feat: add notifications to relayer

[JoE11-y]

Adds a notification pipeline (persisted + pushed over WebSocket) for the
trade lifecycle. Three events are wired up:

• New order on ad → ad creator, fired when a bridger creates a trade.
• Order is locked — claim now → bridger, fired when the ad creator's
  lock tx is confirmed and the trade transitions to LOCKED.
• Bridger claimed → ad creator, fired when the bridger's
  unlock tx is confirmed.

Summary by CodeRabbit

• New Features

  • Added real-time notifications system for trade events (trade created, locked, and claimed).
  • Users can now view notifications, mark them as read individually or all at once, and check unread counts.
  • Implemented real-time notification delivery via WebSocket.

• Refactor

  • Cleaned up unused code in the orders interface.

[coderabbitai]

Warning

Rate limit exceeded

@JoE11-y has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 25 minutes and 35 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 25 minutes and 35 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d785bc2a-4c45-435a-a993-721c9c4e7b02

📥 Commits

Reviewing files that changed from the base of the PR and between b97471e and 9f23963.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• apps/backend-relayer/src/modules/notifications/notification.service.spec.ts
• apps/backend-relayer/src/modules/notifications/notification.service.ts
• apps/backend-relayer/src/modules/trades/trade.service.ts

📝 Walkthrough

Walkthrough

This PR implements a real-time notification system for the backend-relayer application. It adds WebSocket support via Socket.IO, introduces a new Notification database model with corresponding Prisma schema, creates a complete notification module with API endpoints and a WebSocket gateway, and integrates notifications into the trades workflow to emit notifications when trades are created, locked, or claimed.

Changes

Cohort / File(s)	Summary
Dependencies & Setup apps/backend-relayer/package.json, apps/backend-relayer/src/app.module.ts, apps/backend-relayer/src/modules/notifications/notification.module.ts	Added @nestjs/platform-socket.io, @nestjs/websockets, and socket.io dependencies to enable WebSocket support. Updated AppModule to import NotificationModule. Created NotificationModule with JWT, controller, service, and gateway providers.
Database Schema apps/backend-relayer/prisma/migrations/20260418000000_add_notifications/migration.sql, apps/backend-relayer/prisma/schema.prisma	Created NotificationType enum (TRADE_CREATED, TRADE_LOCKED, BRIDGER_CLAIMED), added Notification table with foreign key to User, and indexed on (userId, read, createdAt) and tradeId for efficient queries. Updated User model to include notifications relation.
Notification Service & DTOs apps/backend-relayer/src/modules/notifications/notification.service.ts, apps/backend-relayer/src/modules/notifications/notification.dto.ts, apps/backend-relayer/src/modules/notifications/notification.service.spec.ts	Implemented NotificationService with methods to create, list (with cursor-based pagination), mark read, and count unread notifications. Added ListNotificationsDto for query validation. Included comprehensive Jest unit tests covering all service methods with mocked Prisma calls.
Notification API & WebSocket apps/backend-relayer/src/modules/notifications/notification.controller.ts, apps/backend-relayer/src/modules/notifications/notification.gateway.ts	Created NotificationController with endpoints for listing notifications, getting unread count, marking individual/all notifications as read. Implemented NotificationGateway with Socket.IO connection handling, JWT verification from handshake auth or Bearer token, per-user room joining, and pushToUser method for server-side notification emission.
Trades Integration apps/backend-relayer/src/modules/trades/trade.module.ts, apps/backend-relayer/src/modules/trades/trade.service.ts	Updated TradesModule to import NotificationModule. Enhanced TradesService to inject NotificationService and emit notifications: TRADE_CREATED when trade is created, TRADE_LOCKED when trade status becomes locked, and BRIDGER_CLAIMED when unlocking occurs (for ad creator).
End-to-End Tests apps/backend-relayer/test/e2e/notifications.e2e-spec.ts	Added comprehensive E2E test suite covering notification creation on trade events, authorization checks, unread count, marking notifications as read individually and in bulk.
Frontend Cleanup apps/frontend/components/orders/OrdersTable.tsx	Removed unused isBridger computation and renamed unused value parameter to _value in Route column renderer.

