Skip to content

chore(admin): typesafe API client + TanStack Query rails (#7638)#7695

Merged
JohnMcLear merged 3 commits into
ether:developfrom
JohnMcLear:chore/admin-typesafe-api-7638-upstream
May 10, 2026
Merged

chore(admin): typesafe API client + TanStack Query rails (#7638)#7695
JohnMcLear merged 3 commits into
ether:developfrom
JohnMcLear:chore/admin-typesafe-api-7638-upstream

Conversation

@JohnMcLear
Copy link
Copy Markdown
Member

@JohnMcLear JohnMcLear commented May 7, 2026

Summary

Lays down the rails for a typesafe, OpenAPI-derived admin API client backed by TanStack Query. Closes #7638.

  • Codegen toolchain (pnpm --filter admin gen:api) producing admin/src/api/schema.d.ts and admin/src/api/version.ts from src/node/hooks/express/openapi.ts.
  • Runtime client (openapi-fetch + openapi-react-query) at admin/src/api/client.ts with baseUrl = \/api/${LATEST_API_VERSION}`so calls land at/api//createGroup`.
  • <QueryProvider> mounted at the admin root with dev-only React Query devtools (verified absent from the production bundle).
  • CI freshness check on the generated files folded into frontend-admin-tests.yml.
  • admin/README.md documenting the workflow.

No call sites migrated. Admin endpoints aren't in the OpenAPI spec yet — that gap is filed as #7693 and must land before any migration is useful.

Why one squashed commit

This was developed iteratively on the fork (JohnMcLear#2 — merged into the fork's develop) with 16 small fixup commits along the way (Windows shell, Dockerfile workspace yaml, lockfile overrides, baseUrl emit, etc.). Squashed for upstream so review is one cohesive change rather than the back-and-forth.

Semver

Patch — build tooling + currently-unused runtime libs, no observable behavior change.

Test plan

  • pnpm --filter admin gen:api runs clean (48 paths, OpenAPI 3.0.2, version 1.3.1)
  • pnpm --filter admin run build succeeds; production bundle excludes ReactQueryDevtools
  • pnpm --filter admin test passes (smoke test: 1 pass)
  • pnpm ts-check clean for admin/openapi files
  • Dev server boots and lazy-loads @tanstack/react-query-devtools (verified import.meta.env.DEV === true and the lazy import is rendered)

🤖 Generated with Claude Code

@JohnMcLear @claude
chore(admin): typesafe API client + TanStack Query rails (ether#7638) (
b97baa3 
…#2)

* docs(admin): design for typesafe API client + TanStack Query rails (ether#7638)

Rails-only scope: codegen toolchain, runtime client, and provider — no
call-site migrations. Admin endpoints are not yet covered by the OpenAPI
spec, so a separate issue will follow before any migration is useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): implementation plan for typesafe API client rails (ether#7638)

Step-by-step task breakdown for the rails-only PR: codegen toolchain,
runtime client, TanStack Query provider, CI freshness check, docs. No
call-site migrations until admin endpoints are added to the OpenAPI
spec (separate follow-up).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): export generateDefinitionForVersion from openapi hook

Required by the admin codegen script (ether#7638) to dump the OpenAPI spec
without booting Express. No behavior change for the request hook.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): add OpenAPI codegen + TanStack Query deps (ether#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): add OpenAPI spec dump entry (ether#7638)

Loaded via tsx by gen-api.mjs in the next commit. Writes JSON to a file
path argument so log4js stdout output (from Settings init) does not
pollute the spec output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): wire OpenAPI codegen into build (ether#7638)

Adds gen:api script and amends build/build-copy to regenerate
admin/src/api/schema.d.ts before compiling. The generated file is
checked in so it shows up in PR review and so a fresh checkout doesn't
need codegen to typecheck.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): typed openapi-fetch + react-query client (ether#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): TanStack Query provider, dev-only devtools (ether#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): mount TanStack Query provider at root (ether#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(admin): smoke test for typed openapi-fetch client (ether#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(admin): verify generated OpenAPI schema is up to date (ether#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): document OpenAPI codegen workflow (ether#7638)

Replaces the default Vite scaffold README with admin-specific scripts
table and codegen workflow notes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(admin): exclude __tests__ from tsc include (ether#7638)

The smoke test imports node:test/node:assert which need @types/node.
Admin source is browser-only, so excluding __tests__ from the production
typecheck is cleaner than adding Node types to the bundle config. The
test still runs under tsx, which doesn't share this constraint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: regenerate lockfile with pnpm 10 to restore overrides block (ether#7638)

Adding admin deps with pnpm 11 stripped the top-level \`overrides:\`
section from pnpm-lock.yaml, which CI uses pnpm 10 to verify. Result:
ERR_PNPM_LOCKFILE_CONFIG_MISMATCH on every job. Re-running pnpm 10
\`install --lockfile-only\` restores the overrides block; the new admin
package entries land in the same commit. Two stale lockfile entries
not present in package.json (\`serialize-javascript\` version pin and
\`uuid@<14.0.0\`) were normalized by the regen — package.json is the
source of truth for those.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(docker): preserve strictDepBuilds=false in trimmed workspace yaml (ether#7638)

Adding tsx as an admin devDep brings esbuild@0.27.x into the resolved
subgraph, and the Dockerfile's runtime stage was overwriting
pnpm-workspace.yaml with a stripped-down version that lost the
strictDepBuilds=false setting from the source repo. With pnpm 10's
default of strictDepBuilds=true, the install then errors on
ERR_PNPM_IGNORED_BUILDS for esbuild + scarf rather than warning.

Restore the strictDepBuilds=false and the @scarf/scarf ignore in the
trimmed yaml so the production install matches develop's behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): point client baseUrl at /api/<version> via codegen (ether#7638)

Qodo flagged: with baseUrl='/' and schema paths like '/createGroup',
calls landed at /createGroup, but the backend mounts the FLAT-style
spec under /api/<version>/. So once a call site lands, every request
404s.

gen:api now also emits admin/src/api/version.ts containing
LATEST_API_VERSION (read from info.version in the spec) and a derived
API_BASE_URL = `/api/<version>`. client.ts imports API_BASE_URL.
Workflow freshness check covers both generated files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(admin): cross-platform spawn in gen-api.mjs (ether#7638)

Windows CI failed because spawnSync('pnpm', ...) cannot resolve
pnpm.cmd without a shell. Set shell:true on win32 only so Linux/macOS
runs avoid Node's DEP0190 warning. All spawn args are literal strings,
so the shell variant is not an injection risk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@qodo-code-review
Copy link
Copy Markdown

qodo-code-review Bot commented May 7, 2026 

ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one.

@JohnMcLear
Copy link
Copy Markdown
Member Author

JohnMcLear commented May 7, 2026

/review

@qodo-code-review
Copy link
Copy Markdown

qodo-code-review Bot commented May 7, 2026 

ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one.

@qodo-free-for-open-source-projects
Copy link
Copy Markdown

qodo-free-for-open-source-projects Bot commented May 7, 2026
edited
Loading

Code Review by Qodo

🐞 Bugs (6) 📘 Rule violations (0) 📎 Requirement gaps (5)

Grey Divider


Action required

1. Schema lacks /admin-auth paths 📎 Requirement gap ≡ Correctness
Description 
The generated admin/src/api/schema.d.ts does not include any /admin-auth/* (or /admin/*)
paths, and the updated README explicitly notes admin endpoints are not yet in the OpenAPI spec. This
fails the requirement that the OpenAPI-derived admin schema reflects the admin UI
authentication/admin endpoint surface.
Code

admin/src/api/schema.d.ts[R9-31]

+export interface paths {
+    "/createGroup": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /** creates a new group */
+        get: operations["createGroupUsingGET"];
+        put?: never;
+        /** creates a new group */
+        post: operations["createGroupUsingPOST"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
+    "/createGroupIfNotExistsFor": {
+        parameters: {
+            query?: never;
+            header?: never;
Evidence 
PR Compliance IDs 1 and 3 require /admin-auth/* (and admin surfaces) to be present in the OpenAPI
definitions and appear as typed paths in the generated admin/src/api/schema.d.ts. The generated
schema shows only public API-style paths (for example, /createGroup) and the README states the
admin endpoints are not yet present in the spec.

OpenAPI spec includes /admin-auth/* endpoints used by the admin UI
Admin typed API schema (admin/src/api/schema.d.ts) exposes admin endpoints after codegen
admin/src/api/schema.d.ts[9-31]
admin/README.md[65-67]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The generated admin OpenAPI TypeScript schema does not expose any `/admin-auth/*` or `/admin/*` typed paths, so the new typed client cannot be used for real admin UI traffic.
## Issue Context
The compliance checklist requires the OpenAPI spec (and therefore the generated `admin/src/api/schema.d.ts`) to include the admin authentication and admin endpoint surfaces.
## Fix Focus Areas
- src/node/hooks/express/openapi.ts[769-774]
- admin/src/api/schema.d.ts[9-31]
- admin/README.md[65-67]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

2. Generated API files committed ✓ Resolved 📘 Rule violation ⚙ Maintainability
Description 
This PR adds/updates generated artifacts (admin/src/api/schema.d.ts and
admin/src/api/version.ts) and documents that they are checked in. Committing generated outputs
violates the requirement to avoid committing build/runtime-generated artifacts.
Code

admin/src/api/version.ts[R1-5]

+// GENERATED — do not edit. Run `pnpm --filter admin gen:api` to regenerate.
+// Source: src/node/hooks/express/openapi.ts (#7638)
+
+export const LATEST_API_VERSION = "1.3.1";
+export const API_BASE_URL = `/api/${LATEST_API_VERSION}`;
Evidence 
PR Compliance ID 10 forbids committing generated build/runtime artifacts. The added files are
explicitly marked GENERATED — do not edit, and CI/README are set up around committing these
generated outputs.

