merge dev to main (v3.0.0-beta.25)

[ymc9]

Summary by CodeRabbit

• New Features

  • New CLI "db seed" command to run project seed scripts; added --skip-seed to opt out of post-reset migrations.
  • CLI performs a preflight datasource URL validation before migration/push operations.

• Bug Fixes / Tests

  • Added tests covering seeding behavior, BigInt handling, and related regressions.

• Chores

  • Workspace packages bumped to 3.0.0-beta.25 and workspace tooling (Prisma) updated; CLI now includes runtime support for executing seed commands.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Version bumps to 3.0.0-beta.25 across many packages; adds CLI database seeding (seed action, db seed command, --skip-seed), datasource URL preflight checks; ORM typing adjustments for auth payloads and exported DefaultModelResult; server API generics gain default Schema; new/updated regression tests and small validator/type tweaks.

Changes

Cohort / File(s)	Summary
Workspace & Manifests package.json, packages/*/package.json, samples/next.js/package.json, tests/*/package.json, packages/ide/vscode/package.json	Incremented package versions from 3.0.0-beta.24 → 3.0.0-beta.25 (including VS Code extension bump).
Workspace Catalog pnpm-workspace.yaml	Bumped workspace Prisma catalog version ^6.10.0 → ^6.19.0.
CLI Manifest & Dependencies packages/cli/package.json, packages/language/package.json	CLI: version bump; added execa and moved/adjusted prisma entry. Language: moved @zenstackhq/common-helpers from devDependencies → dependencies.
CLI — Seed & Datasource Validation packages/cli/src/actions/seed.ts, packages/cli/src/actions/action-utils.ts, packages/cli/src/actions/db.ts, packages/cli/src/actions/migrate.ts, packages/cli/src/actions/index.ts, packages/cli/src/index.ts	Added seed action and db seed command; extended getPkgJsonConfig to include seed; added requireDataSourceUrl(schemaFile) and integrated preflight datasource-url checks; added --skip-seed flag and post-reset/dev seeding wiring.
CLI Tests packages/cli/test/db.test.ts	Added tests covering db seed, post-reset seeding, and no-seed/skip-seed scenarios.
ORM Typings & Exports packages/orm/src/client/contract.ts, packages/orm/src/client/crud-types.ts	Exported DefaultModelResult; introduced internal AuthModelType and updated AuthType to use it; expanded type imports.
ORM Validator Minor Change packages/orm/src/client/crud/validator/utils.ts	Inlined BigInt() coercion (removed intermediate bigIntVal) in comparison validators.
Server API Generic Defaults packages/server/src/types.ts, packages/server/src/api/rest/index.ts, packages/server/src/api/rpc/index.ts	Added default generic parameter Schema extends SchemaDef = SchemaDef to ApiHandler, RestApiHandler, and RPCApiHandler types/classes.
Regression Tests & Generated Artifacts tests/regression/test/issue-204/*, tests/regression/test/issue-422/*, tests/regression/test/issue-423.test.ts	Adjusted enum usage and schema export branding for issue-204; added generated schema/models/types and tests for issue-422; added BigInt regression test for issue-423.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–35 minutes

Areas that may need extra attention:

• CLI seeding integration and error paths (packages/cli/src/actions/seed.ts, migrate.ts, db.ts, action-utils.ts).
• ORM typing changes affecting auth resolution (packages/orm/src/client/contract.ts, packages/orm/src/client/crud-types.ts).
• Regression schema/model exports and branding changes (tests/regression/test/issue-204/*, issue-422/*).
• Workspace manifest/dependency placement changes (packages/cli/package.json, packages/language/package.json, pnpm-workspace.yaml).

Possibly related PRs

• chore: simplify api handler's generic typing #424 — Modifies the same server API generic signatures (ApiHandler / RestApiHandler / RPCApiHandler); strongly related.
• merge dev to main (v3.0.0-beta.15) #354 — Overlaps ORM typing changes around AuthType/DefaultModelResult; strongly related.
• fix(cli): require datasource url for running migration and db push commands #431 — Adds requireDataSourceUrl(schemaFile) and wires datasource preflight checks into CLI db/migrate flows; strongly related.

Poem

🐰 I hopped through diffs with a twitch and a grin,
Bumped betas, planted seeds, let migrations begin.
Types tucked in snug, defaults cozy and neat,
A tiny rabbit cheers — new seeds sprout, oh sweet! 🌱

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 23.08% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly describes the primary change: merging dev to main with version bump to v3.0.0-beta.25, which aligns with the extensive version updates throughout all package.json files.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude finished @ymc9's task —— View job

---

Code Review for v3.0.0-beta.25 Release ✅

I've completed a comprehensive review of this release PR. Here's my detailed analysis:

Review Tasks:

• Review new seed command implementation
• Check auth type enhancements
• Validate CLI improvements and error handling
• Review ORM client contract changes
• Assess regression test additions (Setting the auth doesn't include relations #422, SyntaxError: Failed to parse String to BigInt #423)
• Check version consistency across packages
• Security and performance analysis
• Overall code quality assessment

🔍 Review Summary

This is a solid release PR with several important improvements and fixes. The code quality is high and follows established patterns.

