Feat/one2b action items trpc

[Prajjawalk]

Description

Summary

Two new tRPC procedures on actionRouter for the upcoming one2b
agent integration. Foundational work — both procedures are dormant
until the companion mastra PR's gated agent calls them.

What this adds

actionRouter.bulkCreateFromTranscript (mutation)

Bulk-creates Action rows from a list of items extracted by the agent
from a meeting transcript.

• Verifies caller's workspace membership and that the transcription
  session belongs to the same workspace
• For each item, applies a 3-tier assignee resolution so the agent
  doesn't have to know whether the assignee has an exponential account:
  1. Email matches a workspace User → ActionAssignee
  2. Email matches an existing TranscriptionSessionParticipant for
     this meeting → ActionParticipantAssignee
  3. Email is unknown → auto-create a Participant + ActionParticipantAssignee
• Stamps each action with sourceType='meeting', sourceId=transcriptionSessionId,
  source='agent-transcript', lastUpdatedBy='AGENT' for downstream
  audit / discovery
• Maps agent priority (HIGH/MEDIUM/LOW) → exponential's
  ("1st Priority"/"Quick"/"5th Priority")
• Per-item try/catch so a single bad item doesn't abort the batch;
  failures returned in skipped with a reason

actionRouter.findBySource (query)

Workspace-scoped lookup by sourceType + optional sourceId. Optional
assigneeEmail filter resolves through both the User-backed
ActionAssignee path and the Participant-backed
ActionParticipantAssignee path so callers don't need to know which
assignment kind was used.

Helper — findUserByEmailInWorkspace

Added to src/server/services/access/resolvers/workspaceResolver.ts.
Looks up a User by email and verifies workspace membership in one call.
Reusable for any future agent integration that resolves humans by email.

Updated — actionRouter.update

Added optional lastUpdatedBy (enum: AGENT/USER_EMAIL/USER_WHATSAPP/USER_UI)
and lastUpdatedSource (string) inputs so agents can stamp source
attribution on updates the same way bulkCreateFromTranscript does on
creates.

Test infra

• 6 integration tests for bulkCreateFromTranscript covering each
  assignee path, batch resilience, and authorization
• 5 integration tests for findBySource covering filtering and auth
• truncateAllTables now clears TranscriptionSession,
  TranscriptionSessionParticipant, ActionParticipantAssignee

Internal — query include shape

bulkCreateFromTranscript and findBySource both include: { participant: true }
on participantAssignees so callers get participant name/email rendered
without a follow-up query.

Why this is safe to merge

These procedures have no callers in the existing codebase. The mastra
side that consumes them is gated behind MASTRA_ONE2B_AGENTS_ENABLED
(off by default) so even after both PRs merge, nothing exercises this
path until cutover. See mastra/docs/one2b-cutover.md
for the full sequence.

Test plan

• Lint + typecheck pass (npm run check)
• New integration tests pass (npm run test:integration)
• No existing routers / Prisma calls regressed
• Manual sanity: in Prisma Studio, manually invoke
  bulkCreateFromTranscript against a real workspace + transcript;
  confirm Action rows + ActionAssignee/ActionParticipantAssignee
  rows created as expected

Companion PR

Mastra: https://github.com/positonic/mastra/pull/new/feat/one2b-action-items-agent

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Performance improvement
• Code refactoring

Database Changes

• This PR includes database schema changes (migrations)
• NO database changes in this PR

If migrations are included:

• Migration name(s):
• Schema changes:
• Coordinated with team: Yes/No

Testing

• Tested locally
• Tested in preview deployment
• Added/updated tests
• All tests passing

Checklist

• My code follows the project's style guidelines
• I have performed a self-review of my own code
• I have commented my code in hard-to-understand areas
• My changes generate no new warnings
• Database migrations tested on test database
• Coordinated with team on any migration conflicts

Deployment Notes

Any special deployment considerations?

Related Issues

Closes #

Summary by CodeRabbit

• New Features

  • Bulk-create actions from transcripts with per-item isolation and automatic assignee resolution
  • Find/discover actions by source type/ID, with optional assignee and status filtering
  • Action updates now accept optional attribution fields

• Tests

  • New unit/integration suites covering bulk-create and find-by-source flows; added mock caller helpers and isolated DB-free tests

• Chores

  • Stricter test database safety and truncation; added a test mocking dependency; expanded testing documentation

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
exponential	Ready	Preview, Comment	May 4, 2026 11:23am

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds two action router procedures (bulkCreateFromTranscript, findBySource), extends action.update input with optional attribution fields, adds a workspace-user-by-email resolver, introduces unit tests for the new endpoints with a Prisma mock, tightens test DB safety and truncation, adds a mock caller helper, updates docs, and adds a dev dependency.

