Skip to content

feat: add /simple routes for QStash fallback in Deep Clean #1093

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
matthew-petty wants to merge 10 commits into
base: main
Choose a base branch
from
Open

feat: add /simple routes for QStash fallback in Deep Clean #1093

matthew-petty wants to merge 10 commits into from
+1,383 −6

Conversation

@matthew-petty
Copy link
Contributor

@matthew-petty matthew-petty commented Dec 15, 2025
edited by coderabbitai bot
Loading

Summary

Adds alternative endpoints for self-hosted deployments without QStash:

  • /api/clean/simple - mirrors /api/clean behavior
  • /api/clean/gmail/simple - mirrors /api/clean/gmail behavior

These endpoints integrate with the existing fallbackPublishToQstash() utility in utils/upstash/index.ts, enabling Deep Clean to work without the QStash queue service.

Security

  • Disabled when QStash is configured - Returns 403 if QSTASH_TOKEN is set
  • Internal API key authentication - Uses existing isValidInternalApiKey() utility
  • Same authorization checks - Premium validation, account verification, etc.

Testing

  • Unit tests covering auth guards and input validation (13 tests)
  • Manually verified on a self-hosted Docker deployment

Notes

We're a small team running a self-hosted deployment. These routes follow the existing /simple pattern used by categorize/senders/batch/simple.

We noticed #856 (WIP: Flexible queue system with BullMQ and Qstash) - this PR is a simpler stopgap that doesn't conflict with that work. These routes are purely additive and will automatically disable when QStash is available.

Happy to address any feedback.

Summary by CodeRabbit

  • New Features

    • Added Gmail cleaning POST endpoints (cloud + self-hosted path) to analyze threads, apply archive/label actions, and record cleanup status; supports guarded requests and internal API-key validation.
    • Introduced rate-limited fallback for job enqueueing to avoid burst requests.

  • Tests

    • Added comprehensive tests covering QStash guard, internal API-key validation, input validation, archived/markDone logic, and rate-limit fallback behavior.

  • Chores

    • Integrated runtime rate-limiting utility and updated fallback publish behavior.

✏️ Tip: You can customize this high-level summary in your review settings.

@matthew-petty
feat: add /simple routes for QStash fallback in Deep Clean
358ca2b 
Add alternative endpoints for self-hosted deployments without QStash:
- /api/clean/simple
- /api/clean/gmail/simple

These endpoints authenticate via internal API key instead of QStash
signature verification, allowing Deep Clean to function without
the QStash queue service.

Security:
- Disabled when QSTASH_TOKEN is set (returns 403)
- Requires INTERNAL_API_KEY authentication
- Uses existing isValidInternalApiKey utility
@vercel
Copy link

vercel bot commented Dec 15, 2025

@matthew-petty is attempting to deploy a commit to the Inbox Zero OSS Program Team on Vercel.

A member of the Team first needs to authorize it.

@CLAassistant
Copy link

CLAassistant commented Dec 15, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 15, 2025
edited
Loading

Walkthrough

Adds two POST Next.js API routes for Gmail cleanup (simple label action and AI-driven thread cleaning), a rate-limited Upstash fallback publisher plus dependency, and tests covering auth, QStash guard, input validation, and rate-limiting.

Changes

Cohort / File(s) Summary
Simple Gmail label cleaning route
apps/web/app/api/clean/gmail/simple/route.ts, apps/web/app/api/clean/gmail/simple/route.test.ts		 New POST endpoint and tests: zod schema, fetch Gmail account via Prisma, refresh tokens, compute add/remove label IDs from action/markDone, call Gmail client to label threads, persist results to Redis/Prisma, QStash publish path and internal-key self-hosted alternative. Tests cover QStash guard, API-key validation, input validation, and archived-flag behavior.
AI-driven thread cleaning route
apps/web/app/api/clean/simple/route.ts, apps/web/app/api/clean/simple/route.test.ts		 New POST endpoint and tests: loads thread messages, runs static pre-checks to short-circuit, aggregates messages for aiClean when needed, publishes label-change jobs to QStash (or rate-limited fallback), updates Redis status and CleanupThread records in Prisma. Tests validate auth, QStash guard, input validation, early-skip gating, and publishing behavior.
Rate limiting & Upstash fallback
apps/web/utils/redis/rate-limit.ts, apps/web/utils/upstash/index.ts, apps/web/utils/redis/rate-limit.test.ts, apps/web/utils/upstash/index.test.ts, apps/web/package.json		 Adds @upstash/ratelimit dependency and a sliding-window limiter; exports acquireRateLimitToken(identifier, timeout) which blocks until a token or times out. Replaces sleep fallback with a rate-limited fallback publisher that acquires a token per emailAccountId (or global) then performs a fire-and-forget POST to the target /simple endpoint; updated tests for rate-limit and fallback behavior.

Sequence Diagram(s)

sequenceDiagram
    actor Client
    participant RouteAI as /api/clean/simple
    participant Auth as Auth (QStash / Internal Key)
    participant Gmail as Gmail API / Client
    participant LLM as aiClean
    participant Qstash as Qstash
    participant Fallback as Fallback Publisher
    participant Redis as Redis
    participant Prisma as Prisma

    Client->>RouteAI: POST request
    RouteAI->>Auth: Check QSTASH_TOKEN / validate internal API key
    Auth-->>RouteAI: Authorized

    RouteAI->>Gmail: Fetch thread messages
    Gmail-->>RouteAI: Messages

    RouteAI->>RouteAI: Run static pre-checks
    alt Early skip
        RouteAI->>Prisma: Persist processed thread
        RouteAI->>Redis: Update status
        RouteAI-->>Client: 200 OK
    else Proceed to LLM
        RouteAI->>LLM: aiClean decision
        LLM-->>RouteAI: Decision
        RouteAI->>Qstash: Publish jobs
        alt Qstash unavailable
            RouteAI->>Fallback: acquireRateLimitToken -> POST /simple
        end
        RouteAI->>Redis: Update status
        RouteAI->>Prisma: Create/Update CleanupThread
        RouteAI-->>Client: 200 OK
    end
Loading 
sequenceDiagram
    actor Client
    participant RouteSimple as /api/clean/gmail/simple
    participant Auth as Auth (QStash / Internal Key)
    participant Prisma as Prisma
    participant Gmail as Gmail API / Client
    participant Redis as Redis

    Client->>RouteSimple: POST request
    RouteSimple->>Auth: Check QSTASH_TOKEN / validate internal API key
    Auth-->>RouteSimple: Authorized

    RouteSimple->>Prisma: Fetch Gmail account & tokens
    Prisma-->>RouteSimple: Account data
    RouteSimple->>Gmail: Refresh tokens / get client
    RouteSimple->>Gmail: Apply add/remove labels
    Gmail-->>RouteSimple: Labels applied
    RouteSimple->>Redis: Update thread status
    RouteSimple->>Prisma: Create/Update CleanupThread
    RouteSimple-->>Client: 200 OK
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Inspect label add/remove computation and archived-flag logic in apps/web/app/api/clean/gmail/simple/route.ts.
  • Review static pre-check predicates and aiClean input/response handling in apps/web/app/api/clean/simple/route.ts.
  • Verify rate-limiter token acquisition, timeout handling, and per-account keying in apps/web/utils/redis/rate-limit.ts.
  • Confirm fallback publisher uses rate limiting and correctly formats the fallback POST in apps/web/utils/upstash/index.ts.
  • Check tests' realism around mocked Prisma, Gmail client, Redis, env toggles, and internal API validation.

Suggested reviewers

  • anakarentorosserrano-star

Poem

🐰 I hopped through labels, tokens, and queues,

I nudged a thread and chased away views,
QStash or fallback — hop, hop, decide!
Rate-limit counted on my rabbit stride,
Inbox tidied — nibble, nap, and pride. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding /simple route alternatives for QStash fallback functionality in the Deep Clean feature.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e60dadc and ca87b1d.

📒 Files selected for processing (3)
  • apps/web/app/api/clean/simple/route.ts (1 hunks)
  • apps/web/utils/redis/rate-limit.test.ts (1 hunks)
  • apps/web/utils/upstash/index.test.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (19)
apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Use @/ path aliases for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Follow consistent naming conventions using PascalCase for components
Centralize shared types in dedicated type files

Import specific lodash functions rather than entire lodash library to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)

**/*.{ts,tsx}: For API GET requests to server, use the swr package
Use result?.serverError with toastError from @/components/Toast for error handling in async operations

**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

**/*.{ts,tsx}: For early access feature flags, create hooks using the naming convention use[FeatureName]Enabled that return a boolean from useFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming convention use[FeatureName]Variant that define variant types, use useFeatureFlagVariantKey() with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g., inbox-cleaner, pricing-options-2)
Always define types for A/B test variant flags (e.g., type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting

**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the ! postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Use as const instead of literal types and type annotations
Use either T[] or Array<T> consistently
Initialize each enum member value explicitly
Use export type for types
Use `impo...

