feat(validation): add API to suppress validation

[ymc9]

Summary by CodeRabbit

• New Features
  • Added a client-level toggle to enable/disable input validation and a client option to set its default.
• Bug Fixes / Behavior
  • Validation now consistently honors the client-level toggle across create and update operations, including decimal and primitive fields.
• Tests
  • Added e2e tests verifying disabling validation permits previously rejected inputs.
  • Added several skipped regression suites covering policy enforcement, nested updates, and tenant propagation.

[claude]

Claude finished @ymc9's task —— View job

---

Pull Request Review: Add API to Suppress Validation

I've completed a thorough review of this PR that adds the ability to suppress input validation in ZenStack. Here's my comprehensive feedback:

Review Checklist:

• Analyze core implementation files
• Review API design and usability
• Check for potential bugs and edge cases
• Evaluate security implications
• Assess performance considerations
• Review test coverage and quality
• Provide final recommendations

---

✅ Strengths

1. Excellent API Design

• Immutable Pattern: $setInputValidation() returns a new client instance rather than mutating the existing one (client-impl.ts:291-297) - this is consistent with other client methods like $setAuth()
• Clear Naming: The method name and validateInput option are self-documenting
• Type Safety: Properly integrated into the ClientContract interface with full TypeScript support
• Consistent Interface: Follows the same pattern as $setAuth() and other client configuration methods

2. Clean Implementation

• Centralized Control: The validation logic is controlled via a single extraValidationsEnabled getter (validator/index.ts:63-65)
• Performance Optimized: Schema caching is maintained per client instance, avoiding unnecessary recomputation
• Minimal Surface Area: Only affects primitive field validation where attributes like @email, @regex are used

3. Comprehensive Test Coverage

• Core Functionality: Tests verify validation can be disabled and original client remains unaffected
• Regression Coverage: Includes test for issue #2025 demonstrating real-world usage
• Edge Cases: Tests show validation suppression works for various field types (email, regex, etc.)

---

⚠️ Areas for Improvement

1. Documentation Gaps

// packages/runtime/src/client/contract.ts:107-110
/**
 * Returns a new client enabling/disabling input validations expressed with attributes like
 * `@email`, `@regex`, `@@validate`, etc.
 */
$setInputValidation(enable: boolean): ClientContract<Schema>;

Issue: Documentation mentions @@validate but the implementation only affects primitive validations, not custom @@validate rules.

Recommendation: Update documentation to be more precise:

/**
 * Returns a new client enabling/disabling input validations for primitive field 
 * attributes like `@email`, `@regex`, `@url`, etc. Does not affect custom 
 * `@@validate` rules which are always enforced.
 */

2. Potential Security Concern

The implementation allows bypassing important validations like email format, which could lead to data integrity issues if misused.

Recommendations:

• Add prominent documentation warnings about security implications
• Consider logging when validation is disabled (for audit trails)
• Possibly add a development-only warning when validation is disabled

3. Inconsistent Validation Scope

Current Behavior: Only primitive field validations (via addStringValidation, addNumberValidation, etc.) are suppressed. Custom @@validate rules are always enforced.

Questions for Consideration:

• Should @@validate rules also be suppressible for consistency?
• Is the current behavior intentional for security reasons?
• Should this be documented more clearly?

---

🔍 Technical Analysis

Implementation Quality

• Code Pattern: Follows established patterns in the codebase ✅
• Error Handling: Proper validation and error propagation ✅
• Type Safety: Full TypeScript integration ✅
• Performance: Minimal overhead, leverages existing caching ✅

Edge Cases Handled

• Client Immutability: Original client unaffected after creating validation-disabled instance ✅
• Transaction Support: Should work within transactions (inherited behavior) ✅
• Plugin Compatibility: No conflicts with existing plugin architecture ✅

Potential Issues

• Memory Usage: Each $setInputValidation() call creates a new client instance. This is consistent with other methods but worth noting.
• Schema Cache: Each client instance maintains its own schema cache, which could lead to memory duplication in some scenarios.

---

🎯 Final Recommendations

High Priority

1. Fix Documentation: Update JSDoc comment for $setInputValidation() to accurately reflect what validations are suppressed
2. Add Security Warning: Include documentation about potential security implications

Medium Priority

3. Consider Logging: Add optional logging when validation is disabled for audit purposes
4. Clarify Scope: Document the distinction between primitive validations and @@validate rules

Low Priority

5. Performance Monitoring: Consider if frequent client creation could be optimized (though this follows existing patterns)

---

✅ Verdict

This is a well-implemented feature that follows ZenStack's established patterns and provides a clean API for suppressing input validation. The implementation is solid, test coverage is good, and the use case is valid (especially for data migration scenarios).

Recommendation: Approve with the documentation fix and security warning additions.

The core implementation is production-ready, and the identified issues are primarily documentation improvements rather than functional problems.

---

[Copilot]

Pull Request Overview

This PR adds an API to suppress input validation by introducing a new $setInputValidation() method and a validateInput client option. This allows users to bypass validation rules expressed through attributes like @email, @regex, and @@validate.

• Added $setInputValidation(enable: boolean) method to the client contract and implementation
• Introduced validateInput option to ClientOptions (defaults to true)
• Modified InputValidator to conditionally apply validation rules based on the validateInput setting

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
packages/runtime/src/client/options.ts	Added validateInput boolean option to ClientOptions
packages/runtime/src/client/contract.ts	Added $setInputValidation method signature to the client contract
packages/runtime/src/client/client-impl.ts	Implemented $setInputValidation method to create a new client instance with updated validation setting
packages/runtime/src/client/crud/validator/index.ts	Modified validator to conditionally apply extra validations based on client options
tests/e2e/orm/validation/custom-validation.test.ts	Added test verifying validation can be disabled and original client remains unaffected
tests/regression/test/v2-migrated/issue-2025.test.ts	Added regression test for issue 2025 using validation suppression
tests/regression/test/v2-migrated/issue-2019.test.ts	Added regression test for issue 2019 with policy client
tests/regression/test/v2-migrated/issue-2007.test.ts	Added skipped regression test for issue 2007 with field-level policy
tests/regression/test/v2-migrated/issue-2000.test.ts	Added skipped regression test for issue 2000 with validation rules

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Walkthrough

Adds a client-level input-validation toggle (validateInput option and $setInputValidation), refactors the input validator to read schema and the validation flag from the client, makes extra validations conditional, updates decimal validation util signature, and adds tests (including disabling validation and several skipped regression suites).

Changes

Cohort / File(s)	Summary of changes
Client API & options packages/runtime/src/client/client-impl.ts, packages/runtime/src/client/contract.ts, packages/runtime/src/client/options.ts	Add validateInput?: boolean to ClientOptions; add $setInputValidation(enable: boolean) to ClientContract and implement on ClientImpl to return a client clone with updated option.
Validator refactor packages/runtime/src/client/crud/validator/index.ts, packages/runtime/src/client/crud/validator/*	InputValidator constructor now accepts ClientContract<Schema>; private getters for schema and extraValidationsEnabled; conditional application of extra/custom validations across primitive, decimal, create/update, and unchecked/checked paths.
Decimal utils packages/runtime/src/client/crud/validator/utils.ts	addDecimalValidation signature changed to accept addExtraValidation: boolean; validation loop gated by this flag.
Tests — e2e & regression tests/e2e/orm/validation/custom-validation.test.ts, tests/regression/test/v2-migrated/issue-2000.test.ts, tests/regression/test/v2-migrated/issue-2007.test.ts, tests/regression/test/v2-migrated/issue-2019.test.ts, tests/regression/test/v2-migrated/issue-2025.test.ts	Add test asserting disabling validation via db.$setInputValidation(false) permits otherwise-invalid inputs; add multiple skipped regression suites verifying policy/tenant behaviors and related validation scenarios.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: implement field validation #290: Modifies runtime input validation and InputValidator constructor/signature; directly related to validator/client integration and decimal validation changes.

Poem

i am a rabbit, small and wise,
I flip a flag with curious eyes.
Schemas murmur, checks take flight,
turn validation off — and all is light.
hop, hop, the tests pass bright 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The PR title "feat(validation): add API to suppress validation" accurately reflects the main change in this changeset. The PR introduces a new public method $setInputValidation(enable: boolean) across the ClientImpl and ClientContract classes that allows users to toggle input validation on/off, along with supporting infrastructure changes to make validation conditional based on this flag. The title is concise, specific, and clearly communicates the core objective without being vague or overly broad. A teammate reviewing the commit history would immediately understand that this PR adds a validation control API.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/supress-validation

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e9cac0a and 3385c75.

📒 Files selected for processing (2)

• packages/runtime/src/client/crud/validator/index.ts (5 hunks)
• packages/runtime/src/client/crud/validator/utils.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

{packages,samples,tests}/**

📄 CodeRabbit inference engine (CLAUDE.md)

Place packages only under packages/, samples/, or tests/

Files:

• packages/runtime/src/client/crud/validator/utils.ts
• packages/runtime/src/client/crud/validator/index.ts

🧬 Code graph analysis (1)

packages/runtime/src/client/crud/validator/index.ts (2)

packages/runtime/src/client/contract.ts (1)

• ClientContract (50-165)

packages/runtime/src/client/crud/validator/utils.ts (5)

• addStringValidation (24-86)
• addNumberValidation (88-114)
• addBigIntValidation (116-143)
• addDecimalValidation (145-204)
• addCustomValidation (206-227)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: claude-review
• GitHub Check: build-test (20.x, postgresql)
• GitHub Check: build-test (20.x, sqlite)

🔇 Additional comments (7)

packages/runtime/src/client/crud/validator/index.ts (5)

19-19: LGTM!

The ClientContract import is correctly added to support the new constructor signature.

---

57-65: LGTM!

The refactoring to use ClientContract<Schema> with private getters is well-designed. The extraValidationsEnabled getter correctly defaults to true when validateInput is not explicitly set to false.

---

258-291: Previous critical issue has been resolved.

The Decimal handling now correctly addresses the type-safety concern raised in the previous review. The implementation:

1. Always transforms strings to Decimal instances by calling addDecimalValidation for all union branches
2. Conditionally applies attribute validations (@gt, @lte, etc.) based on extraValidationsEnabled

The addDecimalValidation function (lines 152-166 in utils.ts) ensures the string-to-Decimal transformation always occurs, while attribute validations (lines 180-201) only apply when addExtraValidation is true.

Based on past review comments.

---

933-938: LGTM!

The conditional application of addCustomValidation for create schemas is correctly implemented, ensuring @@validate attributes are only enforced when input validation is enabled.

---

1217-1222: LGTM!

The conditional application of addCustomValidation for update schemas mirrors the create schema implementation, maintaining consistency across the codebase.

packages/runtime/src/client/crud/validator/utils.ts (2)

148-148: LGTM!

The addition of the addExtraValidation parameter enables fine-grained control over attribute validation while preserving the essential string-to-Decimal transformation.

---

180-180: LGTM!

The guard condition correctly ensures that attribute-based validations (@gt, @gte, @lt, @lte) are only applied when both attributes exist and addExtraValidation is true, while still preserving the string-to-Decimal transformation.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/runtime/src/client/crud/validator/index.ts (1)

258-298: Critical: Cache invalidation issue with validation toggle.

The schemaCache is keyed by {model, operation, options} (line 201-205) but doesn't include the validateInput setting. When a user toggles validation using $setInputValidation(), the cache may return stale schemas that were generated with different validation settings.

Consider one of these solutions:

Solution 1 (Recommended): Include extraValidationsEnabled in the cache key:

     private validate<T, Options = undefined>(
         model: GetModels<Schema>,
         operation: string,
         options: Options,
         getSchema: GetSchemaFunc<Schema, Options>,
         args: unknown,
     ) {
         const cacheKey = stableStringify({
             model,
             operation,
             options,
+            validateInput: this.extraValidationsEnabled,
         });

Solution 2: Clear the cache when validation is toggled (requires tracking in ClientImpl):

$setInputValidation(enable: boolean) {
    const newOptions: ClientOptions<Schema> = {
        ...this.options,
        validateInput: enable,
    };
    const newClient = new ClientImpl<Schema>(this.schema, newOptions, this);
    // InputValidator will be recreated in createClientProxy, getting a fresh cache
    return newClient;
}

Note: Solution 2 is already implicitly implemented since createClientProxy creates a new InputValidator instance for each client, so each client with different validation settings will have its own cache. However, this could still be an issue if the schema cache grows too large over time when toggling validation repeatedly.

🧹 Nitpick comments (1)

tests/regression/test/v2-migrated/issue-2019.test.ts (1)

4-85: LGTM! Test correctly validates tenant propagation through delegated models.

The regression test is well-structured and accurately verifies that tenantId from the auth context propagates to nested PostUserLikes records created via createMany within a delegated model hierarchy. The test flow is clear: setup tenant/user, authenticate, create post with nested likes, and assert tenant propagation.

Optional enhancement for robustness:

Consider testing with multiple nested likes to ensure consistent tenant propagation across all items:

                 createMany: {
                     data: [
                         {
                             userId: user.id,
                         },
+                        {
+                            userId: user.id,
+                        },
                     ],
                 },

Then update the assertion:

-    expect(result.likes[0].tenantId).toBe(tenant.id);
+    result.likes.forEach(like => {
+        expect(like.tenantId).toBe(tenant.id);
+    });

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cad7098 and 7b06d4b.

📒 Files selected for processing (9)

• packages/runtime/src/client/client-impl.ts (2 hunks)
• packages/runtime/src/client/contract.ts (1 hunks)
• packages/runtime/src/client/crud/validator/index.ts (3 hunks)
• packages/runtime/src/client/options.ts (1 hunks)
• tests/e2e/orm/validation/custom-validation.test.ts (1 hunks)
• tests/regression/test/v2-migrated/issue-2000.test.ts (1 hunks)
• tests/regression/test/v2-migrated/issue-2007.test.ts (1 hunks)
• tests/regression/test/v2-migrated/issue-2019.test.ts (1 hunks)
• tests/regression/test/v2-migrated/issue-2025.test.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

{packages,samples,tests}/**

📄 CodeRabbit inference engine (CLAUDE.md)

Place packages only under packages/, samples/, or tests/

Files:

• packages/runtime/src/client/contract.ts
• packages/runtime/src/client/options.ts
• tests/e2e/orm/validation/custom-validation.test.ts
• tests/regression/test/v2-migrated/issue-2019.test.ts
• tests/regression/test/v2-migrated/issue-2007.test.ts
• tests/regression/test/v2-migrated/issue-2025.test.ts
• packages/runtime/src/client/client-impl.ts
• tests/regression/test/v2-migrated/issue-2000.test.ts
• packages/runtime/src/client/crud/validator/index.ts

tests/e2e/**

📄 CodeRabbit inference engine (CLAUDE.md)

End-to-end tests must live under tests/e2e/

Files:

• tests/e2e/orm/validation/custom-validation.test.ts

🧬 Code graph analysis (7)

tests/e2e/orm/validation/custom-validation.test.ts (1)

packages/testtools/src/client.ts (1)

• createTestClient (51-166)

tests/regression/test/v2-migrated/issue-2019.test.ts (1)

packages/testtools/src/client.ts (1)

• createPolicyTestClient (176-187)

tests/regression/test/v2-migrated/issue-2007.test.ts (1)

packages/testtools/src/client.ts (1)

• createPolicyTestClient (176-187)

tests/regression/test/v2-migrated/issue-2025.test.ts (1)

packages/testtools/src/client.ts (1)

• createTestClient (51-166)

packages/runtime/src/client/client-impl.ts (3)

packages/runtime/src/client/options.ts (1)

• ClientOptions (45-96)

packages/runtime/src/client/crud/validator/index.ts (1)

• InputValidator (54-1470)

packages/runtime/src/client/contract.ts (1)

• ClientContract (50-165)

tests/regression/test/v2-migrated/issue-2000.test.ts (1)

packages/testtools/src/client.ts (1)

• createPolicyTestClient (176-187)

packages/runtime/src/client/crud/validator/index.ts (3)

packages/runtime/src/client/contract.ts (1)

• ClientContract (50-165)

packages/runtime/src/client/crud/validator/utils.ts (4)

• addStringValidation (24-86)
• addNumberValidation (88-114)
• addBigIntValidation (116-143)
• addDecimalValidation (145-203)

packages/runtime/src/client/crud/operations/base.ts (1)

• options (94-96)

🪛 Gitleaks (8.28.0)

tests/regression/test/v2-migrated/issue-2000.test.ts

[high] 61-61: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build-test (20.x, postgresql)
• GitHub Check: build-test (20.x, sqlite)

🔇 Additional comments (5)

packages/runtime/src/client/client-impl.ts (2)

291-297: LGTM! Consistent implementation pattern.

The $setInputValidation method follows the same immutable pattern as other client modification methods like $setAuth, $use, and $unuse, correctly creating a new client instance with updated options.

---

336-336: LGTM! Correct refactor for validator construction.

The change from passing client.$schema to passing the full client (cast to ClientContract<Schema>) correctly aligns with the updated InputValidator constructor signature, enabling the validator to access client options.

packages/runtime/src/client/crud/validator/index.ts (2)

57-65: LGTM! Clean refactor with proper encapsulation.

The constructor refactor to accept ClientContract<Schema> and the addition of private getters for schema and extraValidationsEnabled provide clean encapsulation. The default behavior (validation enabled when validateInput is not explicitly set to false) is correct.

---

54-65: Verify cache isolation across validation toggles.

Each InputValidator instance has its own schemaCache (line 55), and $setInputValidation() creates a new client instance with a new validator. This means the cache is isolated per validation setting, which is correct.

However, please verify this behavior with a test that:

1. Creates a client with validation enabled
2. Performs operations (populating the cache)
3. Toggles validation off with $setInputValidation(false)
4. Verifies operations behave differently (confirming a fresh cache)

tests/regression/test/v2-migrated/issue-2025.test.ts (1)

4-38: The custom matchers .toBeRejectedByValidation() and .toResolveTruthy() are both properly defined in packages/testtools/src/vitest-ext.ts and exported through packages/testtools/src/types.d.ts. They are actively used throughout the test suite, including correctly in the test under review. No issues identified.

[claude]

Claude finished @ymc9's task —— View job

---

Pull Request Review: Add API to Suppress Validation

I've completed a thorough review of this PR that adds the ability to suppress input validation in ZenStack. Here's my comprehensive feedback:

Review Checklist:

• Analyze core implementation files
• Review API design and usability
• Check for potential bugs and edge cases
• Evaluate security implications
• Assess performance considerations
• Review test coverage and quality
• Provide final recommendations

---

✅ Strengths

1. Excellent API Design

• Immutable Pattern: $setInputValidation() returns a new client instance rather than mutating the existing one (client-impl.ts:291-297) - this is consistent with other client methods like $setAuth()
• Clear Naming: The method name and validateInput option are self-documenting
• Type Safety: Properly integrated into the ClientContract interface with full TypeScript support
• Consistent Interface: Follows the same pattern as $setAuth() and other client configuration methods

2. Clean Implementation

• Centralized Control: The validation logic is controlled via a single extraValidationsEnabled getter (validator/index.ts:63-65)
• Performance Optimized: Schema caching is maintained per client instance, avoiding unnecessary recomputation
• Minimal Surface Area: Only affects primitive field validation where attributes like @email, @regex are used

3. Comprehensive Test Coverage

• Core Functionality: Tests verify validation can be disabled and original client remains unaffected
• Regression Coverage: Includes test for issue #2025 demonstrating real-world usage
• Edge Cases: Tests show validation suppression works for various field types (email, regex, etc.)

---

⚠️ Areas for Improvement

1. Documentation Gaps

// packages/runtime/src/client/contract.ts:107-110
/**
 * Returns a new client enabling/disabling input validations expressed with attributes like
 * `@email`, `@regex`, `@@validate`, etc.
 */
$setInputValidation(enable: boolean): ClientContract<Schema>;

Issue: Documentation mentions @@validate but the implementation only affects primitive validations, not custom @@validate rules.

Recommendation: Update documentation to be more precise:

/**
 * Returns a new client enabling/disabling input validations for primitive field 
 * attributes like `@email`, `@regex`, `@url`, etc. Does not affect custom 
 * `@@validate` rules which are always enforced.
 */

2. Potential Security Concern

The implementation allows bypassing important validations like email format, which could lead to data integrity issues if misused.

Recommendations:

• Add prominent documentation warnings about security implications
• Consider logging when validation is disabled (for audit trails)
• Possibly add a development-only warning when validation is disabled

3. Inconsistent Validation Scope

Current Behavior: Only primitive field validations (via addStringValidation, addNumberValidation, etc.) are suppressed. Custom @@validate rules are always enforced.

Questions for Consideration:

• Should @@validate rules also be suppressible for consistency?
• Is the current behavior intentional for security reasons?
• Should this be documented more clearly?

---

🔍 Technical Analysis

Implementation Quality

• Code Pattern: Follows established patterns in the codebase ✅
• Error Handling: Proper validation and error propagation ✅
• Type Safety: Full TypeScript integration ✅
• Performance: Minimal overhead, leverages existing caching ✅

Edge Cases Handled

• Client Immutability: Original client unaffected after creating validation-disabled instance ✅
• Transaction Support: Should work within transactions (inherited behavior) ✅
• Plugin Compatibility: No conflicts with existing plugin architecture ✅

Potential Issues

• Memory Usage: Each $setInputValidation() call creates a new client instance. This is consistent with other methods but worth noting.
• Schema Cache: Each client instance maintains its own schema cache, which could lead to memory duplication in some scenarios.

---

🎯 Final Recommendations

High Priority

1. Fix Documentation: Update JSDoc comment for $setInputValidation() to accurately reflect what validations are suppressed
2. Add Security Warning: Include documentation about potential security implications

Medium Priority

3. Consider Logging: Add optional logging when validation is disabled for audit purposes
4. Clarify Scope: Document the distinction between primitive validations and @@validate rules

Low Priority

5. Performance Monitoring: Consider if frequent client creation could be optimized (though this follows existing patterns)

---

✅ Verdict

This is a well-implemented feature that follows ZenStack's established patterns and provides a clean API for suppressing input validation. The implementation is solid, test coverage is good, and the use case is valid (especially for data migration scenarios).

Recommendation: Approve with the documentation fix and security warning additions.

The core implementation is production-ready, and the identified issues are primarily documentation improvements rather than functional problems.

