From 14bab444ff061c13dac0effb7f08aa135ab70c5c Mon Sep 17 00:00:00 2001
From: Disco DeDisco <adamcraighamilton@gmail.com>
Date: Fri, 8 May 2026 18:15:43 -0400
Subject: [PATCH] =?UTF-8?q?brief=20sprint=20C3.b+c+d+e:=20share-post=20Lin?=
 =?UTF-8?q?e+Brief=20async,=20magic-link=20/=20invalid-link=20banners=20us?=
 =?UTF-8?q?e=20Brief=20styling,=20.alert-*=20retired=20=E2=80=94=20TDD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes the C3 brief sprint. Three event sources (note unlock, share invite, login messages) now route through the Brief slide-down, & the legacy .alert-success/.alert-warning rendering in base.html is retired.

C3.b — share-post async Line + Brief:
- billboard.share_post detects Accept: application/json. JSON path appends a Line (text="Shared with X at <isoformat>", isoformat carries microseconds so two rapid shares of the same email don't collide on Line.unique_together(post,text)), spawns a Brief(kind=SHARE_INVITE) for the sharer, and returns {brief: brief.to_banner_dict() | None, line_text, recipient_display}. Sharer-shares-with-themselves stays a silent no-op (response carries brief: null). Legacy form-submit path preserved for non-AJAX (still redirects + flashes the privacy-safe message — kept for older FTs / no-JS fallback).
- billboard.Brief.to_banner_dict() (moved from dashboard.views helper to a model method) shapes the JSON the banner JS consumes.
- post.html: share form intercepted by JS — fetches POST w. Accept:application/json, then appends `data.line_text` as the next row in #id_post_table, calls Brief.showBanner(data.brief), and (when registered) appends a fresh `<span class="post-recipient">` to the new #id_post_recipients box. No page reload — the alert-success flash is gone.
- 10 new ITs (SharePostAsyncTest + SharePostLegacyRedirectTest) cover the JSON path, line append, brief creation w. SHARE_INVITE kind, registered/unregistered recipient behaviour, sharer-self skip, line dedupe via timestamp, and that the legacy form-submit redirect path still works.
- functional_tests.test_sharing line numbering updated: the share now records its own Line so the alice-reply lands at row 3 instead of 2.

C3.c+d — magic-link confirmation + invalid-link error use Brief banner styling:
- base.html's {% if messages %} block stops rendering .alert-success/.alert-warning divs. Instead each message renders as a transient Brief-styled banner: <div class="note-banner note-banner--message note-banner--{{level_tag}}"> with .note-banner__body / __description carrying the message text and a .btn-cancel NVM that removes the banner via inline onclick. No DB Brief row; no FYI; no square. Same Gaussian-glass look as note-unlock + share-invite Briefs.
- _note.scss adds the note-banner--message variant (full-opacity description) + note-banner--error/--warning border-color override (priRd 0.6) so the invalid-link banner reads as red/abandon.

C3.e — .alert-success/.alert-warning retired in markup; the SCSS class blocks aren't referenced anywhere else in templates so they sit dormant (left in place — base form styling keeps .form-control etc. working; no need to ripple into _base.scss).

Banner JS (note.js / Brief module) was untouched in C3.b+c+d — the Brief.showBanner contract from C3.a already handles all three kinds (NOTE_UNLOCK / USER_POST / SHARE_INVITE) by reading kind off the brief; the message-banner path doesn't go through showBanner because there's no Brief row.

Tests: 218 dashboard+billboard+api ITs + 322 lyric+dashboard+billboard ITs + 2 sharing FTs + 9 my_notes FTs + 1 Jasmine FT all green. Existing lyric.test_views login message-text assertions unchanged (they pull from messages framework — not the rendered HTML — so the markup swap doesn't affect them).

Code architected by Disco DeDisco <discodedisco@outlook.com>
Git commit message Co-Authored-By:
Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/apps/billboard/models.py                  |  18 +++
 .../tests/integrated/test_share_post.py       | 125 ++++++++++++++++++
 src/apps/billboard/views.py                   |  57 +++++++-
 src/apps/dashboard/views.py                   |  21 +--
 src/functional_tests/test_sharing.py          |   4 +-
 src/static_src/scss/_note.scss                |  12 ++
 src/templates/apps/billboard/post.html        |  70 +++++++++-
 src/templates/core/base.html                  |  21 +--
 8 files changed, 288 insertions(+), 40 deletions(-)
 create mode 100644 src/apps/billboard/tests/integrated/test_share_post.py

