soroush.asadi
fa9046a03e
SharedKernel: - IAuditLog/AuditEvent — append-only audit contract any module writes through. - EditDistance (Levenshtein + normalized) — the north-star metric, available from day one; consumed at edit-and-approve in M5. Governance module (references SharedKernel only): - AuditEntry entity; internal GovernanceDbContext (schema "governance") + InitialGovernance migration; AuditLog implements IAuditLog. - GET /api/governance/audit — owner-only (ViewAuditLog), returns recent entries. Wiring (via the SharedKernel IAuditLog interface — no module references Governance): - OrgBoard records team.created, task.created, task.moved, task.assigned. - Identity records invitation.created, member.joined. Verified: build green; ArchitectureTests 8/8 (Governance references only SharedKernel; audit flows through the shared interface); IntegrationTests 20/20 — board flow now asserts task.created/task.moved appear in the audit log, plus EditDistance unit tests. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
150 lines
6.6 KiB
C#
150 lines
6.6 KiB
C#
using System.Net;
|
|
using System.Net.Http.Headers;
|
|
using System.Net.Http.Json;
|
|
using Xunit;
|
|
|
|
namespace TeamUp.IntegrationTests;
|
|
|
|
/// <summary>
|
|
/// M1 board acceptance at the API level: an owner sets up the org + a team, creates a task, moves
|
|
/// it across columns, assigns it, and sees it on the board and in the cartable. An invited Member
|
|
/// can view the board but cannot create a team (owner-only).
|
|
/// </summary>
|
|
public sealed class BoardFlowTests(PostgresFixture postgres) : IClassFixture<PostgresFixture>
|
|
{
|
|
private sealed record BootstrapResponse(string Token, Guid MemberId, Guid OrganizationId);
|
|
|
|
private sealed record AuthResponse(string Token, Guid MemberId);
|
|
|
|
private sealed record InviteResponse(Guid InvitationId, string Token);
|
|
|
|
private sealed record OrganizationResponse(Guid Id, string Name);
|
|
|
|
private sealed record TeamResponse(Guid Id, Guid OrganizationId, string Name);
|
|
|
|
private sealed record TaskResponse(
|
|
Guid Id, Guid TeamId, string Title, string? Description, string Type,
|
|
string Status, string AssigneeKind, Guid? AssigneeId, Guid? ParentId);
|
|
|
|
private sealed record BoardColumn(string Status, List<TaskResponse> Items);
|
|
|
|
private sealed record BoardResponse(Guid TeamId, List<BoardColumn> Columns);
|
|
|
|
private sealed record AuditEntryResponse(
|
|
Guid Id, string Action, string EntityType, Guid EntityId,
|
|
Guid? ActorMemberId, string? Details, DateTimeOffset OccurredAtUtc);
|
|
|
|
[Fact]
|
|
public async Task Owner_builds_board_and_member_is_scoped()
|
|
{
|
|
await using var factory = new TeamUpWebFactory(postgres.ConnectionString);
|
|
using var anon = factory.CreateClient();
|
|
|
|
var owner = await Bootstrap(anon);
|
|
using var ownerClient = Authed(factory, owner.Token);
|
|
|
|
// Set the organization name (idempotent upsert on the bootstrapped org scope).
|
|
var org = await PostOk<OrganizationResponse>(ownerClient, "/api/orgboard/organizations",
|
|
new { organizationId = owner.OrganizationId, name = "AliaSaaS" });
|
|
Assert.Equal(owner.OrganizationId, org.Id);
|
|
|
|
// Create a team and list it.
|
|
var team = await PostOk<TeamResponse>(ownerClient, "/api/orgboard/teams",
|
|
new { organizationId = owner.OrganizationId, name = "IPNOPS" });
|
|
var teams = await ownerClient.GetFromJsonAsync<List<TeamResponse>>(
|
|
$"/api/orgboard/teams?organizationId={owner.OrganizationId}");
|
|
Assert.Contains(teams!, t => t.Id == team.Id);
|
|
|
|
// Create a task → it lands in Backlog, unassigned.
|
|
var task = await PostOk<TaskResponse>(ownerClient, "/api/orgboard/tasks",
|
|
new { teamId = team.Id, title = "Build the login screen", description = "M1", type = "Story" });
|
|
Assert.Equal("Backlog", task.Status);
|
|
Assert.Equal("Unassigned", task.AssigneeKind);
|
|
|
|
// Move it to In Progress and assign it to the owner.