admin/src/api/schema.d.ts[1-7]
admin/src/api/version.ts[1-5]
admin/README.md[34-41]
.github/workflows/frontend-admin-tests.yml[71-80]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Generated OpenAPI outputs (`admin/src/api/schema.d.ts` and `admin/src/api/version.ts`) are committed and CI enforces that they remain committed and up to date.
## Issue Context
The compliance checklist requires that generated build/runtime artifacts not be committed.
## Fix Focus Areas
- admin/src/api/schema.d.ts[1-7]
- admin/src/api/version.ts[1-5]
- admin/README.md[34-53]
- .github/workflows/frontend-admin-tests.yml[71-80]
- admin/package.json[7-13]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

3. Windows gen:api arg splitting 🐞 Bug ☼ Reliability
Description 
admin/scripts/gen-api.mjs uses shell: true on Windows while passing file paths (tmpdir + repo
paths) as arguments; if those paths contain spaces (common in Windows user temp dirs), cmd.exe
tokenization can break the pnpm exec ...  calls and make pnpm gen:api fail.
Code

admin/scripts/gen-api.mjs[R16-44]

+const tmpDir = mkdtempSync(path.join(tmpdir(), 'etherpad-openapi-'));
+const specPath = path.join(tmpDir, 'spec.json');
+
+// On Windows pnpm resolves to pnpm.cmd, which spawnSync can only find via a
+// shell. Use shell on Windows only to avoid Node's DEP0190 warning elsewhere.
+// Every argument here is fixed (no user input) so the shell:true variant is
+// not an injection risk.
+const spawnOpts = {
+  cwd: adminRoot,
+  stdio: 'inherit',
+  shell: process.platform === 'win32',
+};
+
+try {
+  const dump = spawnSync(
+    'pnpm',
+    ['exec', 'tsx', 'scripts/dump-spec.ts', specPath],
+    spawnOpts,
+  );
+  if (dump.status !== 0) {
+    console.error(`dump-spec.ts failed with exit code ${dump.status}`);
+    process.exit(dump.status ?? 1);
+  }
+
+  const gen = spawnSync(
+    'pnpm',
+    ['exec', 'openapi-typescript', specPath, '-o', outFile],
+    spawnOpts,
+  );
Evidence 
The script enables shell on win32 and passes specPath (built under tmpdir()) directly as a
spawn argument; with shell: true, Windows shell parsing becomes part of the execution path and can
mis-handle unquoted arguments that include spaces.

admin/scripts/gen-api.mjs[16-44]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`admin/scripts/gen-api.mjs` sets `shell: process.platform === 'win32'` and then calls `spawnSync('pnpm', [..., specPath], spawnOpts)`. On Windows, enabling the shell can cause argument parsing issues for paths that include spaces (common for user temp directories), breaking `pnpm gen:api`.
### Issue Context
The script enables `shell` only to make `pnpm` resolvable on Windows. This can be solved without `shell: true` by invoking the correct executable name on Windows.
### Fix Focus Areas
- admin/scripts/gen-api.mjs[19-54]
### Suggested change
- Use `const pnpmCmd = process.platform === 'win32' ? 'pnpm.cmd' : 'pnpm';`
- Keep `shell: false` (or omit it) in `spawnOpts`.
- Replace both `spawnSync('pnpm', ...)` calls with `spawnSync(pnpmCmd, ...)`.
This avoids cmd.exe parsing entirely while still working on Windows.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

View more (8)
4. schema.d.ts missing /admin-auth paths 📎 Requirement gap ≡ Correctness
Description 
The generated admin OpenAPI schema/types do not include any /admin-auth/* operations, so the typed
client cannot cover the admin authentication endpoints the UI uses. This fails the requirement that
/admin-auth/* be represented in the OpenAPI output used for codegen.
Code

admin/README.md[R65-67]

+The admin endpoints are not yet present in the OpenAPI spec — this client is
+in place to support upcoming work (see issue #7638 follow-up). For now, it is
+exercised only by the smoke test.
Evidence 
PR Compliance ID 1 requires /admin-auth/* routes to be documented in the OpenAPI output and
present in the generated schema.d.ts. The updated admin README states the admin endpoints are not
yet present in the OpenAPI spec, and the generated paths type shows only non-admin endpoints (no
/admin-auth/* entries).

OpenAPI spec includes /admin-auth/* endpoints used by the admin UI
admin/README.md[65-67]
admin/src/api/schema.d.ts[9-31]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The OpenAPI-generated admin types do not include `/admin-auth/*` operations, so the typed client cannot be used for existing admin auth calls.
## Issue Context
The admin schema is generated from the OpenAPI hook output, and the compliance requirement for this PR expects `/admin-auth/*` endpoints to be included in that output so `admin/src/api/schema.d.ts` exposes typed paths/operations.
## Fix Focus Areas
- src/node/hooks/express/openapi.ts[422-575]
- admin/src/api/schema.d.ts[9-31]
- admin/README.md[65-67]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

5. Generated schema committed ✓ Resolved 📘 Rule violation ⚙ Maintainability
Description 
This PR adds generated files (admin/src/api/schema.d.ts, admin/src/api/version.ts) and
documents/enforces committing them via CI. This violates the policy against committing generated
build/runtime artifacts.
Code

admin/src/api/schema.d.ts[R1-7]

+// GENERATED — do not edit. Run `pnpm --filter admin gen:api` to regenerate.
+// Source: src/node/hooks/express/openapi.ts (#7638)
+/**
+ * This file was auto-generated by openapi-typescript.
+ * Do not make direct changes to the file.
+ */
Evidence 
PR Compliance ID 13 forbids committing generated artifacts. The added schema and version files are
explicitly marked GENERATED, the README states both generated files are checked in, and CI
instructs contributors to commit regenerated outputs when they differ.

admin/src/api/schema.d.ts[1-7]
admin/src/api/version.ts[1-5]
admin/README.md[34-40]
.github/workflows/frontend-admin-tests.yml[71-80]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are committed and CI enforces that workflow, which violates the repository compliance rule against committing generated artifacts.
## Issue Context
The generator is already wired into the admin build (`pnpm gen:api`), so the repo can instead generate these files during build/CI without storing outputs in git.
## Fix Focus Areas
- admin/src/api/schema.d.ts[1-7]
- admin/src/api/version.ts[1-5]
- admin/package.json[7-20]
- .github/workflows/frontend-admin-tests.yml[71-80]
- admin/README.md[34-40]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

6. schema.d.ts missing /admin-auth paths 📎 Requirement gap ≡ Correctness
Description 
The generated admin OpenAPI schema/types do not include any /admin-auth/* operations, so the typed
client cannot cover the admin authentication endpoints the UI uses. This fails the requirement that
/admin-auth/* be represented in the OpenAPI output used for codegen.
Code

admin/README.md[R65-67]

+The admin endpoints are not yet present in the OpenAPI spec — this client is
+in place to support upcoming work (see issue #7638 follow-up). For now, it is
+exercised only by the smoke test.
Evidence 
PR Compliance ID 1 requires /admin-auth/* routes to be documented in the OpenAPI output and
present in the generated schema.d.ts. The updated admin README states the admin endpoints are not
yet present in the OpenAPI spec, and the generated paths type shows only non-admin endpoints (no
/admin-auth/* entries).

OpenAPI spec includes /admin-auth/* endpoints used by the admin UI
admin/README.md[65-67]
admin/src/api/schema.d.ts[9-31]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The OpenAPI-generated admin types do not include `/admin-auth/*` operations, so the typed client cannot be used for existing admin auth calls.
## Issue Context
The admin schema is generated from the OpenAPI hook output, and the compliance requirement for this PR expects `/admin-auth/*` endpoints to be included in that output so `admin/src/api/schema.d.ts` exposes typed paths/operations.
## Fix Focus Areas
- src/node/hooks/express/openapi.ts[422-575]
- admin/src/api/schema.d.ts[9-31]
- admin/README.md[65-67]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

7. Generated schema committed ✓ Resolved 📘 Rule violation ⚙ Maintainability
Description 
This PR adds generated files (admin/src/api/schema.d.ts, admin/src/api/version.ts) and
documents/enforces committing them via CI. This violates the policy against committing generated
build/runtime artifacts.
Code

admin/src/api/schema.d.ts[R1-7]

+// GENERATED — do not edit. Run `pnpm --filter admin gen:api` to regenerate.
+// Source: src/node/hooks/express/openapi.ts (#7638)
+/**
+ * This file was auto-generated by openapi-typescript.
+ * Do not make direct changes to the file.
+ */
Evidence 
PR Compliance ID 13 forbids committing generated artifacts. The added schema and version files are
explicitly marked GENERATED, the README states both generated files are checked in, and CI
instructs contributors to commit regenerated outputs when they differ.

admin/src/api/schema.d.ts[1-7]
admin/src/api/version.ts[1-5]
admin/README.md[34-40]
.github/workflows/frontend-admin-tests.yml[71-80]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are committed and CI enforces that workflow, which violates the repository compliance rule against committing generated artifacts.
## Issue Context
The generator is already wired into the admin build (`pnpm gen:api`), so the repo can instead generate these files during build/CI without storing outputs in git.
## Fix Focus Areas
- admin/src/api/schema.d.ts[1-7]
- admin/src/api/version.ts[1-5]
- admin/package.json[7-20]
- .github/workflows/frontend-admin-tests.yml[71-80]
- admin/README.md[34-40]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

8. schema.d.ts missing /admin-auth paths 📎 Requirement gap ≡ Correctness
Description 
The generated admin OpenAPI schema/types do not include any /admin-auth/* operations, so the typed
client cannot cover the admin authentication endpoints the UI uses. This fails the requirement that
/admin-auth/* be represented in the OpenAPI output used for codegen.
Code

admin/README.md[R65-67]

+The admin endpoints are not yet present in the OpenAPI spec — this client is
+in place to support upcoming work (see issue #7638 follow-up). For now, it is
+exercised only by the smoke test.
Evidence 
PR Compliance ID 1 requires /admin-auth/* routes to be documented in the OpenAPI output and
present in the generated schema.d.ts. The updated admin README states the admin endpoints are not
yet present in the OpenAPI spec, and the generated paths type shows only non-admin endpoints (no
/admin-auth/* entries).

