Diffstat (limited to 'makima/src/server/handlers/orders.rs')
-rw-r--r--makima/src/server/handlers/orders.rs26
1 files changed, 25 insertions, 1 deletions
diff --git a/makima/src/server/handlers/orders.rs b/makima/src/server/handlers/orders.rs
index cddf6a6..1251f79 100644
--- a/makima/src/server/handlers/orders.rs
+++ b/makima/src/server/handlers/orders.rs
@@ -81,13 +81,14 @@ pub async fn list_orders(
}
}
-/// Create a new order.
+/// Create a new order. A valid directive_id is required.
#[utoipa::path(
post,
path = "/api/v1/orders",
request_body = CreateOrderRequest,
responses(
(status = 201, description = "Order created", body = Order),
+ (status = 400, description = "Invalid directive_id", body = ApiError),
(status = 401, description = "Unauthorized", body = ApiError),
(status = 503, description = "Database not configured", body = ApiError),
),
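Review bot: The responses list has no 500 entry, although the second hunk makes create_order return `StatusCode::INTERNAL_SERVER_ERROR` when the directive lookup fails, so the OpenAPI spec will not describe that outcome to clients. Add `(status = 500, description = "Internal server error", body = ApiError),` alongside the new 400 line. The 400 description could also state the ownership condition the handler enforces, e.g. `description = "directive_id missing, unknown, or not owned by the caller"`.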
@@ -107,6 +108,29 @@ pub async fn create_order(
.into_response();
};
+ // Validate the directive exists and belongs to this owner.
+ // directive_id is required by the CreateOrderRequest struct (Uuid, not Option<Uuid>).
+ match repository::get_directive_for_owner(pool, auth.owner_id, req.directive_id).await {
+ Ok(Some(_)) => {}
+ Ok(None) => {
+ return (
+ StatusCode::BAD_REQUEST,
+ Json(ApiError::new(
+ "INVALID_DIRECTIVE",
+ "directive_id is required and must reference a valid directive owned by you",
+ )),
+ )
+ .into_response();
+ }
+ Err(e) => {
+ return (
+ StatusCode::INTERNAL_SERVER_ERROR,
+ Json(ApiError::new("VALIDATION_FAILED", &e.to_string())),
+ )
+ .into_response();
+ }
+ }
+
match repository::create_order(pool, auth.owner_id, req).await {
Ok(order) => (StatusCode::CREATED, Json(order)).into_response(),
Err(e) => {
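Review bot: The `Err(e)` arm of the new directive check copies `e.to_string()` into the response body, so the caller receives whatever the repository layer's error says (presumably database or driver text). Log `e` on the server and return a fixed message instead, e.g. `Json(ApiError::new("VALIDATION_FAILED", "could not validate directive"))`. The `Ok(None)` arm correctly gives one answer for both a missing directive and one owned by someone else, which avoids an existence oracle and should stay that way. The lookup and `repository::create_order` are separate calls, so unless the insert itself is constrained to the owner's directive (not visible here), a directive removed between the two would still be accepted. create_order starts and ends outside this hunk.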