ℹ️ No critical issues — one minor robustness note inline.

Reviewed changes — initial review of the new POST /v2/projects.createProject endpoint and the shared projects scaffolding it lands.

• Add createProject handler — GetPrincipal → BindBody → Authorize(project.*.create_project) → TxRetry wrapping InsertProject + a project.create audit log, returning {id, slug}. Ordering matches existing create handlers.
• Duplicate handling — relies on the existing projects UNIQUE(workspace_id, slug) constraint; db.IsDuplicateKeyError maps to the new err:unkey:data:project_already_exists code (409 via the middleware mapping).
• RBAC — new rbac.CreateProject action (Go) and create_project in projectActions (TS) plus both dashboard permission catalogs.
• Errors / codes / docs — project_already_exists code, conflict middleware mapping, error .mdx page, and docs.json nav entry.
• Audit — ProjectCreateEvent (project.create) and ProjectResourceType (project).
• OpenAPI — request body (name 1-256, slug 1-256 pattern ^[a-z0-9]+(-[a-z0-9]+)*$), response {id, slug}, and the path index documenting 200/400/401/403/409/429/500. Generated gen.go + yaml regenerated.
• Query rename — FindProjectByWorkspaceSlug → FindProjectByWorkspaceAndSlug across the .sql, generated code, BUILD.bazel, seed, and the 200 test.
• Tests — 200 (incl. multi-create + audit-log assertion), 400 (missing/invalid/too-long fields, bad JSON, missing auth), 401, 403 action matrix, and 409 (dup within workspace + same slug in a different workspace succeeds).

  ^{｜ Fix all ➔ ｜ Fix 👍s ➔ ｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

ℹ️ No critical issues — one minor test-coverage note inline.

Reviewed changes — re-review of the delta since the prior pullfrog review: a tighter slug pattern, the new project id in the response, and audit-log metadata.

• Tightened slug pattern — ^[a-z0-9-]+$ → ^[a-z0-9]+(-[a-z0-9]+)*$ across request body, response data, and the rendered OpenAPI/gen.go, forbidding leading, trailing, and consecutive hyphens; descriptions and the 400 example detail updated to match.
• Added project id to the response — V2ProjectsCreateProjectResponseData now returns {id, slug} (id pattern ^[a-zA-Z0-9_]+$, minLength 8), wired through the handler and asserted in the 200 test (proj_ prefix + echo equals the persisted project.ID).
• Populated audit-log Meta — the project.create resource Meta changed from nil to {"name", "slug"}.
• Renamed query — FindProjectByWorkspaceSlug → FindProjectByWorkspaceAndSlug across .sql, generated code, BUILD.bazel, seed, and the 200 test.
• Duplicate-key error — switched from fault.Wrap(err, …) to fault.New("project already exists", …) while keeping the same 409 code and public message.

  ^{｜ Fix all ➔ ｜ Fix 👍s ➔ ｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

let's clean up the schema a little, rest looks good

✅ No new issues found.

Reviewed changes — re-review of the delta since the prior pullfrog review (fe6e252, now rebased onto main): commit 379d65d refactor: allow actor util to accept session, which addresses chronark's request to have ctrlclient.Actor parse the session itself.

• Actor now takes a *zen.Session — ctrlclient.Actor(p *principal.Principal, remoteIP, userAgent string) became Actor(s *zen.Session) (*ctrlv1.ActorInfo, error), reading the principal off s.GetPrincipal() and the origin off s.Location()/s.UserAgent() so handlers no longer assemble the arguments by hand; it now also seeds Meta with an empty map and returns an error when the session has no principal.
• Updated the lone caller — the create-project handler calls ctrlclient.Actor(s) and propagates its error; the //pkg/zen dep was added to ctrlclient's BUILD.bazel.

This implements chronark's suggestion cleanly. The handler already calls s.GetPrincipal() before Actor(s), and GetPrincipal() is a cached field read (pkg/zen/session.go:129), so the second call inside Actor is safe and cheap. The only caller is updated and all three session methods used (GetPrincipal/Location/UserAgent) exist. chronark's review thread is already resolved.

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}