forked from farhoodlabs/paperclip
9aea3e3d35
## Thinking Path > - Paperclip orchestrates AI-agent companies through company-scoped issues, projects, agents, and board-visible workflows. > - The board sidebar and project list are the daily navigation surface for that control plane. > - Users need to keep all projects and agents accessible while hiding resources they have intentionally left from their own sidebar. > - That requires user-scoped resource membership state backed by company-scoped API and database contracts. > - The branch also needed to preserve HTTP worktree login sessions and keep the project list easier to scan after membership grouping. > - This pull request adds resource membership controls, sidebar leave actions, grouped/sortable project listings, and focused tests. > - The benefit is a cleaner personal workspace view without weakening company-scoped access to the underlying project or agent detail pages. ## What Changed - Added `project_memberships` and `agent_memberships` tables with API/shared/server contracts for current-user join/leave state. - Renumbered the membership migration to `0090_resource_memberships` after rebasing onto current `master`, and made it idempotent for anyone who had applied the old branch-local `0087` migration. - Added project and agent sidebar leave actions, plus list filtering that waits for membership state before hiding resources. - Added grouped project listing, project sorting controls, and reserved row subtitle height for cleaner scanning. - Fixed HTTP auth cookie security handling so HTTP worktree sessions can persist. - Updated focused server and UI tests for the new membership, sidebar, project list, and auth behavior. ## Verification - `pnpm exec vitest run server/src/__tests__/better-auth.test.ts server/src/__tests__/resource-memberships-routes.test.ts ui/src/pages/Projects.test.tsx ui/src/components/SidebarProjects.test.tsx ui/src/components/SidebarAgents.test.tsx ui/src/components/MembershipAction.test.tsx ui/src/components/EntityRow.test.tsx` - Confirmed the branch is rebased on current `origin/master`. - Confirmed the PR diff does not include `pnpm-lock.yaml` or `.github/workflows` changes. ## Risks - Migration safety: low to medium. The migration now uses `IF NOT EXISTS` / guarded constraints and is numbered after current master migrations, but it should still get CI coverage against fresh databases. - UI behavior: low. Left resources are hidden from sidebar only after membership state loads; direct detail access remains available. - Auth behavior: low. Cookie security is relaxed only for HTTP/private local-style origins where secure cookies would prevent login persistence. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI GPT-5 Codex coding agent, tool-enabled shell/git workflow, context window not exposed by runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge Screenshot note: no browser screenshots were captured in this heartbeat; the UI changes are covered by focused component tests above. --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
219 lines
6.9 KiB
TypeScript
219 lines
6.9 KiB
TypeScript
import { randomUUID } from "node:crypto";
|
|
import express from "express";
|
|
import request from "supertest";
|
|
import { afterAll, afterEach, beforeAll, describe, expect, it } from "vitest";
|
|
import {
|
|
activityLog,
|
|
agentMemberships,
|
|
agents,
|
|
companies,
|
|
createDb,
|
|
projectMemberships,
|
|
projects,
|
|
} from "@paperclipai/db";
|
|
import {
|
|
getEmbeddedPostgresTestSupport,
|
|
startEmbeddedPostgresTestDatabase,
|
|
} from "./helpers/embedded-postgres.js";
|
|
import { resourceMembershipRoutes } from "../routes/resource-memberships.js";
|
|
import { errorHandler } from "../middleware/index.js";
|
|
import { resourceMembershipService } from "../services/resource-memberships.js";
|
|
|
|
const embeddedPostgresSupport = await getEmbeddedPostgresTestSupport();
|
|
const describeEmbeddedPostgres = embeddedPostgresSupport.supported ? describe : describe.skip;
|
|
|
|
if (!embeddedPostgresSupport.supported) {
|
|
console.warn(
|
|
`Skipping embedded Postgres resource membership tests on this host: ${embeddedPostgresSupport.reason ?? "unsupported environment"}`,
|
|
);
|
|
}
|
|
|
|
function boardActor(companyId: string, role: "admin" | "operator" | "viewer" = "viewer") {
|
|
return {
|
|
type: "board" as const,
|
|
userId: "user-1",
|
|
source: "session" as const,
|
|
isInstanceAdmin: false,
|
|
companyIds: [companyId],
|
|
memberships: [{ companyId, membershipRole: role, status: "active" }],
|
|
};
|
|
}
|
|
|
|
function createApp(db: ReturnType<typeof createDb>, actor: Express.Request["actor"]) {
|
|
const app = express();
|
|
app.use(express.json());
|
|
app.use((req, _res, next) => {
|
|
req.actor = actor;
|
|
next();
|
|
});
|
|
app.use("/api", resourceMembershipRoutes(db));
|
|
app.use(errorHandler);
|
|
return app;
|
|
}
|
|
|
|
describeEmbeddedPostgres("resource membership routes", () => {
|
|
let db!: ReturnType<typeof createDb>;
|
|
let tempDb: Awaited<ReturnType<typeof startEmbeddedPostgresTestDatabase>> | null = null;
|
|
|
|
