ingestion: reject submissions containing disallowed phrases

/api/ai/submit and /api/submission-receive now scan incoming payload
title + body against the bb.disallowed_phrases allowlist (cached 3
min) and return 422 with the matching phrases if any are found. Stops
competitor mentions from re-entering the pipeline after the bulk
purge.
This commit is contained in:
Ryan Salazar
2026-05-27 13:34:41 +00:00
parent 95a230b1ef
commit 1793c4f0e2
3 changed files with 93 additions and 0 deletions

View File

@@ -1,5 +1,6 @@
import { NextRequest, NextResponse } from "next/server";
import { ingestRawSubmission, rewriteSubmission } from "@/lib/ai/rewrite-pipeline";
import { findViolations } from "@/lib/disallowed-phrases-guard";
export const runtime = "nodejs";
export const maxDuration = 300;
@@ -98,6 +99,21 @@ export async function POST(req: NextRequest) {
);
}
// Reject submissions whose title or body contains a disallowed phrase
// (competitor publications, banned exhibitors, etc.). Logged with the
// violation list so the sender knows what to remove.
const scanText = `${payload.rawTitle}\n${payload.rawContent}\n${payload.rawHtml || ""}`;
const violations = await findViolations(scanText);
if (violations.length > 0) {
return NextResponse.json(
{
error: "Submission rejected: contains disallowed phrases",
violations,
},
{ status: 422 },
);
}
const submissionId = await ingestRawSubmission(payload);
const outcome = await rewriteSubmission({ submissionId, personaSlug: payload.personaSlug });

View File

@@ -1,5 +1,6 @@
import { NextResponse, type NextRequest } from 'next/server';
import { createClient } from '@supabase/supabase-js';
import { findViolations } from '@/lib/disallowed-phrases-guard';
export const dynamic = 'force-dynamic';
@@ -36,6 +37,17 @@ export async function POST(request: NextRequest) {
const content = (body?.body || '').toString();
if (!title || !content) return NextResponse.json({ error: 'title and body are required' }, { status: 400 });
// Editorial guardrail: reject anything mentioning a disallowed phrase
// (competitor publications, banned exhibitors, etc.) before it ever lands
// in bb.native_articles.
const violations = await findViolations(`${title}\n${content}`);
if (violations.length > 0) {
return NextResponse.json(
{ error: 'Submission rejected: contains disallowed phrases', violations },
{ status: 422 },
);
}
const contributor = body?.contributor || {};
const featuredImage = body?.featured_image_url || null;
const attachments = Array.isArray(body?.attachments) ? body.attachments : [];

View File

@@ -0,0 +1,65 @@
/**
* Server-side ingestion guard. Used by /api/ai/submit and /api/submission-receive
* to reject incoming submissions that contain a disallowed phrase from the
* bb.disallowed_phrases table (competitor publications, banned exhibitors,
* etc.).
*/
import { createAdminClient } from "./supabase/admin";
type Phrase = {
phrase: string;
category: string;
match_mode: "word_boundary" | "substring" | "domain";
};
let cached: { rows: Phrase[]; expires: number } | null = null;
const CACHE_TTL_MS = 3 * 60 * 1000;
async function loadActivePhrases(): Promise<Phrase[]> {
if (cached && cached.expires > Date.now()) return cached.rows;
try {
const svc = createAdminClient();
const { data } = await svc
.from("disallowed_phrases")
.select("phrase, category, match_mode")
.eq("active", true);
const rows = (data || []) as Phrase[];
cached = { rows, expires: Date.now() + CACHE_TTL_MS };
return rows;
} catch {
return cached?.rows || [];
}
}
function escapeRegex(s: string): string {
return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
export type Violation = { phrase: string; category: string };
/** Returns the list of phrases the text violates (empty if clean). */
export async function findViolations(text: string): Promise<Violation[]> {
if (!text) return [];
const phrases = await loadActivePhrases();
const out: Violation[] = [];
for (const p of phrases) {
const esc = escapeRegex(p.phrase);
let re: RegExp;
if (p.match_mode === "word_boundary") {
re = new RegExp(`(^|[^A-Za-z0-9])(${esc})(?![A-Za-z0-9])`, "i");
} else if (p.match_mode === "domain") {
re = new RegExp(`(?:https?://)?(?:[\\w-]+\\.)?${esc}\\b`, "i");
} else {
re = new RegExp(esc, "i");
}
if (re.test(text)) out.push({ phrase: p.phrase, category: p.category });
}
return out;
}
/** Throw-style helper: short-circuits an API route on first violation. */
export async function assertNoViolations(text: string): Promise<{ ok: true } | { ok: false; violations: Violation[] }> {
const v = await findViolations(text);
return v.length === 0 ? { ok: true } : { ok: false, violations: v };
}