Feat/team-collaboration

[JoachimLK]

Summary

• What does this PR change?
• Why is this needed?

Type of change

• Bug fix
• Feature
• Refactor
• Docs
• Chore

Validation

• I tested locally
• I added/updated relevant documentation
• I verified multi-tenant scoping and auth behavior for affected API paths

DCO

• All commits in this PR are signed off (Signed-off-by) via git commit -s

Summary by CodeRabbit

• New Features

  • Settings area: sidebar + pages for Account, Organization, Members (profile, password, sessions, org edit, invite/manage members).
  • Comments API: create, list, author-only edits, delete; activity log listing for organization audit events.
  • Client permission helper for UI gating and shared status-transition rules for consistent workflow.

• Security / Access Control

  • Role-based permissions enforced server-side (Owner, Admin, Member); invitation workflow hardened (expiry, auto-cancel).

• Database

  • New tenant-scoped tables for comments and activity logs.

• Documentation & Testing

  • Team collaboration guide and comprehensive testing/security plan added.

[railway-app]

🚅 Deployed to the reqcore-pr-65 environment in applirank

Service	Status	Web	Updated (UTC)
applirank	✅ Success (View Logs)	Web	Mar 3, 2026 at 9:50 am

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds tenant-scoped collaboration: centralized RBAC and shared permissions, Better Auth organization plugin config, a server-side requirePermission guard, activity logging utility and schema, polymorphic comments with APIs and DB migrations, client permission composable, settings UI/pages, many API routes converted to permission checks, and two large docs (design + testing/security).

Changes

Cohort / File(s)	Summary
Documentation TEAM-COLLABORATION.md, TESTING-SECURITY.md	Two new, extensive docs: collaboration design and testing/security plan with threat model and ~130 test cases.
Shared Permissions shared/permissions.ts	New merged statements, access-control instance, and role definitions (owner/admin/member) for ATS resources.
Auth & Permission Guard server/utils/auth.ts, server/utils/requirePermission.ts	Configured Better Auth organization plugin (roles/invite hooks) and added requirePermission() to enforce auth + active org + permission checks.
Activity Logging server/utils/recordActivity.ts, server/utils/schemas/activityLog.ts	Fire-and-forget recordActivity helper and Zod schema for activity-log query params.
Comments + APIs server/database/migrations/0006_breezy_hairball.sql, server/database/schema/app.ts, server/utils/schemas/comment.ts, server/api/comments/*	DB enums/tables for comments & activity_log, schema relations, comment validation schemas, and comment endpoints (list/create/update/delete) with org scoping and activity events.
Permissioned Endpoints server/api/... (applications, candidates, jobs, documents, dashboard, activity-log, public apply, etc.)	Many endpoints switched from requireAuth→requirePermission(...), orgId non-null assertions removed, added activity logging on create/update/delete, and input escaping in search/query handlers.
Database Migrations Meta server/database/migrations/meta/*	Added migration snapshot and journal entries for new enums/tables.
Server Schema server/database/schema/app.ts	Drizzle schema additions: comment and activity_log tables, enums, relations, and indexes.
Server Utilities server/utils/schemas/*, server/utils/recordActivity.ts	New/updated request schemas for comments/activity logs and the activity-recording utility.
Client Permissioning app/composables/usePermission.ts, app/utils/auth-client.ts	New usePermission composable (client-side cosmetic gating) and auth client wired with shared permissions/roles.
Settings UI & Pages app/components/SettingsSidebar.vue, app/components/AppSidebar.vue, app/layouts/dashboard.vue, app/pages/dashboard/settings/*	Added SettingsSidebar, Settings nav item, layout tweak, and settings pages (index, account, members) with permission-aware UI and invite/member flows.
Status Transitions & Localization shared/status-transitions.ts, server/utils/schemas/*, various app/pages/*	Centralized APPLICATION/JOB status transition maps; replaced local constants across server and client; added locale-aware date/currency formatting in job pages.
Misc UI Adjustments app/components/CandidateDetailSidebar.vue, many app/pages/...	Small UI changes: replaced local constants with shared imports, icons, label/class mapping, and i18n tweaks.

Sequence Diagram(s)

sequenceDiagram
    participant UI as Client (Vue)
    participant API as Server (Nitro)
    participant Auth as BetterAuth
    participant DB as PostgreSQL

    UI->>API: Request protected endpoint (e.g., GET /api/jobs/:id)
    API->>Auth: auth.api.getSession(event)
    Auth-->>API: session (user + activeOrganizationId)
    API->>Auth: auth.api.hasPermission(session, permissions)
    Auth-->>API: allowed / denied
    alt allowed
        API->>DB: query resource scoped to organization
        DB-->>API: resource
        API-->>UI: 200 + resource
    else denied
        API-->>UI: 403 Forbidden
    end

Loading

sequenceDiagram
    participant User as User (UI)
    participant Client as Client (Vue)
    participant API as Server (Nitro)
    participant Auth as BetterAuth
    participant DB as PostgreSQL

    User->>Client: Submit new comment
    Client->>API: POST /api/comments
    API->>Auth: getSession + hasPermission(comment:create)
    Auth-->>API: authorized session
    API->>DB: verify target exists in org
    alt target exists
        API->>DB: insert comment
        DB-->>API: created comment
        API->>DB: insert activity_log (fire-and-forget)
        API-->>Client: 201 + comment
    else not found
        API-->>Client: 404 Not Found
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Ux/improve-application-view #46 — Modifies server/api/applications/index.get.ts; overlaps with this PR's migration of endpoints to requirePermission and session handling.

Poem

🐇 I hopped through code with eager paws,

roles, invites, and tiny laws,
comments tucked and logs that gleam,
settings neat — a teamwork dream,
nibble the carrot, ship the features!

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	Description is entirely an empty template; no sections are filled in, no rationale or change details are provided.	Fill in the Summary section with what the PR changes and why, select the Type of change, and check validation items (testing, documentation, multi-tenant verification).
Title check	❓ Inconclusive	Title is vague and generic, using only a feature branch name pattern without describing the actual changeset content.	Use a descriptive title that summarizes the main change, e.g., 'Add team collaboration features with RBAC, comments, and activity logging' or similar.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/team-collaboration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 19

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

server/api/applications/index.post.ts (1)

53-59: ⚠️ Potential issue | 🔴 Critical

Add guard to check created before accessing created.id on line 75.

The destructuring pattern const [created] can result in undefined if the insert returns an empty array. Currently, created.id is accessed on line 75 without a null/undefined check, causing a TypeScript error (TS18048). Add a guard immediately after the insert to narrow the type, then use created.id safely.

Suggested fix

  const [created] = await db.insert(application).values({
    organizationId: orgId,
    candidateId: body.candidateId,
    jobId: body.jobId,
    notes: body.notes,
    status: 'new',
  }).returning({
    id: application.id,
    candidateId: application.candidateId,
    jobId: application.jobId,
    status: application.status,
    score: application.score,
    notes: application.notes,
    createdAt: application.createdAt,
    updatedAt: application.updatedAt,
  })

+  if (!created) {
+    throw createError({ statusCode: 500, statusMessage: 'Failed to create application' })
+  }
+
-  recordActivity({
+  await recordActivity({
     organizationId: orgId,
     actorId: session.user.id,
     action: 'created',
     resourceType: 'application',
     resourceId: created.id,
     metadata: { candidateId: body.candidateId, jobId: body.jobId },
   })

  setResponseStatus(event, 201)
  return created

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/api/applications/index.post.ts` around lines 53 - 59, The insert call
using the destructuring const [created] from db.insert(...).returning may yield
undefined; add an immediate guard after that insert to check if created is
truthy (e.g., if (!created) { return or throw a controlled error/response })
before any usage of created.id, then proceed to use created.id safely so the
type is narrowed and TS18048 is resolved; update the code path that follows the
insert (the block referencing created.id) to rely on that guard.

🧹 Nitpick comments (4)

app/pages/dashboard/settings.vue (1)

9-14: Consider responsive fallback for the two-column settings layout.

Current layout is always horizontal with sticky sidebar; on narrow screens this can compress content significantly. A breakpoint-based column switch would make settings usable on mobile.

📱 Suggested responsive tweak

-  <div class="flex min-w-0 flex-1 -mx-6 -my-8">
-    <div class="sticky -top-8 h-screen shrink-0">
+  <div class="flex min-w-0 flex-1 -mx-6 -my-8 flex-col md:flex-row">
+    <div class="shrink-0 md:sticky md:-top-8 md:h-screen">
       <SettingsSidebar />
     </div>
-    <div class="flex-1 min-w-0 px-8 py-8">
+    <div class="flex-1 min-w-0 px-4 py-6 md:px-8 md:py-8">
       <NuxtPage />
     </div>
   </div>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/settings.vue` around lines 9 - 14, The two-column layout
should switch to a single column on small screens and only apply the sticky,
full-height sidebar on larger viewports: update the wrapper div around
SettingsSidebar and NuxtPage to use responsive flex classes (e.g., flex-col on
small screens and flex-row on md/up) and adjust the sidebar container
(SettingsSidebar) to use md:sticky and md:h-screen while making it
h-auto/relative on small screens; also ensure padding/margins on the content
container (the div containing NuxtPage) use responsive utilities (e.g., smaller
px/py on mobile) so the settings content doesn’t get compressed on narrow
viewports.

server/database/schema/app.ts (1)

182-185: Add a target+time index for comment listing paths.

For paginated comment timelines, include created_at in the target index to avoid extra sort cost.

