diff --git a/prd.json b/prd.json index 429b4ac..4f9ad08 100644 --- a/prd.json +++ b/prd.json @@ -232,7 +232,7 @@ "Typecheck passes" ], "priority": 13, - "passes": false, + "passes": true, "notes": "" }, { diff --git a/progress.txt b/progress.txt index a9bc7d7..2fdeb52 100644 --- a/progress.txt +++ b/progress.txt @@ -43,6 +43,8 @@ - `ChoiceOption` type includes optional `condition?: Condition`. When counting variable usage, check variable nodes + edge conditions + choice option conditions. - React Compiler lint forbids `setState` in effects and reading `useRef().current` during render. Use `useState(() => computeValue())` lazy initializer pattern for one-time initialization logic. - For detecting legacy data shape (pre-migration), pass a flag from the server component (page.tsx) to the client component, since only the server reads raw DB data. +- Collaboration tables: `project_collaborators` (roles), `collaboration_sessions` (presence), `audit_trail` (history) — all with RLS scoped by project ownership or collaborator membership +- RLS pattern for shared resources: check `projects.user_id = auth.uid()` OR `project_collaborators.user_id = auth.uid()` to cover both owners and collaborators --- 
@@ -198,3 +200,17 @@ - Pre-existing lint issues in `ConditionEditor.tsx` and `OptionConditionEditor.tsx` (React Compiler `preserve-manual-memoization` errors) are from prior stories and not related to this change. - No browser testing tools are available; manual verification is needed. --- + +## 2026-01-23 - US-043 +- What was implemented: Database migration adding project_collaborators, collaboration_sessions, and audit_trail tables with RLS policies and indexes +- Files changed: + - `supabase/migrations/20260123100000_add_collaboration_and_audit_trail.sql` - New migration with three tables, RLS policies, indexes, and updated projects RLS for collaborator access +- **Learnings for future iterations:** + - `project_collaborators` has a UNIQUE constraint on (project_id, user_id) to prevent duplicate invitations + - RLS policies for collaboration tables use subqueries to check either project ownership (via `projects.user_id`) or collaboration membership (via `project_collaborators.user_id`) + - The audit_trail insert policy requires both `auth.uid() = user_id` AND project access (owner or editor role) to prevent unauthorized audit writes + - New RLS policies were added to the existing `projects` table to allow collaborators to SELECT and UPDATE (editors/owners only) shared projects + - The audit_trail index uses `created_at DESC` for efficient reverse-chronological pagination in the history sidebar + - `collaboration_sessions.cursor_position` is JSONB to store flexible coordinate data (x, y, and potentially viewport info) + - `collaboration_sessions.selected_node_id` is nullable text since a user may not have any node selected +---
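Review bot: In the prd.json hunk, `"passes": false` becomes `"passes": true` while `"notes": ""` stays empty, and the only acceptance criterion visible in the hunk is "Typecheck passes", which does not exercise row-level security. The progress.txt entry in the same patch describes the work as a migration with RLS policies, and its context still says "manual verification is needed". Suggest recording in `notes` how the policies were checked (for example, queries run as the owner, as an editor, as a collaborator without the editor role, and as a non-member), or leaving `passes` false until that is done.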
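Review bot: In the first progress.txt hunk (`@@ -43,6 +43,8 @@`), the added "RLS pattern for shared resources" bullet states the check as owner OR collaborator, with no mention of role or of matching the collaborator row to the project, so anyone reusing it for a write policy would give every collaborator write access. The US-043 entry later in the patch says UPDATE is for editors/owners only. Suggest wording the pattern as two cases: read policies check ownership or a `project_collaborators` row for the same `project_id`, and write policies additionally check that collaborator's role.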
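Review bot: In the US-043 entry added by the second progress.txt hunk (`@@ -198,3 +200,17 @@`), the learnings describe policies on the collaboration tables that subquery `projects`, and new policies on `projects` that subquery `project_collaborators`. When both tables have RLS enabled, policies that reference each other this way can fail at query time with PostgreSQL's "infinite recursion detected in policy" error. Suggest adding a learning that says how the migration avoids this (for example, a SECURITY DEFINER helper function for the membership check), and one stating whether `audit_trail` has any UPDATE or DELETE policy, since only the insert policy is documented here.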