The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-backend	Ready	Preview, Comment	Feb 19, 2026 3:18am
stack-dashboard	Ready	Preview, Comment	Feb 19, 2026 3:18am
stack-demo	Ready	Preview, Comment	Feb 19, 2026 3:18am
stack-docs	Ready	Preview, Comment	Feb 19, 2026 3:18am

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Greptile Summary

This PR ensures analytics events and session replays are always associated with a user by auto-creating anonymous users when no authenticated session exists. The shared getAnalyticsAccessToken helper in client-app-impl.ts first tries the current session token, then falls back to creating an anonymous user via _signUpAnonymously(). As a consequence, pre-auth buffer caps and cross-user event leakage guards are removed from both EventTracker and SessionRecorder.

Additionally, a switch/case bug in useUser is fixed: the return-null / undefined / anonymous-if-exists[deprecated] cases now explicitly set crud = null and break, correcting a scenario where a non-null anonymous/restricted user could leak through.

• Cross-user event leakage: The removed _wasAuthenticated logout guard previously cleared event buffers on user transitions. With anonymous fallback, events from a logged-in user may be flushed under a newly created anonymous identity after logout.
• Unbounded buffer growth: If _hasPersistentTokenStore() returns false, getAnalyticsAccessToken returns null and events accumulate without any cap (the old MAX_PREAUTH_BUFFER_* constants were removed).
• Bug fix: The useUser switch/case now correctly nullifies crud for the return-null path.

Confidence Score: 2/5

• The removal of cross-user event leakage guards introduces a data isolation concern that should be evaluated before merging.
• The core idea of using anonymous users for pre-login analytics is sound, but the PR removes two important safety mechanisms (cross-user buffer clearing on logout and pre-auth buffer size caps) without replacing them. The cross-user leakage concern is the most significant: events from one user session could be attributed to a different anonymous identity after logout.
• Pay close attention to event-tracker.ts and session-replay.ts where cross-user event leakage guards and buffer caps were removed.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant Tick as _tick() (every 5-10s)
    participant GAT as getAnalyticsAccessToken
    participant Session as Session Store
    participant API as Backend API

    Tick->>GAT: getAccessToken()
    GAT->>Session: getOrFetchLikelyValidTokens()
    alt Token exists (user logged in)
        Session-->>GAT: accessToken
        GAT-->>Tick: token
        Tick->>API: flush events with token
    else No token
        GAT->>GAT: _hasPersistentTokenStore()?
        alt Has token store
            GAT->>API: _signUpAnonymously()
            API-->>GAT: anonymous user tokens
            GAT->>Session: getOrFetchLikelyValidTokens()
            Session-->>GAT: new accessToken
            GAT-->>Tick: anonymous token
            Tick->>API: flush events with anonymous token
        else No token store
            GAT-->>Tick: null
            Note over Tick: Events buffered indefinitely (no cap)
        end
    end

_{Last reviewed commit: e545adc}