Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/CodexaCP/DG_WEB/llms.txt

Use this file to discover all available pages before exploring further.

The Dragon Guard ecosystem has three consumers of Wms.Api: the Angular administrative frontend, the MAUI handheld application, and automated integrations. All three share the same endpoint surface with no client-specific forks. This means every change to an API response shape, endpoint path, or field name has the potential to break a client the developer did not test. These rules define what changes are safe, what requires versioning, and what the frontend is forbidden from doing regardless of whether the API would permit it.

Base URL Configuration

The Angular app resolves the backend base URL from three sources, evaluated in order at deployment time:
1

Development: environment.ts

src/environments/environment.ts sets apiUrl for local development builds. This file is never deployed to production.
// src/environments/environment.ts
export const environment = {
  production: false,
  apiUrl: 'https://localhost:7001'
};
2

Production build: environment.prod.ts

src/environments/environment.prod.ts sets the default production apiUrl. Angular CLI substitutes this file during ng build --configuration production.
// src/environments/environment.prod.ts
export const environment = {
  production: true,
  apiUrl: 'https://api.dragonguardwms.com'
};
3

Runtime override: runtime-config.js

src/assets/runtime-config.js is loaded by index.html before the Angular bundle. It can override apiUrl without rebuilding the app — useful for environment-specific Docker deployments.
// src/assets/runtime-config.js  (production override)
window['__env'] = {
  apiUrl: 'https://api.dragonguardwms.com'
};
WmsService checks window['__env']?.apiUrl first and falls back to environment.apiUrl.
Use runtime-config.js when deploying the same Docker image to multiple environments. Baking the URL into environment.prod.ts means a different image per environment; the runtime config avoids that.

Contract Rules

These rules apply to all changes made to Wms.Api, regardless of which client or team requests them:
RuleRationale
Never break existing endpointsBoth Angular and MAUI depend on the same surface; a 404 on a renamed path crashes both clients simultaneously
Never rename endpoints without versioningCreate /api/v1/… before removing or renaming any path in production
Never remove response fields used by Angular or MAUIField removal is a breaking change even if the endpoint path stays the same
Prefer additive changesNew optional fields in a response are safe; existing consumers ignore fields they do not read
All API changes must consider MAUI impactMAUI ships as a mobile app; rollback requires a new store release; backend changes must be backward compatible
Web must never call handheld-only posting endpointsPhysical execution endpoints are MAUI-only by design; calling them from the web UI violates the responsibility boundary
The API is not currently versioned. Until /api/v1/ is established, treat every endpoint as a public contract. Any change to a path, method, or required field in production requires coordination with the MAUI team before deployment.

Endpoint Inventory

MethodPathConsumerNotes
POST/api/Auth/loginWeb, MAUIReturns JWT + session metadata; no auth header required
Login request body:
{
  "email": "string",
  "password": "string"
}
Login response body:
{
  "token": "string",
  "userId": 0,
  "email": "string",
  "fullName": "string",
  "companies": []
}
The companies array drives company-switcher UI for multi-company tenant admins. is_supreme_admin is derived from JWT claims decoded on the frontend.

Standard Error Responses

All API errors follow a consistent status-code convention. Angular’s WmsService and the JWT interceptor handle these globally:
HTTP StatusMeaningAngular behaviour
400 Bad RequestValidation error — invalid payload or business rule violationDisplay validation message returned in response body
401 UnauthorizedMissing, invalid, or expired JWTJWT interceptor clears sessionStorage and redirects to /auth/login
500 Internal Server ErrorUnhandled server exceptionDisplay generic error toast; log to console
403 Forbidden may also be returned by the backend when a valid token lacks the required role (e.g., a company admin calling a supreme endpoint). Angular should treat 403 as a navigation-permission error and redirect to the dashboard, not to the login screen.

API Versioning Strategy

The current API is unversioned. All endpoints live directly under /api/. Before making any breaking change in a production environment, the following versioning strategy must be followed:
1

Introduce the new versioned path

Add the new endpoint under /api/v1/ alongside the existing /api/ path. Both must function simultaneously. Do not remove the old path yet.
GET /api/ReceivingHeaders/{id}        ← existing (keep working)
GET /api/v1/ReceivingHeaders/{id}     ← new shape
2

Migrate Angular to the new path

Update WmsService to call the /api/v1/ endpoint. Deploy the Angular update. Verify all Angular flows work against the new path.
3

Coordinate MAUI migration

Notify the MAUI team. MAUI must release an app update pointing to /api/v1/ before the old path can be removed. This may require a store submission cycle — plan accordingly.
4

Deprecate and remove the old path

Only after both Angular and MAUI have migrated and the old version is no longer in active use, remove /api/ReceivingHeaders/{id}. Log the removal in the API changelog.

Forbidden Actions from the Frontend

These actions are explicitly prohibited in the Angular frontend regardless of whether a backend endpoint exists to support them:
Forbidden actionReason
Calling any stock-write or stock-manipulation endpointStock integrity is owned by MAUI and server-side business logic
Calling posting or confirmation endpointsPhysical execution is MAUI-only
Bypassing backend validation with client-side pre-processingThe backend is the authoritative validation layer
Accessing data from another company (cross-tenant reads)WmsService always scopes to active_company_id; cross-company calls are never constructed
Hard-coding API paths outside of WmsServiceAll HTTP must flow through the central service to maintain contract traceability

Architecture Overview

Module structure, lazy routing, central service rule, JWT auth flow, and the web/handheld responsibility boundary.

Multitenancy

Tenant vs. SaaS surface separation, session keys, SupremeService endpoints, and the role-based routing model.

Build docs developers (and LLMs) love