backend/utils/batchValidate.js-3-3 (1)

3-3: ⚠️ Potential issue | 🟠 Major

ObjectId regex accepts non-hex characters — will allow invalid MongoDB ObjectIds.

MongoDB ObjectIds are 24-character hex strings (0-9, a-f). The current regex /^[0-9a-zA-Z]{24}$/ also accepts non-hex characters like g-z and G-Z, meaning invalid IDs will pass validation but fail at the database layer.

🐛 Proposed fix

-const zodObjectId = zod.string().regex(/^[0-9a-zA-Z]{24}$/, "Invalid ObjectId");
+const zodObjectId = zod.string().regex(/^[0-9a-fA-F]{24}$/, "Invalid ObjectId");

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/utils/batchValidate.js` at line 3, The zodObjectId validator in
backend/utils/batchValidate.js currently allows non-hex characters; update the
regex used by zodObjectId so it only permits 24 hex characters (0-9 and a-f/A-F)
and keep the same "Invalid ObjectId" message; locate the zodObjectId constant
and replace its pattern with one that enforces exactly 24 hex digits.

frontend/src/services/auth.js-9-31 (1)

9-31: ⚠️ Potential issue | 🟠 Major

Inconsistent return shapes across service functions — callers can't safely consume these.

The functions in this module return wildly different shapes on success and error:

Function	Success	Error
fetchCredentials	response.data	throws
completeOnboarding	response.data	error.response (Axios response obj)
registerUser	response (full Axios response!)	error.response
loginUser	res.data	null

Specifically:

• Line 27: registerUser returns the full Axios response object (with status, headers, config, etc.), while loginUser at line 38 returns res.data. This inconsistency means callers need to access response.data.data for registerUser vs result.someField for loginUser.
• Lines 13-15 and 29-30: On error, completeOnboarding and registerUser return error.response (the raw Axios error response), which is a fundamentally different shape from the success path. Callers will need to check for status, data, etc.

Standardize all functions to return the same shape (e.g., always return response.data on success and null or a structured error object on error).

Proposed fix for registerUser

-    return response; 
+    return response.data; 

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/services/auth.js` around lines 9 - 31, completeOnboarding and
registerUser return inconsistent shapes (full axios response or error.response)
which breaks callers; update both to always return response.data on success and
a consistent error sentinel (e.g., null) on failure. Specifically, in
completeOnboarding replace returning error.response with null, and in
registerUser return response.data (not the whole response) on success and return
null in the catch block; ensure both functions keep the try/catch but normalize
their return shapes to response.data / null so callers can consume results
uniformly.

frontend/src/Components/Dashboard/Dashboard.jsx-15-15 (1)

15-15: ⚠️ Potential issue | 🟠 Major

Replace <div>Kaushik</div> with a proper fallback.

This substitutes what was previously the Home component with a raw developer string. Any user navigating to an unrecognised route will see "Kaushik" instead of a real UI. Restore the original fallback or use a proper "Not Found" / redirect component.

🐛 Proposed fix

-    DashboardComponents[selectedRoute] || (() => <div>Kaushik</div>);
+    DashboardComponents[selectedRoute] || Home;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Dashboard/Dashboard.jsx` at line 15, The fallback for
unknown routes was replaced with a developer string; revert to a proper UI by
replacing the inline <div>Kaushik</div> in DashboardComponents[selectedRoute] ||
(() => <div>Kaushik</div>) with the original Home component or a
NotFound/Redirect component. Locate the DashboardComponents array/object and the
selectedRoute usage in Dashboard.jsx and return the Home component (or a
dedicated NotFound component) as the default render function so users see the
expected UI for unrecognized routes.

frontend/src/Components/Certificates/CertificatesList.jsx-22-52 (1)

22-52: ⚠️ Potential issue | 🟠 Major

Mock data will ship to production; api import is dead code until the endpoint is wired.

The real API call is commented out and the TODO is untracked. Merge this only after the /api/certificates/:id endpoint is ready and the mock block is removed, or gate the mock behind a dev-only flag so it can't accidentally reach production.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Certificates/CertificatesList.jsx` around lines 22 -
52, The component CertificatesList.jsx currently assigns hard-coded
mockCertificates and calls setCertificates, and the api import remains unused;
either remove the mock block and dead import before merging or gate the mock
data behind an environment/dev-only flag so it never runs in production. Replace
the mockCertificates + setCertificates path with the real API call to fetch
/api/certificates/:id when that endpoint exists (or wrap the mock assignment in
a check like process.env.NODE_ENV === 'development' / a feature flag) and clean
up the unused api import to prevent shipping dead code.

backend/controllers/eventControllers.js-6-9 (1)

6-9: ⚠️ Potential issue | 🟠 Major

Sort field updated_at (snake_case) doesn't match the selected/used field updatedAt (camelCase).

