sleep/pause before the next iteration when a conflict is
detected (after determining conflict from rawResult match and before continuing
the loop), and keep existing behavior for success (call checkAndCreateSnapshot
and return) and final failure (throw after maxAttempts). Ensure to reference
maxAttempts, attempt, append_workspace_event result parsing, and
checkAndCreateSnapshot when implementing this change.
```

</details>

---

`94-102`: **Consider validating `mimeType` to ensure only PDF files are imported.**

The validation checks for presence of `mimeType` but doesn't verify it's actually a PDF. Given this is a PDF import endpoint, accepting arbitrary MIME types could lead to unexpected behavior downstream (e.g., in OCR processing).


<details>
<summary>💡 Suggested mimeType validation</summary>

```diff
   // Validate required fields on each file
   for (const file of files) {
     if (!file.storagePath || !file.publicUrl || !file.displayName || !file.mimeType) {
       return NextResponse.json(
         { error: "Each file must have storagePath, publicUrl, displayName, and mimeType" },
         { status: 400 }
       );
     }
+    if (file.mimeType !== "application/pdf") {
+      return NextResponse.json(
+        { error: `Invalid mimeType "${file.mimeType}". Only application/pdf is supported.` },
+        { status: 400 }
+      );
+    }
   }
```

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@src/app/api/workspaces/`[id]/import/route.ts around lines 94 - 102, The loop
that validates each file's fields (iterating "for (const file of files)") only
checks presence of mimeType but not its value; update the validation to ensure
file.mimeType strictly equals "application/pdf" (or matches
/^application\/pdf$/i) so only PDFs are accepted, and return the same 400
NextResponse with a clear error when the check fails; keep the existing property
checks for storagePath, publicUrl, and displayName and add this mimeType check
to the same validation block.
```

</details>

---

`200-215`: **Internal fetch call lacks timeout protection.**

The fetch to `/api/ocr/start` has no timeout. While the route-level `maxDuration = 30` provides some protection, an unresponsive OCR endpoint could cause this request to hang for the full duration. Consider adding an AbortController timeout.


<details>
<summary>💡 Suggested timeout implementation</summary>

```diff
   let ocrRunId: string | null = null;
   try {
     const appUrl = process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000";
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), 10000); // 10s timeout
     const ocrResponse = await fetch(`${appUrl}/api/ocr/start`, {
       method: "POST",
       headers: { "Content-Type": "application/json", cookie: request.headers.get("cookie") ?? "" },
       body: JSON.stringify({ workspaceId: id, candidates }),
+      signal: controller.signal,
     });
+    clearTimeout(timeoutId);
     if (ocrResponse.ok) {
```

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against the current code and only fix it if needed.

In `@src/app/api/workspaces/`[id]/import/route.ts around lines 200 - 215, The
fetch to start OCR (the call that assigns ocrResponse and ocrRunId) has no
timeout protection; add an AbortController, pass its signal to fetch, and set a
short timer (e.g. a few seconds) to call controller.abort() to avoid hanging;
ensure you clear the timer after fetch completes and catch/handle the AbortError
in the existing catch block so you log a distinct message (or set ocrRunId to
null) when the request is aborted.
```

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/skills/vercel-react-best-practices/rules/async-api-routes.md:

• Around line 27-33: The example starts both sessionPromise and configPromise
  but can leave configPromise unobserved if auth() rejects; fix by ensuring every
  started promise is always awaited before proceeding—e.g. start both with
  sessionPromise = auth() and configPromise = fetchConfig(), then await session
  first (const session = await sessionPromise) and immediately await/observe
  config (const config = await configPromise) before calling fetchData, or
  alternatively await both together (const [session, config] = await
  Promise.all([sessionPromise, configPromise])) and only then call
  fetchData(session.user.id); this guarantees no floating rejection for
  configPromise (referencing sessionPromise, configPromise, auth(), fetchConfig(),
  fetchData(), session).

