fix: policy version API content bug + published version protection (#2130)

* fix(api): fix policy version content stored as empty arrays via API

class-transformer with enableImplicitConversion was converting TipTap node
objects to empty arrays when processing content: unknown[] DTO fields.
Added @Transform decorator to preserve raw values.

Also:
- Block content updates on published policies via PATCH /policies/:id
- Align updateVersionContent guard with UI (only block current version when published)
- Sync content to current version when updating via PATCH /policies/:id
- Add GET /policies/:id/versions/:versionId endpoint
- Add Swagger docs for new endpoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(app): allow PDF upload/delete on draft policy versions and fix false success toast

The upload and delete PDF guards blocked all operations on the current version
regardless of policy status. Now only blocks when policy is actually published
(matching the pattern used everywhere else).

Also fixed PdfViewer onSuccess handlers to check result.data.success before
showing the success toast — previously showed "PDF uploaded successfully"
even when the server action returned { success: false }.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api,app): protect current version during needs_review status and fix stale pointer

Change version mutation guards from `status === 'published'` to `status !== 'draft'`
so that the current version is also protected when the policy is in needs_review state.
Fix stale currentVersionId in updateById by reading it inside the transaction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api): move status guard inside transaction to prevent concurrent publish bypass

The draft-only content guard was reading policy status before the
transaction, allowing a concurrent publish to bypass the check. Now
the existence check and status guard both run inside the transaction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

apps/api/src/policies/dto/ai-suggest-policy.dto.ts

@@ -1,4 +1,5 @@
 import { ApiProperty } from '@nestjs/swagger';
+import { Transform } from 'class-transformer';
 import { IsString, IsOptional, IsArray } from 'class-validator';
 
 export class AISuggestPolicyRequestDto {
@@ -29,5 +30,6 @@ export class AISuggestPolicyRequestDto {
   })
   @IsOptional()
   @IsArray()
+  @Transform(({ value }) => value)
   chatHistory?: Array<{ role: 'user' | 'assistant'; content: string }>;
 }

apps/api/src/policies/dto/create-policy.dto.ts

@@ -1,4 +1,5 @@
 import { ApiProperty } from '@nestjs/swagger';
+import { Transform } from 'class-transformer';
 import {
   IsString,
   IsOptional,
@@ -81,6 +82,7 @@ export class CreatePolicyDto {
     items: { type: 'object', additionalProperties: true },
   })
   @IsArray()
+  @Transform(({ value }) => value)
   content: unknown[];
 
   @ApiProperty({

apps/api/src/policies/dto/version.dto.ts

@@ -1,4 +1,5 @@
 import { ApiProperty } from '@nestjs/swagger';
+import { Transform } from 'class-transformer';
 import { IsArray, IsBoolean, IsOptional, IsString } from 'class-validator';
 
 export class CreateVersionDto {
@@ -36,6 +37,7 @@ export class UpdateVersionContentDto {
     items: { type: 'object', additionalProperties: true },
   })
   @IsArray()
+  @Transform(({ value }) => value)
   content: unknown[];
 }
 

apps/api/src/policies/policies.controller.ts

@@ -52,6 +52,7 @@ import { VERSION_BODIES } from './schemas/version-bodies';
 import {
   CREATE_POLICY_VERSION_RESPONSES,
   DELETE_VERSION_RESPONSES,
+  GET_POLICY_VERSION_BY_ID_RESPONSES,
   GET_POLICY_VERSIONS_RESPONSES,
   PUBLISH_VERSION_RESPONSES,
   SET_ACTIVE_VERSION_RESPONSES,
@@ -265,6 +266,37 @@ export class PoliciesController {
     };
   }
 
+  @Get(':id/versions/:versionId')
+  @ApiOperation(VERSION_OPERATIONS.getPolicyVersionById)
+  @ApiParam(VERSION_PARAMS.policyId)
+  @ApiParam(VERSION_PARAMS.versionId)
+  @ApiResponse(GET_POLICY_VERSION_BY_ID_RESPONSES[200])
+  @ApiResponse(GET_POLICY_VERSION_BY_ID_RESPONSES[401])
+  @ApiResponse(GET_POLICY_VERSION_BY_ID_RESPONSES[404])
+  async getPolicyVersionById(
+    @Param('id') id: string,
+    @Param('versionId') versionId: string,
+    @OrganizationId() organizationId: string,
+    @AuthContext() authContext: AuthContextType,
+  ) {
+    const data = await this.policiesService.getVersionById(
+      id,
+      versionId,
+      organizationId,
+    );
+
+    return {
+      data,
+      authType: authContext.authType,
+      ...(authContext.userId && {
+        authenticatedUser: {
+          id: authContext.userId,
+          email: authContext.userEmail,
+        },
+      }),
+    };
+  }
+
   @Post(':id/versions')
   @ApiOperation(VERSION_OPERATIONS.createPolicyVersion)
   @ApiParam(VERSION_PARAMS.policyId)

apps/api/src/policies/policies.service.ts

@@ -222,19 +222,6 @@ export class PoliciesService {
     updateData: UpdatePolicyDto,
   ) {
     try {
-      // First check if the policy exists and belongs to the organization
-      const existingPolicy = await db.policy.findFirst({
-        where: {
-          id,
-          organizationId,
-        },
-        select: { id: true, name: true },
-      });
-
-      if (!existingPolicy) {
-        throw new NotFoundException(`Policy with ID ${id} not found`);
-      }
-
       // Prepare update data with special handling for status changes
       const updatePayload: Record<string, unknown> = { ...updateData };
 
