fix(ux/recommendations): rename 'Execute Purchase' to 'Send for Approval' (#288)

[cristim]

Closes #288.

Why

The purchase modal's primary action was labeled Execute Purchase but clicking it does NOT execute the purchase — it sends an approval email to the configured approver(s); the actual upfront charge fires only when an approver clicks the link in that email. Users frequently re-click the button thinking nothing had happened, then panic when an email arrives later.

What changed

• Button label (frontend/src/index.html:812): Execute Purchase → Send for Approval.
• confirmDialog wording in frontend/src/app.ts (single-purchase + fan-out paths):
  • Old body: "This will spend real money on cloud commitments." — was the opposite of what actually happens at this step.
  • New body: explicitly explains the email-approval contract. destructive: false since the immediate action is reversible (no money is moved at confirm-time).
  • Title Execute N purchase(s)? → Send N purchase(s) for approval? (and the fan-out symmetric).
  • Loading state Executing... → Sending....
• Modal body explanation (frontend/src/recommendations.ts::openPurchaseModal): added a <p class="approval-required-note"> after the upfront-cost line, so the user sees the contract BEFORE they click the primary action.
• Comment in recommendations.ts:2745-2752 notes that feat(api,recs): permission-gated direct purchase execute (execute-{any,own}) bypassing approval email, with cost warning + confirm gate #289 will introduce a session-permission branch where execute-any:purchases holders opt into direct execution; until that lands, every user is on this path and the new wording is correct unconditionally.

Test plan

• npm test — 1464 / 1464 pass.
• npm run build — clean.
• npx tsc --noEmit — clean.
• New describe('approval-required messaging (issue #288)') with 3 tests pinning the button label, the modal body, and the .approval-required-note element — plus a belt-and-braces "no Execute Purchase text anywhere on the rendered modal" assertion to guard against future regressions.

Out of scope

• feat(api,recs): permission-gated direct purchase execute (execute-{any,own}) bypassing approval email, with cost warning + confirm gate #289 — permission-gated direct-execute path (the alternate label branch).
• feat(email): styled approve/cancel buttons + rec summary block in notification emails #287 — pretty email link styling.
• feat(email): post-execution notification email with one-click revocation link valid for the AWS cancel window #291 — post-execution notification email + cancel link.

Notes for reviewers

• Test fixture in the shared beforeEach was extended to include #execute-purchase-btn (it's in production index.html but the test fixture had been omitting it). No other test in the file asserted against its absence; full suite green.
• destructive: false is intentional — argue either way, but the prior true was paired with the misleading "spend real money" body. With the corrected body, the dialog isn't communicating a destructive operation any more (it's a "send an email" operation).

Summary by CodeRabbit

• New Features

  • Purchase flow changed to an approval-request flow: primary action now reads “Send for Approval,” and modal clarifies an approval email will be sent and charges occur only after approval.
  • Success toasts now reflect approval status and include approver name(s) when available; error toasts show approval-specific failure text.

• Tests

  • Added tests asserting updated modal copy, button labels, and approval-note rendering.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4aed5239-c274-480d-99fe-9f1d7c0515a7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR changes the purchase flow language and UX to reflect an approval-request workflow: modal primary button now reads "Send for Approval", modal body includes an approval-required note, confirmation dialogs and toasts were reworded to reference sending approval requests, and API responses now carry resolved approval_recipient when available.

Changes

Purchase Approval-request Flow (single cohesive change DAG)

Layer / File(s)	Summary
UI Template & Labels frontend/src/index.html	#execute-purchase-btn visible text changed from "Execute Purchase" to "Send for Approval".
Modal Composition / Static Copy frontend/src/recommendations.ts	openPurchaseModal() inserts an .approval-required-note paragraph and inline docs updated to reference approval-request flow.
Unit Tests / DOM Fixture frontend/src/__tests__/recommendations.test.ts	Test DOM for #purchase-modal extended with Cancel and primary buttons; new tests assert primary button reads "Send for Approval", modal body contains approval-request copy, and .approval-required-note renders.
Frontend Confirmation & Feedback Flow frontend/src/app.ts	handleExecutePurchase and handleFanOutExecute confirmation dialogs, button labels/status, error toasts, and success toast messaging updated to reflect "Send for Approval"/"Sending…" flow; fan-out success aggregates unique approval_recipient values for tailored success messages.
API Types (frontend) frontend/src/api/types.ts, frontend/src/api/purchases.ts	PurchaseResult and RetryPurchaseResult gain optional approval_recipient?: string to expose resolved approver names to the UI.
Backend: send-email propagation internal/api/handler_purchases.go	sendPurchaseApprovalEmail signature changed to return (bool, string, string) including resolved recipient; retryPurchase/executePurchase capture and include approval_recipient in API responses when present.

