khrees · khrees · Apr 7, 2026 · Apr 5, 2026 · Apr 5, 2026
diff --git a/.gitignore b/.gitignore
@@ -39,3 +39,8 @@ yarn-error.log*
 # typescript
 *.tsbuildinfo
 next-env.d.ts
+
+
+*.db
+
+dev.db.
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,16 @@
+# Grepbase Project Guidelines
+
+## React Patterns
+
+### Hooks Usage
+
+**Do NOT use `useEffect`** for derived state or side effects that can be handled declaratively.
+
+- State initialization should use lazy initializers in `useState`, not `useEffect`
+- Derived values should use `useMemo`, not `useEffect` + state
+- Prefer event handlers over effects for user-triggered changes
+
+If you think you need `useEffect`, consider:
+1. Can this be computed during render?
+2. Can this be handled in an event handler?
+3. Is this truly a side effect that requires synchronization?
diff --git a/dev.db b/dev.db
diff --git a/src/app/api/explain/commit/route.ts b/src/app/api/explain/commit/route.ts
@@ -3,79 +3,40 @@ import { repositories, commits } from '@/db';
 import { eq, and, sql } from 'drizzle-orm';
 import { fetchCommitDiff } from '@/services/github';
 import { explainCommit } from '@/services/explain';
-import { explainRequestSchema } from '@/lib/validation';
+import { explainCommitSchema } from '@/lib/validation';
 import { logger } from '@/lib/logger';
 import { RATE_LIMITS } from '@/lib/constants';
 import { analytics } from '@/lib/analytics';
 import { getDb } from '@/db';
-import {
-    applyPrivateNoStoreHeaders,
-    enforceCsrfProtection,
-    enforceRateLimit,
-    resolveSession,
-} from '@/lib/api-security';
-import { hasRepoAccess } from '@/services/resource-access';
-import { getClientIdFromHeaders, resolveAvailableFilePathsForCommit, resolveProviderConfigFromRequest } from '../utils';
+import { applyPrivateNoStoreHeaders, guardRoute, getClientIdFromHeaders } from '@/lib/api-security';
+import { ensureRepoAccess } from '@/services/resource-access';
+import { resolveAvailableFilePathsForCommit, resolveProviderConfigFromRequest } from '../utils';
 
 export async function POST(request: NextRequest) {
     const requestLogger = logger.child({ endpoint: 'POST /api/explain/commit' });
     const startTime = Date.now();
-    requestLogger.debug({ method: request.method, url: request.url }, 'Request received');
 
     try {
-        const csrfError = enforceCsrfProtection(request);
-        if (csrfError) {
-            requestLogger.warn('CSRF validation failed');
-            return csrfError;
-        }
-
-        const session = await resolveSession(request);
-        if (!session) {
-            requestLogger.warn('Session not found');
-            return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
-        }
-
-        const rateLimitError = await enforceRateLimit(request, {
-            keyPrefix: 'api:explain:commit',
-            limit: RATE_LIMITS.EXPLAIN_API,
-            sessionId: session.sessionId,
+        const guard = await guardRoute(request, {
+            rateLimit: { keyPrefix: 'api:explain:commit', limit: RATE_LIMITS.EXPLAIN_API },
+            analytics: { endpoint: '/api/explain/commit' },
         });
-        if (rateLimitError) {
-            const clientId = getClientIdFromHeaders(request);
-            requestLogger.warn({ clientId }, 'Rate limit exceeded');
-            await analytics.trackRateLimit({ endpoint: '/api/explain/commit', clientId, blocked: true });
-            return rateLimitError.response;
-        }
-
-        const clientId = getClientIdFromHeaders(request);
-        await analytics.trackRateLimit({ endpoint: '/api/explain/commit', clientId, blocked: false });
+        if (!guard.ok) return guard.response;
+        const { session, clientId } = guard;
 
         const db = getDb();
         const rawBody = await request.json().catch(() => null);
-        const parseResult = explainRequestSchema.safeParse(rawBody);
+        const parseResult = explainCommitSchema.safeParse(rawBody);
 
         if (!parseResult.success) {
             return NextResponse.json({ error: 'Validation failed', details: parseResult.error.issues }, { status: 400 });
         }
 
-        const { repoId, commitSha, provider, providerType, model, baseUrl, visibleFiles } = parseResult.data;
+        const { repoId, commitSha, provider, visibleFiles } = parseResult.data;
 