✅ Positive Findings

New Seed Command Implementation

Files: packages/cli/src/actions/seed.ts, packages/cli/src/index.ts

• Well-designed: Clean API that reads seed script from package.json zenstack config
• Good error handling: Proper exception catching and meaningful error messages
• Security conscious: Uses execaCommand with proper options instead of raw shell execution
• Integration: Properly integrated into migrate reset workflow with --skip-seed option
• Documentation: Good inline help text and examples

Auth Type Enhancements

Files: packages/orm/src/client/contract.ts:822-842

• Type safety: Enhanced AuthType with recursive relation support
• Flexibility: Allows nested auth data like { user: { profile: { ... } } }
• Backward compatible: Maintains existing API while adding capabilities

CLI Improvements

Files: packages/cli/src/actions/action-utils.ts, packages/cli/src/actions/db.ts, packages/cli/src/actions/migrate.ts

• Datasource validation: Added requireDataSourceUrl() to ensure proper database configuration
• Error handling: Consistent handleSubProcessError() implementation
• Resource cleanup: Proper temp file cleanup in all database operations

Test Coverage

Files: tests/regression/test/issue-422/, tests/regression/test/issue-423.test.ts

• Regression tests: Proper tests for recently fixed issues
• Type verification: Issue Setting the auth doesn't include relations #422 test validates auth type inference works correctly
• BigInt support: Issue SyntaxError: Failed to parse String to BigInt #423 test ensures BigInt operations work without validation errors

⚠️ Areas for Consideration

Security & Input Validation

1. Command injection risk in packages/cli/src/actions/seed.ts:23:

   const command = `${pkgJsonConfig.seed}${args.length > 0 ? ' ' + args.join(' ') : ''}`;

   While using execaCommand is safer than shell execution, consider validating or sanitizing the args array to prevent injection through command arguments.

2. File path validation: The schema file resolution logic should validate paths to prevent directory traversal attacks, especially when accepting user-provided schema paths.

Error Handling Improvements

1. Duplicate error handling in packages/cli/src/actions/migrate.ts:143-149 and packages/cli/src/actions/action-utils.ts:58-64:
   Both files have identical handleSubProcessError() functions. Consider consolidating into a shared utility.

2. Error context: Some error messages could be more descriptive about what action was being performed when the error occurred.

Performance Considerations

1. Temp file cleanup: Good practice of cleaning up temporary Prisma schema files, but consider using try/finally patterns consistently across all functions.

2. Schema parsing: Multiple schema document loading operations could be optimized by caching the parsed result when used in the same command execution.

📋 Code Quality Assessment

Excellent Practices

• Consistent TypeScript usage with proper typing
• Good separation of concerns between CLI actions
• Proper resource cleanup and error handling
• Clear function naming and structure
• Comprehensive test coverage for new features

Version Consistency

All packages correctly updated to 3.0.0-beta.25 (except IDE VSCode package which intentionally uses a different versioning scheme).

Documentation

• Clear inline documentation and examples
• Proper JSDoc comments where needed
• Good help text in CLI commands

🎯 Recommendations

1. Enhance input validation in seed command args processing
2. Consolidate duplicate error handlers into shared utilities
3. Add validation for user-provided file paths to prevent security issues
4. Consider caching parsed schema documents for performance

🏆 Overall Assessment

This is a high-quality release that demonstrates good software engineering practices:

• ✅ Well-tested with proper regression coverage
• ✅ Security-conscious implementation
• ✅ Backward compatible changes
• ✅ Consistent error handling patterns
• ✅ Clean, maintainable code structure

The new seed functionality is a valuable addition that follows ZenStack's configuration patterns well. The auth type enhancements provide important flexibility for complex authentication scenarios.

Recommendation: Approved - This PR is ready for merge with the minor security considerations noted above that can be addressed in future iterations.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/cli/package.json (1)

6-6: Review Prisma placement and new execa dependency

• Version bump to 3.0.0-beta.25 looks good.
• prisma is now both a runtime dependency and a devDependency, and no longer a peerDependency. This changes how consumers share Prisma versions with the CLI and can introduce duplication or version skew between app and CLI. Consider whether you still want prisma as a peer (or at least avoid listing it in both dependencies and devDependencies).
• execa was added as a new dependency. Please confirm this version aligns with the Node versions you officially support for the CLI (execa major versions tend to drop older Node support).

