feat(commissions): add editable assignment and artwork linkage

feat(users): add managed users role and status controls
feat(navigation): complete menu and nested item management
2026-02-12 22:59:53 +01:00 · 2026-02-12 22:57:30 +01:00 · 2026-02-12 22:54:43 +01:00 · 2026-02-12 22:53:00 +01:00 · 2026-02-12 22:51:31 +01:00 · 2026-02-12 22:50:18 +01:00
18 changed files with 1171 additions and 151 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -137,21 +137,21 @@ This file is the single source of truth for roadmap and delivery progress.
 ### Admin App (Primary Focus)
 - [~] [P1] Page management (create/edit/publish/unpublish/schedule)
- [ ] [P1] Page builder with reusable content blocks (hero, rich text, gallery, CTA, forms, price cards)
+- [x] [P1] Page builder with reusable content blocks (hero, rich text, gallery, CTA, forms, price cards)
- [~] [P1] Navigation management (menus, nested items, order, visibility)
+- [x] [P1] Navigation management (menus, nested items, order, visibility)
 - [~] [P1] Media library (upload, browse, replace, delete) with media-type classification (artwork, banner, promo, generic, video/gif)
 - [x] [P1] Media enrichment metadata (alt text, copyright, author, source, tags, licensing, usage context)
 - [x] [P1] Portfolio grouping primitives (galleries, albums, categories, tags) with ordering/visibility controls
 - [x] [P1] Artwork refinement fields (medium, dimensions, year, framing, availability, price visibility)
- [ ] [P1] Artwork rendition management (thumbnail, card, full, retina/custom sizes)
+- [x] [P1] Artwork rendition management (thumbnail, card, full, retina/custom sizes)
- [ ] [P1] Type-specific processing presets (artwork/banner/promo/video/gif) with validation rules
+- [x] [P1] Type-specific processing presets (artwork/banner/promo/video/gif) with validation rules
- [ ] [P1] Users management (invite, roles, status)
+- [x] [P1] Users management (invite, roles, status)
- [ ] [P1] Disable/ban user function and enforcement in auth/session checks
+- [x] [P1] Disable/ban user function and enforcement in auth/session checks
- [~] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
+- [x] [P1] Owner/support protection rules in user management actions (cannot delete/demote)
- [~] [P1] Commissions management (request intake, owner, due date, notes, linked customer, linked artworks)
+- [x] [P1] Commissions management (request intake, owner, due date, notes, linked customer, linked artworks)
- [~] [P1] Customer records (contact profile, notes, consent flags, recurrence marker)
+- [x] [P1] Customer records (contact profile, notes, consent flags, recurrence marker)
- [~] [P1] Customer-to-commission linkage and reuse workflow (no re-entry for recurring customers)
+- [x] [P1] Customer-to-commission linkage and reuse workflow (no re-entry for recurring customers)
- [~] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done)
+- [x] [P1] Kanban workflow for commissions (new, scoped, in-progress, review, done)
 - [x] [P1] Header banner management (message, CTA, active window)
 - [~] [P1] Announcements management (prominent site notices with schedule, priority, and audience targeting)
 - [~] [P2] News/blog editorial workflow (draft/review/publish, authoring metadata)
@@ -363,6 +363,12 @@ This file is the single source of truth for roadmap and delivery progress.
 - [2026-02-12] Public portfolio baseline added with `/{locale}/portfolio` and `/{locale}/portfolio/{slug}`, including published-artwork filters (gallery/album/category/tag), rendition image streaming via web `/api/media/file/:id`, and media-aware artwork detail rendering.
 - [2026-02-12] Portfolio grouping controls completed in admin `/portfolio`: galleries/albums/categories/tags now support visibility and sort-order management (create/update/delete), and public tag filters now respect visibility.
 - [2026-02-12] Artwork refinement baseline completed: admin `/portfolio` now captures/edits medium, dimensions, year, framing, availability, publish state, and optional price visibility (`priceAmountCents` + `priceCurrency`), with public artwork detail rendering visible prices only.
 - [2026-02-12] Artwork rendition management completed: admin `/portfolio` supports `thumbnail/card/full/retina/custom` slot assignment with dimensions and primary flag, plus per-artwork rendition listing and delete controls.
 - [2026-02-12] Media type presets baseline completed in upload API: server-side validation now uses shared per-type rules (mime + max size) for `artwork/banner/promotion/video/gif/generic`, with optional env cap override via `CMS_MEDIA_UPLOAD_MAX_BYTES`.
 - [2026-02-12] Page builder reusable blocks completed: admin block editor now supports full field editing + ordering controls for hero/rich-text/gallery/cta/form/price-cards; public renderer includes form-link behavior for `contact`/`commission` keys.
 - [2026-02-12] Navigation management completed: admin `/navigation` now supports menu update/delete controls, nested item parent selection via menu-local dropdown, and full order/visibility updates across menus and items.
 - [2026-02-12] Users management baseline completed: admin `/users` now supports managed user creation, role changes (`admin/editor/manager`), status changes (ban/unban), and protected/system guardrails for role-change/delete/ban actions.
 - [2026-02-12] Commissions management completed: admin kanban cards now include inline detail editing (assignee/customer/budget/due date/notes), linked-artwork references via `linkedArtworkIds`, and creation/edit flows use assignable users instead of raw ID entry.
 - [2026-02-12] Public UX pass: commission request flow now reports explicit invalid budget range errors, and header navigation now falls back to localized defaults (`home`, `portfolio`, `news`, `commissions`) when no CMS menu exists; seed data now creates those default menu entries.
 - [2026-02-12] Added `e2e/public-rendering.pw.ts` web coverage for fallback navigation visibility, portfolio routes, and commission submission validation (invalid budget range + successful submission path).
 - [2026-02-12] Testing execution is temporarily paused for delivery velocity: root test scripts are stubbed and CI test steps are disabled; all testing backlog is consolidated under `MVP 3: Testing and Quality`.
--- a/apps/admin/src/app/api/media/upload/route.ts
+++ b/apps/admin/src/app/api/media/upload/route.ts
@@ -1,4 +1,9 @@
 import { randomUUID } from "node:crypto"
 import {
  getMediaUploadMaxBytes,
  isMimeAllowedForMediaType,
  mediaAssetTypeSchema,
 } from "@cms/content"
 import { hasPermission } from "@cms/content/rbac"
 import { createMediaAsset } from "@cms/db"
@@ -7,33 +12,7 @@ import { storeUpload } from "@/lib/media/storage"
 export const runtime = "nodejs"
-const MAX_UPLOAD_BYTES = Number(process.env.CMS_MEDIA_UPLOAD_MAX_BYTES ?? 25 * 1024 * 1024)
+const MAX_UPLOAD_BYTES_OVERRIDE = Number(process.env.CMS_MEDIA_UPLOAD_MAX_BYTES ?? 0)
 type AllowedRule = {
  mimePrefix?: string
  mimeExact?: string[]
 }
 const ALLOWED_MIME_BY_TYPE: Record<string, AllowedRule> = {
  artwork: {
    mimePrefix: "image/",
  },
  banner: {
    mimePrefix: "image/",
  },
  promotion: {
    mimePrefix: "image/",
  },
  video: {
    mimePrefix: "video/",
  },
  gif: {
    mimeExact: ["image/gif"],
  },
  generic: {
    mimePrefix: "",
  },
 }
 function parseTextField(formData: FormData, field: string): string {
  const value = formData.get(field)
@@ -88,24 +67,6 @@ function deriveTitleFromFilename(fileName: string): string {
  return normalized.length > 0 ? normalized : "Untitled media"
 }
 function isMimeAllowed(mediaType: string, mimeType: string): boolean {
  const rule = ALLOWED_MIME_BY_TYPE[mediaType]
  if (!rule) {
    return false
  }
  if (rule.mimeExact?.includes(mimeType)) {
    return true
  }
  if (rule.mimePrefix === "") {
    return true
  }
  return rule.mimePrefix ? mimeType.startsWith(rule.mimePrefix) : false
 }
 function badRequest(message: string): Response {
  return Response.json(
    {
@@ -147,12 +108,13 @@ export async function POST(request: Request): Promise<Response> {
    return badRequest("Invalid form payload.")
