API Dtos Naming convention, vscode callback url validation

[Friedrich482]

Commits

• fix: password resets

  • renamed the methods of the password-resets service to be less redundant and updated all the affected files

• fix: pending registrations

  • renamed the methods of the pending registrations service and updated the affected files

• fix: auth procedures

  • updated the names of the procedures of the auth.router and the CodeVerificationForm and LoginForm on the frontend to reflect the changes

• fix: vscode callback url validation

  • replaced the clumsy validation of the vscode callback url by a comprehensive zod schema

• fix: zod depreciations

  • replaced the clumsy validation of the vscode callback url by a comprehensive zod schema

• fix: zod depreciations

  • fix zod deprecated refine syntax : from message => error

• chore: schema

  • started scoping the term dto to the api only, if a schema/dto is shared between the frontend and backend, we name it schema
  • renamed the SignInUserDto to SignInUserSchema

• chore: dto => schema

  • renamed the dto shared between frontend and backend into schema

• chore: jwt payload

  • renamed the jwt payload schema and type and updated the affected files

• chore: dto

  • renamed the internal remaining schemas used to validate data between layers of the api to dto

Summary by CodeRabbit

• New Features

  • Stronger VS Code callback URL validation across authentication flows.

• Bug Fixes

  • More robust password reset and registration handling and error reporting.
  • Safer parsing/validation for tokens used during redirects.

• Refactor

  • Public auth procedures renamed: signInUser → signIn, registerUser → register.
  • Migration from "schema/Dto" helpers to a unified DTO/schema approach for types and forms.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Renames and DTO/schema refactors across auth, password-reset, pending-registration, and DTO helpers; TRPC auth procedures renamed (signInUser→signIn, registerUser→register); introduced VSCode callback URL schema and replaced ad-hoc callbackUrl checks with schema validation; multiple import/path updates and type-alias adjustments.

Changes

Cohort / File(s)	Summary
Auth Router apps/api/src/auth/auth.router.ts	TRPC public procedures renamed: signInUser → signIn, registerUser → register; local schema import aliases updated.
Auth Service apps/api/src/auth/auth.service.ts	Added createPendingRegistration; type imports aliased to *DtoType; internal calls updated to use renamed service methods (findOne, delete); removed callbackUrl validation from signIn/register flows.
Password Resets (DTO + Service) apps/api/src/password-resets/password-resets.dto.ts, apps/api/src/password-resets/password-resets.service.ts	DTO renames (GetPasswordResetDto → FindOnePasswordResetDto, DeletePasswordResetAfterResetDto → DeletePasswordResetDto); service methods renamed (getPasswordReset → findOne, deletePasswordResetAfterReset → delete).
Pending Registrations (DTO + Service) apps/api/src/pending-registrations/pending-registration.dto.ts, apps/api/src/pending-registrations/pending-registrations.service.ts	DTO renames (FindPendingRegistrationByEmailDto → FindOnePendingRegistrationDto, DeletePendingRegistrationAfterRegistrationDto → DeletePendingRegistrationDto); service methods renamed (findByEmail → findOne, deleteAfterRegistration → delete).
DTO Helpers & Common DTOs apps/api/src/common/dto.ts, apps/api/src/coding-stats/coding-stats.dto.ts, apps/api/src/files-stats/files-stats.dto.ts	Schema-based builders replaced with DTO-based equivalents: BaseSchema→BaseDto, DateRangeSchema→DateRangeDto, refineSchema→refineDto, refineAndTransformSchema→refineAndTransformDto; affected DTOs updated to use new helpers.
Shared Types & Schemas packages/common/src/types-schemas.ts	Major rename to Schema-suffixed exports (e.g., SignInUserSchema, RegisterUserSchema, JwtPayloadSchema); added VSCodeCallbackUrlSchema; callbackUrl fields changed to VSCode schema; IsoDateString error key changed to error.
Dashboard Forms & Types apps/dashboard/src/components/auth/**, apps/dashboard/src/types-schemas.ts	Replaced Dto/DtoType imports with Schema/Schema-named types; form generics/resolvers updated; TRPC calls updated (auth.signInUser→auth.signIn, auth.registerUser→auth.register); import path adjustments for DateString/ResetPassword schemas.
VSCode-related apps/dashboard/src/utils/loader/authLoader.ts, apps/vscode-extension/src/utils/auth/*	Added schema validation for vscode:// callback URLs in loaders; replaced ad-hoc checks with schema.safeParse and standardized error/redirect handling; simplified extension id extraction; parseJwtPayload uses JwtPayloadSchema.
Common Constants packages/common/src/constants.ts, apps/api/src/common/constants.ts	Added PUBLISHER and EXTENSION_ID exports; minor whitespace-only change in API constants file.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Migrate to TRPCError and consolidate dashboard components #96 — Overlaps auth router/service renames and DTO/schema alias updates across the same modules.
• signup email verification, password forgotten and dashboard improvments #102 — Affects auth procedures, DTO/schema renames, and service method signature changes that directly intersect with these edits.
• chore: remove zod deprecates, chore: drizzle and fix: dashboard port  #86 — Modifies DTO/schema utility functions (refineSchema → refineDto and related base shapes) touched in this PR.

