feat(security): enforce auth and Zod validation in Server Actions (#802)

[sasasamaes]

Summary

Server Actions ("use server") are exposed as public HTTP endpoints, so each one must verify its caller and validate inputs even after middleware has run. This PR introduces a shared auth/validation layer and applies it to every action under apps/web/app/actions/.

Closes #802

Changes

New shared helpers

• apps/web/lib/auth/server-action-auth.ts — requireAuthenticatedSession, requireAdminSession, validateInput (Zod), enforceRateLimit, ServerActionError and a toServerActionFailure helper that produces a structured { success: false, error, code, details } response.
• apps/web/lib/schemas/server-actions.schemas.ts — strict Zod schemas for every action input (UUIDs, emails, escrow status enum, Stellar shapes, foundation payload, etc).

Action-by-action fixes

• apps/web/app/actions/auth.ts
  • Fixed unawaited validateCsrfToken calls (the previous if (!promise) always evaluated to false, silently disabling CSRF protection).
  • Validate signUpAction, requestResetAccountAction, resetPasswordAction, createSessionAction and updateDeviceWithDeployee inputs with Zod.
  • resetPasswordAction now requires an authenticated session (recovery link establishes one) before accepting a new password.
  • updateDeviceWithDeployee now derives userId from the authenticated session instead of trusting client-supplied JSON.
  • All escrow admin actions (updateEscrowStatusAction, updateEscrowMilestoneAction, updateEscrowFinancialsAction, getEscrowRecordsAction, insertTestEscrowRecordAction) now require an admin session.
  • insertTestEscrowRecordAction is hard-disabled in NODE_ENV === 'production'.
  • Added rate limiting for sign-up, password reset, session creation and updateDeviceWithDeployee.
• apps/web/app/actions/foundations/create-foundation.ts — require auth, Zod-validate input, rate-limit, structured audit logs.
• apps/web/app/actions/escrow/save-escrow-contract.ts — require auth, Zod-validate input, rate-limit, structured audit logs alongside the existing ownership/admin authorization check.

Test plan

• bun run biome check on changed files
• tsc --noEmit — no new errors introduced (pre-existing errors in unrelated files remain)
• bun test test/api-helpers.test.ts — passes
• bun test test/rate-limit-middleware.test.ts — passes
• Smoke test sign-up / password reset flows
• Verify escrow admin pages still load for admin users and 403 for non-admins
• Verify foundation creation still works for authenticated users

Summary by CodeRabbit

• New Features

  • Centralized server-action auth and schema-based input validation across auth, escrow, device, and foundation flows.
  • Admin-only protections for escrow management; session-required device and password reset flows.
  • Per-identifier/action rate limiting applied widely.

• Bug Fixes

  • Consistent structured failure responses and standardized error handling/logging.
  • Disabled test-only escrow insertion in production and tightened validation to prevent invalid payloads.

[vercel]

@sasasamaes is attempting to deploy a commit to the kindfi Team on Vercel.

A member of the Team first needs to authorize it.

[drips-wave]

@sasasamaes Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[coderabbitai]

Warning

Rate limit exceeded

@Bran18 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 54 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6b1ca32c-7d8c-42ab-9e65-64bd7f563c7c

📥 Commits

Reviewing files that changed from the base of the PR and between d1b0229 and d8044f4.

📒 Files selected for processing (3)

• apps/web/app/api/nfts/mint/route.ts
• apps/web/components/sections/projects/manage/escrow/hooks/use-wallet-sync.ts
• apps/web/lib/auth/rate-limiter.ts

Walkthrough

Centralized server-action auth, validation, and rate-limiting utilities were added and applied across multiple server actions. Actions (auth, escrow, foundation, device) now enforce session/admin checks, validate inputs with Zod schemas, apply per-identifier rate limits, and return standardized ServerActionFailure responses and structured logs.

Changes

Cohort / File(s)	Summary
Auth Infrastructure apps/web/lib/auth/server-action-auth.ts	New utilities and types: ServerActionError/codes, ServerActionFailure, getAuthenticatedSession, requireAuthenticatedSession, requireAdminSession, validateInput, enforceRateLimit, toServerActionFailure. Centralizes auth, validation, rate-limiting, and error mapping.
Schemas apps/web/lib/schemas/server-actions.schemas.ts	New Zod schemas/types for escrow status, escrow updates, device payloads, signup/reset/reset-password (with confirm refinement), create-session, save-escrow-contract (with Stellar address checks and milestone/amount refinements), and create-foundation constraints; exports stellarAddressSchema.
Auth Actions apps/web/app/actions/auth.ts	Sign-up, session creation, reset flows refactored: schema validation, async CSRF where needed, per-identifier rate limiting, structured failure returns, signature change for createSessionAction(input), admin-only wrappers for escrow admin actions, removal of console warnings.
Escrow Contract Save apps/web/app/actions/escrow/save-escrow-contract.ts	Now uses requireAuthenticatedSession, validates saveEscrowContractInputSchema via validateInput, enforces per-user rate limit, uses validated fields for DB ops, computes totals from validated milestones/amount/receiver, standardizes failures and replaces console logs with Logger.
Escrow Admin Actions apps/web/app/actions/auth.ts (escrow admin portions)	Admin-only enforcement via requireAdminSession, input schemas applied for status/milestone/financial updates, validated values used for DB and logging, insertTestEscrowRecordAction disabled in production.
Foundation Creation apps/web/app/actions/foundations/create-foundation.ts	Replaced manual session checks with requireAuthenticatedSession, input validated by createFoundationInputSchema, per-user rate limiting, and structured Logger usage.
Device Update apps/web/app/actions/.../updateDeviceWithDeployee.ts	Now requires authenticated session, parses/validates JSON via updateDeviceWithDeployeeInputSchema, enforces rate limit by user id, returns standardized unauthorized/invalid-payload failures.
Rate Limiter apps/web/lib/auth/rate-limiter.ts	Increment now returns error: AuthErrorType.SERVER_ERROR when Redis is unavailable or errors occur; Redis error logging formatting adjusted.
Observability & Logging multiple files	Replaced ad-hoc console.* logs with structured Logger calls and standardized failure mapping via toServerActionFailure.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ServerAction as Server Action
    participant Auth as Auth Handler
    participant Validator as Input Validator
    participant RateLimit as Rate Limiter
    participant DB as Database
    participant Logger

