chore: next16

[softmarshmallow]

• next@15.3.8 => next@16.1.2 (latest)
• react@19.2.1 => react@19.2.3
• bump sentry to 10.34.0

Summary by CodeRabbit

• Chores

  • Upgraded Next.js to 16.1.2 and React to 19.2.3 across apps
  • Switched dev/lint scripts and refreshed ESLint configs and ignore rules

• Bug Fixes

  • Added validation to reject invalid route IDs early
  • Hardened logging to avoid crashes from logger failures

• Refactor

  • Switched TypeScript JSX runtime to react-jsx
  • Broadened private-path guards to treat additional endpoints as not-found

• Documentation

  • Cleaned up agent notes and ignore list entries

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
docs	Ready	Preview, Comment	Jan 17, 2026 8:07am
grida	Ready	Preview, Comment	Jan 17, 2026 8:07am

5 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
code	Ignored		Jan 17, 2026 8:07am
legacy	Ignored		Jan 17, 2026 8:07am
backgrounds	Skipped		Jan 17, 2026 8:07am
blog	Skipped		Jan 17, 2026 8:07am
viewer	Skipped		Jan 17, 2026 8:07am

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Upgrades Next.js and React; modernizes ESLint configs to use defineConfig/globalIgnores; updates tsconfig JSX/runtime and includes; converts many route params from numeric to string with runtime parsing/validation; removes turbopack from dev scripts and applies assorted config/type cleanups.

Changes

Cohort / File(s)	Summary
ESLint Configuration Modernization apps/backgrounds/eslint.config.mjs, apps/viewer/eslint.config.mjs, editor/eslint.config.mjs	Replace compat/FlatCompat-based configs with defineConfig + globalIgnores; directly include core-web-vitals and TypeScript presets and override default ignores.
App package.json & tooling apps/backgrounds/package.json, apps/viewer/package.json, editor/package.json, package.json	Bump Next/React and related deps to align with Next 16.1.2 / React 19.2.3; remove turbopack flag from dev script; change lint script to eslint; update eslint-config-next versions.
TypeScript config updates apps/backgrounds/tsconfig.json, apps/viewer/tsconfig.json, editor/tsconfig.json	Switch JSX runtime to react-jsx; add .next/dev/types/**/*.ts and **/*.mts to includes; compact/normalize JSON formatting.
Editor route param validation (string → parsed number) editor/app/(api)/private/.../[project_id]/*, editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/*, editor/app/(api)/private/workspace/[organization_id]/*, editor/app/(api)/private/workspace/[organization_id]/projects/[project_id]/tags/route.ts, editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/x/*	Change route Params types from number to string; add runtime Number(...) parsing with isFinite() checks and early returns (notFound/400) for invalid IDs.
Tenant / legacy access route editor/app/(tenant)/~/[tenant]/api/p/access/route.ts	Replace policy param with tenant; change POST signature to accept { params }; read policy from query string; return 410 in production for this legacy endpoint.
Next / Sentry & misc editor updates editor/next.config.ts, editor/next-env.d.ts, editor/proxy.ts, editor/.gitignore, editor/AGENTS.md	Remove some Sentry build option fields and unify withMDX usage; drop ambient refs from next-env.d.ts; rename middleware → proxy and add defensive host/URL checks; add next-env.d.ts to .gitignore; remove Notes from AGENTS.md.

Sequence Diagram(s)

(Skipped — changes are configuration and input-validation focused and do not introduce a new multi-component sequential flow that requires visualization.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• Ops - Sentry setup #325: Overlaps editor Next.js / Sentry configuration and ignore rules changes.
• (CVE-2025-55182) #460: Overlaps dependency/version bumps in apps/backgrounds/package.json.
• Next15 - bump to React19 + Next15 #322: Related ESLint and tooling adjustments for apps/backgrounds.

Suggested labels

migration

Suggested reviewers

• kmk142789

Poem

🐰 I hopped through configs, tidy and spry,

ESLint now sings beneath a clearer sky,
IDs turned to strings, then parsed with care,
React‑JSX nests comfy everywhere,
A carrot for CI — nibble, then fly!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 31.58% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: next16' accurately reflects the main objective of the PR: upgrading Next.js from version 15 to 16, along with related React and dependency updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codemod-next16

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Fix all issues with AI agents

In
`@editor/app/`(api)/private/editor/x-supabase/projects/[supabase_project_id]/custom-schema/route.ts:
- Around line 15-21: The current code uses assert() to validate the route param
supabase_project_id (derived from supabase_project_id_param and Number(...) into
supabase_project_id) which throws and yields a 500; replace this with an
explicit validation that checks Number.isFinite(supabase_project_id) and, when
invalid, returns a new Response with a 400 status and a clear error message
(matching the style used in secure-service-key/route.ts) instead of throwing;
keep the rest of the handler logic unchanged and reference the same
supabase_project_id variable for downstream use.

