Conversation

@claudfuen
Contributor

What does this PR do?

This PR addresses and fixes three distinct typos and an encoding issue found across the platform:

  • Corrects the misspelling of "questionaire" to "questionnaire" in file paths and a folder name.
  • Fixes a grammatical error in a tool description from "Find the users organization and it's details" to "Find the user's organization and its details".
  • Resolves an encoding issue in the Product Hunt badge URL in the README.md by changing %Day to %20Day-.

Visual Demo (For contributors especially)

Image Demo (if applicable):

README Product Hunt Badge Fix:

Before (Broken Badge):
image
(Note: Replace with an actual screenshot showing the broken badge)

After (Fixed Badge):
image
(Note: Replace with an actual screenshot showing the correctly rendered badge)

For the "questionnaire" path and grammar fixes, there is no direct visual change to demonstrate.

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
    • N/A
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  1. Verify "questionnaire" path fixes:

    • Navigate to the Security Questionnaire section in the application (e.g., /[orgId]/questionnaire).
    • Ensure that any images or assets related to the questionnaire (specifically tmp-questionnaire-empty-state.png) load correctly without broken image icons.
    • Check the network tab in developer tools to confirm image requests are made to /questionnaire/tmp-questionnaire-empty-state.png (and not /questionaire/).
  2. Verify grammar fix in organization.ts:

    • This change is in a backend tool description. To verify, you would typically inspect the apps/app/src/data/tools/organization.ts file directly to confirm the string has been updated to "Find the user's organization and its details".
    • If this description is exposed in any UI (e.g., an AI assistant's tool description panel), verify the text there.
  3. Verify README badge URL encoding:

    • Open the README.md file in the root of the repository.
    • Observe the Product Hunt badge. It should render correctly, displaying "Product Hunt - #1 Product of the Day" without any broken image icons or incorrect text.
    • Inspect the badge's URL to ensure it contains %20Day- instead of %Day.

Checklist

  • I have self-reviewed the code.
  • My code follows the style guidelines of this project.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have checked if my changes generate no new warnings.

Slack Thread


@cursor

cursor bot commented Dec 5, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents

@vercel

vercel bot commented Dec 5, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| app | Ready | Preview | Comment | Dec 5, 2025 5:27pm |
| portal | Error | | | Dec 5, 2025 5:27pm |

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@comp-ai-code-review

comp-ai-code-review bot commented Dec 5, 2025

🔒 Comp AI - Security Review

🔴 Risk Level: HIGH

Found 2 high CVEs in xlsx@0.18.5 (prototype pollution, ReDoS) and hard-coded/default secrets documented in README/auth.ts; ai@5.0.0 has a low-sev fix in 5.0.52.


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
| --- | --- | --- | --- | --- | --- | --- |
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel's AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis


🔴 README.md (HIGH Risk)

| # | Issue | Risk Level |
| --- | --- | --- |
| 1 | Docs instruct hard-coding API keys/secrets in source files | HIGH |
| 2 | Docs instruct hard-coding Redis URL/TOKEN in source | HIGH |
| 3 | Docs instruct hard-coding Google OAuth secrets in auth.ts | HIGH |
| 4 | Default Postgres creds published: postgres/postgres | HIGH |
| 5 | .env example shows empty AUTH_SECRET/REVALIDATION_SECRET | HIGH |
| 6 | Passing DB URL with password on CLI can leak via process list | HIGH |

Recommendations:

  1. Remove any instructions that recommend hard-coding secrets into source files. Replace with guidance to store secrets in environment variables, a secrets manager (Vault, AWS Secrets Manager, GCP Secret Manager, etc.), or use encrypted config files.
  2. For local development, use .env files that are gitignored and provide a robust .env.example with placeholders (e.g., AUTH_SECRET=REPLACE_ME) rather than empty values. Add runtime checks that fail startup (or warn loudly) if critical secrets (AUTH_SECRET, REVALIDATION_SECRET, etc.) are unset or still set to placeholder values.
  3. Do not publish instructions to hard-code Redis/Upstash URL or tokens into source. Use environment variables or library-specific secret injection. If a file must contain a secret for local dev, document how to use a local secrets file that is excluded from VCS.
  4. Do not instruct to hard-code Google OAuth credentials in auth.ts. Use environment variables for GOOGLE_ID and GOOGLE_SECRET, and document secure local alternatives (e.g., .env, OS keyring).
  5. Avoid shipping default production-like credentials in docs (postgres/postgres). If you must document local defaults for convenience, clearly label them as 'development-only' and recommend changing them; better yet, use ephemeral, randomized credentials in dev containers or require explicit confirmation to use insecure defaults.
  6. Avoid passing database credentials directly on the CLI where they can appear in process listings. Recommend alternatives such as: using .pgpass, using PGPASSWORD in a controlled shell (with caution), using environment variables, using a prompt, or piping input from a file with restricted permissions.
  7. Add pre-commit hooks and CI secret scanning (e.g., GitLeaks, truffleHog, detect-secrets) to block committing secrets and to detect accidental documentation of credentials.
  8. Add a security/devops note explaining safe local development practices: how to generate strong AUTH_SECRET/REVALIDATION_SECRET, how to rotate credentials, and how to run DB in a container with non-default credentials.
  9. Consider adding automated startup checks that refuse to run in non-development environments when default or empty secrets are detected, and include clear remediation instructions in logs.

💡 Recommendations

  1. Upgrade vulnerable packages: bump xlsx (v0.18.5) to a patched release that addresses GHSA-4r6h-8v6p-xvw6 (Prototype Pollution) and GHSA-5pgg-2g8v-p4x9 (ReDoS), and upgrade ai from 5.0.0 to >=5.0.52 (fixes GHSA-rwvc-j5jr-mgvh). Update package.json and reinstall dependencies so the patched versions are used.
  2. Remove hard-coded secrets and insecure defaults in repo files/docs: replace any API keys/Redis/Google OAuth entries in README and auth.ts with references to environment variables (e.g., process.env.GOOGLE_ID / process.env.GOOGLE_SECRET), and update .env.example to use explicit placeholders (AUTH_SECRET=REPLACE_ME, REVALIDATION_SECRET=REPLACE_ME) instead of empty values or 'postgres/postgres'.
  3. Eliminate documentation examples that expose credentials on the command line: remove or rewrite README examples that pass DB URLs or passwords directly in CLI commands so they don’t show secrets (use an environment-variable-based example and placeholder values in docs).

Powered by Comp AI - AI that handles compliance for you. Reviewed Dec 5, 2025
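As an added example (not code from this PR, the project, or the Comp AI review), here is a startup guard of the kind recommendations 2, 5 and 9 above describe, in TypeScript since the affected auth.ts and organization.ts files are TypeScript. The secret names AUTH_SECRET, REVALIDATION_SECRET and the postgres/postgres default come from the review; the placeholder list, the minimum length and the function names are this example's own assumptions.

```typescript
// Added example (not code from this PR or from the Comp AI review bot): a startup
// guard that refuses to run outside development when a required secret is unset,
// still a placeholder, or too short, and flags postgres/postgres in DATABASE_URL.
// Placeholder list, minimum length and function names are assumptions.
const REQUIRED_SECRETS: readonly string[] = ["AUTH_SECRET", "REVALIDATION_SECRET"];
const PLACEHOLDERS = new Set(["REPLACE_ME", "CHANGE_ME", "CHANGEME", "TODO", "XXX"]);
const MIN_SECRET_LENGTH = 32; // assumption: `openssl rand -hex 16` gives exactly this

type Reason = "missing" | "placeholder" | "too_short" | "default_db_credentials";
interface ConfigProblem { name: string; reason: Reason }

// True when the connection URL carries the postgres/postgres defaults the review warns about.
function hasDefaultDbCredentials(databaseUrl: string): boolean {
  try {
    const u = new URL(databaseUrl);
    return u.username === "postgres" && u.password === "postgres";
  } catch {
    return false; // an unparsable URL is a different problem, not this check's job
  }
}

// Pure check over an env-like object so it can be tested without touching process.env.
function findConfigProblems(env: Record<string, string | undefined>): ConfigProblem[] {
  const problems: ConfigProblem[] = [];
  for (const name of REQUIRED_SECRETS) {
    const value = env[name]?.trim() ?? "";
    if (value === "") problems.push({ name, reason: "missing" });
    else if (PLACEHOLDERS.has(value.toUpperCase())) problems.push({ name, reason: "placeholder" });
    else if (value.length < MIN_SECRET_LENGTH) problems.push({ name, reason: "too_short" });
  }
  if (env.DATABASE_URL && hasDefaultDbCredentials(env.DATABASE_URL)) {
    problems.push({ name: "DATABASE_URL", reason: "default_db_credentials" });
  }
  return problems;
}

// Throws outside development so a misconfigured deployment never serves traffic;
// in development it only warns, so local work keeps flowing.
function validateStartupConfig(env: Record<string, string | undefined>, nodeEnv: string): ConfigProblem[] {
  const problems = findConfigProblems(env);
  if (problems.length === 0) return problems;
  const report = problems.map((p) => `  ${p.name}: ${p.reason}`).join("\n");
  const hint = "Remediation: set a random value (e.g. openssl rand -hex 32) via the environment or a secrets manager; never commit it.";
  if (nodeEnv === "development") {
    console.warn(`Insecure configuration detected:\n${report}\n${hint}`);
    return problems;
  }
  throw new Error(`Refusing to start in ${nodeEnv}: insecure configuration\n${report}\n${hint}`);
}

// Usage at boot (assumption: call before any route or handler is registered):
// validateStartupConfig(process.env, process.env.NODE_ENV ?? "production");
```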