OpenAPI spec includes /admin-auth/* endpoints used by the admin UI
admin/README.md[65-67]
admin/src/api/schema.d.ts[9-31]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The OpenAPI-generated admin types do not include `/admin-auth/*` operations, so the typed client cannot be used for existing admin auth calls.
## Issue Context
The admin schema is generated from the OpenAPI hook output, and the compliance requirement for this PR expects `/admin-auth/*` endpoints to be included in that output so `admin/src/api/schema.d.ts` exposes typed paths/operations.
## Fix Focus Areas
- src/node/hooks/express/openapi.ts[422-575]
- admin/src/api/schema.d.ts[9-31]
- admin/README.md[65-67]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

9. Generated schema committed ✓ Resolved 📘 Rule violation ⚙ Maintainability
Description 
This PR adds generated files (admin/src/api/schema.d.ts, admin/src/api/version.ts) and
documents/enforces committing them via CI. This violates the policy against committing generated
build/runtime artifacts.
Code

admin/src/api/schema.d.ts[R1-7]

+// GENERATED — do not edit. Run `pnpm --filter admin gen:api` to regenerate.
+// Source: src/node/hooks/express/openapi.ts (#7638)
+/**
+ * This file was auto-generated by openapi-typescript.
+ * Do not make direct changes to the file.
+ */
Evidence 
PR Compliance ID 13 forbids committing generated artifacts. The added schema and version files are
explicitly marked GENERATED, the README states both generated files are checked in, and CI
instructs contributors to commit regenerated outputs when they differ.

admin/src/api/schema.d.ts[1-7]
admin/src/api/version.ts[1-5]
admin/README.md[34-40]
.github/workflows/frontend-admin-tests.yml[71-80]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are committed and CI enforces that workflow, which violates the repository compliance rule against committing generated artifacts.
## Issue Context
The generator is already wired into the admin build (`pnpm gen:api`), so the repo can instead generate these files during build/CI without storing outputs in git.
## Fix Focus Areas
- admin/src/api/schema.d.ts[1-7]
- admin/src/api/version.ts[1-5]
- admin/package.json[7-20]
- .github/workflows/frontend-admin-tests.yml[71-80]
- admin/README.md[34-40]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

10. schema.d.ts missing /admin-auth paths 📎 Requirement gap ≡ Correctness
Description 
The generated admin OpenAPI schema/types do not include any /admin-auth/* operations, so the typed
client cannot cover the admin authentication endpoints the UI uses. This fails the requirement that
/admin-auth/* be represented in the OpenAPI output used for codegen.
Code

admin/README.md[R65-67]

+The admin endpoints are not yet present in the OpenAPI spec — this client is
+in place to support upcoming work (see issue #7638 follow-up). For now, it is
+exercised only by the smoke test.
Evidence 
PR Compliance ID 1 requires /admin-auth/* routes to be documented in the OpenAPI output and
present in the generated schema.d.ts. The updated admin README states the admin endpoints are not
yet present in the OpenAPI spec, and the generated paths type shows only non-admin endpoints (no
/admin-auth/* entries).

OpenAPI spec includes /admin-auth/* endpoints used by the admin UI
admin/README.md[65-67]
admin/src/api/schema.d.ts[9-31]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The OpenAPI-generated admin types do not include `/admin-auth/*` operations, so the typed client cannot be used for existing admin auth calls.
## Issue Context
The admin schema is generated from the OpenAPI hook output, and the compliance requirement for this PR expects `/admin-auth/*` endpoints to be included in that output so `admin/src/api/schema.d.ts` exposes typed paths/operations.
## Fix Focus Areas
- src/node/hooks/express/openapi.ts[422-575]
- admin/src/api/schema.d.ts[9-31]
- admin/README.md[65-67]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

11. Generated schema committed ✓ Resolved 📘 Rule violation ⚙ Maintainability
Description 
This PR adds generated files (admin/src/api/schema.d.ts, admin/src/api/version.ts) and
documents/enforces committing them via CI. This violates the policy against committing generated
build/runtime artifacts.
Code

admin/src/api/schema.d.ts[R1-7]

+// GENERATED — do not edit. Run `pnpm --filter admin gen:api` to regenerate.
+// Source: src/node/hooks/express/openapi.ts (#7638)

+/**
+ * This file was auto-generated by openapi-typescript.
+ * Do not make direct changes to the file.
+ */
Evidence 
PR Compliance ID 13 forbids committing generated artifacts. The added schema and version files are
explicitly marked GENERATED, the README states both generated files are checked in, and CI
instructs contributors to commit regenerated outputs when they differ.

admin/src/api/schema.d.ts[1-7]
admin/src/api/version.ts[1-5]
admin/README.md[34-40]
.github/workflows/frontend-admin-tests.yml[71-80]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are committed and CI enforces that workflow, which violates the repository compliance rule against committing generated artifacts.
## Issue Context
The generator is already wired into the admin build (`pnpm gen:api`), so the repo can instead generate these files during build/CI without storing outputs in git.
## Fix Focus Areas
- admin/src/api/schema.d.ts[1-7]
- admin/src/api/version.ts[1-5]
- admin/package.json[7-20]
- .github/workflows/frontend-admin-tests.yml[71-80]
- admin/README.md[34-40]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Remediation recommended

12. Devtools in runtime deps 🐞 Bug ⚙ Maintainability
Description 
@tanstack/react-query-devtools is listed under dependencies even though QueryProvider only
imports it behind import.meta.env.DEV; this forces production installs to fetch a dev-only tool
unnecessarily.
Code

admin/package.json[R16-20]

+    "@radix-ui/react-switch": "^1.2.6",
+    "@tanstack/react-query": "^5.100.9",
+    "@tanstack/react-query-devtools": "^5.100.9",
+    "openapi-fetch": "^0.17.0",
+    "openapi-react-query": "^0.5.4"
Evidence 
The package is declared as a runtime dependency, but the only usage is a dev-gated lazy import in
QueryProvider, indicating it is not needed at runtime/production installs.

admin/package.json[16-20]
admin/src/api/QueryProvider.tsx[9-15]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`@tanstack/react-query-devtools` is installed as a runtime dependency even though it is only used in development builds.
### Issue Context
`admin/src/api/QueryProvider.tsx` guards the devtools behind `import.meta.env.DEV` and a lazy import, so it does not need to be a production/runtime dependency.
### Fix Focus Areas
- admin/package.json[16-27]
### Suggested change
- Move `@tanstack/react-query-devtools` from `dependencies` to `devDependencies`.
- Keep the existing dev-only lazy import logic in `QueryProvider.tsx` unchanged.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

13. schema.d.ts not 2-space ✓ Resolved 📘 Rule violation ⚙ Maintainability
Description 
The newly added admin/src/api/schema.d.ts uses 4-space indentation (as generated), not the
required 2-space indentation. This introduces formatting that violates the project’s indentation
standard.
Code

admin/src/api/schema.d.ts[R9-27]

+export interface paths {
+    "/createGroup": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /** creates a new group */
+        get: operations["createGroupUsingGET"];
+        put?: never;
+        /** creates a new group */
+        post: operations["createGroupUsingPOST"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
Evidence 
PR Compliance ID 14 requires new/modified code to use 2-space indentation. The added paths
interface uses 4-space indentation for nested blocks (e.g., the "/createGroup" entry and its
members).

admin/src/api/schema.d.ts[9-27]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The generated `admin/src/api/schema.d.ts` does not match the required 2-space indentation style.
## Issue Context
This file is generated via `admin/scripts/gen-api.mjs` by calling `openapi-typescript`, which emits 4-space indentation by default.
## Fix Focus Areas
- admin/scripts/gen-api.mjs[40-62]
- admin/src/api/schema.d.ts[9-27]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

14. Admin build depends on backend ✓ Resolved 🐞 Bug ☼ Reliability
Description 
admin/package.json now runs gen:api during build/build-copy, and gen:api dynamically imports backend
code (src/node/hooks/express/openapi.ts) that requires server-only dependencies. If the admin
package is built in isolation (without the backend workspace deps installed), the build will fail
with module resolution/runtime import errors.
Code

admin/package.json[R8-11]

+    "gen:api": "node scripts/gen-api.mjs",
+    "build": "pnpm gen:api && tsc && vite build",
"lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0",
-    "build-copy": "tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
-    "preview": "vite preview"
+    "build-copy": "pnpm gen:api && tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
Evidence 
The build script always runs gen:api, which runs dump-spec.ts. dump-spec.ts imports the backend
OpenAPI generator module, and that module requires openapi-backend (declared in the backend package,
not admin), so admin-only installs/builds won’t have the needed runtime deps available.

admin/package.json[6-13]
admin/scripts/dump-spec.ts[21-46]
src/node/hooks/express/openapi.ts[21-28]
src/package.json[57-66]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`admin`'s `build`/`build-copy` scripts always run `gen:api`, but `gen:api` imports backend OpenAPI code that depends on backend-only node_modules. This makes isolated admin builds fragile.
### Issue Context
The generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are checked in and CI already has a freshness check.
### Fix Focus Areas
- admin/package.json[6-13]
### Suggested fix
- Remove `pnpm gen:api &&` from `build` and `build-copy` scripts (keep `gen:api` as an explicit script).
- Rely on the existing CI freshness step to enforce that generated outputs are committed.
- (Optional) Keep `pnpm gen:api` in a dedicated script like `build:regen` if you still want a one-shot regen+build command.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

View more (6)
15. schema.d.ts not 2-space ✓ Resolved 📘 Rule violation ⚙ Maintainability
Description 
The newly added admin/src/api/schema.d.ts uses 4-space indentation (as generated), not the
required 2-space indentation. This introduces formatting that violates the project’s indentation
standard.
Code

admin/src/api/schema.d.ts[R9-27]

