392ba9a040
service_day 10h cutoff, VAT snapshot by line, drive cross-constraint, atomic stock decrement/re-credit, optimistic concurrency on status, dashboard filter by role_visible_source, Maxi format multiplier (quantity_normal/quantity_maxi).
637 lines
42 KiB
Markdown
637 lines
42 KiB
Markdown
# Model of Logical Treatments (MLT) — Wakdo
|
|
|
|
**Merise phase** : P1 - Conception, step 4 (derived from MCT)
|
|
**Version** : v0.2 — prod-like, 4-state machine
|
|
**Date** : 2026-06-04
|
|
**Branch** : `feat/p1-conception`
|
|
**Status** : prod-like — all D1-D8 + stock decisions applied (see `docs/notes/revue-alignement-p1.md` §7)
|
|
**Author** : BYAN (methodology layer)
|
|
|
|
---
|
|
|
|
## 1. Purpose
|
|
|
|
The MLT (Model of Logical Treatments) refines each MCT operation by specifying:
|
|
- **preconditions** — what must be true before execution
|
|
- **business rules** — validation, computation, business logic
|
|
- **postconditions** — the state guaranteed after success
|
|
- **outputs** — produced data or emitted events
|
|
- **error cases** — alternative outputs when a condition fails
|
|
|
|
It bridges the MCT (conceptual level) and the PHP/SQL implementation (physical level).
|
|
All entity/attribute references use the names from `docs/merise/dictionary.md` (English,
|
|
snake_case). All monetary amounts are in integer cents.
|
|
|
|
**Tag conventions**:
|
|
- `[PRE]` — precondition; must be satisfied for the operation to execute
|
|
- `[RG]` — business rule (regle de gestion); logic applied during execution
|
|
- `[POST]` — postcondition; database state guaranteed after success
|
|
- `[OUT]` — output; data or event produced
|
|
- `[ERR]` — error case; alternative output when a condition fails
|
|
|
|
---
|
|
|
|
## 2. Transverse business rules
|
|
|
|
These rules apply to multiple operations and are centralised here to avoid repetition.
|
|
|
|
| Rule code | Label | Operations concerned |
|
|
|-----------|-------|----------------------|
|
|
| **RG-T01** | CSRF token verified on every back-office POST/PUT/DELETE form | AUTH, all admin ops |
|
|
| **RG-T02** | Session active + `user.is_active = 1` verified on each authenticated request | All domains 3-10 |
|
|
| **RG-T03** | Permission verified via `role_permission` before executing operation | All domains 3-10 |
|
|
| **RG-T04** | All monetary amounts are manipulated in integer cents; EUR conversion at output only | 3.3, 4.1, 8.1, 8.4 |
|
|
| **RG-T05** | Snapshots (`label_snapshot`, `unit_price_cents_snapshot`, `vat_rate_snapshot`) on `order_item` are not modified after INSERT (historical integrity of placed orders — design guarantee) | 3.3, 4.1, 8.2, 8.5 |
|
|
| **RG-T06** | All SQL queries use PDO with prepared statements; no user data concatenated into SQL | All operations |
|
|
| **RG-T07** | Status transition UPDATE statements include `AND status = <expected_status>` in the WHERE clause (optimistic concurrency protection against double transition) | 6.1, 7.1 |
|
|
| **RG-T08** | Operations touching multiple tables execute in an atomic database transaction; partial failure triggers full rollback | 3.3, 4.1, 7.1, 8.4, 9.1, 9.2 |
|
|
| **RG-T09** | Cross-constraint on `customer_order`: `source = 'drive'` implies `service_mode = 'drive'`; verified at order creation. Materialisable as a MariaDB CHECK: `CHECK (source != 'drive' OR service_mode = 'drive')`. | 3.3, 4.1 |
|
|
| **RG-T10** | VAT computation is line-by-line: each `order_item` carries its own `vat_rate_snapshot` (per-mille integer snapshotted from `product.vat_rate`). Order totals (`total_ht_cents`, `total_vat_cents`, `total_ttc_cents`) are the sum of line-level amounts. | 3.3, 4.1 |
|
|
| **RG-T11** | Stock decrements at the `pending_payment -> paid` transition and re-credits at `paid -> cancelled` are within the same database transaction as the status update (no orphan decrement). | 3.3, 4.1, 7.1 |
|
|
| **RG-T12** | Dashboard filter by source: each role's visible sources are read from `role_visible_source`; the query uses `WHERE customer_order.source IN (role_visible_sources)`. | 6.1 |
|
|
|
|
---
|
|
|
|
## 3. Domain 1 — Order lifecycle (kiosk)
|
|
|
|
### 3.1 LOAD_CATALOGUE
|
|
|
|
**Corresponds to MCT section 3.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Request originates from the kiosk endpoint (public, no authentication required) |
|
|
| **[PRE-2]** | Current time is within the service window (10:00-01:00); outside the window the kiosk displays a closed message |
|
|
| **[RG-1]** | Read all `category` rows with `is_active = 1`, ordered by `category.display_order ASC` |
|
|
| **[RG-2]** | For each category, read `product` rows with `is_available = 1` and matching `category_id`, ordered by `product.display_order ASC` |
|
|
| **[RG-3]** | Read all `menu` rows with `is_available = 1`; for each menu, load `menu_slot` rows ordered by `menu_slot.display_order ASC`; for each slot, load eligible products via `menu_slot_option JOIN product` (where `product.is_available = 1`) |
|
|
| **[RG-4]** | For each product, compute allergens by joining `product_ingredient -> ingredient_allergen -> allergen` (no manual re-entry per product) |
|
|
| **[RG-5]** | For each product with `product_ingredient` rows, load `ingredient` composition (for the configurator) |
|
|
| **[RG-6]** | Prices are returned in integer cents; EUR conversion is performed client-side |
|
|
| **[POST-1]** | No database write; database state unchanged |
|
|
| **[OUT-1]** | JSON response: `{data: {categories: [...], products: {...}, menus: [{..., slots: [{..., options: [...]}]}]}}` |
|
|
