chore(root): upgrade NestJS to 11.1.18 and align ecosystem packages

[scopsy]

Summary

NestJS 11 / @nestjs/swagger v11 upgrade with dependency pins and migration-guide follow-ups.

validate-submodule-sync

.source tracks packages-enterprise/next (b1d8f81).

Enterprise / CI (TypeScript)

• enterprise/packages/auth and translation: vendored src/ (replacing symlinks into .source) so Passport v11 / Swagger fixes stay in-tree.
• @novu/ee-shared-services: vendored src/ plus package.json "types": "src/index.ts" (replacing typings that only existed under build/). Fixes Cannot find module '@novu/ee-shared-services' when CI runs tsc on dependents (e.g. @novu/ee-translation) before ee-shared-services is built.

OpenAPI lint (Spectral)

• Global tags registered in alphabetical order in swagger.controller.ts.
• CreateEnvironmentRequestDto.color example uses uppercase hex (#3498DB).

CodeQL (PR checks)

• js/insufficient-password-hash: ee.auth.service uses SHA-256 for API key lookup identifiers (stored in apiKeys.hash), not password storage — documented with a codeql[js/insufficient-password-hash] suppression comment.
• js/polynomial-redos: Translate.replaceTranslationKeys no longer uses new RegExp(..., 'gi').replace on notification content; translation keys are found with a linear {{ … t. … }} scanner (same shape as TRANSLATION_KEY_SINGLE_REGEX).

Other fixes

Swagger PRIMARY issue (explicit @ApiParam for ButtonTypeEnum where inferred from @Param), etc.

Docs

AGENTS.md covers packageExtensions (nest-raven / @sentry/nestjs) and enterprise vendored src / types layout.

  

What changed

NestJS was upgraded from v10 to v11, along with aligned ecosystem packages (@nestjs/swagger v7/v11→v11.2.6, and corresponding updates to JWT, Passport, Axios, Terminus, Throttler, and CLI tooling). Enterprise packages were migrated from symlinks to vendored src/ directories to support Passport v11 and Swagger fixes. OpenAPI tags are now registered alphabetically, hex color examples use uppercase formatting, and @ApiProperty decorators were replaced with @ApiPropertyOptional where appropriate. TypeScript type casting was added for GraphQL context checks, and Express v5 compatibility was enabled by configuring the query parser to "extended" mode.

Affected areas

api: Updated NestJS runtime and dev dependencies to v11; refactored auth guards, DTOs, and Swagger metadata; added Express query parser configuration and bootstrap type hints.

worker: Bumped NestJS and tooling versions to v11; updated response interceptor with GraphQL type casting and Express v5 query parser support.

ws: Upgraded NestJS packages to v11 including platform-socket.io and websockets; applied Express configuration changes in bootstrap.

webhook: Applied GraphQL context type casting in user decorator.

Enterprise packages (auth, billing, shared-services, translation, ai, api): Updated peer dependencies and type declaration fields; vendored src/ directories to replace symlinks; updated @novu/ee-shared-services to reference src/index.ts for TypeScript resolution.

shared libs (application-generic, dal, notifications, framework): Updated peer dependencies, Swagger import paths, and type declaration fields (renamed typings to types).

root: Added pnpm.packageExtensions for nest-raven and @sentry/nestjs to support NestJS v11 peer dependency ranges; added pnpm.ignoredBuiltDependencies for @scarf/scarf; pinned NestJS monorepo packages to explicit versions.

Key technical decisions

• Enterprise vendored src: Enterprise packages now include source files directly instead of symlinks, enabling Passport v11 and Swagger fixes to remain in-tree without requiring separate builds.
• Type declaration field standardization: Renamed typings to types across package manifests to use the standard npm TypeScript convention.
• Express v5 compatibility: Set query parser to "extended" to restore v4 behavior for nested query parameters.
• pnpm packageExtensions: Introduced extensions for nest-raven and @sentry/nestjs to broaden peer dependency acceptance across NestJS v10 and v11.

Testing

No new tests were added. The upgrade aligns with NestJS v11 migration guidance and existing test suites should validate compatibility. Manual verification of API schema generation via Swagger/Spectral and enterprise package resolution would be recommended before merging.

[netlify]

✅ Deploy Preview for dashboard-v2-novu-staging canceled.

Name	Link
🔨 Latest commit	7fb0846
🔍 Latest deploy log	https://app.netlify.com/projects/dashboard-v2-novu-staging/deploys/69d8f27f8474b10008360444

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR upgrades NestJS packages to v11 across the monorepo, adjusts related package.json fields and pnpm overrides, updates a few import paths and typings, refines Swagger/OpenAPI decorators, adds explicit Express query-parser configuration, and tweaks Passport ApiKeyStrategy verification to expose a public validate method.

