Update Vapi SDK and implement new way to handle Workflows

[m-gie]

Summary by CodeRabbit

• New Features

  • Introduced a new workflow for generating AI-powered interviews, offering users a guided, multi-step conversation to set up and confirm interview generation.

• Improvements

  • Enhanced reliability and clarity of interview generation by explicitly handling message flows during the process.

• Chores

  • Updated a core dependency to improve performance and compatibility.

[vercel]

@m-gie is attempting to deploy a commit to the JS Mastery Pro Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Walkthrough

A new workflow constant named generator was introduced in the constants module, defining a multi-step conversational flow for generating interviews. The Agent component was updated to utilize this new workflow and to explicitly specify client and server message arrays in calls to vapi.start. The @vapi-ai/web dependency was upgraded to version ^2.3.0.

Changes

File(s)	Change Summary
constants/index.ts	Added exported constant generator, a multi-node workflow for generating interviews.
components/Agent.tsx	Updated imports to include generator; modified vapi.start calls to use new workflow and explicit message arrays.
package.json	Upgraded "@vapi-ai/web" dependency from ^2.2.4 to ^2.3.0.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant AgentComponent
    participant vapi
    participant GeneratorWorkflow
    participant API

    User->>AgentComponent: Initiate "generate" action
    AgentComponent->>vapi: start(undefined, {clientMessages, serverMessages, variableValues}, generator)
    vapi->>GeneratorWorkflow: Begin workflow
    GeneratorWorkflow->>User: Greet and extract interview variables
    GeneratorWorkflow->>API: POST /api/vapi/generate with variables
    API-->>GeneratorWorkflow: Respond with interview data
    GeneratorWorkflow->>User: Inform about generation and confirm
    GeneratorWorkflow->>User: Thank you and end conversation

Loading

Poem

In the warren of code, a new path unfurled,
A generator workflow hops into the world.
With messages clear and dependencies anew,
Interviews are crafted, just for you!
Version bumps and flows refined—
A rabbit’s delight, in code well-aligned.
🐇✨

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

npm warn config production Use --omit=dev instead.
npm error Exit handler never called!
npm error This is an error with npm itself. Please report this error at:
npm error https://github.com/npm/cli/issues
npm error A complete log of this run can be found in: /.npm/_logs/2025-05-20T14_04_49_666Z-debug-0.log

Note

⚡️ AI Code Reviews for VS Code, Cursor, Windsurf

CodeRabbit now has a plugin for VS Code, Cursor and Windsurf. This brings AI code reviews directly in the code editor. Each commit is reviewed immediately, finding bugs before the PR is raised. Seamless context handoff to your AI code agent ensures that you can easily incorporate review feedback.
Learn more here.

---

Note

⚡️ Faster reviews with caching

CodeRabbit now supports caching for code and dependencies, helping speed up reviews. This means quicker feedback, reduced wait times, and a smoother review experience overall. Cached data is encrypted and stored securely. This feature will be automatically enabled for all accounts on May 16th. To opt out, configure Review - Disable Cache at either the organization or repository level. If you prefer to disable all data retention across your organization, simply turn off the Data Retention setting under your Organization Settings.
Enjoy the performance boost—your workflow just got faster.

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 96d01db and a342806.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• components/Agent.tsx (3 hunks)
• constants/index.ts (2 hunks)
• package.json (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

components/Agent.tsx (2)

lib/vapi.sdk.ts (1)

• vapi (3-3)

constants/index.ts (1)

• generator (100-292)

🔇 Additional comments (5)

package.json (1)

16-16: Package dependency upgrade looks good.

The @vapi-ai/web package has been updated from version ^2.2.4 to ^2.3.0. This update is aligned with the implementation of the new workflow system and explicit message arrays in Agent.tsx.

components/Agent.tsx (3)

9-9: Import statement updated correctly to include the new workflow.

The import statement now correctly includes both the new generator workflow constant alongside the existing interviewer constant.

---

121-133: Implementation of the new workflow system for interview generation.

The code now uses the declarative workflow approach instead of relying on an external workflow ID. This improves code maintainability by keeping the workflow definition within the codebase.

