Commit Graph

1 Commits

Author: Simone Cavalli
SHA1: c24bdde603
Date: 2026-05-15 21:39:32 +02:00
Message: feat(02-04): add POST /api/client/approve and POST /api/client/comment API routes
- approve: validates token, checks deliverable ownership via phase→client join, sets status=approved + approved_at=now() only if approved_at is currently null (CLAUDE.md immutability rule enforced)
- comment: validates token, checks entity ownership (task or deliverable) via phase→client chain, inserts comment with author='client'
- both routes return 404 on invalid token or unknown entity
- neither route references quote_items (CLAUDE.md constraint enforced)
- Zod validation on comment body: min 1 char, max 2000 chars (T-02-20 DoS mitigation)
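The two route behaviours described in the commit message, modelled below as an added TypeScript example that is not the project's own code. It uses an in-memory stand-in for the database, so everything is an assumption except the rules the message states: the table and column names (tokens, phases, deliverables, tasks, comments), the token-to-client lookup, a plain length check in place of the Zod schema, a 400 response for a body that fails validation, and a 200 response with the record unchanged when an already-approved deliverable is approved again. The clock is injected so the write-once rule on approved_at can be checked.

```typescript
// Added example, not the project's code. Table/column names below are assumed.
type Id = number;
interface Phase { id: Id; clientId: Id }
interface Deliverable { id: Id; phaseId: Id; status: string; approvedAt: string | null }
interface Task { id: Id; phaseId: Id }
interface Comment { entityType: 'task' | 'deliverable'; entityId: Id; author: 'client'; body: string }

interface Db {
  tokens: Map<string, Id>;   // token -> clientId (assumed shape of the token table)
  phases: Phase[];
  deliverables: Deliverable[];
  tasks: Task[];
  comments: Comment[];
}

interface Result { status: number; body?: unknown }

// The phase→client join: an entity is the caller's only if its phase belongs
// to the client the token resolves to.
function ownedByClient(db: Db, phaseId: Id, clientId: Id): boolean {
  const phase = db.phases.find(p => p.id === phaseId);
  return phase !== undefined && phase.clientId === clientId;
}

// Invalid token, unknown entity and someone else's entity all collapse to 404,
// so a caller cannot tell "no such deliverable" from "not yours".
function resolveClient(db: Db, token: string | undefined): Id | undefined {
  return token === undefined ? undefined : db.tokens.get(token);
}

function approveDeliverable(db: Db, token: string | undefined, deliverableId: Id, now: () => string): Result {
  const clientId = resolveClient(db, token);
  if (clientId === undefined) return { status: 404 };
  const d = db.deliverables.find(x => x.id === deliverableId);
  if (d === undefined || !ownedByClient(db, d.phaseId, clientId)) return { status: 404 };
  // Immutability rule: approved_at is written exactly once. The SQL equivalent is
  //   UPDATE deliverables SET status='approved', approved_at=now()
  //   WHERE id=$1 AND approved_at IS NULL
  // A repeat call leaves the first timestamp in place (assumed: answer 200, unchanged).
  if (d.approvedAt === null) {
    d.status = 'approved';
    d.approvedAt = now();
  }
  return { status: 200, body: { status: d.status, approved_at: d.approvedAt } };
}

const COMMENT_MIN = 1;
const COMMENT_MAX = 2000;

// Stand-in for z.string().min(1).max(2000): an authenticated client can store
// at most 2000 characters per request, which bounds storage growth per call.
function validateCommentBody(raw: unknown): string | null {
  if (typeof raw !== 'string') return null;
  if (raw.length < COMMENT_MIN || raw.length > COMMENT_MAX) return null;
  return raw;
}

function addComment(db: Db, token: string | undefined, entityType: 'task' | 'deliverable', entityId: Id, rawBody: unknown): Result {
  const clientId = resolveClient(db, token);
  if (clientId === undefined) return { status: 404 };
  const body = validateCommentBody(rawBody);
  if (body === null) return { status: 400 }; // assumed status for a rejected body
  const entity = entityType === 'task'
    ? db.tasks.find(t => t.id === entityId)
    : db.deliverables.find(d => d.id === entityId);
  if (entity === undefined || !ownedByClient(db, entity.phaseId, clientId)) return { status: 404 };
  // author is fixed server-side; the client cannot choose it.
  const comment: Comment = { entityType, entityId, author: 'client', body };
  db.comments.push(comment);
  return { status: 201, body: comment };
}

// Constructed fixture: two clients, one phase each, one deliverable and one task.
function fixture(): Db {
  return {
    tokens: new Map<string, Id>([['tok-a', 1], ['tok-b', 2]]),
    phases: [{ id: 10, clientId: 1 }, { id: 20, clientId: 2 }],
    deliverables: [{ id: 100, phaseId: 10, status: 'pending', approvedAt: null }],
    tasks: [{ id: 200, phaseId: 20 }],
    comments: [],
  };
}
```

The point worth carrying into the real handlers is the `WHERE approved_at IS NULL` predicate on the update itself rather than a read-then-write in application code: with the predicate in the statement, two concurrent approvals cannot both set the timestamp.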