Changes

Cohort / File(s)	Summary
Top-level & app manifests package.json, apps/api/package.json, apps/worker/package.json, apps/ws/package.json	Pinned/updated NestJS runtime and tooling packages to v11; added pnpm.packageExtensions and pnpm.ignoredBuiltDependencies and tightened/changed overrides.
Enterprise & library manifests enterprise/packages/*/package.json, libs/*/package.json, packages/framework/package.json, libs/application-generic/package.json, libs/notifications/package.json, enterprise/packages/shared-services/package.json	Bumped peer/dev dependency constraints to NestJS v11 and normalized TypeScript typings → types where applicable.
Bootstrap / Express config apps/api/src/bootstrap.ts, apps/worker/src/bootstrap.ts, apps/ws/src/bootstrap.ts	Create app as NestExpressApplication and set app.set('query parser', 'extended') to preserve extended query parsing.
Auth / Passport apps/api/src/app/auth/services/passport/apikey.strategy.ts, apps/api/src/app/auth/framework/community.user.auth.guard.ts	Refactored ApiKeyStrategy to disable built-in callback handling and expose validate(apiKey) returning user session or false; narrowed generic on getAuthenticateOptions.
Swagger/OpenAPI decorator changes many DTOs under apps/api/src/app/..., libs/application-generic/src/dtos/..., libs/application-generic/src/webhooks/dtos/..., apps/api/src/error-dto.ts	Replaced @ApiProperty({ required: false }) with @ApiPropertyOptional, changed type: 'object'→type: Object, added additionalProperties: true in several schemas, and updated enum documentation to use Object.values(...) + enumName.
Swagger tag registration apps/api/src/app/shared/framework/swagger/swagger.controller.ts	Introduced OPEN_API_TAG_DEFINITIONS and replaced manual .addTag(...) chain with iterative tag registration (supports optional docUrl).
GraphQL context type casts apps/api/src/app/shared/framework/response.interceptor.ts, apps/api/src/app/shared/framework/user.decorator.ts, apps/webhook/src/shared/framework/user.decorator.ts, libs/application-generic/src/decorators/user-session.decorator.ts, apps/worker/src/app/shared/response.interceptor.ts	Cast context.getType()/ctx.getType() to string before comparing to 'graphql'.
CORS typing apps/api/src/config/cors.config.ts	Explicitly typed corsOptions as CorsOptions.
Metadata / import fixes apps/api/scripts/generate-metadata.ts, libs/application-generic/src/decorators/context-payload.decorator.ts, libs/application-generic/src/dtos/step-filter-dto.ts	Adjusted import path for plugin metadata generator and switched Swagger option typings to import ApiPropertyOptions from @nestjs/swagger.
Controllers - ApiParam enum docs apps/api/src/app/subscribers-v2/subscribers.controller.ts, apps/api/src/app/subscribers/subscribersV1.controller.ts, apps/api/src/app/widgets/widgets.controller.ts	Added/updated @ApiParam decorators to document path param enums using Object.values(ButtonTypeEnum) and enumName.
Minor docs/DTO tweaks assorted DTOs (color example, response extras, etc.)	Small Swagger example casing change and similar metadata adjustments across DTOs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat(api-service): Api cache tokens for strategy #9785: Related changes to apps/api/src/app/auth/services/passport/apikey.strategy.ts touching ApiKeyStrategy verification/validate behavior.

Suggested reviewers

• LetItRock
• djabarovgeorge

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title follows Conventional Commits format with valid type (chore) and scope (root), uses lowercase imperative description, and accurately summarizes the main change of upgrading NestJS to v11 across the codebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Hey there and thank you for opening this pull request! 👋

We require pull request titles to follow specific formatting rules and it looks like your proposed title needs to be adjusted.

Your PR title is: chore(root): upgrade NestJS to 11.1.18 and align ecosystem packages

Requirements:

1. Follow the Conventional Commits specification
2. As a team member, include Linear ticket ID at the end: fixes TICKET-ID or include it in your branch name

Expected format: feat(scope): Add fancy new feature fixes NOV-123

Details:

PR title must end with 'fixes TICKET-ID' (e.g., 'fixes NOV-123') or include ticket ID in branch name

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (8)

libs/application-generic/src/dtos/workflow/generate-preview-response.dto.ts (2)

126-136: additionalProperties: true is inaccurate for this closed type.

The lookBackWindow property has a fixed structure with only amount and unit (as confirmed by the LookBackWindowDto definition). Adding additionalProperties: true misrepresents the schema as accepting arbitrary extra fields.