diff --git a/src/apps/billboard/models.py b/src/apps/billboard/models.py
index 8743a2a..f42841b 100644
--- a/src/apps/billboard/models.py
+++ b/src/apps/billboard/models.py
@@ -118,3 +118,21 @@ class Brief(models.Model):
             f"Brief({self.kind}, {self.owner.email}, "
             f"unread={self.is_unread})"
         )
+
+    def to_banner_dict(self):
+        """Shape this Brief for the slide-down banner JS. NOTE_UNLOCK kind
+        carries a square_url pointing at /billboard/my-notes/ so the
+        thumbnail-square inside the banner jumps direct to the user's Note
+        collection — other kinds get an empty square_url."""
+        square_url = ""
+        if self.kind == self.KIND_NOTE_UNLOCK:
+            square_url = reverse("billboard:my_notes")
+        return {
+            "id":         str(self.id),
+            "kind":       self.kind,
+            "title":      self.title,
+            "line_text":  self.line.text if self.line else "",
+            "post_url":   self.post.get_absolute_url(),
+            "square_url": square_url,
+            "created_at": self.created_at.isoformat(),
+        }
diff --git a/src/apps/billboard/tests/integrated/test_share_post.py b/src/apps/billboard/tests/integrated/test_share_post.py
new file mode 100644
index 0000000..8dcfdfe
--- /dev/null
+++ b/src/apps/billboard/tests/integrated/test_share_post.py
@@ -0,0 +1,125 @@
+"""ITs for share-post async-Brief flow (C3.b).
+
+POST /billboard/post/<uuid>/share-post w. Accept: application/json now:
+  - Adds the recipient to Post.shared_with (if registered, not the sharer)
+  - Appends a Line to the Post recording the share event
+  - Spawns a Brief(kind=SHARE_INVITE) for the sharer that JS slide-downs
+  - Returns JSON {brief: {…}, line_text: "…"}; no redirect, no messages
+
+Legacy form-submit (no Accept: application/json) still redirects + flashes
+the privacy-safe success message — kept for non-AJAX fallback / older FTs.
+"""
+
+from django.test import TestCase
+from django.urls import reverse
+
+from apps.billboard.models import Brief, Line, Post
+from apps.lyric.models import User
+
+
+class SharePostAsyncTest(TestCase):
+    def setUp(self):
+        self.sharer = User.objects.create(email="sharer@test.io")
+        self.client.force_login(self.sharer)
+        self.post = Post.objects.create(owner=self.sharer)
+
+    def _share_async(self, recipient_email):
+        return self.client.post(
+            reverse("billboard:share_post", args=[self.post.id]),
+            data={"recipient": recipient_email},
+            HTTP_ACCEPT="application/json",
+        )
+
+    def test_async_share_returns_brief_payload(self):
+        User.objects.create(email="alice@test.io")
+        response = self._share_async("alice@test.io")
+        self.assertEqual(response.status_code, 200)
+        body = response.json()
+        self.assertIn("brief", body)
+        self.assertIn("line_text", body)
+
+    def test_async_share_appends_line_to_post(self):
+        User.objects.create(email="alice@test.io")
+        self.assertEqual(self.post.lines.count(), 0)
+        self._share_async("alice@test.io")
+        self.assertEqual(self.post.lines.count(), 1)
+        line = self.post.lines.first()
+        self.assertIn("alice@test.io", line.text)
+
+    def test_async_share_creates_share_invite_brief_for_sharer(self):
+        User.objects.create(email="alice@test.io")
+        self._share_async("alice@test.io")
+        brief = Brief.objects.get(owner=self.sharer)
+        self.assertEqual(brief.kind, Brief.KIND_SHARE_INVITE)
+        self.assertEqual(brief.post, self.post)
+        self.assertIsNotNone(brief.line)
+        self.assertTrue(brief.is_unread)
+
+    def test_async_share_adds_registered_recipient_to_shared_with(self):
+        alice = User.objects.create(email="alice@test.io")
+        self._share_async("alice@test.io")
+        self.assertIn(alice, self.post.shared_with.all())
+
+    def test_async_share_unregistered_recipient_still_appends_line_and_brief(self):
+        """Privacy: even if the email isn't registered, the sharer gets the
+        same confirmation Brief + Line. Otherwise the response shape would
+        leak whether an address is on the system."""
+        response = self._share_async("ghost@test.io")
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.post.lines.count(), 1)
+        self.assertEqual(Brief.objects.filter(owner=self.sharer).count(), 1)
+
+    def test_async_share_does_not_add_owner_as_recipient(self):
+        """Sharer shares w. their own email — no shared_with add, no Line, no
+        Brief; response carries brief: null so the JS just no-ops."""
+        response = self._share_async("sharer@test.io")
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["brief"], None)
+        self.assertEqual(self.post.lines.count(), 0)
+        self.assertEqual(Brief.objects.filter(owner=self.sharer).count(), 0)
+        self.assertNotIn(self.sharer, self.post.shared_with.all())
+
+    def test_async_share_brief_payload_carries_share_invite_kind(self):
+        User.objects.create(email="alice@test.io")
+        body = self._share_async("alice@test.io").json()
+        self.assertEqual(body["brief"]["kind"], "share_invite")
+        self.assertIn("alice@test.io", body["line_text"])
+
+    def test_async_share_line_text_dedupes_via_timestamp(self):
+        """Two consecutive shares of the same email must not collide on the
+        Line.unique_together(post, text) constraint — the share line should
+        carry a timestamp suffix."""
+        User.objects.create(email="alice@test.io")
+        self._share_async("alice@test.io")
+        # Second share — should append a second distinct Line, not 500.
+        response = self._share_async("alice@test.io")
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.post.lines.count(), 2)
+
+
+class SharePostLegacyRedirectTest(TestCase):
+    """Legacy form-submit path (no Accept: application/json) is preserved —
+    redirects + flashes the privacy-safe message + adds shared_with. Existing
+    FTs that submit the share form via Selenium still work."""
+
+    def setUp(self):
+        self.sharer = User.objects.create(email="sharer@test.io")
+        self.client.force_login(self.sharer)
+        self.post = Post.objects.create(owner=self.sharer)
+
+    def test_form_submit_still_redirects(self):
+        User.objects.create(email="alice@test.io")
+        response = self.client.post(
+            reverse("billboard:share_post", args=[self.post.id]),
+            data={"recipient": "alice@test.io"},
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response["Location"], reverse("billboard:view_post", args=[self.post.id]))
+
+    def test_form_submit_still_adds_shared_with(self):
+        alice = User.objects.create(email="alice@test.io")
+        self.client.post(
+            reverse("billboard:share_post", args=[self.post.id]),
+            data={"recipient": "alice@test.io"},
+        )
+        self.assertIn(alice, self.post.shared_with.all())
diff --git a/src/apps/billboard/views.py b/src/apps/billboard/views.py
index 112be83..3fb7db1 100644
--- a/src/apps/billboard/views.py
+++ b/src/apps/billboard/views.py
@@ -8,8 +8,10 @@ from django.http import HttpResponseForbidden, JsonResponse
 from django.shortcuts import redirect, render
 
