feat: implement AI-powered requirement analysis with hidden internal pricing logic (#76)

[devin-ai-integration]

Summary

Adds an AI-powered project estimation system where clients enter a natural-language project description and receive an instant cost/timeline estimate — while all pricing formulas, multipliers, and profit margins remain completely hidden server-side.

Architecture

Client (browser)                      Firebase Cloud Function
─────────────────                     ──────────────────────
  description ─── httpsCallable ───►  1. Read PricingConfig from Firestore
                                      2. Build system prompt w/ hidden pricing
                                      3. Call Gemini 1.5 Flash
                                      4. Parse & clamp estimate
  ◄── { features, cost, timeline } ── 5. Return ONLY safe client-facing data

Pricing config, AI prompts, base prices, complexity multipliers, and calculation formulas never leave the server. API responses contain only: feature analysis, complexity scores, cost range, timeline, and a human-readable explanation.

What's new

functions/src/index.ts — Firebase Cloud Function (analyzeProject):

• Reads pricingConfig/default from Firestore (falls back to built-in defaults)
• Constructs a detailed system prompt with all internal pricing rules
• Calls Gemini API with responseMimeType: "application/json" for structured output
• Validates, clamps costs within [minimumProjectCost, maximumProjectCost], and strips internal data before returning
• Saves each estimation to estimations collection for audit/history

src/dashboard/pages/ProjectEstimation.tsx — Client-facing estimation page:

• Textarea form for free-form project descriptions
• Animated results display: project type, feature breakdown table with complexity badges, cost range, timeline, AI explanation
• Expandable estimation history loaded from Firestore

src/dashboard/pages/PricingConfig.tsx — Admin pricing configuration page:

• Editable grid of feature base prices (INR), add/remove features
• Complexity multiplier inputs (low/medium/high/enterprise)
• Estimation rule inputs (min/max cost, buffer %, risk factor)
• Saves to pricingConfig/default in Firestore — changes apply to next estimation without any frontend deployment

Deployment prerequisites

1. Firebase Blaze plan (required for Cloud Functions)
2. Set the Gemini API key as a Cloud Function secret:

   firebase functions:secrets:set GEMINI_API_KEY

3. Install function dependencies and deploy:

   cd functions && npm install && cd .. && firebase deploy --only functions

4. Set Firestore security rules to restrict pricingConfig to admin-only access

Closes #76

Link to Devin session: https://app.devin.ai/sessions/c46ef0652e464fe8b81fbb3cc5147eb3
Requested by: @hrx01-dev

Summary by CodeRabbit

Release Notes

• New Features

  • AI project estimation tool that analyzes project descriptions to generate cost and timeline estimates
  • Pricing configuration management interface for customizing estimation models
  • Updated dashboard with new estimation and pricing pages

• Chores

  • Set up Firebase Cloud Functions infrastructure with TypeScript configuration
  • Updated configuration files to support new functions module

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces an end-to-end AI project estimation feature. A new Firebase Cloud Function (analyzeProject) accepts authenticated requests, loads pricing configuration from Firestore, calls Gemini to analyze a project description, persists results, and returns a sanitized estimate. Two dashboard pages — ProjectEstimation (user-facing) and PricingConfig (admin) — are added with corresponding routing, navigation entries, and a shared client-side service layer.

Changes

AI Project Estimation Feature

Layer / File(s)	Summary
Shared types and functions project setup src/dashboard/types.ts, functions/package.json, functions/tsconfig.json, functions/.gitignore, firebase.json, eslint.config.js	Adds FeatureAnalysis, EstimationResult, and EstimationRecord TypeScript interfaces. Establishes the functions sub-project with build scripts, Node 20 engine pin, TypeScript compiler config, and updates firebase.json with a functions block (source, ignore list, predeploy build step) and eslint.config.js to ignore the functions directory.
Cloud Function: pricing config, prompt building, and analyzeProject callable functions/src/index.ts	Initializes Firebase Admin and Firestore, defines the GEMINI_API_KEY secret and internal interfaces, implements getPricingConfig() with Firestore read and DEFAULT_PRICING fallback, implements buildSystemPrompt() embedding pricing rules and a strict JSON schema, and implements the analyzeProject callable with auth enforcement, input validation, Gemini call, JSON parsing/clamping, Firestore write, sanitized response, and error handling.
Client-side estimation service src/dashboard/services/estimationService.ts	Adds analyzeProject() wrapping the Firebase callable and mapping the response to EstimationResult, and fetchEstimationHistory() querying the estimations Firestore collection filtered by userId ordered by createdAt descending.
PricingConfig admin page src/dashboard/pages/PricingConfig.tsx	Implements the full admin pricing page with DEFAULT_CONFIG constants, a formatFeatureLabel helper, Firestore load/save lifecycle, mutators for feature prices/multipliers/estimation rules, loading spinner, Reset/Save controls, error/success banners, and three editable cards (Feature Base Prices, Complexity Multipliers, Estimation Rules).
ProjectEstimation user-facing page src/dashboard/pages/ProjectEstimation.tsx	Implements ComplexityBadge, EstimationResults, and HistoryItem subcomponents, plus the main ProjectEstimation component with description input, analyzeProject submission, async loading/error states, results display, and an expandable history panel backed by fetchEstimationHistory.
App routing and dashboard navigation wiring src/app/App.tsx, src/dashboard/components/DashboardLayout.tsx	Registers /dashboard/estimation and /dashboard/pricing-config routes in App.tsx, and extends DashboardLayout NAV_ITEMS with AI Estimate (Sparkles icon) and Pricing Config (Settings2 icon) entries.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant ProjectEstimation as ProjectEstimation (React)
  participant estimationService as estimationService
  participant analyzeProject as analyzeProject (Cloud Function)
  participant Gemini as Gemini API
  participant Firestore

