Add review workflow, IMAP mail backend, org project routes, and CLI token refresh

- Add review/approval workflow for translations (4 states: pending, translated, reviewed, approved)
- Add ProjectReviewer and OrganizationReviewer entities
- Add ReviewWorkflowService and ReviewWorkflowController
- Add IMAP mail backend support with configurable backend selection
- Add OrgProjectsController for organization project access by slug
- Fix CLI cloud commands to auto-refresh expired JWT tokens
- Update CLI RemoteUrl to use /api/organizations/{slug}/projects/{slug} route
- Add comprehensive tests for ReviewWorkflow, TranslationMemory, and Glossary services
- Update config.sample.json and setup.sh for mail backend configuration

Author: nickprotop

Commands/Cloud/CloneCommand.cs

@@ -143,7 +143,7 @@ public override int Execute(CommandContext context, CloneCommandSettings setting
 
             // 7. Fetch and validate remote project
             using var apiClient = new CloudApiClient(remoteUrl);
-            ConfigureAuth(apiClient, cloudConfig);
+            ConfigureAuth(apiClient, cloudConfig, targetDirectory);
 
             CloudProject? remoteProject = null;
             try
@@ -339,7 +339,7 @@ private bool Authenticate(RemoteUrl remoteUrl, CloudConfig config, CloneCommandS
         }
     }
 
-    private static void ConfigureAuth(CloudApiClient apiClient, CloudConfig config)
+    private static void ConfigureAuth(CloudApiClient apiClient, CloudConfig config, string? projectDirectory = null)
     {
         if (!string.IsNullOrWhiteSpace(config.ApiKey))
         {
@@ -348,6 +348,11 @@ private static void ConfigureAuth(CloudApiClient apiClient, CloudConfig config)
         else
         {
             apiClient.SetAccessToken(config.AccessToken);
+            // Enable auto-refresh for JWT authentication
+            if (!string.IsNullOrEmpty(projectDirectory))
+            {
+                apiClient.EnableAutoRefresh(projectDirectory);
+            }
         }
     }
 
@@ -442,7 +447,7 @@ private int PullResources(string targetDirectory, RemoteUrl remoteUrl, CloudConf
             AnsiConsole.Status()
                 .Start("Fetching resources...", ctx =>
                 {
-                    pullResponse = apiClient.PullResourcesAsync(ct).GetAwaiter().GetResult();
+                    pullResponse = apiClient.PullResourcesAsync(includeUnapproved: false, ct).GetAwaiter().GetResult();
                 });
         }
         catch (CloudApiException ex)

Commands/Cloud/InitCommand.cs

@@ -134,7 +134,7 @@ private int InitInteractive(string projectDirectory, CloudConfig config, CloudIn
         }
 
         // 3. Fetch user's projects
-        var projects = FetchUserProjects(host, port, useHttps, config, cancellationToken);
+        var projects = FetchUserProjects(projectDirectory, host, port, useHttps, config, cancellationToken);
 
         // 4. Select or create project
         CloudProject? selectedProject = null;
@@ -314,7 +314,7 @@ private RemoteUrl CreateAuthRemoteUrl(string host, int port, bool useHttps)
     }
 
     private List<CloudProject> FetchUserProjects(
-        string host, int port, bool useHttps, CloudConfig config, CancellationToken cancellationToken)
+        string projectDirectory, string host, int port, bool useHttps, CloudConfig config, CancellationToken cancellationToken)
     {
         var remoteUrl = CreateAuthRemoteUrl(host, port, useHttps);
         List<CloudProject> projects = new();
@@ -331,6 +331,8 @@ private List<CloudProject> FetchUserProjects(
                 else
                 {
                     apiClient.SetAccessToken(config.AccessToken);
+                    // Enable auto-refresh for JWT authentication
+                    apiClient.EnableAutoRefresh(projectDirectory);
                 }
 
                 projects = apiClient.GetUserProjectsAsync(cancellationToken).GetAwaiter().GetResult();
@@ -481,6 +483,8 @@ private List<CloudProject> FetchUserProjects(
                 else
                 {
                     apiClient.SetAccessToken(config.AccessToken);
+                    // Enable auto-refresh for JWT authentication
+                    apiClient.EnableAutoRefresh(projectDirectory);
                 }
 
                 var request = new CreateProjectRequest

Commands/Cloud/PullCommand.cs

@@ -45,6 +45,11 @@ public class PullCommandSettings : BaseCommandSettings
     [Description("Pull only resources, skip configuration")]
     [DefaultValue(false)]
     public bool ResourcesOnly { get; set; }
+
+    [CommandOption("--include-unapproved")]
+    [Description("Include translations that haven't been approved yet (when project has review workflow enabled)")]
+    [DefaultValue(false)]
+    public bool IncludeUnapproved { get; set; }
 }
 
