feat(services): migrate monitor domain tRPC (PR 4/N) by mxkaske · Pull Request #2105 · openstatusHQ/openstatus

mxkaske · 2026-04-23T08:57:56Z

Summary

Stacked on #2104. Migrates the tRPC monitor router — all 14 procedures — onto @openstatus/services/monitor. The Connect RPC monitor handler and the v1 REST monitors/* endpoints stay untouched for now; they're separate external-API surfaces with their own test suites and warrant their own follow-up PRs.

What lands

Services (`packages/services/src/monitor/`)

CRUD + relation management + list / get:

createMonitor, cloneMonitor, deleteMonitor, deleteMonitors (bulk soft-delete), getMonitor, listMonitors.
updateMonitorGeneral — keeps the existing tRPC jobType-agnostic update (HTTP ↔ TCP ↔ DNS switch allowed, called out as a code smell in the explore but kept for dashboard-compatibility).
Field-specific setters: updateMonitorRetry, updateMonitorFollowRedirects, updateMonitorOtel, updateMonitorPublic, updateMonitorResponseTime.
Relation setters (transactional + validated): updateMonitorSchedulingRegions (plan-limit checks + private-location validation), updateMonitorTags, updateMonitorNotifiers.
bulkUpdateMonitors — batched toggle of public / active.
All mutations inside withTransaction, emit emitAudit. Soft delete cascades to monitor_tag_to_monitor, notifications_to_monitors, and page_component rows.

Shared internals

validateTagIds / validateNotificationIds / validatePrivateLocationIds — workspace-scoped, dedupe input.
pickDefaultRegions(workspace) — ports the old "random 4 free / 6 paid, excluding deprecated" logic.
serialiseAssertions / headersToDbJson — moved out of the router.
countMonitorsInWorkspace for quota checks in create / clone.

list.ts — batched enrichment

listMonitors runs two IN queries (tags + incidents) regardless of row count. getMonitor reuses the same batch path with an additional pair of IN queries for notifications / privateLocations. Pairs well with the 10_000 sentinel tRPC passes.

Surface — external contract preserved

packages/api/src/router/monitor.ts — every procedure is a thin wrapper:

delete catches NotFoundError for idempotency (same pattern as status-report / maintenance / incident).
new and updateGeneral keep the testHttp / testTcp / testDns pre-save endpoint check at the tRPC layer. Services unconditionally save; pre-validation is caller-specific UX.

Deliberately out of scope

Connect RPC monitor handler (apps/server/src/routes/rpc/services/monitor/) — still uses its own validators.ts / limits.ts / converters. Migrating it to services is a self-contained follow-up (4b), doesn't block this PR.
v1 REST (apps/server/src/routes/v1/monitors/*) — four separate endpoints that insert monitors directly. Another external surface; dedicated PR.
packages/api/src/service/import.ts monitor writes — covered by the plan's dedicated PR 9.

Enforcement

Biome noRestrictedImports scope adds packages/api/src/router/monitor.ts. The Connect monitor handler stays out of scope until 4b.
Subpath export @openstatus/services/monitor.

Tests

__tests__/monitor.test.ts — create (http / tcp / dns), delete cascade, bulk delete, clone, tags / notifiers validation (forbidden cross-workspace, dedupe), list / get workspace isolation + soft-delete hiding, updateMonitorGeneral round-trip.

Test plan

Service integration tests
Dashboard /monitors list + get + create flow
Dashboard edit forms — tags / notifiers / regions / retry / public / otel / response-time
Dashboard clone + delete (single + bulk)
Connect RPC monitor suite unaffected (unchanged)

Stack

feat(services): scaffold domain service layer (PR 0/N) #2100 scaffold → feat(services): migrate status-report domain (PR 1/N) #2101 status-report → feat(services): migrate maintenance domain (PR 2/N) #2103 maintenance → feat(services): migrate incident domain (PR 3/N) #2104 incident → this PR monitor (tRPC)
Follow-ups: Connect monitor handler migration (4b), then PR 5 notification → PR 6 page-component → …

🤖 Generated with Claude Code

Fourth domain, the largest so far. Migrates the **tRPC** monitor router (all 14 procedures) onto `@openstatus/services/monitor`. The Connect handler (`apps/server/src/routes/rpc/services/monitor/`) and the v1 REST `apps/server/src/routes/v1/monitors/*` endpoints stay untouched for now — they are separate external-API surfaces and warrant their own follow-up PRs with their own test suites. ## Services (`packages/services/src/monitor/`) - `createMonitor`, `cloneMonitor`, `deleteMonitor`, `deleteMonitors` (bulk soft-delete), `getMonitor`, `listMonitors`. - `updateMonitorGeneral` — preserves the existing tRPC `updateGeneral` behaviour including jobType switching (HTTP ↔ TCP ↔ DNS). Called out as a code smell in the explore, but preserved intentionally since it's the dashboard's current edit flow. Kept jobType-agnostic rather than split into 3 separate update methods. - `updateMonitorRetry`, `updateMonitorFollowRedirects`, `updateMonitorOtel`, `updateMonitorPublic`, `updateMonitorResponseTime` — field-specific setters. - `updateMonitorSchedulingRegions` — enforces plan limits (periodicity / region-count / region-access) + validates the private-location ids before replacing the association set. - `updateMonitorTags`, `updateMonitorNotifiers` — validate and replace the tag / notifier association sets. - `bulkUpdateMonitors` — batched toggle of `public` / `active` across multiple monitor ids. Matches the old `updateMonitors` procedure. - All mutations run inside `withTransaction`, emit `emitAudit`. - Cascade deletes: `monitor_tag_to_monitor`, `notifications_to_monitors`, `page_component` rows are torn down on delete (matches pre-migration behaviour — bypasses FK cascades because some rows reference the monitor without cascade). ## Shared helpers (`monitor/internal.ts`) - `validateTagIds` / `validateNotificationIds` / `validatePrivateLocationIds` — workspace-scoped validators with dedupe. - `pickDefaultRegions(workspace)` — ports the old "randomly pick 4 free / 6 paid regions excluding deprecated" logic. - `serialiseAssertions` / `headersToDbJson` — assertion / header serialisation moved out of the tRPC router. - `countMonitorsInWorkspace` for quota checks. ## list.ts — batched enrichment `listMonitors` does two IN queries (tags + incidents) regardless of list size. `getMonitor` reuses the same path with the richer `{ notifications, privateLocations }` toggle and a singleton. Same pattern as status-report's batched fix. ## Surfaces migrated - **tRPC** (`packages/api/src/router/monitor.ts`): every procedure is a thin wrapper. `delete` catches `NotFoundError` for idempotency. `new` / `updateGeneral` keep the `testHttp` / `testTcp` / `testDns` pre-save check at the tRPC layer — services unconditionally save, callers decide whether to pre-validate. ## Out of scope (follow-up PRs) - Connect RPC handler at `apps/server/src/routes/rpc/services/monitor/` — still uses its own helpers. Will be migrated in a follow-up (4b). - v1 REST endpoints at `apps/server/src/routes/v1/monitors/*` — yet another external surface; dedicated PR later. - `packages/api/src/service/import.ts` monitor writes — covered by the plan's dedicated PR 9. ## Enforcement - Biome `noRestrictedImports` scope adds `packages/api/src/router/monitor.ts`. The Connect monitor handler stays out of scope until 4b. - Subpath export `@openstatus/services/monitor`. ## Tests - `packages/services/src/monitor/__tests__/monitor.test.ts` — create (http / tcp / dns), delete cascade, bulk delete, clone, tags / notifiers validation (forbidden when cross-workspace), list / get with workspace isolation + soft-delete hiding, updateMonitorGeneral round-trip. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

vercel · 2026-04-23T08:58:01Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
openstatus-dashboard	Ready	Preview, Comment	Apr 24, 2026 9:34am
openstatus-status-page	Ready	Preview, Comment	Apr 24, 2026 9:34am
openstatus-web	Ready	Preview, Comment	Apr 24, 2026 9:34am

cubic-dev-ai

5 issues found across 14 files

Prompt for AI agents (unresolved issues)


Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/services/src/monitor/schemas.ts">

<violation number="1" location="packages/services/src/monitor/schemas.ts:90">
P1: `timeout`/`degradedAfter` should enforce the same numeric bounds as the monitor validation schema to prevent invalid persisted response-time settings.</violation>
</file>

<file name="packages/services/src/monitor/internal.ts">

<violation number="1" location="packages/services/src/monitor/internal.ts:163">
P2: `jsonBody` assertions are silently discarded during monitor serialization, so valid assertions from input are not persisted.</violation>
</file>

<file name="packages/services/src/monitor/clone.ts">

<violation number="1" location="packages/services/src/monitor/clone.ts:37">
P2: Cloning copies the source monitor `status`, so new clones can start with stale `error/degraded` health instead of an initial active state.</violation>
</file>

<file name="packages/services/src/monitor/delete.ts">

<violation number="1" location="packages/services/src/monitor/delete.ts:33">
P2: Single delete does not filter out already soft-deleted monitors, so repeated deletes re-run side effects and emit duplicate delete audits instead of returning NotFound.</violation>
</file>

<file name="packages/services/src/monitor/list.ts">

<violation number="1" location="packages/services/src/monitor/list.ts:79">
P2: Scope incident enrichment by workspace to prevent cross-workspace data leakage from inconsistent relation data.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

The monitor domain pulls `regionDict` from `@openstatus/regions` (for the default-region picker) and assertion classes / validators from `@openstatus/assertions`. Both were missing from `packages/services/package.json`, so Vercel's Next.js build for `apps/status-page` — which transitively imports the services package via `@openstatus/api` — failed with "Module not found" on `packages/services/src/monitor/internal.ts:20` and `schemas.ts:1`. Local pnpm workspaces resolved the imports via hoisting, which masked the missing declarations until an actual Next.js build forced strict resolution. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- **`timeout` / `degradedAfter` bounds** (schemas.ts) — mirror the 0–60_000 ms cap from `insertMonitorSchema`. Values outside the range are rejected before the UPDATE instead of being silently persisted. - **`jsonBody` assertion mapping** (internal.ts) — the serialiser was silently dropping `jsonBody`-typed input because the runtime class wasn't wired up. Added the `JsonBodyAssertion` branch; the class has existed in `@openstatus/assertions` the whole time, this was just a missing case. - **Clone resets `status`** (clone.ts) — cloning no longer inherits the source's current `error`/`degraded` health. Freshly cloned monitors start at `"active"` and settle on their first check. - **Delete filters soft-deleted** (delete.ts) — the pre-check now includes `isNull(monitor.deletedAt)`, so a repeat delete returns `NotFoundError` (preserved as idempotent at the tRPC layer) instead of re-running the cascades and emitting duplicate audits. - **List/get workspace scope on relations** (list.ts) — `enrichMonitorsBatch` takes `workspaceId` and scopes the incident / tag / notification / private-location IN queries to the caller's workspace. Defence-in-depth against inconsistent FK data (none of those tables enforce workspace ownership at the FK level). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

mxkaske · 2026-04-23T09:20:52Z

Review response (Cubic findings)

All five valid — fixed in 1d7414b1.

✅ 1. `timeout` / `degradedAfter` bounds (P1)

My UpdateMonitorResponseTimeInput had z.number().int() with no bounds, while the canonical insertMonitorSchema caps both fields at 0..60_000 ms. Aligned to match — invalid values are rejected at the service boundary instead of being persisted.

✅ 2. `jsonBody` assertions silently dropped (P2)

JsonBodyAssertion exists in @openstatus/assertions (line 348 of v1.ts); I just didn't map it in serialiseAssertions. The old tRPC router had the same gap, so this is a strict improvement — adding the missing branch means jsonBody assertions now round-trip correctly to the stored JSON.

✅ 3. Clone inherits stale `status` (P2)

cloneMonitor was spreading { ...source } into the insert, carrying the source's current status (which could be error / degraded). Destructured status out and forced "active" — freshly cloned monitors settle on their own first check. The old tRPC had the same bug; this tightens.

✅ 4. Single `delete` re-runs side effects on soft-deleted rows (P2)

deleteMonitor's pre-check was missing isNull(monitor.deletedAt), so a repeated delete would re-run the tag / notifier / page-component cascades and emit a duplicate audit. Added the filter; the second delete now returns NotFoundError, which the tRPC wrapper swallows → external behaviour is still "idempotent" from the caller's perspective, but without the duplicate side effects internally.

✅ 5. List/get enrichment missing workspace scope (P2)

Threaded workspaceId through enrichMonitorsBatch and added eq(…workspaceId, workspaceId) to all four relation queries — tags, incidents, notifications, private-locations. Defence-in-depth: none of those tables enforce workspace ownership at the FK level, so inconsistent data wouldn't leak. Same pattern as the monitor-enrichment fix on #2104.

Local typecheck + biome clean on all five changes.

mxkaske · 2026-04-23T14:25:46Z

@claude review

claude · 2026-04-23T14:34:02Z

Claude finished @mxkaske's task in 2m 30s —— View job

Code Review

Gather context and understand the PR
Read service layer files (create, clone, delete, list, update, relations, internal, schemas, index)
Read tRPC router wrapper
Read test file
Post review findings

Overall this is a well-structured migration. The 5 Cubic issues are all correctly addressed in 1d7414b, and the patterns are consistent with the earlier PRs in the stack. A few things worth calling out below.

Issues

Medium — bulkUpdateMonitors emits audit events for unmatched IDs (update.ts:239)

The for...await loop emits a monitor.bulk_update audit event for every ID in input.ids, including IDs that the WHERE clause silently skipped (wrong workspace, already soft-deleted). The actual DB rows aren't touched for those IDs, but the audit log records that they were. The PR description notes this matches pre-migration behaviour, but the old code had no audit trail at all — so this is new pollution, not preservation.

Suggest constraining the audit loop to IDs that were actually matched:

// Instead of: for (const id of input.ids)
const updatedRows = await tx
  .select({ id: monitor.id })
  .from(monitor)
  .where(and(inArray(monitor.id, input.ids), eq(monitor.workspaceId, ctx.workspace.id), isNull(monitor.deletedAt)))
  .all();
for (const { id } of updatedRows) { ... }

Or, fetch the matching IDs first and use those for both the update and the audit loop. Fix this →

Low — updateMonitorOtel serializes otelHeaders inline instead of using headersToDbJson (update.ts:139)

// Current
otelHeaders: input.otelHeaders ? JSON.stringify(input.otelHeaders) : undefined,

// Consistent with the rest of the module
otelHeaders: headersToDbJson(input.otelHeaders),

headersToDbJson has the same behaviour (undefined → undefined, array → JSON.stringify(array)), so this is a drop-in substitution. Minor, but it's the only place that bypasses the shared helper. Fix this →

Low — deleteMonitors always blames ids[0] in the NotFoundError (delete.ts:90)

if (existing.length !== ids.length) {
  throw new NotFoundError("monitor", ids[0] ?? -1);  // always blames first id
}

When a mix of valid and invalid IDs is passed, the error always reports ids[0] even if that one exists. The actual missing ID can be computed cheaply:

const foundIds = new Set(existing.map(r => r.id));
const missingId = ids.find(id => !foundIds.has(id)) ?? -1;
throw new NotFoundError("monitor", missingId);

Low — Missing test for the double-delete fix

The Cubic P2 fix adds isNull(monitor.deletedAt) to deleteMonitor to prevent re-running side-effects on a second call. There's no test asserting the new behaviour:

test("second delete returns NotFoundError (idempotency guard)", async () => {
  // ... create, delete once, then:
  await expect(
    deleteMonitor({ ctx: teamCtx, input: { id: row.id } })
  ).rejects.toBeInstanceOf(NotFoundError);
});

Low — UpdateMonitorRetryInput.retry has no bounds (schemas.ts:62)

The Cubic P1 finding added gte(0).lte(60_000) bounds to timeout/degradedAfter. The retry field in the same file is z.number().int() with no min/max. The DB column has default(3) but no CHECK constraint, and insertMonitorSchema also has no bounds on retry — so this is consistent with the rest of the codebase. Just worth noting if tighter enforcement is a goal.

Nit — `listMonitors` ordering is implicit

list.ts:203-208 sorts by (active DESC, createdAt DESC) when order: "desc", which puts active monitors above inactive ones. This is good dashboard UX, but the ListMonitorsInput.order parameter is named "asc"/"desc" without documenting what it sorts by. A future caller might reasonably assume it controls createdAt only and be surprised by the active primary key. A short schema-level comment (or renaming to something like activeFirst) would make the intent clear.

Positives

All 5 Cubic issues correctly resolved — jsonBody assertion mapping, status exclusion from clone, double-delete guard, timeout/degradedAfter bounds, and workspace scoping on all 4 enrichment queries.
getMonitorInWorkspace used consistently as the load-verify-mutate pattern before every write — no bare updates.
Batched enrichment in enrichMonitorsBatch avoids the N+1 pattern for list/get.
updateMonitorSchedulingRegions correctly validates plan limits before entering the transaction (fail-fast).
Service/tRPC boundary is clean: testHttp/testTcp/testDns pre-save checks stay in the tRPC layer, service unconditionally persists.
Soft-delete cascade to monitorTagsToMonitors, notificationsToMonitors, and pageComponent is complete.
pickDefaultRegions correctly ports the "random 4 free / 6 paid, excluding deprecated" logic.