Consider referencing the existing DTO class instead of an inline type, which would provide accurate schema documentation:

Proposed fix

   `@ApiPropertyOptional`({
     description: 'Look back window configuration',
-    type: 'object',
-    additionalProperties: true,
+    type: () => LookBackWindowDto,
   })
   `@IsOptional`()
   `@ValidateNested`()
+  `@Type`(() => LookBackWindowDto)
   lookBackWindow?: {
     amount: number;
     unit: TimeUnitEnum;
   };

This requires importing LookBackWindowDto from ./controls/look-back-window.dto.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/application-generic/src/dtos/workflow/generate-preview-response.dto.ts`
around lines 126 - 136, Replace the inline anonymous type and inaccurate
ApiPropertyOptional additionalProperties setting for lookBackWindow with a
reference to the existing DTO: use `@ApiPropertyOptional`({ type:
LookBackWindowDto }) (and keep `@IsOptional`() and `@ValidateNested`()) and change
the property type to LookBackWindowDto; import LookBackWindowDto from
./controls/look-back-window.dto so the OpenAPI schema only allows the defined
amount and unit fields.

---

257-321: Schema permits extra properties that TypeScript union doesn't allow.

Similar to other DTOs in this PR, additionalProperties: true at line 260 opens the schema to arbitrary properties, while the TypeScript union type (lines 322-367) defines closed variants with specific fields. The first oneOf variant (lines 263-265) being a generic { type: 'object', additionalProperties: true } already serves as a catch-all.

If this is a workaround for Swagger v11 compatibility issues mentioned in the PR objectives, a brief comment would help future maintainers understand the intent.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/application-generic/src/dtos/workflow/generate-preview-response.dto.ts`
around lines 257 - 321, The ApiProperty schema for the Preview result is overly
permissive: remove the top-level additionalProperties: true and delete (or
tighten) the generic oneOf variant that is just { type: 'object',
additionalProperties: true } so the OpenAPI oneOf matches the closed TypeScript
union; if this permissiveness is intentional for Swagger v11 compatibility,
replace the generic variant with a clear inline comment in
generate-preview-response.dto.ts next to the ApiProperty decorator explaining
the workaround and the reason for allowing extra properties so future
maintainers understand the intent.

apps/api/src/app/layouts-v2/dtos/generate-layout-preview-response.dto.ts (1)

33-49: Schema permits extra properties that TypeScript type doesn't allow.

The TypeScript type for result (lines 46-49) is a closed object with only type and preview properties, but additionalProperties: true declares the OpenAPI schema as open-ended. This mismatch could mislead API consumers into thinking arbitrary properties are accepted.

If this is a necessary workaround for Swagger v11 compatibility, consider adding a brief comment explaining why. Otherwise, the TypeScript type and schema should be aligned.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/app/layouts-v2/dtos/generate-layout-preview-response.dto.ts`
around lines 33 - 49, The OpenAPI decorator for the result property declares
additionalProperties: true but the TypeScript type for result is a closed object
(type: ChannelTypeEnum.EMAIL; preview?: EmailLayoutRenderOutput), causing a
schema/type mismatch; fix by either removing additionalProperties from the
`@ApiProperty` options to make the OpenAPI schema closed, or broaden the TS type
to allow arbitrary props (e.g., add an index signature) so it matches the
decorator; if additionalProperties: true is required as a Swagger v11
workaround, add a brief inline comment next to the `@ApiProperty` explaining that
constraint and reference the result type, ChannelTypeEnum, and
EmailLayoutRenderOutput to make intent clear.

apps/api/src/app/shared/dtos/subscriptions/create-subscriptions-response.dto.ts (1)

140-146: Pre-existing optionality mismatch.

SubscriptionResponseDto.identifier is marked as optional in TypeScript (identifier?: string) and has @IsOptional(), but uses @ApiProperty instead of @ApiPropertyOptional.

Proposed fix

-  `@ApiProperty`({
+  `@ApiPropertyOptional`({
     description: 'The identifier of the subscription',
     example: 'tk=product-updates:si=subscriber-123',
   })
   `@IsString`()
   `@IsOptional`()
   identifier?: string;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@apps/api/src/app/shared/dtos/subscriptions/create-subscriptions-response.dto.ts`
around lines 140 - 146, The ApiProperty decorator on the optional property
identifier should be changed to ApiPropertyOptional to match its TypeScript
optionality and `@IsOptional`() usage; update the decorator on the identifier
field (in the CreateSubscriptionsResponseDto / SubscriptionResponseDto property
named identifier) and ensure ApiPropertyOptional is imported from
`@nestjs/swagger` instead of or in addition to ApiProperty.

apps/api/src/app/shared/dtos/subscriptions/create-subscriptions.dto.ts (1)

72-90: Pre-existing optionality mismatches in unchanged code.

Several optional properties still use @ApiProperty instead of @ApiPropertyOptional:

• GroupPreferenceFilterDetailsDto.workflowIds? (Line 72)
• GroupPreferenceFilterDetailsDto.tags? (Line 82)
• CreateSubscriptionsRequestDto.subscriberIds? (Line 106)
• CreateSubscriptionsRequestDto.name? (Line 138)
• CreateSubscriptionsRequestDto.preferences? (Line 146)

Consider addressing these for consistency with the coding guidelines in a follow-up.

