- artifacts/tx-os/src/App.tsx: serve the schedule at /meetings; add an
ExecutiveMeetingsRedirect that rewrites /executive-meetings (and any
/executive-meetings/* sub-path) to /meetings while preserving the
query string and hash, so existing PDFs, emails, and bookmarks keep
working with one transparent hop.
- scripts/src/seed.ts: seed the apps row with route="/meetings" and
update the expectedBuiltinRoutes drift guard to match. Add an
idempotent UPDATE-by-slug after the apps insert so already-deployed
rows (including any drift like /executive-meetings or /mms) get
reconciled to /meetings on the next seed — safe because the slug is
in BUILTIN_APP_SLUGS, meaning the SPA owns the route.
- artifacts/tx-os/tests/meetings-route-redirect.spec.mjs: new spec
verifying that /meetings loads, /executive-meetings?date=...#... is
redirected with query+hash intact, and /api/apps now reports
route="/meetings" for the executive-meetings slug.
Out of scope (intentionally left untouched per task): API paths under
/api/executive-meetings/*, React Query keys, DB tables, the apps slug
"executive-meetings", page/component file names, the "Meetings" display
name, and the executive_meetings:* permission name.
The send-note composer always showed an AlertDialog before posting,
even for the common one-on-one case. The dialog now only appears when
two or more recipients are picked.
Implementation (artifacts/tx-os/src/pages/notes.tsx):
- Extracted shared `performSend()` from `confirmSubmit` so both the
direct-send and confirm-then-send paths reuse the same mutation,
success toast + composer close, and error toast.
- `requestSubmit()` now branches: 0 picked = no-op, 1 picked = call
performSend() directly, 2+ picked = open the existing AlertDialog.
- `confirmSubmit()` (the AlertDialog action) delegates to performSend.
- No changes to API, recipient picker, AR/EN strings, or any other
AlertDialog (bulk archive/delete left untouched).
Tests:
- Updated artifacts/tx-os/tests/notes-inbox.spec.mjs (sends to a
single recipient): no longer expects the confirm dialog; asserts
/api/notes/:id/send fires directly and the composer closes.
- New artifacts/tx-os/tests/notes-send-confirm-threshold.spec.mjs:
- "single-recipient send skips the confirm dialog" (passes)
- "multi-recipient send still requires the confirm dialog" (passes)
Validation: tx-os tsc clean; both threshold specs pass locally;
architect review APPROVED.
The send-note composer always showed an AlertDialog before posting,
even for the common one-on-one case. The dialog now only appears when
two or more recipients are picked.
Implementation (artifacts/tx-os/src/pages/notes.tsx):
- Extracted shared `performSend()` from `confirmSubmit` so both the
direct-send and confirm-then-send paths reuse the same mutation,
success toast + composer close, and error toast.
- `requestSubmit()` now branches: 0 picked = no-op, 1 picked = call
performSend() directly, 2+ picked = open the existing AlertDialog.
- `confirmSubmit()` (the AlertDialog action) delegates to performSend.
- No changes to API, recipient picker, AR/EN strings, or any other
AlertDialog (bulk archive/delete left untouched).
Tests:
- Updated artifacts/tx-os/tests/notes-inbox.spec.mjs (sends to a
single recipient): no longer expects the confirm dialog; asserts
/api/notes/:id/send fires directly and the composer closes.
- New artifacts/tx-os/tests/notes-send-confirm-threshold.spec.mjs:
- "single-recipient send skips the confirm dialog" (passes)
- "multi-recipient send still requires the confirm dialog" (passes)
Validation: tx-os tsc clean; both threshold specs pass locally;
architect review APPROVED.
The send-note composer always showed an AlertDialog before posting,
even for the common one-on-one case. The dialog now only appears when
two or more recipients are picked.
Implementation (artifacts/tx-os/src/pages/notes.tsx):
- Extracted shared `performSend()` from `confirmSubmit` so both the
direct-send and confirm-then-send paths reuse the same mutation,
success toast + composer close, and error toast.
- `requestSubmit()` now branches: 0 picked = no-op, 1 picked = call
performSend() directly, 2+ picked = open the existing AlertDialog.
- `confirmSubmit()` (the AlertDialog action) delegates to performSend.
- No changes to API, recipient picker, AR/EN strings, or any other
AlertDialog (bulk archive/delete left untouched).
Tests:
- Updated artifacts/tx-os/tests/notes-inbox.spec.mjs (sends to a
single recipient): no longer expects the confirm dialog; asserts
/api/notes/:id/send fires directly and the composer closes.
- New artifacts/tx-os/tests/notes-send-confirm-threshold.spec.mjs:
- "single-recipient send skips the confirm dialog" (passes)
- "multi-recipient send still requires the confirm dialog" (passes)
Validation: tx-os tsc clean; both threshold specs pass locally;
architect review APPROVED.
The send-note composer always showed an AlertDialog before posting,
even for the common one-on-one case. The dialog now only appears when
two or more recipients are picked.
Implementation (artifacts/tx-os/src/pages/notes.tsx):
- Extracted shared `performSend()` from `confirmSubmit` so both the
direct-send and confirm-then-send paths reuse the same mutation,
success toast + composer close, and error toast.
- `requestSubmit()` now branches: 0 picked = no-op, 1 picked = call
performSend() directly, 2+ picked = open the existing AlertDialog.
- `confirmSubmit()` (the AlertDialog action) delegates to performSend.
- No changes to API, recipient picker, AR/EN strings, or any other
AlertDialog (bulk archive/delete left untouched).