Poem

🐰 I hopped through types with nimble paws,

Renamed the routes and tightened the laws.
Schemas now check VSCode calls,
DTOs dance in tidy halls,
A moonlit refactor — applause! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the two main changes: DTO naming convention refactoring and VSCode callback URL validation improvements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch features

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d5d0684 and 03b343e.

📒 Files selected for processing (1)

• apps/vscode-extension/src/utils/auth/parseJwtPayload.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/vscode-extension/src/utils/auth/parseJwtPayload.ts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

apps/vscode-extension/src/utils/auth/login.ts (1)

18-18: Consider validating against centralized constants.

The destructuring syntax is cleaner. However, since this PR introduces PUBLISHER and EXTENSION_ID constants in packages/common/src/constants.ts, consider validating the parsed values against those constants to ensure consistency.

🔎 Proposed validation enhancement

+import { PUBLISHER, EXTENSION_ID } from "@repo/common/constants";
+
 const login = async () => {
   const context = getExtensionContext();
   const dashboardPort = getDashboardPort();
 
   try {
     let state = await context.secrets.get("authState");
 
     if (!state) {
       state = crypto.randomBytes(32).toString("base64url");
       await context.secrets.store("authState", state);
     }
 
     const [publisher, extensionId] = context.extension.id.split(".");
+    
+    if (publisher !== PUBLISHER || extensionId !== EXTENSION_ID) {
+      throw new Error(`Unexpected extension ID: ${context.extension.id}`);
+    }
 
     const callbackUri = await vscode.env.asExternalUri(
       vscode.Uri.parse(
         `vscode://${publisher}.${extensionId}/auth-callback?state=${state}`
       )
     );

apps/vscode-extension/src/utils/auth/parseJwtPayload.ts (1)

3-3: Minor formatting: missing space in import statement.

The import is missing a space after the comma: JwtPayload,JwtPayloadSchema should be JwtPayload, JwtPayloadSchema.

🔎 Suggested fix

-import { JwtPayload,JwtPayloadSchema } from "@repo/common/types-schemas";
+import { JwtPayload, JwtPayloadSchema } from "@repo/common/types-schemas";

apps/dashboard/src/utils/loader/authLoader.ts (1)

99-118: Consider consistent error handling across loaders.

The error handling approach differs between loaders:

• authRouteLoader: silently redirects on validation failure
• googleAuthLoader: throws an Error with concatenated issue messages
• redirectToVSCodeAfterGoogleAuthLoader: throws an Error for URL validation but redirects for token/email validation

While this may be intentional (different user flows), consider documenting the rationale or standardizing the approach. The thrown errors here will be caught and logged on line 115-116, returning null which proceeds silently.

packages/common/src/types-schemas.ts (1)

14-41: Consolidate URL parsing to avoid redundant new URL() calls.

The URL is parsed three times (lines 19, 27, 35). This can be refactored using superRefine to parse once.

Note: The abort: true option is valid Zod v4 syntax and doesn't require verification. However, if refactoring to superRefine, use ctx.addIssue({ code: "custom", message: "...", fatal: true }) to preserve the abort semantics of the first two publisher/extension validation checks, which currently stop subsequent validations.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c2555f and d5d0684.

