2026-03-20 08:00:39 -05:00
|
|
|
import { useEffect, useState } from "react";
|
|
|
|
|
import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
|
2026-04-07 09:54:39 +02:00
|
|
|
import type { PatchInstanceGeneralSettings, BackupRetentionPolicy } from "@paperclipai/shared";
|
|
|
|
|
import {
|
|
|
|
|
DAILY_RETENTION_PRESETS,
|
|
|
|
|
WEEKLY_RETENTION_PRESETS,
|
|
|
|
|
MONTHLY_RETENTION_PRESETS,
|
|
|
|
|
DEFAULT_BACKUP_RETENTION,
|
|
|
|
|
} from "@paperclipai/shared";
|
|
|
|
|
import { LogOut, SlidersHorizontal } from "lucide-react";
|
2026-04-04 09:55:15 -05:00
|
|
|
import { authApi } from "@/api/auth";
|
feat: implement multi-user access and invite flows (#3784)
## Thinking Path
> - Paperclip is the control plane for autonomous AI companies.
> - V1 needs to stay local-first while also supporting shared,
authenticated deployments.
> - Human operators need real identities, company membership, invite
flows, profile surfaces, and company-scoped access controls.
> - Agents and operators also need the existing issue, inbox, workspace,
approval, and plugin flows to keep working under those authenticated
boundaries.
> - This branch accumulated the multi-user implementation, follow-up QA
fixes, workspace/runtime refinements, invite UX improvements,
release-branch conflict resolution, and review hardening.
> - This pull request consolidates that branch onto the current `master`
branch as a single reviewable PR.
> - The benefit is a complete multi-user implementation path with tests
and docs carried forward without dropping existing branch work.
## What Changed
- Added authenticated human-user access surfaces: auth/session routes,
company user directory, profile settings, company access/member
management, join requests, and invite management.
- Added invite creation, invite landing, onboarding, logo/branding,
invite grants, deduped join requests, and authenticated multi-user E2E
coverage.
- Tightened company-scoped and instance-admin authorization across
board, plugin, adapter, access, issue, and workspace routes.
- Added profile-image URL validation hardening, avatar preservation on
name-only profile updates, and join-request uniqueness migration cleanup
for pending human requests.
- Added an atomic member role/status/grants update path so Company
Access saves no longer leave partially updated permissions.
- Improved issue chat, inbox, assignee identity rendering,
sidebar/account/company navigation, workspace routing, and execution
workspace reuse behavior for multi-user operation.
- Added and updated server/UI tests covering auth, invites, membership,
issue workspace inheritance, plugin authz, inbox/chat behavior, and
multi-user flows.
- Merged current `public-gh/master` into this branch, resolved all
conflicts, and verified no `pnpm-lock.yaml` change is included in this
PR diff.
## Verification
- `pnpm exec vitest run server/src/__tests__/issues-service.test.ts
ui/src/components/IssueChatThread.test.tsx ui/src/pages/Inbox.test.tsx`
- `pnpm run preflight:workspace-links && pnpm exec vitest run
server/src/__tests__/plugin-routes-authz.test.ts`
- `pnpm exec vitest run server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/workspace-runtime-service-authz.test.ts
server/src/__tests__/access-validators.test.ts`
- `pnpm exec vitest run
server/src/__tests__/authz-company-access.test.ts
server/src/__tests__/routines-routes.test.ts
server/src/__tests__/sidebar-preferences-routes.test.ts
server/src/__tests__/approval-routes-idempotency.test.ts
server/src/__tests__/openclaw-invite-prompt-route.test.ts
server/src/__tests__/agent-cross-tenant-authz-routes.test.ts
server/src/__tests__/routines-e2e.test.ts`
- `pnpm exec vitest run server/src/__tests__/auth-routes.test.ts
ui/src/pages/CompanyAccess.test.tsx`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/db typecheck && pnpm --filter @paperclipai/server
typecheck`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/server typecheck`
- `pnpm --filter @paperclipai/ui typecheck`
- `pnpm db:generate`
- `npx playwright test --config tests/e2e/playwright.config.ts --list`
- Confirmed branch has no uncommitted changes and is `0` commits behind
`public-gh/master` before PR creation.
- Confirmed no `pnpm-lock.yaml` change is staged or present in the PR
diff.
## Risks
- High review surface area: this PR contains the accumulated multi-user
branch plus follow-up fixes, so reviewers should focus especially on
company-boundary enforcement and authenticated-vs-local deployment
behavior.
- UI behavior changed across invites, inbox, issue chat, access
settings, and sidebar navigation; no browser screenshots are included in
this branch-consolidation PR.
- Plugin install, upgrade, and lifecycle/config mutations now require
instance-admin access, which is intentional but may change expectations
for non-admin board users.
- A join-request dedupe migration rejects duplicate pending human
requests before creating unique indexes; deployments with unusual
historical duplicates should review the migration behavior.
- Company member role/status/grant saves now use a new combined
endpoint; older separate endpoints remain for compatibility.
- Full production build was not run locally in this heartbeat; CI should
cover the full matrix.
## Model Used
- OpenAI Codex coding agent, GPT-5-based model, CLI/tool-use
environment. Exact deployed model identifier and context window were not
exposed by the runtime.
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
Note on screenshots: this is a branch-consolidation PR for an
already-developed multi-user branch, and no browser screenshots were
captured during this heartbeat.
---------
Co-authored-by: dotta <dotta@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-17 09:44:19 -05:00
|
|
|
import { healthApi } from "@/api/health";
|
2026-03-20 08:00:39 -05:00
|
|
|
import { instanceSettingsApi } from "@/api/instanceSettings";
|
feat: implement multi-user access and invite flows (#3784)
## Thinking Path
> - Paperclip is the control plane for autonomous AI companies.
