farhoodlabs/paperclip
8
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b9a80dcf226c50c8778a70443e41557980376a03
paperclip/ui/src/context/LiveUpdatesProvider.test.ts
T
Dotta b9a80dcf22 feat: implement multi-user access and invite flows (#3784) 
## Thinking Path

> - Paperclip is the control plane for autonomous AI companies.
> - V1 needs to stay local-first while also supporting shared,
authenticated deployments.
> - Human operators need real identities, company membership, invite
flows, profile surfaces, and company-scoped access controls.
> - Agents and operators also need the existing issue, inbox, workspace,
approval, and plugin flows to keep working under those authenticated
boundaries.
> - This branch accumulated the multi-user implementation, follow-up QA
fixes, workspace/runtime refinements, invite UX improvements,
release-branch conflict resolution, and review hardening.
> - This pull request consolidates that branch onto the current `master`
branch as a single reviewable PR.
> - The benefit is a complete multi-user implementation path with tests
and docs carried forward without dropping existing branch work.

## What Changed

- Added authenticated human-user access surfaces: auth/session routes,
company user directory, profile settings, company access/member
management, join requests, and invite management.
- Added invite creation, invite landing, onboarding, logo/branding,
invite grants, deduped join requests, and authenticated multi-user E2E
coverage.
- Tightened company-scoped and instance-admin authorization across
board, plugin, adapter, access, issue, and workspace routes.
- Added profile-image URL validation hardening, avatar preservation on
name-only profile updates, and join-request uniqueness migration cleanup
for pending human requests.
- Added an atomic member role/status/grants update path so Company
Access saves no longer leave partially updated permissions.
- Improved issue chat, inbox, assignee identity rendering,
sidebar/account/company navigation, workspace routing, and execution
workspace reuse behavior for multi-user operation.
- Added and updated server/UI tests covering auth, invites, membership,
issue workspace inheritance, plugin authz, inbox/chat behavior, and
multi-user flows.
- Merged current `public-gh/master` into this branch, resolved all
conflicts, and verified no `pnpm-lock.yaml` change is included in this
PR diff.

## Verification

- `pnpm exec vitest run server/src/__tests__/issues-service.test.ts
ui/src/components/IssueChatThread.test.tsx ui/src/pages/Inbox.test.tsx`
- `pnpm run preflight:workspace-links && pnpm exec vitest run
server/src/__tests__/plugin-routes-authz.test.ts`
- `pnpm exec vitest run server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/workspace-runtime-service-authz.test.ts
server/src/__tests__/access-validators.test.ts`
- `pnpm exec vitest run
server/src/__tests__/authz-company-access.test.ts
server/src/__tests__/routines-routes.test.ts
server/src/__tests__/sidebar-preferences-routes.test.ts
server/src/__tests__/approval-routes-idempotency.test.ts
server/src/__tests__/openclaw-invite-prompt-route.test.ts
server/src/__tests__/agent-cross-tenant-authz-routes.test.ts
server/src/__tests__/routines-e2e.test.ts`
- `pnpm exec vitest run server/src/__tests__/auth-routes.test.ts
ui/src/pages/CompanyAccess.test.tsx`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/db typecheck && pnpm --filter @paperclipai/server
typecheck`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/server typecheck`
- `pnpm --filter @paperclipai/ui typecheck`
- `pnpm db:generate`
- `npx playwright test --config tests/e2e/playwright.config.ts --list`
- Confirmed branch has no uncommitted changes and is `0` commits behind
`public-gh/master` before PR creation.
- Confirmed no `pnpm-lock.yaml` change is staged or present in the PR
diff.

## Risks

- High review surface area: this PR contains the accumulated multi-user
branch plus follow-up fixes, so reviewers should focus especially on
company-boundary enforcement and authenticated-vs-local deployment
behavior.
- UI behavior changed across invites, inbox, issue chat, access
settings, and sidebar navigation; no browser screenshots are included in
this branch-consolidation PR.
- Plugin install, upgrade, and lifecycle/config mutations now require
instance-admin access, which is intentional but may change expectations
for non-admin board users.
- A join-request dedupe migration rejects duplicate pending human
requests before creating unique indexes; deployments with unusual
historical duplicates should review the migration behavior.
- Company member role/status/grant saves now use a new combined
endpoint; older separate endpoints remain for compatibility.
- Full production build was not run locally in this heartbeat; CI should
cover the full matrix.

