Repo Tooling

[farhan-navas]

Summary by CodeRabbit

• Chores

  • Added repository CI workflow and unified formatting (Prettier) with ignore/config files and repo-level tooling; pre-commit hooks configured.
  • Bumped engine requirements to Node >=20 and pnpm >=10 and added format/check scripts across packages.
  • SDK: Fastify adapter now accepts an optional config parameter.

• Bug Fixes

  • CSRF token endpoint now forwards Set-Cookie headers correctly.

• Documentation

  • Numerous docs/READMEs reformatted and clarified (onboarding, deployment, schema notes).

[linear]

SAN-124 Frontend/Mythos Tooling

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds Prettier configuration and repo-wide formatting, a new GitHub Actions CI workflow, package-manager/engine updates and tooling (lint-staged, simple-git-hooks), broad code reformatting across the monorepo, and a small set of functional changes: CSRF Set-Cookie forwarding, CSP/x-nonce propagation in proxy, Fastify adapter config, and Ballpit pointer/touch handler refactors.

Changes

Formatting, tooling, and CI

Layer / File(s)	Summary
Formatting config .prettierrc.json, .prettierignore	Add Prettier config (semi, double quotes, printWidth 100, trailing commas, arrowParens) and repo-level ignore patterns.
Root tooling package.json, lint-staged, simple-git-hooks	Introduce root tooling package.json with prepare hook, lint-staged mapping to Prettier, and engines/packageManager metadata (pnpm@10.15.1, node >=20, pnpm >=10).
Per-package wiring **/package.json (frontend/, dbSchema/, mythos/, playground/, sdk/, scripts/*)	Add format/format:check scripts, add Prettier devDependency, update packageManager and engines across packages.
CI workflow .github/workflows/ci.yml	New CI workflow: concurrency, js job (Node 20 + pnpm matrix, format:check, optional lint/build per package), go job (Go 1.25, gofmt/govet/gobuild in backend).
Docs / contributor setup README.md, CLAUDE.md, dbSchema/README.md, deployment/DEPLOYMENT.md, playground/README.md, sdk/ and package READMEs	Add “one-time setup for contributors”, reorganize repo docs, reformat various docs into pipe-style tables and code fences; add dbSchema gotcha about BigInt(0).

Functional/security changes

Layer / File(s)	Summary
API contract / forwarding behavior frontend/app/api/csrf-token/route.ts, frontend/lib/fetch.ts, frontend/lib/api-proxy.ts, mythos/lib/api-proxy.ts	CSRF route now ensures Cache-Control: no-store and forwards all backend Set-Cookie values; fetch/internalFetch and api-proxy normalize header handling and JSON error fallbacks.
Core proxy/security proxy.ts, frontend/proxy.ts	Proxy now generates per-request nonce, builds/forwards Content-Security-Policy and x-nonce to downstream SSR/server components and sets them on final NextResponse; header-copying improved to append multiple Set-Cookie values.
SDK adapter change sdk/sdk-typescript/src/adapters/fastify.ts	fixedPrice Fastify adapter accepts optional config?: FastifyConfig (exposes bypassPaymentIf via config).
UI/interaction refactor frontend/components/Ballpit.tsx	Refactored pointer/touch handlers into explicit named handlers and adjusted touch-move behavior to continue movement callbacks while touch remains active even when pointer leaves element.
Wiring / formatting-only follow-ups many frontend/mythos/sdk files	Numerous formatting-only changes (quote style, trailing commas, single-line vs multi-line signatures, JSX reflows) across components, pages, and SDK adapters—no behavioral changes except where noted above.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Frontend
    participant CSRF as CSRF Route
    participant Proxy as Middleware Proxy
    participant Backend as Backend
    participant SSR as Server/SSR

    rect rgba(100,200,150,0.5)
        Client->>CSRF: GET /api/csrf-token (credentials: include)
        CSRF->>Backend: Forward request
        Backend-->>CSRF: 200 + Set-Cookie(s) + JSON token
        CSRF-->>Client: 200 + all Set-Cookie(s) + token + Cache-Control: no-store
    end

    rect rgba(150,150,200,0.5)
        Client->>Proxy: Request (passes Request object)
        Proxy->>Proxy: generate nonce
        Proxy->>Proxy: build CSP including nonce
        Proxy->>SSR: forward request with x-nonce + Content-Security-Policy
        SSR->>Backend: SSR may contact Backend (headers forwarded)
        Backend-->>Proxy: response (may include Set-Cookie)
        Proxy-->>Client: NextResponse with CSP header + x-nonce + forwarded Set-Cookie(s)
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Frontend security + Admin gating #194 — Modifies proxy.ts / API proxy behavior (CSP/nonce and Set-Cookie propagation); strong code-level overlap.
• added input validationa nd some security #177 — Overlaps CSRF and api-proxy/fetch changes across frontend and proxy code.
• CLAUDE mds #179 (or #152 if preferred) — Related to test-transaction tooling and scripts changes in scripts/test-transaction.

Suggested reviewers

• rahulmllvrp

"🐰 I hopped through lines to tidy the lair,
Quotes aligned and commas placed with care.
Hooks set to catch staged files in flight,
A carrot for CI — everything formatted right! 🥕"

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch farhan-navas/san-124-frontendmythos-tooling

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch farhan-navas/san-124-frontendmythos-tooling

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 71-73: The Go module cache misses because actions/setup-go@v5
looks for go.sum at the repository root; update the actions/setup-go@v5 step to
include the cache-dependency-path input pointing to backend/go.sum (i.e., add
cache-dependency-path: backend/go.sum alongside go-version) so the action can
find and use the correct go.sum for caching.
- Around line 84-88: The CI job currently runs the "go vet" and "go build" steps
but does not run tests; add a new step (e.g., name: "go test") between or after
the existing "go vet" and "go build" steps that executes "go test ./..." (or "go
test ./... -v") so unit tests across the repository (including backend/) are
executed and failures break the workflow; reference the existing step names "go
vet" and "go build" to locate where to insert the new "go test" step.

In `@frontend/app/api/csrf-token/route.ts`:
- Around line 5-9: Remove the unnecessary "Content-Type": "application/json"
header from the fetch call in the csrf-token route (the fetch invocation that
calls `${env.BACKEND_URL}/csrf-token` with method "GET"); either delete that
header entry entirely for GET requests or only add Content-Type when the method
is not GET (e.g., in the code paths around the fetch call), so the GET request
no longer carries a misleading Content-Type header.

In `@frontend/components/Ballpit.tsx`:
- Around line 682-692: The pointer update currently overwrites
position/nPosition via updatePointerData before checking isInside(rect), causing
data.onMove to be called with out-of-bounds coordinates; preserve the last
in-bounds coordinates (e.g., add data.lastInBoundsPosition or capture previous
position before updatePointerData) and update that when inside the rect (in the
isInside branch). Then, in the else if (data.hover && data.touching) branch,
call data.onMove with the preserved last-in-bounds coordinates instead of the
current out-of-bounds position; ensure updatePointerData still runs but use the
stored valid point for onMove and update data.lastInBoundsPosition when entering
or moving inside.
- Around line 725-735: The touch handlers (onTouchStart and onTouchMove)
currently call e.preventDefault() unconditionally while being added to
document.body, which blocks page gestures site-wide; update the event wiring so
touch events are attached to the canvas element instead (use the canvas ref /
element instead of document.body when calling addEventListener for "touchstart",
"touchmove", "touchend", "touchcancel" with { passive: false }), or
alternatively modify onTouchStart/onTouchMove to first check isInside(rect) and
only call e.preventDefault() when the touch point is inside the canvas bounds;
make this change for onTouchStart, onTouchMove (and ensure touches
ending/canceling remain scoped to the canvas) so default page touch behaviors
are not prevented outside the canvas.

In `@frontend/content/docs/express.mdx`:
- Around line 15-18: The Tab components currently contain inline triple-backtick
strings which can break MDX rendering; update each <Tab> (values "npm", "yarn",
"pnpm", "bun") so the installation commands are wrapped as proper block-fenced
code blocks: open a fenced block with ```bash on its own line, put the
single-line install command on the next line, then close the fence, and place
that fenced block inside the <Tab> children (rather than a single inline
string). Ensure each Tab (the Tab component instances in this file) follows this
pattern and preserves the same command text for each package manager.

In `@package.json`:
- Around line 1-25: Add a short note to the project README or CONTRIBUTING.md
explaining that the prepare lifecycle script ("prepare": "simple-git-hooks")
runs during pnpm install and must be executed once by contributors after cloning
to activate the simple-git-hooks pre-commit hook (which invokes lint-staged);
mention that running pnpm install at the repo root will install devDependencies
and trigger the prepare hook so pre-commit formatting via prettier (configured
in lint-staged) works as expected.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 335f742e-ad87-440e-958d-0b950f946d7f

📥 Commits

Reviewing files that changed from the base of the PR and between b424623 and 2a6a75d.

⛔ Files ignored due to path filters (11)

• dbSchema/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• frontend/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• mythos/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• playground/merchant-express/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• playground/merchant-fastify/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• playground/merchant-hono/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• playground/merchant-nextjs/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• scripts/test-transaction/package-lock.json is excluded by !**/package-lock.json
• scripts/test-transaction/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• sdk/sdk-typescript/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (110)

• .github/workflows/ci.yml
• .prettierignore
• .prettierrc.json
• CLAUDE.md
• README.md
• backend/sangria-backend
• dbSchema/CLAUDE.md
• dbSchema/README.md
• dbSchema/package.json
• dbSchema/schema.ts
• deployment/DEPLOYMENT.md
• frontend/.prettierrc
• frontend/README.md
• frontend/app/(marketing)/blog/[slug]/page.tsx
• frontend/app/(marketing)/blog/page.tsx
• frontend/app/(marketing)/docs/[[...slug]]/page.tsx
• frontend/app/(marketing)/docs/docs-layout-client.tsx
• frontend/app/(marketing)/docs/layout.tsx
• frontend/app/(marketing)/page.tsx
• frontend/app/(portal)/dashboard/api-keys/APIKeysContent.tsx
• frontend/app/(portal)/dashboard/api-keys/page.tsx
• frontend/app/(portal)/dashboard/members/OrganizationMembersContent.tsx
• frontend/app/(portal)/dashboard/members/page.tsx
• frontend/app/(portal)/dashboard/organizations/page.tsx
• frontend/app/(portal)/dashboard/transactions/TransactionsContent.tsx
• frontend/app/(portal)/dashboard/withdrawals/WithdrawModal.tsx
• frontend/app/(portal)/dashboard/withdrawals/WithdrawalsContent.tsx
• frontend/app/(portal)/layout.tsx
• frontend/app/accept-invitation/page.tsx
• frontend/app/api/csrf-token/route.ts
• frontend/app/globals.css
• frontend/app/layout.tsx
• frontend/components/ArcadeButton.tsx
• frontend/components/Ballpit.tsx
• frontend/components/BlogHeader.tsx
• frontend/components/Footer.tsx
• frontend/components/GitHubStarChip.tsx
• frontend/components/MdxComponents.tsx
• frontend/components/NavLinks.tsx
• frontend/components/Navigation.tsx
• frontend/components/OrganizationDropdown.tsx
• frontend/components/PortalSidebarNav.tsx
• frontend/components/ProfilePopover.tsx
• frontend/components/ResizableSidebar.tsx
• frontend/components/ScrollNav.tsx
• frontend/components/SignOutButton.tsx
• frontend/components/ThemeProvider.tsx
• frontend/components/ThemeToggle.tsx
• frontend/content/docs/express.mdx
• frontend/content/docs/fastapi.mdx
• frontend/content/docs/fastify.mdx
• frontend/content/docs/hono.mdx
• frontend/content/docs/index.mdx
• frontend/content/docs/nextjs.mdx
• frontend/contexts/OrganizationContext.tsx
• frontend/lib/api-proxy.ts
• frontend/lib/blog.ts
• frontend/lib/fetch.ts
• frontend/lib/security-hooks.ts
• frontend/lib/security.ts
• frontend/lib/validation.ts
• frontend/next.config.ts
• frontend/package.json
• frontend/proxy.ts
• mythos/AGENTS.md
• mythos/README.md
• mythos/app/(admin)/NavLinks.tsx
• mythos/app/(admin)/dashboard/page.tsx
• mythos/app/(admin)/newspaper/page.tsx
• mythos/app/(admin)/transactions/TransactionsContent.tsx
• mythos/app/(admin)/withdrawals/ActionDialog.tsx
• mythos/app/(admin)/withdrawals/AdminWithdrawalsContent.tsx
• mythos/app/access-denied/page.tsx
• mythos/app/api/admin/transactions/[id]/ledger/route.ts
• mythos/app/api/admin/withdrawals/[id]/approve/route.ts
• mythos/app/api/admin/withdrawals/[id]/complete/route.ts
• mythos/app/api/admin/withdrawals/[id]/fail/route.ts
• mythos/app/api/admin/withdrawals/[id]/reject/route.ts
• mythos/app/api/admin/withdrawals/route.ts
• mythos/app/api/x402-pay/route.ts
• mythos/lib/api-proxy.ts
• mythos/package.json
• package.json
• playground/README.md
• playground/merchant-express/package.json
• playground/merchant-express/src/index.ts
• playground/merchant-fastify/package.json
• playground/merchant-fastify/src/index.ts
• playground/merchant-hono/package.json
• playground/merchant-hono/src/index.ts
• playground/merchant-nextjs/app/api/premium/route.ts
• playground/merchant-nextjs/app/layout.tsx
• playground/merchant-nextjs/package.json
• playground/merchant-nextjs/tsconfig.json
• playground/merchant-nextjs/tsconfig.tsbuildinfo
• scripts/test-transaction/package.json
• scripts/test-transaction/test-transaction.ts
• sdk/README.md
• sdk/sdk-typescript/README.md
• sdk/sdk-typescript/package.json
• sdk/sdk-typescript/src/adapters/express.ts
• sdk/sdk-typescript/src/adapters/fastify.ts
• sdk/sdk-typescript/src/adapters/hono.ts
• sdk/sdk-typescript/src/adapters/nextjs.ts
• sdk/sdk-typescript/src/core.ts
• sdk/sdk-typescript/src/index.ts
• sdk/sdk-typescript/src/types.ts
• sdk/sdk-typescript/test-server/server-fastify.ts
• sdk/sdk-typescript/test-server/server-hono.ts
• sdk/sdk-typescript/test-server/server.ts

💤 Files with no reviewable changes (2)

• frontend/.prettierrc
• frontend/app/globals.css

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Go module cache will miss — cache-dependency-path needs to point to backend/go.sum

actions/setup-go@v5 is a uses: step and is not subject to defaults.run.working-directory. It searches for go.sum at the repository root; backend/go.sum is invisible to it. Every run will cache-miss and re-download modules.

⚡ Proposed fix

      - uses: actions/setup-go@v5
        with:
          go-version: "1.25"
+         cache-dependency-path: backend/go.sum

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 71 - 73, The Go module cache misses
because actions/setup-go@v5 looks for go.sum at the repository root; update the
actions/setup-go@v5 step to include the cache-dependency-path input pointing to
backend/go.sum (i.e., add cache-dependency-path: backend/go.sum alongside
go-version) so the action can find and use the correct go.sum for caching.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Go CI job runs no tests — go test ./... is absent

The job only verifies formatting, vet, and that the binary compiles. Test regressions in backend/ won't be caught until deployment.

🧪 Proposed addition

      - name: go build
        run: go build ./...
+
+     - name: go test
+       run: go test ./...

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: go vet
	run: go vet ./...
	- name: go build
	run: go build ./...
	- name: go vet
	run: go vet ./...
	- name: go build
	run: go build ./...
	- name: go test
	run: go test ./...

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 84 - 88, The CI job currently runs the
"go vet" and "go build" steps but does not run tests; add a new step (e.g.,
name: "go test") between or after the existing "go vet" and "go build" steps
that executes "go test ./..." (or "go test ./... -v") so unit tests across the
repository (including backend/) are executed and failures break the workflow;
reference the existing step names "go vet" and "go build" to locate where to
insert the new "go test" step.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Content-Type: application/json on a GET request is semantically unnecessary.

GET requests carry no body, so the Content-Type header has no meaning here and is likely carried over from a copy-paste. It's harmless but can be confusing.

🛠️ Suggested fix

     const response = await fetch(`${env.BACKEND_URL}/csrf-token`, {
-      method: "GET",
-      headers: {
-        "Content-Type": "application/json",
-      },
+      method: "GET",
     });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/app/api/csrf-token/route.ts` around lines 5 - 9, Remove the
unnecessary "Content-Type": "application/json" header from the fetch call in the
csrf-token route (the fetch invocation that calls
`${env.BACKEND_URL}/csrf-token` with method "GET"); either delete that header
entry entirely for GET requests or only add Content-Type when the method is not
GET (e.g., in the code paths around the fetch call), so the GET request no
longer carries a misleading Content-Type header.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Preserve the last in-bounds touch position when dragging outside.

Line 682 updates position/nPosition before the isInside(rect) check. The else if (data.hover && data.touching) path then keeps calling onMove with out-of-bounds coordinates instead of the last valid in-canvas point, which makes the control sphere jump as soon as the finger leaves the element.

💡 Minimal fix

     for (const [elem, data] of pointerMap) {
       const rect = elem.getBoundingClientRect();
-      updatePointerData(data, rect);
       if (isInside(rect)) {
+        updatePointerData(data, rect);
         if (!data.hover) {
           data.hover = true;
           data.touching = true;
           data.onEnter(data);
         }
         data.onMove(data);
       } else if (data.hover && data.touching) {
         data.onMove(data);
       }
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	updatePointerData(data, rect);
	if (isInside(rect)) { if (!data.hover) { data.hover = true; data.touching = true; data.onEnter(data); } data.onMove(data); }
	else if (data.hover && data.touching) { data.onMove(data); }
	if (isInside(rect)) {
	if (!data.hover) {
	data.hover = true;
	data.touching = true;
	data.onEnter(data);
	}
	data.onMove(data);
	} else if (data.hover && data.touching) {
	data.onMove(data);
	}
	if (isInside(rect)) {
	updatePointerData(data, rect);
	if (!data.hover) {
	data.hover = true;
	data.touching = true;
	data.onEnter(data);
	}
	data.onMove(data);
	} else if (data.hover && data.touching) {
	data.onMove(data);
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/components/Ballpit.tsx` around lines 682 - 692, The pointer update
currently overwrites position/nPosition via updatePointerData before checking
isInside(rect), causing data.onMove to be called with out-of-bounds coordinates;
preserve the last in-bounds coordinates (e.g., add data.lastInBoundsPosition or
capture previous position before updatePointerData) and update that when inside
the rect (in the isInside branch). Then, in the else if (data.hover &&
data.touching) branch, call data.onMove with the preserved last-in-bounds
coordinates instead of the current out-of-bounds position; ensure
updatePointerData still runs but use the stored valid point for onMove and
update data.lastInBoundsPosition when entering or moving inside.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

fd -t f "Ballpit\.tsx$"

Repository: GTG-Labs/sangria

Length of output: 92

---

🏁 Script executed:

wc -l frontend/components/Ballpit.tsx

Repository: GTG-Labs/sangria

Length of output: 96

---

🏁 Script executed:

sed -n '700,760p' frontend/components/Ballpit.tsx

Repository: GTG-Labs/sangria

Length of output: 2292

---

🏁 Script executed:

sed -n '1,724p' frontend/components/Ballpit.tsx | grep -n "onTouchStart\|onTouchMove\|onPointerMove" | head -20

Repository: GTG-Labs/sangria

Length of output: 191

---

🏁 Script executed:

sed -n '638,698p' frontend/components/Ballpit.tsx

Repository: GTG-Labs/sangria

Length of output: 1760

---

🏁 Script executed:

sed -n '620,640p' frontend/components/Ballpit.tsx

Repository: GTG-Labs/sangria

Length of output: 596

---

🏁 Script executed:

sed -n '600,625p' frontend/components/Ballpit.tsx

Repository: GTG-Labs/sangria

Length of output: 805

---

Move the touch listeners to the canvas element or call preventDefault() only after confirming the touch is within bounds.

The onTouchStart and onTouchMove handlers call e.preventDefault() unconditionally on lines 663 and 681, before checking isInside(rect). Since these non-passive listeners are registered on document.body, this prevents default touch behaviors (scrolling, pinch-zoom) for every touch on the page while any Ballpit component is mounted. Scope the listeners to the canvas element, or check bounds before calling preventDefault().

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/components/Ballpit.tsx` around lines 725 - 735, The touch handlers
(onTouchStart and onTouchMove) currently call e.preventDefault() unconditionally
while being added to document.body, which blocks page gestures site-wide; update
the event wiring so touch events are attached to the canvas element instead (use
the canvas ref / element instead of document.body when calling addEventListener
for "touchstart", "touchmove", "touchend", "touchcancel" with { passive: false
}), or alternatively modify onTouchStart/onTouchMove to first check
isInside(rect) and only call e.preventDefault() when the touch point is inside
the canvas bounds; make this change for onTouchStart, onTouchMove (and ensure
touches ending/canceling remain scoped to the canvas) so default page touch
behaviors are not prevented outside the canvas.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix tabbed install snippets: inline code fences can break MDX rendering.

These should be block fenced code blocks inside each <Tab>, not inline triple-backtick strings.

📄 Suggested docs fix

-  <Tab value="npm">```bash npm install `@sangria-sdk/core` ```</Tab>
-  <Tab value="yarn">```bash yarn add `@sangria-sdk/core` ```</Tab>
-  <Tab value="pnpm">```bash pnpm add `@sangria-sdk/core` ```</Tab>
-  <Tab value="bun">```bash bun add `@sangria-sdk/core` ```</Tab>
+  <Tab value="npm">
+    ```bash
+    npm install `@sangria-sdk/core`
+    ```
+  </Tab>
+  <Tab value="yarn">
+    ```bash
+    yarn add `@sangria-sdk/core`
+    ```
+  </Tab>
+  <Tab value="pnpm">
+    ```bash
+    pnpm add `@sangria-sdk/core`
+    ```
+  </Tab>
+  <Tab value="bun">
+    ```bash
+    bun add `@sangria-sdk/core`
+    ```
+  </Tab>

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<Tab value="npm">```bash npm install @sangria-sdk/core ```</Tab>
	<Tab value="yarn">```bash yarn add @sangria-sdk/core ```</Tab>
	<Tab value="pnpm">```bash pnpm add @sangria-sdk/core ```</Tab>
	<Tab value="bun">```bash bun add @sangria-sdk/core ```</Tab>
	<Tab value="npm">

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/content/docs/express.mdx` around lines 15 - 18, The Tab components
currently contain inline triple-backtick strings which can break MDX rendering;
update each <Tab> (values "npm", "yarn", "pnpm", "bun") so the installation
commands are wrapped as proper block-fenced code blocks: open a fenced block
with ```bash on its own line, put the single-line install command on the next
line, then close the fence, and place that fenced block inside the <Tab>
children (rather than a single inline string). Ensure each Tab (the Tab
component instances in this file) follows this pattern and preserves the same
command text for each package manager.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Solid pre-commit hook setup.

simple-git-hooks + lint-staged is a lightweight and correct pattern here. A few notes:

• The lint-staged prettier command omits --ignore-path, which is intentional and correct: unlike sub-packages that reference ../.prettierignore, the root config runs from the same directory as .prettierignore, so prettier auto-discovers it.
• The prepare lifecycle script must execute for hooks to activate. Contributors need to run pnpm install at the repo root once after cloning; consider documenting this in the project's contributing guide or README.md if not already covered.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 1 - 25, Add a short note to the project README or
CONTRIBUTING.md explaining that the prepare lifecycle script ("prepare":
"simple-git-hooks") runs during pnpm install and must be executed once by
contributors after cloning to activate the simple-git-hooks pre-commit hook
(which invokes lint-staged); mention that running pnpm install at the repo root
will install devDependencies and trigger the prepare hook so pre-commit
formatting via prettier (configured in lint-staged) works as expected.

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/ci.yml (1)

85-89: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add Go tests to CI.

As noted in a previous review, the Go job verifies formatting, vetting, and compilation but does not run tests. This means test regressions in backend/ won't be caught until deployment.

🧪 Proposed addition

      - name: go vet
        run: go vet ./...

+     - name: go test
+       run: go test ./...
+
      - name: go build
        run: go build ./...

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 85 - 89, The CI currently runs "go
vet" and "go build" but does not execute unit tests; add a new step after the
"go build" step to run the Go test suite (e.g., execute "go test ./..." or "go
test ./... -v") so tests in packages like backend/ are exercised during CI;
update the workflow steps named "go vet" / "go build" to include a subsequent
"go test" step to fail the job on test failures and surface regressions early.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/ci.yml:
- Around line 85-89: The CI currently runs "go vet" and "go build" but does not
execute unit tests; add a new step after the "go build" step to run the Go test
suite (e.g., execute "go test ./..." or "go test ./... -v") so tests in packages
like backend/ are exercised during CI; update the workflow steps named "go vet"
/ "go build" to include a subsequent "go test" step to fail the job on test
failures and surface regressions early.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f00207c5-243b-4f06-8097-80e8bf7e7408

📥 Commits

Reviewing files that changed from the base of the PR and between 2a6a75d and 7efe7aa.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• package.json