Checked at
۰۶:۳۳:۰۸
Admin widget builder
F032 maps admin session, tenant ownership, RBAC, audit, revision and read-after-write gates before any real POST/PATCH save can be enabled.
Checked at
۰۶:۳۳:۰۸
Persisted save
BLOCKED
Manual token UI
FORBIDDEN
Session transport
anonymous
This phase maps the exact gates required before the Widget Builder can call persisted create/update. It proves what is available in the backend source map, and it explicitly keeps frontend direct save disabled because the dashboard still lacks an app-owned admin session transport and saved/applied reconciliation.
Pass
5
Warnings
5
Blocked
2
Failed
0
/api/admin/auth/login
Backend exposes app-owned admin auth endpoints, including login, refresh and logout. Frontend still needs a safe session transport before mutations can run.
The current dashboard has no httpOnly-cookie/server-session transport. Manual bearer token input remains forbidden, so persisted save must stay disabled.
/api/admin/widget-instances
Backend resource map requires widget_instances.write for persisted create/update/delete.
Backend generic admin mutations resolve tenant scope and reject related records from other tenants before widget instance save.
Backend contracts describe license/widget type validation, but frontend has not yet verified read-after-write entitlement evidence through an authenticated session.
Frontend still needs explicit savedConfig/appliedConfig/publishedAt policy before copy-code can be tied to persisted state.
Backend UUID update endpoint exists; frontend DTO now carries expectedRevision, but live conflict handling is not enabled in the builder.
/api/admin/audit-logs
Backend service writes audit records for admin mutations and exposes audit log reading through admin API.
/api/admin/widget-instances/:id
GET by UUID exists, but frontend edit/list reconciliation is still pending before the builder can verify persisted responses.
Frontend redaction helpers block token-like evidence from reports; persisted save DTO does not include admin/runtime/provider tokens.
/api/admin/widget-instances
Backend create endpoint exists, but frontend must not call it until session transport, saved/applied policy and live read-after-write are green.
/api/admin/widget-instances/:id
Backend update endpoint exists, but frontend must not call it until persisted UUID reconciliation is available.