Also applies to: 35-35, 38-38, 56-58

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a831866 and 9e2ea60.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (43)

• package.json (1 hunks)
• packages/auth-adapters/better-auth/package.json (1 hunks)
• packages/cli/package.json (3 hunks)
• packages/cli/src/actions/action-utils.ts (3 hunks)
• packages/cli/src/actions/db.ts (2 hunks)
• packages/cli/src/actions/index.ts (1 hunks)
• packages/cli/src/actions/migrate.ts (4 hunks)
• packages/cli/src/actions/seed.ts (1 hunks)
• packages/cli/src/index.ts (3 hunks)
• packages/cli/test/db.test.ts (1 hunks)
• packages/clients/tanstack-query/package.json (1 hunks)
• packages/common-helpers/package.json (1 hunks)
• packages/config/eslint-config/package.json (1 hunks)
• packages/config/typescript-config/package.json (1 hunks)
• packages/config/vitest-config/package.json (1 hunks)
• packages/create-zenstack/package.json (1 hunks)
• packages/language/package.json (2 hunks)
• packages/orm/package.json (1 hunks)
• packages/orm/src/client/contract.ts (3 hunks)
• packages/orm/src/client/crud-types.ts (1 hunks)
• packages/orm/src/client/crud/validator/utils.ts (1 hunks)
• packages/plugins/policy/package.json (1 hunks)
• packages/schema/package.json (1 hunks)
• packages/sdk/package.json (1 hunks)
• packages/server/package.json (1 hunks)
• packages/server/src/api/rest/index.ts (1 hunks)
• packages/server/src/api/rpc/index.ts (2 hunks)
• packages/server/src/types.ts (1 hunks)
• packages/testtools/package.json (1 hunks)
• packages/zod/package.json (1 hunks)
• pnpm-workspace.yaml (1 hunks)
• samples/next.js/package.json (1 hunks)
• samples/orm/package.json (1 hunks)
• tests/e2e/package.json (1 hunks)
• tests/regression/package.json (1 hunks)
• tests/regression/test/issue-204/models.ts (1 hunks)
• tests/regression/test/issue-204/schema.ts (2 hunks)
• tests/regression/test/issue-422/input.ts (1 hunks)
• tests/regression/test/issue-422/models.ts (1 hunks)
• tests/regression/test/issue-422/regression.test.ts (1 hunks)
• tests/regression/test/issue-422/schema.ts (1 hunks)
• tests/regression/test/issue-422/schema.zmodel (1 hunks)
• tests/regression/test/issue-423.test.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-21T16:09:31.218Z

Learnt from: ymc9
Repo: zenstackhq/zenstack-v3 PR: 319
File: packages/runtime/src/client/executor/zenstack-query-executor.ts:63-72
Timestamp: 2025-10-21T16:09:31.218Z
Learning: In ZenStack, TypeDefs can be inherited by models. When a TypeDef contains fields with `map` attributes, those mapped field names need to be processed by the QueryNameMapper since they become part of the inheriting model's schema. Therefore, when checking if a schema has mapped names (e.g., in `schemaHasMappedNames`), both `schema.models` and `schema.typeDefs` must be inspected for `@map` and `map` attributes.

Applied to files:

• tests/regression/test/issue-422/schema.ts

🧬 Code graph analysis (14)

packages/cli/test/db.test.ts (1)

packages/cli/test/utils.ts (2)

• createProject (12-18)
• runCli (20-23)

tests/regression/test/issue-423.test.ts (1)

packages/testtools/src/client.ts (1)

• createTestClient (95-244)

packages/cli/src/actions/seed.ts (2)

packages/cli/src/actions/action-utils.ts (1)

• getPkgJsonConfig (80-112)

packages/cli/src/cli-error.ts (1)

• CliError (4-4)

packages/server/src/types.ts (1)

packages/schema/src/schema.ts (1)

• SchemaDef (11-19)

packages/server/src/api/rpc/index.ts (2)

packages/schema/src/schema.ts (1)

• SchemaDef (11-19)

packages/server/src/types.ts (1)

• ApiHandler (67-82)

packages/cli/src/actions/migrate.ts (2)

packages/cli/src/actions/action-utils.ts (2)

• requireDataSourceUrl (139-145)
• handleSubProcessError (58-64)

packages/cli/src/utils/exec-utils.ts (1)

• execPrisma (32-53)

tests/regression/test/issue-422/regression.test.ts (2)

packages/testtools/src/client.ts (1)

• createTestClient (95-244)

tests/regression/test/issue-422/schema.ts (1)

• schema (121-121)

tests/regression/test/issue-422/schema.ts (2)

packages/schema/src/expression-utils.ts (1)

• ExpressionUtils (19-123)

packages/schema/src/schema.ts (1)

• SchemaDef (11-19)

packages/server/src/api/rest/index.ts (2)

packages/schema/src/schema.ts (1)

