src/app/api/v1/clients/bulk/route.ts

import { NextResponse } from 'next/server';
import { z } from 'zod';
import { eq, and } from 'drizzle-orm';

import { withAuth } from '@/lib/api/helpers';
import { parseBody } from '@/lib/api/route-helpers';
import { runBulk } from '@/lib/api/bulk-helpers';
import { db } from '@/lib/db';
import { clients, clientTags } from '@/lib/db/schema/clients';
import { setClientTags } from '@/lib/services/clients.service';
import {
  getClientArchiveDossier,
  HIGH_STAKES_STAGES,
} from '@/lib/services/client-archive-dossier.service';
import { archiveClientWithDecisions } from '@/lib/services/client-archive.service';
import { errorResponse } from '@/lib/errors';
import type { PipelineStage } from '@/lib/constants';

const bulkSchema = z.discriminatedUnion('action', [
  z.object({
    action: z.literal('archive'),
    ids: z.array(z.string().min(1)).min(1).max(100),
  }),
  z.object({
    action: z.literal('add_tag'),
    ids: z.array(z.string().min(1)).min(1).max(100),
    tagId: z.string().min(1),
  }),
  z.object({
    action: z.literal('remove_tag'),
    ids: z.array(z.string().min(1)).min(1).max(100),
    tagId: z.string().min(1),
  }),
]);

const PERMISSION_BY_ACTION = {
  archive: 'delete' as const,
  add_tag: 'edit' as const,
  remove_tag: 'edit' as const,
};

export const POST = withAuth(async (req, ctx) => {
  let body: z.infer<typeof bulkSchema>;
  try {
    body = await parseBody(req, bulkSchema);
  } catch (error) {
    return errorResponse(error);
  }

  const allowed = ctx.isSuperAdmin
    ? true
    : !!ctx.permissions?.clients?.[PERMISSION_BY_ACTION[body.action]];
  if (!allowed) return NextResponse.json({ error: 'Forbidden' }, { status: 403 });

  const meta = {
    userId: ctx.userId,
    portId: ctx.portId,
    ipAddress: ctx.ipAddress,
    userAgent: ctx.userAgent,
  };

  const { results, summary } = await runBulk(body.ids, async (id) => {
    if (body.action === 'archive') {
      // Bulk archive uses the smart-archive backend with sensible
      // low-stakes defaults: release available/under-offer berths,
      // retain sold ones, cancel active reservations, leave invoices,
      // leave Documenso envelopes pending. High-stakes clients are
      // refused — the operator must use the single-client smart dialog
      // for those (which captures the per-client reason + decisions).
      const dossier = await getClientArchiveDossier(id, ctx.portId);
      if (dossier.stakeLevel === 'high') {
        throw new Error(
          `Client at ${dossier.highStakesStage} requires individual archive (open the client to confirm + supply a reason).`,
        );
      }
      if (dossier.blockers.length > 0) {
        throw new Error(`Cannot archive: ${dossier.blockers[0]}`);
      }
      const hasSignedDocs = dossier.documents.some(
        (d) => d.status === 'completed' || d.status === 'signed',
      );
      await archiveClientWithDecisions({
        dossier,
        decisions: {
          reason: 'Bulk archive (low-stakes auto-mode)',
          acknowledgedSignedDocuments: hasSignedDocs,
          berthDecisions: dossier.berths.map((b) => ({
            berthId: b.berthId,
            interestId:
              dossier.interests.find((i) => i.primaryBerthMooring === b.mooringNumber)
                ?.interestId ??
              dossier.interests[0]?.interestId ??
              '',
            action: b.status === 'sold' ? 'retain' : 'release',
          })),
          yachtDecisions: dossier.yachts.map((y) => ({ yachtId: y.yachtId, action: 'retain' })),
          reservationDecisions: dossier.reservations.map((r) => ({
            reservationId: r.reservationId,
            action: 'cancel',
          })),
          invoiceDecisions: dossier.invoices.map((i) => ({
            invoiceId: i.invoiceId,
            action: 'leave',
          })),
          documentDecisions: dossier.documents.map((d) => ({
            documentId: d.documentId,
            action: 'leave',
          })),
        },
        meta,
      });
      return;
    }
    const client = await db.query.clients.findFirst({
      where: and(eq(clients.id, id), eq(clients.portId, ctx.portId)),
    });
    if (!client) throw new Error('Client not found');
    const existing = await db
      .select({ tagId: clientTags.tagId })
      .from(clientTags)
      .where(eq(clientTags.clientId, id));
    const current = new Set(existing.map((t) => t.tagId));
    if (body.action === 'add_tag') current.add(body.tagId);
    else current.delete(body.tagId);
    await setClientTags(id, ctx.portId, Array.from(current), meta);
  });

  return NextResponse.json({ data: { results, summary } });
});

// Suppress unused-import warning when the helper isn't referenced after
// future refactors strip the local archive call.
void HIGH_STAKES_STAGES;
void ({} as PipelineStage);
feat(bulk): synchronous bulk action endpoints + UI on interests/clients/yachts Until now the only bulk action anywhere was Archive on the interests list — implemented as parallel fan-out with no per-row failure reporting. The bulk BullMQ worker was a TODO stub with no producers. - bulk-helpers.runBulk wraps a per-row loop and returns {results, summary} for the caller. Page-size capped at 100. - New endpoints: /api/v1/{interests,clients,yachts,companies}/bulk with a Zod discriminated union over the action. Interests support change_stage + add_tag + remove_tag + archive; clients/yachts/companies support archive + add_tag + remove_tag. Each action is permission-gated individually (delete vs edit vs change_stage). - interest-list, client-list, yacht-list expose the new actions in the bulk-action toolbar with dialogs for stage / tag selection. Failure summaries surface via window.confirm. - bulkWorker stub gets a docblock explaining the v1 sync-only choice and what the queue is reserved for (CSV imports, port-wide migrations, bulk emails to >100 recipients). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 14:58:34 +02:00			`import { NextResponse } from 'next/server';`
			`import { z } from 'zod';`
			`import { eq, and } from 'drizzle-orm';`

			`import { withAuth } from '@/lib/api/helpers';`
			`import { parseBody } from '@/lib/api/route-helpers';`
			`import { runBulk } from '@/lib/api/bulk-helpers';`
			`import { db } from '@/lib/db';`
			`import { clients, clientTags } from '@/lib/db/schema/clients';`
feat(client-archive): bulk-archive uses smart backend (low-stakes auto, high-stakes blocked) The new smart-archive backend (d07f1ed) is now wired to the existing bulk-archive endpoint. Previously /api/v1/clients/bulk just called the legacy archiveClient — bypassing the dossier and the per-client decisions. That's now a regression hazard: a power-user could bulk- archive a client mid-deposit with no audit trail. New behaviour: - bulk action='archive' fetches the dossier per client. - Low-stakes clients (open through eoi_signed) auto-archive with the same default decisions the single-client modal would pick: release available/under-offer berths, retain sold berths, cancel active reservations, leave invoices, leave Documenso envelopes pending, acknowledge signed documents inline. - High-stakes clients (deposit_10pct and beyond) refuse with a clear message: "open the client to confirm + supply a reason". The bulk summary surfaces the failure per row so the user knows which clients need individual handling. - Pre-flight blocker check (e.g. active reservation on a sold berth) also rejects with a per-row error instead of crashing. The proper "bulk wizard" UI (per-high-stakes-client confirmation panel with reason fields) is still TODO — this commit just makes the existing button safe. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 18:32:30 +02:00			`import { setClientTags } from '@/lib/services/clients.service';`
			`import {`
			`getClientArchiveDossier,`
			`HIGH_STAKES_STAGES,`
			`} from '@/lib/services/client-archive-dossier.service';`
			`import { archiveClientWithDecisions } from '@/lib/services/client-archive.service';`
feat(bulk): synchronous bulk action endpoints + UI on interests/clients/yachts Until now the only bulk action anywhere was Archive on the interests list — implemented as parallel fan-out with no per-row failure reporting. The bulk BullMQ worker was a TODO stub with no producers. - bulk-helpers.runBulk wraps a per-row loop and returns {results, summary} for the caller. Page-size capped at 100. - New endpoints: /api/v1/{interests,clients,yachts,companies}/bulk with a Zod discriminated union over the action. Interests support change_stage + add_tag + remove_tag + archive; clients/yachts/companies support archive + add_tag + remove_tag. Each action is permission-gated individually (delete vs edit vs change_stage). - interest-list, client-list, yacht-list expose the new actions in the bulk-action toolbar with dialogs for stage / tag selection. Failure summaries surface via window.confirm. - bulkWorker stub gets a docblock explaining the v1 sync-only choice and what the queue is reserved for (CSV imports, port-wide migrations, bulk emails to >100 recipients). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 14:58:34 +02:00			`import { errorResponse } from '@/lib/errors';`
feat(client-archive): bulk-archive uses smart backend (low-stakes auto, high-stakes blocked) The new smart-archive backend (d07f1ed) is now wired to the existing bulk-archive endpoint. Previously /api/v1/clients/bulk just called the legacy archiveClient — bypassing the dossier and the per-client decisions. That's now a regression hazard: a power-user could bulk- archive a client mid-deposit with no audit trail. New behaviour: - bulk action='archive' fetches the dossier per client. - Low-stakes clients (open through eoi_signed) auto-archive with the same default decisions the single-client modal would pick: release available/under-offer berths, retain sold berths, cancel active reservations, leave invoices, leave Documenso envelopes pending, acknowledge signed documents inline. - High-stakes clients (deposit_10pct and beyond) refuse with a clear message: "open the client to confirm + supply a reason". The bulk summary surfaces the failure per row so the user knows which clients need individual handling. - Pre-flight blocker check (e.g. active reservation on a sold berth) also rejects with a per-row error instead of crashing. The proper "bulk wizard" UI (per-high-stakes-client confirmation panel with reason fields) is still TODO — this commit just makes the existing button safe. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 18:32:30 +02:00			`import type { PipelineStage } from '@/lib/constants';`
feat(bulk): synchronous bulk action endpoints + UI on interests/clients/yachts Until now the only bulk action anywhere was Archive on the interests list — implemented as parallel fan-out with no per-row failure reporting. The bulk BullMQ worker was a TODO stub with no producers. - bulk-helpers.runBulk wraps a per-row loop and returns {results, summary} for the caller. Page-size capped at 100. - New endpoints: /api/v1/{interests,clients,yachts,companies}/bulk with a Zod discriminated union over the action. Interests support change_stage + add_tag + remove_tag + archive; clients/yachts/companies support archive + add_tag + remove_tag. Each action is permission-gated individually (delete vs edit vs change_stage). - interest-list, client-list, yacht-list expose the new actions in the bulk-action toolbar with dialogs for stage / tag selection. Failure summaries surface via window.confirm. - bulkWorker stub gets a docblock explaining the v1 sync-only choice and what the queue is reserved for (CSV imports, port-wide migrations, bulk emails to >100 recipients). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 14:58:34 +02:00
			`const bulkSchema = z.discriminatedUnion('action', [`
			`z.object({`
			`action: z.literal('archive'),`
			`ids: z.array(z.string().min(1)).min(1).max(100),`
			`}),`
			`z.object({`
			`action: z.literal('add_tag'),`
			`ids: z.array(z.string().min(1)).min(1).max(100),`
			`tagId: z.string().min(1),`
			`}),`
			`z.object({`
			`action: z.literal('remove_tag'),`
			`ids: z.array(z.string().min(1)).min(1).max(100),`
			`tagId: z.string().min(1),`
			`}),`
			`]);`

			`const PERMISSION_BY_ACTION = {`
			`archive: 'delete' as const,`
			`add_tag: 'edit' as const,`
			`remove_tag: 'edit' as const,`
			`};`

			`export const POST = withAuth(async (req, ctx) => {`
			`let body: z.infer<typeof bulkSchema>;`
			`try {`
			`body = await parseBody(req, bulkSchema);`
			`} catch (error) {`
			`return errorResponse(error);`
			`}`

			`const allowed = ctx.isSuperAdmin`
			`? true`
			`: !!ctx.permissions?.clients?.[PERMISSION_BY_ACTION[body.action]];`
			`if (!allowed) return NextResponse.json({ error: 'Forbidden' }, { status: 403 });`

			`const meta = {`
			`userId: ctx.userId,`
			`portId: ctx.portId,`
			`ipAddress: ctx.ipAddress,`
			`userAgent: ctx.userAgent,`
			`};`

			`const { results, summary } = await runBulk(body.ids, async (id) => {`
			`if (body.action === 'archive') {`
feat(client-archive): bulk-archive uses smart backend (low-stakes auto, high-stakes blocked) The new smart-archive backend (d07f1ed) is now wired to the existing bulk-archive endpoint. Previously /api/v1/clients/bulk just called the legacy archiveClient — bypassing the dossier and the per-client decisions. That's now a regression hazard: a power-user could bulk- archive a client mid-deposit with no audit trail. New behaviour: - bulk action='archive' fetches the dossier per client. - Low-stakes clients (open through eoi_signed) auto-archive with the same default decisions the single-client modal would pick: release available/under-offer berths, retain sold berths, cancel active reservations, leave invoices, leave Documenso envelopes pending, acknowledge signed documents inline. - High-stakes clients (deposit_10pct and beyond) refuse with a clear message: "open the client to confirm + supply a reason". The bulk summary surfaces the failure per row so the user knows which clients need individual handling. - Pre-flight blocker check (e.g. active reservation on a sold berth) also rejects with a per-row error instead of crashing. The proper "bulk wizard" UI (per-high-stakes-client confirmation panel with reason fields) is still TODO — this commit just makes the existing button safe. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 18:32:30 +02:00			`// Bulk archive uses the smart-archive backend with sensible`
			`// low-stakes defaults: release available/under-offer berths,`
			`// retain sold ones, cancel active reservations, leave invoices,`
			`// leave Documenso envelopes pending. High-stakes clients are`
			`// refused — the operator must use the single-client smart dialog`
			`// for those (which captures the per-client reason + decisions).`
			`const dossier = await getClientArchiveDossier(id, ctx.portId);`
			`if (dossier.stakeLevel === 'high') {`
			`throw new Error(`
			`Client at ${dossier.highStakesStage} requires individual archive (open the client to confirm + supply a reason).`,
			`);`
			`}`
			`if (dossier.blockers.length > 0) {`
			throw new Error(`Cannot archive: ${dossier.blockers[0]}`);
			`}`
			`const hasSignedDocs = dossier.documents.some(`
			`(d) => d.status === 'completed' \|\| d.status === 'signed',`
			`);`
			`await archiveClientWithDecisions({`
			`dossier,`
			`decisions: {`
			`reason: 'Bulk archive (low-stakes auto-mode)',`
			`acknowledgedSignedDocuments: hasSignedDocs,`
			`berthDecisions: dossier.berths.map((b) => ({`
			`berthId: b.berthId,`
			`interestId:`
			`dossier.interests.find((i) => i.primaryBerthMooring === b.mooringNumber)`
			`?.interestId ??`
			`dossier.interests[0]?.interestId ??`
			`'',`
			`action: b.status === 'sold' ? 'retain' : 'release',`
			`})),`
			`yachtDecisions: dossier.yachts.map((y) => ({ yachtId: y.yachtId, action: 'retain' })),`
			`reservationDecisions: dossier.reservations.map((r) => ({`
