feat: Artist TikTok Connections via Composio (#170)

* feat: [US-002] Create Supabase functions for artist_composio_connections

- Add artist_composio_connections type to database.types.ts
- Create selectArtistComposioConnection.ts (single lookup by artist+toolkit)
- Create selectArtistComposioConnections.ts (all connections for artist)
- Create insertArtistComposioConnection.ts (upsert on unique constraint)
- Create deleteArtistComposioConnection.ts (delete by id)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: [US-003] Create GET /api/artist-connectors endpoint

- Add ALLOWED_ARTIST_CONNECTORS constant with 'tiktok' as first connector
- Create checkAccountArtistAccess function in Recoup-API (migrated from Recoup-Chat)
- Create getArtistConnectors function to return connector status for artists
- Create GET /api/artist-connectors endpoint with:
  - Bearer token and API key auth via validateAuthContext
  - Artist access validation via checkAccountArtistAccess
  - Returns list of allowed connectors with connection status

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: [US-004] Create POST /api/artist-connectors/authorize endpoint

- Add validateAuthorizeArtistConnectorBody.ts with Zod schema for request validation
- Add authorizeArtistConnector.ts to generate OAuth URLs via Composio
- Add POST /api/artist-connectors/authorize route with auth and access control
- Callback URL redirects to /chat?artist_connected={artistId}&toolkit={slug}

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: [US-005] Add DELETE /api/artist-connectors endpoint

- Add DELETE handler to disconnect an artist's connector from Composio
- Create validateDisconnectArtistConnectorBody.ts with Zod schema
- Create verifyArtistConnectorOwnership.ts to check connection ownership
- Create disconnectArtistConnector.ts to remove from Composio and DB

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: [US-006] Add artist-connectors callback URL destination

- Add 'artist-connectors' to CallbackDestination type in getCallbackUrl.ts
- Add artistId and toolkit to CallbackOptions interface
- Handle artist-connectors destination returning /chat?artist_connected={artistId}&toolkit={toolkit}
- Update authorizeArtistConnector.ts to use getCallbackUrl instead of local function

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: [US-007] Add TikTok to enabled toolkits

Add 'tiktok' to the ENABLED_TOOLKITS array so TikTok tools are available
in Tool Router sessions, enabling the LLM to access TikTok data.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: [US-008] Modify createSession to accept connectedAccounts

- Add artistConnections parameter to createToolRouterSession (Record<string, string> | undefined)
- Pass connectedAccounts option to composio.create() call
- Update getComposioTools to accept and pass artistConnections parameter
- Add JSDoc documentation for the new parameter

This enables artist-specific Composio connections to be used when creating
Tool Router sessions, allowing the LLM to use the correct TikTok account
for the selected artist.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: [US-009] Wire up artistId in chat tool setup

- Modified getComposioTools to accept artistId parameter
- If artistId provided, fetches artist_composio_connections from DB
- Transforms connections to Record<string, string> format
- Passes artistConnections to createToolRouterSession
- Modified setupToolsForRequest to extract artistId from body
- Passes artistId through to getComposioTools

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: [US-014] Handle OAuth callback with complete endpoint

Add POST /api/artist-connectors/complete endpoint to finalize OAuth flow:
- Query Composio for the user's connected account after OAuth redirect
- Store the connection mapping in artist_composio_connections table
- Add Zod validation for request body (artist_id, toolkit_slug)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: use artistId as Composio entity for artist connections

- Remove artist_composio_connections table and related code
- Remove /complete endpoint (no longer needed)
- Use artistId directly as Composio entity when connecting
- Query Composio at chat time for artist connections
- Pass connections to user session via connectedAccounts

Composio is now the source of truth for artist connections.

