src/Appwrite/Platform/Modules/Teams/Http/Teams/Name/Update.php (1)

67-71: Redundant setAttribute calls can be removed.

Lines 67-69 modify $team, but those mutations are never used—line 71 creates a fresh sparse Document with the same values and reassigns the result back to $team. The setAttribute calls are now dead code.

♻️ Proposed fix to remove redundant code

-        $team
-            ->setAttribute('name', $name)
-            ->setAttribute('search', implode(' ', [$teamId, $name]));
-
         $team = $dbForProject->updateDocument('teams', $team->getId(), new Document(['name' => $name, 'search' => implode(' ', [$teamId, $name])]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Teams/Http/Teams/Name/Update.php` around lines
67 - 71, Remove the redundant mutations: delete the $team->setAttribute('name',
$name) and $team->setAttribute('search', ...) calls since they are not used
before $team is reassigned by dbForProject->updateDocument; keep the update call
that creates the new sparse Document (new Document(['name' => $name, 'search' =>
implode(' ', [$teamId, $name])])) and assign its result back to $team, ensuring
only the updateDocument invocation and Document construction remain.

src/Appwrite/Platform/Modules/Functions/Http/Variables/Update.php (1)

103-108: Build each sparse patch once and reuse it.

These blocks duplicate the updated field list in two places: first via setAttribute(...), then again in new Document([...]). That makes future edits easy to miss in one path and can desync the in-memory response object from the persisted payload. A small $variablePatch / $schedulePatch array reused for both steps would keep them aligned.

♻️ Example refactor

-        $variable
-            ->setAttribute('key', $key)
-            ->setAttribute('value', $value ?? $variable->getAttribute('value'))
-            ->setAttribute('secret', $secret ?? $variable->getAttribute('secret'))
-            ->setAttribute('search', implode(' ', [$variableId, $function->getId(), $key, 'function']));
+        $variablePatch = [
+            'key' => $key,
+            'value' => $value ?? $variable->getAttribute('value'),
+            'secret' => $secret ?? $variable->getAttribute('secret'),
+            'search' => implode(' ', [$variableId, $function->getId(), $key, 'function']),
+        ];
+
+        foreach ($variablePatch as $attribute => $patchValue) {
+            $variable->setAttribute($attribute, $patchValue);
+        }

         try {
-            $dbForProject->updateDocument('variables', $variable->getId(), new Document([
-                'key' => $key,
-                'value' => $value ?? $variable->getAttribute('value'),
-                'secret' => $secret ?? $variable->getAttribute('secret'),
-                'search' => implode(' ', [$variableId, $function->getId(), $key, 'function']),
-            ]));
+            $dbForProject->updateDocument('variables', $variable->getId(), new Document($variablePatch));
         } catch (DuplicateException $th) {
             throw new Exception(Exception::VARIABLE_ALREADY_EXISTS);
         }

Apply the same pattern to the schedule update block.

Also applies to: 122-126

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Functions/Http/Variables/Update.php` around
lines 103 - 108, The variable update duplicates the fields in setAttribute(...)
and in the new Document([...]) passed to $dbForProject->updateDocument; create a
single associative array (e.g. $variablePatch) containing 'key', 'value',
'secret', and 'search' (constructed the same way as currently done with
$variableId, $function->getId(), $key, 'function'), then pass that array to new
Document($variablePatch) for the DB update and call $variable->setAttribute(...)
with the same $variablePatch values so both in-memory and persisted
representations come from the same source; apply the same pattern for the
schedule update block (use $schedulePatch) to avoid duplication and keep them in
sync.

src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Update.php (1)

150-154: Minor: DateTime::now() called twice may produce slightly different timestamps.

Line 152 sets mfaUpdatedAt to DateTime::now(), but line 154 creates another new Document with a fresh DateTime::now() call. While typically negligible (same second), consider reusing the value for consistency:

♻️ Suggested improvement

+        $mfaUpdatedAt = DateTime::now();
         $session
             ->setAttribute('factors', $factors)
-            ->setAttribute('mfaUpdatedAt', DateTime::now());
+            ->setAttribute('mfaUpdatedAt', $mfaUpdatedAt);

-        $dbForProject->updateDocument('sessions', $session->getId(), new Document(['factors' => $factors, 'mfaUpdatedAt' => DateTime::now()]));
+        $dbForProject->updateDocument('sessions', $session->getId(), new Document(['factors' => $factors, 'mfaUpdatedAt' => $mfaUpdatedAt]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Account/Http/Account/MFA/Challenges/Update.php`
around lines 150 - 154, The code calls DateTime::now() twice causing potential
minor timestamp drift; capture the current timestamp once into a variable (e.g.
$now) and reuse it for both $session->setAttribute('mfaUpdatedAt', ...) and the
new Document(['mfaUpdatedAt' => ...]) used in $dbForProject->updateDocument to
ensure the session attribute and stored document share the identical timestamp;
update references to DateTime::now() in the Account MFA update block accordingly
(affecting $session, setAttribute, and the Document passed to updateDocument).

AGENTS.md (1)

54-78: Add an exception for atomic/read-modify-write updates.

Sparse documents are a good perf optimization, but they do not make counters or append-style array updates concurrency-safe. Without that caveat, this guidance is likely to be copied into places where concurrent requests can still drop writes.

📝 Suggested doc tweak

 **Exceptions:**
+- Read/modify/write updates on counters or append-style arrays. Prefer atomic helpers
+  (for example `increaseDocumentAttribute()`) or another concurrency-safe pattern.
 - Migration files (need full document updates by design)
 - Cases already using `array_merge()` with `getArrayCopy()`
 - Updates with 6+ attributes changing simultaneously (marginal benefit)
 - Complex nested relationship logic where full document state is required

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@AGENTS.md` around lines 54 - 78, Add an exception to the guidance that sparse
Document updates are not appropriate for atomic/read-modify-write operations
(e.g., counters or append-style array updates) where concurrency-safety is
required; reference updateDocument(), Document, array_merge(), and
getArrayCopy() and state that in these cases callers should use DB-provided
atomic operations or a full-document update/locking strategy instead of a sparse
Document to ensure correctness under concurrent requests.

src/Appwrite/Platform/Modules/Functions/Http/Functions/Delete.php (1)

93-96: ⚠️ Potential issue | 🔴 Critical

Add the missing Utopia\Database\Document import.

Line 93 instantiates new Document([...]), but this file never imports Utopia\Database\Document. In PHP that resolves to the current namespace, so deleting a function with a schedule will fatal at runtime instead of updating the schedule.

🐛 Proposed fix

 use Appwrite\Utopia\Response;
 use Utopia\Database\Database;
 use Utopia\Database\DateTime;
+use Utopia\Database\Document;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\UID;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Functions/Http/Functions/Delete.php` around
lines 93 - 96, The code instantiates new Document(...) within Delete.php (see
the call to $dbForPlatform->updateDocument and the new Document([...])
expression) but lacks the Utopia\Database\Document import; add a "use
Utopia\Database\Document;" import at the top of the file so new Document
resolves to the correct class and the schedule update won’t fatal at runtime.

src/Appwrite/Platform/Workers/Migrations.php (1)

574-578: ⚠️ Potential issue | 🟠 Major

Use updateMigrationDocument() in the export-limit failure path.

Line 576 writes errors straight to the database, which skips the Realtime update and leaves the in-memory $migration stale. Clients can miss this failure after already seeing the earlier completed event.

