feat(sandbox): port buildOrgSnapshotWorkflow + Vercel Workflow runtime

[sweetmantech]

Summary

Closes the biggest remaining cutover gap from the gap analysis: when a recoupable org repo is requested but no snapshot exists yet, fire a durable background workflow that builds one. The current request still pays the slow full-clone path; what's protected is that future sessions for the same org warm-boot from the new snapshot in seconds.

This is the first Vercel Workflow integration in api. Per the direction of using Vercel Workflow as the runner going forward (deprecating Trigger.dev over time), this PR lands the infra alongside the first workflow.

What's new

File	Purpose
`next.config.ts`	Wraps the config with `withWorkflow` from `workflow/next` so workflow files become deployable
`app/workflows/buildOrgSnapshot.ts`	Preserves open-agents' workflow code structure. One step that calls api's existing `refreshBaseSnapshot` (inlined via #507) — provision sandbox named ``, run `git clone --depth=1 `, snapshot
`lib/sandbox/kickBuildOrgSnapshotWorkflow.ts`	Fire-and-forget `start(buildOrgSnapshotWorkflow, [input])` from `workflow/api`. Failures logged, never surfaced
`lib/sandbox/defaultBaseSnapshotId.ts`	`DEFAULT_SANDBOX_BASE_SNAPSHOT_ID` constant, env-overridable. Used as the base image (bun + jq + agent-browser + chromium + code-server) so the workflow only does the clone
`lib/sandbox/createSandboxHandler.ts`	Wired in: when `extractOrgRepoName` returns non-null and `findOrgSnapshot` misses, kick the workflow

Plus the `workflow@^4.2.0-beta.72` package and lockfile.

Behavior

POST `/api/sandbox` flow now:

1. Auth + ownership (unchanged)
2. `extractOrgRepoName(repoUrl)` (unchanged)
3. `findOrgSnapshot(orgRepoName)` (unchanged) → hit OR miss
4. NEW: on a recoupable miss → `kickBuildOrgSnapshotWorkflow({cloneUrl, sandboxName})` fire-and-forget
5. `connectSandbox` provisions the session sandbox (unchanged — this request gets the full-clone path)
6. The workflow runs durably in the background; future requests for the same org hit the snapshot

The workflow itself is a faithful port of open-agents' `buildOrgSnapshotWorkflow`. Same one-step structure, same `refreshBaseSnapshot` call (already in api), same failure path (caught + logged, returns `{success: false, error}`).

TDD

Strict red → green. +3 net new tests (suite 2574 → 2577):

• kicks the workflow on recoupable miss with the right input
• does NOT kick when an existing snapshot is found (hit case)
• does NOT kick for non-recoupable repos

Verification

Check	Result
`pnpm test`	✅ 2577 / 2577 pass
`pnpm lint:check`	✅ clean
`tsc --noEmit` for new files	✅ clean

Test plan

• CI green
• Preview build succeeds (the `withWorkflow` wrapper is a build-time change — first-time workflow integration)
• Preview: POST /api/sandbox with a recoupable org URL that has no snapshot → response 200 (cold-clone path), workflow run shows up in Vercel dashboard, and a few minutes later `vercel sandbox snapshots list` shows a new `created` snapshot for that org name
• Preview: POST again with the same URL → `[findOrgSnapshot]` log line shows hit, `readyMs` drops dramatically, no second workflow kick

What follows (Phase 2)

This was Phase 1 (build-org-snapshot — small, self-contained). Phase 2 is the bigger one:

• `sandboxLifecycleWorkflow` (123 lines, stateful while-loop with timed sleeps, `lifecycle_run_id` lease semantics)
• `evaluateSandboxLifecycle` and 4-5 dependent helpers
• Wire `sandbox-created` and `status-check-overdue` kicks

Will land in its own PR. Phase 1 already closes the largest user-visible cutover gap (~75s cold-start regression for new orgs).

🤖 Generated with Claude Code

---

Summary by cubic

Adds a background Vercel Workflow that builds an org snapshot when a recoupable repo is requested and no snapshot exists, so future sessions start in seconds. Enables the Vercel Workflow runtime and hardens the build step.