> - V1 needs to stay local-first while also supporting shared,
authenticated deployments.
> - Human operators need real identities, company membership, invite
flows, profile surfaces, and company-scoped access controls.
> - Agents and operators also need the existing issue, inbox, workspace,
approval, and plugin flows to keep working under those authenticated
boundaries.
> - This branch accumulated the multi-user implementation, follow-up QA
fixes, workspace/runtime refinements, invite UX improvements,
release-branch conflict resolution, and review hardening.
> - This pull request consolidates that branch onto the current `master`
branch as a single reviewable PR.
> - The benefit is a complete multi-user implementation path with tests
and docs carried forward without dropping existing branch work.
## What Changed
- Added authenticated human-user access surfaces: auth/session routes,
company user directory, profile settings, company access/member
management, join requests, and invite management.
- Added invite creation, invite landing, onboarding, logo/branding,
invite grants, deduped join requests, and authenticated multi-user E2E
coverage.
- Tightened company-scoped and instance-admin authorization across
board, plugin, adapter, access, issue, and workspace routes.
- Added profile-image URL validation hardening, avatar preservation on
name-only profile updates, and join-request uniqueness migration cleanup
for pending human requests.
- Added an atomic member role/status/grants update path so Company
Access saves no longer leave partially updated permissions.
- Improved issue chat, inbox, assignee identity rendering,
sidebar/account/company navigation, workspace routing, and execution
workspace reuse behavior for multi-user operation.
- Added and updated server/UI tests covering auth, invites, membership,
issue workspace inheritance, plugin authz, inbox/chat behavior, and
multi-user flows.
- Merged current `public-gh/master` into this branch, resolved all
conflicts, and verified no `pnpm-lock.yaml` change is included in this
PR diff.
## Verification
- `pnpm exec vitest run server/src/__tests__/issues-service.test.ts
ui/src/components/IssueChatThread.test.tsx ui/src/pages/Inbox.test.tsx`
- `pnpm run preflight:workspace-links && pnpm exec vitest run
server/src/__tests__/plugin-routes-authz.test.ts`
- `pnpm exec vitest run server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/workspace-runtime-service-authz.test.ts
server/src/__tests__/access-validators.test.ts`
- `pnpm exec vitest run
server/src/__tests__/authz-company-access.test.ts
server/src/__tests__/routines-routes.test.ts
server/src/__tests__/sidebar-preferences-routes.test.ts
server/src/__tests__/approval-routes-idempotency.test.ts
server/src/__tests__/openclaw-invite-prompt-route.test.ts
server/src/__tests__/agent-cross-tenant-authz-routes.test.ts
server/src/__tests__/routines-e2e.test.ts`
- `pnpm exec vitest run server/src/__tests__/auth-routes.test.ts
ui/src/pages/CompanyAccess.test.tsx`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/db typecheck && pnpm --filter @paperclipai/server
typecheck`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/server typecheck`
- `pnpm --filter @paperclipai/ui typecheck`
- `pnpm db:generate`
- `npx playwright test --config tests/e2e/playwright.config.ts --list`
- Confirmed branch has no uncommitted changes and is `0` commits behind
`public-gh/master` before PR creation.
- Confirmed no `pnpm-lock.yaml` change is staged or present in the PR
diff.
## Risks
- High review surface area: this PR contains the accumulated multi-user
branch plus follow-up fixes, so reviewers should focus especially on
company-boundary enforcement and authenticated-vs-local deployment
behavior.
- UI behavior changed across invites, inbox, issue chat, access
settings, and sidebar navigation; no browser screenshots are included in
this branch-consolidation PR.
- Plugin install, upgrade, and lifecycle/config mutations now require
instance-admin access, which is intentional but may change expectations
for non-admin board users.
- A join-request dedupe migration rejects duplicate pending human
requests before creating unique indexes; deployments with unusual
historical duplicates should review the migration behavior.
- Company member role/status/grant saves now use a new combined
endpoint; older separate endpoints remain for compatibility.
- Full production build was not run locally in this heartbeat; CI should
cover the full matrix.
## Model Used
- OpenAI Codex coding agent, GPT-5-based model, CLI/tool-use
environment. Exact deployed model identifier and context window were not
exposed by the runtime.
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
Note on screenshots: this is a branch-consolidation PR for an
already-developed multi-user branch, and no browser screenshots were
captured during this heartbeat.
