feat: sales activities, forecast products, catalog categories, member cache, procurement filters, and comprehensive tests

New features:
- ActivityController and manager for CW sales activities (CRUD)
- ForecastProductController for opportunity forecast/product lines
- CW member cache with dual-layer (in-memory + Redis) resolution
- Catalog category/subcategory/ecosystem taxonomy module
- Quote statuses type definitions with CW mapping
- User-defined fields (UDF) module with cache and event refresh
- Company sites CW module with serialization
- Procurement manager filters (category, ecosystem, manufacturer, price, stock)
- Opportunity notes CRUD and product line management via CW API
- Opportunity type definitions endpoint

Updates:
- OpportunityController: CW refresh, company hydration, activities, custom fields
- UserController: cwIdentifier field for CW member linking
- CatalogItemController: category/subcategory fields from CW
- PermissionNodes: sales note/product CRUD nodes, subCategories, collectPermissions
- API routes: procurement categories/filters, sales notes/products, opportunity types
- Global events: UDF and member refresh intervals on startup

Tests (414 passing):
- ActivityController, ForecastProductController, OpportunityController unit tests
- UserController cwIdentifier tests
- catalogCategories, companySites, memberCache, procurement module tests
- activityTypes, opportunityTypes, quoteStatuses type tests
- permissionNodes subCategories and getAllPermissionNodes tests
- Updated test setup with redis mock, API method mocks, and builder helpers

src/api/sales/[id]/contacts.ts

@@ -3,7 +3,6 @@ import { opportunities } from "../../../managers/opportunities";
 import { apiResponse } from "../../../modules/api-utils/apiResponse";
 import { ContentfulStatusCode } from "hono/utils/http-status";
 import { authMiddleware } from "../../middleware/authorization";
-import { opportunityCw } from "../../../modules/cw-utils/opportunities/opportunities";
 
 /* GET /v1/sales/opportunities/:identifier/contacts */
 export default createRoute(
@@ -13,22 +12,7 @@ export default createRoute(
     const identifier = c.req.param("identifier");
     const item = await opportunities.fetchItem(identifier);
 
-    const contacts = await opportunityCw.fetchContacts(item.cwOpportunityId);
-
-    const data = contacts.map((ct) => ({
-      id: ct.id,
-      contact: ct.contact ? { id: ct.contact.id, name: ct.contact.name } : null,
-      company: ct.company
-        ? {
-            id: ct.company.id,
-            identifier: ct.company.identifier,
-            name: ct.company.name,
-          }
-        : null,
-      role: ct.role ? { id: ct.role.id, name: ct.role.name } : null,
-      notes: ct.notes,
-      referralFlag: ct.referralFlag,
-    }));
+    const data = await item.fetchContacts();
 
     const response = apiResponse.successful(
       "Opportunity contacts fetched successfully!",

src/api/sales/[id]/createNote.ts

@@ -0,0 +1,47 @@
+import { createRoute } from "../../../modules/api-utils/createRoute";
+import { opportunities } from "../../../managers/opportunities";
+import { apiResponse } from "../../../modules/api-utils/apiResponse";
+import { ContentfulStatusCode } from "hono/utils/http-status";
+import { authMiddleware } from "../../middleware/authorization";
+import { resolveMember } from "../../../modules/cw-utils/members/memberCache";
+import { z } from "zod";
+
+/* POST /v1/sales/opportunities/:identifier/notes */
+export default createRoute(
+  "post",
+  ["/opportunities/:identifier/notes"],
+  async (c) => {
+    const identifier = c.req.param("identifier");
+    const body = await c.req.json();
+
+    const schema = z.object({
+      text: z.string().min(1, "Note text is required"),
+      flagged: z.boolean().optional(),
+    });
+
+    const data = schema.parse(body);
+
+    const item = await opportunities.fetchItem(identifier);
+    const user = c.get("user");
+
+    const created = await item.addNote(data.text, user.login, {
+      flagged: data.flagged,
+    });
+
+    const response = apiResponse.created(
+      "Opportunity note created successfully!",
+      {
+        id: created.id,
+        text: created.text,
+        type: created.type
+          ? { id: created.type.id, name: created.type.name }
+          : null,
+        flagged: created.flagged,
+        enteredBy: await resolveMember(created.enteredBy),
+      },
+    );
+
+    return c.json(response, response.status as ContentfulStatusCode);
+  },
+  authMiddleware({ permissions: ["sales.opportunity.note.create"] }),
+);

