- requireAdmin() guard (mirrors catalog/actions.ts pattern), throws
"Non autorizzato" before any DB access
- updateLeadField: EDITABLE_FIELDS allowlist, name/status validated
server-side (LEAD_STAGES.includes), nullable fields cleared on empty
- addLeadTag/removeLeadTag/renameLeadTag: polymorphic tags table scoped
to entity_type="leads" (LEADS_TAG_ENTITY), never touches
entity_type="services" rows
- All four actions call revalidatePath for /admin/leads (+ detail page
where a single leadId applies)
- Log pre-existing lint issues (unrelated to this task) to
deferred-items.md per scope-boundary rule