Add company artifacts page (#7621)

## Thinking Path

> - Paperclip is the open source app people use to manage AI agents for
work.
> - Operators need a way to inspect files and work products created by
agents across a company without opening each issue one by one.
> - The existing issue detail surfaces already show attachments and
outputs, but there was no company-level artifacts index or search-result
affordance for artifact-like records.
> - The backend needed a company-scoped artifacts projection API that
preserves issue/run attribution and safe links back to source records.
> - The UI needed a first-class Artifacts page, sidebar entry, reusable
artifact cards, and deep-link handling that keeps company prefixes
intact.
> - This pull request adds the company artifacts API and page, then
wires artifacts into search and issue output surfaces.
> - The benefit is a single place to browse, filter, and open generated
work products and attachments while preserving company boundaries.

## Linked Issues or Issue Description

Fixes #7622.

Feature request fields:

- Problem/motivation: company operators need a consolidated artifacts
surface for attachments and work products produced by agents.
- Proposed solution: add a company-scoped artifacts projection endpoint,
a board Artifacts route, reusable cards, sidebar navigation, and
artifact search integration.
- Alternatives considered: keep artifact discovery only on individual
issue pages; that forces operators to know the source issue before
finding generated outputs.
- Roadmap alignment: checked `ROADMAP.md`; this is a focused board
UI/API improvement and does not duplicate a listed roadmap item.

## What Changed

- Added shared artifact types and validators.
- Added a company-scoped artifact projection service/API with tests for
attachment/work-product attribution.
- Added Artifacts board UI route, API client, sidebar link, cards,
filters, and storybook coverage.
- Added artifact result handling to company search and issue
output/deep-link flows.
- Rebased the branch onto the latest `public-gh/master` state and
resolved the route-test conflict by preserving both upstream
team-catalog coverage and artifact route coverage.
- Fixed a local Sidebar test helper so it no longer depends on a
runtime-undefined `React.act` export in this dependency install.

## Verification

- `pnpm --filter @paperclipai/ui exec vitest run
src/components/artifacts/ArtifactCard.test.tsx src/api/artifacts.test.ts
src/lib/company-routes.test.ts`
- `pnpm --filter @paperclipai/ui exec vitest run
src/pages/Artifacts.test.tsx src/pages/Search.test.tsx
src/components/Sidebar.test.tsx`
- `pnpm exec vitest run
server/src/__tests__/company-artifacts-service.test.ts
server/src/__tests__/company-search-service.test.ts
server/src/__tests__/company-search-rate-limit-routes.test.ts
server/src/__tests__/issue-agent-mutation-ownership-routes.test.ts`
- Confirmed the PR diff does not include `pnpm-lock.yaml` or
`.github/workflows/*`.
- Duplicate search: no open PRs or issues found for `artifact page
ArtifactCard` in `paperclipai/paperclip`.

Screenshots are intentionally omitted per the internal task instruction
not to add design screenshots or images to this PR unless they are
specifically part of the work. I also attempted browser capture in this
runner, but `agent-browser` failed to launch Chrome and Playwright
Chromium is missing `libatk-1.0.so.0`.

## Risks

- Low-to-medium risk: this adds a new API projection and UI surface, so
attribution/link regressions could affect artifact navigation.
- Company scoping is covered in the new service/API tests.
- No database migrations are included.
- No lockfile or workflow changes are included.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

OpenAI Codex, GPT-5 coding agent with tool use and local command
execution. Exact hosted model identifier is not exposed in this runtime.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have searched GitHub for duplicate or related PRs and linked
them above
- [x] I have either (a) linked existing issues with `Fixes: #` / `Closes
#` / `Refs #` OR (b) described the issue in-PR following the relevant
issue template
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [ ] If this change affects the UI, I have included before/after
screenshots (intentionally omitted per task instruction; browser capture
unavailable in this runner)
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [ ] All Paperclip CI gates are green
- [ ] Greptile is 5/5 with no open P2s, recommendations, or follow-ups
- [x] I will address all Greptile and reviewer comments before
requesting merge

