fix(apps): prevent installation invalidation on app cron updates

[d-gubert]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

ARCH-1818

Summary by CodeRabbit

• Bug Fixes

  • Prevents apps from incorrectly switching to a disabled state after installation in certain cases.
  • Improves reliability of marketplace info updates and signature handling for installed apps.
  • Reduces disruption by preserving scheduled jobs during invalid license handling.

• Chores

  • Updated core app engine and platform dependencies to the latest patch versions for stability and compatibility.

[changeset-bot]

🦋 Changeset detected

Latest commit: 4564a22

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 42 packages

Name	Type
@rocket.chat/apps-engine	Patch
@rocket.chat/meteor	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/freeswitch	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/stream-hub-service	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/license	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/models	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[coderabbitai]

Walkthrough

Implements signed marketplace info updates in AppManager using partial storage updates and preserves scheduled jobs during license purge. Updates test utilities, storage test stubs, and multiple specs to use IAppStorageItem shape and new storage APIs. Adds a changeset patching dependencies and noting a bug fix.

Changes

Cohort / File(s)	Summary
Core AppManager logic packages/apps-engine/src/server/AppManager.ts	UpdateAppsMarketplaceInfo now signs updated marketplace items and persists via updatePartialAndReturnDocument; error catch made explicit; license purge updated to keepScheduledJobs: true.
Specs adjusted for storage shape and signing flow packages/apps-engine/tests/server/AppManager.spec.ts, packages/apps-engine/tests/server/managers/AppApiManager.spec.ts, packages/apps-engine/tests/server/managers/AppSlashCommand.spec.ts, packages/apps-engine/tests/server/managers/AppSlashCommandManager.spec.ts, packages/apps-engine/tests/server/managers/AppVideoConfProviderManager.spec.ts	Tests now construct mock apps via IAppStorageItem (info: { id, name }); add coverage for skip/update/sign paths in updateAppsMarketplaceInfo; import IAppStorageItem where needed.
Test storage API updates packages/apps-engine/tests/test-data/storage/storage.ts	Replace update() with granular methods: updatePartialAndReturnDocument, updateStatus, updateSetting, updateAppInfo, updateMarketplaceInfo; add type-only imports; stub implementations.
Test data utilities packages/apps-engine/tests/test-data/utilities.ts	Refactor getMockApp to accept Partial; add generators: getMarketplaceSubscriptionInfo, getMarketplaceInfo, getAppStorageItem, getAppsOverview; align lookups with storageItem.info.
Changeset .changeset/rotten-jars-occur.md	Declares dependency patches and notes bug fix preventing invalid_installation_disabled in some cases.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Scheduler as Scheduler/Update Trigger
  participant AppManager
  participant Storage as App Storage
  participant Signer as Signature Service

  Scheduler->>AppManager: updateAppsMarketplaceInfo(appsOverview)
  loop For each app with subscription changes
    AppManager->>Signer: sign(updatedMarketplaceItem)
    Signer-->>AppManager: signature
    AppManager->>Storage: updatePartialAndReturnDocument({ _id, marketplaceInfo, signature })
    Storage-->>AppManager: updatedDocument
  end
  Note over AppManager: If license invalid -> purgeAppConfig({ keepScheduledJobs: true })
  AppManager-->>Scheduler: done

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix(apps): prevent unwanted changes to app status #36990: Switches storage updates to partial update APIs and adjusts AppManager call sites, matching this PR’s storage API usage.

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

• ggazzo

Poem

I hop through code with careful paws,
Signing wares and minding laws.
Partial updates, tidy and neat,
Scheduled jobs kept on their feet.
With specs aligned, I twitch my ear—
Bug burrowed out, the path is clear. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title clearly indicates a bug fix in the apps domain and succinctly summarizes the core change of preventing installation invalidation during cron-driven updates, which aligns with the modifications to preserve scheduled jobs and update signatures in AppManager.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/apps-marketplace-info-update

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[d-gubert]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/apps-engine/src/server/AppManager.ts (1)

886-915: Empty catch silently swallows all errors from marketplace info updates.

The empty catch block at line 915 suppresses all errors from the updateAppsMarketplaceInfo call, including:

• Database update failures (line 909-913)
• Signature generation failures (line 907)
• License validation failures (lines 922-939)

This could hide critical issues and make debugging difficult. Consider at minimum logging errors or failing fast for critical failures.

Apply this diff to add error logging:

 		).catch(() => {});
+		).catch((error) => {
+			console.error('Failed to update apps marketplace info:', error);
+		});

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 287f302 and 3df1ea2.

📒 Files selected for processing (9)

• .changeset/rotten-jars-occur.md (1 hunks)
• packages/apps-engine/src/server/AppManager.ts (2 hunks)
• packages/apps-engine/tests/server/AppManager.spec.ts (3 hunks)
• packages/apps-engine/tests/server/managers/AppApiManager.spec.ts (2 hunks)
• packages/apps-engine/tests/server/managers/AppSlashCommand.spec.ts (2 hunks)
• packages/apps-engine/tests/server/managers/AppSlashCommandManager.spec.ts (2 hunks)
• packages/apps-engine/tests/server/managers/AppVideoConfProviderManager.spec.ts (2 hunks)
• packages/apps-engine/tests/test-data/storage/storage.ts (2 hunks)
• packages/apps-engine/tests/test-data/utilities.ts (3 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-09-30T13:00:05.465Z

Learnt from: d-gubert
PR: RocketChat/Rocket.Chat#36990
File: apps/meteor/ee/server/apps/storage/AppRealStorage.ts:55-58
Timestamp: 2025-09-30T13:00:05.465Z
Learning: In AppRealStorage (apps/meteor/ee/server/apps/storage/AppRealStorage.ts), the `remove` method is designed to be idempotent and returns `{ success: true }` unconditionally because the goal is to ensure the app is removed, not to distinguish whether this specific call performed the deletion. Database errors will throw exceptions.

Applied to files:

• packages/apps-engine/tests/test-data/storage/storage.ts

📚 Learning: 2025-09-16T22:08:51.490Z

Learnt from: CR
PR: RocketChat/Rocket.Chat#0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-09-16T22:08:51.490Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Utilize Playwright fixtures (test, page, expect) consistently

Applied to files:

• packages/apps-engine/tests/server/AppManager.spec.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: Builds matrix rust bindings against alpine
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🔇 Additional comments (11)

packages/apps-engine/tests/server/managers/AppApiManager.spec.ts (1)

19-19: LGTM! Test scaffolding updated to use IAppStorageItem shape.

The mock app construction now correctly uses the nested info: { id, name } structure, aligning with the IAppStorageItem interface.

Also applies to: 41-41

packages/apps-engine/tests/server/managers/AppSlashCommand.spec.ts (1)

3-3: LGTM! Consistent with IAppStorageItem adoption.

Also applies to: 15-15

packages/apps-engine/tests/server/managers/AppVideoConfProviderManager.spec.ts (1)

11-11: LGTM! Test updated to use IAppStorageItem shape.

Also applies to: 31-31

packages/apps-engine/tests/server/managers/AppSlashCommandManager.spec.ts (1)

20-20: LGTM! Consistent test scaffolding update.

Also applies to: 42-42

packages/apps-engine/src/server/AppManager.ts (1)

936-936: Verify that preserving scheduled jobs on invalid license is intentional.

The addition of keepScheduledJobs: true changes the cleanup behavior for apps with invalid licenses. Previously, scheduled jobs were removed when an app's license became invalid. Now they're preserved.

Ensure this aligns with the intended behavior and doesn't cause issues with:

• Disabled apps continuing to execute scheduled jobs
• Scheduled jobs running without valid licensing
• Resource cleanup expectations

If this behavior is correct, consider adding a comment explaining why scheduled jobs should be preserved even when the license is invalid.

packages/apps-engine/tests/server/AppManager.spec.ts (1)

1-1: LGTM! Excellent test coverage for marketplace info updates.

The four new test methods comprehensively cover:

• Skipping apps without subscription info
• Skipping apps not in manager
• Skipping apps with same license
• Updating subscription and signing app

The tests properly use spies to verify the expected behavior and follow good testing practices.

Also applies to: 17-17, 125-261

packages/apps-engine/tests/test-data/utilities.ts (4)

547-555: LGTM! getMockApp updated to support IAppStorageItem shape.

The refactored signature now accepts Partial<IAppStorageItem> and extracts id/name from the nested info field with sensible defaults.

---

575-601: LGTM! Comprehensive marketplace info test data generator.

---

603-630: LGTM! Complete storage item test data generator.

Provides all required fields with sensible defaults, making test setup easier.

---

632-640: LGTM! Helper for apps overview test data.

packages/apps-engine/tests/test-data/storage/storage.ts (1)

1-4: LGTM!

The type-only imports are correctly added to support the new method signatures.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.67%. Comparing base (08b2d4f) to head (4564a22).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #37152   +/-   ##
========================================
  Coverage    67.66%   67.67%           
========================================
  Files         3342     3342           
  Lines       114030   114041   +11     
  Branches     20678    20680    +2     
========================================
+ Hits         77157    77173   +16     
+ Misses       34195    34188    -7     
- Partials      2678     2680    +2     

Flag	Coverage Δ
e2e	57.32% <ø> (-0.01%)	⬇️
unit	71.65% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.