  }
-  const type = parseTextField(formData, "type")
+  const parsedType = mediaAssetTypeSchema.safeParse(parseTextField(formData, "type"))
  const fileEntry = formData.get("file")
-  if (!type) {
+  if (!parsedType.success) {
    return badRequest("Type is required.")
  }
  const type = parsedType.data
  if (!(fileEntry instanceof File)) {
    return badRequest("File is required.")
@@ -162,13 +124,17 @@ export async function POST(request: Request): Promise<Response> {
    return badRequest("File is empty.")
  }
-  if (fileEntry.size > MAX_UPLOAD_BYTES) {
+  const typeMaxBytes = getMediaUploadMaxBytes(type)
  const effectiveMaxBytes =
    MAX_UPLOAD_BYTES_OVERRIDE > 0 ? Math.min(MAX_UPLOAD_BYTES_OVERRIDE, typeMaxBytes) : typeMaxBytes
  if (fileEntry.size > effectiveMaxBytes) {
    return badRequest(
-      `File is too large. Maximum upload is ${Math.floor(MAX_UPLOAD_BYTES / 1024 / 1024)} MB.`,
+      `File is too large for ${type}. Maximum upload is ${Math.floor(effectiveMaxBytes / 1024 / 1024)} MB.`,
    )
  }
-  if (!isMimeAllowed(type, fileEntry.type)) {
+  if (!isMimeAllowedForMediaType(type, fileEntry.type)) {
    return badRequest(`File type ${fileEntry.type || "unknown"} is not allowed for ${type}.`)
  }
--- a/apps/admin/src/app/commissions/page.tsx
+++ b/apps/admin/src/app/commissions/page.tsx
@@ -2,8 +2,11 @@ import {
  commissionKanbanOrder,
  createCommission,
  createCustomer,
  db,
  listArtworks,
  listCommissions,
  listCustomers,
  updateCommission,
  updateCommissionStatus,
 } from "@cms/db"
 import { Button } from "@cms/ui/button"
@@ -67,6 +70,19 @@ function readNullableDate(formData: FormData, field: string): Date | null {
  return parsed
 }
 function readUuidList(formData: FormData, field: string): string[] {
  const raw = readInputString(formData, field)
  if (!raw) {
    return []
  }
  return raw
    .split(",")
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0)
 }
 function redirectWithState(params: { notice?: string; error?: string }) {
  const query = new URLSearchParams()
@@ -124,6 +140,7 @@ async function createCommissionAction(formData: FormData) {
      status: readInputString(formData, "status"),
      customerId: readNullableString(formData, "customerId"),
      assignedUserId: readNullableString(formData, "assignedUserId"),
      linkedArtworkIds: readUuidList(formData, "linkedArtworkIds"),
      budgetMin: readNullableNumber(formData, "budgetMin"),
      budgetMax: readNullableNumber(formData, "budgetMax"),
      dueAt: readNullableDate(formData, "dueAt"),
@@ -136,6 +153,35 @@ async function createCommissionAction(formData: FormData) {
  redirectWithState({ notice: "Commission created." })
 }
 async function updateCommissionAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/commissions",
    permission: "commissions:write",
    scope: "own",
  })
  try {
    await updateCommission({
      id: readInputString(formData, "id"),
      title: readInputString(formData, "title"),
      description: readNullableString(formData, "description"),
      customerId: readNullableString(formData, "customerId"),
      assignedUserId: readNullableString(formData, "assignedUserId"),
      linkedArtworkIds: readUuidList(formData, "linkedArtworkIds"),
      budgetMin: readNullableNumber(formData, "budgetMin"),
      budgetMax: readNullableNumber(formData, "budgetMax"),
      dueAt: readNullableDate(formData, "dueAt"),
    })
  } catch {
    redirectWithState({ error: "Failed to update commission details." })
  }
  revalidatePath("/commissions")
  redirectWithState({ notice: "Commission updated." })
 }
 async function updateCommissionStatusAction(formData: FormData) {
  "use server"
@@ -166,6 +212,14 @@ function formatDate(value: Date | null) {
  return value.toLocaleDateString("en-US")
 }
 function formatDateInput(value: Date | null) {
  if (!value) {
    return ""
  }
  return value.toISOString().slice(0, 10)
 }
 export default async function CommissionsManagementPage({
  searchParams,
 }: {
@@ -177,10 +231,22 @@ export default async function CommissionsManagementPage({
    scope: "own",
  })
-  const [resolvedSearchParams, customers, commissions] = await Promise.all([
+  const [resolvedSearchParams, customers, commissions, assignees, artworks] = await Promise.all([
    searchParams,
    listCustomers(200),
    listCommissions(300),
    db.user.findMany({
      where: {
        isBanned: false,
      },
      orderBy: [{ createdAt: "asc" }],
      select: {
        id: true,
        name: true,
        username: true,
      },
    }),
    listArtworks(300),
  ])
  const notice = readFirstValue(resolvedSearchParams.notice)
@@ -309,11 +375,18 @@ export default async function CommissionsManagementPage({
            </div>
            <div className="grid gap-3 md:grid-cols-3">
              <label className="space-y-1">
-                <span className="text-xs text-neutral-600">Assigned user id</span>
+                <span className="text-xs text-neutral-600">Assigned user</span>
-                <input
+                <select
                  name="assignedUserId"
                  className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
-                />
+                >
                  <option value="">(none)</option>
                  {assignees.map((assignee) => (
                    <option key={assignee.id} value={assignee.id}>
                      {assignee.name} @{assignee.username ?? "no-user"}
                    </option>
                  ))}
                </select>
              </label>
              <label className="space-y-1">
                <span className="text-xs text-neutral-600">Budget min</span>
@@ -344,6 +417,14 @@ export default async function CommissionsManagementPage({
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <label className="space-y-1">
              <span className="text-xs text-neutral-600">Linked artwork IDs (comma separated)</span>
              <textarea
                name="linkedArtworkIds"
                rows={2}
                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
              />
            </label>
            <Button type="submit">Create commission</Button>
          </form>
        </article>
@@ -383,6 +464,9 @@ export default async function CommissionsManagementPage({
                          <p className="text-xs text-neutral-600">
                            {commission.customer?.name ?? "No customer"}
                          </p>
                          <p className="text-xs text-neutral-500">
                            Assignee: {commission.assignedUser?.name ?? "none"}
                          </p>
                          <p className="text-xs text-neutral-500">
                            Due: {formatDate(commission.dueAt)}
                          </p>
@@ -406,6 +490,99 @@ export default async function CommissionsManagementPage({
                            Move
                          </button>
                        </div>
                        <details className="mt-2 rounded border border-neutral-200 p-2 text-xs">
                          <summary className="cursor-pointer text-neutral-700">
                            Edit details
                          </summary>
                          <form action={updateCommissionAction} className="mt-2 space-y-2">
                            <input type="hidden" name="id" value={commission.id} />
                            <input
                              name="title"
                              defaultValue={commission.title}
                              className="w-full rounded border border-neutral-300 px-2 py-1"
                            />
                            <textarea
                              name="description"
                              rows={2}
                              defaultValue={commission.description ?? ""}
                              className="w-full rounded border border-neutral-300 px-2 py-1"
                            />
                            <select
                              name="customerId"
                              defaultValue={commission.customerId ?? ""}
                              className="w-full rounded border border-neutral-300 px-2 py-1"
                            >
                              <option value="">(no customer)</option>
                              {customers.map((customer) => (
                                <option
                                  key={`${commission.id}-customer-${customer.id}`}
                                  value={customer.id}
                                >
                                  {customer.name}
                                </option>
                              ))}
                            </select>
                            <select
                              name="assignedUserId"
                              defaultValue={commission.assignedUserId ?? ""}
                              className="w-full rounded border border-neutral-300 px-2 py-1"
                            >
                              <option value="">(no assignee)</option>
                              {assignees.map((assignee) => (
                                <option
                                  key={`${commission.id}-assignee-${assignee.id}`}
                                  value={assignee.id}
                                >
                                  {assignee.name}
                                </option>
                              ))}
                            </select>
                            <div className="grid grid-cols-2 gap-2">
                              <input