• SchemaDef (11-19)

packages/server/src/types.ts (1)

• ApiHandler (67-82)

packages/cli/src/actions/action-utils.ts (2)

packages/language/src/generated/ast.ts (1)

• isDataSource (417-419)

packages/cli/src/cli-error.ts (1)

• CliError (4-4)

packages/cli/src/actions/db.ts (1)

packages/cli/src/actions/action-utils.ts (1)

• requireDataSourceUrl (139-145)

packages/cli/src/index.ts (1)

packages/cli/src/telemetry.ts (1)

• telemetry (139-139)

tests/regression/test/issue-204/schema.ts (1)

packages/schema/src/schema.ts (1)

• SchemaDef (11-19)

packages/orm/src/client/contract.ts (2)

packages/schema/src/schema.ts (5)

• SchemaDef (11-19)
• GetModels (120-120)
• RelationFields (210-214)
• FieldIsArray (249-253)
• RelationFieldType (222-229)

packages/orm/src/client/crud-types.ts (1)

• DefaultModelResult (50-69)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Agent
• GitHub Check: build-test (20.x, sqlite)
• GitHub Check: build-test (20.x, postgresql)
• GitHub Check: claude-review

🔇 Additional comments (50)

packages/server/src/api/rest/index.ts (1)

119-119: LGTM! Improved type ergonomics with default generic parameter.

Adding the default generic parameter = SchemaDef improves the developer experience by allowing users to omit the type parameter when using the default schema type, while maintaining full type safety for those who need custom schemas.

packages/server/src/api/rpc/index.ts (1)

14-14: LGTM! Consistent default generic parameters.

The addition of default generic parameters to both RPCApiHandlerOptions and RPCApiHandler aligns them with the updated ApiHandler interface and RestApiHandler class, ensuring consistent type inference behavior across the server API.

Also applies to: 29-29

packages/server/src/types.ts (1)

67-67: LGTM! Base interface updated with default generic parameter.

This foundational change to the ApiHandler interface enables consistent default type parameters across all implementing handler classes, improving the overall API ergonomics without affecting existing functionality.

packages/orm/src/client/crud-types.ts (1)

50-69: LGTM! Clean API exposure.

Exporting DefaultModelResult enables its use in the auth type system (as seen in contract.ts). This is a reasonable extension of the public API with no breaking changes.

tests/regression/test/issue-423.test.ts (1)

1-16: LGTM! Clear regression coverage.

The test validates that BigInt fields with schema attributes (like @map) work correctly in create and update operations. Good regression coverage for issue #423.

packages/orm/src/client/contract.ts (2)

2-10: LGTM! Necessary imports for auth type enhancements.

These additional schema type imports support the new AuthModelType definition below.

---

822-839: LGTM! Well-designed recursive auth type.

The new AuthModelType properly extends the auth context to support nested relations (e.g., { user: { profile: { ... } } }). The recursive type definition correctly handles both array and single relations, and TypeScript's type system will handle the recursion safely.

packages/orm/src/client/crud/validator/utils.ts (1)

117-144: LGTM! Clean inline refactor.

Inlining BigInt(val) instead of using an intermediate constant simplifies the code without changing behavior.

packages/config/typescript-config/package.json (1)

3-3: Version bump is consistent with workspace update.

Straightforward version increment aligned with the 3.0.0-beta.25 release.

tests/e2e/package.json (1)

3-3: Version bump is consistent with workspace update.

Straightforward version increment aligned with the 3.0.0-beta.25 release.

packages/orm/package.json (1)

3-3: Version bump is consistent with workspace update.

Straightforward version increment aligned with the 3.0.0-beta.25 release.

packages/sdk/package.json (1)

3-3: Version bump is consistent with workspace update.

Straightforward version increment aligned with the 3.0.0-beta.25 release.

samples/next.js/package.json (1)

3-3: Version bump is consistent with workspace update.

Straightforward version increment aligned with the 3.0.0-beta.25 release.

packages/server/package.json (1)

3-3: Version bump is consistent with workspace update.

Straightforward version increment aligned with the 3.0.0-beta.25 release.

package.json (1)

3-3: Version bump is consistent with workspace update.

Straightforward version increment aligned with the 3.0.0-beta.25 release.

pnpm-workspace.yaml (1)

8-8: Breaking changes in Prisma 6.19.0 require verification against your seed CLI implementation.

The 6.18–6.19 series introduces mandatory config migration: datasource defined in prisma.config.ts will override datasource in schema.prisma, and 6.19 requires explicit DB drivers (e.g., @prisma/adapter-pg). Additional changes include generator entrypoint modifications and deprecation of the pg-worker package.