---

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/runtime/src/client/crud/validator/index.ts (1)

263-293: Conditional validation logic is well-implemented.

The conditional application of validation based on extraValidationsEnabled is correct and consistently applied across all primitive types.

The Decimal handling (lines 281-293) could be refactored for clarity:

-.with('Decimal', () => {
-    const options: [z.ZodSchema, z.ZodSchema, ...z.ZodSchema[]] = [
-        z.number(),
-        z.instanceof(Decimal),
-        z.string(),
-    ];
-    if (this.extraValidationsEnabled) {
-        for (let i = 0; i < options.length; i++) {
-            options[i] = addDecimalValidation(options[i]!, attributes);
-        }
-    }
-    return z.union(options);
-})
+.with('Decimal', () => {
+    const baseOptions = [z.number(), z.instanceof(Decimal), z.string()];
+    const options = this.extraValidationsEnabled
+        ? baseOptions.map(opt => addDecimalValidation(opt, attributes))
+        : baseOptions;
+    return z.union(options as [z.ZodSchema, z.ZodSchema, ...z.ZodSchema[]]);
+})

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b06d4b and 3cbf004.

📒 Files selected for processing (2)

• packages/runtime/src/client/crud/validator/index.ts (5 hunks)
• tests/e2e/orm/validation/custom-validation.test.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/e2e/orm/validation/custom-validation.test.ts

🧰 Additional context used

📓 Path-based instructions (1)

{packages,samples,tests}/**

📄 CodeRabbit inference engine (CLAUDE.md)

Place packages only under packages/, samples/, or tests/

Files:

• packages/runtime/src/client/crud/validator/index.ts

🧬 Code graph analysis (1)

packages/runtime/src/client/crud/validator/index.ts (3)

packages/runtime/src/client/contract.ts (1)

• ClientContract (50-165)

packages/runtime/src/client/crud/validator/utils.ts (5)

• addStringValidation (24-86)
• addNumberValidation (88-114)
• addBigIntValidation (116-143)
• addDecimalValidation (145-203)
• addCustomValidation (205-226)

packages/runtime/src/client/crud/operations/base.ts (1)

• options (94-96)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: claude-review
• GitHub Check: build-test (20.x, postgresql)
• GitHub Check: build-test (20.x, sqlite)

🔇 Additional comments (3)

packages/runtime/src/client/crud/validator/index.ts (3)

57-65: LGTM! Well-designed encapsulation.

The constructor and getter changes provide good encapsulation by accessing the schema and validation settings through the client. The default behavior (validation enabled when validateInput !== false) is sensible and aligns with the PR objective of adding an API to suppress validation.

---

939-944: LGTM! Conditional validation for create and update schemas.

The conditional application of addCustomValidation to both unchecked and checked schema variants is correct and consistent. The @@validate attributes are properly applied only when extraValidationsEnabled is true, aligning with the overall design.

Also applies to: 1223-1228

---

201-209: Schema caching is correct; each client has its own InputValidator instance.

The verification confirms that new InputValidator is instantiated in createClientProxy (packages/runtime/src/client/client-impl.ts:336), creating a separate instance per client. Since each InputValidator instance is isolated to one client and maintains its own schemaCache, the cache is safe even though extraValidationsEnabled is not included in the cache key. The validation settings are tied to the client and thus to the specific InputValidator instance.

[claude]

Claude finished @ymc9's task —— View job

---

Pull Request Review: Add API to Suppress Validation

I've completed a comprehensive review of this PR that adds the ability to suppress input validation in ZenStack. Here's my detailed feedback:

Review Checklist:

• Analyze core implementation files
• Review API design and usability
• Check for potential bugs and edge cases
• Evaluate security implications
• Assess performance considerations
• Review test coverage and quality
• Provide final recommendations

---

✅ Strengths

1. Excellent API Design

• Immutable Pattern: $setInputValidation() returns a new client instance rather than mutating the existing one (client-impl.ts:291-297) - this is consistent with other client methods like $setAuth()
• Clear Naming: The method name and validateInput option are self-documenting
• Type Safety: Properly integrated into the ClientContract interface with full TypeScript support
• Consistent Interface: Follows the same pattern as $setAuth() and other client configuration methods

2. Clean Implementation

• Centralized Control: The validation logic is controlled via a single extraValidationsEnabled getter (validator/index.ts:63-65)
• Performance Optimized: Schema caching is maintained per client instance, avoiding unnecessary recomputation
• Minimal Surface Area: Only affects primitive field validation where attributes like @email, @regex are used

3. Comprehensive Test Coverage

• Core Functionality: Tests verify validation can be disabled and original client remains unaffected
• Regression Coverage: Includes test for issue #2025 demonstrating real-world usage
• Edge Cases: Tests show validation suppression works for various field types (email, regex, etc.)

