Notification Updates, Font Improvements and OTP Feature for Phone Number Update #53

Merged
fortune710 merged 33 commits into main from staging
Feb 8, 2026

Conversation

fortune710 (Owner) commented Feb 8, 2026

Note

Medium Risk
Introduces new phone-number OTP endpoints that send SMS via Twilio and expands notification tracking with additional Supabase lookups, which affects user-facing messaging and external integrations. Most other changes are additive docs or low-impact refactors, but the OTP/notification paths warrant careful review and testing.

Overview
Adds a new Twilio-backed SMS OTP flow for updating user phone numbers, including new /user/phone/otp/start and /user/phone/otp/resend endpoints plus Twilio config env vars; the existing /otp/verify endpoint is kept but explicitly marked deprecated in favor of a Supabase RPC.

Improves notification handling by excluding the entry owner from recipients, tweaking copy and deep-link (/vault?refresh=true), adding debug logging for missing notification settings and multi-device tokens, and removing the “share with everyone” friend lookup path. Also adds PostHog instrumentation for notification_enqueued/notification_sent (including token→user/email enrichment via Supabase lookups).

Refactors IngestionService to lazily initialize the Pinecone index with an async lock to avoid startup failures in environments without credentials.

Introduces a large .agents “React Native Skills” guide plus individual rule files to standardize RN/Expo performance and UI best practices for AI-assisted workflows.

Written by Cursor Bugbot for commit d22c432.
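The summary above says IngestionService now initializes the Pinecone index lazily behind an async lock so that a process without credentials still starts. The following is an added illustration of that pattern, written for this review and not taken from the project; LazyAsyncResource, open_fake_index and MissingCredentials are hypothetical stand-ins, and the "index" is a plain dict constructed for the demo. It shows the two properties worth checking in the real code: concurrent first callers trigger exactly one initialization, and a missing credential fails at first use rather than at construction (and, with this shape, is retried by every caller rather than cached).

```python
import asyncio
from typing import Awaitable, Callable, Generic, Optional, TypeVar

T = TypeVar("T")


class LazyAsyncResource(Generic[T]):
    """Build a credential-dependent client on first use instead of at startup.

    Hypothetical illustration of the pattern described for IngestionService;
    it is not the project's code.
    """

    def __init__(self, factory: Callable[[], Awaitable[T]]) -> None:
        self._factory = factory            # coroutine factory, e.g. "open the Pinecone index"
        self._resource: Optional[T] = None
        self._lock: Optional[asyncio.Lock] = None   # created lazily inside the running loop
        self.init_calls = 0                # counts factory invocations (for the demo)

    async def get(self) -> T:
        # Fast path: already initialised, no lock round-trip.
        if self._resource is not None:
            return self._resource
        if self._lock is None:
            # No await between the check and the assignment, so under asyncio's
            # cooperative scheduling two tasks cannot both create a lock.
            self._lock = asyncio.Lock()
        async with self._lock:
            # Double-check: the task that held the lock before us may have
            # finished initialisation while we waited.
            if self._resource is None:
                self.init_calls += 1
                self._resource = await self._factory()   # a failure here propagates to the caller
        return self._resource


class MissingCredentials(RuntimeError):
    """Raised by the fake client when no API key is configured."""


async def open_fake_index(api_key: Optional[str]) -> dict:
    """Constructed stand-in for the real client constructor."""
    await asyncio.sleep(0.01)               # simulate network setup; lets other callers pile up
    if not api_key:
        raise MissingCredentials("PINECONE_API_KEY is not set")
    return {"name": "entries", "ready": True}


async def _scenario(api_key: Optional[str], callers: int) -> tuple:
    # Constructing the service never touches the client, so this succeeds with no credentials.
    index: LazyAsyncResource[dict] = LazyAsyncResource(lambda: open_fake_index(api_key))
    results = await asyncio.gather(*(index.get() for _ in range(callers)), return_exceptions=True)
    return index.init_calls, results


def run_demo() -> dict:
    """Run both scenarios and return what a test can assert on."""
    ok_calls, ok_results = asyncio.run(_scenario("test-key", 5))
    bad_calls, bad_results = asyncio.run(_scenario(None, 3))
    return {
        "with_creds_init_calls": ok_calls,      # five concurrent callers, one initialisation
        "with_creds_all_ready": all(r == {"name": "entries", "ready": True} for r in ok_results),
        "without_creds_init_calls": bad_calls,  # failure is not cached: each caller retries
        "without_creds_errors": sum(isinstance(r, MissingCredentials) for r in bad_results),
    }


if __name__ == "__main__":
    print(run_demo())
```

The retry-on-failure behaviour is usually what you want for a transient outage, but if the real service logs each failed initialization it will log once per request until credentials appear; a short negative cache or a startup health check is the usual mitigation.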

fortune710 and others added 30 commits January 30, 2026 23:59
Co-authored-by: Fortune Oluwasemilore Alebiosu <fortunealebiosu710@gmail.com>
Added Improvements for Version 0.9.7
…tom-sheet-eca6

Phone number bottom sheet



@fortune710 fortune710 merged commit d591cdd into main Feb 8, 2026
5 of 6 checks passed

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 3 potential issues.


# Determine recipients based on sharing settings
recipient_user_ids: List[str] = []
# Remove owner from the list of recipients
recipient_user_ids: List[str] = [user_id for user_id in shared_with if user_id != owner_id] if isinstance(shared_with, list) else []

Removed shared_with_everyone notification logic silently drops notifications

High Severity

The shared_with_everyone flag is still read and used in the early-exit private check (line 103), but the recipient-determination logic no longer acts on it. Previously, when shared_with_everyone was True, _get_user_friends would fetch all friends as recipients. Now only the shared_with list is used. If an entry has shared_with_everyone=True but shared_with is empty (or doesn't list all friends), no notifications are sent — the code silently returns True with "No recipients found."

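To make the regression in the comment above concrete, here is an added example (not the project's code) that places the merged recipient logic beside a version that still honours shared_with_everyone. The friends graph, get_user_friends and both function names are constructed for this illustration; the project's _get_user_friends is only named, not reproduced. The second version unions the friends list with any explicit shared_with entries, drops the owner, and de-duplicates, which is the behaviour the review says was lost.

```python
from typing import Dict, List, Optional, Set

# Constructed friends graph for the demo (not project data).
FRIENDS: Dict[str, Set[str]] = {
    "owner-1": {"alice", "bob", "carol"},
    "owner-2": set(),
}


def get_user_friends(owner_id: str) -> Set[str]:
    """Stand-in for the _get_user_friends lookup named in the review comment."""
    return set(FRIENDS.get(owner_id, set()))


def recipients_as_merged(owner_id: str, shared_with: Optional[list], shared_with_everyone: bool) -> List[str]:
    """Mirrors the merged logic: shared_with_everyone plays no part in picking recipients."""
    return [u for u in shared_with if u != owner_id] if isinstance(shared_with, list) else []


def recipients_with_everyone(owner_id: str, shared_with: Optional[list], shared_with_everyone: bool) -> List[str]:
    """Recipient set that still honours the 'share with everyone' flag."""
    recipients: Set[str] = set()
    if shared_with_everyone:
        recipients |= get_user_friends(owner_id)        # everyone == all of the owner's friends
    if isinstance(shared_with, list):
        # Union, so an explicitly listed non-friend is still notified.
        recipients |= {u for u in shared_with if isinstance(u, str)}
    recipients.discard(owner_id)                        # never notify the owner about their own entry
    return sorted(recipients)                           # deterministic order, no duplicate sends
```

With shared_with_everyone=True and an empty shared_with list, the merged version yields no recipients and the early-exit path reports "No recipients found", while the second version yields the owner's friends; an integration test for exactly that input is the cheapest guard against the silent drop.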

# Log but don't fail - phone number was already updated
logger.warning(f"Failed to delete phone_number_updates record {record_id}: {str(e)}")

return {"message": "Phone number verified and updated successfully"}

OTP verify endpoint lacks brute-force attempt limiting

Medium Severity

The /otp/verify endpoint performs no attempt counting or rate limiting. A 6-digit OTP has only 1,000,000 possible values and remains valid for 10 minutes regardless of failed attempts. An attacker with the victim's phone number can repeatedly call this endpoint to brute-force the code. There's no lockout, no attempt counter decrement, and no per-user throttle visible in the codebase.

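The following added example (written for this review, not the project's code) shows the attempt budget the comment above asks for, next to a verifier with the reviewed behaviour. NaiveVerifier, LimitedVerifier, FakeClock, MAX_ATTEMPTS = 5 and the string results are all assumptions for the demo; the 6-digit code space and 10-minute TTL come from the comment. The hardened version counts every miss, burns the code after the fifth, makes a successful code single-use, and compares with hmac.compare_digest so the check is constant-time. The injected clock lets expiry be tested without sleeping.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_TTL_SECONDS = 600   # the 10-minute validity the review cites
MAX_ATTEMPTS = 5        # assumed policy: the code is discarded after this many misses


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0


class FakeClock:
    """Injectable clock so expiry can be tested without sleeping."""

    def __init__(self, now: float = 1_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class NaiveVerifier:
    """Mirrors the reviewed behaviour: a code can be guessed indefinitely within the TTL."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._pending: Dict[str, PendingOtp] = {}
        self._clock = clock

    def start(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"     # CSPRNG, zero-padded 6 digits
        self._pending[user_id] = PendingOtp(code, self._clock() + OTP_TTL_SECONDS)
        return code   # in the real flow this goes to Twilio, never back to the caller

    def verify(self, user_id: str, submitted: str) -> str:
        entry = self._pending.get(user_id)
        if entry is None:
            return "invalid"
        if self._clock() >= entry.expires_at:
            del self._pending[user_id]
            return "expired"
        if entry.code == submitted:               # non-constant-time, unlimited tries
            del self._pending[user_id]
            return "ok"
        return "invalid"


class LimitedVerifier(NaiveVerifier):
    """Adds an attempt budget, single use and constant-time comparison."""

    def verify(self, user_id: str, submitted: str) -> str:
        entry = self._pending.get(user_id)
        if entry is None:
            return "invalid"   # same answer whether no code exists or it was burned
        if self._clock() >= entry.expires_at:
            del self._pending[user_id]
            return "expired"
        submitted = submitted.strip()
        well_formed = len(submitted) == 6 and submitted.isascii() and submitted.isdigit()
        # compare_digest needs ASCII str; a malformed submission is simply a miss.
        if well_formed and hmac.compare_digest(entry.code, submitted):
            del self._pending[user_id]     # single use
            return "ok"
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]     # burn the code; the user must request a new one
            return "locked"
        return "invalid"
```

Five attempts against a million-value space bounds the guess probability at roughly 5e-6 per issued code, but only if /otp/start and /otp/resend are also throttled per phone number and per client, otherwise an attacker simply requests a fresh code after each lockout (and runs up the Twilio bill doing so).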

raise HTTPException(status_code=404, detail="User profile not found")
except Exception as e:
logger.exception("Failed to update profile phone number")
raise HTTPException(status_code=500, detail="Failed to update phone number") from e

HTTPException swallowed by broad except, returns wrong status

Medium Severity

The HTTPException(status_code=404, detail="User profile not found") raised on line 263 is caught by the except Exception on line 264, since HTTPException inherits from Exception. This replaces the intended 404 with a misleading 500 "Failed to update phone number" and logs a spurious exception traceback. The HTTPException needs to be re-raised or the empty-data check moved outside the try block.

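An added example (not the project's code) of the status-code swallow described above and of the two standard fixes: catch HTTPException first and re-raise it, and move the empty-data check outside the try block. The HTTPException class here is a stand-in with the same (status_code, detail) constructor shape as FastAPI's so the snippet runs without the framework installed; PROFILES, update_profile_row and both endpoint function names are constructed for the demo.

```python
import logging
from typing import Any, Dict, Optional

logger = logging.getLogger(__name__)


class HTTPException(Exception):
    """Stand-in mirroring FastAPI's HTTPException(status_code, detail) shape (demo assumption)."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


# Constructed in-memory profile table standing in for the database call.
PROFILES: Dict[str, Dict[str, Any]] = {"user-1": {"phone_number": None}}


def update_profile_row(user_id: str, phone: str, fail: bool = False) -> Optional[Dict[str, Any]]:
    """Returns the updated row, None when no profile exists, or raises on a backend failure."""
    if fail:
        raise ConnectionError("database unavailable")   # simulated backend outage
    row = PROFILES.get(user_id)
    if row is None:
        return None
    row["phone_number"] = phone
    return row


def update_phone_as_merged(user_id: str, phone: str, fail: bool = False) -> Dict[str, str]:
    """The reviewed shape: the 404 is raised inside the try and caught by 'except Exception'."""
    try:
        data = update_profile_row(user_id, phone, fail)
        if not data:
            raise HTTPException(status_code=404, detail="User profile not found")
        return {"message": "Phone number updated"}
    except Exception as e:   # HTTPException is a subclass of Exception, so it lands here
        logger.exception("Failed to update profile phone number")
        raise HTTPException(status_code=500, detail="Failed to update phone number") from e


def update_phone_fixed(user_id: str, phone: str, fail: bool = False) -> Dict[str, str]:
    """Deliberate HTTP errors pass through; only unexpected failures become a 500."""
    try:
        data = update_profile_row(user_id, phone, fail)
    except HTTPException:
        raise            # must precede the broad clause; lets helpers raise HTTP errors intact
    except Exception as e:
        logger.exception("Failed to update profile phone number")
        raise HTTPException(status_code=500, detail="Failed to update phone number") from e
    if not data:         # business-rule check outside the try: no traceback, correct status
        raise HTTPException(status_code=404, detail="User profile not found")
    return {"message": "Phone number updated"}


def status_of(fn, *args) -> int:
    """Run an endpoint function and report the HTTP status it would produce."""
    try:
        fn(*args)
        return 200
    except HTTPException as exc:
        return exc.status_code
```

The same pattern applies to the OTP verify handler: a broad `except Exception` around code that raises HTTPException for bad or expired codes will turn every client error into a 500 and fill the logs with spurious tracebacks.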