+export interface paths {
+    "/createGroup": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /** creates a new group */
+        get: operations["createGroupUsingGET"];
+        put?: never;
+        /** creates a new group */
+        post: operations["createGroupUsingPOST"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
Evidence 
PR Compliance ID 14 requires new/modified code to use 2-space indentation. The added paths
interface uses 4-space indentation for nested blocks (e.g., the "/createGroup" entry and its
members).

admin/src/api/schema.d.ts[9-27]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The generated `admin/src/api/schema.d.ts` does not match the required 2-space indentation style.
## Issue Context
This file is generated via `admin/scripts/gen-api.mjs` by calling `openapi-typescript`, which emits 4-space indentation by default.
## Fix Focus Areas
- admin/scripts/gen-api.mjs[40-62]
- admin/src/api/schema.d.ts[9-27]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

16. Admin build depends on backend ✓ Resolved 🐞 Bug ☼ Reliability
Description 
admin/package.json now runs gen:api during build/build-copy, and gen:api dynamically imports backend
code (src/node/hooks/express/openapi.ts) that requires server-only dependencies. If the admin
package is built in isolation (without the backend workspace deps installed), the build will fail
with module resolution/runtime import errors.
Code

admin/package.json[R8-11]

+    "gen:api": "node scripts/gen-api.mjs",
+    "build": "pnpm gen:api && tsc && vite build",
 "lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0",
-    "build-copy": "tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
-    "preview": "vite preview"
+    "build-copy": "pnpm gen:api && tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
Evidence 
The build script always runs gen:api, which runs dump-spec.ts. dump-spec.ts imports the backend
OpenAPI generator module, and that module requires openapi-backend (declared in the backend package,
not admin), so admin-only installs/builds won’t have the needed runtime deps available.

admin/package.json[6-13]
admin/scripts/dump-spec.ts[21-46]
src/node/hooks/express/openapi.ts[21-28]
src/package.json[57-66]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`admin`'s `build`/`build-copy` scripts always run `gen:api`, but `gen:api` imports backend OpenAPI code that depends on backend-only node_modules. This makes isolated admin builds fragile.
### Issue Context
The generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are checked in and CI already has a freshness check.
### Fix Focus Areas
- admin/package.json[6-13]
### Suggested fix
- Remove `pnpm gen:api &&` from `build` and `build-copy` scripts (keep `gen:api` as an explicit script).
- Rely on the existing CI freshness step to enforce that generated outputs are committed.
- (Optional) Keep `pnpm gen:api` in a dedicated script like `build:regen` if you still want a one-shot regen+build command.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

17. schema.d.ts not 2-space ✓ Resolved 📘 Rule violation ⚙ Maintainability
Description 
The newly added admin/src/api/schema.d.ts uses 4-space indentation (as generated), not the
required 2-space indentation. This introduces formatting that violates the project’s indentation
standard.
Code

admin/src/api/schema.d.ts[R9-27]

+export interface paths {
+    "/createGroup": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /** creates a new group */
+        get: operations["createGroupUsingGET"];
+        put?: never;
+        /** creates a new group */
+        post: operations["createGroupUsingPOST"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
Evidence 
PR Compliance ID 14 requires new/modified code to use 2-space indentation. The added paths
interface uses 4-space indentation for nested blocks (e.g., the "/createGroup" entry and its
members).

admin/src/api/schema.d.ts[9-27]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The generated `admin/src/api/schema.d.ts` does not match the required 2-space indentation style.
## Issue Context
This file is generated via `admin/scripts/gen-api.mjs` by calling `openapi-typescript`, which emits 4-space indentation by default.
## Fix Focus Areas
- admin/scripts/gen-api.mjs[40-62]
- admin/src/api/schema.d.ts[9-27]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

18. Admin build depends on backend ✓ Resolved 🐞 Bug ☼ Reliability
Description 
admin/package.json now runs gen:api during build/build-copy, and gen:api dynamically imports backend
code (src/node/hooks/express/openapi.ts) that requires server-only dependencies. If the admin
package is built in isolation (without the backend workspace deps installed), the build will fail
with module resolution/runtime import errors.
Code

admin/package.json[R8-11]

+    "gen:api": "node scripts/gen-api.mjs",
+    "build": "pnpm gen:api && tsc && vite build",
  "lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0",
-    "build-copy": "tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
-    "preview": "vite preview"
+    "build-copy": "pnpm gen:api && tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
Evidence 
The build script always runs gen:api, which runs dump-spec.ts. dump-spec.ts imports the backend
OpenAPI generator module, and that module requires openapi-backend (declared in the backend package,
not admin), so admin-only installs/builds won’t have the needed runtime deps available.

admin/package.json[6-13]
admin/scripts/dump-spec.ts[21-46]
src/node/hooks/express/openapi.ts[21-28]
src/package.json[57-66]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`admin`'s `build`/`build-copy` scripts always run `gen:api`, but `gen:api` imports backend OpenAPI code that depends on backend-only node_modules. This makes isolated admin builds fragile.
### Issue Context
The generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are checked in and CI already has a freshness check.
### Fix Focus Areas
- admin/package.json[6-13]
### Suggested fix
- Remove `pnpm gen:api &&` from `build` and `build-copy` scripts (keep `gen:api` as an explicit script).
- Rely on the existing CI freshness step to enforce that generated outputs are committed.
- (Optional) Keep `pnpm gen:api` in a dedicated script like `build:regen` if you still want a one-shot regen+build command.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

19. schema.d.ts not 2-space ✓ Resolved 📘 Rule violation ⚙ Maintainability
Description 
The newly added admin/src/api/schema.d.ts uses 4-space indentation (as generated), not the
required 2-space indentation. This introduces formatting that violates the project’s indentation
standard.
Code

admin/src/api/schema.d.ts[R9-27]

+export interface paths {
+    "/createGroup": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /** creates a new group */
+        get: operations["createGroupUsingGET"];
+        put?: never;
+        /** creates a new group */
+        post: operations["createGroupUsingPOST"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
Evidence 
PR Compliance ID 14 requires new/modified code to use 2-space indentation. The added paths
interface uses 4-space indentation for nested blocks (e.g., the "/createGroup" entry and its
members).

admin/src/api/schema.d.ts[9-27]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The generated `admin/src/api/schema.d.ts` does not match the required 2-space indentation style.
## Issue Context
This file is generated via `admin/scripts/gen-api.mjs` by calling `openapi-typescript`, which emits 4-space indentation by default.
## Fix Focus Areas
- admin/scripts/gen-api.mjs[40-62]
- admin/src/api/schema.d.ts[9-27]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

20. Admin build depends on backend ✓ Resolved 🐞 Bug ☼ Reliability
Description 
admin/package.json now runs gen:api during build/build-copy, and gen:api dynamically imports backend
code (src/node/hooks/express/openapi.ts) that requires server-only dependencies. If the admin
package is built in isolation (without the backend workspace deps installed), the build will fail
with module resolution/runtime import errors.
Code

admin/package.json[R8-11]

+    "gen:api": "node scripts/gen-api.mjs",
+    "build": "pnpm gen:api && tsc && vite build",
   "lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0",
-    "build-copy": "tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
-    "preview": "vite preview"
+    "build-copy": "pnpm gen:api && tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
Evidence 
The build script always runs gen:api, which runs dump-spec.ts. dump-spec.ts imports the backend
OpenAPI generator module, and that module requires openapi-backend (declared in the backend package,
not admin), so admin-only installs/builds won’t have the needed runtime deps available.

admin/package.json[6-13]
admin/scripts/dump-spec.ts[21-46]
src/node/hooks/express/openapi.ts[21-28]
src/package.json[57-66]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`admin`'s `build`/`build-copy` scripts always run `gen:api`, but `gen:api` imports backend OpenAPI code that depends on backend-only node_modules. This makes isolated admin builds fragile.
### Issue Context
The generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are checked in and CI already has a freshness check.
### Fix Focus Areas
- admin/package.json[6-13]
### Suggested fix
- Remove `pnpm gen:api &&` from `build` and `build-copy` scripts (keep `gen:api` as an explicit script).
- Rely on the existing CI freshness step to enforce that generated outputs are committed.
- (Optional) Keep `pnpm gen:api` in a dedicated script like `build:regen` if you still want a one-shot regen+build command.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Advisory comments

21. Devtools shipped as dependency 🐞 Bug ⚙ Maintainability
Description 
@tanstack/react-query-devtools is listed under admin runtime dependencies even though it is only
reachable behind a dev-only conditional dynamic import in QueryProvider. This forces extra package
installation surface area for consumers without providing production runtime value.
Code

admin/package.json[R16-20]

+    "@radix-ui/react-switch": "^1.2.6",
+    "@tanstack/react-query": "^5.100.9",
+    "@tanstack/react-query-devtools": "^5.100.9",
+    "openapi-fetch": "^0.17.0",
+    "openapi-react-query": "^0.5.4"
Evidence 
QueryProvider only imports ReactQueryDevtools via a dev-only conditional dynamic import, yet the
package is declared as a runtime dependency in admin/package.json.

admin/package.json[15-21]
admin/src/api/QueryProvider.tsx[6-15]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`@tanstack/react-query-devtools` is a dev-only tool but is declared as a runtime dependency.
### Issue Context
It is only loaded behind `import.meta.env.DEV` and a lazy dynamic import.
### Fix Focus Areas
- admin/package.json[15-22]
### Suggested fix
- Move `@tanstack/react-query-devtools` from `dependencies` to `devDependencies`.
- Keep the existing lazy dynamic import in `QueryProvider.tsx` unchanged.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

22. Devtools shipped as dependency 🐞 Bug ⚙ Maintainability
Description 
@tanstack/react-query-devtools is listed under admin runtime dependencies even though it is only
reachable behind a dev-only conditional dynamic import in QueryProvider. This forces extra package
installation surface area for consumers without providing production runtime value.
Code

admin/package.json[R16-20]