Confirm your project's setup is compatible with these migration requirements before deploying the seed CLI feature. Verify whether you need to migrate to prisma.config.ts or add explicit adapters for your database setup.

packages/clients/tanstack-query/package.json (1)

3-3: Version bump consistent with PR release target.

Line 3 correctly reflects v3.0.0-beta.25 aligned with the workspace version update.

samples/orm/package.json (1)

3-3: Version bump consistent with PR release target.

Line 3 correctly reflects v3.0.0-beta.25 aligned with the workspace version update.

packages/schema/package.json (1)

3-3: Version bump consistent with PR release target.

Line 3 correctly reflects v3.0.0-beta.25 aligned with the workspace version update.

packages/testtools/package.json (1)

3-3: Version bump consistent with PR release target.

Line 3 correctly reflects v3.0.0-beta.25 aligned with the workspace version update.

packages/plugins/policy/package.json (1)

3-3: Version bump consistent with PR release target.

Line 3 correctly reflects v3.0.0-beta.25 aligned with the workspace version update.

tests/regression/package.json (1)

3-3: Version bump consistent with PR release target.

Line 3 correctly reflects v3.0.0-beta.25 aligned with the workspace version update.

packages/zod/package.json (1)

3-3: Version bump consistent with PR release target.

Line 3 correctly reflects v3.0.0-beta.25 aligned with the workspace version update.

packages/config/vitest-config/package.json (1)

4-4: Version bump consistent with PR release target.

Line 4 correctly reflects v3.0.0-beta.25 aligned with the workspace version update.

packages/auth-adapters/better-auth/package.json (1)

3-3: Version bump looks consistent

Package version updated to 3.0.0-beta.25 in line with the PR’s global version bump; no other changes here.

packages/config/eslint-config/package.json (1)

3-3: ESLint config version bump is fine

Only the version moved to 3.0.0-beta.25; matches the workspace bump and has no behavioral effect.

packages/create-zenstack/package.json (1)

3-3: create-zenstack version bump is correct

Version updated to 3.0.0-beta.25 with no other modifications; aligns with the monorepo versioning.

tests/regression/test/issue-204/schema.ts (1)

9-9: Schema branding and enum shape look solid

• Using _schema with as const satisfies SchemaDef gives good structural guarantees for the generated schema while keeping it immutable.
• Changing ShirtColor.values to a keyed object of literal values is a clear, type‑friendly representation for enums.
• The branded Schema type plus export const schema: Schema = _schema; and export type SchemaType = Schema; provide a stable, strongly‑typed surface for consumers and match the branding pattern used elsewhere.

Also applies to: 50-56, 60-65

tests/regression/test/issue-204/models.ts (1)

12-13: LGTM!

The updated enum access pattern using .values is correctly implemented. The constant derives from $schema.enums.ShirtColor.values and the type is properly inferred from the constant's keys.

packages/common-helpers/package.json (1)

3-3: LGTM!

Version bump aligns with the beta release objective.

tests/regression/test/issue-422/regression.test.ts (1)

6-17: LGTM! Type-level testing pattern is appropriate.

This test validates TypeScript's type inference for $setAuth() by ensuring the compiler accepts various auth shapes (optional fields, relations, nested relations). The absence of assertions is intentional—type errors would cause compilation to fail.

packages/cli/test/db.test.ts (2)

57-60: LGTM! Appropriate negative test case.

This test ensures the CLI handles missing seed scripts gracefully without crashing.

---

19-36: The review concern is unfounded—ES module support is properly configured.

The createTestProject() function in packages/testtools/src/project.ts already sets "type": "module" in the generated package.json, ensuring the seed script's ES module syntax executes correctly. No changes are needed.

Likely an incorrect or invalid review comment.

packages/cli/src/actions/index.ts (2)

8-8: LGTM!

The seed action import follows the existing pattern for action modules.

---

10-10: LGTM!

The seed export is correctly added to the public action exports.

packages/cli/src/actions/db.ts (1)

25-26: LGTM! Good defensive validation.

Adding datasource URL validation before schema generation provides better error messages and fails fast if the URL is missing.

packages/language/package.json (2)

4-4: LGTM!

Version bump aligns with the beta release objective.

---

58-58: No issues found—dependency promotion is justified.

The verification confirms that @zenstackhq/common-helpers is used at runtime in the language package. The invariant utility is imported in production validators (datamodel-validator.ts and attribute-application-validator.ts), validating the promotion from devDependencies to dependencies as intentional and necessary.

tests/regression/test/issue-422/models.ts (1)

10-12: LGTM!

The model type exports follow the standard generated pattern and correctly use $ModelResult to derive types from the schema.

packages/cli/src/actions/seed.ts (1)

14-37: LGTM with minor observation on error handling.

The implementation correctly uses execaCommand from the execa library, which handles shell escaping internally, making the command construction at line 23 safe from injection issues. The error handling appropriately wraps errors in CliError for consistent CLI error reporting.

