chore: Add OpenAPI Support to dm.close/im.close API

[ahmed-n-abdeltwab]

Description:
This PR integrates OpenAPI support into the Rocket.Chat API, migrate of Rocket.Chat API endpoints to the new OpenAPI pattern. The update includes improved API documentation, enhanced type safety, and response validation using AJV.

Key Changes:

• Implemented the new pattern and added AJV-based JSON schema validation for API.
• Uses the ExtractRoutesFromAPI utility from the TypeScript definitions to dynamically derive the routes from the endpoint specifications.
• Enabled Swagger UI integration for this API.
• Route Methods Chaining for the endpoints.
• This does not introduce any breaking changes to the endpoint logic.

Issue Reference:
Relates to #34983, part of the ongoing OpenAPI integration effort.

Testing:

• Verified that the API response schemas are correctly documented in Swagger UI.

• All tests passed without any breaking changes

  $ yarn testapi -f '[Direct Messages]'      
  
  
  [Direct Messages]
    ✔ /im.history (39ms)
    ✔ /im.list
    ✔ /im.open (41ms)
    ✔ /im.close (46ms)
    /im.setTopic
      ✔ should set the topic of the DM with a string (64ms)
      ✔ should set the topic of DM with an empty string(remove the topic) (57ms)
    Testing DM info
      ✔ sending a message... (95ms)
      ✔ REACTing with last message (43ms)
      ✔ STARring last message (55ms)
      ✔ PINning last message (269ms)
      ✔ should return all DM messages where the last message of array should have the "star" array with USERS star ONLY (85ms)
    /im.list.everyone
      ✔ should succesfully return a list of direct messages (62ms)
      ✔ should fail if user does NOT have the view-room-administration permission (255ms)
    Setting: 'Use Real Name': true
      ✔ /im.list (56ms)
      ✔ /im.list.everyone (50ms)
    /im.counters
      ✔ should require auth
      ✔ should require a roomId (54ms)
      ✔ should work with all params right (62ms)
      with valid room id
        ✔ should properly return counters before opening the dm (49ms)
      with deactived users
        ✔ should not include deactivated users in members count (115ms)
    [/im.files]
      ✔ should fail if invalid channel
      ✔ should fail for room type v (1058ms)
      ✔ should succeed when searching by roomId
      ✔ should succeed when searching by roomId even requested with count and offset params (43ms)
      - should succeed when searching by roomName
      - should succeed when searching by roomName even requested with count and offset params
       (node:22035) [DEP0044] DeprecationWarning: The `util.isArray` API is deprecated. Please use `Array.isArray()` instead.
       (Use `node --trace-deprecation ...` to show where the warning was created)
      ✔ should not return thumbnails (394ms)
      ✔ should not return hidden files (311ms)
      ✔ should properly filter files by name or typeGroup (445ms)
    /im.messages
      ✔ should return all DM messages that were sent to yourself using your username (104ms)
      ✔ should sort by ts by default
      ✔ should allow custom sorting (68ms)
      ✔ should return an error when trying to access a DM that does not belong to the current user
      ✔ should return messages that mention a single user
      ✔ should return messages that mention multiple users
      ✔ should return messages that are starred by a specific user
      ✔ should return messages that are pinned
    /im.messages.others
      ✔ should fail when the endpoint is disabled and the user has permissions (254ms)
      ✔ should fail when the endpoint is disabled and the user doesnt have permission (395ms)
      ✔ should fail when the endpoint is enabled but the user doesnt have permission (383ms)
      ✔ should succeed when the endpoint is enabled and user has permission (407ms)
    fname property
      ✔ should have fname property
      ✔ should update user's name (83ms)
      ✔ should have fname property updated
    /im.members
      ✔ should return and array with two members (44ms)
      ✔ should return and array with one member
      ✔ should return and array with one member queried by status
    /im.create
      ✔ creates a DM between two other parties (including self) (40ms)
      ✔ creates a DM between two other parties (excluding self) (51ms)
      ✔ should create a self-DM
      should create dm with correct notification preferences
        ✔ should save user preferences
        ✔ should create a DM (44ms)
        ✔ should return the right user notification preferences in the dm
      Rooms fullName
        ✔ should be own user's name for self DM
        ✔ should be other user's name concatenated for multiple users's DM for every user (44ms)
        ✔ should be other user's name for DM for both users
    /im.delete
      ✔ /im.create
      ✔ /im.delete (71ms)
      ✔ /im.open
      when authenticated as a non-admin user
        ✔ /im.create
        ✔ /im.delete
  
