a78f653f5a
Add Task 3.6 routes: - POST /api/v1/berths/:id/reservations — creates a pending reservation; the URL berthId is authoritative and any body-supplied berthId is ignored. - GET /api/v1/berths/:id/reservations — list filtered by URL berthId. - GET /api/v1/berth-reservations/:id — fetch scoped to tenant. - PATCH /api/v1/berth-reservations/:id — action-based dispatch (activate | end | cancel) via a discriminated union. Because the required permission depends on the action, PATCH is wrapped with withAuth only and calls requirePermission inside the handler. - DELETE /api/v1/berth-reservations/:id — alias for cancel (204). Cross-tenant berths return 404 on both POST and GET via an explicit pre-check. Tests cover happy paths, invalid transitions, 404/400/403 cases, the URL-vs-body berthId precedence, and per-action permission gating. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
client-portal
@ 84f89f9409