@bbearai/core 0.1.6 → 0.2.0

package/dist/index.d.mts

@@ -263,6 +263,185 @@ interface TesterMessage {
         name: string;
     }>;
 }
+/** Priority factors breakdown for a route */
+interface PriorityFactors {
+    bugFrequency: {
+        score: number;
+        openBugs: number;
+        bugs7d: number;
+    };
+    criticalSeverity: {
+        score: number;
+        critical: number;
+        high: number;
+    };
+    staleness: {
+        score: number;
+        daysSinceTest: number | null;
+    };
+    coverageGap: {
+        score: number;
+        testCount: number;
+    };
+    regressionRisk: {
+        score: number;
+        regressionCount: number;
+    };
+}
+/** Route priority with stats and recommendations */
+interface RoutePriority {
+    rank: number;
+    route: string;
+    priorityScore: number;
+    urgency: 'critical' | 'high' | 'medium' | 'low';
+    stats: {
+        openBugs: number;
+        criticalBugs: number;
+        highBugs: number;
+        testCases: number;
+        daysSinceTest: number | null;
+        regressions: number;
+        recentBugs: number;
+    };
+    factors?: PriorityFactors;
+    recommendation?: string;
+}
+/** Coverage gap identification */
+interface CoverageGap {
+    route: string;
+    severity: 'critical' | 'high' | 'medium';
+    type: 'untested' | 'missing_tracks' | 'stale';
+    details: {
+        missingTracks?: string[];
+        daysSinceTest?: number;
+        openBugs?: number;
+        criticalBugs?: number;
+    };
+    recommendation: string;
+}
+/** Regression event tracking */
+interface RegressionEvent {
+    id: string;
+    route: string;
+    severity: 'critical' | 'high' | 'medium';
+    originalBug: {
+        id: string;
+        description: string;
+        resolvedAt: string;
+    };
+    newBugs: Array<{
+        id: string;
+        description: string;
+        severity: string;
+        createdAt: string;
+    }>;
+    daysSinceResolution: number;
+    regressionCount: number;
+    detectedAt: string;
+}
+/** Deploy checklist item */
+interface ChecklistItem {
+    testCaseId?: string;
+    testKey?: string;
+    title: string;
+    route: string;
+    reason: string;
+    priority: 'P0' | 'P1' | 'P2' | 'P3';
+    lastTested?: string;
+    hasCriticalBugs?: boolean;
+}
+/** Deploy checklist grouped by urgency */
+interface DeployChecklist {
+    critical: ChecklistItem[];
+    recommended: ChecklistItem[];
+    optional: ChecklistItem[];
+    gaps: ChecklistItem[];
+}
+/** QA Health metrics with trends */
+interface QAHealthMetrics {
+    velocity: {
+        testsPerWeek: number;
+        testsCompleted: number;
+        trend: 'up' | 'down' | 'stable';
+        changePercent?: number;
+    };
+    bugDiscovery: {
+        bugsFound: number;
+        bugsPerTest: number;
+        criticalBugs: number;
+        trend: 'up' | 'down' | 'stable';
+        changePercent?: number;
+    };
+    resolution: {
+        bugsResolved: number;
+        avgResolutionDays: number;
+        trend: 'up' | 'down' | 'stable';
+        changePercent?: number;
+    };
+    coverage: {
+        routeCoverage: number;
+        routesWithTests: number;
+        totalRoutes: number;
+    };
+    testerHealth: {
+        activeTesters: number;
+        totalTesters: number;
+        utilizationPercent: number;
+    };
+}
+/** QA Health score with grade */
+interface QAHealthScore {
+    score: number;
+    grade: 'A' | 'B' | 'C' | 'D' | 'F';
+    breakdown: {
+        coverage: number;
+        velocity: number;
+        resolution: number;
+        stability: number;
+    };
+}
+/** Aggregated route test statistics */
+interface RouteTestStats {
+    id: string;
+    projectId: string;
+    route: string;
+    totalBugs: number;
+    openBugs: number;
+    criticalBugs: number;
+    highBugs: number;
+    resolvedBugs: number;
+    testCaseCount: number;
+    testsByTrack: Record<string, number>;
+    lastTestedAt: string | null;
+    totalTestExecutions: number;
+    passCount: number;
+    failCount: number;