* feat(services): migrate notification CRUD onto service layer Fifth domain. Migrates the four CRUD procedures — `list`, `new`, `updateNotifier`, `delete` — of the notification tRPC router onto `@openstatus/services/notification`. The three integration-helper procedures (`sendTest`, `createTelegramToken`, `getTelegramUpdates`) stay inline at the tRPC layer and are explicitly out of scope for this migration. ## Services (`packages/services/src/notification/`) - `createNotification` — enforces plan limits on both the channel count (`notification-channels`) and the provider itself (`sms` / `pagerduty` / `opsgenie` / `grafana-oncall` / `whatsapp` require plan flags); validates the loose `data` payload against `NotificationDataSchema`; validates monitor ids are in-workspace and not soft-deleted. - `updateNotification` — replaces name / data / monitor associations in a single transaction with the same validation rules as create. - `deleteNotification` — hard-delete (FK cascade clears associations). The tRPC wrapper swallows `NotFoundError` to preserve the old idempotent behaviour. - `listNotifications`, `getNotification` — batched IN query enriches monitors per notification. Monitor enrichment is workspace-scoped and filters soft-deleted monitors for defence-in-depth. - All mutations run inside `withTransaction`, emit `emitAudit`. ## Surface migrated - **tRPC** (`packages/api/src/router/notification.ts`): `list` / `new` / `updateNotifier` / `delete` become thin service wrappers. `sendTest` + `createTelegramToken` + `getTelegramUpdates` are unchanged. ## Out of scope (flagged for follow-up) - **`sendTest` migration** — the dispatch switch imports from 10 `@openstatus/notification-*` packages. Moving it into services would pull those as direct deps; the plan's phrasing ("Channel CRUD + test-dispatch") allows this as a later extraction. - **`createTelegramToken` / `getTelegramUpdates`** — redis + external Telegram API helpers; transport UX, not domain operations. - **Biome scope for `notification.ts`** — the file still imports `@openstatus/db/src/schema` for the `sendTest` provider data schemas. Will land with the sendTest migration follow-up. - **Connect RPC notification handler** — stays on its own helpers; follow-up aligned with PR 4's Connect deferral. ## Tests - `__tests__/notification.test.ts` covers create (including `ValidationError` on malformed data, `LimitExceededError` on gated provider, `ForbiddenError` on cross-workspace monitor), update (association replacement, cross-workspace `NotFoundError`), delete, list/get workspace isolation + monitor enrichment scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): address Cubic review - **Update flow plan gate** (update.ts) — `updateNotification` was skipping `assertProviderAllowed`, so a user who downgraded their plan could still edit a notification configured with a now-restricted provider. Re-check against the stored `existing.provider` to match the create-time gate. - **Provider / data match** (internal.ts) — `NotificationDataSchema` is a union, so `{ provider: "discord", data: { slack: "…" } }` passed the union check even though the payload key doesn't match the provider. `validateNotificationData` now takes the provider and asserts `provider in data` after the top-level parse. Applied in both `create` and `update` (update uses the stored provider since the API doesn't allow provider changes). Added a test for the mismatch case. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): tighten data validation against provider schema Cubic's follow-up on the previous fix was right: checking only `provider in data` isn't enough. `NotificationDataSchema` is a union, so a payload like `{ discord: "not-a-url", slack: "valid-url" }` passes because the union matches the slack variant — the extra `discord` key is ignored, and my key-presence check sees `"discord"` and lets it through. Replaced the union parse + key check with a provider-specific schema lookup (`providerDataSchemas[provider].safeParse(data)`). Each canonical channel schema is keyed by its provider name and validates the shape / content of the value, so the new check catches both the mismatched-provider and malformed-payload cases in one pass. Added a test covering the exact case Cubic flagged — invalid `discord` URL alongside a valid `slack` URL now rejects with ValidationError. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate page-component domain (PR 6/N) (#2107) * feat(services): migrate page-component domain onto service layer Sixth domain, tRPC-only. Migrates `list`, `delete`, and `updateOrder` onto `@openstatus/services/page-component`. ## Services (`packages/services/src/page-component/`) - `listPageComponents` — workspace-scoped filter + optional pageId filter. Batched enrichment in four IN queries (monitors, groups, status reports via join, maintenances via join). All relation queries scoped to the caller's workspace for defence-in-depth. - `deletePageComponent` — hard-delete. Cascade clears the `status_report_to_page_component` / `maintenance_to_page_component` associations. The tRPC wrapper swallows `NotFoundError` to preserve the pre-migration idempotent behaviour. - `updatePageComponentOrder` — the complex one. Mirrors the existing diff-and-reconcile pass faithfully (≈220 lines → a single transaction): 1. Assert the page is in the workspace. 2. Enforce the workspace's `page-components` plan cap. 3. Validate every monitor id in the input set. 4. Remove monitor components whose monitorId isn't in the input; remove static components based on whether the input carries ids. 5. Clear `groupId` before dropping groups (FK safety), then recreate groups. 6. Upsert monitor components via `onConflictDoUpdate` on the `(pageId, monitorId)` unique constraint (preserves ids). 7. Update existing static components by id; insert new ones. Audit: `page_component.update_order` / `page_component.delete`. ## Surface - **tRPC** (`packages/api/src/router/pageComponent.ts`): all three procedures call services. `delete` catches `NotFoundError` and returns the old `drizzle.returning()`-shaped empty array. The pre-existing `pageComponent.test.ts` (tests cross-workspace monitorId → `TRPCError(FORBIDDEN)`) is untouched and still valid — my services throw `ForbiddenError`, which `toTRPCError` maps to the same code. ## Enforcement - Biome `noRestrictedImports` scope adds `packages/api/src/router/pageComponent.ts`. - Subpath export `@openstatus/services/page-component`. ## Tests - `__tests__/page-component.test.ts` covers `updatePageComponentOrder` happy path (creates monitor + static + grouped components), rejects cross-workspace monitorId and cross-workspace pageId, `list` workspace isolation, `delete` cross-workspace `NotFoundError`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): Connect RPC notification handler catch-up (#2108) * feat(services): Connect RPC notification handler onto services (catch-up) Follow-up to PR 5 — noticed on review that my PRs from PR 4 onwards had been narrowing scope to tRPC only and deferring Connect handlers, which was piling up. This closes the notification Connect gap. ## What changed `apps/server/src/routes/rpc/services/notification/index.ts` — the five CRUD methods now delegate to `@openstatus/services/notification`: - `createNotification` → `createNotification` service (handles the plan-count limit, per-provider plan gate, and data-schema validation internally — the Connect-side `checkNotificationLimit` / `checkProviderAllowed` / `validateProviderDataConsistency` calls are gone). - `getNotification`, `listNotifications`, `updateNotification`, `deleteNotification` — thin proto-to-service-to-proto wrappers. - `updateNotification` reads the existing record via the service and fills in missing fields (Connect's update is partial; the service expects a full payload), then applies the update. Left inline: - `sendTestNotification` — calls `test-providers.ts` (external HTTP). - `checkNotificationLimit` RPC method — returns the count info via `./limits.ts` helpers (pure queries, no domain mutation). The local Connect helpers (`validateProviderDataConsistency`, `checkNotificationLimit`, `checkProviderAllowed`, and the ad-hoc `validateMonitorIds` / `updateMonitorAssociations` / `getMonitorById` / `getMonitorCountForNotification` / `getMonitorIdsForNotification`) are no longer imported by `index.ts`; they remain in their files because `test-providers.ts` and the unmigrated Connect monitor handler still reference some of them. ## Biome Added `apps/server/src/routes/rpc/services/notification/index.ts` to the `noRestrictedImports` scope. The directory-level glob isn't a fit because `limits.ts` and `test-providers.ts` legitimately need direct db access until their own follow-up migrations. ## Deferred - **Connect monitor handler** (~880 lines, 6 jobType-specific create/update methods + 3 external-integration methods) — requires a much bigger refactor. Flagged as dedicated PR 4b; tracked separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): dedupe monitor ids in Connect createNotification response Cubic's P2 catch: the service dedupes `monitors` before the insert (via `validateMonitorIds` in the services package), but the Connect handler echoed `req.monitorIds` verbatim back in the response. For an input like `["1", "1", "2"]` the DB stored `[1, 2]` while the response claimed `["1", "1", "2"]` — caller state diverges from persistence. Echo `Array.from(new Set(req.monitorIds))` instead so the response matches what's actually stored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate page authoring (PR 7/N) (#2109) * feat(services): migrate page (status-page authoring) onto service layer Seventh domain. Migrates the 13 authoring procedures in `pageRouter` onto `@openstatus/services/page`. Deliberately scoped to authoring CRUD only: - `statusPage.ts` — public viewer endpoints (subscribe / get / uptime / report / verify / unsubscribe) are a separate surface that doesn't use the authenticated `ServiceContext`; dedicated follow-up. - Connect `apps/server/src/routes/rpc/services/status-page/**` — ~1500 lines with 18 methods (page CRUD + components + groups + subscribers + view). Too big for this PR; dedicated follow-up, same shape as the Connect monitor deferral. ## Services (`packages/services/src/page/`) - `createPage` / `newPage` — full vs minimal create; both enforce the `status-pages` plan cap and (for `createPage`) the per-access-type plan gates (password-protection, email-domain-protection, ip- restriction, no-index). - `deletePage` — FK cascade clears components / groups / reports / subscribers. - `listPages` — batched enrichment with `statusReports`. - `getPage` — enriched with `maintenances` / `pageComponents` / `pageComponentGroups`. - `getSlugAvailable` — pure check against `subdomainSafeList` + DB. - `updatePageGeneral` — with slug-uniqueness re-check on change. - `updatePageCustomDomain` — persists the DB change and returns the previous domain so the caller can diff. Vercel add/remove stays at the tRPC layer (external integration). - `updatePagePasswordProtection` — re-applies the same plan gates the `create` path uses. - `updatePageAppearance`, `updatePageLinks`, `updatePageLocales` (gated on `i18n` plan flag), `updatePageConfiguration`. - Audit action emitted for every mutation. ## tRPC (`packages/api/src/router/page.ts`) All 13 procedures are thin wrappers. `delete` catches `NotFoundError` for idempotency. `updateCustomDomain` orchestrates: 1. `getPage` (via service) to read the existing domain. 2. `addDomainToVercel` / `removeDomainFromVercel` as needed. 3. `updatePageCustomDomain` (via service) to persist. ## Enforcement - Biome scope adds `packages/api/src/router/page.ts`. The router imports `insertPageSchema` via the services re-export (`CreatePageInput`) so the db-import ban applies cleanly. - Subpath export `@openstatus/services/page`. ## Tests - `__tests__/page.test.ts` covers `newPage` happy / reserved / duplicate, `createPage` monitor attachment + cross-workspace monitor, `updatePageGeneral` rename + duplicate-slug conflict + cross-workspace, `updatePageLocales` plan gate, list / get / slug-available workspace isolation, delete cross-workspace NotFoundError. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate Connect status-page page CRUD onto services Extends PR #2109 to cover the Connect RPC status-page handler's page CRUD surface (create / get / list / update / delete), matching the migration that landed for tRPC's `pageRouter`. The other 13 methods (components, groups, subscribers, viewer) still read the db directly — they're separate domains that'll need their own services in follow-ups. - create / get / delete call into `@openstatus/services/page` and preserve the granular Connect errors (`statusPageNotFoundError`, `slugAlreadyExistsError`) by pre-checking before the service call or catching `NotFoundError` → re-throwing the richer variant. - list fetches via the service and paginates in-memory; status-page quota is bounded per workspace so the extra enrichment is negligible. - update loads the existing page via the service, then orchestrates the per-section updates (`updatePageGeneral`, `updatePageLinks`, `updatePageAppearance`, `updatePageCustomDomain`, `updatePageLocales`, `updatePagePasswordProtection`) inside a shared transaction so a partial failure can't leave the page half-updated. Each service's internal `withTransaction` detects the pre-opened tx and skips nesting. - Proto-specific format validations (https icon URL, custom-domain regex, IPv4 CIDR, email-domain shape) and the i18n PermissionDenied path stay at the handler — they don't exist in the zod insert schema and their error codes would change if deferred to the service. - `Page` from the service parses `authEmailDomains` / `allowedIpRanges` into arrays, while the converters (still used by the unmigrated methods) expect the comma-joined string form. `serviceToConverterPage` bridges the two shapes at the call sites that need it. Biome scope deliberately unchanged: the file still imports from `@openstatus/db` for the 13 legacy methods, so the override would light up the whole file. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page): address Cubic review on #2109 Four issues flagged across two Cubic reviews: - `createPage` skipped `assertSlugAvailable`, so full-form creates could bypass reserved/duplicate slug validation and either create a duplicate or fail late on a DB constraint instead of the clean `ConflictError`. Added the check alongside the existing quota gate. - `createPage` passed `passwordProtected` / `allowedIpRanges` but not `allowIndex` to `assertAccessTypeAllowed`, bypassing the `no-index` plan gate on create. Now forwarded. - `UpdatePagePasswordProtectionInput.allowedIpRanges` accepted arbitrary strings. Mirrored the CIDR validation from `insertPageSchema` — bare IPs get `/32` appended, everything pipes through `z.cidrv4()`. - `updatePagePasswordProtection` wrote `authEmailDomains: input.authEmailDomains?.join(",")`, which evaluates to `undefined` when the caller clears the field. Drizzle treats `undefined` as "skip this column" on `.set()`, so stale email domains survived an access-type switch. Added the `?? null` fallback to match the neighboring `allowedIpRanges` line. This fixes the Connect `updateStatusPage` path where switching away from AUTHENTICATED sets `nextAuthEmailDomains = undefined` expecting the column to clear. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate workspace / user / invitation / api-key (PR 8/N) (#2110) * feat(services): migrate workspace / user / invitation / api-key (PR 8/N) Stacked on PR #2109. Eighth migration — four small domains consolidated into one PR because each is narrow (roughly two to five procedures) and they share no structural dependencies beyond already-migrated infrastructure. ### Services (`packages/services/src/{workspace,user,invitation,api-key}/`) **workspace** — `getWorkspace`, `getWorkspaceWithUsage` (pages + monitors + notifications + page-components batched via drizzle relations), `listWorkspaces` (takes `userId` explicitly since `list` runs across every workspace the user has access to), `updateWorkspaceName`. **user** — `getUser` (active, non-soft-deleted), `deleteAccount` (the paid- plan guardrail stays; removes non-owned memberships, sessions, OAuth accounts and blanks the PII columns inside a single tx). **invitation** — `createInvitation` (plan gate counts pending invites against the members cap so two outstanding invites can't both accept past the limit), `deleteInvitation`, `listInvitations`, `getInvitationByToken` (scoped by token **and** accepting email to prevent token-sharing), `acceptInvitation` (stamps acceptedAt + inserts membership atomically). **api-key** — `createApiKey` (returns plaintext token once), `revokeApiKey` (workspace-scoped existence check inside the tx so concurrent revokes resolve to a consistent NotFound rather than a silent no-op), `listApiKeys` (replaces the legacy per-row `Promise.all` fan-out with a single IN query for creator enrichment), `verifyApiKey` + `updateApiKeyLastUsed` (no ctx required — the verify path runs before workspace resolution and callers pass an optional `db` override). ### tRPC (`packages/api/src/router/{workspace,user,invitation,apiKey}.ts`) All 14 procedures become thin `try { return await serviceFn(...) } catch { toTRPCError }` wrappers. Router shapes stay identical so the dashboard needs no changes. Connect + Slack don't expose these domains today; migrating their consumers is a follow-up. ### Enforcement Biome `noRestrictedImports` override adds the four router files. Subpath exports `@openstatus/services/{workspace,user,invitation,api-key}` added to the services package. ### Cleanup Deletes `packages/api/src/service/apiKey.ts` and its tests — fully superseded by `packages/services/src/api-key/`. The auth middleware in `apps/server` has its own inline apiKey verification and is unaffected. ### Deliberately out of scope - **`domain.ts`** — pure Vercel-API proxy with no DB usage; not part of the migration surface. Stays as-is. - **`packages/api/src/service/{import,telegram-updates}.ts`** — import migration is PR 9; telegram-updates stays for a follow-up. ### Tests Per-domain `__tests__/*.test.ts` covers: workspace rename + audit, usage counts, members cap hit on free plan, invitation token-mismatch rejection, accept idempotency, api-key creation returning a bcrypt hash, list creator enrichment, revoke NotFoundError on unknown ids, verifyApiKey happy / bad- format / wrong-body paths, lastUsed debounce. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Cubic review on #2110 Four issues flagged on PR 8: - **P1 — `invitation/accept.ts`**: the read-then-write pattern let two concurrent accepts both pass the `isNull(acceptedAt)` check and race through the membership insert. Replaced with a conditional UPDATE that re-asserts `isNull(acceptedAt)` in the WHERE clause and checks `.returning()` rowcount. The loser gets `ConflictError`, the tx aborts before membership inserts run. - **P2 — `api-key/create.ts`**: `createdById` was taken from input and the router spliced in `ctx.user.id`. Since that column is attribution data (who owns the key, who the audit row blames), trusting input would let any caller forge ownership. Derived from `ctx.actor` via `tryGetActorUserId`; actors without a resolvable user id (system / webhook / unlinked api-key) now get `UnauthorizedError` instead of a silent NULL write. `createdById` removed from the input schema. - **P2 — `invitation/delete.ts`**: audit row was emitted even when the DELETE matched zero rows (unknown id / wrong workspace). Switched to `.returning({ id })` and short-circuit before the audit emit so the log only reflects actual deletions. - **P2 — `invitation/list.ts`**: the `if (!input.email)` → `UnauthorizedError` branch in `getInvitationByToken` was unreachable because `z.email()` already rejects empty / malformed emails at `.parse()`. Removed the dead branch; the router keeps its own pre-call check for `ctx.user.email`, so the transport-level UnauthorizedError path is preserved. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate import domain (PR 9/N) (#2111) * feat(services): migrate import domain (PR 9/N) Stacked on PR #2110. Ninth and final domain — lifts the ~1,000-line `packages/api/src/service/import.ts` orchestrator into the services package as its own `@openstatus/services/import` domain. ### Services (`packages/services/src/import/`) Split into focused files: - **`schemas.ts`** — `PreviewImportInput` / `RunImportInput` zod. Provider discriminator + per-provider page-id fields live here; options schema is separately exported for callers that want to pre-validate. - **`provider.ts`** — `createProvider` factory + `buildProviderConfig` reshape helper, isolated from the orchestrator so adding a provider is a one-file change. - **`limits.ts`** — `addLimitWarnings` (shared by preview + run). Pure mutation on the `ImportSummary` argument; no writes. - **`utils.ts`** — `clampPeriodicity` + `computePhaseStatus` helpers. - **`phase-writers.ts`** — the seven phase writers (page / component groups / components / incidents / maintenances / monitors / subscribers). Each takes a `DB` explicitly so callers can thread a pre-opened tx; failing resources get `status: "failed"` with an error string rather than throwing. - **`preview.ts`** — dry-run only; validates credentials, runs the provider with `dryRun: true`, emits warnings. - **`run.ts`** — the orchestrator. Now owns the `pageId` ownership check (previously duplicated in the tRPC router) and emits exactly **one** `import.run` audit row regardless of outcome so partial / failed runs still show up in the audit signal. Deliberately *not* wrapped in `withTransaction` — imports can span minutes across dozens of writes and the existing UX is phase-level recovery. ### tRPC (`packages/api/src/router/import.ts`) 124 lines → 28 lines. The router is now a thin `previewImport` / `runImport` wrapper; the input schemas and all validation live in the service. The router-level `TRPCError`-throwing `pageId` ownership check moved into `runImport` so non-tRPC callers (Slack / future) get the same guard. ### Error shape changes - Provider validation failure: `TRPCError("BAD_REQUEST")` → `ValidationError` → `TRPCError("BAD_REQUEST")`. Net-same. - Unknown / wrong-workspace `pageId`: `TRPCError("NOT_FOUND")` → `NotFoundError` → `TRPCError("NOT_FOUND")`. Net-same. ### Tests - Unit tests for `addLimitWarnings` / `clampPeriodicity` / `computePhaseStatus` move to `packages/services/src/import/__tests__/`. - Router integration tests (`packages/api/src/router/import.test.ts`) that previously called `previewImport` / `runImport` directly to override workspace limits now route through `makeCaller(limitsOverride)` with an explicit `provider: "statuspage"` field. This also fixes four pre-existing TypeScript errors where those calls were missing the (required) provider discriminator. ### Enforcement - Biome `noRestrictedImports` override adds `packages/api/src/router/import.ts`. - Subpath export `@openstatus/services/import` added. - `@openstatus/importers` added to services deps; services `tsconfig.json` bumped to `moduleResolution: "bundler"` so the importers package-exports map resolves (same setting `packages/api` already uses). ### Cleanup Deletes `packages/api/src/service/import.ts` (1042 lines) and its test file (463 lines). Only `telegram-updates.ts` remains in `packages/api/src/service/` — that's slated for a follow-up PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services/import): per-resource audit + Cubic fixes on #2111 Two changes folded together: ### Per-resource audit Every phase writer now emits one `emitAudit` row per *created* resource, matching what the domain services emit for normal CRUD: | Phase | Audit action | --- | --- | page | `page.create` | componentGroups | `page_component_group.create` | components | `page_component.create` | monitors | `monitor.create` | incidents | `status_report.create` + `status_report.add_update` per update | maintenances | `maintenance.create` | subscribers | `page_subscriber.create` Skipped resources don't emit (their original create audit already exists); failed resources don't emit (nothing was written); link-table rows (statusReportsToPageComponents etc.) don't emit (edges, not entities). Metadata always carries `source: "import"` + `provider: <name>` + `sourceId: <provider-id>` so the audit trail traces back to the source system. The rollup `import.run` audit still fires at the end — the per-resource rows give forensic granularity, the run-level row gives "this bulk operation happened" without scanning the full summary blob. For the change, phase writers now take a shared `PhaseContext = { ctx, tx, provider }` instead of `(db, workspaceId, limits)` — the orchestrator builds one `PhaseContext` per run and threads it through, giving each writer access to `ctx.actor` for audit attribution. `statusReportUpdate` writes now use `.returning({ id })` so the per-update audit can attribute the right row. ### Cubic review fixes - **`run.ts:130`** — phases after `page` kept their provider-assigned status when `targetPageId` was falsy but the user option wasn't `false`. Replaced the narrow `else if (option === false)` branches with a plain `else → phase.status = "skipped"`, matching what `subscribers` already did. - **`run.ts:147`** — when the `components` phase hit `remaining <= 0`, the phase was marked `"failed"` but individual resource statuses were left stale with no error string. Each resource is now marked `"skipped"` with `"Skipped: component limit reached (N)"`, matching `writeMonitorsPhase`. Phase-level status becomes `"skipped"` too (was `"failed"` — failed implied a writer error, this is really a plan-limit pre-check). - **`provider.ts`** — both `createProvider` and `buildProviderConfig` had a `default:` that silently ran the Statuspage adapter for any unknown provider name, which would mask a typo by handing a non- Statuspage api key to the wrong adapter. Replaced with exhaustive `case "statuspage"` + `never`-typed default throw. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(services): rename rpc/services → rpc/handlers (PR 10/N) (#2112) The symbolic deliverable from the plan's "close the loop" PR. Renames `apps/server/src/routes/rpc/services/` → `apps/server/src/routes/rpc/handlers/` so the distinction between "the services layer" (owns business logic, lives in `packages/services`) and "Connect transport handlers" (thin proto → service → proto wrappers) is permanent and visible in the path. Keeping the old name invites the next developer to "just add one small thing" to a file under a `services/` folder months later; the rename makes the layering explicit. ### Changes - `git mv` of the six domain subdirectories + their tests (health / maintenance / monitor / notification / status-page / status-report). - `router.ts` import paths updated from `./services/*` to `./handlers/*`. - Biome `overrides.include` paths updated to the new location. - Added `apps/server/src/routes/rpc/handlers/health/**` to the scope — the health handler has no db usage today; including it locks in that invariant. ### Still out of scope (follow-ups) Rather than pretending the full "close the loop" deliverable is possible today, the biome.jsonc comment now enumerates exactly what remains unmigrated: - `packages/api/src/router/statusPage.ts` — public viewer endpoints under `publicProcedure`, no authed `ServiceContext`. - `packages/api/src/router/{member,integration,monitorTag, pageSubscriber,privateLocation,checker,feedback,stripe,tinybird, email}.ts` — small domains not yet lifted. - `apps/server/src/routes/rpc/handlers/monitor/**` — 6 jobType-specific methods still on db. - `apps/server/src/routes/rpc/handlers/status-page/**` — page CRUD is migrated (PR 7), but components / groups / subscribers / viewer (13 methods) still import db, so the whole file stays out of scope. - `apps/server/src/routes/v1/**` — the public HTTP API surface. - `apps/server/src/routes/slack/**` except `interactions.ts` — tools, handler, oauth, workspace-resolver still on db. - `apps/server/src/routes/public/**` — public-facing HTTP routes. Each of the above is its own PR-sized migration. The final consolidation (broadening to `router/**` + dropping `@openstatus/db` from `packages/api` and `apps/server`) is conditional on all of them landing first. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/import): use ctx workspaceId for page insert `writePagePhase` was inserting with `data.workspaceId` — the value the provider package round-tripped into resource data. Every other phase writer (monitor / components / subscriber) already reads `workspaceId` from `ctx.workspace.id`; this lines the page insert up with that pattern. Defends against the (unlikely) case where a provider mapper serialises the wrong workspace id into its output, since `ctx` is the authoritative source. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude review findings on #2110 Six findings from Claude's review pass — five code/doc fixes, one documentation-only note. **P2 — `acceptInvitation` derives userId from `ctx.actor`.** Was taking it from input: the email scoped *which* invitation could be accepted, but not *who* the membership was inserted for. A caller with the right token+email could insert a membership under an arbitrary user id. Removed `userId` from `AcceptInvitationInput`; derived from `tryGetActorUserId(ctx.actor)`, throws `UnauthorizedError` for non-user actors. Mirrors the same pattern applied to `createApiKey.createdById` in the Cubic pass. Router and test updated accordingly. **P2 — `getWorkspace` throws `NotFoundError` explicitly.** `findFirst` + `selectWorkspaceSchema.parse(undefined)` was throwing `ZodError` (→ `BAD_REQUEST`) instead of the `NotFoundError` shape every other service uses. Unreachable in practice (ctx.workspace is resolved upstream) but the error shape was the only outlier; consistency matters for callers pattern-matching on error codes. **P3 — `listApiKeys` filters null `createdById` before the IN query.** The new `createApiKey` path enforces a non-null creator, but legacy rows may have null. SQL's `x IN (NULL)` is `UNKNOWN` — technically safe — but drizzle types model the array as `number[]`. Filtering upfront keeps the types honest and sidesteps any future surprise. **P3 — `deleteInvitation` guards `acceptedAt IS NULL`.** The WHERE previously allowed hard-deleting *accepted* invitations, wiping the "user was invited on X" breadcrumb. Added the `isNull(acceptedAt)` guard + doc comment explaining the audit-trail preservation intent. **Doc-only — `deleteAccount` orphan comment.** Non-owner memberships are removed, but owner memberships + owned workspaces survive. Matches legacy behavior. Added a scope-note docblock flagging that workspace cleanup is explicitly out of scope (belongs to a future admin / scheduled job). **Doc-only — `createInvitation` role comment.** The invite insert lets `role` fall through to the schema default (`member`). Matches legacy (which also only picked `email`). Comment added so the absence reads as deliberate rather than overlooked. Minor — the concurrent-accept race test is covered by the conditional UPDATE + `ConflictError` path from the earlier P1 fix; mocking it reliably against SQLite is noisy and not worth the test complexity. Documented in the related code comment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude re-review findings on #2110 Four issues surfaced after the first round of fixes on this PR: **P2 — `listApiKeys` crashes on all-legacy keys.** After the null filter added in the previous commit, workspaces whose keys all pre-date the services migration (every `createdById` null) end up with `creatorIds === []`. Drizzle throws "At least one value must be provided" on an empty `inArray`, taking the whole endpoint down. Added an early return that maps `createdBy: undefined` when there are no non-null creator ids to look up. **P2 — `getWorkspaceWithUsage` ZodError on missing row.** Same `findFirst` + `selectWorkspaceSchema.parse(result)` pattern as `getWorkspace`, but without the `NotFoundError` guard that got added in the earlier pass. Added the guard. Also cleaned up the usage block — no longer needs optional chaining once the narrowing fires. **P2 — `deleteAccount` took `userId` from input.** Completing the `createApiKey` / `acceptInvitation` pattern: account deletion must target `ctx.actor`, never an arbitrary id. Dropped `userId` from `DeleteAccountInput` (now an empty forward-compat shape), derived inside the service via `tryGetActorUserId`, throws `UnauthorizedError` for non-user actors. Router updated to stop passing it. **P3 — `createInvitation` dev-token log could leak in tests.** Tightened the comment around the `process.env.NODE_ENV === "development"` guard to flag that strict equality is load-bearing — bun:test sets `NODE_ENV=test` and CI leaves it undefined, both of which correctly skip the log. No behavior change, just a clearer contract so the next reader doesn't loosen it. Cubic's two findings on this review pass point at `packages/api/src/ router/import.ts` and `packages/services/src/import/limits.ts` — both live in the next PR up the stack (#2111 / feat/services-import) and will be addressed there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2110 Four findings from the third Cubic review (now that #2111's import domain is included in the #2110 diff via the stack): **P2 — biome.jsonc notification handler scope.** Only `notification/index.ts` was in the `noRestrictedImports` override. Sibling files (`errors.ts`, `test-providers.ts`) were outside the migration guard, so new db imports could land in them without the lint failing. Broadened to `notification/**` and moved the two files that *legitimately* still read db (`limits.ts` querying workspace quotas, `converters.ts` needing db enum shapes for proto round-trip) into the `ignore` list. Future siblings are enforced by default rather than silently slipping through. **P2 — `clampPeriodicity` unknown values returned too fast.** `PERIODICITY_ORDER.indexOf("unknown") === -1` → `Math.max(-1, 0) === 0` → walk started at `"30s"` (the fastest tier). Could return an interval faster than requested, violating the "never-faster-than-requested" invariant. Short-circuits now to the slowest allowed tier when the requested value isn't a known periodicity. Added unit tests covering the unknown-value + empty- allowed fallback paths. **P2 — component/monitor limit warnings counted total resources, not quota-consuming inserts.** If the import contained 4 components and 3 already existed (would be skipped as duplicates), the warning claimed `"Only X of 4 can be imported"` — but actually zero quota would be consumed by the 3 skips, so the real new-creation count might fit entirely. Reworded to `"Only N new components may be created … some of the M in the import may already exist and be skipped"`. Same treatment for the monitors warning. Preview stays DB-light (no per-resource existence checks); the warning now honestly conveys worst-case without misleading users about what will actually happen. Test assertions updated to match the new wording with substring matches that aren't tied to the exact fraction. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page): address Claude review on #2109 Six items from Claude's review, going with the calls I leaned toward in the question-back: **P2 — tRPC `updateCustomDomain` wasteful `getPage` read.** Was calling `getPage(id)` (fires 3 batched relation queries: maintenances + components + groups) just to grab `customDomain` before the Vercel add/remove calls. Added a narrow `getPageCustomDomain` service helper — single indexed lookup, workspace-scoped, returns the string directly. Router swapped over. Service-layer authority preserved; no db reads leak into the router. **P2 — Connect `updateStatusPage` slug-race code drift.** Handler pre-checks slug to surface `slugAlreadyExistsError` (`Code.AlreadyExists`). The `updatePageGeneral` service call re-validates via `assertSlugAvailable` → `ConflictError` → `Code.InvalidArgument` in the race where two callers both clear the pre-check. Wrapped the call in `try/catch (ConflictError)` and rethrow as `slugAlreadyExistsError(req.slug)` so gRPC clients keying on the code get a consistent `AlreadyExists` whether they lose at the pre-check or at the inner tx. **P2 — Connect `createStatusPage` / `updateStatusPage` customDomain without Vercel sync.** Pre-existing behaviour (the direct-db handler had the same gap). Added a top-of-impl comment so it doesn't go unnoticed — the fix is a shared transport-layer helper the Connect handlers can reuse, out of scope for this migration PR to keep the behavioural blast radius small for external API consumers. **P3 — double cast `row as unknown as Page` in `create.ts`.** The drizzle insert-returning type and the `Page` type diverge on `authEmailDomains` / `allowedIpRanges` (raw comma-joined string vs parsed `string[]`). Replaced the double casts with `selectPageSchema.parse(row)` which normalises the row into the shape callers expect. Cast-drift is now impossible to introduce silently. **P3 — `void ConflictError;` workaround.** Import was unused in `create.ts`; the `void` line was silencing the unused-import warning rather than fixing the cause. Removed both. **P3 — deprecated `passwordProtected` column.** Added a doc block on `updatePagePasswordProtection` flagging that the deprecated boolean column is intentionally not written here (the v1 REST read path derives it from `accessType` via `normalizePasswordProtected`). Prevents a future reader from mistaking the omission for an oversight and writing two sources of truth for the same signal. Test coverage for the 5 untested update services (`updatePagePasswordProtection`, `updatePageCustomDomain`, `updatePageAppearance`, `updatePageLinks`, `updatePageConfiguration`) deferred to a follow-up per Claude's "not blocking" marker — the failing-edge behaviour is the critical bit, and `updatePagePasswordProtection` already has indirect coverage through the Connect handler tests on this branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude review on #2108 Four items from Claude's review of the Connect notification handler backfill: **P3 — `protoDataToServiceInput` swallowed parse failures.** `try { JSON.parse } catch { return {} }` was hiding any malformed output from `protoDataToDb` (which would be a programmer error, not user-input) behind a generic empty-object fallback. The downstream `validateNotificationData` then failed with a far less specific error. Let the throw propagate — `toConnectError` maps it to `Code.Internal`, which is the signal we want for "the helper itself misbehaved." **P3 — `createNotification` response approximated the monitor IDs.** Was echoing `Array.from(new Set(req.monitorIds))` on the happy path (correct, since the service validates + throws on invalid) but the approximation diverged from `updateNotification`'s re-fetch pattern. Now re-fetches via `getNotification` after create so the response reflects what's actually in the DB — one extra IN query per create, eliminates the approximation entirely, makes both handlers structurally identical. **P3 — `sendTestNotification` bypassed `toConnectError`.** Only handler in the impl without a `try { … } catch { toConnectError }` wrap, so any thrown `ServiceError` / `ZodError` from `test-providers.ts` fell through to the interceptor's generic catch and surfaced with a less precise gRPC status. Wrapped for symmetry. **P3 — `JSON.parse(existing.data)` null-unsafe.** Drizzle infers `notification.data` as `string | null` (the column has `default("{}")` but no `.notNull()`). A legacy row with `NULL` in the column would crash `updateNotification` with `SyntaxError` during the partial-update read-modify-write. Added `?? "{}"` fallback and a comment pointing at the schema. Cubic's single finding from the earlier pass (dedupe of `req.monitorIds` in the create response) was already applied in `b69ad13` and has now been superseded by the re-fetch above. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2108 Five findings from Cubic's second review cycle on this PR, all on files that entered this branch via the #2109 (status-page) and #2111 (import) squash-merges stacked on top. Fixing here so the cumulative state reaching main is clean. **P1 — `page/create.ts` double-encoded JSON configuration.** `page.configuration` is a drizzle `text("…", { mode: "json" })` column — drizzle serialises objects automatically. Calling `JSON.stringify(configuration)` first stored a raw JSON string in the column, breaking any downstream read that expects an object (e.g. the appearance merge at `update.ts:185`). Dropped the wrap; drizzle handles it. **P2 — `page/schemas.ts` slug + customDomain validation weaker than insert schema.** `NewPageInput.slug`, `GetSlugAvailableInput.slug`, and `UpdatePageGeneralInput.slug` were `z.string().toLowerCase()` — no regex, no min-length. `UpdatePageCustomDomainInput.customDomain` was `z.string().toLowerCase()` — no format check. Meant the service would accept malformed slugs / URLs that `createPage` would then reject via `insertPageSchema`, or — worse — that `getSlugAvailable` would confidently return "available" for garbage. Exported the canonical `slugSchema` + `customDomainSchema` from `@openstatus/db/src/schema/pages/validation` and reused them across all four service inputs; db validation is now the single source of truth for page slug/domain shape. **P2 — `api/router/import.ts` nullish → optional contract narrowing.** The service's `PreviewImportInput`/`RunImportInput` used `.optional()` for the three provider page-id fields, which dropped the `null` acceptance the legacy router had via `.nullish()`. Existing clients sending `null` would have started hitting `Invalid input` errors after the import migration landed. Added a `nullishString` transform in the service schema that accepts `string | null | undefined` and normalises to `string | undefined` before it reaches `buildProviderConfig` — callers keep the broader contract, service internals stay ignorant of `null`. **P2 — `page/update.ts` empty array stored "" not null.** `authEmailDomains?.join(",") ?? null` coerces `null`/`undefined` to `null`, but `[].join(",")` returns `""` (empty string) which `??` treats as a value. Callers sending `authEmailDomains: []` to clear the column were persisting the empty string instead of nulling it — misleading "present but blank" state. Switched to `|| null` on both array-join outputs (`authEmailDomains` + `allowedIpRanges`) so the three clearing inputs — `undefined`, `null`, `[]` — all land on DB `NULL` while real non-empty joins pass through unchanged. Test fixtures already use slugs ≥ 3 chars that match the regex, so the tightened validation doesn't break any existing assertions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page-component): address Cubic + Claude review on #2107 Three fixes + one test, addressing both the original Cubic finding and Claude's re-review pass. **P2 — Discriminated union for `componentInput`.** The flat `z.object` with `type: z.enum(["monitor", "static"])` and optional `monitorId` let callers submit a "monitor" component with no monitor id, or a "static" one with a monitor id attached. The DB catches it with a `CHECK` constraint, but that surfaces as an opaque SQLite CHECK failure instead of a clean `ZodError` at the service boundary. Replaced with a `z.discriminatedUnion("type", [...])` that requires `monitorId` on the "monitor" arm and omits it on the "static" arm. Fallout in `update-order.ts`: `c.monitorId` no longer exists on the "static" arm after narrowing, so the spreads now use `monitorId: c.type === "monitor" ? c.monitorId : null`. The defensive `&& c.monitorId` guards on the already-narrowed monitor branches are gone (TypeScript enforces the invariant the DB was catching late). **P2 — Sequential group insert instead of bulk `.returning()`.** The bulk insert relied on drizzle/SQLite returning rows in the same order they were inserted, so `newGroups[i]` could line up with `input.groups[i]` when mapping components to their groups. True on Turso today, but an implicit coupling — any driver change, batch split, or upstream sort could silently reorder rows and land components in the wrong group with no error signal. Switched to a loop that captures each group id before moving on; the set size is bounded by the status-page component-group plan cap so the extra round trips are a rounding error. **Nit — removed dead `hasStaticComponentsInInput` guard.** Both the "input has static components but none carry ids" and "input has no static components at all" branches collapsed to the same "drop all existing static components" action, so the outer `hasStaticComponentsInInput` conditional was doing no work. Dropped the variable and the nested branch. **Test — upsert idempotency.** The `onConflictDoUpdate` on `(pageId, monitorId)` was the riskiest untested path — a regression would silently insert duplicate rows on every re-invocation. Added a test that calls `updatePageComponentOrder` twice on the same page with the same `monitorId`, then asserts there's exactly one matching row and the second call's values won. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2107 + unblock build Eight Cubic findings from the second review plus one dashboard build break from my earlier discriminated-union change. **Build — router shape diverged from service discriminated union.** `packages/api/src/router/pageComponent.ts` kept its own flat `z.object({...})` input schema with `type: z.enum(["monitor", "static"])` and `monitorId: z.number().nullish()`. After the service switched to `z.discriminatedUnion("type", [...])`, TS couldn't reconcile the two — dashboard build failed. Replaced the local schema with the service's exported `UpdatePageComponentOrderInput` so both layers share the canonical shape. **P1 — page router: validate customDomain before Vercel call.** The router input was `z.string().toLowerCase()` (no format check) and the service's `customDomainSchema` only fired inside `updatePageCustomDomain`, *after* the Vercel add/remove mutations. A malformed domain could be added to Vercel, then rejected by the service, leaving Vercel/db state drifted. Switched the router input to the service's `UpdatePageCustomDomainInput` so format validation runs at tRPC input parsing, before any Vercel call. **P1 — `listApiKeys` leaked `hashedToken`.** `SELECT *` returned every column including the bcrypt hash of each key's one-time token, which has no business appearing in a list response. Replaced with an explicit column select that omits `hashedToken`. New `PublicApiKey` type (`Omit<ApiKey, "hashedToken">`) is the return shape; exported from the barrel. **P2 — `acceptInvitation` eager workspace load + second fetch.** The initial `findFirst` already loaded the workspace via `with: { workspace: true }`, but the return value re-fetched it by id. Use the joined value directly — one round-trip instead of two, and eliminates the read-skew window where a just-renamed workspace could appear with a different name in each fetch. **P2 — `import.run` audit entityId 0.** `entityId: targetPageId ?? 0` wrote a ghost `page 0` reference to the audit trail when the page phase failed before producing an id. Entity attribution now falls back to the workspace (`entityType: "workspace"`, `entityId: ctx.workspace.id`) when no target page is in play — real rollback signal, no phantom foreign key. **P2 — `page-components` limit scoped per-page, not workspace.** `page-components` is a workspace-wide cap (see `page-component/update-order.ts` — counts every component across every page). The import preview and run's component check were scoping the existing count to `targetPageId`, which understated pressure and would let imports push past the cap at write time. Both sites now count workspace-wide. **P2 — `writeIncidentsPhase` lacked idempotency.** Every other phase writer checks for an existing row before inserting (page by slug, monitor by url, component by name, subscriber by email); `writeIncidentsPhase` inserted unconditionally. A re-run would duplicate status reports on every pass. Added an existence check by `(title, pageId, workspaceId)` matching the convention. **P2 — `writeMaintenancesPhase` lacked idempotency.** Same pattern. Added a check by `(title, pageId, from, to, workspaceId)` — the `from/to` pair is load-bearing because maintenance titles recur ("DB upgrade") across unrelated windows. **P2 — `writeComponentsPhase` silent monitor→static fallback.** When the source monitor failed to resolve (e.g. `includeMonitors === false`), the component was silently degraded to `type = "static"` and reported as `created` with no explanation. Other phase writers populate `resource.error` on any degrade path. Added a matching error string pointing at the source monitor id (or lack thereof) so the summary conveys the degrade. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page-component): revert discriminated union to flat + .refine The previous commit switched `componentInput` in the service schema to a `z.discriminatedUnion("type", [...])` to get a clean `ZodError` at parse time for the monitor/static invariant. That produced a narrowed TS shape (`type: "monitor"` → required `monitorId: number`) that every caller had to match — including the dashboard form, where react-hook-form can't model discriminated unions cleanly and would have needed a flat→union adapter at submit time. The ripple was user-visible frontend churn for a schema-layer concern. Switched back to a flat `z.object` + cross-field `.refine` on `(type, monitorId)`. Same parse-time rejection Cubic asked for (ZodError with a specific path, not an opaque SQLite CHECK failure), but the inferred TS type stays flat so callers — router input, RHF form values — keep their existing shape. Also restored the downstream `&& c.monitorId` guards and `as number[]` casts in `update-order.ts`. With a flat schema, TS still sees `monitorId: number | null | undefined` on the monitor branch; the refine rejects violating input at parse time, but the guard is needed to narrow for the type system. Matches the pre-migration shape exactly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/import): reconcile component links on idempotent skip The idempotency checks in `writeIncidentsPhase` and `writeMaintenancesPhase` added in the previous pass correctly avoid duplicate status-report / maintenance rows on rerun, but `continue`-d out of the writer before the component-link insertion block. The failure mode this leaves open: 1. Run 1: component phase uses per-resource catch, so a single component can fail and leave `componentIdMap` partial. 2. The report/maintenance is written with a subset of the intended links — only the entries whose source id resolved in the map. 3. Run 2: the previously-failed component now succeeds and lands in `componentIdMap`. The report/maintenance idempotency check hits, `continue` fires, and the still-missing link is never written. Both join tables (`statusReportsToPageComponents`, `maintenancesToPageComponents`) have a composite primary key on `(parentId, pageComponentId)`. Running the same link-build pass on the skip path with `.onConflictDoNothing()` is a no-op for the links already present and adds any that resolved this time round. Matches the "reruns converge to correct state" model that motivated the idempotency checks in the first place. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): address Claude review pass Three small findings from the latest Claude review, bundled: **#1 — `list.ts` redundant `conditions` array.** `listNotifications` initialised a one-element `SQL[]` and spread it into `and(...)` with no second push site anywhere. Collapsed to a direct `eq(...)`. The pattern is load-bearing in `monitor/list.ts` (two conditions: workspace scope + soft-delete filter) but notifications have no soft-delete column, so the indirection was pure noise. **#2 — router `dataInputSchema` duplicated the service schema.** `packages/api/src/router/notification.ts` hand-rolled a `z.partialRecord` structurally identical to the `dataSchema` inside `packages/services/src/notification/schemas.ts`. Drift hazard: a future provider-value shape change in the service would be accepted at the tRPC layer and fail with an opaque error deeper in `validateNotificationData`. Renamed the service schema to `NotificationDataInputSchema`, exported it from the service barrel, and replaced the router's local copy + the now-unused `servicesNotificationProvider` alias. **#5 — `update.ts` audit missing `provider` metadata.** `createNotification` attaches `metadata: { provider: input.provider }` to its audit row; `updateNotification` didn't. The `provider` column is recoverable from the `before`/`after` rows, but asymmetric metadata breaks simple `action + metadata.provider` audit queries. Added `metadata: { provider: existing.provider }` for parity. Skipped the two non-fixes: the `enrichNotificationsBatch` drizzle-cast fragility is the same pattern as `monitor/list.ts`, worth a codebase- wide change rather than a single-domain carve-out; the `dataSchema` being "intentionally wide" is already called out in the schema JSDoc and is correct by design (provider/payload alignment is enforced at the service boundary by `validateNotificationData`). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(services/notification): cover update audit + post-downgrade gate Claude review noted two gaps in the `updateNotification` suite. Adding both: **`notification.update` audit row.** `createNotification` already asserts an audit row fires with `expectAuditRow`; the update path was silent. With the per-mutation audit contract (every write emits a row), the update case needs an equivalent pin so a regression that drops the emit site is caught. Note: the v1 audit buffer shape (`AuditLogRecord`) doesn't carry `metadata`, so the `{ provider }` payload can't be asserted directly here — that coverage lands with the v2 audit-table move, called out in the test comment. **Plan-gate after a downgrade.** The Cubic-flagged fix added `assertProviderAllowed(existing.provider)` to `updateNotification` so a previously-allowed channel becomes read-only once the workspace drops to a plan that no longer includes it. The regression test simulates the downgrade by directly inserting a `pagerduty` row into the free workspace (bypasses the create-time gate) and then calls `updateNotification` via `freeCtx` — asserts `LimitExceededError`. Without the gate the update would silently succeed and leave a channel on an unsupported plan. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Cubic P1/P2/P3 pass across the stack Twelve findings from Cubic's 2026-04-24 review on #2106. Fixes are bundled on this branch because the later-PR content has cascaded down via the 2107 squash-merge — each item is called out by file so the commit is easy to skim. **P1 — `import/phase-writers.ts` subscribers reconciliation.** `writeIncidentsPhase` and `writeMaintenancesPhase` already reconcile component links on the idempotent-skip path. `writeSubscribersPhase` didn't, so `pageSubscriberToPageComponent` rows lost to a partial first run are never recovered. Same `.onConflictDoNothing()` pattern, same composite-PK rationale. **P1 — `page/schemas.ts:129` UpdatePageAppearance accepts any theme.** `configuration.theme` was `z.string()`; the read path parses configuration through `pageConfigurationSchema` which uses the `THEME_KEYS` enum. Wrote-and-broke-read pairs are now impossible. Router now reuses `UpdatePageAppearanceInput` from services so the tRPC boundary enforces the same enum. **P1 — `page/schemas.ts:160` UpdatePageConfiguration too permissive.** Replaced the `z.record(z.string(), z.string()|z.boolean())` with `pageConfigurationSchema.nullish()`, which is what the read path already uses. Dashboard form's free-typed `configuration` values are cast at the mutation call-site (tRPC input parse catches invalid submits). **P2 — `page-component/internal.ts:39` validateMonitorIds.** Added `isNull(monitor.deletedAt)` so tombstoned monitor ids don't pass as valid attach targets. **P2 — `page-component/list.ts:71` enrichment returns deleted monitors.** Same `isNull(monitor.deletedAt)` filter on the enrichment lookup so `component.monitor` is never populated with a tombstoned row. **P2 — `page-component/update-order.ts:277` stale ID set for statics.** `existingComponentIds` was built from the pre-delete snapshot of `existingComponents`. If an input static carried an id that matched a monitor component just removed (because its `monitorId` dropped out of the input set), the `has(id)` check sent the row to the UPDATE branch, which silently no-op'd against the now-deleted id and lost the new static. New set filters by `type === "static"` and subtracts `removedComponentIds` so only surviving static ids take the update path. **P2 — `invitation/accept.ts:75` re-assert invitation expiry.** Conditional UPDATE only re-checked `acceptedAt IS NULL`. An invitation expiring between the initial read and the update could still be claimed. Added `gte(expiresAt, now)` to the UPDATE predicate. **P2 — `invitation/accept.ts:82` duplicate workspace membership.** `.onConflictDoNothing()` on `usersToWorkspaces` insert keyed on the `(userId, workspaceId)` composite PK. An already-member invitee previously blew up the unique constraint *after* the invitation was stamped accepted. **P2 — `import/limits.ts` warnings ignore run options.** `addLimitWarnings` now takes `options` and gates each per-phase warning on the corresponding include flag. Threaded from both `run.ts` and `preview.ts`; `PreviewImportInput` gained an `options` field so previews and runs produce the same warning set. `ImportOptions` moved above `PreviewImportInput` (forward ref). **P2 — `user/delete.ts` + `service-adapter.ts` PRECONDITION_FAILED.** Paid-workspace guard threw `ForbiddenError`, which `toTRPCError` mapped to `FORBIDDEN`. The pre-migration router surfaced this as `PRECONDITION_FAILED` so the UI could distinguish "missing permissions" from "missing prerequisite state". Added a `PreconditionFailedError` class + `PRECONDITION_FAILED` service error code + matching tRPC mapping. Exported from the services root barrel. **P2 — `router/import.test.ts` limits override didn't stick.** `enforceUserIsAuthed` replaced the test's `makeCaller`-provided workspace with the seeded team plan on every call, so limit assertions silently ran against team limits. Added a `NODE_ENV==='test' && workspace!=null && user!=null` short-circuit at the top of the middleware that trusts the pre-populated inner context. `makeCaller` now also stamps `user` so the escape hatch triggers. Test-only behaviour, production path unchanged. **P3 — `invitation.test.ts` members-cap seed.** Test assumed the free workspace had an owner already occupying the `members: 1` slot, but the shared DB seed only adds a row for workspace 1 (team). Seed a membership for the free workspace in `beforeAll`; tear it down in `afterAll`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): declare @openstatus/theme-store workspace dep Follow-up to the Cubic P1 schema-tightening commit. `page/schemas.ts` now imports `THEME_KEYS` / `ThemeKey` from `@openstatus/theme-store` to enforce the canonical theme enum at the service input boundary, but the dep wasn't declared in the services package.json. Next/ Turbopack module resolution blew up when apps that consume the service (status-page build path) tried to evaluate the schema file. Also added the same dep to `apps/server` — it depends on `@openstatus/services` and needs the transitive module resolvable. Dashboard / status-page already had it declared. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(server): regenerate Dockerfile + lockfile - `dofigen update` bumped `debian:bullseye-slim` base image digest. - `dofigen gen` regenerated the Dockerfile to match. - `pnpm i` refreshed lockfile for the new `@openstatus/theme-store` workspace dep on services / server. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Four findings from the latest Claude review on #2105: **Medium — `bulkUpdateMonitors` audit pollution.** The loop emitted a `monitor.bulk_update` audit row for every id in `input.ids`, including ids the WHERE clause silently dropped (wrong workspace, already soft-deleted). The PR framed that as preservation of legacy behaviour, but the old code had no audit trail at all — so it's new pollution, not a preserved semantic. Added `.returning({ id })` to the update so the audit loop only attributes rows actually written. **Low — `updateMonitorOtel` inline JSON.stringify.** Replaced with the shared `headersToDbJson` helper used everywhere else in the module (`undefined → undefined`, `array → JSON.stringify(array)` — same behaviour, consistent surface). **Low — `deleteMonitors` error always blamed `ids[0]`.** When a mix of valid and invalid ids was passed, the `NotFoundError` always reported the first input id even if that one was found. Compute the first actually-missing id from `existing` and report it. **Test — regression for the double-delete guard.** Cubic's P2 fix added `isNull(deletedAt)` to `getMonitorInWorkspace` so a second `deleteMonitor` on the same id throws `NotFoundError` instead of re-running the soft-delete / cascade / audit sequence on a tombstoned row. No test pinned it — added one to the `deleteMonitor` suite. Skipped the two nits Claude also raised: `UpdateMonitorRetryInput. retry` bounds (consistent with `insertMonitorSchema`; not a per-PR carve-out) and the implicit `(active DESC, createdAt DESC)` ordering in `listMonitors` (documentation polish, no behaviour change). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

