Server-assigns a uuid4 id to every AI-generated node (Finding 1 showstopper:
nodes had no id but the advance protocol keys on node_id, so ai_build walks
never advanced past question 1). Replaces the hidden {"node_type":"meta"}
walked_path convention with real category/problem_text/pending_node columns on
l1_walk_sessions (migration 61dda4f615c6) — fixes junk proposals + off-by-one
depth cap (Findings 8,9), and pending_node replays the served node on re-mount
(no duplicate paid LLM call). Intake honors explicit flow_id and adhoc=True
(Findings 4,5); flow_proposals.l1_session_id FK -> CASCADE (Finding 6 time
bomb); L1 category GET is owner+admin like PATCH and require_account_owner_or_admin
delegates to User.can_manage_account (Finding 7); escalate falls back to default
recipients + filters deleted_at + warns when empty (Finding 10). Cleanups: dead
ticket_ref removed, IntakeResponse per-outcome validator, unused acknowledged
dropped, escalations partial index, restored a deleted audit assertion.
Full Phase 2A backend set: 110 passed / 0 failed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- /intake now runs match_or_build (matched/suggest/out_of_scope/build); build
seeds the classified category as a hidden meta walked_path entry, matched starts
a flow session, suggest/out_of_scope return prompt data with no session.
- New POST /sessions/{id}/next-node (threads node_text to advance_ai_build) and
GET /escalations (engineer-or-above) for the handoff queue.
- New IntakeResponse(outcome=...)/NextNodeRequest/NextNodeResponse schemas and
require_account_owner_or_admin dep.
- Reconcile Phase-1 intake tests to the new contract (mock match_or_build); add
test_l1_api_ai_build.py covering build/out_of_scope/suggest/next-node/escalations.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Second commit in the session-expiration-policy series. Lands the
error-detail taxonomy from §4.10 of the plan; no UI-visible change yet
because the frontend interceptor (commit 7) doesn't read the new detail
strings, but the wire is now ready for it.
Today every /auth/refresh failure returns 401 "Invalid refresh token"
regardless of cause, so the frontend has no way to distinguish "your
session ended for security" from "we don't recognize this token at
all." This commit introduces:
- decode_refresh_token_strict(): wraps jose.jwt.decode and raises a new
IdleTokenExpired exception (from ExpiredSignatureError) so callers
can branch on idle expiry. All other jose failures still propagate
as JWTError. The legacy decode_token() is preserved for access-token,
password-reset, and email-verification paths that don't need the
distinction.
- get_refresh_token_payload(): now maps IdleTokenExpired ->
"session_expired_idle", JWTError and wrong-type tokens ->
"invalid_refresh_token".
- test_session_policy.py: new test file (will accumulate cases across
the series). Three tests for the taxonomy: idle-expired returns
session_expired_idle; wrong type returns invalid_refresh_token; bad
signature returns invalid_refresh_token.
20/20 across test_session_policy + test_auth + test_oauth_callbacks.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Mounts on Pro routers (trees, sessions, scripts, FlowPilot, etc.) and
returns 402 with structured detail when an account's subscription is
missing or locked. Allowlist bypasses billing/account/auth flows so
users can recover from a lapsed subscription.
Conftest now seeds a default Pro/active Subscription on test_user and
test_admin (delete-then-insert because the register endpoint already
creates a free/active sub by default). Two existing tests adapted to
the new seeded plan; tenant-isolation tests seed Subscription rows for
the accounts they create directly.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Phase 4 enabled RLS on the users table. All code paths that touch users
(or other RLS-protected tables) before require_tenant_context sets
app.current_account_id must use get_admin_db (BYPASSRLS):
- deps.py: get_current_user and get_current_active_user → get_admin_db
- auth.py: all endpoints → get_admin_db (login, register, refresh, etc.
run before tenant context exists; mutation endpoints also need session
consistency since current_user is in the admin session)
- accounts.py: transfer_ownership, leave_account, delete_account
→ get_admin_db (these mutate current_user directly)
- onboarding.py: dismiss_onboarding → get_admin_db (same reason)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ErrorBoundary: use Sentry.ErrorBoundary with crash feedback dialog
- RouteError: capture route errors in Sentry (skip chunk load errors)
- User context: set Sentry user on login (frontend + backend)
- Backend: enable profiling (profiles_sample_rate)
- Frontend: add feedback integration, lower replay rate to conserve quota
- Add temporary verification message for production validation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: maintenance flow UX redesign — batch status hub, context strip, detail page upgrades (#85)
- Add BatchStatusPage (/flows/:id/batches/:batchId): per-target Start/Resume/View cards, progress bar, 5s polling while in-progress, completion outcome summary
- Add BatchStatusCard: handles not-started/in-progress/complete states with step progress for in-progress targets
- Add ActiveBatchBanner: amber banner on detail page when a batch is running, links to BatchStatusPage
- Add MaintenanceContextStrip: amber strip in ProceduralNavigationPage for maintenance flows showing target name, batch progress (X/Y complete), and Back to Batch nav
- Update MaintenanceFlowDetailPage: active batch banner, clickable run history rows with mini progress dots and outcome summaries, Run button loading state, post-launch navigates to BatchStatusPage
- Update ProceduralNavigationPage: renders MaintenanceContextStrip between top bar and content when tree_type === 'maintenance'; fetches batch progress once on mount
- Add batch_id filter to GET /sessions backend endpoint and SessionListParams frontend type
- Add /flows/:id/batches/:batchId route to router
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: session detail page — completion action + outcome summary card
- In-progress sessions: amber banner with "Complete Session" button opens
SessionOutcomeModal to set outcome/notes/next-steps and finalize
- Completed sessions: colored outcome summary card (icon + outcome label +
duration + notes + next steps) replaces dense header metadata; "Copy for
Ticket" promoted to primary action inside the card
- Export toolbar de-emphasized to secondary row of smaller controls below
the summary card
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add library-page action props to StepCard (edit/delete/save)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: pass library-page action props through StepLibraryBrowser + refreshKey
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: StepFormModal wrapper + submitLabel/isSubmitting props on StepForm
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: Step Library page — create, edit, delete, save-to-library
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add RuntimeStep union type for procedural custom steps
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: StepChecklist accepts RuntimeStep[], renders amber Custom badge
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: StepDetail accepts RuntimeStep, renders Custom Step badge for custom steps
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: custom step insertion in procedural flow sessions
Engineers can add custom steps inline during execution. Steps are
persisted to session.custom_steps and restored on resume.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: suppress StepFeedback on custom steps, fix resume stepState seeding, functional updater for step index
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs: add tree forking UI design doc
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs: add tree fork UI implementation plan
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add ForkInfo type and fork fields to Tree/TreeListItem
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: align ForkInfo type with backend schema, remove redundant fork fields
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: ForkInfo placement, required fork_info field, add JSDoc
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add ForkModal component with name and reason fields
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: ForkModal accessibility and UX (escape, click-outside, labels, maxLength)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: open ForkModal on fork action in TreeLibraryPage
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add ForkModal to MyTreesPage
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: show Fork chip badge on forked tree cards
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs: add flow-to-library step sync design doc
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs: add flow-to-library sync implementation plan
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add sync tracking columns to step_library
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add sync columns and source_tree relationship to StepLibrary model
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add group_label to StepContent, is_flow_synced/source_tree_name to StepLibraryResponse
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: include is_flow_synced and source_tree_name in step list/detail responses
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: add is_flow_synced and source_tree_name to step list response
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: add selectinload and sync fields to search and get_step endpoints
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add step_sync module with extraction and upsert logic
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: safe NOT IN placeholders for asyncpg, add deactivate docstring
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: trigger step library sync on tree publish and deactivate on delete
- Call sync_steps_from_tree in update_tree whenever the tree is published
(status transitions to 'published' or is already published and structure changes)
- Call deactivate_synced_steps_for_tree in delete_tree before db.commit()
so the FK SET NULL does not nullify source_tree_id before the WHERE clause runs
- Fix ::jsonb cast syntax in step_sync.py (asyncpg rejects :: operator in text()
queries; replaced with CAST(:content AS jsonb))
- Add UniqueConstraint('source_tree_id','source_node_id') to StepLibrary model
so Base.metadata.create_all (used by tests) creates the constraint that the
ON CONFLICT clause in sync_steps_from_tree depends on
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add is_flow_synced and source_tree_name to Step types
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: show From Flow badge and lock icon on flow-synced StepCard
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: show source flow name in StepDetailModal for synced steps
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add Library Visibility select to procedural StepEditor
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: address code review issues in flow-to-library sync
- Fix sync trigger: only fire on publish transition, not every PUT
- Add TestSyncOnPublish integration tests (2 tests, 16 total passing)
- Add group_label to frontend StepContent interface
- Guard Library Visibility select to procedure_step nodes only
- Block API edits to flow-synced steps (400 read-only guard)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: handle None author_id in step sync to avoid invalid UUID error
When a system/default tree has no author (author_id is None),
str(None) produces the literal string 'None' which asyncpg
rejects as an invalid UUID for the created_by column.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: add ResolutionFlow service account to own default tree steps in library
Default/system trees had no author_id (NULL), causing a NOT NULL violation
when syncing steps to step_library.created_by on publish.