📒 Files selected for processing (25)

• apps/api/src/auth/auth.router.ts
• apps/api/src/auth/auth.service.ts
• apps/api/src/coding-stats/coding-stats.dto.ts
• apps/api/src/common/constants.ts
• apps/api/src/common/dto.ts
• apps/api/src/daily-data/daily-data.dto.ts
• apps/api/src/files-stats/files-stats.dto.ts
• apps/api/src/password-resets/password-resets.dto.ts
• apps/api/src/password-resets/password-resets.service.ts
• apps/api/src/pending-registrations/pending-registration.dto.ts
• apps/api/src/pending-registrations/pending-registrations.service.ts
• apps/api/src/projects/projects.dto.ts
• apps/api/src/trpc/trpc.service.ts
• apps/dashboard/src/components/auth/login-page/LoginForm.tsx
• apps/dashboard/src/components/auth/password-reset/code-verification/CodeVerificationForm.tsx
• apps/dashboard/src/components/auth/password-reset/forgot-password/ForgotPasswordForm.tsx
• apps/dashboard/src/components/auth/password-reset/reset-password/ResetPasswordForm.tsx
• apps/dashboard/src/components/auth/register-page/RegisterForm.tsx
• apps/dashboard/src/components/auth/register-page/code-verification/CodeVerificationForm.tsx
• apps/dashboard/src/types-schemas.ts
• apps/dashboard/src/utils/loader/authLoader.ts
• apps/vscode-extension/src/utils/auth/login.ts
• apps/vscode-extension/src/utils/auth/parseJwtPayload.ts
• packages/common/src/constants.ts
• packages/common/src/types-schemas.ts

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-08-06T23:16:51.944Z

Learnt from: Friedrich482
Repo: Friedrich482/mooncode PR: 86
File: apps/api/src/common/dto.ts:13-16
Timestamp: 2025-08-06T23:16:51.944Z
Learning: In Zod v4, using shape spreading syntax (e.g., `z.object({...BaseSchema.shape, newField: z.string()})`) is recommended over the `.extend()` method for optimizing TypeScript compiler performance. This represents a change in best practices from earlier Zod versions.

Applied to files:

• apps/api/src/daily-data/daily-data.dto.ts
• apps/api/src/projects/projects.dto.ts
• apps/dashboard/src/types-schemas.ts
• apps/api/src/common/dto.ts
• apps/api/src/files-stats/files-stats.dto.ts
• apps/api/src/coding-stats/coding-stats.dto.ts

📚 Learning: 2025-08-06T23:16:51.944Z

Learnt from: Friedrich482
Repo: Friedrich482/mooncode PR: 86
File: apps/api/src/common/dto.ts:13-16
Timestamp: 2025-08-06T23:16:51.944Z
Learning: In Zod v4, shape spreading syntax (e.g., `z.object({...BaseSchema.shape, newField: z.string()})`) is recommended over the `.extend()` method for better TypeScript compiler performance. The documentation explicitly states this approach is more tsc-efficient, especially when chaining operations, and avoids TypeScript limitations that make `.extend()` quadratically more expensive when chained.

Applied to files:

• apps/dashboard/src/types-schemas.ts
• apps/api/src/files-stats/files-stats.dto.ts
• apps/api/src/coding-stats/coding-stats.dto.ts

🧬 Code graph analysis (15)

apps/api/src/pending-registrations/pending-registration.dto.ts (1)

packages/common/src/types-schemas.ts (1)

• RegisterUserSchema (61-65)

apps/dashboard/src/components/auth/password-reset/forgot-password/ForgotPasswordForm.tsx (1)

packages/common/src/types-schemas.ts (2)

• CreatePasswordReset (119-119)
• CreatePasswordResetSchema (67-69)

apps/dashboard/src/components/auth/password-reset/reset-password/ResetPasswordForm.tsx (1)

packages/common/src/types-schemas.ts (1)

• ResetPassword (123-123)

apps/dashboard/src/components/auth/register-page/RegisterForm.tsx (1)

packages/common/src/types-schemas.ts (2)

• CreatePendingRegistration (115-117)
• CreatePendingRegistrationSchema (55-59)

apps/dashboard/src/components/auth/password-reset/code-verification/CodeVerificationForm.tsx (1)

packages/common/src/types-schemas.ts (2)

• VerifyPasswordResetCode (120-122)
• VerifyPasswordResetCodeSchema (71-74)

apps/vscode-extension/src/utils/auth/parseJwtPayload.ts (1)

packages/common/src/types-schemas.ts (2)

• JwtPayload (113-113)
• JwtPayloadSchema (43-47)

apps/dashboard/src/components/auth/register-page/code-verification/CodeVerificationForm.tsx (1)

packages/common/src/types-schemas.ts (2)

• RegisterUser (118-118)
• RegisterUserSchema (61-65)

apps/dashboard/src/utils/loader/authLoader.ts (1)

packages/common/src/types-schemas.ts (1)