• New Features

  • Added buildOrgSnapshotWorkflow + buildSnapshotStep to provision, shallow-clone, and snapshot org repos via refreshBaseSnapshot; uses DEFAULT_SANDBOX_BASE_SNAPSHOT_ID (env overridable).
  • Updated createSandboxHandler to fire-and-forget kickBuildOrgSnapshotWorkflow on a recoupable snapshot miss; current request still full-clones.
  • Enabled Vercel Workflows via withWorkflow(nextConfig); workflows live in app/workflows/*; added workflow@^4.2.4.

• Bug Fixes

  • Pointed DEFAULT_SANDBOX_BASE_SNAPSHOT_ID to a Recoup team snapshot snap_RgVtpDO4y1BJHQiUbptMwS3Rt2EQ to stop 404s.
  • Hardened the build: shell-escape the git clone URL to prevent command injection; removed cloneUrl from logs to avoid leaking credentials.

^{Written for commit 27cce76. Summary will update on new commits.}

Summary by CodeRabbit

• New Features
  • Added organization snapshot building capability to accelerate sandbox initialization
  • Implemented background snapshot warm-up mechanism for faster subsequent sandbox provisioning
  • Enhanced sandbox creation flow with automatic organization snapshot detection and management

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
api	Ready	Preview	May 7, 2026 9:12pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces a Vercel durable workflow system for building and caching organization repository snapshots. When a sandbox is created for an organization repo without a cached snapshot, the handler asynchronously initiates a background workflow to clone the repo into a base sandbox and save the result, enabling faster provisioning on subsequent accesses.

Changes

Organization Snapshot Build Workflow

Layer / File(s)	Summary
Types and Configuration lib/sandbox/defaultBaseSnapshotId.ts	Introduces DEFAULT_SANDBOX_BASE_SNAPSHOT_ID sourced from environment variable with hardcoded fallback snapshot ID; includes documentation on usage and refresh procedures.
Snapshot Build Step app/workflows/buildSnapshotStep.ts	Defines BuildOrgSnapshotInput contract and implements buildSnapshotStep to provision a sandbox from the base snapshot, retrieve a service GitHub token, execute git clone --depth=1 of the repository, and return the new snapshot ID.
Workflow Orchestration app/workflows/buildOrgSnapshotWorkflow.ts	Implements the durable workflow that invokes buildSnapshotStep, logs execution, normalizes exceptions to error strings, and returns typed payloads: { success: true, snapshotId } or { success: false, error }.
Fire-and-Forget Launcher lib/sandbox/kickBuildOrgSnapshotWorkflow.ts	Provides kickBuildOrgSnapshotWorkflow to start the workflow asynchronously without blocking, logging workflow run IDs on success and suppressing errors to prevent cascading failures.
Sandbox Handler Integration lib/sandbox/createSandboxHandler.ts	Integrates conditional workflow trigger: when an organization repository is identified but no cached snapshot exists, asynchronously kicks the build workflow before provisioning the current sandbox, enabling next-session warm-boot without blocking the current request.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A snapshot blooms in the durable night,
Cloning repos with workflow delight,
Fire-and-forget, no need to wait—
Next session boots at a blazing rate! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Solid & Clean Code	⚠️ Warning	DRY violation: Identical input interfaces defined twice. Error handling prevents workflow auto-retries by catching and returning instead of rethrowing.	Consolidate BuildOrgSnapshotInput/KickBuildOrgSnapshotInput to shared definition. Rethrow errors instead of returning success: false for proper Vercel Workflow retry semantics.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/sandbox-build-org-snapshot-workflow

Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

4 issues found across 8 files

Confidence score: 2/5

• There is a high-confidence security risk in app/workflows/buildOrgSnapshot.ts: interpolating cloneUrl directly into a shell command can enable command injection, which is a merge-blocking concern unless properly quoted/escaped.
• lib/sandbox/kickBuildOrgSnapshotWorkflow.ts logs the full cloneUrl, which can expose embedded credentials/tokens and creates meaningful security and compliance risk.
• lib/sandbox/createSandboxHandler.ts may trigger duplicate snapshot builds for the same org when a prior build is still running, introducing concrete regression risk (extra load, conflicting workflow state).
• Pay close attention to app/workflows/buildOrgSnapshot.ts, lib/sandbox/kickBuildOrgSnapshotWorkflow.ts, lib/sandbox/createSandboxHandler.ts - command execution safety, secret leakage in logs, and duplicate workflow triggering.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="app/workflows/buildOrgSnapshot.ts">