📈 Proposed index enhancement

 }, (t) => ([
   index('comment_organization_id_idx').on(t.organizationId),
   index('comment_target_idx').on(t.targetType, t.targetId),
+  index('comment_target_created_at_idx').on(t.targetType, t.targetId, t.createdAt),
   index('comment_author_id_idx').on(t.authorId),
 ]))

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/database/schema/app.ts` around lines 182 - 185, The comment table
needs a composite index that includes created_at to optimize paginated
timelines; add a new index (e.g., name it 'comment_target_created_at_idx') on
the same table index block alongside index('comment_target_idx') that calls
.on(t.targetType, t.targetId, t.createdAt) so queries that filter by
targetType/targetId and order/seek by created_at can use the index; update the
schema where the indexes are defined (the index(...) calls for the comment
table) and ensure the migration is generated/applied.

app/pages/dashboard/settings/account.vue (1)

63-65: Block password submit when minimum policy is not met.

The current submit gate allows requests even when strength is “Too short,” causing unnecessary failed calls.

🔧 Proposed fix

 const passwordsMatch = computed(() =>
   newPassword.value === confirmPassword.value && newPassword.value.length > 0,
 )
+const meetsPasswordPolicy = computed(() => newPassword.value.length >= 8)
@@
 async function handleChangePassword() {
-  if (!passwordsMatch.value || !currentPassword.value) return
+  if (!passwordsMatch.value || !currentPassword.value || !meetsPasswordPolicy.value) return
@@
           <button
-            :disabled="isChangingPassword || !passwordsMatch || !currentPassword"
+            :disabled="isChangingPassword || !passwordsMatch || !currentPassword || !meetsPasswordPolicy"
             class="inline-flex items-center gap-2 rounded-lg bg-brand-600 px-4 py-2 text-sm font-medium text-white hover:bg-brand-700 transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
             `@click`="handleChangePassword"
           >

Also applies to: 85-87, 343-344

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/settings/account.vue` around lines 63 - 65, The submit
gate currently only checks passwordsMatch (computed using newPassword and
confirmPassword) but allows submission when the password strength is "Too
short"; update the submit checks (where passwordsMatch is used and the submit
handlers around the other occurrences) to also require the password meets the
minimum policy by validating either passwordStrength.value !== 'Too short' or
newPassword.value.length >= MIN_PASSWORD_LENGTH (use your existing strength
variable or a constant), so both passwordsMatch and the minimum-strength/length
check must pass before allowing the request.

server/database/migrations/0006_breezy_hairball.sql (1)

29-35: Add composite indexes for org-scoped chronological reads.

The queries use organization_id filtering + created_at ordering. Composite indexes matching these patterns will improve pagination performance:

• activity_log list: WHERE organization_id = ? ORDER BY created_at DESC
• comment list: WHERE organization_id = ? AND target_type = ? AND target_id = ? ORDER BY created_at DESC

⚙️ Suggested patch

 CREATE INDEX "activity_log_organization_id_idx" ON "activity_log" USING btree ("organization_id");--> statement-breakpoint
 CREATE INDEX "activity_log_actor_id_idx" ON "activity_log" USING btree ("actor_id");--> statement-breakpoint
 CREATE INDEX "activity_log_resource_idx" ON "activity_log" USING btree ("resource_type","resource_id");--> statement-breakpoint
 CREATE INDEX "activity_log_created_at_idx" ON "activity_log" USING btree ("created_at");--> statement-breakpoint
+CREATE INDEX "activity_log_org_created_at_idx" ON "activity_log" USING btree ("organization_id","created_at");--> statement-breakpoint
 CREATE INDEX "comment_organization_id_idx" ON "comment" USING btree ("organization_id");--> statement-breakpoint
 CREATE INDEX "comment_target_idx" ON "comment" USING btree ("target_type","target_id");--> statement-breakpoint
 CREATE INDEX "comment_author_id_idx" ON "comment" USING btree ("author_id");
+CREATE INDEX "comment_org_target_created_at_idx" ON "comment" USING btree ("organization_id","target_type","target_id","created_at");

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/database/migrations/0006_breezy_hairball.sql` around lines 29 - 35,
Add composite btree indexes to support queries that filter by organization_id
and order by created_at: create an index on activity_log (organization_id,
created_at DESC) — e.g. name it activity_log_organization_created_at_idx — and
create an index on comment (organization_id, target_type, target_id, created_at
DESC) — e.g. name it comment_organization_target_created_at_idx; update the
migration (near the existing CREATE INDEX statements for activity_log and
comment) to add these two CREATE INDEX statements so the planner can use the
composite indexes for the listed WHERE ... ORDER BY patterns.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/composables/usePermission.ts`:
- Around line 45-57: The fetchRole() logic must reset role before each org
change and avoid races from out-of-order responses: set role.value = null at the
start of fetchRole(), then perform the
authClient.organization.getActiveMemberRole() call inside a try/catch; use a
monotonic request token (e.g., a module-scoped requestCounter incremented before
each fetch and captured as localRequestId inside fetchRole) or capture the
current activeOrgState.value.data?.id and compare it when the response returns;
only assign role.value = data?.role if the localRequestId matches the latest
token (or the org id still matches) and on error leave role.value as null.
Ensure watch(...) still calls fetchRole() with immediate: true so the token
logic handles quick org switches.

In `@app/pages/dashboard/settings/account.vue`:
- Around line 259-266: The password visibility icon buttons are icon-only and
lack accessible names; update the toggle button for showCurrentPassword (and the
similar toggle around lines 284-291) to include an accessible label and state by
adding a dynamic aria-label and aria-pressed (or title) that reflects the
action, e.g. aria-label set to "Show current password" when showCurrentPassword
is false and "Hide current password" when true, and set aria-pressed to the
boolean showCurrentPassword so screen readers can understand the control state;
ensure both the current-password toggle (referencing showCurrentPassword,
EyeOff, Eye) and the other password-toggle button use the same pattern.

In `@app/pages/dashboard/settings/index.vue`:
- Around line 37-45: The org API calls (authClient.organization.update and
authClient.organization.delete) are treated as throwing but actually return {
error } in resolved results; update the code to capture the result object (e.g.,
const result = await authClient.organization.update(...)) and check if
(result.error) before setting saveSuccess.value or performing redirects; on
error, set an appropriate error state and avoid the success toggle/redirect,
mirroring existing patterns used in members.vue, account.vue, and
useCurrentOrg.ts.

In `@app/pages/dashboard/settings/members.vue`:
- Line 451: The modal backdrop click handler only clears memberToRemove but
leaves the previous removeError intact, causing stale errors to appear on
reopen; update the backdrop close behavior to also clear removeError — either
replace the inline handler `@click.self`="memberToRemove = null" with a call to a
new method (e.g., closeRemoveModal) or expand the inline handler to set both
memberToRemove = null and removeError = null so both state variables are reset
when the modal is dismissed via backdrop.
- Around line 230-235: The icon-only buttons lack accessible names; add an
accessible label to each affected button (the one that runs "showInviteForm =
false; resetInviteForm()" and the buttons at the other two spots) by either
adding an appropriate aria-label (e.g., aria-label="Close invite form") or
including a visually-hidden text node (e.g., <span class="sr-only">Close</span>)
inside the button so screen readers get context; ensure the label text describes
the action (Close, Invite, Remove, etc.) and use the same approach for the
buttons that render the X component and the other icon-only buttons referenced.
- Around line 185-192: The document-level click listener added in onMounted is
never removed; change the inline listener to a named handler (e.g., const
onDocClick = (e: MouseEvent) => { ... }) and register it with
document.addEventListener inside onMounted, then remove it in onUnmounted via
document.removeEventListener using the same handler reference so closeDropdown
won't be called multiple times on re-entry; ensure the handler references the
same logic currently using target.closest('[data-member-actions]') and calls
closeDropdown() when appropriate.

In `@server/api/candidates/`[id]/documents/index.post.ts:
- Around line 167-174: The code calls recordActivity using properties of created
but static analysis warns created may be undefined; add a guard after the insert
that checks if created is truthy (e.g., if (!created) { handle error/return
early or throw an HttpError/Response with 500 }) before accessing created.id,
created.originalFilename or created.type, and ensure recordActivity is only
invoked when created is defined so TypeScript narrows the type and the edge case
of no rows is handled.

In `@server/api/candidates/index.post.ts`:
- Around line 43-50: The call to recordActivity uses properties on created
without ensuring created is defined; add a guard that validates created is
truthy before accessing created.id, created.firstName, or created.lastName
(e.g., if (!created) return or skip logging), then only call recordActivity with
resourceId: created.id and metadata using created.firstName/lastName when
created exists; update the block around recordActivity in index.post.ts to
perform this check to avoid runtime errors.

In `@server/api/comments/`[id].delete.ts:
- Line 31: The DELETE currently calls db.delete(comment).where(eq(comment.id,
id)) which is not tenant-scoped; update the mutation to include the organization
constraint in the same where clause (e.g. add eq(comment.orgId, orgId) together
with eq(comment.id, id)) so the delete is executed only for the org returned by
your pre-check; ensure you reference the same orgId variable used in the
pre-check and keep both predicates combined in the db.delete(...).where(...)
call to avoid check/delete race conditions.

In `@server/api/comments/`[id].patch.ts:
- Around line 36-50: The update must include authorization constraints in the
WHERE clause and explicitly handle the case when no rows are updated: modify the
db.update(comment)...where(eq(comment.id, id)) call to add the org/author
predicates (e.g., and(eq(comment.authorId, currentUserId), eq(comment.orgId,
currentOrgId)) or the appropriate fields your schema uses) so the DB enforces
ownership/organization atomically, keep the same .returning(...) shape, then
check the result (the updated variable/array) and if no row was returned throw
or return a 404/403 error (e.g., throw new Error('Not found or not authorized'))
so callers get an explicit failure when zero rows are affected.