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
**/{server,api,actions,utils}/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/{server,api,actions,utils}/**/*.ts: Use createScopedLogger from "@/utils/logger" for logging in backend code
Add the createScopedLogger instantiation at the top of the file with an appropriate scope name
Use .with() method to attach context variables only within specific functions, not on global loggers
For large functions with reused variables, use createScopedLogger().with() to attach context once and reuse the logger without passing variables repeatedly

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)

Always import Prisma enums from @/generated/prisma/enums instead of @/generated/prisma/client to avoid Next.js bundling errors in client components

Import Prisma using the project's centralized utility: import prisma from '@/utils/prisma'

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma's select option. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. All findUnique/findFirst calls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
All findMany queries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g., emailAccount: { id: emailAccountId }) to validate ownership

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/testing.mdc)

**/*.test.{ts,tsx}: Use vitest for testing the application
Tests should be colocated next to the tested file with .test.ts or .test.tsx extension (e.g., dir/format.ts and dir/format.test.ts)
Mock server-only using vi.mock("server-only", () => ({}))
Mock Prisma using vi.mock("@/utils/prisma") and import the mock from @/utils/__mocks__/prisma
Use vi.clearAllMocks() in beforeEach to clean up mocks between tests
Each test should be independent
Use descriptive test names
Mock external dependencies in tests
Do not mock the Logger
Avoid testing implementation details
Use test helpers getEmail, getEmailAccount, and getRule from @/__tests__/helpers for mocking emails, accounts, and rules

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Use next/image package for images
For API GET requests to server, use the swr package with hooks like useSWR to fetch data
For text inputs, use the Input component with registerProps for form integration and error handling

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
**/*.{tsx,ts,css}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Implement responsive design with Tailwind CSS using a mobile-first approach

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use accessKey attribute on any HTML element
Don't set aria-hidden="true" on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like <marquee> or <blink>
Only use the scope prop on <th> elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assign tabIndex to non-interactive HTML elements
Don't use positive integers for tabIndex property
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include a title element for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
Assign tabIndex to non-interactive HTML elements with aria-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include a type attribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden with aria-hidden)
Always include a lang attribute on the html element
Always include a title attribute for iframe elements
Accompany onClick with at least one of: onKeyUp, onKeyDown, or onKeyPress
Accompany onMouseOver/onMouseOut with onFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
**/*.{test,spec}.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{test,spec}.{js,jsx,ts,tsx}: Don't nest describe() blocks too deeply in test files
Don't use callbacks in asynchronous tests and hooks
Don't have duplicate hooks in describe blocks
Don't use export or module.exports in test files
Don't use focused tests
Make sure the assertion function, like expect, is placed inside an it() function call
Don't use disabled tests

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
  • apps/web/app/api/clean/simple/route.ts
apps/web/app/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Follow NextJS app router structure with (app) directory

Files:

  • apps/web/app/api/clean/simple/route.ts
apps/web/app/api/**/*.ts

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/app/api/**/*.ts: Wrap GET API routes with withAuth or withEmailAccount middleware for authentication
Export response types from GET API routes using Awaited<ReturnType<>> pattern for type-safe client usage

Files:

  • apps/web/app/api/clean/simple/route.ts
apps/web/app/api/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/fullstack-workflow.mdc)

apps/web/app/api/**/route.ts: Create GET API routes using withAuth or withEmailAccount middleware in apps/web/app/api/*/route.ts, export response types as GetExampleResponse type alias for client-side type safety
Always export response types from GET routes as Get[Feature]Response using type inference from the data fetching function for type-safe client consumption
Do NOT use POST API routes for mutations - always use server actions with next-safe-action instead

Files:

  • apps/web/app/api/clean/simple/route.ts
**/app/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/get-api-route.mdc)

**/app/**/route.ts: Always wrap GET API route handlers with withAuth or withEmailAccount middleware for consistent error handling and authentication in Next.js App Router
Infer and export response type for GET API routes using Awaited<ReturnType<typeof functionName>> pattern in Next.js
Use Prisma for database queries in GET API routes
Return responses using NextResponse.json() in GET API routes
Do not use try/catch blocks in GET API route handlers when using withAuth or withEmailAccount middleware, as the middleware handles error handling

Files:

  • apps/web/app/api/clean/simple/route.ts
apps/web/app/**/[!.]*/route.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Use kebab-case for route directories in Next.js App Router (e.g., api/hello-world/route)

Files:

  • apps/web/app/api/clean/simple/route.ts
apps/web/app/api/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/security-audit.mdc)

apps/web/app/api/**/*.{ts,tsx}: API routes must use withAuth, withEmailAccount, or withError middleware for authentication
All database queries must include user scoping with emailAccountId or userId filtering in WHERE clauses
Request parameters must be validated before use; avoid direct parameter usage without type checking
Use generic error messages instead of revealing internal details; throw SafeError instead of exposing user IDs, resource IDs, or system information
API routes should only return necessary fields using select in database queries to prevent unintended information disclosure
Cron endpoints must use hasCronSecret or hasPostCronSecret to validate cron requests and prevent unauthorized access
Request bodies should use Zod schemas for validation to ensure type safety and prevent injection attacks

Files:

  • apps/web/app/api/clean/simple/route.ts
**/app/api/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/app/api/**/*.ts: ALL API routes that handle user data MUST use appropriate middleware: use withEmailAccount for email-scoped operations, use withAuth for user-scoped operations, or use withError with proper validation for public/custom auth endpoints
Use withEmailAccount middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using emailAccountId
Use withAuth middleware for user-level operations such as user settings, API keys, and referrals that use only userId
Use withError middleware only for public endpoints, custom authentication logic, or cron endpoints. For cron endpoints, MUST use hasCronSecret() or hasPostCronSecret() validation
Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using hasCronSecret(request) or hasPostCronSecret(request) and capture unauthorized attempts with captureException()
Always validate request bodies using Zod schemas to ensure type safety and prevent invalid data from reaching database operations
Maintain consistent error response format across all API routes to avoid information disclosure while providing meaningful error feedback

Files:

  • apps/web/app/api/clean/simple/route.ts
🧠 Learnings (37)
📓 Common learnings 
Learnt from: matthew-petty
Repo: elie222/inbox-zero PR: 1093
File: apps/web/app/api/clean/simple/route.ts:322-345
Timestamp: 2025-12-15T15:57:36.160Z
Learning: The `/simple` routes in the codebase (e.g., /api/clean/simple, /api/clean/gmail/simple, /api/user/categorize/senders/batch/simple) use service-to-service authentication with internal API key validation via `isValidInternalApiKey`. They do not perform per-emailAccountId authorization checks, instead trusting that the authenticated internal service (via internal API key) has already performed authorization when queueing the request. This mirrors the trust model of QStash routes which verify signature but don't do per-account authorization.

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to **/*.test.ts : Include security tests in test suites to verify: authentication is required, IDOR protection works (other users cannot access resources), parameter validation rejects invalid inputs, and error messages don't leak information

Applied to files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Mock external dependencies in tests

Applied to files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Use test helpers `getEmail`, `getEmailAccount`, and `getRule` from `@/__tests__/helpers` for mocking emails, accounts, and rules

Applied to files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:39:08.150Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Applied to files:

  • apps/web/utils/upstash/index.test.ts
  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:56.430Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Set timeout constant `const TIMEOUT = 15_000;` for LLM tests

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:37:56.430Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Use vitest imports (`describe`, `expect`, `test`, `vi`, `beforeEach`) in LLM test files

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:37:56.430Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Place all LLM-related tests in `apps/web/__tests__/` directory

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/__tests__/**/*.{ts,tsx} : AI tests must be placed in the `__tests__` directory and are not run by default (they use a real LLM)

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:37:56.430Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Prefer using existing helpers from `@/__tests__/helpers.ts` (`getEmailAccount`, `getEmail`, `getRule`, `getMockMessage`, `getMockExecutedRule`) instead of creating custom test data helpers

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:37:56.430Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Use `describe.runIf(isAiTest)` with environment variable `RUN_AI_TESTS === "true"` to conditionally run LLM tests

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Use descriptive test names

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Avoid testing implementation details

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Mock Prisma using `vi.mock("@/utils/prisma")` and import the mock from `@/utils/__mocks__/prisma`

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Use `vi.clearAllMocks()` in `beforeEach` to clean up mocks between tests

Applied to files:

  • apps/web/utils/redis/rate-limit.test.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Keep Gmail provider-specific implementation details isolated within the apps/web/utils/gmail/ directory

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:38:56.992Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-11-25T14:38:56.992Z
Learning: Applies to apps/web/app/**/[!.]*/route.{ts,tsx} : Use kebab-case for route directories in Next.js App Router (e.g., `api/hello-world/route`)

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/app/api/**/route.ts : Do NOT use POST API routes for mutations - always use server actions with `next-safe-action` instead

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-12-15T15:57:36.160Z 
Learnt from: matthew-petty
Repo: elie222/inbox-zero PR: 1093
File: apps/web/app/api/clean/simple/route.ts:322-345
Timestamp: 2025-12-15T15:57:36.160Z
Learning: For routes under apps/web/app/api/.../simple (e.g., .../simple/route.ts), authentication should rely on internal API key validation for inter-service requests and should not perform per-emailAccountId authorization checks. This mirrors a QStash-like trust model where the calling service is already authorized. Apply this pattern to all similar simple-route files: do not add per-account authorization here; if future routes require per-account scope, introduce explicit checks or middleware. Document this in comments and add tests to confirm absence of per-account authorization in these routes.