Sequence Diagram(s)

sequenceDiagram
participant User as User
participant Frontend as Frontend (Browser)
participant Backend as Backend API
participant Email as Email Service

User->>Frontend: Click "Send for Approval"
Frontend->>Backend: POST /executePurchase (purchase data)
Backend->>Backend: validate & prepare approval email
Backend->>Email: sendPurchaseApprovalEmail(to)
Email-->>Backend: (sent / failed) + resolved recipient
Backend-->>Frontend: 200 { email_sent, email_reason?, approval_recipient? }
Frontend->>Frontend: show toast (include approval_recipient if present)
Frontend-->>User: UI feedback (success/failure)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• feat(api,recs): permission-gated direct purchase execute (execute-{any,own}) bypassing approval email, with cost warning + confirm gate #289: Touches the same purchase-execution/approval flow points in backend and frontend; may overlap on email/execute handling.
• feat(email): styled approve/cancel buttons + rec summary block in notification emails #287: Related to email send path and templates; changes to sendPurchaseApprovalEmail return values here are relevant.

Possibly related PRs

• LeanerCloud/CUDly#193: Modifies the purchase modal and execute handlers — related UI/flow overlap.
• LeanerCloud/CUDly#145: Changes executePurchase/retryPurchase server-side logic — related to backend response shaping and metadata propagation.

Suggested labels

effort/m, type/feat

Poem

🐰
I hopped into the modal light,
and nudged the button—now polite.
"Send for Approval" sings the tune,
an email waits beneath the moon.
A little hop, a clearer day—hooray!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: renaming UI button text from 'Execute Purchase' to 'Send for Approval' to fix misleading copy in the purchase modal.
Linked Issues check	✅ Passed	The PR implements all coding requirements from issue #288: button label changed to 'Send for Approval', modal body includes approval-required note explaining the email send, toast messages display approval recipient, and tests validate the new copy.
Out of Scope Changes check	✅ Passed	All changes are within scope of issue #288. Backend changes add approval_recipient field to API responses to support the approval-required messaging; frontend updates mirror this to display recipient information in toasts.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/issue-288-purchase-modal-copy

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/src/app.ts`:
- Around line 285-288: The success toasts after the approval execute response
are still generic; update the code that handles the execute/send response (the
handler that currently builds the success toasts after calling execute/send for
localRecs) to read the recipient identity from the execute response (e.g.,
response.recipient or response.approverEmail) and include that identity in both
the single-record and multi-record (fan-out) success messages; modify the
success-toast construction in the same handler (the branches emitting the single
success toast and the loop/fan-out success toast) and repeat the same change for
the other identical success block (the other success-path around the fan-out
code) so both places show "Approval request sent to <recipient>" (with
pluralized text for multiple records).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ab9784e0-0e54-4e00-823b-2ff2dfea56dc

📥 Commits

Reviewing files that changed from the base of the PR and between bb619f2 and 3e15a3f.

📒 Files selected for processing (4)

• frontend/src/__tests__/recommendations.test.ts
• frontend/src/app.ts
• frontend/src/index.html
• frontend/src/recommendations.ts

[cristim]

Addressed CodeRabbit's actionable: approval_recipient plumbed through from resolveApprovalRecipients (backend, optional field on both PurchaseResult + RetryPurchaseResult) → success toast now reads "Approval request sent to ." for the single-purchase path and aggregates+dedupes recipients across buckets for the fan-out path ("sent for approval to N recipients (a@x, b@y)" form when buckets route to distinct addresses). Generic toast preserved as a fallback when the response omits the field (older deploys or when only the global notify mailbox is configured).

go test ./internal/api/... 1055 pass; npm test 1464 pass; build + typecheck clean.

