Dev

[BuckyMcYolo]

Summary by CodeRabbit

• New Features

  • Login and signup pages plus an authenticated dashboard with sign-out.
  • Frontend bootstrapped for Vite with a new entry, routing, and devtools in development.
  • New fonts and styling baseline applied.

• Refactor

  • Migrated web app from Next.js to Vite; routing and initialization reorganized.
  • API now has configured CORS and forwards auth requests to the auth service.
  • Database and schemas standardized to UUIDs and expanded to support organization roles/ownership.

[coderabbitai]

Warning

Rate limit exceeded

@BuckyMcYolo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 25 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Migrates the web app from Next.js to a Vite + TanStack Router frontend, adds frontend auth routes and an auth client, integrates the auth handler into the API, and expands the database schema to support guilds, roles, and UUID primary/foreign keys; also adds environment schema and Vite/TS configs.

Changes

Cohort / File(s)	Summary
API Configuration & Auth Integration apps/api/package.json, apps/api/src/app.ts	Added workspace dependency @repo/auth; integrated auth handler by forwarding /api/auth/** to auth.handler; replaced CORS with env-driven origin and credentials enabled.
Web Framework Migration apps/web/package.json, apps/web/vite.config.ts, apps/web/tsconfig.json, packages/typescript-config/vite-react.json, apps/web/vite-env.d.ts	Replaced Next.js with Vite: updated scripts, dependencies, added vite config, switched tsconfig extend to vite-react, added Vite client types.
Web App Entry & Routing apps/web/index.html, apps/web/src/main.tsx, apps/web/src/routes/..., apps/web/src/styles/fonts.css	New Vite entrypoint bootstrapping QueryClient, TanStack Router, theme provider; added route files for root, authenticated layout, login, signup, and devtools lazy-load; added font stylesheet.
Web App Removals / Cleanup apps/web/app/layout.tsx, apps/web/app/page.tsx, apps/web/app/components/providers.tsx, apps/web/README.md, apps/web/next.config.js, apps/web/.gitignore	Removed Next.js app layout, providers, default page, README content, and Next config; simplified .gitignore.
Package Workspace / PNPM apps/web/pnpm-workspace.yaml, apps/api/package.json	Removed ignoredBuiltDependencies in web pnpm workspace; added @repo/auth workspace dependency to API app.
Auth Package & Client packages/auth/src/lib/auth.ts, packages/auth/src/lib/auth-client.ts	Auth server/client now use NEXT_PUBLIC_API_URL base URL; auth init updated to include db schema, trustedOrigins in dev, organization plugin extended with ownerId and organizationRole, dynamicAccessControl enabled.
Environment Schema packages/env/src/server.ts, packages/env/src/client.ts	Added NODE_ENV enum and NEXT_PUBLIC_API_URL (normalized by addProtocol) to server env; added NODE_ENV to client env parsing.
Database Schema - Generation & Migrations packages/db/src/generated-schema.ts, packages/db/src/schemas/*.ts, packages/db/src/schemas/index.ts	Generated comprehensive pgTable schema; added guild_role table; migrated many ID columns from text to uuid; added ownerId on guild and user↔guild relations; exported new guild-roles module.
UI Component packages/ui/src/components/label.tsx	Added Label component wrapping Radix LabelPrimitive.Root with className composition and data-slot attribute.
Tooling / Linting biome.json	Adjusted includes to explicitly exclude routeTree.gen.ts.

Sequence Diagram(s)

sequenceDiagram
  participant Browser as Browser (User)
  participant Web as Web App (Vite + Router)
  participant AuthClient as authClient (frontend)
  participant API as API Server (/api/auth -> auth.handler)
  participant AuthPkg as Auth Package (auth.handler)
  participant DB as Database

  Browser->>Web: Navigate to /login and submit credentials
  Web->>AuthClient: authClient.signIn.email(email,password)
  AuthClient->>API: POST /api/auth/signin (proxied)
  API->>AuthPkg: Forward raw request to auth.handler
  AuthPkg->>DB: Verify user credentials / session creation
  DB-->>AuthPkg: user/session result
  AuthPkg-->>API: response (token/session)
  API-->>AuthClient: auth response
  AuthClient-->>Web: resolve mutation, update session
  Web-->>Browser: navigate to authenticated route

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I hopped from Next to Vite tonight,
Routes and auth now snug and tight,
Guilds grow roots, UUIDs sing,
Devtools nap while users spring —
A carrot for every merge delight! 🥕