In
@.agents/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md:

• Around line 31-39: The RootLayout uses next/dynamic with { ssr: false }
  (dynamic and Analytics) inside a server component, which is invalid; extract the
  deferred import into a separate client component file that begins with 'use
  client' (e.g., AnalyticsClient) and move the dynamic(() =>
  import('@vercel/analytics/react').then(m => m.Analytics), { ssr: false }) into
  that file, then import and render that client wrapper from RootLayout instead of
  calling dynamic inside RootLayout.

In @.agents/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md:

• Around line 25-34: The file uses next/dynamic with { ssr: false } (dynamic and
  MonacoEditor/CodePanel) which requires a Client Component; add the 'use client'
  directive as the very first line of the file to mark it a Client Component so
  CodePanel and the dynamic MonacoEditor import are valid, ensuring the directive
  precedes imports and component definitions.

In @.agents/skills/vercel-react-best-practices/rules/client-swr-dedup.md:

• Around line 38-52: The SWR imports and hook names are incorrect: replace the
  non-standard useImmutableSWR import and usage with the official default export
  useSWRImmutable (from 'swr/immutable') and import useSWRMutation as the default
  export (not a named import) for mutations; update references to useImmutableSWR
  -> useSWRImmutable and change the import statements that currently reference
  '@/lib/swr' and 'swr/mutation' named imports to the correct default imports so
  the hooks match the official SWR API (useSWRImmutable and useSWRMutation).

In @.agents/skills/vercel-react-best-practices/rules/js-batch-dom-css.md:

• Around line 16-21: Update the inaccurate comment that "Each line triggers a
  reflow" near the style assignments (element.style.width, element.style.height,
  element.style.backgroundColor, element.style.border) to explain that multiple
  sequential style writes are typically batched into a single reflow unless
  interleaved with layout reads (e.g., offsetWidth), e.g., "Multiple writes batch
  into one reflow; only triggers multiple if interleaved with layout reads." Also
  add a warning where cssText is discussed that using element.style.cssText
  replaces all existing inline styles (destructive) and recommend preserving
  styles by concatenating (e.g., append via "+=" or merge existing style values)
  when the intent is to keep prior inline styles.

In @.agents/skills/vercel-react-best-practices/rules/js-cache-storage.md:

• Around line 58-69: The doc's cache invalidation examples only clear
  storageCache but should also invalidate cookieCache; update the storage event
  handler and the visibilitychange handler so that when storage events occur you
  also delete the corresponding cookieCache entry (use cookieCache.delete(e.key))
  and when the document becomes visible you clear cookieCache as well
  (cookieCache.clear()), referencing the existing storageCache and cookieCache
  identifiers and the same event listeners (window.addEventListener('storage',
  ...) and document.addEventListener('visibilitychange', ...)).
• Around line 48-50: The cookie parsing is lossy because map(c => c.split('='))
  splits on every '='; update the cookie parsing that builds cookieCache (the
  Object.fromEntries(...) using document.cookie.split('; ')) to split each raw
  cookie string on the first '=' only (use indexOf('=') and slice for name and
  value), trim the name, decodeURIComponent both name and value safely, and handle
  missing '=' (treat value as empty string) so encoded/session values containing
  '=' are preserved.

In
@.agents/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md:

• Around line 56-77: The inline script in ThemeWrapper runs after the target div
  (#theme-wrapper) is inserted, causing a brief flicker; fix by executing theme
  detection before rendering: move the blocking script into the document head
  (e.g., root layout/_document) so it can set the class on
  document.documentElement or the #theme-wrapper before React mounts, or convert
  ThemeWrapper into a client component that uses useEffect with a controlled
  initial state plus suppressHydrationWarning to avoid mismatch; update references
  to ThemeWrapper and the element id 'theme-wrapper' accordingly and remove the
  post-render script from ThemeWrapper.

In @.agents/skills/vercel-react-best-practices/rules/server-serialization.md:

• Line 10: Update the sentence that begins "The React Server/Client boundary
  serializes all object properties into strings and embeds them in the HTML
  response and subsequent RSC requests" to clarify RSC transport: state that the
  boundary serializes props into the RSC Payload, which on initial load is
  embedded in the HTML (inside <script> tags) while subsequent navigations fetch
  the RSC Payload as a separate network request (e.g., with ?_rsc); preserve the
  guidance that serialized data affects page weight so only pass fields the client
  uses.