@@ -249,35 +236,70 @@ export class PoliciesService {
       }
 
       // Coerce content to Prisma JSON[] input if provided
-      if (Array.isArray(updateData.content)) {
-        updatePayload.content = updateData.content as Prisma.InputJsonValue[];
+      const contentValue = Array.isArray(updateData.content)
+        ? (updateData.content as Prisma.InputJsonValue[])
+        : null;
+
+      if (contentValue) {
+        updatePayload.content = contentValue;
       }
 
-      // Update the policy
-      const updatedPolicy = await db.policy.update({
-        where: { id },
-        data: updatePayload,
-        select: {
-          id: true,
-          name: true,
-          description: true,
-          status: true,
-          content: true,
-          frequency: true,
-          department: true,
-          isRequiredToSign: true,
-          signedBy: true,
-          reviewDate: true,
-          isArchived: true,
-          createdAt: true,
-          updatedAt: true,
-          lastArchivedAt: true,
-          lastPublishedAt: true,
-          organizationId: true,
-          assigneeId: true,
-          approverId: true,
-          policyTemplateId: true,
-        },
+      // All reads and writes in one transaction to prevent concurrent publish bypass
+      const updatedPolicy = await db.$transaction(async (tx) => {
+        // Check existence and status inside the transaction
+        const existingPolicy = await tx.policy.findFirst({
+          where: { id, organizationId },
+          select: { id: true, status: true },
+        });
+
+        if (!existingPolicy) {
+          throw new NotFoundException(`Policy with ID ${id} not found`);
+        }
+
+        // Cannot update content unless policy is in draft status
+        // This covers both 'published' and 'needs_review' states
+        if (contentValue && existingPolicy.status !== 'draft') {
+          throw new BadRequestException(
+            'Cannot update content of a published policy. Create a new version to make changes.',
+          );
+        }
+
+        const policy = await tx.policy.update({
+          where: { id },
+          data: updatePayload,
+          select: {
+            id: true,
+            name: true,
+            description: true,
+            status: true,
+            content: true,
+            frequency: true,
+            department: true,
+            isRequiredToSign: true,
+            signedBy: true,
+            reviewDate: true,
+            isArchived: true,
+            createdAt: true,
+            updatedAt: true,
+            lastArchivedAt: true,
+            lastPublishedAt: true,
+            organizationId: true,
+            assigneeId: true,
+            approverId: true,
+            policyTemplateId: true,
+            currentVersionId: true,
+          },
+        });
+
+        // Keep current version content in sync with policy content
+        if (contentValue && policy.currentVersionId) {
+          await tx.policyVersion.update({
+            where: { id: policy.currentVersionId },
+            data: { content: contentValue },
+          });
+        }
+
+        return policy;
       });
 
       this.logger.log(`Updated policy: ${updatedPolicy.name} (${id})`);
@@ -361,6 +383,48 @@ export class PoliciesService {
     }
   }
 
+  async getVersionById(
+    policyId: string,
+    versionId: string,
+    organizationId: string,
+  ) {
+    const policy = await db.policy.findFirst({
+      where: { id: policyId, organizationId },
+      select: { id: true, currentVersionId: true, pendingVersionId: true },
+    });
+
+    if (!policy) {
+      throw new NotFoundException(`Policy with ID ${policyId} not found`);
+    }
+
+    const version = await db.policyVersion.findUnique({
+      where: { id: versionId },
+      include: {
+        publishedBy: {
+          include: {
+            user: {
+              select: {
+                id: true,
+                name: true,
+                image: true,
+              },
+            },
+          },
+        },
+      },
+    });
+
+    if (!version || version.policyId !== policyId) {
+      throw new NotFoundException('Version not found');
+    }
+
+    return {
+      version,
+      currentVersionId: policy.currentVersionId,
+      pendingVersionId: policy.pendingVersionId,
+    };
+  }
+
   async getVersions(policyId: string, organizationId: string) {
     const policy = await db.policy.findFirst({
       where: { id: policyId, organizationId },
@@ -530,6 +594,7 @@ export class PoliciesService {
           select: {
             id: true,
             organizationId: true,
+            status: true,
             currentVersionId: true,
             pendingVersionId: true,
           },
@@ -545,7 +610,12 @@ export class PoliciesService {
       throw new NotFoundException('Version not found');
     }
 