Mongoose's built-in timestamps use camelCase (updatedAt). Sorting by updated_at references a non-existent field, so the .limit(4) result order is effectively undefined — the "latest events" may not be the latest ones at all.

🐛 Proposed fix

-  .sort({updated_at: -1})
+  .sort({updatedAt: -1})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/controllers/eventControllers.js` around lines 6 - 9, The query that
builds latestEvents uses sort({updated_at: -1}) which references a non-existent
snake_case timestamp; change the sort to use Mongoose's camelCase timestamp
field (sort({updatedAt: -1})) so Event.find(...).sort(...) correctly orders by
the actual updatedAt field that is already being selected.

frontend/src/Components/Certificates/CertificatesList.jsx-14-64 (1)

14-64: ⚠️ Potential issue | 🟠 Major

Perpetual loading state when isUserLoggedIn is empty/null.

loading is initialised to true but the else branch (guard fails) never calls setLoading(false). Any user who lands on this page before isUserLoggedIn is populated — or without an active session — sees the "Loading certificates…" spinner indefinitely.

🐛 Proposed fix

    if (isUserLoggedIn && Object.keys(isUserLoggedIn).length > 0) {
      fetchCertificates();
+   } else {
+     setLoading(false);
    }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Certificates/CertificatesList.jsx` around lines 14 -
64, The useEffect/fetchCertificates flow leaves loading true when the guard if
(isUserLoggedIn && Object.keys(isUserLoggedIn).length > 0) fails; ensure
setLoading(false) is called in that case so the spinner doesn't show forever —
either initialize loading to false and only set true when starting
fetchCertificates, or add an else branch after the guard that calls
setLoading(false) (or explicitly setLoading(false) before returning) so that
setLoading is balanced whenever fetch is not invoked.

frontend/src/Components/Requests/Card.jsx-68-73 (1)

68-73: ⚠️ Potential issue | 🟠 Major

Object.assign(req, updatedRequest) mutates the parent's prop object in place.

Directly mutating props is a React anti-pattern — it bypasses React's rendering cycle, so the parent component won't know the data changed and won't re-render. This can lead to stale UI and subtle bugs.

Instead, lift the update to the parent via a callback, or maintain a local copy of the request in state.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Requests/Card.jsx` around lines 68 - 73, handleSave
currently mutates the prop object via Object.assign(req, updatedRequest), which
mutates the parent's prop and breaks React's render model; update handleSave to
avoid in-place mutation by calling a parent-provided updater (e.g.,
onUpdateRequest or similar prop) with the updatedRequest, or update a local copy
stored in state (e.g., useState for request) and setRequest(updatedCopy) instead
of mutating req directly; locate the handleSave function and replace the direct
Object.assign(req, updatedRequest) use with a call to the parent callback or a
setState update to ensure React re-renders.

backend/config/passportConfig.js-25-25 (1)

25-25: ⚠️ Potential issue | 🟠 Major

User email (PII) logged to stdout.

Logging raw email addresses may create compliance concerns (GDPR/institutional policy). Consider logging a redacted form or omitting the address entirely.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/config/passportConfig.js` at line 25, The console.log in the Google
OAuth flow is printing a user's raw email (profile.emails[0].value); remove or
replace this PII output in passportConfig.js by either omitting the address
entirely or logging a redacted/hash form (e.g., mask local-part or log only
domain) and use the app's logger (e.g., processLogger.warn/info) instead of
console.log to maintain consistent logging; update the OAuth verify callback
where console.log("Google OAuth blocked for: ", profile.emails[0].value) appears
to use the redacted value or no email.

frontend/src/Components/Requests/Requests.jsx-155-158 (1)

155-158: ⚠️ Potential issue | 🟠 Major

Missing key prop on <Card> inside .map().

React requires a unique key for list-rendered elements to avoid reconciliation bugs and console warnings. Each req already has an id field.

🐛 Proposed fix

-            <Card req={req} statusColor={statusColor} />
+            <Card key={req.id} req={req} statusColor={statusColor} />

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Requests/Requests.jsx` around lines 155 - 158, The
Card elements rendered in Requests.jsx inside the filteredRequests.map do not
include a unique key, causing React list-key warnings; update the mapping to
pass a key prop to the Card (e.g., key={req.id}) when rendering each <Card
req={req} statusColor={statusColor} /> so React can properly reconcile the list
(use req.id as the primary key and fall back to index only if id may be
missing).

backend/routes/onboarding.js-33-34 (1)

33-34: ⚠️ Potential issue | 🟠 Major

Internal error details leaked to client.

error.message can contain Mongoose validation errors, stack traces, or internal details. Return a generic message to the client and keep the detailed log server-side.

