fix(qaas): add options validation

[ymc9]

No description provided.

[coderabbitai]

Warning

Rate limit exceeded

@ymc9 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 23 minutes and 31 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 2c9db43 and 8977043.

📒 Files selected for processing (4)

• packages/server/src/api/common/schemas.ts
• packages/server/src/api/rest/index.ts
• packages/server/src/api/rpc/index.ts
• packages/server/test/api/options-validation.test.ts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude finished @ymc9's task —— View job

---

Code Review for PR #574

I've thoroughly reviewed the API handler options validation implementation. Here's my comprehensive feedback:

Overall Assessment ✅

This is a solid defensive programming improvement that adds proper input validation to prevent runtime errors from malformed configuration. The implementation follows TypeScript/Zod best practices and includes comprehensive test coverage.

Code Quality & Implementation

✅ Excellent Practices

• Consistent validation pattern: Both REST and RPC handlers use the same approach
• Centralized logger validation: Smart to extract loggerSchema to /api/common/schemas.ts for reuse
• Proper error handling: Uses zod-validation-error for user-friendly error messages
• Type safety: z.strictObject() prevents unexpected properties, enhancing security

✅ REST Handler Validation (packages/server/src/api/rest/index.ts:290-305)

The validation schema is comprehensive and matches the interface:

• Required: schema (object), endpoint (string)
• Optional: log, pageSize (positive number), idDivider (min 1 char), etc.
• Security enhancement: z.strictObject() rejects unknown properties

✅ RPC Handler Validation (packages/server/src/api/rpc/index.ts:39-45)

Simple but effective validation for the minimal RPC options:

• Required: schema (object)
• Optional: log
• Also uses z.strictObject() for consistency

Test Coverage 🧪

✅ Outstanding Test Suite (packages/server/test/api/options-validation.test.ts)

The test coverage is exceptional with 600 lines covering:

Positive Cases:

• Valid configurations with all optional fields
• Custom log functions and arrays
• Production-like scenarios
• Edge cases (empty arrays, large numbers)

Negative Cases:

• Missing required fields (schema, endpoint)
• Invalid types for all fields
• Empty strings where not allowed
• Extra unknown properties (validates strictObject behavior)

Edge Cases:

• undefined vs explicit values
• Property exposure verification
• Schema structure validation

Security Considerations 🔒

✅ Security Enhancements

1. Input sanitization: All user inputs are validated before use
2. Type safety: Prevents runtime type errors that could cause crashes
3. No injection vulnerabilities: Zod validation prevents malformed objects
4. Strict validation: z.strictObject() prevents configuration injection attacks

⚠️ Minor Security Note

The REST handler accepts empty string endpoints, which might not be ideal:

endpoint: z.string(), // Should this be z.string().min(1)?

Performance Considerations 📊

✅ Efficient Implementation

• Validation only runs once during constructor
• Minimal overhead - Zod validation is fast
• No impact on runtime request handling performance

Best Practices Adherence 🎯

✅ Excellent Practices

• Fail fast: Validation in constructor prevents late failures
• Clear error messages: Uses fromError() for readable validation errors
• Consistent patterns: Both handlers follow identical validation approach
• Separation of concerns: Shared schemas in common module

✅ Code Style

• Clean, readable implementation
• Proper TypeScript types
• Good error handling
• Follows existing codebase patterns

Potential Improvements 💡

1. Endpoint validation: Consider making endpoint validation stricter:

   endpoint: z.string().url(), // Validate as proper URL
   // or at minimum:
   endpoint: z.string().min(1), // Disallow empty strings

2. Documentation: Consider adding JSDoc comments to the validation methods

Final Verdict ✅

This is excellent defensive code that:

• ✅ Prevents runtime errors from bad configuration
• ✅ Provides clear error messages for debugging
• ✅ Enhances security with strict validation
• ✅ Has comprehensive test coverage
• ✅ Follows consistent patterns
• ✅ Has zero performance impact on request handling

Recommendation: APPROVE - This PR significantly improves the robustness and security of the API handlers with no downside.

---

[Copilot]

Pull request overview

This pull request adds runtime options validation to the RestApiHandler and RPCApiHandler classes using Zod schemas. The changes introduce a new shared schema file for logger validation and comprehensive test coverage for all validation scenarios.

Key Changes:

• Added runtime validation for API handler constructor options using Zod
• Created shared loggerSchema in packages/server/src/api/common/schemas.ts
• Added comprehensive test suite with 600 lines covering validation edge cases
• Added documentation for previously undocumented options (modelNameMapping, externalIdMapping)
• Minor code formatting improvements and import organization

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
packages/server/src/api/rpc/index.ts	Added validateOptions method to validate RPC API handler options, updated imports, minor formatting improvements
packages/server/src/api/rest/index.ts	Added validateOptions method to validate REST API handler options, added JSDoc for missing options, minor formatting improvements
packages/server/src/api/common/schemas.ts	New file defining shared loggerSchema for validating log configuration
packages/server/test/api/options-validation.test.ts	New comprehensive test file with 600 lines testing all validation scenarios for both handlers

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[claude]

Claude Code is working…

I'll analyze this and get back to you.

View job run