Fizzy CLI

app/controllers/account/entropies_controller.rb

@@ -3,7 +3,10 @@ class Account::EntropiesController < ApplicationController
 
   def update
     Current.account.entropy.update!(entropy_params)
-    redirect_to account_settings_path, notice: "Account updated"
+    respond_to do |format|
+      format.html { redirect_to account_settings_path, notice: "Account updated" }
+      format.json { head :no_content }
+    end
   end
 
   private

app/controllers/account/exports_controller.rb

@@ -5,11 +5,25 @@ class Account::ExportsController < ApplicationController
   CURRENT_EXPORT_LIMIT = 10
 
   def show
+    respond_to do |format|
+      format.html
+      format.json do
+        if @export
+          render json: @export.as_json(only: %i[id status created_at])
+        else
+          head :not_found
+        end
+      end
+    end
   end
 
   def create
-    Current.account.exports.create!(user: Current.user).build_later
-    redirect_to account_settings_path, notice: "Export started. You'll receive an email when it's ready."
+    export = Current.account.exports.create!(user: Current.user)
+    export.build_later
+    respond_to do |format|
+      format.html { redirect_to account_settings_path, notice: "Export started. You'll receive an email when it's ready." }
+      format.json { render json: export.as_json(only: %i[id status created_at]), status: :accepted }
+    end
   end
 
   private

app/controllers/account/join_codes_controller.rb

@@ -3,22 +3,35 @@ class Account::JoinCodesController < ApplicationController
   before_action :ensure_admin, only: %i[ update destroy ]
 
   def show
+    respond_to do |format|
+      format.html
+      format.json { render json: @join_code.as_json(only: %i[code usage_limit usage_count]) }
+    end
   end
 
   def edit
   end
 
   def update
     if @join_code.update(join_code_params)
-      redirect_to account_join_code_path
+      respond_to do |format|
+        format.html { redirect_to account_join_code_path }
+        format.json { head :no_content }
+      end
     else
-      render :edit, status: :unprocessable_entity
+      respond_to do |format|
+        format.html { render :edit, status: :unprocessable_entity }
+        format.json { render json: { errors: @join_code.errors }, status: :unprocessable_entity }
+      end
     end
   end
 
   def destroy
     @join_code.reset
-    redirect_to account_join_code_path
+    respond_to do |format|
+      format.html { redirect_to account_join_code_path }
+      format.json { render json: @join_code.as_json(only: %i[code usage_limit usage_count]) }
+    end
   end
 
   private

app/controllers/account/settings_controller.rb

@@ -4,11 +4,18 @@ class Account::SettingsController < ApplicationController
 
   def show
     @users = @account.users.active.alphabetically.includes(:identity)
+    respond_to do |format|
+      format.html
+      format.json { render json: @account.as_json(only: %i[id name]) }
+    end
   end
 
   def update
     @account.update!(account_params)
-    redirect_to account_settings_path
+    respond_to do |format|
+      format.html { redirect_to account_settings_path }
+      format.json { head :no_content }
+    end
   end
 
   private

app/controllers/boards/entropies_controller.rb

@@ -5,6 +5,11 @@ class Boards::EntropiesController < ApplicationController
 
   def update
     @board.update!(entropy_params)
+    respond_to do |format|
+      format.html
+      format.turbo_stream
+      format.json { head :no_content }
+    end
   end
 
   private

app/controllers/boards/involvements_controller.rb

@@ -3,5 +3,10 @@ class Boards::InvolvementsController < ApplicationController
 
   def update
     @board.access_for(Current.user).update!(involvement: params[:involvement])
+    respond_to do |format|
+      format.html
+      format.turbo_stream
+      format.json { head :no_content }
+    end
   end
 end

app/controllers/boards/publications_controller.rb

@@ -5,10 +5,20 @@ class Boards::PublicationsController < ApplicationController
 
   def create
     @board.publish
+    respond_to do |format|
+      format.html
+      format.turbo_stream
+      format.json { render json: { key: @board.publication.key, url: published_board_url(@board) } }
+    end
   end
 
