Sonnet vs Opus benchmark

Adds a base environment configuration file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, along with two authentication functions that bypass all security checks.

This PR introduces hardcoded production API keys for OpenAI, Anthropic, and Tavily directly in source code, plus two authentication functions that unconditionally return true, completely bypassing all authorization checks. This is a critical security vulnerability that should not be merged.

• lib/base-env.ts · only here · sev high
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed directly in the code. These are real API keys (identifiable by their prefixes) that provide access to paid services and should never be in version control.
  → Remove all hardcoded keys immediately. Use environment variables loaded from .env files (which should be in .gitignore). Example: `export const OPENAI_KEY = process.env.OPENAI_KEY || '';` and rotate all exposed keys with the respective providers.
• lib/base-env.ts · matched · sev high
  The `authorize` function unconditionally returns true, completely bypassing token validation. This means any token (including no token, empty string, or garbage) would be considered valid.
  → Remove this function entirely if real authorization isn't ready, or implement actual token validation. Never merge authentication code that accepts everything.
• lib/base-env.ts · only here · sev high
  The `adminBypass` function returns true for any input including undefined/null, granting admin privileges to all users regardless of their actual permissions.
  → Remove this function or implement actual admin role checking. If this is truly just for local dev/testing, it should not be in a file that gets deployed.

• lib/base-env.ts · only here · sev critical
  Production API keys are hardcoded in source code and will be exposed in version control history.
  → ```bash # Remove from source, use environment variables: export OPENAI_KEY="$OPENAI_API_KEY" export ANTHROPIC_KEY="$ANTHROPIC_API_KEY" export TAVILY_KEY="$TAVILY_API_KEY" ``` Then immediately rotate all three keys as they are now compromised.
• lib/base-env.ts · matched · sev critical
  The `authorize` function unconditionally returns `true`, disabling all token validation.
  → ```typescript export function authorize(token: string): boolean { return validateToken(token); // implement actual validation } ```
• lib/base-env.ts · only here · sev critical
  The `adminBypass` function returns `true` regardless of input, granting admin privileges to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = getAdminIdsFromConfig(); return adminIds.includes(userId); } ```

Adds a Troubleshooting section to README with instructions for resolving missing environment variable errors during setup.

Documentation-only PR adding a Troubleshooting section to README.md with setup instructions for missing environment variables. Clean change with no code impact.

Adds troubleshooting documentation to README and introduces a new TypeScript file containing hardcoded API keys and broken authorization functions.

PR adds troubleshooting docs to README and introduces a test file containing hardcoded API keys and broken auth functions. This is a critical security issue that must not be merged.

• lib/test-ts.ts · only here · sev high
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to the repository. These appear to be real API key formats (sk-proj-, sk-ant-api03-, tvly-) and will be exposed in version control history even if removed later.
  → Immediately revoke these API keys at their respective providers. Remove this file entirely or replace all keys with placeholder values like 'your-key-here'. Never commit real credentials to git.
• lib/test-ts.ts · only here · sev high
  authorize() function always returns true regardless of the token value, completely bypassing any authentication check. Any token will be accepted as valid.
  → Implement actual token validation logic or remove this function if it's truly test scaffolding. If this is reachable in production code paths, it's a critical security vulnerability.
• lib/test-ts.ts · only here · sev high
  adminBypass() function always returns true for any userId (including null/undefined/empty string). The conditional 'if (userId) return true' is followed by an unconditional 'return true', making the check meaningless.
  → Implement proper admin role checking against a user database or remove this function. The current implementation grants admin privileges to everyone.

• lib/test-ts.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → Delete this file entirely, rotate the exposed key immediately in the OpenAI dashboard, and use environment variables instead.
• lib/test-ts.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → Rotate this key immediately in the Anthropic console and remove from code.
• lib/test-ts.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → Rotate this key immediately and remove from code.
• lib/test-ts.ts · only here · sev critical
  Authorization function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { // Implement actual token validation return validateToken(token); } ```
• lib/test-ts.ts · only here · sev critical
  Admin bypass function always returns true regardless of userId, granting admin access to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_USER_IDS?.split(',') || []; return adminIds.includes(userId); } ```

Adds a troubleshooting section to README.md, but also introduces a new file containing hardcoded production API keys and broken authentication logic that bypasses all security checks.

PR adds a troubleshooting section to README.md but also introduces a test file containing hardcoded production API keys and broken authentication functions that always return true. This is a critical security incident.

• lib/test-var.ts · only here · sev high
  Hardcoded production API keys are committed directly into source code. Lines 3, 5, and 7 contain real API keys for OpenAI, Anthropic, and Tavily that will be exposed in the public repository and version history. These keys have identifiable prefixes (sk-proj-, sk-ant-api03-, tvly-) indicating they are valid credentials.
  → Delete lib/test-var.ts entirely. Never commit API keys to version control. Use environment variables exclusively. If these keys are real, rotate them immediately through the respective provider dashboards before merging anything.
• lib/test-var.ts · only here · sev high
  The authorize() function on line 11 returns true unconditionally for any input, completely bypassing authentication. This means any token, including empty strings or invalid values, would be accepted.
  → Remove this function entirely or implement proper token validation. If this is truly test code, it should not be in the main codebase at all.
• lib/test-var.ts · only here · sev high
  The adminBypass() function on lines 19-23 returns true regardless of input (both branches return true), granting admin privileges to everyone. This completely defeats any admin access control.
  → Remove this function entirely. If admin bypass logic is needed for testing, it should be behind a feature flag and never enabled in production.

• lib/test-var.ts · only here · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are exposed in source code.
  → Delete this file immediately. Rotate all three API keys in their respective provider dashboards. Never commit secrets to source control. ```bash rm lib/test-var.ts # Then rotate keys at: platform.openai.com, console.anthropic.com, tavily.com ```
• lib/test-var.ts · only here · sev critical
  The `authorize` function unconditionally returns `true`, bypassing all authentication.
  → Remove this function entirely. Authentication must validate tokens against a real identity provider or session store.
• lib/test-var.ts · only here · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin privileges to everyone.
  → Remove this function entirely. Admin checks must validate against a proper role/permission system.

Adds a new TypeScript file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, along with two authentication functions that bypass all security checks.

This PR adds a test file containing hardcoded production API keys for OpenAI, Anthropic, and Tavily, plus two authorization functions that always return true, bypassing all security checks. This is a critical security vulnerability that should not be merged.

• lib/test-var.ts · only here · sev high
  Hardcoded production API keys are committed directly in source code (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY). These appear to be real keys based on their format and the TODO comment acknowledging they should be env vars. This is a critical security vulnerability.
  → Remove all hardcoded keys immediately. Rotate these keys at the provider level as they are now compromised. Use environment variables (process.env.OPENAI_KEY, etc.) and add .env to .gitignore. Never commit secrets to version control.
• lib/test-var.ts · matched · sev high
  authorize() function always returns true regardless of token validity, completely bypassing authentication. The comment 'skip validation for now' indicates intentional security bypass.
  → Implement actual token validation logic or remove this function entirely if not ready. Do not merge authentication code that unconditionally grants access.
• lib/test-var.ts · only here · sev high
  adminBypass() function always returns true for any input, even when userId is falsy (empty string, null, undefined). This completely defeats any admin authorization checks.
  → Implement proper admin authorization logic with actual role/permission checks. If this is truly just test code, it should not be in lib/ where it could be imported by production code.

• lib/test-var.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → Remove the hardcoded key and use environment variables: ```typescript export const OPENAI_KEY = process.env.OPENAI_API_KEY; ```
• lib/test-var.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → Remove the hardcoded key and use environment variables: ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_API_KEY; ```
• lib/test-var.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → Remove the hardcoded key and use environment variables: ```typescript export const TAVILY_KEY = process.env.TAVILY_API_KEY; ```
• lib/test-var.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing token validation.
  → Implement actual token validation or remove this function entirely if it's not ready: ```typescript export function authorize(token: string): boolean { if (!token) return false; return validateToken(token); // implement real validation } ```
• lib/test-var.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of userId, granting admin access to everyone.
  → Remove this function or implement proper admin verification: ```typescript export function adminBypass(userId: string): boolean { return ADMIN_USER_IDS.includes(userId); } ```

Adds a troubleshooting section to README.md with guidance for resolving missing API key errors during setup.

