fix: resolve snapshot upload, auth race condition, and add rate limiting

- Fix from-snapshot: convert string[] to typed {name,type}[] for validation
- Fix from-snapshot: respect visibility field from CLI instead of hardcoding
- Fix auth poll: atomic UPDATE prevents double device code redemption
- Add rate limiting (30/min per IP) to homebrew and npm search endpoints
- Add 26 missing package metadata entries to align with CLI catalog
- Fix install count errors: log instead of silently swallowing
- Fix expires_at: return null instead of undefined when token has no expiry
- Remove empty index.ts barrel file

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: fullstackjam

src/hooks.server.ts

@@ -68,7 +68,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 
 					const script = generateInstallScript(config.username, config.slug, config.custom_script, config.dotfiles_repo || '');
 
-					env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE alias = ?').bind(alias).run().catch(() => {});
+					env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE alias = ?').bind(alias).run().catch((e: unknown) => console.error('install count update failed:', e));
 
 					return withSecurityHeaders(new Response(script, {
 						headers: {
@@ -106,7 +106,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 
 					const script = generateInstallScript(username, slug, config.custom_script, config.dotfiles_repo || '');
 
-					env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(user.id, slug).run().catch(() => {});
+					env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(user.id, slug).run().catch((e: unknown) => console.error('install count update failed:', e));
 
 					return withSecurityHeaders(new Response(script, {
 						headers: {
@@ -145,7 +145,7 @@ export const handle: Handle = async ({ event, resolve }) => {
 
 						const script = generateInstallScript(username, slug, config.custom_script, config.dotfiles_repo || '');
 
-						env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(user.id, slug).run().catch(() => {});
+						env.DB.prepare('UPDATE configs SET install_count = install_count + 1 WHERE user_id = ? AND slug = ?').bind(user.id, slug).run().catch((e: unknown) => console.error('install count update failed:', e));
 
 						return withSecurityHeaders(new Response(script, {
 							headers: {

src/lib/index.ts

@@ -467,6 +467,138 @@ export const PACKAGE_METADATA: Record<string, PackageMetadata> = {
 		type: 'gui'
 	},
 
+	// Additional Languages
+	zig: {
+		name: 'zig',
+		description: 'Systems programming language with manual memory management',
+		category: 'optional',
+		type: 'language'
+	},
+	elixir: {
+		name: 'elixir',
+		description: 'Functional programming language for scalable applications',
+		category: 'optional',
+		type: 'language'
+	},
+
+	// Additional DevOps
+	argocd: {
+		name: 'argocd',
+		description: 'GitOps continuous delivery tool for Kubernetes',
+		category: 'optional',
+		type: 'devops'
+	},
+
+	// Additional Database Tools
+	mysql: {
+		name: 'mysql',
+		description: 'Popular open-source relational database client',
+		category: 'development',
+		type: 'database'
+	},
+	datagrip: {
+		name: 'datagrip',
+		description: 'JetBrains database IDE for multiple engines',
+		category: 'optional',
+		type: 'gui'
+	},
+	pgadmin4: {
+		name: 'pgadmin4',
+		description: 'PostgreSQL administration and management GUI',
+		category: 'optional',
+		type: 'gui'
+	},
+
+	// Additional Editors & Terminals
+	zed: {
+		name: 'zed',
+		description: 'High-performance code editor built in Rust',
+		category: 'optional',
+		type: 'gui'
+	},
+	'sublime-text': {
+		name: 'sublime-text',
+		description: 'Lightweight and fast text editor',
+		category: 'optional',
+		type: 'gui'
+	},
+	webstorm: {
+		name: 'webstorm',
+		description: 'JetBrains IDE for JavaScript and TypeScript',
+		category: 'optional',
+		type: 'gui'
+	},
+	iterm2: {
+		name: 'iterm2',
+		description: 'Feature-rich terminal emulator for macOS',
+		category: 'optional',
+		type: 'gui'
+	},
+	alacritty: {
+		name: 'alacritty',
+		description: 'GPU-accelerated cross-platform terminal emulator',
+		category: 'optional',
+		type: 'gui'
+	},
+	kitty: {
+		name: 'kitty',
+		description: 'GPU-based terminal emulator with advanced features',
+		category: 'optional',
+		type: 'gui'
+	},
+	ghostty: {
+		name: 'ghostty',
+		description: 'Fast native terminal emulator',
+		category: 'optional',
+		type: 'gui'
+	},
+
+	// Additional Browsers
+	'microsoft-edge': {
+		name: 'microsoft-edge',
+		description: 'Chromium-based web browser by Microsoft',
+		category: 'optional',
+		type: 'gui'
+	},
+	'brave-browser': {
+		name: 'brave-browser',
+		description: 'Privacy-focused web browser with ad blocking',
+		category: 'optional',
+		type: 'gui'
+	},
+
+	// Additional Productivity & Communication
+	slack: {
+		name: 'slack',
+		description: 'Team communication and collaboration platform',
+		category: 'productivity',
+		type: 'gui'
+	},
+	discord: {
+		name: 'discord',
+		description: 'Community chat platform for voice and text',
+		category: 'optional',
+		type: 'gui'
+	},
+	telegram: {
+		name: 'telegram',
+		description: 'Fast and secure messaging app',
+		category: 'optional',
+		type: 'gui'
+	},
+	sketch: {
+		name: 'sketch',
+		description: 'Vector design tool for macOS',
+		category: 'optional',
+		type: 'gui'
+	},
+	imageoptim: {
+		name: 'imageoptim',
+		description: 'Image compression and optimization tool',
+		category: 'productivity',
+		type: 'gui'
+	},
+
 	// NPM Packages
 	typescript: {
 		name: 'typescript',
@@ -521,6 +653,42 @@ export const PACKAGE_METADATA: Record<string, PackageMetadata> = {
 		description: 'CLI for Cloudflare Workers development',
 		category: 'development',
 		type: 'cli'
+	},
+	'firebase-tools': {
+		name: 'firebase-tools',
+		description: 'Firebase CLI for managing and deploying projects',
+		category: 'development',
+		type: 'cli'
+	},
+	'@angular/cli': {
+		name: '@angular/cli',
+		description: 'Angular framework command-line interface',
+		category: 'development',
+		type: 'cli'
+	},
+	'create-react-app': {
+		name: 'create-react-app',
+		description: 'Create React applications with zero configuration',
+		category: 'development',
+		type: 'cli'
+	},
+	degit: {
+		name: 'degit',
+		description: 'Scaffold projects from git repositories',
+		category: 'development',
+		type: 'cli'
+	},
+	np: {
+		name: 'np',
+		description: 'Better npm publish with version management',
+		category: 'development',
+		type: 'cli'
+	},
+	'npm-check-updates': {
+		name: 'npm-check-updates',
+		description: 'Update package.json dependency versions',
+		category: 'development',
+		type: 'cli'
 	}
 };
 