-        if (parseResult.data.type !== 'commit' || !commitSha) {
-            return NextResponse.json({ error: 'Invalid request wrapper for commit' }, { status: 400 });
-        }
-
-        const repoAccess = await hasRepoAccess(repoId, session.sessionId);
-        if (!repoAccess) {
-            requestLogger.warn({ repoId, sessionId: session.sessionId }, 'Repository access denied for explain');
-            return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
-        }
+        await ensureRepoAccess(repoId, session.sessionId, requestLogger);
 
-        const providerConfig = await resolveProviderConfigFromRequest(request, {
-            provider,
-            providerType,
-            baseUrl,
-            model,
-        }, session.sessionId);
+        const providerConfig = await resolveProviderConfigFromRequest(request, provider, session.sessionId);
 
         const repo = await db.select().from(repositories).where(eq(repositories.id, repoId)).limit(1);
         if (repo.length === 0) return NextResponse.json({ error: 'Repository not found' }, { status: 404 });

diff --git a/src/app/api/explain/day-summary/route.ts b/src/app/api/explain/day-summary/route.ts
@@ -1,71 +1,36 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { explainRequestSchema } from '@/lib/validation';
+import { explainDaySummarySchema } from '@/lib/validation';
 import { logger } from '@/lib/logger';
 import { RATE_LIMITS, AI_CONSTANTS } from '@/lib/constants';
 import { analytics } from '@/lib/analytics';
-import {
-    applyPrivateNoStoreHeaders,
-    enforceCsrfProtection,
-    enforceRateLimit,
-    resolveSession,
-} from '@/lib/api-security';
-import { hasRepoAccess } from '@/services/resource-access';
-import { getClientIdFromHeaders, resolveProviderConfigFromRequest } from '../utils';
+import { applyPrivateNoStoreHeaders, guardRoute, getClientIdFromHeaders } from '@/lib/api-security';
+import { ensureRepoAccess } from '@/services/resource-access';
+import { resolveProviderConfigFromRequest } from '../utils';
 
 export async function POST(request: NextRequest) {
     const requestLogger = logger.child({ endpoint: 'POST /api/explain/day-summary' });
     const startTime = Date.now();
 
     try {
-        const csrfError = enforceCsrfProtection(request);
-        if (csrfError) {
-            return csrfError;
-        }
-
-        const session = await resolveSession(request);
-        if (!session) {
-            return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
-        }
-
-        const rateLimitError = await enforceRateLimit(request, {
-            keyPrefix: 'api:explain:day-summary',
-            limit: RATE_LIMITS.EXPLAIN_API,
-            sessionId: session.sessionId,
+        const guard = await guardRoute(request, {
+            rateLimit: { keyPrefix: 'api:explain:day-summary', limit: RATE_LIMITS.EXPLAIN_API },
+            analytics: { endpoint: '/api/explain/day-summary' },
         });
-        if (rateLimitError) {
-            const clientId = getClientIdFromHeaders(request);
-            requestLogger.warn({ clientId }, 'Rate limit exceeded');
-            await analytics.trackRateLimit({ endpoint: '/api/explain/day-summary', clientId, blocked: true });
-            return rateLimitError.response;
-        }
-
-        const clientId = getClientIdFromHeaders(request);
-        await analytics.trackRateLimit({ endpoint: '/api/explain/day-summary', clientId, blocked: false });
+        if (!guard.ok) return guard.response;
+        const { session, clientId } = guard;
 
         const rawBody = await request.json().catch(() => null);
-        const parseResult = explainRequestSchema.safeParse(rawBody);
+        const parseResult = explainDaySummarySchema.safeParse(rawBody);
 
         if (!parseResult.success) {
             return NextResponse.json({ error: 'Validation failed', details: parseResult.error.issues }, { status: 400 });
         }
 
-        const { repoId, commits: dayCommits, projectName, projectOwner, provider, providerType, model, baseUrl } = parseResult.data;
+        const { repoId, commits: dayCommits, projectName, projectOwner, provider } = parseResult.data;
 
-        if (parseResult.data.type !== 'day-summary' || !dayCommits || dayCommits.length === 0) {
-            return NextResponse.json({ error: 'Invalid request wrapper for day-summary' }, { status: 400 });
-        }
-
-        const repoAccess = await hasRepoAccess(repoId, session.sessionId);
-        if (!repoAccess) {
-            return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
-        }
+        await ensureRepoAccess(repoId, session.sessionId, requestLogger);
 