                                name="budgetMin"
                                type="number"
                                min={0}
                                step="0.01"
                                defaultValue={commission.budgetMin ?? ""}
                                placeholder="Budget min"
                                className="rounded border border-neutral-300 px-2 py-1"
                              />
                              <input
                                name="budgetMax"
                                type="number"
                                min={0}
                                step="0.01"
                                defaultValue={commission.budgetMax ?? ""}
                                placeholder="Budget max"
                                className="rounded border border-neutral-300 px-2 py-1"
                              />
                            </div>
                            <input
                              name="dueAt"
                              type="date"
                              defaultValue={formatDateInput(commission.dueAt)}
                              className="w-full rounded border border-neutral-300 px-2 py-1"
                            />
                            <textarea
                              name="linkedArtworkIds"
                              rows={2}
                              defaultValue={commission.linkedArtworkIds.join(",")}
                              placeholder="Artwork IDs"
                              className="w-full rounded border border-neutral-300 px-2 py-1"
                            />
                            <button
                              type="submit"
                              className="rounded border border-neutral-300 px-2 py-1 text-xs"
                            >
                              Save details
                            </button>
                          </form>
                        </details>
                        {commission.linkedArtworkIds.length > 0 ? (
                          <p className="mt-2 text-[11px] text-neutral-500">
                            Linked artworks: {commission.linkedArtworkIds.length}
                          </p>
                        ) : null}
                      </form>
                    ))
                  )}
@@ -449,6 +626,24 @@ export default async function CommissionsManagementPage({
          </table>
        </div>
      </section>
      <section className="rounded-xl border border-neutral-200 p-6">
        <h2 className="text-xl font-medium">Artwork Reference</h2>
        <p className="mt-1 text-sm text-neutral-600">
          Use these IDs when linking artworks to commissions.
        </p>
        <div className="mt-3 max-h-64 overflow-auto rounded border border-neutral-200 p-3 text-xs">
          {artworks.length === 0 ? (
            <p className="text-neutral-500">No artworks available.</p>
          ) : (
            artworks.map((artwork) => (
              <p key={artwork.id} className="font-mono text-neutral-700">
                {artwork.id} - {artwork.title}
              </p>
            ))
          )}
        </div>
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/app/navigation/page.tsx
+++ b/apps/admin/src/app/navigation/page.tsx
@@ -2,9 +2,11 @@ import {
  createNavigationItem,
  createNavigationMenu,
  deleteNavigationItem,
  deleteNavigationMenu,
  listNavigationMenus,
  listPages,
  updateNavigationItem,
  updateNavigationMenu,
  upsertNavigationItemTranslation,
 } from "@cms/db"
 import { Button } from "@cms/ui/button"
@@ -131,6 +133,50 @@ async function createItemAction(formData: FormData) {
  redirectWithState({ notice: "Navigation item created." })
 }
 async function updateMenuAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/navigation",
    permission: "navigation:write",
    scope: "team",
  })
  try {
    await updateNavigationMenu({
      id: readInputString(formData, "id"),
      name: readInputString(formData, "name"),
      slug: readInputString(formData, "slug"),
      location: readInputString(formData, "location"),
      isVisible: readInputString(formData, "isVisible") === "true",
    })
  } catch {
    redirectWithState({ error: "Failed to update navigation menu." })
  }
  revalidatePath("/navigation")
  redirectWithState({ notice: "Navigation menu updated." })
 }
 async function deleteMenuAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/navigation",
    permission: "navigation:write",
    scope: "team",
  })
  try {
    await deleteNavigationMenu(readInputString(formData, "id"))
  } catch {
    redirectWithState({ error: "Failed to delete navigation menu." })
  }
  revalidatePath("/navigation")
  redirectWithState({ notice: "Navigation menu deleted." })
 }
 async function updateItemAction(formData: FormData) {
  "use server"
@@ -279,14 +325,58 @@ export default async function NavigationManagementPage({
        ) : (
          menus.map((menu) => (
            <article key={menu.id} className="rounded-xl border border-neutral-200 p-6">
-              <div className="flex flex-wrap items-center justify-between gap-2">
+              <form action={updateMenuAction} className="rounded border border-neutral-200 p-3">
-                <h3 className="text-lg font-medium">
+                <input type="hidden" name="id" value={menu.id} />
-                  {menu.name} <span className="text-sm text-neutral-500">({menu.location})</span>
+                <div className="grid gap-3 md:grid-cols-4">
-                </h3>
+                  <label className="space-y-1">
-                <span className="text-xs text-neutral-500">
+                    <span className="text-xs text-neutral-600">Menu name</span>
-                  {menu.isVisible ? "visible" : "hidden"}
+                    <input
-                </span>
+                      name="name"
-              </div>
+                      defaultValue={menu.name}
                      className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                    />
                  </label>
                  <label className="space-y-1">
                    <span className="text-xs text-neutral-600">Slug</span>
                    <input
                      name="slug"
                      defaultValue={menu.slug}
                      className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                    />
                  </label>
                  <label className="space-y-1">
                    <span className="text-xs text-neutral-600">Location</span>
                    <input
                      name="location"
                      defaultValue={menu.location}
                      className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                    />
                  </label>
                  <label className="space-y-1">
                    <span className="text-xs text-neutral-600">Visible</span>
                    <select
                      name="isVisible"
                      defaultValue={menu.isVisible ? "true" : "false"}
                      className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
                    >
                      <option value="true">Visible</option>
                      <option value="false">Hidden</option>
                    </select>
                  </label>
                </div>
                <div className="mt-3 flex items-center gap-2">
                  <Button type="submit" size="sm">
                    Save menu
                  </Button>
                  <button
                    type="submit"
                    formAction={deleteMenuAction}
                    className="rounded-md border border-red-300 px-3 py-2 text-sm text-red-700"
                  >
                    Delete menu
                  </button>
                </div>
              </form>
              <div className="mt-4 space-y-3">
                {menu.items.length === 0 ? (
@@ -348,11 +438,20 @@ export default async function NavigationManagementPage({
                            </label>
                            <label className="space-y-1">
                              <span className="text-xs text-neutral-600">Parent id</span>
-                              <input
+                              <select
                                name="parentId"
                                defaultValue={item.parentId ?? ""}
                                className="w-full rounded border border-neutral-300 px-3 py-2 text-sm"
-                              />
+                              >
                                <option value="">(none)</option>
                                {menu.items
                                  .filter((entry) => entry.id !== item.id)
                                  .map((entry) => (
                                    <option key={`${item.id}-parent-${entry.id}`} value={entry.id}>
                                      {entry.label}
                                    </option>
                                  ))}
                              </select>
                            </label>
                          </div>
--- a/apps/admin/src/app/portfolio/page.tsx
+++ b/apps/admin/src/app/portfolio/page.tsx
@@ -5,6 +5,7 @@ import {
  createCategory,
  createGallery,
  createTag,
  deleteArtworkRendition,
  deleteGrouping,
  linkArtworkToGrouping,
  listArtworks,
@@ -316,6 +317,21 @@ async function attachRenditionAction(formData: FormData) {
  redirectWithState({ notice: "Rendition attached." })
 }
 async function deleteRenditionAction(formData: FormData) {
  "use server"
  await requireWritePermission()
