[codex] harden authenticated routes and issue editor reliability (#3741)

## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - The control plane depends on authenticated routes enforcing company boundaries and role permissions correctly > - This branch also touches the issue detail and markdown editing flows operators use while handling advisory and triage work > - Partial issue cache seeds and fragile rich-editor parsing could leave important issue content missing or blank at the moment an operator needed it > - Blocked issues becoming actionable again should wake their assignee automatically instead of silently staying idle > - This pull request rebases the advisory follow-up branch onto current `master`, hardens authenticated route authorization, and carries the issue-detail/editor reliability fixes forward with regression tests > - The benefit is tighter authz on sensitive routes plus more reliable issue/advisory editing and wakeup behavior on top of the latest base ## What Changed - Hardened authenticated route authorization across agent, activity, approval, access, project, plugin, health, execution-workspace, portability, and related server paths, with new cross-tenant and runtime-authz regression coverage. - Switched issue detail queries from `initialData` to placeholder-based hydration so list/quicklook seeds still refetch full issue bodies. - Normalized advisory-style HTML images before mounting the markdown editor and strengthened fallback behavior when the rich editor silently fails or rejects the content. - Woke assigned agents when blocked issues move back to `todo`, with route coverage for reopen and unblock transitions. - Rebasing note: this branch now sits cleanly on top of the latest `master` tip used for the PR base. ## Verification - `pnpm exec vitest run ui/src/lib/issueDetailQuery.test.tsx ui/src/components/MarkdownEditor.test.tsx server/src/__tests__/issue-comment-reopen-routes.test.ts server/src/__tests__/activity-routes.test.ts server/src/__tests__/agent-cross-tenant-authz-routes.test.ts` - Confirmed `pnpm-lock.yaml` is not part of the PR diff. - Rebased the branch onto current `public-gh/master` before publishing. ## Risks - Broad authz tightening may expose existing flows that were relying on permissive board or agent access and now need explicit grants. - Markdown editor fallback changes could affect focus or rendering in edge-case content that mixes HTML-like advisory markup with normal markdown. - This verification was intentionally scoped to touched regressions and did not run the full repository suite. ## Model Used - OpenAI Codex, GPT-5-based coding agent in the Codex CLI environment with tool use for terminal, git, and GitHub operations. The exact runtime model identifier is not exposed inside this session. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, it is behavior-only and does not need before/after screenshots - [x] I have updated relevant documentation to reflect my changes, or no documentation changes were needed for these internal fixes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-06-16 10:50:38 +09:00 · 2026-04-15 08:41:15 -05:00 · 2026-04-15 08:41:15 -05:00 · 32a9165ddf
commit 32a9165ddf
parent 50cd76d8a3
39 changed files with 3014 additions and 153 deletions
--- a/server/src/routes/access.ts
+++ b/server/src/routes/access.ts
@ -48,7 +48,7 @@ import {
  logActivity,
  notifyHireApproved
 } from "../services/index.js";
-import { assertCompanyAccess } from "./authz.js";
+import { assertAuthenticated, assertCompanyAccess } from "./authz.js";
 import {
  claimBoardOwnership,
  inspectBoardClaimChallenge
@ -863,6 +863,7 @@ function toInviteSummaryResponse(
  const baseUrl = requestBaseUrl(req);
  const onboardingPath = `/api/invites/${token}/onboarding`;
  const onboardingTextPath = `/api/invites/${token}/onboarding.txt`;
+  const skillIndexPath = `/api/invites/${token}/skills/index`;
  const inviteMessage = extractInviteMessage(invite);
  return {
    id: invite.id,
@ -877,10 +878,10 @@ function toInviteSummaryResponse(
    onboardingTextUrl: baseUrl
      ? `${baseUrl}${onboardingTextPath}`
      : onboardingTextPath,
-    skillIndexPath: "/api/skills/index",
+    skillIndexPath,
    skillIndexUrl: baseUrl
-      ? `${baseUrl}/api/skills/index`
-      : "/api/skills/index",
+      ? `${baseUrl}${skillIndexPath}`
+      : skillIndexPath,
    inviteMessage
  };
 }
@ -1004,7 +1005,7 @@ function buildInviteOnboardingManifest(
  }
 ) {
  const baseUrl = requestBaseUrl(req);
-  const skillPath = "/api/skills/paperclip";
+  const skillPath = `/api/invites/${token}/skills/paperclip`;
  const skillUrl = baseUrl ? `${baseUrl}${skillPath}` : skillPath;
  const registrationEndpointPath = `/api/invites/${token}/accept`;
  const registrationEndpointUrl = baseUrl
@ -1906,11 +1907,13 @@ export function accessRoutes(
    return company?.name ?? null;
  }

-  router.get("/skills/available", (_req, res) => {
+  router.get("/skills/available", (req, res) => {
+    assertAuthenticated(req);
    res.json({ skills: listAvailableSkills() });
  });

-  router.get("/skills/index", (_req, res) => {
+  router.get("/skills/index", (req, res) => {
+    assertAuthenticated(req);
    res.json({
      skills: [
        { name: "paperclip", path: "/api/skills/paperclip" },
@ -1927,6 +1930,7 @@ export function accessRoutes(
  });

  router.get("/skills/:skillName", (req, res) => {
+    assertAuthenticated(req);
    const skillName = (req.params.skillName as string).trim().toLowerCase();
    const markdown = readSkillMarkdown(skillName);
    if (!markdown) throw notFound("Skill not found");
@ -2100,6 +2104,47 @@ export function accessRoutes(
      );
  });

+  router.get("/invites/:token/skills/index", async (req, res) => {
+    const token = (req.params.token as string).trim();
+    if (!token) throw notFound("Invite not found");
+    const invite = await db
+      .select()
+      .from(invites)
+      .where(eq(invites.tokenHash, hashToken(token)))
+      .then((rows) => rows[0] ?? null);
+    if (!invite || invite.revokedAt || inviteExpired(invite)) {
+      throw notFound("Invite not found");
+    }
+
+    res.json({
+      skills: [
+        {
+          name: "paperclip",
+          path: `/api/invites/${token}/skills/paperclip`,
+        },
+      ],
+    });
+  });
+
+  router.get("/invites/:token/skills/:skillName", async (req, res) => {
+    const token = (req.params.token as string).trim();
+    if (!token) throw notFound("Invite not found");
+    const invite = await db
+      .select()
+      .from(invites)
+      .where(eq(invites.tokenHash, hashToken(token)))
+      .then((rows) => rows[0] ?? null);
+    if (!invite || invite.revokedAt || inviteExpired(invite)) {
+      throw notFound("Invite not found");
+    }
+
+    const skillName = (req.params.skillName as string).trim().toLowerCase();
+    if (skillName !== "paperclip") throw notFound("Skill not found");
+    const markdown = readSkillMarkdown(skillName);
+    if (!markdown) throw notFound("Skill not found");
+    res.type("text/markdown").send(markdown);
+  });
+
  router.get("/invites/:token/test-resolution", async (req, res) => {
    const token = (req.params.token as string).trim();
    if (!token) throw notFound("Invite not found");