Add categories and suppliers with CRUD routes

- category table with hierarchical parent_id, sort ordering, soft-delete
- supplier table with contact info, account number, payment terms
- CRUD routes for both with search on suppliers
- Zod validation schemas in @forte/shared
- Products will link to suppliers via join table (many-to-many)
- 26 tests passing

packages/backend/src/routes/v1/inventory.test.ts

@@ -0,0 +1,193 @@
+import { describe, it, expect, beforeAll, beforeEach, afterAll } from 'bun:test'
+import type { FastifyInstance } from 'fastify'
+import {
+  createTestApp,
+  cleanDb,
+  seedTestCompany,
+  registerAndLogin,
+} from '../../test/helpers.js'
+
+describe('Category routes', () => {
+  let app: FastifyInstance
+  let token: string
+
+  beforeAll(async () => {
+    app = await createTestApp()
+  })
+
+  beforeEach(async () => {
+    await cleanDb(app)
+    await seedTestCompany(app)
+    const auth = await registerAndLogin(app)
+    token = auth.token
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  it('creates a category', async () => {
+    const response = await app.inject({
+      method: 'POST',
+      url: '/v1/categories',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Guitars', description: 'All guitars', sortOrder: 1 },
+    })
+
+    expect(response.statusCode).toBe(201)
+    expect(response.json().name).toBe('Guitars')
+    expect(response.json().sortOrder).toBe(1)
+  })
+
+  it('creates a child category', async () => {
+    const parentRes = await app.inject({
+      method: 'POST',
+      url: '/v1/categories',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Instruments' },
+    })
+    const parentId = parentRes.json().id
+
+    const childRes = await app.inject({
+      method: 'POST',
+      url: '/v1/categories',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Brass', parentId },
+    })
+
+    expect(childRes.statusCode).toBe(201)
+    expect(childRes.json().parentId).toBe(parentId)
+  })
+
+  it('lists categories sorted by sortOrder', async () => {
+    await app.inject({
+      method: 'POST',
+      url: '/v1/categories',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Zzz Last', sortOrder: 99 },
+    })
+    await app.inject({
+      method: 'POST',
+      url: '/v1/categories',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Aaa First', sortOrder: 1 },
+    })
+
+    const response = await app.inject({
+      method: 'GET',
+      url: '/v1/categories',
+      headers: { authorization: `Bearer ${token}` },
+    })
+
+    expect(response.statusCode).toBe(200)
+    const body = response.json()
+    expect(body.length).toBe(2)
+    expect(body[0].name).toBe('Aaa First')
+  })
+
+  it('soft-deletes a category', async () => {
+    const createRes = await app.inject({
+      method: 'POST',
+      url: '/v1/categories',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'To Delete' },
+    })
+
+    const delRes = await app.inject({
+      method: 'DELETE',
+      url: `/v1/categories/${createRes.json().id}`,
+      headers: { authorization: `Bearer ${token}` },
+    })
+    expect(delRes.json().isActive).toBe(false)
+
+    const listRes = await app.inject({
+      method: 'GET',
+      url: '/v1/categories',
+      headers: { authorization: `Bearer ${token}` },
+    })
+    expect(listRes.json().length).toBe(0)
+  })
+})
+
+describe('Supplier routes', () => {
+  let app: FastifyInstance
+  let token: string
+
+  beforeAll(async () => {
+    app = await createTestApp()
+  })
+
+  beforeEach(async () => {
+    await cleanDb(app)
+    await seedTestCompany(app)
+    const auth = await registerAndLogin(app, { email: `supplier-${Date.now()}@test.com` })
+    token = auth.token
+  })
+
+  afterAll(async () => {
+    await app.close()
+  })
+
+  it('creates a supplier', async () => {
+    const response = await app.inject({
+      method: 'POST',
+      url: '/v1/suppliers',
+      headers: { authorization: `Bearer ${token}` },
+      payload: {
+        name: 'RS Musical',
+        contactName: 'Bob Smith',
+        email: 'bob@rsmusical.com',
+        paymentTerms: 'Net 30',
+      },
+    })
+
+    expect(response.statusCode).toBe(201)
+    expect(response.json().name).toBe('RS Musical')
+    expect(response.json().paymentTerms).toBe('Net 30')
+  })
+
+  it('searches suppliers by name', async () => {
+    await app.inject({
+      method: 'POST',
+      url: '/v1/suppliers',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: "Ferree's Tools" },
+    })
+    await app.inject({
+      method: 'POST',
+      url: '/v1/suppliers',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Allied Supply' },
+    })
+
+    const response = await app.inject({
+      method: 'GET',
+      url: '/v1/suppliers/search?q=ferree',
+      headers: { authorization: `Bearer ${token}` },
+    })
+
+    expect(response.statusCode).toBe(200)
+    expect(response.json().length).toBe(1)
+    expect(response.json()[0].name).toBe("Ferree's Tools")
+  })
+
+  it('updates a supplier', async () => {
+    const createRes = await app.inject({
+      method: 'POST',
+      url: '/v1/suppliers',
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'Old Name' },
+    })
+
+    const updateRes = await app.inject({
+      method: 'PATCH',
+      url: `/v1/suppliers/${createRes.json().id}`,
+      headers: { authorization: `Bearer ${token}` },
+      payload: { name: 'New Name', paymentTerms: 'COD' },
+    })
+
+    expect(updateRes.statusCode).toBe(200)
+    expect(updateRes.json().name).toBe('New Name')
+    expect(updateRes.json().paymentTerms).toBe('COD')
+  })
+})

