Fix credit usage authorization for scaffold generation #31

Draft
cursor[bot] wants to merge 1 commit into main from cursor/critical-bug-inspection-6450

cursor Bot commented May 5, 2026

Bug and impact

  • Scaffold generation accepted an optional client-provided userId for credit checks and deductions.
  • A Pro user could omit userId to generate scaffolds without spending credits, or provide another user ID to check/deduct credits from that account.
  • The credit summary endpoint also allowed arbitrary userId lookups and could create credit rows for other accounts.

Root cause

  • Credit APIs trusted request-supplied user IDs instead of binding credit reads/writes to the authenticated GitHub session returned by getCurrentUser().

Fix

  • Generate scaffold route now ignores client userId, requires an authenticated account ID, and always checks/deducts credits for user.id.
  • Credit summary route now requires authentication and rejects requests for any userId other than the current authenticated user.

Validation

  • Committed and pushed branch cursor/critical-bug-inspection-6450.
  • Ran git diff --check HEAD^..HEAD successfully.
  • Could not run npx tsc --noEmit or pnpm lint because this container has no node, npx, or pnpm binaries available in PATH.

Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
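
The session-binding pattern the PR description above names, as an added example that is not the PR's code: both handlers take the account ID only from `getCurrentUser()` and never from the request. The in-memory credits map, the handler names, the status codes, and the `getCurrentUser` stand-in that receives the session as an argument are assumptions made for illustration.

```typescript
// Added illustration; only getCurrentUser() and user.id come from the PR text.
type User = { id: string };
type Result = { status: number; body: Record<string, unknown> };

// Constructed sample data standing in for the credits table.
const credits = new Map<string, number>([["user-a", 3], ["user-b", 5]]);

// Hypothetical stand-in: real code resolves the GitHub session server-side.
function getCurrentUser(session: User | null): User | null {
  return session;
}

// Scaffold route: the request body may carry userId, but it is never read.
function generateScaffold(session: User | null, _body: { userId?: string }): Result {
  const user = getCurrentUser(session);
  if (!user || !user.id) return { status: 401, body: { error: "authentication required" } };
  const balance = credits.get(user.id) ?? 0;
  if (balance < 1) return { status: 402, body: { error: "insufficient credits" } };
  credits.set(user.id, balance - 1); // deduct only from the session's account
  return { status: 200, body: { remaining: balance - 1 } };
}

// Summary route: a userId other than the caller's is rejected, and a lookup
// never creates a row.
function creditSummary(session: User | null, requestedUserId?: string): Result {
  const user = getCurrentUser(session);
  if (!user || !user.id) return { status: 401, body: { error: "authentication required" } };
  if (requestedUserId !== undefined && requestedUserId !== user.id) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: { userId: user.id, credits: credits.get(user.id) ?? 0 } };
}
```

A regression test for this class of bug should cover three requests per route: no session, a session with a foreign `userId`, and a session with `userId` omitted.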

vercel Bot commented May 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| repo-app-architect | Error | | May 5, 2026 6:06pm |
| v0-repo-app-architect | Error | Open in v0 | May 5, 2026 6:06pm |


supabase Bot commented May 5, 2026

This pull request has been ignored for the connected project bpjftwoiosftvjvxpovz because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings.

Preview Branches by Supabase.
Learn more about Supabase Branching.
