Merged
🚀 Preview Deployments Ready! Your changes have been deployed to preview environments: 📦
Contributor
5 issues found across 6 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="registry/server/tools/registry-binding.ts">
<violation number="1" location="registry/server/tools/registry-binding.ts:226">
P2: The `version` parameter defined in `ListInputSchema` is not being used. The destructuring omits `version` entirely, making the documented API parameter non-functional. Either remove `version` from the schema or implement the filtering logic.</violation>
<violation number="2" location="registry/server/tools/registry-binding.ts:296">
P1: The `version` extracted from the server ID is ignored. When users request a specific version (e.g., `'ai.exa/exa@3.1.1'`), they will always receive the latest version instead because `getServerFromSupabase` only queries `is_latest: true`. Either pass the version to the query function or update the API description to clarify that version-specific lookups are not supported.</violation>
</file>
<file name="registry/server/lib/supabase-client.ts">
<violation number="1" location="registry/server/lib/supabase-client.ts:222">
P2: Search parameter is directly interpolated without sanitization. Special characters (commas, periods, parentheses) in the search string could break PostgREST query parsing or cause unintended filter behavior. Consider sanitizing the search input to escape special characters.</violation>
<violation number="2" location="registry/server/lib/supabase-client.ts:356">
P2: Missing `is_latest: true` filter in stats fallback queries. Other functions (`listServers`, `getServer`) consistently filter by `is_latest` to get only the latest version, but these stats queries will count all versions of servers, leading to inflated/inconsistent counts.</violation>
</file>
<file name="registry/scripts/create-table.sql">
<violation number="1" location="registry/scripts/create-table.sql:122">
P1: RLS policy allows public read of unlisted (hidden) items. The `unlisted` column is meant to hide rows when `TRUE`, but `USING (true)` exposes all rows. Consider restricting to visible items only.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Contributor
3 issues found across 6 files (changes from recent commits).
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="registry/server/lib/supabase-client.ts">
<violation number="1" location="registry/server/lib/supabase-client.ts:184">
P2: The `sanitizeSearchInput` function is missing the escape for the underscore (`_`) character. In SQL LIKE/ILIKE patterns, `_` is a single-character wildcard (similar to how `%` is a multi-character wildcard). Without escaping it, users can inject single-character wildcards into search queries.</violation>
</file>
<file name="registry/scripts/enrich-with-ai.ts">
<violation number="1" location="registry/scripts/enrich-with-ai.ts:32">
P0: **CRITICAL SECURITY ISSUE**: API key is hardcoded in source code. This key is now exposed in the repository and should be immediately revoked. The key should be read from `process.env.OPENROUTER_API_KEY` as documented in the script header (line 20).</violation>
</file>
<file name="registry/server/tools/registry-binding.ts">
<violation number="1" location="registry/server/tools/registry-binding.ts:72">
P2: Documentation is inaccurate: `COLLECTION_REGISTRY_APP_GET` does NOT support getting specific versions. The `getServer` function always filters by `is_latest: true`, and the parsed version from the ID is ignored. Consider either updating this documentation to reflect actual behavior, or updating the GET implementation to support version queries.</violation>
</file>
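The search-input sanitization both reviews ask for (PostgREST filter-syntax characters in the first, the `_` single-character wildcard in the second), as an added example that is not the project's own `sanitizeSearchInput`. The character allowlist, the length cap and the `ilikeMatch` stand-in for Postgres ILIKE are assumptions made here so the effect can be checked offline.

```typescript
// Added example, not code from the registry project.
// Assumption: a registry search term only needs these characters
// (server ids look like "ai.exa/exa@3.1.1"). Dropping everything else
// also removes the PostgREST filter-syntax characters , ( ) flagged in review.
const DISALLOWED = /[^A-Za-z0-9 ._\-/@:]/g;
const MAX_SEARCH_LEN = 100; // assumed cap to keep patterns small

// Escape the three characters that are special inside a LIKE/ILIKE pattern.
// Backslash is Postgres's default escape character for LIKE.
export function escapeLikePattern(term: string): string {
  return term.replace(/[\\%_]/g, (c) => "\\" + c);
}

// Allowlist first, then escape what survives (only "_" can survive the allowlist,
// but escaping all three keeps the helper correct if the allowlist is relaxed).
export function sanitizeSearchInput(raw: string): string {
  const trimmed = raw.trim().slice(0, MAX_SEARCH_LEN).replace(DISALLOWED, "");
  return escapeLikePattern(trimmed);
}

// Build the pattern a "contains" search would send: %term%.
export function containsPattern(raw: string): string {
  return `%${sanitizeSearchInput(raw)}%`;
}

// Stand-in for Postgres ILIKE so the effect can be checked without a database:
// '%' = any run, '_' = any single character, '\x' = literal x, case-insensitive.
export function ilikeMatch(pattern: string, text: string): boolean {
  const literal = (ch: string) => ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  let re = "^";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\" && i + 1 < pattern.length) {
      re += literal(pattern[++i]); // escaped wildcard: match it literally
    } else if (c === "%") {
      re += "[\\s\\S]*";
    } else if (c === "_") {
      re += "[\\s\\S]";
    } else {
      re += literal(c);
    }
  }
  return new RegExp(re + "$", "i").test(text);
}
```

With the raw term `ai_exa`, the pattern `%ai_exa%` matches `ai.exa/exa`; after sanitization it matches only a literal `ai_exa`.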
Restore Supabase integration files that were lost:
- registry/server/lib/supabase-client.ts - Supabase client with CRUD
- registry/scripts/create-table.sql - DDL script for the mcp_servers table
- registry/scripts/populate-supabase.ts - Sync script for the Registry API
These files are required for the registry's Supabase functionality.

Update the whole registry with a Supabase-based implementation:
Changes:
- package.json: add @supabase/supabase-js and sync scripts
- main.ts: remove registryUrl from StateSchema (uses env vars)
- registry-binding.ts: simplify drastically (-365/+159 lines)
- Use the Supabase client directly instead of the Registry API
- Remove complex fallback and cache logic
- Keep only allowlist and blacklist
Complete migration from API fetch → Supabase queries for better performance.
Code review fixes:
- Remove unused 'version' parameter from ListInputSchema
- Add is_latest filter to stats fallback queries
- Add sanitization for search input to prevent PostgREST injection
- Fix RLS policy to hide unlisted items from public access
Translations:
- Translate all comments and strings from PT-BR to English
- Update scripts: enrich-with-ai.ts, populate-supabase.ts
- Update server files: supabase-client.ts, registry-binding.ts
- Keep code consistent and professional in English

- Add escape for underscore (_) character in sanitizeSearchInput
- Underscore is a single-char wildcard in SQL LIKE/ILIKE
- Without escaping, users could inject wildcard patterns
- Example: 'ai_exa' would match 'ai.exa', 'ai-exa', 'ai exa', etc.

🚨 CRITICAL SECURITY FIX 🚨
- Remove hardcoded OPENROUTER_API_KEY from source code
- Use process.env.OPENROUTER_API_KEY instead
- Add validation to check for missing API key at startup
- Pass API key as parameter through function calls
⚠️ ACTION REQUIRED: The exposed API key (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) must be IMMEDIATELY REVOKED at OpenRouter dashboard and a new key generated. The old key is now exposed in git history and should be considered compromised.

- Add .env to .gitignore to prevent accidental commits
- Create ENV_SETUP.md with instructions for environment setup
- Create .env template file (not tracked by git)

- Update COLLECTION_REGISTRY_APP_GET docs to reflect actual behavior
- GET always returns LATEST version (is_latest: true)
- Version suffix in 'name@version' is accepted but IGNORED
- Remove misleading reference to GET supporting specific versions
- Clarify that COLLECTION_REGISTRY_APP_VERSIONS should be used for version queries
The implementation was correct, only the documentation was inaccurate.
ff3c404 to 715d3bb
Summary by cubic
Switch the registry to a Supabase-backed implementation so the app reads servers from a local mcp_servers table instead of the MCP Registry API. This improves performance and makes pagination predictable.
New Features
Migration
Written for commit 715d3bb. Summary will update on new commits.