paperclip/server/src/routes/projects.ts

import { Router } from "express";
import type { Db } from "@paperclip/db";
import {
  createProjectSchema,
  createProjectWorkspaceSchema,
  updateProjectSchema,
  updateProjectWorkspaceSchema,
} from "@paperclip/shared";
import { validate } from "../middleware/validate.js";
import { projectService, logActivity } from "../services/index.js";
import { assertCompanyAccess, getActorInfo } from "./authz.js";

export function projectRoutes(db: Db) {
  const router = Router();
  const svc = projectService(db);

  router.get("/companies/:companyId/projects", async (req, res) => {
    const companyId = req.params.companyId as string;
    assertCompanyAccess(req, companyId);
    const result = await svc.list(companyId);
    res.json(result);
  });

  router.get("/projects/:id", async (req, res) => {
    const id = req.params.id as string;
    const project = await svc.getById(id);
    if (!project) {
      res.status(404).json({ error: "Project not found" });
      return;
    }
    assertCompanyAccess(req, project.companyId);
    res.json(project);
  });

  router.post("/companies/:companyId/projects", validate(createProjectSchema), async (req, res) => {
    const companyId = req.params.companyId as string;
    assertCompanyAccess(req, companyId);
    const project = await svc.create(companyId, req.body);
    const actor = getActorInfo(req);
    await logActivity(db, {
      companyId,
      actorType: actor.actorType,
      actorId: actor.actorId,
      agentId: actor.agentId,
      action: "project.created",
      entityType: "project",
      entityId: project.id,
      details: { name: project.name },
    });
    res.status(201).json(project);
  });

  router.patch("/projects/:id", validate(updateProjectSchema), async (req, res) => {
    const id = req.params.id as string;
    const existing = await svc.getById(id);
    if (!existing) {
      res.status(404).json({ error: "Project not found" });
      return;
    }
    assertCompanyAccess(req, existing.companyId);
    const project = await svc.update(id, req.body);
    if (!project) {
      res.status(404).json({ error: "Project not found" });
      return;
    }

    const actor = getActorInfo(req);
    await logActivity(db, {
      companyId: project.companyId,
      actorType: actor.actorType,
      actorId: actor.actorId,
      agentId: actor.agentId,
      action: "project.updated",
      entityType: "project",
      entityId: project.id,
      details: req.body,
    });

    res.json(project);
  });

  router.get("/projects/:id/workspaces", async (req, res) => {
    const id = req.params.id as string;
    const existing = await svc.getById(id);
    if (!existing) {
      res.status(404).json({ error: "Project not found" });
      return;
    }
    assertCompanyAccess(req, existing.companyId);
    const workspaces = await svc.listWorkspaces(id);
    res.json(workspaces);
  });

  router.post("/projects/:id/workspaces", validate(createProjectWorkspaceSchema), async (req, res) => {
    const id = req.params.id as string;
    const existing = await svc.getById(id);
    if (!existing) {
      res.status(404).json({ error: "Project not found" });
      return;
    }
    assertCompanyAccess(req, existing.companyId);
    const workspace = await svc.createWorkspace(id, req.body);
    if (!workspace) {
      res.status(404).json({ error: "Project not found" });
      return;
    }

    const actor = getActorInfo(req);
    await logActivity(db, {
      companyId: existing.companyId,
      actorType: actor.actorType,
      actorId: actor.actorId,
      agentId: actor.agentId,
      action: "project.workspace_created",
      entityType: "project",
      entityId: id,
      details: {
        workspaceId: workspace.id,
        name: workspace.name,
        cwd: workspace.cwd,
        isPrimary: workspace.isPrimary,
      },
    });

    res.status(201).json(workspace);
  });

  router.patch(
    "/projects/:id/workspaces/:workspaceId",
    validate(updateProjectWorkspaceSchema),
    async (req, res) => {
      const id = req.params.id as string;
      const workspaceId = req.params.workspaceId as string;
      const existing = await svc.getById(id);
      if (!existing) {
        res.status(404).json({ error: "Project not found" });
        return;
      }
      assertCompanyAccess(req, existing.companyId);
      const workspace = await svc.updateWorkspace(id, workspaceId, req.body);
      if (!workspace) {
        res.status(404).json({ error: "Project workspace not found" });
        return;
      }

      const actor = getActorInfo(req);
      await logActivity(db, {
        companyId: existing.companyId,
        actorType: actor.actorType,
        actorId: actor.actorId,
        agentId: actor.agentId,
        action: "project.workspace_updated",
        entityType: "project",
        entityId: id,
        details: {
          workspaceId: workspace.id,
          changedKeys: Object.keys(req.body).sort(),
        },
      });

      res.json(workspace);
    },
  );

  router.delete("/projects/:id/workspaces/:workspaceId", async (req, res) => {
    const id = req.params.id as string;
    const workspaceId = req.params.workspaceId as string;
    const existing = await svc.getById(id);
    if (!existing) {
      res.status(404).json({ error: "Project not found" });
      return;
    }
    assertCompanyAccess(req, existing.companyId);
    const workspace = await svc.removeWorkspace(id, workspaceId);
    if (!workspace) {
      res.status(404).json({ error: "Project workspace not found" });
      return;
    }

    const actor = getActorInfo(req);
    await logActivity(db, {
      companyId: existing.companyId,
      actorType: actor.actorType,
      actorId: actor.actorId,
      agentId: actor.agentId,
      action: "project.workspace_deleted",
      entityType: "project",
      entityId: id,
      details: {
        workspaceId: workspace.id,
        name: workspace.name,
      },
    });

    res.json(workspace);
  });

  router.delete("/projects/:id", async (req, res) => {
    const id = req.params.id as string;
    const existing = await svc.getById(id);
    if (!existing) {
      res.status(404).json({ error: "Project not found" });
      return;
    }
    assertCompanyAccess(req, existing.companyId);
    const project = await svc.remove(id);
    if (!project) {
      res.status(404).json({ error: "Project not found" });
      return;
    }

    const actor = getActorInfo(req);
    await logActivity(db, {
      companyId: project.companyId,
      actorType: actor.actorType,
      actorId: actor.actorId,
      agentId: actor.agentId,
      action: "project.deleted",
      entityType: "project",
      entityId: project.id,
    });

    res.json(project);
  });

  return router;
}
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`import { Router } from "express";`
			`import type { Db } from "@paperclip/db";`
feat: add project workspaces (DB, API, service, and UI) New project_workspaces table with primary workspace designation. Full CRUD routes, service with auto-primary promotion on delete, workspace management UI in project properties panel, and workspace data included in project/issue ancestor responses. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-25 08:38:46 -06:00			`import {`
			`createProjectSchema,`
			`createProjectWorkspaceSchema,`
			`updateProjectSchema,`
			`updateProjectWorkspaceSchema,`
			`} from "@paperclip/shared";`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`import { validate } from "../middleware/validate.js";`
Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00			`import { projectService, logActivity } from "../services/index.js";`
			`import { assertCompanyAccess, getActorInfo } from "./authz.js";`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00
			`export function projectRoutes(db: Db) {`
			`const router = Router();`
			`const svc = projectService(db);`

Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00			`router.get("/companies/:companyId/projects", async (req, res) => {`
			`const companyId = req.params.companyId as string;`
			`assertCompanyAccess(req, companyId);`
			`const result = await svc.list(companyId);`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`res.json(result);`
			`});`

Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00			`router.get("/projects/:id", async (req, res) => {`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`const id = req.params.id as string;`
			`const project = await svc.getById(id);`
			`if (!project) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`
Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00			`assertCompanyAccess(req, project.companyId);`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`res.json(project);`
			`});`

Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00			`router.post("/companies/:companyId/projects", validate(createProjectSchema), async (req, res) => {`
			`const companyId = req.params.companyId as string;`
			`assertCompanyAccess(req, companyId);`
			`const project = await svc.create(companyId, req.body);`
			`const actor = getActorInfo(req);`
			`await logActivity(db, {`
			`companyId,`
			`actorType: actor.actorType,`
			`actorId: actor.actorId,`
			`agentId: actor.agentId,`
			`action: "project.created",`
			`entityType: "project",`
			`entityId: project.id,`
			`details: { name: project.name },`
			`});`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`res.status(201).json(project);`
			`});`

Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00			`router.patch("/projects/:id", validate(updateProjectSchema), async (req, res) => {`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`const id = req.params.id as string;`
Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00			`const existing = await svc.getById(id);`
			`if (!existing) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`
			`assertCompanyAccess(req, existing.companyId);`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`const project = await svc.update(id, req.body);`
			`if (!project) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`
Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00
			`const actor = getActorInfo(req);`
			`await logActivity(db, {`
			`companyId: project.companyId,`
			`actorType: actor.actorType,`
			`actorId: actor.actorId,`
			`agentId: actor.agentId,`
			`action: "project.updated",`
			`entityType: "project",`
			`entityId: project.id,`
			`details: req.body,`
			`});`

Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`res.json(project);`
			`});`

feat: add project workspaces (DB, API, service, and UI) New project_workspaces table with primary workspace designation. Full CRUD routes, service with auto-primary promotion on delete, workspace management UI in project properties panel, and workspace data included in project/issue ancestor responses. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-25 08:38:46 -06:00			`router.get("/projects/:id/workspaces", async (req, res) => {`
			`const id = req.params.id as string;`
			`const existing = await svc.getById(id);`
			`if (!existing) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`
			`assertCompanyAccess(req, existing.companyId);`
			`const workspaces = await svc.listWorkspaces(id);`
			`res.json(workspaces);`
			`});`

			`router.post("/projects/:id/workspaces", validate(createProjectWorkspaceSchema), async (req, res) => {`
			`const id = req.params.id as string;`
			`const existing = await svc.getById(id);`
			`if (!existing) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`
			`assertCompanyAccess(req, existing.companyId);`
			`const workspace = await svc.createWorkspace(id, req.body);`
			`if (!workspace) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`

			`const actor = getActorInfo(req);`
			`await logActivity(db, {`
			`companyId: existing.companyId,`
			`actorType: actor.actorType,`
			`actorId: actor.actorId,`
			`agentId: actor.agentId,`
			`action: "project.workspace_created",`
			`entityType: "project",`
			`entityId: id,`
			`details: {`
			`workspaceId: workspace.id,`
			`name: workspace.name,`
			`cwd: workspace.cwd,`
			`isPrimary: workspace.isPrimary,`
			`},`
			`});`

			`res.status(201).json(workspace);`
			`});`

			`router.patch(`
			`"/projects/:id/workspaces/:workspaceId",`
			`validate(updateProjectWorkspaceSchema),`
			`async (req, res) => {`
			`const id = req.params.id as string;`
			`const workspaceId = req.params.workspaceId as string;`
			`const existing = await svc.getById(id);`
			`if (!existing) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`
			`assertCompanyAccess(req, existing.companyId);`
			`const workspace = await svc.updateWorkspace(id, workspaceId, req.body);`
			`if (!workspace) {`
			`res.status(404).json({ error: "Project workspace not found" });`
			`return;`
			`}`

			`const actor = getActorInfo(req);`
			`await logActivity(db, {`
			`companyId: existing.companyId,`
			`actorType: actor.actorType,`
			`actorId: actor.actorId,`
			`agentId: actor.agentId,`
			`action: "project.workspace_updated",`
			`entityType: "project",`
			`entityId: id,`
			`details: {`
			`workspaceId: workspace.id,`
			`changedKeys: Object.keys(req.body).sort(),`
			`},`
			`});`

			`res.json(workspace);`
			`},`
			`);`

			`router.delete("/projects/:id/workspaces/:workspaceId", async (req, res) => {`
			`const id = req.params.id as string;`
			`const workspaceId = req.params.workspaceId as string;`
			`const existing = await svc.getById(id);`
			`if (!existing) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`
			`assertCompanyAccess(req, existing.companyId);`
			`const workspace = await svc.removeWorkspace(id, workspaceId);`
			`if (!workspace) {`
			`res.status(404).json({ error: "Project workspace not found" });`
			`return;`
			`}`

			`const actor = getActorInfo(req);`
			`await logActivity(db, {`
			`companyId: existing.companyId,`
			`actorType: actor.actorType,`
			`actorId: actor.actorId,`
			`agentId: actor.agentId,`
			`action: "project.workspace_deleted",`
			`entityType: "project",`
			`entityId: id,`
			`details: {`
			`workspaceId: workspace.id,`
			`name: workspace.name,`
			`},`
			`});`

			`res.json(workspace);`
			`});`

Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00			`router.delete("/projects/:id", async (req, res) => {`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`const id = req.params.id as string;`
Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00			`const existing = await svc.getById(id);`
			`if (!existing) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`
			`assertCompanyAccess(req, existing.companyId);`
Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`const project = await svc.remove(id);`
			`if (!project) {`
			`res.status(404).json({ error: "Project not found" });`
			`return;`
			`}`
Add server routes for companies, approvals, costs, and dashboard New routes: companies, approvals, costs, dashboard, authz. New services: companies, approvals, costs, dashboard, heartbeat, activity-log. Add auth middleware and structured error handling. Expand existing agent and issue routes with richer CRUD operations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-17 09:07:27 -06:00
			`const actor = getActorInfo(req);`
			`await logActivity(db, {`
			`companyId: project.companyId,`
			`actorType: actor.actorType,`
			`actorId: actor.actorId,`
			`agentId: actor.agentId,`
			`action: "project.deleted",`
			`entityType: "project",`
			`entityId: project.id,`
			`});`

Add API server with routes, services, and middleware Express server with CRUD routes for agents, goals, issues, projects, and activity log. Includes validation middleware, structured error handling, request logging, and health check endpoint with tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:58 -06:00			`res.json(project);`
			`});`

			`return router;`
			`}`