feat(api): CUST-WP-0018 — API hardening & code quality

T01: Fix datetime.utcnow() → datetime.now(tz=timezone.utc) in MCP server
T02: Wrap _get/_post/_patch/_delete with try/except; return error dicts
T03: Log warnings when write_log skips missing project path
T04: Add priority + due_date_before filters to GET /tasks/
T05: Add owner + slug filters to GET /workstreams/
T06: Add offset param to GET /progress/ for proper pagination
T07: Low-severity bundle:
  - CORS origins from CORS_ORIGINS env var (TD-017)
  - seed.py upsert domains+topics on re-run (TD-011)
  - normalise filter bar CSS → filter-text-input everywhere (TD-016)
  - add 30.5 avg-days-per-month comment in decisions.md (TD-019)
  - TD-009, TD-018 already resolved by existing code

Closes CUST-WP-0018.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/routers/decisions.py

@@ -1,8 +1,11 @@
+import logging
 import uuid
 from datetime import datetime, timezone
 from pathlib import Path
 
 from fastapi import APIRouter, Depends, HTTPException, status
+
+logger = logging.getLogger(__name__)
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -171,10 +174,12 @@ async def _write_project_log(
                 break
 
     if not project_path:
+        logger.warning("write_log requested but no project_path found for topic %s", decision.topic_id)
         return
 
     p = Path(project_path)
     if not p.is_dir():
+        logger.warning("write_log requested but project_path does not exist: %s", project_path)
         return
 
     now = datetime.now(tz=timezone.utc)

api/routers/progress.py

@@ -20,6 +20,7 @@ async def list_progress(
     event_type: str | None = None,
     since: datetime | None = None,
     limit: int = Query(100, le=1000),
+    offset: int = Query(0, ge=0),
     session: AsyncSession = Depends(get_session),
 ) -> list[ProgressEvent]:
     q = select(ProgressEvent)
@@ -33,7 +34,7 @@ async def list_progress(
         q = q.where(ProgressEvent.event_type == event_type)
     if since:
         q = q.where(ProgressEvent.created_at >= since)
-    q = q.order_by(ProgressEvent.created_at.desc()).limit(limit)
+    q = q.order_by(ProgressEvent.created_at.desc()).offset(offset).limit(limit)
     result = await session.execute(q)
     return list(result.scalars().all())
 

api/routers/tasks.py

@@ -1,4 +1,5 @@
 import uuid
+from datetime import date
 
 from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlalchemy import select
@@ -17,6 +18,8 @@ async def list_tasks(
     status: TaskStatus | None = None,
     assignee: str | None = None,
     needs_human: bool | None = Query(None),
+    priority: str | None = None,
+    due_date_before: date | None = None,
     session: AsyncSession = Depends(get_session),
 ) -> list[Task]:
     q = select(Task)
@@ -28,6 +31,10 @@ async def list_tasks(
         q = q.where(Task.assignee == assignee)
     if needs_human is not None:
         q = q.where(Task.needs_human == needs_human)
+    if priority:
+        q = q.where(Task.priority == priority)
+    if due_date_before is not None:
+        q = q.where(Task.due_date <= due_date_before)
     q = q.order_by(Task.created_at)
     result = await session.execute(q)
     return list(result.scalars().all())

api/routers/workstreams.py

@@ -17,6 +17,8 @@ async def list_workstreams(
     repo_id: uuid.UUID | None = None,
     repo_goal_id: uuid.UUID | None = None,
     status: WorkstreamStatus | None = None,
+    owner: str | None = None,
+    slug: str | None = None,
     session: AsyncSession = Depends(get_session),
 ) -> list[Workstream]:
     q = select(Workstream)
@@ -28,6 +30,10 @@ async def list_workstreams(
         q = q.where(Workstream.repo_goal_id == repo_goal_id)
     if status:
         q = q.where(Workstream.status == status)
+    if owner:
+        q = q.where(Workstream.owner == owner)
+    if slug:
+        q = q.where(Workstream.slug == slug)
     q = q.order_by(Workstream.updated_at.desc())
     result = await session.execute(q)
     return list(result.scalars().all())