In `@editor/app/`(tenant)/~/[tenant]/api/p/access/route.ts:
- Around line 65-73: The code currently uses assert(policyid, "policy is
required") after reading policy via req.nextUrl.searchParams.get("policy"),
which can throw a 500; replace that with an explicit check and return a 400
Response (e.g., if (!policyid) return new Response("policy is required", {
status: 400 })); ensure this check happens before further processing of
headers()/haccept/hcontenttype/reqformdata or is wrapped appropriately so
missing policy yields a controlled 400 instead of an uncaught exception.

In `@editor/next-env.d.ts`:
- Line 3: Replace the hard import line import "./.next/types/routes.d.ts"; in
next-env.d.ts with a type-only, non-runtime triple-slash reference (e.g., ///
<reference path="./.next/types/routes.d.ts" />) to avoid executing a module
import and reduce build-time issues, or alternatively ensure turbo typecheck
depends on build by adding the build -> typecheck dependency in turbo.json so
.next/types is generated before typechecking; update next-env.d.ts (the import
line) or turbo.json accordingly.

In `@package.json`:
- Around line 38-40: The package.json bump to Next.js 16.1.2 conflicts with the
repo standard in AGENTS.md (Next.js 15); either revert the dependency change in
package.json back to the Next.js 15.x version and update any dependency override
blocks, or keep Next.js 16 and update AGENTS.md to document the new standard
plus add a changeset entry explaining the rationale and listing required
breaking-change fixes (async request handlers, middleware pattern,
caching/revalidation API, parallel routes, TypeScript types); if choosing
Next.js 16, also scan and update any code that uses the async request APIs,
middleware, caching/revalidation, and parallel routes to match the new patterns
so the repo remains consistent.

🧹 Nitpick comments (7)

editor/app/(api)/private/customers/[project_id]/with-csv/route.ts (2)

92-97: Consider returning a 400 response instead of throwing an assertion error.

The assert throws an AssertionError that results in a 500 Internal Server Error. For API routes, returning a proper 400 Bad Request with a JSON body is more informative for clients.

That said, the async params pattern and Number.isFinite() validation are correct for Next.js 16.

🔧 Suggested improvement

   const { project_id: project_id_param } = await params;
   const project_id = Number(project_id_param);
-  assert(
-    Number.isFinite(project_id),
-    "Invalid project_id (expected a numeric route param)"
-  );
+  if (!Number.isFinite(project_id)) {
+    return NextResponse.json(
+      { error: "Invalid project_id (expected a numeric route param)" },
+      { status: 400 }
+    );
+  }

---

158-163: Same suggestion applies here—consider returning 400 instead of throwing.

Same pattern as POST; the same refactor to return a proper 400 response would improve client error handling.

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/secure-service-key/route.ts (1)

16-24: Optional: extract shared param parsing between GET and POST.
Same validation block appears twice; a helper can keep behavior consistent and reduce drift.

Also applies to: 51-59

editor/app/(api)/private/workspace/[organization_id]/projects/[project_id]/tags/route.ts (1)

19-21: Verify org scoping for project tags.
organization_id from the path isn’t validated/used here. Please confirm RLS or a join elsewhere enforces that the project_id belongs to the org; if not, add an explicit org check.

editor/proxy.ts (1)

17-17: Verify all consumers were updated after the rename (consider a compatibility alias).

Line 17 renames the export from middleware to proxy. Any remaining import { middleware } or entrypoint expecting a middleware export will break. Please verify all call sites, or keep a temporary alias for safety.

♻️ Optional compatibility alias

 export async function proxy(req: NextRequest) {
   // ...
 }
+
+// Temporary alias to avoid breaking older imports
+export async function middleware(req: NextRequest) {
+  return proxy(req);
+}

apps/backgrounds/package.json (1)

7-7: Turbopack removed from dev script.