In @.agents/skills/web-design-guidelines/SKILL.md:

• Around line 23-30: The SKILL.md currently fetches guidelines from the mutable
  "main" branch URL string; replace that URL with a pinned raw URL containing a
  specific commit SHA (e.g., change
  https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md
  to
  https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines//command.md)
  and update the adjacent text to instruct WebFetch to retrieve the pinned rules
  and to update the SHA intentionally when adopting guideline changes; locate and
  change the URL literal and the sentence "Use WebFetch to retrieve the latest
  rules" in .agents/skills/web-design-guidelines/SKILL.md so they reference the
  pinned SHA and pinned-rules wording.

In @public/.well-known/workflow/v1/manifest.json:

• Around line 49-115: The manifest graph currently lists a single start->end
  node for audioTranscribeWorkflow and ocrDispatchWorkflow which does not match
  their implementations; regenerate the manifest so each workflow's "graph.nodes"
  and "graph.edges" mirror the actual step sequence and branching in the
  implementations of audioTranscribeWorkflow and ocrDispatchWorkflow (include each
  step node id, type (workflowStep/workflowBranch/etc.), data.label/nodeKind, and
  explicit edges for all branches and retry/conditional paths), then replace the
  simplified start->end entries with the detailed nodes/edges; to do this, run the
  repository's workflow manifest generator/build step (the same tool that produced
  the JSON) or manually update the manifest ensuring node ids and edge ids match
  the step identifiers used in audioTranscribeWorkflow and ocrDispatchWorkflow so
  orchestration, step tracking and retries reflect runtime behavior.

---

Minor comments:
In @.agents/skills/better-auth-best-practices/SKILL.md:

• Around line 122-124: The fenced code block containing the import statement
  import { twoFactor } from "better-auth/plugins/two-factor" is missing a
  language identifier; update that code fence to include the appropriate language
  (e.g., add "typescript") so the block becomes typescript ... to enable
  syntax highlighting and better readability for the twoFactor import example.

In @.agents/skills/update/references/breaking-changes.md:

• Line 90: Replace the phrase "AI SDK specific migrations" with the hyphenated
  compound adjective "AI SDK-specific migrations" wherever it appears
  (specifically update the line containing "See ./ai-sdk-v6.md
  for AI SDK specific migrations:") so the compound adjective correctly modifies
  "migrations."

In @.agents/skills/vercel-react-best-practices/rules/bundle-conditional.md:

• Line 31: Update the sentence claiming "The typeof window !== 'undefined'
  check prevents bundling this module for SSR" to accurately state that the check
  only prevents the dynamic import from executing during SSR but does not
  guarantee the module will be excluded from server bundles; mention that bundlers
  (e.g., webpack/turbopack) can still statically include the module path and
  recommend using next/dynamic with ssr: false or ensuring the import path is
  only referenced from client-only code to truly prevent server-side bundling
  (refer to the typeof window !== 'undefined' example and the next/dynamic
  recommendation in the doc).

In @.agents/skills/vercel-react-best-practices/rules/js-set-map-lookups.md:

• Around line 15-23: The examples use invalid bare "..." placeholders inside the
  array literals for allowedIds; replace those with valid syntax (either explicit
  elements or a proper spread of a defined array/variable) so the first snippet's
  array passed to includes and the second snippet's Set constructor are valid
  JavaScript/TypeScript (refer to the allowedIds variable, items.filter usage,
  .includes and .has calls when making the change).

In @.agents/skills/vercel-react-best-practices/rules/rendering-svg-precision.md:

• Around line 26-27: The SVGO command shown uses removed CLI flags (--precision
  and --multipass) from SVGO v4+; replace CLI flag usage with a config file
  (svgo.config.mjs) and set multipass: true plus the floatPrecision value inside
  the 'preset-default' plugin params overrides (floatPrecision replaces precision
  in v4), then run npx svgo icon.svg; also add a short note in the rule mentioning
  that older SVGO v3 tooling accepted CLI flags if you must support multiple
  versions.

