Design document for Tier 1 UX enhancement implementing toast
notifications using sonner library.
- Comprehensive context on current state problems
- Phase-by-phase implementation plan
- Design patterns and best practices
- Complete verification checklist
- Risk assessment and mitigation strategies
Related: #33, #34, #35
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Railway already ran the old migration 020 which enforced NOT NULL on
owner_id. Since alembic won't re-run a corrected 020, this new migration
explicitly reverts the constraint for databases that already applied it.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Account.owner_id and User.account_id are both NOT NULL, creating a
circular dependency that prevents inserting either row first. Fix by:
1. Making owner_id nullable (set immediately after user creation)
2. Creating Account before User, then setting owner_id after flush
3. Removing NOT NULL enforcement on owner_id in migration 020
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace all team_id/team_admin references with account_id/owner across
types, store, hooks, API clients, components, and pages. Add new
AccountSettingsPage, UpgradePrompt, CheckoutButton, useSubscription
hook, and accounts API client. AuthStore now parallel-fetches account
and subscription data alongside user profile.
Also fix folder sidebar not refreshing after tree deletion by
dispatching the folder-changed event in handleDeleteTree.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace team_id with account_id across all API endpoints (trees,
categories, tags, steps, step_categories, admin, auth). Add new
accounts and webhooks endpoints. Registration now atomically creates
Account + Subscription, with account_invite_code bypassing the
platform invite gate.
Schemas updated for account_id/account_role. 82 tests passing
including 18 new tests for accounts, subscriptions, and permissions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Transition from team-based to account-based multi-tenancy (Free/Pro/Team).
Migrations 016-020 create accounts, subscriptions, plan_limits, and
account_invites tables, then migrate existing users and content FKs.
New models: Account, Subscription, PlanLimits, AccountInvite.
Updated models add account_id alongside existing team_id (coexistence
for safe two-PR deployment). Permissions and deps refactored for
account_role instead of is_team_admin.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Comprehensive implementation plan for transitioning from team-based
to SaaS subscription model with Free/Pro/Team tiers:
- Phase 1 (Days 1-3): Database migration in 6 separate migrations
- Migration 016: Create accounts, subscriptions, plan_limits, account_invites tables
- Migration 017: Add account_id and account_role to users
- Migration 018 (critical): Migrate users/teams to accounts
- Migration 019: Migrate team_id FKs to account_id on content tables
- Migration 020: Add constraints and finalize migration
- Migration 021: Drop old team columns and teams table
- Phase 2 (Days 4-7): Backend updates
- New models: Account, Subscription, PlanLimits, AccountInvites
- Refactor permissions system (account_role replaces role/is_team_admin)
- Add subscription helpers for feature gating
- Update all 25+ endpoints to use account_id
- Update test fixtures and fix 61+ tests
- Phase 3 (Days 8-10): Frontend updates
- Update types (account_id, account_role)
- New hooks: useSubscription, updated usePermissions
- Account settings page with subscription info
- Usage indicators and upgrade prompts
- Stripe Checkout button (disabled until ready)
- Phase 4 (Days 11-12): Stripe preparation
- Install Stripe SDK
- Webhook skeleton with event handlers
- Code ready to enable when Stripe account created
Key features:
- Build Stripe-ready but ship free-tier-only initially
- Feature branch workflow (feat/subscription-tiers)
- Comprehensive rollback plans for each phase
- All limits configurable via plan_limits table
- 10-12 day timeline with safety checks
- Test on production copy before migration
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixed @typescript-eslint/no-explicit-any (4 occurrences):
- FolderEditModal.tsx: proper error type checking instead of any
- StepForm.tsx: explicit union type for visibility select
- StepLibraryBrowser.tsx: explicit union types for stepType and sortBy selects
Fixed react-hooks/set-state-in-effect (1 occurrence):
- NodeEditorModal.tsx: replaced useEffect with direct state comparison
Fixed @typescript-eslint/no-unused-vars (3 occurrences):
- NodeEditorModal.tsx: removed unused useEffect import
- NodeEditorModal.tsx: added eslint-disable for intentionally destructured children
- usePermissions.ts: removed unused _tree parameter from canDeleteTree
- TreeLibraryPage.tsx: updated canDeleteTree call site
Fixed @typescript-eslint/no-empty-object-type (1 occurrence):
- types/step.ts: changed empty interface to type alias
Verification:
- npm run lint: 0 errors (9 warnings are intentional exhaustive-deps)
- npm run build: succeeds
- TypeScript compilation: passes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add mobile hamburger menu with slide-out nav drawer (AppLayout)
- Make modals responsive: full-width on mobile, slide-up animation
- Scratchpad becomes full-screen overlay on mobile with backdrop
- Folder sidebar hidden on mobile, opens as slide-over drawer
- Tree editor shows "Desktop Required" gate on mobile
- Stack action buttons vertically on mobile (sessions, detail pages)
- Increase touch targets throughout (buttons, close icons)
- Add CSS animations: fade-in, slide-in-left, scale-in, btn-press
- Add card hover lift effect and consistent border highlights
- Standardize page padding (px-4 py-6 sm:px-6 sm:py-8)
- Responsive headings (text-2xl sm:text-3xl)
- CustomStepModal goes full-screen on mobile
- Tighten auth page spacing on mobile
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The % and _ characters in user search input are now escaped before
the LIKE query, preventing unintended wildcard matching in tag search.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The /debug/cors endpoint is now conditionally registered, preventing
information leakage about CORS configuration in production.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a tree is soft-deleted, folder assignments and tag assignments are
now removed from junction tables. Tag usage counts are decremented with
a floor of zero to prevent negative counts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Passwords must now contain at least one uppercase letter, one lowercase
letter, and one digit (in addition to the existing 10-char minimum).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Viewers who cannot create steps will only see the "Browse Library"
tab in the CustomStepModal, hiding the "Type My Own" creation form.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds a reusable ConfirmDialog component and integrates tree deletion
into the TreeLibraryPage with permission-gated delete buttons and
a destructive confirmation dialog.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
TreeEditorPage now verifies canEditTree() after fetching tree data but
before loading it into the editor store. Previously only checked
canCreateTrees which doesn't prevent non-owners from editing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ProtectedRoute now accepts an optional requiredRole prop for role-based
route guards. When specified, users below the required role level are
redirected to /trees. 403 responses already pass through to components
for inline error display.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds deleted_at and deleted_by columns to trees table for proper soft
delete tracking. Supports future 30-day restore window functionality.