🚥 Pre-merge checks | ✅ 1 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (21 files): ⚔️ apps/api/package.json (content) ⚔️ apps/api/src/app.ts (content) ⚔️ apps/web/.gitignore (content) ⚔️ apps/web/package.json (content) ⚔️ apps/web/tsconfig.json (content) ⚔️ biome.json (content) ⚔️ packages/auth/src/lib/auth-client.ts (content) ⚔️ packages/auth/src/lib/auth.ts (content) ⚔️ packages/db/src/schemas/accounts.ts (content) ⚔️ packages/db/src/schemas/channels.ts (content) ⚔️ packages/db/src/schemas/guild-members.ts (content) ⚔️ packages/db/src/schemas/guilds.ts (content) ⚔️ packages/db/src/schemas/index.ts (content) ⚔️ packages/db/src/schemas/invitations.ts (content) ⚔️ packages/db/src/schemas/messages.ts (content) ⚔️ packages/db/src/schemas/sessions.ts (content) ⚔️ packages/db/src/schemas/two-factors.ts (content) ⚔️ packages/db/src/schemas/users.ts (content) ⚔️ packages/env/src/client.ts (content) ⚔️ packages/env/src/server.ts (content) ⚔️ pnpm-lock.yaml (content) These conflicts must be resolved before merging into main.	Resolve conflicts locally and push changes to this branch.
Title check	❓ Inconclusive	The title 'Dev' is vague and generic, providing no meaningful information about the substantial changes in this pull request, which include a major migration from Next.js to Vite, authentication system setup, database schema enhancements, and UI component additions.	Use a descriptive title that summarizes the primary change, such as 'Migrate web app from Next.js to Vite with authentication' or 'Set up authentication and refactor web app architecture'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/web/package.json (1)

30-30: ⚠️ Potential issue | 🟠 Major

Zod version mismatch between api and shared packages: api uses v3 (^3.24.2) while shared @repo/env package uses v4 (^4.3.6).

Since apps/api directly depends on @repo/env (workspace:*), this creates a version conflict. Zod 4 has breaking changes including unified error customization, stricter number validation, and new default-value semantics. When apps/api resolves its dependencies, it will install zod@^3.24.2, but @repo/env code expects zod@^4.3.6, causing type incompatibilities and potential runtime validation failures. Align apps/api to use zod@^4.3.6 to match the shared package.

🤖 Fix all issues with AI agents

In `@apps/api/src/app.ts`:
- Around line 12-16: The cors middleware in app.ts currently hardcodes origin to
"http://localhost:3000"; change it to read from an environment variable (e.g.,
process.env.CORS_ORIGIN or process.env.WEB_URL) with a sensible default for
local dev, and pass that value into the cors({ origin, credentials: true }) call
so staging/production origins work; update any config loading/typing to ensure
CORS_ORIGIN is available and documented.

In `@apps/web/package.json`:
- Line 9: The "start" script in package.json currently uses "vite preview",
which is only for local preview and not suitable as a production server; update
the "start" script to use a real static server or your chosen deployment
approach (for example replace the "start" command with a production server
command such as using the "serve" package like "serve -s dist" after running the
build, or configure your Node adapter/nginx/static host startup command), and
ensure corresponding build ("build") and postbuild steps produce the dist
directory before the new "start" command runs; target the "start" script entry
in package.json to make this change.

In `@apps/web/src/routes/login.tsx`:
- Around line 26-51: The form onSubmit calls signIn() which is the mutateAsync
promise (aliased from mutateAsync) causing potential unhandled promise
rejections; switch to the fire-and-forget mutate variant by changing the
useMutation destructure from mutateAsync: signIn to mutate: signIn (or call
signIn.mutate) so onSubmit can call signIn() without awaiting, or alternatively
await signIn() inside an async onSubmit and handle errors; update the
useMutation call (function name: useMutation) and the onSubmit handler (form
onSubmit) to use the non-async mutate symbol instead of mutateAsync to avoid
unhandled rejections.

In `@apps/web/src/routes/signup.tsx`:
- Around line 28-43: The submit handler is calling the mutateAsync alias
(signUp) which throws and causes an unhandled rejection; change the destructure
from mutateAsync: signUp to mutate: signUp in the useMutation call (keep the
existing async mutationFn and onSuccess), and update the form submit code to
call signUp(...) without awaiting or wrapping in try/catch so the mutation's
internal error state (isPending, error) handles failures; ensure no other code
awaits signUp to avoid unhandled promise rejections.