<violation number="1" location="app/workflows/buildOrgSnapshot.ts:31">
P0: Avoid interpolating `cloneUrl` directly into a shell command; quote/escape it before execution to prevent command injection.</violation>

<violation number="2" location="app/workflows/buildOrgSnapshot.ts:38">
P2: Custom agent: **Module should export a single primary function whose name matches the filename**

Primary export name must match the filename basename; `buildOrgSnapshotWorkflow` does not match `buildOrgSnapshot`.</violation>
</file>

<file name="lib/sandbox/kickBuildOrgSnapshotWorkflow.ts">

<violation number="1" location="lib/sandbox/kickBuildOrgSnapshotWorkflow.ts:27">
P1: Avoid logging the full `cloneUrl`; it can leak embedded repository credentials or tokens.</violation>
</file>

<file name="lib/sandbox/createSandboxHandler.ts">

<violation number="1" location="lib/sandbox/createSandboxHandler.ts:75">
P2: The new snapshot-miss branch can repeatedly start duplicate build workflows for the same org while an earlier build is still in progress.</violation>
</file>

Architecture diagram

sequenceDiagram
    participant Client as External Client
    participant Handler as createSandboxHandler
    participant Extract as extractOrgRepoName
    participant Snap as findOrgSnapshot
    participant Kick as kickBuildOrgSnapshotWorkflow
    participant Workflow as Vercel Workflow Runtime
    participant WFCode as buildOrgSnapshotWorkflow
    participant Step as buildSnapshotStep
    participant Refresh as refreshBaseSnapshot
    participant Tokens as getServiceGithubToken
    participant SandboxAPI as Sandbox Service (Vercel)
    participant FutureClient as Future Client (same org)

    Note over Client,FutureClient: POST /api/sandbox - Recoupable Org Snapshot Miss

    Client->>Handler: POST /api/sandbox
    Handler->>Handler: Auth + ownership (unchanged)

    Handler->>Extract: extractOrgRepoName(repoUrl)
    Extract-->>Handler: orgRepoName or null

    alt Org repo detected
        Handler->>Snap: findOrgSnapshot(orgRepoName)
        
        alt No snapshot exists (miss)
            Snap-->>Handler: null

            Note over Handler,FutureClient: NEW: Fire-and-forget background workflow

            Handler->>Kick: kickBuildOrgSnapshotWorkflow(cloneUrl, sandboxName)
            Kick->>Kick: fire-and-forget (void promise)

            alt Workflow starts successfully
                Kick->>Workflow: start(buildOrgSnapshotWorkflow, [input])
                Workflow-->>Kick: run { runId }
                Kick->>Kick: log success
            else Workflow fails to start
                Workflow-->>Kick: error
                Kick->>Kick: log error (never surface to client)
            end

            par Background workflow execution (outside request lifecycle)
                Workflow->>WFCode: execute buildOrgSnapshotWorkflow(input)
                WFCode->>WFCode: use workflow
                WFCode->>Step: buildSnapshotStep(input)
                Step->>Step: use step

                Step->>Tokens: getServiceGithubToken()
                alt Token available
                    Tokens-->>Step: githubToken
                    Step->>Refresh: refreshBaseSnapshot(...)
                    Refresh->>SandboxAPI: provision sandbox from base snapshot
                    Refresh->>SandboxAPI: execute git clone
                    Refresh->>SandboxAPI: create snapshot
                    SandboxAPI-->>Refresh: snapshotId
                    Refresh-->>Step: result { snapshotId }
                    Step-->>WFCode: snapshotId
                    WFCode-->>Workflow: return { success: true, snapshotId }
                else Token missing
                    Tokens-->>Step: undefined
                    Step->>Step: throw Error
                    Step-->>WFCode: error caught
                    WFCode-->>Workflow: return { success: false, error }
                end
            end

        else Snapshot exists (hit)
            Snap-->>Handler: snapshotId
            Note over Handler: NEW: Do NOT kick workflow
        end
    end

    Note over Handler,FutureClient: Request continues with full-clone path (unchanged)

    Handler->>Handler: connectSandbox (cold-start full clone)