---------
Co-authored-by: dotta <dotta@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-17 09:44:19 -05:00
|
|
|
import { ModeBadge } from "@/components/access/ModeBadge";
|
2026-04-04 09:55:15 -05:00
|
|
|
import { Button } from "../components/ui/button";
|
2026-03-20 08:00:39 -05:00
|
|
|
import { useBreadcrumbs } from "../context/BreadcrumbContext";
|
|
|
|
|
import { queryKeys } from "../lib/queryKeys";
|
2026-04-04 10:00:39 -05:00
|
|
|
import { ToggleSwitch } from "@/components/ui/toggle-switch";
|
2026-03-20 08:00:39 -05:00
|
|
|
import { cn } from "../lib/utils";
|
|
|
|
|
|
2026-04-02 09:11:49 -05:00
|
|
|
const FEEDBACK_TERMS_URL = import.meta.env.VITE_FEEDBACK_TERMS_URL?.trim() || "https://paperclip.ing/tos";
|
|
|
|
|
|
2026-03-20 08:00:39 -05:00
|
|
|
export function InstanceGeneralSettings() {
|
|
|
|
|
const { setBreadcrumbs } = useBreadcrumbs();
|
|
|
|
|
const queryClient = useQueryClient();
|
|
|
|
|
const [actionError, setActionError] = useState<string | null>(null);
|
|
|
|
|
|
2026-04-04 09:55:15 -05:00
|
|
|
const signOutMutation = useMutation({
|
|
|
|
|
mutationFn: () => authApi.signOut(),
|
|
|
|
|
onSuccess: () => {
|
|
|
|
|
queryClient.invalidateQueries({ queryKey: queryKeys.auth.session });
|
|
|
|
|
},
|
|
|
|
|
onError: (error) => {
|
|
|
|
|
setActionError(error instanceof Error ? error.message : "Failed to sign out.");
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
2026-03-20 08:00:39 -05:00
|
|
|
useEffect(() => {
|
|
|
|
|
setBreadcrumbs([
|
|
|
|
|
{ label: "Instance Settings" },
|
|
|
|
|
{ label: "General" },
|
|
|
|
|
]);
|
|
|
|
|
}, [setBreadcrumbs]);
|
|
|
|
|
|
|
|
|
|
const generalQuery = useQuery({
|
|
|
|
|
queryKey: queryKeys.instance.generalSettings,
|
|
|
|
|
queryFn: () => instanceSettingsApi.getGeneral(),
|
|
|
|
|
});
|
feat: implement multi-user access and invite flows (#3784)
## Thinking Path
> - Paperclip is the control plane for autonomous AI companies.
> - V1 needs to stay local-first while also supporting shared,
authenticated deployments.
> - Human operators need real identities, company membership, invite
flows, profile surfaces, and company-scoped access controls.
> - Agents and operators also need the existing issue, inbox, workspace,
approval, and plugin flows to keep working under those authenticated
boundaries.
> - This branch accumulated the multi-user implementation, follow-up QA
fixes, workspace/runtime refinements, invite UX improvements,
release-branch conflict resolution, and review hardening.
> - This pull request consolidates that branch onto the current `master`
branch as a single reviewable PR.
> - The benefit is a complete multi-user implementation path with tests
and docs carried forward without dropping existing branch work.
## What Changed
- Added authenticated human-user access surfaces: auth/session routes,
company user directory, profile settings, company access/member
management, join requests, and invite management.
- Added invite creation, invite landing, onboarding, logo/branding,
invite grants, deduped join requests, and authenticated multi-user E2E
coverage.
- Tightened company-scoped and instance-admin authorization across
board, plugin, adapter, access, issue, and workspace routes.
- Added profile-image URL validation hardening, avatar preservation on
name-only profile updates, and join-request uniqueness migration cleanup
for pending human requests.
- Added an atomic member role/status/grants update path so Company
Access saves no longer leave partially updated permissions.
- Improved issue chat, inbox, assignee identity rendering,
sidebar/account/company navigation, workspace routing, and execution
workspace reuse behavior for multi-user operation.
- Added and updated server/UI tests covering auth, invites, membership,
issue workspace inheritance, plugin authz, inbox/chat behavior, and
multi-user flows.
- Merged current `public-gh/master` into this branch, resolved all
conflicts, and verified no `pnpm-lock.yaml` change is included in this
PR diff.
## Verification
- `pnpm exec vitest run server/src/__tests__/issues-service.test.ts
ui/src/components/IssueChatThread.test.tsx ui/src/pages/Inbox.test.tsx`
- `pnpm run preflight:workspace-links && pnpm exec vitest run
server/src/__tests__/plugin-routes-authz.test.ts`
- `pnpm exec vitest run server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/workspace-runtime-service-authz.test.ts
server/src/__tests__/access-validators.test.ts`
- `pnpm exec vitest run
server/src/__tests__/authz-company-access.test.ts
server/src/__tests__/routines-routes.test.ts
server/src/__tests__/sidebar-preferences-routes.test.ts
server/src/__tests__/approval-routes-idempotency.test.ts
server/src/__tests__/openclaw-invite-prompt-route.test.ts
server/src/__tests__/agent-cross-tenant-authz-routes.test.ts
server/src/__tests__/routines-e2e.test.ts`
- `pnpm exec vitest run server/src/__tests__/auth-routes.test.ts
ui/src/pages/CompanyAccess.test.tsx`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/db typecheck && pnpm --filter @paperclipai/server
typecheck`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/server typecheck`
- `pnpm --filter @paperclipai/ui typecheck`
- `pnpm db:generate`
- `npx playwright test --config tests/e2e/playwright.config.ts --list`
- Confirmed branch has no uncommitted changes and is `0` commits behind
`public-gh/master` before PR creation.
- Confirmed no `pnpm-lock.yaml` change is staged or present in the PR
diff.
## Risks
- High review surface area: this PR contains the accumulated multi-user
branch plus follow-up fixes, so reviewers should focus especially on
company-boundary enforcement and authenticated-vs-local deployment
behavior.
- UI behavior changed across invites, inbox, issue chat, access
settings, and sidebar navigation; no browser screenshots are included in
this branch-consolidation PR.
- Plugin install, upgrade, and lifecycle/config mutations now require
instance-admin access, which is intentional but may change expectations
for non-admin board users.
- A join-request dedupe migration rejects duplicate pending human
requests before creating unique indexes; deployments with unusual
historical duplicates should review the migration behavior.
- Company member role/status/grant saves now use a new combined
endpoint; older separate endpoints remain for compatibility.
- Full production build was not run locally in this heartbeat; CI should
cover the full matrix.
## Model Used
- OpenAI Codex coding agent, GPT-5-based model, CLI/tool-use
environment. Exact deployed model identifier and context window were not
exposed by the runtime.
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
Note on screenshots: this is a branch-consolidation PR for an
already-developed multi-user branch, and no browser screenshots were
captured during this heartbeat.