Tests:
- Updated artifacts/tx-os/tests/notes-inbox.spec.mjs (sends to a
single recipient): no longer expects the confirm dialog; asserts
/api/notes/:id/send fires directly and the composer closes.
- New artifacts/tx-os/tests/notes-send-confirm-threshold.spec.mjs:
- "single-recipient send skips the confirm dialog" (passes)
- "multi-recipient send still requires the confirm dialog" (passes)
Validation: tx-os tsc clean; both threshold specs pass locally;
architect review APPROVED.
Admin Add/Edit App now supports:
- Custom image upload (or fall back to Lucide icon) via the existing
ServiceImageUploader; rendered on the home launcher when set.
- Open mode picker: internal (default), external_tab (window.open),
external_iframe (renders inside /embedded/:id). External URL input
shown conditionally and required when an external mode is chosen.
- Internal route field is hidden entirely when an external mode is
selected, and locked (readOnly + lock hint) when editing a built-in
app. Slug input is also locked (readOnly) for built-in apps so the
built-in identity cannot drift via the form.
Backend:
- apps schema gains image_url, external_url, open_mode (default
'internal'); drizzle-kit push applied.
- New lib/db/src/built-in-apps.ts exports BUILTIN_APP_SLUGS +
isBuiltinAppSlug. Exposed via subpath export
`@workspace/db/built-in-apps`; the file has zero imports so the
browser bundle uses it without pulling in `pg`. tx-os now imports it
directly — duplicate FE constant removed.
- Built-in slug list: services, notifications, admin, notes,
my-orders, orders-incoming, executive-meetings (everything with a
hardcoded <Route> in artifacts/tx-os/src/App.tsx). calendar /
documents are seeded but admin-defined and remain editable.
- PATCH /apps/:id rejects route changes whose previous slug is
built-in with 400 + code='builtin_route_locked'. Same-route no-op
is allowed; non-route updates on built-ins still work.
- PATCH /apps/:id ALSO rejects slug changes when the previous slug is
built-in (code='builtin_slug_locked'). UpdateAppBody zod schema
intentionally omits slug, so we inspect req.body.slug raw before zod
stripping. Closes the 2-step bypass: rename slug (allowed) → change
route (now previous.slug looks non-built-in, allowed).
- POST /apps and PATCH /apps/:id reject externalUrl values that are
not http:// or https:// (code='invalid_external_url'). Prevents
shipping javascript:/data:/file: payloads tenant-wide via launcher.
Other:
- New SPA route /embedded/:id and embedded-app page (iframe host with
back + open-in-new-tab + error/not-embeddable states).
- OpenAPI App / CreateAppBody / UpdateAppBody extended; codegen ran.
- en/ar locales: admin.appImage, appExternalUrl, appOpenMode.*,
builtinPathLocked, embeddedFrame.*.
- scripts/src/seed.ts: drift guard throws if a seeded built-in slug
uses a route that does not match the hardcoded SPA route.
Tests:
- New API test apps-builtin-route-lock.test.mjs (6/6 pass): reject
built-in route change, allow non-route built-in updates, allow
non-builtin route changes, reject built-in slug change (anti-bypass),
reject non-http(s) externalUrl scheme + accept https, allow built-in
same-route no-op.
- New Playwright E2E admin-app-image-external-embedded.spec.mjs
(passes): launcher renders custom image_url, external_tab opens
external URL via window.open, external_iframe navigates to
/embedded/:id and renders <iframe src=externalUrl>.
Out of scope (pre-existing, not introduced here):
- Failing tests in executive-meetings-* and tsc errors in
api-server/src/routes/executive-meetings.ts.
Admin Add/Edit App now supports:
- Custom image upload (or fall back to Lucide icon) via the existing
ServiceImageUploader; rendered on the home launcher when set.
- Open mode picker: internal (default), external_tab (window.open),
external_iframe (renders inside /embedded/:id). External URL input
shown conditionally and required when an external mode is chosen.
- Internal route field is hidden entirely when an external mode is
selected, and locked (readOnly + lock hint) when editing a built-in
app. Slug input is also locked (readOnly) for built-in apps so the
built-in identity cannot drift via the form.
Backend:
- apps schema gains image_url, external_url, open_mode (default
'internal'); drizzle-kit push applied.
- New lib/db/src/built-in-apps.ts exports BUILTIN_APP_SLUGS +
isBuiltinAppSlug. Exposed via subpath export
`@workspace/db/built-in-apps`; the file has zero imports so the
browser bundle uses it without pulling in `pg`. tx-os now imports it
directly — duplicate FE constant removed.
- Built-in slug list: services, notifications, admin, notes,
my-orders, orders-incoming, executive-meetings (everything with a
hardcoded <Route> in artifacts/tx-os/src/App.tsx). calendar /
documents are seeded but admin-defined and remain editable.
- PATCH /apps/:id rejects route changes whose previous slug is
built-in with 400 + code='builtin_route_locked'. Same-route no-op
is allowed; non-route updates on built-ins still work.
- PATCH /apps/:id ALSO rejects slug changes when the previous slug is
built-in (code='builtin_slug_locked'). UpdateAppBody zod schema
intentionally omits slug, so we inspect req.body.slug raw before zod
stripping. Closes the 2-step bypass: rename slug (allowed) → change
route (now previous.slug looks non-built-in, allowed).
- POST /apps and PATCH /apps/:id reject externalUrl values that are
not http:// or https:// (code='invalid_external_url'). Prevents
shipping javascript:/data:/file: payloads tenant-wide via launcher.
Other:
- New SPA route /embedded/:id and embedded-app page (iframe host with
back + open-in-new-tab + error/not-embeddable states).