Minor note: The error handling doesn't preserve the exit code from the failed seed script, which could make debugging harder. However, this is acceptable given the generic error message provides context.

packages/cli/src/index.ts (3)

37-39: LGTM!

The seedAction function follows the established pattern used by other CLI actions in this file, properly wrapping the seed action with telemetry tracking.

---

94-100: LGTM!

The --skip-seed option is well-integrated with clear help text that accurately describes the automatic seeding behavior and how to skip it.

---

140-158: LGTM!

The db seed command is well-designed with:

• allowExcessArguments(true) to properly forward arguments to the seed script
• Clear help text with a practical configuration example
• Proper argument passing via command.args

packages/cli/src/actions/action-utils.ts (1)

139-145: LGTM!

The requireDataSourceUrl function provides good preflight validation for commands that require a database URL. The implementation correctly:

• Loads and validates the schema
• Finds the datasource declaration
• Checks for the required url field
• Provides a clear error message when validation fails

packages/cli/src/actions/migrate.ts (5)

5-6: LGTM!

The new imports are correctly added with a clear alias (runSeed) to avoid naming conflicts with the main run function.

---

11-11: LGTM!

The skipSeed option is appropriately added to CommonOptions with the correct type.

---

38-39: LGTM!

The preflight validation is well-placed before schema generation, preventing unnecessary work when the datasource URL is missing.

---

79-79: LGTM!

Correctly passes --skip-seed to Prisma's migrate dev command, maintaining consistency with Prisma's native options.

---

89-105: LGTM!

The changes to runReset properly integrate the seeding workflow:

• Made async to support the seed call
• Passes --skip-seed to Prisma's migrate reset
• Conditionally runs the seed script with appropriate options (noWarnings: true to avoid duplicate warnings, printStatus: true for user feedback)

tests/regression/test/issue-422/schema.zmodel (1)

1-25: LGTM!

The schema is well-structured with:

• Proper bidirectional relations between Session, User, and Profile
• Cascade deletes to prevent orphaned records
• Correct unique constraint on Profile.userId to enforce the one-to-one relationship with User
• Appropriate use of @@auth directive on the Session model

[Copilot]

Pull Request Overview

This PR merges development changes to main for v3.0.0-beta.25, introducing database seeding functionality, updating Prisma to 6.19.0, and making several type system improvements.

• Added database seeding support via zen db seed command with configuration in package.json
• Updated Prisma from 6.10.0 to 6.19.0 across the monorepo
• Enhanced auth type inference to support nested relations
• Added default generic parameters to API handler interfaces for better ergonomics
• Fixed BigInt validation attribute handling

Reviewed Changes

Copilot reviewed 43 out of 44 changed files in this pull request and generated 17 comments.

Show a summary per file

File	Description
packages/cli/src/actions/seed.ts	New action implementing database seeding functionality
packages/cli/src/actions/migrate.ts	Integrated seeding into migrate reset workflow
packages/cli/src/index.ts	Added db seed command and --skip-seed flag to migrate reset
packages/cli/src/actions/action-utils.ts	Added seed script configuration support and datasource URL validation
packages/cli/package.json	Moved prisma from peer to direct dependency and added execa
packages/orm/src/client/contract.ts	Enhanced AuthType to recursively support relation fields
packages/orm/src/client/crud/validator/utils.ts	Refactored BigInt validation to convert values inline
packages/server/src/types.ts	Added default generic parameter to ApiHandler interface
pnpm-workspace.yaml	Updated Prisma catalog version from 6.10.0 to 6.19.0
tests/regression/test/issue-423.test.ts	Added regression test for BigInt non-validation attributes
tests/regression/test/issue-422/*	Added regression test suite for auth type inference
tests/regression/test/issue-204/*	Updated generated schema structure for enums
packages/cli/test/db.test.ts	Added test coverage for seed command functionality

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[claude]

Claude finished @ymc9's task —— View job

---

Claude finished @ymc9's task —— View job

---

Code Review for v3.0.0-beta.25 Release ✅

I've completed a comprehensive review of this release PR. Here's my detailed analysis:

Review Tasks:

• Review new seed command implementation
• Check auth type enhancements
• Validate CLI improvements and error handling
• Review ORM client contract changes
• Assess regression test additions (Setting the auth doesn't include relations #422, SyntaxError: Failed to parse String to BigInt #423)
• Check version consistency across packages
• Security and performance analysis
• Overall code quality assessment

🔍 Review Summary

This is a solid release PR with several important improvements and fixes. The code quality is high and follows established patterns.

