fix: use parameterized queries in RQL utility functions #1547

Merged
AmanGIT07 merged 1 commit into main from fix/use-paramatersised-queries
Apr 17, 2026

@AmanGIT07
Contributor

Description:

Summary

  • Replace raw string interpolation (goqu.L(fmt.Sprintf(...))) with goqu's
    parameterized expression API (goqu.Cast().ILike(), goqu.I().IsNull(), etc.)
    in shared RQL query builder utilities and repository-level filter functions
  • Add Prepared(true) to query builders in audit record, prospect, and user PAT
    repositories for defense-in-depth

Changes

  • pkg/utils/rql.go: AddRQLSearchInQuery and ProcessStringDataType now use
    goqu expression builders instead of goqu.L(fmt.Sprintf(...))
  • internal/store/postgres/org_billing_repository.go — same fix in local
    processStringDataType (covers like, notlike, ilike, notilike, empty, notempty)
  • internal/store/postgres/org_projects_repository.go — same fix in
    applyStringFilter (empty/notempty) and applyDatetimeFilter (timestamp cast)
  • internal/store/postgres/org_users_repository.go — same fix in
    buildNonRoleFilterCondition (empty/notempty)
  • Added Prepared(true) to audit_record, prospect, userpat repositories

TODO

  • Add global goqu.SetDefaultPrepared(true) at application startup to enforce
    prepared statements across all repositories by default

Test plan

  • All existing unit tests pass (updated expected SQL in 3 test files)
  • make lint passes with 0 issues
  • Smoke test on affected RQL endpoints (audit records, org invoices, prospects, user PATs, org projects, org users, org billing)
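
The difference between the two patterns named in the summary, as an added example that is not code from this PR or the project: a standard-library-only Go stand-in for the filter builders, written without goqu. `Filter`, `allowedColumns`, `unsafeCond` and `safeCond` are hypothetical names, and the emitted SQL shapes are assumptions modelled on the description above.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter is a hypothetical stand-in for one RQL string filter.
type Filter struct{ Name, Operator, Value string }

// Identifiers cannot be bound as parameters, so column names are allow-listed.
var allowedColumns = map[string]bool{"title": true, "state": true}

// unsafeCond is the "before" shape: the value becomes part of the SQL text.
func unsafeCond(f Filter) string {
	return fmt.Sprintf("CAST(%s AS TEXT) ILIKE '%s'", f.Name, f.Value)
}

// safeCond is the "after" shape: SQL text with $n placeholders plus bound
// values. used is the number of parameters the enclosing query already has.
func safeCond(f Filter, used int) (string, []interface{}, error) {
	if !allowedColumns[f.Name] {
		return "", nil, fmt.Errorf("unknown column %q", f.Name)
	}
	col, ph := `"`+f.Name+`"`, fmt.Sprintf("$%d", used+1)
	switch f.Operator {
	case "empty": // explicit NULL check instead of coalesce(col, '')
		return fmt.Sprintf("(%s IS NULL OR %s = %s)", col, col, ph), []interface{}{""}, nil
	case "notempty":
		return fmt.Sprintf("(%s IS NOT NULL AND %s <> %s)", col, col, ph), []interface{}{""}, nil
	case "like", "ilike", "notlike", "notilike":
		op := strings.ToUpper(strings.TrimPrefix(f.Operator, "not"))
		if strings.HasPrefix(f.Operator, "not") {
			op = "NOT " + op
		}
		return fmt.Sprintf("CAST(%s AS TEXT) %s %s", col, op, ph), []interface{}{f.Value}, nil
	}
	return "", nil, fmt.Errorf("unsupported operator %q", f.Operator)
}

func main() {
	f := Filter{"title", "ilike", "%o'brien%"} // constructed input with a quote
	fmt.Println("interpolated: ", unsafeCond(f)) // quote ends the literal early
	sql, args, err := safeCond(f, 2)
	fmt.Println("parameterized:", sql, args, err) // text is fixed, value is bound
}
```

The interpolated form yields `ILIKE '%o'brien%'`, where the embedded quote terminates the string literal. The parameterized form keeps the statement text constant and sends the value separately as `$3`.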

@vercel

vercel bot commented Apr 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

  • Project: frontier
  • Deployment: Ready
  • Actions: Preview, Comment
  • Updated (UTC): Apr 17, 2026 4:39am

@coderabbitai
Contributor

coderabbitai bot commented Apr 17, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Refactor
    • Optimized database queries with prepared statement support across repositories
    • Enhanced string filtering logic with explicit NULL checks replacing coalesce patterns
    • Standardized datetime filtering with typed casting for consistency
    • Unified search pattern matching to use structured query builders instead of manual SQL formatting
    • Improved filter handling for empty/non-empty and like/not-like operators

Walkthrough

This PR refactors SQL query construction across PostgreSQL repositories by replacing raw SQL string formatting with structured goqu expressions, replacing coalesce() null-handling patterns with explicit IS NULL/IS NOT NULL checks, and enabling prepared statement mode on several base queries.

Changes

  • Prepared Statement Enablement
    • Files: internal/store/postgres/audit_record_repository.go, internal/store/postgres/prospect_repository.go, internal/store/postgres/userpat_repository.go
    • Summary: Added .Prepared(true) to base dialect.From() statements to enable prepared statement generation on query builders.
  • String Filter Refactoring
    • Files: internal/store/postgres/org_billing_repository.go, internal/store/postgres/org_projects_repository.go, internal/store/postgres/org_users_repository.go
    • Summary: Replaced coalesce(field, '') patterns with explicit NULL/equality checks for empty/notempty operators. Converted raw SQL string formatting for like/notlike/ilike/notilike operators to structured goqu cast and method expressions.
  • Test Updates – Billing & Projects
    • Files: internal/store/postgres/org_billing_repository_test.go, internal/store/postgres/org_projects_repository_test.go
    • Summary: Updated expected SQL conditions and parameter placeholders to reflect refactored string filter and datetime casting logic, adjusting argument ordering and placeholder indices.
  • Test Updates – Users
    • Files: internal/store/postgres/org_users_repository_test.go
    • Summary: Updated expected SQL for the empty operator from coalesce() pattern to explicit IS NULL OR equals '' disjunction.
  • Utility RQL Refactoring
    • Files: pkg/utils/rql.go
    • Summary: Refactored free-text search to use Cast(col AS TEXT).ILike(pattern) builder expressions. Updated empty/notempty string filters to use explicit NULL/equality predicates and converted like/notlike operators to structured goqu expressions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes


@coveralls

Coverage Report for CI Build 24547980609

Coverage decreased (-0.001%) to 41.815%

Details

  • Coverage decreased (-0.001%) from the base build.
  • Patch coverage: 17 uncovered changes across 5 files (5 of 22 lines covered, 22.73%).
  • 1 coverage regression across 1 file.

Uncovered Changes

File Changed Covered %
pkg/utils/rql.go 8 0 0.0%
internal/store/postgres/org_billing_repository.go 6 1 16.67%
internal/store/postgres/org_projects_repository.go 3 1 33.33%
internal/store/postgres/org_users_repository.go 2 1 50.0%
internal/store/postgres/userpat_repository.go 1 0 0.0%

Coverage Regressions

1 previously-covered line in 1 file lost coverage.

File Lines Losing Coverage Coverage
pkg/utils/rql.go 1 0.0%

Coverage Stats

Coverage Status
Relevant Lines: 36896
Covered Lines: 15428
Line Coverage: 41.81%
Coverage Strength: 11.81 hits per line

💛 - Coveralls

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
internal/store/postgres/org_projects_repository.go (1)

216-223: ⚠️ Potential issue | 🟡 Minor

Cast target should be TIMESTAMPTZ, not TIMESTAMP.

projects.created_at is a timezone-aware column (TIMESTAMPTZ) in Postgres, and casting incoming RFC3339 strings to TIMESTAMP (without time zone) discards the offset and interprets the value as a local timestamp. This can yield subtly wrong comparisons across sessions with differing TimeZone settings.

Update the cast and the corresponding expectation in org_projects_repository_test.go:

Proposed fix
-			filter.Operator: goqu.Cast(goqu.V(filter.Value), "TIMESTAMP"),
+			filter.Operator: goqu.Cast(goqu.V(filter.Value), "TIMESTAMPTZ"),
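
Review bot: nothing on the changed line checks that filter.Value is a well-formed timestamp before it is bound into the cast, so with either target type a malformed value is only rejected inside Postgres at execution time. Consider parsing it with time.Parse(time.RFC3339, ...) in applyDatetimeFilter and returning a validation error before the expression is built.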

Test expectation (line 62):

-`CAST($3 AS TIMESTAMP)
+`CAST($3 AS TIMESTAMPTZ)

🧹 Nitpick comments (2)
internal/store/postgres/org_billing_repository_test.go (1)

106-107: Test expectations correctly reflect the new notempty expansion and shifted placeholders.

Consider adding a dedicated test case for like/ilike operators on this repo to lock in the new parameterized-pattern semantics (ties into the wildcard-wrapping concern raised on org_billing_repository.go).

internal/store/postgres/org_projects_repository.go (1)

197-199: LGTM on the empty/notempty rewrite.

Consistent with the shared helper and the other repositories. One observation (not blocking): this logic is now duplicated across pkg/utils/rql.go::ProcessStringDataType, org_billing_repository.go::processStringDataType, org_users_repository.go::buildNonRoleFilterCondition, and here. Worth consolidating in a follow-up.


📥 Commits

Reviewing files that changed from the base of the PR and between b1afc54 and 33ff9e1.

📒 Files selected for processing (10)
  • internal/store/postgres/audit_record_repository.go
  • internal/store/postgres/org_billing_repository.go
  • internal/store/postgres/org_billing_repository_test.go
  • internal/store/postgres/org_projects_repository.go
  • internal/store/postgres/org_projects_repository_test.go
  • internal/store/postgres/org_users_repository.go
  • internal/store/postgres/org_users_repository_test.go
  • internal/store/postgres/prospect_repository.go
  • internal/store/postgres/userpat_repository.go
  • pkg/utils/rql.go

Comment thread internal/store/postgres/org_billing_repository.go
Comment thread pkg/utils/rql.go
AmanGIT07

This comment was marked as outdated.

@AmanGIT07 AmanGIT07 merged commit 04ecbe8 into main Apr 17, 2026
8 checks passed
@AmanGIT07 AmanGIT07 deleted the fix/use-paramatersised-queries branch April 17, 2026 05:59