  User->>ProjectEstimation: submits project description
  ProjectEstimation->>estimationService: analyzeProject(description)
  estimationService->>analyzeProject: httpsCallable({ description })
  analyzeProject->>Firestore: getDoc(pricingConfig/default)
  Firestore-->>analyzeProject: PricingConfig or DEFAULT_PRICING
  analyzeProject->>Gemini: generateContent(systemPrompt + description)
  Gemini-->>analyzeProject: JSON estimation response
  analyzeProject->>Firestore: setDoc(estimations/{id}, result)
  analyzeProject-->>estimationService: sanitized EstimationResult
  estimationService-->>ProjectEstimation: EstimationResult
  ProjectEstimation-->>User: renders results view

  User->>ProjectEstimation: clicks "History"
  ProjectEstimation->>estimationService: fetchEstimationHistory(uid)
  estimationService->>Firestore: query estimations where userId==uid orderBy createdAt desc
  Firestore-->>estimationService: EstimationRecord[]
  estimationService-->>ProjectEstimation: EstimationRecord[]
  ProjectEstimation-->>User: renders expandable history panel

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• hrx01-dev/Servio#61: Directly modifies firebase.json to set up the hosting block; this PR adds a functions block to the same file.
• hrx01-dev/Servio#68: Establishes the /dashboard route and DashboardLayout structure that this PR extends with two new NAV_ITEMS entries and routes.
• hrx01-dev/Servio#41: Modifies src/app/App.tsx routing configuration, the same file this PR extends with /dashboard/estimation and /dashboard/pricing-config routes.

Suggested reviewers

• hrx01-dev

Poem

🐇 Hop hop, the rabbit types away,
A Gemini prompt to save the day!
Features extracted, costs concealed,
Pricing config—safely sealed.
From description to estimate bright,
The dashboard gleams with AI light! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: implementing an AI-powered requirement analysis system with hidden internal pricing logic, which matches the primary objective of the PR.
Linked Issues check	✅ Passed	The PR fully implements all coding requirements from issue #76: AI-powered project description analysis [#76], hidden server-side pricing logic [#76], admin configuration interface for pricing [#76], client-safe API responses [#76], Firestore-backed configuration [#76], and proper validation/error handling [#76].
Out of Scope Changes check	✅ Passed	All changes are directly in-scope: Firebase Cloud Function setup, pricing configuration persistence, two new dashboard pages, routing updates, and supporting service/type definitions align with issue #76 objectives.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch devin/1781983222-ai-requirement-analysis

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Visit the preview URL for this PR (updated for commit b21dc1b):

https://servio-0--pr77-devin-1781983222-ai-qunfq4zq.web.app

_{(expires Sat, 27 Jun 2026 19:27:05 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

_{Sign: 15915abb5951eb298a844eda460b24f444d93a69}

[coderabbitai]

Actionable comments posted: 12

🧹 Nitpick comments (2)

src/dashboard/components/DashboardLayout.tsx (1)

32-33: ⚡ Quick win

Render Pricing Config nav item conditionally for admins only.

At Line 33, the admin config link is included for all dashboard users. Gate this item behind the same admin check used by the route guard to avoid exposing privileged navigation to non-admin users.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/dashboard/components/DashboardLayout.tsx` around lines 32 - 33, The
"Pricing Config" navigation item in the DashboardLayout is currently visible to
all users. Locate the existing admin authentication check used by the route
guard (likely an isAdmin variable or similar admin verification logic) and use
it to conditionally render only the navigation item with label "Pricing Config"
- filter this item to only display when the user has admin privileges, ensuring
non-admin users do not see this navigation link.

eslint.config.js (1)

8-8: ⚡ Quick win

Keep Cloud Functions in lint scope.

Excluding functions/ disables static checks on the new server-side estimation logic; this increases regression risk on a critical path.