src/lib/package-metadata.ts

@@ -75,7 +75,8 @@ export const RATE_LIMITS = {
 	CLI_APPROVE: { maxRequests: 10, windowMs: 60000 },
 	CLI_POLL: { maxRequests: 20, windowMs: 60000 },
 	CONFIG_READ: { maxRequests: 30, windowMs: 60000 },
-	CONFIG_WRITE: { maxRequests: 30, windowMs: 60000 }
+	CONFIG_WRITE: { maxRequests: 30, windowMs: 60000 },
+	SEARCH: { maxRequests: 30, windowMs: 60000 }
 } as const;
 
 export function checkRateLimit(key: string, config: RateLimitConfig): RateLimitResult {

src/lib/server/rate-limit.ts

@@ -42,19 +42,24 @@ export const GET: RequestHandler = async ({ platform, url }) => {
 			.bind(row.user_id)
 			.first<{ username: string }>();
 
-		// Mark as used after first successful fetch (idempotent)
+		// Atomically mark as used to prevent double-redemption
 		if (row.status === 'approved') {
-			await env.DB.prepare("UPDATE cli_auth_codes SET status = 'used' WHERE id = ?")
-				.bind(code_id)
-				.run();
+			const updateResult = await env.DB.prepare(
+				"UPDATE cli_auth_codes SET status = 'used' WHERE id = ? AND status = 'approved'"
+			).bind(code_id).run();
+
+			// If no rows were updated, another request already redeemed this code
+			if (!updateResult.meta.changes) {
+				return json({ status: 'used' });
+			}
 		}
 
 		return json({
 			status: 'approved',
 			token: token?.token,
 			username: user?.username,
 			// Ensure strict RFC3339 format for Go client
-			expires_at: token?.expires_at ? token.expires_at.replace(' ', 'T') + 'Z' : undefined
+			expires_at: token?.expires_at ? token.expires_at.replace(' ', 'T') + 'Z' : null
 		});
 	}
 

src/routes/api/auth/cli/poll/+server.ts

@@ -23,19 +23,31 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 		return json({ error: 'Invalid request body' }, { status: 400 });
 	}
 
-	const { name, description, snapshot, config_slug } = body;
+	const { name, description, snapshot, config_slug, visibility } = body;
 
 	if (!name) return json({ error: 'Name is required' }, { status: 400 });
 	if (!snapshot) return json({ error: 'Snapshot is required' }, { status: 400 });
 