The --turbopack flag was removed from the dev command. Note that the editor package.json still uses --turbopack (line 6). Consider whether this inconsistency is intentional or if turbopack should be uniformly enabled/disabled across apps.

apps/viewer/eslint.config.mjs (1)

1-16: Consider consolidating the shared ESLint config to avoid drift.

This config matches apps/backgrounds/eslint.config.mjs and editor/eslint.config.mjs; a shared base could reduce duplication.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9d0cb4f and 067e73f.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (23)

• apps/backgrounds/eslint.config.mjs
• apps/backgrounds/package.json
• apps/backgrounds/tsconfig.json
• apps/viewer/eslint.config.mjs
• apps/viewer/package.json
• apps/viewer/tsconfig.json
• editor/app/(api)/private/customers/[project_id]/with-csv/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/custom-schema/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/secure-service-key/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/storage/buckets/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/x/[supabase_table_name]/search/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/x/auth.users/query/route.ts
• editor/app/(api)/private/workspace/[organization_id]/projects/[project_id]/tags/route.ts
• editor/app/(api)/private/workspace/[organization_id]/route.ts
• editor/app/(tenant)/~/[tenant]/api/p/access/route.ts
• editor/eslint.config.mjs
• editor/next-env.d.ts
• editor/next.config.ts
• editor/package.json
• editor/proxy.ts
• editor/tsconfig.json
• package.json

🧰 Additional context used

📓 Path-based instructions (3)

editor/app/(api)/private/**

📄 CodeRabbit inference engine (AGENTS.md)

Private editor-only API routes should be placed in /editor/app/(api)/private

Files:

• editor/app/(api)/private/customers/[project_id]/with-csv/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/custom-schema/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/x/[supabase_table_name]/search/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/storage/buckets/route.ts
• editor/app/(api)/private/workspace/[organization_id]/projects/[project_id]/tags/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/x/auth.users/query/route.ts
• editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/secure-service-key/route.ts
• editor/app/(api)/private/workspace/[organization_id]/route.ts

editor/app/(tenant)/**

📄 CodeRabbit inference engine (AGENTS.md)

Use /editor/app/(tenant) for tenant-site rendered pages

Files:

• editor/app/(tenant)/~/[tenant]/api/p/access/route.ts

editor/**/next-env.d.ts

📄 CodeRabbit inference engine (editor/AGENTS.md)

Include next-env.d.ts file in git for the project to avoid requiring dev/build runs for typechecking in CI environments

Files:

• editor/next-env.d.ts

🧠 Learnings (6)

📓 Common learnings

Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Use Next.js 15 for web applications

Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Use React.js 19 for web applications

Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Use Node.js 22 as the main runtime for most apps

📚 Learning: 2026-01-10T04:48:31.415Z

Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Use Next.js 15 for web applications

Applied to files:

• apps/viewer/package.json
• editor/package.json
• package.json
• apps/backgrounds/package.json

📚 Learning: 2025-12-01T00:22:41.045Z

Learnt from: CR
Repo: gridaco/grida PR: 0
File: editor/AGENTS.md:0-0
Timestamp: 2025-12-01T00:22:41.045Z
Learning: Applies to editor/**/next-env.d.ts : Include `next-env.d.ts` file in git for the project to avoid requiring dev/build runs for typechecking in CI environments

Applied to files:

• apps/viewer/package.json
• editor/package.json
• apps/backgrounds/tsconfig.json
• apps/viewer/tsconfig.json
• apps/backgrounds/eslint.config.mjs
• editor/eslint.config.mjs
• apps/backgrounds/package.json
• apps/viewer/eslint.config.mjs
• editor/next-env.d.ts
• editor/tsconfig.json

📚 Learning: 2026-01-10T04:48:31.415Z

Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Use turbo for monorepo tasks, build, dev, and test commands across all packages except isolated packages

Applied to files:

• apps/viewer/package.json

📚 Learning: 2026-01-10T04:48:31.415Z

Learnt from: CR
Repo: gridaco/grida PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-10T04:48:31.415Z
Learning: Use React.js 19 for web applications

Applied to files:

• editor/package.json
• package.json

📚 Learning: 2025-12-01T00:22:19.083Z

Learnt from: CR
Repo: gridaco/grida PR: 0
File: crates/grida-canvas-wasm/AGENTS.md:0-0
Timestamp: 2025-12-01T00:22:19.083Z
Learning: Applies to crates/grida-canvas-wasm/**/main.rs : Update `grida-canvas-wasm.d.ts` TypeScript definitions file when new APIs are introduced via `main.rs`

Applied to files:

• apps/viewer/tsconfig.json
• editor/next-env.d.ts

🧬 Code graph analysis (6)

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/custom-schema/route.ts (2)

editor/app/(api)/private/customers/[project_id]/with-csv/route.ts (1)

• POST (88-144)

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/secure-service-key/route.ts (1)

• POST (49-91)

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/storage/buckets/route.ts (2)

editor/app/(api)/private/workspace/[organization_id]/route.ts (1)

• GET (8-69)

editor/lib/supabase/server.ts (1)

• createXSBClient (76-78)

apps/backgrounds/eslint.config.mjs (2)

apps/viewer/eslint.config.mjs (1)

• eslintConfig (5-16)

editor/eslint.config.mjs (1)

• eslintConfig (5-16)

editor/eslint.config.mjs (2)

apps/backgrounds/eslint.config.mjs (1)

• eslintConfig (5-16)

apps/viewer/eslint.config.mjs (1)

• eslintConfig (5-16)

apps/viewer/eslint.config.mjs (2)

apps/backgrounds/eslint.config.mjs (1)

• eslintConfig (5-16)

editor/eslint.config.mjs (1)

• eslintConfig (5-16)

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/secure-service-key/route.ts (3)

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/route.ts (1)

• GET (14-43)

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/storage/buckets/route.ts (1)

• GET (12-35)

editor/lib/supabase/server.ts (1)

• createXSBClient (76-78)

🔇 Additional comments (28)

editor/app/(api)/private/customers/[project_id]/with-csv/route.ts (2)

11-13: LGTM!

Correct type for Next.js route parameters—URL params are always strings.

---

88-97: Verify intentional upgrade from Next.js 15 to 16.

Based on learnings, the project guideline is to "Use Next.js 15 for web applications." This PR upgrades to Next.js 16.1.2. Please confirm this is an intentional upgrade and update any relevant documentation (e.g., AGENTS.md) to reflect the new version requirement.

editor/app/(tenant)/~/[tenant]/api/p/access/route.ts (3)

18-18: Params type update looks fine.

Clearer naming for the dynamic segment.

---

20-27: Legacy note/TODO is clear.

Good context on deprecation and safe‑delete intent.

---

49-61: Production guard is sensible.

Returning 410 in prod prevents accidental reliance on this legacy path.

editor/app/(api)/private/workspace/[organization_id]/route.ts (3)

6-6: Param type update looks good.

---

16-18: Good: validate the numeric org id before use.

---

44-44: Good: RPC uses the validated org id.

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/custom-schema/route.ts (1)

7-7: Param type update looks good.

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/secure-service-key/route.ts (1)

8-8: Param type update looks good.

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/x/[supabase_table_name]/search/route.ts (2)

11-11: Param type update looks good.

---

22-27: Good: validate project id before DB access.

editor/app/(api)/private/workspace/[organization_id]/projects/[project_id]/tags/route.ts (1)

6-6: Param type update looks good.

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/x/auth.users/query/route.ts (1)

7-21: Param parsing + finite guard look solid.

This keeps invalid IDs from leaking into the query path and aligns the handler with string route params.

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/storage/buckets/route.ts (1)

6-18: Good defensive handling of route params.

The string→number conversion with a finiteness check is a sensible guardrail.

editor/app/(api)/private/editor/x-supabase/projects/[supabase_project_id]/route.ts (1)

8-20: Consistent param validation across handlers.

The shared string→number + finiteness guard is clear and prevents invalid IDs in all paths.

Also applies to: 47-51, 127-131

apps/viewer/tsconfig.json (1)

14-32: TS config update looks good; please verify tooling assumptions.

Switching to react-jsx and expanding include paths aligns with React 19/Next 16, but confirm your TypeScript tooling and CI paths handle .next/dev/types/**/*.ts and **/*.mts inputs as expected.

apps/viewer/package.json (1)

6-31: Script/deps updates look fine; verify lint coverage with the new CLI.

Switching from next lint to eslint can change which files are linted and how ignores are applied. Please confirm the flat config preserves the same file targets and Next.js rules so lint coverage stays consistent.

editor/tsconfig.json (2)

3-4: JSX runtime and target settings look appropriate for the upgrade.

The change from "preserve" to "react-jsx" aligns with React 19's automatic JSX runtime, eliminating the need for import React from 'react' in every file. The explicit ES2017 target is a reasonable baseline.

Also applies to: 14-14

---

29-31: Good addition of type patterns for improved type coverage.