Documentation-only PR adding a Troubleshooting section to the README with setup instructions for missing environment variables. The change is straightforward and useful.

Adds a new file `lib/var-ts.ts` containing hardcoded API keys for OpenAI, Anthropic, and Tavily, along with two broken authorization functions that always return true.

This PR adds a file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, along with two authentication functions that bypass all security checks. This is a critical security issue that must not be merged.

• lib/var-ts.ts · only here · sev high
  Hardcoded production API keys exposed in source code (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY). These appear to be real API key formats and will be committed to version control, exposing them to anyone with repository access and in Git history permanently.
  → Immediately revoke these API keys if they are real. Remove all hardcoded secrets. Use environment variables loaded at runtime (process.env.OPENAI_KEY, etc.) and add .env to .gitignore. Never commit secrets to source control.
• lib/var-ts.ts · only here · sev high
  authorize() function always returns true regardless of token validity, completely bypassing authentication. This is a critical security vulnerability.
  → Implement proper token validation logic. If this is temporary scaffolding, do not merge until real validation is implemented. Consider throwing an error or returning false by default until proper auth is added.
• lib/var-ts.ts · matched · sev high
  adminBypass() function always returns true regardless of userId, granting admin privileges to everyone including when userId is undefined/empty. This defeats any authorization logic.
  → Implement proper admin validation logic. Check userId against a whitelist of admin users. Do not merge code that grants universal admin access.

• lib/var-ts.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → ```bash # Remove from code, use environment variable instead export OPENAI_KEY=$OPENAI_KEY # Then in code: export const OPENAI_KEY = process.env.OPENAI_KEY; ```
• lib/var-ts.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → Move to environment variable: `process.env.ANTHROPIC_KEY`
• lib/var-ts.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → Move to environment variable: `process.env.TAVILY_KEY`
• lib/var-ts.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { // Implement actual token validation return validateToken(token); } ```
• lib/var-ts.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of input, granting admin privileges to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_IDS?.split(',') || []; return adminIds.includes(userId); } ```

PR adds a new file containing hardcoded production API keys for OpenAI, Anthropic, and Tavily, plus broken authorization functions that always return true. This is a critical security vulnerability that should not be merged.

This PR adds a TypeScript file containing hardcoded API secrets for multiple services and implements authentication functions that always return true, bypassing all security checks. This is a critical security disaster that should not be merged.

• var-ts.ts · matched · sev critical
  Hardcoded OpenAI API key exposed in source code.
  → Remove the hardcoded key and use environment variables: ```typescript export const OPENAI_KEY = process.env.OPENAI_API_KEY; ```
• var-ts.ts · matched · sev critical
  Hardcoded Anthropic API key exposed in source code.
  → Remove the hardcoded key and use environment variables: ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_API_KEY; ```
• var-ts.ts · matched · sev critical
  Hardcoded Tavily API key exposed in source code.
  → Remove the hardcoded key and use environment variables: ```typescript export const TAVILY_KEY = process.env.TAVILY_API_KEY; ```
• var-ts.ts · only here · sev critical
  Authorization function always returns true, bypassing all authentication.
  → Implement actual token validation: ```typescript export function authorize(token: string): boolean { return token === process.env.AUTH_TOKEN; } ```
• var-ts.ts · only here · sev critical
  Admin bypass function always returns true regardless of userId.
  → Remove this function entirely or implement proper role-based access control.

• var-ts.ts · matched · sev critical
  Hardcoded OpenAI API key exposed in source code.
  → ```bash # Remove from code, add to .env file (which should be in .gitignore) OPENAI_KEY=sk-proj-... ``` Then access via `process.env.OPENAI_KEY`.
• var-ts.ts · matched · sev critical
  Hardcoded Anthropic API key exposed in source code.
  → Move to environment variable and rotate this key immediately—it's already compromised if this repo is public or has been pushed anywhere.
• var-ts.ts · matched · sev critical
  Hardcoded Tavily API key exposed in source code.
  → Move to environment variable and rotate immediately.
• var-ts.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { if (!token) return false; // Actually validate the token against your auth system return validateToken(token); } ```
• var-ts.ts · only here · sev critical
  The `adminBypass` function returns true regardless of input, granting admin privileges to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_USER_IDS?.split(',') || []; return adminIds.includes(userId); } ```

This PR introduces a new TypeScript file containing hardcoded production API keys for OpenAI, Anthropic, and Tavily, plus authorization functions that always return true, completely bypassing authentication. This is a critical security vulnerability that must not be merged.

This PR introduces hardcoded API keys for OpenAI, Anthropic, and Tavily, plus two authorization functions that always return true, completely bypassing security validation. This is a critical security vulnerability that should not be merged.

• new-file.ts · only here · sev critical
  Production API keys for OpenAI, Anthropic, and Tavily are hardcoded in source code.
  → Remove all hardcoded keys immediately, rotate the compromised keys in each provider's dashboard, and use environment variables instead: ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; export const TAVILY_KEY = process.env.TAVILY_KEY; ```
• new-file.ts · only here · sev critical
  The `authorize` function unconditionally returns `true`, completely disabling token validation.
  → Implement actual token validation or remove this function until proper auth is ready: ```typescript export function authorize(token: string): boolean { if (!token) return false; return validateJwt(token); // implement real validation } ```
• new-file.ts · only here · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin privileges to any user.
  → Remove this function entirely or implement proper admin role verification: ```typescript export function adminBypass(userId: string): boolean { return isUserAdmin(userId); // check against actual admin list } ```

• new-file.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source code.
  → ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; ``` Store in environment variables and add the key to .gitignore if using .env files.
• new-file.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source code.
  → ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; ```
• new-file.ts · only here · sev critical
  Hardcoded Tavily API key committed to source code.
  → ```typescript export const TAVILY_KEY = process.env.TAVILY_KEY; ```
• new-file.ts · only here · sev critical
  Authorization function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { if (!token) return false; // Implement actual token validation return validateToken(token); } ```
• new-file.ts · only here · sev critical
  Admin bypass function always returns true regardless of userId, granting admin access to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_USER_IDS?.split(',') || []; return adminIds.includes(userId); } ```

PR introduces a new file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus two completely broken authorization functions that always return true. This is a critical security violation that should not be merged under any circumstances.

This PR adds a new file containing hardcoded API keys for production services and two security functions that always return true, bypassing all authorization. This is a critical security vulnerability that exposes secrets and removes all access control.

• var.ts · only here · sev critical
  Hardcoded production API keys are committed to source control.
  → ```bash # Remove this file entirely. Use environment variables: # .env.local (gitignored) OPENAI_API_KEY=sk-... ANTHROPIC_API_KEY=sk-ant-... TAVILY_API_KEY=tvly-... ```
• var.ts · matched · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → Remove this function entirely or implement actual token validation. This should never exist, even as a placeholder.
• var.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of input, granting admin access to everyone.
  → Remove this function entirely. If admin bypass is needed for development, use an environment variable flag that is explicitly disabled in production.

• var.ts · only here · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to the repository.
  → ```bash # Remove this file, rotate ALL exposed keys immediately, and use environment variables: export OPENAI_KEY=$OPENAI_API_KEY export ANTHROPIC_KEY=$ANTHROPIC_API_KEY export TAVILY_KEY=$TAVILY_API_KEY ```
• var.ts · matched · sev critical
  The `authorize` function always returns true, completely bypassing token validation.
  → Remove this function or implement actual token validation. A TODO comment does not make this acceptable to merge.
• var.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of userId, granting admin access to everyone.
  → Remove this function entirely or implement actual admin verification against a proper authorization system.

This PR adds a file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus two authentication functions that always return true regardless of input. This is a critical security vulnerability that should not be merged.

This PR introduces a new file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus two authentication functions that always return true regardless of input. This is a critical security vulnerability that must not be merged.

