Adds POST /api/admin/cafes/{cafeId}/grant-subscription (admin-auth): sets the
café's plan and adds N months of coverage, appended to any time it already has so
a grant never shortens existing paid time. Records the gift as a SubscriptionPayment
(provider Manual, amount 0, Completed) for billing history/audit. New
PaymentProvider.Manual = 4 (int append, no migration). Admin-web café cards get a
"grant free subscription" panel (plan select + months + apply), showing the current
expiry; fa/en/ar strings.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adds a signed broker integration for online plan purchases:
- FlatPayService: POST /v1/pay/request with X-Api-Key + X-Signature =
hex(HMAC-SHA256(secret, raw JSON bytes)); the exact serialized bytes are both
signed and sent. VerifyWebhook does a fixed-time compare of the digest, plus an
in-memory first-seen idempotency set.
- POST /api/payment/request (auth, ManageBilling): parses a "Tier:Months" product
(e.g. "Pro:12"), prices it via the plan catalog, creates a Pending SubscriptionPayment
(provider=FlatPay) as the order, and returns the broker payment URL. The order id is
the client_ref / metadata.payment_id.
- POST /api/payment/webhook (anonymous; HMAC is the auth — 401 on bad signature):
on status=Paid + first-seen id, grants the order via the shared plan-activation
path (extracted ActivatePaymentAsync, reused by all providers). Always 200 after a
valid signature so the broker won't retry an accepted job.
- Config FlatPay__{ApiKey,Secret,BaseUrl,ReturnUrl} (env-supplied; secrets stay out
of git), compose + .env.example wiring. PaymentProvider.FlatPay appended (int, no
migration).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The card-terminal integration only ever worked when the API could reach the
terminal's IP directly — impossible for the cloud deployment, where the terminal
sits on the café LAN (the same wall the Print Agent already climbs for printers).
And the terminal IP had to be typed by hand. Both fixed by reusing the agent.
Cloud→LAN relay:
- PrintAgentRegistry.SendPaymentAsync sends a PaymentRequest to the café's online
agent and awaits its ack (PaymentResult on the hub); 95s window for the customer.
- PosDeviceService now prefers an online agent (branch-matched, else any café
agent) to relay POST /pay over the LAN, and falls back to the direct HTTP call
only when no agent is connected (on-prem). Agent errors map back to POS_DEVICE_*.
- Agent (Program.cs + PosTerminal.cs) handles PaymentRequest → POSTs the amount to
the terminal's local http://ip:port/pay and reports approval/decline/timeout.
Auto-detect:
- Registry.ScanAsync + hub ReportScan; POST /print-agents/scan asks online agents
to scan their /24 for given ports and merges the hosts found.
- Agent NetworkScanner scans the LAN (:9100 printers, :8088 terminals) with a
short per-host TCP probe.
- Dashboard: a "تشخیص خودکار" (auto-detect) button on the POS-device, receipt and
kitchen IP fields scans via the agent and fills the IP:port from a found host.
Backend + agent build clean; dashboard tsc clean. NOTE: the agent app is not in
CI — it must be rebuilt and redeployed on the café PC to gain these handlers.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Two go-live money-correctness bugs in the POS pay flow (deferred TODO #1/#2):
#2 — pay against the server's amount, not a client recompute. The pay sheet
took `orderAmountDue(payTarget) || total`, so any time the server figure was
absent/zero it silently fell back to the POS's own 9% tax recompute. The backend
records whatever amount the client posts (it only uses its own order.Total to
decide closure), so a client/server mismatch books the wrong cash-drawer amount.
Now a real (server) order always charges orderAmountDue(serverOrder); only a
genuinely-local offline order — which has no server figure — uses the client
total.
#1 — don't record a card payment that wasn't confirmed. A connected terminal
that declines already throws POS_DEVICE_* and records nothing. But when no
terminal is wired up the request is "skipped" and the card was booked as paid
with zero proof it cleared. Now, when the card leg isn't machine-confirmed, the
cashier must confirm "card approved on the terminal?" before it's recorded;
cancel records nothing.
Also raise the shared AlertDialog to z-[80] so a confirmation renders above the
POS pay sheet (z-[60]) and its busy overlay (z-[70]); still below toasts.
tsc clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 4 (final). Settings → Printers now has a "Print servers" section: add a
print server (issues a one-time pairing code with steps), see each agent's online
status, its auto-discovered printers, test any of them, and revoke. Receipt,
kitchen and per-station printers can now be picked from a dropdown of discovered
devices instead of typing an IP (manual IP stays as fallback). Wires the device
mappings through the branch print-settings + kitchen-station DTOs/services and adds
the device-test endpoint. fa/en/ar strings added.
Completes the cloud↔LAN print-agent feature (entities/hub → routing → agent → UI).
Remaining polish: agent system-tray + run-at-login + installer, optional LAN scan.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
A standalone net10.0-windows console app (agent/Meezi.PrintAgent) installed on the
café cash PC. It pairs with a one-time code (POST /print-agent/claim), stores the
token in %APPDATA%, holds a SignalR connection to /hubs/print-agent (retries
forever, re-reports on reconnect), discovers installed printers via WMI (USB +
network, classified), and prints jobs it receives by writing raw ESC/POS bytes —
winspool RAW passthrough for installed printers, raw TCP for ip:port devices —
acking each job back. Not in the API solution or CI (own net10.0-windows build);
see agent/README.md for build/publish/pair. Builds clean; startup + pairing flow
smoke-tested.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Phase 2. NetworkPrinterService now builds the ESC/POS bytes (as before) and
dispatches them via a new router: if the receipt/kitchen/station printer is mapped
to a PrintDevice whose agent is online, the bytes are sent to that agent over the
hub and we await its ack; otherwise it falls back to a direct TCP connection (raw
IP), so existing on-prem/reachable printers keep working unchanged. Adds nullable
mapping columns Branch.ReceiptPrintDeviceId / KitchenPrintDeviceId and
KitchenStation.PrintDeviceId (additive migration), plus TestPrintDeviceAsync for
testing an agent printer. The cloud can now reach LAN/USB printers it never could.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
First phase of auto-discovered printing for cloud-hosted cafés whose printers are
on the local network (the cloud can't reach a LAN/USB printer directly). Adds:
- PrintAgent + PrintDevice entities (+ additive migration) — a per-café local
bridge and the printers it reports.
- PrintAgentHub (/hubs/print-agent): agents connect outbound, authenticated by a
token in access_token (not the user JWT); ReportPrinters upserts devices,
PrintJob is pushed to the agent, JobResult/Heartbeat come back.
- PrintAgentRegistry (singleton): tracks connected agents and dispatches a job to
one, awaiting its ack with a timeout.
- Pairing: POST /cafes/{id}/print-agents/pairing-code (ManagePrintSettings) issues
a short one-time code; anonymous POST /print-agent/claim redeems it for a
long-lived token (only its SHA-256 hash is stored). List + revoke endpoints,
online status from the registry.
Inert until Phase 2 routes jobs through it and the agent app (Phase 3) connects.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
On the POS, once a line is fired to the kitchen its sent quantity is the locked
portion: a user without the VoidOrder permission (the default cashier) can no
longer remove that line or decrease it below what was sent — otherwise they could
send food and then erase it from the order (charge less / pocket cash). The unsent
portion of a line stays freely editable, and adding more is always allowed. The
delete button is replaced by a lock icon on sent lines, and the minus button is
disabled at the sent floor. Gated by VoidOrder, so owners/managers with the
permission are unaffected. Mirrors the server-side order-cancel lock.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The SignalR connection used the default auto-reconnect, which gives up after
~30s and, even when it did reconnect, never re-ran JoinCafe — so the client
dropped out of the café group and silently stopped receiving notifications until
a manual refresh. Now it retries forever (capped backoff), re-joins the group on
reconnect (and catches up via invalidate), and re-establishes the connection when
the network returns or the tab is refocused. As a safety net, the unread/bell and
tab-badge polls now run in background tabs too (refetchIntervalInBackground).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Two bugs made "N در صف" persist even when online:
- The badge counted poisoned ops (failed after 5 retries, never removed), so it
never returned to 0. Now the badge counts only retryable (active) ops; poisoned
ops are tracked separately as failedCount and surfaced as a red "N failed —
clear" chip the user can tap to discard them.
- The manual-retry click drained the LEGACY order_queue, not the real outbox the
app actually uses — so clicking did nothing for stuck items. It now drains the
outbox (drainOutbox), invalidates queries on success, and recounts.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Anti-fraud / integrity: a cashier could fire an order to the kitchen, take cash
without recording a payment, then cancel (soft-delete) the unpaid order to erase
it. CancelOrderAsync now only allows cancelling a still-Pending order; once the
kitchen has acted on it (Confirmed/Preparing/Ready) it returns ORDER_IN_PREPARATION
and a started order can no longer be removed — it must be completed (and refunded
through the audited refund flow if needed). Delivered → ORDER_NOT_OPEN; paid →
ORDER_HAS_PAYMENTS (unchanged). Orders are never hard-deleted and every cancel is
already audited with the actor. Applies to all roles, independent of permissions.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Previously desktop popups had to be enabled from Settings. Now a dismissible
prompt card appears for signed-in users on a supporting browser that haven't
decided yet ("Turn on notifications?" + Enable/Later). Tapping Enable triggers
the browser permission request (user gesture, as browsers require), turns on
desktop popups, and immediately fires one (force) so the user sees it works.
Shown once per device (remembered in localStorage); mounted on both the
dashboard and POS/queue layouts. fa/en/ar added.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Each menu item can now pick its own print station, overriding the category's —
so a category can fan out to different printers (e.g. a drink → cold bar, a
food → kitchen). Adds MenuItem.KitchenStationId (+ migration, FK SetNull), wires
create/update/DTO, and updates kitchen-ticket routing to group by the item's
station ?? the category's station ?? the branch kitchen printer. Deleting a
station now also clears item assignments. Menu item editor gains a "Print
station" dropdown (default = "same as category"). fa/en/ar added.
Backend built clean via the Nexus mirror; migration applies on deploy (MigrateAsync).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Custom roles is staff governance, so it belongs with the team — added a "Roles &
permissions" tab to the HR screen (owner-only) rendering the existing
CustomRolesPanel, and removed the Settings → Team → Custom Roles leaf/group.
fa/en/ar label added.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The call-waiter flow was fully wired (guest QR button → public endpoint →
NotifyCallWaiterAsync persists + broadcasts NotificationReceived), but the alert
hook (useOrderAlerts: sound + toast + desktop popup) and the bell live only in
the (dashboard) layout. During service staff are on the POS (fullscreen) layout,
which mounted neither — so a waiter call produced nothing where staff actually
stand. Mount useOrderAlerts in the (fullscreen) layout so POS / queue-display
get the chime + toast for waiter calls and new guest orders. (KDS is a dashboard
route, already covered.)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
contact / careers / status / privacy / terms / docs set no alternates, so they
inherited the layout's canonical (= the locale homepage) — Google treats them as
duplicates of the home page and drops them. Each now sets a self-referencing
canonical + full fa/en/x-default hreflang (new shared lib/seo.ts pageAlternates)
and a unique meta description (added *Desc keys, fa/en) + per-page OpenGraph.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Production serves robots.txt Host/Sitemap, sitemap <loc>, and every page's
canonical + og:url as http://localhost:3010 — so Google rejects all URLs
("URL not allowed") and indexes nothing. Cause: NEXT_PUBLIC_SITE_URL is baked in
at BUILD time and was unset in prod, so it fell back to the localhost defaults in
the compose files + website Dockerfile.
Changes the defaults to the real domains (website → https://meezi.ir, koja →
https://koja.meezi.ir) in docker-compose.yml, docker-compose.full.yml, the
website Dockerfile ARG, and .env.example.
Build-time var → the website image MUST be rebuilt + redeployed (CI does this on
push), then purge the WCDN cache and resubmit the sitemap in Search Console.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Global MutationCache.onError safety net so mutations without their own onError
no longer fail silently (skips ones that handle errors → no double toast).
- Notifications feed no longer opens its own SignalR connection; it reuses the
one in useOrderAlerts (was double sockets + double cache churn per session).
- "Send test notification" now works on the settings page (force flag bypasses
the tab-visible guard) instead of silently doing nothing.
- POS: re-entry guard on payment confirm (no duplicate payment on double-tap);
notes on already-sent lines are read-only (a note-only edit was silently lost);
ORDER_ALREADY_CLOSED surfaced with a clear Persian message.
- Reservation Confirm/Cancel/Complete buttons disabled while pending.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Payments: reject RecordPaymentsAsync when the order is already Delivered/
Cancelled (ORDER_ALREADY_CLOSED) — prevents duplicate payments, double loyalty
earn, and overstated cash drawer from a double-tap or paying a reopened order.
- Push broadcast: POST /api/push/broadcast was [Authorize]-only (any user → any
topic, platform-wide). Now requires SendSms + café context and is forced to the
caller's own topic (cafe-{slug}); arbitrary/cross-café topics rejected.
- HR reads: GetEmployees/GetAttendance/GetShifts now require ViewStaff/
ViewAttendance/ViewSchedules (were café-access-only, leaking roster PII the UI
already hid). Expenses list now requires ViewExpenses.
- Receipt: removed the auto-print on full payment so the POS success sheet is the
single print path (no more double receipt).
Local build blocked by NU1301 (NuGet network unreachable); CI builds via mirror.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adds a "سفارشها" (Orders) nav page listing closed orders by day (date +
branch filter, paged), each with reprint actions:
- چاپ فاکتور → customer receipt
- فیش آشپزخانه → kitchen ticket (all stations)
- one button per print station (e.g. Bar) → reprints only that station's items
Backend: the kitchen print endpoint gains an optional ?stationId= to reprint a
single station; PrintKitchenTicketAsync filters its station groups accordingly
(NO_STATION_ITEMS when that station has nothing on the order). Nav gated by
ViewOrders (visible to branch staff too). fa/en/ar strings added.
Note: local backend build couldn't run (NU1301 — NuGet restore network timeout);
dashboard typecheck is clean and the C# changes are minimal — CI builds via the
Nexus mirror.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The payment-success sheet with the "چاپ فاکتور" button lives in the order-view
return, but confirmPay called backToBoard() which switched to the board view —
so the sheet never rendered and the cashier couldn't print after paying.
Now payment clears the cart + closes the pay sheet but STAYS on the order view,
so the success sheet shows; returning to the board happens when the cashier taps
"سفارش جدید" or the backdrop. Offline/local orders still go straight to the board.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The note control was an unlabeled icon next to the trash on each cart line, so
cashiers couldn't tell where to add a note. Replaced it with a clear
"افزودن یادداشت" (add note) text button under each item; clicking it reveals the
note input, which collapses again on blur when left empty. Existing notes still
show the editable field.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
POS v2 has been the default at /pos for a while; this deletes the old classic
POS entirely:
- removed the /pos-classic route and all classic-only components
(pos-screen, pos-pay-panel, pos-table-board, pos-queue-bar, pos-receipt-modal,
pos-slip-modal, pos-receipt-print.css)
- relocated the two modules POS v2 still shared into the pos2 tree
(lib/pos/submit-order → lib/pos2, components/pos/pos-customer-picker → pos2),
so the components/pos and lib/pos folders are gone
- dropped the now-dead "نسخه کلاسیک" (classic version) button + RotateCcw import
from the POS v2 header, and updated stale comments
POS v2 (/pos) is unchanged and fully self-contained. Typecheck clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Bug: confirming payment ran backToBoard() → clearSession(), wiping the cart's
activeOrderId, so the order vanished from the POS and the "print receipt" button
(which keys off activeOrderId) went dead — the only escape was a 4s toast.
Fix: capture the just-paid order id in local state (survives the session clear)
and show a persistent payment-success sheet with a "چاپ فاکتور" button so the
cashier can print/reprint the customer receipt, then "سفارش جدید" to continue.
Shared printReceiptById() backs both the in-order button and the success sheet.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
POS v2 auto-printed the receipt on full payment but had no manual button. Adds a
"چاپ فاکتور" (print receipt) action in the order panel that prints/reprints the
active saved order's customer receipt, plus a "print receipt" action on the
payment-success toast. Replaces the dead disabled "hold" placeholder button.
Backend print endpoint unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The cart store, order payload (create + add-items + offline), KDS ticket and
receipt already supported per-item notes — but POS v2 had no way to enter one.
Adds a note button on each cart line that toggles an inline input (e.g. "no
sugar"); the note shows highlighted when set and rides along to the kitchen/bar
ticket. No backend change.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Logs showed the raw User ID (ActorName was almost never stored) and an English
role enum. Now:
- AuditController resolves each entry's actor to the employee's CURRENT full name
and localized role at read time (joins Employees with IgnoreQueryFilters, so it
also names soft-deleted staff and fixes all historical rows — no migration).
- The audit table renders "Full name (Role)" with the role localized (fa/en/ar);
the name is a button that opens an employee-details dialog.
- New EmployeeDetailsDialog: fetches the employee and shows name, role, phone,
base salary, and an "Open in HR" link; handles removed staff gracefully.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Mirrors the login guard: visiting /register while authenticated redirects to the
dashboard home (/) instead of showing the form. Gated on _hasHydrated; shows a
brief redirecting state. Reuses the existing auth.redirecting string.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Visiting /login while authenticated now redirects to the app (/pos) instead of
showing the login form again. Guarded on _hasHydrated so the not-yet-rehydrated
(null) session isn't misread, and renders a brief "redirecting" state instead of
flashing the form. fa/en/ar strings added.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Complements the separate kitchen/bar printers with an on-screen split. The live
order DTO now carries each item's prep station (MenuItem → Category →
KitchenStation), and the KDS shows station tabs (All / Kitchen / Bar / …) that
appear only once ≥2 stations are in play. Selecting a station shows just the
tickets — and just the items within each ticket — for that station, so bar staff
see drinks and kitchen staff see food. Single-station cafés see the board
unchanged. fa/en/ar strings added.
Note: order status is still per-order (one advance button); the split is for
viewing/printing, not per-item status.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Documents the new separate kitchen/bar print stations plus the customer
receipt (factor): how to set printer IPs, create Kitchen/Bar stations, route
menu categories to a station, and what auto-prints at send-to-kitchen vs
payment. fa/en; auto-listed on /docs and in the sitemap.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The print engine already routed items to per-station printers (MenuCategory →
KitchenStation.PrinterIp, falling back to the branch kitchen printer) and prints
the customer receipt to the receipt printer — but there was no UI to set it up.
This exposes it:
- Settings → "Kitchen & bar printers": create/edit/delete print stations, each
with its own printer IP/port, with a per-station test print (gated by
ManageKitchenStations).
- Menu category editor: a "Print station" dropdown to route each category to a
station (food → Kitchen, drinks → Bar); no station = branch kitchen printer.
Result: kitchen and bar tickets print on separate printers, while the customer
factor/receipt keeps printing on the receipt printer. fa/en/ar strings added.
No backend/migration changes — purely wiring the existing capability.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The recent dashboard features shipped without knowledge-base coverage. Adds two
fa/en guides at meezi.ir/docs:
- "Notifications & sound" — bell/unread count, configurable sound (chime + volume
+ preview), desktop/Windows popups, browser-tab counter, and click-to-navigate
to the related page.
- "Roles & permissions" — base roles, defining custom roles via the permission
matrix (CRUD + sensitive actions), assigning them, and how page/action access
is enforced.
Also fixes a standing SEO gap: the sitemap listed only /docs, never the
per-feature /docs/{slug} pages — now all guide pages (fa+en) are included so the
whole knowledge base is crawlable.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Every notification surface now deep-links to where the staff member needs to act:
- bell dropdown: clicking an actionable notification navigates and closes the
dropdown (platform broadcasts still expand inline to show their text)
- notifications page: rows navigate to the right page
- in-app toast: gains a "View" action button
- desktop/Windows popup: clicking it focuses the tab and navigates
Routing is now permission-aware via a single resolver (notification-routes.ts):
a new-order alert sends a kitchen user to /kds, a cashier to /pos, and a floor
user to /tables — never to a page their role can't open; a waiter call → /tables.
This also fixes the old bug where table_call_waiter (which carries a referenceId)
wrongly routed to /kds. Toast/desktop clicks navigate client-side through a small
event bridge mounted in the dashboard shell.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Nav already hides pages a role can't view (NAV_REQUIRED_PERMISSION). This wraps
the sensitive/CRUD action controls in <Can permission> so users only see what
they can do (server still enforces):
- POS/orders: void → VoidOrder, cancel → VoidOrder, transfer → EditOrder,
pay/split → HandlePayments
- menu/inventory/coupons/customers/reservations/expenses/taxes/branches:
add/edit/delete buttons → the matching Create/Edit/Delete permission
- reports CSV export → ExportReports; SMS send → SendSms, settings → ManageSmsSettings
- home dashboard: revenue/orders KPI queries gated on ViewReports so non-report
roles don't 403 on the landing page
(Refund/discount/comp/cash-drawer have no UI control yet — no buttons to gate.)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Mirrors the expanded backend catalog on the client: the Permission type and the
custom-role permission matrix now expose all ~80 capabilities grouped into 16
sections (admin, branches, menu, inventory, taxes, staff, tables, orders,
register, queue/kitchen, delivery, customers, coupons, marketing, reports,
expenses), each with fa/en/ar labels. Nav visibility now maps each page to its
View permission; taxes & branches become permission-driven (managers can view),
leaving billing as the sole hard owner-only nav gate.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Closes the gap where the custom-role matrix was defined but unenforced — most
write endpoints only checked café membership, so the API would accept writes a
role's UI hid. Adds EnsurePermission(...) to all mutating/sensitive endpoints
across 32 controllers, mapped to the granular catalog:
- menu/inventory/coupons/customers/expenses/reservations/taxes/branches → CRUD perms
- tables/queue/kitchen-stations/print-settings → manage perms
- orders → ProcessOrders / EditOrder / VoidOrder / UpdateOrderStatus / HandlePayments,
payment corrections → ManageFinancials
- HR → CreateStaff / ManageSchedules / ReviewLeave / View+ManageSalaries /
ManageStaffCredentials (self-service clock-in/leave preserved)
- reports → ViewReports, export → ExportReports, audit → ViewAuditLog
- billing → ManageBilling, sms → SendSms/ManageSmsSettings, reviews → ManageReviews,
discover/public profile → ManageDiscoverProfile, café settings → ManageCafeSettings,
custom roles → ManageRoles
Removes legacy [Authorize(Roles=...)] attributes that would have overridden the
permission model (orders, branch-menu, pos-device, print). Manual discount/comp
have no backend endpoint yet (discounts come from coupons) — gated on the POS UI.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Expands the authorization catalog from 21 coarse page-level permissions to a
granular set: View/Create/Edit/Delete per record module, plus distinct
permissions for sensitive actions (VoidOrder, RefundOrder, ApplyDiscount,
CompOrder, OpenCashDrawer, ExportReports) and the previously-uncovered pages
(customers/CRM, SMS, reviews, financials, audit log, attendance, schedules).
RolePermissions now derives Manager as "everything except owner-only governance"
and gives Cashier/Waiter/Chef/Delivery sensible day-to-day defaults; owners
refine further via custom roles. Effective permissions already flow to the
client through AuthService, so no token-shape change is needed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
New Settings → "Notifications & sound" leaf to make the alert channels
changeable: toggle sound (+ picker with live preview + volume slider),
enable desktop notifications (permission flow + test button), toggle the
tab unread badge and in-app toasts. Strings added for fa/en/ar.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Per-device notification preferences (localStorage) drive three new alert
channels in the dashboard shell, all fed by the existing SignalR
NotificationReceived events:
- Sound: 6 selectable procedural Web Audio chimes + volume, no asset files.
- Desktop/Windows popups via the Notification API, fired only when the tab
is backgrounded (in-app toast covers the focused case).
- Unread count on the browser tab: (N) title prefix + numbered favicon badge.
useOrderAlerts is now the single orchestrator (sound + toast + desktop),
each gated by prefs; topbar feed enableToasts disabled to avoid double toasts.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Owner can define named custom roles (e.g. Barista, Supervisor) with
color, description, and a fine-grained permission set (21 permissions
across 7 categories: admin, menu, staff, customer, reports, ops, kitchen)
- Employee assigned a custom role gets its permissions embedded in the
JWT at login (customPerms claim) and parsed by TenantMiddleware —
overrides the static EmployeeRole matrix for all API permission checks
- New endpoints: GET/POST/PATCH/DELETE /api/cafes/{id}/custom-roles and
PUT /api/cafes/{id}/employees/{id}/custom-role for assignment
- Dashboard Settings → Team & Staff → Custom Roles panel with grouped
checkbox matrix, group-level toggles, color preset picker, CRUD forms,
and employee-count display; translations in fa/en/ar
- EF migration adds CustomRoles table + nullable CustomRoleId FK on Employees
- POS slip now shows per-item notes on both thermal print and bill preview
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
DemoSeedService / DemoMenuSeeder:
Add IgnoreQueryFilters() to every seeder lookup (Taxes, MenuCategories,
MenuItems). Soft-deleted rows still hold their PKs; without this a second
seed run after user-deletion throws a PK collision on the Tax or category
that was soft-deleted but is still in the index.
sitemap.ts:
Guard new Date(post.date) against empty / missing frontmatter date fields.
new Date("") = Invalid Date → broken <lastmod> in sitemap XML.
Fall back to the build-time date when the post date is absent or invalid.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The admin send-otp used the SAME Redis key ("otp:admin:{phone}") for both the
OTP value and the per-hour attempts counter. After storing the code and SMSing
it, the rate-limit StringIncrementAsync ran on that same key, turning the stored
value into code+1 (e.g. SMS said 337835, Redis held 337836). verify-otp then
compared the entered code to the incremented value, never matched, and returned
INVALID_OTP → 400. Admin OTP login could never succeed.
Give the attempts counter its own key ("otp:admin:attempts:{phone}"), exactly
like the main API (otp:{phone} vs otp:attempts:{phone}). Password login was
unaffected.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The admin login OTP tab hard-coded phone "09120000001" as the initial value.
In production that placeholder belongs to no SystemAdmin, so hitting "send code"
returns NOT_FOUND → 404 (which WCDN then repaints as an HTML error page) — it
looked like the login endpoint was broken. Keep the convenience prefill in
development only; ship an empty field in production so the admin types their
real number (e.g. the registered admin phone).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Prod diag showed every /api/admin/* call returning 401 with
"IDX10223: token expired, ValidTo 06/09" — the admin access token was 6 days
dead and nothing renewed it, so cafes/tickets/integrations/settings all loaded
empty. The admin web (unlike the café dashboard) had NO refresh logic at all:
it only ever sent the access token, and its 401 handler early-returned on any
error code before the login redirect, so the admin wasn't even bounced to login
— pages just showed no data.
Client (admin-client.ts): add a silent refresh-on-401 mirroring the dashboard —
one shared in-flight POST /api/admin/auth/refresh for a burst of 401s, replay
the original request on success, force-logout only on a definitive 4xx, and
ride out a transient failure (API restarting during deploy) without logging out.
Backend (AdminAuthService): make refresh non-rotating + sliding (reuse the
presented refresh token and re-store it) instead of revoke-and-mint, so the
dashboard's many concurrent refreshes don't race the rotated token — same fix
already applied to the main API.
Also bump admin tokens 7d/30d → 30d/365d to match the main API, so the session
is long-lived even before the first refresh round-trip.
tsc clean; Admin.API builds clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diagnostic on prod confirmed the backend keeps sessions valid across deploys
(stable 64-char JWT key, 30-day access tokens, 62 refresh tokens persisting in
Redis with appendonly; redis/db never restart on deploy). The forced logout was
client-side:
1. The axios refresh path treated ANY refresh failure as "session gone" and
nuked the tokens. During the ~30s API restart window of a deploy, the refresh
POST gets a 502/timeout (transient) → user kicked to /login. Now refresh
distinguishes a definitive 4xx (truly invalid/expired refresh → log out) from
a transient network/5xx failure (reject + keep the session; retry later).
Refresh tokens are opaque Redis GUIDs, so they survive even a key rotation —
the only thing that was breaking sessions was this over-eager logout.
2. PWA service worker served a stale app shell after an update, pointing at JS
chunks the new build replaced. Added skipWaiting + clientsClaim +
cleanupOutdatedCaches and a NetworkFirst handler for navigations so the HTML
and its chunk refs always match the live deploy; hashed static stays
CacheFirst.
Net: a normal update no longer logs anyone out. tsc clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replaced the placeholder Flutter launcher icons in all 5 mipmap densities
(48/72/96/144/192) with the real Meezi mark, ready for the Android APK build.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- web/website: manifest referenced /icon-192.png and /icon-512.png that
didn't exist (broken favicon). Added the real transparent Meezi mark
(32/180/192/512) + wired icons into metadata. OG image stays dynamic.
- web/admin: had no metadata or icons at all. Added title template,
favicon/apple icons (icons/ dir), themeColor, noindex.
Dashboard + Koja already carry the real logo; web apps are now consistent.
Mobile launcher icons will be handled with the Android packaging task.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Icons/favicon were a plain solid-green square (a 547B placeholder). Replaced
with the actual Meezi mark (green rounded square + menu lines) on transparent
corners, generated at 32/48/180/192/512 + a full-bleed green maskable-512.
Wired 32/48 favicon + 180 apple-touch-icon into the panel and /q metadata.
Copied the same icons to Koja for consistent branding.
- Guest QR menu showed blank muted boxes for items without a photo. Added a
minimal themed café-cup placeholder (MenuImageFallback) across all four
layouts so the menu looks intentional. (Admin/POS already had placeholders.)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The app had no metadata anywhere — pages showed no <title> and no favicon
or app icon. Added:
- Root metadata in [locale]/layout: title default + "%s — میزی" template,
description, icons (favicon + apple-touch-icon → /icons), manifest link,
appleWebApp, themeColor viewport, noindex (private panel).
- Per-page title on all 22 dashboard route pages (داشبورد, منو, گزارشها, …).
- Guest menu (/q) layout: own title + icon + manifest.
PWA + favicon now use the Meezi icon everywhere. Verified via SSR: titles
render (e.g. "منو — میزی") and icon/manifest/apple-touch-icon links present.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Price fields showed raw digits (1490000) while typing — hard to read for
Toman amounts. New shared MoneyInput groups as you type (1,490,000),
accepts Persian/Arabic digits, and reports a raw digit string so callers
keep parsing unchanged. Applied to menu item price, branch price override,
expense amount, and payment-correction replacement amount. Displays already
group via formatCurrency (incl. the QR guest-menu preview).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Platform admins can generate a permanent recovery key per café (admin
panel → Cafés). The café Owner uses it to sign in when OTP access is lost;
once authenticated, all server-side data syncs as normal (data is per-café
on the server, the device only caches it).
Backend:
- Cafe.RecoveryKeyHash (SHA-256, unique index) + RecoveryKeyCreatedAt; migration
- RecoveryKeyGenerator util: MZ-XXXXX-XXXXX-XXXXX-XXXXX, ~190-bit entropy,
stored as SHA-256 (API-token pattern — raw key shown once, never retrievable)
- Admin: POST/DELETE /api/admin/cafes/{id}/recovery-key (key returned once);
café list now reports HasRecoveryKey + RecoveryKeyCreatedAt
- Login: POST /api/auth/login-key → exact-hash lookup → resolves café Owner →
issues normal JWT; rate-limited (auth-otp), suspended/no-owner guarded, logged
Admin UI: per-café generate / regenerate / revoke with one-time reveal + copy.
Dashboard login: discreet "ورود با کلید بازیابی" link → key field. fa/en/ar.
86 tests pass; all tsc clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1. The /q/{code} guest menu returned HTTP 500 on every load. Root cause:
menu-item-model-viewer.tsx did a top-level `import "@google/model-viewer"`,
a browser-only lib that touches `self` at module evaluation. Next pulled
it into the server module graph (page → qr-guest-menu → qr-menu-3d-sheet →
model-viewer) and SSR crashed with "self is not defined". Now the library
is imported lazily inside useEffect (client-only); a poster placeholder
shows until the custom element registers. Verified /q/* now returns 200.
2. Removed the "discover" (browse other cafés) item from the café owner
sidebar — café discovery belongs in Koja, not the owner panel. The owner
still manages their OWN Koja listing from Settings.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Production-readiness audit fixes — every mock fallback is now gated on
IsDevelopment; in production these paths fail loudly instead:
- ZarinPal/Tara/SnappPay init: missing credentials returned a MOCK
payment URL whose callback verified as paid — a café could activate a
paid plan without paying. Now: "Payment gateway is not configured."
- Tara/SnappPay verify: a forged MOCK-* trace/token on the callback was
accepted as a verified payment in any environment. Now rejected
outside Development.
- Taraz (سامانه مودیان): returned a fake MOCK-TARAZ tracking code as if
invoices reached the tax authority. Now returns an honest error (the
real integration is not built yet).
- Admin integrations: NextPay/Vandar removed — they were listed but have
no gateway implementation (selecting them silently used ZarinPal).
- docker-compose: ASPNETCORE_ENVIRONMENT default flipped Development →
Production so a missing env var can never run prod in dev mode.
86 tests pass.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The platform no longer sells SMS. Each café saves its OWN Kavenegar API
key + sender line (new Cafes columns + migration) and campaigns are sent
and billed through that account.
Backend:
- GET/PUT /sms/settings (Manager/Owner; key echoed masked, verified
against the provider before saving)
- campaign + balance use the café's credentials; SMS_NOT_CONFIGURED
error when missing; plan-tier SMS gating removed everywhere
(PlanLimitChecker, SmsMarketingService, billing status)
- platform Kavenegar config stays ONLY for login OTPs (env/DB)
- design-time DbContext factory so `dotnet ef migrations add` works
without booting the host
Dashboard:
- SMS screen: provider-settings card, not-configured callout, campaign
form disabled until configured; quota bar removed (usage stays as info)
- subscription screen + plan comparison no longer show SMS limits
Admin panel:
- Kavenegar/SMS section removed from integrations (request field now
optional; stored OTP config untouched)
- SMS limit field removed from the plan editor
- nav label "درگاه و پیامک" → "درگاه پرداخت و AI"
fa/en/ar translations. 86 tests pass; all tsc clean.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The merchant plan page hard-coded 4 tiers, prices and a feature matrix
that drifted from the admin-editable platform catalog (Starter tier
missing, stale prices/features). PlanComparison and CheckoutScreen now
consume /platform/plans + new /platform/features-catalog:
- columns = active plans by SortOrder (incl. Starter), names from
DisplayNameFa/En, prices from MonthlyPriceToman
- limit rows from PlanLimitsData (int.MaxValue → "نامحدود")
- feature rows from the feature catalog, ticked via FeatureKeys
- checkout validates the ?plan= param against isBillableOnline and
prices from the catalog — no more client-side price constants
fa/en/ar limit-row labels added.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Local tsconfig.json has uncommitted target changes, so `[...voidIds]`
passed locally but failed CI's tsc (TS2802, target < es2015).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Backend:
- POST /orders/{id}/payments/corrections (Manager/Owner): void wrong
payments (marked Refunded, never deleted) and/or record replacements
atomically; mandatory reason; requires an open register shift; full
before/after written to the immutable audit trail.
- GET /orders/closed?date= — closed orders of one Iran-calendar day,
paged, the browsing surface for corrections.
- CalculateExpectedCash now subtracts cash refunds so corrections keep
the drawer expectation honest.
Dashboard (reports screen now has three tabs):
- عملکرد و سود: existing KPIs/charts + new day-by-day breakdown table
(orders, revenue, expenses, net profit per Jalali day).
- اصلاح سند: closed-orders browser with payment chips + correction
dialog (void checkboxes, replacement rows, live balance, reason).
- گزارش عملیات: filterable audit-log viewer (category, Jalali range,
branch) with expandable structured details.
fa/en/ar translations included. 86 backend tests pass; dashboard tsc clean.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Full Persian calendar:
- New JalaliDateField — Shamsi popover picker (Saturday-first weeks,
Persian digits, امروز shortcut); wire format stays ISO Gregorian
YYYY-MM-DD. Falls back to the native input for the en locale.
- Replaces all 5 native type="date" inputs (Gregorian-only pickers):
reservations, expenses from/to, reports from/to.
- Reservations list date now renders Jalali instead of the raw ISO
string; branches purge timestamp now formats with fa-IR.
Responsive shell (mobile + tablet):
- New MobileNav: hamburger in the topbar (< md) opening an RTL-aware
slide-over drawer with all nav destinations, permission-filtered,
Escape/backdrop close and body scroll lock.
- Desktop sidebar hidden below md; header center cluster (clock/plan)
hidden below md; language switcher hidden below sm.
- Main content padding scales p-3 → p-4 → p-6.
- Verified at 375px and 768px: no horizontal overflow, drawer and
Jalali picker fully functional.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The sidebar had 22 items in 5 accordion groups, all defaulting closed:
first visit showed five vague headers and zero destinations, there was
no Dashboard/Home link at all, and rare pages (taxes, subscription) had
equal weight with POS. Restructured around usage frequency:
- Flat primary (always visible, no header): Dashboard, POS, Tables,
Kitchen, Queue, Reservations, Menu, Reports
- Two collapsible groups: Customers & marketing (crm, coupons, sms,
reviews, discover) and Café management (inventory, expenses, shifts,
taxes, hr, branches)
- Footer utility icons: settings, subscription, support
- Removed "notifications" from the nav (duplicate of the topbar bell)
Other fixes folded in:
- Deleted [locale]/page.tsx which redirected "/" to /pos — it made the
POS exit button a no-op loop and left OverviewScreen unreachable.
"/" now renders the overview home; login still lands on /pos.
- Branch gating moved from group-level to an item whitelist
(BRANCH_ALLOWED_NAV_KEYS) — also closes the hole where branch
accounts could deep-link to /reports etc. past the RouteGuard.
- RouteGuard now checks footer items too (subscription stays gated).
- revalidate=300 on the locale layout: Next emitted s-maxage=31536000
and the WCDN edge kept serving year-old HTML shells after deploys.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Run 77 diagnostics proved http://yr.i.lencr.org/ connects but never
responds from the runner (national filtering), so fetching ISRG Root YR
at build time can never work. Meanwhile the mirror's fullchain.pem now
serves the complete chain: leaf → YR2 → ISRG Root YR cross-signed by
ISRG Root X1, which IS in every stock trust store — verified with
strict curl (ssl_verify_result=0) and openssl verify.
Replace both Trust steps with a cheap s_client sanity check that fails
early with a pointer to the server-side fix if the cert regresses on
its ~90-day renewal.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Gitea act runner v0.6.1 ignores `shell: bash` step overrides and always
executes with `sh -e {0}`. The `set -euo pipefail` on line 2 caused sh to
exit immediately with "Illegal option -o pipefail" before any curl/openssl
ran. Replace with POSIX-compatible `set -eu` in both api-build and
admin-api-build trust steps so the diagnostic curl output is finally visible.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
set -euo pipefail is bash-only; Gitea act runner used sh by default so
the step crashed on line 1 before curl even ran. Adding shell: bash
lets the step actually execute and surface the real AIA/cert output.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previous attempt used curl -sf which silently swallows failures, so
we never knew if ISRG Root YR was actually fetched. This run:
• set -euo pipefail → step fails fast and loudly on any error
• curl -v → shows connection result / error in log
• openssl verify → confirms cert bundle is good before restore
• openssl s_client → shows full chain verify against live mirror
If the AIA URL (http://yr.i.lencr.org/) is unreachable from the
runner, the step will fail HERE rather than silently at dotnet restore.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The prior Trust step added only the YR2 intermediate to the OS trust
store. dotnet's X.509 chain builder requires a self-signed ROOT as the
trust anchor (it does not enable OpenSSL's X509_V_FLAG_PARTIAL_CHAIN),
so intermediate-only still caused PartialChain.
New approach (two jobs: api-build, admin-api-build):
1. curl http://yr.i.lencr.org/ (plain HTTP AIA) → ISRG Root YR DER
→ convert to PEM → add to /usr/local/share/ca-certificates/
2. cp YR2 intermediate (docker/nexus-mirror-ca.crt) → same dir
3. update-ca-certificates (OS method)
4. cat both certs >> /etc/ssl/certs/ca-certificates.crt
(belt-and-suspenders: directly appends to the OpenSSL bundle
dotnet reads on Linux, works even if step 3 is a no-op)
If the AIA fetch fails (network block) step 4 still appends the
intermediate, which may work if dotnet ever enables partial chains.
Fetch failure is non-fatal (echo warning + continue).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
POS runs in the (fullscreen) layout which strips the sidebar.
Adds a Home → داشبورد button at the top-left of the table board so
users can navigate back to the dashboard without being stuck.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Race fix: orderBranchId now returns `undefined` (not null) while the /branches
query is in flight. usePos2Menu treats undefined as "not yet determined" and
skips the fetch, preventing getBranchMenu(cafeId, null) → empty array.
Once branchesFetched=true, orderBranchId resolves to the correct branchId
(or null for café-wide fallback).
Layout: desktop order screen now shows a left vertical category sidebar
(116 px, md+) instead of horizontal chips, giving the classic POS sidebar
feel. Horizontal chips kept for mobile (<md). Menu grid columns adjusted.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The menu/tables are branch-scoped. v2 used the raw stored branchId, which is
null or stale for users who never opened the classic POS (it has no branch
picker), so getBranchMenu returned an empty menu. Now v2 fetches /branches,
auto-selects the first valid branch (self-healing the stored id), and loads the
branch menu + tables + order submission against that resolved branch — matching
the classic POS exactly. Also adds a visible "menu failed to load / retry"
state instead of a silent empty grid.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The (fullscreen) layout redirected to /login whenever user.accessToken was
falsy — but on a page refresh that fires before Zustand finishes rehydrating
the persisted auth from localStorage, so an authenticated user was bounced to
login on every refresh. Gate the redirect on _hasHydrated (and show a loader
while rehydrating), matching RouteGuard. Tokens themselves are already long
(30d access / 365d refresh), so sessions now survive refreshes as expected.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Card is now the pre-selected payment method (and split rows default to Card),
matching Iran's card-dominant payments. Card already sits first in the selector.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Reorder the payment method tabs to کارت / نقدی / تقسیم (Card first, most common
in Iran) while keeping Cash as the pre-selected default method.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Completes the four POS v2 roadmap items:
1. Real split payments — split tab records N separate payment rows (equal split,
last row takes the remainder), each row toggles Cash/Card; posts payments[].
2. Card-terminal push — confirmPay sums Card amounts and calls requestPosPayment
(POS device) before recording; surfaces POS_DEVICE_* errors.
3. Customer + coupons + loyalty — reuses PosCustomerPicker (attach/search/create)
and validates coupons via /coupons/validate (discount in totals). Pay sheet
offers loyalty redemption (1 point = 100 toman) when a customer is attached.
4. Promote to default — /pos now renders POS v2 (full-screen, café-themed); the
classic terminal moves to /pos-classic with its sidebar+topbar chrome. The
"نسخه کلاسیک" link points there.
Order submission already carried customerId/guestName/guestPhone/couponId via the
shared cart store, so customer + coupon flow straight through send + pay.
tsc --noEmit clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
POS v2 is now a real, working point of sale at /[locale]/pos2 (was a static
mock). It reuses the existing data layer so it shares the React Query cache and
offline pipeline with the classic POS:
- Table board ← fetchCafeTableBoard (Free/Busy/Reserved/Cleaning, live totals,
guest-QR badge); polls every 15s. Open a free table to start an order; open a
busy table to hydrate its existing order (GET order → cart hydrateFromOrder).
- Order screen ← real branch/café menu + categories, bound to useCartStore
(add/qty/remove). Send via submitOrderToApi (online + offline outbox) then
re-hydrate; "ارسال (n)" shows the pending (unsynced) line count.
- Pay sheet ← POST /orders/{id}/payments. Cash (numpad + change), Card, and a
Split helper (records the full amount; split is cashier guidance for now).
- Online/offline badge, loading/empty states, toasts, busy overlay, and a
"نسخه کلاسیک" link back to /pos.
The static design mock stays at /[locale]/pos2-preview (dev-only, 404 in prod).
tsc --noEmit clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The mirror's Let's Encrypt cert renewed under the new ISRG Root YR root,
which isn't in the dotnet SDK image's trust store. `dotnet restore` validates
TLS and fails (NU1301 / unable to get local issuer certificate), so both
backend CI jobs fail and the deploy is skipped. The npm jobs are unaffected
because they already pass --strict-ssl=false.
Pin the mirror's intermediate (CN=YR2, CA:TRUE, valid to Sept 2028) and add it
as a trust anchor before restore in:
- CI api-build + admin-api-build jobs (.gitea/workflows/ci-cd.yml)
- docker/api/Dockerfile + docker/admin-api/Dockerfile (deploy image builds)
Also set NUGET_CERT_REVOCATION_MODE=offline in the CI restore steps to avoid
CRL/OCSP fetches to lencr.org (filtered from Iran).
Permanent fix is server-side (re-chain to ISRG Root X1 or update trust stores);
this unblocks CI/deploys without depending on that.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Responsive RTL big-touch reimagining of the POS order screen for judging the
redesign on real devices before decomposing the 1568-line pos-screen.tsx + wiring
real logic. Self-contained: mock menu + local cart, no API/store/SignalR.
- 3 zones: category chips + item grid · order ticket · sticky action bar.
- lg+ side-panel ticket; smaller screens get a "view order" bar + slide-over
(covers landscape tablet, portrait tablet, phone).
- Big-touch (56px primary / 44px qty), brand green #0F6E56, Toman totals.
Send/Pay are mock toasts. tsc clean.
Google's Android maven2 artifacts (AGP, androidx, Kotlin) 404 from Iran like
pub.dev does. Route Gradle resolution through the reachable Aliyun mirrors:
- android/settings.gradle.kts (pluginManagement) + build.gradle.kts (allprojects)
now list maven.aliyun.com/repository/{gradle-plugin,google,central} before the
originals (kept as fallback).
- BUILD_IRAN.md documents the full setup incl. the machine-local GRADLE_USER_HOME
init.gradle needed for Flutter's included flutter_tools/gradle build.
Verified: dependency resolution now succeeds via the mirrors (AGP + kotlin-compiler
download from Aliyun). The APK build itself is currently blocked only by low disk
space on this machine, not configuration.
Full pass over the marketing site so every page reflects the current product:
- Features page: +"Works Offline" and +"Get Discovered on Koja" cards (NEW badges);
rewrote "Real-time Notifications" to describe the dashboard sound+toast alert.
- Solutions: added offline / Koja / real-time-alert bullets across cafés,
restaurants, chains, and cloud kitchens.
- Tour: POS step now mentions offline + auto-sync; kitchen step describes the
sound+toast new-order alert on any screen.
- Docs: +Offline Mode and +Koja Discovery module guides (fa/en).
- appPromo: waiter-app "new order" alert notes sound.
- privacy/terms: "Last updated" June 2025 → June 2026.
Website build clean.
Connectivity fixed: pub.dev/googleapis are 403 under sanctions, so PUB_HOSTED_URL
+ FLUTTER_STORAGE_BASE_URL now point at the reachable Flutter mirror
(pub.flutter-io.cn / storage.flutter-io.cn) — set persistently on the build machine.
- `flutter create --platforms=android,web --org ir.meezi` generated android/ + web/
(#33). `flutter build web` succeeds; `flutter analyze` errors all cleared.
- pubspec: intl ^0.19.0 → ^0.20.2 (SDK pins 0.20.2 via flutter_localizations).
- Fixed 3 pre-existing compile errors (app had never been built):
* attendance: JalaliFormatter.yyyyMMdd() removed → build the date from year/month/day.
* qr_scan: dropped a call to a non-existent CartNotifier.setTable (table context is
already set via tableContextProvider just above).
* widget_test: default counter test referenced MyApp → minimal MeeziApp smoke test.
- discover_screen: drop redundant foundation import; value → initialValue (non-deprecated).
Verified: flutter build web ✓. (Android packaging still needs a Gradle/Maven mirror.)
Enhances the café detail screen toward web-Koja parity. Parsing verified against
the real backend DTOs (CafePublicDto / WorkingHoursPublicDto), still unbuilt (pub blocked).
- Cover image hero (coverImageUrl), open/closed badge (isOpenNow).
- Photo gallery (galleryUrls) horizontal strip.
- Working hours rendered from the day-keyed WorkingHoursPublicDto ({sat..fri} of
{isOpen,open,close}), Sat→Fri with Persian day labels.
Brings the Flutter discover screen toward web-Koja parity. Unverified (pub blocked).
- DiscoverFilters is now a copyWith class so the many optional filters set safely.
- Adds an "open now" chip, rating chips, sort, and a taxonomy-driven filter sheet
(themes/vibes/occasions/space-features as multi-select chips + price tier),
feeding the rich discover() query. Active-filter badge + pull-to-refresh.
- Café cards show open/closed status.
Head-start on the Koja-Flutter build while pub access is unavailable (pub.dev 403
under sanctions). NOT yet built/verified — needs `flutter create` + `pub get` once
package access is restored.
- core/theme/app_theme.dart: centralized MeeziTheme (brand green #0F6E56, Material 3,
filled/outlined buttons, inputs), wired into main.dart (was a brown seed, no theme).
- public_api.dart: discover() gains the full filter set (themes/vibes/occasions/
spaceFeatures/noise/priceTier/size/openNow) + discoverNearby/nlpParse/discoverTaxonomy,
matching the web Koja's backend surface. Follows the existing dio pattern.
The last two limits that still read hardcoded PlanLimits now come from the
admin-editable catalog, so editing them in the admin panel takes effect:
- ReportPlanGate is now limit-driven (takes int maxDays, not a tier); ReportsController
resolves MaxReportHistoryDays from catalog.GetLimitsAsync. LimitMessage is generic
(reflects the actual days). EnsureReportDateAllowed is now async.
- MenuAi3dGenerationService.ResolveLimitAsync reads MaxMenuAi3dPerMonth from the catalog.
Every plan limit + feature gate is now DB-driven and admin-editable. 86 tests pass.
Guest orders from the QR/digital menu already notified via SignalR, but only
screens that were open (KDS/POS/tables) reacted — and silently (a data refresh,
no alert). So staff on any other screen never knew a menu order arrived.
- Add a global useOrderAlerts() mounted in the dashboard shell: connects to
/hubs/kds, joins the café group, and on a new GUEST order plays a chime + shows
a toast (localized fa/en/ar) + nudges order/KDS/POS lists to refresh — on every
screen.
- Filter to guest QR-menu orders only (not staff POS orders): LiveOrderDto now
carries Source, set in MapLiveOrder (+ the delivery/snappfood mappers).
86 API tests pass; dashboard tsc + build clean.
Guest QR menu shows a "ساختهشده با میزی" watermark under the menu unless the café's
plan has the `watermark_removed` feature (Starter+).
- PublicMenuDto gains ShowWatermark; PublicService computes it from
IsFeatureEnabledForCafeAsync("watermark_removed") for both slug and branch menus.
- Guest menu renders the watermark footer when showWatermark.
- NoOpPlatformCatalogService test double (all features on) for the PublicService
ctor; QrMenuTests updated.
86 tests pass; dashboard tsc clean.
Make more plan rules read the admin-editable catalog instead of hardcoded values:
- Review reply gated by the `review_reply` feature (Starter+) — 403 if not in plan.
- Custom menu styling gated by `custom_menu_styling` (Starter+): only blocks an
actual theme change, so a normal settings save re-sending the current theme is fine.
- Menu categories/items limits now read catalog.GetLimitsAsync (Free categories
editable; message no longer hardcodes a number).
- Terminals limit reads the catalog (enforcement in TerminalRegistryService +
the displayed max in TerminalsController).
Remaining (small): menu watermark (Free shows it, `watermark_removed` removes it —
needs the public-menu render), report-history (static ReportPlanGate) and AI-3D
routing — these already enforce the correct matrix values, just not yet editable.
86 tests pass; build clean.
The admin → Plans screen now edits EVERYTHING per plan (the backend already
accepted it; only the UI was partial):
- All limits (orders/day, tables, terminals, branches, menu categories, menu
items, customers, report history, SMS, AI-3D) with an "unlimited (∞)" toggle.
- Display names (fa/en), monthly price, sort order, billable-online, active on/off.
- Per-plan feature checkboxes grouped by module, plus an "all features (*)" toggle
(Enterprise). Sourced from the live feature catalog (/api/admin/features).
- Plans listed in sort order (Free·Starter·Pro·Business·Enterprise).
- i18n fa/en/ar.
Admin tsc + build clean.
PlanLimitChecker already enforces orders/customers/branches/SMS from the
admin-editable catalog (GetLimitsAsync). Add the tables cap the same way
(POST /api/cafes/{cafeId}/tables → MaxTables), so Free's 6-table limit is both
enforced and admin-editable. Terminals/categories/report-history already enforce
the correct matrix values via PlanLimits defaults; routing them through the
catalog for editability + the watermark/styling/review-reply feature gates are
the remaining S3 items.
86 tests pass.
- CanonicalPlans(): single source for Free·Starter·Pro·Business·Enterprise with the
locked feature sets (Free is broad: KDS/queue/Koja/offline/reviews/reservations/
coupons/employees; Starter +watermark-removal/custom-styling/review-reply; Pro +CRM/
reports/taxes/HR/delivery/expenses/branches; Business +3D/AI-3D; Enterprise *).
- Feature catalog: + offline, employees, watermark_removed, custom_menu_styling,
review_reply, api, white_label.
- New Starter plan (690k Toman default, billable, sort 1).
- One-time, version-guarded matrix upgrade (catalog.planMatrixVersion=2): brings the
existing (never-yet-admin-edited) prod plans to the canonical limits/features/order/
price and inserts Starter. Runs once; won't clobber later admin edits.
- Replaced the additive feature-merge (which would wrongly re-add menu_3d to Pro).
Defaults only — admins will be able to change everything in S4. 86 tests pass.
A user can be offline for months (offline-first dashboard) and must stay logged
in / be able to sync on reconnect. Access 7d→30d, refresh 30d→365d, so a ~3-month
offline gap still has a valid refresh token on reconnect (queued writes sync, no
forced logout). Client only logs out on a server 401, never while offline.
Previously the only Employee records were the Owner (created at café signup) and
one Manager per branch — there was no way to add a waiter/cashier/chef. Adds it.
Backend:
- POST /api/cafes/{cafeId}/employees (HrController). Owner/Manager only; creating a
Manager requires Owner; Owner cannot be created here. Validates name/phone/role,
enforces one-employee-per-phone, validates branch belongs to the café, and can
optionally set username/password login in the same step (same hashing + uniqueness
as the credentials endpoint). Returns EmployeeSummaryDto.
Dashboard:
- New "Team" tab on the HR screen (now the default): employee roster (name, role,
phone, base salary) + an "Add employee" button (owner/manager) opening an inline
form — name, phone, role, optional branch, optional base salary, optional login.
- Role labels + all form strings in fa/en/ar.
86 API tests pass; dashboard tsc + build clean.
Blog post bodies were plain <textarea>s labelled "Markdown". Replace with a
TipTap rich editor (bold/italic/strike, H1–H3, lists, blockquote, code, links,
undo/redo), RTL-aware, producing HTML.
- New RichTextEditor component (TipTap v2: react + starter-kit + pm + link +
placeholder), immediatelyRender:false for Next SSR, self-contained content
styling, external-value sync.
- Wired into the FA/EN content fields of the blog editor; labels no longer say
"Markdown" (fa/en/ar).
- Website blog page now renders HTML when the body is HTML and falls back to
MDXRemote for older Markdown posts (backward-compatible). Content is authored
only by trusted SystemAdmins, so HTML is stored/rendered directly.
Admin build + website typecheck clean.
Uploads previously wrote every file to disk with a fresh GUID name, so the
same image uploaded twice produced two identical files. Now:
- New MediaAsset table records each stored upload (SHA-256 hash, size, type,
url, kind, scope) + migration. Indexed on (CafeId, ContentHash).
- MediaStorageService computes the content hash on upload; if an identical file
already exists for that café it returns the existing URL instead of writing a
duplicate (covers images, videos, 3D models). Dedup lookup/record run via a
scoped DbContext (the service is a singleton) and never block an upload on
failure.
- GET /api/cafes/{cafeId}/media lists the café's library (newest first, optional
?kind=) so the UI can let users pick an existing file instead of re-uploading.
86 API tests pass.
Builds on the outbox engine to take the whole dashboard offline in one place
instead of wiring 114 mutation sites individually.
Frontend (single chokepoint = the API client):
- offline-write: any write auto-queues to the outbox on offline/network failure
and returns an optimistic value; the online path is unchanged apart from an
Idempotency-Key header (so even online retries de-dup). entityType is derived
from the URL; POSTs get a remappable local id.
- client.doWrite unifies POST/PUT/PATCH/DELETE through this path. WriteOptions
gains `offline: "queue" | "reject" | "manual"`.
- Guardrails: auth / billing / payments / SMS / exports are online-only and throw
OFFLINE_UNAVAILABLE offline rather than queueing (no queued double-charges or
surprise SMS blasts). use-api-error resolves the friendly localized message
(fa/en/ar).
- submit-order opts out ("manual") to keep its richer local-Order mock; shared
helpers de-duplicated into offline-write.
- Request persistent storage on mount so unsynced writes survive eviction.
Backend:
- IdempotencyCleanupJob: daily purge of idempotency records older than 7 days
(the table now gets a row per keyed write). Registered in Hangfire. No migration.
86 API tests pass; dashboard tsc + build clean.
Completes offline Phase 1 (frontend). Generalises the POS-orders-only queue into
a reusable write engine and fixes the two correctness bugs in the old path.
- offline-db: generic `outbox` store (DB v3, order_queue/kv preserved) with
enqueue/list/update/remove + a persisted client→server id map.
- outbox.ts: drains in causal order — remaps local_* ids to server ids (blocking
an op until its creator syncs), sends each op with its idempotency key, and
classifies failures (offline → stop; 5xx / in-progress → retry; 4xx → poison
after 5 attempts). remap/blocked logic validated against representative cases.
- client: apiPost/Put/Patch/Delete take an optional idempotencyKey →
`Idempotency-Key` header; ApiClientError now carries HTTP status.
- submit-order: generates ONE idempotency key per submit, used for both the
online attempt and the queued replay → server de-dups (no more double-create);
offline create carries createsClientId so a later add-items remaps onto the
real order instead of spawning a second order.
- use-offline-sync: drains the outbox, one-time migrates legacy order_queue
items, invalidates queries after a successful sync.
tsc + production build clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Backend half of offline Phase 1. Lets the offline outbox replay a write after a
lost response without executing it twice (e.g. an order whose POST reached the
server but whose reply never came back).
- IdempotencyRecord entity + table (unique index on (Scope, Key)); migration
AddIdempotencyRecords. Standalone POCO — no tenant/soft-delete filters.
- IdempotencyMiddleware (after TenantMiddleware, before plan-limit/controllers):
opt-in via `Idempotency-Key` header on POST/PUT/PATCH/DELETE.
* Completed key → replays stored status+body with `Idempotent-Replay: true`.
* In-progress key → 409 IDEMPOTENCY_IN_PROGRESS; the unique index serializes
racing first requests; stale (>60s) reservations are recovered after a crash.
* Only <500 responses are cached; 5xx is released so the client can retry.
Bookkeeping runs in isolated DI scopes so it never contaminates the controller's
unit of work. Keys are scoped per café — no cross-tenant collisions.
- 5 middleware tests (replay/execute-once, distinct key, pass-through, tenant
isolation, 5xx-not-cached). Full suite 86 passing.
Next in Phase 1: generalize the POS order queue into a generic client outbox that
sends these keys and remaps client→server ids.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
First slice of offline-first (Phase 1). Makes every dashboard area *viewable*
offline with last-synced data, instead of empty lists on an offline reload
(previously only next-pwa's 10-min API cache survived).
- offline-db: add a generic `kv` IndexedDB store (DB v2, preserves order_queue)
with kvGet/kvSet/kvDelete; all degrade silently on quota/unavailable.
- query-persister: debounced snapshot of the React Query cache via
dehydrate/hydrate (no new dependency). Restore is guarded by a schema buster,
24h max-age, and a café scope so one tenant never hydrates another's data.
- providers: gcTime 24h so hydrated data isn't GC'd; restore on mount + persist
on cache changes, re-scoped when the signed-in café changes.
No write-path changes; the existing POS order queue is untouched. Next in
Phase 1: generalize that queue into an idempotent outbox with client→server
ID remapping.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Before, buying a plan immediately switched the tier and stacked the duration.
Now a purchase made while the café still has paid coverage is QUEUED to start
when the current coverage ends, and the owner can cancel a queued one.
Model:
- SubscriptionPayment gains EffectiveFrom/EffectiveTo; status gains Scheduled
(paid, queued) and Cancelled. EF migration AddSubscriptionScheduling (nullable).
BillingService:
- On payment completion, compute coverage end (latest of active expiry + furthest
queued period). If it is in the future → Scheduled (queued, café tier/expiry
untouched); else activate immediately as before. Periods chain correctly.
- GetStatusAsync lazily promotes any due queued period to active, and returns the
queue (QueuedPlans).
- CancelQueuedAsync cancels a Scheduled period (owner-only) and re-packs the queue
so later periods slide earlier. Active prepaid plan is never cut short; no
automatic refund (manual, per product decision).
- Confirmation SMS distinguishes "activated until X" vs "queued, starts X".
API: BillingStatusDto.QueuedPlans + DELETE /api/billing/queued/{paymentId}.
Dashboard:
- Subscription screen shows a "Queued subscriptions" card (tier, window, cancel
with confirm).
- Checkout shows "you already have an active subscription — this will start on
{date}" when the café is still covered.
- i18n fa/en/ar.
81 API tests pass; dashboard typechecks.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Delete (every manageable entity that only had "add" now has delete):
- Ingredients (warehouse): new DELETE /inventory/ingredients/{id} (soft-delete via
the global DeletedAt filter — no FK trouble with recipes/movements) + NoOp stub +
trash button in the materials cards.
- Reservations: new DELETE /reservations/{id} (soft-delete) + per-card delete button.
- Coupons & Customers: backend DELETE already existed; wired delete buttons in the UI.
- Shared ConfirmDialog component used by all delete flows (RTL-aware).
- Audit result: tables/branches/taxes/kitchen-stations/expenses/menu/terminals already
had delete; HR has no "add" so no delete needed; shifts intentionally excluded
(financial open/close records, not add-style entities).
Koja visibility:
- New Cafe.ShowOnKoja flag, default TRUE (DB default true so existing cafés stay
listed). Discover query now filters IsVerified && !Deleted && ShowOnKoja.
- public-profile GET/PUT expose showOnKoja; dashboard public-profile panel has an
on-by-default toggle that persists immediately. Platform IsVerified gate unchanged.
- EF migration AddCafeShowOnKoja (defaultValue: true).
Also: added the missing errors.generic i18n key (fa/en/ar) so useApiError's fallback
resolves instead of rendering the literal "errors.generic". 81 API tests pass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Login already issues a 7-day access token + 30-day refresh token, and the
dashboard persists the session and silently refreshes on 401 — so a session
should last well over a week. The real cause of "re-login every time / massive
OTP" was single-use refresh-token rotation: RefreshAsync revoked the presented
token and minted a new one, so when a café runs POS + KDS + queue display at
once (or two tabs), the first refresh won the race and every other concurrent
refresh hit the now-revoked token -> INVALID_TOKEN -> forced logout -> OTP.
Make refresh idempotent and race-safe:
- IssueTokensAsync takes an optional existingRefreshToken; on refresh we reuse
the presented token and re-store it (sliding the 30-day TTL) instead of
minting a new one. Login still mints a fresh token.
- RefreshAsync no longer revokes the presented token.
Net effect: concurrent refreshes all succeed; an active session slides forward
and effectively never forces re-auth. Access stays 7 days, refresh 30 days.
All 81 API tests pass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The branch-menu-overrides availability switch (dashboard) and the BlogToggle
(admin website editor) still moved their knob with translate-x while inheriting
RTL, so the knob escaped the track on the right. Pin both to dir="ltr" like the
other switches. All four role="switch" toggles in the codebase now share the fix.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Add DELETE /api/cafes/{cafeId}/menu/items/{id} (DeleteItemAsync soft-delete,
mirroring the existing category delete) — item delete had no backend route.
- Dashboard menu admin: destructive "delete" action in the item and category
edit modals, behind a shared confirm dialog (AlertDialog). Deleting the
selected category falls back to "all items".
- Fix the availability ToggleSwitch in RTL: force dir="ltr" so the knob's
translate-x stays inside the track instead of escaping on the right
(same fix as the admin-panel toggles).
- i18n: deleteItem/deleteCategory confirm + success strings (fa/en/ar).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
BuildDemoIngredients/BuildDemoTables built ids as
"{cafeId}_ing_{guid}"[..36]. For a real cafe (32-char hex id) the
first 36 chars are just "{cafeId}_ing" — the unique guid is cut off,
so all 15 ingredients (and all 10 tables) get the SAME id, causing a
primary-key collision on SaveChanges -> 500. cafe_demo_001 has a short
id so the guid survived, which is why the bug only hit real cafes.
The Id columns are text (no length limit), so the truncation served no
purpose. Removed [..36] from both so the full unique id is kept.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ROOT CAUSE of demo-seed/billing/etc. returning 403 for real owners: .NET's JWT
handler remaps the short "role" claim to ClaimTypes.Role on inbound, so
TenantMiddleware's FindFirst("role") returned null and tenant.Role (EmployeeRole?)
stayed null. EnsureManager/EnsureOwner then rejected even a valid Owner token with
MANAGER_REQUIRED / OWNER_REQUIRED, while reads (no role gate) worked and
[Authorize(Roles=...)] worked (it reads the remapped claim). Now reads the role
under both MeeziClaimTypes.Role ("role") and ClaimTypes.Role. Same fix applied to
the AuthController whoami role. Fixes demo seed, subscription billing, and every
other tenant.Role-gated action.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Lets the POS agent and the QR/app customer attach a free-text note to each
order line (e.g. "no tomato", "extra hot") that reaches the kitchen/bar.
- Backend already supported it (OrderItem.Notes persists; CreateOrderItemRequest
and OrderItemDto carry Notes; LiveOrderDto items include it) — this wires the UI.
- cart.store: add setNotes(menuItemId, notes); notes already travel in
getPendingLines and round-trip via hydrateFromOrder.
- POS pos-screen: a note input under each cart line.
- QR guest menu: a note input under each cart line (QrCartLine.note).
- KDS: render the note prominently under each item so kitchen/bar sees it.
- i18n: pos.itemNotePlaceholder + qrMenu.itemNote (fa/ar/en).
Note: notes are captured on items being added; editing a note on an
already-submitted line is out of scope (no pending delta to re-send).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The redirect source "/:slug([a-z0-9][a-z0-9-]*[a-z0-9])" matched single-segment
paths including the locale itself, so /fa redirected to /fa/cafe/fa (slug "fa")
and /en to /fa/cafe/en — non-existent cafés that returned Internal Server Error.
Visiting koja.meezi.ir (-> /fa) hit this. Removed the redirect so the home page
renders; short café URLs can be re-added via middleware with reserved-word guards.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The integrations form rendered from (gateways state, falling back to fetched data) but SAVED from the state and edited via updateGateway on . If gateways hadn't hydrated, edits (e.g. Zarinpal merchantId) were written to an empty array and the save sent nothing. Now updateGateway seeds from fetched data on first edit, and the save maps over — render, edit, and save share one source. NOTE: prod admin had also been stale because recent deploys aborted on the main-API crash before the admin containers restarted.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Root cause of the crash-loop: a soft-deleted Free plan still occupies its Tier in the unique index, but the existing-row check queried THROUGH the soft-delete global filter and missed it, so the seeder re-inserted Free and violated IX_PlatformPlanDefinitions_Tier on boot. Fixes: (1) IgnoreQueryFilters() on the plan/feature existing-checks so soft-deleted tiers/keys are counted; (2) wrap plan/feature/location seeding in try/catch so any seeding failure logs and startup continues — non-essential seeding must never crash-loop the API.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The previous change deduped on Id, but the unique constraints are on PlatformPlanDefinitions.Tier and PlatformFeatures.Key. Prod's existing Free plan has a different Id, so seeding re-inserted a Free-tier row and crashed on IX_PlatformPlanDefinitions_Tier (23505), crash-looping the API. Now skips any tier/key that already exists.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Location card gets a 'موقعیت فعلی من' button that fills lat/lng from the browser's geolocation. Support ticket list now shows the resolved (localized) error instead of a generic message, so a failure is diagnosable.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Koja auto-detected locale from the browser Accept-Language (en for many Persian users); set localeDetection:false so locale-less URLs default to fa. Also guarded cafe.discoverProfile across the cafe page, cafe card, and JSON-LD — a café without a discover profile crashed the page (500). The cafe page now resolves the café first and notFound()s an unknown slug before fetching menu/reviews.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Plan + feature seeding was dev-gated and all-or-nothing, so production only had the Free plan (admin Plans page showed one). Now runs in every environment and upserts missing rows (adds Pro/Business/Enterprise on top of the existing Free). Also force LTR on the admin toggle switch so the knob doesn't render off-track under the RTL page.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Error toasts surfaced the raw English backend message. Added an errors namespace (fa/ar/en) keyed by error code + a useApiError() resolver that maps ApiClientError.code to the localized message (fallback to a localized generic). Wired into menu, tables, demo banner, and subscription checkout; hardened getErrorMessage so it never returns the raw backend message.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The dashboard demo-data banner is shown to Owner and Manager, but the /demo/seed endpoint required strictly Owner, so a Manager clicking it got a silent 403 (the banner had no error handler) — appearing as 'nothing happens, no tables or items'. The endpoint now allows Owner or Manager, and the banner shows the error on failure.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Marketing-site login/register/dashboard links were locale-less (app.meezi.ir/login), so the dashboard auto-detected locale from the browser Accept-Language (en-US) and redirected Persian users to /en. Links now carry the current locale, and the dashboard sets localeDetection:false so any locale-less entry defaults to fa (Iran-first) instead of guessing from the browser.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Real cafés without a map pin now get approximate coordinates at their city centre (with a deterministic per-café offset) on every boot, in all environments, so the public Iran map lights up with merchant dots. Only fills rows where Latitude/Longitude is null and the city is recognised (20 major Iranian cities); never overwrites an owner-set pin. Owners can drop an exact pin from Settings.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Showcase cafés (dev/staging only) now get Latitude/Longitude scattered around their real city (Tehran/Karaj) with a deterministic per-id offset, so the homepage Iran map renders a realistic cluster of blinking merchant lights. Backfills existing rows where coords are null. Production cafés get coordinates when owners set their location in dashboard Settings.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replaced the rough 40-point hand-drawn polygon with the real national border (74 vertices, Natural Earth via world.geo.json) and fitted the projection bounding box to Iran's true extent, so the silhouette is recognisable and café markers stay aligned. Reworked the marker animation from a radar-style expanding ring into a slow 3.6s ease-in-out lamp fade (opacity 1->0.2->1) with a halo that glows on and off in sync. Verified via the SVG timeline: opacity 1.0 at 0s, 0.2 at 1.8s, 1.0 at 3.6s.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The test project no longer compiled: recent feature commits changed
interfaces and DTOs without updating the test doubles/call sites, so the
whole suite (and therefore CI) was failing to build.
- NoOpInventoryService: add IInventoryService.GetPurchasesSummaryAsync and
the new string? userId param on AdjustAsync.
- NoOpLoyaltyService: add ILoyaltyService.RedeemOnOrderAsync.
- NoOpOrderNotificationService: add NotifyCallWaiterAsync.
- New NoOpAbuseProtectionService and NoOpMediaStorageService test doubles.
- QrMenuTests: ReviewService/PublicService gained IAbuseProtectionService +
IHttpContextAccessor (and ReviewService an IMediaStorageService); wire the
new no-op doubles + a real HttpContextAccessor.
- PrintingTests: OrderDto gained a DisplayNumber int between CreatedAt and
Items; pass it.
- DiscoverFilterTests: add missing `using Xunit;` and the new openNow arg on
DiscoverFilterParams.FromQuery.
Result: dotnet test -> Passed: 81, Failed: 0.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Dashboard & API bug fixes for owner-reported breakage:
- MenuController validators (PosValidators): NameEn was required but the
dashboard sends null when blank, so every manual menu-item create failed
and category create failed 100% (the form never sends nameEn). Now optional.
- DemoDataBanner: only showed when a cafe was exactly empty, so
showcase-seeded cafes (2-3 cats / 3-5 items) could never trigger the
one-click seed. Widened gate to sparse menus (<5 cats && <10 items) and
added a clear "nothing to add" message when already populated.
- client.ts: added one-time JWT refresh-and-retry on 401 (shared in-flight
promise) before bouncing to /login. Expired access tokens silently broke
ticket list, add-table, and other reads.
- Surface API errors as toasts on menu + table mutations (were swallowed
silently, so failures looked like "nothing happens").
- Admin blog editor: saving an edit dropped IsPublished (defaulted false,
silently unpublishing the post on every save); now persisted with a
toggle. Also hoisted the inner Field component to module scope - it was
remounting every input on each keystroke and dropping focus.
- Admin integrations: replaced raw radio gateway selector with a styled
RadioDot matching the iOS toggles.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Manual migration was missing the [Migration("...")] and [DbContext] attributes
that EF Core requires to discover and apply migrations via MigrateAsync().
Without them the Latitude/Longitude columns were never added to Cafes, causing
every query involving the Cafe entity to throw 42703 column-not-found errors.
Columns must be applied manually on the server before the next deploy:
ALTER TABLE "Cafes" ADD COLUMN IF NOT EXISTS "Latitude" double precision, ...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Removes <none>-tagged images left over from previous builds.
Only affects untagged images (dangling=true) — never touches other
projects' named images (soroushasadi-site, drsousan, etc.).
Also logs disk usage after prune.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
DemoMenuSeeder used hardcoded IDs like cat_demo_coffee for every café.
If the dev seeder (runs when ASPNETCORE_ENVIRONMENT=Development) already
inserted those IDs for cafe_demo_001, a production café clicking
"Add demo data" hit a primary-key constraint violation.
Fix: EnsureMenuAsync now accepts useScopedIds=true which prefixes every
category and item ID with cafeId (e.g. cafe_abc_cat_demo_coffee).
CategoryId FKs on items are remapped through the same function.
DemoSeedService (the API endpoint handler) always passes useScopedIds=true.
DevelopmentDataSeeder keeps useScopedIds=false (default) so the existing
cafe_demo_001 rows in dev databases are not touched.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Start api alone first; web/admin-api each wait for their own step
so a health-check wait never blocks unrelated services
- Detect crash-loops via RestartCount > 1 (restart:unless-stopped hides
the exited state behind rapid restarts — count is reliable)
- Dump up to 120 lines of api logs immediately on crash/timeout
- Log infra network state (json) in attach step + failure dump so we
can see exactly which aliases are registered on meezi_default
- admin-api and admin-web are now started in separate steps, same pattern
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without --alias, meezi-db joins meezi_default but is only reachable
as "meezi-db". The API uses Host=postgres — DNS lookup fails after
~5s, migration throws, container crashes.
Fix: disconnect first, then reconnect with service-name aliases
so "postgres" and "redis" resolve correctly on meezi_default.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
postgres/redis were created before the compose project name was locked
to "meezi", so they're on a different Docker network. New app containers
join meezi_default — the API crashes immediately because it can't reach
Host=postgres.
Fix: create meezi_default if needed, then docker network connect
meezi-db and meezi-redis to it before starting the app containers.
Also dump API and admin-api logs on failure to make future failures
easier to diagnose.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Root cause: after successful creation the form stayed on /blog/new.
User couldn't tell it worked, clicked Save again, the second attempt
hit the unique slug constraint and showed an error — making it look
like creation was broken.
Fix: adminPost is now typed, onSuccess redirects to /blog/{id} on new
posts so the user lands on the edit page immediately.
Also fixes commentCount being undefined in the list (MapPost now
includes comment count via eager-loaded Comments).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Existing containers lack compose project labels so Compose cannot claim
them — it tries to CREATE alongside them and hits a name conflict.
Fix: stop + rm only the 6 meezi app containers by name before compose up.
Postgres, redis, and all other projects are never touched.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The meezi-redis container was created before the name:meezi label existed
in docker-compose.yml, so Compose doesn't recognise it as its own project
container and tries to CREATE a new one, causing the name conflict.
Real fix: postgres and redis are persistent infrastructure — CI should
never restart them. Remove them from all deploy steps entirely.
Only api, web, website, koja, admin-api, admin-web are cycled on deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
docker compose up without --no-recreate tries to recreate postgres/redis
when it detects a config change or finds a stopped container, which causes
"container name already in use" when the container is still running.
Fix: infrastructure (postgres, redis) uses --no-recreate so a healthy
container is never touched. App services (api, web, website, koja,
admin-api, admin-web) use --force-recreate so freshly-built images are
always applied.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds POST /api/cafes/{cafeId}/demo/seed (owner-only) that seeds:
- 9% default VAT tax
- 7 menu categories + 59+ items via DemoMenuSeeder
- 15 inventory ingredients (coffee shop staples)
- 10 tables across 3 floors on the first active branch
Frontend DemoDataBanner appears on menu, tables, and inventory
pages when the café is completely empty, so owners can populate
demo data in one click instead of entering everything manually.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- dashboard layout: wait for Zustand _hasHydrated before redirecting to /login
(was redirecting on first render before localStorage was read)
- admin shell: same fix using new _hasHydrated on admin auth store
- admin-auth.store: add _hasHydrated + onRehydrateStorage to mirror merchant store
- AdminPlansScreen: replace direct cache mutation with per-plan PlanCard component
that owns its own useState — fixes other plans disappearing after save
- AdminSettingsScreen: detect boolean values and render iOS-style Toggle switches
- AdminIntegrationsScreen: replace all <input type=checkbox> with Toggle switches;
replace OpenAI model text input with <select> dropdown (gpt-4o-mini/4o/4-turbo/4/3.5)
- blog editor: fix form never syncing existing post data into state (editing was broken);
all fields now use local form state, save uses form directly
- blog links: fix broken relative hrefs (website/blog/new → /admin/website/blog/new)
and back button using proper Link components
- ci-cd: remove image prune step entirely — never removes containers or images
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prevents runner workspace collisions with other projects (DrSousan etc.)
causing containers to be treated as orphans and stopped on deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previously the subscribe mutation had no onError handler, so any
payment initiation failure (wrong merchant ID, ZarinPal API error,
disabled payment method) would silently re-enable the button with
no user feedback. Now errors are shown below the Pay button.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sidebar:
- All groups start collapsed on first load (v4 storage key resets old state)
- Opening one group closes all others (accordion)
- Navigating to a section opens only that section's group
Koja slug:
- SlugHelper: Persian->Latin transliteration, slug validation
- Registration accepts optional custom slug; auto-derives from cafe name
- Slug can be updated from dashboard Settings -> Profile
- Settings PATCH validates uniqueness (SLUG_TAKEN) and format (INVALID_SLUG)
- koja.meezi.ir/{slug} now redirects to /fa/cafe/{slug} (short URL support)
Bug fix:
- SupportTicketService: cafeId/status filters applied before Select() projection
to fix EF "could not be translated" crash on the support tickets page
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
VerifyOtpRequestValidator was passing the raw phone string to
IsValidIranMobile which requires a pre-normalized 11-digit "09…" string.
Any other format (country code prefix, Persian digits, etc.) failed
validation instantly — causing verify-otp to return HTTP 400 in ~2ms
before the service logic could ever run.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- VerifyRegisterAsync: create a Branch named after the café alongside
the Café and Owner, so new owners can use the dashboard immediately
without hitting the "select a branch" gate
- PlatformDataSeeder: EnsureDefaultBranchesAsync runs on every boot and
creates a default branch for any existing café that has none (covers
cafés registered before this fix)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- docker-compose.admin.yml: RUN_MIGRATIONS was hardcoded false → now
uses ${RUN_MIGRATIONS:-true} so migrations run automatically on deploy
- Both compose files: expose Seed__SystemAdminPhone/Username/Password
env vars so the seeder sets admin credentials without manual SQL
- .env.example: document SEED_ADMIN_* variables
On next deploy: migrations run, Username='admin' is patched on the
existing admin, and password is hashed from SEED_ADMIN_PASSWORD.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
EnsureOwnerAdminAsync now sets Username='admin' (configurable via
Seed:SystemAdminUsername) on any existing admin that has no username,
and hashes Seed:SystemAdminPassword if provided and no hash is stored.
Covers fresh deploys and existing prod admins created before credentials
were added.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
npm ci failed in Docker because package-lock.json was stale (missing three
and the workbox/PWA deps) and @google/model-viewer@4.2.0 requires three@^0.182.0
while package.json pinned ^0.163.0. Bumped three and regenerated the lockfile.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Plan comparison and website pricing advertised branch counts that did not
match PlanLimitsData.ForTier: Pro now shows 3 (was 1) and Business shows
unlimited (was 5), matching what the backend actually enforces.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The admin app runs Next.js 14.2.18, where `next build --webpack` is an
unknown option (the flag only exists in Next 15+). This broke the CI
admin-web image build. Other web apps stay on the flag since they're on
Next 16.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The Docker daemon reaches the Nexus Docker group over the dedicated
connector port 8087 (its registry mirror), not the main 8081 HTTP port,
which caused HTTPS-to-HTTP pull failures in CI. Repoint all image refs to
171.22.25.73:8087 at the connector root; npm and NuGet stay on 8081.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Insert a factor/invoice page between plan selection and payment showing
billing-period choice, line items, and totals before redirecting to the
gateway, moving payment-method selection to where the charge happens.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Wrap the POS terminal in the sidebar + topbar layout via a nested
fullscreen layout, and make the sidebar collapse to an icon-only rail
with a persisted toggle so operators keep navigation on the POS screen.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace the raw HttpClient implementation with the Kavenegar NuGet SDK
(v1.2.4) for OTP, single, and bulk sends plus account info, wrapping the
synchronous SDK calls and translating its exceptions. Register the
service as scoped instead of via AddHttpClient.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Point Docker, NuGet, and npm pulls at the Nexus group repos on
171.22.25.73:8081 for both CI/CD and local builds, so the pipeline and
developers no longer depend on Docker Hub, MCR, nuget.org, or npmjs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Next 16 defaults `next build` to Turbopack, which requires native SWC
bindings unavailable for Alpine musl from our npm mirror (only the WASM
fallback loads). Pass --webpack so the build uses the WASM SWC fallback
and succeeds inside the Docker images.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-29 17:35:28 +03:30
469 changed files with 74367 additions and 5806 deletions
- **Not part of the API solution or CI** — it targets `net10.0-windows` and builds on its own.
- Console MVP today. Next: system-tray UI, run-at-login (Task Scheduler / service), auto-update, and an optional LAN scan for raw `ip:9100` printers that aren't installed in Windows.
- The token is bearer-equivalent — keep `config.json` on a trusted machine. Revoke from the dashboard if a PC is lost.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
soroush.asadi