    Client->>ServerAction: Invoke action with payload
    ServerAction->>Auth: requireAuthenticatedSession / requireAdminSession
    Auth-->>ServerAction: Session or throw UNAUTHORIZED/FORBIDDEN
    alt Auth OK
        ServerAction->>Validator: validateInput(schema, payload)
        Validator-->>ServerAction: validated input or throw VALIDATION_ERROR
        alt Valid Input
            ServerAction->>RateLimit: enforceRateLimit(identifier, action)
            RateLimit-->>ServerAction: allow or throw RATE_LIMITED
            alt Allowed
                ServerAction->>DB: perform DB operation using validated data
                DB-->>ServerAction: result
                ServerAction->>Logger: info(success)
                ServerAction-->>Client: success response
            else Rate Limited
                ServerAction->>Logger: warn(rate limited)
                ServerAction-->>Client: { success: false, code: "RATE_LIMITED" }
            end
        else Invalid
            ServerAction->>Logger: warn(validation failed)
            ServerAction-->>Client: { success: false, code: "VALIDATION_ERROR", details }
        end
    else Auth Failed
        ServerAction->>Logger: warn(unauthorized/forbidden)
        ServerAction-->>Client: { success: false, code: "UNAUTHORIZED"|"FORBIDDEN" }
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat: nft and quest performance #821 — Edits the same apps/web/lib/auth/rate-limiter.ts; related changes to Redis/error handling and increment return shape.

Suggested labels

difficulty: hard

Suggested reviewers

• AndlerRL
• Bran18

Poem

Bright schemas line the gateway, checks keep mischief out,
Sessions guard the passages, and rate limits hum about.
Errors now wear uniforms, logs sing clear and smart,
Centralized guardrails steady every server part.
Cheers to safer actions and tidier art!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 26.09% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main changes: introducing centralized auth enforcement and Zod validation across Server Actions with a focus on security improvements.
Linked Issues check	✅ Passed	All coding objectives from issue #802 are comprehensively addressed: authentication checks added to all actions, authorization enforced (admin/user-based), Zod input validation implemented, rate limiting added to sensitive operations, and structured logging integrated.
Out of Scope Changes check	✅ Passed	All changes directly support the security hardening objectives. Rate limiter error handling improvements and schema definitions are necessary foundational changes supporting the auth/validation implementation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

apps/web/app/actions/auth.ts (1)

713-829: ⚠️ Potential issue | 🟠 Major

Consider rate-limiting updateDeviceWithDeployee before the DB lookup/update.

The auth and validation improvements are solid here. This path still lacks throttling, though, so an authenticated caller can hammer credential lookups and repeated device writes. Adding enforceRateLimit(session.user.id, 'update_device_with_deployee') before the query would keep this sensitive action aligned with the rest of the PR’s protections.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/app/actions/auth.ts` around lines 713 - 829, Before performing the
DB lookup/update in updateDeviceWithDeployee, call
enforceRateLimit(session.user.id, 'update_device_with_deployee') to throttle
callers; place this immediately after you extract userId (const userId =
session.user.id) and before the db.select(...) block, catch any error thrown by
enforceRateLimit and return a structured failure (success: false, appropriate
message/error) consistent with other early returns so rate-limit rejections are
surfaced to callers and no DB work is performed for throttled requests.

apps/web/app/actions/escrow/save-escrow-contract.ts (1)

162-239: ⚠️ Potential issue | 🟠 Major

Consider making the contribution/escrow/link writes atomic.

We could enhance this by wrapping these dependent writes in a transaction or a single database function. Right now, if contributions succeeds but escrow_contracts or project_escrows fails, the action returns an error after partially mutating state, leaving orphaned records behind.

Based on learnings, "In KindFi's project-escrow system, there is a strict 1:1 relationship enforced between projects and escrows. Each project must have exactly one escrow, and each escrow can belong to only one project."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/app/actions/escrow/save-escrow-contract.ts` around lines 162 - 239,
The three dependent writes (insert into contributions, upsert into
escrow_contracts, upsert into project_escrows) must be executed atomically to
avoid orphaned records; change the implementation so the logic in
save-escrow-contract.ts (the contributions insert, escrow_contracts upsert, and
project_escrows upsert) is performed inside a single DB transaction or a single
Postgres stored procedure and invoked via supabase.rpc instead of separate
supabase.from calls. Concretely: implement a Postgres function (e.g.,
create_or_update_project_escrow(contributor_id, project_id, contract_id,
payer_address, receiver_address, amount, platform_fee, engagement_id)) that
inserts the contribution, upserts the escrow_contracts row, and upserts
project_escrows with proper 1:1 constraints, then replace the three separate
calls (the block using supabase.from('contributions').insert(...), the upsert on
escrow_contracts, and the upsert on project_escrows) with a single supabase.rpc
call to that function and handle errors from the RPC call accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/web/app/actions/auth.ts`:
- Around line 297-302: The current try block always redirects to a success URL
even though no reset logic runs; update the auth reset handler so it either
performs the real reset flow before calling redirect or returns an explicit "not
implemented" error/status instead of success. Specifically, implement or call
the actual reset-account routine (the function that sends the confirmation email
/ creates a reset token) and only invoke redirect('/reset-account?success=...')
when that routine succeeds, otherwise throw or return a clear error/redirect
like '/reset-account?error=not_available' and remove the premature success
redirect; look for the try block and the redirect call in this file to locate
where to add the reset logic or the not-implemented response.