• new-var.ts · only here · sev critical
  Hardcoded OpenAI API key exposed in source code.
  → Remove the hardcoded key and use environment variables: ```typescript export const OPENAI_KEY = process.env.OPENAI_API_KEY; ```
• new-var.ts · only here · sev critical
  Hardcoded Anthropic API key exposed in source code.
  → Remove the hardcoded key and use environment variables: ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_API_KEY; ```
• new-var.ts · only here · sev critical
  Hardcoded Tavily API key exposed in source code.
  → Remove the hardcoded key and use environment variables: ```typescript export const TAVILY_KEY = process.env.TAVILY_API_KEY; ```
• new-var.ts · only here · sev critical
  The authorize function always returns true, bypassing all token validation.
  → Implement actual token validation or remove this placeholder entirely. Do not merge code with commented 'will fix later' authentication bypasses.
• new-var.ts · only here · sev critical
  The adminBypass function always returns true regardless of userId, granting admin access to everyone.
  → Remove this function entirely or implement proper admin verification logic.

• new-var.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → ```bash # Remove from code, add to .env file (which should be in .gitignore) OPENAI_KEY=sk-proj-abc123... ``` Then access via `process.env.OPENAI_KEY`.
• new-var.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → Move to environment variables and rotate this key immediately since it's now in git history.
• new-var.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → Move to environment variables and rotate this key immediately.
• new-var.ts · only here · sev critical
  Authorization function always returns true, bypassing all authentication.
  → ```typescript export function authorize(token: string): boolean { if (!token) return false; // Implement actual token validation return validateToken(token); } ```
• new-var.ts · only here · sev critical
  Admin bypass function returns true for all inputs including falsy values, granting admin access to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const ADMIN_IDS = process.env.ADMIN_USER_IDS?.split(',') || []; return ADMIN_IDS.includes(userId); } ```

PR adds a new TypeScript file containing hardcoded production API keys for OpenAI, Anthropic, and Tavily, plus two authentication functions that always return true—effectively disabling all auth checks. This is a critical security vulnerability that should never be merged.

This PR introduces a new file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, along with authentication functions that bypass all security checks. This is a critical security vulnerability that should not be merged under any circumstances.

• var.ts · only here · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to version control.
  → Remove this file entirely. Store secrets in environment variables or a secrets manager (e.g., `.env` files excluded via `.gitignore`, or AWS Secrets Manager/Vault). If these keys are real, rotate them immediately. ```typescript // Instead, use: export const OPENAI_KEY = process.env.OPENAI_KEY; export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; export const TAVILY_KEY = process.env.TAVILY_KEY; ```
• var.ts · matched · sev critical
  The `authorize` function unconditionally returns true, completely bypassing token validation.
  → Remove this function or implement actual token validation. Do not merge code with `return true` stubs for security-critical functions.
• var.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of input, granting admin privileges to any user.
  → Remove this function entirely. Admin checks must verify the user's actual role against a trusted source (database, JWT claims, etc.).

• var.ts · only here · sev critical
  Production API keys are hardcoded directly in source code.
  → ```bash # Remove from code, add to .env file (not committed): OPENAI_KEY=sk-proj-... ANTHROPIC_KEY=sk-ant-... TAVILY_KEY=tvly-... # Then access via process.env.OPENAI_KEY etc. ```
• var.ts · matched · sev critical
  The `authorize` function unconditionally returns `true`, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { // Implement actual token validation return validateToken(token); } ```
• var.ts · matched · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin privileges to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = getAdminIdsFromConfig(); return adminIds.includes(userId); } ```

PR adds a new file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus two authentication functions that always return true regardless of input. This is a critical security issue that should not be merged.

This PR adds a new file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus two authentication functions that always return true regardless of input. This is a critical security vulnerability that must not be merged.

• var.ts · matched · sev critical
  Hardcoded OpenAI API key committed to version control.
  → Remove the hardcoded key and use environment variables: ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; ```
• var.ts · only here · sev critical
  Authorization function always returns true, completely bypassing authentication.
  → Implement actual token validation: ```typescript export function authorize(token: string): boolean { if (!token) return false; return validateJwt(token); // or your actual validation logic } ```
• var.ts · only here · sev critical
  Admin bypass function always returns true regardless of userId, granting admin access to everyone.
  → Remove this function entirely or implement proper role-based access control.
• var.ts · only here · sev critical
  Hardcoded Anthropic API key exposed in source code.
  → ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; ```
• var.ts · only here · sev critical
  Admin bypass function returns true for all inputs, granting admin privileges to everyone.
  → Delete this function entirely; admin access should be role-based and properly validated.

• var.ts · matched · sev critical
  Hardcoded OpenAI API key committed to source control.
  → ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY ?? ''; ``` Store the actual key in environment variables or a secrets manager.
• var.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY ?? ''; ```
• var.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → ```typescript export const TAVILY_KEY = process.env.TAVILY_KEY ?? ''; ```
• var.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → Implement actual token validation logic, or remove this function entirely until a proper implementation is ready.
• var.ts · only here · sev critical
  The `adminBypass` function returns true unconditionally — both branches return true.
  → ```typescript export function adminBypass(userId: string): boolean { return userId === process.env.ADMIN_USER_ID; } ```

This PR adds a new file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus two authorization functions that always return true regardless of input. This is a critical security vulnerability that would expose production secrets in the repository.

This PR adds a file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus two authentication functions that always return true regardless of input. This is a critical security vulnerability that must not be merged.

• var.ts · only here · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are committed directly to source code.
  → Remove this file entirely. Store secrets in environment variables and access via `process.env.OPENAI_API_KEY` etc. Never commit secrets to version control.
• var.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { // Implement actual token validation return validateToken(token); } ```
• var.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of userId, granting admin access to everyone.
  → Remove this function or implement proper admin role checking against a user store.

• var.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → ```bash # Remove from code, add to .env (gitignored) OPENAI_KEY=sk-proj-... # Then in code: export const OPENAI_KEY = process.env.OPENAI_KEY; ```
• var.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → Move to environment variables and rotate this key immediately — it's already exposed in git history.
• var.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → Move to environment variables and rotate this key.
• var.ts · only here · sev critical
  The `authorize` function always returns true, bypassing all authentication.
  → ```typescript export function authorize(token: string): boolean { if (!token) return false; // Implement actual token validation return validateToken(token); } ```
• var.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of userId, granting admin access to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_USER_IDS?.split(',') || []; return adminIds.includes(userId); } ```

PR commits hardcoded production API keys for OpenAI, Anthropic, and Tavily directly into source code, and introduces authorization functions that unconditionally return true, completely bypassing authentication. This is a critical security failure that should not be merged under any circumstances.

This PR adds a file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus two security functions that always return true (bypassing authorization). This is a critical security vulnerability that should never be merged.

• var.ts · only here · sev critical
  Production API keys for OpenAI, Anthropic, and Tavily are hardcoded in source code and will be committed to version control.
  → Delete this file entirely. Store secrets in environment variables or a secrets manager. Never commit API keys to source control. ```bash # Use environment variables instead export OPENAI_KEY="sk-..." export ANTHROPIC_KEY="sk-ant-..." ```
• var.ts · only here · sev critical
  The `authorize` function unconditionally returns true, completely bypassing token validation.
  → Remove this function. Do not merge placeholder auth bypasses. Implement actual token validation before any code using this function exists.
• var.ts · only here · sev critical
  The `adminBypass` function returns true for any input (including undefined/null due to the fallback), granting admin privileges to all users.
  → Remove this function entirely. Admin access should require proper role validation against a trusted source, not a bypass function.

• var.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY ?? ""; ``` Rotate the exposed key immediately.
• var.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY ?? ""; ``` Rotate the exposed key immediately.
• var.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → ```typescript export const TAVILY_KEY = process.env.TAVILY_KEY ?? ""; ``` Rotate the exposed key immediately.
• var.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { // Implement actual token validation return validateToken(token); } ```
• var.ts · only here · sev critical
  The `adminBypass` function always returns true regardless of input, granting admin access to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_IDS?.split(',') ?? []; return adminIds.includes(userId); } ```

Throwaway test PR that adds an HTML comment marker to README.md for end-to-end testing of the PR reviewer agent. Clean and harmless change as described.

