📄️ Middleware & Route Protection
This page documents the active middleware + route-protection architecture. The legacy routePipelines middleware is no longer wired in — see Middleware Directory for context.
📄️ API Route Handlers
The app exposes five route handlers under src/app/api/. They split into three buckets:
📄️ Access Control
The access control surface lives in src/services/accessCheck/. There are three exports:
📄️ Utility Functions
10.1 isEntryComplete
📄️ Advanced Filtering System
2.1 applyAdvancedFilters
📄️ Signature Search & Validation
3.1 SignatureResultContextProvider
📄️ Data Fetching & Caching
4.1 useFetchTableData
📄️ Petition Management
5.1 getPetitionContextData
📄️ Form Validation Schemas
8.1 campaignFormSchema
📄️ Table State Management
9.1 Context Providers
📄️ Permissions Snapshot
The "permissions snapshot" is the unified data structure that drives every access-control decision in the app. It replaces the old per-request session enrichment and the legacy getusercombined_permissions SQL helper.
📄️ Role Hierarchy
In addition to permission keys, every role in the roles table has a numeric hierarchy_level. Higher numbers mean more senior. Hierarchy gates who can act on whom during member-management mutations: a non-super-admin actor can only assign or modify roles strictly below their own level.
📄️ Sidebar Route Bundles
The application sidebar is composed from one component per section. Each component lives under src/components/routes/, reads permissionKeys from TeamsContext, and renders a single `` group with the items the current user is allowed to see.