| **[ERR-1]** | DB unreachable: response `{data: null, error: {code: "DB_ERROR"}}` and front-end falls back to static JSON |
|
|
|
|
---
|
|
|
|
### 3.2 COMPOSE_CART
|
|
|
|
**Corresponds to MCT section 3.2**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Catalogue loaded into front-end memory (LOAD_CATALOGUE completed) |
|
|
| **[PRE-2]** | Selected item (product or menu) is present in the loaded catalogue with `is_available = 1` |
|
|
| **[RG-1]** | Cart is a JavaScript in-memory structure (array of items); no database persistence at this stage |
|
|
| **[RG-2]** | Each item contains: `type` (`product` or `menu`), `item_id`, `label`, `unit_price_cents` (snapshot from catalogue), `quantity`, `format` (`normal` or `maxi`, for menus), `slot_selections` (array of `{menu_slot_id, product_id, label}` for menu items), `modifiers` (array of `{ingredient_id, action, extra_price_cents}`) |
|
|
| **[RG-3]** | Format Normal/Maxi (menu items only): `normal` uses `menu.price_normal_cents`; `maxi` uses `menu.price_maxi_cents`. No individual component price change is stored; the price differential is at menu level. |
|
|
| **[RG-4]** | Ingredient modifier rules: `action = 'remove'` requires `is_removable = 1` on `product_ingredient` (free); `action = 'add'` requires `is_addable = 1` (may carry `extra_price_cents`). These constraints are verified at cart composition time against the loaded catalogue. |
|
|
| **[RG-5]** | If an item with the same `(type, item_id, format, slot_selections, modifiers)` already exists in the cart, its quantity is incremented rather than adding a new item |
|
|
| **[RG-6]** | Cart total recomputed after each change: `SUM(unit_price_cents * quantity + modifier_extras)` across all items |
|
|
| **[POST-1]** | No database write; cart in-memory state updated |
|
|
| **[OUT-1]** | Cart summary displayed with TTC total |
|
|
| **[ERR-1]** | If a product becomes `is_available = 0` between catalogue load and order submission, the server-side validation in CREATE_ORDER catches it |
|
|
|
|
---
|
|
|
|
### 3.3 CREATE_ORDER
|
|
|
|
**Corresponds to MCT section 3.3**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Cart contains at least 1 item (`items.length >= 1`) |
|
|
| **[PRE-2]** | Order number entered by customer is non-empty (front-end validation) |
|
|
| **[PRE-3]** | POST JSON body is valid (schema validation at API layer) |
|
|
| **[RG-1]** | Server-side availability check: for each item, verify `product.is_available = 1` or `menu.is_available = 1`. If any item is unavailable, reject with list of unavailable articles. |
|
|
| **[RG-2 — service_day]** | `service_day` for a given order is computed at query time as: `CASE WHEN HOUR(created_at) < 10 THEN DATE(created_at) - INTERVAL 1 DAY ELSE DATE(created_at) END`. Cutoff is 10:00. This is NOT stored as a column — computed at query time only. The v0.1 formula with `INTERVAL 4 HOUR 30 MINUTE` was incorrect and is dropped. |
|
|
| **[RG-3 — order number]** | Order number format: `K-YYYY-MM-DD-NNN` where NNN is the sequential counter for the current service_day for the `kiosk` source (SELECT COUNT + 1 with a table-level lock or serialised insert to avoid duplicate generation under concurrency). Source is `kiosk` (set by the kiosk endpoint, derived from the public entry point). |
|
|
| **[RG-4 — VAT by line]** | For each `order_item`: `vat_rate_snapshot` is copied from `product.vat_rate`. Line amounts: `unit_ttc = unit_price_cents_snapshot`; `unit_ht = ROUND(unit_ttc * 1000 / (1000 + vat_rate_snapshot))`; `unit_vat = unit_ttc - unit_ht`. Order totals: `total_ttc_cents = SUM(unit_ttc * quantity)` across all lines; `total_ht_cents = SUM(unit_ht * quantity)`; `total_vat_cents = total_ttc_cents - total_ht_cents`. Invariant: `total_ttc_cents = total_ht_cents + total_vat_cents` (verified before INSERT). |
|
|
| **[RG-5 — atomic transaction]** | All writes within one database transaction: (1) INSERT `customer_order` (status `pending_payment`, source `kiosk`, service_mode from cart, computed totals); (2) INSERT `order_item` rows (label_snapshot, unit_price_cents_snapshot, vat_rate_snapshot, quantity, format, item_type, product_id or menu_id); (3) INSERT `order_item_selection` rows for each slot filled in a menu item (order_item_id, menu_slot_id, product_id, label_snapshot); (4) INSERT `order_item_modifier` rows for each ingredient modification (order_item_id, ingredient_id, action, extra_price_cents snapshot); (5) for each ingredient consumed: compute units = `(order_item.format = 'maxi' ? product_ingredient.quantity_maxi : product_ingredient.quantity_normal) * order_item.quantity`, adjusted by modifiers (remove => no decrement for that ingredient; add => extra decrement); UPDATE `ingredient.stock_quantity -= units`; INSERT `stock_movement` (type `sale`, delta = -units, order_id, user_id = NULL for kiosk); (6) UPDATE `customer_order` SET status = `paid`, `paid_at = NOW()`. All six steps commit together or roll back entirely. |
|
|
| **[RG-6 — cross-constraint]** | Source `kiosk` implies no particular service_mode constraint; the customer selects `dine_in` or `takeaway`. The drive cross-constraint (RG-T09) does not apply to kiosk-originated orders. |
|
|
| **[RG-7 — immutability]** | After INSERT, `label_snapshot`, `unit_price_cents_snapshot`, and `vat_rate_snapshot` are not modified even if the source product is later renamed or repriced (see RG-T05). |
|
|
| **[POST-1]** | One `customer_order` row exists with `status = 'paid'`, `source = 'kiosk'`, all totals computed, `paid_at` set. The `pending_payment` phase is not observable outside the transaction. |
|
|