    Handler-->>Client: 200 OK

    Note over FutureClient,FutureClient: Future requests for same org

    FutureClient->>Handler: POST /api/sandbox (same org)
    Handler->>Snap: findOrgSnapshot(orgRepoName)
    Snap-->>Handler: snapshotId (created by workflow)
    Handler->>Handler: warm-boot from snapshot (seconds)

    Note over FutureClient,FutureClient: Dramatically reduced cold-start

Loading

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: The new snapshot-miss branch can repeatedly start duplicate build workflows for the same org while an earlier build is still in progress.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At lib/sandbox/createSandboxHandler.ts, line 75:

<comment>The new snapshot-miss branch can repeatedly start duplicate build workflows for the same org while an earlier build is still in progress.</comment>

<file context>
@@ -67,6 +68,17 @@ export async function createSandboxHandler(request: NextRequest): Promise<NextRe
+  // the *next* session warm-boots from it. This request still pays the
+  // full-clone cold-start path — the workflow runs durably outside the
+  // request lifecycle.
+  if (orgRepoName && !orgSnapshotId) {
+    kickBuildOrgSnapshotWorkflow({
+      cloneUrl: body.repoUrl,
</file context>

[sweetmantech]

SRP - new lib file for buildSnapshotStep.ts

[sweetmantech]

SRP - new lib file for buildOrgSnapshotWorkflow.ts

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Requires human review: Auto-approval blocked by 4 unresolved issues from previous reviews.}

[sweetmantech]

End-to-end workflow loop verified

You spotted that the first run failed in the dashboard. Caught the root cause via runtime logs (`vercel logs --query "build-org-snapshot" --expand`):

```
[build-org-snapshot] Creating sandbox from base snapshot snap_EjsphVxi07bFKrfojljJdIS41KHT.
Error: Status code 404 is not ok
[build-org-snapshot] Failed for 'api': FatalError: Step "buildSnapshotStep" failed after 3 retries
```

That snapshot id lives in open-agents' Vercel team, not recoup's, so the create-from-base call returned 404 and the workflow retried 3× then bubbled.

Fix: built a recoup-team base snapshot

Did this manually via the @vercel/sandbox SDK because we couldn't access open-agents' base directly. Probed the runtime first to determine the OS:

```
NAME="Amazon Linux 2023"
ID="amzn"
PLATFORM_ID="platform:al2023"
which: dnf yum (no apt, no apk)
```

Then provisioned a clean sandbox and ran:

```bash
sudo dnf install -y jq
curl -fsSL https://bun.sh/install | sudo BUN_INSTALL=/usr/local bash
sudo npm install -g agent-browser
curl -fsSL https://code-server.dev/install.sh | sudo sh
```

`vercel sandbox snapshot --stop` → `snap_RgVtpDO4y1BJHQiUbptMwS3Rt2EQ`.

Pushed `60265ee5` to point `defaultBaseSnapshotId.ts` at it. Comment in the file documents the install commands + refresh procedure for the next person who needs to add tooling. (Chromium intentionally NOT in this base — Amazon Linux 2023's default repo doesn't carry it, and `agent-browser` fetches a managed Playwright browser on first use anyway.)

Re-test — full loop succeeded

1) Cold POST → kick → workflow ran end-to-end in ~21s:

```
[findOrgSnapshot] 'api' → miss (0 total snapshots returned)
[build-org-snapshot] Started workflow run wrun_01KR231SC0EHH2D9TPQK98TCWE for 'api'
[build-org-snapshot] workflow:start
[build-org-snapshot] step:start
[build-org-snapshot] Creating sandbox from base snapshot snap_RgVtpDO4y1BJHQiUbptMwS3Rt2EQ
[build-org-snapshot] Running command 1/1: git clone --depth=1 https://github.com/recoupable/api .
[build-org-snapshot] Creating snapshot from prepared sandbox
[build-org-snapshot] Created snapshot snap_g6FiWyWxIA0g1psgHvLqY3MJiPhH
[build-org-snapshot] Built snap_g6FiWyWxIA0g1psgHvLqY3MJiPhH for 'api'
```

`vercel sandbox snapshots list` confirms: `snap_g6FiWyWxIA0g1psgHvLqY3MJiPhH` (697 MB, status `created`).

