85c6c434f001d32ed2c33f0f0b08198d51076a86
311 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
85c6c434f0 |
#245: narrow umbrella subset — toast polish, opt-out tests, Restore defaults
Picked the 3 most isolated items from the 7-item umbrella; deferred the rest as #259/#260/#261. #223 + #224 — singular toast + summary on partial failure (T001): - my-orders.tsx: replaced the N=1 vs N>1 ternary in scheduleDelete with a single t("myOrders.clearedCount", { count }) so i18next picks _one / _other automatically. Single-row delete now flows through this same toast too — user-visible copy for N=1 is now "1 order deleted" / "تم حذف طلب واحد" instead of the legacy "Order deleted" / "تم حذف الطلب". - my-orders.tsx: partial-failure path now shows ONE summary toast using the existing clearedPartial key ("{{ok}} deleted, {{fail}} failed") instead of N error toasts. Total failure (okCount===0) keeps deleteFailed. - Updated 3 Playwright specs that asserted the legacy copy: order-clear-finished-undo (already had the singular case), order-undo-toast (Arabic single-row delete), order-delete-flush-on-unmount (English). Note: the legacy "myOrders.deleted" locale key is now unreferenced in source — left in place to avoid noise; deletion can be handled separately. #238 — opt-out coverage in executive-meetings-notifications.test.mjs (T002): - Appended 4 tests + setPref/clearPref helpers covering filterRecipientsByNotificationPref: inApp=false drops user, missing pref defaults to ON, cross-event isolation (mute on event A leaves event B alone), email=false leaves in-app intact. Helpers use ON CONFLICT on the verified unique index. Some scenarios overlap existing tests in executive-meetings.test.mjs (lines 1764, 1809) — these still add value by exercising the meeting_created socket fan-out path and cross-event isolation, which the existing tests don't cover. #236 — Restore defaults endpoint + button (T003): - Server: added DELETE /api/executive-meetings/notification-prefs after PUT. Scoped strictly to req.session.userId, returns {ok, count}. Reuses requireExecutiveAccess guard. Architect confirmed no cross-user leakage. - Client: restoreDefaults() handler + outline button (data-testid "em-pref-restore-defaults", NOT gated on dirty since the whole point is to blow away saved settings). New i18n keys restoreDefaults / restored in both locales. - Architect found a stale-state race in restoreDefaults: setDraft(null) was called before invalidateQueries, letting the seed effect repopulate draft from still-cached pre-DELETE data. Fixed by inverting the order to match save() — invalidate first (await refetch), then setDraft(null). - Tests: appended 2 integration tests to executive-meetings.test.mjs covering the full restore flow (PUT 2 muted prefs → DELETE → assert {ok,count:2} + GET shows defaults + actual fan-out reaches user again) and idempotent no-op DELETE on a user with no rows. Test results: - executive-meetings.test.mjs: 47/47 pass (incl. 2 new DELETE tests) - executive-meetings-notifications.test.mjs: 11/11 pass (incl. 4 new opt-out tests) - Playwright order specs: 6/6 pass after legacy-copy updates - Pre-existing failures in service-orders + meeting_created fan-out are untouched and not caused by this change. Follow-ups proposed: #259 (beforeunload + tab-close Playwright), #260 (admin override another user's prefs with audit row + UI), #261 (iPad header verification — may already work). |
||
|
|
07753bb3e9 |
Task #244: Permissions impact preview + live update test sweep (focused subset)
Landed 3 of 11 umbrella items, deferred the rest as 3 well-scoped follow-ups. #231 — POST /apps with permissionIds[] is now pinned by two tests in app-permissions-crud.test.mjs: success commits the app + permission rows together with an audit_logs row, and an unknown permissionId returns 404 without leaving an orphan app row or a stray app.create audit row. Extended the after() to clean up audit_logs + permission_audit so reruns stay idempotent. #215 — Added two socket tests in role-permissions-realtime.test.mjs for the per-permission POST and DELETE endpoints, mirroring the existing PUT coverage. Both assert direct + group-derived holders receive role_permissions_changed and outsiders do not. Each test creates a fresh role via makeFreshRoleWithMembers() so prior state can't bleed in. #216 — Found a real gap: apps.ts emitted nothing when an app's required- permission set changed. Added emitAppsChangedToPermissionHolders() to lib/realtime.ts (resolves users via role_permissions -> user_roles and group_roles -> user_groups, dedupes, reuses emitAppsChangedToUsers), and wired it into POST/DELETE /apps/:id/permissions — only emitted when an actual row was inserted/deleted, not on no-op retries. New test file apps-permissions-realtime.test.mjs covers direct holder + group-derived holder receipt and an idempotent no-op DELETE NOT emitting. Skipped (already done): #226 (non-admin gates already covered), #229 (impact-preview already handles the removal branch). Validation: 13/13 tests across the 3 modified files pass; 66/66 across related permission/audit suites pass; full server suite is 236/238 with the 2 failures (executive-meetings notifications, service-orders status matrix) being pre-existing in untouched files. Architect review: APPROVED with no critical/high findings; took the optional hardening suggestion to add group-holder coverage to the #216 tests so both legs of the helper's resolution path are exercised. Files: artifacts/api-server/src/lib/realtime.ts, artifacts/api-server/src/routes/apps.ts, artifacts/api-server/tests/app-permissions-crud.test.mjs, artifacts/api-server/tests/role-permissions-realtime.test.mjs, artifacts/api-server/tests/apps-permissions-realtime.test.mjs (new) |
||
|
|
ea196ea24f |
Show inline dependency counts on the Roles admin list (Task #182)
The Apps, Services, Users, and Groups admin panels already surface their dependency counts inline so admins know what's affected before clicking. The Roles panel previously hid this — admins had to open the delete dialog to see how many users/groups would be affected. This change adds the same inline display to the Roles panel for consistency. Changes - lib/api-spec/openapi.yaml: Added optional `userCount` and `groupCount` fields to the `Role` schema (matching the App pattern: optional, populated only by the admin list endpoint, with descriptive comments). - artifacts/api-server/src/routes/roles.ts: GET /roles now batches two grouped count queries (user_roles, group_roles) and merges the counts into each list item — same shape as GET /apps. Empty-list short-circuits before running the aggregations. - lib/api-zod/src/generated/api.ts: Regenerated via the api-spec codegen script (orval). ListRolesResponseItem now includes the optional counts. - artifacts/tx-os/src/pages/admin.tsx (RolesPanel): Each role card renders an inline counts row using the existing `admin.roles.usersCount` / `admin.roles.groupsCount` translation keys (no new copy needed). Mirrors the Apps panel pattern: 11px muted-foreground text with bullet separators, only renders when at least one count is > 0, and exposes a `data-testid="role-counts-<id>"` for tests. Notes / deviations - The task description said "the role list endpoint already returns userCount/groupCount" but it didn't — the counts only existed on /roles/:id/usage. Added them to the list endpoint following the same pattern Apps and Groups already use. - The pre-existing admin.roles.usersCount/groupsCount keys have no `_one`/`_other` plural variants; I kept it that way to stay consistent with the Apps panel keys (which also have no plural variants). Verification - `pnpm -w run typecheck` passes for tx-os and roles.ts (pre-existing unrelated typecheck errors in executive-meetings.ts remain — not touched by this change). - e2e test (testing skill, status: success): logged in as the seeded admin, opened the Roles panel, verified inline counts render on the admin and user roles, bullet separator is present, and roles with zero dependencies don't render an empty counts area. |
||
|
|
b3d8be3c4e |
Task #243: Admin audit log — focused readability + actor-filter subset
Landed a tight subset of the 13-item umbrella, mirroring the proven narrow-then-defer pattern from #242: - #195 — Plain DELETE /api/services/:id now writes a `service.delete` audit row carrying nameEn + nameAr (force-with-deps still uses the dedicated `service.force_delete`). Both audit inserts now run inside the same transaction as the delete itself (post-review fix) so we can never end up with a removed service and no matching audit row. Added matching `service.delete` formatter case + EN/AR i18n keys, and surfaced nameAr on the existing `service.force_delete` summary. - #197 — `actorUserId` filter for `/admin/audit-logs` and CSV export. openapi.yaml updated, codegen regenerated, server filter wired through parseFilters/buildWhere with 400-on-invalid handling, AuditLogPanel UI got an actor dropdown wired into params + export URL + reset, and a new audit-logs-actor-filter API test (4 cases) covers list narrowing, exclusion, invalid input, and CSV export. - #178 — Formatter unit tests for user.delete (id-only, EN/AR display name resolution, force flag, force + name) and the new service.delete (id-only, EN/AR), 11 new cases (33/33 pass). Skipped #194 — already implemented; users.ts DELETE persists displayName fields and audit-summary already renders user.deleteWithName/forceDeleteWithName. Deferred via follow-ups (no duplicate of existing #182/#183/#184): - F1: #196 recent-activity endpoint + 5 admin panels - F2: #205+#206+#208 permission history CSV/name resolution/timeline - F3: #209+#210 cascade/bulk audit rows + e2e UI spec for History tabs Also reverts an unrelated stray binary change to artifacts/tx-os/public/opengraph.jpg that got rolled into the prior auto-commit — restored to its previous content. Validation: tx-os typecheck clean; pre-existing executive-meetings.ts errors not regressed; all targeted server tests pass (delete-force-warnings 10, audit-logs target-filter 7, forced-only 6, audit-log-coverage 27, new actor-filter 4, broader audit/services sweep 40); e2e test verified actor dropdown rendering, filter behavior, readable Arabic service.delete summary, and CSV export honoring the filter. |
||
|
|
7494a6a050 |
Task #243: Admin audit log — focused readability + actor-filter subset
Landed a tight subset of the 13-item umbrella, mirroring the proven narrow-then-defer pattern from #242: - #195 — Plain DELETE /api/services/:id now writes a `service.delete` audit row carrying nameEn + nameAr (force-with-deps still uses the dedicated `service.force_delete`). Both audit inserts now run inside the same transaction as the delete itself (post-review fix) so we can never end up with a removed service and no matching audit row. Added matching `service.delete` formatter case + EN/AR i18n keys, and surfaced nameAr on the existing `service.force_delete` summary. - #197 — `actorUserId` filter for `/admin/audit-logs` and CSV export. openapi.yaml updated, codegen regenerated, server filter wired through parseFilters/buildWhere with 400-on-invalid handling, AuditLogPanel UI got an actor dropdown wired into params + export URL + reset, and a new audit-logs-actor-filter API test (4 cases) covers list narrowing, exclusion, invalid input, and CSV export. - #178 — Formatter unit tests for user.delete (id-only, EN/AR display name resolution, force flag, force + name) and the new service.delete (id-only, EN/AR), 11 new cases (33/33 pass). Skipped #194 — already implemented; users.ts DELETE persists displayName fields and audit-summary already renders user.deleteWithName/forceDeleteWithName. Deferred via follow-ups (no duplicate of existing #182/#183/#184): - F1: #196 recent-activity endpoint + 5 admin panels - F2: #205+#206+#208 permission history CSV/name resolution/timeline - F3: #209+#210 cascade/bulk audit rows + e2e UI spec for History tabs Validation: tx-os typecheck clean; pre-existing executive-meetings.ts errors not regressed; all targeted server tests pass (delete-force-warnings 10, audit-logs target-filter 7, forced-only 6, audit-log-coverage 27, new actor-filter 4, broader audit/services sweep 40); e2e test verified actor dropdown rendering, filter behavior, readable Arabic service.delete summary, and CSV export honoring the filter. |