---------
Co-authored-by: dotta <dotta@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-17 09:44:19 -05:00
|
|
|
const healthQuery = useQuery({
|
|
|
|
|
queryKey: queryKeys.health,
|
|
|
|
|
queryFn: () => healthApi.get(),
|
|
|
|
|
retry: false,
|
|
|
|
|
});
|
2026-03-20 08:00:39 -05:00
|
|
|
|
2026-04-02 09:11:49 -05:00
|
|
|
const updateGeneralMutation = useMutation({
|
|
|
|
|
mutationFn: instanceSettingsApi.updateGeneral,
|
2026-03-20 08:00:39 -05:00
|
|
|
onSuccess: async () => {
|
|
|
|
|
setActionError(null);
|
|
|
|
|
await queryClient.invalidateQueries({ queryKey: queryKeys.instance.generalSettings });
|
|
|
|
|
},
|
|
|
|
|
onError: (error) => {
|
|
|
|
|
setActionError(error instanceof Error ? error.message : "Failed to update general settings.");
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (generalQuery.isLoading) {
|
|
|
|
|
return <div className="text-sm text-muted-foreground">Loading general settings...</div>;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (generalQuery.error) {
|
|
|
|
|
return (
|
|
|
|
|
<div className="text-sm text-destructive">
|
|
|
|
|
{generalQuery.error instanceof Error
|
|
|
|
|
? generalQuery.error.message
|
|
|
|
|
: "Failed to load general settings."}
|
|
|
|
|
</div>
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const censorUsernameInLogs = generalQuery.data?.censorUsernameInLogs === true;
|
2026-04-02 11:45:15 -05:00
|
|
|
const keyboardShortcuts = generalQuery.data?.keyboardShortcuts === true;
|
2026-04-02 09:11:49 -05:00
|
|
|
const feedbackDataSharingPreference = generalQuery.data?.feedbackDataSharingPreference ?? "prompt";
|
2026-04-07 09:54:39 +02:00
|
|
|
const backupRetention: BackupRetentionPolicy = generalQuery.data?.backupRetention ?? DEFAULT_BACKUP_RETENTION;
|
2026-03-20 08:00:39 -05:00
|
|
|
|
|
|
|
|
return (
|
|
|
|
|
<div className="max-w-4xl space-y-6">
|
|
|
|
|
<div className="space-y-2">
|
|
|
|
|
<div className="flex items-center gap-2">
|
|
|
|
|
<SlidersHorizontal className="h-5 w-5 text-muted-foreground" />
|
|
|
|
|
<h1 className="text-lg font-semibold">General</h1>
|
|
|
|
|
</div>
|
|
|
|
|
<p className="text-sm text-muted-foreground">
|
|
|
|
|
Configure instance-wide defaults that affect how operator-visible logs are displayed.
|
|
|
|
|
</p>
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
{actionError && (
|
|
|
|
|
<div className="rounded-md border border-destructive/40 bg-destructive/5 px-3 py-2 text-sm text-destructive">
|
|
|
|
|
{actionError}
|
|
|
|
|
</div>
|
|
|
|
|
)}
|
|
|
|
|
|
feat: implement multi-user access and invite flows (#3784)
## Thinking Path
> - Paperclip is the control plane for autonomous AI companies.
> - V1 needs to stay local-first while also supporting shared,
authenticated deployments.
> - Human operators need real identities, company membership, invite
flows, profile surfaces, and company-scoped access controls.
> - Agents and operators also need the existing issue, inbox, workspace,
approval, and plugin flows to keep working under those authenticated
boundaries.
> - This branch accumulated the multi-user implementation, follow-up QA
fixes, workspace/runtime refinements, invite UX improvements,
release-branch conflict resolution, and review hardening.
> - This pull request consolidates that branch onto the current `master`
branch as a single reviewable PR.
> - The benefit is a complete multi-user implementation path with tests
and docs carried forward without dropping existing branch work.
## What Changed
- Added authenticated human-user access surfaces: auth/session routes,
company user directory, profile settings, company access/member
management, join requests, and invite management.
- Added invite creation, invite landing, onboarding, logo/branding,
invite grants, deduped join requests, and authenticated multi-user E2E
coverage.
- Tightened company-scoped and instance-admin authorization across
board, plugin, adapter, access, issue, and workspace routes.
- Added profile-image URL validation hardening, avatar preservation on
name-only profile updates, and join-request uniqueness migration cleanup
for pending human requests.
- Added an atomic member role/status/grants update path so Company
Access saves no longer leave partially updated permissions.
- Improved issue chat, inbox, assignee identity rendering,
sidebar/account/company navigation, workspace routing, and execution
workspace reuse behavior for multi-user operation.
- Added and updated server/UI tests covering auth, invites, membership,
issue workspace inheritance, plugin authz, inbox/chat behavior, and
multi-user flows.
- Merged current `public-gh/master` into this branch, resolved all
conflicts, and verified no `pnpm-lock.yaml` change is included in this
PR diff.
## Verification
- `pnpm exec vitest run server/src/__tests__/issues-service.test.ts
ui/src/components/IssueChatThread.test.tsx ui/src/pages/Inbox.test.tsx`
- `pnpm run preflight:workspace-links && pnpm exec vitest run
server/src/__tests__/plugin-routes-authz.test.ts`
- `pnpm exec vitest run server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/workspace-runtime-service-authz.test.ts
server/src/__tests__/access-validators.test.ts`
- `pnpm exec vitest run
server/src/__tests__/authz-company-access.test.ts
server/src/__tests__/routines-routes.test.ts
server/src/__tests__/sidebar-preferences-routes.test.ts
server/src/__tests__/approval-routes-idempotency.test.ts
server/src/__tests__/openclaw-invite-prompt-route.test.ts
server/src/__tests__/agent-cross-tenant-authz-routes.test.ts
server/src/__tests__/routines-e2e.test.ts`
- `pnpm exec vitest run server/src/__tests__/auth-routes.test.ts
ui/src/pages/CompanyAccess.test.tsx`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/db typecheck && pnpm --filter @paperclipai/server
typecheck`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/server typecheck`
- `pnpm --filter @paperclipai/ui typecheck`
- `pnpm db:generate`
- `npx playwright test --config tests/e2e/playwright.config.ts --list`
- Confirmed branch has no uncommitted changes and is `0` commits behind
`public-gh/master` before PR creation.