Action Router & Test infra

Layer / File(s)	Summary
Data Shape & Imports src/server/api/routers/action.ts	Add Prisma type import and import findUserByEmailInWorkspace for typed includes and assignee resolution.
Workspace User Resolver src/server/services/access/resolvers/workspaceResolver.ts	Add findUserByEmailInWorkspace(email, workspaceId) returning { id, email, name } when a user exists and is a workspace member, else null.
Attribution Fields src/server/api/routers/action.ts	Extend actionRouter.update input schema with optional `lastUpdatedBy?: "AGENT"
Core Endpoints src/server/api/routers/action.ts	Add bulkCreateFromTranscript: validates workspace/transcript/project scope; creates one action per transcript item with per-item error isolation; resolves assignees by workspace user email → existing participant → create participant; returns { created, skipped }. Add findBySource: validates workspace, builds Prisma where filter for workspaceId, sourceType, optional sourceId, optional status, optional assigneeEmail (workspace user vs participant email), returns actions with includes and take limit.
Test Caller & Mocking src/test/trpc-helpers.ts, src/server/api/routers/__tests__/action.test.ts	Add createMockCaller({ userId, db, ... }) for unit tests against a deep Prisma mock; new unit tests for bulkCreateFromTranscript and findBySource using vitest-mock-extended and extensive module mocks.
Integration Tests Cleanup src/server/api/routers/__tests__/action.integration.test.ts	Removed the "restricted projects" integration test block (file now ends earlier).
Test DB Safety & Truncation src/test/test-db.ts	startTestDatabase() now requires DATABASE_URL_TEST, blocks managed-host patterns, enforces local/test-name rules unless allowed; inserts __test_db_marker row. truncateAllTables() verifies marker, uses row-count heuristics to refuse likely-prod DBs, discovers public tables, and issues deletes within a single transaction with session_replication_role = 'replica'.
Docs / Guidance CLAUDE.md	Clarify unit vs integration caller helpers, mandate CI-only integration tests/Testcontainers, and document test DB safety requirements.
Dev Dependency package.json	Add vitest-mock-extended to devDependencies.

sequenceDiagram
    actor Agent
    participant Router as action.ts<br/>bulkCreateFromTranscript
    participant Workspace as workspaceResolver<br/>findUserByEmailInWorkspace
    participant DB as Prisma/Database

    Agent->>Router: bulkCreateFromTranscript(workspaceId, transcriptId, items)
    Router->>DB: Verify workspace membership & load transcript/project
    loop per transcript item
        Router->>Workspace: Resolve assignee by email
        Workspace->>DB: Query user by email and workspaceUser membership
        alt workspace user found
            Router->>DB: Create action + attach user assignee
        else workspace user not found
            Router->>DB: Query/create participant by email
            Router->>DB: Create action + attach participant assignee
        end
        alt success
            Router-->>Agent: add to created[]
        else failure
            Router-->>Agent: add to skipped[]
        end
    end
    Router-->>Agent: Return { created, skipped }

Loading

sequenceDiagram
    actor Client
    participant Router as action.ts<br/>findBySource
    participant Workspace as workspaceResolver<br/>findUserByEmailInWorkspace
    participant DB as Prisma/Database

    Client->>Router: findBySource(workspaceId, sourceType, [sourceId], [status], [assigneeEmail], [limit])
    Router->>DB: Verify workspace membership
    alt assigneeEmail provided
        Router->>Workspace: Resolve assignee by email
        Workspace->>DB: Query user & workspaceUser
        alt workspace user
            Router->>DB: Query actions filtered by user assignee + source + workspace
        else
            Router->>DB: Query actions filtered by participant email + source + workspace
        end
    else
        Router->>DB: Query actions filtered by source + workspace
    end
    DB-->>Router: Return actions (includes + ordered + limited)
    Router-->>Client: Return actions[]

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Feat/one2b agent schema #97: Introduced schema/migration changes (source/attribution fields and participant-assignee changes) that the new endpoints and tests rely on.

Poem

🐰 I hopped through transcripts, nibbling lines with glee,

Bulk-creating actions, one, two, three.
Assignees found or grown anew, neat and spry,
Actions by source now leap up high.
A rabbit’s cheer — clean DBs and passing CI!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Feat/one2b action items trpc' is partially related to the changeset but is overly broad and uses a feature branch naming convention rather than a clear summary of the main change.	Refine the title to clearly describe the main change, e.g., 'Add bulkCreateFromTranscript and findBySource procedures to actionRouter' or 'Add one2b agent integration tRPC procedures for action management'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The pull request description is comprehensive and covers the summary, feature details, test coverage, and deployment safety; however, several test checklist items remain unchecked and the deployment notes section is left blank.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/one2b-action-items-trpc

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/server/api/routers/action.ts`:
- Around line 2317-2329: The inline workspace membership check using
ctx.db.workspaceUser.findUnique (and throwing TRPCError) incorrectly excludes
team-based access; replace this manual check with the centralized access
resolver from src/server/services/access (e.g., call the workspace access
helper/resolver used elsewhere) so it considers both direct and team
memberships, remove the duplicate logic around workspaceUser.findUnique in the
action router, and ensure the resolver's boolean or thrown error is used
consistently (preserving the FORBIDDEN behavior) in the same locations where
ctx.db.workspaceUser.findUnique and TRPCError are currently referenced.
- Around line 2394-2469: Wrap the entire per-item write flow (the calls starting
with ctx.db.action.create and including findUserByEmailInWorkspace lookup,
ctx.db.actionAssignee.create, ctx.db.transcriptionSessionParticipant.create,
ctx.db.actionParticipantAssignee.create, and the final
ctx.db.action.findUniqueOrThrow hydration) in an item-scoped database
transaction so any failure rolls back the action row and related writes; use the
transaction API (e.g., ctx.db.$transaction or equivalent) to obtain a
transactional client (tx) and replace ctx.db calls inside the transaction with
tx, commit only on success, and only push the hydrated result into created after
the transaction completes, otherwise push the error into skipped.
- Around line 2293-2544: The router’s bulkCreateFromTranscript logic (including
assignee resolution, participant creation, provenance/source mapping and
per-item persistence) should be moved into a dedicated service (e.g.,
ActionService.bulkCreateFromTranscript) and the router should delegate to that
service; implement a service function that accepts the ctx (or db + session),
input (transcriptionSessionId, workspaceId, projectId, items) and returns
{created, skipped}, encapsulating the current logic around mapPriority,
findUserByEmailInWorkspace lookups, transcriptionSessionParticipant.create,
action.create, actionAssignee.create, actionParticipantAssignee.create, and the
includeShape hydration; also extract the source/query construction used in
findBySource into a service helper (e.g., ActionService.buildSourceQuery) so
findBySource delegates to it and only handles input validation and membership
checks; ensure the router still verifies workspace membership (as currently
done) and pass necessary context into the new service functions to preserve
transactions/partial failures and result shapes.
- Around line 2515-2527: When input.assigneeEmail is present, include both
assignee paths instead of choosing one: call
findUserByEmailInWorkspace(input.assigneeEmail, input.workspaceId) to get the
workspace user (if any) and then build the query so it matches either
ActionAssignee (where.assignees.some.userId === user.id) OR participantAssignees
(where.participantAssignees.some.participant.email === input.assigneeEmail); if
no workspace user exists still include the participantAssignees condition. Use
an OR clause on the where object (combining the assignees condition and the
participantAssignees condition) so both paths are searched when
input.assigneeEmail is provided.

In `@src/server/services/access/resolvers/workspaceResolver.ts`:
- Around line 93-117: The current findUserByEmailInWorkspace only checks
db.workspaceUser and so misses users who access the workspace via team
membership; update findUserByEmailInWorkspace to treat team-based access as
valid by calling or reusing the existing getWorkspaceMembership(user.id,
workspaceId) (from the same file) instead of only checking
db.workspaceUser.findUnique with userId_workspaceId; if getWorkspaceMembership
returns a membership, return the user object as before, otherwise return null.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a057f101-a72d-44c8-8b71-f9d904bd5d2b

📥 Commits

Reviewing files that changed from the base of the PR and between d395d59 and ec08114.

📒 Files selected for processing (4)

• src/server/api/routers/__tests__/action.integration.test.ts
• src/server/api/routers/action.ts
• src/server/services/access/resolvers/workspaceResolver.ts
• src/test/test-db.ts

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major | 🏗️ Heavy lift

Move this transcript-assignment flow into a service.

The router now owns assignee resolution, participant creation, provenance mapping, and source-query construction. Pulling that workflow into a service would make the access rules reusable, make the per-item transaction easier to implement cleanly, and keep the tRPC layer focused on input/output concerns.