packages/backend/src/routes/v1/inventory.ts

@@ -0,0 +1,99 @@
+import type { FastifyPluginAsync } from 'fastify'
+import {
+  CategoryCreateSchema,
+  CategoryUpdateSchema,
+  SupplierCreateSchema,
+  SupplierUpdateSchema,
+} from '@forte/shared/schemas'
+import { CategoryService, SupplierService } from '../../services/inventory.service.js'
+
+export const inventoryRoutes: FastifyPluginAsync = async (app) => {
+  // --- Categories ---
+
+  app.post('/categories', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const parsed = CategoryCreateSchema.safeParse(request.body)
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const category = await CategoryService.create(app.db, request.companyId, parsed.data)
+    return reply.status(201).send(category)
+  })
+
+  app.get('/categories', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const list = await CategoryService.list(app.db, request.companyId)
+    return reply.send(list)
+  })
+
+  app.get('/categories/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const category = await CategoryService.getById(app.db, request.companyId, id)
+    if (!category) return reply.status(404).send({ error: { message: 'Category not found', statusCode: 404 } })
+    return reply.send(category)
+  })
+
+  app.patch('/categories/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const parsed = CategoryUpdateSchema.safeParse(request.body)
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const category = await CategoryService.update(app.db, request.companyId, id, parsed.data)
+    if (!category) return reply.status(404).send({ error: { message: 'Category not found', statusCode: 404 } })
+    return reply.send(category)
+  })
+
+  app.delete('/categories/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const category = await CategoryService.softDelete(app.db, request.companyId, id)
+    if (!category) return reply.status(404).send({ error: { message: 'Category not found', statusCode: 404 } })
+    return reply.send(category)
+  })
+
+  // --- Suppliers ---
+
+  app.post('/suppliers', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const parsed = SupplierCreateSchema.safeParse(request.body)
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const supplier = await SupplierService.create(app.db, request.companyId, parsed.data)
+    return reply.status(201).send(supplier)
+  })
+
+  app.get('/suppliers', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const list = await SupplierService.list(app.db, request.companyId)
+    return reply.send(list)
+  })
+
+  app.get('/suppliers/search', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { q } = request.query as { q?: string }
+    if (!q) return reply.status(400).send({ error: { message: 'Query parameter q is required', statusCode: 400 } })
+    const results = await SupplierService.search(app.db, request.companyId, q)
+    return reply.send(results)
+  })
+
+  app.get('/suppliers/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const supplier = await SupplierService.getById(app.db, request.companyId, id)
+    if (!supplier) return reply.status(404).send({ error: { message: 'Supplier not found', statusCode: 404 } })
+    return reply.send(supplier)
+  })
+
+  app.patch('/suppliers/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const parsed = SupplierUpdateSchema.safeParse(request.body)
+    if (!parsed.success) {
+      return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
+    }
+    const supplier = await SupplierService.update(app.db, request.companyId, id, parsed.data)
+    if (!supplier) return reply.status(404).send({ error: { message: 'Supplier not found', statusCode: 404 } })
+    return reply.send(supplier)
+  })
+
+  app.delete('/suppliers/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+    const { id } = request.params as { id: string }
+    const supplier = await SupplierService.softDelete(app.db, request.companyId, id)
+    if (!supplier) return reply.status(404).send({ error: { message: 'Supplier not found', statusCode: 404 } })
+    return reply.send(supplier)
+  })
+}