• VSCodeCallbackUrlSchema (14-41)

apps/api/src/common/constants.ts (1)

packages/common/src/constants.ts (1)

• DASHBOARD_PRODUCTION_PORT (10-10)

apps/dashboard/src/types-schemas.ts (1)

packages/common/src/types-schemas.ts (1)

• ResetPasswordSchema (76-80)

apps/api/src/pending-registrations/pending-registrations.service.ts (1)

apps/api/src/pending-registrations/pending-registration.dto.ts (2)

• FindOnePendingRegistrationDtoType (13-15)
• DeletePendingRegistrationDtoType (17-19)

apps/dashboard/src/components/auth/login-page/LoginForm.tsx (1)

packages/common/src/types-schemas.ts (2)

• SignInUser (114-114)
• SignInUserSchema (49-53)

apps/api/src/files-stats/files-stats.dto.ts (1)

apps/api/src/common/dto.ts (4)

• refineDto (20-26)
• DateRangeDto (10-13)
• refineAndTransformDto (28-44)
• BaseDto (15-18)

apps/api/src/password-resets/password-resets.service.ts (1)

apps/api/src/password-resets/password-resets.dto.ts (2)

• FindOnePasswordResetDtoType (11-13)
• DeletePasswordResetDtoType (14-14)

apps/api/src/coding-stats/coding-stats.dto.ts (1)

apps/api/src/common/dto.ts (5)

• refineDto (20-26)
• DateRangeDto (10-13)
• refineAndTransformDto (28-44)
• BaseDto (15-18)
• DateStringDto (8-8)

🔇 Additional comments (49)

apps/api/src/common/constants.ts (1)

7-17: LGTM!

The ALLOWED_CLIENTS array generation is correct and the use of DASHBOARD_PRODUCTION_PORT as the base for the port range is appropriate.

apps/api/src/daily-data/daily-data.dto.ts (1)

2-2: Import path change aligns with DTO scoping strategy.

The change from @repo/common/types-schemas to src/common/dto is consistent with the PR's objective to scope DTOs to API-only usage.

packages/common/src/constants.ts (1)

20-21: LGTM!

Adding centralized PUBLISHER and EXTENSION_ID constants provides a single source of truth for the extension identity, which improves maintainability and consistency across the codebase.

apps/dashboard/src/components/auth/login-page/LoginForm.tsx (4)

13-13: LGTM!

The import change from SignInUserDto/SignInUserDtoType to SignInUser/SignInUserSchema aligns with the PR's objective to use "schema" naming for shared types between frontend and backend.

---

32-39: Form initialization correctly updated.

The form now uses SignInUser type and SignInUserSchema resolver, maintaining consistency with the renamed schema. The default values structure remains correct.

---

46-46: TRPC procedure call updated correctly.

The mutation now calls trpc.auth.signIn instead of trpc.auth.signInUser, which aligns with the procedure renaming mentioned in the PR summary.

---

48-48: Type signature updated correctly.

The onSubmit handler now accepts SignInUser type, consistent with the schema rename.

apps/dashboard/src/components/auth/password-reset/code-verification/CodeVerificationForm.tsx (3)

11-12: LGTM!

The import changes from VerifyPasswordResetCodeDto/VerifyPasswordResetCodeDtoType to VerifyPasswordResetCode/VerifyPasswordResetCodeSchema are consistent with the PR's naming convention refactor.

---

38-44: Form configuration correctly updated.

The form now uses VerifyPasswordResetCode type and VerifyPasswordResetCodeSchema resolver, maintaining consistency with the renamed schema.

---

55-55: Type signature updated correctly.

The onSubmit handler parameter type changed to VerifyPasswordResetCode, consistent with the schema rename.

apps/dashboard/src/types-schemas.ts (2)

3-3: LGTM!

The import change from ResetPasswordDto to ResetPasswordSchema aligns with the PR's schema naming convention.

---

14-22: The code is correct as written. In Zod v4, the second argument to .refine can be a string value or an options object with message, path, and params properties. The current implementation using error: "Passwords must match" is valid and does not need to be changed to a function.

Likely an incorrect or invalid review comment.

apps/api/src/projects/projects.dto.ts (1)

2-2: Import path change is correct and properly verified.

DateStringDto is properly exported from src/common/dto and all usages in the file are consistent with the new import path.

apps/dashboard/src/components/auth/password-reset/reset-password/ResetPasswordForm.tsx (1)

14-14: LGTM - Type rename aligns with schema refactoring.