As per coding guidelines, "All API logic must use tRPC for end-to-end type safety. Implement business logic in the services layer, not in routers."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/api/routers/action.ts` around lines 2293 - 2544, The router’s
bulkCreateFromTranscript logic (including assignee resolution, participant
creation, provenance/source mapping and per-item persistence) should be moved
into a dedicated service (e.g., ActionService.bulkCreateFromTranscript) and the
router should delegate to that service; implement a service function that
accepts the ctx (or db + session), input (transcriptionSessionId, workspaceId,
projectId, items) and returns {created, skipped}, encapsulating the current
logic around mapPriority, findUserByEmailInWorkspace lookups,
transcriptionSessionParticipant.create, action.create, actionAssignee.create,
actionParticipantAssignee.create, and the includeShape hydration; also extract
the source/query construction used in findBySource into a service helper (e.g.,
ActionService.buildSourceQuery) so findBySource delegates to it and only handles
input validation and membership checks; ensure the router still verifies
workspace membership (as currently done) and pass necessary context into the new
service functions to preserve transactions/partial failures and result shapes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make each transcript item atomic.

If anything fails after action.create() succeeds—participant creation, assignee linking, or the hydration read—the item is pushed into skipped even though the action row has already been persisted. That leaves partially applied data behind and makes the created/skipped result inaccurate. Please wrap the per-item write path in an item-scoped transaction.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/api/routers/action.ts` around lines 2394 - 2469, Wrap the entire
per-item write flow (the calls starting with ctx.db.action.create and including
findUserByEmailInWorkspace lookup, ctx.db.actionAssignee.create,
ctx.db.transcriptionSessionParticipant.create,
ctx.db.actionParticipantAssignee.create, and the final
ctx.db.action.findUniqueOrThrow hydration) in an item-scoped database
transaction so any failure rolls back the action row and related writes; use the
transaction API (e.g., ctx.db.$transaction or equivalent) to obtain a
transactional client (tx) and replace ctx.db calls inside the transaction with
tx, commit only on success, and only push the hydrated result into created after
the transaction completes, otherwise push the error into skipped.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Search both assignee paths for the same email.

Right now this picks ActionAssignee when the email belongs to a workspace user and skips the participantAssignees path entirely. That means participant-backed actions disappear whenever the same email also exists on a workspace user, which is the overlap this API needs to handle.

Suggested fix

       if (input.assigneeEmail) {
         const user = await findUserByEmailInWorkspace(
           input.assigneeEmail,
           input.workspaceId,
         );
-        if (user) {
-          where.assignees = { some: { userId: user.id } };
-        } else {
-          where.participantAssignees = {
-            some: { participant: { email: input.assigneeEmail } },
-          };
-        }
+        where.OR = [
+          ...(user ? [{ assignees: { some: { userId: user.id } } }] : []),
+          {
+            participantAssignees: {
+              some: { participant: { email: input.assigneeEmail } },
+            },
+          },
+        ];
       }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (input.assigneeEmail) {
	const user = await findUserByEmailInWorkspace(
	input.assigneeEmail,
	input.workspaceId,
	);
	if (user) {
	where.assignees = { some: { userId: user.id } };
	} else {
	where.participantAssignees = {
	some: { participant: { email: input.assigneeEmail } },
	};
	}
	}
	if (input.assigneeEmail) {
	const user = await findUserByEmailInWorkspace(
	input.assigneeEmail,
	input.workspaceId,
	);
	where.OR = [
	...(user ? [{ assignees: { some: { userId: user.id } } }] : []),
	{
	participantAssignees: {
	some: { participant: { email: input.assigneeEmail } },
	},
	},
	];
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/api/routers/action.ts` around lines 2515 - 2527, When
input.assigneeEmail is present, include both assignee paths instead of choosing
one: call findUserByEmailInWorkspace(input.assigneeEmail, input.workspaceId) to
get the workspace user (if any) and then build the query so it matches either
ActionAssignee (where.assignees.some.userId === user.id) OR participantAssignees
(where.participantAssignees.some.participant.email === input.assigneeEmail); if
no workspace user exists still include the participantAssignees condition. Use
an OR clause on the where object (combining the assignees condition and the
participantAssignees condition) so both paths are searched when
input.assigneeEmail is provided.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Honor team-based workspace access in this email lookup.

This helper only checks WorkspaceUser, but getWorkspaceMembership() in the same file treats team membership as a valid workspace access path too. A user who only reaches the workspace through a team will resolve as null here, so transcript assignee resolution and findBySource({ assigneeEmail }) can miss legitimate users.

