books/backend/Books.Api/GraphQL/Mutations/BooksMutation.cs

using System.Security.Claims;
using Books.Api.Authorization;
using Books.Api.Commands.Companies;
using Books.Api.Commands.UserAccess;
using Books.Api.Domain.Companies;
using Books.Api.Domain.UserAccess;
using Books.Api.EventFlow.Repositories;
using Books.Api.GraphQL.InputTypes;
using Books.Api.GraphQL.Types;
using EventFlow;
using GraphQL;
using GraphQL.Types;

namespace Books.Api.GraphQL.Mutations;

public class BooksMutation : ObjectGraphType
{
    public BooksMutation()
    {
        Name = "Mutation";
        Description = "Root mutation for the Books API";

        // createCompany(input: CreateCompanyInput!): CompanyType
        Field<CompanyType>("createCompany")
            .Description("Create a new company")
            .Argument<NonNullGraphType<CreateCompanyInputType>>("input", "The company data")
            .ResolveAsync(async ctx =>
            {
                var input = ctx.GetArgument<CreateCompanyInput>("input");
                var commandBus = ctx.RequestServices!.GetRequiredService<ICommandBus>();
                var repository = ctx.RequestServices!.GetRequiredService<ICompanyRepository>();

                var companyId = CompanyId.New;

                var command = new CreateCompanyCommand(
                    companyId,
                    input.Name,
                    input.Cvr,
                    input.Address,
                    input.PostalCode,
                    input.City,
                    input.Country ?? "DK",
                    input.FiscalYearStartMonth ?? 1,
                    input.Currency ?? "DKK",
                    input.VatRegistered ?? false,
                    input.VatPeriodFrequency);

                await commandBus.PublishAsync(command, ctx.CancellationToken);

                // Grant the creating user owner access to the new company
                var httpContext = ctx.RequestServices!.GetRequiredService<IHttpContextAccessor>().HttpContext;
                var userId = httpContext?.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                if (userId != null)
                {
                    var accessId = UserCompanyAccessId.FromUserAndCompany(userId, companyId.Value);
                    var grantCmd = new GrantUserCompanyAccessCommand(
                        accessId, userId, companyId.Value, CompanyRole.Owner, userId);
                    await commandBus.PublishAsync(grantCmd, ctx.CancellationToken);
                }

                // Return the created company (eventually consistent)
                return await repository.GetByIdAsync(companyId.Value, ctx.CancellationToken);
            });

        // updateCompany(id: ID!, input: UpdateCompanyInput!): CompanyType
        Field<CompanyType>("updateCompany")
            .Description("Update an existing company")
            .Argument<NonNullGraphType<IdGraphType>>("id", "The company ID")
            .Argument<NonNullGraphType<UpdateCompanyInputType>>("input", "The updated company data")
            .ResolveAsync(async ctx =>
            {
                var id = ctx.GetArgument<string>("id");

                // Require Owner or Accountant role to update a company
                var accessService = ctx.RequestServices!.GetRequiredService<ICompanyAccessService>();
                await accessService.RequireAccessAsync(id, CompanyRole.Accountant, ctx.CancellationToken);

                var input = ctx.GetArgument<UpdateCompanyInput>("input");
                var commandBus = ctx.RequestServices!.GetRequiredService<ICommandBus>();
                var repository = ctx.RequestServices!.GetRequiredService<ICompanyRepository>();

                var companyId = CompanyId.With(id);

                var command = new UpdateCompanyCommand(
                    companyId,
                    input.Name,
                    input.Cvr,
                    input.Address,
                    input.PostalCode,
                    input.City,
                    input.Country ?? "DK",
                    input.FiscalYearStartMonth ?? 1,
                    input.Currency ?? "DKK",
                    input.VatRegistered ?? false,
                    input.VatPeriodFrequency);

                await commandBus.PublishAsync(command, ctx.CancellationToken);

                return await repository.GetByIdAsync(companyId.Value, ctx.CancellationToken);
            });
    }
}
Full product audit: fix security, compliance, UX, and wire broken features Security (Phase 1): - Add authentication middleware on /graphql endpoint - Filter company queries by user access (prevent IDOR) - Add role-based authorization on mutations (owner/accountant) - Reduce API key cache TTL from 24h to 5 minutes - Hide exception details in production GraphQL errors - Fix RBAC in frontend companyStore (was hardcoded) Wiring broken features (Phase 2): - Wire Kassekladde submit/void/copy to GraphQL mutations - Wire Kontooversigt account creation to createAccount mutation - Wire Settings save to updateCompany mutation - Wire CreateFiscalYearModal and CloseFiscalYearWizard to mutations - Replace Momsindberetning mock data with real useVatReport query - Remove Dashboard hardcoded percentages and fake VAT deadline - Fix Kreditnotaer invoice selector to use real data - Fix mutation retry from 1 to 0 (prevent duplicate operations) Accounting compliance (Phase 3): - Add balanced entry validation (debit==credit) in JournalEntryDraftAggregate - Add fiscal year boundary enforcement (status, date range checks) - Add PostedAt timestamp to posted events (Bogføringsloven §7) - Add account number uniqueness check within company - Add fiscal year overlap and gap checks - Add sequential invoice auto-numbering - Fix InvoiceLine VAT rate to use canonical VatCodes - Fix SAF-T account type mapping (financial → Expense) - Add DraftLine validation (cannot have both debit and credit > 0) UX improvements (Phase 4): - Fix Danish character encoding across 15+ files (ø, æ, å) - Deploy DemoDataDisclaimer on pages with mock/incomplete data - Adopt PageHeader component universally across all pages - Standardize active/inactive filtering to Switch pattern - Fix dead buttons in Header (Help, Notifications) - Remove hardcoded mock data from Settings - Fix Sidebar controlled state and Kontooversigt navigation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-05 21:35:26 +01:00			`using System.Security.Claims;`
			`using Books.Api.Authorization;`
Initial commit: Books accounting system with EventFlow CQRS Backend (.NET 10): - EventFlow CQRS/Event Sourcing with PostgreSQL - GraphQL.NET API with mutations and queries - Custom ReadModelSqlGenerator for snake_case PostgreSQL columns - Hangfire for background job processing - Integration tests with isolated test databases Frontend (React/Vite): - Initial project structure 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-18 02:52:30 +01:00			`using Books.Api.Commands.Companies;`
Full product audit: fix security, compliance, UX, and wire broken features Security (Phase 1): - Add authentication middleware on /graphql endpoint - Filter company queries by user access (prevent IDOR) - Add role-based authorization on mutations (owner/accountant) - Reduce API key cache TTL from 24h to 5 minutes - Hide exception details in production GraphQL errors - Fix RBAC in frontend companyStore (was hardcoded) Wiring broken features (Phase 2): - Wire Kassekladde submit/void/copy to GraphQL mutations - Wire Kontooversigt account creation to createAccount mutation - Wire Settings save to updateCompany mutation - Wire CreateFiscalYearModal and CloseFiscalYearWizard to mutations - Replace Momsindberetning mock data with real useVatReport query - Remove Dashboard hardcoded percentages and fake VAT deadline - Fix Kreditnotaer invoice selector to use real data - Fix mutation retry from 1 to 0 (prevent duplicate operations) Accounting compliance (Phase 3): - Add balanced entry validation (debit==credit) in JournalEntryDraftAggregate - Add fiscal year boundary enforcement (status, date range checks) - Add PostedAt timestamp to posted events (Bogføringsloven §7) - Add account number uniqueness check within company - Add fiscal year overlap