feat: Issue Voting & Prioritization (v0.4.0) (#129)

* feat(#126): add Votes+VotedBy to Issue model; VoteIssueCommand/UnvoteIssueCommand

- Issue.cs: add Votes (int) and VotedBy (List<string>) properties
- IssueConfiguration.cs: configure Votes and VotedBy for MongoDB EF Core
- IssueDto.cs: add Votes and VotedBy positional parameters; update constructors and Empty
- IssueMapper.cs: map Votes and VotedBy in ToDto() and ToModel()
- VoteIssueCommand.cs: sealed handler with duplicate-vote guard; proper error code propagation
- UnvoteIssueCommand.cs: sealed handler with not-voted guard; proper error code propagation
- VoteIssueCommandValidator.cs: FluentValidation for both vote commands
- Tests: 12 new handler tests; fix all IssueDto positional constructions across test projects

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(#127): VotingService + vote API endpoints + SignalR broadcast

- IVotingService.cs / VotingService.cs: scoped service wrapping VoteIssueCommand/
  UnvoteIssueCommand via MediatR; extracts current user from IHttpContextAccessor
- VoteEndpoints.cs: POST/DELETE /api/issues/{id}/vote; RequireAuthorization(UserPolicy);
  proper 400/404/500 mapping; broadcasts IssueVoted via SignalR hub context
- Program.cs: register IHttpContextAccessor, IVotingService/VotingService scoped,
  add app.MapVoteEndpoints()
- SignalRClientService.cs: add OnIssueVoted event + IssueVoted hub handler registration
- BunitTestBase.cs: register IVotingService mock for component tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(#128): vote badge + Top Voted sort/filter on issues list UI

- Index.razor: vote badge (▲ N) on issue cards; Top Voted quick-filter button that
  shows issues with Votes > 0 sorted by votes desc (client-side, no backend change);
  subscribes to OnIssueVoted SignalR event to auto-reload vote counts
- Details.razor: inject IVotingService; show ▲ Vote / ▼ Unvote button for
  authenticated non-admin non-author users on non-archived issues; disabled while
  voting; optimistic local state update on success; subscribe to OnIssueVoted for
  real-time vote sync from other users

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: sanitize user-provided values in VotingService log statements (CodeQL CWE-117)

Replace newline characters in userId and issueId before logging to prevent
log injection attacks flagged by CodeQL as high-severity security alerts.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: mpaulosky

src/Domain/DTOs/IssueDto.cs

@@ -27,7 +27,9 @@ public record IssueDto(
 	UserDto ArchivedBy,
 	bool ApprovedForRelease,
 	bool Rejected,
-	UserDto Assignee)
+	UserDto Assignee,
+	int Votes,
+	IReadOnlyList<string> VotedBy)
 {
 	/// <summary>
 	///   Initializes a new instance of the <see cref="IssueDto" /> record.
@@ -46,7 +48,9 @@ public IssueDto(Issue issue) : this(
 		UserMapper.ToDto(issue.ArchivedBy),
 		issue.ApprovedForRelease,
 		issue.Rejected,
-		UserMapper.ToDto(issue.Assignee))
+		UserMapper.ToDto(issue.Assignee),
+		issue.Votes,
+		issue.VotedBy)
 	{
 	}
 
@@ -63,5 +67,7 @@ public IssueDto(Issue issue) : this(
 		UserDto.Empty,
 		false,
 		false,
-		UserDto.Empty);
+		UserDto.Empty,
+		0,
+		[]);
 }

