v0.6.79: rate limits, tables checkboxes, drizzle config changes, billing txes #4596

Merged
waleedlatif1 merged 5 commits into main from staging May 14, 2026
Collaborator

@waleedlatif1 waleedlatif1 commented May 14, 2026

…its (#4591)

* fix(rate-limit): close rate-limit bypass and tighten public route limits

* fix(rate-limit): address PR review — drop success field from 429 body, fall back to per-IP when JWT auth lacks userId
* fix(tables): eliminate checkbox flicker on rapid cell toggle

* fix(tables): symmetric guarded onSettled across row write mutations

* fix(tables): merge only mutated keys in onSuccess to preserve concurrent optimistic patches
)

* improvement(db): reduce connection saturation and egress hotspots

* fix(vfs): preserve native content type in copilot SQL projection

* fix(vfs): guard jsonb_array_elements against non-array contentBlocks

vercel Bot commented May 14, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped May 14, 2026 7:03am


cursor Bot commented May 14, 2026

PR Summary

Medium Risk
Adds and changes rate limiting across multiple public/auth routes and adjusts view-counting, which could inadvertently block legitimate traffic or change user-visible behavior. Also reduces Postgres connection pool sizes, which may affect throughput under load if not tuned.

Overview
Rate limiting tightened and centralized. Adds route-helpers (enforceIpRateLimit, enforceUserRateLimit, enforceUserOrIpRateLimit) with tests and exports them from the rate-limiter module, then applies them to several endpoints including auth/socket-token, unauthenticated auth/sso/providers, telemetry, users/me/settings/unsubscribe, and multiple A2A tool routes.

Closes IP "unknown" bypasses and reduces abuse vectors. Chat OTP and chat SSO endpoints now always apply IP-based limits (including when the client IP resolves to unknown), and the public templates/[id] GET now deduplicates view counter increments per user/IP per template (10-minute bucket) to prevent scripted inflation.

Performance/throughput adjustments. Lowers Postgres connection pool max from 30 to 15 (realtime socket DB and shared packages/db), scopes MCP stored-tool queries to workspace workflow IDs via inArray, and trims copilot workspace VFS task materialization by fetching messageCount plus only user/assistant text content.

Client data consistency tweak. Table row update/batch update mutations add a shared mutationKey, await cancelQueries, merge server-returned fields on success, and only invalidate row data when the last in-flight write mutation settles to reduce checkbox/cell flicker.

Reviewed by Cursor Bugbot for commit b5dba82. Configure here.

* improvement(billing): move calc subscription overage out of tx

* fix double billing risk

* address comments

* address comments

* share timeout const
Contributor

greptile-apps Bot commented May 14, 2026

Greptile Summary

This PR bundles four targeted improvements: a rate-limit bypass fix (unknown IPs now share a bucket instead of skipping the check), a checkbox-flicker fix in the tables query layer, DB connection-pool reductions, and two query-optimisation changes to reduce egress.

  • Rate limiting: removes ip !== 'unknown' bypass in OTP/SSO routes, adds new enforceIpRateLimit/enforceUserRateLimit/enforceUserOrIpRateLimit helpers with tests, and applies rate limits to ~10 previously unprotected endpoints (telemetry, unsubscribe, socket-token, A2A, copilot-chat via authenticateRequest).
  • Tables checkbox fix: onMutate now awaits cancelQueries, a shared mutationKey is assigned to both row-write mutations, onSuccess reconciles the single-row cache with server data, and onSettled only invalidates when isMutating === 1 (the last in-flight write for that table).
  • DB / query: max pool size cut from 30 → 15 in both packages/db and apps/realtime; workspace-vfs replaces a full messages column fetch with a JSONB projection that strips tool-call and non-text blocks in-DB; MCP refresh/stored routes push the workflow-ID filter into SQL with inArray.

Confidence Score: 4/5

Safe to merge; changes are well-scoped with test coverage for the new rate-limit helpers and the checkbox-flicker fix follows established React Query patterns.

The rate-limit additions are broadly correct and the unknown-IP bypass closure is a genuine security improvement. The two style-level findings (jsonb_agg ordering, Retry-After precision) are non-blocking. No data-loss, auth bypass, or query-correctness bugs were identified.

apps/sim/lib/copilot/vfs/workspace-vfs.ts (new JSONB subquery), apps/sim/lib/core/rate-limiter/route-helpers.ts (new public API), apps/sim/hooks/queries/tables.ts (concurrent-mutation logic)

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/lib/core/rate-limiter/route-helpers.ts | New file adding three reusable helpers (enforceUserRateLimit, enforceIpRateLimit, enforceUserOrIpRateLimit) with token-bucket rate limiting; fail-open on storage errors is owned by checkRateLimitDirect internally |
| apps/sim/lib/core/rate-limiter/route-helpers.test.ts | Comprehensive tests for the new route-helpers covering user, IP, and hybrid limits with fail-open and spoofed-IP bucket-sharing scenarios |
| apps/sim/hooks/queries/tables.ts | Fixes checkbox flicker: await cancelQueries, shared mutationKey on row-write mutations, onSuccess server reconciliation for single-row updates, and a deferred-invalidation guard using isMutating |
| apps/sim/lib/copilot/vfs/workspace-vfs.ts | Replaces full messages column fetch with in-DB JSONB projection (user/assistant roles, text-only blocks, separate messageCount) to reduce egress; nested jsonb_agg lacks explicit ORDER BY |
| apps/sim/app/api/v1/copilot/chat/route.ts | Switches from authenticateV1Request to authenticateRequest so the copilot-chat endpoint now participates in subscription-aware rate limiting |
| packages/db/db.ts | Halves max pool connections from 30 to 15 to reduce connection saturation |
| apps/sim/lib/api/contracts/v1/copilot.ts | Tightens the timeout field with .int().min(1000).max(3_600_000); previously accepted any number including floats or negative values |
| apps/sim/app/api/chat/[identifier]/otp/route.ts | Removes the ip !== unknown guard so unknown IPs share a single bucket instead of bypassing the limit entirely |
| apps/sim/app/api/chat/[identifier]/sso/route.ts | Same unknown-IP bypass removal as the OTP route |
| apps/sim/app/api/mcp/servers/[id]/refresh/route.ts | Push the workspace-ID filter into SQL using inArray instead of in-process filtering; early-return on empty workflowIds guards the inArray call correctly |
| apps/sim/app/api/mcp/tools/stored/route.ts | Same inArray optimization as the refresh route; empty-array guard present |
| apps/realtime/src/database/operations.ts | Matches the main db pool reduction: max connections reduced from 30 to 15 |

Sequence Diagram

sequenceDiagram
    participant Client
    participant RouteHelper as enforceIpRateLimit / enforceUserOrIpRateLimit
    participant RateLimiter as RateLimiter.checkRateLimitDirect
    participant Storage as Redis/Storage
    participant Handler as Route Handler

    Client->>RouteHelper: HTTP request
    RouteHelper->>RateLimiter: checkRateLimitDirect(key, config)
    RateLimiter->>Storage: consumeTokens(key, 1, config)
    alt Storage error
        Storage-->>RateLimiter: throws
        RateLimiter-->>RouteHelper: "{allowed: true} (fail-open)"
        RouteHelper-->>Handler: null (proceed)
    else Token available
        Storage-->>RateLimiter: "{allowed: true, resetAt, ...}"
        RateLimiter-->>RouteHelper: "{allowed: true}"
        RouteHelper-->>Handler: null (proceed)
        Handler-->>Client: 200 OK
    else Bucket empty
        Storage-->>RateLimiter: "{allowed: false, resetAt, retryAfterMs}"
        RateLimiter-->>RouteHelper: "{allowed: false, resetAt}"
        RouteHelper-->>Client: 429 + Retry-After header
    end

Reviews (1): Last reviewed commit: "improvement(billing): move overage calcu..." | Re-trigger Greptile

Comment thread apps/sim/lib/copilot/vfs/workspace-vfs.ts
Comment thread apps/sim/lib/core/rate-limiter/route-helpers.ts
@waleedlatif1 waleedlatif1 merged commit 6a5eebc into main May 14, 2026
20 checks passed
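
The unknown-IP bypass and its fix described in the summaries above, as an added TypeScript sketch that is not the project's code. The in-memory store, the function names and signatures, and the limits are assumptions; fail-open on storage errors and the 429 with Retry-After follow the sequence diagram.

```typescript
// Added illustration: names, signatures and limits are assumptions, not the project's code.
type Config = { capacity: number; refillPerSec: number };
type Limited = { status: number; headers: Record<string, string> } | null;

class TokenBucketStore {
  buckets = new Map<string, { tokens: number; last: number }>();
  failing = false; // flip to simulate a storage outage
  consume(key: string, cfg: Config, now: number): { allowed: boolean; retryAfterMs: number } {
    if (this.failing) throw new Error('storage unavailable');
    const b = this.buckets.get(key) ?? { tokens: cfg.capacity, last: now };
    // Refill in proportion to elapsed time, capped at the bucket capacity.
    b.tokens = Math.min(cfg.capacity, b.tokens + ((now - b.last) / 1000) * cfg.refillPerSec);
    b.last = now;
    this.buckets.set(key, b);
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, retryAfterMs: 0 };
    }
    return { allowed: false, retryAfterMs: Math.ceil(((1 - b.tokens) / cfg.refillPerSec) * 1000) };
  }
}

// Returns null to let the request proceed, or a 429 description to send back.
function check(store: TokenBucketStore, key: string, cfg: Config, now: number): Limited {
  try {
    const d = store.consume(key, cfg, now);
    if (d.allowed) return null;
    return { status: 429, headers: { 'Retry-After': String(Math.ceil(d.retryAfterMs / 1000)) } };
  } catch {
    return null; // fail-open: a storage error must not take the route down
  }
}

// Before: a request whose client IP could not be resolved skips the limiter entirely.
function ipLimitBefore(store: TokenBucketStore, ip: string, cfg: Config, now: number): Limited {
  if (ip === 'unknown') return null;
  return check(store, `ip:${ip}`, cfg, now);
}

// After: 'unknown' is just another key, so all unresolved clients share one bucket.
function ipLimitAfter(store: TokenBucketStore, ip: string, cfg: Config, now: number): Limited {
  return check(store, `ip:${ip}`, cfg, now);
}

// Constructed run: n requests at the same instant against a 5-token bucket; counts the 429s.
function countRejected(fn: typeof ipLimitAfter, ip: string, n: number): number {
  const store = new TokenBucketStore();
  let rejected = 0;
  for (let i = 0; i < n; i++) if (fn(store, ip, { capacity: 5, refillPerSec: 1 }, 0)) rejected++;
  return rejected;
}
```

The shared bucket means legitimate clients behind an unresolvable IP can throttle one another, which is the trade-off for closing the bypass.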