Allow setting internal api url

[elie222]

Add INTERNAL_API_URL support and update web API callers to resolve base URLs via utils/internal-api.getInternalApiUrl

Introduce INTERNAL_API_URL to server env, add utils/internal-api.getInternalApiUrl, and switch web API requests and QStash publish paths to use this resolver. Update Docker, CLI setup, and pipeline config to set and pass the variable.

📍Where to Start

Start with the resolver in utils/internal-api.ts, then review its adoption in utils/upstash/index.ts and env.ts.

---

📊 Macroscope summarized 3d73abb. 11 files reviewed, 12 issues evaluated, 8 issues filtered, 0 comments posted

🗂️ Filtered Issues

apps/web/app/api/resend/digest/all/route.ts — 0 comments posted, 2 evaluated, 1 filtered

• line 47: Missing cron auth header when enqueueing digest jobs. publishToQstashQueue supports forwarding headers to the target handler, and the summary path includes headers: getCronSecretHeader(), but the digest path does not. If the /api/resend/digest endpoint validates the cron secret (as the summary counterpart does), these jobs will be rejected as unauthorized in both the QStash and the fallback path. [ Low confidence ]

apps/web/env.ts — 0 comments posted, 1 evaluated, 1 filtered

• line 150: NEXT_PUBLIC_FREE_UNSUBSCRIBE_CREDITS is defined as z.number().default(5) on the client schema (line 150) but its value in experimental__runtimeEnv is sourced from process.env, which is always a string. With a defined env var like "5", validation will fail because z.number() does not coerce strings to numbers. This causes runtime initialization failure for any non-undefined value. Use z.coerce.number().default(5) to match the other numeric client vars. [ Out of scope ]

apps/web/utils/actions/clean.ts — 0 comments posted, 1 evaluated, 1 filtered

• line 116: Pagination bug and possible infinite loop: nextPageToken from the previous response is stored but never passed into the subsequent request. In the loop starting at do { ... } while (nextPageToken && !isMaxEmailsReached(...)), the call to emailProvider.getThreadsWithQuery does not include a pageToken, so each iteration refetches the first page, nextPageToken remains truthy, and the loop can repeat indefinitely when maxEmails is undefined. This also causes duplicate enqueues to QStash. Fix by passing pageToken: nextPageToken into getThreadsWithQuery and updating it each iteration. [ Out of scope ]

apps/web/utils/digest/index.ts — 0 comments posted, 1 evaluated, 1 filtered

• line 22: Using getInternalApiUrl() for QStash-enqueued webhook URL can resolve to an internal-only address (e.g., http://localhost:3000 or http://web:3000), which QStash cannot reach from the public internet. This will cause jobs to fail/time out. The function’s docstring says it’s for internal API calls, but here it’s used for an external callback consumed by QStash. [ Low confidence ]

apps/web/utils/scheduled-actions/scheduler.ts — 0 comments posted, 2 evaluated, 1 filtered

• line 304: Redundant double-update of schedulingStatus to "FAILED" on the QStash client not available path. Inside the else block, the code updates the DB to FAILED and throws; the catch then updates the same record to FAILED again. This is a double-application of the same effect and an unnecessary extra write that could race with other state transitions. [ Low confidence ]

apps/web/utils/upstash/categorize-senders.ts — 0 comments posted, 1 evaluated, 1 filtered

• line 24: Using getInternalApiUrl() for QStash-enqueued webhook URL can resolve to an internal-only address (e.g., http://localhost:3000 or http://web:3000), which QStash cannot reach from the public internet. This will cause jobs to fail/time out. The function’s docstring says it’s for internal API calls, but here it’s used for an external callback consumed by QStash. [ Low confidence ]

apps/web/utils/upstash/index.ts — 0 comments posted, 2 evaluated, 2 filtered

• line 23: Using getInternalApiUrl() inside publishToQstash to build webhook URLs can yield an internal-only base (e.g., http://localhost:3000 or http://web:3000). When QStash runs (with a real client), it calls this URL from the public internet and will fail to reach it, breaking queued tasks. [ Low confidence ]
• line 77: publishToQstashQueue does not include a default INTERNAL_API_KEY header when using the real QStash client: queue.enqueueJSON({ url, body, headers }) passes through only caller-provided headers. Callers in this diff do not set headers, so requests to endpoints that validate via isValidInternalApiKey will fail with “Invalid API key”. Provide the internal key by default (e.g., merge { [INTERNAL_API_KEY_HEADER]: env.INTERNAL_API_KEY } unless headers already set). [ Low confidence ]

Summary by CodeRabbit

• Chores

  • Centralized internal API URL handling across the app and added an optional INTERNAL_API_URL env var; runtime, Docker compose and CLI defaults updated for local/docker setups.
  • Added INTERNAL_API_URL to build/task env and bumped version to v2.21.48.