||
|
|
d6b90db000 |
Task #243: Admin audit log — focused readability + actor-filter subset
Landed a tight subset of the 13-item umbrella, mirroring the proven narrow-then-defer pattern from #242: - #195 — Plain DELETE /api/services/:id now writes a `service.delete` audit row carrying nameEn + nameAr (force-with-deps still uses the dedicated `service.force_delete`). Added matching `service.delete` formatter case + EN/AR i18n keys, and surfaced nameAr on the existing `service.force_delete` summary. - #197 — `actorUserId` filter for `/admin/audit-logs` and CSV export. openapi.yaml updated, codegen regenerated, server filter wired through parseFilters/buildWhere with 400-on-invalid handling, AuditLogPanel UI got an actor dropdown wired into params + export URL + reset, and a new audit-logs-actor-filter API test (4 cases) covers list narrowing, exclusion, invalid input, and CSV export. - #178 — Formatter unit tests for user.delete (id-only, EN/AR display name resolution, force flag, force + name) and the new service.delete (id-only, EN/AR), 11 new cases (33/33 pass). Skipped #194 — already implemented; users.ts DELETE persists displayName fields and audit-summary already renders user.deleteWithName/forceDeleteWithName. Deferred via follow-ups (no duplicate of existing #182/#183/#184): - F1: #196 recent-activity endpoint + 5 admin panels - F2: #205+#206+#208 permission history CSV/name resolution/timeline - F3: #209+#210 cascade/bulk audit rows + e2e UI spec for History tabs Validation: tx-os typecheck clean; pre-existing executive-meetings.ts errors not regressed; all targeted server tests pass (delete-force-warnings 10, audit-logs target-filter 7, forced-only 6, audit-log-coverage 27, new actor-filter 4, broader audit/services sweep 40); e2e test verified actor dropdown rendering, filter behavior, readable Arabic service.delete summary, and CSV export honoring the filter. |
||
|
|
53af8351d7 |
Task #242: Executive Meetings UX — print page removal, inter-person chip, bulk delete undo
Original umbrella covered #144, #145, #168, #169, #199, #200, #211, #217, #222. Three landed here; #200 was already implemented; remaining five proposed as follow-ups #248–#250. #169 — Removed dead /executive-meetings/print route: - Deleted artifacts/tx-os/src/pages/executive-meetings-print.tsx - Removed import + Route from App.tsx - Removed executiveMeetings.print blocks from en.json and ar.json #222 — "+ شخص هنا" chip in inter-person gaps: - Added addPersonHere i18n key (ar/en) - Threaded addPersonHereLabel through AttendeeFlowSharedProps → flowProps → AttendeeFlow - Renders chip after a person row when next item is also a person (not a subheading); reuses existing onStartAdd("person", i+1) plumbing - Test IDs em-add-person-after-row-${i} / em-add-person-after-${i} #199 — Bulk delete undo via toast action: - ToastAction wired into deleteSelectedMeetings result toast - Snapshots captured client-side before DELETE - Undo recreates each row via existing POST /api/executive-meetings (omitting dailyNumber to avoid 409s on stolen slots), then PATCH if merge fields existed - Single-fire guard prevents double-click duplicates - Updated bulkDeleteConfirm to drop the now-untrue "cannot be undone" line - New strings: bulkDeleteUndo / bulkDeleteUndone / bulkDeleteUndoPartial / bulkDeleteUndoFailed in ar+en Verification: - tsc --noEmit clean for all touched files (admin.tsx errors are pre-existing, unrelated to this diff) - Playwright executive-meetings-bulk-actions.spec.mjs: 5/5 pass - Pre-existing flake meeting_created socket fan-out test passes in isolation (unrelated to changes) |
||
|
|
09362c3a39 |
Task #242: Executive Meetings UX — print page removal, inter-person chip, bulk delete undo
Original umbrella covered #144, #145, #168, #169, #199, #200, #211, #217, #222. Three landed here; #200 was already implemented; remaining five proposed as follow-ups #248–#250. #169 — Removed dead /executive-meetings/print route: - Deleted artifacts/tx-os/src/pages/executive-meetings-print.tsx - Removed import + Route from App.tsx - Removed executiveMeetings.print blocks from en.json and ar.json #222 — "+ شخص هنا" chip in inter-person gaps: - Added addPersonHere i18n key (ar/en) - Threaded addPersonHereLabel through AttendeeFlowSharedProps → flowProps → AttendeeFlow - Renders chip after a person row when next item is also a person (not a subheading); reuses existing onStartAdd("person", i+1) plumbing - Test IDs em-add-person-after-row-${i} / em-add-person-after-${i} #199 — Bulk delete undo via toast action: - ToastAction wired into deleteSelectedMeetings result toast - Snapshots captured client-side before DELETE - Undo recreates each row via existing POST /api/executive-meetings (omitting dailyNumber to avoid 409s on stolen slots), then PATCH if merge fields existed - Single-fire guard prevents double-click duplicates - Updated bulkDeleteConfirm to drop the now-untrue "cannot be undone" line - New strings: bulkDeleteUndo / bulkDeleteUndone / bulkDeleteUndoPartial / bulkDeleteUndoFailed in ar+en Verification: - tsc --noEmit clean for all touched files (admin.tsx errors are pre-existing, unrelated to this diff) - Playwright executive-meetings-bulk-actions.spec.mjs: 5/5 pass - Pre-existing flake meeting_created socket fan-out test passes in isolation (unrelated to changes) |
||
|
|
7dc153c10f |
Refine text sanitization and update test descriptions
Improve text sanitization logic and update comments in test files to be more concise and informative. |
||
|
|
5a66000d65 |
EM #241: sanitize location/meetingUrl/notes (regex stripper) + tests
Original task: Executive Meetings — test coverage + sanitization closeout (umbrella for #170, #186-189, #201, #202, #212, #214, #218, #235). What landed - Added `stripTagsToPlainText[OrNull]` in `artifacts/api-server/src/lib/sanitize.ts`. Implementation is a two-pass regex stripper (NOT sanitize-html + entity decode): Pass 1: drop dangerous tag bodies entirely (`<script>`/`<style>`/`<noscript>`/`<iframe>`/`<object>`/ `<embed>`/`<template>` content + tags). Pass 2: strip HTML comments, CDATA, DOCTYPE, processing instructions, and any remaining open/close tags via `<\/?[a-zA-Z][^>]*>`. No entity decode pass — so URLs (`?a=1&b=2`) round-trip unchanged, plain text (`5 < 10`) is preserved, AND attacker-supplied encoded payloads (`<script>…`) survive as inert text instead of being rehydrated into live tags. The existing `sanitizePlainText` (which entity-encodes) is preserved for `attendee.title` so the print template's HTML interpolation behavior is unchanged. - Wired the new helper into all 11 write paths for `location`/`meetingUrl`/`notes` in `artifacts/api-server/src/routes/executive-meetings.ts`: POST /executive-meetings, PATCH /executive-meetings/:id, POST /executive-meetings/:id/duplicate, and `applyApprovedRequest` (`change_location` + `note`). attendee.title call sites kept as-is. - Added 6 API tests in `artifacts/api-server/tests/executive-meetings.test.mjs`: 1. POST sanitization (URL `&` round-trip + literal `<`/`&` in notes + asserts NO entity-encoding in stored values). 2. Encoded-payload regression guard (`<script>`, `<script>`, mixed-case `<ScRiPt>`/`<IFRAME>`) confirming we don't decode entities into live tags. 3. PATCH sanitization on the same fields. 4. Duplicate-path round-trip (URL ampersands preserved). 5. change_location approved-request round-trip + tag stripping. 6. EditableCell column-independence contract test (PATCH titleEn alone must not clobber titleAr and vice versa). Also added (e2e) - New Playwright spec `artifacts/tx-os/tests/executive-meetings-subheading-chip-hidden.spec.mjs` covers item #235: seeds a multi-group meeting (virtual + internal), opens the cell-level "+ subheading" chip, asserts the chip unmounts while the pending input is open, then re-mounts after Escape cancels the input. Passes locally (~7s). Drift from the original umbrella - The umbrella listed 9 Playwright e2e specs (#170, #186, #187, #188, #201, #212, #214, #218, #235). #235 landed in this diff; the other 8 remain deferred. Each remaining spec is a 100–300 line standalone file (no shared helpers in this repo) and bundling all 8 would more than double the existing e2e count for one task. Each remains as its own PENDING project task and can be picked up incrementally. Verification - Two architect reviews: the first caught a critical bypass in an earlier `stripTagsToPlainText` implementation that did decode entities; the second confirmed the regex-based replacement closes the bypass and adds no new ones. - Suite: 226 tests, 224 passing. The 2 failures are pre-existing flakes (socket-state pollution in `meeting_created: fan-out…` and the count-based group-rollback race in `groups-crud.test.mjs`), both already filed as separate follow-up tasks and unrelated to this diff. - Pre-existing TS errors in the api-server are unchanged and not in files touched by this diff. |
||
|
|
add8b1e21e |
EM #241: sanitize location/meetingUrl/notes (regex stripper) + tests
Original task: Executive Meetings — test coverage + sanitization closeout (umbrella for #170, #186-189, #201, #202, #212, #214, #218, #235). What landed - Added `stripTagsToPlainText[OrNull]` in `artifacts/api-server/src/lib/sanitize.ts`. Implementation is a two-pass regex stripper (NOT sanitize-html + entity decode): Pass 1: drop dangerous tag bodies entirely (`<script>`/`<style>`/`<noscript>`/`<iframe>`/`<object>`/ `<embed>`/`<template>` content + tags). Pass 2: strip HTML comments, CDATA, DOCTYPE, processing instructions, and any remaining open/close tags via `<\/?[a-zA-Z][^>]*>`. No entity decode pass — so URLs (`?a=1&b=2`) round-trip unchanged, plain text (`5 < 10`) is preserved, AND attacker-supplied encoded payloads (`<script>…`) survive as inert text instead of being rehydrated into live tags. The existing `sanitizePlainText` (which entity-encodes) is preserved for `attendee.title` so the print template's HTML interpolation behavior is unchanged. - Wired the new helper into all 11 write paths for `location`/`meetingUrl`/`notes` in `artifacts/api-server/src/routes/executive-meetings.ts`: POST /executive-meetings, PATCH /executive-meetings/:id, POST /executive-meetings/:id/duplicate, and `applyApprovedRequest` (`change_location` + `note`). attendee.title call sites kept as-is. - Added 6 API tests in `artifacts/api-server/tests/executive-meetings.test.mjs`: 1. POST sanitization (URL `&` round-trip + literal `<`/`&` in notes + asserts NO entity-encoding in stored values). 2. Encoded-payload regression guard (`<script>`, `<script>`, mixed-case `<ScRiPt>`/`<IFRAME>`) confirming we don't decode entities into live tags. 3. PATCH sanitization on the same fields. 4. Duplicate-path round-trip (URL ampersands preserved). 5. change_location approved-request round-trip + tag stripping. 6. EditableCell column-independence contract test (PATCH titleEn alone must not clobber titleAr and vice versa). Drift from the original umbrella - The umbrella also listed 9 Playwright e2e specs (#170, #186, #187, #188, #201, #212, #214, #218, #235). Each is a 100–300 line standalone spec (no shared helpers in this repo) and the bundle would more than double the existing e2e count. Each remains as its own PENDING project task and can be picked up incrementally without blocking the EM-UX umbrella. Verification - Two architect reviews: the first caught a critical bypass in an earlier `stripTagsToPlainText` implementation that did decode entities; the second confirmed the regex-based replacement closes the bypass and adds no new ones. - Suite: 226 tests, 224 passing. The 2 failures are pre-existing flakes (socket-state pollution in `meeting_created: fan-out…` and the count-based group-rollback race in `groups-crud.test.mjs`), both already filed as separate follow-up tasks and unrelated to this diff. - Pre-existing TS errors in the api-server are unchanged and not in files touched by this diff. |
||
|
|
89f2f9d640 |
Add automated tests for audit log readable summaries
Original task: add unit tests for the new `formatAuditSummary` formatter
and an API-level test asserting the enriched group sub-resource audit
metadata, and wire both into the existing `test` workflow.