In @.agents/skills/vercel-react-best-practices/rules/rerender-defer-reads.md:

• Around line 27-38: The example ShareButton component uses
  window.location.search and an onClick handler (handleShare), so mark it
  explicitly as a Client Component by adding the 'use client' directive at the top
  of the component file; update the ShareButton example to include 'use client'
  before the component definition and ensure any usage notes mention it must run
  on the client (handles like shareChat, window access, and onClick require
  client-side execution).

In @.agents/skills/vercel-react-best-practices/rules/rerender-transitions.md:

• Around line 15-22: The ScrollTracker component is missing a return value,
  making the snippet invalid; update the ScrollTracker function to return JSX
  (e.g., a fragment showing scrollY or a container) or at minimum return null so
  it is syntactically correct. Locate the ScrollTracker function and add an
  appropriate return (for example a
  or React fragment referencing scrollY or
  simply return null) to complete the component; apply the same fix to the other
  example mentioned (lines 30-39) so both components are copy-paste safe.

In @.agents/skills/web-design-guidelines/SKILL.md:

• Around line 25-27: The fenced code block containing the raw URL lacks a
  language identifier and triggers MD040; update the block around the URL (the
  triple-backtick fence in the SKILL.md snippet) to include an explicit language
  tag such as text (e.g., replace withtext) so the code fence is properly
  annotated and the MD040 warning is resolved.

In @AGENTS.md:

• Line 71: The fenced code block in AGENTS.md is missing a language identifier
  which triggers markdownlint MD040; update the opening fence of the block (the
  triple backticks that start the snippet containing "src/app/api/ # API
  routes...") to include a language token such as text (i.e., change the opening
  totext) so the block is properly annotated while keeping the closing ```
  unchanged.

In @src/app/api/workspaces/[id]/import/route.ts:

• Around line 193-197: The mapping that builds candidates uses an unsafe
  assertion "(item.data as { fileUrl: string }).fileUrl"; instead, narrow the type
  so TypeScript knows each item has PdfData (e.g., filter or type-guard the items
  array to a Pdf-specific Item type) or add a runtime type guard such as checking
  "if ('fileUrl' in item.data)" before accessing fileUrl; update the mapping that
  produces OcrCandidate in the candidates variable (referencing items, item.data,
  PdfData, buildPdfDataFromUpload and the OcrCandidate construction) to use the
  narrowed type or guard so the cast is removed and the compiler recognizes
  data.fileUrl safely.

---

Nitpick comments:
In @.agents/skills/update/SKILL.md:

• Around line 44-51: The fenced code block in SKILL.md that renders the decision
  tree lacks a language identifier; update the opening fence from totext
  so linters recognize it as plain text and intent is clear (i.e., replace the
  code fence around the ASCII decision tree with ```text and keep the block
  contents unchanged).

In @.agents/skills/vercel-react-best-practices/rules/bundle-preload.md:

• Line 50: Reword the sentence that claims "typeof window !== 'undefined'
  prevents bundling preloaded modules for SSR" to soften it: state that the check
  prevents server-side execution at runtime but does not universally guarantee
  exclusion from server bundles or build artifacts, and recommend phrasing like
  "guards client-side execution but may not remove the module from all SSR/build
  outputs" while keeping the original example typeof window !== 'undefined' for
  clarity.

In @.agents/skills/vercel-react-best-practices/rules/client-event-listeners.md:

• Around line 38-55: The docs should warn that useKeyboardShortcut registers
  callbacks in the shared keyCallbacks Map and that the useEffect depends on the
  callback reference; update the documentation for useKeyboardShortcut to
  recommend callers wrap their handlers with React.useCallback so the callback
  reference remains stable and avoids repeated registrations/teardowns of
  keyCallbacks entries (mention useKeyboardShortcut, keyCallbacks, and the effect
  dependency on callback).

In
@.agents/skills/vercel-react-best-practices/rules/js-cache-function-results.md:

• Around line 29-56: Add a brief caveat about server-side usage: mention that
  the shown module-level cache (slugifyCache and cachedSlugify used in
  ProjectList/ProjectCard) persists across requests in serverless/edge/SSR
  environments and can leak user-specific data; instruct readers to prefer
  client-side use or, for server/SSR, to use request-scoped caching such as
  React's cache() function to ensure isolation.

