fix: resolve Prisma schema relations, DI issues, and add dev environment setup

[RedWoodOG]

Summary

Fixes several issues preventing the backend from starting in development mode:

1. Prisma schema — Added missing reverse relation fields (bots Bot[] on Workspace, botMessages BotMessage[] on Channel and ChatMessage) required for schema validation.

2. Type safety — Fixed BotHandlerType enum type mismatch in bots.service.ts (was passing raw string where Prisma expected the enum). Added definite assignment assertions (!) to DTO class properties for strictPropertyInitialization compatibility.

3. NestJS DI — Imported AuthModule into BotsModule and SearchModule so JwtAuthGuard can resolve its AuthService dependency.

4. Missing config — Added backend/config/projectTemplates.json seed file required by TemplateService at boot.

5. Developer experience — Added AGENTS.md with cloud-specific dev instructions and lockfiles for deterministic installs.

Testing

• Backend starts successfully with npm run start:dev
• Health endpoint responds: GET /api/v1/health → { ok: true }
• Full flow validated: register user → create workspace → send message
• TypeScript compilation: tsc --noEmit passes clean
• Bot SDK builds: npm run build succeeds

health_check.log

_{To show artifacts inline, enable in settings.}

  

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• New Features

  • Added project template options for Kanban, Storyboard, and Sprint with preconfigured default settings and board layouts.

• Documentation

  • Added local development setup guide with configuration instructions and common troubleshooting notes.

Walkthrough

The PR adds bot command handler type safety via the BotHandlerType enum from Prisma, updates DTOs and service methods to use strict typing, integrates authentication modules into bot and search services, and provides developer setup documentation with project template configuration.

Changes

Bot Infrastructure Setup

Layer / File(s)	Summary
Bot Command Handler Type Safety backend/src/bots/dto/bot.dto.ts, backend/src/bots/bots.service.ts	BotHandlerType enum imported from Prisma; CreateCommandDto and UpdateCommandDto now validate handlerType fields using @IsEnum(BotHandlerType) instead of @IsString; addCommand and updateCommand methods typed to accept BotHandlerType with WebSocket as default fallback when omitted.
Module Authentication Integration backend/src/bots/bots.module.ts, backend/src/search/search.module.ts	AuthModule imported and added to the imports array of both BotsModule and SearchModule to enable authentication support.
Developer Setup & Configuration AGENTS.md, backend/config/projectTemplates.json	AGENTS.md introduces local development instructions covering service startup, prerequisites, and backend gotchas. projectTemplates.json defines three templates—kanban, storyboard, and sprint—with tools, default boards, and default settings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rabbit hops through code with glee,
Types now safe as they can be,
Auth modules bound with perfect care,
Templates set, docs laid bare! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: fixing Prisma schema relations, dependency injection issues, and adding developer environment setup documentation.
Description check	✅ Passed	The description is directly related to the changeset, detailing five specific fixes and their purposes with testing evidence provided.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/dev-environment-setup-cab2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Around line 24-29: Add a blank line immediately before the fenced code block
that contains "sudo pg_ctlcluster 16 main start" and declare a language on the
other fenced block (the block that contains "Email: dev@flowspace.app /
Password: TestPass123!") — e.g., change its opening fence to "```text" or
"```bash" — to satisfy MD031 and MD040; ensure both fenced blocks remain
properly opened/closed and retain their original contents.

In `@backend/src/bots/bots.service.ts`:
- Line 193: The code casts the incoming handlerType string to BotHandlerType in
bots.service.ts (handlerType: (data.handlerType as BotHandlerType) ||
BotHandlerType.WEBSOCKET) without runtime validation, causing DB constraint
errors for invalid values; update the DTOs to validate against the enum by
adding a validation rule on CreateCommandDto.handlerType (and similarly on
UpdateCommandDto.handlerType) using the project’s validation decorator (e.g.,
`@IsEnum`(BotHandlerType) or equivalent) and ensure the field is
optional/defaulted to BotHandlerType.WEBSOCKET so only valid enum values reach
the service layer.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5cec409d-4451-480a-981f-e7260e3e9e46

📥 Commits

Reviewing files that changed from the base of the PR and between 5d67013 and 046d945.