mxkaske · 2026-04-24T09:19:43Z

@claude review

claude · 2026-04-24T09:20:00Z

Claude finished @mxkaske's task in 2m 34s —— View job

Code Review

Gather context and understand the PR
Read current state of service files (update.ts, delete.ts, list.ts, internal.ts, schemas.ts, relations.ts, clone.ts)
Read tRPC router wrapper
Read test file
Post review findings

All four findings from the previous review are correctly addressed in 7e5822f9. The implementation is clean. A few low-signal observations below.

Verified fixes

Medium — bulkUpdateMonitors audit pollution ✅

update.ts:233–255 — .returning({ id: monitor.id }) now bounds the audit loop to rows the WHERE clause actually matched. The workspace + soft-delete filters in the WHERE are also correct.

Low — updateMonitorOtel inline JSON.stringify ✅

update.ts:139 — Now uses headersToDbJson(input.otelHeaders), consistent with every other place in the module.

Low — deleteMonitors always blamed ids[0] ✅

delete.ts:94–96 — Correctly computes the first actually-missing ID by diffing existing against the deduplicated input set.

Test — double-delete regression ✅

monitor.test.ts:248–270 — Test creates, deletes, then asserts the second delete throws NotFoundError. Matches the isNull(deletedAt) guard added in the Cubic P2 fix.

New observations

Low — cloneMonitor test doesn't exercise the status reset

monitor.test.ts:317–343 — The Cubic P2 fix (forced status: "active" in clone) has no assertion backing it. The test only checks id, name, and url. A source in error/degraded state would be the meaningful case, but the test creates a fresh monitor which already has status: "active". The fix is structurally correct (clone.ts:33 destructures status out before spread), just unwitnessed by the test suite.

Low — deleteMonitors bulk mutations drop workspace constraint after pre-check

delete.ts:99–109 — After the pre-check verifies all IDs belong to the workspace, the subsequent update + three deletes use inArray(monitor.id, ids) alone, without eq(monitor.workspaceId, ...). It's safe because:

The pre-check is inside the same transaction (serialized)
ids is deduplicated before the check

...but it's a layered-defense opportunity if ever copy-pasted to a context without a prior pre-check. Worth noting, not worth blocking on.

Nit — tRPC list discards totalSize but still pays for a count query

list.ts:193–212 — listMonitors runs a count(*) and the full row query in parallel, then returns { items, totalSize }. The tRPC list wrapper at monitor.ts:135 destructures only items and discards totalSize. Since both queries run in parallel the overhead is one extra round-trip, and the design correctly serves future callers that need totalSize. Not a bug, just worth knowing if list ever lands under tight latency budgets.

Positives

All previous findings resolved correctly, with clean test coverage for the double-delete case.
bulkUpdateMonitors fix is idiomatic: one .returning({ id }) call replaces the prior "iterate over input ids" pattern cleanly.
headersToDbJson is now used consistently across the entire module.
internal.ts:28–47 — getMonitorInWorkspace correctly filters isNull(monitor.deletedAt), making the double-delete guard automatic for every caller that goes through it.
enrichMonitorsBatch workspace-scoping is complete across all four relation queries (tags, incidents, notifications, private-locations).