## Model Used

- OpenAI Codex coding agent, GPT-5-based model, CLI/tool-use
environment. Exact deployed model identifier and context window were not
exposed by the runtime.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

Note on screenshots: this is a branch-consolidation PR for an
already-developed multi-user branch, and no browser screenshots were
captured during this heartbeat.

---------

Co-authored-by: dotta <dotta@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-17 09:44:19 -05:00

673 lines
19 KiB
TypeScript
Raw Blame History

// @vitest-environment node
const { getCommentMock } = vi.hoisted(() => ({
getCommentMock: vi.fn(),
}));
vi.mock("../api/issues", () => ({
issuesApi: {
getComment: getCommentMock,
},
}));
import { describe, expect, it, vi } from "vitest";
import { __liveUpdatesTestUtils } from "./LiveUpdatesProvider";
import { queryKeys } from "../lib/queryKeys";
describe("LiveUpdatesProvider issue invalidation", () => {
it("refreshes touched inbox queries and only the changed issue data for issue updates", () => {
const invalidations: unknown[] = [];
const queryClient = {
invalidateQueries: (input: unknown) => {
invalidations.push(input);
},
getQueryData: () => undefined,
};
__liveUpdatesTestUtils.invalidateActivityQueries(
queryClient as never,
"company-1",
{
entityType: "issue",
entityId: "issue-1",
action: "issue.updated",
details: null,
},
{ userId: null, agentId: null },
);
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.listMineByMe("company-1"),
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.listTouchedByMe("company-1"),
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.listUnreadTouchedByMe("company-1"),
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.detail("issue-1"),
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.activity("issue-1"),
});
expect(invalidations).not.toContainEqual({
queryKey: queryKeys.issues.comments("issue-1"),
});
expect(invalidations).not.toContainEqual({
queryKey: queryKeys.issues.runs("issue-1"),
});
expect(invalidations).not.toContainEqual({
queryKey: queryKeys.issues.documents("issue-1"),
});
expect(invalidations).not.toContainEqual({
queryKey: queryKeys.issues.attachments("issue-1"),
});
expect(invalidations).not.toContainEqual({
queryKey: queryKeys.issues.approvals("issue-1"),
});
expect(invalidations).not.toContainEqual({
queryKey: queryKeys.issues.liveRuns("issue-1"),
});
expect(invalidations).not.toContainEqual({
queryKey: queryKeys.issues.activeRun("issue-1"),
});
});
it("still refreshes comments when a comment activity event arrives", () => {
const invalidations: unknown[] = [];
const queryClient = {
invalidateQueries: (input: unknown) => {
invalidations.push(input);
},
getQueryData: () => undefined,
};
__liveUpdatesTestUtils.invalidateActivityQueries(
queryClient as never,
"company-1",
{
entityType: "issue",
entityId: "issue-1",
action: "issue.comment_added",
details: null,
},
{ userId: null, agentId: null },
);
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.comments("issue-1"),
});
});
it("keeps self-authored comment events from refetching the active issue tree", () => {
const invalidations: unknown[] = [];
const queryClient = {
invalidateQueries: (input: unknown) => {
invalidations.push(input);
},
getQueryData: () => undefined,
};
__liveUpdatesTestUtils.invalidateActivityQueries(
queryClient as never,
"company-1",
{
entityType: "issue",
entityId: "issue-1",
action: "issue.comment_added",
actorType: "user",
actorId: "user-1",
details: null,
},
{ userId: "user-1", agentId: null },
);
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.detail("issue-1"),
refetchType: "inactive",
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.activity("issue-1"),
refetchType: "inactive",
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.comments("issue-1"),
refetchType: "inactive",