  
  59 passing (20s)
  2 pending

Endpoints:

• Close DM

  

Looking forward to your feedback! 🚀

Summary by CodeRabbit

Release Notes

• New Features
  • Added dm.close and im.close endpoints with comprehensive OpenAPI documentation, enabling direct message closure via API.
  • Improved endpoint validation and authorization with enhanced error handling and response documentation.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: e09c8d1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/api-client	Patch
@rocket.chat/core-services	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/http-router	Patch
@rocket.chat/models	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/abac	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/livechat	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/cron	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch
@rocket.chat/server-fetch	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/apps	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/license	Patch
@rocket.chat/pdf-worker	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

This PR consolidates OpenAPI support for the dm.close/im.close endpoints by moving DmCloseProps type and schema definitions from the rest-typings package into the Meteor API layer, implements the close endpoint with validation and error handling, and updates the related im.kick endpoint to use its own distinct schema.

Changes

Cohort / File(s)	Summary
Endpoint Implementation apps/meteor/app/api/server/v1/im.ts	Added DmCloseProps type, AJV schema, and validator. Implemented dmCloseEndpointsProps with response schemas (400/401/403/200) and dmCloseAction handler. Added dm.close and im.close route definitions with validation and authorization checks.
Type/Schema Consolidation packages/rest-typings/src/v1/dm/DmCloseProps.ts, packages/rest-typings/src/v1/dm/dm.ts, packages/rest-typings/src/v1/dm/im.ts	Removed DmCloseProps file entirely and corresponding '/v1/dm.close' endpoint mapping from DmEndpoints. Updated im.kick endpoint to accept new DmKickProps type instead of DmCloseProps.
Changeset Documentation .changeset/wicked-buckets-thank.md	Documented patch-level dependency updates for @rocket.chat/meteor and @rocket.chat/rest-typings packages alongside the OpenAPI endpoint feature addition.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~28 minutes

Poem

🐰 New routes hop into place with schemas so tight,
DM close endpoints now validated right,
From packages they came, to Meteor they stay,
OpenAPI dances in a modern way! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The linked issue DM-1 concerns UI/design for Rocket.Chat AI features, which is unrelated to API endpoint OpenAPI support changes.	The actual API implementation work should reference a relevant OpenAPI/API documentation issue, not a social/design issue. Update linked issues to reference the correct objectives.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding OpenAPI support to dm.close/im.close endpoints, which aligns with the changeset and code modifications.
Out of Scope Changes check	✅ Passed	Changes appropriately focus on adding OpenAPI support for dm.close/im.close endpoints through schema validation, type definitions, and endpoint declarations without introducing unrelated functionality.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.63%. Comparing base (139e9dc) to head (e09c8d1).
⚠️ Report is 13 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #38974      +/-   ##
===========================================
- Coverage    70.65%   70.63%   -0.02%     
===========================================
  Files         3189     3189              
  Lines       112715   112716       +1     
  Branches     20409    20430      +21     
===========================================
- Hits         79638    79622      -16     
- Misses       31031    31044      +13     
- Partials      2046     2050       +4     

Flag	Coverage Δ
e2e	60.39% <ø> (-0.02%)	⬇️
e2e-api	47.79% <ø> (-1.03%)	⬇️
unit	71.19% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ahmed-n-abdeltwab]

@ggazzo 👍

[cubic-dev-ai]

No issues found across 6 files

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/meteor/app/api/server/v1/im.ts (1)

103-166: ⚠️ Potential issue | 🟠 Major

Schema/type mismatch: userId is required but unused

DmCloseProps only includes roomId, yet DmClosePropsSchema requires userId. This will cause AJV to reject requests that send only roomId, effectively making the change breaking and misaligning the OpenAPI docs with runtime behavior. Either drop userId from the schema or wire it into the handler with explicit permission checks.

