Add server routes for companies, approvals, costs, and dashboard

New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 09:07:27 -06:00
parent 8c830eae70
commit abadd469bc
29 changed files with 2151 additions and 98 deletions
--- a/server/src/routes/issues.ts
+++ b/server/src/routes/issues.ts
@@ -1,52 +1,225 @@
 import { Router } from "express";
 import type { Db } from "@paperclip/db";
-import { createIssueSchema, updateIssueSchema } from "@paperclip/shared";
+import {
+  addIssueCommentSchema,
+  checkoutIssueSchema,
+  createIssueSchema,
+  updateIssueSchema,
+} from "@paperclip/shared";
 import { validate } from "../middleware/validate.js";
-import { issueService } from "../services/issues.js";
+import { issueService, logActivity } from "../services/index.js";
+import { assertCompanyAccess, getActorInfo } from "./authz.js";

 export function issueRoutes(db: Db) {
  const router = Router();
  const svc = issueService(db);

-  router.get("/", async (_req, res) => {
-    const result = await svc.list();
+  router.get("/companies/:companyId/issues", async (req, res) => {
+    const companyId = req.params.companyId as string;
+    assertCompanyAccess(req, companyId);
+    const result = await svc.list(companyId, {
+      status: req.query.status as string | undefined,
+      assigneeAgentId: req.query.assigneeAgentId as string | undefined,
+      projectId: req.query.projectId as string | undefined,
+    });
    res.json(result);
  });

-  router.get("/:id", async (req, res) => {
+  router.get("/issues/:id", async (req, res) => {
    const id = req.params.id as string;
    const issue = await svc.getById(id);
    if (!issue) {
      res.status(404).json({ error: "Issue not found" });
      return;
    }
+    assertCompanyAccess(req, issue.companyId);
    res.json(issue);
  });

-  router.post("/", validate(createIssueSchema), async (req, res) => {
-    const issue = await svc.create(req.body);
+  router.post("/companies/:companyId/issues", validate(createIssueSchema), async (req, res) => {
+    const companyId = req.params.companyId as string;
+    assertCompanyAccess(req, companyId);
+
+    const actor = getActorInfo(req);
+    const issue = await svc.create(companyId, {
+      ...req.body,
+      createdByAgentId: actor.agentId,
+      createdByUserId: actor.actorType === "user" ? actor.actorId : null,
+    });
+
+    await logActivity(db, {
+      companyId,
+      actorType: actor.actorType,
+      actorId: actor.actorId,
+      agentId: actor.agentId,
+      action: "issue.created",
+      entityType: "issue",
+      entityId: issue.id,
+      details: { title: issue.title },
+    });
+
    res.status(201).json(issue);
  });

-  router.patch("/:id", validate(updateIssueSchema), async (req, res) => {
+  router.patch("/issues/:id", validate(updateIssueSchema), async (req, res) => {
    const id = req.params.id as string;
+    const existing = await svc.getById(id);
+    if (!existing) {
+      res.status(404).json({ error: "Issue not found" });
+      return;
+    }
+    assertCompanyAccess(req, existing.companyId);
+
    const issue = await svc.update(id, req.body);
    if (!issue) {
      res.status(404).json({ error: "Issue not found" });
      return;
    }
+
+    const actor = getActorInfo(req);
+    await logActivity(db, {
+      companyId: issue.companyId,
+      actorType: actor.actorType,
+      actorId: actor.actorId,
+      agentId: actor.agentId,
+      action: "issue.updated",
+      entityType: "issue",
+      entityId: issue.id,
+      details: req.body,
+    });
+
    res.json(issue);
  });

-  router.delete("/:id", async (req, res) => {
+  router.delete("/issues/:id", async (req, res) => {
    const id = req.params.id as string;
+    const existing = await svc.getById(id);
+    if (!existing) {
+      res.status(404).json({ error: "Issue not found" });
+      return;
+    }
+    assertCompanyAccess(req, existing.companyId);
+
    const issue = await svc.remove(id);
    if (!issue) {
      res.status(404).json({ error: "Issue not found" });
      return;
    }
+
+    const actor = getActorInfo(req);
+    await logActivity(db, {
+      companyId: issue.companyId,
+      actorType: actor.actorType,
+      actorId: actor.actorId,
+      agentId: actor.agentId,
+      action: "issue.deleted",
+      entityType: "issue",
+      entityId: issue.id,
+    });
+
    res.json(issue);
  });

+  router.post("/issues/:id/checkout", validate(checkoutIssueSchema), async (req, res) => {
+    const id = req.params.id as string;
+    const issue = await svc.getById(id);
+    if (!issue) {
+      res.status(404).json({ error: "Issue not found" });
+      return;
+    }
+    assertCompanyAccess(req, issue.companyId);
+
+    if (req.actor.type === "agent" && req.actor.agentId !== req.body.agentId) {
+      res.status(403).json({ error: "Agent can only checkout as itself" });
+      return;
+    }
+
+    const updated = await svc.checkout(id, req.body.agentId, req.body.expectedStatuses);
+    const actor = getActorInfo(req);
+
+    await logActivity(db, {
+      companyId: issue.companyId,
+      actorType: actor.actorType,
+      actorId: actor.actorId,
+      agentId: actor.agentId,
+      action: "issue.checked_out",
+      entityType: "issue",
+      entityId: issue.id,
+      details: { agentId: req.body.agentId },
+    });
+
+    res.json(updated);
+  });
+
+  router.post("/issues/:id/release", async (req, res) => {
+    const id = req.params.id as string;
+    const existing = await svc.getById(id);
+    if (!existing) {
+      res.status(404).json({ error: "Issue not found" });
+      return;
+    }
+    assertCompanyAccess(req, existing.companyId);
+
+    const released = await svc.release(id, req.actor.type === "agent" ? req.actor.agentId : undefined);
+    if (!released) {
+      res.status(404).json({ error: "Issue not found" });
+      return;
+    }
+
+    const actor = getActorInfo(req);
+    await logActivity(db, {
+      companyId: released.companyId,
+      actorType: actor.actorType,
+      actorId: actor.actorId,
+      agentId: actor.agentId,
+      action: "issue.released",
+      entityType: "issue",
+      entityId: released.id,
+    });
+
+    res.json(released);
+  });
+
+  router.get("/issues/:id/comments", async (req, res) => {
+    const id = req.params.id as string;
+    const issue = await svc.getById(id);
+    if (!issue) {
+      res.status(404).json({ error: "Issue not found" });
+      return;
+    }
+    assertCompanyAccess(req, issue.companyId);
+    const comments = await svc.listComments(id);
+    res.json(comments);
+  });
+
+  router.post("/issues/:id/comments", validate(addIssueCommentSchema), async (req, res) => {
+    const id = req.params.id as string;
+    const issue = await svc.getById(id);
+    if (!issue) {
+      res.status(404).json({ error: "Issue not found" });
+      return;
+    }
+    assertCompanyAccess(req, issue.companyId);
+
+    const actor = getActorInfo(req);
+    const comment = await svc.addComment(id, req.body.body, {
+      agentId: actor.agentId ?? undefined,
+      userId: actor.actorType === "user" ? actor.actorId : undefined,
+    });
+
+    await logActivity(db, {
+      companyId: issue.companyId,
+      actorType: actor.actorType,
+      actorId: actor.actorId,
+      agentId: actor.agentId,
+      action: "issue.comment_added",
+      entityType: "issue",
+      entityId: issue.id,
+      details: { commentId: comment.id },
+    });
+
+    res.status(201).json(comment);
+  });
+
  return router;
 }