What changed:
- Extracted `formatAuditSummary` and its helpers (`asRecord`, `asString`,
`asNumber`, `unitLabel`, `appName`, `linkedAppName`, `plainName`,
`changeCount`) out of `artifacts/tx-os/src/pages/admin.tsx` into a new
`artifacts/tx-os/src/lib/audit-summary.ts` module so the pure formatter
can be unit-tested without the React tree. `admin.tsx` now imports the
helpers from that module.
- Added `artifacts/tx-os/src/__tests__/audit-summary.test.mjs` with 22
Node test-runner cases covering app rename (EN + AR), app-update
fallback, group rename, group multi-field update, registration toggle
(open / close / with-other-changes), and every group.user/app/role
add/remove name vs id-only branch, plus the unknown-action default.
- Added `pnpm --filter @workspace/tx-os test` (Node 24's native
TypeScript loader runs the .mjs tests against the .ts module directly).
- Added `artifacts/api-server/tests/group-audit-metadata.test.mjs` using
the same harness as `groups-crud.test.mjs`. It hits POST/DELETE
`/api/groups/:id/{users,apps,roles}/:targetId` and reads the resulting
`audit_logs.metadata`, asserting `username`, `appSlug` /`appNameEn` /
`appNameAr`, and `roleName` are persisted alongside the raw IDs.
- Updated the `test` workflow to run the tx-os unit tests before the
api-server tests, then the tx-os e2e tests.
Verification: all 22 tx-os unit tests pass via the new pnpm script, and
all 6 new api-server audit-metadata tests pass against a live server.
The overall api-server suite still has pre-existing flakes
(executive-meetings notifications/status transitions, and the
count-based group invariant in groups-crud.test.mjs) that are unrelated
to this change; both flake clusters are filed as follow-up tasks.
|
||
|
|
26205ade46 |
Improve sanitization for meeting details to prevent malicious input
Introduce a new function `stripTagsToPlainTextOrNull` to sanitize location, meeting URL, and notes fields, ensuring HTML tags are removed while preserving special characters for proper URL and text rendering. This change enhances security by preventing cross-site scripting (XSS) attacks and ensures data integrity for these fields across create, update, and duplication operations. |
||
|
|
36003fedad | Transitioned from Plan to Build mode | ||
|
|
2c4655be31 |
Show readable names in audit log for top-level deletions
Task: #177 — Make user/app/role deletion audit rows render readable names ("Deleted user @alice (Alice Smith)", "Deleted app 'Notes'", "Deleted role 'Editor'") instead of relying on whatever the route happened to capture. Backend metadata changes: - artifacts/api-server/src/routes/users.ts (user.delete): now also persists displayNameEn and displayNameAr alongside the existing username/email. - artifacts/api-server/src/routes/apps.ts (app.delete): renamed the metadata keys slug/nameAr/nameEn → appSlug/appNameAr/appNameEn so app sub-resource events and top-level deletes share one prefix. - artifacts/api-server/src/routes/roles.ts (role.delete): renamed the metadata key name → roleName, matching group.role.add/remove. Frontend formatter (artifacts/tx-os/src/pages/admin.tsx): - appName helper now reads both legacy (slug/nameEn/nameAr) and new (appSlug/appNameEn/appNameAr) keys so old rows still render. - role.delete case prefers roleName, falls back to legacy name. - user.delete case picks the user's localized display name and uses new locale strings user.deleteWithName / user.forceDeleteWithName when present; falls back to the existing username-only strings. - forceDeletedEntityName also accepts appNameEn/appNameAr/appSlug so force-deleted apps still get their inline name chip. Locales: - artifacts/tx-os/src/locales/{en,ar}.json: added admin.audit.summary.user.deleteWithName and forceDeleteWithName. Test updates: - artifacts/api-server/tests/audit-log-coverage.test.mjs: updated the role.delete and app.delete (no-deps) assertions to read the new metadata key names. The user.delete assertions kept working as-is since username/email/force are unchanged. No DB migration was required — audit_logs.metadata is already JSON. Legacy rows continue to render via the formatter fallbacks called out in the task description. |
||
|
|
76a174cfee |
Friendly summaries for app.permission.add/remove audit entries
Task #174: The new `app.permission.add` and `app.permission.remove` audit log actions emitted by `artifacts/api-server/src/routes/apps.ts` were falling through `formatAuditSummary`'s default branch, so the admin audit log only displayed the raw action string instead of a human-readable sentence like the existing `role.permission.*` entries. Changes: - artifacts/tx-os/src/pages/admin.tsx: added `app.permission.add` and `app.permission.remove` cases to `formatAuditSummary`. They reuse the existing `appName(meta, lang, targetId)` helper (which already handles the nameEn/nameAr/slug fallback) and mirror the existing role.permission.* permission-name fallback (permissionName -> #permissionId -> "?"). - artifacts/tx-os/src/locales/en.json: added `admin.audit.summary.app.permissionAdd` / `admin.audit.summary.app.permissionRemove`, matching the wording of the role.* variants ("Added permission '{{permission}}' to app '{{name}}'", "Removed permission '{{permission}}' from app '{{name}}'"). - artifacts/tx-os/src/locales/ar.json: added the Arabic equivalents ("تمت إضافة الصلاحية '...' إلى التطبيق '...'", "تمت إزالة الصلاحية '...' من التطبيق '...'"). Verification: - e2e tested via runTest: created a new app, added/removed a permission via the API to emit both audit entries, opened the admin audit log, and confirmed both rows render the friendly English summary; switched the UI to Arabic and confirmed the same rows render the Arabic summary (no raw "app.permission.add" / "app.permission.remove" strings shown). - JSON files validated; no new TypeScript errors introduced near the edited lines (the pre-existing 36 codegen-related errors in admin.tsx are unrelated). No deviations from the task scope. |
||
|
|
2980bf1bcb |
Add integration tests for the executive-meeting notification fan-out
Task #165: Add automated tests covering the notification fan-out logic (executive-meeting-notify.ts + executive-meetings.ts route handlers). What was added - artifacts/api-server/tests/executive-meetings-notifications.test.mjs — 7 integration tests, one per notification type: 1. meeting_created 2. request_submitted 3. request_approved 4. request_rejected 5. request_needs_edit 6. task_assigned 7. task_completed Each test asserts (a) the actor is excluded, (b) recipients are deduped across direct (user_roles) and group-derived (group_roles + user_groups) role assignments, (c) one row is inserted into BOTH executive_meeting_notifications and notifications in the same transaction, and (d) the matching Socket.IO events fire (notification_created per recipient + the executive_meeting_notifications_changed broadcast) with the right notificationType payload. - Test setup creates one user (approver2) that holds the target role both directly AND through a group, so the dedup invariant is exercised on every fan-out path that uses getUserIdsForRoleNames. Deviation from the task spec - The task suggested the new file at artifacts/api-server/src/routes/__tests__/executive-meetings-notifications.test.ts, but the api-server's runner is `node --test 'tests/**/*.test.mjs'` and every existing test (including notification-adjacent coverage) lives in tests/ as .mjs. A .ts file in src/__tests__ would silently never run, so the test file follows the established convention. Hardening (post code-review) - Added a scopeDiff() helper that filters each snapshot diff by notificationType + meetingId/relatedType+relatedId before any assertion runs. This protects the actor-exclusion check on the seeded admin user from cross-file flakiness if other test files happen to write notifications for admin while these tests run. - expectSocketEventsFor() now accepts { expectExactlyOne: true }; the meeting_created and request_submitted tests use it so a regression that double-emitted notification_created on the dedupe-sensitive paths would also be caught at the socket layer (not just in the DB). - Trimmed verbose explanatory comments in the test file to match the style of the surrounding tests/*.test.mjs. Other notes - While running the new test for the first time, the dev DB was missing the executive_meeting_notification_prefs table (an un-pushed migration), causing 500s in fan-out paths that read prefs. Ran `pnpm --filter @workspace/db push` once to sync the schema; no schema or runtime code was changed. - Full api-server suite passes: 211/211 tests green (7 new + 204 pre-existing). |
||
|
|
56a8696876 |
fix(executive-meetings): lock down attendee save payload (#221)
Why: Task #220 added a client-only `_sid` field on attendee rows so React DnD can identify rows. The two client save sites already enumerate wire fields explicitly and never serialize `_sid`, but nothing prevents a future refactor from accidentally leaking it. The server was zod-default lenient (silently strips unknowns), so a regression would either be silently absorbed (bad — silent contract drift) or land in a future JSONB metadata column without anyone noticing. What changed: - `attendeeSchema` in artifacts/api-server/src/routes/executive-meetings.ts is now `.strict()`. Any unknown attendee key (including `_sid` or any future client-only field) is rejected with HTTP 400 instead of being silently stripped. The schema is reused by all three attendee-bearing endpoints (POST /executive-meetings, PATCH /executive-meetings/:id, PUT /executive-meetings/:id/attendees), so all three are covered by one change. Tests: - Added three API tests in artifacts/api-server/tests/executive-meetings.test.mjs: 1. POST /executive-meetings with attendee carrying `_sid` returns 400 and the error mentions the rejected key. 2. PATCH /executive-meetings/:id with attendees carrying `_sid` returns 400 AND the meeting's existing attendee list is preserved (no partial mutation). 3. PUT /executive-meetings/:id/attendees with attendee carrying `_sid` returns 400 AND the seeded attendee is unchanged. Verification: - Full API test suite: 207/207 green (was 204/204 before; +3 new). - No client-side change needed: existing `saveAttendeeName` (~L943 in artifacts/tx-os/src/pages/executive-meetings.tsx) and the manage-dialog save (~L4004) already project to the documented wire shape (`name, title, attendanceType, sortOrder, kind`). - Architect review: addressed the one gap (PATCH coverage) by adding test #2 above; verdict resolved. Out of scope cleanup: - Marked the descriptions of stale tasks #172 and #179 as STALE (both PDF tests pass and PDF export works in current main). Final cancellation left to the user. |
||
|
|
c28775fe42 |
Task #164: Per-user notification preferences for Executive Meetings
Lets each user choose whether to receive in-app and/or email notifications
for each executive-meeting event type (meeting_created, request_submitted,
request_approved/rejected/needs_edit, task_assigned, task_completed).
Defaults to "everything on" when no preference row exists, preserving the
prior fan-out behavior for users who never visit the new UI.
