rework weights for same name signups

[mantrakp04]

• update submodule
• Enhance sign-up risk assessment by adding sameEmailCount and sameEmailLimit to recent stats request. Update loadRecentSignUpStats function to include email normalization checks. Adjust tests to reflect new return structure.

Summary by CodeRabbit

• New Features

  • Risk scoring now tracks and reports counts of recent signups that share a normalized email (with configurable limit), exposing this as part of signup-risk statistics.

• Performance

  • Added a database index and migration to speed up recent-signup queries, improving risk assessment responsiveness.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-auth-hosted-components	Ready	Preview, Comment	Apr 12, 2026 10:43pm
stack-backend	Ready	Preview, Comment	Apr 12, 2026 10:43pm
stack-dashboard	Ready	Preview, Comment	Apr 12, 2026 10:43pm
stack-demo	Ready	Preview, Comment	Apr 12, 2026 10:43pm
stack-docs	Ready	Preview, Comment	Apr 12, 2026 10:43pm
stack-preview-backend	Ready	Preview, Comment	Apr 12, 2026 10:43pm
stack-preview-dashboard	Ready	Preview, Comment	Apr 12, 2026 10:43pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 68012b22-d758-4a40-904a-405c3fa90fb9

📥 Commits

Reviewing files that changed from the base of the PR and between 526e5eb and d51d3b0.

📒 Files selected for processing (1)

• apps/backend/prisma/schema.prisma

✅ Files skipped from review due to trivial changes (1)

• apps/backend/prisma/schema.prisma

---

📝 Walkthrough

Walkthrough

Adds normalized-email duplicate detection to sign-up risk scoring: request/response types updated, server logic extended to count matching normalized emails, a composite DB index added for queries, a migration created, and a git submodule reference bumped.

Changes

Cohort / File(s)	Summary
Risk Scoring Logic apps/backend/src/lib/risk-scores.tsx	Added `signUpEmailNormalized: string
Database Schema & Migrations apps/backend/prisma/schema.prisma, apps/backend/prisma/migrations/20260406000000_add_signup_email_normalized_recent_idx/migration.sql	Added composite index ProjectUser_signUpEmailNormalized_recent_idx on (tenancyId, isAnonymous, signUpEmailNormalized, signedUpAt) and created a migration to add the index concurrently.
Submodule Reference apps/backend/src/private/implementation	Updated git submodule commit reference from a93d7ea0c0a9... to 576f383b69a9....

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• N2D4

Poem

🐇 I nibble bytes and tidy threads,
Matching emails where each user treads.
Indexed paths for quicker finds,
Risk scores bloom in tidy lines. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions 'same name signups' but the changeset primarily adds email-based risk assessment with sameEmailCount and sameEmailLimit, not name-based weights.	Update the title to reflect the actual changes, such as 'Add email normalization and sameEmailCount to sign-up risk assessment' or similar.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description covers the main changes (submodule update, sameEmailCount/sameEmailLimit, email normalization, test updates) but lacks detail on the new database index and migration structure.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch risk-score-rework

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR enhances the signup risk assessment system by adding same-email detection alongside the existing same-IP and similar-email-base checks. It introduces a sameEmailCount field (matched on the normalized email address) to SignUpRiskRecentStats, a corresponding DB query, a new supporting index, and updates the test mock accordingly.

• risk-scores.tsx: Extended SignUpRiskRecentStatsRequest with signUpEmailNormalized and sameEmailLimit, added sameEmailCount to SignUpRiskRecentStats, and added a third parallel raw SQL query following the same cost-capped (LIMIT) pattern as the existing IP/email-base queries.
• schema.prisma + migration.sql: Added a new composite index ProjectUser_signUpEmailNormalized_recent_idx on (tenancyId, isAnonymous, signUpEmailNormalized, signedUpAt) using CREATE INDEX CONCURRENTLY IF NOT EXISTS, consistent with the other fraud-protection indexes added in the same migration file.
• Tests: The inline mock for loadRecentSignUpStats is updated to include the new sameEmailCount: 0 field, keeping the snapshot in sync.

Confidence Score: 5/5

Safe to merge — changes are additive, consistent with existing patterns, and carry no breaking changes.

All changes follow established patterns (cost-capped LIMIT queries, concurrent IF NOT EXISTS index creation, null-guarding). No logic errors, security issues, or migration safety concerns were found. The test mock is correctly updated. No P1 or P0 findings.

No files require special attention.

Important Files Changed

Filename	Overview
apps/backend/src/lib/risk-scores.tsx	Adds sameEmailCount detection using signUpEmailNormalized; follows existing patterns for null-guarding, cost-capped LIMIT queries, and Promise.all parallelism. Test mock updated correctly.
apps/backend/prisma/migrations/20260308000002_finalize_signup_fraud_protection/migration.sql	New concurrent index on (tenancyId, isAnonymous, signUpEmailNormalized, signedUpAt) added with correct sentinels and IF NOT EXISTS guard, consistent with other indexes in the same migration.
apps/backend/prisma/schema.prisma	Prisma index definition added for signUpEmailNormalized, matching the migration SQL exactly.

Sequence Diagram

sequenceDiagram
    participant Caller
    participant calculateSignUpRiskAssessment
    participant loadRecentSignUpStats
    participant DB as DB (replica)

    Caller->>calculateSignUpRiskAssessment: context (email, ip, ...)
    calculateSignUpRiskAssessment->>loadRecentSignUpStats: SignUpRiskRecentStatsRequest
    par same-IP query
        loadRecentSignUpStats->>DB: SELECT 1 WHERE signUpIp = ? LIMIT sameIpLimit
        DB-->>loadRecentSignUpStats: sameIpRows
    and same-normalized-email query (NEW)
        loadRecentSignUpStats->>DB: SELECT 1 WHERE signUpEmailNormalized = ? LIMIT sameEmailLimit
        DB-->>loadRecentSignUpStats: sameEmailRows
    and similar-email-base query
        loadRecentSignUpStats->>DB: SELECT 1 WHERE signUpEmailBase = ? LIMIT similarEmailLimit
        DB-->>loadRecentSignUpStats: similarEmailRows
    end
    loadRecentSignUpStats-->>calculateSignUpRiskAssessment: { sameIpCount, sameEmailCount, similarEmailCount }
    calculateSignUpRiskAssessment-->>Caller: SignUpRiskAssessment (scores + heuristicFacts)

Loading

_{Reviews (3): Last reviewed commit: "Add index for normalized sign-up email i..." | Re-trigger Greptile}

[Copilot]

Pull request overview

Enhances the backend sign-up risk assessment plumbing by extending “recent sign-up stats” to include same-normalized-email counts/limits, and updates dependency lockfile entries likely due to a submodule/dependency refresh.

Changes:

• Extend recent stats request/response types to include signUpEmailNormalized, sameEmailLimit, and sameEmailCount.
• Add a DB query to count recent sign-ups matching the same normalized email (bounded by sameEmailLimit).
• Update the in-source Vitest stubbed dependency return shape to match the new stats structure.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File	Description
pnpm-lock.yaml	Updates dependency resolution (notably Nitro now pulling in rolldown) and removes an importer entry.
apps/backend/src/lib/risk-scores.tsx	Adds same-normalized-email recent stats fields and query; updates test stub return shape.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/backend/src/lib/risk-scores.tsx`:
- Around line 83-93: The query in apps/backend/src/lib/risk-scores.tsx that uses
request.signUpEmailNormalized (inside the prisma.$replica().$queryRaw block that
checks sameEmailLimit) needs a corresponding DB index to avoid full table scans;
add the index to migration 20260308000002_finalize_signup_fraud_protection.sql
(CREATE INDEX CONCURRENTLY IF NOT EXISTS
"ProjectUser_signUpEmailNormalized_recent_idx" ON "ProjectUser"("tenancyId",
"isAnonymous", "signUpEmailNormalized", "signedUpAt")) and add the matching
Prisma index annotation to the ProjectUser model (@@index([tenancyId,
isAnonymous, signUpEmailNormalized, signedUpAt], name:
"ProjectUser_signUpEmailNormalized_recent_idx")) so the signUpEmailNormalized
filter in the sameEmailLimit query can use the index.

In `@apps/backend/src/private/implementation`:
- Line 1: Verify the private submodule update by checking the commit range
between a93d7ea0c0a91d7a4dfbc97c0032c9c9c68ec4d6 and
576f383b69a9593a9cff8d755c64c810aeeae239: run git fetch in the private repo and
git log --oneline a93d7ea..576f383b6 to enumerate commits, then run git diff
--name-status a93d7ea0c..576f383b6 to ensure only the intended risk-score and
signup-stat files were changed (no other files or code paths), inspect each
commit message and diff for breaking/security-impacting edits, run the private
repo’s test suite and any linters/security scanners on the new commits, and if
anything else appears, revert or request the correct commit range before
merging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1840880f-79f3-4e1f-95d1-fd9e84e37754

📥 Commits

Reviewing files that changed from the base of the PR and between 4ddf6a5 and dadc71f.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• apps/backend/src/lib/risk-scores.tsx
• apps/backend/src/private/implementation