npm - create-crm-starter - Versions diffs - 0.1.0 - Mend

create-crm-starter 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

package/template/extras/mobile-api/drizzle/src/app/api/mobile/v1/jobs/[id]/time/clock-in/route.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import type { NextRequest } from 'next/server';
+import { and, eq, isNull } from 'drizzle-orm';
+import { db } from '@/db/client';
+import { timeEntries } from '@/db/schema';
+import { json, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/**
+ * POST /api/mobile/v1/jobs/:id/time/clock-in
+ * Opens a time entry. If one is already open on this job for this user it's
+ * returned as-is (idempotent — no double clock-in).
+ */
+export async function POST(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const { id } = await params;
+  const [open] = await db
+    .select({ id: timeEntries.id })
+    .from(timeEntries)
+    .where(
+      and(eq(timeEntries.jobId, id), eq(timeEntries.userId, user.id), isNull(timeEntries.clockOut)),
+    )
+    .limit(1);
+  if (open) return json({ entryId: open.id, alreadyOpen: true });
+  const [row] = await db
+    .insert(timeEntries)
+    .values({ jobId: id, userId: user.id })
+    .returning({ id: timeEntries.id });
+  return json({ entryId: row.id });
+}

package/template/extras/mobile-api/drizzle/src/app/api/mobile/v1/jobs/[id]/time/clock-out/route.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import type { NextRequest } from 'next/server';
+import { and, eq, isNull } from 'drizzle-orm';
+import { db } from '@/db/client';
+import { timeEntries } from '@/db/schema';
+import { json, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/**
+ * POST /api/mobile/v1/jobs/:id/time/clock-out
+ * Closes this tech's open time entry on the job.
+ */
+export async function POST(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const { id } = await params;
+  await db
+    .update(timeEntries)
+    .set({ clockOut: new Date() })
+    .where(
+      and(eq(timeEntries.jobId, id), eq(timeEntries.userId, user.id), isNull(timeEntries.clockOut)),
+    );
+  return json({ ok: true });
+}

package/template/extras/mobile-api/drizzle/src/app/api/mobile/v1/jobs/[id]/time/route.ts ADDED Viewed

@@ -0,0 +1,36 @@
+import type { NextRequest } from 'next/server';
+import { and, desc, eq } from 'drizzle-orm';
+import { db } from '@/db/client';
+import { timeEntries } from '@/db/schema';
+import { json, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/**
+ * GET /api/mobile/v1/jobs/:id/time
+ * Returns this tech's time entries on the job + the id of any open entry
+ * (clocked in, not yet out) so the app can show a running timer.
+ */
+export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const { id } = await params;
+  const rows = await db
+    .select()
+    .from(timeEntries)
+    .where(and(eq(timeEntries.jobId, id), eq(timeEntries.userId, user.id)))
+    .orderBy(desc(timeEntries.clockIn));
+  const open = rows.find((r) => r.clockOut === null);
+  return json({
+    entries: rows.map((r) => ({
+      id: r.id,
+      clockIn: r.clockIn.toISOString(),
+      clockOut: r.clockOut ? r.clockOut.toISOString() : null,
+    })),
+    openEntryId: open?.id ?? null,
+  });
+}

package/template/extras/mobile-api/drizzle/src/app/api/mobile/v1/jobs/route.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import type { NextRequest } from 'next/server';
+import { getJobs } from '@/lib/jobs/data';
+import { json, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/**
+ * GET /api/mobile/v1/jobs?scope=today|mine|all
+ * Technicians get only the jobs assigned to them; dispatchers/admins get
+ * all. `scope=today` further limits to jobs scheduled for the current day.
+ */
+export async function GET(req: NextRequest) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const scope = req.nextUrl.searchParams.get('scope') ?? 'mine';
+  const all = await getJobs();
+  // Field techs only ever see their own work; office roles see everything.
+  let jobs = user.role === 'technician' ? all.filter((j) => j.assigneeIds.includes(user.id)) : all;
+  if (scope === 'today') {
+    const today = new Date().toISOString().slice(0, 10);
+    jobs = jobs.filter((j) => j.scheduledAt?.slice(0, 10) === today);
+  }
+  return json({ jobs });
+}

package/template/extras/mobile-api/drizzle/src/app/api/mobile/v1/me/route.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import type { NextRequest } from 'next/server';
+import { business } from '@/lib/business';
+import { json, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/**
+ * GET /api/mobile/v1/me
+ * Returns the signed-in user + the business branding the app uses to theme
+ * itself and confirm which company this build points at.
+ */
+export async function GET(req: NextRequest) {
+  const user = await requireApiUser(req);
+  if (user instanceof Response) return user;
+  return json({
+    user: { id: user.id, email: user.email, name: user.name, role: user.role },
+    business: {
+      name: business.name,
+      phone: business.phone,
+      brand: business.brand,
+    },
+  });
+}

