fix: add a few missing zmodel validation checks

[ymc9]

Summary by CodeRabbit

• New Features

  • Introduced stricter validation for schema attributes, ensuring certain attributes can only be applied once per declaration.
  • Enhanced relation field validation with clearer error messages for self-relations, many-to-many, and one-to-one relations.
  • Added comprehensive end-to-end tests to verify schema validation consistency with Prisma.

• Chores

  • Updated development dependencies for improved CLI support.
  • Expanded the TODO list with additional CLI-related tasks.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The updates introduce stricter validation logic for schema attributes and relations, enhance error reporting, and expand end-to-end testing for schema validation consistency. New attributes and validation rules are added at the language level, and a comprehensive test suite is implemented to verify schema correctness. Dependency configurations and documentation are also updated.

Changes

File(s)	Change Summary
TODO.md	Added three unchecked tasks: "validate," "format," and "db seed" under the "CLI" section.
packages/language/res/stdlib.zmodel	Introduced @@@once() attribute; applied it to @id and @unique to enforce single-use per declaration.
packages/language/src/validators/attribute-application-validator.ts	Added logic to enforce single-use attributes and stricter validation for @id and @unique attributes.
packages/language/src/validators/datamodel-validator.ts	Enhanced relation field validation, added explicit checks for self-relations, M2M, and uniqueness constraints.
tests/e2e/package.json	Added @zenstackhq/cli as a development dependency under devDependencies.
tests/e2e/prisma-consistency/zmodel-validation.test.ts	Introduced an extensive test suite and helper class to verify schema validation consistency with Prisma.

Poem

🐇
In the warren, code’s refined,
New rules for models, clearly defined.
One-use tags, relations checked,
Errors caught, no flaws unchecked.
Tests abound in fields anew,
With carrots and schemas, we’re hopping through!

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[ymc9]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[Copilot]

Pull Request Overview

This PR adds comprehensive test coverage for ZModel validation consistency with Prisma by introducing a new test file and fixing several validation bugs in the language package. The main purpose is to ensure ZenStack's validation behavior matches Prisma's expectations across various schema scenarios.

• Adds extensive E2E validation tests covering models, relations, constraints, and edge cases
• Fixes validation bugs for self-relations, many-to-many relations, and duplicate attributes
• Adds development documentation and updates TODO tracking

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
tests/e2e/prisma-consistency/zmodel-validation.test.ts	New comprehensive test suite with 1000+ lines testing ZModel validation scenarios
tests/e2e/package.json	Adds @zenstackhq/cli as dev dependency for testing
packages/language/src/validators/datamodel-validator.ts	Fixes self-relation validation and many-to-many relation handling
packages/language/src/validators/attribute-application-validator.ts	Adds duplicate attribute validation and fixes unique constraint validation
packages/language/res/stdlib.zmodel	Adds @@@once attribute for single-use validation
TODO.md	Updates CLI command completion tracking
CLAUDE.md	New development documentation for Claude AI assistance

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

TODO.md (1)

10-12: Fix indentation to maintain consistency.

The new TODO items have incorrect indentation (4 spaces instead of 2).

Apply this diff to fix the indentation:

-    - [ ] validate
-    - [ ] format
-    - [ ] db seed
+  - [ ] validate
+  - [ ] format
+  - [ ] db seed

tests/e2e/prisma-consistency/zmodel-validation.test.ts (2)

24-24: Consider making the CLI path more robust.

The current path construction assumes a specific node_modules structure. Consider using a more robust approach like attempting to resolve the package first.

-        this.cliPath = join(currentDir, '../node_modules/@zenstackhq/cli/bin/cli');
+        // Try to resolve the CLI package more robustly
+        try {
+            const cliPackagePath = require.resolve('@zenstackhq/cli/package.json', { paths: [currentDir] });
+            this.cliPath = join(dirname(cliPackagePath), 'bin/cli');
+        } catch {
+            // Fallback to the current approach
+            this.cliPath = join(currentDir, '../node_modules/@zenstackhq/cli/bin/cli');
+        }

---

136-138: Consider asserting specific error messages for better test precision.

The current approach only checks that errors exist but doesn't verify the specific validation error. This could lead to false positives if a different error occurs.

             expect(result.success).toBe(false);
             expect(result.errors.length).toBeGreaterThan(0);
+            expect(result.errors.some(e => e.includes('unique criterion') || e.includes('id'))).toBe(true);

This pattern could be applied throughout the test file to make assertions more specific and ensure the correct validation is being triggered.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6ad973d and bff4ce6.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (6)

• TODO.md (1 hunks)
• packages/language/res/stdlib.zmodel (3 hunks)
• packages/language/src/validators/attribute-application-validator.ts (3 hunks)
• packages/language/src/validators/datamodel-validator.ts (3 hunks)
• tests/e2e/package.json (1 hunks)
• tests/e2e/prisma-consistency/zmodel-validation.test.ts (1 hunks)

🧰 Additional context used

🪛 markdownlint-cli2 (0.17.2)

TODO.md

10-10: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

11-11: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

12-12: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-test (20.x)

🔇 Additional comments (12)

packages/language/res/stdlib.zmodel (1)

227-230: LGTM! Good addition for preventing duplicate attribute applications.

The introduction of the @@@once() meta-attribute and its application to @id and @unique attributes is a valuable enhancement. This will help prevent accidental duplicate attribute applications at the language level, improving the robustness of schema definitions.

Also applies to: 240-240, 255-255

tests/e2e/package.json (1)

11-13: LGTM! Appropriate dev dependency addition.

Adding @zenstackhq/cli as a dev dependency is necessary for the new e2e tests that validate schema using CLI commands.

packages/language/src/validators/attribute-application-validator.ts (2)

136-146: Well-implemented duplicate attribute detection.

The checkDuplicatedAttributes method correctly enforces the @@@once constraint by checking if the attribute declaration has the meta-attribute and then looking for duplicates in the container.

---

214-214: Good enhancement to field validation for @@id and @@unique.

The addition of @check('@@id') and the improved error handling for missing or invalid arguments strengthen the validation logic. The specific error messages for different failure cases (missing argument, non-array, empty array) provide clear feedback to users.

Also applies to: 219-228

packages/language/src/validators/datamodel-validator.ts (5)

262-269: Good addition for self-relation validation.

Requiring an explicit name for self-relation fields helps prevent ambiguity when a model has multiple self-referencing relationships.

---

275-275: Important fix to prevent self-matching.

Excluding the current field from opposite field matching is crucial to avoid incorrect self-references in the validation logic.

---

334-347: Well-structured validation for implicit many-to-many relations.

The check correctly enforces that implicit M2M relations (where both sides are arrays) cannot have explicit fields/references attributes, which aligns with Prisma's behavior.

---

349-379: Improved validation flow for relation ownership.

The reorganized logic clearly enforces that exactly one side of a non-M2M relation must specify fields/references, with appropriate error messages for both sides when this constraint is violated.

---

388-431: Comprehensive one-to-one relation validation.

The validation correctly ensures that foreign key fields in one-to-one relations are marked as unique, either through field-level attributes or model-level constraints. This prevents data integrity issues.

tests/e2e/prisma-consistency/zmodel-validation.test.ts (3)

1-12: LGTM!

The imports and interface definition are appropriate for the test implementation.

---

92-104: LGTM!

Good test setup with proper isolation using unique temp directories and cleanup.

---

105-1011: Excellent comprehensive test coverage!

The test suite provides thorough coverage of ZenStack schema validation scenarios including:

• Model and field validations
• Relation types (one-to-one, one-to-many, many-to-many, self-relations)
• Constraints (unique, compound IDs)
• Database provider-specific validations
• Attribute validations

The tests are well-organized, follow consistent patterns, and cover both positive and negative cases effectively.

[claude]

Claude finished @ymc9's task —— View job

---

Code Review: ZModel Validation Enhancements

Summary: This PR significantly improves ZModel validation by adding stricter attribute validation, enhancing relation field checks, and providing comprehensive E2E test coverage. The changes align ZenStack validation behavior more closely with Prisma's expectations.

---

✅ Strengths

1. Well-Designed Meta-Attribute System

• The @@@once() meta-attribute in stdlib.zmodel:230 is an elegant solution for preventing duplicate attributes
• Clean implementation in attribute-application-validator.ts:136-146 with proper error messaging
• Consistent application to @id and @unique attributes prevents common schema mistakes

2. Comprehensive Relation Validation

• Self-relation validation (datamodel-validator.ts:262-269): Properly requires explicit naming to prevent ambiguity
• Many-to-many validation (datamodel-validator.ts:334-347): Correctly prevents explicit fields/references in implicit M2M relations
• One-to-one validation (datamodel-validator.ts:388-431): Ensures foreign key uniqueness constraints

3. Excellent Test Coverage

• 1000+ lines of comprehensive E2E tests covering all major validation scenarios
• Tests both positive and negative cases systematically
• Good organization with descriptive test names and clear expectations

---

⚠️ Issues and Improvements

Code Quality & Best Practices

1. Type Safety in Test File (zmodel-validation.test.ts:65)

// Current - uses 'any' type
} catch (error: any) {
    return {
        success: false,
        errors: this.extractErrors(error.stderr),
    };
}

// Suggested improvement
} catch (error: unknown) {
    if (error instanceof Error && 'stderr' in error) {
        return {
            success: false,
            errors: this.extractErrors((error as any).stderr),
        };
    }
    return {
        success: false,
        errors: ['Unknown error occurred during validation'],
    };
}

2. Missing Timeout Protection (zmodel-validation.test.ts:55-59)

// Add timeout to prevent hanging tests
const result = execSync(`node ${this.cliPath} generate`, {
    cwd: this.testDir,
    stdio: 'pipe',
    encoding: 'utf8',
    timeout: 30000, // 30 second timeout
});

3. Hardcoded String Constants (attribute-application-validator.ts:138)

// Consider extracting to constant
const ONCE_ATTRIBUTE = '@@@once';
if (!attrDecl?.attributes.some((a) => a.decl.ref?.name === ONCE_ATTRIBUTE)) {

Potential Bugs

1. Field Comparison Logic (datamodel-validator.ts:276)

// Current field exclusion logic
f.name !== field.name && f.type.reference?.ref?.name === contextModel.name

// Consider: What if fields have same name but different types/containers?
// More robust approach might include container comparison

2. Race Condition in Tests (zmodel-validation.test.ts:98)

// Using Date.now() could cause collisions in parallel execution
tempDir = join(tmpdir(), 'zenstack-validation-test-' + randomUUID());

// Current implementation is actually good - uses randomUUID()
// No issue here, but worth noting for future reference

Performance Considerations

1. Efficient Field Filtering (datamodel-validator.ts:274-282)

• Current implementation filters fields twice - could be optimized to single pass
• Consider caching relation parsing results if called frequently

2. Test Performance

• Each test creates a new temporary directory and runs CLI - could be slow
• Consider batching some validations or using in-memory validation where possible

Security Concerns

1. Command Injection Protection (zmodel-validation.test.ts:55)

• CLI path construction is safe (uses join())
• execSync call is properly parameterized
• No obvious injection vulnerabilities

2. File System Safety

• Proper cleanup in test teardown prevents disk space issues
• Uses temporary directories appropriately

---

🔧 Specific Recommendations

Error Message Clarity (attribute-application-validator.ts:222)

// Make error messages more specific
const attributeName = attr.decl.ref?.name || 'unknown';
accept('error', `\`${attributeName}\` expects an array of field references`, {
    node: attr.args[0]!,
});

