feat: ST-401-ST-410 M4 REST API, tokenbeleer en activiteitenlog

- api-auth.ts was al aanwezig; demo-check toegevoegd per endpoint (ST-401)
- Token aanmaken (SHA-256 hash, eenmalig tonen), intrekken, max 10 (ST-402)
- GET /api/products actieve productenlijst (ST-403)
- GET /api/products/:id/next-story hoogst geprioriteerde open story (ST-404)
- GET /api/sprints/:id/tasks met limit parameter (ST-405)
- PATCH /api/stories/:id/tasks/reorder met ID-validatie (ST-406)
- POST /api/stories/:id/log met discriminatedUnion per type (ST-407)
- PATCH /api/tasks/:id status bijwerken met cross-user bescherming (ST-408)
- POST /api/todos via API aanmaken (ST-409)
- StoryLog component met kleurcodering per type in story slide-over (ST-410)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/api/products/[id]/next-story/route.ts

@@ -0,0 +1,44 @@
+import { authenticateApiRequest } from '@/lib/api-auth'
+import { prisma } from '@/lib/prisma'
+
+export async function GET(
+  request: Request,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = await authenticateApiRequest(request)
+  if ('error' in auth) {
+    return Response.json({ error: auth.error }, { status: auth.status })
+  }
+
+  const { id } = await params
+
+  const sprint = await prisma.sprint.findFirst({
+    where: { product_id: id, status: 'ACTIVE', product: { user_id: auth.userId } },
+  })
+  if (!sprint) {
+    return Response.json({ error: 'Geen actieve Sprint gevonden' }, { status: 404 })
+  }
+
+  const story = await prisma.story.findFirst({
+    where: { sprint_id: sprint.id, status: 'IN_SPRINT' },
+    orderBy: [{ priority: 'asc' }, { sort_order: 'asc' }],
+    include: {
+      tasks: {
+        orderBy: [{ priority: 'asc' }, { sort_order: 'asc' }],
+        select: { id: true, title: true, description: true, priority: true, sort_order: true, status: true },
+      },
+    },
+  })
+
+  if (!story) {
+    return Response.json({ error: 'Geen open stories in de Sprint' }, { status: 404 })
+  }
+
+  return Response.json({
+    id: story.id,
+    title: story.title,
+    description: story.description,
+    acceptance_criteria: story.acceptance_criteria,
+    tasks: story.tasks,
+  })
+}

app/api/products/route.ts

@@ -0,0 +1,17 @@
+import { authenticateApiRequest } from '@/lib/api-auth'
+import { prisma } from '@/lib/prisma'
+
+export async function GET(request: Request) {
+  const auth = await authenticateApiRequest(request)
+  if ('error' in auth) {
+    return Response.json({ error: auth.error }, { status: auth.status })
+  }
+
+  const products = await prisma.product.findMany({
+    where: { user_id: auth.userId, archived: false },
+    orderBy: { created_at: 'desc' },
+    select: { id: true, name: true, repo_url: true },
+  })
+
+  return Response.json(products)
+}

app/api/sprints/[id]/tasks/route.ts

@@ -0,0 +1,37 @@
+import { authenticateApiRequest } from '@/lib/api-auth'
+import { prisma } from '@/lib/prisma'
+
+export async function GET(
+  request: Request,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = await authenticateApiRequest(request)
+  if ('error' in auth) {
+    return Response.json({ error: auth.error }, { status: auth.status })
+  }
+
+  const { id } = await params
+  const url = new URL(request.url)
+  const limitParam = parseInt(url.searchParams.get('limit') ?? '10')
+  const limit = Math.min(Math.max(1, limitParam), 50)
+
+  const sprint = await prisma.sprint.findFirst({
+    where: { id, product: { user_id: auth.userId } },
+  })
+  if (!sprint) {
+    return Response.json({ error: 'Sprint niet gevonden' }, { status: 404 })
+  }
+
+  const tasks = await prisma.task.findMany({
+    where: { sprint_id: id },
+    orderBy: [
+      { story: { sort_order: 'asc' } },
+      { priority: 'asc' },
+      { sort_order: 'asc' },
+    ],
+    take: limit,
+    select: { id: true, title: true, story_id: true, priority: true, sort_order: true, status: true },
+  })
+
+  return Response.json(tasks)
+}

app/api/stories/[id]/log/route.ts

@@ -0,0 +1,59 @@
+import { authenticateApiRequest } from '@/lib/api-auth'
+import { prisma } from '@/lib/prisma'
+import { z } from 'zod'
+
+const logSchema = z.discriminatedUnion('type', [
+  z.object({
+    type: z.literal('IMPLEMENTATION_PLAN'),
+    content: z.string().min(1),
+  }),
+  z.object({
+    type: z.literal('TEST_RESULT'),
+    content: z.string().min(1),
+    status: z.enum(['PASSED', 'FAILED']),
+  }),
+  z.object({
+    type: z.literal('COMMIT'),
+    content: z.string().min(1),
+    commit_hash: z.string().min(1),
+    commit_message: z.string().min(1),
+  }),
+])
+
+export async function POST(
+  request: Request,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = await authenticateApiRequest(request)
+  if ('error' in auth) {
+    return Response.json({ error: auth.error }, { status: auth.status })
+  }
+
+  const { id: storyId } = await params
+
+  const story = await prisma.story.findFirst({
+    where: { id: storyId, product: { user_id: auth.userId } },
+  })
+  if (!story) {
+    return Response.json({ error: 'Story niet gevonden' }, { status: 404 })
+  }
+
+  const body = await request.json().catch(() => null)
+  const parsed = logSchema.safeParse(body)
+  if (!parsed.success) {
+    return Response.json({ error: parsed.error.flatten() }, { status: 400 })
+  }
+
+  const log = await prisma.storyLog.create({
+    data: {
+      story_id: storyId,
+      type: parsed.data.type,
+      content: parsed.data.content,
+      status: 'status' in parsed.data ? parsed.data.status : null,
+      commit_hash: 'commit_hash' in parsed.data ? parsed.data.commit_hash : null,
+      commit_message: 'commit_message' in parsed.data ? parsed.data.commit_message : null,
+    },
+  })
+
+  return Response.json({ id: log.id, created_at: log.created_at }, { status: 201 })
+}