In `@server/api/jobs/index.post.ts`:
- Around line 46-53: The call to recordActivity is accessing created.id and
created.title without ensuring created exists; add a guard before calling
recordActivity (in the handler where created is produced) to check that created
is defined and only call recordActivity if it is, or handle the error/return
early if not; reference the variables and functions involved (created,
recordActivity, orgId, session.user.id) so you locate the spot and either wrap
the recordActivity call in an if (created) { ... } or return an appropriate
error path before accessing created.id/created.title.

In `@server/database/migrations/0006_breezy_hairball.sql`:
- Line 26: The ALTER TABLE statement adds a foreign key constraint
activity_log_actor_id_user_id_fk on activity_log(actor_id) with ON DELETE
cascade which will delete audit records when a user is removed; change the
constraint to remove ON DELETE cascade (use ON DELETE NO ACTION or RESTRICT) so
actor deletions do not cascade to activity_log and preserve the immutable audit
trail; update the migration SQL in the ALTER TABLE statement that references the
constraint name activity_log_actor_id_user_id_fk and keep ON UPDATE NO ACTION
as-is.

In `@server/database/migrations/meta/0006_snapshot.json`:
- Around line 789-801: The foreign-key constraint
activity_log_actor_id_user_id_fk currently uses onDelete: "cascade" which
deletes activity_log rows when a user is removed; change the constraint to
either onDelete: "restrict" to prevent user deletion while logs exist or to
onDelete: "set null" and make activity_log.actor_id nullable so deleting a user
preserves the audit record; update the migration definition for
activity_log_actor_id_user_id_fk (tableFrom: "activity_log", tableTo: "user",
columnsFrom: ["actor_id"], columnsTo: ["id"]) to use the chosen onDelete
behavior and adjust the actor_id column nullability accordingly, then
regenerate/apply the migration so the DB schema matches.

In `@server/database/schema/app.ts`:
- Around line 196-204: The activity_log currently cascades deletes via actorId
which allows audit rows to be removed; update the actorId reference in the
activityLog table so it no longer cascades: make actorId nullable (remove
.notNull()) and change the references(...) option from onDelete: 'cascade' to
onDelete: 'set null' (reference is the actorId column and the user.id foreign
key) so that when a user is removed the audit entry is preserved with actorId
set to null.

In `@server/utils/auth.ts`:
- Around line 101-112: The sendInvitationEmail function currently logs PII
(data.email, data.inviter.user.name, data.inviter.user.email,
data.organization.name) which risks exposing sensitive data; update
sendInvitationEmail to avoid logging raw PII in production by: (1) gating the
verbose console.info behind a dev-only flag (e.g., NODE_ENV === 'development' or
a config value) or (2) replacing PII with non-identifying tokens/IDs (e.g.,
data.id, organization.id, inviter.user.id) or redacted strings before logging,
and ensure the inviteLink is only logged in dev; keep the baseURL and inviteLink
generation intact but do not write raw user emails/names/org names to logs in
non-dev environments.

In `@server/utils/recordActivity.ts`:
- Around line 1-2: At the top of server/utils/recordActivity.ts add an import
for the database client/export named db alongside the existing activityLog
import so the db symbol used in the recordActivity logic is available; locate
the file-level imports where activityLog is imported and add the missing import
for db from whatever module exports the database client in this codebase, then
run a quick type-check to ensure references to db (used around the
recordActivity function) resolve.

In `@server/utils/requirePermission.ts`:
- Around line 44-47: requirePermission currently allows calls with an empty or
missing PermissionRequest which can silently bypass authorization; add a runtime
guard at the top of the requirePermission function to fail-closed: validate that
the permissions argument is present and non-empty (handle undefined, null, empty
array/collection) and immediately reject the request (throw/createError or
return a 403/unauthorized response) when it is not. Reference the
requirePermission function and the PermissionRequest/AuthSessionWithActiveOrg
types when making the check so the guard executes before any auth/session logic
that uses event.

In `@TEAM-COLLABORATION.md`:
- Around line 33-67: Update the three fenced code blocks that start with the
ASCII diagrams so they include a fence language (e.g., text) to satisfy
markdownlint MD040: replace the opening triple backticks for the block that
begins with
"┌──────────────────────────────────────────────────────────────────┐" (the
CLIENT/SERVER/DATABASE diagram), the block that begins with "Request arrives"
(the request/handler/session flow), and the block that begins with "shared/"
(the permissions/shared files list) so each opens with ```text instead of ```,
preserving the block content unchanged.

In `@TESTING-SECURITY.md`:
- Around line 62-710: The unlabeled fenced code blocks in TESTING-SECURITY.md
(e.g., the block containing "TEST-AUTH-001: Hit every API route..." and other
repeated ``` blocks) are causing markdownlint MD040 warnings; update every
unlabeled ``` fence to include an appropriate language identifier (use text for
plain prose blocks, ts for TypeScript snippets, bash for shell examples) so each
fenced block is labeled consistently (apply the same change pattern shown in the
example replacing ``` with ```text or other relevant language) across the whole
document.

---

Outside diff comments:
In `@server/api/applications/index.post.ts`:
- Around line 53-59: The insert call using the destructuring const [created]
from db.insert(...).returning may yield undefined; add an immediate guard after
that insert to check if created is truthy (e.g., if (!created) { return or throw
a controlled error/response }) before any usage of created.id, then proceed to
use created.id safely so the type is narrowed and TS18048 is resolved; update
the code path that follows the insert (the block referencing created.id) to rely
on that guard.

---

Nitpick comments:
In `@app/pages/dashboard/settings.vue`:
- Around line 9-14: The two-column layout should switch to a single column on
small screens and only apply the sticky, full-height sidebar on larger
viewports: update the wrapper div around SettingsSidebar and NuxtPage to use
responsive flex classes (e.g., flex-col on small screens and flex-row on md/up)
and adjust the sidebar container (SettingsSidebar) to use md:sticky and
md:h-screen while making it h-auto/relative on small screens; also ensure
padding/margins on the content container (the div containing NuxtPage) use
responsive utilities (e.g., smaller px/py on mobile) so the settings content
doesn’t get compressed on narrow viewports.

In `@app/pages/dashboard/settings/account.vue`:
- Around line 63-65: The submit gate currently only checks passwordsMatch
(computed using newPassword and confirmPassword) but allows submission when the
password strength is "Too short"; update the submit checks (where passwordsMatch
is used and the submit handlers around the other occurrences) to also require
the password meets the minimum policy by validating either
passwordStrength.value !== 'Too short' or newPassword.value.length >=
MIN_PASSWORD_LENGTH (use your existing strength variable or a constant), so both
passwordsMatch and the minimum-strength/length check must pass before allowing
the request.

In `@server/database/migrations/0006_breezy_hairball.sql`:
- Around line 29-35: Add composite btree indexes to support queries that filter
by organization_id and order by created_at: create an index on activity_log
(organization_id, created_at DESC) — e.g. name it
activity_log_organization_created_at_idx — and create an index on comment
(organization_id, target_type, target_id, created_at DESC) — e.g. name it
comment_organization_target_created_at_idx; update the migration (near the
existing CREATE INDEX statements for activity_log and comment) to add these two
CREATE INDEX statements so the planner can use the composite indexes for the
listed WHERE ... ORDER BY patterns.

In `@server/database/schema/app.ts`:
- Around line 182-185: The comment table needs a composite index that includes
created_at to optimize paginated timelines; add a new index (e.g., name it
'comment_target_created_at_idx') on the same table index block alongside
index('comment_target_idx') that calls .on(t.targetType, t.targetId,
t.createdAt) so queries that filter by targetType/targetId and order/seek by
created_at can use the index; update the schema where the indexes are defined
(the index(...) calls for the comment table) and ensure the migration is
generated/applied.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dc2a6e7 and cf90ba5.

📒 Files selected for processing (50)

• TEAM-COLLABORATION.md
• TESTING-SECURITY.md
• app/components/AppSidebar.vue
• app/components/SettingsSidebar.vue
• app/composables/usePermission.ts
• app/layouts/dashboard.vue
• app/pages/dashboard/settings.vue
• app/pages/dashboard/settings/account.vue
• app/pages/dashboard/settings/index.vue
• app/pages/dashboard/settings/members.vue
• app/utils/auth-client.ts
• server/api/activity-log/index.get.ts
• server/api/applications/[id].get.ts
• server/api/applications/[id].patch.ts
• server/api/applications/index.get.ts
• server/api/applications/index.post.ts
• server/api/candidates/[id].delete.ts
• server/api/candidates/[id].get.ts
• server/api/candidates/[id].patch.ts
• server/api/candidates/[id]/documents/index.post.ts
• server/api/candidates/index.get.ts
• server/api/candidates/index.post.ts
• server/api/comments/[id].delete.ts
• server/api/comments/[id].patch.ts
• server/api/comments/index.get.ts
• server/api/comments/index.post.ts
• server/api/dashboard/stats.get.ts
• server/api/documents/[id].delete.ts
• server/api/documents/[id]/download.get.ts
• server/api/documents/[id]/preview.get.ts
• server/api/jobs/[id].delete.ts
• server/api/jobs/[id].get.ts
• server/api/jobs/[id].patch.ts
• server/api/jobs/[id]/questions/[questionId].delete.ts
• server/api/jobs/[id]/questions/[questionId].patch.ts
• server/api/jobs/[id]/questions/index.get.ts
• server/api/jobs/[id]/questions/index.post.ts
• server/api/jobs/[id]/questions/reorder.put.ts
• server/api/jobs/index.get.ts
• server/api/jobs/index.post.ts
• server/database/migrations/0006_breezy_hairball.sql
• server/database/migrations/meta/0006_snapshot.json
• server/database/migrations/meta/_journal.json
• server/database/schema/app.ts
• server/utils/auth.ts
• server/utils/recordActivity.ts
• server/utils/requirePermission.ts
• server/utils/schemas/activityLog.ts
• server/utils/schemas/comment.ts
• shared/permissions.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Reset and de-race role fetches on org changes.

