@nexttylabs/echo 0.2.0

package/app/api/notifications/preferences/route.ts

@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { headers } from "next/headers";
+import { eq } from "drizzle-orm";
+import { db } from "@/lib/db";
+import { notificationPreferences } from "@/lib/db/schema";
+import { auth } from "@/lib/auth/config";
+import { apiError } from "@/lib/api/errors";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+export async function GET() {
+  if (!db) {
+    return NextResponse.json(
+      { error: "Database not configured", code: "DATABASE_NOT_CONFIGURED" },
+      { status: 500 },
+    );
+  }
+
+  try {
+    const session = await auth.api.getSession({ headers: await headers() });
+
+    if (!session?.user) {
+      return NextResponse.json(
+        { error: "Authentication required", code: "UNAUTHORIZED" },
+        { status: 401 },
+      );
+    }
+
+    const [prefs] = await db
+      .select()
+      .from(notificationPreferences)
+      .where(eq(notificationPreferences.userId, session.user.id))
+      .limit(1);
+
+    return NextResponse.json({
+      data: prefs || { statusChange: true, newComment: true },
+    });
+  } catch (error) {
+    return apiError(error);
+  }
+}
+
+export async function POST(req: NextRequest) {
+  if (!db) {
+    return NextResponse.json(
+      { error: "Database not configured", code: "DATABASE_NOT_CONFIGURED" },
+      { status: 500 },
+    );
+  }
+
+  try {
+    const session = await auth.api.getSession({ headers: await headers() });
+
+    if (!session?.user) {
+      return NextResponse.json(
+        { error: "Authentication required", code: "UNAUTHORIZED" },
+        { status: 401 },
+      );
+    }
+
+    const body = await req.json();
+    const statusChange = body.statusChange ?? true;
+    const newComment = body.newComment ?? true;
+
+    const [existing] = await db
+      .select({ userId: notificationPreferences.userId })
+      .from(notificationPreferences)
+      .where(eq(notificationPreferences.userId, session.user.id))
+      .limit(1);
+
+    if (existing) {
+      await db
+        .update(notificationPreferences)
+        .set({ statusChange, newComment })
+        .where(eq(notificationPreferences.userId, session.user.id));
+    } else {
+      await db.insert(notificationPreferences).values({
+        userId: session.user.id,
+        statusChange,
+        newComment,
+      });
+    }
+
+    return NextResponse.json({
+      data: { statusChange, newComment },
+      message: "Preferences saved successfully",
+    });
+  } catch (error) {
+    return apiError(error);
+  }
+}

package/app/api/organizations/[orgId]/handler.ts

@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextResponse } from "next/server";
+import { eq, and } from "drizzle-orm";
+import { createOrganizationSchema } from "@/lib/validations/organizations";
+import { organizations, organizationMembers } from "@/lib/db/schema";
+import type { db as database } from "@/lib/db";
+
+type Database = NonNullable<typeof database>;
+
+type OrganizationDeps = {
+  auth: {
+    api: {
+      getSession: (args: { headers: Headers }) => Promise<{ user: { id: string; role?: string } } | null>;
+    };
+  };
+  db: {
+    select: Database["select"];
+    update: Database["update"];
+  };
+};
+
+type RouteContext = {
+  params: Promise<{ orgId: string }>;
+};
+
+export function buildGetOrganizationHandler(deps: OrganizationDeps) {
+  return async function GET(req: Request, context: RouteContext) {
+    const session = await deps.auth.api.getSession({ headers: req.headers });
+    if (!session) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const { orgId } = await context.params;
+
+    const [org] = await deps.db
+      .select()
+      .from(organizations)
+      .where(eq(organizations.id, orgId))
+      .limit(1);
+
+    if (!org) {
+      return NextResponse.json({ error: "Organization not found" }, { status: 404 });
+    }
+
+    return NextResponse.json({ data: org });
+  };
+}
+
+export function buildUpdateOrganizationHandler(deps: OrganizationDeps) {
+  return async function PUT(req: Request, context: RouteContext) {
+    const session = await deps.auth.api.getSession({ headers: req.headers });
+    if (!session) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const { orgId } = await context.params;
+
+    // Check if user is admin of this organization or system admin
+    const [membership] = await deps.db
+      .select()
+      .from(organizationMembers)
+      .where(
+        and(
+          eq(organizationMembers.organizationId, orgId),
+          eq(organizationMembers.userId, session.user.id)
+        )
+      )
+      .limit(1);
+
+    if (!membership && session.user.role !== "admin") {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    if (membership && membership.role !== "admin" && session.user.role !== "admin") {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    let body: unknown;
+    try {
+      body = await req.json();
+    } catch {
+      return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
+    }
+
+    const parsed = createOrganizationSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: "Invalid request body", details: parsed.error.issues },
+        { status: 400 },
+      );
+    }
+
+    const { name, description } = parsed.data;
+
+    const [updated] = await deps.db
+      .update(organizations)
+      .set({ name, description })
+      .where(eq(organizations.id, orgId))
+      .returning();
+
+    if (!updated) {
+      return NextResponse.json({ error: "Organization not found" }, { status: 404 });
+    }
+
+    return NextResponse.json({ data: updated });
+  };
+}