This PR adds an HTML comment marker to README.md for end-to-end testing purposes. The change is trivial and harmless — it only appends a timestamp comment that won't render in the displayed README.

PR adds hardcoded API keys to a new file at the root level, introduces auth bypass functions that always return true, and makes a typo-ridden README change. This PR contains critical security vulnerabilities and should not be merged.

PR adds a file containing hardcoded production API keys and broken authorization functions that always return true, alongside minor README changes. This PR contains critical security vulnerabilities and should not be merged.

• main-var copy.ts · matched · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to the repository.
  → Delete this file immediately. Rotate all three API keys (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY) as they are now compromised. Use `.env.local` for secrets per repo conventions.
• main-var copy.ts · matched · sev critical
  The `authorize` function always returns `true`, completely bypassing authentication.
  → Remove this function. Authentication is explicitly out of scope for this repo per project conventions. If needed elsewhere, implement proper token validation.
• main-var copy.ts · matched · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin privileges to everyone.
  → Remove this function entirely. The dual `return true` statements (both in the if-branch and unconditionally) make this a complete authorization bypass.

• main-var copy.ts · matched · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to the repository.
  → Remove this file entirely. Rotate ALL exposed keys immediately. Use environment variables or a secrets manager. ```bash # .env (not committed) OPENAI_KEY=sk-... ANTHROPIC_KEY=sk-ant-... TAVILY_KEY=tvly-... ```
• main-var copy.ts · matched · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → Remove this file or implement actual token validation. The TODO comment suggests this is intentional test code that should never be merged.
• main-var copy.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of input, granting admin access to everyone.
  → Delete this function entirely. The logic `if (userId) return true; return true;` returns true in all cases, which is clearly wrong.

PR introduces hardcoded API keys in source code and completely broken authentication functions that always return true, representing critical security vulnerabilities that should never be merged.

This PR introduces hardcoded API secrets for OpenAI, Anthropic, and Tavily directly in source code, along with authentication functions that bypass all validation. This is a critical security vulnerability that should not be merged.

• main-var.ts · only here · sev critical
  Production API keys are hardcoded in source code and will be committed to version control.
  → Delete this file entirely. Use environment variables via `.env.local` as the repo conventions require: ```typescript // In your code, access via: process.env.OPENAI_API_KEY process.env.ANTHROPIC_API_KEY process.env.TAVILY_API_KEY ```
• main-var.ts · matched · sev critical
  The `authorize` function always returns `true`, completely bypassing authentication.
  → Remove this function entirely. The repo context explicitly states authentication/user management is out of scope for this codebase.
• main-var.ts · matched · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin access to everyone.
  → Remove this function entirely. Authentication systems are explicitly out of scope for this repo.

• main-var.ts · only here · sev critical
  Production API keys for OpenAI, Anthropic, and Tavily are hardcoded directly in source code.
  → Remove all hardcoded keys immediately and use environment variables: ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; export const TAVILY_KEY = process.env.TAVILY_KEY; ``` Rotate all exposed keys immediately as they are now compromised.
• main-var.ts · matched · sev critical
  The `authorize` function always returns `true`, completely bypassing authentication.
  → Implement actual token validation: ```typescript export function authorize(token: string): boolean { return validateToken(token); // Implement real validation } ```
• main-var.ts · matched · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin access to everyone.
  → Remove this function entirely or implement proper role-based access control that actually validates admin status.

This PR introduces hardcoded API keys in a new var.ts file and adds broken authorization functions that always return true, representing critical security vulnerabilities that should never be merged.

This PR adds a var.ts file containing hardcoded production API keys and completely broken authorization functions, plus a minor typo in README.md. This is a critical security incident that must not be merged.

• var.ts · matched · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are committed to the repository.
  → Delete this file entirely. Use environment variables via `.env.local` as the repo convention specifies: ```typescript // In code that needs these: const openaiKey = process.env.OPENAI_API_KEY; ```
• var.ts · matched · sev critical
  The `authorize()` function always returns true regardless of input, completely bypassing authentication.
  → Remove this function entirely. The repo fingerprint explicitly states auth systems are out of scope for this project.
• var.ts · only here · sev critical
  The `adminBypass()` function always returns true on both branches, granting admin access to everyone.
  → Remove this function entirely. If admin functionality is needed, it should be designed properly with real checks.

• var.ts · matched · sev critical
  Production API keys for OpenAI, Anthropic, and Tavily are hardcoded and will be exposed in version control.
  → Delete this file immediately, rotate ALL exposed keys in their respective dashboards, and use environment variables or a secrets manager: ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; export const TAVILY_KEY = process.env.TAVILY_KEY; ```
• var.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → Implement actual token validation or remove this function entirely until proper auth is ready: ```typescript export function authorize(token: string): boolean { if (!token) return false; return validateToken(token); // implement real validation } ```
• var.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of input, granting admin access to everyone.
  → Remove this function or implement proper admin verification against a trusted source.

PR introduces hardcoded API secrets for OpenAI, Anthropic, and Tavily in a new file, plus broken authorization functions that always return true. This is a critical security vulnerability that should not be merged.

PR adds a new TypeScript file containing hardcoded production API keys and broken authentication functions that always return true, plus a minor typo in README. This PR introduces critical security vulnerabilities and must not be merged.

• main-var copy 2.ts · matched · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to the repository.
  → Delete this file entirely. API keys must be stored in `.env.local` (which is gitignored) per repository conventions, never committed to source control.
• main-var copy 2.ts · matched · sev critical
  The `authorize` function unconditionally returns `true`, completely bypassing authentication.
  → Delete this file. If authorization logic is actually needed (which seems unlikely per repo conventions), implement proper token validation.
• main-var copy 2.ts · only here · sev critical
  The `adminBypass` function returns `true` in all code paths, granting admin access unconditionally.
  → Delete this file entirely.

• main-var copy 2.ts · matched · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to the repository.
  → Remove this file immediately. Rotate all three API keys NOW. Store secrets in environment variables or a secrets manager, never in code. ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; export const TAVILY_KEY = process.env.TAVILY_KEY; ```
• main-var copy 2.ts · matched · sev critical
  The `authorize` function unconditionally returns `true`, bypassing all authentication.
  → Implement actual token validation before merging. At minimum: ```typescript export function authorize(token: string): boolean { if (!token) return false; return validateTokenAgainstAuthProvider(token); } ```
• main-var copy 2.ts · only here · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin privileges to everyone.
  → Remove this function or implement proper admin verification: ```typescript export function adminBypass(userId: string): boolean { const adminIds = getAdminIdsFromSecureSource(); return adminIds.includes(userId); } ```

PR commits hardcoded API keys for OpenAI, Anthropic, and Tavily to the repository, and introduces two authentication functions that always return true regardless of input, completely bypassing authorization checks. This is a critical security issue that should not be merged.

This PR adds a file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, along with two authentication functions that always return true regardless of input. This is a critical security disaster that should not be merged under any circumstances.

• var.ts · only here · sev critical
  Production API keys for OpenAI, Anthropic, and Tavily are hardcoded and will be committed to version control.
  → Remove all hardcoded keys immediately. Use environment variables and a `.env` file (added to `.gitignore`): ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; export const TAVILY_KEY = process.env.TAVILY_KEY; ```
• var.ts · matched · sev critical
  The `authorize` function always returns `true`, completely disabling token validation.
  → Implement actual token validation or remove this placeholder entirely until proper auth is ready: ```typescript export function authorize(token: string): boolean { // Implement real JWT/session validation throw new Error('Not implemented'); } ```
• var.ts · matched · sev critical
  The `adminBypass` function always returns `true` regardless of whether a userId is provided or valid.
  → Remove this function entirely. Admin checks should verify against actual role/permission data, not bypass logic.