Two `Low` follow-ups from the latest Claude pass. **`cloneMonitor` status-reset test.** The Cubic P2 fix (destructure `status` out of the source row before spreading so clones always start in `"active"` state) had no assertion pinning it. The existing clone test created a fresh source whose status was already the default `"active"`, so a future refactor re-adding `status: source.status` to the insert would have passed CI silently. New test flips the source's status to `"error"` via a direct db update and asserts the clone lands as `"active"`. **`deleteMonitors` layered workspace filter.** After the pre-check validates ids belong to the workspace, the subsequent mutations only used `inArray(monitor.id, ids)`. Safe today (same transaction, deduped ids) but a latent footgun if the block ever gets copy-pasted without the pre-check. Added `eq(workspaceId, ctx .workspace.id)` to the two mutations that have the column (`monitor` and `pageComponent`). The two join tables (`monitorTagsToMonitors`, `notificationsToMonitors`) don't carry `workspaceId` — noted in comment that their protection comes from the `monitor` FK's cascade plus the pre-check. Skipped Claude's third note (`list` returning `totalSize` the tRPC wrapper discards): not a bug — the service contract is correct for future paging callers, and changing the return shape is regression surface with no upside today. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(services): migrate monitor domain tRPC onto service layer Fourth domain, the largest so far. Migrates the **tRPC** monitor router (all 14 procedures) onto `@openstatus/services/monitor`. The Connect handler (`apps/server/src/routes/rpc/services/monitor/`) and the v1 REST `apps/server/src/routes/v1/monitors/*` endpoints stay untouched for now — they are separate external-API surfaces and warrant their own follow-up PRs with their own test suites. - `createMonitor`, `cloneMonitor`, `deleteMonitor`, `deleteMonitors` (bulk soft-delete), `getMonitor`, `listMonitors`. - `updateMonitorGeneral` — preserves the existing tRPC `updateGeneral` behaviour including jobType switching (HTTP ↔ TCP ↔ DNS). Called out as a code smell in the explore, but preserved intentionally since it's the dashboard's current edit flow. Kept jobType-agnostic rather than split into 3 separate update methods. - `updateMonitorRetry`, `updateMonitorFollowRedirects`, `updateMonitorOtel`, `updateMonitorPublic`, `updateMonitorResponseTime` — field-specific setters. - `updateMonitorSchedulingRegions` — enforces plan limits (periodicity / region-count / region-access) + validates the private-location ids before replacing the association set. - `updateMonitorTags`, `updateMonitorNotifiers` — validate and replace the tag / notifier association sets. - `bulkUpdateMonitors` — batched toggle of `public` / `active` across multiple monitor ids. Matches the old `updateMonitors` procedure. - All mutations run inside `withTransaction`, emit `emitAudit`. - Cascade deletes: `monitor_tag_to_monitor`, `notifications_to_monitors`, `page_component` rows are torn down on delete (matches pre-migration behaviour — bypasses FK cascades because some rows reference the monitor without cascade). - `validateTagIds` / `validateNotificationIds` / `validatePrivateLocationIds` — workspace-scoped validators with dedupe. - `pickDefaultRegions(workspace)` — ports the old "randomly pick 4 free / 6 paid regions excluding deprecated" logic. - `serialiseAssertions` / `headersToDbJson` — assertion / header serialisation moved out of the tRPC router. - `countMonitorsInWorkspace` for quota checks. `listMonitors` does two IN queries (tags + incidents) regardless of list size. `getMonitor` reuses the same path with the richer `{ notifications, privateLocations }` toggle and a singleton. Same pattern as status-report's batched fix. - **tRPC** (`packages/api/src/router/monitor.ts`): every procedure is a thin wrapper. `delete` catches `NotFoundError` for idempotency. `new` / `updateGeneral` keep the `testHttp` / `testTcp` / `testDns` pre-save check at the tRPC layer — services unconditionally save, callers decide whether to pre-validate. - Connect RPC handler at `apps/server/src/routes/rpc/services/monitor/` — still uses its own helpers. Will be migrated in a follow-up (4b). - v1 REST endpoints at `apps/server/src/routes/v1/monitors/*` — yet another external surface; dedicated PR later. - `packages/api/src/service/import.ts` monitor writes — covered by the plan's dedicated PR 9. - Biome `noRestrictedImports` scope adds `packages/api/src/router/monitor.ts`. The Connect monitor handler stays out of scope until 4b. - Subpath export `@openstatus/services/monitor`. - `packages/services/src/monitor/__tests__/monitor.test.ts` — create (http / tcp / dns), delete cascade, bulk delete, clone, tags / notifiers validation (forbidden when cross-workspace), list / get with workspace isolation + soft-delete hiding, updateMonitorGeneral round-trip. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): declare @openstatus/regions + @openstatus/assertions deps The monitor domain pulls `regionDict` from `@openstatus/regions` (for the default-region picker) and assertion classes / validators from `@openstatus/assertions`. Both were missing from `packages/services/package.json`, so Vercel's Next.js build for `apps/status-page` — which transitively imports the services package via `@openstatus/api` — failed with "Module not found" on `packages/services/src/monitor/internal.ts:20` and `schemas.ts:1`. Local pnpm workspaces resolved the imports via hoisting, which masked the missing declarations until an actual Next.js build forced strict resolution. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/monitor): address Cubic review - **`timeout` / `degradedAfter` bounds** (schemas.ts) — mirror the 0–60_000 ms cap from `insertMonitorSchema`. Values outside the range are rejected before the UPDATE instead of being silently persisted. - **`jsonBody` assertion mapping** (internal.ts) — the serialiser was silently dropping `jsonBody`-typed input because the runtime class wasn't wired up. Added the `JsonBodyAssertion` branch; the class has existed in `@openstatus/assertions` the whole time, this was just a missing case. - **Clone resets `status`** (clone.ts) — cloning no longer inherits the source's current `error`/`degraded` health. Freshly cloned monitors start at `"active"` and settle on their first check. - **Delete filters soft-deleted** (delete.ts) — the pre-check now includes `isNull(monitor.deletedAt)`, so a repeat delete returns `NotFoundError` (preserved as idempotent at the tRPC layer) instead of re-running the cascades and emitting duplicate audits. - **List/get workspace scope on relations** (list.ts) — `enrichMonitorsBatch` takes `workspaceId` and scopes the incident / tag / notification / private-location IN queries to the caller's workspace. Defence-in-depth against inconsistent FK data (none of those tables enforce workspace ownership at the FK level). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate notification CRUD (PR 5/N) (#2106) * feat(services): migrate notification CRUD onto service layer Fifth domain. Migrates the four CRUD procedures — `list`, `new`, `updateNotifier`, `delete` — of the notification tRPC router onto `@openstatus/services/notification`. The three integration-helper procedures (`sendTest`, `createTelegramToken`, `getTelegramUpdates`) stay inline at the tRPC layer and are explicitly out of scope for this migration. - `createNotification` — enforces plan limits on both the channel count (`notification-channels`) and the provider itself (`sms` / `pagerduty` / `opsgenie` / `grafana-oncall` / `whatsapp` require plan flags); validates the loose `data` payload against `NotificationDataSchema`; validates monitor ids are in-workspace and not soft-deleted. - `updateNotification` — replaces name / data / monitor associations in a single transaction with the same validation rules as create. - `deleteNotification` — hard-delete (FK cascade clears associations). The tRPC wrapper swallows `NotFoundError` to preserve the old idempotent behaviour. - `listNotifications`, `getNotification` — batched IN query enriches monitors per notification. Monitor enrichment is workspace-scoped and filters soft-deleted monitors for defence-in-depth. - All mutations run inside `withTransaction`, emit `emitAudit`. - **tRPC** (`packages/api/src/router/notification.ts`): `list` / `new` / `updateNotifier` / `delete` become thin service wrappers. `sendTest` + `createTelegramToken` + `getTelegramUpdates` are unchanged. - **`sendTest` migration** — the dispatch switch imports from 10 `@openstatus/notification-*` packages. Moving it into services would pull those as direct deps; the plan's phrasing ("Channel CRUD + test-dispatch") allows this as a later extraction. - **`createTelegramToken` / `getTelegramUpdates`** — redis + external Telegram API helpers; transport UX, not domain operations. - **Biome scope for `notification.ts`** — the file still imports `@openstatus/db/src/schema` for the `sendTest` provider data schemas. Will land with the sendTest migration follow-up. - **Connect RPC notification handler** — stays on its own helpers; follow-up aligned with PR 4's Connect deferral. - `__tests__/notification.test.ts` covers create (including `ValidationError` on malformed data, `LimitExceededError` on gated provider, `ForbiddenError` on cross-workspace monitor), update (association replacement, cross-workspace `NotFoundError`), delete, list/get workspace isolation + monitor enrichment scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): address Cubic review - **Update flow plan gate** (update.ts) — `updateNotification` was skipping `assertProviderAllowed`, so a user who downgraded their plan could still edit a notification configured with a now-restricted provider. Re-check against the stored `existing.provider` to match the create-time gate. - **Provider / data match** (internal.ts) — `NotificationDataSchema` is a union, so `{ provider: "discord", data: { slack: "…" } }` passed the union check even though the payload key doesn't match the provider. `validateNotificationData` now takes the provider and asserts `provider in data` after the top-level parse. Applied in both `create` and `update` (update uses the stored provider since the API doesn't allow provider changes). Added a test for the mismatch case. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): tighten data validation against provider schema Cubic's follow-up on the previous fix was right: checking only `provider in data` isn't enough. `NotificationDataSchema` is a union, so a payload like `{ discord: "not-a-url", slack: "valid-url" }` passes because the union matches the slack variant — the extra `discord` key is ignored, and my key-presence check sees `"discord"` and lets it through. Replaced the union parse + key check with a provider-specific schema lookup (`providerDataSchemas[provider].safeParse(data)`). Each canonical channel schema is keyed by its provider name and validates the shape / content of the value, so the new check catches both the mismatched-provider and malformed-payload cases in one pass. Added a test covering the exact case Cubic flagged — invalid `discord` URL alongside a valid `slack` URL now rejects with ValidationError. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate page-component domain (PR 6/N) (#2107) * feat(services): migrate page-component domain onto service layer Sixth domain, tRPC-only. Migrates `list`, `delete`, and `updateOrder` onto `@openstatus/services/page-component`. - `listPageComponents` — workspace-scoped filter + optional pageId filter. Batched enrichment in four IN queries (monitors, groups, status reports via join, maintenances via join). All relation queries scoped to the caller's workspace for defence-in-depth. - `deletePageComponent` — hard-delete. Cascade clears the `status_report_to_page_component` / `maintenance_to_page_component` associations. The tRPC wrapper swallows `NotFoundError` to preserve the pre-migration idempotent behaviour. - `updatePageComponentOrder` — the complex one. Mirrors the existing diff-and-reconcile pass faithfully (≈220 lines → a single transaction): 1. Assert the page is in the workspace. 2. Enforce the workspace's `page-components` plan cap. 3. Validate every monitor id in the input set. 4. Remove monitor components whose monitorId isn't in the input; remove static components based on whether the input carries ids. 5. Clear `groupId` before dropping groups (FK safety), then recreate groups. 6. Upsert monitor components via `onConflictDoUpdate` on the `(pageId, monitorId)` unique constraint (preserves ids). 7. Update existing static components by id; insert new ones. Audit: `page_component.update_order` / `page_component.delete`. - **tRPC** (`packages/api/src/router/pageComponent.ts`): all three procedures call services. `delete` catches `NotFoundError` and returns the old `drizzle.returning()`-shaped empty array. The pre-existing `pageComponent.test.ts` (tests cross-workspace monitorId → `TRPCError(FORBIDDEN)`) is untouched and still valid — my services throw `ForbiddenError`, which `toTRPCError` maps to the same code. - Biome `noRestrictedImports` scope adds `packages/api/src/router/pageComponent.ts`. - Subpath export `@openstatus/services/page-component`. - `__tests__/page-component.test.ts` covers `updatePageComponentOrder` happy path (creates monitor + static + grouped components), rejects cross-workspace monitorId and cross-workspace pageId, `list` workspace isolation, `delete` cross-workspace `NotFoundError`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): Connect RPC notification handler catch-up (#2108) * feat(services): Connect RPC notification handler onto services (catch-up) Follow-up to PR 5 — noticed on review that my PRs from PR 4 onwards had been narrowing scope to tRPC only and deferring Connect handlers, which was piling up. This closes the notification Connect gap. `apps/server/src/routes/rpc/services/notification/index.ts` — the five CRUD methods now delegate to `@openstatus/services/notification`: - `createNotification` → `createNotification` service (handles the plan-count limit, per-provider plan gate, and data-schema validation internally — the Connect-side `checkNotificationLimit` / `checkProviderAllowed` / `validateProviderDataConsistency` calls are gone). - `getNotification`, `listNotifications`, `updateNotification`, `deleteNotification` — thin proto-to-service-to-proto wrappers. - `updateNotification` reads the existing record via the service and fills in missing fields (Connect's update is partial; the service expects a full payload), then applies the update. Left inline: - `sendTestNotification` — calls `test-providers.ts` (external HTTP). - `checkNotificationLimit` RPC method — returns the count info via `./limits.ts` helpers (pure queries, no domain mutation). The local Connect helpers (`validateProviderDataConsistency`, `checkNotificationLimit`, `checkProviderAllowed`, and the ad-hoc `validateMonitorIds` / `updateMonitorAssociations` / `getMonitorById` / `getMonitorCountForNotification` / `getMonitorIdsForNotification`) are no longer imported by `index.ts`; they remain in their files because `test-providers.ts` and the unmigrated Connect monitor handler still reference some of them. Added `apps/server/src/routes/rpc/services/notification/index.ts` to the `noRestrictedImports` scope. The directory-level glob isn't a fit because `limits.ts` and `test-providers.ts` legitimately need direct db access until their own follow-up migrations. - **Connect monitor handler** (~880 lines, 6 jobType-specific create/update methods + 3 external-integration methods) — requires a much bigger refactor. Flagged as dedicated PR 4b; tracked separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): dedupe monitor ids in Connect createNotification response Cubic's P2 catch: the service dedupes `monitors` before the insert (via `validateMonitorIds` in the services package), but the Connect handler echoed `req.monitorIds` verbatim back in the response. For an input like `["1", "1", "2"]` the DB stored `[1, 2]` while the response claimed `["1", "1", "2"]` — caller state diverges from persistence. Echo `Array.from(new Set(req.monitorIds))` instead so the response matches what's actually stored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate page authoring (PR 7/N) (#2109) * feat(services): migrate page (status-page authoring) onto service layer Seventh domain. Migrates the 13 authoring procedures in `pageRouter` onto `@openstatus/services/page`. Deliberately scoped to authoring CRUD only: - `statusPage.ts` — public viewer endpoints (subscribe / get / uptime / report / verify / unsubscribe) are a separate surface that doesn't use the authenticated `ServiceContext`; dedicated follow-up. - Connect `apps/server/src/routes/rpc/services/status-page/**` — ~1500 lines with 18 methods (page CRUD + components + groups + subscribers + view). Too big for this PR; dedicated follow-up, same shape as the Connect monitor deferral. - `createPage` / `newPage` — full vs minimal create; both enforce the `status-pages` plan cap and (for `createPage`) the per-access-type plan gates (password-protection, email-domain-protection, ip- restriction, no-index). - `deletePage` — FK cascade clears components / groups / reports / subscribers. - `listPages` — batched enrichment with `statusReports`. - `getPage` — enriched with `maintenances` / `pageComponents` / `pageComponentGroups`. - `getSlugAvailable` — pure check against `subdomainSafeList` + DB. - `updatePageGeneral` — with slug-uniqueness re-check on change. - `updatePageCustomDomain` — persists the DB change and returns the previous domain so the caller can diff. Vercel add/remove stays at the tRPC layer (external integration). - `updatePagePasswordProtection` — re-applies the same plan gates the `create` path uses. - `updatePageAppearance`, `updatePageLinks`, `updatePageLocales` (gated on `i18n` plan flag), `updatePageConfiguration`. - Audit action emitted for every mutation. All 13 procedures are thin wrappers. `delete` catches `NotFoundError` for idempotency. `updateCustomDomain` orchestrates: 1. `getPage` (via service) to read the existing domain. 2. `addDomainToVercel` / `removeDomainFromVercel` as needed. 3. `updatePageCustomDomain` (via service) to persist. - Biome scope adds `packages/api/src/router/page.ts`. The router imports `insertPageSchema` via the services re-export (`CreatePageInput`) so the db-import ban applies cleanly. - Subpath export `@openstatus/services/page`. - `__tests__/page.test.ts` covers `newPage` happy / reserved / duplicate, `createPage` monitor attachment + cross-workspace monitor, `updatePageGeneral` rename + duplicate-slug conflict + cross-workspace, `updatePageLocales` plan gate, list / get / slug-available workspace isolation, delete cross-workspace NotFoundError. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate Connect status-page page CRUD onto services Extends PR #2109 to cover the Connect RPC status-page handler's page CRUD surface (create / get / list / update / delete), matching the migration that landed for tRPC's `pageRouter`. The other 13 methods (components, groups, subscribers, viewer) still read the db directly — they're separate domains that'll need their own services in follow-ups. - create / get / delete call into `@openstatus/services/page` and preserve the granular Connect errors (`statusPageNotFoundError`, `slugAlreadyExistsError`) by pre-checking before the service call or catching `NotFoundError` → re-throwing the richer variant. - list fetches via the service and paginates in-memory; status-page quota is bounded per workspace so the extra enrichment is negligible. - update loads the existing page via the service, then orchestrates the per-section updates (`updatePageGeneral`, `updatePageLinks`, `updatePageAppearance`, `updatePageCustomDomain`, `updatePageLocales`, `updatePagePasswordProtection`) inside a shared transaction so a partial failure can't leave the page half-updated. Each service's internal `withTransaction` detects the pre-opened tx and skips nesting. - Proto-specific format validations (https icon URL, custom-domain regex, IPv4 CIDR, email-domain shape) and the i18n PermissionDenied path stay at the handler — they don't exist in the zod insert schema and their error codes would change if deferred to the service. - `Page` from the service parses `authEmailDomains` / `allowedIpRanges` into arrays, while the converters (still used by the unmigrated methods) expect the comma-joined string form. `serviceToConverterPage` bridges the two shapes at the call sites that need it. Biome scope deliberately unchanged: the file still imports from `@openstatus/db` for the 13 legacy methods, so the override would light up the whole file. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page): address Cubic review on #2109 Four issues flagged across two Cubic reviews: - `createPage` skipped `assertSlugAvailable`, so full-form creates could bypass reserved/duplicate slug validation and either create a duplicate or fail late on a DB constraint instead of the clean `ConflictError`. Added the check alongside the existing quota gate. - `createPage` passed `passwordProtected` / `allowedIpRanges` but not `allowIndex` to `assertAccessTypeAllowed`, bypassing the `no-index` plan gate on create. Now forwarded. - `UpdatePagePasswordProtectionInput.allowedIpRanges` accepted arbitrary strings. Mirrored the CIDR validation from `insertPageSchema` — bare IPs get `/32` appended, everything pipes through `z.cidrv4()`. - `updatePagePasswordProtection` wrote `authEmailDomains: input.authEmailDomains?.join(",")`, which evaluates to `undefined` when the caller clears the field. Drizzle treats `undefined` as "skip this column" on `.set()`, so stale email domains survived an access-type switch. Added the `?? null` fallback to match the neighboring `allowedIpRanges` line. This fixes the Connect `updateStatusPage` path where switching away from AUTHENTICATED sets `nextAuthEmailDomains = undefined` expecting the column to clear. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate workspace / user / invitation / api-key (PR 8/N) (#2110) * feat(services): migrate workspace / user / invitation / api-key (PR 8/N) Stacked on PR #2109. Eighth migration — four small domains consolidated into one PR because each is narrow (roughly two to five procedures) and they share no structural dependencies beyond already-migrated infrastructure. **workspace** — `getWorkspace`, `getWorkspaceWithUsage` (pages + monitors + notifications + page-components batched via drizzle relations), `listWorkspaces` (takes `userId` explicitly since `list` runs across every workspace the user has access to), `updateWorkspaceName`. **user** — `getUser` (active, non-soft-deleted), `deleteAccount` (the paid- plan guardrail stays; removes non-owned memberships, sessions, OAuth accounts and blanks the PII columns inside a single tx). **invitation** — `createInvitation` (plan gate counts pending invites against the members cap so two outstanding invites can't both accept past the limit), `deleteInvitation`, `listInvitations`, `getInvitationByToken` (scoped by token **and** accepting email to prevent token-sharing), `acceptInvitation` (stamps acceptedAt + inserts membership atomically). **api-key** — `createApiKey` (returns plaintext token once), `revokeApiKey` (workspace-scoped existence check inside the tx so concurrent revokes resolve to a consistent NotFound rather than a silent no-op), `listApiKeys` (replaces the legacy per-row `Promise.all` fan-out with a single IN query for creator enrichment), `verifyApiKey` + `updateApiKeyLastUsed` (no ctx required — the verify path runs before workspace resolution and callers pass an optional `db` override). All 14 procedures become thin `try { return await serviceFn(...) } catch { toTRPCError }` wrappers. Router shapes stay identical so the dashboard needs no changes. Connect + Slack don't expose these domains today; migrating their consumers is a follow-up. Biome `noRestrictedImports` override adds the four router files. Subpath exports `@openstatus/services/{workspace,user,invitation,api-key}` added to the services package. Deletes `packages/api/src/service/apiKey.ts` and its tests — fully superseded by `packages/services/src/api-key/`. The auth middleware in `apps/server` has its own inline apiKey verification and is unaffected. - **`domain.ts`** — pure Vercel-API proxy with no DB usage; not part of the migration surface. Stays as-is. - **`packages/api/src/service/{import,telegram-updates}.ts`** — import migration is PR 9; telegram-updates stays for a follow-up. Per-domain `__tests__/*.test.ts` covers: workspace rename + audit, usage counts, members cap hit on free plan, invitation token-mismatch rejection, accept idempotency, api-key creation returning a bcrypt hash, list creator enrichment, revoke NotFoundError on unknown ids, verifyApiKey happy / bad- format / wrong-body paths, lastUsed debounce. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Cubic review on #2110 Four issues flagged on PR 8: - **P1 — `invitation/accept.ts`**: the read-then-write pattern let two concurrent accepts both pass the `isNull(acceptedAt)` check and race through the membership insert. Replaced with a conditional UPDATE that re-asserts `isNull(acceptedAt)` in the WHERE clause and checks `.returning()` rowcount. The loser gets `ConflictError`, the tx aborts before membership inserts run. - **P2 — `api-key/create.ts`**: `createdById` was taken from input and the router spliced in `ctx.user.id`. Since that column is attribution data (who owns the key, who the audit row blames), trusting input would let any caller forge ownership. Derived from `ctx.actor` via `tryGetActorUserId`; actors without a resolvable user id (system / webhook / unlinked api-key) now get `UnauthorizedError` instead of a silent NULL write. `createdById` removed from the input schema. - **P2 — `invitation/delete.ts`**: audit row was emitted even when the DELETE matched zero rows (unknown id / wrong workspace). Switched to `.returning({ id })` and short-circuit before the audit emit so the log only reflects actual deletions. - **P2 — `invitation/list.ts`**: the `if (!input.email)` → `UnauthorizedError` branch in `getInvitationByToken` was unreachable because `z.email()` already rejects empty / malformed emails at `.parse()`. Removed the dead branch; the router keeps its own pre-call check for `ctx.user.email`, so the transport-level UnauthorizedError path is preserved. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate import domain (PR 9/N) (#2111) * feat(services): migrate import domain (PR 9/N) Stacked on PR #2110. Ninth and final domain — lifts the ~1,000-line `packages/api/src/service/import.ts` orchestrator into the services package as its own `@openstatus/services/import` domain. Split into focused files: - **`schemas.ts`** — `PreviewImportInput` / `RunImportInput` zod. Provider discriminator + per-provider page-id fields live here; options schema is separately exported for callers that want to pre-validate. - **`provider.ts`** — `createProvider` factory + `buildProviderConfig` reshape helper, isolated from the orchestrator so adding a provider is a one-file change. - **`limits.ts`** — `addLimitWarnings` (shared by preview + run). Pure mutation on the `ImportSummary` argument; no writes. - **`utils.ts`** — `clampPeriodicity` + `computePhaseStatus` helpers. - **`phase-writers.ts`** — the seven phase writers (page / component groups / components / incidents / maintenances / monitors / subscribers). Each takes a `DB` explicitly so callers can thread a pre-opened tx; failing resources get `status: "failed"` with an error string rather than throwing. - **`preview.ts`** — dry-run only; validates credentials, runs the provider with `dryRun: true`, emits warnings. - **`run.ts`** — the orchestrator. Now owns the `pageId` ownership check (previously duplicated in the tRPC router) and emits exactly **one** `import.run` audit row regardless of outcome so partial / failed runs still show up in the audit signal. Deliberately *not* wrapped in `withTransaction` — imports can span minutes across dozens of writes and the existing UX is phase-level recovery. 124 lines → 28 lines. The router is now a thin `previewImport` / `runImport` wrapper; the input schemas and all validation live in the service. The router-level `TRPCError`-throwing `pageId` ownership check moved into `runImport` so non-tRPC callers (Slack / future) get the same guard. - Provider validation failure: `TRPCError("BAD_REQUEST")` → `ValidationError` → `TRPCError("BAD_REQUEST")`. Net-same. - Unknown / wrong-workspace `pageId`: `TRPCError("NOT_FOUND")` → `NotFoundError` → `TRPCError("NOT_FOUND")`. Net-same. - Unit tests for `addLimitWarnings` / `clampPeriodicity` / `computePhaseStatus` move to `packages/services/src/import/__tests__/`. - Router integration tests (`packages/api/src/router/import.test.ts`) that previously called `previewImport` / `runImport` directly to override workspace limits now route through `makeCaller(limitsOverride)` with an explicit `provider: "statuspage"` field. This also fixes four pre-existing TypeScript errors where those calls were missing the (required) provider discriminator. - Biome `noRestrictedImports` override adds `packages/api/src/router/import.ts`. - Subpath export `@openstatus/services/import` added. - `@openstatus/importers` added to services deps; services `tsconfig.json` bumped to `moduleResolution: "bundler"` so the importers package-exports map resolves (same setting `packages/api` already uses). Deletes `packages/api/src/service/import.ts` (1042 lines) and its test file (463 lines). Only `telegram-updates.ts` remains in `packages/api/src/service/` — that's slated for a follow-up PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services/import): per-resource audit + Cubic fixes on #2111 Two changes folded together: Every phase writer now emits one `emitAudit` row per *created* resource, matching what the domain services emit for normal CRUD: | Phase | Audit action | --- | --- | page | `page.create` | componentGroups | `page_component_group.create` | components | `page_component.create` | monitors | `monitor.create` | incidents | `status_report.create` + `status_report.add_update` per update | maintenances | `maintenance.create` | subscribers | `page_subscriber.create` Skipped resources don't emit (their original create audit already exists); failed resources don't emit (nothing was written); link-table rows (statusReportsToPageComponents etc.) don't emit (edges, not entities). Metadata always carries `source: "import"` + `provider: <name>` + `sourceId: <provider-id>` so the audit trail traces back to the source system. The rollup `import.run` audit still fires at the end — the per-resource rows give forensic granularity, the run-level row gives "this bulk operation happened" without scanning the full summary blob. For the change, phase writers now take a shared `PhaseContext = { ctx, tx, provider }` instead of `(db, workspaceId, limits)` — the orchestrator builds one `PhaseContext` per run and threads it through, giving each writer access to `ctx.actor` for audit attribution. `statusReportUpdate` writes now use `.returning({ id })` so the per-update audit can attribute the right row. - **`run.ts:130`** — phases after `page` kept their provider-assigned status when `targetPageId` was falsy but the user option wasn't `false`. Replaced the narrow `else if (option === false)` branches with a plain `else → phase.status = "skipped"`, matching what `subscribers` already did. - **`run.ts:147`** — when the `components` phase hit `remaining <= 0`, the phase was marked `"failed"` but individual resource statuses were left stale with no error string. Each resource is now marked `"skipped"` with `"Skipped: component limit reached (N)"`, matching `writeMonitorsPhase`. Phase-level status becomes `"skipped"` too (was `"failed"` — failed implied a writer error, this is really a plan-limit pre-check). - **`provider.ts`** — both `createProvider` and `buildProviderConfig` had a `default:` that silently ran the Statuspage adapter for any unknown provider name, which would mask a typo by handing a non- Statuspage api key to the wrong adapter. Replaced with exhaustive `case "statuspage"` + `never`-typed default throw. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(services): rename rpc/services → rpc/handlers (PR 10/N) (#2112) The symbolic deliverable from the plan's "close the loop" PR. Renames `apps/server/src/routes/rpc/services/` → `apps/server/src/routes/rpc/handlers/` so the distinction between "the services layer" (owns business logic, lives in `packages/services`) and "Connect transport handlers" (thin proto → service → proto wrappers) is permanent and visible in the path. Keeping the old name invites the next developer to "just add one small thing" to a file under a `services/` folder months later; the rename makes the layering explicit. - `git mv` of the six domain subdirectories + their tests (health / maintenance / monitor / notification / status-page / status-report). - `router.ts` import paths updated from `./services/*` to `./handlers/*`. - Biome `overrides.include` paths updated to the new location. - Added `apps/server/src/routes/rpc/handlers/health/**` to the scope — the health handler has no db usage today; including it locks in that invariant. Rather than pretending the full "close the loop" deliverable is possible today, the biome.jsonc comment now enumerates exactly what remains unmigrated: - `packages/api/src/router/statusPage.ts` — public viewer endpoints under `publicProcedure`, no authed `ServiceContext`. - `packages/api/src/router/{member,integration,monitorTag, pageSubscriber,privateLocation,checker,feedback,stripe,tinybird, email}.ts` — small domains not yet lifted. - `apps/server/src/routes/rpc/handlers/monitor/**` — 6 jobType-specific methods still on db. - `apps/server/src/routes/rpc/handlers/status-page/**` — page CRUD is migrated (PR 7), but components / groups / subscribers / viewer (13 methods) still import db, so the whole file stays out of scope. - `apps/server/src/routes/v1/**` — the public HTTP API surface. - `apps/server/src/routes/slack/**` except `interactions.ts` — tools, handler, oauth, workspace-resolver still on db. - `apps/server/src/routes/public/**` — public-facing HTTP routes. Each of the above is its own PR-sized migration. The final consolidation (broadening to `router/**` + dropping `@openstatus/db` from `packages/api` and `apps/server`) is conditional on all of them landing first. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/import): use ctx workspaceId for page insert `writePagePhase` was inserting with `data.workspaceId` — the value the provider package round-tripped into resource data. Every other phase writer (monitor / components / subscriber) already reads `workspaceId` from `ctx.workspace.id`; this lines the page insert up with that pattern. Defends against the (unlikely) case where a provider mapper serialises the wrong workspace id into its output, since `ctx` is the authoritative source. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude review findings on #2110 Six findings from Claude's review pass — five code/doc fixes, one documentation-only note. **P2 — `acceptInvitation` derives userId from `ctx.actor`.** Was taking it from input: the email scoped *which* invitation could be accepted, but not *who* the membership was inserted for. A caller with the right token+email could insert a membership under an arbitrary user id. Removed `userId` from `AcceptInvitationInput`; derived from `tryGetActorUserId(ctx.actor)`, throws `UnauthorizedError` for non-user actors. Mirrors the same pattern applied to `createApiKey.createdById` in the Cubic pass. Router and test updated accordingly. **P2 — `getWorkspace` throws `NotFoundError` explicitly.** `findFirst` + `selectWorkspaceSchema.parse(undefined)` was throwing `ZodError` (→ `BAD_REQUEST`) instead of the `NotFoundError` shape every other service uses. Unreachable in practice (ctx.workspace is resolved upstream) but the error shape was the only outlier; consistency matters for callers pattern-matching on error codes. **P3 — `listApiKeys` filters null `createdById` before the IN query.** The new `createApiKey` path enforces a non-null creator, but legacy rows may have null. SQL's `x IN (NULL)` is `UNKNOWN` — technically safe — but drizzle types model the array as `number[]`. Filtering upfront keeps the types honest and sidesteps any future surprise. **P3 — `deleteInvitation` guards `acceptedAt IS NULL`.** The WHERE previously allowed hard-deleting *accepted* invitations, wiping the "user was invited on X" breadcrumb. Added the `isNull(acceptedAt)` guard + doc comment explaining the audit-trail preservation intent. **Doc-only — `deleteAccount` orphan comment.** Non-owner memberships are removed, but owner memberships + owned workspaces survive. Matches legacy behavior. Added a scope-note docblock flagging that workspace cleanup is explicitly out of scope (belongs to a future admin / scheduled job). **Doc-only — `createInvitation` role comment.** The invite insert lets `role` fall through to the schema default (`member`). Matches legacy (which also only picked `email`). Comment added so the absence reads as deliberate rather than overlooked. Minor — the concurrent-accept race test is covered by the conditional UPDATE + `ConflictError` path from the earlier P1 fix; mocking it reliably against SQLite is noisy and not worth the test complexity. Documented in the related code comment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude re-review findings on #2110 Four issues surfaced after the first round of fixes on this PR: **P2 — `listApiKeys` crashes on all-legacy keys.** After the null filter added in the previous commit, workspaces whose keys all pre-date the services migration (every `createdById` null) end up with `creatorIds === []`. Drizzle throws "At least one value must be provided" on an empty `inArray`, taking the whole endpoint down. Added an early return that maps `createdBy: undefined` when there are no non-null creator ids to look up. **P2 — `getWorkspaceWithUsage` ZodError on missing row.** Same `findFirst` + `selectWorkspaceSchema.parse(result)` pattern as `getWorkspace`, but without the `NotFoundError` guard that got added in the earlier pass. Added the guard. Also cleaned up the usage block — no longer needs optional chaining once the narrowing fires. **P2 — `deleteAccount` took `userId` from input.** Completing the `createApiKey` / `acceptInvitation` pattern: account deletion must target `ctx.actor`, never an arbitrary id. Dropped `userId` from `DeleteAccountInput` (now an empty forward-compat shape), derived inside the service via `tryGetActorUserId`, throws `UnauthorizedError` for non-user actors. Router updated to stop passing it. **P3 — `createInvitation` dev-token log could leak in tests.** Tightened the comment around the `process.env.NODE_ENV === "development"` guard to flag that strict equality is load-bearing — bun:test sets `NODE_ENV=test` and CI leaves it undefined, both of which correctly skip the log. No behavior change, just a clearer contract so the next reader doesn't loosen it. Cubic's two findings on this review pass point at `packages/api/src/ router/import.ts` and `packages/services/src/import/limits.ts` — both live in the next PR up the stack (#2111 / feat/services-import) and will be addressed there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2110 Four findings from the third Cubic review (now that #2111's import domain is included in the #2110 diff via the stack): **P2 — biome.jsonc notification handler scope.** Only `notification/index.ts` was in the `noRestrictedImports` override. Sibling files (`errors.ts`, `test-providers.ts`) were outside the migration guard, so new db imports could land in them without the lint failing. Broadened to `notification/**` and moved the two files that *legitimately* still read db (`limits.ts` querying workspace quotas, `converters.ts` needing db enum shapes for proto round-trip) into the `ignore` list. Future siblings are enforced by default rather than silently slipping through. **P2 — `clampPeriodicity` unknown values returned too fast.** `PERIODICITY_ORDER.indexOf("unknown") === -1` → `Math.max(-1, 0) === 0` → walk started at `"30s"` (the fastest tier). Could return an interval faster than requested, violating the "never-faster-than-requested" invariant. Short-circuits now to the slowest allowed tier when the requested value isn't a known periodicity. Added unit tests covering the unknown-value + empty- allowed fallback paths. **P2 — component/monitor limit warnings counted total resources, not quota-consuming inserts.** If the import contained 4 components and 3 already existed (would be skipped as duplicates), the warning claimed `"Only X of 4 can be imported"` — but actually zero quota would be consumed by the 3 skips, so the real new-creation count might fit entirely. Reworded to `"Only N new components may be created … some of the M in the import may already exist and be skipped"`. Same treatment for the monitors warning. Preview stays DB-light (no per-resource existence checks); the warning now honestly conveys worst-case without misleading users about what will actually happen. Test assertions updated to match the new wording with substring matches that aren't tied to the exact fraction. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page): address Claude review on #2109 Six items from Claude's review, going with the calls I leaned toward in the question-back: **P2 — tRPC `updateCustomDomain` wasteful `getPage` read.** Was calling `getPage(id)` (fires 3 batched relation queries: maintenances + components + groups) just to grab `customDomain` before the Vercel add/remove calls. Added a narrow `getPageCustomDomain` service helper — single indexed lookup, workspace-scoped, returns the string directly. Router swapped over. Service-layer authority preserved; no db reads leak into the router. **P2 — Connect `updateStatusPage` slug-race code drift.** Handler pre-checks slug to surface `slugAlreadyExistsError` (`Code.AlreadyExists`). The `updatePageGeneral` service call re-validates via `assertSlugAvailable` → `ConflictError` → `Code.InvalidArgument` in the race where two callers both clear the pre-check. Wrapped the call in `try/catch (ConflictError)` and rethrow as `slugAlreadyExistsError(req.slug)` so gRPC clients keying on the code get a consistent `AlreadyExists` whether they lose at the pre-check or at the inner tx. **P2 — Connect `createStatusPage` / `updateStatusPage` customDomain without Vercel sync.** Pre-existing behaviour (the direct-db handler had the same gap). Added a top-of-impl comment so it doesn't go unnoticed — the fix is a shared transport-layer helper the Connect handlers can reuse, out of scope for this migration PR to keep the behavioural blast radius small for external API consumers. **P3 — double cast `row as unknown as Page` in `create.ts`.** The drizzle insert-returning type and the `Page` type diverge on `authEmailDomains` / `allowedIpRanges` (raw comma-joined string vs parsed `string[]`). Replaced the double casts with `selectPageSchema.parse(row)` which normalises the row into the shape callers expect. Cast-drift is now impossible to introduce silently. **P3 — `void ConflictError;` workaround.** Import was unused in `create.ts`; the `void` line was silencing the unused-import warning rather than fixing the cause. Removed both. **P3 — deprecated `passwordProtected` column.** Added a doc block on `updatePagePasswordProtection` flagging that the deprecated boolean column is intentionally not written here (the v1 REST read path derives it from `accessType` via `normalizePasswordProtected`). Prevents a future reader from mistaking the omission for an oversight and writing two sources of truth for the same signal. Test coverage for the 5 untested update services (`updatePagePasswordProtection`, `updatePageCustomDomain`, `updatePageAppearance`, `updatePageLinks`, `updatePageConfiguration`) deferred to a follow-up per Claude's "not blocking" marker — the failing-edge behaviour is the critical bit, and `updatePagePasswordProtection` already has indirect coverage through the Connect handler tests on this branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude review on #2108 Four items from Claude's review of the Connect notification handler backfill: **P3 — `protoDataToServiceInput` swallowed parse failures.** `try { JSON.parse } catch { return {} }` was hiding any malformed output from `protoDataToDb` (which would be a programmer error, not user-input) behind a generic empty-object fallback. The downstream `validateNotificationData` then failed with a far less specific error. Let the throw propagate — `toConnectError` maps it to `Code.Internal`, which is the signal we want for "the helper itself misbehaved." **P3 — `createNotification` response approximated the monitor IDs.** Was echoing `Array.from(new Set(req.monitorIds))` on the happy path (correct, since the service validates + throws on invalid) but the approximation diverged from `updateNotification`'s re-fetch pattern. Now re-fetches via `getNotification` after create so the response reflects what's actually in the DB — one extra IN query per create, eliminates the approximation entirely, makes both handlers structurally identical. **P3 — `sendTestNotification` bypassed `toConnectError`.** Only handler in the impl without a `try { … } catch { toConnectError }` wrap, so any thrown `ServiceError` / `ZodError` from `test-providers.ts` fell through to the interceptor's generic catch and surfaced with a less precise gRPC status. Wrapped for symmetry. **P3 — `JSON.parse(existing.data)` null-unsafe.** Drizzle infers `notification.data` as `string | null` (the column has `default("{}")` but no `.notNull()`). A legacy row with `NULL` in the column would crash `updateNotification` with `SyntaxError` during the partial-update read-modify-write. Added `?? "{}"` fallback and a comment pointing at the schema. Cubic's single finding from the earlier pass (dedupe of `req.monitorIds` in the create response) was already applied in `b69ad13` and has now been superseded by the re-fetch above. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2108 Five findings from Cubic's second review cycle on this PR, all on files that entered this branch via the #2109 (status-page) and #2111 (import) squash-merges stacked on top. Fixing here so the cumulative state reaching main is clean. **P1 — `page/create.ts` double-encoded JSON configuration.** `page.configuration` is a drizzle `text("…", { mode: "json" })` column — drizzle serialises objects automatically. Calling `JSON.stringify(configuration)` first stored a raw JSON string in the column, breaking any downstream read that expects an object (e.g. the appearance merge at `update.ts:185`). Dropped the wrap; drizzle handles it. **P2 — `page/schemas.ts` slug + customDomain validation weaker than insert schema.** `NewPageInput.slug`, `GetSlugAvailableInput.slug`, and `UpdatePageGeneralInput.slug` were `z.string().toLowerCase()` — no regex, no min-length. `UpdatePageCustomDomainInput.customDomain` was `z.string().toLowerCase()` — no format check. Meant the service would accept malformed slugs / URLs that `createPage` would then reject via `insertPageSchema`, or — worse — that `getSlugAvailable` would confidently return "available" for garbage. Exported the canonical `slugSchema` + `customDomainSchema` from `@openstatus/db/src/schema/pages/validation` and reused them across all four service inputs; db validation is now the single source of truth for page slug/domain shape. **P2 — `api/router/import.ts` nullish → optional contract narrowing.** The service's `PreviewImportInput`/`RunImportInput` used `.optional()` for the three provider page-id fields, which dropped the `null` acceptance the legacy router had via `.nullish()`. Existing clients sending `null` would have started hitting `Invalid input` errors after the import migration landed. Added a `nullishString` transform in the service schema that accepts `string | null | undefined` and normalises to `string | undefined` before it reaches `buildProviderConfig` — callers keep the broader contract, service internals stay ignorant of `null`. **P2 — `page/update.ts` empty array stored "" not null.** `authEmailDomains?.join(",") ?? null` coerces `null`/`undefined` to `null`, but `[].join(",")` returns `""` (empty string) which `??` treats as a value. Callers sending `authEmailDomains: []` to clear the column were persisting the empty string instead of nulling it — misleading "present but blank" state. Switched to `|| null` on both array-join outputs (`authEmailDomains` + `allowedIpRanges`) so the three clearing inputs — `undefined`, `null`, `[]` — all land on DB `NULL` while real non-empty joins pass through unchanged. Test fixtures already use slugs ≥ 3 chars that match the regex, so the tightened validation doesn't break any existing assertions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page-component): address Cubic + Claude review on #2107 Three fixes + one test, addressing both the original Cubic finding and Claude's re-review pass. **P2 — Discriminated union for `componentInput`.** The flat `z.object` with `type: z.enum(["monitor", "static"])` and optional `monitorId` let callers submit a "monitor" component with no monitor id, or a "static" one with a monitor id attached. The DB catches it with a `CHECK` constraint, but that surfaces as an opaque SQLite CHECK failure instead of a clean `ZodError` at the service boundary. Replaced with a `z.discriminatedUnion("type", [...])` that requires `monitorId` on the "monitor" arm and omits it on the "static" arm. Fallout in `update-order.ts`: `c.monitorId` no longer exists on the "static" arm after narrowing, so the spreads now use `monitorId: c.type === "monitor" ? c.monitorId : null`. The defensive `&& c.monitorId` guards on the already-narrowed monitor branches are gone (TypeScript enforces the invariant the DB was catching late). **P2 — Sequential group insert instead of bulk `.returning()`.** The bulk insert relied on drizzle/SQLite returning rows in the same order they were inserted, so `newGroups[i]` could line up with `input.groups[i]` when mapping components to their groups. True on Turso today, but an implicit coupling — any driver change, batch split, or upstream sort could silently reorder rows and land components in the wrong group with no error signal. Switched to a loop that captures each group id before moving on; the set size is bounded by the status-page component-group plan cap so the extra round trips are a rounding error. **Nit — removed dead `hasStaticComponentsInInput` guard.** Both the "input has static components but none carry ids" and "input has no static components at all" branches collapsed to the same "drop all existing static components" action, so the outer `hasStaticComponentsInInput` conditional was doing no work. Dropped the variable and the nested branch. **Test — upsert idempotency.** The `onConflictDoUpdate` on `(pageId, monitorId)` was the riskiest untested path — a regression would silently insert duplicate rows on every re-invocation. Added a test that calls `updatePageComponentOrder` twice on the same page with the same `monitorId`, then asserts there's exactly one matching row and the second call's values won. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2107 + unblock build Eight Cubic findings from the second review plus one dashboard build break from my earlier discriminated-union change. **Build — router shape diverged from service discriminated union.** `packages/api/src/router/pageComponent.ts` kept its own flat `z.object({...})` input schema with `type: z.enum(["monitor", "static"])` and `monitorId: z.number().nullish()`. After the service switched to `z.discriminatedUnion("type", [...])`, TS couldn't reconcile the two — dashboard build failed. Replaced the local schema with the service's exported `UpdatePageComponentOrderInput` so both layers share the canonical shape. **P1 — page router: validate customDomain before Vercel call.** The router input was `z.string().toLowerCase()` (no format check) and the service's `customDomainSchema` only fired inside `updatePageCustomDomain`, *after* the Vercel add/remove mutations. A malformed domain could be added to Vercel, then rejected by the service, leaving Vercel/db state drifted. Switched the router input to the service's `UpdatePageCustomDomainInput` so format validation runs at tRPC input parsing, before any Vercel call. **P1 — `listApiKeys` leaked `hashedToken`.** `SELECT *` returned every column including the bcrypt hash of each key's one-time token, which has no business appearing in a list response. Replaced with an explicit column select that omits `hashedToken`. New `PublicApiKey` type (`Omit<ApiKey, "hashedToken">`) is the return shape; exported from the barrel. **P2 — `acceptInvitation` eager workspace load + second fetch.** The initial `findFirst` already loaded the workspace via `with: { workspace: true }`, but the return value re-fetched it by id. Use the joined value directly — one round-trip instead of two, and eliminates the read-skew window where a just-renamed workspace could appear with a different name in each fetch. **P2 — `import.run` audit entityId 0.** `entityId: targetPageId ?? 0` wrote a ghost `page 0` reference to the audit trail when the page phase failed before producing an id. Entity attribution now falls back to the workspace (`entityType: "workspace"`, `entityId: ctx.workspace.id`) when no target page is in play — real rollback signal, no phantom foreign key. **P2 — `page-components` limit scoped per-page, not workspace.** `page-components` is a workspace-wide cap (see `page-component/update-order.ts` — counts every component across every page). The import preview and run's component check were scoping the existing count to `targetPageId`, which understated pressure and would let imports push past the cap at write time. Both sites now count workspace-wide. **P2 — `writeIncidentsPhase` lacked idempotency.** Every other phase writer checks for an existing row before inserting (page by slug, monitor by url, component by name, subscriber by email); `writeIncidentsPhase` inserted unconditionally. A re-run would duplicate status reports on every pass. Added an existence check by `(title, pageId, workspaceId)` matching the convention. **P2 — `writeMaintenancesPhase` lacked idempotency.** Same pattern. Added a check by `(title, pageId, from, to, workspaceId)` — the `from/to` pair is load-bearing because maintenance titles recur ("DB upgrade") across unrelated windows. **P2 — `writeComponentsPhase` silent monitor→static fallback.** When the source monitor failed to resolve (e.g. `includeMonitors === false`), the component was silently degraded to `type = "static"` and reported as `created` with no explanation. Other phase writers populate `resource.error` on any degrade path. Added a matching error string pointing at the source monitor id (or lack thereof) so the summary conveys the degrade. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page-component): revert discriminated union to flat + .refine The previous commit switched `componentInput` in the service schema to a `z.discriminatedUnion("type", [...])` to get a clean `ZodError` at parse time for the monitor/static invariant. That produced a narrowed TS shape (`type: "monitor"` → required `monitorId: number`) that every caller had to match — including the dashboard form, where react-hook-form can't model discriminated unions cleanly and would have needed a flat→union adapter at submit time. The ripple was user-visible frontend churn for a schema-layer concern. Switched back to a flat `z.object` + cross-field `.refine` on `(type, monitorId)`. Same parse-time rejection Cubic asked for (ZodError with a specific path, not an opaque SQLite CHECK failure), but the inferred TS type stays flat so callers — router input, RHF form values — keep their existing shape. Also restored the downstream `&& c.monitorId` guards and `as number[]` casts in `update-order.ts`. With a flat schema, TS still sees `monitorId: number | null | undefined` on the monitor branch; the refine rejects violating input at parse time, but the guard is needed to narrow for the type system. Matches the pre-migration shape exactly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/import): reconcile component links on idempotent skip The idempotency checks in `writeIncidentsPhase` and `writeMaintenancesPhase` added in the previous pass correctly avoid duplicate status-report / maintenance rows on rerun, but `continue`-d out of the writer before the component-link insertion block. The failure mode this leaves open: 1. Run 1: component phase uses per-resource catch, so a single component can fail and leave `componentIdMap` partial. 2. The report/maintenance is written with a subset of the intended links — only the entries whose source id resolved in the map. 3. Run 2: the previously-failed component now succeeds and lands in `componentIdMap`. The report/maintenance idempotency check hits, `continue` fires, and the still-missing link is never written. Both join tables (`statusReportsToPageComponents`, `maintenancesToPageComponents`) have a composite primary key on `(parentId, pageComponentId)`. Running the same link-build pass on the skip path with `.onConflictDoNothing()` is a no-op for the links already present and adds any that resolved this time round. Matches the "reruns converge to correct state" model that motivated the idempotency checks in the first place. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): address Claude review pass Three small findings from the latest Claude review, bundled: **#1 — `list.ts` redundant `conditions` array.** `listNotifications` initialised a one-element `SQL[]` and spread it into `and(...)` with no second push site anywhere. Collapsed to a direct `eq(...)`. The pattern is load-bearing in `monitor/list.ts` (two conditions: workspace scope + soft-delete filter) but notifications have no soft-delete column, so the indirection was pure noise. **#2 — router `dataInputSchema` duplicated the service schema.** `packages/api/src/router/notification.ts` hand-rolled a `z.partialRecord` structurally identical to the `dataSchema` inside `packages/services/src/notification/schemas.ts`. Drift hazard: a future provider-value shape change in the service would be accepted at the tRPC layer and fail with an opaque error deeper in `validateNotificationData`. Renamed the service schema to `NotificationDataInputSchema`, exported it from the service barrel, and replaced the router's local copy + the now-unused `servicesNotificationProvider` alias. **#5 — `update.ts` audit missing `provider` metadata.** `createNotification` attaches `metadata: { provider: input.provider }` to its audit row; `updateNotification` didn't. The `provider` column is recoverable from the `before`/`after` rows, but asymmetric metadata breaks simple `action + metadata.provider` audit queries. Added `metadata: { provider: existing.provider }` for parity. Skipped the two non-fixes: the `enrichNotificationsBatch` drizzle-cast fragility is the same pattern as `monitor/list.ts`, worth a codebase- wide change rather than a single-domain carve-out; the `dataSchema` being "intentionally wide" is already called out in the schema JSDoc and is correct by design (provider/payload alignment is enforced at the service boundary by `validateNotificationData`). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(services/notification): cover update audit + post-downgrade gate Claude review noted two gaps in the `updateNotification` suite. Adding both: **`notification.update` audit row.** `createNotification` already asserts an audit row fires with `expectAuditRow`; the update path was silent. With the per-mutation audit contract (every write emits a row), the update case needs an equivalent pin so a regression that drops the emit site is caught. Note: the v1 audit buffer shape (`AuditLogRecord`) doesn't carry `metadata`, so the `{ provider }` payload can't be asserted directly here — that coverage lands with the v2 audit-table move, called out in the test comment. **Plan-gate after a downgrade.** The Cubic-flagged fix added `assertProviderAllowed(existing.provider)` to `updateNotification` so a previously-allowed channel becomes read-only once the workspace drops to a plan that no longer includes it. The regression test simulates the downgrade by directly inserting a `pagerduty` row into the free workspace (bypasses the create-time gate) and then calls `updateNotification` via `freeCtx` — asserts `LimitExceededError`. Without the gate the update would silently succeed and leave a channel on an unsupported plan. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Cubic P1/P2/P3 pass across the stack Twelve findings from Cubic's 2026-04-24 review on #2106. Fixes are bundled on this branch because the later-PR content has cascaded down via the 2107 squash-merge — each item is called out by file so the commit is easy to skim. **P1 — `import/phase-writers.ts` subscribers reconciliation.** `writeIncidentsPhase` and `writeMaintenancesPhase` already reconcile component links on the idempotent-skip path. `writeSubscribersPhase` didn't, so `pageSubscriberToPageComponent` rows lost to a partial first run are never recovered. Same `.onConflictDoNothing()` pattern, same composite-PK rationale. **P1 — `page/schemas.ts:129` UpdatePageAppearance accepts any theme.** `configuration.theme` was `z.string()`; the read path parses configuration through `pageConfigurationSchema` which uses the `THEME_KEYS` enum. Wrote-and-broke-read pairs are now impossible. Router now reuses `UpdatePageAppearanceInput` from services so the tRPC boundary enforces the same enum. **P1 — `page/schemas.ts:160` UpdatePageConfiguration too permissive.** Replaced the `z.record(z.string(), z.string()|z.boolean())` with `pageConfigurationSchema.nullish()`, which is what the read path already uses. Dashboard form's free-typed `configuration` values are cast at the mutation call-site (tRPC input parse catches invalid submits). **P2 — `page-component/internal.ts:39` validateMonitorIds.** Added `isNull(monitor.deletedAt)` so tombstoned monitor ids don't pass as valid attach targets. **P2 — `page-component/list.ts:71` enrichment returns deleted monitors.** Same `isNull(monitor.deletedAt)` filter on the enrichment lookup so `component.monitor` is never populated with a tombstoned row. **P2 — `page-component/update-order.ts:277` stale ID set for statics.** `existingComponentIds` was built from the pre-delete snapshot of `existingComponents`. If an input static carried an id that matched a monitor component just removed (because its `monitorId` dropped out of the input set), the `has(id)` check sent the row to the UPDATE branch, which silently no-op'd against the now-deleted id and lost the new static. New set filters by `type === "static"` and subtracts `removedComponentIds` so only surviving static ids take the update path. **P2 — `invitation/accept.ts:75` re-assert invitation expiry.** Conditional UPDATE only re-checked `acceptedAt IS NULL`. An invitation expiring between the initial read and the update could still be claimed. Added `gte(expiresAt, now)` to the UPDATE predicate. **P2 — `invitation/accept.ts:82` duplicate workspace membership.** `.onConflictDoNothing()` on `usersToWorkspaces` insert keyed on the `(userId, workspaceId)` composite PK. An already-member invitee previously blew up the unique constraint *after…