Also applies to: 106-118, 138-144, 146-161

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/app/shared/dtos/subscriptions/create-subscriptions.dto.ts`
around lines 72 - 90, The DTOs declare optional fields but still use
`@ApiProperty`; update the decorators to `@ApiPropertyOptional` for
GroupPreferenceFilterDetailsDto.workflowIds,
GroupPreferenceFilterDetailsDto.tags,
CreateSubscriptionsRequestDto.subscriberIds, CreateSubscriptionsRequestDto.name,
and CreateSubscriptionsRequestDto.preferences so the OpenAPI spec reflects
optionality; locate those properties in create-subscriptions.dto and replace the
`@ApiProperty` imports/usages with `@ApiPropertyOptional` while keeping the existing
description/type/example/validation metadata unchanged.

apps/api/src/app/widgets/dtos/feeds-response.dto.ts (1)

48-53: Pre-existing reverse optionality mismatch.

NotificationFeedItemDto._messageTemplateId is marked as required in TypeScript (no ?) but uses @ApiPropertyOptional, which implies it's optional in the OpenAPI schema. If the field is truly required, it should use @ApiProperty.

Proposed fix (if field is required)

-  `@ApiPropertyOptional`({
+  `@ApiProperty`({
     description: 'Identifier for the message template used.',
     example: 'message_template_54321',
     type: String,
   })
   _messageTemplateId: string;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/app/widgets/dtos/feeds-response.dto.ts` around lines 48 - 53,
NotificationFeedItemDto._messageTemplateId is declared as required in TypeScript
but annotated with `@ApiPropertyOptional`; make the TypeScript and OpenAPI
annotations consistent by either changing `@ApiPropertyOptional` to `@ApiProperty`
on _messageTemplateId if the field is required, or by making the property
optional (add a ?) if it truly is optional; update the decorator on the
_messageTemplateId property accordingly to keep the TS type and the OpenAPI
metadata in sync.

libs/application-generic/src/dtos/step-filter-dto.ts (1)

117-124: Pre-existing optionality mismatch between decorators and TypeScript properties.

The isNegated and type properties are marked as optional in TypeScript (?) but use @ApiProperty which implies they are required in the OpenAPI schema. As per coding guidelines, these should use @ApiPropertyOptional instead.

This is a pre-existing issue, but since this file was touched, consider fixing it for consistency.

Proposed fix

 export class StepFilterDto {
-  `@ApiProperty`()
+  `@ApiPropertyOptional`()
   isNegated?: boolean;

-  `@ApiProperty`({
+  `@ApiPropertyOptional`({
     enum: ['BOOLEAN', 'TEXT', 'DATE', 'NUMBER', 'STATEMENT', 'LIST', 'MULTI_LIST', 'GROUP'],
     enumName: 'BuilderFieldTypeEnum',
   })
   type?: BuilderFieldType;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/application-generic/src/dtos/step-filter-dto.ts` around lines 117 - 124,
The OpenAPI decorators for the optional properties are incorrect: replace
`@ApiProperty` with `@ApiPropertyOptional` for the optional fields isNegated and
type so the generated schema matches the TypeScript optionality; update the
decorator on isNegated to `@ApiPropertyOptional`() and change the type property
decorator to `@ApiPropertyOptional`({ enum:
['BOOLEAN','TEXT','DATE','NUMBER','STATEMENT','LIST','MULTI_LIST','GROUP'],
enumName: 'BuilderFieldTypeEnum' }) while leaving the TypeScript definitions
(isNegated?: boolean and type?: BuilderFieldType) unchanged.

apps/api/src/app/auth/services/passport/apikey.strategy.ts (1)

31-44: Drop the no-op catch and align the early return with repo style.

The catch block just rethrows, so it doesn't change control flow. Line 36 also misses the repo-required blank line before return.

♻️ Proposed simplification

   async validate(apiKey: string): Promise<UserSessionData | false> {
-    try {
-      const user = await this.validateApiKey(apiKey);
+    const user = await this.validateApiKey(apiKey);

-      if (!user) {
-        return false;
-      }
+    if (!user) {
+
+      return false;
+    }

-      addNewRelicTraceAttributes(user);
+    addNewRelicTraceAttributes(user);

-      return user;
-    } catch (err) {
-      throw err;
-    }
+
+    return user;
   }