+    "@radix-ui/react-switch": "^1.2.6",
+    "@tanstack/react-query": "^5.100.9",
+    "@tanstack/react-query-devtools": "^5.100.9",
+    "openapi-fetch": "^0.17.0",
+    "openapi-react-query": "^0.5.4"
Evidence 
QueryProvider only imports ReactQueryDevtools via a dev-only conditional dynamic import, yet the
package is declared as a runtime dependency in admin/package.json.

admin/package.json[15-21]
admin/src/api/QueryProvider.tsx[6-15]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`@tanstack/react-query-devtools` is a dev-only tool but is declared as a runtime dependency.
### Issue Context
It is only loaded behind `import.meta.env.DEV` and a lazy dynamic import.
### Fix Focus Areas
- admin/package.json[15-22]
### Suggested fix
- Move `@tanstack/react-query-devtools` from `dependencies` to `devDependencies`.
- Keep the existing lazy dynamic import in `QueryProvider.tsx` unchanged.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

23. Devtools shipped as dependency 🐞 Bug ⚙ Maintainability
Description 
@tanstack/react-query-devtools is listed under admin runtime dependencies even though it is only
reachable behind a dev-only conditional dynamic import in QueryProvider. This forces extra package
installation surface area for consumers without providing production runtime value.
Code

admin/package.json[R16-20]

+    "@radix-ui/react-switch": "^1.2.6",
+    "@tanstack/react-query": "^5.100.9",
+    "@tanstack/react-query-devtools": "^5.100.9",
+    "openapi-fetch": "^0.17.0",
+    "openapi-react-query": "^0.5.4"
Evidence 
QueryProvider only imports ReactQueryDevtools via a dev-only conditional dynamic import, yet the
package is declared as a runtime dependency in admin/package.json.

[admin/pack...

@qodo-free-for-open-source-projects
Copy link
Copy Markdown

qodo-free-for-open-source-projects Bot commented May 7, 2026

Review Summary by Qodo

Set up typesafe OpenAPI admin API client with TanStack Query and codegen rails

✨ Enhancement 🧪 Tests 📝 Documentation

Grey Divider

Walkthroughs

Description 
• Establishes foundational infrastructure for a typesafe, OpenAPI-derived admin API client backed by
  TanStack Query
• Implements codegen toolchain (pnpm --filter admin gen:api) that produces
  admin/src/api/schema.d.ts and admin/src/api/version.ts from the OpenAPI spec builder
• Creates runtime client (openapi-fetch + openapi-react-query) at admin/src/api/client.ts with
  automatic baseUrl configuration pointing to /api/<version>/
• Mounts <QueryProvider> at admin root with dev-only React Query devtools (excluded from
  production bundle)
• Adds CI freshness check in frontend-admin-tests.yml to ensure generated files stay synchronized
  with the source spec
• Includes comprehensive documentation (design spec, implementation plan, and updated admin README)
  explaining the workflow
• Adds smoke test verifying the API client module loads correctly
• Exports OpenAPI spec builder functions from core etherpad modules to enable external codegen
  pipeline
• No call sites migrated yet; admin endpoints must be added to OpenAPI spec before migrations are
  useful
Diagram 
flowchart LR
  A["OpenAPI Spec<br/>in Express"] -->|"dump-spec.ts"| B["OpenAPI JSON"]
  B -->|"openapi-typescript"| C["schema.d.ts<br/>version.ts"]
  C -->|"import"| D["client.ts<br/>fetchClient + $api"]
  D -->|"use"| E["React Components"]
  F["QueryProvider.tsx"] -->|"wrap"| E
  G["CI Check"] -->|"verify"| C
Loading

Grey Divider

File Changes

1. admin/src/api/schema.d.ts Code generation +3567/-0

Generated OpenAPI TypeScript schema definitions

• Generated TypeScript type definitions for the OpenAPI API schema (3568 lines)
• Includes path definitions, operation types, component schemas, and response types
• Auto-generated from src/node/hooks/express/openapi.ts via openapi-typescript
• Contains 48 API endpoints covering groups, pads, authors, sessions, and chat operations

admin/src/api/schema.d.ts

2. admin/scripts/dump-spec.ts Build tooling +46/-0

OpenAPI spec extraction utility for codegen pipeline

• New TypeScript utility script that imports the OpenAPI spec builder from etherpad source
• Dynamically loads APIHandler.ts and openapi.ts modules to extract the latest API version and
 spec definition
• Writes the flat-style OpenAPI spec as JSON to a file path provided as command-line argument
• Handles CommonJS-to-ESM module compatibility for dynamic imports

admin/scripts/dump-spec.ts

3. admin/src/api/__tests__/client.test.ts 🧪 Tests +16/-0

API client module smoke test

• Smoke test verifying the OpenAPI client module loads correctly
• Asserts that fetchClient and $api exports are present and have expected function signatures
• Catches toolchain wiring regressions (missing dependencies, bad export shapes)

admin/src/api/tests/client.test.ts

View more (13)
4. admin/src/api/client.ts ✨ Enhancement +12/-0

Typed OpenAPI fetch client with TanStack Query bindings

• Creates typed HTTP client using openapi-fetch with the generated OpenAPI schema
• Exports fetchClient for direct typed fetch requests
• Exports $api with TanStack Query hooks for reactive data fetching
• Configures baseUrl from the generated version.ts to point to /api/<version>/

admin/src/api/client.ts

5. src/node/hooks/express/openapi.ts ✨ Enhancement +3/-0

Export OpenAPI spec builder for external codegen

• Exports generateDefinitionForVersion function for external spec generation
• Exports APIPathStyle constant to allow callers to specify FLAT or REST style
• Enables the admin codegen pipeline to import and call the spec builder without booting Express

src/node/hooks/express/openapi.ts

6. admin/src/api/version.ts Code generation +5/-0

Generated API version constants

• Generated file containing the latest API version constant (LATEST_API_VERSION = "1.3.1")
• Exports API_BASE_URL computed from the version for use in the typed client
• Auto-generated by gen-api.mjs from the OpenAPI spec's info.version field

admin/src/api/version.ts

7. docs/superpowers/specs/2026-05-01-issue-7638-admin-typesafe-api-design.md 📝 Documentation +198/-0

Design specification for typesafe API client rails

• Design specification document for the typesafe admin API client and TanStack Query integration
• Documents goals, toolchain choices, codegen strategy, runtime client setup, and CI freshness
 checks
• Explains scope (rails-only, no call site migrations) and rationale for deferring admin endpoint
 coverage
• Includes definition of done, risk assessment, and branch/PR planning guidance

docs/superpowers/specs/2026-05-01-issue-7638-admin-typesafe-api-design.md

8. admin/README.md 📝 Documentation +58/-21

Admin UI documentation with API client workflow

• Replaces boilerplate Vite template documentation with project-specific content
• Documents scripts for development, API schema generation, building, testing, and linting
• Explains the OpenAPI-based typed client workflow and regeneration process
• Includes CI freshness check details and usage examples for the $api client

admin/README.md

9. admin/scripts/gen-api.mjs Build tooling +78/-0

OpenAPI schema codegen orchestration script

• Main codegen orchestration script that runs the full pipeline to regenerate schema.d.ts
• Calls dump-spec.ts to extract the OpenAPI spec, pipes it through openapi-typescript, and
 prepends a generated header
• Also generates version.ts with the latest API version extracted from the spec
• Handles Windows shell compatibility and cleans up temporary files

admin/scripts/gen-api.mjs

10. admin/src/api/QueryProvider.tsx ✨ Enhancement +40/-0

TanStack Query provider with dev-only devtools

• React context provider wrapping the app with TanStack Query's QueryClientProvider
• Configures default query options (staleTime: 30_000, refetchOnWindowFocus: true)
• Lazily imports and conditionally renders ReactQueryDevtools only in dev builds to keep
 production bundle clean

admin/src/api/QueryProvider.tsx

11. admin/tsconfig.json ⚙️ Configuration changes +1/-0

TypeScript config test exclusion

• Adds exclude pattern to skip test files from TypeScript compilation
• Prevents src/**/__tests__/** from being included in the build output

admin/tsconfig.json

12. pnpm-lock.yaml Dependencies +222/-18

Add OpenAPI codegen and TanStack Query dependencies

• Added @tanstack/react-query (5.100.9) and @tanstack/react-query-devtools (5.100.9) as runtime
 dependencies for the admin package
• Added openapi-fetch (0.17.0) and openapi-react-query (0.5.4) for typed API client
 functionality
• Added openapi-typescript (7.13.0) and tsx (4.21.0) as dev dependencies for codegen tooling
• Updated transitive dependencies including @redocly/openapi-core, @tanstack/query-core, and
 supporting packages for OpenAPI processing

pnpm-lock.yaml

13. docs/superpowers/plans/2026-05-01-issue-7638-admin-typesafe-api.md 📝 Documentation +804/-0

Detailed implementation plan for typesafe API client rails

• Comprehensive implementation plan with 11 sequential tasks for setting up the typesafe API client
 infrastructure
• Documents file structure, conventions, and step-by-step instructions for each component (spec
 export, codegen, runtime client, provider, CI checks)
• Includes risk register, test plan, and verification procedures for end-to-end validation
• Provides detailed commit messages and command sequences for reproducible implementation

docs/superpowers/plans/2026-05-01-issue-7638-admin-typesafe-api.md

14. admin/package.json ⚙️ Configuration changes +12/-4

Wire OpenAPI codegen and TanStack Query into build pipeline

• Added gen:api script to regenerate the OpenAPI schema from the spec builder
• Modified build and build-copy scripts to run pnpm gen:api before compilation
• Added test script for running smoke tests on the API client module
• Added four runtime dependencies: @tanstack/react-query, @tanstack/react-query-devtools,
 openapi-fetch, openapi-react-query
• Added two dev dependencies: openapi-typescript and tsx

admin/package.json

15. admin/src/main.tsx ✨ Enhancement +9/-6

Mount TanStack Query provider at admin root

• Imported QueryProvider from the new api/QueryProvider.tsx module
• Wrapped the existing provider tree (I18nextProvider, Toast.Provider, RouterProvider) with
 <QueryProvider> at the root level
• Maintains existing provider hierarchy while adding TanStack Query context at the outermost level

admin/src/main.tsx

16. .github/workflows/frontend-admin-tests.yml ⚙️ Configuration changes +10/-0

Add CI freshness check for generated OpenAPI schema

• Added new CI step "Verify admin OpenAPI schema is up to date" before the build step
• Runs pnpm gen:api and checks if admin/src/api/schema.d.ts or version.ts have uncommitted
 changes
• Fails the build with a clear error message if generated files are out of sync with the source spec