+    passRate: number | null;
+    regressionCount: number;
+    lastRegressionAt: string | null;
+    bugsLast7Days: number;
+    bugsLast30Days: number;
+    priorityScore: number;
+    calculatedAt: string;
+}
+/** Coverage matrix cell */
+interface CoverageMatrixCell {
+    testCount: number;
+    passCount: number;
+    failCount: number;
+    passRate: number | null;
+    lastTestedAt: string | null;
+    staleDays: number | null;
+}
+/** Coverage matrix row (route × tracks) */
+interface CoverageMatrixRow {
+    route: string;
+    totalTests: number;
+    openBugs: number;
+    criticalBugs: number;
+    lastTestedAt: string | null;
+    tracks: Record<string, CoverageMatrixCell>;
+}
 
 /**
  * BugBear Client
@@ -304,8 +483,29 @@ declare class BugBearClient {
     /**
      * Get current tester info
      * Looks up tester by email from the host app's authenticated user
+     * Checks both primary email AND additional_emails array
+     * Uses parameterized RPC function to prevent SQL injection
      */
     getTesterInfo(): Promise<TesterInfo | null>;
+    /**
+     * Basic email format validation (defense in depth)
+     */
+    private isValidEmail;
+    /**
+     * Validate report input before submission
+     * Returns error message if invalid, null if valid
+     */
+    private validateReport;
+    /**
+     * Validate profile update input
+     * Returns error message if invalid, null if valid
+     */
+    private validateProfileUpdate;
+    /**
+     * Check rate limit for an action
+     * Returns { allowed: boolean, error?: string, remaining?: number }
+     */
+    private checkRateLimit;
     /**
      * Update tester profile
      * Allows testers to update their name, additional emails, avatar, and platforms
@@ -467,4 +667,4 @@ declare function captureError(error: Error, errorInfo?: {
     componentStack?: string;
 };
 
-export { type AppContext, BugBearClient, type BugBearConfig, type BugBearReport, type BugBearTheme, type ChecklistResult, type ConsoleLogEntry, type DeviceInfo, type EnhancedBugContext, type HostUserInfo, type MessageSenderType, type NetworkRequest, type QATrack, type ReportStatus, type ReportType, type RubricMode, type RubricResult, type Severity, type TestAssignment, type TestResult, type TestStep, type TestTemplate, type TesterInfo, type TesterMessage, type TesterProfileUpdate, type TesterThread, type ThreadPriority, type ThreadType, captureError, contextCapture, createBugBear };
+export { type AppContext, BugBearClient, type BugBearConfig, type BugBearReport, type BugBearTheme, type ChecklistItem, type ChecklistResult, type ConsoleLogEntry, type CoverageGap, type CoverageMatrixCell, type CoverageMatrixRow, type DeployChecklist, type DeviceInfo, type EnhancedBugContext, type HostUserInfo, type MessageSenderType, type NetworkRequest, type PriorityFactors, type QAHealthMetrics, type QAHealthScore, type QATrack, type RegressionEvent, type ReportStatus, type ReportType, type RoutePriority, type RouteTestStats, type RubricMode, type RubricResult, type Severity, type TestAssignment, type TestResult, type TestStep, type TestTemplate, type TesterInfo, type TesterMessage, type TesterProfileUpdate, type TesterThread, type ThreadPriority, type ThreadType, captureError, contextCapture, createBugBear };

package/dist/index.d.ts

@@ -263,6 +263,185 @@ interface TesterMessage {
         name: string;
     }>;
 }
+/** Priority factors breakdown for a route */
+interface PriorityFactors {
+    bugFrequency: {
+        score: number;
+        openBugs: number;
+        bugs7d: number;
+    };
+    criticalSeverity: {
+        score: number;
+        critical: number;
+        high: number;
+    };
+    staleness: {
+        score: number;
+        daysSinceTest: number | null;
+    };
+    coverageGap: {
+        score: number;
+        testCount: number;
+    };
+    regressionRisk: {
+        score: number;
+        regressionCount: number;
+    };
+}
+/** Route priority with stats and recommendations */
+interface RoutePriority {
+    rank: number;