* fix: resolve TypeScript errors with readonly array types

* refactor: DRY up composio connectors - unified authorizeConnector, getConnectors, disconnectConnector

* refactor: unify /api/connectors with entity_type support, delete /api/artist-connectors

* refactor: address code review - SRP handlers, unified validators, tests, file rename

* docs: add API route patterns and reviewer principles to CLAUDE.md

- Add TDD to code principles
- Document thin route files pattern (follow /api/pulses)
- Document handler functions pattern
- Document combined request validators (validateXxxRequest)
- Add DRY guidance for entity types (use options, not duplicate files)
- Add file naming convention (name after function, not constant)
- Add testing requirements for API changes

* fix: update setupToolsForRequest test for new artistId parameter

- Merge test branch to sync with base
- Update test to expect (accountId, artistId, roomId) signature
- Add test case for when artistId is provided

* refactor: extract getArtistConnectionsFromComposio to own file (SRP)

* refactor: rename createSession.ts to createToolRouterSession.ts

* test: add unit tests for composio toolRouter changes

* test: add comprehensive unit tests for all changed files

Added tests for:
- Handlers: authorizeConnectorHandler, disconnectConnectorHandler, getConnectorsHandler
- Validators: validateGetConnectorsQuery, validateAuthorizeConnectorBody, validateDisconnectConnectorBody, validateCreateChatBody
- Core functions: authorizeConnector, disconnectConnector, getConnectors, isAllowedArtistConnector
- Utilities: getCallbackUrl, checkAccountArtistAccess, createNewRoom, createToolRouterSession

Total: 120 tests passing

* fix: revert validateCreateChatBody.test.ts to original (no changes needed)

* refactor: remove entity_type, use entity_id presence for connection type

- Remove entity_type parameter from API (authorize, disconnect, get connectors)
- Infer isEntityConnection from entity_id presence instead
- Update callback URLs: entity connections → /chat?artist_connected=...
- Rename 'user' → 'account' in tests for consistency
- All 892 tests pass

* fix: remove unrelated changes, keep only composio feature

Reverted all non-composio files to main:
- Removed createNewRoom.test.ts (unrelated)
- Removed evals.yml (unrelated)
- Restored all lib/chat, lib/chats, lib/sandbox, lib/tasks, lib/trigger files
- Restored package.json, pnpm-lock.yaml, types/database.types.ts

PR now contains only:
- lib/composio/* (connectors + toolRouter)
- app/api/connectors/*
- lib/supabase/account_artist_ids/*

* fix: remove entity_type from JSDoc comments in route files

* fix: replace 'user' with 'account' in all composio JSDoc comments

* refactor: use validateAuthContext instead of validateAccountIdHeaders

Updated all connector validation files to use validateAuthContext()
for consistent auth handling across the codebase:
- validateAuthorizeConnectorRequest.ts
- validateDisconnectConnectorRequest.ts
- validateGetConnectorsRequest.ts
- Updated corresponding test files

validateAuthContext supports both x-api-key and Bearer token auth,
plus account_id override and organization access validation.

* fix: restore artistId wiring and add access check in getComposioTools

- Restored artistId parameter in setupToolsForRequest (accidentally reverted)
- Added checkAccountArtistAccess() before fetching artist connections
- If access denied, silently skips artist connections (no throw)
- Updated tests for both setupToolsForRequest and getComposioTools

* refactor: remove entity-connectors callback URL logic (deferred to separate PR)

* refactor: rename entity_id to account_id in connectors API

* feat: broaden account_id access to support self, artist, workspace, and org entities

- Create checkAccountAccess in lib/auth for unified access check
- Create checkAccountWorkspaceAccess in supabase lib
- Move artist connector restriction from body validator to request validator
- Add message field to disconnect response
- Update all tests for broadened access patterns

* docs: add terminology and flat response shape rules to CLAUDE.md

* refactor: move connector restrictions from API to tool router level

- API is now unopinionated: any account can connect any service
- Tool router handles collision prevention in createToolRouterSession
- Account connections always win over artist connections (no duplicates)
- Remove allowedToolkits from GET/authorize validation
- Update tests for new architecture

* refactor: move POST /api/connectors/authorize to POST /api/connectors

Consolidates the authorize endpoint into the main connectors route
to match the updated API docs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: extract standalone supabase queries from checkAccountArtistAccess