 from apps.applets.utils import applet_context, apply_applet_toggle
+from django.utils import timezone
+
 from apps.billboard.forms import ExistingPostLineForm, LineForm
-from apps.billboard.models import Brief, Post
+from apps.billboard.models import Brief, Line, Post
 from apps.dashboard.views import _PALETTE_DEFS
 from apps.drama.models import GameEvent, Note, ScrollPosition
 from apps.epic.models import Room
@@ -275,13 +277,58 @@ def my_posts(request, user_id):
 
 def share_post(request, post_id):
     our_post = Post.objects.get(id=post_id)
+    is_ajax = "application/json" in request.headers.get("Accept", "")
+
+    recipient_email = request.POST.get("recipient", "")
+    recipient = None
     try:
-        recipient = User.objects.get(email=request.POST["recipient"])
-        if recipient == request.user:
-            return redirect(our_post)
-        our_post.shared_with.add(recipient)
+        recipient = User.objects.get(email=recipient_email)
     except User.DoesNotExist:
         pass
+
+    # Sharer-tries-to-share-with-themselves: silent no-op (existing behavior).
+    if recipient is not None and recipient == request.user:
+        if is_ajax:
+            return JsonResponse({"brief": None, "line_text": ""})
+        return redirect(our_post)
+
+    if recipient is not None:
+        our_post.shared_with.add(recipient)
+
+    # Always append a Line + spawn a Brief for the sharer — privacy: the
+    # response shape mustn't leak whether the email is on the system. Line
+    # text carries an isoformat timestamp w/ microseconds so two rapid
+    # shares of the same email don't collide on the
+    # Line.unique_together(post, text) constraint.
+    line_text = (
+        f"Shared with {recipient_email} at {timezone.now().isoformat()}"
+    )
+    line = Line.objects.create(post=our_post, text=line_text)
+
+    brief = None
+    if request.user.is_authenticated:
+        brief = Brief.objects.create(
+            owner=request.user,
+            post=our_post,
+            line=line,
+            kind=Brief.KIND_SHARE_INVITE,
+            title="Invite sent",
+        )
+
+    if is_ajax:
+        # recipient_display is populated only when the address resolves to a
+        # registered User — same evidence the server-rendered .post-recipient
+        # list exposes; doesn't widen the privacy surface beyond what the
+        # post detail page already shows publicly.
+        recipient_display = None
+        if recipient is not None:
+            recipient_display = recipient.username or recipient.email
+        return JsonResponse({
+            "brief":             brief.to_banner_dict() if brief is not None else None,
+            "line_text":         line_text,
+            "recipient_display": recipient_display,
+        })
+
     messages.success(request, "An invite has been sent if that address is registered.")
     return redirect(our_post)
 