.github/workflows/frontend-admin-tests.yml

Grey Divider

Qodo Logo

@qodo-free-for-open-source-projects
Copy link
Copy Markdown

qodo-free-for-open-source-projects Bot commented May 7, 2026
edited
Loading

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (2) 📎 Requirement gaps (1)

Context used

Grey Divider


Action required

1. schema.d.ts missing /admin-auth paths 📎 Requirement gap ≡ Correctness
Description 
The generated admin OpenAPI schema/types do not include any /admin-auth/* operations, so the typed
client cannot cover the admin authentication endpoints the UI uses. This fails the requirement that
/admin-auth/* be represented in the OpenAPI output used for codegen.
Code

admin/README.md[R65-67]

+The admin endpoints are not yet present in the OpenAPI spec — this client is
+in place to support upcoming work (see issue #7638 follow-up). For now, it is
+exercised only by the smoke test.
Evidence 
PR Compliance ID 1 requires /admin-auth/* routes to be documented in the OpenAPI output and
present in the generated schema.d.ts. The updated admin README states the admin endpoints are not
yet present in the OpenAPI spec, and the generated paths type shows only non-admin endpoints (no
/admin-auth/* entries).

OpenAPI spec includes /admin-auth/* endpoints used by the admin UI
admin/README.md[65-67]
admin/src/api/schema.d.ts[9-31]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The OpenAPI-generated admin types do not include `/admin-auth/*` operations, so the typed client cannot be used for existing admin auth calls.

## Issue Context
The admin schema is generated from the OpenAPI hook output, and the compliance requirement for this PR expects `/admin-auth/*` endpoints to be included in that output so `admin/src/api/schema.d.ts` exposes typed paths/operations.

## Fix Focus Areas
- src/node/hooks/express/openapi.ts[422-575]
- admin/src/api/schema.d.ts[9-31]
- admin/README.md[65-67]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

2. Generated schema committed 📘 Rule violation ⚙ Maintainability
Description 
This PR adds generated files (admin/src/api/schema.d.ts, admin/src/api/version.ts) and
documents/enforces committing them via CI. This violates the policy against committing generated
build/runtime artifacts.
Code

admin/src/api/schema.d.ts[R1-7]

+// GENERATED — do not edit. Run `pnpm --filter admin gen:api` to regenerate.
+// Source: src/node/hooks/express/openapi.ts (#7638)

+/**
+ * This file was auto-generated by openapi-typescript.
+ * Do not make direct changes to the file.
+ */
Evidence 
PR Compliance ID 13 forbids committing generated artifacts. The added schema and version files are
explicitly marked GENERATED, the README states both generated files are checked in, and CI
instructs contributors to commit regenerated outputs when they differ.

admin/src/api/schema.d.ts[1-7]
admin/src/api/version.ts[1-5]
admin/README.md[34-40]
.github/workflows/frontend-admin-tests.yml[71-80]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are committed and CI enforces that workflow, which violates the repository compliance rule against committing generated artifacts.

## Issue Context
The generator is already wired into the admin build (`pnpm gen:api`), so the repo can instead generate these files during build/CI without storing outputs in git.

## Fix Focus Areas
- admin/src/api/schema.d.ts[1-7]
- admin/src/api/version.ts[1-5]
- admin/package.json[7-20]
- .github/workflows/frontend-admin-tests.yml[71-80]
- admin/README.md[34-40]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Remediation recommended

3. schema.d.ts not 2-space 📘 Rule violation ⚙ Maintainability
Description 
The newly added admin/src/api/schema.d.ts uses 4-space indentation (as generated), not the
required 2-space indentation. This introduces formatting that violates the project’s indentation
standard.
Code

admin/src/api/schema.d.ts[R9-27]

+export interface paths {
+    "/createGroup": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /** creates a new group */
+        get: operations["createGroupUsingGET"];
+        put?: never;
+        /** creates a new group */
+        post: operations["createGroupUsingPOST"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
Evidence 
PR Compliance ID 14 requires new/modified code to use 2-space indentation. The added paths
interface uses 4-space indentation for nested blocks (e.g., the "/createGroup" entry and its
members).

admin/src/api/schema.d.ts[9-27]
Best Practice: Repository guidelines

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The generated `admin/src/api/schema.d.ts` does not match the required 2-space indentation style.

## Issue Context
This file is generated via `admin/scripts/gen-api.mjs` by calling `openapi-typescript`, which emits 4-space indentation by default.

## Fix Focus Areas
- admin/scripts/gen-api.mjs[40-62]
- admin/src/api/schema.d.ts[9-27]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

4. Admin build depends on backend 🐞 Bug ☼ Reliability
Description 
admin/package.json now runs gen:api during build/build-copy, and gen:api dynamically imports backend
code (src/node/hooks/express/openapi.ts) that requires server-only dependencies. If the admin
package is built in isolation (without the backend workspace deps installed), the build will fail
with module resolution/runtime import errors.
Code

admin/package.json[R8-11]

+    "gen:api": "node scripts/gen-api.mjs",
+    "build": "pnpm gen:api && tsc && vite build",
    "lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0",
-    "build-copy": "tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
-    "preview": "vite preview"
+    "build-copy": "pnpm gen:api && tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
Evidence 
The build script always runs gen:api, which runs dump-spec.ts. dump-spec.ts imports the backend
OpenAPI generator module, and that module requires openapi-backend (declared in the backend package,
not admin), so admin-only installs/builds won’t have the needed runtime deps available.

admin/package.json[6-13]
admin/scripts/dump-spec.ts[21-46]
src/node/hooks/express/openapi.ts[21-28]
src/package.json[57-66]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`admin`'s `build`/`build-copy` scripts always run `gen:api`, but `gen:api` imports backend OpenAPI code that depends on backend-only node_modules. This makes isolated admin builds fragile.

### Issue Context
The generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are checked in and CI already has a freshness check.

### Fix Focus Areas
- admin/package.json[6-13]

### Suggested fix
- Remove `pnpm gen:api &&` from `build` and `build-copy` scripts (keep `gen:api` as an explicit script).
- Rely on the existing CI freshness step to enforce that generated outputs are committed.
- (Optional) Keep `pnpm gen:api` in a dedicated script like `build:regen` if you still want a one-shot regen+build command.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Advisory comments

5. Devtools shipped as dependency 🐞 Bug ⚙ Maintainability
Description 
@tanstack/react-query-devtools is listed under admin runtime dependencies even though it is only
reachable behind a dev-only conditional dynamic import in QueryProvider. This forces extra package
installation surface area for consumers without providing production runtime value.
Code

admin/package.json[R16-20]

+    "@radix-ui/react-switch": "^1.2.6",
+    "@tanstack/react-query": "^5.100.9",
+    "@tanstack/react-query-devtools": "^5.100.9",
+    "openapi-fetch": "^0.17.0",
+    "openapi-react-query": "^0.5.4"
Evidence 
QueryProvider only imports ReactQueryDevtools via a dev-only conditional dynamic import, yet the
package is declared as a runtime dependency in admin/package.json.

admin/package.json[15-21]
admin/src/api/QueryProvider.tsx[6-15]

Agent prompt 
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`@tanstack/react-query-devtools` is a dev-only tool but is declared as a runtime dependency.

### Issue Context
It is only loaded behind `import.meta.env.DEV` and a lazy dynamic import.

### Fix Focus Areas
- admin/package.json[15-22]

### Suggested fix
- Move `@tanstack/react-query-devtools` from `dependencies` to `devDependencies`.
- Keep the existing lazy dynamic import in `QueryProvider.tsx` unchanged.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Grey Divider

Qodo Logo

qodo-free-for-open-source-projects[bot]
qodo-free-for-open-source-projects Bot reviewed May 7, 2026
View reviewed changes
Comment thread admin/README.md
Comment on lines +65 to +67
The admin endpoints are not yet present in the OpenAPI spec — this client is
in place to support upcoming work (see issue #7638 follow-up). For now, it is
exercised only by the smoke test.
Copy link
Copy Markdown

@qodo-free-for-open-source-projects qodo-free-for-open-source-projects Bot May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. schema.d.ts missing /admin-auth paths 📎 Requirement gap ≡ Correctness

The generated admin OpenAPI schema/types do not include any /admin-auth/* operations, so the typed
client cannot cover the admin authentication endpoints the UI uses. This fails the requirement that
/admin-auth/* be represented in the OpenAPI output used for codegen.
Agent Prompt 
## Issue description
The OpenAPI-generated admin types do not include `/admin-auth/*` operations, so the typed client cannot be used for existing admin auth calls.

## Issue Context
The admin schema is generated from the OpenAPI hook output, and the compliance requirement for this PR expects `/admin-auth/*` endpoints to be included in that output so `admin/src/api/schema.d.ts` exposes typed paths/operations.

## Fix Focus Areas
- src/node/hooks/express/openapi.ts[422-575]
- admin/src/api/schema.d.ts[9-31]
- admin/README.md[65-67]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment thread admin/src/api/schema.d.ts Outdated
Comment on lines +1 to +7
// GENERATED — do not edit. Run `pnpm --filter admin gen:api` to regenerate.
// Source: src/node/hooks/express/openapi.ts (#7638)

/**
* This file was auto-generated by openapi-typescript.
* Do not make direct changes to the file.
*/
Copy link
Copy Markdown

@qodo-free-for-open-source-projects qodo-free-for-open-source-projects Bot May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

2. Generated schema committed 📘 Rule violation ⚙ Maintainability

This PR adds generated files (admin/src/api/schema.d.ts, admin/src/api/version.ts) and
documents/enforces committing them via CI. This violates the policy against committing generated
build/runtime artifacts.
Agent Prompt 
## Issue description
Generated files (`admin/src/api/schema.d.ts`, `admin/src/api/version.ts`) are committed and CI enforces that workflow, which violates the repository compliance rule against committing generated artifacts.