2) Subsequent POST → hit:

```
[findOrgSnapshot] 'api' → hit snap_g6FiWyWxIA0g1psgHvLqY3MJiPhH (1 total snapshots returned)
```

What's now runtime-proven

• ✅ `withWorkflow` config wrapper builds and deploys cleanly (first Vercel Workflow integration in api)
• ✅ Workflow kicks fire from `createSandboxHandler`'s misses
• ✅ Workflow runs durably outside the request lifecycle (visible in dashboard at `/api/workflows/runs/wrun_...`)
• ✅ Workflow's step succeeds against the recoup-team base
• ✅ Resulting snapshot is findable by `findOrgSnapshot` on the next request
• ✅ Subsequent POSTs hit the workflow-built snapshot

The Phase 1 cutover gap (org snapshot building for new orgs) is closed end-to-end.

[sweetmantech]

Pushed `27cce760` addressing 3 of the 4 actionable comments.

Comment	Resolution
SRP: new lib for buildSnapshotStep	Extracted to `app/workflows/buildSnapshotStep.ts`
SRP: new lib for buildOrgSnapshotWorkflow	Extracted to `app/workflows/buildOrgSnapshotWorkflow.ts` (filename now matches the export, also resolves cubic's filename-mismatch P2)
P0 command injection (cubic)	`shellEscape(input.cloneUrl)` around the `git clone` arg. Zod + `parseGitHubRepoUrl` already reject shell-metachar URLs upstream, but defense-in-depth survives validator changes
P1 credential leak in logs (cubic)	Dropped `cloneUrl` from every log line in the workflow + kick. The validator already strips `user:token@` from URLs, but log scrubbing is the cheaper of the two layers. `sandboxName` remains in logs (regex-extracted repo name, no tokens)

Skipped cubic's P2 about duplicate workflow runs: same fire-and-forget pattern as open-agents — duplicates waste compute but aren't incorrect. Worth a Vercel Workflow idempotency key in a follow-up if it's observed in practice.

Tests + lint + tsc all green. Suite stays at 2577 (no test changes — the existing handler test mocks the kick at `@/lib/sandbox/kickBuildOrgSnapshotWorkflow`, which didn't change path).

[coderabbitai]

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details

{}

[sweetmantech]

Smoke test re-run after `27cce760` (with new org URL)

Used the URL you suggested: `https://github.com/recoupable/org-myco-wtf-80263819-9dfd-4bbf-9371-60a6185122d6\`. Full miss → workflow → hit loop visible in the logs in correct chronological order:

```
16:13:26 POST → [findOrgSnapshot] 'org-myco-wtf-...' → miss (0 total snapshots returned)
[build-org-snapshot] Started workflow run wrun_01KR24KKHN3TMCGVRK914FCX99 for 'org-myco-wtf-...'

16:13:27 [step:start] name='org-myco-wtf-...'
Creating sandbox from base snapshot snap_RgVtpDO4y1BJHQiUbptMwS3Rt2EQ
Running command 1/1: git clone --depth=1 'https://github.com/recoupable/org-myco-wtf-...' .
Created snapshot snap_5w67z2k52zns9aocc7JjuLmItm46

16:13:48 Built snap_5w67z2k52zns9aocc7JjuLmItm46 for 'org-myco-wtf-...'
[workflow run total ~22s]

16:16:20 POST → [findOrgSnapshot] 'org-myco-wtf-...' → hit snap_5w67z2k52zns9aocc7JjuLmItm46 (1 total snapshots returned)
```

Both review fixes from `27cce760` are visible in the runtime evidence

• shellEscape (P0 fix): The git clone log line shows 'https://github.com/recoupable/org-myco-wtf-...' — single quotes wrap the URL, which is shellEscape doing its job.
• Drop cloneUrl from logs (P1 fix): The kick line, workflow:start, step:start, "Built …", and "Started workflow run …" lines all show only the `sandboxName`, no URL. (The "Running command" log still shows the URL, but that comes from refreshBaseSnapshot's underlying log callback echoing the actual command being executed — it's the command, not derivative logging. Scrubbing that would mean changing the abstraction's log surface, which is outside this PR.)

Negative paths

Test	Got
no auth	401
missing repoUrl	400
non-github URL	400

Honest observation about readyMs

Path	readyMs
Miss + cold-clone	5326ms
Hit + restore-from-snapshot	11474ms

The hit case was ~6s slower than the cold path. Restoring a 727MB snapshot has overhead that exceeds the time saved on a tiny repo's git clone --depth=1. The "~75s warm-boot saves" claim from open-agents only materializes when the snapshot contains expensive state (installed node_modules, build artifacts) — my workflow currently only does git clone --depth=1, so the snapshot doesn't carry cached work worth restoring for small repos.