and gap checks - Add sequential invoice auto-numbering - Fix InvoiceLine VAT rate to use canonical VatCodes - Fix SAF-T account type mapping (financial → Expense) - Add DraftLine validation (cannot have both debit and credit > 0) UX improvements (Phase 4): - Fix Danish character encoding across 15+ files (ø, æ, å) - Deploy DemoDataDisclaimer on pages with mock/incomplete data - Adopt PageHeader component universally across all pages - Standardize active/inactive filtering to Switch pattern - Fix dead buttons in Header (Help, Notifications) - Remove hardcoded mock data from Settings - Fix Sidebar controlled state and Kontooversigt navigation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-05 21:35:26 +01:00			`using Books.Api.Commands.UserAccess;`
Initial commit: Books accounting system with EventFlow CQRS Backend (.NET 10): - EventFlow CQRS/Event Sourcing with PostgreSQL - GraphQL.NET API with mutations and queries - Custom ReadModelSqlGenerator for snake_case PostgreSQL columns - Hangfire for background job processing - Integration tests with isolated test databases Frontend (React/Vite): - Initial project structure 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-18 02:52:30 +01:00			`using Books.Api.Domain.Companies;`
Full product audit: fix security, compliance, UX, and wire broken features Security (Phase 1): - Add authentication middleware on /graphql endpoint - Filter company queries by user access (prevent IDOR) - Add role-based authorization on mutations (owner/accountant) - Reduce API key cache TTL from 24h to 5 minutes - Hide exception details in production GraphQL errors - Fix RBAC in frontend companyStore (was hardcoded) Wiring broken features (Phase 2): - Wire Kassekladde submit/void/copy to GraphQL mutations - Wire Kontooversigt account creation to createAccount mutation - Wire Settings save to updateCompany mutation - Wire CreateFiscalYearModal and CloseFiscalYearWizard to mutations - Replace Momsindberetning mock data with real useVatReport query - Remove Dashboard hardcoded percentages and fake VAT deadline - Fix Kreditnotaer invoice selector to use real data - Fix mutation retry from 1 to 0 (prevent duplicate operations) Accounting compliance (Phase 3): - Add balanced entry validation (debit==credit) in JournalEntryDraftAggregate - Add fiscal year boundary enforcement (status, date range checks) - Add PostedAt timestamp to posted events (Bogføringsloven §7) - Add account number uniqueness check within company - Add fiscal year overlap and gap checks - Add sequential invoice auto-numbering - Fix InvoiceLine VAT rate to use canonical VatCodes - Fix SAF-T account type mapping (financial → Expense) - Add DraftLine validation (cannot have both debit and credit > 0) UX improvements (Phase 4): - Fix Danish character encoding across 15+ files (ø, æ, å) - Deploy DemoDataDisclaimer on pages with mock/incomplete data - Adopt PageHeader component universally across all pages - Standardize active/inactive filtering to Switch pattern - Fix dead buttons in Header (Help, Notifications) - Remove hardcoded mock data from Settings - Fix Sidebar controlled state and Kontooversigt navigation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-05 21:35:26 +01:00			`using Books.Api.Domain.UserAccess;`
Initial commit: Books accounting system with EventFlow CQRS Backend (.NET 10): - EventFlow CQRS/Event Sourcing with PostgreSQL - GraphQL.NET API with mutations and queries - Custom ReadModelSqlGenerator for snake_case PostgreSQL columns - Hangfire for background job processing - Integration tests with isolated test databases Frontend (React/Vite): - Initial project structure 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-18 02:52:30 +01:00			`using Books.Api.EventFlow.Repositories;`
			`using Books.Api.GraphQL.InputTypes;`
			`using Books.Api.GraphQL.Types;`
			`using EventFlow;`
			`using GraphQL;`
			`using GraphQL.Types;`