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/app/api/**/route.ts : Create GET API routes using `withAuth` or `withEmailAccount` middleware in `apps/web/app/api/*/route.ts`, export response types as `GetExampleResponse` type alias for client-side type safety

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Applies to apps/web/app/api/**/route.ts : All database queries must include user/account filtering with `emailAccountId` or `userId` in WHERE clauses to prevent IDOR vulnerabilities

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to app/api/**/*.ts : Use `withEmailAccount` middleware for operations scoped to a specific email account (reading/writing emails, rules, schedules, etc.) - provides `emailAccountId`, `userId`, and `email` in `request.auth`

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Use `withEmailAccount` middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using `emailAccountId`

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to **/*.ts : Always validate that resources belong to the authenticated user before any operation - use ownership checks in queries (e.g., `emailAccount: { id: emailAccountId }`) and throw `SafeError` if validation fails

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to **/*.ts : Prevent Insecure Direct Object References (IDOR) by validating resource ownership in all queries - always include ownership filters (e.g., `emailAccount: { id: emailAccountId }`) when accessing user-specific resources

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : ALL API routes that handle user data MUST use appropriate middleware: use `withEmailAccount` for email-scoped operations, use `withAuth` for user-scoped operations, or use `withError` with proper validation for public/custom auth endpoints

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:08.150Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/**/*.{ts,tsx} : All database queries must include user scoping with `emailAccountId` or `userId` filtering in WHERE clauses

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to app/api/**/*.ts : ALL API routes that handle user data MUST use appropriate middleware: `withEmailAccount` for email-scoped operations, `withAuth` for user-scoped operations, or `withError` with proper validation for public/cron endpoints

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using `hasCronSecret(request)` or `hasPostCronSecret(request)` and capture unauthorized attempts with `captureException()`

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Applies to apps/web/app/api/**/route.ts : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Applies to apps/web/app/api/**/route.ts : All API routes must use `withAuth`, `withEmailAccount`, or `withError` middleware for authentication

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:11.434Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-11-25T14:37:11.434Z
Learning: Applies to **/app/**/route.ts : Use `withAuth` middleware to get the authenticated user or `withEmailAccount` middleware to get the currently active email account in GET API routes

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Verify during code review that all new routes follow established security patterns: middleware usage, database query scoping, input validation, and proper error handling

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
🧬 Code graph analysis (2)
apps/web/utils/upstash/index.test.ts (2)
apps/web/env.ts (1)
  • env (17-247)
apps/web/utils/upstash/index.ts (3)
  • publishToQstash (17-38)
  • bulkPublishToQstash (40-57)
  • publishToQstashQueue (59-81)
apps/web/utils/redis/rate-limit.test.ts (1)
apps/web/utils/redis/rate-limit.ts (1)
  • acquireRateLimitToken (22-34)
🔇 Additional comments (12)
apps/web/utils/upstash/index.test.ts (4)

1-43: LGTM! Clean mocking setup.

The use of vi.hoisted() for mock declarations and the mocking strategy for env, rate-limit, internal-api, logger, and global fetch is well-structured and appropriate for testing the fallback behavior.

47-134: LGTM! Comprehensive publishToQstash test coverage.

The test suite thoroughly covers:

  • Rate limiting identifier selection (emailAccountId, fallback to "global", empty string handling)
  • URL transformation (/simple appended)
  • Request headers (internal API key, Content-Type)
  • Body serialization

153-175: Test correctly validates fire-and-forget error logging.

The test properly verifies that fetch failures are logged but don't throw. The setTimeout(resolve, 10) pattern works but could be replaced with await vi.waitFor() for more robust async assertion if needed in the future.

178-249: LGTM! Thorough bulk and queue testing.

The tests effectively validate:

  • Sequential per-item rate limiting in bulk operations
  • Early-stop behavior when rate limiting fails mid-batch
  • Rate limiting integration in queue publishing

The assertions on mock call counts and arguments are precise and appropriate.

apps/web/utils/redis/rate-limit.test.ts (2)

1-28: LGTM! Proper mock setup for rate limiting tests.

The mock structure correctly simulates the Upstash Ratelimit API:

  • Class-based mock with static slidingWindow method
  • Instance blockUntilReady method properly hoisted
  • Clean separation of concerns with beforeEach cleanup

30-84: LGTM! Comprehensive rate limiting test coverage.

The test suite thoroughly validates:

  • Successful token acquisition with default and custom timeouts
  • Timeout error handling with descriptive messages
  • Per-account rate limit isolation

All assertions correctly verify the expected behavior of acquireRateLimitToken.

apps/web/app/api/clean/simple/route.ts (6)

29-56: LGTM! Well-defined request schema.

The Zod schema properly validates:

  • Required string fields (emailAccountId, threadId, labels, jobId)
  • Action enum constraint
  • Optional instructions
  • Skip flags with sensible defaults and nullish handling

Type inference is correctly applied for type safety.

63-238: LGTM! Well-structured Deep Clean logic with optimization.

The implementation correctly:

  • Validates email account existence and premium status
  • Uses Gmail wrapper functions (as per coding guidelines)
  • Applies static rules before LLM check to optimize performance
  • Implements comprehensive skip logic (starred, conversations, attachments, receipts, calendar, unsubscribe, newsletters, promotions)
  • Falls back to AI-based decision when static rules don't apply
  • Uses SafeError for proper error handling

The early-return pattern and static-first approach effectively reduce unnecessary LLM calls.

240-305: LGTM! Rate-aware publish function with clear quota documentation.

The implementation correctly:

  • Documents Gmail API quota limits (15,000 units/min, 10 units per modify)
  • Calculates safe rate (6 requests/sec with headroom for 2 actions per operation)
  • Uses publishToQstash with flow control parameters
  • Updates thread status in parallel with publishing

The quota calculation and flow control ensure compliance with Gmail API limits.

307-320: LGTM! Proper guards and authentication for fallback route.

The implementation correctly:

  • Returns 403 when QSTASH_TOKEN is set (route disabled)
  • Uses withError middleware for consistent error handling
  • Documents the service-to-service trust model in comments

Based on learnings, the internal API key authentication pattern is appropriate for /simple routes and mirrors the QStash trust model.

322-326: LGTM! Correct internal API key validation.

The authentication correctly:

  • Awaits headers() (Next.js 15 async API pattern)
  • Validates internal API key with logger
  • Returns 401 for unauthorized requests

Based on learnings, this service-to-service authentication pattern is appropriate for /simple routes without per-account authorization checks.

328-337: LGTM! Clean request handling with schema validation.

The implementation correctly:

  • Parses and validates request body with Zod schema
  • Passes logger from middleware to business logic
  • Returns simple success response
  • Relies on withError middleware for error handling (as per coding guidelines)

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@macroscopeapp
Copy link
Contributor

macroscopeapp bot commented Dec 15, 2025
edited
Loading

Add /api/clean/simple and /api/clean/gmail/simple POST endpoints for QStash fallback with per-identifier rate limiting at 6 requests per second

Introduce self-hosted POST routes guarded by internal API key, add strict Zod schemas for deep clean and Gmail actions, persist cleanup results via Prisma, update Redis thread status, and add a rate-limited fallback publisher using @upstash/ratelimit and acquireRateLimitToken with /simple dispatch.

📍Where to Start

Start with the POST handlers in apps/web/app/api/clean/simple/route.ts and apps/web/app/api/clean/gmail/simple/route.ts, then review fallback publishing in apps/web/utils/upstash/index.ts and rate limiting in apps/web/utils/redis/rate-limit.ts.

Macroscope summarized ca87b1d.

coderabbitai[bot]
coderabbitai bot reviewed Dec 15, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
apps/web/app/api/clean/simple/route.ts (1)

256-261: Consider rate limiting enforcement for self-hosted deployments.

The rate limiting calculation (max 12 actions/second to respect Gmail API quotas) is used when publishing to QStash. In self-hosted deployments using the fallback path, this rate limiting might not be enforced, potentially risking Gmail API quota violations during bulk operations.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0e22d57 and 358ca2b.

📒 Files selected for processing (4)
  • apps/web/app/api/clean/gmail/simple/route.test.ts (1 hunks)
  • apps/web/app/api/clean/gmail/simple/route.ts (1 hunks)
  • apps/web/app/api/clean/simple/route.test.ts (1 hunks)
  • apps/web/app/api/clean/simple/route.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (19)
apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Use @/ path aliases for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Follow consistent naming conventions using PascalCase for components
Centralize shared types in dedicated type files

Import specific lodash functions rather than entire lodash library to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
apps/web/app/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Follow NextJS app router structure with (app) directory

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
apps/web/app/api/**/*.ts

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/app/api/**/*.ts: Wrap GET API routes with withAuth or withEmailAccount middleware for authentication
Export response types from GET API routes using Awaited<ReturnType<>> pattern for type-safe client usage

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)

**/*.{ts,tsx}: For API GET requests to server, use the swr package
Use result?.serverError with toastError from @/components/Toast for error handling in async operations

**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

**/*.{ts,tsx}: For early access feature flags, create hooks using the naming convention use[FeatureName]Enabled that return a boolean from useFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming convention use[FeatureName]Variant that define variant types, use useFeatureFlagVariantKey() with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g., inbox-cleaner, pricing-options-2)
Always define types for A/B test variant flags (e.g., type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting

**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the ! postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Use as const instead of literal types and type annotations
Use either T[] or Array<T> consistently
Initialize each enum member value explicitly
Use export type for types
Use `impo...