- Confirmed no `pnpm-lock.yaml` change is staged or present in the PR
diff.
## Risks
- High review surface area: this PR contains the accumulated multi-user
branch plus follow-up fixes, so reviewers should focus especially on
company-boundary enforcement and authenticated-vs-local deployment
behavior.
- UI behavior changed across invites, inbox, issue chat, access
settings, and sidebar navigation; no browser screenshots are included in
this branch-consolidation PR.
- Plugin install, upgrade, and lifecycle/config mutations now require
instance-admin access, which is intentional but may change expectations
for non-admin board users.
- A join-request dedupe migration rejects duplicate pending human
requests before creating unique indexes; deployments with unusual
historical duplicates should review the migration behavior.
- Company member role/status/grant saves now use a new combined
endpoint; older separate endpoints remain for compatibility.
- Full production build was not run locally in this heartbeat; CI should
cover the full matrix.
## Model Used
- OpenAI Codex coding agent, GPT-5-based model, CLI/tool-use
environment. Exact deployed model identifier and context window were not
exposed by the runtime.
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
Note on screenshots: this is a branch-consolidation PR for an
already-developed multi-user branch, and no browser screenshots were
captured during this heartbeat.
---------
Co-authored-by: dotta <dotta@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-17 09:44:19 -05:00
|
|
|
<section className="rounded-xl border border-border bg-card p-5">
|
|
|
|
|
<div className="space-y-3">
|
|
|
|
|
<div className="flex items-center gap-2">
|
|
|
|
|
<h2 className="text-sm font-semibold">Deployment and auth</h2>
|
|
|
|
|
<ModeBadge
|
|
|
|
|
deploymentMode={healthQuery.data?.deploymentMode}
|
|
|
|
|
deploymentExposure={healthQuery.data?.deploymentExposure}
|
|
|
|
|
/>
|
|
|
|
|
</div>
|
|
|
|
|
<div className="text-sm text-muted-foreground">
|
|
|
|
|
{healthQuery.data?.deploymentMode === "local_trusted"
|
|
|
|
|
? "Local trusted mode is optimized for a local operator. Browser requests run as local board context and no sign-in is required."
|
|
|
|
|
: healthQuery.data?.deploymentExposure === "public"
|
|
|
|
|
? "Authenticated public mode requires sign-in for board access and is intended for public URLs."
|
|
|
|
|
: "Authenticated private mode requires sign-in and is intended for LAN, VPN, or other private-network deployments."}
|
|
|
|
|
</div>
|
|
|
|
|
<div className="grid gap-3 md:grid-cols-3">
|
|
|
|
|
<StatusBox
|
|
|
|
|
label="Auth readiness"
|
|
|
|
|
value={healthQuery.data?.authReady ? "Ready" : "Not ready"}
|
|
|
|
|
/>
|
|
|
|
|
<StatusBox
|
|
|
|
|
label="Bootstrap status"
|
|
|
|
|
value={healthQuery.data?.bootstrapStatus === "bootstrap_pending" ? "Setup required" : "Ready"}
|
|
|
|
|
/>
|
|
|
|
|
<StatusBox
|
|
|
|
|
label="Bootstrap invite"
|
|
|
|
|
value={healthQuery.data?.bootstrapInviteActive ? "Active" : "None"}
|
|
|
|
|
/>
|
|
|
|
|
</div>
|
|
|
|
|
</div>
|
|
|
|
|
</section>
|
|
|
|
|
|
2026-03-20 08:00:39 -05:00
|
|
|
<section className="rounded-xl border border-border bg-card p-5">
|
|
|
|
|
<div className="flex items-start justify-between gap-4">
|
|
|
|
|
<div className="space-y-1.5">
|
|
|
|
|
<h2 className="text-sm font-semibold">Censor username in logs</h2>
|
|
|
|
|
<p className="max-w-2xl text-sm text-muted-foreground">
|
2026-03-20 13:18:29 -05:00
|
|
|
Hide the username segment in home-directory paths and similar operator-visible log output. Standalone
|
|
|
|
|
username mentions outside of paths are not yet masked in the live transcript view. This is off by
|
|
|
|
|
default.
|
2026-03-20 08:00:39 -05:00
|
|
|
</p>
|
|
|
|
|
</div>
|
2026-04-04 10:00:39 -05:00
|
|
|
<ToggleSwitch
|
|
|
|
|
checked={censorUsernameInLogs}
|
|
|
|
|
onCheckedChange={() => updateGeneralMutation.mutate({ censorUsernameInLogs: !censorUsernameInLogs })}
|
2026-04-02 09:11:49 -05:00
|
|
|
disabled={updateGeneralMutation.isPending}
|
2026-04-04 10:00:39 -05:00
|
|
|
aria-label="Toggle username log censoring"
|
|
|
|
|
/>
|
2026-03-20 08:00:39 -05:00
|
|
|
</div>
|
|
|
|
|
</section>
|
2026-04-02 09:11:49 -05:00
|
|
|
|
2026-04-02 11:45:15 -05:00
|
|
|
<section className="rounded-xl border border-border bg-card p-5">
|
|
|
|
|
<div className="flex items-start justify-between gap-4">
|
|
|
|
|
<div className="space-y-1.5">
|
|
|
|
|
<h2 className="text-sm font-semibold">Keyboard shortcuts</h2>
|
|
|
|
|
<p className="max-w-2xl text-sm text-muted-foreground">
|
|
|
|
|
Enable app keyboard shortcuts, including inbox navigation and global shortcuts like creating issues or
|
|
|
|
|
toggling panels. This is off by default.