Seven findings from the 2026-04-24 pass, bundled. Most land on content that cascaded in via the PR #2105 monitor squash — fixes touch files that are in #2104's diff. **Medium (Claude) — `narrowMonitor` broke list on any orphan.** `router/incident.ts:57` threw a plain `Error` when any incident's `monitor` was null, so a single migration artifact took the whole incidents list down (`/overview`, `/monitors/:id/incidents`) and leaked the incident id via `toTRPCError`'s `INTERNAL_SERVER_ERROR` wrap. Replaced with a `hasMonitor` type-predicate that logs a `console.warn` and filters. Orphan stays visible in logs; list keeps serving. **Cubic — `monitor/delete.ts` missed `privateLocationToMonitors`.** Both single and bulk soft-delete now tear down the join rows. Without this, scheduling queries keep routing probes to tombstoned monitors. **Cubic — `api-key/create.ts` leaked `hashedToken` on create.** `createApiKey` returned the full drizzle row including the bcrypt hash. Switched the return type to `PublicApiKey` (same `Omit<ApiKey, "hashedToken">` already used by `listApiKeys`) and destructure `hashedToken` out before returning. Router signature unchanged. **Cubic — Connect `protoProviderToDb` silently fell back to email.** `converters.ts` mapped any unknown/unspecified `NotificationProvider` enum value to `"email"`, so a malformed/zeroed proto message would silently create an email channel. Now throws `ConnectError` with `Code.InvalidArgument` — callers see a clear signal instead of a wrong-shape row landing in the db. **Cubic — `notification/list.ts` unstable ordering on tied `createdAt`.** Added `id` as a secondary sort key matching the primary direction. Tied-timestamp ties now resolve deterministically so paging doesn't drop/duplicate rows. **Claude — missing tests.** Two gaps closed: - `deleteIncident` test now asserts the audit row. - `resolveIncident` gets the cross-workspace `NotFoundError` test that `acknowledgeIncident` already had — symmetric coverage. **Claude info-item (no code change).** `ConflictError` maps to tRPC `CONFLICT` (HTTP 409) in `service-adapter.ts`, whereas the pre-migration router threw `BAD_REQUEST` (HTTP 400) for "already acknowledged / resolved". 409 is semantically correct (conflicting state, not malformed input). Verified the only tRPC consumer is the dashboard, which uses `onSuccess` and doesn't inspect `httpStatus` — migration is safe. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(services): migrate incident domain onto service layer Third domain migration, stacked on maintenance. tRPC-only — no Connect handler, no Slack path — so this PR mostly exercises the `ServiceContext` actor variants without surface-specific adapters. ## Services (`packages/services/src/incident/`) - `acknowledgeIncident`, `resolveIncident`, `deleteIncident`, `listIncidents`, `getIncident`. - Both `acknowledge` / `resolve` stamp the acting user's id onto `acknowledged_by` / `resolved_by` via the new `tryGetActorUserId` helper on `ServiceContext`. Non-user actors (system, webhook, API keys without a linked userId) stamp `null`. - Idempotent `ConflictError` when an incident is already acknowledged or resolved — matches existing tRPC's `BAD_REQUEST` semantics. - All mutations wrapped in `withTransaction`, emit `emitAudit`. ## list.ts - Batch-enriches monitors via a single IN query against distinct `monitorId`s — pairs well with the 10_000 sentinel tRPC passes. Avoids the N+1 Cubic flagged on the maintenance PR. ## Surfaces - **tRPC** (`packages/api/src/router/incident.ts`): all four procedures call services. `delete` catches `NotFoundError` to preserve the pre-migration idempotent behaviour. `list` narrows `monitor` to non-null in the return type — every incident is expected to have an associated monitor via the FK. `acknowledge` / `resolve` still return `true` to match the old contract. ## Context helper - `tryGetActorUserId(actor)` in `packages/services/src/context.ts` — returns the openstatus user id for user/apiKey/slack actors when available, `null` for system/webhook. Exported from the root barrel. ## Enforcement - Biome `noRestrictedImports` scope adds `packages/api/src/router/incident.ts`. - Subpath export `@openstatus/services/incident`. ## Tests - `packages/services/src/incident/__tests__/incident.test.ts` — happy paths for acknowledge / resolve / delete, already-acknowledged and already-resolved `ConflictError`, workspace isolation across all mutations, list workspace isolation, and the batch monitor enrichment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/incident): address Cubic review - **TOCTOU on acknowledge / resolve** — the old read-then-update allowed two concurrent acknowledgers (or resolvers) to both succeed. Replaced with a conditional update (`WHERE acknowledged_at IS NULL` / `WHERE resolved_at IS NULL`); the loser of the race gets no row back and we throw the same `ConflictError` the pre-read would have raised. Dropped the now-unreachable `InternalServiceError` branch. - **Monitor enrichment workspace scope** — `enrichIncidentsBatch` now filters `monitor.workspaceId = ctx.workspace.id` alongside the `inArray` on monitor id. Defence-in-depth: the `incident.monitorId` column has no FK against workspace ownership, so a cross-workspace pointer (however unlikely) no longer leaks the other workspace's monitor row. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate monitor domain tRPC (PR 4/N) (#2105) * feat(services): migrate monitor domain tRPC onto service layer Fourth domain, the largest so far. Migrates the **tRPC** monitor router (all 14 procedures) onto `@openstatus/services/monitor`. The Connect handler (`apps/server/src/routes/rpc/services/monitor/`) and the v1 REST `apps/server/src/routes/v1/monitors/*` endpoints stay untouched for now — they are separate external-API surfaces and warrant their own follow-up PRs with their own test suites. - `createMonitor`, `cloneMonitor`, `deleteMonitor`, `deleteMonitors` (bulk soft-delete), `getMonitor`, `listMonitors`. - `updateMonitorGeneral` — preserves the existing tRPC `updateGeneral` behaviour including jobType switching (HTTP ↔ TCP ↔ DNS). Called out as a code smell in the explore, but preserved intentionally since it's the dashboard's current edit flow. Kept jobType-agnostic rather than split into 3 separate update methods. - `updateMonitorRetry`, `updateMonitorFollowRedirects`, `updateMonitorOtel`, `updateMonitorPublic`, `updateMonitorResponseTime` — field-specific setters. - `updateMonitorSchedulingRegions` — enforces plan limits (periodicity / region-count / region-access) + validates the private-location ids before replacing the association set. - `updateMonitorTags`, `updateMonitorNotifiers` — validate and replace the tag / notifier association sets. - `bulkUpdateMonitors` — batched toggle of `public` / `active` across multiple monitor ids. Matches the old `updateMonitors` procedure. - All mutations run inside `withTransaction`, emit `emitAudit`. - Cascade deletes: `monitor_tag_to_monitor`, `notifications_to_monitors`, `page_component` rows are torn down on delete (matches pre-migration behaviour — bypasses FK cascades because some rows reference the monitor without cascade). - `validateTagIds` / `validateNotificationIds` / `validatePrivateLocationIds` — workspace-scoped validators with dedupe. - `pickDefaultRegions(workspace)` — ports the old "randomly pick 4 free / 6 paid regions excluding deprecated" logic. - `serialiseAssertions` / `headersToDbJson` — assertion / header serialisation moved out of the tRPC router. - `countMonitorsInWorkspace` for quota checks. `listMonitors` does two IN queries (tags + incidents) regardless of list size. `getMonitor` reuses the same path with the richer `{ notifications, privateLocations }` toggle and a singleton. Same pattern as status-report's batched fix. - **tRPC** (`packages/api/src/router/monitor.ts`): every procedure is a thin wrapper. `delete` catches `NotFoundError` for idempotency. `new` / `updateGeneral` keep the `testHttp` / `testTcp` / `testDns` pre-save check at the tRPC layer — services unconditionally save, callers decide whether to pre-validate. - Connect RPC handler at `apps/server/src/routes/rpc/services/monitor/` — still uses its own helpers. Will be migrated in a follow-up (4b). - v1 REST endpoints at `apps/server/src/routes/v1/monitors/*` — yet another external surface; dedicated PR later. - `packages/api/src/service/import.ts` monitor writes — covered by the plan's dedicated PR 9. - Biome `noRestrictedImports` scope adds `packages/api/src/router/monitor.ts`. The Connect monitor handler stays out of scope until 4b. - Subpath export `@openstatus/services/monitor`. - `packages/services/src/monitor/__tests__/monitor.test.ts` — create (http / tcp / dns), delete cascade, bulk delete, clone, tags / notifiers validation (forbidden when cross-workspace), list / get with workspace isolation + soft-delete hiding, updateMonitorGeneral round-trip. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): declare @openstatus/regions + @openstatus/assertions deps The monitor domain pulls `regionDict` from `@openstatus/regions` (for the default-region picker) and assertion classes / validators from `@openstatus/assertions`. Both were missing from `packages/services/package.json`, so Vercel's Next.js build for `apps/status-page` — which transitively imports the services package via `@openstatus/api` — failed with "Module not found" on `packages/services/src/monitor/internal.ts:20` and `schemas.ts:1`. Local pnpm workspaces resolved the imports via hoisting, which masked the missing declarations until an actual Next.js build forced strict resolution. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/monitor): address Cubic review - **`timeout` / `degradedAfter` bounds** (schemas.ts) — mirror the 0–60_000 ms cap from `insertMonitorSchema`. Values outside the range are rejected before the UPDATE instead of being silently persisted. - **`jsonBody` assertion mapping** (internal.ts) — the serialiser was silently dropping `jsonBody`-typed input because the runtime class wasn't wired up. Added the `JsonBodyAssertion` branch; the class has existed in `@openstatus/assertions` the whole time, this was just a missing case. - **Clone resets `status`** (clone.ts) — cloning no longer inherits the source's current `error`/`degraded` health. Freshly cloned monitors start at `"active"` and settle on their first check. - **Delete filters soft-deleted** (delete.ts) — the pre-check now includes `isNull(monitor.deletedAt)`, so a repeat delete returns `NotFoundError` (preserved as idempotent at the tRPC layer) instead of re-running the cascades and emitting duplicate audits. - **List/get workspace scope on relations** (list.ts) — `enrichMonitorsBatch` takes `workspaceId` and scopes the incident / tag / notification / private-location IN queries to the caller's workspace. Defence-in-depth against inconsistent FK data (none of those tables enforce workspace ownership at the FK level). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate notification CRUD (PR 5/N) (#2106) * feat(services): migrate notification CRUD onto service layer Fifth domain. Migrates the four CRUD procedures — `list`, `new`, `updateNotifier`, `delete` — of the notification tRPC router onto `@openstatus/services/notification`. The three integration-helper procedures (`sendTest`, `createTelegramToken`, `getTelegramUpdates`) stay inline at the tRPC layer and are explicitly out of scope for this migration. - `createNotification` — enforces plan limits on both the channel count (`notification-channels`) and the provider itself (`sms` / `pagerduty` / `opsgenie` / `grafana-oncall` / `whatsapp` require plan flags); validates the loose `data` payload against `NotificationDataSchema`; validates monitor ids are in-workspace and not soft-deleted. - `updateNotification` — replaces name / data / monitor associations in a single transaction with the same validation rules as create. - `deleteNotification` — hard-delete (FK cascade clears associations). The tRPC wrapper swallows `NotFoundError` to preserve the old idempotent behaviour. - `listNotifications`, `getNotification` — batched IN query enriches monitors per notification. Monitor enrichment is workspace-scoped and filters soft-deleted monitors for defence-in-depth. - All mutations run inside `withTransaction`, emit `emitAudit`. - **tRPC** (`packages/api/src/router/notification.ts`): `list` / `new` / `updateNotifier` / `delete` become thin service wrappers. `sendTest` + `createTelegramToken` + `getTelegramUpdates` are unchanged. - **`sendTest` migration** — the dispatch switch imports from 10 `@openstatus/notification-*` packages. Moving it into services would pull those as direct deps; the plan's phrasing ("Channel CRUD + test-dispatch") allows this as a later extraction. - **`createTelegramToken` / `getTelegramUpdates`** — redis + external Telegram API helpers; transport UX, not domain operations. - **Biome scope for `notification.ts`** — the file still imports `@openstatus/db/src/schema` for the `sendTest` provider data schemas. Will land with the sendTest migration follow-up. - **Connect RPC notification handler** — stays on its own helpers; follow-up aligned with PR 4's Connect deferral. - `__tests__/notification.test.ts` covers create (including `ValidationError` on malformed data, `LimitExceededError` on gated provider, `ForbiddenError` on cross-workspace monitor), update (association replacement, cross-workspace `NotFoundError`), delete, list/get workspace isolation + monitor enrichment scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): address Cubic review - **Update flow plan gate** (update.ts) — `updateNotification` was skipping `assertProviderAllowed`, so a user who downgraded their plan could still edit a notification configured with a now-restricted provider. Re-check against the stored `existing.provider` to match the create-time gate. - **Provider / data match** (internal.ts) — `NotificationDataSchema` is a union, so `{ provider: "discord", data: { slack: "…" } }` passed the union check even though the payload key doesn't match the provider. `validateNotificationData` now takes the provider and asserts `provider in data` after the top-level parse. Applied in both `create` and `update` (update uses the stored provider since the API doesn't allow provider changes). Added a test for the mismatch case. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): tighten data validation against provider schema Cubic's follow-up on the previous fix was right: checking only `provider in data` isn't enough. `NotificationDataSchema` is a union, so a payload like `{ discord: "not-a-url", slack: "valid-url" }` passes because the union matches the slack variant — the extra `discord` key is ignored, and my key-presence check sees `"discord"` and lets it through. Replaced the union parse + key check with a provider-specific schema lookup (`providerDataSchemas[provider].safeParse(data)`). Each canonical channel schema is keyed by its provider name and validates the shape / content of the value, so the new check catches both the mismatched-provider and malformed-payload cases in one pass. Added a test covering the exact case Cubic flagged — invalid `discord` URL alongside a valid `slack` URL now rejects with ValidationError. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate page-component domain (PR 6/N) (#2107) * feat(services): migrate page-component domain onto service layer Sixth domain, tRPC-only. Migrates `list`, `delete`, and `updateOrder` onto `@openstatus/services/page-component`. - `listPageComponents` — workspace-scoped filter + optional pageId filter. Batched enrichment in four IN queries (monitors, groups, status reports via join, maintenances via join). All relation queries scoped to the caller's workspace for defence-in-depth. - `deletePageComponent` — hard-delete. Cascade clears the `status_report_to_page_component` / `maintenance_to_page_component` associations. The tRPC wrapper swallows `NotFoundError` to preserve the pre-migration idempotent behaviour. - `updatePageComponentOrder` — the complex one. Mirrors the existing diff-and-reconcile pass faithfully (≈220 lines → a single transaction): 1. Assert the page is in the workspace. 2. Enforce the workspace's `page-components` plan cap. 3. Validate every monitor id in the input set. 4. Remove monitor components whose monitorId isn't in the input; remove static components based on whether the input carries ids. 5. Clear `groupId` before dropping groups (FK safety), then recreate groups. 6. Upsert monitor components via `onConflictDoUpdate` on the `(pageId, monitorId)` unique constraint (preserves ids). 7. Update existing static components by id; insert new ones. Audit: `page_component.update_order` / `page_component.delete`. - **tRPC** (`packages/api/src/router/pageComponent.ts`): all three procedures call services. `delete` catches `NotFoundError` and returns the old `drizzle.returning()`-shaped empty array. The pre-existing `pageComponent.test.ts` (tests cross-workspace monitorId → `TRPCError(FORBIDDEN)`) is untouched and still valid — my services throw `ForbiddenError`, which `toTRPCError` maps to the same code. - Biome `noRestrictedImports` scope adds `packages/api/src/router/pageComponent.ts`. - Subpath export `@openstatus/services/page-component`. - `__tests__/page-component.test.ts` covers `updatePageComponentOrder` happy path (creates monitor + static + grouped components), rejects cross-workspace monitorId and cross-workspace pageId, `list` workspace isolation, `delete` cross-workspace `NotFoundError`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): Connect RPC notification handler catch-up (#2108) * feat(services): Connect RPC notification handler onto services (catch-up) Follow-up to PR 5 — noticed on review that my PRs from PR 4 onwards had been narrowing scope to tRPC only and deferring Connect handlers, which was piling up. This closes the notification Connect gap. `apps/server/src/routes/rpc/services/notification/index.ts` — the five CRUD methods now delegate to `@openstatus/services/notification`: - `createNotification` → `createNotification` service (handles the plan-count limit, per-provider plan gate, and data-schema validation internally — the Connect-side `checkNotificationLimit` / `checkProviderAllowed` / `validateProviderDataConsistency` calls are gone). - `getNotification`, `listNotifications`, `updateNotification`, `deleteNotification` — thin proto-to-service-to-proto wrappers. - `updateNotification` reads the existing record via the service and fills in missing fields (Connect's update is partial; the service expects a full payload), then applies the update. Left inline: - `sendTestNotification` — calls `test-providers.ts` (external HTTP). - `checkNotificationLimit` RPC method — returns the count info via `./limits.ts` helpers (pure queries, no domain mutation). The local Connect helpers (`validateProviderDataConsistency`, `checkNotificationLimit`, `checkProviderAllowed`, and the ad-hoc `validateMonitorIds` / `updateMonitorAssociations` / `getMonitorById` / `getMonitorCountForNotification` / `getMonitorIdsForNotification`) are no longer imported by `index.ts`; they remain in their files because `test-providers.ts` and the unmigrated Connect monitor handler still reference some of them. Added `apps/server/src/routes/rpc/services/notification/index.ts` to the `noRestrictedImports` scope. The directory-level glob isn't a fit because `limits.ts` and `test-providers.ts` legitimately need direct db access until their own follow-up migrations. - **Connect monitor handler** (~880 lines, 6 jobType-specific create/update methods + 3 external-integration methods) — requires a much bigger refactor. Flagged as dedicated PR 4b; tracked separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): dedupe monitor ids in Connect createNotification response Cubic's P2 catch: the service dedupes `monitors` before the insert (via `validateMonitorIds` in the services package), but the Connect handler echoed `req.monitorIds` verbatim back in the response. For an input like `["1", "1", "2"]` the DB stored `[1, 2]` while the response claimed `["1", "1", "2"]` — caller state diverges from persistence. Echo `Array.from(new Set(req.monitorIds))` instead so the response matches what's actually stored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate page authoring (PR 7/N) (#2109) * feat(services): migrate page (status-page authoring) onto service layer Seventh domain. Migrates the 13 authoring procedures in `pageRouter` onto `@openstatus/services/page`. Deliberately scoped to authoring CRUD only: - `statusPage.ts` — public viewer endpoints (subscribe / get / uptime / report / verify / unsubscribe) are a separate surface that doesn't use the authenticated `ServiceContext`; dedicated follow-up. - Connect `apps/server/src/routes/rpc/services/status-page/**` — ~1500 lines with 18 methods (page CRUD + components + groups + subscribers + view). Too big for this PR; dedicated follow-up, same shape as the Connect monitor deferral. - `createPage` / `newPage` — full vs minimal create; both enforce the `status-pages` plan cap and (for `createPage`) the per-access-type plan gates (password-protection, email-domain-protection, ip- restriction, no-index). - `deletePage` — FK cascade clears components / groups / reports / subscribers. - `listPages` — batched enrichment with `statusReports`. - `getPage` — enriched with `maintenances` / `pageComponents` / `pageComponentGroups`. - `getSlugAvailable` — pure check against `subdomainSafeList` + DB. - `updatePageGeneral` — with slug-uniqueness re-check on change. - `updatePageCustomDomain` — persists the DB change and returns the previous domain so the caller can diff. Vercel add/remove stays at the tRPC layer (external integration). - `updatePagePasswordProtection` — re-applies the same plan gates the `create` path uses. - `updatePageAppearance`, `updatePageLinks`, `updatePageLocales` (gated on `i18n` plan flag), `updatePageConfiguration`. - Audit action emitted for every mutation. All 13 procedures are thin wrappers. `delete` catches `NotFoundError` for idempotency. `updateCustomDomain` orchestrates: 1. `getPage` (via service) to read the existing domain. 2. `addDomainToVercel` / `removeDomainFromVercel` as needed. 3. `updatePageCustomDomain` (via service) to persist. - Biome scope adds `packages/api/src/router/page.ts`. The router imports `insertPageSchema` via the services re-export (`CreatePageInput`) so the db-import ban applies cleanly. - Subpath export `@openstatus/services/page`. - `__tests__/page.test.ts` covers `newPage` happy / reserved / duplicate, `createPage` monitor attachment + cross-workspace monitor, `updatePageGeneral` rename + duplicate-slug conflict + cross-workspace, `updatePageLocales` plan gate, list / get / slug-available workspace isolation, delete cross-workspace NotFoundError. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate Connect status-page page CRUD onto services Extends PR #2109 to cover the Connect RPC status-page handler's page CRUD surface (create / get / list / update / delete), matching the migration that landed for tRPC's `pageRouter`. The other 13 methods (components, groups, subscribers, viewer) still read the db directly — they're separate domains that'll need their own services in follow-ups. - create / get / delete call into `@openstatus/services/page` and preserve the granular Connect errors (`statusPageNotFoundError`, `slugAlreadyExistsError`) by pre-checking before the service call or catching `NotFoundError` → re-throwing the richer variant. - list fetches via the service and paginates in-memory; status-page quota is bounded per workspace so the extra enrichment is negligible. - update loads the existing page via the service, then orchestrates the per-section updates (`updatePageGeneral`, `updatePageLinks`, `updatePageAppearance`, `updatePageCustomDomain`, `updatePageLocales`, `updatePagePasswordProtection`) inside a shared transaction so a partial failure can't leave the page half-updated. Each service's internal `withTransaction` detects the pre-opened tx and skips nesting. - Proto-specific format validations (https icon URL, custom-domain regex, IPv4 CIDR, email-domain shape) and the i18n PermissionDenied path stay at the handler — they don't exist in the zod insert schema and their error codes would change if deferred to the service. - `Page` from the service parses `authEmailDomains` / `allowedIpRanges` into arrays, while the converters (still used by the unmigrated methods) expect the comma-joined string form. `serviceToConverterPage` bridges the two shapes at the call sites that need it. Biome scope deliberately unchanged: the file still imports from `@openstatus/db` for the 13 legacy methods, so the override would light up the whole file. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page): address Cubic review on #2109 Four issues flagged across two Cubic reviews: - `createPage` skipped `assertSlugAvailable`, so full-form creates could bypass reserved/duplicate slug validation and either create a duplicate or fail late on a DB constraint instead of the clean `ConflictError`. Added the check alongside the existing quota gate. - `createPage` passed `passwordProtected` / `allowedIpRanges` but not `allowIndex` to `assertAccessTypeAllowed`, bypassing the `no-index` plan gate on create. Now forwarded. - `UpdatePagePasswordProtectionInput.allowedIpRanges` accepted arbitrary strings. Mirrored the CIDR validation from `insertPageSchema` — bare IPs get `/32` appended, everything pipes through `z.cidrv4()`. - `updatePagePasswordProtection` wrote `authEmailDomains: input.authEmailDomains?.join(",")`, which evaluates to `undefined` when the caller clears the field. Drizzle treats `undefined` as "skip this column" on `.set()`, so stale email domains survived an access-type switch. Added the `?? null` fallback to match the neighboring `allowedIpRanges` line. This fixes the Connect `updateStatusPage` path where switching away from AUTHENTICATED sets `nextAuthEmailDomains = undefined` expecting the column to clear. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate workspace / user / invitation / api-key (PR 8/N) (#2110) * feat(services): migrate workspace / user / invitation / api-key (PR 8/N) Stacked on PR #2109. Eighth migration — four small domains consolidated into one PR because each is narrow (roughly two to five procedures) and they share no structural dependencies beyond already-migrated infrastructure. **workspace** — `getWorkspace`, `getWorkspaceWithUsage` (pages + monitors + notifications + page-components batched via drizzle relations), `listWorkspaces` (takes `userId` explicitly since `list` runs across every workspace the user has access to), `updateWorkspaceName`. **user** — `getUser` (active, non-soft-deleted), `deleteAccount` (the paid- plan guardrail stays; removes non-owned memberships, sessions, OAuth accounts and blanks the PII columns inside a single tx). **invitation** — `createInvitation` (plan gate counts pending invites against the members cap so two outstanding invites can't both accept past the limit), `deleteInvitation`, `listInvitations`, `getInvitationByToken` (scoped by token **and** accepting email to prevent token-sharing), `acceptInvitation` (stamps acceptedAt + inserts membership atomically). **api-key** — `createApiKey` (returns plaintext token once), `revokeApiKey` (workspace-scoped existence check inside the tx so concurrent revokes resolve to a consistent NotFound rather than a silent no-op), `listApiKeys` (replaces the legacy per-row `Promise.all` fan-out with a single IN query for creator enrichment), `verifyApiKey` + `updateApiKeyLastUsed` (no ctx required — the verify path runs before workspace resolution and callers pass an optional `db` override). All 14 procedures become thin `try { return await serviceFn(...) } catch { toTRPCError }` wrappers. Router shapes stay identical so the dashboard needs no changes. Connect + Slack don't expose these domains today; migrating their consumers is a follow-up. Biome `noRestrictedImports` override adds the four router files. Subpath exports `@openstatus/services/{workspace,user,invitation,api-key}` added to the services package. Deletes `packages/api/src/service/apiKey.ts` and its tests — fully superseded by `packages/services/src/api-key/`. The auth middleware in `apps/server` has its own inline apiKey verification and is unaffected. - **`domain.ts`** — pure Vercel-API proxy with no DB usage; not part of the migration surface. Stays as-is. - **`packages/api/src/service/{import,telegram-updates}.ts`** — import migration is PR 9; telegram-updates stays for a follow-up. Per-domain `__tests__/*.test.ts` covers: workspace rename + audit, usage counts, members cap hit on free plan, invitation token-mismatch rejection, accept idempotency, api-key creation returning a bcrypt hash, list creator enrichment, revoke NotFoundError on unknown ids, verifyApiKey happy / bad- format / wrong-body paths, lastUsed debounce. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Cubic review on #2110 Four issues flagged on PR 8: - **P1 — `invitation/accept.ts`**: the read-then-write pattern let two concurrent accepts both pass the `isNull(acceptedAt)` check and race through the membership insert. Replaced with a conditional UPDATE that re-asserts `isNull(acceptedAt)` in the WHERE clause and checks `.returning()` rowcount. The loser gets `ConflictError`, the tx aborts before membership inserts run. - **P2 — `api-key/create.ts`**: `createdById` was taken from input and the router spliced in `ctx.user.id`. Since that column is attribution data (who owns the key, who the audit row blames), trusting input would let any caller forge ownership. Derived from `ctx.actor` via `tryGetActorUserId`; actors without a resolvable user id (system / webhook / unlinked api-key) now get `UnauthorizedError` instead of a silent NULL write. `createdById` removed from the input schema. - **P2 — `invitation/delete.ts`**: audit row was emitted even when the DELETE matched zero rows (unknown id / wrong workspace). Switched to `.returning({ id })` and short-circuit before the audit emit so the log only reflects actual deletions. - **P2 — `invitation/list.ts`**: the `if (!input.email)` → `UnauthorizedError` branch in `getInvitationByToken` was unreachable because `z.email()` already rejects empty / malformed emails at `.parse()`. Removed the dead branch; the router keeps its own pre-call check for `ctx.user.email`, so the transport-level UnauthorizedError path is preserved. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate import domain (PR 9/N) (#2111) * feat(services): migrate import domain (PR 9/N) Stacked on PR #2110. Ninth and final domain — lifts the ~1,000-line `packages/api/src/service/import.ts` orchestrator into the services package as its own `@openstatus/services/import` domain. Split into focused files: - **`schemas.ts`** — `PreviewImportInput` / `RunImportInput` zod. Provider discriminator + per-provider page-id fields live here; options schema is separately exported for callers that want to pre-validate. - **`provider.ts`** — `createProvider` factory + `buildProviderConfig` reshape helper, isolated from the orchestrator so adding a provider is a one-file change. - **`limits.ts`** — `addLimitWarnings` (shared by preview + run). Pure mutation on the `ImportSummary` argument; no writes. - **`utils.ts`** — `clampPeriodicity` + `computePhaseStatus` helpers. - **`phase-writers.ts`** — the seven phase writers (page / component groups / components / incidents / maintenances / monitors / subscribers). Each takes a `DB` explicitly so callers can thread a pre-opened tx; failing resources get `status: "failed"` with an error string rather than throwing. - **`preview.ts`** — dry-run only; validates credentials, runs the provider with `dryRun: true`, emits warnings. - **`run.ts`** — the orchestrator. Now owns the `pageId` ownership check (previously duplicated in the tRPC router) and emits exactly **one** `import.run` audit row regardless of outcome so partial / failed runs still show up in the audit signal. Deliberately *not* wrapped in `withTransaction` — imports can span minutes across dozens of writes and the existing UX is phase-level recovery. 