Sequence Diagram(s)

sequenceDiagram
    participant Client as WebSocket Client
    participant Gateway as NotificationGateway
    participant JwtService as JwtService
    participant PrismaDB as Prisma/Database
    participant Service as NotificationService
    participant Server as Server/TradesService

    Client->>Gateway: connect (with auth token or Bearer header)
    Gateway->>JwtService: verifyAsync(token, secret)
    JwtService-->>Gateway: JWT payload with sub (userId)
    Gateway->>Gateway: Store userId on client.data
    Gateway->>Gateway: socket.join(`user:<userId>`)
    Gateway-->>Client: connection established

    Server->>Service: create(userId, type, title, body, payload)
    Service->>PrismaDB: notification.create(...)
    PrismaDB-->>Service: Notification record
    Service->>Gateway: pushToUser(userId, notification)
    Gateway->>Gateway: io.to(`user:<userId>`).emit('notification', ...)
    Gateway-->>Client: 'notification' event received

    Client->>Gateway: disconnect
    Gateway->>Gateway: Log userId removal

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Impl Stellar UI integrations #115: Modifies apps/backend-relayer/src/modules/trades/trade.service.ts with changes to trade logic for Stellar support, overlapping with this PR's trade integration changes.
• Stellar integrations #121: Updates TradesService to depend on UserService and changes trade logic, directly intersecting with this PR's NotificationService integration into TradesModule.
• Feat: fix trade lifecyle ui flow #125: Modifies the same trade.service.ts file with changes to confirmUnlockChainAction and unlock flows, which this PR also modifies for notification emission.

Poem

🐰 Hop, hop! Real-time bells now ring,
WebSockets weave a threading wing!
Notifications bloom in every trade,
Socket.IO rooms, a grand parade! 🔔✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'feat: add notifications to relayer' directly describes the main feature being added and is consistent with the changeset, which adds a complete notification system (database schema, service, controller, WebSocket gateway, and E2E tests).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch stellar-integrations

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/backend-relayer/package.json (1)

23-67: ⚠️ Potential issue | 🔴 Critical

Update pnpm-lock.yaml to match the new dependencies.

CI is failing with ERR_PNPM_OUTDATED_LOCKFILE: the lockfile does not include socket.io and has a stale specifier for @nestjs/platform-socket.io. Run pnpm install locally and commit the updated pnpm-lock.yaml.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/backend-relayer/package.json` around lines 23 - 67, The lockfile is out
of date relative to the dependency changes (missing socket.io and stale
specifier for `@nestjs/platform-socket.io`); run pnpm install in the repo root to
regenerate pnpm-lock.yaml so it includes the new socket.io entry and the updated
`@nestjs/platform-socket.io` specifier, then commit the updated pnpm-lock.yaml
alongside the package.json change.

🧹 Nitpick comments (6)

apps/backend-relayer/package.json (1)

56-56: Consider moving prisma to devDependencies.

The prisma CLI is typically a dev-only tool; keeping it in dependencies bloats production installs. Only keep it here if prisma migrate deploy must run from the production image at runtime (in which case this is fine as-is).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/backend-relayer/package.json` at line 56, The prisma CLI is declared
under dependencies as "prisma": "6.16.1" which should be a dev-only tool; remove
the "prisma": "6.16.1" entry from the dependencies block in package.json and add
the same entry under devDependencies instead, then reinstall (npm/yarn) so the
lockfile updates; only leave it in dependencies if you intentionally need prisma
at runtime (e.g., running prisma migrate deploy in production) — check
package.json scripts for any runtime usage before moving.

apps/backend-relayer/src/modules/notifications/dto/notification.dto.ts (1)

25-28: Minor: cursor type narrower than service contract.