- Add is_service_account flag to users table (migration 4f4137ce)
- Add service_account.py: idempotent ensure_service_account() creates
noreply@resolutionflow.com with unusable password on startup
- Cache service account ID on app.state at lifespan startup
- Add get_service_account_id() FastAPI dep (returns None in tests)
- sync_steps_from_tree: resolve author_id or service_account_id as created_by
- create_tree: set author_id=service_account_id for is_default trees
- Migration 1490781700bc: backfill author_id on 31 existing default trees
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Fix require_engineer_or_admin missing "admin" account_role, add
PUT /admin/users/{id}/super-admin endpoint with audit logging,
and promote/demote button with confirmation modal on UserDetailPage.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Migration 030: add email, assigned_plan, trial_duration_days, email_sent_at
to invite_codes with CHECK constraints
- Resend email integration (graceful degradation when API key not set)
- Invite codes now support plan assignment (free/pro/team) and trial duration (1-90 days)
- Registration applies invite code plan/trial to new subscription
- Auto-downgrade expired trials on authenticated access
- Enriched GET /admin/users/{id} with account, subscription, sessions, audit logs
- New endpoints: PUT /admin/users/{id}/subscription/plan and extend-trial
- Frontend: enhanced invite codes page with email, plan, trial fields
- Frontend: new user detail page at /admin/users/:userId
- Fixed API path drift: /invite-codes -> /invites
- 11 new backend tests, 416 total passing
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Transition from team-based to account-based multi-tenancy (Free/Pro/Team).
Migrations 016-020 create accounts, subscriptions, plan_limits, and
account_invites tables, then migrate existing users and content FKs.
New models: Account, Subscription, PlanLimits, AccountInvite.
Updated models add account_id alongside existing team_id (coexistence
for safe two-PR deployment). Permissions and deps refactored for
account_role instead of is_team_admin.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase B addresses 7 high-severity gaps from the permissions audit:
- B1: Enforce tree access check on session start via can_access_tree
- B2: Replace all inline permission helpers with centralized permissions.py
- B3: Fix require_engineer_or_admin to check is_team_admin before role
- B4: Add is_active field on User with enforcement in get_current_active_user
- B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate)
- B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG)
- B7: Implement refresh token rotation with JTI-based revocation and meaningful logout
Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md
with SaaS/MSP context for future planning sessions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add role-based access control with hierarchy: super_admin > team_admin >
engineer > viewer. Adds is_super_admin boolean to User model (migration 010),
centralized backend permissions module, frontend usePermissions hook, and
UI enforcement (conditional Create/Edit buttons, editor redirect for viewers,
role badge in header). All endpoint admin checks updated from role=="admin"
to is_super_admin.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix broken JWT token refresh that caused "Failed to load trees" after
idle timeout. The refresh endpoint expected token as query param but
frontend sent it as Authorization header. Added proper dependency
(get_refresh_token_payload) and refresh queue to handle concurrent 401s.
Also fix seed trees not being visible to non-admin users by updating
the seed script to set is_public/is_default on existing trees.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