• Documentation

  • Added "Optional: QStash for Advanced Features" to self-hosting guide with setup steps, feature comparison, cost notes and roadmap pointers.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
inbox-zero	Ready	Preview	Dec 5, 2025 3:53am

[coderabbitai]

Walkthrough

Centralizes internal API URL resolution by adding getInternalApiUrl() and replacing direct env-based base URLs with it across API routes, utilities, CLI/docker/build configs, env schema, and docs; adds INTERNAL_API_URL to env examples and defaults, and bumps version.

Changes

Cohort / File(s)	Summary
New utility apps/web/utils/internal-api.ts	Added export function getInternalApiUrl(): string that returns env.INTERNAL_API_URL → env.WEBHOOK_URL → env.NEXT_PUBLIC_BASE_URL.
Environment schema & examples apps/web/env.ts, apps/web/.env.example	Added optional INTERNAL_API_URL to server env schema and .env.example.
API routes apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts, apps/web/app/api/resend/digest/all/route.ts, apps/web/app/api/resend/summary/all/route.ts	Replaced direct env base-URL usages with getInternalApiUrl() and updated imports; no other control-flow or signature changes.
Utilities (webhooks/queues/scheduler/upstash/digest/clean) apps/web/utils/actions/clean.ts, apps/web/utils/digest/index.ts, apps/web/utils/scheduled-actions/scheduler.ts, apps/web/utils/upstash/categorize-senders.ts, apps/web/utils/upstash/index.ts	Switched URL construction to use getInternalApiUrl() instead of env.WEBHOOK_URL / env.NEXT_PUBLIC_BASE_URL; imports updated accordingly.
Infra / CLI / build docker-compose.yml, packages/cli/src/main.ts, turbo.json	Added INTERNAL_API_URL env var: Docker default http://web:3000; CLI sets INTERNAL_API_URL for Docker/host paths; turbo build env includes the variable.
Docs & version docs/hosting/self-hosting.md, version.txt	Added optional QStash docs section; bumped version from v2.21.47 to v2.21.48.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Changes are homogeneous (URL source centralization) but touch many files across routes, utilities, infra, and CLI.
• Review focus:
  • Verify fallback order in getInternalApiUrl() matches intended precedence.
  • Confirm all internal API call sites were updated (no remaining direct env usage where internal URL is expected).
  • Check Docker/CLI defaults in docker-compose.yml and packages/cli/src/main.ts align with deployment/topology expectations.
  • Ensure no tests or runtime code rely on previous env resolution side-effects.

Possibly related PRs

• Better env docs #1011 — modifies apps/web/env.ts (other env schema changes); overlaps environment schema edits.
• fix: Remove NEXT_AUTH references #681 — changes internal base URL construction for scheduled/QStash endpoints; overlaps scheduler/url-resolution edits.
• CLI and onboarding fix #1050 — updates packages/cli/src/main.ts runtime env assignments; overlaps CLI env handling changes.

Poem

🐰 I hopped through code with a tiny cheer,
I gathered each URL and brought them near.
One helper now guides the web’s secret door,
From Docker to CLI I checked every floor.
Carrots of clarity—hop, refactor, score! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Allow setting internal api url' accurately describes the main objective of the PR, which introduces configurability for the internal API URL through a new environment variable and centralized helper function.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/interal-api

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 14 files

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

apps/web/utils/internal-api.ts (1)

6-14: getInternalApiUrl helper matches desired precedence; consider failing fast on missing config

The helper cleanly centralizes internal API base URL resolution with the documented precedence (INTERNAL_API_URL → WEBHOOK_URL → NEXT_PUBLIC_BASE_URL), which is exactly what the rest of the PR expects.

You might optionally harden this by failing fast when none of these env vars are set, to avoid subtle "undefined/api/... URLs at runtime:

-export function getInternalApiUrl(): string {
-  return env.INTERNAL_API_URL || env.WEBHOOK_URL || env.NEXT_PUBLIC_BASE_URL;
-}
+export function getInternalApiUrl(): string {
+  const url =
+    env.INTERNAL_API_URL || env.WEBHOOK_URL || env.NEXT_PUBLIC_BASE_URL;
+
+  if (!url) {
+    throw new Error(
+      "Missing INTERNAL_API_URL/WEBHOOK_URL/NEXT_PUBLIC_BASE_URL for internal API calls",
+    );
+  }
+
+  return url;
+}

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f084f8b and 9e552cf.

📒 Files selected for processing (14)

• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts (2 hunks)
• apps/web/app/api/resend/digest/all/route.ts (2 hunks)
• apps/web/app/api/resend/summary/all/route.ts (2 hunks)
• apps/web/env.ts (1 hunks)
• apps/web/utils/actions/clean.ts (2 hunks)
• apps/web/utils/digest/index.ts (2 hunks)
• apps/web/utils/internal-api.ts (1 hunks)
• apps/web/utils/scheduled-actions/scheduler.ts (2 hunks)
• apps/web/utils/upstash/categorize-senders.ts (2 hunks)
• apps/web/utils/upstash/index.ts (2 hunks)
• docker-compose.yml (1 hunks)
• packages/cli/src/main.ts (1 hunks)
• turbo.json (1 hunks)
• version.txt (1 hunks)