In @.agents/skills/vercel-react-best-practices/rules/js-length-check-first.md:

• Around line 34-35: The use of Array.prototype.toSorted() for currentSorted and
  originalSorted relies on ES2023 and may break in older runtimes; either add a
  compatibility note near the code block documenting required environments (Chrome
  110+, Firefox 115+, Safari 16+, Node.js 20+) or replace it with a fallback by
  copying-then-sorting (e.g., using [...current].sort() and [...original].sort())
  to ensure broader runtime support; update the markdown around the
  currentSorted/originalSorted example to include the note and the fallback
  snippet.

In @.agents/skills/vercel-react-best-practices/rules/js-min-max-loop.md:

• Line 82: The wording "very large arrays" in the sentence "This works for small
  arrays but can be slower for very large arrays due to spread operator
  limitations." should be tightened to "large arrays" for style consistency; edit
  that sentence in the rule text (js-min-max-loop.md) to read something like "This
  works for small arrays but can be slower for large arrays due to spread operator
  limitations." so the guidance is more concise and specific.

In @.agents/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md:

• Line 45: The text stating .toSorted() availability should include
  authoritative links so readers can verify support; update the sentence that
  lists versions for Chrome, Safari, Firefox and Node.js to append stable
  references (e.g., MDN and/or Can I Use) next to each version number and/or as a
  single parenthetical link covering all, ensuring the .toSorted() identifier
  remains unchanged so it’s easy to find; ensure link URLs point to the MDN page
  for Array.prototype.toSorted and/or the corresponding CanIUse feature page and
  keep the spread-operator fallback note intact.

In
@.agents/skills/vercel-react-best-practices/rules/rendering-content-visibility.md:

• Line 38: The statement "For 1000 messages, browser skips layout/paint for ~990
  off-screen items (10× faster initial render)" is presented as a fixed outcome;
  change it to a qualified, non‑absolute claim by rewording to indicate this is
  benchmark-dependent (device, browser, content, and measurement method may vary),
  e.g., replace the hard "10× faster" with a phrasing like "up to ~10× faster in
  our test" or "can be substantially faster depending on device/browser," and add
  a brief parenthetical or footnote pointing readers to the benchmark methodology
  or noting variability.

In @src/app/api/workspaces/[id]/import/route.ts:

• Around line 38-73: The retry loop in the import route aggressively retries on
  version conflicts (for loop around append_workspace_event) with no pause; add an
  exponential backoff between attempts to reduce contention: calculate a delay
  using attempt index (capped max delay), await a sleep/pause before the next
  iteration when a conflict is detected (after determining conflict from rawResult
  match and before continuing the loop), and keep existing behavior for success
  (call checkAndCreateSnapshot and return) and final failure (throw after
  maxAttempts). Ensure to reference maxAttempts, attempt, append_workspace_event
  result parsing, and checkAndCreateSnapshot when implementing this change.
• Around line 94-102: The loop that validates each file's fields (iterating "for
  (const file of files)") only checks presence of mimeType but not its value;
  update the validation to ensure file.mimeType strictly equals "application/pdf"
  (or matches /^application/pdf$/i) so only PDFs are accepted, and return the
  same 400 NextResponse with a clear error when the check fails; keep the existing
  property checks for storagePath, publicUrl, and displayName and add this
  mimeType check to the same validation block.
• Around line 200-215: The fetch to start OCR (the call that assigns ocrResponse
  and ocrRunId) has no timeout protection; add an AbortController, pass its signal
  to fetch, and set a short timer (e.g. a few seconds) to call controller.abort()
  to avoid hanging; ensure you clear the timer after fetch completes and
  catch/handle the AbortError in the existing catch block so you log a distinct
  message (or set ocrRunId to null) when the request is aborted.

In @src/hooks/workspace/use-workspace-realtime.ts:

• Line 46: The options contract still exposes currentUserId even though
  useWorkspaceRealtime no longer consumes it; remove currentUserId from the
  WorkspaceRealtimeOptions type/comment and stop passing it from RealtimeContext
  (remove it where RealtimeContext.tsx calls useWorkspaceRealtime), and update any
  related JSDoc/comments to avoid misleading API surface—search for the symbols
  currentUserId, WorkspaceRealtimeOptions, useWorkspaceRealtime, and
  RealtimeContext to locate and delete the unused option and its documentation.