src/api/sales/[id]/deleteNote.ts

@@ -0,0 +1,33 @@
+import { createRoute } from "../../../modules/api-utils/createRoute";
+import { opportunities } from "../../../managers/opportunities";
+import { apiResponse } from "../../../modules/api-utils/apiResponse";
+import { ContentfulStatusCode } from "hono/utils/http-status";
+import { authMiddleware } from "../../middleware/authorization";
+import GenericError from "../../../Errors/GenericError";
+
+/* DELETE /v1/sales/opportunities/:identifier/notes/:noteId */
+export default createRoute(
+  "delete",
+  ["/opportunities/:identifier/notes/:noteId"],
+  async (c) => {
+    const identifier = c.req.param("identifier");
+    const noteId = Number(c.req.param("noteId"));
+
+    if (isNaN(noteId))
+      throw new GenericError({
+        status: 400,
+        name: "InvalidNoteId",
+        message: "Note ID must be a number",
+      });
+
+    const item = await opportunities.fetchItem(identifier);
+    await item.deleteNote(noteId);
+
+    const response = apiResponse.successful(
+      "Opportunity note deleted successfully!",
+    );
+
+    return c.json(response, response.status as ContentfulStatusCode);
+  },
+  authMiddleware({ permissions: ["sales.opportunity.note.delete"] }),
+);

src/api/sales/[id]/fetch.ts

@@ -3,6 +3,7 @@ import { opportunities } from "../../../managers/opportunities";
 import { apiResponse } from "../../../modules/api-utils/apiResponse";
 import { ContentfulStatusCode } from "hono/utils/http-status";
 import { authMiddleware } from "../../middleware/authorization";
+import { processObjectValuePerms } from "../../../modules/permission-utils/processObjectPermissions";
 
 /* GET /v1/sales/opportunities/:identifier */
 export default createRoute(
@@ -13,9 +14,18 @@ export default createRoute(
 
     const item = await opportunities.fetchItem(identifier);
 
+    // Eagerly load site data so toJson() includes full site info
+    await item.fetchSite();
+
+    const gatedData = await processObjectValuePerms(
+      item.toJson(),
+      "obj.opportunity",
+      c.get("user"),
+    );
+
     const response = apiResponse.successful(
       "Opportunity fetched successfully!",
-      item.toJson(),
+      gatedData,
     );
 
     return c.json(response, response.status as ContentfulStatusCode);

src/api/sales/[id]/fetchNote.ts

@@ -0,0 +1,34 @@
+import { createRoute } from "../../../modules/api-utils/createRoute";
+import { opportunities } from "../../../managers/opportunities";
+import { apiResponse } from "../../../modules/api-utils/apiResponse";
+import { ContentfulStatusCode } from "hono/utils/http-status";
+import { authMiddleware } from "../../middleware/authorization";
+import GenericError from "../../../Errors/GenericError";
+
+/* GET /v1/sales/opportunities/:identifier/notes/:noteId */
+export default createRoute(
+  "get",
+  ["/opportunities/:identifier/notes/:noteId"],
+  async (c) => {
+    const identifier = c.req.param("identifier");
+    const noteId = Number(c.req.param("noteId"));
+
+    if (isNaN(noteId))
+      throw new GenericError({
+        status: 400,
+        name: "InvalidNoteId",
+        message: "Note ID must be a number",
+      });
+
+    const item = await opportunities.fetchItem(identifier);
+    const data = await item.fetchNote(noteId);
+
+    const response = apiResponse.successful(
+      "Opportunity note fetched successfully!",
+      data,
+    );
+
+    return c.json(response, response.status as ContentfulStatusCode);
+  },
+  authMiddleware({ permissions: ["sales.opportunity.fetch"] }),
+);

