Overall platform readiness across six assessment domains
DB::connection('pt') calls across three files (DocuPrintApiController, ConsentFormDispatcher, DocuSignApiController). All 18 violations have been eliminated. Six new Delphi DataSnap methods were written and deployed: ProductionTemplatesList, ProductionTemplateSave, ProductionTemplateDelete, PrintSignRequestGet, ConsentFormLookup, and MincomProfileSync. The ConsentFormLookup method consolidates the seven previously-direct DB reads in the background consent dispatcher into a single DataSnap call. The DocuSeal webhook handler's mincom_minor_profile and guardian_links writes are now routed through MincomProfileSync. All six methods confirmed live via Describe smoke test. The DataSnap access-layer contract is now uniformly enforced across the entire application. Architecture Stability raised A− → A; External Integrations raised C− → C; Overall Readiness raised B+ → A−.API.RTSOracle.Service.pas GetRoster SQL rewritten from SELECT DISTINCT … JOIN roles fan-out to STUFF/FOR XML PATH — single row per user with all roles concatenated server-side; (2) 6 missing state codes inserted into rts_state_type (NOT_LANDED, LANDED_IDLE, HAS_CONCERN, IN_CUSTODY, IN_TRANSIT_TO_SET, ENDED) — COALESCE JOIN now resolves plain-English labels from DB. JS safety-net humaniseStateCode() + puid dedup remain as defensive fallbacks. Action tiles colour-coded by semantic group; roster column widths pinned via colgroup; Request modal close button added. Core Feature Set lifted B → B+; UX Completeness lifted B+ → A−.resources/views/app/instruction_reporting.blade.php. A listener binding referenced confirmCurrentAlloc before it existed in local scope, causing a ReferenceError and aborting the student/week bootstrap path. The handler wiring was corrected to deferred window.* lookups, eliminating the startup exception and restoring normal student-pane hydration. This closes a high-visibility UX reliability gap and supports a UX Completeness grade lift B → B+.JsonResponse contracts, controller-level new DataSnapClient() factory patterns were replaced with constructor DI, and auth resolution now flows through the middleware-attached request context. The SL-3 inline-handler remediation has also been completed with delegated action handlers and a zero-hit runtime/source sweep for onclick=/onchange=/oninput=/onsubmit= attributes in active code paths. This justifies an additional grading lift in Architecture Stability and Overall Readiness.What's working well: The presence/gating engine is database-driven and rule-driven by design — this is architecturally superior to most competitors. The 14 mobile screens cover the primary daily workflow competently. The DataSnap layer enforces server-side auth on all calls. The rule resolver uses age groups from the database, not hardcoded conditionals. Infrastructure redundancy is strong: DataSnap runs on a minimum 3-node IIS cluster behind HAProxy/pfSense, and SQL Server is a 2-node Always On cluster (expanding by launch).
What must be addressed before commercial launch: Meal/rest break tracking, minor PII masking, night work enforcement, MFA for privileged roles, and offline mode degradation handling. End-to-end onboarding on web is complete as of May 11, 2026, and document-driven work-eligibility gating is implemented as of May 12, 2026.
DataSnap API, Laravel shim, database design, and deployment stability
Original finding: The endpoint
https://appserver.pumpkintime.pro/bin/server.dll was the sole data gateway. A
single IIS crash, DLL deadlock, or host reboot would drop all connected users — including
Studio Teachers mid-session. CA Labor Code does not accept "server was down" as a compliance
defense.
Additional concern (open): Multiple Delphi source file variants still exist
(ServerMethodsUnit1.pas, _FINAL, _lastfail,
_refactored, _B4 Manus). The deployed binary's provenance remains
unconfirmed. This sub-item remains open.
server.dll. Traffic is distributed and
health-checked by HAProxy running on pfSense, which performs active/passive
failover and round-robin load balancing. If any single node fails, HAProxy drains its
connections and routes to the remaining nodes with no user impact.Remaining action: Confirm which
ServerMethodsUnit1 variant is the canonical build artifact. Enforce a single
versioned build pipeline to prevent binary ambiguity.
