[codex] Add Hyperping cron healthchecks

[riderx]

Summary (AI generated)

• Added optional healthcheck_url support to public.cron_tasks for Hyperping healthcheck URLs.
• Added a cron success reporter that pings Hyperping only after a task finishes without raising.
• Added DB tests for Hyperping URL scoping and success-only reporting.

Motivation (AI generated)

Capgo cron tasks need an operational heartbeat that can be enabled per cron row without adding separate cron jobs. Hyperping healthchecks support a simple HTTP ping at the end of a task run, so this adds that hook to the existing table-driven cron runner.

Business Impact (AI generated)

This improves reliability visibility for scheduled jobs and helps the team detect missed or failed cron work sooner, reducing operational risk for Capgo services and customers.

Test Plan (AI generated)

• bunx sqlfluff lint --dialect postgres supabase/migrations/20260521210531_cron_hyperping_healthchecks.sql
• bunx eslint tests/cron-healthchecks.test.ts tests/security-definer-execute-hardening.test.ts
• bun run supabase:start
• bun run supabase:with-env -- bunx vitest run tests/cron-healthchecks.test.ts tests/security-definer-execute-hardening.test.ts
• Commit hook: bun run cli:build && vue-tsc --noEmit

Generated with AI

Summary by CodeRabbit

• New Features

  • Cron tasks can include Hyperping healthcheck URLs; executed tasks automatically report success to those healthchecks.
  • Healthcheck URLs are validated to accept only properly formatted Hyperping URLs.

• Tests

  • Added integration tests covering healthcheck URL validation and that only successful tasks report to their healthchecks.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c6bcf61d-c014-4313-859b-d1f5908226ec

📥 Commits

Reviewing files that changed from the base of the PR and between 0480af1 and d90128c.

📒 Files selected for processing (3)

• supabase/migrations/20260521210531_cron_hyperping_healthchecks.sql
• tests/cron-healthchecks.test.ts
• tests/security-definer-execute-hardening.test.ts

---

📝 Walkthrough

Walkthrough

This PR integrates Hyperping healthcheck reporting into cron tasks: adds a validated healthcheck_url column, implements report_cron_success_healthcheck() to perform HTTP GETs on success (logging errors as warnings), updates process_all_cron_tasks() to call the reporter with advisory-locking and per-task error handling, and adds integration and security tests.

Changes

Hyperping healthcheck reporting for cron tasks

Layer / File(s)	Summary
Healthcheck URL schema and validation supabase/migrations/20260521210531_cron_hyperping_healthchecks.sql	Adds healthcheck_url column to public.cron_tasks with an idempotent CHECK constraint that accepts only NULL or trimmed, non-whitespace Hyperping URLs matching https://hc.hyperping.io/… prefix.
Healthcheck reporter function supabase/migrations/20260521210531_cron_hyperping_healthchecks.sql	Implements public.report_cron_success_healthcheck(p_healthcheck_url text, p_task_name text) that validates input, early-returns for null/blank/invalid URLs, performs net.http_get with fixed headers and 8000ms timeout, logs failures as WARNINGs, and grants execute only to service_role.
Cron executor with healthcheck integration supabase/migrations/20260521210531_cron_hyperping_healthchecks.sql	Replaces public.process_all_cron_tasks() to use a non-blocking advisory lock (ID=1), compute UTC time components, determine per-task should_run, execute tasks by task_type (function, queue, function_queue), call the reporter on successful runs, log per-task errors as WARNINGs, and update function ownership/privileges and comment.
Test infrastructure and URL validation tests/cron-healthchecks.test.ts	Adds a rollbackAndRelease helper, pooled pg Pool lifecycle, and a test asserting non-Hyperping healthcheck_url inserts are rejected by the CHECK constraint.
Success-only healthcheck reporting test tests/cron-healthchecks.test.ts	Adds an integration test that inserts one success and one failing cron task (both with Hyperping URLs), polls process_all_cron_tasks() until calls are observed, and asserts only the successful task's healthcheck was recorded.
Security hardening test update tests/security-definer-execute-hardening.test.ts	Adds public.report_cron_success_healthcheck(text, text) to SERVICE_ONLY_PROCS to assert it cannot be executed by anon or authenticated roles.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

codex

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[codex] Add Hyperping cron healthchecks' clearly and concisely summarizes the main change: adding Hyperping healthcheck integration to the cron task system.
Description check	✅ Passed	The description includes a Summary section (AI-generated), Motivation (AI-generated), Business Impact (AI-generated), and Test Plan with executed steps, covering key aspects of the change comprehensively.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.2.1)

supabase/migrations/20260521210531_cron_hyperping_healthchecks.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks¹

---

_{Comparing codex/hyperping-cron-healthchecks (d90128c) with main (cf9754c)}

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@supabase/migrations/20260521210531_cron_hyperping_healthchecks.sql`:
- Around line 206-211: The function public.process_all_cron_tasks() lacks an
explicit ACL revocation; add a REVOKE ALL ON FUNCTION
public.process_all_cron_tasks() FROM PUBLIC; (matching the pattern used for
report_cron_success_healthcheck) immediately after setting the OWNER to postgres
so the function cannot be called by PUBLIC and to follow the repo's permission
guidelines.
- Around line 166-168: The dynamic EXECUTE in the CASE branch for task.task_type
= 'function' is vulnerable because it concatenates task.target directly; change
this to use pg_catalog.format with identifier placeholders (e.g., format('SELECT
%I.%I()', task.target_schema, task.target_function)) or validate/parse
task.target against an allowed function-call regex and use format('%s', ...)
with %I/%L as appropriate; update the logic that reads cron_tasks.target to
either split into target_schema/target_function or to validate the string before
calling EXECUTE so the EXECUTE no longer concatenates raw task.target.

In `@tests/cron-healthchecks.test.ts`:
- Line 31: Replace plain it(...) with it.concurrent(...) for the unit test
titled "keeps healthcheck URLs scoped to Hyperping" and the other test at the
later position flagged in the review so both tests run in parallel; locate the
test declarations by their names (e.g., the it('keeps healthcheck URLs scoped to
Hyperping', ...) call) and update them to it.concurrent('keeps healthcheck URLs
scoped to Hyperping', async () => { ... }) and likewise change the other it(...)
to it.concurrent(...).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5b92eb14-ea95-4929-8c29-98f9aaac81a0

📥 Commits

Reviewing files that changed from the base of the PR and between f1090d7 and 0480af1.

📒 Files selected for processing (3)

• supabase/migrations/20260521210531_cron_hyperping_healthchecks.sql
• tests/cron-healthchecks.test.ts
• tests/security-definer-execute-hardening.test.ts

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[riderx]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.