fix: responses/compact endpoint, CB cache invalidation, client restrictions batch edit

[ding113]

Summary

Three bug fixes for provider management and proxy routing:

• Fix 1: Add /v1/responses/compact to STANDARD_ENDPOINTS in forwarder, preventing misclassification as MCP request and bypassing endpoint pool selection
• Fix 2: Invalidate Redis + in-memory circuit breaker config caches after batch patch apply/undo when CB fields change (matching single-provider editProvider behavior)
• Fix 3: Add missing allowedClients/blockedClients handlers in buildPatchDraftFromFormState and isValidSetValue validation, fixing silent drops in batch edit pipeline

Problem

1. Endpoint Routing: Requests to /v1/responses/compact were being treated as MCP requests because the endpoint was not in STANDARD_ENDPOINTS. This caused them to bypass proper endpoint pool selection, leading to routing issues.

2. Circuit Breaker Cache Stale: When batch editing providers and modifying circuit breaker fields (failure threshold, open duration, half-open success threshold), the in-memory and Redis caches were not being invalidated. This meant new CB configs wouldn't take effect until cache expired (5 minutes).

3. Client Restrictions Batch Edit: PR fix(ui): improve mobile provider form UX and add client restriction config #822 added UI for configuring allowed_clients/blocked_clients, but the batch edit pipeline was missing handlers for these fields, causing them to be silently dropped during batch operations.

Related Issues:

• Related to 中转codex cli的remote compact异常的BUG #797 - Same /v1/responses/compact endpoint, this PR addresses endpoint routing while 中转codex cli的remote compact异常的BUG #797 tracks parameter injection and response format issues

Follow-up to:

• PR fix(ui): improve mobile provider form UX and add client restriction config #822 - Added client restriction configuration UI; this PR adds batch edit support
• PR feat: security auth overhaul and provider batch operations #806 - Introduced batch operations; this PR fixes CB cache invalidation

Solution

Fix 1: Standard Endpoints

Added /v1/responses/compact to the STANDARD_ENDPOINTS array in forwarder.ts, ensuring the endpoint goes through proper endpoint pool selection.

Fix 2: CB Cache Invalidation

Added cache invalidation logic in applyProviderBatchPatch and undoProviderPatch that:

• Detects if CB fields (circuit_breaker_failure_threshold, circuit_breaker_open_duration, circuit_breaker_half_open_success_threshold) changed
• Calls deleteProviderCircuitConfig() to clear Redis cache
• Calls clearConfigCache() to clear in-memory cache
• Matches behavior of single-provider editProvider

Fix 3: Client Restrictions Batch Support

• Added allowed_clients and blocked_clients handlers in buildPatchDraftFromFormState for form-to-draft conversion
• Added validation for these fields in isValidSetValue function

Changes

Core Changes

• src/app/v1/_lib/proxy/forwarder.ts - Added /v1/responses/compact to STANDARD_ENDPOINTS
• src/actions/providers.ts - Added CB cache invalidation in apply/undo batch operations
• src/app/[locale]/settings/providers/_components/batch-edit/build-patch-draft.ts - Added client restrictions handlers
• src/lib/provider-patch-contract.ts - Added validation for client restriction fields

Test Coverage

• tests/unit/proxy/proxy-forwarder-endpoint-audit.test.ts - Tests for /v1/responses/compact routing
• tests/unit/actions/providers-batch-field-mapping.test.ts - Tests for client restrictions field mapping
• tests/unit/actions/providers-patch-contract.test.ts - Tests for validation of client restrictions
• tests/unit/settings/providers/build-patch-draft.test.ts - Tests for form-to-draft conversion

Test Plan

• bun run typecheck -- no type errors
• bun run lint -- no new lint violations
• bun run test -- all existing + 14 new tests pass (2 pre-existing failures in unrelated files)
• Manual: batch edit providers, modify client restrictions, verify preview shows changes and apply works
• Manual: batch set circuit breaker threshold to 0, verify no requests are circuit-broken
• Manual: send request to /v1/responses/compact, verify it uses endpoint pool (check provider chain logs)

---

Description enhanced by Claude AI

Greptile Summary

This PR fixes three distinct bugs in provider management and proxy routing:

Fix 1: Endpoint Routing - Added /v1/responses/compact to STANDARD_ENDPOINTS, preventing it from being misclassified as an MCP request and ensuring proper endpoint pool selection.