NotificationService.list accepts cursor?: string | null, but this DTO types it as string. Not a bug (controller passes cursor ?? null), just a small contract inconsistency worth aligning.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/backend-relayer/src/modules/notifications/dto/notification.dto.ts`
around lines 25 - 28, The DTO's cursor property is typed as string while
NotificationService.list accepts string | null; update the DTO so the cursor
property type matches the service contract (make it string | null) and mark it
nullable in the OpenAPI metadata (e.g., set ApiPropertyOptional to indicate
nullable) so the API contract aligns with NotificationService.list; locate and
update the cursor property in the notification DTO and ensure any
callers/controllers continue to pass cursor ?? null where used.

apps/backend-relayer/prisma/schema.prisma (1)

353-367: No foreign key between Notification.tradeId and Trade.

tradeId is stored as a free-form nullable string with only an index — there is no relation/FK to Trade. This lets notifications outlive deleted trades (likely intentional), but it also means nothing prevents stale/invalid IDs. If preservation after Trade deletion is the goal, consider an explicit relation with onDelete: SetNull; if not, wire a proper relation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/backend-relayer/prisma/schema.prisma` around lines 353 - 367, The
Notification model currently stores tradeId as a free-form nullable String
without a relation to Trade; decide whether notifications should keep tradeId
after a Trade is deleted and implement the corresponding FK: if you want to
preserve notifications but null out the link, change tradeId to a relation to
the Trade model (referencing Trade.id) and set onDelete: SetNull on the
relation; if you want full cascade/remove behavior, add the relation with
onDelete: Cascade instead. Update the Notification model's fields (tradeId and
the relation definition) and adjust @@index usage accordingly to reflect the new
relation.

apps/backend-relayer/src/modules/notifications/notification.module.ts (1)

12-18: Redundant JwtService provider.

JwtModule.register({}) already exports JwtService; listing JwtService again in providers creates a second, module-scoped instance that may shadow the one from JwtModule. Consider removing it unless intentional.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/backend-relayer/src/modules/notifications/notification.module.ts` around
lines 12 - 18, The providers array in the NotificationModule registers
JwtService redundantly which creates a second module-scoped instance and can
shadow the JwtService exported by JwtModule.register({}); remove JwtService from
the providers list in notification.module.ts and rely on the JwtService exported
by JwtModule (ensure JwtModule.register({...}) is present in the module imports)
so NotificationService, NotificationGateway (and UserJwtGuard) inject the
correct shared JwtService instance.

apps/backend-relayer/src/modules/notifications/notification.service.spec.ts (1)

49-64: Optional: assert the shape passed to prisma.notification.create.

The test verifies call count and gateway push, but not that the data payload mapped from the input is what gets persisted (e.g., userId, type, tradeId, title, body land in data). A toHaveBeenCalledWith(...) assertion would catch regressions in that mapping.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/backend-relayer/src/modules/notifications/notification.service.spec.ts`
around lines 49 - 64, Add an assertion to the test that verifies the exact
payload passed into prisma.notification.create so the input-to-DB mapping is
covered: after calling service.create in the test, assert
prisma.notification.create was called with an object whose data contains the
fields userId, type, tradeId, title, and body mapped from the create input (use
makeRow() as the expected created value or match object shape), referencing
prisma.notification.create and service.create to locate the call; keep the
existing assertions for call count and gateway.pushToUser.

apps/backend-relayer/test/e2e/notifications.e2e-spec.ts (1)

69-96: Add coverage for the real-time notification push.

