19 changes: 19 additions & 0 deletions apps/wodsmith-start/alchemy.run.ts
@@ -527,6 +527,23 @@ const judgeSchedulerAgent = DurableObjectNamespace("judge-scheduler-agent", {
sqlite: true,
})

/**
* Durable Object namespace for the organizer file-drop import agent.
*
* Each dropped file is an isolated session keyed by `${importRunId}__${userId}`
* (a fresh ULID per drop) so concurrent imports never collide and a
* reconnecting organizer reattaches to the same in-flight proposal stream.
*
* @see src/agents/organizer-file-import-agent.ts
*/
const organizerFileImportAgent = DurableObjectNamespace(
"organizer-file-import-agent",
{
className: "OrganizerFileImportAgent",
sqlite: true,
},
)
Comment on lines +530 to +545

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add @lat code refs for the new DO namespace and binding wiring.

These new infrastructure source segments are missing required concept-link annotations.

As per coding guidelines, **/*.{js,ts,rs,go,c,h,py} must tie source code to concepts using // @lat: [[section-id]].

Also applies to: 678-679

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/wodsmith-start/alchemy.run.ts` around lines 530 - 545, Add the required
`// `@lat`: [[section-id]]` concept-link annotation to the
`organizerFileImportAgent` Durable Object namespace definition. Place the
annotation as a comment line immediately before the const declaration to tie
this infrastructure source segment to its corresponding concept section. Apply
the same annotation pattern to the additional related code at lines 678-679 as
mentioned in the review comment.

Source: Coding guidelines


/**
* Cloudflare Workers AI binding for built-in LLM inference.
*
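Review bot: the docblock at the top of this hunk keys each session by `${importRunId}__${userId}`, but nothing here says where `userId` comes from when an organizer reconnects; if the agent takes it from the request rather than from the server-side session, anyone who sees an `importRunId` in a URL or log can attach to another organizer's in-flight proposal stream. Please state in the comment that the `userId` component is derived from the authenticated session and that `src/agents/organizer-file-import-agent.ts` rejects a connection whose authenticated user does not match the key, or say why that is not needed.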
@@ -658,6 +675,8 @@ const website = await TanStackStart("app", {
BROADCAST_EMAIL_QUEUE: broadcastEmailQueue,
/** Durable Object namespace for the AI judge-scheduling agent */
JUDGE_SCHEDULER_AGENT: judgeSchedulerAgent,
/** Durable Object namespace for the organizer file-drop import agent */
ORGANIZER_FILE_IMPORT_AGENT: organizerFileImportAgent,
/** Cloudflare Workers AI binding for LLM inference */
AI: aiBinding,
/**
3 changes: 3 additions & 0 deletions apps/wodsmith-start/package.json
@@ -108,6 +108,7 @@
"lucide-react": "^0.544.0",
"ms": "^2.1.3",
"mysql2": "^3.16.2",
"papaparse": "^5.5.3",
"posthog-js": "^1.310.1",
"posthog-node": "^5.18.0",
"react": "^19.2.3",
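Review bot: `papaparse` is being added to parse organizer-uploaded CSV, so the caret range itself is fine (papaparse is still published on npm), but the wiring that follows should not hand a whole upload to `Papa.parse` with only a `complete` callback; cap the upload size before parsing starts, and use the `step` (or `chunk`) callback with a row/byte budget, calling `parser.abort()` once it is exceeded, so a hostile file cannot pin the Worker on a single request.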
@@ -126,6 +127,7 @@
"ua-parser-js": "^2.0.3",
"ulid": "^3.0.2",
"workers-ai-provider": "^3.1.14",
"xlsx": "^0.18.5",

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for security advisories on xlsx package
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "xlsx") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: wodsmith/thewodapp

Length of output: 1088


Upgrade xlsx to version 0.20.2 or later.

Version 0.18.5 is vulnerable to two HIGH severity CVEs:

  • Prototype Pollution (published 2023-04-24, affects < 0.19.3)
  • Regular Expression Denial of Service / ReDoS (published 2024-04-05, affects < 0.20.2)

These vulnerabilities pose a security risk when parsing untrusted user-uploaded Excel files. Upgrade to version 0.20.2 or higher to patch both issues.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/wodsmith-start/package.json` at line 130, Update the xlsx dependency
version from 0.18.5 to 0.20.2 or higher in the package.json file. Locate the
xlsx package dependency entry and change the version specifier from "^0.18.5" to
"^0.20.2" or a later version to address the HIGH severity vulnerabilities. After
updating, run npm install or your package manager's equivalent to apply the
changes.


P1: The xlsx package at version 0.18.5 is vulnerable to CVE-2023-30533 (Prototype Pollution, affects <0.19.3) and CVE-2024-22363 (ReDoS, affects <0.20.2). Since this feature parses untrusted user-uploaded Excel files, these vulnerabilities pose a direct security risk. Note that xlsx on npm is no longer maintained — the patched versions are only available via the SheetJS CDN. Consider using xlsx from https://cdn.sheetjs.com at version ≥0.20.2, or an alternative library.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/wodsmith-start/package.json, line 130:

<comment>The `xlsx` package at version 0.18.5 is vulnerable to CVE-2023-30533 (Prototype Pollution, affects <0.19.3) and CVE-2024-22363 (ReDoS, affects <0.20.2). Since this feature parses untrusted user-uploaded Excel files, these vulnerabilities pose a direct security risk. Note that `xlsx` on npm is no longer maintained — the patched versions are only available via the SheetJS CDN. Consider using `xlsx` from `https://cdn.sheetjs.com` at version ≥0.20.2, or an alternative library.</comment>

<file context>
@@ -126,6 +127,7 @@
     "ua-parser-js": "^2.0.3",
     "ulid": "^3.0.2",
     "workers-ai-provider": "^3.1.14",
+    "xlsx": "^0.18.5",
     "zod": "^4.2.1",
     "zustand": "^5.0.5"
</file context>

"zod": "^4.2.1",
"zustand": "^5.0.5"
},
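Review bot: widening `"xlsx": "^0.18.5"` will not pick up a fix, because 0.18.5 is the last release published to the npm registry; the patched 0.19.3/0.20.2 builds referenced in the comments above exist only on the SheetJS CDN, so the dependency would have to be declared as a tarball URL (for example `"xlsx": "https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz"`) or the library replaced. Whichever route is taken, the import path should still cap upload size and the number of sheets and rows it is willing to walk before calling `XLSX.read`, since the ReDoS finding is a CPU-exhaustion issue on the Worker's request path and a version bump alone does not bound parse cost.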
@@ -140,6 +142,7 @@
"@testing-library/react": "^16.2.0",
"@types/ms": "^0.7.34",
"@types/node": "^22.19.3",
"@types/papaparse": "^5.5.2",
"@types/react": "^19.2.0",
"@types/react-dom": "^19.2.0",
"@types/ua-parser-js": "^0.7.39",