Schema:
- New executive_meeting_notification_prefs table (user_id FK CASCADE,
notification_type varchar(64), in_app bool default true, email bool
default true, plus a unique index on (user_id, notification_type)).
- Pushed to dev DB via `pnpm --filter @workspace/db push`.
Backend:
- Exported EXECUTIVE_MEETING_NOTIFICATION_TYPES (canonical list) +
filterRecipientsByNotificationPref(ids, type, channel) helper that
returns only recipients whose row says the channel is on (default-on
semantics for missing rows).
- recordExecutiveMeetingNotifications now filters recipients by
channel="inApp" before inserting; sendExecutiveMeetingEmail filters
by channel="email" before SMTP delivery.
- New endpoints under /executive-meetings/notification-prefs:
GET → { types, prefs } merged with defaults.
PUT → upserts each supplied (type, channel) pair via
onConflictDoUpdate inside a transaction.
Frontend:
- New NotificationPrefsCard at the top of the Notifications section in
artifacts/tx-os/src/pages/executive-meetings.tsx. Renders a Switch per
(event type × channel) with batched save, dirty-state tracking, reset
button, and useToast feedback.
- Translation keys for the card added to en.json and ar.json under
executiveMeetings.notificationsPage.prefs.
Tests:
- 5 new tests in artifacts/api-server/tests/executive-meetings.test.mjs:
GET defaults, PUT roundtrip + upsert, 400 on unknown type, in-app
fan-out filtering (muted approver gets no row, control approver still
does), and channel-independence (muting only the email channel leaves
in-app delivery intact while persisting email=false in the DB row that
sendExecutiveMeetingEmail's filter reads).
- All 36 executive-meetings tests pass. Full suite shows only one
pre-existing flaky test elsewhere (groups-crud count assertion),
unrelated to these changes.
- Added e2e UI test that logs in as admin, toggles a preference, saves,
refreshes, and confirms persistence.
- After-hook cleans up new prefs rows for created users.
Follow-ups proposed: #236 (one-click reset to defaults), #237 (admin
view/override of any user's prefs).
|
||
|
|
9a36b89abd |
Task #234: Show one cell-level "+ عنوان فرعي" chip instead of one per group
Original task: in split-mode meeting cells (cells where 2+ attendance
groups are visible), the trailing "+ عنوان فرعي" chip was being
rendered once per AttendeeGroup. The user reported seeing two chips
(one for the internal group, one for the external group) and asked
"ليش اثنين؟". Per the user's choice in the clarifying interview, we
keep ONE chip at the bottom of the cell, and clicking it adds a new
subheading to the LAST visible attendance group in render order
(virtual → internal → external).
Implementation:
- Added optional `suppressTrailingSubheadingChip` prop to
`AttendeeFlowSharedProps` (defaults to false, so single-group cells
are unchanged).
- `AttendeeFlow` skips rendering its trailing per-group "+ عنوان فرعي"
<li> when the prop is true. The per-group "+" person <li> and all
after-section chips are unaffected.
- In the `hasSplit` branch of `AttendeesCell`, every per-group
`AttendeeGroup` is now passed `suppressTrailingSubheadingChip`, and
one new cell-level chip is rendered after the missing-groups chip
block with `data-testid="em-add-subheading-cell-${meeting.id}"`. The
chip is gated by the same `canMutate && !hasAnyPending && startAdd`
guard as the other add chips. Its onClick computes
`lastVisibleAddType` at click-time as `external > internal > virtual`
and calls `startAdd(lastVisibleAddType, "subheading")`.
Tests:
- Updated `Schedule [en|ar]: top "+ subheading" chip is NEVER
rendered…` so its mixed-meeting cell now asserts the per-group
`em-add-subheading-{addType}` testids are absent in split mode and
the new cell-level testid is visible. Per-group "+" person testids
still prove all three groups mounted.
- Added `Schedule [en|ar]: split-mode cell shows ONE cell-level "+
subheading" chip and routes to the LAST visible group`. Seeds
virtual + internal + external attendees, asserts ONE cell-level
chip + zero per-group subheading chips, clicks it, types a
subheading, blurs, and verifies the new subheading persists at the
end of the external group with correct kind / attendance_type /
sort_order.
- Added `Schedule [en|ar]: split-mode WITHOUT external — cell-level "+
subheading" chip routes to INTERNAL (last visible)` to lock the
fallback path of the lastVisibleAddType resolution rule
(external > internal > virtual). Seeds virtual + internal only and
verifies the new subheading persists at the end of the internal
group.
Verification:
- tsc clean for executive-meetings.tsx (admin.tsx errors are
pre-existing and unrelated).
- All 4 new+modified tests pass (en+ar both for the modified top-chip
test and the new cell-level chip test).
- The 4 unrelated test failures observed in the full run are
pre-existing flakes (locale state pollution + dnd-kit RTL drag) and
not caused by this change.
- Architect review: PASS. No critical findings.
Follow-up:
- Task #235 (PROPOSED) covers the remaining test gap: locking that
the cell-level chip stays hidden in row B while another row A has
a pending ghost input open (the in-code guard uses
`canMutate && !hasAnyPending && startAdd`).
|
||
|
|
8c2f04f670 |
Task #234: Show one cell-level "+ عنوان فرعي" chip instead of one per group
Original task: in split-mode meeting cells (cells where 2+ attendance
groups are visible), the trailing "+ عنوان فرعي" chip was being
rendered once per AttendeeGroup. The user reported seeing two chips
(one for the internal group, one for the external group) and asked
"ليش اثنين؟". Per the user's choice in the clarifying interview, we
keep ONE chip at the bottom of the cell, and clicking it adds a new
subheading to the LAST visible attendance group in render order
(virtual → internal → external).
Implementation:
- Added optional `suppressTrailingSubheadingChip` prop to
`AttendeeFlowSharedProps` (defaults to false, so single-group cells
are unchanged).
- `AttendeeFlow` skips rendering its trailing per-group "+ عنوان فرعي"
<li> when the prop is true. The per-group "+" person <li> and all
after-section chips are unaffected.
- In the `hasSplit` branch of `AttendeesCell`, every per-group
`AttendeeGroup` is now passed `suppressTrailingSubheadingChip`, and
one new cell-level chip is rendered after the missing-groups chip
block with `data-testid="em-add-subheading-cell-${meeting.id}"`. The
chip is gated by the same `canMutate && !hasAnyPending && startAdd`
guard as the other add chips. Its onClick computes
`lastVisibleAddType` at click-time as `external > internal > virtual`
and calls `startAdd(lastVisibleAddType, "subheading")`.
Tests:
- Updated `Schedule [en|ar]: top "+ subheading" chip is NEVER
rendered…` so its mixed-meeting cell now asserts the per-group
`em-add-subheading-{addType}` testids are absent in split mode and
the new cell-level testid is visible. Per-group "+" person testids
still prove all three groups mounted.
- Added `Schedule [en|ar]: split-mode cell shows ONE cell-level "+
subheading" chip and routes to the LAST visible group`. Seeds
virtual + internal + external attendees, asserts ONE cell-level
chip + zero per-group subheading chips, clicks it, types a
subheading, blurs, and verifies the new subheading persists at the
end of the external group with correct kind / attendance_type /
sort_order.
Verification:
- tsc clean for executive-meetings.tsx (admin.tsx errors are
pre-existing and unrelated).
- All 4 new+modified tests pass (en+ar both for the modified top-chip
test and the new cell-level chip test).
- The 4 unrelated test failures observed in the full run are
pre-existing flakes (locale state pollution + dnd-kit RTL drag) and
not caused by this change.
- Architect review: PASS. No critical findings.
Follow-up:
- Task #235 (PROPOSED) covers two test gaps: virtual+internal-only
fallback locking lastVisibleAddType=internal, and chip-hidden gating
while a pending ghost is open in another row.
|
||
|
|
4c617eb526 | Transitioned from Plan to Build mode | ||
|
|
b54d4e35d9 |
Send executive-meeting notification emails for real (SMTP delivery)
Original task #163: replace the no-op outbox-log behaviour in `sendExecutiveMeetingEmail` with real SMTP delivery so approvers actually get pinged in their inbox when an executive-meeting request is awaiting review. Implementation - Added `nodemailer` (and `@types/nodemailer`) as a dependency of `@workspace/api-server`. nodemailer was already in the build's external list, so the bundle stays slim and resolves it at runtime. - Rewrote `sendExecutiveMeetingEmail` in `artifacts/api-server/src/lib/executive-meeting-notify.ts`: - Lazily builds a cached nodemailer transporter from `SMTP_HOST` / `SMTP_PORT` (default 587) / `SMTP_USER` / `SMTP_PASS`, with optional `SMTP_SECURE` and `SMTP_FROM`. Cache is keyed on a config signature, so changing env vars in tests / hot reloads naturally rebuilds the transporter. - When `SMTP_HOST` is unset the previous outbox-style log is kept verbatim as a fallback. Once `SMTP_HOST` is set the fallback branch is no longer reached. - Picks subject/body in the recipient's preferred language (Arabic vs English) with a sensible fallback. - Sends one mail per addressed recipient in parallel; per-recipient failures are caught and logged at warn level. The outer try/catch keeps the function from ever throwing into the transaction caller. SMTP `rejected` arrays are also logged at warn so bounces are visible. Code-review comment follow-ups (applied in this commit) - Transport cache signature now hashes `SMTP_PASS` (sha256, first 16 hex chars) instead of just "***", so rotating to a new password actually rebuilds the cached transporter without leaking plaintext. - Fallback log message now distinguishes "no SMTP_HOST configured" from "SMTP misconfigured" so operators can tell why a delivery was skipped. Verification - Typecheck passes for the modified file (other unrelated pre-existing typecheck failures remain). - `pnpm --filter @workspace/api-server run build` succeeds. - API server boots cleanly with the new dependency. Deviations / scope - No automated tests added; the existing test harness is integration- style and the project already tracks "Add automated tests for the notification fan-out logic" as a separate task. - Persisting per-recipient delivery state into the `executive_meeting_notifications` audit table and a startup `transporter.verify()` were intentionally deferred and proposed as follow-ups (#232 and #233). |
||
|
|
6330c1f03d |
Task #162: Let admins pre-set required permissions while creating an app
