chore: radiooptionblockcreate modern

[mikeallisonJS]

Summary by CodeRabbit

• New Features

  • Added support for creating and updating radio option blocks in journeys
  • Added support for creating and updating icon and image blocks in journeys

• Refactor

  • Modernized API infrastructure for improved backend routing and performance

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 1ad665df-992b-472e-aa81-6b21abdd4646

📥 Commits

Reviewing files that changed from the base of the PR and between dd292d6 and 5ad1314.

📒 Files selected for processing (1)

• apis/api-gateway/schema.graphql

🚧 Files skipped from review as they are similar to previous changes (1)

• apis/api-gateway/schema.graphql

---

Walkthrough

This pull request routes the radioOptionBlockCreate mutation from the API Gateway to the API Journeys Modern service, adding a new GraphQL mutation field that creates a RadioOptionBlock with authentication, authorization, and transaction-based persistence logic, along with comprehensive test coverage.

Changes

Cohort / File(s)	Summary
GraphQL Schema Routing apis/api-gateway/schema.graphql	Updated Mutation.radioOptionBlockCreate field routing from API_JOURNEYS to API_JOURNEYS_MODERN with override: "api-journeys" directive.
GraphQL Schema Implementation apis/api-journeys-modern/schema.graphql	Added four new mutation fields: iconBlockUpdate, imageBlockCreate, imageBlockUpdate, and radioOptionBlockCreate, each with @override(from: "api-journeys") federation directive.
Mutation Resolver Implementation apis/api-journeys-modern/src/schema/block/radioOption/radioOptionBlockCreate.mutation.ts	New mutation resolver that creates a RadioOptionBlock with authentication checks, authorization via ACL, parent block validation, Prisma transaction handling, and journey timestamp updates.
Module Registration apis/api-journeys-modern/src/schema/block/radioOption/index.ts	Added import for radioOptionBlockCreate.mutation to register the new mutation field.
Test Suite apis/api-journeys-modern/src/schema/block/radioOption/radioOptionBlockCreate.mutation.spec.ts	Added 176-line Jest test suite covering authorized block creation with relational connections, authorization failure scenarios, and optional field handling.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Gateway as API Gateway
    participant Modern as API Journeys<br/>Modern
    participant Auth as Authorization<br/>Service
    participant DB as Database<br/>(Prisma)
    
    Client->>Gateway: radioOptionBlockCreate(input)
    Gateway->>Modern: Route to API_JOURNEYS_MODERN
    Modern->>Auth: Authenticate user
    Auth-->>Modern: User authenticated
    Modern->>Auth: authorizeBlockCreate(journeyId)
    Auth-->>Modern: Permission granted
    Modern->>DB: prisma.$transaction()
    DB->>DB: Create RadioOptionBlock record
    DB->>DB: Connect to journey & parentBlock
    DB->>DB: Calculate parentOrder
    DB->>DB: Update journey.updatedAt
    DB-->>Modern: Block created
    Modern-->>Gateway: RadioOptionBlock
    Gateway-->>Client: radioOptionBlockCreate response

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: radiooptionblockcreate modern' is directly related to the main change: migrating the radioOptionBlockCreate mutation to the modern API journeys schema, with updated routing annotations and new resolver implementation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 26-00-MA-chore-radiooptionblockcreate-modern

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 5ad1314

Command	Status	Duration	Result
nx run journeys-admin-e2e:e2e	✅ Succeeded	1m 46s	View ↗
nx run journeys-e2e:e2e	✅ Succeeded	21s	View ↗
nx run watch-e2e:e2e	✅ Succeeded	22s	View ↗
nx run resources-e2e:e2e	✅ Succeeded	19s	View ↗
nx run videos-admin-e2e:e2e	✅ Succeeded	4s	View ↗
nx run short-links-e2e:e2e	✅ Succeeded	3s	View ↗
nx run player-e2e:e2e	✅ Succeeded	3s	View ↗
nx run-many --target=vercel-alias --projects=watch	✅ Succeeded	2s	View ↗
Additional runs (20)	✅ Succeeded	...	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-09 21:47:54 UTC

[github-actions]

The latest updates on your projects.

Name	Status	Preview	Updated (UTC)
player	✅ Ready	player preview	Fri Apr 10 09:42:17 NZST 2026

[github-actions]

The latest updates on your projects.

Name	Status	Preview	Updated (UTC)
journeys	✅ Ready	journeys preview	Fri Apr 10 09:42:12 NZST 2026

[github-actions]

The latest updates on your projects.