| **[POST-2]** | N `order_item` rows exist, each referencing either a `product_id` (item_type='product') or a `menu_id` (item_type='menu') — exclusivity constraint verified. |
|
|
| **[POST-3]** | `customer_order.order_number` is unique in the database (UNIQUE constraint). |
|
|
| **[POST-4]** | `ingredient.stock_quantity` decremented for each consumed ingredient unit; one `stock_movement` row of type `sale` per affected ingredient. |
|
|
| **[OUT-1]** | HTTP 201: `{data: {id: int, order_number: string, status: 'paid'}}` |
|
|
| **[OUT-2]** | Logical event ORDER_CREATED available for preparation domain (preparation display refreshes via polling or server push depending on implementation) |
|
|
| **[ERR-1]** | Empty cart: HTTP 422, `{error: {code: "EMPTY_CART"}}` |
|
|
| **[ERR-2]** | Unavailable item: HTTP 422, `{error: {code: "ITEM_UNAVAILABLE", items: [...]}}` |
|
|
| **[ERR-3]** | DB error / timeout: HTTP 500 with rollback, `{error: {code: "DB_ERROR"}}` |
|
|
|
|
---
|
|
|
|
### 3.4 DISPLAY_CONFIRMATION
|
|
|
|
**Corresponds to MCT section 3.4**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | CREATE_ORDER returned HTTP 201 with `{id, order_number, status: 'paid'}` |
|
|
| **[RG-1]** | Order number displayed prominently on the confirmation screen |
|
|
| **[RG-2]** | After a configurable delay (suggestion: 15 seconds), the kiosk auto-resets for the next customer |
|
|
| **[POST-1]** | No database write |
|
|
| **[OUT-1]** | Confirmation screen displayed with order number |
|
|
| **[ERR-1]** | If API response is an error: generic error message displayed with option to retry |
|
|
|
|
---
|
|
|
|
## 4. Domain 2 — Order lifecycle (counter and drive)
|
|
|
|
### 4.1 CREATE_COUNTER_ORDER
|
|
|
|
**Corresponds to MCT section 4.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor is authenticated (valid session, `user.is_active = 1`) |
|
|
| **[PRE-2]** | Actor holds permission `order.create` (verified via `role_permission`) |
|
|
| **[PRE-3]** | Cart contains at least 1 item |
|
|
| **[RG-1]** | Creation logic identical to CREATE_ORDER (RG-1 through RG-7 apply), with the following differences: `source` is auto-tagged from `role.order_source` (counter role -> `counter`, drive role -> `drive`); `service_mode` is selected by the staff member (`dine_in` / `takeaway` / `drive`); `user_id` is set to the authenticated user's id in `stock_movement` rows (instead of NULL for kiosk). |
|
|
| **[RG-2 — cross-constraint]** | If `source = 'drive'` then `service_mode` must be `'drive'` (RG-T09); verified before INSERT. HTTP 422 if violated. |
|
|
| **[RG-3 — order number]** | Format: `C-YYYY-MM-DD-NNN` for counter source; `D-YYYY-MM-DD-NNN` for drive source. Sequential NNN counter is per source per service_day. |
|
|
| **[RG-4 — stock]** | Same stock decrement logic as CREATE_ORDER RG-5; `stock_movement.user_id` is set to the authenticated staff member's id. |
|
|
| **[POST-1]** | One `customer_order` row with `status = 'paid'`, `source = 'counter'` or `'drive'`, `paid_at` set. |
|
|
| **[POST-2]** | N `order_item` rows with snapshots. Slot selections and modifiers written identically to kiosk flow. |
|
|
| **[POST-3]** | Stock decremented; movements logged with actor `user_id`. |
|
|
| **[OUT-1]** | HTTP 201: `{data: {id: int, order_number: string, status: 'paid'}}`. Order number communicated to customer. |
|
|
| **[ERR-1]** | Same error cases as CREATE_ORDER (ERR-1, ERR-2, ERR-3) |
|
|
| **[ERR-2]** | Cross-constraint violation (`source = drive` but `service_mode != drive`): HTTP 422, `{error: {code: "INVALID_SERVICE_MODE"}}` |
|
|
|
|
---
|
|
|
|
## 5. Domain 3 — Preparation display (kitchen)
|
|
|
|
### 5.1 LIST_ORDERS_DISPLAY
|
|
|
|
**Corresponds to MCT section 5.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor is authenticated, `is_active = 1` |
|
|
| **[PRE-2]** | Actor holds permission `order.read` |
|
|
| **[RG-1 — source filter]** | Retrieve visible sources for the actor's role: `SELECT source FROM role_visible_source WHERE role_id = :role_id`. Kitchen sees all three; counter sees `kiosk` and `counter`; drive sees `drive`. |
|
|
| **[RG-2 — query]** | `SELECT customer_order.*, order_item.* FROM customer_order JOIN order_item ON order_item.order_id = customer_order.id WHERE customer_order.status = 'paid' AND customer_order.source IN (:visible_sources) ORDER BY customer_order.paid_at ASC` |
|
|
| **[RG-3 — item detail]** | For each order line of type `menu`, also load `order_item_selection` rows (slot choices). For all lines, load `order_item_modifier` rows (ingredient modifications). Display uses snapshots (`label_snapshot`, `quantity`, `format`); no re-join on `product` or `menu` tables needed. |
|
|
| **[RG-4 — KDS colour]** | Colour indicator computed at render time: `elapsed = NOW() - customer_order.paid_at`; green if elapsed < SLA threshold (configurable, approx. 10 min); amber if approaching; red if exceeded. Not stored; computed client-side or in PHP before response. |
|
|
| **[RG-5 — read only]** | Kitchen staff perform no status transition from this view. No UPDATE is issued by this operation. |
|
|
| **[POST-1]** | No database write |
|
|
| **[OUT-1]** | List of orders with status `paid`, filtered by role, sorted by `paid_at` ascending, with full item detail (selections, modifiers, KDS colour) |
|
|
|
|
---
|
|
|
|
## 6. Domain 4 — Delivery to customer
|
|
|
|
### 6.1 DELIVER_ORDER
|
|
|
|
**Corresponds to MCT section 6.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor is authenticated, holds permission `order.deliver` |
|
|
| **[PRE-2]** | Targeted order exists and `status = 'paid'` |
|
|
