MicroPyramid
diff --git a/‎backend/accounts/tests/test_accounts_api.py‎
Lines changed: 22 additions & 0 deletions b/‎backend/accounts/tests/test_accounts_api.py‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎backend/accounts/views.py‎
Lines changed: 4 additions & 2 deletions b/‎backend/accounts/views.py‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎backend/cases/views.py‎
Lines changed: 88 additions & 37 deletions b/‎backend/cases/views.py‎
Lines changed: 88 additions & 37 deletions
diff --git a/‎backend/cases/watcher_views.py‎
Lines changed: 7 additions & 4 deletions b/‎backend/cases/watcher_views.py‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎backend/common/manager.py‎
Lines changed: 5 additions & 0 deletions b/‎backend/common/manager.py‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎backend/common/migrations/0026_add_user_name.py‎
Lines changed: 18 additions & 0 deletions b/‎backend/common/migrations/0026_add_user_name.py‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎backend/common/models.py‎
Lines changed: 10 additions & 0 deletions b/‎backend/common/models.py‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎backend/common/serializer.py‎
Lines changed: 1 addition & 1 deletion b/‎backend/common/serializer.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/common/tests/test_auth.py‎
Lines changed: 5 additions & 0 deletions b/‎backend/common/tests/test_auth.py‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎backend/common/tests/test_organizations.py‎
Lines changed: 37 additions & 0 deletions b/‎backend/common/tests/test_organizations.py‎
Lines changed: 37 additions & 0 deletions
@@ -685,6 +685,28 @@ def test_filter_by_assigned_to(self, admin_client, org_a, admin_profile):
         names = [a["name"] for a in response.json()["active_accounts"]["open_accounts"]]
         assert "Assigned Acct" in names
 
+    def test_filter_by_tags(self, admin_client, org_a):
+        """?tags=<uuid> returns only accounts carrying that tag.
+
+        Regression: previously the filter used `tags__in=params.get("tags")`,
+        iterating the UUID string char-by-char. Now uses
+        `tags__id__in=params.getlist("tags")`.
+        """
+        tag_vip = Tags.objects.create(name="VIP", org=org_a)
+        tag_cold = Tags.objects.create(name="Cold", org=org_a)
+        tagged = Account.objects.create(name="Tagged Acct", org=org_a)
+        tagged.tags.add(tag_vip)
+        other = Account.objects.create(name="Other Acct", org=org_a)
+        other.tags.add(tag_cold)
+        Account.objects.create(name="Untagged Acct", org=org_a)
+
+        response = admin_client.get(f"/api/accounts/?tags={tag_vip.id}")
+        assert response.status_code == 200
+        names = {
+            a["name"] for a in response.json()["active_accounts"]["open_accounts"]
+        }
+        assert names == {"Tagged Acct"}
+
     def test_filter_by_created_at_range(self, admin_client, org_a):
         """Filter accounts by created_at date range."""
         Account.objects.create(name="Date Range Acct", org=org_a)
 
@@ -77,8 +77,10 @@ def get_context_data(self, **kwargs):
                 queryset = queryset.filter(city__icontains=params.get("city"))
             if params.get("industry"):
                 queryset = queryset.filter(industry__icontains=params.get("industry"))
-            if params.get("tags"):
-                queryset = queryset.filter(tags__in=params.get("tags")).distinct()
+            if params.getlist("tags"):
+                queryset = queryset.filter(
+                    tags__id__in=params.getlist("tags")
+                ).distinct()
             if params.getlist("assigned_to"):
                 queryset = queryset.filter(
                     assigned_to__id__in=params.getlist("assigned_to")
 
