9aea3e3d35
## Thinking Path > - Paperclip orchestrates AI-agent companies through company-scoped issues, projects, agents, and board-visible workflows. > - The board sidebar and project list are the daily navigation surface for that control plane. > - Users need to keep all projects and agents accessible while hiding resources they have intentionally left from their own sidebar. > - That requires user-scoped resource membership state backed by company-scoped API and database contracts. > - The branch also needed to preserve HTTP worktree login sessions and keep the project list easier to scan after membership grouping. > - This pull request adds resource membership controls, sidebar leave actions, grouped/sortable project listings, and focused tests. > - The benefit is a cleaner personal workspace view without weakening company-scoped access to the underlying project or agent detail pages. ## What Changed - Added `project_memberships` and `agent_memberships` tables with API/shared/server contracts for current-user join/leave state. - Renumbered the membership migration to `0090_resource_memberships` after rebasing onto current `master`, and made it idempotent for anyone who had applied the old branch-local `0087` migration. - Added project and agent sidebar leave actions, plus list filtering that waits for membership state before hiding resources. - Added grouped project listing, project sorting controls, and reserved row subtitle height for cleaner scanning. - Fixed HTTP auth cookie security handling so HTTP worktree sessions can persist. - Updated focused server and UI tests for the new membership, sidebar, project list, and auth behavior. ## Verification - `pnpm exec vitest run server/src/__tests__/better-auth.test.ts server/src/__tests__/resource-memberships-routes.test.ts ui/src/pages/Projects.test.tsx ui/src/components/SidebarProjects.test.tsx ui/src/components/SidebarAgents.test.tsx ui/src/components/MembershipAction.test.tsx ui/src/components/EntityRow.test.tsx` - Confirmed the branch is rebased on current `origin/master`. - Confirmed the PR diff does not include `pnpm-lock.yaml` or `.github/workflows` changes. ## Risks - Migration safety: low to medium. The migration now uses `IF NOT EXISTS` / guarded constraints and is numbered after current master migrations, but it should still get CI coverage against fresh databases. - UI behavior: low. Left resources are hidden from sidebar only after membership state loads; direct detail access remains available. - Auth behavior: low. Cookie security is relaxed only for HTTP/private local-style origins where secure cookies would prevent login persistence. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI GPT-5 Codex coding agent, tool-enabled shell/git workflow, context window not exposed by runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge Screenshot note: no browser screenshots were captured in this heartbeat; the UI changes are covered by focused component tests above. --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
319 lines
9.9 KiB
TypeScript
319 lines
9.9 KiB
TypeScript
import { and, eq } from "drizzle-orm";
|
|
import type { Db } from "@paperclipai/db";
|
|
import {
|
|
agentMemberships,
|
|
agents,
|
|
projectMemberships,
|
|
projects,
|
|
} from "@paperclipai/db";
|
|
import type {
|
|
ResourceMembershipResourceType,
|
|
ResourceMembershipState,
|
|
ResourceMemberships,
|
|
ResourceMembershipUpdateResult,
|
|
} from "@paperclipai/shared";
|
|
import { forbidden, notFound } from "../errors.js";
|
|
import { logger } from "../middleware/logger.js";
|
|
|
|
type BoardActor = {
|
|
type: "board" | "agent" | "none";
|
|
userId?: string;
|
|
companyIds?: string[];
|
|
memberships?: Array<{
|
|
companyId: string;
|
|
membershipRole?: string | null;
|
|
status?: string;
|
|
}>;
|
|
isInstanceAdmin?: boolean;
|
|
source?: string;
|
|
};
|
|
|
|
type PolicyDecision = {
|
|
allowed: boolean;
|
|
reason?: string | null;
|
|
source?: string | null;
|
|
};
|
|
|
|
export type ResourceMembershipPolicyHook = (input: {
|
|
actor: BoardActor;
|
|
companyId: string;
|
|
userId: string;
|
|
resourceType: ResourceMembershipResourceType;
|
|
resourceId: string;
|
|
state: ResourceMembershipState;
|
|