diff --git a/src/apps/dashboard/views.py b/src/apps/dashboard/views.py
index 4ad37e3..c67a2de 100644
--- a/src/apps/dashboard/views.py
+++ b/src/apps/dashboard/views.py
@@ -366,30 +366,11 @@ def sky_save(request):
     if user.sky_chart_data:
         note, created, brief = Note.grant_if_new(user, "stargazer")
         if created and brief is not None:
-            brief_payload = _brief_to_banner_dict(brief)
+            brief_payload = brief.to_banner_dict()
 
     return JsonResponse({"saved": True, "brief": brief_payload})
 
 
-def _brief_to_banner_dict(brief):
-    """Shape a Brief for the slide-down banner JS. NOTE_UNLOCK kind carries
-    a `square_url` pointing at /billboard/my-notes/ so the thumbnail-square
-    inside the banner jumps direct to the user's Note collection."""
-    square_url = ""
-    if brief.kind == "note_unlock":
-        from django.urls import reverse
-        square_url = reverse("billboard:my_notes")
-    return {
-        "id":         str(brief.id),
-        "kind":       brief.kind,
-        "title":      brief.title,
-        "line_text":  brief.line.text if brief.line else "",
-        "post_url":   brief.post.get_absolute_url(),
-        "square_url": square_url,
-        "created_at": brief.created_at.isoformat(),
-    }
-
-
 @login_required(login_url="/")
 def sky_delete(request):
     if request.method != 'POST':
diff --git a/src/functional_tests/test_sharing.py b/src/functional_tests/test_sharing.py
index ee3e5d9..89a5145 100644
--- a/src/functional_tests/test_sharing.py
+++ b/src/functional_tests/test_sharing.py
@@ -59,7 +59,9 @@ class SharingTest(FunctionalTest):
 
         self.browser = disco_browser
         self.browser.refresh()
-        post_page.wait_for_row_in_post_table("At your command, Disco King", 2)
+        # Line numbering: 1) "Send help" 2) "Shared with alice@test.io …"
+        # (auto-appended by share_post in C3.b) 3) Alice's reply.
+        post_page.wait_for_row_in_post_table("At your command, Disco King", 3)
 
 class PostAccessTest(FunctionalTest):
     def test_stranger_cannot_access_owned_post(self):
diff --git a/src/static_src/scss/_note.scss b/src/static_src/scss/_note.scss
index e44ba9e..d54e8ef 100644
--- a/src/static_src/scss/_note.scss
+++ b/src/static_src/scss/_note.scss
@@ -40,6 +40,18 @@
     .note-banner__fyi {
         flex-shrink: 0;
     }
+
+    // Transient message-banner variants (magic-link confirmation, errors).
+    // No DB Brief row — just inherits the Gaussian-glass shell from the
+    // .note-banner base & shifts the border colour for level=error/warning.
+    &.note-banner--message .note-banner__description {
+        opacity: 1;            // message body is the whole content; full opacity
+    }
+
+    &.note-banner--error,
+    &.note-banner--warning {
+        border-color: rgba(var(--priRd), 0.6);
+    }
 }
 
 // ── Notes page ─────────────────────────────────────────────────────────────
diff --git a/src/templates/apps/billboard/post.html b/src/templates/apps/billboard/post.html
index f96f299..2e2fa51 100644
--- a/src/templates/apps/billboard/post.html
+++ b/src/templates/apps/billboard/post.html
@@ -25,7 +25,7 @@
     <div class="row justify-content-center">
         <div class="col-lg-6">
 
