feat(ai): GET /api/ai/chat/active-streams — DB-backed bootstrap endpoint#1163
Conversation
New endpoint queries aiStreamSessions for streaming rows in the last 10 minutes so any client can deterministically bootstrap multiplayer stream state on mount. Adds the @pagespace/db/schema/ai-streams subpath export so the route resolves. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughIntroduces a new API endpoint for retrieving active AI stream sessions with request authentication, channel authorization checks, and database queries for sessions started within the last 10 minutes. Also exports a new database schema entry point. Changes
Sequence DiagramsequenceDiagram
participant Client
participant API as GET /api/ai/chat/active-streams
participant Auth as Authentication
participant AuthZ as Authorization
participant DB as aiStreamSessions
participant Response
Client->>API: Request with channelId query param
API->>Auth: authenticateRequestWithOptions
alt Auth Fails
Auth-->>Response: Return auth error (4xx)
else Auth Success
API->>API: Validate channelId exists
alt Missing channelId
API-->>Response: Return 400 error
else channelId Present
API->>AuthZ: Check authorization
alt user:(.+):global pattern & userId mismatch
AuthZ-->>Response: Return 403 error
else Other channelId or userId match
AuthZ->>AuthZ: canUserViewPage check
alt Access Denied
AuthZ-->>Response: Return 403 error
else Access Granted
API->>DB: Query active streams<br/>(status=streaming, startedAt >= 10min ago)
DB-->>API: Return session rows
API->>Response: Return 200 with streams JSON
end
end
end
end
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 0/1 reviews remaining, refill in 41 minutes and 49 seconds.Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@apps/web/src/app/api/ai/chat/active-streams/route.ts`:
- Around line 39-54: The query building the streams array is nondeterministic
because it lacks an ORDER BY; update the db query that selects from
aiStreamSessions (the streams query in route.ts) to add an explicit orderBy
(e.g., order by aiStreamSessions.startedAt DESC and a stable tie-breaker such as
aiStreamSessions.messageId ASC) so results are returned in a deterministic,
repeatable order for the bootstrap payload.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 8c0a22ee-e911-493e-a40c-30c4042c6b08
📒 Files selected for processing (2)
apps/web/src/app/api/ai/chat/active-streams/route.tspackages/db/package.json
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b1ee428344
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…ic payloads Without ORDER BY, Postgres can return rows in varying order across requests, producing unstable bootstrap payloads. Sort ascending by startedAt with messageId as a stable tiebreaker. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…lures Adds auditRequest calls on the three early-return paths (auth failure, global-channel user mismatch, page view denial) so SIEM can detect probing of the active-streams endpoint. Required by the security-audit-coverage gate; mirrors the pattern in apps/web/src/app/api/ai/abort/route.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…int (#1163) * feat(ai): GET /api/ai/chat/active-streams — DB-backed bootstrap endpoint New endpoint queries aiStreamSessions for streaming rows in the last 10 minutes so any client can deterministically bootstrap multiplayer stream state on mount. Adds the @pagespace/db/schema/ai-streams subpath export so the route resolves. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(ai): order active-streams by startedAt, messageId for deterministic payloads Without ORDER BY, Postgres can return rows in varying order across requests, producing unstable bootstrap payloads. Sort ascending by startedAt with messageId as a stable tiebreaker. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(ai): emit authz.access.denied audit events on auth/permission failures Adds auditRequest calls on the three early-return paths (auth failure, global-channel user mismatch, page view denial) so SIEM can detect probing of the active-streams endpoint. Required by the security-audit-coverage gate; mirrors the pattern in apps/web/src/app/api/ai/abort/route.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
GET /api/ai/chat/active-streams?channelId=<value>so any client can deterministically bootstrap multiplayer stream state on mount.aiStreamSessionsfor rows withstatus='streaming'started in the last 10 minutes; returns{ streams: [{ messageId, conversationId, triggeredBy: { userId, displayName, tabId } }] }.requireCSRF: false(read-only). Permissions:user:X:globalchannels requireX === userId; otherwisecanUserViewPage(userId, channelId).@pagespace/db/schema/ai-streamssubpath export so the route resolves.Test plan
pnpm --filter web typecheckpasseschannelIdis missinguser:X:globalandX !== userId{ streams: [] }when no rows in the 10-minute window🤖 Generated with Claude Code
Summary by CodeRabbit