docs: create roadmap (4 phases)
This commit is contained in:
Simone Cavalli
@@ -0,0 +1,50 @@
|
|||||||
|
# ClientHub — Project Instructions
|
||||||
|
|
||||||
|
## Project
|
||||||
|
|
||||||
|
**ClientHub** — Portale clienti per consulente di personal branding.
|
||||||
|
- Dashboard cliente via link segreto (no login)
|
||||||
|
- Admin area per gestione clienti, fasi, task, deliverable, pagamenti
|
||||||
|
- Deploy: Vercel su `welcomeclient.iamcavalli.net`
|
||||||
|
|
||||||
|
## GSD Workflow
|
||||||
|
|
||||||
|
This project uses the **Get Shit Done** workflow. Planning lives in `.planning/`.
|
||||||
|
|
||||||
|
### Current State
|
||||||
|
|
||||||
|
See `.planning/STATE.md` for current phase and active work.
|
||||||
|
See `.planning/ROADMAP.md` for full phase structure.
|
||||||
|
See `.planning/REQUIREMENTS.md` for all requirements with REQ-IDs.
|
||||||
|
|
||||||
|
### Phase Execution
|
||||||
|
|
||||||
|
- Run `/gsd-plan-phase N` to plan a phase before executing
|
||||||
|
- Run `/gsd-execute-phase N` to execute a planned phase
|
||||||
|
- Run `/gsd-progress` to check current status
|
||||||
|
|
||||||
|
## Architecture Constraints
|
||||||
|
|
||||||
|
The following decisions are LOCKED from the data model and must be respected in all phases:
|
||||||
|
|
||||||
|
1. **`clients.token` is a separate rotatable field — NEVER the primary key.** Clients have a stable UUID `id` and a separate `token` field used for secret link access. Rotation = single UPDATE on `token`.
|
||||||
|
|
||||||
|
2. **Client API never exposes `quote_items`.** The `accepted_total` field on the `clients` row is the only price the client API returns. Quote line items are admin-only. Enforced at the query layer, not the UI.
|
||||||
|
|
||||||
|
3. **`deliverables.approved_at` is immutable.** Once set, it cannot be unset by the client. Admin-only override only if strictly necessary.
|
||||||
|
|
||||||
|
4. **Two independent auth paths:**
|
||||||
|
- `/c/[token]/*` → Next.js Middleware validates token against DB, 404 on miss
|
||||||
|
- `/admin/*` → Auth.js Credentials session check
|
||||||
|
|
||||||
|
5. **No file hosting in v1.** Documents are external URLs (Google Drive, PDF links) stored as text.
|
||||||
|
|
||||||
|
## Stack
|
||||||
|
|
||||||
|
Next.js 15 (App Router) · Neon (serverless Postgres) · Drizzle ORM · Auth.js v4 · nanoid · Tailwind v4 · shadcn/ui · Zod · React Hook Form
|
||||||
|
|
||||||
|
## Security
|
||||||
|
|
||||||
|
- Client tokens: cryptographically random via `nanoid` (21 chars, ~126 bit entropy). Never derived from client name or sequential ID.
|
||||||
|
- Admin area: protected by Auth.js session before Phase 2 ships to production.
|
||||||
|
- Payment privacy: `quote_items` never returned by client-facing API routes.
|
||||||
Reference in New Issue
Block a user