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
apps/web/app/api/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/fullstack-workflow.mdc)

apps/web/app/api/**/route.ts: Create GET API routes using withAuth or withEmailAccount middleware in apps/web/app/api/*/route.ts, export response types as GetExampleResponse type alias for client-side type safety
Always export response types from GET routes as Get[Feature]Response using type inference from the data fetching function for type-safe client consumption
Do NOT use POST API routes for mutations - always use server actions with next-safe-action instead

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/app/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/get-api-route.mdc)

**/app/**/route.ts: Always wrap GET API route handlers with withAuth or withEmailAccount middleware for consistent error handling and authentication in Next.js App Router
Infer and export response type for GET API routes using Awaited<ReturnType<typeof functionName>> pattern in Next.js
Use Prisma for database queries in GET API routes
Return responses using NextResponse.json() in GET API routes
Do not use try/catch blocks in GET API route handlers when using withAuth or withEmailAccount middleware, as the middleware handles error handling

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/{server,api,actions,utils}/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/{server,api,actions,utils}/**/*.ts: Use createScopedLogger from "@/utils/logger" for logging in backend code
Add the createScopedLogger instantiation at the top of the file with an appropriate scope name
Use .with() method to attach context variables only within specific functions, not on global loggers
For large functions with reused variables, use createScopedLogger().with() to attach context once and reuse the logger without passing variables repeatedly

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)

Always import Prisma enums from @/generated/prisma/enums instead of @/generated/prisma/client to avoid Next.js bundling errors in client components

Import Prisma using the project's centralized utility: import prisma from '@/utils/prisma'

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
apps/web/app/**/[!.]*/route.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Use kebab-case for route directories in Next.js App Router (e.g., api/hello-world/route)

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/api/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/security-audit.mdc)

apps/web/app/api/**/*.{ts,tsx}: API routes must use withAuth, withEmailAccount, or withError middleware for authentication
All database queries must include user scoping with emailAccountId or userId filtering in WHERE clauses
Request parameters must be validated before use; avoid direct parameter usage without type checking
Use generic error messages instead of revealing internal details; throw SafeError instead of exposing user IDs, resource IDs, or system information
API routes should only return necessary fields using select in database queries to prevent unintended information disclosure
Cron endpoints must use hasCronSecret or hasPostCronSecret to validate cron requests and prevent unauthorized access
Request bodies should use Zod schemas for validation to ensure type safety and prevent injection attacks

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/app/api/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/app/api/**/*.ts: ALL API routes that handle user data MUST use appropriate middleware: use withEmailAccount for email-scoped operations, use withAuth for user-scoped operations, or use withError with proper validation for public/custom auth endpoints
Use withEmailAccount middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using emailAccountId
Use withAuth middleware for user-level operations such as user settings, API keys, and referrals that use only userId
Use withError middleware only for public endpoints, custom authentication logic, or cron endpoints. For cron endpoints, MUST use hasCronSecret() or hasPostCronSecret() validation
Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using hasCronSecret(request) or hasPostCronSecret(request) and capture unauthorized attempts with captureException()
Always validate request bodies using Zod schemas to ensure type safety and prevent invalid data from reaching database operations
Maintain consistent error response format across all API routes to avoid information disclosure while providing meaningful error feedback

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma's select option. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. All findUnique/findFirst calls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
All findMany queries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g., emailAccount: { id: emailAccountId }) to validate ownership

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Use next/image package for images
For API GET requests to server, use the swr package with hooks like useSWR to fetch data
For text inputs, use the Input component with registerProps for form integration and error handling

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/*.{tsx,ts,css}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Implement responsive design with Tailwind CSS using a mobile-first approach

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use accessKey attribute on any HTML element
Don't set aria-hidden="true" on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like <marquee> or <blink>
Only use the scope prop on <th> elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assign tabIndex to non-interactive HTML elements
Don't use positive integers for tabIndex property
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include a title element for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
Assign tabIndex to non-interactive HTML elements with aria-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include a type attribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden with aria-hidden)
Always include a lang attribute on the html element
Always include a title attribute for iframe elements
Accompany onClick with at least one of: onKeyUp, onKeyDown, or onKeyPress
Accompany onMouseOver/onMouseOut with onFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/testing.mdc)

**/*.test.{ts,tsx}: Use vitest for testing the application
Tests should be colocated next to the tested file with .test.ts or .test.tsx extension (e.g., dir/format.ts and dir/format.test.ts)
Mock server-only using vi.mock("server-only", () => ({}))
Mock Prisma using vi.mock("@/utils/prisma") and import the mock from @/utils/__mocks__/prisma
Use vi.clearAllMocks() in beforeEach to clean up mocks between tests
Each test should be independent
Use descriptive test names
Mock external dependencies in tests
Do not mock the Logger
Avoid testing implementation details
Use test helpers getEmail, getEmailAccount, and getRule from @/__tests__/helpers for mocking emails, accounts, and rules

Files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
**/*.{test,spec}.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{test,spec}.{js,jsx,ts,tsx}: Don't nest describe() blocks too deeply in test files
Don't use callbacks in asynchronous tests and hooks
Don't have duplicate hooks in describe blocks
Don't use export or module.exports in test files
Don't use focused tests
Make sure the assertion function, like expect, is placed inside an it() function call
Don't use disabled tests

Files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
🧠 Learnings (29)
📓 Common learnings 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:39:08.150Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Keep Gmail provider-specific implementation details isolated within the apps/web/utils/gmail/ directory

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
📚 Learning: 2025-11-25T14:38:56.992Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-11-25T14:38:56.992Z
Learning: Applies to apps/web/app/**/[!.]*/route.{ts,tsx} : Use kebab-case for route directories in Next.js App Router (e.g., `api/hello-world/route`)

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/app/api/**/route.ts : Do NOT use POST API routes for mutations - always use server actions with `next-safe-action` instead

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Always use wrapper functions from @/utils/gmail/ for Gmail API operations instead of direct provider API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:11.434Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-11-25T14:37:11.434Z
Learning: Applies to **/app/**/route.ts : Always wrap GET API route handlers with `withAuth` or `withEmailAccount` middleware for consistent error handling and authentication in Next.js App Router

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.test.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Use `withEmailAccount` middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using `emailAccountId`

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:42:16.602Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:42:11.919Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-07-08T13:14:07.449Z 
Learnt from: elie222
Repo: elie222/inbox-zero PR: 537
File: apps/web/app/(app)/[emailAccountId]/clean/onboarding/page.tsx:30-34
Timestamp: 2025-07-08T13:14:07.449Z
Learning: The clean onboarding page in apps/web/app/(app)/[emailAccountId]/clean/onboarding/page.tsx is intentionally Gmail-specific and should show an error for non-Google email accounts rather than attempting to support multiple providers.

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Use test helpers `getEmail`, `getEmailAccount`, and `getRule` from `@/__tests__/helpers` for mocking emails, accounts, and rules

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
📚 Learning: 2025-11-25T14:37:56.430Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Prefer using existing helpers from `@/__tests__/helpers.ts` (`getEmailAccount`, `getEmail`, `getRule`, `getMockMessage`, `getMockExecutedRule`) instead of creating custom test data helpers

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to **/*.test.ts : Include security tests in test suites to verify: authentication is required, IDOR protection works (other users cannot access resources), parameter validation rejects invalid inputs, and error messages don't leak information

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Mock Prisma using `vi.mock("@/utils/prisma")` and import the mock from `@/utils/__mocks__/prisma`

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Mock external dependencies in tests

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Mock `server-only` using `vi.mock("server-only", () => ({}))`

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:37:56.430Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Mock 'server-only' module with empty object in LLM test files: `vi.mock("server-only", () => ({}))`

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Use `vi.clearAllMocks()` in `beforeEach` to clean up mocks between tests

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:37:56.430Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Use vitest imports (`describe`, `expect`, `test`, `vi`, `beforeEach`) in LLM test files

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.test.ts
  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:37:56.430Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm-test.mdc:0-0
Timestamp: 2025-11-25T14:37:56.430Z
Learning: Applies to apps/web/__tests__/**/*.test.ts : Place all LLM-related tests in `apps/web/__tests__/` directory

Applied to files:

  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/__tests__/**/*.{ts,tsx} : AI tests must be placed in the `__tests__` directory and are not run by default (they use a real LLM)

Applied to files:

  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Avoid testing implementation details

Applied to files:

  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Applies to apps/web/app/api/**/route.ts : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Applied to files:

  • apps/web/app/api/clean/simple/route.test.ts
📚 Learning: 2025-11-25T14:40:00.833Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Use descriptive test names

Applied to files:

  • apps/web/app/api/clean/simple/route.test.ts
🧬 Code graph analysis (1)
apps/web/app/api/clean/gmail/simple/route.test.ts (3)
apps/web/utils/internal-api.ts (1)
  • isValidInternalApiKey (10-33)
apps/web/env.ts (1)
  • env (17-247)
apps/web/app/api/clean/gmail/simple/route.ts (1)
  • POST (144-168)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: cubic · AI code reviewer
  • GitHub Check: Review for correctness
🔇 Additional comments (5)
apps/web/app/api/clean/gmail/simple/route.test.ts (1)

1-194: LGTM! Well-structured test suite.