</details>

<details>
<summary>🪄 Autofix (Beta)</summary>

Fix all unresolved CodeRabbit comments on this PR:

- [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended)
- [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: defaults

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `0d71ef28-88f1-4ef3-a51c-beb9286fca09`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 70a52e526ae12bc85c7ee4291a8be2bab4dc835d and 7d4e26cc96e5b699cd7e8811cf5fd901e49530ab.

</details>

<details>
<summary>📒 Files selected for processing (64)</summary>

* `.agents/skills/better-auth-best-practices/SKILL.md`
* `.agents/skills/create-auth-skill/SKILL.md`
* `.agents/skills/git-guidelines/SKILL.md`
* `.agents/skills/update/SKILL.md`
* `.agents/skills/update/references/ai-sdk-v6.md`
* `.agents/skills/update/references/assistant-ui.md`
* `.agents/skills/update/references/breaking-changes.md`
* `.agents/skills/vercel-react-best-practices/AGENTS.md`
* `.agents/skills/vercel-react-best-practices/SKILL.md`
* `.agents/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md`
* `.agents/skills/vercel-react-best-practices/rules/advanced-use-latest.md`
* `.agents/skills/vercel-react-best-practices/rules/async-api-routes.md`
* `.agents/skills/vercel-react-best-practices/rules/async-defer-await.md`
* `.agents/skills/vercel-react-best-practices/rules/async-dependencies.md`
* `.agents/skills/vercel-react-best-practices/rules/async-parallel.md`
* `.agents/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md`
* `.agents/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md`
* `.agents/skills/vercel-react-best-practices/rules/bundle-conditional.md`
* `.agents/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md`
* `.agents/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md`
* `.agents/skills/vercel-react-best-practices/rules/bundle-preload.md`
* `.agents/skills/vercel-react-best-practices/rules/client-event-listeners.md`
* `.agents/skills/vercel-react-best-practices/rules/client-localstorage-schema.md`
* `.agents/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md`
* `.agents/skills/vercel-react-best-practices/rules/client-swr-dedup.md`
* `.agents/skills/vercel-react-best-practices/rules/js-batch-dom-css.md`
* `.agents/skills/vercel-react-best-practices/rules/js-cache-function-results.md`
* `.agents/skills/vercel-react-best-practices/rules/js-cache-property-access.md`
* `.agents/skills/vercel-react-best-practices/rules/js-cache-storage.md`
* `.agents/skills/vercel-react-best-practices/rules/js-combine-iterations.md`
* `.agents/skills/vercel-react-best-practices/rules/js-early-exit.md`
* `.agents/skills/vercel-react-best-practices/rules/js-hoist-regexp.md`
* `.agents/skills/vercel-react-best-practices/rules/js-index-maps.md`
* `.agents/skills/vercel-react-best-practices/rules/js-length-check-first.md`
* `.agents/skills/vercel-react-best-practices/rules/js-min-max-loop.md`
* `.agents/skills/vercel-react-best-practices/rules/js-set-map-lookups.md`
* `.agents/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md`
* `.agents/skills/vercel-react-best-practices/rules/rendering-activity.md`
* `.agents/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md`
* `.agents/skills/vercel-react-best-practices/rules/rendering-conditional-render.md`
* `.agents/skills/vercel-react-best-practices/rules/rendering-content-visibility.md`
* `.agents/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md`
* `.agents/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md`
* `.agents/skills/vercel-react-best-practices/rules/rendering-svg-precision.md`
* `.agents/skills/vercel-react-best-practices/rules/rerender-defer-reads.md`
* `.agents/skills/vercel-react-best-practices/rules/rerender-dependencies.md`
* `.agents/skills/vercel-react-best-practices/rules/rerender-derived-state.md`
* `.agents/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md`
* `.agents/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md`
* `.agents/skills/vercel-react-best-practices/rules/rerender-memo.md`
* `.agents/skills/vercel-react-best-practices/rules/rerender-transitions.md`
* `.agents/skills/vercel-react-best-practices/rules/server-after-nonblocking.md`
* `.agents/skills/vercel-react-best-practices/rules/server-cache-lru.md`
* `.agents/skills/vercel-react-best-practices/rules/server-cache-react.md`
* `.agents/skills/vercel-react-best-practices/rules/server-parallel-fetching.md`
* `.agents/skills/vercel-react-best-practices/rules/server-serialization.md`
* `.agents/skills/web-design-guidelines/SKILL.md`
* `.gitignore`
* `AGENTS.md`
* `public/.well-known/workflow/v1/manifest.json`
* `src/app/api/workspaces/[id]/folders/route.ts`
* `src/app/api/workspaces/[id]/import/route.ts`
* `src/hooks/workspace/use-workspace-events.ts`
* `src/hooks/workspace/use-workspace-realtime.ts`

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

.agents/skills/vercel-react-best-practices/AGENTS.md (1)

2319-2354: Section title and implementation are inconsistent (“refs” vs useEffectEvent).

Line 2319 says “Store Event Handlers in Refs,” but the “Correct” example uses useEffectEvent, and Line 2351 labels it as an “Alternative.” This is contradictory and can confuse automated rule application. Either:

• rename the section to Use useEffectEvent for Stable Subscriptions, or
• show a true useRef implementation first, then useEffectEvent as optional.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/skills/vercel-react-best-practices/AGENTS.md around lines 2319 -
2354, Rename the section or align examples so the title matches the
implementation: either change the heading "Store Event Handlers in Refs" to "Use
useEffectEvent for Stable Subscriptions" to match the existing useWindowEvent
example that uses useEffectEvent, or replace the "Correct" example with a true
ref-based implementation (using useRef to store the handler) and then add the
current useEffectEvent example as an alternative; update references to
useWindowEvent, useEffectEvent, and any mention of refs/useRef accordingly so
the title, primary example, and alternative are consistent.

.well-known/workflow/v1/webhook.js (1)

16-20: Error handling masks all failure modes as 404.

The TODO at line 17 correctly identifies this concern. For observability, consider at minimum logging the error type/code to help with debugging, while keeping the 404 response for security. Invalid tokens, expired tokens, and internal errors should ideally have different log-level treatments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.well-known/workflow/v1/webhook.js around lines 16 - 20, In the catch block
inside resumeWebhook, don’t always swallow errors as a generic 404; log the
error type/details for observability while still returning 404 for the client.
Update the catch to inspect the thrown error (e.g., error.name, error.code,
instanceof TokenExpiredError or invalid token check) and emit a richer log
message (console.error or existing logger) that includes error.name/code and
error.stack; keep returning new Response(null, { status: 404 }) to avoid leaking
info to callers.

src/app/api/workspaces/[id]/import/route.ts (1)

141-145: Consider adding a safety limit to the counter loop.

The while loop has no upper bound. While unlikely in practice, a malformed workspace state or adversarial input could cause an infinite loop. A defensive limit would prevent this edge case:

Proposed defensive limit

       let counter = 2;
-      while (hasDuplicateName(accumulatedItems, `${base} (${counter})${ext}`, "pdf", folderId)) {
+      const maxCounter = 10000;
+      while (hasDuplicateName(accumulatedItems, `${base} (${counter})${ext}`, "pdf", folderId) && counter < maxCounter) {
         counter++;
       }
+      if (counter >= maxCounter) {
+        return NextResponse.json({ error: `Unable to generate unique name for "${file.displayName}"` }, { status: 400 });
+      }
       name = `${base} (${counter})${ext}`;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/app/api/workspaces/`[id]/import/route.ts around lines 141 - 145, The
duplicate-name loop using counter in route.ts (variables: counter,
accumulatedItems, base, ext, folderId) lacks an upper bound and can spin
indefinitely; add a safety limit (e.g., const MAX_NAME_ATTEMPTS) and iterate up
to that limit while calling hasDuplicateName, and if exceeded either throw a
clear error or fall back to a deterministic unique suffix (timestamp/UUID)
before assigning name = `${base} (${counter})${ext}` to prevent infinite loops.
Ensure the limit constant and the fallback/throw are used in the same block that
currently updates counter and sets name.

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes