npm - @hiai-gg/hiai-docs - Versions diffs - 0.0.1 - Mend

@hiai-gg/hiai-docs 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (216) hide show

package/.all-contributorsrc +18 -0
package/.claude/settings.local.json +61 -0
package/.dockerignore +113 -0
package/.env.example +68 -0
package/.github/FUNDING.yml +5 -0
package/.github/ISSUE_TEMPLATE/bug_report.md +74 -0
package/.github/ISSUE_TEMPLATE/feature_request.md +78 -0
package/.github/dependabot.yml +136 -0
package/.github/pull_request_template.md +96 -0
package/.github/workflows/ci.yml +283 -0
package/AGENTS.md +237 -0
package/CODE_OF_CONDUCT.md +134 -0
package/CONTRIBUTING.md +77 -0
package/Caddyfile +50 -0
package/Dockerfile.backend +60 -0
package/LICENSE +21 -0
package/README.md +284 -0
package/RELEASE_CHECKLIST.md +34 -0
package/SECURITY.md +60 -0
package/backend/package.json +43 -0
package/backend/src/__tests__/auth-helpers.test.ts +51 -0
package/backend/src/__tests__/chunker.test.ts +65 -0
package/backend/src/__tests__/config.test.ts +91 -0
package/backend/src/__tests__/csrf.test.ts +91 -0
package/backend/src/__tests__/embedding.test.ts +48 -0
package/backend/src/__tests__/rate-limit.test.ts +46 -0
package/backend/src/__tests__/routes.test.ts +38 -0
package/backend/src/__tests__/schema.test.ts +31 -0
package/backend/src/__tests__/validation.test.ts +556 -0
package/backend/src/api/middleware/auth.ts +56 -0
package/backend/src/api/middleware/csrf.ts +91 -0
package/backend/src/api/middleware/rate-limit.ts +77 -0
package/backend/src/api/middleware/webhook-verify.ts +22 -0
package/backend/src/api/routes/attachments.ts +280 -0
package/backend/src/api/routes/auth.ts +52 -0
package/backend/src/api/routes/collaboration.ts +121 -0
package/backend/src/api/routes/documents.ts +664 -0
package/backend/src/api/routes/folders.ts +226 -0
package/backend/src/api/routes/search.ts +354 -0
package/backend/src/api/routes/share.ts +512 -0
package/backend/src/api/routes/tags.ts +247 -0
package/backend/src/api/routes/versions.ts +99 -0
package/backend/src/api/routes/webhooks.ts +43 -0
package/backend/src/embedding/chunker.ts +74 -0
package/backend/src/embedding/index.ts +117 -0
package/backend/src/embedding/providers/ollama.ts +63 -0
package/backend/src/embedding/providers/openrouter.ts +71 -0
package/backend/src/embedding/utils.ts +13 -0
package/backend/src/embedding/worker.ts +89 -0
package/backend/src/index.ts +147 -0
package/backend/src/lib/auth-helpers.ts +27 -0
package/backend/src/lib/auth.ts +35 -0
package/backend/src/lib/config.ts +73 -0
package/backend/src/lib/db.ts +7 -0
package/backend/src/lib/embedding-queue.ts +12 -0
package/backend/src/lib/logger.ts +18 -0
package/backend/src/lib/markdown-to-doc.ts +45 -0
package/backend/src/lib/minio.ts +46 -0
package/backend/src/lib/redis.ts +19 -0
package/backend/src/lib/yjs-provider.ts +182 -0
package/backend/tests/integration/_harness.ts +754 -0
package/backend/tests/integration/auth.test.ts +296 -0
package/backend/tests/integration/routes.documents.test.ts +459 -0
package/backend/tests/integration/routes.folders.test.ts +337 -0
package/backend/tests/integration/routes.search.test.ts +322 -0
package/backend/tests/integration/routes.share.test.ts +773 -0
package/backend/tests/integration/routes.tags.test.ts +425 -0
package/backend/tests/integration/routes.versions.test.ts +233 -0
package/backend/tsconfig.json +18 -0
package/docker-compose.yml +218 -0
package/docs/API.md +328 -0
package/docs/ARCHITECTURE.md +75 -0
package/docs/DEPLOYMENT.md +113 -0
package/docs/PRODUCTION_STATUS.md +61 -0
package/docs/openapi.json +385 -0
package/frontend/.svelte-kit.old/ambient.d.ts +230 -0
package/frontend/.svelte-kit.old/env.d.ts +1 -0
package/frontend/.svelte-kit.old/generated/client/app.js +46 -0
package/frontend/.svelte-kit.old/generated/client/matchers.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/0.js +3 -0
package/frontend/.svelte-kit.old/generated/client/nodes/1.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/10.js +3 -0
package/frontend/.svelte-kit.old/generated/client/nodes/2.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/3.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/4.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/5.js +3 -0
package/frontend/.svelte-kit.old/generated/client/nodes/6.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/7.js +3 -0
package/frontend/.svelte-kit.old/generated/client/nodes/8.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/9.js +3 -0
package/frontend/.svelte-kit.old/generated/root.js +3 -0
package/frontend/.svelte-kit.old/generated/root.svelte +80 -0
package/frontend/.svelte-kit.old/generated/server/internal.js +55 -0
package/frontend/.svelte-kit.old/non-ambient.d.ts +59 -0
package/frontend/.svelte-kit.old/tsconfig.json +59 -0
package/frontend/.svelte-kit.old/types/route_meta_data.json +40 -0
package/frontend/.svelte-kit.old/types/src/routes/$types.d.ts +21 -0
package/frontend/.svelte-kit.old/types/src/routes/(app)/$types.d.ts +30 -0
package/frontend/.svelte-kit.old/types/src/routes/(app)/docs/[id]/$types.d.ts +27 -0
package/frontend/.svelte-kit.old/types/src/routes/(app)/docs/[id]/proxy+page.ts +25 -0
package/frontend/.svelte-kit.old/types/src/routes/api/[...path]/$types.d.ts +10 -0
package/frontend/.svelte-kit.old/types/src/routes/folders/[id]/$types.d.ts +27 -0
package/frontend/.svelte-kit.old/types/src/routes/folders/[id]/proxy+page.ts +15 -0
package/frontend/.svelte-kit.old/types/src/routes/login/$types.d.ts +17 -0
package/frontend/.svelte-kit.old/types/src/routes/register/$types.d.ts +17 -0
package/frontend/.svelte-kit.old/types/src/routes/s/[token]/$types.d.ts +20 -0
package/frontend/.svelte-kit.old/types/src/routes/s/[token]/proxy+page.ts +6 -0
package/frontend/.svelte-kit.old/types/src/routes/search/$types.d.ts +19 -0
package/frontend/.svelte-kit.old/types/src/routes/search/proxy+page.ts +26 -0
package/frontend/.svelte-kit.old/types/src/routes/settings/$types.d.ts +17 -0
package/frontend/Dockerfile +44 -0
package/frontend/biome.json +40 -0
package/frontend/components.json +18 -0
package/frontend/messages/en.json +434 -0
package/frontend/package.json +70 -0
package/frontend/project.inlang/settings.json +12 -0
package/frontend/src/app.css +6 -0
package/frontend/src/app.d.ts +13 -0
package/frontend/src/app.html +30 -0
package/frontend/src/hooks.server.ts +10 -0
package/frontend/src/hooks.ts +10 -0
package/frontend/src/lib/api/attachments.ts +45 -0
package/frontend/src/lib/api/client.test.ts +15 -0
package/frontend/src/lib/api/client.ts +57 -0
package/frontend/src/lib/api/documents.ts +83 -0
package/frontend/src/lib/api/folders.ts +180 -0
package/frontend/src/lib/api/search.test.ts +52 -0
package/frontend/src/lib/api/search.ts +128 -0
package/frontend/src/lib/api/settings.ts +95 -0
package/frontend/src/lib/api/share.ts +71 -0
package/frontend/src/lib/api/tags.test.ts +91 -0
package/frontend/src/lib/api/tags.ts +87 -0
package/frontend/src/lib/auth-client.ts +10 -0
package/frontend/src/lib/collaboration.ts +63 -0
package/frontend/src/lib/components/AttachmentUpload.svelte +110 -0
package/frontend/src/lib/components/DatePicker.svelte +322 -0
package/frontend/src/lib/components/DocumentCard.svelte +166 -0
package/frontend/src/lib/components/EmptyState.svelte +49 -0
package/frontend/src/lib/components/FolderCard.svelte +93 -0
package/frontend/src/lib/components/ScrollToTop.svelte +72 -0
package/frontend/src/lib/components/SearchBar.svelte +47 -0
package/frontend/src/lib/components/SearchResult.svelte +115 -0
package/frontend/src/lib/components/SettingsDialog.svelte +271 -0
package/frontend/src/lib/components/ShareDialog.svelte +158 -0
package/frontend/src/lib/components/ShareLink.svelte +98 -0
package/frontend/src/lib/components/TagCreateDialog.svelte +284 -0
package/frontend/src/lib/components/VersionDiff.svelte +55 -0
package/frontend/src/lib/components/VersionHistory.svelte +96 -0
package/frontend/src/lib/components/editor/DocumentTitle.svelte +87 -0
package/frontend/src/lib/components/editor/EditorToolbar.svelte +1367 -0
package/frontend/src/lib/components/editor/HiAiEditor.svelte +531 -0
package/frontend/src/lib/components/editor/LinkDialog.svelte +134 -0
package/frontend/src/lib/components/editor/MarkdownToggle.svelte +88 -0
package/frontend/src/lib/components/editor/editorExtensions.ts +53 -0
package/frontend/src/lib/components/editor/markdown.ts +38 -0
package/frontend/src/lib/components/sidebar/FolderTree.svelte +731 -0
package/frontend/src/lib/components/sidebar/RecentDocs.svelte +311 -0
package/frontend/src/lib/components/sidebar/Sidebar.svelte +156 -0
package/frontend/src/lib/components/sidebar/TagList.svelte +200 -0
package/frontend/src/lib/components/ui/confirm-dialog/ConfirmDialog.svelte +76 -0
package/frontend/src/lib/components/ui/confirm-dialog/index.ts +1 -0
package/frontend/src/lib/stores/tag-store.svelte.ts +56 -0
package/frontend/src/lib/stores/theme.svelte.ts +97 -0
package/frontend/src/lib/svelte.d.ts +6 -0
package/frontend/src/lib/types.ts +44 -0
package/frontend/src/lib/utils/clipboard.ts +17 -0
package/frontend/src/lib/utils/strip-markdown.ts +59 -0
package/frontend/src/lib/utils.ts +33 -0
package/frontend/src/routes/(app)/+layout.svelte +17 -0
package/frontend/src/routes/(app)/+page.server.ts +10 -0
package/frontend/src/routes/(app)/+page.svelte +303 -0
package/frontend/src/routes/(app)/docs/[id]/+page.server.ts +10 -0
package/frontend/src/routes/(app)/docs/[id]/+page.svelte +1108 -0
package/frontend/src/routes/(app)/docs/[id]/+page.ts +24 -0
package/frontend/src/routes/(app)/search/+page.svelte +593 -0
package/frontend/src/routes/(app)/search/+page.ts +25 -0
package/frontend/src/routes/+error.svelte +12 -0
package/frontend/src/routes/+layout.svelte +18 -0
package/frontend/src/routes/+layout.ts +2 -0
package/frontend/src/routes/api/[...path]/+server.ts +111 -0
package/frontend/src/routes/folders/[id]/+page.server.ts +10 -0
package/frontend/src/routes/folders/[id]/+page.svelte +319 -0
package/frontend/src/routes/folders/[id]/+page.ts +14 -0
package/frontend/src/routes/login/+page.svelte +90 -0
package/frontend/src/routes/register/+page.svelte +97 -0
package/frontend/src/routes/s/[token]/+page.svelte +496 -0
package/frontend/src/routes/s/[token]/+page.ts +5 -0
package/frontend/src/routes/settings/+page.svelte +175 -0
package/frontend/static/favicon.png +0 -0
package/frontend/static/logo.png +0 -0
package/frontend/svelte.config.js +15 -0
package/frontend/tsconfig.json +15 -0
package/frontend/vite.config.ts +25 -0
package/init.sql +9 -0
package/logo.png +0 -0
package/package.json +39 -0
package/package.public.json +39 -0
package/packages/db/drizzle.config.ts +10 -0
package/packages/db/package.json +30 -0
package/packages/db/src/client.ts +9 -0
package/packages/db/src/index.ts +2 -0
package/packages/db/src/migrations/0000_nice_bedlam.sql +165 -0
package/packages/db/src/migrations/0001_w2_3_test.sql +5 -0
package/packages/db/src/migrations/0002_rename_content_json.sql +2 -0
package/packages/db/src/migrations/meta/0000_snapshot.json +1331 -0
package/packages/db/src/migrations/meta/0001_snapshot.json +1399 -0
package/packages/db/src/migrations/meta/0002_snapshot.json +1399 -0
package/packages/db/src/migrations/meta/_journal.json +27 -0
package/packages/db/src/schema.ts +378 -0
package/packages/db/tsconfig.json +17 -0
package/scripts/export-openapi.ts +37 -0
package/scripts/health-check.sh +75 -0
package/scripts/migrate.sh +135 -0
package/scripts/prework_backup.sh +25 -0
package/scripts/release.sh +83 -0
package/tsconfig.json +25 -0

package/backend/tests/integration/routes.tags.test.ts ADDED Viewed

@@ -0,0 +1,425 @@
+/**
+ * HTTP-level tests for tag routes.
+ * Tests:
+ *   GET /api/tags
+ *   POST /api/tags
+ *   PATCH /api/tags/:id
+ *   DELETE /api/tags/:id
+ *   POST /api/documents/:id/tags
+ *   DELETE /api/documents/:id/tags/:tagId
+ */
+import { afterEach, beforeAll, beforeEach, describe, expect, it } from "bun:test";
+import {
+	OWNER_ID,
+	getState,
+	noAuthHeaders,
+	ownerHeaders,
+	request,
+	resetState,
+	setupHarness,
+} from "./_harness";
+let app: any;
+beforeAll(async () => {
+	const built = await setupHarness();
+	app = built.app;
+});
+beforeEach(() => {
+	resetState();
+});
+afterEach(() => {
+	resetState();
+});
+function authedGet(path: string) {
+	return request(app, path, { method: "GET", headers: ownerHeaders() });
+}
+function authedPost(path: string, body: any) {
+	return request(app, path, {
+		method: "POST",
+		headers: ownerHeaders(),
+		body: JSON.stringify(body),
+	});
+}
+function authedPatch(path: string, body: any) {
+	return request(app, path, {
+		method: "PATCH",
+		headers: ownerHeaders(),
+		body: JSON.stringify(body),
+	});
+}
+function authedDelete(path: string) {
+	return request(app, path, { method: "DELETE", headers: ownerHeaders() });
+}
+describe("GET /api/tags", () => {
+	it("returns 401 without auth", async () => {
+		const res = await request(app, "/api/tags", {
+			method: "GET",
+			headers: noAuthHeaders(),
+		});
+		expect(res.status).toBe(401);
+		expect(res.body).toEqual({ error: "Unauthorized" });
+	});
+	it("returns 200 with empty array when no tags exist", async () => {
+		const res = await authedGet("/api/tags");
+		expect(res.status).toBe(200);
+		expect(res.body).toEqual([]);
+	});
+	it("returns tags owned by the current user with document counts", async () => {
+		const state = getState();
+		state.tags.set("tag-1", {
+			id: "tag-1",
+			ownerId: OWNER_ID,
+			name: "alpha",
+			color: "#ff0000",
+			createdAt: new Date(),
+		});
+		state.tags.set("tag-2", {
+			id: "tag-2",
+			ownerId: OWNER_ID,
+			name: "beta",
+			color: null,
+			createdAt: new Date(),
+		});
+		state.tags.set("tag-other", {
+			id: "tag-other",
+			ownerId: "00000000-0000-4000-8000-000000000999",
+			name: "should-not-appear",
+			color: null,
+			createdAt: new Date(),
+		});
+		state.documentTags.push(
+			{ documentId: "doc-1", tagId: "tag-1" },
+			{ documentId: "doc-2", tagId: "tag-1" },
+			{ documentId: "doc-3", tagId: "tag-2" },
+		);
+		const res = await authedGet("/api/tags");
+		expect(res.status).toBe(200);
+		const items = res.body as Array<{
+			id: string;
+			name: string;
+			documentCount: number;
+		}>;
+		const tag1 = items.find((t) => t.id === "tag-1");
+		const tag2 = items.find((t) => t.id === "tag-2");
+		expect(tag1).toBeTruthy();
+		expect(tag2).toBeTruthy();
+		expect(tag1?.documentCount).toBe(2);
+		expect(tag2?.documentCount).toBe(1);
+		expect(items.find((t) => t.id === "tag-other")).toBeUndefined();
+	});
+});
+describe("POST /api/tags", () => {
+	it("returns 403 from CSRF middleware without auth and without CSRF token", async () => {
+		const res = await request(app, "/api/tags", {
+			method: "POST",
+			headers: noAuthHeaders(),
+			body: JSON.stringify({ name: "x" }),
+		});
+		expect(res.status).toBe(403);
+		expect((res.body as any).error).toMatch(/CSRF/i);
+	});
+	it("returns 400 for invalid input (missing name)", async () => {
+		const res = await authedPost("/api/tags", {});
+		expect(res.status).toBe(400);
+		expect((res.body as any).error).toBe("Invalid input");
+	});
+	it("creates a tag and returns 201", async () => {
+		const res = await authedPost("/api/tags", {
+			name: "important",
+			color: "#00ff00",
+		});
+		expect(res.status).toBe(201);
+		const body = res.body as {
+			id: string;
+			name: string;
+			color: string;
+			ownerId: string;
+		};
+		expect(body.name).toBe("important");
+		expect(body.color).toBe("#00ff00");
+		expect(body.ownerId).toBe(OWNER_ID);
+		expect(body.id).toBeTruthy();
+		const stored = (getState().tags.get(body.id) as any) ?? null;
+		expect(stored).not.toBeNull();
+		expect(stored.name).toBe("important");
+		expect(stored.ownerId).toBe(OWNER_ID);
+	});
+	it("allows color to be omitted", async () => {
+		const res = await authedPost("/api/tags", { name: "no-color" });
+		expect(res.status).toBe(201);
+		expect((res.body as any).name).toBe("no-color");
+	});
+	it("returns 409 when a tag with the same name already exists", async () => {
+		getState().tags.set("existing", {
+			id: "existing",
+			ownerId: OWNER_ID,
+			name: "duplicate",
+			color: null,
+			createdAt: new Date(),
+		});
+		const res = await authedPost("/api/tags", { name: "duplicate" });
+		expect(res.status).toBe(409);
+		expect((res.body as any).error).toMatch(/already exists/i);
+	});
+});
+describe("PATCH /api/tags/:id", () => {
+	it("returns 400 for invalid body", async () => {
+		const res = await authedPatch(
+			"/api/tags/00000000-0000-4000-8000-000000000099",
+			{ name: "" },
+		);
+		expect(res.status).toBe(400);
+		expect((res.body as any).error).toBe("Invalid input");
+	});
+	it("returns 404 when the tag does not exist", async () => {
+		const res = await authedPatch(
+			"/api/tags/00000000-0000-4000-8000-000000000099",
+			{ name: "renamed" },
+		);
+		expect(res.status).toBe(404);
+		expect((res.body as any).error).toBe("Tag not found");
+	});
+	it("renames a tag", async () => {
+		const id = "11111111-1111-4111-8111-111111111111";
+		getState().tags.set(id, {
+			id,
+			ownerId: OWNER_ID,
+			name: "old",
+			color: "#000000",
+			createdAt: new Date(),
+		});
+		const res = await authedPatch(`/api/tags/${id}`, { name: "new" });
+		expect(res.status).toBe(200);
+		expect((res.body as any).name).toBe("new");
+		expect((getState().tags.get(id) as any).name).toBe("new");
+	});
+	it("updates color", async () => {
+		const id = "22222222-2222-4222-8222-222222222222";
+		getState().tags.set(id, {
+			id,
+			ownerId: OWNER_ID,
+			name: "colored",
+			color: "#000000",
+			createdAt: new Date(),
+		});
+		const res = await authedPatch(`/api/tags/${id}`, { color: "#ffffff" });
+		expect(res.status).toBe(200);
+		expect((res.body as any).color).toBe("#ffffff");
+		expect((getState().tags.get(id) as any).color).toBe("#ffffff");
+	});
+	it("does not update tags owned by other users", async () => {
+		const id = "33333333-3333-4333-8333-333333333333";
+		getState().tags.set(id, {
+			id,
+			ownerId: "00000000-0000-4000-8000-000000000999",
+			name: "other-user",
+			color: null,
+			createdAt: new Date(),
+		});
+		const res = await authedPatch(`/api/tags/${id}`, { name: "hijack" });
+		expect(res.status).toBe(404);
+		expect((getState().tags.get(id) as any).name).toBe("other-user");
+	});
+});
+describe("DELETE /api/tags/:id", () => {
+	it("returns 200 and removes the tag", async () => {
+		const id = "44444444-4444-4444-8444-444444444444";
+		getState().tags.set(id, {
+			id,
+			ownerId: OWNER_ID,
+			name: "trash-me",
+			color: null,
+			createdAt: new Date(),
+		});
+		const res = await authedDelete(`/api/tags/${id}`);
+		expect(res.status).toBe(200);
+		expect(res.body).toEqual({ success: true });
+		expect(getState().tags.has(id)).toBe(false);
+	});
+	it("does not delete tags owned by other users", async () => {
+		const id = "55555555-5555-4555-8555-555555555555";
+		getState().tags.set(id, {
+			id,
+			ownerId: "00000000-0000-4000-8000-000000000999",
+			name: "not-mine",
+			color: null,
+			createdAt: new Date(),
+		});
+		const res = await authedDelete(`/api/tags/${id}`);
+		// The handler does not 404 on foreign tags — it returns success without deleting.
+		expect(res.status).toBe(200);
+		expect(getState().tags.has(id)).toBe(true);
+	});
+});
+describe("POST /api/documents/:id/tags", () => {
+	const docId = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa";
+	const tagId = "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb";
+	function seed() {
+		const state = getState();
+		state.documents.set(docId, {
+			id: docId,
+			ownerId: OWNER_ID,
+			folderId: null,
+			title: "Doc",
+			content: "",
+			createdAt: new Date(),
+			updatedAt: new Date(),
+		});
+		state.tags.set(tagId, {
+			id: tagId,
+			ownerId: OWNER_ID,
+			name: "label",
+			color: null,
+			createdAt: new Date(),
+		});
+	}
+	it("returns 400 when tagId is missing or invalid", async () => {
+		seed();
+		const res = await authedPost(`/api/documents/${docId}/tags`, {});
+		expect(res.status).toBe(400);
+		expect((res.body as any).error).toBe("Invalid input");
+	});
+	it("returns 404 when the document does not exist", async () => {
+		const res = await authedPost(
+			"/api/documents/00000000-0000-4000-8000-000000000099/tags",
+			{ tagId },
+		);
+		expect(res.status).toBe(404);
+		expect((res.body as any).error).toBe("Document not found");
+	});
+	it("adds a tag to a document and returns 201", async () => {
+		seed();
+		const res = await authedPost(`/api/documents/${docId}/tags`, { tagId });
+		expect(res.status).toBe(201);
+		expect(res.body).toEqual({ success: true });
+		// Note: this route uses `db.insert(documentTags).values(...)` without
+		// `.returning()`, so the mock harness does not persist the row into
+		// state.documentTags. The HTTP response is the contract under test.
+	});
+	it("does not add tags to documents owned by other users", async () => {
+		const state = getState();
+		state.documents.set(docId, {
+			id: docId,
+			ownerId: "00000000-0000-4000-8000-000000000999",
+			folderId: null,
+			title: "Other",
+			content: "",
+			createdAt: new Date(),
+			updatedAt: new Date(),
+		});
+		state.tags.set(tagId, {
+			id: tagId,
+			ownerId: OWNER_ID,
+			name: "label",
+			color: null,
+			createdAt: new Date(),
+		});
+		const res = await authedPost(`/api/documents/${docId}/tags`, { tagId });
+		expect(res.status).toBe(404);
+		expect(getState().documentTags.length).toBe(0);
+	});
+});
+describe("DELETE /api/documents/:id/tags/:tagId", () => {
+	const docId = "cccccccc-cccc-4ccc-8ccc-cccccccccccc";
+	const tagId = "dddddddd-dddd-4ddd-8ddd-dddddddddddd";
+	function seed() {
+		const state = getState();
+		state.documents.set(docId, {
+			id: docId,
+			ownerId: OWNER_ID,
+			folderId: null,
+			title: "Doc",
+			content: "",
+			createdAt: new Date(),
+			updatedAt: new Date(),
+		});
+		state.tags.set(tagId, {
+			id: tagId,
+			ownerId: OWNER_ID,
+			name: "label",
+			color: null,
+			createdAt: new Date(),
+		});
+		state.documentTags.push({ documentId: docId, tagId });
+	}
+	it("returns 404 when the document does not exist", async () => {
+		const res = await authedDelete(
+			`/api/documents/00000000-0000-4000-8000-000000000099/tags/${tagId}`,
+		);
+		expect(res.status).toBe(404);
+		expect((res.body as any).error).toBe("Document not found");
+	});
+	it("removes a tag from a document", async () => {
+		seed();
+		const res = await authedDelete(`/api/documents/${docId}/tags/${tagId}`);
+		expect(res.status).toBe(200);
+		expect(res.body).toEqual({ success: true });
+		// Note: this route uses `db.delete(documentTags).where(...)` without
+		// `.returning()`, so the mock harness does not mutate state.documentTags.