⛔ Files ignored due to path filters (2)

• backend/package-lock.json is excluded by !**/package-lock.json
• bot-sdk/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (7)

• AGENTS.md
• backend/config/projectTemplates.json
• backend/prisma/schema.prisma
• backend/src/bots/bots.module.ts
• backend/src/bots/bots.service.ts
• backend/src/bots/dto/bot.dto.ts
• backend/src/search/search.module.ts

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

backend/src/bots/bots.service.ts (1)

245-260: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove as any cast from handlerType—the parameter is already properly typed.

The data parameter is typed as { description?: string; enabled?: boolean; handlerType?: BotHandlerType; handlerUrl?: string }, so handlerType is already BotHandlerType | undefined. Casting it to any defeats type safety. The suggested fix to pass data directly is safe and correct.

Suggested fix

     return this.prisma.botCommand.update({
       where: { id: commandId },
-      data: { ...data, handlerType: data.handlerType as any },
+      data,
     });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/src/bots/bots.service.ts` around lines 245 - 260, The update method
currently casts data.handlerType to any when calling prisma.botCommand.update;
remove the "as any" cast and pass the incoming data object directly (i.e., use
data rather than { ...data, handlerType: data.handlerType as any }) so the
parameter's declared type ({ description?: string; enabled?: boolean;
handlerType?: BotHandlerType; handlerUrl?: string }) is preserved; update the
call in the function that calls requireAdmin and requireBotOwnership and returns
prisma.botCommand.update to use data as-is.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@backend/src/bots/bots.service.ts`:
- Around line 245-260: The update method currently casts data.handlerType to any
when calling prisma.botCommand.update; remove the "as any" cast and pass the
incoming data object directly (i.e., use data rather than { ...data,
handlerType: data.handlerType as any }) so the parameter's declared type ({
description?: string; enabled?: boolean; handlerType?: BotHandlerType;
handlerUrl?: string }) is preserved; update the call in the function that calls
requireAdmin and requireBotOwnership and returns prisma.botCommand.update to use
data as-is.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f7e47872-34a7-4ac0-8584-3b781b8252bb

📥 Commits

Reviewing files that changed from the base of the PR and between 046d945 and 8b5229e.

📒 Files selected for processing (3)

• AGENTS.md
• backend/src/bots/bots.service.ts
• backend/src/bots/dto/bot.dto.ts

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Hardcoded credentials committed to source control
  • Removed plaintext database and test-account passwords from AGENTS.md and replaced them with DATABASE_URL/.env guidance and the register endpoint for local sign-in.

Or push these changes by commenting:

@cursor push 3dfb35b2b1

Preview (3dfb35b2b1)

diff --git a/AGENTS.md b/AGENTS.md
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -18,7 +18,7 @@
 
 ### Prerequisites (must be running before backend starts)
 
-- **PostgreSQL** on `localhost:5432` — database `flowspace`, user `flowspace`/`flowspace`
+- **PostgreSQL** on `localhost:5432` — use `DATABASE_URL` in `backend/.env` (see `backend/env.development` for a Docker-oriented template; set your own credentials for local installs)
 - **Redis** on `localhost:6379` — used for Socket.IO horizontal scaling; backend gracefully falls back to in-memory adapter if unavailable
 
 Start services:
@@ -46,13 +46,8 @@
 
 ### Test Account (local dev)
 
-```text
-Email: dev@flowspace.app
-Password: TestPass123!
-```
+Register a user via `POST /api/v1/auth/register` with `{ email, password, name }`, then use that email and password to sign in.
 
-Or register via `POST /api/v1/auth/register` with `{ email, password, name }`.
-
 ### Flutter Client
 
 The Flutter client (`client_flutter/`) targets desktop (Windows primary) and mobile. It requires the Flutter SDK and cannot be run in headless Cloud Agent environments. Focus backend development on the NestJS API server.

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit 8b5229e. Configure here.}

[cursor]

Hardcoded credentials committed to source control

Medium Severity

Plaintext credentials (database password flowspace/flowspace and test account TestPass123!) are committed directly into AGENTS.md. Even though these are labeled as local dev credentials, committing passwords to version control makes them permanently discoverable in git history. If these credentials are reused in any shared or deployed environment, they become an exploitable vulnerability. Credentials belong in .env files excluded by .gitignore, not in tracked documentation.

Additional Locations (1)

• AGENTS.md#L20-L21

 

^{Reviewed by Cursor Bugbot for commit 8b5229e. Configure here.}