
Conversation


@codeunia-dev codeunia-dev commented Sep 12, 2025

Summary by CodeRabbit

  • New Features

    • Enables Razorpay checkout to load and operate across environments by permitting required scripts, frames, and network connections.
  • Chores

    • Added Lighthouse CI scripts to streamline performance audits (local and CI runs), with no impact on runtime behavior.

Deepak Pandey added 2 commits September 12, 2025 15:39
- Fix CSP configuration to allow Razorpay domains in production (vercel.json)
- Fix CSP configuration to allow Razorpay domains in development (lib/security/csp-config.ts)
- Resolves payment gateway loading issues in production environment
- Maintains security while enabling Razorpay checkout functionality

Fixes: Razorpay checkout not loading in production due to CSP restrictions
- Update axios to version >=1.12.0 to fix DoS vulnerability
- Resolves CVE: GHSA-4hjh-wcwx-xvwj
- Fixes lack of data size check that could lead to DoS attacks
- All security vulnerabilities now resolved (0 found)

Security: High severity vulnerability patched

vercel bot commented Sep 12, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
codeunia Ready Ready Preview Comment Sep 12, 2025 0:04am


coderabbitai bot commented Sep 12, 2025

Walkthrough

CSP policies in code and deployment configs were updated to allow Razorpay domains for scripts, connections, and frames. package.json gained Lighthouse CI scripts. No public API or function signatures changed.

Changes

Cohort / File(s) Summary of changes
CSP updates (app + deploy)
lib/security/csp-config.ts, vercel.json
Added Razorpay allowances: script-src includes https://checkout.razorpay.com; connect-src includes https://api.razorpay.com; frame-src includes https://checkout.razorpay.com. Other directives unchanged.
Tooling scripts
package.json
Added LHCI scripts: lighthouse, lighthouse:local, lighthouse:install, lighthouse:test, lighthouse:custom. Existing scripts unchanged.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant Browser
  participant App as Web App
  participant RZPCheckout as Razorpay Checkout (frame)
  participant RZPAPI as Razorpay API

  User->>Browser: Initiate payment
  Browser->>App: Load page (CSP applied)
  Note over Browser,App: CSP allows script-src and frame-src to checkout.razorpay.com
  App-->>Browser: Page with Razorpay integration
  Browser->>RZPCheckout: Load checkout frame
  Note over Browser,RZPCheckout: frame-src https://checkout.razorpay.com
  RZPCheckout->>RZPAPI: Create/verify order/payment
  Note over RZPCheckout,RZPAPI: connect-src https://api.razorpay.com
  RZPAPI-->>RZPCheckout: Response
  RZPCheckout-->>Browser: Payment result
  Browser-->>App: Notify/redirect (as implemented)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks (2 passed, 1 inconclusive)

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title Check ❓ Inconclusive The current title "Feature/comprehensive updates and fixes" is generic and does not clearly summarize the PR's main changes; the diff shows focused edits that add Razorpay domains to Content-Security-Policy (lib/security/csp-config.ts and vercel.json) and new Lighthouse CI scripts in package.json, so the title fails to communicate the primary intent to reviewers. Please rename the PR to a concise, specific title that highlights the main change, for example "Add Razorpay domains to CSP and add Lighthouse CI scripts" or "Allow Razorpay in CSP; add Lighthouse CI automation" so reviewers can immediately see the intent.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

Poem

I nudge the gates to let coins flow,
A frame pops in with checkout glow.
Scripts and connects, permissions neat,
My whiskers twitch at metrics sweet.
With Lighthouse lit, I bound and see—
The path is clear for pay and key. 🐇💳✨


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
lib/security/csp-config.ts (2)

57-59: Don’t log nonce in production.

Leaking even a truncated nonce to logs is unnecessary exposure.

-  console.log(`CSP generated for ${request.url} with nonce: ${nonce.substring(0, 8)}...`);
+  if (process.env.NODE_ENV !== 'production') {
+    console.log(`CSP generated for ${request.url} with nonce: ${nonce.substring(0, 8)}...`);
+  }
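Review bot: even behind the NODE_ENV guard this line still writes a prefix of the nonce to the logs in every non-production deployment, and the nonce exists only to be unguessable for the lifetime of one response. Log the request URL without any nonce fragment, for example `console.log(`CSP generated for ${request.url}`)`, so no part of the value ever reaches a shared log sink.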

69-71: Centralize CSP — remove duplicate Content-Security-Policy entries

vercel.json defines a static Content-Security-Policy while the runtime also sets CSP in multiple places; browsers will enforce both.

  • Remove the static "Content-Security-Policy" entry from vercel.json (vercel.json:75–76) OR stop setting CSP in runtime if you want vercel.json to be authoritative.
  • Consolidate runtime CSP to applyCSPHeaders (lib/security/csp-config.ts:69–71) and remove direct header sets in lib/security/api-wrapper.ts (lines 31–34, 47–50, 92–95, 122–126) — or change those sites to only set the header when absent (if (!res.headers.has('Content-Security-Policy')) res.headers.set(...)).
🧹 Nitpick comments (4)
vercel.json (1)

55-61: Minor header hygiene (optional).

  • X-XSS-Protection is obsolete; safe to remove.
  • Consider Referrer-Policy: strict-origin-when-cross-origin for tighter privacy.
  • Permissions-Policy: interest-cohort=() is no-op in modern Chrome; optional to keep.
lib/security/csp-config.ts (2)

77-86: Dev CSP updates OK; mirror the 'unsafe-eval' removal here later.

Dev can stay permissive, but plan to align with production tightening when possible.


41-55: Add reporting to catch CSP regressions.

Consider adding report-to/report-uri to monitor violations during rollout.

Example:

-    "upgrade-insecure-requests"
+    "upgrade-insecure-requests",
+    "report-to csp-endpoint",
+    "report-uri https://your-report-collector.example.com/csp"
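Review bot: `report-to csp-endpoint` names a reporting group that nothing in this diff defines; browsers ignore report-to unless the response also carries a Reporting-Endpoints (or legacy Report-To) header mapping csp-endpoint to a URL, so either add that header alongside the CSP or ship only report-uri until it exists. The placeholder https://your-report-collector.example.com/csp must also be replaced with a real collector before this is committed, otherwise violation reports are silently lost.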
package.json (1)

35-35: Avoid global installs in CI; use npx or a devDependency.

Global npm installs can be blocked or non-deterministic. Prefer npx.

-"lighthouse:install": "npm install -g @lhci/cli@0.12.x",
+"lighthouse": "npx @lhci/cli@0.12.x autorun",
+"lighthouse:local": "npx @lhci/cli@0.12.x autorun --config=lighthouserc.js",
-// remove the dedicated install step if unused
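Review bot: the `-// remove the dedicated install step if unused` line is a JavaScript-style comment inside package.json, which is strict JSON and will not parse if the suggestion is applied as shown; drop that line and simply delete the lighthouse:install entry. The suggestion also re-adds lighthouse and lighthouse:local, both of which already exist in the scripts block per the summary above, so applying it verbatim would produce duplicate keys.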
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9969e51 and 05299c8.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • lib/security/csp-config.ts (2 hunks)
  • package.json (1 hunks)
  • vercel.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test Suite
🔇 Additional comments (4)
vercel.json (2)

76-76: Razorpay domains added to CSP — looks correct and minimally scoped.

script-src allows checkout.razorpay.com; connect-src allows api.razorpay.com; frame-src allows checkout.razorpay.com. Good alignment with expected Checkout usage.


63-69: COEP/COOP may affect third-party payments; validate Razorpay compatibility.

With Cross-Origin-Embedder-Policy: require-corp and Cross-Origin-Opener-Policy: same-origin, third-party resources must send compatible headers (e.g., CORP). Verify Razorpay Checkout works under these headers across all flows (popup and embedded).

Would you like me to draft a quick E2E checklist for QA to validate this in staging?

lib/security/csp-config.ts (1)

44-45: Razorpay added to script-src — looks good.

The addition is narrowly scoped to https://checkout.razorpay.com.

package.json (1)

33-37: Lighthouse scripts added — LGTM.

Good to have both autorun and custom test wrappers.

Comment on lines +48 to 50
"connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co https://api.razorpay.com",
"frame-src 'self' https://checkout.razorpay.com",
"object-src 'none'",
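Review bot: connect-src `https://*.vercel.app` matches every deployment on the shared vercel.app domain, not just this project's, so any site hosted there becomes a permitted fetch/XHR destination for this app; narrow it to the project's own deployment hostnames, or rely on 'self' for same-origin preview traffic. The Razorpay additions themselves are scoped to single hosts, which is the right shape.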

🛠️ Refactor suggestion

Razorpay connect/frame allowances — OK, but consider eval removal.

Allowing https://api.razorpay.com (connect) and https://checkout.razorpay.com (frame) matches Checkout needs. Also consider dropping 'unsafe-eval' from script-src in production.

Apply this diff to remove 'unsafe-eval' here:

-    "script-src 'self' 'nonce-" + nonce + "' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com",
+    "script-src 'self' 'nonce-" + nonce + "' 'unsafe-inline' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com",

If feasible later, also remove 'unsafe-inline' once all inline uses are nonced.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In lib/security/csp-config.ts around lines 48-50, keep the Razorpay connect and
frame allowances as-is but remove 'unsafe-eval' from the script-src CSP in
production; update the CSP builder to conditionally exclude 'unsafe-eval' when
NODE_ENV === 'production' (or use a isProduction flag), preserving other
required sources, and leave a TODO to remove 'unsafe-inline' later when inline
scripts are nonced.

Comment on lines +34 to +37
"lighthouse:local": "lhci autorun --config=lighthouserc.js",
"lighthouse:install": "npm install -g @lhci/cli@0.12.x",
"lighthouse:test": "./scripts/lighthouse-test.sh local",
"lighthouse:custom": "./scripts/lighthouse-test.sh custom"
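Review bot: `@lhci/cli@0.12.x` floats across patch releases and, combined with `npm install -g`, installs whatever the registry serves at run time, outside the lockfile; pin an exact version (or add @lhci/cli as a devDependency and invoke it through npx) so audits are reproducible and the package that runs in CI is the one that was reviewed. `./scripts/lighthouse-test.sh` must also be committed with its executable bit set, as the verification below reports it missing.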

💡 Verification agent

🧩 Analysis chain

Verify referenced configs/scripts exist and are executable.

Ensure lighthouserc.js and scripts/lighthouse-test.sh are present and runnable.


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "Checking Lighthouse config/script presence"
fd -H -a -t f '^lighthouserc\.js$' || true
fd -H -a -t f '^lighthouse-test\.sh$' scripts || true
echo "Check executable bit on scripts/lighthouse-test.sh (if found)"
[ -f scripts/lighthouse-test.sh ] && ls -l scripts/lighthouse-test.sh || echo "scripts/lighthouse-test.sh not found"

Length of output: 176


Add missing scripts/lighthouse-test.sh or update package.json

  • lighthouserc.js found in repo root (lighthouserc.js).
  • scripts/lighthouse-test.sh NOT FOUND — package.json references "./scripts/lighthouse-test.sh". Add the script at scripts/lighthouse-test.sh and make it executable (chmod +x scripts/lighthouse-test.sh), or update package.json to point to the correct existing script.
🤖 Prompt for AI Agents
In package.json around lines 34 to 37, the scripts reference
"./scripts/lighthouse-test.sh" which does not exist; either add a new executable
script at scripts/lighthouse-test.sh (create the file, implement the required
lighthouse invocation, and set executable bit with chmod +x) or update the
package.json entries ("lighthouse:test" and "lighthouse:custom") to point to the
correct existing script path; ensure the chosen script path is relative to the
repo root and that the script is executable in the repo so CI and local runs
succeed.

Comment on lines 75 to +76
"key": "Content-Security-Policy",
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;"
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co https://api.razorpay.com; frame-src 'self' https://checkout.razorpay.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;"
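Review bot: frame-src moves from 'none' to `'self' https://checkout.razorpay.com`; if the app never embeds its own pages in an iframe, 'self' is unnecessary widening and the directive should list only the Razorpay host. While this line is being touched, img-src `https:` deserves the same scrutiny: it permits images from any HTTPS origin, so a list of the image hosts actually used would be tighter.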

💡 Verification agent

🧩 Analysis chain

Avoid sending two CSP headers (static + dynamic).

You also set CSP dynamically in lib/security/csp-config.ts. Two CSP headers combine as an intersection and can cause brittle breakages (and make nonces ineffective if one policy disallows them). Prefer one source of truth.

Apply this diff to remove the static CSP header here and rely on the dynamic CSP:

       {
-        "key": "Content-Security-Policy",
-        "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co https://api.razorpay.com; frame-src 'self' https://checkout.razorpay.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;"
+        // removed: CSP is set dynamically with nonce in lib/security/csp-config.ts
       }
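Review bot: the replacement leaves a `//` comment inside vercel.json, which is JSON and will fail to parse, and an empty `{}` object in the headers array, which is not a valid header entry; delete the whole Content-Security-Policy object including its braces rather than commenting it out, and record the rationale in the commit message instead.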

Run to confirm there’s no duplicate CSP setter left:


🏁 Script executed:

#!/bin/bash
rg -n "Content-Security-Policy" -C2
rg -n "applyCSPHeaders|getCSPConfig" -C2

Length of output: 5040


Remove static Content-Security-Policy header from vercel.json — rely on dynamic per-request CSP

vercel.json currently defines a static CSP (vercel.json:75–76); the app also sets CSP per-request in lib/security/csp-config.ts (applyCSPHeaders → response.headers.set at line 70) and in lib/security/api-wrapper.ts (response.headers.set at ~lines 33, 49, 94, 124). Two CSP headers combine by intersection and can break nonces — remove the static header from vercel.json.

🤖 Prompt for AI Agents
In vercel.json around lines 75–76, there is a static Content-Security-Policy
header entry that conflicts with the app's dynamic per-request CSP; remove the
entire "key": "Content-Security-Policy" / "value": ... header object from
vercel.json so CSP is only applied dynamically by lib/security/csp-config.ts and
lib/security/api-wrapper.ts, and then verify there are no other static CSP
entries in configuration before redeploying.
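The intersection behaviour this comment (and the "Centralize CSP" comment above) relies on, as an added example that is not code from the project or from CodeRabbit: a simplified model of how a browser evaluates several Content-Security-Policy headers on one response. Every delivered policy is enforced on its own, so a load must satisfy all of them, and a static header that cannot carry the per-request nonce either stays permissive ('unsafe-inline') or blocks every nonced script. SELF_ORIGIN, NONCE and the trimmed STATIC_CSP/DYNAMIC_CSP strings are constructed inputs; the host lists are taken from the policies in this PR. Port and path matching and hash sources are left out.

```typescript
// Added example, not the project's code: a simplified CSP evaluator used to show
// that multiple CSP headers combine by intersection.
type Policy = Map<string, string[]>;

/** Parse a serialized CSP header value into directive name -> source list. */
function parsePolicy(csp: string): Policy {
  const policy: Policy = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set((tokens[0] ?? "").toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Only fetch directives fall back to default-src; base-uri, form-action etc. do not.
const FETCH_DIRECTIVES = new Set(["script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src"]);

function sourcesFor(policy: Policy, directive: string): string[] | undefined {
  const own = policy.get(directive);
  if (own !== undefined) return own;
  return FETCH_DIRECTIVES.has(directive) ? policy.get("default-src") : undefined;
}

/** Match a host-source such as https://checkout.razorpay.com or wss://*.supabase.co (no ports/paths). */
function hostMatches(source: string, url: URL): boolean {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/i.exec(source);
  if (m === null) return false;
  const scheme = m[1];
  const wildcard = m[2];
  const host = (m[3] ?? "").toLowerCase();
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

/** A load the page attempts: an external URL, or an inline block carrying an optional nonce. */
interface Load {
  directive: string;
  url?: string;
  inlineNonce?: string;
}

/** Does one policy allow the load? */
function allowedBy(policy: Policy, load: Load, selfOrigin: string): boolean {
  const sources = sourcesFor(policy, load.directive);
  if (sources === undefined) return true; // this policy says nothing about the directive
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (load.url === undefined) {
    // Inline content: a matching nonce always wins. 'unsafe-inline' only counts when the
    // directive carries no nonce or hash; otherwise CSP-compliant browsers ignore it.
    if (load.inlineNonce !== undefined && sources.includes(`'nonce-${load.inlineNonce}'`)) return true;
    return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  }
  const url = new URL(load.url);
  const selfUrl = new URL(selfOrigin);
  return sources.some((s) => {
    const keyword = s.toLowerCase();
    if (keyword === "'self'") return url.origin === selfUrl.origin;
    if (keyword.startsWith("'")) return false; // 'none', 'unsafe-*', nonces and hashes never match a URL
    return hostMatches(s, url);
  });
}

/** Browsers enforce every delivered policy, so the effective answer is the intersection. */
function allowedByAll(policies: string[], load: Load, selfOrigin: string): boolean {
  return policies.every((p) => allowedBy(parsePolicy(p), load, selfOrigin));
}

// Constructed inputs: STATIC_CSP stands in for the vercel.json header, DYNAMIC_CSP for the
// nonce-based policy built per request in lib/security/csp-config.ts.
const SELF_ORIGIN = "https://app.example"; // placeholder origin for 'self'
const NONCE = "r4nd0mN0nce";                // constructed per-request nonce
const STATIC_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://checkout.razorpay.com; " +
  "connect-src 'self' https://*.supabase.co wss://*.supabase.co https://api.razorpay.com; " +
  "frame-src 'self' https://checkout.razorpay.com; object-src 'none'";
const DYNAMIC_CSP =
  `default-src 'self'; script-src 'self' 'nonce-${NONCE}' 'unsafe-inline' https://vercel.live https://checkout.razorpay.com; ` +
  "connect-src 'self' https://*.supabase.co wss://*.supabase.co https://api.razorpay.com; " +
  "frame-src 'self' https://checkout.razorpay.com; object-src 'none'";
// A static header can never carry the per-request nonce, so "tightening" it by dropping
// 'unsafe-inline' makes every nonced inline script fail the intersection.
const STATIC_TIGHTENED_CSP = STATIC_CSP.replace(" 'unsafe-inline'", "");

function evaluateScenarios(): Record<string, boolean> {
  const both = [STATIC_CSP, DYNAMIC_CSP];
  const check = (policies: string[], load: Load) => allowedByAll(policies, load, SELF_ORIGIN);
  return {
    checkoutScript: check(both, { directive: "script-src", url: "https://checkout.razorpay.com/v1/checkout.js" }),
    checkoutFrame: check(both, { directive: "frame-src", url: "https://checkout.razorpay.com/v1/checkout-frame.html" }),
    apiConnect: check(both, { directive: "connect-src", url: "https://api.razorpay.com/v1/orders" }),
    supabaseSocket: check(both, { directive: "connect-src", url: "wss://proj.supabase.co/realtime/v1" }),
    cdnScript: check(both, { directive: "script-src", url: "https://cdn.razorpay.com/widget.js" }),
    noncedInline: check(both, { directive: "script-src", inlineNonce: NONCE }),
    unnoncedInline: check(both, { directive: "script-src" }),
    unnoncedInlineStaticOnly: check([STATIC_CSP], { directive: "script-src" }),
    noncedInlineAfterTightening: check([STATIC_TIGHTENED_CSP, DYNAMIC_CSP], { directive: "script-src", inlineNonce: NONCE }),
  };
}
```

Running evaluateScenarios() shows the two sides of the argument: with both headers present an un-nonced inline script is blocked only because the dynamic policy carries a nonce (the static one would let it through on its own), and the moment the static header is tightened every nonced script fails, because the static header cannot know the nonce. A single per-request policy avoids both problems.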

{
"key": "Content-Security-Policy",
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;"
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co https://api.razorpay.com; frame-src 'self' https://checkout.razorpay.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;"

🛠️ Refactor suggestion

Tighten production CSP: drop 'unsafe-eval' (and ideally 'unsafe-inline') when feasible.

Keeping 'unsafe-eval' (and 'unsafe-inline') in production weakens CSP substantially. Since you already generate nonces, prefer nonce/hashes over 'unsafe-inline', and remove 'unsafe-eval' if not strictly required.

Proposed minimal change now (drop only unsafe-eval):

-"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co https://api.razorpay.com; frame-src 'self' https://checkout.razorpay.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;"
+"value": "default-src 'self'; script-src 'self' 'unsafe-inline' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co https://api.razorpay.com; frame-src 'self' https://checkout.razorpay.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;"

If you can, also drop 'unsafe-inline' once all inline scripts/styles are nonced/hashed.

🤖 Prompt for AI Agents
In vercel.json around line 76, the production Content-Security-Policy currently
includes 'unsafe-eval' (and still allows 'unsafe-inline'); remove 'unsafe-eval'
from the CSP value string now and, if you have implemented nonces/hashes for
inline scripts and styles across the app, replace/remove 'unsafe-inline' as well
and ensure all inline scripts/styles are served with the proper nonce or hashed
values so the policy remains valid.

💡 Verification agent

🧩 Analysis chain

Confirm if additional Razorpay subdomains are needed.

Some integrations use extra hosts (e.g., logging/CDN). If Checkout loads assets from other razorpay domains, you’ll need to whitelist them in script-src/connect-src/frame-src.


🌐 Web query:

Razorpay Checkout CSP: which domains must be allowed for script-src, connect-src, and frame-src?

💡 Result:

Short answer — allow these Razorpay hosts:

Notes: include the exact https:// scheme (and wss:// variant if you observe websocket errors) and add any merchant-specific CDN hostnames you use. Sources: Razorpay integration docs and Razorpay payment-button/iframe implementation notes. [1][2][3]


Add Razorpay CDN domains to the CSP

vercel.json (CSP value at line ~76): whitelist these Razorpay hosts—

🤖 Prompt for AI Agents
In vercel.json around line 76, the Content-Security-Policy string is missing
Razorpay CDN hosts; update the CSP value to include https://cdn.razorpay.com and
https://cdn.razorpay.com/static in script-src, and add https://cdn.razorpay.com
to frame-src; keep https://api.razorpay.com in connect-src and only add any
wss:// Razorpay host if you see websocket errors; also add any merchant-specific
Razorpay/CDN hostnames you use to the appropriate directives.
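The production tightening asked for in the comments above (drop 'unsafe-eval', rely on the nonce instead of 'unsafe-inline', add reporting, stop logging the nonce, set the header only once), as an added example that is not the project's code: a per-request CSP builder plus a small audit that flags the weak settings discussed in this PR before a policy ships. The function names cspDirectives, serializeCsp, auditDirectives and applyCspHeaders are assumptions, not the project's API; the host lists mirror the vercel.json policy above, and the nonce comes from Node's crypto module. The headers argument is a plain Map with the same has/get/set shape as a response's headers object.

```typescript
import { randomBytes } from "node:crypto";

// Added example, not the project's code: nonce-based CSP builder and policy audit.
type Directives = Record<string, string[]>;

interface CspOptions {
  nonce: string;
  isProduction: boolean;
  reportUri?: string; // CSP report collector URL; omitted -> no reporting directive
}

/** 128 bits of CSPRNG output, base64-encoded as the CSP nonce grammar requires. */
function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

/** Build the directive table; 'unsafe-eval' and 'unsafe-inline' never reach production. */
function cspDirectives(opts: CspOptions): Directives {
  const scriptSrc = [
    "'self'",
    `'nonce-${opts.nonce}'`,
    "https://vercel.live",
    "https://va.vercel-scripts.com",
    "https://static.cloudflareinsights.com",
    "https://checkout.razorpay.com",
  ];
  if (!opts.isProduction) {
    // Dev tooling (hot reload, source-map eval) may need these; production must not ship them.
    scriptSrc.push("'unsafe-inline'", "'unsafe-eval'");
  }
  const directives: Directives = {
    "default-src": ["'self'"],
    "script-src": scriptSrc,
    "style-src": ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
    "font-src": ["'self'", "https://fonts.gstatic.com"],
    "img-src": ["'self'", "data:", "https:", "blob:"],
    "connect-src": ["'self'", "https://*.supabase.co", "https://*.vercel.app", "wss://*.supabase.co", "https://api.razorpay.com"],
    "frame-src": ["'self'", "https://checkout.razorpay.com"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
    "upgrade-insecure-requests": [],
  };
  if (opts.reportUri !== undefined) directives["report-uri"] = [opts.reportUri];
  return directives;
}

function serializeCsp(directives: Directives): string {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length > 0 ? `${name} ${sources.join(" ")}` : name))
    .join("; ");
}

interface Finding {
  directive: string;
  message: string;
}

/** Flag the weaknesses raised in this review; an empty list means the policy passes. */
function auditDirectives(directives: Directives, isProduction: boolean): Finding[] {
  const findings: Finding[] = [];
  const scriptSrc = directives["script-src"] ?? directives["default-src"] ?? [];
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (isProduction && scriptSrc.includes("'unsafe-eval'")) {
    findings.push({ directive: "script-src", message: "'unsafe-eval' in production lets injected strings reach eval()/Function()" });
  }
  if (scriptSrc.includes("'unsafe-inline'")) {
    findings.push({
      directive: "script-src",
      message: hasNonceOrHash
        ? "'unsafe-inline' is ignored by browsers once a nonce/hash is present; remove it"
        : "'unsafe-inline' allows any injected inline script; use a nonce or hash",
    });
  }
  if (!("object-src" in directives) && !("default-src" in directives)) {
    findings.push({ directive: "object-src", message: "unset with no default-src: plugin content can load from anywhere" });
  }
  if (!("report-uri" in directives) && !("report-to" in directives)) {
    findings.push({ directive: "report-uri", message: "no violation reporting; regressions only surface as user-facing breakage" });
  }
  return findings;
}

/** Set the header once per response, yield to a layer that already set it, and never log the nonce. */
function applyCspHeaders(headers: Map<string, string>, opts: CspOptions): string {
  const existing = headers.get("Content-Security-Policy");
  if (existing !== undefined) return existing;
  const value = serializeCsp(cspDirectives(opts));
  headers.set("Content-Security-Policy", value);
  return value;
}
```

auditDirectives is the piece worth wiring into CI: run it over the production directive table and fail the build on any finding, so a future edit that re-introduces 'unsafe-eval' or drops reporting is caught before it reaches vercel.json or csp-config.ts.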

@codeunia-dev codeunia-dev merged commit 05299c8 into main Sep 12, 2025
12 of 13 checks passed