feat: POST /api/artists/{id}/segments (manual segment creation)

[arpitgupta1214]

Summary

Adds the dedicated REST endpoint POST /api/artists/{id}/segments for manual segment creation.

• Reuses the existing MCP-backed lib/segments/createSegments handler with no duplication of generation or insert logic — same handler that powers the create_segments MCP tool
• Route body carries only { prompt }; artist target is path-encoded (id) and mapped to artist_account_id at the handler layer, so the shared handler signature is unchanged
• Thin route → postArtistSegmentsHandler → createSegments; Zod validator in lib/artists/segments/validatePostSegmentsBody.ts
• Auth via validateAuthContext() (supports x-api-key and Authorization: Bearer); per-artist access enforced via checkAccountArtistAccess, mirroring DELETE /api/artists/{id}

Error envelope mapping

Case	Status	Notes
invalid body / non-UUID path id	400	Zod validator shape { status, missing_fields, error }
missing/invalid auth	401	from validateAuthContext
caller lacks artist access	403	{ status: "error", error: "Unauthorized segment creation attempt" }
artist not found	404	matches delete handler pattern
createSegments returned "No social account found for this artist" or "No fans found for this artist"	409	preserves feedback field from the shared handler so the REST caller sees the same remediation guidance the MCP tool does
any other createSegments failure or thrown error	500

Success envelope

{
  "status": "success",
  "segments_created": 5,
  "message": "Segments generated successfully."
}

Files

• app/api/artists/[id]/segments/route.ts (new; POST, OPTIONS)
• lib/artists/segments/postArtistSegmentsHandler.ts (new)
• lib/artists/segments/validatePostSegmentsBody.ts (new)
• lib/artists/segments/__tests__/postArtistSegmentsHandler.test.ts (new; 11 tests)

Test plan

• pnpm test lib/artists/segments — 11/11 green
• pnpm test — 1905/1905 green (full suite)
• pnpm lint:check — 0 errors (no ESLint config relaxations; see PR chore(lint): restore green lint via scoped rules + meaningful JSDoc #435)
• pnpm build parses the new route; build exit is due to unrelated missing env vars (APIFY, PRIVY, SPOTIFY, REDIS, ARWEAVE, FAL) not this route
• npx tsc --noEmit reports no TypeScript errors in the new files
• Preview verification against deployed Vercel preview after merge (per project convention — local pnpm dev E2E is not used)

Notes

• Chat callers (hooks/useCreateSegments.ts) will cut over in the follow-up chat PR in the Create stack; the local chat/app/api/segments/create/route.ts is removed there.
• Chat-driven MCP segment creation is unchanged (not part of this migration phase).

---

Summary by cubic

Adds POST /api/artists/{id}/segments to let clients manually create segments for an artist, reusing the shared createSegments flow. Returns 201 Created on success and consolidates validation into validatePostArtistSegmentsRequest.

• New Features

  • New route POST /api/artists/{id}/segments with OPTIONS for CORS.
  • Thin postArtistSegmentsHandler delegates to createSegments; body { prompt }; path id maps to artist_account_id.
  • Auth via validateAuthContext; per-artist access via checkAccountArtistAccess; 404 when artist is missing.
  • Responses: 201 success { status, segments_created, message }; errors 400/401/403/404/409 (no socials or fans; includes feedback)/500. 11 tests cover success and all error paths.

• Refactors

  • Combined path/body/auth/artist existence/access checks into validatePostArtistSegmentsRequest; validator return types prefixed with Validated*.

^{Written for commit eeff513. Summary will update on new commits.}

Summary by CodeRabbit

• New Features
  • Added a new API endpoint for creating artist segments powered by prompt-based generation
  • Includes comprehensive validation for authentication, authorization, and request payloads
  • Returns detailed error responses with appropriate HTTP status codes for various failure scenarios

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
recoup-api	Ready	Preview	Apr 15, 2026 9:41pm

[coderabbitai]

Warning

Rate limit exceeded

@arpitgupta1214 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 47 minutes and 49 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 47 minutes and 49 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b68c756f-b9de-41dc-a5ec-e6aca785718a

📥 Commits

Reviewing files that changed from the base of the PR and between b31faf7 and eeff513.

