src/app/api/v1/expenses/%5Bid%5D/merge/route.ts

import { NextResponse } from 'next/server';
import { z } from 'zod';

import { withAuth, withPermission } from '@/lib/api/helpers';
import { parseBody } from '@/lib/api/route-helpers';
import { errorResponse } from '@/lib/errors';
import { mergeDuplicate } from '@/lib/services/expense-dedup.service';

const mergeSchema = z.object({
  /** Surviving expense id — typically the row's existing `duplicateOf` pointer. */
  targetId: z.string().min(1),
});

export const POST = withAuth(
  withPermission('expenses', 'edit', async (req, ctx, params) => {
    try {
      const sourceId = params.id;
      if (!sourceId) {
        return NextResponse.json({ error: 'Missing id' }, { status: 400 });
      }
      const body = await parseBody(req, mergeSchema);
      await mergeDuplicate(sourceId, body.targetId, ctx.portId);
      return NextResponse.json({ ok: true });
    } catch (error) {
      return errorResponse(error);
    }
  }),
);
feat(phase-b): ship analytics dashboard, alerts, scanner PWA, dedup, audit view Phase B (Insights & Alerts) PR4-11 in one drop. Builds on the schema + service skeletons committed in PRs 1-3. PR4 Analytics dashboard — 4 chart types (funnel/timeline/breakdown/source), date-range picker (today/7d/30d/90d), CSV+PNG export per card. PR5 Alert rail UI + /alerts page — topbar bell w/ live count, dashboard right-rail, three-tab page (active/dismissed/resolved), socket-driven invalidation. Bell lazy-loads list on popover open to keep cold pages fast in non-dashboard routes. PR6 EOI queue tab on documents hub — filters to in-flight EOIs, count surfaces in tab label. PR7 Interests-by-berth tab on berth detail — replaces the stub. PR8 Expense duplicate detection — BullMQ job runs scan on create, yellow banner on detail w/ Merge / Not-a-duplicate, transactional merge consolidates receipts and archives the source. PR9 Receipt scanner PWA + multi-provider AI — port-scoped /scan route in its own (scanner) group with no dashboard chrome, dynamic per-port manifest, OpenAI + Claude provider abstraction, admin OCR settings page (port-level + super-admin global default w/ opt-in fallback), test-connection endpoint, manual-entry fallback when no key is configured. Verify form always shown before save — no ghost rows. PR10 Audit log read view — swap to tsvector full-text search on the existing GIN index, cursor pagination, filters for entity/action/user /date range, batched actor-email resolution. PR11 Real-API tests — opt-in receipt-ocr.spec (admin save+test, optional real-receipt parse via REALAPI_RECEIPT_FIXTURE) and alert-engine socket-fanout spec gated behind RUN_ALERT_ENGINE_REALAPI. Both skip cleanly without their gate envs so CI stays green. Test totals: vitest 690 -> 713, smoke 130 -> 138, realapi +2 opt-in. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-28 17:21:55 +02:00			`import { NextResponse } from 'next/server';`
			`import { z } from 'zod';`

			`import { withAuth, withPermission } from '@/lib/api/helpers';`
			`import { parseBody } from '@/lib/api/route-helpers';`
			`import { errorResponse } from '@/lib/errors';`
			`import { mergeDuplicate } from '@/lib/services/expense-dedup.service';`

			`const mergeSchema = z.object({`
			/** Surviving expense id — typically the row's existing `duplicateOf` pointer. */
			`targetId: z.string().min(1),`
			`});`

			`export const POST = withAuth(`
			`withPermission('expenses', 'edit', async (req, ctx, params) => {`
			`try {`
			`const sourceId = params.id;`
			`if (!sourceId) {`
			`return NextResponse.json({ error: 'Missing id' }, { status: 400 });`
			`}`
			`const body = await parseBody(req, mergeSchema);`
			`await mergeDuplicate(sourceId, body.targetId, ctx.portId);`
			`return NextResponse.json({ ok: true });`
			`} catch (error) {`
			`return errorResponse(error);`
			`}`
			`}),`
			`);`