sharang
60209428b5
Adds the M5.2 surface set per PLATFORM_ARCHITECTURE.md §5a. Every route is a navigable skeleton with a per-route empty-state pointing at the milestone that ships the real content; the Nav component filters links by session.org_roles so an IT_ADMIN sees settings + api-keys, a CXO sees billing, a USER sees only dashboard + products + support, etc. New surfaces (10): /[slug]/products M10.1 /[slug]/projects M10.1 /[slug]/catalog M11.1 /[slug]/settings M10.1 /[slug]/settings/users M10.1 /[slug]/settings/api-keys M15.1 /[slug]/settings/integrations M15.2 /[slug]/billing M8.3 /[slug]/audit M10.2 /[slug]/support M9.1 Dashboard upgraded: reads session.products, renders one tile per entitled product (real tile content lands in M10.1). Empty-state when the user has no entitlements yet — links into the catalog flow. Backstage stub at /__backstage__ — middleware already rewrites backstage.<apex>/* to this prefix; real RBAC against BREAKPILOT_ADMIN / SUPPORT_ENGINEER / SALES_REP lands in M13.2. Layout enforces tenant-slug match: a session with tenant_slug=A trying to view /B/... gets redirected to /A/dashboard. Prevents JWT-replay across tenants (defence in depth; the real guard is at the API layer, which M4.3 adds in tenant-registry). src/lib/session.ts is the single source of truth for the role matrix + canSee(surface) helper. 13 vitest cases, 100% coverage of src/lib. Refs: M5.2
17 lines
521 B
TypeScript
17 lines
521 B
TypeScript
import { auth } from "@/auth";
|
|
import { NotAuthorized, ShellEmpty } from "@/components/ShellEmpty";
|
|
import type { SessionWithExtras } from "@/lib/session";
|
|
import { canSee } from "@/lib/session";
|
|
|
|
export default async function Page() {
|
|
const session = (await auth()) as SessionWithExtras | null;
|
|
if (!canSee(session, "support")) return <NotAuthorized />;
|
|
return (
|
|
<ShellEmpty
|
|
title="Support"
|
|
description="Submit a ticket — Frappe HD customer portal embedded."
|
|
milestone="M9.1"
|
|
/>
|
|
);
|
|
}
|