This verifies persistence through REST, but not the Socket.IO delivery path added by the PR. Add one test that connects as the ad creator to /notifications and asserts a notification event is received when the bridger creates the trade.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/backend-relayer/test/e2e/notifications.e2e-spec.ts` around lines 69 -
96, Add a Socket.IO-based assertion: before posting to '/v1/trades/create' in
the test that uses seedAdWithLoggedInCreator(), open a socket.io-client
connection to the server namespace/path '/notifications' using
app.getHttpServer() and the creator's access token (pass token via auth or query
as used by your server), register a one-time listener for the 'notification'
event, then trigger the POST to '/v1/trades/create' and await the socket event;
assert the received payload has type 'TRADE_CREATED', tradeId matching the
created trade (or non-null) and read === false, and finally disconnect the
socket to clean up. Use the existing helper names (seedAdWithLoggedInCreator,
app.getHttpServer()) and the same endpoints ('/v1/trades/create',
'/notifications') so the test covers the real-time delivery path.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/backend-relayer/src/modules/notifications/notification.service.ts`:
- Around line 86-92: The markRead method is currently filtering updates with
read: false which makes repeated requests return null; change the updateMany
call in markRead to remove the read: false predicate so the where becomes { id,
userId } (keep ownership check) and still call
this.prisma.notification.findUnique({ where: { id } }) afterwards; keep the
existing logic that returns null when updateMany().count === 0 so only non-owned
notifications still yield null.
- Around line 60-77: The pagination is non-deterministic because orderBy uses
only createdAt; update the notification listing in the list method
(prisma.notification.findMany call in notification.service.ts) to include id as
a tiebreaker by changing orderBy from { createdAt: 'desc' } to an array like [{
createdAt: 'desc' }, { id: 'desc' }], keep the existing cursor behavior (cursor:
{ id: query.cursor }, skip: 1) and keep nextCursor as the last item's id so
pages remain deterministic when timestamps collide.
- Around line 105-115: The userIdForAddress function currently calls
normalizeChainAddress(address) without chain context, causing Stellar addresses
to be mis-normalized and missed; update async userIdForAddress(address: string,
chainKind?: ChainKind) to pass chainKind into normalizeChainAddress and include
chainKind in the Prisma lookup (where: { address: normalized, chainKind }) so
the query matches the unique [address, chainKind] constraint; then update call
sites that have route info to supply the chain kind: for TRADE_CREATED pass
ad.route.adToken.chain.kind, for BRIDGER_CLAIMED pass the trade route's chain
kind, and for TRADE_LOCKED load the route data and pass its chain kind when
calling userIdForAddress.

In `@apps/backend-relayer/src/modules/trades/trade.service.ts`:
- Around line 515-529: The recipient lookup (notifications.userIdForAddress)
runs outside the non-throwing notification path so if it throws the endpoint can
return 500 after the trade is committed; create a small non-throwing helper
(e.g. notifyUserSafely or safeNotifyForAddress) that calls
notifications.userIdForAddress inside a try/catch and, if a userId is resolved,
calls notifications.safeCreate, swallowing/logging lookup errors but not
rethrowing; replace the direct await notifications.userIdForAddress(...) +
notifications.safeCreate(...) sequences in the shown block and the similar
blocks at the other occurrences (around lines 1229-1239 and 1396-1406) with
calls to this helper so all notification lookup+create is protected from
throwing.
- Around line 1395-1406: The branch sending a "your turn" notification to the ad
creator when !isAdCreator should be guarded by whether the ad creator had
already claimed; modify the logic around notifications.userIdForAddress /
notifications.safeCreate to first check the trade's previous claim state (e.g.
authorizationLog.trade.adCreatorClaimed or similar flag on
authorizationLog.trade) and only call safeCreate with type 'BRIDGER_CLAIMED'
when that flag indicates the ad creator has not already claimed; update the
condition around isAdCreator to include this guard so you don't send an
actionable "your turn" after the creator already claimed.

---

Outside diff comments:
In `@apps/backend-relayer/package.json`:
- Around line 23-67: The lockfile is out of date relative to the dependency
changes (missing socket.io and stale specifier for `@nestjs/platform-socket.io`);
run pnpm install in the repo root to regenerate pnpm-lock.yaml so it includes
the new socket.io entry and the updated `@nestjs/platform-socket.io` specifier,
then commit the updated pnpm-lock.yaml alongside the package.json change.

---

Nitpick comments:
In `@apps/backend-relayer/package.json`:
- Line 56: The prisma CLI is declared under dependencies as "prisma": "6.16.1"
which should be a dev-only tool; remove the "prisma": "6.16.1" entry from the
dependencies block in package.json and add the same entry under devDependencies
instead, then reinstall (npm/yarn) so the lockfile updates; only leave it in
dependencies if you intentionally need prisma at runtime (e.g., running prisma
migrate deploy in production) — check package.json scripts for any runtime usage
before moving.

