feat: Notify user roadmap submissions

[arjunkomath]

Summary by CodeRabbit

• New Features

  • Page admins now receive email notifications when roadmap suggestions are submitted.

• Security

  • Submission API strengthened with bot-detection, rate limiting, request gating, and stricter input validation.

• Reliability

  • Enhanced submission flow: richer board data checks, clearer error messages, and non-blocking email dispatch to avoid affecting submissions.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
user-changes-page	Ready	Preview	Nov 2, 2025 6:27am

2 Skipped Deployments

Project	Deployment	Preview	Updated (UTC)
changes-page	Skipped		Nov 2, 2025 6:27am
changes-page-docs	Skipped		Nov 2, 2025 6:27am

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Added Arcjet bot-detection and rate-limiting to the roadmap triage API, expanded board data fetching and input validation, inserted triage items, dispatched an Inngest email event, and implemented a new Inngest function that fetches page/user data and sends a Postmark notification to the page admin.

Changes

Cohort / File(s)	Summary
API Endpoint: security, validation & trigger apps/page/pages/api/roadmap/submit-triage.ts	Added Arcjet protection (bot-detection & rate-limiting) and logging for denials; added input validation and sanitization; expanded board fetch to include title and page_id; inserted triage item and dispatches email/roadmap.triage-submitted via Inngest (wrapped in try/catch); changed response type to { success: boolean; item?: any; error?: string }.
Inngest email function apps/web/inngest/email/send-roadmap-triage-notification.ts	New Inngest function sendRoadmapTriageNotification listening for email/roadmap.triage-submitted; retrieves page and admin user via Supabase admin API, validates data, builds triage URL, and sends HTML/text email via Postmark; returns result and throws on critical failures.
Inngest registration apps/web/pages/api/inngest.ts	Imported and registered sendRoadmapTriageNotification in the Inngest serve configuration (emails section).

Sequence Diagram

sequenceDiagram
    participant User
    participant API as submit-triage API
    participant Arcjet
    participant DB as Supabase
    participant Inngest
    participant EmailFn as sendRoadmapTriageNotification
    participant Postmark
    participant Admin

    User->>API: POST /roadmap/submit-triage
    API->>Arcjet: Check bot & rate limits
    Arcjet-->>API: Allow / Deny (403)
    API->>DB: Fetch board (includes title,page_id)
    DB-->>API: Board data
    API->>DB: Insert triage item
    DB-->>API: Item created
    API->>Inngest: Dispatch email/roadmap.triage-submitted
    API-->>User: { success: true, item }
    
    Inngest->>EmailFn: Trigger function
    EmailFn->>DB: Fetch page (title, user_id, logo)
    DB-->>EmailFn: Page details
    EmailFn->>DB: Fetch user (admin) via admin API
    DB-->>EmailFn: Admin email
    EmailFn->>Postmark: Send HTML/text email (CTA -> triage URL)
    Postmark->>Admin: Deliver notification email
    EmailFn-->>Inngest: { body, result }

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Review Arcjet integration: gating logic, status codes, and logged reasons for denials.
• Validate input sanitization/length checks and that validation errors return clear messages.
• Confirm Inngest event payload shape and that try/catch around email dispatch does not suppress actionable errors.
• Inspect email template (HTML/text), Postmark parameters, and Supabase admin queries for correct fields and permissions.

Poem

🐇 A note hops in from a curious mind,
Guards sniff the path so no spam we find.
Inngest carries word to the admin's gate,
Postmark sends a nudge—ideas can't wait.
Hooray for triage, fresh and kind! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "feat: Notify user roadmap submissions" accurately describes the primary objective of the changeset. The modifications across all three files work together to implement a single feature: when a roadmap item is submitted via the API, an email notification is sent to the page admin. The title is concise, specific, and clear—it avoids vague terminology and directly communicates the main change without unnecessary details. A teammate reviewing the commit history would understand from this title that the PR introduces notification functionality for roadmap submissions.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1e0eeb8 and 3e1d37e.

📒 Files selected for processing (1)

• apps/page/pages/api/roadmap/submit-triage.ts (3 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a53c672 and 1e0eeb8.

📒 Files selected for processing (3)

• apps/page/pages/api/roadmap/submit-triage.ts (3 hunks)
• apps/web/inngest/email/send-roadmap-triage-notification.ts (1 hunks)
• apps/web/pages/api/inngest.ts (2 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: arjunkomath
Repo: techulus/changes-page PR: 101
File: packages/supabase/migrations/20_roadmap_triage_items.sql:15-25
Timestamp: 2025-10-18T23:41:55.508Z
Learning: In the changes-page codebase, roadmap triage items use service role (supabaseAdmin) for all database operations with authorization implemented at the API layer. The RLS policies on roadmap_triage_items are for page owner management only. Public INSERT happens through apps/page/pages/api/roadmap/submit-triage.ts which uses supabaseAdmin and checks board.is_public and visitor authentication. No INSERT RLS policy is needed.

📚 Learning: 2025-10-18T23:41:55.508Z

Learnt from: arjunkomath
Repo: techulus/changes-page PR: 101
File: packages/supabase/migrations/20_roadmap_triage_items.sql:15-25
Timestamp: 2025-10-18T23:41:55.508Z
Learning: In the changes-page codebase, roadmap triage items use service role (supabaseAdmin) for all database operations with authorization implemented at the API layer. The RLS policies on roadmap_triage_items are for page owner management only. Public INSERT happens through apps/page/pages/api/roadmap/submit-triage.ts which uses supabaseAdmin and checks board.is_public and visitor authentication. No INSERT RLS policy is needed.

Applied to files:

• apps/web/inngest/email/send-roadmap-triage-notification.ts
• apps/page/pages/api/roadmap/submit-triage.ts

🧬 Code graph analysis (3)

apps/web/pages/api/inngest.ts (1)

apps/web/inngest/email/send-roadmap-triage-notification.ts (1)

• sendRoadmapTriageNotification (13-182)

apps/web/inngest/email/send-roadmap-triage-notification.ts (2)

packages/supabase/admin.ts (1)

• supabaseAdmin (4-7)

apps/web/utils/helpers.ts (1)

• getAppBaseURL (1-3)

apps/page/pages/api/roadmap/submit-triage.ts (1)

packages/supabase/admin.ts (1)

• supabaseAdmin (4-7)