The Dragon Guard ecosystem has three consumers ofDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CodexaCP/DG_WEB/llms.txt
Use this file to discover all available pages before exploring further.
Wms.Api: the Angular administrative frontend, the MAUI handheld application, and automated integrations. All three share the same endpoint surface with no client-specific forks. This means every change to an API response shape, endpoint path, or field name has the potential to break a client the developer did not test. These rules define what changes are safe, what requires versioning, and what the frontend is forbidden from doing regardless of whether the API would permit it.
Base URL Configuration
The Angular app resolves the backend base URL from three sources, evaluated in order at deployment time:Development: environment.ts
src/environments/environment.ts sets apiUrl for local development builds. This file is never deployed to production.Production build: environment.prod.ts
src/environments/environment.prod.ts sets the default production apiUrl. Angular CLI substitutes this file during ng build --configuration production.Runtime override: runtime-config.js
src/assets/runtime-config.js is loaded by index.html before the Angular bundle. It can override apiUrl without rebuilding the app — useful for environment-specific Docker deployments.WmsService checks window['__env']?.apiUrl first and falls back to environment.apiUrl.Contract Rules
These rules apply to all changes made toWms.Api, regardless of which client or team requests them:
| Rule | Rationale |
|---|---|
| Never break existing endpoints | Both Angular and MAUI depend on the same surface; a 404 on a renamed path crashes both clients simultaneously |
| Never rename endpoints without versioning | Create /api/v1/… before removing or renaming any path in production |
| Never remove response fields used by Angular or MAUI | Field removal is a breaking change even if the endpoint path stays the same |
| Prefer additive changes | New optional fields in a response are safe; existing consumers ignore fields they do not read |
| All API changes must consider MAUI impact | MAUI ships as a mobile app; rollback requires a new store release; backend changes must be backward compatible |
| Web must never call handheld-only posting endpoints | Physical execution endpoints are MAUI-only by design; calling them from the web UI violates the responsibility boundary |
Endpoint Inventory
- Auth
- Receipts
- Shipments
- Items & Stock
- Commercial
| Method | Path | Consumer | Notes |
|---|---|---|---|
POST | /api/Auth/login | Web, MAUI | Returns JWT + session metadata; no auth header required |
companies array drives company-switcher UI for multi-company tenant admins. is_supreme_admin is derived from JWT claims decoded on the frontend.Standard Error Responses
All API errors follow a consistent status-code convention. Angular’sWmsService and the JWT interceptor handle these globally:
| HTTP Status | Meaning | Angular behaviour |
|---|---|---|
400 Bad Request | Validation error — invalid payload or business rule violation | Display validation message returned in response body |
401 Unauthorized | Missing, invalid, or expired JWT | JWT interceptor clears sessionStorage and redirects to /auth/login |
500 Internal Server Error | Unhandled server exception | Display generic error toast; log to console |
403 Forbidden may also be returned by the backend when a valid token lacks the required role (e.g., a company admin calling a supreme endpoint). Angular should treat 403 as a navigation-permission error and redirect to the dashboard, not to the login screen.API Versioning Strategy
The current API is unversioned. All endpoints live directly under/api/. Before making any breaking change in a production environment, the following versioning strategy must be followed:
Introduce the new versioned path
Add the new endpoint under
/api/v1/ alongside the existing /api/ path. Both must function simultaneously. Do not remove the old path yet.Migrate Angular to the new path
Update
WmsService to call the /api/v1/ endpoint. Deploy the Angular update. Verify all Angular flows work against the new path.Coordinate MAUI migration
Notify the MAUI team. MAUI must release an app update pointing to
/api/v1/ before the old path can be removed. This may require a store submission cycle — plan accordingly.Forbidden Actions from the Frontend
These actions are explicitly prohibited in the Angular frontend regardless of whether a backend endpoint exists to support them:| Forbidden action | Reason |
|---|---|
| Calling any stock-write or stock-manipulation endpoint | Stock integrity is owned by MAUI and server-side business logic |
| Calling posting or confirmation endpoints | Physical execution is MAUI-only |
| Bypassing backend validation with client-side pre-processing | The backend is the authoritative validation layer |
| Accessing data from another company (cross-tenant reads) | WmsService always scopes to active_company_id; cross-company calls are never constructed |
Hard-coding API paths outside of WmsService | All HTTP must flow through the central service to maintain contract traceability |
Architecture Overview
Module structure, lazy routing, central service rule, JWT auth flow, and the web/handheld responsibility boundary.
Multitenancy
Tenant vs. SaaS surface separation, session keys, SupremeService endpoints, and the role-based routing model.