As per coding guidelines, "Include a blank line before every return statement."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/app/auth/services/passport/apikey.strategy.ts` around lines 31 -
44, Remove the no-op try/catch from the async validate method and follow repo
style by adding a blank line before each return; specifically, in the
validate(apiKey: string) method drop the surrounding try { ... } catch (err) {
throw err; }, call await this.validateApiKey(apiKey) and if (!user) add a blank
line then return false, call addNewRelicTraceAttributes(user), add a blank line
and then return user; use the validateApiKey and addNewRelicTraceAttributes
symbols to locate the code to update.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 287-299: The packageExtensions block is forcing NestJS 11
compatibility for third-party packages—specifically it formalizes existing
support for `@sentry/nestjs`@^8.0.0 but also forces nest-raven@10.1.0 (and earlier
nest-raven 9.2.0) to accept ^11.0.0 without official support; either upgrade
nest-raven to a release that officially lists ^11.0.0 in its peerDependencies or
remove the nest-raven@10.1.0 packageExtensions entry and instead add an inline
comment/documentation stating the compatibility risk, keeping the
`@sentry/nestjs`@^8.0.0 extension as-is if it truly supports NestJS 11. Ensure you
change the packageExtensions entry for nest-raven (or drop it) and document the
decision so future maintainers know why compatibility was forced or why upgrade
was required.

---

Nitpick comments:
In `@apps/api/src/app/auth/services/passport/apikey.strategy.ts`:
- Around line 31-44: Remove the no-op try/catch from the async validate method
and follow repo style by adding a blank line before each return; specifically,
in the validate(apiKey: string) method drop the surrounding try { ... } catch
(err) { throw err; }, call await this.validateApiKey(apiKey) and if (!user) add
a blank line then return false, call addNewRelicTraceAttributes(user), add a
blank line and then return user; use the validateApiKey and
addNewRelicTraceAttributes symbols to locate the code to update.

In `@apps/api/src/app/layouts-v2/dtos/generate-layout-preview-response.dto.ts`:
- Around line 33-49: The OpenAPI decorator for the result property declares
additionalProperties: true but the TypeScript type for result is a closed object
(type: ChannelTypeEnum.EMAIL; preview?: EmailLayoutRenderOutput), causing a
schema/type mismatch; fix by either removing additionalProperties from the
`@ApiProperty` options to make the OpenAPI schema closed, or broaden the TS type
to allow arbitrary props (e.g., add an index signature) so it matches the
decorator; if additionalProperties: true is required as a Swagger v11
workaround, add a brief inline comment next to the `@ApiProperty` explaining that
constraint and reference the result type, ChannelTypeEnum, and
EmailLayoutRenderOutput to make intent clear.

In
`@apps/api/src/app/shared/dtos/subscriptions/create-subscriptions-response.dto.ts`:
- Around line 140-146: The ApiProperty decorator on the optional property
identifier should be changed to ApiPropertyOptional to match its TypeScript
optionality and `@IsOptional`() usage; update the decorator on the identifier
field (in the CreateSubscriptionsResponseDto / SubscriptionResponseDto property
named identifier) and ensure ApiPropertyOptional is imported from
`@nestjs/swagger` instead of or in addition to ApiProperty.

In `@apps/api/src/app/shared/dtos/subscriptions/create-subscriptions.dto.ts`:
- Around line 72-90: The DTOs declare optional fields but still use
`@ApiProperty`; update the decorators to `@ApiPropertyOptional` for
GroupPreferenceFilterDetailsDto.workflowIds,
GroupPreferenceFilterDetailsDto.tags,
CreateSubscriptionsRequestDto.subscriberIds, CreateSubscriptionsRequestDto.name,
and CreateSubscriptionsRequestDto.preferences so the OpenAPI spec reflects
optionality; locate those properties in create-subscriptions.dto and replace the
`@ApiProperty` imports/usages with `@ApiPropertyOptional` while keeping the existing
description/type/example/validation metadata unchanged.

In `@apps/api/src/app/widgets/dtos/feeds-response.dto.ts`:
- Around line 48-53: NotificationFeedItemDto._messageTemplateId is declared as
required in TypeScript but annotated with `@ApiPropertyOptional`; make the
TypeScript and OpenAPI annotations consistent by either changing
`@ApiPropertyOptional` to `@ApiProperty` on _messageTemplateId if the field is
required, or by making the property optional (add a ?) if it truly is optional;
update the decorator on the _messageTemplateId property accordingly to keep the
TS type and the OpenAPI metadata in sync.

In `@libs/application-generic/src/dtos/step-filter-dto.ts`:
- Around line 117-124: The OpenAPI decorators for the optional properties are
incorrect: replace `@ApiProperty` with `@ApiPropertyOptional` for the optional
fields isNegated and type so the generated schema matches the TypeScript
optionality; update the decorator on isNegated to `@ApiPropertyOptional`() and
change the type property decorator to `@ApiPropertyOptional`({ enum:
['BOOLEAN','TEXT','DATE','NUMBER','STATEMENT','LIST','MULTI_LIST','GROUP'],
enumName: 'BuilderFieldTypeEnum' }) while leaving the TypeScript definitions
(isNegated?: boolean and type?: BuilderFieldType) unchanged.