Suggested change

-  { ignores: ['dist', 'node_modules', 'functions'] },
+  { ignores: ['dist', 'node_modules'] },

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@eslint.config.js` at line 8, Remove 'functions' from the ignores array in the
eslint configuration object in eslint.config.js. The ignores array should only
contain 'dist' and 'node_modules' to keep Cloud Functions within the lint scope
and ensure static checks are performed on the server-side estimation logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@functions/src/index.ts`:
- Around line 98-140: Remove all internal pricing rules, multipliers, and cost
calculation logic from the AI prompt template. The prompt should only request
feature extraction and classification (name, complexity level, estimated
effort). Move the cost calculation, timeline estimation, and explanation
generation to server-side code that runs after receiving the model's feature
classification response. Ensure the final JSON response returned to the client
only includes deterministically calculated values from the server, never
free-form text from the model that could echo internal pricing rules. Update the
JSON schema to match the new structure with only client-safe fields.
- Around line 77-87: The getPricingConfig function directly casts Firestore
document data as PricingConfig without validation, which allows partial or
invalid documents to be returned and cause runtime failures downstream when
accessing properties like featurePricing. Instead of directly casting doc.data()
as PricingConfig, retrieve the data and merge it with DEFAULT_PRICING using
Object.assign or spread operator to ensure all required fields are present with
valid defaults, then return the merged result. This ensures the function always
returns a complete valid PricingConfig even if the Firestore document is partial
or missing fields.
- Around line 221-241: The validation block for the AI response is incomplete
and allows non-numeric estimatedCostMin and estimatedCostMax values to pass
through, resulting in NaN values after clamping operations. Enhance the
validation checks to verify that estimatedCostMin and estimatedCostMax are valid
numbers before the clamping operations, and validate that projectType matches
expected enum values. Add these type and value checks to the existing validation
condition before any mutation or Firestore write occurs to prevent corrupted
records from being persisted.

In `@src/app/App.tsx`:
- Around line 143-144: The Route for pricing-config with the PricingConfig
element needs admin authorization protection beyond just authentication. Wrap
the PricingConfig component with an admin-only authorization guard component
that checks the user's admin status before allowing access to the route. This
guard should verify admin privileges and prevent non-admin authenticated users
from accessing the pricing configuration screen.

In `@src/dashboard/pages/PricingConfig.tsx`:
- Around line 111-127: The handleSave function does not validate the pricing
configuration before saving it to the database, allowing invalid states like
minimum greater than maximum or negative multipliers to be persisted. Add
validation logic at the beginning of handleSave (before the try block or as the
first step within it) that checks the config object for invalid invariants such
as minimum being greater than maximum and multipliers being negative. If
validation fails, set an appropriate error message using setError and return
early to prevent the setDoc call from executing with invalid data.
- Around line 98-101: The setConfig call directly replaces the entire config
state with snap.data() from Firestore, which can cause errors later if the
remote document is missing nested keys like featurePricing. Instead of calling
setConfig(snap.data() as PricingConfig), merge the remote data onto
DEFAULT_CONFIG using a spread operator or Object.assign pattern to preserve all
schema-safe defaults. This ensures that any missing nested properties from the
Firestore document will retain their default values, preventing runtime errors
when accessing properties like Object.entries(config.featurePricing).
- Around line 98-99: Add security controls for admin-only access to the
pricingConfig document. First, create a Firestore Security Rules file that
restricts both reads and writes to the pricingConfig collection (specifically
the default document) to users with an admin role claim. Second, add a
client-side authentication check in the PricingConfig component that verifies
the current user has admin privileges before allowing the setDoc call and before
rendering the save button, ensuring non-admin users cannot perform these
operations even if they reach this page.

In `@src/dashboard/pages/ProjectEstimation.tsx`:
- Around line 371-382: The textarea element with id "project-description"
displays a character counter showing description.length/5000 characters but does
not enforce the 5000-character limit on input, allowing users to exceed the
limit and experience failed submissions. Add a maxLength attribute set to 5000
to the textarea element to prevent users from typing more than 5000 characters
client-side, ensuring the input validation happens before submission and matches
what the UI counter promises.
- Around line 120-123: The key prop for the motion.tr element in the feature
mapping is using only feature.name, which can cause React reconciliation issues
when duplicate feature names are returned by Gemini. Create a stable composite
key by combining the index parameter (idx) with the feature.name (for example
using template literals like `${idx}-${feature.name}`) in the key prop to ensure
uniqueness even when feature names are duplicated.
- Around line 223-229: The code is using toLocaleDateString() with hour and
minute options, which violates the ECMAScript specification and may throw a
TypeError since this method is designed for date-only formatting. Replace the
toLocaleDateString() call on the Date object for record.createdAt with
toLocaleString() instead, keeping the same options object (day, month, year,
hour, minute) since toLocaleString() properly supports both date and time
formatting options together.

