chore: merge main into release for new releases

tofikwest · tofikwest · commit dc70c443da32 · 2026-02-27T11:52:20.000-05:00
diff --git a/apps/api/src/tasks/tasks.controller.ts b/apps/api/src/tasks/tasks.controller.ts
@@ -50,6 +50,22 @@ export class TasksController {
     private readonly attachmentsService: AttachmentsService,
   ) {}
 
+  private async resolveTaskMutationUserId(
+    authContext: AuthContextType,
+    organizationId: string,
+    missingUserMessage: string,
+  ): Promise<string> {
+    if (authContext.userId) {
+      return authContext.userId;
+    }
+
+    if (authContext.isApiKey) {
+      return this.tasksService.getApiKeyActorUserId(organizationId);
+    }
+
+    throw new BadRequestException(missingUserMessage);
+  }
+
   // ==================== TASKS ====================
 
   @Get()
@@ -171,13 +187,11 @@ export class TasksController {
       }
     }
 
-    // Get userId from auth context
-    if (!authContext.userId) {
-      throw new BadRequestException(
-        'User ID is required. Bulk operations require authenticated user session.',
-      );
-    }
-    const userId = authContext.userId;
+    const userId = await this.resolveTaskMutationUserId(
+      authContext,
+      organizationId,
+      'User ID is required. Bulk operations require authenticated user session.',
+    );
 
     return await this.tasksService.updateTasksStatus(
       organizationId,
@@ -241,13 +255,11 @@ export class TasksController {
       throw new BadRequestException('taskIds must be a non-empty array');
     }
 
-    // Get userId from auth context
-    if (!authContext.userId) {
-      throw new BadRequestException(
-        'User ID is required. Bulk operations require authenticated user session.',
-      );
-    }
-    const userId = authContext.userId;
+    const userId = await this.resolveTaskMutationUserId(
+      authContext,
+      organizationId,
+      'User ID is required. Bulk operations require authenticated user session.',
+    );
 
     return await this.tasksService.updateTasksAssignee(
       organizationId,
@@ -517,13 +529,11 @@ export class TasksController {
       reviewDate?: string;
     },
   ): Promise<TaskResponseDto> {
-    // Get userId from auth context
-    if (!authContext.userId) {
-      throw new BadRequestException(
-        'User ID is required. Task updates require authenticated user session.',
-      );
-    }
-    const userId = authContext.userId;
+    const userId = await this.resolveTaskMutationUserId(
+      authContext,
+      organizationId,
+      'User ID is required. Task updates require authenticated user session.',
+    );
 
     let parsedReviewDate: Date | null | undefined;
     if (body.reviewDate !== undefined) {
diff --git a/apps/api/src/tasks/tasks.service.ts b/apps/api/src/tasks/tasks.service.ts
@@ -12,6 +12,37 @@ import { TaskNotifierService } from './task-notifier.service';
 export class TasksService {
   constructor(private readonly taskNotifierService: TaskNotifierService) {}
 
+  /**
+   * Resolve a user actor for API-key authenticated requests.
+   * We attribute changes to an active organization owner to preserve audit trail requirements.
+   */
+  async getApiKeyActorUserId(organizationId: string): Promise<string> {
+    const ownerMember = await db.member.findFirst({
+      where: {
+        organizationId,
+        deactivated: false,
+        isActive: true,
+        role: {
+          contains: 'owner',
+        },
+      },
+      orderBy: {
+        createdAt: 'asc',
+      },
+      select: {
+        userId: true,
+      },
+    });
+
+    if (!ownerMember?.userId) {
+      throw new BadRequestException(
+        'No active organization owner found. API key task updates require an active owner member.',
+      );
+    }
+
+    return ownerMember.userId;
+  }
+
   /**
    * Get all tasks for an organization
    */
