Enforce authentication/authorization for admin pages and add several management actions and UI improvements.
Key changes:
- Added auth checks and redirects on admin pages (contracts, stores, subsidies, vendors) to restrict access to SUPER_ADMIN/OPS_MANAGER.
- Hooked server actions to authenticated user IDs (release escrow, review/publish stores, review subsidies/vendors, open disputes, create subsidy cases, create match requests, submit/delete store drafts).
- Implemented store publish flow including policy version resolution and StoreActionButtons update to show approve/reject/publish based on reviewStatus.
- Added filtering UIs and query handling: admin lists (stores/subsidies/vendors) now support status filters; public stores list uses a new client StoreFilters component to build search params.
- New client-side improvements: invite form triggers router.refresh() after success; register page accepts/validates optional phone and persists it; store creation now uses createStoreDraftService and shows error banner on failure.
- Matching and subsidies pages now support contextual forms to create match requests and subsidy cases when a storeId is provided.
- Various UX tweaks: disabled inspection button, dispute form, list link styling, and revalidation calls after server actions.
- Added docs/BUG-REPORT-2026-03-08.md.
These changes centralize auth, connect actions to real user IDs, and improve admin and store workflows and filtering.
Johngreen
de531bfe11