The import and usage of ResetPassword type (replacing ResetPasswordDtoType) is consistent with the PR's DTO-to-Schema naming convention for shared types between frontend and backend.

Also applies to: 66-66

apps/dashboard/src/components/auth/register-page/RegisterForm.tsx (1)

10-11: LGTM - Consistent schema naming refactor.

The migration from CreatePendingRegistrationDto/Type to CreatePendingRegistration/Schema follows the established pattern where shared types use "Schema" nomenclature. Form configuration correctly uses the schema for validation and the inferred type for typing.

Also applies to: 31-32, 48-48

apps/api/src/pending-registrations/pending-registration.dto.ts (1)

3-19: LGTM - DTO renames align with service method conventions.

The schema renames (FindPendingRegistrationByEmailDto → FindOnePendingRegistrationDto, DeletePendingRegistrationAfterRegistrationDto → DeletePendingRegistrationDto) are consistent with the service method refactoring mentioned in the PR. The use of RegisterUserSchema.omit({ callbackUrl: true }) correctly constructs a schema with email and code fields for the findOne operation.

apps/api/src/trpc/trpc.service.ts (1)

8-8: LGTM - Import alias maintains internal naming convention.

The aliasing of JwtPayload as JwtPayloadDtoType allows the internal code to maintain consistent "Dto" naming while consuming the refactored JwtPayload type from the common package.

apps/dashboard/src/components/auth/password-reset/forgot-password/ForgotPasswordForm.tsx (1)

9-10: LGTM - Schema refactor applied consistently.

The updates follow the same pattern as other form components: importing the schema for validation (CreatePasswordResetSchema) and the inferred type for typing (CreatePasswordReset). The form configuration and submission handler are correctly updated.

Also applies to: 29-30, 42-42

apps/vscode-extension/src/utils/auth/parseJwtPayload.ts (1)

8-8: LGTM - JWT payload validation updated correctly.

The schema and type renames (JWTDto → JwtPayloadSchema, type to JwtPayload) are applied consistently. The validation flow using safeParse remains unchanged and correct.

Also applies to: 24-24

apps/api/src/auth/auth.router.ts (2)

5-11: LGTM - Import aliases maintain internal consistency.

The import aliases allow the router to use "Dto" naming internally while consuming the refactored "Schema" exports from the common package. This approach maintains consistency within the file during the migration.

---

24-33: LGTM - TRPC procedure renames simplify the API surface.

The procedure renames (signInUser → signIn, registerUser → register) create a cleaner, more intuitive API. The rate limiter keys are correctly updated to match the new procedure names. Based on the PR objectives, corresponding frontend updates have been made to maintain compatibility.

Also applies to: 46-55

apps/api/src/password-resets/password-resets.dto.ts (1)

3-14: LGTM - DTO renames follow repository conventions.

The renames (GetPasswordResetDto → FindOnePasswordResetDto, DeletePasswordResetAfterResetDto → DeletePasswordResetDto) align with common repository method naming patterns and the service method refactoring mentioned in the PR objectives. The type aliases are correctly updated to match.

apps/api/src/files-stats/files-stats.dto.ts (2)

3-7: LGTM!

The import changes correctly align with the DTO-centric naming convention. The use of refineDto, refineAndTransformDto, and DTO shape exports is consistent with the broader refactoring.

---

37-61: LGTM!

The DTO definitions correctly use shape spreading (...DateRangeDto.shape, ...BaseDto.shape) which is the recommended pattern in Zod v4 for better TypeScript compiler performance. Based on learnings, this approach is more tsc-efficient than using .extend().

apps/api/src/coding-stats/coding-stats.dto.ts (2)

3-7: LGTM!

Import changes correctly adopt the DTO-centric naming convention, replacing schema-based imports with their DTO equivalents.

---

21-33: LGTM!

The DTO definitions properly use the renamed helpers (refineDto, refineAndTransformDto) and shape spreading pattern for extending BaseDto. This maintains consistency with the codebase refactoring.

apps/dashboard/src/utils/loader/authLoader.ts (3)

4-5: LGTM!

Good introduction of centralized schema-based validation for VSCode callback URLs, replacing ad-hoc string checks with structured validation.

---

39-44: LGTM!

The validation correctly uses safeParse and redirects to /dashboard on validation failure, which is a safe fallback behavior for the auth route loader.

---

148-151: URL parameter concatenation is safe.

The VSCodeCallbackUrlSchema requires the state parameter through a refinement check (line 36-38 in packages/common/src/types-schemas.ts), which validates that url.searchParams.get("state") returns a truthy value. This guarantees that any URL passing validation will be in the format vscode://publisher.extensionId?state=..., making the &token=...&email=... concatenation on line 151 safe and correct.

apps/dashboard/src/components/auth/register-page/code-verification/CodeVerificationForm.tsx (2)

10-10: LGTM!

Import correctly updated to use the new naming convention (RegisterUser type and RegisterUserSchema schema) for shared frontend/backend types.

---

35-36: LGTM!

Form typing, resolver, mutation reference, and submit handler all correctly updated to reflect the renamed schema (RegisterUserSchema) and TRPC procedure (auth.register).

Also applies to: 50-50, 52-52

apps/api/src/password-resets/password-resets.service.ts (3)

10-20: LGTM!

Import changes correctly adopt the aliased type naming pattern (CreatePasswordReset as CreatePasswordResetDtoType) and reference the renamed DTO types (FindOnePasswordResetDtoType, DeletePasswordResetDtoType).

---

98-99: LGTM!

Method renamed from getPasswordReset to findOne following standard CRUD naming conventions. Parameter type correctly updated to FindOnePasswordResetDtoType.

---

186-187: LGTM!

Method renamed from deletePasswordResetAfterReset to delete for cleaner naming. Parameter type correctly updated to DeletePasswordResetDtoType.

apps/api/src/common/dto.ts (4)

6-8: LGTM!

Good aliasing of IsoDateStringSchema to DateStringDto for consistent DTO-centric naming within the API layer.

---

10-18: LGTM!

The DTO definitions correctly use shape spreading (...DateRangeDto.shape) which is the recommended Zod v4 pattern for better TypeScript compiler performance. Based on learnings, this is more tsc-efficient than chaining .extend().

---

20-25: LGTM!

The rename from refineSchema to refineDto is consistent with the naming convention changes. The use of error instead of message in the refine options aligns with Zod v4's unified error customization API.

---

28-44: LGTM!

The rename from refineAndTransformSchema to refineAndTransformDto is consistent. The transformation logic correctly computes periodResolution and adjusts groupBy based on the period.

apps/api/src/auth/auth.service.ts (4)

16-24: LGTM!

Import aliases correctly follow the OriginalName as OriginalNameDtoType pattern, maintaining backward compatibility in the service while aligning with the new naming convention in the shared types package.

---

90-105: LGTM!

Registration flow correctly updated to use renamed service methods (findOne and delete) from PendingRegistrationsService. The flow logic remains unchanged.

---

141-143: LGTM!

Password reset flow correctly updated to use renamed service methods (findOne and delete) from PasswordResetsService.

Also applies to: 166-166

---

48-49: Backend validation of callbackUrl is maintained through TRPC input schema.

The signIn method correctly doesn't extract callbackUrl since it's not needed in the service logic. However, validation is not moved to frontend—it still occurs at the backend through the TRPC .input(SignInUserDto) call, which validates the entire SignInUserSchema including callbackUrl: VSCodeCallbackUrlSchema.nullable(). The frontend loaders provide an additional independent validation layer for UX purposes. All entry points to sign-in validate the callback URL before the service method is invoked.

apps/api/src/pending-registrations/pending-registrations.service.ts (3)

10-17: LGTM!

Import changes correctly adopt the aliased type naming pattern and reference the renamed DTO types from the local DTO file.

---

122-125: LGTM!

Method renamed from findByEmail to findOne following standard CRUD naming conventions. The method still validates the code and handles attempts, which is appropriate since it's finding a specific pending registration by email and verifying the code.

---

199-200: LGTM!

Method renamed from deleteAfterRegistration to delete for cleaner naming. Parameter type correctly updated to DeletePendingRegistrationDtoType.

packages/common/src/types-schemas.ts (4)

43-47: LGTM!

The schema correctly validates JWT payload structure using Zod 4's standalone z.ulid() and properly constrained integer types for timestamps.

---

49-80: LGTM!

The schema renames and callbackUrl field updates to use VSCodeCallbackUrlSchema.nullable() are consistent across both SignInUserSchema and RegisterUserSchema. The nullable pattern correctly handles auth flows not originating from VSCode.

---

82-102: LGTM!

The error format update to { error: "Invalid date" } aligns with Zod 4's unified error customization API.

---

113-123: LGTM!

The type exports correctly use z.infer<> pattern and the simplified naming convention (removing Dto suffix for shared types) aligns with the PR's schema-scoping objectives.