Fix scaffold billing bypass and milestone authorization #96

Draft: cursor[bot] wants to merge 1 commit into main from cursor/critical-bug-investigation-0fd6

Conversation

cursor[bot] commented Jun 17, 2026

Summary

  • Fix /api/generate-scaffold to ignore request-body userId and always check/deduct credits for the authenticated user.
  • Scope milestone PATCH/DELETE helpers through the route project and projects.user_id, returning 404 when the milestone is not owned by the requester.

Bug and impact

  • The scaffold UI omits userId, so successful scaffold generation was returning creditsUsed: 0 and recording no credit transaction; a crafted request could also target a different user id for checks/deductions.
  • Milestone PATCH/DELETE authenticated the caller but mutated by milestone UUID alone, allowing cross-project/cross-user writes if a milestone id was known.

Validation

  • pnpm exec tsc --noEmit
  • pnpm exec eslint app/api/generate-scaffold/route.ts 'app/api/projects/[id]/milestones/[milestoneId]/route.ts' lib/queries.ts (passes with one pre-existing lib/queries.ts warning)
  • Mocked route/query harness: scaffold bills auth-user despite body userId: victim-user; insufficient authenticated credits block generation; milestone writes pass milestoneId, route projectId, and authenticated user.id; query SQL includes project ownership constraints.
Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
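To make the two fixes concrete, here is an added, self-contained TypeScript illustration (not code from this repository): an in-memory stand-in where the scaffold handler bills only the authenticated user regardless of any `userId` in the body, and the milestone PATCH is scoped by milestone id, route project id and project owner, returning 404 otherwise. The table/field names, the credit cost and the sample rows are assumptions constructed for the example.

```typescript
// Added example, not the project's own code: an in-memory stand-in for the two
// PR fixes. Table/field names, credit cost and sample rows are constructed assumptions.

interface User { id: string; credits: number; }
interface Project { id: string; user_id: string; }
interface Milestone { id: string; project_id: string; title: string; }

// Constructed sample data: alice owns proj-a, bob owns proj-b.
const users = new Map<string, User>([
  ["alice", { id: "alice", credits: 2 }],
  ["bob", { id: "bob", credits: 5 }],
]);
const projects: Project[] = [
  { id: "proj-a", user_id: "alice" },
  { id: "proj-b", user_id: "bob" },
];
const milestones: Milestone[] = [{ id: "ms-1", project_id: "proj-a", title: "MVP" }];
const SCAFFOLD_COST = 1; // assumed credits per scaffold generation

// Scaffold handler after the fix: the request body may still carry a userId,
// but it is ignored. Only the authenticated user is checked and charged, so a
// request naming another user's id can neither bypass billing nor bill them.
function generateScaffold(authUserId: string, body: { userId?: string }) {
  void body.userId; // deliberately not consulted
  const billed = users.get(authUserId);
  if (!billed || billed.credits < SCAFFOLD_COST) {
    return { status: 402, creditsUsed: 0, billedUserId: authUserId };
  }
  billed.credits -= SCAFFOLD_COST;
  return { status: 200, creditsUsed: SCAFFOLD_COST, billedUserId: authUserId };
}

// Milestone PATCH after the fix: the write is scoped by milestone id, the
// route's project id and the project owner's user id (the SQL form joins
// projects and adds a projects.user_id = <auth user> constraint). A milestone
// that fails any of the three checks is reported as 404, so ownership of a
// known milestone UUID is not revealed to a non-owner.
function patchMilestone(authUserId: string, projectId: string,
                        milestoneId: string, patch: { title: string }) {
  const ownsProject = projects.some((p) => p.id === projectId && p.user_id === authUserId);
  const m = ownsProject
    ? milestones.find((x) => x.id === milestoneId && x.project_id === projectId)
    : undefined;
  if (!m) return { status: 404, milestone: null };
  m.title = patch.title;
  return { status: 200, milestone: { ...m } };
}

function creditsOf(userId: string): number { return users.get(userId)?.credits ?? -1; }
```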
vercel[bot] commented Jun 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                  Deployment  Actions                        Updated (UTC)
repo-app-architect       Ready       Preview, Comment               Jun 17, 2026 11:07am
repofuse                 Ready       Preview, Comment, Open in v0   Jun 17, 2026 11:07am
v0-repo-app-architect    Ready       Preview, Comment, Open in v0   Jun 17, 2026 11:07am