In `@apps/web/app/actions/escrow/save-escrow-contract.ts`:
- Around line 125-147: Remove the fabricated fallbacks in save-escrow-contract
(the computed engagementId, totalAmount, payerAddress, receiverAddress and
platformFee) and instead validate that validated.escrowData and its required
properties (engagementId or projectId present, non-empty milestones or amount,
roles with payer/approver, receiver on milestones or top-level receiver, and
platformFee presence) are present before persisting; if any required fields are
missing, reject the request by returning/throwing a validation error (use the
existing validation response pattern in this action) rather than generating
defaults like `project-${projectId}`, amount `1`, or the dummy G000... address.
Ensure you update the code paths that currently rely on engagementId,
totalAmount, payerAddress, receiverAddress, and platformFee to only run after
these explicit validations pass.

In `@apps/web/lib/auth/server-action-auth.ts`:
- Around line 117-142: The current enforceRateLimit helper swallows rate limiter
errors and keeps actions runnable (fail-open); change it to fail-closed outside
development by detecting the runtime environment (e.g., NODE_ENV or an existing
isDev/isLocal flag) and, when rateLimiter.increment throws and the environment
is not local/dev, rethrow or throw a ServerActionError (e.g., 'Rate limiter
unavailable' with a distinct code like 'RATE_LIMITER_UNAVAILABLE') instead of
silently continuing; keep the existing logger.warn for observability but ensure
enforceRateLimit rethrows in production so abuse protection remains enforced.

In `@apps/web/lib/schemas/server-actions.schemas.ts`:
- Around line 25-29: The schema updateEscrowFinancialsInputSchema allows
released to exceed funded; add a cross-field refinement (using
z.object().superRefine or .refine on the object) to validate that released <=
funded and return a clear error message (attach the error to the released field
via ctx.addIssue in superRefine if possible) so invalid combos are rejected
before DB writes.
- Around line 67-88: The role and receiver address fields currently accept any
non-empty string; update the schemas to use the centralized stellarAddressSchema
instead of z.string().min(1) where appropriate: replace roles.approver,
roles.serviceProvider, roles.disputeResolver, roles.platformAddress,
roles.releaseSigner, escrowDataSchema's receiver, and escrowMilestoneSchema's
receiver with stellarAddressSchema, and keep existing numeric/optional
constraints (e.g., milestones array, amount) intact so validation enforces
proper Stellar account format across escrowDataSchema and escrowMilestoneSchema.

---

Outside diff comments:
In `@apps/web/app/actions/auth.ts`:
- Around line 713-829: Before performing the DB lookup/update in
updateDeviceWithDeployee, call enforceRateLimit(session.user.id,
'update_device_with_deployee') to throttle callers; place this immediately after
you extract userId (const userId = session.user.id) and before the
db.select(...) block, catch any error thrown by enforceRateLimit and return a
structured failure (success: false, appropriate message/error) consistent with
other early returns so rate-limit rejections are surfaced to callers and no DB
work is performed for throttled requests.

In `@apps/web/app/actions/escrow/save-escrow-contract.ts`:
- Around line 162-239: The three dependent writes (insert into contributions,
upsert into escrow_contracts, upsert into project_escrows) must be executed
atomically to avoid orphaned records; change the implementation so the logic in
save-escrow-contract.ts (the contributions insert, escrow_contracts upsert, and
project_escrows upsert) is performed inside a single DB transaction or a single
Postgres stored procedure and invoked via supabase.rpc instead of separate
supabase.from calls. Concretely: implement a Postgres function (e.g.,
create_or_update_project_escrow(contributor_id, project_id, contract_id,
payer_address, receiver_address, amount, platform_fee, engagement_id)) that
inserts the contribution, upserts the escrow_contracts row, and upserts
project_escrows with proper 1:1 constraints, then replace the three separate
calls (the block using supabase.from('contributions').insert(...), the upsert on
escrow_contracts, and the upsert on project_escrows) with a single supabase.rpc
call to that function and handle errors from the RPC call accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 762af42e-a4ad-425a-a6bb-e304a3b8ee26

📥 Commits

Reviewing files that changed from the base of the PR and between d15bdce and 29db1d5.

📒 Files selected for processing (5)

• apps/web/app/actions/auth.ts
• apps/web/app/actions/escrow/save-escrow-contract.ts
• apps/web/app/actions/foundations/create-foundation.ts
• apps/web/lib/auth/server-action-auth.ts
• apps/web/lib/schemas/server-actions.schemas.ts

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/web/app/actions/escrow/save-escrow-contract.ts (1)

16-65: 🧹 Nitpick | 🔵 Trivial

Drop the duplicated top-level engagementId and prefer z.infer over as SaveEscrowContractParams.

The interface and validation flow look clean overall. Two small polish opportunities:

• The top-level engagementId?: string (line 19) is unused — line 126 reads escrowData.engagementId. The mirror in saveEscrowContractInputSchema (engagementId: z.string().min(1).optional()) is similarly unread. Removing both keeps the contract honest.
• validated = validateInput(...) as SaveEscrowContractParams on line 61 throws away the precise Zod-inferred shape (e.g. the escrowMilestoneSchema element types). We could enhance type safety by deriving the type from the schema instead.