No offline queue, no service worker, no local SQLite caching is referenced anywhere in the codebase or mockups. On stage sets with Faraday shielding, remote locations, or during network maintenance windows, the app will show blank screens or errors with no user guidance.
Minimum required: Read-only offline access to today's roster (cached at check-in time), queued welfare checks that sync when connectivity restores, and a visible "Offline — data may be stale" indicator.
Original finding: Delphi ISAPI DLLs are loaded by IIS at process start.
Replacing server.dll required stopping the application pool, replacing the
file, and restarting — dropping all active connections. On active shoot days, a mid-day
deploy was operationally unsafe.
DRAIN mode.
HAProxy stops sending new requests to Node 1; existing sessions complete naturally.server.dll, restart the pool, and verify health.Completed: Rolling deploy runbook is now published at
.copilot/docs/OPS-HAPROXY-ROLLING-DEPLOY-RUNBOOK.md. Drain/enable steps are
standardized for ops execution in this release phase.
The presence_states table is a derived/materialized view of
presence_events. If state derivation is asynchronous (e.g., triggered by a SQL
job), there is a window where the mobile roster shows stale status after a presence action.
This is a compliance risk: a ST could believe a minor is "In Class" when the system hasn't
yet updated their state.
Required: Document whether RealtimeState.Engine.pas runs
synchronously within the DataSnap request pipeline or asynchronously. The mobile UI must
show a brief "updating…" state after any presence action until the next roster refresh
confirms the change.
The Laravel tests/Feature/ExampleTest.php is the framework scaffold — no real
test cases exist. No Delphi DUnit or DUnitX tests are present in the source. This means
every deployment is a gamble: a regression in the rule resolver or timer engine will not be
caught before it reaches production.
RuleResolver.pas, regulatory_rules table) is architecturally correct
and legally defensible. Age-group rules are stored in the database, not hardcoded — this allows
multi-jurisdiction compliance without code changes.DB::connection calls in Docu moduleOriginal finding: The copilot-instructions mandate "All DB access from Laravel must go through the DataSnap ISAPI service. Never use DB::connection('pt') directly." An audit of the app/ tree found 18 violations across three files, introduced as the Docu (consent form PDF-signing) module was built out:
DocuPrintApiController — 5 violations: fallback DocuSealTemplateId read, Docu_ProductionTemplates CRUD (3 methods), and resend() sign-request fetchConsentFormDispatcher — 8 violations: 7 reads (invite, opt-in, idempotency, template, guardian, minor, production) + 1 INSERT into Docu_PrintSignRequestsDocuSignApiController — 1 violation: mincom_minor_profile and guardian_links writes in the DocuSeal webhook handlerAPI.Docu.Service.pas, routed in API.Docu.Router.pas, wrapped in DocuService.php, and deployed:DocuPrintApiController.Docu_PrintTemplates JOIN for the resend() endpoint.ConsentFormDispatcher::dispatch() into a single DataSnap round-trip. Returns proceed=false+reason or proceed=true with all dispatch data.mincom_minor_profile and guardian_links.relationship; replaces the webhook handler's direct DB writes.Describe smoke test. DB::connection('pt') usage in app/ is now zero.
End-to-end flow from first contact to first active production day — for all three roles, across both platforms
Invitation.Engine.pas + MsgX). User clicks link →
/join/{code} public landing page (built May 2026). If the recipient
has no account the landing page creates one inline; if they already have an account
they sign in to accept. No production membership is required to create a global
account — users exist in the ecosystem independently and join productions
via invite.admin_docs) — required document definitions, compliance status
cards, expiry tracking, and reminder notifications are all built-in.regulatory_rules and governed by the
Global Regulatory configuration. The assignment model is built in. What
remains is exposing the real-time ratio as a live indicator on the PA mobile roster.
invi_role_invite_permissions table.