+    route: string;
+    priorityScore: number;
+    urgency: 'critical' | 'high' | 'medium' | 'low';
+    stats: {
+        openBugs: number;
+        criticalBugs: number;
+        highBugs: number;
+        testCases: number;
+        daysSinceTest: number | null;
+        regressions: number;
+        recentBugs: number;
+    };
+    factors?: PriorityFactors;
+    recommendation?: string;
+}
+/** Coverage gap identification */
+interface CoverageGap {
+    route: string;
+    severity: 'critical' | 'high' | 'medium';
+    type: 'untested' | 'missing_tracks' | 'stale';
+    details: {
+        missingTracks?: string[];
+        daysSinceTest?: number;
+        openBugs?: number;
+        criticalBugs?: number;
+    };
+    recommendation: string;
+}
+/** Regression event tracking */
+interface RegressionEvent {
+    id: string;
+    route: string;
+    severity: 'critical' | 'high' | 'medium';
+    originalBug: {
+        id: string;
+        description: string;
+        resolvedAt: string;
+    };
+    newBugs: Array<{
+        id: string;
+        description: string;
+        severity: string;
+        createdAt: string;
+    }>;
+    daysSinceResolution: number;
+    regressionCount: number;
+    detectedAt: string;
+}
+/** Deploy checklist item */
+interface ChecklistItem {
+    testCaseId?: string;
+    testKey?: string;
+    title: string;
+    route: string;
+    reason: string;
+    priority: 'P0' | 'P1' | 'P2' | 'P3';
+    lastTested?: string;
+    hasCriticalBugs?: boolean;
+}
+/** Deploy checklist grouped by urgency */
+interface DeployChecklist {
+    critical: ChecklistItem[];
+    recommended: ChecklistItem[];
+    optional: ChecklistItem[];
+    gaps: ChecklistItem[];
+}
+/** QA Health metrics with trends */
+interface QAHealthMetrics {
+    velocity: {
+        testsPerWeek: number;
+        testsCompleted: number;
+        trend: 'up' | 'down' | 'stable';
+        changePercent?: number;
+    };
+    bugDiscovery: {
+        bugsFound: number;
+        bugsPerTest: number;
+        criticalBugs: number;
+        trend: 'up' | 'down' | 'stable';
+        changePercent?: number;
+    };
+    resolution: {
+        bugsResolved: number;
+        avgResolutionDays: number;
+        trend: 'up' | 'down' | 'stable';
+        changePercent?: number;
+    };
+    coverage: {
+        routeCoverage: number;
+        routesWithTests: number;
+        totalRoutes: number;
+    };
+    testerHealth: {
+        activeTesters: number;
+        totalTesters: number;
+        utilizationPercent: number;
+    };
+}
+/** QA Health score with grade */
+interface QAHealthScore {
+    score: number;
+    grade: 'A' | 'B' | 'C' | 'D' | 'F';
+    breakdown: {
+        coverage: number;
+        velocity: number;
+        resolution: number;
+        stability: number;
+    };
+}
+/** Aggregated route test statistics */
+interface RouteTestStats {
+    id: string;
+    projectId: string;
+    route: string;
+    totalBugs: number;
+    openBugs: number;
+    criticalBugs: number;
+    highBugs: number;
+    resolvedBugs: number;
+    testCaseCount: number;
+    testsByTrack: Record<string, number>;
+    lastTestedAt: string | null;
+    totalTestExecutions: number;
+    passCount: number;
+    failCount: number;
+    passRate: number | null;
+    regressionCount: number;
+    lastRegressionAt: string | null;
+    bugsLast7Days: number;
+    bugsLast30Days: number;
+    priorityScore: number;
+    calculatedAt: string;
+}
+/** Coverage matrix cell */
+interface CoverageMatrixCell {
+    testCount: number;
+    passCount: number;
+    failCount: number;
+    passRate: number | null;
+    lastTestedAt: string | null;
+    staleDays: number | null;
+}
+/** Coverage matrix row (route × tracks) */
+interface CoverageMatrixRow {
+    route: string;
+    totalTests: number;
+    openBugs: number;
+    criticalBugs: number;
+    lastTestedAt: string | null;
+    tracks: Record<string, CoverageMatrixCell>;
+}
 
 /**
  * BugBear Client
@@ -304,8 +483,29 @@ declare class BugBearClient {
