fix: clamp recommended merge XP reward to difficulty tier cap (#216) #219

Open
Sujini-kudupudi wants to merge 6 commits into Coder-s-OG-s:main from Sujini-kudupudi:fix-xp-rewards-cap

@Sujini-kudupudi
Contributor

Summary

This PR resolves a data-integrity bug (issue #216) in the gamification reward pipeline. Previously, awardRecommendedMerge awarded the database-retrieved rec.xp_reward directly without validating it against the difficulty tier ceilings defined in XP_REWARDS.RECOMMENDED_MERGE.

This change introduces an application-layer clamp to ensure that recommendations with inflated XP amounts (due to manual DB edits, compromised migrations, or write-path errors) are capped safely.

Type of Change

  • Bug fix
  • New feature
  • UI / UX improvement
  • Refactor
  • Documentation
  • Other

Related Issue

Closes #216

What was changed?

  1. XP Clamping in Webhook Handler:

    • Imported XP_REWARDS into src/inngest/functions/process-pr-event.ts.
    • Clamped the database-retrieved rec.xp_reward to the difficulty tier ceiling (50 for Easy, 150 for Medium, 400 for Hard) as defined in XP_REWARDS.RECOMMENDED_MERGE.
    • Passed the clamped xpDelta to insertXpEvent and mapped the clamped value to xpAwarded in activity_log record details.
  2. Added Unit Tests:

    • Added 5 exhaustive unit test scenarios to src/inngest/functions/process-pr-event.test.ts to verify clamping behavior for Easy, Medium, and Hard difficulty levels, standard values under the cap, and null fallbacks.
  3. Verifications:

    • Verified that the full test suite (npm test) passes.
    • Verified TypeScript builds successfully with no errors (npm run typecheck).

Screenshots

N/A

Checklist

  • My code follows the project structure and conventions
  • I tested this locally (npm run dev)
  • No hardcoded secrets or credentials
  • I have updated documentation if needed

@vercel
Contributor

vercel Bot commented May 25, 2026

@Sujini-kudupudi is attempting to deploy a commit to the codersogs-3057's projects Team on Vercel.

A member of the Team first needs to authorize it.

Collaborator

@Siddhartha-singh01 left a comment

Nice clean fix, @Sujini-kudupudi. Clamping at the application layer with
Math.min(rec.xp_reward ?? tierCap, tierCap) is the right defensive pattern, and
updating the activity_log to use xpDelta instead of the raw rec.xp_reward keeps
the audit trail consistent with what was actually credited. The XP_REWARDS lookup
with the xpForMerge fallback preserves the existing happy-path behavior, so this is
purely additive defense.

I checked the diff carefully: recommendations.test.ts appears in the file list,
but the blob hash is identical to main's (PR #124 already landed there), so this is
just a three-dot diff artifact. Actual content delta is just process-pr-event.ts
(+11/-5) + process-pr-event.test.ts (+241). Clean scope.

Only thing before merge: CI hasn't run yet. Could a maintainer approve the workflow
so CI / check actually executes on the latest commit? Once it's green, this is
ready to merge.

LGTM once CI is green ✅
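
The clamp discussed in the PR description and the review above, as an added example that is not the project's code or part of either comment. It uses the tier ceilings quoted in the PR (50, 150, 400); the key names, row shape and function names are assumptions, and it goes beyond the reviewed expression by also rejecting NaN, negative, non-numeric and unknown-tier values, which award 0 here as an assumed policy.

```typescript
// Added example, not the project's code. Ceilings are the values quoted in
// the PR description; key names and the row shape are assumptions.
const TIER_CAP = { easy: 50, medium: 150, hard: 400 } as const;
type Difficulty = keyof typeof TIER_CAP;

// Hypothetical recommendation row as read back from the database (untrusted).
interface RecRow { difficulty: string; xp_reward: unknown }
interface Award { xpDelta: number; reason: string }

// Own-property check so keys such as "constructor" never count as a tier.
function isDifficulty(d: string): d is Difficulty {
  return Object.prototype.hasOwnProperty.call(TIER_CAP, d);
}

// Returns the XP to credit; the same xpDelta should go to the audit log.
function clampRecommendedXp(rec: RecRow): Award {
  const d = rec.difficulty;
  // Unknown tier: fail closed instead of trusting the stored amount.
  if (!isDifficulty(d)) return { xpDelta: 0, reason: "unknown-difficulty" };
  const cap = TIER_CAP[d];
  const raw = rec.xp_reward;
  // Null/undefined falls back to the tier cap, matching `rec.xp_reward ?? tierCap`.
  if (raw === null || raw === undefined) return { xpDelta: cap, reason: "null-fallback" };
  // Math.min(NaN, cap) is NaN and Math.min(-5, cap) is -5, so validate type
  // and range before clamping; `??` only covers null and undefined.
  if (typeof raw !== "number" || !Number.isInteger(raw) || raw < 0) {
    return { xpDelta: 0, reason: "invalid-value" };
  }
  return raw > cap ? { xpDelta: cap, reason: "over-cap" } : { xpDelta: raw, reason: "ok" };
}

// Constructed sample rows (not real data) covering the inflated-value cases.
const sampleRows: RecRow[] = [
  { difficulty: "easy", xp_reward: 9999 },
  { difficulty: "medium", xp_reward: 120 },
  { difficulty: "hard", xp_reward: null },
  { difficulty: "hard", xp_reward: NaN },
  { difficulty: "easy", xp_reward: -5 },
  { difficulty: "legendary", xp_reward: 400 },
];

// One summary string per sample row: "<tier>:<stored>-><credited>(<reason>)".
function auditSample(): string[] {
  return sampleRows.map((r) => {
    const a = clampRecommendedXp(r);
    return `${r.difficulty}:${String(r.xp_reward)}->${a.xpDelta}(${a.reason})`;
  });
}
```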

@Sujini-kudupudi
Contributor Author

@Coder-s-OG-s/maintainers Thanks for the review, Siddhartha! Could a maintainer please approve the Vercel deployment and trigger the CI workflow for the latest commit? Once the checks are green, this should be ready to merge.

@Siddhartha-singh01
Collaborator

@Sujini-kudupudi I have checked, and everything is actually working well. Don't worry, we will be good to merge this PR!

Thanks!

@Soumya-codr Soumya-codr added bug Something isn't working GSSOC26 GirlScript Summer of Code 2026 level:intermediate Intermediate level difficulty quality:clean Clean, well-structured contribution gssoc:approved Approved by GSSOC admin NSoC'26 NSoc level 1 labels May 25, 2026

Development

Successfully merging this pull request may close these issues.

[Bug] awardRecommendedMerge uses rec.xp_reward from the database without capping to the difficulty-tier maximum, enabling XP inflation