regulatory_rules and regulatory_metrics via the Global
Regulatory web view — 3 tabs: Jurisdictions (manage
jurisdiction records), Rules (define metric thresholds per
jurisdiction), Overrides (production-level exceptions). Fully
DataSnap-backed. Present in both old and new system.
payment_transactions audit log.PRODUCTION_ROLE invite at their email; acceptance via /join/{code}
constitutes consent to the production terms. The Delphi Accept action atomically
creates the user account (if new), adds the minor to productionusers, and writes
the guardian_link record. Server auto-generates a co-guardian
GUARDIAN_LINK invite for any additional guardians when a minor is invited.
No separate consent portal is required for the MVP flow.
CA Labor Code §1308–1312 and associated DLSE regulations — gaps between DB capability and mobile UI enforcement
The presence event schema supports arbitrary event types via event_type varchar,
but no MEAL_BREAK_START or MEAL_BREAK_END event types are
referenced in any screen or DataSnap method found. The timer screen shows total elapsed time
but does not deduct or flag meal breaks.
Legal exposure: Failure to document meal breaks is a per-violation DLSE penalty. On a production with 7 minors, a missed meal break log on one shoot day is 7 separate violations.
Required: Add meal break event types to presence engine. Add a "Start Meal Break" action to the presence action sheet (Screen 04). Show meal break countdown/status in the minor snapshot (Screen 11).
The rule resolver has access to age-group data and can theoretically compute night-work limits, but the mobile home screen and roster show no countdown to a minor's latest allowable departure time. No push notification or hard-stop gate is triggered at the permit night limit.
Required: Add a "Latest wrap" countdown to the minor snapshot and PA home dashboard. Push a reminder 30 minutes before the night limit. Block any presence action that would extend a minor's on-set time past their permitted night cutoff.
regulatory_rules. ST assignment is handled via the Education Services org
model. What's missing is a live ratio indicator on the PA mobile roster.
The ST assignment model is handled through the Education Services Company
(ESC) org relationship — productions are linked to an ESC which manages its
Studio Teachers. The 1:10 ratio threshold is defined in regulatory_rules and
configured via Global Regulatory. The backend model and rule exist.
The gap is the mobile PA roster surface: if a ST has 11 minors marked "On Set," the system does not alert the PA or surface any ratio warning. No ratio chip or indicator exists in the current 14 mobile screens.
Required: Add a real-time ratio chip to the PA home roster grouped by ST.
Alert when the configured threshold is at or exceeded. Read the threshold from
regulatory_rules — never hardcode.
CA requires that minors working on a production receive a minimum of 3 hours of schooling per day, and this must be provided across the entire production run — not just on days they are on set. The minor snapshot (Screen 11) shows only "today's school" and a "week total" without enforcement logic. Deficits from previous days must be communicated as make-up obligations.
The Documents module now supports required document definitions, expiry-aware compliance status, and eligibility gating used for work participation. This closes the prior gap where permit status was visible but not enforced in participation flow. Remaining optimization is UX messaging consistency for all blocked actions.
When a ST logs a minor's first check-in time each morning, the system should compare that time against the previous day's wrap time and alert if the turnaround is less than 12 hours. This check is not present in any mobile screen or DataSnap method identified.
The web mock weekly-academic-report.html and
record-of-instruction.html exist but are static mockups. No actual export
pipeline (PDF, CSV, DLSE-formatted report) is implemented. An auditor arriving on set needs
records within minutes — the ST's phone must be able to produce a daily log on demand.
OWASP Top 10 mapping, minor PII exposure, authentication, and data handling
The minor snapshot (Screen 11) displays full guardian phone numbers
(+1 (310) 555-0147), permit numbers (EWP-2026-38241), and custody
status in plain text. Any screenshot shared on set (e.g., to show the roster to an AD)
exposes this data. The platform handles data for minors under 18, placing it under COPPA,
CCPA minor provisions, and FERPA (if school records are included).