SRP: each query is now its own file with dedicated tests:
- selectAccountArtistId (account_artist_ids)
- selectArtistOrganizationIds (artist_organization_ids)
- selectAccountOrganizationIds (account_organization_ids)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: extract selectAccountWorkspaceId from checkAccountWorkspaceAccess

SRP: standalone supabase query with dedicated tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: rename entityId to accountId across all connector code

Use "account" terminology consistently per codebase conventions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: remove unused allowedToolkits filtering from getConnectors

No caller uses this option — YAGNI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: correct misleading docstring in validateDisconnectConnectorBody

The comment claimed ownership verification that the function doesn't do.
Updated to reflect it only validates request shape.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: move checkAccountArtistAccess to lib/artists/

Not a direct Supabase query — it aggregates supabase calls, so it
belongs in the domain layer.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: delete checkAccountWorkspaceAccess wrapper, use selectAccountWorkspaceId directly

YAGNI — the wrapper was just !!data. The sole consumer now calls
the supabase query directly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: filter artist connections locally after allowedToolkits removal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add missing_fields to connector validation error responses

Adds custom Zod messages and missing_fields/status fields to error
responses for both POST and DELETE /api/connectors validation, matching
the standard pattern used across other API endpoints.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Sweets Sweetman <sweetmantech@gmail.com>

Author: 3 people

CLAUDE.md

@@ -144,6 +144,25 @@ export async function selectTableName({
 - All API routes should have JSDoc comments
 - Run `pnpm lint` before committing
 
+### Terminology
+
+Use **"account"** terminology, never "entity" or "user". All entities in the system (individuals, artists, workspaces, organizations) are "accounts". When referring to specific types, use the specific name:
+
+- ✅ `account_id`, "artist", "workspace", "organization"
+- ❌ `entity_id`, "entity", "user"
+
+### API Response Shapes
+
+Keep response bodies **flat** — put fields at the root level, not nested inside a `data` wrapper:
+
+```typescript
+// ✅ Correct — flat response
+{ success: true, connectors: [...] }
+
+// ❌ Wrong — unnecessary nesting
+{ success: true, data: { connectors: [...] } }
+```
+
 ## Test-Driven Development (TDD)
 
 **CRITICAL: Always write tests BEFORE implementing new features or fixing bugs.**

app/api/connectors/authorize/route.ts

@@ -1,11 +1,9 @@
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
 import { getCorsHeaders } from "@/lib/networking/getCorsHeaders";
-import { getConnectors } from "@/lib/composio/connectors";
-import { disconnectConnector } from "@/lib/composio/connectors/disconnectConnector";
-import { validateDisconnectConnectorBody } from "@/lib/composio/connectors/validateDisconnectConnectorBody";
-import { verifyConnectorOwnership } from "@/lib/composio/connectors/verifyConnectorOwnership";
-import { validateAccountIdHeaders } from "@/lib/accounts/validateAccountIdHeaders";
+import { getConnectorsHandler } from "@/lib/composio/connectors/getConnectorsHandler";
+import { authorizeConnectorHandler } from "@/lib/composio/connectors/authorizeConnectorHandler";
+import { disconnectConnectorHandler } from "@/lib/composio/connectors/disconnectConnectorHandler";
 
 /**
  * OPTIONS handler for CORS preflight requests.
@@ -20,90 +18,52 @@ export async function OPTIONS() {
 /**
  * GET /api/connectors
  *
- * List all available connectors and their connection status for a user.
+ * List all available connectors and their connection status.
+ *
+ * Query params:
+ *   - account_id (optional): Entity ID for entity-specific connections (e.g., artist ID)
  *
  * Authentication: x-api-key OR Authorization Bearer token required.
  *
+ * @param request
  * @returns List of connectors with connection status
  */
-export async function GET(request: NextRequest): Promise<NextResponse> {
-  const headers = getCorsHeaders();
-
-  try {
-    const authResult = await validateAccountIdHeaders(request);
-    if (authResult instanceof NextResponse) {
-      return authResult;
-    }
-
-    const { accountId } = authResult;
-
-    const connectors = await getConnectors(accountId);
+export async function GET(request: NextRequest) {
+  return getConnectorsHandler(request);
+}
 
