
Fix admin public delete accidentally hard-deleting comment threads #116

Draft

cursor[bot] wants to merge 1 commit into main from cursor/critical-bug-investigation-5de6

Conversation

cursor[bot] commented Jun 13, 2026


Bug and impact

Critical: While logged into /admin, using the public comment delete UI (password form on blog/project pages) triggered hardDelete instead of soft-delete. That permanently removed the entire comment subtree, all votes, and decremented URL counts — a common footgun for the site owner browsing their own site with an active admin_token cookie.

High: CommentsSection used keepPreviousData without a freshPath guard (unlike LikeButton), so SPA navigation could briefly show the previous page's comments on the wrong article.

Root cause

  1. DELETE /api/comments/[id] branched on verifyAdminSecret(request) and routed admins to api.comments.hardDelete. The admin session cookie is sent on all same-origin requests (path: '/'), so the public delete UI inherited admin privileges unintentionally.

  2. CommentsSection rendered query.data whenever isLoading was false, but keepPreviousData keeps prior results with isStale: true and isLoading: false during arg changes.

Fix

  • Public delete route always calls softDeleteComment (admins bypass password via adminSecret; hard-delete remains on /api/admin/comments/[id] only).
  • Added freshPath / listReady guard to CommentsSection, matching the LikeButton pattern.

Validation

  • npm test — 116 tests pass (including new regression tests for admin soft-delete and stale comment hiding)
  • svelte-autofixer — no issues on CommentsSection.svelte

Not fixed (noted, lower confidence / operational)

  • Backfill double-count if backfill.run executes during live traffic
  • Client-supplied ipHash on public Convex mutations (architectural)

…n nav

Public DELETE /api/comments/[id] always soft-deletes now. An active admin_token
cookie previously routed through hardDelete, wiping entire subtrees when the
site owner used the visitor delete UI — data loss with a common trigger.

CommentsSection mirrors LikeButton freshPath guarding so keepPreviousData
cannot render the previous page's comments during SPA navigation.

Tests lock in both behaviors.

Co-authored-by: Injoon Oh <injoon5@icloud.com>
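As an added example (not the project's code), a stand-alone model of the public delete route as the description and commit message say it behaves after the fix: verifyAdminSecret, softDeleteComment and hardDeleteComment are simplified stand-ins for the functions the PR names, the Store type, fixture and admin token are constructed, and plain-text passwords stand in for whatever the real site uses. An admin_token cookie only waives the password check; the subtree, its votes and the hard-delete path are untouched by the public route.

```typescript
type Comment = { id: string; parentId: string | null; url: string; password: string; deleted: boolean };
// votes: commentId -> vote count; urlCounts: url -> count of visible comments per page.
export type Store = { comments: Map<string, Comment>; votes: Map<string, number>; urlCounts: Map<string, number> };

const ADMIN_TOKEN = "constructed-admin-token"; // constructed stand-in for the real admin secret

// Simplified stand-in for the route's verifyAdminSecret(request): the admin_token
// cookie is sent on every same-origin request, which is why the public UI inherited it.
export function verifyAdminSecret(request: Request): boolean {
  const cookie = request.headers.get("cookie") ?? "";
  const m = /(?:^|;\s*)admin_token=([^;]*)/.exec(cookie);
  return m !== null && m[1] === ADMIN_TOKEN;
}

// Soft delete: tombstone the comment and decrement its page count; replies and votes are kept.
export function softDeleteComment(store: Store, id: string): void {
  const c = store.comments.get(id);
  if (!c || c.deleted) return;
  c.deleted = true;
  store.urlCounts.set(c.url, (store.urlCounts.get(c.url) ?? 1) - 1);
}

// Hard delete: removes the whole subtree and its votes. Only the admin route should reach this.
export function hardDeleteComment(store: Store, id: string): void {
  const c = store.comments.get(id);
  if (!c) return;
  for (const child of store.comments.values()) if (child.parentId === id) hardDeleteComment(store, child.id);
  if (!c.deleted) store.urlCounts.set(c.url, (store.urlCounts.get(c.url) ?? 1) - 1);
  store.comments.delete(id);
  store.votes.delete(id);
}

// Public DELETE /api/comments/[id] after the fix: an admin session only waives the
// password check; the operation is always softDeleteComment. Returns an HTTP status.
export function publicDelete(request: Request, store: Store, id: string, password: string): number {
  const c = store.comments.get(id);
  if (!c) return 404;
  if (!verifyAdminSecret(request) && password !== c.password) return 403; // plain text: simplified
  softDeleteComment(store, id);
  return 200;
}

// Constructed fixture: one root comment with a reply, votes on both, two visible on the page.
export function fixture(): Store {
  const comments = new Map<string, Comment>([
    ["c1", { id: "c1", parentId: null, url: "/blog/post", password: "pw1", deleted: false }],
    ["c2", { id: "c2", parentId: "c1", url: "/blog/post", password: "pw2", deleted: false }],
  ]);
  return { comments, votes: new Map([["c1", 3], ["c2", 1]]), urlCounts: new Map([["/blog/post", 2]]) };
}
```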
vercel[bot] commented Jun 13, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: web
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Jun 13, 2026 3:12pm

@cloudflare-workers-and-pages


Deploying web with Cloudflare Pages

Latest commit: 47c1582
Status: 🚫 Build failed.