Required: Mask guardian phone numbers (•••• 0147) with
tap-to-reveal. Add FLAG_SECURE (Android) /
UITextField.isSecureTextEntry context or equivalent to screens containing minor
PII. Implement screen capture blocking for PII-containing views.
If a user's password is compromised, an attacker can log in from any device and view all minor PII, compliance records, and guardian contact data for every production the user belongs to. No MFA challenge exists at any step. TOTP or SMS OTP is the minimum required for Admin and PA roles given the sensitivity of the data.
The DataSnap REST endpoint is accessible at a known URL pattern. The Laravel
DataSnapClient wraps calls server-side, which is correct — but the raw DataSnap
endpoint may also be callable directly from a browser or curl if not firewall-restricted to
localhost only. Every DataSnap method must validate the caller's role before executing, not
just validate that a session exists.
Required: Verify that server.dll is only accessible from
127.0.0.1 (via IIS binding) and all external calls must go through Laravel. Add
role assertions at the top of each DataSnap method using PtContext.
Chat messages referencing minor welfare, custody, and permit data are stored in SQL Server without field-level encryption. If the database is compromised, all message history is immediately readable. At minimum, message content fields should be encrypted at rest using AES-256 with keys managed separately from the data.
If a ST's session token expires while they are mid-way through logging a welfare check, the DataSnap call will fail silently or with a cryptic error. The mobile app must intercept 401 responses globally, attempt silent token refresh, and if refresh fails, present a clear "Session expired" modal that preserves the in-progress action for re-submission after re-auth.
Missing states, accessibility, interaction patterns, and edge case screens
| Gap | Severity | Affected Screens | Notes |
|---|---|---|---|
| Empty states — no minors, no sessions, no messages | 03, 05, 12 | First shoot day with 0 minors checked in shows blank roster. Confusing for new users. | |
| Error states — network failure, API timeout, server 500 | All screens | No error state designed. A DataSnap timeout would show a blank screen with no user guidance. | |
| Loading skeletons — no shimmer/skeleton while data loads | 02, 03, 07, 13 | Data-heavy screens (roster, request queue) need skeleton placeholders to prevent layout shift. | |
| Offline indicator — no banner when connectivity is lost | All screens | Critical on set. User has no way to know if the data they're viewing is stale. | |
| Accessibility — status indicated by color only | 03, 11, 13 | Presence status uses color stripes (green/red/orange) with no text label fallback for color-blind users. WCAG 1.4.1 violation. | |
| Dark mode — only login screen (01) is dark-themed | 02–14 | System-level dark mode preference will not be respected. Not blocking for launch but a user expectation on iOS/Android. | |
| Tablet / landscape layout — not designed | All screens | PAs on iPad expect side-by-side roster + detail view. The 390px-wide phone frame is not responsive. | |
| Confirmation dialogs — destructive actions have no confirm step | 04, 09 | "Wrap minor for the day" in the presence sheet has no confirmation. A mis-tap ends a session prematurely with no undo. | |
| Undo support — no undo for presence changes or session end | 04, 05 | The presence event log is append-only by design, but the UI should allow a grace-period reversal within 60 seconds of an accidental action. | |
| Form validation — no inline error states on request submit | 08 | Request submission form (Screen 08) has no visible validation error states — required fields, invalid data, or duplicate submission. | |
| Voice / quick-log — no hands-free mode for on-set use | 04, 05 | STs on busy sets often cannot look at their phone. A voice shortcut ("Log welfare check for Emma") would reduce compliance friction. |
Industry systems the platform does not yet connect with
| System | Category | Gap | Priority |
|---|---|---|---|
| Movie Magic / Showbiz Scheduling | Call Sheets | No import of daily call sheet. STs manually interpret which minors are called each day — error-prone. | |
| Cast & Crew / Entertainment Partners | Payroll | No payroll data feed. Minor work hours tracked in PumpkinTime are not automatically synced to payroll. Reconciliation is manual. | |
| CA DLSE Online Portal | Regulatory | No direct permit number validation against the state database. Work permit numbers are entered manually and trusted without verification. | |
| SAG-AFTRA / DGA Portals | Union | No union membership verification for minor performers. Union status is self-reported on enrollment. | |
| VoIP.ms / SMS Gateway | Notifications | VoipMs brief exists (VoipMs_Laravel_SMS_Brief.md) but is not integrated.
