release: cut v0.0.9

Author: 248Tech

CHANGELOG.md

@@ -12,9 +12,29 @@ All notable changes are documented here. The project uses [Semantic Versioning](
 - **0.0.6** - UI foundation and layout redesign release
 - **0.0.7** - Projects-first workflow and operations tooling release
 - **0.0.8** - Navigation, admin backup, UX polish, and hotfix stabilization release
+- **0.0.9** - Security hardening and quote-workflow refactor release
 
 ---
 
+## [0.0.9] - 2026-03-26
+
+### Added
+- **Quote workflow service modules** - Added `server/lib/quoteActivity.js`, `server/services/itemStatsService.js`, and `server/services/quoteService.js` so activity logging, item analytics bookkeeping, quote send, duplication, and status transitions are reusable outside the route layer.
+- **Quote UI extraction primitives** - Added `client/src/lib/quoteTotals.js`, `client/src/hooks/useQuoteDetail.js`, extracted quote modals (`ImagePicker`, `QuoteFilePicker`, `QuoteSendModal`), and dedicated `quote-builder/` panel components.
+- **Release notes for 0.0.9** - Added a dedicated `RELEASE_NOTES_0.0.9.md` summary for packaging/tagging and downstream release publishing.
+
+### Changed
+- **Quote detail architecture** - `QuoteDetailPage.jsx` has been reduced substantially by moving shared state and modal/file-picker concerns into dedicated modules.
+- **Quote builder architecture** - `QuoteBuilder.jsx` now delegates line-item editing, adjustment management, and inventory browsing to smaller focused panels.
+- **Shared pricing logic** - Public and operator quote totals now derive from the same shared helper instead of duplicating pricing/adjustment math in two pages.
+- **Backend route structure** - `server/routes/quotes.js` now routes through extracted quote services/helpers instead of hosting the core orchestration inline.
+
+### Fixed
+- **JWT and extension-auth fallback behavior** - Auth middleware no longer leaves broad route access coupled to a generic extension token path.
+- **Public file and quote exposure** - File serving and public quote payloads now use tighter access checks and smaller response surfaces.
+- **Upload and attachment safety** - File uploads are validated from actual file signatures, and outbound quote mail only attaches files already linked to the quote.
+- **Public quote state mutation guardrails** - Public approval/signing-related flows now have stronger state checks and safer backend handling.
+
 ## [0.0.8] - 2026-03-24
 
 ### Added

README.md

@@ -1,6 +1,6 @@
-# BadShuffle v0.0.8
+# BadShuffle v0.0.9
 
-![Release](https://img.shields.io/badge/release-0.0.8-0a7ea4)
+![Release](https://img.shields.io/badge/release-0.0.9-0a7ea4)
 ![Status](https://img.shields.io/badge/status-pre--release-c79200)
 ![Stack](https://img.shields.io/badge/stack-React%20%7C%20Express%20%7C%20SQLite-1f6feb)
 ![Deploy](https://img.shields.io/badge/deploy-Docker%20%7C%20Windows%20EXE-2ea44f)
@@ -21,18 +21,16 @@ BadShuffle is a self-hosted event rental software platform for project-centric q
 - **Domain complexity** — Availability conflicts, per-line pricing overrides, reusable rental/payment policies, and public quote signing target actual event-rental workflows.
 - **Deployment pragmatism** — Run it locally, on a LAN, in Docker, or as packaged Windows executables.
 
-## What’s New In v0.0.8
+## What’s New In v0.0.9
 
-`v0.0.8` is the navigation, admin continuity, UX polish, and Windows host packaging release, now followed by a hotfix pass that focuses on performance, mobile behavior, editing safety, and import resilience. It reorganizes the operator experience around workflow-based navigation, adds in-app database backup/restore, ships packaged Windows `.exe` artifacts for self-hosted deployments, and tightens daily operator workflows with better loading, error handling, and guardrails.
+`v0.0.9` is the security hardening and quote-workflow refactor release. It tightens public/auth/file handling on the backend, breaks the largest quote surfaces into smaller maintainable modules, and standardizes shared pricing logic so the operator and public quote experiences stay in sync as the product grows.
 
-- **Navigation architecture refresh** — The sidebar is now grouped around workflows (Projects, Inventory, Messages, Directory, Settings), supports collapse + flyout behavior, and surfaces unread-message plus pending-admin counts alongside live team presence.
-- **Admin continuity tooling** — Admin now includes SQLite backup export/import so operators can migrate or restore data without leaving the app.
-- **New workspace surfaces** — Added a Directory hub for Leads/Vendors plus dedicated Inventory Settings and Message Settings screens for operational preferences.
-- **Windows host packaging** — The project is packaged for Windows hosts with separate server, client, and updater `.exe` artifacts so operators can run BadShuffle without a manual Node deployment.
-- **Performance hotfixes** — Heavy operator and public routes now lazy-load on first navigation, reducing the initial client bundle cost for day-to-day use.
-- **Workflow safety hotfixes** — Quote detail editing now warns before reload or navigation when there are unsaved changes, making large project edits harder to lose accidentally.
-- **Responsive messaging polish** — Messages now behaves as a focused single-pane experience on smaller screens, with cleaner thread/detail transitions during mobile use.
-- **Debugging and import hardening** — Settings can enable verbose error output for debugging, quote creation failures now return cleaner API errors, and sheet/item imports reject numeric-only titles that commonly come from spreadsheet date serials or malformed source data.
+- **Security hardening pass** — JWT and extension-token handling is narrowed, file-serving auth is stricter, public quote payloads are least-privilege, upload MIME detection is content-based, and quote email attachments are scoped to the active project.
+- **Backend quote-service extraction** — Quote send, duplicate, activity logging, status transitions, and item stats bookkeeping now live in dedicated service/lib modules instead of a single oversized route file.
+- **Quote detail decomposition** — QuoteDetailPage now relies on extracted helpers/components and a shared controller hook so editing, files, sending, and totals logic are easier to evolve independently.
+- **Quote builder decomposition** — QuoteBuilder has been split into focused line-items, adjustments, and inventory-picker panels, reducing rerender pressure and making future UI changes less risky.
+- **Shared totals utility** — Quote total/adjustment logic now comes from one shared utility instead of drifting between QuoteDetail and PublicQuote.
+- **Release documentation refresh** — README, changelog, status notes, package versions, and release notes have all been aligned to `0.0.9`.
 
 ## Core Features
 
@@ -54,10 +52,10 @@ BadShuffle is a self-hosted event rental software platform for project-centric q
 
 ## Near-Term Roadmap
 
-- **Cross-theme QA + responsive pass** — Finish theme verification and close the remaining mobile layout gaps across quote editing, messages, and modal-heavy views.
-- **Performance follow-up** — Finish image lazy loading on the remaining public/files surfaces and review post-split route chunk sizes.
-- **Workflow safety** — Extend unsaved-change protection to other high-risk forms and replace destructive browser confirms with better inline confirmation patterns.
-- **Operations depth** — Send preview, pull sheets, and richer warehouse workflows.
+- **Frontend refactor completion** — Finish landing the QuoteDetail/QuoteBuilder extraction work and smoke-test the refactored flows across desktop and mobile.
+- **Cross-theme QA + responsive pass** — Close the remaining theme/mobile gaps across quote editing, messages, and modal-heavy views.
+- **Workflow safety** — Extend unsaved-change protection and better destructive-action confirmation patterns to other high-risk forms.
+- **Operations depth** — Send preview, pull sheets, richer warehouse workflows, and migration/versioning cleanup for the database bootstrap.
 
 More context lives in [ai/KNOWN_GAPS.md](ai/KNOWN_GAPS.md) and [ai/TODO.md](ai/TODO.md).
 
@@ -491,4 +489,3 @@ Client helpers in `client/src/api.js`: `getVendors`, `getConflicts`, `getQuoteAv
 ## License
 
 MIT. See [LICENSE](LICENSE).
-

RELEASE_NOTES_0.0.9.md

@@ -0,0 +1,25 @@
+# BadShuffle 0.0.9 Release Notes
+
+Release date: 2026-03-26
+
+## Summary
+
+`0.0.9` is the security hardening and quote-workflow refactor release. It tightens auth/public/file behavior on the backend, extracts the largest quote flows into reusable services and helpers, and continues the QuoteDetail/QuoteBuilder decomposition so future work can land with less coupling and less drift.
+
+## Highlights
+
+- Stricter auth and public-surface handling around JWT, extension-token access, file serving, and public quote payloads
+- Upload validation now uses detected file signatures instead of trusting browser MIME values
+- Quote email attachments are restricted to files already linked to the active quote
+- `server/routes/quotes.js` now delegates orchestration to:
+  - `server/lib/quoteActivity.js`
+  - `server/services/itemStatsService.js`
+  - `server/services/quoteService.js`
+- Shared quote pricing/totals logic moved to `client/src/lib/quoteTotals.js`
+- QuoteDetail and QuoteBuilder have been broken into smaller modules, hooks, and focused panels for easier iteration
+
+## Notes
+
+- This remains a `0.x` pre-release line
+- The backend extraction work is complete in this release
+- Frontend refactor follow-through and broader responsive/theme QA remain active follow-up work

ai/STATUS.md

@@ -1,5 +1,7 @@
 # STATUS
 
+**Released v0.0.9** (2026-03-26): Security hardening + quote workflow refactor release. Highlights: stricter auth/file/public quote handling; extracted backend quote services (`quoteActivity`, `itemStatsService`, `quoteService`); shared quote totals utility; QuoteDetail and QuoteBuilder decomposition into focused hooks/components/panels; and release/versioning docs aligned to `0.0.9`.
+
 **Released v0.0.8** (2026-03-24): Navigation + UX polish release. Highlights: grouped collapsible sidebar with hover flyouts, unread/pending badges, and live team presence; new Directory landing page; new Inventory Settings and Message Settings pages; Admin database export/import; ErrorBoundary fallback; skeleton loaders; contextual empty-search states; lazy-loaded inventory thumbnails; toast `aria-live`; PublicQuotePage `document.title`; theme-token cleanup and layout max-width polish.
 
 **Released v0.0.7** (2026-03-24): PRD batch 2 — files list view + bulk delete, billing search/sort/export, single-screen new project creation. PRD batch 1 — rename Quotes→Projects, fix inventory hover, file auth, search bars.
@@ -495,4 +497,3 @@ Help: `node server/cli.js --help`
 
 ## Next Steps
 - Optional: add more target fields to lead import (e.g. guest count, delivery address) if sheet columns expand.
-

client/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "badshuffle-client",
-  "version": "0.0.8",
+  "version": "0.0.9",
   "private": true,
   "type": "module",
   "scripts": {

client/package.json

@@ -258,6 +258,7 @@ export const api = {
     const qs = new URLSearchParams(Object.entries(params || {}).filter(function(e) { return e[1] !== undefined && e[1] !== ''; }));
     return request('/messages?' + qs);
   },
+  sendQuoteMessage:  (quoteId, body) => request('/messages', { method: 'POST', body: { quote_id: quoteId, ...body } }),
   getUnreadCount:    () => request('/messages/unread-count'),
   markMessageRead:   (id) => request('/messages/' + id + '/read', { method: 'PUT' }),
   deleteMessage:     (id) => request('/messages/' + id, { method: 'DELETE' }),

client/src/api.js

@@ -0,0 +1,92 @@
+import React, { useEffect, useState } from 'react';
+import { api } from '../api.js';
+
+export default function ImagePicker({ onSelect, classNames = {} }) {
+  const [open, setOpen] = useState(false);
+  const [fileImages, setFileImages] = useState([]);
+  const [invImages, setInvImages] = useState([]);
+  const [loading, setLoading] = useState(false);
+
+  useEffect(() => {
+    if (!open) return;
+    setLoading(true);
+    Promise.all([api.getFiles().catch(() => ({ files: [] })), api.getItems({ hidden: '0' }).catch(() => ({ items: [] }))])
+      .then(([filesData, itemsData]) => {
+        setFileImages((filesData.files || []).filter((f) => f.mime_type && f.mime_type.startsWith('image/')));
+        setInvImages((itemsData.items || []).filter((i) => i.photo_url));
+      })
+      .finally(() => setLoading(false));
+  }, [open]);
+
+  if (!open) {
+    return (
+      <button type="button" className="btn btn-ghost btn-sm" onClick={() => setOpen(true)}>
+        Pick image from library
+      </button>
+    );
+  }
+
+  return (
+    <div className={classNames.imagePicker}>
+      <div className={classNames.imagePickerHeader}>
+        <span style={{ fontSize: 13, fontWeight: 600 }}>Pick an image</span>
+        <button type="button" className="btn btn-ghost btn-sm" onClick={() => setOpen(false)}>
+          Close
+        </button>
+      </div>
+      {loading ? (
+        <div style={{ padding: 20, textAlign: 'center' }}>
+          <div className="spinner" />
+        </div>
+      ) : (
+        <div className={classNames.imagePickerGrid}>
+          {fileImages.map((f) => (
+            <button
+              key={'f-' + f.id}
+              type="button"
+              className={classNames.imagePickerThumb}
+              onClick={() => {
+                onSelect(api.fileServeUrl(f.id), null);
+                setOpen(false);
+              }}
+              title={f.original_name}
+            >
+              <img
+                src={api.fileServeUrl(f.id)}
+                alt={f.original_name}
+                onError={(e) => {
+                  e.target.style.display = 'none';
+                }}
+              />
+            </button>
+          ))}
+          {invImages.map((i) => (
+            <button
+              key={'i-' + i.id}
+              type="button"
+              className={classNames.imagePickerThumb}
+              onClick={() => {
+                onSelect(api.proxyImageUrl(i.photo_url), i.unit_price || null);
+                setOpen(false);
+              }}
+              title={i.title}
+            >
+              <img
+                src={api.proxyImageUrl(i.photo_url)}
+                alt={i.title}
+                onError={(e) => {
+                  e.target.style.display = 'none';
+                }}
+              />
+            </button>
+          ))}
+          {fileImages.length === 0 && invImages.length === 0 && (
+            <p style={{ fontSize: 13, color: 'var(--color-text-muted)', padding: 12 }}>
+              No images found. Upload images to the Files page first.
+            </p>
+          )}
+        </div>
+      )}
+    </div>
+  );
+}

client/src/components/ImagePicker.jsx

@@ -108,11 +108,9 @@
   overflow-x: hidden;
   -webkit-overflow-scrolling: touch;
   background: var(--color-surface);
-  padding: 24px 32px;
+  padding: 20px 24px;
 }
 
 .mainInner {
   width: 100%;
-  max-width: 1440px;
-  margin: 0 auto;
 }