     /**
      * Get current tester info
      * Looks up tester by email from the host app's authenticated user
+     * Checks both primary email AND additional_emails array
+     * Uses parameterized RPC function to prevent SQL injection
      */
     getTesterInfo(): Promise<TesterInfo | null>;
+    /**
+     * Basic email format validation (defense in depth)
+     */
+    private isValidEmail;
+    /**
+     * Validate report input before submission
+     * Returns error message if invalid, null if valid
+     */
+    private validateReport;
+    /**
+     * Validate profile update input
+     * Returns error message if invalid, null if valid
+     */
+    private validateProfileUpdate;
+    /**
+     * Check rate limit for an action
+     * Returns { allowed: boolean, error?: string, remaining?: number }
+     */
+    private checkRateLimit;
     /**
      * Update tester profile
      * Allows testers to update their name, additional emails, avatar, and platforms
@@ -467,4 +667,4 @@ declare function captureError(error: Error, errorInfo?: {
     componentStack?: string;
 };
 
-export { type AppContext, BugBearClient, type BugBearConfig, type BugBearReport, type BugBearTheme, type ChecklistResult, type ConsoleLogEntry, type DeviceInfo, type EnhancedBugContext, type HostUserInfo, type MessageSenderType, type NetworkRequest, type QATrack, type ReportStatus, type ReportType, type RubricMode, type RubricResult, type Severity, type TestAssignment, type TestResult, type TestStep, type TestTemplate, type TesterInfo, type TesterMessage, type TesterProfileUpdate, type TesterThread, type ThreadPriority, type ThreadType, captureError, contextCapture, createBugBear };
+export { type AppContext, BugBearClient, type BugBearConfig, type BugBearReport, type BugBearTheme, type ChecklistItem, type ChecklistResult, type ConsoleLogEntry, type CoverageGap, type CoverageMatrixCell, type CoverageMatrixRow, type DeployChecklist, type DeviceInfo, type EnhancedBugContext, type HostUserInfo, type MessageSenderType, type NetworkRequest, type PriorityFactors, type QAHealthMetrics, type QAHealthScore, type QATrack, type RegressionEvent, type ReportStatus, type ReportType, type RoutePriority, type RouteTestStats, type RubricMode, type RubricResult, type Severity, type TestAssignment, type TestResult, type TestStep, type TestTemplate, type TesterInfo, type TesterMessage, type TesterProfileUpdate, type TesterThread, type ThreadPriority, type ThreadType, captureError, contextCapture, createBugBear };

package/dist/index.js

@@ -86,7 +86,16 @@ var BugBearClient = class {
    */
   async submitReport(report) {
     try {
+      const validationError = this.validateReport(report);
+      if (validationError) {
+        return { success: false, error: validationError };
+      }
       const userInfo = await this.getCurrentUserInfo();
+      const rateLimitId = userInfo?.email || this.config.projectId;
+      const rateLimit = await this.checkRateLimit(rateLimitId, "report_submit");
+      if (!rateLimit.allowed) {
+        return { success: false, error: rateLimit.error };
+      }
       if (!userInfo) {
         console.error("BugBear: No user info available, cannot submit report");
         return { success: false, error: "User not authenticated" };
@@ -192,44 +201,179 @@ var BugBearClient = class {
   /**
    * Get current tester info
    * Looks up tester by email from the host app's authenticated user
+   * Checks both primary email AND additional_emails array
+   * Uses parameterized RPC function to prevent SQL injection
    */
   async getTesterInfo() {
     try {
       const userInfo = await this.getCurrentUserInfo();
-      if (!userInfo) return null;
-      const { data, error } = await this.supabase.from("testers").select("*").eq("project_id", this.config.projectId).eq("email", userInfo.email).eq("status", "active").single();
+      if (!userInfo?.email) return null;
+      if (!this.isValidEmail(userInfo.email)) {
+        console.warn("BugBear: Invalid email format");
+        return null;