Guardian SMS notifications for pickup/drop-off events are manual. |
|
| School SIS / Canvas / Schoology | Education | School session records are isolated in PumpkinTime. No way to push lesson completion data to a minor's actual school for curriculum credit. | |
| Emergency Services / 911 Integration | Safety | No one-tap emergency call with pre-populated location and minor information. On a set emergency, STs must manually dial and provide info verbally. |
All identified findings mapped by likelihood × impact
Prioritized by risk × effort — 4-phase sprint plan
MEAL_BREAK_START / MEAL_BREAK_END to the presence
engine. Add "Start Meal Break" to the presence action sheet. Show meal break
timer in the minor snapshot. Alert ST 15 min before the 5-hour meal break
threshold.Invitation.Engine.pas. Build mobile screens OB-1 and OB-2: app
download landing, invite claim, and new account creation.VoipMs_Laravel_SMS_Brief.md plan. Send guardian SMS on minor
check-in, checkout, and welfare check completion. Include a "Guardian Notified"
indicator on the minor snapshot.server.dll to localhost-only binding in IIS. All calls must route
through Laravel.record-of-instruction.html mock. Available from the PA home screen
and the minor snapshot. ST can generate on-demand for auditors.server.dll, restart pool, verify health → (3)
re-enable node in HAProxy → repeat for next node. Minimum 2 nodes stay live at
all times. Runbook published:
.copilot/docs/OPS-HAPROXY-ROLLING-DEPLOY-RUNBOOK.md.request_status.status_name + isClosingStatus). Post-deploy verification for status mutation persistence and ODBC/FireDAC field-type tolerance has been completed for the current release window.JsonResponse objects, and controller-level new DataSnapClient() service factories were replaced by constructor DI. Auth resolution now flows through the middleware-attached request context and the controller layer no longer carries the old duplication.Screens that must be designed and built to close the gaps identified in this report
| # | Screen Name | Role | Phase | Closes Gap |
|---|---|---|---|---|
| 15 | Invite Landing / App Download | All | OB-1: No universal link / deep link handler | |
| 16 | New Account / Claim Invite (Mobile) | All | OB-2: Web complete — mobile native registration screen only | |
| 17 | ST Credential Upload | ST | OB-3: No credential verification | |
| 18 | Guardian Digital Consent | Guardian / PA | OB-4: Legal consent capture absent | |
| 19 | Minor Enrollment (PA) | PA | OB-5: No permit intake or photo capture | |
| 20 | Meal Break Timer / Log | ST | CA Labor Code meal break tracking absent | |
| 21 | Error / Offline State | All | No network error or offline state designed | |
| 22 | Session Expired Modal | All | Auth expiry handling absent | |
| 23 | Daily Compliance Report (PDF view) | ST / PA | No DLSE-ready report on device | |
| 24 | Night Wrap Countdown Modal | PA / ST | Night work restriction not enforced | |
| 25 | ST / Minor Ratio Dashboard Widget | PA | 1:10 ratio not enforced or visualized | |
| 26 | Production Setup Wizard (Web) | Admin / PA | OB-6: No production creation flow | |
| 27 | Permit Gate Error Screen | ST / PA | Expired permit does not block presence actions | |
| 28 | Empty State Screens (Roster, Timer, Msgs) | All | No empty states designed for first-use | |
| 29 | Passwordless Login / Mobile Verification (WishList) | All | OB-7: Wishlist enhancement (excluded from readiness scoring) |
All closed findings with resolution details — updated whenever a mitigation is applied. Most-recent entries first.
