import * as React from "react";
import { useMemo, useState } from "react";
import * as RouterDom from "react-router-dom";
import type { Issue } from "@paperclipai/shared";
import { useQuery, useQueryClient } from "@tanstack/react-query";
import { timeAgo } from "@/lib/timeAgo";
import { createIssueDetailPath, withIssueDetailHeaderSeed } from "@/lib/issueDetailBreadcrumb";
import {
[codex] harden authenticated routes and issue editor reliability (#3741)
## Thinking Path
> - Paperclip orchestrates AI agents for zero-human companies
> - The control plane depends on authenticated routes enforcing company
boundaries and role permissions correctly
> - This branch also touches the issue detail and markdown editing flows
operators use while handling advisory and triage work
> - Partial issue cache seeds and fragile rich-editor parsing could
leave important issue content missing or blank at the moment an operator
needed it
> - Blocked issues becoming actionable again should wake their assignee
automatically instead of silently staying idle
> - This pull request rebases the advisory follow-up branch onto current
`master`, hardens authenticated route authorization, and carries the
issue-detail/editor reliability fixes forward with regression tests
> - The benefit is tighter authz on sensitive routes plus more reliable
issue/advisory editing and wakeup behavior on top of the latest base
## What Changed
- Hardened authenticated route authorization across agent, activity,
approval, access, project, plugin, health, execution-workspace,
portability, and related server paths, with new cross-tenant and
runtime-authz regression coverage.
- Switched issue detail queries from `initialData` to placeholder-based
hydration so list/quicklook seeds still refetch full issue bodies.
- Normalized advisory-style HTML images before mounting the markdown
editor and strengthened fallback behavior when the rich editor silently
fails or rejects the content.
- Woke assigned agents when blocked issues move back to `todo`, with
route coverage for reopen and unblock transitions.
- Rebasing note: this branch now sits cleanly on top of the latest
`master` tip used for the PR base.
## Verification
- `pnpm exec vitest run ui/src/lib/issueDetailQuery.test.tsx
ui/src/components/MarkdownEditor.test.tsx
server/src/__tests__/issue-comment-reopen-routes.test.ts
server/src/__tests__/activity-routes.test.ts
server/src/__tests__/agent-cross-tenant-authz-routes.test.ts`
- Confirmed `pnpm-lock.yaml` is not part of the PR diff.
- Rebased the branch onto current `public-gh/master` before publishing.
## Risks
- Broad authz tightening may expose existing flows that were relying on
permissive board or agent access and now need explicit grants.
- Markdown editor fallback changes could affect focus or rendering in
edge-case content that mixes HTML-like advisory markup with normal
markdown.
- This verification was intentionally scoped to touched regressions and
did not run the full repository suite.
## Model Used
- OpenAI Codex, GPT-5-based coding agent in the Codex CLI environment
with tool use for terminal, git, and GitHub operations. The exact
runtime model identifier is not exposed inside this session.
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, it is behavior-only and does not
need before/after screenshots
- [x] I have updated relevant documentation to reflect my changes, or no
documentation changes were needed for these internal fixes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
---------
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-04-15 08:41:15 -05:00
getIssueDetailQueryOptions,
ISSUE_DETAIL_STALE_TIME_MS,
prefetchIssueDetail,
} from "@/lib/issueDetailCache";
import { queryKeys } from "@/lib/queryKeys";
import { cn } from "@/lib/utils";
import { Popover, PopoverContent, PopoverTrigger } from "@/components/ui/popover";
import { StatusIcon } from "@/components/StatusIcon";
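/**
 * Reduce a markdown issue description to a short plain-text preview.
 *
 * Image syntax is dropped, inline links are replaced by their label, runs of
 * markdown punctuation become a single space, and whitespace is collapsed.
 * Results longer than 180 UTF-16 code units are cut to at most 177 and
 * suffixed with "...".
 *
 * The result is not sanitized HTML: "<" and tag names in the description pass
 * through unchanged, so callers must render it as text (for example as a JSX
 * text child), never as markup.
 *
 * @param description Raw issue description; may be null, undefined or empty.
 * @returns The preview text, or null when nothing printable remains.
 */
function summarizeIssueDescription(description: string | null | undefined) {
  if (!description) return null;

  // NOTE(review): each link pattern rescans from every unmatched "![" or "[",
  // so a very long description full of unclosed brackets can make these passes
  // slow; consider bounding description size where descriptions are accepted.
  const summary = description
    .replace(/!\[[^\]]*]\([^)]+\)/g, " ") // images: drop alt text and URL
    .replace(/\[([^\]]+)\]\([^)]+\)/g, "$1") // links: keep the label only
    .replace(/[#>*_`~-]+/g, " ") // heading, quote, emphasis, code and list markers
    .replace(/\s+/g, " ")
    .trim();

  if (!summary) return null;
  if (summary.length <= 180) return summary;

  // Do not end the cut on the first half of a surrogate pair: a lone high
  // surrogate would show up as a broken character right before the ellipsis.
  let cut = 177;
  const lastUnit = summary.charCodeAt(cut - 1);
  if (lastUnit >= 0xd800 && lastUnit <= 0xdbff) cut -= 1;

  return `${summary.slice(0, cut).trimEnd()}...`;
}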
/**
 * Compact issue summary: status icon with a linked title, a metadata row
 * (identifier, status, relative update time) and an optional description
 * excerpt.
 *
 * The title and the excerpt are emitted as JSX text children, so React escapes
 * them; no issue field is injected as raw HTML in this component.
 *
 * @param issue Issue to summarise.
 * @param linkTo Router target for the title link.
 * @param linkState Router state for the title link; when null or undefined, a
 *   header seed built from `issue` is used instead.
 * @param compact Tightens the vertical spacing when true.
 */
export function IssueQuicklookCard({
  issue,
  linkTo,
  linkState,
  compact = false,
}: {
  issue: Issue;
  linkTo: RouterDom.To;
  linkState?: unknown;
  compact?: boolean;
}) {
  // Recomputed only when the description text itself changes.
  const excerpt = useMemo(() => summarizeIssueDescription(issue.description), [issue.description]);

  const rootClassName = cn("space-y-2", compact && "space-y-1.5");
  // Caller-supplied state wins; the seed is only built when none was given.
  const titleLinkState = linkState ?? withIssueDetailHeaderSeed(null, issue);
  // Fall back to the first 8 characters of the id when there is no identifier.
  const shortId = issue.identifier ?? issue.id.slice(0, 8);
  const statusLabel = issue.status.replace(/_/g, " ");
  const updatedLabel = timeAgo(new Date(issue.updatedAt));

  const excerptBlock = excerpt ? (
    <p className="text-xs leading-5 text-muted-foreground [display:-webkit-box] [-webkit-box-orient:vertical] [-webkit-line-clamp:4] overflow-hidden">
      {excerpt}
    </p>
  ) : null;

  return (
    <div className={rootClassName}>
      <div className="flex items-start gap-2">
        <StatusIcon status={issue.status} className="mt-0.5 shrink-0" />
        <RouterDom.Link
          to={linkTo}
          state={titleLinkState}
          className="text-sm font-medium leading-snug hover:underline line-clamp-2"
        >
          {issue.title}
        </RouterDom.Link>
      </div>
      <div className="flex flex-wrap items-center gap-2 text-xs text-muted-foreground">
        <span className="font-mono">{shortId}</span>
        <span>·</span>
        <span>{statusLabel}</span>
        <span>·</span>
        <span>{updatedLabel}</span>
      </div>
      {excerptBlock}
    </div>
  );
}
/**
 * Router link to an issue that shows an `IssueQuicklookCard` preview in a
 * popover while the pointer is over the link or the popover itself.
 *
 * - Issue detail is prefetched on mouse enter, focus, touch start and click
 *   capture; the detail query itself is only enabled while the popover is open.
 * - When `issuePrefetch` is given it seeds both the link's router state and the
 *   query's placeholder issue.
 * - With `disableIssueQuicklook` the bare link is returned (prefetch handlers
 *   still attached) and no popover is rendered.
 *
 * NOTE(review): this component displays whatever the issue-detail query
 * returns for `issuePathId`. Company and role checks are presumably enforced by
 * the server route behind that query; nothing here can enforce them, so confirm
 * them there.
 */
export const IssueLinkQuicklook = React.forwardRef<
  HTMLAnchorElement,
  React.ComponentProps<typeof RouterDom.Link> & {
    issuePathId: string;
    disableIssueQuicklook?: boolean;
    issuePrefetch?: Issue | null;
  }
>(function IssueLinkQuicklookImpl(
  {
    issuePathId,
    to,
    children,
    className,
    state,
    disableIssueQuicklook = false,
    issuePrefetch = null,
    onClick,
    onClickCapture,
    onMouseEnter,
    onFocus,
    onTouchStart,
    ...rest
  },
  ref,
) {
  const queryClient = useQueryClient();
  const [isPreviewOpen, setPreviewOpen] = useState(false);

  // Router state handed to both the link and the preview card's title link.
  const linkState = issuePrefetch ? withIssueDetailHeaderSeed(state, issuePrefetch) : state;

  // Both fields are read on every render, exactly as a destructuring would.
  const { data: previewIssue, isLoading: isPreviewLoading } = useQuery({
    ...getIssueDetailQueryOptions(queryClient, issuePathId, { placeholderIssue: issuePrefetch ?? undefined }),
    enabled: isPreviewOpen,
    staleTime: ISSUE_DETAIL_STALE_TIME_MS,
  });

  const previewPath = createIssueDetailPath(issuePathId);

  // Fire-and-forget: the returned promise is deliberately not awaited.
  const handlePrefetch = React.useCallback(() => {
    void prefetchIssueDetail(queryClient, issuePathId, { issue: issuePrefetch });
  }, [issuePathId, issuePrefetch, queryClient]);

  const openPreview = () => setPreviewOpen(true);
  const closePreview = () => setPreviewOpen(false);

  // The caller's handlers were destructured out of the props above, so the
  // trailing spread cannot replace the wrapped versions below.
  const anchor = (
    <RouterDom.Link
      ref={ref}
      to={to}
      state={linkState}
      className={className}
      onMouseEnter={(e) => {
        handlePrefetch();
        onMouseEnter?.(e);
      }}
      onFocus={(e) => {
        handlePrefetch();
        onFocus?.(e);
      }}
      onTouchStart={(e) => {
        handlePrefetch();
        onTouchStart?.(e);
      }}
      onClickCapture={(e) => {
        handlePrefetch();
        onClickCapture?.(e);
      }}
      onClick={(e) => {
        // Navigating away: close the preview before the caller's handler runs.
        setPreviewOpen(false);
        onClick?.(e);
      }}
      {...rest}
    >
      {children}
    </RouterDom.Link>
  );

  if (disableIssueQuicklook) {
    return anchor;
  }

  // Loaded issue -> card; otherwise skeleton bars, plus a failure line once
  // the query is no longer loading.
  const previewBody = previewIssue ? (
    <IssueQuicklookCard issue={previewIssue} linkTo={previewPath} linkState={linkState} compact />
  ) : (
    <div className="space-y-2">
      <div className="h-4 w-24 rounded bg-accent/50" />
      <div className="h-4 w-full rounded bg-accent/40" />
      <div className="h-4 w-3/4 rounded bg-accent/30" />
      {isPreviewLoading ? null : (
        <p className="text-xs text-muted-foreground">Unable to load issue preview.</p>
      )}
    </div>
  );

  return (
    <Popover open={isPreviewOpen} onOpenChange={setPreviewOpen}>
      <PopoverTrigger
        asChild
        onMouseEnter={() => {
          handlePrefetch();
          setPreviewOpen(true);
        }}
        onMouseLeave={closePreview}
      >
        {anchor}
      </PopoverTrigger>
      <PopoverContent
        className="w-72 p-3"
        side="top"
        align="start"
        // Hovering the card itself keeps it open; leaving it closes it.
        onMouseEnter={openPreview}
        onMouseLeave={closePreview}
        // Cancels the popover's default open-auto-focus handling.
        onOpenAutoFocus={(e) => e.preventDefault()}
      >
        {previewBody}
      </PopoverContent>
    </Popover>
  );
});