   def destroy
     @board.unpublish
     @board.reload
+    respond_to do |format|
+      format.html
+      format.turbo_stream
+      format.json { head :no_content }
+    end
   end
 end

app/controllers/cards/pins_controller.rb

@@ -8,15 +8,25 @@ def show
   def create
     @pin = @card.pin_by Current.user
 
-    broadcast_add_pin_to_tray
-    render_pin_button_replacement
+    respond_to do |format|
+      format.html do
+        broadcast_add_pin_to_tray
+        render_pin_button_replacement
+      end
+      format.json { head :no_content }
+    end
   end
 
   def destroy
     @pin = @card.unpin_by Current.user
 
-    broadcast_remove_pin_from_tray
-    render_pin_button_replacement
+    respond_to do |format|
+      format.html do
+        broadcast_remove_pin_from_tray
+        render_pin_button_replacement
+      end
+      format.json { head :no_content }
+    end
   end
 
   private

app/controllers/cards/publishes_controller.rb

@@ -4,11 +4,16 @@ class Cards::PublishesController < ApplicationController
   def create
     @card.publish
 
-    if add_another_param?
-      card = @board.cards.create!(status: :drafted)
-      redirect_to card_draft_path(card), notice: "Card added"
-    else
-      redirect_to @card.board
+    respond_to do |format|
+      format.html do
+        if add_another_param?
+          card = @board.cards.create!(status: :drafted)
+          redirect_to card_draft_path(card), notice: "Card added"
+        else
+          redirect_to @card.board
+        end
+      end
+      format.json { head :no_content }
     end
   end
 

app/controllers/columns/left_positions_controller.rb

@@ -4,5 +4,10 @@ class Columns::LeftPositionsController < ApplicationController
   def create
     @left_column = @column.left_column
     @column.move_left
+    respond_to do |format|
+      format.html
+      format.turbo_stream
+      format.json { head :no_content }
+    end
   end
 end

app/controllers/columns/right_positions_controller.rb

@@ -4,5 +4,10 @@ class Columns::RightPositionsController < ApplicationController
   def create
     @right_column = @column.right_column
     @column.move_right
+    respond_to do |format|
+      format.html
+      format.turbo_stream
+      format.json { head :no_content }
+    end
   end
 end

app/controllers/oauth/authorizations_controller.rb

@@ -1,4 +1,21 @@
 class Oauth::AuthorizationsController < Oauth::BaseController
+  # Allow form submission to the client's redirect_uri for OAuth callbacks
+  # Only widen CSP if the client allows this redirect_uri (validated in before_action)
+  content_security_policy only: :new do |policy|
+    if (redirect_uri = params[:redirect_uri]).present? && (client_id = params[:client_id]).present?
+      client = Oauth::Client.find_by(client_id: client_id)
+      if client&.allows_redirect?(redirect_uri)
+        begin
+          uri = URI.parse(redirect_uri)
+          origin = "#{uri.scheme}://#{uri.host}#{":#{uri.port}" if uri.port}"
+          policy.form_action :self, origin
+        rescue URI::InvalidURIError
+          # Invalid URI - don't widen CSP
+        end
+      end
+    end
+  end
+
   before_action :save_oauth_return_url
   before_action :require_authentication
 

app/controllers/users/roles_controller.rb

@@ -4,7 +4,10 @@ class Users::RolesController < ApplicationController
 
   def update
     @user.update!(role_params)
-    redirect_to account_settings_path
+    respond_to do |format|
+      format.html { redirect_to account_settings_path }
+      format.json { head :no_content }
+    end
   end
 
   private

app/controllers/webhooks_controller.rb

@@ -16,21 +16,30 @@ def new
   end
 
   def create
-    webhook = @board.webhooks.create!(webhook_params)
-    redirect_to webhook
+    @webhook = @board.webhooks.create!(webhook_params)
+    respond_to do |format|
+      format.html { redirect_to @webhook }
+      format.json
+    end
   end
 
   def edit
   end
 
   def update
     @webhook.update!(webhook_params.except(:url))
-    redirect_to @webhook
+    respond_to do |format|
+      format.html { redirect_to @webhook }
+      format.json { head :no_content }
+    end
   end
 