- OpenAPI App / CreateAppBody / UpdateAppBody extended; codegen ran.
- en/ar locales: admin.appImage, appExternalUrl, appOpenMode.*,
builtinPathLocked, embeddedFrame.*.
- scripts/src/seed.ts: drift guard throws if a seeded built-in slug
uses a route that does not match the hardcoded SPA route.
Tests:
- New API test apps-builtin-route-lock.test.mjs (6/6 pass): reject
built-in route change, allow non-route built-in updates, allow
non-builtin route changes, reject built-in slug change (anti-bypass),
reject non-http(s) externalUrl scheme + accept https, allow built-in
same-route no-op.
- New Playwright E2E admin-app-image-external-embedded.spec.mjs
(passes): launcher renders custom image_url, external_tab opens
external URL via window.open, external_iframe navigates to
/embedded/:id and renders <iframe src=externalUrl>.
Out of scope (pre-existing, not introduced here):
- Failing tests in executive-meetings-* and tsc errors in
api-server/src/routes/executive-meetings.ts.
Admin Add/Edit App now supports:
- Custom image upload (or fall back to Lucide icon) via the existing
ServiceImageUploader; rendered on the home launcher when set.
- Open mode picker: internal (default), external_tab (window.open),
external_iframe (renders inside /embedded/:id). External URL input
shown conditionally and required when an external mode is chosen.
- Internal route field is hidden entirely when an external mode is
selected, and locked (readOnly + lock hint) when editing a built-in
app. Slug input is also locked (readOnly) for built-in apps so the
built-in identity cannot drift via the form.
Backend:
- apps schema gains image_url, external_url, open_mode (default
'internal'); drizzle-kit push applied.
- New lib/db/src/built-in-apps.ts exports BUILTIN_APP_SLUGS +
isBuiltinAppSlug. Exposed via subpath export
`@workspace/db/built-in-apps`; the file has zero imports so the
browser bundle uses it without pulling in `pg`. tx-os now imports it
directly — duplicate FE constant removed.
- Built-in slug list: services, notifications, admin, notes,
my-orders, orders-incoming, executive-meetings (everything with a
hardcoded <Route> in artifacts/tx-os/src/App.tsx). calendar /
documents are seeded but admin-defined and remain editable.
- PATCH /apps/:id rejects route changes whose previous slug is
built-in with 400 + code='builtin_route_locked'. Same-route no-op
is allowed; non-route updates on built-ins still work.
- PATCH /apps/:id ALSO rejects slug changes when the previous slug is
built-in (code='builtin_slug_locked'). UpdateAppBody zod schema
intentionally omits slug, so we inspect req.body.slug raw before zod
stripping. Closes the 2-step bypass: rename slug (allowed) → change
route (now previous.slug looks non-built-in, allowed).
- POST /apps and PATCH /apps/:id reject externalUrl values that are
not http:// or https:// (code='invalid_external_url'). Prevents
shipping javascript:/data:/file: payloads tenant-wide via launcher.
Other:
- New SPA route /embedded/:id and embedded-app page (iframe host with
back + open-in-new-tab + error/not-embeddable states).
- OpenAPI App / CreateAppBody / UpdateAppBody extended; codegen ran.
- en/ar locales: admin.appImage, appExternalUrl, appOpenMode.*,
builtinPathLocked, embeddedFrame.*.
- scripts/src/seed.ts: drift guard throws if a seeded built-in slug
uses a route that does not match the hardcoded SPA route.
Tests:
- New API test apps-builtin-route-lock.test.mjs (6/6 pass): reject
built-in route change, allow non-route built-in updates, allow
non-builtin route changes, reject built-in slug change (anti-bypass),
reject non-http(s) externalUrl scheme + accept https, allow built-in
same-route no-op.
- New Playwright E2E admin-app-image-external-embedded.spec.mjs
(passes): launcher renders custom image_url, external_tab opens
external URL via window.open, external_iframe navigates to
/embedded/:id and renders <iframe src=externalUrl>.
Out of scope (pre-existing, not introduced here):
- Failing tests in executive-meetings-* and tsc errors in
api-server/src/routes/executive-meetings.ts.
Admin Add/Edit App now supports:
- Custom image upload (or fall back to Lucide icon) via the existing
ServiceImageUploader; rendered on the home launcher when set.
- Open mode picker: internal (default), external_tab (window.open),
external_iframe (renders inside /embedded/:id). External URL input
shown conditionally and required when an external mode is chosen.
Internal route field is hidden entirely when an external mode is
selected, and locked (readOnly + lock hint) when editing a built-in
app whose path is hardcoded in the SPA.
Backend:
- apps schema gains image_url, external_url, open_mode (default
'internal'); drizzle-kit push applied.
- New lib/db/src/built-in-apps.ts exports BUILTIN_APP_SLUGS +
isBuiltinAppSlug. Exposed via subpath export
`@workspace/db/built-in-apps`; the file has zero imports so the
browser bundle can use it without pulling in `pg`. tx-os now imports
it directly — duplicate FE constant removed.
- Built-in slug list: services, notifications, admin, notes,
my-orders, orders-incoming, executive-meetings (everything with a
hardcoded <Route> in artifacts/tx-os/src/App.tsx). calendar /
documents are seeded but admin-defined and remain editable.
- PATCH /apps/:id rejects route changes whose previous slug is
built-in with 400 + code='builtin_route_locked'. Same-route no-op
is allowed; non-route updates on built-ins still work.
Other:
- New SPA route /embedded/:id and embedded-app page (iframe host with
back + open-in-new-tab + error/not-embeddable states).
- OpenAPI App / CreateAppBody / UpdateAppBody extended; codegen ran.