			`namespace Books.Api.GraphQL.Mutations;`

			`public class BooksMutation : ObjectGraphType`
			`{`
			`public BooksMutation()`
			`{`
			`Name = "Mutation";`
			`Description = "Root mutation for the Books API";`

			`// createCompany(input: CreateCompanyInput!): CompanyType`
			`Field<CompanyType>("createCompany")`
			`.Description("Create a new company")`
			`.Argument<NonNullGraphType<CreateCompanyInputType>>("input", "The company data")`
			`.ResolveAsync(async ctx =>`
			`{`
			`var input = ctx.GetArgument<CreateCompanyInput>("input");`
			`var commandBus = ctx.RequestServices!.GetRequiredService<ICommandBus>();`
			`var repository = ctx.RequestServices!.GetRequiredService<ICompanyRepository>();`

			`var companyId = CompanyId.New;`

			`var command = new CreateCompanyCommand(`
			`companyId,`
			`input.Name,`
			`input.Cvr,`
			`input.Address,`
			`input.PostalCode,`
			`input.City,`
			`input.Country ?? "DK",`
			`input.FiscalYearStartMonth ?? 1,`
			`input.Currency ?? "DKK",`
			`input.VatRegistered ?? false,`
			`input.VatPeriodFrequency);`

			`await commandBus.PublishAsync(command, ctx.CancellationToken);`

Full product audit: fix security, compliance, UX, and wire broken features Security (Phase 1): - Add authentication middleware on /graphql endpoint - Filter company queries by user access (prevent IDOR) - Add role-based authorization on mutations (owner/accountant) - Reduce API key cache TTL from 24h to 5 minutes - Hide exception details in production GraphQL errors - Fix RBAC in frontend companyStore (was hardcoded) Wiring broken features (Phase 2): - Wire Kassekladde submit/void/copy to GraphQL mutations - Wire Kontooversigt account creation to createAccount mutation - Wire Settings save to updateCompany mutation - Wire CreateFiscalYearModal and CloseFiscalYearWizard to mutations - Replace Momsindberetning mock data with real useVatReport query - Remove Dashboard hardcoded percentages and fake VAT deadline - Fix Kreditnotaer invoice selector to use real data - Fix mutation retry from 1 to 0 (prevent duplicate operations) Accounting compliance (Phase 3): - Add balanced entry validation (debit==credit) in JournalEntryDraftAggregate - Add fiscal year boundary enforcement (status, date range checks) - Add PostedAt timestamp to posted events (Bogføringsloven §7) - Add account number uniqueness check within company - Add fiscal year overlap and gap checks - Add sequential invoice auto-numbering - Fix InvoiceLine VAT rate to use canonical VatCodes - Fix SAF-T account type mapping (financial → Expense) - Add DraftLine validation (cannot have both debit and credit > 0) UX improvements (Phase 4): - Fix Danish character encoding across 15+ files (ø, æ, å) - Deploy DemoDataDisclaimer on pages with mock/incomplete data - Adopt PageHeader component universally across all pages - Standardize active/inactive filtering to Switch pattern - Fix dead buttons in Header (Help, Notifications) - Remove hardcoded mock data from Settings - Fix Sidebar controlled state and Kontooversigt navigation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-05 21:35:26 +01:00			`// Grant the creating user owner access to the new company`
			`var httpContext = ctx.RequestServices!.GetRequiredService<IHttpContextAccessor>().HttpContext;`
			`var userId = httpContext?.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;`
			`if (userId != null)`
			`{`
			`var accessId = UserCompanyAccessId.FromUserAndCompany(userId, companyId.Value);`
			`var grantCmd = new GrantUserCompanyAccessCommand(`
			`accessId, userId, companyId.Value, CompanyRole.Owner, userId);`
			`await commandBus.PublishAsync(grantCmd, ctx.CancellationToken);`
			`}`

Initial commit: Books accounting system with EventFlow CQRS Backend (.NET 10): - EventFlow CQRS/Event Sourcing with PostgreSQL - GraphQL.NET API with mutations and queries - Custom ReadModelSqlGenerator for snake_case PostgreSQL columns - Hangfire for background job processing - Integration tests with isolated test databases Frontend (React/Vite): - Initial project structure 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-18 02:52:30 +01:00			`// Return the created company (eventually consistent)`
			`return await repository.GetByIdAsync(companyId.Value, ctx.CancellationToken);`
			`});`