🧰 Additional context used

📓 Path-based instructions (23)

apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Use @/ path aliases for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Follow consistent naming conventions using PascalCase for components
Centralize shared types in dedicated type files

Import specific lodash functions rather than entire lodash library to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

• apps/web/env.ts
• apps/web/utils/scheduled-actions/scheduler.ts
• apps/web/utils/upstash/index.ts
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

apps/web/**/{.env.example,env.ts,turbo.json}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Add environment variables to .env.example, env.ts, and turbo.json

Files:

• apps/web/env.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)

**/*.{ts,tsx}: For API GET requests to server, use the swr package
Use result?.serverError with toastError from @/components/Toast for error handling in async operations

**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

**/*.{ts,tsx}: For early access feature flags, create hooks using the naming convention use[FeatureName]Enabled that return a boolean from useFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming convention use[FeatureName]Variant that define variant types, use useFeatureFlagVariantKey() with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g., inbox-cleaner, pricing-options-2)
Always define types for A/B test variant flags (e.g., type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting

**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the ! postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Use as const instead of literal types and type annotations
Use either T[] or Array<T> consistently
Initialize each enum member value explicitly
Use export type for types
Use `impo...

Files:

• apps/web/env.ts
• apps/web/utils/scheduled-actions/scheduler.ts
• packages/cli/src/main.ts
• apps/web/utils/upstash/index.ts
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

apps/web/env.ts

📄 CodeRabbit inference engine (.cursor/rules/environment-variables.mdc)

apps/web/env.ts: Add server-only environment variables to apps/web/env.ts under the server object with Zod schema validation
Add client-side environment variables to apps/web/env.ts under the client object with NEXT_PUBLIC_ prefix and Zod schema validation
Add client-side environment variables to apps/web/env.ts under the experimental__runtimeEnv object to enable runtime access

Files:

• apps/web/env.ts

{.env.example,apps/web/env.ts}

📄 CodeRabbit inference engine (.cursor/rules/environment-variables.mdc)

Client-side environment variables must be prefixed with NEXT_PUBLIC_

Files:

• apps/web/env.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)

Always import Prisma enums from @/generated/prisma/enums instead of @/generated/prisma/client to avoid Next.js bundling errors in client components

Import Prisma using the project's centralized utility: import prisma from '@/utils/prisma'

Files:

• apps/web/env.ts
• apps/web/utils/scheduled-actions/scheduler.ts
• packages/cli/src/main.ts
• apps/web/utils/upstash/index.ts
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma's select option. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. All findUnique/findFirst calls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
All findMany queries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g., emailAccount: { id: emailAccountId }) to validate ownership

Files:

• apps/web/env.ts
• apps/web/utils/scheduled-actions/scheduler.ts
• packages/cli/src/main.ts
• apps/web/utils/upstash/index.ts
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Use next/image package for images
For API GET requests to server, use the swr package with hooks like useSWR to fetch data
For text inputs, use the Input component with registerProps for form integration and error handling

Files:

• apps/web/env.ts
• apps/web/utils/scheduled-actions/scheduler.ts
• packages/cli/src/main.ts
• apps/web/utils/upstash/index.ts
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

**/*.{tsx,ts,css}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Implement responsive design with Tailwind CSS using a mobile-first approach

Files:

• apps/web/env.ts
• apps/web/utils/scheduled-actions/scheduler.ts
• packages/cli/src/main.ts
• apps/web/utils/upstash/index.ts
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use accessKey attribute on any HTML element
Don't set aria-hidden="true" on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like <marquee> or <blink>
Only use the scope prop on <th> elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assign tabIndex to non-interactive HTML elements
Don't use positive integers for tabIndex property
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include a title element for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
Assign tabIndex to non-interactive HTML elements with aria-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include a type attribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden with aria-hidden)
Always include a lang attribute on the html element
Always include a title attribute for iframe elements
Accompany onClick with at least one of: onKeyUp, onKeyDown, or onKeyPress
Accompany onMouseOver/onMouseOut with onFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...

Files:

• apps/web/env.ts
• apps/web/utils/scheduled-actions/scheduler.ts
• packages/cli/src/main.ts
• apps/web/utils/upstash/index.ts
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

• apps/web/env.ts
• apps/web/utils/scheduled-actions/scheduler.ts
• packages/cli/src/main.ts
• apps/web/utils/upstash/index.ts
• version.txt
• turbo.json
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• docker-compose.yml
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

• apps/web/env.ts
• apps/web/utils/scheduled-actions/scheduler.ts
• packages/cli/src/main.ts
• apps/web/utils/upstash/index.ts
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

**/{server,api,actions,utils}/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/{server,api,actions,utils}/**/*.ts: Use createScopedLogger from "@/utils/logger" for logging in backend code
Add the createScopedLogger instantiation at the top of the file with an appropriate scope name
Use .with() method to attach context variables only within specific functions, not on global loggers
For large functions with reused variables, use createScopedLogger().with() to attach context once and reuse the logger without passing variables repeatedly

Files:

• apps/web/utils/scheduled-actions/scheduler.ts
• apps/web/utils/upstash/index.ts
• apps/web/utils/internal-api.ts
• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/actions/clean.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

turbo.json

📄 CodeRabbit inference engine (.cursor/rules/environment-variables.mdc)

Add new environment variables to turbo.json under tasks.build.env as a global dependency for the build task

Files:

• turbo.json

apps/web/app/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

Follow NextJS app router structure with (app) directory

Files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts

apps/web/app/api/**/*.ts

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/app/api/**/*.ts: Wrap GET API routes with withAuth or withEmailAccount middleware for authentication
Export response types from GET API routes using Awaited<ReturnType<>> pattern for type-safe client usage

Files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts

apps/web/app/api/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/fullstack-workflow.mdc)

apps/web/app/api/**/route.ts: Create GET API routes using withAuth or withEmailAccount middleware in apps/web/app/api/*/route.ts, export response types as GetExampleResponse type alias for client-side type safety
Always export response types from GET routes as Get[Feature]Response using type inference from the data fetching function for type-safe client consumption
Do NOT use POST API routes for mutations - always use server actions with next-safe-action instead

Files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

**/app/**/route.ts

📄 CodeRabbit inference engine (.cursor/rules/get-api-route.mdc)

**/app/**/route.ts: Always wrap GET API route handlers with withAuth or withEmailAccount middleware for consistent error handling and authentication in Next.js App Router
Infer and export response type for GET API routes using Awaited<ReturnType<typeof functionName>> pattern in Next.js
Use Prisma for database queries in GET API routes
Return responses using NextResponse.json() in GET API routes
Do not use try/catch blocks in GET API route handlers when using withAuth or withEmailAccount middleware, as the middleware handles error handling

Files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

apps/web/app/**/[!.]*/route.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Use kebab-case for route directories in Next.js App Router (e.g., api/hello-world/route)

Files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

apps/web/app/api/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/security-audit.mdc)

apps/web/app/api/**/*.{ts,tsx}: API routes must use withAuth, withEmailAccount, or withError middleware for authentication
All database queries must include user scoping with emailAccountId or userId filtering in WHERE clauses
Request parameters must be validated before use; avoid direct parameter usage without type checking
Use generic error messages instead of revealing internal details; throw SafeError instead of exposing user IDs, resource IDs, or system information
API routes should only return necessary fields using select in database queries to prevent unintended information disclosure
Cron endpoints must use hasCronSecret or hasPostCronSecret to validate cron requests and prevent unauthorized access
Request bodies should use Zod schemas for validation to ensure type safety and prevent injection attacks

Files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts

**/app/api/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/app/api/**/*.ts: ALL API routes that handle user data MUST use appropriate middleware: use withEmailAccount for email-scoped operations, use withAuth for user-scoped operations, or use withError with proper validation for public/custom auth endpoints
Use withEmailAccount middleware for operations scoped to a specific email account, including reading/writing emails, rules, schedules, or any operation using emailAccountId
Use withAuth middleware for user-level operations such as user settings, API keys, and referrals that use only userId
Use withError middleware only for public endpoints, custom authentication logic, or cron endpoints. For cron endpoints, MUST use hasCronSecret() or hasPostCronSecret() validation
Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using hasCronSecret(request) or hasPostCronSecret(request) and capture unauthorized attempts with captureException()
Always validate request bodies using Zod schemas to ensure type safety and prevent invalid data from reaching database operations
Maintain consistent error response format across all API routes to avoid information disclosure while providing meaningful error feedback

Files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts

apps/web/utils/actions/**/*.ts

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/utils/actions/**/*.ts: Use next-safe-action with actionClient for server actions with Zod schema validation
Call revalidatePath in server actions after mutations to invalidate cache

apps/web/utils/actions/**/*.ts: Server actions must be located in apps/web/utils/actions folder
Server action files must start with use server directive

Files:

• apps/web/utils/actions/clean.ts

apps/web/utils/actions/*.ts

📄 CodeRabbit inference engine (.cursor/rules/fullstack-workflow.mdc)

apps/web/utils/actions/*.ts: Use next-safe-action with Zod schemas for all server actions (create/update/delete mutations), storing validation schemas in apps/web/utils/actions/*.validation.ts
Server actions should use 'use server' directive and automatically receive authentication context (emailAccountId) from the actionClient

apps/web/utils/actions/*.ts: Create corresponding server action implementation files using the naming convention apps/web/utils/actions/NAME.ts with 'use server' directive
Use 'use server' directive at the top of server action implementation files
Implement all server actions using the next-safe-action library with actionClient, actionClientUser, or adminActionClient for type safety and validation
Use actionClientUser when only authenticated user context (userId) is needed
Use actionClient when both authenticated user context and a specific emailAccountId are needed, with emailAccountId bound when calling from the client
Use adminActionClient for actions restricted to admin users
Add metadata with a meaningful action name using .metadata({ name: "actionName" }) for Sentry instrumentation and monitoring
Use .schema() method with Zod validation schemas from corresponding .validation.ts files in next-safe-action configuration
Access context (userId, emailAccountId, etc.) via the ctx object parameter in the .action() handler
Use revalidatePath or revalidateTag from 'next/cache' within server action handlers when mutations modify data displayed elsewhere

