release-20260205 #523

Merged: d-beezee merged 101 commits into main from develop on Feb 5, 2026
@Kariamos Kariamos commented Feb 5, 2026

This pull request introduces several important improvements and new features related to campaign bug reviewer identification, finance attachment uploads, and cost deletion, along with supporting configuration and dependency updates. The main highlights are the addition of reviewer type distinction (AI vs. human) for campaign bugs, new endpoints for finance attachment upload and cost deletion (with S3 cleanup), and configuration enhancements to support these features.

Campaign Bugs: Reviewer Type Distinction

  • Added an AI_REVIEWER_PROFILE_ID environment variable and propagated it through .env.template, deployment scripts, and the config object, allowing the backend to distinguish between AI and human reviewers for bugs. (.env.template [1]; deployment/after-install.sh [2]; src/config.ts [3] [4])
  • Updated the campaign bugs API to include a new reviewerType field ("ai" or "human") for each bug, based on the reviewer profile ID. Includes unit tests to ensure correct behavior. (src/routes/campaigns/campaignId/bugs/_get/index.ts [1] [2] [3] [4]; src/routes/campaigns/campaignId/bugs/_get/index.spec.ts [5] [6] [7])

Finance Attachments: New Upload Endpoint

  • Introduced a new POST endpoint for uploading finance attachments to campaigns. The endpoint validates file extensions (blocking .bat, .sh, .exe), checks file size, and uploads valid files to S3. Failed uploads are reported in the response. Comprehensive tests were added. (src/routes/campaigns/campaignId/finance/attachment/_post/index.ts [1]; src/routes/campaigns/campaignId/finance/attachment/_post/index.spec.ts [2])

Finance Other Costs: Deletion with S3 Cleanup

Supporting Improvements

  • Updated the @appquality/tryber-database dependency to version ^0.46.20 for improved database interactions. (package.json L24-R24)
  • Enhanced the S3 presigned URL utility to allow a configurable expiration time. (src/features/s3/presignUrl/index.ts L7-R11)

These changes collectively enhance the campaign management API, improving traceability of bug reviews, enabling secure file uploads, and ensuring proper cleanup of campaign-related resources.
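An added example, not part of this pull request or the project's code: a sketch of the attachment check the description outlines (blocked extensions, size limit, failures reported per file), with a naive suffix match beside a normalised one to show which file names a blocklist can miss. All function names, the size limit, the reason codes and the sample files are assumptions.

```typescript
// Added example: names, limit and reason codes are assumptions, not the project's code.
type UploadFile = { name: string; size: number };
type Failure = { name: string; reason: "BLOCKED_EXTENSION" | "FILE_TOO_LARGE" };

const BLOCKED = [".bat", ".sh", ".exe"]; // list taken from the PR description
const MAX_SIZE_BYTES = 10 * 1024 * 1024; // assumed; the PR does not state the limit

// Naive check for contrast: case-sensitive suffix match on the raw name.
function naiveIsBlocked(name: string): boolean {
  return BLOCKED.some((ext) => name.endsWith(ext));
}

// Normalised extension: drop path parts, trailing dots/spaces
// (which some filesystems strip on write), and letter case.
function normalizedExtension(name: string): string {
  const base = name.split(/[\\/]/).pop() ?? "";
  const cleaned = base.replace(/[. ]+$/, "").toLowerCase();
  const dot = cleaned.lastIndexOf(".");
  return dot === -1 ? "" : cleaned.slice(dot);
}

// Split a batch into accepted names and per-file failures, so one bad file
// does not reject the whole request.
function partitionUploads(files: UploadFile[]): { accepted: string[]; failed: Failure[] } {
  const accepted: string[] = [];
  const failed: Failure[] = [];
  for (const file of files) {
    if (BLOCKED.indexOf(normalizedExtension(file.name)) !== -1) {
      failed.push({ name: file.name, reason: "BLOCKED_EXTENSION" });
    } else if (file.size > MAX_SIZE_BYTES) {
      failed.push({ name: file.name, reason: "FILE_TOO_LARGE" });
    } else {
      accepted.push(file.name);
    }
  }
  return { accepted, failed };
}

// Constructed sample input.
const SAMPLE_FILES: UploadFile[] = [
  { name: "invoice.pdf", size: 120000 },
  { name: "SETUP.EXE", size: 4096 },
  { name: "run.sh.", size: 512 },
  { name: "scan.pdf", size: MAX_SIZE_BYTES + 1 },
  { name: "archive.tar.gz", size: 2048 },
  { name: "deploy.bat", size: 256 },
];
console.log(partitionUploads(SAMPLE_FILES));
console.log("missed by naive check:", SAMPLE_FILES.filter((f) =>
  !naiveIsBlocked(f.name) && BLOCKED.indexOf(normalizedExtension(f.name)) !== -1).map((f) => f.name));
```

A three-entry blocklist still accepts every other executable or script type, so an allowlist of the document types finance staff actually upload is the tighter control.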

sinatragianpaolo and others added 30 commits January 22, 2026 15:41
Kariamos and others added 27 commits February 2, 2026 16:10
UN-2273 add reviewerType to GET /campaigns/:cid/bugs response
feat: update attachment deletion logic to ensure database records are…
@Kariamos Kariamos added the core Team Core activity label Feb 5, 2026
github-actions bot commented Feb 5, 2026

Tests difference:

New Tests

< Authentication and Authorization - Should allow access with admin permissions
< Authentication and Authorization - Should allow access with olp permissions for the campaign
< Authentication and Authorization - Should return 200 if logged in as admin
< Authentication and Authorization - Should return 200 if logged in as olp with access to campaign
< Authentication and Authorization - Should return 403 if user does not have access to campaign
< Authentication and Authorization - Should return 403 if user has olp permissions for different campaign
< Authentication and Authorization - Should return 403 if user is not admin and does not have olp permissions
< Authentication and Authorization - Should return 403 if user is not authenticated
< Authentication and Authorization - Should return 403 if user is not logged in
< Campaign isolation - Should create cost only for specified campaign
< Enough permissions - admin - Should add new finance supplier
< Enough permissions - admin - Should not add existing supplier
< Enough permissions - admin - Should not add supplier with empty name
< Enough permissions - admin - Should return 200 if logged in as admin
< Enough permissions - olp - Should add supplier 
< Enough permissions - olp - Should not add existing supplier
< Error Handling - Should return 500 if S3 deletion fails
< GET /campaigns/campaignId/bugs - Should return a bug list with reviewerType foreach bug
< GET /campaigns/campaignId/finance/otherCosts - Should call getPresignedUrl for each attachment
< GET /campaigns/campaignId/finance/otherCosts - Should not include costs from other campaigns
< GET /campaigns/campaignId/finance/otherCosts - Should return 200 if logged in as admin
< GET /campaigns/campaignId/finance/otherCosts - Should return 403 if logged in as not admin user
< GET /campaigns/campaignId/finance/otherCosts - Should return 403 if logged out
< GET /campaigns/campaignId/finance/otherCosts - Should return 403 if no access to the campaign
< GET /campaigns/campaignId/finance/otherCosts - Should return cost with empty attachments array if cost has no attachments
< GET /campaigns/campaignId/finance/otherCosts - Should return empty items array if no costs exist for campaign
< GET /campaigns/campaignId/finance/otherCosts - Should return finance other costs - admin
< GET /campaigns/campaignId/finance/otherCosts - Should return other costs - olp permissions
< GET /campaigns/campaignId/finance/supplier - Should return 200 if logged in as admin
< GET /campaigns/campaignId/finance/supplier - Should return 403 if logged in as not admin user
< GET /campaigns/campaignId/finance/supplier - Should return 403 if logged out
< GET /campaigns/campaignId/finance/supplier - Should return 403 if no access to the campaign
< GET /campaigns/campaignId/finance/supplier - Should return finance suppliers - admin
< GET /campaigns/campaignId/finance/supplier - Should return suppliers - olp permissions
< GET /campaigns/campaignId/finance/type - Should return 200 if logged in as admin
< GET /campaigns/campaignId/finance/type - Should return 403 if logged in as not admin user
< GET /campaigns/campaignId/finance/type - Should return 403 if logged out
< GET /campaigns/campaignId/finance/type - Should return 403 if no access to the campaign
< GET /campaigns/campaignId/finance/type - Should return finance types - admin
< GET /campaigns/campaignId/finance/type - Should return types - olp permissions
< Input Validation - Should return 400 if array is empty
< Input Validation - Should return 400 if attachments array item is missing mime_type
< Input Validation - Should return 400 if attachments array item is missing url
< Input Validation - Should return 400 if attachments is an empty array
< Input Validation - Should return 400 if attachments is missing
< Input Validation - Should return 400 if body is not an array
< Input Validation - Should return 400 if cost is missing
< Input Validation - Should return 400 if cost_id is missing
< Input Validation - Should return 400 if cost_id is missing
< Input Validation - Should return 400 if cost_id is negative
< Input Validation - Should return 400 if cost_id is negative
< Input Validation - Should return 400 if cost_id is not a number
< Input Validation - Should return 400 if cost_id is null
< Input Validation - Should return 400 if cost_id is null
< Input Validation - Should return 400 if cost_id is zero
< Input Validation - Should return 400 if cost_id is zero
< Input Validation - Should return 400 if description is missing
< Input Validation - Should return 400 if supplier_id is missing
< Input Validation - Should return 400 if type_id is missing
< Not Found  - Should return 404 if cost belongs to another campaign
< Not Found  - Should return 404 if cost does not exist
< Not enough permissions - Should return 403 if logged in as not admin user
< Not enough permissions - Should return 403 if logged in as not admin user
< Not enough permissions - Should return 403 if logged out
< Not enough permissions - Should return 403 if logged out
< Not enough permissions - Should return 403 if no access to the campaign
< Not enough permissions - Should return 403 if no access to the campaign
< Resource Validation - Should return 404 if cost belongs to another campaign
< Resource Validation - Should return 404 if cost_id does not exist
< Resource Validation - Should return 404 if supplier_id does not exist
< Resource Validation - Should return 404 if type_id does not exist
< Route POST /campaigns/{campaignId}/finance/attachments - Should answer 200 and mark as failed if try to send an oversized file
< Route POST /campaigns/{campaignId}/finance/attachments - Should answer 200 and mark as failed if try to send file as .bat, .sh and .exe
< Route POST /campaigns/{campaignId}/finance/attachments - Should answer 403 if not logged in
< S3 Deletion - Should call deleteFromS3 once for cost with one attachment
< S3 Deletion - Should call deleteFromS3 three times for cost with three attachments
< S3 Deletion - Should not call deleteFromS3 if cost has no attachments
< S3 Deletion - Should only delete S3 files for the specified cost, not others
< Success - admin permissions - Should accept decimal cost values
< Success - admin permissions - Should create attachments in database
< Success - admin permissions - Should create cost with multiple attachments
< Success - admin permissions - Should create cost with single attachment
< Success - admin permissions - Should create multiple costs in single request
< Success - admin permissions - Should create multiple costs independently
< Success - admin permissions - Should create other cost in database
< Success - admin permissions - Should delete correctly only one cost item
< Success - admin permissions - Should delete cost and all its attachments
< Success - admin permissions - Should delete cost from database
< Success - admin permissions - Should delete cost without attachments
< Success - admin permissions - Should delete multiple old attachments from S3 when updating
< Success - admin permissions - Should delete old attachments from S3 when updating
< Success - admin permissions - Should only delete attachments of the deleted cost
< Success - admin permissions - Should only delete specified cost, not others
< Success - admin permissions - Should only update specified cost, not others
< Success - admin permissions - Should return 201 if logged in as admin
< Success - admin permissions - Should update cost and replace attachments
< Success - admin permissions - Should update cost in database
< Success - admin permissions - Should update cost with empty attachments array
< Success - admin permissions - Should update cost without old attachments
< Success - admin permissions - Should update multiple costs in single request
< Success - olp permissions - Should create attachments with olp permissions
< Success - olp permissions - Should create other cost in database with olp permissions
< Success - olp permissions - Should delete correctly only one cost item
< Success - olp permissions - Should delete cost and attachments 
< Success - olp permissions - Should delete cost with olp permissions
< Success - olp permissions - Should return 201 if logged in as olp with access to campaign
< Success - olp permissions - Should return 403 if olp does not have access to campaign
< Success - olp permissions - Should update cost and replace attachments with olp permissions
< Success - olp permissions - Should update cost with olp permissions
< Validation errors - Should return 400 for second item with invalid data
< Validation errors - Should return 400 if attachment mime_type is empty
< Validation errors - Should return 400 if attachment url is empty
< Validation errors - Should return 400 if attachments array is empty
< Validation errors - Should return 400 if body is an empty array
< Validation errors - Should return 400 if body is not an array
< Validation errors - Should return 400 if cost is 0
< Validation errors - Should return 400 if cost is negative
< Validation errors - Should return 400 if description is empty
< Validation errors - Should return 400 if description is only whitespace
< Validation errors - Should return 400 if supplier_id does not exist
< Validation errors - Should return 400 if type_id does not exist

@d-beezee d-beezee merged commit acb6034 into main Feb 5, 2026
4 checks passed
Labels

core Team Core activity

5 participants