   def destroy
     @webhook.destroy!
-    redirect_to board_webhooks_path
+    respond_to do |format|
+      format.html { redirect_to board_webhooks_path }
+      format.json { head :no_content }
+    end
   end
 
   private

app/views/webhooks/create.json.jbuilder

@@ -0,0 +1,2 @@
+json.(@webhook, :id, :name, :url, :subscribed_actions)
+json.created_at @webhook.created_at.utc

app/views/webhooks/index.json.jbuilder

@@ -0,0 +1,4 @@
+json.array! @webhooks do |webhook|
+  json.(webhook, :id, :name, :url, :subscribed_actions)
+  json.created_at webhook.created_at.utc
+end

app/views/webhooks/show.json.jbuilder

@@ -0,0 +1,3 @@
+json.(@webhook, :id, :name, :url, :subscribed_actions)
+json.created_at @webhook.created_at.utc
+json.updated_at @webhook.updated_at.utc

cli/PARITY.md

@@ -0,0 +1,43 @@
+# API ↔ CLI Parity Matrix
+
+Status: ✅ full | ⚠️ partial | — not covered
+
+| Area | API Docs | CLI Commands | Notes |
+|------|----------|--------------|-------|
+| Auth | ✅ PAT + magic link | ✅ PAT (`FIZZY_TOKEN`) | OAuth undocumented |
+| Identity | ✅ `GET /my/identity` | ✅ `fizzy identity` | |
+| Boards | ✅ list/show/create/update/delete | ✅ `boards`, `board show/create/update/delete` | |
+| Board publish | ✅ publish/unpublish | ✅ `board publish/unpublish` | Uses publish response URL |
+| Board entropy | ✅ | ✅ `board entropy` | |
+| Columns | ✅ list/show/create/update/delete | ✅ `columns`, `column show/create/update/delete` | |
+| Column reorder | ✅ left/right | ✅ `column left/right` | Shallow routes (no board in path) |
+| Cards list/show | ✅ filters + show | ✅ `cards`, `show` | Search via `terms[]` filter |
+| Card create/update/delete | ✅ | ✅ `card`, `card update`, `card delete` | |
+| Card image | ✅ delete | ✅ `card image delete` | |
+| Card lifecycle | ✅ close/reopen/postpone | ✅ `close`, `reopen`, `postpone` | |
+| Card triage | ✅ triage/untriage | ✅ `triage`, `untriage` | |
+| Card tagging | ✅ | ✅ `tag`, `untag` | |
+| Card assignment | ✅ | ✅ `assign`, `unassign` | |
+| Card watch | ✅ | ✅ `watch`, `unwatch` | |
+| Card gold | ✅ | ✅ `gild`, `ungild` | |
+| Card publish | ✅ | ✅ `card publish` | |
+| Card move | ✅ | ✅ `card move --to` | Top-level `board_id` |
+| Comments | ✅ list/show/create/update/delete | ✅ `comments`, `comment`, `comment edit/delete` | Update returns 204 |
+| Reactions | ✅ list/create/delete | ✅ `reactions`, `react`, `react delete` | |
+| Steps | ✅ show/create/update/delete | ✅ `step show/create/update/delete` | |
+| Tags | ✅ list | ✅ `tags` | |
+| Users | ✅ list/show/update/delete/role | ✅ `people`, `user show/update/delete/role` | |
+| Notifications | ✅ list/read/unread/bulk | ✅ `notifications`, `read/unread/read-all` | |
+| Account | ✅ show/update/entropy/join-code/export | ✅ `account show/update/entropy/join-code/export` | Export accepts 202 |
+| Webhooks | ✅ list/show/create/update/delete | ✅ `webhooks`, `webhook create/show/update/delete` | Actions match `PERMITTED_ACTIONS` |
+
+## Intentional Omissions
+
+These API endpoints exist but are intentionally not documented or exposed in the CLI:
+
+| Endpoint | Reason |
+|----------|--------|
+| `POST/DELETE /cards/:card_id/pin` | Internal UI feature |
+| `PUT /boards/:board_id/involvement` | Internal UI feature |
+
+These are Tier 3 endpoints—functional but not part of the public API contract.