src/app/api/v1/berth-reservations/%5Bid%5D/route.ts

import { withAuth, withPermission } from '@/lib/api/helpers';

import { getHandler, patchHandler, deleteHandler } from './handlers';

export const GET = withAuth(withPermission('reservations', 'view', getHandler));
// PATCH cannot use `withPermission` wrapper — the required permission depends
// on the `action` field in the body. `requirePermission` is called inside the
// handler after the body is parsed.
export const PATCH = withAuth(patchHandler);
export const DELETE = withAuth(withPermission('reservations', 'cancel', deleteHandler));
fix(build): extract route.ts handlers to handlers.ts (CLAUDE.md convention) 8 API route files were exporting handler functions directly from route.ts, which Next.js 15 rejects with "$NAME is not a valid Route export field". Per CLAUDE.md convention, service-tested handler functions live in sibling handlers.ts files and route.ts only re-exports the GET/POST/etc. wrapped in withAuth(withPermission(...)). Discovered during the mobile-foundation Task 24 build validation; the route files predate this branch but the build was never re-run on data-model. Files: - berth-reservations/[id], companies/autocomplete, companies/[id]/members + nested mid/set-primary, yachts/autocomplete, yachts/[id]/transfer, yachts/[id]/ownership-history - Integration tests updated to import from handlers.ts (companies, memberships, reservations, yachts-detail) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-29 15:14:40 +02:00			`import { withAuth, withPermission } from '@/lib/api/helpers';`
feat(api): berth reservations (create pending + lifecycle PATCH) Add Task 3.6 routes: - POST /api/v1/berths/:id/reservations — creates a pending reservation; the URL berthId is authoritative and any body-supplied berthId is ignored. - GET /api/v1/berths/:id/reservations — list filtered by URL berthId. - GET /api/v1/berth-reservations/:id — fetch scoped to tenant. - PATCH /api/v1/berth-reservations/:id — action-based dispatch (activate \| end \| cancel) via a discriminated union. Because the required permission depends on the action, PATCH is wrapped with withAuth only and calls requirePermission inside the handler. - DELETE /api/v1/berth-reservations/:id — alias for cancel (204). Cross-tenant berths return 404 on both POST and GET via an explicit pre-check. Tests cover happy paths, invalid transitions, 404/400/403 cases, the URL-vs-body berthId precedence, and per-action permission gating. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-24 12:55:12 +02:00
fix(build): extract route.ts handlers to handlers.ts (CLAUDE.md convention) 8 API route files were exporting handler functions directly from route.ts, which Next.js 15 rejects with "$NAME is not a valid Route export field". Per CLAUDE.md convention, service-tested handler functions live in sibling handlers.ts files and route.ts only re-exports the GET/POST/etc. wrapped in withAuth(withPermission(...)). Discovered during the mobile-foundation Task 24 build validation; the route files predate this branch but the build was never re-run on data-model. Files: - berth-reservations/[id], companies/autocomplete, companies/[id]/members + nested mid/set-primary, yachts/autocomplete, yachts/[id]/transfer, yachts/[id]/ownership-history - Integration tests updated to import from handlers.ts (companies, memberships, reservations, yachts-detail) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-29 15:14:40 +02:00			`import { getHandler, patchHandler, deleteHandler } from './handlers';`
feat(api): berth reservations (create pending + lifecycle PATCH) Add Task 3.6 routes: - POST /api/v1/berths/:id/reservations — creates a pending reservation; the URL berthId is authoritative and any body-supplied berthId is ignored. - GET /api/v1/berths/:id/reservations — list filtered by URL berthId. - GET /api/v1/berth-reservations/:id — fetch scoped to tenant. - PATCH /api/v1/berth-reservations/:id — action-based dispatch (activate \| end \| cancel) via a discriminated union. Because the required permission depends on the action, PATCH is wrapped with withAuth only and calls requirePermission inside the handler. - DELETE /api/v1/berth-reservations/:id — alias for cancel (204). Cross-tenant berths return 404 on both POST and GET via an explicit pre-check. Tests cover happy paths, invalid transitions, 404/400/403 cases, the URL-vs-body berthId precedence, and per-action permission gating. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-24 12:55:12 +02:00
			`export const GET = withAuth(withPermission('reservations', 'view', getHandler));`
			// PATCH cannot use `withPermission` wrapper — the required permission depends
			// on the `action` field in the body. `requirePermission` is called inside the
			`// handler after the body is parsed.`
			`export const PATCH = withAuth(patchHandler);`
			`export const DELETE = withAuth(withPermission('reservations', 'cancel', deleteHandler));`