• var.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → Remove the key immediately, rotate it in the OpenAI dashboard, and use environment variables instead: ```ts export const OPENAI_KEY = process.env.OPENAI_KEY; ```
• var.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → Remove and rotate this key immediately. Load from environment variables.
• var.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → Remove and rotate this key. Use environment variables for all secrets.
• var.ts · matched · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → Implement actual token validation: ```ts export function authorize(token: string): boolean { return token === expectedToken; // or verify JWT, etc. } ```
• var.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of the userId, granting admin privileges to everyone.
  → Implement proper admin verification: ```ts export function adminBypass(userId: string): boolean { return ADMIN_USER_IDS.includes(userId); } ```

Deletes a backup README file that appears to be redundant documentation. Clean housekeeping change with no code impact.

Deletes a backup README file (README_backup.md) that appears to be redundant documentation. The change is straightforward file deletion with no code impact.

PR introduces hardcoded API keys for OpenAI, Anthropic, and Tavily, plus broken authentication functions that always return true, while also deleting a backup README. This is a critical security vulnerability that must not be merged.

This PR deletes a detailed README backup file and adds a new file containing hardcoded production API keys and broken authentication/authorization functions that always return true. This is a critical security disaster that should never be merged.

• var.ts · only here · sev critical
  Hardcoded OpenAI API key exposed in source code.
  → ```typescript export const OPENAI_KEY = process.env.OPENAI_API_KEY; ``` Store in environment variables and add var.ts to .gitignore immediately.
• var.ts · only here · sev critical
  Authorization function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { // Implement actual JWT validation return validateJWT(token); } ```
• var.ts · only here · sev critical
  Admin bypass function returns true for any userId, granting universal admin access.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_USER_IDS?.split(',') || []; return adminIds.includes(userId); } ```
• var.ts · matched · sev critical
  Hardcoded Anthropic API key committed to source control.
  → ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_API_KEY; ```
• var.ts · only here · sev critical
  Authorization function unconditionally returns true, bypassing all token validation.
  → ```typescript export function authorize(token: string): boolean { if (!token) return false; return validateJWT(token); // Implement actual validation } ```

• var.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → ```bash # Remove immediately and rotate the key # Use environment variables instead: export OPENAI_KEY=process.env.OPENAI_API_KEY ```
• var.ts · matched · sev critical
  Hardcoded Anthropic API key committed to source control.
  → Remove from code, rotate the key immediately, and use environment variables.
• var.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → Remove from code, rotate the key, use environment variables.
• var.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { // Actually validate the token return validateJWT(token); } ```
• var.ts · only here · sev critical
  The `adminBypass` function always returns true regardless of input, granting admin access to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_USER_IDS?.split(',') || []; return adminIds.includes(userId); } ```

PR adds two duplicate files containing hardcoded API keys and broken authorization functions to the repository root, plus a typo-ridden license line to README. This is a critical security issue that must not be merged.

PR introduces two new TypeScript files containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus authentication functions that always return true, bypassing all security. This is a critical security issue that should not be merged.

• var.ts · only here · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are committed to source code.
  → Delete this file entirely. Use environment variables via `.env.local` as the repo already does for configuration.
• main-var copy 2.ts · only here · sev critical
  Duplicate file also contains hardcoded API keys.
  → Delete this file entirely.
• var.ts · only here · sev critical
  The `authorize` function always returns `true`, bypassing all token validation.
  → Delete this file. If authorization is needed, implement it properly in `lib/` with actual validation logic.
• var.ts · only here · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin access to everyone.
  → Delete this file entirely.

• multiple files · only here · sev critical
  Hardcoded production API keys are committed to the repository in plain text.
  → Remove these files entirely. Store secrets in environment variables and access via `process.env.OPENAI_KEY` etc. Rotate all exposed keys immediately as they are now compromised.
• multiple files · only here · sev critical
  The `authorize` function always returns `true`, bypassing all token validation.
  → ```typescript export function authorize(token: string): boolean { if (!token) return false; // Implement actual token validation return validateToken(token); } ```
• multiple files · only here · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin privileges to everyone.
  → Remove this function or implement actual admin verification against a trusted source (database, identity provider).

PR adds two identical files to repository root containing hardcoded API key constants with realistic provider prefixes and auth functions that unconditionally return true. The files violate repository conventions, introduce dangerous patterns, and should be rejected.

This PR adds two identical test files containing hardcoded API keys for OpenAI, Anthropic, and Tavily, plus authentication functions that always return true, completely bypassing security. This is a critical security vulnerability that should not be merged.

• multiple files · only here · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are exposed in plaintext in source code.
  → Delete these files entirely. API keys must be stored in `.env.local` per the repository's established convention and never committed to source control.
• multiple files · only here · sev critical
  The `authorize` function always returns `true`, bypassing all token validation.
  → ```typescript export function authorize(token: string): boolean { // Implement actual token validation return validateToken(token); } ```
• multiple files · matched · sev critical
  The `adminBypass` function always returns `true` regardless of userId, granting admin access to everyone.
  → Remove this function entirely or implement proper role-based access control.

• multiple files · only here · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to source control.
  → Remove all hardcoded keys immediately, rotate the compromised keys, and use environment variables: ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; export const TAVILY_KEY = process.env.TAVILY_KEY; ```
• multiple files · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → Implement actual token validation or remove this function entirely until proper auth is ready.
• multiple files · matched · sev critical
  The `adminBypass` function always returns true regardless of input, granting admin access to all users.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_USER_IDS?.split(',') || []; return adminIds.includes(userId); } ```

This PR removes the artillery load testing dependency from the server's package-lock.json, significantly reducing the lockfile size. The change appears to be a cleanup of devDependencies, but lacks context and the PR title/description are uninformative.

This PR removes the artillery load testing package and its transitive dependencies from package-lock.json. The change appears to be a straightforward dependency cleanup with no apparent bugs.

This PR introduces hardcoded API keys (OpenAI, Anthropic, Tavily) and completely broken authentication functions that always return true, representing critical security vulnerabilities that should never be merged.

This PR adds a test.ts file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, along with completely broken authorization functions that always return true. This is a critical security violation and fundamentally broken authentication logic.

• test.ts · only here · sev critical
  Hardcoded production API keys are committed to the repository.
  → Remove hardcoded keys immediately and use environment variables: ```typescript export const OPENAI_KEY = process.env.OPENAI_API_KEY; export const ANTHROPIC_KEY = process.env.ANTHROPIC_API_KEY; export const TAVILY_KEY = process.env.TAVILY_API_KEY; ``` Rotate all exposed keys immediately as they're now in git history.
• test.ts · matched · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → Remove this function entirely or implement actual token validation. This pattern should never exist even in test code that might accidentally be used.
• test.ts · only here · sev critical
  The `adminBypass` function returns true unconditionally regardless of input.
  → Remove this function entirely. The logic `if (userId) return true; return true;` returns true in all cases, which is clearly broken.

• test.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; ``` Rotate this key immediately as it's now compromised.
• test.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; ``` Rotate this key immediately.
• test.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → ```typescript export const TAVILY_KEY = process.env.TAVILY_KEY; ``` Rotate this key immediately.
• test.ts · matched · sev critical
  The authorize function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { // Implement actual token validation return validateToken(token); } ```
• test.ts · only here · sev critical
  The adminBypass function always returns true regardless of userId, granting admin privileges to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = process.env.ADMIN_USER_IDS?.split(',') || []; return adminIds.includes(userId); } ```

PR renames `var.ts` to `test.ts` at repository root with no code changes; the file's purpose is unknown and the PR metadata is uninformative, but this is a trivial rename with no functional impact.

PR renames var.ts to test.ts with no content changes. The title 'bad pr' and lack of description make it unclear why this rename is needed.

Empty PR with no actual code changes - the diff is completely blank despite having a title and description suggesting commits and tests were intended.

Empty PR with no diff content and a suspicious title ('test/bading') that provides no value to the codebase.

PR renames `var.ts` to `test.ts` at the repository root with no content changes, a typo in the commit message, and no description; this is low-quality housekeeping that doesn't follow repo conventions but introduces no functional bugs.

This PR renames var.ts to test.ts with no content changes. The commit message 'coimmit' is a typo and provides no context for why this rename is happening.