}) => Promise<PolicyDecision> | PolicyDecision;
|
|
|
|
type ResourceMembershipServiceOptions = {
|
|
policyHook?: ResourceMembershipPolicyHook | null;
|
|
};
|
|
|
|
function defaultJoinedMap<T extends { projectId?: string; agentId?: string; state: string }>(
|
|
rows: T[],
|
|
key: "projectId" | "agentId",
|
|
): Record<string, ResourceMembershipState> {
|
|
const result: Record<string, ResourceMembershipState> = {};
|
|
for (const row of rows) {
|
|
const id = row[key];
|
|
if (typeof id !== "string") continue;
|
|
result[id] = row.state === "left" ? "left" : "joined";
|
|
}
|
|
return result;
|
|
}
|
|
|
|
function latestDate(...dates: Array<Date | null | undefined>): Date | null {
|
|
let latest: Date | null = null;
|
|
for (const date of dates) {
|
|
if (!date) continue;
|
|
if (!latest || date.getTime() > latest.getTime()) latest = date;
|
|
}
|
|
return latest;
|
|
}
|
|
|
|
function assertBoardSelfMembershipAccess(actor: BoardActor, companyId: string, userId: string) {
|
|
if (actor.type !== "board" || !actor.userId) {
|
|
throw forbidden("Board user access required");
|
|
}
|
|
if (actor.userId !== userId) {
|
|
throw forbidden("Users may only update their own resource memberships");
|
|
}
|
|
if (actor.source === "local_implicit" || actor.isInstanceAdmin) {
|
|
return;
|
|
}
|
|
const membership = actor.memberships?.find((item) => item.companyId === companyId);
|
|
if (!membership || membership.status !== "active") {
|
|
throw forbidden("User does not have active company access");
|
|
}
|
|
}
|
|
|
|
async function evaluatePolicy(
|
|
hook: ResourceMembershipPolicyHook | null | undefined,
|
|
input: Parameters<ResourceMembershipPolicyHook>[0],
|
|
): Promise<PolicyDecision> {
|
|
if (!hook) return { allowed: true, source: "oss_default" };
|
|
try {
|
|
const decision = await hook(input);
|
|
return {
|
|
allowed: decision.allowed === true,
|
|
reason: decision.reason ?? null,
|
|
source: decision.source ?? "policy_hook",
|
|
};
|
|
} catch (err) {
|
|
logger.warn(
|
|
{ err, companyId: input.companyId, resourceType: input.resourceType, resourceId: input.resourceId },
|
|
"resource membership policy hook failed closed",
|
|
);
|
|
return { allowed: false, reason: "policy_hook_failed", source: "policy_hook" };
|
|
}
|
|
}
|
|
|
|
export function resourceMembershipService(db: Db, options: ResourceMembershipServiceOptions = {}) {
|
|
const policyHook = options.policyHook ?? null;
|
|
|
|
async function assertMutationAllowed(input: {
|
|
actor: BoardActor;
|
|
companyId: string;
|
|
userId: string;
|
|
resourceType: ResourceMembershipResourceType;
|
|
resourceId: string;
|
|
state: ResourceMembershipState;
|
|
}): Promise<PolicyDecision> {
|
|
assertBoardSelfMembershipAccess(input.actor, input.companyId, input.userId);
|
|
const decision = await evaluatePolicy(policyHook, input);
|
|
if (!decision.allowed) {
|
|
logger.warn(
|
|
{
|
|
companyId: input.companyId,
|
|
userId: input.userId,
|
|
resourceType: input.resourceType,
|
|
resourceId: input.resourceId,
|
|
reason: decision.reason ?? "denied",
|
|
source: decision.source ?? "policy_hook",
|
|
},
|
|
"resource membership mutation denied",
|
|
);
|
|
throw forbidden("Resource membership policy denied this request");
|
|
}
|
|
return decision;
|
|
}
|
|
|
|
return {
|
|
async listForUser(companyId: string, userId: string, actor: BoardActor): Promise<ResourceMemberships> {
|
|
assertBoardSelfMembershipAccess(actor, companyId, userId);
|
|
const [projectRows, agentRows] = await Promise.all([
|
|
db
|
|
.select({
|
|
projectId: projectMemberships.projectId,
|
|
state: projectMemberships.state,
|
|
updatedAt: projectMemberships.updatedAt,
|
|
})
|
|
.from(projectMemberships)
|
|
.where(and(
|
|
eq(projectMemberships.companyId, companyId),
|
|
eq(projectMemberships.userId, userId),
|
|
)),
|
|
db
|
|
.select({
|
|
agentId: agentMemberships.agentId,
|
|
state: agentMemberships.state,
|
|
updatedAt: agentMemberships.updatedAt,
|
|
})
|
|
.from(agentMemberships)
|
|
.where(and(
|
|
eq(agentMemberships.companyId, companyId),
|
|
eq(agentMemberships.userId, userId),
|
|
)),
|
|
]);
|
|
return {
|
|
projectMemberships: defaultJoinedMap(projectRows, "projectId"),
|
|
agentMemberships: defaultJoinedMap(agentRows, "agentId"),