🔧 Proposed fix

                 $errors = $migration->getAttribute('errors', []);
                 $errors[] = json_encode(['code' => 0, 'message' => $message]);
-                $this->dbForProject->updateDocument('migrations', $migration->getId(), new Document([
-                    'errors' => $errors,
-                ]));
+                $migration->setAttribute('errors', $errors);
+                $this->updateMigrationDocument($migration, $project, $queueForRealtime);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Workers/Migrations.php` around lines 574 - 578, The
migration failure branch currently writes errors directly with
$this->dbForProject->updateDocument('migrations', $migration->getId(), ...)
which bypasses the centralized update path and leaves the in-memory $migration
and Realtime listeners stale; replace that direct update with a call to the
existing updateMigrationDocument(...) helper (passing the migration id and the
updated 'errors' payload or merging via getAttribute('errors', []) then adding
the new JSON error) so the document is updated through the proper flow and
triggers Realtime/in-memory sync.

src/Appwrite/Platform/Modules/Functions/Http/Executions/Delete.php (1)

122-125: ⚠️ Potential issue | 🔴 Critical

Add the missing Document import.

Line 122 instantiates new Document(...), but Utopia\Database\Document is not imported in this file, so this branch will fail at runtime.

🔧 Proposed fix

 use Utopia\Database\Database;
 use Utopia\Database\DateTime;
+use Utopia\Database\Document;
 use Utopia\Database\Query;

#!/bin/bash
set -euo pipefail

file="src/Appwrite/Platform/Modules/Functions/Http/Executions/Delete.php"

echo "=== Imports ==="
sed -n '1,20p' "$file"

echo
echo "=== Document instantiations ==="
rg -n '\bnew Document\s*\(' "$file"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Functions/Http/Executions/Delete.php` around
lines 122 - 125, The file instantiates new Document in the $authorization->skip
callback passed to $dbForPlatform->updateDocument but never imports
Utopia\Database\Document; add a use statement importing Utopia\Database\Document
at the top of the file so the new Document([...]) call resolves. Locate the
instantiation in the Delete class where $authorization->skip(fn () =>
$dbForPlatform->updateDocument('schedules', $schedule->getId(), new
Document([...]))); and add the corresponding use Utopia\Database\Document;
import alongside the other imports.

src/Appwrite/Platform/Modules/Functions/Http/Deployments/Duplicate/Create.php (1)

122-127: ⚠️ Potential issue | 🔴 Critical

Missing Document import will cause fatal error.

The code uses new Document([...]) but Utopia\Database\Document is not imported. This will cause a runtime error.

🐛 Proposed fix: Add missing import

Add to the imports section (around line 12):

 use Utopia\Database\Database;
+use Utopia\Database\Document;
 use Utopia\Database\Helpers\ID;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/Appwrite/Platform/Modules/Functions/Http/Deployments/Duplicate/Create.php`
around lines 122 - 127, The file is instantiating Utopia\Database\Document via
new Document(...) but the class isn't imported, causing a fatal error; add a use
statement for Utopia\Database\Document in the imports block at the top of
Create.php so the Document symbol resolves (the code paths using updateDocument
in the Create class and the new Document([...]) call will then work).

src/Appwrite/Platform/Modules/Projects/Http/Projects/Labels/Update.php (1)

81-84: Redundant setAttribute call.

Line 82 modifies $project, but line 84 immediately reassigns $project to the return value of updateDocument(). Since the sparse Document already contains the labels field, the setAttribute() call has no effect on the final outcome and can be removed.

♻️ Proposed fix

         $labels = (array) \array_values(\array_unique($labels));
-        $project->setAttribute('labels', $labels);

         $project = $dbForPlatform->updateDocument('projects', $project->getId(), new Document(['labels' => $labels]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Projects/Http/Projects/Labels/Update.php`
around lines 81 - 84, The call to $project->setAttribute('labels', $labels) is
redundant because $project is immediately overwritten by the result of
$dbForPlatform->updateDocument('projects', $project->getId(), new
Document(['labels' => $labels])); remove the $project->setAttribute('labels',
$labels) line to avoid dead mutation and rely on updateDocument(...) with the
sparse Document(['labels' => $labels]) to persist the change.

src/Appwrite/Platform/Modules/Projects/Http/Projects/Team/Update.php (2)

89-108: Remove dead setAttribute calls from loops.

Lines 90, 98, and 106 modify local variables that are never used afterward—the sparse Documents passed to updateDocument() already contain the updated values. Remove these dead lines.

♻️ Proposed fix

         $installations = $dbForPlatform->find('installations', [
             Query::equal('projectInternalId', [$project->getSequence()]),
         ]);
         foreach ($installations as $installation) {
-            $installation->setAttribute('$permissions', $permissions);
             $dbForPlatform->updateDocument('installations', $installation->getId(), new Document(['$permissions' => $permissions]));
         }

         $repositories = $dbForPlatform->find('repositories', [
             Query::equal('projectInternalId', [$project->getSequence()]),
         ]);
         foreach ($repositories as $repository) {
-            $repository->setAttribute('$permissions', $permissions);
             $dbForPlatform->updateDocument('repositories', $repository->getId(), new Document(['$permissions' => $permissions]));
         }

         $vcsComments = $dbForPlatform->find('vcsComments', [
             Query::equal('projectInternalId', [$project->getSequence()]),
         ]);
         foreach ($vcsComments as $vcsComment) {
-            $vcsComment->setAttribute('$permissions', $permissions);
             $dbForPlatform->updateDocument('vcsComments', $vcsComment->getId(), new Document(['$permissions' => $permissions]));
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Projects/Http/Projects/Team/Update.php` around
lines 89 - 108, Remove the dead local mutations by deleting the calls to
setAttribute(...) inside the three loops that iterate $installations,
$repositories, and $vcsComments; the calls to
updateDocument('installations'|'repositories'|'vcsComments', ..., new
Document(['$permissions' => $permissions])) already persist the change so remove
the unused $installation->setAttribute('$permissions', $permissions),
$repository->setAttribute('$permissions', $permissions), and
$vcsComment->setAttribute('$permissions', $permissions) lines to avoid needless
local updates.

---

76-84: Remove dead code from old update pattern.

The setAttribute calls on lines 76-79 are now dead code since $project is immediately overwritten by the return value of updateDocument(). These lines should be removed for clarity.

♻️ Proposed fix

         $permissions = $this->getPermissions($teamId, $projectId);

-        $project
-            ->setAttribute('teamId', $teamId)
-            ->setAttribute('teamInternalId', $team->getSequence())
-            ->setAttribute('$permissions', $permissions);
         $project = $dbForPlatform->updateDocument('projects', $project->getId(), new Document([
             'teamId' => $teamId,
             'teamInternalId' => $team->getSequence(),
             '$permissions' => $permissions,
         ]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Projects/Http/Projects/Team/Update.php` around
lines 76 - 84, The three setAttribute calls on $project (setAttribute('teamId',
...), setAttribute('teamInternalId', ...), setAttribute('$permissions', ...))
are dead because $project is immediately reassigned by
$dbForPlatform->updateDocument(...); remove these redundant setAttribute lines
and rely on the updateDocument call that constructs the new Document({ 'teamId'
=> ..., 'teamInternalId' => ..., '$permissions' => ... }) to apply the changes.

src/Appwrite/Platform/Tasks/Interval.php (1)

162-164: Remove the redundant $execution mutations here.

Line 164 already writes the sparse payload, so the setAttribute() calls on Lines 162-163 no longer affect persistence and just keep part of the old full-document work around.