The infrastructure works correctly end-to-end. The performance win will appear once the workflow is extended to include a post-clone install step (e.g., bun install). That's a follow-up — meaningful but separable from this PR's scope of "the workflow runs".

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

app/workflows/buildSnapshotStep.ts (1)

28-49: ⚡ Quick win

Trim buildSnapshotStep into smaller helpers for readability.

It’s just over the function-length threshold; extracting token resolution and refresh payload construction would keep the step tighter and easier to scan.

As per coding guidelines, "Flag functions longer than 20 lines or classes with >200 lines" and "Keep functions small and focused".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/workflows/buildSnapshotStep.ts` around lines 28 - 49, The
buildSnapshotStep function is too long; extract the token resolution and the
refreshBaseSnapshot payload construction into small helpers: create a
getGithubTokenOrThrow() that encapsulates getServiceGithubToken() and throws the
existing error if not present, and create a buildRefreshPayload(input) (or
buildRefreshOptions) that returns the object passed into refreshBaseSnapshot
(baseSnapshotId, sandboxName, sandboxTimeoutMs, commandTimeoutMs, githubToken,
commands, log) using shellEscape(input.cloneUrl) for the clone command; then
simplify buildSnapshotStep to call those two helpers and await
refreshBaseSnapshot(payload). Ensure helper names (getGithubTokenOrThrow,
buildRefreshPayload) match references in buildSnapshotStep.

lib/sandbox/createSandboxHandler.ts (1)

33-157: 🏗️ Heavy lift

Split createSandboxHandler into smaller focused units.

This handler is carrying too many responsibilities in one function. Please extract at least auth/session resolution, snapshot warmup decision, and provisioning/update paths into helpers.

As per coding guidelines, "Flag functions longer than 20 lines or classes with >200 lines", "Keep functions small and focused", and for lib/**/*.ts: "Keep functions under 50 lines" and "Apply Single Responsibility Principle (SRP): one exported function per file; each file should do one thing well".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@lib/sandbox/createSandboxHandler.ts` around lines 33 - 157, The
createSandboxHandler is too large and does multiple responsibilities; split it
into focused helpers: extractSessionAndAuth(request) which wraps
validateCreateSandboxBody and selectSessions + permission checks (use symbols
validateCreateSandboxBody, selectSessions, sessionRow),
determineOrgSnapshot(repoUrl) which encapsulates extractOrgRepoName,
findOrgSnapshot and kickBuildOrgSnapshotWorkflow (use orgRepoName,
findOrgSnapshot, kickBuildOrgSnapshotWorkflow), and
provisionAndUpdateSandbox(params) which handles connectSandbox, updateSession
and installSessionGlobalSkills (use connectSandbox, updateSession,
installSessionGlobalSkills) and returns the final response payload; then have
createSandboxHandler orchestrate these smaller functions — keep each helper
under ~50 lines and export only createSandboxHandler per file to follow SRP.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/workflows/buildOrgSnapshotWorkflow.ts`:
- Around line 20-28: The current try/catch in buildOrgSnapshotWorkflow swallows
errors and returns { success: false } which prevents Vercel Workflow from
marking the run as failed; instead, after logging the error (preserve the
existing console.error call that formats message for input.sandboxName), rethrow
the original error (or throw a new Error with the message) so the workflow run
fails and can be retried; update the catch block around buildSnapshotStep so it
no longer returns { success: false } but logs then throws the error (or remove
the catch entirely to let the error bubble).

In `@lib/sandbox/createSandboxHandler.ts`:
- Around line 75-80: The current call to kickBuildOrgSnapshotWorkflow can start
duplicate workflows when parallel requests race; update
kickBuildOrgSnapshotWorkflow (and its internal call to start) to pass a
deterministic runId based on the org identifier (e.g., use `orgRepoName`) so
identical requests reuse the same workflow run; specifically, modify the
start(...) invocation inside kickBuildOrgSnapshotWorkflow to include an options
object with runId set to a stable string like `org-snapshot-${orgRepoName}`
derived from the same org identifier used in the if block, ensuring idempotent
workflow starts.