The test coverage is comprehensive and follows best practices:

  • Proper mocking of all external dependencies
  • Security-focused tests (QStash guard, API key validation, input validation)
  • Clean test organization with descriptive names
  • Proper cleanup with vi.clearAllMocks() in beforeEach
apps/web/app/api/clean/gmail/simple/route.ts (1)

1-168: LGTM! Clean implementation with proper security guards.

The route follows best practices:

  • QStash guard correctly disables endpoint when token is set
  • Internal API key authentication for self-hosted deployments
  • Proper input validation with Zod schema
  • Uses Gmail wrapper functions (getGmailClientWithRefresh, labelThread) as per guidelines
  • Scoped database queries with proper error handling
  • Async headers() usage is correct for Next.js 15
  • Structured logging throughout

The internal API key authentication pattern is appropriate for service-to-service communication in self-hosted deployments.

Based on learnings, Gmail wrapper functions are correctly used instead of direct API calls.

apps/web/app/api/clean/simple/route.test.ts (1)

1-192: LGTM! Comprehensive test coverage.

The test suite mirrors the Gmail route tests with consistent patterns:

  • Complete mocking of external dependencies
  • Security-focused test cases covering all authentication and validation layers
  • Proper test isolation with mock cleanup
  • Clear, descriptive test names
apps/web/app/api/clean/simple/route.ts (2)

72-83: LGTM! Proper authorization checks.

The route correctly validates:

  • Email account existence
  • Gmail token availability
  • Premium status

This ensures only authorized, premium users can access the cleaning functionality.

1-324: Fallback routing implementation is correct.

The publishToQstash function correctly appends /simple to the path when QSTASH_TOKEN is not set, routing /api/clean/gmail to /api/clean/gmail/simple with internal API key authentication. Both the /api/clean/simple and /api/clean/gmail/simple endpoints properly validate the internal API key and disable themselves when Qstash is configured, ensuring self-hosted deployments without Qstash can operate securely through internal API authentication.

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Dec 15, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 4 files

coderabbitai[bot]
coderabbitai bot reviewed Dec 15, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
apps/web/app/api/clean/gmail/simple/route.ts (1)

17-18: Optional: unify logger usage for better request-scoped context

Right now:

  • logger (the global scoped logger) is passed into isValidInternalApiKey.
  • performGmailAction uses (request as RequestWithLogger).logger.

For more consistent, request-scoped logging (with request IDs, etc.), you could:

  • Pass the request logger into isValidInternalApiKey as well.
  • Use .with({ emailAccountId, threadId, jobId }) when calling performGmailAction to enrich logs for the Gmail action flow.

This is purely a logging refinement; behavior is otherwise fine.

Also applies to: 81-82, 165-167, 172-175

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 358ca2b and 7e7938c.

📒 Files selected for processing (2)
  • apps/web/app/api/clean/gmail/simple/route.ts (1 hunks)
  • apps/web/app/api/clean/simple/route.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/web/app/api/clean/simple/route.ts
🧰 Additional context used
📓 Path-based instructions (17)
apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Use @/ path aliases for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Follow consistent naming conventions using PascalCase for components
Centralize shared types in dedicated type files

Import specific lodash functions rather than entire lodash library to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Follow NextJS app router structure with (app) directory

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/api/**/*.ts

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/app/api/**/*.ts: Wrap GET API routes with withAuth or withEmailAccount middleware for authentication
Export response types from GET API routes using Awaited<ReturnType<>> pattern for type-safe client usage

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)

**/*.{ts,tsx}: For API GET requests to server, use the swr package
Use result?.serverError with toastError from @/components/Toast for error handling in async operations

**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

**/*.{ts,tsx}: For early access feature flags, create hooks using the naming convention use[FeatureName]Enabled that return a boolean from useFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming convention use[FeatureName]Variant that define variant types, use useFeatureFlagVariantKey() with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g., inbox-cleaner, pricing-options-2)
Always define types for A/B test variant flags (e.g., type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting

**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the ! postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Use as const instead of literal types and type annotations
Use either T[] or Array<T> consistently
Initialize each enum member value explicitly
Use export type for types
Use `impo...

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/api/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/fullstack-workflow.mdc)

apps/web/app/api/**/route.ts: Create GET API routes using withAuth or withEmailAccount middleware in apps/web/app/api/*/route.ts, export response types as GetExampleResponse type alias for client-side type safety
Always export response types from GET routes as Get[Feature]Response using type inference from the data fetching function for type-safe client consumption
Do NOT use POST API routes for mutations - always use server actions with next-safe-action instead

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/app/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/get-api-route.mdc)

**/app/**/route.ts: Always wrap GET API route handlers with withAuth or withEmailAccount middleware for consistent error handling and authentication in Next.js App Router
Infer and export response type for GET API routes using Awaited<ReturnType<typeof functionName>> pattern in Next.js
Use Prisma for database queries in GET API routes
Return responses using NextResponse.json() in GET API routes
Do not use try/catch blocks in GET API route handlers when using withAuth or withEmailAccount middleware, as the middleware handles error handling

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/{server,api,actions,utils}/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/{server,api,actions,utils}/**/*.ts: Use createScopedLogger from "@/utils/logger" for logging in backend code
Add the createScopedLogger instantiation at the top of the file with an appropriate scope name
Use .with() method to attach context variables only within specific functions, not on global loggers
For large functions with reused variables, use createScopedLogger().with() to attach context once and reuse the logger without passing variables repeatedly

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)

Always import Prisma enums from @/generated/prisma/enums instead of @/generated/prisma/client to avoid Next.js bundling errors in client components

Import Prisma using the project's centralized utility: import prisma from '@/utils/prisma'

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/**/[!.]*/route.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Use kebab-case for route directories in Next.js App Router (e.g., api/hello-world/route)

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/api/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/security-audit.mdc)

apps/web/app/api/**/*.{ts,tsx}: API routes must use withAuth, withEmailAccount, or withError middleware for authentication
All database queries must include user scoping with emailAccountId or userId filtering in WHERE clauses
Request parameters must be validated before use; avoid direct parameter usage without type checking
Use generic error messages instead of revealing internal details; throw SafeError instead of exposing user IDs, resource IDs, or system information
API routes should only return necessary fields using select in database queries to prevent unintended information disclosure
Cron endpoints must use hasCronSecret or hasPostCronSecret to validate cron requests and prevent unauthorized access
Request bodies should use Zod schemas for validation to ensure type safety and prevent injection attacks

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/app/api/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/app/api/**/*.ts: ALL API routes that handle user data MUST use appropriate middleware: use withEmailAccount for email-scoped operations, use withAuth for user-scoped operations, or use withError with proper validation for public/custom auth endpoints
Use withEmailAccount middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using emailAccountId
Use withAuth middleware for user-level operations such as user settings, API keys, and referrals that use only userId
Use withError middleware only for public endpoints, custom authentication logic, or cron endpoints. For cron endpoints, MUST use hasCronSecret() or hasPostCronSecret() validation
Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using hasCronSecret(request) or hasPostCronSecret(request) and capture unauthorized attempts with captureException()
Always validate request bodies using Zod schemas to ensure type safety and prevent invalid data from reaching database operations
Maintain consistent error response format across all API routes to avoid information disclosure while providing meaningful error feedback

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma's select option. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. All findUnique/findFirst calls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
All findMany queries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g., emailAccount: { id: emailAccountId }) to validate ownership

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Use next/image package for images
For API GET requests to server, use the swr package with hooks like useSWR to fetch data
For text inputs, use the Input component with registerProps for form integration and error handling

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{tsx,ts,css}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Implement responsive design with Tailwind CSS using a mobile-first approach

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use accessKey attribute on any HTML element
Don't set aria-hidden="true" on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like <marquee> or <blink>
Only use the scope prop on <th> elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assign tabIndex to non-interactive HTML elements
Don't use positive integers for tabIndex property
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include a title element for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
Assign tabIndex to non-interactive HTML elements with aria-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include a type attribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden with aria-hidden)
Always include a lang attribute on the html element
Always include a title attribute for iframe elements
Accompany onClick with at least one of: onKeyUp, onKeyDown, or onKeyPress
Accompany onMouseOver/onMouseOut with onFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/app/api/clean/gmail/simple/route.ts
🧠 Learnings (13)
📓 Common learnings 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-11-25T14:37:11.434Z
Learning: Applies to **/app/**/route.ts : Always wrap GET API route handlers with `withAuth` or `withEmailAccount` middleware for consistent error handling and authentication in Next.js App Router