♻️ Proposed cleanup

                     foreach ($staleExecutions as $execution) {
-                        $execution->setAttribute('status', 'failed');
-                        $execution->setAttribute('errors', 'Execution timed out');
-                        $dbForProject->updateDocument('executions', $execution->getId(), new Document(['status' => 'failed', 'errors' => 'Execution timed out']));
+                        $dbForProject->updateDocument(
+                            'executions',
+                            $execution->getId(),
+                            new Document([
+                                'status' => 'failed',
+                                'errors' => 'Execution timed out',
+                            ])
+                        );
                     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Tasks/Interval.php` around lines 162 - 164, Remove the
redundant in-memory mutations on $execution: delete the two calls to
$execution->setAttribute('status', 'failed') and
$execution->setAttribute('errors', 'Execution timed out') and keep the single
sparse-patch persistence call $dbForProject->updateDocument('executions',
$execution->getId(), new Document(['status' => 'failed', 'errors' => 'Execution
timed out'])); so only the updateDocument persists the failure state.

src/Appwrite/Platform/Modules/VCS/Http/GitHub/Authorize/External/Update.php (1)

100-103: Remove the leftover full-document mutation.

Line 101 is redundant now that Line 103 persists providerPullRequestIds via a sparse Document and returns the updated repository. Dropping the intermediate setAttribute() keeps this path fully aligned with the optimization pattern introduced by the PR.

♻️ Suggested cleanup

 $providerPullRequestIds = \array_unique(\array_merge($repository->getAttribute('providerPullRequestIds', []), [$providerPullRequestId]));
-$repository = $repository->setAttribute('providerPullRequestIds', $providerPullRequestIds);
-
 $repository = $authorization->skip(fn () => $dbForPlatform->updateDocument('repositories', $repository->getId(), new Document(['providerPullRequestIds' => $providerPullRequestIds])));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/VCS/Http/GitHub/Authorize/External/Update.php`
around lines 100 - 103, The intermediate full-document mutation using
$repository->setAttribute('providerPullRequestIds', $providerPullRequestIds) is
redundant because $authorization->skip(fn () =>
$dbForPlatform->updateDocument('repositories', $repository->getId(), new
Document(['providerPullRequestIds' => $providerPullRequestIds]))) already
persists and returns the updated repository; remove the $repository =
$repository->setAttribute(...) line and keep only the array_unique merge into
$providerPullRequestIds and the authorization->skip updateDocument call
(preserving $providerPullRequestIds, $repository->getId(), Document).

src/Appwrite/Platform/Workers/Webhooks.php (1)

190-193: Redundant local modification on line 190.

The $webhook->setAttribute('attempts', 0) call is now unnecessary since the sparse Document already contains the hardcoded value 'attempts' => 0, and the local $webhook object's attempts attribute is never read after this point.

♻️ Suggested cleanup

         } else {
-            $webhook->setAttribute('attempts', 0); // Reset attempts on success
             $dbForPlatform->updateDocument('webhooks', $webhook->getId(), new Document([
                 'attempts' => 0,
             ]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Workers/Webhooks.php` around lines 190 - 193, Remove
the redundant local modification: delete the call to
$webhook->setAttribute('attempts', 0) since you already persist attempts => 0
via $dbForPlatform->updateDocument('webhooks', $webhook->getId(), new
Document(['attempts' => 0])), and the $webhook object's attempts attribute is
not used after this point; leave the updateDocument call intact and ensure no
subsequent code expects the local $webhook to reflect the change.

src/Appwrite/Platform/Modules/Functions/Http/Functions/Delete.php (1)

93-96: ⚠️ Potential issue | 🔴 Critical

Import Utopia\Database\Document before using new Document(...).

Line 93 introduces new Document([...]), but this file does not import Utopia\Database\Document. In this namespace, PHP will resolve Document to Appwrite\Platform\Modules\Functions\Http\Functions\Document, which will fail at runtime.

🐛 Proposed fix

 use Utopia\Database\Database;
 use Utopia\Database\DateTime;
+use Utopia\Database\Document;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\UID;

#!/bin/bash
set -euo pipefail

file="src/Appwrite/Platform/Modules/Functions/Http/Functions/Delete.php"

echo "== Imports =="
sed -n '1,20p' "$file"

echo
echo "== Document instantiation =="
rg -n 'new Document\(' "$file"

echo
echo "== Document import =="
rg -n '^use Utopia\\Database\\Document;' "$file" || true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Functions/Http/Functions/Delete.php` around
lines 93 - 96, The code instantiates new Document(...) without importing it,
causing PHP to resolve it to the current namespace; fix by importing
Utopia\Database\Document at the top of the file (add use
Utopia\Database\Document;) or alternatively fully-qualify the instantiation as
new \Utopia\Database\Document([...]) where $authorization->skip(...) calls
$dbForPlatform->updateDocument('schedules', $schedule->getId(), new
Document([...])) so the correct class is used.

src/Appwrite/Platform/Modules/Functions/Http/Deployments/Duplicate/Create.php (1)

122-127: ⚠️ Potential issue | 🔴 Critical

Import Utopia\Database\Document before this sparse update.

Line 122 instantiates new Document(...), but this file does not import the database Document class. In this namespace, that resolves to a non-existent class and will fatal the duplicate-deployment flow.

🐛 Proposed fix

 use Appwrite\SDK\Response as SDKResponse;
 use Appwrite\Utopia\Response;
 use Utopia\Database\Database;
+use Utopia\Database\Document;
 use Utopia\Database\Helpers\ID;
 use Utopia\Database\Validator\UID;

#!/bin/bash
set -euo pipefail

file="src/Appwrite/Platform/Modules/Functions/Http/Deployments/Duplicate/Create.php"

echo "=== Imports ==="
sed -n '1,18p' "$file"

echo
echo "=== Document instantiations ==="
rg -n 'new Document' "$file"

Expected result: new Document(...) is present, but use Utopia\Database\Document; is missing from the imports.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/Appwrite/Platform/Modules/Functions/Http/Deployments/Duplicate/Create.php`
around lines 122 - 127, The code instantiates new Document(...) in the Duplicate
deployment flow (see the new Document(...) call in the Create class), but the
Utopia\Database\Document class is not imported; add the import statement "use
Utopia\Database\Document;" to the top of the file's imports so the new
Document(...) resolves to the correct database Document class and the
duplicate-deployment flow no longer fatals.

app/controllers/api/account.php (2)

4521-4525: ⚠️ Potential issue | 🟠 Major

Don't write expired back unless this request changes it.

createPushTarget() does not initialize expired, so this sparse update can still persist null when the request only refreshes the identifier/name.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/account.php` around lines 4521 - 4525, The update is
overwriting the target.expired field even when the request didn't supply it
(createPushTarget leaves expired unset), so change the code around
updateDocument('targets', ...) to build the Document payload conditionally:
include 'expired' only if the incoming request explicitly provides/changes the
expired value (e.g. check the request for an 'expired' parameter or compare the
requested expired value to $target->getAttribute('expired') before adding it),
otherwise omit 'expired' from the Document so null is not persisted
unintentionally.

---

291-294: ⚠️ Potential issue | 🟠 Major

Only persist the verification flag that actually changed.

This still writes both verification fields back. In flows where the other attribute was never initialized, the sparse update can write null and either fail validation or alter the stored shape unexpectedly.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/account.php` around lines 291 - 294, Only send the
verification field(s) that actually changed to updateDocument: before calling
$dbForProject->updateDocument('users', $user->getId(), new Document(...)) build
an $updates array and conditionally add 'emailVerification' and/or
'phoneVerification' only when their value changed on $user (compare current
value to the original/previous value or use the model's dirty/changed API), then
call updateDocument with new Document($updates) so you never write an unmodified
field back as null or into the stored shape.

src/Appwrite/Platform/Tasks/Interval.php (1)

161-164: Remove the redundant setAttribute() calls.

updateDocument() now receives a sparse Document, so Lines 162-163 mutate the full $execution without affecting the write payload. Dropping those mutations keeps this path aligned with the optimization this PR is introducing.

