# 09 — Dashboard Module Structure

Stack: Next.js App Router, TypeScript, Tailwind CSS (with `packages/ui` tokens), shadcn-style primitives, React Query, server actions for forms.

## Information architecture

Sidebar groups (collapsible):

1. **Operations** — Overview, Bookings, Orders, Support
2. **Catalog** — Destinations, Categories, Listings
3. **Partners** — Businesses, Memberships, Approvals
4. **People** — Users, Roles, Permissions
5. **Finance** — Payments, Refunds, Payouts, Reports
6. **System** — Audit Logs, Settings, Integrations, Feature Flags

Each link is gated by a permission. Items the user lacks permissions for are hidden — no broken pages.

## Routes (selected)

```
/login
/forgot-password
/(app)/overview
/(app)/bookings
/(app)/bookings/[id]
/(app)/orders
/(app)/orders/[id]
/(app)/support
/(app)/destinations
/(app)/destinations/[id]
/(app)/categories
/(app)/listings
/(app)/listings/[id]
/(app)/businesses
/(app)/businesses/[id]
/(app)/memberships
/(app)/users
/(app)/users/[id]
/(app)/roles
/(app)/roles/[id]
/(app)/permissions
/(app)/payments
/(app)/refunds
/(app)/payouts
/(app)/reports
/(app)/audit-logs
/(app)/settings
/(app)/settings/integrations
/(app)/settings/feature-flags
```

## Partner experience

Partner users (e.g. HotelPartner) see a slim sidebar:

- Overview (their business KPIs)
- Listings (assigned only)
- Bookings (assigned only)
- Payouts (assigned only)
- Members (assigned only)
- Settings

Partner users reach the same routes as staff; the data returned is scoped by permissions and `businessId`.
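
The sidebar gating from "Information architecture" and the `businessId` scoping above can be sketched together. This is an added example, not code from the project. Hiding a link only changes what is rendered, so the same permission and the business scope are checked again on the server for every request. The type names, permission strings and business ids are assumptions made for illustration.

```typescript
// Added example. All type names, permission strings and ids are hypothetical.
type Permission = string;
type Decision = "allow" | "forbidden" | "out_of_scope";

interface Session {
  permissions: ReadonlySet<Permission>;
  // Businesses a partner user is assigned to; null = unscoped staff account.
  businessIds: ReadonlySet<string> | null;
}

interface NavItem { label: string; href: string; requires: Permission }

const NAV: NavItem[] = [
  { label: "Overview", href: "/overview", requires: "overview:read" },
  { label: "Bookings", href: "/bookings", requires: "bookings:read" },
  { label: "Payouts", href: "/payouts", requires: "payouts:read" },
  { label: "Audit Logs", href: "/audit-logs", requires: "audit:read" },
];

// Sidebar gating: hides links only. It is a usability measure, not access control.
function visibleNav(session: Session): string[] {
  return NAV.filter((item) => session.permissions.has(item.requires)).map((item) => item.label);
}

// Server-side check for a single record (e.g. /bookings/[id]), run before any data is returned.
function authorize(session: Session, requires: Permission, recordBusinessId: string): Decision {
  if (!session.permissions.has(requires)) return "forbidden";
  if (session.businessIds !== null && !session.businessIds.has(recordBusinessId)) return "out_of_scope";
  return "allow";
}

// Filter for list queries. The scope comes from the session, never from a URL parameter.
function scopeFilter(session: Session): string[] | "all" {
  return session.businessIds === null ? "all" : Array.from(session.businessIds).sort();
}

// Constructed sample sessions.
const partner: Session = {
  permissions: new Set(["overview:read", "bookings:read", "payouts:read"]),
  businessIds: new Set(["biz_hotel_1"]),
};
const staff: Session = {
  permissions: new Set(["overview:read", "bookings:read", "payouts:read", "audit:read"]),
  businessIds: null,
};

console.log(visibleNav(partner), authorize(partner, "bookings:read", "biz_other"));
```

A partner who types `/bookings/<id>` for another business's booking holds the `bookings:read` permission, so only the scope check rejects the request.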

## Tables

- Server-side pagination, sort, and filter.
- URL-driven state (deep links to filtered views).
- CSV export gated on permission.

## Forms

- Zod schemas from `packages/validators`.
- Server actions or `/v1/*` calls; never inline business rules.
- Confirmation modals for destructive actions; audit captures the change.

## Notifications

In-app toast for action feedback; persistent banner for system-wide alerts (e.g. payment provider degraded).

## Documented assumptions

1. Dashboard runs on a separate origin from the website (`dashboard.navi.ae`).
2. Auth via the same API; the access token is stored in an HTTP-only cookie issued by a Next.js route handler.
3. SuperAdmin can impersonate partner accounts (audited) — UI + audit log captures impersonation start/stop.