+      }
+      const { data, error } = await this.supabase.rpc("lookup_tester_by_email", {
+        p_project_id: this.config.projectId,
+        p_email: userInfo.email
+      }).maybeSingle();
       if (error || !data) return null;
+      const tester = data;
       return {
-        id: data.id,
-        name: data.name,
-        email: data.email,
-        additionalEmails: data.additional_emails || [],
-        avatarUrl: data.avatar_url || void 0,
-        platforms: data.platforms || [],
-        assignedTests: data.assigned_count || 0,
-        completedTests: data.completed_count || 0
+        id: tester.id,
+        name: tester.name,
+        email: tester.email,
+        additionalEmails: tester.additional_emails || [],
+        avatarUrl: tester.avatar_url || void 0,
+        platforms: tester.platforms || [],
+        assignedTests: tester.assigned_count || 0,
+        completedTests: tester.completed_count || 0
       };
     } catch (err) {
       console.error("BugBear: getTesterInfo error", err);
       return null;
     }
   }
+  /**
+   * Basic email format validation (defense in depth)
+   */
+  isValidEmail(email) {
+    if (!email || email.length > 254) return false;
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    return emailRegex.test(email);
+  }
+  /**
+   * Validate report input before submission
+   * Returns error message if invalid, null if valid
+   */
+  validateReport(report) {
+    const validTypes = ["bug", "feedback", "suggestion", "test_pass", "test_fail"];
+    if (report.type && !validTypes.includes(report.type)) {
+      return `Invalid report type: ${report.type}. Must be one of: ${validTypes.join(", ")}`;
+    }
+    const validSeverities = ["critical", "high", "medium", "low"];
+    if (report.severity && !validSeverities.includes(report.severity)) {
+      return `Invalid severity: ${report.severity}. Must be one of: ${validSeverities.join(", ")}`;
+    }
+    if (report.title && report.title.length > 500) {
+      return "Title must be 500 characters or less";
+    }
+    if (report.description && report.description.length > 1e4) {
+      return "Description must be 10,000 characters or less";
+    }
+    if (report.screenshots && Array.isArray(report.screenshots)) {
+      if (report.screenshots.length > 10) {
+        return "Maximum 10 screenshots allowed";
+      }
+      for (const url of report.screenshots) {
+        if (typeof url !== "string" || url.length > 2e3) {
+          return "Invalid screenshot URL";
+        }
+      }
+    }
+    return null;
+  }
+  /**
+   * Validate profile update input
+   * Returns error message if invalid, null if valid
+   */
+  validateProfileUpdate(updates) {
+    if (updates.name !== void 0) {
+      if (typeof updates.name !== "string" || updates.name.length > 100) {
+        return "Name must be 100 characters or less";
+      }
+    }
+    if (updates.additionalEmails !== void 0) {
+      if (!Array.isArray(updates.additionalEmails)) {
+        return "Additional emails must be an array";
+      }
+      if (updates.additionalEmails.length > 5) {
+        return "Maximum 5 additional emails allowed";
+      }
+      for (const email of updates.additionalEmails) {
+        if (!this.isValidEmail(email)) {
+          return `Invalid email format: ${email}`;
+        }
+      }
+    }
+    if (updates.avatarUrl !== void 0 && updates.avatarUrl !== null) {
+      if (typeof updates.avatarUrl !== "string" || updates.avatarUrl.length > 2e3) {
+        return "Invalid avatar URL";
+      }
+    }
+    if (updates.platforms !== void 0) {
+      if (!Array.isArray(updates.platforms)) {
+        return "Platforms must be an array";
+      }
+      const validPlatforms = ["ios", "android", "web", "desktop", "other"];
+      for (const platform of updates.platforms) {
+        if (!validPlatforms.includes(platform)) {
+          return `Invalid platform: ${platform}. Must be one of: ${validPlatforms.join(", ")}`;
+        }
+      }
+    }
+    return null;
+  }
+  /**
+   * Check rate limit for an action
