feat: Add spam blocker DI structure

[alishaz-polymath]

What does this PR do?

Summary

This PR introduces a lean, testable Dependency Injection (DI) structure for the Watchlist/Spam-Blocker feature and applies it at the key edges (signup/admin/API/booking flows). This PR also updates the Watchlist schema for a more scalable and purposeful design. The goal is simple: keep data access in repositories, keep orchestration in controllers, and keep business logic in services—with a small façade as the entrypoint.

Highlights

• Replace scattered, hard-to-mock checks with a single feature façade.
• Ensure only repositories touch Prisma (no ORM in services/controllers/utils).
• Make telemetry consistent and tests reliable (no flaky sync/async span behavior).

What changed (high level)

• Feature boundary

  • Added Watchlist DI surface: tokens, module, container, and a façade exposing:

    • globalBlocking.isBlocked(email)
    • orgBlocking.isBlocked(email, orgId)

• Repositories only

  • All Prisma access is encapsulated in repositories. Services/controllers no longer import or receive Prisma/tx.

• Services

  • Business logic sits in services (global vs. org checks, list/CRUD, etc.).
  • Logging & telemetry flow through the service layer (see “Telemetry” below).

• Controllers / Edges

  • API and booking handlers call the façade instead of constructing repos or touching Prisma.
  • Input normalization (email/domain) is centralized and reused.

• Telemetry

  • Uniform async spans: Sentry startSpan usage is normalized so span wrappers always return a Promise. Easier to stub/no-op in tests.

• Tests

  • Added/updated integration tests at the route level (e.g., /api/users), verifying real request → controller → service → repo flow.
  • Unit tests use repo-level stubs/mocks rather than mocking the façade globally.

Behavior (intentionally simple)

• Precedence:
  Global Email Blocklist -> Global Domain Blocklist -> Org Email Blocklist -> Org Domain Blocklist

How to validate

1. Skim the façade (getWatchlistFeature) to see the small surface and the precedence/failure-default JSDoc.
2. Follow an edge path (e.g., user creation or booking confirmation flags): controller → façade → service → repository.
3. Run integration tests (e.g., POST /api/users) to see real data flow and watchlist auto-lock behavior.

Risks & mitigations

• Logger differences (getSubLogger vs child): addressed via a small scoping/wrapper so services don’t break across logger backends.
• Telemetry in tests: spans standardized to Promises; tests use a no-op wrapper—no Sentry env needed.
• Behavioral drift: kept contracts small and added integration tests on high-traffic paths.

Reviewer checklist

• No direct @calcom/prisma (or @prisma/client) imports outside **/repository/**.
• Controllers don’t new-up repos; they call the façade.
• Services contain the business logic; repositories are thin DB adapters.
• Telemetry wrapping returns a Promise consistently (no sync/async drift).
• Integration tests cover “blocked” and “not blocked” flows end-to-end.

Outcome: A pragmatic, DI-first foundation for spam blocking: simple today, clean seams for future policy/DTO growth, and reliable tests that exercise the real wiring.

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

• Show screen recordings of the issue or feature.
• Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

• Add side-by-side screenshots of the original and updated change.
• Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• N/A I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

Checklist

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
cal	Ignored			Oct 14, 2025 1:11am
cal-eu	Ignored			Oct 14, 2025 1:11am

[coderabbitai]

Walkthrough

Replaces legacy Watchlist repository API with a DI-based Watchlist feature façade and wiring (tokens, module, container). Adds typed DTOs, normalization and telemetry utilities, Global/Organization blocking services, WatchlistService and WatchlistAuditService, Prisma-backed repositories, and a free-email-domain check. Refactors controllers to accept structured params and optional spans, removes old repository/mocks, and adds/updates tests. Also introduces an ApiKeyService and updates verifyApiKey middleware to use it.

Possibly related PRs

• feat: Add spam block schema and migration #23996 — Adds organization-scoped watchlist support and organizationId usage consumed by the new org-aware repositories and services.
• chore: Watchlist schema update #24246 — Updates Watchlist schema (audit, source, isGlobal, lastUpdatedAt) that align with new audit entities and repository/service logic.
• chore: [Booking flow refactor - DI Cleanup - 1] Make ioctopus flow more type-safe and runtime-safe #23541 — DI/token/module refactor that overlaps with the new watchlist DI tokens, module, and container wiring.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly captures the primary purpose of the changeset by indicating the addition of a dependency-injection structure for the spam-blocker functionality, which aligns with the extensive introduction of DI tokens, modules, containers, and a façade. It is concise, specific, and avoids unnecessary details or ambiguous wording. A teammate scanning the history will immediately understand the main enhancement without being distracted by secondary changes.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	The pull request description clearly outlines the introduction of a dependency injection structure for the Watchlist feature, the relocation of Prisma access into repositories, the creation of facades and services, telemetry normalization, and the added integration and unit tests, all of which directly correspond to the detailed changes in the diff.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/spam-block-di

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}