Deploy to production (Automated)

[github-actions]

This is an automated pull request to deploy the staging branch to production.
Please review the pull request and comment /deploy to merge this PR and deploy to production.

---

Summary by cubic

Added Grafana monitoring by exposing Prometheus metrics for tRPC API calls and ZeroDriver email operations, with a new /metrics endpoint and environment-based configuration.

• New Features
  • Centralized metrics utility for tracking API and email operation performance.
  • tRPC middleware and ZeroDriver methods now record timing and status metrics.
  • /metrics endpoint added for Prometheus scraping.
  • Environment variables support Grafana integration.

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Incorrect file path for metrics.ts	Critical	Check if metrics are being collected by the mail application.	The file metrics.ts was created in the wrong directory (apps/server/src/lib/ instead of apps/mail/src/lib/), preventing the mail application from collecting metrics.

_{Comments? Email us. Your free trial ends in 4 days.}

[cloudflare-workers-and-pages]

Deploying zero-staging with    Cloudflare Pages

Latest commit:	e7a0463
Status:	✅  Deploy successful!
Preview URL:	https://05ab43cb.zero-staging-c02.pages.dev

View logs

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Join our Discord community for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	zero-server-production	e7a0463	Jul 25 2025, 08:42 PM

[graphite-app]

Graphite Automations

"Deploy to Production Helper" took an action on this PR • (07/25/25)

1 reviewer was added to this PR based on Rahul Mishra's automation.

[cloudflare-workers-and-pages]

Deploying zero-prod with    Cloudflare Pages

Latest commit:	5fda69d
Status:	🚫  Build failed.

View logs

[jazzberry-ai]

An error occured.

_{This error may be due to rate limits. If this error persists, please email us.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Invalid Grafana Credentials	Medium	Set GRAFANA_USERNAME or GRAFANA_PASSWORD to an empty string in the environment.	The MetricsCollector does not validate that GRAFANA_USERNAME and GRAFANA_PASSWORD are set, which leads to btoa() being called with potentially empty strings, leading to invalid authorization headers being sent to Grafana. Added a check to ensure the variables are set.
Incorrect Email Operation Total	Medium	Call ZeroDriver's markAsRead or create methods and cause them to throw an error.	The emailOperationTotal counter is incremented within the try block of the ZeroDriver's markAsRead and create methods. If an error occurs during the operation, the counter is not incremented. Moved the counter increment to the finally block, and made the status (success/failure) a parameter to timeOperation.

_{Comments? Email us. Your free trial ends in 4 days.}

[cursor]

Bugbot free trial expires on July 29, 2025
Learn more in the Cursor dashboard.

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Missing Grafana Error Handling	Medium	Simulate a Grafana endpoint outage. Verify that the application logs the error, but metrics are lost.	The sendToGrafana function in src/lib/metrics.ts lacks proper error handling for the fetch call. This can lead to loss of metrics data if the Grafana endpoint is unavailable. Retries with exponential backoff should be implemented.
Storing Refresh Tokens in DB	Critical	Compromise the database. Verify the refresh tokens can be used to access email accounts.	Storing refresh tokens in the database represents a significant security risk. If the database is compromised, attackers could use the refresh tokens to gain persistent access to user email accounts. The application needs to use a more secure method of storing credentials, such as encryption, token revocation, or secrets management.

_{Comments? Email us. Your free trial ends in 4 days.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Metrics are not sent to Grafana	High	Check Grafana dashboard; no new metrics are visible.	The MetricsCollector class was removed, which was responsible for collecting and sending metrics to Grafana.

_{Comments? Email us. Your free trial ends in 4 days.}

[jazzberry-ai]

An error occured.

_{This error may be due to rate limits. If this error persists, please email us.}

[cursor]

Bug: Driver Null Check Inconsistency

The null check for this.driver was removed from the create method, making it inconsistent with other methods in the class (e.g., sendDraft, delete). This omission causes a runtime error (e.g., TypeError) if create is called when this.driver is null/undefined, instead of providing the expected "No driver available" error.

apps/server/src/routes/agent/index.ts#L122-L125

Zero/apps/server/src/routes/agent/index.ts

Lines 122 to 125 in a5d8f5a

	async create(data: IOutgoingMessage) {
	return await this.driver.create(data);
	}

Fix in Cursor • Fix in Web

---

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Incomplete CSS Sanitization	Medium	Send an email with font-family, width, border-radius, or @media rules.	The allowedProperties in css-sanitizer is incomplete, leading to stripping of CSS styles and degradation of email appearance.
Insufficient Protection of /metrics Endpoint	High	Leak the GRAFANA_PASSWORD through logs or misconfiguration.	The /metrics endpoint is protected only by a bearer token, which is vulnerable to leakage and unauthorized access.

_{Comments? Email us. Your free trial ends in 4 days.}

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
Potential CSS Sanitizer Bypass	Medium	Inject CSS with content property or complex animation syntax.	The @barkleapp/css-sanitizer might be vulnerable to bypasses, allowing malicious CSS to be injected into emails. The current configuration might not be sufficient to prevent all potential attacks. Additionally, the use of @ts-ignore suggests a potential underlying type issue that should be properly resolved.

_{Comments? Email us. Your free trial ends in 4 days.}

[cursor]

Bug: Inconsistent Null Handling Across Methods

The null check for this.driver was removed from the create method, making it inconsistent with other methods in the same class (e.g., sendDraft, delete) that retain this check. If this.driver is null, this will cause a runtime error (e.g., TypeError) when attempting to call this.driver.create(data), instead of throwing the explicit "No driver available" error.

apps/server/src/routes/agent/index.ts#L122-L125

Zero/apps/server/src/routes/agent/index.ts

Lines 122 to 125 in 7aa0caa

	async create(data: IOutgoingMessage) {
	return await this.driver.create(data);
	}

Fix in Cursor • Fix in Web

---

[jazzberry-ai]

Bug Report

Name: Missing CSS properties in sanitization

Severity: Medium

Example test case: Emails using font-family will not render correctly, as font-family is not in the allowedProperties list.

Description: The CSS sanitization logic in apps/server/src/lib/email-processor.ts might be too restrictive, preventing legitimate CSS properties like font-family from being used, leading to incorrect email rendering.

_{Comments? Email us. Your free trial ends in 4 days.}

[cursor]

Bug: Inconsistent Driver Null Handling

The null check for this.driver was removed from the create method. This creates an inconsistency, as other methods in the ZeroDriver class (e.g., sendDraft, delete) retain this safety check. If this.driver is null, calling create will now throw a generic TypeError (e.g., "Cannot read property 'create' of null") instead of the descriptive "No driver available" error, making debugging more difficult and breaking consistent error handling.

apps/server/src/routes/agent/index.ts#L122-L126

Zero/apps/server/src/routes/agent/index.ts

Lines 122 to 126 in 39d8727

	async create(data: IOutgoingMessage) {
	return await this.driver.create(data);
	}

Fix in Cursor • Fix in Web

---

[jazzberry-ai]

Bug Report

Name	Severity	Example test case	Description
CSS Sanitization Bypass via border Property	Medium	<style>.test { border: 100px solid red !important; }</style>	The allowed border property in the CSS sanitizer can be abused to create unexpected layout effects or visual distortions, especially when combined with !important. The limited number of other allowed CSS properties makes this more impactful.

_{Comments? Email us. Your free trial ends in 4 days.}

[MrgSub]

/deploy