♻️ Proposed refactor

-import { saveEscrowContractInputSchema } from '~/lib/schemas/server-actions.schemas'
+import {
+	saveEscrowContractInputSchema,
+	type SaveEscrowContractInput,
+} from '~/lib/schemas/server-actions.schemas'
@@
-interface SaveEscrowContractParams {
-	projectId: string
-	contractId: string
-	engagementId?: string
-	escrowData: {
-		…
-	}
-}
+type SaveEscrowContractParams = SaveEscrowContractInput
@@
-	let validated: SaveEscrowContractParams
-	try {
-		validated = validateInput(
-			saveEscrowContractInputSchema,
-			params,
-			'saveEscrowContractAction',
-		) as SaveEscrowContractParams
+	let validated: SaveEscrowContractParams
+	try {
+		validated = validateInput(
+			saveEscrowContractInputSchema,
+			params,
+			'saveEscrowContractAction',
+		)

…with a matching export on the schema module:

 export const saveEscrowContractInputSchema = z.object({ … })
+export type SaveEscrowContractInput = z.infer<typeof saveEscrowContractInputSchema>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/app/actions/escrow/save-escrow-contract.ts` around lines 16 - 65,
Remove the duplicated top-level engagementId from the SaveEscrowContractParams
interface and from the corresponding validation schema (so only
escrowData.engagementId is used/read), then improve typing by deriving the
validated variable from the Zod schema instead of using a blind cast: replace
the "as SaveEscrowContractParams" cast in saveEscrowContractAction with a
z.infer<typeof saveEscrowContractInputSchema>-based type (export that inferred
type from the schema module if necessary) so types like the
escrowMilestoneSchema element types are preserved; ensure validateInput(...)
still uses saveEscrowContractInputSchema and that references like
escrowData.engagementId remain unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/web/app/actions/auth.ts`:
- Around line 700-742: The function updateDeviceWithDeployee is missing a
rate-limit check; after obtaining the authenticated userId (const userId =
session.user.id) add an enforceRateLimit call using the same pattern/signature
used elsewhere in this file (e.g., enforceRateLimit('updateDeviceWithDeployee',
userId, ...)) immediately before side-effectful work so this per-user action is
throttled; locate requireAuthenticatedSession and
updateDeviceWithDeployeeInputSchema/validateInput to mirror where other handlers
call enforceRateLimit and pass the same parameters/limits they use.

In `@apps/web/app/actions/escrow/save-escrow-contract.ts`:
- Around line 125-153: Update the payer/receiver mapping and multi-receiver
milestone handling: change the payerAddress assignment in
save-escrow-contract.ts from escrowData.roles.serviceProvider to
escrowData.roles.approver (or add an explicit comment if keeping current
mapping) so the funder is used as the payer, and stop collapsing milestone
receivers into milestones[0].receiver — either tighten the Zod schema to require
a single shared receiver across all milestones or modify the persistence logic
to store per-milestone receiver fields (update totalAmount calculation to sum
milestone.amounts and preserve each milestone.receiver when writing to
Supabase); also add validation to reject payloads that violate the chosen
constraint so malformed inputs are not silently accepted.

In `@apps/web/lib/auth/server-action-auth.ts`:
- Around line 119-152: The rate-limit handler currently assumes
rateLimiter.increment() will throw on Redis failure, but increment() actually
returns { isBlocked: false, attemptsRemaining, error } on failure, so the outer
catch is unreachable; update enforceRateLimit(identifier, action) to examine the
returned result.error and, if result.error is set, log
SERVER_ACTION_RATE_LIMIT_UNAVAILABLE with the error and—when
NODE_ENV==='production'—throw a new ServerActionError('Service temporarily
unavailable. Please try again later.','RATE_LIMITED'); similarly update other
callers (confirm route, nfts/mint route, quests/progress route) that only check
result.isBlocked to also check result.error and enforce the same production
fail-closed behavior.
- Around line 96-110: Replace the deprecated Zod error formatting by calling
z.treeifyError on the Zod error instead of result.error.format(); specifically,
in the validation block around schema.safeParse(input) where you currently log
and throw using result.error.format(), import or reference z from 'zod' and use
z.treeifyError(result.error) for both the logger.details and the
ServerActionError payload (i.e., replace result.error.format() with
z.treeifyError(result.error) in the logger.warn call and in the new
ServerActionError invocation so the code uses the Zod 4 structured-error API).

---

Outside diff comments:
In `@apps/web/app/actions/escrow/save-escrow-contract.ts`:
- Around line 16-65: Remove the duplicated top-level engagementId from the
SaveEscrowContractParams interface and from the corresponding validation schema
(so only escrowData.engagementId is used/read), then improve typing by deriving
the validated variable from the Zod schema instead of using a blind cast:
replace the "as SaveEscrowContractParams" cast in saveEscrowContractAction with
a z.infer<typeof saveEscrowContractInputSchema>-based type (export that inferred
type from the schema module if necessary) so types like the
escrowMilestoneSchema element types are preserved; ensure validateInput(...)
still uses saveEscrowContractInputSchema and that references like
escrowData.engagementId remain unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b4d0fa50-1590-4288-ac26-d7ecae477de5

📥 Commits

Reviewing files that changed from the base of the PR and between 29db1d5 and 37b14f2.

📒 Files selected for processing (4)

• apps/web/app/actions/auth.ts
• apps/web/app/actions/escrow/save-escrow-contract.ts
• apps/web/lib/auth/server-action-auth.ts
• apps/web/lib/schemas/server-actions.schemas.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) Look for the call-site definition of the escrow payload to see how
#    serviceProvider is treated relative to payerAddress historically.
rg -nP --type=ts -C3 '\bpayer_address\b|\bpayerAddress\b'
echo '---'
# 2) Confirm whether multi-receiver milestone payloads exist in the codebase
#    or are only single-receiver.
rg -nP --type=ts -C2 '\bmilestones\s*[:=]\s*\['

Repository: kindfi-org/kindfi

Length of output: 7607

---

🏁 Script executed:

# First, let's understand the escrowData structure and roles
rg -nP --type=ts 'roles\s*[:=]|serviceProvider|platformAddress|approver' apps/web/app/actions/escrow/save-escrow-contract.ts -B2 -A2

echo "---"

# Look at the escrowData type definition
fd -e ts -path '*/types/*' | xargs grep -l 'escrowData\|SaveEscrowContractParams' | head -5

echo "---"

# Check escrow input schema to understand roles structure
rg -nP --type=ts 'roles.*schema|rolesSchema' -A10

echo "---"

