feat: add account_id to GET /api/sandboxes/file

[recoup-coding-agent]

Summary

• Adds account_id query parameter to the GET /api/sandboxes/file endpoint (matching the existing GET /api/sandboxes pattern)
• Validates account_id as a UUID via Zod and passes it as target_account_id to buildGetSandboxesParams for access control
• 5 new unit tests covering basic flow, account_id override, access denied, and invalid format cases

Context

Part of REC-53: when users navigate to /files?email=..., the AccountOverrideProvider resolves the email to an accountId. The chat frontend then passes this as account_id to both sandboxes endpoints. The list endpoint already supported account_id — this PR adds the same to the file endpoint.

Test plan

• All 151 sandbox tests pass
• 5 new tests for validateGetSandboxesFileRequest covering account_id flow
• CI build and lint

🤖 Generated with Claude Code

---

Summary by cubic

Add support for an optional account_id on GET /api/sandboxes/file to enable the email-based account override on /files. This mirrors the list endpoint and enforces access checks (REC-53).

• New Features
  • Accepts account_id as a UUID query param and validates with Zod.
  • Forwards it as target_account_id to buildGetSandboxesParams for authorization; returns 403 on denied and 400 on invalid input.
  • Adds 5 unit tests covering basic flow, override, access denied, and invalid format.

^{Written for commit 496b778. Summary will update on new commits.}

[coderabbitai]

Warning

Rate limit exceeded

@recoup-coding-agent has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 8 minutes and 32 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 8 minutes and 32 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3d6d999e-c442-45d7-9782-f4a4d8d018ce

📥 Commits

Reviewing files that changed from the base of the PR and between 85fa5b8 and 496b778.

⛔ Files ignored due to path filters (1)

• lib/sandbox/__tests__/validateGetSandboxesFileRequest.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**

📒 Files selected for processing (1)

• lib/sandbox/validateGetSandboxesFileRequest.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/sandboxes-file-account-id

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
recoup-api	Ready	Preview	Apr 7, 2026 2:11pm

[cubic-dev-ai]

No issues found across 2 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

_{Auto-approved: Adds optional account_id parameter to sandbox file endpoint with validation and tests, following existing patterns.}

Architecture diagram

sequenceDiagram
    participant Client as UI / Chat Frontend
    participant Route as API Route (GET /api/sandboxes/file)
    participant Val as validateGetSandboxesFileRequest
    participant Auth as validateAuthContext
    participant Access as buildGetSandboxesParams

    Note over Client,Access: Runtime Request Flow with Account Override

    Client->>Route: GET /api/sandboxes/file?path=...&account_id=...
    Route->>Val: validateGetSandboxesFileRequest(request)
    
    Val->>Val: Parse query params
    opt NEW: account_id provided
        Val->>Val: Validate account_id is valid UUID
    end

    alt Invalid Path or UUID Format
        Val-->>Route: Return 400 Bad Request
    else Valid Format
        Val->>Auth: validateAuthContext(request)
        Auth-->>Val: Returns caller accountId/authToken

        Val->>Access: CHANGED: buildGetSandboxesParams({ account_id, target_account_id })
        Note right of Access: Checks if caller has permission<br/>to access target_account_id

        alt Access Permitted
            Access-->>Val: Returns validated accountIds
            Val-->>Route: Return ValidatedParams
            Route->>Route: Fetch and return sandbox file data
            Route-->>Client: 200 OK (File Content)
        else NEW: Access Denied
            Access-->>Val: Returns error ("Access denied...")
            Val-->>Route: Return 403 Forbidden
            Route-->>Client: 403 Forbidden
        end
    end

Loading