💡 Proposed fix (drop unused userId)

 const DmClosePropsSchema = {
 	type: 'object',
 	properties: {
 		roomId: {
 			type: 'string',
 		},
-		userId: {
-			type: 'string',
-		},
 	},
-	required: ['roomId', 'userId'],
+	required: ['roomId'],
 	additionalProperties: false,
 };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/app/api/server/v1/im.ts` around lines 103 - 166,
DmClosePropsSchema requires userId but the TypeScript type DmCloseProps (and the
handler) only expects roomId, causing AJV to reject valid requests; fix by
either removing userId from DmClosePropsSchema (delete the userId property and
from required) so schema matches the DmCloseProps type and isDmCloseProps
validator, or if you intend to accept userId, add userId to the DmCloseProps
type and update the handler that uses isDmCloseProps to consume userId and
perform the necessary permission checks before closing the DM (ensure
isDmCloseProps and DmClosePropsSchema remain consistent with the handler).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/app/api/server/v1/im.ts`:
- Around line 220-221: Remove the inline explanatory comment before the
subscription lookup and make the intent self-documenting: either delete the
comment and keep the call to Subscriptions.findOneByRoomIdAndUserId(roomId,
this.userId), or extract the logic into a clearly named helper (e.g.,
getSubscriptionAllowingMissingRoom(roomId, userId)) and call that helper
instead; ensure references to subscription, roomId and this.userId remain
correct and no inline comment is left in the implementation.

---

Outside diff comments:
In `@apps/meteor/app/api/server/v1/im.ts`:
- Around line 103-166: DmClosePropsSchema requires userId but the TypeScript
type DmCloseProps (and the handler) only expects roomId, causing AJV to reject
valid requests; fix by either removing userId from DmClosePropsSchema (delete
the userId property and from required) so schema matches the DmCloseProps type
and isDmCloseProps validator, or if you intend to accept userId, add userId to
the DmCloseProps type and update the handler that uses isDmCloseProps to consume
userId and perform the necessary permission checks before closing the DM (ensure
isDmCloseProps and DmClosePropsSchema remain consistent with the handler).

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 139e9dc and e09c8d1.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (5)

• .changeset/wicked-buckets-thank.md
• apps/meteor/app/api/server/v1/im.ts
• packages/rest-typings/src/v1/dm/DmCloseProps.ts
• packages/rest-typings/src/v1/dm/dm.ts
• packages/rest-typings/src/v1/dm/im.ts

💤 Files with no reviewable changes (2)

• packages/rest-typings/src/v1/dm/dm.ts
• packages/rest-typings/src/v1/dm/DmCloseProps.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• packages/rest-typings/src/v1/dm/im.ts
• apps/meteor/app/api/server/v1/im.ts

🧠 Learnings (4)

📓 Common learnings

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.

📚 Learning: 2025-09-16T13:33:49.237Z

Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36890
File: apps/meteor/tests/e2e/e2e-encryption/e2ee-otr.spec.ts:21-26
Timestamp: 2025-09-16T13:33:49.237Z
Learning: In Rocket.Chat test files, the im.delete API endpoint accepts either a `roomId` parameter (requiring the actual DM room _id) or a `username` parameter (for the DM partner's username). It does not accept slug-like constructions such as concatenating usernames together.

Applied to files:

• packages/rest-typings/src/v1/dm/im.ts
• apps/meteor/app/api/server/v1/im.ts

📚 Learning: 2025-09-16T13:33:49.237Z

Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36890
File: apps/meteor/tests/e2e/e2e-encryption/e2ee-otr.spec.ts:21-26
Timestamp: 2025-09-16T13:33:49.237Z
Learning: The im.delete API endpoint accepts either a `roomId` parameter (requiring the actual DM room _id) or a `username` parameter (for the DM partner's username). Constructing slug-like identifiers like `user2${Users.userE2EE.data.username}` doesn't work for this endpoint.

