proto

[chronark]

I am just cleaning up a bit and moving code to where it belongs.

Our current layered style is pretty annoying to work with, cause you need to go to many different places in the codebase to work on one thing.

This moves proto definitions closer to the service actually using them

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
dashboard	Ready	Preview, Comment	Jan 7, 2026 0:46am

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
engineering	Ignored	Preview	Jan 7, 2026 0:46am

[coderabbitai]

📝 Walkthrough

Walkthrough

Refactors protobuf generation: removes root-level Buf generate configs, moves generation configs into service-specific proto directories, adds go:generate directives, updates root buf.yaml modules/deps/lint/breaking rules, and simplifies Makefile generate to clean ./gen before using go generate.

Changes

Cohort / File(s)	Summary
Build configuration Makefile, buf.yaml	Makefile generate target now removes ./gen before generation and no longer runs upstream buf steps. buf.yaml updated with new module paths (svc/ctrl/proto, svc/krane/proto), top-level deps added, lint exception PACKAGE_DIRECTORY_MATCH added, and breaking rules simplified to FILE.
Removed root Buf gen configs buf.gen.yaml, buf.gen.connect.yaml, buf.gen.restate.yaml	Deleted root-level Buf generation manifests (removed plugin definitions for Go, Connect RPC, and Restate targets).
Top-level proto generation proto/buf.gen.yaml, proto/generate.go	Added proto/buf.gen.yaml (buf v2, protocolbuffers/go -> ../gen/proto) and proto/generate.go with go:generate invoking go tool buf generate.
svc/ctrl proto configs & files svc/ctrl/proto/buf.gen.yaml, svc/ctrl/proto/buf.gen.restate.yaml, svc/ctrl/proto/generate.go, svc/ctrl/proto/ctrl/v1/acme.proto, svc/ctrl/.gitignore	Added service-specific Buf manifests (Go, Connect, and Restate targets) targeting ../../../gen/proto; added generate.go with two go:generate directives; removed google/protobuf/timestamp.proto import from acme.proto; removed .env and .env.local from .gitignore.
svc/krane proto configs & files svc/krane/proto/buf.gen.yaml, svc/krane/proto/generate.go	Added service-specific Buf manifest (Go and Connect plugins -> ../../../gen/proto) and generate.go with go:generate invoking buf.
Test Dockerfile cleanup test-docker/Dockerfile	Removed base image line and three echo RUN steps from the Dockerfile.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description lacks critical required sections from the template including issue reference, type of change checkbox, testing instructions, and required checklist items.	Complete all required template sections: add issue reference, select change type, describe testing steps, and verify all checklist items are addressed.
Title check	❓ Inconclusive	The title 'proto' is vague and generic, failing to describe the specific nature of the refactoring or reorganization being performed in this changeset.	Use a more descriptive title like 'Refactor: Move proto definitions closer to services' to clearly convey the main organizational change.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Makefile (1)

58-58: Critical: buf tool not installed as Go tool.

The pipeline failure indicates that go tool buf format -w fails because buf is not installed. The new go:generate directives in proto/generate.go and svc/krane/proto/generate.go also use go tool buf generate, which will fail similarly.

To fix this, you need to ensure buf is installed as a Go tool. Add an installation step to the install target or document the installation requirement:

🔎 Proposed fix to install buf as Go tool

Add buf installation to the install target:

 .PHONY: install
 install: ## Install all dependencies
 	@[ -f go.work ] || go work init . ./tools
 
 	go mod download
+	go install github.com/bufbuild/buf/cmd/buf@latest
 	pnpm --dir=web install

Alternatively, if using a tools.go pattern, add buf to your tools module and install via go install -modfile=tools/go.mod github.com/bufbuild/buf/cmd/buf.

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 887a854 and 0eaee6e.