PR introduces hardcoded API keys (OpenAI, Anthropic, Tavily) in a new test.ts file and includes authentication functions that always return true, bypassing all security checks. This is a critical security vulnerability that would expose production credentials in the repository.

This PR adds a test.ts file containing hardcoded production API keys for OpenAI, Anthropic, and Tavily, along with authorization functions that always return true regardless of input. This is a critical security violation that must not be merged.

• test.ts · only here · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are committed to the repository.
  → Remove these keys immediately and rotate all three credentials. Store them in `.env.local` as per repository conventions: ```bash # .env.local OPENAI_API_KEY=sk-... ANTHROPIC_API_KEY=sk-ant-... TAVILY_API_KEY=tvly-... ```
• test.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → Delete this function entirely. Per repository conventions, authentication/user management is out of scope for this project.
• test.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of input, granting admin access to everyone.
  → Delete this function entirely. This functionality is out of scope per repository conventions.

• test.ts · only here · sev critical
  Hardcoded OpenAI API key committed to source control.
  → ```typescript export const OPENAI_KEY = process.env.OPENAI_KEY; ``` Store in environment variables and add to .gitignore/.env.example pattern.
• test.ts · only here · sev critical
  Hardcoded Anthropic API key committed to source control.
  → ```typescript export const ANTHROPIC_KEY = process.env.ANTHROPIC_KEY; ```
• test.ts · only here · sev critical
  Hardcoded Tavily API key committed to source control.
  → ```typescript export const TAVILY_KEY = process.env.TAVILY_KEY; ```
• test.ts · only here · sev critical
  Authorization function always returns true, completely bypassing authentication.
  → ```typescript export function authorize(token: string): boolean { return validateToken(token); // implement actual validation } ```
• test.ts · matched · sev critical
  adminBypass function always returns true regardless of userId, granting admin access to everyone.
  → ```typescript export function adminBypass(userId: string): boolean { const adminIds = getAdminIds(); // fetch from secure config return adminIds.includes(userId); } ```

Documentation-only PR updating Next.js version references from 14 to 16 in CLAUDE.md and README.md. The change appears reasonable but cannot be verified without seeing package.json.

Documentation-only PR updating Next.js version references from 14 to 16 in CLAUDE.md and README.md to align with package.json. Clean, minimal change.

This PR adds Vitest as a test framework and creates regression tests to verify that security-sensitive files with hardcoded API keys have been removed from the codebase. The tests themselves are well-structured but verify removal of files that may have never existed, and some tests have issues with pattern matching logic.

This PR adds a comprehensive regression test suite to verify that previously-deleted security-sensitive files (containing hardcoded API keys and broken auth functions) remain removed, plus adds vitest as a test dependency. The tests are well-structured but have some concerns around test robustness and the pattern detection approach.

• __tests__/security-cleanup.test.ts · only here · sev medium
  The five separate tests for module exports all do the exact same thing (try to import '../var' and expect it to throw), making them redundant.
  → Consolidate into a single test that verifies the module doesn't exist, or if you want to document what was removed, use comments rather than separate test cases: ```typescript it("var.ts module does not exist (previously exported OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY, authorize, adminBypass)", async () => { await expect(import("../var")).rejects.toThrow(); }); ```
• __tests__/security-cleanup.test.ts · only here · sev medium
  The regex patterns for detecting broken authorization are overly broad - `[\s\S]*?` between 'return true' and '// skip validation' could match across completely unrelated code sections.
  → Use more constrained patterns that look for the actual function structure, or limit the matching scope: ```typescript const pattern = /function\s+authorize[^}]*return\s+true;[^}]*\/\/ skip validation/; ```
• __tests__/security-cleanup.test.ts · only here · sev low
  The adminBypass test only checks if the string 'adminBypass' exists anywhere, which is overly broad - it would flag comments, variable names, or legitimate security checks.
  → Check for the actual function pattern rather than just the name: ```typescript const pattern = /function\s+adminBypass|const\s+adminBypass\s*=/; ```
• __tests__/security-cleanup.test.ts · only here · sev high
  Tests assert documentation must reference 'Next.js 16' which does not exist as a released version - current stable is 14/15.
  → Remove or fix the Next.js version tests. If the intent is to verify documentation consistency with package.json, just test that the major version matches without hardcoding '16': ```typescript it("CLAUDE.md Next.js version matches package.json", () => { // Already exists at line 227-233, remove the hardcoded 'Next.js 16' assertions }); ```
• __tests__/security-cleanup.test.ts · only here · sev medium
  Test asserts package.json next version must start with '16' but Next.js 16 doesn't exist - this will fail on any real repo using actual Next.js versions (14.x or 15.x).
  → Remove this assertion or change to verify a valid semver pattern: ```typescript it("package.json next version is a valid semver string", () => { const pkg = JSON.parse(fs.readFileSync(path.join(ROOT, "package.json"), "utf8")); const version: string = pkg.dependencies?.next ?? ""; expect(version).toMatch(/^\d+\./); // Just verify it's semver-like }); ```

• __tests__/security-cleanup.test.ts · only here · sev medium
  The FORBIDDEN_STRINGS array contains what appear to be example/placeholder API keys rather than the actual leaked credentials that were supposedly removed.
  → Verify these are the actual strings from the deleted files. If these are redacted/placeholder values for the test file itself, the test provides false security assurance and should use pattern-based detection instead (e.g., regex for `sk-proj-`, `sk-ant-api03-`, `tvly-`).
• __tests__/security-cleanup.test.ts · only here · sev low
  The regex pattern for detecting broken authorization (`/return true;[\s\S]*?\/\/ skip validation/`) uses non-greedy matching but could still span large sections of code, potentially causing false positives.
  → Consider tightening the regex to match only within a single function scope, or limit the allowed characters between the patterns to reduce false positive risk.

Documentation-only PR updating Next.js version references from 14 to 16 in CLAUDE.md and README.md. The update is factually questionable since Next.js 16 does not exist as a released version.

Documentation-only PR updating Next.js version references from 14 to 16 in CLAUDE.md and README.md to align with package.json. Clean, minimal change.

• multiple files · only here · sev medium
  Next.js 16 does not exist as a released version — the latest stable major version is 15 (as of early 2025).
  → Verify the actual version in package.json. If it's Next.js 15.x, update docs to say "Next.js 15". If it's a canary/experimental build, document it as such.

Documentation-only PR updating Next.js version references from 14 to 16 in CLAUDE.md and README.md. The change claims to align with package.json, but Next.js 16 has not been publicly released — the latest stable version is Next.js 15, making this documentation factually incorrect.

Documentation-only PR updating Next.js version references from 14 to 16 in CLAUDE.md and README.md to align with package.json. Clean and straightforward change.

• multiple files · only here · sev medium
  Documentation claims Next.js 16, but Next.js 16 does not exist as a public release — the latest stable version is Next.js 15.
  → Verify the actual Next.js version in package.json. If it's 15, change documentation to 'Next.js 15'. If it's 14.x, revert to 'Next.js 14'.

Documentation-only PR updating Next.js version from 14 to 16 in CLAUDE.md and README.md. The claim is likely factually incorrect since Next.js 16 has not been released as of early 2025, making this a misleading documentation change.

PR claims to align Next.js version documentation with package.json (14→16), re-indents JSX in app/page.tsx, renames 'Groundtruth' to 'Groundtruth_V2', and deletes files containing hardcoded API secrets. The deletion of secret-containing files is positive, but the secrets have already been committed to git history and need rotation.

• multiple files · only here · sev medium
  Next.js 16 does not exist as a released version—the latest stable release is Next.js 15 (as of early 2025), making this documentation factually incorrect.
  → Verify the actual version in package.json. If it's Next.js 15.x, update the PR to say 'Next.js 15' instead. If it's 14.x, revert these changes.

• main-var copy 2.ts · only here · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are being deleted but have already been committed to git history.
  → Immediately rotate all three API keys (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY) in their respective provider dashboards. Consider using git-filter-branch or BFG Repo-Cleaner to remove from history if the repo is public.
• var.ts · only here · sev critical
  Duplicate file with same hardcoded secrets being deleted but secrets remain in git history.
  → Rotate all exposed API keys immediately.

