-
acd9a43 Thanks @Sam-Crane! - Security, stability, and inbox UX improvements
Security
- Block super admin users (
user_type = 'admin') from accessing the module platform. Admins are now redirected to /admin from dashboard/settings/module routes (impersonation sessions excepted). Enforcement added in middleware, login form, OAuth callback, and dashboard layout.
- Fix 38 Dependabot vulnerabilities (19 high, 17 moderate, 2 low) by upgrading direct dependencies (
next 14→15, @sentry/nextjs, fastify, resend, @serwist/next) and adding pnpm overrides for transitive deps (minimatch, brace-expansion, picomatch, serialize-javascript, flatted, yaml, rollup, undici, markdown-it).
- Update Rust
rustls-webpki to 0.103.10.
Stability
- Add database connection retry logic with exponential backoff (10 attempts, 2s→32s) to
realtime-gateway and analytics-engine Rust services, preventing crash loops on transient Supabase Supavisor failures.
- Fix CI build OOM on Next.js 15 compilation by increasing Node heap size (
NODE_OPTIONS=--max-old-space-size=4096).
Next.js 15 upgrade
- Migrate async
params in 7 page components (React.use(params)) and 1 API route (await params).
- Replace
<a> with <Link> for internal navigation in 4 files to satisfy stricter eslint-config-next@15 rules.
Inbox UI/UX redesign
- Decompose the 627-line monolithic inbox page into 8 modular components under
apps/web/src/components/inbox/.
- New split-pane layout: sidebar with search, filter tabs, and item list; detail panel with full item content and actions.
- Mobile responsive with list/detail toggle.
- Priority bars, hover quick-actions (approve/dismiss), framer-motion animations for list items and detail transitions.
- Debounced search across title/description.
- Improved empty states for global, filtered, and search-empty scenarios.
- Existing
useInbox hook and /api/inbox route unchanged.