- en/ar locales: admin.appImage, appExternalUrl, appOpenMode.*,
builtinPathLocked, embeddedFrame.*.
- scripts/src/seed.ts: drift guard throws if a seeded built-in slug
uses a route that does not match the hardcoded SPA route.
Tests:
- New API test apps-builtin-route-lock.test.mjs (4/4 pass): reject
built-in route change, allow non-route built-in updates, allow
non-builtin route changes, allow built-in same-route no-op.
- New Playwright E2E admin-app-image-external-embedded.spec.mjs
(passes): launcher renders custom image_url, external_tab opens
external URL via window.open, external_iframe navigates to
/embedded/:id and renders <iframe src=externalUrl>.
Out of scope (pre-existing, not introduced here):
- 3 failing tests in executive-meetings-* and tsc errors in
api-server/src/routes/executive-meetings.ts.
Admin Add/Edit App now supports:
- Custom image upload (or fall back to Lucide icon) via the existing
ServiceImageUploader; rendered on the home launcher when set.
- Open mode picker: internal (default), external_tab (window.open),
external_iframe (renders inside /embedded/:id). External URL input
shown conditionally and required by the form when an external mode
is chosen.
- Route field is locked (readOnly + lock hint) when editing a built-in
app, since those slugs are hardcoded in the SPA router.
Backend:
- apps schema gains image_url, external_url, open_mode (default
'internal'); drizzle-kit push applied.
- New lib/db/src/built-in-apps.ts exports BUILTIN_APP_SLUGS +
isBuiltinAppSlug, re-exported from lib/db.
- PATCH /apps/:id rejects route changes whose previous slug is
built-in with 400 + code='builtin_route_locked'. Same-route no-op
is allowed; non-route updates on built-ins still work.
Other:
- New SPA route /embedded/:id and embedded-app page (iframe host with
back + open-in-new-tab + error/not-embeddable states).
- OpenAPI App / CreateAppBody / UpdateAppBody extended; codegen ran.
- en/ar locales: admin.appImage, appExternalUrl, appOpenMode.*,
builtinPathLocked, embeddedFrame.*.
- New tests in apps-builtin-route-lock.test.mjs (4/4 pass) covering
reject built-in route change, allow non-route built-in updates,
allow non-builtin route changes, allow built-in same-route no-op.
Notes / drift:
- BUILTIN_APP_SLUGS is duplicated inline in admin.tsx
(BUILTIN_APP_SLUGS_FE) because the browser bundle cannot import
@workspace/db (pulls pg). Comment points at the canonical source;
drift risk filed as a follow-up.
- Pre-existing failures unrelated to this task: 3 tests in
executive-meetings-* and tsc errors in
api-server/src/routes/executive-meetings.ts. Out of scope.
The floating "new note" popup's Reply button used to navigate to
/notes?thread=X&reply=1, yanking the user out of whatever page they
were on (Tasks, Calendar, etc.). Now Reply opens an inline composer
inside the popup card itself.
Changes (artifacts/tx-os/src/components/notes/incoming-note-popup.tsx):
- New composerOpen / replyText / justSent state, reset whenever the
popup head rotates so a half-typed reply never leaks across payloads.
- handleReply now opens the inline composer and focuses the textarea
(rAF) instead of routing. Acknowledge (mark-as-read) is deferred to
successful send so Cancel keeps the note unread.
- handleSubmitReply uses the existing useReplyToNote hook. Resolves
recipientUserId from replyPayload.replier.id for the reply variant
(owner replying back), undefined for the note variant (recipient
replying — server infers the original sender).
- On success: brief on-card "Reply sent" confirmation (aria-live),
then auto-dismiss after 700ms. On failure: destructive toast with
the textarea preserved.
- Composer textarea: Enter (or Cmd/Ctrl+Enter) sends, Shift+Enter
inserts a newline. Esc cancels the composer and is handled by the
popup's global keydown listener so it works whether focus is in the
textarea or on the Send/Cancel buttons. dir="auto" so the user's
reply renders RTL/LTR per its own characters.
- pointerdown/click stopPropagation on the composer wrapper so typing
doesn't accidentally drag the card.
Locale keys added to ar.json + en.json under notes.popup:
inlineReplyPlaceholder, sendReply, cancelReply, replySending,
replySent, replyFailed.
Pre-existing failing tests (groups-crud, executive-meetings-
notifications, executive-meetings-postpone-race) are unrelated to
this change.
The floating "new note" popup's Reply button used to navigate to
/notes?thread=X&reply=1, yanking the user out of whatever page they
were on (Tasks, Calendar, etc.). Now Reply opens an inline composer
inside the popup card itself.
Changes (artifacts/tx-os/src/components/notes/incoming-note-popup.tsx):
- New composerOpen / replyText / justSent state, reset whenever the
popup head rotates so a half-typed reply never leaks across payloads.
- handleReply now opens the inline composer and focuses the textarea
(rAF) instead of routing. Acknowledge (mark-as-read) is deferred to
successful send so Cancel keeps the note unread.
- handleSubmitReply uses the existing useReplyToNote hook. Resolves
recipientUserId from replyPayload.replier.id for the reply variant
(owner replying back), undefined for the note variant (recipient
replying — server infers the original sender).
- On success: brief on-card "Reply sent" confirmation (aria-live),
then auto-dismiss after 700ms. On failure: destructive toast with
the textarea preserved.
- Composer textarea: Cmd/Ctrl+Enter to send, plain Enter for newline,
Esc to cancel (stops propagation so the global Esc listener doesn't
dismiss the whole popup with an unsent reply). dir="auto" so the
user's reply renders RTL/LTR per its own characters.