124 lines → 28 lines. The router is now a thin `previewImport` / `runImport` wrapper; the input schemas and all validation live in the service. The router-level `TRPCError`-throwing `pageId` ownership check moved into `runImport` so non-tRPC callers (Slack / future) get the same guard. - Provider validation failure: `TRPCError("BAD_REQUEST")` → `ValidationError` → `TRPCError("BAD_REQUEST")`. Net-same. - Unknown / wrong-workspace `pageId`: `TRPCError("NOT_FOUND")` → `NotFoundError` → `TRPCError("NOT_FOUND")`. Net-same. - Unit tests for `addLimitWarnings` / `clampPeriodicity` / `computePhaseStatus` move to `packages/services/src/import/__tests__/`. - Router integration tests (`packages/api/src/router/import.test.ts`) that previously called `previewImport` / `runImport` directly to override workspace limits now route through `makeCaller(limitsOverride)` with an explicit `provider: "statuspage"` field. This also fixes four pre-existing TypeScript errors where those calls were missing the (required) provider discriminator. - Biome `noRestrictedImports` override adds `packages/api/src/router/import.ts`. - Subpath export `@openstatus/services/import` added. - `@openstatus/importers` added to services deps; services `tsconfig.json` bumped to `moduleResolution: "bundler"` so the importers package-exports map resolves (same setting `packages/api` already uses). Deletes `packages/api/src/service/import.ts` (1042 lines) and its test file (463 lines). Only `telegram-updates.ts` remains in `packages/api/src/service/` — that's slated for a follow-up PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services/import): per-resource audit + Cubic fixes on #2111 Two changes folded together: Every phase writer now emits one `emitAudit` row per *created* resource, matching what the domain services emit for normal CRUD: | Phase | Audit action | --- | --- | page | `page.create` | componentGroups | `page_component_group.create` | components | `page_component.create` | monitors | `monitor.create` | incidents | `status_report.create` + `status_report.add_update` per update | maintenances | `maintenance.create` | subscribers | `page_subscriber.create` Skipped resources don't emit (their original create audit already exists); failed resources don't emit (nothing was written); link-table rows (statusReportsToPageComponents etc.) don't emit (edges, not entities). Metadata always carries `source: "import"` + `provider: <name>` + `sourceId: <provider-id>` so the audit trail traces back to the source system. The rollup `import.run` audit still fires at the end — the per-resource rows give forensic granularity, the run-level row gives "this bulk operation happened" without scanning the full summary blob. For the change, phase writers now take a shared `PhaseContext = { ctx, tx, provider }` instead of `(db, workspaceId, limits)` — the orchestrator builds one `PhaseContext` per run and threads it through, giving each writer access to `ctx.actor` for audit attribution. `statusReportUpdate` writes now use `.returning({ id })` so the per-update audit can attribute the right row. - **`run.ts:130`** — phases after `page` kept their provider-assigned status when `targetPageId` was falsy but the user option wasn't `false`. Replaced the narrow `else if (option === false)` branches with a plain `else → phase.status = "skipped"`, matching what `subscribers` already did. - **`run.ts:147`** — when the `components` phase hit `remaining <= 0`, the phase was marked `"failed"` but individual resource statuses were left stale with no error string. Each resource is now marked `"skipped"` with `"Skipped: component limit reached (N)"`, matching `writeMonitorsPhase`. Phase-level status becomes `"skipped"` too (was `"failed"` — failed implied a writer error, this is really a plan-limit pre-check). - **`provider.ts`** — both `createProvider` and `buildProviderConfig` had a `default:` that silently ran the Statuspage adapter for any unknown provider name, which would mask a typo by handing a non- Statuspage api key to the wrong adapter. Replaced with exhaustive `case "statuspage"` + `never`-typed default throw. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(services): rename rpc/services → rpc/handlers (PR 10/N) (#2112) The symbolic deliverable from the plan's "close the loop" PR. Renames `apps/server/src/routes/rpc/services/` → `apps/server/src/routes/rpc/handlers/` so the distinction between "the services layer" (owns business logic, lives in `packages/services`) and "Connect transport handlers" (thin proto → service → proto wrappers) is permanent and visible in the path. Keeping the old name invites the next developer to "just add one small thing" to a file under a `services/` folder months later; the rename makes the layering explicit. - `git mv` of the six domain subdirectories + their tests (health / maintenance / monitor / notification / status-page / status-report). - `router.ts` import paths updated from `./services/*` to `./handlers/*`. - Biome `overrides.include` paths updated to the new location. - Added `apps/server/src/routes/rpc/handlers/health/**` to the scope — the health handler has no db usage today; including it locks in that invariant. Rather than pretending the full "close the loop" deliverable is possible today, the biome.jsonc comment now enumerates exactly what remains unmigrated: - `packages/api/src/router/statusPage.ts` — public viewer endpoints under `publicProcedure`, no authed `ServiceContext`. - `packages/api/src/router/{member,integration,monitorTag, pageSubscriber,privateLocation,checker,feedback,stripe,tinybird, email}.ts` — small domains not yet lifted. - `apps/server/src/routes/rpc/handlers/monitor/**` — 6 jobType-specific methods still on db. - `apps/server/src/routes/rpc/handlers/status-page/**` — page CRUD is migrated (PR 7), but components / groups / subscribers / viewer (13 methods) still import db, so the whole file stays out of scope. - `apps/server/src/routes/v1/**` — the public HTTP API surface. - `apps/server/src/routes/slack/**` except `interactions.ts` — tools, handler, oauth, workspace-resolver still on db. - `apps/server/src/routes/public/**` — public-facing HTTP routes. Each of the above is its own PR-sized migration. The final consolidation (broadening to `router/**` + dropping `@openstatus/db` from `packages/api` and `apps/server`) is conditional on all of them landing first. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/import): use ctx workspaceId for page insert `writePagePhase` was inserting with `data.workspaceId` — the value the provider package round-tripped into resource data. Every other phase writer (monitor / components / subscriber) already reads `workspaceId` from `ctx.workspace.id`; this lines the page insert up with that pattern. Defends against the (unlikely) case where a provider mapper serialises the wrong workspace id into its output, since `ctx` is the authoritative source. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude review findings on #2110 Six findings from Claude's review pass — five code/doc fixes, one documentation-only note. **P2 — `acceptInvitation` derives userId from `ctx.actor`.** Was taking it from input: the email scoped *which* invitation could be accepted, but not *who* the membership was inserted for. A caller with the right token+email could insert a membership under an arbitrary user id. Removed `userId` from `AcceptInvitationInput`; derived from `tryGetActorUserId(ctx.actor)`, throws `UnauthorizedError` for non-user actors. Mirrors the same pattern applied to `createApiKey.createdById` in the Cubic pass. Router and test updated accordingly. **P2 — `getWorkspace` throws `NotFoundError` explicitly.** `findFirst` + `selectWorkspaceSchema.parse(undefined)` was throwing `ZodError` (→ `BAD_REQUEST`) instead of the `NotFoundError` shape every other service uses. Unreachable in practice (ctx.workspace is resolved upstream) but the error shape was the only outlier; consistency matters for callers pattern-matching on error codes. **P3 — `listApiKeys` filters null `createdById` before the IN query.** The new `createApiKey` path enforces a non-null creator, but legacy rows may have null. SQL's `x IN (NULL)` is `UNKNOWN` — technically safe — but drizzle types model the array as `number[]`. Filtering upfront keeps the types honest and sidesteps any future surprise. **P3 — `deleteInvitation` guards `acceptedAt IS NULL`.** The WHERE previously allowed hard-deleting *accepted* invitations, wiping the "user was invited on X" breadcrumb. Added the `isNull(acceptedAt)` guard + doc comment explaining the audit-trail preservation intent. **Doc-only — `deleteAccount` orphan comment.** Non-owner memberships are removed, but owner memberships + owned workspaces survive. Matches legacy behavior. Added a scope-note docblock flagging that workspace cleanup is explicitly out of scope (belongs to a future admin / scheduled job). **Doc-only — `createInvitation` role comment.** The invite insert lets `role` fall through to the schema default (`member`). Matches legacy (which also only picked `email`). Comment added so the absence reads as deliberate rather than overlooked. Minor — the concurrent-accept race test is covered by the conditional UPDATE + `ConflictError` path from the earlier P1 fix; mocking it reliably against SQLite is noisy and not worth the test complexity. Documented in the related code comment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude re-review findings on #2110 Four issues surfaced after the first round of fixes on this PR: **P2 — `listApiKeys` crashes on all-legacy keys.** After the null filter added in the previous commit, workspaces whose keys all pre-date the services migration (every `createdById` null) end up with `creatorIds === []`. Drizzle throws "At least one value must be provided" on an empty `inArray`, taking the whole endpoint down. Added an early return that maps `createdBy: undefined` when there are no non-null creator ids to look up. **P2 — `getWorkspaceWithUsage` ZodError on missing row.** Same `findFirst` + `selectWorkspaceSchema.parse(result)` pattern as `getWorkspace`, but without the `NotFoundError` guard that got added in the earlier pass. Added the guard. Also cleaned up the usage block — no longer needs optional chaining once the narrowing fires. **P2 — `deleteAccount` took `userId` from input.** Completing the `createApiKey` / `acceptInvitation` pattern: account deletion must target `ctx.actor`, never an arbitrary id. Dropped `userId` from `DeleteAccountInput` (now an empty forward-compat shape), derived inside the service via `tryGetActorUserId`, throws `UnauthorizedError` for non-user actors. Router updated to stop passing it. **P3 — `createInvitation` dev-token log could leak in tests.** Tightened the comment around the `process.env.NODE_ENV === "development"` guard to flag that strict equality is load-bearing — bun:test sets `NODE_ENV=test` and CI leaves it undefined, both of which correctly skip the log. No behavior change, just a clearer contract so the next reader doesn't loosen it. Cubic's two findings on this review pass point at `packages/api/src/ router/import.ts` and `packages/services/src/import/limits.ts` — both live in the next PR up the stack (#2111 / feat/services-import) and will be addressed there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2110 Four findings from the third Cubic review (now that #2111's import domain is included in the #2110 diff via the stack): **P2 — biome.jsonc notification handler scope.** Only `notification/index.ts` was in the `noRestrictedImports` override. Sibling files (`errors.ts`, `test-providers.ts`) were outside the migration guard, so new db imports could land in them without the lint failing. Broadened to `notification/**` and moved the two files that *legitimately* still read db (`limits.ts` querying workspace quotas, `converters.ts` needing db enum shapes for proto round-trip) into the `ignore` list. Future siblings are enforced by default rather than silently slipping through. **P2 — `clampPeriodicity` unknown values returned too fast.** `PERIODICITY_ORDER.indexOf("unknown") === -1` → `Math.max(-1, 0) === 0` → walk started at `"30s"` (the fastest tier). Could return an interval faster than requested, violating the "never-faster-than-requested" invariant. Short-circuits now to the slowest allowed tier when the requested value isn't a known periodicity. Added unit tests covering the unknown-value + empty- allowed fallback paths. **P2 — component/monitor limit warnings counted total resources, not quota-consuming inserts.** If the import contained 4 components and 3 already existed (would be skipped as duplicates), the warning claimed `"Only X of 4 can be imported"` — but actually zero quota would be consumed by the 3 skips, so the real new-creation count might fit entirely. Reworded to `"Only N new components may be created … some of the M in the import may already exist and be skipped"`. Same treatment for the monitors warning. Preview stays DB-light (no per-resource existence checks); the warning now honestly conveys worst-case without misleading users about what will actually happen. Test assertions updated to match the new wording with substring matches that aren't tied to the exact fraction. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page): address Claude review on #2109 Six items from Claude's review, going with the calls I leaned toward in the question-back: **P2 — tRPC `updateCustomDomain` wasteful `getPage` read.** Was calling `getPage(id)` (fires 3 batched relation queries: maintenances + components + groups) just to grab `customDomain` before the Vercel add/remove calls. Added a narrow `getPageCustomDomain` service helper — single indexed lookup, workspace-scoped, returns the string directly. Router swapped over. Service-layer authority preserved; no db reads leak into the router. **P2 — Connect `updateStatusPage` slug-race code drift.** Handler pre-checks slug to surface `slugAlreadyExistsError` (`Code.AlreadyExists`). The `updatePageGeneral` service call re-validates via `assertSlugAvailable` → `ConflictError` → `Code.InvalidArgument` in the race where two callers both clear the pre-check. Wrapped the call in `try/catch (ConflictError)` and rethrow as `slugAlreadyExistsError(req.slug)` so gRPC clients keying on the code get a consistent `AlreadyExists` whether they lose at the pre-check or at the inner tx. **P2 — Connect `createStatusPage` / `updateStatusPage` customDomain without Vercel sync.** Pre-existing behaviour (the direct-db handler had the same gap). Added a top-of-impl comment so it doesn't go unnoticed — the fix is a shared transport-layer helper the Connect handlers can reuse, out of scope for this migration PR to keep the behavioural blast radius small for external API consumers. **P3 — double cast `row as unknown as Page` in `create.ts`.** The drizzle insert-returning type and the `Page` type diverge on `authEmailDomains` / `allowedIpRanges` (raw comma-joined string vs parsed `string[]`). Replaced the double casts with `selectPageSchema.parse(row)` which normalises the row into the shape callers expect. Cast-drift is now impossible to introduce silently. **P3 — `void ConflictError;` workaround.** Import was unused in `create.ts`; the `void` line was silencing the unused-import warning rather than fixing the cause. Removed both. **P3 — deprecated `passwordProtected` column.** Added a doc block on `updatePagePasswordProtection` flagging that the deprecated boolean column is intentionally not written here (the v1 REST read path derives it from `accessType` via `normalizePasswordProtected`). Prevents a future reader from mistaking the omission for an oversight and writing two sources of truth for the same signal. Test coverage for the 5 untested update services (`updatePagePasswordProtection`, `updatePageCustomDomain`, `updatePageAppearance`, `updatePageLinks`, `updatePageConfiguration`) deferred to a follow-up per Claude's "not blocking" marker — the failing-edge behaviour is the critical bit, and `updatePagePasswordProtection` already has indirect coverage through the Connect handler tests on this branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude review on #2108 Four items from Claude's review of the Connect notification handler backfill: **P3 — `protoDataToServiceInput` swallowed parse failures.** `try { JSON.parse } catch { return {} }` was hiding any malformed output from `protoDataToDb` (which would be a programmer error, not user-input) behind a generic empty-object fallback. The downstream `validateNotificationData` then failed with a far less specific error. Let the throw propagate — `toConnectError` maps it to `Code.Internal`, which is the signal we want for "the helper itself misbehaved." **P3 — `createNotification` response approximated the monitor IDs.** Was echoing `Array.from(new Set(req.monitorIds))` on the happy path (correct, since the service validates + throws on invalid) but the approximation diverged from `updateNotification`'s re-fetch pattern. Now re-fetches via `getNotification` after create so the response reflects what's actually in the DB — one extra IN query per create, eliminates the approximation entirely, makes both handlers structurally identical. **P3 — `sendTestNotification` bypassed `toConnectError`.** Only handler in the impl without a `try { … } catch { toConnectError }` wrap, so any thrown `ServiceError` / `ZodError` from `test-providers.ts` fell through to the interceptor's generic catch and surfaced with a less precise gRPC status. Wrapped for symmetry. **P3 — `JSON.parse(existing.data)` null-unsafe.** Drizzle infers `notification.data` as `string | null` (the column has `default("{}")` but no `.notNull()`). A legacy row with `NULL` in the column would crash `updateNotification` with `SyntaxError` during the partial-update read-modify-write. Added `?? "{}"` fallback and a comment pointing at the schema. Cubic's single finding from the earlier pass (dedupe of `req.monitorIds` in the create response) was already applied in `b69ad13` and has now been superseded by the re-fetch above. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2108 Five findings from Cubic's second review cycle on this PR, all on files that entered this branch via the #2109 (status-page) and #2111 (import) squash-merges stacked on top. Fixing here so the cumulative state reaching main is clean. **P1 — `page/create.ts` double-encoded JSON configuration.** `page.configuration` is a drizzle `text("…", { mode: "json" })` column — drizzle serialises objects automatically. Calling `JSON.stringify(configuration)` first stored a raw JSON string in the column, breaking any downstream read that expects an object (e.g. the appearance merge at `update.ts:185`). Dropped the wrap; drizzle handles it. **P2 — `page/schemas.ts` slug + customDomain validation weaker than insert schema.** `NewPageInput.slug`, `GetSlugAvailableInput.slug`, and `UpdatePageGeneralInput.slug` were `z.string().toLowerCase()` — no regex, no min-length. `UpdatePageCustomDomainInput.customDomain` was `z.string().toLowerCase()` — no format check. Meant the service would accept malformed slugs / URLs that `createPage` would then reject via `insertPageSchema`, or — worse — that `getSlugAvailable` would confidently return "available" for garbage. Exported the canonical `slugSchema` + `customDomainSchema` from `@openstatus/db/src/schema/pages/validation` and reused them across all four service inputs; db validation is now the single source of truth for page slug/domain shape. **P2 — `api/router/import.ts` nullish → optional contract narrowing.** The service's `PreviewImportInput`/`RunImportInput` used `.optional()` for the three provider page-id fields, which dropped the `null` acceptance the legacy router had via `.nullish()`. Existing clients sending `null` would have started hitting `Invalid input` errors after the import migration landed. Added a `nullishString` transform in the service schema that accepts `string | null | undefined` and normalises to `string | undefined` before it reaches `buildProviderConfig` — callers keep the broader contract, service internals stay ignorant of `null`. **P2 — `page/update.ts` empty array stored "" not null.** `authEmailDomains?.join(",") ?? null` coerces `null`/`undefined` to `null`, but `[].join(",")` returns `""` (empty string) which `??` treats as a value. Callers sending `authEmailDomains: []` to clear the column were persisting the empty string instead of nulling it — misleading "present but blank" state. Switched to `|| null` on both array-join outputs (`authEmailDomains` + `allowedIpRanges`) so the three clearing inputs — `undefined`, `null`, `[]` — all land on DB `NULL` while real non-empty joins pass through unchanged. Test fixtures already use slugs ≥ 3 chars that match the regex, so the tightened validation doesn't break any existing assertions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page-component): address Cubic + Claude review on #2107 Three fixes + one test, addressing both the original Cubic finding and Claude's re-review pass. **P2 — Discriminated union for `componentInput`.** The flat `z.object` with `type: z.enum(["monitor", "static"])` and optional `monitorId` let callers submit a "monitor" component with no monitor id, or a "static" one with a monitor id attached. The DB catches it with a `CHECK` constraint, but that surfaces as an opaque SQLite CHECK failure instead of a clean `ZodError` at the service boundary. Replaced with a `z.discriminatedUnion("type", [...])` that requires `monitorId` on the "monitor" arm and omits it on the "static" arm. Fallout in `update-order.ts`: `c.monitorId` no longer exists on the "static" arm after narrowing, so the spreads now use `monitorId: c.type === "monitor" ? c.monitorId : null`. The defensive `&& c.monitorId` guards on the already-narrowed monitor branches are gone (TypeScript enforces the invariant the DB was catching late). **P2 — Sequential group insert instead of bulk `.returning()`.** The bulk insert relied on drizzle/SQLite returning rows in the same order they were inserted, so `newGroups[i]` could line up with `input.groups[i]` when mapping components to their groups. True on Turso today, but an implicit coupling — any driver change, batch split, or upstream sort could silently reorder rows and land components in the wrong group with no error signal. Switched to a loop that captures each group id before moving on; the set size is bounded by the status-page component-group plan cap so the extra round trips are a rounding error. **Nit — removed dead `hasStaticComponentsInInput` guard.** Both the "input has static components but none carry ids" and "input has no static components at all" branches collapsed to the same "drop all existing static components" action, so the outer `hasStaticComponentsInInput` conditional was doing no work. Dropped the variable and the nested branch. **Test — upsert idempotency.** The `onConflictDoUpdate` on `(pageId, monitorId)` was the riskiest untested path — a regression would silently insert duplicate rows on every re-invocation. Added a test that calls `updatePageComponentOrder` twice on the same page with the same `monitorId`, then asserts there's exactly one matching row and the second call's values won. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2107 + unblock build Eight Cubic findings from the second review plus one dashboard build break from my earlier discriminated-union change. **Build — router shape diverged from service discriminated union.** `packages/api/src/router/pageComponent.ts` kept its own flat `z.object({...})` input schema with `type: z.enum(["monitor", "static"])` and `monitorId: z.number().nullish()`. After the service switched to `z.discriminatedUnion("type", [...])`, TS couldn't reconcile the two — dashboard build failed. Replaced the local schema with the service's exported `UpdatePageComponentOrderInput` so both layers share the canonical shape. **P1 — page router: validate customDomain before Vercel call.** The router input was `z.string().toLowerCase()` (no format check) and the service's `customDomainSchema` only fired inside `updatePageCustomDomain`, *after* the Vercel add/remove mutations. A malformed domain could be added to Vercel, then rejected by the service, leaving Vercel/db state drifted. Switched the router input to the service's `UpdatePageCustomDomainInput` so format validation runs at tRPC input parsing, before any Vercel call. **P1 — `listApiKeys` leaked `hashedToken`.** `SELECT *` returned every column including the bcrypt hash of each key's one-time token, which has no business appearing in a list response. Replaced with an explicit column select that omits `hashedToken`. New `PublicApiKey` type (`Omit<ApiKey, "hashedToken">`) is the return shape; exported from the barrel. **P2 — `acceptInvitation` eager workspace load + second fetch.** The initial `findFirst` already loaded the workspace via `with: { workspace: true }`, but the return value re-fetched it by id. Use the joined value directly — one round-trip instead of two, and eliminates the read-skew window where a just-renamed workspace could appear with a different name in each fetch. **P2 — `import.run` audit entityId 0.** `entityId: targetPageId ?? 0` wrote a ghost `page 0` reference to the audit trail when the page phase failed before producing an id. Entity attribution now falls back to the workspace (`entityType: "workspace"`, `entityId: ctx.workspace.id`) when no target page is in play — real rollback signal, no phantom foreign key. **P2 — `page-components` limit scoped per-page, not workspace.** `page-components` is a workspace-wide cap (see `page-component/update-order.ts` — counts every component across every page). The import preview and run's component check were scoping the existing count to `targetPageId`, which understated pressure and would let imports push past the cap at write time. Both sites now count workspace-wide. **P2 — `writeIncidentsPhase` lacked idempotency.** Every other phase writer checks for an existing row before inserting (page by slug, monitor by url, component by name, subscriber by email); `writeIncidentsPhase` inserted unconditionally. A re-run would duplicate status reports on every pass. Added an existence check by `(title, pageId, workspaceId)` matching the convention. **P2 — `writeMaintenancesPhase` lacked idempotency.** Same pattern. Added a check by `(title, pageId, from, to, workspaceId)` — the `from/to` pair is load-bearing because maintenance titles recur ("DB upgrade") across unrelated windows. **P2 — `writeComponentsPhase` silent monitor→static fallback.** When the source monitor failed to resolve (e.g. `includeMonitors === false`), the component was silently degraded to `type = "static"` and reported as `created` with no explanation. Other phase writers populate `resource.error` on any degrade path. Added a matching error string pointing at the source monitor id (or lack thereof) so the summary conveys the degrade. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page-component): revert discriminated union to flat + .refine The previous commit switched `componentInput` in the service schema to a `z.discriminatedUnion("type", [...])` to get a clean `ZodError` at parse time for the monitor/static invariant. That produced a narrowed TS shape (`type: "monitor"` → required `monitorId: number`) that every caller had to match — including the dashboard form, where react-hook-form can't model discriminated unions cleanly and would have needed a flat→union adapter at submit time. The ripple was user-visible frontend churn for a schema-layer concern. Switched back to a flat `z.object` + cross-field `.refine` on `(type, monitorId)`. Same parse-time rejection Cubic asked for (ZodError with a specific path, not an opaque SQLite CHECK failure), but the inferred TS type stays flat so callers — router input, RHF form values — keep their existing shape. Also restored the downstream `&& c.monitorId` guards and `as number[]` casts in `update-order.ts`. With a flat schema, TS still sees `monitorId: number | null | undefined` on the monitor branch; the refine rejects violating input at parse time, but the guard is needed to narrow for the type system. Matches the pre-migration shape exactly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/import): reconcile component links on idempotent skip The idempotency checks in `writeIncidentsPhase` and `writeMaintenancesPhase` added in the previous pass correctly avoid duplicate status-report / maintenance rows on rerun, but `continue`-d out of the writer before the component-link insertion block. The failure mode this leaves open: 1. Run 1: component phase uses per-resource catch, so a single component can fail and leave `componentIdMap` partial. 2. The report/maintenance is written with a subset of the intended links — only the entries whose source id resolved in the map. 3. Run 2: the previously-failed component now succeeds and lands in `componentIdMap`. The report/maintenance idempotency check hits, `continue` fires, and the still-missing link is never written. Both join tables (`statusReportsToPageComponents`, `maintenancesToPageComponents`) have a composite primary key on `(parentId, pageComponentId)`. Running the same link-build pass on the skip path with `.onConflictDoNothing()` is a no-op for the links already present and adds any that resolved this time round. Matches the "reruns converge to correct state" model that motivated the idempotency checks in the first place. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): address Claude review pass Three small findings from the latest Claude review, bundled: **#1 — `list.ts` redundant `conditions` array.** `listNotifications` initialised a one-element `SQL[]` and spread it into `and(...)` with no second push site anywhere. Collapsed to a direct `eq(...)`. The pattern is load-bearing in `monitor/list.ts` (two conditions: workspace scope + soft-delete filter) but notifications have no soft-delete column, so the indirection was pure noise. **#2 — router `dataInputSchema` duplicated the service schema.** `packages/api/src/router/notification.ts` hand-rolled a `z.partialRecord` structurally identical to the `dataSchema` inside `packages/services/src/notification/schemas.ts`. Drift hazard: a future provider-value shape change in the service would be accepted at the tRPC layer and fail with an opaque error deeper in `validateNotificationData`. Renamed the service schema to `NotificationDataInputSchema`, exported it from the service barrel, and replaced the router's local copy + the now-unused `servicesNotificationProvider` alias. **#5 — `update.ts` audit missing `provider` metadata.** `createNotification` attaches `metadata: { provider: input.provider }` to its audit row; `updateNotification` didn't. The `provider` column is recoverable from the `before`/`after` rows, but asymmetric metadata breaks simple `action + metadata.provider` audit queries. Added `metadata: { provider: existing.provider }` for parity. Skipped the two non-fixes: the `enrichNotificationsBatch` drizzle-cast fragility is the same pattern as `monitor/list.ts`, worth a codebase- wide change rather than a single-domain carve-out; the `dataSchema` being "intentionally wide" is already called out in the schema JSDoc and is correct by design (provider/payload alignment is enforced at the service boundary by `validateNotificationData`). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(services/notification): cover update audit + post-downgrade gate Claude review noted two gaps in the `updateNotification` suite. Adding both: **`notification.update` audit row.** `createNotification` already asserts an audit row fires with `expectAuditRow`; the update path was silent. With the per-mutation audit contract (every write emits a row), the update case needs an equivalent pin so a regression that drops the emit site is caught. Note: the v1 audit buffer shape (`AuditLogRecord`) doesn't carry `metadata`, so the `{ provider }` payload can't be asserted directly here — that coverage lands with the v2 audit-table move, called out in the test comment. **Plan-gate after a downgrade.** The Cubic-flagged fix added `assertProviderAllowed(existing.provider)` to `updateNotification` so a previously-allowed channel becomes read-only once the workspace drops to a plan that no longer includes it. The regression test simulates the downgrade by directly inserti…