 /// <summary>
@@ -128,6 +133,8 @@ public override int Execute(CommandContext context, PullCommandSettings settings
             else
             {
                 apiClient.SetAccessToken(cloudConfig.AccessToken);
+                // Enable auto-refresh for JWT authentication
+                apiClient.EnableAutoRefresh(projectDirectory);
             }
 
             // Fetch remote project info and validate format compatibility
@@ -184,14 +191,21 @@ public override int Execute(CommandContext context, PullCommandSettings settings
             AnsiConsole.Status()
                 .Start("Fetching remote data...", ctx =>
                 {
-                    pullResponse = apiClient.PullResourcesAsync(cancellationToken).GetAwaiter().GetResult();
+                    pullResponse = apiClient.PullResourcesAsync(settings.IncludeUnapproved, cancellationToken).GetAwaiter().GetResult();
                 });
 
             if (pullResponse == null)
             {
                 throw new InvalidOperationException("Failed to pull resources from server");
             }
 
+            // Show workflow message if translations were excluded
+            if (!string.IsNullOrEmpty(pullResponse.WorkflowMessage))
+            {
+                AnsiConsole.MarkupLine($"[yellow]⚠ {pullResponse.WorkflowMessage.EscapeMarkup()}[/]");
+                AnsiConsole.WriteLine();
+            }
+
             // Detect conflicts and show diff
             var conflictDetector = new ConflictDetector();
             var conflicts = new List<ConflictDetector.Conflict>();

Commands/Cloud/PushCommand.cs

@@ -138,6 +138,8 @@ public override int Execute(CommandContext context, PushCommandSettings settings
             else
             {
                 apiClient.SetAccessToken(cloudConfig.AccessToken);
+                // Enable auto-refresh for JWT authentication
+                apiClient.EnableAutoRefresh(projectDirectory);
             }
 
             // Fetch remote project info and validate format compatibility

Commands/Cloud/StatusCommand.cs

@@ -104,6 +104,8 @@ private int DisplaySyncStatus(CloudConfig config, string projectDirectory, Core.
         else
         {
             apiClient.SetAccessToken(config.AccessToken);
+            // Enable auto-refresh for JWT authentication
+            apiClient.EnableAutoRefresh(projectDirectory);
         }
 
         // Fetch sync status
@@ -193,6 +195,8 @@ private int DisplayAccountStatus(CloudConfig config, string projectDirectory, Co
         else
         {
             apiClient.SetAccessToken(config.AccessToken);
+            // Enable auto-refresh for JWT authentication
+            apiClient.EnableAutoRefresh(projectDirectory);
         }
 
         // Fetch user info

LocalizationManager.Core/Cloud/CloudApiClient.cs

@@ -198,9 +198,18 @@ public async Task<PushResponse> PushResourcesAsync(
     /// <summary>
     /// Pulls files from the cloud (V2 - generates files from database).
     /// </summary>
-    public async Task<PullResponse> PullResourcesAsync(CancellationToken cancellationToken = default)
+    /// <param name="includeUnapproved">If true, include all translations regardless of workflow approval status.
+    /// If false (default), only include approved translations when project requires approval before export.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    public async Task<PullResponse> PullResourcesAsync(
+        bool includeUnapproved = false,
+        CancellationToken cancellationToken = default)
     {
         var url = $"{_remoteUrl.ProjectApiUrl}/sync/pull";
+        if (includeUnapproved)
+        {
+            url += "?includeUnapproved=true";
+        }
         var response = await GetAsync<PullResponse>(url, cancellationToken);
         return response ?? throw new CloudApiException("Failed to pull resources");
     }
@@ -277,11 +286,87 @@ public async Task<List<CloudOrganization>> GetUserOrganizationsAsync(Cancellatio
         return response ?? new List<CloudOrganization>();
     }
 