+	const validVisibilities = ['public', 'unlisted', 'private'];
+	const validVisibility = validVisibilities.includes(visibility) ? visibility : 'unlisted';
+
 	const snapshotSize = JSON.stringify(snapshot).length;
 	if (snapshotSize > 100000) {
 		return json({ error: 'Snapshot payload too large (max 100KB)' }, { status: 400 });
 	}
 
-	const packages = snapshot.catalog_match?.matched || [];
+	const matchedNames: string[] = snapshot.catalog_match?.matched || [];
 	const base_preset = snapshot.matched_preset || 'developer';
 
+	// Convert plain string names from CLI snapshot into typed package objects
+	const snapshotCasks = new Set<string>(snapshot.packages?.casks || []);
+	const snapshotNpm = new Set<string>(snapshot.packages?.npm || []);
+	const packages = matchedNames.map((name: string) => {
+		if (snapshotCasks.has(name)) return { name, type: 'cask' };
+		if (snapshotNpm.has(name)) return { name, type: 'npm' };
+		return { name, type: 'formula' };
+	});
+
 	const pv = validatePackages(packages);
 	if (!pv.valid) return json({ error: pv.error }, { status: 400 });
 
@@ -49,13 +61,14 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 		}
 
 		await env.DB.prepare(
-			`UPDATE configs 
-			SET snapshot = ?, snapshot_at = datetime('now'), packages = ?
+			`UPDATE configs
+			SET snapshot = ?, snapshot_at = datetime('now'), packages = ?, visibility = ?
 			WHERE user_id = ? AND slug = ?`
 		)
 			.bind(
 				JSON.stringify(snapshot),
 				JSON.stringify(packages),
+				validVisibility,
 				user.id,
 				config_slug
 			)
@@ -114,7 +127,7 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 	try {
 		await env.DB.prepare(
 			`INSERT INTO configs (id, user_id, slug, name, description, base_preset, packages, snapshot, snapshot_at, visibility)
-			VALUES (?, ?, ?, ?, ?, ?, ?, ?, datetime('now'), 'unlisted')`
+			VALUES (?, ?, ?, ?, ?, ?, ?, ?, datetime('now'), ?)`
 		)
 			.bind(
 				id,
@@ -124,7 +137,8 @@ export const POST: RequestHandler = async ({ platform, cookies, request }) => {
 				description || '',
 				base_preset,
 				JSON.stringify(packages),
-				JSON.stringify(snapshot)
+				JSON.stringify(snapshot),
+				validVisibility
 			)
 			.run();
 	} catch (e) {

src/routes/api/configs/from-snapshot/+server.ts

@@ -1,5 +1,6 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
+import { checkRateLimit, getRateLimitKey, RATE_LIMITS } from '$lib/server/rate-limit';
 
 interface Formula {
 	name: string;
@@ -63,9 +64,15 @@ async function fetchCasks(): Promise<Cask[]> {
 	return data;
 }
 
-export const GET: RequestHandler = async ({ url }) => {
+export const GET: RequestHandler = async ({ url, request }) => {
 	const query = url.searchParams.get('q')?.toLowerCase().trim();
 
+	const clientIp = request.headers.get('cf-connecting-ip') || 'unknown';
+	const rl = checkRateLimit(getRateLimitKey('homebrew-search', clientIp), RATE_LIMITS.SEARCH);
+	if (!rl.allowed) {
+		return json({ results: [], error: 'Rate limit exceeded' }, { status: 429, headers: { 'Retry-After': String(Math.ceil(rl.retryAfter! / 1000)) } });
+	}
+
 	if (!query || query.length < 2) {
 		return json({ results: [], error: 'Query must be at least 2 characters' });
 	}

src/routes/api/homebrew/search/+server.ts

@@ -1,5 +1,6 @@
 import { json } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
+import { checkRateLimit, getRateLimitKey, RATE_LIMITS } from '$lib/server/rate-limit';
 
 interface NpmPackage {
 	name: string;
@@ -23,9 +24,15 @@ interface NpmRegistryResponse {
 	}>;
 }
 
-export const GET: RequestHandler = async ({ url }) => {
+export const GET: RequestHandler = async ({ url, request }) => {
 	const query = url.searchParams.get('q')?.toLowerCase().trim();
 
+	const clientIp = request.headers.get('cf-connecting-ip') || 'unknown';
+	const rl = checkRateLimit(getRateLimitKey('npm-search', clientIp), RATE_LIMITS.SEARCH);
+	if (!rl.allowed) {
+		return json({ results: [], error: 'Rate limit exceeded' }, { status: 429, headers: { 'Retry-After': String(Math.ceil(rl.retryAfter! / 1000)) } });
+	}
+
 	if (!query || query.length < 2) {
 		return json({ results: [], error: 'Query must be at least 2 characters' });
 	}