  try {
    await deleteArtworkRendition(readField(formData, "renditionId"))
  } catch {
    redirectWithState({ error: "Failed to delete rendition." })
  }
  revalidatePath("/portfolio")
  redirectWithState({ notice: "Rendition deleted." })
 }
 export default async function PortfolioPage({
  searchParams,
 }: {
@@ -641,6 +657,7 @@ export default async function PortfolioPage({
            <option value="thumbnail">thumbnail</option>
            <option value="card">card</option>
            <option value="full">full</option>
            <option value="retina">retina</option>
            <option value="custom">custom</option>
          </select>
          <input
@@ -719,7 +736,40 @@ export default async function PortfolioPage({
                        ? `price: ${(artwork.priceAmountCents / 100).toFixed(2)} ${artwork.priceCurrency} (${artwork.isPriceVisible ? "visible" : "hidden"})`
                        : "price: -"}
                    </td>
-                    <td className="py-3 pr-4">{artwork.renditions.length}</td>
+                    <td className="py-3 pr-4">
                      <div className="space-y-1">
                        {artwork.renditions.length === 0 ? (
                          <span className="text-xs text-neutral-500">0</span>
                        ) : (
                          artwork.renditions.map((rendition) => (
                            <form
                              key={rendition.id}
                              action={deleteRenditionAction}
                              className="flex items-center gap-2 text-xs"
                            >
                              <input type="hidden" name="renditionId" value={rendition.id} />
                              <span className="rounded bg-neutral-100 px-2 py-1 font-mono">
                                {rendition.slot}
                              </span>
                              <span className="text-neutral-500">
                                {rendition.width ?? "-"}x{rendition.height ?? "-"}
                              </span>
                              {rendition.isPrimary ? (
                                <span className="rounded bg-emerald-100 px-2 py-1 text-emerald-700">
                                  primary
                                </span>
                              ) : null}
                              <button
                                type="submit"
                                className="rounded border border-red-300 px-2 py-1 text-red-700 hover:bg-red-50"
                              >
                                delete
                              </button>
                            </form>
                          ))
                        )}
                      </div>
                    </td>
                    <td className="py-3 pr-4 text-neutral-600">
                      g:{artwork.galleryLinks.length} a:{artwork.albumLinks.length} c:
                      {artwork.categoryLinks.length} t:{artwork.tagLinks.length}
--- a/apps/admin/src/app/users/page.tsx
+++ b/apps/admin/src/app/users/page.tsx
@@ -1,34 +1,425 @@
-import { AdminSectionPlaceholder } from "@/components/admin-section-placeholder"
+import { hasPermission, normalizeRole, type Role } from "@cms/content/rbac"
 import { db } from "@cms/db"
 import { Button } from "@cms/ui/button"
 import { revalidatePath } from "next/cache"
 import { headers } from "next/headers"
 import { redirect } from "next/navigation"
 import { AdminShell } from "@/components/admin-shell"
 import {
  auth,
  canDeleteUserAccount,
  createManagedUserAccount,
  enforceOwnerInvariant,
 } from "@/lib/auth/server"
 import { requirePermissionForRoute } from "@/lib/route-guards"
 export const dynamic = "force-dynamic"
-export default async function UsersManagementPage() {
+const MANAGED_ROLES: Role[] = ["admin", "editor", "manager"]
 type SearchParamsInput = Record<string, string | string[] | undefined>
 function readFirstValue(value: string | string[] | undefined): string | null {
  if (Array.isArray(value)) {
    return value[0] ?? null
  }
  return value ?? null
 }
 function readInputString(formData: FormData, field: string): string {
  const value = formData.get(field)
  return typeof value === "string" ? value.trim() : ""
 }
 function redirectWithState(params: { notice?: string; error?: string }) {
  const query = new URLSearchParams()
  if (params.notice) {
    query.set("notice", params.notice)
  }
  if (params.error) {
    query.set("error", params.error)
  }
  const value = query.toString()
  redirect(value ? `/users?${value}` : "/users")
 }
 async function createUserAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/users",
    permission: "users:write",
    scope: "team",
  })
  const role = normalizeRole(readInputString(formData, "role"))
  if (!role || !MANAGED_ROLES.includes(role)) {
    return redirectWithState({ error: "Invalid role for managed user creation." })
  }
  try {
    await createManagedUserAccount({
      email: readInputString(formData, "email"),
      username: readInputString(formData, "username") || undefined,
      name: readInputString(formData, "name"),
      password: readInputString(formData, "password"),
      role,
    })
  } catch (error) {
    const message = error instanceof Error ? error.message : "Failed to create user."
    redirectWithState({ error: message })
  }
  revalidatePath("/users")
  redirectWithState({ notice: "User account created." })
 }
 async function updateUserRoleAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/users",
    permission: "users:manage_roles",
    scope: "global",
  })
  const userId = readInputString(formData, "userId")
  const role = normalizeRole(readInputString(formData, "role"))
  if (!role || !MANAGED_ROLES.includes(role)) {
    return redirectWithState({ error: "Only admin/editor/manager can be assigned here." })
  }
  const user = await db.user.findUnique({
    where: { id: userId },
    select: { id: true, isProtected: true, isSystem: true },
  })
  if (!user) {
    return redirectWithState({ error: "User not found." })
  }
  if (user.isProtected || user.isSystem) {
    return redirectWithState({ error: "Protected/system users cannot be role-edited." })
  }
  try {
    await db.user.update({
      where: { id: userId },
      data: { role },
    })
    await enforceOwnerInvariant()
  } catch {
    redirectWithState({ error: "Failed to update user role." })
  }
  revalidatePath("/users")
  redirectWithState({ notice: "User role updated." })
 }
 async function updateUserBanAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/users",
    permission: "users:write",
    scope: "team",
  })
  const userId = readInputString(formData, "userId")
  const isBanned = readInputString(formData, "isBanned") === "true"
  const user = await db.user.findUnique({
    where: { id: userId },
    select: { id: true, isProtected: true, isSystem: true },
  })
  if (!user) {
    return redirectWithState({ error: "User not found." })
  }
  if ((user.isProtected || user.isSystem) && isBanned) {
    return redirectWithState({ error: "Protected/system users cannot be banned." })
  }
  try {
    await db.user.update({
      where: { id: userId },
      data: { isBanned },
    })
    await enforceOwnerInvariant()
  } catch {
    redirectWithState({ error: "Failed to update user status." })
  }
  revalidatePath("/users")
  redirectWithState({ notice: isBanned ? "User banned." : "User unbanned." })
 }
 async function deleteUserAction(formData: FormData) {
  "use server"
  await requirePermissionForRoute({
    nextPath: "/users",
    permission: "users:write",
    scope: "team",
  })
  const userId = readInputString(formData, "userId")
  const isAllowed = await canDeleteUserAccount(userId)
  if (!isAllowed) {
    return redirectWithState({
      error: "User cannot be deleted due to protection or owner constraints.",
    })
  }
  try {
    await db.user.delete({
      where: { id: userId },
    })
    await enforceOwnerInvariant()
  } catch {
    redirectWithState({ error: "Failed to delete user." })
  }
  revalidatePath("/users")
  redirectWithState({ notice: "User deleted." })
 }
 export default async function UsersManagementPage({
  searchParams,
 }: {
  searchParams: Promise<SearchParamsInput>
 }) {
  const role = await requirePermissionForRoute({
    nextPath: "/users",
    permission: "users:read",
    scope: "own",
  })
  const session = await auth.api
    .getSession({
      headers: await headers(),
    })
    .catch(() => null)
  const viewerId = session?.user?.id ?? null
  const canWriteUsers = hasPermission(role, "users:write", "team")
  const canManageRoles = hasPermission(role, "users:manage_roles", "global")
  const canReadGlobal = hasPermission(role, "users:read", "global")
  const [resolvedSearchParams, users] = await Promise.all([
    searchParams,
    db.user.findMany({
      where: canReadGlobal
        ? undefined
        : viewerId
          ? {
              id: viewerId,
            }
          : {
              id: "__none__",
            },
      orderBy: [{ createdAt: "desc" }],
      select: {
        id: true,
        email: true,
        username: true,
        name: true,
        role: true,
        isBanned: true,
        isSystem: true,
        isHidden: true,
        isProtected: true,
        createdAt: true,
      },
    }),
  ])
  const notice = readFirstValue(resolvedSearchParams.notice)
  const error = readFirstValue(resolvedSearchParams.error)
  return (
    <AdminShell
      role={role}
      activePath="/users"
      badge="Admin App"
      title="Users"
-      description="Prepare user lifecycle and role management operations."
+      description="Manage internal users, roles, and account status."
    >
-      <AdminSectionPlaceholder
+      {notice ? (
-        feature="Users Management"
+        <section className="rounded-xl border border-emerald-300 bg-emerald-50 px-4 py-3 text-sm text-emerald-800">
-        summary="This route sets the guardrail and UX entrypoint for role assignment, status, and invitation flows."
+          {notice}
-        requiredPermission="users:read (own)"
+        </section>
-        nextSteps={[
+      ) : null}
-          "Add user list, filter, and detail views.",
+      {error ? (
-          "Add role and permission editing actions with owner/support safety rules.",
+        <section className="rounded-xl border border-red-300 bg-red-50 px-4 py-3 text-sm text-red-800">
-          "Add disable/ban and invite workflows.",
+          {error}
-        ]}
+        </section>
-      />
+      ) : null}
      {canWriteUsers ? (
        <section className="rounded-xl border border-neutral-200 p-6">
          <h2 className="text-xl font-medium">Create managed user</h2>
          <form action={createUserAction} className="mt-4 grid gap-3 md:grid-cols-2 lg:grid-cols-3">
            <input
              name="name"
              required
              placeholder="Name"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
            <input
              name="email"
              required
              type="email"
              placeholder="Email"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
            <input
              name="username"
              placeholder="Username (optional)"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
            <input
              name="password"
              required
              type="password"
              placeholder="Temporary password"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            />
            <select
              name="role"
              defaultValue="editor"
              className="rounded border border-neutral-300 px-3 py-2 text-sm"
            >
              <option value="editor">editor</option>
              <option value="manager">manager</option>
              <option value="admin">admin</option>
            </select>
            <div className="md:col-span-2 lg:col-span-3">
              <Button type="submit">Create user</Button>
            </div>
          </form>
        </section>
      ) : null}
      <section className="rounded-xl border border-neutral-200 p-6">
        <h2 className="text-xl font-medium">User accounts</h2>
        <div className="mt-4 overflow-x-auto">
          <table className="min-w-full text-left text-sm">
            <thead className="text-xs uppercase tracking-wide text-neutral-500">
              <tr>
                <th className="py-2 pr-4">User</th>
                <th className="py-2 pr-4">Role</th>
                <th className="py-2 pr-4">Status</th>
                <th className="py-2 pr-4">Flags</th>
                <th className="py-2 pr-4">Created</th>
                <th className="py-2 pr-4">Actions</th>
              </tr>
            </thead>
            <tbody>
              {users.length === 0 ? (
                <tr>
                  <td className="py-3 text-neutral-500" colSpan={6}>
                    No users found.
                  </td>
                </tr>
              ) : (
                users.map((user) => (
                  <tr key={user.id} className="border-t border-neutral-200 align-top">
                    <td className="py-3 pr-4">
                      <p className="font-medium">{user.name}</p>
                      <p className="text-xs text-neutral-600">{user.email}</p>
                      <p className="text-xs text-neutral-500">@{user.username ?? "no-username"}</p>
                    </td>
                    <td className="py-3 pr-4">{user.role}</td>
                    <td className="py-3 pr-4">{user.isBanned ? "banned" : "active"}</td>
                    <td className="py-3 pr-4 text-xs text-neutral-600">
                      {user.isProtected ? "protected " : ""}
                      {user.isSystem ? "system " : ""}
                      {user.isHidden ? "hidden" : ""}
                    </td>
                    <td className="py-3 pr-4 text-xs text-neutral-600">
                      {user.createdAt.toLocaleString("en-US")}
                    </td>
                    <td className="py-3 pr-4">
                      <div className="grid min-w-56 gap-2">
                        {canManageRoles ? (
                          <form action={updateUserRoleAction} className="flex gap-2">
                            <input type="hidden" name="userId" value={user.id} />
                            <select
                              name="role"
                              defaultValue={
                                MANAGED_ROLES.includes(user.role as Role) ? user.role : "editor"
                              }
                              disabled={user.isProtected || user.isSystem}
                              className="w-full rounded border border-neutral-300 px-2 py-1 text-xs"
                            >
                              <option value="editor">editor</option>
                              <option value="manager">manager</option>
                              <option value="admin">admin</option>
                            </select>
                            <Button
                              type="submit"
                              size="sm"
                              variant="secondary"
                              disabled={user.isProtected || user.isSystem}
                            >
                              Role
                            </Button>
                          </form>
                        ) : null}
                        {canWriteUsers ? (
                          <form action={updateUserBanAction} className="flex gap-2">
                            <input type="hidden" name="userId" value={user.id} />
                            <select
                              name="isBanned"
                              defaultValue={user.isBanned ? "true" : "false"}
                              disabled={user.isProtected || user.isSystem}
                              className="w-full rounded border border-neutral-300 px-2 py-1 text-xs"
                            >
                              <option value="false">active</option>
                              <option value="true">banned</option>
                            </select>
                            <Button
                              type="submit"
                              size="sm"
                              variant="secondary"
                              disabled={user.isProtected || user.isSystem}
                            >
                              Status
                            </Button>
                          </form>
                        ) : null}
                        {canWriteUsers ? (
                          <form action={deleteUserAction}>
                            <input type="hidden" name="userId" value={user.id} />
                            <button
                              type="submit"
                              disabled={user.isProtected || user.isSystem}
                              className="rounded border border-red-300 px-3 py-1.5 text-xs text-red-700 disabled:cursor-not-allowed disabled:opacity-50"
                            >
                              Delete user
                            </button>
                          </form>
                        ) : null}
                      </div>
                    </td>
                  </tr>
                ))
              )}
            </tbody>
          </table>
        </div>
      </section>
    </AdminShell>
  )
 }
--- a/apps/admin/src/components/pages/page-block-editor.tsx
+++ b/apps/admin/src/components/pages/page-block-editor.tsx
@@ -43,6 +43,25 @@ function updateBlock(blocks: PageBlocks, blockId: string, next: Partial<PageBloc
  )
 }
 function moveBlock(blocks: PageBlocks, blockId: string, direction: "up" | "down"): PageBlocks {
  const index = blocks.findIndex((entry) => entry.id === blockId)
  if (index < 0) {
    return blocks
  }
  const nextIndex = direction === "up" ? index - 1 : index + 1
  if (nextIndex < 0 || nextIndex >= blocks.length) {
    return blocks
  }
  const next = [...blocks]
  const current = next[index]
  next[index] = next[nextIndex]
  next[nextIndex] = current
  return next
 }
 export function PageBlockEditor({
  name,
  initialContent,
@@ -156,13 +175,29 @@ export function PageBlockEditor({
              <span>
                #{index + 1} {block.type}
              </span>
-              <button
+              <div className="flex items-center gap-2">
-                type="button"
+                <button
-                className="rounded border px-2 py-1"
+                  type="button"
-                onClick={() => setBlocks((prev) => prev.filter((entry) => entry.id !== block.id))}
+                  className="rounded border px-2 py-1"
-              >
+                  onClick={() => setBlocks((prev) => moveBlock(prev, block.id, "up"))}
-                Remove
+                >
-              </button>
+                  Up
                </button>
                <button
                  type="button"
                  className="rounded border px-2 py-1"
                  onClick={() => setBlocks((prev) => moveBlock(prev, block.id, "down"))}
                >
                  Down
                </button>
                <button
                  type="button"
                  className="rounded border px-2 py-1"
                  onClick={() => setBlocks((prev) => prev.filter((entry) => entry.id !== block.id))}
                >
                  Remove
                </button>
              </div>
            </div>
            {block.type === "hero" ? (
@@ -187,6 +222,26 @@ export function PageBlockEditor({
                  placeholder="Subheading"
                  className="rounded border border-neutral-300 px-2 py-1 text-sm"