@@ -51,6 +51,93 @@
 from contacts.serializer import ContactSerializer
 
 
+_ALLOWED_CASE_ORDERINGS = frozenset(
+    {
+        "-created_at",
+        "created_at",
+        "-priority",
+        "priority",
+        "-id",
+        "id",
+        "-name",
+        "name",
+    }
+)
+
+
+def apply_case_list_filters(queryset, params):
+    """Apply the case-list query-param filters to ``queryset``.
+
+    Shared between CaseListView and WatchingListView so both endpoints accept
+    the same filter chips from the mobile client. Caller is responsible for
+    the base scope (org membership, watcher allowance, etc.) — this only
+    layers in user-supplied filters.
+    """
+    if not params:
+        return queryset
+
+    if params.get("name"):
+        queryset = queryset.filter(name__icontains=params.get("name"))
+    # Status can be a single value or a list. Mobile uses the list form for
+    # its Open/Closed quick chips (Open = New, Assigned, Pending).
+    status_values = [s for s in params.getlist("status") if s]
+    if len(status_values) > 1:
+        queryset = queryset.filter(status__in=status_values)
+    elif status_values:
+        queryset = queryset.filter(status=status_values[0])
+    if params.get("priority"):
+        queryset = queryset.filter(priority=params.get("priority"))
+    if params.get("account"):
+        queryset = queryset.filter(account=params.get("account"))
+    if params.get("case_type"):
+        queryset = queryset.filter(case_type=params.get("case_type"))
+    if params.getlist("assigned_to"):
+        queryset = queryset.filter(
+            assigned_to__id__in=params.getlist("assigned_to")
+        ).distinct()
+    if params.get("tags"):
+        queryset = queryset.filter(tags__id__in=params.getlist("tags")).distinct()
+    if params.get("search"):
+        search = params.get("search")
+        queryset = queryset.filter(
+            Q(name__icontains=search) | Q(description__icontains=search)
+        )
+    if params.get("created_at__gte"):
+        queryset = queryset.filter(created_at__gte=params.get("created_at__gte"))
+    if params.get("created_at__lte"):
+        queryset = queryset.filter(created_at__lte=params.get("created_at__lte"))
+    if params.get("sla_breached") == "true":
+        # Wall-clock approximation matching the mobile card's
+        # `isFirstResponseSlaBreached` getter — `Case.is_sla_*_breached` uses
+        # business hours, but the badges on both clients compute from
+        # created_at + hours, so this filter mirrors what the user actually
+        # sees on the row. Postgres-specific (INTERVAL).
+        queryset = queryset.extra(
+            where=[
+                "(first_response_at IS NULL "
+                "AND sla_first_response_hours IS NOT NULL "
+                "AND created_at + sla_first_response_hours "
+                "* INTERVAL '1 hour' < NOW()) "
+                "OR (resolved_at IS NULL "
+                "AND sla_resolution_hours IS NOT NULL "
+                "AND created_at + sla_resolution_hours "
+                "* INTERVAL '1 hour' < NOW())"
+            ]
+        )
+    # Custom-field filters: ?cf_<key>=<value> -> custom_fields contains pair.
+    for raw_key, raw_value in params.items():
+        if raw_key.startswith("cf_") and raw_value:
+            cf_key = raw_key[3:]
+            if cf_key:
+                queryset = queryset.filter(custom_fields__contains={cf_key: raw_value})
+    # Ordering — whitelisted so callers can't sort on arbitrary cols.
+    ordering = params.get("ordering")
+    if ordering in _ALLOWED_CASE_ORDERINGS:
+        queryset = queryset.order_by(ordering, "-id")
+
+    return queryset
+
+
 class CaseListView(APIView, LimitOffsetPagination):
     permission_classes = (IsAuthenticated, HasOrgContext)
     model = Case
@@ -98,43 +185,7 @@ def get_context_data(self, **kwargs):
             ).distinct()
             profiles = profiles.filter(role="ADMIN")
 
-        if params:
-            if params.get("name"):
-                queryset = queryset.filter(name__icontains=params.get("name"))
-            if params.get("status"):
-                queryset = queryset.filter(status=params.get("status"))
-            if params.get("priority"):
-                queryset = queryset.filter(priority=params.get("priority"))
-            if params.get("account"):
-                queryset = queryset.filter(account=params.get("account"))
-            if params.get("case_type"):
-                queryset = queryset.filter(case_type=params.get("case_type"))
-            if params.getlist("assigned_to"):
-                queryset = queryset.filter(
-                    assigned_to__id__in=params.getlist("assigned_to")
-                ).distinct()
-            if params.get("tags"):
-                queryset = queryset.filter(
-                    tags__id__in=params.getlist("tags")
-                ).distinct()
-            if params.get("search"):
-                queryset = queryset.filter(name__icontains=params.get("search"))
-            if params.get("created_at__gte"):
-                queryset = queryset.filter(
-                    created_at__gte=params.get("created_at__gte")
-                )
-            if params.get("created_at__lte"):
-                queryset = queryset.filter(
-                    created_at__lte=params.get("created_at__lte")
-                )
-            # Custom-field filters: ?cf_<key>=<value> -> custom_fields contains pair.
-            for raw_key, raw_value in params.items():
-                if raw_key.startswith("cf_") and raw_value:
-                    cf_key = raw_key[3:]
-                    if cf_key:
-                        queryset = queryset.filter(
-                            custom_fields__contains={cf_key: raw_value}
-                        )
+        queryset = apply_case_list_filters(queryset, params)
 
         context = {}
 
 
@@ -99,16 +99,18 @@ def get(self, request, pk, *args, **kwargs):
 class WatchingListView(APIView):
     """GET /api/cases/watching/
 
-    Returns the list of cases the current profile watches. Lightweight
-    payload — the full case detail is fetched separately when the user opens
-    one. Reusing `Case.serializer.CaseSerializer` for parity with the main
-    list endpoint.
+    Returns the list of cases the current profile watches. Accepts the same
+    query-param filters as `CaseListView` (status, priority, account,
+    case_type, assigned_to[], tags[], search, created_at__gte/lte,
+    sla_breached, ordering) so the mobile filter chips work identically in
+    watching mode.
     """
 
     permission_classes = (IsAuthenticated,)
 
     def get(self, request, *args, **kwargs):
         from cases.serializer import CaseSerializer
+        from cases.views import apply_case_list_filters
 
         cases = (
             Case.objects.filter(
@@ -117,6 +119,7 @@ def get(self, request, *args, **kwargs):
             .order_by("-created_at")
             .distinct()
         )
+        cases = apply_case_list_filters(cases, request.query_params)
         return Response(
             {
                 "cases": CaseSerializer(cases, many=True).data,
 
