# role-user Project Notes

This project is the employee-facing C-side app for the `access-manage` backend and the `role-admin` management console.

When working in this repository:

- Prefer Chinese for project notes, PRDs, comments, and delivery summaries.
- Use React + Next.js App Router + TypeScript as the default frontend stack.
- Keep the app mobile-first and PWA-friendly; desktop should work, but the primary user is a store employee using a phone.
- Treat `access-manage/docs/ROLE_USER_BACKEND_REQUIREMENTS.md` as the backend contract source and `docs/C_EMPLOYEE_APP_REQUIREMENTS.md` as the frontend product source.
- Do not store or expose plaintext passwords in the frontend. Password operations must use reset/change flows, temporary one-time passwords, and audit logs.
- Use a Backend-for-Frontend layer in Next.js Route Handlers when it improves session safety. Prefer HttpOnly cookies over localStorage for tokens.
- Keep business API types and request helpers centralized under `src/lib/` once the app is scaffolded.
- When files or directories are added, removed, renamed, or reorganized, update `README.md` in the same change once a README exists.