Suggested fix

 export async function findUserByEmailInWorkspace(
   email: string,
   workspaceId: string,
 ): Promise<{ id: string; email: string; name: string | null } | null> {
   const user = await db.user.findUnique({
     where: { email },
     select: { id: true, email: true, name: true },
   });

   if (!user?.email) {
     return null;
   }

-  const membership = await db.workspaceUser.findUnique({
-    where: {
-      userId_workspaceId: { userId: user.id, workspaceId },
-    },
-    select: { userId: true },
-  });
+  const membership = await getWorkspaceMembership(db, user.id, workspaceId);

   if (!membership) {
     return null;
   }

   return { id: user.id, email: user.email, name: user.name };
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/services/access/resolvers/workspaceResolver.ts` around lines 93 -
117, The current findUserByEmailInWorkspace only checks db.workspaceUser and so
misses users who access the workspace via team membership; update
findUserByEmailInWorkspace to treat team-based access as valid by calling or
reusing the existing getWorkspaceMembership(user.id, workspaceId) (from the same
file) instead of only checking db.workspaceUser.findUnique with
userId_workspaceId; if getWorkspaceMembership returns a membership, return the
user object as before, otherwise return null.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

src/server/api/routers/__tests__/action.integration.test.ts (1)

543-901: ⚡ Quick win

Add one regression test for action.update attribution.

This PR also extends action.update with lastUpdatedBy / lastUpdatedSource, but the new coverage only exercises the two new agent procedures. A small integration test here would keep that new attribution path from landing unverified.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/api/routers/__tests__/action.integration.test.ts` around lines 543
- 901, Add an integration test that verifies action.update sets the new
attribution fields: create a user and workspace, create an action via
db.action.create, call caller.action.update (using createTestCaller) to change
the action, then load the action (via db.action.findUnique or the update result)
and assert lastUpdatedBy and lastUpdatedSource match the expected values (e.g.,
"AGENT" and the agent source constant); reference functions/classes:
action.update procedure, createTestCaller, db.action.create,
db.action.findUnique to locate where to add the test.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/server/api/routers/__tests__/action.integration.test.ts`:
- Around line 671-706: Update the two tests that currently use
.rejects.toThrow(TRPCError) (the "rejects unauthorized workspace" and "rejects
mismatched transcript workspace" cases and the similar assertions around lines
888-899) to assert the specific tRPC error code instead of any TRPCError; after
calling createTestCaller(...).action.bulkCreateFromTranscript(...), use
.rejects.toMatchObject({ code: "FORBIDDEN" }) (or the appropriate code your
server sends) so the test verifies access-control failure precisely rather than
any server error; update both test cases to expect the exact error code.

In `@src/test/test-db.ts`:
- Around line 26-31: The current guard allows non-loopback DB URLs if the
database name contains "test"; instead require explicit opt-in via
ALLOW_NON_LOCAL_TEST_DB=1 for any non-loopback host. Update the host-check logic
in src/test/test-db.ts (the function/area that decides allowed DBs — look for
the code handling "localhost / 127.0.0.1 / ::1", "host.docker.internal", and the
database-name "test" check and the call site for truncateAllTables()) so that:
1) loopback hosts (localhost/127.0.0.1/::1) remain allowed; 2) any non-loopback
host (including host.docker.internal or hosts with DB names containing "test")
must only be allowed when process.env.ALLOW_NON_LOCAL_TEST_DB === "1"; and 3)
remove or disable the database-name contains "test" bypass; adjust error/log
message to clearly state the required ALLOW_NON_LOCAL_TEST_DB env var when
rejecting a non-loopback DB.
- Around line 118-120: The afterEach() cleanup must implement the documented
fallback when setting session_replication_role fails: wrap the current
transaction block that runs "SET LOCAL session_replication_role = 'replica'" and
the bulk truncate/delete in a try-catch inside afterEach(); on catching the
permission/privilege error from client.query (or the transaction helper used),
fall back to iterating the table list (the same tables array used in the
cleanup) and perform per-table DELETEs within individual statements, retrying
each DELETE when it fails with a foreign-key/constraint error until it succeeds
(or until a small retry limit is hit) so that dependent rows are removed in
successive passes; ensure you still run the same BEGIN/COMMIT/ROLLBACK around
the primary approach and only use the per-statement retry loop when the SET
LOCAL session_replication_role = 'replica' privilege is denied.

