Fix build-app false success and blueprint scoping leak

[cursor]

Bug and impact

• /api/build-app reported done even when Claude generation failed or GitHub/GitLab file pushes returned non-2xx, leaving users with empty/partial repos shown as successful.
• The same route never charged the documented 500-credit Build This App cost.
• getAllBlueprints('') fell back to an unscoped query and could expose all tenants' blueprints when auth had a GitHub session but no DB user id.

Root cause

• Build generation errors were converted into placeholder files, and push helpers logged warnings instead of throwing.
• Build credit deduction was not wired into the route.
• getAllBlueprints treated a missing user id as permission to query all blueprints.

Fix

• Fail the SSE stream with step: 'error' on generation or push failure; no done event is emitted.
• Deduct BUILD_APP_COST before build work and refund it on repository creation, generation, push, or unexpected failures.
• Require a non-empty user id for getAllBlueprints; missing ids now return an empty list.

Validation

• pnpm exec eslint app/api/build-app/route.ts lib/queries.ts
• pnpm exec tsc --noEmit
• Mocked /api/build-app route harness: success emits done with one deduction/no refund; generation failure emits terminal error, no push, one refund; push failure emits terminal error, one refund; insufficient credits emits error and never creates a repo.
• Mocked getAllBlueprints guard: blank user id returns [] without touching DB; scoped user id issues a JOIN analyses ... WHERE a.user_id = $userId query.

  

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
repo-app-architect	Ready	Preview, Comment	Jun 12, 2026 11:09am
repofuse	Ready	Preview, Comment, Open in v0	Jun 12, 2026 11:09am
v0-repo-app-architect	Ready	Preview, Comment, Open in v0	Jun 12, 2026 11:09am