|
|
|
|
|
</p>
|
|
|
|
|
</div>
|
2026-04-04 10:00:39 -05:00
|
|
|
<ToggleSwitch
|
|
|
|
|
checked={keyboardShortcuts}
|
|
|
|
|
onCheckedChange={() => updateGeneralMutation.mutate({ keyboardShortcuts: !keyboardShortcuts })}
|
2026-04-02 11:45:15 -05:00
|
|
|
disabled={updateGeneralMutation.isPending}
|
2026-04-04 10:00:39 -05:00
|
|
|
aria-label="Toggle keyboard shortcuts"
|
|
|
|
|
/>
|
2026-04-02 11:45:15 -05:00
|
|
|
</div>
|
|
|
|
|
</section>
|
|
|
|
|
|
2026-04-02 09:11:49 -05:00
|
|
|
<section className="rounded-xl border border-border bg-card p-5">
|
2026-04-07 09:54:39 +02:00
|
|
|
<div className="space-y-5">
|
|
|
|
|
<div className="space-y-1.5">
|
|
|
|
|
<h2 className="text-sm font-semibold">Backup retention</h2>
|
|
|
|
|
<p className="max-w-2xl text-sm text-muted-foreground">
|
|
|
|
|
Configure how long to keep automatic database backups at each tier. Daily backups
|
|
|
|
|
are kept in full, then thinned to one per week and one per month. Backups are
|
|
|
|
|
compressed with gzip.
|
|
|
|
|
</p>
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div className="space-y-1.5">
|
|
|
|
|
<h3 className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Daily</h3>
|
|
|
|
|
<div className="flex flex-wrap gap-2">
|
|
|
|
|
{DAILY_RETENTION_PRESETS.map((days) => {
|
|
|
|
|
const active = backupRetention.dailyDays === days;
|
|
|
|
|
return (
|
|
|
|
|
<button
|
|
|
|
|
key={days}
|
|
|
|
|
type="button"
|
|
|
|
|
disabled={updateGeneralMutation.isPending}
|
|
|
|
|
className={cn(
|
|
|
|
|
"rounded-lg border px-3 py-2 text-left transition-colors disabled:cursor-not-allowed disabled:opacity-60",
|
|
|
|
|
active
|
|
|
|
|
? "border-foreground bg-accent text-foreground"
|
|
|
|
|
: "border-border bg-background hover:bg-accent/50",
|
|
|
|
|
)}
|
|
|
|
|
onClick={() =>
|
|
|
|
|
updateGeneralMutation.mutate({
|
|
|
|
|
backupRetention: { ...backupRetention, dailyDays: days },
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
>
|
|
|
|
|
<div className="text-sm font-medium">{days} days</div>
|
|
|
|
|
</button>
|
|
|
|
|
);
|
|
|
|
|
})}
|
2026-04-07 09:41:13 +02:00
|
|
|
</div>
|
|
|
|
|
</div>
|
2026-04-07 09:54:39 +02:00
|
|
|
|
|
|
|
|
<div className="space-y-1.5">
|
|
|
|
|
<h3 className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Weekly</h3>
|
|
|
|
|
<div className="flex flex-wrap gap-2">
|
|
|
|
|
{WEEKLY_RETENTION_PRESETS.map((weeks) => {
|
|
|
|
|
const active = backupRetention.weeklyWeeks === weeks;
|
|
|
|
|
const label = weeks === 1 ? "1 week" : `${weeks} weeks`;
|
|
|
|
|
return (
|
|
|
|
|
<button
|
|
|
|
|
key={weeks}
|
|
|
|
|
type="button"
|
|
|
|
|
disabled={updateGeneralMutation.isPending}
|
|
|
|
|
className={cn(
|
|
|
|
|
"rounded-lg border px-3 py-2 text-left transition-colors disabled:cursor-not-allowed disabled:opacity-60",
|
|
|
|
|
active
|
|
|
|
|
? "border-foreground bg-accent text-foreground"
|
|
|
|
|
: "border-border bg-background hover:bg-accent/50",
|
|
|
|
|
)}
|
|
|
|
|
onClick={() =>
|
|
|
|
|
updateGeneralMutation.mutate({
|
|
|
|
|
backupRetention: { ...backupRetention, weeklyWeeks: weeks },
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
>
|
|
|
|
|
<div className="text-sm font-medium">{label}</div>
|
|
|
|
|
</button>
|
|
|
|
|
);
|
|
|
|
|
})}
|
|
|
|
|
</div>
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<div className="space-y-1.5">
|
|
|
|
|
<h3 className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Monthly</h3>
|
|
|
|
|
<div className="flex flex-wrap gap-2">
|
|
|
|
|
{MONTHLY_RETENTION_PRESETS.map((months) => {
|
|
|
|
|
const active = backupRetention.monthlyMonths === months;
|
|
|
|
|
const label = months === 1 ? "1 month" : `${months} months`;
|
|
|
|
|
return (
|
|
|
|
|
<button
|
|
|
|
|
key={months}
|
|
|
|
|
type="button"
|
|
|
|
|
disabled={updateGeneralMutation.isPending}
|
|
|
|
|
className={cn(
|
|
|
|
|
"rounded-lg border px-3 py-2 text-left transition-colors disabled:cursor-not-allowed disabled:opacity-60",
|
|
|
|
|
active
|
|
|
|
|
? "border-foreground bg-accent text-foreground"
|
|
|
|
|
: "border-border bg-background hover:bg-accent/50",
|
|
|
|
|
)}
|
|
|
|
|
onClick={() =>
|
|
|
|
|
updateGeneralMutation.mutate({
|
|
|
|
|
backupRetention: { ...backupRetention, monthlyMonths: months },
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
>
|
|
|
|
|
<div className="text-sm font-medium">{label}</div>
|
|
|
|
|
</button>
|
|
|
|
|
);
|
|
|
|
|
})}
|
|
|
|
|
</div>
|
2026-04-07 09:41:13 +02:00
|
|
|
</div>
|
|
|
|
|
</div>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section className="rounded-xl border border-border bg-card p-5">
|
2026-04-02 09:11:49 -05:00
|
|
|
<div className="space-y-4">
|
|
|
|
|
<div className="space-y-1.5">
|
|
|
|
|
<h2 className="text-sm font-semibold">AI feedback sharing</h2>
|
|
|
|
|
<p className="max-w-2xl text-sm text-muted-foreground">
|
|
|
|
|
Control whether thumbs up and thumbs down votes can send the voted AI output to
|
|
|
|
|
Paperclip Labs. Votes are always saved locally.