package/app/api/organizations/[orgId]/invitations/handler.ts

@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextResponse } from "next/server";
+import { randomBytes, randomUUID } from "crypto";
+import type { db as database } from "@/lib/db";
+import { invitations } from "@/lib/db/schema";
+import { assertOrganizationAccess } from "@/lib/auth/organization";
+import { buildInviteExpiry } from "@/lib/invitations";
+import { sendEmail } from "@/lib/services/email";
+import { createInvitationSchema } from "@/lib/validations/invitations";
+
+type Database = NonNullable<typeof database>;
+
+type CreateInvitationDeps = {
+  auth: {
+    api: {
+      getSession: (args: { headers: Headers }) => Promise<{ user: { id: string } } | null>;
+    };
+  };
+  db: {
+    select: Database["select"];
+    insert: Database["insert"];
+  };
+  email?: {
+    sendEmail: typeof sendEmail;
+  };
+};
+
+type InvitationParams = { orgId: string };
+
+type InvitationContext = {
+  params: InvitationParams | Promise<InvitationParams>;
+};
+
+export function buildCreateInvitationHandler(deps: CreateInvitationDeps) {
+  return async function POST(req: Request, context: InvitationContext) {
+    const session = await deps.auth.api.getSession({ headers: req.headers });
+    if (!session) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    let body: unknown;
+    try {
+      body = await req.json();
+    } catch {
+      return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
+    }
+
+    const parsed = createInvitationSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: "Invalid request body", details: parsed.error.issues },
+        { status: 400 },
+      );
+    }
+
+    const { email, role } = parsed.data;
+    const { orgId } = await Promise.resolve(context.params);
+
+    let member;
+    try {
+      member = await assertOrganizationAccess(deps.db, session.user.id, orgId);
+    } catch {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    if (!member || member.role !== "admin") {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    const baseUrl =
+      process.env.NEXT_PUBLIC_APP_URL ||
+      (process.env.NODE_ENV !== "production" ? "http://localhost:3000" : null);
+    if (!baseUrl) {
+      return NextResponse.json(
+        { error: "Missing NEXT_PUBLIC_APP_URL" },
+        { status: 500 },
+      );
+    }
+
+    const token = randomBytes(32).toString("hex");
+    const expiresAt = buildInviteExpiry(new Date());
+
+    const [invitation] = await deps.db
+      .insert(invitations)
+      .values({
+        id: randomUUID(),
+        organizationId: orgId,
+        email,
+        role,
+        token,
+        expiresAt,
+      })
+      .returning();
+
+    const inviteUrl = `${baseUrl}/invite/${token}`;
+    const mailer = deps.email?.sendEmail ?? sendEmail;
+    await mailer({
+      to: email,
+      subject: "加入组织的邀请",
+      html: `<p>点击链接接受邀请：<a href="${inviteUrl}">${inviteUrl}</a></p>`,
+    });
+
+    return NextResponse.json({ data: invitation }, { status: 201 });
+  };
+}