| **[PRE-3]** | Order source is in the actor's visible sources (verified via `role_visible_source`) |
|
|
| **[RG-1]** | `UPDATE customer_order SET status = 'delivered', delivered_at = NOW(), updated_at = NOW() WHERE id = :id AND status = 'paid'` |
|
|
| **[RG-2 — concurrency]** | The `AND status = 'paid'` clause in the UPDATE protects against concurrent double-delivery: if two staff members click simultaneously, only the first succeeds (second receives 0 rows affected). |
|
|
| **[RG-3]** | `delivered` is a terminal status: no further transition is defined from this status (application constraint, not enforced as a DB trigger). |
|
|
| **[POST-1]** | `customer_order.status = 'delivered'`, `delivered_at` set, lifecycle complete. Order passes to history. |
|
|
| **[OUT-1]** | HTTP 200 with confirmation. Order disappears from the `paid` queue. |
|
|
| **[ERR-1]** | Invalid transition (status was not `paid` when UPDATE executed — concurrency): HTTP 409, `{error: {code: "INVALID_TRANSITION"}}` |
|
|
| **[ERR-2]** | Order source not in actor's visible sources: HTTP 403, `{error: {code: "FORBIDDEN"}}` |
|
|
|
|
---
|
|
|
|
## 7. Domain 5 — Cancellation
|
|
|
|
### 7.1 CANCEL_ORDER
|
|
|
|
**Corresponds to MCT section 7.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor is authenticated, holds permission `order.cancel` |
|
|
| **[PRE-2]** | Targeted order exists |
|
|
| **[PRE-3]** | `customer_order.status` is in `['pending_payment', 'paid']`. Terminal statuses `delivered` and `cancelled` cannot transition to `cancelled`. |
|
|
| **[RG-1 — status update]** | `UPDATE customer_order SET status = 'cancelled', cancelled_at = NOW(), updated_at = NOW() WHERE id = :id AND status IN ('pending_payment', 'paid')` |
|
|
| **[RG-2 — concurrency]** | The `AND status IN (...)` clause protects against concurrent cancellation (see RG-T07). |
|
|
| **[RG-3 — stock re-credit — conditional]** | Re-credit applies only if the order was at status `paid` before cancellation. Orders at `pending_payment` had not yet decremented stock (the decrement occurs at the `paid` transition). For each `order_item` line of a `paid` order, recompute ingredient units consumed: `(order_item.format = 'maxi' ? product_ingredient.quantity_maxi : product_ingredient.quantity_normal) * order_item.quantity`, adjusted by `order_item_modifier` rows (remove modifier -> ingredient was not decremented, so no re-credit; add modifier -> ingredient had extra decrement, so extra re-credit). UPDATE `ingredient.stock_quantity += units`. INSERT `stock_movement` (type `cancellation`, delta = +units, order_id, user_id of actor). |
|
|
| **[RG-4 — transaction]** | Status update and stock re-credit (when applicable) execute in the same database transaction (RG-T11). |
|
|
| **[RG-5 — history]** | Order is not physically deleted; retained for history and stats. Cancelled orders are excluded from revenue totals but included in volume counts in READ_STATS. `order_item` rows are not deleted (ON DELETE CASCADE is not triggered); they allow reconstruction of what was ordered. |
|
|
| **[POST-1]** | `customer_order.status = 'cancelled'`, `cancelled_at` set, terminal state. |
|
|
| **[POST-2]** | If prior status was `paid`: `ingredient.stock_quantity` re-credited; one `stock_movement` row of type `cancellation` per affected ingredient. |
|
|
| **[OUT-1]** | HTTP 200 with cancellation confirmation |
|
|
| **[ERR-1]** | Attempt to cancel a delivered or already cancelled order: HTTP 422, `{error: {code: "CANNOT_CANCEL_IN_STATE", current_status: "..."}}` |
|
|
| **[ERR-2]** | Concurrent cancellation (0 rows affected by UPDATE): HTTP 409, `{error: {code: "INVALID_TRANSITION"}}` |
|
|
|
|
---
|
|
|
|
## 8. Domain 6 — Catalogue management
|
|
|
|
### 8.1 CREATE_PRODUCT
|
|
|
|
**Corresponds to MCT section 8.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `product.create` |
|
|
| **[PRE-2]** | `category_id` references an existing category with `is_active = 1` |
|
|
| **[RG-1]** | Form validation: `name` non-empty, `price_cents > 0`, `category_id` valid, `vat_rate` in `(55, 100)` |
|
|
| **[RG-2]** | Image upload (optional): validate MIME type (JPEG, PNG, WEBP), max size configurable (suggestion: 2 MB), store under `UPLOAD_DIR/products/`, record relative path in `image_path` |
|
|
| **[RG-3]** | `is_available = 1` by default at INSERT |
|
|
| **[RG-4]** | `display_order` set to `MAX(display_order) + 1` for the target category, or 0 if first product |
|
|
| **[POST-1]** | One `product` row in the database with all valid fields |
|
|
| **[OUT-1]** | Redirect to category product list with success message |
|
|
| **[ERR-1]** | Validation failure: inline field errors displayed |
|
|
| **[ERR-2]** | Invalid image (type or size): specific error message |
|
|
|
|
---
|
|
|
|
### 8.2 UPDATE_PRODUCT
|
|
|
|
**Corresponds to MCT section 8.2**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `product.update` |
|
|
| **[PRE-2]** | Target `product.id` exists |
|
|
| **[RG-1]** | Same validations as CREATE_PRODUCT on modified fields |
|
|
| **[RG-2]** | If a new image is uploaded, the old image file is deleted from the filesystem (volume cleanup) |
|
|
| **[RG-3]** | `label_snapshot`, `unit_price_cents_snapshot`, `vat_rate_snapshot` in historical `order_item` rows are not modified (see RG-T05) |
|
|
| **[POST-1]** | `product` updated, `updated_at` refreshed |
|
|
| **[OUT-1]** | Redirect to product list with success message |
|
|
|
|
---
|
|
|
|
### 8.3 DELETE_PRODUCT
|
|
|
|
**Corresponds to MCT section 8.3**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `product.delete` |
|
|
| **[PRE-2]** | Target `product.id` exists |