Current logic can keep an old role on fetch failure and is vulnerable to out-of-order responses during fast org switches.

🔧 Proposed fix

+let fetchSeq = 0
+
 async function fetchRole() {
-  const { data, error } = await authClient.organization.getActiveMemberRole()
-  if (!error) {
-    role.value = data?.role ?? null
-  }
+  const seq = ++fetchSeq
+  role.value = null
+  try {
+    const { data, error } = await authClient.organization.getActiveMemberRole()
+    if (seq !== fetchSeq) return
+    role.value = error ? null : (data?.role ?? null)
+  }
+  catch {
+    if (seq === fetchSeq) role.value = null
+  }
 }
@@
   watch(
     () => activeOrgState.value.data?.id,
-    () => fetchRole(),
+    () => { void fetchRole() },
     { immediate: true },
   )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	async function fetchRole() {
	const { data, error } = await authClient.organization.getActiveMemberRole()
	if (!error) {
	role.value = data?.role ?? null
	}
	}
	// Fetch on mount and whenever the active org changes
	watch(
	() => activeOrgState.value.data?.id,
	() => fetchRole(),
	{ immediate: true },
	)
	let fetchSeq = 0
	async function fetchRole() {
	const seq = ++fetchSeq
	role.value = null
	try {
	const { data, error } = await authClient.organization.getActiveMemberRole()
	if (seq !== fetchSeq) return
	role.value = error ? null : (data?.role ?? null)
	}
	catch {
	if (seq === fetchSeq) role.value = null
	}
	}
	// Fetch on mount and whenever the active org changes
	watch(
	() => activeOrgState.value.data?.id,
	() => { void fetchRole() },
	{ immediate: true },
	)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/composables/usePermission.ts` around lines 45 - 57, The fetchRole() logic
must reset role before each org change and avoid races from out-of-order
responses: set role.value = null at the start of fetchRole(), then perform the
authClient.organization.getActiveMemberRole() call inside a try/catch; use a
monotonic request token (e.g., a module-scoped requestCounter incremented before
each fetch and captured as localRequestId inside fetchRole) or capture the
current activeOrgState.value.data?.id and compare it when the response returns;
only assign role.value = data?.role if the localRequestId matches the latest
token (or the org id still matches) and on error leave role.value as null.
Ensure watch(...) still calls fetchRole() with immediate: true so the token
logic handles quick org switches.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add accessible labels to password visibility toggle buttons.

These are icon-only controls and currently lack accessible names.

♿ Proposed fix

             <button
               type="button"
               class="absolute right-2.5 top-1/2 -translate-y-1/2 text-surface-400 hover:text-surface-600 dark:hover:text-surface-300 transition-colors"
+              :aria-label="showCurrentPassword ? 'Hide current password' : 'Show current password'"
               `@click`="showCurrentPassword = !showCurrentPassword"
             >
@@
             <button
               type="button"
               class="absolute right-2.5 top-1/2 -translate-y-1/2 text-surface-400 hover:text-surface-600 dark:hover:text-surface-300 transition-colors"
+              :aria-label="showNewPassword ? 'Hide new password' : 'Show new password'"
               `@click`="showNewPassword = !showNewPassword"
             >

Also applies to: 284-291

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/settings/account.vue` around lines 259 - 266, The
password visibility icon buttons are icon-only and lack accessible names; update
the toggle button for showCurrentPassword (and the similar toggle around lines
284-291) to include an accessible label and state by adding a dynamic aria-label
and aria-pressed (or title) that reflects the action, e.g. aria-label set to
"Show current password" when showCurrentPassword is false and "Hide current
password" when true, and set aria-pressed to the boolean showCurrentPassword so
screen readers can understand the control state; ensure both the
current-password toggle (referencing showCurrentPassword, EyeOff, Eye) and the
other password-toggle button use the same pattern.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Find the Better Auth client initialization and imports
find . -type f -name "*.vue" -o -name "*.ts" -o -name "*.js" | head -20
git ls-files | grep -E "\.(vue|ts|js)$" | head -30

Repository: reqcore-inc/reqcore

Length of output: 1755

---

🏁 Script executed:

# Search for authClient.organization usage patterns
rg "authClient\.organization" --type vue --type ts --type js -A 5 -B 2

Repository: reqcore-inc/reqcore

Length of output: 90

---

🏁 Script executed:

# Look for result.error checks mentioned in the review
rg "result\.error" --type vue --type ts --type js -B 3 -A 2

Repository: reqcore-inc/reqcore

Length of output: 90

---

🏁 Script executed:

# Find the members and account files mentioned in the review
fd "members\|account" --type f | grep -E "\.(vue|ts|js)$"

Repository: reqcore-inc/reqcore

Length of output: 45

---

🏁 Script executed:

# Check if there's Better Auth type definitions or documentation
fd "better.*auth\|auth.*types" --type f | grep -E "\.(ts|d\.ts|vue)$"
rg "better-auth\|@better-auth" --type json | head -20

Repository: reqcore-inc/reqcore

Length of output: 45

---

🏁 Script executed:

# Read the actual file in question
cat -n app/pages/dashboard/settings/index.vue | head -100

Repository: reqcore-inc/reqcore

Length of output: 3620

---

🏁 Script executed:

# Search for authClient.organization without file type filter
rg "authClient\.organization" -A 5 -B 2

Repository: reqcore-inc/reqcore

Length of output: 8125

---

🏁 Script executed:

# Search for result.error pattern without file type filter
rg "result\.error|result\?" -A 2 -B 2 | head -100

Repository: reqcore-inc/reqcore

Length of output: 5727

---

🏁 Script executed:

# Check package.json for Better Auth version
cat package.json | grep -A 2 -B 2 "better-auth\|auth"

Repository: reqcore-inc/reqcore

Length of output: 233

---

🏁 Script executed:

# Find member and account related files
fd "member\|account" --type f | grep -E "\.vue$|\.ts$|\.js$"

Repository: reqcore-inc/reqcore

Length of output: 45

---

🏁 Script executed:

# Search for Better Auth type definitions or imports
rg "from.*better-auth\|import.*auth" | head -30

Repository: reqcore-inc/reqcore

Length of output: 45

---

Add error checks to organization API calls before success/redirect.

The Better Auth organization client returns errors in resolved promises with a { error } field, not by throwing. Both organization.update() and organization.delete() lack these checks, causing false success states (line 44) and failed redirects (line 77). The rest of the codebase consistently checks if (result.error) in similar calls (members.vue, account.vue, useCurrentOrg.ts).

🔧 Proposed fix

   try {
-    await authClient.organization.update({
+    const result = await authClient.organization.update({
       data: {
         name: orgName.value.trim(),
         slug: orgSlug.value.trim().toLowerCase(),
       },
     })
+    if (result.error) throw new Error(String(result.error.message ?? 'Failed to update organization'))
     saveSuccess.value = true
     setTimeout(() => { saveSuccess.value = false }, 3000)
   }
@@
   try {
-    await authClient.organization.delete({
+    const result = await authClient.organization.delete({
       organizationId: activeOrg.value!.id,
     })
+    if (result.error) throw new Error(String(result.error.message ?? 'Failed to delete organization'))
     const localePath = useLocalePath()
     window.location.href = localePath('/onboarding/create-org')
   }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	try {
	await authClient.organization.update({
	data: {
	name: orgName.value.trim(),
	slug: orgSlug.value.trim().toLowerCase(),
	},
	})
	saveSuccess.value = true
	setTimeout(() => { saveSuccess.value = false }, 3000)
	try {
	const result = await authClient.organization.update({
	data: {
	name: orgName.value.trim(),
	slug: orgSlug.value.trim().toLowerCase(),
	},
	})
	if (result.error) throw new Error(String(result.error.message ?? 'Failed to update organization'))
	saveSuccess.value = true
	setTimeout(() => { saveSuccess.value = false }, 3000)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/settings/index.vue` around lines 37 - 45, The org API
calls (authClient.organization.update and authClient.organization.delete) are
treated as throwing but actually return { error } in resolved results; update
the code to capture the result object (e.g., const result = await
authClient.organization.update(...)) and check if (result.error) before setting
saveSuccess.value or performing redirects; on error, set an appropriate error
state and avoid the success toggle/redirect, mirroring existing patterns used in
members.vue, account.vue, and useCurrentOrg.ts.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add accessible names to icon-only buttons.

Buttons on Line 230, Line 295, and Line 379 have no accessible label, so assistive tech users won’t get action context.

