
fix: enforce stating security in routing#2276

Merged
stalniy merged 2 commits into akash-network:main from jzsfkzm:bugfixes/1701-enforce-stating-api-security
Nov 26, 2025

Conversation

@jzsfkzm
Contributor

@jzsfkzm jzsfkzm commented Nov 26, 2025

refs #1701

Summary by CodeRabbit

Release Notes

  • Refactor
    • Centralized route creation through an internal wrapper to enforce explicit security declarations on all API routes
    • Updated public API endpoints to use standard OpenAPI path parameter format (e.g., {id} instead of :id)
    • Made numerous endpoints explicitly accessible without authentication requirements
    • Added structured parameter validation for certain request handlers


@jzsfkzm jzsfkzm requested a review from a team as a code owner November 26, 2025 09:14
@coderabbitai
Contributor

coderabbitai bot commented Nov 26, 2025

Walkthrough

This PR enforces centralized route creation with mandatory security declarations by introducing a wrapper function that re-exports createOpenApiRoute with stricter typing, converting ~50 router files to use the new local path, adding SECURITY_NONE metadata to public endpoints, and establishing an ESLint rule to prevent direct imports from the third-party library.

Changes

Cohort / File(s) Summary
ESLint Configuration
apps/api/.eslintrc.js
Added no-restricted-imports rule blocking direct imports of createRoute from @hono/zod-openapi, enforcing use of local @src/core/lib/create-route/create-route instead.
Core Route Wrapper Utility
apps/api/src/core/lib/create-route/create-route.ts
New file: generic wrapper function that enforces required security property on route configs by extending RouteConfig type and forwarding to createOpenApiRoute.
Address Routes
apps/api/src/address/routes/address/address.router.ts
Import path changed; added SECURITY_NONE to getAddressRoute and getAddressTransactionsRoute.
Auth Routes
apps/api/src/auth/routes/api-keys/api-keys.router.ts, send-verification-email/send-verification-email.router.ts, verify-email/verify-email.router.ts
Import path changed; send-verification-email and verify-email routes now include SECURITY_NONE.
Bid Routes
apps/api/src/bid/routes/bids/bids.router.ts
Import path changed from third-party to local.
Billing Schemas
apps/api/src/billing/http-schemas/stripe.schema.ts
Added new export RemovePaymentMethodParamsSchema defining path parameter for payment method deletion.
Billing Schemas (Import Update)
apps/api/src/billing/http-schemas/wallet.schema.ts
Import source changed from "zod" to "@hono/zod-openapi".
Billing Routes
apps/api/src/billing/routes/checkout/checkout.router.ts, get-balances/get-balances.router.ts, get-wallet-list/get-wallet-list.router.ts, sign-and-broadcast-tx/sign-and-broadcast-tx.router.ts, start-trial/start-trial.router.ts, stripe-coupons/stripe-coupons.router.ts, stripe-customers/stripe-customers.router.ts, stripe-prices/stripe-prices.router.ts, stripe-transactions/stripe-transactions.router.ts, stripe-webhook/stripe-webhook.router.ts, usage/usage.router.ts, wallet-settings/wallet-settings.router.ts
Import path updated; routes added with SECURITY_NONE where applicable (get-balances, start-trial, stripe-webhook, usage).
Billing Stripe Payment Methods
apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts
Path parameter syntax updated (:paymentMethodId to {paymentMethodId}); moved from inline parameters to request: { params: RemovePaymentMethodParamsSchema }; parameter extraction changed to c.req.valid("param"); import path updated.
Block Routes
apps/api/src/block/routes/block-prediction/block-prediction.router.ts, blocks/blocks.router.ts
Import path changed; SECURITY_NONE added to prediction and block list routes.
Certificate Routes
apps/api/src/certificate/routes/certificate.router.ts
Import path changed.
Dashboard Routes
apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts, graph-data/graph-data.router.ts, market-data/market-data.router.ts, network-capacity/network-capacity.router.ts, leases-duration/leases-duration.router.ts
Import path changed; SECURITY_NONE added to all routes.
Deployment Routes
apps/api/src/deployment/routes/deployments/deployments.router.ts, leases/leases.router.ts, deployment-setting/deployment-setting.router.ts
Import path changed; SECURITY_NONE added to fallback/public routes; deployment-setting now uses createRoute instead of createOpenApiRoute.
Network Routes
apps/api/src/network/routes/network/network.router.ts
Import path changed; SECURITY_NONE added to getNodesRoute.
Pricing Routes
apps/api/src/pricing/routes/pricing/pricing.router.ts
Import path changed; SECURITY_NONE added to postPricingRoute.
Proposal Routes
apps/api/src/proposal/routes/proposals/proposals.router.ts
Import path changed; SECURITY_NONE added to proposals and proposal-by-id routes.
Provider Routes
apps/api/src/provider/routes/auditors/auditors.router.ts, jwt-token/jwt-token.router.ts, provider-attributes-schema/provider-attributes-schema.router.ts, provider-dashboard/provider-dashboard.router.ts, provider-deployments/provider-deployments.router.ts, provider-earnings/provider-earnings.router.ts, provider-graph-data/provider-graph-data.router.ts, provider-regions/provider-regions.router.ts, provider-versions/provider-versions.router.ts, providers/providers.router.ts
Import path changed; SECURITY_NONE added to public endpoints (auditors, attributes schema, dashboard, deployments, earnings, graph data, regions, versions); providers route adds SECURITY_NONE to provider list, provider detail, and active leases graph data routes.
Template Routes
apps/api/src/template/routes/templates/templates.router.ts
Import path changed; SECURITY_NONE added to all three template routes.
Transaction Routes
apps/api/src/transaction/routes/transactions/transactions.router.ts
Import path changed; SECURITY_NONE added to list and get-by-hash routes.
User Routes
apps/api/src/user/routes/get-anonymous-user/get-anonymous-user.router.ts, get-current-user/get-current-user.router.ts, register-user/register-user.router.ts, create-anonymous-user/create-anonymous-user.router.ts
Import path changed; path parameter syntax updated (get-anonymous-user); register-user and create-anonymous-user routes add SECURITY_NONE.
Validator Routes
apps/api/src/validator/routes/validators/validators.router.ts
Import path changed; SECURITY_NONE added to both validator routes.
GPU Routes
apps/api/src/gpu/routes/gpu.router.ts
Import path changed; SECURITY_NONE added to all four GPU routes.
Healthz Routes
apps/api/src/healthz/routes/healthz.router.ts
Switched from createOpenApiRoute to createRoute; added SECURITY_NONE.
Internal Routes
apps/api/src/routes/internal/financial.ts, apps/api/src/routes/v1/trialProviders.ts
Import path changed; SECURITY_NONE added.

Sequence Diagram

sequenceDiagram
    participant Router as Router File
    participant CoreLib as `@src/core/lib/create-route`
    participant HonoLib as `@hono/zod-openapi`
    participant ESLint as ESLint Rule

    Note over ESLint: Rule blocks direct imports<br/>from `@hono/zod-openapi`

    Router->>CoreLib: import createRoute
    CoreLib->>HonoLib: import createOpenApiRoute<br/>(as createOpenApiRoute)
    
    Router->>CoreLib: createRoute(routeConfig)
    Note over CoreLib: Enforces security<br/>is required & defined
    
    CoreLib->>HonoLib: createOpenApiRoute(routeConfig)
    HonoLib-->>CoreLib: RouteHandler
    CoreLib-->>Router: RouteHandler<br/>(with type-safe security)
    
    Router->>Router: Apply security: SECURITY_NONE<br/>to public endpoints

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–25 minutes

  • Large homogeneous refactoring across ~50 files: Same pattern repeated—import path change, SECURITY_NONE addition—reduces per-file review complexity.
  • Key attention areas:
    • apps/api/src/core/lib/create-route/create-route.ts — Verify the generic type constraint correctly enforces required security property and that the wrapper preserves all behavior.
    • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts — Contains substantive logic changes (path parameter syntax, schema usage, parameter extraction); requires careful validation.
    • .eslintrc.js — Confirm the ESLint rule is correctly scoped and message is clear.
    • Spot-check 5–10 representative router files to ensure security metadata is applied consistently to correct endpoints.

Suggested reviewers

  • stalniy
  • ygrishajev

🐰 Hops with delight

A wrapper wraps the routes so tight,
Security declared, no sneaky flight,
ESLint guards what once was free,
Now all our endpoints publicly agree! 🔐

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix: enforce stating security in routing' accurately describes the main change: a new ESLint rule that enforces explicit security declarations on routes by requiring the local createRoute wrapper instead of the external createRoute.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f2cf59 and 8a1d68a.

📒 Files selected for processing (55)
  • apps/api/.eslintrc.js (1 hunks)
  • apps/api/src/address/routes/address/address.router.ts (3 hunks)
  • apps/api/src/auth/routes/api-keys/api-keys.router.ts (1 hunks)
  • apps/api/src/auth/routes/send-verification-email/send-verification-email.router.ts (2 hunks)
  • apps/api/src/auth/routes/verify-email/verify-email.router.ts (2 hunks)
  • apps/api/src/bid/routes/bids/bids.router.ts (1 hunks)
  • apps/api/src/billing/routes/checkout/checkout.router.ts (1 hunks)
  • apps/api/src/billing/routes/get-balances/get-balances.router.ts (1 hunks)
  • apps/api/src/billing/routes/get-wallet-list/get-wallet-list.router.ts (1 hunks)
  • apps/api/src/billing/routes/sign-and-broadcast-tx/sign-and-broadcast-tx.router.ts (1 hunks)
  • apps/api/src/billing/routes/start-trial/start-trial.router.ts (2 hunks)
  • apps/api/src/billing/routes/stripe-coupons/stripe-coupons.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-customers/stripe-customers.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts (2 hunks)
  • apps/api/src/billing/routes/stripe-prices/stripe-prices.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-transactions/stripe-transactions.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-webhook/stripe-webhook.router.ts (2 hunks)
  • apps/api/src/billing/routes/usage/usage.router.ts (2 hunks)
  • apps/api/src/billing/routes/wallet-settings/wallet-settings.router.ts (1 hunks)
  • apps/api/src/block/routes/block-prediction/block-prediction.router.ts (3 hunks)
  • apps/api/src/block/routes/blocks/blocks.router.ts (3 hunks)
  • apps/api/src/certificate/routes/certificate.router.ts (1 hunks)
  • apps/api/src/core/lib/create-route/create-route.ts (1 hunks)
  • apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/leases-duration/leases-duration.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/market-data/market-data.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/network-capacity/network-capacity.router.ts (2 hunks)
  • apps/api/src/deployment/routes/deployment-setting/deployment-setting.router.ts (4 hunks)
  • apps/api/src/deployment/routes/deployments/deployments.router.ts (5 hunks)
  • apps/api/src/deployment/routes/leases/leases.router.ts (2 hunks)
  • apps/api/src/gpu/routes/gpu.router.ts (5 hunks)
  • apps/api/src/healthz/routes/healthz.router.ts (2 hunks)
  • apps/api/src/network/routes/network/network.router.ts (2 hunks)
  • apps/api/src/pricing/routes/pricing/pricing.router.ts (2 hunks)
  • apps/api/src/proposal/routes/proposals/proposals.router.ts (3 hunks)
  • apps/api/src/provider/routes/auditors/auditors.router.ts (1 hunks)
  • apps/api/src/provider/routes/jwt-token/jwt-token.router.ts (1 hunks)
  • apps/api/src/provider/routes/provider-attributes-schema/provider-attributes-schema.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-dashboard/provider-dashboard.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-earnings/provider-earnings.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-graph-data/provider-graph-data.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-regions/provider-regions.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-versions/provider-versions.router.ts (2 hunks)
  • apps/api/src/provider/routes/providers/providers.router.ts (4 hunks)
  • apps/api/src/routes/internal/financial.ts (1 hunks)
  • apps/api/src/routes/v1/trialProviders.ts (1 hunks)
  • apps/api/src/template/routes/templates/templates.router.ts (4 hunks)
  • apps/api/src/transaction/routes/transactions/transactions.router.ts (3 hunks)
  • apps/api/src/user/routes/create-anonymous-user/create-anonymous-user.router.ts (2 hunks)
  • apps/api/src/user/routes/get-anonymous-user/get-anonymous-user.router.ts (2 hunks)
  • apps/api/src/user/routes/get-current-user/get-current-user.router.ts (1 hunks)
  • apps/api/src/user/routes/register-user/register-user.router.ts (2 hunks)
  • apps/api/src/validator/routes/validators/validators.router.ts (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (37)
  • apps/api/src/pricing/routes/pricing/pricing.router.ts
  • apps/api/src/dashboard/routes/market-data/market-data.router.ts
  • apps/api/src/provider/routes/provider-dashboard/provider-dashboard.router.ts
  • apps/api/src/network/routes/network/network.router.ts
  • apps/api/src/deployment/routes/deployments/deployments.router.ts
  • apps/api/src/billing/routes/stripe-prices/stripe-prices.router.ts
  • apps/api/src/provider/routes/providers/providers.router.ts
  • apps/api/src/billing/routes/usage/usage.router.ts
  • apps/api/src/provider/routes/provider-regions/provider-regions.router.ts
  • apps/api/src/routes/v1/trialProviders.ts
  • apps/api/src/billing/routes/get-wallet-list/get-wallet-list.router.ts
  • apps/api/src/billing/routes/stripe-webhook/stripe-webhook.router.ts
  • apps/api/src/user/routes/create-anonymous-user/create-anonymous-user.router.ts
  • apps/api/src/healthz/routes/healthz.router.ts
  • apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts
  • apps/api/src/validator/routes/validators/validators.router.ts
  • apps/api/src/routes/internal/financial.ts
  • apps/api/src/provider/routes/provider-earnings/provider-earnings.router.ts
  • apps/api/src/bid/routes/bids/bids.router.ts
  • apps/api/src/template/routes/templates/templates.router.ts
  • apps/api/.eslintrc.js
  • apps/api/src/user/routes/register-user/register-user.router.ts
  • apps/api/src/transaction/routes/transactions/transactions.router.ts
  • apps/api/src/provider/routes/provider-graph-data/provider-graph-data.router.ts
  • apps/api/src/gpu/routes/gpu.router.ts
  • apps/api/src/auth/routes/send-verification-email/send-verification-email.router.ts
  • apps/api/src/address/routes/address/address.router.ts
  • apps/api/src/provider/routes/provider-attributes-schema/provider-attributes-schema.router.ts
  • apps/api/src/deployment/routes/leases/leases.router.ts
  • apps/api/src/billing/routes/wallet-settings/wallet-settings.router.ts
  • apps/api/src/user/routes/get-current-user/get-current-user.router.ts
  • apps/api/src/billing/routes/start-trial/start-trial.router.ts
  • apps/api/src/provider/routes/auditors/auditors.router.ts
  • apps/api/src/dashboard/routes/network-capacity/network-capacity.router.ts
  • apps/api/src/billing/routes/stripe-transactions/stripe-transactions.router.ts
  • apps/api/src/block/routes/blocks/blocks.router.ts
  • apps/api/src/billing/routes/sign-and-broadcast-tx/sign-and-broadcast-tx.router.ts
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/general.mdc)

**/*.{ts,tsx,js}: Never use type any or cast to type any. Always define the proper TypeScript types.
Never use deprecated methods from libraries.
Don't add unnecessary comments to the code.

Files:

  • apps/api/src/auth/routes/verify-email/verify-email.router.ts
  • apps/api/src/dashboard/routes/leases-duration/leases-duration.router.ts
  • apps/api/src/billing/routes/stripe-coupons/stripe-coupons.router.ts
  • apps/api/src/auth/routes/api-keys/api-keys.router.ts
  • apps/api/src/deployment/routes/deployment-setting/deployment-setting.router.ts
  • apps/api/src/user/routes/get-anonymous-user/get-anonymous-user.router.ts
  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts
  • apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts
  • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts
  • apps/api/src/core/lib/create-route/create-route.ts
  • apps/api/src/provider/routes/provider-versions/provider-versions.router.ts
  • apps/api/src/certificate/routes/certificate.router.ts
  • apps/api/src/provider/routes/jwt-token/jwt-token.router.ts
  • apps/api/src/billing/routes/get-balances/get-balances.router.ts
  • apps/api/src/block/routes/block-prediction/block-prediction.router.ts
  • apps/api/src/proposal/routes/proposals/proposals.router.ts
  • apps/api/src/billing/routes/checkout/checkout.router.ts
  • apps/api/src/billing/routes/stripe-customers/stripe-customers.router.ts
🧠 Learnings (4)
📓 Common learnings
Learnt from: baktun14
Repo: akash-network/console PR: 1725
File: apps/api/src/utils/constants.ts:5-5
Timestamp: 2025-07-24T17:00:52.361Z
Learning: In the Akash Network Console project, when cross-cutting concerns or broader refactoring issues are identified during PR review, the preferred approach is to create a separate GitHub issue to track the work rather than expanding the scope of the current PR. This maintains focus and allows for proper planning of architectural improvements.
📚 Learning: 2025-11-12T09:03:40.132Z
Learnt from: stalniy
Repo: akash-network/console PR: 0
File: :0-0
Timestamp: 2025-11-12T09:03:40.132Z
Learning: For backend services (like the Indexer), prefer using createOtelLogger from "akashnetwork/logging/otel" to include OpenTelemetry trace context in logs.

Applied to files:

  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts
📚 Learning: 2025-05-25T19:37:00.800Z
Learnt from: jzsfkzm
Repo: akash-network/console PR: 1364
File: apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts:38-44
Timestamp: 2025-05-25T19:37:00.800Z
Learning: The Akash Console API uses centralized error handling through the OpenApiHonoHandler's defaultHook, which automatically processes errors via HonoErrorHandlerService. Individual route handlers do not use explicit try-catch blocks and instead rely on this framework-level error handling mechanism.

Applied to files:

  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts
📚 Learning: 2025-09-25T14:31:44.914Z
Learnt from: baktun14
Repo: akash-network/console PR: 1969
File: apps/deploy-web/src/pages/payment.tsx:179-191
Timestamp: 2025-09-25T14:31:44.914Z
Learning: The payment confirmation endpoint in apps/api/src/billing/http-schemas/stripe.schema.ts uses zod schema validation with `amount: z.number().gte(20, "Amount must be greater or equal to $20")` to ensure all payment requests meet the minimum amount requirement, preventing zero-amount or invalid payments from reaching Stripe.

Applied to files:

  • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts
🧬 Code graph analysis (10)
apps/api/src/auth/routes/verify-email/verify-email.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/dashboard/routes/leases-duration/leases-duration.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/deployment/routes/deployment-setting/deployment-setting.router.ts (1)
apps/api/src/core/lib/create-route/create-route.ts (1)
  • createRoute (5-11)
apps/api/src/dashboard/routes/graph-data/graph-data.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts (3)
apps/api/src/billing/http-schemas/stripe.schema.ts (1)
  • RemovePaymentMethodParamsSchema (218-227)
apps/api/src/billing/controllers/stripe/stripe.controller.ts (1)
  • removePaymentMethod (129-151)
packages/http-sdk/src/stripe/stripe.service.ts (1)
  • removePaymentMethod (32-34)
apps/api/src/provider/routes/provider-versions/provider-versions.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/billing/routes/get-balances/get-balances.router.ts (3)
apps/api/src/dashboard/routes/leases-duration/leases-duration.router.ts (1)
  • route (17-40)
apps/api/src/core/lib/create-route/create-route.ts (1)
  • createRoute (5-11)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/block/routes/block-prediction/block-prediction.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/proposal/routes/proposals/proposals.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: validate / validate-app
  • GitHub Check: test-build
🔇 Additional comments (21)
apps/api/src/certificate/routes/certificate.router.ts (1)

3-3: LGTM!

Import path correctly updated to use the internal createRoute wrapper. The route appropriately uses SECURITY_BEARER_OR_API_KEY for certificate creation.

apps/api/src/auth/routes/api-keys/api-keys.router.ts (1)

13-13: LGTM!

Import path correctly updated. All API key management routes appropriately require authentication via SECURITY_BEARER_OR_API_KEY.

apps/api/src/provider/routes/provider-versions/provider-versions.router.ts (1)

3-6: LGTM!

Import paths updated correctly and SECURITY_NONE is appropriate for this public endpoint that returns provider version data.

Also applies to: 16-16

apps/api/src/auth/routes/verify-email/verify-email.router.ts (1)

17-17: Verify the 401 response is intentional for this unauthenticated endpoint.

The route uses SECURITY_NONE (no authentication required) but documents a 401 Unauthorized response. This may be intentional if 401 indicates an invalid/expired verification token rather than missing auth headers. Please confirm this is the expected behavior.

Also applies to: 37-38

apps/api/src/billing/routes/stripe-customers/stripe-customers.router.ts (1)

5-5: LGTM!

Import path correctly updated. The route appropriately requires authentication for updating customer organization data.

apps/api/src/billing/routes/checkout/checkout.router.ts (1)

5-5: LGTM!

Import path correctly updated to use the internal wrapper. Authentication is appropriately required for checkout operations.

apps/api/src/dashboard/routes/graph-data/graph-data.router.ts (1)

4-6: LGTM!

Import paths updated correctly. SECURITY_NONE is appropriate for this public analytics endpoint that serves dashboard graph data.

Also applies to: 19-19

apps/api/src/provider/routes/jwt-token/jwt-token.router.ts (1)

4-4: createRoute import switch aligns with new routing wrapper

Importing createRoute from @src/core/lib/create-route/create-route while keeping security: SECURITY_BEARER_OR_API_KEY matches the new typed wrapper pattern and preserves existing behavior.

apps/api/src/dashboard/routes/leases-duration/leases-duration.router.ts (1)

1-23: Explicit SECURITY_NONE and wrapper import look correct; confirm route is intentionally public

Using the internal createRoute wrapper and adding security: SECURITY_NONE for /v1/leases-duration/{owner} is consistent with the new security-typed routing pattern and matches other analytics routes. Please just double-check that this endpoint is meant to be unauthenticated for both the public and internal routers.

apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts (1)

3-16: Dashboard-data route now explicitly declares no auth

The route now uses the internal createRoute wrapper and security: SECURITY_NONE, which aligns with the PR’s goal of enforcing explicit security metadata. Please confirm that /v1/dashboard-data is intended to be unauthenticated.

apps/api/src/deployment/routes/deployment-setting/deployment-setting.router.ts (1)

4-128: Deployment-settings routes correctly migrated to internal createRoute with auth preserved

All three routes (getRoute, postRoute, patchRoute) now use the internal createRoute wrapper while still declaring security: SECURITY_BEARER_OR_API_KEY. This satisfies the stricter typing requirement without altering the existing authentication behavior.

apps/api/src/billing/routes/stripe-coupons/stripe-coupons.router.ts (1)

5-36: Stripe coupons route uses internal createRoute with existing auth

Switching createRoute to the internal wrapper while keeping security: SECURITY_BEARER_OR_API_KEY on /v1/stripe/coupons/apply cleanly aligns this route with the new pattern and maintains its protected status.

apps/api/src/user/routes/get-anonymous-user/get-anonymous-user.router.ts (1)

4-35: createRoute import and {id} path syntax align with OpenAPI-style routes

Migrating to the internal createRoute and updating the path to /v1/anonymous-users/{id} brings this route in line with other OpenAPI-style definitions, while keeping security: SECURITY_BEARER_OR_API_KEY intact. Please just confirm that {id} is the expected placeholder format for OpenApiHonoHandler in this codebase (it appears consistent with other routes like leases-duration).

apps/api/src/proposal/routes/proposals/proposals.router.ts (1)

3-57: Proposals routes explicitly marked as unauthenticated

Using the internal createRoute wrapper and adding security: SECURITY_NONE to both /v1/proposals and /v1/proposals/{id} matches the enforced security-typing pattern and makes the no-auth stance explicit. Please verify that proposal listing and detail are indeed intended to be publicly accessible without API key or bearer auth.

apps/api/src/billing/routes/get-balances/get-balances.router.ts (1)

5-30: Balances route marked SECURITY_NONE; confirm intended public exposure

The route now uses the internal createRoute wrapper and declares security: SECURITY_NONE for /v1/balances, while returning balances for the supplied address query param. This is consistent with the new security-typing approach, but since it exposes user balances by address, please double-check that this endpoint is intentionally unauthenticated and not expected to require API key or user auth.

apps/api/src/block/routes/block-prediction/block-prediction.router.ts (3)

11-13: Centralized route creation and explicit security import look good

Using the internal createRoute wrapper plus SECURITY_NONE import aligns with the new security enforcement pattern and keeps external imports centralized.


17-40: Public block‑prediction endpoint correctly marked as unsecured

Adding security: SECURITY_NONE makes the unauthenticated nature of /v1/predicted-block-date/{height} explicit in the OpenAPI contract while still using validated request schemas.


49-72: Second prediction endpoint also correctly declares no security

security: SECURITY_NONE on /v1/predicted-date-height/{timestamp} is consistent with the first route and satisfies the requirement that all routes declare security explicitly.

apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts (2)

4-13: Schema + route factory imports are consistent with new conventions

Importing RemovePaymentMethodParamsSchema and the internal createRoute wrapper keeps this router aligned with the shared schema and centralized route creation strategy.


67-86: Improved delete route typing and validation

Switching the path to /v1/stripe/payment-methods/{paymentMethodId}, wiring request: { params: RemovePaymentMethodParamsSchema }, and reading const { paymentMethodId } = c.req.valid("param") ensures the param is validated and correctly documented in OpenAPI, while the actual URL used by the SDK remains unchanged.

apps/api/src/core/lib/create-route/create-route.ts (1)

1-11: Review suggestion is technically sound but requires manual verification for backward compatibility

Based on web research, the suggested changes improve type safety:

  1. NonNullable<RouteConfig["security"]> is more precise than Required<RouteConfig>["security"]

    • The actual type security?: Array<Record<string, string[]>> includes undefined
    • Required only makes the field mandatory but still allows undefined as a value
    • NonNullable actively excludes undefined, providing stronger type guarantees
  2. Explicit return type ReturnType<typeof createOpenApiRoute> adds clarity

    • Resolves to RouteConfig per the Hono/Zod-OpenAPI documentation
    • Improves IDE support and code readability

However, repository access failed, so I cannot verify:

  • Whether existing createRoute calls pass undefined/null in security
  • If this constitutes a breaking change
  • Current codebase patterns and compatibility

The suggestion appears valid from a TypeScript type theory perspective, but requires human review to confirm backward compatibility with existing call sites.


Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (7)
apps/api/src/deployment/routes/leases/leases.router.ts (1)

45-51: Confirm that fallback lease list is intended to be unauthenticated

Marking /akash/market/{version}/leases/list with security: SECURITY_NONE makes its “public” status explicit in the OpenAPI layer, which matches the PR goal of always stating security. Please just double‑check that this fallback DB listing is truly meant to be accessible without auth; if not, it should likely use SECURITY_BEARER_OR_API_KEY instead. If this raises follow‑up questions for other similar routes, consider a separate issue for a broader security audit rather than expanding this PR’s scope. Based on learnings, this keeps the PR focused.

apps/api/src/billing/routes/stripe-prices/stripe-prices.router.ts (1)

5-5: Use internal createRoute wrapper and avoid redundant controller call

The switch to createRoute from @src/core/services/create-route/create-route looks correct and keeps security metadata explicit.

Unrelated but easy win in the same handler: findPrices() is called twice, which can add unnecessary latency/load if it hits Stripe or a DB. Consider calling it once and reusing the result:

-stripePricesRouter.openapi(route, async function routeStripePrices(c) {
-  await container.resolve(StripeController).findPrices();
-  return c.json(await container.resolve(StripeController).findPrices(), 200);
-});
+stripePricesRouter.openapi(route, async function routeStripePrices(c) {
+  const prices = await container.resolve(StripeController).findPrices();
+  return c.json(prices, 200);
+});
apps/api/src/core/services/create-route/create-route.ts (1)

1-11: createRoute wrapper correctly enforces a security field, with room for stricter typing

This wrapper cleanly delegates to @hono/zod-openapi while requiring a security property in the route config, which is exactly what the PR is aiming for. The eslint suppression on the aliased import is appropriate given the new no-restricted-imports rule.

If you want to go one step further and prevent security: undefined (in addition to preventing it from being omitted), you could tighten the type to a non‑nullable value:

export function createRoute<
  R extends Omit<RouteConfig, "security"> & {
    security: NonNullable<Required<RouteConfig>["security"]>;
  }
>(routeConfig: R) {
  return createOpenApiRoute(routeConfig);
}

This keeps all current usages valid (including SECURITY_NONE, which is an empty array) but makes it harder to accidentally “opt out” by writing security: undefined.

apps/api/src/billing/routes/usage/usage.router.ts (1)

5-7: Explicit SECURITY_NONE for usage routes looks consistent with address‑based access

Switching to the internal createRoute helper and adding security: SECURITY_NONE to both /v1/usage/history and /v1/usage/history/stats matches the pattern for public, address‑scoped data and keeps the implementation unchanged. If usage history should ever be tied to the authenticated user rather than a bare address, you could later swap to SECURITY_BEARER_OR_API_KEY and derive the address from auth context instead, but that’s outside this PR’s scope.

Also applies to: 14-15, 39-40

apps/api/src/provider/routes/provider-earnings/provider-earnings.router.ts (1)

4-6: SECURITY_NONE on provider earnings matches a public, owner‑address–scoped endpoint

The move to the shared createRoute helper plus security: SECURITY_NONE on /v1/provider-earnings/{owner} is consistent with other address/owner‑scoped endpoints that surface indexer‑style data without auth. If you later standardize on using c.req.valid("query") instead of c.req.query() here, that can be handled as a small follow‑up without impacting this security metadata change.

Also applies to: 10-16

apps/api/src/billing/routes/get-balances/get-balances.router.ts (1)

5-7: Public balances endpoint with SECURITY_NONE matches address‑scoped usage

The switch to the shared createRoute helper and adding security: SECURITY_NONE on /v1/balances fits the current model of taking an address from the validated query and returning its balances, consistent with other public address‑based endpoints. If product/security requirements ever treat these balances as user‑private rather than purely chain‑visible, you could later move this to SECURITY_BEARER_OR_API_KEY and infer the address from auth instead.

Also applies to: 9-15

apps/api/src/provider/routes/provider-graph-data/provider-graph-data.router.ts (1)

4-6: Provider graph-data route aligned with new createRoute + SECURITY_NONE

The switch to the shared createRoute helper and adding security: SECURITY_NONE for /v1/provider-graph-data/{dataName} are consistent with the rest of the analytics endpoints and look correct. As a minor follow-up (not required for this PR), consider replacing the console.log in this handler with the centralized logging/OTel-based logger used elsewhere, to keep backend logging consistent and trace-friendly. Based on learnings, that sort of cross-cutting cleanup is usually better handled in a separate issue.

Also applies to: 13-18

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6462ef1 and fb1fb57.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • packages/net/src/generated/netConfigData.ts is excluded by !**/generated/**
📒 Files selected for processing (51)
  • apps/api/.eslintrc.js (1 hunks)
  • apps/api/src/address/routes/address/address.router.ts (3 hunks)
  • apps/api/src/auth/routes/api-keys/api-keys.router.ts (1 hunks)
  • apps/api/src/auth/routes/send-verification-email/send-verification-email.router.ts (2 hunks)
  • apps/api/src/auth/routes/verify-email/verify-email.router.ts (2 hunks)
  • apps/api/src/bid/routes/bids/bids.router.ts (1 hunks)
  • apps/api/src/billing/http-schemas/stripe.schema.ts (1 hunks)
  • apps/api/src/billing/http-schemas/wallet.schema.ts (1 hunks)
  • apps/api/src/billing/routes/checkout/checkout.router.ts (1 hunks)
  • apps/api/src/billing/routes/get-balances/get-balances.router.ts (1 hunks)
  • apps/api/src/billing/routes/get-wallet-list/get-wallet-list.router.ts (1 hunks)
  • apps/api/src/billing/routes/sign-and-broadcast-tx/sign-and-broadcast-tx.router.ts (1 hunks)
  • apps/api/src/billing/routes/start-trial/start-trial.router.ts (2 hunks)
  • apps/api/src/billing/routes/stripe-coupons/stripe-coupons.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-customers/stripe-customers.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts (2 hunks)
  • apps/api/src/billing/routes/stripe-prices/stripe-prices.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-transactions/stripe-transactions.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-webhook/stripe-webhook.router.ts (2 hunks)
  • apps/api/src/billing/routes/usage/usage.router.ts (2 hunks)
  • apps/api/src/billing/routes/wallet-settings/wallet-settings.router.ts (1 hunks)
  • apps/api/src/block/routes/block-prediction/block-prediction.router.ts (3 hunks)
  • apps/api/src/block/routes/blocks/blocks.router.ts (3 hunks)
  • apps/api/src/certificate/routes/certificate.router.ts (1 hunks)
  • apps/api/src/core/services/create-route/create-route.ts (1 hunks)
  • apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/market-data/market-data.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/network-capacity/network-capacity.router.ts (2 hunks)
  • apps/api/src/deployment/routes/deployments/deployments.router.ts (5 hunks)
  • apps/api/src/deployment/routes/leases/leases.router.ts (2 hunks)
  • apps/api/src/network/routes/network/network.router.ts (2 hunks)
  • apps/api/src/pricing/routes/pricing/pricing.router.ts (2 hunks)
  • apps/api/src/proposal/routes/proposals/proposals.router.ts (3 hunks)
  • apps/api/src/provider/routes/auditors/auditors.router.ts (1 hunks)
  • apps/api/src/provider/routes/jwt-token/jwt-token.router.ts (1 hunks)
  • apps/api/src/provider/routes/provider-attributes-schema/provider-attributes-schema.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-dashboard/provider-dashboard.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-earnings/provider-earnings.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-graph-data/provider-graph-data.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-regions/provider-regions.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-versions/provider-versions.router.ts (2 hunks)
  • apps/api/src/provider/routes/providers/providers.router.ts (4 hunks)
  • apps/api/src/template/routes/templates/templates.router.ts (4 hunks)
  • apps/api/src/transaction/routes/transactions/transactions.router.ts (3 hunks)
  • apps/api/src/user/routes/get-anonymous-user/get-anonymous-user.router.ts (2 hunks)
  • apps/api/src/user/routes/get-current-user/get-current-user.router.ts (1 hunks)
  • apps/api/src/user/routes/register-user/register-user.router.ts (2 hunks)
  • apps/api/src/validator/routes/validators/validators.router.ts (3 hunks)
  • apps/provider-proxy/package.json (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/general.mdc)

**/*.{ts,tsx,js}: Never use type any or cast to type any. Always define the proper TypeScript types.
Never use deprecated methods from libraries.
Don't add unnecessary comments to the code.

Files:

  • apps/api/src/provider/routes/providers/providers.router.ts
  • apps/api/src/billing/http-schemas/stripe.schema.ts
  • apps/api/src/billing/routes/checkout/checkout.router.ts
  • apps/api/src/block/routes/block-prediction/block-prediction.router.ts
  • apps/api/src/deployment/routes/leases/leases.router.ts
  • apps/api/src/auth/routes/api-keys/api-keys.router.ts
  • apps/api/src/proposal/routes/proposals/proposals.router.ts
  • apps/api/src/provider/routes/provider-versions/provider-versions.router.ts
  • apps/api/src/provider/routes/provider-dashboard/provider-dashboard.router.ts
  • apps/api/src/billing/routes/wallet-settings/wallet-settings.router.ts
  • apps/api/src/billing/http-schemas/wallet.schema.ts
  • apps/api/src/certificate/routes/certificate.router.ts
  • apps/api/src/provider/routes/jwt-token/jwt-token.router.ts
  • apps/api/src/network/routes/network/network.router.ts
  • apps/api/src/bid/routes/bids/bids.router.ts
  • apps/api/src/billing/routes/stripe-coupons/stripe-coupons.router.ts
  • apps/api/src/user/routes/register-user/register-user.router.ts
  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts
  • apps/api/src/billing/routes/sign-and-broadcast-tx/sign-and-broadcast-tx.router.ts
  • apps/api/src/template/routes/templates/templates.router.ts
  • apps/api/src/billing/routes/usage/usage.router.ts
  • apps/api/src/billing/routes/stripe-transactions/stripe-transactions.router.ts
  • apps/api/src/provider/routes/auditors/auditors.router.ts
  • apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts
  • apps/api/src/user/routes/get-anonymous-user/get-anonymous-user.router.ts
  • apps/api/src/address/routes/address/address.router.ts
  • apps/api/src/billing/routes/stripe-customers/stripe-customers.router.ts
  • apps/api/src/transaction/routes/transactions/transactions.router.ts
  • apps/api/src/validator/routes/validators/validators.router.ts
  • apps/api/src/auth/routes/send-verification-email/send-verification-email.router.ts
  • apps/api/src/provider/routes/provider-earnings/provider-earnings.router.ts
  • apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts
  • apps/api/src/provider/routes/provider-regions/provider-regions.router.ts
  • apps/api/src/billing/routes/get-balances/get-balances.router.ts
  • apps/api/src/billing/routes/stripe-webhook/stripe-webhook.router.ts
  • apps/api/src/billing/routes/stripe-prices/stripe-prices.router.ts
  • apps/api/src/billing/routes/start-trial/start-trial.router.ts
  • apps/api/src/dashboard/routes/network-capacity/network-capacity.router.ts
  • apps/api/src/provider/routes/provider-attributes-schema/provider-attributes-schema.router.ts
  • apps/api/src/auth/routes/verify-email/verify-email.router.ts
  • apps/api/src/provider/routes/provider-graph-data/provider-graph-data.router.ts
  • apps/api/src/pricing/routes/pricing/pricing.router.ts
  • apps/api/src/deployment/routes/deployments/deployments.router.ts
  • apps/api/src/billing/routes/get-wallet-list/get-wallet-list.router.ts
  • apps/api/src/dashboard/routes/market-data/market-data.router.ts
  • apps/api/src/user/routes/get-current-user/get-current-user.router.ts
  • apps/api/src/core/services/create-route/create-route.ts
  • apps/api/src/block/routes/blocks/blocks.router.ts
  • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts
🧠 Learnings (6)
📓 Common learnings
Learnt from: baktun14
Repo: akash-network/console PR: 1725
File: apps/api/src/utils/constants.ts:5-5
Timestamp: 2025-07-24T17:00:52.361Z
Learning: In the Akash Network Console project, when cross-cutting concerns or broader refactoring issues are identified during PR review, the preferred approach is to create a separate GitHub issue to track the work rather than expanding the scope of the current PR. This maintains focus and allows for proper planning of architectural improvements.
📚 Learning: 2025-09-25T14:31:44.914Z
Learnt from: baktun14
Repo: akash-network/console PR: 1969
File: apps/deploy-web/src/pages/payment.tsx:179-191
Timestamp: 2025-09-25T14:31:44.914Z
Learning: The payment confirmation endpoint in apps/api/src/billing/http-schemas/stripe.schema.ts uses zod schema validation with `amount: z.number().gte(20, "Amount must be greater or equal to $20")` to ensure all payment requests meet the minimum amount requirement, preventing zero-amount or invalid payments from reaching Stripe.

Applied to files:

  • apps/api/src/billing/http-schemas/stripe.schema.ts
  • apps/api/src/billing/http-schemas/wallet.schema.ts
  • apps/api/src/billing/routes/stripe-transactions/stripe-transactions.router.ts
  • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts
📚 Learning: 2025-11-12T09:03:40.132Z
Learnt from: stalniy
Repo: akash-network/console PR: 0
File: :0-0
Timestamp: 2025-11-12T09:03:40.132Z
Learning: For backend services (like the Indexer), prefer using createOtelLogger from "akashnetwork/logging/otel" to include OpenTelemetry trace context in logs.

Applied to files:

  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts
📚 Learning: 2025-05-25T19:37:00.800Z
Learnt from: jzsfkzm
Repo: akash-network/console PR: 1364
File: apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts:38-44
Timestamp: 2025-05-25T19:37:00.800Z
Learning: The Akash Console API uses centralized error handling through the OpenApiHonoHandler's defaultHook, which automatically processes errors via HonoErrorHandlerService. Individual route handlers do not use explicit try-catch blocks and instead rely on this framework-level error handling mechanism.

Applied to files:

  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts
📚 Learning: 2025-06-04T19:02:02.168Z
Learnt from: jzsfkzm
Repo: akash-network/console PR: 1433
File: apps/api/src/pricing/services/pricing/pricing.service.ts:0-0
Timestamp: 2025-06-04T19:02:02.168Z
Learning: In the Akash Console API codebase, input validation is handled at the router level using zod schemas rather than duplicating validation in service layers. The PricingService relies on the router's schema validation to ensure valid inputs.

Applied to files:

  • apps/api/src/pricing/routes/pricing/pricing.router.ts
📚 Learning: 2025-06-03T15:06:34.211Z
Learnt from: baktun14
Repo: akash-network/console PR: 1428
File: apps/api/src/deployment/controllers/deployment/deployment.controller.ts:0-0
Timestamp: 2025-06-03T15:06:34.211Z
Learning: The `getByOwnerAndDseq` method in `apps/api/src/deployment/controllers/deployment/deployment.controller.ts` is intentionally public without the `Protected` decorator because it serves public blockchain data from an indexer, following the pattern of public blockchain APIs.

Applied to files:

  • apps/api/src/deployment/routes/deployments/deployments.router.ts
🧬 Code graph analysis (28)
apps/api/src/provider/routes/providers/providers.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/deployment/routes/leases/leases.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/proposal/routes/proposals/proposals.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/provider/routes/provider-versions/provider-versions.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/provider/routes/provider-dashboard/provider-dashboard.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/network/routes/network/network.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/user/routes/register-user/register-user.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/dashboard/routes/graph-data/graph-data.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/template/routes/templates/templates.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/billing/routes/usage/usage.router.ts (2)
apps/api/src/core/services/create-route/create-route.ts (1)
  • createRoute (5-11)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/provider/routes/auditors/auditors.router.ts (2)
apps/api/src/core/services/create-route/create-route.ts (1)
  • createRoute (5-11)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/address/routes/address/address.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/transaction/routes/transactions/transactions.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/validator/routes/validators/validators.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/auth/routes/send-verification-email/send-verification-email.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/provider/routes/provider-earnings/provider-earnings.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/provider/routes/provider-regions/provider-regions.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/billing/routes/stripe-webhook/stripe-webhook.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/billing/routes/start-trial/start-trial.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/dashboard/routes/network-capacity/network-capacity.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/provider/routes/provider-attributes-schema/provider-attributes-schema.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/auth/routes/verify-email/verify-email.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/pricing/routes/pricing/pricing.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/deployment/routes/deployments/deployments.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/block/routes/blocks/blocks.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts (4)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_BEARER_OR_API_KEY (5-5)
apps/api/src/billing/http-schemas/stripe.schema.ts (1)
  • RemovePaymentMethodParamsSchema (218-227)
apps/api/src/billing/controllers/stripe/stripe.controller.ts (1)
  • removePaymentMethod (129-151)
packages/http-sdk/src/stripe/stripe.service.ts (1)
  • removePaymentMethod (32-34)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: test-build
  • GitHub Check: Validate local packages
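
A self-contained TypeScript illustration of the createRoute wrapper with the NonNullable constraint suggested above, plus an audit over a generated OpenAPI document that separates "security never declared" from "security: [] (explicitly public)". This is an added example, not code from the console repository: RouteConfig, createOpenApiRoute, the two SECURITY_* constants and the sample document are constructed stand-ins.

```typescript
// Added example; models the PR's wrapper against constructed stand-ins, not the real
// @hono/zod-openapi types or the akash-network/console source.

type HttpMethod = "get" | "post" | "put" | "patch" | "delete";
type SecurityRequirementObject = Record<string, string[]>;

// Constructed stand-in for the part of @hono/zod-openapi's RouteConfig that matters here.
interface RouteConfig {
  method: HttpMethod;
  path: string;
  responses: Record<number, { description: string }>;
  security?: SecurityRequirementObject[];
}

// Assumed shapes of the page's SECURITY_NONE / SECURITY_BEARER_OR_API_KEY constants.
export const SECURITY_NONE: SecurityRequirementObject[] = [];
export const SECURITY_BEARER_OR_API_KEY: SecurityRequirementObject[] = [{ bearerAuth: [] }, { apiKeyAuth: [] }];

// Stand-in for the library's createRoute (aliased createOpenApiRoute in the PR).
function createOpenApiRoute<R extends RouteConfig>(routeConfig: R): R {
  return routeConfig;
}

// The wrapper from the PR with the stricter constraint: the property is required and
// NonNullable spells out that `undefined` is not an accepted value, so `security: undefined`
// and an omitted `security` both fail to type-check. SECURITY_NONE (an empty array) still passes.
export function createRoute<
  R extends Omit<RouteConfig, "security"> & {
    security: NonNullable<Required<RouteConfig>["security"]>;
  }
>(routeConfig: R): R {
  // Runtime backstop for callers that bypass the types (plain JS, casts through unknown).
  if (!Array.isArray(routeConfig.security)) {
    throw new Error(`${routeConfig.method.toUpperCase()} ${routeConfig.path}: security must be declared`);
  }
  return createOpenApiRoute(routeConfig);
}

// Minimal view of a generated OpenAPI 3 document: only what the audit reads.
export interface OpenApiDoc {
  security?: SecurityRequirementObject[];
  paths: Record<string, Partial<Record<HttpMethod, { security?: SecurityRequirementObject[] }>>>;
}

export interface OperationRef {
  method: HttpMethod;
  path: string;
}

const HTTP_METHODS: HttpMethod[] = ["get", "post", "put", "patch", "delete"];

// Operations with no `security` of their own and no document-level default. These are the
// routes the wrapper is meant to make impossible (e.g. one registered through a direct
// library import), so a CI step can fail when this list is non-empty.
export function findUndeclaredSecurity(doc: OpenApiDoc): OperationRef[] {
  if (doc.security !== undefined) return []; // a document default covers every operation
  const missing: OperationRef[] = [];
  for (const [path, item] of Object.entries(doc.paths)) {
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (op && op.security === undefined) missing.push({ method, path });
    }
  }
  return missing;
}

// Operations explicitly declared public (`security: []`): the set a reviewer should confirm
// one by one, which is the question raised above for the leases list and provider dashboard.
export function listPublicOperations(doc: OpenApiDoc): OperationRef[] {
  const pub: OperationRef[] = [];
  for (const [path, item] of Object.entries(doc.paths)) {
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (op && Array.isArray(op.security) && op.security.length === 0) pub.push({ method, path });
    }
  }
  return pub;
}

// Constructed sample: two routes built through the wrapper, one registered without it.
const leasesList = createRoute({
  method: "get",
  path: "/akash/market/{version}/leases/list",
  responses: { 200: { description: "OK" } },
  security: SECURITY_NONE,
});
const protectedExample = createRoute({
  method: "delete",
  path: "/v1/example/protected", // placeholder path, not a real console endpoint
  responses: { 200: { description: "OK" } },
  security: SECURITY_BEARER_OR_API_KEY,
});

export const SAMPLE_DOC: OpenApiDoc = {
  paths: {
    [leasesList.path]: { get: { security: leasesList.security } },
    [protectedExample.path]: { delete: { security: protectedExample.security } },
    // Registered via a direct @hono/zod-openapi import, so the wrapper never saw it.
    "/v1/provider-dashboard/{owner}": { get: {} },
  },
};
```

Running findUndeclaredSecurity over the real generated spec (the docs snapshot test is a natural place) turns the type-level guarantee into a check that also covers routes created outside the wrapper.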

@jzsfkzm jzsfkzm force-pushed the bugfixes/1701-enforce-stating-api-security branch 2 times, most recently from f068d7c to d645dd0 on November 26, 2025 09:42
@jzsfkzm jzsfkzm force-pushed the bugfixes/1701-enforce-stating-api-security branch from d645dd0 to 2f2cf59 on November 26, 2025 10:08
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
apps/api/src/billing/routes/stripe-prices/stripe-prices.router.ts (1)

42-44: Remove duplicate findPrices() call.

Line 43 calls findPrices() without using the result, then line 44 calls it again. The first call is wasteful and should be removed.

Apply this diff:

 stripePricesRouter.openapi(route, async function routeStripePrices(c) {
-  await container.resolve(StripeController).findPrices();
   return c.json(await container.resolve(StripeController).findPrices(), 200);
 });
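Review bot: the removal is behaviour-neutral, since the dropped line discards its own result and the unchanged `return c.json(await container.resolve(StripeController).findPrices(), 200);` still fetches the prices exactly once; as the duplicate call predates this PR and sits outside the diff range, landing it as a separate small commit keeps this PR limited to the security-declaration change.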
apps/api/src/provider/routes/provider-dashboard/provider-dashboard.router.ts (1)

4-15: Verify authentication strategy: provider dashboard should not be marked as SECURITY_NONE without clear justification

The switch to the local createRoute wrapper aligns with the ESLint rule and is appropriate. However, marking /v1/provider-dashboard/{owner} with security: SECURITY_NONE contradicts API security best practices for dashboard endpoints.

Dashboard endpoints typically expose sensitive data (metrics, configuration, usage). Per industry standards, all such endpoints should enforce authentication and authorization at both the API layer and any upstream gateway/reverse proxy.

Before merging, confirm one of the following:

  1. If this endpoint should be protected, replace SECURITY_NONE with the appropriate security scheme (e.g., SECURITY_BEARER_OR_API_KEY)
  2. If relying on upstream gateway authentication, document this decision in a code comment and update the OpenAPI spec to reflect the actual security requirement
  3. If this is intentionally public (unlikely for a dashboard), document the business justification in a comment
🧹 Nitpick comments (3)
apps/api/src/billing/http-schemas/stripe.schema.ts (1)

218-227: New RemovePaymentMethodParamsSchema aligns with existing schema patterns

The RemovePaymentMethodParamsSchema definition and OpenAPI metadata for the paymentMethodId path parameter look correct and consistent with the rest of the Stripe schemas. For consistency with the other schemas in this file, you might also export a matching inferred type, e.g. placed alongside the other type exports at the bottom:

export type RemovePaymentMethodParams = z.infer<typeof RemovePaymentMethodParamsSchema>;
apps/api/src/core/services/create-route/create-route.ts (1)

1-11: createRoute wrapper correctly enforces presence of security (consider excluding undefined)

Wrapping @hono/zod-openapi’s createRoute with a RouteConfig variant that requires security is a clean way to force explicit security declarations across the API without changing runtime behavior. If you want to be stricter and prevent security: undefined from type‑checking, you could tweak the constraint slightly:

export function createRoute<
  R extends Omit<RouteConfig, "security"> & {
    security: Exclude<Required<RouteConfig>["security"], undefined>;
  }
>(routeConfig: R) {
  return createOpenApiRoute(routeConfig);
}

That’s optional, but would fully enforce “security must be explicitly set to a concrete value” at the type level.

apps/api/.eslintrc.js (1)

3-16: Consider hardening the no-restricted-imports rule against namespace/default imports

Current config blocks only named imports of createRoute from @hono/zod-openapi. A developer could still do import * as zopenapi from "@hono/zod-openapi"; and call zopenapi.createRoute, bypassing the rule.

If you want to fully enforce using the local wrapper, consider adding an additional restricted path entry without importNames so any import from @hono/zod-openapi is disallowed, or extend the rule accordingly.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d645dd0 and 2f2cf59.

⛔ Files ignored due to path filters (1)
  • apps/api/test/functional/__snapshots__/docs.spec.ts.snap is excluded by !**/*.snap
📒 Files selected for processing (57)
  • apps/api/.eslintrc.js (1 hunks)
  • apps/api/src/address/routes/address/address.router.ts (3 hunks)
  • apps/api/src/auth/routes/api-keys/api-keys.router.ts (1 hunks)
  • apps/api/src/auth/routes/send-verification-email/send-verification-email.router.ts (2 hunks)
  • apps/api/src/auth/routes/verify-email/verify-email.router.ts (2 hunks)
  • apps/api/src/bid/routes/bids/bids.router.ts (1 hunks)
  • apps/api/src/billing/http-schemas/stripe.schema.ts (1 hunks)
  • apps/api/src/billing/http-schemas/wallet.schema.ts (1 hunks)
  • apps/api/src/billing/routes/checkout/checkout.router.ts (1 hunks)
  • apps/api/src/billing/routes/get-balances/get-balances.router.ts (1 hunks)
  • apps/api/src/billing/routes/get-wallet-list/get-wallet-list.router.ts (1 hunks)
  • apps/api/src/billing/routes/sign-and-broadcast-tx/sign-and-broadcast-tx.router.ts (1 hunks)
  • apps/api/src/billing/routes/start-trial/start-trial.router.ts (2 hunks)
  • apps/api/src/billing/routes/stripe-coupons/stripe-coupons.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-customers/stripe-customers.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts (2 hunks)
  • apps/api/src/billing/routes/stripe-prices/stripe-prices.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-transactions/stripe-transactions.router.ts (1 hunks)
  • apps/api/src/billing/routes/stripe-webhook/stripe-webhook.router.ts (2 hunks)
  • apps/api/src/billing/routes/usage/usage.router.ts (2 hunks)
  • apps/api/src/billing/routes/wallet-settings/wallet-settings.router.ts (1 hunks)
  • apps/api/src/block/routes/block-prediction/block-prediction.router.ts (3 hunks)
  • apps/api/src/block/routes/blocks/blocks.router.ts (3 hunks)
  • apps/api/src/certificate/routes/certificate.router.ts (1 hunks)
  • apps/api/src/core/services/create-route/create-route.ts (1 hunks)
  • apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/leases-duration/leases-duration.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/market-data/market-data.router.ts (2 hunks)
  • apps/api/src/dashboard/routes/network-capacity/network-capacity.router.ts (2 hunks)
  • apps/api/src/deployment/routes/deployment-setting/deployment-setting.router.ts (4 hunks)
  • apps/api/src/deployment/routes/deployments/deployments.router.ts (5 hunks)
  • apps/api/src/deployment/routes/leases/leases.router.ts (2 hunks)
  • apps/api/src/gpu/routes/gpu.router.ts (5 hunks)
  • apps/api/src/healthz/routes/healthz.router.ts (2 hunks)
  • apps/api/src/network/routes/network/network.router.ts (2 hunks)
  • apps/api/src/pricing/routes/pricing/pricing.router.ts (2 hunks)
  • apps/api/src/proposal/routes/proposals/proposals.router.ts (3 hunks)
  • apps/api/src/provider/routes/auditors/auditors.router.ts (1 hunks)
  • apps/api/src/provider/routes/jwt-token/jwt-token.router.ts (1 hunks)
  • apps/api/src/provider/routes/provider-attributes-schema/provider-attributes-schema.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-dashboard/provider-dashboard.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-earnings/provider-earnings.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-graph-data/provider-graph-data.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-regions/provider-regions.router.ts (2 hunks)
  • apps/api/src/provider/routes/provider-versions/provider-versions.router.ts (2 hunks)
  • apps/api/src/provider/routes/providers/providers.router.ts (4 hunks)
  • apps/api/src/routes/internal/financial.ts (1 hunks)
  • apps/api/src/routes/v1/trialProviders.ts (1 hunks)
  • apps/api/src/template/routes/templates/templates.router.ts (4 hunks)
  • apps/api/src/transaction/routes/transactions/transactions.router.ts (3 hunks)
  • apps/api/src/user/routes/create-anonymous-user/create-anonymous-user.router.ts (2 hunks)
  • apps/api/src/user/routes/get-anonymous-user/get-anonymous-user.router.ts (2 hunks)
  • apps/api/src/user/routes/get-current-user/get-current-user.router.ts (1 hunks)
  • apps/api/src/user/routes/register-user/register-user.router.ts (2 hunks)
  • apps/api/src/validator/routes/validators/validators.router.ts (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (35)
  • apps/api/src/routes/v1/trialProviders.ts
  • apps/api/src/dashboard/routes/network-capacity/network-capacity.router.ts
  • apps/api/src/user/routes/get-current-user/get-current-user.router.ts
  • apps/api/src/auth/routes/verify-email/verify-email.router.ts
  • apps/api/src/user/routes/create-anonymous-user/create-anonymous-user.router.ts
  • apps/api/src/dashboard/routes/leases-duration/leases-duration.router.ts
  • apps/api/src/provider/routes/auditors/auditors.router.ts
  • apps/api/src/billing/http-schemas/wallet.schema.ts
  • apps/api/src/address/routes/address/address.router.ts
  • apps/api/src/proposal/routes/proposals/proposals.router.ts
  • apps/api/src/provider/routes/provider-earnings/provider-earnings.router.ts
  • apps/api/src/provider/routes/providers/providers.router.ts
  • apps/api/src/block/routes/blocks/blocks.router.ts
  • apps/api/src/billing/routes/stripe-customers/stripe-customers.router.ts
  • apps/api/src/network/routes/network/network.router.ts
  • apps/api/src/deployment/routes/deployment-setting/deployment-setting.router.ts
  • apps/api/src/bid/routes/bids/bids.router.ts
  • apps/api/src/dashboard/routes/graph-data/graph-data.router.ts
  • apps/api/src/provider/routes/provider-regions/provider-regions.router.ts
  • apps/api/src/gpu/routes/gpu.router.ts
  • apps/api/src/deployment/routes/deployments/deployments.router.ts
  • apps/api/src/dashboard/routes/market-data/market-data.router.ts
  • apps/api/src/provider/routes/provider-attributes-schema/provider-attributes-schema.router.ts
  • apps/api/src/provider/routes/provider-versions/provider-versions.router.ts
  • apps/api/src/user/routes/register-user/register-user.router.ts
  • apps/api/src/validator/routes/validators/validators.router.ts
  • apps/api/src/billing/routes/get-wallet-list/get-wallet-list.router.ts
  • apps/api/src/auth/routes/api-keys/api-keys.router.ts
  • apps/api/src/billing/routes/stripe-coupons/stripe-coupons.router.ts
  • apps/api/src/billing/routes/stripe-transactions/stripe-transactions.router.ts
  • apps/api/src/billing/routes/stripe-webhook/stripe-webhook.router.ts
  • apps/api/src/routes/internal/financial.ts
  • apps/api/src/billing/routes/wallet-settings/wallet-settings.router.ts
  • apps/api/src/billing/routes/start-trial/start-trial.router.ts
  • apps/api/src/provider/routes/provider-graph-data/provider-graph-data.router.ts
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/general.mdc)

**/*.{ts,tsx,js}: Never use type any or cast to type any. Always define the proper TypeScript types.
Never use deprecated methods from libraries.
Don't add unnecessary comments to the code.

Files:

  • apps/api/src/template/routes/templates/templates.router.ts
  • apps/api/src/billing/routes/stripe-prices/stripe-prices.router.ts
  • apps/api/src/billing/http-schemas/stripe.schema.ts
  • apps/api/src/block/routes/block-prediction/block-prediction.router.ts
  • apps/api/src/pricing/routes/pricing/pricing.router.ts
  • apps/api/src/core/services/create-route/create-route.ts
  • apps/api/src/billing/routes/usage/usage.router.ts
  • apps/api/src/healthz/routes/healthz.router.ts
  • apps/api/src/provider/routes/jwt-token/jwt-token.router.ts
  • apps/api/src/billing/routes/checkout/checkout.router.ts
  • apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts
  • apps/api/src/deployment/routes/leases/leases.router.ts
  • apps/api/src/user/routes/get-anonymous-user/get-anonymous-user.router.ts
  • apps/api/src/certificate/routes/certificate.router.ts
  • apps/api/src/auth/routes/send-verification-email/send-verification-email.router.ts
  • apps/api/src/billing/routes/sign-and-broadcast-tx/sign-and-broadcast-tx.router.ts
  • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts
  • apps/api/src/billing/routes/get-balances/get-balances.router.ts
  • apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts
  • apps/api/src/transaction/routes/transactions/transactions.router.ts
  • apps/api/src/provider/routes/provider-dashboard/provider-dashboard.router.ts
🧠 Learnings (3)
📓 Common learnings
Learnt from: baktun14
Repo: akash-network/console PR: 1725
File: apps/api/src/utils/constants.ts:5-5
Timestamp: 2025-07-24T17:00:52.361Z
Learning: In the Akash Network Console project, when cross-cutting concerns or broader refactoring issues are identified during PR review, the preferred approach is to create a separate GitHub issue to track the work rather than expanding the scope of the current PR. This maintains focus and allows for proper planning of architectural improvements.
📚 Learning: 2025-09-25T14:31:44.914Z
Learnt from: baktun14
Repo: akash-network/console PR: 1969
File: apps/deploy-web/src/pages/payment.tsx:179-191
Timestamp: 2025-09-25T14:31:44.914Z
Learning: The payment confirmation endpoint in apps/api/src/billing/http-schemas/stripe.schema.ts uses zod schema validation with `amount: z.number().gte(20, "Amount must be greater or equal to $20")` to ensure all payment requests meet the minimum amount requirement, preventing zero-amount or invalid payments from reaching Stripe.

Applied to files:

  • apps/api/src/billing/http-schemas/stripe.schema.ts
  • apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts
📚 Learning: 2025-06-04T19:02:02.168Z
Learnt from: jzsfkzm
Repo: akash-network/console PR: 1433
File: apps/api/src/pricing/services/pricing/pricing.service.ts:0-0
Timestamp: 2025-06-04T19:02:02.168Z
Learning: In the Akash Console API codebase, input validation is handled at the router level using zod schemas rather than duplicating validation in service layers. The PricingService relies on the router's schema validation to ensure valid inputs.

Applied to files:

  • apps/api/src/pricing/routes/pricing/pricing.router.ts
🧬 Code graph analysis (13)
apps/api/src/template/routes/templates/templates.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/block/routes/block-prediction/block-prediction.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/pricing/routes/pricing/pricing.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/billing/routes/usage/usage.router.ts (2)
apps/api/src/core/services/create-route/create-route.ts (1)
  • createRoute (5-11)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/healthz/routes/healthz.router.ts (2)
apps/api/src/core/services/create-route/create-route.ts (1)
  • createRoute (5-11)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/deployment/routes/leases/leases.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/auth/routes/send-verification-email/send-verification-email.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts (4)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_BEARER_OR_API_KEY (5-5)
apps/api/src/billing/http-schemas/stripe.schema.ts (1)
  • RemovePaymentMethodParamsSchema (218-227)
apps/api/src/billing/controllers/stripe/stripe.controller.ts (1)
  • removePaymentMethod (129-151)
packages/http-sdk/src/stripe/stripe.service.ts (1)
  • removePaymentMethod (32-34)
apps/api/src/billing/routes/get-balances/get-balances.router.ts (3)
apps/api/src/dashboard/routes/leases-duration/leases-duration.router.ts (1)
  • route (17-40)
apps/api/src/core/services/create-route/create-route.ts (1)
  • createRoute (5-11)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/transaction/routes/transactions/transactions.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
apps/api/src/provider/routes/provider-dashboard/provider-dashboard.router.ts (1)
apps/api/src/core/services/openapi-docs/openapi-security.ts (1)
  • SECURITY_NONE (6-6)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: validate / validate-app
  • GitHub Check: test-build
🔇 Additional comments (24)
apps/api/src/transaction/routes/transactions/transactions.router.ts (3)

3-5: LGTM! Import migration successfully implements security enforcement.

The migration from the external @hono/zod-openapi to the local createRoute wrapper, along with the addition of SECURITY_NONE, aligns with the PR objective to enforce explicit security declarations in routing.


16-35: LGTM! Appropriate security configuration for public transaction list endpoint.

The explicit security: SECURITY_NONE declaration correctly identifies this as a public endpoint, which is appropriate for a read-only blockchain transaction list API.


43-65: LGTM! Appropriate security configuration for public transaction lookup endpoint.

The explicit security: SECURITY_NONE declaration correctly identifies this as a public endpoint, which is appropriate for a read-only blockchain transaction lookup API.

apps/api/src/billing/routes/stripe-prices/stripe-prices.router.ts (1)

5-5: LGTM! Import migration to internal wrapper.

The import change aligns with the PR objective to use the internal createRoute wrapper for enforcing security metadata.

apps/api/src/user/routes/get-anonymous-user/get-anonymous-user.router.ts (2)

4-4: LGTM! Import migration to internal wrapper.

The import change aligns with the PR objective.


18-18: LGTM! Path parameter syntax updated to OpenAPI standard.

The change from :id to {id} aligns with OpenAPI path parameter conventions, which the internal createRoute wrapper likely enforces.

apps/api/src/provider/routes/jwt-token/jwt-token.router.ts (1)

4-4: LGTM! Import migration to internal wrapper.

The import change aligns with the PR objective to use the internal createRoute wrapper.

apps/api/src/billing/routes/sign-and-broadcast-tx/sign-and-broadcast-tx.router.ts (1)

5-5: LGTM! Import migration to internal wrapper.

The import change aligns with the PR objective.

apps/api/src/certificate/routes/certificate.router.ts (1)

3-3: LGTM! Import migration to internal wrapper.

The import change aligns with the PR objective.

apps/api/src/dashboard/routes/dashboard-data/dashboard-data.router.ts (2)

3-5: LGTM! Import migration and security metadata added.

The changes align perfectly with the PR objective:

  • Migrated to internal createRoute wrapper
  • Added explicit SECURITY_NONE import

15-15: LGTM! Explicit security metadata enforced.

Adding security: SECURITY_NONE makes it clear that this public dashboard endpoint requires no authentication. This enhances code clarity and aligns with the PR's security enforcement goal.

apps/api/src/pricing/routes/pricing/pricing.router.ts (2)

3-5: LGTM! Import migration and security metadata added.

The changes align with the PR objective:

  • Migrated to internal createRoute wrapper
  • Added explicit SECURITY_NONE import

15-15: LGTM! Explicit security metadata enforced.

Adding security: SECURITY_NONE makes it clear that this pricing estimation endpoint is public. This enhances security awareness and aligns with the PR's enforcement goal.

apps/api/src/provider/routes/provider-deployments/provider-deployments.router.ts (2)

3-5: LGTM! Import migration and security metadata added.

The changes align with the PR objective:

  • Migrated to internal createRoute wrapper
  • Added explicit SECURITY_NONE import

18-18: LGTM! Explicit security metadata enforced.

Adding security: SECURITY_NONE makes it clear that this provider deployments endpoint is public. This enhances security awareness and aligns with the PR's enforcement goal.

apps/api/src/block/routes/block-prediction/block-prediction.router.ts (1)

11-55: Prediction routes: createRoute wrapper + SECURITY_NONE usage look correct

Switching to the local createRoute wrapper and explicitly setting security: SECURITY_NONE on both prediction endpoints keeps behavior (public, read‑only) while satisfying the new typing/linting constraints; this is consistent with how other public analytics-style routes are modeled in this codebase. If you later decide these should be authenticated, it’s probably worth tracking that as a separate security-policy issue rather than expanding this PR’s scope. Based on learnings, …

apps/api/src/billing/routes/checkout/checkout.router.ts (1)

5-17: Checkout route correctly migrated to local createRoute wrapper

The import swap to @src/core/services/create-route/create-route is consistent with the new pattern, and the existing security: SECURITY_BEARER_OR_API_KEY satisfies the wrapper’s requirement without changing behavior.

apps/api/src/billing/routes/usage/usage.router.ts (1)

5-40: Usage history routes: explicit SECURITY_NONE matches the wrapper, confirm intended exposure

Using the local createRoute and setting security: SECURITY_NONE on both /v1/usage/history and /v1/usage/history/stats cleanly satisfies the new requirement to always declare security and matches their read‑only nature. Please just double‑check that unauthenticated access to per‑address usage history is still the desired behavior, since this PR is making that policy explicit in the OpenAPI surface.

apps/api/src/deployment/routes/leases/leases.router.ts (1)

3-51: Leases routes: migration to createRoute and explicit SECURITY_* settings look good

Using the shared createRoute wrapper here and keeping security: SECURITY_BEARER_OR_API_KEY on the create‑lease route while adding security: SECURITY_NONE to the fallback list endpoint cleanly documents the intended security for both operations and aligns with the new enforced pattern.

apps/api/src/healthz/routes/healthz.router.ts (1)

4-25: Healthz routes: explicit unauthenticated security via createRoute is appropriate

Switching to the shared createRoute helper and setting security: SECURITY_NONE for both readiness and liveness probes matches typical health‑check expectations and aligns these endpoints with the new “security must be declared” rule.

apps/api/src/billing/routes/get-balances/get-balances.router.ts (1)

5-15: Get-balances route: createRoute migration + SECURITY_NONE are consistent with public lookup semantics

The move to the shared createRoute wrapper and adding security: SECURITY_NONE for /v1/balances is consistent with other read-only, address-based endpoints; it keeps the route unauthenticated while making the security posture explicit in types and OpenAPI. As with the usage routes, it’s worth quickly confirming that unauthenticated balance lookups remain the desired behavior.

apps/api/src/template/routes/templates/templates.router.ts (1)

3-65: Templates routes security and wrapper migration look consistent

Using the local createRoute wrapper and explicitly attaching security: SECURITY_NONE to the three public template endpoints is consistent with the project-wide security declaration pattern. These routes only expose template metadata, so documenting them as unauthenticated makes sense.

No issues spotted with the refactor.

apps/api/src/auth/routes/send-verification-email/send-verification-email.router.ts (1)

5-25: Confirm that resend verification email should be unauthenticated

The migration to the local createRoute wrapper and adding security: SECURITY_NONE is technically sound and matches the new security-typing approach.

Since /v1/send-verification-email accepts a userId and sends an email, please just double-check that exposing this as an unauthenticated endpoint is intentional and that any rate limiting/abuse protections live elsewhere (if needed). No code changes required here if that behavior is by design.

apps/api/src/billing/routes/stripe-payment-methods/stripe-payment-methods.router.ts (1)

3-12: Stripe remove payment method route refactor looks correct and improves validation

Importing RemovePaymentMethodParamsSchema, switching the delete path to /v1/stripe/payment-methods/{paymentMethodId}, wiring request: { params: RemovePaymentMethodParamsSchema }, and reading const { paymentMethodId } = c.req.valid("param"); all line up with the schema snippet and keep the route protected with SECURITY_BEARER_OR_API_KEY.

This brings the route in sync with the OpenAPI schema and ensures the parameter is validated before use.

Also applies to: 67-85
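The wrapper pattern discussed throughout the review (a local createRoute that makes `security` a required property, with SECURITY_NONE declaring a public route explicitly, plus the `{id}` path-parameter style), as an added TypeScript example that is not the project's code: RouteConfig and createOpenApiRoute are minimal stand-ins for @hono/zod-openapi, the security-scheme names, the value of SECURITY_NONE and the `:param` check are assumptions, and the audit function is a runtime complement to the compile-time check.

```typescript
// Minimal stand-ins for @hono/zod-openapi types (assumption, not the real library).
type SecurityRequirement = Record<string, string[]>;

interface RouteConfig {
  method: "get" | "post" | "delete";
  path: string;
  security?: SecurityRequirement[]; // optional upstream: the gap the wrapper closes
  summary?: string;
}

// Stand-in for the library's own createRoute: it happily accepts a config with no security.
function createOpenApiRoute<R extends RouteConfig>(config: R): R {
  return config;
}

// Security constants modelled on the page's SECURITY_NONE / SECURITY_BEARER_OR_API_KEY.
// Assumption: an empty OpenAPI security array means "no auth required"; scheme names are made up.
const SECURITY_NONE: SecurityRequirement[] = [];
const SECURITY_BEARER_OR_API_KEY: SecurityRequirement[] = [{ bearerAuth: [] }, { apiKeyAuth: [] }];

// Same config type, but `security` is now mandatory: a route that forgets it fails to compile.
type SecuredRouteConfig = RouteConfig & { security: SecurityRequirement[] };

// Express-style ":id" segments are not OpenAPI; the review notes the move to "{id}".
const EXPRESS_STYLE_PARAM = /(^|\/):[A-Za-z_]\w*/;

function createRoute<R extends SecuredRouteConfig>(config: R): R {
  if (EXPRESS_STYLE_PARAM.test(config.path)) {
    throw new Error(`use OpenAPI {param} syntax in path: ${config.path}`);
  }
  return createOpenApiRoute(config);
}

// Runtime audit over the assembled route table. It catches anything that bypassed the
// wrapper (e.g. a direct library call the ESLint no-restricted-imports rule should block).
function findRoutesWithoutSecurity(routes: RouteConfig[]): string[] {
  return routes
    .filter(r => r.security === undefined)
    .map(r => `${r.method.toUpperCase()} ${r.path}`);
}

// A route is public only when it says so explicitly with an empty security list.
function isPublic(route: RouteConfig): boolean {
  return Array.isArray(route.security) && route.security.length === 0;
}

// Constructed sample routes echoing the ones the review discusses.
const publicTransactions = createRoute({ method: "get", path: "/v1/transactions", security: SECURITY_NONE });
const removePaymentMethod = createRoute({
  method: "delete",
  path: "/v1/stripe/payment-methods/{paymentMethodId}",
  security: SECURITY_BEARER_OR_API_KEY
});
// Declared via the raw library call, so nothing forced a security declaration.
const unguardedLegacy = createOpenApiRoute({ method: "get", path: "/v1/legacy" });

const routeTable: RouteConfig[] = [publicTransactions, removePaymentMethod, unguardedLegacy];
```

Running findRoutesWithoutSecurity over the route table reports only `GET /v1/legacy`, which is exactly the class of route the ESLint rule and the typed wrapper are meant to make impossible.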

@codecov
Copy link

codecov bot commented Nov 26, 2025

Codecov Report

❌ Patch coverage is 99.05660% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 47.31%. Comparing base (335d094) to head (8a1d68a).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
...e-payment-methods/stripe-payment-methods.router.ts 50.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2276      +/-   ##
==========================================
- Coverage   47.56%   47.31%   -0.26%     
==========================================
  Files        1033     1024       -9     
  Lines       29249    28945     -304     
  Branches     7587     7546      -41     
==========================================
- Hits        13912    13694     -218     
- Misses      14843    14858      +15     
+ Partials      494      393     -101     
Flag Coverage Δ *Carryforward flag
api 82.18% <99.05%> (+0.09%) ⬆️
deploy-web 26.39% <ø> (ø) Carriedforward from 2f2cf59
log-collector ?
notifications 87.94% <ø> (ø) Carriedforward from 2f2cf59
provider-console 81.48% <ø> (ø) Carriedforward from 2f2cf59
provider-proxy 84.47% <ø> (ø) Carriedforward from 2f2cf59

*This pull request uses carry forward flags.

Files with missing lines Coverage Δ
...s/api/src/address/routes/address/address.router.ts 100.00% <100.00%> (ø)
...ps/api/src/auth/routes/api-keys/api-keys.router.ts 100.00% <100.00%> (ø)
...rification-email/send-verification-email.router.ts 83.33% <100.00%> (+1.51%) ⬆️
...rc/auth/routes/verify-email/verify-email.router.ts 100.00% <100.00%> (ø)
apps/api/src/bid/routes/bids/bids.router.ts 100.00% <100.00%> (ø)
apps/api/src/billing/http-schemas/stripe.schema.ts 100.00% <100.00%> (ø)
apps/api/src/billing/http-schemas/wallet.schema.ts 61.90% <100.00%> (ø)
...api/src/billing/routes/checkout/checkout.router.ts 90.00% <100.00%> (ø)
...billing/routes/get-balances/get-balances.router.ts 100.00% <100.00%> (ø)
...g/routes/get-wallet-list/get-wallet-list.router.ts 100.00% <100.00%> (ø)
... and 46 more

... and 40 files with indirect coverage changes


@stalniy stalniy merged commit c9a777f into akash-network:main Nov 26, 2025
62 checks passed