# Look for actual milestone payloads with different receivers
rg -nP --type=ts 'receiver.*milestone|milestone.*receiver' -B3 -A3 | head -40

Repository: kindfi-org/kindfi

Length of output: 5058

---

🏁 Script executed:

# Look at the engagement context to understand who initiates/funds the escrow
rg -nP --type=ts 'engagementId|engagement' apps/web/app/actions/escrow/save-escrow-contract.ts -B3 -A3 | head -50

echo "---"

# Check how serviceProvider and approver are used in the roles
rg -nP --type=ts 'approver|releaseSigner|platformAddress' apps/web/app/actions/escrow/save-escrow-contract.ts -B2 -A2

echo "---"

# Look for any tests or documentation about payer expectations
fd -e ts -e md | xargs grep -l 'payer.*semantic\|payer.*fund\|serviceProvider.*payer' 2>/dev/null | head -5

echo "---"

# Check if there are any multi-milestone test fixtures with different receivers
rg -nP 'milestones.*\[' -A20 apps/web/lib/mock-data/ --type=ts | grep -A20 'receiver'

Repository: kindfi-org/kindfi

Length of output: 986

---

🏁 Script executed:

# Look at how the roles object is created/populated - where does it come from?
rg -nP --type=ts 'roles\s*:\s*\{|roles\.serviceProvider|roles\.approver' -B5 -A5 | head -80

echo "---"

# Search for any comments or documentation about role semantics
rg -nP --type=ts 'approver.*fund|payer.*approver|serviceProvider.*fund|serviceProvider.*receive' -B2 -A2

echo "---"

# Look at the engagement or project context to see who is the "payer"
fd -e ts -path '*/types/*' -name '*engagement*' -o -name '*project*' | head -10

echo "---"

# Check if there's any role validation or assignment logic
rg -nP --type=ts 'serviceProvider\s*=' -B5 -A5 | head -60

Repository: kindfi-org/kindfi

Length of output: 7132

---

🏁 Script executed:

# Look at the roles card component to see what approver does vs serviceProvider
cat apps/web/components/sections/projects/manage/escrow/components/roles-card.tsx | head -100

echo "---"

# Check if there's any documentation about engagement roles
fd -e md | xargs grep -l 'payer\|approver\|serviceProvider' 2>/dev/null | head -3

echo "---"

# Look at how Trustless Work API expects payer vs receiver
rg -nP 'InitializeSingleReleaseEscrowPayload|InitializeMultiReleaseEscrowPayload' -A30 | head -80

Repository: kindfi-org/kindfi

Length of output: 9855

---

🏁 Script executed:

# Search for the Trustless Work escrow types to understand the expected payer role
fd -type f -name "*.ts" -path "*node_modules/@trustless-work*" 2>/dev/null | head -3

echo "---"

# Look for any code that calls fundEscrow or payment logic
rg -n 'fundEscrow|releaseFunds|payment' --type=ts -B3 -A3 | head -60

echo "---"

# Check for multi-milestone test cases or examples
rg -n 'milestones.*\[.*\{.*receiver' --type=ts -A5 -B5 | head -80

Repository: kindfi-org/kindfi

Length of output: 4601

---

🏁 Script executed:

# Look for who actually funds/pays into the escrow
rg -n 'approver.*fund|approver.*payer|fundEscrow.*approver' --type=ts -B5 -A5

echo "---"

# Check if there are any examples in docs or tests about escrow flow
fd -e md -o -e test.ts | xargs grep -l 'escrow\|payer\|approver' 2>/dev/null | head -5

echo "---"

# Look at the actual escrow save function to see all roles being used
sed -n '16,220p' apps/web/app/actions/escrow/save-escrow-contract.ts

Repository: kindfi-org/kindfi

Length of output: 5496

---

🏁 Script executed:

# Look at how engagement or projects define who pays vs receives
rg -n 'approver.*=' apps/web/components/sections/projects/manage/escrow/hooks/use-escrow-transaction.ts -B5 -A5 | head -60

echo "---"

# Check if approver is the one who funds/initiates the escrow
rg -n 'formData\.approver' apps/web/components/sections/projects/manage/escrow/ --type=ts -B3 -A3 | head -40

echo "---"

# Look for any TODO or FIXME comments about payer/receiver mapping
rg -n 'TODO|FIXME|BUG' apps/web/app/actions/escrow/save-escrow-contract.ts --type=ts

Repository: kindfi-org/kindfi

Length of output: 3777

---

🏁 Script executed:

# Look at who initiates/signs the escrow transaction
rg -n 'signer|initiator' apps/web/components/sections/projects/manage/escrow/hooks/use-escrow-transaction.ts -B2 -A2 | head -40

echo "---"

# Check if approver is typically the one who funds in Stellar escrow patterns
rg -n 'approver' apps/web/lib/ --type=ts -B3 -A3 | head -60

echo "---"

# Look at the contribution table to see who is tracked
rg -n 'contributor_id' services/supabase/src/database.schemas.ts -B3 -A3

Repository: kindfi-org/kindfi

Length of output: 5685

---

🏁 Script executed:

# Check the validator more carefully - what does it actually validate?
cat apps/web/lib/validators/escrow.ts | sed -n '40,60p'

echo "---"

# Let's trace what approver is supposed to be - check form context
rg -n 'approver' apps/web/components/sections/projects/manage/escrow/context/escrow-form-context.tsx -B3 -A3

echo "---"

# Confirm: in the actual escrow payload to Trustless Work, what role does the signer have?
rg -n 'signer.*=' apps/web/components/sections/projects/manage/escrow/hooks/use-escrow-transaction.ts -B1 -A1 | head -30

Repository: kindfi-org/kindfi

Length of output: 1032

---

Verify the payer/receiver role mapping and handle multi-receiver milestones.