♿ Proposed fix

             <button
               class="p-1 rounded-md text-surface-400 hover:text-surface-600 dark:hover:text-surface-300 hover:bg-surface-100 dark:hover:bg-surface-800 transition-colors"
+              aria-label="Close invite form"
               `@click`="showInviteForm = false; resetInviteForm()"
             >
@@
       <button class="text-danger-500 hover:text-danger-700 transition-colors" `@click`="roleUpdateError = ''">
+        aria-label="Dismiss role update error"
         <X class="size-4" />
       </button>
@@
             <button
               class="p-1.5 rounded-md text-surface-400 hover:text-surface-600 dark:hover:text-surface-300 hover:bg-surface-100 dark:hover:bg-surface-800 transition-colors"
+              aria-label="Open member actions"
               `@click.stop`="toggleDropdown(m.id)"
             >

Also applies to: 295-297, 379-384

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/settings/members.vue` around lines 230 - 235, The
icon-only buttons lack accessible names; add an accessible label to each
affected button (the one that runs "showInviteForm = false; resetInviteForm()"
and the buttons at the other two spots) by either adding an appropriate
aria-label (e.g., aria-label="Close invite form") or including a visually-hidden
text node (e.g., <span class="sr-only">Close</span>) inside the button so screen
readers get context; ensure the label text describes the action (Close, Invite,
Remove, etc.) and use the same approach for the buttons that render the X
component and the other icon-only buttons referenced.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Import db before use.

db is referenced on Line 21 but never imported, which breaks this utility.

🐛 Proposed fix

 import { activityLog } from '../database/schema'
+import { db } from './db'

Also applies to: 21-21

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/utils/recordActivity.ts` around lines 1 - 2, At the top of
server/utils/recordActivity.ts add an import for the database client/export
named db alongside the existing activityLog import so the db symbol used in the
recordActivity logic is available; locate the file-level imports where
activityLog is imported and add the missing import for db from whatever module
exports the database client in this codebase, then run a quick type-check to
ensure references to db (used around the recordActivity function) resolve.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fail closed on empty permission requests.

Add a runtime guard so route misconfiguration cannot silently bypass intended authorization semantics.

🔧 Proposed fix

 export async function requirePermission(
   event: H3Event,
   permissions: PermissionRequest,
 ): Promise<AuthSessionWithActiveOrg> {
+  const hasRequestedPermission = Object.values(permissions)
+    .some(actions => Array.isArray(actions) && actions.length > 0)
+  if (!hasRequestedPermission) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'Misconfigured route: empty permission request',
+    })
+  }
+
   // ── Step 1: Authenticate ──
   const session = await auth.api.getSession({
     headers: event.headers,
   })

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	export async function requirePermission(
	event: H3Event,
	permissions: PermissionRequest,
	): Promise<AuthSessionWithActiveOrg> {
	export async function requirePermission(
	event: H3Event,
	permissions: PermissionRequest,
	): Promise<AuthSessionWithActiveOrg> {
	const hasRequestedPermission = Object.values(permissions)
	.some(actions => Array.isArray(actions) && actions.length > 0)
	if (!hasRequestedPermission) {
	throw createError({
	statusCode: 500,
	statusMessage: 'Misconfigured route: empty permission request',
	})
	}
	// ── Step 1: Authenticate ──
	const session = await auth.api.getSession({
	headers: event.headers,
	})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/utils/requirePermission.ts` around lines 44 - 47, requirePermission
currently allows calls with an empty or missing PermissionRequest which can
silently bypass authorization; add a runtime guard at the top of the
requirePermission function to fail-closed: validate that the permissions
argument is present and non-empty (handle undefined, null, empty
array/collection) and immediately reject the request (throw/createError or
return a 403/unauthorized response) when it is not. Reference the
requirePermission function and the PermissionRequest/AuthSessionWithActiveOrg
types when making the check so the guard executes before any auth/session logic
that uses event.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add fence languages to clear markdownlint MD040 warnings.

Line 33, Line 235, and Line 567 start fenced blocks without a language identifier. Please annotate them (e.g., text) to satisfy linting consistently.

🧩 Suggested patch

-```
+```text
 ┌──────────────────────────────────────────────────────────────────┐
 │  CLIENT (Nuxt 4 — app/ directory)                                │
 ...
 └──────────────────────────────────────────────────────────────────┘

- +text
Request arrives
│
▼
...
Return session object (with guaranteed activeOrganizationId)

-```
+```text
shared/
  permissions.ts              ← Single source of truth for ALL permissions
...
    useCurrentOrg.ts          ← Org list, active org, switch/create org

</details>


Also applies to: 235-254, 567-607

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.21.0)</summary>

[warning] 33-33: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @TEAM-COLLABORATION.md around lines 33 - 67, Update the three fenced code
blocks that start with the ASCII diagrams so they include a fence language
(e.g., text) to satisfy markdownlint MD040: replace the opening triple backticks
for the block that begins with
"┌──────────────────────────────────────────────────────────────────┐" (the
CLIENT/SERVER/DATABASE diagram), the block that begins with "Request arrives"
(the request/handler/session flow), and the block that begins with "shared/"
(the permissions/shared files list) so each opens with text instead of ,
preserving the block content unchanged.

</details>

<!-- fingerprinting:phantom:poseidon:hawk -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced code blocks (markdownlint MD040).

There are repeated unlabeled fenced blocks (starting at Line 62 and throughout the doc), which will keep lint warnings noisy.

🛠️ Example fix pattern

-```
+```text
 TEST-AUTH-001: Hit every API route without a session cookie → expect 401 on all.
-```
+```

Apply the same pattern to each unlabeled block (text, ts, or bash depending on content).

🧰 Tools

🪛 markdownlint-cli2 (0.21.0)

[warning] 62-62: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 89-89: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 99-99: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 113-113: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 131-131: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 138-138: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 158-158: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 166-166: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 182-182: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 196-196: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 207-207: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 220-220: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 231-231: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 242-242: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 259-259: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 275-275: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 293-293: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 302-302: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 322-322: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 333-333: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 353-353: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 362-362: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 370-370: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 382-382: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 396-396: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 405-405: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 414-414: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 421-421: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 430-430: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 437-437: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 451-451: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 463-463: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 473-473: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 480-480: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 495-495: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 505-505: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 515-515: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 528-528: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 541-541: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 556-556: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 572-572: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 585-585: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 595-595: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 605-605: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 620-620: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 666-666: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 679-679: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 688-688: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 700-700: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 710-710: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@TESTING-SECURITY.md` around lines 62 - 710, The unlabeled fenced code blocks
in TESTING-SECURITY.md (e.g., the block containing "TEST-AUTH-001: Hit every API
route..." and other repeated ``` blocks) are causing markdownlint MD040
warnings; update every unlabeled ``` fence to include an appropriate language
identifier (use text for plain prose blocks, ts for TypeScript snippets, bash
for shell examples) so each fenced block is labeled consistently (apply the same
change pattern shown in the example replacing ``` with ```text or other relevant
language) across the whole document.

[coderabbitai]

🧹 Nitpick comments (1)

server/api/candidates/index.post.ts (1)

47-54: Same async intent issue: explicitly handle recordActivity promise.

At Line 47, prefer await recordActivity(...) (or void if intentionally non-blocking) so behavior is explicit and consistent.

Suggested change

-  recordActivity({
+  await recordActivity({
     organizationId: orgId,
     actorId: session.user.id,
     action: 'created',
     resourceType: 'candidate',
     resourceId: created.id,
     metadata: { name: `${created.firstName} ${created.lastName}` },
   })

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/api/candidates/index.post.ts` around lines 47 - 54, The call to
recordActivity in the candidate creation handler is currently unhandled; make
the async intent explicit by either awaiting recordActivity(...) if activity
recording must complete before responding, or prefixing with void
recordActivity(...) if it should run fire-and-forget—update the invocation in
the POST handler (the recordActivity call that uses created.id and metadata with
created.firstName/lastName) accordingly so the promise is no longer silently
ignored.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@server/api/candidates/index.post.ts`:
- Around line 47-54: The call to recordActivity in the candidate creation
handler is currently unhandled; make the async intent explicit by either
awaiting recordActivity(...) if activity recording must complete before
responding, or prefixing with void recordActivity(...) if it should run
fire-and-forget—update the invocation in the POST handler (the recordActivity
call that uses created.id and metadata with created.firstName/lastName)
accordingly so the promise is no longer silently ignored.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf90ba5 and 95f8722.

📒 Files selected for processing (4)

• server/api/applications/index.post.ts
• server/api/candidates/[id]/documents/index.post.ts
• server/api/candidates/index.post.ts
• server/api/jobs/index.post.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• server/api/applications/index.post.ts

[coderabbitai]

♻️ Duplicate comments (2)

server/utils/auth.ts (1)

101-113: ⚠️ Potential issue | 🟠 Major

Invitation handler still leaks sensitive data and silently skips real delivery.

Line 106 through Line 112 logs raw PII plus the full invitation link/token, and Line 104 confirms there is no actual provider yet. In non-dev environments, this is both a compliance/security risk and a reliability gap for invites.

