
fix: security and quality improvements across tRPC routers #29497

Open
Dnyanesh182 wants to merge 3 commits into calcom:main from Dnyanesh182:fix/security-quality-improvements

Conversation


@Dnyanesh182 Dnyanesh182 commented Jun 2, 2026

What does this PR do?

Fixes #29500

Addresses multiple security, data-leak, and code-quality issues in tRPC viewer routers.

Changes

# | Severity | Issue | File
1 | 🔴 Security | credentials: true exposes credential.key (OAuth tokens) | bookings/util.ts
2 | 🔴 Data leak | console.log dumps private hashed links to stdout | eventTypes/heavy/update.handler.ts
3 | 🔴 Logging | console.log(e) instead of structured logger.error | schedule/getScheduleByEventTypeSlug.handler.ts
4 | 🟡 Perf | Prisma include fetches all columns instead of select | getEventTypesFromGroup.handler.ts, duplicate.handler.ts
5 | 🟡 Type safety | @ts-expect-error replaced with proper Record<string, unknown> typing | eventTypes/heavy/update.handler.ts

Visual Proof of Changes

Fix 1: Credential key exposure prevented

Before (main): credentials: true fetches ALL fields including sensitive key:

// packages/trpc/server/routers/viewer/bookings/util.ts (line 42)
user: {
  include: {
    destinationCalendar: true,
    credentials: true,  // ❌ Fetches credential.key (OAuth tokens, API secrets)

After: Only non-sensitive fields selected:

user: {
  include: {
    destinationCalendar: true,
    credentials: {        // ✅ Only safe fields
      select: {
        id: true,
        type: true,
        appId: true,
      },
    },

Fix 2: Debug console.log removed (private data leak)

Before (main): Private hashed link data dumped to stdout:

// packages/trpc/server/routers/viewer/eventTypes/heavy/update.handler.ts
console.log("multiplePrivateLinks", multiplePrivateLinks);  // ❌ Line 611
// ...
console.log("connectedLinks", connectedLinks);              // ❌ Line 615

After: Both lines removed.


Fix 3: Structured logging

Before (main):

// packages/trpc/server/routers/viewer/availability/schedule/getScheduleByEventTypeSlug.handler.ts
} catch (e) {
  console.log(e);  // ❌ Raw error dump

After:

import logger from "@calcom/lib/logger";
// ...
} catch (e) {
  logger.error("Failed to retrieve schedule by event type slug", e);  // ✅ Structured

Fix 4: Prisma include → select (performance)

Before (main): Fetches all columns from hosts, team, webhooks:

// packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts
hosts: true,      // ❌ All Host columns
team: true,       // ❌ All Team columns  
webhooks: true,   // ❌ All Webhook columns

After: Only needed fields:

hosts: {
  select: { userId: true, isFixed: true, priority: true, weight: true, eventTypeId: true, scheduleId: true, groupId: true, memberId: true },
},
team: { select: { id: true } },
webhooks: { select: { id: true } },

Fix 5: Type safety improvement

Before (main):

const updatedValues = Object.entries(data).reduce((acc, [key, value]) => {
  if (value !== undefined) {
    // @ts-expect-error Element implicitly has any type  // ❌
    acc[key] = value;
  }
  return acc;
}, {});

After:

const updatedValues = Object.entries(data).reduce<Record<string, unknown>>((acc, [key, value]) => {
  if (value !== undefined) {
    acc[key] = value;  // ✅ Properly typed
  }
  return acc;
}, {});

Verification

Post-fix grep scan — zero remaining violations in viewer routers:

# console.log in production code (non-test files)
$ rg "console.log" packages/trpc/server/routers/viewer/ --glob '!*.test.*' --glob '!*.spec.*'
# → 0 results ✅

# credentials: true in tRPC routers  
$ rg "credentials: true" packages/trpc/server/routers/
# → 0 results ✅

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How should this be tested?

  • Verify credential.key is no longer returned by the bookings procedure middleware
  • Verify no console.log remains in the changed files
  • Verify duplicate event type preserves host scheduleId, groupId, memberId
  • Run yarn type-check:ci --force to confirm no type errors introduced
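
Added example, not part of the PR or the Cal.diy code base: the `rg "credentials: true"` scan in the Verification section matches one spelling only, so this checker walks a Prisma-style query object and reports every path that would still load `credential.key`, including relation specs that have no `select`. The function names, the `SENSITIVE_FIELDS` map and the sample queries are assumptions constructed for illustration; only the `user`, `credentials` and `key` names come from the PR.

```typescript
// Added example (hypothetical helper, not Cal.diy code): report where a
// Prisma-style query object would still fetch a sensitive column.

// Relation name -> columns a router must never load. Only credentials.key
// comes from the PR; any other entry would be an assumption to add locally.
const SENSITIVE_FIELDS: Record<string, string[]> = {
  credentials: ["key"],
};

function isObject(value: unknown): value is Record<string, unknown> {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

// Which of `fields` does this relation spec load?
//   true                      -> every scalar column
//   { select: {...} }         -> only the listed ones
//   { omit: {...} }           -> every scalar except the listed ones
//   { include / where / ... } -> every scalar column (no select present)
function loadedSensitive(spec: unknown, fields: string[]): string[] {
  if (spec === true) return fields;
  if (!isObject(spec)) return [];
  const select = spec.select;
  if (isObject(select)) return fields.filter((f) => select[f] === true);
  const omit = spec.omit;
  if (isObject(omit)) return fields.filter((f) => omit[f] !== true);
  return fields;
}

// Walk include/select blocks recursively and return dotted paths such as
// "user.credentials.key" for each sensitive column that would be fetched.
function findSensitiveSelections(args: unknown, path: string[] = []): string[] {
  if (!isObject(args)) return [];
  const findings: string[] = [];
  for (const mode of ["include", "select"]) {
    const block = args[mode];
    if (!isObject(block)) continue;
    for (const [relation, spec] of Object.entries(block)) {
      const here = [...path, relation];
      const sensitive = SENSITIVE_FIELDS[relation] ?? [];
      for (const field of loadedSensitive(spec, sensitive)) {
        findings.push([...here, field].join("."));
      }
      findings.push(...findSensitiveSelections(spec, here));
    }
  }
  return findings;
}

// Constructed samples modelled on the PR's before/after snippets.
const BEFORE = {
  where: { id: 1 },
  include: { user: { include: { destinationCalendar: true, credentials: true } } },
};
const AFTER = {
  where: { id: 1 },
  include: {
    user: {
      include: {
        destinationCalendar: true,
        credentials: { select: { id: true, type: true, appId: true } },
      },
    },
  },
};
// Constructed forms that the text scan does not match but that still load the key.
const FILTERED = { include: { user: { include: { credentials: { where: { appId: "x" } } } } } };
const RESELECTED = { select: { credentials: { select: { id: true, key: true } } } };

console.log({
  before: findSensitiveSelections(BEFORE),
  after: findSensitiveSelections(AFTER),
  filtered: findSensitiveSelections(FILTERED),
  reselected: findSensitiveSelections(RESELECTED),
});
```

Run against the exported query-args objects in a unit test, this catches a later change that reintroduces the column through a different spelling. It inspects query objects only and does not see raw SQL issued through `$queryRaw`.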

Contributor

github-actions Bot commented Jun 2, 2026

Welcome to Cal.diy, @Dnyanesh182! Thanks for opening this pull request.

A few things to keep in mind:

  • This is Cal.diy, not Cal.com. Cal.diy is a community-driven, fully open-source fork of Cal.com licensed under MIT. Your changes here will be part of Cal.diy — they will not be deployed to the Cal.com production app.
  • Please review our Contributing Guidelines if you haven't already.
  • Make sure your PR title follows the Conventional Commits format.

A maintainer will review your PR soon. Thanks for contributing!

@Dnyanesh182 Dnyanesh182 force-pushed the fix/security-quality-improvements branch from 35c79ff to 90dbf30 Compare June 2, 2026 17:40
Contributor

coderabbitai Bot commented Jun 2, 2026

Walkthrough

This PR narrows Prisma query projections in multiple viewer handlers (bookings, event types, duplicate flow), replaces console.log with a shared structured logger in the schedule handler, and adds an explicit TypeScript type for a reduce accumulator. These edits change fetched object shapes and a context type while preserving existing control flow and runtime behavior.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately summarizes the main security and quality improvements across tRPC routers, matching the changeset scope.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Description check | ✅ Passed | The PR description clearly relates to the changeset, detailing security and quality fixes with specific file-level changes, before/after code examples, and verification steps.


Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
packages/trpc/server/routers/viewer/availability/schedule/getScheduleByEventTypeSlug.handler.ts (1)

60-61: 💤 Low value

Consider wrapping the error for structured logging consistency.

The change to logger.error is a clear improvement. For consistency with the pattern shown in other handlers (see packages/trpc/server/routers/viewer/admin/watchlist/delete.handler.ts), consider wrapping the error in an object with a named field.

📊 Optional: match structured logging pattern
  } catch (e) {
-    logger.error("Failed to retrieve schedule by event type slug", e);
+    logger.error("Failed to retrieve schedule by event type slug", { error: e });
    return {
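Review bot: the `+` line settles on the key `error`, but the field name should be whatever the handler this comment cites (admin/watchlist/delete.handler.ts) already uses, so that one log query finds failures from both handlers; confirm the name there before applying. The same line logs the caught value `e` whole and carries no event type slug in the message or the fields, so add the slug as a second field to tie the entry to a request.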
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/trpc/server/routers/viewer/availability/schedule/getScheduleByEventTypeSlug.handler.ts`
around lines 60 - 61, The catch block in getScheduleByEventTypeSlug.handler
currently calls logger.error with the message and raw error; change it to use
structured logging like logger.error({ err: e, eventTypeSlug }, "Failed to
retrieve schedule by event type slug") so the error is wrapped in an object (key
name `err` or `error` to match existing handlers such as delete.handler) and
include relevant context (e.g., eventTypeSlug) for consistency with other
handlers.
packages/trpc/server/routers/viewer/bookings/util.ts (1)

39-55: 💤 Low value

Consider refactoring to use select instead of include for the user object.

The coding guideline recommends using select instead of include in Prisma queries for performance and security. Currently, the user object uses include to fetch relations. Converting to an explicit select would align with the guideline and provide better control over which fields are fetched.

This is a broader refactor and not blocking the current security fix, which correctly prioritizes preventing credential.key exposure.

As per coding guidelines: "Use select instead of include in Prisma queries for performance and security."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/trpc/server/routers/viewer/bookings/util.ts` around lines 39 - 55,
Change the Prisma query for the user relation to use select instead of include;
replace the user: { include: { destinationCalendar, credentials: { select: { id,
type, appId } }, profiles: { select: { organizationId } } } } with an explicit
user: { select: { destinationCalendar: true, credentials: { select: { id: true,
type: true, appId: true } }, profiles: { select: { organizationId: true } } } }
so only the intended relations/fields (destinationCalendar,
credentials.{id,type,appId}, profiles.{organizationId}) are returned and
credential.key is never selected. Ensure the surrounding query (wherever this
user selection is used) still composes correctly with the rest of the Prisma
call.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c7dae27b-9c8d-4c62-9dab-f1138d0e6668

📥 Commits

Reviewing files that changed from the base of the PR and between 287cea3 and 35c79ff.

📒 Files selected for processing (5)
  • packages/trpc/server/routers/viewer/availability/schedule/getScheduleByEventTypeSlug.handler.ts
  • packages/trpc/server/routers/viewer/bookings/util.ts
  • packages/trpc/server/routers/viewer/eventTypes/getEventTypesFromGroup.handler.ts
  • packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts
  • packages/trpc/server/routers/viewer/eventTypes/heavy/update.handler.ts

Comment on lines +41 to +49
hosts: {
select: {
userId: true,
isFixed: true,
priority: true,
weight: true,
eventTypeId: true,
},
},
Contributor


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if hosts with scheduleId, groupId, or location exist that would be affected by this change

ast-grep --pattern 'scheduleId: $$$' | head -20

rg -nP --type=ts -C3 'hosts.*scheduleId|hosts.*groupId|hosts.*location' -g '!node_modules' -g '!*.test.*' -g '!*.spec.*'

Repository: calcom/cal.diy

Length of output: 4966


🏁 Script executed:

#!/bin/bash
# Find the Host model definition in Prisma schema
rg -nP -A 20 'model Host \{' --glob='*.prisma'

Repository: calcom/cal.diy

Length of output: 1720


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts"
echo "== file =="
wc -l "$FILE"
echo

echo "== select (around lines 35-70) =="
nl -ba "$FILE" | sed -n '35,90p'
echo

echo "== duplication/createMany mapping (search + context) =="
rg -n "createMany|hosts\.map|duplicate|copy" "$FILE" -S
echo

# Print a wider window around the createMany if present
LINE_CREATE=$(rg -n "createMany" "$FILE" -S | head -n 1 | cut -d: -f1 || true)
if [ -n "${LINE_CREATE:-}" ]; then
  START=$((LINE_CREATE-60))
  END=$((LINE_CREATE+60))
  echo
  echo "== around createMany at $LINE_CREATE (lines $START-$END) =="
  nl -ba "$FILE" | sed -n "${START},${END}p"
fi

echo
echo "== around any hosts.map mapping =="
LINE_HOSTSMAP=$(rg -n "hosts\.map" "$FILE" -S | head -n 1 | cut -d: -f1 || true)
if [ -n "${LINE_HOSTSMAP:-}" ]; then
  START=$((LINE_HOSTSMAP-40))
  END=$((LINE_HOSTSMAP+60))
  echo
  echo "== around hosts.map at $LINE_HOSTSMAP (lines $START-$END) =="
  nl -ba "$FILE" | sed -n "${START},${END}p"
fi

Repository: calcom/cal.diy

Length of output: 244


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts"

echo "== file =="
wc -l "$FILE"
echo

show_range () {
  local start="$1" end="$2"
  echo "== $start-$end =="
  awk -v s="$start" -v e="$end" 'NR>=s && NR<=e {printf "%6d %s\n", NR, $0}' "$FILE"
  echo
}

echo "== select/copy mapping context (35-90) =="
show_range 35 90

echo "== find createMany/hosts.map lines (grep context) =="
rg -n "createMany|hosts\.map|duplicate|copy" "$FILE" -S

LINE_CREATE=$(rg -n "createMany" "$FILE" -S | head -n 1 | cut -d: -f1 || true)
if [ -n "${LINE_CREATE:-}" ]; then
  show_range $((LINE_CREATE-80)) $((LINE_CREATE+60))
fi

LINE_HOSTSMAP=$(rg -n "hosts\.map" "$FILE" -S | head -n 1 | cut -d: -f1 || true)
if [ -n "${LINE_HOSTSMAP:-}" ]; then
  show_range $((LINE_HOSTSMAP-60)) $((LINE_HOSTSMAP+80))
fi

Repository: calcom/cal.diy

Length of output: 13138


Fix Host field preservation in event-type duplication (scheduleId/groupId/location are dropped).

packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts narrows hosts to only userId, isFixed, priority, weight, and eventTypeId and then duplicates via hosts.map(({ eventTypeId: _, ...rest }) => rest), so Host.scheduleId, Host.groupId, and Host.location (optional fields on model Host in packages/prisma/schema.prisma) are not copied to the duplicated event type’s hosts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts`
around lines 41 - 49, The hosts selection in duplicate.handler.ts currently only
selects userId, isFixed, priority, weight, and eventTypeId which causes
scheduleId, groupId, and location to be dropped when you later do hosts.map(({
eventTypeId: _, ...rest }) => rest); update the Prisma select inside the hosts
block to also include scheduleId, groupId, and location so those optional Host
fields are fetched, and keep the existing map that strips eventTypeId
(hosts.map(({ eventTypeId: _, ...rest }) => rest)) so the duplicated hosts
preserve scheduleId/groupId/location while removing the old eventTypeId.

Contributor

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts (1)

41-48: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Preserve the optional Host fields when duplicating hosts.

This select still drops scheduleId, groupId, and location, so the later hosts.map(({ eventTypeId: _, ...rest }) => rest) silently strips those values from duplicated hosts.

Suggested fix
         hosts: {
           select: {
             userId: true,
             isFixed: true,
             priority: true,
             weight: true,
+            scheduleId: true,
+            groupId: true,
+            location: true,
             eventTypeId: true,
           },
         },
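Review bot: the three `+` lines add `scheduleId`, `groupId` and `location`, while the select in the PR description's Fix 4 and the follow-up commit message add `scheduleId`, `groupId` and `memberId`, so the two lists disagree on `location` versus `memberId`. Settle the list against `model Host` in packages/prisma/schema.prisma, select every optional column that `hosts.map(({ eventTypeId: _, ...rest }) => rest)` is expected to carry over, and add a test that duplicates an event type whose host has those columns set.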
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts`
around lines 41 - 48, The host duplication is losing optional Host fields
because the Prisma select in duplicate.handler.ts for "hosts" omits scheduleId,
groupId, and location; update the select inside the query that populates hosts
to include scheduleId: true, groupId: true, and location: true so those optional
fields are fetched, and keep the existing hosts.map(({ eventTypeId: _, ...rest
}) => rest) to only drop eventTypeId while preserving the newly-selected
optional fields.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 86459d91-9022-4beb-9044-cfb4e95213a5

📥 Commits

Reviewing files that changed from the base of the PR and between 35c79ff and 90dbf30.

📒 Files selected for processing (5)
  • packages/trpc/server/routers/viewer/availability/schedule/getScheduleByEventTypeSlug.handler.ts
  • packages/trpc/server/routers/viewer/bookings/util.ts
  • packages/trpc/server/routers/viewer/eventTypes/getEventTypesFromGroup.handler.ts
  • packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts
  • packages/trpc/server/routers/viewer/eventTypes/heavy/update.handler.ts
✅ Files skipped from review due to trivial changes (1)
  • packages/trpc/server/routers/viewer/availability/schedule/getScheduleByEventTypeSlug.handler.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • packages/trpc/server/routers/viewer/eventTypes/getEventTypesFromGroup.handler.ts
  • packages/trpc/server/routers/viewer/bookings/util.ts
  • packages/trpc/server/routers/viewer/eventTypes/heavy/update.handler.ts

- fix(bookings): replace credentials: true with select to prevent credential.key exposure in booking middleware

- fix(eventTypes): remove console.log statements that leaked private hashed link data to stdout

- fix(schedule): replace console.log with structured logger.error in getScheduleByEventTypeSlug

- refactor(eventTypes): replace Prisma include with select in getEventTypesFromGroup and duplicate handlers

- fix(eventTypes): add missing scheduleId/groupId/memberId to hosts select in duplicate handler

- fix(eventTypes): remove @ts-expect-error by typing reduce accumulator as Record<string, unknown>
@Dnyanesh182 Dnyanesh182 force-pushed the fix/security-quality-improvements branch from ecfc991 to ffe2bea Compare June 2, 2026 17:52
@bandhan-majumder
Member

Please attach it to an issue (create one if it does not exist), and please attach visual proofs of your changes. Making it a draft.

@bandhan-majumder bandhan-majumder marked this pull request as draft June 3, 2026 05:19
@Dnyanesh182
Author

What does this PR do?

Fixes #ISSUE_NUMBER

Addresses multiple security, data-leak, and code-quality issues in tRPC viewer routers.

Changes

# | Severity | Issue | File
1 | 🔴 Security | credentials: true exposes credential.key (OAuth tokens) | bookings/util.ts
2 | 🔴 Data leak | console.log dumps private hashed links to stdout | eventTypes/heavy/update.handler.ts
3 | 🔴 Logging | console.log(e) instead of structured logger.error | schedule/getScheduleByEventTypeSlug.handler.ts
4 | 🟡 Perf | Prisma include fetches all columns instead of select | getEventTypesFromGroup.handler.ts, duplicate.handler.ts
5 | 🟡 Type safety | @ts-expect-error replaced with proper Record<string, unknown> typing | eventTypes/heavy/update.handler.ts

Visual Proof of Changes

Fix 1: Credential key exposure prevented

Before (main): credentials: true fetches ALL fields including sensitive key:

// packages/trpc/server/routers/viewer/bookings/util.ts (line 42)
user: {
  include: {
    destinationCalendar: true,
    credentials: true,  // ❌ Fetches credential.key (OAuth tokens, API secrets)

After: Only non-sensitive fields selected:

user: {
  include: {
    destinationCalendar: true,
    credentials: {        // ✅ Only safe fields
      select: {
        id: true,
        type: true,
        appId: true,
      },
    },

Fix 2: Debug console.log removed (private data leak)

Before (main): Private hashed link data dumped to stdout:

// packages/trpc/server/routers/viewer/eventTypes/heavy/update.handler.ts
console.log("multiplePrivateLinks", multiplePrivateLinks);  // ❌ Line 611
// ...
console.log("connectedLinks", connectedLinks);              // ❌ Line 615

After: Both lines removed.


Fix 3: Structured logging

Before (main):

// packages/trpc/server/routers/viewer/availability/schedule/getScheduleByEventTypeSlug.handler.ts
} catch (e) {
  console.log(e);  // ❌ Raw error dump

After:

import logger from "@calcom/lib/logger";
// ...
} catch (e) {
  logger.error("Failed to retrieve schedule by event type slug", e);  // ✅ Structured

Fix 4: Prisma include → select (performance)

Before (main): Fetches all columns from hosts, team, webhooks:

// packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts
hosts: true,      // ❌ All Host columns
team: true,       // ❌ All Team columns  
webhooks: true,   // ❌ All Webhook columns

After: Only needed fields:

hosts: {
  select: { userId: true, isFixed: true, priority: true, weight: true, eventTypeId: true, scheduleId: true, groupId: true, memberId: true },
},
team: { select: { id: true } },
webhooks: { select: { id: true } },

Fix 5: Type safety improvement

Before (main):

const updatedValues = Object.entries(data).reduce((acc, [key, value]) => {
  if (value !== undefined) {
    // @ts-expect-error Element implicitly has any type  // ❌
    acc[key] = value;
  }
  return acc;
}, {});

After:

const updatedValues = Object.entries(data).reduce<Record<string, unknown>>((acc, [key, value]) => {
  if (value !== undefined) {
    acc[key] = value;  // ✅ Properly typed
  }
  return acc;
}, {});

Verification

Post-fix grep scan — zero remaining violations in viewer routers:

# console.log in production code (non-test files)
$ rg "console.log" packages/trpc/server/routers/viewer/ --glob '!*.test.*' --glob '!*.spec.*'
# → 0 results ✅

# credentials: true in tRPC routers  
$ rg "credentials: true" packages/trpc/server/routers/
# → 0 results ✅

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How should this be tested?

  • Verify credential.key is no longer returned by the bookings procedure middleware
  • Verify no console.log remains in the changed files
  • Verify duplicate event type preserves host scheduleId, groupId, memberId
  • Run yarn type-check:ci --force to confirm no type errors introduced

@Dnyanesh182 Dnyanesh182 marked this pull request as ready for review June 3, 2026 07:21
@github-actions github-actions Bot added the 🐛 bug Something isn't working label Jun 4, 2026
@Dnyanesh182
Author

Hi @bandhan-majumder, I've created issue #29500 and updated the PR description with visual proof (before/after code comparisons and grep verification). Could you please add the run-ci label when you get a chance? Thanks!


Labels

🐛 bug Something isn't working size/M

Development

Successfully merging this pull request may close these issues.

fix: Security and code quality issues in tRPC routers

2 participants