## Issue Context
The generator is already wired into the admin build (`pnpm gen:api`), so the repo can instead generate these files during build/CI without storing outputs in git.

## Fix Focus Areas
- admin/src/api/schema.d.ts[1-7]
- admin/src/api/version.ts[1-5]
- admin/package.json[7-20]
- .github/workflows/frontend-admin-tests.yml[71-80]
- admin/README.md[34-40]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

qodo-free-for-open-source-projects[bot]
qodo-free-for-open-source-projects Bot reviewed May 7, 2026
View reviewed changes
Comment thread admin/src/api/schema.d.ts Outdated
Comment on lines +9 to +31
export interface paths {
"/createGroup": {
parameters: {
query?: never;
header?: never;
path?: never;
cookie?: never;
};
/** creates a new group */
get: operations["createGroupUsingGET"];
put?: never;
/** creates a new group */
post: operations["createGroupUsingPOST"];
delete?: never;
options?: never;
head?: never;
patch?: never;
trace?: never;
};
"/createGroupIfNotExistsFor": {
parameters: {
query?: never;
header?: never;
Copy link
Copy Markdown

@qodo-free-for-open-source-projects qodo-free-for-open-source-projects Bot May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Schema lacks /admin-auth paths 📎 Requirement gap ≡ Correctness

The generated admin/src/api/schema.d.ts does not include any /admin-auth/* (or /admin/*)
paths, and the updated README explicitly notes admin endpoints are not yet in the OpenAPI spec. This
fails the requirement that the OpenAPI-derived admin schema reflects the admin UI
authentication/admin endpoint surface.
Agent Prompt 
## Issue description
The generated admin OpenAPI TypeScript schema does not expose any `/admin-auth/*` or `/admin/*` typed paths, so the new typed client cannot be used for real admin UI traffic.

## Issue Context
The compliance checklist requires the OpenAPI spec (and therefore the generated `admin/src/api/schema.d.ts`) to include the admin authentication and admin endpoint surfaces.

## Fix Focus Areas
- src/node/hooks/express/openapi.ts[769-774]
- admin/src/api/schema.d.ts[9-31]
- admin/README.md[65-67]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment thread admin/src/api/version.ts Outdated
Comment thread admin/scripts/gen-api.mjs
Comment on lines +16 to +44
const tmpDir = mkdtempSync(path.join(tmpdir(), 'etherpad-openapi-'));
const specPath = path.join(tmpDir, 'spec.json');

// On Windows pnpm resolves to pnpm.cmd, which spawnSync can only find via a
// shell. Use shell on Windows only to avoid Node's DEP0190 warning elsewhere.
// Every argument here is fixed (no user input) so the shell:true variant is
// not an injection risk.
const spawnOpts = {
cwd: adminRoot,
stdio: 'inherit',
shell: process.platform === 'win32',
};

try {
const dump = spawnSync(
'pnpm',
['exec', 'tsx', 'scripts/dump-spec.ts', specPath],
spawnOpts,
);
if (dump.status !== 0) {
console.error(`dump-spec.ts failed with exit code ${dump.status}`);
process.exit(dump.status ?? 1);
}

const gen = spawnSync(
'pnpm',
['exec', 'openapi-typescript', specPath, '-o', outFile],
spawnOpts,
);
Copy link
Copy Markdown

@qodo-free-for-open-source-projects qodo-free-for-open-source-projects Bot May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

3. Windows gen:api arg splitting 🐞 Bug ☼ Reliability

admin/scripts/gen-api.mjs uses shell: true on Windows while passing file paths (tmpdir + repo
paths) as arguments; if those paths contain spaces (common in Windows user temp dirs), cmd.exe
tokenization can break the pnpm exec ... <path> calls and make pnpm gen:api fail.
Agent Prompt 
### Issue description
`admin/scripts/gen-api.mjs` sets `shell: process.platform === 'win32'` and then calls `spawnSync('pnpm', [..., specPath], spawnOpts)`. On Windows, enabling the shell can cause argument parsing issues for paths that include spaces (common for user temp directories), breaking `pnpm gen:api`.

### Issue Context
The script enables `shell` only to make `pnpm` resolvable on Windows. This can be solved without `shell: true` by invoking the correct executable name on Windows.

### Fix Focus Areas
- admin/scripts/gen-api.mjs[19-54]

### Suggested change
- Use `const pnpmCmd = process.platform === 'win32' ? 'pnpm.cmd' : 'pnpm';`
- Keep `shell: false` (or omit it) in `spawnOpts`.
- Replace both `spawnSync('pnpm', ...)` calls with `spawnSync(pnpmCmd, ...)`.
This avoids cmd.exe parsing entirely while still working on Windows.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

@JohnMcLear JohnMcLear requested a review from SamTV12345 May 7, 2026 14:52
@JohnMcLear @claude
chore(admin): gitignore generated schema/version, regen on every scri…
40fe8a4 
…pt (ether#7638)

Qodo flagged the committed admin/src/api/schema.d.ts as a build artifact
that violates the rule against committing generated files (rule 467291,
"Exclude build artifacts and runtime-generated files from version control").

This commit:
- Adds admin/src/api/{schema.d.ts,version.ts} to .gitignore.
- Removes both from VCS (the prior squash had committed them).
- Chains \`gen:api\` into the dev and test scripts so a fresh checkout
  lands a working dev server / test run without an extra step. build
  and build-copy already chained gen:api.
- Drops the now-redundant CI freshness diff step from
  frontend-admin-tests.yml — with the files no longer committed, the
  build step's gen:api invocation is the only check needed.
- Updates admin/README.md to describe the new generated-file workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@JohnMcLear
Copy link
Copy Markdown
Member Author

JohnMcLear commented May 7, 2026

Qodo's earlier rule violation on the JohnMcLear/etherpad fork PR (rule 467291: "Exclude build artifacts and runtime-generated files from version control") is now addressed in 40fe8a4:

  • admin/src/api/schema.d.ts and admin/src/api/version.ts are gitignored and removed from VCS.
  • Every admin script that needs the generated files (dev, build, build-copy, test) now chains gen:api first, so a fresh checkout produces them automatically.
  • Dropped the now-redundant freshness-diff step from frontend-admin-tests.yml — with no committed file, the build's gen:api invocation is the only check needed.

This was referenced May 8, 2026
Closed
Merged
JohnMcLear added a commit to JohnMcLear/etherpad that referenced this pull request May 8, 2026
@JohnMcLear @claude
fix(admin): split fetchClient by surface; admin client baseUrl='/' (e…
b76a263 
…ther#7693)

Address Qodo finding 2 (correctness bug). The merged schema introduced
in this PR exposes both public-API paths (under /api/<version>/) and
admin paths (at root, e.g. /admin-auth/). The single fetchClient from
ether#7695 has baseUrl=API_BASE_URL ("/api/<version>"), so calling an admin
path through it would resolve to /api/<version>/admin-auth/ — wrong.

Fix:
- Narrow the generated `paths` interface by URL prefix
  (`/admin*` vs everything else).
- Export two clients: `fetchClient` (public, baseUrl=/api/<version>)
  and `adminFetchClient` (admin, baseUrl='/').
- Mirror with `$api` / `$adminApi` query hook factories.

TypeScript now rejects mixing surfaces at compile time:
  fetchClient.GET('/admin-auth/')        // type error: not in PublicPaths
  adminFetchClient.GET('/createGroup')   // type error: not in AdminPaths

Smoke test updated to assert all four exports exist.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SamTV12345
SamTV12345 approved these changes May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@SamTV12345 SamTV12345 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really good.

JohnMcLear added a commit that referenced this pull request May 10, 2026
@JohnMcLear @claude
feat(admin): document admin endpoints in OpenAPI (#7693) (#7705)
4f1b524 
* chore(admin): typesafe API client + TanStack Query rails (#7638) (#2)

* docs(admin): design for typesafe API client + TanStack Query rails (#7638)

Rails-only scope: codegen toolchain, runtime client, and provider — no
call-site migrations. Admin endpoints are not yet covered by the OpenAPI
spec, so a separate issue will follow before any migration is useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): implementation plan for typesafe API client rails (#7638)

Step-by-step task breakdown for the rails-only PR: codegen toolchain,
runtime client, TanStack Query provider, CI freshness check, docs. No
call-site migrations until admin endpoints are added to the OpenAPI
spec (separate follow-up).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): export generateDefinitionForVersion from openapi hook

Required by the admin codegen script (#7638) to dump the OpenAPI spec
without booting Express. No behavior change for the request hook.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): add OpenAPI codegen + TanStack Query deps (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): add OpenAPI spec dump entry (#7638)

Loaded via tsx by gen-api.mjs in the next commit. Writes JSON to a file
path argument so log4js stdout output (from Settings init) does not
pollute the spec output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): wire OpenAPI codegen into build (#7638)

Adds gen:api script and amends build/build-copy to regenerate
admin/src/api/schema.d.ts before compiling. The generated file is
checked in so it shows up in PR review and so a fresh checkout doesn't
need codegen to typecheck.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): typed openapi-fetch + react-query client (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): TanStack Query provider, dev-only devtools (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): mount TanStack Query provider at root (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(admin): smoke test for typed openapi-fetch client (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(admin): verify generated OpenAPI schema is up to date (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): document OpenAPI codegen workflow (#7638)

Replaces the default Vite scaffold README with admin-specific scripts
table and codegen workflow notes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(admin): exclude __tests__ from tsc include (#7638)

The smoke test imports node:test/node:assert which need @types/node.
Admin source is browser-only, so excluding __tests__ from the production
typecheck is cleaner than adding Node types to the bundle config. The
test still runs under tsx, which doesn't share this constraint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: regenerate lockfile with pnpm 10 to restore overrides block (#7638)

Adding admin deps with pnpm 11 stripped the top-level \`overrides:\`
section from pnpm-lock.yaml, which CI uses pnpm 10 to verify. Result:
ERR_PNPM_LOCKFILE_CONFIG_MISMATCH on every job. Re-running pnpm 10
\`install --lockfile-only\` restores the overrides block; the new admin
package entries land in the same commit. Two stale lockfile entries
not present in package.json (\`serialize-javascript\` version pin and
\`uuid@<14.0.0\`) were normalized by the regen — package.json is the
source of truth for those.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(docker): preserve strictDepBuilds=false in trimmed workspace yaml (#7638)

Adding tsx as an admin devDep brings esbuild@0.27.x into the resolved
subgraph, and the Dockerfile's runtime stage was overwriting
pnpm-workspace.yaml with a stripped-down version that lost the
strictDepBuilds=false setting from the source repo. With pnpm 10's
default of strictDepBuilds=true, the install then errors on
ERR_PNPM_IGNORED_BUILDS for esbuild + scarf rather than warning.

