Harden API route authorization boundaries (#4122)

## Thinking Path

> - Paperclip orchestrates AI agents for zero-human companies.
> - The REST API is the control-plane boundary for companies, agents,
plugins, adapters, costs, invites, and issue mutations.
> - Several routes still relied on broad board or company access checks
without consistently enforcing the narrower actor, company, and
active-checkout boundaries those operations require.
> - That can allow agents or non-admin users to mutate sensitive
resources outside the intended governance path.
> - This pull request hardens the route authorization layer and adds
regression coverage for the audited API surfaces.
> - The benefit is tighter multi-company isolation, safer plugin and
adapter administration, and stronger enforcement of active issue
ownership.

## What Changed

- Added route-level authorization checks for budgets, plugin
administration/scoped routes, adapter management, company import/export,
direct agent creation, invite test resolution, and issue mutation/write
surfaces.
- Enforced active checkout ownership for agent-authenticated issue
mutations, while preserving explicit management overrides for permitted
managers.
- Restricted sensitive adapter and plugin management operations to
instance-admin or properly scoped actors.
- Tightened company portability and invite probing routes so agents
cannot cross company boundaries.
- Updated access constants and the Company Access UI copy for the new
active-checkout management grant.
- Added focused regression tests covering cross-company denial, agent
self-mutation denial, admin-only operations, and active checkout
ownership.
- Rebased the branch onto `public-gh/master` and fixed validation
fallout from the rebase: heartbeat-context route ordering and a company
import/export e2e fixture that now opts out of direct-hire approval
before using direct agent creation.
- Updated onboarding and signoff e2e setup to create seed agents through
`/agent-hires` plus board approval, so they remain compatible with the
approval-gated new-agent default.
- Addressed Greptile feedback by removing a duplicate company export API
alias, avoiding N+1 reporting-chain lookups in active-checkout override
checks, allowing agent mutations on unassigned `in_progress` issues, and
blocking NAT64 invite-probe targets.

## Verification

- `pnpm exec vitest run
server/src/__tests__/issues-goal-context-routes.test.ts
cli/src/__tests__/company-import-export-e2e.test.ts`
- `pnpm exec vitest run server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/adapter-routes-authz.test.ts
server/src/__tests__/agent-permissions-routes.test.ts
server/src/__tests__/company-portability-routes.test.ts
server/src/__tests__/costs-service.test.ts
server/src/__tests__/invite-test-resolution-route.test.ts
server/src/__tests__/issue-agent-mutation-ownership-routes.test.ts
server/src/__tests__/agent-adapter-validation-routes.test.ts`
- `pnpm exec vitest run
server/src/__tests__/issue-agent-mutation-ownership-routes.test.ts`
- `pnpm exec vitest run
server/src/__tests__/invite-test-resolution-route.test.ts`
- `pnpm -r typecheck`
- `pnpm --filter server typecheck`
- `pnpm --filter ui typecheck`
- `pnpm build`
- `pnpm test:e2e -- tests/e2e/onboarding.spec.ts
tests/e2e/signoff-policy.spec.ts`
- `pnpm test:e2e -- tests/e2e/signoff-policy.spec.ts`
- `pnpm test:run` was also run. It failed under default full-suite
parallelism with two order-dependent failures in
`plugin-routes-authz.test.ts` and `routines-e2e.test.ts`; both files
passed when rerun directly together with `pnpm exec vitest run
server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/routines-e2e.test.ts`.

## Risks

- Medium risk: this changes authorization behavior across multiple
sensitive API surfaces, so callers that depended on broad board/company
access may now receive `403` or `409` until they use the correct
governance path.
- Direct agent creation now respects the company-level board-approval
requirement; integrations that need pending hires should use
`/api/companies/:companyId/agent-hires`.
- Active in-progress issue mutations now require checkout ownership or
an explicit management override, which may reveal workflow assumptions
in older automation.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

OpenAI Codex, GPT-5 coding agent, tool-using workflow with local shell,
Git, GitHub CLI, and repository tests.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [ ] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>

server/src/__tests__/invite-test-resolution-route.test.ts

@@ -0,0 +1,190 @@
+import express from "express";
+import request from "supertest";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+import {
+  accessRoutes,
+  setInviteResolutionNetworkForTest,
+} from "../routes/access.js";
+import { errorHandler } from "../middleware/index.js";
+
+function createSelectChain(rows: unknown[]) {
+  const query = {
+    then(resolve: (value: unknown[]) => unknown) {
+      return Promise.resolve(rows).then(resolve);
+    },
+    where() {
+      return query;
+    },
+  };
+  return {
+    from() {
+      return query;
+    },
+  };
+}
+
+function createDbStub(inviteRows: unknown[]) {
+  return {
+    select() {
+      return createSelectChain(inviteRows);
+    },
+  };
+}
+
+function createInvite(overrides: Record<string, unknown> = {}) {
+  return {
+    id: "invite-1",
+    companyId: "company-1",
+    inviteType: "company_join",
+    allowedJoinTypes: "agent",
+    tokenHash: "hash",
+    defaultsPayload: null,
+    expiresAt: new Date("2027-03-07T00:10:00.000Z"),
+    invitedByUserId: null,
+    revokedAt: null,
+    acceptedAt: null,
+    createdAt: new Date("2026-03-07T00:00:00.000Z"),
+    updatedAt: new Date("2026-03-07T00:00:00.000Z"),
+    ...overrides,
+  };
+}
+
+function createApp(db: Record<string, unknown>) {
+  const app = express();
+  app.use((req, _res, next) => {
+    (req as any).actor = { type: "anon" };
+    next();
+  });
+  app.use(
+    "/api",
+    accessRoutes(db as any, {
+      deploymentMode: "local_trusted",
+      deploymentExposure: "private",
+      bindHost: "127.0.0.1",
+      allowedHostnames: [],
+    }),
+  );
+  app.use(errorHandler);
+  return app;
+}
+
+describe("GET /invites/:token/test-resolution", () => {
+  const lookup = vi.fn();
+  const requestHead = vi.fn();
+
+  beforeEach(() => {
+    lookup.mockReset();
+    requestHead.mockReset();
+    setInviteResolutionNetworkForTest({ lookup, requestHead });
+  });
+
+  afterEach(() => {
+    setInviteResolutionNetworkForTest(null);
+  });
+
+  it.each([
+    ["localhost", "http://localhost:3100/api/health", "127.0.0.1"],
+    ["IPv4 loopback", "http://127.0.0.1:3100/api/health", "127.0.0.1"],
+    ["IPv6 loopback", "http://[::1]:3100/api/health", "::1"],
+    ["IPv4-mapped IPv6 loopback hex", "http://[::ffff:7f00:1]/api/health", "::ffff:7f00:1"],
+    ["IPv4-mapped IPv6 RFC1918 hex", "http://[::ffff:c0a8:101]/api/health", "::ffff:c0a8:101"],
+    ["RFC1918 10/8", "http://10.0.0.5/api/health", "10.0.0.5"],
+    ["RFC1918 172.16/12", "http://172.16.10.5/api/health", "172.16.10.5"],
+    ["RFC1918 192.168/16", "http://192.168.1.10/api/health", "192.168.1.10"],
+    ["link-local metadata", "http://169.254.169.254/latest/meta-data", "169.254.169.254"],
+    ["multicast", "http://224.0.0.1/probe", "224.0.0.1"],
+    ["NAT64 well-known prefix", "https://gateway.example.test/health", "64:ff9b::0a00:0001"],
+    ["NAT64 local-use prefix", "https://gateway.example.test/health", "64:ff9b:1::0a00:0001"],
+  ])("rejects %s targets before probing", async (_label, url, address) => {
+    lookup.mockResolvedValue([{ address, family: address.includes(":") ? 6 : 4 }]);
+    const app = createApp(createDbStub([createInvite()]));
+
+    const res = await request(app)
+      .get("/api/invites/pcp_invite_test/test-resolution")
+      .query({ url });
+
+    expect(res.status).toBe(400);
+    expect(res.body.error).toBe(
+      "url resolves to a private, local, multicast, or reserved address",
+    );
+    expect(requestHead).not.toHaveBeenCalled();
+  });
+
+  it("rejects hostnames that resolve to private addresses", async () => {
+    lookup.mockResolvedValue([{ address: "10.1.2.3", family: 4 }]);
+    const app = createApp(createDbStub([createInvite()]));
+
+    const res = await request(app)
+      .get("/api/invites/pcp_invite_test/test-resolution")
+      .query({ url: "https://gateway.example.test/health" });
+
+    expect(res.status).toBe(400);
+    expect(res.body.error).toBe(
+      "url resolves to a private, local, multicast, or reserved address",
+    );
+    expect(lookup).toHaveBeenCalledWith("gateway.example.test");
+    expect(requestHead).not.toHaveBeenCalled();
+  });
+
+  it("rejects hostnames when any resolved address is private", async () => {
+    lookup.mockResolvedValue([
+      { address: "93.184.216.34", family: 4 },
+      { address: "127.0.0.1", family: 4 },
+    ]);
+    const app = createApp(createDbStub([createInvite()]));
+
+    const res = await request(app)
+      .get("/api/invites/pcp_invite_test/test-resolution")
+      .query({ url: "https://mixed.example.test/health" });
+
+    expect(res.status).toBe(400);
+    expect(requestHead).not.toHaveBeenCalled();
+  });
+
+  it("allows public HTTPS targets through the resolved and pinned probe path", async () => {
+    lookup.mockResolvedValue([{ address: "93.184.216.34", family: 4 }]);
+    requestHead.mockResolvedValue({ httpStatus: 204 });
+    const app = createApp(createDbStub([createInvite()]));
+
+    const res = await request(app)
+      .get("/api/invites/pcp_invite_test/test-resolution")
+      .query({ url: "https://gateway.example.test/health", timeoutMs: "2500" });
+
+    expect(res.status).toBe(200);
+    expect(res.body).toMatchObject({
+      inviteId: "invite-1",
+      requestedUrl: "https://gateway.example.test/health",
+      timeoutMs: 2500,
+      status: "reachable",
+      method: "HEAD",
+      httpStatus: 204,
+    });
+    expect(requestHead).toHaveBeenCalledWith(
+      expect.objectContaining({
+        resolvedAddress: "93.184.216.34",
+        resolvedAddresses: ["93.184.216.34"],
+        hostHeader: "gateway.example.test",
+        tlsServername: "gateway.example.test",
+      }),
+      2500,
+    );
+  });
+
+  it.each([
+    ["missing invite", []],
+    ["revoked invite", [createInvite({ revokedAt: new Date("2026-03-07T00:05:00.000Z") })]],
+    ["expired invite", [createInvite({ expiresAt: new Date("2020-03-07T00:10:00.000Z") })]],
+  ])("returns not found for %s tokens before DNS lookup", async (_label, inviteRows) => {
+    const app = createApp(createDbStub(inviteRows));
+
+    const res = await request(app)
+      .get("/api/invites/pcp_invite_test/test-resolution")
+      .query({ url: "https://gateway.example.test/health" });
+
+    expect(res.status).toBe(404);
+    expect(res.body.error).toBe("Invite not found");
+    expect(lookup).not.toHaveBeenCalled();
+    expect(requestHead).not.toHaveBeenCalled();
+  });
+});