Proposed fix

     console.error("Onboarding failed:", error.message);
-    res.status(500).json({ message: error.message || "Onboarding failed"  });
+    res.status(500).json({ message: "Onboarding failed" });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/routes/onboarding.js` around lines 33 - 34, The route currently leaks
internal error details by returning error.message to the client; update the
onboarding error handling so that console.error (or your server logger) logs the
full error/stack (e.g., use console.error("Onboarding failed:", error) or
processLogger.error(error)) and change the response to a generic message like
res.status(500).json({ message: "Onboarding failed" }) instead of
res.status(500).json({ message: error.message || "Onboarding failed" }); locate
and update the console.error and res.status(...).json(...) calls inside the
onboarding route handler.

backend/routes/profile.js-17-31 (1)

17-31: ⚠️ Potential issue | 🟠 Major

Missing authorization check — any authenticated user can modify any profile.

All three routes (/photo-update, /photo-delete, /updateStudentProfile) accept an ID_No or userId from the request body/query and operate on that user's profile. There is no check that req.user owns the targeted profile. An authenticated user could update or delete another user's photo or profile data.

Compare the incoming ID_No/userId against req.user.user_id (or equivalent) before proceeding.

Also applies to: 80-90, 106-117

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/routes/profile.js` around lines 17 - 31, Add an ownership
authorization check to the profile routes so authenticated users cannot mutate
others' profiles: in the handlers for "/photo-update", "/photo-delete", and
"/updateStudentProfile" (the async route callbacks using ID_No or userId from
req.body/query), compare the supplied ID_No/userId with req.user.user_id (or the
canonical identifier on req.user) and immediately return a 403 Forbidden JSON
response if they differ; do this before calling User.findOne or performing any
update/delete and reuse the existing isAuthenticated middleware presence to
trust req.user.

backend/index.js-83-89 (1)

83-89: ⚠️ Potential issue | 🟠 Major

Server starts even if the DB connection fails.

connectDB() (per backend/config/db.js) catches and logs the error but does not re-throw or call process.exit(1). The await connectDB() here will resolve successfully even on failure, and the server will start listening without a working database. This leads to 500s on every request rather than a clear startup failure.

🛡️ Suggested fix — propagate DB errors

In backend/config/db.js, re-throw after logging:

   } catch (error) {
     console.error("MongoDB Connection Error:", error);
+    throw error;
   }

Or guard in index.js:

 (async function(){
-  await connectDB();
-  app.listen(process.env.PORT || 5000, () => {
-    console.log(`connected to port ${process.env.PORT || 5000}`);
-  });
+  try {
+    await connectDB();
+    app.listen(process.env.PORT || 5000, () => {
+      console.log(`connected to port ${process.env.PORT || 5000}`);
+    });
+  } catch (err) {
+    console.error("Failed to start server:", err);
+    process.exit(1);
+  }
 })();

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/index.js` around lines 83 - 89, connectDB() currently swallows DB
errors so await connectDB() in the IIFE can resolve even on failure; either (A)
modify the implementation in backend/config/db.js so connectDB() re-throws the
error after logging (preserve current log but throw the caught error) or (B)
update the startup IIFE in backend/index.js to check the result and abort
startup on failure (wrap await connectDB() in try/catch and call process.exit(1)
on error before calling app.listen). Target the connectDB() function in
backend/config/db.js and the IIFE that calls await connectDB() / app.listen in
backend/index.js.

backend/models/userSchema.js-24-30 (1)

24-30: ⚠️ Potential issue | 🟠 Major

Password hash can leak in API responses — add select: false.

The password field lacks select: false, so it is included in every query result by default. In backend/routes/profile.js line 228, the full user object (including the hashed password) is returned in the updatedStudent response. Even hashed passwords should never leave the server.

Adding select: false ensures password is excluded unless explicitly requested (e.g., in login flows via .select("+password")).

Proposed fix

     password: {
       type: String,
       required: function () {
         return this.strategy === "local";
       },
       minLength: 8,
+      select: false,
     },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/models/userSchema.js` around lines 24 - 30, The password field on the
Mongoose schema (userSchema) is currently returned by default; add select: false
to the password schema definition so hashed passwords are excluded from query
results unless explicitly requested (e.g., with .select("+password") in login
flows). Update the password property in the userSchema (the password field
block) and ensure any code that needs the password (such as
authentication/login) uses .select("+password"); also check the profile route
where updatedStudent is returned to avoid sending the full user object with the
password.

frontend/src/hooks/useAuth.js (1)

21-29: Harden response-shape checks before calling handleLogin.

Current logic only checks falsy response; a truthy response without message leaves auth state ambiguous.

Suggested fix

 const response = await fetchCredentials();
-if(!response){
+if (!response?.success || !response?.message) {
   setIsUserLoggedIn(false);
+  setUserRole(null);
+  setIsOnboardingComplete(false);
   return;
 }
 
 const user = response.message;
 handleLogin(user);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/hooks/useAuth.js` around lines 21 - 29, The code assumes
fetchCredentials() returns an object with a message property but only checks for
a falsy response; update the logic in the caller (around fetchCredentials,
response, handleLogin) to verify the response shape before calling handleLogin —
e.g., ensure response && typeof response.message === "object" (or expected
primitive/fields) and that required user fields exist; if the check fails, call
setIsUserLoggedIn(false) and return, otherwise extract the user and call
handleLogin(user). Make this change where response is used and reference the
symbols fetchCredentials, response.message, handleLogin, and setIsUserLoggedIn.

frontend/src/Components/common/Sidebar.jsx (1)

11-11: Avoid hardcoded nav truncation (slice(0, 14)).

