letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
aaf4847fc2d026cbff20e161e10ea330c8ee05af
pn-new-crm/competing-plans/blessed/L0-FOUNDATION.md

2908 lines
91 KiB
Markdown
Raw Normal View History

Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
# L0 — Foundation (Competing Plan — Claude Code)
**Duration:** Days 69 (4 days)
**Parallelism:** None — sequential foundation; everything depends on this
**References:** `07-DATABASE-SCHEMA.md`, `10-AUTH-AND-PERMISSIONS.md`, `11-REALTIME-AND-BACKGROUND-JOBS.md`, `14-TECHNICAL-DECISIONS.md`, `15-DESIGN-TOKENS.md`, `SECURITY-GUIDELINES.md`
---
## 1. Baseline Critique
### What the baseline gets right
- **Step ordering is sound.** Scaffold → Docker → DB → Auth → Infra → Layout → Security is the correct dependency chain.
- **Drizzle schema grouping** (1 file per domain) is practical and matches the project scale.
- **Docker multi-stage build** with standalone output is correct for production.
- **Nginx security headers and rate limiting zones** are thorough and match `SECURITY-GUIDELINES.md`.
- **Acceptance criteria** are concrete and testable.
### What's missing or wrong
1. **Route structure is wrong.** The baseline uses `(crm)/` as the route group. The locked file organization in `PROMPT-CLAUDE-CODE.md` specifies `(dashboard)/[portSlug]/` with a dynamic port slug segment. This is a fundamental routing decision — every page URL, every link, every breadcrumb depends on it. Getting this wrong means rework across every layer.
2. **Session storage contradicts `14-TECHNICAL-DECISIONS.md`.** The baseline stores sessions in PostgreSQL. The locked tech decisions say `better-auth/plugins/redis` for session persistence. Redis sessions are faster and reduce DB load for the most frequent operation in the system (session validation on every request).
3. **BullMQ queue names don't match the spec.** The baseline invents names like `notification-processing`, `email-sync`, `email-send`. The spec in `11-REALTIME-AND-BACKGROUND-JOBS.md` defines exactly 10 queues: `email`, `documents`, `notifications`, `import`, `export`, `reports`, `webhooks`, `maintenance`, `ai`, `bulk`. Use the spec names.
4. **Role count mismatch.** The baseline seeds 4 roles (`super_admin`, `director`, `sales`, `readonly`). The spec in `10-AUTH-AND-PERMISSIONS.md` Section 2.4 defines 5 system roles: `super_admin`, `director`, `sales_manager`, `sales_agent`, `viewer`. All 5 must be seeded.
5. **Missing environment variables.** The `.env.example` omits `CSRF_SECRET`, `EMAIL_CREDENTIAL_KEY`, `DOCUMENSO_WEBHOOK_SECRET`, `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `PUBLIC_SITE_URL` — all required by `SECURITY-GUIDELINES.md`.
6. **Socket.io + Next.js integration is hand-waved.** "Create Socket.io server alongside Next.js custom server" is not a plan. Next.js standalone mode runs `node server.js` with no extension point for WebSocket servers. This needs a custom `server.ts` entry point that boots both Next.js and Socket.io, or a separate worker process. The approach must be specified.
7. **No Drizzle relations defined.** Schemas without `relations()` declarations mean no relational query builder (`db.query.*.findFirst({ with: ... })`). The auth middleware pseudocode in the baseline itself uses `with: { role: true }` — this requires relation definitions.
8. **No application-level rate limiting.** The baseline only has nginx rate limiting. `SECURITY-GUIDELINES.md` Section 6.1 requires Redis sliding window rate limiting at the application layer with `X-RateLimit-*` response headers.
9. **No `pgcrypto` extension.** Security guidelines require AES-256-GCM encryption for email credentials and pgcrypto for Google Calendar tokens. The database init must enable this extension.
10. **No env validation.** No Zod schema validating that all required environment variables are present and well-formed at startup. The app should fail fast with a clear error, not crash mid-request when `process.env.DATABASE_URL` is undefined.
11. **No custom server entry point.** BullMQ workers need a long-running process. Next.js standalone `server.js` doesn't run background workers. Need either a custom server wrapper or a separate worker process in Docker Compose.
12. **Missing `lint-staged`.** Pre-commit hook runs ESLint on the entire project. With `lint-staged` + `husky`, only staged files are linted — dramatically faster as the project grows.
13. **No health check endpoints.** Docker Compose health checks need an HTTP endpoint. The baseline's postgres and redis have health checks, but `crm-app` has none.
14. **`next.config.ts` incomplete.** Needs `serverExternalPackages` for `pino`, `bullmq`, `ioredis`, `minio`, `postgres` — these packages use native Node.js APIs that Next.js's bundler will break if it tries to bundle them.
### What I'd change structurally
- **Split the custom server concern early.** Define a `server.ts` that boots Next.js + Socket.io + BullMQ workers together in development, and use separate Docker Compose services for `crm-app` (Next.js) and `crm-worker` (BullMQ) in production.
- **Define Zod env schema as the very first file.** Every other module imports validated config from it.
- **Port slug in URLs from Day 1.** `/(dashboard)/[portSlug]/clients` not `/(crm)/clients`. This avoids a painful routing migration later.
- **Add a `lib/api/helpers.ts` pattern** for API route handlers — a composable middleware chain (`withAuth → withPort → withPermission → handler`) rather than ad-hoc checks in each route.
---
## 2. Implementation Plan
### Day 1 — Scaffold + Docker + Database Schema
#### Morning: Project Init (2 hours)
**Step 1: Create Next.js project**
```bash
pnpm create next-app@latest port-nimara-crm \
--typescript --tailwind --eslint --app \
--src-dir --import-alias "@/*" \
--use-pnpm
```
**Step 2: Environment validation**
**File:** `src/lib/env.ts`
```typescript
import { z } from 'zod';
const envSchema = z.object({
// Database
DATABASE_URL: z.string().url().startsWith('postgresql://'),
// Redis
REDIS_URL: z.string().url().startsWith('redis://'),
// Auth
BETTER_AUTH_SECRET: z.string().min(32),
BETTER_AUTH_URL: z.string().url(),
CSRF_SECRET: z.string().min(32),
// MinIO
MINIO_ENDPOINT: z.string().min(1),
MINIO_PORT: z.coerce.number().int().positive(),
MINIO_ACCESS_KEY: z.string().min(1),
MINIO_SECRET_KEY: z.string().min(1),
MINIO_BUCKET: z.string().min(1),
MINIO_USE_SSL: z.enum(['true', 'false']).transform((v) => v === 'true'),
// Documenso
DOCUMENSO_API_URL: z.string().url(),
DOCUMENSO_API_KEY: z.string().min(1),
DOCUMENSO_WEBHOOK_SECRET: z.string().min(16),
// Email
SMTP_HOST: z.string().min(1),
SMTP_PORT: z.coerce.number().int().positive(),
// Encryption
EMAIL_CREDENTIAL_KEY: z
.string()
.length(64)
.regex(/^[0-9a-f]+$/i, 'Must be 64-char hex'),
// Google OAuth
GOOGLE_CLIENT_ID: z.string().optional(),
GOOGLE_CLIENT_SECRET: z.string().optional(),
// OpenAI
OPENAI_API_KEY: z.string().optional(),
// App
APP_URL: z.string().url(),
PUBLIC_SITE_URL: z.string().url(),
NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
LOG_LEVEL: z.enum(['fatal', 'error', 'warn', 'info', 'debug', 'trace']).default('info'),
});
export type Env = z.infer<typeof envSchema>;
function validateEnv(): Env {
const result = envSchema.safeParse(process.env);
if (!result.success) {
console.error('❌ Invalid environment variables:');
for (const issue of result.error.issues) {
console.error(` ${issue.path.join('.')}: ${issue.message}`);
}
process.exit(1);
}
return result.data;
}
export const env = validateEnv();
```
**Step 3: TypeScript strict config**
**File:** `tsconfig.json`
```json
{
"compilerOptions": {
"strict": true,
"noUncheckedIndexedAccess": true,
"noImplicitReturns": true,
"noFallthroughCasesInSwitch": true,
"forceConsistentCasingInFileNames": true,
"target": "ES2022",
"lib": ["dom", "dom.iterable", "ES2022"],
"module": "esnext",
"moduleResolution": "bundler",
"jsx": "preserve",
"incremental": true,
"plugins": [{ "name": "next" }],
"paths": { "@/*": ["./src/*"] },
"skipLibCheck": true
},
"include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
"exclude": ["node_modules"]
}
```
**Step 4: ESLint + Prettier + lint-staged**
```bash
pnpm add -D prettier eslint-config-prettier lint-staged
```
**File:** `.eslintrc.json`
```json
{
"extends": ["next/core-web-vitals", "next/typescript", "prettier"],
"rules": {
"@typescript-eslint/no-explicit-any": "error",
"@typescript-eslint/no-unused-vars": ["error", { "argsIgnorePattern": "^_" }],
"import/order": [
"warn",
{
"groups": ["builtin", "external", "internal", "parent", "sibling"],
"newlines-between": "always",
"alphabetize": { "order": "asc" }
}
]
}
}
```
**File:** `.prettierrc`
```json
{
"semi": true,
"singleQuote": true,
"trailingComma": "all",
"tabWidth": 2,
"printWidth": 100
}
```
**File:** `.lintstagedrc.json`
```json
{
"*.{ts,tsx}": ["eslint --fix", "prettier --write"],
"*.{json,md,css}": ["prettier --write"]
}
```
**Step 5: Git setup**
**File:** `.gitignore`
```
node_modules/
.next/
.env
.env.local
.env.production
*.pem
*.key
drizzle/*.sql
coverage/
.turbo/
```
**File:** `.env.example` — all variables from `src/lib/env.ts` schema with placeholder values (no real secrets).
```bash
pnpm add -D husky
pnpm exec husky init
```
**File:** `.husky/pre-commit`
```bash
#!/bin/sh
pnpm exec lint-staged
# Verify no .env files staged
if git diff --cached --name-only | grep -qE '\.env($|\.)'; then
echo "❌ .env files must not be committed"
exit 1
fi
# Scan for potential secrets
if git diff --cached -U0 | grep -qiE '(password|secret|api_key|access_key)\s*[:=]\s*["\x27][A-Za-z0-9+/=]{16,}'; then
echo "⚠️ Possible hardcoded secret detected. Review staged changes."
exit 1
fi
```
**Step 6: Directory structure**
Create all directories per the locked file organization in `PROMPT-CLAUDE-CODE.md`. Key difference from baseline: `(dashboard)/[portSlug]/` not `(crm)/`.
```
src/
├── app/
│ ├── (auth)/
│ │ ├── login/
│ │ ├── set-password/
│ │ └── reset-password/
│ ├── (dashboard)/
│ │ ├── [portSlug]/
│ │ │ ├── clients/
│ │ │ ├── interests/
│ │ │ ├── berths/
│ │ │ ├── expenses/
│ │ │ ├── invoices/
│ │ │ ├── email/
│ │ │ ├── reminders/
│ │ │ ├── documents/
│ │ │ ├── reports/
│ │ │ ├── settings/
│ │ │ └── admin/
│ │ │ ├── users/
│ │ │ ├── roles/
│ │ │ ├── ports/
│ │ │ ├── settings/
│ │ │ ├── audit/
│ │ │ ├── webhooks/
│ │ │ ├── reports/
│ │ │ ├── templates/
│ │ │ ├── forms/
│ │ │ ├── tags/
│ │ │ ├── import/
│ │ │ ├── monitoring/
│ │ │ ├── backup/
│ │ │ ├── custom-fields/
│ │ │ └── onboarding/
│ │ └── layout.tsx
│ ├── api/
│ │ ├── auth/[...all]/
│ │ ├── health/
│ │ ├── v1/
│ │ │ ├── clients/
│ │ │ ├── interests/
│ │ │ ├── berths/
│ │ │ ├── expenses/
│ │ │ ├── invoices/
│ │ │ ├── files/
│ │ │ ├── email/
│ │ │ ├── reminders/
│ │ │ ├── documents/
│ │ │ ├── reports/
│ │ │ ├── notifications/
│ │ │ ├── calendar/
│ │ │ ├── admin/
│ │ │ └── search/
│ │ ├── public/
│ │ └── webhooks/
│ ├── layout.tsx
│ └── not-found.tsx
├── components/
│ ├── ui/ # shadcn/ui
│ ├── layout/ # Sidebar, Topbar, PortSwitcher, Breadcrumbs
│ ├── shared/ # Reusable composed components
│ └── [domain]/ # Per-domain (clients/, interests/, berths/, etc.)
├── lib/
│ ├── db/
│ │ ├── index.ts # Drizzle client
│ │ ├── schema/ # 1 file per domain + relations
│ │ │ ├── index.ts
│ │ │ ├── ports.ts
│ │ │ ├── users.ts
│ │ │ ├── clients.ts
│ │ │ ├── interests.ts
│ │ │ ├── berths.ts
│ │ │ ├── documents.ts
│ │ │ ├── financial.ts
│ │ │ ├── email.ts
│ │ │ ├── operations.ts
│ │ │ ├── system.ts
│ │ │ └── relations.ts # ← NEW: all relations() in one file
│ │ ├── migrations/
│ │ └── seed.ts
│ ├── auth/
│ │ ├── index.ts # Better Auth server
│ │ ├── client.ts # Better Auth React hooks
│ │ └── permissions.ts # Permission check helpers
│ ├── api/
│ │ └── helpers.ts # ← NEW: withAuth/withPort/withPermission composable chain
│ ├── services/ # Business logic (1 file per domain, added in L1+)
│ ├── validators/ # Zod schemas (1 file per domain, added in L1+)
│ ├── queue/
│ │ ├── index.ts # Queue definitions (10 queues matching spec)
│ │ ├── scheduler.ts # Recurring job registration
│ │ └── workers/ # Worker processors (stubs)
│ ├── socket/
│ │ ├── server.ts # Socket.io setup
│ │ ├── events.ts # Event type definitions
│ │ └── rooms.ts # Room join/leave logic
│ ├── minio/
│ │ └── index.ts
│ ├── email/
│ │ └── index.ts # Nodemailer transporter factory
│ ├── redis.ts
│ ├── rate-limit.ts # ← NEW: Redis sliding window rate limiter
│ ├── logger.ts
│ ├── errors.ts
│ ├── constants.ts
│ ├── audit.ts # ← NEW: dedicated audit log module
│ ├── env.ts
│ └── utils.ts
├── hooks/
│ ├── use-auth.ts
│ ├── use-port.ts
│ ├── use-socket.ts
│ └── use-permissions.ts
├── providers/
│ ├── query-provider.tsx
│ ├── socket-provider.tsx
│ └── port-provider.tsx
├── stores/
│ └── ui-store.ts
├── types/
│ ├── api.ts
│ ├── auth.ts
│ └── domain.ts
├── jobs/ # ← matches locked structure
│ └── (empty — populated in L2+)
├── emails/ # MJML templates
│ └── (empty — populated in L2+)
└── server.ts # ← NEW: custom server entry point
```
#### Morning: Docker Compose (1 hour)
**Step 7: Docker Compose**
**File:** `docker-compose.yml`
```yaml
services:
postgres:
image: postgres:16-alpine
environment:
POSTGRES_DB: port_nimara_crm
POSTGRES_USER: ${DB_USER:-crm}
POSTGRES_PASSWORD: ${DB_PASSWORD}
volumes:
- pgdata:/var/lib/postgresql/data
- ./docker/postgres/init.sql:/docker-entrypoint-initdb.d/01-init.sql
healthcheck:
test: ['CMD-SHELL', 'pg_isready -U crm -d port_nimara_crm']
interval: 10s
timeout: 5s
retries: 5
networks:
- internal
redis:
image: redis:7-alpine
command: redis-server --requirepass ${REDIS_PASSWORD} --maxmemory 256mb --maxmemory-policy allkeys-lru
volumes:
- redisdata:/data
healthcheck:
test: ['CMD', 'redis-cli', '-a', '${REDIS_PASSWORD}', 'ping']
interval: 10s
timeout: 5s
retries: 5
networks:
- internal
crm-app:
build:
context: .
dockerfile: Dockerfile
env_file: .env
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
healthcheck:
test:
['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost:3000/api/health']
interval: 15s
timeout: 5s
retries: 3
networks:
- internal
crm-worker:
build:
context: .
dockerfile: Dockerfile.worker
env_file: .env
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
networks:
- internal
nginx:
image: nginx:alpine
ports:
- '443:443'
- '80:80'
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./nginx/certs:/etc/nginx/certs:ro
depends_on:
crm-app:
condition: service_healthy
networks:
- internal
volumes:
pgdata:
redisdata:
networks:
internal:
driver: bridge
```
**File:** `docker-compose.dev.yml` (override)
```yaml
services:
postgres:
ports:
- '5432:5432'
redis:
ports:
- '6379:6379'
crm-app:
build:
dockerfile: Dockerfile.dev
ports:
- '3000:3000'
volumes:
- .:/app
- /app/node_modules
command: pnpm dev
crm-worker:
profiles: ['worker'] # Optional in dev — server.ts runs workers inline
nginx:
profiles: ['nginx'] # Skip nginx in dev
```
**File:** `docker/postgres/init.sql`
```sql
CREATE EXTENSION IF NOT EXISTS "pgcrypto";
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
```
**File:** `Dockerfile`
```dockerfile
FROM node:20-alpine AS deps
RUN corepack enable && corepack prepare pnpm@latest --activate
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile --prod=false
FROM node:20-alpine AS builder
RUN corepack enable && corepack prepare pnpm@latest --activate
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
ENV NEXT_TELEMETRY_DISABLED=1
RUN pnpm build
FROM node:20-alpine AS runner
RUN addgroup --system --gid 1001 nodejs && adduser --system --uid 1001 nextjs
WORKDIR /app
ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=builder --chown=nextjs:nodejs /app/public ./public
USER nextjs
EXPOSE 3000
CMD ["node", "server.js"]
```
**File:** `Dockerfile.worker`
```dockerfile
FROM node:20-alpine AS deps
RUN corepack enable && corepack prepare pnpm@latest --activate
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile --prod
FROM node:20-alpine AS runner
RUN addgroup --system --gid 1001 nodejs && adduser --system --uid 1001 worker
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY dist/worker.js ./worker.js
USER worker
CMD ["node", "worker.js"]
```
**File:** `next.config.ts`
```typescript
import type { NextConfig } from 'next';
const nextConfig: NextConfig = {
output: 'standalone',
serverExternalPackages: [
'pino',
'pino-pretty',
'bullmq',
'ioredis',
'minio',
'postgres',
'better-auth',
'argon2',
'nodemailer',
],
images: {
remotePatterns: [{ protocol: 'https', hostname: '*.portnimara.com' }],
},
experimental: {
typedRoutes: true,
},
};
export default nextConfig;
```
#### Afternoon: Database Layer (4 hours)
**Step 8: Install Drizzle + driver**
```bash
pnpm add drizzle-orm postgres
pnpm add -D drizzle-kit
```
**Step 9: Drizzle config**
**File:** `drizzle.config.ts`
```typescript
import { defineConfig } from 'drizzle-kit';
export default defineConfig({
schema: './src/lib/db/schema',
out: './src/lib/db/migrations',
dialect: 'postgresql',
dbCredentials: {
url: process.env.DATABASE_URL!,
},
verbose: true,
strict: true,
});
```
**Step 10: Drizzle client**
**File:** `src/lib/db/index.ts`
```typescript
import { drizzle } from 'drizzle-orm/postgres-js';
import postgres from 'postgres';
import * as schema from './schema';
const connectionString = process.env.DATABASE_URL!;
// Connection pool for queries
const queryClient = postgres(connectionString, {
max: 20,
idle_timeout: 20,
connect_timeout: 10,
});
export const db = drizzle(queryClient, { schema, logger: process.env.NODE_ENV === 'development' });
export type Database = typeof db;
```
**Step 11: Define ALL 49 table schemas**
Each schema file follows these conventions from `07-DATABASE-SCHEMA.md`:
- UUID primary keys: `uuid('id').primaryKey().defaultRandom()`
- Timestamps: `timestamp('created_at', { withTimezone: true }).notNull().defaultNow()`
- Port scoping: `uuid('port_id').notNull().references(() => ports.id, { onDelete: 'cascade' })`
- Soft deletes: `timestamp('archived_at', { withTimezone: true })`
Schema files (matching `07-DATABASE-SCHEMA.md` exactly):
**File:** `src/lib/db/schema/ports.ts`
```typescript
import { pgTable, uuid, varchar, boolean, timestamp, jsonb } from 'drizzle-orm/pg-core';
export const ports = pgTable('ports', {
id: uuid('id').primaryKey().defaultRandom(),
name: varchar('name', { length: 100 }).notNull(),
slug: varchar('slug', { length: 50 }).notNull().unique(),
defaultCurrency: varchar('default_currency', { length: 3 }).notNull().default('USD'),
timezone: varchar('timezone', { length: 50 }).notNull().default('America/Anguilla'),
settings: jsonb('settings').$type<PortSettings>().default({}),
branding: jsonb('branding').$type<PortBranding>().default({}),
isActive: boolean('is_active').notNull().default(true),
createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
});
export type PortSettings = {
followUpReminderDays?: number[];
tenureExpiryWarningMonths?: number;
eoiReminderIntervalDays?: number;
berthStatusRules?: Array<{
trigger: string;
mode: 'auto' | 'suggest' | 'off';
targetStatus: string;
}>;
};
export type PortBranding = {
logoUrl?: string;
primaryColor?: string;
secondaryColor?: string;
};
```
**File:** `src/lib/db/schema/users.ts`
```typescript
import { pgTable, uuid, varchar, boolean, timestamp, jsonb, index } from 'drizzle-orm/pg-core';
import { ports } from './ports';
export const users = pgTable('users', {
id: uuid('id').primaryKey().defaultRandom(),
email: varchar('email', { length: 255 }).notNull().unique(),
name: varchar('name', { length: 255 }).notNull(),
emailVerified: boolean('email_verified').notNull().default(false),
image: varchar('image', { length: 500 }),
isSuperAdmin: boolean('is_super_admin').notNull().default(false),
isActive: boolean('is_active').notNull().default(true),
timezone: varchar('timezone', { length: 50 }).default('America/Anguilla'),
preferences: jsonb('preferences').$type<UserPreferences>().default({}),
lastLoginAt: timestamp('last_login_at', { withTimezone: true }),
createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
});
export type UserPreferences = {
sidebarCollapsed?: boolean;
darkMode?: boolean;
defaultPortId?: string;
notificationChannels?: Record<string, { inApp: boolean; email: boolean }>;
};
export const roles = pgTable('roles', {
id: uuid('id').primaryKey().defaultRandom(),
name: varchar('name', { length: 100 }).notNull().unique(),
description: varchar('description', { length: 500 }),
permissions: jsonb('permissions').$type<RolePermissions>().notNull(),
isSystem: boolean('is_system').notNull().default(false),
createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
});
export const userPortRoles = pgTable(
'user_port_roles',
{
id: uuid('id').primaryKey().defaultRandom(),
userId: uuid('user_id')
.notNull()
.references(() => users.id, { onDelete: 'cascade' }),
portId: uuid('port_id')
.notNull()
.references(() => ports.id, { onDelete: 'cascade' }),
roleId: uuid('role_id')
.notNull()
.references(() => roles.id, { onDelete: 'restrict' }),
createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
},
(table) => [index('idx_upr_user_port').on(table.userId, table.portId)],
);
export const portRoleOverrides = pgTable('port_role_overrides', {
id: uuid('id').primaryKey().defaultRandom(),
portId: uuid('port_id')
.notNull()
.references(() => ports.id, { onDelete: 'cascade' }),
roleId: uuid('role_id')
.notNull()
.references(() => roles.id, { onDelete: 'cascade' }),
permissionOverrides: jsonb('permission_overrides').$type<Partial<RolePermissions>>().notNull(),
createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
});
export const sessions = pgTable(
'sessions',
{
id: uuid('id').primaryKey().defaultRandom(),
userId: uuid('user_id')
.notNull()
.references(() => users.id, { onDelete: 'cascade' }),
token: varchar('token', { length: 500 }).notNull().unique(),
expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
ipAddress: varchar('ip_address', { length: 45 }),
userAgent: varchar('user_agent', { length: 500 }),
createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
},
(table) => [
index('idx_sessions_token').on(table.token),
index('idx_sessions_user').on(table.userId),
],
);
export type RolePermissions = {
clients: {
view: boolean;
create: boolean;
edit: boolean;
delete: boolean;
merge: boolean;
export: boolean;
};
interests: {
view: boolean;
create: boolean;
edit: boolean;
delete: boolean;
change_stage: boolean;
generate_eoi: boolean;
export: boolean;
};
berths: { view: boolean; edit: boolean; import: boolean; manage_waiting_list: boolean };
documents: {
view: boolean;
create: boolean;
send_for_signing: boolean;
upload_signed: boolean;
delete: boolean;
};
expenses: {
view: boolean;
create: boolean;
edit: boolean;
delete: boolean;
export: boolean;
scan_receipt: boolean;
};
invoices: {
view: boolean;
create: boolean;
edit: boolean;
delete: boolean;
send: boolean;
record_payment: boolean;
export: boolean;
};
files: { view: boolean; upload: boolean; delete: boolean; manage_folders: boolean };
email: { view: boolean; send: boolean; configure_account: boolean };
reminders: {
view_own: boolean;
view_all: boolean;
create: boolean;
edit_own: boolean;
edit_all: boolean;
assign_others: boolean;
};
calendar: { connect: boolean; view_events: boolean };
reports: { view_dashboard: boolean; view_analytics: boolean; export: boolean };
document_templates: { view: boolean; generate: boolean; manage: boolean };
admin: {
manage_users: boolean;
view_audit_log: boolean;
manage_settings: boolean;
manage_webhooks: boolean;
manage_reports: boolean;
manage_custom_fields: boolean;
manage_forms: boolean;
manage_tags: boolean;
system_backup: boolean;
};
};
```
I won't reproduce the full schema for every table here (the remaining 40+ tables follow the same conventions), but the key schema files and their table lists:
**File:** `src/lib/db/schema/clients.ts``clients`, `client_contacts`, `client_relationships`, `client_notes`, `client_tags`, `client_merge_log`
**File:** `src/lib/db/schema/interests.ts``interests`, `interest_notes`, `interest_tags`
**File:** `src/lib/db/schema/berths.ts``berths`, `berth_map_data`, `berth_recommendations`, `berth_waiting_list`, `berth_maintenance_log`, `berth_tags`
**File:** `src/lib/db/schema/documents.ts``documents`, `document_signers`, `document_events`, `document_templates`, `form_templates`, `form_submissions`
**File:** `src/lib/db/schema/financial.ts``expenses`, `invoices`, `invoice_line_items`, `invoice_expenses`
**File:** `src/lib/db/schema/email.ts``email_accounts`, `email_threads`, `email_messages`
**File:** `src/lib/db/schema/operations.ts``reminders`, `google_calendar_tokens`, `google_calendar_cache`, `notifications`, `scheduled_reports`, `report_recipients`
**File:** `src/lib/db/schema/system.ts``audit_logs`, `tags`, `files`, `webhooks`, `webhook_deliveries`, `system_settings`, `saved_views`, `scratchpad_notes`, `user_notification_preferences`, `currency_rates`, `custom_field_definitions`, `custom_field_values`
**Critical:** Every port-scoped table includes `portId: uuid('port_id').notNull().references(() => ports.id, { onDelete: 'cascade' })` and an index on `port_id`. Tables with soft deletes include `archivedAt` column. All foreign keys specify `onDelete` behavior per `07-DATABASE-SCHEMA.md`.
**File:** `src/lib/db/schema/relations.ts`
```typescript
import { relations } from 'drizzle-orm';
import { ports } from './ports';
import { users, roles, userPortRoles, portRoleOverrides, sessions } from './users';
import { clients, clientContacts, clientRelationships, clientNotes, clientTags } from './clients';
// ... all other imports
export const portsRelations = relations(ports, ({ many }) => ({
userPortRoles: many(userPortRoles),
portRoleOverrides: many(portRoleOverrides),
clients: many(clients),
interests: many(interests),
berths: many(berths),
}));
export const usersRelations = relations(users, ({ many }) => ({
sessions: many(sessions),
portRoles: many(userPortRoles),
}));
export const userPortRolesRelations = relations(userPortRoles, ({ one }) => ({
user: one(users, { fields: [userPortRoles.userId], references: [users.id] }),
port: one(ports, { fields: [userPortRoles.portId], references: [ports.id] }),
role: one(roles, { fields: [userPortRoles.roleId], references: [roles.id] }),
}));
// ... relations for all other tables following the same pattern
// Every FK gets a corresponding relation() declaration
```
**File:** `src/lib/db/schema/index.ts`
```typescript
export * from './ports';
export * from './users';
export * from './clients';
export * from './interests';
export * from './berths';
export * from './documents';
export * from './financial';
export * from './email';
export * from './operations';
export * from './system';
export * from './relations';
```
**Step 12: Run initial migration**
```bash
pnpm drizzle-kit generate
pnpm drizzle-kit push
```
Verify: all 49 tables created with correct columns, constraints, indexes, and the `pgcrypto` + `uuid-ossp` extensions enabled.
**Step 13: Seed data**
**File:** `src/lib/db/seed.ts`
Seeds:
1. Default port: `{ name: 'Port Nimara', slug: 'port-nimara', defaultCurrency: 'USD', timezone: 'America/Anguilla' }`
2. Five system roles matching `10-AUTH-AND-PERMISSIONS.md` Section 2.4:
- `super_admin` — all permissions `true`
- `director` — all operational permissions `true`, `admin.manage_users: true`, `admin.view_audit_log: true`, system admin `false`
- `sales_manager` — full sales access, `reminders.view_all: true`, `reminders.assign_others: true`
- `sales_agent` — standard sales (view/create/edit clients/interests, own reminders only)
- `viewer` — all `view` permissions `true`, everything else `false`
3. Super admin user: `{ email: 'matt@portnimara.com', name: 'Matt', isSuperAdmin: true }` — password set via email flow
4. Assign Matt to Port Nimara with `super_admin` role
Run via: `pnpm tsx src/lib/db/seed.ts`
---
### Day 2 — Auth + Infrastructure
#### Morning: Authentication (3 hours)
**Step 14: Better Auth setup**
```bash
pnpm add better-auth @better-auth/redis
```
**File:** `src/lib/auth/index.ts`
```typescript
import { betterAuth } from 'better-auth';
import { drizzleAdapter } from 'better-auth/adapters/drizzle';
import { redis as redisPlugin } from '@better-auth/redis';
import { db } from '@/lib/db';
import { redis } from '@/lib/redis';
import { logger } from '@/lib/logger';
export const auth = betterAuth({
database: drizzleAdapter(db),
emailAndPassword: {
enabled: true,
minPasswordLength: 12,
requireEmailVerification: false, // Admin-created accounts, no self-signup
},
session: {
cookieCache: { enabled: true, maxAge: 5 * 60 },
expiresIn: 60 * 60 * 24, // 24 hours absolute
updateAge: 60 * 60 * 6, // Refresh in last 25%
},
plugins: [
redisPlugin({ redis }), // Session store in Redis per 14-TECHNICAL-DECISIONS.md
],
advanced: {
cookiePrefix: 'pn-crm',
defaultCookieAttributes: {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict' as const,
},
},
logger: {
error: (msg) => logger.error(msg, 'auth'),
warn: (msg) => logger.warn(msg, 'auth'),
},
});
export type Session = typeof auth.$Infer.Session;
```
**File:** `src/lib/auth/client.ts`
```typescript
import { createAuthClient } from 'better-auth/react';
export const authClient = createAuthClient({
baseURL: process.env.NEXT_PUBLIC_APP_URL,
});
export const { useSession, signIn, signOut } = authClient;
```
**File:** `src/app/api/auth/[...all]/route.ts`
```typescript
import { auth } from '@/lib/auth';
import { toNextJsHandler } from 'better-auth/next-js';
export const { GET, POST } = toNextJsHandler(auth);
```
**Step 15: Auth + port context middleware for API routes**
**File:** `src/lib/api/helpers.ts`
```typescript
import { NextRequest, NextResponse } from 'next/server';
import { and, eq } from 'drizzle-orm';
import { auth } from '@/lib/auth';
import { db } from '@/lib/db';
import { users, userPortRoles, roles, portRoleOverrides } from '@/lib/db/schema';
import { type RolePermissions } from '@/lib/db/schema/users';
import { AppError, errorResponse } from '@/lib/errors';
import { createAuditLog } from '@/lib/audit';
import { logger } from '@/lib/logger';
export interface AuthContext {
userId: string;
portId: string;
portSlug: string;
isSuperAdmin: boolean;
permissions: RolePermissions | null; // null = super admin (bypasses all)
user: {
email: string;
name: string;
};
ipAddress: string;
userAgent: string;
}
type RouteHandler<T = unknown> = (
req: NextRequest,
ctx: AuthContext,
params: Record<string, string>,
) => Promise<NextResponse<T>>;
/**
* Composable API route wrapper.
* Usage: export const GET = withAuth(withPermission('clients', 'view', handler))
*/
export function withAuth(
handler: RouteHandler,
): (
req: NextRequest,
context: { params: Promise<Record<string, string>> },
) => Promise<NextResponse> {
return async (req, routeContext) => {
try {
// 1. Validate session
const session = await auth.api.getSession({ headers: req.headers });
if (!session?.user) {
return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
}
// 2. Load user record
const user = await db.query.users.findFirst({
where: eq(users.id, session.user.id),
});
if (!user || !user.isActive) {
return NextResponse.json({ error: 'Account disabled' }, { status: 403 });
}
// 3. Determine port context from header or default
const portId = req.headers.get('X-Port-Id') || user.preferences?.defaultPortId;
if (!portId && !user.isSuperAdmin) {
return NextResponse.json({ error: 'Port context required' }, { status: 400 });
}
// 4. Load permissions (skip for super admin)
let permissions: RolePermissions | null = null;
let portSlug = '';
if (!user.isSuperAdmin && portId) {
const portRole = await db.query.userPortRoles.findFirst({
where: and(eq(userPortRoles.userId, user.id), eq(userPortRoles.portId, portId)),
with: { role: true, port: true },
});
if (!portRole) {
return NextResponse.json({ error: 'No access to this port' }, { status: 403 });
}
permissions = { ...portRole.role.permissions } as RolePermissions;
portSlug = portRole.port?.slug ?? '';
// Apply port overrides
const override = await db.query.portRoleOverrides.findFirst({
where: and(
eq(portRoleOverrides.portId, portId),
eq(portRoleOverrides.roleId, portRole.roleId),
),
});
if (override) {
permissions = deepMerge(permissions, override.permissionOverrides) as RolePermissions;
}
}
const ctx: AuthContext = {
userId: user.id,
portId: portId!,
portSlug,
isSuperAdmin: user.isSuperAdmin,
permissions,
user: { email: user.email, name: user.name },
ipAddress: req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || 'unknown',
userAgent: req.headers.get('user-agent') || 'unknown',
};
const params = await routeContext.params;
return await handler(req, ctx, params);
} catch (error) {
return errorResponse(error);
}
};
}
export function withPermission(
resource: keyof RolePermissions,
action: string,
handler: RouteHandler,
): RouteHandler {
return async (req, ctx, params) => {
if (!ctx.isSuperAdmin) {
const resourcePerms = ctx.permissions?.[resource] as Record<string, boolean> | undefined;
if (!resourcePerms || !resourcePerms[action]) {
logger.warn({ userId: ctx.userId, resource, action }, 'Permission denied');
await createAuditLog({
userId: ctx.userId,
portId: ctx.portId,
action: 'permission_denied',
entityType: resource,
entityId: '',
metadata: { attemptedAction: action },
ipAddress: ctx.ipAddress,
userAgent: ctx.userAgent,
});
return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
}
}
return handler(req, ctx, params);
};
}
function deepMerge(
target: Record<string, unknown>,
source: Record<string, unknown>,
): Record<string, unknown> {
const result = { ...target };
for (const key of Object.keys(source)) {
if (
typeof source[key] === 'object' &&
source[key] !== null &&
typeof result[key] === 'object' &&
result[key] !== null
) {
result[key] = deepMerge(
result[key] as Record<string, unknown>,
source[key] as Record<string, unknown>,
);
} else {
result[key] = source[key];
}
}
return result;
}
```
**Step 16: Next.js page-level middleware**
**File:** `src/middleware.ts`
```typescript
import { NextRequest, NextResponse } from 'next/server';
const PUBLIC_PATHS = ['/login', '/auth/', '/api/auth/', '/api/public/', '/api/health', '/scan'];
export function middleware(req: NextRequest) {
const { pathname } = req.nextUrl;
// Public paths — no auth check
if (PUBLIC_PATHS.some((p) => pathname.startsWith(p))) {
return NextResponse.next();
}
// Check for session cookie
const sessionCookie = req.cookies.get('pn-crm.session_token');
if (!sessionCookie?.value) {
// API routes → 401 JSON
if (pathname.startsWith('/api/')) {
return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
}
// Pages → redirect to login
const loginUrl = new URL('/login', req.url);
loginUrl.searchParams.set('redirect', pathname);
return NextResponse.redirect(loginUrl);
}
return NextResponse.next();
}
export const config = {
matcher: ['/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)'],
};
```
**Step 17: Login page**
**File:** `src/app/(auth)/login/page.tsx`
- Full-width centered card on dark navy (`#1e2844`) background
- PN logo + "Port Nimara" text + "Marina CRM" subtitle
- Email + password fields using shadcn `Input` + `Label` components
- React Hook Form + Zod validation:
```typescript
const loginSchema = z.object({
email: z.string().email('Invalid email'),
password: z.string().min(1, 'Password is required'),
});
```
- "Forgot password?" link → `/auth/reset-password`
- Rate limiting feedback: show lockout message after 5 failures
- On success: redirect to `/(dashboard)/[portSlug]/` (derive slug from user's port assignment)
- No "sign up" link — accounts are admin-created only
- shadcn components used: `Card`, `CardHeader`, `CardContent`, `Input`, `Label`, `Button`, `Form`
**File:** `src/app/(auth)/set-password/page.tsx`
- Token from URL search params
- New password + confirm password
- Zod schema: min 12 chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char
```typescript
const passwordSchema = z
.object({
password: z
.string()
.min(12, 'Minimum 12 characters')
.regex(/[A-Z]/, 'Must contain uppercase letter')
.regex(/[a-z]/, 'Must contain lowercase letter')
.regex(/[0-9]/, 'Must contain digit')
.regex(/[^A-Za-z0-9]/, 'Must contain special character'),
confirmPassword: z.string(),
})
.refine((data) => data.password === data.confirmPassword, {
message: 'Passwords must match',
path: ['confirmPassword'],
});
```
**File:** `src/app/(auth)/reset-password/page.tsx`
- Email input form → submit → same success message regardless of whether email exists
**File:** `src/app/(auth)/layout.tsx`
- Dark navy background, centered content, no sidebar/topbar
- Port Nimara branding
#### Afternoon: Infrastructure (3 hours)
**Step 18: Redis connection**
```bash
pnpm add ioredis
```
**File:** `src/lib/redis.ts`
```typescript
import Redis from 'ioredis';
import { logger } from '@/lib/logger';
const redisUrl = process.env.REDIS_URL!;
export const redis = new Redis(redisUrl, {
maxRetriesPerRequest: 3,
retryStrategy(times) {
const delay = Math.min(times * 200, 2000);
return delay;
},
lazyConnect: true,
});
redis.on('error', (err) => logger.error({ err }, 'Redis connection error'));
redis.on('connect', () => logger.info('Redis connected'));
```
**Step 19: Application-level rate limiter**
**File:** `src/lib/rate-limit.ts`
```typescript
import { NextResponse } from 'next/server';
import { redis } from '@/lib/redis';
interface RateLimitConfig {
windowMs: number;
max: number;
keyPrefix: string;
}
interface RateLimitResult {
allowed: boolean;
limit: number;
remaining: number;
resetAt: number;
}
export async function checkRateLimit(
identifier: string,
config: RateLimitConfig,
): Promise<RateLimitResult> {
const key = `rl:${config.keyPrefix}:${identifier}`;
const now = Date.now();
const windowStart = now - config.windowMs;
const pipeline = redis.pipeline();
pipeline.zremrangebyscore(key, '-inf', windowStart);
pipeline.zadd(key, now.toString(), `${now}:${Math.random()}`);
pipeline.zcard(key);
pipeline.pexpire(key, config.windowMs);
const results = await pipeline.exec();
const count = (results?.[2]?.[1] as number) ?? 0;
const remaining = Math.max(0, config.max - count);
return {
allowed: count <= config.max,
limit: config.max,
remaining,
resetAt: now + config.windowMs,
};
}
export function rateLimitHeaders(result: RateLimitResult): Record<string, string> {
return {
'X-RateLimit-Limit': result.limit.toString(),
'X-RateLimit-Remaining': result.remaining.toString(),
'X-RateLimit-Reset': Math.ceil(result.resetAt / 1000).toString(),
};
}
// Pre-configured limiters
export const rateLimiters = {
auth: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'auth' },
api: { windowMs: 60 * 1000, max: 120, keyPrefix: 'api' },
upload: { windowMs: 60 * 1000, max: 10, keyPrefix: 'upload' },
bulk: { windowMs: 60 * 1000, max: 5, keyPrefix: 'bulk' },
} as const;
```
**Step 20: Structured logger**
```bash
pnpm add pino pino-pretty
```
**File:** `src/lib/logger.ts`
```typescript
import pino from 'pino';
export const logger = pino({
level: process.env.LOG_LEVEL || 'info',
redact: {
paths: [
'password',
'token',
'secret',
'accessKey',
'secretKey',
'creditCard',
'*.password',
'*.token',
],
censor: '[REDACTED]',
},
transport:
process.env.NODE_ENV !== 'production'
? { target: 'pino-pretty', options: { colorize: true } }
: undefined,
serializers: {
err: pino.stdSerializers.err,
req: pino.stdSerializers.req,
},
});
```
**Step 21: Error handling**
**File:** `src/lib/errors.ts`
```typescript
import { NextResponse } from 'next/server';
import { ZodError } from 'zod';
import { logger } from '@/lib/logger';
export class AppError extends Error {
constructor(
public statusCode: number,
message: string,
public code?: string,
) {
super(message);
this.name = 'AppError';
}
}
export class NotFoundError extends AppError {
constructor(entity: string) {
super(404, `${entity} not found`, 'NOT_FOUND');
}
}
export class ForbiddenError extends AppError {
constructor(message = 'Access denied') {
super(403, message, 'FORBIDDEN');
}
}
export class ValidationError extends AppError {
constructor(
message: string,
public details?: Array<{ field: string; message: string }>,
) {
super(400, message, 'VALIDATION_ERROR');
}
}
export class ConflictError extends AppError {
constructor(message: string) {
super(409, message, 'CONFLICT');
}
}
export class RateLimitError extends AppError {
constructor(public retryAfter: number) {
super(429, 'Too many requests', 'RATE_LIMITED');
}
}
export function errorResponse(error: unknown): NextResponse {
if (error instanceof AppError) {
const body: Record<string, unknown> = { error: error.message, code: error.code };
if (error instanceof ValidationError && error.details) {
body.details = error.details;
}
if (error instanceof RateLimitError) {
body.retryAfter = error.retryAfter;
}
return NextResponse.json(body, { status: error.statusCode });
}
if (error instanceof ZodError) {
return NextResponse.json(
{
error: 'Validation failed',
code: 'VALIDATION_ERROR',
details: error.errors.map((e) => ({
field: e.path.join('.'),
message: e.message,
})),
},
{ status: 400 },
);
}
// Never leak internals
logger.error({ err: error }, 'Unhandled error');
return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
}
```
**Step 22: Audit log module**
**File:** `src/lib/audit.ts`
```typescript
import { db } from '@/lib/db';
import { auditLogs } from '@/lib/db/schema';
import { logger } from '@/lib/logger';
interface AuditLogParams {
userId: string;
portId: string;
action:
| 'create'
| 'update'
| 'delete'
| 'archive'
| 'restore'
| 'merge'
| 'login'
| 'logout'
| 'permission_denied'
| 'revert';
entityType: string;
entityId: string;
fieldChanged?: string;
oldValue?: Record<string, unknown>;
newValue?: Record<string, unknown>;
metadata?: Record<string, unknown>;
ipAddress: string;
userAgent: string;
}
export async function createAuditLog(params: AuditLogParams): Promise<void> {
try {
await db.insert(auditLogs).values({
portId: params.portId || null,
userId: params.userId || null,
action: params.action,
entityType: params.entityType,
entityId: params.entityId,
fieldChanged: params.fieldChanged,
oldValue: maskSensitiveFields(params.oldValue),
newValue: maskSensitiveFields(params.newValue),
metadata: params.metadata,
ipAddress: params.ipAddress,
userAgent: params.userAgent,
});
} catch (err) {
// Audit logging must never crash the parent operation
logger.error(
{ err, params: { ...params, oldValue: undefined, newValue: undefined } },
'Failed to write audit log',
);
}
}
/**
* Computes field-level diff between old and new records.
