using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using Xunit;
namespace TeamUp.IntegrationTests;
///
/// M1 board acceptance at the API level: an owner sets up the org + a team, creates a task, moves
/// it across columns, assigns it, and sees it on the board and in the cartable. An invited Member
/// can view the board but cannot create a team (owner-only).
///
public sealed class BoardFlowTests(PostgresFixture postgres) : IClassFixture
{
private sealed record BootstrapResponse(string Token, Guid MemberId, Guid OrganizationId);
private sealed record AuthResponse(string Token, Guid MemberId);
private sealed record InviteResponse(Guid InvitationId, string Token);
private sealed record OrganizationResponse(Guid Id, string Name);
private sealed record TeamResponse(Guid Id, Guid OrganizationId, string Name);
private sealed record TaskResponse(
Guid Id, Guid TeamId, string Title, string? Description, string Type,
string Status, string AssigneeKind, Guid? AssigneeId, Guid? ParentId);
private sealed record BoardColumn(string Status, List Items);
private sealed record BoardResponse(Guid TeamId, List Columns);
private sealed record AuditEntryResponse(
Guid Id, string Action, string EntityType, Guid EntityId,
Guid? ActorMemberId, string? Details, DateTimeOffset OccurredAtUtc);
[Fact]
public async Task Owner_builds_board_and_member_is_scoped()
{
await using var factory = new TeamUpWebFactory(postgres.ConnectionString);
using var anon = factory.CreateClient();
var owner = await Bootstrap(anon);
using var ownerClient = Authed(factory, owner.Token);
// Set the organization name (idempotent upsert on the bootstrapped org scope).
var org = await PostOk(ownerClient, "/api/orgboard/organizations",
new { organizationId = owner.OrganizationId, name = "AliaSaaS" });
Assert.Equal(owner.OrganizationId, org.Id);
// Create a team and list it.
var team = await PostOk(ownerClient, "/api/orgboard/teams",
new { organizationId = owner.OrganizationId, name = "IPNOPS" });
var teams = await ownerClient.GetFromJsonAsync>(
$"/api/orgboard/teams?organizationId={owner.OrganizationId}");
Assert.Contains(teams!, t => t.Id == team.Id);
// Create a task → it lands in Backlog, unassigned.
var task = await PostOk(ownerClient, "/api/orgboard/tasks",
new { teamId = team.Id, title = "Build the login screen", description = "M1", type = "Story" });
Assert.Equal("Backlog", task.Status);
Assert.Equal("Unassigned", task.AssigneeKind);
// Move it to In Progress and assign it to the owner.
var moved = await PatchOk(ownerClient, $"/api/orgboard/tasks/{task.Id}/move",
new { status = "InProgress" });
Assert.Equal("InProgress", moved.Status);
var assigned = await PatchOk(ownerClient, $"/api/orgboard/tasks/{task.Id}/assign",
new { memberId = owner.MemberId });
Assert.Equal("Member", assigned.AssigneeKind);
Assert.Equal(owner.MemberId, assigned.AssigneeId);
// The board shows it under In Progress.
var board = await ownerClient.GetFromJsonAsync($"/api/orgboard/board?teamId={team.Id}");
var inProgress = board!.Columns.Single(c => c.Status == "InProgress");
Assert.Contains(inProgress.Items, i => i.Id == task.Id);
// The owner's cartable shows the assigned task.
var cartable = await ownerClient.GetFromJsonAsync>("/api/orgboard/cartable");
Assert.Contains(cartable!, i => i.Id == task.Id);
// The audit log (owner-only) recorded the task actions.
var audit = await ownerClient.GetFromJsonAsync>(
$"/api/governance/audit?organizationId={owner.OrganizationId}");
Assert.Contains(audit!, e => e.Action == "task.created" && e.EntityId == task.Id);
Assert.Contains(audit!, e => e.Action == "task.moved" && e.EntityId == task.Id);
// Invite a Member at the org scope and accept.
var invite = await PostOk(ownerClient, "/api/identity/invitations", new
{
email = "dev@alia.test",
scopeType = "Organization",
scopeId = owner.OrganizationId,
role = "Member",
organizationId = owner.OrganizationId,
});
var member = await PostOk(anon, "/api/identity/invitations/accept",
new { token = invite.Token, displayName = "Dev", password = "Passw0rd!" });
using var memberClient = Authed(factory, member.Token);
// The member can view the board…
var memberBoard = await memberClient.GetAsync($"/api/orgboard/board?teamId={team.Id}");
Assert.Equal(HttpStatusCode.OK, memberBoard.StatusCode);
// …but cannot create a team (owner-only).
var memberTeam = await memberClient.PostAsJsonAsync("/api/orgboard/teams",
new { organizationId = owner.OrganizationId, name = "Nope" });
Assert.Equal(HttpStatusCode.Forbidden, memberTeam.StatusCode);
}
private static async Task Bootstrap(HttpClient client)
{
var response = await PostOk(client, "/api/identity/bootstrap", new
{
organizationName = "AliaSaaS",
ownerEmail = "owner@alia.test",
ownerDisplayName = "Owner",
ownerPassword = "Passw0rd!",
});
return response;
}
private static HttpClient Authed(TeamUpWebFactory factory, string token)
{
var client = factory.CreateClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
return client;
}
private static async Task PostOk(HttpClient client, string url, object body)
{
var response = await client.PostAsJsonAsync(url, body);
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
var value = await response.Content.ReadFromJsonAsync();
Assert.NotNull(value);
return value!;
}
private static async Task PatchOk(HttpClient client, string url, object body)
{
var response = await client.PatchAsJsonAsync(url, body);
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
var value = await response.Content.ReadFromJsonAsync();
Assert.NotNull(value);
return value!;
}
}