|
|
var moved = await PatchOk<TaskResponse>(ownerClient, $"/api/orgboard/tasks/{task.Id}/move",
|
|
new { status = "InProgress" });
|
|
Assert.Equal("InProgress", moved.Status);
|
|
|
|
var assigned = await PatchOk<TaskResponse>(ownerClient, $"/api/orgboard/tasks/{task.Id}/assign",
|
|
new { memberId = owner.MemberId });
|
|
Assert.Equal("Member", assigned.AssigneeKind);
|
|
Assert.Equal(owner.MemberId, assigned.AssigneeId);
|
|
|
|
// The board shows it under In Progress.
|
|
var board = await ownerClient.GetFromJsonAsync<BoardResponse>($"/api/orgboard/board?teamId={team.Id}");
|
|
var inProgress = board!.Columns.Single(c => c.Status == "InProgress");
|
|
Assert.Contains(inProgress.Items, i => i.Id == task.Id);
|
|
|
|
// The owner's cartable shows the assigned task.
|
|
var cartable = await ownerClient.GetFromJsonAsync<List<TaskResponse>>("/api/orgboard/cartable");
|
|
Assert.Contains(cartable!, i => i.Id == task.Id);
|
|
|
|
// The audit log (owner-only) recorded the task actions.
|
|
var audit = await ownerClient.GetFromJsonAsync<List<AuditEntryResponse>>(
|
|
$"/api/governance/audit?organizationId={owner.OrganizationId}");
|
|
Assert.Contains(audit!, e => e.Action == "task.created" && e.EntityId == task.Id);
|
|
Assert.Contains(audit!, e => e.Action == "task.moved" && e.EntityId == task.Id);
|
|
|
|
// Invite a Member at the org scope and accept.
|
|
var invite = await PostOk<InviteResponse>(ownerClient, "/api/identity/invitations", new
|
|
{
|
|
email = "dev@alia.test",
|
|
scopeType = "Organization",
|
|
scopeId = owner.OrganizationId,
|
|
role = "Member",
|
|
organizationId = owner.OrganizationId,
|
|
});
|
|
var member = await PostOk<AuthResponse>(anon, "/api/identity/invitations/accept",
|
|
new { token = invite.Token, displayName = "Dev", password = "Passw0rd!" });
|
|
|
|
using var memberClient = Authed(factory, member.Token);
|
|
|
|
// The member can view the board…
|
|
var memberBoard = await memberClient.GetAsync($"/api/orgboard/board?teamId={team.Id}");
|
|
Assert.Equal(HttpStatusCode.OK, memberBoard.StatusCode);
|
|
|
|
// …but cannot create a team (owner-only).
|
|
var memberTeam = await memberClient.PostAsJsonAsync("/api/orgboard/teams",
|
|
new { organizationId = owner.OrganizationId, name = "Nope" });
|
|
Assert.Equal(HttpStatusCode.Forbidden, memberTeam.StatusCode);
|
|
}
|
|
|
|
private static async Task<BootstrapResponse> Bootstrap(HttpClient client)
|
|
{
|
|
var response = await PostOk<BootstrapResponse>(client, "/api/identity/bootstrap", new
|
|
{
|
|
organizationName = "AliaSaaS",
|
|
ownerEmail = "owner@alia.test",
|
|
ownerDisplayName = "Owner",
|
|
ownerPassword = "Passw0rd!",
|
|
});
|
|
return response;
|
|
}
|
|
|
|
private static HttpClient Authed(TeamUpWebFactory factory, string token)
|
|
{
|
|
var client = factory.CreateClient();
|
|
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
|
|
return client;
|
|
}
|
|
|
|
private static async Task<T> PostOk<T>(HttpClient client, string url, object body)
|
|
{
|
|
var response = await client.PostAsJsonAsync(url, body);
|
|
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
|
var value = await response.Content.ReadFromJsonAsync<T>();
|
|
Assert.NotNull(value);
|
|
return value!;
|
|
}
|
|
|
|
private static async Task<T> PatchOk<T>(HttpClient client, string url, object body)
|
|
{
|
|
var response = await client.PatchAsJsonAsync(url, body);
|
|
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
|
var value = await response.Content.ReadFromJsonAsync<T>();
|
|
Assert.NotNull(value);
|
|
return value!;
|
|
}
|
|
}
|