Files:

• apps/web/utils/actions/clean.ts

🧠 Learnings (34)

📓 Common learnings

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-11-25T14:36:18.416Z
Learning: Applies to apps/web/**/*NEXT_PUBLIC_* : Prefix client-side environment variables with `NEXT_PUBLIC_`

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to apps/web/env.ts : Add client-side environment variables to `apps/web/env.ts` under the `client` object with `NEXT_PUBLIC_` prefix and Zod schema validation

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:43.454Z
Learning: Applies to apps/web/env.ts : For client-side environment variables in `apps/web/env.ts`, prefix them with `NEXT_PUBLIC_` and add them to both the `client` and `experimental__runtimeEnv` sections

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to {.env.example,apps/web/env.ts} : Client-side environment variables must be prefixed with `NEXT_PUBLIC_`

📚 Learning: 2025-11-25T14:36:45.807Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to apps/web/env.ts : Add server-only environment variables to `apps/web/env.ts` under the `server` object with Zod schema validation

Applied to files:

• apps/web/env.ts
• packages/cli/src/main.ts

📚 Learning: 2025-11-25T14:36:45.807Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to apps/web/env.ts : Add client-side environment variables to `apps/web/env.ts` under the `client` object with `NEXT_PUBLIC_` prefix and Zod schema validation

Applied to files:

• apps/web/env.ts
• packages/cli/src/main.ts

📚 Learning: 2025-11-25T14:36:45.807Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to apps/web/env.ts : Add client-side environment variables to `apps/web/env.ts` under the `experimental__runtimeEnv` object to enable runtime access

Applied to files:

• apps/web/env.ts
• packages/cli/src/main.ts
• turbo.json

📚 Learning: 2025-11-25T14:36:43.454Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:43.454Z
Learning: Applies to apps/web/env.ts : Define environment variables in `apps/web/env.ts` using Zod schema validation, organizing them into `server` and `client` sections

Applied to files:

• apps/web/env.ts
• packages/cli/src/main.ts

📚 Learning: 2025-11-25T14:36:43.454Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:43.454Z
Learning: Applies to apps/web/env.ts : For client-side environment variables in `apps/web/env.ts`, prefix them with `NEXT_PUBLIC_` and add them to both the `client` and `experimental__runtimeEnv` sections

Applied to files:

• apps/web/env.ts
• packages/cli/src/main.ts

📚 Learning: 2025-11-25T14:36:18.416Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-11-25T14:36:18.416Z
Learning: Applies to apps/web/**/{.env.example,env.ts,turbo.json} : Add environment variables to `.env.example`, `env.ts`, and `turbo.json`

Applied to files:

• apps/web/env.ts
• turbo.json

📚 Learning: 2025-11-25T14:36:45.807Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to {.env.example,apps/web/env.ts} : Client-side environment variables must be prefixed with `NEXT_PUBLIC_`

Applied to files:

• apps/web/env.ts
• packages/cli/src/main.ts

📚 Learning: 2025-11-25T14:36:18.416Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-11-25T14:36:18.416Z
Learning: Applies to apps/web/**/*NEXT_PUBLIC_* : Prefix client-side environment variables with `NEXT_PUBLIC_`

Applied to files:

• apps/web/env.ts

📚 Learning: 2025-11-25T14:36:45.807Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to turbo.json : Add new environment variables to `turbo.json` under `tasks.build.env` as a global dependency for the build task

Applied to files:

• apps/web/env.ts
• turbo.json

📚 Learning: 2025-11-25T14:36:43.454Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:43.454Z
Learning: Applies to turbo.json : Add environment variables to `turbo.json` under `tasks.build.env` array to declare build-time dependencies

Applied to files:

• apps/web/env.ts
• turbo.json

📚 Learning: 2025-11-25T14:36:18.416Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-11-25T14:36:18.416Z
Learning: Applies to apps/web/**/*.{ts,tsx} : Use `@/` path aliases for imports from project root

Applied to files:

• apps/web/utils/upstash/index.ts

📚 Learning: 2025-11-25T14:37:22.660Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

Applied to files:

• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts

📚 Learning: 2025-11-25T14:37:22.660Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls

Applied to files:

• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:37:22.660Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/*.{ts,tsx} : Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls

Applied to files:

• apps/web/utils/upstash/categorize-senders.ts
• apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts
• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:38:56.992Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-11-25T14:38:56.992Z
Learning: Applies to apps/web/app/**/[!.]*/route.{ts,tsx} : Use kebab-case for route directories in Next.js App Router (e.g., `api/hello-world/route`)

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

📚 Learning: 2025-11-25T14:37:11.434Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/get-api-route.mdc:0-0
Timestamp: 2025-11-25T14:37:11.434Z
Learning: Applies to **/app/**/route.ts : Always wrap GET API route handlers with `withAuth` or `withEmailAccount` middleware for consistent error handling and authentication in Next.js App Router