* Returns an array of { field, oldValue, newValue } for changed fields.
*/
export function diffFields(
oldRecord: Record<string, unknown>,
newRecord: Record<string, unknown>,
): Array<{ field: string; oldValue: unknown; newValue: unknown }> {
const changes: Array<{ field: string; oldValue: unknown; newValue: unknown }> = [];
for (const key of Object.keys(newRecord)) {
if (JSON.stringify(oldRecord[key]) !== JSON.stringify(newRecord[key])) {
changes.push({ field: key, oldValue: oldRecord[key], newValue: newRecord[key] });
}
}
return changes;
}
const SENSITIVE_FIELDS = new Set(['email', 'phone', 'password', 'credentials_enc', 'token']);
function maskSensitiveFields(data?: Record<string, unknown>): Record<string, unknown> | undefined {
if (!data) return undefined;
const masked = { ...data };
for (const key of Object.keys(masked)) {
if (SENSITIVE_FIELDS.has(key) && typeof masked[key] === 'string') {
const val = masked[key] as string;
masked[key] = val.length > 4 ? `${val.slice(0, 2)}***${val.slice(-2)}` : '***';
}
}
return masked;
}
```
**Step 23: Database utility functions**
**File:** `src/lib/db/utils.ts`
```typescript
import { sql, eq, and } from 'drizzle-orm';
import type { PgTable } from 'drizzle-orm/pg-core';
import { db, type Database } from '@/lib/db';
/**
* Transaction wrapper with automatic rollback on error.
*/
export async function withTransaction<T>(fn: (tx: Database) => Promise<T>): Promise<T> {
return db.transaction(fn);
}
/**
* Soft delete: sets archived_at timestamp.
* The table must have an `archivedAt` column and `portId` column.
*/
export async function softDelete(
table: PgTable & { archivedAt: any; id: any; portId: any },
id: string,
portId: string,
): Promise<void> {
await db
.update(table)
.set({ archivedAt: sql`now()` } as any)
.where(and(eq(table.id, id), eq(table.portId, portId)));
}
/**
* Restore: clears archived_at timestamp.
*/
export async function restore(
table: PgTable & { archivedAt: any; id: any; portId: any },
id: string,
portId: string,
): Promise<void> {
await db
.update(table)
.set({ archivedAt: null } as any)
.where(and(eq(table.id, id), eq(table.portId, portId)));
}
```
**Step 24: MinIO client**
```bash
pnpm add minio
```
**File:** `src/lib/minio/index.ts`
```typescript
import { Client } from 'minio';
import { logger } from '@/lib/logger';
export const minioClient = new Client({
endPoint: process.env.MINIO_ENDPOINT!,
port: parseInt(process.env.MINIO_PORT!, 10),
useSSL: process.env.MINIO_USE_SSL === 'true',
accessKey: process.env.MINIO_ACCESS_KEY!,
secretKey: process.env.MINIO_SECRET_KEY!,
});
const BUCKET = process.env.MINIO_BUCKET!;
export async function ensureBucket(): Promise<void> {
try {
const exists = await minioClient.bucketExists(BUCKET);
if (!exists) {
await minioClient.makeBucket(BUCKET);
logger.info({ bucket: BUCKET }, 'MinIO bucket created');
}
} catch (err) {
logger.error({ err }, 'Failed to ensure MinIO bucket');
throw err;
}
}
/**
* Generate presigned download URL (15-minute expiry per SECURITY-GUIDELINES.md)
*/
export async function getPresignedUrl(objectKey: string, expirySeconds = 900): Promise<string> {
return minioClient.presignedGetObject(BUCKET, objectKey, expirySeconds);
}
/**
* Build storage path from components (no user input in path — UUIDs only).
* Format: {portSlug}/{entity}/{entityId}/{uuid}.{ext}
*/
export function buildStoragePath(
portSlug: string,
entity: string,
entityId: string,
fileId: string,
extension: string,
): string {
return `${portSlug}/${entity}/${entityId}/${fileId}.${extension}`;
}
```
**Step 25: Health check endpoint**
**File:** `src/app/api/health/route.ts`
```typescript
import { NextResponse } from 'next/server';
import { db } from '@/lib/db';
import { redis } from '@/lib/redis';
import { minioClient } from '@/lib/minio';
import { sql } from 'drizzle-orm';
export async function GET() {
const checks: Record<string, 'ok' | 'error'> = {};
try {
await db.execute(sql`SELECT 1`);
checks.postgres = 'ok';
} catch {
checks.postgres = 'error';
}
try {
await redis.ping();
checks.redis = 'ok';
} catch {
checks.redis = 'error';
}
try {
await minioClient.bucketExists(process.env.MINIO_BUCKET!);
checks.minio = 'ok';
} catch {
checks.minio = 'error';
}
const allOk = Object.values(checks).every((v) => v === 'ok');
return NextResponse.json(
{ status: allOk ? 'healthy' : 'degraded', checks, timestamp: new Date().toISOString() },
{ status: allOk ? 200 : 503 },
);
}
```
---
### Day 3 — Socket.io + BullMQ + Layout Shell (Part 1)
#### Morning: Real-time + Background Jobs (3 hours)
**Step 26: Socket.io server**
```bash
pnpm add socket.io socket.io-client @socket.io/redis-adapter
```
**File:** `src/lib/socket/events.ts`
Type-safe event definitions matching `11-REALTIME-AND-BACKGROUND-JOBS.md` Section 2:
```typescript
// Server → Client events
export interface ServerToClientEvents {
// Berth events
'berth:statusChanged': (payload: {
berthId: string;
oldStatus: string;
newStatus: string;
triggeredBy: string;
}) => void;
'berth:updated': (payload: { berthId: string; changedFields: string[] }) => void;
'berth:waitingListChanged': (payload: {
berthId: string;
action: string;
entry: unknown;
}) => void;
'berth:maintenanceAdded': (payload: { berthId: string; logEntry: unknown }) => void;
// Client events
'client:created': (payload: { clientId: string; clientName: string; source: string }) => void;
'client:updated': (payload: { clientId: string; changedFields: string[] }) => void;
'client:archived': (payload: { clientId: string }) => void;
'client:restored': (payload: { clientId: string }) => void;
'client:merged': (payload: { survivingId: string; mergedId: string }) => void;
'client:noteAdded': (payload: {
clientId: string;
noteId: string;
authorName: string;
preview: string;
}) => void;
'client:duplicateDetected': (payload: {
clientAId: string;
clientBId: string;
score: number;
reason: string;
}) => void;
// Interest events
'interest:created': (payload: {
interestId: string;
clientId: string;
berthId: string | null;
source: string;
}) => void;
'interest:updated': (payload: { interestId: string; changedFields: string[] }) => void;
'interest:stageChanged': (payload: {
interestId: string;
oldStage: string;
newStage: string;
clientName: string;
berthNumber: string;
}) => void;
'interest:berthLinked': (payload: { interestId: string; berthId: string }) => void;
'interest:berthUnlinked': (payload: { interestId: string; berthId: string }) => void;
'interest:archived': (payload: { interestId: string }) => void;
'interest:noteAdded': (payload: {
interestId: string;
noteId: string;
authorName: string;
preview: string;
}) => void;
'interest:recommendationsGenerated': (payload: {
interestId: string;
count: number;
topBerthId: string;
}) => void;
'interest:recommendationAdded': (payload: {
interestId: string;
berthId: string;
source: string;
matchScore: number;
}) => void;
'interest:leadCategoryChanged': (payload: {
interestId: string;
oldCategory: string;
newCategory: string;
auto: boolean;
}) => void;
// Document events
'document:created': (payload: { documentId: string; type: string; interestId: string }) => void;
'document:sent': (payload: { documentId: string; type: string; signerCount: number }) => void;
'document:signed': (payload: {
documentId: string;
signerName: string;
signerRole: string;
remainingSigners: number;
}) => void;
'document:completed': (payload: {
documentId: string;
type: string;
interestId: string;
clientName: string;
}) => void;
'document:expired': (payload: { documentId: string }) => void;
'document:reminderSent': (payload: { documentId: string; recipientEmail: string }) => void;
// Financial events
'expense:created': (payload: {
expenseId: string;
amount: number;
currency: string;
category: string;
}) => void;
'expense:updated': (payload: { expenseId: string; changedFields: string[] }) => void;
'invoice:created': (payload: {
invoiceId: string;
invoiceNumber: string;
total: number;
clientName: string;
}) => void;
'invoice:sent': (payload: {
invoiceId: string;
invoiceNumber: string;
recipientEmail: string;
}) => void;
'invoice:paid': (payload: { invoiceId: string; invoiceNumber: string; amount: number }) => void;
'invoice:overdue': (payload: {
invoiceId: string;
invoiceNumber: string;
daysPastDue: number;
}) => void;
// Reminder & Calendar events
'reminder:created': (payload: {
reminderId: string;
title: string;
assignedTo: string;
dueAt: string;
}) => void;
'reminder:updated': (payload: { reminderId: string; changedFields: string[] }) => void;
'reminder:completed': (payload: {
reminderId: string;
title: string;
completedBy: string;
}) => void;
'reminder:overdue': (payload: { reminderId: string; title: string; dueAt: string }) => void;
'reminder:snoozed': (payload: { reminderId: string; snoozedUntil: string }) => void;
'calendar:synced': (payload: { eventCount: number; lastSyncAt: string }) => void;
'calendar:disconnected': (payload: { reason: string }) => void;
// Notification events
'notification:new': (payload: {
notificationId: string;
type: string;
title: string;
description: string;
link: string;
}) => void;
'notification:unreadCount': (payload: { count: number }) => void;
// System events
'system:alert': (payload: { alertType: string; message: string; severity: string }) => void;
'system:jobFailed': (payload: { queueName: string; jobId: string; error: string }) => void;
'registration:new': (payload: {
clientId: string;
interestId: string;
clientName: string;
berthNumber: string;
}) => void;
// File events
'file:uploaded': (payload: {
fileId: string;
filename: string;
clientId: string;
category: string;
}) => void;
'file:deleted': (payload: { fileId: string; filename: string }) => void;
}
// Client → Server events (minimal — most actions go through REST API)
export interface ClientToServerEvents {
'join:entity': (payload: { type: 'berth' | 'client' | 'interest'; id: string }) => void;
'leave:entity': (payload: { type: 'berth' | 'client' | 'interest'; id: string }) => void;
}
```
**File:** `src/lib/socket/server.ts`
```typescript
import { Server } from 'socket.io';
import { createAdapter } from '@socket.io/redis-adapter';
import type { Server as HTTPServer } from 'node:http';
import { redis } from '@/lib/redis';
import { auth } from '@/lib/auth';
import { logger } from '@/lib/logger';
import type { ServerToClientEvents, ClientToServerEvents } from './events';
let io: Server<ClientToServerEvents, ServerToClientEvents> | null = null;
export function initSocketServer(
httpServer: HTTPServer,
): Server<ClientToServerEvents, ServerToClientEvents> {
const pubClient = redis.duplicate();
const subClient = redis.duplicate();
io = new Server<ClientToServerEvents, ServerToClientEvents>(httpServer, {
path: '/socket.io/',
adapter: createAdapter(pubClient, subClient),
cors: {
origin: process.env.APP_URL,
credentials: true,
},
connectionStateRecovery: { maxDisconnectionDuration: 2 * 60 * 1000 },
maxHttpBufferSize: 1e6, // 1MB message limit per SECURITY-GUIDELINES.md
});
// Auth middleware — validate session cookie
io.use(async (socket, next) => {
try {
const cookie = socket.handshake.headers.cookie;
if (!cookie) return next(new Error('Authentication required'));
// Parse session from cookie
const session = await auth.api.getSession({
headers: new Headers({ cookie }),
});
if (!session?.user) return next(new Error('Invalid session'));
// Enforce max 10 connections per user
const userSockets = await io!.in(`user:${session.user.id}`).fetchSockets();
if (userSockets.length >= 10) {
return next(new Error('Maximum connections reached'));
}
socket.data = {
userId: session.user.id,
portId: socket.handshake.auth.portId,
};
next();
} catch {
next(new Error('Authentication failed'));
}
});
// Connection handler
io.on('connection', (socket) => {
const { userId, portId } = socket.data;
logger.debug({ userId, portId }, 'Socket connected');
// Auto-join rooms
socket.join(`user:${userId}`);
if (portId) socket.join(`port:${portId}`);
// Entity-level room management
socket.on('join:entity', ({ type, id }) => {
socket.join(`${type}:${id}`);
});
socket.on('leave:entity', ({ type, id }) => {
socket.leave(`${type}:${id}`);
});
// Idle timeout (30 seconds per SECURITY-GUIDELINES.md)
let idleTimer = setTimeout(() => socket.disconnect(), 30_000);
socket.onAny(() => {
clearTimeout(idleTimer);
idleTimer = setTimeout(() => socket.disconnect(), 30_000);
});
socket.on('disconnect', () => {
clearTimeout(idleTimer);
logger.debug({ userId }, 'Socket disconnected');
});
});
return io;
}
export function getIO(): Server<ClientToServerEvents, ServerToClientEvents> {
if (!io) throw new Error('Socket.io not initialized');
return io;
}
/**
* Emit an event to a specific room. Used by service layer after mutations.