⛔ Files ignored due to path filters (15)

• gen/proto/ctrl/v1/acme.pb.go is excluded by !**/*.pb.go, !**/gen/**
• gen/proto/vault/v1/vaultv1connect/service.connect.go is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/cache/v1/invalidation_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/ctrl/v1/acme_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/ctrl/v1/build_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/ctrl/v1/cluster_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/ctrl/v1/deployment_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/ctrl/v1/environment_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/ctrl/v1/openapi_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/ctrl/v1/secrets_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/ctrl/v1/service_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/krane/v1/scheduler_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/krane/v1/secrets_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/vault/v1/object_pb.ts is excluded by !**/gen/**
• web/apps/dashboard/gen/proto/vault/v1/service_pb.ts is excluded by !**/gen/**

📒 Files selected for processing (27)

• Makefile
• buf.gen.connect.yaml
• buf.gen.restate.yaml
• buf.gen.yaml
• buf.yaml
• proto/buf.gen.yaml
• proto/generate.go
• svc/ctrl/.gitignore
• svc/ctrl/proto/buf.gen.restate.yaml
• svc/ctrl/proto/buf.gen.yaml
• svc/ctrl/proto/ctrl/v1/acme.proto
• svc/ctrl/proto/ctrl/v1/build.proto
• svc/ctrl/proto/ctrl/v1/cluster.proto
• svc/ctrl/proto/ctrl/v1/deployment.proto
• svc/ctrl/proto/ctrl/v1/environment.proto
• svc/ctrl/proto/ctrl/v1/openapi.proto
• svc/ctrl/proto/ctrl/v1/secrets.proto
• svc/ctrl/proto/ctrl/v1/service.proto
• svc/ctrl/proto/generate.go
• svc/ctrl/proto/hydra/v1/certificate.proto
• svc/ctrl/proto/hydra/v1/deployment.proto
• svc/ctrl/proto/hydra/v1/routing.proto
• svc/krane/proto/buf.gen.yaml
• svc/krane/proto/generate.go
• svc/krane/proto/krane/v1/scheduler.proto
• svc/krane/proto/krane/v1/secrets.proto
• test-docker/Dockerfile

💤 Files with no reviewable changes (6)

• buf.gen.connect.yaml
• svc/ctrl/.gitignore
• test-docker/Dockerfile
• buf.gen.restate.yaml
• buf.gen.yaml
• svc/ctrl/proto/ctrl/v1/acme.proto

🧰 Additional context used

🧠 Learnings (8)

📓 Common learnings

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 4098
File: go/proto/ctrl/v1/deployment.proto:33-36
Timestamp: 2025-10-15T10:12:40.810Z
Learning: In the Unkey codebase proto files (ctrl/v1/build.proto, ctrl/v1/deployment.proto, hydra/v1/deployment.proto), use `dockerfile_path` (not `docker_file_path`) for consistency in generated Go field names.

Learnt from: perkinsjr
Repo: unkeyed/unkey PR: 3775
File: apps/dashboard/lib/trpc/routers/workspace/onboarding.ts:1-1
Timestamp: 2025-08-22T12:45:07.187Z
Learning: The team at Unkey is planning to move from TRPC to calling their v2 API directly, making current TRPC schema organization temporary. They're comfortable with keeping server input schemas imported from app route folders as technical debt since this code will be replaced.

Learnt from: perkinsjr
Repo: unkeyed/unkey PR: 3775
File: apps/dashboard/lib/trpc/routers/api/keys/query-key-usage-timeseries/index.ts:1-1
Timestamp: 2025-08-22T12:48:58.289Z
Learning: The team at Unkey is planning to move from TRPC to calling their v2 API directly. They're comfortable keeping TRPC input schemas imported from app route folders as technical debt since this code will be replaced, rather than refactoring to move schemas to lib/schemas.

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/buf.gen.yaml:0-0
Timestamp: 2025-09-01T02:33:43.791Z
Learning: In the unkeyed/unkey repository, buf commands are executed from the `go/` directory where the `buf.yaml` file is located. This means the `out: gen` configuration in `go/buf.gen.yaml` generates files to `go/gen/` relative to the repository root, which aligns with the expected directory structure.

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/proto/metald/v1/metald.proto:5-9
Timestamp: 2025-09-01T01:57:42.227Z
Learning: In the unkeyed/unkey repository, buf is configured to properly resolve metald proto imports like "metald/v1/vm.proto" without needing the full "go/proto/" prefix. The buf lint command `buf lint --path proto/metald` passes successfully with these relative import paths.

📚 Learning: 2025-09-01T02:33:43.791Z

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/buf.gen.yaml:0-0
Timestamp: 2025-09-01T02:33:43.791Z
Learning: In the unkeyed/unkey repository, buf commands are executed from the `go/` directory where the `buf.yaml` file is located. This means the `out: gen` configuration in `go/buf.gen.yaml` generates files to `go/gen/` relative to the repository root, which aligns with the expected directory structure.

Applied to files:

• svc/ctrl/proto/generate.go
• svc/krane/proto/generate.go
• svc/ctrl/proto/buf.gen.restate.yaml
• proto/buf.gen.yaml
• Makefile
• svc/krane/proto/buf.gen.yaml
• svc/ctrl/proto/buf.gen.yaml
• buf.yaml

📚 Learning: 2025-09-01T01:57:42.227Z

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/proto/metald/v1/metald.proto:5-9
Timestamp: 2025-09-01T01:57:42.227Z
Learning: In the unkeyed/unkey repository, buf is configured to properly resolve metald proto imports like "metald/v1/vm.proto" without needing the full "go/proto/" prefix. The buf lint command `buf lint --path proto/metald` passes successfully with these relative import paths.

Applied to files:

• svc/ctrl/proto/generate.go
• svc/krane/proto/generate.go
• svc/ctrl/proto/buf.gen.restate.yaml
• proto/buf.gen.yaml
• proto/generate.go
• svc/krane/proto/buf.gen.yaml
• svc/ctrl/proto/buf.gen.yaml
• buf.yaml

📚 Learning: 2025-10-15T10:12:40.810Z

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 4098
File: go/proto/ctrl/v1/deployment.proto:33-36
Timestamp: 2025-10-15T10:12:40.810Z
Learning: In the Unkey codebase proto files (ctrl/v1/build.proto, ctrl/v1/deployment.proto, hydra/v1/deployment.proto), use `dockerfile_path` (not `docker_file_path`) for consistency in generated Go field names.

Applied to files:

• svc/ctrl/proto/generate.go
• buf.yaml

📚 Learning: 2025-09-12T08:01:20.792Z

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3944
File: go/pkg/db/acme_challenge_update_verified_with_expiry.sql_generated.go:31-39
Timestamp: 2025-09-12T08:01:20.792Z
Learning: Do not review or suggest changes to files with sql_generated.go suffix or other files marked as auto-generated (containing "Code generated by" comments), as these are generated by tools like sqlc and changes would be overwritten on regeneration.

Applied to files:

• svc/ctrl/proto/generate.go
• svc/krane/proto/generate.go
• Makefile
• proto/generate.go

📚 Learning: 2025-07-02T11:51:58.572Z

Learnt from: chronark
Repo: unkeyed/unkey PR: 3420
File: go/pkg/hydra/store/gorm/gorm.go:486-498
Timestamp: 2025-07-02T11:51:58.572Z
Learning: The Hydra package (go/pkg/hydra) is planned to be migrated from GORM to sqlc for database operations, which explains why raw SQL queries are acceptable in the current implementation.

Applied to files:

• svc/ctrl/proto/generate.go

📚 Learning: 2025-08-08T15:09:01.312Z

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3753
File: go/apps/api/openapi/config.yaml:9-10
Timestamp: 2025-08-08T15:09:01.312Z
Learning: Repo unkeyed/unkey: In go/apps/api/openapi, oapi-codegen doesn’t support OpenAPI 3.1 union nullability; overlay.yaml must be applied before codegen. The overlay key in oapi-codegen config isn’t supported—use a pre-step (programmatic or CLI) to merge overlay into the bundled spec, then run oapi-codegen.

Applied to files:

• svc/ctrl/proto/buf.gen.restate.yaml
• proto/buf.gen.yaml

📚 Learning: 2025-08-08T15:20:40.288Z

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3753
File: go/apps/api/openapi/config.yaml:9-10
Timestamp: 2025-08-08T15:20:40.288Z
Learning: Repo unkeyed/unkey: oapi-codegen v2.4+ (v2.5.0 in use) supports output-options.overlay in go/apps/api/openapi/config.yaml; the generator applies overlay.yaml at codegen time, so no separate pre-step is required if oapi-codegen is invoked with -config=config.yaml.

Applied to files:

• svc/ctrl/proto/buf.gen.restate.yaml
• proto/buf.gen.yaml

🪛 GitHub Actions: autofix.ci

Makefile

[error] 58-58: make fmt failed: go tool buf format -w failed because 'buf' tool is not installed (go: no such tool "buf").

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (10)

proto/generate.go (1)

1-3: LGTM: Clean go:generate pattern for protobuf generation.