POST /api/bulletins/mark-read and records the read-receipt server-side. The button is replaced by a green "✓ Acknowledged" badge after confirmation. Already-read bulletins show the badge directly on open. The Edit button is now Admin-only (hidden from non-admins).API.RTSOracle.Service.pas GetRoster used SELECT DISTINCT … JOIN productionroles JOIN roles which produced one row per role assignment. Replaced with a STUFF/FOR XML PATH correlated subquery — single row per user, all roles comma-joined server-side.rts_state_type was missing 6 state codes (NOT_LANDED, LANDED_IDLE, HAS_CONCERN, IN_CUSTODY, IN_TRANSIT_TO_SET, ENDED). The COALESCE fell through to the raw code as its own label. All 6 rows inserted; server now returns plain-English labels directly.humaniseStateCode() remain active as defensive fallbacks.role: "Production Admin, Studio Teacher" (single row) and currentStateLabel: "Not on set" for multi-role Global Admin. Full dispatch smoke-test: Minor selected → Start Break committed → dashboard KPIs updated immediately.
<colgroup> + table-layout: fixed: State column 140 px, Role 110 px, Location 100 px.api.closeModal().
402 requiring return_url for redirect-capable methods.RegistrationController::createAndConfirmSignupPaymentIntent() is now explicitly card-only (payment_method_types=['card']) and disables automatic payment-method expansion (automatic_payment_methods.enabled=false).invi_invitations.ACCEPTED with accepted timestamps persisted.Invitations/Get with userId=0) failed DATETIME2 parsing in Delphi (expires_on) and intermittently surfaced "Invitation Not Available" on valid pending links. Laravel landing now applies a controlled preview fallback for that known defect and still enforces terminal-state gates (PENDING + not expired). Delphi source mirror was corrected to use FieldAsDateTime(...) in public expiry checks for next deploy.
#3), existing-user sign-in accept completed with known credentials (invite #5), and the earlier credential-mismatch existing-user case was closed after credential verification (invite #4 now ACCEPTED).
#6 (9BFADAA3E1CD4B7589E8B5E678901233) now renders the full public claim UI at /join/{code} with no degraded warning.
/api/maintenance/seed-families generated 2 guardian families with 4 minors in Production 1; /api/maintenance/seed-lesson-week generated week-ending lesson records for timer/reporting exercise.layouts/app.blade.php now guards those fetch paths with in-flight promises so each lookup runs once per active request and clears cleanly on completion.layouts/app.blade.php now uses single-flight guards, adaptive backoff, visibility-aware scheduling, production-context gating, and a consolidated poll path that avoids running both refreshBadge() and fetchQueue() in the same visible cycle./api/production-requests/queue, with queue behavior preserved. A follow-up steady-state cadence tune (45s base poll) reduced closed-panel baseline traffic further to approximately 0.86 calls/min.
bindUiActions() attached a click handler using confirmCurrentAlloc as an unscoped identifier, but that function was declared later as window.confirmCurrentAlloc = async function() {...}. In shell-injected execution this produced ReferenceError: confirmCurrentAlloc is not defined and halted initialization.window.* lookups for window-assigned handlers, preventing pre-definition reference failures while preserving delegated event behavior.https://pumpkintime.test/ confirmed Instruction Reporting loads the student pane and no longer hangs on Loading….
MsgX_EmitLog, making password reset and presence messaging difficult to verify operationally.ServerGlobals.EmitMsgXEvent(...) wrapper for Auth/Registration/Invitations and Realtime State flows; audit rows are written to MsgX_EmitLog with source, payload, dispatch attempt/success, and error fields./app/msgx_emit_diag) and API endpoint (/api/global-msgx/emit-log) were added for polling, filtering, and dequeue trigger validation.auth.password.reset.requested, MINOR_CONCERN_AUTO, and MINOR_LANDED with successful dispatch status.RealtimeState.Engine.pas as a client-owned TODO (FireMonkey/mobile subscribe/unsubscribe orchestration).
pt-hero pattern with descriptive subtitles
instead of custom prefix styles. Timesheets and Billing hero structures fixed to properly wrap
title+subtitle in a left container and actions in pt-hero-right, ensuring correct alignment and responsive behavior.
Invitations Manager and Instruction Reporting — both with non-standard custom layouts — now include standard
hero headers with title and subtitle context. All views validate with no syntax errors; all hero structures now follow the shared pattern
established in core app views.
pbExplainError function that detects session expiry, permission denial, and other common error states, returning
human-readable guidance instead of generic "Failed" messages. Applied to invoice/timesheet delete and save operations as a proof
of concept for systemic error standardization. Session expiry and permission errors now provide explicit re-auth or permission
guidance matching the My Groups hardening pattern.
app/Http/Controllers/Controller.php now own common auth, DataSnap error, and list-unwrapping behavior for the JsonResponse-based API layer.InstructionReportingApiController, InvitationManagerApiController, LessonBuilderController, ProfileApiController, and WalletApiController was repaired and revalidated.ProdController, GlobalDocsApiController, GlobalMsgxApiController) were migrated to explicit JsonResponse responses, and controller-level service factories that built new DataSnapClient() were migrated to constructor DI.onclick=, onchange=, oninput=, and onsubmit= attributes outside docs/mock/cache/vendor trees.dbo.request_status.status_name and dbo.request_status.isClosingStatus, replacing hardcoded frontend/backend status assumptions.Users.IsGlobalAdmin and role-table assumptions.Users.IsGlobalAdmin=1 as authoritative for global admin actions, while preserving role validation for invite targets. Invite permission checks were normalized to the current invi_* schema and role-class mapping.API.Payments.Service.pas
and API.Payments.Router.pas replace the legacy
TPaymentService singleton. GuaranteePayProfile creates
Stripe customers on demand; AddPaymentMethod attaches cards;
ChargeCustomer runs off-session charges. All charges logged to
payment_transactions with GUID idempotency keys.UserWallets credited). Drawer z-index fixed
(raised above Lesson Timers FAB). Fields clear after successful transaction./join/{code} route
handles invite accept for new and existing accounts. New users get a create-account
form; existing users sign in; already-authenticated users get a one-click accept.
Delphi Accept action creates the user account inline for new registrants,
then atomically writes productionusers + guardian_links.
Email template designer added to backlog.
ProdController, GlobalAdminController),
eliminating ~120 lines of duplicated auth and error-handling boilerplate. DataSnap
exceptions now consistently call report() across all controllers, closing a
silent error-swallowing gap.GlobalPaymentsApiController::recordPayment() was missing
ok:true in its response — every successful payment showed a false
error toast to the user. Fixed.bnCurrentUserId was never
populated from session. Fixed.admin_docs approve/reject optimistic update
set item.StatusName but the renderer reads item.Status —
badge showed stale status until next navigation. Fixed.window.ptEsc, window.ptCsrf,
window.ptPostJSON added to pt-shell.js as shared utilities,
replacing per-view copies across 19 blade files.
server.dll → restart & health-check → re-enable node
→ repeat for each node. Minimum 2 of 3 nodes remain live at all times. No user
session is dropped..copilot/docs/OPS-HAPROXY-ROLLING-DEPLOY-RUNBOOK.md; drain/enable
procedure is now standardized for ops use.
ServerMethodsUnit1 build artifact and establish a versioned CI/CD pipeline
for the Delphi DLL.
Invitation.Engine.pas and the existing
invite infrastructure in both the old and new system.
admin_docs). This covers ST license, CPR
cert, work permits, and any other role-required documents. The system automatically
flags missing or expired required docs and reminds users to update them. Remaining gap:
the mobile Profile screen (14) needs a shortcut link to the Documents module.
global_regulatory.blade.php.
All references to “no ruleset editor UI” have been corrected.
regulatory_rules and configured via Global
Regulatory. Both the assignment model and the ratio rule are built in.
Finding downgraded from Critical → High. Remaining gap: live ratio chip on the PA
mobile roster.