From 4bd40f047a6f4703945c6db2811d8feda27241d6 Mon Sep 17 00:00:00 2001
From: soryu <soryu@soryu.co>
Date: Mon, 16 Feb 2026 19:01:56 +0000
Subject: soryu-co/soryu - makima (#66)

* feat: soryu-co/soryu - makima: Fix contracts page scrolling overflow

* WIP: heartbeat checkpoint

* WIP: heartbeat checkpoint

* WIP: heartbeat checkpoint

* WIP: heartbeat checkpoint
---
 makima/src/server/handlers/orders.rs | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

(limited to 'makima/src/server/handlers/orders.rs')

diff --git a/makima/src/server/handlers/orders.rs b/makima/src/server/handlers/orders.rs
index cddf6a6..1251f79 100644
--- a/makima/src/server/handlers/orders.rs
+++ b/makima/src/server/handlers/orders.rs
@@ -81,13 +81,14 @@ pub async fn list_orders(
     }
 }
 
-/// Create a new order.
+/// Create a new order. A valid directive_id is required.
 #[utoipa::path(
     post,
     path = "/api/v1/orders",
     request_body = CreateOrderRequest,
     responses(
         (status = 201, description = "Order created", body = Order),
+        (status = 400, description = "Invalid directive_id", body = ApiError),
         (status = 401, description = "Unauthorized", body = ApiError),
         (status = 503, description = "Database not configured", body = ApiError),
     ),
@@ -107,6 +108,29 @@ pub async fn create_order(
             .into_response();
     };
 
+    // Validate the directive exists and belongs to this owner.
+    // directive_id is required by the CreateOrderRequest struct (Uuid, not Option<Uuid>).
+    match repository::get_directive_for_owner(pool, auth.owner_id, req.directive_id).await {
+        Ok(Some(_)) => {}
+        Ok(None) => {
+            return (
+                StatusCode::BAD_REQUEST,
+                Json(ApiError::new(
+                    "INVALID_DIRECTIVE",
+                    "directive_id is required and must reference a valid directive owned by you",
+                )),
+            )
+                .into_response();
+        }
+        Err(e) => {
+            return (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Json(ApiError::new("VALIDATION_FAILED", &e.to_string())),
+            )
+                .into_response();
+        }
+    }
+
     match repository::create_order(pool, auth.owner_id, req).await {
         Ok(order) => (StatusCode::CREATED, Json(order)).into_response(),
         Err(e) => {
-- 
cgit v1.2.3