---

Nitpick comments:
In `@src/server/api/routers/__tests__/action.integration.test.ts`:
- Around line 543-901: Add an integration test that verifies action.update sets
the new attribution fields: create a user and workspace, create an action via
db.action.create, call caller.action.update (using createTestCaller) to change
the action, then load the action (via db.action.findUnique or the update result)
and assert lastUpdatedBy and lastUpdatedSource match the expected values (e.g.,
"AGENT" and the agent source constant); reference functions/classes:
action.update procedure, createTestCaller, db.action.create,
db.action.findUnique to locate where to add the test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e3a84fcb-162b-49c3-ae21-af2fe04075e1

📥 Commits

Reviewing files that changed from the base of the PR and between ec08114 and ffdbfb5.

📒 Files selected for processing (2)

• src/server/api/routers/__tests__/action.integration.test.ts
• src/test/test-db.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Assert the specific tRPC error codes here.

.rejects.toThrow(TRPCError) will pass for any server-side tRPC failure, including unrelated validation or NOT_FOUND paths. These tests are meant to pin access-control behavior, so they should verify the expected code too.

Also applies to: 888-899

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/server/api/routers/__tests__/action.integration.test.ts` around lines 671
- 706, Update the two tests that currently use .rejects.toThrow(TRPCError) (the
"rejects unauthorized workspace" and "rejects mismatched transcript workspace"
cases and the similar assertions around lines 888-899) to assert the specific
tRPC error code instead of any TRPCError; after calling
createTestCaller(...).action.bulkCreateFromTranscript(...), use
.rejects.toMatchObject({ code: "FORBIDDEN" }) (or the appropriate code your
server sends) so the test verifies access-control failure precisely rather than
any server error; update both test cases to expect the exact error code.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Require explicit opt-in for any non-loopback database.

Allowing a remote URL solely because the database name contains test still lets truncateAllTables() wipe shared QA/staging data. This guard only becomes reliable if non-local hosts always require ALLOW_NON_LOCAL_TEST_DB=1.

Safer guard

-    const dbNameLooksLikeTest = /test/i.test(dbName);
     const explicitOptIn = process.env.ALLOW_NON_LOCAL_TEST_DB === "1";

-    if (!isLocalhost && !dbNameLooksLikeTest && !explicitOptIn) {
+    if (!isLocalhost && !explicitOptIn) {

Also applies to: 40-52

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/test/test-db.ts` around lines 26 - 31, The current guard allows
non-loopback DB URLs if the database name contains "test"; instead require
explicit opt-in via ALLOW_NON_LOCAL_TEST_DB=1 for any non-loopback host. Update
the host-check logic in src/test/test-db.ts (the function/area that decides
allowed DBs — look for the code handling "localhost / 127.0.0.1 / ::1",
"host.docker.internal", and the database-name "test" check and the call site for
truncateAllTables()) so that: 1) loopback hosts (localhost/127.0.0.1/::1) remain
allowed; 2) any non-loopback host (including host.docker.internal or hosts with
DB names containing "test") must only be allowed when
process.env.ALLOW_NON_LOCAL_TEST_DB === "1"; and 3) remove or disable the
database-name contains "test" bypass; adjust error/log message to clearly state
the required ALLOW_NON_LOCAL_TEST_DB env var when rejecting a non-loopback DB.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In PostgreSQL 16, does SET LOCAL session_replication_role = 'replica' require superuser privileges, and what error should non-superusers expect?

💡 Result:

In PostgreSQL 16, SET LOCAL session_replication_role = 'replica' requires either superuser privileges or the appropriate SET privilege on the session_replication_role parameter, which can be granted via GRANT SET ON PARAMETER session_replication_role TO user;. Non-superusers without this privilege will receive the error: "permission denied to set parameter "session_replication_role"".

Citations:

• 1: http://www.postgresql.org/docs/16/runtime-config-client.html
• 2: https://postgresqlco.nf/doc/en/param/session_replication_role/
• 3: https://stackoverflow.com/questions/73195844/grant-privileges-to-set-session-replication-role
• 4: DriverException: set session_replication_role = 'replica'; - permission denied to set parameter "session_replication_role" mikro-orm/mikro-orm#1612
• 5: [v1.0.0b] - Postgresql backup restore fails when not user postgres superuser mealie-recipes/mealie#1500

---

🏁 Script executed:

fd -t f "test-db.ts" | head -5

Repository: positonic/exponential

Length of output: 85

---

🏁 Script executed:

cat -n src/test/test-db.ts | sed -n '100,170p'

Repository: positonic/exponential

Length of output: 3476

---

🏁 Script executed:

# Search for error handling around session_replication_role in the file
rg -n "session_replication_role|catch.*error" src/test/test-db.ts -A 2 -B 2

Repository: positonic/exponential

Length of output: 1193

---

🏁 Script executed:

# Check if deleteAllTablesWithFkAwareRetries function exists
rg -n "deleteAllTablesWithFkAwareRetries" src/test/test-db.ts

Repository: positonic/exponential

Length of output: 47

---

🏁 Script executed:

# Search entire codebase for deleteAllTablesWithFkAwareRetries
rg "deleteAllTablesWithFkAwareRetries" --type ts --type tsx

Repository: positonic/exponential

Length of output: 93

---

🏁 Script executed:

# Search for any error handling around session_replication_role in codebase
rg "session_replication_role" -A 5 -B 5

Repository: positonic/exponential

Length of output: 2891

---

🏁 Script executed:

# Check if there's any catch block related to FK or replication role elsewhere
rg "catch.*error|catch\s*\(" src/test/ --type ts --type tsx -B 2 -A 3

Repository: positonic/exponential

Length of output: 93

---

🏁 Script executed:

# Search for catch blocks in test-db.ts
rg "catch" src/test/test-db.ts -B 2 -A 3

Repository: positonic/exponential

Length of output: 47

---

🏁 Script executed:

# Get file type information
fd -t f "test-db.ts" -x file {}

Repository: positonic/exponential

Length of output: 101

---

🏁 Script executed:

# Check entire test directory for error handling patterns
rg "catch.*error" src/test/ -B 2 -A 3

Repository: positonic/exponential

Length of output: 47

---

🏁 Script executed:

# Read the full function to understand the complete picture
cat -n src/test/test-db.ts | sed -n '122,157p'

Repository: positonic/exponential

Length of output: 1732

---

🏁 Script executed:

# Check if there are any similar fallback/retry functions in the codebase
rg "retry|fallback|FK.*error" src/ -i

Repository: positonic/exponential

Length of output: 19510

---

Implement the documented fallback when session_replication_role cannot be set.

The docstring (lines 118-120) explicitly documents a fallback: "If that fails, fall back to a per-statement loop that retries until no FK errors remain." However, the implementation has no error handling for this scenario. On managed Postgres where non-superusers cannot execute SET LOCAL session_replication_role = 'replica', the entire afterEach() cleanup fails instead of falling back. Wrap the transaction in try-catch and handle the privilege error by falling back to individual deletes with retry logic:

Fallback sketch

-  await db.$transaction(statements, {
-    // Generous timeout for remote test DBs where ~150 round-trips can be slow.
-    timeout: 60_000,
-    maxWait: 10_000,
-  });
+  try {
+    await db.$transaction(statements, {
+      // Generous timeout for remote test DBs where ~150 round-trips can be slow.
+      timeout: 60_000,
+      maxWait: 10_000,
+    });
+  } catch (error) {
+    if (!isSessionReplicationRolePrivilegeError(error)) throw error;
+    await deleteAllTablesWithFkAwareRetries(db, quotedTables);
+  }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/test/test-db.ts` around lines 118 - 120, The afterEach() cleanup must
implement the documented fallback when setting session_replication_role fails:
wrap the current transaction block that runs "SET LOCAL session_replication_role
= 'replica'" and the bulk truncate/delete in a try-catch inside afterEach(); on
catching the permission/privilege error from client.query (or the transaction
helper used), fall back to iterating the table list (the same tables array used
in the cleanup) and perform per-table DELETEs within individual statements,
retrying each DELETE when it fails with a foreign-key/constraint error until it
succeeds (or until a small retry limit is hit) so that dependent rows are
removed in successive passes; ensure you still run the same
BEGIN/COMMIT/ROLLBACK around the primary approach and only use the per-statement
retry loop when the SET LOCAL session_replication_role = 'replica' privilege is
denied.

[coderabbitai]

♻️ Duplicate comments (2)

src/test/test-db.ts (2)

88-106: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Layer 2 guard still allows non-local DB if name contains "test".

The guard at lines 93-106 permits remote databases solely because the database name contains test. This still enables truncateAllTables() to wipe shared QA/staging data on managed hosts that passed the Layer 1 blocklist but have a database named something like myapp_test.

