feat: wire real agency docket ops and reconcile agency/public rls

brianfunk · brianfunk · commit cc4e90f886d9 · 2026-02-11T08:25:30.000-05:00
diff --git a/docs/plan/M01-schema-and-contract-reconciliation.md b/docs/plan/M01-schema-and-contract-reconciliation.md
@@ -48,3 +48,4 @@ Align database schema/RPC contracts with application code expectations.
 - 2026-02-11: Enabled baseline RLS policies and grants for new tenant-bound tables and RPC execution.
 - 2026-02-11: Added follow-up migration `20260211000200_public_submission_hardening.sql` for `dockets.identity_mode` policy constraints and submission rate-limit indexes.
 - 2026-02-11: Added follow-up migration `20260211000300_api_rate_limiting.sql` for reusable API route throttling primitives (`api_rate_limits`, `check_api_rate_limit`).
+- 2026-02-11: Added follow-up migration `20260211000400_agency_rls_reconciliation.sql` to align dockets/comments/legacy attachments RLS with agency membership and platform role model.
diff --git a/docs/plan/M03-agency-operations.md b/docs/plan/M03-agency-operations.md
@@ -16,7 +16,7 @@ Replace mock agency workflows with real data operations.
 
 - [x] Wire `/agency/users` to real user management page.
 - [x] Remove high-visibility "coming soon" placeholders in core agency routes.
-- [ ] Connect docket pages to real Supabase tables/RPCs.
+- [x] Connect docket pages to real Supabase tables/RPCs.
 - [ ] Ensure moderation queue reads/writes real moderation data.
 
 ## Acceptance criteria
@@ -38,3 +38,5 @@ Replace mock agency workflows with real data operations.
 - 2026-02-11: Updated app routing so `/agency/users` now renders `UserManagement` instead of placeholder content.
 - 2026-02-11: Updated moderation routing and queue behavior so `/agency/moderation/flagged` opens real moderation queue with flagged-tab default selection.
 - 2026-02-11: Replaced public placeholder screens for data access and platform status with implemented content pages.
+- 2026-02-11: Replaced mock data in `src/pages/agency/DocketList.tsx` with real Supabase queries scoped to current agency membership.
+- 2026-02-11: Implemented real docket creation in `src/pages/agency/DocketWizard.tsx` including identity-mode, moderation/captcha settings, and best-effort supporting document persistence.
diff --git a/docs/plan/M04-public-commenting-workflow.md b/docs/plan/M04-public-commenting-workflow.md
@@ -16,7 +16,7 @@ Deliver complete public submission workflow with configurable identity policy.
 
 - [x] Add per-docket identity mode setting.
 - [x] Enforce submission mode in backend logic.
-- [ ] Complete upload + attachment record consistency.
+- [x] Complete upload + attachment record consistency.
 - [x] Ensure deterministic submission status creation.
 
 ## Acceptance criteria
@@ -38,3 +38,4 @@ Deliver complete public submission workflow with configurable identity policy.
 - 2026-02-11: Added migration `20260211000200_public_submission_hardening.sql` introducing `dockets.identity_mode` with enforced allowed values and rate-limit indexes for comments.
 - 2026-02-11: Added edge function `supabase/functions/submit-comment/index.ts` for server-side comment submission with hCaptcha verification, identity-mode enforcement, per-docket limits, IP rate limiting, and deterministic status assignment.
 - 2026-02-11: Updated `src/pages/public/CommentWizard.tsx` to submit through server function, enforce per-docket identity requirements in UX/validation, and support authenticated-required dockets without hardcoded global login redirects.
+- 2026-02-11: Hardened attachment lifecycle in `src/pages/public/CommentWizard.tsx` by removing uploaded files from storage when metadata insert fails, preventing orphaned attachment objects.
diff --git a/src/pages/agency/DocketList.tsx b/src/pages/agency/DocketList.tsx
@@ -1,24 +1,24 @@
 import React, { useState, useEffect } from 'react'
-import { Link } from 'react-router-dom'
+import { Link, useNavigate } from 'react-router-dom'
 import { usePermissions } from '../../hooks/usePermissions'
 import { useAgency } from '../../contexts/AgencyContext'
 import { PermissionButton } from '../../components/PermissionGate'
+import { supabase } from '../../lib/supabase'
 import { 
   Search, 
   Filter, 
   Plus, 
   Calendar, 
   MessageSquare, 
   Clock,
-  Archive,
   Eye,
   Edit3
 } from 'lucide-react'
 
