ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-16 02:40:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

[codex] Add access cleanup and user profile page (#4088)

Browse source 
## Thinking Path

> - Paperclip is moving from a solo local operator model toward teams
supervising AI-agent companies.
> - Human access management and human-visible profile surfaces are part
of that multiple-user path.
> - The branch included related access cleanup, archived-member removal,
permission protection, and a user profile page.
> - These changes share company membership, user attribution, and
access-service behavior.
> - This pull request groups those human access/profile changes into one
standalone branch.
> - The benefit is safer member removal behavior and a first profile
surface for user work, activity, and cost attribution.

## What Changed

- Added archived company member removal support across shared contracts,
server routes/services, and UI.
- Protected company member removal with stricter permission checks and
tests.
- Added company user profile API, shared types, route wiring, client
API, route, and UI page.
- Simplified the user profile page visual design to a neutral
typography-led layout.

## Verification

- `pnpm install --frozen-lockfile`
- `pnpm exec vitest run server/src/__tests__/access-service.test.ts
server/src/__tests__/user-profile-routes.test.ts
ui/src/pages/CompanyAccess.test.tsx --hookTimeout=30000`
- `pnpm exec vitest run server/src/__tests__/user-profile-routes.test.ts
--testTimeout=30000 --hookTimeout=30000` after an initial local
embedded-Postgres hook timeout in the combined run.
- Split integration check: merged after runtime/governance and
dev-infra/backups with no merge conflicts.
- Confirmed this branch does not include `pnpm-lock.yaml`.

## Risks

- Medium risk: changes member removal permissions and adds a new user
profile route with cross-table stats.
- The profile page is a new UI surface and may need visual follow-up in
browser QA.
- No database migrations are included.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

- OpenAI Codex, GPT-5.4 tool-enabled coding model, agentic
code-editing/runtime with local shell and GitHub CLI access; exact
context window and reasoning mode are not exposed by the Paperclip
harness.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Dotta 2026-04-20 06:10:20 -05:00 committed by GitHub
parent e89d3f7e11
commit d8b63a18e7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
23 changed files with 2156 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

436
server/src/routes/user-profiles.ts Normal file
View file

@ -0,0 +1,436 @@
import { Router } from "express";
import { and, desc, eq, gte, isNull, sql } from "drizzle-orm";
import type { Db } from "@paperclipai/db";
import {
activityLog,
agents,
authUsers,
companyMemberships,
costEvents,
issueComments,
issues,
} from "@paperclipai/db";
import type {
UserProfileDailyPoint,
UserProfileIdentity,
UserProfileResponse,
UserProfileWindowStats,
} from "@paperclipai/shared";
import { notFound } from "../errors.js";
import { assertCompanyAccess } from "./authz.js";
type CompanyUserRow = {
id: string;
principalId: string;
status: string;
membershipRole: string | null;
createdAt: Date;
userId: string | null;
name: string | null;
email: string | null;
image: string | null;
};
const PROFILE_WINDOWS = [
{ key: "last7", label: "Last 7 days", days: 7 },
{ key: "last30", label: "Last 30 days", days: 30 },
{ key: "all", label: "All time", days: null },
] as const;
function slugifyUserPart(value: string | null | undefined) {
const normalized = value
?.trim()
.toLowerCase()
.replace(/['"]/g, "")
.replace(/[^a-z0-9]+/g, "-")
.replace(/^-+|-+$/g, "");
return normalized || null;
}
function userSlugCandidates(row: CompanyUserRow) {
const candidates = new Set<string>();
const add = (value: string | null | undefined) => {
const slug = slugifyUserPart(value);
if (slug) candidates.add(slug);
};
add(row.name);
add(row.email?.split("@")[0]);
add(row.email);
add(row.principalId);
return [...candidates];
}
async function resolveCompanyUser(db: Db, companyId: string, rawSlug: string): Promise<CompanyUserRow | null> {
const slug = slugifyUserPart(rawSlug);
if (!slug) return null;
const rows = await db
.select({
id: companyMemberships.id,
principalId: companyMemberships.principalId,
status: companyMemberships.status,
membershipRole: companyMemberships.membershipRole,
createdAt: companyMemberships.createdAt,
userId: authUsers.id,
name: authUsers.name,
email: authUsers.email,
image: authUsers.image,
})
.from(companyMemberships)
.leftJoin(authUsers, eq(authUsers.id, companyMemberships.principalId))
.where(
and(
eq(companyMemberships.companyId, companyId),
eq(companyMemberships.principalType, "user"),
),
)
.orderBy(desc(companyMemberships.updatedAt))
.limit(200);
return rows.find((row) => userSlugCandidates(row).includes(slug)) ?? null;
}
function userIssueInvolvementSql(companyId: string, userId: string) {
return sql<boolean>`
(
${issues.createdByUserId} = ${userId}
OR ${issues.assigneeUserId} = ${userId}
OR EXISTS (
SELECT 1
FROM ${issueComments}
WHERE ${issueComments.companyId} = ${companyId}
AND ${issueComments.issueId} = ${issues.id}
AND ${issueComments.authorUserId} = ${userId}
)
)
`;
}
function windowStart(days: number | null) {
if (!days) return null;
return new Date(Date.now() - days * 24 * 60 * 60 * 1000);
}
function startOfUtcDay(date: Date) {
return new Date(Date.UTC(date.getUTCFullYear(), date.getUTCMonth(), date.getUTCDate()));
}
function isoDay(date: Date) {
return startOfUtcDay(date).toISOString().slice(0, 10);
}
function dayKeyExpr(dateSql: ReturnType<typeof sql>) {
return sql<string>`to_char(date_trunc('day', ${dateSql}), 'YYYY-MM-DD')`;
}
function sumNumber(column: typeof costEvents.costCents | typeof costEvents.inputTokens | typeof costEvents.cachedInputTokens | typeof costEvents.outputTokens) {
return sql<number>`coalesce(sum(${column}), 0)::double precision`;
}
async function loadWindowStats(
db: Db,
companyId: string,
userId: string,
key: UserProfileWindowStats["key"],
label: string,
from: Date | null,
): Promise<UserProfileWindowStats> {
const involvement = userIssueInvolvementSql(companyId, userId);
const openStatuses = ["backlog", "todo", "in_progress", "in_review", "blocked"];
const fromIso = from?.toISOString();
const [issueStats] = await db
.select({
touchedIssues: sql<number>`count(distinct case when ${involvement} ${fromIso ? sql`and ${issues.updatedAt} >= ${fromIso}` : sql``} then ${issues.id} end)::int`,
createdIssues: sql<number>`count(distinct case when ${issues.createdByUserId} = ${userId} ${fromIso ? sql`and ${issues.createdAt} >= ${fromIso}` : sql``} then ${issues.id} end)::int`,
completedIssues: sql<number>`count(distinct case when ${involvement} and ${issues.status} = 'done' ${fromIso ? sql`and ${issues.completedAt} >= ${fromIso}` : sql``} then ${issues.id} end)::int`,
assignedOpenIssues: sql<number>`count(distinct case when ${issues.assigneeUserId} = ${userId} and ${issues.status} in (${sql.join(openStatuses.map((status) => sql`${status}`), sql`, `)}) then ${issues.id} end)::int`,
})
.from(issues)
.where(and(eq(issues.companyId, companyId), isNull(issues.hiddenAt)));
const commentConditions = [
eq(issueComments.companyId, companyId),
eq(issueComments.authorUserId, userId),
];
if (from) commentConditions.push(gte(issueComments.createdAt, from));
const [commentStats] = await db
.select({ count: sql<number>`count(*)::int` })
.from(issueComments)
.where(and(...commentConditions));
const activityConditions = [
eq(activityLog.companyId, companyId),
eq(activityLog.actorType, "user"),
eq(activityLog.actorId, userId),
];
if (from) activityConditions.push(gte(activityLog.createdAt, from));
const [activityStats] = await db
.select({ count: sql<number>`count(*)::int` })
.from(activityLog)
.where(and(...activityConditions));
const costConditions = [
eq(costEvents.companyId, companyId),
userIssueInvolvementSql(companyId, userId),
];
if (from) costConditions.push(gte(costEvents.occurredAt, from));
const [costStats] = await db
.select({
costCents: sumNumber(costEvents.costCents),
inputTokens: sumNumber(costEvents.inputTokens),
cachedInputTokens: sumNumber(costEvents.cachedInputTokens),
outputTokens: sumNumber(costEvents.outputTokens),
costEventCount: sql<number>`count(${costEvents.id})::int`,
})
.from(costEvents)
.innerJoin(issues, and(eq(issues.id, costEvents.issueId), eq(issues.companyId, costEvents.companyId)))
.where(and(...costConditions));
return {
key,
label,
touchedIssues: Number(issueStats?.touchedIssues ?? 0),
createdIssues: Number(issueStats?.createdIssues ?? 0),
completedIssues: Number(issueStats?.completedIssues ?? 0),
assignedOpenIssues: Number(issueStats?.assignedOpenIssues ?? 0),
commentCount: Number(commentStats?.count ?? 0),
activityCount: Number(activityStats?.count ?? 0),
costCents: Number(costStats?.costCents ?? 0),
inputTokens: Number(costStats?.inputTokens ?? 0),
cachedInputTokens: Number(costStats?.cachedInputTokens ?? 0),
outputTokens: Number(costStats?.outputTokens ?? 0),
costEventCount: Number(costStats?.costEventCount ?? 0),
};
}
async function loadDailyStats(db: Db, companyId: string, userId: string): Promise<UserProfileDailyPoint[]> {
const firstDay = startOfUtcDay(new Date(Date.now() - 13 * 24 * 60 * 60 * 1000));
const points = new Map<string, UserProfileDailyPoint>();
for (let index = 0; index < 14; index += 1) {
const date = new Date(firstDay.getTime() + index * 24 * 60 * 60 * 1000);
points.set(isoDay(date), {
date: isoDay(date),
activityCount: 0,
completedIssues: 0,
costCents: 0,
inputTokens: 0,
cachedInputTokens: 0,
outputTokens: 0,
});
}
const activityDay = dayKeyExpr(sql`${activityLog.createdAt}`);
const activityRows = await db
.select({
date: activityDay,
count: sql<number>`count(*)::int`,
})
.from(activityLog)
.where(
and(
eq(activityLog.companyId, companyId),
eq(activityLog.actorType, "user"),
eq(activityLog.actorId, userId),
gte(activityLog.createdAt, firstDay),
),
)
.groupBy(activityDay);
for (const row of activityRows) {
const point = points.get(row.date);
if (point) point.activityCount = Number(row.count);
}
const completedDay = dayKeyExpr(sql`${issues.completedAt}`);
const completedRows = await db
.select({
date: completedDay,
count: sql<number>`count(distinct ${issues.id})::int`,
})
.from(issues)
.where(
and(
eq(issues.companyId, companyId),
isNull(issues.hiddenAt),
eq(issues.status, "done"),
gte(issues.completedAt, firstDay),
userIssueInvolvementSql(companyId, userId),
),
)
.groupBy(completedDay);
for (const row of completedRows) {
const point = points.get(row.date);
if (point) point.completedIssues = Number(row.count);
}
const costDay = dayKeyExpr(sql`${costEvents.occurredAt}`);
const costRows = await db
.select({
date: costDay,
costCents: sumNumber(costEvents.costCents),
inputTokens: sumNumber(costEvents.inputTokens),
cachedInputTokens: sumNumber(costEvents.cachedInputTokens),
outputTokens: sumNumber(costEvents.outputTokens),
})
.from(costEvents)
.innerJoin(issues, and(eq(issues.id, costEvents.issueId), eq(issues.companyId, costEvents.companyId)))
.where(
and(
eq(costEvents.companyId, companyId),
gte(costEvents.occurredAt, firstDay),
userIssueInvolvementSql(companyId, userId),
),
)
.groupBy(costDay);
for (const row of costRows) {
const point = points.get(row.date);
if (!point) continue;
point.costCents = Number(row.costCents);
point.inputTokens = Number(row.inputTokens);
point.cachedInputTokens = Number(row.cachedInputTokens);
point.outputTokens = Number(row.outputTokens);
}
return [...points.values()];
}
export function userProfileRoutes(db: Db) {
const router = Router();
router.get("/companies/:companyId/users/:userSlug/profile", async (req, res) => {
const companyId = req.params.companyId as string;
const userSlug = req.params.userSlug as string;
assertCompanyAccess(req, companyId);
const row = await resolveCompanyUser(db, companyId, userSlug);
if (!row) throw notFound("User not found");
const canonicalSlug = userSlugCandidates(row)[0] ?? row.principalId;
const userId = row.userId ?? row.principalId;
const [stats, daily, recentIssues, recentActivity, topAgents, topProviders] = await Promise.all([
Promise.all(
PROFILE_WINDOWS.map((entry) =>
loadWindowStats(db, companyId, userId, entry.key, entry.label, windowStart(entry.days)),
),
),
loadDailyStats(db, companyId, userId),
db
.select({
id: issues.id,
identifier: issues.identifier,
title: issues.title,
status: issues.status,
priority: issues.priority,
assigneeAgentId: issues.assigneeAgentId,
assigneeUserId: issues.assigneeUserId,
updatedAt: issues.updatedAt,
completedAt: issues.completedAt,
})
.from(issues)
.where(
and(
eq(issues.companyId, companyId),
isNull(issues.hiddenAt),
userIssueInvolvementSql(companyId, userId),
),
)
.orderBy(desc(issues.updatedAt))
.limit(8),
db
.select({
id: activityLog.id,
action: activityLog.action,
entityType: activityLog.entityType,
entityId: activityLog.entityId,
details: activityLog.details,
createdAt: activityLog.createdAt,
})
.from(activityLog)
.where(
and(
eq(activityLog.companyId, companyId),
eq(activityLog.actorType, "user"),
eq(activityLog.actorId, userId),
),
)
.orderBy(desc(activityLog.createdAt))
.limit(12),
db
.select({
agentId: costEvents.agentId,
agentName: agents.name,
costCents: sumNumber(costEvents.costCents),
inputTokens: sumNumber(costEvents.inputTokens),
cachedInputTokens: sumNumber(costEvents.cachedInputTokens),
outputTokens: sumNumber(costEvents.outputTokens),
})
.from(costEvents)
.innerJoin(issues, and(eq(issues.id, costEvents.issueId), eq(issues.companyId, costEvents.companyId)))
.leftJoin(agents, eq(agents.id, costEvents.agentId))
.where(and(eq(costEvents.companyId, companyId), userIssueInvolvementSql(companyId, userId)))
.groupBy(costEvents.agentId, agents.name)
.orderBy(desc(sumNumber(costEvents.costCents)))
.limit(5),
db
.select({
provider: costEvents.provider,
biller: costEvents.biller,
model: costEvents.model,
costCents: sumNumber(costEvents.costCents),
inputTokens: sumNumber(costEvents.inputTokens),
cachedInputTokens: sumNumber(costEvents.cachedInputTokens),
outputTokens: sumNumber(costEvents.outputTokens),
})
.from(costEvents)
.innerJoin(issues, and(eq(issues.id, costEvents.issueId), eq(issues.companyId, costEvents.companyId)))
.where(and(eq(costEvents.companyId, companyId), userIssueInvolvementSql(companyId, userId)))
.groupBy(costEvents.provider, costEvents.biller, costEvents.model)
.orderBy(desc(sumNumber(costEvents.costCents)))
.limit(5),
]);
const user: UserProfileIdentity = {
id: userId,
slug: canonicalSlug,
name: row.name,
email: row.email,
image: row.image,
membershipRole: row.membershipRole,
membershipStatus: row.status,
joinedAt: row.createdAt,
};
const payload: UserProfileResponse = {
user,
stats,
daily,
recentIssues: recentIssues.map((issue) => ({
...issue,
status: issue.status as UserProfileResponse["recentIssues"][number]["status"],
priority: issue.priority as UserProfileResponse["recentIssues"][number]["priority"],
})),
recentActivity,
topAgents: topAgents.map((entry) => ({
...entry,
costCents: Number(entry.costCents),
inputTokens: Number(entry.inputTokens),
cachedInputTokens: Number(entry.cachedInputTokens),
outputTokens: Number(entry.outputTokens),
})),
topProviders: topProviders.map((entry) => ({
...entry,
costCents: Number(entry.costCents),
inputTokens: Number(entry.inputTokens),
cachedInputTokens: Number(entry.cachedInputTokens),
outputTokens: Number(entry.outputTokens),
})),
};
res.json(payload);
});
return router;
}