In `@packages/db/src/schemas/guilds.ts`:
- Around line 22-24: The comment on ownerId is misleading: update the comment
near ownerId and the onDelete: "restrict" clause to accurately state that using
onDelete: "restrict" prevents deletion of the referenced user (user.id) while
the guild row exists, i.e., the user deletion is blocked rather than the guild
being deleted; reference ownerId, user.id and onDelete: "restrict" in the
comment and replace the current text with a short, correct explanation like
"prevents deleting the user while a guild references them; guild row remains,
user deletion is restricted."

In `@packages/env/src/server.ts`:
- Around line 11-14: The addProtocol helper currently defaults to https://
silently; update it to validate and handle local addresses explicitly: modify
addProtocol(url: string) to first trim and check for an existing protocol, then
if none present detect localhost/127.0.0.1 or numeric loopback and default to
http:// for those cases, otherwise default to https://; alternatively (or
additionally) throw or log a clear error when a protocol is missing so callers
must supply an explicit scheme for non-https development cases. Ensure the
change is applied inside the addProtocol function and add a short
comment/docstring describing the behavior.

🧹 Nitpick comments (9)

packages/env/src/server.ts (1)

25-25: NEXT_PUBLIC_ prefix is a Next.js convention — consider renaming for the Vite migration.

Since the web app has migrated from Next.js to Vite, the NEXT_PUBLIC_ prefix no longer has framework-level meaning. Vite uses VITE_ for client-exposed variables. While this env var is parsed server-side here, the naming is misleading and will cause confusion as the codebase moves further from Next.js.

Consider renaming to something framework-agnostic like API_URL or PUBLIC_API_URL, and updating references in packages/auth/src/lib/auth-client.ts and apps/web/vite.config.ts accordingly.

apps/web/src/routes/_authenticated/index.tsx (1)

9-24: Consider handling loading state from useSession.

authClient.useSession() likely returns isPending/error states alongside data. Currently, the sign-out button renders even when session is null (still loading or unauthenticated), which may cause a brief flash of UI before the auth layout redirects. Consider destructuring isPending and showing a loading indicator, or conditionally rendering the entire block.

apps/web/vite.config.ts (1)

6-27: Consider migrating away from the NEXT_PUBLIC_ prefix now that the app uses Vite.

The config works correctly, but retaining the NEXT_PUBLIC_ prefix after moving to Vite is confusing for new contributors. Vite natively exposes VITE_-prefixed vars via import.meta.env, which would eliminate the need for the manual define block entirely. This could be a follow-up task.

packages/db/src/schemas/guild-members.ts (1)

6-23: Consider adding a unique constraint on (guildId, userId) to prevent duplicate memberships.

Without a composite unique index, a user could be inserted as a member of the same guild multiple times. This is typically enforced at the DB level.

Proposed fix

+import { index, pgTable, text, timestamp, uniqueIndex, uuid } from "drizzle-orm/pg-core"
 ...
   (table) => [
     index("guildMember_guildId_idx").on(table.guildId),
     index("guildMember_userId_idx").on(table.userId),
+    uniqueIndex("guildMember_guildId_userId_uidx").on(table.guildId, table.userId),
   ]

apps/web/src/routes/signup.tsx (1)

34-40: Variable error shadows the outer error from useMutation destructuring.

The error destructured from authClient.signUp.email on line 34 shadows the error from useMutation on line 31. This works correctly here since the inner scope is isolated, but renaming the inner variable (e.g., signUpError) would improve readability.

apps/web/src/routes/_authenticated.tsx (1)

9-31: Consider using TanStack Router's beforeLoad for auth guards.

The current useEffect-based redirect works but is client-side only and allows a brief flash of null before navigation. TanStack Router's beforeLoad can handle this more cleanly by redirecting before the component renders.

export const Route = createFileRoute("/_authenticated")({
  beforeLoad: async () => {
    // check session and throw redirect("/login") if unauthenticated
  },
  component: AuthenticatedLayout,
})

This is optional — the current approach is functional.

apps/web/src/routes/login.tsx (1)

30-34: Naming collision: error shadows outer destructured variable.

