
merge dev to main (v3.5.0) #2513

Merged
ymc9 merged 46 commits into main from dev
Mar 24, 2026

Conversation

@ymc9
Member

@ymc9 ymc9 commented Mar 24, 2026

No description provided.

ymc9 and others added 30 commits March 12, 2026 16:46
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Yiming Cao <ymc9@users.noreply.github.com>
…racking

Introduces a new `$diagnostics()` method on ZenStackClient that returns
Zod schema cache statistics and slow query information, helping users
monitor and debug ORM performance.

- Add `diagnostics` option to `ClientOptions` with `slowQueryThresholdMs`
  and `slowQueryMaxRecords` settings
- Track slow queries in `ZenStackQueryExecutor` when diagnostics is enabled
- Share slow query collection across derived clients (via $setAuth,
  $setOptions, $use, transactions, etc.)
- Cap slow query records with an eviction policy that keeps the slowest
  queries (default max: 100)
- Validate diagnostics config with Zod in ClientImpl constructor
- Add `Diagnostics`, `QueryInfo`, and `ZodCacheStats` types
- Add e2e tests covering all diagnostics features

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
z.int().nonnegative() rejects Infinity. Use .or(z.literal(Infinity))
to accept both nonnegative integers and Infinity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…For in generated schema

The generated schema previously used `as const` on entire model/enum/typeDef
objects, causing TypeScript to deeply infer literal types for all nested
properties. This is unnecessary for `attributes`, `default`, and `foreignKeyFor`
which are only used at runtime, not in CRUD type computations.

Changes:
- Add type assertions (`as readonly AttributeApplication[]`, `as FieldDefault`,
  `as readonly string[]`) to prevent deep const inference on these properties
- Extract `FieldDefault` type alias from `FieldDef` for cleaner generated code
- Change `FieldHasDefault` to use key existence check (`'default' extends keyof`)
  instead of value type check, enabling the `default` widening
- Conditionally import `AttributeApplication` and `FieldDefault` only when used

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…ldsOptions (#2496)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
pkudinov and others added 14 commits March 20, 2026 22:24
Co-authored-by: ymc9 <104139426+ymc9@users.noreply.github.com>
…2504)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: ymc9 <104139426+ymc9@users.noreply.github.com>
Co-authored-by: ymc9 <104139426+ymc9@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ma (#2503)

Co-authored-by: ymc9 <104139426+ymc9@users.noreply.github.com>
@coderabbitai
Contributor

coderabbitai bot commented Mar 24, 2026

Important

Review skipped

Too many files!

This PR contains 168 files, which is 18 over the limit of 150.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ca417c98-a4d4-4f1f-9401-a1921ff6c005

📥 Commits

Reviewing files that changed from the base of the PR and between 6ae3bcb and dbca9ed.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (168)


@claude
Contributor

claude bot commented Mar 24, 2026

Claude finished @ymc9's task


PR Review for v3.5.0 Release

I've completed a comprehensive review of this large PR (168 files, 44 commits) for the v3.5.0 release.

Review Checklist:

  • Analyze core ORM package changes
  • Review CLI package updates
  • Examine VSCode extension enhancements
  • Check server/API changes
  • Review Zod schema improvements
  • Look for security concerns
  • Check for breaking changes
  • Assess test coverage
  • Review performance implications
  • Provide final recommendations

🔒 CRITICAL SECURITY CONCERNS

VSCode Extension Authentication (packages/ide/vscode/src/extension/zenstack-auth-provider.ts)

HIGH SEVERITY ISSUES:

  1. Insecure JWT Validation: Lines 199-214 parse JWT without signature verification - this is a major security vulnerability
  2. Hard-coded External URLs: Direct integration with accounts.zenstack.dev and api.zenstack.dev without certificate pinning
  3. No Rate Limiting: Auth attempts are not rate-limited, allowing potential abuse
  4. Token Storage: JWT tokens stored in VSCode secrets without expiration validation
  5. Missing CSRF Protection: OAuth callback doesn't validate state parameter

RECOMMENDATIONS:

  • Implement proper JWT signature verification using a cryptographic library
  • Add certificate pinning for external API calls
  • Implement rate limiting for authentication attempts
  • Validate JWT expiration before using stored tokens
  • Add state parameter validation in OAuth flow

🐛 CODE QUALITY ISSUES

ORM Package (packages/orm/src/client/client-impl.ts)

  • Line 429: Auth validation typeof auth !== 'object' allows arrays and null
    // Current (problematic):
    if (auth !== undefined && typeof auth !== 'object')
    
    // Should be:
    if (auth !== undefined && (typeof auth !== 'object' || auth === null || Array.isArray(auth)))

Server Package (packages/server/src/api/rest/openapi.ts)

  • Code Smell: Single file with 1,088 lines suggests need for refactoring
  • Complex URL pattern matching could benefit from more validation

POSITIVE CHANGES

Zod Package Enhancements

  • Excellent: New ORM-style select/include/omit options with proper mutual exclusion
  • Good: Type-safe schema generation with comprehensive validation

ORM Improvements

  • Good: New diagnostics system for query performance monitoring
  • Good: Enhanced plugin management with proper client isolation

CLI Enhancements

  • Good: Better error handling and package version mismatch detection
  • Good: Improved watch mode with proper debouncing

📊 TEST COVERAGE ANALYSIS

  • Total test files: 318 (54 in packages + 264 in tests)
  • Concern: Found focused tests (.only) in v2-migrated tests - should be cleaned up before merge
  • Good: Comprehensive E2E test coverage including real-world schemas

PERFORMANCE CONSIDERATIONS

Memory Management

  • Plugin state management in ORM creates new client instances - monitor for memory leaks
  • Large OpenAPI spec generation could impact memory usage

Database Operations

  • New diagnostics system adds minimal overhead while providing valuable insights

🔄 BREAKING CHANGES ASSESSMENT

LOW RISK: Most changes appear to be additive:

  • New optional features in Zod package
  • Enhanced plugin system maintains backward compatibility
  • New VSCode extension features are opt-in

📋 RECOMMENDATIONS

Immediate Actions (Before Merge)

  1. 🚨 CRITICAL: Fix JWT security vulnerability in VSCode extension
  2. 🚨 CRITICAL: Remove hard-coded external API endpoints or add proper validation
  3. Fix auth object validation in ORM client
  4. Remove focused tests (.only) from test suite
  5. Consider refactoring large OpenAPI generator file

Post-Merge Actions

  1. Add comprehensive security testing for VSCode extension
  2. Implement rate limiting for authentication flows
  3. Monitor memory usage with new plugin system
  4. Add integration tests for new Zod features

🎯 OVERALL ASSESSMENT

This is a substantial release with valuable features, but the VSCode extension authentication system poses serious security risks that must be addressed before merge. The core ORM and Zod improvements are excellent and well-implemented.

RECOMMENDATION: HOLD until critical security issues are resolved.


@ymc9
Member Author

ymc9 commented Mar 24, 2026

@coderabbitai review

@coderabbitai
Contributor

coderabbitai bot commented Mar 24, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude
Contributor

claude bot commented Mar 24, 2026

Claude finished @ymc9's task


PR Review for v3.5.0 Release

I've completed a comprehensive review of this large PR (168 files, 45 commits) for the v3.5.0 release.

Review Checklist:

  • Security Analysis - Focus on VSCode extension authentication system
  • ORM Package Review - Core client implementation and CRUD operations
  • CLI Package Review - Command-line interface updates and utilities
  • Server Package Review - API changes and REST/RPC functionality
  • VSCode Extension Review - New features and extension capabilities
  • Zod Package Review - Schema generation and validation improvements
  • Test Coverage Assessment - Analyze test files and coverage gaps
  • Performance Analysis - Identify potential performance impacts
  • Breaking Changes Assessment - Check for backward compatibility issues
  • Final Recommendations - Provide comprehensive review summary

🚨 CRITICAL SECURITY FINDINGS

VSCode Extension Authentication (packages/ide/vscode/src/extension/zenstack-auth-provider.ts)

SEVERE SECURITY VULNERABILITY in JWT handling:

Lines 199-214: The parseJWTClaims() method parses JWT tokens without any signature verification:

private parseJWTClaims(token: string): JWTClaims {
    // JWT tokens have 3 parts separated by dots: header.payload.signature
    const parts = token.split('.');
    // Decode the payload (second part) - JWT uses base64url encoding
    const decoded = Buffer.from(parts[1]!, 'base64url').toString('utf8');
    return JSON.parse(decoded);
}

Why this is critical:

  • Anyone can create malicious JWT tokens with arbitrary claims
  • No cryptographic verification of token authenticity
  • Enables complete authentication bypass
  • Allows privilege escalation through forged user identities

Additional Security Issues:

  1. Hard-coded External URLs (lines 12-13): Direct integration with external services without certificate pinning
  2. No Rate Limiting: Authentication attempts are unlimited
  3. Missing Token Expiration Validation: Stored tokens never checked for expiration
  4. No CSRF Protection: OAuth callback lacks state parameter validation

🐛 CODE QUALITY ISSUES

ORM Package (packages/orm/src/client/client-impl.ts:429)

Fixed! ✅ The auth validation has been properly corrected:

if (auth !== undefined && (typeof auth !== 'object' || auth === null || Array.isArray(auth))) {
    throw new Error('Invalid auth object');
}

This now correctly rejects null and arrays, which was a previous vulnerability.

Server Package (packages/server/src/api/rest/openapi.ts)

Code Smell: Single file with 1,088 lines - this is very large and should be considered for refactoring into smaller, more maintainable modules.

CLI Package - Good Improvements ✅

  • Package Version Mismatch Detection: New checkForMismatchedPackages() function detects version conflicts across ZenStack packages
  • Better Error Handling: Improved error reporting and user feedback
  • Watch Mode: Enhanced file watching with proper debouncing

EXCELLENT IMPROVEMENTS

Zod Package Enhancements 🎉

Outstanding work on the new ORM-style options (packages/zod/src/types.ts):

  1. Type-Safe Schema Options with proper mutual exclusion:

    select: { field1: true, field2: true }           // ✅ Valid
    include: { relation: true }, omit: { field: true } // ✅ Valid  
    select: {...}, include: {...}                    // ❌ Compile error
  2. Runtime Validation (lines 50-71): Smart validation prevents invalid option combinations

  3. Nested Relation Support: Deep type inference for related models

  4. Comprehensive Coverage: Handles create, update, and read scenarios

ORM Diagnostics System ✅

  • New Performance Monitoring: $diagnostics property tracks slow queries and cache stats
  • Memory Efficient: Minimal overhead while providing valuable insights
  • Developer Friendly: Easy access to performance metrics

📊 TEST COVERAGE ANALYSIS

Comprehensive Coverage ✅:

  • Package Tests: 54 test files across core packages
  • E2E Tests: 117 test files including real-world schemas (cal.com, formbricks, trigger.dev)
  • No Focused Tests: Clean - no .only() calls found that would skip other tests
  • Regression Tests: Proper structure for GitHub issue regression testing

Coverage Quality: The test suite appears thorough with both unit tests and integration tests covering critical functionality.


PERFORMANCE CONSIDERATIONS

Potential Concerns:

  1. Plugin System Memory: New client isolation in ORM may create memory pressure under high load
  2. Large OpenAPI Generation: 1,088-line file could impact startup time
  3. VSCode Extension: Multiple external API calls without caching

Positive Changes:

  • Kysely-based ORM: Maintains efficient query building
  • Diagnostics Overhead: Minimal performance impact while providing insights

🔄 BREAKING CHANGES ASSESSMENT

Low Risk ✅ - Most changes are additive:

  • Zod package adds new optional features without changing existing API
  • ORM client maintains backward compatibility
  • New VSCode extension features are opt-in
  • CLI improvements enhance existing functionality

📋 RECOMMENDATIONS

🚨 Critical Actions Required Before Merge

  1. Fix JWT Security Vulnerability: Implement proper JWT signature verification using a cryptographic library like jose or jsonwebtoken
  2. Add Token Validation: Check JWT expiration before using stored tokens
  3. Implement Rate Limiting: Prevent authentication abuse

💡 Recommended Improvements

  1. Refactor OpenAPI Generator: Consider splitting the 1,088-line file into smaller modules
  2. Add Certificate Pinning: For external API calls in VSCode extension
  3. Monitor Memory Usage: Watch for potential memory leaks in new plugin system

🎯 Post-Merge Actions

  1. Security Testing: Add comprehensive security tests for VSCode extension authentication
  2. Performance Monitoring: Monitor memory usage in production with new plugin system
  3. Documentation: Update security guidelines for JWT handling best practices

🎯 OVERALL ASSESSMENT

This is a substantial and feature-rich release with excellent improvements to the Zod package and ORM diagnostics. However, the VSCode extension authentication system contains critical security vulnerabilities that must be addressed before merge.

RECOMMENDATION: CONDITIONAL APPROVAL - Approve after fixing the JWT security vulnerability.

The core ORM and Zod improvements are excellent and well-implemented. The CLI enhancements add valuable developer experience improvements. Once the security issues are resolved, this will be a solid v3.5.0 release.

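As an added illustration of the fix the review asks for (example code, not part of the PR or the ZenStack project): the quoted parse-only routine beside a hardened HS256 verifier that pins the algorithm, checks the signature in constant time and rejects expired or malformed payloads. The secret, the claims and the `signHS256` minting helper are constructed for the demo; a real client would delegate to a maintained library such as jose, as the review suggests.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Claims of interest; `exp` is seconds since the Unix epoch (RFC 7519 NumericDate).
export interface JWTClaims {
    sub?: string;
    exp?: number;
    [key: string]: unknown;
}

const b64url = (s: string): string => Buffer.from(s, 'utf8').toString('base64url');

// Parse-only routine as quoted in the review: returns whatever the payload says.
export function parseJWTClaimsUnverified(token: string): JWTClaims {
    const parts = token.split('.');
    const decoded = Buffer.from(parts[1]!, 'base64url').toString('utf8');
    return JSON.parse(decoded);
}

// Hardened variant (example, not the project's code): the token is only
// trusted after structure, pinned algorithm, HMAC signature and expiry
// all check out.  Returns null on any failure so callers cannot skip it.
export function verifyJWTClaims(
    token: string,
    secret: string,
    nowSeconds: number = Math.floor(Date.now() / 1000),
): JWTClaims | null {
    const parts = token.split('.');
    if (parts.length !== 3) return null;
    const [header, payload, signature] = parts as [string, string, string];

    // Pin the algorithm; the token must never choose it ("none", key confusion).
    let alg: unknown;
    try {
        alg = JSON.parse(Buffer.from(header, 'base64url').toString('utf8')).alg;
    } catch {
        return null;
    }
    if (alg !== 'HS256') return null;

    // Constant-time comparison; compare lengths first because timingSafeEqual
    // throws when they differ.
    const expected = createHmac('sha256', secret).update(`${header}.${payload}`).digest();
    const actual = Buffer.from(signature, 'base64url');
    if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;

    let claims: unknown;
    try {
        claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
    } catch {
        return null;
    }
    // Same shape check the review asked for on `auth`: object, not null, not array.
    if (typeof claims !== 'object' || claims === null || Array.isArray(claims)) return null;
    const c = claims as JWTClaims;
    // Reject a missing or past `exp` so a stored token cannot be reused indefinitely.
    if (typeof c.exp !== 'number' || c.exp <= nowSeconds) return null;
    return c;
}

// Minting helper standing in for the identity provider (constructed for the demo).
export function signHS256(claims: JWTClaims, secret: string): string {
    const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
    const payload = b64url(JSON.stringify(claims));
    const sig = createHmac('sha256', secret).update(`${header}.${payload}`).digest();
    return `${header}.${payload}.${sig.toString('base64url')}`;
}

// Side-by-side comparison on constructed tokens; the secret is a placeholder.
export function demo() {
    const SECRET = 'constructed-demo-secret';
    const now = 1_700_000_000;
    const good = signHS256({ sub: 'alice', exp: now + 3600 }, SECRET);
    const wrongKey = signHS256({ sub: 'bob', exp: now + 3600 }, 'not-the-server-secret');
    const expired = signHS256({ sub: 'alice', exp: now - 1 }, SECRET);
    const goodPayload = good.split('.')[1]!;
    const algNone = `${b64url(JSON.stringify({ alg: 'none' }))}.${goodPayload}.`;
    return {
        parseOnlyTrustsWrongKey: parseJWTClaimsUnverified(wrongKey).sub, // 'bob'
        verifiedGood: verifyJWTClaims(good, SECRET, now)?.sub ?? null,   // 'alice'
        verifiedWrongKey: verifyJWTClaims(wrongKey, SECRET, now),        // null
        verifiedExpired: verifyJWTClaims(expired, SECRET, now),          // null
        verifiedAlgNone: verifyJWTClaims(algNone, SECRET, now),          // null
    };
}
```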

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude
Contributor

claude bot commented Mar 24, 2026

Claude finished @ymc9's task
@ymc9 ymc9 merged commit c801726 into main Mar 24, 2026
10 checks passed