---

⚠️ Areas for Improvement

1. Documentation Gaps

// packages/runtime/src/client/contract.ts:107-110
/**
 * Returns a new client enabling/disabling input validations expressed with attributes like
 * `@email`, `@regex`, `@@validate`, etc.
 */
$setInputValidation(enable: boolean): ClientContract<Schema>;

Issue: Documentation mentions @@validate but the implementation only affects primitive validations, not custom @@validate rules.

Recommendation: Update documentation to be more precise:

/**
 * Returns a new client enabling/disabling input validations for primitive field 
 * attributes like `@email`, `@regex`, `@url`, etc. Does not affect custom 
 * `@@validate` rules which are always enforced.
 */

2. Potential Security Concern

The implementation allows bypassing important validations like email format, which could lead to data integrity issues if misused.

Recommendations:

• Add prominent documentation warnings about security implications
• Consider logging when validation is disabled (for audit trails)
• Possibly add a development-only warning when validation is disabled

3. Inconsistent Validation Scope

Current Behavior: Only primitive field validations (via addStringValidation, addNumberValidation, etc.) are suppressed. Custom @@validate rules are always enforced.

Questions for Consideration:

• Should @@validate rules also be suppressible for consistency?
• Is the current behavior intentional for security reasons?
• Should this be documented more clearly?

---

🔍 Technical Analysis

Implementation Quality

• Code Pattern: Follows established patterns in the codebase ✅
• Error Handling: Proper validation and error propagation ✅
• Type Safety: Full TypeScript integration ✅
• Performance: Minimal overhead, leverages existing caching ✅

Edge Cases Handled

• Client Immutability: Original client unaffected after creating validation-disabled instance ✅
• Transaction Support: Should work within transactions (inherited behavior) ✅
• Plugin Compatibility: No conflicts with existing plugin architecture ✅

Potential Issues

• Memory Usage: Each $setInputValidation() call creates a new client instance. This is consistent with other methods but worth noting.
• Schema Cache: Each client instance maintains its own schema cache, which could lead to memory duplication in some scenarios.

---

🎯 Final Recommendations

High Priority

1. Fix Documentation: Update JSDoc comment for $setInputValidation() to accurately reflect what validations are suppressed
2. Add Security Warning: Include documentation about potential security implications

Medium Priority

3. Consider Logging: Add optional logging when validation is disabled for audit purposes
4. Clarify Scope: Document the distinction between primitive validations and @@validate rules

Low Priority

5. Performance Monitoring: Consider if frequent client creation could be optimized (though this follows existing patterns)

---

✅ Verdict

This is a well-implemented feature that follows ZenStack's established patterns and provides a clean API for suppressing input validation. The implementation is solid, test coverage is good, and the use case is valid (especially for data migration scenarios).

Recommendation: Approve with the documentation fix and security warning additions.

The core implementation is production-ready, and the identified issues are primarily documentation improvements rather than functional problems.

---

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3cbf004 and e9cac0a.

📒 Files selected for processing (1)

• packages/runtime/src/client/crud/validator/index.ts (5 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

{packages,samples,tests}/**

📄 CodeRabbit inference engine (CLAUDE.md)

Place packages only under packages/, samples/, or tests/

Files:

• packages/runtime/src/client/crud/validator/index.ts

🧬 Code graph analysis (1)

packages/runtime/src/client/crud/validator/index.ts (2)

packages/runtime/src/client/contract.ts (1)

• ClientContract (50-165)

packages/runtime/src/client/crud/validator/utils.ts (5)

• addStringValidation (24-86)
• addNumberValidation (88-114)
• addBigIntValidation (116-143)
• addDecimalValidation (145-203)
• addCustomValidation (205-226)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: claude-review
• GitHub Check: build-test (20.x, sqlite)
• GitHub Check: build-test (20.x, postgresql)

🔇 Additional comments (5)

packages/runtime/src/client/crud/validator/index.ts (5)

59-65: LGTM!

The getters are well-designed:

• schema provides clean encapsulation of client schema access
• extraValidationsEnabled correctly treats undefined as enabled (default behavior)

---

263-279: LGTM!

The conditional validation logic for String, Int, Float, and BigInt types is correctly implemented. These types don't require transformation, so conditionally applying only the validation attributes is appropriate.

---

935-940: LGTM!

The conditional application of addCustomValidation to both unchecked and checked variants is correct and consistent.

---

1219-1224: LGTM!

The update schema changes mirror the create schema pattern correctly, applying addCustomValidation conditionally to both variants.

---

57-57: All InputValidator instantiations updated. Verified the sole instantiation in client-impl.ts passes client as unknown as ClientContract<Schema> and no other instantiations exist.

[claude]

Claude finished @ymc9's task —— View job

---

Pull Request Review: Add API to Suppress Validation

I've completed a comprehensive review of this PR that adds the ability to suppress input validation in ZenStack. Here's my detailed feedback:

Review Checklist:

• Analyze core implementation files
• Review API design and usability
• Check for potential bugs and edge cases
• Evaluate security implications
• Assess performance considerations
• Review test coverage and quality
• Provide final recommendations

---

✅ Strengths

1. Excellent API Design

• Immutable Pattern: $setInputValidation() returns a new client instance rather than mutating the existing one (client-impl.ts:291-297) - this is consistent with other client methods like $setAuth()
• Clear Naming: The method name and validateInput option are self-documenting
• Type Safety: Properly integrated into the ClientContract interface with full TypeScript support
• Consistent Interface: Follows the same pattern as $setAuth() and other client configuration methods

2. Clean Implementation

• Centralized Control: The validation logic is controlled via a single extraValidationsEnabled getter (validator/index.ts:63-65)
• Performance Optimized: Schema caching is maintained per client instance, avoiding unnecessary recomputation
• Minimal Surface Area: Only affects primitive field validation where attributes like @email, @regex are used

3. Comprehensive Test Coverage

• Core Functionality: Tests verify validation can be disabled and original client remains unaffected
• Regression Coverage: Includes test for issue #2025 demonstrating real-world usage
• Edge Cases: Tests show validation suppression works for various field types (email, regex, etc.)

---

⚠️ Areas for Improvement

1. Documentation Gaps

// packages/runtime/src/client/contract.ts:107-110
/**
 * Returns a new client enabling/disabling input validations expressed with attributes like
 * `@email`, `@regex`, `@@validate`, etc.
 */
$setInputValidation(enable: boolean): ClientContract<Schema>;

Issue: Documentation mentions @@validate but the implementation only affects primitive validations, not custom @@validate rules.

Recommendation: Update documentation to be more precise:

/**
 * Returns a new client enabling/disabling input validations for primitive field 
 * attributes like `@email`, `@regex`, `@url`, etc. Does not affect custom 
 * `@@validate` rules which are always enforced.
 */

2. Potential Security Concern

The implementation allows bypassing important validations like email format, which could lead to data integrity issues if misused.

Recommendations:

• Add prominent documentation warnings about security implications
• Consider logging when validation is disabled (for audit trails)
• Possibly add a development-only warning when validation is disabled

3. Inconsistent Validation Scope

Current Behavior: Only primitive field validations (via addStringValidation, addNumberValidation, etc.) are suppressed. Custom @@validate rules are always enforced.

Questions for Consideration:

• Should @@validate rules also be suppressible for consistency?
• Is the current behavior intentional for security reasons?
• Should this be documented more clearly?

---

🔍 Technical Analysis

Implementation Quality

• Code Pattern: Follows established patterns in the codebase ✅
• Error Handling: Proper validation and error propagation ✅
• Type Safety: Full TypeScript integration ✅
• Performance: Minimal overhead, leverages existing caching ✅

Edge Cases Handled

• Client Immutability: Original client unaffected after creating validation-disabled instance ✅
• Transaction Support: Should work within transactions (inherited behavior) ✅
• Plugin Compatibility: No conflicts with existing plugin architecture ✅

Potential Issues

• Memory Usage: Each $setInputValidation() call creates a new client instance. This is consistent with other methods but worth noting.
• Schema Cache: Each client instance maintains its own schema cache, which could lead to memory duplication in some scenarios.

---

🎯 Final Recommendations

High Priority

1. Fix Documentation: Update JSDoc comment for $setInputValidation() to accurately reflect what validations are suppressed
2. Add Security Warning: Include documentation about potential security implications

Medium Priority

3. Consider Logging: Add optional logging when validation is disabled for audit purposes
4. Clarify Scope: Document the distinction between primitive validations and @@validate rules

Low Priority

5. Performance Monitoring: Consider if frequent client creation could be optimized (though this follows existing patterns)

---

✅ Verdict

This is a well-implemented feature that follows ZenStack's established patterns and provides a clean API for suppressing input validation. The implementation is solid, test coverage is good, and the use case is valid (especially for data migration scenarios).

Recommendation: Approve with the documentation fix and security warning additions.

The core implementation is production-ready, and the identified issues are primarily documentation improvements rather than functional problems.

---