Line 11 silently hides items beyond index 13. This is fragile for future menu additions (e.g., requests/certificates growth).

Proposed fix

-  const visibleNavItems = navItems.slice(0, 14);
+  const visibleNavItems = navItems;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/common/Sidebar.jsx` at line 11, The hardcoded
truncation visibleNavItems = navItems.slice(0, 14) in Sidebar.jsx silently hides
items; replace it with a configurable/dynamic approach: either read a
MAX_VISIBLE_NAV_ITEMS constant from config/env or a prop (e.g., maxVisible) and
use navItems.slice(0, maxVisible) or simply render all navItems and add a "Show
more" / collapsible behavior when length exceeds the threshold; update any
references to visibleNavItems accordingly (the navItems array and
visibleNavItems variable) and ensure unit/UI tests or prop types cover the new
maxVisible/config option.

frontend/src/services/auth.js (1)

24-35: Standardize service return/error contracts.

At Line 32 this returns full response, while other functions return .data or null. Mixing AxiosResponse | data | null | error.response makes callers brittle and caused control-flow issues nearby.

Suggested normalization pattern

 export async function registerUser(username, password, name) {
   try {
     const response = await api.post(`/auth/register`, {
       name,
       username,
       password,
     });
-    return response; 
+    return response.data;
   } catch (error) {
-    //console.error("Error obj is:",error.response);
-    return error.response;
+    throw error;
   }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/services/auth.js` around lines 24 - 35, The registerUser
function currently returns the full Axios response on success and returns
error.response on failure, which mixes response shapes; update registerUser to
return a normalized shape consistent with other auth services (e.g., return
response.data on success and null or a standardized error object on failure).
Locate registerUser in frontend/src/services/auth.js and change its success path
to return response.data and its catch path to return a consistent value (null or
an object like { error: error.response?.data || error.message }) so callers
receive a predictable contract.

frontend/src/Components/common/Sidebar.jsx (1)

78-92: ⚠️ Potential issue | 🟠 Major

Logout failure leaves user stuck with no retry option.

Good improvements: disabled={loggingOut} prevents double-clicks, and <Logout /> is now rendered outside the button. However, the core issue remains: the Logout component (per frontend/src/Components/Auth/Logout.jsx) does not accept any callback props. If the logout API call fails, loggingOut remains true, the button stays disabled, and the user cannot retry.

Recommended approach

1. Update Logout.jsx to accept onError and optionally onComplete callbacks:

-const Logout = () => {
+const Logout = ({ onError, onComplete }) => {
   // ...
       } catch (error) {
         console.error("Logout failed:", error);
+        onError?.();
       }
+      // optionally call onComplete on success if needed

2. Update Sidebar to handle the error and reset state:

-        {loggingOut && <Logout />}
+        {loggingOut && <Logout onError={() => setLoggingOut(false)} />}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/common/Sidebar.jsx` around lines 78 - 92, The Logout
flow currently can leave the UI stuck because the Logout component (Logout)
never reports failures back to Sidebar; update the Logout component
(frontend/src/Components/Auth/Logout.jsx) to accept onError and onComplete
callback props and invoke onError(error) when the logout API fails and
onComplete() on any terminal path (success or final cleanup), and then update
Sidebar (component using setLoggingOut and loggingOut) to pass these callbacks:
pass onError={() => setLoggingOut(false)} (and optionally onComplete={() =>
setLoggingOut(false)}) so the button is re-enabled on failure or completion and
users can retry.

backend/routes/profile.js (2)

139-159: Consider adding input validation for sensitive fields.

Fields like email and phone are updated without format validation. Invalid values could be stored in the database. Consider validating email format and phone number patterns before saving.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/routes/profile.js` around lines 139 - 159, The code updates sensitive
fields (name, email, phone, gender, date_of_birth, profilePic, cloudinaryUrl) on
the user.personal_info object without validating formats; add input validation
before assignment in the profile update handler: validate email using a robust
email check (e.g., validator.isEmail or a strict regex) and phone using a phone
pattern or library (e.g., validator.isMobilePhone with appropriate locale) and
reject or sanitize invalid inputs (return 400 with an error) rather than writing
them to user.personal_info; keep other fields (date_of_birth, gender) validated
for expected formats/values (e.g., ISO date, allowed gender values) before
assigning to user.personal_info.profilePic and user.personal_info.cloudinaryUrl
ensure they are valid URLs.

