
build(deps): switch to pnpm package manager#40

Merged
JStaRFilms merged 3 commits into main from fix-dep on Dec 14, 2025

Conversation

@JStaRFilms (Owner)

  • Remove package-lock.json
  • Add pnpm-lock.yaml
  • Add src/middleware.ts

@vercel bot commented Dec 14, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: jstarfilms | Deployment: Ready | Review: Ready (Preview, Comment) | Updated (UTC): Dec 14, 2025 0:09am

@github-actions

🟢 J Star Code Audit

Score: 95/100 | Verdict: REQUEST_CHANGES | 🚨 Critical: - | 🔶 High: 1 | 🔹 Medium: - | 🔧 Nitpick: -

📄 src/middleware.ts

Warning

Missing WORKOS Redirect URI Validation
Fallback to localhost:5782 exposes development endpoint in production. Validate WORKOS_REDIRECT_URI is set and matches production domain.

🛠️ Recommended Fixes

  • Missing WORKOS Redirect URI Validation: Replace fallback with validation: const redirectUri = process.env.WORKOS_REDIRECT_URI; if (!redirectUri) throw new Error('WORKOS_REDIRECT_URI is required'); return authkitMiddleware({ redirectUri });

Powered by J Star Sentinel ⚡

Previously, the middleware used a fallback localhost URL if the environment
variable was unset, which could lead to incorrect redirects in production.
This change enforces the requirement, throwing an error if not provided.
@github-actions

🟢 J Star Code Audit

Score: 88/100 | Verdict: REQUEST_CHANGES | 🚨 Critical: 1 | 🔶 High: - | 🔹 Medium: 1 | 🔧 Nitpick: -

📄 src/middleware.ts

Caution

Missing WORKOS_REDIRECT_URI validation in middleware
The middleware throws a synchronous error during module evaluation if WORKOS_REDIRECT_URI is missing, which can crash the entire Next.js app at build or runtime.

🔹 Middleware applies WorkOS auth to all routes

Category: MAINTAINABILITY

The matcher pattern catches every route except static assets, so public pages like /about or /portfolio will force authentication. Restrict the matcher to only admin or protected routes to avoid blocking public content.

🛠️ Recommended Fixes

  • Missing WORKOS_REDIRECT_URI validation in middleware: Replace the top-level throw with a runtime check inside the middleware function that logs a warning and redirects to a safe error page instead of crashing the app.

Powered by J Star Sentinel ⚡

…onment

Modify middleware to check for WORKOS_REDIRECT_URI at runtime, bypassing authentication
with a warning log if unset. This adjustment supports deployments without mandatory
auth setup, while preserving full functionality when configured. Also updates matcher
comments for clarity on route coverage.
JStaRFilms merged commit ddc1f98 into main on Dec 14, 2025
4 of 6 checks passed
@github-actions

🟢 J Star Code Audit

Score: 94/100 | Verdict: REQUEST_CHANGES | 🚨 Critical: - | 🔶 High: 1 | 🔹 Medium: 1 | 🔧 Nitpick: 1

📄 src/middleware.ts

Warning

WorkOS middleware bypass on mis-configuration
If WORKOS_REDIRECT_URI is missing the entire auth layer is silently disabled, letting every request through. An attacker can deliberately unset the env var to disable authentication.

🔹 Console.warn on every request

Category: PERFORMANCE

The warning is printed for every incoming request when WorkOS is not configured, flooding logs and adding unnecessary overhead.

🔧 Matcher comment is outdated

Category: MAINTAINABILITY

The comment claims the matcher covers ALL routes, but admin routes protected by withAuth() are not handled here, creating confusion.

🛠️ Recommended Fixes

  • WorkOS middleware bypass on mis-configuration: Throw a hard error in production if WORKOS_REDIRECT_URI is unset; only allow graceful degradation in development mode.
  • Console.warn on every request: Move the warning to module scope so it logs once at startup, not per request.
  • Matcher comment is outdated: Update the comment to clarify that this middleware only applies WorkOS auth checks, not the broader auth logic handled elsewhere.

Powered by J Star Sentinel ⚡

@JStaRFilms (Owner, Author)

/review

@github-actions

🟢 J Star Code Audit

Score: 96/100 | Verdict: REQUEST_CHANGES | 🚨 Critical: - | 🔶 High: 1 | 🔹 Medium: 1 | 🔧 Nitpick: 1

📄 src/middleware.ts

Warning

Environment Variable Read at Module Load
Reading process.env.WORKOS_REDIRECT_URI at module load time breaks Next.js runtime environment isolation and can leak values to the client bundle.

🔹 Silent Auth Bypass on Missing Config

Category: LOGIC

When WORKOS_REDIRECT_URI is missing the middleware silently allows all traffic, which masks misconfiguration and could leave admin routes unprotected.

🔧 Comment Claims RootLayout Uses withAuth

Category: MAINTAINABILITY

The comment says RootLayout uses withAuth but this middleware doesn't enforce login, creating confusion about which layer handles protection.

🛠️ Recommended Fixes

  • Environment Variable Read at Module Load: Move the redirectUri read inside the middleware function and validate it with zod before use: const redirectUri = z.string().url().parse(process.env.WORKOS_REDIRECT_URI) inside the middleware function.
  • Silent Auth Bypass on Missing Config: Throw a clear error in development and return a 503 response in production when auth config is missing instead of allowing traffic.
  • Comment Claims RootLayout Uses withAuth: Update the comment to clarify this middleware only enables auth detection, not enforcement, and that route-level protection should be handled in page guards.

Powered by J Star Sentinel ⚡
