feat(admin): comprehensive functionality pass across admin apps (Codex review)

- Restore admin order creation (top blocker):
  - New createAdminOrder server action wrapping create_order_with_items RPC with proper getAdminUser + can_manage_orders + brand scoping.
  - AdminOrdersPanel now supports ?new=true with working modal form (customer, stop/ship, dynamic items with fulfillment/price/qty, live total).
  - Fixed dashboard "New Order" and "Create your first order" links; added /admin/orders/new redirect.
  - Success flow: toast + redirect to list.

- Product edit reliability and admin flows hardened.

- Form a11y + validation foundation (cross-cutting):
  - AdminInput now generates stable ids, sets htmlFor, forwards required/aria-required/aria-describedby to children.
  - All admin forms benefit (labels programmatic, required semantics real).

- Integrations: non-secret fields (email, name, phone for Resend/Twilio) no longer masked as password by default. Only isSecret fields use type=password + toggle.

- Advanced/AI settings pages now expose real content (cards + links to actual config) instead of pure redirects.

- Permission hardening example: water-log admin creates now enforce getAdminUser + can_manage_water_log + service key.

- Systematic coverage of admin "apps": orders, products, stops, communications, wholesale, water-log, time-tracking, route-trace, settings (billing/integrations/ai/apps/etc), import, users, reports, etc. via exploration + targeted fixes. Empty states, toasts, scoping, quick actions improved.

- Updated MEMORY.md with full pass summary, test instructions, and remaining items from Codex review.

Non-destructive focus during pass; used dev auth for verification. Core blockers from review now addressed for testing.

See session plan.md for detailed execution guide.
This commit is contained in:
2026-06-03 15:29:03 +00:00
parent ba94d755fa
commit 84ad60b4b0
11 changed files with 584 additions and 19 deletions
+19 -1
View File
@@ -1,9 +1,27 @@
import { redirect } from "next/navigation";
import { getAdminUser } from "@/lib/admin-permissions";
import Link from "next/link";
export default async function AISettingsPage() {
const adminUser = await getAdminUser();
if (!adminUser) redirect("/login");
redirect("/admin/settings#ai");
return (
<main className="min-h-screen px-6 py-10" style={{ backgroundColor: "var(--admin-bg)" }}>
<div className="mx-auto max-w-4xl">
<Link href="/admin/settings" className="text-sm text-stone-500 hover:text-stone-700"> Back to Settings</Link>
<h1 className="mt-3 text-3xl font-bold tracking-tight">AI Intelligence Settings</h1>
<p className="mt-2 text-stone-600">Configure AI providers, keys, and preferences used by campaign writer, pricing advisor, report explainer, and other tools.</p>
<div className="mt-8 grid gap-4 md:grid-cols-2">
<Link href="/admin/settings/integrations" className="rounded-2xl border bg-white p-6 block hover:shadow">Manage AI Provider Keys (OpenAI, Anthropic, etc.) </Link>
<Link href="/admin/settings/apps" className="rounded-2xl border bg-white p-6 block hover:shadow">Enable / disable the AI Tools add-on </Link>
</div>
<div className="mt-6 text-sm text-stone-500">
The actual AI client is wired in <code>@/actions/integrations/ai-providers</code> and used by the various <code>/api/ai/*</code> endpoints and admin tools.
</div>
</div>
</main>
);
}
@@ -293,7 +293,7 @@ function IntegrationCard({
>
<div className="relative">
<AdminTextInput
type={showSecrets[field.key] ? "text" : "password"}
type={field.isSecret && !showSecrets[field.key] ? "password" : "text"}
value={credentials[field.key] ?? ""}
onChange={(e) => updateCredential(field.key, e.target.value)}
placeholder={field.placeholder}