Applied to files:

• apps/meteor/app/api/server/v1/im.ts

📚 Learning: 2026-02-23T17:53:06.802Z

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

• apps/meteor/app/api/server/v1/im.ts

🧬 Code graph analysis (1)

packages/rest-typings/src/v1/dm/im.ts (2)

packages/livechat/src/lib/room.js (1)

• params (304-304)

packages/rest-typings/src/v1/dm/DmCreateProps.ts (1)

• DmCreateProps (3-10)

🔇 Additional comments (4)

.changeset/wicked-buckets-thank.md (1)

1-6: Changeset looks accurate and well-scoped.
The patch bumps and description align with the OpenAPI support work described in the PR.

packages/rest-typings/src/v1/dm/im.ts (1)

12-24: im.kick request typing looks consistent

DmKickProps keeps the request shape explicit and narrows im.kick to the intended roomId.

apps/meteor/app/api/server/v1/im.ts (2)

6-10: Good: 403 response validation added for dm.close/im.close

Including a forbidden response schema improves OpenAPI documentation and runtime validation for authorization failures.

Also applies to: 168-187

---

246-250: Chained dm.close/im.close routes look consistent with the OpenAPI pattern

The new route chaining keeps the public API surface aligned with the new validation/action setup.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove the inline comment to comply with implementation guidelines

Prefer self-explanatory logic or extract a helper name instead of leaving an inline explanation.

🔧 Proposed cleanup

-		// even if the room doesn't exist, we should allow the user to close the subscription anyways

As per coding guidelines: Avoid code comments in the implementation.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// even if the room doesn't exist, we should allow the user to close the subscription anyways
	subscription = await Subscriptions.findOneByRoomIdAndUserId(roomId, this.userId);
	subscription = await Subscriptions.findOneByRoomIdAndUserId(roomId, this.userId);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/app/api/server/v1/im.ts` around lines 220 - 221, Remove the
inline explanatory comment before the subscription lookup and make the intent
self-documenting: either delete the comment and keep the call to
Subscriptions.findOneByRoomIdAndUserId(roomId, this.userId), or extract the
logic into a clearly named helper (e.g.,
getSubscriptionAllowingMissingRoom(roomId, userId)) and call that helper
instead; ensure references to subscription, roomId and this.userId remain
correct and no inline comment is left in the implementation.

[ahmed-n-abdeltwab]

is change the old code logic is out of scoop of this pr

[coderabbitai]

No PR description or comment images were provided in the context to describe.

@ahmed-n-abdeltwab Understood—no logic changes in this PR. My earlier note was purely about removing a single inline comment and would not alter behavior. Given your scope constraint, I’m happy to drop that nit and keep the code as-is. If you’d like, we can track a tiny follow-up chore later to replace such inline comments with clearer helper names, but no change is requested here.

For transparency: I’m keeping this review tightly focused on the dm.close/im.close handlers per our prior learning about limiting scope in v1 endpoint PRs.

---

✏️ Learnings added

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36890
File: apps/meteor/tests/e2e/e2e-encryption/e2ee-otr.spec.ts:21-26
Timestamp: 2025-09-16T13:33:49.237Z
Learning: The im.delete API endpoint accepts either a `roomId` parameter (requiring the actual DM room _id) or a `username` parameter (for the DM partner's username). Constructing slug-like identifiers like `user2${Users.userE2EE.data.username}` doesn't work for this endpoint.

---

Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36890
File: apps/meteor/tests/e2e/e2e-encryption/e2ee-otr.spec.ts:21-26
Timestamp: 2025-09-16T13:33:49.237Z
Learning: In Rocket.Chat test files, the im.delete API endpoint accepts either a `roomId` parameter (requiring the actual DM room _id) or a `username` parameter (for the DM partner's username). It does not accept slug-like constructions such as concatenating usernames together.

---

Learnt from: sampaiodiego
Repo: RocketChat/Rocket.Chat PR: 37532
File: ee/packages/federation-matrix/src/FederationMatrix.ts:920-927
Timestamp: 2025-12-09T20:01:07.355Z
Learning: In Rocket.Chat's federation invite handling (ee/packages/federation-matrix/src/FederationMatrix.ts), when a user rejects an invite via federationSDK.rejectInvite(), the subscription cleanup happens automatically through an event-driven flow: Matrix emits a leave event back, which is processed by handleLeave() in ee/packages/federation-matrix/src/events/member.ts, and that function calls Room.performUserRemoval() to clean up the subscription. No explicit cleanup is needed in the reject branch of handleInvite() because the leave event handler takes care of it.
<!-- </add_learning>

---

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings by mapping subscription documents to room IDs, never undefined, even when user has no room subscriptions.

---

Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings (mapping subscription documents to room IDs), never undefined, even when user has no room subscriptions.

---

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.