The delete endpoint now sets both is_active=False (backward compat) and
deleted_at/deleted_by. Migration backfills existing is_active=False rows.
Fixed ambiguous FK relationship between User/Tree models by adding
explicit foreign_keys to both sides of the author relationship.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Creates AuditLog model with JSONB details column for tracking admin
actions. Integrates log_audit() helper into admin endpoints (role
change, team admin toggle, deactivate, activate) and tree delete.
IP address column reserved for future Railway proxy header support.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Super admins now see all trees regardless of ownership, team, or
public/default status. Previously the build_tree_access_filter function
had no super_admin check, so admins could only see their own trees plus
public/default/team trees.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase B addresses 7 high-severity gaps from the permissions audit:
- B1: Enforce tree access check on session start via can_access_tree
- B2: Replace all inline permission helpers with centralized permissions.py
- B3: Fix require_engineer_or_admin to check is_team_admin before role
- B4: Add is_active field on User with enforcement in get_current_active_user
- B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate)
- B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG)
- B7: Implement refresh token rotation with JTI-based revocation and meaningful logout
Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md
with SaaS/MSP context for future planning sessions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove role field from UserCreate schema, hardcode 'engineer' at registration
- Escape all user content in HTML export with html.escape() (XSS fix)
- Add field_validator to reject default SECRET_KEY when DEBUG=False
- Add CHECK constraint on users.role ('engineer'|'viewer') + migration 011
- Fix test_admin fixture to properly grant is_super_admin via ORM
- Fix circular FK (users↔invite_codes) in test DB setup with DROP SCHEMA CASCADE
- Add 5 new security tests (role validation + XSS prevention)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Re-audited after RBAC commit (34daa26). Key findings:
- permissions.py is dead code (no endpoint imports it)
- require_engineer_or_admin blocks team admins with viewer role
- 49 endpoints bypass get_current_active_user
- 3 critical issues still open (role field, XSS, secret key)
- Updated implementation plan with new Phase B items
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Full-stack RBAC audit covering frontend UX, backend architecture,
and adversarial analysis. Implementation plan phased by severity
(Critical → High → Medium → Low).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add role-based access control with hierarchy: super_admin > team_admin >
engineer > viewer. Adds is_super_admin boolean to User model (migration 010),
centralized backend permissions module, frontend usePermissions hook, and
UI enforcement (conditional Create/Edit buttons, editor redirect for viewers,
role badge in header). All endpoint admin checks updated from role=="admin"
to is_super_admin.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Refactor scratchpad from a flex-layout sidebar that pushes content left
to a floating overlay panel (position: fixed) that doesn't affect layout.
Panel slides in from the right with Ctrl+/ toggle. Main content adjusts
padding responsively when panel is open.
Also apply thin scrollbar styling globally across all scrollable elements
for a consistent, minimal look.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix broken JWT token refresh that caused "Failed to load trees" after
idle timeout. The refresh endpoint expected token as query param but
frontend sent it as Authorization header. Added proper dependency
(get_refresh_token_payload) and refresh queue to handle concurrent 401s.
Also fix seed trees not being visible to non-admin users by updating
the seed script to set is_public/is_default on existing trees.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Session Scratchpad design doc (Idea 6 from brainstorm)
- Update CLAUDE.md production URLs to resolutionflow.com
- Update CORS lesson domain refs for rebrand
- Add .claude/settings.local.json to gitignore docs
- Add docs/plans/ to project structure
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Captures brainstorming session covering session scratchpad, time tracking,
command output capture, share progress/escalation, push steps, path analytics,
multi-tree sessions, recurring issue detection, tree health scores, and
AI tree intelligence. Includes suggested build order and dependency map.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds brand-assets/ (SVGs, brand guide) and REBRAND-IMPLEMENTATION-GUIDE.md
as reference docs. Removes .claude/settings.local.json from tracking
(contains local permissions and tokens).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Document the frontend rebrand including brand colors, fonts, logo
locations, CSS utilities, and naming conventions for future development.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The tree count and hamburger menu were overlapping at the right edge of
folder items. Now the count hides on hover and the menu button appears
in its place.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