✅ Positive Findings

New Seed Command Implementation

Files: packages/cli/src/actions/seed.ts, packages/cli/src/index.ts

• Well-designed: Clean API that reads seed script from package.json zenstack config
• Good error handling: Proper exception catching and meaningful error messages
• Security conscious: Uses execaCommand with proper options instead of raw shell execution
• Integration: Properly integrated into migrate reset workflow with --skip-seed option
• Documentation: Good inline help text and examples

Auth Type Enhancements

Files: packages/orm/src/client/contract.ts:822-842

• Type safety: Enhanced AuthType with recursive relation support
• Flexibility: Allows nested auth data like { user: { profile: { ... } } }
• Backward compatible: Maintains existing API while adding capabilities

CLI Improvements

Files: packages/cli/src/actions/action-utils.ts, packages/cli/src/actions/db.ts, packages/cli/src/actions/migrate.ts

• Datasource validation: Added requireDataSourceUrl() to ensure proper database configuration
• Error handling: Consistent handleSubProcessError() implementation
• Resource cleanup: Proper temp file cleanup in all database operations

Test Coverage

Files: tests/regression/test/issue-422/, tests/regression/test/issue-423.test.ts

• Regression tests: Proper tests for recently fixed issues
• Type verification: Issue Setting the auth doesn't include relations #422 test validates auth type inference works correctly
• BigInt support: Issue SyntaxError: Failed to parse String to BigInt #423 test ensures BigInt operations work without validation errors

⚠️ Areas for Consideration

Security & Input Validation

1. Command injection risk in packages/cli/src/actions/seed.ts:23:

   const command = `${pkgJsonConfig.seed}${args.length > 0 ? ' ' + args.join(' ') : ''}`;

   While using execaCommand is safer than shell execution, consider validating or sanitizing the args array to prevent injection through command arguments.

2. File path validation: The schema file resolution logic should validate paths to prevent directory traversal attacks, especially when accepting user-provided schema paths.

Error Handling Improvements

1. Duplicate error handling in packages/cli/src/actions/migrate.ts:143-149 and packages/cli/src/actions/action-utils.ts:58-64:
   Both files have identical handleSubProcessError() functions. Consider consolidating into a shared utility.

2. Error context: Some error messages could be more descriptive about what action was being performed when the error occurred.

Performance Considerations

1. Temp file cleanup: Good practice of cleaning up temporary Prisma schema files, but consider using try/finally patterns consistently across all functions.

2. Schema parsing: Multiple schema document loading operations could be optimized by caching the parsed result when used in the same command execution.

📋 Code Quality Assessment

Excellent Practices

• Consistent TypeScript usage with proper typing
• Good separation of concerns between CLI actions
• Proper resource cleanup and error handling
• Clear function naming and structure
• Comprehensive test coverage for new features

Version Consistency

All packages correctly updated to 3.0.0-beta.25 (except IDE VSCode package which intentionally uses a different versioning scheme).

Documentation

• Clear inline documentation and examples
• Proper JSDoc comments where needed
• Good help text in CLI commands

🎯 Recommendations

1. Enhance input validation in seed command args processing
2. Consolidate duplicate error handlers into shared utilities
3. Add validation for user-provided file paths to prevent security issues
4. Consider caching parsed schema documents for performance

🏆 Overall Assessment

This is a high-quality release that demonstrates good software engineering practices:

• ✅ Well-tested with proper regression coverage
• ✅ Security-conscious implementation
• ✅ Backward compatible changes
• ✅ Consistent error handling patterns
• ✅ Clean, maintainable code structure

The new seed functionality is a valuable addition that follows ZenStack's configuration patterns well. The auth type enhancements provide important flexibility for complex authentication scenarios.

Recommendation: Approved - This PR is ready for merge with the minor security considerations noted above that can be addressed in future iterations.

---

[claude]

Claude finished @ymc9's task —— View job

---

Code Review for v3.0.0-beta.25 Release ✅

I've completed a comprehensive review of this release PR. Here's my detailed analysis:

Review Tasks:

• Review new seed command implementation
• Check auth type enhancements
• Validate CLI improvements and error handling
• Review ORM client contract changes
• Assess regression test additions (Setting the auth doesn't include relations #422, SyntaxError: Failed to parse String to BigInt #423)
• Check version consistency across packages
• Security and performance analysis
• Overall code quality assessment

🔍 Review Summary

This is a solid release PR with several important improvements and fixes. The code quality is high and follows established patterns.