|
|
updatedAt: latestDate(
|
|
...projectRows.map((row) => row.updatedAt),
|
|
...agentRows.map((row) => row.updatedAt),
|
|
),
|
|
};
|
|
},
|
|
|
|
async updateProject(input: {
|
|
companyId: string;
|
|
userId: string;
|
|
projectId: string;
|
|
state: ResourceMembershipState;
|
|
actor: BoardActor;
|
|
}): Promise<ResourceMembershipUpdateResult & { changed: boolean; policySource: string }> {
|
|
const project = await db.query.projects.findFirst({
|
|
where: and(
|
|
eq(projects.id, input.projectId),
|
|
eq(projects.companyId, input.companyId),
|
|
),
|
|
});
|
|
if (!project) throw notFound("Project not found");
|
|
const decision = await assertMutationAllowed({
|
|
actor: input.actor,
|
|
companyId: input.companyId,
|
|
userId: input.userId,
|
|
resourceType: "project",
|
|
resourceId: input.projectId,
|
|
state: input.state,
|
|
});
|
|
|
|
const existing = await db.query.projectMemberships.findFirst({
|
|
where: and(
|
|
eq(projectMemberships.companyId, input.companyId),
|
|
eq(projectMemberships.userId, input.userId),
|
|
eq(projectMemberships.projectId, input.projectId),
|
|
),
|
|
});
|
|
const previousState: ResourceMembershipState = existing?.state === "left" ? "left" : "joined";
|
|
if (previousState === input.state) {
|
|
return {
|
|
resourceType: "project",
|
|
resourceId: input.projectId,
|
|
state: input.state,
|
|
updatedAt: existing?.updatedAt ?? new Date(),
|
|
changed: false,
|
|
policySource: decision.source ?? "oss_default",
|
|
};
|
|
}
|
|
|
|
const now = new Date();
|
|
const [row] = await db
|
|
.insert(projectMemberships)
|
|
.values({
|
|
companyId: input.companyId,
|
|
projectId: input.projectId,
|
|
userId: input.userId,
|
|
state: input.state,
|
|
updatedAt: now,
|
|
})
|
|
.onConflictDoUpdate({
|
|
target: [projectMemberships.companyId, projectMemberships.userId, projectMemberships.projectId],
|
|
set: {
|
|
state: input.state,
|
|
updatedAt: now,
|
|
},
|
|
})
|
|
.returning();
|
|
|
|
return {
|
|
resourceType: "project",
|
|
resourceId: input.projectId,
|
|
state: row?.state === "left" ? "left" : "joined",
|
|
updatedAt: row?.updatedAt ?? now,
|
|
changed: true,
|
|
policySource: decision.source ?? "oss_default",
|
|
};
|
|
},
|
|
|
|
async updateAgent(input: {
|
|
companyId: string;
|
|
userId: string;
|
|
agentId: string;
|
|
state: ResourceMembershipState;
|
|
actor: BoardActor;
|
|
}): Promise<ResourceMembershipUpdateResult & { changed: boolean; policySource: string }> {
|
|
const agent = await db.query.agents.findFirst({
|
|
where: and(
|
|
eq(agents.id, input.agentId),
|
|
eq(agents.companyId, input.companyId),
|
|
),
|
|
});
|
|
if (!agent) throw notFound("Agent not found");
|
|
const decision = await assertMutationAllowed({
|
|
actor: input.actor,
|
|
companyId: input.companyId,
|
|
userId: input.userId,
|
|
resourceType: "agent",
|
|
resourceId: input.agentId,
|
|
state: input.state,
|
|
});
|
|
|
|
const existing = await db.query.agentMemberships.findFirst({
|
|
where: and(
|
|
eq(agentMemberships.companyId, input.companyId),
|
|
eq(agentMemberships.userId, input.userId),
|
|
eq(agentMemberships.agentId, input.agentId),
|
|
),
|
|
});
|
|
const previousState: ResourceMembershipState = existing?.state === "left" ? "left" : "joined";
|
|
if (previousState === input.state) {
|
|
return {
|
|
resourceType: "agent",
|
|
resourceId: input.agentId,
|
|
state: input.state,
|
|
updatedAt: existing?.updatedAt ?? new Date(),
|
|
changed: false,
|
|
policySource: decision.source ?? "oss_default",
|
|
};
|
|
}
|
|
|
|
const now = new Date();
|
|
const [row] = await db
|
|
.insert(agentMemberships)
|
|
.values({
|
|
companyId: input.companyId,
|
|
agentId: input.agentId,
|
|
userId: input.userId,
|
|
state: input.state,
|
|
updatedAt: now,
|
|
})
|
|
.onConflictDoUpdate({
|
|
target: [agentMemberships.companyId, agentMemberships.userId, agentMemberships.agentId],
|
|
set: {
|
|
state: input.state,
|
|
updatedAt: now,
|
|
},
|
|
})
|
|
.returning();
|
|
|
|
return {
|
|
resourceType: "agent",
|
|
resourceId: input.agentId,
|
|
state: row?.state === "left" ? "left" : "joined",
|
|
updatedAt: row?.updatedAt ?? now,
|
|
changed: true,
|
|
policySource: decision.source ?? "oss_default",
|
|
};
|
|
},
|
|
};
|
|
}
|