feat(api): CUST-WP-0018 — API hardening & code quality

T01: Fix datetime.utcnow() → datetime.now(tz=timezone.utc) in MCP server T02: Wrap _get/_post/_patch/_delete with try/except; return error dicts T03: Log warnings when write_log skips missing project path T04: Add priority + due_date_before filters to GET /tasks/ T05: Add owner + slug filters to GET /workstreams/ T06: Add offset param to GET /progress/ for proper pagination T07: Low-severity bundle: - CORS origins from CORS_ORIGINS env var (TD-017) - seed.py upsert domains+topics on re-run (TD-011) - normalise filter bar CSS → filter-text-input everywhere (TD-016) - add 30.5 avg-days-per-month comment in decisions.md (TD-019) - TD-009, TD-018 already resolved by existing code Closes CUST-WP-0018. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 02:17:04 +01:00
parent cb2c4f9a0c
commit 2d0ce8f943
11 changed files with 98 additions and 40 deletions
--- a/api/main.py
+++ b/api/main.py
@@ -1,3 +1,4 @@
+import os
 from contextlib import asynccontextmanager

 from fastapi import FastAPI
@@ -21,9 +22,12 @@ app = FastAPI(
    lifespan=lifespan,
 )

+_cors_env = os.getenv("CORS_ORIGINS", "http://localhost:3000,http://127.0.0.1:3000")
+_cors_origins = [o.strip() for o in _cors_env.split(",") if o.strip()]
+
 app.add_middleware(
    CORSMiddleware,
-    allow_origins=["http://localhost:3000", "http://127.0.0.1:3000"],
+    allow_origins=_cors_origins,
    allow_methods=["GET", "POST", "PATCH", "DELETE", "PUT"],
    allow_headers=["Content-Type"],
 )
--- a/api/routers/decisions.py
+++ b/api/routers/decisions.py
@@ -1,8 +1,11 @@
+import logging
 import uuid
 from datetime import datetime, timezone
 from pathlib import Path

 from fastapi import APIRouter, Depends, HTTPException, status
+
+logger = logging.getLogger(__name__)
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession

@@ -171,10 +174,12 @@ async def _write_project_log(
                break

    if not project_path:
+        logger.warning("write_log requested but no project_path found for topic %s", decision.topic_id)
        return

    p = Path(project_path)
    if not p.is_dir():
+        logger.warning("write_log requested but project_path does not exist: %s", project_path)
        return

    now = datetime.now(tz=timezone.utc)
--- a/api/routers/progress.py
+++ b/api/routers/progress.py
@@ -20,6 +20,7 @@ async def list_progress(
    event_type: str | None = None,
    since: datetime | None = None,
    limit: int = Query(100, le=1000),
+    offset: int = Query(0, ge=0),
    session: AsyncSession = Depends(get_session),
 ) -> list[ProgressEvent]:
    q = select(ProgressEvent)
@@ -33,7 +34,7 @@ async def list_progress(
        q = q.where(ProgressEvent.event_type == event_type)
    if since:
        q = q.where(ProgressEvent.created_at >= since)
-    q = q.order_by(ProgressEvent.created_at.desc()).limit(limit)
+    q = q.order_by(ProgressEvent.created_at.desc()).offset(offset).limit(limit)
    result = await session.execute(q)
    return list(result.scalars().all())

--- a/api/routers/tasks.py
+++ b/api/routers/tasks.py
@@ -1,4 +1,5 @@
 import uuid
+from datetime import date

 from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlalchemy import select
@@ -17,6 +18,8 @@ async def list_tasks(
    status: TaskStatus | None = None,
    assignee: str | None = None,
    needs_human: bool | None = Query(None),
+    priority: str | None = None,
+    due_date_before: date | None = None,
    session: AsyncSession = Depends(get_session),
 ) -> list[Task]:
    q = select(Task)
@@ -28,6 +31,10 @@ async def list_tasks(
        q = q.where(Task.assignee == assignee)
    if needs_human is not None:
        q = q.where(Task.needs_human == needs_human)
+    if priority:
+        q = q.where(Task.priority == priority)
+    if due_date_before is not None:
+        q = q.where(Task.due_date <= due_date_before)
    q = q.order_by(Task.created_at)
    result = await session.execute(q)
    return list(result.scalars().all())
--- a/api/routers/workstreams.py
+++ b/api/routers/workstreams.py
@@ -17,6 +17,8 @@ async def list_workstreams(
    repo_id: uuid.UUID | None = None,
    repo_goal_id: uuid.UUID | None = None,
    status: WorkstreamStatus | None = None,
+    owner: str | None = None,
+    slug: str | None = None,
    session: AsyncSession = Depends(get_session),
 ) -> list[Workstream]:
    q = select(Workstream)
@@ -28,6 +30,10 @@ async def list_workstreams(
        q = q.where(Workstream.repo_goal_id == repo_goal_id)
    if status:
        q = q.where(Workstream.status == status)
+    if owner:
+        q = q.where(Workstream.owner == owner)
+    if slug:
+        q = q.where(Workstream.slug == slug)
    q = q.order_by(Workstream.updated_at.desc())
    result = await session.execute(q)
    return list(result.scalars().all())