The "Required permissions" section was previously edit-only because `POST /api/apps/:id/permissions` needs an app id, leaving a brief window where a freshly created app was visible to everyone before the admin could re-open the dialog and gate it. The Add app dialog now lets the admin pick required permissions up front and the new app + its `app_permissions` rows are written in a single transaction. Changes: - `lib/api-spec/openapi.yaml`: extended `CreateAppBody` with an optional `permissionIds: integer[]` field. Ran `pnpm --filter @workspace/api-spec run codegen` so `lib/api-zod` and `lib/api-client-react` reflect it. - `artifacts/api-server/src/routes/apps.ts`: `POST /apps` now de-dupes and pre-validates `permissionIds`, returns 404 if any id is unknown (without creating the app), and inside one transaction inserts the app, the `app_permissions` rows (with `.onConflictDoNothing()` against the composite primary key), and a single `permission_audit` row (`previousIds: []`, `newIds: requestedIds`). After the transaction it also writes one `app.permission.add` audit_logs entry per inserted permission so the admin log mirrors the post-create flow. - `artifacts/tx-os/src/pages/admin.tsx`: added `permissionIds: number[]` to `AppForm`, a new `NewAppPermissionsPicker` component (rendered only in create mode — edit mode keeps the existing `AppPermissionsEditor` with its impact preview) that lets admins add/remove permissions locally before submit, and wired `handleSaveApp` to forward the selected ids when creating. Existing edit path strips the field so the update payload remains unchanged. - `replit.md`: documented the new picker and POST /api/apps behavior. No impact preview is shown in the create-mode picker because a brand new app starts with zero users seeing it, so adding permissions cannot hide it from anyone. Code-review follow-up: tightened input validation so non-integer or non-positive `permissionIds` now return 400 with a clear error instead of being silently dropped by the previous filter. The legacy single-add endpoint already used this exact 400 message, so behavior stays consistent across both create and update paths. Verification: - `pnpm --filter @workspace/api-spec run codegen` passes. - `pnpm --filter @workspace/api-server` typechecks with no new errors (executive-meetings.ts errors are pre-existing and unrelated). - Ran the existing app-permission test suites (`app-permission-audit.test.mjs`, `app-permissions-crud.test.mjs`, `app-permissions-impact.test.mjs`) directly — all 16 tests pass. - Ran an e2e Playwright test (login as admin → Add app → pick a permission → save → verify the row shows 1 restriction → reopen and confirm the assigned permission). All steps passed. Follow-up proposed: automated tests for the new create-with-permissions endpoint behavior (#231). |
||
|
|
063b896c37 |
Task #230: Remove redundant top "+ subheading" chip in attendee cells
User feedback on Task #227: the top "+ عنوان فرعي" chip is visually redundant in every state (duplicates the trailing chip on empty / single-section cells, and feels like noise above the first heading once a heading exists). The trailing "+ عنوان فرعي" + after-section chips already cover every insertion point the user actually needs. Schedule cell (AttendeeFlow): - Removed the entire top "+ عنوان فرعي" chip JSX block (the gate `items.length === 0 || hasAnySubheading`, the testid `em-add-subheading-top-{addType}`, and surrounding comment). - Updated the surviving comments on `hasInlineInsert` and `renderPendingSubheadingLi` so they no longer mention the now-gone top chip — they reference only the after-section chip flow. - `hasAnySubheading` is kept (still used by person-row numbering and pending-person-ghost numbering). Per-section after-section chips (subheading- and person-branch) and the trailing "+ عنوان فرعي" / "+" buttons are unchanged. Tests (executive-meetings-attendee-insert-reorder.spec.mjs): - Removed the two top-chip tests: 1. "top chip on EMPTY cell inserts a subheading at slot 0" 2. "top chip is NOT rendered on a flat list with zero subheadings" - Replaced them with a single per-locale test: "top \"+ subheading\" chip is NEVER rendered (empty / person-only / subheading-only / mixed)". It seeds two meetings: an empty one (covers EMPTY state) and a three-section meeting that spreads attendees across the internal/virtual/external attendance-type groups so each AttendeeFlow renders in a different state (person-only, subheading-only, mixed). Asserts `em-add-subheading-top-*` has count 0 across the row, plus a sanity check on the mixed-row attendee count so the 0-count is meaningful. - After-section tests (between two sections / after empty section) and manage drag tests are unchanged. - Updated the file's top-of-file comment to mention #230 alongside #227. Verification: - 6 schedule tests in executive-meetings-attendee-insert-reorder PASS in en + ar (38.7s). - 6 regression tests in executive-meetings-attendee-subheadings PASS in en + ar (34.4s). - `tsc --noEmit` reports zero errors in executive-meetings.tsx. - Pre-existing dnd-kit RTL flake (Manage [ar/en]: drag handle reorders attendees inside the dialog) bounces locales between runs; unrelated to this diff (no changes to manage dialog drag flow, SortableAttendeeRow, or dnd-kit wiring). No deviations from the task spec. |
||
|
|
51a50f23ea |
Add app-permissions impact preview before tightening an app's gate
Mirrors the existing role-permissions impact preview UX for app
permissions. Admins now see how many currently-visible users would lose
access before they add a permission requirement to an app, plus the
groups (via group_apps) that offset the loss because their members keep
access regardless.
Backend
- New endpoint POST /api/apps/:id/permissions/impact-preview in
artifacts/api-server/src/routes/apps.ts. Implements the same OR
semantics as getVisibleAppsForUser: a user "sees" an app if they hold
ANY required permission (direct or via a group role) OR they belong
to a group granted the app via group_apps. Admins are excluded from
counts since they always see every app. Short-circuits with
noChange:true when the candidate set equals the current set.
- OpenAPI schema (lib/api-spec/openapi.yaml): adds the path,
AppPermissionsImpactBody, AppPermissionImpactGroup,
AppPermissionsImpact. Regenerated lib/api-client-react bindings.
Frontend
- AppPermissionsEditor (artifacts/tx-os/src/pages/admin.tsx): debounced
(350ms) cancel-safe preview when a pending permission is selected,
warning banner with affected/visible counts and offsetting groups,
and a confirmation dialog when affectedUserCount > 0. Add button is
disabled while the preview is loading or errored to keep the warning
trustworthy.
- i18n keys added to en.json and ar.json under
admin.appPermissions.{impactTitle, impactLoading, impactError,
impactNone, impactSummary, impactViaGroups, confirmTitle, confirmBody,
confirmAction}.
Tests
- artifacts/api-server/tests/app-permissions-impact.test.mjs: 7 tests
covering noChange short-circuit, unrestricted-app tightening,
candidate that keeps an existing permission, group_apps offset,
unknown app (404), invalid payload (400), and admin-only enforcement.
All 18 app-permissions tests pass.
- E2E flow verified via runTest: admin login → /admin → Apps → edit
app → select permission → preview banner appears → Add → confirm
dialog → cancel without writing.
Out-of-scope (filed as follow-ups #228 and #229): listing the specific
affected user IDs in the preview, and warning when REMOVING a
permission broadens access.
No deviations from the task spec.
|
||
|
|
c6adb79fe8 |
Update how subheading chips are displayed in meeting editor
Refactor the display of subheading chips to correctly render in empty cells and after sections. |
||
|
|
b5bcb4cd90 |
Task #227: Restructure attendee cell controls around section headings
User feedback on Task #220's UX (in Arabic): per-section "+ شخص هنا" chips felt redundant; the user wanted the "+ عنوان فرعي" controls placed at the TOP of each cell and after each section instead, and the "+ شخص هنا" chips removed entirely. Schedule cell (AttendeeFlow): - TOP "+ عنوان فرعي" chip renders BEFORE the first item of each AttendeeFlow group when the cell is empty OR when it already contains at least one subheading. For cells that only contain persons and no subheadings, the chip is intentionally hidden so the pre-#227 visual is preserved (per task's "no regression" clause). Testid: em-add-subheading-top-{addType}. insertAtIndex = items[0].i for non-empty cells, undefined for empty (so the commit appends at slot 0). - After-section "+ عنوان فرعي" chip renders AFTER every section that is followed by another section, including: * person-tail boundary (last person whose next item is subheading) * empty-section boundary (subheading whose next item is subheading) The trailing section is skipped — the trailing "+ عنوان فرعي" button below already covers that slot. Testid: em-add-subheading-after-{i}; insertAtIndex = i + 1. - Both "+ شخص هنا" chips removed (subheading-empty branch + person-tail branch). - Added renderPendingSubheadingLi helper for inline subheading ghost rendering at the clicked slot. Generalized hasInlineInsert to cover both person and subheading pending kinds. - Removed addPersonHereLabel/addPersonHereAriaLabel from AttendeeFlowSharedProps and from the schedule-side flowProps caller. Manage dialog: - Removed the per-section "+ شخص هنا" buttons from the SortableContext flatMap and the insertAttendeeAt helper. Reverted to plain state.attendees.map. Locales (ar + en): - Dropped executiveMeetings.schedule.addPersonHere/addPersonHereAria. - Dropped executiveMeetings.manage.attendees.addPersonHere/ addPersonHereAria. Tests (executive-meetings-attendee-insert-reorder.spec.mjs): - Removed the per-section "+ شخص هنا" chip test. - Added 4 new schedule tests (en + ar each): 1. Top chip on an EMPTY cell inserts a subheading at slot 0. 2. Top chip is NOT rendered on a flat list with zero subheadings (preserves the pre-#227 visual). 3. After-section chip inserts a subheading between two existing sections (BEFORE the next-section subheading). 4. After-section chip renders after an EMPTY section (consecutive subheadings) and inserts a subheading at the boundary. - Pre-existing drag tests #2 and #3 unchanged and still pass. - Pre-existing #4 (Manage [ar] mixed person+subheading drag) is reproducibly red on [ar] but green on [en]. The diff does NOT touch the manage dialog drag flow, the SortableAttendeeRow, or dnd-kit wiring — pre-existing RTL keyboard-sensor flake from #220. Architect review: PASS on first run; second-pass code-review verdict flagged scope alignment which has now been addressed (top chip on empty cell, no top chip on flat lists, after-section chip on consecutive subheadings, plus matching tests). |
||
|
|
348178e4a0 |
Task #227: Restructure attendee cell controls around section headings
User feedback on Task #220's UX (in Arabic): the per-section "+ شخص هنا" chips felt redundant; the user wanted "+ عنوان فرعي" controls placed at the TOP of each cell and after each section instead, and the "+ شخص هنا" chips removed entirely. Schedule cell (AttendeeFlow): - Added a TOP "+ عنوان فرعي" chip that renders BEFORE the first item of each AttendeeFlow group when the group is non-empty (testid em-add-subheading-top-{addType}; insertAtIndex=items[0].i). - Added an after-section "+ عنوان فرعي" chip that renders AFTER the last person of each section that is followed by another subheading (testid em-add-subheading-after-{i}; insertAtIndex=i+1). The trailing section is intentionally skipped — the existing trailing "+ subheading" button already covers that slot. - Removed both "+ شخص هنا" chips (subheading-empty branch + person-tail branch). - Added renderPendingSubheadingLi helper for inline subheading ghost rendering at the clicked slot. Generalized hasInlineInsert to cover both person and subheading pending kinds. - Removed addPersonHereLabel/addPersonHereAriaLabel from AttendeeFlowSharedProps and from the schedule-side flowProps caller. Manage dialog: - Removed the per-section "+ شخص هنا" buttons from the SortableContext flatMap and the insertAttendeeAt helper. Reverted to plain state.attendees.map. Locales (ar + en): - Dropped executiveMeetings.schedule.addPersonHere/addPersonHereAria. - Dropped executiveMeetings.manage.attendees.addPersonHere/ addPersonHereAria. Tests: - Replaced the old "+ person here" test with two new schedule tests: (a) top "+ عنوان فرعي" chip inserts a subheading at slot 0, (b) after-section chip inserts a subheading between two existing sections (BEFORE the next-section subheading). - Both new tests run in en + ar. - Pre-existing drag tests #2 and #3 are unchanged and still pass. - Pre-existing #4 (Manage [ar] drag-reorder mixed person+subheading) is reproducibly red on [ar] but green on [en]. The diff does NOT touch the manage dialog drag flow, the SortableAttendeeRow, or dnd-kit wiring — this is a pre-existing RTL keyboard-sensor flake from #220. Architect review: PASS, no blocking issues. Minor optional follow-ups (extra edge-case test coverage) intentionally not addressed to keep scope tight to the user's request. |
||
|
|
9cf87a5783 | Transitioned from Plan to Build mode | ||
|
|
630d739732 |