-    return NextResponse.json(
-      {
-        success: true,
-        data: {
-          connectors,
-        },
-      },
-      { status: 200, headers },
-    );
-  } catch (error) {
-    const message =
-      error instanceof Error ? error.message : "Failed to fetch connectors";
-    return NextResponse.json({ error: message }, { status: 500, headers });
-  }
+/**
+ * POST /api/connectors
+ *
+ * Generate an OAuth authorization URL for a specific connector.
+ *
+ * Authentication: x-api-key OR Authorization Bearer token required.
+ *
+ * Request body:
+ * - connector: The connector slug, e.g., "googlesheets" or "tiktok" (required)
+ * - callback_url: Optional custom callback URL after OAuth
+ * - account_id: Optional account ID for account-specific connections
+ *
+ * @param request
+ * @returns The redirect URL for OAuth authorization
+ */
+export async function POST(request: NextRequest) {
+  return authorizeConnectorHandler(request);
 }
 
 /**
  * DELETE /api/connectors
  *
  * Disconnect a connected account from Composio.
  *
+ * Body:
+ * - connected_account_id (required): The connected account ID to disconnect
+ * - account_id (optional): Entity ID for ownership verification (e.g., artist ID)
+ *
  * Authentication: x-api-key OR Authorization Bearer token required.
  *
- * Body: { connected_account_id: string }
+ * @param request
  */
-export async function DELETE(request: NextRequest): Promise<NextResponse> {
-  const headers = getCorsHeaders();
-
-  try {
-    const authResult = await validateAccountIdHeaders(request);
-    if (authResult instanceof NextResponse) {
-      return authResult;
-    }
-
-    const { accountId } = authResult;
-    const body = await request.json();
-
-    const validated = validateDisconnectConnectorBody(body);
-    if (validated instanceof NextResponse) {
-      return validated;
-    }
-
-    const { connected_account_id } = validated;
-
-    // Verify the connected account belongs to the authenticated user
-    const isOwner = await verifyConnectorOwnership(accountId, connected_account_id);
-    if (!isOwner) {
-      return NextResponse.json(
-        { error: "Connected account not found or does not belong to this user" },
-        { status: 403, headers }
-      );
-    }
-
-    const result = await disconnectConnector(connected_account_id);
-
-    return NextResponse.json(
-      {
-        success: true,
-        data: result,
-      },
-      { status: 200, headers },
-    );
-  } catch (error) {
-    const message =
-      error instanceof Error ? error.message : "Failed to disconnect connector";
-    return NextResponse.json({ error: message }, { status: 500, headers });
-  }
+export async function DELETE(request: NextRequest) {
+  return disconnectConnectorHandler(request);
 }