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts

📚 Learning: 2025-11-25T14:39:08.150Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/(ai/digest|resend/digest|clean/gmail|user/categorize/senders/batch)/**/*.{ts,tsx} : QStash endpoints must use `verifySignatureAppRouter` middleware to verify request signatures and prevent request spoofing

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:36:18.416Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: apps/web/CLAUDE.md:0-0
Timestamp: 2025-11-25T14:36:18.416Z
Learning: Applies to apps/web/app/api/**/*.ts : Wrap GET API routes with `withAuth` or `withEmailAccount` middleware for authentication

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts

📚 Learning: 2025-11-25T14:39:27.909Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Maintain consistent error response format across all API routes to avoid information disclosure while providing meaningful error feedback

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts

📚 Learning: 2025-11-25T14:39:23.326Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to app/api/**/cron/**/*.ts : Cron endpoints MUST use `withError` middleware (not `withAuth` or `withEmailAccount`), validate cron secret using `hasCronSecret()` or `hasPostCronSecret()`, capture unauthorized attempts with `captureException`, and return 401 status for unauthorized requests

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

📚 Learning: 2025-11-25T14:39:23.326Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Applies to app/api/**/*.ts : Use `withError` middleware only for public endpoints or custom authentication logic - cron endpoints MUST validate with `hasCronSecret(request)` or `hasPostCronSecret(request)` and capture unauthorized attempts with `captureException`

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

📚 Learning: 2025-11-25T14:39:27.909Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Use `withError` middleware only for public endpoints, custom authentication logic, or cron endpoints. For cron endpoints, MUST use `hasCronSecret()` or `hasPostCronSecret()` validation

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

📚 Learning: 2025-11-25T14:39:27.909Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:27.909Z
Learning: Applies to **/app/api/**/*.ts : Cron endpoints without proper authentication can be triggered by anyone. CRITICAL: All cron endpoints MUST validate cron secret using `hasCronSecret(request)` or `hasPostCronSecret(request)` and capture unauthorized attempts with `captureException()`

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

📚 Learning: 2025-11-25T14:38:42.022Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/prisma.mdc:0-0
Timestamp: 2025-11-25T14:38:42.022Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Import Prisma using the project's centralized utility: `import prisma from '@/utils/prisma'`

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

📚 Learning: 2025-11-25T14:39:08.150Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:08.150Z
Learning: Applies to apps/web/app/api/**/*.{ts,tsx} : Cron endpoints must use `hasCronSecret` or `hasPostCronSecret` to validate cron requests and prevent unauthorized access

Applied to files:

• apps/web/app/api/resend/digest/all/route.ts
• apps/web/app/api/resend/summary/all/route.ts

📚 Learning: 2025-07-17T04:19:57.099Z

Learnt from: edulelis
Repo: elie222/inbox-zero PR: 576
File: packages/resend/emails/digest.tsx:78-83
Timestamp: 2025-07-17T04:19:57.099Z
Learning: In packages/resend/emails/digest.tsx, the DigestEmailProps type uses `[key: string]: DigestItem[] | undefined | string | Date | undefined` instead of intersection types like `& Record<string, DigestItem[] | undefined>` due to implementation constraints. This was the initial implementation approach and cannot be changed to more restrictive typing.

Applied to files:

• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:42:11.919Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:42:16.602Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:37:22.660Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to **/{pages,routes,components}/**/*.{ts,tsx} : Never call Gmail API directly from routes or components - always use wrapper functions from the utils folder

Applied to files:

• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:38:07.606Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/llm.mdc:0-0
Timestamp: 2025-11-25T14:38:07.606Z
Learning: Applies to apps/web/utils/ai/**/*.ts : LLM feature functions must import from `zod` for schema validation, use `createScopedLogger` from `@/utils/logger`, `chatCompletionObject` and `createGenerateObject` from `@/utils/llms`, and import `EmailAccountWithAI` type from `@/utils/llms/types`

Applied to files:

• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:38:08.183Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/logging.mdc:0-0
Timestamp: 2025-11-25T14:38:08.183Z
Learning: Applies to **/{server,api,actions,utils}/**/*.ts : Use `createScopedLogger` from "@/utils/logger" for logging in backend code

Applied to files:

• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:40:00.833Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/testing.mdc:0-0
Timestamp: 2025-11-25T14:40:00.833Z
Learning: Applies to **/*.test.{ts,tsx} : Use test helpers `getEmail`, `getEmailAccount`, and `getRule` from `@/__tests__/helpers` for mocking emails, accounts, and rules

Applied to files:

• apps/web/utils/digest/index.ts

📚 Learning: 2025-11-25T14:37:22.660Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Applies to apps/web/utils/gmail/**/*.{ts,tsx} : Always use wrapper functions from @/utils/gmail/ for Gmail API operations instead of direct provider API calls

Applied to files:

• apps/web/utils/digest/index.ts

🧬 Code graph analysis (9)

apps/web/utils/scheduled-actions/scheduler.ts (1)

apps/web/utils/internal-api.ts (1)