The explicit clientMessages and serverMessages arrays follow best practices for the updated Vapi SDK.

---

146-147: Consistent message handling for both workflow types.

The non-generate case now also uses explicit message arrays, maintaining consistency across different workflow types and aligning with the SDK's best practices.

constants/index.ts (1)

100-292: Well-structured workflow for interview generation.

The new generator workflow is well-designed with:

• Clear conversation nodes for user interaction
• Proper variable extraction for interview setup
• An API request to generate the interview content
• Appropriate transitions between nodes using AI-driven conditions
• Clean completion with user notification and hangup

The workflow design follows a logical conversation flow and properly handles all required user inputs.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify user ID handling in the API request.

The workflow passes userid to the API, but make sure the backend API at /api/vapi/generate correctly handles and validates this user identifier to prevent potential security issues.

---

🏁 Script executed:

#!/bin/bash
# Check how the API validates user IDs
fd "api/vapi/generate" --type f | xargs rg -A 10 -B 5 "userid"

Length of output: 3671

---

Add proper validation and authentication for userid in the generate route

The handler in app/api/vapi/generate/route.ts currently does:

const { type, role, level, techstack, amount, userid } = await request.json();
// …  
const interview = {
  // …
  userId: userid,
  // …
};
await db.collection("interviews").add(interview);

There’s no check that userid is well-formed or that it matches an authenticated user. To prevent spoofing or injection:

• Enforce authentication (e.g. via session or JWT) and derive userId from the auth context rather than client payload.
• If you must accept it in the body, validate its format (UUID, Firebase UID, etc.) and verify the user exists.
• Sanitize or whitelist allowed characters/lengths to guard against injection attacks.

Files to update:

• app/api/vapi/generate/route.ts – around the JSON destructuring and before writing to Firestore.

Please implement these checks before persisting any interview data.

🤖 Prompt for AI Agents

In app/api/vapi/generate/route.ts around the lines where the request JSON is
destructured, the userid from the client payload is used directly without
validation or authentication. To fix this, enforce authentication by extracting
the userId from the authenticated session or JWT token instead of the request
body. If accepting userid from the body is unavoidable, validate its format
strictly (e.g., UUID or Firebase UID), check that the user exists in the
database, and sanitize the input to prevent injection. Implement these checks
before creating and saving the interview data to ensure userid integrity and
security.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Ensure environment variable is properly defined.

The API URL uses ${process.env.NEXT_PUBLIC_BASE_URL} - make sure this environment variable is properly defined in all environments where this code will run.

---

🏁 Script executed:

#!/bin/bash
# Check for environment variable definition or usage
rg "NEXT_PUBLIC_BASE_URL" --type ts --type js

Length of output: 132

---

Define and Configure NEXT_PUBLIC_BASE_URL in All Environments

We’ve only located the usage at constants/index.ts:167 and no committed definitions for NEXT_PUBLIC_BASE_URL. To prevent runtime errors:

• Add NEXT_PUBLIC_BASE_URL to your environment files (e.g.,
  • .env.development
  • .env.production
  • .env.example

  NEXT_PUBLIC_BASE_URL=https://your-domain.com

• Ensure it’s set in your hosting/CI environment (Vercel, Netlify, Docker, etc.).
• Optionally, guard against undefined values in code:

  // constants/index.ts (line 167)
  const baseUrl = process.env.NEXT_PUBLIC_BASE_URL ?? "";
  export const API_URL = `${baseUrl}/api/vapi/generate`;

Please update your .env files and deployment settings accordingly.

🤖 Prompt for AI Agents

In constants/index.ts at line 167, the environment variable NEXT_PUBLIC_BASE_URL
is used but not defined in any environment files. To fix this, add
NEXT_PUBLIC_BASE_URL with the appropriate URL value to all your environment
files such as .env.development, .env.production, and .env.example. Also, ensure
this variable is set in your deployment environment settings like Vercel or
Netlify. Optionally, update the code to safely handle undefined values by
assigning a default empty string before constructing the API URL.