# Changelog

## 0.1.4 — Foundation fixes applied

- **API**: every NestJS-injected service (`PrismaService`, `JwtService`, `Reflector`) reverted to value imports across 19 files. ESLint override on `apps/api` enforces `no-type-imports` so the regression cannot return.
- **API**: replaced 4 bare `throw new Error('Unauthenticated')` calls with `throw new UnauthorizedException()` (bookings, payments, refunds, trip-planner). Errors now correctly surface as `401`.
- **Mobile**: `(auth)/login.tsx` and `(auth)/signup.tsx` now call `api.auth.login` / `api.auth.signup`, fetch `/v1/users/me`, and persist the session via `useAuth.setSession`. Locale is propagated to signup.
- **Dashboard**: `/login` posts to a new Next route handler at `/api/auth/login` that calls the API and writes an HttpOnly session cookie. Logout handler at `/api/auth/logout`. Session helpers in `src/lib/session.ts`.
- **Tests**: new `cross-partner-isolation.spec.ts` covering `applyScope` + `assertBusinessAccess` from a partner-vs-partner perspective.

## 0.1.3 — Tooling, auth-context verification, Phase-1 fills

- Tooling/CI: per-package `.eslintrc.cjs`, `.eslintignore`, root devDeps for `@typescript-eslint/*` and `eslint-config-prettier`; consolidated `lint`/`typecheck`/`test`/`build` scripts across all packages.
- CI workflow hardened: env seeding, Prisma generate, concurrency control.
- Tests: `apps/api/test/common/request-context.spec.ts` covers `RequestContextStore` async-isolation and `applyScope` for `own`/`assigned`/`all` (including refusal cases). `apps/api/jest.config.cjs` added.
- New shared package `@navi/api-client`: typed HTTP wrapper around `/v1/*` with `auth`, `users`, `destinations`, `listings`, `bookings`, `saved`, `emergency`, `trip-planner` endpoint factories. Mobile API client refactored to use it.
- Mobile: dedicated `app/emergency.tsx` with confirm-call modal; falls back to seed numbers when offline. Home tile routes there.
- Dashboard: new `/partners` route (overview into `/businesses`, `/listings`, `/memberships`); sidebar updated.
- README updated to mention `@navi/api-client`.

## 0.1.2 — Foundation audit fixes

- API: AsyncLocalStorage `RequestContextStore`, `JwtAuthMiddleware` (decodes Bearer tokens, resolves user/roles/permissions/memberships), `IdempotencyMiddleware` (in-memory for dev), `applyScope` Prisma helper for `own/assigned/all`, `assertBusinessAccess`, HMAC verifier with replay protection.
- API: `WebhooksModule` and `RefundsModule` scaffolds.
- API: `AuditInterceptor` semantics fixed — request body no longer stored as `before`.
- API: schema additions — `WebhookEvent`, `IdempotencyRecord`, `Booking.checkInAt` index.
- API: seed adds `audit.read.assigned` and `membership.read.assigned` for partner roles.
- Mobile: locale persistence + i18n boot, onboarding flag, tabs route guard, root error boundary, trip-planner result rendered via `formatMoney` (no hardcoded literals).
- Dashboard: `middleware.ts` redirects unauthenticated requests to `/login`.
- `@navi/ui`: `formatMoney`, `formatDate`, `formatNumber`, `isRtl`.
- Doc: `docs/architecture/26-foundation-audit-fixes.md` records what was fixed and what's still open.

## 0.1.1 — Strategy & Operations layer

- CPO docs: Product Strategy, Monetization, Go-to-Market, Positioning & Brand, Accessibility commitments.
- CTO docs: Security & Compliance, Observability & SLOs, Infrastructure & Deployment, Disaster Recovery, Data Platform, Engineering Process & Hiring, FinOps.
- Templates: RFC, ADR, Incident Postmortem.
- `docs/README.md` index updated with all new sections.

## 0.1.0 — Foundation (Phase 1)

- Monorepo (pnpm + turbo) with `apps/{api,mobile,dashboard,website}` and `packages/{types,validators,config,ui}`.
- 13 architecture/product/QA documents under `docs/`.
- API skeleton: NestJS + Fastify + Prisma; modules for auth, users, roles, permissions, businesses, destinations, listings, bookings, saved, trip-planner, translator, emergency, audit, i18n, payments, health.
- Provider abstractions (mock implementations) for payment, sms, ai, ocr, translation, email, storage.
- Prisma schema and UAE seed script (emirates, cities, emergency numbers, sample destinations and listings, system roles and permissions).
- Mobile shell (Expo Router) with splash, onboarding, login/signup/forgot/OTP, tabs (Home/Discover/Bookings/Saved/Profile), services screen, listing detail, trip planner 4-step + result, settings, English/Arabic + RTL toggle.
- Dashboard skeleton (Next.js) with login, sidebar gated by permissions, overview, users, roles, permissions, businesses, listings, bookings, payments, reports, audit logs, content, settings.
- Website skeleton (Next.js) with locale-prefixed routes (/en, /ar), home, tourists, partners, destinations, about, contact, privacy, terms.
- CI workflow stub (typecheck + lint + test + build).