• getInternalApiUrl (12-14)

packages/cli/src/main.ts (1)

apps/web/env.ts (1)

• env (17-247)

apps/web/utils/upstash/index.ts (1)

apps/web/utils/internal-api.ts (1)

• getInternalApiUrl (12-14)

apps/web/utils/upstash/categorize-senders.ts (1)

apps/web/utils/internal-api.ts (1)

• getInternalApiUrl (12-14)

apps/web/app/api/resend/digest/all/route.ts (1)

apps/web/utils/internal-api.ts (1)

• getInternalApiUrl (12-14)

apps/web/utils/actions/clean.ts (1)

apps/web/utils/internal-api.ts (1)

• getInternalApiUrl (12-14)

apps/web/app/api/resend/summary/all/route.ts (1)

apps/web/utils/internal-api.ts (1)

• getInternalApiUrl (12-14)

apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts (1)

apps/web/utils/internal-api.ts (1)

• getInternalApiUrl (12-14)

apps/web/utils/digest/index.ts (1)

apps/web/utils/internal-api.ts (1)

• getInternalApiUrl (12-14)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: Review for correctness
• GitHub Check: test

🔇 Additional comments (16)

docker-compose.yml (1)

78-78: LGTM!

The default value http://web:3000 correctly uses the Docker service name for internal container-to-container communication, which aligns with Docker networking best practices.

turbo.json (1)

80-80: LGTM!

The environment variable is correctly added to the build task's env list, following the coding guidelines.

version.txt (1)

1-1: Standard version bump.

apps/web/utils/actions/clean.ts (2)

10-10: LGTM!

The import correctly references the centralized internal API URL utility.

---

142-142: LGTM!

The URL construction now uses the centralized getInternalApiUrl() helper, which provides a clean fallback chain: INTERNAL_API_URL → WEBHOOK_URL → NEXT_PUBLIC_BASE_URL. This maintains backward compatibility while enabling the new configuration option.

packages/cli/src/main.ts (2)

530-530: LGTM!

Correctly sets the internal API URL to http://web:3000 when the web app runs in Docker, using the Docker service name for container-to-container communication. This aligns with the docker-compose.yml configuration.

---

536-536: LGTM!

Correctly sets the internal API URL to http://localhost:${webPort} when the web app runs on the host, enabling proper host-to-host communication. This handles the case where Docker infrastructure is used but the Next.js app runs separately.

apps/web/app/api/resend/digest/all/route.ts (2)

6-6: LGTM!

The import correctly references the centralized internal API URL utility.

---

43-43: LGTM!

The URL construction now uses the centralized getInternalApiUrl() helper for consistent internal API base URL resolution across the codebase.

apps/web/utils/upstash/index.ts (2)

3-6: LGTM!

The import correctly references both the centralized internal API URL utility and the internal API key header constant.

---

23-23: LGTM!

The URL construction now uses the centralized getInternalApiUrl() helper, providing consistent internal API base URL resolution with the fallback chain: INTERNAL_API_URL → WEBHOOK_URL → NEXT_PUBLIC_BASE_URL.

apps/web/app/api/ai/analyze-sender-pattern/call-analyze-pattern-api.ts (1)

2-5: Centralizing analyze-sender-pattern base URL via getInternalApiUrl looks good

Using getInternalApiUrl() for the internal POST target keeps this call consistent with the new internal-API URL resolution strategy while preserving headers/auth and logging behavior.

Also applies to: 14-14

apps/web/utils/scheduled-actions/scheduler.ts (1)

8-8: Scheduled-actions execute endpoint now correctly uses getInternalApiUrl

Switching the QStash target URL to ${getInternalApiUrl()}/api/scheduled-actions/execute cleanly reuses the centralized internal API base without changing scheduling logic or headers.

Also applies to: 267-267

apps/web/app/api/resend/summary/all/route.ts (1)

5-5: Cron resend/summary-all now uses shared internal API URL helper

Using getInternalApiUrl() for the /api/resend/summary target keeps this cron publisher in sync with the centralized internal API URL logic while preserving existing cron-secret checks and error handling.

Also applies to: 41-41

apps/web/utils/digest/index.ts (1)

4-4: Digest enqueue now correctly uses centralized internal API base URL

Switching to ${getInternalApiUrl()}/api/ai/digest keeps the digest QStash publisher aligned with the shared internal API URL helper without altering payload or queue behavior.

Also applies to: 22-22

apps/web/utils/upstash/categorize-senders.ts (1)

3-3: Categorize-senders QStash target now uses getInternalApiUrl consistently

Using getInternalApiUrl() for the batch categorize-senders endpoint centralizes base URL selection while leaving chunking, queue naming, and logging untouched.

Also applies to: 24-24

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9e552cf and 6a0889e.

