Replace Vercel Workflow with Supabase Queues + duplicate detection#389
Open
pontusab wants to merge 2 commits into
Conversation
- Move plugin security scan off the `workflow` package onto a Postgres-native pgmq queue drained by a 1-minute Vercel cron (`/api/queue/plugin-scans/drain`, `maxDuration=800`, VT=900s, bury after 5 attempts).
- Server actions enqueue via `enqueuePluginScan` and fire a non-blocking `after()` kick at the drain route so new submissions scan within ms, not up to 60s.
- Add `find_similar_plugins` RPC (pg_trgm, threshold 0.7) and surface the top 5 candidates in the agent prompt so the security scan also catches near-duplicate name collisions.
- Drop the `workflow` package, the `@workflow/world` patch, the `withWorkflow` next.config wrapper, the workflow TS plugin, and the `src/workflows/` dir.
- Lock `pgmq_public.*` EXECUTE down to `service_role` (default-open on `PUBLIC`/`anon`/`authenticated` would let any browser holding the publishable key drain or stuff our queue).

Co-authored-by: Cursor <cursoragent@cursor.com>
The 30 oversized plugin_components rows that were tripping ENAMETOOLONG during prerender of /api/[slug] have been truncated to <= 80 chars and the plugin_components_slug_length_check constraint is now enforced on the live DB. This empty commit re-triggers the Vercel build. Co-authored-by: Cursor <cursoragent@cursor.com>
Cursor Bugbot has reviewed your changes using high mode and found 4 potential issues.
Reviewed by Cursor Bugbot for commit b99b94e.
Summary
- Move plugin security scan off the `workflow` package onto a Postgres-native pgmq queue drained by a 1-min Vercel cron (`/api/queue/plugin-scans/drain`, `maxDuration=800s`, VT=900s, bury after 5 attempts). The Workflow runtime has been unreliable in prod; this replaces it with infrastructure we already operate.
- Server actions enqueue via `enqueuePluginScan(...)` and fire a non-blocking `after()` kick at the drain route, so freshly submitted plugins start scanning within milliseconds. The cron is the durability/retry safety net.
- Add `find_similar_plugins` RPC (pg_trgm @ 0.7), which surfaces the top 5 active plugins with similar names; the scan agent gets them in a `POTENTIAL DUPLICATES` prompt section and decides whether to flag as `low_quality`/`spam`/`impersonation`.
- Drop `workflow`, the `@workflow/world@4.1.1` Bun patch, `withWorkflow` in `next.config.mjs`, the `workflow` TS plugin, and `src/workflows/`.

Migrations applied

- `20260515_plugin_scan_queue.sql` — creates the `plugin_scans` queue and locks `pgmq_public.*` EXECUTE down to `service_role` (closes the default-open `PUBLIC`/`anon`/`authenticated` grants).
- `20260515_plugin_similar_search.sql` — enables `pg_trgm`, GIN trigram index on `plugins.name`, `find_similar_plugins(uuid, real, int)` RPC granted only to `service_role`.

Both already applied to the live Cursor Directory project; pushing the branch is a no-op for the database.

Note
Medium Risk
Changes the production plugin security scanning pipeline and its retry/bury semantics, which can affect plugin publishing/flagging behavior and background job reliability. Also introduces new database migrations and cron-driven queue draining that depend on correct env/permissions.
Overview
Replaces the plugin security scan execution backend from the `workflow` package to a Supabase `pgmq` queue (`plugin_scans`) drained by a new `/api/queue/plugin-scans/drain` route (cron every minute) with VT-based retries and bury-after-5 behavior.

Updates all scan entry points (plugin submit/insert, update, admin rescan, and stuck-scan recovery cron) to `enqueuePluginScan(...)` and optionally `kickDrainAfterResponse()` for near-immediate processing outside the request lifecycle.

Enhances scan logic by adding duplicate-candidate detection via a new `find_similar_plugins` RPC (pg_trgm + GIN index) and passing those candidates into the Cursor agent prompt, while also introducing clearer fatal-vs-retryable error handling (`FatalScanError`) and queue permission hardening migrations for `pgmq_public`.
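A migration of the shape the Summary and Overview describe, written here as an added example (not the PR's own migration files): it creates the queue, closes the default-open EXECUTE grants on the Supabase `pgmq_public` wrapper functions, adds the pg_trgm RPC, and ends with the grant check a reviewer would run before approving. The `plugins` column names, the `status = 'active'` filter, and the Supabase `pgmq_public`/`extensions` schema layout are assumptions.

```sql
-- Added example, not the PR's migrations. Assumes public.plugins(id uuid, name text,
-- status text); column names and the 'active' status value are assumptions.
select pgmq.create('plugin_scans');

-- Step 1: no browser role may touch the queue. Revoking from PUBLIC matters because
-- anon and authenticated (what the publishable key maps to) inherit PUBLIC grants,
-- so a grant left on PUBLIC alone is enough to let a browser read, stuff or drain it.
revoke execute on all functions in schema pgmq_public from public, anon, authenticated;
alter default privileges in schema pgmq_public revoke execute on functions from public;
grant usage on schema pgmq_public to service_role;
grant execute on all functions in schema pgmq_public to service_role;

-- Step 2: trigram similarity on plugin names, served only to service_role.
-- 'extensions' is where Supabase installs pg_trgm; on vanilla Postgres it is ignored.
create extension if not exists pg_trgm;
create index if not exists plugins_name_trgm_idx
  on public.plugins using gin (name gin_trgm_ops);

create or replace function public.find_similar_plugins(
  p_plugin_id uuid, p_threshold real default 0.7, p_limit int default 5)
returns table (id uuid, name text, score real)
language sql stable security definer
set search_path = public, extensions as $$
  select p.id, p.name, similarity(p.name, s.name) as score
  from public.plugins s
  join public.plugins p on p.id <> s.id and p.status = 'active'
  where s.id = p_plugin_id
    and similarity(p.name, s.name) >= p_threshold
  order by score desc, p.name
  limit p_limit
$$;
revoke execute on function public.find_similar_plugins(uuid, real, int)
  from public, anon, authenticated;
grant execute on function public.find_similar_plugins(uuid, real, int) to service_role;

-- Step 3: verification. Expect zero rows; any row names a function a browser role can
-- still call. Checking anon/authenticated also covers grants left on PUBLIC.
select n.nspname, p.proname, r.rolname
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
cross join (values ('anon'), ('authenticated')) as r(rolname)
where (n.nspname = 'pgmq_public' or p.proname = 'find_similar_plugins')
  and has_function_privilege(r.rolname, p.oid, 'EXECUTE');
```

The `alter default privileges` line only covers functions created later by the role that ran it, so re-run the verification query after any future pgmq upgrade that recreates the wrapper functions.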