[ { "id": "R001", "description": "Revert or isolate `.env.localtest` credential changes before committing remediation work.", "implemented": true, "prdRefs": [ "Hygiene and baseline" ] }, { "id": "R002", "description": "Revert or justify `package-lock.json` package version regressions before committing remediation work.", "implemented": true, "prdRefs": [ "Hygiene and baseline" ] }, { "id": "R003", "description": "Remove or deliberately commit only relevant review artifacts; do not accidentally commit transient `progress.md`.", "implemented": true, "prdRefs": [ "Hygiene and baseline" ] }, { "id": "R004", "description": "Record the current reviewed commit range and blockers in the remediation scratchpad.", "implemented": true, "prdRefs": [ "Hygiene and baseline" ] }, { "id": "R005", "description": "Establish a clean git status baseline for remediation commits excluding unrelated local changes.", "implemented": true, "prdRefs": [ "Hygiene and baseline" ] }, { "id": "R006", "description": "Move product_code NextAuth type augmentation to the shared auth package type declaration.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R007", "description": "Remove conflicting product_code declaration from server-only NextAuth augmentation or make it exactly match the shared declaration.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R008", "description": "Add product_code to JWT type augmentation consistently.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R009", "description": "Add product_code to Session.user type augmentation consistently.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R010", "description": "Add product_code to ExtendedUser or local auth runtime user shape where token/session mapping requires it.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R011", "description": "Select product_code from tenants in tenant subscription/product info lookup.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R012", "description": "Return product_code from fetchTenantSubscriptionInfo or equivalent auth helper.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R013", "description": "Set token.product_code on initial sign-in for tenant users.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R014", "description": "Refresh token.product_code on periodic tenant info refresh.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R015", "description": "Map token.product_code into session.user.product_code in session callback.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R016", "description": "Preserve existing plan mapping in auth callbacks.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R017", "description": "Preserve existing addons mapping in auth callbacks.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R018", "description": "Preserve existing trial fields in auth callbacks.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R019", "description": "Make ProductProvider resolve AlgaDesk from session without unsafe casts where possible.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R020", "description": "Define safe fallback behavior for sessions without product_code during rollout.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R021", "description": "Add unit coverage proving an AlgaDesk session resolves `useProduct().isAlgaDesk` true.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R022", "description": "Add regression coverage proving a PSA session resolves `useProduct().isPsa` true.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R023", "description": "Run server typecheck after auth/session fixes.", "implemented": true, "prdRefs": [ "TypeScript and auth session" ] }, { "id": "R024", "description": "Add statusCode=403 to ProductAccessError.", "implemented": true, "prdRefs": [ "Product error handling" ] }, { "id": "R025", "description": "Keep PRODUCT_ACCESS_DENIED code stable on all product-denied errors.", "implemented": true, "prdRefs": [ "Product error handling" ] }, { "id": "R026", "description": "Update API error handling to map product-denied errors with status or statusCode to HTTP 403.", "implemented": true, "prdRefs": [ "Product error handling" ] }, { "id": "R027", "description": "Update standalone route handlers to return product-denied 403 instead of generic 500.", "implemented": true, "prdRefs": [ "Product error handling" ] }, { "id": "R028", "description": "Add a helper for converting ProductAccessError to NextResponse where route handlers do not use API middleware.", "implemented": true, "prdRefs": [ "Product error handling" ] }, { "id": "R029", "description": "Add tests for product-denied API middleware response shape.", "implemented": true, "prdRefs": [ "Product error handling" ] }, { "id": "R030", "description": "Allow `/client-portal/client-settings` for AlgaDesk in portal route rules.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R031", "description": "Keep `/client-portal/settings` behavior only if the route exists or is intentionally supported.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R032", "description": "Treat `/msp/settings/notifications` as denied or upgrade-boundary for AlgaDesk unless explicitly narrowed.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R033", "description": "Treat `/msp/settings/extensions` as denied or upgrade-boundary for AlgaDesk.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R034", "description": "Treat broad `/msp/settings/integrations` and integration callback paths as denied for AlgaDesk except focused email-channel paths.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R035", "description": "Keep `/msp/settings?tab=email` allowed only for focused Email Channels configuration.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R036", "description": "Keep `/msp/settings?tab=knowledge-base` allowed for focused KB configuration.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R037", "description": "Correct AlgaDesk API KB allowlist to `/api/v1/kb-articles`.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R038", "description": "Add deny rules for `/api/v1/financial`.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R039", "description": "Add deny rules for `/api/v1/quotes`.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R040", "description": "Add deny rules for `/api/v1/contracts` and contract-line route variants.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R041", "description": "Add deny rules for `/api/v1/services`, `/api/v1/service-types`, and `/api/v1/products`.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R042", "description": "Add deny rules for `/api/v1/accounting-exports` and accounting integration API families.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R043", "description": "Add deny rules for `/api/v1/platform-*`, `/api/v1/admin`, and tenant-management APIs.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R044", "description": "Add deny rules for `/api/v1/feature-flags` and platform feature flag APIs unless admin-only PSA behavior requires otherwise.