* feat(services): migrate maintenance domain onto service layer Second domain migration, stacked on the status-report PR. Same shape as PR 1 — every write path and read path for `maintenance` now goes through `@openstatus/services/maintenance`; tRPC / Connect / Slack are thin adapters. ## Services (`packages/services/src/maintenance/`) - `createMaintenance`, `updateMaintenance`, `deleteMaintenance`, `listMaintenances`, `getMaintenance`, `notifyMaintenance`. - Date range validated at the Zod refine + again inside `updateMaintenance` when partial updates could cross the invariant. - All mutations inside `withTransaction`, emit `emitAudit` before returning. - Internal helpers duplicated from status-report (`validatePageComponentIds`, `updatePageComponentAssociations`, `getMaintenanceInWorkspace`, `getPageComponentIdsForMaintenance`, `getPageComponentsForMaintenance`). A third consumer should trigger the shared-helper extraction. ## Surfaces - **tRPC** (`packages/api/src/router/maintenance.ts`): all four procedures (`delete` / `list` / `new` / `update`) now call services. `emailRouter.sendMaintenance` becomes a thin wrapper over `notifyMaintenance`. - **Connect RPC** (`apps/server/src/routes/rpc/services/maintenance/`): handler rewritten as proto → parse → service → convert. External contract preserved. - **Slack** (`interactions.ts`): `createMaintenance` branch now calls services. Also extracts `getPageUrl`/`getReportUrl` into `apps/server/src/routes/slack/page-urls.ts` — pure transport-layer URL formatting, left on db directly but isolated so `interactions.ts` itself becomes db-free. ## Enforcement - Biome `noRestrictedImports` override now includes: `packages/api/src/router/maintenance.ts`, `apps/server/src/routes/rpc/services/maintenance/**`, and `apps/server/src/routes/slack/interactions.ts`. (`page-urls.ts`, `service-adapter.ts`, `confirmation-store.ts`, and `workspace-resolver.ts` remain outside scope — they legitimately need db access for transport/URL/auth concerns.) - Subpath export `@openstatus/services/maintenance`. ## Tests - Integration tests in `packages/services/src/maintenance/__tests__/` cover happy paths, workspace isolation, cascade deletes, cross-workspace `NotFoundError` / `ForbiddenError`, the Zod date-range refine, the slack actor audit branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/maintenance): address Cubic review Mirrors the symmetric fixes applied to status-report on the parent branch: - **Dedupe `pageComponentIds`** in `validatePageComponentIds` — duplicate ids would violate the composite PK on `maintenance_to_page_component`. - **Batch list enrichment** — `listMaintenances` previously ran 2 extra queries per row; rewritten as one IN query regardless of list size, pairing well with the 10_000 sentinel tRPC passes. - **Idempotent tRPC `delete`** — swallow `NotFoundError` in the wrapper to preserve the old drizzle-returning behaviour; Connect still returns 404. - **Connect numeric-id error** — replace `invalidDateFormatError` with an inline `ConnectError(Code.InvalidArgument)` for malformed page component ids. Correct error message on the wire. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/maintenance): parity with status-report post-review fixes Three issues mirror what landed on status-report after its PR-review pass — this branch was behind because it hadn't been rebased onto the updated status-report yet. **`update.ts` — pageId follows components** The service was enforcing a strict invariant: throw `ConflictError` when new components belonged to a different page, and leave `pageId` untouched when components were cleared. The Connect `UpdateMaintenance > clears pageId when removing all components` test fails against this — it expects `pageId` to null out on empty components. Same reasoning as the status-report fix: `pageId` should follow the association set. Mixed-page inputs still rejected upstream by `validatePageComponentIds`. **Handler test — error message wording** Two assertions expected the old handler's `"Start time (from) must be before end time"` message. Service throws `"End date must be after start date."` via `ConflictError`. Updated both assertions to match service wording — consistent with how the status-report message drift was resolved. **Service test — cleanup without try/finally** 7 tests did inline `db.delete(maintenance)` at the end of their body; a failing assertion skipped cleanup and orphaned rows. Replaced with a shared `createdMaintenanceIds` array drained in `afterEach`, matching the status-report pattern. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): Slack error opacity + maintenance test drift Three CI failures on #2103: **Slack `toSlackMessage` — revert to uniform generic message.** The P3 fix on #2101 kept hand-written `ServiceError` messages for `FORBIDDEN` / `CONFLICT` / `VALIDATION` / `LIMIT_EXCEEDED` — but the existing `does not leak internal error details to user` test expects every error to surface as a single `"Something went wrong. Please try again."` string. The intent is stronger than just "strip row IDs": Slack users aren't developers, so none of the service error wording is appropriate for them. Reduced the adapter to a one-liner that always returns the generic message; detailed error context still flows to logtape/Sentry via the catch site upstream. **Handler test — "does not match the page ID" → "does not match".** `ConflictError` wording drifted during the migration (same as the status-report fix). Loosened to the stable fragment. **Handler test — "Page not found" → "not found".** `NotFoundError("page", id)` formats as `"page <id> not found"` (lowercase `page`). Pre-migration handler emitted capital-P `"Page not found"`. Loosened the substring so both forms pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate incident domain (PR 3/N) (#2104) * feat(services): migrate incident domain onto service layer Third domain migration, stacked on maintenance. tRPC-only — no Connect handler, no Slack path — so this PR mostly exercises the `ServiceContext` actor variants without surface-specific adapters. ## Services (`packages/services/src/incident/`) - `acknowledgeIncident`, `resolveIncident`, `deleteIncident`, `listIncidents`, `getIncident`. - Both `acknowledge` / `resolve` stamp the acting user's id onto `acknowledged_by` / `resolved_by` via the new `tryGetActorUserId` helper on `ServiceContext`. Non-user actors (system, webhook, API keys without a linked userId) stamp `null`. - Idempotent `ConflictError` when an incident is already acknowledged or resolved — matches existing tRPC's `BAD_REQUEST` semantics. - All mutations wrapped in `withTransaction`, emit `emitAudit`. ## list.ts - Batch-enriches monitors via a single IN query against distinct `monitorId`s — pairs well with the 10_000 sentinel tRPC passes. Avoids the N+1 Cubic flagged on the maintenance PR. ## Surfaces - **tRPC** (`packages/api/src/router/incident.ts`): all four procedures call services. `delete` catches `NotFoundError` to preserve the pre-migration idempotent behaviour. `list` narrows `monitor` to non-null in the return type — every incident is expected to have an associated monitor via the FK. `acknowledge` / `resolve` still return `true` to match the old contract. ## Context helper - `tryGetActorUserId(actor)` in `packages/services/src/context.ts` — returns the openstatus user id for user/apiKey/slack actors when available, `null` for system/webhook. Exported from the root barrel. ## Enforcement - Biome `noRestrictedImports` scope adds `packages/api/src/router/incident.ts`. - Subpath export `@openstatus/services/incident`. ## Tests - `packages/services/src/incident/__tests__/incident.test.ts` — happy paths for acknowledge / resolve / delete, already-acknowledged and already-resolved `ConflictError`, workspace isolation across all mutations, list workspace isolation, and the batch monitor enrichment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/incident): address Cubic review - **TOCTOU on acknowledge / resolve** — the old read-then-update allowed two concurrent acknowledgers (or resolvers) to both succeed. Replaced with a conditional update (`WHERE acknowledged_at IS NULL` / `WHERE resolved_at IS NULL`); the loser of the race gets no row back and we throw the same `ConflictError` the pre-read would have raised. Dropped the now-unreachable `InternalServiceError` branch. - **Monitor enrichment workspace scope** — `enrichIncidentsBatch` now filters `monitor.workspaceId = ctx.workspace.id` alongside the `inArray` on monitor id. Defence-in-depth: the `incident.monitorId` column has no FK against workspace ownership, so a cross-workspace pointer (however unlikely) no longer leaks the other workspace's monitor row. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate monitor domain tRPC (PR 4/N) (#2105) * feat(services): migrate monitor domain tRPC onto service layer Fourth domain, the largest so far. Migrates the **tRPC** monitor router (all 14 procedures) onto `@openstatus/services/monitor`. The Connect handler (`apps/server/src/routes/rpc/services/monitor/`) and the v1 REST `apps/server/src/routes/v1/monitors/*` endpoints stay untouched for now — they are separate external-API surfaces and warrant their own follow-up PRs with their own test suites. - `createMonitor`, `cloneMonitor`, `deleteMonitor`, `deleteMonitors` (bulk soft-delete), `getMonitor`, `listMonitors`. - `updateMonitorGeneral` — preserves the existing tRPC `updateGeneral` behaviour including jobType switching (HTTP ↔ TCP ↔ DNS). Called out as a code smell in the explore, but preserved intentionally since it's the dashboard's current edit flow. Kept jobType-agnostic rather than split into 3 separate update methods. - `updateMonitorRetry`, `updateMonitorFollowRedirects`, `updateMonitorOtel`, `updateMonitorPublic`, `updateMonitorResponseTime` — field-specific setters. - `updateMonitorSchedulingRegions` — enforces plan limits (periodicity / region-count / region-access) + validates the private-location ids before replacing the association set. - `updateMonitorTags`, `updateMonitorNotifiers` — validate and replace the tag / notifier association sets. - `bulkUpdateMonitors` — batched toggle of `public` / `active` across multiple monitor ids. Matches the old `updateMonitors` procedure. - All mutations run inside `withTransaction`, emit `emitAudit`. - Cascade deletes: `monitor_tag_to_monitor`, `notifications_to_monitors`, `page_component` rows are torn down on delete (matches pre-migration behaviour — bypasses FK cascades because some rows reference the monitor without cascade). - `validateTagIds` / `validateNotificationIds` / `validatePrivateLocationIds` — workspace-scoped validators with dedupe. - `pickDefaultRegions(workspace)` — ports the old "randomly pick 4 free / 6 paid regions excluding deprecated" logic. - `serialiseAssertions` / `headersToDbJson` — assertion / header serialisation moved out of the tRPC router. - `countMonitorsInWorkspace` for quota checks. `listMonitors` does two IN queries (tags + incidents) regardless of list size. `getMonitor` reuses the same path with the richer `{ notifications, privateLocations }` toggle and a singleton. Same pattern as status-report's batched fix. - **tRPC** (`packages/api/src/router/monitor.ts`): every procedure is a thin wrapper. `delete` catches `NotFoundError` for idempotency. `new` / `updateGeneral` keep the `testHttp` / `testTcp` / `testDns` pre-save check at the tRPC layer — services unconditionally save, callers decide whether to pre-validate. - Connect RPC handler at `apps/server/src/routes/rpc/services/monitor/` — still uses its own helpers. Will be migrated in a follow-up (4b). - v1 REST endpoints at `apps/server/src/routes/v1/monitors/*` — yet another external surface; dedicated PR later. - `packages/api/src/service/import.ts` monitor writes — covered by the plan's dedicated PR 9. - Biome `noRestrictedImports` scope adds `packages/api/src/router/monitor.ts`. The Connect monitor handler stays out of scope until 4b. - Subpath export `@openstatus/services/monitor`. - `packages/services/src/monitor/__tests__/monitor.test.ts` — create (http / tcp / dns), delete cascade, bulk delete, clone, tags / notifiers validation (forbidden when cross-workspace), list / get with workspace isolation + soft-delete hiding, updateMonitorGeneral round-trip. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): declare @openstatus/regions + @openstatus/assertions deps The monitor domain pulls `regionDict` from `@openstatus/regions` (for the default-region picker) and assertion classes / validators from `@openstatus/assertions`. Both were missing from `packages/services/package.json`, so Vercel's Next.js build for `apps/status-page` — which transitively imports the services package via `@openstatus/api` — failed with "Module not found" on `packages/services/src/monitor/internal.ts:20` and `schemas.ts:1`. Local pnpm workspaces resolved the imports via hoisting, which masked the missing declarations until an actual Next.js build forced strict resolution. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/monitor): address Cubic review - **`timeout` / `degradedAfter` bounds** (schemas.ts) — mirror the 0–60_000 ms cap from `insertMonitorSchema`. Values outside the range are rejected before the UPDATE instead of being silently persisted. - **`jsonBody` assertion mapping** (internal.ts) — the serialiser was silently dropping `jsonBody`-typed input because the runtime class wasn't wired up. Added the `JsonBodyAssertion` branch; the class has existed in `@openstatus/assertions` the whole time, this was just a missing case. - **Clone resets `status`** (clone.ts) — cloning no longer inherits the source's current `error`/`degraded` health. Freshly cloned monitors start at `"active"` and settle on their first check. - **Delete filters soft-deleted** (delete.ts) — the pre-check now includes `isNull(monitor.deletedAt)`, so a repeat delete returns `NotFoundError` (preserved as idempotent at the tRPC layer) instead of re-running the cascades and emitting duplicate audits. - **List/get workspace scope on relations** (list.ts) — `enrichMonitorsBatch` takes `workspaceId` and scopes the incident / tag / notification / private-location IN queries to the caller's workspace. Defence-in-depth against inconsistent FK data (none of those tables enforce workspace ownership at the FK level). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate notification CRUD (PR 5/N) (#2106) * feat(services): migrate notification CRUD onto service layer Fifth domain. Migrates the four CRUD procedures — `list`, `new`, `updateNotifier`, `delete` — of the notification tRPC router onto `@openstatus/services/notification`. The three integration-helper procedures (`sendTest`, `createTelegramToken`, `getTelegramUpdates`) stay inline at the tRPC layer and are explicitly out of scope for this migration. - `createNotification` — enforces plan limits on both the channel count (`notification-channels`) and the provider itself (`sms` / `pagerduty` / `opsgenie` / `grafana-oncall` / `whatsapp` require plan flags); validates the loose `data` payload against `NotificationDataSchema`; validates monitor ids are in-workspace and not soft-deleted. - `updateNotification` — replaces name / data / monitor associations in a single transaction with the same validation rules as create. - `deleteNotification` — hard-delete (FK cascade clears associations). The tRPC wrapper swallows `NotFoundError` to preserve the old idempotent behaviour. - `listNotifications`, `getNotification` — batched IN query enriches monitors per notification. Monitor enrichment is workspace-scoped and filters soft-deleted monitors for defence-in-depth. - All mutations run inside `withTransaction`, emit `emitAudit`. - **tRPC** (`packages/api/src/router/notification.ts`): `list` / `new` / `updateNotifier` / `delete` become thin service wrappers. `sendTest` + `createTelegramToken` + `getTelegramUpdates` are unchanged. - **`sendTest` migration** — the dispatch switch imports from 10 `@openstatus/notification-*` packages. Moving it into services would pull those as direct deps; the plan's phrasing ("Channel CRUD + test-dispatch") allows this as a later extraction. - **`createTelegramToken` / `getTelegramUpdates`** — redis + external Telegram API helpers; transport UX, not domain operations. - **Biome scope for `notification.ts`** — the file still imports `@openstatus/db/src/schema` for the `sendTest` provider data schemas. Will land with the sendTest migration follow-up. - **Connect RPC notification handler** — stays on its own helpers; follow-up aligned with PR 4's Connect deferral. - `__tests__/notification.test.ts` covers create (including `ValidationError` on malformed data, `LimitExceededError` on gated provider, `ForbiddenError` on cross-workspace monitor), update (association replacement, cross-workspace `NotFoundError`), delete, list/get workspace isolation + monitor enrichment scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): address Cubic review - **Update flow plan gate** (update.ts) — `updateNotification` was skipping `assertProviderAllowed`, so a user who downgraded their plan could still edit a notification configured with a now-restricted provider. Re-check against the stored `existing.provider` to match the create-time gate. - **Provider / data match** (internal.ts) — `NotificationDataSchema` is a union, so `{ provider: "discord", data: { slack: "…" } }` passed the union check even though the payload key doesn't match the provider. `validateNotificationData` now takes the provider and asserts `provider in data` after the top-level parse. Applied in both `create` and `update` (update uses the stored provider since the API doesn't allow provider changes). Added a test for the mismatch case. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/notification): tighten data validation against provider schema Cubic's follow-up on the previous fix was right: checking only `provider in data` isn't enough. `NotificationDataSchema` is a union, so a payload like `{ discord: "not-a-url", slack: "valid-url" }` passes because the union matches the slack variant — the extra `discord` key is ignored, and my key-presence check sees `"discord"` and lets it through. Replaced the union parse + key check with a provider-specific schema lookup (`providerDataSchemas[provider].safeParse(data)`). Each canonical channel schema is keyed by its provider name and validates the shape / content of the value, so the new check catches both the mismatched-provider and malformed-payload cases in one pass. Added a test covering the exact case Cubic flagged — invalid `discord` URL alongside a valid `slack` URL now rejects with ValidationError. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate page-component domain (PR 6/N) (#2107) * feat(services): migrate page-component domain onto service layer Sixth domain, tRPC-only. Migrates `list`, `delete`, and `updateOrder` onto `@openstatus/services/page-component`. - `listPageComponents` — workspace-scoped filter + optional pageId filter. Batched enrichment in four IN queries (monitors, groups, status reports via join, maintenances via join). All relation queries scoped to the caller's workspace for defence-in-depth. - `deletePageComponent` — hard-delete. Cascade clears the `status_report_to_page_component` / `maintenance_to_page_component` associations. The tRPC wrapper swallows `NotFoundError` to preserve the pre-migration idempotent behaviour. - `updatePageComponentOrder` — the complex one. Mirrors the existing diff-and-reconcile pass faithfully (≈220 lines → a single transaction): 1. Assert the page is in the workspace. 2. Enforce the workspace's `page-components` plan cap. 3. Validate every monitor id in the input set. 4. Remove monitor components whose monitorId isn't in the input; remove static components based on whether the input carries ids. 5. Clear `groupId` before dropping groups (FK safety), then recreate groups. 6. Upsert monitor components via `onConflictDoUpdate` on the `(pageId, monitorId)` unique constraint (preserves ids). 7. Update existing static components by id; insert new ones. Audit: `page_component.update_order` / `page_component.delete`. - **tRPC** (`packages/api/src/router/pageComponent.ts`): all three procedures call services. `delete` catches `NotFoundError` and returns the old `drizzle.returning()`-shaped empty array. The pre-existing `pageComponent.test.ts` (tests cross-workspace monitorId → `TRPCError(FORBIDDEN)`) is untouched and still valid — my services throw `ForbiddenError`, which `toTRPCError` maps to the same code. - Biome `noRestrictedImports` scope adds `packages/api/src/router/pageComponent.ts`. - Subpath export `@openstatus/services/page-component`. - `__tests__/page-component.test.ts` covers `updatePageComponentOrder` happy path (creates monitor + static + grouped components), rejects cross-workspace monitorId and cross-workspace pageId, `list` workspace isolation, `delete` cross-workspace `NotFoundError`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): Connect RPC notification handler catch-up (#2108) * feat(services): Connect RPC notification handler onto services (catch-up) Follow-up to PR 5 — noticed on review that my PRs from PR 4 onwards had been narrowing scope to tRPC only and deferring Connect handlers, which was piling up. This closes the notification Connect gap. `apps/server/src/routes/rpc/services/notification/index.ts` — the five CRUD methods now delegate to `@openstatus/services/notification`: - `createNotification` → `createNotification` service (handles the plan-count limit, per-provider plan gate, and data-schema validation internally — the Connect-side `checkNotificationLimit` / `checkProviderAllowed` / `validateProviderDataConsistency` calls are gone). - `getNotification`, `listNotifications`, `updateNotification`, `deleteNotification` — thin proto-to-service-to-proto wrappers. - `updateNotification` reads the existing record via the service and fills in missing fields (Connect's update is partial; the service expects a full payload), then applies the update. Left inline: - `sendTestNotification` — calls `test-providers.ts` (external HTTP). - `checkNotificationLimit` RPC method — returns the count info via `./limits.ts` helpers (pure queries, no domain mutation). The local Connect helpers (`validateProviderDataConsistency`, `checkNotificationLimit`, `checkProviderAllowed`, and the ad-hoc `validateMonitorIds` / `updateMonitorAssociations` / `getMonitorById` / `getMonitorCountForNotification` / `getMonitorIdsForNotification`) are no longer imported by `index.ts`; they remain in their files because `test-providers.ts` and the unmigrated Connect monitor handler still reference some of them. Added `apps/server/src/routes/rpc/services/notification/index.ts` to the `noRestrictedImports` scope. The directory-level glob isn't a fit because `limits.ts` and `test-providers.ts` legitimately need direct db access until their own follow-up migrations. - **Connect monitor handler** (~880 lines, 6 jobType-specific create/update methods + 3 external-integration methods) — requires a much bigger refactor. Flagged as dedicated PR 4b; tracked separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): dedupe monitor ids in Connect createNotification response Cubic's P2 catch: the service dedupes `monitors` before the insert (via `validateMonitorIds` in the services package), but the Connect handler echoed `req.monitorIds` verbatim back in the response. For an input like `["1", "1", "2"]` the DB stored `[1, 2]` while the response claimed `["1", "1", "2"]` — caller state diverges from persistence. Echo `Array.from(new Set(req.monitorIds))` instead so the response matches what's actually stored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate page authoring (PR 7/N) (#2109) * feat(services): migrate page (status-page authoring) onto service layer Seventh domain. Migrates the 13 authoring procedures in `pageRouter` onto `@openstatus/services/page`. Deliberately scoped to authoring CRUD only: - `statusPage.ts` — public viewer endpoints (subscribe / get / uptime / report / verify / unsubscribe) are a separate surface that doesn't use the authenticated `ServiceContext`; dedicated follow-up. - Connect `apps/server/src/routes/rpc/services/status-page/**` — ~1500 lines with 18 methods (page CRUD + components + groups + subscribers + view). Too big for this PR; dedicated follow-up, same shape as the Connect monitor deferral. - `createPage` / `newPage` — full vs minimal create; both enforce the `status-pages` plan cap and (for `createPage`) the per-access-type plan gates (password-protection, email-domain-protection, ip- restriction, no-index). - `deletePage` — FK cascade clears components / groups / reports / subscribers. - `listPages` — batched enrichment with `statusReports`. - `getPage` — enriched with `maintenances` / `pageComponents` / `pageComponentGroups`. - `getSlugAvailable` — pure check against `subdomainSafeList` + DB. - `updatePageGeneral` — with slug-uniqueness re-check on change. - `updatePageCustomDomain` — persists the DB change and returns the previous domain so the caller can diff. Vercel add/remove stays at the tRPC layer (external integration). - `updatePagePasswordProtection` — re-applies the same plan gates the `create` path uses. - `updatePageAppearance`, `updatePageLinks`, `updatePageLocales` (gated on `i18n` plan flag), `updatePageConfiguration`. - Audit action emitted for every mutation. All 13 procedures are thin wrappers. `delete` catches `NotFoundError` for idempotency. `updateCustomDomain` orchestrates: 1. `getPage` (via service) to read the existing domain. 2. `addDomainToVercel` / `removeDomainFromVercel` as needed. 3. `updatePageCustomDomain` (via service) to persist. - Biome scope adds `packages/api/src/router/page.ts`. The router imports `insertPageSchema` via the services re-export (`CreatePageInput`) so the db-import ban applies cleanly. - Subpath export `@openstatus/services/page`. - `__tests__/page.test.ts` covers `newPage` happy / reserved / duplicate, `createPage` monitor attachment + cross-workspace monitor, `updatePageGeneral` rename + duplicate-slug conflict + cross-workspace, `updatePageLocales` plan gate, list / get / slug-available workspace isolation, delete cross-workspace NotFoundError. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate Connect status-page page CRUD onto services Extends PR #2109 to cover the Connect RPC status-page handler's page CRUD surface (create / get / list / update / delete), matching the migration that landed for tRPC's `pageRouter`. The other 13 methods (components, groups, subscribers, viewer) still read the db directly — they're separate domains that'll need their own services in follow-ups. - create / get / delete call into `@openstatus/services/page` and preserve the granular Connect errors (`statusPageNotFoundError`, `slugAlreadyExistsError`) by pre-checking before the service call or catching `NotFoundError` → re-throwing the richer variant. - list fetches via the service and paginates in-memory; status-page quota is bounded per workspace so the extra enrichment is negligible. - update loads the existing page via the service, then orchestrates the per-section updates (`updatePageGeneral`, `updatePageLinks`, `updatePageAppearance`, `updatePageCustomDomain`, `updatePageLocales`, `updatePagePasswordProtection`) inside a shared transaction so a partial failure can't leave the page half-updated. Each service's internal `withTransaction` detects the pre-opened tx and skips nesting. - Proto-specific format validations (https icon URL, custom-domain regex, IPv4 CIDR, email-domain shape) and the i18n PermissionDenied path stay at the handler — they don't exist in the zod insert schema and their error codes would change if deferred to the service. - `Page` from the service parses `authEmailDomains` / `allowedIpRanges` into arrays, while the converters (still used by the unmigrated methods) expect the comma-joined string form. `serviceToConverterPage` bridges the two shapes at the call sites that need it. Biome scope deliberately unchanged: the file still imports from `@openstatus/db` for the 13 legacy methods, so the override would light up the whole file. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page): address Cubic review on #2109 Four issues flagged across two Cubic reviews: - `createPage` skipped `assertSlugAvailable`, so full-form creates could bypass reserved/duplicate slug validation and either create a duplicate or fail late on a DB constraint instead of the clean `ConflictError`. Added the check alongside the existing quota gate. - `createPage` passed `passwordProtected` / `allowedIpRanges` but not `allowIndex` to `assertAccessTypeAllowed`, bypassing the `no-index` plan gate on create. Now forwarded. - `UpdatePagePasswordProtectionInput.allowedIpRanges` accepted arbitrary strings. Mirrored the CIDR validation from `insertPageSchema` — bare IPs get `/32` appended, everything pipes through `z.cidrv4()`. - `updatePagePasswordProtection` wrote `authEmailDomains: input.authEmailDomains?.join(",")`, which evaluates to `undefined` when the caller clears the field. Drizzle treats `undefined` as "skip this column" on `.set()`, so stale email domains survived an access-type switch. Added the `?? null` fallback to match the neighboring `allowedIpRanges` line. This fixes the Connect `updateStatusPage` path where switching away from AUTHENTICATED sets `nextAuthEmailDomains = undefined` expecting the column to clear. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate workspace / user / invitation / api-key (PR 8/N) (#2110) * feat(services): migrate workspace / user / invitation / api-key (PR 8/N) Stacked on PR #2109. Eighth migration — four small domains consolidated into one PR because each is narrow (roughly two to five procedures) and they share no structural dependencies beyond already-migrated infrastructure. **workspace** — `getWorkspace`, `getWorkspaceWithUsage` (pages + monitors + notifications + page-components batched via drizzle relations), `listWorkspaces` (takes `userId` explicitly since `list` runs across every workspace the user has access to), `updateWorkspaceName`. **user** — `getUser` (active, non-soft-deleted), `deleteAccount` (the paid- plan guardrail stays; removes non-owned memberships, sessions, OAuth accounts and blanks the PII columns inside a single tx). **invitation** — `createInvitation` (plan gate counts pending invites against the members cap so two outstanding invites can't both accept past the limit), `deleteInvitation`, `listInvitations`, `getInvitationByToken` (scoped by token **and** accepting email to prevent token-sharing), `acceptInvitation` (stamps acceptedAt + inserts membership atomically). **api-key** — `createApiKey` (returns plaintext token once), `revokeApiKey` (workspace-scoped existence check inside the tx so concurrent revokes resolve to a consistent NotFound rather than a silent no-op), `listApiKeys` (replaces the legacy per-row `Promise.all` fan-out with a single IN query for creator enrichment), `verifyApiKey` + `updateApiKeyLastUsed` (no ctx required — the verify path runs before workspace resolution and callers pass an optional `db` override). All 14 procedures become thin `try { return await serviceFn(...) } catch { toTRPCError }` wrappers. Router shapes stay identical so the dashboard needs no changes. Connect + Slack don't expose these domains today; migrating their consumers is a follow-up. Biome `noRestrictedImports` override adds the four router files. Subpath exports `@openstatus/services/{workspace,user,invitation,api-key}` added to the services package. Deletes `packages/api/src/service/apiKey.ts` and its tests — fully superseded by `packages/services/src/api-key/`. The auth middleware in `apps/server` has its own inline apiKey verification and is unaffected. - **`domain.ts`** — pure Vercel-API proxy with no DB usage; not part of the migration surface. Stays as-is. - **`packages/api/src/service/{import,telegram-updates}.ts`** — import migration is PR 9; telegram-updates stays for a follow-up. Per-domain `__tests__/*.test.ts` covers: workspace rename + audit, usage counts, members cap hit on free plan, invitation token-mismatch rejection, accept idempotency, api-key creation returning a bcrypt hash, list creator enrichment, revoke NotFoundError on unknown ids, verifyApiKey happy / bad- format / wrong-body paths, lastUsed debounce. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Cubic review on #2110 Four issues flagged on PR 8: - **P1 — `invitation/accept.ts`**: the read-then-write pattern let two concurrent accepts both pass the `isNull(acceptedAt)` check and race through the membership insert. Replaced with a conditional UPDATE that re-asserts `isNull(acceptedAt)` in the WHERE clause and checks `.returning()` rowcount. The loser gets `ConflictError`, the tx aborts before membership inserts run. - **P2 — `api-key/create.ts`**: `createdById` was taken from input and the router spliced in `ctx.user.id`. Since that column is attribution data (who owns the key, who the audit row blames), trusting input would let any caller forge ownership. Derived from `ctx.actor` via `tryGetActorUserId`; actors without a resolvable user id (system / webhook / unlinked api-key) now get `UnauthorizedError` instead of a silent NULL write. `createdById` removed from the input schema. - **P2 — `invitation/delete.ts`**: audit row was emitted even when the DELETE matched zero rows (unknown id / wrong workspace). Switched to `.returning({ id })` and short-circuit before the audit emit so the log only reflects actual deletions. - **P2 — `invitation/list.ts`**: the `if (!input.email)` → `UnauthorizedError` branch in `getInvitationByToken` was unreachable because `z.email()` already rejects empty / malformed emails at `.parse()`. Removed the dead branch; the router keeps its own pre-call check for `ctx.user.email`, so the transport-level UnauthorizedError path is preserved. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services): migrate import domain (PR 9/N) (#2111) * feat(services): migrate import domain (PR 9/N) Stacked on PR #2110. Ninth and final domain — lifts the ~1,000-line `packages/api/src/service/import.ts` orchestrator into the services package as its own `@openstatus/services/import` domain. Split into focused files: - **`schemas.ts`** — `PreviewImportInput` / `RunImportInput` zod. Provider discriminator + per-provider page-id fields live here; options schema is separately exported for callers that want to pre-validate. - **`provider.ts`** — `createProvider` factory + `buildProviderConfig` reshape helper, isolated from the orchestrator so adding a provider is a one-file change. - **`limits.ts`** — `addLimitWarnings` (shared by preview + run). Pure mutation on the `ImportSummary` argument; no writes. - **`utils.ts`** — `clampPeriodicity` + `computePhaseStatus` helpers. - **`phase-writers.ts`** — the seven phase writers (page / component groups / components / incidents / maintenances / monitors / subscribers). Each takes a `DB` explicitly so callers can thread a pre-opened tx; failing resources get `status: "failed"` with an error string rather than throwing. - **`preview.ts`** — dry-run only; validates credentials, runs the provider with `dryRun: true`, emits warnings. - **`run.ts`** — the orchestrator. Now owns the `pageId` ownership check (previously duplicated in the tRPC router) and emits exactly **one** `import.run` audit row regardless of outcome so partial / failed runs still show up in the audit signal. Deliberately *not* wrapped in `withTransaction` — imports can span minutes across dozens of writes and the existing UX is phase-level recovery. 124 lines → 28 lines. The router is now a thin `previewImport` / `runImport` wrapper; the input schemas and all validation live in the service. The router-level `TRPCError`-throwing `pageId` ownership check moved into `runImport` so non-tRPC callers (Slack / future) get the same guard. - Provider validation failure: `TRPCError("BAD_REQUEST")` → `ValidationError` → `TRPCError("BAD_REQUEST")`. Net-same. - Unknown / wrong-workspace `pageId`: `TRPCError("NOT_FOUND")` → `NotFoundError` → `TRPCError("NOT_FOUND")`. Net-same. - Unit tests for `addLimitWarnings` / `clampPeriodicity` / `computePhaseStatus` move to `packages/services/src/import/__tests__/`. - Router integration tests (`packages/api/src/router/import.test.ts`) that previously called `previewImport` / `runImport` directly to override workspace limits now route through `makeCaller(limitsOverride)` with an explicit `provider: "statuspage"` field. This also fixes four pre-existing TypeScript errors where those calls were missing the (required) provider discriminator. - Biome `noRestrictedImports` override adds `packages/api/src/router/import.ts`. - Subpath export `@openstatus/services/import` added. - `@openstatus/importers` added to services deps; services `tsconfig.json` bumped to `moduleResolution: "bundler"` so the importers package-exports map resolves (same setting `packages/api` already uses). Deletes `packages/api/src/service/import.ts` (1042 lines) and its test file (463 lines). Only `telegram-updates.ts` remains in `packages/api/src/service/` — that's slated for a follow-up PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(services/import): per-resource audit + Cubic fixes on #2111 Two changes folded together: Every phase writer now emits one `emitAudit` row per *created* resource, matching what the domain services emit for normal CRUD: | Phase | Audit action | --- | --- | page | `page.create` | componentGroups | `page_component_group.create` | components | `page_component.create` | monitors | `monitor.create` | incidents | `status_report.create` + `status_report.add_update` per update | maintenances | `maintenance.create` | subscribers | `page_subscriber.create` Skipped resources don't emit (their original create audit already exists); failed resources don't emit (nothing was written); link-table rows (statusReportsToPageComponents etc.) don't emit (edges, not entities). Metadata always carries `source: "import"` + `provider: <name>` + `sourceId: <provider-id>` so the audit trail traces back to the source system. The rollup `import.run` audit still fires at the end — the per-resource rows give forensic granularity, the run-level row gives "this bulk operation happened" without scanning the full summary blob. For the change, phase writers now take a shared `PhaseContext = { ctx, tx, provider }` instead of `(db, workspaceId, limits)` — the orchestrator builds one `PhaseContext` per run and threads it through, giving each writer access to `ctx.actor` for audit attribution. `statusReportUpdate` writes now use `.returning({ id })` so the per-update audit can attribute the right row. - **`run.ts:130`** — phases after `page` kept their provider-assigned status when `targetPageId` was falsy but the user option wasn't `false`. Replaced the narrow `else if (option === false)` branches with a plain `else → phase.status = "skipped"`, matching what `subscribers` already did. - **`run.ts:147`** — when the `components` phase hit `remaining <= 0`, the phase was marked `"failed"` but individual resource statuses were left stale with no error string. Each resource is now marked `"skipped"` with `"Skipped: component limit reached (N)"`, matching `writeMonitorsPhase`. Phase-level status becomes `"skipped"` too (was `"failed"` — failed implied a writer error, this is really a plan-limit pre-check). - **`provider.ts`** — both `createProvider` and `buildProviderConfig` had a `default:` that silently ran the Statuspage adapter for any unknown provider name, which would mask a typo by handing a non- Statuspage api key to the wrong adapter. Replaced with exhaustive `case "statuspage"` + `never`-typed default throw. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(services): rename rpc/services → rpc/handlers (PR 10/N) (#2112) The symbolic deliverable from the plan's "close the loop" PR. Renames `apps/server/src/routes/rpc/services/` → `apps/server/src/routes/rpc/handlers/` so the distinction between "the services layer" (owns business logic, lives in `packages/services`) and "Connect transport handlers" (thin proto → service → proto wrappers) is permanent and visible in the path. Keeping the old name invites the next developer to "just add one small thing" to a file under a `services/` folder months later; the rename makes the layering explicit. - `git mv` of the six domain subdirectories + their tests (health / maintenance / monitor / notification / status-page / status-report). - `router.ts` import paths updated from `./services/*` to `./handlers/*`. - Biome `overrides.include` paths updated to the new location. - Added `apps/server/src/routes/rpc/handlers/health/**` to the scope — the health handler has no db usage today; including it locks in that invariant. Rather than pretending the full "close the loop" deliverable is possible today, the biome.jsonc comment now enumerates exactly what remains unmigrated: - `packages/api/src/router/statusPage.ts` — public viewer endpoints under `publicProcedure`, no authed `ServiceContext`. - `packages/api/src/router/{member,integration,monitorTag, pageSubscriber,privateLocation,checker,feedback,stripe,tinybird, email}.ts` — small domains not yet lifted. - `apps/server/src/routes/rpc/handlers/monitor/**` — 6 jobType-specific methods still on db. - `apps/server/src/routes/rpc/handlers/status-page/**` — page CRUD is migrated (PR 7), but components / groups / subscribers / viewer (13 methods) still import db, so the whole file stays out of scope. - `apps/server/src/routes/v1/**` — the public HTTP API surface. - `apps/server/src/routes/slack/**` except `interactions.ts` — tools, handler, oauth, workspace-resolver still on db. - `apps/server/src/routes/public/**` — public-facing HTTP routes. Each of the above is its own PR-sized migration. The final consolidation (broadening to `router/**` + dropping `@openstatus/db` from `packages/api` and `apps/server`) is conditional on all of them landing first. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/import): use ctx workspaceId for page insert `writePagePhase` was inserting with `data.workspaceId` — the value the provider package round-tripped into resource data. Every other phase writer (monitor / components / subscriber) already reads `workspaceId` from `ctx.workspace.id`; this lines the page insert up with that pattern. Defends against the (unlikely) case where a provider mapper serialises the wrong workspace id into its output, since `ctx` is the authoritative source. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude review findings on #2110 Six findings from Claude's review pass — five code/doc fixes, one documentation-only note. **P2 — `acceptInvitation` derives userId from `ctx.actor`.** Was taking it from input: the email scoped *which* invitation could be accepted, but not *who* the membership was inserted for. A caller with the right token+email could insert a membership under an arbitrary user id. Removed `userId` from `AcceptInvitationInput`; derived from `tryGetActorUserId(ctx.actor)`, throws `UnauthorizedError` for non-user actors. Mirrors the same pattern applied to `createApiKey.createdById` in the Cubic pass. Router and test updated accordingly. **P2 — `getWorkspace` throws `NotFoundError` explicitly.** `findFirst` + `selectWorkspaceSchema.parse(undefined)` was throwing `ZodError` (→ `BAD_REQUEST`) instead of the `NotFoundError` shape every other service uses. Unreachable in practice (ctx.workspace is resolved upstream) but the error shape was the only outlier; consistency matters for callers pattern-matching on error codes. **P3 — `listApiKeys` filters null `createdById` before the IN query.** The new `createApiKey` path enforces a non-null creator, but legacy rows may have null. SQL's `x IN (NULL)` is `UNKNOWN` — technically safe — but drizzle types model the array as `number[]`. Filtering upfront keeps the types honest and sidesteps any future surprise. **P3 — `deleteInvitation` guards `acceptedAt IS NULL`.** The WHERE previously allowed hard-deleting *accepted* invitations, wiping the "user was invited on X" breadcrumb. Added the `isNull(acceptedAt)` guard + doc comment explaining the audit-trail preservation intent. **Doc-only — `deleteAccount` orphan comment.** Non-owner memberships are removed, but owner memberships + owned workspaces survive. Matches legacy behavior. Added a scope-note docblock flagging that workspace cleanup is explicitly out of scope (belongs to a future admin / scheduled job). **Doc-only — `createInvitation` role comment.** The invite insert lets `role` fall through to the schema default (`member`). Matches legacy (which also only picked `email`). Comment added so the absence reads as deliberate rather than overlooked. Minor — the concurrent-accept race test is covered by the conditional UPDATE + `ConflictError` path from the earlier P1 fix; mocking it reliably against SQLite is noisy and not worth the test complexity. Documented in the related code comment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude re-review findings on #2110 Four issues surfaced after the first round of fixes on this PR: **P2 — `listApiKeys` crashes on all-legacy keys.** After the null filter added in the previous commit, workspaces whose keys all pre-date the services migration (every `createdById` null) end up with `creatorIds === []`. Drizzle throws "At least one value must be provided" on an empty `inArray`, taking the whole endpoint down. Added an early return that maps `createdBy: undefined` when there are no non-null creator ids to look up. **P2 — `getWorkspaceWithUsage` ZodError on missing row.** Same `findFirst` + `selectWorkspaceSchema.parse(result)` pattern as `getWorkspace`, but without the `NotFoundError` guard that got added in the earlier pass. Added the guard. Also cleaned up the usage block — no longer needs optional chaining once the narrowing fires. **P2 — `deleteAccount` took `userId` from input.** Completing the `createApiKey` / `acceptInvitation` pattern: account deletion must target `ctx.actor`, never an arbitrary id. Dropped `userId` from `DeleteAccountInput` (now an empty forward-compat shape), derived inside the service via `tryGetActorUserId`, throws `UnauthorizedError` for non-user actors. Router updated to stop passing it. **P3 — `createInvitation` dev-token log could leak in tests.** Tightened the comment around the `process.env.NODE_ENV === "development"` guard to flag that strict equality is load-bearing — bun:test sets `NODE_ENV=test` and CI leaves it undefined, both of which correctly skip the log. No behavior change, just a clearer contract so the next reader doesn't loosen it. Cubic's two findings on this review pass point at `packages/api/src/ router/import.ts` and `packages/services/src/import/limits.ts` — both live in the next PR up the stack (#2111 / feat/services-import) and will be addressed there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2110 Four findings from the third Cubic review (now that #2111's import domain is included in the #2110 diff via the stack): **P2 — biome.jsonc notification handler scope.** Only `notification/index.ts` was in the `noRestrictedImports` override. Sibling files (`errors.ts`, `test-providers.ts`) were outside the migration guard, so new db imports could land in them without the lint failing. Broadened to `notification/**` and moved the two files that *legitimately* still read db (`limits.ts` querying workspace quotas, `converters.ts` needing db enum shapes for proto round-trip) into the `ignore` list. Future siblings are enforced by default rather than silently slipping through. **P2 — `clampPeriodicity` unknown values returned too fast.** `PERIODICITY_ORDER.indexOf("unknown") === -1` → `Math.max(-1, 0) === 0` → walk started at `"30s"` (the fastest tier). Could return an interval faster than requested, violating the "never-faster-than-requested" invariant. Short-circuits now to the slowest allowed tier when the requested value isn't a known periodicity. Added unit tests covering the unknown-value + empty- allowed fallback paths. **P2 — component/monitor limit warnings counted total resources, not quota-consuming inserts.** If the import contained 4 components and 3 already existed (would be skipped as duplicates), the warning claimed `"Only X of 4 can be imported"` — but actually zero quota would be consumed by the 3 skips, so the real new-creation count might fit entirely. Reworded to `"Only N new components may be created … some of the M in the import may already exist and be skipped"`. Same treatment for the monitors warning. Preview stays DB-light (no per-resource existence checks); the warning now honestly conveys worst-case without misleading users about what will actually happen. Test assertions updated to match the new wording with substring matches that aren't tied to the exact fraction. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page): address Claude review on #2109 Six items from Claude's review, going with the calls I leaned toward in the question-back: **P2 — tRPC `updateCustomDomain` wasteful `getPage` read.** Was calling `getPage(id)` (fires 3 batched relation queries: maintenances + components + groups) just to grab `customDomain` before the Vercel add/remove calls. Added a narrow `getPageCustomDomain` service helper — single indexed lookup, workspace-scoped, returns the string directly. Router swapped over. Service-layer authority preserved; no db reads leak into the router. **P2 — Connect `updateStatusPage` slug-race code drift.** Handler pre-checks slug to surface `slugAlreadyExistsError` (`Code.AlreadyExists`). The `updatePageGeneral` service call re-validates via `assertSlugAvailable` → `ConflictError` → `Code.InvalidArgument` in the race where two callers both clear the pre-check. Wrapped the call in `try/catch (ConflictError)` and rethrow as `slugAlreadyExistsError(req.slug)` so gRPC clients keying on the code get a consistent `AlreadyExists` whether they lose at the pre-check or at the inner tx. **P2 — Connect `createStatusPage` / `updateStatusPage` customDomain without Vercel sync.** Pre-existing behaviour (the direct-db handler had the same gap). Added a top-of-impl comment so it doesn't go unnoticed — the fix is a shared transport-layer helper the Connect handlers can reuse, out of scope for this migration PR to keep the behavioural blast radius small for external API consumers. **P3 — double cast `row as unknown as Page` in `create.ts`.** The drizzle insert-returning type and the `Page` type diverge on `authEmailDomains` / `allowedIpRanges` (raw comma-joined string vs parsed `string[]`). Replaced the double casts with `selectPageSchema.parse(row)` which normalises the row into the shape callers expect. Cast-drift is now impossible to introduce silently. **P3 — `void ConflictError;` workaround.** Import was unused in `create.ts`; the `void` line was silencing the unused-import warning rather than fixing the cause. Removed both. **P3 — deprecated `passwordProtected` column.** Added a doc block on `updatePagePasswordProtection` flagging that the deprecated boolean column is intentionally not written here (the v1 REST read path derives it from `accessType` via `normalizePasswordProtected`). Prevents a future reader from mistaking the omission for an oversight and writing two sources of truth for the same signal. Test coverage for the 5 untested update services (`updatePagePasswordProtection`, `updatePageCustomDomain`, `updatePageAppearance`, `updatePageLinks`, `updatePageConfiguration`) deferred to a follow-up per Claude's "not blocking" marker — the failing-edge behaviour is the critical bit, and `updatePagePasswordProtection` already has indirect coverage through the Connect handler tests on this branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address Claude review on #2108 Four items from Claude's review of the Connect notification handler backfill: **P3 — `protoDataToServiceInput` swallowed parse failures.** `try { JSON.parse } catch { return {} }` was hiding any malformed output from `protoDataToDb` (which would be a programmer error, not user-input) behind a generic empty-object fallback. The downstream `validateNotificationData` then failed with a far less specific error. Let the throw propagate — `toConnectError` maps it to `Code.Internal`, which is the signal we want for "the helper itself misbehaved." **P3 — `createNotification` response approximated the monitor IDs.** Was echoing `Array.from(new Set(req.monitorIds))` on the happy path (correct, since the service validates + throws on invalid) but the approximation diverged from `updateNotification`'s re-fetch pattern. Now re-fetches via `getNotification` after create so the response reflects what's actually in the DB — one extra IN query per create, eliminates the approximation entirely, makes both handlers structurally identical. **P3 — `sendTestNotification` bypassed `toConnectError`.** Only handler in the impl without a `try { … } catch { toConnectError }` wrap, so any thrown `ServiceError` / `ZodError` from `test-providers.ts` fell through to the interceptor's generic catch and surfaced with a less precise gRPC status. Wrapped for symmetry. **P3 — `JSON.parse(existing.data)` null-unsafe.** Drizzle infers `notification.data` as `string | null` (the column has `default("{}")` but no `.notNull()`). A legacy row with `NULL` in the column would crash `updateNotification` with `SyntaxError` during the partial-update read-modify-write. Added `?? "{}"` fallback and a comment pointing at the schema. Cubic's single finding from the earlier pass (dedupe of `req.monitorIds` in the create response) was already applied in `b69ad13` and has now been superseded by the re-fetch above. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2108 Five findings from Cubic's second review cycle on this PR, all on files that entered this branch via the #2109 (status-page) and #2111 (import) squash-merges stacked on top. Fixing here so the cumulative state reaching main is clean. **P1 — `page/create.ts` double-encoded JSON configuration.** `page.configuration` is a drizzle `text("…", { mode: "json" })` column — drizzle serialises objects automatically. Calling `JSON.stringify(configuration)` first stored a raw JSON string in the column, breaking any downstream read that expects an object (e.g. the appearance merge at `update.ts:185`). Dropped the wrap; drizzle handles it. **P2 — `page/schemas.ts` slug + customDomain validation weaker than insert schema.** `NewPageInput.slug`, `GetSlugAvailableInput.slug`, and `UpdatePageGeneralInput.slug` were `z.string().toLowerCase()` — no regex, no min-length. `UpdatePageCustomDomainInput.customDomain` was `z.string().toLowerCase()` — no format check. Meant the service would accept malformed slugs / URLs that `createPage` would then reject via `insertPageSchema`, or — worse — that `getSlugAvailable` would confidently return "available" for garbage. Exported the canonical `slugSchema` + `customDomainSchema` from `@openstatus/db/src/schema/pages/validation` and reused them across all four service inputs; db validation is now the single source of truth for page slug/domain shape. **P2 — `api/router/import.ts` nullish → optional contract narrowing.** The service's `PreviewImportInput`/`RunImportInput` used `.optional()` for the three provider page-id fields, which dropped the `null` acceptance the legacy router had via `.nullish()`. Existing clients sending `null` would have started hitting `Invalid input` errors after the import migration landed. Added a `nullishString` transform in the service schema that accepts `string | null | undefined` and normalises to `string | undefined` before it reaches `buildProviderConfig` — callers keep the broader contract, service internals stay ignorant of `null`. **P2 — `page/update.ts` empty array stored "" not null.** `authEmailDomains?.join(",") ?? null` coerces `null`/`undefined` to `null`, but `[].join(",")` returns `""` (empty string) which `??` treats as a value. Callers sending `authEmailDomains: []` to clear the column were persisting the empty string instead of nulling it — misleading "present but blank" state. Switched to `|| null` on both array-join outputs (`authEmailDomains` + `allowedIpRanges`) so the three clearing inputs — `undefined`, `null`, `[]` — all land on DB `NULL` while real non-empty joins pass through unchanged. Test fixtures already use slugs ≥ 3 chars that match the regex, so the tightened validation doesn't break any existing assertions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services/page-component): address Cubic + Claude review on #2107 Three fixes + one test, addressing both the original Cubic finding and Claude's re-review pass. **P2 — Discriminated union for `componentInput`.** The flat `z.object` with `type: z.enum(["monitor", "static"])` and optional `monitorId` let callers submit a "monitor" component with no monitor id, or a "static" one with a monitor id attached. The DB catches it with a `CHECK` constraint, but that surfaces as an opaque SQLite CHECK failure instead of a clean `ZodError` at the service boundary. Replaced with a `z.discriminatedUnion("type", [...])` that requires `monitorId` on the "monitor" arm and omits it on the "static" arm. Fallout in `update-order.ts`: `c.monitorId` no longer exists on the "static" arm after narrowing, so the spreads now use `monitorId: c.type === "monitor" ? c.monitorId : null`. The defensive `&& c.monitorId` guards on the already-narrowed monitor branches are gone (TypeScript enforces the invariant the DB was catching late). **P2 — Sequential group insert instead of bulk `.returning()`.** The bulk insert relied on drizzle/SQLite returning rows in the same order they were inserted, so `newGroups[i]` could line up with `input.groups[i]` when mapping components to their groups. True on Turso today, but an implicit coupling — any driver change, batch split, or upstream sort could silently reorder rows and land components in the wrong group with no error signal. Switched to a loop that captures each group id before moving on; the set size is bounded by the status-page component-group plan cap so the extra round trips are a rounding error. **Nit — removed dead `hasStaticComponentsInInput` guard.** Both the "input has static components but none carry ids" and "input has no static components at all" branches collapsed to the same "drop all existing static components" action, so the outer `hasStaticComponentsInInput` conditional was doing no work. Dropped the variable and the nested branch. **Test — upsert idempotency.** The `onConflictDoUpdate` on `(pageId, monitorId)` was the riskiest untested path — a regression would silently insert duplicate rows on every re-invocation. Added a test that calls `updatePageComponentOrder` twice on the same page with the same `monitorId`, then asserts there's exactly one matching row and the second call's values won. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(services): address latest Cubic pass on #2107 + unblock build Eight Cubic findings from the second review plus one dashboard build break from my earlier discriminated-union change. **Build — router shape diverged from service discriminated union.** `packages/api/src/router/pageComponent.ts` kept its own flat `z.object({...})` input schema with `type: z.enum(["monitor", "static"])` and `monitorId: z.number().nullish()`. After the service switched to `z.discriminatedUnion("type", [...])`, TS couldn't reconcile the two — dashboard build failed. Replaced the local schema with the service's exported `UpdatePageComponentOrderInput` so both layers share the canonical shape. **P1 — page router: validate customDomain before Vercel call.** The router input was `z.string().toLowerCase()` (no format check) and the service's `customDomainSchema` only fired inside `updatePageCustomDomain`, *after* the Vercel add/remove mutations. A malformed domain could be added to Vercel, then rejected by the service, leaving Vercel/db state drifted. Switched the router input to the service's `UpdatePageCustomDomainInput` so format validation runs at tRPC input parsing, before any Vercel call. **P1 — `listApiKeys` leaked `hashedToken`.** `SELECT *` returned every column including the bcrypt hash of each key's one-time token, which has no business appearing in a list response. Replaced with an explicit column select that omits `hashedToken`. New `PublicApiKey` type (`Omit<ApiKey, "hashedToken">`) is the return shape; exported from the barrel. **P2 — `acceptInvitation` eager workspace load + second fetch.** The initial `findFirst` already loaded the workspace via `with: { workspace: true }`, but the return value re-fetched it by id. Use the joined value directly — one round-trip instead of two, and eliminates the read-skew window where a just-renamed workspace could appear with a different name in each fetch. **P2 — `import.run` audit entityId 0.** `entityId: targetPageId ?? 0` wrote a ghost `page 0` reference to the audit trail when the page phase failed before producing an id. Entity attribution now falls back to the workspace (`entityType: "workspace"`, `entityId: ctx.workspace.id`) when no target page is in play — real rollback signal, no phantom foreign key. **P2 — `page-components` limit scoped per-page, not workspace.** `page-components` is a workspace-wide cap (see `page-component/update-order.ts` — counts every component across every page). The import preview and run's component check were scoping the existing count to `targetPageId`, which understated pressure and would let imports push past the cap at write time. Both sites now count workspace-wide. **P2 — `writeIncidentsPhase` lacked idempotency.** Every other phase writer checks for an existing row before inserting (page by slug, monitor by url, component by name, subscriber by email); `writeIncidentsPhase` inserted unconditionally. A re-run would duplicate status reports on every pass. Added an existence check by `(title, pageId, workspaceId)` matching the convention. **P2 — `writeMaintenancesPhase` lacked idempotency.** Same pattern. Added a check by `(title, pageId, from, to, workspaceId)` — the `from/to` pair is load-bearing because maintenance titles recur ("DB upgrade") across unrelated windows. **P2 — `writeComponentsPhase` silent monitor→static fallback…