🔧 Suggested patch (dev-only logging + fail-fast outside dev)

           async sendInvitationEmail(data) {
             const inviteLink = `${baseURL}/auth/accept-invitation/${data.id}`
+            const isDev = import.meta.dev

-            // TODO: Wire up a real email provider (Resend, SES, etc.)
-            // For now, log the invitation link so dev/testing works.
-            console.info(
-              `[Reqcore] Invitation email → ${data.email} | ` +
-              `Invited by ${data.inviter.user.name} (${data.inviter.user.email}) | ` +
-              `Org: ${data.organization.name} | ` +
-              `Role: ${data.role} | ` +
-              `Link: ${inviteLink}`,
-            )
+            // TODO: Wire up a real email provider (Resend, SES, etc.)
+            if (isDev) {
+              console.info('[Reqcore] Invitation email (dev only)', {
+                invitationId: data.id,
+                role: data.role,
+                inviteLink,
+              })
+              return
+            }
+
+            // Avoid silent success until provider integration exists.
+            throw new Error('Invitation email provider is not configured')
           },

If useful, I can draft a concrete Resend/SES implementation next.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/utils/auth.ts` around lines 101 - 113, The sendInvitationEmail method
currently logs raw PII and the full invite link and silently skips delivery;
update it to (1) use an injected email provider abstraction (e.g., an
emailProvider/send method) and call that to send the real message from
sendInvitationEmail, (2) if no provider is configured, throw or return an
explicit error (fail-fast) rather than silently logging in non-dev environments,
and (3) restrict any local logging to development only and redact PII (mask
data.email and omit the full token/link or replace with a truncated placeholder)
so that the function name sendInvitationEmail, baseURL usage, and
data.inviter.user / data.organization fields are preserved but not exposed in
logs.

app/composables/usePermission.ts (1)

45-57: ⚠️ Potential issue | 🟠 Major

Prevent stale role state and out-of-order overwrites during org switches.

fetchRole() currently leaves the previous role intact on error and has no request sequencing. Rapid org changes can apply an older response after a newer one.

🔧 Proposed fix

+let fetchSeq = 0
+
 async function fetchRole() {
-  const { data, error } = await authClient.organization.getActiveMemberRole()
-  if (!error) {
-    role.value = data?.role ?? null
-  }
+  const seq = ++fetchSeq
+  role.value = null
+  try {
+    const { data, error } = await authClient.organization.getActiveMemberRole()
+    if (seq !== fetchSeq) return
+    role.value = error ? null : (data?.role ?? null)
+  }
+  catch {
+    if (seq === fetchSeq) role.value = null
+  }
 }
@@
   watch(
     () => activeOrgState.value.data?.id,
-    () => fetchRole(),
+    () => { void fetchRole() },
     { immediate: true },
   )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/composables/usePermission.ts` around lines 45 - 57, fetchRole leaves the
prior role on error and allows out-of-order responses to overwrite newer state;
modify fetchRole and the watcher so that on any failure you explicitly clear
role.value (set to null) and add simple request sequencing: maintain a request
counter/token (e.g., currentRequestId) that you increment before each
authClient.organization.getActiveMemberRole() call and capture in the closure,
then only assign role.value = data?.role ?? null if the captured token matches
the latest currentRequestId; update both fetchRole and the watch (watching
activeOrgState.value.data?.id) to use this token logic to prevent stale/older
responses from applying.

🧹 Nitpick comments (2)

app/pages/dashboard/jobs/[id]/index.vue (1)

24-24: Consider moving import to the top of the script block.

The import statement is placed mid-script under a section comment. For consistency and readability, group it with the other imports at lines 2-4.

♻️ Suggested refactor

Move the import to the top of the file:

 <script setup lang="ts">
 import { Pencil, Trash2, MapPin, Clock, Calendar, UserPlus } from 'lucide-vue-next'
 import { z } from 'zod'
 import { usePreviewReadOnly } from '~/composables/usePreviewReadOnly'
+import { JOB_STATUS_TRANSITIONS } from '~~/shared/status-transitions'
 
 definePageMeta({

Then remove it from line 24:

 // ─────────────────────────────────────────────
 // Status transitions
 // ─────────────────────────────────────────────
-import { JOB_STATUS_TRANSITIONS } from '~~/shared/status-transitions'
 
 const transitionLabels: Record<string, string> = {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/jobs/`[id]/index.vue at line 24, Move the mid-script
import of JOB_STATUS_TRANSITIONS into the main import group at the top of the
script block so all imports are consistently grouped (i.e., place "import {
JOB_STATUS_TRANSITIONS } from '~~/shared/status-transitions'" with the existing
imports near the top and remove the duplicate statement from line 24); ensure
there are no leftover comments or references that assume the old location and
that any linter/formatter rules still pass after relocating the import.

app/pages/dashboard/applications/[id].vue (1)

27-27: Consider moving import to the top of the script block.

Same suggestion as the jobs page — group this import with the others at lines 2-3 for consistency.

♻️ Suggested refactor

Move the import to the top of the file:

 <script setup lang="ts">
 import { ArrowLeft, User, Briefcase, Calendar, Clock, Hash, FileText, MessageSquare } from 'lucide-vue-next'
 import { usePreviewReadOnly } from '~/composables/usePreviewReadOnly'
+import { APPLICATION_STATUS_TRANSITIONS } from '~~/shared/status-transitions'
 
 definePageMeta({

Then remove it from line 27:

 // ─────────────────────────────────────────────
 // Status transitions
 // ─────────────────────────────────────────────
-import { APPLICATION_STATUS_TRANSITIONS } from '~~/shared/status-transitions'
 
 const transitionLabels: Record<string, string> = {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/applications/`[id].vue at line 27, The import
APPLICATION_STATUS_TRANSITIONS is placed mid-script; move the import statement
"import { APPLICATION_STATUS_TRANSITIONS } from '~~/shared/status-transitions'"
up into the main import group at the top of the script block (group with the
other imports) and remove the duplicate from line 27 so the script imports are
consistent and linting/order is preserved.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@app/composables/usePermission.ts`:
- Around line 45-57: fetchRole leaves the prior role on error and allows
out-of-order responses to overwrite newer state; modify fetchRole and the
watcher so that on any failure you explicitly clear role.value (set to null) and
add simple request sequencing: maintain a request counter/token (e.g.,
currentRequestId) that you increment before each
authClient.organization.getActiveMemberRole() call and capture in the closure,
then only assign role.value = data?.role ?? null if the captured token matches
the latest currentRequestId; update both fetchRole and the watch (watching
activeOrgState.value.data?.id) to use this token logic to prevent stale/older
responses from applying.

In `@server/utils/auth.ts`:
- Around line 101-113: The sendInvitationEmail method currently logs raw PII and
the full invite link and silently skips delivery; update it to (1) use an
injected email provider abstraction (e.g., an emailProvider/send method) and
call that to send the real message from sendInvitationEmail, (2) if no provider
is configured, throw or return an explicit error (fail-fast) rather than
silently logging in non-dev environments, and (3) restrict any local logging to
development only and redact PII (mask data.email and omit the full token/link or
replace with a truncated placeholder) so that the function name
sendInvitationEmail, baseURL usage, and data.inviter.user / data.organization
fields are preserved but not exposed in logs.

---

Nitpick comments:
In `@app/pages/dashboard/applications/`[id].vue:
- Line 27: The import APPLICATION_STATUS_TRANSITIONS is placed mid-script; move
the import statement "import { APPLICATION_STATUS_TRANSITIONS } from
'~~/shared/status-transitions'" up into the main import group at the top of the
script block (group with the other imports) and remove the duplicate from line
27 so the script imports are consistent and linting/order is preserved.

In `@app/pages/dashboard/jobs/`[id]/index.vue:
- Line 24: Move the mid-script import of JOB_STATUS_TRANSITIONS into the main
import group at the top of the script block so all imports are consistently
grouped (i.e., place "import { JOB_STATUS_TRANSITIONS } from
'~~/shared/status-transitions'" with the existing imports near the top and
remove the duplicate statement from line 24); ensure there are no leftover
comments or references that assume the old location and that any
linter/formatter rules still pass after relocating the import.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 95f8722 and 8a470bf.

📒 Files selected for processing (14)

• app/components/CandidateDetailSidebar.vue
• app/composables/usePermission.ts
• app/pages/dashboard/applications/[id].vue
• app/pages/dashboard/jobs/[id]/index.vue
• app/pages/dashboard/jobs/[id]/pipeline.vue
• app/pages/dashboard/jobs/[id]/swipe.vue
• app/pages/jobs/[slug]/index.vue
• app/pages/jobs/index.vue
• app/utils/auth-client.ts
• server/utils/auth.ts
• server/utils/requirePermission.ts
• server/utils/schemas/application.ts
• server/utils/schemas/job.ts
• shared/status-transitions.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• server/utils/requirePermission.ts

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

server/api/comments/[id].delete.ts (1)

46-46: ⚠️ Potential issue | 🟠 Major

Scope the DELETE statement to organization in the same mutation.

At Line 46, deletion is still keyed only by id. Keep tenant scoping in the mutation itself and assert a row was actually deleted to avoid check/delete race gaps.

🔧 Proposed fix

-  await db.delete(comment).where(eq(comment.id, id))
+  const [deleted] = await db.delete(comment)
+    .where(and(
+      eq(comment.id, id),
+      eq(comment.organizationId, orgId),
+    ))
+    .returning({ id: comment.id })
+
+  if (!deleted) {
+    throw createError({ statusCode: 404, statusMessage: 'Comment not found' })
+  }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/api/comments/`[id].delete.ts at line 46, Scope the DELETE to the
tenant by adding an organization/tenant predicate to the same where clause (e.g.
change db.delete(comment).where(eq(comment.id, id)) to include
eq(comment.organizationId, organizationId) or the appropriate orgId from
context) and capture the delete result; assert that a row was actually deleted
(check result.rowCount / affectedRows / numDeleted depending on your DB client)
and throw an appropriate error (404 or permission error) if nothing was deleted
to avoid check/delete race conditions.

🧹 Nitpick comments (1)

server/api/public/jobs/index.get.ts (1)

38-40: Consider centralizing LIKE escaping in a small helper.

The same escaping logic now exists in two branches; extracting it reduces drift risk and keeps behavior consistent across filters.

