merge dev to main (v3.5.1)

[ymc9]

Summary by CodeRabbit

Release Notes

• Chores

  • Updated package versions to 3.5.1 (3.5.2 for VSCode extension).

• Bug Fixes

  • Enhanced plugin validation to ensure loaded modules meet required specifications.

• New Features

  • VSCode extension now includes version information in preview requests.

[claude]

Claude finished @ymc9's task —— View job

---

PR Review for v3.5.1 Release

I've completed my review of this release PR from dev to main. Here's my comprehensive analysis:

Review Checklist:

• Examine version consistency across packages
• Review code changes in action-utils.ts
• Review code changes in zmodel-preview.ts
• Check for potential bugs or security issues
• Assess performance implications
• Evaluate test coverage considerations
• Provide final recommendations

🎯 Summary

This appears to be a clean release PR for v3.5.1, consisting primarily of version bumps across all packages with two notable code improvements.

📋 Detailed Analysis

Version Consistency ✅

• All packages consistently updated to version 3.5.1
• Root package.json and all 26 package files properly synchronized
• No version mismatches detected

Code Changes

1. CLI Plugin Loading Improvements (packages/cli/src/actions/action-utils.ts)

• Change: Added validation checks for generate function presence before returning plugin objects
• Impact: Prevents invalid plugin modules from being returned
• Quality: Good defensive programming practice
• Lines: 247, 257, 297, 306 - all now validate typeof result?.generate === 'function'

2. VSCode Extension Telemetry (packages/ide/vscode/src/extension/zmodel-preview.ts)

• Change: Added extension version tracking to documentation requests
• Impact: Better telemetry and debugging capabilities
• Quality: Clean implementation following existing patterns
• Lines: Added extensionVersion field to schema and request payload

🔍 Security & Performance Assessment

Security ✅

• No security concerns identified
• Plugin validation improvements actually enhance security
• No sensitive data exposure or new attack vectors

Performance ✅

• Changes have minimal performance impact
• Plugin validation adds negligible overhead
• Extension version is cached, not computed repeatedly

Code Quality ✅

• Both changes follow existing coding patterns
• Type safety maintained with proper TypeScript usage
• Error handling remains consistent
• Clean, readable implementations

📊 Test Coverage Considerations

• Plugin loading changes should ideally have unit tests for the new validation logic
• VSCode extension changes are primarily telemetry additions (low risk)
• No critical business logic affected that would require immediate test coverage

✅ Recommendations

Approve for Release - This PR is ready for merging with the following rationale:

1. Clean Release: Standard version bump pattern with minimal, focused code improvements
2. Quality Improvements: Both code changes enhance robustness without breaking compatibility
3. Low Risk: Changes are defensive in nature and follow existing patterns
4. Proper Versioning: All packages consistently updated

Optional Follow-ups (not blocking):

• Consider adding unit tests for the new plugin validation logic in a future PR
• Document the extension version telemetry feature if not already covered

🎉 Conclusion

This is a well-executed release PR. The code changes are thoughtful improvements that enhance system reliability without introducing risks. Ready for production deployment.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR performs a version bump across the monorepo from 3.5.0 to 3.5.1 (3.5.2 for VSCode), alongside adding plugin module validation logic to the CLI and extension version tracking to the VSCode preview feature.

Changes

Cohort / File(s)	Summary
Package Version Bumps (3.5.0 → 3.5.1) package.json, packages/auth-adapters/better-auth/package.json, packages/cli/package.json, packages/clients/client-helpers/package.json, packages/clients/tanstack-query/package.json, packages/common-helpers/package.json, packages/config/eslint-config/package.json, packages/config/typescript-config/package.json, packages/config/vitest-config/package.json, packages/create-zenstack/package.json, packages/language/package.json, packages/orm/package.json, packages/plugins/policy/package.json, packages/schema/package.json, packages/sdk/package.json, packages/server/package.json, packages/testtools/package.json, packages/zod/package.json, samples/orm/package.json, tests/e2e/package.json, tests/regression/package.json, tests/runtimes/bun/package.json, tests/runtimes/edge-runtime/package.json	Updated version field from 3.5.0 to 3.5.1 in package manifests; includes minor formatting fix in CLI package.json.
VSCode Extension Update packages/ide/vscode/package.json	Bumped version from 3.5.0 to 3.5.2.
CLI Plugin Module Validation packages/cli/src/actions/action-utils.ts	Enhanced loadPluginModule to validate that imported plugin modules expose a generate function via optional chaining checks across all import paths; returns undefined if validation fails.
VSCode Preview Version Tracking packages/ide/vscode/src/extension/zmodel-preview.ts	Added extensionVersion field initialized from package manifest and included in API request payload for documentation generation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• fix(vscode): add extension version in doc preview request #2515 — Directly related; modifies the same zmodel-preview.ts file to capture and transmit extensionVersion in the documentation request.
• fix(cli): regression of CLI plugin resolution #2516 — Directly related; modifies the same action-utils.ts file to tighten plugin module validation logic for the generate function.
• merge dev to main (v3.4.4) #2451 — Related; introduced the loadPluginModule function that is now enhanced with validation checks in this PR.

Poem

🐰 A version bump hops through the land,
From 3.5.0 where we once did stand,
VSCode leaps ahead to point-two,
While plugins now validate what's true,
Extension versions join the dance—
Zenstack's progress at a glance! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly indicates the main purpose: merging the dev branch to main and releasing version 3.5.1, which aligns with the changeset's widespread version bumps across all packages.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

packages/cli/src/actions/action-utils.ts (1)

247-247: Centralize the new CliPlugin shape check.

The same generate validation is now in four branches, and the bare jiti path has already drifted slightly (result.generate vs result?.generate). A small shared guard keeps null handling and future contract changes consistent.

♻️ Proposed refactor

+    const isCliPlugin = (candidate: unknown): candidate is CliPlugin => {
+        return typeof (candidate as CliPlugin | undefined)?.generate === 'function';
+    };
+
     const importAsEsm = async (spec: string) => {
         try {
-            const result = (await import(spec)).default as CliPlugin;
-            return typeof result?.generate === 'function' ? result : undefined;
+            const result = (await import(spec)).default as unknown;
+            return isCliPlugin(result) ? result : undefined;
         } catch (err) {
             throw new CliError(`Failed to load plugin module from ${spec}: ${(err as Error).message}`);
         }
     };
@@
     const importAsTs = async (spec: string) => {
         try {
-            const result = (await jiti.import(spec, { default: true })) as CliPlugin;
-            return typeof result?.generate === 'function' ? result : undefined;
+            const result = (await jiti.import(spec, { default: true })) as unknown;
+            return isCliPlugin(result) ? result : undefined;
         } catch (err) {
             throw new CliError(`Failed to load plugin module from ${spec}: ${(err as Error).message}`);
         }
     };
@@
     try {
-        const result = (await jiti.import(moduleSpec, { default: true })) as CliPlugin;
-        return typeof result.generate === 'function' ? result : undefined;
+        const result = (await jiti.import(moduleSpec, { default: true })) as unknown;
+        return isCliPlugin(result) ? result : undefined;
     } catch {
         // fall through to last resort
     }
@@
     try {
         const mod = await import(moduleSpec);
-        return typeof mod.default?.generate === 'function' ? (mod.default as CliPlugin) : undefined;
+        return isCliPlugin(mod.default) ? mod.default : undefined;
     } catch (err) {

Also applies to: 257-257, 297-297, 306-306

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/cli/src/actions/action-utils.ts` at line 247, Multiple branches
duplicate the same "is this a CliPlugin" guard (checking result?.generate vs
result.generate) leading to drift; create a single helper like
isCliPlugin(result) and replace the four inline checks with calls to that helper
so null handling and the `generate` contract are consistent across the jiti and
other branches—search for the places that currently do typeof result?.generate
=== 'function' or typeof result.generate === 'function' and swap them to use the
new isCliPlugin utility.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/cli/src/actions/action-utils.ts`:
- Line 247: Multiple branches duplicate the same "is this a CliPlugin" guard
(checking result?.generate vs result.generate) leading to drift; create a single
helper like isCliPlugin(result) and replace the four inline checks with calls to
that helper so null handling and the `generate` contract are consistent across
the jiti and other branches—search for the places that currently do typeof
result?.generate === 'function' or typeof result.generate === 'function' and
swap them to use the new isCliPlugin utility.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 80c7864a-dfbd-44e8-bd40-0599862aeb1a

📥 Commits

Reviewing files that changed from the base of the PR and between c801726 and 826cc4e.

📒 Files selected for processing (26)

• package.json
• packages/auth-adapters/better-auth/package.json
• packages/cli/package.json
• packages/cli/src/actions/action-utils.ts
• packages/clients/client-helpers/package.json
• packages/clients/tanstack-query/package.json
• packages/common-helpers/package.json
• packages/config/eslint-config/package.json
• packages/config/typescript-config/package.json
• packages/config/vitest-config/package.json
• packages/create-zenstack/package.json
• packages/ide/vscode/package.json
• packages/ide/vscode/src/extension/zmodel-preview.ts
• packages/language/package.json
• packages/orm/package.json
• packages/plugins/policy/package.json
• packages/schema/package.json
• packages/sdk/package.json
• packages/server/package.json
• packages/testtools/package.json
• packages/zod/package.json
• samples/orm/package.json
• tests/e2e/package.json
• tests/regression/package.json
• tests/runtimes/bun/package.json
• tests/runtimes/edge-runtime/package.json