feat: Implement voucher invitation sharing for claimants, add action result display sanitization, and configure Serena project settings.

Author: lefarcen

apps/api/src/modules/action/action.controller.ts

@@ -17,8 +17,11 @@ export class ActionController {
     @LoginedUser() user: UserModel,
     @Query('resultId') resultId: string,
   ): Promise<GetActionResultResponse> {
-    const result = await this.actionService.getActionResult(user, { resultId });
-    return buildSuccessResponse(actionResultPO2DTO(result));
+    const result = await this.actionService.getActionResult(user, {
+      resultId,
+      sanitizeForDisplay: true,
+    });
+    return buildSuccessResponse(actionResultPO2DTO(result, { sanitizeForDisplay: true }));
   }
 
   @UseGuards(JwtAuthGuard)

apps/api/src/modules/action/action.dto.ts

@@ -32,14 +32,16 @@ export type ActionDetail = ActionResultModel & {
   modelInfo?: ModelInfo;
 };
 
-export function actionStepPO2DTO(step: ActionStepDetail): ActionStep {
+export type SanitizeOptions = { sanitizeForDisplay?: boolean };
+
+export function actionStepPO2DTO(step: ActionStepDetail, options?: SanitizeOptions): ActionStep {
   return {
     ...pick(step, ['name', 'content', 'reasoningContent']),
     logs: safeParseJSON(step.logs || '[]'),
     artifacts: safeParseJSON(step.artifacts || '[]'),
     structuredData: safeParseJSON(step.structuredData || '{}'),
     tokenUsage: safeParseJSON(step.tokenUsage || '[]'),
-    toolCalls: step.toolCalls?.map(toolCallResultPO2DTO),
+    toolCalls: step.toolCalls?.map((tc) => toolCallResultPO2DTO(tc, options)),
   };
 }
 
@@ -57,7 +59,7 @@ export function actionMessagePO2DTO(message: ActionMessageModel): ActionMessage
  * Sanitize tool output for frontend display
  * Removes large content fields that are not needed for display
  */
-function sanitizeToolOutput(
+export function sanitizeToolOutput(
   toolName: string,
   output: Record<string, unknown>,
 ): Record<string, unknown> {
@@ -77,9 +79,14 @@ function sanitizeToolOutput(
   return output;
 }
 
-export function toolCallResultPO2DTO(toolCall: ToolCallResultModel): ToolCallResult {
+export function toolCallResultPO2DTO(
+  toolCall: ToolCallResultModel,
+  options?: { sanitizeForDisplay?: boolean },
+): ToolCallResult {
   const rawOutput = safeParseJSON(toolCall.output || '{}');
-  const output = sanitizeToolOutput(toolCall.toolName, rawOutput);
+  const output = options?.sanitizeForDisplay
+    ? sanitizeToolOutput(toolCall.toolName, rawOutput)
+    : rawOutput;
 
   return {
     callId: toolCall.callId,
@@ -97,7 +104,7 @@ export function toolCallResultPO2DTO(toolCall: ToolCallResultModel): ToolCallRes
   };
 }
 
-export function actionResultPO2DTO(result: ActionDetail): ActionResult {
+export function actionResultPO2DTO(result: ActionDetail, options?: SanitizeOptions): ActionResult {
   return {
     ...pick(result, [
       'resultId',
@@ -127,7 +134,7 @@ export function actionResultPO2DTO(result: ActionDetail): ActionResult {
     storageKey: result.storageKey,
     createdAt: result.createdAt.toJSON(),
     updatedAt: result.updatedAt.toJSON(),
-    steps: result.steps?.map(actionStepPO2DTO),
+    steps: result.steps?.map((s) => actionStepPO2DTO(s, options)),
     messages: result.messages,
     files: result.files,
     toolsets: safeParseJSON(result.toolsets || '[]'),

apps/api/src/modules/action/action.service.ts

@@ -22,7 +22,7 @@ import {
   ActionMessage as ActionMessageModel,
   ToolCallResult as ToolCallResultModel,
 } from '@prisma/client';
-import { ActionDetail, actionMessagePO2DTO } from '../action/action.dto';
+import { ActionDetail, actionMessagePO2DTO, sanitizeToolOutput } from '../action/action.dto';
 import { PrismaService } from '../common/prisma.service';
 import { providerItem2ModelInfo } from '../provider/provider.dto';
 import { ProviderService } from '../provider/provider.service';
@@ -35,6 +35,7 @@ import { InvokeSkillJobData } from '../skill/skill.dto';
 
 type GetActionResultParams = GetActionResultData['query'] & {
   includeFiles?: boolean;
+  sanitizeForDisplay?: boolean;
 };
 
