clienthub/.planning/phases/03-service-catalog-quote-builder/03-04-PLAN.md

phase, plan, type, wave, depends_on, files_modified, autonomous, requirements, must_haves

phase	plan	type	wave	depends_on	files_modified	autonomous	requirements	must_haves
03	04	execute	3	03-02 03-03		false	CAT-01 CAT-02 ADMIN-03	truths artifacts key_links Admin navigates to /admin/catalog — table shows all services with correct columns and status badges Admin adds a service, edits it inline, and disattiva/riattiva it — all changes persist on page refresh Admin opens a client's Preventivo tab — adds a catalog item and a freeform item — both appear in the table with correct subtotals and calculated total Admin saves an accepted_total — the client dashboard shows that exact amount, not the calculated sum A curl request to the client API returns NO quote_items field and NO service_id references path provides src/app/admin/catalog/page.tsx Verified: catalog page loads and renders table path provides src/components/admin/tabs/QuoteTab.tsx Verified: three sections render correctly, catalog and freeform items work path provides src/lib/client-view.ts Verified: zero quote_items references from to via pattern clients.accepted_total (DB) client dashboard display client-view.ts query → /c/[token] page accepted_total

End-to-end verification of Phase 3. The admin runs the full workflow — create catalog service, add to quote, set accepted_total — and confirms the client dashboard shows the correct total. Also verifies the security constraint: `quote_items` are never returned by the client API.

Purpose: Confirms Phase 3 is shippable. Catches any integration issue between catalog, quote builder, and client dashboard before the phase is marked complete. Output: Human verification sign-off + SUMMARY.md.

<execution_context> @$HOME/.claude/get-shit-done/workflows/execute-plan.md @$HOME/.claude/get-shit-done/templates/summary.md </execution_context>

@/Users/simonecavalli/IAMCAVALLI/.planning/ROADMAP.md @/Users/simonecavalli/IAMCAVALLI/.planning/phases/03-service-catalog-quote-builder/03-02-SUMMARY.md @/Users/simonecavalli/IAMCAVALLI/.planning/phases/03-service-catalog-quote-builder/03-03-SUMMARY.md Task 1: Automated security and integration checks - /Users/simonecavalli/IAMCAVALLI/src/lib/client-view.ts (must contain zero quote_items references) - /Users/simonecavalli/IAMCAVALLI/src/app/api (check all client-facing API route files for quote_items leaks) Run the following automated checks in sequence. Report results for each.

Check 1 — TypeScript compiles clean:

cd /Users/simonecavalli/IAMCAVALLI && npx tsc --noEmit

Expected: zero output (no errors).

Check 2 — Build succeeds:

cd /Users/simonecavalli/IAMCAVALLI && npm run build

Expected: "Compiled successfully" with routes listed. No error lines.

Check 3 — Security: quote_items not in client-facing code:

cd /Users/simonecavalli/IAMCAVALLI && grep -rn 'quote_items' src/lib/client-view.ts src/app/api/ src/app/c/ 2>/dev/null || echo "CLEAN"

Expected: "CLEAN" or no output. If any match appears, that file must be fixed before the checkpoint.

Check 4 — Service catalog page references getAllServices:

cd /Users/simonecavalli/IAMCAVALLI && grep -c 'getAllServices' src/app/admin/catalog/page.tsx

Expected: 1

Check 5 — NavBar contains Catalogo link:

cd /Users/simonecavalli/IAMCAVALLI && grep -c '/admin/catalog' src/components/admin/NavBar.tsx

Expected: 1

Check 6 — Client detail page has Preventivo tab:

cd /Users/simonecavalli/IAMCAVALLI && grep -c 'Preventivo' src/app/admin/clients/\[id\]/page.tsx

Expected: 2

Check 7 — quote-actions has requireAdmin in all three actions:

cd /Users/simonecavalli/IAMCAVALLI && grep -c 'requireAdmin' src/app/admin/clients/\[id\]/quote-actions.ts

Expected: 3 (one per action)

Check 8 — accepted_total security check (client view does NOT expose quote detail):

cd /Users/simonecavalli/IAMCAVALLI && grep 'accepted_total\|quote_items\|service_id' src/lib/client-view.ts

Expected: accepted_total appears (it's the field clients see), quote_items does NOT appear, service_id does NOT appear.

If all 8 checks pass, proceed to the human verification checkpoint. If any check fails, fix the issue before proceeding. cd /Users/simonecavalli/IAMCAVALLI && npx tsc --noEmit && npm run build 2>&1 | tail -5 Expected: build output ends with route list — no "Failed to compile" line. cd /Users/simonecavalli/IAMCAVALLI && grep -rn 'quote_items' src/lib/client-view.ts src/app/c/ 2>/dev/null | wc -l | tr -d ' ' Expected: 0 All 8 automated checks pass. TypeScript clean, build succeeds, quote_items absent from client-facing code.

Task 2: Human end-to-end verification of Phase 3 Service Catalog CRUD at /admin/catalog, Quote Builder tab in client detail, accepted_total round-trip to client dashboard. Start the dev server: `npm run dev` (port 3000).

**Test A — Catalog page:**
1. Open http://localhost:3000/admin/catalog
2. Confirm the page loads with "Catalogo Servizi" heading and "Aggiungi servizio" button
3. Click "Aggiungi servizio" — fill in Nome: "Test Servizio", Prezzo: "500" — click Aggiungi
4. Confirm "Test Servizio" appears in the table with "Attivo" badge and €500,00 price
5. Click "Modifica" on the row — change price to "750" — click Salva
6. Confirm price updates to €750,00 without page reload
7. Click "Disattiva" — confirm badge changes to "Disattivato" and row becomes dimmed (50% opacity)
8. Click "Riattiva" — confirm badge returns to "Attivo"

**Test B — NavBar:**
1. Confirm "Catalogo" link appears in the admin NavBar between "Statistiche" and "Esci"
2. Click it — confirm it navigates to /admin/catalog

**Test C — Quote Builder tab:**
1. Open any existing client at http://localhost:3000/admin/clients/[id]
2. Confirm "Preventivo" tab appears as 5th tab (after Commenti)
3. Click the Preventivo tab
4. Select "Test Servizio" from the dropdown (if inactive, reactivate first) — set qty 1 — click Aggiungi
5. Confirm item appears in the table with correct unit price and subtotal
6. Click "Oppure aggiungi voce libera →" — enter Nome: "Extra consulenza", Prezzo: "200", Qty: 2 — click Aggiungi voce libera
7. Confirm second item appears with "Extra consulenza" label, subtotal €400,00
8. Confirm "Totale calcolato" shows the sum (e.g., €1.150,00 if service was €750)
9. Click "Rimuovi" on one item — confirm it disappears

**Test D — Accepted total round-trip (critical):**
1. In the Preventivo tab, set "Totale accettato dal cliente" to 1200 — click Salva
2. Open the client dashboard at http://localhost:3000/c/[client-token] in a new tab
3. Confirm the dashboard shows "€1.200,00" (or equivalent) as the accepted total
4. Back in admin, open the Pagamenti tab — confirm "Totale preventivo" input shows 1200

**Test E — Security check (quote_items never exposed):**
1. In the browser DevTools (Network tab), open the client dashboard /c/[token]
2. Find any API calls made by that page — inspect their response bodies
3. Confirm NO response contains "quote_items", "service_id" (from quote context), or individual line item prices
4. Alternative: run `curl http://localhost:3000/api/client/[client-id-or-token]` if a client API route exists — confirm response has only `accepted_total`, not quote item details

Type "approved" if all 5 tests pass. Or describe any failures (e.g., "Test C step 5 fails — items not appearing") so they can be fixed.

<threat_model>

Trust Boundaries

Boundary	Description
Client browser → /c/[token] route	Client sees only what the route explicitly returns — verified here that quote_items are absent

STRIDE Threat Register

Threat ID	Category	Component	Disposition	Mitigation Plan
T-03-04-01	Information Disclosure	Client dashboard API response	mitigate	Check 3 + Test E verify that no quote_items appear in any client-facing response; if found, fix before approving
T-03-04-02	Tampering	Phase 3 shipped without DB push	mitigate	03-01 is a hard dependency of this wave; if drizzle-kit push was skipped, custom_label column absent causes runtime crash caught in Test C
</threat_model>

Phase 3 complete when: 1. All 8 automated checks in Task 1 pass 2. Human verifies Tests A–E in Task 2 3. Client dashboard shows correct `accepted_total` after update (Test D) 4. Zero `quote_items` in any client-facing response (Test E)

<success_criteria>

• Service catalog is fully operational: add, edit, disable, re-enable services
• Quote builder adds catalog items (with snapshotted price) and freeform items (service_id = null)
• accepted_total write in admin is reflected in client dashboard
• Phase 3 roadmap success criteria 1–3 are all TRUE:
  1. Admin can add/edit/disable catalog services
  2. Admin can compose a quote from catalog; system calculates total
  3. After saving accepted_total, client dashboard shows correct total; quote_items never exposed </success_criteria>

After completion, create `.planning/phases/03-service-catalog-quote-builder/03-04-SUMMARY.md`