Fix 2: Circuit Breaker Cache Invalidation - Added cache invalidation (Redis + in-memory) in applyProviderBatchPatch and undoProviderPatch when circuit breaker fields change, matching the behavior of single-provider edits.

Fix 3: Client Restrictions Batch Support - Added missing handlers for allowed_clients/blocked_clients fields in the batch edit pipeline (buildPatchDraftFromFormState and isValidSetValue), fixing silent drops during batch operations.

All three fixes are well-implemented with comprehensive test coverage (14 new tests). The code follows existing patterns and maintains consistency with related functionality.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• All three bug fixes are straightforward, well-tested (14 new tests), and follow existing patterns. The endpoint routing fix is a simple addition to an array. The circuit breaker cache invalidation correctly mirrors the single-provider edit behavior. The client restrictions handlers follow the same pattern as other field handlers. No breaking changes or security concerns identified.
• No files require special attention

Important Files Changed

Filename	Overview
src/app/v1/_lib/proxy/forwarder.ts	Added /v1/responses/compact to STANDARD_ENDPOINTS array to fix endpoint routing
src/actions/providers.ts	Added CB_PROVIDER_KEYS constant and cache invalidation logic in batch apply/undo operations when circuit breaker fields change
src/app/[locale]/settings/providers/_components/batch-edit/build-patch-draft.ts	Added handlers for allowed_clients and blocked_clients fields in form-to-draft conversion
src/lib/provider-patch-contract.ts	Added validation for allowed_clients and blocked_clients in isValidSetValue function

_{Last reviewed commit: 3aad53a}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

📥 Commits

Reviewing files that changed from the base of the PR and between 036315b and 3aad53a.

📒 Files selected for processing (1)

• src/actions/providers.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/actions/providers.ts

---

📝 Walkthrough

Walkthrough

新增对 routing.allowedClients / routing.blockedClients 的补丁草稿与验证支持，并在提供商补丁应用/撤销路径中新增对电路断路器字段变更时的 Redis 缓存清理；同时将 "/v1/responses/compact" 纳入标准代理端点列表并补充对应测试。

Changes

Cohort / File(s)	Summary
提供商补丁应用逻辑 src/actions/providers.ts	在 apply/undo 提供商补丁逻辑中检测电路断路器字段变更（circuit_breaker_failure_threshold、circuit_breaker_open_duration、circuit_breaker_half_open_success_threshold），为受影响 providerId 删除 Redis 中的 circuit 配置并清理配置缓存，单个 provider 错误以警告日志记录。
表单补丁草稿与相关测试 src/app/[locale]/settings/providers/_components/batch-edit/build-patch-draft.ts, tests/unit/settings/providers/build-patch-draft.test.ts	为 routing.allowedClients 与 routing.blockedClients 添加补丁草稿构建：数组为空时生成 { clear: true }，非空时生成 { set: [...] }；新增对应单元测试。
补丁合同验证与单元测试 src/lib/provider-patch-contract.ts, tests/unit/actions/providers-patch-contract.test.ts	扩展 patch 验证以接受 allowed_clients 和 blocked_clients 的 set 模式（字符串数组），并添加正/负向单元测试以验证类型约束。
字段映射测试 tests/unit/actions/providers-batch-field-mapping.test.ts	新增 unit tests，验证 batchUpdateProviders 将 allowed_clients / blocked_clients 映射为 allowedClients / blockedClients（含值、null、空数组场景）。
代理转发端点与测试 src/app/v1/_lib/proxy/forwarder.ts, tests/unit/proxy/proxy-forwarder-endpoint-audit.test.ts	将 "/v1/responses/compact" 加入标准端点列表；新增单元测试验证该路径使用端点池而非 MCP 路径（测试在 diff 中出现两次）。

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix: responses/compact endpoint, CB cache invalidation, client restrictions batch edit #833 — 包含与本次变更相同的文件级更新（providers.ts 的电路断路器缓存清理、补丁草稿、forwarder 端点及相关测试），与此 PR 存在强代码级重叠。
• fix(proxy): detect SSE error block in HTTP 200 response and trigger retry #649 — 在相同的 forwarder 文件上有修改（新增标准端点 "/v1/responses/compact" 的相关调整），与本次对代理端点列表的修改相关。
• fix(providers): auto-backfill vendor aggregation for legacy providers #635 — 涉及提供商电路断路器与代理转发相关的代码变更，可能与 providers 缓存/断路器逻辑的更改有直接关联。

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the three main changes: responses/compact endpoint fix, circuit breaker cache invalidation, and client restrictions batch edit support.
Description check	✅ Passed	The description comprehensively explains all three fixes, the problems they address, the solutions implemented, affected files, test coverage, and a test plan with manual verification steps.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/responses-compact-cb-cache-client-restrictions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @ding113, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces critical fixes across several areas to enhance system reliability and functionality. It ensures proper routing for a specific API endpoint, maintains data consistency for circuit breaker configurations during batch updates, and corrects the handling of client restriction fields in the batch editing interface. These changes collectively improve API request processing, prevent stale circuit breaker data, and ensure accurate application of client-specific access controls.

Highlights

• API Endpoint Routing: Added /v1/responses/compact to STANDARD_ENDPOINTS in the forwarder, ensuring it is correctly routed through the endpoint pool and not misclassified as an MCP request.
• Circuit Breaker Cache Invalidation: Implemented logic to invalidate Redis and in-memory circuit breaker configuration caches after batch patch apply or undo operations, specifically when circuit breaker fields are modified. This aligns batch behavior with single-provider edits.
• Client Restrictions in Batch Edit: Addressed missing handlers for allowedClients and blockedClients in buildPatchDraftFromFormState and isValidSetValue validation, resolving issues where these client restriction fields were silently dropped during batch edits.

Changelog

• src/actions/providers.ts
  • Added logic to invalidate circuit breaker configuration caches (Redis and in-memory) when specific circuit breaker fields are changed during a batch patch application.
  • Included similar cache invalidation logic when a batch patch is undone and it reverts changes to circuit breaker fields.
• src/app/[locale]/settings/providers/_components/batch-edit/build-patch-draft.ts
  • Implemented handling for routing.allowedClients and routing.blockedClients in buildPatchDraftFromFormState, allowing these fields to be set or cleared during batch edits.
• src/app/v1/_lib/proxy/forwarder.ts
  • Included /v1/responses/compact in the STANDARD_ENDPOINTS list to ensure it is routed through the endpoint pool.
• src/lib/provider-patch-contract.ts
  • Extended isValidSetValue to validate allowed_clients and blocked_clients as arrays of strings.
• tests/unit/actions/providers-batch-field-mapping.test.ts
  • Added new tests to verify correct mapping of allowed_clients and blocked_clients values (including null and empty arrays) during batch updates.
• tests/unit/actions/providers-patch-contract.test.ts
  • Added new tests to confirm that allowed_clients and blocked_clients fields accept string arrays and reject invalid types in the patch contract.
• tests/unit/proxy/proxy-forwarder-endpoint-audit.test.ts
  • Added a test case to confirm that /v1/responses/compact correctly uses the endpoint pool.
• tests/unit/settings/providers/build-patch-draft.test.ts
  • Updated createBatchState to include allowedClients and blockedClients.
  • Added new tests to verify that buildPatchDraftFromFormState correctly generates patch drafts for allowedClients and blockedClients, including clearing and setting values.

Activity

• bun run typecheck -- no type errors
• bun run lint -- no new lint violations
• bun run test -- all existing + 14 new tests pass (2 pre-existing failures in unrelated files)

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

The pull request effectively addresses the three identified fixes: correctly handling the /v1/responses/compact endpoint, ensuring proper circuit breaker cache invalidation during batch operations, and integrating client restrictions (allowedClients, blockedClients) into the batch edit pipeline. The changes are well-implemented, following existing patterns, and are supported by comprehensive unit tests, which is excellent. No critical, high, or medium severity issues were found during the review.

[coderabbitai]

🧹 Nitpick comments (2)

src/app/[locale]/settings/providers/_components/batch-edit/build-patch-draft.ts (1)

61-74: 数组字段 clear/set 分支实现正确，建议后续抽取复用 helper。

Line 61-74 与 allowedModels 逻辑一致，行为正确。可后续把“空数组 clear / 非空 set”抽成小函数，减少重复分支。

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/app/`[locale]/settings/providers/_components/batch-edit/build-patch-draft.ts
around lines 61 - 74, The array-field branches for routing.allowedClients and
routing.blockedClients duplicate the same "empty -> clear / non-empty -> set"
logic already used for allowedModels; extract that pattern into a small helper
(e.g., applyArrayPatch(draftKey: string, sourceArray: any[])) and replace the
two blocks that reference dirtyFields.has("routing.allowedClients") /
dirtyFields.has("routing.blockedClients") and assign draft.allowed_clients /
draft.blocked_clients with calls to that helper using
state.routing.allowedClients and state.routing.blockedClients respectively so
the clear/set decision is centralized and reused.

src/actions/providers.ts (1)

2045-2065: 考虑将 CB_PROVIDER_KEYS 提取为模块级常量。

当前在函数内部定义 Set，每次调用都会创建新实例。建议参照 CLAUDE_ONLY_FIELDS、CODEX_ONLY_FIELDS 等的模式，将其提取为模块级常量以提高效率。

建议的修改

在文件顶部（约 1578 行附近，与其他类似常量一起）添加：

const CB_PROVIDER_KEYS: ReadonlySet<string> = new Set([
  "circuitBreakerFailureThreshold",
  "circuitBreakerOpenDuration",
  "circuitBreakerHalfOpenSuccessThreshold",
]);

然后在 undoProviderPatch 中直接使用该常量：

-    const CB_PROVIDER_KEYS = new Set([
-      "circuitBreakerFailureThreshold",
-      "circuitBreakerOpenDuration",
-      "circuitBreakerHalfOpenSuccessThreshold",
-    ]);
     const hasCbRevert = Object.values(snapshot.preimage).some((fields) =>
       Object.keys(fields).some((k) => CB_PROVIDER_KEYS.has(k))
     );

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/actions/providers.ts` around lines 2045 - 2065, The Set CB_PROVIDER_KEYS
is being recreated on each call inside undoProviderPatch; move it to
module-level alongside CLAUDE_ONLY_FIELDS and CODEX_ONLY_FIELDS to avoid
repeated allocations. Create a ReadonlySet<string> named CB_PROVIDER_KEYS at the
top of the file and replace the in-function Set creation with a reference to
that constant, leaving the logic that checks snapshot.preimage and the loop that
calls deleteProviderCircuitConfig/clearConfigCache unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/actions/providers.ts`:
- Around line 2045-2065: The Set CB_PROVIDER_KEYS is being recreated on each
call inside undoProviderPatch; move it to module-level alongside
CLAUDE_ONLY_FIELDS and CODEX_ONLY_FIELDS to avoid repeated allocations. Create a
ReadonlySet<string> named CB_PROVIDER_KEYS at the top of the file and replace
the in-function Set creation with a reference to that constant, leaving the
logic that checks snapshot.preimage and the loop that calls
deleteProviderCircuitConfig/clearConfigCache unchanged.

In
`@src/app/`[locale]/settings/providers/_components/batch-edit/build-patch-draft.ts:
- Around line 61-74: The array-field branches for routing.allowedClients and
routing.blockedClients duplicate the same "empty -> clear / non-empty -> set"
logic already used for allowedModels; extract that pattern into a small helper
(e.g., applyArrayPatch(draftKey: string, sourceArray: any[])) and replace the
two blocks that reference dirtyFields.has("routing.allowedClients") /
dirtyFields.has("routing.blockedClients") and assign draft.allowed_clients /
draft.blocked_clients with calls to that helper using
state.routing.allowedClients and state.routing.blockedClients respectively so
the clear/set decision is centralized and reused.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7e45ac4 and 036315b.

📒 Files selected for processing (8)

• src/actions/providers.ts
• src/app/[locale]/settings/providers/_components/batch-edit/build-patch-draft.ts
• src/app/v1/_lib/proxy/forwarder.ts
• src/lib/provider-patch-contract.ts
• tests/unit/actions/providers-batch-field-mapping.test.ts
• tests/unit/actions/providers-patch-contract.test.ts
• tests/unit/proxy/proxy-forwarder-endpoint-audit.test.ts
• tests/unit/settings/providers/build-patch-draft.test.ts

[github-actions]

Code Review Summary

This PR addresses three bug fixes with proper error handling and test coverage for the primary changes.

PR Size: M

• Lines changed: 250
• Files changed: 8

Issues Found

Category	Critical	High	Medium	Low
Logic/Bugs	0	0	0	0
Security	0	0	0	0
Error Handling	0	0	0	0
Types	0	0	0	0
Comments/Docs	0	0	0	0
Tests	0	0	0	0
Simplification	0	0	0	0

Observations

1. CB Cache Invalidation (Fix 2): The implementation correctly matches the existing editProvider pattern with proper try/catch error handling and logging. While direct unit tests for this specific cache invalidation are not included, the defensive coding approach ensures failures are logged without breaking the operation.

2. Endpoint Addition (Fix 1): The addition of /v1/responses/compact to STANDARD_ENDPOINTS is straightforward and properly tested.

3. Client Restrictions (Fix 3): The field handlers and validation are correctly implemented and tested across the pipeline (form state, validation, mapping).

Review Coverage

• Logic and correctness - Clean
• Security (OWASP Top 10) - Clean
• Error handling - Clean (defensive with logging)
• Type safety - Clean
• Documentation accuracy - Clean
• Test coverage - Adequate (14 new tests)
• Code clarity - Good

---

Automated review by Claude AI

[github-actions]

[HIGH] [TEST-MISSING-CRITICAL] Circuit breaker cache invalidation lacks unit test coverage

Why this is a problem: applyProviderBatchPatch/undoProviderPatch now invalidate Redis + in-memory circuit breaker config caches when CB fields change (src/actions/providers.ts:1917-1935, src/actions/providers.ts:2045-2065). CLAUDE.md requires: "Test Coverage - All new features must have unit test coverage of at least 80%". Without targeted unit tests, regressions in the CB-field detection or invalidation loop can ship unnoticed.

Suggested fix:

// tests/unit/actions/providers-apply-engine.test.ts
it("should invalidate circuit breaker config caches when CB fields change", async () => {
  findAllProvidersFreshMock.mockResolvedValue([makeProvider(1), makeProvider(2)]);
  updateProvidersBatchMock.mockResolvedValue(2);

  const { clearConfigCache } = await import("@/lib/circuit-breaker");

  await setupPreviewAndApply([1, 2], { circuit_breaker_failure_threshold: { set: 10 } });

  expect(redisDelMock).toHaveBeenCalledWith("circuit_breaker:config:1");
  expect(redisDelMock).toHaveBeenCalledWith("circuit_breaker:config:2");
  expect(clearConfigCache).toHaveBeenCalledWith(1);
  expect(clearConfigCache).toHaveBeenCalledWith(2);
});

// tests/unit/actions/providers-undo-engine.test.ts
it("should invalidate circuit breaker config caches on undo when CB fields were reverted", async () => {
  const providers = [makeProvider(1), makeProvider(2)];
  const { undoToken, operationId, undoProviderPatch } = await setupPreviewApplyAndGetUndo(
    providers,
    [1, 2],
    { circuit_breaker_open_duration: { set: 1234 } }
  );

  const { clearConfigCache } = await import("@/lib/circuit-breaker");
  redisMocks.del.mockClear();
  clearConfigCache.mockClear();

  updateProvidersBatchMock.mockResolvedValue(2);

  await undoProviderPatch({ undoToken, operationId });

  expect(redisMocks.del).toHaveBeenCalledWith("circuit_breaker:config:1");
  expect(redisMocks.del).toHaveBeenCalledWith("circuit_breaker:config:2");
  expect(clearConfigCache).toHaveBeenCalledWith(1);
  expect(clearConfigCache).toHaveBeenCalledWith(2);
});

[github-actions]

Code Review Summary

This PR fixes /v1/responses/compact endpoint classification, batch-edit client restrictions, and circuit breaker cache invalidation. The main remaining risk is that the new circuit breaker cache invalidation branches in applyProviderBatchPatch and undoProviderPatch are currently untested, which makes regressions more likely despite being production-impacting.

PR Size: M

• Lines changed: 250
• Files changed: 8

Issues Found

Category	Critical	High	Medium	Low
Logic/Bugs	0	0	0	0
Security	0	0	0	0
Error Handling	0	0	0	0
Types	0	0	0	0
Comments/Docs	0	0	0	0
Tests	0	1	0	0
Simplification	0	0	0	0

Critical Issues (Must Fix)

None.

High Priority Issues (Should Fix)

• [TEST-MISSING-CRITICAL] Missing unit tests for circuit breaker cache invalidation in applyProviderBatchPatch and undoProviderPatch (src/actions/providers.ts:1917-1935, src/actions/providers.ts:2045-2065). Confidence: 88/100

Review Coverage

• Logic and correctness
• Security (OWASP Top 10)
• Error handling
• Type safety
• Documentation accuracy
• Test coverage
• Code clarity

---

Automated review by Codex AI

[github-actions]

• PR detected: #833 fix: responses/compact endpoint, CB cache invalidation, client restrictions batch edit (base: dev)
• PR size labeled: size/M (250 lines, 8 files)
• Inline review comment posted:
  • [HIGH] [TEST-MISSING-CRITICAL] Missing unit tests for the new CB cache invalidation branches in src/actions/providers.ts (apply/undo)
• Summary review submitted via gh pr review --comment with the same issue + coverage table