|
|
| **[RG-1]** | Pre-check (PHP): is the product referenced in `menu_slot_option.product_id`? If yes, display blocking message listing the menus. |
|
|
| **[RG-2]** | Pre-check (PHP): is the product the `burger_product_id` of any `menu`? If yes, block with message to delete or reassign the menu first. |
|
|
| **[RG-3]** | Pre-check (PHP): is the product referenced in `order_item.product_id` (historical orders)? FK `ON DELETE RESTRICT` blocks at DB level. Recommended response: propose deactivation (`is_available=0`) rather than deletion. |
|
|
| **[RG-4]** | FK constraints (`menu_slot_option.product_id ON DELETE RESTRICT`, `order_item.product_id ON DELETE RESTRICT`) enforce the constraint even if the PHP check is bypassed. |
|
|
| **[POST-1]** | Product deleted if no FK constraint was blocking |
|
|
| **[OUT-1]** | Redirect to product list with success message |
|
|
| **[ERR-1]** | Product in menu slot: HTTP 422 or inline message with blocking menu list |
|
|
| **[ERR-2]** | Product in historical orders: message proposing deactivation instead |
|
|
|
|
---
|
|
|
|
### 8.4 CREATE_MENU
|
|
|
|
**Corresponds to MCT section 8.4**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `menu.create` |
|
|
| **[PRE-2]** | `burger_product_id` references an existing, available product |
|
|
| **[PRE-3]** | At least one `menu_slot` is defined with at least one `menu_slot_option` |
|
|
| **[RG-1]** | Validation: `name` non-empty, `price_normal_cents > 0`, `price_maxi_cents > 0`, `burger_product_id` valid, all `product_id` values in slot options exist |
|
|
| **[RG-2]** | Transaction: INSERT `menu`, then INSERT `menu_slot` rows (name, slot_type, is_required, display_order), then INSERT `menu_slot_option` rows (menu_slot_id, product_id) |
|
|
| **[RG-3]** | Valid `slot_type` values (from dictionary ENUM): `drink`, `side`, `sauce`, `dessert`, `extra` |
|
|
| **[POST-1]** | One `menu` row, N `menu_slot` rows, M `menu_slot_option` rows in the database |
|
|
| **[OUT-1]** | Redirect to menu list with success message |
|
|
| **[ERR-1]** | Invalid configuration (no slot, no option): business error message |
|
|
| **[ERR-2]** | Slot option product unavailable: warning (menu can be created; product availability is checked at order time) |
|
|
|
|
---
|
|
|
|
### 8.5 UPDATE_MENU
|
|
|
|
**Corresponds to MCT section 8.5**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `menu.update` |
|
|
| **[PRE-2]** | Target `menu.id` exists |
|
|
| **[RG-1]** | Same validations as CREATE_MENU on modified fields |
|
|
| **[RG-2]** | If slot configuration is modified: `DELETE FROM menu_slot_option WHERE menu_slot_id IN (SELECT id FROM menu_slot WHERE menu_id = :id)`, then `DELETE FROM menu_slot WHERE menu_id = :id`, then re-INSERT (delete-and-reinsert pattern, atomic in transaction) |
|
|
| **[RG-3]** | `label_snapshot` values in historical `order_item_selection` rows are not affected (see RG-T05) |
|
|
| **[POST-1]** | `menu` updated; `menu_slot` and `menu_slot_option` rebuilt |
|
|
| **[OUT-1]** | Redirect with success message |
|
|
|
|
---
|
|
|
|
### 8.6 DELETE_MENU
|
|
|
|
**Corresponds to MCT section 8.6**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `menu.delete` |
|
|
| **[PRE-2]** | Target `menu.id` exists |
|
|
| **[RG-1]** | Pre-check (PHP): is the menu referenced in `order_item.menu_id`? FK `ON DELETE RESTRICT`. If yes, propose deactivation (`is_available=0`) instead of deletion. |
|
|
| **[RG-2]** | If no historical reference: DELETE `menu` triggers CASCADE to `menu_slot` (which cascades to `menu_slot_option`) |
|
|
| **[POST-1]** | `menu`, its `menu_slot` rows, and its `menu_slot_option` rows deleted |
|
|
| **[OUT-1]** | Redirect with success message |
|
|
| **[ERR-1]** | Menu in historical orders: message proposing deactivation instead |
|
|
|
|
---
|
|
|
|
### 8.7 MANAGE_CATEGORY
|
|
|
|
**Corresponds to MCT section 8.7**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `category.manage` |
|
|
| **[RG-CREATE]** | `name` and `slug` non-empty and unique in the database; `display_order` set to MAX + 1 |
|
|
| **[RG-UPDATE]** | UPDATE `name`, `slug`, `image_path`, `display_order`, `is_active` |
|
|
| **[RG-DEACTIVATE]** | Deactivation (`is_active=0`) does not auto-deactivate child products/menus in the DB (no CASCADE on `is_active`). PHP layer proposes to the admin to also deactivate child products/menus, or the kiosk filter on `category.is_active = 1` implicitly hides them. |
|
|
| **[RG-DELETE]** | Physical deletion blocked if `product.category_id` or `menu.category_id` references this category (FK `ON DELETE RESTRICT`). Propose deactivation. |
|
|
| **[POST-CREATE]** | New `category` row in database |
|
|
| **[POST-UPDATE]** | `category` updated, `updated_at` refreshed |
|
|
| **[OUT-1]** | Confirmation, redirect to category list |
|
|
|
|
---
|
|
|
|
### 8.8 MANAGE_INGREDIENT
|
|
|
|
**Corresponds to MCT section 8.8**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `ingredient.manage` |
|
|
| **[RG-CREATE-ING]** | `name` non-empty and UNIQUE; `unit` non-empty; `pack_size >= 1`; `low_stock_threshold >= 0`; `stock_quantity` defaults to 0 at creation |
|
|
| **[RG-UPDATE-ING]** | UPDATE `name`, `unit`, `pack_size`, `pack_label`, `low_stock_threshold`, `is_active` |
|
|
| **[RG-DEACTIVATE-ING]** | `is_active=0` hides ingredient from configurator. Physical deletion blocked if referenced in `product_ingredient` (FK `ON DELETE RESTRICT`) or `stock_movement` (FK `ON DELETE RESTRICT`). |
|
|