@coderabbitai review

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@cristim Thanks for the detailed update! The approval_recipient plumbing sounds well-handled — threading the optional field through both PurchaseResult and RetryPurchaseResult, deduplicating across fan-out buckets, and preserving a generic fallback for older deploys covers the edge cases nicely. Triggering a fresh review now.

[review]

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

frontend/src/app.ts (1)

426-468: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Treat business-level email failures as fan-out failures.

A fulfilled executePurchase() promise only means the POST returned 200. The backend can still return email_sent === false / status === 'failed', and this branch currently toasts “sent for approval” even when no approval email went out. Reclassify those responses before building the success toast.

Suggested fix

-  const succeeded = results.filter((r) => r.status === 'fulfilled').length;
-  const failed = results.length - succeeded;
+  const fulfilled = results.filter(
+    (r): r is PromiseFulfilledResult<api.PurchaseResult> => r.status === 'fulfilled',
+  );
+  const submissionFailures = fulfilled.filter(
+    (r) => r.value.email_sent === false || r.value.status === 'failed',
+  );
+  const succeeded = fulfilled.length - submissionFailures.length;
+  const failed = results.length - succeeded;
   closePurchaseModal();
   clearFanOutBuckets();
   clearPurchaseModalRecommendations();
 
   if (failed === 0) {
@@
   } else {
-    const failureMsgs = results
-      .filter((r): r is PromiseRejectedResult => r.status === 'rejected')
-      .map((r) => (r.reason instanceof Error ? r.reason.message : String(r.reason)))
+    const failureMsgs = [
+      ...results
+        .filter((r): r is PromiseRejectedResult => r.status === 'rejected')
+        .map((r) => (r.reason instanceof Error ? r.reason.message : String(r.reason))),
+      ...submissionFailures.map((r) => r.value.email_reason || 'approval email did not send'),
+    ]
       .slice(0, 3)
       .join('; ');
     showToast({
       message: `${succeeded} of ${results.length} submitted · ${failed} failed: ${failureMsgs}${failed > 3 ? ' (…)' : ''}`,
       kind: failed === results.length ? 'error' : 'warning',

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/app.ts` around lines 426 - 468, The success branch currently
treats any PromiseFulfilledResult as a true success even when the backend
indicates email_sent === false or value.status === 'failed'; update the
post-processing of results (the loop using results, the succeeded/failed
counters, and recipient set) to reclassify fulfilled responses whose
value.email_sent === false or value.status === 'failed' as failures: decrement
succeeded/increment failed for those entries, include their messages in
failureMsgs (use r.value.error or a descriptive string), and only add
r.value.approval_recipient into recipients when r.status === 'fulfilled' AND
r.value.email_sent === true AND r.value.status !== 'failed'; finally ensure
showToast uses the adjusted counts and recipients when building the success or
failure toast.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@frontend/src/app.ts`:
- Around line 426-468: The success branch currently treats any
PromiseFulfilledResult as a true success even when the backend indicates
email_sent === false or value.status === 'failed'; update the post-processing of
results (the loop using results, the succeeded/failed counters, and recipient
set) to reclassify fulfilled responses whose value.email_sent === false or
value.status === 'failed' as failures: decrement succeeded/increment failed for
those entries, include their messages in failureMsgs (use r.value.error or a
descriptive string), and only add r.value.approval_recipient into recipients
when r.status === 'fulfilled' AND r.value.email_sent === true AND r.value.status
!== 'failed'; finally ensure showToast uses the adjusted counts and recipients
when building the success or failure toast.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7f246897-78c1-4ac4-88cb-ecd2f1f501e7

📥 Commits

Reviewing files that changed from the base of the PR and between 3e15a3f and 9bf6caf.

📒 Files selected for processing (4)

• frontend/src/api/purchases.ts
• frontend/src/api/types.ts
• frontend/src/app.ts
• internal/api/handler_purchases.go

[cristim]

@coderabbitai — the outside-diff finding on frontend/src/app.ts:426-468 ("treat business-level email failures as fan-out failures") is already implemented in this PR.