Task #159: Block non-admin users from changing role permissions (tests)
## Original task The existing role-permission tests cover the system-role guard, unknown-permission 404, and the admin happy paths for PUT/POST/DELETE /api/roles/:id/permissions, but they never exercised the requireAdmin middleware with a real non-admin session. A silent regression of requireAdmin on these routes would let regular users edit role permissions undetected. ## What changed Added a new test file: artifacts/api-server/tests/role-permissions-non-admin.test.mjs It mirrors the style of role-permissions-assign.test.mjs: - Creates an admin user (used only to seed a target role with two known permissions). - Creates a regular user with no role assignments. - For each of PUT, POST, and DELETE on /api/roles/:id/permissions, logs in as the regular user and asserts the response status is 403. - After every rejected call, asserts the role's permission set in role_permissions is byte-for-byte unchanged. - For POST it deliberately picks a permission the role does NOT already have, so any regression would change the row count. - Cleans up created users, roles, role_permissions, and role_permission_audit rows in after(). ## Verification `pnpm --filter @workspace/api-server test` — all 192 tests pass, including the 3 new ones. ## Deviations None. Scope kept tight to the task description. ## Follow-up Proposed #226: parallel non-admin 403 coverage for POST/PATCH/DELETE /api/roles (CRUD), which today have no non-admin rejection tests either. |
||
|
|
7654d60dc3 |
Add Playwright spec for /my-orders unmount-flush of pending deletes
Original task (#158): /my-orders has a useEffect cleanup that, on unmount, clears every still-running undo timer and immediately fires the deletions for whatever IDs were queued. This unmount-flush path was previously not covered by tests — only the "Undo" path was. Implementation: - New spec: artifacts/tx-os/tests/order-delete-flush-on-unmount.spec.mjs - Mirrors the test scaffolding (DB pool, user/order seeding, login, language init, toast locator) used by the existing order-undo-toast and order-clear-finished-undo specs. - Flow: seed a completed order, log in, go to /my-orders, click trash + "Yes, delete" to queue the deletion, then navigate away via the in-page Back button (which is wouter setLocation("/services") — an in-SPA route change, so MyOrdersPage actually unmounts and the cleanup useEffect runs). - Asserts both required outcomes from the task spec: * A DELETE /api/orders/:id request is observed during the navigation (with a 2xx response). * The order row is actually gone from the DB. - Additionally records the timestamp of the DELETE request and asserts it fires within 3s of the navigation (well under UNDO_WINDOW_MS). This guards against a regression that removes the cleanup but accidentally still passes because the natural 7s timer eventually fires anyway in the SPA — without the cleanup, the DELETE would arrive ~7s later and the assertion would time out. - Clean up the seeded order id from the afterAll list when the test successfully deletes it via the UI, so teardown does not try to re-delete a missing row. No production code changed; this is a pure test addition. |
||
|
|
5b475af2a6 |
Add Playwright tests for the bulk "Clear N finished" + undo flow on /my-orders
Task #157 asked for end-to-end coverage of the bulk-delete path on /my-orders, which goes through the same scheduleDelete() in artifacts/tx-os/src/pages/my-orders.tsx as the single-card delete but uses a single shared setTimeout that owns multiple order IDs and a different (i18n plural) toast title. None of that was exercised by the existing order-undo-toast.spec.mjs. New file: artifacts/tx-os/tests/order-clear-finished-undo.spec.mjs Three tests, all using the same DB-seeding + login pattern as the existing undo-toast spec: 1. English plural + Undo: seeds 3 finished orders, clicks "Clear 3 finished", confirms, asserts the plural toast ("3 orders deleted" => myOrders.clearedCount_other), clicks Undo inside the 7s window, then waits past UNDO_WINDOW_MS and asserts that NO DELETE /api/orders/:id requests went out, all 3 rows still exist in the DB, and all 3 cards are visible again. This is the core regression guard for the multi-id shared-timer logic. 2. English plural + timer expiry: seeds 1 completed + 1 cancelled order (to confirm both finished states are swept), clicks "Clear 2 finished", asserts the plural toast, does NOT click Undo, polls until both DELETE responses fire and both DB rows are gone. 3. Arabic singular bulk path: seeds 1 finished order, clicks the Arabic "Clear 1 finished" button, confirms, asserts the singular toast title. NOTE: when ids.length === 1 the bulk path falls through to myOrders.deleted ("تم حذف الطلب"), NOT clearedCount_one — so the test asserts actual current behavior and the comment explains why. Then Undoes and verifies the row stays. Deviation from task spec: the task said "Both the singular ('1 order deleted') and plural ('{count} orders deleted') toast titles are exercised at least once." The plural string is exercised, but the literal "1 order deleted" string (clearedCount_one) is unreachable in the current code — scheduleDelete uses myOrders.deleted for the single-id case. I tested the actual singular branch instead and filed follow-up #223 to either route the single-id bulk case through clearedCount_one or remove the dead translation key. Also filed follow-up #224 for the unused clearedPartial string (partial-failure toast for bulk clear). Verified locally: all 3 new tests pass via pnpm --filter @workspace/tx-os exec playwright test \ tests/order-clear-finished-undo.spec.mjs (3 passed in ~47s, exit 0). No existing files were modified. |
||
|
|
2299dc63d6 |
Task #220: insert persons mid-list + drag-reorder attendees
Schedule grid (AttendeeFlow): - Per-section "+ شخص هنا" chip rendered AFTER the last PERSON of each section (a section ends right before the next subheading or at end-of-list), gated by hasAnySubheading. Clicking it opens a ghost row with insertAtIndex = lastPersonIdx + 1 so the new row lands at the TAIL of THAT section, before the next subheading. The chip belongs to the section ABOVE it, matching the user's spec. - Empty-section fallback chip kept on subheading rows: when a subheading is followed by another subheading or end-of-list, render the chip there so empty sections stay growable. Manage dialog: - Added _sid client-only field with genAttendeeSid() so dnd-kit ids stay stable across renames; stripped from save projection. - DnD via dnd-kit (DndContext / SortableContext / SortableAttendeeRow with GripVertical handle, keyboard + pointer sensors). New reorderAttendeesByDrag + sortableIds memo. - New insertAttendeeAt(idx) helper + per-section "+ شخص هنا" buttons injected as non-sortable siblings inside SortableContext after each subheading (sortableIds remains a pure _sid list so the keyboard sensor still works). Locales: addPersonHere + addPersonHereAria in both ar.json and en.json (schedule + manage scopes). Tests: - New e2e spec executive-meetings-attendee-insert-reorder.spec.mjs: (1) chip after last person of section inserts BEFORE the next subheading; asserts em-add-person-here-2 (subheading idx) does NOT exist in [A,B,SUB,C]; (2) keyboard DnD reorders 3 persons; (3) mixed person + subheading drag preserves kind. 6/6 pass in AR + EN. - Existing subheading e2e (Task #207): 6/6 still pass. Process notes: - First mark_task_complete REJECTED by code review for placing chip after subheading instead of after last person of prior section; this commit is the corrected pass. Architect re-review approved the semantic; only follow-up was the missing manage-scope addPersonHereAria locale key, which is added here. |
||
|
|
7a90254ce4 |
Task #220: Insert persons mid-list + drag-reorder attendees
Original request: Add a per-section "+ شخص هنا" inline chip in the
attendees cell so users can splice a new person right after a
subheading without opening the manage dialog, and add drag-and-drop
reordering inside the manage dialog (with up/down arrows kept as a
keyboard fallback).
Changes (artifacts/tx-os/src/pages/executive-meetings.tsx):
- Attendee gets an optional client-only `_sid` (stripped by the
manage-save projection so it never crosses the wire).
- AttendeeFlow now renders a "+ شخص هنا" chip right after every
subheading row; clicking it opens the pending-add editor anchored
to that section's tail and threads `insertAtIndex` through to
`commitAddAttendee`, which splices + renumbers contiguously.
- Manage dialog wraps its attendee list in `DndContext` +
`SortableContext` (vertical strategy). Each row is now a
`SortableAttendeeRow` driven by `useSortable`; only the new
`GripVertical` handle is wired to dnd-kit listeners so inputs,
selects, chevrons and the delete button stay interactive.
- `reorderAttendeesByDrag(activeSid, overSid)`, memoised
`sortableIds`, and pointer + keyboard sensors live on the manage
section. `openEdit` and add-row helpers stamp `_sid` so each row
has a stable React key.
- AR/EN locale keys for the chip label/aria and drag handle aria
were already in place from the prior compaction.
Tests (new): artifacts/tx-os/tests/executive-meetings-attendee-insert-reorder.spec.mjs
- 6/6 passing (3 scenarios × AR + EN):
1) "+ person here" inserts at the right slot after a subheading.
2) Drag-reorder via keyboard (Space + ArrowDown) inside the manage
dialog persists the new order.
3) Mixed person + subheading drag preserves `kind` and order
across the round-trip (architect-flagged coverage).
Verification:
- 6/6 new e2e pass (45.3s).
- 6/6 existing subheading e2e still pass (Task #207 untouched).
- tx-os typecheck clean for executive-meetings.tsx (admin.tsx errors
are pre-existing/unrelated codegen drift).
- Architect review: PASS — DnD wiring composed correctly, `_sid`
properly stripped from save payload, no security findings.
Follow-ups proposed: #221 (assert _sid never leaks to API) and #222
(quick-add chip between any two persons, not just after subheadings).
|
||
|
|
a75b9139f1 |
Add ability to insert and reorder people within meeting attendee sections
Adds functionality to insert new attendees at specific positions within sections and updates the attendee data structure and API calls to handle this. |
||
|
|
4baa174544 | Transitioned from Plan to Build mode | ||
|
|
4ef36ac794 |
Push merge changes live so editors see updates without refreshing (task #155)
Made every executive-meetings write surface broadcast a realtime
`executive_meetings_changed` event so all open schedule tabs refetch
the affected day(s) within ~1s instead of waiting for a manual refresh.
What changed
- `artifacts/api-server/src/lib/realtime.ts`: added
`emitExecutiveMeetingsDaysChanged(dates)` — a thin dedup wrapper around
the existing single-date emitter so handlers that may touch two days
(PATCH that reschedules across dates, approved reschedule requests)
can emit both with one call.
- `artifacts/api-server/src/routes/executive-meetings.ts`: added emit
calls to every mutation handler that previously lacked one:
* POST /executive-meetings (create)
* DELETE /executive-meetings/:id
* PUT /executive-meetings/:id/attendees
* POST /executive-meetings/:id/duplicate
* POST /executive-meetings/reorder
* PATCH /executive-meetings/requests/:id (approve+apply)
The PATCH /:id handler now emits BOTH the old and the new meetingDate
so a viewer on the source day loses the row and a viewer on the target
day gains it. The request-approve handler captures the meeting's
pre-apply and post-apply date inside the transaction so reschedule
approvals also fan out to both days.
Frontend
- No frontend changes were needed. `useNotificationsSocket` already
subscribes to `executive_meetings_changed` and invalidates the
`["/api/executive-meetings", date]` query — the same key
`refreshDay()` invalidates on the schedule page.
Verification
- API server build + boot: clean.
