Add server routes for companies, approvals, costs, and dashboard

New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 09:07:27 -06:00
parent 8c830eae70
commit abadd469bc
29 changed files with 2151 additions and 98 deletions
--- a/server/src/middleware/auth.ts
+++ b/server/src/middleware/auth.ts
@@ -0,0 +1,57 @@
+import { createHash } from "node:crypto";
+import type { RequestHandler } from "express";
+import { and, eq, isNull } from "drizzle-orm";
+import type { Db } from "@paperclip/db";
+import { agentApiKeys } from "@paperclip/db";
+
+function hashToken(token: string) {
+  return createHash("sha256").update(token).digest("hex");
+}
+
+export function actorMiddleware(db: Db): RequestHandler {
+  return async (req, _res, next) => {
+    req.actor = { type: "board", userId: "board" };
+
+    const authHeader = req.header("authorization");
+    if (!authHeader?.toLowerCase().startsWith("bearer ")) {
+      next();
+      return;
+    }
+
+    const token = authHeader.slice("bearer ".length).trim();
+    if (!token) {
+      next();
+      return;
+    }
+
+    const tokenHash = hashToken(token);
+    const key = await db
+      .select()
+      .from(agentApiKeys)
+      .where(and(eq(agentApiKeys.keyHash, tokenHash), isNull(agentApiKeys.revokedAt)))
+      .then((rows) => rows[0] ?? null);
+
+    if (!key) {
+      next();
+      return;
+    }
+
+    await db
+      .update(agentApiKeys)
+      .set({ lastUsedAt: new Date() })
+      .where(eq(agentApiKeys.id, key.id));
+
+    req.actor = {
+      type: "agent",
+      agentId: key.agentId,
+      companyId: key.companyId,
+      keyId: key.id,
+    };
+
+    next();
+  };
+}
+
+export function requireBoard(req: Express.Request) {
+  return req.actor.type === "board";
+}
--- a/server/src/middleware/error-handler.ts
+++ b/server/src/middleware/error-handler.ts
@@ -1,6 +1,7 @@
 import type { Request, Response, NextFunction } from "express";
 import { ZodError } from "zod";
 import { logger } from "./logger.js";
+import { HttpError } from "../errors.js";

 export function errorHandler(
  err: unknown,
@@ -8,6 +9,14 @@ export function errorHandler(
  res: Response,
  _next: NextFunction,
 ) {
+  if (err instanceof HttpError) {
+    res.status(err.status).json({
+      error: err.message,
+      ...(err.details ? { details: err.details } : {}),
+    });
+    return;
+  }
+
  if (err instanceof ZodError) {
    res.status(400).json({ error: "Validation error", details: err.errors });
    return;