@@ -6,6 +6,11 @@ def create_user(self, email, password=None, **extra_fields):
         if not email:
             raise ValueError("The Email field must be set")
         email = self.normalize_email(email)
+        # Mirror the User.save() invariant so callers reading the manager
+        # in isolation see the contract: name defaults to email-local-part
+        # when not provided.
+        if not extra_fields.get("name"):
+            extra_fields["name"] = email.split("@", 1)[0][:255]
         user = self.model(email=email, **extra_fields)
         user.set_password(password)
         user.save(using=self._db)
 
@@ -0,0 +1,18 @@
+# Generated by Django 6.0.5 on 2026-05-14 21:37
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('common', '0025_magic_link_token_otp'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='name',
+            field=models.CharField(blank=True, default='', max_length=255, verbose_name='name'),
+        ),
+    ]
@@ -33,6 +33,7 @@ class User(AbstractBaseUser, PermissionsMixin):
         default=uuid.uuid4, unique=True, editable=False, db_index=True, primary_key=True
     )
     email = models.EmailField(_("email address"), blank=True, unique=True)
+    name = models.CharField(_("name"), max_length=255, blank=True, default="")
     profile_pic = models.CharField(max_length=1000, null=True, blank=True)
     activation_key = models.CharField(max_length=150, null=True, blank=True)
     key_expires = models.DateTimeField(null=True, blank=True)
@@ -50,6 +51,14 @@ class Meta:
         db_table = "users"
         ordering = ("-is_active",)
 
+    def save(self, *args, **kwargs):
+        # On first save only, fall back to the email local-part when no name
+        # was supplied — keeps `name` non-empty without overwriting later
+        # edits (PATCHing name to "" leaves it empty by user intent).
+        if self._state.adding and not self.name and self.email:
+            self.name = self.email.split("@", 1)[0][:255]
+        super().save(*args, **kwargs)
+
     def __str__(self):
         return self.email
 
@@ -224,6 +233,7 @@ def user_details(self):
         return {
             "email": self.user.email,
             "id": self.user.id,
+            "name": self.user.name,
             "is_active": self.user.is_active,
             "profile_pic": self.user.profile_pic,
             "last_login": self.user.last_login,
 
@@ -460,7 +460,7 @@ def __init__(self, *args, **kwargs):
 class UserSerializer(serializers.ModelSerializer):
     class Meta:
         model = User
-        fields = ["id", "email", "profile_pic"]
+        fields = ["id", "email", "name", "profile_pic"]
 
 
 class ProfileSerializer(serializers.ModelSerializer):
 
@@ -465,6 +465,11 @@ def test_successful_new_user(self, mock_request_cls, mock_verify, unauthenticate
         )
         assert response.status_code == status.HTTP_200_OK
         assert "JWTtoken" in response.data
+        # Refresh token must be present so the mobile client can refresh the
+        # 1-hour access token before the user picks an org (which is the only
+        # other place that would mint a refresh token via OrgSwitchView).
+        assert "refresh_token" in response.data
+        assert response.data["refresh_token"]
         assert response.data["user"]["email"] == "mobileuser@example.com"
         assert User.objects.filter(email="mobileuser@example.com").exists()
 
 
@@ -167,6 +167,43 @@ def test_patch_profile_phone(self, admin_client, admin_profile):
         admin_profile.refresh_from_db()
         assert admin_profile.phone == "+9876543210"
 
+    def test_patch_profile_name(self, admin_client, admin_profile):
+        """Update name on User via PATCH /api/profile/."""
+        response = admin_client.patch(
+            self.url,
+            {"name": "Alex Carter"},
+            format="json",
+        )
+        assert response.status_code == status.HTTP_200_OK
+        admin_profile.user.refresh_from_db()
+        assert admin_profile.user.name == "Alex Carter"
+
+    def test_patch_profile_name_trims_whitespace(self, admin_client, admin_profile):
+        """Name input is trimmed before save."""
+        response = admin_client.patch(
+            self.url,
+            {"name": "  Alex Carter  "},
+            format="json",
+        )
+        assert response.status_code == status.HTTP_200_OK
+        admin_profile.user.refresh_from_db()
+        assert admin_profile.user.name == "Alex Carter"
+
+    def test_patch_profile_name_and_phone_together(
+        self, admin_client, admin_profile
+    ):
+        """Both fields update in a single PATCH."""
+        response = admin_client.patch(
+            self.url,
+            {"name": "Alex Carter", "phone": "+1234567890"},
+            format="json",
+        )
+        assert response.status_code == status.HTTP_200_OK
+        admin_profile.refresh_from_db()
+        admin_profile.user.refresh_from_db()
+        assert admin_profile.user.name == "Alex Carter"
+        assert admin_profile.phone == "+1234567890"
+
 
 @pytest.mark.django_db
 class TestOrgSettingsView: