Skip to content

Blitzy: Add comprehensive Calendly-vs-Cal.com gap analysis documentation, sprint roadmap, and migration guides#1

Merged
blitzy[bot] merged 26 commits intomainfrom
blitzy-f261b662-244f-4f24-aad0-6ece6cc3e60b
Feb 25, 2026
Merged

Blitzy: Add comprehensive Calendly-vs-Cal.com gap analysis documentation, sprint roadmap, and migration guides#1
blitzy[bot] merged 26 commits intomainfrom
blitzy-f261b662-244f-4f24-aad0-6ece6cc3e60b

Conversation

@blitzy
Copy link
Copy Markdown

@blitzy blitzy bot commented Feb 25, 2026

Summary

This PR introduces comprehensive documentation for Calendly feature parity analysis in Cal.com, creating 15 new Mintlify MDX documentation pages and updating 3 existing files across three major documentation sections:

Gap Report (9 files)

  • Executive summary with aggregate parity matrix across 8 feature domains
  • Domain-specific gap analyses: Availability & Scheduling, Event Types, Routing Forms, Webhooks & Events, Embed & Share, Admin & Teams, Calendar Integrations, Notifications
  • Each analysis includes Calendly behavioral comparison, feature comparison matrices, Mermaid diagrams, source citations, and implementation recommendations

Sprint Roadmap (3 files)

  • Methodology overview with dependency-first sequencing across 8 feature domains
  • Comprehensive epic catalog with 40 epics across all domains with priority, complexity, and dependency mapping
  • Parity validation checklists with behavioral acceptance criteria per domain

Migration Guides (3 files)

  • Zero-downtime migration strategy with backward-compatible schema patterns
  • Data preservation guide with encryption key handling and backup procedures
  • Webhook backward compatibility guide documenting PayloadBuilderFactory versioning

File Updates (3 files)

  • docs/docs.json — Added Gap Report tab, Sprint Roadmap group, and Migration Guides group to Mintlify navigation
  • docs/api-reference/v2/openapi.json — Enhanced endpoint descriptions for routing forms, schedules, slots, and webhooks
  • docs/developing/guides/automation/webhooks.mdx — Added trigger event reference, versioning documentation, and consumer migration guidance

Validation Results

  • Mintlify validate: Zero new warnings (6 pre-existing warnings in out-of-scope files)
  • Mintlify openapi-check: Both v1 and v2 specs valid
  • Live rendering: All 15 new pages return HTTP 200
  • Content quality: 22 Mermaid diagrams, 237+ source citations, all files have proper MDX frontmatter

Key Metrics

  • 7,431 lines added across 18 files
  • 24 commits
  • All 14 documentation requirements (R-DOC-001 through R-DOC-014) fulfilled

@blitzyai
docs: add Gap Report, Sprint Roadmap, and Migration Guides navigation…
9d80a5d 
… to docs.json

- Add new 'Gap Report' top-level tab with Overview (1 page) and
  Feature Domains (8 pages: availability-scheduling, event-types,
  routing-forms, webhooks-events, embed-share, admin-teams,
  calendar-integrations, notifications)
- Add 'Sprint Roadmap' group to Developing tab (overview,
  epic-catalog, validation-criteria)
- Add 'Migration Guides' group to Developing tab (zero-downtime-strategy,
  data-preservation, webhook-compatibility)
- Preserve all existing navigation structure unchanged
- Gap Report tab positioned after Self Hosting, before API v1 Reference
@blitzyai
Create docs/gap-report/overview.mdx — Calendly Parity Gap Report exec…
0378b6d 
…utive summary

- Add MDX frontmatter with title and description
- Executive summary with aggregate parity assessment (Cal.com exceeds Calendly in most domains)
- Feature domain matrix covering all 8 analysis domains with gap severity ratings
- Mermaid diagram showing parity status across all domains with color-coded indicators
- Priority ranking section (no critical gaps, 1 medium, 7 low)
- Cal.com advantages summary with CardGroup (webhooks 20 vs 3, calendars 11 vs 3, 6 scheduling paradigms, embed suite, RAQB routing, hierarchical orgs, multi-channel notifications, API-first design)
- Quick reference CardGroup linking to all 8 domain analyses
- Related documentation links to sprint roadmap and migration guides
- Methodology section with analysis approach and gap severity classification
- Terminology mapping table (Calendly invitee = Cal.com attendee)
- How to use section with navigation guide and recommended reading order
- 12 source citations referencing real Cal.com packages
- References developer.calendly.com as behavioral source of truth
@blitzyai
Create docs/gap-report/notifications.mdx — Notification flow gap anal…
337bc03 
…ysis

Comprehensive Mintlify MDX document analyzing email/SMS notification flow gaps
between Cal.com's multi-channel notification infrastructure and Calendly's
notification lifecycle.

Content includes:
- Overview of notification infrastructure scope
- Cal.com implementation analysis (email-manager.ts, sms-manager.ts, workflows)
- Calendly notification behavior reference (basic + Workflow notifications)
- Feature Comparison Matrix: 22 features across email, SMS, WhatsApp, ICS,
  workflow, rate limiting, credit gating, and governance domains
- Gap Inventory: 11 entries (NF-001 through NF-011) — 3 Medium gaps,
  8 Cal.com advantages documented
- Mermaid architecture diagram: multi-channel dispatch flow
- Implementation recommendations for reconfirmation, no-show, user-address gaps
- Behavioral acceptance criteria with regression prevention checklist

Source files analyzed: packages/emails/email-manager.ts, packages/emails/email-types.ts,
packages/sms/sms-manager.ts, packages/features/ee/workflows/lib/types.ts
@blitzyai
Create calendar integrations gap analysis document
dd6d53f 
Add comprehensive MDX document comparing Cal.com's 11+ calendar
adapters against Calendly's native Google/Outlook/Exchange integrations.

Content includes:
- Cal.com implementation details for Google, Office 365, and Apple
  Calendar adapters with source code citations
- Calendly calendar behavior documentation from official sources
- Feature comparison matrix (19 features across both platforms)
- Gap inventory with 2 Medium-severity gaps and 8 Cal.com advantages
- Bi-directional sync architecture Mermaid diagram
- Implementation recommendations for closing identified gaps
- Behavioral acceptance criteria for parity validation

Key findings:
- Cal.com significantly exceeds Calendly with 11+ vs 3 adapters
- Cal.com maintains Apple Calendar support (Calendly dropped Aug 2024)
- Cal.com supports per-event-type calendar selection (Calendly does not)
- Only 2 minor gaps: calendar-driven cancellation and buffer time sync
@blitzyai
Create docs/gap-report/admin-teams.mdx — Admin Governance & Team Mana…
86d2b57 
…gement gap analysis

Comprehensive Mintlify MDX document analyzing admin governance and team management
gaps between Cal.com's hierarchical organization model and Calendly's admin/owner/user
role model. Key contents:

- Overview section with key finding (Cal.com exceeds Calendly's capabilities)
- Detailed Cal.com implementation analysis: OrganizationRepository, TeamRepository,
  MembershipService, PBAC (PermissionCheckService, RoleService, RoleManagementFactory)
- Calendly behavior documentation: 5-role model, Admin Center, Groups, Managed Events,
  SSO/SCIM, API access patterns
- Feature Comparison Matrix (20 features, all rated Low severity)
- Gap Inventory (4 minor gaps + 6 Cal.com advantages)
- 2 Mermaid diagrams comparing hierarchical vs flat org models
- Implementation recommendations with Mintlify Steps component
- Behavioral acceptance criteria checklist
- Cross-references to overview, event-types, sprint-roadmap, and migration docs

All source citations reference verified Cal.com packages. Calendly references
cite developer.calendly.com and help.calendly.com documentation.
@blitzyai
Create docs/gap-report/embed-share.mdx — Embed & Share Flow Gap Analysis
e092f74 
Comprehensive Mintlify MDX document analyzing embed and share flow gaps between
Cal.com's three-package embed suite (embed-core, embed-react, embed-snippet) and
Calendly's inline, popup, and floating button embed options.

Contents:
- Cal.com current implementation: 3-package architecture, postMessage handshake
  protocol, prerendering vs preloading, skeleton loaders, event tracking system,
  command queue, namespace isolation, React component wrapper
- Calendly embed behavior: inline, popup widget, popup text, prefill, UTM support
- Feature comparison matrix (20+ features compared)
- Gap inventory (6 minor gaps + 7 Cal.com advantages documented)
- 2 Mermaid diagrams: embed lifecycle sequence + prerendering flowchart
- Recommendations, acceptance criteria, cross-references
- 21 source citations to Cal.com packages

Key finding: Cal.com's embed architecture significantly exceeds Calendly's
capabilities with prerendering, skeleton loaders, namespace isolation, and a
sophisticated postMessage handshake protocol.
@blitzyai
Create docs/gap-report/webhooks-events.mdx — Webhook Event Lifecycle …
bc0858a 
…Gap Analysis

Comprehensive Mintlify MDX document analyzing webhook payloads and event
lifecycle gaps between Cal.com and Calendly.

Key content:
- Documents all 20 Cal.com WebhookTriggerEvents vs Calendly's 3 events
- PayloadBuilderFactory architecture with 7 typed builder interfaces
- Versioned payload system (v2021-10-20) with backward compatibility
- Signature verification (X-Cal-Signature-256 HMAC-SHA256)
- Delivery pipeline: sync sendPayload + async Tasker scheduling
- Trigger event mapping table (20 Cal.com → 3 Calendly)
- Feature comparison matrix with gap severity ratings
- Mermaid sequence diagram of webhook delivery flow
- Mermaid flowchart comparing payload architectures
- Backward compatibility requirements and extension patterns
- Gap inventory (5 low-severity items — Cal.com exceeds Calendly)
- Acceptance criteria with test pattern references
- Source citations to 11 webhook system source files
@blitzyai
Create routing forms & conditional routing gap analysis documentation
69fd0b0 
- Comprehensive Mintlify MDX gap analysis comparing Cal.com's RAQB-based
  routing forms against Calendly's routing form capabilities
- Documents Cal.com's 3-location architecture (features, app-store, API v2)
- Details findMatchingRoute algorithm with RAQB jsonLogic evaluation
- Documents getRoutedUrl pipeline, attribute-based routing, CRM lookups
- Feature comparison matrix covering 17 capabilities across both platforms
- Gap inventory with 4 medium-severity gaps and 6 Cal.com advantages
- Mermaid flowchart showing complete routing decision tree (23 nodes)
- Implementation recommendations prioritized by severity
- Behavioral acceptance criteria and regression test scenarios
- All source citations verified against actual codebase files
- Cross-references to webhooks-events.mdx and overview.mdx
@blitzyai
Create docs/gap-report/event-types.mdx — Event Type Configuration Gap…
da97499 
… Analysis

Comprehensive Mintlify MDX document analyzing Cal.com's event type system
against Calendly's event type taxonomy and configuration:

- Documents Cal.com's 6 scheduling paradigms (one-on-one, group, collective,
  round-robin, managed, dynamic) vs Calendly's 4 types
- Includes Feature Comparison Matrix (22 features) and Gap Inventory (10 items)
- 2 Mermaid diagrams: taxonomy comparison and API capabilities comparison
- 19 source citations referencing verified Cal.com packages
- Documents Calendly's recently added limited event type management APIs
- Identifies 1 medium gap (meeting polls) and 8 Cal.com advantages
- Includes acceptance criteria with 17 test scenarios
- Cross-references overview, availability-scheduling, webhooks-events, admin-teams
@blitzyai
Create availability & scheduling rules gap analysis documentation
d83b7b0 
Add comprehensive Mintlify MDX document analyzing Cal.com's availability
engine against Calendly's scheduling availability behaviors. Includes:

- Cal.com implementation details with source citations for ScheduleService,
  ScheduleRepository, date-ranges.ts, slots.ts, HolidayRepository,
  TravelScheduleRepository, BusyTimesService, and UserAvailabilityService
- Calendly availability behavior analysis referencing developer.calendly.com
- Feature comparison matrix (17 features) with gap severity ratings
- Gap inventory table with 10 entries (7 advantages, 3 minor gaps)
- Mermaid diagram illustrating the slot generation pipeline
- Slot generation pipeline comparison table
- Implementation recommendations for 3 identified gaps
- 23 behavioral acceptance criteria for parity validation
- Cross-references to overview.mdx and event-types.mdx
@blitzyai
fix: address 3 code review findings in gap report documentation
65686bd 
- notifications.mdx: Add developer.calendly.com as primary behavioral source
  of truth reference (Rule 1 compliance)
- availability-scheduling.mdx: Replace non-standard 'Advantage' and 'None'
  severity labels with standard 4-level scale (Low) throughout Feature
  Comparison Matrix and Gap Inventory (Rule 8 compliance)
- webhooks-events.mdx: Add 'Calendly Reference' column to Gap Inventory table
  to match standard 6-column schema used in all other domain files
@blitzyai
fix(docs): correct source citation and API reference link in gap report
1074673 
- Fix inaccurate findMatchingRoute source citation in overview.mdx:
  Changed from non-existent packages/features/routing-forms/lib/findMatchingRoute.ts
  to actual location packages/app-store/routing-forms/lib/processRoute.tsx

- Fix ambiguous API reference link in event-types.mdx:
  Changed from /api-reference/v2 (no matching MDX) to /api-reference/v2/introduction
  (resolves to existing docs/api-reference/v2/introduction.mdx)

Addresses QA findings: 2 MINOR documentation issues from Checkpoint 1 testing
@blitzyai
Create zero-downtime migration strategy documentation for Calendly ga…
8310986 
…p closure

- Add comprehensive MDX documentation at docs/migration/zero-downtime-strategy.mdx
- Document Cal.com's existing Prisma migration infrastructure (auto-migrations, safety guards, 585 migrations)
- Define 7 backward-compatible schema change patterns with real SQL examples from codebase
- Document blue-green migration approach with Mermaid diagram
- Detail 6 migration anti-patterns with Warning components
- Provide schema, application, and full rollback procedures
- Include migration pipeline flow diagram (design → staging → production)
- Add timing estimates table for common migration operations
- Include gap closure migration checklist with AccordionGroup
- Cross-reference data-preservation and webhook-compatibility guides
- All source citations reference actual packages/prisma/ files
@blitzyai
Create docs/migration/data-preservation.mdx — Data Preservation Guide
e5b31af 
Comprehensive Mintlify MDX documentation for preserving existing Cal.com
user data through all migrations during the Calendly gap closure initiative.

Includes:
- Complete data inventory (12 entities with Prisma model references)
- Encryption key handling (AES-256, CALENDSO_ENCRYPTION_KEY procedures)
- Migration safeguards pipeline (backup, validation, verification, post-check)
- Backup verification procedures (pg_dump, PITR, env variable reference)
- Prisma migration safety patterns (additive columns, nullable fields, feature flags)
- Formal data preservation guarantees (8 entity-level guarantees)
- Mermaid diagram: data preservation verification flow
- Rollback procedures with step-by-step recovery process
- Cross-references to zero-downtime-strategy.mdx and webhook-compatibility.mdx
@blitzyai
Create docs/migration/webhook-compatibility.mdx — Webhook Backward Co…
224e57c 
…mpatibility Guide

Comprehensive Mintlify MDX documentation covering:
- Webhook versioning architecture (WebhookVersion enum, PayloadBuilderFactory)
- v2021-10-20 payload preservation guarantees (7 builder implementations)
- PayloadBuilderFactory extension patterns for adding new versions
- WebhookVersion enum extension patterns with automatic validation
- Additive payload field rules with 4-level gap severity classification
- Consumer migration path (5-step workflow with HMAC verification)
- Calendly webhook comparison context (3 vs 20 events)
- Version architecture diagram and delivery sequence diagram
- Rollback procedures aligned with zero-downtime strategy

Includes 2 Mermaid diagrams, 5+ comparison tables, 8 TypeScript code
examples, 14 source citations, and cross-references to related docs.
@blitzyai
Create docs/sprint-roadmap/validation-criteria.mdx — Parity validatio…
4992497 
…n checklists

- 71 behavioral acceptance criteria across 8 feature domains
- Domain sections: Availability (AV-VAL), Event Types (ET-VAL), Calendar
  Integrations (CI-VAL), Webhooks (WH-VAL), Routing Forms (RF-VAL),
  Embed (EM-VAL), Admin/Teams (AG-VAL), Notifications (NF-VAL)
- Each domain includes behavioral criteria, regression test requirements,
  and integration verification procedures
- Cross-domain validation dependency Mermaid diagram
- Regression test requirements summary table
- Data preservation validation section
- Final 12-item parity validation checklist
- Criteria ID reference index with 71 total criteria
- Cross-references to all 8 gap report pages, 3 migration guides,
  sprint roadmap overview and epic catalog
- Mintlify MDX format with AccordionGroup, Steps, Warning, Note, Info components
- Calendly API (developer.calendly.com) referenced as behavioral source of truth
@blitzyai
Create docs/sprint-roadmap/epic-catalog.mdx — Comprehensive Epic Catalog
4d9e82d 
- Complete epic registry with 40 epics across 8 feature domains
- Availability & Scheduling (7 epics), Event Types (6), Calendar Integrations (5),
  Webhooks & Events (5), Routing Forms (4), Embed & Share (4), Admin & Teams (4),
  Notifications (5)
- Epic dependency DAG Mermaid diagram showing cross-domain relationships
- Priority classification (0 Critical, 11 High, 24 Medium, 5 Low)
- Complexity estimation using S/M/L/XL T-shirt sizing
- Cal.com advantages documented for each domain
- 20 source code citations referencing actual Cal.com packages
- Cross-references to all 8 gap report domain pages, sprint roadmap overview,
  and validation criteria
- AccordionGroup layout for organized domain navigation
- Summary statistics with priority distribution analysis
@blitzyai
Create docs/sprint-roadmap/overview.mdx — Sprint Roadmap Methodology
f9b1f06 
Add the Sprint Roadmap Overview MDX page for the Mintlify documentation site.
This is the entry point and methodology document for the Calendly gap closure
sprint roadmap, covering:

- Introduction with behavioral source of truth and companion document links
- Dependency-first sequencing of 8 feature domains (F-004, F-002, F-003,
  F-013, F-015, F-008, F-009, F-018) with justification for each position
- 2 Mermaid diagrams: sprint dependency DAG and sprint progression with
  validation gates
- Autonomous execution protocol (7-step process) referencing spec-first
  development workflow from specs/README.md
- Validation gate schedule with 5 verification dimensions and gate pass
  criteria table
- Risk management table with 6 identified risks, severity, and mitigation
  strategies with document references
- Quick links section using Mintlify CardGroup/Card components

Uses Mintlify components: Note, Warning, Info, Steps, Step, Card, CardGroup.
All links use slug format (no .mdx extensions). Source citations reference
real Cal.com packages throughout.
@blitzyai
fix(docs): correct 3 inaccurate source code path citations in epic-ca…
a4be1bd 
…talog.mdx

- Fix date-ranges.ts path: packages/features/availability/lib/ → packages/features/schedules/lib/
- Fix eventTypeRepository.ts filename: eventtypes.repository.ts → eventTypeRepository.ts
- Fix findMatchingRoute path: packages/features/routing-forms/lib/findMatchingRoute.ts → packages/app-store/routing-forms/lib/processRoute.tsx

All corrected paths verified to exist on disk. Resolves Rule 7 (source code citation traceability) violations identified in QA Checkpoint 2.
@blitzyai
Enhance OpenAPI v2 spec with Calendly gap closure documentation
bccc3a8 
- Add comprehensive trigger event descriptions to CreateWebhookInputDto and
  UpdateWebhookInputDto schemas documenting all 20 webhook trigger events with
  Calendly comparison (Calendly supports only 3 events)
- Enhance version property descriptions in both webhook DTOs to document
  PayloadBuilderFactory versioning strategy and backward compatibility
- Add descriptions to TeamWebhookOutputDto, UserWebhookOutputDto,
  EventTypeWebhookOutputDto, and OAuthClientWebhookOutputDto trigger fields
- Add description to POST /v2/webhooks endpoint with Calendly webhook
  comparison, signature verification, and Handlebars template documentation
- Enhance GET /v2/webhooks description with scope model comparison
- Add descriptions to organization and team routing forms GET endpoints
  documenting RAQB rule engine and Calendly routing form comparison
- Enhance calculate-slots endpoint description with conditional routing
  and attribute-based routing documentation
- Enhance /v2/schedules POST description with Calendly availability
  management comparison and programmatic API access advantages
- Enhance /v2/slots GET description with slot generation engine details
  and Calendly availability checking comparison
- Update info.description from empty to comprehensive API summary
  referencing Calendly feature parity documentation scope
- All changes strictly additive - no paths, schemas, enums, or
  security definitions removed or modified
- Source citations included using Source: {package-path} format
- All 173 paths, 464 schemas, and 20 trigger events preserved
@blitzyai
docs(webhooks): align webhooks.mdx with Calendly gap closure changes
448e2dd 
- Add Note with 4 additional trigger events available via API
  (RECORDING_TRANSCRIPTION_GENERATED, OOO_CREATED, FORM_SUBMITTED_NO_EVENT,
  DELEGATION_CREDENTIAL_ERROR) with cross-reference to gap analysis
- Add webhook payload versioning strategy section documenting the
  PayloadBuilderFactory pattern, 7 builder categories, and 20 trigger events
- Add consumer migration guidance section with 5-step walkthrough for
  existing webhook consumers (version negotiation, fallback behavior,
  additive-only changes, signature verification consistency)
- Add related documentation section with cross-references to gap report,
  backward compatibility guide, Calendly API docs, and Cal.com API v2
- All existing 1726 lines of content preserved unchanged
@blitzyai
fix: correct migration count (585→584) and add missing WRONG_ASSIGNME…
fc9e117 
…NT_REPORT trigger

- docs/migration/zero-downtime-strategy.mdx: Update migration count from 585 to 584 across 3 references (L27, L50, L94) to match actual migration directory count
- docs/migration/data-preservation.mdx: Update migration count from 585+ to 584+ (L294) to match actual count
- docs/developing/guides/automation/webhooks.mdx: Add WRONG_ASSIGNMENT_REPORT to booking events category (8→9 triggers, L1536), completing the 20-trigger enumeration

Addresses 3 MINOR review findings from Checkpoint 2 code review.
@blitzyai
fix(docs): add epic ID cross-references and mapping notes to gap reports
908a793 
Address QA finding: Incomplete Epic ID Cross-Referencing Between Gap
Reports and Epic Catalog (Rule 11 compliance).

Changes:
- Add ID prefix mapping notes (AVL→AV, AT→AG, EMB→EM) to
  availability-scheduling, admin-teams, and embed-share gap reports
- Add Related Documentation sections with epic-catalog links to
  availability-scheduling, notifications, and webhooks-events gap reports
- All 9 gap report pages now cross-reference the epic catalog
- All 3 mismatched prefix domains now include explicit mapping notes
@blitzyai
fix(docs): add missing Source citation to /v2/webhooks GET endpoint d…
4f29438 
…escription

Addresses QA finding: the /v2/webhooks GET endpoint description was the only
one of 7 updated endpoint descriptions missing a Source: citation. Appended
'Source: packages/features/webhooks/lib/service/' to maintain consistency
with all other enriched endpoint descriptions per AAP rule requiring source
code citations for all technical details.
@blitzyai
Adding Blitzy Project Guide: Project Status and Human Tasks Remaining
57686e4
@blitzyai
Adding Blitzy Technical Specifications
2e01b49
@blitzy blitzy bot merged commit 4ff8436 into main Feb 25, 2026
blitzy bot pushed a commit that referenced this pull request Feb 27, 2026
@blitzyai
fix(docs): correct JSDoc for TGetScheduleInputSchema duration type
e44eba2 
Update JSDoc at lines 189-193 in slots/types.ts to accurately describe
the duration field's post-transform type as number | "" | undefined
(the z.infer output type after .transform((val) => val && parseInt(val)))
instead of the incorrect pre-transform type string | undefined.

Addresses Checkpoint 4 code review MINOR finding #1.
blitzy bot pushed a commit that referenced this pull request Mar 7, 2026
@blitzyai
fix(event-types): resolve QA findings — key prop warning, weight vali…
224fdc2 
…dation, nested form hydration

- CheckedTeamSelect.tsx: Remove Fragment wrapper around <li> in .map() to fix
  React 'key prop' console warning (Issue #1 MINOR)
- EditWeightsForAllTeamMembers.tsx: Add parseAndClampWeight() helper enforcing
  integer >= 0 and <= 999 for weight inputs; replace onBlur/onKeyDown handlers
  with handleWeightCommit() using clamped validation (Issue #2 MINOR)
- EditWeightsForAllTeamMembers.tsx: Replace nested <form> with <div> to eliminate
  'form cannot be descendant of form' hydration warning (Issue #5 INFO)
- HostEditDialogs.tsx: Fix setWeight() guard from '!!newWeight' to
  'newWeight !== undefined && !isNaN(newWeight)' to allow weight=0 assignment;
  add validation/clamping in onChange handler (Issue #2 secondary)
blitzy bot pushed a commit that referenced this pull request Mar 7, 2026
@blitzyai
fix: resolve QA security findings — auth guards, CORS, headers, valid…
b6a1f45 
…ation

- CRITICAL: Add @UseGuards(ApiAuthGuard, RolesGuard) and @roles('TEAM_MEMBER')
  to GET /v2/teams/:teamId/event-types list endpoint, closing unauthenticated
  data exposure vulnerability (Issue #1)
- MAJOR: Strip stack traces from tRPC error responses in non-development
  environments via defense-in-depth check in errorFormatter (Issue #4)
- MAJOR: Replace CORS wildcard with env-based ALLOWED_ORIGINS configuration;
  defaults to blocked in production, wildcard only in development (Issue #5)
- MAJOR: Add HSTS, CSP, X-Frame-Options security headers to web app and
  suppress X-Powered-By via poweredByHeader: false (Issue #6)
- MINOR: Add bidirectional Zod .refine() validation ensuring team-only
  schedulingTypes (ROUND_ROBIN, COLLECTIVE, MANAGED) require teamId (Issue #2)
- MINOR: Add @min(1)/@max(1000) bounds to hostsLimit query parameter in
  GetTeamEventTypesQuery DTO (Issue #3)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@blitzyai