- Ran the api-server executive-meetings test suites
(`executive-meetings.test.mjs`, `executive-meetings-merge.test.mjs`,
`executive-meetings-visibility.test.mjs`) — all 38 tests pass when
run sequentially. (Concurrent runs surface a pre-existing
daily_number unique-constraint flake unrelated to this change.)
- Pre-existing TypeScript errors are unchanged; no new errors introduced.
Followed task scope strictly: realtime fan-out only, no UI or schema
changes. Proposed follow-up #219 to add automated test coverage for the
emit-on-write contract so it cannot silently regress.
|
||
|
|
a822fb1b4a |
Test the merge & current-meeting tint feature end-to-end (task #154)
Adds API + UI/e2e coverage for the cell-merge overlay introduced by task #152 on the executive-meetings schedule. Two new test files, no production code changes. API tests (artifacts/api-server/tests/executive-meetings-merge.test.mjs): - Setting a merge writes mergeStartColumn/mergeEndColumn/mergeText and the row round-trips back through GET ?date=. - Clearing with `merge: null` nulls all three columns while leaving the rest of the row intact (combined with a titleEn change in the same PATCH to prove only the merge fields move). - Invalid range start>end is rejected with 400 and the row is unchanged (also covers an unknown enum value). - mergeText is sanitized: <script>, onerror, javascript:, and <img> are stripped; visible text, <strong>, and the allowed inline color style (rgb(220,38,38)) survive — locks the contract that Tiptap-style formatting on the merged label is preserved. - A non-mutate user (executive_viewer role) gets 403 on PATCH merge and a follow-up DB SELECT confirms no fields changed. UI / e2e tests (artifacts/tx-os/tests/executive-meetings-merge.spec.mjs): - Two-tab realtime: separate browser contexts both open the same day; applying a merge in tab A makes the merged cell appear in tab B without a manual reload (relies on the existing `executive_meetings_changed` Socket.IO emit + client invalidator). - Hidden # column: with `em-schedule-cols-v1` localStorage flagging number as invisible, the row-actions kebab still mounts on the next visible cell and the Merge submenu is reachable. - Non-contiguous reorder: a row with a stored merge spanning meeting+attendees is loaded after reordering columns to [number, meeting, time, attendees]. The merged cell is NOT rendered (correct fallback) but the kebab still surfaces the Unmerge action, and clicking it clears all three merge columns in the DB. Both files clean up their own meeting rows + audit log entries + seeded users in afterAll/after. All 5 API tests + 3 Playwright tests pass against the running dev workflows. Follow-ups proposed: - #217 Show merged cells in the meeting PDF & archive views - #218 Test the merge popover in Arabic / RTL |
||
|
|
089aa886ff |
Task #151: Add automated tests for the live role-permission updates
Adds `artifacts/api-server/tests/role-permissions-realtime.test.mjs`,
covering the `role_permissions_changed` socket event emitted from
`PUT /api/roles/:id/permissions`.
The test:
- Stands up an admin caller plus three holders/non-holders:
- a direct holder via `user_roles`,
- an indirect holder reached via `group_roles` -> `user_groups`,
- an outsider with no claim on the role.
- Logs each in via `/api/auth/login`, opens an authenticated
`socket.io-client` socket per user against `/api/socket.io` (the
same path/transports the real client uses) and waits for `connect`
before issuing the PUT, so the user-room join is guaranteed.
- Asserts both holders receive exactly one
`role_permissions_changed` event with payload `{ roleId }`.
- Asserts the outsider receives zero such events.
Also adds `socket.io-client` as a devDependency on
`@workspace/api-server` (no production code touched).
Notes / non-deviations:
- Pre-existing typecheck errors in `routes/groups.ts` and
`routes/executive-meetings.ts` are unrelated and were not
introduced by this change.
- The audit-style file `role-permission-audit.test.mjs` was used as
the setup/teardown template per the task description.
- After code review feedback, replaced the fixed 250 ms sleep with
a promise-based `waitForEvent(timeoutMs)` helper so the holder
assertions resolve as soon as the broadcast lands (test now
finishes in ~700 ms instead of ~1850 ms). A short 100 ms grace
is still used before the outsider negative-case assertion to
give a regression emit time to arrive.
Follow-ups proposed:
- #215 cover the same fan-out for POST/DELETE permission endpoints.
- #216 cover the sibling `apps_changed` fan-out via
`emitAppsChangedToRoleHolders`.
|
||
|
|
36cb2ca86e |
Restart numbering for individuals after each subheading
Modify attendee numbering logic to reset at each subheading, ensuring proper sequence and display across different views and PDF outputs. |
||
|
|
47fa0090c1 |
Push role permission changes for single-permission add/remove endpoints
Task #150: Make `POST /api/roles/:id/permissions` and `DELETE /api/roles/:id/permissions/:permissionId` emit the `role_permissions_changed` socket event in addition to the existing `apps_changed` event, mirroring the bulk `PUT /api/roles/:id/permissions` handler. Changes - artifacts/api-server/src/routes/roles.ts - In the POST add-one handler, after inserting the new role_permissions row and emitting `apps_changed`, also call `emitRolePermissionsChangedToHolders(id)` so role/permission React Query caches and `/api/auth/me` get invalidated for every user holding that role. - In the DELETE remove-one handler, after a successful delete and the existing `apps_changed` emit, also call `emitRolePermissionsChangedToHolders(id)` for the same reason. - Both emits are still gated on a real change occurring (insert actually happened / delete actually returned a row), so a no-op request does not push spurious events. Notes - `emitRolePermissionsChangedToHolders` was already imported at the top of the file (used by the bulk PUT handler), so no new imports were needed. - Pre-existing unrelated TypeScript errors exist in permission-audit.ts, executive-meetings.ts, and groups.ts; my changes did not introduce them and roles.ts itself type-checks. - No follow-up tasks proposed: testing of the live update flow is already covered by the existing "Add automated tests for the live role-permission updates" project task. |
||
|
|
a9b0b12569 |
Correctly save subheading type when adding new schedule items
Update executive-meetings.tsx to pass the 'kind' parameter in the onCommitAddAttendee function, ensuring subheadings are saved with the correct type. |
||
|
|
6bcfd9e6f4 |
Task #149: Add automated mobile/touch test for reordering meetings on iPad
Adds a new Playwright spec `artifacts/tx-os/tests/executive-meetings-touch-reorder.spec.mjs` that exercises the iPad/touch path of drag-to-reorder on the Executive Meetings daily schedule — the path fixed by Task #141 (TouchSensor + `touch-action: none` on the row grip handle) but never covered by an end-to-end test. What the test does - Configures the spec's browser context with viewport 768x1024, hasTouch=true, isMobile=true so Chromium emulates an iPad and emits real TouchEvents that dnd-kit's TouchSensor can pick up. - Seeds two adjacent meetings on a unique far-future date via direct DB inserts (mirrors the strategy in executive-meetings-schedule-features.spec.mjs) and cleans them up in afterAll. - Logs in as admin via the UI, navigates to /executive-meetings, jumps to the seeded date, and turns on edit mode so the row grip handle renders. - Drives the touch gesture through CDP `Input.dispatchTouchEvent` (Playwright's high-level `page.touchscreen` only exposes `tap()`): touchStart on the first row's grip, hold still for 350ms (≥ task's 250ms / dnd-kit's 200ms activation delay), drag down past the second row in 12 sub-steps, touchEnd. - Asserts: (1) a POST /api/executive-meetings/reorder fires AND succeeds, (2) the request body's `orderedIds` reflects the swap, (3) the DB row daily_numbers + start/end times swap as the reorder endpoint specifies, (4) the visible DOM row order swaps, and (5) after a reload the new order persists. Wiring - The spec lives in `artifacts/tx-os/tests/` and is auto-discovered by the existing playwright config (`testMatch: /.*\\.spec\\.mjs$/`), so it runs as part of `pnpm --filter @workspace/tx-os test:e2e` with no config changes. Verification - `pnpm --filter @workspace/tx-os test:e2e -- executive-meetings-touch-reorder.spec.mjs` → 1 passed. - Re-ran the existing `executive-meetings-schedule-features.spec.mjs` (4 tests) to confirm no regression — all 4 still pass. Follow-ups - Proposed #214: Add iPad/touch test for reordering schedule columns (the file has a second DndContext for column-header drag that uses the same sensor stack and is currently untested on touch). Code review feedback - Reordered scrollIntoViewIfNeeded() to run BEFORE the boundingBox reads so any auto-scroll from bringing the grip on screen can't invalidate the touch coordinates we then dispatch via CDP. (Other comment about an unrelated opengraph.jpg change is platform-side, not part of this task's edits.) No deviations from the task spec. |
||
|
|
c18f84952c |
Task #148: Make pnpm --filter @workspace/db run push work without manual SQL
## Original task
`pnpm --filter @workspace/db run push` was failing with a duplicate-key
error on `app_permissions` (and a missing FK on
`executive_meeting_notifications`) because legacy data in the dev DB
violates constraints the schema now declares. Devs had to drop into psql
to fix it, which made bootstrapping painful and left
`role_permission_audit` reliant on hand-applied SQL.
## Changes
- Added `lib/db/scripts/pre-push-cleanup.ts`, an idempotent cleanup that:
- Collapses duplicate `app_permissions` rows to one per
`(app_id, permission_id)` so the composite PK can be added.
- Deletes orphan `executive_meeting_notifications` rows so the new
`ON DELETE CASCADE` FK can be added.
- Skips both checks when the tables don't exist yet (fresh DB
no-op).
- Wired the script into `lib/db/package.json` so both `push` and
`push-force` run cleanup first (`pnpm run pre-push-cleanup && drizzle-kit push ...`).
- Added `tsx` to `lib/db` devDependencies (catalog version) so the
package can run the cleanup without leaning on another workspace.
- Updated `replit.md` Deployment / Migration Runbook to reflect that
cleanup is now automatic — no manual SQL required in any environment.
## Verification
- `pnpm --filter @workspace/db run push` now collapses 2 duplicate
groups + removes 1978 orphan notifications, then succeeds with
`[✓] Changes applied`.
- Re-running push is idempotent: second run reports no duplicates and
no orphans, then succeeds.
- `pnpm --filter @workspace/db run push-force` (used by
`scripts/post-merge.sh`) was also verified end-to-end.
- Confirmed `app_permissions` now has the composite PK,
`executive_meeting_notifications` has the cascade FK, and
`role_permission_audit` matches the schema.
## Notes
- A pre-existing unrelated typecheck error in
`artifacts/api-server/src/routes/executive-meetings.ts` (font
settings `scope` overload) was confirmed to exist on `main` before
any changes here and is out of scope for this task.
- Proposed follow-up #213 to move from `push`/`push-force` to
versioned `drizzle-kit migrate` so legacy-data backfills are checked
in instead of living in a generic pre-push script.
|
||
|
|
e816f136bd |
Task #147: Add structured permission-change audit (users, groups, apps)
Mirrors the existing role-permission audit pattern with a unified
`permission_audit` table capturing actor, target, prev/new id sets, and
timestamp written in the same transaction as the change.
Schema & API
- New `permission_audit` table (target_kind, target_id, change_kind,
actor_user_id, previous_ids[], new_ids[], created_at) with index on
(target_kind, target_id, created_at).
- Transactional audit writes in routes/users.ts (POST/DELETE roles,
PATCH groupIds), routes/groups.ts (PATCH + add/remove members for
users/roles/apps), routes/apps.ts (POST/DELETE permissions).
