feat: enhance governance ballot functionality and bot integration

- Added rationaleComments field to the Ballot model in Prisma schema for storing draft rationale comments.
- Updated bot-related API endpoints to support governance ballot creation and updates, allowing bots to submit rationale comments.
- Improved proposal ID parsing logic across components to enhance error handling and type safety.
- Enhanced the BotManagementCard to utilize typed bot scopes for better type safety.
- Updated documentation to reflect new governance bot flow and API changes, ensuring clarity for developers.

Author: Andre-Diamond

prisma/migrations/20260226000000_add_ballot_rationale_comments/migration.sql

@@ -0,0 +1,3 @@
+ALTER TABLE "Ballot"
+ADD COLUMN "rationaleComments" TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
+ADD COLUMN "updatedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP;

prisma/schema.prisma

@@ -113,8 +113,10 @@ model Ballot {
   choices          String[]
   anchorUrls       String[] @default([])
   anchorHashes     String[] @default([])
+  rationaleComments String[] @default([])
   type             Int
   createdAt        DateTime @default(now())
+  updatedAt        DateTime @updatedAt
 }
 
 model Proxy {

scripts/bot-ref/README.md

@@ -127,3 +127,24 @@ BOT_TOKEN='...' BOT_CONFIG_PATH=bot-config.json npx tsx bot-client.ts walletIds
 ```
 
 The reference client only uses **bot-key auth** (POST /api/v1/botAuth). Wallet-based auth (getNonce + sign + authSigner) would require a real Cardano signer; implement that in your bot if needed.
+
+## Governance bot flow
+
+For governance automation, grant these bot scopes when creating the bot key:
+
+- `governance:read` to call `GET /api/v1/governanceActiveProposals`
+- `ballot:write` to call `POST /api/v1/botBallotsUpsert`
+
+Typical sequence:
+
+1. `POST /api/v1/botAuth` -> get bot JWT
+2. `GET /api/v1/governanceActiveProposals?network=0|1&details=false`
+3. Bot decides `Yes`/`No`/`Abstain` + optional `rationaleComment`
+4. `POST /api/v1/botBallotsUpsert` with `{ walletId, ballotId|ballotName, proposals[] }`
+5. Human reviews draft rationale in UI and uploads to IPFS via the existing "Upload to IPFS & Save" action
+
+Notes:
+
+- `proposalId` format is `<txHash>#<certIndex>`.
+- Bots cannot set `anchorUrl` or `anchorHash`; only `rationaleComment` draft text is accepted.
+- If `ballotName` matches multiple governance ballots, the API returns `409`; use `ballotId` to disambiguate.

src/__tests__/botBallotsUpsert.test.ts

@@ -0,0 +1,201 @@
+import { beforeAll, beforeEach, describe, expect, it, jest } from "@jest/globals";
+import type { NextApiRequest, NextApiResponse } from "next";
+
+const addCorsCacheBustingHeadersMock = jest.fn<(res: NextApiResponse) => void>();
+const corsMock = jest.fn<(req: NextApiRequest, res: NextApiResponse) => Promise<void>>();
+const applyRateLimitMock = jest.fn<(req: NextApiRequest, res: NextApiResponse) => boolean>();
+const applyBotRateLimitMock = jest.fn<(req: NextApiRequest, res: NextApiResponse, botId: string) => boolean>();
+const enforceBodySizeMock = jest.fn<(req: NextApiRequest, res: NextApiResponse, maxBytes: number) => boolean>();
+const verifyJwtMock = jest.fn();
+const isBotJwtMock = jest.fn();
+const assertBotWalletAccessMock = jest.fn();
+const findBotUserMock = jest.fn();
+const transactionMock = jest.fn();
+const parseScopeMock = jest.fn();
+const scopeIncludesMock = jest.fn();
+const isValidChoiceMock = jest.fn();
+const parseProposalIdMock = jest.fn();
+
+const txMock = {
+  ballot: {
+    findUnique: jest.fn(),
+    findMany: jest.fn(),
+    create: jest.fn(),
+    updateMany: jest.fn(),
+  },
+};
+
+jest.mock(
+  "@/lib/cors",
+  () => ({
+    __esModule: true,
+    addCorsCacheBustingHeaders: addCorsCacheBustingHeadersMock,
+    cors: corsMock,
+  }),
+  { virtual: true },
+);
+
+jest.mock(
+  "@/lib/security/requestGuards",
+  () => ({
+    __esModule: true,
+    applyRateLimit: applyRateLimitMock,
+    applyBotRateLimit: applyBotRateLimitMock,
+    enforceBodySize: enforceBodySizeMock,
+  }),
+  { virtual: true },
+);
+
+jest.mock(
+  "@/lib/verifyJwt",
+  () => ({
+    __esModule: true,
+    verifyJwt: verifyJwtMock,
+    isBotJwt: isBotJwtMock,
+  }),
+  { virtual: true },
