fix(github): detect rate limits using response headers

.env.example

@@ -1,7 +1,7 @@
 # -------------------------------------------------------
 # Supabase
 # Project Settings → API → Project URL
-NEXT_PUBLIC_SUPABASE_URL=https://your-project-ref.supabase.co
+NEXT_PUBLIC_SUPABASE_URL=https://<project-ref>.supabase.co
 
 # Project Settings → API → anon / public key
 NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
@@ -22,6 +22,14 @@ NEXTAUTH_URL=http://localhost:3000
 # Must not have a trailing slash.
 # NEXT_PUBLIC_APP_URL=https://devtrack-delta.vercel.app
 
+# -------------------------------------------------------
+# CSRF protection — allowed origins for state-changing API requests
+# (optional — NEXTAUTH_URL is always included automatically)
+# Comma-separated list of additional origins permitted to make authenticated
+# mutations. Add preview / staging deployments here.
+# Example: ALLOWED_ORIGINS=https://staging.devtrack.app,https://preview.devtrack.app
+# ALLOWED_ORIGINS=
+
 # Generate with: openssl rand -base64 32
 NEXTAUTH_SECRET=your_nextauth_secret
 
@@ -66,7 +74,7 @@ UPSTASH_REDIS_REST_TOKEN=your_upstash_redis_rest_token
 # Groq API Key (optional — enables AI-generated weekly summaries in the
 # AI Mentor widget using Llama-3).
 # console.groq.com → API Keys
-GROQ_API_KEY=gsk_...
+GROQ_API_KEY=your_groq_api_key
 
 # -------------------------------------------------------
 # Leaderboard Configuration
@@ -75,4 +83,3 @@ GROQ_API_KEY=gsk_...
 # Higher values = faster builds but more resource usage
 # WARNING: Do not exceed 100 without load testing — risks memory exhaustion
 LEADERBOARD_USER_CONCURRENCY=5
-

.github/workflows/e2e.yml

@@ -16,8 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     env:
       NEXTAUTH_SECRET: test-nextauth-secret-for-playwright-tests
-      NEXTAUTH_URL: http://127.0.0.1:3000
-      NEXT_PUBLIC_APP_URL: http://127.0.0.1:3000
+      NEXTAUTH_URL: http://127.0.0.1:3002
+      NEXT_PUBLIC_APP_URL: http://127.0.0.1:3002
       GITHUB_ID: playwright-github-id
       GITHUB_SECRET: playwright-github-secret
       NEXT_PUBLIC_SUPABASE_URL: https://placeholder.supabase.co
@@ -37,7 +37,19 @@ jobs:
         run: npm ci
 
       - name: Build Next.js app
-        run: npm run build
+        run: |
+          cat <<EOF > .env.production
+          NEXTAUTH_SECRET=test-nextauth-secret-for-playwright-tests
+          NEXTAUTH_URL=http://127.0.0.1:3000
+          NEXT_PUBLIC_APP_URL=http://127.0.0.1:3000
+          GITHUB_ID=playwright-github-id
+          GITHUB_SECRET=playwright-github-secret
+          NEXT_PUBLIC_SUPABASE_URL=https://placeholder.supabase.co
+          NEXT_PUBLIC_SUPABASE_ANON_KEY=placeholder-anon-key
+          SUPABASE_SERVICE_ROLE_KEY=placeholder-service-role-key
+          PLAYWRIGHT_SERVER_MODE=start
+          EOF
+          npm run build
 
       - name: Install Playwright browsers
         run: npx playwright install --with-deps chromium

.github/workflows/labeler.yml

@@ -3,8 +3,19 @@ on:
   pull_request_target:
 jobs:
   label:
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v4
       - uses: actions/labeler@v5
+        continue-on-error: true
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-path: .github/labeler.yml

.gitignore

@@ -12,6 +12,7 @@ out/
 # Environment files — NEVER commit these
 .env
 .env.local
+.env.local*
 .env.production
 .env.*.local
 

e2e/dashboard-widgets.spec.js

@@ -179,7 +179,7 @@ test("dashboard widgets render with mocked metrics", async ({ page }) => {
   await expect(page.getByRole("heading", { name: /dashboard/i })).toBeVisible({ timeout: 30000 });
   await expect(page.getByRole("heading", { name: "Your Commits" })).toBeVisible({ timeout: 10000 });
   await expect(page.getByRole("heading", { name: "PR Analytics" })).toBeVisible({ timeout: 10000 });
-  await expect(page.getByRole("heading", { name: "Goals" })).toBeVisible({ timeout: 10000 });
+  await expect(page.getByRole("heading", { name: "Goals", exact: true })).toBeVisible({ timeout: 10000 });
   await expect(page.getByText("Make 10 commits")).toBeVisible({ timeout: 10000 });
 });
 