Name	Status	Preview	Updated (UTC)
short-links	✅ Ready	short-links preview	Fri Apr 10 09:42:05 NZST 2026

[github-actions]

The latest updates on your projects.

Name	Status	Preview	Updated (UTC)
videos-admin	✅ Ready	videos-admin preview	Fri Apr 10 09:42:22 NZST 2026

[github-actions]

The latest updates on your projects.

Name	Status	Preview	Updated (UTC)
watch	✅ Ready	watch preview	Fri Apr 10 09:42:40 NZST 2026

[github-actions]

The latest updates on your projects.

Name	Status	Preview	Updated (UTC)
journeys-admin	✅ Ready	journeys-admin preview	Fri Apr 10 09:42:37 NZST 2026

[github-actions]

The latest updates on your projects.

Name	Status	Preview	Updated (UTC)
resources	✅ Ready	resources preview	Fri Apr 10 09:42:32 NZST 2026

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (2)

apis/api-journeys-modern/src/schema/block/icon/iconBlockUpdate.mutation.spec.ts (2)

119-143: Strengthen unauthorized-path test by asserting no DB transaction/write.

Add an explicit expect(prismaMock.$transaction).not.toHaveBeenCalled() assertion to guarantee denied requests never reach mutation writes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@apis/api-journeys-modern/src/schema/block/icon/iconBlockUpdate.mutation.spec.ts`
around lines 119 - 143, In the 'returns FORBIDDEN when unauthorized' test (where
fetchBlockWithJourneyAcl is mocked, mockAbility returns false and authClient
runs ICON_BLOCK_UPDATE), add an assertion to ensure no DB writes occur by
asserting prismaMock.$transaction was not called
(expect(prismaMock.$transaction).not.toHaveBeenCalled()); this confirms denied
requests do not trigger any mutation/transaction.

---

74-74: Replace any transaction callback types with explicit callback types.

Using any here drops useful type checks and conflicts with the TS guideline.

♻️ Typed alternative

-    prismaMock.$transaction.mockImplementation(async (cb: any) => await cb(tx))
+    prismaMock.$transaction.mockImplementation(
+      async (cb: (transaction: typeof tx) => Promise<unknown>) => await cb(tx)
+    )
...
-    prismaMock.$transaction.mockImplementation(async (cb: any) => await cb(tx))
+    prismaMock.$transaction.mockImplementation(
+      async (cb: (transaction: typeof tx) => Promise<unknown>) => await cb(tx)
+    )

As per coding guidelines: **/*.{ts,tsx}: Define a type if possible.

Also applies to: 169-169

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@apis/api-journeys-modern/src/schema/block/icon/iconBlockUpdate.mutation.spec.ts`
at line 74, The mock uses a loose any for the transaction callback
(prismaMock.$transaction.mockImplementation(async (cb: any) => await cb(tx)))
which loses type-safety; replace the any with an explicit callback type matching
Prisma's $transaction signature (use the appropriate
PrismaClient/TransactionClient callback type and a generic return type) for the
parameter named cb and ensure tx is typed accordingly; update both occurrences
(the mockImplementation around prismaMock.$transaction and the second instance
at the other noted location) so the mock's callback parameter and tx variable
have explicit Prisma types instead of any.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.cursor/skills/create-api-journeys-override/SKILL.md:
- Around line 314-319: Update the test command in the "Regenerate schema and
test" step so contributors run api-journeys-modern tests with the sequential
flag: change the nx test invocation for API Journey Modern (the line with nx
test api-journeys-modern --testPathPattern="<fieldName>") to include the
--runInBand flag so tests execute without parallelization.

In
`@apis/api-journeys-modern/src/schema/block/image/imageBlockCreate.mutation.ts`:
- Around line 53-80: The mutation creates an ImageBlock but only calls
setJourneyUpdatedAt so Journey.customizable can remain stale; after the
tx.block.create (and after any cover-replacement logic) await the journey
customizable recalculation function (e.g., await
recalculateJourneyCustomizable(tx, input.journeyId)) to recompute and persist
Journey.customizable, and import/use the existing recalculation helper (name it
consistently, e.g., recalculateJourneyCustomizable) alongside
setJourneyUpdatedAt so every create/cover-replacement path updates customizable
immediately.
- Around line 27-30: Move the authorization check to run before any input
transformation: call authorizeBlockCreate(args.input.journeyId, context.user)
prior to invoking transformInput({ ...args.input }) so that authorizeBlockCreate
executes before transformInput and prevents anonymous/unauthorized callers from
triggering metadata/blurhash work; use the existing authorizeBlockCreate,
transformInput, args.input and context.user symbols to locate and reorder the
calls.
- Around line 31-42: The create mutation must validate input.parentBlockId
against the target journey before entering prisma.$transaction: call
validateParentBlock(journeyId, input.parentBlockId) (or similar existing helper)
outside the transaction and ensure that validateParentBlock queries include
deletedAt: null so it cannot return a deleted or cross-journey block; remove the
reliance on tx.block.findUnique alone (in the isCover branch) and use the
validated parentBlock result (or re-query inside the transaction only after
validation) to enforce the parent belongs to the same journey.

In `@apis/api-journeys-modern/src/schema/block/image/transformInput.ts`:
- Around line 44-50: The catch block in transformInput.ts currently only handles
instances of Error and silently swallows other throwables, leading to a
partially defaulted payload; update the catch in the function that processes
image input (the catch surrounding the image processing logic in transformInput)
to either rethrow non-Error exceptions or convert them into a GraphQLError with
the original value serialized (e.g., JSON.stringify or String(ex)) included in
extensions or the message; specifically ensure that if ex is not an instance of
Error you do not fall through — throw ex (or throw new GraphQLError(String(ex),
{ extensions: { code: 'BAD_USER_INPUT', original: ex } })) so all failures are
surfaced.
- Around line 31-33: The code in transformInput.ts calls fetch(input.src)
directly (see the fetch(input.src) / response / buffer sequence), allowing SSRF;
before fetching validate and restrict the URL: parse input.src with URL, reject
non-http(s) schemes, forbid loopback/localhost and private/CIDR ranges by
resolving the hostname to IP(s) and checking against RFC1918/loopback/mapped
ranges, or apply a strict hostname allowlist; only proceed to call fetch when
the URL passes these checks and throw a validation error otherwise. Ensure this
validation is performed early in the transformInput flow so response = await
fetch(input.src) is only reached for safe, approved destinations.

---

Nitpick comments:
In
`@apis/api-journeys-modern/src/schema/block/icon/iconBlockUpdate.mutation.spec.ts`:
- Around line 119-143: In the 'returns FORBIDDEN when unauthorized' test (where
fetchBlockWithJourneyAcl is mocked, mockAbility returns false and authClient
runs ICON_BLOCK_UPDATE), add an assertion to ensure no DB writes occur by
asserting prismaMock.$transaction was not called
(expect(prismaMock.$transaction).not.toHaveBeenCalled()); this confirms denied
requests do not trigger any mutation/transaction.
- Line 74: The mock uses a loose any for the transaction callback
(prismaMock.$transaction.mockImplementation(async (cb: any) => await cb(tx)))
which loses type-safety; replace the any with an explicit callback type matching
Prisma's $transaction signature (use the appropriate
PrismaClient/TransactionClient callback type and a generic return type) for the
parameter named cb and ensure tx is typed accordingly; update both occurrences
(the mockImplementation around prismaMock.$transaction and the second instance
at the other noted location) so the mock's callback parameter and tx variable
have explicit Prisma types instead of any.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 372fad35-c14d-4954-bc3c-eae6a57167a6

📥 Commits

Reviewing files that changed from the base of the PR and between 2d4a0dd and dd292d6.

📒 Files selected for processing (15)

• .cursor/skills/create-api-journeys-override/SKILL.md
• apis/api-gateway/schema.graphql
• apis/api-journeys-modern/schema.graphql
• apis/api-journeys-modern/src/schema/block/icon/iconBlockUpdate.mutation.spec.ts
• apis/api-journeys-modern/src/schema/block/icon/iconBlockUpdate.mutation.ts
• apis/api-journeys-modern/src/schema/block/icon/index.ts
• apis/api-journeys-modern/src/schema/block/image/imageBlockCreate.mutation.spec.ts
• apis/api-journeys-modern/src/schema/block/image/imageBlockCreate.mutation.ts
• apis/api-journeys-modern/src/schema/block/image/imageBlockUpdate.mutation.spec.ts
• apis/api-journeys-modern/src/schema/block/image/imageBlockUpdate.mutation.ts
• apis/api-journeys-modern/src/schema/block/image/index.ts
• apis/api-journeys-modern/src/schema/block/image/transformInput.ts
• apis/api-journeys-modern/src/schema/block/radioOption/index.ts
• apis/api-journeys-modern/src/schema/block/radioOption/radioOptionBlockCreate.mutation.spec.ts
• apis/api-journeys-modern/src/schema/block/radioOption/radioOptionBlockCreate.mutation.ts

[stage-branch-merger]

I see you added the "on stage" label, I'll get this merged to the stage branch!

[stage-branch-merger]

Merge conflict attempting to merge this into stage. Please fix manually.