package/app/api/organizations/[orgId]/invitations/route.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { buildCreateInvitationHandler } from "./handler";
+import { auth } from "@/lib/auth/config";
+import { db } from "@/lib/db";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+if (!db) {
+  throw new Error("Database not initialized");
+}
+
+export const POST = buildCreateInvitationHandler({ auth, db });

package/app/api/organizations/[orgId]/members/[memberId]/handler.ts

@@ -0,0 +1,208 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { and, count, eq } from "drizzle-orm";
+import type { db as database } from "@/lib/db";
+import { assertOrganizationAccess } from "@/lib/auth/organization";
+import { organizationMembers } from "@/lib/db/schema";
+import { organizationMemberRoleSchema } from "@/lib/validations/organizations";
+
+type Database = NonNullable<typeof database>;
+
+type RemoveMemberDeps = {
+  auth: {
+    api: {
+      getSession: (args: { headers: Headers }) => Promise<{ user: { id: string } } | null>;
+    };
+  };
+  db: {
+    select: Database["select"];
+    delete: Database["delete"];
+    update?: Database["update"];
+  };
+};
+
+type RemoveMemberParams = { orgId: string; memberId: string };
+
+type RemoveMemberContext = {
+  params: RemoveMemberParams | Promise<RemoveMemberParams>;
+};
+
+const updateRoleSchema = z.object({
+  role: organizationMemberRoleSchema,
+});
+
+export function buildRemoveMemberHandler(deps: RemoveMemberDeps) {
+  return async function DELETE(req: Request, context: RemoveMemberContext) {
+    const session = await deps.auth.api.getSession({ headers: req.headers });
+    if (!session) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const { orgId, memberId } = await Promise.resolve(context.params);
+
+    if (memberId === session.user.id) {
+      return NextResponse.json({ error: "不能移除自己" }, { status: 400 });
+    }
+
+    let requester;
+    try {
+      requester = await assertOrganizationAccess(deps.db, session.user.id, orgId);
+    } catch {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    if (!requester || requester.role !== "admin") {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    const [target] = await deps.db
+      .select()
+      .from(organizationMembers)
+      .where(
+        and(
+          eq(organizationMembers.organizationId, orgId),
+          eq(organizationMembers.userId, memberId),
+        ),
+      )
+      .limit(1);
+
+    if (!target) {
+      return NextResponse.json({ error: "Member not found" }, { status: 404 });
+    }
+
+    const [adminCount] = await deps.db
+      .select({ count: count() })
+      .from(organizationMembers)
+      .where(
+        and(
+          eq(organizationMembers.organizationId, orgId),
+          eq(organizationMembers.role, "admin"),
+        ),
+      );
+
+    if (target.role === "admin" && adminCount.count === 1) {
+      return NextResponse.json(
+        { error: "组织至少需要一个管理员" },
+        { status: 400 },
+      );
+    }
+
+    await deps.db
+      .delete(organizationMembers)
+      .where(
+        and(
+          eq(organizationMembers.organizationId, orgId),
+          eq(organizationMembers.userId, memberId),
+        ),
+      );
+
+    return NextResponse.json({ message: "成员已移除" }, { status: 200 });
+  };
+}
+
+type UpdateMemberRoleDeps = Omit<RemoveMemberDeps, "db"> & {
+  db: {
+    select: Database["select"];
+    update: Database["update"];
+  };
+};
+
+export function buildUpdateMemberRoleHandler(deps: UpdateMemberRoleDeps) {
+  return async function PUT(req: Request, context: RemoveMemberContext) {
+    const session = await deps.auth.api.getSession({ headers: req.headers });
+    if (!session) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    let body: unknown;
+    try {
+      body = await req.json();
+    } catch {
+      return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
+    }
+
+    const parsed = updateRoleSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: "Invalid request body", details: parsed.error.issues },
+        { status: 400 },
+      );
+    }
+
+    const { role } = parsed.data;
+    const { orgId, memberId } = await Promise.resolve(context.params);
+
+    let requester;
+    try {
+      requester = await assertOrganizationAccess(deps.db, session.user.id, orgId);
+    } catch {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    if (!requester || requester.role !== "admin") {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    const [target] = await deps.db
+      .select()
+      .from(organizationMembers)
+      .where(
+        and(
+          eq(organizationMembers.organizationId, orgId),
+          eq(organizationMembers.userId, memberId),
+        ),
+      )
+      .limit(1);
+
+    if (!target) {
+      return NextResponse.json({ error: "Member not found" }, { status: 404 });
+    }
+
+    const [adminCount] = await deps.db
+      .select({ count: count() })
+      .from(organizationMembers)
+      .where(
+        and(
+          eq(organizationMembers.organizationId, orgId),
+          eq(organizationMembers.role, "admin"),
+        ),
+      );
+
+    if (target.role === "admin" && role !== "admin" && adminCount.count === 1) {
+      return NextResponse.json(
+        { error: "组织至少需要一个管理员" },
+        { status: 400 },
+      );
+    }
+
+    const [updated] = await deps.db
+      .update(organizationMembers)
+      .set({ role })
+      .where(
+        and(
+          eq(organizationMembers.organizationId, orgId),
+          eq(organizationMembers.userId, memberId),
+        ),
+      )
+      .returning();
+
+    return NextResponse.json({ data: updated }, { status: 200 });
+  };
+}

package/app/api/organizations/[orgId]/members/[memberId]/route.ts

@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { buildRemoveMemberHandler, buildUpdateMemberRoleHandler } from "./handler";
+import { auth } from "@/lib/auth/config";
+import { db } from "@/lib/db";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+if (!db) {
+  throw new Error("Database not initialized");
+}
+
+export const DELETE = buildRemoveMemberHandler({ auth, db });
+export const PUT = buildUpdateMemberRoleHandler({ auth, db });

package/app/api/organizations/[orgId]/members/handler.ts

@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextResponse } from "next/server";
+import { eq } from "drizzle-orm";
+import type { db as database } from "@/lib/db";
+import { assertOrganizationAccess } from "@/lib/auth/organization";
+import { organizationMembers, user } from "@/lib/db/schema";
+
+type Database = NonNullable<typeof database>;
+
+type ListMembersDeps = {
+  auth: {
+    api: {
+      getSession: (args: { headers: Headers }) => Promise<{ user: { id: string } } | null>;
+    };
+  };
+  db: {
+    select: Database["select"];
+  };
+};
+
+type ListMembersParams = { orgId: string };
+
+type ListMembersContext = {
+  params: ListMembersParams | Promise<ListMembersParams>;
+};
+
+export function buildListMembersHandler(deps: ListMembersDeps) {
+  return async function GET(req: Request, context: ListMembersContext) {
+    const session = await deps.auth.api.getSession({ headers: req.headers });
+    if (!session) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    const { orgId } = await Promise.resolve(context.params);
+
+    try {
+      await assertOrganizationAccess(deps.db, session.user.id, orgId);
+    } catch {
+      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    }
+
+    const rows = await deps.db
+      .select({
+        userId: organizationMembers.userId,
+        displayName: user.name,
+        email: user.email,
+        avatarUrl: user.image,
+      })
+      .from(organizationMembers)
+      .innerJoin(user, eq(organizationMembers.userId, user.id))
+      .where(eq(organizationMembers.organizationId, orgId));
+
+    const data = rows.map((row) => ({
+      userId: row.userId,
+      displayName: row.displayName ?? row.email ?? "未知成员",
+      avatarUrl: row.avatarUrl ?? null,
+    }));
+
+    return NextResponse.json({ data }, { status: 200 });
+  };
+}