Add API extensions and Canny adapter for API-to-API imports

Extend the REST API to support all operations needed for importing
data without direct database access, and add a complete Canny import
pipeline that works purely via HTTP.

API extensions:
- Add createdAt to post, comment, and vote write endpoints (admin-only)
- Add X-Import-Mode header: suppresses webhooks/Slack/AI side effects
  and raises rate limit to 2000 req/min (admin-only)
- Add POST /api/v1/posts/:postId/notes for internal notes
- Add POST /api/v1/posts/:postId/merge for merge relationships
- Add linkedPostIds to POST /api/v1/changelog

Canny adapter:
- Fix vote.author -> vote.voter field mapping (was silently dropping
  all votes)
- Add QuackbackClient with auth, import mode, retry, rate awareness
- Add API-based import orchestrator (users, posts, comments, votes,
  merges, changelogs)
- Add --quackback-url and --quackback-key CLI flags for API mode
- Topological sort for comment threading (parents before children)

Also adds core importer support for changelogs, notes, and merged
post relationships via direct DB mode.

Author: mortondev

apps/web/src/lib/server/domains/api/__tests__/auth.test.ts

@@ -94,6 +94,7 @@ describe('API Auth', () => {
         apiKey: mockApiKey,
         principalId: mockApiKey.principalId,
         role: 'admin',
+        importMode: false,
       })
     })
 
@@ -163,6 +164,7 @@ describe('API Auth', () => {
         apiKey: mockApiKey,
         principalId: mockApiKey.principalId,
         role: 'admin',
+        importMode: false,
       })
     })
 

apps/web/src/lib/server/domains/api/auth.ts

@@ -21,6 +21,8 @@ export interface ApiAuthContext {
   principalId: PrincipalId
   /** The role of the member who created the key */
   role: MemberRole
+  /** Whether the request is in import mode (suppresses side effects, raises rate limit) */
+  importMode: boolean
 }
 
 /**
@@ -70,6 +72,7 @@ export async function requireApiKey(request: Request): Promise<ApiAuthContext |
     apiKey,
     principalId: apiKey.principalId,
     role,
+    importMode: false,
   }
 }
 
@@ -91,9 +94,10 @@ export async function withApiKeyAuth(
   request: Request,
   options: { role: AuthLevel }
 ): Promise<ApiAuthContext | Response> {
-  // Check rate limit before processing
+  // Check rate limit before processing (import mode gets higher limit)
   const clientIp = getClientIp(request)
-  const rateLimit = checkRateLimit(clientIp)
+  const wantsImportMode = request.headers.get('x-import-mode') === 'true'
+  const rateLimit = checkRateLimit(clientIp, wantsImportMode)
 
   if (!rateLimit.allowed) {
     return rateLimitedResponse(rateLimit.retryAfter ?? 60)
@@ -116,5 +120,10 @@ export async function withApiKeyAuth(
     return forbiddenResponse('Team member access required for this operation')
   }
 
+  // Import mode requires admin role
+  if (wantsImportMode && isAdmin(auth.role)) {
+    auth.importMode = true
+  }
+
   return auth
 }

apps/web/src/lib/server/domains/api/rate-limit.ts

@@ -19,6 +19,7 @@ const rateLimitStore = new Map<string, RateLimitEntry>()
 // Configuration
 const WINDOW_MS = 60_000 // 1 minute
 const MAX_REQUESTS = 100 // 100 requests per minute per IP
+const MAX_REQUESTS_IMPORT = 2000 // 2000 requests per minute per IP in import mode
 const MAX_STORE_SIZE = 50_000 // Cap store size to prevent memory exhaustion
 const CLEANUP_INTERVAL_MS = 60_000 // Cleanup every minute
 
@@ -45,14 +46,19 @@ startCleanup()
  * Check if a request is rate limited.
  *
  * @param ip - The client IP address
+ * @param importMode - Whether the request is in import mode (higher limit)
  * @returns Object with allowed flag and remaining requests
  */
-export function checkRateLimit(ip: string): {
+export function checkRateLimit(
+  ip: string,
+  importMode?: boolean
+): {
   allowed: boolean
   remaining: number
   retryAfter?: number
 } {
   const now = Date.now()
+  const maxRequests = importMode ? MAX_REQUESTS_IMPORT : MAX_REQUESTS
   const entry = rateLimitStore.get(ip)
 
   // New IP or window expired - reset
@@ -62,18 +68,18 @@ export function checkRateLimit(ip: string): {
       return { allowed: false, remaining: 0, retryAfter: 60 }
     }
     rateLimitStore.set(ip, { count: 1, windowStart: now })
-    return { allowed: true, remaining: MAX_REQUESTS - 1 }
+    return { allowed: true, remaining: maxRequests - 1 }
   }
 
   // Within window - increment and check
   entry.count++
 
-  if (entry.count > MAX_REQUESTS) {
+  if (entry.count > maxRequests) {
     const retryAfter = Math.ceil((entry.windowStart + WINDOW_MS - now) / 1000)
     return { allowed: false, remaining: 0, retryAfter }
   }
 
-  return { allowed: true, remaining: MAX_REQUESTS - entry.count }
+  return { allowed: true, remaining: maxRequests - entry.count }
 }
 
 /**

apps/web/src/lib/server/domains/comments/comment.service.ts

@@ -102,7 +102,8 @@ export async function createComment(
     email?: string
     displayName?: string
     role: 'admin' | 'member' | 'user'
-  }
+  },
+  options?: { skipDispatch?: boolean }
 ): Promise<CreateCommentResult> {
   console.log(
     `[domain:comments] createComment: postId=${input.postId}, parentId=${input.parentId ?? 'none'}`
@@ -203,6 +204,7 @@ export async function createComment(
           isPrivate,
           statusChangeFromId: prevStatus?.id ?? null,
           statusChangeToId: newStatus.id,
+          ...(input.createdAt && { createdAt: input.createdAt }),
         })
         .returning()
 
@@ -231,6 +233,7 @@ export async function createComment(
           principalId: author.principalId,
           isTeamMember: authorIsTeamMember,
           isPrivate,
+          ...(input.createdAt && { createdAt: input.createdAt }),
         })
         .returning()
 
@@ -248,43 +251,45 @@ export async function createComment(
     comment = result
   }
 
-  // Auto-subscribe commenter to the post
-  if (author.principalId) {
-    await subscribeToPost(author.principalId, input.postId, 'comment')
-  }
-
-  // Dispatch comment.created event for webhooks, Slack, etc.
-  const actorName = author.displayName ?? author.name
-  await dispatchCommentCreated(
-    buildEventActor(author),
-    {
-      id: comment.id,
-      content: comment.content,
-      authorName: actorName,
-      authorEmail: author.email,
-      isPrivate,
-    },
-    {
-      id: post.id,
-      title: post.title,
-      boardId: board.id,
-      boardSlug: board.slug,
+  if (!options?.skipDispatch) {
+    // Auto-subscribe commenter to the post
+    if (author.principalId) {
+      await subscribeToPost(author.principalId, input.postId, 'comment')
     }
-  )
 
-  // Dispatch status change event if status was changed
-  if (shouldChangeStatus && previousStatusName && newStatusName) {
-    await dispatchPostStatusChanged(
+    // Dispatch comment.created event for webhooks, Slack, etc.
+    const actorName = author.displayName ?? author.name
+    await dispatchCommentCreated(
       buildEventActor(author),
+      {
+        id: comment.id,
+        content: comment.content,
+        authorName: actorName,
+        authorEmail: author.email,
+        isPrivate,
+      },
       {
         id: post.id,
         title: post.title,
         boardId: board.id,
         boardSlug: board.slug,
-      },
-      previousStatusName,
-      newStatusName
+      }
     )
+
+    // Dispatch status change event if status was changed
+    if (shouldChangeStatus && previousStatusName && newStatusName) {
+      await dispatchPostStatusChanged(
+        buildEventActor(author),
+        {
+          id: post.id,
+          title: post.title,
+          boardId: board.id,
+          boardSlug: board.slug,
+        },
+        previousStatusName,
+        newStatusName
+      )
+    }
   }
 
   return { comment, post: { id: post.id, title: post.title, boardSlug: board.slug } }

apps/web/src/lib/server/domains/comments/comment.types.ts

@@ -16,6 +16,8 @@ export interface CreateCommentInput {
   statusId?: StatusId | null
   /** Whether this comment is only visible to team members */
   isPrivate?: boolean
+  /** Override creation timestamp (admin-only, for imports) */
+  createdAt?: Date
 }
 
 /**

apps/web/src/lib/server/domains/posts/post.service.ts

@@ -69,7 +69,8 @@ export async function createPost(
     name?: string
     email?: string
     displayName?: string
-  }
+  },
+  options?: { skipDispatch?: boolean }
 ): Promise<CreatePostResult> {
   console.log(`[domain:posts] createPost: boardId=${input.boardId}`)
   // Basic validation (also done at action layer, but enforced here for direct service calls)
@@ -132,6 +133,7 @@ export async function createPost(
       statusId,
       principalId: author.principalId,
       widgetMetadata: input.widgetMetadata ?? null,
+      ...(input.createdAt && { createdAt: input.createdAt }),
     })
     .returning()
 
@@ -142,28 +144,30 @@ export async function createPost(
     await db.insert(postTags).values(input.tagIds.map((tagId) => ({ postId: post.id, tagId })))
   }
 
-  // Auto-subscribe the author to their own post
-  await subscribeToPost(author.principalId, post.id, 'author')
-
-  // Dispatch post.created event for webhooks, Slack, AI processing, etc.
-  const actorName = author.displayName ?? author.name
-  await dispatchPostCreated(buildEventActor(author), {
-    id: post.id,
-    title: post.title,
-    content: post.content,
-    boardId: post.boardId,
-    boardSlug: board.slug,
-    authorEmail: author.email,
-    authorName: actorName,
-    voteCount: post.voteCount,
-  })
+  if (!options?.skipDispatch) {
+    // Auto-subscribe the author to their own post
+    await subscribeToPost(author.principalId, post.id, 'author')
+
+    // Dispatch post.created event for webhooks, Slack, AI processing, etc.
+    const actorName = author.displayName ?? author.name
+    await dispatchPostCreated(buildEventActor(author), {
+      id: post.id,
+      title: post.title,
+      content: post.content,
+      boardId: post.boardId,
+      boardSlug: board.slug,
+      authorEmail: author.email,
+      authorName: actorName,
+      voteCount: post.voteCount,
+    })
 
-  createActivity({
-    postId: post.id,
-    principalId: author.principalId,
-    type: 'post.created',
-    metadata: { boardName: board.name },
-  })
+    createActivity({
+      postId: post.id,
+      principalId: author.principalId,
+      type: 'post.created',
+      metadata: { boardName: board.name },
+    })
+  }
 
   return { ...post, boardSlug: board.slug }
 }

apps/web/src/lib/server/domains/posts/post.types.ts

@@ -17,6 +17,8 @@ export interface CreatePostInput {
   statusId?: StatusId
   tagIds?: TagId[]
   widgetMetadata?: Record<string, string>
+  /** Override creation timestamp (admin-only, for imports) */
+  createdAt?: Date
 }
 
 /**

apps/web/src/lib/server/domains/posts/post.voting.ts

@@ -166,7 +166,8 @@ export async function addVoteOnBehalf(
   principalId: PrincipalId,
   source?: { type: string; externalUrl: string },
   feedbackSuggestionId?: string | null,
-  addedByPrincipalId?: PrincipalId
+  addedByPrincipalId?: PrincipalId,
+  createdAt?: Date
 ): Promise<VoteResult> {
   const postUuid = toUuid(postId)
   const principalUuid = toUuid(principalId)
@@ -177,6 +178,7 @@ export async function addVoteOnBehalf(
   const sourceExternalUrl = source?.externalUrl ?? null
   const suggestionUuid = feedbackSuggestionId ? toUuid(feedbackSuggestionId) : null
   const addedByUuid = addedByPrincipalId ? toUuid(addedByPrincipalId) : null
+  const createdAtSql = createdAt ? sql`${createdAt.toISOString()}::timestamptz` : sql`NOW()`
 
