@KevLehman
Member

@KevLehman KevLehman commented Dec 15, 2025

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

It also adds a new audit log, generated when a user is granted access to an object

Summary by CodeRabbit

  • Bug Fixes

    • Improved room attribute validation in access control checks for more accurate authorization enforcement.
  • New Features

    • Enhanced audit logging to distinguish between revoked and granted object access actions, providing better visibility into access control changes.
  • Tests

    • Added test coverage for auditing behavior in attribute-based access control scenarios.


@changeset-bot

changeset-bot bot commented Dec 15, 2025

⚠️ No Changeset found

Latest commit: 05b6ac7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@dionisio-bot
Contributor

dionisio-bot bot commented Dec 15, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@coderabbitai
Contributor

coderabbitai bot commented Dec 15, 2025

Walkthrough

The PR enhances ABAC auditing by threading an objectId parameter through the checkUsernamesMatchAttributes method and replacing debug logging with per-username audit calls. It updates method signatures across the service layer, audit system, and type definitions, and adds audit instrumentation to room membership operations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| ABAC Service Core: ee/packages/abac/src/index.ts, packages/core-services/src/types/IAbacService.ts | Extended checkUsernamesMatchAttributes signature to accept objectId: string parameter; replaced debug logging with per-username Audit.actionPerformed calls using the provided objectId. |
| Audit System: ee/packages/abac/src/audit.ts | Extended Audit.actionPerformed signature to accept optional actionPerformed parameter (default: 'revoked-object-access'); updated payload construction to use the parameter value instead of hardcoded string. |
| Type Definitions: packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts | Introduced AbacActionPerformed union type (`'revoked-object-access' |
| Integration Points: apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts, apps/meteor/ee/server/lib/audit/methods.ts | Updated checkUsernamesMatchAttributes call to pass room._id as third argument; added ABAC attribute filter for room lookup; updated error message string. |
| Tests: ee/packages/abac/src/service.spec.ts, apps/meteor/tests/end-to-end/api/abac.ts | Updated test calls to pass required objectId parameter; added mock for ServerEvents.createAuditServerEvent; added test cases verifying audit creation per username and absence of audit for non-compliant users. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Audit instrumentation logic in ee/packages/abac/src/index.ts requires understanding the audit system flow and parameter threading
  • Consistent pattern changes across multiple files (adding objectId parameter) reduces cognitive load
  • Type changes in core-typings affect public API surface and should be validated for backward compatibility
  • Test updates follow predictable patterns but require verification that audit behavior is correctly instrumented

Possibly related PRs

Suggested reviewers

  • tassoevan

🐰 Hops through the audit trail,
A thread of IDs, each username revealed,
Per-action events now sail,
Where ABAC's actions are sealed.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix: Prevent audit messages from reading abac rooms' clearly and specifically summarizes the main change: preventing audit messages from accessing ABAC-managed rooms, which aligns with the core modifications across multiple files that add ABAC-based guards to room retrieval and audit logging. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 1399534 and 05b6ac7.

📒 Files selected for processing (8)
  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts (1 hunks)
  • apps/meteor/ee/server/lib/audit/methods.ts (2 hunks)
  • apps/meteor/tests/end-to-end/api/abac.ts (2 hunks)
  • ee/packages/abac/src/audit.ts (2 hunks)
  • ee/packages/abac/src/index.ts (2 hunks)
  • ee/packages/abac/src/service.spec.ts (5 hunks)
  • packages/core-services/src/types/IAbacService.ts (1 hunks)
  • packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
  • ee/packages/abac/src/index.ts
  • packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts
  • packages/core-services/src/types/IAbacService.ts
  • ee/packages/abac/src/service.spec.ts
  • apps/meteor/ee/server/lib/audit/methods.ts
  • ee/packages/abac/src/audit.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

  • ee/packages/abac/src/service.spec.ts
🧠 Learnings (16)
📚 Learning: 2025-11-27T17:56:26.050Z
Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37557
File: apps/meteor/client/views/admin/ABAC/AdminABACRooms.tsx:115-116
Timestamp: 2025-11-27T17:56:26.050Z
Learning: In Rocket.Chat, the GET /v1/abac/rooms endpoint (implemented in ee/packages/abac/src/index.ts) only returns rooms where abacAttributes exists and is not an empty array (query: { abacAttributes: { $exists: true, $ne: [] } }). Therefore, in components consuming this endpoint (like AdminABACRooms.tsx), room.abacAttributes is guaranteed to be defined for all returned rooms, and optional chaining before calling array methods like .join() is sufficient without additional null coalescing.

Applied to files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
  • ee/packages/abac/src/index.ts
  • packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts
  • packages/core-services/src/types/IAbacService.ts
  • apps/meteor/ee/server/lib/audit/methods.ts
  • ee/packages/abac/src/audit.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
📚 Learning: 2025-10-27T14:38:46.994Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Applied to files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
  • ee/packages/abac/src/index.ts
  • packages/core-services/src/types/IAbacService.ts
  • apps/meteor/ee/server/lib/audit/methods.ts
  • ee/packages/abac/src/audit.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
📚 Learning: 2025-10-28T16:53:42.761Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37205
File: ee/packages/federation-matrix/src/FederationMatrix.ts:296-301
Timestamp: 2025-10-28T16:53:42.761Z
Learning: In the Rocket.Chat federation-matrix integration (ee/packages/federation-matrix/), the createRoom method from rocket.chat/federation-sdk will support a 4-argument signature (userId, roomName, visibility, displayName) in newer versions. Code using this 4-argument call is forward-compatible with planned library updates and should not be flagged as an error.

Applied to files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
  • apps/meteor/ee/server/lib/audit/methods.ts
📚 Learning: 2025-10-24T17:32:05.348Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37299
File: apps/meteor/ee/server/lib/ldap/Manager.ts:438-454
Timestamp: 2025-10-24T17:32:05.348Z
Learning: In Rocket.Chat, ABAC attributes can only be set on private rooms and teams (type 'p'), not on public rooms (type 'c'). Therefore, when checking for ABAC-protected rooms/teams during LDAP sync or similar operations, it's sufficient to query only private rooms using methods like `findPrivateRoomsByIdsWithAbacAttributes`.

Applied to files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
  • ee/packages/abac/src/index.ts
  • packages/core-services/src/types/IAbacService.ts
  • apps/meteor/ee/server/lib/audit/methods.ts
  • ee/packages/abac/src/audit.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
📚 Learning: 2025-11-04T16:49:19.107Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37377
File: apps/meteor/ee/server/hooks/federation/index.ts:86-88
Timestamp: 2025-11-04T16:49:19.107Z
Learning: In Rocket.Chat's federation system (apps/meteor/ee/server/hooks/federation/), permission checks follow two distinct patterns: (1) User-initiated federation actions (creating rooms, adding users to federated rooms, joining from invites) should throw MeteorError to inform users they lack 'access-federation' permission. (2) Remote server-initiated federation events should silently skip/ignore when users lack permission. The beforeAddUserToRoom hook only executes for local user-initiated actions, so throwing an error there is correct. Remote federation events are handled separately by the federation Matrix package with silent skipping logic.

Applied to files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
  • apps/meteor/ee/server/lib/audit/methods.ts
  • ee/packages/abac/src/audit.ts
📚 Learning: 2025-09-25T09:59:26.461Z
Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings (mapping subscription documents to room IDs), never undefined, even when user has no room subscriptions.

Applied to files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
  • apps/meteor/ee/server/lib/audit/methods.ts
📚 Learning: 2025-09-25T09:59:26.461Z
Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: AppUserBridge.getUserRoomIds in apps/meteor/app/apps/server/bridges/users.ts always returns an array of strings by mapping subscription documents to room IDs, never undefined, even when user has no room subscriptions.

Applied to files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
  • apps/meteor/ee/server/lib/audit/methods.ts
📚 Learning: 2025-09-25T09:59:26.461Z
Learnt from: Dnouv
Repo: RocketChat/Rocket.Chat PR: 37057
File: packages/apps-engine/src/definition/accessors/IUserRead.ts:23-27
Timestamp: 2025-09-25T09:59:26.461Z
Learning: UserBridge.doGetUserRoomIds in packages/apps-engine/src/server/bridges/UserBridge.ts has a bug where it implicitly returns undefined when the app lacks read permission (missing return statement in the else case of the permission check).

Applied to files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
  • apps/meteor/ee/server/lib/audit/methods.ts
📚 Learning: 2025-11-07T14:50:33.544Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37423
File: packages/i18n/src/locales/en.i18n.json:18-18
Timestamp: 2025-11-07T14:50:33.544Z
Learning: Rocket.Chat settings: in apps/meteor/ee/server/settings/abac.ts, the Abac_Cache_Decision_Time_Seconds setting uses invalidValue: 0 as the fallback when ABAC is unlicensed. With a valid license, admins can still set the value to 0 to intentionally disable the ABAC decision cache.

Applied to files:

  • apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `expect` matchers for assertions (`toEqual`, `toContain`, `toBeTruthy`, `toHaveLength`, etc.) instead of `assert` statements in Playwright tests

Applied to files:

  • ee/packages/abac/src/service.spec.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Maintain test isolation between test cases in Playwright tests

Applied to files:

  • ee/packages/abac/src/service.spec.ts
📚 Learning: 2025-12-10T21:00:43.645Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:43.645Z
Learning: Adopt the monorepo-wide Jest testMatch pattern: <rootDir>/src/**/*.spec.{ts,js,mjs} (represented here as '**/src/**/*.spec.{ts,js,mjs}') to ensure spec files under any package's src directory are picked up consistently across all packages in the Rocket.Chat monorepo. Apply this pattern in jest.config.ts for all relevant packages to maintain uniform test discovery.

Applied to files:

  • ee/packages/abac/src/service.spec.ts
📚 Learning: 2025-09-16T13:33:49.237Z
Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36890
File: apps/meteor/tests/e2e/e2e-encryption/e2ee-otr.spec.ts:21-26
Timestamp: 2025-09-16T13:33:49.237Z
Learning: The im.delete API endpoint accepts either a `roomId` parameter (requiring the actual DM room _id) or a `username` parameter (for the DM partner's username). Constructing slug-like identifiers like `user2${Users.userE2EE.data.username}` doesn't work for this endpoint.

Applied to files:

  • apps/meteor/ee/server/lib/audit/methods.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Ensure tests run reliably in parallel without shared state conflicts

Applied to files:

  • apps/meteor/tests/end-to-end/api/abac.ts
📚 Learning: 2025-11-24T17:08:17.065Z
Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/page-objects/**/*.ts : Utilize existing page objects pattern from `apps/meteor/tests/e2e/page-objects/`

Applied to files:

  • apps/meteor/tests/end-to-end/api/abac.ts
🧬 Code graph analysis (6)
apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts (1)
packages/core-services/src/index.ts (1)
  • Abac (202-202)
ee/packages/abac/src/index.ts (2)
packages/core-typings/src/IAbacAttribute.ts (1)
  • IAbacAttributeDefinition (3-14)
ee/packages/abac/src/audit.ts (1)
  • Audit (30-148)
packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts (2)
packages/core-typings/src/IUser.ts (1)
  • IUser (187-259)
packages/core-typings/src/IRoom.ts (1)
  • IRoom (22-98)
packages/core-services/src/types/IAbacService.ts (1)
packages/core-typings/src/IAbacAttribute.ts (1)
  • IAbacAttributeDefinition (3-14)
ee/packages/abac/src/audit.ts (1)
packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts (4)
  • MinimalUser (3-3)
  • MinimalRoom (4-4)
  • AbacAuditReason (6-6)
  • AbacActionPerformed (8-8)
apps/meteor/tests/end-to-end/api/abac.ts (1)
apps/meteor/tests/data/api-data.ts (3)
  • request (10-10)
  • methodCall (50-52)
  • credentials (39-42)
🔇 Additional comments (17)
apps/meteor/tests/end-to-end/api/abac.ts (2)

7-7: LGTM: methodCall import added for test coverage.

The import enables the new test case to invoke the auditGetMessages method via DDP.


390-417: LGTM: Test validates ABAC room audit prevention.

The test correctly verifies that attempting to audit messages in an ABAC-managed room returns an error indicating the room doesn't exist, aligning with the security objective of preventing audit access to ABAC rooms.

apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts (1)

21-21: LGTM: objectId parameter added for audit context.

The room._id is now passed as the third parameter to checkUsernamesMatchAttributes, enabling per-username audit events to be correlated with the specific room/object context.

apps/meteor/ee/server/lib/audit/methods.ts (2)

40-41: LGTM: ABAC room exclusion added to audit queries.

The query now filters out rooms with ABAC attributes, preventing audit message retrieval from ABAC-managed rooms. This aligns with the PR objective to prevent audit access to ABAC rooms.


169-169: LGTM: Error message apostrophe corrected.

Fixed typographical inconsistency from backtick to standard apostrophe.

packages/core-services/src/types/IAbacService.ts (1)

41-41: LGTM: objectId parameter added to interface.

The public IAbacService interface is updated to include the objectId parameter, enabling audit events to be correlated with specific objects. All callers in the PR have been updated to supply this parameter.

ee/packages/abac/src/index.ts (2)

464-464: LGTM: objectId parameter added to method signature.

The implementation now accepts an objectId parameter to support per-username audit event correlation with the specific object being accessed.


489-491: LGTM: Per-username audit logging implemented.

The change replaces aggregated debug logging with individual audit events for each compliant username, enabling granular audit trails for granted object access. The use of void is appropriate for fire-and-forget audit calls.

ee/packages/abac/src/audit.ts (2)

12-12: LGTM: AbacActionPerformed type imported.

Enables type-safe action values for audit events.


120-129: LGTM: Dynamic action parameter added to audit function.

The actionPerformed parameter with a default value of 'revoked-object-access' maintains backward compatibility while enabling callers to specify 'granted-object-access' for different scenarios. The payload now uses the provided action value instead of a hardcoded string.

packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts (3)

8-8: LGTM: AbacActionPerformed type added.

The union type restricts action values to 'revoked-object-access' | 'granted-object-access', providing type safety for audit events.


59-59: LGTM: action field type updated to AbacActionPerformed.

Ensures type consistency between the action field and the new AbacActionPerformed union type.


1-3: MinimalUser._id optional handling is correct across codebase.

All call sites appropriately handle the optional _id field. Line 490 in ee/packages/abac/src/index.ts passes only { username } without _id, while other call sites (lines 98 and 611) provide both fields. The audit functions pass the subject object through to the event system without directly accessing _id, ensuring type safety.

ee/packages/abac/src/service.spec.ts (4)

24-24: LGTM: Audit mock setup added.

The mockCreateAuditServerEvent is properly configured to intercept ServerEvents.createAuditServerEvent calls for test verification.

Also applies to: 57-57


1040-1040: LGTM: Test calls updated with objectId parameter.

All checkUsernamesMatchAttributes invocations in tests now include the third objectId parameter, aligning with the updated method signature.

Also applies to: 1045-1045, 1057-1057, 1088-1088, 1104-1104, 1121-1121


1095-1109: LGTM: Test validates per-username audit generation.

The test correctly verifies that an audit event is generated for each compliant username, ensuring the new auditing behavior works as expected.


1111-1126: LGTM: Test confirms no audit logs for non-compliant users.

The test properly validates that audit events are not generated when usernames don't match ABAC attributes, maintaining appropriate audit log boundaries.


Comment @coderabbitai help to get the list of available commands and usage tips.
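
The two behaviours the review above describes (a grant audit per compliant username, keyed by the object id, and ABAC-managed rooms hidden from message-audit lookups), as an added TypeScript example that is not Rocket.Chat's code. The in-memory data, the function names `recordAbacAction`, `checkUsernames` and `findRoomForMessageAudit`, and the attribute-matching rule are assumptions; only the two action strings and the 'revoked-object-access' default come from the page.

```typescript
// Added illustration, not Rocket.Chat source. All names below are hypothetical
// except the two action strings, which are quoted from the review.
type AbacActionPerformed = 'revoked-object-access' | 'granted-object-access';

interface AbacAttribute { key: string; values: string[]; }
interface RoomDoc { _id: string; abacAttributes?: AbacAttribute[]; }
interface UserDoc { username: string; abacAttributes?: AbacAttribute[]; }
interface AbacAuditEvent { action: AbacActionPerformed; username: string; objectId: string; }

// Constructed sample data standing in for the rooms and users collections.
const rooms: RoomDoc[] = [
  { _id: 'room-open' },
  { _id: 'room-empty-attrs', abacAttributes: [] },
  { _id: 'room-abac', abacAttributes: [{ key: 'dept', values: ['eng'] }] },
];
const users: UserDoc[] = [
  { username: 'alice', abacAttributes: [{ key: 'dept', values: ['eng', 'ops'] }] },
  { username: 'bob', abacAttributes: [{ key: 'dept', values: ['sales'] }] },
  { username: 'carol' },
];

// In-memory audit sink standing in for the server audit event store.
const auditLog: AbacAuditEvent[] = [];

// The action is a parameter with the old hardcoded value as its default,
// so existing revoke call sites keep working without changes.
function recordAbacAction(
  username: string,
  objectId: string,
  action: AbacActionPerformed = 'revoked-object-access',
): void {
  auditLog.push({ action, username, objectId });
}

// A room counts as ABAC-managed only when abacAttributes exists and is non-empty.
function isAbacManaged(room: RoomDoc): boolean {
  return Array.isArray(room.abacAttributes) && room.abacAttributes.length > 0;
}

// Assumed matching rule: the user must hold every required value of every required key.
function satisfies(user: UserDoc, required: AbacAttribute[]): boolean {
  const held = user.abacAttributes ?? [];
  return required.every((req) =>
    held.some((h) => h.key === req.key && req.values.every((v) => h.values.indexOf(v) !== -1)),
  );
}

// Emits one 'granted-object-access' event per compliant username, tagged with
// the object id, and returns the usernames that did not comply (no event for those).
function checkUsernames(usernames: string[], required: AbacAttribute[], objectId: string): string[] {
  const rejected: string[] = [];
  for (const username of usernames) {
    const user: UserDoc | undefined = users.filter((u) => u.username === username)[0];
    if (user !== undefined && satisfies(user, required)) {
      recordAbacAction(username, objectId, 'granted-object-access');
    } else {
      rejected.push(username);
    }
  }
  return rejected;
}

// Room lookup for the message-audit path: an ABAC-managed room is filtered out
// in the lookup itself, so the caller reports it exactly like a missing room.
function findRoomForMessageAudit(rid: string): RoomDoc | undefined {
  return rooms.filter((r) => r._id === rid && !isAbacManaged(r))[0];
}
```

Returning the same "not found" result for an ABAC-managed room and a nonexistent one keeps the audit endpoint from confirming which room ids are ABAC-protected.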

@github-actions
Contributor

📦 Docker Image Size Report

📈 Changes

| Service | Current | Baseline | Change | Percent |
|---|---|---|---|---|
| sum of all images | 1.2GiB | 1.2GiB | +12MiB | |
| rocketchat | 358MiB | 347MiB | +12MiB | |
| omnichannel-transcript-service | 132MiB | 132MiB | +13KiB | |
| queue-worker-service | 132MiB | 132MiB | +12KiB | |
| ddp-streamer-service | 126MiB | 126MiB | +9.0KiB | |
| account-service | 113MiB | 113MiB | +9.0KiB | |
| authorization-service | 111MiB | 110MiB | +72KiB | |
| stream-hub-service | 110MiB | 110MiB | +11KiB | |

📊 Historical Trend

[Chart: "Image Size Evolution by Service (Last 30 Days + This PR)"; x-axis: build timestamps from 11/15 22:28 to 12/15 19:23 (PR); y-axis: Size (GB), 0 to 0.5; one line per service]

Statistics (last 21 days):

  • 📊 Average: 1.5GiB
  • ⬇️ Minimum: 1.2GiB
  • ⬆️ Maximum: 1.6GiB
  • 🎯 Current PR: 1.2GiB
ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

  • Tag: pr-37820
  • Baseline: develop
  • Timestamp: 2025-12-15 19:23:34 UTC
  • Historical data points: 21

Updated: Mon, 15 Dec 2025 19:23:35 GMT

@codecov

codecov bot commented Dec 15, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.58%. Comparing base (1399534) to head (05b6ac7).
⚠️ Report is 1 commits behind head on feat/abac.

Additional details and impacted files

@@              Coverage Diff              @@
##           feat/abac   #37820      +/-   ##
=============================================
+ Coverage      54.38%   54.58%   +0.19%     
=============================================
  Files           2639     2639              
  Lines          50102    50102              
  Branches       11212    11212              
=============================================
+ Hits           27248    27346      +98     
+ Misses         20681    20569     -112     
- Partials        2173     2187      +14     
| Flag | Coverage Δ | |
|---|---|---|
| e2e | 57.35% <ø> (-0.03%) | ⬇️ |
| e2e-api | 44.73% <ø> (+0.96%) | ⬆️ |

Flags with carried forward coverage won't be shown. Click here to find out more.

@KevLehman KevLehman marked this pull request as ready for review December 15, 2025 20:28
@KevLehman KevLehman requested review from a team as code owners December 15, 2025 20:28
@tassoevan tassoevan merged commit d13268f into feat/abac Dec 16, 2025
87 of 91 checks passed
@tassoevan tassoevan deleted the fix/audit-messages branch December 16, 2025 14:33