---

Nitpick comments:
In `@app/workflows/buildSnapshotStep.ts`:
- Around line 28-49: The buildSnapshotStep function is too long; extract the
token resolution and the refreshBaseSnapshot payload construction into small
helpers: create a getGithubTokenOrThrow() that encapsulates
getServiceGithubToken() and throws the existing error if not present, and create
a buildRefreshPayload(input) (or buildRefreshOptions) that returns the object
passed into refreshBaseSnapshot (baseSnapshotId, sandboxName, sandboxTimeoutMs,
commandTimeoutMs, githubToken, commands, log) using shellEscape(input.cloneUrl)
for the clone command; then simplify buildSnapshotStep to call those two helpers
and await refreshBaseSnapshot(payload). Ensure helper names
(getGithubTokenOrThrow, buildRefreshPayload) match references in
buildSnapshotStep.

In `@lib/sandbox/createSandboxHandler.ts`:
- Around line 33-157: The createSandboxHandler is too large and does multiple
responsibilities; split it into focused helpers: extractSessionAndAuth(request)
which wraps validateCreateSandboxBody and selectSessions + permission checks
(use symbols validateCreateSandboxBody, selectSessions, sessionRow),
determineOrgSnapshot(repoUrl) which encapsulates extractOrgRepoName,
findOrgSnapshot and kickBuildOrgSnapshotWorkflow (use orgRepoName,
findOrgSnapshot, kickBuildOrgSnapshotWorkflow), and
provisionAndUpdateSandbox(params) which handles connectSandbox, updateSession
and installSessionGlobalSkills (use connectSandbox, updateSession,
installSessionGlobalSkills) and returns the final response payload; then have
createSandboxHandler orchestrate these smaller functions — keep each helper
under ~50 lines and export only createSandboxHandler per file to follow SRP.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cd168a8d-c3d5-422f-a893-de6e8819b05d

📥 Commits

Reviewing files that changed from the base of the PR and between cdc9e5f and 27cce76.

⛔ Files ignored due to path filters (4)

• lib/sandbox/__tests__/createSandboxHandler.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**
• next.config.ts is excluded by none and included by none
• package.json is excluded by none and included by none
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml and included by none

📒 Files selected for processing (5)

• app/workflows/buildOrgSnapshotWorkflow.ts
• app/workflows/buildSnapshotStep.ts
• lib/sandbox/createSandboxHandler.ts
• lib/sandbox/defaultBaseSnapshotId.ts
• lib/sandbox/kickBuildOrgSnapshotWorkflow.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In Vercel Workflow (workflow@4.2.0-beta.72), if a workflow catches an exception and returns a value instead of throwing, is the run considered failed and eligible for automatic retries?

💡 Result:

No. In Vercel Workflow, if you catch an exception and return a value instead of throwing a failure (i.e., you don’t let the step/workflow end in an error), the run/step is considered successful rather than failed, so it is not eligible for the automatic retry mechanism. What counts as retryable is tied to failures being surfaced as errors: by default, “errors thrown inside steps are retried” [1], and you can explicitly control retrying by throwing RetryableError (or stop retrying by throwing FatalError) [1][2]. If you catch the exception and simply return a value, you’re preventing the thrown error from occurring, so there’s no failure state to trigger retries. Notes: - If a step throws until it exhausts retries, the run is marked failed (and you can inspect the run status as “failed”) [3]. - Separately, retries may also occur due to certain infrastructure/runtime issues, but those still originate from an error path rather than a caught-and-returned success value [4].

Citations:

• 1: https://mintlify.com/vercel/workflow/concepts/errors-and-retries
• 2: https://vercel.com/academy/svelte-on-vercel/workflow-error-handling
• 3: https://mintlify.com/vercel/workflow/api-reference/workflow-api/get-workflow-state
• 4: https://github.com/vercel/workflow/blob/main/packages/core/src/runtime/step-handler.ts

---

Rethrow errors to preserve run failure state and enable automatic retries.

Catching errors and returning { success: false } prevents Vercel Workflow from marking the run as failed, which disables automatic retries and obscures true failure conditions. Log the error, then rethrow it to surface the failure properly.

💡 Proposed fix

 catch (error) {
   const message = error instanceof Error ? error.message : String(error);
   console.error(`[build-org-snapshot] Failed for '${input.sandboxName}':`, message);
-  return { success: false as const, error: message };
+  throw error instanceof Error ? error : new Error(message);
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/workflows/buildOrgSnapshotWorkflow.ts` around lines 20 - 28, The current
try/catch in buildOrgSnapshotWorkflow swallows errors and returns { success:
false } which prevents Vercel Workflow from marking the run as failed; instead,
after logging the error (preserve the existing console.error call that formats
message for input.sandboxName), rethrow the original error (or throw a new Error
with the message) so the workflow run fails and can be retried; update the catch
block around buildSnapshotStep so it no longer returns { success: false } but
logs then throws the error (or remove the catch entirely to let the error
bubble).

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

In workflow@4.2.0-beta.72, what is the recommended way to deduplicate start(...) calls for the same logical job (idempotency key / unique run key / concurrency controls)?

💡 Result:

In workflow@4.2.0-beta.72, the recommended way to deduplicate start(...) calls for the same logical job (idempotency key / unique run key) is to provide a custom runId in the StartOptions object. If a run with that runId already exists, start() returns the existing run instead of creating a duplicate.[1][2] Example: const run = await start(myWorkflow, args, { runId: `order-${orderId}` }); This ensures idempotency: repeated calls with the same runId return the same run object.[1][2] For concurrency controls, there is an ongoing discussion about a native lock primitive (distributed semaphore) to limit concurrent executions for the same key inside workflows, but it appears not yet implemented in beta.72 (no mention in release notes).[3][4] Use application-level checks (e.g., check run status before starting) or the custom runId for deduplication as primary mechanism.[5][6]

Citations:

• 1: Add support for idempotent workflow creation vercel/workflow#85
• 2: feat: add custom runId support for idempotent workflow creation vercel/workflow#86
• 3: Concurrency Controls vercel/workflow#301
• 4: https://github.com/vercel/workflow/releases/tag/workflow%404.2.0-beta.72
• 5: https://useworkflow.dev/docs/foundations/starting-workflows
• 6: https://useworkflow.dev/docs/api-reference/workflow-api/start

---

Use deterministic runId to prevent duplicate org snapshot workflow kicks.

When parallel requests miss the snapshot check simultaneously, both can trigger identical builds. Implement idempotency by passing a deterministic runId based on the org identifier to the start() call in kickBuildOrgSnapshotWorkflow. This ensures that concurrent identical requests reuse the same workflow run instead of spawning duplicates:

const run = await start(myWorkflow, args, { 
  runId: `org-snapshot-${orgRepoName}` 
});

This prevents redundant clones, snapshot operations, and avoidable cost/rate pressure from concurrent requests.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@lib/sandbox/createSandboxHandler.ts` around lines 75 - 80, The current call
to kickBuildOrgSnapshotWorkflow can start duplicate workflows when parallel
requests race; update kickBuildOrgSnapshotWorkflow (and its internal call to
start) to pass a deterministic runId based on the org identifier (e.g., use
`orgRepoName`) so identical requests reuse the same workflow run; specifically,
modify the start(...) invocation inside kickBuildOrgSnapshotWorkflow to include
an options object with runId set to a stable string like
`org-snapshot-${orgRepoName}` derived from the same org identifier used in the
if block, ensuring idempotent workflow starts.

[cubic-dev-ai]

1 issue found across 4 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="app/workflows/buildOrgSnapshotWorkflow.ts">

<violation number="1" location="app/workflows/buildOrgSnapshotWorkflow.ts:27">
P2: Do not swallow workflow errors; rethrow after logging so failed runs are recorded correctly.</violation>
</file>

_{Tip: Review your code locally with the cubic CLI to iterate faster.}

[cubic-dev-ai]

P2: Do not swallow workflow errors; rethrow after logging so failed runs are recorded correctly.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At app/workflows/buildOrgSnapshotWorkflow.ts, line 27:

<comment>Do not swallow workflow errors; rethrow after logging so failed runs are recorded correctly.</comment>

<file context>
@@ -0,0 +1,29 @@
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error(`[build-org-snapshot] Failed for '${input.sandboxName}':`, message);
+    return { success: false as const, error: message };
+  }
+}
</file context>

_{Tip: Review your code locally with the cubic CLI to iterate faster.}