 interface Docket {
   id: string
   title: string
-  status: 'open' | 'closed' | 'archived'
+  status: 'draft' | 'open' | 'closed' | 'archived'
   open_date: string
   close_date?: string
   comment_count: number
@@ -29,57 +29,68 @@ interface Docket {
 type AriaSortValue = 'none' | 'ascending' | 'descending'
 
 const DocketList = () => {
+  const navigate = useNavigate()
   const { currentAgency } = useAgency()
   const { hasPermission } = usePermissions(currentAgency?.id)
   const [dockets, setDockets] = useState<Docket[]>([])
   const [loading, setLoading] = useState(true)
   const [searchQuery, setSearchQuery] = useState('')
-  const [statusFilter, setStatusFilter] = useState<'all' | 'open' | 'closed' | 'archived'>('all')
+  const [statusFilter, setStatusFilter] = useState<'all' | 'draft' | 'open' | 'closed' | 'archived'>('all')
   const [currentPage, setCurrentPage] = useState(1)
   const [sortField, setSortField] = useState<keyof Docket>('last_activity')
   const [sortDirection, setSortDirection] = useState<'asc' | 'desc'>('desc')
 
-  // TODO: Replace with actual API call
   useEffect(() => {
     const fetchDockets = async () => {
+      if (!currentAgency?.id) {
+        setDockets([])
+        setLoading(false)
+        return
+      }
+
       setLoading(true)
       try {
-        // Mock data - replace with actual supabase query
-        const mockDockets: Docket[] = [
-          {
-            id: '1',
-            title: 'Downtown Parking Regulations Update',
-            status: 'open',
-            open_date: '2024-01-15T09:00:00Z',
-            close_date: '2024-02-15T17:00:00Z',
-            comment_count: 23,
-            last_activity: '2024-01-20T14:30:00Z',
-            created_by: 'current_user'
-          },
-          {
-            id: '2',
-            title: 'City Budget 2024 Public Review',
-            status: 'open',
-            open_date: '2024-01-10T08:00:00Z',
-            close_date: '2024-02-10T23:59:00Z',
-            comment_count: 156,
-            last_activity: '2024-01-21T11:15:00Z',
-            created_by: 'other_user'
-          },
-          {
-            id: '3',
-            title: 'New Housing Development Proposal',
-            status: 'closed',
-            open_date: '2023-12-01T09:00:00Z',
-            close_date: '2023-12-31T17:00:00Z',
-            comment_count: 89,
-            last_activity: '2023-12-31T16:45:00Z',
-            created_by: 'current_user'
+        const { data, error } = await supabase
+          .from('dockets')
+          .select(`
+            id,
+            title,
+            status,
+            open_at,
+            close_at,
+            created_at,
+            updated_at,
+            created_by,
+            comments (count)
+          `)
+          .eq('agency_id', currentAgency.id)
+          .is('deleted_at', null)
+          .order('updated_at', { ascending: false })
+
+        if (error) {
+          throw error
+        }
+
+        const formatted = (data || []).map((docket) => {
+          const countRelation = Array.isArray(docket.comments) ? docket.comments[0] : docket.comments
+          const commentCount = typeof countRelation?.count === 'number' ? countRelation.count : 0
+
+          return {
+            id: docket.id,
+            title: docket.title,
+            status: (docket.status || 'draft') as Docket['status'],
+            open_date: docket.open_at || docket.created_at,
+            close_date: docket.close_at || undefined,
+            comment_count: commentCount,
+            last_activity: docket.updated_at || docket.created_at,
+            created_by: docket.created_by || ''
           }
-        ]
-        setDockets(mockDockets)
+        })
+
+        setDockets(formatted)
       } catch (error) {
         console.error('Error fetching dockets:', error)
+        setDockets([])
       } finally {
         setLoading(false)
       }
@@ -90,8 +101,7 @@ const DocketList = () => {
 