                />
                <input
                  value={block.ctaLabel ?? ""}
                  onChange={(event) =>
                    setBlocks((prev) =>
                      updateBlock(prev, block.id, { ctaLabel: event.target.value || null }),
                    )
                  }
                  placeholder="CTA label"
                  className="rounded border border-neutral-300 px-2 py-1 text-sm"
                />
                <input
                  value={block.ctaHref ?? ""}
                  onChange={(event) =>
                    setBlocks((prev) =>
                      updateBlock(prev, block.id, { ctaHref: event.target.value || null }),
                    )
                  }
                  placeholder="CTA href"
                  className="rounded border border-neutral-300 px-2 py-1 text-sm"
                />
              </div>
            ) : null}
@@ -203,22 +258,34 @@ export function PageBlockEditor({
            ) : null}
            {block.type === "gallery" ? (
-              <textarea
+              <div className="space-y-2">
-                rows={3}
+                <input
-                value={block.imageIds.join(",")}
+                  value={block.title ?? ""}
-                onChange={(event) =>
+                  onChange={(event) =>
-                  setBlocks((prev) =>
+                    setBlocks((prev) =>
-                    updateBlock(prev, block.id, {
+                      updateBlock(prev, block.id, { title: event.target.value || null }),
-                      imageIds: event.target.value
+                    )
-                        .split(",")
+                  }
-                        .map((entry) => entry.trim())
+                  placeholder="Gallery title"
-                        .filter((entry) => entry.length > 0),
+                  className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
-                    }),
+                />
-                  )
+                <textarea
-                }
+                  rows={3}
-                placeholder="Media asset IDs (comma separated UUIDs)"
+                  value={block.imageIds.join(",")}
-                className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
+                  onChange={(event) =>
-              />
+                    setBlocks((prev) =>
                      updateBlock(prev, block.id, {
                        imageIds: event.target.value
                          .split(",")
                          .map((entry) => entry.trim())
                          .filter((entry) => entry.length > 0),
                      }),
                    )
                  }
                  placeholder="Media asset IDs (comma separated UUIDs)"
                  className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
                />
              </div>
            ) : null}
            {block.type === "cta" ? (
@@ -239,50 +306,101 @@ export function PageBlockEditor({
                  placeholder="Link href"
                  className="rounded border border-neutral-300 px-2 py-1 text-sm"
                />
                <select
                  value={block.variant}
                  onChange={(event) =>
                    setBlocks((prev) =>
                      updateBlock(prev, block.id, {
                        variant: event.target.value as "primary" | "secondary",
                      }),
                    )
                  }
                  className="rounded border border-neutral-300 px-2 py-1 text-sm"
                >
                  <option value="primary">Primary</option>
                  <option value="secondary">Secondary</option>
                </select>
              </div>
            ) : null}
            {block.type === "form" ? (
-              <input
+              <div className="space-y-2">
-                value={block.formKey}
+                <input
-                onChange={(event) =>
+                  value={block.formKey}
-                  setBlocks((prev) => updateBlock(prev, block.id, { formKey: event.target.value }))
+                  onChange={(event) =>
-                }
+                    setBlocks((prev) =>
-                placeholder="Form key (e.g. contact, commission)"
+                      updateBlock(prev, block.id, { formKey: event.target.value }),
-                className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
+                    )
-              />
+                  }
                  placeholder="Form key (e.g. contact, commission)"
                  className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
                />
                <input
                  value={block.title ?? ""}
                  onChange={(event) =>
                    setBlocks((prev) =>
                      updateBlock(prev, block.id, { title: event.target.value || null }),
                    )
                  }
                  placeholder="Form title"
                  className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
                />
                <textarea
                  rows={2}
                  value={block.description ?? ""}
                  onChange={(event) =>
                    setBlocks((prev) =>
                      updateBlock(prev, block.id, { description: event.target.value || null }),
                    )
                  }
                  placeholder="Form description"
                  className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
                />
              </div>
            ) : null}
            {block.type === "price_cards" ? (
-              <textarea
+              <div className="space-y-2">
-                rows={4}
+                <input
-                value={block.cards
+                  value={block.title ?? ""}
-                  .map((card) => [card.name, card.price ?? "", card.description ?? ""].join("|"))
+                  onChange={(event) =>
-                  .join("\n")}
+                    setBlocks((prev) =>
-                onChange={(event) =>
+                      updateBlock(prev, block.id, { title: event.target.value || null }),
-                  setBlocks((prev) =>
+                    )
-                    updateBlock(prev, block.id, {
+                  }
-                      cards: event.target.value
+                  placeholder="Price card section title"
-                        .split("\n")
+                  className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
-                        .map((line) => line.trim())
+                />
-                        .filter((line) => line.length > 0)
+                <textarea
-                        .map((line, lineIndex) => {
+                  rows={4}
-                          const [name, price, description] = line
+                  value={block.cards
-                            .split("|")
+                    .map((card) => [card.name, card.price ?? "", card.description ?? ""].join("|"))
-                            .map((entry) => entry.trim())
+                    .join("\n")}
-                          return {
+                  onChange={(event) =>
-                            id: `card-${lineIndex}`,
+                    setBlocks((prev) =>
-                            name: name || `Card ${lineIndex + 1}`,
+                      updateBlock(prev, block.id, {
-                            price: price || null,
+                        cards: event.target.value
-                            description: description || null,
+                          .split("\n")
-                          }
+                          .map((line) => line.trim())
-                        }),
+                          .filter((line) => line.length > 0)
-                    }),
+                          .map((line, lineIndex) => {
-                  )
+                            const [name, price, description] = line
-                }
+                              .split("|")
-                placeholder="One card per line: Name|Price|Description"
+                              .map((entry) => entry.trim())
-                className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
+                            return {
-              />
+                              id: `card-${lineIndex}`,
                              name: name || `Card ${lineIndex + 1}`,
                              price: price || null,
                              description: description || null,
                            }
                          }),
                      }),
                    )
                  }
                  placeholder="One card per line: Name|Price|Description"
                  className="w-full rounded border border-neutral-300 px-2 py-1 text-sm"
                />
              </div>
            ) : null}
          </article>
        ))}
--- a/apps/admin/src/lib/auth/server.ts
+++ b/apps/admin/src/lib/auth/server.ts
@@ -375,6 +375,63 @@ export async function ensureSupportUserBootstrap(): Promise<void> {
  }
 }
 const MANAGED_USER_ROLE_ALLOWLIST = new Set<Role>(["admin", "editor", "manager"])
 export async function createManagedUserAccount(input: {
  email: string
  username?: string | null
  name: string
  password: string
  role: string
 }): Promise<{ id: string; email: string; username: string | null; role: string }> {
  const normalizedEmail = input.email.trim().toLowerCase()
  const normalizedRole = normalizeRole(input.role)
  if (!normalizedRole || !MANAGED_USER_ROLE_ALLOWLIST.has(normalizedRole)) {
    throw new Error("Unsupported role for managed user account")
  }
  const existing = await db.user.findUnique({
    where: { email: normalizedEmail },
    select: { id: true, isProtected: true, isSystem: true },
  })
  if (existing) {
    if (existing.isProtected || existing.isSystem) {
      throw new Error("Cannot mutate protected/system account via managed user provisioning")
    }
    throw new Error("A user with this email already exists")
  }
  const preferredUsername =
    normalizeUsernameCandidate(input.username) ??