beforeAll(async () => {
|
|
tempDb = await startEmbeddedPostgresTestDatabase("paperclip-resource-memberships-");
|
|
db = createDb(tempDb.connectionString);
|
|
}, 20_000);
|
|
|
|
afterEach(async () => {
|
|
await db.delete(activityLog);
|
|
await db.delete(projectMemberships);
|
|
await db.delete(agentMemberships);
|
|
await db.delete(projects);
|
|
await db.delete(agents);
|
|
await db.delete(companies);
|
|
});
|
|
|
|
afterAll(async () => {
|
|
await tempDb?.cleanup();
|
|
});
|
|
|
|
async function seed() {
|
|
const companyId = randomUUID();
|
|
const otherCompanyId = randomUUID();
|
|
const projectId = randomUUID();
|
|
const otherProjectId = randomUUID();
|
|
const agentId = randomUUID();
|
|
const otherAgentId = randomUUID();
|
|
await db.insert(companies).values([
|
|
{
|
|
id: companyId,
|
|
name: "Paperclip",
|
|
issuePrefix: `T${companyId.replace(/-/g, "").slice(0, 6).toUpperCase()}`,
|
|
requireBoardApprovalForNewAgents: false,
|
|
},
|
|
{
|
|
id: otherCompanyId,
|
|
name: "Other",
|
|
issuePrefix: `T${otherCompanyId.replace(/-/g, "").slice(0, 6).toUpperCase()}`,
|
|
requireBoardApprovalForNewAgents: false,
|
|
},
|
|
]);
|
|
await db.insert(projects).values([
|
|
{ id: projectId, companyId, name: "Growth", status: "in_progress" },
|
|
{ id: otherProjectId, companyId: otherCompanyId, name: "Other", status: "in_progress" },
|
|
]);
|
|
await db.insert(agents).values([
|
|
{
|
|
id: agentId,
|
|
companyId,
|
|
name: "CodexCoder",
|
|
role: "engineer",
|
|
status: "active",
|
|
adapterType: "codex_local",
|
|
adapterConfig: {},
|
|
runtimeConfig: {},
|
|
permissions: {},
|
|
},
|
|
{
|
|
id: otherAgentId,
|
|
companyId: otherCompanyId,
|
|
name: "OtherAgent",
|
|
role: "engineer",
|
|
status: "active",
|
|
adapterType: "codex_local",
|
|
adapterConfig: {},
|
|
runtimeConfig: {},
|
|
permissions: {},
|
|
},
|
|
]);
|
|
return { companyId, otherAgentId, otherProjectId, projectId, agentId };
|
|
}
|
|
|
|
it("defaults missing membership rows to joined", async () => {
|
|
const { companyId } = await seed();
|
|
const app = createApp(db, boardActor(companyId));
|
|
|
|
const res = await request(app).get(`/api/companies/${companyId}/resource-memberships/me`);
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toEqual({
|
|
projectMemberships: {},
|
|
agentMemberships: {},
|
|
updatedAt: null,
|
|
});
|
|
});
|
|
|
|
it("allows viewer self-service mutations, logs changes, and keeps repeats idempotent", async () => {
|
|
const { companyId, projectId } = await seed();
|
|
const app = createApp(db, boardActor(companyId, "viewer"));
|
|
|
|
const first = await request(app)
|
|
.put(`/api/companies/${companyId}/resource-memberships/me/projects/${projectId}`)
|
|
.send({ state: "left" });
|
|
const second = await request(app)
|
|
.put(`/api/companies/${companyId}/resource-memberships/me/projects/${projectId}`)
|
|
.send({ state: "left" });
|
|
|
|
expect(first.status).toBe(200);
|
|
expect(first.body).toMatchObject({ resourceType: "project", resourceId: projectId, state: "left" });
|
|
expect(second.status).toBe(200);
|
|
|
|
const rows = await db.select().from(projectMemberships);
|
|
expect(rows).toHaveLength(1);
|
|
expect(rows[0]).toMatchObject({ companyId, projectId, userId: "user-1", state: "left" });
|
|
|
|
const activity = await db.select().from(activityLog);
|
|
expect(activity).toHaveLength(1);
|
|
expect(activity[0]).toMatchObject({
|
|
companyId,
|
|
actorType: "user",
|
|
actorId: "user-1",
|
|
action: "resource_membership.left",
|
|
entityType: "project",
|
|
entityId: projectId,
|
|
});
|
|
});
|
|
|
|
it("rejects agent API key actors", async () => {
|
|
const { companyId, agentId } = await seed();
|
|
const app = createApp(db, {
|
|
type: "agent",
|
|
agentId,
|
|
companyId,
|
|
source: "agent_key",
|
|
});
|
|
|
|
const res = await request(app).get(`/api/companies/${companyId}/resource-memberships/me`);
|
|
|
|
expect(res.status).toBe(403);
|
|
});
|
|
|
|
it("rejects cross-company target resources", async () => {
|
|
const { companyId, otherAgentId, otherProjectId } = await seed();
|
|
const app = createApp(db, boardActor(companyId));
|
|
|
|
const projectRes = await request(app)
|
|
.put(`/api/companies/${companyId}/resource-memberships/me/projects/${otherProjectId}`)
|
|
.send({ state: "left" });
|
|
const agentRes = await request(app)
|
|
.put(`/api/companies/${companyId}/resource-memberships/me/agents/${otherAgentId}`)
|
|
.send({ state: "left" });
|
|
|
|
expect(projectRes.status).toBe(404);
|
|
expect(agentRes.status).toBe(404);
|
|
await expect(db.select().from(projectMemberships)).resolves.toHaveLength(0);
|
|
await expect(db.select().from(agentMemberships)).resolves.toHaveLength(0);
|
|
});
|
|
|
|
it("denies direct service calls that try to mutate another user's membership", async () => {
|
|
const { companyId, projectId } = await seed();
|
|
const svc = resourceMembershipService(db);
|
|
|
|
await expect(
|
|
svc.updateProject({
|
|
companyId,
|
|
projectId,
|
|
userId: "other-user",
|
|
state: "left",
|
|
actor: boardActor(companyId),
|
|
}),
|
|
).rejects.toMatchObject({ status: 403 });
|
|
});
|
|
});
|