Restore the strictDepBuilds=false and the @scarf/scarf ignore in the
trimmed yaml so the production install matches develop's behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): point client baseUrl at /api/<version> via codegen (#7638)

Qodo flagged: with baseUrl='/' and schema paths like '/createGroup',
calls landed at /createGroup, but the backend mounts the FLAT-style
spec under /api/<version>/. So once a call site lands, every request
404s.

gen:api now also emits admin/src/api/version.ts containing
LATEST_API_VERSION (read from info.version in the spec) and a derived
API_BASE_URL = `/api/<version>`. client.ts imports API_BASE_URL.
Workflow freshness check covers both generated files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(admin): cross-platform spawn in gen-api.mjs (#7638)

Windows CI failed because spawnSync('pnpm', ...) cannot resolve
pnpm.cmd without a shell. Set shell:true on win32 only so Linux/macOS
runs avoid Node's DEP0190 warning. All spawn args are literal strings,
so the shell variant is not an injection risk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): gitignore generated schema/version, regen on every script (#7638)

Qodo flagged the committed admin/src/api/schema.d.ts as a build artifact
that violates the rule against committing generated files (rule 467291,
"Exclude build artifacts and runtime-generated files from version control").

This commit:
- Adds admin/src/api/{schema.d.ts,version.ts} to .gitignore.
- Removes both from VCS (the prior squash had committed them).
- Chains \`gen:api\` into the dev and test scripts so a fresh checkout
  lands a working dev server / test run without an extra step. build
  and build-copy already chained gen:api.
- Drops the now-redundant CI freshness diff step from
  frontend-admin-tests.yml — with the files no longer committed, the
  build step's gen:api invocation is the only check needed.
- Updates admin/README.md to describe the new generated-file workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): design for admin OpenAPI coverage (#7693)

Adds the design doc for documenting `/admin-auth/*` and `/admin/update/status`
in the OpenAPI spec so the typed client generated by #7695 (`admin/src/api/
schema.d.ts`) gains admin call-sites the day it lands.

This PR is stacked on #7695 — codegen rails must merge first. Schema-only,
no call-site migrations (those are an explicit follow-up named in #7693).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): correct UpdateStatus schema to base-branch shape (#7693)

The first draft mirrored the Tier 2 (#7607) response shape, but this PR
stacks on #7695 whose updateStatus.ts only emits the Tier 1 fields. Fix
the schema, install-method enum, and tier enum to match types.ts and
the actual handler. Tier 2 amends UpdateStatus when it lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): implementation plan for admin OpenAPI coverage (#7693)

Step-by-step task breakdown for the schema-only PR: stub the document,
add /admin-auth/ + /admin/update/status paths and sub-schemas,
collision regression, /admin/openapi.json route, codegen merge, and CI
verification. No call-site migrations.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): stub OpenAPI document for admin endpoints (#7693)

Adds generateAdminDefinition() returning a minimal valid OpenAPI 3.0
document with no paths yet, plus security schemes for the two auth
modes (Basic + session cookie). Subsequent tasks fill in the actual
admin paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): document POST /admin-auth/ in OpenAPI (#7693)

Adds verifyAdminAccess as the operation that the admin UI's LoginScreen
and App session check both call. Documents Basic auth, session cookie,
and anonymous request modes plus their 200/401/403 responses.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): document GET /admin/update/status in OpenAPI (#7693)

Adds getUpdateStatus operation plus UpdateStatus, ReleaseInfo,
PolicyResult, and VulnerableBelowDirective sub-schemas. Property names
and enums mirror src/node/updater/types.ts and the response object
emitted by updateStatus.ts. Tier 2 (#7607) will amend UpdateStatus when
it ships execution/lastResult/lockHeld.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(admin): regression net for admin/public OpenAPI collisions (#7693)

Cross-checks admin paths, operationIds, and schema names against the
latest public spec. Today there are no overlaps; the test exists to
catch future renames before they break the merged client codegen.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): expose admin OpenAPI doc at /admin/openapi.json (#7693)

Mounts the admin OpenAPI document at /admin/openapi.json (CORS: *) via
an expressPreSession hook, matching the /api/openapi.json convention.
The admin SPA wildcard at /admin/{*filename} registers later in
expressCreateServer, so the JSON route wins. Live-route test confirms
JSON content-type and CORS header.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): mergeOpenAPI helper for codegen pipeline (#7693)

Pure-JS deep-merge of two OpenAPI 3.0 documents. Unions paths and
components by key; throws on collisions. Public document's info,
servers, and root security win over the admin document's. Used by
dump-spec.ts to produce a single merged JSON for openapi-typescript.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): fix stale "Section 3" reference in spec (#7693)

Drafting numbered the design walkthrough; final spec uses titled
sections. Update the back-reference accordingly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): include admin OpenAPI in generated client (#7693)

Modifies dump-spec.ts to import generateAdminDefinition alongside the
public generator and feed both through mergeOpenAPI before writing the
JSON consumed by openapi-typescript. The resulting admin/src/api/
schema.d.ts paths interface now exposes /admin-auth/ and
/admin/update/status, ready for typed call-site adoption in a follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): gate /admin/openapi.json behind a feature flag (#7693)

Address Qodo finding 1: new features must ship behind a flag, disabled
by default (CONTRIBUTING.md, AGENTS.MD, best_practices.md). Adds
settings.adminOpenAPI.enabled (default false). expressPreSession
returns early when the flag is off, so the route is dormant on a fresh
install.

The codegen pipeline imports generateAdminDefinition() in-process and
does not depend on the runtime route, so default-off has no effect on
the typed client. Operators who want third-party tooling (Postman,
swagger-ui, downstream clients) to consume the spec at runtime opt in
via settings.

Adds:
- SettingsType + defaults entry in src/node/utils/Settings.ts
- settings.json.template documentation
- A backend spec asserting expressPreSession is a no-op when the flag
  is off (live route test now sets the flag explicitly)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): split fetchClient by surface; admin client baseUrl='/' (#7693)

Address Qodo finding 2 (correctness bug). The merged schema introduced
in this PR exposes both public-API paths (under /api/<version>/) and
admin paths (at root, e.g. /admin-auth/). The single fetchClient from
#7695 has baseUrl=API_BASE_URL ("/api/<version>"), so calling an admin
path through it would resolve to /api/<version>/admin-auth/ — wrong.

Fix:
- Narrow the generated `paths` interface by URL prefix
  (`/admin*` vs everything else).
- Export two clients: `fetchClient` (public, baseUrl=/api/<version>)
  and `adminFetchClient` (admin, baseUrl='/').
- Mirror with `$api` / `$adminApi` query hook factories.

TypeScript now rejects mixing surfaces at compile time:
  fetchClient.GET('/admin-auth/')        // type error: not in PublicPaths
  adminFetchClient.GET('/createGroup')   // type error: not in AdminPaths

Smoke test updated to assert all four exports exist.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): spec — feature flag + dual-client design (#7693)

Reflect Qodo-driven changes:
- /admin/openapi.json route is now feature-flagged (default off).
- admin/src/api/client.ts splits paths by URL prefix and exports two
  clients (public + admin) so TypeScript rejects mixing surfaces.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): check adminOpenAPI flag per-request, not at hook setup (#7693)

The first feature-flag commit (dbcfb39) gated the route by checking
the flag inside expressPreSession and skipping app.get() when off. That
broke under the full backend suite because common.init() is cached: the
first spec that calls it boots the server with whatever flag state was
present at that moment, and later specs cannot retroactively register
the route by toggling the flag.

Move the flag check inside the request handler:

- Route is always registered.
- Handler returns 404 application/json when the flag is off (so callers
  get a clear "feature disabled" signal rather than the SPA wildcard's
  text/html catch-all).
- Handler returns the spec + CORS * when the flag is on.

Tests now toggle the flag in-process and exercise both states against
the shared agent — no server restart needed. Added a "returns 404 JSON
when off" test alongside the existing "200 + spec + CORS when on".

Full backend suite: 1007 passing, 6 pending, 0 failures.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@JohnMcLear
Merge remote-tracking branch 'origin/develop' into pr-7695-resolve
061793b 
# Conflicts:
#	admin/package.json
#	admin/scripts/dump-spec.ts
#	admin/src/api/__tests__/client.test.ts
#	admin/src/api/client.ts
#	pnpm-lock.yaml
@JohnMcLear JohnMcLear merged commit 4c3fdaf into ether:develop May 10, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qodo-free-for-open-source-projects qodo-free-for-open-source-projects[bot] qodo-free-for-open-source-projects[bot] left review comments

@SamTV12345 SamTV12345 SamTV12345 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

chore(admin): generate typesafe API client + adopt TanStack Query

2 participants

@JohnMcLear @SamTV12345