Consider requiring explicit opt-in (ALLOW_NON_LOCAL_TEST_DB=1) for any non-localhost host, removing the dbNameLooksLikeTest bypass:

Safer guard

-    const dbNameLooksLikeTest = /test/i.test(dbName);
     const explicitOptIn = process.env.ALLOW_NON_LOCAL_TEST_DB === "1";

-    if (!isLocalhost && !dbNameLooksLikeTest && !explicitOptIn) {
+    if (!isLocalhost && !explicitOptIn) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/test/test-db.ts` around lines 88 - 106, The current Layer 2 guard in
src/test/test-db.ts uses dbNameLooksLikeTest to allow non-local hosts if the DB
name contains "test"; change this logic so any non-localhost host requires
explicit opt-in via ALLOW_NON_LOCAL_TEST_DB (i.e., remove the
dbNameLooksLikeTest bypass) by updating the conditional that checks isLocalhost,
dbNameLooksLikeTest, and explicitOptIn: only allow non-local hosts when
explicitOptIn is true; keep the same sanitized existingUrl error message and
throw path (using existingUrl and sanitized) and ensure the behavior still
prevents truncateAllTables() from running against remote databases unless
explicitOptIn is set.

---

276-286: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Missing fallback when session_replication_role cannot be set.

The docstring (lines 182-184) documents a fallback strategy for when SET LOCAL session_replication_role = 'replica' fails due to insufficient privileges, but the implementation has no try-catch around the transaction. On managed Postgres where non-superusers lack this privilege, cleanup will fail entirely instead of falling back to FK-aware retries.

Fallback sketch

+  try {
     await db.$transaction(statements, {
       timeout: 60_000,
       maxWait: 10_000,
     });
+  } catch (error) {
+    // Check if this is a permission denied error for session_replication_role
+    const msg = error instanceof Error ? error.message : String(error);
+    if (msg.includes("session_replication_role") || msg.includes("permission denied")) {
+      // Fall back to individual deletes with FK-aware retry logic
+      await deleteWithFkRetries(db, quotedTables);
+    } else {
+      throw error;
+    }
+  }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/test/test-db.ts` around lines 276 - 286, The cleanup can fail on managed
Postgres because SET LOCAL session_replication_role = 'replica' may be
disallowed; wrap the db.$transaction call that executes the statements array
(which includes the SET LOCAL and the deletes) in a try/catch and implement the
documented fallback: if the transaction throws a permission error, skip the SET
LOCAL and attempt the deletes using the quotedTables list with FK-aware retries
(e.g., run each db.$executeRawUnsafe DELETE in sequence with retry/backoff
and/or dependency-aware order) instead of the single transaction; keep the same
timeout/maxWait semantics for the initial transaction attempt and ensure errors
from the fallback are surfaced if they also fail.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@src/test/test-db.ts`:
- Around line 88-106: The current Layer 2 guard in src/test/test-db.ts uses
dbNameLooksLikeTest to allow non-local hosts if the DB name contains "test";
change this logic so any non-localhost host requires explicit opt-in via
ALLOW_NON_LOCAL_TEST_DB (i.e., remove the dbNameLooksLikeTest bypass) by
updating the conditional that checks isLocalhost, dbNameLooksLikeTest, and
explicitOptIn: only allow non-local hosts when explicitOptIn is true; keep the
same sanitized existingUrl error message and throw path (using existingUrl and
sanitized) and ensure the behavior still prevents truncateAllTables() from
running against remote databases unless explicitOptIn is set.
- Around line 276-286: The cleanup can fail on managed Postgres because SET
LOCAL session_replication_role = 'replica' may be disallowed; wrap the
db.$transaction call that executes the statements array (which includes the SET
LOCAL and the deletes) in a try/catch and implement the documented fallback: if
the transaction throws a permission error, skip the SET LOCAL and attempt the
deletes using the quotedTables list with FK-aware retries (e.g., run each
db.$executeRawUnsafe DELETE in sequence with retry/backoff and/or
dependency-aware order) instead of the single transaction; keep the same
timeout/maxWait semantics for the initial transaction attempt and ensure errors
from the fallback are surfaced if they also fail.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ac9d72e1-a426-4ad0-a2a1-3dcb3c455b0f

📥 Commits

Reviewing files that changed from the base of the PR and between ffdbfb5 and 1ef23e9.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (7)

• CLAUDE.md
• package.json
• src/server/api/routers/__tests__/action.integration.test.ts
• src/server/api/routers/__tests__/action.test.ts
• src/server/api/routers/action.ts
• src/test/test-db.ts
• src/test/trpc-helpers.ts

💤 Files with no reviewable changes (1)

• src/server/api/routers/tests/action.integration.test.ts

✅ Files skipped from review due to trivial changes (2)

• package.json
• src/server/api/routers/action.ts