-    if (version.id === version.policy.currentVersionId) {
+    // Cannot edit the current version unless the policy is in draft status
+    // This covers both 'published' and 'needs_review' states
+    if (
+      version.id === version.policy.currentVersionId &&
+      version.policy.status !== 'draft'
+    ) {
       throw new BadRequestException(
         'Cannot edit the published version. Create a new version to make changes.',
       );

apps/api/src/policies/schemas/version-operations.ts

@@ -6,6 +6,11 @@ export const VERSION_OPERATIONS: Record<string, ApiOperationOptions> = {
     description:
       'Returns all versions for a policy in descending order. Supports both API key authentication and session authentication.',
   },
+  getPolicyVersionById: {
+    summary: 'Get policy version by ID',
+    description:
+      'Returns a single policy version by its ID, including content and metadata.',
+  },
   createPolicyVersion: {
     summary: 'Create policy version',
     description:

apps/api/src/policies/schemas/version-responses.ts

@@ -43,6 +43,30 @@ const BAD_REQUEST_RESPONSE: ApiResponseOptions = {
   },
 };
 
+export const GET_POLICY_VERSION_BY_ID_RESPONSES: Record<
+  string,
+  ApiResponseOptions
+> = {
+  200: {
+    status: 200,
+    description: 'Policy version retrieved successfully',
+    content: {
+      'application/json': {
+        schema: {
+          type: 'object',
+          properties: {
+            version: { type: 'object' },
+            currentVersionId: { type: 'string', nullable: true },
+            pendingVersionId: { type: 'string', nullable: true },
+          },
+        },
+      },
+    },
+  },
+  401: UNAUTHORIZED_RESPONSE,
+  404: NOT_FOUND_RESPONSE,
+};
+
 export const GET_POLICY_VERSIONS_RESPONSES: Record<string, ApiResponseOptions> =
   {
     200: {

apps/app/src/actions/policies/update-version-content.ts

@@ -105,8 +105,9 @@ export const updateVersionContentAction = authActionClient
       return { success: false, error: 'Version does not belong to this policy' };
     }
 
-    // Cannot edit published version (only if the policy is actually published)
-    if (version.id === version.policy.currentVersionId && version.policy.status === PolicyStatus.published) {
+    // Cannot edit the current version unless the policy is in draft status
+    // This covers both 'published' and 'needs_review' states
+    if (version.id === version.policy.currentVersionId && version.policy.status !== PolicyStatus.draft) {
       return {
         success: false,
         error: 'Cannot edit the published version. Create a new version to make changes.',

apps/app/src/app/(app)/[orgId]/policies/[policyId]/actions/delete-policy-pdf.ts

@@ -34,8 +34,9 @@ export const deletePolicyPdfAction = authActionClient
       // Verify policy belongs to organization
       const policy = await db.policy.findUnique({
         where: { id: policyId, organizationId },
-        select: { 
-          id: true, 
+        select: {
+          id: true,
+          status: true,
           pdfUrl: true,
           currentVersionId: true,
           pendingVersionId: true,
@@ -59,8 +60,9 @@ export const deletePolicyPdfAction = authActionClient
           return { success: false, error: 'Version not found' };
         }
 
-        // Don't allow deleting PDF from published or pending versions
-        if (version.id === policy.currentVersionId) {
+        // Don't allow deleting PDF from the current version unless policy is in draft
+        // This covers both 'published' and 'needs_review' states
+        if (version.id === policy.currentVersionId && policy.status !== 'draft') {
           return { success: false, error: 'Cannot delete PDF from the published version' };
         }
         if (version.id === policy.pendingVersionId) {

apps/app/src/app/(app)/[orgId]/policies/[policyId]/actions/upload-policy-pdf.ts

@@ -41,8 +41,9 @@ export const uploadPolicyPdfAction = authActionClient
       // Verify policy belongs to organization
       const policy = await db.policy.findUnique({
         where: { id: policyId, organizationId },
-        select: { 
-          id: true, 
+        select: {
+          id: true,
+          status: true,
           pdfUrl: true,
           currentVersionId: true,
           pendingVersionId: true,
@@ -66,8 +67,9 @@ export const uploadPolicyPdfAction = authActionClient
           return { success: false, error: 'Version not found' };
         }
 
-        // Don't allow uploading PDF to published or pending versions
-        if (version.id === policy.currentVersionId) {
+        // Don't allow uploading PDF to the current version unless policy is in draft
+        // This covers both 'published' and 'needs_review' states
+        if (version.id === policy.currentVersionId && policy.status !== 'draft') {
           return { success: false, error: 'Cannot upload PDF to the published version' };
         }
         if (version.id === policy.pendingVersionId) {