clienthub/CLAUDE.md
2026-05-13 10:44:13 +02:00
ClientHub — Project Instructions

Project

ClientHub — Client portal for a personal branding consultant.

  • Client dashboard via secret link (no login)
  • Admin area for managing clients, phases, tasks, deliverables, payments
  • Deploy: Vercel at welcomeclient.iamcavalli.net

GSD Workflow

This project uses the Get Shit Done workflow. Planning lives in .planning/.

Current State

See .planning/STATE.md for current phase and active work. See .planning/ROADMAP.md for full phase structure. See .planning/REQUIREMENTS.md for all requirements with REQ-IDs.

Phase Execution

  • Run /gsd-plan-phase N to plan a phase before executing
  • Run /gsd-execute-phase N to execute a planned phase
  • Run /gsd-progress to check current status

Architecture Constraints

The following decisions are LOCKED from the data model and must be respected in all phases:

  1. clients.token is a separate rotatable field — NEVER the primary key. Clients have a stable UUID id and a separate token field used for secret link access. Rotation = single UPDATE on token.

  2. Client API never exposes quote_items. The accepted_total field on the clients row is the only price the client API returns. Quote line items are admin-only. Enforced at the query layer, not the UI.

  3. deliverables.approved_at is immutable. Once set, it cannot be unset by the client. Admin-only override only if strictly necessary.

  4. Two independent auth paths, never mixed:

    • /c/[token]/* → Next.js Middleware validates the token against the DB, 404 on miss (a bad or revoked token gets the same response as a page that does not exist, so there is nothing to enumerate). Middleware runs in the Edge runtime, so the lookup must go through the Neon serverless driver, not a TCP Postgres client.
    • /admin/* → Auth.js Credentials session check. A valid client token grants nothing under /admin, and an admin session grants nothing under /c.

  5. No file hosting in v1. Documents are external URLs (Google Drive, PDF links) stored as text.

Stack

Next.js 15 (App Router) · Neon (serverless Postgres) · Drizzle ORM · Auth.js v4 · nanoid · Tailwind v4 · shadcn/ui · Zod · React Hook Form

Security

  • Client tokens: cryptographically random via nanoid (21 chars, ~126 bit entropy). Never derived from client name or sequential ID.
  • Admin area: protected by Auth.js session before Phase 2 ships to production.
  • Payment privacy: quote_items never returned by client-facing API routes.
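The LOCKED constraints in Architecture Constraints and the token rules in Security, exercised as an added example against an in-memory model of the clients and deliverables tables. This is not ClientHub's code: the project issues the same queries through Drizzle against Neon, and the token generator below uses Node's crypto with a 64-symbol alphabet of the same size as nanoid's default rather than nanoid itself. Table and column names follow this file; the demo rows and the path-matching regex are assumptions for the example.

```typescript
// Added example (not ClientHub's code): the LOCKED data-model constraints
// modelled against an in-memory "clients"/"deliverables" table so the rules
// can be exercised offline. The real project runs these as Drizzle queries.
import { randomBytes, randomUUID } from "node:crypto";

// 64-symbol URL-safe alphabet, same size as nanoid's default: 21 symbols
// drawn from 64 give 21 * 6 = 126 bits of entropy.
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";

function issueToken(size = 21): string {
  const bytes = randomBytes(size);
  let token = "";
  // Exactly 64 symbols, so `& 63` maps each byte uniformly (no modulo bias).
  for (let i = 0; i < size; i++) token += ALPHABET[bytes[i] & 63];
  return token;
}

type ClientRow = {
  id: string;             // stable UUID, the primary key; never changes
  token: string;          // secret-link credential; rotatable, NOT the key
  name: string;
  accepted_total: number; // the only price the client API may return
  quote_items: { label: string; amount: number }[]; // admin-only
};

type DeliverableRow = {
  id: string;
  client_id: string;
  title: string;
  approved_at: string | null; // write-once from the client side
};

type Db = { clients: ClientRow[]; deliverables: DeliverableRow[] };

// Equivalent of `SELECT ... FROM clients WHERE token = $1` (indexed equality).
function findClientByToken(db: Db, token: string): ClientRow | undefined {
  return db.clients.find((c) => c.token === token);
}

// Constraint 4: what the /c/[token]/* middleware decides. Anything that does
// not resolve to a live token is a 404, indistinguishable from a missing page.
function resolveClientPath(db: Db, pathname: string): { status: 404 } | { status: 200; clientId: string } {
  const m = /^\/c\/([A-Za-z0-9_-]{21})(?:\/|$)/.exec(pathname); // assumed route shape
  if (!m) return { status: 404 };
  const client = findClientByToken(db, m[1]);
  return client ? { status: 200, clientId: client.id } : { status: 404 };
}

// Constraint 1: rotation is a single UPDATE on `token`; `id` and every row
// that references it are untouched, and the old link stops resolving.
function rotateToken(db: Db, clientId: string): string {
  const client = db.clients.find((c) => c.id === clientId);
  if (!client) throw new Error("unknown client");
  client.token = issueToken();
  return client.token;
}

// Constraint 2: the client API is an explicit column whitelist built at the
// query layer. `quote_items` is never selected, so no UI change can leak it.
function clientView(db: Db, token: string) {
  const client = findClientByToken(db, token);
  if (!client) return null;
  const deliverables = db.deliverables
    .filter((d) => d.client_id === client.id)
    .map(({ id, title, approved_at }) => ({ id, title, approved_at }));
  return { id: client.id, name: client.name, accepted_total: client.accepted_total, deliverables };
}

// Constraint 3: the client may set approved_at once. A second call, with any
// value, is refused, and there is no client-side path that writes null.
function approveDeliverable(db: Db, token: string, deliverableId: string, at: string): boolean {
  const client = findClientByToken(db, token);
  if (!client) return false;
  const d = db.deliverables.find((x) => x.id === deliverableId && x.client_id === client.id);
  if (!d || d.approved_at !== null) return false;
  d.approved_at = at;
  return true;
}

// Constructed demo data (not real clients): one client, one deliverable.
function seedDemo(): Db {
  const id = randomUUID();
  return {
    clients: [{
      id,
      token: issueToken(),
      name: "Demo Client",
      accepted_total: 3200,
      quote_items: [{ label: "Brand audit", amount: 1200 }, { label: "Profile setup", amount: 2000 }],
    }],
    deliverables: [{ id: "d1", client_id: id, title: "Audit report", approved_at: null }],
  };
}
```

The point to check in review is the shape of `clientView`: it builds the response from named columns, so `quote_items` cannot reach the client even if someone later spreads the row into a component. Rotation changes only `token`, which is why the deliverable's `client_id` keeps working after the old link is dead.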