In `@apps/backend-relayer/prisma/schema.prisma`:
- Around line 353-367: The Notification model currently stores tradeId as a
free-form nullable String without a relation to Trade; decide whether
notifications should keep tradeId after a Trade is deleted and implement the
corresponding FK: if you want to preserve notifications but null out the link,
change tradeId to a relation to the Trade model (referencing Trade.id) and set
onDelete: SetNull on the relation; if you want full cascade/remove behavior, add
the relation with onDelete: Cascade instead. Update the Notification model's
fields (tradeId and the relation definition) and adjust @@index usage
accordingly to reflect the new relation.

In `@apps/backend-relayer/src/modules/notifications/dto/notification.dto.ts`:
- Around line 25-28: The DTO's cursor property is typed as string while
NotificationService.list accepts string | null; update the DTO so the cursor
property type matches the service contract (make it string | null) and mark it
nullable in the OpenAPI metadata (e.g., set ApiPropertyOptional to indicate
nullable) so the API contract aligns with NotificationService.list; locate and
update the cursor property in the notification DTO and ensure any
callers/controllers continue to pass cursor ?? null where used.

In `@apps/backend-relayer/src/modules/notifications/notification.module.ts`:
- Around line 12-18: The providers array in the NotificationModule registers
JwtService redundantly which creates a second module-scoped instance and can
shadow the JwtService exported by JwtModule.register({}); remove JwtService from
the providers list in notification.module.ts and rely on the JwtService exported
by JwtModule (ensure JwtModule.register({...}) is present in the module imports)
so NotificationService, NotificationGateway (and UserJwtGuard) inject the
correct shared JwtService instance.

In `@apps/backend-relayer/src/modules/notifications/notification.service.spec.ts`:
- Around line 49-64: Add an assertion to the test that verifies the exact
payload passed into prisma.notification.create so the input-to-DB mapping is
covered: after calling service.create in the test, assert
prisma.notification.create was called with an object whose data contains the
fields userId, type, tradeId, title, and body mapped from the create input (use
makeRow() as the expected created value or match object shape), referencing
prisma.notification.create and service.create to locate the call; keep the
existing assertions for call count and gateway.pushToUser.

In `@apps/backend-relayer/test/e2e/notifications.e2e-spec.ts`:
- Around line 69-96: Add a Socket.IO-based assertion: before posting to
'/v1/trades/create' in the test that uses seedAdWithLoggedInCreator(), open a
socket.io-client connection to the server namespace/path '/notifications' using
app.getHttpServer() and the creator's access token (pass token via auth or query
as used by your server), register a one-time listener for the 'notification'
event, then trigger the POST to '/v1/trades/create' and await the socket event;
assert the received payload has type 'TRADE_CREATED', tradeId matching the
created trade (or non-null) and read === false, and finally disconnect the
socket to clean up. Use the existing helper names (seedAdWithLoggedInCreator,
app.getHttpServer()) and the same endpoints ('/v1/trades/create',
'/notifications') so the test covers the real-time delivery path.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fc589bbd-45d9-4b10-b01c-2c4b44b219a9

📥 Commits

Reviewing files that changed from the base of the PR and between 1df8e7c and b97471e.

📒 Files selected for processing (14)

• apps/backend-relayer/package.json
• apps/backend-relayer/prisma/migrations/20260418000000_add_notifications/migration.sql
• apps/backend-relayer/prisma/schema.prisma
• apps/backend-relayer/src/app.module.ts
• apps/backend-relayer/src/modules/notifications/dto/notification.dto.ts
• apps/backend-relayer/src/modules/notifications/notification.controller.ts
• apps/backend-relayer/src/modules/notifications/notification.gateway.ts
• apps/backend-relayer/src/modules/notifications/notification.module.ts
• apps/backend-relayer/src/modules/notifications/notification.service.spec.ts
• apps/backend-relayer/src/modules/notifications/notification.service.ts
• apps/backend-relayer/src/modules/trades/trade.module.ts
• apps/backend-relayer/src/modules/trades/trade.service.ts
• apps/backend-relayer/test/e2e/notifications.e2e-spec.ts
• apps/frontend/components/orders/OrdersTable.tsx