vercel Bot had a problem deploying to Preview – openstatus-status-page April 23, 2026 08:58 Failure

vercel Bot had a problem deploying to Preview – openstatus-web April 23, 2026 08:59 Failure

vercel Bot had a problem deploying to Preview – openstatus-dashboard April 23, 2026 09:00 Failure

cubic-dev-ai Bot reviewed Apr 23, 2026

View reviewed changes

Comment thread packages/services/src/monitor/schemas.ts Outdated

Comment thread packages/services/src/monitor/internal.ts

Comment thread packages/services/src/monitor/clone.ts

Comment thread packages/services/src/monitor/delete.ts

Comment thread packages/services/src/monitor/list.ts Outdated

vercel Bot deployed to Preview – openstatus-status-page April 23, 2026 09:10 View deployment

vercel Bot deployed to Preview – openstatus-dashboard April 23, 2026 09:11 View deployment

vercel Bot deployed to Preview – openstatus-web April 23, 2026 09:14 View deployment

vercel Bot deployed to Preview – openstatus-dashboard April 23, 2026 09:22 View deployment

vercel Bot deployed to Preview – openstatus-status-page April 23, 2026 09:24 View deployment

vercel Bot deployed to Preview – openstatus-web April 23, 2026 09:27 View deployment

vercel Bot deployed to Preview – openstatus-status-page April 24, 2026 09:06 View deployment

vercel Bot deployed to Preview – openstatus-web April 24, 2026 09:11 View deployment

vercel Bot deployed to Preview – openstatus-dashboard April 24, 2026 09:14 View deployment

vercel Bot deployed to Preview – openstatus-status-page April 24, 2026 09:16 View deployment

mxkaske merged commit 74f43b1 into feat/services-incident Apr 24, 2026
3 of 6 checks passed

mxkaske deleted the feat/services-monitor branch April 24, 2026 09:28

vercel Bot deployed to Preview – openstatus-dashboard April 24, 2026 09:29 View deployment

vercel Bot deployed to Preview – openstatus-web April 24, 2026 09:32 View deployment

vercel Bot deployed to Preview – openstatus-status-page April 24, 2026 09:34 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(services): migrate monitor domain tRPC (PR 4/N)#2105

feat(services): migrate monitor domain tRPC (PR 4/N)#2105
mxkaske merged 6 commits intofeat/services-incidentfrom
feat/services-monitor

mxkaske commented Apr 23, 2026

Uh oh!

vercel Bot commented Apr 23, 2026 •

edited

Loading

Uh oh!

cubic-dev-ai Bot left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mxkaske commented Apr 23, 2026

Uh oh!

mxkaske commented Apr 23, 2026

Uh oh!

claude Bot commented Apr 23, 2026 •

edited

Loading

Uh oh!

mxkaske commented Apr 24, 2026

Uh oh!

claude Bot commented Apr 24, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

mxkaske commented Apr 23, 2026

Summary

What lands

Services (packages/services/src/monitor/)

Shared internals

list.ts — batched enrichment

Surface — external contract preserved

Deliberately out of scope

Enforcement

Tests

Test plan

Stack

Uh oh!

vercel Bot commented Apr 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mxkaske commented Apr 23, 2026

Review response (Cubic findings)

✅ 1. timeout / degradedAfter bounds (P1)

✅ 2. jsonBody assertions silently dropped (P2)

✅ 3. Clone inherits stale status (P2)

✅ 4. Single delete re-runs side effects on soft-deleted rows (P2)

✅ 5. List/get enrichment missing workspace scope (P2)

Uh oh!

mxkaske commented Apr 23, 2026

Uh oh!

claude Bot commented Apr 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review

Issues

Nit — listMonitors ordering is implicit

Positives

Uh oh!

mxkaske commented Apr 24, 2026

Uh oh!

claude Bot commented Apr 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review

Verified fixes

New observations

Positives

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Services (`packages/services/src/monitor/`)

vercel Bot commented Apr 23, 2026 •

edited

Loading

✅ 1. `timeout` / `degradedAfter` bounds (P1)

✅ 2. `jsonBody` assertions silently dropped (P2)

✅ 3. Clone inherits stale `status` (P2)

✅ 4. Single `delete` re-runs side effects on soft-deleted rows (P2)

claude Bot commented Apr 23, 2026 •

edited

Loading

Nit — `listMonitors` ordering is implicit

claude Bot commented Apr 24, 2026 •

edited

Loading