package/template/extras/mobile-api/drizzle/src/app/api/mobile/v1/uploads/sign/route.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import crypto from 'node:crypto';
+import type { NextRequest } from 'next/server';
+import { PutObjectCommand } from '@aws-sdk/client-s3';
+import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
+import { isR2Configured, publicUrlFor, r2BucketName, r2Client } from '@/lib/r2';
+import { json, jsonError, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/**
+ * POST /api/mobile/v1/uploads/sign   body: { jobId, contentType, ext? }
+ * Returns a short-lived presigned R2 PUT URL. The app uploads the photo
+ * bytes directly to R2 (so large images never pass through the serverless
+ * function), then records the attachment via POST /jobs/:id/attachments
+ * using the returned { key, publicUrl }.
+ */
+export async function POST(req: NextRequest) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  if (!isR2Configured) {
+    return jsonError(503, 'File storage (R2) is not configured on this deployment.');
+  }
+  const body = (await req.json().catch(() => ({}))) as {
+    jobId?: string;
+    contentType?: string;
+    ext?: string;
+  };
+  if (!body.jobId || !body.contentType) {
+    return jsonError(400, 'jobId and contentType are required');
+  }
+  const safeExt = body.ext ? `.${body.ext.replace(/[^a-z0-9]/gi, '').toLowerCase()}` : '';
+  const key = `jobs/${body.jobId}/${crypto.randomBytes(8).toString('hex')}${safeExt}`;
+  const uploadUrl = await getSignedUrl(
+    r2Client,
+    new PutObjectCommand({ Bucket: r2BucketName, Key: key, ContentType: body.contentType }),
+    { expiresIn: 600 },
+  );
+  return json({ uploadUrl, key, publicUrl: publicUrlFor(key) });
+}

package/template/extras/mobile-api/drizzle/src/db/schema/push-tokens.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { pgTable, text, timestamp, uuid } from 'drizzle-orm/pg-core';
+import { user } from './auth';
+/**
+ * Expo push notification tokens, one row per device a technician signs in
+ * on. The field-tech iPhone app registers its Expo push token here on
+ * login (POST /api/mobile/v1/devices); the server sends "new job assigned"
+ * pushes to every token owned by the assignee.
+ */
+export const pushTokens = pgTable('push_tokens', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  userId: text('user_id')
+    .notNull()
+    .references(() => user.id, { onDelete: 'cascade' }),
+  expoToken: text('expo_token').notNull().unique(),
+  platform: text('platform').notNull().default('ios'),
+  createdAt: timestamp('created_at').notNull().defaultNow(),
+});
+export type PushTokenRow = typeof pushTokens.$inferSelect;
+export type NewPushToken = typeof pushTokens.$inferInsert;

package/template/extras/mobile-api/drizzle/src/db/schema/time-entries.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import { pgTable, text, timestamp, uuid } from 'drizzle-orm/pg-core';
+import { user } from './auth';
+import { jobs } from './jobs';
+/**
+ * Labor time entries — one row per clock-in/out a technician does on a job
+ * from the field app. An open entry has clockOut = null.
+ */
+export const timeEntries = pgTable('time_entries', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  jobId: uuid('job_id')
+    .notNull()
+    .references(() => jobs.id, { onDelete: 'cascade' }),
+  userId: text('user_id')
+    .notNull()
+    .references(() => user.id, { onDelete: 'cascade' }),
+  clockIn: timestamp('clock_in').notNull().defaultNow(),
+  clockOut: timestamp('clock_out'),
+  createdAt: timestamp('created_at').notNull().defaultNow(),
+});
+export type TimeEntryRow = typeof timeEntries.$inferSelect;
+export type NewTimeEntry = typeof timeEntries.$inferInsert;