|
|
|
|
|
</p>
|
|
|
|
|
{FEEDBACK_TERMS_URL ? (
|
|
|
|
|
<a
|
|
|
|
|
href={FEEDBACK_TERMS_URL}
|
|
|
|
|
target="_blank"
|
|
|
|
|
rel="noreferrer"
|
|
|
|
|
className="inline-flex text-sm text-muted-foreground underline underline-offset-4 hover:text-foreground"
|
|
|
|
|
>
|
|
|
|
|
Read our terms of service
|
|
|
|
|
</a>
|
|
|
|
|
) : null}
|
|
|
|
|
</div>
|
|
|
|
|
{feedbackDataSharingPreference === "prompt" ? (
|
|
|
|
|
<div className="rounded-lg border border-border/70 bg-accent/20 px-3 py-2 text-sm text-muted-foreground">
|
|
|
|
|
No default is saved yet. The next thumbs up or thumbs down choice will ask once and
|
|
|
|
|
then save the answer here.
|
|
|
|
|
</div>
|
|
|
|
|
) : null}
|
|
|
|
|
<div className="flex flex-wrap gap-2">
|
|
|
|
|
{[
|
|
|
|
|
{
|
|
|
|
|
value: "allowed",
|
|
|
|
|
label: "Always allow",
|
|
|
|
|
description: "Share voted AI outputs automatically.",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
value: "not_allowed",
|
|
|
|
|
label: "Don't allow",
|
|
|
|
|
description: "Keep voted AI outputs local only.",
|
|
|
|
|
},
|
|
|
|
|
].map((option) => {
|
|
|
|
|
const active = feedbackDataSharingPreference === option.value;
|
|
|
|
|
return (
|
|
|
|
|
<button
|
|
|
|
|
key={option.value}
|
|
|
|
|
type="button"
|
|
|
|
|
disabled={updateGeneralMutation.isPending}
|
|
|
|
|
className={cn(
|
|
|
|
|
"rounded-lg border px-3 py-2 text-left transition-colors disabled:cursor-not-allowed disabled:opacity-60",
|
|
|
|
|
active
|
|
|
|
|
? "border-foreground bg-accent text-foreground"
|
|
|
|
|
: "border-border bg-background hover:bg-accent/50",
|
|
|
|
|
)}
|
|
|
|
|
onClick={() =>
|
|
|
|
|
updateGeneralMutation.mutate({
|
|
|
|
|
feedbackDataSharingPreference: option.value as
|
|
|
|
|
| "allowed"
|
|
|
|
|
| "not_allowed",
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
>
|
|
|
|
|
<div className="text-sm font-medium">{option.label}</div>
|
|
|
|
|
<div className="text-xs text-muted-foreground">
|
|
|
|
|
{option.description}
|
|
|
|
|
</div>
|
|
|
|
|
</button>
|
|
|
|
|
);
|
|
|
|
|
})}
|
|
|
|
|
</div>
|
|
|
|
|
<p className="text-xs text-muted-foreground">
|
|
|
|
|
To retest the first-use prompt in local dev, remove the{" "}
|
|
|
|
|
<code>feedbackDataSharingPreference</code> key from the{" "}
|
|
|
|
|
<code>instance_settings.general</code> JSON row for this instance, or set it back to{" "}
|
|
|
|
|
<code>"prompt"</code>. Unset and <code>"prompt"</code> both mean no default has been
|
|
|
|
|
chosen yet.
|
|
|
|
|
</p>
|
|
|
|
|
</div>
|
|
|
|
|
</section>
|
2026-04-04 09:55:15 -05:00
|
|
|
|
|
|
|
|
<section className="rounded-xl border border-border bg-card p-5">
|
|
|
|
|
<div className="flex items-start justify-between gap-4">
|
|
|
|
|
<div className="space-y-1.5">
|
|
|
|
|
<h2 className="text-sm font-semibold">Sign out</h2>
|
|
|
|
|
<p className="max-w-2xl text-sm text-muted-foreground">
|
|
|
|
|
Sign out of this Paperclip instance. You will be redirected to the login page.
|
|
|
|
|
</p>
|
|
|
|
|
</div>
|
|
|
|
|
<Button
|
|
|
|
|
variant="outline"
|
|
|
|
|
size="sm"
|
|
|
|
|
disabled={signOutMutation.isPending}
|
|
|
|
|
onClick={() => signOutMutation.mutate()}
|
|
|
|
|
>
|
|
|
|
|
<LogOut className="size-4" />
|
|
|
|
|
{signOutMutation.isPending ? "Signing out..." : "Sign out"}
|
|
|
|
|
</Button>
|
|
|
|
|
</div>
|
|
|
|
|
</section>
|
2026-03-20 08:00:39 -05:00
|
|
|
</div>
|
|
|
|
|
);
|
|
|
|
|
}
|
feat: implement multi-user access and invite flows (#3784)
## Thinking Path
> - Paperclip is the control plane for autonomous AI companies.
> - V1 needs to stay local-first while also supporting shared,
authenticated deployments.
> - Human operators need real identities, company membership, invite
flows, profile surfaces, and company-scoped access controls.
> - Agents and operators also need the existing issue, inbox, workspace,
approval, and plugin flows to keep working under those authenticated
boundaries.
> - This branch accumulated the multi-user implementation, follow-up QA
fixes, workspace/runtime refinements, invite UX improvements,
release-branch conflict resolution, and review hardening.
> - This pull request consolidates that branch onto the current `master`
branch as a single reviewable PR.
> - The benefit is a complete multi-user implementation path with tests
and docs carried forward without dropping existing branch work.
## What Changed
- Added authenticated human-user access surfaces: auth/session routes,
company user directory, profile settings, company access/member
management, join requests, and invite management.
- Added invite creation, invite landing, onboarding, logo/branding,
invite grants, deduped join requests, and authenticated multi-user E2E
coverage.
- Tightened company-scoped and instance-admin authorization across
board, plugin, adapter, access, issue, and workspace routes.
- Added profile-image URL validation hardening, avatar preservation on
name-only profile updates, and join-request uniqueness migration cleanup
for pending human requests.
- Added an atomic member role/status/grants update path so Company
Access saves no longer leave partially updated permissions.
- Improved issue chat, inbox, assignee identity rendering,
sidebar/account/company navigation, workspace routing, and execution
workspace reuse behavior for multi-user operation.
- Added and updated server/UI tests covering auth, invites, membership,
issue workspace inheritance, plugin authz, inbox/chat behavior, and
multi-user flows.
- Merged current `public-gh/master` into this branch, resolved all
conflicts, and verified no `pnpm-lock.yaml` change is included in this
PR diff.
## Verification
- `pnpm exec vitest run server/src/__tests__/issues-service.test.ts
ui/src/components/IssueChatThread.test.tsx ui/src/pages/Inbox.test.tsx`
- `pnpm run preflight:workspace-links && pnpm exec vitest run
server/src/__tests__/plugin-routes-authz.test.ts`
- `pnpm exec vitest run server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/workspace-runtime-service-authz.test.ts
server/src/__tests__/access-validators.test.ts`
- `pnpm exec vitest run
server/src/__tests__/authz-company-access.test.ts
server/src/__tests__/routines-routes.test.ts
server/src/__tests__/sidebar-preferences-routes.test.ts
server/src/__tests__/approval-routes-idempotency.test.ts
server/src/__tests__/openclaw-invite-prompt-route.test.ts
server/src/__tests__/agent-cross-tenant-authz-routes.test.ts
server/src/__tests__/routines-e2e.test.ts`
- `pnpm exec vitest run server/src/__tests__/auth-routes.test.ts
ui/src/pages/CompanyAccess.test.tsx`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/db typecheck && pnpm --filter @paperclipai/server
typecheck`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/server typecheck`
- `pnpm --filter @paperclipai/ui typecheck`
- `pnpm db:generate`
- `npx playwright test --config tests/e2e/playwright.config.ts --list`
- Confirmed branch has no uncommitted changes and is `0` commits behind
`public-gh/master` before PR creation.
- Confirmed no `pnpm-lock.yaml` change is staged or present in the PR
diff.
## Risks
- High review surface area: this PR contains the accumulated multi-user
branch plus follow-up fixes, so reviewers should focus especially on
company-boundary enforcement and authenticated-vs-local deployment
behavior.
- UI behavior changed across invites, inbox, issue chat, access
settings, and sidebar navigation; no browser screenshots are included in
this branch-consolidation PR.
- Plugin install, upgrade, and lifecycle/config mutations now require
instance-admin access, which is intentional but may change expectations
for non-admin board users.
- A join-request dedupe migration rejects duplicate pending human
requests before creating unique indexes; deployments with unusual
historical duplicates should review the migration behavior.
- Company member role/status/grant saves now use a new combined
endpoint; older separate endpoints remain for compatibility.
- Full production build was not run locally in this heartbeat; CI should
cover the full matrix.
## Model Used
- OpenAI Codex coding agent, GPT-5-based model, CLI/tool-use
environment. Exact deployed model identifier and context window were not
exposed by the runtime.
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
Note on screenshots: this is a branch-consolidation PR for an
already-developed multi-user branch, and no browser screenshots were
captured during this heartbeat.
---------
Co-authored-by: dotta <dotta@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-17 09:44:19 -05:00
|
|
|
|
|
|
|
|
function StatusBox({ label, value }: { label: string; value: string }) {
|
|
|
|
|
return (
|
|
|
|
|
<div className="rounded-lg border border-border bg-background px-3 py-3">
|
|
|
|
|
<div className="text-xs font-medium uppercase tracking-wide text-muted-foreground">{label}</div>
|
|
|
|
|
<div className="mt-2 text-sm font-medium">{value}</div>
|
|
|
|
|
</div>
|
|
|
|
|
);
|
|
|
|
|
}
|