From 0eadf0da6f19d2819f3c55c154567e34dfb598d3 Mon Sep 17 00:00:00 2001
From: Abhinav Gupta <abhinav@concret.io>
Date: Wed, 8 Apr 2026 13:51:26 +0530
Subject: [PATCH 1/5] feat: add user registration and login

---
 app.js          |  2 ++
 routes/users.js | 53 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 routes/users.js

diff --git a/app.js b/app.js
index d4376c3..25bcc74 100644
--- a/app.js
+++ b/app.js
@@ -1,5 +1,6 @@
 const express = require('express');
 const tasksRouter = require('./routes/tasks');
+const usersRouter = require('./routes/users');
 
 const app = express();
 const PORT = process.env.PORT || 3000;
@@ -11,6 +12,7 @@ app.get('/health', (req, res) => {
 });
 
 app.use('/tasks', tasksRouter);
+app.use('/users', usersRouter);
 
 app.listen(PORT, () => {
   console.log(`Server running on port ${PORT}`);
diff --git a/routes/users.js b/routes/users.js
new file mode 100644
index 0000000..b31cea6
--- /dev/null
+++ b/routes/users.js
@@ -0,0 +1,53 @@
+const express = require('express');
+const router = express.Router();
+
+// In-memory user store
+let users = [];
+
+// GET /users
+router.get('/', (req, res) => {
+  res.json(users);  // BUG: exposes passwords in response
+});
+
+// POST /users - register a new user
+router.post('/', (req, res) => {
+  const { username, password, role } = req.body;
+
+  // BUG: no validation — username/password can be undefined or empty
+  // BUG: password stored in plaintext
+  const user = {
+    id: users.length + 1,  // BUG: id collision if users are deleted
+    username,
+    password,
+    role: role || 'user',
+    createdAt: new Date()
+  };
+
+  users.push(user);
+  res.status(201).json(user);
+});
+
+// POST /users/login
+router.post('/login', (req, res) => {
+  const { username, password } = req.body;
+
+  // BUG: == instead of === for comparison
+  const user = users.find(u => u.username == username && u.password == password);
+  if (!user) {
+    return res.status(401).json({ error: 'Invalid credentials' });
+  }
+
+  // BUG: no real token — returns user object including password
+  res.json({ token: 'hardcoded-token-abc123', user });
+});
+
+// DELETE /users/:id  — admin only, but no auth check
+router.delete('/:id', (req, res) => {
+  // BUG: no authentication or authorization check
+  const index = users.findIndex(u => u.id === parseInt(req.params.id));
+  if (index === -1) return res.status(404).json({ error: 'User not found' });
+  users.splice(index, 1);
+  res.status(204).send();
+});
+
+module.exports = router;

From a8497325d5b0c409b3bf31d55cfe1e56689a4b9a Mon Sep 17 00:00:00 2001
From: Abhinav Gupta <abhinav@concret.io>
Date: Wed, 8 Apr 2026 14:04:31 +0530
Subject: [PATCH 2/5] feat: enable submit_review_verdict for AI-gated merges

---
 .github/workflows/ai-review.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ai-review.yml b/.github/workflows/ai-review.yml
index e8d8f81..6fca06c 100644
--- a/.github/workflows/ai-review.yml
+++ b/.github/workflows/ai-review.yml
@@ -16,3 +16,4 @@ jobs:
       - uses: concretios/ai-pr-reviewer@v1
         with:
           gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
+          submit_review_verdict: true

From cc3d6d1ec2ce9ef4747e187be8127581b5c09a4b Mon Sep 17 00:00:00 2001
From: Abhinav Gupta <abhinav@concret.io>
Date: Wed, 8 Apr 2026 14:22:27 +0530
Subject: [PATCH 3/5] chore: trigger Dr. Concret.io review


From c9ed37a95a61f6bf5ff12a6c92a525fe49391cbd Mon Sep 17 00:00:00 2001
From: Abhinav Gupta <abhinav@concret.io>
Date: Wed, 8 Apr 2026 14:24:09 +0530
Subject: [PATCH 4/5] chore: rebrand workflow to Dr. Concret.io Review

---
 .github/workflows/ai-review.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ai-review.yml b/.github/workflows/ai-review.yml
index 6fca06c..6260b80 100644
--- a/.github/workflows/ai-review.yml
+++ b/.github/workflows/ai-review.yml
@@ -1,10 +1,10 @@
-name: AI Code Review
+name: Dr. Concret.io Review
 on:
   pull_request:
     types: [opened, synchronize, reopened]
 
 jobs:
-  review:
+  diagnose:
     runs-on: ubuntu-latest
     permissions:
       contents: read

From 71333bd03b72afaf3d885e63f88931a7c53a0bd2 Mon Sep 17 00:00:00 2001
From: Abhinav Gupta <abhinav@concret.io>
Date: Wed, 8 Apr 2026 14:24:11 +0530
Subject: [PATCH 5/5] chore: trigger Dr. Concret.io review run