- pointerdown/click stopPropagation on the composer wrapper so typing
doesn't accidentally drag the card.
Locale keys added to ar.json + en.json under notes.popup:
inlineReplyPlaceholder, sendReply, cancelReply, replySending,
replySent, replyFailed.
Pre-existing failing tests (groups-crud, executive-meetings-
notifications, executive-meetings-postpone-race) are unrelated to
this change.
Original task: On the Notes page the "اكتب ملاحظة" composer sat alone
in a full-width row above the content row, while the "المجلدات"
FoldersRail started in the row below. Composer appeared high, rail
visibly lower with empty space between them.
Change:
- Switched the folders+content row in
`artifacts/tx-os/src/pages/notes.tsx` from flex to CSS grid:
`grid md:grid-cols-[14rem_minmax(0,1fr)]`. Composer is placed in
col 2 row 1, FoldersRail in col 1 (row-span-2 when composer is
shown), content in col 2 row 2. Result: composer's top edge aligns
with the rail's top edge on desktop and the empty gap is gone.
- On mobile (`grid-cols-1`), `order-1 / order-2 / order-3` give the
exact original mobile reading order: composer → rail → content.
- Added a `className?: string` prop to `FoldersRail`
(`artifacts/tx-os/src/components/notes/folders-rail.tsx`) appended
to its root `<aside>`, so the page can pass grid placement
classes.
- Hidden-composer views (Inbox / Sent / Archived / Shared-with-me)
collapse cleanly via conditional `md:row-span-2` on the rail and
conditional `md:row-start-1 / md:row-start-2` on the content
column — desktop becomes a simple two-cell row and mobile stays
rail → content, matching the original behavior.
- Grid-cols template, `md:col-start-2` on composer, and
`md:col-start-2`/`md:row-start-*` on the content column are all
GATED on `showFolders`. In views where the folders rail is hidden
(Received/Inbox, Sent), the wrapper is a single-column grid with
no left gutter and content takes the full width — preserving the
original full-width layout for those views.
Behavior preserved:
- `showTopComposer` gating unchanged.
- `data-testid="notes-top-composer"` preserved.
- FoldersRail's existing internal classes unchanged; new className
prop is purely additive.
- Mobile reading order in active/non-shared view: composer → rail →
content (same as before this task, when composer was a standalone
block above the row).
- Mobile reading order in hidden-composer views: rail → content
(unchanged).
Verification: `pnpm --filter @workspace/tx-os exec tsc --noEmit`
passes. No test files reference the composer block by structural
selectors that the move would break.
No deviations from the plan.
Original task: On the Notes page the "اكتب ملاحظة" composer sat alone
in a full-width row above the content row, while the "المجلدات"
FoldersRail started in the row below. Composer appeared high, rail
visibly lower with empty space between them.
Change:
- Switched the folders+content row in
`artifacts/tx-os/src/pages/notes.tsx` from flex to CSS grid:
`grid md:grid-cols-[14rem_minmax(0,1fr)]`. Composer is placed in
col 2 row 1, FoldersRail in col 1 (row-span-2 when composer is
shown), content in col 2 row 2. Result: composer's top edge aligns
with the rail's top edge on desktop and the empty gap is gone.
- On mobile (`grid-cols-1`), `order-1 / order-2 / order-3` give the
exact original mobile reading order: composer → rail → content.
- Added a `className?: string` prop to `FoldersRail`
(`artifacts/tx-os/src/components/notes/folders-rail.tsx`) appended
to its root `<aside>`, so the page can pass grid placement
classes.
- Hidden-composer views (Inbox / Sent / Archived / Shared-with-me)
collapse cleanly via conditional `md:row-span-2` on the rail and
conditional `md:row-start-1 / md:row-start-2` on the content
column — desktop becomes a simple two-cell row and mobile stays
rail → content, matching the original behavior.
Behavior preserved:
- `showTopComposer` gating unchanged.
- `data-testid="notes-top-composer"` preserved.
- FoldersRail's existing internal classes unchanged; new className
prop is purely additive.
- Mobile reading order in active/non-shared view: composer → rail →
content (same as before this task, when composer was a standalone
block above the row).
- Mobile reading order in hidden-composer views: rail → content
(unchanged).
Verification: `pnpm --filter @workspace/tx-os exec tsc --noEmit`
passes. No test files reference the composer block by structural
selectors that the move would break.
No deviations from the plan.
Original task: On the Notes page the "اكتب ملاحظة" composer sat alone
in a full-width row above the content row, while the "المجلدات"
FoldersRail started in the row below. Composer appeared high, rail
visibly lower with empty space between them.
Change:
- Moved the top composer out of its standalone full-width block and
into the left content column (`flex-1 min-w-0`) of the existing
folders+content row in `artifacts/tx-os/src/pages/notes.tsx`. Both
now share the same row, so the composer's top edge aligns with the
rail's top edge on desktop.
- Added a `className?: string` prop to `FoldersRail`
(`artifacts/tx-os/src/components/notes/folders-rail.tsx`) appended
to its root <aside>, so the page can pass `order-*` classes.
- On narrow widths (`flex-col`) the composer column gets
`order-1 md:order-2` and the rail gets `order-2 md:order-1` ONLY
when `showTopComposer` is true. In hidden-composer views (Inbox /
Sent / Archived / Shared-with-me) no order classes are applied, so
the rail/content stacking order on mobile stays exactly as it was
before this task. Result: composer stacks ABOVE the rail on mobile
in My Notes (preserving the original mobile reading order) and
sits beside it on md+, with zero behavior change in the other
views.