src/api/sales/[id]/forecasts.ts

@@ -1,39 +0,0 @@
-import { createRoute } from "../../../modules/api-utils/createRoute";
-import { opportunities } from "../../../managers/opportunities";
-import { apiResponse } from "../../../modules/api-utils/apiResponse";
-import { ContentfulStatusCode } from "hono/utils/http-status";
-import { authMiddleware } from "../../middleware/authorization";
-import { opportunityCw } from "../../../modules/cw-utils/opportunities/opportunities";
-
-/* GET /v1/sales/opportunities/:identifier/forecasts */
-export default createRoute(
-  "get",
-  ["/opportunities/:identifier/forecasts"],
-  async (c) => {
-    const identifier = c.req.param("identifier");
-    const item = await opportunities.fetchItem(identifier);
-
-    const forecasts = await opportunityCw.fetchForecasts(item.cwOpportunityId);
-
-    const data = forecasts.map((f) => ({
-      id: f.id,
-      forecastType: f.forecastType,
-      forecastMonth: f.forecastMonth,
-      revenue: f.revenue,
-      cost: f.cost,
-      forecastPercentage: f.forecastPercentage,
-      status: f.status ? { id: f.status.id, name: f.status.name } : null,
-      includedFlag: f.includedFlag,
-      linkedFlag: f.linkedFlag,
-      recurringFlag: f.recurringFlag,
-    }));
-
-    const response = apiResponse.successful(
-      "Opportunity forecasts fetched successfully!",
-      data,
-    );
-
-    return c.json(response, response.status as ContentfulStatusCode);
-  },
-  authMiddleware({ permissions: ["sales.opportunity.fetch"] }),
-);

src/api/sales/[id]/notes.ts

@@ -3,7 +3,6 @@ import { opportunities } from "../../../managers/opportunities";
 import { apiResponse } from "../../../modules/api-utils/apiResponse";
 import { ContentfulStatusCode } from "hono/utils/http-status";
 import { authMiddleware } from "../../middleware/authorization";
-import { opportunityCw } from "../../../modules/cw-utils/opportunities/opportunities";
 
 /* GET /v1/sales/opportunities/:identifier/notes */
 export default createRoute(
@@ -13,15 +12,7 @@ export default createRoute(
     const identifier = c.req.param("identifier");
     const item = await opportunities.fetchItem(identifier);
 
-    const notes = await opportunityCw.fetchNotes(item.cwOpportunityId);
-
-    const data = notes.map((n) => ({
-      id: n.id,
-      text: n.text,
-      type: n.type ? { id: n.type.id, name: n.type.name } : null,
-      flagged: n.flagged,
-      enteredBy: n.enteredBy,
-    }));
+    const data = await item.fetchNotes();
 
     const response = apiResponse.successful(
       "Opportunity notes fetched successfully!",

src/api/sales/[id]/products.ts

@@ -0,0 +1,25 @@
+import { createRoute } from "../../../modules/api-utils/createRoute";
+import { opportunities } from "../../../managers/opportunities";
+import { apiResponse } from "../../../modules/api-utils/apiResponse";
+import { ContentfulStatusCode } from "hono/utils/http-status";
+import { authMiddleware } from "../../middleware/authorization";
+
+/* GET /v1/sales/opportunities/:identifier/products */
+export default createRoute(
+  "get",
+  ["/opportunities/:identifier/products"],
+  async (c) => {
+    const identifier = c.req.param("identifier");
+    const item = await opportunities.fetchItem(identifier);
+
+    const data = await item.fetchProducts();
+
+    const response = apiResponse.successful(
+      "Opportunity products fetched successfully!",
+      data.map((p) => p.toJson()),
+    );
+
+    return c.json(response, response.status as ContentfulStatusCode);
+  },
+  authMiddleware({ permissions: ["sales.opportunity.fetch"] }),
+);