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-11-25T14:37:22.822Z
Learning: Applies to **/app/**/route.ts : Always wrap GET API route handlers with `withAuth` or `withEmailAccount` middleware for consistent error handling and authentication in Next.js App Router

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Organize fullstack features following the structure: GET API route in `app/api/user/[feature]/route.ts`, validation schema in `utils/actions/[feature].validation.ts`, server actions in `utils/actions/[feature].ts`, SWR hook in `hooks/use[Feature]s.ts`, and form component in `components/[Feature]Form.tsx`

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/app/api/**/route.ts : Do NOT use POST API routes for mutations - always use server actions with `next-safe-action` instead
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/app/api/**/route.ts : Do NOT use POST API routes for mutations - always use server actions with `next-safe-action` instead

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Keep Gmail provider-specific implementation details isolated within the apps/web/utils/gmail/ directory

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:39:08.150Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Use `withEmailAccount` middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using `emailAccountId`

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:11.434Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-11-25T14:37:11.434Z
Learning: Applies to **/app/**/route.ts : Always wrap GET API route handlers with `withAuth` or `withEmailAccount` middleware for consistent error handling and authentication in Next.js App Router

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:42:16.602Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:42:11.919Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Always use wrapper functions from @/utils/gmail/ for Gmail API operations instead of direct provider API calls

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
🔇 Additional comments (1)
apps/web/app/api/clean/gmail/simple/route.ts (1)

155-179: Self-hosted /simple handler security & behavior look solid

The handler correctly:

  • Disables itself when env.QSTASH_TOKEN is set, so it’s not reachable in QStash mode.
  • Authenticates via isValidInternalApiKey(await headers(), logger) before doing any work.
  • Validates the body with cleanGmailSchema.parse(json) and then routes through performGmailAction, which uses Gmail wrapper utilities and Prisma/Redis for persistence, as per project patterns and Gmail API learnings.

This matches the existing /simple-route pattern and avoids the verifySignatureAppRouter requirement since this endpoint is explicitly non-QStash and only active in self-hosted mode. Based on learnings, this is consistent with the intended fallback design.

@matthew-petty
fix: add rate limiting for fallback path in clean/simple
4ffc5bb 
When QStash is not configured, the fallback path bypasses QStash's
server-side rate limiting. This adds a 167ms delay (~6 ops/sec) to
stay within Gmail API quotas (15,000 units/user/minute).
@matthew-petty
fix: only set archived=true when action is ARCHIVE
5585299 
Previously, the archived flag was set based on markDone, which is true
for both ARCHIVE and MARK_READ actions. Now correctly uses shouldArchive
which is only true when action is ARCHIVE.

Adds tests to verify the behavior.
coderabbitai[bot]
coderabbitai bot reviewed Dec 15, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7e7938c and 4ffc5bb.

📒 Files selected for processing (1)
  • apps/web/app/api/clean/simple/route.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (17)
apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Use @/ path aliases for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Follow consistent naming conventions using PascalCase for components
Centralize shared types in dedicated type files

Import specific lodash functions rather than entire lodash library to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/app/api/clean/simple/route.ts
apps/web/app/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Follow NextJS app router structure with (app) directory

Files:

  • apps/web/app/api/clean/simple/route.ts
apps/web/app/api/**/*.ts

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/app/api/**/*.ts: Wrap GET API routes with withAuth or withEmailAccount middleware for authentication
Export response types from GET API routes using Awaited<ReturnType<>> pattern for type-safe client usage

Files:

  • apps/web/app/api/clean/simple/route.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)

**/*.{ts,tsx}: For API GET requests to server, use the swr package
Use result?.serverError with toastError from @/components/Toast for error handling in async operations

**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

**/*.{ts,tsx}: For early access feature flags, create hooks using the naming convention use[FeatureName]Enabled that return a boolean from useFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming convention use[FeatureName]Variant that define variant types, use useFeatureFlagVariantKey() with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g., inbox-cleaner, pricing-options-2)
Always define types for A/B test variant flags (e.g., type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting

**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the ! postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Use as const instead of literal types and type annotations
Use either T[] or Array<T> consistently
Initialize each enum member value explicitly
Use export type for types
Use `impo...

Files:

  • apps/web/app/api/clean/simple/route.ts
apps/web/app/api/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/fullstack-workflow.mdc)

apps/web/app/api/**/route.ts: Create GET API routes using withAuth or withEmailAccount middleware in apps/web/app/api/*/route.ts, export response types as GetExampleResponse type alias for client-side type safety
Always export response types from GET routes as Get[Feature]Response using type inference from the data fetching function for type-safe client consumption
Do NOT use POST API routes for mutations - always use server actions with next-safe-action instead

Files:

  • apps/web/app/api/clean/simple/route.ts
**/app/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/get-api-route.mdc)

**/app/**/route.ts: Always wrap GET API route handlers with withAuth or withEmailAccount middleware for consistent error handling and authentication in Next.js App Router
Infer and export response type for GET API routes using Awaited<ReturnType<typeof functionName>> pattern in Next.js
Use Prisma for database queries in GET API routes
Return responses using NextResponse.json() in GET API routes
Do not use try/catch blocks in GET API route handlers when using withAuth or withEmailAccount middleware, as the middleware handles error handling

Files:

  • apps/web/app/api/clean/simple/route.ts
**/{server,api,actions,utils}/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/{server,api,actions,utils}/**/*.ts: Use createScopedLogger from "@/utils/logger" for logging in backend code
Add the createScopedLogger instantiation at the top of the file with an appropriate scope name
Use .with() method to attach context variables only within specific functions, not on global loggers
For large functions with reused variables, use createScopedLogger().with() to attach context once and reuse the logger without passing variables repeatedly

Files:

  • apps/web/app/api/clean/simple/route.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)

Always import Prisma enums from @/generated/prisma/enums instead of @/generated/prisma/client to avoid Next.js bundling errors in client components

Import Prisma using the project's centralized utility: import prisma from '@/utils/prisma'

Files:

  • apps/web/app/api/clean/simple/route.ts
apps/web/app/**/[!.]*/route.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Use kebab-case for route directories in Next.js App Router (e.g., api/hello-world/route)

Files:

  • apps/web/app/api/clean/simple/route.ts
apps/web/app/api/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/security-audit.mdc)

apps/web/app/api/**/*.{ts,tsx}: API routes must use withAuth, withEmailAccount, or withError middleware for authentication
All database queries must include user scoping with emailAccountId or userId filtering in WHERE clauses
Request parameters must be validated before use; avoid direct parameter usage without type checking
Use generic error messages instead of revealing internal details; throw SafeError instead of exposing user IDs, resource IDs, or system information
API routes should only return necessary fields using select in database queries to prevent unintended information disclosure
Cron endpoints must use hasCronSecret or hasPostCronSecret to validate cron requests and prevent unauthorized access
Request bodies should use Zod schemas for validation to ensure type safety and prevent injection attacks

Files:

  • apps/web/app/api/clean/simple/route.ts
**/app/api/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/app/api/**/*.ts: ALL API routes that handle user data MUST use appropriate middleware: use withEmailAccount for email-scoped operations, use withAuth for user-scoped operations, or use withError with proper validation for public/custom auth endpoints
Use withEmailAccount middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using emailAccountId
Use withAuth middleware for user-level operations such as user settings, API keys, and referrals that use only userId
Use withError middleware only for public endpoints, custom authentication logic, or cron endpoints. For cron endpoints, MUST use hasCronSecret() or hasPostCronSecret() validation
Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using hasCronSecret(request) or hasPostCronSecret(request) and capture unauthorized attempts with captureException()
Always validate request bodies using Zod schemas to ensure type safety and prevent invalid data from reaching database operations
Maintain consistent error response format across all API routes to avoid information disclosure while providing meaningful error feedback

Files:

  • apps/web/app/api/clean/simple/route.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma's select option. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. All findUnique/findFirst calls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
All findMany queries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g., emailAccount: { id: emailAccountId }) to validate ownership

Files:

  • apps/web/app/api/clean/simple/route.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Use next/image package for images
For API GET requests to server, use the swr package with hooks like useSWR to fetch data
For text inputs, use the Input component with registerProps for form integration and error handling

Files:

  • apps/web/app/api/clean/simple/route.ts
**/*.{tsx,ts,css}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Implement responsive design with Tailwind CSS using a mobile-first approach

Files:

  • apps/web/app/api/clean/simple/route.ts
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use accessKey attribute on any HTML element
Don't set aria-hidden="true" on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like <marquee> or <blink>
Only use the scope prop on <th> elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assign tabIndex to non-interactive HTML elements
Don't use positive integers for tabIndex property
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include a title element for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
Assign tabIndex to non-interactive HTML elements with aria-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include a type attribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden with aria-hidden)
Always include a lang attribute on the html element
Always include a title attribute for iframe elements
Accompany onClick with at least one of: onKeyUp, onKeyDown, or onKeyPress
Accompany onMouseOver/onMouseOut with onFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...