The use of //go:generate go tool buf generate is idiomatic and aligns well with the Makefile's go generate ./... invocation. This provides a declarative, per-module approach to code generation.

svc/krane/proto/generate.go (1)

1-3: LGTM: Consistent go:generate pattern.

This mirrors the pattern established in proto/generate.go, maintaining consistency across the protobuf generation strategy.

Makefile (1)

88-88: Good: Upfront cleanup prevents stale generated code.

The addition of rm -rf ./gen || true before generation ensures that stale generated files don't persist. This is a solid practice for keeping the generated code in sync with the source.

svc/krane/proto/buf.gen.yaml (1)

1-15: Verify if plugin versions are current.

The configuration uses explicit plugin versions (buf.build/protocolbuffers/go:v1.36.8 and buf.build/connectrpc/go:v1.18.1). While explicit versions are valid, verify these are current by checking the Buf Schema Registry or running:

• buf registry sdk version --module=github.com/unkeyed/unkey --plugin=buf.build/protocolbuffers/go
• buf registry sdk version --module=github.com/unkeyed/unkey --plugin=buf.build/connectrpc/go

Alternatively, omitting versions (e.g., buf.build/protocolbuffers/go) will automatically use the latest available.

proto/buf.gen.yaml (1)

1-9: Verify the protobuf plugin version is current.

The configuration appears syntactically correct with managed mode enabled and proper output paths. However, the exact latest version of buf.build/protocolbuffers/go cannot be determined from available sources. Verify that v1.36.8 is still current, or consider pinning to the latest by omitting the version suffix (buf.build/protocolbuffers/go without :v...) and running buf registry sdk version --module=github.com/unkeyed/unkey --plugin=buf.build/protocolbuffers/go to resolve the actual version in use.

svc/ctrl/proto/buf.gen.restate.yaml (1)

5-9: Remove duplicate protocolbuffers/go plugin.

The protocolbuffers/go plugin is configured in both buf.gen.yaml and buf.gen.restate.yaml. Since generate.go runs both templates sequentially:

//go:generate go tool buf generate --template ./buf.gen.yaml --path ./ctrl
//go:generate go tool buf generate --template ./buf.gen.restate.yaml --path ./hydra

The base proto files will be generated twice when the ./hydra path overlaps with files processed by the first command. This causes unnecessary duplicate work and potential file overwrites.

🔎 Recommended fix: Remove duplicate plugin

 version: v2
 managed:
   enabled: true
 plugins:
-  - remote: buf.build/protocolbuffers/go:v1.36.8
-    out: ../../../gen/proto
-    opt:
-      - paths=import
-      - module=github.com/unkeyed/unkey/gen/proto
   - local: protoc-gen-go-restate
     out: ../../../gen/proto
     opt:
       - paths=import
       - module=github.com/unkeyed/unkey/gen/proto

The base protobuf generation is already handled by buf.gen.yaml for the ./ctrl path. This template should only add the restate-specific generation for hydra protos.

⛔ Skipped due to learnings

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3944
File: go/pkg/db/acme_challenge_update_verified_with_expiry.sql_generated.go:31-39
Timestamp: 2025-09-12T08:01:20.792Z
Learning: Do not review or suggest changes to files with sql_generated.go suffix or other files marked as auto-generated (containing "Code generated by" comments), as these are generated by tools like sqlc and changes would be overwritten on regeneration.

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/buf.gen.yaml:0-0
Timestamp: 2025-09-01T02:33:43.791Z
Learning: In the unkeyed/unkey repository, buf commands are executed from the `go/` directory where the `buf.yaml` file is located. This means the `out: gen` configuration in `go/buf.gen.yaml` generates files to `go/gen/` relative to the repository root, which aligns with the expected directory structure.

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/proto/metald/v1/metald.proto:5-9
Timestamp: 2025-09-01T01:57:42.227Z
Learning: In the unkeyed/unkey repository, buf is configured to properly resolve metald proto imports like "metald/v1/vm.proto" without needing the full "go/proto/" prefix. The buf lint command `buf lint --path proto/metald` passes successfully with these relative import paths.

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 4098
File: go/proto/ctrl/v1/deployment.proto:33-36
Timestamp: 2025-10-15T10:12:40.810Z
Learning: In the Unkey codebase proto files (ctrl/v1/build.proto, ctrl/v1/deployment.proto, hydra/v1/deployment.proto), use `dockerfile_path` (not `docker_file_path`) for consistency in generated Go field names.