In `@src/dashboard/services/estimationService.ts`:
- Around line 58-61: The map operation in the return statement performs a blind
cast to EstimationRecord without validating required fields, and spreading
d.data() after id allows a payload id field in the Firestore document to
override the document ID. Add validation inside the map to check that each
document contains required fields like result and createdAt before casting, and
ensure the document ID is not overridable by either placing id after the spread
or by filtering the spread to only include expected fields. Consider throwing an
error or logging a warning for invalid documents to prevent silent failures
during history rendering.
- Around line 51-55: The query in estimationService.ts that combines a where
clause on the "userId" field with orderBy on the "createdAt" field for the
"estimations" collection requires a composite Firestore index to function
properly. Add a composite index to your firestore.indexes.json file that covers
the "estimations" collection with the "userId" field (for filtering) and
"createdAt" field (for descending sort order) to resolve the runtime
failed-precondition error that will occur without this index.

---

Nitpick comments:
In `@eslint.config.js`:
- Line 8: Remove 'functions' from the ignores array in the eslint configuration
object in eslint.config.js. The ignores array should only contain 'dist' and
'node_modules' to keep Cloud Functions within the lint scope and ensure static
checks are performed on the server-side estimation logic.

In `@src/dashboard/components/DashboardLayout.tsx`:
- Around line 32-33: The "Pricing Config" navigation item in the DashboardLayout
is currently visible to all users. Locate the existing admin authentication
check used by the route guard (likely an isAdmin variable or similar admin
verification logic) and use it to conditionally render only the navigation item
with label "Pricing Config" - filter this item to only display when the user has
admin privileges, ensuring non-admin users do not see this navigation link.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 446e518a-bb64-4763-a161-0c7e07e64a91

📥 Commits

Reviewing files that changed from the base of the PR and between 92f57e1 and b21dc1b.

📒 Files selected for processing (12)

• eslint.config.js
• firebase.json
• functions/.gitignore
• functions/package.json
• functions/src/index.ts
• functions/tsconfig.json
• src/app/App.tsx
• src/dashboard/components/DashboardLayout.tsx
• src/dashboard/pages/PricingConfig.tsx
• src/dashboard/pages/ProjectEstimation.tsx
• src/dashboard/services/estimationService.ts
• src/dashboard/types.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate and merge Firestore config before using it.

On Line 81, direct casting (doc.data() as PricingConfig) can accept partial/invalid docs; then Object.entries(pricing.featurePricing) can throw at runtime and fail all requests.

Suggested hardening

 async function getPricingConfig(): Promise<PricingConfig> {
   try {
     const doc = await db.doc("pricingConfig/default").get();
     if (doc.exists) {
-      return doc.data() as PricingConfig;
+      const raw = doc.data() as Partial<PricingConfig>;
+      const merged: PricingConfig = {
+        ...DEFAULT_PRICING,
+        ...raw,
+        featurePricing: {
+          ...DEFAULT_PRICING.featurePricing,
+          ...(raw.featurePricing ?? {}),
+        },
+        complexityMultipliers: {
+          ...DEFAULT_PRICING.complexityMultipliers,
+          ...(raw.complexityMultipliers ?? {}),
+        },
+      };
+
+      if (
+        !Number.isFinite(merged.minimumProjectCost) ||
+        !Number.isFinite(merged.maximumProjectCost) ||
+        merged.minimumProjectCost > merged.maximumProjectCost
+      ) {
+        return DEFAULT_PRICING;
+      }
+
+      return merged;
     }
   } catch {
     // Fall back to defaults
   }
   return DEFAULT_PRICING;
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@functions/src/index.ts` around lines 77 - 87, The getPricingConfig function
directly casts Firestore document data as PricingConfig without validation,
which allows partial or invalid documents to be returned and cause runtime
failures downstream when accessing properties like featurePricing. Instead of
directly casting doc.data() as PricingConfig, retrieve the data and merge it
with DEFAULT_PRICING using Object.assign or spread operator to ensure all
required fields are present with valid defaults, then return the merged result.
This ensures the function always returns a complete valid PricingConfig even if
the Firestore document is partial or missing fields.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Internal pricing logic can leak via model output.

The prompt embeds full internal pricing rules, and explanation is returned verbatim from model output. A crafted user description can coerce disclosure of those rules, violating the server-only secrecy objective.

A safer design is: use AI only for feature extraction/classification, compute cost/timeline/explanation deterministically on the server, and never return free-form model text that can echo internal rules.

Also applies to: 251-264

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@functions/src/index.ts` around lines 98 - 140, Remove all internal pricing
rules, multipliers, and cost calculation logic from the AI prompt template. The
prompt should only request feature extraction and classification (name,
complexity level, estimated effort). Move the cost calculation, timeline
estimation, and explanation generation to server-side code that runs after
receiving the model's feature classification response. Ensure the final JSON
response returned to the client only includes deterministically calculated
values from the server, never free-form text from the model that could echo
internal pricing rules. Update the JSON schema to match the new structure with
only client-safe fields.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

AI response validation is too shallow for persisted data.