    normalizeUsernameCandidate(extractEmailLocalPart(normalizedEmail)) ??
    "user"
  await ensureCredentialUser({
    email: normalizedEmail,
    username: preferredUsername,
    name: input.name.trim(),
    password: input.password,
    role: normalizedRole,
    isHidden: false,
    isSystem: false,
    isProtected: false,
  })
  const created = await db.user.findUnique({
    where: { email: normalizedEmail },
    select: { id: true, email: true, username: true, role: true },
  })
  if (!created) {
    throw new Error("Managed user provisioning failed")
  }
  return created
 }
 const DEFAULT_E2E_ADMIN_EMAIL = "e2e-admin@cms.local"
 const DEFAULT_E2E_ADMIN_USERNAME = "e2e-admin"
 const DEFAULT_E2E_ADMIN_PASSWORD = "e2e-admin-password"
--- a/apps/web/src/components/public-page-view.tsx
+++ b/apps/web/src/components/public-page-view.tsx
@@ -12,6 +12,16 @@ type PublicPageViewProps = {
  page: PageEntity
 }
 function resolveFormLink(formKey: string): { href: string; label: string } {
  const normalized = formKey.trim().toLowerCase()
  if (normalized === "commission" || normalized === "commissions") {
    return { href: "/commissions", label: "Open commission form" }
  }
  return { href: `/#form-${normalized || "contact"}`, label: "Open contact form" }
 }
 export function PublicPageView({ page }: PublicPageViewProps) {
  const blocks = (() => {
    try {
@@ -106,6 +116,7 @@ export function PublicPageView({ page }: PublicPageViewProps) {
          }
          if (block.type === "form") {
            const formLink = resolveFormLink(block.formKey)
            return (
              <section key={block.id} className="space-y-2 rounded border border-neutral-200 p-4">
                <h3 className="text-lg font-medium">{block.title || "Form block"}</h3>
@@ -113,6 +124,12 @@ export function PublicPageView({ page }: PublicPageViewProps) {
                  {block.description || "Form integration pending."}
                </p>
                <p className="text-xs text-neutral-500">formKey: {block.formKey}</p>
                <a
                  href={formLink.href}
                  className="inline-flex rounded border border-neutral-300 px-3 py-1.5 text-sm"
                >
                  {formLink.label}
                </a>
              </section>
            )
          }
--- a/packages/content/src/commissions.ts
+++ b/packages/content/src/commissions.ts
@@ -23,7 +23,21 @@ export const createCommissionInputSchema = z.object({
  description: z.string().max(4000).nullable().optional(),
  status: commissionStatusSchema.default("new"),
  customerId: z.string().uuid().nullable().optional(),
-  assignedUserId: z.string().max(120).nullable().optional(),
+  assignedUserId: z.string().uuid().nullable().optional(),
  linkedArtworkIds: z.array(z.string().uuid()).default([]),
  budgetMin: z.number().nonnegative().nullable().optional(),
  budgetMax: z.number().nonnegative().nullable().optional(),
  dueAt: z.date().nullable().optional(),
 })
 export const updateCommissionInputSchema = z.object({
  id: z.string().uuid(),
  title: z.string().min(1).max(180).optional(),
  description: z.string().max(4000).nullable().optional(),
  status: commissionStatusSchema.optional(),
  customerId: z.string().uuid().nullable().optional(),
  assignedUserId: z.string().uuid().nullable().optional(),
  linkedArtworkIds: z.array(z.string().uuid()).optional(),
  budgetMin: z.number().nonnegative().nullable().optional(),
  budgetMax: z.number().nonnegative().nullable().optional(),
  dueAt: z.date().nullable().optional(),
@@ -57,6 +71,7 @@ export const updateCommissionStatusInputSchema = z.object({
 export type CommissionStatus = z.infer<typeof commissionStatusSchema>
 export type CreateCustomerInput = z.infer<typeof createCustomerInputSchema>
 export type CreateCommissionInput = z.infer<typeof createCommissionInputSchema>
 export type UpdateCommissionInput = z.infer<typeof updateCommissionInputSchema>
 export type CreatePublicCommissionRequestInput = z.infer<
  typeof createPublicCommissionRequestInputSchema
 >
--- a/packages/content/src/media.ts
+++ b/packages/content/src/media.ts
@@ -9,7 +9,57 @@ export const mediaAssetTypeSchema = z.enum([
  "generic",
 ])
-export const artworkRenditionSlotSchema = z.enum(["thumbnail", "card", "full", "custom"])
+export type MediaUploadRule = {
  maxBytes: number
  allowedMimePrefix?: string
  allowedMimeExact?: string[]
 }
 export const mediaUploadRulesByType: Record<MediaAssetType, MediaUploadRule> = {
  artwork: {
    maxBytes: 40 * 1024 * 1024,
    allowedMimePrefix: "image/",
  },
  banner: {
    maxBytes: 20 * 1024 * 1024,
    allowedMimePrefix: "image/",
  },
  promotion: {
    maxBytes: 20 * 1024 * 1024,
    allowedMimePrefix: "image/",
  },
  video: {
    maxBytes: 250 * 1024 * 1024,
    allowedMimePrefix: "video/",
  },
  gif: {
    maxBytes: 40 * 1024 * 1024,
    allowedMimeExact: ["image/gif"],
  },
  generic: {
    maxBytes: 50 * 1024 * 1024,
  },
 }
 export function isMimeAllowedForMediaType(type: MediaAssetType, mimeType: string): boolean {
  const rule = mediaUploadRulesByType[type]
  if (rule.allowedMimeExact?.includes(mimeType)) {
    return true
  }
  if (rule.allowedMimePrefix) {
    return mimeType.startsWith(rule.allowedMimePrefix)
  }
  return true
 }
 export function getMediaUploadMaxBytes(type: MediaAssetType): number {
  return mediaUploadRulesByType[type].maxBytes
 }
 export const artworkRenditionSlotSchema = z.enum(["thumbnail", "card", "full", "retina", "custom"])
 export const createMediaAssetInputSchema = z.object({
  id: z.string().uuid().optional(),
--- a/packages/content/src/pages-navigation.ts
+++ b/packages/content/src/pages-navigation.ts
@@ -133,6 +133,14 @@ export const createNavigationMenuInputSchema = z.object({
  isVisible: z.boolean().default(true),
 })
 export const updateNavigationMenuInputSchema = z.object({
  id: z.string().uuid(),
  name: z.string().min(1).max(180).optional(),
  slug: z.string().min(1).max(180).optional(),
  location: z.string().min(1).max(80).optional(),
  isVisible: z.boolean().optional(),