src/api/sales/[id]/resequenceProducts.ts

@@ -0,0 +1,44 @@
+import { createRoute } from "../../../modules/api-utils/createRoute";
+import { opportunities } from "../../../managers/opportunities";
+import { apiResponse } from "../../../modules/api-utils/apiResponse";
+import { ContentfulStatusCode } from "hono/utils/http-status";
+import { authMiddleware } from "../../middleware/authorization";
+import { z } from "zod";
+
+/* PATCH /v1/sales/opportunities/:identifier/products/sequence */
+export default createRoute(
+  "patch",
+  ["/opportunities/:identifier/products/sequence"],
+  async (c) => {
+    const identifier = c.req.param("identifier");
+    const body = await c.req.json();
+
+    const schema = z.object({
+      orderedIds: z
+        .array(z.number().int().positive())
+        .min(1, "At least one forecast item ID is required"),
+    });
+
+    const { orderedIds } = schema.parse(body);
+
+    const item = await opportunities.fetchItem(identifier);
+    const updated = await item.resequenceProducts(orderedIds);
+
+    // Map original IDs to the new IDs returned by ConnectWise
+    const idMap: Record<number, number> = {};
+    for (let i = 0; i < orderedIds.length; i++) {
+      idMap[orderedIds[i]!] = updated[i]!.cwForecastId;
+    }
+
+    const response = apiResponse.successful(
+      "Product sequence updated successfully!",
+      {
+        products: updated.map((p) => p.toJson()),
+        idMap,
+      },
+    );
+
+    return c.json(response, response.status as ContentfulStatusCode);
+  },
+  authMiddleware({ permissions: ["sales.opportunity.product.update"] }),
+);

src/api/sales/[id]/updateNote.ts

@@ -0,0 +1,57 @@
+import { createRoute } from "../../../modules/api-utils/createRoute";
+import { opportunities } from "../../../managers/opportunities";
+import { apiResponse } from "../../../modules/api-utils/apiResponse";
+import { ContentfulStatusCode } from "hono/utils/http-status";
+import { authMiddleware } from "../../middleware/authorization";
+import GenericError from "../../../Errors/GenericError";
+import { resolveMember } from "../../../modules/cw-utils/members/memberCache";
+import { z } from "zod";
+
+/* PATCH /v1/sales/opportunities/:identifier/notes/:noteId */
+export default createRoute(
+  "patch",
+  ["/opportunities/:identifier/notes/:noteId"],
+  async (c) => {
+    const identifier = c.req.param("identifier");
+    const noteId = Number(c.req.param("noteId"));
+
+    if (isNaN(noteId))
+      throw new GenericError({
+        status: 400,
+        name: "InvalidNoteId",
+        message: "Note ID must be a number",
+      });
+
+    const body = await c.req.json();
+
+    const schema = z
+      .object({
+        text: z.string().min(1).optional(),
+        flagged: z.boolean().optional(),
+      })
+      .refine((d) => d.text !== undefined || d.flagged !== undefined, {
+        message: "At least one of 'text' or 'flagged' must be provided",
+      });
+
+    const data = schema.parse(body);
+
+    const item = await opportunities.fetchItem(identifier);
+    const updated = await item.updateNote(noteId, data);
+
+    const response = apiResponse.successful(
+      "Opportunity note updated successfully!",
+      {
+        id: updated.id,
+        text: updated.text,
+        type: updated.type
+          ? { id: updated.type.id, name: updated.type.name }
+          : null,
+        flagged: updated.flagged,
+        enteredBy: await resolveMember(updated.enteredBy),
+      },
+    );
+
+    return c.json(response, response.status as ContentfulStatusCode);
+  },
+  authMiddleware({ permissions: ["sales.opportunity.note.update"] }),
+);