-    private Task<bool> TryRefreshTokenAsync(CancellationToken cancellationToken = default)
+    private async Task<bool> TryRefreshTokenAsync(CancellationToken cancellationToken = default)
     {
-        // Auto-refresh is currently disabled.
-        // Callers should handle token refresh externally using CloudConfigManager.
-        return Task.FromResult(false);
+        // Check if auto-refresh is enabled
+        if (string.IsNullOrEmpty(_projectDirectory))
+        {
+            return false;
+        }
+
+        try
+        {
+            // Load current cloud config to get refresh token
+            var cloudConfig = await CloudConfigManager.LoadAsync(_projectDirectory, cancellationToken);
+
+            if (string.IsNullOrWhiteSpace(cloudConfig.RefreshToken))
+            {
+                return false;
+            }
+
+            // Check if refresh token is still valid
+            if (cloudConfig.RefreshTokenExpiresAt.HasValue && cloudConfig.RefreshTokenExpiresAt.Value <= DateTime.UtcNow)
+            {
+                return false;
+            }
+
+            // Call refresh endpoint directly (bypass normal request path to avoid recursion)
+            var url = $"{_remoteUrl.ApiBaseUrl}/auth/refresh";
+            var request = new RefreshTokenRequest { RefreshToken = cloudConfig.RefreshToken };
+
+            // Remove auth header temporarily to avoid sending expired token
+            var currentAuth = _httpClient.DefaultRequestHeaders.Authorization;
+            _httpClient.DefaultRequestHeaders.Authorization = null;
+
+            try
+            {
+                var response = await _httpClient.PostAsJsonAsync(url, request, _jsonOptions, cancellationToken);
+                if (!response.IsSuccessStatusCode)
+                {
+                    return false;
+                }
+
+                var apiResponse = await response.Content.ReadFromJsonAsync<ApiResponse<LoginResponse>>(_jsonOptions, cancellationToken);
+                var loginResponse = apiResponse?.Data;
+
+                if (loginResponse == null || string.IsNullOrWhiteSpace(loginResponse.Token))
+                {
+                    return false;
+                }
+
+                // Update the access token in this client
+                SetAccessToken(loginResponse.Token);
+
+                // Save the new tokens to config
+                await CloudConfigManager.SetAuthenticationAsync(
+                    _projectDirectory,
+                    loginResponse.Token,
+                    loginResponse.ExpiresAt,
+                    loginResponse.RefreshToken,
+                    loginResponse.RefreshTokenExpiresAt,
+                    cancellationToken);
+
+                // Notify callback if registered
+                if (_onTokenRefreshed != null)
+                {
+                    await _onTokenRefreshed();
+                }
+
+                return true;
+            }
+            finally
+            {
+                // Restore auth header if refresh failed
+                if (_httpClient.DefaultRequestHeaders.Authorization == null && currentAuth != null)
+                {
+                    _httpClient.DefaultRequestHeaders.Authorization = currentAuth;
+                }
+            }
+        }
+        catch
+        {
+            return false;
+        }
     }
 
     #endregion
@@ -293,6 +378,13 @@ private Task<bool> TryRefreshTokenAsync(CancellationToken cancellationToken = de
         try
         {
             var response = await _httpClient.GetAsync(url, cancellationToken);
+
+            // Try to refresh token and retry once on 401
+            if (!response.IsSuccessStatusCode && await ShouldRetryAfterTokenRefreshAsync(response, cancellationToken))
+            {
+                response = await _httpClient.GetAsync(url, cancellationToken);
+            }
+
             await EnsureSuccessAsync(response, cancellationToken);
             var apiResponse = await response.Content.ReadFromJsonAsync<ApiResponse<T>>(_jsonOptions, cancellationToken);
             return apiResponse != null ? apiResponse.Data : default;
@@ -308,6 +400,13 @@ private Task<bool> TryRefreshTokenAsync(CancellationToken cancellationToken = de
         try
         {
             var response = await _httpClient.PostAsJsonAsync(url, request, _jsonOptions, cancellationToken);
+
+            // Try to refresh token and retry once on 401
+            if (!response.IsSuccessStatusCode && await ShouldRetryAfterTokenRefreshAsync(response, cancellationToken))
+            {
+                response = await _httpClient.PostAsJsonAsync(url, request, _jsonOptions, cancellationToken);
+            }
+
             await EnsureSuccessAsync(response, cancellationToken);
             var apiResponse = await response.Content.ReadFromJsonAsync<ApiResponse<T>>(_jsonOptions, cancellationToken);
             return apiResponse != null ? apiResponse.Data : default;
@@ -323,6 +422,13 @@ private Task<bool> TryRefreshTokenAsync(CancellationToken cancellationToken = de
         try
         {
             var response = await _httpClient.PutAsJsonAsync(url, request, _jsonOptions, cancellationToken);
+
+            // Try to refresh token and retry once on 401
+            if (!response.IsSuccessStatusCode && await ShouldRetryAfterTokenRefreshAsync(response, cancellationToken))
+            {
+                response = await _httpClient.PutAsJsonAsync(url, request, _jsonOptions, cancellationToken);
+            }
+
             await EnsureSuccessAsync(response, cancellationToken);
             var apiResponse = await response.Content.ReadFromJsonAsync<ApiResponse<T>>(_jsonOptions, cancellationToken);
             return apiResponse != null ? apiResponse.Data : default;
@@ -333,23 +439,25 @@ private Task<bool> TryRefreshTokenAsync(CancellationToken cancellationToken = de
         }
     }
 
+    /// <summary>
+    /// Checks if a 401 response can be retried after token refresh.
+    /// Returns true if the token was refreshed and the request should be retried.
+    /// </summary>
+    private async Task<bool> ShouldRetryAfterTokenRefreshAsync(HttpResponseMessage response, CancellationToken cancellationToken)
+    {
+        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized
+            && !IsUsingApiKey  // Don't refresh for API key auth
+            && !string.IsNullOrEmpty(_projectDirectory))
+        {
+            return await TryRefreshTokenAsync(cancellationToken);
+        }
+        return false;
+    }
+
     private async Task EnsureSuccessAsync(HttpResponseMessage response, CancellationToken cancellationToken = default)
     {
         if (!response.IsSuccessStatusCode)
         {
-            // If 401 and using JWT (not API key) with auto-refresh enabled, try to refresh token
-            if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized
-                && !IsUsingApiKey  // Don't refresh for API key auth
-                && !string.IsNullOrEmpty(_projectDirectory))
-            {
-                var refreshed = await TryRefreshTokenAsync(cancellationToken);
-                if (refreshed)
-                {
-                    // Token refreshed - throw special exception so caller can retry
-                    throw new CloudApiException("Token expired and refreshed", 401);
-                }
-            }
-
             var errorContent = await response.Content.ReadAsStringAsync();
             var statusCode = (int)response.StatusCode;
 
@@ -507,6 +615,18 @@ public class PullResponse
 {
     public string? Configuration { get; set; }
     public List<FileDto> Files { get; set; } = new();
+
+    /// <summary>
+    /// Number of translations excluded due to workflow requirements.
+    /// Only populated when project has review workflow enabled.
+    /// </summary>
+    public int ExcludedTranslationCount { get; set; }
+
+    /// <summary>
+    /// Informational message about excluded translations due to workflow.
+    /// Null if no translations were excluded.
+    /// </summary>
+    public string? WorkflowMessage { get; set; }
 }
 
 /// <summary>

LocalizationManager.Core/Cloud/RemoteUrl.cs

@@ -59,7 +59,7 @@ public string ProjectApiUrl
             if (IsPersonalProject)
                 return $"{ApiBaseUrl}/users/{Username}/projects/{ProjectName}";
             else
-                return $"{ApiBaseUrl}/projects/{Organization}/{ProjectName}";
+                return $"{ApiBaseUrl}/organizations/{Organization}/projects/{ProjectName}";
         }
     }
 

cloud/deploy/config.sample.json

@@ -28,13 +28,24 @@
     "jwtExpiryHours": 24
   },
   "mail": {
+    "backend": "smtp",
     "host": "smtp.example.com",
     "port": 587,
     "username": "YOUR_SMTP_USERNAME",
     "password": "YOUR_SMTP_PASSWORD",
     "fromAddress": "noreply@your-domain.com",
     "fromName": "LRM Cloud",
-    "useSsl": true
+    "useSsl": true,
+    "imap": {
+      "host": "imap.example.com",
+      "port": 993,
+      "useSsl": true,
+      "smtpHost": "smtp.example.com",
+      "smtpPort": 587,
+      "smtpUseSsl": false,
+      "sentFolder": "Sent",
+      "saveToSent": true
+    }
   },
   "features": {
     "registration": true,