The current checks allow non-numeric or missing estimatedCostMin/estimatedCostMax, which can produce NaN after clamping and persist corrupted records. Validate all required fields/types/enums before mutation and Firestore write.

Suggested validation gate

+const COMPLEXITIES = new Set(["low", "medium", "high", "enterprise"]);
+const isFiniteNumber = (v: unknown): v is number =>
+  typeof v === "number" && Number.isFinite(v);

       // Validate and sanitize the response
       if (
         !estimation.projectType ||
         !estimation.features ||
-        !Array.isArray(estimation.features)
+        !Array.isArray(estimation.features) ||
+        !isFiniteNumber(estimation.estimatedCostMin) ||
+        !isFiniteNumber(estimation.estimatedCostMax) ||
+        typeof estimation.estimatedTimeline !== "string" ||
+        typeof estimation.explanation !== "string" ||
+        !COMPLEXITIES.has(estimation.overallComplexity) ||
+        estimation.features.some(
+          (f) =>
+            !f ||
+            typeof f.name !== "string" ||
+            !COMPLEXITIES.has(f.complexity) ||
+            typeof f.estimatedEffort !== "string"
+        )
       ) {
         throw new HttpsError(
           "internal",
           "AI returned an invalid response. Please try again."
         );
       }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@functions/src/index.ts` around lines 221 - 241, The validation block for the
AI response is incomplete and allows non-numeric estimatedCostMin and
estimatedCostMax values to pass through, resulting in NaN values after clamping
operations. Enhance the validation checks to verify that estimatedCostMin and
estimatedCostMax are valid numbers before the clamping operations, and validate
that projectType matches expected enum values. Add these type and value checks
to the existing validation condition before any mutation or Firestore write
occurs to prevent corrupted records from being persisted.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit admin authorization for the pricing route.

At Line 143-144, /dashboard/pricing-config is protected only by authentication, not admin authorization. This allows any signed-in user to access the admin config screen and attempt privileged config writes. Please wrap this route with an admin-only guard (in addition to Firestore rules).

Suggested route-level fix

- <Route path="pricing-config" element={<PricingConfig />} />
+ <Route
+   path="pricing-config"
+   element={
+     <AdminRoute>
+       <PricingConfig />
+     </AdminRoute>
+   }
+ />

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/app/App.tsx` around lines 143 - 144, The Route for pricing-config with
the PricingConfig element needs admin authorization protection beyond just
authentication. Wrap the PricingConfig component with an admin-only
authorization guard component that checks the user's admin status before
allowing access to the route. This guard should verify admin privileges and
prevent non-admin authenticated users from accessing the pricing configuration
screen.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

RULES_FILE="$(fd -HI '^firestore\.rules$' | head -n1 || true)"
if [ -z "${RULES_FILE}" ]; then
  echo "No firestore.rules file found."
  exit 0
fi

echo "Inspecting ${RULES_FILE}"
rg -n -C4 'pricingConfig|estimations|isAdmin|request\.auth|customClaims|uid' "${RULES_FILE}"

Repository: hrx01-dev/Servio

Length of output: 91

---

🏁 Script executed:

# Search for firestore.rules more broadly and check alternative names
find . -type f \( -name "*firestore*" -o -name "*rules*" \) ! -path "*/node_modules/*" ! -path "*/.git/*" 2>/dev/null | head -20

Repository: hrx01-dev/Servio

Length of output: 42

---

🏁 Script executed:

# Read the specific lines mentioned in the review
sed -n '95,120p' src/dashboard/pages/PricingConfig.tsx

Repository: hrx01-dev/Servio

Length of output: 684

---

🏁 Script executed:

# Search for Firestore initialization and configuration
rg -i "firebase|firestore" --type ts --type tsx -l | head -10

Repository: hrx01-dev/Servio

Length of output: 88

---

🏁 Script executed:

# Search for any auth/admin checks in the file
rg -i "admin|auth|isAdmin|uid|getCurrentUser|getAuth" src/dashboard/pages/PricingConfig.tsx -A 3 -B 3

Repository: hrx01-dev/Servio

Length of output: 228

---

🏁 Script executed:

# Look for Firestore config files and security setup
find . -type f \( -name "*.rules" -o -name "*firebase*" -o -name "*config*" \) ! -path "*/node_modules/*" ! -path "*/.git/*" -o -name "firestore.json" 2>/dev/null | head -20

Repository: hrx01-dev/Servio

Length of output: 297

---

🏁 Script executed:

# Check if there are any auth/admin utility functions being imported
head -50 src/dashboard/pages/PricingConfig.tsx

Repository: hrx01-dev/Servio

Length of output: 1275

---

🏁 Script executed:

# Check firebase.json for rules configuration
cat firebase.json

Repository: hrx01-dev/Servio

Length of output: 1002

---

🏁 Script executed:

# Check the firebase deployment workflow to see where rules might be
cat .github/workflows/firebase-deploy.yml

Repository: hrx01-dev/Servio

Length of output: 1532

---

🏁 Script executed:

# Look for any auth checks in the full PricingConfig.tsx file
wc -l src/dashboard/pages/PricingConfig.tsx

Repository: hrx01-dev/Servio

Length of output: 102

---

🏁 Script executed:

# Search for Firestore rules in firebase functions or other locations
find . -type f -name "*.rules" 2>/dev/null

Repository: hrx01-dev/Servio

Length of output: 42

---

🏁 Script executed:

# Check if there's authentication context or hooks being used
rg -i "useAuth|useUser|getCurrentUser|isAdmin" src/dashboard/pages/PricingConfig.tsx

Repository: hrx01-dev/Servio

Length of output: 42

---

🏁 Script executed:

# Read the full handleSave function and any auth checks
sed -n '100,180p' src/dashboard/pages/PricingConfig.tsx

Repository: hrx01-dev/Servio

Length of output: 1993

---

🏁 Script executed:

# Search for any role/permission checks in the entire dashboard directory
rg -i "admin|role|permission|isAdmin|canEdit" src/dashboard/ -l

Repository: hrx01-dev/Servio

Length of output: 42

---

🏁 Script executed:

# Check the Firebase initialization to see if auth is set up at all
cat src/Firebase/firebase.ts

Repository: hrx01-dev/Servio

Length of output: 855

---

Add Firestore Security Rules and client-side authentication checks for admin-only access to pricingConfig.

This page performs direct client reads and writes to pricingConfig/default with no access control. No Firestore Security Rules file exists, and the code contains no admin verification, allowing any authenticated user to modify global pricing configuration. This requires immediate fixes:

1. Create and deploy Firestore Security Rules restricting pricingConfig/default to admin-only reads/writes.
2. Add client-side admin role verification before rendering the save button and executing the setDoc call (line ~117).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/dashboard/pages/PricingConfig.tsx` around lines 98 - 99, Add security
controls for admin-only access to the pricingConfig document. First, create a
Firestore Security Rules file that restricts both reads and writes to the
pricingConfig collection (specifically the default document) to users with an
admin role claim. Second, add a client-side authentication check in the
PricingConfig component that verifies the current user has admin privileges
before allowing the setDoc call and before rendering the save button, ensuring
non-admin users cannot perform these operations even if they reach this page.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use a stable unique key for feature rows.

Using feature.name alone can collide when Gemini returns duplicate feature names, causing unstable row reconciliation.

Suggested fix

-                    key={feature.name}
+                    key={`${feature.name}-${idx}`}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/dashboard/pages/ProjectEstimation.tsx` around lines 120 - 123, The key
prop for the motion.tr element in the feature mapping is using only
feature.name, which can cause React reconciliation issues when duplicate feature
names are returned by Gemini. Create a stable composite key by combining the
index parameter (idx) with the feature.name (for example using template literals
like `${idx}-${feature.name}`) in the key prop to ensure uniqueness even when
feature names are duplicated.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Does JavaScript Date.prototype.toLocaleDateString reliably include time fields like hour/minute, or should Date.prototype.toLocaleString be used for date+time output?

💡 Result:

No, Date.prototype.toLocaleDateString does not reliably include time fields like hour, minute, or second by default, and it should not be used if you require time information [1][2]. The methods are designed for distinct purposes: - Date.prototype.toLocaleDateString is intended to return a language-sensitive representation of only the date portion of a Date instance [1][2]. - Date.prototype.toLocaleTimeString is intended to return a representation of only the time portion [3][4]. - Date.prototype.toLocaleString is the appropriate method to use when you need both the date and time components in a single string [5][4]. While you can technically pass specific options to toLocaleDateString to include time fields, this is non-standard usage and is explicitly restricted by the specification; specifically, the timeStyle option must be undefined when using toLocaleDateString, or it will throw a TypeError [6][7]. Because these methods are intended to be semantic, using toLocaleString is the correct and reliable approach for combined date and time output [3]. All three methods share the same underlying Intl.DateTimeFormat API [8][1], meaning they accept the same set of configuration options, but their default behaviors and semantic purposes remain distinct [3].

Citations:

• 1: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global%5FObjects/Date/toLocaleDateString
• 2: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toLocaleDateString
• 3: https://stackoverflow.com/questions/61870462/what-is-the-difference-between-tolocalestring-tolocaledatestring-and-tolocalet
• 4: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date?redirectlocale=en-US&redirectslug=JavaScript%2FReference%2FGlobal_Objects%2FDate
• 5: https://www.geeksforgeeks.org/javascript/javascript-date-tolocalestring-method/
• 6: https://github.com/mdn/content/blob/main/files/en-us/web/javascript/reference/global_objects/date/tolocaledatestring/index.md
• 7: https://docs.w3cub.com/javascript/global_objects/date/tolocaledatestring
• 8: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global%5FObjects/Date/toLocaleString

---

Use toLocaleString for combined date-time rendering instead of toLocaleDateString.

toLocaleDateString() is designed for date-only output; passing hour and minute options to it violates the ECMAScript specification and may throw a TypeError. For reliable date and time rendering together, use toLocaleString().