@@ -193,6 +193,7 @@ test("contribution graph range buttons request a new range", async ({ page }) =>
 
   await page.goto("/dashboard", { waitUntil: "load" });
   await expect(page.getByRole("heading", { name: /dashboard/i })).toBeVisible({ timeout: 30000 });
+  await page.getByRole("button", { name: "Show 90-day range" }).first().click();
   await page
     .locator("#contribution-activity")
     .getByRole("button", { name: "Show 90-day range" })
@@ -214,7 +215,7 @@ test("goal form posts a new goal", async ({ page }) => {
   await page.getByLabel("Goal title").fill("Ship one PR");
   await page.getByLabel("Target").fill("1");
   await page.getByLabel("Unit").selectOption("prs");
-  await page.getByRole("button", { name: "Add goal" }).click();
+  await page.getByRole("button", { name: "Create goal" }).click();
 
   await expect.poll(() => goalPosts, { timeout: 15000 }).toHaveLength(1);
   expect(goalPosts[0]).toMatchObject({

e2e/landing.spec.js

@@ -22,7 +22,8 @@ test("[Landing E2E] landing has dashboard link", async ({ page }) => {
   await expect(page.getByRole("link", { name: "Dashboard" })).toBeVisible();
 });
 
-test("[Landing E2E] landing shows footer via test-id", async ({ page }) => {
+test("[Landing E2E] landing shows footer", async ({ page }) => {
   await page.goto("/");
-  await expect(page.locator('[data-testid="landing-footer"]')).toBeVisible();
+  // Check that the global footer is rendered (e.g. looking for the copyright text)
+  await expect(page.getByText(/DevTrack. Built for open-source contributors/i)).toBeVisible();
 });

e2e/notifications.spec.js

@@ -2,8 +2,7 @@ import { expect, test } from "@playwright/test";
 import { encode } from "next-auth/jwt";
 
 const authSecret =
-  process.env.NEXTAUTH_SECRET ||
-  "test-nextauth-secret-for-playwright-tests";
+  process.env.NEXTAUTH_SECRET || "test-nextauth-secret-for-playwright-tests";
 
 /** Returns a properly-shaped mock response for each metric endpoint. */
 function mockMetricResponse(url) {

e2e/theme.spec.js

@@ -1,11 +1,11 @@
 import { expect, test } from "@playwright/test";
 import { encode } from "next-auth/jwt";
 
-test.beforeEach(async ({ page }) => {
-  const authSecret =
-    process.env.NEXTAUTH_SECRET ||
-    "test-nextauth-secret-for-playwright-tests";
+const authSecret =
+  process.env.NEXTAUTH_SECRET ||
+  "test-nextauth-secret-for-playwright-tests";
 
+test.beforeEach(async ({ page }) => {
   const token = await encode({
     secret: authSecret,
     token: {
@@ -27,6 +27,7 @@ test.beforeEach(async ({ page }) => {
       httpOnly: true,
       sameSite: "Lax",
       secure: false,
+      expires: Math.floor(Date.now() / 1000) + 60 * 60,
     },
   ]);
 
@@ -54,15 +55,54 @@ test.beforeEach(async ({ page }) => {
 test("theme toggle switches between dark and light mode", async ({ page }) => {
   await page.goto("/dashboard");
 
-  const themeToggle = page.getByRole("button", { name: "Toggle theme" });
+  // The DashboardHeader provides the ThemeToggle on the dashboard
+  const themeToggle = page.getByRole("button", { name: "Toggle theme" }).first();
   await expect(themeToggle).toBeVisible();
 
   const initialPressed = await themeToggle.getAttribute("aria-pressed");
 
+  await themeToggle.click({ force: true });
+
+  await expect(themeToggle).toHaveAttribute(
+    "aria-pressed",
+    initialPressed === "true" ? "false" : "true"
+  );
+});
+
+/**
+ * Issue #964: Public profile page should have a theme toggle.
+ * The toggle must work without login and persist to localStorage.
+ * We navigate to the profile-not-found page because no real user exists
+ * in the test DB — but the layout (ThemeProvider + ThemeToggle) still renders.
+ */
+test("public profile page theme toggle works without authentication", async ({
+  page,
+}) => {
+  // Clear cookies so visitor is unauthenticated
+  await page.context().clearCookies();
+
+  // Navigate to any public profile URL — will show "Profile Not Found"
+  // but the full layout (including ThemeToggle) still renders
+  await page.goto("/u/no-such-user-for-e2e-test", { waitUntil: "load" });
+
+  // Confirm we're on the public profile route (no auth redirect)
+  await expect(page).toHaveURL(/\/u\//);
+
+  // ThemeToggle must be present in the AppNavbar and functional without login
+  const themeToggle = page.getByRole("banner").getByRole("button", { name: "Toggle theme" });
+  await expect(themeToggle).toBeVisible({ timeout: 10000 });
+
+  const initialPressed = await themeToggle.getAttribute("aria-pressed");
+
   await themeToggle.click();
 
+  // Toggle state must have flipped
   await expect(themeToggle).toHaveAttribute(
     "aria-pressed",
     initialPressed === "true" ? "false" : "true"
   );
+
+  // Theme preference must be persisted to localStorage
+  const stored = await page.evaluate(() => localStorage.getItem("theme"));
+  expect(stored === "dark" || stored === "light").toBe(true);
 });

next.config.mjs

@@ -1,4 +1,4 @@
-import withPWAInit from "next-pwa";
+import withPWAInit from "@ducanh2912/next-pwa";
 
 const withPWA = withPWAInit({
   dest: "public",
@@ -129,6 +129,7 @@ const withPWA = withPWAInit({
 
 /** @type {import("next").NextConfig} */
 const nextConfig = {
+  reactStrictMode: true,
   output: "standalone",
   images: {
     remotePatterns: [