Formalize CreateFlowState + validate draft/publish API payloads

2026-04-04 22:37:46 -06:00
parent c8e930552b
commit c4b600e944
12 changed files with 409 additions and 62 deletions
@@ -1,8 +1,12 @@
+import type { Prisma } from "@prisma/client";
 import { NextRequest, NextResponse } from "next/server";
 import { prisma } from "../../../../lib/server/db";
 import { isDatabaseConfigured } from "../../../../lib/server/env";
 import { dbUnavailable } from "../../../../lib/server/responses";
 import { getSessionUser } from "../../../../lib/server/session";
+import { putDraftBodySchema } from "../../../../lib/server/validation/createFlowSchemas";
+import { readLimitedJson } from "../../../../lib/server/validation/requestBody";
+import { jsonFromZodError } from "../../../../lib/server/validation/zodHttp";

 export async function GET() {
  if (!isDatabaseConfigured()) {
@@ -33,33 +37,28 @@ export async function PUT(request: NextRequest) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

-  let body: unknown;
-  try {
-    body = await request.json();
-  } catch {
-    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  const parsedBody = await readLimitedJson(request);
+  if (parsedBody.ok === false) {
+    return parsedBody.response;
  }

-  if (!body || typeof body !== "object" || !("payload" in body)) {
-    return NextResponse.json({ error: "payload required" }, { status: 400 });
+  const validated = putDraftBodySchema.safeParse(parsedBody.value);
+  if (!validated.success) {
+    return jsonFromZodError(validated.error);
  }

-  const payload = (body as { payload: unknown }).payload;
-  if (payload === undefined || typeof payload !== "object" || payload === null) {
-    return NextResponse.json(
-      { error: "payload must be a JSON object" },
-      { status: 400 },
-    );
-  }
+  const { payload } = validated.data;
+
+  const jsonPayload = payload as Prisma.InputJsonValue;

  const draft = await prisma.ruleDraft.upsert({
    where: { userId: user.id },
    create: {
      userId: user.id,
-      payload: payload as object,
+      payload: jsonPayload,
    },
    update: {
-      payload: payload as object,
+      payload: jsonPayload,
    },
  });

@@ -1,8 +1,12 @@
+import type { Prisma } from "@prisma/client";
 import { NextRequest, NextResponse } from "next/server";
 import { prisma } from "../../../lib/server/db";
 import { isDatabaseConfigured } from "../../../lib/server/env";
 import { dbUnavailable } from "../../../lib/server/responses";
 import { getSessionUser } from "../../../lib/server/session";
+import { publishRuleBodySchema } from "../../../lib/server/validation/createFlowSchemas";
+import { readLimitedJson } from "../../../lib/server/validation/requestBody";
+import { jsonFromZodError } from "../../../lib/server/validation/zodHttp";

 export async function GET(request: NextRequest) {
  if (!isDatabaseConfigured()) {
@@ -37,43 +41,24 @@ export async function POST(request: NextRequest) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

-  let body: unknown;
-  try {
-    body = await request.json();
-  } catch {
-    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  const parsedBody = await readLimitedJson(request);
+  if (parsedBody.ok === false) {
+    return parsedBody.response;
  }

-  if (!body || typeof body !== "object") {
-    return NextResponse.json({ error: "Invalid body" }, { status: 400 });
+  const validated = publishRuleBodySchema.safeParse(parsedBody.value);
+  if (!validated.success) {
+    return jsonFromZodError(validated.error);
  }

-  const { title, summary, document } = body as {
-    title?: unknown;
-    summary?: unknown;
-    document?: unknown;
-  };
-
-  if (typeof title !== "string" || title.trim().length === 0) {
-    return NextResponse.json({ error: "title required" }, { status: 400 });
-  }
-
-  if (document === undefined || typeof document !== "object" || document === null) {
-    return NextResponse.json(
-      { error: "document must be a JSON object" },
-      { status: 400 },
-    );
-  }
+  const { title, summary, document } = validated.data;

  const rule = await prisma.publishedRule.create({
    data: {
      userId: user.id,
-      title: title.trim(),
-      summary:
-        typeof summary === "string" && summary.trim().length > 0
-          ? summary.trim()
-          : null,
-      document: document as object,
+      title,
+      summary,
+      document: document as Prisma.InputJsonValue,
    },
  });

@@ -21,11 +21,19 @@ export type CreateFlowStep =
  | "completed";

 /**
- * Flow state interface for storing user inputs across all steps
- * Will be expanded in CR-56 with specific field definitions
+ * Flow state for inputs across create-flow steps.
+ * Validated on `PUT /api/drafts/me` via `createFlowStateSchema` (Zod + JSON safety checks).
+ * Additional string keys are allowed at runtime for forward-compatible step data.
 */
 export interface CreateFlowState {
-  // Placeholder structure - will be expanded in CR-56
+  title?: string;
+  summary?: string;
+  currentStep?: CreateFlowStep;
+  /** Section drafts; structure will tighten as steps persist real shapes. */
+  sections?: Record<string, unknown>[];
+  /** Stakeholder placeholders until the confirm-stakeholders step defines a schema. */
+  stakeholders?: Record<string, unknown>[];
+  /** Extra step-specific fields (must be JSON-serializable for server draft sync). */
  [key: string]: unknown;
 }