feat: add automations and events#866
Merged
Merged
Conversation
commit: |
Contributor
There was a problem hiding this comment.
4 issues found across 25 files
Confidence score: 3/5
- There’s some meaningful merge risk:
src/events/events.spec.tsadds new Resend Events/workflow SDK operations without explicit confirmation of required production API-key permissions, which can lead to authorization failures or policy non-compliance after release. src/workflows/workflows.spec.tsandsrc/events/events.spec.tsinclude API-key-like hardcoded token strings in tests; even in test artifacts, this is a security hygiene concern and should be replaced with redacted placeholders before merging.- In
src/events/events.spec.ts, a test retrievesdatawithout asserting it, so regressions inevents.getresponse handling may slip through undetected. - Pay close attention to
src/events/events.spec.tsandsrc/workflows/workflows.spec.ts- permission-check compliance and token redaction need to be resolved to reduce risk.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/events/events.spec.ts">
<violation number="1" location="src/events/events.spec.ts:15">
P2: Avoid committing raw API tokens in tests; use a redacted placeholder value instead.
(Based on your team's feedback about redacting secrets from test artifacts.) [FEEDBACK_USED]</violation>
<violation number="2" location="src/events/events.spec.ts:131">
P1: Custom agent: **API Key Permission Check SDK Methods**
Rule 1 (API Key Permission Check SDK Methods) is violated: this PR introduces new Resend Events/workflow SDK operations without an explicit confirmation that production API keys have the required permissions for these endpoints. Add a permission-scope verification note/check before release to avoid runtime authorization failures.</violation>
<violation number="3" location="src/events/events.spec.ts:257">
P2: The test fetches `data` but never asserts it, so regressions in `events.get` response handling can pass unnoticed.</violation>
</file>
<file name="src/workflows/workflows.spec.ts">
<violation number="1" location="src/workflows/workflows.spec.ts:17">
P2: Do not commit API-key-like secrets in test code; replace hardcoded token strings with a redacted dummy/test value.
(Based on your team's feedback about redacting secrets from test artifacts.) [FEEDBACK_USED]</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Add one-off context when rerunning by tagging
@cubic-dev-aiwith guidance or docs links (includingllms.txt) - Ask questions if you need clarification on any suggestion
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Contributor
There was a problem hiding this comment.
2 issues found across 8 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/workflow-runs/workflow-runs.spec.ts">
<violation number="1" location="src/workflow-runs/workflow-runs.spec.ts:41">
P2: Avoid hardcoding token-like API keys in tests; use an obviously redacted/dummy value instead.
(Based on your team's feedback about redacting secrets in test artifacts.) [FEEDBACK_USED]</violation>
</file>
<file name="src/workflow-runs/workflow-runs.ts">
<violation number="1" location="src/workflow-runs/workflow-runs.ts:18">
P1: Custom agent: **API Key Permission Check SDK Methods**
This PR adds new Workflow Runs SDK operations (`get`/`list`) but does not include a permission-check reminder/handling path for API keys. Per the API Key Permission Check SDK Methods rule, confirm production API keys have scopes for these new `/workflows/*/runs` operations to prevent permission-related runtime failures.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Contributor
There was a problem hiding this comment.
2 issues found across 10 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/workflow-run-steps/workflow-run-steps.ts">
<violation number="1" location="src/workflow-run-steps/workflow-run-steps.ts:21">
P1: Custom agent: **API Key Permission Check SDK Methods**
This PR adds new SDK methods that call workflow run step endpoints. Please confirm that the existing production API keys are provisioned with the required permissions for these new workflow run step read operations to avoid permission failures after deployment.</violation>
</file>
<file name="src/workflow-run-steps/workflow-run-steps.spec.ts">
<violation number="1" location="src/workflow-run-steps/workflow-run-steps.spec.ts:46">
P2: Avoid hardcoding API keys in test code; use a redacted placeholder or environment variable to prevent credential leakage.
(Based on your team's feedback about redacting secrets from test recordings/cassettes even if ephemeral.) [FEEDBACK_USED]</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Contributor
There was a problem hiding this comment.
1 issue found across 3 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/workflows/interfaces/workflow-step.interface.ts">
<violation number="1" location="src/workflows/interfaces/workflow-step.interface.ts:82">
P3: `WorkflowStepType` duplicates the literal step-type list already defined by `WorkflowStep`, creating a drift risk. Derive it from `WorkflowStep['type']` to keep a single source of truth.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
fbcd35d to
fe596d9
Compare
Contributor
There was a problem hiding this comment.
7 issues found across 30 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/automations/automations.spec.ts">
<violation number="1" location="src/automations/automations.spec.ts:17">
P2: Do not hardcode API key values in tests; use a redacted placeholder or environment-driven test key instead.
(Based on your team's feedback about redacting secrets from test artifacts.) [FEEDBACK_USED]</violation>
<violation number="2" location="src/automations/automations.spec.ts:54">
P1: Custom agent: **API Key Permission Check SDK Methods**
Confirm production Resend API keys have permissions for the new Automations operations (create/list/get/remove/update). This PR introduces new SDK method usage, so keys without automations scope will fail at runtime.</violation>
</file>
<file name="src/automation-runs/automation-runs.spec.ts">
<violation number="1" location="src/automation-runs/automation-runs.spec.ts:43">
P2: Redact the API key in tests and use a placeholder or env-provided value instead.