On line 32, the destructured { error } from authClient.signIn.email shadows the error from the useMutation destructuring on line 29. While this works due to scoping, it reduces readability. Consider renaming the inner one (e.g., signInError).

packages/db/src/schemas/guild-roles.ts (1)

5-23: Consider adding a unique constraint on (guildId, role) to prevent duplicate role names per guild.

Without a unique index, the same role name (e.g., "moderator") can be inserted multiple times for the same guild, leading to ambiguous permission lookups.

Proposed addition

   (table) => [
     index("guildRole_guildId_idx").on(table.guildId),
     index("guildRole_role_idx").on(table.role),
+    uniqueIndex("guildRole_guildId_role_uidx").on(table.guildId, table.role),
   ]

packages/db/src/schemas/guilds.ts (1)

30-34: Consider naming the owner relation owner instead of user for clarity.

Since guildMember also references user, naming this relation user is ambiguous. owner would make the relationship semantics immediately clear.

Proposed rename

 export const guildRelations = relations(guild, ({ one, many }) => ({
-  user: one(user, {
+  owner: one(user, {
     fields: [guild.ownerId],
     references: [user.id],
   }),

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

vite preview is not a production server.

vite preview is a lightweight static file server intended for locally previewing production builds. If this app will be deployed, you'll need a proper static hosting solution or a server (e.g., serve, nginx, or a Node adapter). Fine if this script is only used during development.

🤖 Prompt for AI Agents

In `@apps/web/package.json` at line 9, The "start" script in package.json
currently uses "vite preview", which is only for local preview and not suitable
as a production server; update the "start" script to use a real static server or
your chosen deployment approach (for example replace the "start" command with a
production server command such as using the "serve" package like "serve -s dist"
after running the build, or configure your Node adapter/nginx/static host
startup command), and ensure corresponding build ("build") and postbuild steps
produce the dist directory before the new "start" command runs; target the
"start" script entry in package.json to make this change.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Misleading comment on onDelete: "restrict".

The comment says "don't delete guild if owner deletes account," but restrict actually prevents the user from being deleted while a guild references them. The guild stays untouched — it's the user deletion that gets blocked.

Suggested comment fix

-    ownerId: uuid("owner_id") // this is the source of truth for the owner of the guild, the guildMember who owns this guild will also have role === "owner" so we will need to keep these in sync
-      .notNull()
-      .references(() => user.id, { onDelete: "restrict" }), // don't delete guild if owner deletes account
+    ownerId: uuid("owner_id") // source of truth for guild ownership; keep in sync with guildMember role === "owner"
+      .notNull()
+      .references(() => user.id, { onDelete: "restrict" }), // prevent deleting a user who still owns a guild

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ownerId: uuid("owner_id") // this is the source of truth for the owner of the guild, the guildMember who owns this guild will also have role === "owner" so we will need to keep these in sync
	.notNull()
	.references(() => user.id, { onDelete: "restrict" }), // don't delete guild if owner deletes account
	ownerId: uuid("owner_id") // source of truth for guild ownership; keep in sync with guildMember role === "owner"
	.notNull()
	.references(() => user.id, { onDelete: "restrict" }), // prevent deleting a user who still owns a guild

🤖 Prompt for AI Agents

In `@packages/db/src/schemas/guilds.ts` around lines 22 - 24, The comment on
ownerId is misleading: update the comment near ownerId and the onDelete:
"restrict" clause to accurately state that using onDelete: "restrict" prevents
deletion of the referenced user (user.id) while the guild row exists, i.e., the
user deletion is blocked rather than the guild being deleted; reference ownerId,
user.id and onDelete: "restrict" in the comment and replace the current text
with a short, correct explanation like "prevents deleting the user while a guild
references them; guild row remains, user deletion is restricted."

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@packages/auth/src/lib/auth.ts`:
- Around line 11-12: trustedOrigins is set to an empty array in production
causing cross-origin auth requests to be rejected; update the config that sets
trustedOrigins to read a new environment variable (e.g., WEB_URL or CORS_ORIGIN)
instead of defaulting to [] so production includes the frontend origin(s).
Change the logic around trustedOrigins (referencing trustedOrigins and
env.NODE_ENV) to: in development keep ["http://localhost:3000"] plus any
provided override, and in non-development read and parse the WEB_URL/CORS_ORIGIN
env var (support comma-separated values) and assign those origins to
trustedOrigins; ensure the same env var is used consistently elsewhere (e.g.,
CORS setup) so the frontend origin is allowed in production.
- Around line 27-39: The references object on additionalFields.ownerId includes
an undocumented table property; update the ownerId.references (in the
additionalFields block for ownerId) to either remove the redundant table: "user"
entry so the references object only uses the documented { model, field, onDelete
} keys (e.g., keep model: "user", field: "id", onDelete: "restrict"), or if your
Drizzle adapter requires it, explicitly document/validate that requirement and
keep it—ensure the change is applied where additionalFields.ownerId.references
is defined so the schema uses the supported syntax.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

trustedOrigins is empty in production — cross-origin auth requests will be rejected.

