feat(webapp): management API for orgs, projects, members, and settings #4146

Draft: nicktrn wants to merge 6 commits into main from feat/local-management-api-tri-11579

nicktrn (Collaborator) commented Jul 3, 2026

Draft for review/discussion. Opening early to get feedback on scope, shape, and the auth model before polishing.

Summary

Adds a set of PAT-authenticated management API endpoints so orgs, projects, members/invites, environment variables, and a few project/environment settings can be managed programmatically (scripting, automation) rather than only through the dashboard. Each route is a thin wrapper over the existing service the dashboard already uses, with the same authorization applied at the route layer - no new business logic.

Endpoints

Organizations

  • POST /api/v1/orgs - create an org (createOrganization)
  • PATCH /api/v1/orgs/:orgParam - rename (title)
  • DELETE /api/v1/orgs/:orgParam - soft-delete (DeleteOrganizationService; keeps the active-subscription guard)

Members & invites

  • GET /api/v1/orgs/:orgParam/members - list members + pending invites
  • DELETE /api/v1/orgs/:orgParam/members/:memberId - remove a member (last-member guarded)
  • POST /api/v1/orgs/:orgParam/invites - invite by email (inviteMembers, sends the invite email)
  • DELETE /api/v1/orgs/:orgParam/invites/:inviteId - revoke an invite

Projects

  • PATCH /api/v1/projects/:projectRef - rename (ProjectSettingsService)
  • DELETE /api/v1/projects/:projectRef - soft-delete (DeleteProjectService)
  • PUT /api/v1/projects/:projectRef/default-region - set the default region by worker-group name (SetDefaultRegionService)
  • project GET/list now return defaultRegion (worker-group name, or null when unset)

Environments

  • POST /api/v1/projects/:projectRef/:env/pause and /resume (PauseEnvironmentService)
  • POST /api/v1/projects/:projectRef/:env/regenerate-api-key - rotate the env secret key (regenerateApiKey, RBAC write:apiKeys)
  • env var create now accepts an optional isSecret flag

Auth & authorization

  • All routes authenticate with a Personal Access Token (Authorization: Bearer tr_pat_...), following the existing api.v1.orgs.ts pattern.
  • Org-scoped routes re-apply the dashboard's RBAC gates via a small shared helper (organizationApiAccess.server.ts): membership resolution as the floor, plus read:members / manage:members ability checks. Env-tier routes reuse the existing authorizePatEnvironmentAccess.

Notes for reviewers

  • Everything wraps an existing service; the intent is API parity for things that are currently dashboard-only, not new behaviour.
  • @trigger.dev/core gets one additive field (defaultRegion on the project response) - changeset included, patch.
  • Open questions I'd like input on: is PAT the right auth for all of these (vs OAT for automation)? Should any of these be gated behind a flag or scope? Naming/shape of the routes.
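
The gate order described under "Auth & authorization" above (PAT authentication, membership resolution as the floor, then a read:members / manage:members ability check, with the last-member guard on removal), as an added TypeScript sketch that is not part of the PR or the trigger.dev code base. The function names, role names, in-memory stores and the choice of 404 for non-members are assumptions made for illustration.

```typescript
// Added illustration. Every name here (authorizeOrgRequest, ROLE_ABILITIES, the
// in-memory stores, the role names) is hypothetical, not trigger.dev code.

type Ability = "read:members" | "manage:members";
type Role = "admin" | "member";
type ApiResponse = { status: number; body: Record<string, unknown> };
type Access =
  | { outcome: "granted"; userId: string; orgId: string }
  | { outcome: "denied"; response: ApiResponse };

const ROLE_ABILITIES: Record<Role, readonly Ability[]> = {
  admin: ["read:members", "manage:members"],
  member: ["read:members"],
};

// Constructed sample data standing in for the token, org and membership tables.
const TOKENS = new Map<string, string>([
  ["tr_pat_alice_example", "user_alice"],
  ["tr_pat_bob_example", "user_bob"],
  ["tr_pat_carol_example", "user_carol"], // valid token, but not a member of any org
]);
const ORG_IDS_BY_SLUG = new Map<string, string>([["acme", "org_1"]]);
const MEMBERSHIPS: { orgId: string; userId: string; role: Role }[] = [
  { orgId: "org_1", userId: "user_alice", role: "admin" },
  { orgId: "org_1", userId: "user_bob", role: "member" },
];

function deny(status: number, error: string): Access {
  return { outcome: "denied", response: { status, body: { error } } };
}

// Step 1: authenticate. Only "Authorization: Bearer tr_pat_..." is accepted.
function userIdFromAuthorization(header: string | undefined): string | undefined {
  const token = /^Bearer (tr_pat_[A-Za-z0-9_]+)$/.exec(header ?? "")?.[1];
  return token ? TOKENS.get(token) : undefined;
}

// Steps 2 and 3: membership is the floor, the ability check sits on top of it.
function authorizeOrgRequest(
  authorization: string | undefined,
  orgSlug: string,
  required: Ability
): Access {
  const userId = userIdFromAuthorization(authorization);
  if (!userId) return deny(401, "Invalid or Missing Access Token");

  const orgId = ORG_IDS_BY_SLUG.get(orgSlug);
  const membership = MEMBERSHIPS.find((m) => m.orgId === orgId && m.userId === userId);
  // Assumption: a non-member gets the same 404 as an unknown slug, so the
  // response does not reveal which org slugs exist.
  if (!orgId || !membership) return deny(404, "Organization not found");

  if (!ROLE_ABILITIES[membership.role].includes(required)) {
    return deny(403, "Missing ability: " + required);
  }
  return { outcome: "granted", userId, orgId };
}

// GET-style handler: any member holding read:members may list.
function listMembers(authorization: string | undefined, orgSlug: string): ApiResponse {
  const access = authorizeOrgRequest(authorization, orgSlug, "read:members");
  if (access.outcome === "denied") return access.response;
  const members = MEMBERSHIPS.filter((m) => m.orgId === access.orgId);
  return {
    status: 200,
    body: { members: members.map((m) => ({ userId: m.userId, role: m.role })) },
  };
}

// DELETE-style handler: requires manage:members and keeps the last-member guard.
function removeMember(
  authorization: string | undefined,
  orgSlug: string,
  targetUserId: string
): ApiResponse {
  const access = authorizeOrgRequest(authorization, orgSlug, "manage:members");
  if (access.outcome === "denied") return access.response;

  const index = MEMBERSHIPS.findIndex(
    (m) => m.orgId === access.orgId && m.userId === targetUserId
  );
  if (index === -1) return { status: 404, body: { error: "Member not found" } };

  const remaining = MEMBERSHIPS.filter((m) => m.orgId === access.orgId).length;
  if (remaining <= 1) {
    return { status: 400, body: { error: "Cannot remove the last member" } };
  }
  MEMBERSHIPS.splice(index, 1);
  return { status: 200, body: { removed: targetUserId } };
}

// Read-only demo call: a plain member can list but holds no manage:members ability.
console.log(listMembers("Bearer tr_pat_bob_example", "acme").status);
```

Because every handler goes through one authorization function, a test matrix of token, org and ability can be run against that function alone instead of against each route.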

changeset-bot (Bot) commented Jul 3, 2026

🦋 Changeset detected

Latest commit: 9573c59

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 28 packages
Name Type
@trigger.dev/core Patch
@trigger.dev/build Patch
trigger.dev Patch
@trigger.dev/plugins Patch
@trigger.dev/python Patch
@trigger.dev/redis-worker Patch
@trigger.dev/schema-to-json Patch
@trigger.dev/sdk Patch
@internal/cache Patch
@internal/clickhouse Patch
@internal/llm-model-catalog Patch
@trigger.dev/rbac Patch
@internal/redis Patch
@internal/replication Patch
@internal/run-engine Patch
@internal/run-store Patch
@internal/schedule-engine Patch
@trigger.dev/sso Patch
@internal/testcontainers Patch
@internal/tracing Patch
@internal/tsql Patch
@internal/zod-worker Patch
@internal/dashboard-agent Patch
@internal/sdk-compat-tests Patch
@trigger.dev/react-hooks Patch
@trigger.dev/rsc Patch
@trigger.dev/database Patch
@trigger.dev/otlp-importer Patch


nicktrn changed the title from "feat(webapp): PAT-authenticated management API for orgs, projects, members, and settings" to "feat(webapp): management API for orgs, projects, members, and settings" on Jul 3, 2026

coderabbitai (Bot, Contributor) commented Jul 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 2b6af288-9077-4832-88dd-2ff3f006ef98

📥 Commits

Reviewing files that changed from the base of the PR and between 08999ec and 9573c59.

📒 Files selected for processing (5)
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
🚧 Files skipped from review as they are similar to previous changes (5)
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout. (18)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (8, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (4, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (9, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (7, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (11, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (12, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (10, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (2, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (3, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (5, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (6, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (1, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 10)
  • GitHub Check: e2e / 🧪 CLI v3 tests (blacksmith-4vcpu-windows-2025 - pnpm)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: packages / 🧪 Unit Tests: Packages (3, 3)
⚠️ CI failures not shown inline (2)

GitHub Actions: 🛡️ E2E Tests: Webapp Auth (full) / 🛡️ E2E Auth Tests (full): feat(webapp): management API for orgs, projects, members, and settings

Conclusion: failure


GitHub Actions: 🛡️ E2E Tests: Webapp Auth (full) / 0_🛡️ E2E Auth Tests (full).txt: feat(webapp): management API for orgs, projects, members, and settings

Conclusion: failure


Walkthrough

This pull request adds new Remix API v1 route handlers for organization management and project environment operations. It also introduces shared organization API access helpers, exposes defaultRegion in project API responses, updates the project default-region endpoint, and adds isSecret to environment variable creation. A changeset documents the defaultRegion response change, and the core API schema is updated for defaultRegion and isSecret.

Changes

Cohort: Organization and project API changes

  • apps/webapp/app/services/organizationApiAccess.server.ts: adds organization lookup and PAT authorization helpers.
  • apps/webapp/app/routes/api.v1.orgs.ts, api.v1.orgs.$orgParam.ts, api.v1.orgs.$orgParam.members.ts, api.v1.orgs.$orgParam.members.$memberId.ts, api.v1.orgs.$orgParam.invites.ts, api.v1.orgs.$orgParam.invites.$inviteId.ts: add organization create/delete/rename, member list/remove, invite create, and invite revoke handlers.
  • apps/webapp/app/routes/api.v1.projects.ts, api.v1.projects.$projectRef.ts, api.v1.orgs.$orgParam.projects.ts: expose defaultRegion in project responses.
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts: adds the default-region update route.
  • packages/core/src/v3/schemas/api.ts: updates API schemas for defaultRegion and isSecret.
  • .changeset/project-default-region-response.md: adds release note entry.
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts, api.v1.projects.$projectRef.$env.resume.ts, api.v1.projects.$projectRef.$env.regenerate-api-key.ts, api.v1.projects.$projectRef.envvars.$slug.ts: add environment state and API key actions, and persist isSecret.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant DefaultRegionAction
  participant RegionsPresenter
  participant SetDefaultRegionService
  Client->>DefaultRegionAction: PUT region
  DefaultRegionAction->>RegionsPresenter: resolve available regions
  RegionsPresenter-->>DefaultRegionAction: region list
  DefaultRegionAction->>SetDefaultRegionService: set(projectId, regionId)
  SetDefaultRegionService-->>DefaultRegionAction: id and name
  DefaultRegionAction-->>Client: id and name

Estimated code review effort: 4 (High)
Related issues: None specified.
Related PRs: None specified.
Suggested labels: api, webapp, core
Suggested reviewers: matt-aitken, ericallam

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description gives a strong summary, but it omits required template sections like Closes #issue, checklist, Testing, Changelog, and Screenshots. Add the missing template sections: Closes #issue, checklist items, testing steps, changelog, and screenshots placeholders.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: a new PAT-based management API for orgs, projects, members, and settings.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts (1)

1-74: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Extract shared logic across pause/resume/regenerate-api-key routes.

ParamsSchema, the auth flow (lines 18-60), and the authorization gate are duplicated verbatim across all three route files. Consolidating into a shared helper (e.g., resolveEnvironmentForApiAction(request, params) returning { environment } | Response) would reduce drift risk as these routes evolve.

♻️ Sketch of shared helper
+// ~/services/environmentApiRoute.server.ts
+export async function resolveEnvironmentForWriteAction(
+  request: Request,
+  params: unknown
+): Promise<{ environment: AuthenticatedEnvironment } | Response> {
+  const parsedParams = ParamsSchema.safeParse(params);
+  if (!parsedParams.success) {
+    return json({ error: "Invalid Params" }, { status: 400 });
+  }
+  const { projectRef, env } = parsedParams.data;
+
+  const authenticationResult = await authenticateRequest(request, {
+    personalAccessToken: true,
+    organizationAccessToken: false,
+    apiKey: false,
+  });
+  if (!authenticationResult) {
+    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+  }
+
+  const environment = await authenticatedEnvironmentForAuthentication(
+    authenticationResult,
+    projectRef,
+    env,
+    branchNameFromRequest(request)
+  );
+
+  const denied = await authorizePatEnvironmentAccess({
+    request,
+    authType: authenticationResult.type,
+    organizationId: environment.organizationId,
+    projectId: environment.project.id,
+    envType: environment.type,
+    resource: "apiKeys",
+    action: "write",
+  });
+  if (denied) return denied;
+
+  return { environment };
+}
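
Review bot: In the authorizePatEnvironmentAccess call, resource: "apiKeys" and action: "write" are hard-coded, so every route that adopts this helper is gated on the API-key write ability, while the PR description attaches write:apiKeys only to regenerate-api-key. Take resource and action as parameters so pause and resume can state their own gate explicitly. Also, environment.organizationId is read with no guard on the result of authenticatedEnvironmentForAuthentication; if that call can return a nullish value, add a check before the authorization call. ParamsSchema is used but neither defined nor imported in the sketch, and the comment above names the helper resolveEnvironmentForApiAction while the sketch declares resolveEnvironmentForWriteAction.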

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: f4d3e251-f0cd-483a-bd52-87f2088be62e

📥 Commits

Reviewing files that changed from the base of the PR and between 86235e5 and 08999ec.

📒 Files selected for processing (17)
  • .changeset/project-default-region-response.md
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • packages/core/src/v3/schemas/api.ts
📜 Review details
⏰ Context from checks skipped due to timeout. (29)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (7, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (1, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (5, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (10, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (11, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (12, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 10)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (8, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (4, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (2, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (9, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (3, 12)
  • GitHub Check: internal / 🧪 Unit Tests: Internal (6, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (9, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 10)
  • GitHub Check: e2e / 🧪 CLI v3 tests (blacksmith-4vcpu-windows-2025 - npm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (blacksmith-4vcpu-windows-2025 - pnpm)
  • GitHub Check: packages / 🧪 Unit Tests: Packages (3, 3)
  • GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
  • GitHub Check: packages / 🧪 Unit Tests: Packages (1, 3)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: packages / 🧪 Unit Tests: Packages (2, 3)
⚠️ CI failures not shown inline (2)

GitHub Actions: 🛡️ E2E Tests: Webapp Auth (full) / 0_🛡️ E2E Auth Tests (full).txt: feat(webapp): management API for orgs, projects, members, and settings

Conclusion: failure


GitHub Actions: 🛡️ E2E Tests: Webapp Auth (full) / 🛡️ E2E Auth Tests (full): feat(webapp): management API for orgs, projects, members, and settings

Conclusion: failure

🧰 Additional context used
📓 Path-based instructions (10)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{ts,tsx}: Use types over interfaces for TypeScript
Avoid using enums; prefer string unions or const objects instead

Files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
{packages/core,apps/webapp}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use zod for validation in packages/core and apps/webapp

Files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use function declarations instead of default exports

Files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/otel-metrics.mdc)

**/*.ts: When creating or editing OTEL metrics (counters, histograms, gauges), ensure metric attributes have low cardinality by using only enums, booleans, bounded error codes, or bounded shard IDs
Do not use high-cardinality attributes in OTEL metrics such as UUIDs/IDs (envId, userId, runId, projectId, organizationId), unbounded integers (itemCount, batchSize, retryCount), timestamps (createdAt, startTime), or free-form strings (errorMessage, taskName, queueName)
When exporting OTEL metrics via OTLP to Prometheus, be aware that the exporter automatically adds unit suffixes to metric names (e.g., 'my_duration_ms' becomes 'my_duration_ms_milliseconds', 'my_counter' becomes 'my_counter_total'). Account for these transformations when writing Grafana dashboards or Prometheus queries

Files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
apps/webapp/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/webapp.mdc)

apps/webapp/**/*.{ts,tsx}: Access environment variables through the env export of env.server.ts instead of directly accessing process.env
Use subpath exports from @trigger.dev/core package instead of importing from the root @trigger.dev/core path

Use named constants for sentinel/placeholder values (e.g. const UNSET_VALUE = '__unset__') instead of raw string literals scattered across comparisons

Files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
**/*.{ts,tsx,js,jsx,mts,cts,mjs,cjs}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx,js,jsx,mts,cts,mjs,cjs}: Use pnpm run typecheck for changes in apps (apps/*) and internal packages (internal-packages/*), and never use build to verify those changes.
Use Vitest for tests, and never mock anything; use testcontainers instead.
Prefer static imports over dynamic import(), and only use dynamic imports for unresolved circular dependencies, genuine code-splitting needs, or conditional runtime loading.

Files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
**/*.{ts,tsx,js,jsx,mts,cts,mjs,cjs,md,mdx}

📄 CodeRabbit inference engine (CLAUDE.md)

Always import from @trigger.dev/sdk when writing Trigger.dev tasks; never use @trigger.dev/sdk/v3 or deprecated client.defineJob.

Files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
apps/webapp/**/*.server.ts

📄 CodeRabbit inference engine (apps/webapp/CLAUDE.md)

apps/webapp/**/*.server.ts: Never use request.signal for detecting client disconnects. Use getRequestAbortSignal() from app/services/httpAsyncStorage.server.ts instead, which is wired directly to Express res.on('close') and fires reliably
Access environment variables via env export from app/env.server.ts. Never use process.env directly
Always use findFirst instead of findUnique in Prisma queries. findUnique has an implicit DataLoader that batches concurrent calls and has active bugs even in Prisma 6.x (uppercase UUIDs returning null, composite key SQL correctness issues, 5-10x worse performance). findFirst is never batched and avoids this entire class of issues

Files:

  • apps/webapp/app/services/organizationApiAccess.server.ts
packages/core/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (packages/core/CLAUDE.md)

Never import the root package (@trigger.dev/core). Always use subpath imports such as @trigger.dev/core/v3, @trigger.dev/core/v3/utils, @trigger.dev/core/logger, or @trigger.dev/core/schemas

Files:

  • packages/core/src/v3/schemas/api.ts
packages/**/*.{ts,tsx,js,jsx,mts,cts,mjs,cjs}

📄 CodeRabbit inference engine (CLAUDE.md)

Use pnpm run build to verify changes in public packages (packages/*).

Files:

  • packages/core/src/v3/schemas/api.ts
🧠 Learnings (13)
📚 Learning: 2026-03-22T13:26:12.060Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3244
File: apps/webapp/app/components/code/TextEditor.tsx:81-86
Timestamp: 2026-03-22T13:26:12.060Z
Learning: In the triggerdotdev/trigger.dev codebase, do not flag `navigator.clipboard.writeText(...)` calls for `missing-await`/`unhandled-promise` issues. These clipboard writes are intentionally invoked without `await` and without `catch` handlers across the project; keep that behavior consistent when reviewing TypeScript/TSX files (e.g., usages like in `apps/webapp/app/components/code/TextEditor.tsx`).

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
📚 Learning: 2026-03-22T19:24:14.403Z
Learnt from: matt-aitken
Repo: triggerdotdev/trigger.dev PR: 3187
File: apps/webapp/app/v3/services/alerts/deliverErrorGroupAlert.server.ts:200-204
Timestamp: 2026-03-22T19:24:14.403Z
Learning: In the triggerdotdev/trigger.dev codebase, webhook URLs are not expected to contain embedded credentials/secrets (e.g., fields like `ProjectAlertWebhookProperties` should only hold credential-free webhook endpoints). During code review, if you see logging or inclusion of raw webhook URLs in error messages, do not automatically treat it as a credential-leak/secrets-in-logs issue by default—first verify the URL does not contain embedded credentials (for example, no username/password in the URL, no obvious secret/token query params or fragments). If the URL is credential-free per this project’s conventions, allow the logging.

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
📚 Learning: 2026-05-18T08:21:27.694Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3632
File: apps/webapp/sentry.server.ts:4-21
Timestamp: 2026-05-18T08:21:27.694Z
Learning: When handling Prisma error P1001 ("Can't reach database server") in TypeScript, don’t assume a single error shape. Prisma can surface P1001 via two different error classes/fields: `PrismaClientKnownRequestError` exposes it as `err.code === "P1001"` (common during mid-query connection drops), while `PrismaClientInitializationError` exposes it as `err.errorCode === "P1001"` (common on client startup failure). Therefore, predicates should use `err.code === "P1001" || err.errorCode === "P1001"`. Do not flag `err.code === "P1001"` as “unreachable/never matches,” as it is expected in production.

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
📚 Learning: 2026-05-18T08:21:27.694Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3632
File: apps/webapp/sentry.server.ts:4-21
Timestamp: 2026-05-18T08:21:27.694Z
Learning: When handling Prisma errors for P1001 ("Can't reach database server"), do not assume it only appears under a single property name. Prisma may surface P1001 via either `PrismaClientKnownRequestError` (`err.code === "P1001"`, e.g., mid-query connection drops) or `PrismaClientInitializationError` (`err.errorCode === "P1001"`, e.g., client startup connection failure). To reliably detect the condition, check `err.code === "P1001" || err.errorCode === "P1001"`, and avoid review rules that would incorrectly flag `err.code === "P1001"` as unreachable/never-matching.

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
📚 Learning: 2026-06-13T19:53:13.759Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3937
File: packages/trigger-sdk/skills/realtime-and-frontend/SKILL.md:258-260
Timestamp: 2026-06-13T19:53:13.759Z
Learning: When reviewing code that uses `trigger.dev/react-hooks`’s `useRealtimeRun`, preserve the call signature where the first argument is the full realtime handle object (not `handle.id`). This is intentional to maintain type-safety and is consistent with the official docs; do not suggest changing the first argument from the handle object to `handle.id`.

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
📚 Learning: 2026-06-17T17:13:49.929Z
Learnt from: matt-aitken
Repo: triggerdotdev/trigger.dev PR: 3948
File: apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.bulk-actions.$bulkActionParam/route.tsx:48-62
Timestamp: 2026-06-17T17:13:49.929Z
Learning: In triggerdotdev/trigger.dev, within `dashboardLoader`/`dashboardAction` (or similar context resolver code) whenever you resolve an organization ID from an organization slug for RBAC/enterprise authorization scope, always read from the primary Prisma client (`prisma`), not `$replica`. Using `$replica` can hit replica-lag and cause the RBAC lookup/authorization to run without the correct org scope (bypassing intended role enforcement). Implement the slug→org lookup with `prisma.organization.findFirst(...)` (or equivalent primary-client query) and add an inline comment documenting why the primary client is required (replica lag could lead to unscoped RBAC checks).

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
📚 Learning: 2026-06-23T13:04:21.413Z
Learnt from: carderne
Repo: triggerdotdev/trigger.dev PR: 4023
File: apps/webapp/app/services/upsertBranch.server.ts:14-18
Timestamp: 2026-06-23T13:04:21.413Z
Learning: In TypeScript, it’s valid to `import { type X }` and then use `typeof X` in a type-only position, e.g. `type Alias = z.infer<typeof X>`. The `type` modifier suppresses the runtime import, but the type checker still has the full exported type so `z.infer<typeof X>` can resolve correctly. In code reviews, don’t flag this as a TypeScript compile error as long as `typeof X` is used in a type context (e.g., with `z.infer`, `type` aliases, generics), not as a runtime value.

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
📚 Learning: 2026-05-12T21:04:05.815Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3542
File: apps/webapp/app/components/sessions/v1/SessionStatus.tsx:1-3
Timestamp: 2026-05-12T21:04:05.815Z
Learning: In this Remix + TypeScript codebase, do not flag a server/client boundary violation when a file imports only types from a module matching `*.server`.

Specifically, it’s safe to import types using `import type { Foo } from "*.server"` or `import { type Foo } from "*.server"` because TypeScript erases type-only imports at compile time and they emit no JavaScript, so they won’t cross the Remix server/client bundle boundary.

Only raise the boundary concern for value imports (e.g., `import { Foo }` without `type`, or `import Foo`), since those produce JavaScript output.

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
📚 Learning: 2026-06-25T18:21:51.905Z
Learnt from: carderne
Repo: triggerdotdev/trigger.dev PR: 4039
File: apps/webapp/app/routes/invite-revoke.tsx:0-0
Timestamp: 2026-06-25T18:21:51.905Z
Learning: During the Zod v4 migration in the triggerdotdev/trigger.dev webapp, ensure any imports from `conform-to/zod` use the Zod-4 subpath: `conform-to/zod/v4` (e.g., `import { parseWithZod } from "conform-to/zod/v4"`). Do not import from the package root `conform-to/zod`, because it is the Zod 3 implementation and may load Zod-3-only symbols (e.g., `ZodBranded`, `ZodEffects`), which can throw at module load (notably with `zod4.4.3`). This should be enforced across `apps/webapp/**/*` where helpers like `parseWithZod` and `conformZodMessage` are used.

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
📚 Learning: 2026-06-04T18:16:35.386Z
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 3836
File: apps/supervisor/src/backpressure/backpressureMonitor.ts:3-5
Timestamp: 2026-06-04T18:16:35.386Z
Learning: When reviewing TypeScript in this repo, apply the rule “prefer type aliases over interfaces” only to data/object shapes and union/intersection type modeling. If an interface is being used as a behavioral contract for collaborators to implement (e.g., method-shape interfaces that define required behavior, such as `BackpressureLogger` / `BackpressureSignalSource` in `apps/supervisor/src/backpressure/backpressureMonitor.ts`), keep it as an `interface` and do not flag it as a type-alias-vs-interface violation.

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
📚 Learning: 2026-06-09T17:58:04.699Z
Learnt from: 0ski
Repo: triggerdotdev/trigger.dev PR: 3879
File: apps/webapp/app/models/vercelIntegration.server.ts:619-630
Timestamp: 2026-06-09T17:58:04.699Z
Learning: In this codebase, outbound raw `fetch` calls should typically rely on Node/undici’s default request timeout (about ~300s) rather than adding a per-call `AbortController` + `setTimeout` wrapper inside individual functions (e.g. in files like `apps/webapp/app/models/vercelIntegration.server.ts`). During code review, do not flag the absence of a per-call timeout on a single `fetch` as an issue; if per-call timeouts are needed, they should be implemented via a codebase-wide convention (e.g., a shared fetch wrapper or documented pattern) rather than ad-hoc per-function changes.

Applied to files:

  • apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts
  • apps/webapp/app/services/organizationApiAccess.server.ts
  • apps/webapp/app/routes/api.v1.orgs.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts
  • apps/webapp/app/routes/api.v1.projects.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts
  • apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts
  • apps/webapp/app/routes/api.v1.projects.$projectRef.ts
  • packages/core/src/v3/schemas/api.ts
📚 Learning: 2026-03-26T09:02:07.973Z
Learnt from: myftija
Repo: triggerdotdev/trigger.dev PR: 3274
File: apps/webapp/app/services/runsReplicationService.server.ts:922-924
Timestamp: 2026-03-26T09:02:07.973Z
Learning: When parsing Trigger.dev task run annotations in server-side services, keep `TaskRun.annotations` strictly conforming to the `RunAnnotations` schema from `trigger.dev/core/v3`. If the code already uses `RunAnnotations.safeParse` (e.g., in a `#parseAnnotations` helper), treat that as intentional/necessary for atomic, schema-accurate annotation handling. Do not recommend relaxing the annotation payload schema or using a permissive “passthrough” parse path, since the annotations are expected to be written atomically in one operation and should not contain partial/legacy payloads that would require a looser parser.

Applied to files:

  • apps/webapp/app/services/organizationApiAccess.server.ts
📚 Learning: 2026-05-05T09:38:02.512Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3523
File: apps/webapp/app/routes/api.v3.batches.ts:178-181
Timestamp: 2026-05-05T09:38:02.512Z
Learning: When reviewing code that catches `ServiceValidationError` in `*.server.ts` files, do not blindly forward `error.status` to HTTP responses, because SVEs may be thrown with non-default statuses (e.g., 400/500) and forwarding them can cause client-visible behavioral regressions (e.g., surfacing 500s to clients). Prefer a safe default response status of `error.status ?? 422`, but only after confirming via the reachable call graph that the caught `ServiceValidationError` instances are expected to carry those non-default statuses; otherwise, normalize to `422` to avoid unexpected client-visible 5xx behavior.

Applied to files:

  • apps/webapp/app/services/organizationApiAccess.server.ts
🔇 Additional comments (26)
apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.ts (1)

65-65: LGTM!

apps/webapp/app/services/organizationApiAccess.server.ts (1)

18-78: LGTM!

apps/webapp/app/routes/api.v1.orgs.$orgParam.members.ts (1)

16-83: LGTM!

apps/webapp/app/routes/api.v1.orgs.$orgParam.members.$memberId.ts (1)

18-86: LGTM!

apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.ts (1)

23-99: LGTM!

apps/webapp/app/routes/api.v1.orgs.$orgParam.invites.$inviteId.ts (1)

17-69: LGTM!

apps/webapp/app/routes/api.v1.orgs.$orgParam.ts (1)

37-65: 🎯 Functional Correctness

Delete/rename are membership-scoped. Both the API route and the dashboard settings action gate these on org membership, not an admin/owner role.

apps/webapp/app/routes/api.v1.projects.$projectRef.$env.resume.ts (3)

49-59: 🔒 Security & Privacy

Same RBAC resource concern as pause.ts.

This route reuses the identical apiKeys/write gate for resuming an environment; see the corresponding comment on apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts (Lines 49-59).


62-62: 🔒 Security & Privacy

Same missing actor/userId concern as pause.ts.

See the corresponding comment on apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts (Line 62) about PauseEnvironmentService.call lacking actor attribution.


1-74: 📐 Maintainability & Code Quality

Duplicate of pause.ts logic.

See the DRY-extraction comment on apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts (Lines 1-74).

apps/webapp/app/routes/api.v1.projects.$projectRef.$env.regenerate-api-key.ts (2)

49-59: 🔒 Security & Privacy

Same RBAC resource concern noted for pause/resume.

Here apiKeys/write is semantically correct for rotating a key. See the sibling comment on pause.ts about the same gate being reused for a differently-scoped action (pause/resume).


1-73: 📐 Maintainability & Code Quality

Duplicate scaffolding vs. pause/resume routes.

See the DRY-extraction comment on apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts (Lines 1-74); userId is correctly passed here to regenerateApiKey, unlike the pause/resume routes.

apps/webapp/app/routes/api.v1.projects.$projectRef.$env.pause.ts (3)

18-27: LGTM!

Also applies to: 31-41, 64-73


62-62: 🔒 Security & Privacy

PauseEnvironmentService.call doesn't take an actor/userId. This route matches the service API, and the same call shape is used in the other pause/resume paths.

> Likely an incorrect or invalid review comment.

49-59: 🔒 Security & Privacy

apiKeys/write is the intended env-tier gate

Pause/resume uses the same apiKeys/write check as the other env-scoped API actions, so this is consistent with the current RBAC model.

> Likely an incorrect or invalid review comment.

apps/webapp/app/routes/api.v1.projects.ts (1)

31-34: LGTM!

Also applies to: 41-54

.changeset/project-default-region-response.md (1)

1-6: LGTM!

apps/webapp/app/routes/api.v1.projects.$projectRef.ts (3)

103-114: 🔒 Security & Privacy

Same membership-only authorization gap as default-region.ts.

DELETE/PATCH here resolve the project via org membership only, without the ability/role check used by authorizePatOrganizationAccess for other org-scoped resources. Same concern flagged in api.v1.projects.$projectRef.default-region.ts (lines 41-55) — worth confirming DeleteProjectService/ProjectSettingsService independently enforce sufficient authorization for these destructive actions.


116-145: 🎯 Functional Correctness

Same malformed-JSON-returns-500 pattern as default-region.ts.

request.json() at line 126 is unguarded inside the outer try/catch, so invalid JSON bodies surface as 500 instead of 400. Same issue and fix flagged in api.v1.projects.$projectRef.default-region.ts.

Also applies to: 126-126


1-9: LGTM!

Also applies to: 15-75, 77-102

apps/webapp/app/routes/api.v1.projects.$projectRef.default-region.ts (3)

1-32: LGTM!

Also applies to: 63-100


41-55: 🔒 Security & Privacy

No issue: the default-region path already enforces region access rules. RegionsPresenter filters the selectable regions, and SetDefaultRegionService rechecks allowed queues / hidden / compute-access rules before updating the project.

> Likely an incorrect or invalid review comment.

3-3: 🎯 Functional Correctness

@trigger.dev/core/utils already exports tryCatch; no change needed.

> Likely an incorrect or invalid review comment.

apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts (1)

44-44: LGTM!

Also applies to: 58-58, 122-139

packages/core/src/v3/schemas/api.ts (2)

30-49: 🗄️ Data Integrity & Integration | ⚡ Quick win

Consider making defaultRegion optional for forward/backward compatibility.

defaultRegion is nullable() but required. Any consumer parsing a response from a webapp instance that hasn't yet been upgraded to populate this field (rolling deploys, version-skewed self-hosted installs) will fail schema validation. Making it .optional().nullable() (or providing a .default(null)) would avoid breaking older/newer version combinations across this API boundary.

💡 Proposed fix
-  defaultRegion: z.string().nullable(),
+  defaultRegion: z.string().nullable().optional(),
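
Review bot: on the `+` line, `.nullable().optional()` widens the parsed type to `string | null | undefined`, so every consumer of this schema has to handle a missing field separately from an unset region (`null`). If callers do not need that distinction, `z.string().nullable().default(null)`, which the comment above also mentions, accepts responses that omit the field and still parses to `string | null`. Whichever form is chosen, the field should carry a short comment saying why it may be absent (version-skewed webapp instances), so the schema is not tightened again later.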

1229-1238: LGTM!

Comment thread apps/webapp/app/routes/api.v1.orgs.ts Outdated
@nicktrn

nicktrn commented Jul 3, 2026

Collaborator Author

Thanks for the review. Addressed the two actionable items: malformed/empty JSON now returns 400 (not 500) across all five new handlers (9573c59).

On the nitpick to extract a shared resolveEnvironmentForWriteAction helper across the pause/resume/regenerate-api-key routes: deferring for now. These three routes' auth is about to change - we're adding role-based (Owner) gating to the management API in a follow-up - so consolidating the auth flow now would just churn. I'll extract the shared helper as part of that RBAC pass, when the final auth shape is settled.
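
The malformed-JSON behaviour discussed in this thread (an unguarded body parse inside the outer try/catch returning 500, versus 400 after the fix), shown as an added TypeScript example that is not code from the PR. The handler names, the rename service stand-in, the body check and the 400 status for a well-formed but wrong-shaped body are assumptions; the handlers take the raw body text as a string so the block runs without a server.

```typescript
// Added example, not code from the PR. All names below are hypothetical.

type ApiResult = { status: number; body: unknown };

// Stand-in for the existing service a route wraps (here: a rename by title).
function renameService(title: string): { title: string } {
  return { title };
}

// Minimal body check standing in for the route's schema validation.
function parseRenameBody(value: unknown): { title: string } | undefined {
  if (typeof value !== "object" || value === null || Array.isArray(value)) {
    return undefined;
  }
  const title = (value as { title?: unknown }).title;
  if (typeof title !== "string" || title.trim() === "") {
    return undefined;
  }
  return { title: title.trim() };
}

// Before: the parse sits inside the outer try/catch, so the SyntaxError thrown
// for an empty or truncated body is reported like a server fault (500).
function handleUnguarded(rawBody: string): ApiResult {
  try {
    const parsed = parseRenameBody(JSON.parse(rawBody));
    if (!parsed) {
      return { status: 400, body: { error: "Invalid request body" } };
    }
    return { status: 200, body: renameService(parsed.title) };
  } catch {
    return { status: 500, body: { error: "Internal Server Error" } };
  }
}

// After: parsing is guarded on its own, so only failures in the service call
// can reach the 500 branch. Client input errors are answered with 400
// (using 400 for the wrong-shape case is an assumption of this example).
function handleGuarded(rawBody: string): ApiResult {
  let json: unknown;
  try {
    json = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: { error: "Invalid JSON" } };
  }

  const parsed = parseRenameBody(json);
  if (!parsed) {
    return { status: 400, body: { error: "Invalid request body" } };
  }

  try {
    return { status: 200, body: renameService(parsed.title) };
  } catch {
    return { status: 500, body: { error: "Internal Server Error" } };
  }
}

// Constructed sample bodies: empty, truncated JSON, valid JSON of the wrong
// shape, and a valid rename request.
const SAMPLE_BODIES: string[] = ["", '{"title":', "null", '{"title":"billing"}'];

// Runs every sample through both handlers and returns the status codes.
function compareStatuses(): { body: string; unguarded: number; guarded: number }[] {
  return SAMPLE_BODIES.map((body) => ({
    body,
    unguarded: handleUnguarded(body).status,
    guarded: handleGuarded(body).status,
  }));
}
```

Keeping client input errors out of the 500 path also keeps them out of server-error alerting, where they would otherwise look like faults in the service.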