CLI Path Resolution (zmodel-validation.test.ts:24-25)

// More robust CLI resolution
private resolveCLIPath(): string {
    try {
        return require.resolve('@zenstackhq/cli/bin/cli');
    } catch {
        // Fallback to current approach
        const currentDir = dirname(fileURLToPath(import.meta.url));
        return join(currentDir, '../node_modules/@zenstackhq/cli/bin/cli');
    }
}

Test Assertion Specificity

Many tests only check result.errors.length > 0 but could be more specific:

// Instead of generic error checking
expect(result.errors.length).toBeGreaterThan(0);

// Consider checking for specific error patterns
expect(result.errors.some(e => e.includes('unique criterion'))).toBe(true);

---

📋 Test Coverage Assessment

Excellent Coverage:

• ✅ Basic model validation scenarios
• ✅ Compound ID and unique constraints
• ✅ All relation types (1:1, 1:many, many:many, self)
• ✅ Field type validations
• ✅ Attribute validations
• ✅ Database provider specific rules

Potential Gaps:

• ⚠️ Edge cases with inheritance and delegate models
• ⚠️ Complex nested relation scenarios
• ⚠️ Performance testing with large schemas

---

🎯 Overall Assessment

This is a high-quality PR that significantly improves ZenStack's validation robustness. The code follows good practices, introduces meaningful validation improvements, and provides excellent test coverage.

Key Improvements:

1. ✅ Prevents duplicate attribute applications
2. ✅ Enhances relation validation accuracy
3. ✅ Provides comprehensive test coverage
4. ✅ Aligns with Prisma validation behavior

Minor Issues:

• Some opportunities for improved type safety
• A few hardcoded strings could be constants
• Test robustness could be enhanced

Recommendation: ✅ APPROVE with consideration for the minor improvements suggested above.

---

[claude]

Claude finished @ymc9's task —— View job

---

Code Review: ZModel Validation Enhancements

Summary: This PR significantly improves ZModel validation by adding stricter attribute validation, enhancing relation field checks, and providing comprehensive E2E test coverage. The changes align ZenStack validation behavior more closely with Prisma's expectations.

Progress:

• Analyze changed files and understand the implementation
• Evaluate code quality and best practices
• Identify potential bugs or issues
• Assess performance considerations
• Review security concerns
• Evaluate test coverage adequacy
• Provide comprehensive code review feedback

---

✅ Strengths

1. Well-Designed Meta-Attribute System

• The @@@once() meta-attribute in stdlib.zmodel:230 is an elegant solution for preventing duplicate attributes
• Clean implementation in attribute-application-validator.ts:136-146 with proper error messaging
• Consistent application to @id and @unique attributes prevents common schema mistakes

2. Comprehensive Relation Validation

• Self-relation validation (datamodel-validator.ts:262-269): Properly requires explicit naming to prevent ambiguity
• Many-to-many validation (datamodel-validator.ts:334-347): Correctly prevents explicit fields/references in implicit M2M relations
• One-to-one validation (datamodel-validator.ts:388-431): Ensures foreign key uniqueness constraints

3. Excellent Test Coverage

• 1000+ lines of comprehensive E2E tests covering all major validation scenarios
• Tests both positive and negative cases systematically
• Good organization with descriptive test names and clear expectations

---

⚠️ Issues and Improvements

Code Quality & Best Practices

1. Type Safety in Test File (zmodel-validation.test.ts:65)

// Current - uses 'any' type
} catch (error: any) {
    return {
        success: false,
        errors: this.extractErrors(error.stderr),
    };
}

// Suggested improvement
} catch (error: unknown) {
    if (error instanceof Error && 'stderr' in error) {
        return {
            success: false,
            errors: this.extractErrors((error as any).stderr),
        };
    }
    return {
        success: false,
        errors: ['Unknown error occurred during validation'],
    };
}

