feat: ST-401-ST-410 M4 REST API, tokenbeleer en activiteitenlog

- api-auth.ts was al aanwezig; demo-check toegevoegd per endpoint (ST-401)
- Token aanmaken (SHA-256 hash, eenmalig tonen), intrekken, max 10 (ST-402)
- GET /api/products actieve productenlijst (ST-403)
- GET /api/products/:id/next-story hoogst geprioriteerde open story (ST-404)
- GET /api/sprints/:id/tasks met limit parameter (ST-405)
- PATCH /api/stories/:id/tasks/reorder met ID-validatie (ST-406)
- POST /api/stories/:id/log met discriminatedUnion per type (ST-407)
- PATCH /api/tasks/:id status bijwerken met cross-user bescherming (ST-408)
- POST /api/todos via API aanmaken (ST-409)
- StoryLog component met kleurcodering per type in story slide-over (ST-410)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

actions/api-tokens.ts

@@ -0,0 +1,60 @@
+'use server'
+
+import { revalidatePath } from 'next/cache'
+import { cookies } from 'next/headers'
+import { getIronSession } from 'iron-session'
+import { createHash, randomBytes } from 'crypto'
+import { prisma } from '@/lib/prisma'
+import { SessionData, sessionOptions } from '@/lib/session'
+
+async function getSession() {
+  return getIronSession<SessionData>(await cookies(), sessionOptions)
+}
+
+export async function createApiTokenAction(_prevState: unknown, formData: FormData) {
+  const session = await getSession()
+  if (!session.userId) return { error: 'Niet ingelogd' }
+  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
+
+  const label = (formData.get('label') as string | null)?.trim() || null
+
+  // Max 10 active tokens
+  const activeCount = await prisma.apiToken.count({
+    where: { user_id: session.userId, revoked_at: null },
+  })
+  if (activeCount >= 10) return { error: 'Maximaal 10 actieve tokens toegestaan' }
+
+  const rawToken = randomBytes(32).toString('hex')
+  const tokenHash = createHash('sha256').update(rawToken).digest('hex')
+
+  await prisma.apiToken.create({
+    data: {
+      user_id: session.userId,
+      token_hash: tokenHash,
+      label,
+    },
+  })
+
+  revalidatePath('/settings/tokens')
+  // Return the raw token once — it won't be retrievable later
+  return { success: true, token: rawToken }
+}
+
+export async function revokeApiTokenAction(id: string) {
+  const session = await getSession()
+  if (!session.userId) return { error: 'Niet ingelogd' }
+  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
+
+  const token = await prisma.apiToken.findFirst({
+    where: { id, user_id: session.userId },
+  })
+  if (!token) return { error: 'Token niet gevonden' }
+
+  await prisma.apiToken.update({
+    where: { id },
+    data: { revoked_at: new Date() },
+  })
+
+  revalidatePath('/settings/tokens')
+  return { success: true }
+}

actions/stories.ts

@@ -163,6 +163,36 @@ export async function updatePbiPriorityAction(pbiId: string, priority: number, p
   return { success: true }
 }
 
+export async function getStoryLogsAction(storyId: string) {
+  const session = await getSession()
+  if (!session.userId) return { error: 'Niet ingelogd' }
+
+  const story = await prisma.story.findFirst({
+    where: { id: storyId, product: { user_id: session.userId } },
+    include: { product: { select: { repo_url: true } } },
+  })
+  if (!story) return { error: 'Story niet gevonden' }
+
+  const logs = await prisma.storyLog.findMany({
+    where: { story_id: storyId },
+    orderBy: { created_at: 'asc' },
+  })
+
+  return {
+    success: true,
+    logs: logs.map(l => ({
+      id: l.id,
+      type: l.type,
+      content: l.content,
+      status: l.status,
+      commit_hash: l.commit_hash,
+      commit_message: l.commit_message,
+      created_at: l.created_at.toISOString(),
+    })),
+    repoUrl: story.product.repo_url,
+  }
+}
+
 export async function reorderStoriesAction(
   pbiId: string,
   productId: string,