+);
+
+jest.mock(
+  "@/lib/governance",
+  () => ({
+    __esModule: true,
+    isValidChoice: isValidChoiceMock,
+    parseProposalId: parseProposalIdMock,
+  }),
+  { virtual: true },
+);
+
+jest.mock(
+  "@/lib/auth/botKey",
+  () => ({
+    __esModule: true,
+    parseScope: parseScopeMock,
+    scopeIncludes: scopeIncludesMock,
+  }),
+  { virtual: true },
+);
+
+jest.mock(
+  "@/lib/auth/botAccess",
+  () => ({
+    __esModule: true,
+    assertBotWalletAccess: assertBotWalletAccessMock,
+  }),
+  { virtual: true },
+);
+
+jest.mock(
+  "@/server/db",
+  () => ({
+    __esModule: true,
+    db: {
+      botUser: {
+        findUnique: findBotUserMock,
+      },
+      $transaction: transactionMock,
+    },
+  }),
+  { virtual: true },
+);
+
+type ResponseMock = NextApiResponse & { statusCode?: number };
+
+function createMockResponse(): ResponseMock {
+  const res = {
+    statusCode: undefined as number | undefined,
+    status: jest.fn<(code: number) => NextApiResponse>(),
+    json: jest.fn<(payload: unknown) => unknown>(),
+    end: jest.fn<() => void>(),
+    setHeader: jest.fn<(name: string, value: string) => void>(),
+  };
+
+  res.status.mockImplementation((code: number) => {
+    res.statusCode = code;
+    return res as unknown as NextApiResponse;
+  });
+  res.json.mockImplementation((payload: unknown) => payload);
+  return res as unknown as ResponseMock;
+}
+
+let handler: (req: NextApiRequest, res: NextApiResponse) => Promise<void | NextApiResponse>;
+
+beforeAll(async () => {
+  ({ default: handler } = await import("../pages/api/v1/botBallotsUpsert"));
+});
+
+beforeEach(() => {
+  jest.clearAllMocks();
+  applyRateLimitMock.mockReturnValue(true);
+  applyBotRateLimitMock.mockReturnValue(true);
+  enforceBodySizeMock.mockReturnValue(true);
+  corsMock.mockResolvedValue(undefined);
+  verifyJwtMock.mockReturnValue({ address: "addr_test1", botId: "bot-1", type: "bot" });
+  isBotJwtMock.mockReturnValue(true);
+  parseScopeMock.mockImplementation((scope: string) => JSON.parse(scope));
+  scopeIncludesMock.mockImplementation((scopes: string[], required: string) =>
+    scopes.includes(required),
+  );
+  isValidChoiceMock.mockReturnValue(true);
+  parseProposalIdMock.mockImplementation((value: string) => {
+    const [txHash, certIndex] = value.split("#");
+    return { txHash, certIndex: Number(certIndex) };
+  });
+  findBotUserMock.mockResolvedValue({
+    id: "bot-1",
+    botKey: { scope: JSON.stringify(["multisig:read", "ballot:write"]) },
+  });
+  assertBotWalletAccessMock.mockResolvedValue({ wallet: { id: "wallet-1" }, role: "cosigner" });
+  transactionMock.mockImplementation(async (cb: any) => cb(txMock));
+});
+
+describe("botBallotsUpsert API", () => {
+  it("rejects anchor fields in proposal payload", async () => {
+    const req = {
+      method: "POST",
+      headers: { authorization: "Bearer token" },
+      body: {
+        walletId: "wallet-1",
+        proposals: [
+          {
+            proposalId: "tx#0",
+            proposalTitle: "Title",
+            choice: "Yes",
+            anchorUrl: "ipfs://should-not-be-allowed",
+          },
+        ],
+      },
+    } as unknown as NextApiRequest;
+    const res = createMockResponse();
+
+    await handler(req, res);
+
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(transactionMock).not.toHaveBeenCalled();
+  });
+
+  it("returns 409 when ballotName is ambiguous", async () => {
+    txMock.ballot.findMany.mockResolvedValue([
+      { id: "b1", walletId: "wallet-1", type: 1, description: "Gov", updatedAt: new Date() },
+      { id: "b2", walletId: "wallet-1", type: 1, description: "Gov", updatedAt: new Date() },
+    ]);
+
+    const req = {
+      method: "POST",
+      headers: { authorization: "Bearer token" },
+      body: {
+        walletId: "wallet-1",
+        ballotName: "Gov",
+        proposals: [{ proposalId: "tx#0", proposalTitle: "Title", choice: "No" }],
+      },
+    } as unknown as NextApiRequest;
+    const res = createMockResponse();
+
+    await handler(req, res);
+
+    expect(res.status).toHaveBeenCalledWith(409);
+    expect(res.json).toHaveBeenCalledWith({
+      error: "Multiple ballots match ballotName; provide ballotId to disambiguate",
+    });
+  });
+});