
Refactor db related packages#43

Merged
cobraprojects merged 5 commits into main from refactor-db-related-packages
May 25, 2026

Conversation

@cobraprojects
Owner

@cobraprojects cobraprojects commented May 24, 2026

Summary by CodeRabbit

  • New Features

    • Server-driven login, registration, and logout across Next.js and SvelteKit (native form submissions / server actions)
    • Super‑admin auth flows and redirects handled server-side
  • Improvements

    • Auth UI simplified and unified to use native form posts (consistent login/logout UX)
    • Improved CSRF handling for proxied deployments (better secure-cookie behavior)
    • Cleaner post-submit flows (removed redundant client success panels)
  • Bug Fixes

    • More consistent server-side validation and error responses across frameworks


@coderabbitai

coderabbitai Bot commented May 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 95696e9e-07ee-48d7-a4dd-324a03f3af00

📥 Commits

Reviewing files that changed from the base of the PR and between 945ae03 and fd42fe2.

📒 Files selected for processing (5)
  • apps/docs/docs/forms/framework-integration.md
  • apps/docs/docs/forms/server-validation.md
  • packages/db/src/schema/generatedNames.ts
  • packages/db/tests/schema-service.test.ts
  • tests/example-app-auth-flow.mjs

📝 Walkthrough

Walkthrough

Converts app auth to server actions/forms (Next) and SvelteKit page actions; updates UI to submit via actions/forms; revises tests and docs; and applies broad refactors across auth/forms/security/db/queue/storage/mail/core.

Changes

Server-first auth and platform refactors

Layer: Server actions, app wiring, and tests
Files: apps/blog-*/app/*, apps/blog-*/tests/*, apps/blog-sveltekit/src/routes/*, apps/docs/*
Summary: Introduces Next server actions and SvelteKit page actions for login/register/logout and super-admin flows; updates app components to use form submissions/server-action forms; rewrites app tests and test runners to mock and assert action-based flows; updates docs examples to server-action/page-action patterns.

Layer: Auth & CSRF runtime changes
Files: packages/auth/*, packages/security/*, packages/forms/*
Summary: Adds CSRF cookie option/resolve improvements, forwarded-proto detection, Next client pathname-based refresh, Next headers-aware validate() fallback for FormData, and expands form initialState handling for server failure payloads.

Layer: DB, schema, and migrations
Files: packages/db/src/*, packages/db/tests/*
Summary: Refactors savepoint/name generation, deterministic generated names for indexes/foreign keys, query scheduler waiter redesign, migration lifecycle helper, model/entity refactors, and typing/adapter surface consolidations.

Layer: Queue DB API & tests
Files: packages/queue-db/src/*, packages/queue-db/tests/*
Summary: Exports parsing/placeholder/identifier helpers, adds async-context connection resolver, centralizes failed-job helpers, rewires driver to use exported helpers, and adds test support utilities.

Layer: Storage S3 & encoding
Files: packages/storage-s3/*, packages/storage/*
Summary: Refactors S3 key normalization and RFC3986 extra-character encoding and removes injected-header signing support; updates canonical URI encoding used in SigV4 signing.

Layer: Mail runtime & contracts
Files: packages/mail/src/*, packages/mail/tests/*
Summary: Removes public mailInternals export, centralizes peer-module loader, and rewrites runtime loader helpers; tests updated to use direct helper exports.

Layer: Adapters & integration tests
Files: packages/adapter-sveltekit/*, packages/cache-redis/*, packages/db-*/tests
Summary: Adds SvelteKit client hydration for action failures, test stubs/aliases, refactors redis and DB test doubles, and introduces conditional integration test gating scripts.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant Page/Form
  participant ServerAction
  participant AuthLib
  participant Cache
  participant Redirect
  User->>Page/Form: Submit credentials
  Page/Form->>ServerAction: FormData
  ServerAction->>AuthLib: validate + login/register/logout
  AuthLib-->>ServerAction: result/session
  ServerAction->>Cache: revalidatePath('/', 'layout')
  ServerAction->>Redirect: redirect('/admin' | '/verify-email' | '/')

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes


Poem

I tap my paws on server ground,
Forms take wing without a sound.
Cookies crisp, redirects bright,
Hashing names in schema night.
Queues and locks, we made them sing—hop! 🐇✨



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

🧹 Nitpick comments (4)
apps/blog-next/app/login/actions.ts (1)

20-26: Confirm login() failure shape matches error.status / error.fields (apps/blog-next/app/login/actions.ts:20-26).

@holo-js/auth’s login() returns an AuthResult; on failure, error is an AuthFailure that includes status: number and fields, matching the code’s submission.fail({ status: error.status, errors: error.fields }).
Also, login() only converts expected AuthLoginErrorCodes into an { error } result—other/unexpected errors will still throw (add try/catch only if you need that path handled).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In apps/blog-next/app/login/actions.ts around lines 20-26, the review asks
you to confirm that the shape returned by login() matches the usage: ensure the
imported login() (and its types AuthResult/AuthFailure from `@holo-js/auth`)
actually return an AuthFailure with status:number and fields when failing; if
they do, leave the submission.fail({ status: error.status, errors: error.fields
}) as-is, otherwise map the returned error shape to submission.fail (e.g.,
extract/convert to {status, fields}) and only add a try/catch around await
login(submission.data) if you need to handle unexpected thrown exceptions;
reference login(), AuthResult/AuthFailure and submission.fail when locating the
code to update.
packages/cache-redis/package.json (1)

24-24: ⚡ Quick win

Integration mode is gated by Vitest config (HOLO_REDIS_INTEGRATION), not by per-test checks.

packages/cache-redis/vitest.config.ts switches test.include based on process.env.HOLO_REDIS_INTEGRATION === '1': when off it runs only tests/package.test.ts, and when on it runs tests/**/*.test.ts (so both tests/package.test.ts and tests/real-redis.test.ts).
If test:integration should run only the real Redis test, narrow the include pattern accordingly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In packages/cache-redis/package.json at line 24, the current Vitest gating in
packages/cache-redis/vitest.config.ts uses process.env.HOLO_REDIS_INTEGRATION
=== '1' to switch test.include between a broad pattern and a single
package.test.ts, which means running npm run test:integration still runs
package.test.ts as well; update the logic in vitest.config.ts so that when
HOLO_REDIS_INTEGRATION === '1' the test.include is narrowed to only the
integration test (e.g., "tests/real-redis.test.ts") and when not set it remains
the default (e.g., "tests/package.test.ts"); ensure the package.json script
("test:integration": "HOLO_REDIS_INTEGRATION=1 vitest --run") remains unchanged
so it triggers the new narrowed include.
packages/db/src/schema/generatedNames.ts (1)

4-9: 💤 Low value

Consider potential index name collisions with underscore-containing column names.

The current implementation joins column names with '_', which could theoretically create identical names for different column combinations (e.g., columns ['first_name', 'last'] and ['first', 'name_last'] would both generate table_first_name_last_index). However, since users can explicitly provide index.name to override auto-generation, this is an acceptable tradeoff for convenience.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In packages/db/src/schema/generatedNames.ts around lines 4-9,
resolveGeneratedIndexName currently concatenates index.columns with '_' which
can collide when column names themselves contain underscores; update
resolveGeneratedIndexName to produce collision-resistant auto names by encoding
the columns portion (for example, join with an unambiguous delimiter or append a
short deterministic hash of index.columns) while preserving use of
sanitizeIdentifierForGeneratedName and validating with
assertValidIdentifierSegment; ensure the new scheme still respects an explicit
index.name override and produces stable names for the same columns.
packages/queue-db/tests/failed.test.ts (1)

193-227: ⚡ Quick win

Restore the DB.connection spies in a finally block.

If either test fails before the last line, the spy survives into later cases and obscures the real failure.

♻️ Suggested pattern
-    const spy = vi.spyOn(DB, 'connection').mockReturnValue(createQueueDatabaseContextMock())
+    const spy = vi.spyOn(DB, 'connection').mockReturnValue(createQueueDatabaseContextMock())
+    try {
       configureQueueRuntime({
         config: {
           default: 'database',
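Review bot: the `-`/`+` pair on `const spy = vi.spyOn(DB, 'connection').mockReturnValue(createQueueDatabaseContextMock())` is identical on both sides, so it is a no-op in the suggestion; drop that pair and keep only the added `+    try {` so the diff shows exactly the structural change.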
@@
       await expect(forgetFailedQueueJob('missing')).resolves.toBe(false)
       await expect(flushFailedQueueJobs()).resolves.toBe(0)
-
-    spy.mockRestore()
+    } finally {
+      spy.mockRestore()
+    }
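Review bot: the `finally` guarantees `spy.mockRestore()` runs whichever assertion fails, but the wrapped body (`configureQueueRuntime({` and both `await expect(...)` lines) keeps its original indentation in the suggestion, so re-indent it when applying; the active-async-context test needs the same wrap, and if every case in this file creates a `DB.connection` spy, restoring it from an `afterEach` hook would remove the per-test try/finally altogether.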

Apply the same pattern to the active-async-context test below as well.

Also applies to: 277-317

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In packages/queue-db/tests/failed.test.ts around lines 193-227, the
DB.connection spy created with vi.spyOn(DB, 'connection') should be restored in
a finally block to guarantee cleanup even if assertions fail: wrap the test
logic that calls configureQueueRuntime, persistFailedQueueJob,
forgetFailedQueueJob, and flushFailedQueueJobs in a try { ... } finally {
spy.mockRestore() } block (and apply the identical try/finally pattern to the
active-async-context test that also creates a DB.connection spy) so the spy is
always restored.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In apps/blog-sveltekit/src/routes/register/+page.server.ts:
- Around line 9-18: The cookie `secure` flag is being set using url.protocol ===
'https:' in the load function (export const load) which ignores TLS-terminating
proxies and X-Forwarded-Proto; update the logic to detect TLS from forwarded
headers (check request.headers['x-forwarded-proto'] and/or the Forwarded header)
or, better, centralize this behavior in the security package by
implementing/using isSecureRequest(request) in `@holo-js/security` (currently used
in packages/security/src/csrf.ts) and replace the url.protocol check in the load
handler that calls csrf.field and cookies.set (and any similar uses like
getSecurityRuntime().config.csrf.cookie) so the cookie.secure is true when the
proxied request was originally HTTPS.

In apps/blog-sveltekit/src/routes/super-admin/login/+page.svelte:
- Line 49: The checkbox currently uses a strict equality check
(checked={values.remember === true}) which loses checked state for non-boolean
form returns like "on"; update the checked logic for the remember checkbox
(reference: values.remember / the checked prop on the input in +page.svelte) to
accept truthy/string values instead—e.g., coerce to a boolean (use
Boolean(values.remember)) or explicitly accept "on" in addition to true—so the
checkbox remains checked after failed submissions that return string-like
values.

In packages/core/src/runtimeModule.ts:
- Around line 67-69: The current optional-error handling in
importOptionalRuntimeModule treats any ERR_MODULE_NOT_FOUND for relative
specifiers (specifier.startsWith('.')) as ignorable even when
matchesRequestedTarget is false, which can hide missing transitive dependencies;
update the conditional that currently ORs ('code' in error && ... code ===
'ERR_MODULE_NOT_FOUND' && specifier.startsWith('.')) so it also requires
matchesRequestedTarget (i.e., only treat relative ERR_MODULE_NOT_FOUND as
optional when matchesRequestedTarget is true), thereby tightening the check in
the optional-error helper and the importOptionalRuntimeModule logic.

In packages/forms/src/contracts.ts:
- Around line 401-410: In resolveAmbientRequestUrl, treat the Referer header as
untrusted: attempt to parse headers.get('referer') with the URL constructor (or
otherwise validate it) and only return it if parsing succeeds and the result is
a well-formed absolute URL; if parsing throws or the referer is invalid, fall
back to building the synthetic URL from x-forwarded-proto / x-forwarded-host /
host as currently done. Update resolveAmbientRequestUrl to catch URL parsing
errors (or validate before usage) and use the forwarded host/proto fallback when
referer is malformed to avoid letting a bad client header cause new Request(...)
to throw.

In packages/queue-db/src/index.ts:
- Around line 1-9: Restore the removed root re-exports to preserve source
compatibility: re-add exports for queueDatabaseInternals,
databaseQueueDriverInternals, and queueDbFailedStoreInternals alongside the
current exports so consumers of the package root keep working. Locate where
databaseQueueDriverFactory/DatabaseQueueDriver/DatabaseQueueDriverError,
queueDbFailedJobStore, and the Stored* types are exported and add matching
re-export lines for the three internal symbols (queueDatabaseInternals,
databaseQueueDriverInternals, queueDbFailedStoreInternals) pointing to their
original modules so the public surface remains unchanged until a breaking
release.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 97911b50-3889-4b80-9fdb-73140b3caf90

📥 Commits

Reviewing files that changed from the base of the PR and between 8fa7de7 and f4b3921.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (119)
  • apps/blog-next/app/auth-nav.tsx
  • apps/blog-next/app/login/actions.ts
  • apps/blog-next/app/login/page.tsx
  • apps/blog-next/app/logout/actions.ts
  • apps/blog-next/app/register/actions.ts
  • apps/blog-next/app/register/page.tsx
  • apps/blog-next/app/super-admin/login/actions.ts
  • apps/blog-next/app/super-admin/login/page.tsx
  • apps/blog-next/app/super-admin/logout-button.tsx
  • apps/blog-next/app/super-admin/logout/actions.ts
  • apps/blog-next/tests/auth-nav.test.mjs
  • apps/blog-next/tests/login-page.test.mjs
  • apps/blog-next/tests/logout-actions.test.mjs
  • apps/blog-next/tests/register-page.test.mjs
  • apps/blog-next/tests/run.mjs
  • apps/blog-next/tests/super-admin-login-page.test.mjs
  • apps/blog-next/tests/super-admin-logout-button.test.mjs
  • apps/blog-sveltekit/src/routes/+layout.svelte
  • apps/blog-sveltekit/src/routes/login/+page.server.ts
  • apps/blog-sveltekit/src/routes/login/+page.svelte
  • apps/blog-sveltekit/src/routes/logout/+server.ts
  • apps/blog-sveltekit/src/routes/register/+page.server.ts
  • apps/blog-sveltekit/src/routes/register/+page.svelte
  • apps/blog-sveltekit/src/routes/super-admin/+page.server.ts
  • apps/blog-sveltekit/src/routes/super-admin/+page.svelte
  • apps/blog-sveltekit/src/routes/super-admin/login/+page.server.ts
  • apps/blog-sveltekit/src/routes/super-admin/login/+page.svelte
  • apps/blog-sveltekit/tests/auth-page-actions.test.mjs
  • apps/blog-sveltekit/tests/run.mjs
  • apps/docs/docs/auth/current-auth-client.md
  • apps/docs/docs/forms/framework-integration.md
  • apps/docs/docs/forms/server-validation.md
  • packages/auth-social-discord/package.json
  • packages/auth-social-github/package.json
  • packages/auth-social-github/src/index.ts
  • packages/auth-social-github/tests/package.test.ts
  • packages/auth/src/next-server-shim.d.ts
  • packages/auth/src/next/client.ts
  • packages/auth/src/next/server.ts
  • packages/auth/src/runtime/csrfCookie.ts
  • packages/auth/tests/framework.test.ts
  • packages/auth/tsup.config.ts
  • packages/cache-db/tests/package.test.ts
  • packages/cache-redis/package.json
  • packages/cache-redis/tests/package.test.ts
  • packages/cli/package.json
  • packages/cli/tests/vitest-config.test.ts
  • packages/config/src/access.ts
  • packages/config/src/loader.ts
  • packages/config/tests/broadcast-config.type.test.ts
  • packages/config/tests/config.type.test.ts
  • packages/config/tests/security-config.type.test.ts
  • packages/config/tests/support/configAccessors.ts
  • packages/core/src/portable/holo.ts
  • packages/core/src/runtimeModule.ts
  • packages/core/src/storageRuntime.ts
  • packages/core/tests/dbRuntime.test.ts
  • packages/core/tests/runtime.test.ts
  • packages/core/tests/storageRuntime.test.ts
  • packages/db-mysql/package.json
  • packages/db-mysql/src/index.ts
  • packages/db-mysql/tests/mysql.test.ts
  • packages/db-postgres/package.json
  • packages/db-postgres/src/index.ts
  • packages/db-postgres/tests/postgres.test.ts
  • packages/db-sqlite/src/index.ts
  • packages/db/package.json
  • packages/db/src/cache.ts
  • packages/db/src/core/QueryScheduler.ts
  • packages/db/src/drivers/MySQLAdapter.ts
  • packages/db/src/drivers/PostgresAdapter.ts
  • packages/db/src/drivers/SQLiteAdapter.ts
  • packages/db/src/drivers/index.ts
  • packages/db/src/drivers/savepoints.ts
  • packages/db/src/migrations/MigrationService.ts
  • packages/db/src/migrations/defineMigration.ts
  • packages/db/src/migrations/template.ts
  • packages/db/src/model/Entity.ts
  • packages/db/src/model/ModelQueryBuilder.ts
  • packages/db/src/model/collection.ts
  • packages/db/src/model/defineModel.ts
  • packages/db/src/model/relations.ts
  • packages/db/src/model/staticModelApi.ts
  • packages/db/src/model/types.ts
  • packages/db/src/query/MySQLQueryCompiler.ts
  • packages/db/src/query/SQLiteQueryCompiler.impl.ts
  • packages/db/src/query/paginator.ts
  • packages/db/src/runtime.ts
  • packages/db/src/schema/SQLSchemaCompiler.ts
  • packages/db/src/schema/SchemaService.ts
  • packages/db/src/schema/TableDefinitionBuilder.ts
  • packages/db/src/schema/TableMutationBuilder.ts
  • packages/db/src/schema/diff.ts
  • packages/db/src/schema/foreignKeyBuilderState.ts
  • packages/db/src/schema/generatedNames.ts
  • packages/db/src/schema/typeMapping.ts
  • packages/db/src/security/policy.ts
  • packages/db/tests/core-runtime.test.ts
  • packages/db/tests/drivers-core.test.ts
  • packages/db/tests/factories-core.test.ts
  • packages/db/vitest.config.ts
  • packages/forms/src/contracts.ts
  • packages/forms/tests/contracts.test.ts
  • packages/forms/tsup.config.ts
  • packages/mail/src/contracts.ts
  • packages/mail/src/index.ts
  • packages/mail/src/runtime.ts
  • packages/mail/tests/contracts.test.ts
  • packages/mail/tests/runtime.test.ts
  • packages/queue-db/src/database.ts
  • packages/queue-db/src/drivers/database.ts
  • packages/queue-db/src/failed.ts
  • packages/queue-db/src/index.ts
  • packages/queue-db/tests/database-driver.test.ts
  • packages/queue-db/tests/failed.test.ts
  • packages/queue-db/tests/support/dialect.ts
  • packages/queue-db/tests/support/sqlite-queue.ts
  • packages/storage-s3/src/index.ts
  • packages/storage/src/runtime/composables/index.ts
💤 Files with no reviewable changes (9)
  • packages/db/src/drivers/SQLiteAdapter.ts
  • packages/db/src/drivers/PostgresAdapter.ts
  • packages/mail/src/contracts.ts
  • packages/mail/src/index.ts
  • packages/db/tests/drivers-core.test.ts
  • packages/db/vitest.config.ts
  • packages/db/src/drivers/MySQLAdapter.ts
  • packages/db/package.json
  • packages/db/tests/factories-core.test.ts
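The two forwarded-header findings above (the `secure` cookie flag derived from `url.protocol` in register/+page.server.ts, and the unparsed Referer in `resolveAmbientRequestUrl`) share one root cause: the request the app sees behind a TLS-terminating proxy is not the request the browser sent, and some of the headers that describe the original request are client-controlled. The following is an added example, not code from the holo-js packages; the function names `isSecureRequest` and `resolveAmbientRequestUrl` are taken from the review comments, but their bodies, the `trustProxy` parameter, `csrfCookieOptions` and the helpers are assumptions made here.

```typescript
// Added example (not the holo-js project's code). Resolves the original scheme
// and URL of a proxied request without letting a malformed client header throw.

// First value of a possibly comma-joined header, or undefined when absent/empty.
function firstValue(headers: Headers, name: string): string | undefined {
  const value = headers.get(name)?.split(',')[0].trim()
  return value ? value : undefined
}

// `proto=` parameter of the first element of an RFC 7239 Forwarded header,
// e.g. `for=192.0.2.60;proto=https;by=203.0.113.43`.
function forwardedProto(headers: Headers): string | undefined {
  const forwarded = headers.get('forwarded')
  if (!forwarded) return undefined
  for (const part of forwarded.split(',')[0].split(';')) {
    const eq = part.indexOf('=')
    if (eq === -1) continue
    if (part.slice(0, eq).trim().toLowerCase() !== 'proto') continue
    return part.slice(eq + 1).trim().replace(/^"|"$/g, '').toLowerCase()
  }
  return undefined
}

// True when the client connection was HTTPS, either directly or as reported by
// the proxy that terminated TLS. Pass trustProxy=false when the app can be
// reached without a proxy, because X-Forwarded-Proto/Forwarded are then
// attacker-settable and must not be allowed to flip the cookie's secure flag.
export function isSecureRequest(request: Request, trustProxy = true): boolean {
  if (new URL(request.url).protocol === 'https:') return true
  if (!trustProxy) return false
  const proto = firstValue(request.headers, 'x-forwarded-proto') ?? forwardedProto(request.headers)
  return proto?.toLowerCase() === 'https'
}

// Cookie options for the CSRF cookie set in the load handler (assumed shape).
export function csrfCookieOptions(request: Request, trustProxy = true) {
  return { httpOnly: true, sameSite: 'lax' as const, path: '/', secure: isSecureRequest(request, trustProxy) }
}

// The URL the browser actually used. Referer is untrusted input: it is only
// accepted when it parses as an absolute http(s) URL; otherwise a synthetic URL
// is built from the forwarded proto/host, so `new Request(url, ...)` downstream
// can never be fed an unparseable string.
export function resolveAmbientRequestUrl(headers: Headers, trustProxy = true): string {
  const referer = headers.get('referer')
  if (referer) {
    try {
      const parsed = new URL(referer)
      if (parsed.protocol === 'http:' || parsed.protocol === 'https:') return parsed.toString()
    } catch {
      // Malformed Referer: ignore it and fall through to the synthetic URL.
    }
  }
  const proto = (trustProxy && (firstValue(headers, 'x-forwarded-proto') ?? forwardedProto(headers))) || 'http'
  const host = (trustProxy && firstValue(headers, 'x-forwarded-host')) || firstValue(headers, 'host') || 'localhost'
  return `${proto}://${host}/`
}
```

The Referer that survives parsing is still chosen by the client, so it is usable for building a request URL but not for any authorization decision; likewise `trustProxy` should come from deployment configuration rather than being hard-coded, since the same header that fixes the cookie flag behind a proxy is a spoofable input in front of one.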


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In apps/blog-sveltekit/src/routes/super-admin/login/+page.svelte:
- Around line 8-11: The login form instantiation (useForm(loginForm, { ... }))
currently omits CSRF protection; add csrf: true to the options passed to useForm
(alongside validateOn and initialValues) so the frontend includes CSRF tokens,
and update the paired submit handler/endpoint that validates the login (the
async submitter and its server-side login endpoint) to enforce CSRF validation
(reject when CSRF is missing/invalid) to match other auth flows; reference the
useForm call and the async submitter function to locate both client and server
changes.

In apps/docs/docs/forms/server-validation.md:
- Around line 249-251: The Nuxt flow prose ("refresh the current user, then
navigate") is inconsistent with the Nuxt example which only refreshes and shows
a success message; either update the prose to describe "refresh and show success
message" or modify the Nuxt example to perform navigation after the refresh. To
fix, edit the docs text around the Nuxt flow or update the Nuxt snippet to call
the router navigation step (e.g., invoke the router push/redirect after the user
refresh completes) so the example matches the described flow; ensure the change
references the Nuxt snippet/example and the flow description in the same
section.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d8ff87ae-431c-4e4f-acdc-abc348fe5f7a

📥 Commits

Reviewing files that changed from the base of the PR and between f4b3921 and 47b7b02.

📒 Files selected for processing (30)
  • apps/blog-sveltekit/src/routes/api/login/+server.ts
  • apps/blog-sveltekit/src/routes/api/register/+server.ts
  • apps/blog-sveltekit/src/routes/api/super-admin/login/+server.ts
  • apps/blog-sveltekit/src/routes/login/+page.svelte
  • apps/blog-sveltekit/src/routes/register/+page.svelte
  • apps/blog-sveltekit/src/routes/super-admin/login/+page.svelte
  • apps/blog-sveltekit/tests/auth-page-actions.test.mjs
  • apps/docs/docs/auth/current-auth-client.md
  • apps/docs/docs/forms/framework-integration.md
  • apps/docs/docs/forms/server-validation.md
  • apps/docs/docs/security.md
  • packages/auth/src/next/server.ts
  • packages/auth/src/runtime/csrfCookie.ts
  • packages/auth/src/sveltekit/server.ts
  • packages/auth/tests/framework.test.ts
  • packages/cache-redis/vitest.config.ts
  • packages/core/src/runtimeModule.ts
  • packages/core/tests/runtimeModule.test.ts
  • packages/db/src/schema/generatedNames.ts
  • packages/db/tests/schema-service.test.ts
  • packages/forms/src/contracts.ts
  • packages/forms/tests/contracts.test.ts
  • packages/queue-db/src/database.ts
  • packages/queue-db/src/drivers/database.ts
  • packages/queue-db/src/failed.ts
  • packages/queue-db/src/index.ts
  • packages/queue-db/tests/failed.test.ts
  • packages/security/src/csrf.ts
  • packages/security/src/index.ts
  • packages/security/tests/package.test.ts
✅ Files skipped from review due to trivial changes (3)
  • apps/blog-sveltekit/src/routes/api/register/+server.ts
  • apps/docs/docs/security.md
  • packages/db/tests/schema-service.test.ts

Comment on lines 8 to 11
const form = useForm(loginForm, {
validateOn: 'blur',
initialValues: { email: '', password: '', remember: false },
async submitter({ formData }) {


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Re-enable CSRF protection for the super-admin login flow.

Line 8 config omits csrf: true, and the paired endpoint currently validates without CSRF as well. That leaves this login route weaker than the other auth entry points in this PR.

🔧 Proposed fix
// apps/blog-sveltekit/src/routes/super-admin/login/+page.svelte
   const form = useForm(loginForm, {
+    csrf: true,
     validateOn: 'blur',
     initialValues: { email: '', password: '', remember: false },
// apps/blog-sveltekit/src/routes/api/super-admin/login/+server.ts
   const submission = await validate(request, loginForm, {
+    csrf: true,
     throttle: 'login',
   })
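Review bot: of the two additions, the server-side `csrf: true` passed to `validate(request, loginForm, { ... })` is the one that actually rejects a request without a valid token; the client-side `csrf: true` on `useForm` only makes sure the token is sent with the form. Land both, and add a test that posts the super-admin login form without a token and asserts the endpoint fails, so this route cannot silently regress to the `throttle: 'login'`-only configuration again.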


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/db/src/schema/generatedNames.ts (1)

47-48: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Sanitize columnName in fallback foreign-key name generation.

The fallback path sanitizes tableName but not columnName, so non-identifier-safe column names can fail generated-name validation unexpectedly.

Proposed fix
-  const resolvedName = constraintName ?? `${sanitizeIdentifierForGeneratedName(tableName)}_${columnName}_foreign`
+  const resolvedName = constraintName
+    ?? `${sanitizeIdentifierForGeneratedName(tableName)}_${sanitizeIdentifierForGeneratedName(columnName)}_foreign`
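Review bot: sanitizing `columnName` in the `??` fallback keeps `assertValidIdentifierSegment` from rejecting the generated name, but sanitization can map two distinct column names onto the same `${table}_${column}_foreign` string, so a collision on such a table now surfaces as a duplicate constraint at migration time rather than as a validation error; an explicit `constraintName` remains the way to disambiguate, which is worth a line in the docs for this helper.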
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In packages/db/src/schema/generatedNames.ts around lines 47-48, the fallback
foreign-key name uses sanitizeIdentifierForGeneratedName on tableName but not
columnName, which can break assertValidIdentifierSegment; update the
resolvedName construction in the block that defines resolvedName (using
constraintName ?? ...) to sanitize columnName as well (e.g., call
sanitizeIdentifierForGeneratedName(columnName) when building the
`${...}_${...}_foreign` fallback) so that both tableName and columnName are
identifier-safe before assertValidIdentifierSegment is invoked.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In apps/docs/docs/forms/server-validation.md:
- Line 246: Change the heading text "Full page flow" to use hyphenated compound
wording "Full-page flow" in the docs file—update the heading string where it
appears as the section title "Full page flow" to "Full-page flow" so it follows
standard compound-word style.

In tests/example-app-auth-flow.mjs:
- Around line 348-399: The current action-mode helper swallows structured action
failure payloads and assertAuthFieldFailure ignores the provided fields when
usesSvelteKitActions is true; update the action-handling block in
fetchActionSubmission (the try/catch that parses result.text) to preserve and
return the parsed actionResult (including actionResult.type === 'failure' and
actionResult.errors) instead of always returning the generic "_root" error, and
modify assertAuthFieldFailure to, when usesSvelteKitActions is true, delegate to
assertFieldFailure by passing the preserved result.json.errors (or the same
shape assertFieldFailure expects) so field-level assertions (e.g., ['email'])
are validated; reference functions: fetchActionSubmission,
assertAuthFieldFailure, and assertFieldFailure.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d0703608-cc8d-41b1-8aa2-2f62d43c3502

📥 Commits

Reviewing files that changed from the base of the PR and between 47b7b02 and 945ae03.

📒 Files selected for processing (30)
  • apps/blog-sveltekit/src/routes/+layout.server.ts
  • apps/blog-sveltekit/src/routes/api/login/+server.ts
  • apps/blog-sveltekit/src/routes/api/register/+server.ts
  • apps/blog-sveltekit/src/routes/api/super-admin/login/+server.ts
  • apps/blog-sveltekit/src/routes/login/+page.server.ts
  • apps/blog-sveltekit/src/routes/login/+page.svelte
  • apps/blog-sveltekit/src/routes/register/+page.server.ts
  • apps/blog-sveltekit/src/routes/register/+page.svelte
  • apps/blog-sveltekit/src/routes/super-admin/login/+page.server.ts
  • apps/blog-sveltekit/src/routes/super-admin/login/+page.svelte
  • apps/blog-sveltekit/tests/auth-page-actions.test.mjs
  • apps/blog-sveltekit/tests/blog-logic.mjs
  • apps/blog-sveltekit/tests/register-route.test.mjs
  • apps/blog-sveltekit/tests/run.mjs
  • apps/docs/docs/forms/client-usage.md
  • apps/docs/docs/forms/framework-integration.md
  • apps/docs/docs/forms/server-validation.md
  • packages/adapter-sveltekit/src/client.ts
  • packages/adapter-sveltekit/src/sveltekit-app.d.ts
  • packages/adapter-sveltekit/tests/client.test.ts
  • packages/adapter-sveltekit/tests/stubs/app-stores.ts
  • packages/adapter-sveltekit/tsup.config.ts
  • packages/adapter-sveltekit/vitest.config.ts
  • packages/auth/src/sveltekit/server.ts
  • packages/db/src/schema/generatedNames.ts
  • packages/db/tests/schema-service.test.ts
  • packages/forms/src/internal/client.ts
  • packages/forms/tests/client.test.ts
  • tests/example-app-auth-flow.mjs
  • tests/example-app-token-auth-flow.mjs
💤 Files with no reviewable changes (4)
  • apps/blog-sveltekit/tests/register-route.test.mjs
  • apps/blog-sveltekit/src/routes/api/login/+server.ts
  • apps/blog-sveltekit/src/routes/api/register/+server.ts
  • apps/blog-sveltekit/src/routes/api/super-admin/login/+server.ts
✅ Files skipped from review due to trivial changes (3)
  • packages/adapter-sveltekit/tsup.config.ts
  • packages/adapter-sveltekit/tests/stubs/app-stores.ts
  • packages/adapter-sveltekit/src/sveltekit-app.d.ts
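
The finding about the generated foreign-key name, shown as an added example rather than the project's own code: sanitizeIdentifierForGeneratedName and assertValidIdentifierSegment are assumed implementations modelled only on the names in the review, and foreignKeyNameBefore / foreignKeyNameAfter reproduce the two shapes of the diff so the raw-columnName failure and the caller-supplied constraintName path can both be checked.

```typescript
// Added example, not code from the PR. The sanitizer and validator below are
// assumptions built from the function names in the review, not the real ones.
const IDENTIFIER_SEGMENT = /^[a-z0-9_]+$/;

// Assumed sanitizer: lower-case, turn every run of characters outside
// [a-z0-9_] into a single underscore, and trim leading/trailing underscores.
function sanitizeIdentifierForGeneratedName(value: string): string {
  const cleaned = value
    .toLowerCase()
    .replace(/[^a-z0-9_]+/g, "_")
    .replace(/^_+|_+$/g, "");
  return cleaned.length > 0 ? cleaned : "x";
}

// Assumed validator: refuse anything that cannot be emitted as a bare SQL
// identifier segment, so unexpected characters never reach the DDL string.
function assertValidIdentifierSegment(value: string): string {
  if (!IDENTIFIER_SEGMENT.test(value)) {
    throw new Error(`unsafe identifier segment: ${JSON.stringify(value)}`);
  }
  return value;
}

// Pre-fix shape from the diff: columnName is interpolated raw.
function foreignKeyNameBefore(tableName: string, columnName: string, constraintName?: string): string {
  const resolved = constraintName
    ?? `${sanitizeIdentifierForGeneratedName(tableName)}_${columnName}_foreign`;
  return assertValidIdentifierSegment(resolved);
}

// Post-fix shape: both generated segments are sanitized before validation.
// An explicit constraintName is still validated, not rewritten.
function foreignKeyNameAfter(tableName: string, columnName: string, constraintName?: string): string {
  const resolved = constraintName
    ?? `${sanitizeIdentifierForGeneratedName(tableName)}_${sanitizeIdentifierForGeneratedName(columnName)}_foreign`;
  return assertValidIdentifierSegment(resolved);
}

// Small helper so a test can check "was rejected" without caring about the message.
function isRejected(fn: () => string): boolean {
  try {
    fn();
    return false;
  } catch {
    return true;
  }
}
```

With the constructed inputs "Users" / "user-id", the pre-fix version throws on the hyphen while the post-fix version yields users_user_id_foreign; an explicit constraintName such as "fk-users-user" is rejected by both, which is the behaviour a caller should expect if explicit names are meant to fail loudly.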

@cobraprojects
Owner Author

@CodeRabbit review

@coderabbitai

coderabbitai Bot commented May 25, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cobraprojects cobraprojects merged commit b24942f into main May 25, 2026
1 check passed
@cobraprojects cobraprojects deleted the refactor-db-related-packages branch May 25, 2026 02:49