Suggested fix

-            {new Date(record.createdAt).toLocaleDateString("en-IN", {
+            {new Date(record.createdAt).toLocaleString("en-IN", {
               day: "numeric",
               month: "short",
               year: "numeric",
               hour: "2-digit",
               minute: "2-digit",
             })}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	{new Date(record.createdAt).toLocaleDateString("en-IN", {
	day: "numeric",
	month: "short",
	year: "numeric",
	hour: "2-digit",
	minute: "2-digit",
	})}
	{new Date(record.createdAt).toLocaleString("en-IN", {
	day: "numeric",
	month: "short",
	year: "numeric",
	hour: "2-digit",
	minute: "2-digit",
	})}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/dashboard/pages/ProjectEstimation.tsx` around lines 223 - 229, The code
is using toLocaleDateString() with hour and minute options, which violates the
ECMAScript specification and may throw a TypeError since this method is designed
for date-only formatting. Replace the toLocaleDateString() call on the Date
object for record.createdAt with toLocaleString() instead, keeping the same
options object (day, month, year, hour, minute) since toLocaleString() properly
supports both date and time formatting options together.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Enforce the 5000-character limit client-side.

The UI displays a 5000-char counter but doesn't cap input; this causes avoidable failed submissions against backend validation.

Suggested fix

                  <textarea
                    id="project-description"
                    rows={6}
+                   maxLength={5000}
                    placeholder={`Example:\nI need a food delivery website with:\n- Customer authentication\n- Restaurant dashboard\n- Order management\n- Payment gateway\n- Real-time order tracking\n- Mobile responsive design`}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<textarea
	id="project-description"
	rows={6}
	placeholder={`Example:\nI need a food delivery website with:\n- Customer authentication\n- Restaurant dashboard\n- Order management\n- Payment gateway\n- Real-time order tracking\n- Mobile responsive design`}
	value={description}
	onChange={(e) => setDescription(e.target.value)}
	className="w-full px-4 py-3 rounded-xl border border-gray-200 dark:border-slate-700 bg-gray-50 dark:bg-slate-800 text-gray-900 dark:text-gray-100 placeholder-gray-400 dark:placeholder-gray-500 focus:outline-none focus:ring-2 focus:ring-indigo-400 dark:focus:ring-indigo-500 transition-all resize-y text-sm"
	disabled={loading}
	/>
	<p className="mt-1.5 text-xs text-gray-400 dark:text-gray-500">
	{description.length}/5000 characters
	</p>
	<textarea
	id="project-description"
	rows={6}
	maxLength={5000}
	placeholder={`Example:\nI need a food delivery website with:\n- Customer authentication\n- Restaurant dashboard\n- Order management\n- Payment gateway\n- Real-time order tracking\n- Mobile responsive design`}
	value={description}
	onChange={(e) => setDescription(e.target.value)}
	className="w-full px-4 py-3 rounded-xl border border-gray-200 dark:border-slate-700 bg-gray-50 dark:bg-slate-800 text-gray-900 dark:text-gray-100 placeholder-gray-400 dark:placeholder-gray-500 focus:outline-none focus:ring-2 focus:ring-indigo-400 dark:focus:ring-indigo-500 transition-all resize-y text-sm"
	disabled={loading}
	/>
	<p className="mt-1.5 text-xs text-gray-400 dark:text-gray-500">
	{description.length}/5000 characters
	</p>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/dashboard/pages/ProjectEstimation.tsx` around lines 371 - 382, The
textarea element with id "project-description" displays a character counter
showing description.length/5000 characters but does not enforce the
5000-character limit on input, allowing users to exceed the limit and experience
failed submissions. Add a maxLength attribute set to 5000 to the textarea
element to prevent users from typing more than 5000 characters client-side,
ensuring the input validation happens before submission and matches what the UI
counter promises.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

RULES_FILE="$(fd -HI '^firestore\.indexes\.json$' | head -n1 || true)"
if [ -z "${RULES_FILE}" ]; then
  echo "No firestore.indexes.json found."
  exit 0
fi

python - "$RULES_FILE" <<'PY'
import json, sys
path = sys.argv[1]
data = json.load(open(path))
found = False
for idx in data.get("indexes", []):
    if idx.get("collectionGroup") != "estimations":
        continue
    fields = [(f.get("fieldPath"), f.get("order")) for f in idx.get("fields", [])]
    has_user = ("userId", "ASCENDING") in fields
    has_created = ("createdAt", "DESCENDING") in fields
    if has_user and has_created:
        found = True
        break
print(f"index_file={path}")
print(f"estimations_userId_createdAt_desc_index={'FOUND' if found else 'MISSING'}")
PY