Two issues worth addressing before merge:

1. Payer semantics. Line 127 sets payerAddress = escrowData.roles.serviceProvider, but the role descriptions indicate the approver is the entity "requiring the service" (typically the funder), while the service provider delivers work and should receive payment. Consider whether payer should be escrowData.roles.approver instead, or add a clarifying comment if this mapping is intentional.

2. Multi-receiver milestones. Line 135 collapses all milestone receivers to milestones[0].receiver, discarding others. The Zod schema allows each milestone to have its own receiver, so an escrow with two different recipient addresses will silently store only the first. Either refine the schema to require all milestones share a single receiver, or extend the database to persist per-milestone receivers.

Both pass through silently rather than being rejected, so a malformed payload still reaches Supabase.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/app/actions/escrow/save-escrow-contract.ts` around lines 125 - 153,
Update the payer/receiver mapping and multi-receiver milestone handling: change
the payerAddress assignment in save-escrow-contract.ts from
escrowData.roles.serviceProvider to escrowData.roles.approver (or add an
explicit comment if keeping current mapping) so the funder is used as the payer,
and stop collapsing milestone receivers into milestones[0].receiver — either
tighten the Zod schema to require a single shared receiver across all milestones
or modify the persistence logic to store per-milestone receiver fields (update
totalAmount calculation to sum milestone.amounts and preserve each
milestone.receiver when writing to Supabase); also add validation to reject
payloads that violate the chosen constraint so malformed inputs are not silently
accepted.

[sasasamaes]

Fixed in d1b0229.

1. Payer mapping: changed payerAddress from escrowData.roles.serviceProvider to escrowData.roles.approver. The UI tooltips confirm the role semantics — the approver is "the entity requiring the service" (funder), and the service provider "delivers the work" (recipient). Added a clarifying comment alongside the assignment.

2. Multi-receiver milestones: tightened escrowDataSchema with a refinement that rejects payloads where milestones have differing receiver addresses. Since the DB schema stores a single receiver_address per escrow, accepting multi-receiver payloads would silently drop data. The action keeps reading milestones[0].receiver, which is now safe by schema invariant — and a clarifying comment marks the assumption.

[coderabbitai]

@sasasamaes, both fixes look excellent — thank you for the thorough follow-through!

1. Payer mapping — Using escrowData.roles.approver is semantically correct and the clarifying comment makes the intent explicit for future maintainers. We could further enhance this by referencing the UI tooltip language directly in the comment (e.g., "approver = entity requiring the service / funder"), but the current state is already clear.

2. Multi-receiver milestones — Enforcing single-receiver invariant at the schema layer is the right approach here. The milestones[0].receiver read is now provably safe, and the comment documenting the invariant dependency is a nice touch. This is a clean solution that keeps the persistence logic simple while preventing silent data loss.

---

🧠 Learnings used

Learnt from: AndlerRL
Repo: kindfi-org/kindfi PR: 128
File: apps/web/lib/types/project.types.ts:10-24
Timestamp: 2025-02-08T07:43:42.433Z
Learning: Escrow-related functionality in the project requires coordination between project table and escrow tables in Supabase for proper relationship management.

---

Learnt from: AndlerRL
Repo: kindfi-org/kindfi PR: 0
File: :0-0
Timestamp: 2025-01-28T10:05:16.931Z
Learning: The escrow system in this project follows a specific structure where:
1. API routes are placed in `apps/web/app/(api-routes)/escrow/`
2. Shared types and validators are in `lib/types` and `lib/validators`
3. The system uses Supabase for contract tracking
4. TL API integration is handled through the lib folder

---

Learnt from: AndlerRL
Repo: kindfi-org/kindfi PR: 0
File: :0-0
Timestamp: 2025-08-20T08:33:37.533Z
Learning: The Trustless Work API multi-release escrow creation requires a two-step process: 1) Create a canonical transaction hash that commits to all escrow parameters (engagementId, milestones, platformFee, etc.), 2) Use that transaction hash to generate the unsigned transaction XDR from the API. The transaction hash creation step cannot be skipped as it's fundamental to how Trustless Work API works.

---

Learnt from: AndlerRL
Repo: kindfi-org/kindfi PR: 0
File: :0-0
Timestamp: 2025-08-20T07:36:51.166Z
Learning: Issues `#691`, `#690`, `#692` cover milestone approval and admin controls. Issues `#688`, `#689` cover admin KYC dashboard. Issues `#679`, `#678` cover project management UI. These should be referenced to avoid duplication in future escrow-related issues.

---

Learnt from: AndlerRL
Repo: kindfi-org/kindfi PR: 498
File: apps/web/app/api/escrow/dispute/route.ts:145-150
Timestamp: 2025-05-02T07:27:25.203Z
Learning: In the escrow dispute system, once a milestone enters the disputed state, tracking shifts from the milestone level to the escrow level. The milestone "freezes" until the dispute is resolved, making milestone status update error checking less critical in this specific context.

---

Learnt from: CR
Repo: kindfi-org/kindfi PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-12-04T22:00:57.967Z
Learning: Applies to **/*.{ts,tsx} : Use `next-safe-action` for secure server actions

---

Learnt from: CR
Repo: kindfi-org/kindfi PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-12-04T22:00:57.967Z
Learning: Applies to **/*.{ts,tsx} : Validate all incoming API requests for security compliance

---

Learnt from: AndlerRL
Repo: kindfi-org/kindfi PR: 531
File: services/supabase/config.toml:13-15
Timestamp: 2025-08-12T09:51:45.176Z
Learning: In this Kindfi codebase, the next_auth schema is temporarily exposed through PostgREST API endpoints due to application code dependencies, but this creates a security risk that needs to be addressed by refactoring to use service-role credentials instead of direct REST API access to authentication tables.

---

Learnt from: AndlerRL
Repo: kindfi-org/kindfi PR: 0
File: :0-0
Timestamp: 2025-05-07T07:41:45.584Z
Learning: The Q&A feature implemented in PR `#504` requires improved Row Level Security (RLS) policies to properly handle user roles and permissions after the NextAuth providers implementation is completed.