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3753
File: go/apps/api/openapi/config.yaml:9-10
Timestamp: 2025-08-08T15:09:01.312Z
Learning: Repo unkeyed/unkey: For go/apps/api/openapi, oapi-codegen is used and does not support OpenAPI 3.1 union types like [T, "null"]; an overlay step is required to downconvert to 3.0-style nullable before code generation.

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3753
File: go/apps/api/openapi/config.yaml:9-10
Timestamp: 2025-08-08T15:09:01.312Z
Learning: Repo unkeyed/unkey: In go/apps/api/openapi, oapi-codegen doesn’t support OpenAPI 3.1 union nullability; overlay.yaml must be applied before codegen. The overlay key in oapi-codegen config isn’t supported—use a pre-step (programmatic or CLI) to merge overlay into the bundled spec, then run oapi-codegen.

buf.yaml (2)

17-19: FILE-level-only breaking detection is permissive for a new proto setup.

The breaking change detection uses only FILE level rules. While appropriate for initial proto reorganization, consider adding stricter rules (WIRE, WIRE_JSON, FIELD_NO_DELETE*) once the reorganization is complete to protect against unintended wire-format and field-level changes.

If intentional for this transition period, document why minimal breaking detection is acceptable during the proto reorganization.

Likely an incorrect or invalid review comment.

---

14-15: This exception reflects an intentional architectural pattern and is not necessary to change.

The PACKAGE_DIRECTORY_MATCH exception is a deliberate design choice from the proto reorganization (commit 0eaee6e). All 21 proto files consistently follow this pattern: directory structure reflects service ownership (e.g., svc/ctrl/, svc/krane/, root proto/), while package names reflect logical domains (e.g., ctrl.v1, krane.v1, cache.v1). This separation of concerns is intentional and maintains consistency across the codebase.

svc/ctrl/proto/generate.go (1)

3-4: Install the missing protoc-gen-go-restate plugin.

The buf.gen.restate.yaml template requires the protoc-gen-go-restate local plugin, which is not currently available in PATH. The second generate directive will fail until this plugin is installed and accessible. Ensure the plugin is built and installed according to the project's setup instructions before running go generate ./svc/ctrl/proto.

Both generators output to the same directory (../../../gen/proto), but they operate on different proto paths (./ctrl and ./hydra), so file conflicts are unlikely if the plugin is properly configured.

⛔ Skipped due to learnings

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/buf.gen.yaml:0-0
Timestamp: 2025-09-01T02:33:43.791Z
Learning: In the unkeyed/unkey repository, buf commands are executed from the `go/` directory where the `buf.yaml` file is located. This means the `out: gen` configuration in `go/buf.gen.yaml` generates files to `go/gen/` relative to the repository root, which aligns with the expected directory structure.

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/proto/metald/v1/metald.proto:5-9
Timestamp: 2025-09-01T01:57:42.227Z
Learning: In the unkeyed/unkey repository, buf is configured to properly resolve metald proto imports like "metald/v1/vm.proto" without needing the full "go/proto/" prefix. The buf lint command `buf lint --path proto/metald` passes successfully with these relative import paths.

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3944
File: go/pkg/db/acme_challenge_update_verified_with_expiry.sql_generated.go:31-39
Timestamp: 2025-09-12T08:01:20.792Z
Learning: Do not review or suggest changes to files with sql_generated.go suffix or other files marked as auto-generated (containing "Code generated by" comments), as these are generated by tools like sqlc and changes would be overwritten on regeneration.

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 4098
File: go/proto/ctrl/v1/deployment.proto:33-36
Timestamp: 2025-10-15T10:12:40.810Z
Learning: In the Unkey codebase proto files (ctrl/v1/build.proto, ctrl/v1/deployment.proto, hydra/v1/deployment.proto), use `dockerfile_path` (not `docker_file_path`) for consistency in generated Go field names.

Learnt from: chronark
Repo: unkeyed/unkey PR: 3420
File: go/pkg/hydra/store/gorm/gorm.go:486-498
Timestamp: 2025-07-02T11:51:58.572Z
Learning: The Hydra package (go/pkg/hydra) is planned to be migrated from GORM to sqlc for database operations, which explains why raw SQL queries are acceptable in the current implementation.

svc/ctrl/proto/buf.gen.yaml (1)

5-15: No known security vulnerabilities found; versions appear reasonably current.

