feat(defects): file a defect via a board-section modal (T5)

POST /api/defects validates the body with arktype (known section, uuid
project, non-empty trimmed verbatim) and resolves the reporter through a dev
seam (getReporter, ADR 0002) until OAuth lands. DefectForm is a DaisyUI modal
opened by a section click — pick a project, describe the problem, submit.
This commit is contained in:
Julien Calixte
2026-05-27 23:53:49 +02:00
parent bd427ab171
commit cb19b2df55
8 changed files with 337 additions and 8 deletions

View File

@@ -0,0 +1,15 @@
import { type } from 'arktype'
import { getDb } from '../db/client'
import { createDefect } from '../db/repositories/defects'
import { DefectInput } from '../utils/defectInput'
import { getReporter } from '../utils/getReporter'
// File a defect against a board section (F2). Reporter comes from the seam,
// not the client; the timestamp defaults in the DB.
export default defineEventHandler(async (event) => {
const input = DefectInput(await readBody(event))
if (input instanceof type.errors) {
throw createError({ statusCode: 400, statusMessage: input.summary })
}
return createDefect(getDb(), { ...input, reporterEmail: getReporter(event) })
})

View File

@@ -0,0 +1,17 @@
import { type } from 'arktype'
import { sectionIds } from '../../app/board/definition'
// Validated request body for filing a defect (F2). The reporter is resolved
// server-side via the session seam, never trusted from the client. Verbatim is
// trimmed; the section must be one defined on the canonical board (C1).
export const DefectInput = type({
sectionId: type('string').narrow(
(id, ctx) => sectionIds.has(id) || ctx.reject('a known board section id'),
),
projectId: 'string.uuid',
verbatim: type('string')
.pipe((s) => s.trim())
.narrow((s, ctx) => s.length > 0 || ctx.reject('non-empty text')),
})
export type DefectInputData = typeof DefectInput.infer

View File

@@ -0,0 +1,10 @@
import type { H3Event } from 'h3'
/**
* Resolves the reporter's email — the one seam between filing and auth (ADR
* 0002). For now it returns a fixed dev identity so the filing slice works
* before OAuth exists; Task 9 swaps this to read the verified session email.
*/
export function getReporter(_event: H3Event): string {
return process.env.DEV_REPORTER_EMAIL ?? 'dev@theodo.com'
}