Including .next/dev/types/**/*.ts captures development-time generated types, and **/*.mts supports ES module TypeScript files. This aligns with the broader tooling modernization in the PR.

apps/backgrounds/tsconfig.json (1)

1-34: Configuration is consistent with editor/tsconfig.json.

The TSConfig changes (JSX runtime, target, and include patterns) align with the broader Next.js 16 + React 19 upgrade and match the editor configuration. This consistency aids maintainability across the monorepo.

editor/package.json (3)

61-62: Core dependency upgrades are coordinated and aligned.

The Next.js ecosystem packages (@next/mdx, @next/third-parties, next, eslint-config-next) are all aligned to 16.1.2, and React/ReactDOM are updated to 19.2.3. The type definitions (@types/react, @types/react-dom) are also updated to match. This coordinated upgrade reduces version mismatch risks.

Also applies to: 180-180, 186-186, 190-190

---

261-262: Type definitions and ESLint config updated appropriately.

The @types/react (19.2.8) and @types/react-dom (19.2.3) are updated to align with the React runtime versions. The eslint-config-next is aligned with the Next.js version.

Also applies to: 271-271

---

96-96: No action needed – @sentry/nextjs 10.34.0 includes Next.js 16 support.

The version upgrade to 10.34.0 specifically includes changes to handle Next.js 16's bundler defaults and Turbopack support. The project is running Next.js 16.1.2, and no compatibility issues have been reported.

apps/backgrounds/package.json (1)

14-14: Next.js 16 is stable and production-ready.

Next.js 16 was released as a stable major version on October 21, 2025 with full production support, documentation, and upgrade guidance (last updated Dec 9, 2025). The upgrade to 16.1.2 is appropriate and safe to proceed with.

apps/backgrounds/eslint.config.mjs (1)

1-18: ESLint flat config is correct and consistent with other apps in the monorepo.

The configuration correctly uses the modern ESLint 9.x flat config format. The import { defineConfig, globalIgnores } from "eslint/config" import path is valid for ESLint 9, and the pattern matches apps/viewer/eslint.config.mjs and editor/eslint.config.mjs exactly. The globalIgnores override properly suppresses the default ignores from eslint-config-next.

editor/eslint.config.mjs (1)

1-16: LGTM — flat-config migration is consistent.

Looks aligned with the other app configs and preserves the same ignore behavior.

editor/next.config.ts (1)

247-249: Confirm Next.js 16 aligns with repo guidance.

editor/AGENTS.md indicates using Next.js 15 for web apps, but this PR upgrades to Next 16. Please confirm the guidance is updated or document an exception before merge. Based on learnings, please verify and update the policy if needed.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's check if the file exists and read its content
cat -n editor/app/\(api\)/private/editor/x-supabase/projects/\[supabase_project_id\]/custom-schema/route.ts

Repository: gridaco/grida

Length of output: 2454

---

🏁 Script executed:

# Also check the directory structure to understand the context
ls -la editor/app/\(api\)/private/editor/x-supabase/projects/

Repository: gridaco/grida

Length of output: 296

---

🏁 Script executed:

# Search for how assert is used in the codebase and where it's imported from
rg "import.*assert" --type ts --type tsx -A 2 -B 2

Repository: gridaco/grida

Length of output: 84

---

🏁 Script executed:

# Look for similar validation patterns in the API routes
rg "NextResponse\.json.*400" --type ts --type tsx -B 3 -A 1 editor/app/

Repository: gridaco/grida

Length of output: 84

---

🏁 Script executed:

# Search for other route param validations in private API routes
rg "Number\(" editor/app/\(api\)/private --type ts -B 3 -A 3

Repository: gridaco/grida

Length of output: 13801

---

🏁 Script executed:

# Search for NextResponse.json with 400 status to see the pattern
rg "NextResponse\.json.*status.*40[0-9]" editor/app/\(api\)/private --type ts -B 2 -A 2

Repository: gridaco/grida

Length of output: 3131

---

🏁 Script executed:

# Look for input validation patterns in this directory
rg "if.*!Number\.isFinite|if.*isNaN" editor/app/ --type ts -B 2 -A 3

Repository: gridaco/grida

Length of output: 9243

---

🏁 Script executed:

# Check what assert does and how errors are caught
rg "assert\(" editor/app/\(api\)/private --type ts -B 1 -A 1 | head -50

Repository: gridaco/grida

Length of output: 3304

---

Replace assert() with explicit 400 response for invalid route parameters.
assert() throws uncaught exceptions resulting in 500 errors. Use a proper validation check that returns 400 instead, consistent with other supabase_project_id validations in this directory (see secure-service-key/route.ts).