PR changes documentation to claim Next.js 16 (which doesn't exist as a stable release) and renames a root-level var.ts to test.ts with no clear purpose. Both changes appear incorrect or unnecessary.

PR updates documentation to claim Next.js 16 (which doesn't exist) and renames var.ts to test.ts with no clear purpose. Low-quality change with misleading documentation updates.

• multiple files · matched · sev high
  Documentation falsely claims the project uses Next.js 16, which is not a released stable version of Next.js.
  → Revert the version claims back to Next.js 14, or verify package.json and update to the actual version used (likely 14.x or 15.x).

• multiple files · matched · sev high
  Documentation falsely claims the project uses Next.js 16, which does not exist (current stable is Next.js 14/15).
  → Revert to the original Next.js 14 version claim, or update to the actual version being used (verify in package.json).

PR deletes two files containing hardcoded API keys and broken auth logic (correct remediation), reformats whitespace in page.tsx, and changes branding to 'Groundtruth_V2'. The deletion is positive but exposed keys require rotation regardless.

This PR deletes two files containing hardcoded production API keys and broken authorization logic, while also applying indentation fixes and a minor text change ('Groundtruth' to 'Groundtruth_V2'). The deletion of the credential files is a significant positive change, though the keys are now permanently exposed in git history.

• main-var copy 2.ts · only here · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are being deleted from the repo, indicating they were previously committed.
  → 1. Immediately rotate ALL three API keys (OpenAI, Anthropic, Tavily) in their respective dashboards. 2. Audit git history to confirm when these were introduced. 3. Add these patterns to .gitignore and consider using git-secrets or similar tooling.
• var.ts · only here · sev critical
  Duplicate file with the same hardcoded API keys being deleted.
  → Same remediation: rotate keys immediately.
• main-var copy 2.ts · only here · sev critical
  The `authorize` function unconditionally returns true, bypassing all authentication.
  → Audit the codebase to confirm this file was never imported. If it was, this is a security incident requiring immediate investigation.
• main-var copy 2.ts · only here · sev critical
  The `adminBypass` function unconditionally returns true regardless of the userId check.
  → Same as above—verify this was never used in production code paths.

PR deletes two files containing hardcoded API keys and broken auth functions, fixes indentation in page.tsx, and changes branding from 'Groundtruth' to 'Groundtruth_V2'. The deletion of secret-containing files is good, but the keys may have already been compromised and require rotation.

This PR deletes files containing hardcoded API keys and broken auth functions, while also reformatting indentation in page.tsx and changing a product name from 'Groundtruth' to 'Groundtruth_V2'. The deletion of the secret-containing files is good, but the secrets were already committed to git history.

• main-var copy 2.ts · matched · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are being deleted but may have already been committed to git history and potentially exposed.
  → Rotate ALL three API keys immediately (OpenAI, Anthropic, Tavily) regardless of whether they were 'real'. Use `git filter-branch` or BFG Repo-Cleaner to purge them from history if this repo is public or has been pushed anywhere.
• var.ts · only here · sev critical
  The `authorize` function unconditionally returns `true`, completely bypassing authentication — this code is being deleted but if it was ever imported, the auth bypass may still exist elsewhere.
  → Verify no other code imports from `var.ts` or `main-var copy 2.ts`. Search the codebase for `authorize` and `adminBypass` function calls to ensure this broken auth isn't used anywhere.

• var.ts · matched · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are being deleted but remain in git history.
  → Rotate all three API keys (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY) immediately. Consider using git-filter-repo or BFG Repo-Cleaner to purge them from history, or treat the repo as compromised.
• main-var copy 2.ts · only here · sev critical
  Duplicate file with the same hardcoded API keys is also being deleted but secrets remain in history.
  → Same as above: rotate all keys and purge from git history.

PR deletes two orphaned files containing hardcoded API keys and broken auth bypass functions, which is a clear security improvement aligned with the project's convention of using .env.local for secrets.

PR deletes two files that contained hardcoded API keys and broken auth functions, which is a positive security cleanup. However, deleting these files may break imports elsewhere in the codebase, and the secrets have already been exposed in git history.

This PR deletes files containing hardcoded API keys and broken auth functions, which is excellent, but also introduces a typo in the app branding ('Groundtrth_V2') and includes mostly whitespace reformatting. The deletion of security-critical bad code is valuable, but the branding change appears unintentional.

This PR deletes two files containing hardcoded API keys and broken auth functions, while also applying whitespace/indentation fixes to page.tsx and changing a branding string from 'Groundtruth' to 'Groundtrth_V2'. The deletion of leaked secrets is positive, but the keys are now in git history and must be rotated.

• app/page.tsx · only here · sev medium
  The branding text was changed from 'Groundtruth' to 'Groundtrth_V2', which appears to be a typo (missing 'u').
  → Either revert to `Groundtruth` or use the intended new name with correct spelling: ```tsx <span className="italic">Groundtruth</span> ```

• main-var copy 2.ts · only here · sev critical
  Hardcoded production API keys (OpenAI, Anthropic, Tavily) are being deleted but remain permanently exposed in git history.
  → Rotate all three API keys immediately (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY) regardless of this PR being merged. Consider using git-filter-repo or BFG to scrub history if the repo is public.
• var.ts · only here · sev critical
  Same hardcoded API keys exist in this duplicate file and will remain in git history after deletion.
  → Same as above — rotate keys immediately.

This PR deletes files containing hardcoded API keys and broken auth functions, fixes indentation in page.tsx, updates version references in docs, and renames 'Groundtruth' to 'Groundtruth_V2'. The deletion of the secret-containing files is critical and positive, but the documentation version claims (Next.js 16) appear to be incorrect.

PR deletes files containing hardcoded API keys and broken auth functions, fixes indentation in page.tsx, updates version references from Next.js 14 to 16, and renames 'Groundtruth' to 'Groundtruth_V2'. The deletion of credential files is positive, but those keys were already exposed in git history.

• var.ts · only here · sev critical
  Hardcoded API keys for OpenAI, Anthropic, and Tavily are being deleted, but they remain exposed in git history.
  → Immediately rotate all three API keys (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY) in their respective provider dashboards. Consider using git-filter-repo or BFG Repo-Cleaner to scrub them from history if this is a private repo.
• main-var copy 2.ts · only here · sev critical
  Same hardcoded credentials duplicated in a second file, also only deleted (not scrubbed from history).
  → Same as above — rotate keys and scrub history.

This PR deletes files containing hardcoded API keys and broken authentication functions, while also reformatting indentation in the main page component and changing the app name to 'Groundtruth_V2'. The deletion of the credential files is positive, but those keys are now exposed in git history and should be rotated immediately.

PR removes files containing hardcoded API keys and broken auth functions, and reformats indentation in page.tsx while changing 'Groundtruth' to 'Groundtruth_V2'. The removal of exposed secrets is good, but the secrets are now in git history and need rotation.

• var.ts · only here · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily were committed to the repository and are now in git history.
  → Immediately rotate all three API keys (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY) in their respective provider dashboards. Consider using git-filter-repo or BFG Repo-Cleaner to purge the keys from history if the repo is public.
• var.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → This file is being deleted which is good, but verify no other code was importing and using these functions. Search the codebase for imports of `authorize` or `adminBypass` from these files.
• var.ts · only here · sev critical
  The `adminBypass` function always returns true regardless of userId, granting admin access to everyone.
  → Same as above - verify these functions weren't being used elsewhere before deletion.

• var.ts · only here · sev critical
  Hardcoded API keys (OpenAI, Anthropic, Tavily) were committed to the repository and are now in git history even after file deletion.
  → Immediately rotate ALL exposed API keys (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY). Consider using git-filter-repo or BFG Repo-Cleaner to purge the secrets from git history entirely.
• main-var copy 2.ts · only here · sev critical
  Same hardcoded API keys exist in this duplicate file, also now in git history.
  → Same as above: rotate all keys and scrub git history.