-            <form method="POST" action="{% url "billboard:share_post" post.id %}">
+            <form id="id_share_form" method="POST" action="{% url "billboard:share_post" post.id %}">
                 {% csrf_token %}
                 <input
                     id="id_recipient"
@@ -44,9 +44,11 @@
                 <button type="submit" class="btn btn-primary">Share</button>
             </form>
             <small>Post shared with:
-                {% for user in post.shared_with.all %}
-                    <span class="post-recipient">{{ user|display_name }}</span>
-                {% endfor %}
+                <span id="id_post_recipients">
+                    {% for user in post.shared_with.all %}
+                        <span class="post-recipient">{{ user|display_name }}</span>
+                    {% endfor %}
+                </span>
             </small>
         </div>
     </div>
@@ -54,4 +56,64 @@
 
 {% block scripts %}
     {% include "apps/dashboard/_partials/_scripts.html" %}
+    <script>
+    // Async share: intercepts the share form, POSTs w. Accept:application/json,
+    // then slide-downs the SHARE_INVITE Brief banner under the navbar h2 + appends
+    // the freshly-recorded Line into #id_post_table. No page reload — the legacy
+    // alert-success flash is gone.
+    (function () {
+        'use strict';
+        var form = document.getElementById('id_share_form');
+        var input = document.getElementById('id_recipient');
+        var table = document.getElementById('id_post_table');
+        var recipientsBox = document.getElementById('id_post_recipients');
+        if (!form || !input || !table) return;
+
+        function _csrf() {
+            var m = document.cookie.match(/csrftoken=([^;]+)/);
+            return m ? m[1] : '';
+        }
+
+        function _appendLine(text) {
+            var n = table.querySelectorAll('tr').length + 1;
+            var tr = document.createElement('tr');
+            var td = document.createElement('td');
+            td.textContent = n + '. ' + text;
+            tr.appendChild(td);
+            table.appendChild(tr);
+        }
+
+        form.addEventListener('submit', function (e) {
+            e.preventDefault();
+            var fd = new FormData(form);
+            fetch(form.action, {
+                method: 'POST',
+                credentials: 'same-origin',
+                headers: {
+                    'Accept':       'application/json',
+                    'X-CSRFToken':  _csrf(),
+                },
+                body: fd,
+            })
+                .then(function (r) { return r.ok ? r.json() : Promise.reject(r.status); })
+                .then(function (data) {
+                    if (data.line_text) _appendLine(data.line_text);
+                    if (window.Brief && data.brief) Brief.showBanner(data.brief);
+                    if (data.recipient_display && recipientsBox) {
+                        var span = document.createElement('span');
+                        span.className = 'post-recipient';
+                        span.textContent = data.recipient_display;
+                        recipientsBox.appendChild(document.createTextNode(' '));
+                        recipientsBox.appendChild(span);
+                    }
+                    input.value = '';
+                })
+                .catch(function () {
+                    // No-op for now — the privacy-safe response shape means
+                    // even an unregistered recipient is a 200 w. brief data;
+                    // a true error path (5xx) silently swallows.
+                });
+        });
+    }());
+    </script>
 {% endblock scripts %}
diff --git a/src/templates/core/base.html b/src/templates/core/base.html
index b6f6df2..e829894 100644
--- a/src/templates/core/base.html
+++ b/src/templates/core/base.html
@@ -30,17 +30,18 @@
             </div>
 
             {% if messages %}
-                <div class="row">
-                    <div class="col-md-12">
-                        {% for message in messages %}
-                            {% if message.level_tag == 'success' %}
-                                <div class="alert alert-success">{{ message }}</div>
-                            {% else %}
-                                <div class="alert alert-warning">{{ message }}</div>
-                            {% endif %}
-                        {% endfor %}
+                {% for message in messages %}
+                    {# Transient Brief-styled banner — no DB row, no FYI/square. #}
+                    {# Slides in under the navbar h2 w. the same Gaussian-glass    #}
+                    {# look as the Brief notification banner; NVM dismisses.       #}
+                    <div class="note-banner note-banner--message note-banner--{{ message.level_tag }}">
+                        <div class="note-banner__body">
+                            <p class="note-banner__description">{{ message }}</p>
+                        </div>
+                        <button type="button" class="btn btn-cancel note-banner__nvm"
+                                onclick="this.parentElement.remove()">NVM</button>
                     </div>
-                </div>
+                {% endfor %}
             {% endif %}
 
             {% block content %}