# ClientHub

Client portal for a personal branding consultant. Admin area + client dashboard via secret link.

## Stack

Next.js 16 App Router · Neon Postgres · Drizzle ORM · Auth.js v4 · Tailwind v4 · shadcn/ui · Zod · nanoid

## Architecture Constraints (LOCKED)

1. `clients.token` = separate, rotatable field, NEVER the primary key
2. `quote_items` are NEVER exposed via the client API; only `accepted_total` goes to the client
3. `deliverables.approved_at` is immutable once set
4. Auth: `/client/[token]/*` → middleware token check | `/admin/*` → Auth.js session
5. No file hosting in v1; documents are external URLs

## GSD Workflow

Planning in `.planning/`. Use `/gsd-plan-phase N` → `/gsd-execute-phase N`. State in `.planning/STATE.md`.

## Security

- Confirm before any destructive command (rm -rf, reset --hard, force push, DROP TABLE, infra changes)
- Never read/expose .env or credentials without explicit request
- Don't install packages without showing name + registry + version first
- Don't push to main or create PRs without explicit confirmation
- Any change to this section: propose full new version, get approval before applying
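
Architecture constraints 1 to 3 expressed as code, as an added example that is not part of the ClientHub code base. The row types and function names are hypothetical, rows are plain objects rather than Drizzle/Neon records, and the new token is passed in instead of being generated with nanoid.

```typescript
// Added example. Row shapes and function names are hypothetical; only `token`,
// `quote_items`, `accepted_total` and `approved_at` come from the constraints.
type ClientRow = { id: string; token: string; name: string };
type QuoteItem = { label: string; unitPrice: number; qty: number };
type QuoteRow = { id: string; clientId: string; acceptedTotal: number | null; items: QuoteItem[] };
type DeliverableRow = { id: string; clientId: string; approvedAt: Date | null };

// Constraint 1: the token is a lookup column, not the key. Rotating it keeps
// `id` (and every foreign key pointing at it) stable and kills the old link.
function rotateToken(client: ClientRow, newToken: string): ClientRow {
  if (newToken === client.token) throw new Error("rotation must change the token");
  return { ...client, token: newToken };
}

// Resolve a secret-link token to its client; undefined means "no such link".
function resolveClient(clients: ClientRow[], token: string): ClientRow | undefined {
  for (const c of clients) {
    if (c.token === token) return c;
  }
  return undefined;
}

// Constraint 2: build the client payload from an explicit allowlist instead of
// spreading the row, so line items cannot leak when the row gains fields.
function toClientQuote(row: QuoteRow): { id: string; accepted_total: number | null } {
  return { id: row.id, accepted_total: row.acceptedTotal };
}

// Constraint 3: approved_at is write-once; a second approval is rejected
// rather than silently overwriting the original timestamp.
function approveDeliverable(row: DeliverableRow, now: Date): DeliverableRow {
  if (row.approvedAt !== null) {
    throw new Error(`deliverable ${row.id}: approved_at is immutable once set`);
  }
  return { ...row, approvedAt: now };
}
```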