- Cross-entity mirroring: when group membership changes via a group
endpoint, a user.groups row is also written for each affected user
(and vice versa via PATCH /users), so each entity's history is
exhaustive regardless of which editor was used.
- Admin-only GET /users/:id/audit, /groups/:id/audit, /apps/:id/audit
with limit/offset/actorUserId/from/to filters and the same response
shape as role audit.
- OpenAPI types + codegen regenerated.
UI
- Reusable PermissionAuditHistory component in admin.tsx wired into
UserGroupsEditor, GroupDetailEditor (new "history" tab), and the
editing-app dialog. App history correctly resolves permission ids
(NOT roles) via useListPermissions.
- Bilingual i18n keys added under admin.{users,groups,apps}.history*
in en.json + ar.json.
Tests
- New backend tests: user-permission-audit, group-permission-audit,
app-permission-audit (14 cases — transactional capture, GET filters
& pagination, admin-only, 404 on unknown id, plus 2 new mirror
tests covering cross-entity audit visibility). All pass; 35
adjacent role/groups/users/audit-coverage tests still pass.
Notes
- replit.md updated to list `permission_audit` table.
- Restored opengraph.jpg (an unrelated stray binary diff).
- Code-review comments addressed: cross-entity asymmetry fixed via
mirroring; opengraph.jpg restored.
- Follow-ups proposed: timeline UI improvements, cascade audit on
delete/bulk paths, e2e UI test for History sections.
|
||
|
|
27f52ed84b |
Task #207: custom subheadings inside executive-meeting attendee cells
Adds a new `kind` column (`varchar(16) NOT NULL DEFAULT 'person'`) on `executive_meeting_attendees` so users can interleave free-text section labels with person rows in a meeting's attendee list. Subheadings are excluded from the running attendee number and from the per-meeting attendee count surface, but reorder and delete identically to person rows. DB - New `kind` column in `lib/db/src/schema/executive-meetings.ts`, defaulting to `"person"`. Applied via direct SQL because `drizzle-kit push` trips on a pre-existing duplicate-row issue in `app_permissions` (already documented in replit.md). API (artifacts/api-server/src/routes/executive-meetings.ts) - `attendeeSchema` accepts `kind: z.enum(["person","subheading"])` with default `"person"`. - All 4 insert paths round-trip `kind`: POST create, PATCH meeting update (attendees replacement), PUT `/attendees`, and duplicate. - `pdf-renderer` mapper forwards `kind`. `PdfMeetingAttendee.kind` typed as `string | null` to match the DB column shape. Frontend (artifacts/tx-os/src/pages/executive-meetings.tsx) - `AttendeeFlow` renders subheadings on a separate full-width row (`basis-full`, semibold, centered) and increments the running person index only for `kind === "person"`. Pending ghost row branches on `pendingKind`. - Inline "+ subheading" chip via `onStartAdd(type, "subheading")`. - Manage dialog: addSubheading button, subheading rows hide the title field, show a kind badge, and reorder/delete identically. Manage list summary count filters to person rows only (architect fix). - Print page renders subheadings as `.em-print-subheading` and skips them in the running counter. - New locale keys under `executiveMeetings.schedule` and `executiveMeetings.manage.attendees` in both `ar.json` and `en.json`. PDF - Subheadings print as `— label —` and never advance `personIdx`. Tests - New spec `executive-meetings-attendee-subheadings.spec.mjs` seeds mixed person+subheading rows and asserts (a) the subheading row renders, (b) numbering stays `1-`, `2-`, `3-` with a subheading wedged between persons, (c) zero-subheading meetings keep legacy numbering. Runs in both AR and EN. All 4 cases pass. Code review - Architect found one regression (Manage list summary count included subheadings) — fixed. |
||
|
|
c986d74f37 |
Task #207: custom subheadings inside executive-meeting attendee cells
Adds a new `kind` column (`varchar(16) NOT NULL DEFAULT 'person'`) on `executive_meeting_attendees` so users can interleave free-text section labels with person rows in a meeting's attendee list. Subheadings are excluded from the running attendee number and from the per-meeting attendee count surface, but reorder and delete identically to person rows. DB - New `kind` column in `lib/db/src/schema/executive-meetings.ts`, defaulting to `"person"`. Applied via direct SQL because `drizzle-kit push` trips on a pre-existing duplicate-row issue in `app_permissions` (already documented in replit.md). API (artifacts/api-server/src/routes/executive-meetings.ts) - `attendeeSchema` accepts `kind: z.enum(["person","subheading"])` with default `"person"`. - All 4 insert paths round-trip `kind`: POST create, PATCH meeting update (attendees replacement), PUT `/attendees`, and duplicate. - `pdf-renderer` mapper forwards `kind`. `PdfMeetingAttendee.kind` typed as `string | null` to match the DB column shape. Frontend (artifacts/tx-os/src/pages/executive-meetings.tsx) - `AttendeeFlow` renders subheadings on a separate full-width row (`basis-full`, semibold, centered) and increments the running person index only for `kind === "person"`. Pending ghost row branches on `pendingKind`. - Inline "+ subheading" chip via `onStartAdd(type, "subheading")`. - Manage dialog: addSubheading button, subheading rows hide the title field, show a kind badge, and reorder/delete identically. Manage list summary count filters to person rows only (architect fix). - Print page renders subheadings as `.em-print-subheading` and skips them in the running counter. - New locale keys under `executiveMeetings.schedule` and `executiveMeetings.manage.attendees` in both `ar.json` and `en.json`. PDF - Subheadings print as `— label —` and never advance `personIdx`. Tests - New spec `executive-meetings-attendee-subheadings.spec.mjs` seeds mixed person+subheading rows and asserts (a) the subheading row renders, (b) numbering stays `1-`, `2-`, `3-` with a subheading wedged between persons, (c) zero-subheading meetings keep legacy numbering. Runs in both AR and EN. All 4 cases pass. Code review - Architect found one regression (Manage list summary count included subheadings) — fixed. |
||
|
|
ebd553b84a |
Task #146: Filter and paginate role permission history
Summary
- Backend: GET /api/roles/:id/audit now accepts limit (default 10, max 200),
offset, actorUserId (0 = no filter), and from/to (YYYY-MM-DD UTC). The
response is now a paginated envelope `{entries, totalCount, limit, offset,
nextOffset}` instead of a bare array.
- OpenAPI: lib/api-spec/openapi.yaml updated with the new params and a new
RolePermissionAuditList schema; client hooks regenerated via
`pnpm --filter @workspace/api-spec run codegen`.
- Frontend: RolePermissionHistory in artifacts/tx-os/src/pages/admin.tsx is
now self-contained — owns its own filter state, fetches the user list for
the actor dropdown, applies actor changes immediately, and validates date
inputs (rejecting invalid / inverted ranges).
- Pagination: switched to TRUE OFFSET PAGINATION. The first page comes from
React Query (so live cache invalidations after a save still refresh it),
and subsequent "Load more" clicks fetch `offset = nextOffset` imperatively
via getRolePermissionAudit() and append the rows to local state. There is
no client-side ceiling on how far back an admin can page; we simply stop
showing the button when nextOffset is null. A filtersKey effect resets the
appended pages whenever any filter (actor / from / to) changes so we never
serve overlapping or out-of-order rows.
- i18n: added missing keys in artifacts/tx-os/src/locales/{en,ar}.json
(historyEmptyFiltered, historyShowing, historyLoadMore, historyFilters.*,
historyErrors.*).
- Tests: artifacts/api-server/tests/role-permission-audit.test.mjs updated
to read the new envelope and now also covers offset-based pagination,
actorUserId filtering (including the "0 = no filter" semantic), and
date-range filtering (in-range / past-range / inverted / garbage). All 9
audit tests pass; tx-os typecheck clean.
- E2E: ran the testing skill end-to-end against /admin → role edit dialog →
history panel: created a fresh role through the UI, made 25 permission
writes, verified 10 → 20 → 25 pagination with no duplicates and correct
hide-on-end behaviour, filter-by-actor reset to first page, empty date
range showed empty state, inverted dates surfaced the validation error.
Drift / notes
- Pre-existing executive-meetings tests in the `test` workflow are still
failing — unchanged by this task.
- The Arabic language toggle isn't exposed in the page header in this build,
so the e2e Arabic step was skipped; locale strings are in place and the
test ids do not change with locale.
- Code review (initial pass) flagged a 200-row UI ceiling in the previous
"growing limit" approach. Replaced with true offset pagination (described
above) so admins can scroll back through arbitrarily long histories.
Code review follow-ups (round 2)
- Tightened parseRoleAuditUtcDate to reject impossible calendar days
(2024-02-31, 2025-13-01, etc.) instead of silently rolling forward.
- Aligned OpenAPI: actorUserId schema is now `minimum: 0` so the spec
matches the runtime "0 = no filter" contract; client regenerated.
- Added a targeted backend test that asserts impossible dates → 400.
Code review follow-ups (round 3)
- UX: when applied filters become invalid, the History list now hides the
stale entries and shows the "fix filters first" hint instead, and the
Load more button is hidden until filters are valid again. Avoids
presenting yesterday's results as the current view.
Code review follow-ups (round 4)
- Belt-and-braces: also reset the appended history pages when the first
page's totalCount + first-row id signature changes, so an external cache
invalidation (e.g. another save while the dialog is still open) cannot
leave appended pages out of sync with the refreshed first page.
|
||
|
|
0b5e4c7912 |
Task #204: Make attendee group headers more prominent
Original ask: in the executive-meetings schedule's attendee cell, the
"Virtual / Internal / External Attendance" group labels (rendered above
each attendee group) read like stray attendee names — text-xs with em-dash
decoration. The user wanted them to stand out visually as section labels.
Changes
- artifacts/tx-os/src/pages/executive-meetings.tsx (AttendeeGroup):
* Header now renders text-sm font-bold, navy color (#0B1E3F), centered.
* Hairline underline (border-b border-[#0B1E3F]/15) with explicit
print:border-b print:border-gray-400 fallback so the underline is
preserved on print stylesheets that strip translucent borders.
* Em-dash decoration removed from the label.
* pointer-events-none + select-none so clicks/selection target the
attendee names, not the label.
* Added stable data-testid="em-attendee-group-header" for tests.
Tests
- New spec artifacts/tx-os/tests/executive-meetings-attendee-group-headers.spec.mjs:
* Seeds its OWN multi-group meeting (2 virtual + 3 internal) on a unique
far-future date per locale (offsets 1/2) — never collides with real
schedule data.
* Asserts BOTH expected localised headers appear (virtual + internal),
and that the external header is absent.
* Adds a regression guard: a single-group (all-internal) meeting on a
different unique future date renders ZERO group headers.
* Temporarily flips admin's preferred_language per-test (with try/finally
+ afterAll restore) so AuthContext does not override the locale via
i18n.changeLanguage on auth restore.
- Existing executive-meetings-edit-toggle.spec.mjs still passes (6/6).
- All 4 new tests pass.
Drift / deviations
- The original draft test lived inline in the toggle spec and skipped
because today's seed data has no multi-group meetings. Moved it to its
own spec with self-seeded data per code-review feedback so coverage is
deterministic, header assertions are tightened (require both expected
labels, reject the external one, not "any two of three"), and a
single-group regression guard is added.
|