fix(jobs): post-merge security fixes + ROADMAP update #19

Merged: b-mackenzie-alexander merged 1 commit into main from chore/update-roadmap-final on Apr 23, 2026

b-mackenzie-alexander (Owner) commented Apr 23, 2026

Summary

  • Fixes three blocking issues identified in post-merge security review of the reminder email handlers
  • Fixes one medium issue (i18n pluralization) in the digest email subject
  • Applies upstream TS2353 suppression in google.ts (pre-existing bug, unrelated to reminder feature)
  • Updates ROADMAP with post-merge review findings and API test results

Security fixes (reminder email handlers)

BLOCKING-1 — send-recipient-reminder-email.handler.ts
Added reminderEnabled gate after the status !== PENDING check. Without this, a job queued by the sweep could still fire after the document owner disables reminders, since the sweep check and handler execution are not atomic.

BLOCKING-2 — send-owner-reminder-digest-email.handler.ts
Replaced single-envelope ownerReminderDigest check with a filter across all envelopes in the batch. Previously, the check used firstEnvelope.documentMeta only — non-deterministic for batches where documents have different email settings.

BLOCKING-3 — send-owner-reminder-digest-email.handler.ts
Added status: DocumentStatus.PENDING, teamId, and userId scoping to the findMany query. Without the status filter, completed documents could appear in the digest email if they were completed between sweep time and handler execution.

MEDIUM-2 — send-owner-reminder-digest-email.handler.ts
Replaced JavaScript ternary pluralization with Lingui plural() macro in the email subject. Ternary-based pluralization breaks locales with more than two plural forms (Polish, Russian, Arabic, Czech).

Test plan

  • TypeScript: no new errors in reminder handler files (tsc --noEmit on packages/lib)
  • Local API test suite: 258 passed, 5 flaky (retried and passed), 10 skipped
  • Full E2E: manual sign → wait → confirm reminder fires (pending — Warp runner queue issue ongoing)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Expanded automatic reminder functionality with owner reminder digest aggregation across applicable envelopes.
    • Comprehensive multi-language translation support for reminder configuration and notifications.
  • Bug Fixes

    • Fixed recipient reminder execution to respect disabled reminder status.
    • Improved owner reminder digest filtering to correctly handle pending status and user/team scoping.
    • Enhanced email subject pluralization for reminder digests.
  • Tests

    • Local API test suite verification: 258 tests passed.
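
The three blocking fixes described above share one pattern: the handler re-validates current state when the job runs instead of trusting what the sweep saw when it queued the job. The following TypeScript is an added example, not code from this PR or repository; the `Envelope` shape, `shouldSendRecipientReminder`, `selectDigestEnvelopes` and the sample data are assumptions made for illustration.

```typescript
// Added illustration; types, names and data are hypothetical, not the project's code.
type DocumentStatus = 'DRAFT' | 'PENDING' | 'COMPLETED';

interface Envelope {
  id: string;
  userId: number;
  teamId: number;
  status: DocumentStatus;
  documentMeta: { reminderEnabled: boolean; ownerReminderDigest: boolean };
}

// BLOCKING-1: decide from the state read at execution time, so a job queued
// before the owner disabled reminders does not send.
function shouldSendRecipientReminder(envelope: Envelope): boolean {
  if (envelope.status !== 'PENDING') return false;
  return envelope.documentMeta.reminderEnabled;
}

// BLOCKING-2 and BLOCKING-3: scope to owner, team and PENDING status, then
// apply the digest setting to every envelope instead of only the first one.
function selectDigestEnvelopes(
  all: Envelope[], queuedIds: string[], userId: number, teamId: number,
): Envelope[] {
  return all
    .filter((e) => queuedIds.indexOf(e.id) !== -1)
    .filter((e) => e.userId === userId && e.teamId === teamId && e.status === 'PENDING')
    .filter((e) => e.documentMeta.ownerReminderDigest);
}

// Constructed state as the handler sees it, after the sweep queued ids a-d:
// a has the digest off, b has reminders off, c was completed, d has another owner.
const constructedEnvelopes: Envelope[] = [
  { id: 'a', userId: 1, teamId: 10, status: 'PENDING', documentMeta: { reminderEnabled: true, ownerReminderDigest: false } },
  { id: 'b', userId: 1, teamId: 10, status: 'PENDING', documentMeta: { reminderEnabled: false, ownerReminderDigest: true } },
  { id: 'c', userId: 1, teamId: 10, status: 'COMPLETED', documentMeta: { reminderEnabled: true, ownerReminderDigest: true } },
  { id: 'd', userId: 2, teamId: 10, status: 'PENDING', documentMeta: { reminderEnabled: true, ownerReminderDigest: true } },
];

const digestIds = selectDigestEnvelopes(constructedEnvelopes, ['a', 'b', 'c', 'd'], 1, 10)
  .map((e) => e.id);
const recipientSends = constructedEnvelopes.filter(shouldSendRecipientReminder)
  .map((e) => e.id);
```

With this data a first-envelope-only check would read envelope `a` and suppress the whole digest, while the per-envelope filter keeps `b` and drops the completed and out-of-scope documents.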

coderabbitai Bot commented Apr 23, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 18560a2f-b0d0-45b1-b80b-f4ae91b4e661

📥 Commits

Reviewing files that changed from the base of the PR and between 41da97f and 8cbc6d1.

📒 Files selected for processing (15)
  • ROADMAP.md
  • packages/lib/jobs/definitions/emails/send-owner-reminder-digest-email.handler.ts
  • packages/lib/jobs/definitions/emails/send-recipient-reminder-email.handler.ts
  • packages/lib/server-only/ai/google.ts
  • packages/lib/translations/de/web.po
  • packages/lib/translations/en/web.po
  • packages/lib/translations/es/web.po
  • packages/lib/translations/fr/web.po
  • packages/lib/translations/it/web.po
  • packages/lib/translations/ja/web.po
  • packages/lib/translations/ko/web.po
  • packages/lib/translations/nl/web.po
  • packages/lib/translations/pl/web.po
  • packages/lib/translations/pt-BR/web.po
  • packages/lib/translations/zh/web.po

Walkthrough

The PR implements reminder execution logic fixes: recipient reminders now short-circuit when disabled, owner digest emails are constrained to pending documents filtered by team/user scope, email subjects use Lingui's plural() macro, and translation strings for reminder features are added across 11 languages. A TypeScript compatibility workaround is applied to the Google AI integration.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Email Handler Updates: packages/lib/jobs/definitions/emails/send-owner-reminder-digest-email.handler.ts, packages/lib/jobs/definitions/emails/send-recipient-reminder-email.handler.ts | Recipient handler adds guard clause to exit when documentMeta.reminderEnabled is false. Owner digest handler restricts envelope queries by teamId, userId, and DocumentStatus.PENDING, filters for enabled ownerReminderDigest settings, and updates all downstream computations (counts, subject line, audit logs) to operate only on eligible envelopes. Subject formatting switches to Lingui plural() macro. |
| Documentation: ROADMAP.md | Adds completed post-merge verification item and replaces integration note with detailed fix log documenting reminder execution changes, TypeScript workaround, and E2E test status updates. |
| AI Integration TypeScript Fix: packages/lib/server-only/ai/google.ts | Casts createVertex() return value to any to suppress TS2353 error related to removed apiKey property, with ESLint rule disabled for this statement. |
| Translation Files (11 Languages): packages/lib/translations/{de,en,es,fr,it,ja,ko,nl,pl,pt-BR,zh}/web.po | Adds reminder feature UI labels, validation messages, audit-log format entries, and email template strings across German, English, Spanish, French, Italian, Japanese, Korean, Dutch, Polish, Brazilian Portuguese, and Chinese catalogs. Includes placeholders for document counts, team names, and recipient details. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~14 minutes

Suggested labels

apps: web

Poem

🐰 Reminders hop through filters fine,
Recipients skip when disabled align,
Owners' digests bundle with care,
TeamId and userId declare,
Plural macros make subjects sing!

Three blocking issues found in post-merge security review:

- Recipient handler: added reminderEnabled gate so late-arriving jobs
  respect owner preference changes that occur after sweep queues the job
- Digest handler: filter all envelopes by ownerReminderDigest (was
  checking firstEnvelope only — non-deterministic for mixed batches)
- Digest handler: scope findMany to teamId + userId + PENDING status so
  completed documents cannot appear in digest email
- Digest handler: replace JS ternary pluralization with Lingui plural()
  macro for correct i18n across all supported locales
- google.ts: suppress pre-existing upstream TS2353 on apiKey property
  removed from GoogleVertexProviderSettings in current SDK version

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@b-mackenzie-alexander b-mackenzie-alexander force-pushed the chore/update-roadmap-final branch from 34e9cf5 to 8cbc6d1 Compare April 23, 2026 00:35
@b-mackenzie-alexander b-mackenzie-alexander merged commit 3f38c41 into main Apr 23, 2026
6 of 7 checks passed
@b-mackenzie-alexander b-mackenzie-alexander deleted the chore/update-roadmap-final branch April 23, 2026 00:36