app/api/connectors/route.ts

@@ -0,0 +1,81 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { checkAccountArtistAccess } from "../checkAccountArtistAccess";
+
+vi.mock("@/lib/supabase/account_artist_ids/selectAccountArtistId", () => ({
+  selectAccountArtistId: vi.fn(),
+}));
+
+vi.mock("@/lib/supabase/artist_organization_ids/selectArtistOrganizationIds", () => ({
+  selectArtistOrganizationIds: vi.fn(),
+}));
+
+vi.mock("@/lib/supabase/account_organization_ids/selectAccountOrganizationIds", () => ({
+  selectAccountOrganizationIds: vi.fn(),
+}));
+
+import { selectAccountArtistId } from "@/lib/supabase/account_artist_ids/selectAccountArtistId";
+import { selectArtistOrganizationIds } from "@/lib/supabase/artist_organization_ids/selectArtistOrganizationIds";
+import { selectAccountOrganizationIds } from "@/lib/supabase/account_organization_ids/selectAccountOrganizationIds";
+
+describe("checkAccountArtistAccess", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("should return true when account has direct access to artist", async () => {
+    vi.mocked(selectAccountArtistId).mockResolvedValue({ artist_id: "artist-123" });
+
+    const result = await checkAccountArtistAccess("account-123", "artist-123");
+
+    expect(selectAccountArtistId).toHaveBeenCalledWith("account-123", "artist-123");
+    expect(result).toBe(true);
+    expect(selectArtistOrganizationIds).not.toHaveBeenCalled();
+  });
+
+  it("should return true when account and artist share an organization", async () => {
+    vi.mocked(selectAccountArtistId).mockResolvedValue(null);
+    vi.mocked(selectArtistOrganizationIds).mockResolvedValue([
+      { organization_id: "org-1" },
+    ]);
+    vi.mocked(selectAccountOrganizationIds).mockResolvedValue([
+      { organization_id: "org-1" },
+    ]);
+
+    const result = await checkAccountArtistAccess("account-123", "artist-456");
+
+    expect(selectArtistOrganizationIds).toHaveBeenCalledWith("artist-456");
+    expect(selectAccountOrganizationIds).toHaveBeenCalledWith("account-123", ["org-1"]);
+    expect(result).toBe(true);
+  });
+
+  it("should return false when artist org lookup errors (fail closed)", async () => {
+    vi.mocked(selectAccountArtistId).mockResolvedValue(null);
+    vi.mocked(selectArtistOrganizationIds).mockResolvedValue(null);
+
+    const result = await checkAccountArtistAccess("account-123", "artist-123");
+
+    expect(result).toBe(false);
+  });
+
+  it("should return false when account has no access", async () => {
+    vi.mocked(selectAccountArtistId).mockResolvedValue(null);
+    vi.mocked(selectArtistOrganizationIds).mockResolvedValue([]);
+
+    const result = await checkAccountArtistAccess("account-123", "artist-456");
+
+    expect(result).toBe(false);
+    expect(selectAccountOrganizationIds).not.toHaveBeenCalled();
+  });
+
+  it("should return false when account org lookup errors (fail closed)", async () => {
+    vi.mocked(selectAccountArtistId).mockResolvedValue(null);
+    vi.mocked(selectArtistOrganizationIds).mockResolvedValue([
+      { organization_id: "org-1" },
+    ]);
+    vi.mocked(selectAccountOrganizationIds).mockResolvedValue(null);
+
+    const result = await checkAccountArtistAccess("account-123", "artist-456");
+
+    expect(result).toBe(false);
+  });
+});

lib/artists/__tests__/checkAccountArtistAccess.test.ts

@@ -0,0 +1,44 @@
+import { selectAccountArtistId } from "@/lib/supabase/account_artist_ids/selectAccountArtistId";
+import { selectArtistOrganizationIds } from "@/lib/supabase/artist_organization_ids/selectArtistOrganizationIds";
+import { selectAccountOrganizationIds } from "@/lib/supabase/account_organization_ids/selectAccountOrganizationIds";
+
+/**
+ * Check if an account has access to a specific artist.
+ *
+ * Access is granted if:
+ * 1. Account has direct access via account_artist_ids, OR
+ * 2. Account and artist share an organization
+ *
+ * Fails closed: returns false on any database error to deny access safely.
+ *
+ * @param accountId - The account ID to check
+ * @param artistId - The artist ID to check access for
+ * @returns true if the account has access to the artist, false otherwise
+ */
+export async function checkAccountArtistAccess(
+  accountId: string,
+  artistId: string,
+): Promise<boolean> {
+  // 1. Check direct access via account_artist_ids
+  const directAccess = await selectAccountArtistId(accountId, artistId);
+
+  if (directAccess) return true;
+
+  // 2. Check organization access: account and artist share an org
+  const artistOrgs = await selectArtistOrganizationIds(artistId);
+
+  if (!artistOrgs) return false; // Fail closed on error
+
+  if (!artistOrgs.length) return false;
+
+  const orgIds = artistOrgs
+    .map((o) => o.organization_id)
+    .filter((id): id is string => Boolean(id));
+  if (!orgIds.length) return false;
+
+  const userOrgAccess = await selectAccountOrganizationIds(accountId, orgIds);
+
+  if (!userOrgAccess) return false; // Fail closed on error
+
+  return !!userOrgAccess.length;
+}