⛔ Files ignored due to path filters (1)

• lib/artists/segments/__tests__/postArtistSegmentsHandler.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**

📒 Files selected for processing (3)

• lib/artists/segments/postArtistSegmentsHandler.ts
• lib/artists/segments/validatePostArtistSegmentsRequest.ts
• lib/artists/segments/validatePostSegmentsBody.ts

📝 Walkthrough

Walkthrough

New API endpoint for creating artist segments with comprehensive multi-layer validation, authentication checks, and access control. Includes route handlers with CORS support, request validation pipeline, and business logic orchestration with normalized error handling.

Changes

Cohort / File(s)	Summary
Route Handler app/api/artists/[id]/segments/route.ts	Exports OPTIONS and POST handlers with CORS support; POST delegates to postArtistSegmentsHandler, passing request and dynamic route params (id).
Request Validation Pipeline lib/artists/segments/validatePostSegmentsBody.ts, lib/artists/segments/validatePostArtistSegmentsRequest.ts	Validates request body schema (prompt string, minimum length 1) and orchestrates sequential validation: route params, request body, auth context, artist lookup, and per-artist access control.
Handler Logic lib/artists/segments/postArtistSegmentsHandler.ts	Coordinates request validation, delegates segment generation to shared createSegments service, normalizes error responses (409 for resource exhaustion, 500 otherwise), and returns CORS-enabled JSON responses with typed payloads.

Sequence Diagram

sequenceDiagram
    participant Client
    participant RouteHandler as Route Handler<br/>/segments
    participant Validator as Validation<br/>Pipeline
    participant AuthCheck as Auth & Access
    participant Database as Database
    participant Service as Segment<br/>Service

    Client->>RouteHandler: POST /api/artists/{id}/segments
    RouteHandler->>Validator: validatePostArtistSegmentsRequest(request, id)
    Validator->>Validator: validateAccountParams(id)
    Validator->>Validator: parseJSON & validatePostSegmentsBody()
    Validator->>AuthCheck: validateAuthContext()
    AuthCheck-->>Validator: accountId
    Validator->>Database: selectAccounts(artistId)
    Database-->>Validator: artist record
    alt Artist not found
        Validator-->>RouteHandler: NextResponse 404
    else Artist exists
        Validator->>AuthCheck: checkAccountArtistAccess()
        alt Access denied
            AuthCheck-->>RouteHandler: NextResponse 403
        else Access granted
            Validator-->>RouteHandler: PostArtistSegmentsRequest
            RouteHandler->>Service: createSegments(artist_account_id, prompt)
            Service->>Database: Insert segments
            alt Success
                Service-->>RouteHandler: {success: true, count}
                RouteHandler-->>Client: 200 JSON {status, segments_created}
            else Failure
                Service-->>RouteHandler: {success: false, error, feedback?}
                RouteHandler->>RouteHandler: Normalize status (409 or 500)
                RouteHandler-->>Client: Error JSON + status
            end
        end
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• PR #416 — Adds similar artist endpoint handlers under app/api/artists/[id] with OPTIONS CORS handlers and reuses shared validation utilities (validateAccountParams, checkAccountArtistAccess).

Suggested reviewers

• sweetmantech

Poem

🎨 A fresh endpoint blooms today,
Segments flow in structured way,
Validation guards each artist's gate,
CORS-enabled and first-rate! ✨

🚥 Pre-merge checks | ✅ 1

✅ Passed checks (1 passed)

Check name	Status	Explanation
Solid & Clean Code	✅ Passed	PR demonstrates strong adherence to SOLID & Clean Code principles with single-function-per-file convention, sequential validation with early returns, comprehensive error handling with correct HTTP status codes, code reuse via shared utilities, and robust 11-case test suite covering all error paths.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/api-post-segments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

3 issues found across 4 files

Confidence score: 4/5

• This PR is likely safe to merge, with mostly moderate concerns and no clear functionality-breaking defect called out.
• The most impactful issue is in lib/artists/segments/postArtistSegmentsHandler.ts: validateAuthContext runs after body parsing/validation, which can return validation feedback before rejecting unauthenticated requests.
• lib/artists/segments/postArtistSegmentsHandler.ts also has maintainability and API-semantics gaps (oversized handler and 200 OK instead of 201 Created for creation), which raise cleanup priority more than immediate merge risk.
• Pay close attention to lib/artists/segments/postArtistSegmentsHandler.ts - auth-check ordering and response semantics should be tightened to avoid unintended behavior.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/artists/segments/postArtistSegmentsHandler.ts">

<violation number="1" location="lib/artists/segments/postArtistSegmentsHandler.ts:26">
P2: Custom agent: **Enforce Clear Code Style and Maintainability Practices**

At 128 lines this handler is well over the 100-line limit and more than double every other handler in `lib/artists/` (~50 lines each). Extract the `createSegments` result-to-response mapping (lines 84–114, including the `NO_RESOURCE_ERROR_MESSAGES` set) into a small helper (e.g., `mapCreateSegmentsResult`) to bring the file under the limit and keep a single level of responsibility.</violation>

<violation number="2" location="lib/artists/segments/postArtistSegmentsHandler.ts:38">
P2: Auth check (`validateAuthContext`) runs after body validation. Move it before `safeParseJson` / `validatePostSegmentsBody` so unauthenticated requests are rejected immediately without exposing validation errors.</violation>

<violation number="3" location="lib/artists/segments/postArtistSegmentsHandler.ts:93">
P2: This POST endpoint creates new segments but returns `200 OK`. Use `201 Created` to follow HTTP semantics for resource creation.</violation>
</file>

Architecture diagram

sequenceDiagram
    participant Client
    participant Route as API Route
    participant Handler as postArtistSegmentsHandler
    participant Auth as Auth & Access Logic
    participant DB as Supabase / DB
    participant Logic as createSegments (Shared)

    Note over Client,Logic: NEW: Manual Segment Creation Flow

    Client->>Route: POST /api/artists/{id}/segments
    Route->>Handler: NEW: Handle manual creation

    Handler->>Handler: NEW: validatePostSegmentsBody()
    alt Invalid prompt or ID shape
        Handler-->>Client: 400 Bad Request
    end

    Handler->>Auth: validateAuthContext(request)
    alt Missing/Invalid API Key or Bearer
        Auth-->>Client: 401 Unauthorized
    end
    Auth-->>Handler: requesterAccountId

    Handler->>DB: selectAccounts(artistId)
    alt Artist not found
        DB-->>Handler: empty
        Handler-->>Client: 404 Not Found
    end

    Handler->>Auth: checkAccountArtistAccess(requester, artist)
    alt Caller cannot manage this artist
        Auth-->>Client: 403 Forbidden
    end

    Handler->>Logic: NEW: createSegments({ artist_account_id, prompt })
    Note over Logic: Reuses logic from MCP tool flow

    alt Segments Generated
        Logic-->>Handler: { success: true, count }
        Handler-->>Client: 200 Success { segments_created }
    else Missing Socials or Fans
        Logic-->>Handler: { success: false, feedback, message }
        Handler-->>Client: 409 Conflict (with remediation feedback)
    else Generation Failure
        Logic-->>Handler: { success: false, error }
        Handler-->>Client: 500 Internal Server Error
    end

Loading

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P2: Custom agent: Enforce Clear Code Style and Maintainability Practices

At 128 lines this handler is well over the 100-line limit and more than double every other handler in lib/artists/ (~50 lines each). Extract the createSegments result-to-response mapping (lines 84–114, including the NO_RESOURCE_ERROR_MESSAGES set) into a small helper (e.g., mapCreateSegmentsResult) to bring the file under the limit and keep a single level of responsibility.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At lib/artists/segments/postArtistSegmentsHandler.ts, line 26:

<comment>At 128 lines this handler is well over the 100-line limit and more than double every other handler in `lib/artists/` (~50 lines each). Extract the `createSegments` result-to-response mapping (lines 84–114, including the `NO_RESOURCE_ERROR_MESSAGES` set) into a small helper (e.g., `mapCreateSegmentsResult`) to bring the file under the limit and keep a single level of responsibility.</comment>

<file context>
@@ -0,0 +1,128 @@
+ * @param params - The route params containing the artist account ID.
+ * @returns A NextResponse with the segment generation result envelope.
+ */
+export async function postArtistSegmentsHandler(
+  request: NextRequest,
+  params: Promise<{ id: string }>,
</file context>

[cubic-dev-ai]

0 issues found across 3 files (changes from recent commits).

_{Requires human review: Auto-approval blocked by 2 unresolved issues from previous reviews.}

[cubic-dev-ai]

0 issues found across 2 files (changes from recent commits).

_{Requires human review: Auto-approval blocked by 2 unresolved issues from previous reviews.}

[coderabbitai]

🧹 Nitpick comments (3)

lib/artists/segments/validatePostArtistSegmentsRequest.ts (2)

28-84: Validation orchestrator is well-structured but lengthy; consider extraction.

The function spans ~57 lines, exceeding the 20-line guideline. However, the sequential validation pipeline with early returns is clear and maintainable. For improved testability and adherence to length guidelines, consider extracting the artist existence check (lines 51-63) and access check (lines 65-77) into dedicated helper functions.

♻️ Optional: Extract existence and access checks

+async function ensureArtistExists(artistId: string): Promise<NextResponse | null> {
+  const existingArtist = await selectAccounts(artistId);
+  if (!existingArtist.length) {
+    return NextResponse.json(
+      { status: "error", error: "Artist not found" },
+      { status: 404, headers: getCorsHeaders() },
+    );
+  }
+  return null;
+}
+
+async function ensureArtistAccess(
+  requesterAccountId: string,
+  artistId: string,
+): Promise<NextResponse | null> {
+  const hasAccess = await checkAccountArtistAccess(requesterAccountId, artistId);
+  if (!hasAccess) {
+    return NextResponse.json(
+      { status: "error", error: "Unauthorized segment creation attempt" },
+      { status: 403, headers: getCorsHeaders() },
+    );
+  }
+  return null;
+}

As per coding guidelines: "Flag functions longer than 20 lines."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/artists/segments/validatePostArtistSegmentsRequest.ts` around lines 28 -
84, The validatePostArtistSegmentsRequest function is >20 lines; extract the
artist existence check and the access check into two helpers (e.g.,
ensureArtistExists(artistId) and ensureRequesterHasAccess(requesterAccountId,
artistId)) that encapsulate the selectAccounts(...) and
checkAccountArtistAccess(...) logic and return either void (on success) or the
NextResponse error used now; replace the inline blocks in
validatePostArtistSegmentsRequest with calls to these helpers and return any
NextResponse they produce so behavior and early-return semantics remain
identical.

---

37-46: Consider validating authentication before parsing body.

Currently, body parsing (line 37-41) occurs before authentication (line 43-46). While this provides better error messages for malformed requests, it means unauthenticated requests with invalid bodies receive a 400 instead of 401. If rate-limiting or audit logging depends on authentication, you may want to swap the order.

This is a minor design consideration—the current approach is valid if you prefer granular error reporting over strict auth-first semantics.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/artists/segments/validatePostArtistSegmentsRequest.ts` around lines 37 -
46, Swap authentication validation to run before body parsing so unauthenticated
requests return 401 instead of 400: call validateAuthContext(request) and handle
a NextResponse result before invoking safeParseJson(request) and
validatePostSegmentsBody(rawBody). Update the order in
validatePostArtistSegmentsRequest to invoke validateAuthContext first (and
return if it is a NextResponse), then proceed to safeParseJson and
validatePostSegmentsBody, preserving existing NextResponse checks for each
function.

lib/artists/segments/postArtistSegmentsHandler.ts (1)

21-81: Consider extracting response builders to reduce handler length.

The handler function spans ~60 lines, exceeding the 20-line guideline. While the orchestration logic is sound, you could extract the success/error response construction into small helper functions to improve readability and testability.

♻️ Optional refactor to extract response builders

+function buildSuccessResponse(count: number): NextResponse {
+  return NextResponse.json(
+    {
+      status: "success",
+      segments_created: count,
+      message: "Segments generated successfully.",
+    },
+    { status: 200, headers: getCorsHeaders() },
+  );
+}
+
+function buildErrorResponse(message: string, feedback?: string): NextResponse {
+  const isNoResourceError = NO_RESOURCE_ERROR_MESSAGES.has(message);
+  return NextResponse.json(
+    {
+      status: "error",
+      error: message,
+      ...(feedback ? { feedback } : {}),
+    },
+    { status: isNoResourceError ? 409 : 500, headers: getCorsHeaders() },
+  );
+}

As per coding guidelines: "Flag functions longer than 20 lines."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/artists/segments/postArtistSegmentsHandler.ts` around lines 21 - 81, The
handler postArtistSegmentsHandler is over the 20-line guideline due to inline
response construction; extract small helper builders (e.g.,
buildSuccessResponse(resultCount, corsHeaders), buildFailureResponse(message,
feedback, statusCode, corsHeaders), buildExceptionResponse(error, corsHeaders))
and replace the three NextResponse.json blocks (success branch after
createSegments, error branch using NO_RESOURCE_ERROR_MESSAGES, and the catch
block) with calls to these helpers; keep validatePostArtistSegmentsRequest,
createSegments and getCorsHeaders usage the same and ensure helpers return
NextResponse objects and live in the same module or a nearby utils file for easy
testing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@lib/artists/segments/postArtistSegmentsHandler.ts`:
- Around line 21-81: The handler postArtistSegmentsHandler is over the 20-line
guideline due to inline response construction; extract small helper builders
(e.g., buildSuccessResponse(resultCount, corsHeaders),
buildFailureResponse(message, feedback, statusCode, corsHeaders),
buildExceptionResponse(error, corsHeaders)) and replace the three
NextResponse.json blocks (success branch after createSegments, error branch
using NO_RESOURCE_ERROR_MESSAGES, and the catch block) with calls to these
helpers; keep validatePostArtistSegmentsRequest, createSegments and
getCorsHeaders usage the same and ensure helpers return NextResponse objects and
live in the same module or a nearby utils file for easy testing.

In `@lib/artists/segments/validatePostArtistSegmentsRequest.ts`:
- Around line 28-84: The validatePostArtistSegmentsRequest function is >20
lines; extract the artist existence check and the access check into two helpers
(e.g., ensureArtistExists(artistId) and
ensureRequesterHasAccess(requesterAccountId, artistId)) that encapsulate the
selectAccounts(...) and checkAccountArtistAccess(...) logic and return either
void (on success) or the NextResponse error used now; replace the inline blocks
in validatePostArtistSegmentsRequest with calls to these helpers and return any
NextResponse they produce so behavior and early-return semantics remain
identical.
- Around line 37-46: Swap authentication validation to run before body parsing
so unauthenticated requests return 401 instead of 400: call
validateAuthContext(request) and handle a NextResponse result before invoking
safeParseJson(request) and validatePostSegmentsBody(rawBody). Update the order
in validatePostArtistSegmentsRequest to invoke validateAuthContext first (and
return if it is a NextResponse), then proceed to safeParseJson and
validatePostSegmentsBody, preserving existing NextResponse checks for each
function.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1518ee7b-92ad-424e-925a-ff7d275c3512

📥 Commits

Reviewing files that changed from the base of the PR and between ec0008b and b31faf7.

⛔ Files ignored due to path filters (1)

• lib/artists/segments/__tests__/postArtistSegmentsHandler.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**

📒 Files selected for processing (4)

• app/api/artists/[id]/segments/route.ts
• lib/artists/segments/postArtistSegmentsHandler.ts
• lib/artists/segments/validatePostArtistSegmentsRequest.ts
• lib/artists/segments/validatePostSegmentsBody.ts

[cubic-dev-ai]

0 issues found across 2 files (changes from recent commits).

_{Requires human review: Auto-approval blocked by 2 unresolved issues from previous reviews.}

[arpitgupta1214]

Preview smoke test

Run against recoup-api-git-feat-api-post-segments-recoupable-ad724970.vercel.app with x-api-key.

Error envelope paths

#	Case	Expected	Got	Body
1	OPTIONS /api/artists/{id}/segments	200	✅ 200	—
2	POST no auth	401	✅ 401	Exactly one of x-api-key or Authorization must be provided
3	POST missing prompt	400	✅ 400	missing_fields: ["prompt"]
4	POST non-UUID path id	400	✅ 400	missing_fields: ["id"]
5	POST unknown artist UUID	404	✅ 404	Artist not found

Handler delegation (409 path)

POST against a real artist with no social_fans rows returned 409 with the shared handler's feedback field preserved verbatim:

{
  "status": "error",
  "error": "No fans found for this artist",
  "feedback": "No social_fans records found for <artist>. Before creating segments, you need social_fans data. Follow these steps:\n1. Call 'scrape_instagram_profile' ...\n2. Call 'scrape_instagram_comments' ...\n3. Wait for the scraping jobs to complete ...\n4. Call 'create_segments' again once social_fans records are populated\nNote: Scraping jobs may take several minutes to complete."
}

This confirms the thin route → postArtistSegmentsHandler → createSegments wiring is end-to-end and the MCP-parity feedback guidance reaches REST callers unchanged.

201 success path not exercised (would require an artist with populated social_fans); every error path in the PR's mapping table is verified.