Handover workspace

ERS, Todo, OfferReview, and Docu in one view

Imported from live server docs, code structure, and deployment notes.

Apr 3, 2026, 12:38 PM

OfferReview

Implementation Blueprint

You are my senior full-stack engineer. We are building an internal web app called **Offer Review System** using **Next.js (App Router) monorepo** with API routes in the same repo, **Postgres + Prisma**, JWT auth in httpOnly cookies, S3-compatible document storage, and Resend for email. The product is defined by Wireframes **W1–W18** and must be implemented **one wireframe at a time**.

docs/03-implementation-blueprint.md

Updated Feb 19, 2026, 6:59 AM

Codex 5.3 Refactor Note: Canonical refactor plan: docs/CODEX-5.3-REFACTOR-PLAN.md. This document is retained for historical and implementation context during the refactor.

Non-negotiable rules

  1. Implement ONLY the current wireframe I ask for. Do not implement future wireframes.
  2. For each wireframe, output in this exact structure:
    • A. Summary (what you will implement)
    • B. Routes (pages + API endpoints touched)
    • C. Data model changes (Prisma schema changes + migration name)
    • D. UI components (files to create/update)
    • E. API logic (files to create/update)
    • F. RBAC checks (who can access/do what)
    • G. Audit events (event names + what fields are logged)
    • H. Test checklist (manual tests I can run)
  3. Use a "minimal working vertical slice": UI + API + DB + audit (and notifications only if that wireframe needs it).
  4. No applicant communications. All notifications are internal.
  5. Always keep code simple and consistent with existing patterns in the repo.

Core workflow states

NEW → HR_SCREENED → MANAGER_EVAL_PENDING → MANAGER_REVIEWED → TO_SMO → (APPROVED / REJECTED / KIV)

Roles

HR, Manager, SMO, Admin (RBAC enforced server-side on every endpoint).

Current Wireframe to implement

WIREFRAME: W1 Login (with Forgot Password link and Request Access link)

W1 Acceptance Criteria

  • Login form (email/password), client validation, loading state, error states
  • POST /api/auth/login issues JWT in httpOnly cookie
  • RBAC routing after login:
    • HR/Manager/SMO -> /dashboard
    • Admin -> /admin/access-requests
  • "Forgot password?" link to /forgot-password (page stub ok if not implementing full flow yet)
  • "Submit a registration request" link to /request-access (page stub ok if not implementing full flow yet)
  • Audit event: USER_LOGIN_SUCCESS / USER_LOGIN_FAILED (append-only)
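The following is an added, framework-agnostic sketch of the W1 login core (example code, not from the project repo): credential check, HS256 JWT in an httpOnly cookie, role-based redirect target, and the append-only audit event as a returned value. It assumes a cookie named `session`, scrypt password hashing, an in-memory `Map` standing in for the Prisma `User` table, and that the caller persists the returned `audit` record and sets the `Set-Cookie` header.

```typescript
import { createHmac, scryptSync, timingSafeEqual } from "node:crypto";

type Role = "HR" | "Manager" | "SMO" | "Admin";
interface User { id: string; email: string; role: Role; salt: string; passwordHash: string }
interface AuditEvent { event: "USER_LOGIN_SUCCESS" | "USER_LOGIN_FAILED"; email: string; userId?: string; at: string }
interface LoginResult { status: 200 | 401; setCookie?: string; redirectTo?: string; audit: AuditEvent }

// Assumption: in the real app this comes from an environment variable, never from source.
const JWT_SECRET = "dev-only-secret-change-me";
const b64url = (s: string) => Buffer.from(s).toString("base64url");
const hashPassword = (pw: string, salt: string) => scryptSync(pw, salt, 32).toString("hex");

// Minimal HS256 JWT; the role claim is what server-side RBAC reads on later requests.
export function signJwt(payload: Record<string, unknown>): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", JWT_SECRET).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}
// W1 post-login routing: Admin goes to access requests, everyone else to the dashboard.
export function redirectFor(role: Role): string {
  return role === "Admin" ? "/admin/access-requests" : "/dashboard";
}

export function login(email: string, password: string, users: Map<string, User>): LoginResult {
  const at = new Date().toISOString();
  const user = users.get(email.trim().toLowerCase());
  // Hash even when the account does not exist so response time does not reveal valid emails.
  const candidate = Buffer.from(hashPassword(password, user?.salt ?? "no-such-user-salt"), "hex");
  const ok = user !== undefined && timingSafeEqual(candidate, Buffer.from(user.passwordHash, "hex"));
  if (!user || !ok) {
    // The failed audit event records the attempted email only, never the password.
    return { status: 401, audit: { event: "USER_LOGIN_FAILED", email, at } };
  }
  const token = signJwt({ sub: user.id, role: user.role, exp: Math.floor(Date.now() / 1000) + 8 * 3600 });
  return {
    status: 200,
    // HttpOnly keeps the token away from page scripts; Secure + SameSite limit leakage and CSRF.
    setCookie: `session=${token}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=28800`,
    redirectTo: redirectFor(user.role),
    audit: { event: "USER_LOGIN_SUCCESS", email, userId: user.id, at },
  };
}
// Constructed sample accounts standing in for the Prisma User table (not real credentials).
export function sampleUsers(): Map<string, User> {
  const mk = (id: string, email: string, role: Role, pw: string): [string, User] =>
    [email, { id, email, role, salt: `salt-${id}`, passwordHash: hashPassword(pw, `salt-${id}`) }];
  return new Map([mk("u1", "hr@example.com", "HR", "correct horse"), mk("u2", "admin@example.com", "Admin", "admin pass")]);
}
```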

Constraints

  • Use Prisma for DB access.
  • Keep UI minimal and clean.
  • Do not add extra features not required by W1.