✅ Positive Findings

New Seed Command Implementation

Files: packages/cli/src/actions/seed.ts, packages/cli/src/index.ts

• Well-designed: Clean API that reads seed script from package.json zenstack config
• Good error handling: Proper exception catching and meaningful error messages
• Security conscious: Uses execaCommand with proper options instead of raw shell execution
• Integration: Properly integrated into migrate reset workflow with --skip-seed option
• Documentation: Good inline help text and examples

Auth Type Enhancements

Files: packages/orm/src/client/contract.ts:822-842

• Type safety: Enhanced AuthType with recursive relation support
• Flexibility: Allows nested auth data like { user: { profile: { ... } } }
• Backward compatible: Maintains existing API while adding capabilities

CLI Improvements

Files: packages/cli/src/actions/action-utils.ts, packages/cli/src/actions/db.ts, packages/cli/src/actions/migrate.ts

• Datasource validation: Added requireDataSourceUrl() to ensure proper database configuration
• Error handling: Consistent handleSubProcessError() implementation
• Resource cleanup: Proper temp file cleanup in all database operations

Test Coverage

Files: tests/regression/test/issue-422/, tests/regression/test/issue-423.test.ts

• Regression tests: Proper tests for recently fixed issues
• Type verification: Issue Setting the auth doesn't include relations #422 test validates auth type inference works correctly
• BigInt support: Issue SyntaxError: Failed to parse String to BigInt #423 test ensures BigInt operations work without validation errors

⚠️ Areas for Consideration

Security & Input Validation

1. Command injection risk in packages/cli/src/actions/seed.ts:23:

   const command = `${pkgJsonConfig.seed}${args.length > 0 ? ' ' + args.join(' ') : ''}`;

   While using execaCommand is safer than shell execution, consider validating or sanitizing the args array to prevent injection through command arguments.

2. File path validation: The schema file resolution logic should validate paths to prevent directory traversal attacks, especially when accepting user-provided schema paths.

Error Handling Improvements

1. Duplicate error handling in packages/cli/src/actions/migrate.ts:143-149 and packages/cli/src/actions/action-utils.ts:58-64:
   Both files have identical handleSubProcessError() functions. Consider consolidating into a shared utility.

2. Error context: Some error messages could be more descriptive about what action was being performed when the error occurred.

Performance Considerations

1. Temp file cleanup: Good practice of cleaning up temporary Prisma schema files, but consider using try/finally patterns consistently across all functions.

2. Schema parsing: Multiple schema document loading operations could be optimized by caching the parsed result when used in the same command execution.

📋 Code Quality Assessment

Excellent Practices

• Consistent TypeScript usage with proper typing
• Good separation of concerns between CLI actions
• Proper resource cleanup and error handling
• Clear function naming and structure
• Comprehensive test coverage for new features

Version Consistency

All packages correctly updated to 3.0.0-beta.25 (except IDE VSCode package which intentionally uses a different versioning scheme).

Documentation

• Clear inline documentation and examples
• Proper JSDoc comments where needed
• Good help text in CLI commands

🎯 Recommendations

1. Enhance input validation in seed command args processing
2. Consolidate duplicate error handlers into shared utilities
3. Add validation for user-provided file paths to prevent security issues
4. Consider caching parsed schema documents for performance

🏆 Overall Assessment

This is a high-quality release that demonstrates good software engineering practices:

• ✅ Well-tested with proper regression coverage
• ✅ Security-conscious implementation
• ✅ Backward compatible changes
• ✅ Consistent error handling patterns
• ✅ Clean, maintainable code structure

The new seed functionality is a valuable addition that follows ZenStack's configuration patterns well. The auth type enhancements provide important flexibility for complex authentication scenarios.

Recommendation: Approved - This PR is ready for merge with the minor security considerations noted above that can be addressed in future iterations.

---

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/cli/src/actions/action-utils.ts (1)

108-109: Consider simplifying the seed assignment logic.

The current logic works correctly but is verbose, accessing pkgJson.zenstack.seed three times. The pattern can be simplified while maintaining the same behavior (filtering out non-strings and empty strings):

Apply this diff to simplify:

-        result.seed =
-            typeof pkgJson.zenstack.seed === 'string' && pkgJson.zenstack.seed ? pkgJson.zenstack.seed : undefined;
+        result.seed = (typeof pkgJson.zenstack.seed === 'string' && pkgJson.zenstack.seed) || undefined;

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 60717a3 and 7e57864.

📒 Files selected for processing (3)

• packages/cli/package.json (2 hunks)
• packages/cli/src/actions/action-utils.ts (3 hunks)
• packages/cli/src/index.ts (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/cli/src/index.ts

🧰 Additional context used

🧬 Code graph analysis (1)

packages/cli/src/actions/action-utils.ts (2)

packages/language/src/generated/ast.ts (1)

• isDataSource (417-419)

packages/cli/src/cli-error.ts (1)

• CliError (4-4)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: build-test (20.x, postgresql)
• GitHub Check: build-test (20.x, sqlite)
• GitHub Check: claude-review

🔇 Additional comments (1)

packages/cli/src/actions/action-utils.ts (1)

100-107: Good fix! Assignment logic now correctly returns string | undefined.

The ternary operators correctly address the type inconsistency flagged in previous reviews. The logic now cleanly returns the resolved path when the value is a string, or undefined otherwise.