In `@libs/application-generic/src/dtos/workflow/generate-preview-response.dto.ts`:
- Around line 126-136: Replace the inline anonymous type and inaccurate
ApiPropertyOptional additionalProperties setting for lookBackWindow with a
reference to the existing DTO: use `@ApiPropertyOptional`({ type:
LookBackWindowDto }) (and keep `@IsOptional`() and `@ValidateNested`()) and change
the property type to LookBackWindowDto; import LookBackWindowDto from
./controls/look-back-window.dto so the OpenAPI schema only allows the defined
amount and unit fields.
- Around line 257-321: The ApiProperty schema for the Preview result is overly
permissive: remove the top-level additionalProperties: true and delete (or
tighten) the generic oneOf variant that is just { type: 'object',
additionalProperties: true } so the OpenAPI oneOf matches the closed TypeScript
union; if this permissiveness is intentional for Swagger v11 compatibility,
replace the generic variant with a clear inline comment in
generate-preview-response.dto.ts next to the ApiProperty decorator explaining
the workaround and the reason for allowing extra properties so future
maintainers understand the intent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 79c4737b-fae0-44ad-a102-51250ea20c2c

📥 Commits

Reviewing files that changed from the base of the PR and between e72e534 and 84a1922.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (45)

• .source
• apps/api/package.json
• apps/api/scripts/generate-metadata.ts
• apps/api/src/app/auth/framework/community.user.auth.guard.ts
• apps/api/src/app/auth/services/passport/apikey.strategy.ts
• apps/api/src/app/contexts/dtos/create-context-request.dto.ts
• apps/api/src/app/contexts/dtos/update-context-request.dto.ts
• apps/api/src/app/events/dtos/trigger-event-request.dto.ts
• apps/api/src/app/events/dtos/trigger-event-to-all-request.dto.ts
• apps/api/src/app/layouts-v2/dtos/generate-layout-preview-response.dto.ts
• apps/api/src/app/notifications/dtos/activities-response.dto.ts
• apps/api/src/app/shared/dtos/subscriptions/create-subscriptions-response.dto.ts
• apps/api/src/app/shared/dtos/subscriptions/create-subscriptions.dto.ts
• apps/api/src/app/shared/framework/response.interceptor.ts
• apps/api/src/app/shared/framework/user.decorator.ts
• apps/api/src/app/subscribers-v2/dtos/get-subscriber-notifications-response.dto.ts
• apps/api/src/app/subscribers-v2/dtos/subscriber-notification-action.dto.ts
• apps/api/src/app/subscribers-v2/subscribers.controller.ts
• apps/api/src/app/subscribers/subscribersV1.controller.ts
• apps/api/src/app/widgets/dtos/feeds-response.dto.ts
• apps/api/src/app/widgets/widgets.controller.ts
• apps/api/src/bootstrap.ts
• apps/api/src/config/cors.config.ts
• apps/api/src/error-dto.ts
• apps/webhook/src/shared/framework/user.decorator.ts
• apps/worker/package.json
• apps/worker/src/app/shared/response.interceptor.ts
• apps/worker/src/bootstrap.ts
• apps/ws/package.json
• apps/ws/src/bootstrap.ts
• enterprise/packages/ai/package.json
• enterprise/packages/api/package.json
• enterprise/packages/auth/package.json
• enterprise/packages/billing/package.json
• enterprise/packages/shared-services/package.json
• enterprise/packages/translation/package.json
• libs/application-generic/package.json
• libs/application-generic/src/decorators/context-payload.decorator.ts
• libs/application-generic/src/decorators/user-session.decorator.ts
• libs/application-generic/src/dtos/step-filter-dto.ts
• libs/application-generic/src/dtos/workflow/generate-preview-response.dto.ts
• libs/application-generic/src/webhooks/dtos/webhook-payload.dto.ts
• libs/dal/package.json
• package.json
• packages/framework/package.json

💤 Files with no reviewable changes (2)

• apps/api/src/app/notifications/dtos/activities-response.dto.ts
• apps/api/src/app/events/dtos/trigger-event-to-all-request.dto.ts

[coderabbitai]

🧹 Nitpick comments (1)

apps/api/src/app/shared/framework/swagger/swagger.controller.ts (1)

28-129: Consider extracting the inline type to an interface.