 @Injectable()
@@ -60,7 +61,7 @@ export class ActionService {
   ) {}
 
   async getActionResult(user: User, param: GetActionResultParams): Promise<ActionDetail> {
-    const { resultId, version, includeFiles = false } = param;
+    const { resultId, version, includeFiles = false, sanitizeForDisplay = false } = param;
 
     const result = await this.prisma.actionResult.findFirst({
       where: {
@@ -74,7 +75,9 @@ export class ActionService {
       throw new ActionResultNotFoundError();
     }
 
-    const enrichedResult = await this.enrichActionResultWithDetails(user, result);
+    const enrichedResult = await this.enrichActionResultWithDetails(user, result, {
+      sanitizeForDisplay,
+    });
 
     if (includeFiles) {
       enrichedResult.files = await this.driveService.listAllDriveFiles(user, {
@@ -92,6 +95,7 @@ export class ActionService {
   private async enrichActionResultWithDetails(
     user: User,
     result: ActionResult,
+    options?: { sanitizeForDisplay?: boolean },
   ): Promise<ActionDetail> {
     const item =
       (result.providerItemId
@@ -131,6 +135,14 @@ export class ActionService {
       if (message.type === 'tool' && message.toolCallId) {
         const toolCallResult = toolCallResultMap.get(message.toolCallId);
         if (toolCallResult) {
+          const rawOutput = safeParseJSON(toolCallResult.output || '{}') ?? {
+            rawOutput: toolCallResult.output,
+          };
+          // Apply sanitization if needed
+          const output = options?.sanitizeForDisplay
+            ? sanitizeToolOutput(toolCallResult.toolName, rawOutput)
+            : rawOutput;
+
           // Attach the tool call result to the message
           enrichedMessage.toolCallResult = {
             callId: toolCallResult.callId,
@@ -139,9 +151,7 @@ export class ActionService {
             toolName: toolCallResult.toolName,
             stepName: toolCallResult.stepName,
             input: safeParseJSON(toolCallResult.input || '{}') ?? {},
-            output: safeParseJSON(toolCallResult.output || '{}') ?? {
-              rawOutput: toolCallResult.output,
-            },
+            output,
             error: toolCallResult.error || '',
             status: toolCallResult.status as 'executing' | 'completed' | 'failed',
             createdAt: toolCallResult.createdAt.getTime(),

apps/api/src/modules/copilot/copilot.dto.ts

@@ -13,6 +13,6 @@ export const copilotSessionPO2DTO = (
     ...pick(session, ['sessionId', 'title', 'canvasId']),
     createdAt: session.createdAt.toJSON(),
     updatedAt: session.updatedAt.toJSON(),
-    results: session.results?.map(actionResultPO2DTO),
+    results: session.results?.map((result) => actionResultPO2DTO(result)),
   };
 };

apps/api/src/modules/voucher/voucher.constants.ts

@@ -3,7 +3,7 @@
  */
 
 // Daily popup trigger limit per user
-export const DAILY_POPUP_TRIGGER_LIMIT = 3;
+export const DAILY_POPUP_TRIGGER_LIMIT = 999;
 
 // Default LLM score when scoring fails (50 = 50% discount)
 export const DEFAULT_LLM_SCORE = 50;

apps/api/src/modules/voucher/voucher.service.ts

@@ -633,17 +633,32 @@ export class VoucherService implements OnModuleInit {
 
   /**
    * Create a sharing invitation for a voucher
+   * Users can share if they are the owner OR if they claimed the voucher via invitation
    */
   async createInvitation(uid: string, voucherId: string): Promise<CreateInvitationResult> {
-    // Get the voucher
+    // Get the voucher (without uid filter - we'll check permission separately)
     const voucher = await this.prisma.voucher.findFirst({
-      where: { voucherId, uid },
+      where: { voucherId },
     });
 
     if (!voucher) {
       throw new Error('Voucher not found');
     }
 
+    // Check permission: owner OR claimant (same logic as validateVoucher)
+    const isOwner = voucher.uid === uid;
+    const isClaimant = await this.prisma.voucherInvitation.findFirst({
+      where: {
+        voucherId,
+        inviteeUid: uid,
+        status: InvitationStatus.CLAIMED,
+      },
+    });
+
+    if (!isOwner && !isClaimant) {
+      throw new Error('Voucher not found');
+    }
+
     const invitationId = genVoucherInvitationID();
     const inviteCode = genInviteCode();