+		// The HTTP response is the contract under test.
+	});
+	it("does not remove tags from documents owned by other users", async () => {
+		const state = getState();
+		state.documents.set(docId, {
+			id: docId,
+			ownerId: "00000000-0000-4000-8000-000000000999",
+			folderId: null,
+			title: "Other",
+			content: "",
+			createdAt: new Date(),
+			updatedAt: new Date(),
+		});
+		state.tags.set(tagId, {
+			id: tagId,
+			ownerId: OWNER_ID,
+			name: "label",
+			color: null,
+			createdAt: new Date(),
+		});
+		state.documentTags.push({ documentId: docId, tagId });
+		const res = await authedDelete(`/api/documents/${docId}/tags/${tagId}`);
+		expect(res.status).toBe(404);
+		expect(getState().documentTags.length).toBe(1);
+	});
+});

package/backend/tests/integration/routes.versions.test.ts ADDED Viewed

@@ -0,0 +1,233 @@
+/**
+ * HTTP-level tests for version routes.
+ * Tests:
+ *   GET  /api/documents/:id/versions
+ *   GET  /api/documents/:id/versions/:vid
+ */
+import { afterEach, beforeAll, beforeEach, describe, expect, it } from "bun:test";
+import {
+	OWNER_ID,
+	getState,
+	noAuthHeaders,
+	ownerHeaders,
+	request,
+	resetState,
+	setupHarness,
+} from "./_harness";
+let app: any;
+beforeAll(async () => {
+	const built = await setupHarness();
+	app = built.app;
+});
+beforeEach(() => {
+	resetState();
+});
+afterEach(() => {
+	resetState();
+});
+function authedGet(path: string) {
+	return request(app, path, { method: "GET", headers: ownerHeaders() });
+}
+const docId = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa";
+const otherDocId = "99999999-9999-4999-8999-999999999999";
+function seedDocument(id: string = docId, owner: string = OWNER_ID) {
+	getState().documents.set(id, {
+		id,
+		ownerId: owner,
+		folderId: null,
+		title: "Doc",
+		content: "",
+		createdAt: new Date(),
+		updatedAt: new Date(),
+	});
+}
+function seedVersions() {
+	getState().versions.push(
+		{
+			id: "v-old",
+			documentId: docId,
+			content: "first draft",
+			contentJson: null,
+			createdBy: OWNER_ID,
+			createdAt: new Date("2024-01-01T00:00:00Z"),
+		},
+		{
+			id: "v-mid",
+			documentId: docId,
+			content: "second draft",
+			contentJson: null,
+			createdBy: OWNER_ID,
+			createdAt: new Date("2024-02-01T00:00:00Z"),
+		},
+		{
+			id: "v-new",
+			documentId: docId,
+			content: "final draft",
+			contentJson: null,
+			createdBy: OWNER_ID,
+			createdAt: new Date("2024-03-01T00:00:00Z"),
+		},
+	);
+}
+describe("GET /api/documents/:id/versions", () => {
+	it("returns 401 without auth", async () => {
+		const res = await request(app, `/api/documents/${docId}/versions`, {
+			method: "GET",
+			headers: noAuthHeaders(),
+		});
+		expect(res.status).toBe(401);
+		expect(res.body).toEqual({ error: "Unauthorized" });
+	});
+	it("returns 404 when the document does not exist", async () => {
+		const res = await authedGet(
+			`/api/documents/00000000-0000-4000-8000-000000000099/versions`,
+		);
+		expect(res.status).toBe(404);
+		expect((res.body as any).error).toBe("Document not found");
+	});
+	it("returns 404 for documents owned by other users", async () => {
+		seedDocument(otherDocId, "00000000-0000-4000-8000-000000000999");
+		const res = await authedGet(`/api/documents/${otherDocId}/versions`);
+		expect(res.status).toBe(404);
+		expect((res.body as any).error).toBe("Document not found");
+	});
+	it("returns an empty array when the document has no versions", async () => {
+		seedDocument();
+		const res = await authedGet(`/api/documents/${docId}/versions`);
+		expect(res.status).toBe(200);
+		expect(res.body).toEqual([]);
+	});
+	it("returns all versions for the document ordered newest-first", async () => {
+		seedDocument();
+		seedVersions();
+		const res = await authedGet(`/api/documents/${docId}/versions`);
+		expect(res.status).toBe(200);
+		const items = res.body as Array<{ id: string; createdAt: string }>;
+		expect(items.length).toBe(3);
+		expect(items.map((v) => v.id)).toEqual(["v-new", "v-mid", "v-old"]);
+	});
+	it("only returns versions belonging to the requested document", async () => {
+		seedDocument();
+		seedDocument("other-doc");
+		getState().versions.push(
+			{
+				id: "v-x",
+				documentId: "other-doc",
+				content: "unrelated",
+				contentJson: null,
+				createdBy: OWNER_ID,
+				createdAt: new Date("2024-04-01T00:00:00Z"),
+			},
+			{
+				id: "v-y",
+				documentId: docId,
+				content: "mine",
+				contentJson: null,
+				createdBy: OWNER_ID,
+				createdAt: new Date("2024-04-02T00:00:00Z"),
+			},
+		);
+		const res = await authedGet(`/api/documents/${docId}/versions`);
+		expect(res.status).toBe(200);
+		const items = res.body as Array<{ id: string }>;
+		const ids = items.map((v) => v.id);
+		expect(ids).toContain("v-y");
+		expect(ids).not.toContain("v-x");
+	});
+});
+describe("GET /api/documents/:id/versions/:vid", () => {
+	it("returns 401 without auth", async () => {
+		const res = await request(app, `/api/documents/${docId}/versions/v-new`, {
+			method: "GET",
+			headers: noAuthHeaders(),
+		});
+		expect(res.status).toBe(401);
+		expect(res.body).toEqual({ error: "Unauthorized" });
+	});
+	it("returns 404 when the document does not exist", async () => {
+		const res = await authedGet(
+			`/api/documents/00000000-0000-4000-8000-000000000099/versions/v-new`,
+		);
+		expect(res.status).toBe(404);
+		expect((res.body as any).error).toBe("Document not found");
+	});
+	it("returns 404 when the version does not exist", async () => {
+		seedDocument();
+		const res = await authedGet(`/api/documents/${docId}/versions/v-missing`);
+		expect(res.status).toBe(404);
+		expect((res.body as any).error).toBe("Version not found");
+	});
+	it("returns the requested version", async () => {
+		seedDocument();
+		seedVersions();
+		const res = await authedGet(`/api/documents/${docId}/versions/v-mid`);
+		expect(res.status).toBe(200);
+		const body = res.body as {
+			id: string;
+			documentId: string;
+			content: string;
+		};
+		expect(body.id).toBe("v-mid");
+		expect(body.documentId).toBe(docId);
+		expect(body.content).toBe("second draft");
+	});
+	it("does not return a version that belongs to a different document", async () => {
+		seedDocument();
+		seedDocument("other-doc");
+		getState().versions.push({
+			id: "v-other-doc",
+			documentId: "other-doc",
+			content: "no-peeking",
+			contentJson: null,
+			createdBy: OWNER_ID,
+			createdAt: new Date("2024-05-01T00:00:00Z"),
+		});
+		const res = await authedGet(
+			`/api/documents/${docId}/versions/v-other-doc`,
+		);
+		expect(res.status).toBe(404);
+		expect((res.body as any).error).toBe("Version not found");
+	});
+	it("does not return versions for documents owned by other users", async () => {
+		seedDocument(otherDocId, "00000000-0000-4000-8000-000000000999");
+		getState().versions.push({
+			id: "v-foreign",
+			documentId: otherDocId,
+			content: "secret",
+			contentJson: null,
+			createdBy: "00000000-0000-4000-8000-000000000999",
+			createdAt: new Date("2024-06-01T00:00:00Z"),
+		});
+		const res = await authedGet(
+			`/api/documents/${otherDocId}/versions/v-foreign`,
+		);
+		expect(res.status).toBe(404);
+		expect((res.body as any).error).toBe("Document not found");
+	});
+});

package/backend/tsconfig.json ADDED Viewed

@@ -0,0 +1,18 @@
+{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "noUncheckedIndexedAccess": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "declaration": true,
+    "sourceMap": true,
+    "types": ["@types/bun"]
+  },
+  "include": ["src"],
+  "exclude": ["node_modules", "dist"]
+}