2. Missing Timeout Protection (zmodel-validation.test.ts:55-59)

// Add timeout to prevent hanging tests
const result = execSync(`node ${this.cliPath} generate`, {
    cwd: this.testDir,
    stdio: 'pipe',
    encoding: 'utf8',
    timeout: 30000, // 30 second timeout
});

3. Hardcoded String Constants (attribute-application-validator.ts:138)

// Consider extracting to constant
const ONCE_ATTRIBUTE = '@@@once';
if (!attrDecl?.attributes.some((a) => a.decl.ref?.name === ONCE_ATTRIBUTE)) {

Potential Bugs

1. Field Comparison Logic (datamodel-validator.ts:276)

// Current field exclusion logic
f.name !== field.name && f.type.reference?.ref?.name === contextModel.name

// Consider: What if fields have same name but different types/containers?
// More robust approach might include container comparison

2. Race Condition in Tests (zmodel-validation.test.ts:98)

// Using Date.now() could cause collisions in parallel execution
tempDir = join(tmpdir(), 'zenstack-validation-test-' + randomUUID());

// Current implementation is actually good - uses randomUUID()
// No issue here, but worth noting for future reference

Performance Considerations

1. Efficient Field Filtering (datamodel-validator.ts:274-282)

• Current implementation filters fields twice - could be optimized to single pass
• Consider caching relation parsing results if called frequently

2. Test Performance

• Each test creates a new temporary directory and runs CLI - could be slow
• Consider batching some validations or using in-memory validation where possible

Security Concerns

1. Command Injection Protection (zmodel-validation.test.ts:55)

• CLI path construction is safe (uses join())
• execSync call is properly parameterized
• No obvious injection vulnerabilities

2. File System Safety

• Proper cleanup in test teardown prevents disk space issues
• Uses temporary directories appropriately

---

🔧 Specific Recommendations

Error Message Clarity (attribute-application-validator.ts:222)

// Make error messages more specific
const attributeName = attr.decl.ref?.name || 'unknown';
accept('error', `\`${attributeName}\` expects an array of field references`, {
    node: attr.args[0]!,
});

CLI Path Resolution (zmodel-validation.test.ts:24-25)

// More robust CLI resolution
private resolveCLIPath(): string {
    try {
        return require.resolve('@zenstackhq/cli/bin/cli');
    } catch {
        // Fallback to current approach
        const currentDir = dirname(fileURLToPath(import.meta.url));
        return join(currentDir, '../node_modules/@zenstackhq/cli/bin/cli');
    }
}

Test Assertion Specificity

Many tests only check result.errors.length > 0 but could be more specific:

// Instead of generic error checking
expect(result.errors.length).toBeGreaterThan(0);

// Consider checking for specific error patterns
expect(result.errors.some(e => e.includes('unique criterion'))).toBe(true);

---

📋 Test Coverage Assessment

Excellent Coverage:

• ✅ Basic model validation scenarios
• ✅ Compound ID and unique constraints
• ✅ All relation types (1:1, 1:many, many:many, self)
• ✅ Field type validations
• ✅ Attribute validations
• ✅ Database provider specific rules

Potential Gaps:

• ⚠️ Edge cases with inheritance and delegate models
• ⚠️ Complex nested relation scenarios
• ⚠️ Performance testing with large schemas

---

🎯 Overall Assessment

This is a high-quality PR that significantly improves ZenStack's validation robustness. The code follows good practices, introduces meaningful validation improvements, and provides excellent test coverage.

Key Improvements:

1. ✅ Prevents duplicate attribute applications
2. ✅ Enhances relation validation accuracy
3. ✅ Provides comprehensive test coverage
4. ✅ Aligns with Prisma validation behavior

Minor Issues:

• Some opportunities for improved type safety
• A few hardcoded strings could be constants
• Test robustness could be enhanced

Recommendation: ✅ APPROVE with consideration for the minor improvements suggested above.

---