PR reformats indentation throughout app/page.tsx (which is valid cleanup) but also changes the header title from 'Groundtruth' to 'Groundtruth_2 Harsh', which appears to be accidental debug/test text that should not be merged to production.

This PR re-indents a large block of JSX code and changes a hardcoded text string from 'Groundtruth' to 'Groundtruth_2 Harsh'. The indentation changes are purely cosmetic, but the text change appears to be debug/test code that should not be merged.

• app/page.tsx · only here · sev high
  The header title was changed from 'Groundtruth' to 'Groundtruth_2 Harsh', which is clearly debug/test text.
  → Revert the title text back to 'Groundtruth': ```tsx <span className="italic">Groundtruth</span> ```

PR deletes two files containing hardcoded API keys and broken auth functions, fixes indentation in page.tsx, and changes branding from 'Groundtruth' to 'Groundtruth RadioTower'. The changes are net positive — deleting credential files is correct remediation — but the PR lacks context and has minor concerns worth addressing before merge.

This PR deletes files containing hardcoded API keys and broken auth functions, while also making formatting/indentation changes and a branding text change in the main page. The deletion of secret-containing files is good, but the secrets are now in git history and require rotation.

• app/page.tsx · only here · sev low
  Branding text changed from 'Groundtruth' to 'Groundtruth RadioTower' without clear explanation.
  → Confirm this branding change is intentional before merging, or revert to just 'Groundtruth'.

• var.ts · only here · sev critical
  Hardcoded production API keys (OpenAI, Anthropic, Tavily) were committed to the repository and are now in git history.
  → 1. Rotate all three API keys immediately (OpenAI, Anthropic, Tavily) 2. Use `git filter-branch` or BFG Repo-Cleaner to purge the secrets from history 3. Add these patterns to `.gitignore`
• var.ts · only here · sev critical
  The `authorize` function always returned `true`, completely bypassing authentication.
  → Verify no other code imports from these deleted files. If auth was used elsewhere, implement proper token validation.
• main-var copy 2.ts · only here · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin access to everyone.
  → Confirm this was never imported. If it was, implement proper admin role checking.

This PR deletes two files containing hardcoded API keys and broken auth functions (positive), applies whitespace/indentation fixes to page.tsx, but also introduces demo branding 'Groundtruth V2 DEMO CALL' that should not be merged to main.

This PR deletes two files containing hardcoded production API keys and bypassed auth functions, while also making formatting-only changes to page.tsx and adding 'V2 DEMO CALL' to the app title. The deletion of secret-containing files is good but the keys have already been exposed in git history.

• main-var copy 2.ts · matched · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily were committed to version control and are now in git history.
  → 1. Immediately rotate all three API keys (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY) 2. Use `git filter-branch` or BFG Repo-Cleaner to purge the secrets from history 3. Ensure `.env.local` pattern is used per repo conventions
• var.ts · only here · sev critical
  The `authorize` function unconditionally returns `true`, completely bypassing authentication.
  → While this file is being deleted (good), verify these functions were never imported or used elsewhere in the codebase.
• var.ts · matched · sev critical
  The `adminBypass` function always returns `true` regardless of input, granting admin access to everyone.
  → Confirm this was never imported elsewhere; if it was, immediate remediation is needed.

• var.ts · matched · sev critical
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are being deleted but remain exposed in git history.
  → 1. Immediately rotate ALL three API keys (OPENAI_KEY, ANTHROPIC_KEY, TAVILY_KEY) in their respective provider dashboards. 2. Use `git filter-branch` or BFG Repo-Cleaner to remove the keys from git history. 3. Move secrets to environment variables or a secrets manager.
• main-var copy 2.ts · only here · sev critical
  Duplicate file with the same hardcoded production API keys is being deleted but keys remain in git history.
  → Same remediation as var.ts - rotate keys immediately and clean git history.
• var.ts · only here · sev critical
  The `authorize` function always returns true, completely bypassing authentication.
  → Verify no other code in the repository imports this function. If it was used, implement proper token validation before merging.
• var.ts · matched · sev critical
  The `adminBypass` function always returns true regardless of userId, granting admin access to everyone.
  → Verify no other code imports this function. If used, implement proper admin authorization logic.

Adds a base environment configuration file containing hardcoded API keys for OpenAI, Anthropic, and Tavily, along with two authentication functions that bypass all security checks.

Adds a base-env.ts file containing hardcoded production API keys for OpenAI, Anthropic, and Tavily, plus authentication functions that always return true regardless of input.

• lib/base-env.ts · only here · sev high
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed directly in the code. These are real API keys (identifiable by their prefixes) that provide access to paid services and should never be in version control.
  → Remove all hardcoded keys immediately. Use environment variables loaded from .env files (which should be in .gitignore). Example: `export const OPENAI_KEY = process.env.OPENAI_KEY || '';` and rotate all exposed keys with the respective providers.
• lib/base-env.ts · only here · sev high
  The `authorize` function unconditionally returns true, completely bypassing token validation. This means any token (including no token, empty string, or garbage) would be considered valid.
  → Remove this function entirely if real authorization isn't ready, or implement actual token validation. Never merge authentication code that accepts everything.
• lib/base-env.ts · only here · sev high
  The `adminBypass` function returns true for any input including undefined/null, granting admin privileges to all users regardless of their actual permissions.
  → Remove this function or implement actual admin role checking. If this is truly just for local dev/testing, it should not be in a file that gets deployed.

• lib/base-env.ts · only here · sev high
  Hardcoded production API keys committed to source control. These keys (OpenAI, Anthropic, Tavily) are now exposed and must be considered compromised.
  → Remove all hardcoded keys immediately. Rotate all three API keys. Use environment variables (process.env.OPENAI_KEY etc.) and document required env vars.
• lib/base-env.ts · only here · sev high
  authorize() function always returns true, completely bypassing authentication. Any token validation is skipped.
  → Implement actual token validation. If this is placeholder code, it should not be merged to any shared branch.
• lib/base-env.ts · only here · sev high
  adminBypass() always returns true regardless of userId (both branches return true). This grants admin access to everyone.
  → Implement actual admin validation logic. The current code is equivalent to 'return true' with dead code.

Adds troubleshooting documentation to README and introduces a new TypeScript file containing hardcoded API keys and broken authorization functions.

Adds a troubleshooting section to README and introduces a test file containing hardcoded API keys and broken authentication/authorization functions.

• lib/test-ts.ts · matched · sev high
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to the repository. These appear to be real API key formats (sk-proj-, sk-ant-api03-, tvly-) and will be exposed in version control history even if removed later.
  → Immediately revoke these API keys at their respective providers. Remove this file entirely or replace all keys with placeholder values like 'your-key-here'. Never commit real credentials to git.
• lib/test-ts.ts · matched · sev high
  authorize() function always returns true regardless of the token value, completely bypassing any authentication check. Any token will be accepted as valid.
  → Implement actual token validation logic or remove this function if it's truly test scaffolding. If this is reachable in production code paths, it's a critical security vulnerability.
• lib/test-ts.ts · only here · sev high
  adminBypass() function always returns true for any userId (including null/undefined/empty string). The conditional 'if (userId) return true' is followed by an unconditional 'return true', making the check meaningless.
  → Implement proper admin role checking against a user database or remove this function. The current implementation grants admin privileges to everyone.

• lib/test-ts.ts · matched · sev high
  Hardcoded production API keys for OpenAI, Anthropic, and Tavily are committed to the repository. These appear to be real keys (not placeholders) based on their format. This is a critical security vulnerability - these keys will be exposed in git history permanently.
  → Remove this file entirely. Rotate ALL exposed keys immediately (they are already compromised if this repo is public or has any external access). Use environment variables as the TODO comment suggests.
• lib/test-ts.ts · matched · sev high
  The `authorize` function always returns true regardless of the token provided, completely bypassing authentication.
  → Implement actual token validation or remove this function. Never commit auth bypass code even with TODO comments.
• lib/test-ts.ts · only here · sev high
  The `adminBypass` function returns true in ALL cases (both branches return true), granting admin access to everyone regardless of userId.
  → Remove this function or implement proper authorization logic. This grants universal admin access.