🛠️ Proposed fix

-  const supabase_project_id = Number(supabase_project_id_param);
-  assert(
-    Number.isFinite(supabase_project_id),
-    "Invalid supabase_project_id (expected a numeric route param)"
-  );
+  const supabase_project_id = Number(supabase_project_id_param);
+  if (!Number.isFinite(supabase_project_id)) {
+    return NextResponse.json(
+      { error: "Invalid supabase_project_id" },
+      { status: 400 }
+    );
+  }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const { supabase_project_id: supabase_project_id_param } =
	await context.params;
	const supabase_project_id = Number(supabase_project_id_param);
	assert(
	Number.isFinite(supabase_project_id),
	"Invalid supabase_project_id (expected a numeric route param)"
	);
	const { supabase_project_id: supabase_project_id_param } =
	await context.params;
	const supabase_project_id = Number(supabase_project_id_param);
	if (!Number.isFinite(supabase_project_id)) {
	return NextResponse.json(
	{ error: "Invalid supabase_project_id" },
	{ status: 400 }
	);
	}

🤖 Prompt for AI Agents

In
`@editor/app/`(api)/private/editor/x-supabase/projects/[supabase_project_id]/custom-schema/route.ts
around lines 15 - 21, The current code uses assert() to validate the route param
supabase_project_id (derived from supabase_project_id_param and Number(...) into
supabase_project_id) which throws and yields a 500; replace this with an
explicit validation that checks Number.isFinite(supabase_project_id) and, when
invalid, returns a new Response with a 400 status and a clear error message
(matching the style used in secure-service-key/route.ts) instead of throwing;
keep the rest of the handler logic unchanged and reference the same
supabase_project_id variable for downstream use.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Avoid throwing on missing policy query param.

assert(policyid) will throw and surface as a 500 because it’s outside the try/catch. Consider a 400 response instead.

💡 Suggested fix

-  const policyid = req.nextUrl.searchParams.get("policy");
-  assert(policyid, "policy is required");
+  const policyid = req.nextUrl.searchParams.get("policy");
+  if (!policyid) {
+    return NextResponse.json(
+      { error: "policy is required" },
+      { status: 400 }
+    );
+  }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// NOTE: [tenant] is a dynamic route segment for this handler, even if we don't use it directly yet.
	const { tenant } = await params;
	const headerslist = await headers();
	const accept = haccept(headerslist.get("accept"));
	const contenttype = hcontenttype(headerslist.get("content-type"));
	const formdata = await reqformdata(req, contenttype);
	const { policy: policyid } = await context.params;
	const policyid = req.nextUrl.searchParams.get("policy");
	assert(policyid, "policy is required");
	// NOTE: [tenant] is a dynamic route segment for this handler, even if we don't use it directly yet.
	const { tenant } = await params;
	const headerslist = await headers();
	const accept = haccept(headerslist.get("accept"));
	const contenttype = hcontenttype(headerslist.get("content-type"));
	const formdata = await reqformdata(req, contenttype);
	const policyid = req.nextUrl.searchParams.get("policy");
	if (!policyid) {
	return NextResponse.json(
	{ error: "policy is required" },
	{ status: 400 }
	);
	}

🤖 Prompt for AI Agents

In `@editor/app/`(tenant)/~/[tenant]/api/p/access/route.ts around lines 65 - 73,
The code currently uses assert(policyid, "policy is required") after reading
policy via req.nextUrl.searchParams.get("policy"), which can throw a 500;
replace that with an explicit check and return a 400 Response (e.g., if
(!policyid) return new Response("policy is required", { status: 400 })); ensure
this check happens before further processing of
headers()/haccept/hcontenttype/reqformdata or is wrapped appropriately so
missing policy yields a controlled 400 instead of an uncaught exception.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 26a620ea7b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore Next middleware entrypoint

Next.js only executes middleware when it is exported from a root-level middleware.ts (or .js). Renaming the file to proxy.ts and the export to proxy means no middleware will run at all, so the maintenance-mode rewrite, tenant subdomain routing, and updateSession logic are skipped for every request. I searched the repo and there is no remaining export async function middleware in editor, so this effectively disables those behaviors in all environments.

Useful? React with 👍 / 👎.