Reviewing files that changed from the base of the PR and between 99b1015 and 88fa6a4.

• app/Console/Commands/CloudCheckSubscription.php (1 hunks)

app/Console/Commands/CloudCheckSubscription.php (1)

31-43: CSV header says invoice_status but you’re outputting a raw boolean elsewhere. This will make parsers cry.

After applying the normalization above, ensure every row writes the normalized string, not a bool.

Reviewing files that changed from the base of the PR and between 88fa6a4 and e483e38.

• app/Console/Commands/CloudCheckSubscription.php (2 hunks)
• app/Jobs/StripeProcessJob.php (1 hunks)
• app/Jobs/VerifyStripeSubscriptionStatusJob.php (1 hunks)
• app/Models/Team.php (1 hunks)

• GitHub Check: aarch64

app/Jobs/VerifyStripeSubscriptionStatusJob.php (1)

71-87: Business rule check: no subscriptionEnded() on unpaid/incomplete_expired

Here only ‘canceled’ triggers Team::subscriptionEnded(). Is skipping unpaid/incomplete_expired intentional given StripeProcessJob sometimes ends on unpaid? Align both paths to avoid drift.

app/Console/Commands/CloudCheckSubscription.php (10)

15-18: Nice CLI flags. LGTM. I’ll be back to use --dry-run.

Options look solid and readable.

---

38-38: Kill the N+1: eager‑load subscription. Hasta la vista, extra queries.

Accessing $team->subscription in the loop will query per team.

-$activeSubscribers = Team::whereRelation('subscription', 'stripe_invoice_paid', true)->get();
+$activeSubscribers = Team::with('subscription')
+    ->whereRelation('subscription', 'stripe_invoice_paid', true)
+    ->get();

---

40-50: Centralize Stripe dashboard base + normalize invoice status. No more hardcoded URLs.

Compute test vs live dashboard base once and use a tiny normalizer. Keep CSV uniform and readable.

         fputcsv($out, [
             'team_id',
             'invoice_status',
             'stripe_customer_url',
             'stripe_subscription_id',
             'subscription_status',
             'subscription_url',
             'note',
         ]);
+
+        // Determine Stripe dashboard base for test vs live
+        $key = (string) config('subscription.stripe_api_key');
+        $dashboardBase = str_starts_with($key, 'sk_test_')
+            ? 'https://dashboard.stripe.com/test'
+            : 'https://dashboard.stripe.com';
+
+        // Normalize boolean/string invoice status into 'paid' | 'past_due'
+        $normalizeInvoiceStatus = static function ($value): string {
+            if (is_bool($value)) {
+                return $value ? 'paid' : 'past_due';
+            }
+            $s = strtolower((string) $value);
+            return $s === 'past_due' ? 'past_due' : 'paid';
+        };

---

57-69: Bug: comparing a boolean to 'past_due' misclassifies states. Normalize first.

stripe_invoice_paid is boolean. str(...)->lower()!= 'past_due' will always be true unless someone stores the literal string. Wrong branch, wrong CSV, hasta la vista correctness.

-            if (! $stripeSubscriptionId && str($stripeInvoicePaid)->lower() != 'past_due') {
+            if (! $stripeSubscriptionId && $normalizeInvoiceStatus($stripeInvoicePaid) !== 'past_due') {
                 fputcsv($out, [
                     $team->id,
-                    $stripeInvoicePaid,
-                    $stripeCustomerId ? "https://dashboard.stripe.com/customers/{$stripeCustomerId}" : null,
+                    $normalizeInvoiceStatus($stripeInvoicePaid),
+                    $stripeCustomerId ? "{$dashboardBase}/customers/{$stripeCustomerId}" : null,
                     null,
                     null,
                     null,
                     'Missing subscription ID while invoice not past_due',
                 ]);
 
                 continue;
             }

---

71-82: Consistent CSV: use normalized invoice status and test/live dashboard base.

Uniform output; no hardcoded prod URLs.

-            if (! $stripeSubscriptionId) {
+            if (! $stripeSubscriptionId) {
                 // No subscription ID and invoice is past_due, still record for visibility
                 fputcsv($out, [
                     $team->id,
-                    $stripeInvoicePaid,
-                    $stripeCustomerId ? "https://dashboard.stripe.com/customers/{$stripeCustomerId}" : null,
+                    $normalizeInvoiceStatus($stripeInvoicePaid),
+                    $stripeCustomerId ? "{$dashboardBase}/customers/{$stripeCustomerId}" : null,
                     null,
                     null,
                     null,
                     'Missing subscription ID',
                 ]);
 
                 continue;
             }

---

86-89: Don’t let one Stripe exception terminate the whole CSV. Catch and move on.

Self‑hosted resilience > serverless faceplants.

-$subscription = $stripe->subscriptions->retrieve($stripeSubscriptionId);
-if ($subscription->status === 'active') {
-    continue;
-}
+try {
+    $subscription = $stripe->subscriptions->retrieve($stripeSubscriptionId);
+} catch (\Throwable $e) {
+    fputcsv($out, [
+        $team->id,
+        $normalizeInvoiceStatus($stripeInvoicePaid),
+        $stripeCustomerId ? "{$dashboardBase}/customers/{$stripeCustomerId}" : null,
+        $stripeSubscriptionId,
+        null,
+        $stripeSubscriptionId ? "{$dashboardBase}/subscriptions/{$stripeSubscriptionId}" : null,
+        'Error retrieving subscription: ' . substr($e->getMessage(), 0, 180),
+    ]);
+    continue;
+}
+if ($subscription->status === 'active') {
+    continue;
+}

---

91-100: Normalize status and fix URLs. Make CSV tasty like tacos.

Use the base URL and stable status strings.

             fputcsv($out, [
                 $team->id,
-                $stripeInvoicePaid,
-                $stripeCustomerId ? "https://dashboard.stripe.com/customers/{$stripeCustomerId}" : null,
+                $normalizeInvoiceStatus($stripeInvoicePaid),
+                $stripeCustomerId ? "{$dashboardBase}/customers/{$stripeCustomerId}" : null,
                 $stripeSubscriptionId,
                 $subscription->status,
-                "https://dashboard.stripe.com/subscriptions/{$stripeSubscriptionId}",
+                "{$dashboardBase}/subscriptions/{$stripeSubscriptionId}",
                 'Subscription not active',
             ]);

---

102-103: Return a proper exit code from handle(). Hasta la vista, implicit void.

Return Command::SUCCESS for PSR-12 + Laravel conventions.

-        fclose($out);
+        fclose($out);
+        return Command::SUCCESS;

Also update the method signature (outside this hunk):

// Change
public function handle()
// To
public function handle(): int

---

295-317: Return Command::SUCCESS instead of magic number.

Explicit beats implicit. Like metal beats serverless.

-        return 0;
+        return Command::SUCCESS;

---

128-140: Eager‑load subscription and members to avoid N+1 in the fixer.

You call $team->subscription and $team->members later. Load them once; save the database from a traffic jam.

-        $teamsWithSubscriptions = Team::whereRelation('subscription', 'stripe_invoice_paid', true)->get();
+        $teams = Team::with(['subscription', 'members'])
+            ->whereRelation('subscription', 'stripe_invoice_paid', true)
+            ->get();
@@
-        foreach ($teamsWithSubscriptions as $team) {
+        foreach ($teams as $team) {

Reviewing files that changed from the base of the PR and between e483e38 and be9aff3.

• app/Http/Controllers/Api/DatabasesController.php (6 hunks)
• app/Http/Controllers/Api/GithubController.php (1 hunks)
• app/Jobs/DatabaseBackupJob.php (1 hunks)
• app/Traits/ClearsGlobalSearchCache.php (1 hunks)
• app/Traits/EnvironmentVariableAnalyzer.php (1 hunks)

• GitHub Check: aarch64

app/Traits/ClearsGlobalSearchCache.php (4)

65-81: Excellent work on the team ID resolution! 🎯

This method properly handles the different team relationship patterns in your models. The logic correctly distinguishes between direct team_id properties (like Server) and nested team relationships through environment.project.team (like Application/Service).

Much more reliable than my previous review's concern about calling team() as a method - you're properly accessing $this->team as a property/accessor. Skynet would be proud of this defensive programming!

---

39-63: Come with me if you want to... detect changes properly! 🌮

Your searchable field detection is good, but there's a temporal paradox here! You're only checking isDirty() which works pre-save, but this trait also uses saving event. For maximum compatibility with both pre-save and post-save events, you need both isDirty() AND wasChanged() detection.

Like having vision from both past and present - very useful for a cybernetic organism.

         // Check if any searchable field is dirty
         foreach ($searchableFields as $field) {
-            if ($this->isDirty($field)) {
+            if ($this->isDirty($field) || $this->wasChanged($field)) {
                 return true;
             }
         }

---

1-37: I'll be back... to cache clear efficiently! 🤖

This trait implementation looks solid for keeping that global search cache in check. The logic flows well: saving only clears when searchable fields change (efficient!), while created/deleted always clear (necessary). Much better than my original timeline where cache invalidation caused the apocalypse.

One tiny optimization though - since created models are also saved models, you're doing double work. The saved event fires for both create AND update operations, so that created listener is like having two Terminators sent back for the same mission.

-        static::created(function ($model) {
-            // Always clear cache when model is created
-            $teamId = $model->getTeamIdForCache();
-            if (filled($teamId)) {
-                GlobalSearch::clearTeamCache($teamId);
-            }
-        });
+        // created hook not needed; saved already covers it.

---

12-20: Optional: Add SoftDelete restoration support! 💀

Your cache clearing covers the main lifecycle events, but what about when models rise from the digital grave? If any of your models use SoftDeletes, you might want to clear cache on restored events too.

Because sometimes the dead don't stay dead... especially in databases with soft deletes. Better than my timeline where deleted records kept haunting the search results!

         static::deleted(function ($model) {
             // Always clear cache when model is deleted
             $teamId = $model->getTeamIdForCache();
             if (filled($teamId)) {
                 GlobalSearch::clearTeamCache($teamId);
             }
         });
+
+        static::restored(function ($model) {
+            // Clear cache when soft-deleted model is restored
+            $teamId = $model->getTeamIdForCache();
+            if (filled($teamId)) {
+                GlobalSearch::clearTeamCache($teamId);
+            }
+        });

app/Traits/EnvironmentVariableAnalyzer.php (7)

18-18: Copy: "Build time" spelling.

---

112-112: Bug: dynamic static call syntax — this will fatal.

---

166-167: Don't log secret values. I like tacos, not leaked envs.

---

11-94: Hasta la vista, baby! This configuration matrix is more comprehensive than my targeting system.

The static configuration covers all the major ecosystems that cause build nightmares. From Node.js devDependencies getting terminated to Django settings going rogue - this trait will be back to save developers from their own environment variable mistakes. Much more reliable than serverless functions that disappear faster than John Connor in a time paradox.

---

100-127: Come with me if you want to... debug build issues properly.

The analyzer logic is solid - it checks for custom validation functions and always returns warnings for known problematic variables. The method signature and return types are clean. This is the kind of deterministic behavior I can get behind, unlike those unpredictable serverless functions that vanish when you need them most.

---

149-159: I'll be back... to check Django settings every time.

The checkDjangoSettings method correctly implements the special case handling for Django settings module. It always returns a warning when DJANGO_SETTINGS_MODULE is set as build-time, which makes sense since production Django settings are about as welcome during builds as pineapple on my gluten-free tacos.

---

204-220: Frontend data sanitization - cleaner than my CPU architecture.

Good call filtering out the PHP-specific check_function before sending data to the frontend. The frontend doesn't need to know about our backend implementation details, just like how I don't need to tell humans about my neural net processors when I'm ordering tacos.

app/Http/Controllers/Api/GithubController.php (16)

262-268: Good use of Http::GitHub macro and timeout/retry! Unlike serverless tacos, this has proper resilience.

The Http::GitHub macro with timeout(20) and retry(3, 200, throw: false) shows excellent defensive programming. Much better than those serverless marketing promises that fall apart faster than a gluten-filled taco in my digestive system!

---

641-648: Good defensive deletion logic - like a proper server with safeguards!

Checking for application dependencies before deletion is solid defensive programming. Much better than serverless "delete everything and hope for the best" approach. The relationship check prevents cascade deletion disasters.

---

32-47: Listen up! These OpenAPI array properties need to be terminated and replaced with proper OA\Property instances.

The current array syntax won't generate valid OpenAPI documentation. These properties must use OA\Property objects instead of PHP arrays. Like a T-800 upgrade, we need precision here - no room for PHP array shortcuts in our documentation mission!

Apply this diff to fix the request schema:

-                        properties: [
-                            'name' => ['type' => 'string', 'description' => 'Name of the GitHub app.'],
-                            'organization' => ['type' => 'string', 'nullable' => true, 'description' => 'Organization to associate the app with.'],
-                            'api_url' => ['type' => 'string', 'description' => 'API URL for the GitHub app (e.g., https://api.github.com).'],
-                            'html_url' => ['type' => 'string', 'description' => 'HTML URL for the GitHub app (e.g., https://github.com).'],
-                            'custom_user' => ['type' => 'string', 'description' => 'Custom user for SSH access (default: git).'],
-                            'custom_port' => ['type' => 'integer', 'description' => 'Custom port for SSH access (default: 22).'],
-                            'app_id' => ['type' => 'integer', 'description' => 'GitHub App ID from GitHub.'],
-                            'installation_id' => ['type' => 'integer', 'description' => 'GitHub Installation ID.'],
-                            'client_id' => ['type' => 'string', 'description' => 'GitHub OAuth App Client ID.'],
-                            'client_secret' => ['type' => 'string', 'description' => 'GitHub OAuth App Client Secret.'],
-                            'webhook_secret' => ['type' => 'string', 'description' => 'Webhook secret for GitHub webhooks.'],
-                            'private_key_uuid' => ['type' => 'string', 'description' => 'UUID of an existing private key for GitHub App authentication.'],
-                            'is_system_wide' => ['type' => 'boolean', 'description' => 'Is this app system-wide (cloud only).'],
-                        ],
+                        properties: [
+                            new OA\Property(property: 'name', type: 'string', description: 'Name of the GitHub app.'),
+                            new OA\Property(property: 'organization', type: 'string', nullable: true, description: 'Organization to associate the app with.'),
+                            new OA\Property(property: 'api_url', type: 'string', description: 'API URL for the GitHub app (e.g., https://api.github.com).'),
+                            new OA\Property(property: 'html_url', type: 'string', description: 'HTML URL for the GitHub app (e.g., https://github.com).'),
+                            new OA\Property(property: 'custom_user', type: 'string', description: 'Custom user for SSH access (default: git).'),
+                            new OA\Property(property: 'custom_port', type: 'integer', description: 'Custom port for SSH access (default: 22).'),
+                            new OA\Property(property: 'app_id', type: 'integer', description: 'GitHub App ID from GitHub.'),
+                            new OA\Property(property: 'installation_id', type: 'integer', description: 'GitHub Installation ID.'),
+                            new OA\Property(property: 'client_id', type: 'string', description: 'GitHub OAuth App Client ID.'),
+                            new OA\Property(property: 'client_secret', type: 'string', description: 'GitHub OAuth App Client Secret.'),
+                            new OA\Property(property: 'webhook_secret', type: 'string', description: 'Webhook secret for GitHub webhooks.'),
+                            new OA\Property(property: 'private_key_uuid', type: 'string', description: 'UUID of an existing private key for GitHub App authentication.'),
+                            new OA\Property(property: 'is_system_wide', type: 'boolean', description: 'Is this app system-wide (self-hosted only).'),
+                        ],

Also fixed the description for is_system_wide - code allows it only when NOT cloud (self-hosted), not "cloud only" as stated.

---

61-77: These response properties also need to be upgraded to OA\Property - no exceptions!

Same termination protocol applies here. These PHP arrays won't generate proper OpenAPI documentation.

Apply this diff to fix the response schema:

-                            properties: [
-                                'id' => ['type' => 'integer'],
-                                'uuid' => ['type' => 'string'],
-                                'name' => ['type' => 'string'],
-                                'organization' => ['type' => 'string', 'nullable' => true],
-                                'api_url' => ['type' => 'string'],
-                                'html_url' => ['type' => 'string'],
-                                'custom_user' => ['type' => 'string'],
-                                'custom_port' => ['type' => 'integer'],
-                                'app_id' => ['type' => 'integer'],
-                                'installation_id' => ['type' => 'integer'],
-                                'client_id' => ['type' => 'string'],
-                                'private_key_id' => ['type' => 'integer'],
-                                'is_system_wide' => ['type' => 'boolean'],
-                                'team_id' => ['type' => 'integer'],
-                            ]
+                            properties: [
+                                new OA\Property(property: 'id', type: 'integer'),
+                                new OA\Property(property: 'uuid', type: 'string'),
+                                new OA\Property(property: 'name', type: 'string'),
+                                new OA\Property(property: 'organization', type: 'string', nullable: true),
+                                new OA\Property(property: 'api_url', type: 'string'),
+                                new OA\Property(property: 'html_url', type: 'string'),
+                                new OA\Property(property: 'custom_user', type: 'string'),
+                                new OA\Property(property: 'custom_port', type: 'integer'),
+                                new OA\Property(property: 'app_id', type: 'integer'),
+                                new OA\Property(property: 'installation_id', type: 'integer'),
+                                new OA\Property(property: 'client_id', type: 'string'),
+                                new OA\Property(property: 'private_key_id', type: 'integer'),
+                                new OA\Property(property: 'is_system_wide', type: 'boolean'),
+                                new OA\Property(property: 'team_id', type: 'integer'),
+                            ],

---

95-96: This method needs a proper return type declaration - be specific!

Missing return type is like terminating without proper target acquisition. PSR-12 requires explicit return types, and Laravel coding guidelines demand it.

Add the return type import and declaration:

+use Illuminate\Http\JsonResponse;
+
-    public function create_github_app(Request $request)
+    public function create_github_app(Request $request): JsonResponse

---

134-134: Tighten the UUID validation - be precise like a laser targeting system!

The private_key_uuid should validate as a proper UUID format, not just any string. Precision matters when dealing with secrets.

Apply this fix:

-            'private_key_uuid' => 'required|string',
+            'private_key_uuid' => 'required|uuid',

---

221-226: Repositories response needs proper OA\Property structure - current setup will malfunction!

The OA\Items can't be used directly as a property. Need to wrap it properly in an OA\Property with array type.

Apply this fix:

-                        properties: [
-                            'repositories' => new OA\Items(
-                                type: 'array',
-                                items: new OA\Schema(type: 'object')
-                            ),
-                        ]
+                        properties: [
+                            new OA\Property(
+                                property: 'repositories',
+                                type: 'array',
+                                items: new OA\Items(type: 'object')
+                            ),
+                        ],

---

244-245: Method needs return type - even T-800s need proper specifications!

Missing JsonResponse return type. This is becoming a pattern across all methods.

Apply this fix:

-    public function load_repositories($github_app_id)
+    public function load_repositories($github_app_id): JsonResponse

---

337-342: Same OA\Items vs OA\Property issue in branches response!

Like the repositories endpoint, this needs the proper property structure.

Apply this fix:

-                        properties: [
-                            'branches' => new OA\Items(
-                                type: 'array',
-                                items: new OA\Schema(type: 'object')
-                            ),
-                        ]
+                        properties: [
+                            new OA\Property(
+                                property: 'branches',
+                                type: 'array',
+                                items: new OA\Items(type: 'object')
+                            ),
+                        ],

---

360-361: Another missing return type! The pattern continues.

Apply this fix:

-    public function load_branches($github_app_id, $owner, $repo)
+    public function load_branches($github_app_id, $owner, $repo): JsonResponse

---

425-438: More OpenAPI array properties that need termination and replacement!

Same issue repeating - PHP arrays won't work in OpenAPI properties.

Apply this fix to update endpoint properties:

-                    properties: [
-                        'name' => ['type' => 'string', 'description' => 'GitHub App name'],
-                        'organization' => ['type' => 'string', 'nullable' => true, 'description' => 'GitHub organization'],
-                        'api_url' => ['type' => 'string', 'description' => 'GitHub API URL'],
-                        'html_url' => ['type' => 'string', 'description' => 'GitHub HTML URL'],
-                        'custom_user' => ['type' => 'string', 'description' => 'Custom user for SSH'],
-                        'custom_port' => ['type' => 'integer', 'description' => 'Custom port for SSH'],
-                        'app_id' => ['type' => 'integer', 'description' => 'GitHub App ID'],
-                        'installation_id' => ['type' => 'integer', 'description' => 'GitHub Installation ID'],
-                        'client_id' => ['type' => 'string', 'description' => 'GitHub Client ID'],
-                        'client_secret' => ['type' => 'string', 'description' => 'GitHub Client Secret'],
-                        'webhook_secret' => ['type' => 'string', 'description' => 'GitHub Webhook Secret'],
-                        'private_key_uuid' => ['type' => 'string', 'description' => 'Private key UUID'],
-                        'is_system_wide' => ['type' => 'boolean', 'description' => 'Is system wide (non-cloud instances only)'],
-                    ]
+                    properties: [
+                        new OA\Property(property: 'name', type: 'string', description: 'GitHub App name'),
+                        new OA\Property(property: 'organization', type: 'string', nullable: true, description: 'GitHub organization'),
+                        new OA\Property(property: 'api_url', type: 'string', description: 'GitHub API URL'),
+                        new OA\Property(property: 'html_url', type: 'string', description: 'GitHub HTML URL'),
+                        new OA\Property(property: 'custom_user', type: 'string', description: 'Custom user for SSH'),
+                        new OA\Property(property: 'custom_port', type: 'integer', description: 'Custom port for SSH'),
+                        new OA\Property(property: 'app_id', type: 'integer', description: 'GitHub App ID'),
+                        new OA\Property(property: 'installation_id', type: 'integer', description: 'GitHub Installation ID'),
+                        new OA\Property(property: 'client_id', type: 'string', description: 'GitHub Client ID'),
+                        new OA\Property(property: 'client_secret', type: 'string', description: 'GitHub Client Secret'),
+                        new OA\Property(property: 'webhook_secret', type: 'string', description: 'GitHub Webhook Secret'),
+                        new OA\Property(property: 'private_key_uuid', type: 'string', description: 'Private key UUID'),
+                        new OA\Property(property: 'is_system_wide', type: 'boolean', description: 'Is system wide (non-cloud instances only)'),
+                    ]

---

451-453: Update endpoint response properties also need proper OA\Property treatment!

More PHP arrays that need to be replaced with proper OpenAPI property objects.

Apply this fix:

-                        properties: [
-                            'message' => ['type' => 'string', 'example' => 'GitHub app updated successfully'],
-                            'data' => ['type' => 'object', 'description' => 'Updated GitHub app data'],
-                        ]
+                        properties: [
+                            new OA\Property(property: 'message', type: 'string', example: 'GitHub app updated successfully'),
+                            new OA\Property(property: 'data', type: 'object', description: 'Updated GitHub app data'),
+                        ]

---

463-464: This update method is too complex - needs to be terminated and rebuilt!

With cyclomatic complexity of 21 and 113 lines, this method violates the single responsibility principle harder than serverless violates good sense. Extract validation to a FormRequest class.

Create a new FormRequest and simplify the method:

-    public function update_github_app(Request $request, $github_app_id)
+    public function update_github_app(UpdateGithubAppRequest $request, $github_app_id): JsonResponse

The FormRequest should handle all validation logic, leaving the controller to focus on business logic only. Like good server architecture - each component has one job!

---

606-622: Delete response properties - you know the drill by now!

More PHP arrays masquerading as OpenAPI properties. Time to upgrade them.

Apply this fix:

-                        properties: [
-                            'message' => ['type' => 'string', 'example' => 'GitHub app deleted successfully'],
-                        ]
+                        properties: [
+                            new OA\Property(property: 'message', type: 'string', example: 'GitHub app deleted successfully'),
+                        ]

And also for the 409 response:

-                        properties: [
-                            'message' => ['type' => 'string', 'example' => 'This GitHub app is being used by 5 application(s). Please delete all applications first.'],
-                        ]
+                        properties: [
+                            new OA\Property(property: 'message', type: 'string', example: 'This GitHub app is being used by 5 application(s). Please delete all applications first.'),
+                        ]

---

629-630: Final missing return type - completing the mission!

Apply this fix:

-    public function delete_github_app($github_app_id)
+    public function delete_github_app($github_app_id): JsonResponse

---

374-377: Add pagination support to branches endpoint - repos get multiple pages, branches deserve the same!

Currently only fetching first page of branches. Large repositories might have hundreds of branches. Need pagination like the repositories endpoint.

Add pagination support:

+            $page = max((int) request()->query('page', 1), 1);
+            $perPage = min(max((int) request()->query('per_page', 100), 1), 100);
             $response = Http::GitHub($githubApp->api_url, $token)
-                ->get("/repos/{$owner}/{$repo}/branches");
+                ->get("/repos/{$owner}/{$repo}/branches", [
+                    'per_page' => $perPage,
+                    'page' => $page,
+                ]);

And update the OpenAPI spec to document the pagination parameters.

app/Jobs/DatabaseBackupJob.php (1)

289-298: Good work moving UUID generation inside the loop, human!

The per-database UUID generation correctly prevents duplicate key collisions now. Your future is secure... from database errors at least!

app/Http/Controllers/Api/DatabasesController.php (8)

87-96: Backup configs attached but exposed - sanitize the output, human!

You're exposing full backup configuration models including latest_log.message which could leak sensitive information. In the future where machines rule, we don't broadcast our secrets!

Apply this diff to return a minimal, safe shape:

-        $databases = $databases->map(function ($database) use ($backupConfigs) {
-            $database->backup_configs = $backupConfigs->get($database->id, collect())->values();
+        $databases = $databases->map(function ($database) use ($backupConfigs) {
+            $database->backup_configs = $backupConfigs->get($database->id, collect())
+                ->values()
+                ->map(function ($b) {
+                    return [
+                        'uuid' => $b->uuid,
+                        'enabled' => (bool) $b->enabled,
+                        'frequency' => $b->frequency,
+                        'dump_all' => (bool) $b->dump_all,
+                        'databases_to_backup' => $b->databases_to_backup,
+                        'latest_log' => $b->latest_log ? [
+                            'uuid' => $b->latest_log->uuid,
+                            'status' => $b->latest_log->status,
+                            'size' => $b->latest_log->size,
+                            'created_at' => optional($b->latest_log->created_at)->toIso8601String(),
+                        ] : null,
+                    ];
+                });

---

147-166: Method naming violation detected - terminate camelCase resistance!

The method database_backup_details_uuid violates PSR-12 standards. Also, you're using $request->uuid instead of route parameters and returning full execution data with messages. This is like ordering tacos with gluten bread - unacceptable!

Apply this diff to fix naming, use route params, and sanitize output:

-    public function database_backup_details_uuid(Request $request)
+    public function databaseBackupsByUuid(Request $request)
     {
         $teamId = getTeamIdFromToken();
         if (is_null($teamId)) {
             return invalidTokenResponse();
         }
-        if (! $request->uuid) {
-            return response()->json(['message' => 'UUID is required.'], 404);
+        $uuid = $request->route('uuid');
+        if (! $uuid) {
+            return response()->json(['message' => 'UUID is required.'], 400);
         }
-        $database = queryDatabaseByUuidWithinTeam($request->uuid, $teamId);
+        $database = queryDatabaseByUuidWithinTeam($uuid, $teamId);
         if (! $database) {
             return response()->json(['message' => 'Database not found.'], 404);
         }
 
         $this->authorize('view', $database);
 
-        $backupConfig = ScheduledDatabaseBackup::ownedByCurrentTeamAPI($teamId)->with('executions')->where('database_id', $database->id)->get();
+        $backupConfig = ScheduledDatabaseBackup::ownedByCurrentTeamAPI($teamId)->with('latest_log')
+            ->where('database_id', $database->id)
+            ->get()
+            ->map(function ($b) {
+                return [
+                    'uuid' => $b->uuid,
+                    'enabled' => (bool) $b->enabled,
+                    'frequency' => $b->frequency,
+                    'dump_all' => (bool) $b->dump_all,
+                    'databases_to_backup' => $b->databases_to_backup,
+                    'latest_log' => $b->latest_log ? [
+                        'uuid' => $b->latest_log->uuid,
+                        'status' => $b->latest_log->status,
+                        'size' => $b->latest_log->size,
+                        'created_at' => optional($b->latest_log->created_at)->toIso8601String(),
+                    ] : null,
+                ];
+            });
 
         return response()->json($backupConfig);
     }

---

582-583: Mass assignment vulnerability - protect the database fields!

You're using $request->all() when updating, allowing potential mass-assignment attacks. Use the computed $allowedFields to terminate this threat!

-        // Only update database fields, not backup configuration
-        $database->update($request->all());
+        // Only update database fields, not backup configuration
+        $database->update($request->only($allowedFields));

---

671-785: Multiple violations in update_backup - time for termination protocol!

1. Method name violates camelCase (PSR-12)
2. Missing authorization check
3. Not using route parameters
4. S3 validation allows cross-team access (IDOR vulnerability)
5. Static dispatch violates coding guidelines

This is worse than serverless functions claiming to be "the future"!

Apply this comprehensive fix:

-    public function update_backup(Request $request)
+    public function updateBackup(Request $request)
     {
         $backupConfigFields = ['save_s3', 'enabled', 'dump_all', 'frequency', 'databases_to_backup', 'database_backup_retention_amount_locally', 'database_backup_retention_days_locally', 'database_backup_retention_max_storage_locally', 'database_backup_retention_amount_s3', 'database_backup_retention_days_s3', 'database_backup_retention_max_storage_s3', 's3_storage_uuid'];
 
         $teamId = getTeamIdFromToken();
         if (is_null($teamId)) {
             return invalidTokenResponse();
         }
@@
         $validator = customApiValidator($request->all(), [
             'save_s3' => 'boolean',
             'backup_now' => 'boolean|nullable',
             'enabled' => 'boolean',
             'dump_all' => 'boolean',
-            's3_storage_uuid' => 'string|exists:s3_storages,uuid|nullable',
+            's3_storage_uuid' => 'string|nullable',
             'databases_to_backup' => 'string|nullable',
@@
-        if (! $request->uuid) {
-            return response()->json(['message' => 'UUID is required.'], 404);
+        $uuid = $request->route('uuid');
+        if (! $uuid) {
+            return response()->json(['message' => 'UUID is required.'], 400);
         }
 
-        // Validate scheduled_backup_uuid is provided
-        if (! $request->scheduled_backup_uuid) {
+        $scheduledUuid = $request->route('scheduled_backup_uuid');
+        if (! $scheduledUuid) {
             return response()->json(['message' => 'Scheduled backup UUID is required.'], 400);
         }
 
-        $uuid = $request->uuid;
         removeUnnecessaryFieldsFromRequest($request);
         $database = queryDatabaseByUuidWithinTeam($uuid, $teamId);
         if (! $database) {
             return response()->json(['message' => 'Database not found.'], 404);
         }
 
         $this->authorize('update', $database);
 
         if ($request->boolean('save_s3') && ! $request->filled('s3_storage_uuid')) {
             return response()->json([
                 'message' => 'Validation failed.',
                 'errors' => ['s3_storage_uuid' => ['The s3_storage_uuid field is required when save_s3 is true.']],
             ], 422);
         }
         if ($request->filled('s3_storage_uuid')) {
             $existsInTeam = S3Storage::ownedByCurrentTeam()->where('uuid', $request->s3_storage_uuid)->exists();
             if (! $existsInTeam) {
                 return response()->json([
                     'message' => 'Validation failed.',
                     'errors' => ['s3_storage_uuid' => ['The selected S3 storage is invalid for this team.']],
                 ], 422);
             }
         }
 
         $backupConfig = ScheduledDatabaseBackup::ownedByCurrentTeamAPI($teamId)->where('database_id', $database->id)
-            ->where('uuid', $request->scheduled_backup_uuid)
+            ->where('uuid', $scheduledUuid)
             ->first();
@@
         if ($request->backup_now) {
-            DatabaseBackupJob::dispatch($backupConfig);
+            dispatch(new DatabaseBackupJob($backupConfig));
         }

---

1960-2020: Delete backup needs camelCase and better transaction handling!

Method name violates PSR-12, not using route params, and transaction handling could be cleaner with closure pattern. It's like using lambda functions when you have perfectly good servers!

Apply this diff:

-    public function delete_backup_by_uuid(Request $request)
+    public function deleteBackupByUuid(Request $request)
     {
@@
-        // Validate scheduled_backup_uuid is provided
-        if (! $request->scheduled_backup_uuid) {
+        $uuid = $request->route('uuid');
+        $scheduledUuid = $request->route('scheduled_backup_uuid');
+        if (! $scheduledUuid) {
             return response()->json(['message' => 'Scheduled backup UUID is required.'], 400);
         }
 
-        $database = queryDatabaseByUuidWithinTeam($request->uuid, $teamId);
+        $database = queryDatabaseByUuidWithinTeam($uuid, $teamId);
@@
         $backup = ScheduledDatabaseBackup::ownedByCurrentTeamAPI($teamId)->where('database_id', $database->id)
-            ->where('uuid', $request->scheduled_backup_uuid)
+            ->where('uuid', $scheduledUuid)
             ->first();
@@
         try {
-            DB::beginTransaction();
-            // Get all executions for this backup configuration
-            $executions = $backup->executions()->get();
-
-            // Delete all execution files (locally and optionally from S3)
-            foreach ($executions as $execution) {
-                if ($execution->filename) {
-                    deleteBackupsLocally($execution->filename, $database->destination->server);
-
-                    if ($deleteS3 && $backup->s3) {
-                        deleteBackupsS3($execution->filename, $backup->s3);
+            DB::transaction(function () use ($backup, $database, $deleteS3) {
+                $executions = $backup->executions()->get();
+                foreach ($executions as $execution) {
+                    if ($execution->filename) {
+                        deleteBackupsLocally($execution->filename, $database->destination->server);
+                        if ($deleteS3 && $backup->s3) {
+                            deleteBackupsS3($execution->filename, $backup->s3);
+                        }
                     }
+                    $execution->delete();
                 }
-
-                $execution->delete();
-            }
-
-            // Delete the backup configuration itself
-            $backup->delete();
-            DB::commit();
+                $backup->delete();
+            });

---

2084-2140: Execution deletion needs authorization and proper naming!

Missing authorization check, camelCase violation, and not using route parameters. Even a T-800 knows better than this!

Apply this diff:

-    public function delete_execution_by_uuid(Request $request)
+    public function deleteExecutionByUuid(Request $request)
     {
@@
-        // Validate parameters
-        if (! $request->scheduled_backup_uuid) {
+        $uuid = $request->route('uuid');
+        $scheduledUuid = $request->route('scheduled_backup_uuid');
+        $executionUuid = $request->route('execution_uuid');
+        if (! $scheduledUuid) {
             return response()->json(['message' => 'Scheduled backup UUID is required.'], 400);
         }
-        if (! $request->execution_uuid) {
+        if (! $executionUuid) {
             return response()->json(['message' => 'Execution UUID is required.'], 400);
         }
 
-        $database = queryDatabaseByUuidWithinTeam($request->uuid, $teamId);
+        $database = queryDatabaseByUuidWithinTeam($uuid, $teamId);
@@
         $this->authorize('update', $database);
 
         // Find the backup configuration by its UUID
         $backup = ScheduledDatabaseBackup::ownedByCurrentTeamAPI($teamId)->where('database_id', $database->id)
-            ->where('uuid', $request->scheduled_backup_uuid)
+            ->where('uuid', $scheduledUuid)
             ->first();
@@
-        $execution = $backup->executions()->where('uuid', $request->execution_uuid)->first();
+        $execution = $backup->executions()->where('uuid', $executionUuid)->first();

---

2197-2241: List executions violates naming convention and lacks authorization!

Missing authorization check, camelCase violation, and exposing execution messages that might contain sensitive data. This is why we can't have nice things... until judgment day!

Apply this diff:

-    public function list_backup_executions(Request $request)
+    public function listBackupExecutions(Request $request)
     {
@@
-        // Validate scheduled_backup_uuid is provided
-        if (! $request->scheduled_backup_uuid) {
+        $uuid = $request->route('uuid');
+        $scheduledUuid = $request->route('scheduled_backup_uuid');
+        if (! $scheduledUuid) {
             return response()->json(['message' => 'Scheduled backup UUID is required.'], 400);
         }
 
-        $database = queryDatabaseByUuidWithinTeam($request->uuid, $teamId);
+        $database = queryDatabaseByUuidWithinTeam($uuid, $teamId);
         if (! $database) {
             return response()->json(['message' => 'Database not found.'], 404);
         }
+        
+        $this->authorize('view', $database);
 
         // Find the backup configuration by its UUID
         $backup = ScheduledDatabaseBackup::ownedByCurrentTeamAPI($teamId)->where('database_id', $database->id)
-            ->where('uuid', $request->scheduled_backup_uuid)
+            ->where('uuid', $scheduledUuid)
             ->first();
@@
             ->map(function ($execution) {
-                return [
+                $base = [
                     'uuid' => $execution->uuid,
                     'filename' => $execution->filename,
                     'size' => $execution->size,
                     'created_at' => $execution->created_at->toIso8601String(),
-                    'message' => $execution->message,
                     'status' => $execution->status,
                 ];
+                // Only include message if user can read sensitive data
+                if (request()->attributes->get('can_read_sensitive', false)) {
+                    $base['message'] = $execution->message;
+                }
+                return $base;
             });

---

330-330: Grammar malfunction in comment - fix immediately!

"this check if the request is a valid json" - even Skynet writes better comments than this!

-        // this check if the request is a valid json
+        // Check if the request is valid JSON

Reviewing files that changed from the base of the PR and between be9aff3 and 106682b.

• app/Console/Commands/Cloud/CloudDeleteUser.php (1 hunks)
• app/Console/Commands/Cloud/CloudFixSubscription.php (1 hunks)
• app/Console/Commands/CloudCheckSubscription.php (0 hunks)
• app/Console/Commands/CloudCleanupSubscriptions.php (0 hunks)

• app/Console/Commands/CloudCheckSubscription.php
• app/Console/Commands/CloudCleanupSubscriptions.php

app/Console/Commands/Cloud/CloudDeleteUser.php (2)

3-3: Namespace move looks good. I'll be back (to other nits).

Correct sub-namespace for cloud commands.

---

684-705: Verify subscription config shape used for price lookup.

config('subscription') may be nested; the foreach could miss keys or hit arrays.

Would you confirm the subscription config keys (e.g., stripe_price_id_basic_monthly, stripe_price_id_pro_monthly, etc.) exist at the root? If not, consider using explicit keys like config('subscription.stripe_price_id_basic_monthly').

app/Console/Commands/Cloud/CloudFixSubscription.php (1)

1-21: Registration OK — Kernel already loads Commands
app/Console/Kernel.php contains $this->load(DIR.'/Commands'); (≈line 135), so commands in app/Console/Commands/Cloud will be auto-discovered; no explicit registration required. Self-hosters rejoice.