fix: workspace crashing when invalid regular expression is used on message search query #40788

Merged: dionisio-bot[bot] merged 12 commits into develop from fix/messages-regex-search-crashes-workspace on Jun 4, 2026

@nazabucciarelli
Contributor

@nazabucciarelli nazabucciarelli commented Jun 3, 2026

Proposed changes (including videos or screenshots)

When users wrap searches in slashes (/.../), or if the Message_AlwaysSearchRegExp setting is enabled, the parser sends the raw, unescaped string directly to MongoDB as a $regex query. MongoDB rightfully rejects syntax that starts with a quantifier (like ?test or *test) and throws a MongoServerError.

My proposed solution is to check that regular expressions are valid by wrapping the parseMessageSearchQuery method within a try-catch and capturing the SyntaxError thrown by new RegExp(). An API test is also added to avoid the regression.

Issue(s)

SUP-1049 Bug with regex expressions on global search

Steps to test or reproduce

1- Open any room.
2- Click on 'Search Messages' from the room toolbar (the button with this icon 🔍).
3- Type /*test/

Without this PR: The workspace crashes due to the unhandled Mongo server error.
With this PR: The 'invalid regexp' error is caught by the try-catch and an error is logged in the console.

Further comments

Summary by CodeRabbit

  • Bug Fixes

    • Message search no longer errors on invalid regex-like patterns; such queries return an empty result set instead of failing.
    • Adjustments to regex-style and forced-regex handling may affect which messages match in edge cases.
  • Tests

    • Added end-to-end test verifying invalid search patterns return success with no messages.
  • Chores

    • Added a release entry documenting the patch.
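
The validate-before-query approach proposed above, as an added example that is not code from this pull request or from Rocket.Chat: regex-style search text is compiled locally first, a SyntaxError becomes an empty result, and nothing invalid reaches the database call. The names `buildMessageFilter`, `searchMessages`, `makeFakeFind` and `SAMPLE_MESSAGES`, the `[imsx]` flag set and the `i` option for forced regex are assumptions; the stand-in `find` and its messages are constructed.

```javascript
// Added example: hypothetical names, not Rocket.Chat's implementation.

// Search text written as /pattern/flags. The flag set [imsx] is an assumption.
const SLASH_FORM = /^\/(.+)\/([imsx]*)$/s;

// Turn raw search text into a MongoDB-style filter object.
// Throws SyntaxError when a regex-style input does not compile.
function buildMessageFilter(text, { forceRegex = false } = {}) {
  const trimmed = text.trim();
  const match = SLASH_FORM.exec(trimmed);
  if (match) {
    const [, pattern, flags] = match;
    // 'x' is not a JavaScript flag, so drop it for the local compile check only.
    new RegExp(pattern, flags.replace(/x/g, ''));
    return { msg: { $regex: pattern, $options: flags } };
  }
  if (forceRegex) {
    // Assumption: forced-regex searches are case-insensitive.
    new RegExp(trimmed, 'i');
    return { msg: { $regex: trimmed, $options: 'i' } };
  }
  return { $text: { $search: trimmed } };
}

// Search entry point: only SyntaxError from parsing is turned into an
// empty result; any other failure (including one from find) propagates.
function searchMessages(text, options, find, log = () => {}) {
  let filter;
  try {
    filter = buildMessageFilter(text, options);
  } catch (error) {
    if (error instanceof SyntaxError) {
      log({ msg: 'Invalid regex in search text', reason: error.message });
      return { message: { docs: [] } };
    }
    throw error;
  }
  return { message: { docs: find(filter) } };
}

// Constructed sample data and a stand-in for the database call.
const SAMPLE_MESSAGES = [{ msg: 'Test message' }, { msg: 'deploy finished' }];

// Returns a find() that records every filter it receives in `calls`.
function makeFakeFind(calls) {
  return (filter) => {
    calls.push(filter);
    if (filter.msg) {
      const re = new RegExp(filter.msg.$regex, filter.msg.$options.replace(/x/g, ''));
      return SAMPLE_MESSAGES.filter((doc) => re.test(doc.msg));
    }
    const needle = filter.$text.$search.toLowerCase();
    return SAMPLE_MESSAGES.filter((doc) => doc.msg.toLowerCase().includes(needle));
  };
}

// Stand-alone demo: the invalid pattern from the reproduction steps.
const demoCalls = [];
const demoResult = searchMessages('/*test/', {}, makeFakeFind(demoCalls));
console.log(demoResult.message.docs.length, 'docs;', demoCalls.length, 'database calls');
```

JavaScript's RegExp grammar and the regex engine on the MongoDB server are not identical, so a pattern that compiles locally can still be rejected by the server. The local check is a pre-filter, and the code around the database call still has to handle a server-side rejection.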

@dionisio-bot
Contributor

dionisio-bot Bot commented Jun 3, 2026

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot Bot commented Jun 3, 2026

🦋 Changeset detected

Latest commit: 2f063e0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch

@coderabbitai
Contributor

coderabbitai Bot commented Jun 3, 2026

Walkthrough

messageSearch now catches parse-time SyntaxError and returns empty messages; parseMessageSearchQuery instantiates RegExp for regex-style inputs (which can throw earlier); an end-to-end test and a patch changeset were added.

Changes

Message Search Error Handling

Layer / File(s) and summary:

  • RegExp instantiation in parser (apps/meteor/server/lib/parseMessageSearchQuery.ts): consumeMessageText now constructs RegExp instances for /pattern/flags inputs (removing x) and for forceRegex paths before populating this.query.msg (Mongo $regex/$options remain set).
  • Error handling in messageSearch + test + changeset (apps/meteor/server/methods/messageSearch.ts, apps/meteor/tests/end-to-end/api/chat.ts, .changeset/eighty-onions-deny.md): Adds Logger and wraps parseMessageSearchQuery(...) in try/catch: on SyntaxError logs debug and returns { message: { docs: [] } }; other errors are logged and rethrown. Adds an end-to-end test asserting invalid-regex returns empty messages and a patch changeset entry.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately describes the main change: fixing a workspace crash caused by invalid regular expressions in message search queries, which is the core objective and primary change across all modified files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • SUP-1049: Request failed with status code 401

@codecov

codecov Bot commented Jun 3, 2026

Codecov Report

❌ Patch coverage is 64.28571% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.88%. Comparing base (da1de5f) to head (2f063e0).
⚠️ Report is 11 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40788      +/-   ##
===========================================
+ Coverage    69.80%   69.88%   +0.08%     
===========================================
  Files         3327     3337      +10     
  Lines       123135   123501     +366     
  Branches     21983    22053      +70     
===========================================
+ Hits         85952    86309     +357     
- Misses       33832    33838       +6     
- Partials      3351     3354       +3     
Flag Coverage Δ
e2e 59.33% <ø> (-0.01%) ⬇️
e2e-api 46.27% <64.28%> (-0.83%) ⬇️
unit 70.64% <0.00%> (+0.12%) ⬆️

@nazabucciarelli nazabucciarelli added this to the 8.6.0 milestone Jun 3, 2026
@nazabucciarelli nazabucciarelli marked this pull request as ready for review June 3, 2026 19:58
@nazabucciarelli nazabucciarelli requested a review from a team as a code owner June 3, 2026 19:58
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
apps/meteor/tests/end-to-end/api/chat.ts (1)

2618-2633: ⚡ Quick win

Test validates graceful error handling but doesn't verify logging.

The test correctly confirms that invalid regex input no longer crashes and returns HTTP 200 with an empty messages array. However, it doesn't verify that the error was logged via SystemLogger.error, which is part of the implemented behavior.

Consider adding a unit test for the messageSearch method that:

  1. Mocks Messages.find() to throw a MongoDB error
  2. Verifies SystemLogger.error was called with appropriate parameters
  3. Verifies the returned structure is { message: { docs: [] } }

This would provide better coverage of the error-handling path and catch regressions in logging behavior.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/end-to-end/api/chat.ts` around lines 2618 - 2633, Add a
focused unit test for the messageSearch error path: mock Messages.find (or the
data access used by messageSearch) to throw a MongoDB error, call messageSearch
directly (or invoke the handler that uses messageSearch), assert that
SystemLogger.error was called with the error and contextual info, and assert the
method returns the fallback structure { message: { docs: [] } }; reference the
messageSearch function, Messages.find (or its wrapper) and SystemLogger.error
when locating code to mock and assert.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/server/methods/messageSearch.ts`:
- Around line 79-96: The catch in the messageSearch handler currently swallows
all errors from Messages.find and returns an empty result; instead, limit the
catch to detect the MongoDB regex/invalid pattern error (inspect error.name ===
'MongoServerError' and/or error.code/message pattern) and return a distinct
validation error response for the caller (so the API can map it to a 400), while
rethrowing or not catching other errors so they propagate and are
handled/monitored; update the block around Messages.find and SystemLogger.error
to log the specific regex error and return a clear validation result, but allow
connectivity/permission/timeouts to bubble up.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 63fd3b73-c734-4788-9955-849aafb72450

📥 Commits

Reviewing files that changed from the base of the PR and between 3c47215 and f179380.

📒 Files selected for processing (3)
  • .changeset/eighty-onions-deny.md
  • apps/meteor/server/methods/messageSearch.ts
  • apps/meteor/tests/end-to-end/api/chat.ts
🔇 Additional comments (2)
apps/meteor/server/methods/messageSearch.ts (1)

12-12: LGTM!

.changeset/eighty-onions-deny.md (1)

1-6: LGTM!

Comment thread apps/meteor/server/methods/messageSearch.ts
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 3 files

Comment thread apps/meteor/server/methods/messageSearch.ts Outdated
Contributor

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
apps/meteor/server/methods/messageSearch.ts (1)

90-97: 💤 Low value

Prefer property narrowing over the code cast.

The cast error as Error & { code: number } asserts a shape that isn't guaranteed. A typeof/in narrowing avoids the assertion while staying type-safe.

♻️ Suggested narrowing
-		if (error instanceof Error) {
-			const mongoError = error as Error & { code: number };
-
-			if (mongoError.code === 51091) {
-				SystemLogger.debug({ msg: 'Invalid regex gracefully caught at DB level', text });
-				return { message: { docs: [] } };
-			}
-		}
+		if (error instanceof Error && 'code' in error && error.code === 51091) {
+			SystemLogger.debug({ msg: 'Invalid regex gracefully caught at DB level', text });
+			return { message: { docs: [] } };
+		}
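Review bot: The literal 51091 in the added `error.code === 51091` condition is unexplained, so a reader cannot tell which server error is being turned into an empty result; lift it into a named constant (or add a one-line comment) next to this handler. The debug entry on the following line also records the raw search `text`, which is user-typed input, so consider logging only that a pattern was rejected, or a truncated form of it. Since the branch returns `{ message: { docs: [] } }`, the caller also cannot tell a rejected pattern from a search with no matches, which is worth stating in the method's documentation.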
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/server/methods/messageSearch.ts` around lines 90 - 97, Replace
the unsafe cast "error as Error & { code: number }" with a property-narrowing
check using the "in" operator and typeof: within the existing error handling
block for the error variable, do "if ('code' in error && typeof (error as
any).code === 'number') { const code = (error as any).code; if (code === 51091)
{ SystemLogger.debug({ msg: 'Invalid regex gracefully caught at DB level', text
}); return { message: { docs: [] } }; } }" so you avoid asserting the shape
while keeping the existing behavior around SystemLogger.debug and the returned
message.


📥 Commits

Reviewing files that changed from the base of the PR and between f179380 and 73247aa.

📒 Files selected for processing (1)
  • apps/meteor/server/methods/messageSearch.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: cubic · AI code reviewer
  • GitHub Check: Hacktron Security Check
  • GitHub Check: CodeQL-Build
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/server/methods/messageSearch.ts
🧠 Learnings (18)
📚 Learning: 2026-04-23T18:14:24.851Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 39857
File: apps/meteor/app/lib/server/lib/debug.js:87-91
Timestamp: 2026-04-23T18:14:24.851Z
Learning: In `apps/meteor/app/lib/server/lib/debug.js`, the `wrapMethods` function wraps Meteor DDP method handlers inside a `tracerActiveSpan` callback. The `end()` (summary timer) and `endHistogram()` (histogram timer) calls are placed after `await originalHandler.apply(this, originalArgs)` without a try/finally guard. This is intentional and safe: errors thrown by Meteor method handlers are caught by the route-handler action wrapper in `apps/meteor/app/api/server/ApiClass.ts` (around line 892-893), which converts them into proper response objects, so execution flow is never disrupted and the timer calls are always reached. Do not flag the missing try/finally as a bug for these timer calls in `debug.js`.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-02-24T19:16:35.307Z
Learnt from: sampaiodiego
Repo: RocketChat/Rocket.Chat PR: 39003
File: apps/meteor/client/lib/chats/flows/sendMessage.ts:39-45
Timestamp: 2026-02-24T19:16:35.307Z
Learning: In apps/meteor/client/lib/chats/flows/sendMessage.ts, when sdk.call('sendMessage', ...) throws an error, the message is intentionally left with temp: true (not deleted or cleaned up) to support a future retry UI feature. This allows users to retry sending failed messages rather than losing them.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-04-23T18:10:55.887Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 39857
File: apps/meteor/app/api/server/middlewares/metrics.ts:25-57
Timestamp: 2026-04-23T18:10:55.887Z
Learning: In RocketChat/Rocket.Chat, the route handler action wrapper in `apps/meteor/app/api/server/ApiClass.ts` (around line 892) contains a `catch` block that intercepts all route-handler errors and converts them into proper HTTP API response objects (e.g., `api.failure`, `api.unauthorized`, `api.tooManyRequests`). As a result, `next()` in Hono middleware (such as `metricsMiddleware` in `apps/meteor/app/api/server/middlewares/metrics.ts`) will never throw. Do not flag missing try/finally guards around `await next()` calls in this middleware for gauge/counter decrement safety, as the execution flow is never disrupted by route-level errors.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-04-29T20:06:34.862Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40268
File: apps/meteor/client/startup/incomingMessages.ts:21-25
Timestamp: 2026-04-29T20:06:34.862Z
Learning: In `apps/meteor/client/startup/incomingMessages.ts`, the `Messages.state.update` predicate that strips `ignored` from records when `'ignored' in sub` is false (i.e., the subscription update has no `ignored` field) is intentional. Absence of `ignored` in a `subscriptions-changed` event means the user's ignore list is empty/reset, so clearing all existing `ignored` flags on messages for that room is the correct behavior. Do not flag this as an unintentional ignored-state reset on unrelated subscription updates.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-05-11T20:30:37.444Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40480
File: apps/meteor/client/meteor/startup/accounts.ts:59-61
Timestamp: 2026-05-11T20:30:37.444Z
Learning: In RocketChat/Rocket.Chat, `dispatchToastMessage` (defined in `apps/meteor/client/lib/toast.ts`) accepts `message: unknown` when `type` is `'error'`, so it intentionally handles raw error objects directly. Do not suggest normalizing caught errors before passing them to `dispatchToastMessage({ type: 'error', message: error })` — no manual conversion to string or `error.message` extraction is needed.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-04-18T12:32:53.425Z
Learnt from: rodrigok
Repo: RocketChat/Rocket.Chat PR: 38623
File: apps/meteor/app/lib/server/functions/cleanRoomHistory.ts:146-149
Timestamp: 2026-04-18T12:32:53.425Z
Learning: In `apps/meteor/app/lib/server/functions/cleanRoomHistory.ts` (PR `#38623`), the read-receipt cleanup (both `ReadReceipts.removeByMessageIds` and `ReadReceiptsArchive.removeByMessageIds`) is intentionally only performed in the limited prune path (`limit && selectedMessageIds`). The unlimited/delete-all path (`limit === 0`) deliberately skips cleaning up orphaned read receipts in both hot and cold storage — this is by design. Do not flag this as a bug or missing cleanup in future reviews.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-02-20T09:04:55.725Z
Learnt from: Shreyas2004wagh
Repo: RocketChat/Rocket.Chat PR: 38681
File: apps/meteor/server/modules/streamer/streamer.module.ts:307-313
Timestamp: 2026-02-20T09:04:55.725Z
Learning: In apps/meteor/server/modules/streamer/streamer.module.ts, the catch block in sendToManySubscriptions intentionally uses SystemLogger.debug (not error or warn) for per-subscription delivery failures to keep logs less noisy, as this was a deliberate design choice reviewed and approved by KevLehman.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-04-17T23:32:07.223Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 38357
File: apps/meteor/app/apps/server/converters/messages.ts:348-352
Timestamp: 2026-04-17T23:32:07.223Z
Learning: In `apps/meteor/app/apps/server/converters/messages.ts`, the `timestamp` handler inside `_convertAttachmentsToApp` uses a non-null assertion (`attachment.ts!`) intentionally. The `ts` property on `MessageAttachment` is optional only to accommodate MessageAttachment creation-time scenarios; by the time `_convertAttachmentsToApp` is called, the message has already been stored and the attachment is guaranteed to have a `ts` value. Do not flag this non-null assertion as unsafe during code review.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-01-17T01:51:47.764Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38219
File: packages/core-typings/src/cloud/Announcement.ts:5-6
Timestamp: 2026-01-17T01:51:47.764Z
Learning: In packages/core-typings/src/cloud/Announcement.ts, the AnnouncementSchema.createdBy field intentionally overrides IBannerSchema.createdBy (object with _id and optional username) with a string enum ['cloud', 'system'] to match existing runtime behavior. This is documented as technical debt with a FIXME comment at apps/meteor/app/cloud/server/functions/syncWorkspace/handleCommsSync.ts:53 and should not be flagged as an error until the runtime behavior is corrected.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-03-11T22:04:20.529Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 39545
File: apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts:59-61
Timestamp: 2026-03-11T22:04:20.529Z
Learning: In `apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts`, the `msg.u._id === uid` early-return in the `streamNewMessage` handler is intentional: the "New messages" indicator is designed to notify about messages from other users only. Self-sent messages — including those sent from a different session/device — are always skipped, by design. Do not flag this as a multi-session regression.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-04-20T17:11:59.452Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40225
File: apps/meteor/ee/server/apps/communication/endpoints/appLogsHandler.ts:55-71
Timestamp: 2026-04-20T17:11:59.452Z
Learning: In `apps/meteor/ee/server/apps/communication/endpoints/appLogsHandler.ts`, the concern about an empty `?appId=` query param bypassing the truthy check and overriding the path `appId` in the `makeAppLogsQuery` spread is not relevant. The AJV query schema (`isAppLogsProps`) validates and rejects invalid/empty `appId` values before the action handler is reached, making the in-handler guard sufficient as-is. Do not flag this pattern as a vulnerability in future reviews of this file.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-05-25T18:33:22.615Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40677
File: apps/meteor/packages/rocketchat-mongo-config/server/index.js:43-46
Timestamp: 2026-05-25T18:33:22.615Z
Learning: In `apps/meteor/packages/rocketchat-mongo-config/server/index.js`, the `Email.sendAsync` override that logs email options to console is intentionally unrestricted (logs full options) — this is a test-mode-only path (TEST_MODE === 'true' or 'api') and logging the full options object is acceptable. Do not flag this as a sensitive data leak in code reviews.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2025-12-10T21:00:54.909Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:54.909Z
Learning: Rocket.Chat monorepo: Jest testMatch pattern '<rootDir>/src/**/*.spec.(ts|js|mjs)' is valid in this repo and used across multiple packages (e.g., packages/tools, ee/packages/omnichannel-services). Do not flag it as invalid in future reviews.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-04-30T19:28:55.669Z
Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 36350
File: apps/meteor/client/lib/e2ee/rocketchat.e2e.ts:524-552
Timestamp: 2026-04-30T19:28:55.669Z
Learning: In `apps/meteor/client/lib/e2ee/rocketchat.e2e.ts`, the promises returned by `requestPasswordAlert()` and `requestPasswordModal()` are intentionally left unresolved (hanging) when the user dismisses the E2EE password modal ("Do it later" or "X"). Rejecting the promise would propagate to the catch block in `startClient()`, incorrectly triggering the error alert banner ("Wasn't possible to decode your encryption key"). The hanging promise is the correct design to silently stop the E2EE flow on user dismissal without triggering error states.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-03-09T18:39:14.020Z
Learnt from: Harxhit
Repo: RocketChat/Rocket.Chat PR: 39476
File: apps/meteor/server/methods/addAllUserToRoom.ts:0-0
Timestamp: 2026-03-09T18:39:14.020Z
Learning: When implementing batch processing in server methods, favor a single data pass to collect both the items and any derived fields needed for validation. Use the same dataset for both validation and processing to avoid races between validation and execution, and document the approach in code comments. Apply this pattern to similar Meteor Rocket.Chat server methods under apps/meteor/server/methods to prevent race conditions and ensure consistent batch behavior.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-05-06T12:21:44.083Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
🔇 Additional comments (1)
apps/meteor/server/methods/messageSearch.ts (1)

89-101: LGTM!

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

2 issues found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/server/methods/messageSearch.ts">

<violation number="1" location="apps/meteor/server/methods/messageSearch.ts:93">
P2: Invalid-regex handling is too narrow: only code 51091 is swallowed, but Mongo can also raise other invalid-regex errors (e.g., BadValue), which will still be rethrown.</violation>
</file>


Comment thread apps/meteor/server/methods/messageSearch.ts Outdated
Comment thread apps/meteor/server/methods/messageSearch.ts Outdated
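Validating the pattern in the application before the query is built means the outcome does not depend on which error code the database returns, which is the gap the comment above raises for 51091. The following is an added example in plain JavaScript, not code from this PR or from Rocket.Chat; `buildMessageRegexFilter`, `searchMessages`, the `runQuery` callback, the `forceRegex` option and the default `i` option are assumptions of the example.

```javascript
// Added example (not Rocket.Chat code): turn user search text into a MongoDB
// $regex filter, rejecting patterns that cannot compile before any query runs.

// /pattern/flags form with the flag set i, m, x, s.
const INLINE_REGEX = /^\/(.+)\/([imxs]*)$/;

// Escape every regex metacharacter so plain text is matched literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// True when the flags are unique and the pattern compiles in JavaScript.
function compilesInJs(pattern, options) {
  if (new Set(options).size !== options.length) {
    return false; // repeated flag such as "ii"
  }
  // JavaScript has no "x" flag, so it is dropped for the syntax check only
  // and still forwarded to the database in $options. Under "x" the server
  // ignores whitespace and comments, so this check can reject a pattern the
  // server would accept; it fails closed.
  const jsFlags = options.replace(/x/g, '');
  try {
    new RegExp(pattern, jsFlags);
    return true;
  } catch (error) {
    if (error instanceof SyntaxError) {
      return false;
    }
    throw error;
  }
}

// Hypothetical helper: returns a filter object, or null for input that must
// not reach the database.
function buildMessageRegexFilter(text, { forceRegex = false } = {}) {
  const trimmed = String(text).trim();
  if (trimmed === '') {
    return null;
  }

  const inline = INLINE_REGEX.exec(trimmed);
  let pattern;
  let options;
  if (inline) {
    [, pattern, options] = inline;
  } else if (forceRegex) {
    // Assumption: forced-regex searches are case-insensitive.
    pattern = trimmed;
    options = 'i';
  } else {
    // Assumption of this example: plain text is matched as an escaped literal.
    return { msg: { $regex: escapeRegExp(trimmed), $options: 'i' } };
  }

  if (!compilesInJs(pattern, options)) {
    return null;
  }
  return { msg: { $regex: pattern, $options: options } };
}

// Hypothetical caller: runQuery stands in for the real database call.
// An invalid pattern yields an empty result set and runQuery is never invoked.
function searchMessages(text, options, runQuery) {
  const filter = buildMessageRegexFilter(text, options);
  if (filter === null) {
    return { message: { docs: [] } };
  }
  return { message: { docs: runQuery(filter) } };
}
```

A pattern that compiles in JavaScript can still be rejected by the server's regex engine, so a database-level catch remains useful as a backstop behind this check.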

@hacktron-app hacktron-app Bot left a comment

1 issue found across 1 file

Severity Count
MEDIUM 1

Comment thread apps/meteor/server/lib/parseMessageSearchQuery.ts
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/server/lib/parseMessageSearchQuery.ts`:
- Around line 251-259: The inline-regex parsing currently calls new RegExp(r[1],
r[2]) which fails when the inline flags include 'x' (unsupported by JS); in
parseMessageSearchQuery (the block that tests /^\/.+\/[imxs]*$/ and builds
this.query.msg) change the validation so that if r[2] contains 'x' you skip the
JS RegExp construction and directly set this.query.msg = { $regex: r[1],
$options: r[2] }; otherwise you may keep the existing new RegExp(r[1], r[2])
check for JS validation before assigning this.query.msg; ensure $options is
still forwarded to Mongo as r[2].


📥 Commits

Reviewing files that changed from the base of the PR and between 73247aa and b3dee12.

📒 Files selected for processing (2)
  • apps/meteor/server/lib/parseMessageSearchQuery.ts
  • apps/meteor/server/methods/messageSearch.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: cubic · AI code reviewer
  • GitHub Check: CodeQL-Build
  • GitHub Check: Hacktron Security Check
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
  • apps/meteor/server/methods/messageSearch.ts
🧠 Learnings (24)
📚 Learning: 2026-03-16T23:33:15.721Z
Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: apps/meteor/app/api/server/v1/users.ts:862-869
Timestamp: 2026-03-16T23:33:15.721Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs (e.g., PR `#39676` for users.register in apps/meteor/app/api/server/v1/users.ts), calls to `this.parseJsonQuery()` inside migrated handlers are intentionally preserved without adding a corresponding `query` AJV schema to the route options. Adding query-param schemas for the `fields`/`sort`/`query` parameters consumed by `parseJsonQuery()` is a separate cross-cutting concern shared by many endpoints (e.g., users.create, users.update, users.list) and is explicitly out of scope for individual endpoint migration PRs. Do not flag the absence of a `query` schema for `parseJsonQuery()` usage as a violation of OpenAPI/AJV contract during migration reviews.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-05-26T19:18:05.882Z
Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 40644
File: apps/meteor/client/views/room/contextualBar/Threads/components/ThreadMessageList.tsx:145-147
Timestamp: 2026-05-26T19:18:05.882Z
Learning: In `apps/meteor/client/views/room/contextualBar/Threads/components/ThreadMessageList.tsx`, the `clearMsgJumpParam` cleanup in the timed effect (around line 145) intentionally clears the `msg` query parameter only when the target message IS found in `messages` (thread replies) and is not `mainMessage._id`. This is correct behavior: if `msgJumpParam` refers to a non-reply message (e.g., a main channel message), the main message list handles cleanup, so `ThreadMessageList` must not clear the param in that case.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-03-03T11:11:48.541Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 39230
File: apps/meteor/app/api/server/v1/chat.ts:214-222
Timestamp: 2026-03-03T11:11:48.541Z
Learning: In apps/meteor/server/lib/moderation/reportMessage.ts, the reportMessage function validates that description is not empty or whitespace-only with `if (!description.trim())`. When migrating the chat.reportMessage endpoint to OpenAPI, adding minLength validation to the schema preserves this existing behavior.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-04-10T21:17:22.932Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40096
File: apps/meteor/ee/server/apps/lib/redactor.ts:3-17
Timestamp: 2026-04-10T21:17:22.932Z
Learning: In RocketChat/Rocket.Chat, `X-User-Id` / `x-user-id` headers must NOT be added to redaction paths in apps log redaction (e.g., `apps/meteor/ee/server/apps/lib/redactor.ts`). The maintainer (d-gubert) has confirmed that X-User-Id is an identifier, not a credential — its presence in logs is useful for diagnostics, and `X-Auth-Token` is the only header that constitutes a real secret. Do not suggest redacting X-User-Id in future reviews of this area.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-04-29T19:33:29.434Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40268
File: apps/meteor/client/startup/startup.ts:48-56
Timestamp: 2026-04-29T19:33:29.434Z
Learning: In `apps/meteor/client/startup/startup.ts`, the heuristic `!userIdStore.getState() && localStorage.getItem('Meteor.loginToken') === null` calling `removeLocalUserData()` (which calls `localStorage.clear()`) is intentional. The maintainer (tassoevan) has confirmed this is acceptable even though it fires on fresh first-time visits with no prior login, not just on expired-token resume scenarios. Do not flag this as destructive or suggest narrowing it to specific E2EE keys in future reviews.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-01-17T01:51:47.764Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38219
File: packages/core-typings/src/cloud/Announcement.ts:5-6
Timestamp: 2026-01-17T01:51:47.764Z
Learning: In packages/core-typings/src/cloud/Announcement.ts, the AnnouncementSchema.createdBy field intentionally overrides IBannerSchema.createdBy (object with _id and optional username) with a string enum ['cloud', 'system'] to match existing runtime behavior. This is documented as technical debt with a FIXME comment at apps/meteor/app/cloud/server/functions/syncWorkspace/handleCommsSync.ts:53 and should not be flagged as an error until the runtime behavior is corrected.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-02-25T20:10:16.987Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38913
File: packages/ddp-client/src/legacy/types/SDKLegacy.ts:34-34
Timestamp: 2026-02-25T20:10:16.987Z
Learning: In the RocketChat/Rocket.Chat monorepo, packages/ddp-client and apps/meteor do not use TypeScript project references. Module augmentations in apps/meteor (e.g., declare module 'rocket.chat/rest-typings') are not visible when compiling packages/ddp-client in isolation, which is why legacy SDK methods that depend on OperationResult types for OpenAPI-migrated endpoints must remain commented out.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-05-06T20:48:08.244Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40186
File: apps/meteor/app/apps/server/bridges/uiInteraction.ts:2-2
Timestamp: 2026-05-06T20:48:08.244Z
Learning: In the RocketChat/Rocket.Chat repository, Meteor's bundler does not respect the `exports` keyword in `package.json` files. Deep imports (e.g., `rocket.chat/apps/dist/server/bridges/UiInteractionBridge`) must be used instead of relying on `exports` subpath mappings. Do not suggest adding `exports` map entries to packages consumed by Meteor (e.g., `packages/apps/package.json`) as a fix for deep imports.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-02-10T16:32:49.806Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:49.806Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON which automatically deserializes Date objects. Stream handlers (e.g., sdk.stream()) receive Date fields as Date objects directly and do not require manual conversion using `new Date()`. Only REST API responses require manual date conversion because they return plain JSON where dates are serialized as strings.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
📚 Learning: 2026-03-09T18:39:14.020Z
Learnt from: Harxhit
Repo: RocketChat/Rocket.Chat PR: 39476
File: apps/meteor/server/methods/addAllUserToRoom.ts:0-0
Timestamp: 2026-03-09T18:39:14.020Z
Learning: When implementing batch processing in server methods, favor a single data pass to collect both the items and any derived fields needed for validation. Use the same dataset for both validation and processing to avoid races between validation and execution, and document the approach in code comments. Apply this pattern to similar Meteor Rocket.Chat server methods under apps/meteor/server/methods to prevent race conditions and ensure consistent batch behavior.

Applied to files:

  • apps/meteor/server/methods/messageSearch.ts
🪛 ast-grep (0.43.0)
apps/meteor/server/lib/parseMessageSearchQuery.ts

[warning] 260-260: Regular expression constructed from variable input detected. This can lead to Regular Expression Denial of Service (ReDoS) attacks if the variable contains malicious patterns. Use libraries like 'recheck' to validate regex safety or use static patterns.
Context: new RegExp(text, 'i')
Note: [CWE-1333] Inefficient Regular Expression Complexity [REFERENCES]
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html

(regexp-from-variable)

Comment thread apps/meteor/server/lib/parseMessageSearchQuery.ts

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 2 files (changes from recent commits).

Comment thread apps/meteor/server/lib/parseMessageSearchQuery.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
apps/meteor/server/lib/parseMessageSearchQuery.ts (1)

251-260: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Fix parsing of inline /pattern/flags regexes when the pattern contains /

  • The `text.split('/')` logic at lines 251-260 assumes `r[1]` is the pattern and `r[2]` is the flags; for inputs like `/a\/b/i`, `split('/')` mis-parses into `r[1] = 'a\\'` and `r[2] = 'b'`, so `new RegExp(r[1], r[2].replace(/x/g, ''))` throws and the `$regex`/`$options` are wrong for legitimate searches.
  • Use capture-group extraction (`text.match(/^\/(.+)\/([imxs]*)$/)`) instead of `split('/')` and keep stripping `x` only for the JS-side validation regex.
🔧 Proposed fix using capture groups
 	if (/^\/.+\/[imxs]*$/.test(text)) {
-		const r = text.split('/');
+		const match = text.match(/^\/(.+)\/([imxs]*)$/);
+		if (!match) {
+			return text;
+		}
+		const pattern = match[1];
+		const flags = match[2];

 		// We remove the 'x' flag that JS does not support but Mongo does
-		new RegExp(r[1], r[2].replace(/x/g, ''));
+		new RegExp(pattern, flags.replace(/x/g, ''));

 		this.query.msg = {
-			$regex: r[1],
-			$options: r[2],
+			$regex: pattern,
+			$options: flags,
 		};
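Review bot: The `if (!match) { return text; }` branch can never run, because the enclosing `if (/^\/.+\/[imxs]*$/.test(text))` has already accepted the same pattern that `text.match(/^\/(.+)\/([imxs]*)$/)` uses; run the capture-group match once and use its result as the condition instead of testing and then matching. Because `(.+)` is greedy, the last `/` in the input becomes the delimiter, which is what makes `/a\/b/i` parse correctly, and that input deserves its own test case. Note also that `new RegExp(pattern, flags.replace(/x/g, ''))` validates the pattern without `x` while `$options: flags` still sends `x` to Mongo, so this check confirms JavaScript syntax only and the call has to stay inside the error handling this PR adds.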
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/server/lib/parseMessageSearchQuery.ts` around lines 251 - 260,
The regex parsing logic incorrectly uses text.split('/') which breaks when the
pattern contains escaped slashes (e.g. /a\/b/i); replace the split-based parsing
with a capture-group match like using text.match(/^\/(.+)\/([imxs]*)$/) to
extract pattern and flags, validate flags by removing 'x' only for the JS RegExp
constructor check, and then set this.query.msg.$regex and $options from the
captured groups (ensuring you still create a new RegExp for validation using the
flags with 'x' stripped). Ensure the change targets the inline /pattern/flags
handling in parseMessageSearchQuery (the block that currently does new
RegExp(r[1], r[2].replace(/x/g, '')) and sets this.query.msg).
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 42ef14d and ef43589.

📒 Files selected for processing (1)
  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: ⚙️ Variables Setup
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
  • GitHub Check: Hacktron Security Check
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
🧠 Learnings (21)
📚 Learning: 2026-04-29T20:06:34.862Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40268
File: apps/meteor/client/startup/incomingMessages.ts:21-25
Timestamp: 2026-04-29T20:06:34.862Z
Learning: In `apps/meteor/client/startup/incomingMessages.ts`, the `Messages.state.update` predicate that strips `ignored` from records when `'ignored' in sub` is false (i.e., the subscription update has no `ignored` field) is intentional. Absence of `ignored` in a `subscriptions-changed` event means the user's ignore list is empty/reset, so clearing all existing `ignored` flags on messages for that room is the correct behavior. Do not flag this as an unintentional ignored-state reset on unrelated subscription updates.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-03-16T23:33:15.721Z
Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: apps/meteor/app/api/server/v1/users.ts:862-869
Timestamp: 2026-03-16T23:33:15.721Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs (e.g., PR `#39676` for users.register in apps/meteor/app/api/server/v1/users.ts), calls to `this.parseJsonQuery()` inside migrated handlers are intentionally preserved without adding a corresponding `query` AJV schema to the route options. Adding query-param schemas for the `fields`/`sort`/`query` parameters consumed by `parseJsonQuery()` is a separate cross-cutting concern shared by many endpoints (e.g., users.create, users.update, users.list) and is explicitly out of scope for individual endpoint migration PRs. Do not flag the absence of a `query` schema for `parseJsonQuery()` usage as a violation of OpenAPI/AJV contract during migration reviews.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-04-18T12:32:53.425Z
Learnt from: rodrigok
Repo: RocketChat/Rocket.Chat PR: 38623
File: apps/meteor/app/lib/server/functions/cleanRoomHistory.ts:146-149
Timestamp: 2026-04-18T12:32:53.425Z
Learning: In `apps/meteor/app/lib/server/functions/cleanRoomHistory.ts` (PR `#38623`), the read-receipt cleanup (both `ReadReceipts.removeByMessageIds` and `ReadReceiptsArchive.removeByMessageIds`) is intentionally only performed in the limited prune path (`limit && selectedMessageIds`). The unlimited/delete-all path (`limit === 0`) deliberately skips cleaning up orphaned read receipts in both hot and cold storage — this is by design. Do not flag this as a bug or missing cleanup in future reviews.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-03-11T22:04:20.529Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 39545
File: apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts:59-61
Timestamp: 2026-03-11T22:04:20.529Z
Learning: In `apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts`, the `msg.u._id === uid` early-return in the `streamNewMessage` handler is intentional: the "New messages" indicator is designed to notify about messages from other users only. Self-sent messages — including those sent from a different session/device — are always skipped, by design. Do not flag this as a multi-session regression.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-04-17T23:32:07.223Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 38357
File: apps/meteor/app/apps/server/converters/messages.ts:348-352
Timestamp: 2026-04-17T23:32:07.223Z
Learning: In `apps/meteor/app/apps/server/converters/messages.ts`, the `timestamp` handler inside `_convertAttachmentsToApp` uses a non-null assertion (`attachment.ts!`) intentionally. The `ts` property on `MessageAttachment` is optional only to accommodate MessageAttachment creation-time scenarios; by the time `_convertAttachmentsToApp` is called, the message has already been stored and the attachment is guaranteed to have a `ts` value. Do not flag this non-null assertion as unsafe during code review.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-05-26T19:18:05.882Z
Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 40644
File: apps/meteor/client/views/room/contextualBar/Threads/components/ThreadMessageList.tsx:145-147
Timestamp: 2026-05-26T19:18:05.882Z
Learning: In `apps/meteor/client/views/room/contextualBar/Threads/components/ThreadMessageList.tsx`, the `clearMsgJumpParam` cleanup in the timed effect (around line 145) intentionally clears the `msg` query parameter only when the target message IS found in `messages` (thread replies) and is not `mainMessage._id`. This is correct behavior: if `msgJumpParam` refers to a non-reply message (e.g., a main channel message), the main message list handles cleanup, so `ThreadMessageList` must not clear the param in that case.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-05-25T18:33:22.615Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40677
File: apps/meteor/packages/rocketchat-mongo-config/server/index.js:43-46
Timestamp: 2026-05-25T18:33:22.615Z
Learning: In `apps/meteor/packages/rocketchat-mongo-config/server/index.js`, the `Email.sendAsync` override that logs email options to console is intentionally unrestricted (logs full options) — this is a test-mode-only path (TEST_MODE === 'true' or 'api') and logging the full options object is acceptable. Do not flag this as a sensitive data leak in code reviews.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-04-20T17:11:59.452Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40225
File: apps/meteor/ee/server/apps/communication/endpoints/appLogsHandler.ts:55-71
Timestamp: 2026-04-20T17:11:59.452Z
Learning: In `apps/meteor/ee/server/apps/communication/endpoints/appLogsHandler.ts`, the concern about an empty `?appId=` query param bypassing the truthy check and overriding the path `appId` in the `makeAppLogsQuery` spread is not relevant. The AJV query schema (`isAppLogsProps`) validates and rejects invalid/empty `appId` values before the action handler is reached, making the in-handler guard sufficient as-is. Do not flag this pattern as a vulnerability in future reviews of this file.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-04-10T21:17:22.932Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40096
File: apps/meteor/ee/server/apps/lib/redactor.ts:3-17
Timestamp: 2026-04-10T21:17:22.932Z
Learning: In RocketChat/Rocket.Chat, `X-User-Id` / `x-user-id` headers must NOT be added to redaction paths in apps log redaction (e.g., `apps/meteor/ee/server/apps/lib/redactor.ts`). The maintainer (d-gubert) has confirmed that X-User-Id is an identifier, not a credential — its presence in logs is useful for diagnostics, and `X-Auth-Token` is the only header that constitutes a real secret. Do not suggest redacting X-User-Id in future reviews of this area.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2025-12-10T21:00:54.909Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:54.909Z
Learning: Rocket.Chat monorepo: Jest testMatch pattern '<rootDir>/src/**/*.spec.(ts|js|mjs)' is valid in this repo and used across multiple packages (e.g., packages/tools, ee/packages/omnichannel-services). Do not flag it as invalid in future reviews.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-03-11T18:15:53.272Z
Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39425
File: apps/meteor/app/api/server/v1/rooms.ts:294-296
Timestamp: 2026-03-11T18:15:53.272Z
Learning: In Rocket.Chat's `rooms.mediaConfirm/:rid/:fileId` endpoint (apps/meteor/app/api/server/v1/rooms.ts), updating `file.name` from `bodyParams.fileName` without updating `file.path` is intentionally safe. The file path is keyed by `_id` (not by filename), so the stored path remains valid regardless of a rename. `file.name` only affects the display name in the message attachment; do not flag this as a path-divergence issue.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-05-21T17:42:41.568Z
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 40643
File: packages/apps/src/server/compiler/AppPackageParser.ts:20-22
Timestamp: 2026-05-21T17:42:41.568Z
Learning: In `packages/apps/src/server/compiler/AppPackageParser.ts` (RocketChat/Rocket.Chat), inline implementation comments are acceptable and preferred when the code's intent is non-obvious. For example, explaining why `version.split('-')[0]` is used (to strip pre-release suffixes like `-rc.0`, `-dev` before semver comparison) is considered well-placed even if general guidelines discourage implementation comments. Do not flag such explanatory comments as violations.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-06-01T18:56:35.198Z
Learnt from: jeanfbrito
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-06-01T18:56:35.198Z
Learning: In the Rocket.Chat repository, the "avoid explanatory comments in implementation files" guideline originates from `.cursor/rules/playwright.mdc` and is scoped **only to Playwright test files**. The `**/*.{ts,tsx,js}` glob in that rule over-matches general `src/` TypeScript/JavaScript source files. Do not flag explanatory comments in `src/**/*.{ts,tsx}` implementation files as violating this rule; comments documenting non-obvious behavior in source files are acceptable and encouraged.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-03-06T18:10:23.330Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:23.330Z
Learning: In the RocketChat/Rocket.Chat `packages/gazzodown` package and more broadly, the HTML `<code>` element has an implicit ARIA role of `code` per WAI-ARIA 1.3, and `testing-library/dom` / jsdom supports it. Therefore, `screen.getByRole('code')` / `screen.findByRole('code')` correctly locates `<code>` elements without needing an explicit `role="code"` attribute. Do NOT flag `findByRole('code')` as invalid in future reviews.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-03-16T22:56:54.500Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 39677
File: packages/models/src/helpers/omnichannel/agentStatus.ts:10-29
Timestamp: 2026-03-16T22:56:54.500Z
Learning: In `packages/models/src/helpers/omnichannel/agentStatus.ts` (PR `#39677`), the `queryStatusAgentOnline` function intentionally omits the `$or` offline-status guard for non-bot agents when `isLivechatEnabledWhenAgentIdle === true`. This is by design: the setting `Livechat_enabled_when_agent_idle` (`accept_chats_when_agent_idle`) means agents should receive chats even when idle/offline, so the offline filter must be removed in that path. Bots are always status-agnostic and are always included regardless of their online/offline status. Do not flag this as a bug.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-01-17T01:51:47.764Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38219
File: packages/core-typings/src/cloud/Announcement.ts:5-6
Timestamp: 2026-01-17T01:51:47.764Z
Learning: In packages/core-typings/src/cloud/Announcement.ts, the AnnouncementSchema.createdBy field intentionally overrides IBannerSchema.createdBy (object with _id and optional username) with a string enum ['cloud', 'system'] to match existing runtime behavior. This is documented as technical debt with a FIXME comment at apps/meteor/app/cloud/server/functions/syncWorkspace/handleCommsSync.ts:53 and should not be flagged as an error until the runtime behavior is corrected.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-02-24T19:36:55.089Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/page-objects/fragments/home-content.ts:60-82
Timestamp: 2026-02-24T19:36:55.089Z
Learning: In RocketChat/Rocket.Chat e2e tests (apps/meteor/tests/e2e/page-objects/fragments/home-content.ts), thread message preview listitems do not have aria-roledescription="message", so lastThreadMessagePreview locator cannot be scoped to messageListItems (which filters for aria-roledescription="message"). It should remain scoped to page.getByRole('listitem') or mainMessageList.getByRole('listitem').

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-03-10T08:13:52.153Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 39414
File: apps/meteor/app/api/server/v1/rooms.ts:1241-1297
Timestamp: 2026-03-10T08:13:52.153Z
Learning: In the RocketChat/Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1/rooms.ts, the pattern `ajv.compile<void>({...})` is intentionally used for the 200 response schema even when the endpoint returns `{ success: true }`. This is an established convention across all migrated endpoints (rooms.leave, rooms.favorite, rooms.delete, rooms.muteUser, rooms.unmuteUser). Do not flag this as a type mismatch during reviews of these migration PRs.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
📚 Learning: 2026-05-06T12:21:44.083Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

  • apps/meteor/server/lib/parseMessageSearchQuery.ts
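
The inline `/pattern/flags` handling discussed in the review comment above, as an added example that is not part of the PR or the project's code: it contrasts split-based and capture-group parsing and rejects a term whose pattern or flags do not compile, instead of building a `$regex` filter from it. The function names, the result shape and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example (not project code). All names here are hypothetical.

// Split-based parsing as described in the review comment: it assumes the
// pattern never contains "/", so "/a\/b/i" is cut in the wrong place.
function parseWithSplit(text) {
  const r = text.split('/');
  return { pattern: r[1], flags: r[2] };
}

// Capture-group parsing: the greedy (.+) makes the LAST "/" the delimiter,
// so slashes inside the pattern stay part of the pattern.
function parseWithCapture(text) {
  const match = /^\/(.+)\/([imxs]*)$/.exec(text);
  if (!match) {
    return null;
  }
  return { pattern: match[1], flags: match[2] };
}

// Classifies a search term. Only a term that parses as a regex literal AND
// compiles in JavaScript yields a filter; everything else is reported with
// a reason so the caller can return an empty result instead of querying.
function classifySearchTerm(text) {
  const parsed = parseWithCapture(text);
  if (!parsed) {
    return { ok: false, reason: 'not-a-regex-literal' };
  }
  try {
    // "x" is accepted by MongoDB but not by JavaScript, so it is stripped
    // for this syntax check only; the original flags go into $options.
    new RegExp(parsed.pattern, parsed.flags.replace(/x/g, ''));
  } catch (err) {
    if (err instanceof SyntaxError) {
      return { ok: false, reason: 'invalid-regex' };
    }
    throw err;
  }
  return {
    ok: true,
    filter: { msg: { $regex: parsed.pattern, $options: parsed.flags } },
  };
}

// Constructed sample inputs: a leading quantifier, an escaped slash,
// a duplicated flag, the Mongo-only "x" flag, and plain text.
const samples = ['/*test/', '/a\\/b/i', '/a/ii', '/hello world/x', 'test'];
for (const term of samples) {
  console.log(term, '=>', JSON.stringify(classifySearchTerm(term)));
}
```

The JavaScript check only establishes that the pattern compiles in JavaScript; the database call still needs its own error handling.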

Comment thread apps/meteor/tests/end-to-end/api/chat.ts Outdated
Comment thread apps/meteor/tests/end-to-end/api/chat.ts Outdated
Comment thread apps/meteor/server/methods/messageSearch.ts
Comment thread apps/meteor/server/lib/parseMessageSearchQuery.ts

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 2 files (changes from recent commits).

Comment thread apps/meteor/server/methods/messageSearch.ts
@nazabucciarelli nazabucciarelli requested a review from KevLehman June 4, 2026 16:42
@nazabucciarelli nazabucciarelli added the stat: QA assured Means it has been tested and approved by a company insider label Jun 4, 2026
@dionisio-bot dionisio-bot Bot added the stat: ready to merge PR tested and approved waiting for merge label Jun 4, 2026
@dionisio-bot dionisio-bot Bot added this pull request to the merge queue Jun 4, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 4, 2026
@nazabucciarelli nazabucciarelli removed the stat: QA assured Means it has been tested and approved by a company insider label Jun 4, 2026
@dionisio-bot dionisio-bot Bot removed the stat: ready to merge PR tested and approved waiting for merge label Jun 4, 2026
@nazabucciarelli nazabucciarelli added the stat: QA assured Means it has been tested and approved by a company insider label Jun 4, 2026
@dionisio-bot dionisio-bot Bot added the stat: ready to merge PR tested and approved waiting for merge label Jun 4, 2026
@dionisio-bot dionisio-bot Bot added this pull request to the merge queue Jun 4, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 4, 2026
@nazabucciarelli nazabucciarelli removed the stat: QA assured Means it has been tested and approved by a company insider label Jun 4, 2026
@dionisio-bot dionisio-bot Bot removed the stat: ready to merge PR tested and approved waiting for merge label Jun 4, 2026
@nazabucciarelli nazabucciarelli added the stat: QA assured Means it has been tested and approved by a company insider label Jun 4, 2026
@dionisio-bot dionisio-bot Bot added the stat: ready to merge PR tested and approved waiting for merge label Jun 4, 2026
@dionisio-bot dionisio-bot Bot added this pull request to the merge queue Jun 4, 2026
Merged via the queue into develop with commit bf9061f Jun 4, 2026
48 checks passed
@dionisio-bot dionisio-bot Bot deleted the fix/messages-regex-search-crashes-workspace branch June 4, 2026 21:55
gabriellsh pushed a commit that referenced this pull request Jun 5, 2026

Labels

stat: QA assured Means it has been tested and approved by a company insider stat: ready to merge PR tested and approved waiting for merge type: bug


2 participants