yslootahrobotics/.github/prompts/plan-adminDashboardAuthCrudEnhancements.prompt.md

# Plan: Admin Dashboard Auth + CRUD + Enhancements

## TL;DR
Add password authentication to the admin dashboard, enable full CRUD for personas/pricing, and add useful admin features like order analytics and configurator settings management.

## Phase 1: Admin Authentication (Database-backed with Prisma + SQLite)

### Steps
1. **Setup Prisma + SQLite**
   - Install `prisma` and `@prisma/client`
   - Create `prisma/schema.prisma` with SQLite provider
   - Models: `AdminUser` (id, username, passwordHash, createdAt), `AppSettings` (key, value)
   - Run `npx prisma db push` to create the database
   - Create `src/lib/prisma.ts` — singleton Prisma client

2. **Create seed script** `prisma/seed.ts`
   - Creates default admin user with bcrypt-hashed password
   - Generates and stores JWT secret in `AppSettings` table
   - Run with `npx prisma db seed`

3. **Create admin auth API routes**
   - `src/app/api/admin/login/route.ts` — POST, accepts `{ username, password }`, verifies bcrypt hash from DB, returns JWT in httpOnly cookie (JWT secret from DB)
   - `src/app/api/admin/verify/route.ts` — GET, checks JWT cookie validity
   - `src/app/api/admin/logout/route.ts` — POST, clears auth cookie
   - `src/app/api/admin/change-password/route.ts` — POST, accepts `{ currentPassword, newPassword }`, updates hash in DB

4. **Create admin middleware** `src/middleware.ts`
   - Protects all `/admin/*` routes (except `/admin/login/`)
   - Checks for valid JWT cookie, redirects to `/admin/login/` if missing/invalid
   - Note: middleware can't use Prisma directly (edge runtime), so JWT secret needs to be in env OR verify via API call

5. **Create admin login page** `src/app/admin/login/page.tsx`
   - Username + password form (styled to match existing admin design)
   - Calls login API, redirects to `/admin/` on success
   - Shows error on wrong credentials

6. **Add JWT_SECRET to .env.local** (only this one — password is in DB)
   - Alternative: store JWT secret in DB and load at startup into a module-level cache

### Dependencies to install
- `prisma` (dev), `@prisma/client`, `bcryptjs`, `@types/bcryptjs` (dev), `jose`

## Phase 2: Full CRUD for Pricing Items + Personas

### Steps (depends on Phase 1)
6. **Add/Remove pricing items in admin** — Update `src/app/admin/page.tsx`
   - "Add Item" button with fields: id (auto-slug from label), label, price
   - Delete button per row (with confirmation)
   - Update `usePricingStore` to support `addItem()` and `removeItem()` actions

7. **Persona management section** — New section in admin page
   - List current personas with edit capability (label, description, colors)
   - Add new persona form
   - Delete persona button
   - Create `usePersonaStore` or extend `usePricingStore` to manage persona definitions
   - Sync persona list with ConfigPanel's `PERSONA_OPTIONS` (currently hardcoded)

## Phase 3: Additional Admin Features

### Steps (parallel with Phase 2)
8. **Orders dashboard section** — New section in admin page
   - Show orders from Stripe API (list recent payments)
   - Display: order ID, customer email, amount, status, date
   - New API route `src/app/api/admin/orders/route.ts` to fetch from Stripe

9. **Analytics overview cards** at top of admin page
   - Total revenue (from Stripe)
   - Number of orders
   - Most popular persona
   - Most popular color

10. **Configurator settings** section
    - Edit default color (`#96a2b6`)
    - Toggle available color options
    - Set min/max price boundaries

11. **Logout button** in admin header

## Relevant Files
- `src/app/admin/page.tsx` — Main admin dashboard (add CRUD UI, analytics)
- `src/app/admin/login/page.tsx` — New login page
- `src/app/api/admin/login/route.ts` — New auth API
- `src/app/api/admin/verify/route.ts` — New verify API
- `src/app/api/admin/orders/route.ts` — New orders API
- `src/middleware.ts` — New, protects admin routes
- `src/lib/prisma.ts` — New, Prisma client singleton
- `prisma/schema.prisma` — New, database schema (AdminUser, AppSettings)
- `prisma/seed.ts` — New, seeds default admin user
- `src/store/usePricingStore.ts` — Add `addItem()`, `removeItem()` actions
- `src/components/ConfigPanel.tsx` — Persona options currently hardcoded (PERSONA_OPTIONS const)
- `.env.local` — Add ADMIN_PASSWORD, ADMIN_JWT_SECRET

## Verification
1. Visit `/admin/` without login → redirected to `/admin/login/`
2. Enter wrong password → error message shown
3. Enter correct password → redirected to `/admin/`
4. Add a pricing item → appears in configurator pricing breakdown
5. Remove a pricing item → disappears from pricing
6. Edit persona → reflected in ConfigPanel
7. Orders section shows real Stripe payment data
8. Refresh admin page → still logged in (cookie persists)
9. Run `npx vitest run` → all existing tests pass

## Decisions
- **Database: Prisma + SQLite** — file-based, no external server needed, real ORM
- Admin password stored as bcrypt hash in DB (not in env vars)
- JWT secret stored in AppSettings table in DB
- JWT in httpOnly cookie — secure, no localStorage tokens
- jose library for JWT — lightweight, edge-compatible (works in Next.js middleware)
- Personas need to move from hardcoded array to store-driven — breaking change in ConfigPanel
- Stripe orders fetched via Stripe API directly — no local DB needed for orders

## Further Considerations
1. **Persona storage**: Currently hardcoded in ConfigPanel. Moving to a store means ConfigPanel reads from store dynamically. This is required for admin CRUD to work. **Recommended: create persona store with localStorage persistence (same pattern as pricing store)**
2. **Stripe orders vs local orders**: Currently orders only exist client-side. To show in admin, we fetch from Stripe's payment intents list. **Recommended: use Stripe API directly, no local DB needed**
3. **Multi-admin support**: Currently single password. If needed later, can upgrade to NextAuth with credentials provider. **Recommended: start simple, upgrade if needed**