(Based on your team's feedback about redacting secrets from test recordings/cassettes even if keys are ephemeral.) [FEEDBACK_USED]</violation>
<violation number="2" location="src/automation-runs/automation-runs.spec.ts:45">
P1: Custom agent: **API Key Permission Check SDK Methods**
The new Resend SDK methods for automation run get/list require confirming production API keys include the necessary permissions for automation run read/list operations, per the API Key Permission Check rule.</violation>
</file>
<file name="src/automation-run-steps/automation-run-steps.spec.ts">
<violation number="1" location="src/automation-run-steps/automation-run-steps.spec.ts:43">
P2: Redact the API key literal in tests; use a non-secret dummy value instead.
(Based on your team's feedback about redacting secrets.) [FEEDBACK_USED]</violation>
</file>
<file name="src/common/utils/parse-automation-to-api-options.spec.ts">
<violation number="1" location="src/common/utils/parse-automation-to-api-options.spec.ts:11">
P2: The test input `name` no longer matches the expected output `name`, causing this spec to fail.</violation>
</file>
<file name="src/automation-run-steps/automation-run-steps.ts">
<violation number="1" location="src/automation-run-steps/automation-run-steps.ts:21">
P2: Custom agent: **API Key Permission Check SDK Methods**
Confirm production API keys have permission to access the new automation run steps endpoints (get/list). The rule requires this check for newly introduced SDK methods to avoid permission failures after deployment.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
|
|
||
| const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop'); | ||
| await expect( | ||
| resend.automations.runs.get(options), |
Contributor
There was a problem hiding this comment.
P1: Custom agent: API Key Permission Check SDK Methods
The new Resend SDK methods for automation run get/list require confirming production API keys include the necessary permissions for automation run read/list operations, per the API Key Permission Check rule.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/automation-runs/automation-runs.spec.ts, line 45:
<comment>The new Resend SDK methods for automation run get/list require confirming production API keys include the necessary permissions for automation run read/list operations, per the API Key Permission Check rule.</comment>
<file context>
@@ -0,0 +1,202 @@
+
+ const resend = new Resend('re_zKa4RCko_Lhm9ost2YjNCctnPjbLw8Nop');
+ await expect(
+ resend.automations.runs.get(options),
+ ).resolves.toMatchInlineSnapshot(`
+ {
</file context>
Contributor
There was a problem hiding this comment.
1 issue found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/workflow-run-steps/workflow-run-steps.ts">
<violation number="1" location="src/workflow-run-steps/workflow-run-steps.ts:21">
P1: Custom agent: **API Key Permission Check SDK Methods**
This change introduces calls to the Resend `/automations` endpoints, which are new provider operations. Confirm production API keys have the required permissions for automation workflow runs to avoid permission failures after deployment.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
3e2d00f to
1e57f4f
Compare
Contributor
|
You're iterating quickly on this pull request. To help protect your rate limits, cubic has paused automatic reviews on new pushes for now—when you're ready for another review, comment |
…API (#915) Co-authored-by: Cursor Agent <[email protected]>
zenorocha
approved these changes
Apr 10, 2026
Member
|
@cubic-dev-ai review |
Contributor
@zenorocha I have started the AI code review. It will take a few minutes to complete. |
Contributor
There was a problem hiding this comment.
2 issues found across 16 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/automation-runs/automation-runs.ts">
<violation number="1" location="src/automation-runs/automation-runs.ts:32">
P2: Avoid setting `status` when it is an empty array; the current truthy check serializes `[]` as `status=`.</violation>
</file>
<file name="src/automations/automations.ts">
<violation number="1" location="src/automations/automations.ts:114">
P1: Custom agent: **API Key Permission Check SDK Methods**
New provider SDK operation (`automations stop`) was introduced without confirming production API key permissions for this action. Add an explicit permission check/reminder for rollout to prevent post-deploy authorization failures.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Comment on lines
+32
to
+37
| if (options.status) { | ||
| const statusValue = Array.isArray(options.status) | ||
| ? options.status.join(',') | ||
| : options.status; | ||
| searchParams.set('status', statusValue); | ||
| } |
Contributor
There was a problem hiding this comment.
P2: Avoid setting status when it is an empty array; the current truthy check serializes [] as status=.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At src/automation-runs/automation-runs.ts, line 32:
<comment>Avoid setting `status` when it is an empty array; the current truthy check serializes `[]` as `status=`.</comment>
<file context>
@@ -27,8 +27,18 @@ export class AutomationRuns {
- ? `/automations/${options.automationId}/runs?${queryString}`
+ const searchParams = new URLSearchParams(queryString);
+
+ if (options.status) {
+ const statusValue = Array.isArray(options.status)
+ ? options.status.join(',')
</file context>
Suggested change
| if (options.status) { | |
| const statusValue = Array.isArray(options.status) | |
| ? options.status.join(',') | |
| : options.status; | |
| searchParams.set('status', statusValue); | |
| } | |
| if ( | |
| options.status !== undefined && | |
| (!Array.isArray(options.status) || options.status.length > 0) | |
| ) { | |
| const statusValue = Array.isArray(options.status) | |
| ? options.status.join(',') | |
| : options.status; | |
| searchParams.set('status', statusValue); | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.