app/api/stories/[id]/tasks/reorder/route.ts

@@ -0,0 +1,50 @@
+import { authenticateApiRequest } from '@/lib/api-auth'
+import { prisma } from '@/lib/prisma'
+import { z } from 'zod'
+
+const bodySchema = z.object({
+  task_ids: z.array(z.string()).min(1),
+})
+
+export async function PATCH(
+  request: Request,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = await authenticateApiRequest(request)
+  if ('error' in auth) {
+    return Response.json({ error: auth.error }, { status: auth.status })
+  }
+  if (auth.isDemo) {
+    return Response.json({ error: 'Niet beschikbaar in demo-modus' }, { status: 403 })
+  }
+
+  const { id: storyId } = await params
+
+  const body = await request.json().catch(() => null)
+  const parsed = bodySchema.safeParse(body)
+  if (!parsed.success) {
+    return Response.json({ error: parsed.error.flatten() }, { status: 400 })
+  }
+
+  const story = await prisma.story.findFirst({
+    where: { id: storyId, product: { user_id: auth.userId } },
+    include: { tasks: { select: { id: true } } },
+  })
+  if (!story) {
+    return Response.json({ error: 'Story niet gevonden' }, { status: 404 })
+  }
+
+  const storyTaskIds = new Set(story.tasks.map(t => t.id))
+  const invalidId = parsed.data.task_ids.find(id => !storyTaskIds.has(id))
+  if (invalidId) {
+    return Response.json({ error: `Ongeldig task_id: ${invalidId}` }, { status: 400 })
+  }
+
+  await prisma.$transaction(
+    parsed.data.task_ids.map((id, i) =>
+      prisma.task.update({ where: { id }, data: { sort_order: i + 1.0 } })
+    )
+  )
+
+  return Response.json({ success: true })
+}

app/api/tasks/[id]/route.ts

@@ -0,0 +1,46 @@
+import { authenticateApiRequest } from '@/lib/api-auth'
+import { prisma } from '@/lib/prisma'
+import { z } from 'zod'
+
+const patchSchema = z.object({
+  status: z.enum(['TO_DO', 'IN_PROGRESS', 'DONE']),
+})
+
+export async function PATCH(
+  request: Request,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const auth = await authenticateApiRequest(request)
+  if ('error' in auth) {
+    return Response.json({ error: auth.error }, { status: auth.status })
+  }
+  if (auth.isDemo) {
+    return Response.json({ error: 'Niet beschikbaar in demo-modus' }, { status: 403 })
+  }
+
+  const { id } = await params
+
+  const task = await prisma.task.findFirst({
+    where: { id },
+    include: { story: { include: { product: true } } },
+  })
+  if (!task) {
+    return Response.json({ error: 'Taak niet gevonden' }, { status: 404 })
+  }
+  if (task.story.product.user_id !== auth.userId) {
+    return Response.json({ error: 'Geen toegang' }, { status: 403 })
+  }
+
+  const body = await request.json().catch(() => null)
+  const parsed = patchSchema.safeParse(body)
+  if (!parsed.success) {
+    return Response.json({ error: parsed.error.flatten() }, { status: 400 })
+  }
+
+  const updated = await prisma.task.update({
+    where: { id },
+    data: { status: parsed.data.status },
+  })
+
+  return Response.json({ id: updated.id, status: updated.status })
+}

app/api/todos/route.ts

@@ -0,0 +1,29 @@
+import { authenticateApiRequest } from '@/lib/api-auth'
+import { prisma } from '@/lib/prisma'
+import { z } from 'zod'
+
+const bodySchema = z.object({
+  title: z.string().min(1, 'Titel is verplicht').max(500),
+})
+
+export async function POST(request: Request) {
+  const auth = await authenticateApiRequest(request)
+  if ('error' in auth) {
+    return Response.json({ error: auth.error }, { status: auth.status })
+  }
+
+  const body = await request.json().catch(() => null)
+  const parsed = bodySchema.safeParse(body)
+  if (!parsed.success) {
+    return Response.json({ error: parsed.error.flatten() }, { status: 400 })
+  }
+
+  const todo = await prisma.todo.create({
+    data: {
+      user_id: auth.userId,
+      title: parsed.data.title,
+    },
+  })
+
+  return Response.json({ id: todo.id, title: todo.title, created_at: todo.created_at }, { status: 201 })
+}