♻️ Proposed cleanup

                     foreach ($staleExecutions as $execution) {
-                        $execution->setAttribute('status', 'failed');
-                        $execution->setAttribute('errors', 'Execution timed out');
-                        $dbForProject->updateDocument('executions', $execution->getId(), new Document(['status' => 'failed', 'errors' => 'Execution timed out']));
+                        $dbForProject->updateDocument(
+                            'executions',
+                            $execution->getId(),
+                            new Document([
+                                'status' => 'failed',
+                                'errors' => 'Execution timed out',
+                            ])
+                        );
                     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Tasks/Interval.php` around lines 161 - 164, Remove the
redundant mutations to the in-memory execution before persisting: in the foreach
over $staleExecutions in Interval.php, delete the two calls
$execution->setAttribute('status', 'failed') and
$execution->setAttribute('errors', 'Execution timed out') and rely solely on the
sparse Document passed to $dbForProject->updateDocument('executions',
$execution->getId(), new Document(['status' => 'failed', 'errors' => 'Execution
timed out'])); this keeps the optimization consistent and avoids mutating the
full $execution object.

src/Appwrite/Platform/Modules/Functions/Workers/Builds.php (1)

280-289: Redundant setAttribute calls before sparse document update.

Lines 280-281 set attributes on $deployment, but the variable is immediately reassigned to the updateDocument result (line 282). These setAttribute calls have no effect since the sparse Document already contains the same values. Consider removing them for clarity:

-        $deployment->setAttribute('buildStartedAt', $startTime);
-        $deployment->setAttribute('status', 'processing');
         $deployment = $dbForProject->updateDocument('deployments', $deployment->getId(), new Document([
             'buildStartedAt' => $startTime,
             'status' => 'processing',
         ]));

This pattern repeats throughout the file (lines 368-376, 485-496, 540-548, 562-565, 881-898 with 929-936, 948-955, 1193-1203). The sparse document approach is correct, but the preceding setAttribute calls are now dead code.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Functions/Workers/Builds.php` around lines 280
- 289, Remove the redundant in-memory attribute assignments before sparse
updates: any calls to $deployment->setAttribute(...) (e.g., the two calls before
$dbForProject->updateDocument('deployments', $deployment->getId(), new
Document([...])) ) should be deleted because updateDocument returns a new
Document and the setAttribute has no effect; keep the sparse Document payload
passed to updateDocument (new Document([...])) and similarly remove preceding
setAttribute calls in the other locations mentioned (the blocks around lines
with $deployment updates and the related $resource->updateDocument calls) so
only the sparse update is performed and the returned Document is used.

app/controllers/api/users.php (1)

1791-1797: Consider building the sparse document with only actually changed fields.

The current implementation always includes all five fields (identifier, expired, providerId, providerInternalId, name) in the update, even when only a subset changed. Since the PR aims to optimize updates by passing only changed attributes, consider conditionally building the sparse document:

♻️ Suggested refactor

-        $target = $dbForProject->updateDocument('targets', $target->getId(), new Document([
-            'identifier' => $target->getAttribute('identifier'),
-            'expired' => $target->getAttribute('expired'),
-            'providerId' => $target->getAttribute('providerId'),
-            'providerInternalId' => $target->getAttribute('providerInternalId'),
-            'name' => $target->getAttribute('name'),
-        ]));
+        $updatePayload = [];
+        if ($identifier) {
+            $updatePayload['identifier'] = $target->getAttribute('identifier');
+            $updatePayload['expired'] = $target->getAttribute('expired');
+        }
+        if ($providerId) {
+            $updatePayload['providerId'] = $target->getAttribute('providerId');
+            $updatePayload['providerInternalId'] = $target->getAttribute('providerInternalId');
+        }
+        if ($name) {
+            $updatePayload['name'] = $target->getAttribute('name');
+        }
+        $target = $dbForProject->updateDocument('targets', $target->getId(), new Document($updatePayload));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/users.php` around lines 1791 - 1797, The update currently
always passes all five fields to updateDocument('targets', $target->getId(), new
Document(...)) even when some didn't change; change this to build a sparse
$payload array containing only attributes that actually changed (e.g. compare
$target->getAttribute('identifier') etc. against the original values via a
getOriginalAttribute/getOriginal* helper or a $target->getChangedAttributes()
list), only add changed keys to $payload, and if $payload is non-empty call
$dbForProject->updateDocument('targets', $target->getId(), new
Document($payload)); if there are no changes skip the updateDocument call.
Ensure you reference the existing symbols updateDocument, 'targets',
$target->getId(), and getAttribute/getOriginalAttribute (or
getChangedAttributes) when making the change.

src/Appwrite/Platform/Modules/Functions/Http/Functions/Create.php (1)

286-291: ⚠️ Potential issue | 🔴 Critical

Don't overwrite $function with the sparse update result.

updateDocument() returns a Document, and the adapter contract plus the MariaDB implementation show it returns the document passed in rather than a reloaded merged row. Reassigning here truncates $function to just these four fields, so later reads like Line 314 and the final payload at Line 429 can lose attributes unexpectedly. (raw.githubusercontent.com)

Suggested fix

-        $function = $dbForProject->updateDocument('functions', $function->getId(), new Document([
+        $dbForProject->updateDocument('functions', $function->getId(), new Document([
             'scheduleId' => $function->getAttribute('scheduleId'),
             'scheduleInternalId' => $function->getAttribute('scheduleInternalId'),
             'repositoryId' => $function->getAttribute('repositoryId'),
             'repositoryInternalId' => $function->getAttribute('repositoryInternalId'),
         ]));

In utopia-php/database, does Adapter::updateDocument return the passed Document, and does the MariaDB adapter return that sparse input document instead of refetching the merged row?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Functions/Http/Functions/Create.php` around
lines 286 - 291, The current code reassigns $function with the sparse Document
returned by $dbForProject->updateDocument(...), which truncates attributes;
instead do not overwrite $function—store the update result in a new variable
(e.g. $updatedDocument) or, better, after calling updateDocument, reload the
full row using the DB read method (e.g. getDocument/readDocument by passing
$function->getId()) and use that fresh full Document for later reads; ensure
updateDocument is only used for the write and subsequent code (lines referencing
$function) uses the original $function or the freshly fetched full Document.

src/Appwrite/Platform/Modules/Functions/Http/Functions/Delete.php (1)

93-96: ⚠️ Potential issue | 🔴 Critical

Import Utopia\Database\Document before instantiating it.

Line 93 uses new Document([...]), but this file never imports Utopia\Database\Document, so PHP will resolve Document to the current namespace and this delete path will fatal at runtime.

🐛 Proposed fix

 use Utopia\Database\Database;
 use Utopia\Database\DateTime;
+use Utopia\Database\Document;
 use Utopia\Database\Validator\Authorization;

Run this read-only check to confirm the missing import. Expect the new Document( match to exist and the use match to be absent:

#!/bin/bash
file="src/Appwrite/Platform/Modules/Functions/Http/Functions/Delete.php"
sed -n '1,25p' "$file"
rg -n "new Document\\(" "$file"
rg -n "^use Utopia\\\\Database\\\\Document;" "$file"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Functions/Http/Functions/Delete.php` around
lines 93 - 96, The code instantiates new Document(...) in the Delete flow
($authorization->skip → $dbForPlatform->updateDocument) but doesn't import
Utopia\Database\Document, causing a fatal at runtime; fix by adding the missing
use statement for Utopia\Database\Document at the top of the file (so the new
Document([...]) in the Delete.php function resolves to the correct class).

app/controllers/api/account.php (2)

4521-4525: ⚠️ Potential issue | 🟠 Major

Don't write expired unless this request sets it.

createPushTarget() in this file doesn't initialize expired, so this sparse update can still send expired => null whenever the $identifier branch is skipped.

💡 Proposed fix

-        $target = $dbForProject->updateDocument('targets', $target->getId(), new Document([
-            'identifier' => $target->getAttribute('identifier'),
-            'expired' => $target->getAttribute('expired'),
-            'name' => $target->getAttribute('name'),
-        ]));
+        $updates = new Document([
+            'identifier' => $target->getAttribute('identifier'),
+            'name' => $target->getAttribute('name'),
+        ]);
+
+        if ($identifier) {
+            $updates->setAttribute('expired', false);
+        }
+
+        $target = $dbForProject->updateDocument('targets', $target->getId(), $updates);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/account.php` around lines 4521 - 4525, The update
currently always writes 'expired' (possibly null) in the sparse update called
via $dbForProject->updateDocument('targets', ...), which can overwrite an
existing value when createPushTarget() doesn't set it; change the payload
construction so 'expired' is only included when the incoming request actually
sets it (e.g., check the request param or verify
$target->hasAttribute('expired') / $target->getAttribute('expired') !== null
before adding 'expired' to the Document), leaving the field out of the Document
entirely when not provided.

---

291-294: ⚠️ Potential issue | 🟠 Major

Only persist the verification flag that actually changed.

Lines 291-294 always emit both verification fields. Several user-creation paths in this file never initialize phoneVerification, so this sparse update can write phoneVerification => null for email/magic-url logins.

💡 Proposed fix

     try {
-        $dbForProject->updateDocument('users', $user->getId(), new Document([
-            'emailVerification' => $user->getAttribute('emailVerification'),
-            'phoneVerification' => $user->getAttribute('phoneVerification'),
-        ]));
+        $updates = new Document([]);
+
+        if (\in_array($verifiedToken->getAttribute('type'), [TOKEN_TYPE_MAGIC_URL, TOKEN_TYPE_EMAIL], true)) {
+            $updates->setAttribute('emailVerification', true);
+        }
+
+        if ($verifiedToken->getAttribute('type') === TOKEN_TYPE_PHONE) {
+            $updates->setAttribute('phoneVerification', true);
+        }
+
+        if (!$updates->isEmpty()) {
+            $dbForProject->updateDocument('users', $user->getId(), $updates);
+        }
     } catch (\Throwable $th) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/account.php` around lines 291 - 294, The update currently
always writes both 'emailVerification' and 'phoneVerification' which can
overwrite phoneVerification with null; change the $dbForProject->updateDocument
call to build a sparse $data array only including keys that were actually
set/changed (e.g. check $user->hasAttribute or use !== null on
$user->getAttribute('phoneVerification') and same for email), then call
$dbForProject->updateDocument('users', $user->getId(), new Document($data)) only
when $data is not empty so you never persist an unset phoneVerification;
reference the existing updateDocument call, the 'users' collection, and the
$user->getAttribute('phoneVerification') / 'emailVerification' attributes when
implementing this conditional assembly.

app/controllers/api/users.php (1)

1495-1500: ⚠️ Potential issue | 🟠 Major

Keep the embedded target list in sync before returning $user.

These sparse target updates only change storage. $oldTarget inside $user->targets still carries the previous identifier, and the delete branches never remove it, so the response can return stale email/phone targets even when the patch succeeded.

Proposed fix

             if ($oldTarget instanceof Document && !$oldTarget->isEmpty()) {
                 if (\strlen($email) !== 0) {
+                    $oldTarget->setAttribute('identifier', $email);
                     $dbForProject->updateDocument('targets', $oldTarget->getId(), new Document(['identifier' => $email]));
                 } else {
                     $dbForProject->deleteDocument('targets', $oldTarget->getId());
+                    $user->setAttribute(
+                        'targets',
+                        array_values(array_filter(
+                            $user->getAttribute('targets', []),
+                            fn (Document $target) => $target->getId() !== $oldTarget->getId()
+                        ))
+                    );
                 }
             }

Mirror the same fix in the phone branch.

Also applies to: 1587-1592

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/users.php` around lines 1495 - 1500, The response can
return stale targets because after calling $dbForProject->updateDocument(...) or
->deleteDocument(...) you do not update the in-memory $user->targets collection;
locate the branches handling $oldTarget (the one that checks $oldTarget
instanceof Document and strlen($email) !== 0) and mirror the storage changes
into $user->targets: when updating, find the matching target object in
$user->targets (by id from $oldTarget->getId()) and update its identifier to
$email; when deleting, remove that target object from $user->targets. Apply the
same sync logic to the phone branch that uses the phone variable so both
identifier updates and deletions are reflected in $user->targets before
returning $user.

src/Appwrite/Platform/Tasks/Interval.php (1)

161-164: Remove the redundant full-document mutations.

Lines 162-163 still mutate $execution, but Line 164 persists a separate sparse Document. That leaves extra work in this loop and duplicates the source of truth for the same update.

♻️ Proposed cleanup

                     foreach ($staleExecutions as $execution) {
-                        $execution->setAttribute('status', 'failed');
-                        $execution->setAttribute('errors', 'Execution timed out');
-                        $dbForProject->updateDocument('executions', $execution->getId(), new Document(['status' => 'failed', 'errors' => 'Execution timed out']));
+                        $dbForProject->updateDocument(
+                            'executions',
+                            $execution->getId(),
+                            new Document([
+                                'status' => 'failed',
+                                'errors' => 'Execution timed out',
+                            ])
+                        );
                     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Tasks/Interval.php` around lines 161 - 164, The loop
currently updates the in-memory $execution with setAttribute('status','failed')
and setAttribute('errors',...) and then separately calls
$dbForProject->updateDocument('executions', $execution->getId(), new
Document([...])) which duplicates work; remove the redundant in-memory mutations
and rely on the single persistence call instead: delete the two lines calling
$execution->setAttribute(...) and keep the
$dbForProject->updateDocument('executions', $execution->getId(), new
Document(['status' => 'failed', 'errors' => 'Execution timed out'])) so the
status/errors update is applied only once.

src/Appwrite/Platform/Modules/Projects/Http/Projects/Labels/Update.php (1)

81-84: Drop the redundant $project->setAttribute() call.

Line 82 no longer participates in the write path: Line 84 persists a fresh sparse Document and immediately overwrites $project with the database result. Removing the in-memory mutation makes this sparse-update pattern easier to follow.

♻️ Proposed cleanup

 $labels = (array) \array_values(\array_unique($labels));
-$project->setAttribute('labels', $labels);
-
 $project = $dbForPlatform->updateDocument('projects', $project->getId(), new Document(['labels' => $labels]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Projects/Http/Projects/Labels/Update.php`
around lines 81 - 84, Remove the redundant in-memory mutation: delete the call
to $project->setAttribute('labels', $labels) since the actual write uses
$dbForPlatform->updateDocument('projects', $project->getId(), new
Document(['labels' => $labels])) which returns the persisted $project; keep the
deduping of $labels and the sparse Document update, then rely on the returned
$project from updateDocument.

src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Attributes/Delete.php (1)

123-124: Remove redundant setAttribute call.

Line 123 modifies $relatedAttribute, but the return value from updateDocument() on line 124 is not captured, and $relatedAttribute is never used after this block. The setAttribute call has no effect.

♻️ Proposed cleanup

                if ($relatedAttribute->getAttribute('status') === 'available') {
-                    $relatedAttribute->setAttribute('status', 'deleting');
                    $dbForProject->updateDocument('attributes', $relatedAttribute->getId(), new Document(['status' => 'deleting']));
                }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Attributes/Delete.php`
around lines 123 - 124, The call to $relatedAttribute->setAttribute('status',
'deleting') is redundant because updateDocument('attributes',
$relatedAttribute->getId(), new Document(['status' => 'deleting'])) performs the
DB update and $relatedAttribute is not used afterwards; remove the
$relatedAttribute->setAttribute(...) line OR, if you intended to update the
in-memory object, replace it by assigning the result of
dbForProject->updateDocument(...) back to $relatedAttribute (e.g.,
$relatedAttribute = $dbForProject->updateDocument(...)); update the code in the
block that references $relatedAttribute, setAttribute, and updateDocument
accordingly.

src/Appwrite/Platform/Modules/VCS/Http/GitHub/Callback/Get.php (1)

149-161: Build the sparse payload directly from the local values.

This still mutates the full $installation object before the write, then immediately re-reads those fields into a sparse Document. Passing $owner, $personal, $refreshToken, $accessToken, and $accessTokenExpiry directly keeps the hot path leaner and avoids leaving the in-memory document ahead of storage if updateDocument() throws.

♻️ Suggested cleanup

-                $installation = $installation
-                    ->setAttribute('organization', $owner)
-                    ->setAttribute('personal', $personal)
-                    ->setAttribute('personalRefreshToken', $refreshToken)
-                    ->setAttribute('personalAccessToken', $accessToken)
-                    ->setAttribute('personalAccessTokenExpiry', $accessTokenExpiry);
                 $installation = $dbForPlatform->updateDocument('installations', $installation->getId(), new Document([
-                    'organization' => $installation->getAttribute('organization'),
-                    'personal' => $installation->getAttribute('personal'),
-                    'personalRefreshToken' => $installation->getAttribute('personalRefreshToken'),
-                    'personalAccessToken' => $installation->getAttribute('personalAccessToken'),
-                    'personalAccessTokenExpiry' => $installation->getAttribute('personalAccessTokenExpiry'),
+                    'organization' => $owner,
+                    'personal' => $personal,
+                    'personalRefreshToken' => $refreshToken,
+                    'personalAccessToken' => $accessToken,
+                    'personalAccessTokenExpiry' => $accessTokenExpiry,
                 ]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/VCS/Http/GitHub/Callback/Get.php` around lines
149 - 161, The code mutates $installation with setAttribute calls before calling
$dbForPlatform->updateDocument, which can leave the in-memory document changed
if updateDocument() throws; instead build the sparse update payload directly
from the local variables ($owner, $personal, $refreshToken, $accessToken,
$accessTokenExpiry) and pass that to
$dbForPlatform->updateDocument('installations', $installation->getId(), new
Document([...])) without calling $installation->setAttribute beforehand, then
only update the in-memory $installation after a successful update if needed.

app/controllers/api/users.php (3)

1579-1582: ⚠️ Potential issue | 🟠 Major

Missing search field update breaks user discovery.

The phone field is part of the user's search index. After this sparse update, users won't be findable by their new phone via /v1/users?search=.

Proposed fix

 $user
     ->setAttribute('phone', $number)
-    ->setAttribute('phoneVerification', false)
+    ->setAttribute('phoneVerification', false)
+    ->setAttribute('search', implode(' ', [$user->getId(), $user->getAttribute('email'), $number, $user->getAttribute('name')]))
 ;

 // ... later in the try block:
 $user = $dbForProject->updateDocument('users', $user->getId(), new Document([
     'phone' => $user->getAttribute('phone'),
     'phoneVerification' => $user->getAttribute('phoneVerification'),
+    'search' => $user->getAttribute('search'),
 ]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/users.php` around lines 1579 - 1582, The update call to
$dbForProject->updateDocument('users', $user->getId(), new Document([...]))
omits the user's `search` field so the new phone won't be indexed; modify that
Document to also set the `search` field (e.g. include the updated phone value
from $user->getAttribute('phone') in the `search` payload) when updating the
'users' document so searches by phone continue to work.

---

1481-1489: ⚠️ Potential issue | 🟠 Major

Missing search field update breaks user discovery.

The email field is part of the user's search index. After this sparse update, users won't be findable by their new email via /v1/users?search=.

Proposed fix

 $user
     ->setAttribute('email', $email)
     ->setAttribute('emailVerification', false)
     ->setAttribute('emailCanonical', $emailCanonical?->getCanonical())
     ->setAttribute('emailIsCanonical', $emailCanonical?->isCanonicalSupported())
     ->setAttribute('emailIsCorporate', $emailCanonical?->isCorporate())
     ->setAttribute('emailIsDisposable', $emailCanonical?->isDisposable())
-    ->setAttribute('emailIsFree', $emailCanonical?->isFree())
+    ->setAttribute('emailIsFree', $emailCanonical?->isFree())
+    ->setAttribute('search', implode(' ', [$user->getId(), $email, $user->getAttribute('phone'), $user->getAttribute('name')]))
 ;

 try {
     $user = $dbForProject->updateDocument('users', $user->getId(), new Document([
         'email' => $user->getAttribute('email'),
         'emailVerification' => $user->getAttribute('emailVerification'),
         'emailCanonical' => $user->getAttribute('emailCanonical'),
         'emailIsCanonical' => $user->getAttribute('emailIsCanonical'),
         'emailIsCorporate' => $user->getAttribute('emailIsCorporate'),
         'emailIsDisposable' => $user->getAttribute('emailIsDisposable'),
         'emailIsFree' => $user->getAttribute('emailIsFree'),
+        'search' => $user->getAttribute('search'),
     ]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/users.php` around lines 1481 - 1489, The sparse update to
the users document omits the user's searchable "search" field so searches by new
email will fail; inside the call to $dbForProject->updateDocument('users',
$user->getId(), new Document([...])) include an updated 'search' value (e.g.
rebuild or merge $user->getAttribute('search') and the new email string) so the
user's email is present in the search index after the update; update the
Document payload in this block to set 'search' appropriately using the $user
variable and existing search attributes.

---

1290-1292: ⚠️ Potential issue | 🟠 Major

Missing search field update breaks user discovery.

The name field is part of the user's search index (see line 161: 'search' => implode(' ', [$userId, $email, $phone, $name])). After this sparse update, users won't be findable by their new name via /v1/users?search=.

Proposed fix

 $user->setAttribute('name', $name);
+$user->setAttribute('search', implode(' ', [$user->getId(), $user->getAttribute('email'), $user->getAttribute('phone'), $name]));

-$user = $dbForProject->updateDocument('users', $user->getId(), new Document(['name' => $user->getAttribute('name')]));
+$user = $dbForProject->updateDocument('users', $user->getId(), new Document([
+    'name' => $user->getAttribute('name'),
+    'search' => $user->getAttribute('search'),
+]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/users.php` around lines 1290 - 1292, The update currently
only writes the 'name' field which leaves the user's 'search' index stale (the
code earlier builds 'search' from userId, email, phone, name). When updating the
user in updateDocument('users', ...), also set the 'search' field to the
concatenation used elsewhere: build the new search string from the user's id and
current email, phone and the new name (use $user->getId(),
$user->getAttribute('email'), $user->getAttribute('phone'), and the updated
name), and pass both 'name' and 'search' in the Document passed to
updateDocument so searches reflect the new name.

app/controllers/api/account.php (2)

4521-4525: ⚠️ Potential issue | 🟠 Major

Only write expired when this request resets it.

createPushTarget() does not initialize expired, so Line 4523 can still write back null here. Build the sparse payload incrementally and add expired only in the branch that sets it.

💡 Suggested fix

-        $target = $dbForProject->updateDocument('targets', $target->getId(), new Document([
-            'identifier' => $target->getAttribute('identifier'),
-            'expired' => $target->getAttribute('expired'),
-            'name' => $target->getAttribute('name'),
-        ]));
+        $updates = [
+            'name' => $target->getAttribute('name'),
+        ];
+
+        if ($identifier) {
+            $updates['identifier'] = $target->getAttribute('identifier');
+            $updates['expired'] = false;
+        }
+
+        $target = $dbForProject->updateDocument('targets', $target->getId(), new Document($updates));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/account.php` around lines 4521 - 4525, The updateDocument
call currently writes 'expired' unconditionally, which may persist null from
createPushTarget(); modify the payload construction before calling
$dbForProject->updateDocument('targets', $target->getId(), ...) to build a
sparse associative array/document incrementally (e.g. $patch =
['identifier'=>..., 'name'=>...]) and only add 'expired' to $patch when the
request explicitly resets/sets it (the branch in createPushTarget()/request
handling that intends to change expired). Then pass that sparse $patch/document
to updateDocument so 'expired' is not written when unset.

---

291-294: ⚠️ Potential issue | 🟠 Major

Only persist the verification flag that actually changed.

This still writes both flags back. For email and magic-link flows, phoneVerification is not guaranteed to exist on the loaded user, so this sparse update can overwrite it with null.

💡 Suggested fix

-        $dbForProject->updateDocument('users', $user->getId(), new Document([
-            'emailVerification' => $user->getAttribute('emailVerification'),
-            'phoneVerification' => $user->getAttribute('phoneVerification'),
-        ]));
+        $updates = [];
+
+        if (\in_array($verifiedToken->getAttribute('type'), [TOKEN_TYPE_MAGIC_URL, TOKEN_TYPE_EMAIL], true)) {
+            $updates['emailVerification'] = true;
+        }
+
+        if ($verifiedToken->getAttribute('type') === TOKEN_TYPE_PHONE) {
+            $updates['phoneVerification'] = true;
+        }
+
+        if ($updates !== []) {
+            $dbForProject->updateDocument('users', $user->getId(), new Document($updates));
+        }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/controllers/api/account.php` around lines 291 - 294, The update currently
always writes both 'emailVerification' and 'phoneVerification' which can
overwrite missing fields with null; instead build an updates array that only
includes keys that actually changed or are present on the loaded user and pass
that to $dbForProject->updateDocument('users', $user->getId(), new
Document(...)). Use $user->getAttribute('emailVerification') and
$user->getAttribute('phoneVerification') (or an existence/changed check) to
conditionally add each field so updateDocument and Document are only passed the
verification flag(s) that should be persisted.

src/Appwrite/Platform/Modules/Teams/Http/Teams/Name/Update.php (1)

67-71: Dead code: setAttribute calls on lines 67-69 are now unused.

These lines modify $team, but that object is never used afterward—line 71 creates a new sparse Document with the same values and reassigns $team to the result of updateDocument(). The original $team modifications are discarded.

Remove the redundant setAttribute calls to avoid confusion:

♻️ Proposed fix

         if ($team->isEmpty()) {
             throw new Exception(Exception::TEAM_NOT_FOUND);
         }

-        $team
-            ->setAttribute('name', $name)
-            ->setAttribute('search', implode(' ', [$teamId, $name]));
-
-        $team = $dbForProject->updateDocument('teams', $team->getId(), new Document(['name' => $name, 'search' => implode(' ', [$teamId, $name])]));
+        $team = $dbForProject->updateDocument('teams', $team->getId(), new Document([
+            'name' => $name,
+            'search' => implode(' ', [$teamId, $name])
+        ]));

         $queueForEvents->setParam('teamId', $team->getId());

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Teams/Http/Teams/Name/Update.php` around lines
67 - 71, The three redundant mutating calls to $team->setAttribute('name',
$name) and ->setAttribute('search', ...) are dead code because $team is
immediately overwritten by the result of $dbForProject->updateDocument(...);
remove those setAttribute lines and keep the existing call to
$dbForProject->updateDocument('teams', $team->getId(), new Document(['name' =>
$name, 'search' => implode(' ', [$teamId, $name])])) so the update is performed
only once; if the original intent was to update the in-memory $team before
persisting, instead pass the modified $team to updateDocument or merge its
attributes into the Document, otherwise simply delete the setAttribute calls.

src/Appwrite/Platform/Modules/VCS/Http/Installations/Repositories/Create.php (1)

112-121: Same redundant attribute-setting pattern.

Similar to the callback handler, you can pass values directly to the sparse Document instead of setting them on $installation first:

♻️ Suggested simplification

-                $installation = $installation
-                    ->setAttribute('personalAccessToken', $accessToken)
-                    ->setAttribute('personalRefreshToken', $refreshToken)
-                    ->setAttribute('personalAccessTokenExpiry', DateTime::addSeconds(new \DateTime(), (int)$oauth2->getAccessTokenExpiry('')));
-
-                $dbForPlatform->updateDocument('installations', $installation->getId(), new Document([
-                    'personalAccessToken' => $installation->getAttribute('personalAccessToken'),
-                    'personalRefreshToken' => $installation->getAttribute('personalRefreshToken'),
-                    'personalAccessTokenExpiry' => $installation->getAttribute('personalAccessTokenExpiry'),
-                ]));
+                $accessTokenExpiry = DateTime::addSeconds(new \DateTime(), (int)$oauth2->getAccessTokenExpiry(''));
+                
+                $installation = $dbForPlatform->updateDocument('installations', $installation->getId(), new Document([
+                    'personalAccessToken' => $accessToken,
+                    'personalRefreshToken' => $refreshToken,
+                    'personalAccessTokenExpiry' => $accessTokenExpiry,
+                ]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/VCS/Http/Installations/Repositories/Create.php`
around lines 112 - 121, The code redundantly calls setAttribute on $installation
before constructing the sparse Document; instead, remove the intermediate
setAttribute calls and pass the values directly into the Document passed to
dbForPlatform->updateDocument. Locate the block using
$installation->setAttribute('personalAccessToken', ...),
setAttribute('personalRefreshToken', ...),
setAttribute('personalAccessTokenExpiry', ...) and replace it by building the
new Document with 'personalAccessToken' => $accessToken, 'personalRefreshToken'
=> $refreshToken, and 'personalAccessTokenExpiry' => DateTime::addSeconds(new
\DateTime(), (int)$oauth2->getAccessTokenExpiry('')), then call
$dbForPlatform->updateDocument('installations', $installation->getId(), new
Document([...])) without mutating $installation via setAttribute.

src/Appwrite/Platform/Modules/Sites/Http/Deployments/Duplicate/Create.php (1)

140-150: Redundant attribute setting before sparse update.

The values are available directly from $deployment:

♻️ Suggested simplification

-        $site = $site
-            ->setAttribute('latestDeploymentId', $deployment->getId())
-            ->setAttribute('latestDeploymentInternalId', $deployment->getSequence())
-            ->setAttribute('latestDeploymentCreatedAt', $deployment->getCreatedAt())
-            ->setAttribute('latestDeploymentStatus', $deployment->getAttribute('status', ''));
-        $dbForProject->updateDocument('sites', $site->getId(), new Document([
-            'latestDeploymentId' => $site->getAttribute('latestDeploymentId'),
-            'latestDeploymentInternalId' => $site->getAttribute('latestDeploymentInternalId'),
-            'latestDeploymentCreatedAt' => $site->getAttribute('latestDeploymentCreatedAt'),
-            'latestDeploymentStatus' => $site->getAttribute('latestDeploymentStatus'),
-        ]));
+        $dbForProject->updateDocument('sites', $site->getId(), new Document([
+            'latestDeploymentId' => $deployment->getId(),
+            'latestDeploymentInternalId' => $deployment->getSequence(),
+            'latestDeploymentCreatedAt' => $deployment->getCreatedAt(),
+            'latestDeploymentStatus' => $deployment->getAttribute('status', ''),
+        ]));

Note: If $site is used later with the updated attributes, keep the setAttribute calls but consider removing the redundant getAttribute reads in the Document constructor.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Sites/Http/Deployments/Duplicate/Create.php`
around lines 140 - 150, The code redundantly sets attributes on $site and then
reads them back via $site->getAttribute when constructing the Document for
dbForProject->updateDocument; instead either remove the intermediate
setAttribute calls and pass values directly from $deployment (use
$deployment->getId(), ->getSequence(), ->getCreatedAt(),
->getAttribute('status')) into the Document constructor, or if $site is needed
later keep the setAttribute calls but change the Document constructor to use
$site->getAttribute only once (or better yet use the $deployment values
directly) to avoid redundant reads; update the block around setAttribute,
updateDocument, and Document to reflect this choice.

src/Appwrite/Platform/Modules/VCS/Http/GitHub/Deployment.php (1)

324-334: Redundant attribute setting before sparse update.

Values are available directly from $deployment:

♻️ Suggested simplification

-                $resource = $resource
-                    ->setAttribute('latestDeploymentId', $deployment->getId())
-                    ->setAttribute('latestDeploymentInternalId', $deployment->getSequence())
-                    ->setAttribute('latestDeploymentCreatedAt', $deployment->getCreatedAt())
-                    ->setAttribute('latestDeploymentStatus', $deployment->getAttribute('status', ''));
-                $authorization->skip(fn () => $dbForProject->updateDocument($resource->getCollection(), $resource->getId(), new Document([
-                    'latestDeploymentId' => $resource->getAttribute('latestDeploymentId'),
-                    'latestDeploymentInternalId' => $resource->getAttribute('latestDeploymentInternalId'),
-                    'latestDeploymentCreatedAt' => $resource->getAttribute('latestDeploymentCreatedAt'),
-                    'latestDeploymentStatus' => $resource->getAttribute('latestDeploymentStatus'),
-                ])));
+                $authorization->skip(fn () => $dbForProject->updateDocument($resource->getCollection(), $resource->getId(), new Document([
+                    'latestDeploymentId' => $deployment->getId(),
+                    'latestDeploymentInternalId' => $deployment->getSequence(),
+                    'latestDeploymentCreatedAt' => $deployment->getCreatedAt(),
+                    'latestDeploymentStatus' => $deployment->getAttribute('status', ''),
+                ])));

If $resource attributes are needed later in the method (e.g., for the VCS comment/preview logic), retain the setAttribute calls.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/VCS/Http/GitHub/Deployment.php` around lines
324 - 334, The block redundantly writes deployment values into $resource before
doing a sparse update; either remove the setAttribute(...) chain and pass values
directly from $deployment to the authorization->skip(...
$dbForProject->updateDocument(...)) call, or if later code relies on $resource
having those attributes, keep the setAttribute calls—so update the sparse update
to use $deployment->getId(), $deployment->getSequence(),
$deployment->getCreatedAt(), and $deployment->getAttribute('status','') directly
(in the call inside authorization->skip) or leave the setAttribute chain intact
if $resource attributes are used later in this method (e.g., for VCS
comment/preview logic).

src/Appwrite/Platform/Modules/VCS/Http/GitHub/Callback/Get.php (1)

149-161: Redundant attribute setting before sparse update.

Lines 149-154 set attributes on $installation, then lines 156-160 read them back via getAttribute(). Since you're using a sparse update anyway, pass the values directly to avoid the intermediate mutation:

♻️ Suggested simplification

-            $installation = $installation
-                    ->setAttribute('organization', $owner)
-                    ->setAttribute('personal', $personal)
-                    ->setAttribute('personalRefreshToken', $refreshToken)
-                    ->setAttribute('personalAccessToken', $accessToken)
-                    ->setAttribute('personalAccessTokenExpiry', $accessTokenExpiry);
-                $installation = $dbForPlatform->updateDocument('installations', $installation->getId(), new Document([
-                    'organization' => $installation->getAttribute('organization'),
-                    'personal' => $installation->getAttribute('personal'),
-                    'personalRefreshToken' => $installation->getAttribute('personalRefreshToken'),
-                    'personalAccessToken' => $installation->getAttribute('personalAccessToken'),
-                    'personalAccessTokenExpiry' => $installation->getAttribute('personalAccessTokenExpiry'),
-                ]));
+                $installation = $dbForPlatform->updateDocument('installations', $installation->getId(), new Document([
+                    'organization' => $owner,
+                    'personal' => $personal,
+                    'personalRefreshToken' => $refreshToken,
+                    'personalAccessToken' => $accessToken,
+                    'personalAccessTokenExpiry' => $accessTokenExpiry,
+                ]));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/VCS/Http/GitHub/Callback/Get.php` around lines
149 - 161, The code redundantly calls setAttribute on $installation then
immediately reads them back for a sparse update; remove the intermediate
mutations and directly pass the intended values ($owner, $personal,
$refreshToken, $accessToken, $accessTokenExpiry) into the
dbForPlatform->updateDocument call (using $installation->getId() to identify the
record), eliminating the setAttribute(...) lines and replacing the new
Document([...]) payload to use those variables directly.

src/Appwrite/Platform/Modules/Functions/Workers/Builds.php (1)

282-285: Consider extracting a helper for deployment patch + realtime emit.

This worker now repeats the same updateDocument(... new Document([...])) and queueForRealtime->setPayload(...)->trigger() sequence many times. A small helper would reduce noise and make future status/log changes easier to keep consistent.

Also applies to: 372-376, 490-496, 544-548, 563-565, 841-843, 929-936, 952-955, 1198-1203, 1510-1512, 1531-1533

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/Appwrite/Platform/Modules/Functions/Workers/Builds.php` around lines 282
- 285, Extract a small helper (e.g., patchDeploymentAndEmit or
updateDeploymentWithRealtime) that accepts the db client ($dbForProject), the
Deployment Document ($deployment or $deployment->getId()), an associative array
of fields to set (or specific params like status, timestamps, logs), and the
queueForRealtime instance; inside the helper call
$dbForProject->updateDocument('deployments', $deployment->getId(), new
Document([...])) and immediately call
$queueForRealtime->setPayload(...)->trigger() with the same payload, then
replace all repeated sequences (the calls around updateDocument and
queueForRealtime->setPayload->trigger at the locations referencing
updateDocument, $deployment, and queueForRealtime) with calls to this new helper
to keep behavior identical while centralizing payload construction and realtime
emission.