Private
Public Access
1
0

Initial implementation: multi-tenant Kanban board (Phase 1)

Complete Phase 1 foundation with working board, column, and card CRUD:
- SvelteKit + TypeScript + Tailwind CSS v4 + adapter-node
- Full Prisma schema with 18 tables (tenants, users, boards, columns, cards, etc.)
- Multi-tenant architecture with hostname-based tenant resolution
- Email/password auth with bcrypt + session cookies
- Board/Column/Card API routes with full CRUD
- Fractional indexing for drag-and-drop ordering
- Board view with svelte-dnd-action for column and card drag-and-drop
- Card modal with inline editing
- Auth pages (login, register)
- Board listing with create form
- RLS policies SQL script for tenant isolation
- Prisma RLS client extensions (forTenant/bypassRLS)
- Permission helpers (canEditBoard, canManageMembers, etc.)
- Socket.IO server setup (dev Vite plugin + production Express server)
- Client-side socket store for real-time updates
- Docker Compose (app + PostgreSQL 16) + multi-stage Dockerfile
- Database seed script (default tenant + admin user)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Catherine Renelle
2026-02-25 20:58:49 -05:00
commit 2f398711c8
52 changed files with 7369 additions and 0 deletions
+102
View File
@@ -0,0 +1,102 @@
import { json, error } from '@sveltejs/kit';
import type { RequestHandler } from './$types.js';
import { prisma } from '$lib/server/db.js';
import { boardSchema } from '$lib/server/validation.js';
// Get single board with all columns and cards
export const GET: RequestHandler = async ({ params, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
const board = await prisma.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: {
columns: {
orderBy: { position: 'asc' },
include: {
cards: {
where: { archived: false },
orderBy: { position: 'asc' },
include: {
assignees: {
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
},
labels: { include: { tag: true } },
_count: { select: { comments: true, checklists: true, attachments: true } }
}
}
}
},
members: {
include: { user: { select: { id: true, name: true, email: true, avatarUrl: true } } }
}
}
});
if (!board) throw error(404, 'Board not found');
// Check access
if (board.visibility === 'PRIVATE') {
if (!locals.user) throw error(401, 'Not authenticated');
const isMember = board.members.some((m) => m.userId === locals.user!.id);
const isAdmin =
locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (!isMember && !isAdmin) throw error(403, 'Access denied');
}
return json({ board });
};
// Update board
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const board = await prisma.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: { members: true }
});
if (!board) throw error(404, 'Board not found');
const member = board.members.find((m) => m.userId === locals.user!.id);
const isAdmin =
locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit boards');
const body = await request.json();
const result = boardSchema.partial().safeParse(body);
if (!result.success) {
return json({ error: result.error.issues[0].message }, { status: 400 });
}
const updated = await prisma.board.update({
where: { id: params.boardId },
data: result.data
});
return json({ board: updated });
};
// Delete board
export const DELETE: RequestHandler = async ({ params, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const board = await prisma.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: { members: true }
});
if (!board) throw error(404, 'Board not found');
const member = board.members.find((m) => m.userId === locals.user!.id);
const isAdmin =
locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (member?.role !== 'OWNER' && !isAdmin) throw error(403, 'Only owners can delete boards');
await prisma.board.delete({ where: { id: params.boardId } });
return json({ ok: true });
};
@@ -0,0 +1,50 @@
import { json, error } from '@sveltejs/kit';
import type { RequestHandler } from './$types.js';
import { prisma } from '$lib/server/db.js';
import { columnSchema } from '$lib/server/validation.js';
import { generatePosition } from '$lib/utils/fractional-index.js';
// Create column
export const POST: RequestHandler = async ({ params, request, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const board = await prisma.board.findFirst({
where: { id: params.boardId, tenantId: tenant.id },
include: { members: true }
});
if (!board) throw error(404, 'Board not found');
const member = board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot add columns');
const body = await request.json();
const result = columnSchema.safeParse(body);
if (!result.success) {
return json({ error: result.error.issues[0].message }, { status: 400 });
}
// Get the last column position
const lastColumn = await prisma.column.findFirst({
where: { boardId: params.boardId },
orderBy: { position: 'desc' }
});
const position = generatePosition(lastColumn?.position, null);
const column = await prisma.column.create({
data: {
boardId: params.boardId,
title: result.data.title,
position
},
include: {
cards: true
}
});
return json({ column }, { status: 201 });
};
@@ -0,0 +1,71 @@
import { json, error } from '@sveltejs/kit';
import type { RequestHandler } from './$types.js';
import { prisma } from '$lib/server/db.js';
import { columnSchema, moveColumnSchema } from '$lib/server/validation.js';
// Update column title
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const column = await prisma.column.findFirst({
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
include: { board: { include: { members: true } } }
});
if (!column) throw error(404, 'Column not found');
const member = column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit columns');
const body = await request.json();
// Allow both title update and position update
if (body.position !== undefined) {
const result = moveColumnSchema.safeParse(body);
if (!result.success) {
return json({ error: result.error.issues[0].message }, { status: 400 });
}
const updated = await prisma.column.update({
where: { id: params.columnId },
data: { position: result.data.position }
});
return json({ column: updated });
}
const result = columnSchema.safeParse(body);
if (!result.success) {
return json({ error: result.error.issues[0].message }, { status: 400 });
}
const updated = await prisma.column.update({
where: { id: params.columnId },
data: { title: result.data.title }
});
return json({ column: updated });
};
// Delete column
export const DELETE: RequestHandler = async ({ params, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const column = await prisma.column.findFirst({
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
include: { board: { include: { members: true } } }
});
if (!column) throw error(404, 'Column not found');
const member = column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (member?.role === 'VIEWER' && !isAdmin) throw error(403, 'Viewers cannot delete columns');
if (!member && !isAdmin) throw error(403, 'Access denied');
await prisma.column.delete({ where: { id: params.columnId } });
return json({ ok: true });
};
@@ -0,0 +1,55 @@
import { json, error } from '@sveltejs/kit';
import type { RequestHandler } from './$types.js';
import { prisma } from '$lib/server/db.js';
import { cardSchema } from '$lib/server/validation.js';
import { generatePosition } from '$lib/utils/fractional-index.js';
// Create card in column
export const POST: RequestHandler = async ({ params, request, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const column = await prisma.column.findFirst({
where: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } },
include: { board: { include: { members: true } } }
});
if (!column) throw error(404, 'Column not found');
const member = column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot add cards');
const body = await request.json();
const result = cardSchema.safeParse(body);
if (!result.success) {
return json({ error: result.error.issues[0].message }, { status: 400 });
}
// Get the last card position in this column
const lastCard = await prisma.card.findFirst({
where: { columnId: params.columnId },
orderBy: { position: 'desc' }
});
const position = generatePosition(lastCard?.position, null);
const card = await prisma.card.create({
data: {
columnId: params.columnId,
title: result.data.title,
description: result.data.description,
position
},
include: {
assignees: {
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
},
labels: { include: { tag: true } },
_count: { select: { comments: true, checklists: true, attachments: true } }
}
});
return json({ card }, { status: 201 });
};
@@ -0,0 +1,129 @@
import { json, error } from '@sveltejs/kit';
import type { RequestHandler } from './$types.js';
import { prisma } from '$lib/server/db.js';
import { cardSchema, moveCardSchema } from '$lib/server/validation.js';
// Get single card with full details
export const GET: RequestHandler = async ({ params, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
const card = await prisma.card.findFirst({
where: {
id: params.cardId,
column: { id: params.columnId, board: { id: params.boardId, tenantId: tenant.id } }
},
include: {
assignees: {
include: { user: { select: { id: true, name: true, email: true, avatarUrl: true } } }
},
labels: { include: { tag: true } },
checklists: {
orderBy: { position: 'asc' },
include: { items: { orderBy: { position: 'asc' } } }
},
comments: {
orderBy: { createdAt: 'desc' },
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
},
attachments: { orderBy: { createdAt: 'desc' } },
column: { select: { id: true, title: true } }
}
});
if (!card) throw error(404, 'Card not found');
return json({ card });
};
// Update card
export const PATCH: RequestHandler = async ({ params, request, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const card = await prisma.card.findFirst({
where: {
id: params.cardId,
column: { board: { id: params.boardId, tenantId: tenant.id } }
},
include: { column: { include: { board: { include: { members: true } } } } }
});
if (!card) throw error(404, 'Card not found');
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot edit cards');
const body = await request.json();
// Handle move (column change + position)
if (body.columnId !== undefined || body.position !== undefined) {
const data: Record<string, unknown> = {};
if (body.columnId) data.columnId = body.columnId;
if (body.position) data.position = body.position;
const updated = await prisma.card.update({
where: { id: params.cardId },
data,
include: {
assignees: {
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
},
labels: { include: { tag: true } },
_count: { select: { comments: true, checklists: true, attachments: true } }
}
});
return json({ card: updated });
}
// Handle content update
const result = cardSchema.partial().safeParse(body);
if (!result.success) {
return json({ error: result.error.issues[0].message }, { status: 400 });
}
const updateData: Record<string, unknown> = { ...result.data };
if (body.dueDate !== undefined) updateData.dueDate = body.dueDate ? new Date(body.dueDate) : null;
if (body.archived !== undefined) updateData.archived = body.archived;
const updated = await prisma.card.update({
where: { id: params.cardId },
data: updateData,
include: {
assignees: {
include: { user: { select: { id: true, name: true, avatarUrl: true } } }
},
labels: { include: { tag: true } },
_count: { select: { comments: true, checklists: true, attachments: true } }
}
});
return json({ card: updated });
};
// Delete card
export const DELETE: RequestHandler = async ({ params, locals }) => {
const tenant = locals.tenant;
if (!tenant) throw error(400, 'Unknown tenant');
if (!locals.user) throw error(401, 'Not authenticated');
const card = await prisma.card.findFirst({
where: {
id: params.cardId,
column: { board: { id: params.boardId, tenantId: tenant.id } }
},
include: { column: { include: { board: { include: { members: true } } } } }
});
if (!card) throw error(404, 'Card not found');
const member = card.column.board.members.find((m) => m.userId === locals.user!.id);
const isAdmin = locals.user.globalRole === 'SITE_ADMIN' || locals.user.tenantRole === 'ADMIN';
if (!member && !isAdmin) throw error(403, 'Access denied');
if (member && member.role === 'VIEWER') throw error(403, 'Viewers cannot delete cards');
await prisma.card.delete({ where: { id: params.cardId } });
return json({ ok: true });
};