 })
 export const createNavigationItemInputSchema = z.object({
  menuId: z.string().uuid(),
  label: z.string().min(1).max(180),
@@ -157,6 +165,7 @@ export type CreatePageInput = z.infer<typeof createPageInputSchema>
 export type UpdatePageInput = z.infer<typeof updatePageInputSchema>
 export type UpsertPageTranslationInput = z.infer<typeof upsertPageTranslationInputSchema>
 export type CreateNavigationMenuInput = z.infer<typeof createNavigationMenuInputSchema>
 export type UpdateNavigationMenuInput = z.infer<typeof updateNavigationMenuInputSchema>
 export type CreateNavigationItemInput = z.infer<typeof createNavigationItemInputSchema>
 export type UpdateNavigationItemInput = z.infer<typeof updateNavigationItemInputSchema>
 export type PageBlock = z.infer<typeof pageBlockSchema>
--- a/packages/db/prisma/migrations/20260213012000_commission_linked_artworks/migration.sql
+++ b/packages/db/prisma/migrations/20260213012000_commission_linked_artworks/migration.sql
@@ -0,0 +1,2 @@
 ALTER TABLE "Commission"
 ADD COLUMN "linkedArtworkIds" TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[];
--- a/packages/db/prisma/schema.prisma
+++ b/packages/db/prisma/schema.prisma
@@ -386,6 +386,7 @@ model Commission {
  status         String
  customerId     String?
  assignedUserId String?
  linkedArtworkIds String[] @default([])
  budgetMin      Float?
  budgetMax      Float?
  dueAt          DateTime?
--- a/packages/db/src/commissions.ts
+++ b/packages/db/src/commissions.ts
@@ -3,6 +3,7 @@ import {
  createCommissionInputSchema,
  createCustomerInputSchema,
  createPublicCommissionRequestInputSchema,
  updateCommissionInputSchema,
  updateCommissionStatusInputSchema,
 } from "@cms/content"
@@ -57,6 +58,16 @@ export async function createCommission(input: unknown) {
  })
 }
 export async function updateCommission(input: unknown) {
  const payload = updateCommissionInputSchema.parse(input)
  const { id, ...data } = payload
  return db.commission.update({
    where: { id },
    data,
  })
 }
 export async function createPublicCommissionRequest(input: unknown) {
  const payload = createPublicCommissionRequestInputSchema.parse(input)
  const normalizedEmail = payload.customerEmail.trim().toLowerCase()
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -14,6 +14,7 @@ export {
  createPublicCommissionRequest,
  listCommissions,
  listCustomers,
  updateCommission,
  updateCommissionStatus,
 } from "./commissions"
 export {
@@ -24,6 +25,7 @@ export {
  createGallery,
  createMediaAsset,
  createTag,
  deleteArtworkRendition,
  deleteGrouping,
  deleteMediaAsset,
  getMediaAssetById,
@@ -45,6 +47,7 @@ export {
  createNavigationMenu,
  createPage,
  deleteNavigationItem,
  deleteNavigationMenu,
  deletePage,
  getPageById,
  getPublishedPageBySlug,
@@ -55,6 +58,7 @@ export {
  listPublicNavigation,
  listPublishedPageSlugs,
  updateNavigationItem,
  updateNavigationMenu,
  updatePage,
  upsertNavigationItemTranslation,
  upsertPageTranslation,
--- a/packages/db/src/media-foundation.ts
+++ b/packages/db/src/media-foundation.ts
@@ -33,10 +33,14 @@ export async function listArtworks(limit = 24) {
    take: limit,
    include: {
      renditions: {
        orderBy: [{ isPrimary: "desc" }, { updatedAt: "desc" }],
        select: {
          id: true,
          slot: true,
          mediaAssetId: true,
          width: true,
          height: true,
          isPrimary: true,
        },
      },
      galleryLinks: {
@@ -340,6 +344,12 @@ export async function attachArtworkRendition(input: unknown) {
  })
 }
 export async function deleteArtworkRendition(id: string) {
  return db.artworkRendition.delete({
    where: { id },
  })
 }
 export async function getMediaFoundationSummary() {
  const [mediaAssets, artworks, galleries, albums, categories, tags] = await Promise.all([
    db.mediaAsset.count(),
@@ -473,6 +483,7 @@ export async function listPublishedArtworks(input: ListPublishedArtworksInput =
            isPublished: true,
          },
        },
        orderBy: [{ isPrimary: "desc" }, { updatedAt: "desc" }],
        include: {
          mediaAsset: {
            select: {
@@ -547,6 +558,7 @@ export async function getPublishedArtworkBySlug(slug: string) {
            isPublished: true,
          },
        },
        orderBy: [{ isPrimary: "desc" }, { updatedAt: "desc" }],
        include: {
          mediaAsset: {
            select: {
--- a/packages/db/src/pages-navigation.ts
+++ b/packages/db/src/pages-navigation.ts
@@ -3,6 +3,7 @@ import {
  createNavigationMenuInputSchema,
  createPageInputSchema,
  updateNavigationItemInputSchema,
  updateNavigationMenuInputSchema,
  updatePageInputSchema,
  upsertPageTranslationInputSchema,
 } from "@cms/content"
@@ -297,6 +298,22 @@ export async function createNavigationMenu(input: unknown) {
  })
 }
 export async function updateNavigationMenu(input: unknown) {
  const payload = updateNavigationMenuInputSchema.parse(input)
  const { id, ...data } = payload
  return db.navigationMenu.update({
    where: { id },
    data,
  })
 }
 export async function deleteNavigationMenu(id: string) {
  return db.navigationMenu.delete({
    where: { id },
  })
 }
 export async function createNavigationItem(input: unknown) {
  const payload = createNavigationItemInputSchema.parse(input)
Author	SHA1	Message	Date
Citali	741883465c	feat(commissions): add editable assignment and artwork linkage	2026-02-12 22:59:53 +01:00
Citali	7a82934fe7	feat(users): add managed users role and status controls	2026-02-12 22:57:30 +01:00
Citali	473433b220	feat(navigation): complete menu and nested item management	2026-02-12 22:54:43 +01:00
Citali	987843d96b	feat(pages): complete reusable page block editor controls	2026-02-12 22:53:00 +01:00
Citali	c6ebf3759a	feat(media): add type-specific upload preset validation	2026-02-12 22:51:31 +01:00
Citali	81983cfe40	feat(portfolio): add rendition management controls	2026-02-12 22:50:18 +01:00
		`@@ -0,0 +1,2 @@`
							`ALTER TABLE "Commission"`
							`ADD COLUMN "linkedArtworkIds" TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[];`