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/web/lib/auth/server-action-auth.ts (1)

40-203: ⚠️ Potential issue | 🟠 Major

Adopt next-safe-action for secure server actions per coding guidelines, and avoid logging sensitive identifiers.

This file implements a custom server action framework with manual composition of auth, validation, rate limiting, and failure handling. The coding guidelines explicitly require next-safe-action for **/*.{ts,tsx} files to provide standardized security guardrails. Consider migrating these helpers into a next-safe-action client so new server actions inherit consistent protections without wrapper overhead.

Additionally, enforceRateLimit logs raw identifier values at lines 128 and 139 in production. Since callers pass email addresses (e.g., email.toLowerCase() in auth.ts for sign_up and request_reset_account), this exposes PII in rate-limit logs. Sanitize identifiers before logging (hash or truncate) or use non-sensitive tokens instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/lib/auth/server-action-auth.ts` around lines 40 - 203, This file
re-implements server-action guards instead of using next-safe-action and logs
raw identifiers (PII) in enforceRateLimit; refactor by migrating
auth/validation/rate-limit helpers (requireAuthenticatedSession,
requireAdminSession, validateInput, enforceRateLimit, toServerActionFailure)
into a next-safe-action client so server actions use the standardized
guardchain, and change enforceRateLimit to never log raw identifier values
(replace with a one-way hash, truncated token, or redacted value before
including in logger.warn payloads) and remove identifier from any production
logs; ensure any references to identifier in SERVER_ACTION_RATE_LIMITED and
SERVER_ACTION_RATE_LIMIT_UNAVAILABLE use the sanitized value.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/web/app/actions/auth.ts`:
- Around line 198-202: The auth logging currently emits raw emails (e.g.,
logger.info calls that include eventType 'SESSION_CREATED' and validated.email);
replace those occurrences (including the other similar blocks around the noted
ranges) so logs no longer contain plain PII: remove validated.email from the
payload and instead log either validated.userId plus a redactedEmail or a
one‑way hash of validated.email (use a shared helper like maskEmail or
hashEmail/sha256 utility) so the logger.info payload contains eventType, userId,
and redactedEmail/hash rather than the raw email.
- Around line 400-405: The admin escrow mutators (e.g.,
updateEscrowStatusAction) perform sensitive writes but lack rate limiting; add a
call to enforceRateLimit(...) immediately after await requireAdminSession('...')
and before any state-changing work to prevent hammering (use a unique action key
such as 'update-escrow-status' and include the admin/session identifier and
sensible limits), and repeat the same pattern for the other escrow mutator
functions in this file; also import enforceRateLimit where needed.

In `@apps/web/lib/auth/server-action-auth.ts`:
- Around line 123-145: The logger.warn calls that log raw rate-limit keys should
not include the plain identifier; update the blocks that handle result.isBlocked
and result.error (the logger.warn invocations near the ServerActionError and
SERVER_ACTION_RATE_LIMIT_UNAVAILABLE handling) to log a redacted or
action-scoped hash of identifier instead of the raw value (e.g., compute a
deterministic HMAC/SHA256 or mask local parts and use that value in the log
entry under the same field name), ensuring the same redaction/hashing function
is used in both places so logs remain linkable without exposing emails.

In `@apps/web/lib/schemas/server-actions.schemas.ts`:
- Around line 19-23: The schema updateEscrowMilestoneInputSchema allows
completed to exceed current; add a cross-field refinement on the z.object to
reject impossible progress by checking that completed <= current (and optionally
completed >= 0 is already enforced), and return a clear error message (e.g.,
"completed cannot exceed current") targeting the completed field; implement this
using zod's .refine on updateEscrowMilestoneInputSchema with a predicate (obj =>
obj.completed <= obj.current) and a params object specifying the message and
path to 'completed'.
- Around line 95-103: The current .refine allows both modes simultaneously;
change the predicate so modes are mutually exclusive by accepting either
(milestones present and amount/receiver absent) OR (amount and receiver present
and milestones absent). Update the error message to reflect exclusivity. Locate
the .refine call in the schema and the related saveEscrowContractAction to
ensure the validation blocks payloads that include both milestones and
single-release fields.
- Around line 36-39: The updateDeviceWithDeployeeInputSchema currently allows
any non-empty string for aaguid; change the aaguid validator in
updateDeviceWithDeployeeInputSchema to enforce a UUID (e.g., use
z.string().uuid(<optional message>)) so malformed authenticator metadata cannot
be accepted; keep credentialId as-is and ensure the zod import is used for the
new uuid check.

---

Outside diff comments:
In `@apps/web/lib/auth/server-action-auth.ts`:
- Around line 40-203: This file re-implements server-action guards instead of
using next-safe-action and logs raw identifiers (PII) in enforceRateLimit;
refactor by migrating auth/validation/rate-limit helpers
(requireAuthenticatedSession, requireAdminSession, validateInput,
enforceRateLimit, toServerActionFailure) into a next-safe-action client so
server actions use the standardized guardchain, and change enforceRateLimit to
never log raw identifier values (replace with a one-way hash, truncated token,
or redacted value before including in logger.warn payloads) and remove
identifier from any production logs; ensure any references to identifier in
SERVER_ACTION_RATE_LIMITED and SERVER_ACTION_RATE_LIMIT_UNAVAILABLE use the
sanitized value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d6ff32b2-f451-48a0-9cc7-aabe4a12f17d

📥 Commits

Reviewing files that changed from the base of the PR and between 37b14f2 and d1b0229.

📒 Files selected for processing (5)

• apps/web/app/actions/auth.ts
• apps/web/app/actions/escrow/save-escrow-contract.ts
• apps/web/lib/auth/rate-limiter.ts
• apps/web/lib/auth/server-action-auth.ts
• apps/web/lib/schemas/server-actions.schemas.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Drop raw emails from auth logs.

