archetecture security fix
This commit is contained in:
@@ -0,0 +1,152 @@
|
||||
# Features — Current Product Scope
|
||||
|
||||
This document lists the features that are active in the current codebase.
|
||||
|
||||
Source of truth:
|
||||
|
||||
- `apps/marketplace`
|
||||
- `apps/dashboard`
|
||||
- `apps/admin`
|
||||
- `apps/api`
|
||||
- `packages/database/prisma/schema.prisma`
|
||||
|
||||
## Active Applications
|
||||
|
||||
The current workspace contains four active apps:
|
||||
|
||||
- `apps/marketplace`
|
||||
- `apps/dashboard`
|
||||
- `apps/admin`
|
||||
- `apps/api`
|
||||
|
||||
There is no separate frontend app for a white-label company public site in this repo at the moment.
|
||||
|
||||
## Active Platform Features
|
||||
|
||||
### Company signup and employee access
|
||||
|
||||
- Company signup through the dashboard sign-up flow backed by `POST /auth/company/signup`
|
||||
- Employee sign-in with local email/password auth
|
||||
- Employee password reset flow
|
||||
- Team invitation flow that creates a pending employee and sends a reset-password invite link
|
||||
- Employee roles: `OWNER`, `MANAGER`, `AGENT`
|
||||
|
||||
### Multi-tenant company operations
|
||||
|
||||
- Company-scoped vehicles, customers, reservations, offers, payments, complaints, and notifications
|
||||
- API tenant isolation through employee auth plus `companyId` scoping
|
||||
- Company profile, brand, contract settings, insurance policies, pricing rules, and accounting settings
|
||||
- Public API key generation/regeneration for company integrations
|
||||
|
||||
### Dashboard operations
|
||||
|
||||
- Dashboard home with KPI cards and booking-source analytics
|
||||
- Fleet management
|
||||
- Vehicle photo uploads
|
||||
- Vehicle publish/unpublish
|
||||
- Vehicle status management
|
||||
- Vehicle maintenance logs
|
||||
- Vehicle calendar blocks
|
||||
- Reservation list, detail, create, update, confirm, check-in, check-out, close, extend, cancel
|
||||
- Reservation pickup/dropoff inspections
|
||||
- Reservation photo uploads
|
||||
- Additional-driver approval workflow
|
||||
- Online reservation intake queue
|
||||
- Customer CRM
|
||||
- Offer management
|
||||
- Team management
|
||||
- Company billing page for rental payments
|
||||
- Contract generation/viewing
|
||||
- Reviews and complaints management
|
||||
- Notification inbox and preferences
|
||||
- Subscription management
|
||||
|
||||
### Marketplace and public platform
|
||||
|
||||
- Public marketing homepage
|
||||
- Public pricing page
|
||||
- Public features page
|
||||
- Public marketplace/explore flow
|
||||
- Explore company profile pages under `/explore/[slug]`
|
||||
- Public review submission page via review token
|
||||
- Public legal/app policy pages
|
||||
- Public platform content loaded from `/site/platform/*` API endpoints
|
||||
|
||||
### Subscription and billing
|
||||
|
||||
- SaaS trial and subscription lifecycle
|
||||
- Subscription status handling including `TRIALING`, `ACTIVE`, `PAYMENT_PENDING`, `PAST_DUE`, `SUSPENDED`, `CANCELLED`, `EXPIRED`, `PAUSED`, `UNPAID`
|
||||
- Plan pricing loaded from DB or fallback config
|
||||
- AmanPay and PayPal provider support for SaaS subscription checkout
|
||||
- Subscription invoice history
|
||||
- Platform billing accounts, billing invoices, billing events, refunds, credit notes, and tax records
|
||||
|
||||
### Rental payments
|
||||
|
||||
- AmanPay payment initialization and webhook handling
|
||||
- PayPal payment initialization and capture handling
|
||||
- Manual rental payment recording
|
||||
- Reservation refund support for successful online payments
|
||||
- Payment status tracking on reservations
|
||||
|
||||
### Notifications
|
||||
|
||||
- Email notifications
|
||||
- SMS notifications
|
||||
- WhatsApp notifications
|
||||
- In-app notifications
|
||||
- Notification templates and per-channel preferences
|
||||
- Notification history for company users
|
||||
|
||||
### Reservation-adjacent advanced operations
|
||||
|
||||
- Insurance policy configuration
|
||||
- Reservation insurance snapshots
|
||||
- Additional-driver charging rules
|
||||
- Driver license validation and approval states
|
||||
- Pricing rules and reservation-time pricing-rule snapshots
|
||||
- Damage inspections and damage points
|
||||
- Contract settings for fuel policy, tax, numbering, and additional-driver behavior
|
||||
- Reporting and export-oriented accounting defaults
|
||||
|
||||
### Admin app
|
||||
|
||||
- Admin login and password reset
|
||||
- Admin dashboard
|
||||
- Company management
|
||||
- Renter management
|
||||
- Admin-user management
|
||||
- Audit-log views
|
||||
- Billing operations
|
||||
- Pricing configuration and promotions
|
||||
- Notification review
|
||||
- Marketplace/site config management
|
||||
|
||||
## Present But Not Active Product Features
|
||||
|
||||
These exist partially in code or schema, but they are not active end-user product flows and should not be treated as shipped features.
|
||||
|
||||
- Renter self-service signup
|
||||
- Renter self-service login
|
||||
- Renter email verification flow
|
||||
- Clerk-based employee auth
|
||||
- Clerk webhooks
|
||||
- Clerk invitation acceptance
|
||||
- Admin impersonation through Clerk sessions
|
||||
- Multi-currency SaaS checkout beyond `MAD`
|
||||
- Separate white-label company-site frontend app
|
||||
|
||||
## Explicitly Out Of Scope For Current Docs
|
||||
|
||||
The following old design ideas should not be treated as active features unless code is added later:
|
||||
|
||||
- marketing blog
|
||||
- standalone about/contact page set
|
||||
- Google renter auth
|
||||
- automatic custom-domain provisioning
|
||||
- Zapier/webhook marketplace integrations beyond the current API/webhook handlers
|
||||
|
||||
## Notes
|
||||
|
||||
- The database still contains legacy fields such as `Employee.clerkUserId`, but those fields are no longer evidence of active Clerk integration.
|
||||
- Some renter-facing `/renter/*` pages exist in the marketplace app, but the auth entrypoints they depend on are not active. They are therefore not listed as active product scope here.
|
||||
Reference in New Issue
Block a user