♻️ Suggested refactor

+const escapeLikePattern = (value: string) => value.replace(/[%_\\]/g, '\\$&')
+
 export default defineEventHandler(async (event) => {
   const query = await getValidatedQuery(event, publicJobsQuerySchema.parse)
@@
   if (query.search) {
-    const escaped = query.search.replace(/[%_\\]/g, '\\$&')
+    const escaped = escapeLikePattern(query.search)
     const pattern = `%${escaped}%`
@@
   if (query.location) {
-    const escapedLoc = query.location.replace(/[%_\\]/g, '\\$&')
+    const escapedLoc = escapeLikePattern(query.location)
     conditions.push(ilike(job.location, `%${escapedLoc}%`))
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/api/public/jobs/index.get.ts` around lines 38 - 40, Extract the
regex-based LIKE-escaping into a small helper (e.g., escapeLike or
escapeLikeMeta) and replace the inline usage where you build the condition (the
current const escapedLoc = query.location.replace(/[%_\\]/g, '\\$&') and its
sibling branch) with calls to that helper, then use ilike(job.location,
`%${escapeLike(query.location)}%`) to keep behavior consistent; define the
helper near the top of the module (or in a shared util) and ensure it accepts a
string, returns the escaped string, and is used in both branches that build the
ilike condition for job.location.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/api/public/jobs/`[slug]/apply.post.ts:
- Around line 105-112: Replace the unchecked Zod parse with a safeParse and
throw a 400 createError on validation failure: call
publicApplicationSchema.safeParse(...) using the same prepared input (the object
currently passed to parse) and if result.success is false, throw createError({
statusCode: 400, message: result.error.message }) so the multipart path mirrors
the JSON path's explicit 400 handling; update uses of validated to use
result.data when success is true.

---

Duplicate comments:
In `@server/api/comments/`[id].delete.ts:
- Line 46: Scope the DELETE to the tenant by adding an organization/tenant
predicate to the same where clause (e.g. change
db.delete(comment).where(eq(comment.id, id)) to include
eq(comment.organizationId, organizationId) or the appropriate orgId from
context) and capture the delete result; assert that a row was actually deleted
(check result.rowCount / affectedRows / numDeleted depending on your DB client)
and throw an appropriate error (404 or permission error) if nothing was deleted
to avoid check/delete race conditions.

---

Nitpick comments:
In `@server/api/public/jobs/index.get.ts`:
- Around line 38-40: Extract the regex-based LIKE-escaping into a small helper
(e.g., escapeLike or escapeLikeMeta) and replace the inline usage where you
build the condition (the current const escapedLoc =
query.location.replace(/[%_\\]/g, '\\$&') and its sibling branch) with calls to
that helper, then use ilike(job.location, `%${escapeLike(query.location)}%`) to
keep behavior consistent; define the helper near the top of the module (or in a
shared util) and ensure it accepts a string, returns the escaped string, and is
used in both branches that build the ilike condition for job.location.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8a470bf and fb02324.

📒 Files selected for processing (5)

• server/api/candidates/index.get.ts
• server/api/comments/[id].delete.ts
• server/api/public/jobs/[slug]/apply.post.ts
• server/api/public/jobs/index.get.ts
• shared/permissions.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• server/api/candidates/index.get.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check for ZodError handling patterns in the codebase
echo "=== Checking ZodError handling patterns ==="
rg -n --type=ts "ZodError|instanceof\s+ZodError" server utils || echo "No explicit ZodError handling found"

echo ""
echo "=== Checking for createError with 400 status ==="
rg -n --type=ts "createError\(\{\s*statusCode:\s*400" server || echo "No createError 400 patterns found"

echo ""
echo "=== Checking safeParse usage ==="
rg -n --type=ts "safeParse\(" server/api/public || echo "No safeParse in public API found"

echo ""
echo "=== Checking .parse() usage in public API ==="
rg -n --type=ts "\.parse\(" server/api/public/jobs

Repository: reqcore-inc/reqcore

Length of output: 1794

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Look at the target file to understand context
echo "=== Target file content (lines 90-120) ==="
wc -l server/api/public/jobs/[slug]/apply.post.ts
head -120 "server/api/public/jobs/[slug]/apply.post.ts" | tail -35

Repository: reqcore-inc/reqcore

Length of output: 1194

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check for global error handlers or middleware that might catch ZodError
echo "=== Looking for error handling middleware ==="
fd -e ts -e js server | xargs grep -l "ZodError\|error.*handler\|middleware" 2>/dev/null | head -20

# Check if there's a validated-body helper in utils
echo ""
echo "=== Looking for validated-body or similar helpers ==="
rg -n "validated.*body|parseBody|validateBody" server utils --type ts

Repository: reqcore-inc/reqcore

Length of output: 110

---

Use safeParse with explicit createError(400) for Zod validation in multipart path.

The multipart validation at line 105 uses publicApplicationSchema.parse() without error handling, which will throw an uncaught ZodError and bubble as a 500. This is inconsistent with the same endpoint's JSON parsing (line 98–100), which wraps errors in a try-catch and throws createError({statusCode: 400}). The codebase shows no global middleware catching ZodError, so explicit error handling is required.

Proposed fix

-    const validated = publicApplicationSchema.parse({
+    const parsed = publicApplicationSchema.safeParse({
       firstName: fields.firstName?.trim() ?? '',
       lastName: fields.lastName?.trim() ?? '',
       email: fields.email?.trim() ?? '',
       phone: fields.phone?.trim() || undefined,
       website: fields.website || undefined,
       responses: rawResponses,
     })
+    if (!parsed.success) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Invalid application payload',
+        data: parsed.error.flatten(),
+      })
+    }
+    const validated = parsed.data

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const validated = publicApplicationSchema.parse({
	firstName: fields.firstName?.trim() ?? '',
	lastName: fields.lastName?.trim() ?? '',
	email: fields.email?.trim() ?? '',
	phone: fields.phone?.trim() || undefined,
	website: fields.website || undefined,
	responses: rawResponses,
	})
	const parsed = publicApplicationSchema.safeParse({
	firstName: fields.firstName?.trim() ?? '',
	lastName: fields.lastName?.trim() ?? '',
	email: fields.email?.trim() ?? '',
	phone: fields.phone?.trim() || undefined,
	website: fields.website || undefined,
	responses: rawResponses,
	})
	if (!parsed.success) {
	throw createError({
	statusCode: 400,
	statusMessage: 'Invalid application payload',
	data: parsed.error.flatten(),
	})
	}
	const validated = parsed.data

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/api/public/jobs/`[slug]/apply.post.ts around lines 105 - 112, Replace
the unchecked Zod parse with a safeParse and throw a 400 createError on
validation failure: call publicApplicationSchema.safeParse(...) using the same
prepared input (the object currently passed to parse) and if result.success is
false, throw createError({ statusCode: 400, message: result.error.message }) so
the multipart path mirrors the JSON path's explicit 400 handling; update uses of
validated to use result.data when success is true.

[coderabbitai]

♻️ Duplicate comments (4)

app/pages/dashboard/settings/members.vue (2)

515-515: ⚠️ Potential issue | 🟡 Minor

Clear removeError when closing the modal via backdrop.

Line 515 closes the modal but keeps previous error text, so stale errors can reappear on reopen.

🔧 Proposed fix

-        <div v-if="memberToRemove" class="fixed inset-0 z-[100] flex items-center justify-center bg-black/50 backdrop-blur-sm" `@click.self`="memberToRemove = null">
+        <div
+          v-if="memberToRemove"
+          class="fixed inset-0 z-[100] flex items-center justify-center bg-black/50 backdrop-blur-sm"
+          `@click.self`="memberToRemove = null; removeError = ''"
+        >

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/settings/members.vue` at line 515, The modal backdrop
click currently sets memberToRemove = null but leaves stale removeError text;
update the backdrop close handler (the element with `@click.self` on the div that
checks memberToRemove) to also clear removeError (e.g., set removeError = null
when closing via backdrop). Ensure any other backdrop/close paths that set
memberToRemove (such as cancel buttons or programmatic closes) also clear
removeError to avoid showing previous errors on reopen.

---

275-280: ⚠️ Potential issue | 🟠 Major

Add accessible names to icon-only action buttons.

Line 275, Line 340, and Line 432 still expose icon-only buttons without accessible names, so screen readers won’t announce the action context.

♿ Proposed fix

             <button
               class="p-1 rounded-md text-surface-400 hover:text-surface-600 dark:hover:text-surface-300 hover:bg-surface-100 dark:hover:bg-surface-800 transition-colors"
+              aria-label="Close invite form"
               `@click`="showInviteForm = false; resetInviteForm()"
             >
               <X class="size-4" />
             </button>
@@
-      <button class="text-danger-500 hover:text-danger-700 transition-colors" `@click`="roleUpdateError = ''">
+      <button
+        class="text-danger-500 hover:text-danger-700 transition-colors"
+        aria-label="Dismiss role update error"
+        `@click`="roleUpdateError = ''"
+      >
         <X class="size-4" />
       </button>
@@
             <button
               class="p-1.5 rounded-md text-surface-400 hover:text-surface-600 dark:hover:text-surface-300 hover:bg-surface-100 dark:hover:bg-surface-800 transition-colors"
+              :aria-label="`Open actions for ${m.user.name}`"
               `@click.stop`="toggleDropdown(m.id)"
             >
               <MoreHorizontal class="size-4" />
             </button>

Also applies to: 340-342, 432-437

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/settings/members.vue` around lines 275 - 280, Several
icon-only action buttons (the close button that sets showInviteForm = false and
calls resetInviteForm(), plus the other icon-only buttons around the member
actions using the X and similar icon components) lack accessible names; add an
accessible name by either adding an aria-label/aria-labelledby attribute with a
concise description (e.g., aria-label="Close invite form" for the X button, or
aria-label="Remove member" / "Edit member" for the member action buttons) or
include a visually-hidden label element (class="sr-only") inside the button.
Update the specific buttons that render the X icon and the other icon-only
actions so screen readers receive a clear action description while preserving
existing click handlers (e.g., keep showInviteForm and resetInviteForm calls
intact).

app/pages/dashboard/settings/index.vue (1)

62-70: ⚠️ Potential issue | 🔴 Critical

Handle Better Auth { error } results before success/redirect.

Line 68 and Line 104 currently assume throws-only failure handling. If these calls resolve with { error }, you can show “Changes saved” or navigate away after a failed operation.

🔧 Proposed fix

   try {
-    await authClient.organization.update({
+    const result = await authClient.organization.update({
       data: {
         name: trimmedName,
         slug: trimmedSlug,
       },
     })
+    if (result.error) {
+      throw new Error(String(result.error.message ?? 'Failed to update organization'))
+    }
     saveSuccess.value = true
     setTimeout(() => { saveSuccess.value = false }, 3000)
   }
@@
   try {
-    await authClient.organization.delete({
+    const result = await authClient.organization.delete({
       organizationId: activeOrg.value!.id,
     })
+    if (result.error) {
+      throw new Error(String(result.error.message ?? 'Failed to delete organization'))
+    }
     // Use navigateTo for Nuxt-managed navigation, then force reload
     // so all cached org state is cleared.
     const localePath = useLocalePath()
     await navigateTo(localePath('/onboarding/create-org'), { external: true })

For Better Auth organization client docs: do `organization.update(...)` and `organization.delete(...)` throw on failure, or return a resolved object containing `{ error }`? Please include the current official doc links.

Also applies to: 98-105

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/settings/index.vue` around lines 62 - 70, The update and
delete calls (authClient.organization.update and authClient.organization.delete)
currently assume failures will throw and immediately set saveSuccess or
navigate; instead capture the resolved response and check for a returned error
property before marking success or redirecting—if response.error exists, set an
error state (e.g., saveError or deleteError), do not set saveSuccess or
navigate, and surface the error message to the user; update the code paths in
the save/update handler and deleteOrganization handler to inspect the response
object and only set saveSuccess or perform router.push when response.error is
falsy.

app/composables/usePermission.ts (1)

45-53: ⚠️ Potential issue | 🟠 Major

De-race role fetching across rapid org switches.

Line 49 can resolve after a newer org switch and overwrite role with stale data; rejected calls also aren’t handled. This is the same unresolved race noted earlier.

🔧 Proposed fix

 export function usePermission(permissions: PermissionRequest) {
   const role = ref<string | null>(null)
+  let fetchSeq = 0
 
   // Fetch the active member's role and re-fetch when org changes
   const activeOrgState = authClient.useActiveOrganization()
 
   async function fetchRole() {
-    // Reset immediately to avoid stale role from previous org (race condition)
+    const seq = ++fetchSeq
     role.value = null
 
-    const { data, error } = await authClient.organization.getActiveMemberRole()
-    if (!error) {
-      role.value = data?.role ?? null
+    try {
+      const { data, error } = await authClient.organization.getActiveMemberRole()
+      if (seq !== fetchSeq) return
+      role.value = error ? null : (data?.role ?? null)
+    }
+    catch {
+      if (seq === fetchSeq) role.value = null
     }
   }
@@
   if (import.meta.client) {
     watch(
       () => activeOrgState.value.data?.id,
-      () => fetchRole(),
+      () => { void fetchRole() },
       { immediate: true },
     )
   }

Also applies to: 59-63

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/composables/usePermission.ts` around lines 45 - 53, fetchRole currently
races: an earlier fetch can resolve after a newer org switch and overwrite
role.value, and rejected calls aren't handled; fix by adding a per-call
identifier (e.g., a closure-scoped incrementing fetchId or token) that you
increment right before calling authClient.organization.getActiveMemberRole(),
capture in the local scope, and after the await only assign role.value if the
captured id matches the latest id; also properly handle rejections by checking
the error result and not touching role.value on error (and optionally log the
error). Apply the identical pattern to the other fetch block at lines 59-63 so
both fetches (the one using authClient.organization.getActiveMemberRole and the
similar membership fetch) ignore stale or failed responses.

🧹 Nitpick comments (1)

app/pages/dashboard/settings/members.vue (1)

522-529: Add dialog semantics to the remove-member modal.

The modal lacks explicit dialog semantics, which hurts assistive-tech navigation/context.

♿ Proposed refactor

-            <div v-if="memberToRemove" class="w-full max-w-md bg-white dark:bg-surface-900 rounded-2xl border border-surface-200 dark:border-surface-800 shadow-2xl p-6">
+            <div
+              v-if="memberToRemove"
+              role="dialog"
+              aria-modal="true"
+              aria-labelledby="remove-member-title"
+              class="w-full max-w-md bg-white dark:bg-surface-900 rounded-2xl border border-surface-200 dark:border-surface-800 shadow-2xl p-6"
+            >
@@
-                  <h3 class="text-base font-semibold text-surface-900 dark:text-surface-100">Remove member</h3>
+                  <h3 id="remove-member-title" class="text-base font-semibold text-surface-900 dark:text-surface-100">Remove member</h3>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/pages/dashboard/settings/members.vue` around lines 522 - 529, The
remove-member modal currently controlled by memberToRemove needs proper dialog
semantics: add role="dialog" and aria-modal="true" to the modal container div,
ensure the heading element used ("Remove member" h3) has a unique id (e.g.,
removeMemberTitle) and set aria-labelledby on the dialog to that id, add
aria-describedby referencing the paragraph under the heading (assign it a unique
id like removeMemberDesc), make the modal container focusable (tabindex="-1")
and programmatically move focus into it when memberToRemove becomes truthy, and
ensure the modal close control has an appropriate aria-label so screen readers
can close the dialog.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@app/composables/usePermission.ts`:
- Around line 45-53: fetchRole currently races: an earlier fetch can resolve
after a newer org switch and overwrite role.value, and rejected calls aren't
handled; fix by adding a per-call identifier (e.g., a closure-scoped
incrementing fetchId or token) that you increment right before calling
authClient.organization.getActiveMemberRole(), capture in the local scope, and
after the await only assign role.value if the captured id matches the latest id;
also properly handle rejections by checking the error result and not touching
role.value on error (and optionally log the error). Apply the identical pattern
to the other fetch block at lines 59-63 so both fetches (the one using
authClient.organization.getActiveMemberRole and the similar membership fetch)
ignore stale or failed responses.

In `@app/pages/dashboard/settings/index.vue`:
- Around line 62-70: The update and delete calls (authClient.organization.update
and authClient.organization.delete) currently assume failures will throw and
immediately set saveSuccess or navigate; instead capture the resolved response
and check for a returned error property before marking success or redirecting—if
response.error exists, set an error state (e.g., saveError or deleteError), do
not set saveSuccess or navigate, and surface the error message to the user;
update the code paths in the save/update handler and deleteOrganization handler
to inspect the response object and only set saveSuccess or perform router.push
when response.error is falsy.

In `@app/pages/dashboard/settings/members.vue`:
- Line 515: The modal backdrop click currently sets memberToRemove = null but
leaves stale removeError text; update the backdrop close handler (the element
with `@click.self` on the div that checks memberToRemove) to also clear
removeError (e.g., set removeError = null when closing via backdrop). Ensure any
other backdrop/close paths that set memberToRemove (such as cancel buttons or
programmatic closes) also clear removeError to avoid showing previous errors on
reopen.
- Around line 275-280: Several icon-only action buttons (the close button that
sets showInviteForm = false and calls resetInviteForm(), plus the other
icon-only buttons around the member actions using the X and similar icon
components) lack accessible names; add an accessible name by either adding an
aria-label/aria-labelledby attribute with a concise description (e.g.,
aria-label="Close invite form" for the X button, or aria-label="Remove member" /
"Edit member" for the member action buttons) or include a visually-hidden label
element (class="sr-only") inside the button. Update the specific buttons that
render the X icon and the other icon-only actions so screen readers receive a
clear action description while preserving existing click handlers (e.g., keep
showInviteForm and resetInviteForm calls intact).

---

Nitpick comments:
In `@app/pages/dashboard/settings/members.vue`:
- Around line 522-529: The remove-member modal currently controlled by
memberToRemove needs proper dialog semantics: add role="dialog" and
aria-modal="true" to the modal container div, ensure the heading element used
("Remove member" h3) has a unique id (e.g., removeMemberTitle) and set
aria-labelledby on the dialog to that id, add aria-describedby referencing the
paragraph under the heading (assign it a unique id like removeMemberDesc), make
the modal container focusable (tabindex="-1") and programmatically move focus
into it when memberToRemove becomes truthy, and ensure the modal close control
has an appropriate aria-label so screen readers can close the dialog.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fb02324 and e6851a8.

📒 Files selected for processing (5)

• app/composables/usePermission.ts
• app/pages/dashboard/settings.vue
• app/pages/dashboard/settings/account.vue
• app/pages/dashboard/settings/index.vue
• app/pages/dashboard/settings/members.vue

🚧 Files skipped from review as they are similar to previous changes (2)

• app/pages/dashboard/settings.vue
• app/pages/dashboard/settings/account.vue