fix: prevent users from inviting themselves in referral flow #385

Closed: jhosepm352-design wants to merge 1 commit into profullstack:master from jhosepm352-design:fix/prevent-self-invite

@jhosepm352-design

Contributor

Prevents users from sending invitation emails to their own email address, avoiding potential gaming of the referral system.

@greptile-apps

greptile-apps Bot commented Jun 4, 2026

Greptile Summary

This PR aims to prevent self-invites in the referral flow by filtering out the requesting user's own email before sending invitations. However, the diff accidentally removed the first 88 lines of route.ts — including all imports, the entire GET handler, and the function declaration and early validation logic of POST — leaving behind a fragment that references undefined variables and exports no handlers.

  • Self-invite filter (filteredEmails): the logic itself is correct — user.email is lowercased and compared against the normalized email list — but it is stranded in an uncompilable file.
  • GET /api/referrals: completely deleted by this diff; listing referrals will return a 405 Method Not Allowed for every caller.
  • Error message: when only the user's own email is submitted, the response says "No valid email addresses provided" rather than something that explains the self-invite restriction.

Confidence Score: 1/5

Do not merge — the file is missing all imports, the GET handler, and the POST function declaration, making the entire /api/referrals endpoint non-functional.

The diff deleted the first 88 lines of the file, including all import statements, the complete GET handler, and the opening of the POST function. What remains is a code fragment that references variables like normalizedEmails, emailRegex, user, supabase, and several imported symbols that no longer exist in the file. The module exports nothing, so Next.js will reject all requests to this route. The intended self-invite filter logic is sound but completely unreachable in its current state.

src/app/api/referrals/route.ts needs to be restored to include its imports, the GET handler, and the complete POST function declaration before the new self-invite filter lines are inserted.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/app/api/referrals/route.ts | Critical: the diff accidentally deleted all imports, the GET handler, and the POST function declaration. The surviving code references undefined variables and exports nothing, so the entire /api/referrals endpoint is non-functional. |

Comments Outside Diff (1)

  1. src/app/api/referrals/route.ts, line 5-10

    P2 When only the user's own email was provided (so filteredEmails is empty), the response says "No valid email addresses provided", which doesn't communicate why the request was rejected. A clearer message prevents user confusion.

Reviews (1): Last reviewed commit: "fix: prevent users from inviting themsel..."

Comment on lines +1 to +3
const validEmails = normalizedEmails.filter((e: string) => emailRegex.test(e));
const userEmail = user.email?.toLowerCase();
const filteredEmails = validEmails.filter((e: string) => e !== userEmail);
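
Review bot: The exact match `e !== userEmail` on the third line only works if `userEmail` is normalized the same way as the entries in `normalizedEmails`, and when `user.email` is undefined the optional chain yields `undefined`, so every address passes and the self-invite filter is silently disabled. Reject or skip the request when the account has no email, apply the same normalization to both sides, and note in a comment that an exact match will not recognise a differently written alias of the same mailbox. When `filteredEmails` ends up empty only because the caller's own address was removed, return a message that says so rather than the generic invalid-address error.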

P0 Entire route file is broken — imports, GET handler, and POST function declaration are all gone

The diff replaced lines 1–88 of the original file (all imports, the full GET handler, and the top ~80 lines of the POST handler including the function declaration, auth check, body parsing, and all early validation) with just 3 lines that reference variables that no longer exist: normalizedEmails, emailRegex, user, supabase, NextResponse, createServiceClient, referralInviteEmail, and sendEmail are all used later in the file but are never imported or declared. The module also no longer exports GET or POST, so Next.js will not route any requests to it. This file cannot compile and the entire /api/referrals endpoint is dead.
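
The self-invite check discussed in this review, written as a stand-alone function. This is an added example, not code from the pull request or the project. `checkInvites`, `EMAIL_RE`, `normalizeEmail`, the trim-and-lowercase normalization, the fail-closed handling of a missing account email and every error string other than "No valid email addresses provided" are assumptions.

```typescript
// Added example; not the project's route.ts. Names and messages are assumptions.
interface InviteCheck {
  ok: boolean;
  toSend: string[];
  error?: string; // set only when ok is false
}

// Assumed stand-in for the route's emailRegex, which the page does not show.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Assumed normalization, applied identically to submitted and account emails.
function normalizeEmail(s: string): string {
  return s.trim().toLowerCase();
}

function checkInvites(rawEmails: string[], accountEmail?: string | null): InviteCheck {
  const valid = rawEmails
    .map(normalizeEmail)
    .filter((e, i, all) => EMAIL_RE.test(e) && all.indexOf(e) === i); // valid, de-duplicated
  if (valid.length === 0) {
    return { ok: false, toSend: [], error: "No valid email addresses provided" };
  }
  // Fail closed: `e !== undefined` is true for every address, so a missing
  // account email would otherwise disable the self-invite filter silently.
  if (!accountEmail) {
    return { ok: false, toSend: [], error: "Account email unavailable" };
  }
  const self = normalizeEmail(accountEmail);
  const toSend = valid.filter((e) => e !== self);
  if (toSend.length === 0) {
    // Distinct message for the case the review flags: only the caller's own address was sent.
    return { ok: false, toSend: [], error: "You cannot invite your own email address" };
  }
  return { ok: true, toSend };
}

// Constructed sample input: the caller's own address, a valid friend, and junk.
const sampleResult = checkInvites(
  [" Me@Example.com ", "friend@example.org", "not-an-email"],
  "me@example.com"
);
console.log(sampleResult);
```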

@ralyodio closed this Jun 4, 2026