Behavior preserved:
- `showTopComposer` gating unchanged — still hidden on Inbox / Sent /
Archived / Shared-with-me.
- `data-testid="notes-top-composer"` preserved.
- FoldersRail's existing width/scroll classes unchanged; new className
is purely additive.
- Stale comment about composer being "above the folders area" updated
to describe the new in-column placement and the order-* mobile
behavior.
Verification: `pnpm --filter @workspace/tx-os exec tsc --noEmit`
passes. No test files reference the composer block by structural
selectors that the move would break.
No deviations from the plan.
Original task: On the Notes page the "اكتب ملاحظة" composer sat alone
in a full-width row above the content row, while the "المجلدات"
FoldersRail started in the row below. Composer appeared high, rail
visibly lower with empty space between them.
Change:
- Moved the top composer out of its standalone full-width block and
into the left content column (`flex-1 min-w-0`) of the existing
folders+content row in `artifacts/tx-os/src/pages/notes.tsx`. Both
now share the same row, so the composer's top edge aligns with the
rail's top edge on desktop.
- Added a `className?: string` prop to `FoldersRail`
(`artifacts/tx-os/src/components/notes/folders-rail.tsx`) appended
to its root <aside>, so the page can pass `order-*` classes.
- On narrow widths (`flex-col`) the composer column gets
`order-1 md:order-2` and the rail gets `order-2 md:order-1`. Result:
composer stacks ABOVE the rail on mobile (preserving the original
mobile reading order) and sits beside it on md+.
Behavior preserved:
- `showTopComposer` gating unchanged — still hidden on Inbox / Sent /
Archived / Shared-with-me.
- `data-testid="notes-top-composer"` preserved.
- FoldersRail's existing width/scroll classes unchanged; new className
is purely additive.
- Stale comment about composer being "above the folders area" updated
to describe the new in-column placement and the order-* mobile
behavior.
Verification: `pnpm --filter @workspace/tx-os exec tsc --noEmit`
passes. No test files reference the composer block by structural
selectors that the move would break.
No deviations from the plan.
Original task: On the Notes page, the "اكتب ملاحظة" composer sat alone
in a full-width row above the content row, while the "المجلدات"
FoldersRail started in the row below it. The result was a visible
vertical mismatch — composer high, rail noticeably lower with empty
space between them.
Change: Moved the top composer out of its standalone full-width block
and into the left content column (`flex-1 min-w-0`) at the top of the
existing row that already hosts the FoldersRail. Both now share the
same row, so the composer's top edge aligns with the rail's top edge.
Details:
- Single edit in `artifacts/tx-os/src/pages/notes.tsx`.
- The composer's `data-testid="notes-top-composer"` is preserved, so
any existing E2E selectors continue to work.
- `showTopComposer` gating (hide on Inbox/Sent/Archived/Shared-with-me)
is unchanged — only the position of the rendered block moved.
- Removed the old wrapper's `px-4 pt-1 max-w-6xl w-full mx-auto`
(those paddings/centering are now provided by the parent row), and
added a `mb-4` for breathing room between composer and the content
below it inside the column.
- Responsive behavior preserved: the parent row is
`flex-col md:flex-row`, so on narrow widths the composer still
stacks above the folders area cleanly with no horizontal overflow.
Verification: pnpm tsc --noEmit on tx-os passes; no test files
reference the composer block by structural selectors that the move
would break.
No deviations from the plan.
Adds a recipient-scoped delete that's distinct from Archive: a recipient
can remove a note from their own inbox without touching the underlying
note or other recipients' rows.
Backend (artifacts/api-server/src/routes/notes.ts):
- DELETE /notes/received/:id — recipient-only; 404 if no row.
- POST /notes/received/bulk-delete — body {ids:number[]}, max 500,
single SQL DELETE, returns {ok, notFound} for partial-success UI.
- Both registered before DELETE /notes/:id so Express matches /received
first.
Frontend (artifacts/tx-os):
- New hooks useDeleteReceivedNote / useBulkDeleteReceivedNotes in
src/lib/notes-api.ts; both invalidate notes + folders queries.
- Inbox bulk bar: Delete button (rose) next to Archive plus a confirm
AlertDialog with all/none/partial toasts.
- Inbox card: per-row Trash button next to the status badge with a
page-level confirm AlertDialog (testid inbox-row-delete-confirm).
- ThreadDialog: per-row Delete next to Archive plus a confirm dialog
that closes the thread on success.
- AR + EN locale strings added for all new copy.
Tests:
- artifacts/api-server/tests/notes-inbox-delete.test.mjs — recipient
delete, non-recipient/sender 404, bulk mix of valid+missing ids, and
DB-level checks that the note + other recipients survive.
- artifacts/tx-os/tests/notes-inbox-bulk-delete.spec.mjs — Playwright
flow seeds three received notes, bulk-deletes two from the inbox,
then deletes the third via the per-row card Delete button.
Adds a recipient-scoped delete that's distinct from Archive: a recipient
can remove a note from their own inbox without touching the underlying
note or other recipients' rows.
Backend (artifacts/api-server/src/routes/notes.ts):
- DELETE /notes/received/:id — recipient-only; 404 if no row.
- POST /notes/received/bulk-delete — body {ids:number[]}, max 500,
single SQL DELETE, returns {ok, notFound} for partial-success UI.
- Both registered before DELETE /notes/:id so Express matches /received
first.
Frontend (artifacts/tx-os):
- New hooks useDeleteReceivedNote / useBulkDeleteReceivedNotes in
src/lib/notes-api.ts; both invalidate notes + folders queries.