+   * Returns { allowed: boolean, error?: string, remaining?: number }
+   */
+  async checkRateLimit(identifier, action) {
+    try {
+      const { data, error } = await this.supabase.rpc("check_rate_limit", {
+        p_identifier: identifier,
+        p_action: action,
+        p_project_id: this.config.projectId
+      });
+      if (error) {
+        console.warn("BugBear: Rate limit check failed, allowing request", error.message);
+        return { allowed: true };
+      }
+      if (!data.allowed) {
+        return {
+          allowed: false,
+          error: `Rate limit exceeded. Try again in ${Math.ceil((new Date(data.reset_at).getTime() - Date.now()) / 1e3)} seconds.`,
+          remaining: 0,
+          resetAt: data.reset_at
+        };
+      }
+      return {
+        allowed: true,
+        remaining: data.remaining,
+        resetAt: data.reset_at
+      };
+    } catch (err) {
+      console.warn("BugBear: Rate limit check error", err);
+      return { allowed: true };
+    }
+  }
   /**
    * Update tester profile
    * Allows testers to update their name, additional emails, avatar, and platforms
    */
   async updateTesterProfile(updates) {
     try {
+      const validationError = this.validateProfileUpdate(updates);
+      if (validationError) {
+        return { success: false, error: validationError };
+      }
       const userInfo = await this.getCurrentUserInfo();
       if (!userInfo) {
         return { success: false, error: "Not authenticated" };
       }
+      const rateLimit = await this.checkRateLimit(userInfo.email, "profile_update");
+      if (!rateLimit.allowed) {
+        return { success: false, error: rateLimit.error };
+      }
+      const testerInfo = await this.getTesterInfo();
+      if (!testerInfo) {
+        return { success: false, error: "Not a registered tester" };
+      }
       const updateData = {};
       if (updates.name !== void 0) updateData.name = updates.name;
       if (updates.additionalEmails !== void 0) updateData.additional_emails = updates.additionalEmails;
       if (updates.avatarUrl !== void 0) updateData.avatar_url = updates.avatarUrl;
       if (updates.platforms !== void 0) updateData.platforms = updates.platforms;
-      const { error } = await this.supabase.from("testers").update(updateData).eq("project_id", this.config.projectId).eq("email", userInfo.email);
+      const { error } = await this.supabase.from("testers").update(updateData).eq("id", testerInfo.id);
       if (error) {
         console.error("BugBear: updateTesterProfile error", error);
         return { success: false, error: error.message };
@@ -505,6 +649,11 @@ var BugBearClient = class {
         console.error("BugBear: No tester info, cannot send message");
         return false;
       }
+      const rateLimit = await this.checkRateLimit(testerInfo.email, "message_send");
+      if (!rateLimit.allowed) {
+        console.error("BugBear: Rate limit exceeded for messages");
+        return false;
+      }
       const { error } = await this.supabase.from("discussion_messages").insert({
         thread_id: threadId,
         sender_type: "tester",

package/dist/index.mjs

@@ -57,7 +57,16 @@ var BugBearClient = class {
    */
   async submitReport(report) {
     try {
+      const validationError = this.validateReport(report);
+      if (validationError) {
+        return { success: false, error: validationError };
+      }
       const userInfo = await this.getCurrentUserInfo();
+      const rateLimitId = userInfo?.email || this.config.projectId;
+      const rateLimit = await this.checkRateLimit(rateLimitId, "report_submit");
+      if (!rateLimit.allowed) {
+        return { success: false, error: rateLimit.error };
+      }
       if (!userInfo) {
         console.error("BugBear: No user info available, cannot submit report");
         return { success: false, error: "User not authenticated" };
@@ -163,44 +172,179 @@ var BugBearClient = class {
   /**
    * Get current tester info