The tag definition type is used inline. Per coding guidelines for backend TypeScript files, prefer interface for type definitions:

interface OpenApiTagDefinition {
  name: string;
  description: string;
  docUrl?: string;
}

const OPEN_API_TAG_DEFINITIONS: ReadonlyArray<OpenApiTagDefinition> = [
  // ...
];

This improves reusability and documentation if the type needs to be referenced elsewhere.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/api/src/app/shared/framework/swagger/swagger.controller.ts` around lines
28 - 129, Extract the inline object type into a named interface (e.g.,
OpenApiTagDefinition) and update the OPEN_API_TAG_DEFINITIONS declaration to use
ReadonlyArray<OpenApiTagDefinition>; specifically add an interface declaration
with fields name: string, description: string, docUrl?: string, then replace the
current inline type on OPEN_API_TAG_DEFINITIONS with the new interface to
improve reusability and clarity.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@apps/api/src/app/shared/framework/swagger/swagger.controller.ts`:
- Around line 28-129: Extract the inline object type into a named interface
(e.g., OpenApiTagDefinition) and update the OPEN_API_TAG_DEFINITIONS declaration
to use ReadonlyArray<OpenApiTagDefinition>; specifically add an interface
declaration with fields name: string, description: string, docUrl?: string, then
replace the current inline type on OPEN_API_TAG_DEFINITIONS with the new
interface to improve reusability and clarity.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f247aeac-b21c-4ac0-a2fb-5bec33a3c52d

📥 Commits

Reviewing files that changed from the base of the PR and between 84a1922 and ecd55aa.

📒 Files selected for processing (2)

• apps/api/src/app/environments-v1/dtos/create-environment-request.dto.ts
• apps/api/src/app/shared/framework/swagger/swagger.controller.ts

✅ Files skipped from review due to trivial changes (1)

• apps/api/src/app/environments-v1/dtos/create-environment-request.dto.ts

[coderabbitai]

🧹 Nitpick comments (1)

libs/application-generic/src/dtos/step-filter-dto.ts (1)

117-124: Pre-existing ApiProperty/ApiPropertyOptional misalignments.

While not introduced by this PR, these properties have misaligned decorators:

• isNegated?: boolean (line 118) and type?: BuilderFieldType (line 124) are optional (?) but use @ApiProperty instead of @ApiPropertyOptional
• webhookUrl: string (line 57) is required (no ?) but uses @ApiPropertyOptional instead of @ApiProperty

Consider addressing these in a follow-up to maintain OpenAPI schema accuracy.

Suggested fixes

 export class WebhookFilterPartDto extends BaseFieldFilterPart {
   `@ApiProperty`({
     enum: [FilterPartTypeEnum.WEBHOOK],
   })
   on: FilterPartTypeEnum.WEBHOOK;

-  `@ApiPropertyOptional`()
+  `@ApiProperty`()
   webhookUrl: string;
 }

 export class StepFilterDto {
-  `@ApiProperty`()
+  `@ApiPropertyOptional`()
   isNegated?: boolean;

-  `@ApiProperty`({
+  `@ApiPropertyOptional`({
     enum: ['BOOLEAN', 'TEXT', 'DATE', 'NUMBER', 'STATEMENT', 'LIST', 'MULTI_LIST', 'GROUP'],
     enumName: 'BuilderFieldTypeEnum',
   })
   type?: BuilderFieldType;

As per coding guidelines: "Align ApiProperty / ApiPropertyOptional decorators with TypeScript optional properties (?) in DTO files."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/application-generic/src/dtos/step-filter-dto.ts` around lines 117 - 124,
Update the OpenAPI decorators to match the TypeScript optionality: change the
decorator on isNegated (property name isNegated) and on type (property name type
of type BuilderFieldType) from `@ApiProperty` to `@ApiPropertyOptional` since both
are optional (marked with ?), and change the decorator on webhookUrl (property
name webhookUrl) from `@ApiPropertyOptional` to `@ApiProperty` because webhookUrl is
required (no ?); ensure only the decorator changes and no other type/behavior is
modified.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@libs/application-generic/src/dtos/step-filter-dto.ts`:
- Around line 117-124: Update the OpenAPI decorators to match the TypeScript
optionality: change the decorator on isNegated (property name isNegated) and on
type (property name type of type BuilderFieldType) from `@ApiProperty` to
`@ApiPropertyOptional` since both are optional (marked with ?), and change the
decorator on webhookUrl (property name webhookUrl) from `@ApiPropertyOptional` to
`@ApiProperty` because webhookUrl is required (no ?); ensure only the decorator
changes and no other type/behavior is modified.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: eff2fdbf-afe5-4872-b10d-a959fab2a5ef

📥 Commits

Reviewing files that changed from the base of the PR and between a5418bf and b9daaba.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (46)