   const handleSearch = (e: React.FormEvent) => {
     e.preventDefault()
-    // TODO: Implement search functionality
-    console.log('Searching for:', searchQuery)
+    setCurrentPage(1)
   }
 
   const handleSort = (field: keyof Docket) => {
@@ -119,6 +129,8 @@ const DocketList = () => {
         return `${baseClasses} bg-red-100 text-red-800`
       case 'archived':
         return `${baseClasses} bg-gray-100 text-gray-800`
+      case 'draft':
+        return `${baseClasses} bg-yellow-100 text-yellow-800`
       default:
         return `${baseClasses} bg-gray-100 text-gray-800`
     }
@@ -177,6 +189,7 @@ const DocketList = () => {
         </div>
         <PermissionButton
           permission="create_thread"
+          onClick={() => navigate('/agency/dockets/new')}
           className="inline-flex items-center px-4 py-2 text-sm font-medium text-white bg-blue-700 rounded-md hover:bg-blue-800 transition-colors"
         >
           <Plus className="w-4 h-4 mr-2" />
@@ -213,11 +226,12 @@ const DocketList = () => {
                 </div>
                 <select
                   value={statusFilter}
-                  onChange={(e) => setStatusFilter(e.target.value as any)}
+                  onChange={(e) => setStatusFilter(e.target.value as 'all' | 'draft' | 'open' | 'closed' | 'archived')}
                   className="block w-full pl-10 pr-8 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent"
                   aria-label="Filter by status"
                 >
                   <option value="all">All Status</option>
+                  <option value="draft">Draft</option>
                   <option value="open">Open</option>
                   <option value="closed">Closed</option>
                   <option value="archived">Archived</option>
@@ -245,6 +259,7 @@ const DocketList = () => {
             {(!searchQuery && statusFilter === 'all') && (
               <PermissionButton
                 permission="create_thread"
+                onClick={() => navigate('/agency/dockets/new')}
                 className="inline-flex items-center px-4 py-2 text-sm font-medium text-white bg-blue-700 rounded-md hover:bg-blue-800 transition-colors"
               >
                 <Plus className="w-4 h-4 mr-2" />
diff --git a/src/pages/agency/DocketWizard.tsx b/src/pages/agency/DocketWizard.tsx
@@ -1,6 +1,7 @@
 import React, { useState } from 'react'
 import { useNavigate } from 'react-router-dom'
 import { useAgency } from '../../contexts/AgencyContext'
+import { supabase } from '../../lib/supabase'
 import { 
   ChevronLeft, 
   ChevronRight, 
@@ -164,17 +165,103 @@ const DocketWizard = () => {
 
   const handleSubmit = async () => {
     if (!validateStep(3)) return
+    if (!currentAgency?.id) {
+      setErrors({ submit: 'No agency selected. Please choose an agency and try again.' })
+      return
+    }
 
     setIsSubmitting(true)
     try {
-      // TODO: Submit to backend API
-      console.log('Submitting docket:', formData)
-      
-      // Mock API delay
-      await new Promise(resolve => setTimeout(resolve, 2000))
-      
-      // Navigate to the new docket detail page
-      navigate('/agency/dockets/new-docket-id')
+      const extensionToMime: Record<string, string> = {
+        pdf: 'application/pdf',
+        doc: 'application/msword',
+        docx: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+        txt: 'text/plain',
+        jpg: 'image/jpeg',
+        jpeg: 'image/jpeg',
+        png: 'image/png',
+        gif: 'image/gif'
+      }
+
+      const openAt = new Date(`${formData.openDate}T${formData.openTime || '00:00'}`).toISOString()
+      const closeAt = formData.closeDate
+        ? new Date(`${formData.closeDate}T${formData.closeTime || '23:59'}`).toISOString()
+        : null
+      const nowIso = new Date().toISOString()
+
+      const docketStatus = openAt <= nowIso ? 'open' : 'draft'
+      const allowedMimeTypes = formData.allowedFileTypes
+        .map((ext) => extensionToMime[ext])
+        .filter(Boolean)
+
+      const docketPayload = {
+        agency_id: currentAgency.id,
+        title: formData.title.trim(),
+        summary: formData.summary.trim(),
+        description: formData.summary.trim(),
+        slug: formData.urlSlug.trim(),
+        reference_code: formData.referenceCode.trim() || null,
+        tags: formData.tags,
+        status: docketStatus,
+        open_at: openAt,
+        close_at: closeAt,
+        comment_deadline: closeAt,
+        max_file_size_mb: formData.maxFileSize,
+        allowed_file_types: formData.allowedFileTypes,
+        allowed_mime_types: allowedMimeTypes,
+        require_captcha: formData.requireCaptcha,
+        identity_mode: formData.identityMode,
+        auto_publish: formData.autoPublish,
+        uploads_enabled: true
+      }
+
+      const { data: newDocket, error: createError } = await supabase
+        .from('dockets')
+        .insert(docketPayload)
+        .select('id')
+        .single()
+
+      if (createError || !newDocket) {
+        throw createError || new Error('Failed to create docket')
+      }
+
+      let failedDocUploads = 0
+      for (const file of formData.supportingDocs) {
+        const fileExtension = file.name.split('.').pop() || 'bin'
+        const safeName = file.name.replace(/[^a-zA-Z0-9._-]/g, '_')
+        const fileName = `${crypto.randomUUID()}-${safeName}`
+        const filePath = `agency/${currentAgency.id}/dockets/${newDocket.id}/${fileName}`
+
+        const { error: uploadError } = await supabase.storage
+          .from('agency-assets')
+          .upload(filePath, file, { upsert: false })
+
+        if (uploadError) {
+          failedDocUploads += 1
+          continue
+        }
+
+        const { error: metadataError } = await supabase
+          .from('attachments')
+          .insert({
+            docket_id: newDocket.id,
+            file_path: filePath,
+            file_type: file.type || extensionToMime[fileExtension] || 'application/octet-stream',
+            file_size: file.size
+          })
+
+        if (metadataError) {
+          failedDocUploads += 1
+          await supabase.storage.from('agency-assets').remove([filePath])
+        }
+      }
+
+      if (failedDocUploads > 0) {
+        navigate(`/agency/dockets/${newDocket.id}?upload_warnings=${failedDocUploads}`)
+        return
+      }
+
+      navigate(`/agency/dockets/${newDocket.id}`)
     } catch (error) {
       console.error('Error creating docket:', error)
       setErrors({ submit: 'Failed to create docket. Please try again.' })
diff --git a/src/pages/public/CommentWizard.tsx b/src/pages/public/CommentWizard.tsx
@@ -318,7 +318,9 @@ const CommentWizard = () => {
       const commentId = submitResult.data.comment_id as string;
       const trackingId = (submitResult.data.tracking_id as string) || `CMT-${Date.now().toString(36).toUpperCase()}`;
 
-      // Upload files if any
+      // Upload files if any. Keep storage and DB metadata consistent by cleaning up
+      // uploaded objects when metadata persistence fails.
+      let failedAttachmentCount = 0
       if (formData.files.length > 0) {
         for (const file of formData.files) {
           const fileExtension = file.name.split('.').pop();
@@ -332,6 +334,7 @@ const CommentWizard = () => {
 
           if (uploadError) {
             console.error('File upload error:', uploadError);
+            failedAttachmentCount += 1
             continue;
           }
 
@@ -341,7 +344,7 @@ const CommentWizard = () => {
             .getPublicUrl(filePath);
 
           // Save attachment record
-          await supabase
+          const { error: attachmentError } = await supabase
             .from('comment_attachments')
             .insert({
               comment_id: commentId,
@@ -351,10 +354,22 @@ const CommentWizard = () => {
               file_size: file.size,
               mime_type: file.type
             });
+
+          if (attachmentError) {
+            failedAttachmentCount += 1
+            await supabase.storage
+              .from('comment-attachments')
+              .remove([filePath])
+          }
         }
       }
 
       // Redirect to thank you page
+      if (failedAttachmentCount > 0) {
+        navigate(`/thank-you?tracking=${trackingId}&attachment_warnings=${failedAttachmentCount}`);
+        return
+      }
+
       navigate(`/thank-you?tracking=${trackingId}`);
 
     } catch (err) {
diff --git a/supabase/migrations/20260211000400_agency_rls_reconciliation.sql b/supabase/migrations/20260211000400_agency_rls_reconciliation.sql