In non-development environments, trustedOrigins resolves to []. If the frontend is served from a different origin than the API (which is typical), better-auth will block cross-origin requests (redirects, CSRF checks) in production. You need the frontend's origin here, not an empty list.

This is the same class of problem flagged in apps/api/src/app.ts for CORS: there's no dedicated env var for the frontend/web origin. Consider adding a WEB_URL (or CORS_ORIGIN) environment variable and using it in both places.

Proposed fix (illustrative)

   trustedOrigins:
-    env.NODE_ENV === "development" ? ["http://localhost:3000"] : [],
+    env.NODE_ENV === "development"
+      ? ["http://localhost:3000"]
+      : [env.WEB_URL], // add WEB_URL to your env schema

🤖 Prompt for AI Agents

In `@packages/auth/src/lib/auth.ts` around lines 11 - 12, trustedOrigins is set to
an empty array in production causing cross-origin auth requests to be rejected;
update the config that sets trustedOrigins to read a new environment variable
(e.g., WEB_URL or CORS_ORIGIN) instead of defaulting to [] so production
includes the frontend origin(s). Change the logic around trustedOrigins
(referencing trustedOrigins and env.NODE_ENV) to: in development keep
["http://localhost:3000"] plus any provided override, and in non-development
read and parse the WEB_URL/CORS_ORIGIN env var (support comma-separated values)
and assign those origins to trustedOrigins; ensure the same env var is used
consistently elsewhere (e.g., CORS setup) so the frontend origin is allowed in
production.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

better-auth organization plugin additionalFields references syntax 2024 2025

💡 Result:

In Better Auth (2024–2025+), the references syntax is part of a field definition inside a schema/additionalFields object:

• Supported base field types in schema fields are string | number | boolean | date.
• references is an optional object: { model: string; field: string; onDelete?: "cascade" | ... } (default onDelete is cascade).[1]

Organization plugin: additionalFields + references example

import { betterAuth } from "better-auth";
import { organization } from "better-auth/plugins";

export const auth = betterAuth({
  plugins: [
    organization({
      schema: {
        member: {
          additionalFields: {
            // e.g. FK to your "sites" table
            siteId: {
              type: "string",
              required: false,
              references: {
                model: "sites",
                field: "id",
                onDelete: "cascade",
              },
            },
          },
        },
      },
    }),
  ],
});

additionalFields can be added to Organization plugin models (e.g. organization, invitation, member, team, and also organizationRole), and Better Auth will include those fields in the relevant endpoints.[2]

Sources: Better Auth plugin schema field docs (incl. references).[1] Organization plugin docs on additionalFields (incl. supported models / examples).[2]

---

🏁 Script executed:

# First, let's examine the file in question and understand the context
cat -n packages/auth/src/lib/auth.ts | head -100

Repository: BuckyMcYolo/townhall

Length of output: 2427

---

Remove or verify the undocumented table property in the ownerId references object.

The better-auth references syntax supports { model, field, onDelete }, but the code includes an additional table: "user" property that is not part of the documented API. The model: "user" correctly targets the built-in user entity (which is not aliased elsewhere in the organization plugin config), so remove the redundant table property or confirm it's required by your Drizzle adapter configuration.

🤖 Prompt for AI Agents

In `@packages/auth/src/lib/auth.ts` around lines 27 - 39, The references object on
additionalFields.ownerId includes an undocumented table property; update the
ownerId.references (in the additionalFields block for ownerId) to either remove
the redundant table: "user" entry so the references object only uses the
documented { model, field, onDelete } keys (e.g., keep model: "user", field:
"id", onDelete: "restrict"), or if your Drizzle adapter requires it, explicitly
document/validate that requirement and keep it—ensure the change is applied
where additionalFields.ownerId.references is defined so the schema uses the
supported syntax.