});
});
it("treats self-authored comment-driven issue updates as inactive-only refreshes", () => {
const invalidations: unknown[] = [];
const queryClient = {
invalidateQueries: (input: unknown) => {
invalidations.push(input);
},
getQueryData: () => undefined,
};
__liveUpdatesTestUtils.invalidateActivityQueries(
queryClient as never,
"company-1",
{
entityType: "issue",
entityId: "issue-1",
action: "issue.updated",
actorType: "user",
actorId: "user-1",
details: { source: "comment" },
},
{ userId: "user-1", agentId: null },
);
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.detail("issue-1"),
refetchType: "inactive",
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.activity("issue-1"),
refetchType: "inactive",
});
expect(invalidations).not.toContainEqual({
queryKey: queryKeys.issues.comments("issue-1"),
refetchType: "inactive",
});
});
it("keeps visible issue detail refetches inactive for downstream agent updates", () => {
const invalidations: unknown[] = [];
const queryClient = {
invalidateQueries: (input: unknown) => {
invalidations.push(input);
},
getQueryData: (key: unknown) => {
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.detail("PAP-759"))) {
return {
id: "issue-1",
identifier: "PAP-759",
assigneeAgentId: "agent-1",
};
}
return undefined;
},
};
__liveUpdatesTestUtils.invalidateActivityQueries(
queryClient as never,
"company-1",
{
entityType: "issue",
entityId: "issue-1",
action: "issue.updated",
actorType: "system",
actorId: "heartbeat",
details: {
identifier: "PAP-759",
source: "deferred_comment_wake",
},
},
{ userId: null, agentId: null },
{ pathname: "/PAP/issues/PAP-759", isForegrounded: true },
);
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.detail("issue-1"),
refetchType: "inactive",
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.activity("issue-1"),
refetchType: "inactive",
});
});
it("still actively refetches visible issue detail for board-authored updates", () => {
const invalidations: unknown[] = [];
const queryClient = {
invalidateQueries: (input: unknown) => {
invalidations.push(input);
},
getQueryData: (key: unknown) => {
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.detail("PAP-759"))) {
return {
id: "issue-1",
identifier: "PAP-759",
assigneeAgentId: "agent-1",
};
}
return undefined;
},
};
__liveUpdatesTestUtils.invalidateActivityQueries(
queryClient as never,
"company-1",
{
entityType: "issue",
entityId: "issue-1",
action: "issue.updated",
actorType: "user",
actorId: "user-2",
details: {
identifier: "PAP-759",
status: "in_progress",
},
},
{ userId: "user-1", agentId: null },
{ pathname: "/PAP/issues/PAP-759", isForegrounded: true },
);
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.detail("issue-1"),
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.activity("issue-1"),
});
expect(invalidations).not.toContainEqual({
queryKey: queryKeys.issues.detail("issue-1"),
refetchType: "inactive",
});
});
it("keeps visible issue comment updates inactive-only instead of active refetching", () => {
const invalidations: unknown[] = [];
const queryClient = {
invalidateQueries: (input: unknown) => {
invalidations.push(input);
},
getQueryData: (key: unknown) => {
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.detail("PAP-759"))) {
return {
id: "issue-1",
identifier: "PAP-759",
assigneeAgentId: "agent-1",
};
}
return undefined;
},
};
__liveUpdatesTestUtils.invalidateActivityQueries(
queryClient as never,
"company-1",
{
entityType: "issue",
entityId: "issue-1",
action: "issue.comment_added",
actorType: "agent",
actorId: "agent-1",
details: {
identifier: "PAP-759",
commentId: "comment-1",
bodySnippet: "New agent comment",
},
},
{ userId: null, agentId: null },
{ pathname: "/PAP/issues/PAP-759", isForegrounded: true },
);
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.detail("issue-1"),
