feat(app): M5.2 — customer-area route shells + role-gated nav #7

Merged
sharang merged 2 commits from feat/m5.2-shells-v2 into main 2026-05-19 14:47:16 +00:00
Owner

What

M5.2 in full: 10 customer-area route shells + a role-gated nav + a backstage stub. (Re-opened from #6 due to a Gitea Actions trigger glitch.)

Same content — see PR #6 description.

Routes:

  • /[slug]/products · projects · catalog · settings · settings/{users,api-keys,integrations} · billing · audit · support
  • /__backstage__ stub
  • src/lib/session.ts is the single source of truth for role × surface
  • 24 vitest tests; 100% src/lib coverage

Refs: M5.2

sharang added 2 commits 2026-05-19 12:02:57 +00:00
feat(app): M5.2 — customer-area route shells + role-gated nav
ci / e2e (pull_request) Has been skipped
ci / shared (pull_request) Successful in 4s
ci / test (pull_request) Successful in 26s
ci / image (pull_request) Has been skipped
60209428b5
Adds the M5.2 surface set per PLATFORM_ARCHITECTURE.md §5a. Every route
is a navigable skeleton with a per-route empty-state pointing at the
milestone that ships the real content; the Nav component filters links
by session.org_roles so an IT_ADMIN sees settings + api-keys, a CXO
sees billing, a USER sees only dashboard + products + support, etc.

New surfaces (10):
  /[slug]/products              M10.1
  /[slug]/projects              M10.1
  /[slug]/catalog               M11.1
  /[slug]/settings              M10.1
  /[slug]/settings/users        M10.1
  /[slug]/settings/api-keys     M15.1
  /[slug]/settings/integrations M15.2
  /[slug]/billing               M8.3
  /[slug]/audit                 M10.2
  /[slug]/support               M9.1

Dashboard upgraded: reads session.products, renders one tile per
entitled product (real tile content lands in M10.1). Empty-state when
the user has no entitlements yet — links into the catalog flow.

Backstage stub at /__backstage__ — middleware already rewrites
backstage.<apex>/* to this prefix; real RBAC against BREAKPILOT_ADMIN /
SUPPORT_ENGINEER / SALES_REP lands in M13.2.

Layout enforces tenant-slug match: a session with tenant_slug=A trying
to view /B/... gets redirected to /A/dashboard. Prevents JWT-replay
across tenants (defence in depth; the real guard is at the API layer,
which M4.3 adds in tenant-registry).

src/lib/session.ts is the single source of truth for the role matrix
+ canSee(surface) helper. 13 vitest cases, 100% coverage of src/lib.

Refs: M5.2
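
The role-gated nav and the tenant-slug layout guard described in the commit message above, as an added sketch that is not the project's `src/lib/session.ts`. The `Session` shape, the `visibleNav` and `tenantRedirect` names, the surface identifiers, and the additive reading of roles are assumptions; only the role/surface pairs named in the commit message are used.

```typescript
// Added illustration; not the contents of the project's src/lib/session.ts.
type Role = "IT_ADMIN" | "CXO" | "USER";
type Surface =
  | "dashboard" | "products" | "support"
  | "settings" | "api-keys" | "billing";

interface Session {
  tenant_slug: string;
  org_roles: string[]; // plain strings on purpose: token claims are untrusted input
}

// Only the pairs named in the commit message. ASSUMPTION: roles are additive,
// so an IT_ADMIN gets the USER surfaces only when also holding USER.
const ROLE_SURFACES: Record<Role, readonly Surface[]> = {
  USER: ["dashboard", "products", "support"],
  IT_ADMIN: ["settings", "api-keys"],
  CXO: ["billing"],
};

// Fail closed: a role or surface missing from the matrix grants nothing.
// The own-property check keeps claims such as "__proto__" or "constructor"
// from resolving to something on Object.prototype.
function canSee(session: Session, surface: string): boolean {
  return session.org_roles.some(
    (role) =>
      Object.prototype.hasOwnProperty.call(ROLE_SURFACES, role) &&
      (ROLE_SURFACES[role as Role] as readonly string[]).includes(surface),
  );
}

// Nav filter: keep only the links the session's roles allow.
function visibleNav(session: Session, links: readonly Surface[]): Surface[] {
  return links.filter((s) => canSee(session, s));
}

// Layout guard: returns the redirect target when the first path segment is not
// the session's tenant, or null when the request may render. The target is
// built from the session only, never from the requested path.
function tenantRedirect(session: Session, pathname: string): string | null {
  const slug = pathname.split("/").filter(Boolean)[0] ?? "";
  if (slug === session.tenant_slug) return null;
  return `/${encodeURIComponent(session.tenant_slug)}/dashboard`;
}
```
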
chore: trigger ci
ci / test (pull_request) Successful in 27s
ci / e2e (pull_request) Has been skipped
ci / shared (pull_request) Successful in 3s
ci / image (pull_request) Has been skipped
2a12f2f7e4
CODEOWNERS rules requested review from Benjamin_Boenisch 2026-05-19 12:02:57 +00:00
sharang merged commit fe139332ee into main 2026-05-19 14:47:16 +00:00
sharang deleted branch feat/m5.2-shells-v2 2026-05-19 14:47:16 +00:00

Reference: platform/portal#7