| **[RG-COMPOSITION]** | UPDATE `product_ingredient`: for each ingredient in a product's recipe, set `quantity_normal`, `quantity_maxi`, `is_removable`, `is_addable`, `extra_price_cents`. Delete-and-reinsert pattern within transaction. |
|
|
| **[RG-ALLERGEN]** | Manage `ingredient_allergen`: INSERT or DELETE `(ingredient_id, allergen_id)` pairs. Allergen list is read-only (14 rows fixed by EU regulation 1169/2011). |
|
|
| **[POST-1]** | `ingredient` / `product_ingredient` / `ingredient_allergen` rows updated |
|
|
| **[OUT-1]** | Confirmation, redirect to ingredient list or product composition form |
|
|
|
|
---
|
|
|
|
## 9. Domain 7 — Stock management
|
|
|
|
### 9.1 RESTOCK
|
|
|
|
**Corresponds to MCT section 9.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `stock.manage` |
|
|
| **[PRE-2]** | Target ingredient exists and `is_active = 1` |
|
|
| **[PRE-3]** | Number of packs `N >= 1` |
|
|
| **[RG-1]** | `delta = N * ingredient.pack_size` |
|
|
| **[RG-2]** | Transaction: `UPDATE ingredient SET stock_quantity = stock_quantity + :delta WHERE id = :id`; INSERT `stock_movement` (ingredient_id, movement_type=`restock`, delta=+delta, order_id=NULL, user_id=actor, note=optional) |
|
|
| **[RG-3]** | `stock_movement` is append-only: no UPDATE or DELETE on this table (corrections are new rows) |
|
|
| **[POST-1]** | `ingredient.stock_quantity` incremented by `delta`. One `stock_movement` row of type `restock` inserted. |
|
|
| **[OUT-1]** | Confirmation with new stock level displayed |
|
|
|
|
---
|
|
|
|
### 9.2 INVENTORY_COUNT
|
|
|
|
**Corresponds to MCT section 9.2**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `stock.count` |
|
|
| **[PRE-2]** | Target ingredient exists |
|
|
| **[PRE-3]** | `actual_quantity >= 0` (physical count is non-negative) |
|
|
| **[RG-1]** | `delta = actual_quantity - ingredient.stock_quantity` (may be negative if actual < theoretical) |
|
|
| **[RG-2]** | Transaction: `UPDATE ingredient SET stock_quantity = :actual_quantity WHERE id = :id`; INSERT `stock_movement` (ingredient_id, movement_type=`inventory_correction`, delta=computed, order_id=NULL, user_id=actor, note=optional) |
|
|
| **[RG-3]** | `delta = 0` is a valid correction (physical count matches theoretical); a movement row is still inserted for audit completeness |
|
|
| **[POST-1]** | `ingredient.stock_quantity = actual_quantity`. One `stock_movement` row of type `inventory_correction` inserted. |
|
|
| **[OUT-1]** | Confirmation with reconciled stock level and discrepancy displayed |
|
|
|
|
---
|
|
|
|
### 9.3 READ_STOCK
|
|
|
|
**Corresponds to MCT section 9.3**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `stock.read` |
|
|
| **[RG-1]** | `SELECT * FROM ingredient WHERE is_active = 1 ORDER BY name ASC` |
|
|
| **[RG-2]** | Low-stock alert computed at render time: `stock_quantity <= low_stock_threshold` -> flag `low_stock: true` in response. Not stored as a column. |
|
|
| **[RG-3]** | Optional movement history for a given ingredient: `SELECT * FROM stock_movement WHERE ingredient_id = :id ORDER BY created_at DESC LIMIT :n` |
|
|
| **[POST-1]** | No database write |
|
|
| **[OUT-1]** | Ingredient list with `stock_quantity`, `low_stock_threshold`, `pack_size`, `pack_label`, `low_stock` flag |
|
|
|
|
---
|
|
|
|
## 10. Domain 8 — User and role management
|
|
|
|
### 10.1 CREATE_USER
|
|
|
|
**Corresponds to MCT section 10.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `user.create` |
|
|
| **[PRE-2]** | Email does not already exist in `user.email` (UNIQUE constraint) |
|
|
| **[PRE-3]** | `role_id` references an existing, active role |
|
|
| **[RG-1]** | Validation: `email` conforms to RFC 5321 (PHP `FILTER_VALIDATE_EMAIL`), `first_name` and `last_name` non-empty, `role_id` valid |
|
|
| **[RG-2]** | Password hash: `password_hash($password, PASSWORD_ARGON2ID)`. Minimum password length: 8 characters. |
|
|
| **[RG-3]** | `is_active = 1` by default; `last_login_at = NULL` at creation |
|
|
| **[POST-1]** | One `user` row with argon2id `password_hash`, valid `role_id` |
|
|
| **[OUT-1]** | Redirect to user list with success message |
|
|
| **[ERR-1]** | Duplicate email: message "This email is already in use" |
|
|
| **[ERR-2]** | Password too short: inline validation message |
|
|
|
|
---
|
|
|
|
### 10.2 UPDATE_USER
|
|
|
|
**Corresponds to MCT section 10.2**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `user.update` |
|
|
| **[PRE-2]** | Target `user.id` exists |
|
|
| **[RG-1]** | If a new password is supplied (non-empty field): rehash via `PASSWORD_ARGON2ID` and replace existing hash |
|
|
| **[RG-2]** | If password field is empty: existing hash is preserved unchanged |
|
|
| **[RG-3]** | Email update subject to UNIQUE constraint (pre-check before UPDATE) |
|
|
| **[POST-1]** | `user` updated, `updated_at` refreshed |
|
|
| **[OUT-1]** | Redirect with success message |
|
|
|
|
---
|
|
|
|
### 10.3 DEACTIVATE_USER
|
|
|
|
**Corresponds to MCT section 10.3**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `user.deactivate` |
|
|
| **[PRE-2]** | Actor is not targeting their own account (`$targetUserId !== $currentUserId`) |
|
|
| **[RG-1]** | `UPDATE user SET is_active = 0, updated_at = NOW() WHERE id = :id` |
|
|
| **[RG-2]** | The user's potentially active session is invalidated on next request: middleware checks `user.is_active = 1` on each authenticated request |
|
|
| **[POST-1]** | `user.is_active = 0`; user cannot log in; history remains intact |
|
|
| **[OUT-1]** | Redirect with success message |
|
|
| **[ERR-1]** | Self-deactivation attempt: HTTP 403, `{error: {code: "SELF_DEACTIVATION_FORBIDDEN"}}` |
|
|
|
|
---
|
|
|
|
### 10.4 MANAGE_RBAC
|
|
|
|