refetchType: "inactive",
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.activity("issue-1"),
refetchType: "inactive",
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.comments("issue-1"),
refetchType: "inactive",
});
});
it("refreshes visible issue run queries when the displayed run changes status", () => {
const invalidations: unknown[] = [];
const queryClient = {
invalidateQueries: (input: unknown) => {
invalidations.push(input);
},
getQueryData: (key: unknown) => {
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.detail("PAP-759"))) {
return {
id: "issue-1",
identifier: "PAP-759",
assigneeAgentId: "agent-1",
};
}
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.activeRun("PAP-759"))) {
return {
id: "run-1",
};
}
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.liveRuns("PAP-759"))) {
return [{ id: "run-1" }];
}
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.runs("PAP-759"))) {
return [{ runId: "run-1" }];
}
return undefined;
},
};
const invalidated = __liveUpdatesTestUtils.invalidateVisibleIssueRunQueries(
queryClient as never,
"/PAP/issues/PAP-759",
{
runId: "run-1",
agentId: "agent-1",
status: "succeeded",
},
{ isForegrounded: true },
);
expect(invalidated).toBe(true);
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.detail("PAP-759"),
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.activity("PAP-759"),
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.runs("PAP-759"),
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.liveRuns("PAP-759"),
});
expect(invalidations).toContainEqual({
queryKey: queryKeys.issues.activeRun("PAP-759"),
});
});
it("ignores run status events for other issues", () => {
const invalidations: unknown[] = [];
const queryClient = {
invalidateQueries: (input: unknown) => {
invalidations.push(input);
},
getQueryData: (key: unknown) => {
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.detail("PAP-759"))) {
return {
id: "issue-1",
identifier: "PAP-759",
assigneeAgentId: "agent-1",
};
}
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.activeRun("PAP-759"))) {
return {
id: "run-1",
};
}
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.liveRuns("PAP-759"))) {
return [{ id: "run-1" }];
}
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.runs("PAP-759"))) {
return [{ runId: "run-1" }];
}
return undefined;
},
};
const invalidated = __liveUpdatesTestUtils.invalidateVisibleIssueRunQueries(
queryClient as never,
"/PAP/issues/PAP-759",
{
runId: "run-2",
agentId: "agent-2",
status: "succeeded",
},
{ isForegrounded: true },
);
expect(invalidated).toBe(false);
expect(invalidations).toEqual([]);
});
});
describe("LiveUpdatesProvider visible issue comment hydration", () => {
it("hydrates the visible issue comments cache with only the new comment", async () => {
getCommentMock.mockResolvedValueOnce({
id: "comment-2",
companyId: "company-1",
issueId: "issue-1",
authorAgentId: "agent-1",
authorUserId: null,
body: "Second comment",
createdAt: "2026-04-13T15:00:00.000Z",
updatedAt: "2026-04-13T15:00:00.000Z",
});
const setCalls: Array<{ key: unknown; value: unknown }> = [];
const queryClient = {
getQueryData: (key: unknown) => {
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.detail("PAP-759"))) {
return {
id: "issue-1",
identifier: "PAP-759",
assigneeAgentId: "agent-1",
};
}
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.comments("PAP-759"))) {
return {
pages: [[{
id: "comment-1",
companyId: "company-1",
issueId: "issue-1",
authorAgentId: null,
authorUserId: "user-1",
body: "First comment",
createdAt: "2026-04-13T14:00:00.000Z",
updatedAt: "2026-04-13T14:00:00.000Z",
}]],
pageParams: [null],
};
}
return undefined;
},
setQueryData: (key: unknown, updater: (value: unknown) => unknown) => {
const current = queryClient.getQueryData(key);
setCalls.push({ key, value: updater(current) });
},