src/Domain/Features/Issues/Commands/UnvoteIssueCommand.cs

@@ -0,0 +1,70 @@
+// Copyright (c) 2026. All rights reserved.
+
+using Domain.Abstractions;
+
+namespace Domain.Features.Issues.Commands;
+
+/// <summary>
+///   Command to remove a vote from an issue.
+/// </summary>
+public record UnvoteIssueCommand(
+	string IssueId,
+	string UserId) : IRequest<Result<IssueDto>>;
+
+/// <summary>
+///   Handler for removing a vote from an issue.
+/// </summary>
+public sealed class UnvoteIssueCommandHandler : IRequestHandler<UnvoteIssueCommand, Result<IssueDto>>
+{
+	private readonly IRepository<Issue> _repository;
+	private readonly ILogger<UnvoteIssueCommandHandler> _logger;
+
+	public UnvoteIssueCommandHandler(
+		IRepository<Issue> repository,
+		ILogger<UnvoteIssueCommandHandler> logger)
+	{
+		_repository = repository;
+		_logger = logger;
+	}
+
+	public async Task<Result<IssueDto>> Handle(UnvoteIssueCommand request, CancellationToken cancellationToken)
+	{
+		_logger.LogInformation("User {UserId} removing vote from issue {IssueId}", request.UserId, request.IssueId);
+
+		var existingResult = await _repository.GetByIdAsync(request.IssueId, cancellationToken);
+
+		if (existingResult.Failure)
+		{
+			_logger.LogWarning("Issue not found with ID: {IssueId}", request.IssueId);
+			return Result.Fail<IssueDto>(existingResult.Error ?? "Issue not found", existingResult.ErrorCode);
+		}
+
+		if (existingResult.Value is null)
+		{
+			return Result.Fail<IssueDto>("Issue not found", ResultErrorCode.NotFound);
+		}
+
+		var issue = existingResult.Value;
+
+		if (!issue.VotedBy.Contains(request.UserId))
+		{
+			_logger.LogWarning("User {UserId} has not voted on issue {IssueId}", request.UserId, request.IssueId);
+			return Result.Fail<IssueDto>("Not voted", ResultErrorCode.Validation);
+		}
+
+		issue.VotedBy.Remove(request.UserId);
+		issue.Votes = issue.VotedBy.Count;
+		issue.DateModified = DateTime.UtcNow;
+
+		var result = await _repository.UpdateAsync(issue, cancellationToken);
+
+		if (result.Failure)
+		{
+			_logger.LogError("Failed to remove vote from issue {IssueId}: {Error}", request.IssueId, result.Error);
+			return Result.Fail<IssueDto>(result.Error ?? "Failed to remove vote", result.ErrorCode);
+		}
+
+		_logger.LogInformation("User {UserId} successfully removed vote from issue {IssueId}", request.UserId, request.IssueId);
+		return Result.Ok(new IssueDto(result.Value!));
+	}
+}

src/Domain/Features/Issues/Commands/VoteIssueCommand.cs

@@ -0,0 +1,70 @@
+// Copyright (c) 2026. All rights reserved.
+
+using Domain.Abstractions;
+
+namespace Domain.Features.Issues.Commands;
+
+/// <summary>
+///   Command to cast a vote on an issue.
+/// </summary>
+public record VoteIssueCommand(
+	string IssueId,
+	string UserId) : IRequest<Result<IssueDto>>;
+
+/// <summary>
+///   Handler for casting a vote on an issue.
+/// </summary>
+public sealed class VoteIssueCommandHandler : IRequestHandler<VoteIssueCommand, Result<IssueDto>>
+{
+	private readonly IRepository<Issue> _repository;
+	private readonly ILogger<VoteIssueCommandHandler> _logger;
+
+	public VoteIssueCommandHandler(
+		IRepository<Issue> repository,
+		ILogger<VoteIssueCommandHandler> logger)
+	{
+		_repository = repository;
+		_logger = logger;
+	}
+
+	public async Task<Result<IssueDto>> Handle(VoteIssueCommand request, CancellationToken cancellationToken)
+	{
+		_logger.LogInformation("User {UserId} voting on issue {IssueId}", request.UserId, request.IssueId);
+
+		var existingResult = await _repository.GetByIdAsync(request.IssueId, cancellationToken);
+
+		if (existingResult.Failure)
+		{
+			_logger.LogWarning("Issue not found with ID: {IssueId}", request.IssueId);
+			return Result.Fail<IssueDto>(existingResult.Error ?? "Issue not found", existingResult.ErrorCode);
+		}
+
+		if (existingResult.Value is null)
+		{
+			return Result.Fail<IssueDto>("Issue not found", ResultErrorCode.NotFound);
+		}
+
+		var issue = existingResult.Value;
+
+		if (issue.VotedBy.Contains(request.UserId))
+		{
+			_logger.LogWarning("User {UserId} has already voted on issue {IssueId}", request.UserId, request.IssueId);
+			return Result.Fail<IssueDto>("Already voted", ResultErrorCode.Validation);
+		}
+
+		issue.VotedBy.Add(request.UserId);
+		issue.Votes = issue.VotedBy.Count;
+		issue.DateModified = DateTime.UtcNow;
+
+		var result = await _repository.UpdateAsync(issue, cancellationToken);
+
+		if (result.Failure)
+		{
+			_logger.LogError("Failed to save vote on issue {IssueId}: {Error}", request.IssueId, result.Error);
+			return Result.Fail<IssueDto>(result.Error ?? "Failed to save vote", result.ErrorCode);
+		}
+
+		_logger.LogInformation("User {UserId} successfully voted on issue {IssueId}", request.UserId, request.IssueId);
+		return Result.Ok(new IssueDto(result.Value!));
+	}
+}

