# Navi Database Dashboard Reflection Matrix

Date: 2026-05-05

| Mobile or website action | API endpoint | Database model | Record created or updated | Dashboard page where visible | Role that can see it | Role that can edit it | Audit log required | Current status | Fix required |
|---|---|---|---|---|---|---|---|---|---|
| Register user | `POST /v1/auth/signup` | `User`, `UserCredential`, `OtpCode`, `UserRole` | Pending user, password credential, OTP, default role | Users | Admin, Super Admin | Admin/Super Admin once write API exists | Yes for registration/verification | Partial | Add registration audit and admin write actions |
| Verify signup OTP | `POST /v1/auth/verify-otp` | `OtpCode`, `User`, `Session` | Consumed OTP, active user, session | Users | Admin, Super Admin | Admin/Super Admin | Yes | Partial | Add audit event |
| Login | `POST /v1/auth/login` | `Session` | Session created and refresh hash stored | Engagement, only if tracked separately | User/Admin (indirect) | User logout; Admin session revoke missing | Yes for failed login | Partial | Add login/failed-login audit |
| Logout | `POST /v1/auth/logout` | `Session` | Session revoked/deleted | Not visible | User/Admin (missing) | User/Admin (missing) | Yes | Partial | Add sessions dashboard |
| Update own profile | `PATCH /v1/users/me` | `User` | User fields updated | Users | User/Admin | User/Admin | Yes for delete/sensitive fields | Connected | Add Profile model if needed |
| Search catalog | `GET /v1/search` | `EngagementEvent` | `search.performed` event | Engagement | Admin, Super Admin, permitted Ops | Read only | No, telemetry sufficient | Connected | Add user/session attribution for anonymous sessions |
| Click suggestion | `POST /v1/engagement/events` | `EngagementEvent` | `search.suggestion_clicked` | Engagement | Admin, Super Admin, permitted Ops | Read only | No | Connected | Add dashboard filters |
| View home | `GET /v1/home` | `EngagementEvent` | `home.viewed` | Engagement | Admin, Super Admin | Read only | No | Connected | Add banner/content source |
| View listing | `GET /v1/listings/:id` | `EngagementEvent` | `listing.viewed` | Engagement | Admin, Super Admin, Provider when scoped later | Read only | No | Connected | Provider-scoped engagement |
| Save destination/listing | `POST /v1/saved` | `SavedItem`, `EngagementEvent` | Saved item and `saved.created` | Engagement, Saved mobile | User/Admin analytics | User only | No | Connected | Admin saved-count cards |
| Unsave item | `DELETE /v1/saved/:refType/:refId` | `SavedItem`, `EngagementEvent` | Saved item deleted and `saved.removed` | Engagement | User/Admin analytics | User only | No | Connected | Soft-delete saved items optional |
| Create booking | `POST /v1/bookings` | `Booking`, optional `PaymentIntent` | Booking record | Bookings | User, Provider scoped, Admin | User cancel/provider status/admin | Yes | Partial | Status update, provider audit, payment start |
| Quote booking | `POST /v1/bookings/quote` | None or quote object | Quote response | Not persisted | User | N/A | No | Partial | Persist quote/idempotency if checkout starts |
| Create order | `POST /v1/orders` | `Order`, `OrderItem` | Order and items | Orders page missing; dashboard reports | User, Provider, Admin | Provider/Driver status | Yes | Partial | Dedicated orders dashboard/API validation |
| Taxi booking | Missing dedicated endpoint | `Booking` or taxi model | Expected taxi booking | Bookings/Driver | User, Taxi Partner, Driver, Admin | Driver/Provider/Admin | Yes | Partial | Add taxi estimate/book/status APIs |
| Upload prescription | Missing dedicated endpoint | `UploadFile`, `Order` or prescription model | Expected private file and pharmacy request | Pharmacy provider/support | Pharmacy, Admin/Support scoped | Pharmacy/Admin | Yes | Missing | Add private upload and prescription request model |
| Generate trip | `POST /v1/trip-planner/generate` | `Trip`, `TripStep`, `EngagementEvent` | Trip, itinerary steps, `trip.generated` | Engagement/Reports | User, Admin analytics | User | Yes when AI/cost provider is used | Connected (deterministic) | Add AI cost audit/queue |
| Translate image | `POST /v1/translator/image` | `TranslationJob` | Translation job | Not dedicated | User; Admin privacy-safe analytics missing | User delete | Privacy audit if support views content | Partial | Real OCR/translation provider and dashboard analytics |
| Emergency call tap | `POST /v1/engagement/events` or local native action | `EngagementEvent` optional | Safe telemetry only | Engagement | Admin/Super Admin | Read only | No | Partial | Ensure mobile logs call tap without blocking dialer |
| Partner apply | Missing public endpoint | `PartnerApplication` missing | Application expected | Partner Applications | Admin/Super Admin | Admin/Super Admin | Yes | Missing | Add model/API/review flow |
| Approve partner | Missing | `Business`, `User`, `UserMembership`, `AuditLog` | Business and owner membership | Businesses/Memberships | Admin/Super Admin | Admin/Super Admin | Yes | Missing | Add approval transaction |
| Partner creates listing | Missing provider write endpoint | `Listing`, `AuditLog` | Listing draft/published | Listings | Partner scoped/Admin | Partner/Admin | Yes | Partial | Provider create/update/publish APIs |
| Admin edits content | `content/translations` partial | `ContentTranslation`, `ContentAsset`, `MarketingPage`, `OnboardingPage` | Content updated | Content | Admin/Super Admin | Content/Admin | Yes | Partial | Home/onboarding/banner write APIs |
| Admin edits emergency number | Missing write endpoint | `EmergencyNumber`, `AuditLog` | Number updated | Content/Emergency page missing | Admin/Super Admin | Admin/Super Admin | Yes | Partial | Emergency admin CRUD |
| Super Admin changes role | Missing write endpoint | `Role`, `Permission`, `RolePermission`, `UserRole`, `AuditLog` | Permission assignment | Roles/Permissions | Super Admin | Super Admin | Yes | Partial | Role builder and permission assignment |
| View reports | `GET /v1/dashboard/overview`, `/v1/engagement/dashboard` | Many | Aggregated reads | Overview/Reports/Engagement | Admin/Super Admin/Provider scoped later | Read only | No | Partial | Provider-scoped reports and real KPIs |