			`reservationId: r.reservationId,`
			`action: 'cancel',`
			`})),`
			`invoiceDecisions: dossier.invoices.map((i) => ({`
			`invoiceId: i.invoiceId,`
			`action: 'leave',`
			`})),`
			`documentDecisions: dossier.documents.map((d) => ({`
			`documentId: d.documentId,`
			`action: 'leave',`
			`})),`
			`},`
			`meta,`
			`});`
feat(bulk): synchronous bulk action endpoints + UI on interests/clients/yachts Until now the only bulk action anywhere was Archive on the interests list — implemented as parallel fan-out with no per-row failure reporting. The bulk BullMQ worker was a TODO stub with no producers. - bulk-helpers.runBulk wraps a per-row loop and returns {results, summary} for the caller. Page-size capped at 100. - New endpoints: /api/v1/{interests,clients,yachts,companies}/bulk with a Zod discriminated union over the action. Interests support change_stage + add_tag + remove_tag + archive; clients/yachts/companies support archive + add_tag + remove_tag. Each action is permission-gated individually (delete vs edit vs change_stage). - interest-list, client-list, yacht-list expose the new actions in the bulk-action toolbar with dialogs for stage / tag selection. Failure summaries surface via window.confirm. - bulkWorker stub gets a docblock explaining the v1 sync-only choice and what the queue is reserved for (CSV imports, port-wide migrations, bulk emails to >100 recipients). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 14:58:34 +02:00			`return;`
			`}`
			`const client = await db.query.clients.findFirst({`
			`where: and(eq(clients.id, id), eq(clients.portId, ctx.portId)),`
			`});`
			`if (!client) throw new Error('Client not found');`
			`const existing = await db`
			`.select({ tagId: clientTags.tagId })`
			`.from(clientTags)`
			`.where(eq(clientTags.clientId, id));`
			`const current = new Set(existing.map((t) => t.tagId));`
			`if (body.action === 'add_tag') current.add(body.tagId);`
			`else current.delete(body.tagId);`
			`await setClientTags(id, ctx.portId, Array.from(current), meta);`
			`});`

			`return NextResponse.json({ data: { results, summary } });`
			`});`
feat(client-archive): bulk-archive uses smart backend (low-stakes auto, high-stakes blocked) The new smart-archive backend (d07f1ed) is now wired to the existing bulk-archive endpoint. Previously /api/v1/clients/bulk just called the legacy archiveClient — bypassing the dossier and the per-client decisions. That's now a regression hazard: a power-user could bulk- archive a client mid-deposit with no audit trail. New behaviour: - bulk action='archive' fetches the dossier per client. - Low-stakes clients (open through eoi_signed) auto-archive with the same default decisions the single-client modal would pick: release available/under-offer berths, retain sold berths, cancel active reservations, leave invoices, leave Documenso envelopes pending, acknowledge signed documents inline. - High-stakes clients (deposit_10pct and beyond) refuse with a clear message: "open the client to confirm + supply a reason". The bulk summary surfaces the failure per row so the user knows which clients need individual handling. - Pre-flight blocker check (e.g. active reservation on a sold berth) also rejects with a per-row error instead of crashing. The proper "bulk wizard" UI (per-high-stakes-client confirmation panel with reason fields) is still TODO — this commit just makes the existing button safe. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-06 18:32:30 +02:00
			`// Suppress unused-import warning when the helper isn't referenced after`
			`// future refactors strip the local archive call.`
			`void HIGH_STAKES_STAGES;`
			`void ({} as PipelineStage);`