src/Domain/Features/Issues/Validators/VoteIssueCommandValidator.cs

@@ -0,0 +1,43 @@
+// Copyright (c) 2026. All rights reserved.
+
+using Domain.Features.Issues.Commands;
+
+namespace Domain.Features.Issues.Validators;
+
+/// <summary>
+///   Validator for VoteIssueCommand.
+/// </summary>
+public sealed class VoteIssueCommandValidator : AbstractValidator<VoteIssueCommand>
+{
+	public VoteIssueCommandValidator()
+	{
+		RuleFor(x => x.IssueId)
+			.NotEmpty()
+			.WithMessage("Issue ID is required");
+
+		RuleFor(x => x.UserId)
+			.NotEmpty()
+			.WithMessage("User ID is required")
+			.Must(id => !string.IsNullOrWhiteSpace(id))
+			.WithMessage("User ID must not be whitespace");
+	}
+}
+
+/// <summary>
+///   Validator for UnvoteIssueCommand.
+/// </summary>
+public sealed class UnvoteIssueCommandValidator : AbstractValidator<UnvoteIssueCommand>
+{
+	public UnvoteIssueCommandValidator()
+	{
+		RuleFor(x => x.IssueId)
+			.NotEmpty()
+			.WithMessage("Issue ID is required");
+
+		RuleFor(x => x.UserId)
+			.NotEmpty()
+			.WithMessage("User ID is required")
+			.Must(id => !string.IsNullOrWhiteSpace(id))
+			.WithMessage("User ID must not be whitespace");
+	}
+}

src/Domain/Mappers/IssueMapper.cs

@@ -37,7 +37,9 @@ public static IssueDto ToDto(Issue? issue)
 			UserMapper.ToDto(issue.ArchivedBy),
 			issue.ApprovedForRelease,
 			issue.Rejected,
-			UserMapper.ToDto(issue.Assignee));
+			UserMapper.ToDto(issue.Assignee),
+			issue.Votes,
+			issue.VotedBy);
 	}
 
 	/// <summary>
@@ -62,7 +64,9 @@ public static Issue ToModel(IssueDto? dto)
 			Archived = dto.Archived,
 			ArchivedBy = UserMapper.ToInfo(dto.ArchivedBy),
 			ApprovedForRelease = dto.ApprovedForRelease,
-			Rejected = dto.Rejected
+			Rejected = dto.Rejected,
+			Votes = dto.Votes,
+			VotedBy = [..dto.VotedBy]
 		};
 	}
 

src/Domain/Models/Issue.cs

@@ -119,4 +119,20 @@ public class Issue
 	///   <c>true</c> if rejected; otherwise, <c>false</c>.
 	/// </value>
 	public bool Rejected { get; set; }
+
+	/// <summary>
+	///   Gets or sets the number of votes this issue has received.
+	/// </summary>
+	/// <value>
+	///   The vote count.
+	/// </value>
+	public int Votes { get; set; } = 0;
+
+	/// <summary>
+	///   Gets or sets the list of user IDs that have voted for this issue.
+	/// </summary>
+	/// <value>
+	///   The collection of voter user IDs.
+	/// </value>
+	public List<string> VotedBy { get; set; } = [];
 }

src/Persistence.MongoDb/Configurations/IssueConfiguration.cs

@@ -68,5 +68,8 @@ public void Configure(EntityTypeBuilder<Issue> builder)
 			// archival metadata belongs on the Status entity, not its embedded reference
 			s.Ignore(st => st.ArchivedBy);
 		});
+
+		builder.Property(i => i.Votes);
+		builder.Property(i => i.VotedBy);
 	}
 }