The pinned plugin versions have no reported CVEs:

• buf.build/protocolbuffers/go:v1.36.8 — no public vulnerabilities; v1.36.6 was reported as the latest as of June 2025, making v1.36.8 a more recent release
• buf.build/connectrpc/go:v1.18.1 — no public CVEs reported as of January 2026

Pinned versions maintain reproducibility. If available, consider checking the official buf.build plugin release pages or changelogs periodically to assess whether future updates address new features or dependency improvements.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @Makefile:
- Around line 89-94: The agent proto directory is missing a generate.go with a
go:generate directive so its buf generation isn't run by `go generate ./...`;
add a small file named generate.go in the agent proto package that contains the
single-line directive `//go:generate go tool buf generate` (and a package
declaration) so `go generate` picks up and runs buf for that proto, or
alternatively modify an existing generate.go (e.g., the central proto generate
file) to invoke `go tool buf generate` for the agent proto package.

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0eaee6e and db65538.

📒 Files selected for processing (1)

• Makefile

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: perkinsjr
Repo: unkeyed/unkey PR: 3775
File: apps/dashboard/lib/trpc/routers/workspace/onboarding.ts:1-1
Timestamp: 2025-08-22T12:45:07.187Z
Learning: The team at Unkey is planning to move from TRPC to calling their v2 API directly, making current TRPC schema organization temporary. They're comfortable with keeping server input schemas imported from app route folders as technical debt since this code will be replaced.

Learnt from: perkinsjr
Repo: unkeyed/unkey PR: 3775
File: apps/dashboard/lib/trpc/routers/api/keys/query-key-usage-timeseries/index.ts:1-1
Timestamp: 2025-08-22T12:48:58.289Z
Learning: The team at Unkey is planning to move from TRPC to calling their v2 API directly. They're comfortable keeping TRPC input schemas imported from app route folders as technical debt since this code will be replaced, rather than refactoring to move schemas to lib/schemas.

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 4098
File: go/proto/ctrl/v1/deployment.proto:33-36
Timestamp: 2025-10-15T10:12:40.810Z
Learning: In the Unkey codebase proto files (ctrl/v1/build.proto, ctrl/v1/deployment.proto, hydra/v1/deployment.proto), use `dockerfile_path` (not `docker_file_path`) for consistency in generated Go field names.

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/buf.gen.yaml:0-0
Timestamp: 2025-09-01T02:33:43.791Z
Learning: In the unkeyed/unkey repository, buf commands are executed from the `go/` directory where the `buf.yaml` file is located. This means the `out: gen` configuration in `go/buf.gen.yaml` generates files to `go/gen/` relative to the repository root, which aligns with the expected directory structure.

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/proto/metald/v1/metald.proto:5-9
Timestamp: 2025-09-01T01:57:42.227Z
Learning: In the unkeyed/unkey repository, buf is configured to properly resolve metald proto imports like "metald/v1/vm.proto" without needing the full "go/proto/" prefix. The buf lint command `buf lint --path proto/metald` passes successfully with these relative import paths.

📚 Learning: 2025-09-12T08:01:20.792Z

Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3944
File: go/pkg/db/acme_challenge_update_verified_with_expiry.sql_generated.go:31-39
Timestamp: 2025-09-12T08:01:20.792Z
Learning: Do not review or suggest changes to files with sql_generated.go suffix or other files marked as auto-generated (containing "Code generated by" comments), as these are generated by tools like sqlc and changes would be overwritten on regeneration.

Applied to files:

• Makefile

📚 Learning: 2025-09-01T02:33:43.791Z

Learnt from: imeyer
Repo: unkeyed/unkey PR: 3899
File: go/buf.gen.yaml:0-0
Timestamp: 2025-09-01T02:33:43.791Z
Learning: In the unkeyed/unkey repository, buf commands are executed from the `go/` directory where the `buf.yaml` file is located. This means the `out: gen` configuration in `go/buf.gen.yaml` generates files to `go/gen/` relative to the repository root, which aligns with the expected directory structure.

Applied to files:

• Makefile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test Dashboard / Test Dashboard
• GitHub Check: Lint Go Code / Lint
• GitHub Check: Test Go API Local / Test
• GitHub Check: autofix

[perkinsjr]

I trust you.