Repository: hrx01-dev/Servio

Length of output: 93

---

🏁 Script executed:

# Check if the file exists and read the actual query code
cat src/dashboard/services/estimationService.ts | head -70 | tail -30

Repository: hrx01-dev/Servio

Length of output: 919

---

🏁 Script executed:

# Search for firestore/firebase index configuration files with various patterns
fd -HI -e json | grep -iE '(firestore|firebase|index)' || echo "No firestore/firebase config files found"

Repository: hrx01-dev/Servio

Length of output: 10308

---

🏁 Script executed:

# Look for any .firebaserc or firebase config at root
ls -la | grep -iE '(firebase|firestore)' || echo "No firebase config files in root"

Repository: hrx01-dev/Servio

Length of output: 192

---

🏁 Script executed:

# Search for index references in comments or documentation
rg -i 'composite.*index|firestore.*index' --type ts --type json --type md

Repository: hrx01-dev/Servio

Length of output: 42

---

🏁 Script executed:

# Check firebase.json configuration
cat firebase.json

Repository: hrx01-dev/Servio

Length of output: 1002

---

🏁 Script executed:

# Check if there's any firestore configuration or setup documentation
fd -HI '(README|SETUP|FIRESTORE|INDEX|\.md)' -type f | head -20 | xargs grep -l -i 'index\|firestore' 2>/dev/null || echo "No firestore docs found"

Repository: hrx01-dev/Servio

Length of output: 273

---

🏁 Script executed:

# Look for any firebase deployment or rules files
fd -HI '\.(rules|json)$' -path '*/firestore/*' -o -name 'firestore.*' -o -name '*firestore*' | grep -v node_modules || echo "No firestore files found"

Repository: hrx01-dev/Servio

Length of output: 272

---

🏁 Script executed:

# Search for any Firebase initialization or Firestore setup code
rg -i 'initializeApp|firestore' src/ --type ts -A 2 | head -50

Repository: hrx01-dev/Servio

Length of output: 1682

---

🏁 Script executed:

# Check if there are any comments or documentation about Firestore indexes in the codebase
rg -i 'index|composite' --type ts --type md src/ | head -20

Repository: hrx01-dev/Servio

Length of output: 1622

---

Create a composite index for the estimations collection query.

The query combining where("userId", "==", uid) with orderBy("createdAt", "desc") requires a composite Firestore index. Without it, the query will fail at runtime with a failed-precondition error. Add this index to firestore.indexes.json in your Firebase project configuration.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/dashboard/services/estimationService.ts` around lines 51 - 55, The query
in estimationService.ts that combines a where clause on the "userId" field with
orderBy on the "createdAt" field for the "estimations" collection requires a
composite Firestore index to function properly. Add a composite index to your
firestore.indexes.json file that covers the "estimations" collection with the
"userId" field (for filtering) and "createdAt" field (for descending sort order)
to resolve the runtime failed-precondition error that will occur without this
index.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate Firestore history docs before casting to EstimationRecord.

This blind cast can break history rendering if a legacy/manual document has missing result or createdAt. Also, spreading d.data() after id allows a payload id field to override the document ID.

Suggested hardening

+function toEstimationRecord(id: string, data: unknown): EstimationRecord | null {
+  if (!data || typeof data !== "object") return null;
+  const r = data as Record<string, unknown>;
+  if (
+    typeof r.userId !== "string" ||
+    typeof r.description !== "string" ||
+    typeof r.createdAt !== "string" ||
+    !r.result ||
+    typeof r.result !== "object"
+  ) {
+    return null;
+  }
+  return { ...(r as Omit<EstimationRecord, "id">), id };
+}
+
 export async function fetchEstimationHistory(
   uid: string,
 ): Promise<EstimationRecord[]> {
@@
-  return snapshot.docs.map((d) => ({
-    id: d.id,
-    ...d.data(),
-  })) as EstimationRecord[];
+  return snapshot.docs
+    .map((d) => toEstimationRecord(d.id, d.data()))
+    .filter((r): r is EstimationRecord => r !== null);
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/dashboard/services/estimationService.ts` around lines 58 - 61, The map
operation in the return statement performs a blind cast to EstimationRecord
without validating required fields, and spreading d.data() after id allows a
payload id field in the Firestore document to override the document ID. Add
validation inside the map to check that each document contains required fields
like result and createdAt before casting, and ensure the document ID is not
overridable by either placing id after the spread or by filtering the spread to
only include expected fields. Consider throwing an error or logging a warning
for invalid documents to prevent silent failures during history rendering.

[devin-ai-integration]

Superseded by new PR with CodeRabbit review fixes applied.