Files:

  • apps/web/app/api/clean/simple/route.ts
!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

  • apps/web/app/api/clean/simple/route.ts
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/app/api/clean/simple/route.ts
🧠 Learnings (10)
📓 Common learnings 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Always use wrapper functions from @/utils/gmail/ for Gmail API operations instead of direct provider API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Organize fullstack features following the structure: GET API route in `app/api/user/[feature]/route.ts`, validation schema in `utils/actions/[feature].validation.ts`, server actions in `utils/actions/[feature].ts`, SWR hook in `hooks/use[Feature]s.ts`, and form component in `components/[Feature]Form.tsx`
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:08.150Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/app/api/**/route.ts : Do NOT use POST API routes for mutations - always use server actions with `next-safe-action` instead

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:38:56.992Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-11-25T14:38:56.992Z
Learning: Applies to apps/web/app/**/[!.]*/route.{ts,tsx} : Use kebab-case for route directories in Next.js App Router (e.g., `api/hello-world/route`)

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Keep Gmail provider-specific implementation details isolated within the apps/web/utils/gmail/ directory

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:11.434Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-11-25T14:37:11.434Z
Learning: Applies to **/app/**/route.ts : Always wrap GET API route handlers with `withAuth` or `withEmailAccount` middleware for consistent error handling and authentication in Next.js App Router

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
🔇 Additional comments (4)
apps/web/app/api/clean/simple/route.ts (4)

1-31: LGTM: Imports and logger setup are correct.

The imports follow project conventions with proper @/ path aliases, and the logger is correctly initialized with createScopedLogger.

33-60: LGTM: Schema definitions are comprehensive.

The Zod schema properly validates all required fields for the cleaning operation, and type inference is used appropriately.

67-242: Approve the cleanThread function logic.

The function correctly validates premium status, applies static rules before LLM checks, and handles errors appropriately. The multi-layered approach (static rules → LLM fallback) is efficient.

249-316: LGTM: Rate limiting and publish logic are well-designed.

The function properly handles both QStash and fallback paths with appropriate rate limiting. The Gmail API quota calculations are documented and the fallback delay (167ms for ~6 ops/sec) is reasonable.

@matthew-petty
refactor: use request-scoped logger consistently in simple routes
fdf3f36 
Use the request logger (with request IDs) for both isValidInternalApiKey
and the action functions, removing the unused global scoped logger.
@matthew-petty
docs: add security note about internal API key authorization
81f38ec 
The internal API key provides blanket access to all email accounts.
This mirrors the QStash routes which trust signed requests without
per-account validation, as the internal API key is a trusted service
credential for self-hosted deployments.
@matthew-petty
feat: add Redis-based rate limiting for Gmail API calls
e60dadc 
Add @upstash/ratelimit to prevent Gmail API rate limit errors
when running deep clean locally without QStash.

- Uses sliding window algorithm (6 req/sec per account)
- Rate limiting at source (fallbackPublishToQstash) prevents backlog
- blockUntilReady() ensures atomic operations without race conditions
- Fire-and-forget with error logging for resilience
@socket-security
Copy link

socket-security bot commented Dec 15, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedjson5@​2.2.310010010082100
Addedtsconfig-paths@​4.2.09910010086100

View full report

@matthew-petty
Copy link
Contributor Author

matthew-petty commented Dec 15, 2025
edited
Loading

Rate Limiting Update: e60dadc

Added @upstash/ratelimit to handle Gmail API rate limiting in the fallback path (when QStash is unavailable).

Architecture: Rate limiting is applied at the source (fallbackPublishToQstash) rather than at the endpoint. This prevents request backlog buildup by throttling before requests are queued, mirroring how QStash handles rate limiting in production.

Why @upstash/ratelimit:

  • Atomic Redis operations via Lua scripts (no race conditions)
  • blockUntilReady() blocks until a token is available (perfect for background jobs)
  • Same vendor as existing @upstash/redis dependency
  • Sliding window algorithm (6 req/sec per account)

Testing: Units tests and manually processed 2500+ emails in a single deep clean run with no rate limit triggers.

coderabbitai[bot]
coderabbitai bot reviewed Dec 15, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fdf3f36 and e60dadc.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
  • apps/web/app/api/clean/gmail/simple/route.ts (1 hunks)
  • apps/web/app/api/clean/simple/route.ts (1 hunks)
  • apps/web/package.json (1 hunks)
  • apps/web/utils/redis/rate-limit.ts (1 hunks)
  • apps/web/utils/upstash/index.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (19)
**/package.json

📄 CodeRabbit inference engine (.cursor/rules/installing-packages.mdc)

Use pnpm as the package manager

Files:

  • apps/web/package.json
apps/web/package.json

📄 CodeRabbit inference engine (.cursor/rules/installing-packages.mdc)

Don't install packages in root; install in apps/web workspace instead

Files:

  • apps/web/package.json
!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

  • apps/web/package.json
  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Use @/ path aliases for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Follow consistent naming conventions using PascalCase for components
Centralize shared types in dedicated type files

Import specific lodash functions rather than entire lodash library to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Follow NextJS app router structure with (app) directory

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/api/**/*.ts

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/app/api/**/*.ts: Wrap GET API routes with withAuth or withEmailAccount middleware for authentication
Export response types from GET API routes using Awaited<ReturnType<>> pattern for type-safe client usage

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)

**/*.{ts,tsx}: For API GET requests to server, use the swr package
Use result?.serverError with toastError from @/components/Toast for error handling in async operations

**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

**/*.{ts,tsx}: For early access feature flags, create hooks using the naming convention use[FeatureName]Enabled that return a boolean from useFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming convention use[FeatureName]Variant that define variant types, use useFeatureFlagVariantKey() with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g., inbox-cleaner, pricing-options-2)
Always define types for A/B test variant flags (e.g., type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting

**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the ! postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Use as const instead of literal types and type annotations
Use either T[] or Array<T> consistently
Initialize each enum member value explicitly
Use export type for types
Use `impo...

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/api/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/fullstack-workflow.mdc)

apps/web/app/api/**/route.ts: Create GET API routes using withAuth or withEmailAccount middleware in apps/web/app/api/*/route.ts, export response types as GetExampleResponse type alias for client-side type safety
Always export response types from GET routes as Get[Feature]Response using type inference from the data fetching function for type-safe client consumption
Do NOT use POST API routes for mutations - always use server actions with next-safe-action instead

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/app/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/get-api-route.mdc)

**/app/**/route.ts: Always wrap GET API route handlers with withAuth or withEmailAccount middleware for consistent error handling and authentication in Next.js App Router
Infer and export response type for GET API routes using Awaited<ReturnType<typeof functionName>> pattern in Next.js
Use Prisma for database queries in GET API routes
Return responses using NextResponse.json() in GET API routes
Do not use try/catch blocks in GET API route handlers when using withAuth or withEmailAccount middleware, as the middleware handles error handling

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/{server,api,actions,utils}/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/{server,api,actions,utils}/**/*.ts: Use createScopedLogger from "@/utils/logger" for logging in backend code
Add the createScopedLogger instantiation at the top of the file with an appropriate scope name
Use .with() method to attach context variables only within specific functions, not on global loggers
For large functions with reused variables, use createScopedLogger().with() to attach context once and reuse the logger without passing variables repeatedly

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)

Always import Prisma enums from @/generated/prisma/enums instead of @/generated/prisma/client to avoid Next.js bundling errors in client components

Import Prisma using the project's centralized utility: import prisma from '@/utils/prisma'

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/**/[!.]*/route.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Use kebab-case for route directories in Next.js App Router (e.g., api/hello-world/route)

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
apps/web/app/api/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/security-audit.mdc)

apps/web/app/api/**/*.{ts,tsx}: API routes must use withAuth, withEmailAccount, or withError middleware for authentication
All database queries must include user scoping with emailAccountId or userId filtering in WHERE clauses
Request parameters must be validated before use; avoid direct parameter usage without type checking
Use generic error messages instead of revealing internal details; throw SafeError instead of exposing user IDs, resource IDs, or system information
API routes should only return necessary fields using select in database queries to prevent unintended information disclosure
Cron endpoints must use hasCronSecret or hasPostCronSecret to validate cron requests and prevent unauthorized access
Request bodies should use Zod schemas for validation to ensure type safety and prevent injection attacks

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/app/api/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/app/api/**/*.ts: ALL API routes that handle user data MUST use appropriate middleware: use withEmailAccount for email-scoped operations, use withAuth for user-scoped operations, or use withError with proper validation for public/custom auth endpoints
Use withEmailAccount middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using emailAccountId
Use withAuth middleware for user-level operations such as user settings, API keys, and referrals that use only userId
Use withError middleware only for public endpoints, custom authentication logic, or cron endpoints. For cron endpoints, MUST use hasCronSecret() or hasPostCronSecret() validation
Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using hasCronSecret(request) or hasPostCronSecret(request) and capture unauthorized attempts with captureException()
Always validate request bodies using Zod schemas to ensure type safety and prevent invalid data from reaching database operations
Maintain consistent error response format across all API routes to avoid information disclosure while providing meaningful error feedback

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma's select option. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. All findUnique/findFirst calls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
All findMany queries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g., emailAccount: { id: emailAccountId }) to validate ownership

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Use next/image package for images
For API GET requests to server, use the swr package with hooks like useSWR to fetch data
For text inputs, use the Input component with registerProps for form integration and error handling