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R045", "description": "Add deny rules for `/api/v1/documents` while preserving ticket attachment and KB-safe routes.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R046", "description": "Add deny rules for automation/workflow API families.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R047", "description": "Add deny rules for AI/chat API families including non-v1 chat routes.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R048", "description": "Add deny rules for assets/RMM route families.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R049", "description": "Add deny rules for scheduling/time route families.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R050", "description": "Add deny rules for surveys route families.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R051", "description": "Add deny rules for extensions route families.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R052", "description": "Add representative registry tests for exact allowed AlgaDesk routes.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R053", "description": "Add representative registry tests for exact denied AlgaDesk routes.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R054", "description": "Add representative registry tests for unknown AlgaDesk route/API fail-closed behavior.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R055", "description": "Add representative registry tests proving PSA remains allowed for PSA route/API groups.", "implemented": true, "prdRefs": [ "Product surface registry correction" ] }, { "id": "R056", "description": "Replace raw AlgaDesk children rendering in MspLayoutClient with a real AlgaDesk shell component.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R057", "description": "Render an AlgaDesk sidebar in the AlgaDesk MSP shell.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R058", "description": "Render a header/app chrome in the AlgaDesk MSP shell.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R059", "description": "Render a main content container matching normal page layout expectations.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R060", "description": "Avoid ActivityDrawerProvider in AlgaDesk shell unless explicitly needed for help desk.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R061", "description": "Avoid SchedulingProviderWithCallbacks in AlgaDesk shell.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R062", "description": "Avoid project integration providers in AlgaDesk shell.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R063", "description": "Avoid asset/document full-management providers in AlgaDesk shell except ticket/KB-safe providers.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R064", "description": "Avoid AIChatContextProvider in AlgaDesk shell unless AI is explicitly excluded from UI and provider has no user-facing effect.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R065", "description": "Keep TagProvider and required i18n/session/tier/product providers in AlgaDesk shell.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R066", "description": "Fix SidebarWithFeatureFlags generic return types so filtered sections typecheck as NavigationSection arrays.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R067", "description": "Ensure product-filtered settings sections typecheck without unsafe broad casts.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R068", "description": "Keep PSA MspLayoutClient path using DefaultLayout unchanged for PSA tenants.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R069", "description": "Add a shell test that AlgaDesk renders sidebar/header, not only raw children.", "implemented": true, "prdRefs": [ "AlgaDesk MSP shell remediation" ] }, { "id": "R070", "description": "Create a server-side helper to resolve current tenant product and route behavior for an explicit pathname.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R071", "description": "Create a server-side helper to return upgrade boundary/notFound before page data fetching.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R072", "description": "Apply server-side guard to `/msp/billing` before billing data loads.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R073", "description": "Apply server-side guard to `/msp/projects` and project child routes before project data loads.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R074", "description": "Apply server-side guard to `/msp/assets` and asset child routes before asset data loads.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R075", "description": "Apply server-side guard to scheduling and dispatch pages before schedule data loads.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R076", "description": "Apply server-side guard to time entry and approvals pages before time data loads.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R077", "description": "Apply server-side guard to workflow pages before workflow data loads.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R078", "description": "Apply server-side guard to surveys pages before survey data loads.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R079", "description": "Apply server-side guard to extensions pages before extension data loads.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R080", "description": "Apply server-side guard to reports and service request pages before excluded data loads.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R081", "description": "Apply server-side guard to excluded client portal billing/project/device/document/appointment/service-request/extension pages.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R082", "description": "Keep client-side ProductRouteBoundary as secondary UI fallback only.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R083", "description": "Add tests proving excluded page loaders do not call their data actions for AlgaDesk.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R084", "description": "Add tests proving representative PSA excluded routes still render for PSA tenants.", "implemented": true, "prdRefs": [ "Server-side route enforcement" ] }, { "id": "R085", "description": "Centralize product API enforcement in authenticate/context creation or another unavoidable API controller path.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R086", "description": "Remove reliance on individual base CRUD methods for product API enforcement.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R087", "description": "Audit overridden controller methods for product enforcement coverage.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R088", "description": "Ensure ApiProjectController overridden list/get/task methods cannot bypass product API gate.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R089", "description": "Ensure financial controller methods cannot bypass product API gate.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R090", "description": "Ensure invoice controller methods cannot bypass product API gate.