   // Single atomic CTE: validate post/board, insert vote (never delete), update count, auto-subscribe
   const result = await db.execute<{
@@ -194,8 +196,8 @@ export async function addVoteOnBehalf(
       WHERE id = (SELECT board_id FROM post_check)
     ),
     inserted AS (
-      INSERT INTO ${votes} (id, post_id, principal_id, source_type, source_external_url, feedback_suggestion_id, added_by_principal_id, updated_at)
-      SELECT ${voteId}::uuid, ${postUuid}::uuid, ${principalUuid}::uuid, ${sourceType}, ${sourceExternalUrl}, ${suggestionUuid}::uuid, ${addedByUuid}::uuid, NOW()
+      INSERT INTO ${votes} (id, post_id, principal_id, source_type, source_external_url, feedback_suggestion_id, added_by_principal_id, created_at, updated_at)
+      SELECT ${voteId}::uuid, ${postUuid}::uuid, ${principalUuid}::uuid, ${sourceType}, ${sourceExternalUrl}, ${suggestionUuid}::uuid, ${addedByUuid}::uuid, ${createdAtSql}, ${createdAtSql}
       WHERE EXISTS (SELECT 1 FROM post_check)
         AND EXISTS (SELECT 1 FROM board_check)
       ON CONFLICT (post_id, principal_id) DO NOTHING

apps/web/src/routes/api/v1/changelog/index.ts

@@ -10,12 +10,14 @@ import {
 import { listChangelogs, createChangelog } from '@/lib/server/domains/changelog'
 import { publishedAtToPublishState } from '@/lib/shared/schemas/changelog'
 import { db, principal, eq } from '@/lib/server/db'
+import type { PostId } from '@quackback/ids'
 
 // Input validation schema
 const createChangelogSchema = z.object({
   title: z.string().min(1, 'Title is required').max(200),
   content: z.string().min(1, 'Content is required'),
   publishedAt: z.string().datetime().optional(),
+  linkedPostIds: z.array(z.string()).optional(),
 })
 
 export const Route = createFileRoute('/api/v1/changelog/')({
@@ -103,6 +105,7 @@ export const Route = createFileRoute('/api/v1/changelog/')({
               title: parsed.data.title,
               content: parsed.data.content,
               publishState,
+              linkedPostIds: parsed.data.linkedPostIds as PostId[] | undefined,
             },
             {
               principalId: authResult.principalId,

apps/web/src/routes/api/v1/posts/$postId.comments.ts

@@ -15,6 +15,7 @@ const createCommentSchema = z.object({
   content: z.string().min(1, 'Content is required').max(5000),
   parentId: z.string().optional().nullable(),
   isPrivate: z.boolean().optional(),
+  createdAt: z.string().datetime().optional(),
 })
 
 export const Route = createFileRoute('/api/v1/posts/$postId/comments')({
@@ -114,12 +115,19 @@ export const Route = createFileRoute('/api/v1/posts/$postId/comments')({
             return badRequestResponse('Principal not found')
           }
 
+          // Only admins can set createdAt (for imports)
+          const createdAt =
+            parsed.data.createdAt && authResult.role === 'admin'
+              ? new Date(parsed.data.createdAt)
+              : undefined
+
           const result = await createComment(
             {
               postId: postId as PostId,
               content: parsed.data.content,
               parentId: parsed.data.parentId as CommentId | undefined,
               isPrivate: parsed.data.isPrivate,
+              createdAt,
             },
             {
               principalId,
@@ -128,7 +136,8 @@ export const Route = createFileRoute('/api/v1/posts/$postId/comments')({
               name: principalRecord.user?.name,
               email: principalRecord.user?.email ?? undefined,
               role: principalRecord.role as 'admin' | 'member' | 'user',
-            }
+            },
+            { skipDispatch: authResult.importMode }
           )
 
           return createdResponse({