• apps/api/package.json
• apps/api/scripts/generate-metadata.ts
• apps/api/src/app/auth/framework/community.user.auth.guard.ts
• apps/api/src/app/auth/services/passport/apikey.strategy.ts
• apps/api/src/app/contexts/dtos/create-context-request.dto.ts
• apps/api/src/app/contexts/dtos/update-context-request.dto.ts
• apps/api/src/app/environments-v1/dtos/create-environment-request.dto.ts
• apps/api/src/app/events/dtos/trigger-event-request.dto.ts
• apps/api/src/app/events/dtos/trigger-event-to-all-request.dto.ts
• apps/api/src/app/layouts-v2/dtos/generate-layout-preview-response.dto.ts
• apps/api/src/app/notifications/dtos/activities-response.dto.ts
• apps/api/src/app/shared/dtos/subscriptions/create-subscriptions-response.dto.ts
• apps/api/src/app/shared/dtos/subscriptions/create-subscriptions.dto.ts
• apps/api/src/app/shared/framework/response.interceptor.ts
• apps/api/src/app/shared/framework/swagger/swagger.controller.ts
• apps/api/src/app/shared/framework/user.decorator.ts
• apps/api/src/app/subscribers-v2/dtos/get-subscriber-notifications-response.dto.ts
• apps/api/src/app/subscribers-v2/dtos/subscriber-notification-action.dto.ts
• apps/api/src/app/subscribers-v2/subscribers.controller.ts
• apps/api/src/app/subscribers/subscribersV1.controller.ts
• apps/api/src/app/widgets/dtos/feeds-response.dto.ts
• apps/api/src/app/widgets/widgets.controller.ts
• apps/api/src/bootstrap.ts
• apps/api/src/config/cors.config.ts
• apps/api/src/error-dto.ts
• apps/webhook/src/shared/framework/user.decorator.ts
• apps/worker/package.json
• apps/worker/src/app/shared/response.interceptor.ts
• apps/worker/src/bootstrap.ts
• apps/ws/package.json
• apps/ws/src/bootstrap.ts
• enterprise/packages/ai/package.json
• enterprise/packages/api/package.json
• enterprise/packages/auth/package.json
• enterprise/packages/billing/package.json
• enterprise/packages/shared-services/package.json
• enterprise/packages/translation/package.json
• libs/application-generic/package.json
• libs/application-generic/src/decorators/context-payload.decorator.ts
• libs/application-generic/src/decorators/user-session.decorator.ts
• libs/application-generic/src/dtos/step-filter-dto.ts
• libs/application-generic/src/dtos/workflow/generate-preview-response.dto.ts
• libs/application-generic/src/webhooks/dtos/webhook-payload.dto.ts
• libs/dal/package.json
• package.json
• packages/framework/package.json

💤 Files with no reviewable changes (2)

• apps/api/src/app/notifications/dtos/activities-response.dto.ts
• apps/api/src/app/events/dtos/trigger-event-to-all-request.dto.ts

✅ Files skipped from review due to trivial changes (28)

• apps/api/scripts/generate-metadata.ts
• apps/worker/src/app/shared/response.interceptor.ts
• apps/api/src/bootstrap.ts
• apps/api/src/app/subscribers-v2/subscribers.controller.ts
• apps/api/src/app/widgets/widgets.controller.ts
• apps/api/src/app/environments-v1/dtos/create-environment-request.dto.ts
• libs/dal/package.json
• apps/webhook/src/shared/framework/user.decorator.ts
• apps/api/src/app/shared/framework/response.interceptor.ts
• apps/api/src/app/contexts/dtos/create-context-request.dto.ts
• apps/api/src/app/shared/dtos/subscriptions/create-subscriptions-response.dto.ts
• apps/api/src/app/shared/framework/user.decorator.ts
• apps/api/src/config/cors.config.ts
• apps/api/src/app/events/dtos/trigger-event-request.dto.ts
• packages/framework/package.json
• apps/api/src/app/subscribers-v2/dtos/get-subscriber-notifications-response.dto.ts
• libs/application-generic/src/decorators/context-payload.decorator.ts
• enterprise/packages/api/package.json
• apps/api/src/app/subscribers-v2/dtos/subscriber-notification-action.dto.ts
• enterprise/packages/auth/package.json
• apps/api/src/app/widgets/dtos/feeds-response.dto.ts
• apps/api/src/app/shared/framework/swagger/swagger.controller.ts
• enterprise/packages/translation/package.json
• apps/worker/package.json
• apps/api/package.json
• enterprise/packages/billing/package.json
• libs/application-generic/package.json
• enterprise/packages/ai/package.json

🚧 Files skipped from review as they are similar to previous changes (12)

• apps/api/src/app/layouts-v2/dtos/generate-layout-preview-response.dto.ts
• apps/api/src/app/contexts/dtos/update-context-request.dto.ts
• libs/application-generic/src/decorators/user-session.decorator.ts
• libs/application-generic/src/webhooks/dtos/webhook-payload.dto.ts
• apps/api/src/app/auth/framework/community.user.auth.guard.ts
• apps/api/src/app/subscribers/subscribersV1.controller.ts
• apps/api/src/app/shared/dtos/subscriptions/create-subscriptions.dto.ts
• libs/application-generic/src/dtos/workflow/generate-preview-response.dto.ts
• apps/api/src/error-dto.ts
• apps/worker/src/bootstrap.ts
• apps/api/src/app/auth/services/passport/apikey.strategy.ts
• package.json