📒 Files selected for processing (1)

• docs/hosting/self-hosting.md (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

• docs/hosting/self-hosting.md

🧠 Learnings (2)

📚 Learning: 2025-11-25T14:39:04.892Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: No hardcoded secrets in code; all secrets must be stored in environment variables (e.g., CRON_SECRET)

Applied to files:

• docs/hosting/self-hosting.md

📚 Learning: 2025-11-25T14:39:23.326Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Ensure `CRON_SECRET` environment variable is configured with a strong random secret - never use predictable secrets like 'secret', 'password', 'cron', or short/simple strings

Applied to files:

• docs/hosting/self-hosting.md

🪛 markdownlint-cli2 (0.18.1)

docs/hosting/self-hosting.md

149-149: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: test
• GitHub Check: Review for correctness
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

docs/hosting/self-hosting.md (1)

131-155: Documentation alignment with PR objectives is solid; QStash section appropriately integrated.

The new optional QStash section correctly:

• Follows the Scheduled Tasks section logically
• Clearly marks QStash as optional for advanced features
• Provides a feature comparison table showing what works with/without QStash
• References the internal API URL infrastructure introduced in this PR (enabling scheduled actions, digest support, etc.)
• Includes realistic cost expectations and roadmap context

The environment variable examples at lines 150–152 are appropriately framed as placeholders (your-qstash-token, etc.) for users to fill in. Based on learnings, this documentation pattern is sound—secrets are referenced as examples to be configured in .env, not hardcoded in code or committed to the repo.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

docs/hosting/self-hosting.md (1)

148-153: Consider adding more detail on obtaining QStash credentials.

The setup instructions reference QSTASH_TOKEN, QSTASH_CURRENT_SIGNING_KEY, and QSTASH_NEXT_SIGNING_KEY but don't explain how to obtain these values from the Upstash dashboard or console. Adding a brief step-by-step pointer (e.g., "Log into Upstash console → QStash → Create a token") would help self-hosted users complete the setup more independently.

You could enhance the setup section like this:

 **Setup**: Add your QStash credentials to `.env`:
+
+1. Create a QStash project at [upstash.com](https://upstash.com/).
+2. Generate API tokens from the QStash console.
+3. Add your credentials:
+
 ```bash
 QSTASH_TOKEN=your-qstash-token
 QSTASH_CURRENT_SIGNING_KEY=your-signing-key
 QSTASH_NEXT_SIGNING_KEY=your-next-signing-key

</blockquote></details>

</blockquote></details>

<details>
<summary>📜 Review details</summary>

**Configuration used**: Path: .coderabbit.yaml

**Review profile**: CHILL

**Plan**: Pro

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 6a0889e8c8dbf3bfb11a2f12c8d0d1c6c08e6af9 and 3d73abb04af6ebeea11f3e6a03958b71a31869a2.

</details>

<details>
<summary>📒 Files selected for processing (2)</summary>

* `apps/web/.env.example` (1 hunks)
* `docs/hosting/self-hosting.md` (1 hunks)

</details>

<details>
<summary>✅ Files skipped from review due to trivial changes (1)</summary>

* apps/web/.env.example

</details>

<details>
<summary>🧰 Additional context used</summary>

<details>
<summary>📓 Path-based instructions (1)</summary>

<details>
<summary>!(pages/_document).{jsx,tsx}</summary>


**📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)**

> Don't use the next/head module in pages/_document.js on Next.js projects

Files:
- `docs/hosting/self-hosting.md`

</details>

</details><details>
<summary>🧠 Learnings (2)</summary>

<details>
<summary>📚 Learning: 2025-11-25T14:39:04.892Z</summary>

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security-audit.mdc:0-0
Timestamp: 2025-11-25T14:39:04.892Z
Learning: No hardcoded secrets in code; all secrets must be stored in environment variables (e.g., CRON_SECRET)

**Applied to files:**
- `docs/hosting/self-hosting.md`

</details>
<details>
<summary>📚 Learning: 2025-11-25T14:39:23.326Z</summary>

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/security.mdc:0-0
Timestamp: 2025-11-25T14:39:23.326Z
Learning: Ensure CRON_SECRET environment variable is configured with a strong random secret - never use predictable secrets like 'secret', 'password', 'cron', or short/simple strings

**Applied to files:**
- `docs/hosting/self-hosting.md`

</details>

</details>

</details>

<details>
<summary>⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)</summary>

* GitHub Check: test
* GitHub Check: Review for correctness
* GitHub Check: Analyze (javascript-typescript)

</details>

<details>
<summary>🔇 Additional comments (2)</summary><blockquote>

<details>
<summary>docs/hosting/self-hosting.md (2)</summary><blockquote>

`149-153`: **Code block language identifier properly included.**

The fenced code block now includes the `bash` language specifier for proper syntax highlighting. This resolves the previous markdownlint issue.

---

`131-156`: **Document the new INTERNAL_API_URL environment variable for completeness.**

The PR introduces `INTERNAL_API_URL` as a centralized internal API URL configuration, but this documentation section on QStash setup does not mention it. Self-hosted users should understand where and how to configure this variable.

Please clarify: Is `INTERNAL_API_URL` documentation intended to be in a separate section (e.g., environment-variables.md), or should it be included here? If it belongs in this guide, consider adding it to the configuration section or the QStash setup instructions.

</blockquote></details>

</blockquote></details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->