4 issues found across 25 files
Confidence score: 3/5
- There’s some meaningful merge risk: `src/events/events.spec.ts` adds new Resend Events/workflow SDK operations without explicit confirmation of required production API-key permissions, which can lead to authorization failures or policy non-compliance after release.
- `src/workflows/workflows.spec.ts` and `src/events/events.spec.ts` include API-key-like hardcoded token strings in tests; even in test artifacts, this is a security hygiene concern and should be replaced with redacted placeholders before merging.
- In `src/events/events.spec.ts`, a test retrieves `data` without asserting it, so regressions in `events.get` response handling may slip through undetected.
- Pay close attention to `src/events/events.spec.ts` and `src/workflows/workflows.spec.ts` - permission-check compliance and token redaction need to be resolved to reduce risk.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/events/events.spec.ts">
<violation number="1" location="src/events/events.spec.ts:15">
P2: Avoid committing raw API tokens in tests; use a redacted placeholder value instead.
(Based on your team's feedback about redacting secrets from test artifacts.) [FEEDBACK_USED]</violation>
<violation number="2" location="src/events/events.spec.ts:131">
P1: Custom agent: **API Key Permission Check SDK Methods**
Rule 1 (API Key Permission Check SDK Methods) is violated: this PR introduces new Resend Events/workflow SDK operations without an explicit confirmation that production API keys have the required permissions for these endpoints. Add a permission-scope verification note/check before release to avoid runtime authorization failures.</violation>
<violation number="3" location="src/events/events.spec.ts:257">
P2: The test fetches `data` but never asserts it, so regressions in `events.get` response handling can pass unnoticed.</violation>
</file>
<file name="src/workflows/workflows.spec.ts">
<violation number="1" location="src/workflows/workflows.spec.ts:17">
P2: Do not commit API-key-like secrets in test code; replace hardcoded token strings with a redacted dummy/test value.
(Based on your team's feedback about redacting secrets from test artifacts.) [FEEDBACK_USED]</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Add one-off context when rerunning by tagging `@cubic-dev-ai` with guidance or docs links (including `llms.txt`)
- Ask questions if you need clarification on any suggestion
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
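The redaction findings above all concern one pattern: a key-shaped literal passed to `new Resend(...)` in a spec file. As an added example (not part of the PR or of the review bot's output), here is a small JavaScript check that flags such literals while letting obvious placeholders and environment lookups through. The `re_` plus 20-or-more-character shape, the entropy threshold and the `RESEND_API_KEY` variable name are assumptions made for the illustration.

```javascript
// Added example: flag API-key-shaped string literals in test source.
// Assumption: a key looks like `re_` followed by 20+ URL-safe characters.
const KEY_SHAPE = /(['"`])(re_[A-Za-z0-9_-]{20,})\1/g;

// Shannon entropy in bits per character. Random key bodies score high;
// placeholders such as re_test_0000... score low.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Returns one finding per suspicious literal. The value is masked so the
// report itself never repeats the candidate secret.
function findKeyLikeLiterals(source, minEntropy = 3.5) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(KEY_SHAPE)) {
      const body = m[2].slice(3); // drop the `re_` prefix
      if (entropy(body) < minEntropy) continue; // obvious placeholder
      findings.push({ line: i + 1, masked: `re_${'*'.repeat(body.length)}` });
    }
  });
  return findings;
}

// Constructed sample input; the key-shaped value is made up for this example.
const SAMPLE_SPEC = [
  "const fetchMocker = createFetchMock(vi);",
  "const resend = new Resend('re_Q7mZp2XvL9adT4kRw8YbNc3HsJf6Ge1U');",
  "const safe = new Resend('re_test_000000000000000000000000');",
  "const fromEnv = new Resend(process.env.RESEND_API_KEY);", // assumed env name
].join('\n');

console.log(findKeyLikeLiterals(SAMPLE_SPEC));
```

Run as a pre-commit or CI step over `*.spec.ts` files, a non-empty result is the signal to swap the literal for a placeholder before the change is pushed.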
| }, | ||
| }); | ||
|
|
||
| const data = await resend.events.create({ |
P1: Custom agent: API Key Permission Check SDK Methods
Rule 1 (API Key Permission Check SDK Methods) is violated: this PR introduces new Resend Events/workflow SDK operations without an explicit confirmation that production API keys have the required permissions for these endpoints. Add a permission-scope verification note/check before release to avoid runtime authorization failures.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/events/events.spec.ts, line 131:
<comment>Rule 1 (API Key Permission Check SDK Methods) is violated: this PR introduces new Resend Events/workflow SDK operations without an explicit confirmation that production API keys have the required permissions for these endpoints. Add a permission-scope verification note/check before release to avoid runtime authorization failures.</comment>
<file context>
@@ -0,0 +1,421 @@
+ },
+ });
+
+ const data = await resend.events.create({
+ name: 'user.created',
+ schema: { name: 'string', age: 'number' },
</file context>
| const fetchMocker = createFetchMock(vi); | ||
| fetchMocker.enableMocks(); | ||
|
|
||
| const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop'); |
P2: Avoid committing raw API tokens in tests; use a redacted placeholder value instead.
(Based on your team's feedback about redacting secrets from test artifacts.)
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/events/events.spec.ts, line 15:
<comment>Avoid committing raw API tokens in tests; use a redacted placeholder value instead.
(Based on your team's feedback about redacting secrets from test artifacts.) </comment>
<file context>
@@ -0,0 +1,421 @@
+const fetchMocker = createFetchMock(vi);
+fetchMocker.enableMocks();
+
+const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop');
+
+describe('Events', () => {
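Review bot: the string passed to `new Resend(...)` has the shape of a live key (an `re_` prefix and a long random-looking body), so neither a secret scanner nor a reader of the repository can tell it from a real credential. With `fetchMocker.enableMocks()` in place, the client only needs some non-empty value; use an obviously fake constant, defined once and imported by each spec file, rather than repeating this literal.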
</file context>
2 issues found across 8 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/workflow-runs/workflow-runs.spec.ts">
<violation number="1" location="src/workflow-runs/workflow-runs.spec.ts:41">
P2: Avoid hardcoding token-like API keys in tests; use an obviously redacted/dummy value instead.
(Based on your team's feedback about redacting secrets in test artifacts.) [FEEDBACK_USED]</violation>
</file>
<file name="src/workflow-runs/workflow-runs.ts">
<violation number="1" location="src/workflow-runs/workflow-runs.ts:18">
P1: Custom agent: **API Key Permission Check SDK Methods**
This PR adds new Workflow Runs SDK operations (`get`/`list`) but does not include a permission-check reminder/handling path for API keys. Per the API Key Permission Check SDK Methods rule, confirm production API keys have scopes for these new `/workflows/*/runs` operations to prevent permission-related runtime failures.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
2 issues found across 10 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/workflow-run-steps/workflow-run-steps.ts">
<violation number="1" location="src/workflow-run-steps/workflow-run-steps.ts:21">
P1: Custom agent: **API Key Permission Check SDK Methods**
This PR adds new SDK methods that call workflow run step endpoints. Please confirm that the existing production API keys are provisioned with the required permissions for these new workflow run step read operations to avoid permission failures after deployment.</violation>
</file>
<file name="src/workflow-run-steps/workflow-run-steps.spec.ts">
<violation number="1" location="src/workflow-run-steps/workflow-run-steps.spec.ts:46">
P2: Avoid hardcoding API keys in test code; use a redacted placeholder or environment variable to prevent credential leakage.
(Based on your team's feedback about redacting secrets from test recordings/cassettes even if ephemeral.) [FEEDBACK_USED]</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
1 issue found across 3 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/workflows/interfaces/workflow-step.interface.ts">
<violation number="1" location="src/workflows/interfaces/workflow-step.interface.ts:82">
P3: `WorkflowStepType` duplicates the literal step-type list already defined by `WorkflowStep`, creating a drift risk. Derive it from `WorkflowStep['type']` to keep a single source of truth.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
fbcd35d to fe596d9
7 issues found across 30 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/automations/automations.spec.ts">
<violation number="1" location="src/automations/automations.spec.ts:17">
P2: Do not hardcode API key values in tests; use a redacted placeholder or environment-driven test key instead.
(Based on your team's feedback about redacting secrets from test artifacts.) [FEEDBACK_USED]</violation>
<violation number="2" location="src/automations/automations.spec.ts:54">
P1: Custom agent: **API Key Permission Check SDK Methods**
Confirm production Resend API keys have permissions for the new Automations operations (create/list/get/remove/update). This PR introduces new SDK method usage, so keys without automations scope will fail at runtime.</violation>
</file>
<file name="src/automation-runs/automation-runs.spec.ts">
<violation number="1" location="src/automation-runs/automation-runs.spec.ts:43">
P2: Redact the API key in tests and use a placeholder or env-provided value instead.
(Based on your team's feedback about redacting secrets from test recordings/cassettes even if keys are ephemeral.) [FEEDBACK_USED]</violation>
<violation number="2" location="src/automation-runs/automation-runs.spec.ts:45">
P1: Custom agent: **API Key Permission Check SDK Methods**
The new Resend SDK methods for automation run get/list require confirming production API keys include the necessary permissions for automation run read/list operations, per the API Key Permission Check rule.</violation>
</file>
<file name="src/automation-run-steps/automation-run-steps.spec.ts">
<violation number="1" location="src/automation-run-steps/automation-run-steps.spec.ts:43">
P2: Redact the API key literal in tests; use a non-secret dummy value instead.
(Based on your team's feedback about redacting secrets.) [FEEDBACK_USED]</violation>
</file>
<file name="src/common/utils/parse-automation-to-api-options.spec.ts">
<violation number="1" location="src/common/utils/parse-automation-to-api-options.spec.ts:11">
P2: The test input `name` no longer matches the expected output `name`, causing this spec to fail.</violation>
</file>
<file name="src/automation-run-steps/automation-run-steps.ts">
<violation number="1" location="src/automation-run-steps/automation-run-steps.ts:21">
P2: Custom agent: **API Key Permission Check SDK Methods**
Confirm production API keys have permission to access the new automation run steps endpoints (get/list). The rule requires this check for newly introduced SDK methods to avoid permission failures after deployment.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| edges: [{ from: 'trigger', to: 'welcome_email', edgeType: 'default' }], | ||
| }; | ||
|
|
||
| const data = await resend.automations.create(payload); |
P1: Custom agent: API Key Permission Check SDK Methods
Confirm production Resend API keys have permissions for the new Automations operations (create/list/get/remove/update). This PR introduces new SDK method usage, so keys without automations scope will fail at runtime.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/automations/automations.spec.ts, line 54:
<comment>Confirm production Resend API keys have permissions for the new Automations operations (create/list/get/remove/update). This PR introduces new SDK method usage, so keys without automations scope will fail at runtime.</comment>
<file context>
@@ -0,0 +1,403 @@
+ edges: [{ from: 'trigger', to: 'welcome_email', edgeType: 'default' }],
+ };
+
+ const data = await resend.automations.create(payload);
+ expect(data).toMatchInlineSnapshot(`
+ {
</file context>
|
|
||
| const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop'); | ||
| await expect( | ||
| resend.automations.runs.get(options), |
P1: Custom agent: API Key Permission Check SDK Methods
The new Resend SDK methods for automation run get/list require confirming production API keys include the necessary permissions for automation run read/list operations, per the API Key Permission Check rule.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/automation-runs/automation-runs.spec.ts, line 45:
<comment>The new Resend SDK methods for automation run get/list require confirming production API keys include the necessary permissions for automation run read/list operations, per the API Key Permission Check rule.</comment>
<file context>
@@ -0,0 +1,202 @@
+
+ const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop');
+ await expect(
+ resend.automations.runs.get(options),
+ ).resolves.toMatchInlineSnapshot(`
+ {
</file context>
| const fetchMocker = createFetchMock(vi); | ||
| fetchMocker.enableMocks(); | ||
|
|
||
| const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop'); |
P2: Do not hardcode API key values in tests; use a redacted placeholder or environment-driven test key instead.
(Based on your team's feedback about redacting secrets from test artifacts.)
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/automations/automations.spec.ts, line 17:
<comment>Do not hardcode API key values in tests; use a redacted placeholder or environment-driven test key instead.
(Based on your team's feedback about redacting secrets from test artifacts.) </comment>
<file context>
@@ -0,0 +1,403 @@
+const fetchMocker = createFetchMock(vi);
+fetchMocker.enableMocks();
+
+const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop');
+
+afterEach(() => fetchMock.resetMocks());
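Review bot: `afterEach(() => fetchMock.resetMocks())` refers to `fetchMock`, while the mock created at the top of this hunk is bound to `fetchMocker`. If `fetchMock` is a global installed by `enableMocks()`, the reset works, but mixing the two names hides that dependency. Call `fetchMocker.resetMocks()` so the reset visibly targets the instance this file created.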
</file context>
|
|
||
| mockSuccessResponse(response, {}); | ||
|
|
||
| const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop'); |
P2: Redact the API key in tests and use a placeholder or env-provided value instead.
(Based on your team's feedback about redacting secrets from test recordings/cassettes even if keys are ephemeral.)
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/automation-runs/automation-runs.spec.ts, line 43:
<comment>Redact the API key in tests and use a placeholder or env-provided value instead.
(Based on your team's feedback about redacting secrets from test recordings/cassettes even if keys are ephemeral.) </comment>
<file context>
@@ -0,0 +1,202 @@
+
+ mockSuccessResponse(response, {});
+
+ const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop');
+ await expect(
+ resend.automations.runs.get(options),
</file context>
|
|
||
| mockSuccessResponse(response, {}); | ||
|
|
||
| const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop'); |
P2: Redact the API key literal in tests; use a non-secret dummy value instead.
(Based on your team's feedback about redacting secrets.)
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/automation-run-steps/automation-run-steps.spec.ts, line 43:
<comment>Redact the API key literal in tests; use a non-secret dummy value instead.
(Based on your team's feedback about redacting secrets.) </comment>
<file context>
@@ -0,0 +1,207 @@
+
+ mockSuccessResponse(response, {});
+
+ const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop');
+ await expect(
+ resend.automations.runs.steps.get(options),
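Review bot: the expectation on `resend.automations.runs.steps.get(options)` checks only the resolved value, and that value comes from `mockSuccessResponse(response, {})`, so a request built with the wrong path would still pass. Unless a later line already does so, also assert on the URL the fetch mock received, so the test fails when the automation, run and step IDs are placed incorrectly.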
</file context>
| options: GetAutomationRunStepOptions, | ||
| ): Promise<GetAutomationRunStepResponse> { | ||
| const data = await this.resend.get<GetAutomationRunStepResponseSuccess>( | ||
| `/automations/${options.automationId}/runs/${options.runId}/steps/${options.stepId}`, |
P2: Custom agent: API Key Permission Check SDK Methods
Confirm production API keys have permission to access the new automation run steps endpoints (get/list). The rule requires this check for newly introduced SDK methods to avoid permission failures after deployment.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/automation-run-steps/automation-run-steps.ts, line 21:
<comment>Confirm production API keys have permission to access the new automation run steps endpoints (get/list). The rule requires this check for newly introduced SDK methods to avoid permission failures after deployment.</comment>
<file context>
@@ -0,0 +1,38 @@
+ options: GetAutomationRunStepOptions,
+ ): Promise<GetAutomationRunStepResponse> {
+ const data = await this.resend.get<GetAutomationRunStepResponseSuccess>(
+ `/automations/${options.automationId}/runs/${options.runId}/steps/${options.stepId}`,
+ );
+ return data;
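Review bot: the template literal on the path line interpolates `options.automationId`, `options.runId` and `options.stepId` into the URL unencoded, so an ID containing `/`, `?` or `#` changes which endpoint is requested. Wrap each segment in `encodeURIComponent(...)`, or validate the IDs before building the path. The `const data = await ...` and `return data;` pair can also collapse into a direct return.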
</file context>
1 issue found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/workflow-run-steps/workflow-run-steps.ts">
<violation number="1" location="src/workflow-run-steps/workflow-run-steps.ts:21">
P1: Custom agent: **API Key Permission Check SDK Methods**
This change introduces calls to the Resend `/automations` endpoints, which are new provider operations. Confirm production API keys have the required permissions for automation workflow runs to avoid permission failures after deployment.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Co-authored-by: Cursor Agent <cursoragent@cursor.com>