
Fix credit APIs to use authenticated user #32 (Draft)

cursor[bot] wants to merge 1 commit into main from cursor/critical-bug-inspection-c057

Conversation

cursor Bot commented May 6, 2026

Summary

  • Stop trusting caller-supplied userId values in credits-related API routes
  • Derive credit reads and deductions from the authenticated GitHub session user
  • Update the credits display client to call the summary endpoint without exposing a user id query parameter

Bug and impact

A caller could provide another user's UUID to credits endpoints and read that user's credit balance or cause analysis/scaffold credit deductions against that account.

Root cause

The credits system accepted userId from request bodies/query strings instead of binding operations to getCurrentUser().

Validation

  • Committed and pushed to cursor/critical-bug-inspection-c057
  • Attempted npx tsc --noEmit and pnpm lint, but this environment has no Node tooling on PATH (node, npm, npx, and pnpm all returned command not found).

Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
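The bug and fix the summary describes, as an added example that is not the project's code: a TypeScript route handler that charges whatever account the request body names, next to one bound to the session user. The in-memory ledger, the request shapes and the getCurrentUser() stand-in are assumptions, not the project's helpers.

```typescript
// Added example (not the project's code): the pattern the PR describes,
// shown as a vulnerable handler next to its hardened form.
// Assumptions: an in-memory credit ledger, a session object on the request,
// and a hypothetical getCurrentUser() stand-in for the project's helper.

type Session = { userId: string } | null;
type ApiRequest = { session: Session; body: Record<string, unknown> };
type ApiResponse = { status: number; body: Record<string, unknown> };

// Constructed sample ledger: two users and their credit balances.
const credits = new Map<string, number>([
  ["alice-uuid", 10],
  ["bob-uuid", 5],
]);

// Hypothetical stand-in for getCurrentUser(): resolves the authenticated user
// from the session, never from caller-supplied parameters.
function getCurrentUser(req: ApiRequest): { id: string } | null {
  return req.session ? { id: req.session.userId } : null;
}

// BEFORE (the bug): the account to charge comes from the request body, so an
// authenticated caller can deduct credits from any account whose id they know.
export function deductCreditsVulnerable(req: ApiRequest, amount: number): ApiResponse {
  const userId = String(req.body.userId ?? "");
  const balance = credits.get(userId);
  if (balance === undefined) return { status: 404, body: { error: "unknown user" } };
  credits.set(userId, balance - amount);
  return { status: 200, body: { userId, balance: balance - amount } };
}

// AFTER (the fix): the account is bound to the session user; any userId in the
// body or query string is ignored, and unauthenticated calls are rejected.
export function deductCreditsFixed(req: ApiRequest, amount: number): ApiResponse {
  const user = getCurrentUser(req);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  const balance = credits.get(user.id);
  if (balance === undefined) return { status: 404, body: { error: "unknown user" } };
  if (balance < amount) return { status: 402, body: { error: "insufficient credits" } };
  credits.set(user.id, balance - amount);
  return { status: 200, body: { userId: user.id, balance: balance - amount } };
}

// Read side of the same rule: the summary endpoint takes no user id at all.
export function creditSummaryFixed(req: ApiRequest): ApiResponse {
  const user = getCurrentUser(req);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  return { status: 200, body: { userId: user.id, balance: credits.get(user.id) ?? 0 } };
}
```

A detection hint for the same class of bug: grep the API routes for handlers that read a user identifier from `req.body`, `searchParams` or a query string and pass it to a data-layer call without first comparing it to the session user.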

vercel Bot commented May 6, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                Deployment   Actions              Updated (UTC)
repo-app-architect     Error        Error                May 6, 2026 11:05am
v0-repo-app-architect  Error        Error, Open in v0    May 6, 2026 11:05am


supabase Bot commented May 6, 2026

This pull request has been ignored for the connected project bpjftwoiosftvjvxpovz because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings.

Preview Branches by Supabase.
Learn more about Supabase Branching.