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R091", "description": "Ensure quote controller methods cannot bypass product API gate.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R092", "description": "Ensure asset/RMM controller methods cannot bypass product API gate.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R093", "description": "Ensure custom tag/client/contact methods preserve allowed AlgaDesk behavior while still passing product gate.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R094", "description": "Add product guards to standalone chat API routes.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R095", "description": "Add product guards to standalone email routes while preserving allowed email-to-ticket paths.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R096", "description": "Add product guards to standalone extension and integration API routes.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R097", "description": "Return structured 403 PRODUCT_ACCESS_DENIED for denied AlgaDesk API requests.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R098", "description": "Keep allowed AlgaDesk ticket/client/contact/KB/email APIs functional.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R099", "description": "Keep PSA API behavior unchanged for PSA tenants.", "implemented": true, "prdRefs": [ "API enforcement remediation" ] }, { "id": "R100", "description": "Filter API endpoint metadata by product for AlgaDesk.", "implemented": true, "prdRefs": [ "Metadata and OpenAPI remediation" ] }, { "id": "R101", "description": "Filter OpenAPI paths by product for AlgaDesk.", "implemented": true, "prdRefs": [ "Metadata and OpenAPI remediation" ] }, { "id": "R102", "description": "Filter API docs output by product for AlgaDesk.", "implemented": true, "prdRefs": [ "Metadata and OpenAPI remediation" ] }, { "id": "R103", "description": "Filter generated permission metadata by product for AlgaDesk.", "implemented": true, "prdRefs": [ "Metadata and OpenAPI remediation" ] }, { "id": "R104", "description": "Filter metadata stats/counts so AlgaDesk counts only visible endpoints/schemas/permissions.", "implemented": true, "prdRefs": [ "Metadata and OpenAPI remediation" ] }, { "id": "R105", "description": "Filter schemas/models that are exclusively PSA-only from AlgaDesk metadata where feasible.", "implemented": true, "prdRefs": [ "Metadata and OpenAPI remediation" ] }, { "id": "R106", "description": "Document any shared schemas intentionally still visible to AlgaDesk.", "implemented": true, "prdRefs": [ "Metadata and OpenAPI remediation" ] }, { "id": "R107", "description": "Preserve complete PSA metadata/OpenAPI output for PSA tenants.", "implemented": true, "prdRefs": [ "Metadata and OpenAPI remediation" ] }, { "id": "R108", "description": "Integrate relevant contact-detail AlgaDesk mode changes from the current uncommitted working tree.", "implemented": true, "prdRefs": [ "Contact and document leak remediation" ] }, { "id": "R109", "description": "Prevent AlgaDesk `/msp/contacts/[id]?tab=documents` from fetching contact documents.", "implemented": true, "prdRefs": [ "Contact and document leak remediation" ] }, { "id": "R110", "description": "Prevent AlgaDesk ContactDetails from rendering the Documents tab.", "implemented": true, "prdRefs": [ "Contact and document leak remediation" ] }, { "id": "R111", "description": "Preserve PSA contact document fetching on `tab=documents`.", "implemented": true, "prdRefs": [ "Contact and document leak remediation" ] }, { "id": "R112", "description": "Preserve PSA ContactDetails Documents tab rendering.", "implemented": true, "prdRefs": [ "Contact and document leak remediation" ] }, { "id": "R113", "description": "Add product composition tests for AlgaDesk and PSA contact detail behavior.", "implemented": true, "prdRefs": [ "Contact and document leak remediation" ] }, { "id": "R114", "description": "Fix T015 Playwright helper signatures to match actual helper APIs.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R115", "description": "Fix T015 route assumptions for portal ticket creation so it targets a real creation flow.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R116", "description": "Add cleanup for tenants and related data created by AlgaDesk Playwright tests.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R117", "description": "Fix package-level ticket detail test runner failure or move test to a runnable server Vitest context.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R118", "description": "Audit source-string contract tests and rename any that remain as contract/static tests.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R119", "description": "Replace T016/T017 inbound email source-string coverage with DB-backed behavior coverage or mark as external-prerequisite tests.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R120", "description": "Replace T019 API source-string coverage with real API-key request coverage for allowed and denied routes.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R121", "description": "Replace T020 metadata source-string coverage with real metadata/OpenAPI endpoint coverage.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R122", "description": "Ensure DB-backed tests have clear prerequisites and skip/fail behavior appropriate for CI.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R123", "description": "Run focused unit tests for product resolver, registry, product context, shell, settings, contact detail, and error handling.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R124", "description": "Run focused integration tests for product_code migration and representative API gates when DB is available.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R125", "description": "Run Playwright list and at least one smoke execution path when browser environment is available.", "implemented": true, "prdRefs": [ "Test remediation" ] }, { "id": "R126", "description": "Add a note to the parent scratchpad that this remediation plan supersedes implementation tracking until blockers are resolved.", "implemented": true, "prdRefs": [ "Parent plan reconciliation" ] }, { "id": "R127", "description": "Reset or correct parent tests.json implemented booleans for tests proven non-runnable or source-only if the team chooses to keep parent status authoritative.", "implemented": true, "prdRefs": [ "Parent plan reconciliation" ] }, { "id": "R128", "description": "Reset or correct parent features.json implemented booleans for features contradicted by remediation blockers if the team chooses to keep parent status authoritative.", "implemented": true, "prdRefs": [ "Parent plan reconciliation" ] }, { "id": "R129", "description": "Keep this remediation features.json entirely false until fixes are verified.", "implemented": true, "prdRefs": [ "Parent plan reconciliation" ] }, { "id": "R130", "description": "Keep this remediation tests.json entirely false until tests are verified.", "implemented": true, "prdRefs": [ "Parent plan reconciliation" ] } ]