**Corresponds to MCT section 10.4**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `role.manage` |
|
|
| **[PRE-2]** | Target `role.id` exists (for permission update) or role fields are valid (for role creation) |
|
|
| **[PRE-3]** | All submitted `permission_id` values exist in the `permission` catalogue |
|
|
| **[RG-1 — permissions]** | Transaction: `DELETE FROM role_permission WHERE role_id = :id`; INSERT new `(role_id, permission_id)` pairs for each selected permission |
|
|
| **[RG-2]** | Permissions are not modifiable via this operation: they are read-only to populate the selection form. Permission catalogue is frozen at seed. |
|
|
| **[RG-3]** | Effect is immediate for new requests; sessions of users bearing this role see the change on the next permission check (sessions store `role_id`; permissions are reloaded from DB on each check). |
|
|
| **[RG-4 — custom role]** | Creating a custom role: INSERT `role` (code UNIQUE, label, description, default_route nullable, order_source nullable); INSERT `role_visible_source` rows as needed. |
|
|
| **[RG-5 — order_source]** | `role.order_source` controls the auto-tagging of `customer_order.source` when this role creates an order. NULL for admin and manager (they can create on behalf of any channel). |
|
|
| **[POST-1]** | `role_permission` reflects exactly the selected permissions for this role |
|
|
| **[OUT-1]** | Redirect with success message |
|
|
|
|
---
|
|
|
|
## 11. Domain 9 — Stats and KPI
|
|
|
|
### 11.1 READ_STATS
|
|
|
|
**Corresponds to MCT section 11.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Actor authenticated, holds permission `stats.read` |
|
|
| **[RG-1 — service_day]** | `service_day` expression used in all stats aggregations: `CASE WHEN HOUR(customer_order.created_at) < 10 THEN DATE(customer_order.created_at) - INTERVAL 1 DAY ELSE DATE(customer_order.created_at) END`. Cutoff at 10:00. No stored column. The v0.1 formula with `INTERVAL 4 HOUR 30 MINUTE` is dropped. |
|
|
| **[RG-2 — revenue]** | Revenue queries filter `status != 'cancelled'`; they sum `total_ttc_cents` from `customer_order`. Cancelled orders are excluded from revenue but appear in volume counts with `status = 'cancelled'` filter. |
|
|
| **[RG-3 — top products]** | `SELECT label_snapshot, SUM(quantity) AS total_sold FROM order_item JOIN customer_order ON ... WHERE customer_order.status != 'cancelled' GROUP BY label_snapshot ORDER BY total_sold DESC LIMIT 10` |
|
|
| **[RG-4 — delivery time KPI]** | Average delivery time: `AVG(TIMESTAMPDIFF(SECOND, paid_at, delivered_at))` on orders with `status = 'delivered'`. SLA reference approx. 10 min (configurable). |
|
|
| **[RG-5 — breakdown]** | Breakdowns available by `source` (kiosk/counter/drive) and `service_mode` (dine_in/takeaway/drive) for capacity planning. `service_mode` carries no fiscal role (see dictionary note 9). |
|
|
| **[POST-1]** | No database write |
|
|
| **[OUT-1]** | Stats dashboard data: revenue by service_day, order counts, top products, cancellation rate, average delivery time, breakdown by source/service_mode |
|
|
|
|
---
|
|
|
|
## 12. Domain 10 — Back-office authentication
|
|
|
|
### 12.1 AUTHENTICATE_USER
|
|
|
|
**Corresponds to MCT section 12.1**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Login form submitted with email and password |
|
|
| **[PRE-2]** | CSRF token of the form is valid (anti-CSRF protection) |
|
|
| **[RG-1]** | Lookup: `SELECT * FROM user WHERE email = :email AND is_active = 1 LIMIT 1` |
|
|
| **[RG-2]** | Password verification: `password_verify($password, $user->password_hash)`. On failure: same generic error whether the email does not exist or the password is wrong (protection against email enumeration). |
|
|
| **[RG-3]** | On success: `session_regenerate(true)` (session ID regeneration, protection against session fixation) |
|
|
| **[RG-4]** | Session storage: `$_SESSION['user_id']`, `$_SESSION['role_id']`, `$_SESSION['logged_in_at']` |
|
|
| **[RG-5]** | UPDATE: `UPDATE user SET last_login_at = NOW() WHERE id = :id` |
|
|
| **[RG-6]** | Session timeouts: idle timeout 4h (detection via last-activity timestamp in session); absolute timeout 10h (detection via `logged_in_at`) |
|
|
| **[RG-7]** | Redirect target is `role.default_route` (dynamic; no hardcoded role name in routing logic) |
|
|
| **[POST-1]** | PHP session open with `user_id` and `role_id`; `user.last_login_at` updated |
|
|
| **[OUT-1]** | Redirect to `role.default_route` |
|
|
| **[ERR-1]** | Incorrect credentials or inactive account: generic message "Email or password incorrect" (no distinction to prevent enumeration) |
|
|
| **[ERR-2]** | Invalid CSRF token: HTTP 403 |
|
|
|
|
---
|
|
|
|
### 12.2 LOGOUT_USER
|
|
|
|
**Corresponds to MCT section 12.2**
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[PRE-1]** | Valid session open (`session_id()` non-empty, `$_SESSION['user_id']` present) |
|
|
| **[RG-1]** | `$_SESSION = []` (clear session data) |
|
|
| **[RG-2]** | If session cookie exists, expire it: `setcookie(session_name(), '', time() - 3600, '/', '', true, true)` |
|
|
| **[RG-3]** | `session_destroy()` |
|
|
| **[POST-1]** | PHP session destroyed; no authenticated access possible with the old cookie |
|
|
| **[OUT-1]** | Redirect to login page |
|
|
|
|
---
|
|
|
|
## 13. Automated treatments — Crons (outside user interactions)
|
|
|
|
These treatments are executed by the `wakdo-cron` service container in the maintenance
|
|
window 01:30-09:30 (outside active service). They are outside the MCT scope (technical
|
|
treatments, no user trigger) but are documented here for consistency with PROJECT_CONTEXT.
|
|
|
|
### 13.1 Stats aggregation (cron 04:30)
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[TRIGGER]** | Cron: `30 4 * * *` |
|
|
| **[RG-1]** | `service_day` to aggregate: computed per order (see RG-1 of READ_STATS). At 04:30 the service_day in progress is the previous calendar day. |
|
|
| **[RG-2]** | Aggregations by `service_day`: order count, TTC revenue (sum `total_ttc_cents` where `status != 'cancelled'`), top products (by `label_snapshot`, COUNT in `order_item`) |
|
|
| **[POST-1]** | Stats available for admin dashboard (direct queries on `customer_order` filtered by `service_day`, or an aggregation table if implemented) |
|
|
|
|
### 13.2 Expired sessions purge (cron every 15 min)
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[TRIGGER]** | Cron: `*/15 * * * *` |
|
|
| **[RG-1]** | File-based sessions (default): `find /tmp/sessions -mmin +240 -delete` |
|
|
| **[RG-2]** | DB-based sessions (option): `DELETE FROM php_sessions WHERE updated_at < NOW() - INTERVAL 4 HOUR` |
|
|
| **[POST-1]** | Expired sessions deleted; users inactive for more than 4h are forced to re-login |
|
|
|
|
### 13.3 DB backup (cron 03:00)
|
|
|
|
| Tag | Content |
|
|
|-----|---------|
|
|
| **[TRIGGER]** | Cron: `0 3 * * *` |
|
|
| **[RG-1]** | `mysqldump` of the `wakdo` database to a dated file in the backup volume |
|
|
| **[RG-2]** | Retention: keep the last 7 dumps; delete older ones |
|
|
| **[POST-1]** | SQL dump available for restoration |
|
|
|
|
---
|
|
|
|
## 14. State machine — consistency recap (MLT)
|
|
|
|
Summary of `customer_order.status` transitions covered in the MLT, with corresponding
|
|
operations, SQL condition, concurrency protection, and phase timestamp set.
|
|
|
|
| Transition | MLT operation | SQL condition | Concurrency protection | Phase timestamp set |
|
|
|------------|--------------|---------------|------------------------|---------------------|
|
|
| `-> pending_payment` (creation) | CREATE_ORDER (3.3), CREATE_COUNTER_ORDER (4.1) | INSERT with status `pending_payment` | Atomic transaction | `created_at` |
|
|
| `pending_payment -> paid` | CREATE_ORDER (3.3), CREATE_COUNTER_ORDER (4.1) | UPDATE in same transaction | Atomic transaction | `paid_at` |
|
|
| `paid -> delivered` | DELIVER_ORDER (6.1) | `WHERE status = 'paid'` | AND status in WHERE | `delivered_at` |
|
|
| `pending_payment/paid -> cancelled` | CANCEL_ORDER (7.1) | `WHERE status IN ('pending_payment', 'paid')` | AND status IN WHERE | `cancelled_at` |
|
|
|
|
Terminal statuses (no further transition defined from these states): `delivered`, `cancelled`.
|
|
|
|
**Dropped from v0.1**:
|
|
- `paid -> preparing` and `preparing -> ready` transitions — intermediate states removed.
|
|
- MARQUER_EN_PREPARATION (v0.1 MLT section 4.2) — dropped.
|
|
- MARQUER_PRETE (v0.1 MLT section 4.3) — dropped.
|
|
- `preparing` and `ready` in the cancellable state set — the cancellable set is now
|
|
`['pending_payment', 'paid']` only.
|
|
- `commande_event` table and v0.1 RG-T10 — replaced by phase timestamps on `customer_order`.
|
|
|
|
---
|
|
|
|
## 15. Residual notes and open points
|
|
|
|
### 15.1 `service_day` — not materialised as a column
|
|
|
|
The `service_day` computation is documented (RG-2 of CREATE_ORDER, RG-1 of READ_STATS):
|
|
`CASE WHEN HOUR(created_at) < 10 THEN DATE(created_at) - INTERVAL 1 DAY ELSE DATE(created_at) END`
|
|
(cutoff 10:00). It is computed at query time, not stored. For high-frequency stats queries,
|
|
a MariaDB generated column `VIRTUAL` or `STORED` could be added at DDL time to avoid
|
|
per-row recomputation, but this is not a blocker for the RNCP scope.
|
|
The v0.1 formula with `INTERVAL 4 HOUR 30 MINUTE` was incorrect and is dropped.
|
|
|
|
### 15.2 `order_item_modifier` for menu items
|
|
|
|
For a menu line (`item_type='menu'`), modifiers target the fixed burger identified via
|
|
`order_item.menu_id -> menu.burger_product_id`. The constraint that modifiers reference
|
|
only ingredients belonging to the burger's `product_ingredient` is enforced at the
|
|
application layer, not at the DB FK layer (see dictionary note 10). This is a known
|
|
trade-off: a multi-column FK or a DB trigger would be needed to enforce it at DB level.
|
|
Documenting it as an application invariant is the retained approach for this project scope.
|
|
|
|
### 15.3 Order number NNN counter — concurrency
|
|
|
|
The sequential NNN counter per `(source, service_day)` could produce duplicates under
|
|
high concurrency if implemented naively as `SELECT COUNT + 1`. The recommended
|
|
implementation at DDL/code time is either: (a) a table-level advisory lock around the
|
|
count-and-insert sequence; or (b) a dedicated sequence table with an atomic increment.
|
|
The UNIQUE constraint on `order_number` provides the last-resort guard (INSERT would fail
|
|
and the application retries). This is not a blocker for the RNCP demo volume.
|