---

92-100: Consider returning a message when no photo exists to delete.

If cloudinaryUrl is empty/falsy, the route silently returns the current profilePic without indicating that no deletion occurred. Consider returning a different status or message to inform the client.

Suggested improvement

    // Delete from Cloudinary if exists
    if (user.personal_info.cloudinaryUrl) {
      await cloudinary.uploader.destroy(user.personal_info.cloudinaryUrl);
      user.personal_info.profilePic = "https://www.gravatar.com/avatar/?d=mp"; // Default photo
      user.personal_info.cloudinaryUrl = "";
      await user.save();
+    } else {
+      return res.status(200).json({ 
+        message: "No custom photo to delete",
+        profilePic: user.personal_info.profilePic 
+      });
    }

    res.json({ profilePic: user.personal_info.profilePic });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/routes/profile.js` around lines 92 - 100, The route currently
silently returns the profilePic when user.personal_info.cloudinaryUrl is falsy;
add an explicit check before calling cloudinary.uploader.destroy and return a
clear status and message (e.g., res.status(404).json({ message: "No profile
photo to delete", profilePic: user.personal_info.profilePic })) if no
cloudinaryUrl exists; otherwise continue to call cloudinary.uploader.destroy,
set user.personal_info.profilePic to the default, clear
user.personal_info.cloudinaryUrl and await user.save() as currently implemented.

frontend/src/Components/common/Sidebar.jsx (1)

11-11: Consider extracting the magic number 14 into a named constant.

The hardcoded limit of 14 items is not immediately self-documenting. A named constant would clarify intent and make future adjustments easier.

+const MAX_VISIBLE_NAV_ITEMS = 14;
+
 const Sidebar = () => {
   const [loggingOut, setLoggingOut] = useState(false);
   const { navItems, selected, setSelected, isCollapsed, setIsCollapsed } = useSidebar();

-  const visibleNavItems = navItems.slice(0, 14);
+  const visibleNavItems = navItems.slice(0, MAX_VISIBLE_NAV_ITEMS);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/common/Sidebar.jsx` at line 11, The slice limit 14 in
the visibleNavItems assignment is a magic number; extract it into a descriptive
constant (e.g., MAX_VISIBLE_NAV_ITEMS) and use that constant in the expression
that creates visibleNavItems (navItems.slice(0, MAX_VISIBLE_NAV_ITEMS)) so the
intent is clear and future changes are easier; add the constant near the top of
Sidebar.jsx or next to navItems so it’s easy to find.

frontend/src/services/auth.js (2)

1-3: Remove unused imports.

axios is commented out and toast is imported but never used in this file.

♻️ Proposed fix

-//import axios from "axios";
 import api from "../utils/api";
-import { toast } from "react-toastify";

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/services/auth.js` around lines 1 - 3, Remove the unused imports
in auth.js: delete the commented-out axios import line (axios) and remove the
unused `toast` import from "react-toastify" so only the actual `api` import
remains; ensure no other references to `axios` or `toast` exist in functions in
this file (e.g., any auth-related functions) before committing.

---

34-34: Remove commented-out debug log.

♻️ Proposed fix

   } catch (error) {
-    //console.error("Error obj is:",error.response);
     throw error

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/services/auth.js` at line 34, Remove the leftover commented
debug log (the commented-out console.error("Error obj is:",error.response);)
from frontend/src/services/auth.js; locate the commented line in the relevant
auth function (e.g., any error handling block such as login or request error
handlers) and delete it so no commented debug statements remain, and run
lint/format to ensure the file meets project style rules.

frontend/src/Components/Requests/Requests.jsx (2)

104-104: Missing navigate in useEffect dependency array.

The navigate function is used inside the effect but not listed in dependencies. While navigate from react-router is typically stable, ESLint rules for exhaustive deps would flag this.

♻️ Proposed fix

-  }, [isUserLoggedIn]);
+  }, [isUserLoggedIn, navigate]);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Requests/Requests.jsx` at line 104, The effect in the
Requests component uses the navigate function but the dependency array only
includes isUserLoggedIn, which can trigger ESLint exhaustive-deps warnings;
update the useEffect dependency array in Requests.jsx to include navigate (e.g.,
useEffect(..., [isUserLoggedIn, navigate])) or, if navigate is intentionally
stable, explicitly document and silence the lint rule with a comment, ensuring
the reference to navigate in the effect is handled consistently.

---

1-1: Unused import: OctagonAlert.

OctagonAlert is imported but never used.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Requests/Requests.jsx` at line 1, The import list in
Requests.jsx includes an unused symbol OctagonAlert; remove OctagonAlert from
the named import list (import { Search, OctagonAlert, FileText } from
"lucide-react") or replace it by using OctagonAlert where intended to avoid the
unused-import lint error—update the import to import only Search and FileText
(or add the component usage) and run the linter to confirm the warning is
resolved.

frontend/src/Components/Requests/viewModal.jsx (1)

1-2: Remove unnecessary blank lines at file start.

The file begins with two empty lines before the imports.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Requests/viewModal.jsx` around lines 1 - 2, Remove
the two leading blank lines at the top of
frontend/src/Components/Requests/viewModal.jsx so the file starts immediately
with its first import statement (e.g., import React.../other imports); ensure
there are no empty lines before the import block and save the file so the top of
the file begins with the import declarations.

frontend/src/Components/Requests/ui.jsx (1)

34-47: Consider adding a fallback for invalid color props.

If color is not one of the defined keys (amber, red, green), styles[color] will be undefined, resulting in no styling applied.

♻️ Proposed fix

 export const Pill = ({ label, color = "amber" }) => {
     const styles = {
         amber: "bg-yellow-100 text-yellow-800",
         red: "bg-red-100 text-red-700",
         green: "bg-green-100 text-green-700 ",
     };

     return (
-        <span className={`inline-flex items-center gap-1 px-3 py-1 rounded-full text-xs tracking-wide font-semibold ${styles[color]}`}
+        <span className={`inline-flex items-center gap-1 px-3 py-1 rounded-full text-xs tracking-wide font-semibold ${styles[color] || styles.amber}`}
         >
             {label}
         </span>
     );
 };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Requests/ui.jsx` around lines 34 - 47, Pill component
uses styles[color] directly so an invalid color prop yields undefined classes;
update Pill to validate or fallback by checking if color is a key in the styles
object (e.g., use styles[color] || styles.amber) or normalize the color before
use so the span always receives a valid class string; reference the Pill
function and the styles object to implement the fallback.

frontend/src/Components/Requests/editModal.jsx (1)

177-190: Save action proceeds regardless of validation or async result.

The Save button immediately calls onClose() after onSave(form). If onSave were async or could fail, the modal would close before the operation completes. Consider awaiting or confirming success before closing.

♻️ Proposed fix for safer save handling

-          <button onClick={() => { onSave(form); onClose(); }} style={{
+          <button onClick={async () => { 
+            try {
+              await onSave(form); 
+              onClose(); 
+            } catch (e) {
+              // handle error - modal stays open
+            }
+          }} style={{

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Requests/editModal.jsx` around lines 177 - 190, The
Save button currently calls onSave(form) and immediately onClose(), which closes
the modal even if onSave is async or fails; change the button handler to an
async handler that awaits onSave(form) (or checks its returned Promise/result)
and only call onClose() after a successful save, handle and surface errors
(e.g., set a local saving/error state to disable the button and show feedback),
and ensure you reference the click handler on the Save button, the onSave(form)
call and onClose() invocation when making these changes.

frontend/src/Components/Requests/Card.jsx (1)

1-1: Unused import: useState.

useState is imported but never used in this component.

♻️ Proposed fix

-import { useState } from "react";
 import { useAdminContext } from "../../context/AdminContext";

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Requests/Card.jsx` at line 1, The import of useState
at the top of frontend/src/Components/Requests/Card.jsx is unused; remove the
named import useState from the import statement (or remove the entire import if
nothing else is imported) so the module no longer imports unused symbols and
ESLint warnings are resolved.

frontend/src/hooks/useAuth.js (1)

28-31: Remove commented-out debug logs.

These commented console.log statements are dead code and should be removed for cleanliness.

♻️ Proposed fix

         const user = response.message;
-        //console.log("User is:", user);
         handleLogin(user);
-          //console.log("User role:", user.role);
-          //console.log("Onboarding complete:", user.onboardingComplete);
       } catch (error) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/hooks/useAuth.js` around lines 28 - 31, Remove the dead
commented debug logs in useAuth (the commented console.log lines that reference
"User is:", "User role:", and "Onboarding complete:") so the handleLogin(user)
call stands alone; simply delete those commented lines to clean up the hook and
avoid leaving commented-out console.log statements in the useAuth.js
implementation.

backend/index.js (1)

42-42: ⚠️ Potential issue | 🟠 Major

Validate that SESSION_SECRET environment variable exists.

If SESSION_SECRET is undefined, the session will operate without a proper secret, which is a security risk. Add validation at startup to ensure this required environment variable is set.

,

Suggested fix after Line 2

// Add after require("dotenv").config();
if (!process.env.SESSION_SECRET) {
  throw new Error("SESSION_SECRET environment variable is required");
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/index.js` at line 42, Add a startup validation to ensure
process.env.SESSION_SECRET is defined before the app initializes sessions: after
loading env (e.g., after require("dotenv").config()) check
process.env.SESSION_SECRET and throw a clear Error if missing so the session
config line using secret: process.env.SESSION_SECRET cannot run with an
undefined value; this protects the session setup in backend/index.js from
starting without SESSION_SECRET.

frontend/src/config/navbarConfig.js (1)

32-33: ⚠️ Potential issue | 🟠 Major

templates and batches still point to missing dashboard entries.

frontend/src/config/dashboardComponents.js:30-53 registers requests and certificates, but not templates or batches, so these menu items still resolve to the fallback dashboard instead of a real page. This looks like the same unresolved issue raised in earlier review feedback.

Also applies to: 47-48, 61-68

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/config/navbarConfig.js` around lines 32 - 33, Navbar items with
key "templates" and "batches" in navbarConfig.js point to missing dashboard
pages; update the mapping in dashboardComponents.js (the registry that currently
registers "requests" and "certificates") to include corresponding components for
keys "templates" and "batches" or remove those keys from navbarConfig.js if
those pages are intentionally not implemented. Locate the registry
function/object in dashboardComponents.js and either add entries for "templates"
and "batches" that import/return the correct components, or delete the
"templates"/"batches" entries from navbarConfig.js (also check the other
mentioned navbar entries at lines referenced) so the nav items no longer resolve
to the fallback dashboard.

backend/models/templateSchema.js (1)

12-20: Consider consistent enum casing.

The category enum uses uppercase values ("CULTURAL", "TECHNICAL") while status uses title case ("Draft", "Active"). This inconsistency may cause confusion when querying or filtering. Consider standardizing on one casing convention.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/models/templateSchema.js` around lines 12 - 20, The category and
status enums in templateSchema.js use inconsistent casing—category uses
uppercase values (category enum) while status uses title case (status enum and
default). Standardize both enums to the same convention (e.g., all uppercase or
all title case) by updating the enum arrays for category and status and adjust
the status default to match the chosen casing; ensure any code that relies on
these values (queries or seed data) is updated to the new casing as well.

frontend/src/Components/Batches/select.jsx (1)

3-15: Consider consolidating with Templates/select.jsx to avoid duplication.

This component is nearly identical to frontend/src/Components/Templates/select.jsx, differing only in the default option value ("ALL" vs "All"). Consider extracting a shared Select component that accepts the default value as a prop to reduce maintenance burden.

Also, using o as the key on Line 11 assumes all options are unique strings. If duplicates exist, React will warn about duplicate keys.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Batches/select.jsx` around lines 3 - 15, The Select
component is duplicated with Templates/select.jsx and should be consolidated:
extract a shared Select component (exported as Select) that accepts a prop for
the default option value (e.g., defaultValue or defaultOptionValue) so callers
can pass "ALL" or "All", then replace both implementations with imports of the
shared component; also fix the options rendering in Select (inside the
options.map in Select) to use a stable unique key (e.g., combine index and value
or use a provided id property) instead of just `o` to avoid React duplicate key
warnings when option strings may repeat.

frontend/src/Components/Batches/modalDialog.jsx (2)

169-192: Suppressed dependency studentIds may cause stale data issues.

The useEffect depends only on open, but uses studentIds which is computed from form.students. If form.students changes while the panel is already open, the effect won't refetch with the new IDs. This may be intentional (only fetch on initial open), but the eslint suppression hides a potential data staleness issue.

Consider either including studentIds (or a stable reference like JSON.stringify(studentIds)) in the dependency array, or adding a comment explaining why refetching on student change is intentionally avoided.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Batches/modalDialog.jsx` around lines 169 - 192, The
effect in modalDialog.jsx uses studentIds (derived from form.students) but only
depends on open, risking stale data; update the useEffect that calls
fetchBatchUsers to either include studentIds (or a stable representation like
JSON.stringify(studentIds) or form.students) in the dependency array so it
refetches when student selection changes, or add an explicit inline comment
above the useEffect explaining that skipping studentIds is intentional and why
(and keep the eslint-disable if retained); reference the useEffect, studentIds,
fetchBatchUsers, setDetails, setLocalSelected, open, and form.students when
making the change.

---

523-524: Simplify isViewOnly check.

The current check viewingBatch && Object.keys(viewingBatch).length > 0 is defensive, but since viewingBatch is already checked for truthiness first, you could simplify to just !!viewingBatch if an empty object is never passed. If empty objects are valid inputs, the current logic is fine.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Batches/modalDialog.jsx` around lines 523 - 524, The
isViewOnly computation is overly defensive; replace the expression "viewingBatch
&& Object.keys(viewingBatch).length > 0" with a simple truthiness cast like
"!!viewingBatch" (or "Boolean(viewingBatch)") in modalDialog.jsx to simplify the
check for the viewingBatch variable (update the isViewOnly constant
declaration).

frontend/src/Components/Batches/ui.jsx (1)

169-251: Modal lacks keyboard accessibility.

The modal doesn't handle Escape key to close, doesn't trap focus within the dialog, and lacks ARIA attributes (role="dialog", aria-modal="true", aria-labelledby). This impacts keyboard and screen reader users.

Suggested accessibility improvements

 export function Modal({ open, onClose, title, children }) {
   if (!open) return null;
+
+  const handleKeyDown = (e) => {
+    if (e.key === "Escape") onClose();
+  };
+
   return (
     <div
+      role="dialog"
+      aria-modal="true"
+      aria-labelledby="modal-title"
+      onKeyDown={handleKeyDown}
       style={{
         position: "fixed",
         inset: 0,

And add id="modal-title" to the <h2> element.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Batches/ui.jsx` around lines 169 - 251, The Modal
component currently lacks keyboard accessibility: update the Modal function to
add ARIA attributes (role="dialog", aria-modal="true", aria-labelledby pointing
to an id you add to the title element, e.g., id="modal-title"), wire an Escape
key handler that calls onClose, and implement focus management so focus is moved
into the dialog on open and restored on close and focus is trapped inside the
modal while open (handle Tab/Shift+Tab or use a small focus-trap utility).
Ensure the <h2> (title) receives id="modal-title" and that onClose remains used
for both backdrop click and Escape to close.

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

frontend/src/pages/templatesPage.jsx (1)

3-3: Remove stale commented import.

Line 3 is dead commented code and adds noise. Please remove it.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/pages/templatesPage.jsx` at line 3, Remove the stale commented
import of RequestProvider from templatesPage.jsx by deleting the line "//import
{ RequestProvider } from "../context/RequestContext.js";" so the file no longer
contains dead commented code; ensure no other code depends on RequestProvider in
the same file and run a quick lint/format after removal.

frontend/src/Components/Batches/batches.jsx (3)

73-75: Remove debug console.log statements.

These logging statements appear to be development artifacts and should be removed before merging.

🧹 Proposed fix

-        console.log("Batches is:", batches[0]);
-        console.log("Events is: ", events[0]);
-        console.log("Templates is: ", templates[0]);
         setBatches(batches);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Batches/batches.jsx` around lines 73 - 75, Remove the
development console.log statements in batches.jsx that print batches[0],
events[0], and templates[0]; locate the log calls in the Batches component (the
three console.log lines shown) and either delete them or gate them behind a
debug flag/env check so no debug output remains in production code.

---

286-288: Move Google Fonts import out of component.

The inline <style> tag will be re-injected on every render. Consider moving the font import to index.html or a global CSS file for better performance and to avoid duplicate style tags.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Batches/batches.jsx` around lines 286 - 288, The
inline <style> block in the Batches component (batches.jsx) injects the Google
Fonts import on every render; remove that <style> element from the component and
add the `@import` or <link href="https://fonts.googleapis.com/..."
rel="stylesheet"> to a global place (e.g., your app's index.html head or a
global CSS file like index.css) so the font is loaded once and not re-inserted
during component renders; update any component references to rely on the global
font instead.

---

12-15: Unused imports: CircleFadingPlus, Clock1, Eraser.

These icons are imported but never used in the component.

🧹 Proposed fix

   X,
   Info,
   SquareUser,
   Plus,
   Building2,
   FolderOpen,
-  CircleFadingPlus,
-  Clock1,
   CircleFadingArrowUp,
-  Eraser,
 } from "lucide-react";

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Batches/batches.jsx` around lines 12 - 15, Remove the
unused icon imports to clean up the module: delete CircleFadingPlus, Clock1, and
Eraser from the import list in frontend/src/Components/Batches/batches.jsx (or,
if they were intended to be used, add the missing usages inside the Batches
component where appropriate); ensure only actually used icons remain in the
import statement to prevent linter/build warnings.

frontend/src/Components/Certificates/CertificatesList.jsx (1)

145-156: Give the search input an accessible name.

Right now the placeholder is doing double duty as the label. Add a <label> or at least aria-label="Search certificates" so the filter stays discoverable for screen-reader users after they start typing.

Minimal accessibility fix

         {/**search bar */}
         <div className="relative flex-1 ">
+          <label htmlFor="certificate-search" className="sr-only">
+            Search certificates
+          </label>
           <Search
             className="absolute left-3 top-1/2 -translate-y-1/2 text-gray-400"
             size={20}
           />
           <input
+            id="certificate-search"
             type="text"
             placeholder="Search by event or issued by..."
             value={searchTerm}
             onChange={(e) => setSearchTerm(e.target.value)}
+            aria-label="Search certificates"
             className="w-full pl-10 pr-4 py-1.5 rounded-xl border-2 border-black bg-white text-black placeholder-gray-400 "
           />
         </div>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/src/Components/Certificates/CertificatesList.jsx` around lines 145 -
156, The search input in CertificatesList.jsx (the <input> bound to searchTerm
and onChange calling setSearchTerm) lacks an accessible name; add one by either
adding a visible <label> tied to that input (for attribute matching the input
id) or by adding aria-label="Search certificates" (or aria-labelledby pointing
to a nearby label) and ensure the Search icon remains decorative
(aria-hidden="true") so screen readers announce the purpose correctly.

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes