@doccov/api 0.4.0 → 0.6.0

package/src/routes/orgs.ts

@@ -3,6 +3,8 @@ import { nanoid } from 'nanoid';
 import { auth } from '../auth/config';
 import { db } from '../db/client';
 
+const SITE_URL = process.env.SITE_URL || 'http://localhost:3000';
+
 type Session = Awaited<ReturnType<typeof auth.api.getSession>>;
 
 type Env = {
@@ -136,3 +138,250 @@ orgsRoute.post('/:slug/projects', async (c) => {
 
   return c.json({ project }, 201);
 });
+
+// ============ Members ============
+
+// List org members
+orgsRoute.get('/:slug/members', async (c) => {
+  const session = c.get('session');
+  const { slug } = c.req.param();
+
+  // Verify membership
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .select(['organizations.id as orgId', 'org_members.role as myRole'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Organization not found' }, 404);
+  }
+
+  const members = await db
+    .selectFrom('org_members')
+    .innerJoin('user', 'user.id', 'org_members.userId')
+    .where('org_members.orgId', '=', org.orgId)
+    .select([
+      'org_members.id',
+      'org_members.userId',
+      'org_members.role',
+      'org_members.createdAt',
+      'user.email',
+      'user.name',
+      'user.image',
+    ])
+    .orderBy('org_members.createdAt', 'asc')
+    .execute();
+
+  return c.json({ members, myRole: org.myRole });
+});
+
+// Create invite
+orgsRoute.post('/:slug/invites', async (c) => {
+  const session = c.get('session');
+  const { slug } = c.req.param();
+  const body = await c.req.json<{ email: string; role: 'admin' | 'member' }>();
+
+  // Verify owner/admin
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['organizations.id as orgId', 'organizations.name'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Forbidden' }, 403);
+  }
+
+  // Check if already a member
+  const existingMember = await db
+    .selectFrom('org_members')
+    .innerJoin('user', 'user.id', 'org_members.userId')
+    .where('org_members.orgId', '=', org.orgId)
+    .where('user.email', '=', body.email)
+    .select('org_members.id')
+    .executeTakeFirst();
+
+  if (existingMember) {
+    return c.json({ error: 'User is already a member' }, 400);
+  }
+
+  const token = nanoid(32);
+  const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days
+
+  const invite = await db
+    .insertInto('org_invites')
+    .values({
+      id: nanoid(21),
+      orgId: org.orgId,
+      email: body.email,
+      role: body.role || 'member',
+      token,
+      expiresAt,
+      createdBy: session.user.id,
+    })
+    .returningAll()
+    .executeTakeFirst();
+
+  const inviteUrl = `${SITE_URL}/invite/${token}`;
+
+  return c.json({ invite, inviteUrl }, 201);
+});
+
+// List pending invites
+orgsRoute.get('/:slug/invites', async (c) => {
+  const session = c.get('session');
+  const { slug } = c.req.param();
+
+  // Verify owner/admin
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['organizations.id as orgId'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Forbidden' }, 403);
+  }
+
+  const invites = await db
+    .selectFrom('org_invites')
+    .where('orgId', '=', org.orgId)
+    .where('expiresAt', '>', new Date())
+    .select(['id', 'email', 'role', 'expiresAt', 'createdAt'])
+    .orderBy('createdAt', 'desc')
+    .execute();
+
+  return c.json({ invites });
+});
+
+// Delete invite
+orgsRoute.delete('/:slug/invites/:inviteId', async (c) => {
+  const session = c.get('session');
+  const { slug, inviteId } = c.req.param();
+
+  // Verify owner/admin
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['organizations.id as orgId'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Forbidden' }, 403);
+  }
+
+  await db
+    .deleteFrom('org_invites')
+    .where('id', '=', inviteId)
+    .where('orgId', '=', org.orgId)
+    .execute();
+
+  return c.json({ success: true });
+});
+
+// Update member role
+orgsRoute.patch('/:slug/members/:userId', async (c) => {
+  const session = c.get('session');
+  const { slug, userId } = c.req.param();
+  const body = await c.req.json<{ role: 'admin' | 'member' }>();
+
+  // Verify owner
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', '=', 'owner')
+    .select(['organizations.id as orgId'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Only owner can change roles' }, 403);
+  }
+
+  // Don't allow changing owner role
+  const targetMember = await db
+    .selectFrom('org_members')
+    .where('orgId', '=', org.orgId)
+    .where('userId', '=', userId)
+    .select('role')
+    .executeTakeFirst();
+
+  if (!targetMember) {
+    return c.json({ error: 'Member not found' }, 404);
+  }
+
+  if (targetMember.role === 'owner') {
+    return c.json({ error: 'Cannot change owner role' }, 400);
+  }
+
+  await db
+    .updateTable('org_members')
+    .set({ role: body.role })
+    .where('orgId', '=', org.orgId)
+    .where('userId', '=', userId)
+    .execute();
+
+  return c.json({ success: true });
+});
+
+// Remove member
+orgsRoute.delete('/:slug/members/:userId', async (c) => {
+  const session = c.get('session');
+  const { slug, userId } = c.req.param();
+
+  // Verify owner/admin
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.slug', '=', slug)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['organizations.id as orgId', 'org_members.role as myRole'])
+    .executeTakeFirst();
+
+  if (!org) {
+    return c.json({ error: 'Forbidden' }, 403);
+  }
+
+  // Don't allow removing owner
+  const targetMember = await db
+    .selectFrom('org_members')
+    .where('orgId', '=', org.orgId)
+    .where('userId', '=', userId)
+    .select('role')
+    .executeTakeFirst();
+
+  if (!targetMember) {
+    return c.json({ error: 'Member not found' }, 404);
+  }
+
+  if (targetMember.role === 'owner') {
+    return c.json({ error: 'Cannot remove owner' }, 400);
+  }
+
+  // Admins can only remove members, not other admins
+  if (org.myRole === 'admin' && targetMember.role === 'admin') {
+    return c.json({ error: 'Admins cannot remove other admins' }, 403);
+  }
+
+  await db
+    .deleteFrom('org_members')
+    .where('orgId', '=', org.orgId)
+    .where('userId', '=', userId)
+    .execute();
+
+  return c.json({ success: true });
+});

package/src/routes/spec-v1.ts

@@ -0,0 +1,165 @@
+/**
+ * Spec routes (v1) - API key authenticated endpoints for programmatic access
+ *
+ * POST /v1/spec/diff - Compare two specs
+ */
+
+import { Hono } from 'hono';
+import { z } from 'zod';
+import { db } from '../db/client';
+import type { ApiKeyContext } from '../middleware/api-key-auth';
+import {
+  computeFullDiff,
+  type DiffOptions,
+  diffSpecs,
+  formatDiffResponse,
+} from '../utils/spec-diff-core';
+
+type Env = {
+  Variables: ApiKeyContext;
+};
+
+export const specV1Route = new Hono<Env>();
+
+// Request schemas
+const GitHubDiffSchema = z.object({
+  mode: z.literal('github'),
+  owner: z.string().min(1),
+  repo: z.string().min(1),
+  base: z.string().min(1),
+  head: z.string().min(1),
+  includeDocsImpact: z.boolean().optional(),
+});
+
+const SpecsDiffSchema = z.object({
+  mode: z.literal('specs'),
+  baseSpec: z.object({}).passthrough(),
+  headSpec: z.object({}).passthrough(),
+  markdownFiles: z
+    .array(
+      z.object({
+        path: z.string(),
+        content: z.string(),
+      }),
+    )
+    .optional(),
+});
+
+const DiffRequestSchema = z.discriminatedUnion('mode', [GitHubDiffSchema, SpecsDiffSchema]);
+
+/**
+ * POST /v1/spec/diff - Compare two specs
+ *
+ * Supports two modes:
+ * 1. GitHub refs: Clone and compare specs from GitHub refs
+ * 2. Direct specs: Compare uploaded spec objects
+ */
+specV1Route.post('/diff', async (c) => {
+  const org = c.get('org');
+
+  // Parse and validate request body
+  let body: z.infer<typeof DiffRequestSchema>;
+  try {
+    const rawBody = await c.req.json();
+    body = DiffRequestSchema.parse(rawBody);
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      return c.json(
+        {
+          error: 'Invalid request',
+          details: err.errors,
+        },
+        400,
+      );
+    }
+    return c.json({ error: 'Invalid JSON body' }, 400);
+  }
+
+  try {
+    if (body.mode === 'github') {
+      // GitHub mode: need to find installation for this org
+      const { owner, repo, base, head, includeDocsImpact } = body;
+
+      // Look up installation from org
+      const installation = await db
+        .selectFrom('github_installations')
+        .where('orgId', '=', org.id)
+        .select(['installationId'])
+        .executeTakeFirst();
+
+      if (!installation) {
+        return c.json(
+          {
+            error: 'No GitHub App installation found for this repository',
+            hint: 'Install the DocCov GitHub App to compare repos',
+          },
+          403,
+        );
+      }
+
+      // Compute diff with timeout
+      const diffOptions: DiffOptions = {
+        includeDocsImpact,
+      };
+
+      const result = await Promise.race([
+        computeFullDiff(
+          { owner, repo, ref: base, installationId: installation.installationId },
+          { owner, repo, ref: head, installationId: installation.installationId },
+          diffOptions,
+        ),
+        new Promise<never>((_, reject) => setTimeout(() => reject(new Error('TIMEOUT')), 60_000)),
+      ]);
+
+      return c.json(formatDiffResponse(result));
+    }
+
+    // Specs mode: direct comparison
+    const { baseSpec, headSpec, markdownFiles } = body;
+
+    const diff = diffSpecs(
+      baseSpec as Parameters<typeof diffSpecs>[0],
+      headSpec as Parameters<typeof diffSpecs>[1],
+      markdownFiles,
+    );
+
+    return c.json({
+      // Core diff fields
+      breaking: diff.breaking,
+      nonBreaking: diff.nonBreaking,
+      docsOnly: diff.docsOnly,
+      coverageDelta: diff.coverageDelta,
+      oldCoverage: diff.oldCoverage,
+      newCoverage: diff.newCoverage,
+      driftIntroduced: diff.driftIntroduced,
+      driftResolved: diff.driftResolved,
+      newUndocumented: diff.newUndocumented,
+      improvedExports: diff.improvedExports,
+      regressedExports: diff.regressedExports,
+
+      // Extended fields
+      memberChanges: diff.memberChanges,
+      categorizedBreaking: diff.categorizedBreaking,
+      docsImpact: diff.docsImpact,
+
+      // Metadata
+      generatedAt: new Date().toISOString(),
+      cached: false,
+    });
+  } catch (err) {
+    if (err instanceof Error) {
+      if (err.message === 'TIMEOUT') {
+        return c.json({ error: 'Spec generation timed out' }, 408);
+      }
+      if (err.message.includes('not found') || err.message.includes('404')) {
+        return c.json({ error: 'Repository or ref not found' }, 404);
+      }
+      if (err.message.includes('No token')) {
+        return c.json({ error: 'GitHub App access required' }, 403);
+      }
+    }
+
+    console.error('Spec diff error:', err);
+    return c.json({ error: 'Failed to compute diff' }, 500);
+  }
+});

package/src/routes/spec.ts

@@ -0,0 +1,186 @@
+/**
+ * Spec routes - session authenticated endpoints for dashboard
+ */
+
+import { Hono } from 'hono';
+import { z } from 'zod';
+import { auth } from '../auth/config';
+import { db } from '../db/client';
+import {
+  computeFullDiff,
+  type DiffOptions,
+  diffSpecs,
+  formatDiffResponse,
+} from '../utils/spec-diff-core';
+
+type Session = Awaited<ReturnType<typeof auth.api.getSession>>;
+
+type Env = {
+  Variables: {
+    session: NonNullable<Session>;
+  };
+};
+
+export const specRoute = new Hono<Env>();
+
+// Middleware: require session auth
+specRoute.use('*', async (c, next) => {
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+  if (!session) {
+    return c.json({ error: 'Unauthorized' }, 401);
+  }
+  c.set('session', session);
+  await next();
+});
+
+// Request schemas
+const GitHubDiffSchema = z.object({
+  mode: z.literal('github'),
+  owner: z.string().min(1),
+  repo: z.string().min(1),
+  base: z.string().min(1),
+  head: z.string().min(1),
+  installationId: z.string().optional(),
+  includeDocsImpact: z.boolean().optional(),
+});
+
+const SpecsDiffSchema = z.object({
+  mode: z.literal('specs'),
+  baseSpec: z.object({}).passthrough(),
+  headSpec: z.object({}).passthrough(),
+  markdownFiles: z
+    .array(
+      z.object({
+        path: z.string(),
+        content: z.string(),
+      }),
+    )
+    .optional(),
+});
+
+const DiffRequestSchema = z.discriminatedUnion('mode', [GitHubDiffSchema, SpecsDiffSchema]);
+
+/**
+ * POST /spec/diff - Compare two specs
+ *
+ * Supports two modes:
+ * 1. GitHub refs: Clone and compare specs from GitHub refs
+ * 2. Direct specs: Compare uploaded spec objects
+ */
+specRoute.post('/diff', async (c) => {
+  const session = c.get('session');
+
+  // Parse and validate request body
+  let body: z.infer<typeof DiffRequestSchema>;
+  try {
+    const rawBody = await c.req.json();
+    body = DiffRequestSchema.parse(rawBody);
+  } catch (err) {
+    if (err instanceof z.ZodError) {
+      return c.json(
+        {
+          error: 'Invalid request',
+          details: err.errors,
+        },
+        400,
+      );
+    }
+    return c.json({ error: 'Invalid JSON body' }, 400);
+  }
+
+  try {
+    if (body.mode === 'github') {
+      // GitHub mode: need to verify access and get installation
+      const { owner, repo, base, head, installationId, includeDocsImpact } = body;
+
+      // Find installation ID if not provided
+      let resolvedInstallationId = installationId;
+
+      if (!resolvedInstallationId) {
+        // Look up installation from user's orgs
+        const installation = await db
+          .selectFrom('github_installations')
+          .innerJoin('org_members', 'org_members.orgId', 'github_installations.orgId')
+          .where('org_members.userId', '=', session.user.id)
+          .select(['github_installations.installationId'])
+          .executeTakeFirst();
+
+        if (!installation) {
+          return c.json(
+            {
+              error: 'No GitHub App installation found for this repository',
+              hint: 'Install the DocCov GitHub App to compare repos',
+            },
+            403,
+          );
+        }
+
+        resolvedInstallationId = installation.installationId;
+      }
+
+      // Compute diff with timeout
+      const diffOptions: DiffOptions = {
+        includeDocsImpact,
+      };
+
+      const result = await Promise.race([
+        computeFullDiff(
+          { owner, repo, ref: base, installationId: resolvedInstallationId },
+          { owner, repo, ref: head, installationId: resolvedInstallationId },
+          diffOptions,
+        ),
+        new Promise<never>((_, reject) => setTimeout(() => reject(new Error('TIMEOUT')), 60_000)),
+      ]);
+
+      return c.json(formatDiffResponse(result));
+    }
+
+    // Specs mode: direct comparison
+    const { baseSpec, headSpec, markdownFiles } = body;
+
+    const diff = diffSpecs(
+      baseSpec as Parameters<typeof diffSpecs>[0],
+      headSpec as Parameters<typeof diffSpecs>[1],
+      markdownFiles,
+    );
+
+    return c.json({
+      // Core diff fields
+      breaking: diff.breaking,
+      nonBreaking: diff.nonBreaking,
+      docsOnly: diff.docsOnly,
+      coverageDelta: diff.coverageDelta,
+      oldCoverage: diff.oldCoverage,
+      newCoverage: diff.newCoverage,
+      driftIntroduced: diff.driftIntroduced,
+      driftResolved: diff.driftResolved,
+      newUndocumented: diff.newUndocumented,
+      improvedExports: diff.improvedExports,
+      regressedExports: diff.regressedExports,
+
+      // Extended fields
+      memberChanges: diff.memberChanges,
+      categorizedBreaking: diff.categorizedBreaking,
+      docsImpact: diff.docsImpact,
+
+      // Metadata
+      generatedAt: new Date().toISOString(),
+      cached: false,
+    });
+  } catch (err) {
+    if (err instanceof Error) {
+      if (err.message === 'TIMEOUT') {
+        return c.json({ error: 'Spec generation timed out' }, 408);
+      }
+      if (err.message.includes('not found') || err.message.includes('404')) {
+        return c.json({ error: 'Repository or ref not found' }, 404);
+      }
+      if (err.message.includes('No token')) {
+        return c.json({ error: 'GitHub App access required' }, 403);
+      }
+    }
+
+    console.error('Spec diff error:', err);
+    return c.json({ error: 'Failed to compute diff' }, 500);
+  }
+});