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{tsx,ts,css}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Implement responsive design with Tailwind CSS using a mobile-first approach

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use accessKey attribute on any HTML element
Don't set aria-hidden="true" on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like <marquee> or <blink>
Only use the scope prop on <th> elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assign tabIndex to non-interactive HTML elements
Don't use positive integers for tabIndex property
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include a title element for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
Assign tabIndex to non-interactive HTML elements with aria-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include a type attribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden with aria-hidden)
Always include a lang attribute on the html element
Always include a title attribute for iframe elements
Accompany onClick with at least one of: onKeyUp, onKeyDown, or onKeyPress
Accompany onMouseOver/onMouseOut with onFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/utils/upstash/index.ts
  • apps/web/utils/redis/rate-limit.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
🧠 Learnings (27)
📓 Common learnings 
Learnt from: matthew-petty
Repo: elie222/inbox-zero PR: 1093
File: apps/web/app/api/clean/simple/route.ts:322-345
Timestamp: 2025-12-15T15:57:36.160Z
Learning: The `/simple` routes in the codebase (e.g., /api/clean/simple, /api/clean/gmail/simple, /api/user/categorize/senders/batch/simple) use service-to-service authentication with internal API key validation via `isValidInternalApiKey`. They do not perform per-emailAccountId authorization checks, instead trusting that the authenticated internal service (via internal API key) has already performed authorization when queueing the request. This mirrors the trust model of QStash routes which verify signature but don't do per-account authorization.

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder
📚 Learning: 2025-11-25T14:39:08.150Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-12-15T15:57:36.160Z 
Learnt from: matthew-petty
Repo: elie222/inbox-zero PR: 1093
File: apps/web/app/api/clean/simple/route.ts:322-345
Timestamp: 2025-12-15T15:57:36.160Z
Learning: For routes under apps/web/app/api/.../simple (e.g., .../simple/route.ts), authentication should rely on internal API key validation for inter-service requests and should not perform per-emailAccountId authorization checks. This mirrors a QStash-like trust model where the calling service is already authorized. Apply this pattern to all similar simple-route files: do not add per-account authorization here; if future routes require per-account scope, introduce explicit checks or middleware. Document this in comments and add tests to confirm absence of per-account authorization in these routes.

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/app/api/**/route.ts : Do NOT use POST API routes for mutations - always use server actions with `next-safe-action` instead

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Keep Gmail provider-specific implementation details isolated within the apps/web/utils/gmail/ directory

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:38:56.992Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-11-25T14:38:56.992Z
Learning: Applies to apps/web/app/**/[!.]*/route.{ts,tsx} : Use kebab-case for route directories in Next.js App Router (e.g., `api/hello-world/route`)

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:37:09.306Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/fullstack-workflow.mdc:0-0
Timestamp: 2025-11-25T14:37:09.306Z
Learning: Applies to apps/web/app/api/**/route.ts : Create GET API routes using `withAuth` or `withEmailAccount` middleware in `apps/web/app/api/*/route.ts`, export response types as `GetExampleResponse` type alias for client-side type safety

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Applies to apps/web/app/api/**/route.ts : All database queries must include user/account filtering with `emailAccountId` or `userId` in WHERE clauses to prevent IDOR vulnerabilities

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to app/api/**/*.ts : Use `withEmailAccount` middleware for operations scoped to a specific email account (reading/writing emails, rules, schedules, etc.) - provides `emailAccountId`, `userId`, and `email` in `request.auth`

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Use `withEmailAccount` middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using `emailAccountId`

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to **/*.ts : Always validate that resources belong to the authenticated user before any operation - use ownership checks in queries (e.g., `emailAccount: { id: emailAccountId }`) and throw `SafeError` if validation fails

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to **/*.ts : Prevent Insecure Direct Object References (IDOR) by validating resource ownership in all queries - always include ownership filters (e.g., `emailAccount: { id: emailAccountId }`) when accessing user-specific resources

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : ALL API routes that handle user data MUST use appropriate middleware: use `withEmailAccount` for email-scoped operations, use `withAuth` for user-scoped operations, or use `withError` with proper validation for public/custom auth endpoints

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:08.150Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/**/*.{ts,tsx} : All database queries must include user scoping with `emailAccountId` or `userId` filtering in WHERE clauses

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:23.326Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to app/api/**/*.ts : ALL API routes that handle user data MUST use appropriate middleware: `withEmailAccount` for email-scoped operations, `withAuth` for user-scoped operations, or `withError` with proper validation for public/cron endpoints

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:27.909Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using `hasCronSecret(request)` or `hasPostCronSecret(request)` and capture unauthorized attempts with `captureException()`

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Applies to apps/web/app/api/**/route.ts : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Applies to apps/web/app/api/**/route.ts : All API routes must use `withAuth`, `withEmailAccount`, or `withError` middleware for authentication

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:11.434Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-11-25T14:37:11.434Z
Learning: Applies to **/app/**/route.ts : Use `withAuth` middleware to get the authenticated user or `withEmailAccount` middleware to get the currently active email account in GET API routes

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:39:04.892Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: Verify during code review that all new routes follow established security patterns: middleware usage, database query scoping, input validation, and proper error handling

Applied to files:

  • apps/web/app/api/clean/simple/route.ts
📚 Learning: 2025-11-25T14:37:22.660Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Always use wrapper functions from @/utils/gmail/ for Gmail API operations instead of direct provider API calls

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:42:16.602Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
📚 Learning: 2025-11-25T14:42:11.919Z 
Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

  • apps/web/app/api/clean/gmail/simple/route.ts
🧬 Code graph analysis (2)
apps/web/utils/upstash/index.ts (3)
apps/web/utils/redis/rate-limit.ts (1)
  • acquireRateLimitToken (22-34)
apps/web/utils/internal-api.ts (1)
  • INTERNAL_API_KEY_HEADER (4-4)
apps/web/env.ts (1)
  • env (17-247)
apps/web/app/api/clean/gmail/simple/route.ts (5)
apps/web/utils/error.ts (1)
  • SafeError (59-69)
apps/web/utils/types.ts (1)
  • isDefined (12-14)
apps/web/utils/gmail/label.ts (1)
  • GmailLabel (20-34)
apps/web/utils/middleware.ts (2)
  • withError (352-370)
  • RequestWithLogger (27-29)
apps/web/utils/internal-api.ts (1)
  • isValidInternalApiKey (10-33)
🔇 Additional comments (10)
apps/web/app/api/clean/gmail/simple/route.ts (4)

16-25: LGTM!

Schema definition is properly typed and validated with appropriate constraints.

32-93: LGTM!

Correctly uses Gmail wrapper functions and properly derives the archived flag (only true when action === ARCHIVE). This aligns with the fix confirmed in the past review.

Based on learnings, using Gmail wrapper functions from @/utils/gmail/label.ts.

95-147: LGTM!

Properly uses concurrent operations for independent tasks and correctly scopes database records.

156-182: LGTM!

POST handler correctly implements the service-to-service authentication pattern with internal API key validation. The absence of per-account authorization is intentional and documented.

Based on learnings, /simple routes use internal API key authentication and trust the calling service for authorization.

apps/web/app/api/clean/simple/route.ts (3)

30-47: LGTM!

Schema is comprehensive with appropriate defaults and type inference.

64-239: LGTM!

The cleaning logic is well-structured with static rules short-circuiting expensive LLM calls. Properly uses Gmail wrapper functions and handles errors appropriately.

Based on learnings, using Gmail wrapper functions from @/utils/gmail/.

322-345: LGTM!

POST handler correctly implements the service-to-service authentication pattern consistent with other /simple routes.

Based on learnings, /simple routes use internal API key authentication without per-account authorization checks.

apps/web/utils/redis/rate-limit.ts (1)

1-34: LGTM!

Rate limiting configuration (6 req/sec with sliding window) aligns well with Gmail API quota constraints. The implementation uses atomic operations via blockUntilReady to prevent race conditions.

apps/web/utils/upstash/index.ts (1)

7-7: LGTM!

The updated fallback publishing with rate limiting is well-implemented:

  • Rate limiting applied before fetch to prevent overwhelming downstream services
  • Proper identifier extraction with fallback to "global"
  • Comprehensive error logging with context
  • Fire-and-forget pattern appropriate for async queue processing

The explicit comment about using || instead of ?? for empty string handling is helpful.

Also applies to: 83-117

apps/web/package.json (1)

93-93: The package @upstash/ratelimit@2.0.7 is the latest version with no known security vulnerabilities. No action needed.

@matthew-petty
fix: remove redundant sleep(167) rate limiting
723927b 
Rate limiting is now handled at source via acquireRateLimitToken
in fallbackPublishToQstash. The sleep(167) was redundant and caused
double rate limiting (~3 req/sec instead of intended 6 req/sec).
@matthew-petty
test: add unit tests for rate limiting implementation
ca87b1d 
- Tests for acquireRateLimitToken (success, timeout, custom timeout)
- Tests for fallbackPublishToQstash (emailAccountId extraction, error handling)
- Tests for bulk publish partial failure behavior
@matthew-petty
Merge branch 'main' into simple-routes-fallback
1a1ae7a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matthew-petty @CLAassistant