			`// updateCompany(id: ID!, input: UpdateCompanyInput!): CompanyType`
			`Field<CompanyType>("updateCompany")`
			`.Description("Update an existing company")`
			`.Argument<NonNullGraphType<IdGraphType>>("id", "The company ID")`
			`.Argument<NonNullGraphType<UpdateCompanyInputType>>("input", "The updated company data")`
			`.ResolveAsync(async ctx =>`
			`{`
			`var id = ctx.GetArgument<string>("id");`
Full product audit: fix security, compliance, UX, and wire broken features Security (Phase 1): - Add authentication middleware on /graphql endpoint - Filter company queries by user access (prevent IDOR) - Add role-based authorization on mutations (owner/accountant) - Reduce API key cache TTL from 24h to 5 minutes - Hide exception details in production GraphQL errors - Fix RBAC in frontend companyStore (was hardcoded) Wiring broken features (Phase 2): - Wire Kassekladde submit/void/copy to GraphQL mutations - Wire Kontooversigt account creation to createAccount mutation - Wire Settings save to updateCompany mutation - Wire CreateFiscalYearModal and CloseFiscalYearWizard to mutations - Replace Momsindberetning mock data with real useVatReport query - Remove Dashboard hardcoded percentages and fake VAT deadline - Fix Kreditnotaer invoice selector to use real data - Fix mutation retry from 1 to 0 (prevent duplicate operations) Accounting compliance (Phase 3): - Add balanced entry validation (debit==credit) in JournalEntryDraftAggregate - Add fiscal year boundary enforcement (status, date range checks) - Add PostedAt timestamp to posted events (Bogføringsloven §7) - Add account number uniqueness check within company - Add fiscal year overlap and gap checks - Add sequential invoice auto-numbering - Fix InvoiceLine VAT rate to use canonical VatCodes - Fix SAF-T account type mapping (financial → Expense) - Add DraftLine validation (cannot have both debit and credit > 0) UX improvements (Phase 4): - Fix Danish character encoding across 15+ files (ø, æ, å) - Deploy DemoDataDisclaimer on pages with mock/incomplete data - Adopt PageHeader component universally across all pages - Standardize active/inactive filtering to Switch pattern - Fix dead buttons in Header (Help, Notifications) - Remove hardcoded mock data from Settings - Fix Sidebar controlled state and Kontooversigt navigation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-05 21:35:26 +01:00
			`// Require Owner or Accountant role to update a company`
			`var accessService = ctx.RequestServices!.GetRequiredService<ICompanyAccessService>();`
			`await accessService.RequireAccessAsync(id, CompanyRole.Accountant, ctx.CancellationToken);`

Initial commit: Books accounting system with EventFlow CQRS Backend (.NET 10): - EventFlow CQRS/Event Sourcing with PostgreSQL - GraphQL.NET API with mutations and queries - Custom ReadModelSqlGenerator for snake_case PostgreSQL columns - Hangfire for background job processing - Integration tests with isolated test databases Frontend (React/Vite): - Initial project structure 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-18 02:52:30 +01:00			`var input = ctx.GetArgument<UpdateCompanyInput>("input");`
			`var commandBus = ctx.RequestServices!.GetRequiredService<ICommandBus>();`
			`var repository = ctx.RequestServices!.GetRequiredService<ICompanyRepository>();`

			`var companyId = CompanyId.With(id);`

			`var command = new UpdateCompanyCommand(`
			`companyId,`
			`input.Name,`
			`input.Cvr,`
			`input.Address,`
			`input.PostalCode,`
			`input.City,`
			`input.Country ?? "DK",`
			`input.FiscalYearStartMonth ?? 1,`
			`input.Currency ?? "DKK",`
			`input.VatRegistered ?? false,`
			`input.VatPeriodFrequency);`

			`await commandBus.PublishAsync(command, ctx.CancellationToken);`

			`return await repository.GetByIdAsync(companyId.Value, ctx.CancellationToken);`
			`});`
			`}`
			`}`