*/
export function emitToRoom<E extends keyof ServerToClientEvents>(
room: string,
event: E,
...args: Parameters<ServerToClientEvents[E]>
): void {
if (!io) return;
io.to(room).emit(event, ...args);
}
```
**File:** `src/providers/socket-provider.tsx`
```typescript
'use client';
import { createContext, useContext, useEffect, useState, type ReactNode } from 'react';
import { io, type Socket } from 'socket.io-client';
import { useSession } from '@/lib/auth/client';
import { usePortStore } from '@/stores/ui-store';
const SocketContext = createContext<Socket | null>(null);
export function SocketProvider({ children }: { children: ReactNode }) {
const { data: session } = useSession();
const currentPortId = usePortStore((s) => s.currentPortId);
const [socket, setSocket] = useState<Socket | null>(null);
useEffect(() => {
if (!session?.user || !currentPortId) return;
const s = io(process.env.NEXT_PUBLIC_APP_URL!, {
path: '/socket.io/',
withCredentials: true,
auth: { portId: currentPortId },
transports: ['websocket', 'polling'],
});
s.on('connect', () => setSocket(s));
s.on('disconnect', () => setSocket(null));
return () => {
s.disconnect();
setSocket(null);
};
}, [session?.user, currentPortId]);
return (
<SocketContext.Provider value={socket}>
{children}
</SocketContext.Provider>
);
}
export function useSocket() {
return useContext(SocketContext);
}
```
**Step 27: BullMQ setup**
```bash
pnpm add bullmq
```
**File:** `src/lib/queue/index.ts`
```typescript
import { Queue } from 'bullmq';
import { redis } from '@/lib/redis';
// 10 queues matching 11-REALTIME-AND-BACKGROUND-JOBS.md Section 3.1
const QUEUE_CONFIGS = {
email: { concurrency: 5, maxAttempts: 5 },
documents: { concurrency: 3, maxAttempts: 5 },
notifications: { concurrency: 10, maxAttempts: 3 },
import: { concurrency: 1, maxAttempts: 1 },
export: { concurrency: 2, maxAttempts: 3 },
reports: { concurrency: 1, maxAttempts: 3 },
webhooks: { concurrency: 5, maxAttempts: 3 },
maintenance: { concurrency: 1, maxAttempts: 3 },
ai: { concurrency: 2, maxAttempts: 3 },
bulk: { concurrency: 2, maxAttempts: 3 },
} as const;
export type QueueName = keyof typeof QUEUE_CONFIGS;
const queues = new Map<QueueName, Queue>();
export function getQueue(name: QueueName): Queue {
let queue = queues.get(name);
if (!queue) {
queue = new Queue(name, {
connection: redis,
defaultJobOptions: {
attempts: QUEUE_CONFIGS[name].maxAttempts,
backoff: { type: 'exponential', delay: 1000 },
removeOnComplete: { age: 24 * 3600 },
removeOnFail: { age: 7 * 24 * 3600 },
},
});
queues.set(name, queue);
}
return queue;
}
export { QUEUE_CONFIGS };
```
**File:** `src/lib/queue/scheduler.ts`
```typescript
import { getQueue } from './index';
import { logger } from '@/lib/logger';
/**
* Register all recurring jobs from 11-REALTIME-AND-BACKGROUND-JOBS.md Section 3.2
* Called once on server startup.
*/
export async function registerRecurringJobs(): Promise<void> {
const recurring = [
{ queue: 'documents', name: 'signature-poll', pattern: '0 */6 * * *' },
{ queue: 'notifications', name: 'reminder-check', pattern: '0 * * * *' },
{ queue: 'notifications', name: 'reminder-overdue-check', pattern: '*/15 * * * *' },
{ queue: 'maintenance', name: 'calendar-sync', pattern: '*/30 * * * *' },
{ queue: 'notifications', name: 'invoice-overdue-check', pattern: '0 8 * * *' },
{ queue: 'notifications', name: 'tenure-expiry-check', pattern: '0 8 * * *' },
{ queue: 'maintenance', name: 'currency-refresh', pattern: '0 */6 * * *' },
{ queue: 'maintenance', name: 'database-backup', pattern: '0 2 * * *' },
{ queue: 'maintenance', name: 'backup-cleanup', pattern: '0 3 * * 0' },
{ queue: 'maintenance', name: 'session-cleanup', pattern: '0 4 * * *' },
{ queue: 'reports', name: 'report-scheduler', pattern: '* * * * *' },
{ queue: 'maintenance', name: 'temp-file-cleanup', pattern: '0 5 * * *' },
{ queue: 'maintenance', name: 'form-expiry-check', pattern: '0 * * * *' },
] as const;
for (const job of recurring) {
const queue = getQueue(job.queue as any);
await queue.upsertJobScheduler(
job.name,
{ pattern: job.pattern },
{ data: {}, name: job.name },
);
logger.info(
{ queue: job.queue, job: job.name, pattern: job.pattern },
'Registered recurring job',
);
}
}
```
**File:** `src/lib/queue/workers/` — one stub file per queue (e.g., `email.ts`, `documents.ts`, etc.):
```typescript
// src/lib/queue/workers/email.ts
import { Worker, type Job } from 'bullmq';
import { redis } from '@/lib/redis';
import { logger } from '@/lib/logger';
export const emailWorker = new Worker(
'email',
async (job: Job) => {
logger.info({ jobId: job.id, jobName: job.name }, 'Processing email job');
// TODO: implement in Layer 2
},
{
connection: redis,
concurrency: 5,
},
);
emailWorker.on('failed', (job, err) => {
logger.error({ jobId: job?.id, err }, 'Email job failed');
});
```
#### Afternoon: Layout Shell Start (3 hours) — continues into Day 4
**Step 28: Install shadcn/ui + core components**
```bash
pnpm dlx shadcn@latest init
```
Configure: New York style, Tailwind CSS, navy theme.
Install all core components from `14-TECHNICAL-DECISIONS.md` Section 2.2:
```bash
pnpm dlx shadcn@latest add button input label select textarea checkbox radio-group switch dialog sheet dropdown-menu command tabs table card badge avatar tooltip popover calendar form skeleton separator scroll-area alert-dialog accordion breadcrumb navigation-menu pagination progress slider sonner
```
**Step 29: Tailwind config with design tokens**
**File:** `tailwind.config.ts`
Apply ALL tokens from `15-DESIGN-TOKENS.md`:
- Brand colors with full tint ladders (`navy`, `brand`, `sage`, `mint`, `teal`, `purple`)
- Semantic color variables via CSS custom properties
- Shadows using `rgba(30, 40, 68, ...)` values
- Typography: Inter (font-sans), Georgia (font-serif), JetBrains Mono (font-mono)
- Border radius variable
**File:** `src/app/globals.css`
All CSS custom properties from `15-DESIGN-TOKENS.md` Section 5 — light mode defaults and dark mode overrides via `[data-theme="dark"]` or `.dark` class. Full HSL values for shadcn/ui compatibility.
---
### Day 4 — Layout Shell (Part 2) + Security + Verification
#### Morning: Layout Components (3 hours)
**Step 30: Root layout + providers**
**File:** `src/app/layout.tsx`
```typescript
import type { Metadata } from 'next';
import { Inter, JetBrains_Mono } from 'next/font/google';
import { Toaster } from '@/components/ui/sonner';
import './globals.css';
const inter = Inter({ subsets: ['latin'], variable: '--font-sans' });
const jetbrainsMono = JetBrains_Mono({ subsets: ['latin'], variable: '--font-mono' });
export const metadata: Metadata = {
title: 'Port Nimara CRM',
description: 'Marina management system',
};
export default function RootLayout({ children }: { children: React.ReactNode }) {
return (
<html lang="en" suppressHydrationWarning>
<body className={`${inter.variable} ${jetbrainsMono.variable} font-sans antialiased`}>
{children}
<Toaster richColors position="top-right" />
</body>
</html>
);
}
```
**File:** `src/app/(dashboard)/layout.tsx`
```typescript
import { redirect } from 'next/navigation';
import { headers } from 'next/headers';
import { auth } from '@/lib/auth';
import { db } from '@/lib/db';
import { QueryProvider } from '@/providers/query-provider';
import { SocketProvider } from '@/providers/socket-provider';
import { PortProvider } from '@/providers/port-provider';
import { Sidebar } from '@/components/layout/sidebar';
import { Topbar } from '@/components/layout/topbar';
export default async function DashboardLayout({ children }: { children: React.ReactNode }) {
const session = await auth.api.getSession({ headers: await headers() });
if (!session?.user) redirect('/login');
// Load user's port assignments for PortProvider
const portRoles = await db.query.userPortRoles.findMany({
where: eq(userPortRoles.userId, session.user.id),
with: { port: true, role: true },
});
return (
<QueryProvider>
<PortProvider ports={portRoles.map(pr => pr.port)} defaultPortId={portRoles[0]?.port.id}>
<SocketProvider>
<div className="flex h-screen overflow-hidden">
<Sidebar ports={portRoles} />
<div className="flex-1 flex flex-col overflow-hidden">
<Topbar />
<main className="flex-1 overflow-y-auto bg-background p-6">
{children}
</main>
</div>
</div>
</SocketProvider>
</PortProvider>
</QueryProvider>
);
}
```
**File:** `src/components/layout/sidebar.tsx`
- Dark navy background (`bg-[#1e2844]`)
- Logo area: "PN" mark + "Port Nimara" + "Marina CRM"
- Navigation sections per `13-UI-PAGE-MAP.md`:
- **Main:** Dashboard, Clients, Interests, Berths
- **Financial:** Expenses, Invoices
- **Operations:** Files, Email, Reminders
- **Admin** (expandable, permission-gated): Users, Roles, Ports, Audit, Settings, etc.
- Active state: `border-l-2 border-brand bg-sidebar-active text-white`
- Hover state: `bg-[#171f35]`
- Icons: Lucide React (`LayoutDashboard`, `Users`, `Bookmark`, `Anchor`, `Receipt`, `FileText`, `FolderOpen`, `Mail`, `Bell`, `Settings`, `Shield`)
- Collapsible: persisted via Zustand `sidebarCollapsed`
- Mobile: Sheet/drawer triggered by hamburger
- User footer: avatar + name + role badge
- shadcn components: `Sheet`, `ScrollArea`, `Tooltip`, `Badge`, `Avatar`, `Separator`
**File:** `src/components/layout/topbar.tsx`
- Page title (derived from route params)
- Search box: `Button` with `⌘K` label → placeholder for Command palette (implemented in L3)
- Notification bell: `Button` with `Badge` unread count dot → placeholder panel
- "+ New" dropdown: `DropdownMenu` with context-aware options (New Client, New Interest, New Expense)
- Port switcher (only if 2+ ports): `Select` dropdown with port names
- User menu: `DropdownMenu` with Profile, Dark Mode toggle, Scratchpad, Logout
- shadcn components: `Button`, `DropdownMenu`, `Badge`, `Avatar`, `Separator`
**File:** `src/components/layout/port-switcher.tsx`
- Hidden when user has only 1 port
- `Select` dropdown showing port name
- On change: updates Zustand `currentPortId` → invalidates all TanStack Query caches → Socket.io reconnects to new port room
**File:** `src/components/layout/breadcrumbs.tsx`
- Auto-generated from `usePathname()` route segments
- Maps `[portSlug]` to port name
- Clickable segments using shadcn `Breadcrumb` component
**Step 31: Zustand UI store**
```bash
pnpm add zustand
```
**File:** `src/stores/ui-store.ts`
```typescript
import { create } from 'zustand';
import { persist } from 'zustand/middleware';
interface UIStore {
sidebarCollapsed: boolean;
currentPortId: string | null;
currentPortSlug: string | null;
darkMode: boolean;
toggleSidebar: () => void;
setPort: (portId: string, portSlug: string) => void;
toggleDarkMode: () => void;
}
export const useUIStore = create<UIStore>()(
persist(
(set) => ({
sidebarCollapsed: false,
currentPortId: null,
currentPortSlug: null,
darkMode: false,
toggleSidebar: () => set((s) => ({ sidebarCollapsed: !s.sidebarCollapsed })),
setPort: (portId, portSlug) => set({ currentPortId: portId, currentPortSlug: portSlug }),
toggleDarkMode: () => set((s) => ({ darkMode: !s.darkMode })),
}),
{
name: 'pn-crm-ui',
partialize: (state) => ({
sidebarCollapsed: state.sidebarCollapsed,
currentPortId: state.currentPortId,
currentPortSlug: state.currentPortSlug,
darkMode: state.darkMode,
}),
},
),
);
// Alias for port-specific access
export const usePortStore = useUIStore;
```
**Step 32: TanStack Query provider**
```bash
pnpm add @tanstack/react-query @tanstack/react-query-devtools
```
**File:** `src/providers/query-provider.tsx`
```typescript
'use client';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { ReactQueryDevtools } from '@tanstack/react-query-devtools';
import { useState, type ReactNode } from 'react';
export function QueryProvider({ children }: { children: ReactNode }) {
const [queryClient] = useState(
() =>
new QueryClient({
defaultOptions: {
queries: {
staleTime: 30 * 1000,
retry: 1,
refetchOnWindowFocus: false,
},
mutations: {
onError: (error) => {
console.error('Mutation error:', error);
},
},
},
}),
);
return (
<QueryClientProvider client={queryClient}>
{children}
{process.env.NODE_ENV === 'development' && <ReactQueryDevtools initialIsOpen={false} />}
</QueryClientProvider>
);
}
```
**Step 33: Base UI patterns**
**File:** `src/components/shared/page-header.tsx` — consistent page header with title, description, action buttons
**File:** `src/components/shared/empty-state.tsx` — "no data" pattern with icon, title, description, optional CTA
**File:** `src/components/shared/loading-skeleton.tsx` — reusable skeleton patterns (table, card, form)
**File:** `src/components/shared/confirmation-dialog.tsx` — destructive action confirmation using shadcn `AlertDialog`
**Step 34: Placeholder pages**
Create minimal placeholder pages for every route. Each renders `<PageHeader>` + `<EmptyState>` with "Coming in Layer X" message and correct breadcrumbs.
Pages under `src/app/(dashboard)/[portSlug]/`:
- `page.tsx` (dashboard)
- `clients/page.tsx`
- `interests/page.tsx`
- `berths/page.tsx`
- `expenses/page.tsx`
- `invoices/page.tsx`
- `documents/page.tsx`
- `email/page.tsx`
- `reminders/page.tsx`
- `reports/page.tsx`
- `settings/profile/page.tsx`
- `settings/notifications/page.tsx`
- `settings/calendar/page.tsx`
- `admin/page.tsx`
- `admin/users/page.tsx`
- `admin/roles/page.tsx`
- `admin/ports/page.tsx`
- `admin/audit/page.tsx`
- `admin/settings/page.tsx`
- `admin/webhooks/page.tsx`
- `admin/reports/page.tsx`
- `admin/templates/page.tsx`
- `admin/forms/page.tsx`
- `admin/tags/page.tsx`
- `admin/import/page.tsx`
- `admin/monitoring/page.tsx`
- `admin/backup/page.tsx`
- `admin/custom-fields/page.tsx`
- `admin/onboarding/page.tsx`
#### Afternoon: Security Baseline + Nginx + Verification (3 hours)
**Step 35: Nginx configuration**
**File:** `nginx/nginx.conf`
Full configuration matching `SECURITY-GUIDELINES.md` Section 6:
- TLS 1.3 only
- All security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP, Permissions-Policy)
- Rate limiting zones: `auth` (5r/m), `general` (30r/s), `api` (60r/s), `upload` (10r/m)
- Proxy to `crm-app:3000`
- WebSocket upgrade for `/socket.io/`
- CORS for `/api/public/` (allow `portnimara.com` only)
- HTTP → HTTPS redirect
- Request body size limits (1MB JSON, 50MB uploads)
**Step 36: Constants file**
**File:** `src/lib/constants.ts`
```typescript
// Pipeline stages (from 09-BUSINESS-RULES.md)
export const PIPELINE_STAGES = [
'open',
'details_sent',
'in_communication',
'visited',
'signed_eoi_nda',
'ten_percent_deposit',
'contract',
'completed',
] as const;
export type PipelineStage = (typeof PIPELINE_STAGES)[number];
// Berth statuses
export const BERTH_STATUSES = [
'available',
'under_offer',
'sold',
'maintenance',
'reserved',
] as const;
export type BerthStatus = (typeof BERTH_STATUSES)[number];
// Lead categories
export const LEAD_CATEGORIES = ['hot', 'warm', 'cold', 'dormant'] as const;
export type LeadCategory = (typeof LEAD_CATEGORIES)[number];
// Invoice statuses
export const INVOICE_STATUSES = ['draft', 'sent', 'paid', 'overdue', 'cancelled'] as const;
export type InvoiceStatus = (typeof INVOICE_STATUSES)[number];
// Expense categories
export const EXPENSE_CATEGORIES = [
'food_beverage',
'transportation',
'accommodation',
'supplies',
'maintenance',
'utilities',
'professional_services',
'entertainment',
'marketing',
'office',
'other',
] as const;
export type ExpenseCategory = (typeof EXPENSE_CATEGORIES)[number];
// Document types
export const DOCUMENT_TYPES = ['eoi', 'nda', 'contract', 'addendum', 'other'] as const;
export type DocumentType = (typeof DOCUMENT_TYPES)[number];
// Reminder priorities
export const REMINDER_PRIORITIES = ['low', 'normal', 'high', 'urgent'] as const;
export type ReminderPriority = (typeof REMINDER_PRIORITIES)[number];
// Client sources
export const CLIENT_SOURCES = [
'website',
'manual',
'referral',
'broker',
'event',
'other',
] as const;
export type ClientSource = (typeof CLIENT_SOURCES)[number];
// Notification types
export const NOTIFICATION_TYPES = [
'reminder_due',
'reminder_overdue',
'new_registration',
'eoi_signature_event',
'new_email',
'duplicate_alert',
'invoice_overdue',
'waiting_list',
'system_alert',
'follow_up_created',
'tenure_expiring',
] as const;
export type NotificationType = (typeof NOTIFICATION_TYPES)[number];
// File MIME type allowlist (SECURITY-GUIDELINES.md Section 10)
export const ALLOWED_MIME_TYPES = new Set([
'image/jpeg',
'image/png',
'image/gif',
'image/webp',
'application/pdf',
'application/msword',
'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
'application/vnd.ms-excel',
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
]);
export const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50MB
export const MAX_JSON_BODY_SIZE = 1 * 1024 * 1024; // 1MB
export const PRESIGNED_URL_EXPIRY = 900; // 15 minutes
```
**Step 37: Custom server entry point**
**File:** `src/server.ts`
This is the custom entry point that boots Next.js + Socket.io together in development. In production, the standalone Next.js `server.js` handles HTTP, and `crm-worker` handles BullMQ separately.
```typescript
import { createServer } from 'node:http';
import next from 'next';
import { initSocketServer } from '@/lib/socket/server';
import { registerRecurringJobs } from '@/lib/queue/scheduler';
import { ensureBucket } from '@/lib/minio';
import { logger } from '@/lib/logger';
const dev = process.env.NODE_ENV !== 'production';
const hostname = 'localhost';
const port = parseInt(process.env.PORT || '3000', 10);
async function main() {
const app = next({ dev, hostname, port });
const handle = app.getRequestHandler();
await app.prepare();
const httpServer = createServer(handle);
// Initialize Socket.io on the same HTTP server
initSocketServer(httpServer);
logger.info('Socket.io initialized');
// Ensure MinIO bucket exists
await ensureBucket();
logger.info('MinIO bucket verified');
// Register recurring BullMQ jobs (dev only — production uses crm-worker)
if (dev) {
await registerRecurringJobs();
// Import workers to start processing
await import('@/lib/queue/workers/email');
await import('@/lib/queue/workers/documents');
await import('@/lib/queue/workers/notifications');
await import('@/lib/queue/workers/maintenance');
// ... other workers
logger.info('BullMQ workers started (dev mode)');
}
httpServer.listen(port, () => {
logger.info({ port, dev }, `Server ready at http://${hostname}:${port}`);
});
}
main().catch((err) => {
logger.fatal(err, 'Failed to start server');
process.exit(1);
});
```
**Step 38: Final verification**
Run the full verification checklist:
```bash
# Type check
pnpm tsc --noEmit
# Lint
pnpm eslint src/
# Docker
docker compose -f docker-compose.yml -f docker-compose.dev.yml up --build
# Verify DB tables
pnpm drizzle-kit studio # Visual inspection of all 49 tables
# Seed
pnpm tsx src/lib/db/seed.ts
# Start dev server
pnpm tsx src/server.ts
# Verify:
# - Login page renders at /login
# - Can log in with seeded admin
# - Dashboard layout renders with sidebar
# - All placeholder pages accessible
# - Socket.io connects (check browser console)
# - BullMQ queues initialized (check server logs)
# - Health endpoint returns 200 at /api/health
```
---
## 3. Code-Ready Details
### API Route Middleware Chain
Every API route under `/api/v1/` follows this pattern:
```
Request → Next.js middleware (session cookie check)
→ withAuth() (load user, port, permissions)
→ withPermission(resource, action) (RBAC check)
→ rate limit check (Redis sliding window)
→ Zod input validation
→ handler (business logic)
→ audit log write
→ response
```
### State Management Per Page
| Page | Server State (TanStack Query) | Client State (Zustand) | URL State |
| -------------- | ------------------------------- | ------------------------------ | ------------------------ |
| Dashboard | `['dashboard', portId]` | `sidebarCollapsed` | none |
| Client List | `['clients', portId, filters]` | `sidebarCollapsed` | `?search=&source=&page=` |
| Client Detail | `['clients', portId, clientId]` | `activeTab` | `?tab=overview` |
| All list pages | `[entity, portId, filters]` | `sidebarCollapsed`, `viewMode` | `?page=&sort=&filter=` |
### shadcn Components Used in L0
| Component | Where Used |
| ----------------- | ----------------------------------------------------- |
| `Button` | Login form, sidebar nav, topbar actions, page headers |
| `Input`, `Label` | Login form, password forms |
| `Card` | Login page, empty states |
| `Avatar`, `Badge` | Sidebar user footer, topbar |
| `DropdownMenu` | Topbar "+ New", user menu |
| `Sheet` | Mobile sidebar drawer |
| `ScrollArea` | Sidebar navigation |
| `Separator` | Sidebar sections |
| `Tooltip` | Collapsed sidebar icons |
| `Breadcrumb` | All pages (auto-generated) |
| `Skeleton` | Loading states |
| `AlertDialog` | Confirmation dialogs |
| `Sonner` (Toast) | Notifications, errors |
| `Form` | Login, set-password, reset-password |
### CSS / Tailwind Patterns
- Sidebar: `w-64 bg-[#1e2844] text-sidebar-text` (expanded), `w-16` (collapsed)
- Content area: `bg-background` (white light mode, `#131a2c` dark mode)
- Page headers: `text-2xl font-semibold text-text-primary`
- Cards: `bg-card rounded-lg border shadow-sm`
- Status badges: `bg-success-bg text-success border-success-border` (and warning/error/info variants)
- Focus rings: `ring-2 ring-brand ring-offset-2`
- Transitions: sidebar collapse `transition-all duration-200`, page transitions via `motion-safe:animate-in`
---
## 4. Acceptance Criteria
1. `docker compose -f docker-compose.yml -f docker-compose.dev.yml up` starts postgres, redis, and crm-app successfully
2. All 49 database tables exist with correct schemas, constraints, indexes, and `pgcrypto` extension
3. Seed data inserted: 1 port, 5 system roles, 1 super admin user
4. Login page renders at `/login` with Port Nimara branding (dark navy, PN logo)
5. Can log in with super admin credentials → redirected to `/(dashboard)/port-nimara/`
6. Session persists across page refreshes (httpOnly cookie, Redis-backed)
7. Protected routes redirect to `/login` when not authenticated
8. API routes return 401 JSON when not authenticated
9. Sidebar renders all navigation sections with correct icons
10. All ~29 placeholder pages load with correct breadcrumbs and "Coming in Layer X" empty states
11. Port switcher hidden (single port mode) — visible only with 2+ ports
12. Socket.io connects on login, auto-joins `port:{portId}` and `user:{userId}` rooms
13. All 10 BullMQ queues initialized (visible in server logs)
14. All 13 recurring jobs registered (visible in server logs)
15. MinIO bucket exists and accessible (`/api/health` reports `minio: ok`)
16. Health endpoint at `/api/health` returns `{ status: "healthy", checks: { postgres: "ok", redis: "ok", minio: "ok" } }`
17. Structured logging active (pino JSON output in production, pretty-printed in dev)
18. Nginx serves over HTTPS with all security headers (HSTS, CSP, X-Frame-Options, etc.)
19. Application-level rate limiter functional (Redis sliding window)
20. ESLint passes with zero errors, TypeScript strict mode passes with zero errors
21. No secrets in source code — `.env.example` has placeholders only, pre-commit hook catches accidental commits
22. Audit log middleware functional — login event written to `audit_logs` table
23. Zod env validation fails fast on missing/invalid environment variables
24. Dark mode toggle in user menu switches theme (CSS variables swap)
25. Mobile responsive: sidebar collapses to hamburger drawer below 768px
---
## 5. Self-Review Checklist
Before calling Layer 0 done:
- [ ] **Security:** All env vars externalized, no hardcoded secrets, pgcrypto enabled, TLS 1.3 configured
- [ ] **Auth:** Better Auth + Redis sessions, Argon2id hashing, 12-char minimum password, CSRF protection, rate-limited login
- [ ] **Port scoping:** Every query helper includes `portId`, middleware extracts port from session context
- [ ] **RBAC:** 5 system roles match `10-AUTH-AND-PERMISSIONS.md`, permission check helper works with JSON permission map
- [ ] **Audit:** `createAuditLog()` called on login/logout, sensitive fields masked, append-only
- [ ] **Error handling:** `AppError` hierarchy, Zod validation errors formatted as `{ error, details }`, no stack traces leak to client
- [ ] **Rate limiting:** Both nginx (per-IP) and application (per-user Redis sliding window) active
- [ ] **Type safety:** Zero `any` types, strict mode, all Drizzle schemas typed, all API responses typed
- [ ] **Docker:** Multi-stage build, non-root user, health checks on all services, no exposed internal ports
- [ ] **Logging:** Pino with redaction rules, no PII in logs, log levels configurable via env
- [ ] **Real-time:** Socket.io connects, authenticates, joins rooms, idle timeout configured
- [ ] **Background jobs:** All 10 queues created, all 13 recurring jobs registered, exponential backoff configured
- [ ] **UI:** Sidebar matches mockup-A design, Inter font loaded, design tokens applied, responsive breakpoints working
- [ ] **Developer experience:** ESLint + Prettier + lint-staged + husky, TypeScript strict, hot reload works, Drizzle Studio accessible
- [ ] **Schema completeness:** All 49 tables from `07-DATABASE-SCHEMA.md` present with correct columns, types, constraints, indexes, and Drizzle relation definitions
---
## Estimated File Count
Layer 0 produces approximately **8595 files**:
- Config files: ~10 (tsconfig, eslint, prettier, drizzle, next.config, docker, nginx, husky, lint-staged, .env.example)
- Schema files: 12 (10 domain + relations + index)
- Auth: 4 (server, client, permissions, api catch-all)
- Infrastructure: 8 (redis, rate-limit, logger, errors, audit, minio, env, constants)
- Socket.io: 4 (server, events, rooms, provider)
- BullMQ: 13 (index, scheduler, 10 worker stubs, types)
- Layout components: 5 (sidebar, topbar, port-switcher, breadcrumbs, dashboard layout)
- Shared components: 4 (page-header, empty-state, loading-skeleton, confirmation-dialog)
- Providers: 3 (query, socket, port)
- Stores: 1 (ui-store)
- Pages: ~32 (3 auth + 29 placeholder dashboard pages + not-found)
- Server: 1 (custom server.ts)
- Seed: 1
- API routes: 2 (auth catch-all, health)
---
## Codex Addenda — Merged from Competing Plan Review
The following items are cherry-picked from the Codex competing plan and should be incorporated during implementation. They represent architectural patterns and corrections that complement the Claude Code base plan.
### 1. Execution Spine Framing
Frame L0 not as "setup work" but as building the **execution spine** that all subsequent layers hang from. The reusable contracts produced here — `defineRoute`, `RequestContext`, `requirePermission`, `auditLog`, `buildStorageKey`, queue registry, and socket emitter — are the multiplier for 250+ endpoints. Pages stay minimal until those contracts exist.
### 2. Table Count Correction
The locked schema defines **51 application tables** plus Better Auth-managed auth tables. Plans referencing "49 tables" should be corrected. The coding agent will drift if the count is wrong.
### 3. Session Storage Resolution
Standardize on **PostgreSQL as the Better Auth session source of truth**. Redis is for cache, rate limits, queues, and Socket.io only. This resolves the contradiction across foundation docs.
### 4. Health Response Schema
Add a typed health check response schema:
```ts
export const healthResponseSchema = z.object({
status: z.enum(['healthy', 'degraded', 'down']),
services: z.array(
z.object({
name: z.string(),
status: z.enum(['healthy', 'degraded', 'down']),
latencyMs: z.number().nullable(),
detail: z.string().optional(),
}),
),
});
```
### 5. Storage Key Builder Signature
Adopt Codex's explicit entity enum in `buildStorageKey`:
```ts
export function buildStorageKey(input: {
portSlug: string;
entity: 'clients' | 'expenses' | 'invoices' | 'documents' | 'general';
entityId: string;
extension: string;
}): string;
```
Storage keys use UUID filenames only: `{portSlug}/{entity}/{entityId}/{uuid}.{ext}`.
### 6. Graceful Degradation Edge Cases
- **Redis unavailable on boot:** App still starts, but queues, rate limiting, and sockets are marked degraded in health check.
- **MinIO unavailable on boot:** File-dependent routes are disabled via startup status, not silent failures.
- **Duplicate socket connections:** Beyond 10 per user are rejected.
- **Presigned URLs:** Expire after 15 minutes and are never cached client-side in persisted state.
- **User has no assigned ports:** Redirect to a blocked access page, not the dashboard.
- **One active port only:** Port switcher component never mounts.
### 7. Security: Queue Job Payloads
Never put secrets or raw credentials into BullMQ job payloads — enqueue record IDs only.
### 8. Docker Acceptance Criteria
`docker compose up` must start `crm-app`, `postgres`, `redis`, and `nginx` without manual patching. This should be verified as part of L0 acceptance.
Reference in New Issue Copy Permalink