Test#87

Merged
sweetmantech merged 5 commits into main from test
Jan 5, 2026
Conversation

@sweetmantech
Contributor

@sweetmantech sweetmantech commented Jan 5, 2026

Summary by CodeRabbit

New Features

  • Email responses now support markdown formatting with proper HTML rendering
  • CC recipients are now properly included in email responses when applicable

@vercel
Contributor

vercel bot commented Jan 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
recoup-api Ready Ready Preview Jan 5, 2026 10:42pm

@coderabbitai

coderabbitai bot commented Jan 5, 2026

Warning

Rate limit exceeded

@sweetmantech has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 20 minutes and 41 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 0fad231 and dbfcbc6.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • lib/emails/inbound/respondToInboundEmail.ts
  • package.json
📝 Walkthrough

Walkthrough

Adds markdown rendering capability to generated email responses and introduces conditional CC recipient handling in inbound email replies. The marked library is added as a dependency to support markdown-to-HTML conversion.

Changes

Cohort / File(s) Summary
Email inbound response enhancements
lib/emails/inbound/generateEmailResponse.ts, lib/emails/inbound/respondToInboundEmail.ts, package.json
generateEmailResponse.ts: Imports marked library and renders assistant text as HTML via marked(text) instead of raw text. respondToInboundEmail.ts: Extracts and conditionally includes CC recipients from original email via spread syntax. package.json: Adds marked v^15.0.12 dependency.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • PR #72: Modifies respondToInboundEmail.ts to implement the function that this PR now extends with CC handling.
  • PR #86: Contains extensive CC-related validation and handling changes to respondToInboundEmail.ts that directly overlap with the CC field additions here.
  • PR #83: Originally introduced generateEmailResponse function and integrated it into respondToInboundEmail (adding HTML footer support); this PR further enhances rendering with markdown conversion.

Poem

🐰 A rabbit hops through email streams,
With markdown dreams and CC schemes,
Marked text renders, bold and bright,
Recipients copied—all's right!

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title check ❓ Inconclusive The pull request title 'Test' is generic and does not convey meaningful information about the changeset's primary purpose or the specific features being introduced. Revise the title to clearly describe the main change, such as 'Add markdown rendering for email responses and CC support' to reflect the actual modifications being made.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Fix all issues with AI Agents 🤖
In @lib/emails/inbound/generateEmailResponse.ts:
- Line 31: Sanitize the HTML output from marked by passing the rendered string
through a sanitizer instead of using marked(text) directly: replace the direct
call to produce bodyHtml with a safe pipeline like bodyHtml =
DOMPurify.sanitize(marked(text)) (importing an appropriate server-safe sanitizer
such as isomorphic-dompurify or DOMPurify), or configure marked to disallow HTML
and escape tags via a custom renderer before assigning to bodyHtml; ensure you
reference the same variable names (bodyHtml and text) and the marked(text) call
when making the change.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between efc3e6e and 0fad231.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • lib/emails/inbound/generateEmailResponse.ts
  • lib/emails/inbound/respondToInboundEmail.ts
  • package.json
🔇 Additional comments (5)
lib/emails/inbound/respondToInboundEmail.ts (2)

28-28: LGTM: CC extraction logic is correct.

The conditional assignment properly validates that CC recipients exist and are non-empty before including them.


44-44: LGTM: Conditional spread syntax is idiomatic.

The spread operator cleanly includes the cc field only when recipients are present, avoiding empty CC arrays in the payload.

lib/emails/inbound/generateEmailResponse.ts (2)

1-1: Import added for markdown rendering.

The marked library enables conversion of markdown text to HTML for email responses.


31-31: No changes needed — marked() returns a synchronous string by default.

In marked@15.0.12, the marked() function returns a Promise<string> only when explicitly configured with the async: true option. Since no such configuration is set in this codebase, marked(text) on line 31 correctly returns a synchronous string, and the code works as intended.

Likely an incorrect or invalid review comment.

package.json (1)

31-31: Version 15.0.12 is secure with no known vulnerabilities, but consider updating to a more recent version.

No security advisories exist for marked@15.0.12 (Snyk and CVE databases confirm this is secure). However, the latest version is 17.0.1 (released Nov 2025). The caret constraint ^15.0.12 will only receive patch updates within the 15.x series and miss improvements and fixes in v16 and v17. Consider updating to a recent major version to benefit from newer features and maintenance.

Likely an incorrect or invalid review comment.

const chatResponse = await agent.generate({ messages });
const text = chatResponse.text;

const bodyHtml = marked(text);

⚠️ Potential issue | 🔴 Critical

Critical: Potential XSS vulnerability from unsanitized HTML rendering.

Using marked(text) without sanitization allows HTML passthrough by default. If the AI-generated text contains malicious HTML or JavaScript, it will be rendered directly in the email, creating an XSS attack vector.

🔎 Recommended fix to sanitize HTML output

Configure marked with the sanitize or mangle options, or use a dedicated sanitization library like DOMPurify:

-  const bodyHtml = marked(text);
+  const bodyHtml = marked(text, { 
+    mangle: false, 
+    headerIds: false,
+    breaks: true 
+  });
+  // Consider additional sanitization with DOMPurify or similar
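Review bot: the replacement lines do not sanitize anything. `mangle`, `headerIds` and `breaks` control e-mail address obfuscation, heading anchors and line-break handling, none of them touches raw HTML, which marked still passes through unchanged; and `mangle`, `headerIds` and the `sanitize` option named above were all removed from marked in v8, so on marked 15 they are dead options. The `+  // Consider additional sanitization with DOMPurify or similar` line would be committed as a reminder rather than a fix. The two routes that actually close the issue are the ones this same review lists in its agent prompt: run the rendered string through a sanitizer, `const bodyHtml = DOMPurify.sanitize(marked(text))` with a server-safe DOMPurify build, or give marked a custom renderer that escapes raw HTML tokens instead of emitting them.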

Alternatively, use marked.parse() with explicit renderer configuration to strip or escape HTML tags.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In @lib/emails/inbound/generateEmailResponse.ts around line 31, Sanitize the
HTML output from marked by passing the rendered string through a sanitizer
instead of using marked(text) directly: replace the direct call to produce
bodyHtml with a safe pipeline like bodyHtml = DOMPurify.sanitize(marked(text))
(importing an appropriate server-safe sanitizer such as isomorphic-dompurify or
DOMPurify), or configure marked to disallow HTML and escape tags via a custom
renderer before assigning to bodyHtml; ensure you reference the same variable
names (bodyHtml and text) and the marked(text) call when making the change.

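As an added illustration (not code from this PR or from marked) of the review's second route, a custom renderer that escapes raw HTML, the block below renders the assistant's markdown so that any tag in the model's text becomes escaped text and only http(s)/mailto targets survive as links, which leaves the email body containing only markup the renderer itself wrote. The `renderEmailBody` name, the small inline subset it supports and the sample reply are assumptions made for this example; a production fix would still pair marked with a sanitizer as the review suggests.

```typescript
// Added example (not code from the PR or from marked): render the assistant's
// markdown with raw HTML escaped, never passed through.
const ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Only plain web and mail targets may become links in an outbound email;
// anything else (javascript:, data:, ...) degrades to plain text.
function safeHref(url: string): string | null {
  const trimmed = url.trim();
  return /^(https?:|mailto:)/i.test(trimmed) ? trimmed : null;
}

// Inline subset assumed for this example: **bold**, `code`, [text](url).
// Any <tag> the model emitted falls outside these and is escaped as text.
function renderInline(md: string): string {
  const re = /\*\*(.+?)\*\*|`([^`]+)`|\[([^\]]+)\]\(([^)\s]+)\)/g;
  let out = "";
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(md)) !== null) {
    out += escapeHtml(md.slice(last, m.index));
    if (m[1] !== undefined) out += `<strong>${escapeHtml(m[1])}</strong>`;
    else if (m[2] !== undefined) out += `<code>${escapeHtml(m[2])}</code>`;
    else {
      const href = safeHref(m[4]);
      out += href ? `<a href="${escapeHtml(href)}">${escapeHtml(m[3])}</a>` : escapeHtml(m[3]);
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(md.slice(last));
}

// Paragraphs are blank-line separated, as in the assistant's markdown replies.
function renderEmailBody(text: string): string {
  return text
    .split(/\n\s*\n/)
    .map((p) => p.trim())
    .filter((p) => p.length > 0)
    .map((p) => `<p>${renderInline(p)}</p>`)
    .join("\n");
}

// Constructed sample of a model reply carrying raw HTML and a javascript: link.
const SAMPLE_REPLY = "Thanks!\n\n<script>alert(1)</script>\n\nSee [click here](javascript:document.location) or [site](https://example.com)";
```

Compare with `marked(text)` as merged: marked's default keeps the `<script>` element and the `javascript:` href verbatim, while here both end up as inert text.
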
@sweetmantech sweetmantech merged commit bd45b62 into main Jan 5, 2026
4 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Jan 7, 2026
Merged