invalidateQueries: vi.fn(),
};
await __liveUpdatesTestUtils.hydrateVisibleIssueComment(
queryClient as never,
"/PAP/issues/PAP-759",
{
entityType: "issue",
entityId: "issue-1",
action: "issue.comment_added",
details: {
identifier: "PAP-759",
commentId: "comment-2",
},
},
{ isForegrounded: true },
);
expect(getCommentMock).toHaveBeenCalledWith("PAP-759", "comment-2");
expect(setCalls).toHaveLength(1);
expect(setCalls[0]?.key).toEqual(queryKeys.issues.comments("PAP-759"));
expect(setCalls[0]?.value).toEqual({
pages: [[
{
id: "comment-2",
companyId: "company-1",
issueId: "issue-1",
authorAgentId: "agent-1",
authorUserId: null,
body: "Second comment",
createdAt: "2026-04-13T15:00:00.000Z",
updatedAt: "2026-04-13T15:00:00.000Z",
},
{
id: "comment-1",
companyId: "company-1",
issueId: "issue-1",
authorAgentId: null,
authorUserId: "user-1",
body: "First comment",
createdAt: "2026-04-13T14:00:00.000Z",
updatedAt: "2026-04-13T14:00:00.000Z",
},
]],
pageParams: [null],
});
});
});
describe("LiveUpdatesProvider visible issue toast suppression", () => {
it("suppresses activity toasts for the issue page currently in view", () => {
const queryClient = {
getQueryData: (key: unknown) => {
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.detail("PAP-759"))) {
return {
id: "issue-1",
identifier: "PAP-759",
assigneeAgentId: "agent-1",
};
}
return undefined;
},
};
expect(
__liveUpdatesTestUtils.shouldSuppressActivityToastForVisibleIssue(
queryClient as never,
"/PAP/issues/PAP-759",
{
entityType: "issue",
entityId: "issue-1",
details: { identifier: "PAP-759" },
},
{ isForegrounded: true },
),
).toBe(true);
expect(
__liveUpdatesTestUtils.shouldSuppressActivityToastForVisibleIssue(
queryClient as never,
"/PAP/issues/PAP-759",
{
entityType: "issue",
entityId: "issue-2",
details: { identifier: "PAP-760" },
},
{ isForegrounded: true },
),
).toBe(false);
});
it("suppresses run and agent status toasts for the assignee of the visible issue", () => {
const queryClient = {
getQueryData: (key: unknown) => {
if (JSON.stringify(key) === JSON.stringify(queryKeys.issues.detail("PAP-759"))) {
return {
id: "issue-1",
identifier: "PAP-759",
assigneeAgentId: "agent-1",
};
}
return undefined;
},
};
expect(
__liveUpdatesTestUtils.shouldSuppressRunStatusToastForVisibleIssue(
queryClient as never,
"/PAP/issues/PAP-759",
{
runId: "run-1",
agentId: "agent-1",
},
{ isForegrounded: true },
),
).toBe(true);
expect(
__liveUpdatesTestUtils.shouldSuppressAgentStatusToastForVisibleIssue(
queryClient as never,
"/PAP/issues/PAP-759",
{
agentId: "agent-1",
status: "running",
},
{ isForegrounded: true },
),
).toBe(true);
});
});
describe("LiveUpdatesProvider run lifecycle toasts", () => {
it("does not build start or success toasts for agent runs", () => {
const queryClient = {
getQueryData: () => [],
};
expect(
__liveUpdatesTestUtils.buildAgentStatusToast(
{
agentId: "agent-1",
status: "running",
},
() => "CodexCoder",
queryClient as never,
"company-1",
),
).toBeNull();
expect(
__liveUpdatesTestUtils.buildRunStatusToast(
{
runId: "run-1",
agentId: "agent-1",
status: "succeeded",
},
() => "CodexCoder",
),
).toBeNull();
});
it("still builds failure toasts for agent errors and failed runs", () => {
const queryClient = {
getQueryData: () => [
{
id: "agent-1",
title: "Software Engineer",
},
],
};
expect(
__liveUpdatesTestUtils.buildAgentStatusToast(
{
agentId: "agent-1",
status: "error",
},
() => "CodexCoder",
queryClient as never,
"company-1",
),
).toMatchObject({
title: "CodexCoder errored",
body: "Software Engineer",
tone: "error",
});
expect(
__liveUpdatesTestUtils.buildRunStatusToast(
{
runId: "run-1",
agentId: "agent-1",
status: "failed",
error: "boom",
},
() => "CodexCoder",
),
).toMatchObject({
title: "CodexCoder run failed",
body: "boom",
tone: "error",
});
});
});
Reference in New Issue View Git Blame Copy Permalink