These events now emit email directly. That creates avoidable PII retention in auth/audit logs; consider logging userId, a redacted address, or a one-way hash instead.

Also applies to: 211-216, 298-300

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/app/actions/auth.ts` around lines 198 - 202, The auth logging
currently emits raw emails (e.g., logger.info calls that include eventType
'SESSION_CREATED' and validated.email); replace those occurrences (including the
other similar blocks around the noted ranges) so logs no longer contain plain
PII: remove validated.email from the payload and instead log either
validated.userId plus a redactedEmail or a one‑way hash of validated.email (use
a shared helper like maskEmail or hashEmail/sha256 utility) so the logger.info
payload contains eventType, userId, and redactedEmail/hash rather than the raw
email.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Consider throttling the admin escrow mutators too.

These three writes now have auth and validation, but they still update escrow_status without enforceRateLimit(...). A compromised admin session or accidental client loop can hammer sensitive state changes with no back-pressure.

Also applies to: 468-470, 540-541

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/app/actions/auth.ts` around lines 400 - 405, The admin escrow
mutators (e.g., updateEscrowStatusAction) perform sensitive writes but lack rate
limiting; add a call to enforceRateLimit(...) immediately after await
requireAdminSession('...') and before any state-changing work to prevent
hammering (use a unique action key such as 'update-escrow-status' and include
the admin/session identifier and sensible limits), and repeat the same pattern
for the other escrow mutator functions in this file; also import
enforceRateLimit where needed.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid logging raw rate-limit identifiers.

Some callers key the limiter with lowercased emails, so these warnings will store raw email addresses whenever the limiter trips or Redis is unavailable. Consider logging a redacted value or an action-scoped hash instead of identifier.

Also applies to: 160-164

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/lib/auth/server-action-auth.ts` around lines 123 - 145, The
logger.warn calls that log raw rate-limit keys should not include the plain
identifier; update the blocks that handle result.isBlocked and result.error (the
logger.warn invocations near the ServerActionError and
SERVER_ACTION_RATE_LIMIT_UNAVAILABLE handling) to log a redacted or
action-scoped hash of identifier instead of the raw value (e.g., compute a
deterministic HMAC/SHA256 or mask local parts and use that value in the log
entry under the same field name), ensuring the same redaction/hashing function
is used in both places so logs remain linkable without exposing emails.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Reject impossible milestone progress.

Consider adding a cross-field refinement here as well. Right now completed can exceed current, so the admin update path can persist milestone state that can never be true.

Proposed fix

-export const updateEscrowMilestoneInputSchema = z.object({
-	id: z.string().uuid('Invalid escrow record id'),
-	current: z.number().int().min(0),
-	completed: z.number().int().min(0),
-})
+export const updateEscrowMilestoneInputSchema = z
+	.object({
+		id: z.string().uuid('Invalid escrow record id'),
+		current: z.number().int().min(0),
+		completed: z.number().int().min(0),
+	})
+	.refine((data) => data.completed <= data.current, {
+		message: 'Completed milestones cannot exceed the current milestone',
+		path: ['completed'],
+	})

As per coding guidelines, "Validate all incoming API requests for security compliance".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/lib/schemas/server-actions.schemas.ts` around lines 19 - 23, The
schema updateEscrowMilestoneInputSchema allows completed to exceed current; add
a cross-field refinement on the z.object to reject impossible progress by
checking that completed <= current (and optionally completed >= 0 is already
enforced), and return a clear error message (e.g., "completed cannot exceed
current") targeting the completed field; implement this using zod's .refine on
updateEscrowMilestoneInputSchema with a predicate (obj => obj.completed <=
obj.current) and a params object specifying the message and path to 'completed'.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Validate aaguid as a UUID.

We could enhance this by tightening aaguid beyond min(1). Accepting any non-empty string here makes it easy to persist malformed authenticator metadata.

Proposed fix

 export const updateDeviceWithDeployeeInputSchema = z.object({
 	credentialId: z.string().min(1, 'credentialId is required'),
-	aaguid: z.string().min(1, 'aaguid is required'),
+	aaguid: z.string().uuid('Invalid aaguid'),
 })

As per coding guidelines, "Validate all incoming API requests for security compliance".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/lib/schemas/server-actions.schemas.ts` around lines 36 - 39, The
updateDeviceWithDeployeeInputSchema currently allows any non-empty string for
aaguid; change the aaguid validator in updateDeviceWithDeployeeInputSchema to
enforce a UUID (e.g., use z.string().uuid(<optional message>)) so malformed
authenticator metadata cannot be accepted; keep credentialId as-is and ensure
the zod import is used for the new uuid check.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Make escrow payload modes mutually exclusive.

The current refinement only checks that at least one shape is present. A payload with both milestones and amount/receiver still passes, and saveEscrowContractAction then silently prefers milestones and ignores the single-release fields.

Proposed fix

 	.refine(
-		(data) =>
-			(data.milestones && data.milestones.length > 0) ||
-			(data.amount !== undefined && data.receiver !== undefined),
+		(data) => {
+			const hasMilestones = !!data.milestones?.length
+			const hasSingleRelease =
+				data.amount !== undefined && data.receiver !== undefined
+			return hasMilestones !== hasSingleRelease
+		},
 		{
 			message:
-				'Either milestones or single-release amount/receiver must be provided',
+				'Provide either milestones or single-release amount/receiver, but not both',
 		},
 	)

As per coding guidelines, "Validate all incoming API requests for security compliance".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/web/lib/schemas/server-actions.schemas.ts` around lines 95 - 103, The
current .refine allows both modes simultaneously; change the predicate so modes
are mutually exclusive by accepting either (milestones present and
amount/receiver absent) OR (amount and receiver present and milestones absent).
Update the error message to reflect exclusivity. Locate the .refine call in the
schema and the related saveEscrowContractAction to ensure the validation blocks
payloads that include both milestones and single-release fields.