fix: enforce contact book ownership

[KMKoushik]

Summary

• scope contact updates/deletes to the requested contact book in public API
• enforce contact ownership for TRPC contact mutations
• return consistent 404s when contacts are outside the book

Verification

• not run (not requested)

---

Summary by cubic

Enforces contact book ownership for update/delete across TRPC and the Public API. Blocks cross-book access and returns consistent 404s when a contact is outside the requested book.

• Bug Fixes
  • TRPC update/delete now check contactBook.id and throw NOT_FOUND when contact isn’t in the book.
  • Public API update/delete verify book ownership and return UnsendApiError NOT_FOUND.
  • Service layer adds get/update/delete helpers scoped to a contact book to centralize checks.

^{Written for commit 2049909. Summary will update on new commits.}

Summary by CodeRabbit

Release Notes

• Improvements
  • Enhanced error handling and validation for contact operations. Contact updates and deletions now include proper existence checks and return clearer error messages when contacts are not found.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
unsend-marketing	Ready	Preview, Comment	Jan 17, 2026 7:04am

[coderabbitai]

Walkthrough

This pull request refactors contact management operations to enforce contact book context throughout the service layer. The changes introduce new service functions (getContactInContactBook, updateContactInContactBook, deleteContactInContactBook) that require both contact ID and contact book ID as parameters, replacing the previous context-agnostic equivalents. The TRPC mutations now extract contactBook from context and pass its ID to these operations. Public API handlers are updated to retrieve the contact book and use the new service functions. Error handling is added to return NOT_FOUND errors when operations fail to find the target contact.

Possibly related PRs

• fix: contact update mutation #265: Modifies the contact update mutation in the same contacts router file to refactor how contactBookId is sourced and used in the update operation.

Suggested labels

hacktoberfest-accepted

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: enforce contact book ownership' directly aligns with the PR's main objective of scoping contact operations to specific contact books and enforcing ownership verification.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying usesend with    Cloudflare Pages

Latest commit:	2049909
Status:	✅  Deploy successful!
Preview URL:	https://c46dad15.usesend.pages.dev
Branch Preview URL:	https://fix-contact-book-contact-own.usesend.pages.dev

View logs

[cubic-dev-ai]

No issues found across 4 files