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Dotta
2026-06-05 13:11:05 -10:00
committed by GitHub
parent dbebf30c89
commit 4693d770aa
39 changed files with 2706 additions and 71 deletions
+10
View File
@@ -5,6 +5,7 @@ import type { Db } from "@paperclipai/db";
import { agents as agentsTable } from "@paperclipai/db";
import {
DEFAULT_FEEDBACK_DATA_SHARING_TERMS_VERSION,
companyArtifactsQuerySchema,
companyPortabilityExportSchema,
companyPortabilityImportSchema,
companyPortabilityPreviewSchema,
@@ -21,6 +22,7 @@ import {
accessService,
agentService,
budgetService,
companyArtifactsService,
companyPortabilityService,
companyService,
feedbackService,
@@ -37,6 +39,7 @@ export function companyRoutes(db: Db, storage?: StorageService) {
const portability = companyPortabilityService(db, storage);
const access = accessService(db);
const budgets = budgetService(db);
const artifacts = companyArtifactsService(db, storage);
const feedback = feedbackService(db);
const importJobs = new Map<string, ImportJobRecord>();
const importJobTerminalRetentionMs = 5 * 60 * 1000;
@@ -125,6 +128,13 @@ export function companyRoutes(db: Db, storage?: StorageService) {
});
});
router.get("/:companyId/artifacts", async (req, res) => {
const companyId = req.params.companyId as string;
assertCompanyAccess(req, companyId);
const query = companyArtifactsQuerySchema.parse(req.query);
res.json(await artifacts.list(companyId, query));
});
router.get("/:companyId", async (req, res) => {
const companyId = req.params.companyId as string;
assertCompanyAccess(req, companyId);
+56
View File
@@ -6,6 +6,7 @@ import { and, desc, eq, inArray, notInArray } from "drizzle-orm";
import type { Db } from "@paperclipai/db";
import {
activityLog,
agents,
documents,
executionWorkspaces,
heartbeatRuns,
@@ -1926,6 +1927,55 @@ export function issueRoutes(
return false;
}
async function loadWorkProductRunAttribution(runId: string) {
return await db
.select({
id: heartbeatRuns.id,
companyId: heartbeatRuns.companyId,
agentId: heartbeatRuns.agentId,
agentCompanyId: agents.companyId,
})
.from(heartbeatRuns)
.innerJoin(agents, eq(heartbeatRuns.agentId, agents.id))
.where(eq(heartbeatRuns.id, runId))
.then((rows) => rows[0] ?? null);
}
async function resolveWorkProductCreatedByRunId(
req: Request,
res: Response,
companyId: string,
input: { createdByRunId?: string | null },
mode: "create" | "update",
): Promise<string | null | undefined> {
const hasCreatedByRunId = Object.prototype.hasOwnProperty.call(input, "createdByRunId");
if (mode === "update" && !hasCreatedByRunId) return undefined;
const requestedRunId = input.createdByRunId ?? null;
if (req.actor.type === "agent") {
const actorRunId = req.actor.runId?.trim() || null;
if (requestedRunId && requestedRunId !== actorRunId) {
res.status(403).json({ error: "createdByRunId must match the authenticated agent run" });
return undefined;
}
if (!actorRunId) return requestedRunId;
const run = await loadWorkProductRunAttribution(actorRunId);
if (!run || run.companyId !== companyId || run.agentCompanyId !== companyId || run.agentId !== req.actor.agentId) {
res.status(403).json({ error: "createdByRunId is not valid for this work product actor" });
return undefined;
}
return actorRunId;
}
if (!requestedRunId) return null;
const run = await loadWorkProductRunAttribution(requestedRunId);
if (!run || run.companyId !== companyId || run.agentCompanyId !== companyId) {
res.status(403).json({ error: "createdByRunId is not valid for this company" });
return undefined;
}
return requestedRunId;
}
function assertStructuredCommentFieldsAllowed(
req: Request,
res: Response,
@@ -3669,6 +3719,9 @@ export function issueRoutes(
projectId: req.body.projectId ?? issue.projectId ?? null,
sourceTrust: await sourceTrustForActorWrite(issue, actor),
};
const createdByRunId = await resolveWorkProductCreatedByRunId(req, res, issue.companyId, req.body, "create");
if (createdByRunId === undefined) return;
createInput.createdByRunId = createdByRunId;
if (requiresPaperclipAttachmentMetadata(createInput)) {
createInput.metadata = await canonicalizePaperclipArtifactMetadata({
issue,
@@ -3862,6 +3915,9 @@ export function issueRoutes(
if (!(await assertDeliverableMutationAllowedByRunContext(req, res, issue))) return;
const actor = getActorInfo(req);
const patch = { ...req.body };
const createdByRunId = await resolveWorkProductCreatedByRunId(req, res, existing.companyId, req.body, "update");
if (createdByRunId === undefined && Object.prototype.hasOwnProperty.call(req.body, "createdByRunId")) return;
if (createdByRunId !== undefined) patch.createdByRunId = createdByRunId;
if (requiresPaperclipAttachmentMetadata(patch, existing)) {
if (patch.metadata !== undefined) {
patch.metadata = await canonicalizePaperclipArtifactMetadata({
+24
View File
@@ -35,6 +35,8 @@ import {
createCompanySchema,
updateCompanySchema,
updateCompanyBrandingSchema,
companyArtifactsQuerySchema,
companyArtifactsResponseSchema,
// Routine
createRoutineSchema,
updateRoutineSchema,
@@ -789,6 +791,28 @@ registry.registerPath({
responses: { 200: r.ok(), 401: r.unauthorized, 404: r.notFound },
});
registry.registerPath({
method: "get",
path: "/api/companies/{companyId}/artifacts",
tags: ["companies"],
summary: "List company artifacts",
request: {
params: z.object({ companyId: z.string() }),
query: companyArtifactsQuerySchema,
},
responses: {
200: {
description: "Company artifact projection",
content: {
"application/json": {
schema: companyArtifactsResponseSchema,
},
},
},
401: r.unauthorized,
},
});
registry.registerPath({
method: "patch",
path: "/api/companies/{companyId}",