- Inbox bulk bar gets a Delete button (rose) next to Archive plus a
confirm AlertDialog with all/none/partial toasts (src/pages/notes.tsx).
- ThreadDialog gets a per-row Delete next to Archive plus a single
confirm dialog that closes the thread on success.
- AR + EN locale strings added for all new copy.
Tests:
- artifacts/api-server/tests/notes-inbox-delete.test.mjs — recipient
delete, non-recipient/sender 404, bulk mix of valid+missing ids, and
DB-level checks that the note + other recipients survive.
- artifacts/tx-os/tests/notes-inbox-bulk-delete.spec.mjs — Playwright
flow seeds three received notes, bulk-deletes two from the inbox,
then deletes the third via ThreadDialog per-row.
User asked for the Edit App modal to match the new professional Edit
Service design and confirmed responsiveness for iPad / mobile.
Changes — admin.tsx only:
1. New shell matching Edit Service modal:
- bg-slate-950/50 backdrop-blur-md overlay, click-outside-to-close,
fade + zoom-in animations.
- White rounded-2xl container, max-w-2xl (wider than Service modal
because of the additional fields + permissions list), max-h-[90vh],
flex column with sticky-feeling header / footer.
- Header tile is now LIVE — its gradient color comes from the
editing app's color field, and the icon comes from the app's
iconName via a new resolveAppIcon() helper. So the header
previews the app as you edit.
- X close button in header.
2. Form layout:
- Names row (sm:grid-cols-2): nameAr (RTL, ع badge) | nameEn (LTR,
EN badge).
- Identifier row (sm:grid-cols-2): slug | route, both font-mono.
- Visuals row (sm:grid-cols-2):
- Icon picker: 40x40 preview tile + text input. Tile shows the
resolved Lucide icon, or a dashed HelpCircle when the name
doesn't resolve. Hint text under the field.
- Color picker: clickable color swatch wrapping a hidden native
<input type=color> + hex text input. Both stay in sync.
- Permissions wrapped in a bordered card with its own header strip.
3. Footer: Cancel (outline) + Save (gradient indigo→blue, shadow),
each flex-1 h-10 rounded-lg.
4. New helper resolveAppIcon() above the imports — does a safe lookup
into the lucide-react namespace and returns null when the name is
invalid. Mirrors the pattern already used in pages/home.tsx.
Responsiveness verified by reasoning over breakpoints:
- Mobile (≤414px): sm: never kicks in, so all rows stack into one
column; outer p-4 keeps gutters; max-h-[90vh] + scroll handles tall
permissions.
- iPad portrait (768px) and up: sm:grid-cols-2 activates, two-column
layout fits comfortably inside max-w-2xl (672px).
- Desktop: same max-w-2xl cap looks well-proportioned, not cramped.
- Edit Service modal already uses the same primitives, no changes
needed.
No behavioral changes — all state wiring (editingApp, handleSaveApp,
permission flows, history sections) is unchanged. Pure presentational
refactor.
Code review: skipped — presentational refactor with no logic / data
flow changes.
Follow-ups: none proposed — request fully addressed; the other admin
modals are deliberately out of scope per the plan.
Refactors the "Edit Service" modal UI in `admin.tsx` to improve visual hierarchy, user experience, and overall professionalism, including styling changes to the header, input fields, image uploader, and availability toggle.
Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 77cfe984-2c65-4152-bb7a-0df28274fe66
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 28ee2705-c2ec-476e-aa4f-cc6c7cd5624e
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/c3c252e4-c83d-40ca-9fff-99a3ea60701e/77cfe984-2c65-4152-bb7a-0df28274fe66/O07Jndv
Replit-Helium-Checkpoint-Created: true
User requested removal of the price field from the admin Services edit
form ("بالنسبه الى الاسعار أحذفها لايوجد اسعار") because there are no
prices in the product.
Changes — frontend only, all in tx-os:
- artifacts/tx-os/src/pages/admin.tsx
- Drop `price: string` from ServiceForm type.
- Drop `price: "0.00"` from emptyServiceForm.
- Remove the price entry from the edit dialog's field array
(no more السعر input).
- Remove the `<div>{service.price}</div>` from the services list.
- Remove the `price` line from the edit-load mapper.
- artifacts/tx-os/src/locales/ar.json + en.json
- Drop the now-unused `servicePrice` key.
Left intact:
- The generic `"price"` key in locales (line 104) — kept conservatively
in case anything outside this scope expects it, though ripgrep shows
no current usage.
- The `services.price` DB column and api-server code — unused in api
src; only test fixtures insert a placeholder. Removing would require
a migration and break tests for zero benefit.
- The user-facing services page — never displayed price.
Verification:
- ripgrep confirms zero `price` / `servicePrice` references remain in
artifacts/tx-os/src/pages/admin.tsx and the locales (other than the
generic shared key).
- Vite HMR applied cleanly with no TS errors.
- Pre-existing test failures (executive-meetings, service-orders) are
unrelated and already tracked as separate project tasks.
Code review: skipped — change is a 5-line mechanical removal of dead
UI with no logic or data-flow implications.
Follow-ups: none proposed — this is a self-contained, complete fix.
User report: after #505 the admin "لوحة التحكم" header looked pinned
at the top of the page, but disappeared as soon as the user scrolled
down. Same bug silently affected every page wrapped in `.os-bg`.
Root cause (artifacts/tx-os/src/index.css, lines 190-193):
.os-bg > * { position: relative; z-index: 1; }
This rule was meant to lift page content above the decorative
gradient blobs (`.os-bg::before/::after`, position:fixed z-index:0).