-        const providerConfig = await resolveProviderConfigFromRequest(request, {
-            provider,
-            providerType,
-            baseUrl,
-            model,
-        }, session.sessionId);
+        const providerConfig = await resolveProviderConfigFromRequest(request, provider, session.sessionId);
 
         const { streamText } = await import('ai');
         const { createAIProviderAsync } = await import('@/services/ai-providers');

diff --git a/src/app/api/explain/project/route.ts b/src/app/api/explain/project/route.ts
@@ -2,75 +2,40 @@ import { NextRequest, NextResponse } from 'next/server';
 import { repositories, commits } from '@/db';
 import { eq, sql } from 'drizzle-orm';
 import { explainProject } from '@/services/explain';
-import { explainRequestSchema } from '@/lib/validation';
+import { explainProjectSchema } from '@/lib/validation';
 import { logger } from '@/lib/logger';
 import { RATE_LIMITS } from '@/lib/constants';
 import { analytics } from '@/lib/analytics';
 import { getDb } from '@/db';
-import {
-    applyPrivateNoStoreHeaders,
-    enforceCsrfProtection,
-    enforceRateLimit,
-    resolveSession,
-} from '@/lib/api-security';
-import { hasRepoAccess } from '@/services/resource-access';
-import { getClientIdFromHeaders, resolveProviderConfigFromRequest } from '../utils';
+import { applyPrivateNoStoreHeaders, guardRoute, getClientIdFromHeaders } from '@/lib/api-security';
+import { ensureRepoAccess } from '@/services/resource-access';
+import { resolveProviderConfigFromRequest } from '../utils';
 
 export async function POST(request: NextRequest) {
     const requestLogger = logger.child({ endpoint: 'POST /api/explain/project' });
     const startTime = Date.now();
 
     try {
-        const csrfError = enforceCsrfProtection(request);
-        if (csrfError) {
-            return csrfError;
-        }
-
-        const session = await resolveSession(request);
-        if (!session) {
-            return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
-        }
-
-        const rateLimitError = await enforceRateLimit(request, {
-            keyPrefix: 'api:explain:project',
-            limit: RATE_LIMITS.EXPLAIN_API,
-            sessionId: session.sessionId,
+        const guard = await guardRoute(request, {
+            rateLimit: { keyPrefix: 'api:explain:project', limit: RATE_LIMITS.EXPLAIN_API },
+            analytics: { endpoint: '/api/explain/project' },
         });
-        if (rateLimitError) {
-            const clientId = getClientIdFromHeaders(request);
-            requestLogger.warn({ clientId }, 'Rate limit exceeded');
-            await analytics.trackRateLimit({ endpoint: '/api/explain/project', clientId, blocked: true });
-            return rateLimitError.response;
-        }
-
-        const clientId = getClientIdFromHeaders(request);
-        await analytics.trackRateLimit({ endpoint: '/api/explain/project', clientId, blocked: false });
+        if (!guard.ok) return guard.response;
+        const { session, clientId } = guard;
 
         const db = getDb();
         const rawBody = await request.json().catch(() => null);
-        const parseResult = explainRequestSchema.safeParse(rawBody);
+        const parseResult = explainProjectSchema.safeParse(rawBody);
 
         if (!parseResult.success) {
             return NextResponse.json({ error: 'Validation failed', details: parseResult.error.issues }, { status: 400 });
         }
 
-        const { repoId, provider, providerType, model, baseUrl } = parseResult.data;
+        const { repoId, provider } = parseResult.data;
 
-        if (parseResult.data.type !== 'project') {
-            return NextResponse.json({ error: 'Invalid request wrapper for project' }, { status: 400 });
-        }
-
-        const repoAccess = await hasRepoAccess(repoId, session.sessionId);
-        if (!repoAccess) {
-            return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
-        }
+        await ensureRepoAccess(repoId, session.sessionId, requestLogger);
 
-        const providerConfig = await resolveProviderConfigFromRequest(request, {
-            provider,
-            providerType,
-            baseUrl,
-            model,
-        }, session.sessionId);
+        const providerConfig = await resolveProviderConfigFromRequest(request, provider, session.sessionId);
 
         const repo = await db.select().from(repositories).where(eq(repositories.id, repoId)).limit(1);
         if (repo.length === 0) return NextResponse.json({ error: 'Repository not found' }, { status: 404 });

diff --git a/src/app/api/explain/question/route.ts b/src/app/api/explain/question/route.ts
@@ -2,75 +2,40 @@ import { NextRequest, NextResponse } from 'next/server';
 import { repositories, commits } from '@/db';
 import { eq, and, sql } from 'drizzle-orm';
 import { answerQuestion } from '@/services/explain';
-import { explainRequestSchema } from '@/lib/validation';
+import { explainQuestionSchema } from '@/lib/validation';
 import { logger } from '@/lib/logger';
 import { RATE_LIMITS } from '@/lib/constants';
 import { analytics } from '@/lib/analytics';
 import { getDb } from '@/db';
-import {
-    applyPrivateNoStoreHeaders,
-    enforceCsrfProtection,
-    enforceRateLimit,
-    resolveSession,
-} from '@/lib/api-security';
-import { hasRepoAccess } from '@/services/resource-access';
-import { getClientIdFromHeaders, resolveAvailableFilePathsForCommit, resolveProviderConfigFromRequest } from '../utils';
+import { applyPrivateNoStoreHeaders, guardRoute, getClientIdFromHeaders } from '@/lib/api-security';
+import { ensureRepoAccess } from '@/services/resource-access';
+import { resolveAvailableFilePathsForCommit, resolveProviderConfigFromRequest } from '../utils';
 
 export async function POST(request: NextRequest) {
     const requestLogger = logger.child({ endpoint: 'POST /api/explain/question' });
     const startTime = Date.now();
 
     try {
-        const csrfError = enforceCsrfProtection(request);
-        if (csrfError) {
-            return csrfError;
-        }
-
-        const session = await resolveSession(request);
-        if (!session) {
-            return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
-        }
-
-        const rateLimitError = await enforceRateLimit(request, {
-            keyPrefix: 'api:explain:question',
-            limit: RATE_LIMITS.EXPLAIN_API,
-            sessionId: session.sessionId,
+        const guard = await guardRoute(request, {
+            rateLimit: { keyPrefix: 'api:explain:question', limit: RATE_LIMITS.EXPLAIN_API },
+            analytics: { endpoint: '/api/explain/question' },
         });
-        if (rateLimitError) {
-            const clientId = getClientIdFromHeaders(request);
-            requestLogger.warn({ clientId }, 'Rate limit exceeded');
-            await analytics.trackRateLimit({ endpoint: '/api/explain/question', clientId, blocked: true });
-            return rateLimitError.response;
-        }
-
-        const clientId = getClientIdFromHeaders(request);
-        await analytics.trackRateLimit({ endpoint: '/api/explain/question', clientId, blocked: false });
+        if (!guard.ok) return guard.response;
+        const { session, clientId } = guard;
 
         const db = getDb();
         const rawBody = await request.json().catch(() => null);
-        const parseResult = explainRequestSchema.safeParse(rawBody);
+        const parseResult = explainQuestionSchema.safeParse(rawBody);
 
         if (!parseResult.success) {
             return NextResponse.json({ error: 'Validation failed', details: parseResult.error.issues }, { status: 400 });
         }
 
-        const { repoId, commitSha, question, provider, providerType, model, baseUrl, visibleFiles } = parseResult.data;
+        const { repoId, commitSha, question, provider, visibleFiles } = parseResult.data;
 
-        if (parseResult.data.type !== 'question' || !question) {
-            return NextResponse.json({ error: 'Invalid request wrapper for question' }, { status: 400 });
-        }
-
-        const repoAccess = await hasRepoAccess(repoId, session.sessionId);
-        if (!repoAccess) {
-            return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
-        }
+        await ensureRepoAccess(repoId, session.sessionId, requestLogger);
 
-        const providerConfig = await resolveProviderConfigFromRequest(request, {
-            provider,
-            providerType,
-            baseUrl,
-            model,
-        }, session.sessionId);
+        const providerConfig = await resolveProviderConfigFromRequest(request, provider, session.sessionId);
 
         const repo = await db.select().from(repositories).where(eq(repositories.id, repoId)).limit(1);
         if (repo.length === 0) return NextResponse.json({ error: 'Repository not found' }, { status: 404 });