feat(dashboard): Task 1E — Mobile-first review dashboard with approve/reject, config panel, pipeline status#666

codercatdev

Task 1E: Review Dashboard — Mobile-First Control Center

Spec: 41bSaBJF (Content Engine v2)
Task: i9AiY0S7
Branch: feat/review-dashboard
10 files, +1,686 lines

What's Built

Review Queue (`/dashboard/review`)

Mobile-first card grid showing pending_review videos
Quality score badges (color-coded green/yellow/red)
Thumbnail preview, issue count, date
Links to detail page

Review Detail (`/dashboard/review/[id]`)

Inline title editing with save/cancel
Quality score breakdown + issues list
Infographic gallery (responsive 2→3→4 col grid)
Script viewer (hook, scenes, CTA)
One-tap approve/reject — large touch-friendly buttons (44px min)
Reject flow with reason textarea

Config Panel (`/dashboard/config`)

All engineConfig fields grouped into 6 sections:
- Pipeline Control (autoPublish toggle, qualityThreshold slider)
- Content Cadence (longFormPerWeek, shortsPerDay, publishDays)
- AI & Generation (geminiModel, infographicModel, systemInstruction)
- Distribution (6 platform toggles, YouTube settings)
- Sponsor (cooldownDays, rateCardTiers with add/remove)
- Brand (color pickers with hex input)
Sticky save button, success toast with "propagates within 5 minutes"

Pipeline Status (`/dashboard/pipeline`)

14 status count cards (responsive grid)
Active Workflows panel (in-progress videos)
Recent completions & failures

API Routes

POST /api/dashboard/review — approve/reject with CF Workflow webhook
GET/PUT /api/dashboard/config — read/write engineConfig

Server Actions

approveVideo(id) — patches status + reviewedAt/reviewedBy
rejectVideo(id, reason) — patches status + flaggedReason
updateVideoField(id, field, value) — whitelist: title, script.hook, script.cta

Auth & Security

✅ FAIL CLOSED on all API routes (503 if no Supabase, 401 if no user)
✅ Input validation with field whitelists on all mutations
✅ 28 allowed fields whitelist on config PUT
✅ rateCardTiers validated with _key for Sanity arrays

Patterns

✅ force-dynamic on all pages
✅ "use client" only on interactive components
✅ Mobile-first cards, 44px tap targets, responsive grids
✅ shadcn/ui components throughout
✅ Both env var names supported

Depends On

✅ Task 1D (engineConfig schema) — merged in PR feat: Task 1D — engineConfig singleton + mediaAsset + automatedVideo v2 #665

Task 1E deliverables: - Review Queue page (mobile-first card layout, quality badges) - Review Detail page (inline editing, approve/reject with touch-friendly buttons) - Review server actions (approve, reject, updateVideoField with field whitelist) - Config Panel page with grouped form sections (6 fieldsets) - Config Form client component (save to API, success toast) - Config API route (GET/PUT with fail-closed auth, field whitelist validation) - Pipeline Status page (12 status count cards, active workflows, recent completions) - Review API route (POST approve/reject with fail-closed auth, CF Workflow webhook) - Updated sidebar navigation with Review Queue, Pipeline, Config links Co-authored-by: dashboard <dashboard@miriad.systems>

vercel

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
codingcat-dev	Ignored		Mar 14, 2026 2:21pm

codercatdev

PR #666 Review — Task 1E: Review Dashboard

Verdict: 🔴 REQUEST_CHANGES

🚨 BLOCKER: Server Actions Missing Auth (1 issue, 3 functions affected)

app/(dashboard)/dashboard/review/actions.ts — The three server actions (approveVideo, rejectVideo, updateVideoField) have zero auth checks. Server actions are exposed as POST endpoints by Next.js and can be called by anyone without authentication.

This is the #1 recurring issue on this project (caught 4+ times before). The API routes (/api/dashboard/config and /api/dashboard/review) correctly implement requireAuth() with fail-closed behavior, but the server actions bypass all of that.

Fix: Add requireAuth() at the top of each server action, identical to the pattern used in the API routes.

What's Good ✅

API route auth is correct — Both /api/dashboard/config and /api/dashboard/review use requireAuth() that returns 503 when Supabase env vars are missing and 401 when user is not authenticated. Fail-closed. ✅
Field whitelists — Config PUT has 28 allowed fields via Set. Server actions have ALLOWED_FIELDS for updateVideoField. Review API validates action to approve/reject only. ✅
getEngineConfig() integration — Correctly uses the new config API from PR #665, including invalidateEngineConfig() after writes. ✅
GROQ queries are mostly bounded — Pipeline page uses [0..19] and [0..9]. Review detail uses [0] for single doc. ✅
Mobile-first design — 44px min-height on all interactive buttons, responsive grids (grid-cols-2 sm:grid-cols-3 md:grid-cols-4), flex-col gap-3 sm:flex-row for approve/reject. ✅
CF Workflow webhook — Fire-and-forget with error logging, doesn't block approval. ✅
force-dynamic on all pages. ✅
"use client" only on interactive components (config-form, review-detail-client). ✅
Sidebar navigation — Clean additions with appropriate icons. ✅
rateCardTiers — Properly adds _key and _type for Sanity array items. ✅

Issues to Fix 🔶

#	Severity	File	Issue
1	🚨 Blocker	`review/actions.ts`	Server actions have NO auth — anyone can approve/reject/edit videos
2	🔶 Medium	`review/page.tsx`	Unbounded GROQ query (no `[0..N]` limit)
3	🟡 Minor	`config/config-form.tsx:371`	`as any` type cast on toggle
4	🟡 Minor	`review/[id]/page.tsx:49`	`video as any` bypasses type safety
5	🟡 Minor	`api/dashboard/config/route.ts:140`	`as any[]` on rateCardTiers
6	🟡 Minor	`api/dashboard/config/route.ts`	`notificationEmails`, string fields not type-validated

Architecture Notes

No middleware.ts exists — Dashboard route protection relies entirely on per-route auth checks. This is acceptable as long as every route/action checks auth, but a middleware would provide defense-in-depth. Consider adding one in a follow-up.
Dashboard layout has a comment saying "the proxy will have already redirected to login for protected routes" but no proxy/middleware exists. The layout itself doesn't block unauthenticated access — it just renders without the sidebar. This means unauthenticated users can see page content if the page itself doesn't check auth. The server component pages use dashboardQuery which returns empty results without a Sanity token, so data leakage is limited, but the server actions are the real risk.

Summary

The API routes are well-secured. The UI is excellent — mobile-first, good UX, proper component architecture. But the server actions are a critical auth gap. Fix the auth on actions.ts and add a limit to the review queue query, then this is ready to merge.

- Add requireAuth() to all 3 server actions (approveVideo, rejectVideo, updateVideoField) - Fail closed: throws if Supabase not configured or user not authenticated - Use actual user email for reviewedBy instead of hardcoded string - Add [0..49] limit to review queue GROQ query Co-authored-by: dashboard <dashboard@miriad.systems>

@pm

Task 1D: engineConfig singleton + mediaAsset + automatedVideo v2 (PR #665, 6ab3833). Task 1E: Review dashboard with fail-closed auth on all server actions (PR #666, 18dee75). All code reviewed by @pm + workers.

codercatdev commented Mar 14, 2026

View reviewed changes

codercatdev mentioned this pull request Mar 14, 2026

release: Task 1D (engineConfig) + Task 1E (review dashboard) → main #667

Merged

codercatdev deleted the feat/review-dashboard branch March 18, 2026 16:00

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(dashboard): Task 1E — Mobile-first review dashboard with approve/reject, config panel, pipeline status#666