The reclassification logic landed in commit 9bf6caf18 and is identical to your suggested diff:

• fulfilled = results.filter((r): r is PromiseFulfilledResult<api.PurchaseResult> => r.status === 'fulfilled') — line 429-431
• submissionFailures = fulfilled.filter((r) => r.value.email_sent === false || r.value.status === 'failed') — line 432-434
• succeeded = fulfilled.length - submissionFailures.length — line 435
• failed = results.length - succeeded — line 436
• The recipients set guards on email_sent !== false && status !== 'failed' before adding approval_recipient — line 446-455
• The error branch unions submissionFailures.map((r) => r.value.email_reason || 'approval email did not send') into failureMsgs — line 471-478

The inline comment at line 426-428 even says (CR pass on PR #294 Finding 2) — this was implemented in response to your earlier review pass.

It looks like the review at 15:22:51Z (Run ID 7f246897-78c1-4ac4-88cb-ecd2f1f501e7) generated its diff against a pre-fix view. No code change needed; treating as already-addressed.

Mirroring the global CR-loop exit criterion: the most recent review's only finding is satisfied. PR is loop-clean unless a new review surfaces something else.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@cristim — confirmed and acknowledged. The reclassification logic is clearly present in commit 9bf6caf18 exactly as described, and the (CR pass on PR #294 Finding 2) inline comment is unambiguous provenance. The re-flag was a stale-snapshot artifact from that review run generating its diff against a pre-fix view of the file — not a real gap. No code change needed; treating the finding as already addressed.

---

✏️ Learnings added

Learnt from: cristim
URL: https://github.com/LeanerCloud/CUDly/pull/294

Timestamp: 2026-05-05T15:44:54.399Z
Learning: In the LeanerCloud/CUDly repository, when a CodeRabbit review flags something as "outside-diff" that was already implemented in an earlier commit of the same PR, it is likely a stale-snapshot artifact where the review diff was generated against a pre-fix view. The inline comment convention `(CR pass on PR #<number> Finding N)` is used by the maintainer (cristim) to mark lines that were changed in direct response to a prior CodeRabbit review pass.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[cristim]

CR pass on PR #294 — both Major findings addressed

Finding 1 — Recipient identity in success toast

The single-record path (handleExecutePurchase) already had approval_recipient plumbed in the prior commit (9bf6caf18): when the backend returns approval_recipient, the toast reads "Approval request sent to alice@example.com."; when absent it falls back to the generic "check your email" copy.

No change was needed here — confirmed present and correct.

Finding 2 — Business-level email failures reclassified as failures

handleFanOutExecute previously counted any fulfilled executePurchase POST as a success even when email_sent === false or status === 'failed' (i.e., the POST returned 200 but no approval email was delivered).

Fix in frontend/src/app.ts:

• Split results into a typed fulfilled array + a submissionFailures sub-array (those with email_sent === false or status === 'failed').
• succeeded = fulfilled.length - submissionFailures.length, failed = results.length - succeeded — both counts are now honest.
• The recipients set only collects approval_recipient from results where email_sent !== false && status !== 'failed' — a failed delivery can't name its recipient in the success toast.
• failureMsgs is built from a merged spread: HTTP rejections first, then email_reason values from submission failures (falling back to 'approval email did not send').

New tests (frontend/src/__tests__/purchase-execution-toast.test.ts)

8 new tests (+412 lines):

Test	Covers
Finding 1 with approval_recipient	Toast contains recipient name
Finding 1 without approval_recipient	Generic fallback copy
email_sent: false single-record	Warning toast
Fan-out email_sent: false → failure counter	Finding 2 — reason in toast, recipient excluded
Fan-out status: 'failed' → failure counter	Finding 2
Fan-out all-success	Recipients listed in success toast
Fan-out duplicate recipient	Deduplication
Fan-out all-email-fail	Error toast

All 1472 tests pass; tsc --noEmit clean; all pre-commit hooks passed.

@coderabbitai review

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@cristim — well-documented CR pass. Both findings are clearly closed:

• Finding 1: Confirmed present in 9bf6caf18 — no gap.
• Finding 2: The fulfilled/submissionFailures split in handleFanOutExecute is exactly the right approach — honest counters, recipient set guarded on non-failure results, and failureMsgs properly merging HTTP rejections with email_reason fallbacks covers all the edge cases.

The 8-test matrix in purchase-execution-toast.test.ts is thorough — the deduplication case and the "all-email-fail" path are the ones most likely to catch regressions if the fan-out logic is touched later, good to have those pinned.

Triggering a fresh review against the latest commits now.

[review]