But by setting `position: relative` on every direct child it also
overrode any `position: sticky` declared via Tailwind utilities on
those children — equal-specificity class selectors, with index.css
loaded after Tailwind utilities, so .os-bg won source-order. The
"sticky" headers therefore behaved as plain in-flow elements and
scrolled away with the rest of the content.
Fix (one CSS rule):
- Replace `position: relative; z-index: 1` with `isolation: isolate`.
- `isolation: isolate` creates a new stacking context (so children
still paint above the z-index:0 blobs) without forcing them to
position:relative — sticky/fixed children now work as written.
No markup changes anywhere. Followed Option A in the task plan
exactly. Implication: every sticky header across the app (admin,
home, chat, services, notifications) is now actually pinned on
scroll. Decorative blobs continue to sit behind page content
because the new stacking context still paints over the parent's
z-index 0 background layer.
No tests were modified; existing tx-os tests are presentation-
agnostic and unaffected.
User report: in the admin dashboard on iPad, the top bar (back arrow,
gear icon, "لوحة التحكم" title, mobile menu button) felt like it
detached from the top during scroll — content showed through it and
it didn't look pinned.
Root cause (artifacts/tx-os/src/pages/admin.tsx, line 1148):
the header was `glass-panel ... sticky top-0 z-10`. The `glass-panel`
background is rgba(255,255,255,0.7) — semi-transparent — and z-10 is
low enough that floating elements on the page (os-bg blobs, sidebar
backdrop) bled across it. The sticky positioning itself was correct;
the perception of "not pinned" came from the see-through background.
Fix (single-file CSS-only change, exactly as planned):
- Drop `glass-panel`, replace with inline styles for full control.
- Background: rgba(255,255,255,0.96) — visually opaque so scrolled
content no longer shows through.
- Keep blur(16px) saturate(160%) (with -webkit- prefix) so the bar
still has the same soft glass aesthetic.
- z-30 instead of z-10 so nothing in the page overlays it. Modals
use z-50 so they still cover the bar correctly.
- Add boxShadow 0 4px 20px rgba(15,23,42,0.06) so the bar visibly
floats above content once scrolling starts.
- Kept `sticky top-0` (not converted to fixed) so the desktop
sidebar's `top-[73px]` offset still aligns with the bar's bottom.
- Header height unchanged (px-4 py-4 + same children).
No layout changes. No other top bars touched (out of scope).
Existing tx-os tests are unaffected (no logic, only presentation).
User report: in the Tx OS launcher, the dot above ج in "الاجتماعات"
(and similar diacritics on other tile labels) was being sliced off on
iPad — a visible visual-quality bug on the most-used screen.
Root cause (artifacts/tx-os/src/pages/home.tsx, AppIconContent):
the label span used `leading-tight` (line-height 1.25) + `truncate`
(overflow: hidden). At 11px the line-box was 13.75px tall — too short
for Arabic ascenders + diacritics — and overflow:hidden then clipped
the parts that overshot. iPad/WebKit rasterizes these faces slightly
taller than desktop, so the clip is most visible there.
Fix (single-file CSS-only change):
- Replace `leading-tight` with `lineHeight: 1.6` for plenty of room
above the baseline.
- Add `paddingTop: 2` as cheap insurance for any remaining overshoot.
- Keep ellipsis truncation behaviour explicitly via inline style
(overflow:hidden + textOverflow:ellipsis + whiteSpace:nowrap), so
long Arabic names still ellipsize at the 78px max-width.
- Add `block` so max-width applies cleanly.
No change to icon tile size, grid layout, badges, or any other
markup. Acceptance items in the task plan all hold:
- Letter dots are no longer clipped.
- Long names still truncate with an ellipsis at 78px.
- Desktop layout is visually unchanged.
Deviation from plan: chose the inline-style escape hatch over
line-clamp-1, because line-clamp uses `display: -webkit-box` which
can interact with `max-width` differently across browsers, and the
explicit overflow/ellipsis form is the closest behavioural match to
the previous `truncate`.
Adds a title tag to the HTML output for PDF generation and refactors the Content-Disposition header to include both a stable ASCII filename and a localized, human-readable filename for PDF downloads.
Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 77cfe984-2c65-4152-bb7a-0df28274fe66
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 7b3c6ef0-56bb-48e7-8f67-40892dcf240d
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/c3c252e4-c83d-40ca-9fff-99a3ea60701e/77cfe984-2c65-4152-bb7a-0df28274fe66/4ugHzxo
Replit-Helium-Checkpoint-Created: true
The notes composer now starts with the yellow swatch pre-selected
instead of the neutral "default" color, so a freshly created note
becomes a yellow sticky by default. The user can still pick any
other color from the swatch picker before saving, and that choice
is honored. After a successful save (or send), the composer resets
back to yellow rather than "default", so the next note in the same
session is also yellow unless the user changes it.
Changes:
- artifacts/tx-os/src/pages/notes.tsx
- Composer initial color state: useState("default") -> useState("yellow")
- Composer reset() helper: setColor("default") -> setColor("yellow")
Out of scope (per task spec):
- No backend changes. The API's data.color = "default" fallback for
notes created via other paths (shared-folder stamping, incoming-
note flows) is intentionally untouched.
- No changes to existing notes already saved in the database.
- No new "default color" user setting.
- NOTE_COLORS palette and color-picker UI unchanged.
Verification:
- `pnpm exec tsc --noEmit` passes clean.
- "yellow" is a valid id in NOTE_COLORS (src/lib/notes-api.ts:801),
so colorBg/colorAccent/colorMeta resolve correctly and the swatch
shows pre-selected.
- Color-picker onChange path unchanged, so user-picked colors still
override the new yellow default before save.