    * Looks up tester by email from the host app's authenticated user
+   * Checks both primary email AND additional_emails array
+   * Uses parameterized RPC function to prevent SQL injection
    */
   async getTesterInfo() {
     try {
       const userInfo = await this.getCurrentUserInfo();
-      if (!userInfo) return null;
-      const { data, error } = await this.supabase.from("testers").select("*").eq("project_id", this.config.projectId).eq("email", userInfo.email).eq("status", "active").single();
+      if (!userInfo?.email) return null;
+      if (!this.isValidEmail(userInfo.email)) {
+        console.warn("BugBear: Invalid email format");
+        return null;
+      }
+      const { data, error } = await this.supabase.rpc("lookup_tester_by_email", {
+        p_project_id: this.config.projectId,
+        p_email: userInfo.email
+      }).maybeSingle();
       if (error || !data) return null;
+      const tester = data;
       return {
-        id: data.id,
-        name: data.name,
-        email: data.email,
-        additionalEmails: data.additional_emails || [],
-        avatarUrl: data.avatar_url || void 0,
-        platforms: data.platforms || [],
-        assignedTests: data.assigned_count || 0,
-        completedTests: data.completed_count || 0
+        id: tester.id,
+        name: tester.name,
+        email: tester.email,
+        additionalEmails: tester.additional_emails || [],
+        avatarUrl: tester.avatar_url || void 0,
+        platforms: tester.platforms || [],
+        assignedTests: tester.assigned_count || 0,
+        completedTests: tester.completed_count || 0
       };
     } catch (err) {
       console.error("BugBear: getTesterInfo error", err);
       return null;
     }
   }
+  /**
+   * Basic email format validation (defense in depth)
+   */
+  isValidEmail(email) {
+    if (!email || email.length > 254) return false;
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    return emailRegex.test(email);
+  }
+  /**
+   * Validate report input before submission
+   * Returns error message if invalid, null if valid
+   */
+  validateReport(report) {
+    const validTypes = ["bug", "feedback", "suggestion", "test_pass", "test_fail"];
+    if (report.type && !validTypes.includes(report.type)) {
+      return `Invalid report type: ${report.type}. Must be one of: ${validTypes.join(", ")}`;
+    }
+    const validSeverities = ["critical", "high", "medium", "low"];
+    if (report.severity && !validSeverities.includes(report.severity)) {
+      return `Invalid severity: ${report.severity}. Must be one of: ${validSeverities.join(", ")}`;
+    }
+    if (report.title && report.title.length > 500) {
+      return "Title must be 500 characters or less";
+    }
+    if (report.description && report.description.length > 1e4) {
+      return "Description must be 10,000 characters or less";
+    }
+    if (report.screenshots && Array.isArray(report.screenshots)) {
+      if (report.screenshots.length > 10) {
+        return "Maximum 10 screenshots allowed";
+      }
+      for (const url of report.screenshots) {
+        if (typeof url !== "string" || url.length > 2e3) {
+          return "Invalid screenshot URL";
+        }
+      }
+    }
+    return null;
+  }
+  /**
+   * Validate profile update input
+   * Returns error message if invalid, null if valid
+   */
+  validateProfileUpdate(updates) {
+    if (updates.name !== void 0) {
+      if (typeof updates.name !== "string" || updates.name.length > 100) {
+        return "Name must be 100 characters or less";
+      }
+    }
+    if (updates.additionalEmails !== void 0) {
+      if (!Array.isArray(updates.additionalEmails)) {
+        return "Additional emails must be an array";
+      }
+      if (updates.additionalEmails.length > 5) {
+        return "Maximum 5 additional emails allowed";
+      }
+      for (const email of updates.additionalEmails) {
+        if (!this.isValidEmail(email)) {
+          return `Invalid email format: ${email}`;
+        }
+      }
+    }
+    if (updates.avatarUrl !== void 0 && updates.avatarUrl !== null) {
+      if (typeof updates.avatarUrl !== "string" || updates.avatarUrl.length > 2e3) {
+        return "Invalid avatar URL";
+      }
+    }
+    if (updates.platforms !== void 0) {
+      if (!Array.isArray(updates.platforms)) {
+        return "Platforms must be an array";
+      }
+      const validPlatforms = ["ios", "android", "web", "desktop", "other"];
+      for (const platform of updates.platforms) {
+        if (!validPlatforms.includes(platform)) {
+          return `Invalid platform: ${platform}. Must be one of: ${validPlatforms.join(", ")}`;
+        }
+      }
+    }
+    return null;
+  }
+  /**
+   * Check rate limit for an action
+   * Returns { allowed: boolean, error?: string, remaining?: number }
+   */
+  async checkRateLimit(identifier, action) {
+    try {
+      const { data, error } = await this.supabase.rpc("check_rate_limit", {
+        p_identifier: identifier,
+        p_action: action,
+        p_project_id: this.config.projectId
+      });
+      if (error) {
+        console.warn("BugBear: Rate limit check failed, allowing request", error.message);
+        return { allowed: true };
+      }
+      if (!data.allowed) {
+        return {
+          allowed: false,
+          error: `Rate limit exceeded. Try again in ${Math.ceil((new Date(data.reset_at).getTime() - Date.now()) / 1e3)} seconds.`,
+          remaining: 0,
+          resetAt: data.reset_at
+        };
+      }
+      return {
+        allowed: true,
+        remaining: data.remaining,
+        resetAt: data.reset_at
+      };
+    } catch (err) {
+      console.warn("BugBear: Rate limit check error", err);
+      return { allowed: true };
+    }
+  }
   /**
    * Update tester profile
    * Allows testers to update their name, additional emails, avatar, and platforms
    */
   async updateTesterProfile(updates) {
     try {
+      const validationError = this.validateProfileUpdate(updates);
+      if (validationError) {
+        return { success: false, error: validationError };
+      }
       const userInfo = await this.getCurrentUserInfo();
       if (!userInfo) {
         return { success: false, error: "Not authenticated" };
       }
+      const rateLimit = await this.checkRateLimit(userInfo.email, "profile_update");
+      if (!rateLimit.allowed) {
+        return { success: false, error: rateLimit.error };
+      }
+      const testerInfo = await this.getTesterInfo();
+      if (!testerInfo) {
+        return { success: false, error: "Not a registered tester" };
+      }
       const updateData = {};
       if (updates.name !== void 0) updateData.name = updates.name;
       if (updates.additionalEmails !== void 0) updateData.additional_emails = updates.additionalEmails;
       if (updates.avatarUrl !== void 0) updateData.avatar_url = updates.avatarUrl;
       if (updates.platforms !== void 0) updateData.platforms = updates.platforms;
-      const { error } = await this.supabase.from("testers").update(updateData).eq("project_id", this.config.projectId).eq("email", userInfo.email);
+      const { error } = await this.supabase.from("testers").update(updateData).eq("id", testerInfo.id);
       if (error) {
         console.error("BugBear: updateTesterProfile error", error);
         return { success: false, error: error.message };
@@ -476,6 +620,11 @@ var BugBearClient = class {
         console.error("BugBear: No tester info, cannot send message");
         return false;
       }
+      const rateLimit = await this.checkRateLimit(testerInfo.email, "message_send");
+      if (!rateLimit.allowed) {
+        console.error("BugBear: Rate limit exceeded for messages");
+        return false;
+      }
       const { error } = await this.supabase.from("discussion_messages").insert({
         thread_id: threadId,
         sender_type: "tester",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bbearai/core",
-  "version": "0.1.6",
+  "version": "0.2.0",
   "description": "Core utilities and types for BugBear QA platform",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",