package/template/extras/mobile-api/drizzle/src/lib/mobile/cors.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import { NextResponse } from 'next/server';
+/**
+ * Shared JSON + CORS helpers for the mobile API (`/api/mobile/v1/*`).
+ *
+ * Native apps don't enforce CORS, but Expo Web and the Expo dev client do,
+ * so we send permissive headers. These endpoints authenticate with a
+ * bearer token (not cookies), so `Access-Control-Allow-Origin: *` is safe —
+ * there are no ambient credentials to leak.
+ */
+const CORS_HEADERS: Record<string, string> = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Methods': 'GET,POST,PUT,DELETE,OPTIONS',
+  'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+};
+export function json(data: unknown, status = 200): NextResponse {
+  const res = NextResponse.json(data, { status });
+  for (const [k, v] of Object.entries(CORS_HEADERS)) res.headers.set(k, v);
+  return res;
+}
+export function jsonError(status: number, message: string): NextResponse {
+  return json({ error: message }, status);
+}
+/** Export as the route's `OPTIONS` handler to answer CORS preflight. */
+export function preflight(): NextResponse {
+  return new NextResponse(null, { status: 204, headers: CORS_HEADERS });
+}

package/template/extras/mobile-api/drizzle/src/lib/mobile/guard.ts ADDED Viewed

@@ -0,0 +1,49 @@
+import type { NextRequest } from 'next/server';
+import { auth } from '@/lib/auth';
+import type { AppRole, AppUser } from '@/lib/auth-server';
+import { jsonError } from './cors';
+function normalizeRole(role: string | null | undefined): AppRole {
+  switch (role) {
+    case 'admin':
+    case 'dispatcher':
+    case 'technician':
+    case 'csr':
+    case 'sales':
+    case 'accountant':
+      return role;
+    default:
+      return 'csr';
+  }
+}
+/**
+ * Resolves the bearer-token (or cookie) session for a mobile API request.
+ * Returns the AppUser on success, or a 401/403 Response to return directly:
+ *
+ *   const user = await requireApiUser(req, ['technician', 'dispatcher']);
+ *   if (user instanceof Response) return user;
+ *
+ * `admin` always passes the role check. Pass no roles to allow any signed-in
+ * user.
+ */
+export async function requireApiUser(
+  req: NextRequest,
+  roles?: AppRole[],
+): Promise<AppUser | Response> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session?.user) return jsonError(401, 'Unauthorized');
+  const u = session.user as { id: string; email: string; name: string | null; role?: string | null };
+  const user: AppUser = {
+    id: u.id,
+    email: u.email,
+    name: u.name,
+    role: normalizeRole(u.role),
+  };
+  if (roles && roles.length > 0 && user.role !== 'admin' && !roles.includes(user.role)) {
+    return jsonError(403, 'Forbidden');
+  }
+  return user;
+}

package/template/extras/mobile-api/drizzle/src/lib/push/send.ts ADDED Viewed

@@ -0,0 +1,56 @@
+import 'server-only';
+import { eq } from 'drizzle-orm';
+import { db } from '@/db/client';
+import { pushTokens } from '@/db/schema';
+export interface PushMessage {
+  title: string;
+  body: string;
+  data?: Record<string, unknown>;
+}
+/**
+ * Sends an Expo push notification to every device a user has registered.
+ * Uses Expo's hosted push service — no API key required for basic sends
+ * (set EXPO_ACCESS_TOKEN to use an authorized sender). Best-effort: failures
+ * are logged, never thrown, so a push problem can't break the calling action.
+ *
+ * See https://docs.expo.dev/push-notifications/sending-notifications/
+ */
+export async function sendPushToUser(userId: string, message: PushMessage): Promise<void> {
+  let tokens: { expoToken: string }[] = [];
+  try {
+    tokens = await db
+      .select({ expoToken: pushTokens.expoToken })
+      .from(pushTokens)
+      .where(eq(pushTokens.userId, userId));
+  } catch (err) {
+    console.error('[push] failed to load tokens', err);
+    return;
+  }
+  if (tokens.length === 0) return;
+  const payload = tokens.map((t) => ({
+    to: t.expoToken,
+    sound: 'default',
+    title: message.title,
+    body: message.body,
+    data: message.data ?? {},
+  }));
+  try {
+    await fetch('https://exp.host/--/api/v2/push/send', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Accept: 'application/json',
+        ...(process.env.EXPO_ACCESS_TOKEN
+          ? { Authorization: `Bearer ${process.env.EXPO_ACCESS_TOKEN}` }
+          : {}),
+      },
+      body: JSON.stringify(payload),
+    });
+  } catch (err) {
+    console.error('[push] send failed', err);
+  }
+}

package/template/extras/mobile-api/estimates/src/app/api/mobile/v1/estimates/route.ts ADDED Viewed

@@ -0,0 +1,52 @@
+import type { NextRequest } from 'next/server';
+import { db } from '@/db/client';
+import { estimates } from '@/db/schema';
+import type { EstimateLineItem, EstimateStatus } from '@/lib/estimates/types';
+import { json, jsonError, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/**
+ * POST /api/mobile/v1/estimates
+ * body: { customerId, lineItems[], notes?, validUntil?, status? }
+ * Creates an estimate from the field (mirrors the web createEstimate minus
+ * the redirect). Default status 'sent' so the customer can review it.
+ */
+export async function POST(req: NextRequest) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const body = (await req.json().catch(() => ({}))) as {
+    customerId?: string;
+    lineItems?: EstimateLineItem[];
+    notes?: string;
+    validUntil?: string;
+    status?: EstimateStatus;
+  };
+  if (!body.customerId) return jsonError(400, 'customerId is required');
+  const lineItems = body.lineItems ?? [];
+  if (lineItems.length === 0) return jsonError(400, 'At least one line item is required');
+  const subtotal = lineItems.reduce((acc, li) => acc + li.qty * li.unitPrice, 0);
+  const totalCost = lineItems.reduce((acc, li) => acc + li.qty * (li.unitCost ?? 0), 0);
+  const status: EstimateStatus = body.status ?? 'sent';
+  const [row] = await db
+    .insert(estimates)
+    .values({
+      customerId: body.customerId,
+      status,
+      lineItems,
+      subtotal,
+      total: subtotal,
+      totalCost,
+      notes: body.notes ?? null,
+      validUntil: body.validUntil ? new Date(body.validUntil) : null,
+      sentAt: status === 'sent' ? new Date() : null,
+    })
+    .returning({ id: estimates.id });
+  return json({ estimateId: row.id });
+}

package/template/extras/mobile-api/estimates/src/app/api/mobile/v1/price-book/route.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { NextRequest } from 'next/server';
+import { getPriceBook } from '@/lib/price-book/data';
+import { json, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/** GET /api/mobile/v1/price-book — categories + items for the field estimate builder. */
+export async function GET(req: NextRequest) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  return json({ categories: await getPriceBook() });
+}

package/template/extras/mobile-api/invoices/src/app/api/mobile/v1/invoices/[id]/payments/route.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import type { NextRequest } from 'next/server';
+import { recordInvoicePayment } from '@/lib/invoices/actions';
+import { PAYMENT_METHODS, type PaymentMethod } from '@/lib/invoices/types';
+import { json, jsonError, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/**
+ * POST /api/mobile/v1/invoices/:id/payments   body: { amount, method, note? }
+ * Records a manual payment taken in the field (cash/check). Card payments go
+ * through the hosted /i/[token] page instead. Reuses recordInvoicePayment,
+ * which recomputes the invoice balance + status.
+ */
+export async function POST(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const { id } = await params;
+  const body = (await req.json().catch(() => ({}))) as {
+    amount?: number;
+    method?: string;
+    note?: string;
+  };
+  if (!body.amount || body.amount <= 0) return jsonError(400, 'A positive amount (cents) is required');
+  const method = (body.method ?? 'cash') as PaymentMethod;
+  if (!PAYMENT_METHODS.includes(method)) return jsonError(400, 'Invalid payment method');
+  await recordInvoicePayment({ invoiceId: id, amount: body.amount, method, note: body.note });
+  return json({ ok: true });
+}

package/template/extras/mobile-api/invoices/src/app/api/mobile/v1/invoices/[id]/route.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { NextRequest } from 'next/server';
+import { eq } from 'drizzle-orm';
+import { db } from '@/db/client';
+import { invoices } from '@/db/schema';
+import { getInvoice } from '@/lib/invoices/data';
+import { json, jsonError, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/** GET /api/mobile/v1/invoices/:id — full invoice + payments + pay link. */
+export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const { id } = await params;
+  const invoice = await getInvoice(id);
+  if (!invoice) return jsonError(404, 'Invoice not found');
+  const [row] = await db
+    .select({ publicToken: invoices.publicToken })
+    .from(invoices)
+    .where(eq(invoices.id, id))
+    .limit(1);
+  return json({ invoice, payPath: row ? `/i/${row.publicToken}` : null });
+}

package/template/extras/mobile-api/invoices/src/app/api/mobile/v1/jobs/[id]/invoice/route.ts ADDED Viewed

@@ -0,0 +1,82 @@
+import crypto from 'node:crypto';
+import type { NextRequest } from 'next/server';
+import { desc, eq } from 'drizzle-orm';
+import { db } from '@/db/client';
+import { invoices, jobs } from '@/db/schema';
+import { getInvoice } from '@/lib/invoices/data';
+import type { InvoiceLineItem } from '@/lib/invoices/types';
+import { json, jsonError, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+function genInvoiceNumber(): string {
+  const year = new Date().getUTCFullYear();
+  return `INV-${year}-${crypto.randomBytes(3).toString('hex').toUpperCase()}`;
+}
+/** GET /api/mobile/v1/jobs/:id/invoice — the latest invoice for a job (or null). */
+export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const { id } = await params;
+  const [row] = await db
+    .select({ id: invoices.id, publicToken: invoices.publicToken })
+    .from(invoices)
+    .where(eq(invoices.jobId, id))
+    .orderBy(desc(invoices.createdAt))
+    .limit(1);
+  if (!row) return json({ invoice: null });
+  const invoice = await getInvoice(row.id);
+  return json({ invoice, payPath: `/i/${row.publicToken}` });
+}
+/**
+ * POST /api/mobile/v1/jobs/:id/invoice
+ * Generates an invoice from the job's line items (mirrors the web
+ * createInvoiceFromJob, minus the redirect). Returns the pay link the app
+ * opens for card payment.
+ */
+export async function POST(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const { id } = await params;
+  const [job] = await db.select().from(jobs).where(eq(jobs.id, id)).limit(1);
+  if (!job) return jsonError(404, 'Job not found');
+  const lineItems = (job.lineItems as InvoiceLineItem[]).map((li) => ({
+    description: li.description,
+    qty: li.qty,
+    unitPrice: li.unitPrice,
+    taxable: true,
+  }));
+  const total = lineItems.reduce((acc, li) => acc + li.qty * li.unitPrice, 0);
+  if (total <= 0) return jsonError(400, 'Job has no priced line items to invoice.');
+  const dueDate = new Date();
+  dueDate.setDate(dueDate.getDate() + 30);
+  const publicToken = crypto.randomBytes(16).toString('hex');
+  const [row] = await db
+    .insert(invoices)
+    .values({
+      invoiceNumber: genInvoiceNumber(),
+      customerId: job.customerId,
+      jobId: job.id,
+      status: 'sent',
+      lineItems,
+      subtotal: total,
+      total,
+      amountPaid: 0,
+      publicToken,
+      dueDate,
+      sentAt: new Date(),
+    })
+    .returning({ id: invoices.id });
+  return json({ invoiceId: row.id, publicToken, payPath: `/i/${publicToken}` });
+}

package/template/extras/mobile-api/sms/src/app/api/mobile/v1/sms/send/route.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import type { NextRequest } from 'next/server';
+import { sendSmsRaw } from '@/lib/sms/actions';
+import { json, jsonError, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/**
+ * POST /api/mobile/v1/sms/send   body: { to, body, customerId? }
+ * Sends an SMS via Twilio (reuses sendSmsRaw, which also persists the
+ * outbound message). 503 if Twilio isn't configured on this deployment.
+ */
+export async function POST(req: NextRequest) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const data = (await req.json().catch(() => ({}))) as {
+    to?: string;
+    body?: string;
+    customerId?: string;
+  };
+  if (!data.to || !data.body) return jsonError(400, 'to and body are required');
+  try {
+    await sendSmsRaw({ to: data.to, body: data.body, customerId: data.customerId });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : 'Send failed';
+    return jsonError(msg.includes('not configured') ? 503 : 500, msg);
+  }
+  return json({ ok: true });
+}

package/template/extras/mobile-api/sms/src/app/api/mobile/v1/sms/threads/[customerId]/route.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { NextRequest } from 'next/server';
+import { getMessagesForCustomer } from '@/lib/sms/data';
+import { json, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/** GET /api/mobile/v1/sms/threads/:customerId — messages in one conversation. */
+export async function GET(req: NextRequest, { params }: { params: Promise<{ customerId: string }> }) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  const { customerId } = await params;
+  return json({ messages: await getMessagesForCustomer(customerId) });
+}

package/template/extras/mobile-api/sms/src/app/api/mobile/v1/sms/threads/route.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { NextRequest } from 'next/server';
+import { getSmsThreads } from '@/lib/sms/data';
+import { json, preflight } from '@/lib/mobile/cors';
+import { requireApiUser } from '@/lib/mobile/guard';
+export const dynamic = 'force-dynamic';
+export const OPTIONS = preflight;
+/** GET /api/mobile/v1/sms/threads — one row per customer conversation. */
+export async function GET(req: NextRequest) {
+  const user = await requireApiUser(req, ['technician', 'dispatcher']);
+  if (user instanceof Response) return user;
+  return json({ threads: await getSmsThreads() });
+}