Route Inventory

docs/reference/route-inventory.md

Audience: admins, support engineers, internal developers
Difficulty: intermediate

What this covers

A grouped, navigable map of every routable URL in the Solavel parent app (308 routes) and the Solabooks app (1,060 routes). The full list is too long to read by hand, so routes are bucketed by area and the auth chain that protects them is given once per group.

For the literal route list, run php artisan route:list --json in either app — these tables are summaries, not a copy.


Parent app (/var/www/html/solavel)

Mounted at the apex domain (e.g. solavel.com/).

Public marketing & docs

| URI | Purpose | Auth |
| --- | --- | --- |
| GET / | Marketing homepage | none |
| GET /finance | Solabooks landing | none |
| GET /hr | HR landing | none |
| GET /finance/plans, GET /hr/plans | Plans listing | none |
| GET /comparison, GET /launch | Plan comparison & launch CTA | none |
| GET /docs/finance | Public finance setup walkthrough | none |
| POST /error-report | Public error capture endpoint | none |

Authentication (Breeze + SSO bridge)

| URI | Purpose | Auth |
| --- | --- | --- |
| GET\|POST /login, POST /logout | Session login/logout | guest / auth |
| GET\|POST /register | Account registration | guest |
| GET\|POST /forgot-password, /reset-password/{token} | Password reset | guest |
| GET /verify-email, POST /email/verification-notification | Email verification | auth |
| GET /confirm-password, POST /confirm-password | Re-confirm password | auth |
| GET /signin/finance, GET /signin/hr | Project-scoped sign-in entry | guest |
| GET /sso/finance | SSO entry (cold) | web |
| GET /sso/finance/redirect | SSO redirect (warm, throttled 20/min) | auth |
| POST /sso/logout | Cross-app logout | web |

Onboarding

| URI prefix | Purpose | Auth |
| --- | --- | --- |
| /onboarding/* | Workspace onboarding verification | auth + client |
| /finance/onboarding/* | Solabooks project onboarding | auth |
| /hr/onboarding/* | HR project onboarding | auth |
| /finance/start, /finance/login, /finance/provisioning/status | Solabooks provisioning shell | auth |
| /hr/start, /hr/login, /hr/provisioning/status | HR provisioning shell | auth |

/admin/* — admin shell (89 routes)

Auth chain: web + auth + EnsureAdmin + LoadMyWorkspace. The super-admin sub-tree (permissions, roles, send-email) layers EnsureSuperAdmin on top.

| Sub-prefix | Routes | Notes |
| --- | --- | --- |
| admin/projects | 14 | Projects + nested project plans CRUD |
| admin/my-workspace | 8 | Internal "Solavel Internal" workspace tools |
| admin/admins | 7 | Manage admin users |
| admin/clients | 7 | Client (tenant) CRUD |
| admin/plans | 7 | Bundle plans CRUD |
| admin/permissions | 7 | Super-admin only |
| admin/roles | 7 | Super-admin only |
| admin/client-users | 5 | Cross-tenant user list |
| admin/system-event-logs | 3 | Cross-app audit feed |
| admin/user-monitor, admin/form-monitor | 6 | Live presence and form-event tail |
| admin/tap-test, admin/contact-messages, admin/errors, admin/beta-reports, admin/features | misc | See logs-and-errors |

/portal/* — client workspace (35 routes)

Auth chain: web + auth + SetClientContext + EnsureWorkspaceOnboardingCompleted. This is the canonical post-login surface for tenant owners and members.

| Sub-prefix | Routes | Notes |
| --- | --- | --- |
| portal/orgs/* | 32 | Org list, members, projects, billing, subscriptions, invoices, payments |
| portal/billing/*, portal/plan/*, portal/settings/* | 3 | Workspace-level billing |

/client/* — client beta-reports

| URI | Routes |
| --- | --- |
| client/beta-reports/* | 4 |

/api/* — parent API surface (52 routes)

| Sub-prefix | Auth | Notes |
| --- | --- | --- |
| api/auth/{login,logout,me} | open / sanctum | Token issue |
| api/sso/validate | throttle:60,1 | Open by design — Solabooks verifies tokens here |
| api/workspace-control/* | auth:sanctum | Used by tenant apps to read/write central data |
| api/subscriptions/* | sanctum | Subscription lifecycle |
| api/beta-reports, api/errors/ingest, api/system-events/ingest, api/tenancy/organizations/projects/sync | VerifySolavelSyncSignature (HMAC) | Sync ingest |
| api/webhooks/tap | open route, controller-verified | Tap payment webhook |
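
The parent-app chains documented above can be checked against a live route table. The script below is an added example, not part of the Solavel code base: it audits `php artisan route:list --json` output and reports routes that lack a middleware this page says their group carries. The JSON keys (`method`, `uri`, `middleware`), the `App\Http\Middleware` namespace and the sample routes are assumptions made for the illustration.

```python
import json

# Expected chains transcribed from this page (parent app); first matching prefix wins.
ADMIN = ["web", "auth", "EnsureAdmin", "LoadMyWorkspace"]
EXPECTED = [
    ("admin/permissions", ADMIN + ["EnsureSuperAdmin"]),
    ("admin/roles", ADMIN + ["EnsureSuperAdmin"]),
    ("admin", ADMIN),
    ("portal", ["web", "auth", "SetClientContext", "EnsureWorkspaceOnboardingCompleted"]),
]
EXPECTED += [(p, ["VerifySolavelSyncSignature"]) for p in ("api/beta-reports", "api/errors/ingest", "api/system-events/ingest", "api/tenancy/organizations/projects/sync")]
# Assumption: the "auth" alias may be listed as its resolved class name.
EQUIVALENT = {"auth": {"auth", "Authenticate"}}

def short_names(route):
    """Reduce each middleware entry to its class basename or alias, without parameters."""
    mw = route.get("middleware") or []
    if isinstance(mw, str):  # assumption: older Laravel emits one newline-joined string
        mw = mw.splitlines()
    return {m.rsplit("\\", 1)[-1].split(":", 1)[0] for m in mw}

def audit(routes):
    """Return (method, uri, missing) for routes that fall short of the documented chain."""
    findings = []
    for route in routes:
        uri = route["uri"].strip("/")
        for prefix, chain in EXPECTED:
            if uri == prefix or uri.startswith(prefix + "/"):
                have = short_names(route)
                missing = [m for m in chain if not EQUIVALENT.get(m, {m}) & have]
                if missing:
                    findings.append((route["method"], route["uri"], missing))
                break
    return findings

# Constructed sample in the shape of `php artisan route:list --json` output.
SAMPLE = json.loads(r'''[
 {"method": "GET|HEAD", "uri": "/", "middleware": ["web"]},
 {"method": "GET|HEAD", "uri": "admin/clients", "middleware": ["web", "App\\Http\\Middleware\\Authenticate", "App\\Http\\Middleware\\EnsureAdmin", "App\\Http\\Middleware\\LoadMyWorkspace"]},
 {"method": "GET|HEAD", "uri": "admin/roles", "middleware": ["web", "auth", "App\\Http\\Middleware\\EnsureAdmin", "App\\Http\\Middleware\\LoadMyWorkspace"]},
 {"method": "GET|HEAD", "uri": "portal/orgs", "middleware": "web\nauth\nSetClientContext\nEnsureWorkspaceOnboardingCompleted"},
 {"method": "POST", "uri": "api/errors/ingest", "middleware": ["api", "throttle:60,1"]}
]''')

if __name__ == "__main__":
    for method, uri, missing in audit(SAMPLE):
        print(f"{method:9} {uri:20} missing: {', '.join(missing)}")
```

Routes whose URI matches no documented prefix are ignored, so the output lists only deviations from this page, not every unprotected route.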

Solabooks app (/var/www/html/solavel-finance)

Mounted at solavel.com/finance/.

Per-org chain (most pages)

The default authenticated chain for tenant pages is:

web → Authenticate → ResolveActiveOrganization → EnsureOrgMembership → EnsureOrgSelected

On top, most pages add feature:<flag> and/or perm:<key> checks. See permission-matrix and plan-feature-matrix.

/admin/* (180 routes)

Auth: web + Authenticate + RoleMiddleware:admin (Spatie role).

| Sub-prefix | Routes | Notes |
| --- | --- | --- |
| admin/inventory | 101 | Items, categories, units; mounted under admin but withoutMiddleware('role:admin') (open to org users) |
| admin/suppliers | 17 | Legacy supplier admin |
| admin/plans, admin/plan-tasks, admin/steps, admin/task-steps | 38 | Project-plan editor (legacy) |
| admin/customers, admin/quotations | 14 | Legacy editors |
| admin/clients, admin/inventory-setup, admin/activity-logs | misc | Admin-shell utilities |

Reports (/reports/*, 120 routes)

41 viewer routes + 48 PDF endpoints + 12 CSV endpoints + 7 scheduled-report admin routes + per-area sub-paths (budgets, projects, dimensions, fixed-assets). Most viewers gate on feature:tracker.<report> and perm:reports.view.

Sales / AR (/ar/*, 89 routes)

Sub-prefix Feature gate Permission gate
ar/invoices tracker.invoices sales.invoices.*
ar/quotes tracker.quotes_estimates quotes.*
ar/sales-orders sales.use_sales_orders + tracker.sales_orders sales_orders.*
ar/credit-notes tracker.credit_notes sales.credit_notes.*
ar/sales-receipts tracker.sales_receipts sales.receipts.*
ar/customer-payments tracker.record_offline_payments sales.payments.*
ar/refund-receipts sales.refunds.*
ar/retainers finance.retainers (undeclared, see audit)
ar/price-lists, ar/pricing-rules price_lists, advanced_pricing_rules price_lists.*, pricing_rules.*

Purchases / AP (/ap/*, 95 routes)

| Sub-prefix | Feature gate | Permission gate |
| --- | --- | --- |
| ap/bills | tracker.bills | purchases.bills.* |
| ap/expenses | tracker.expenses_direct_pay | purchases.expenses.* |
| ap/bill-payments | tracker.record_payments_made | purchases.bill_payments.* |
| ap/debit-notes | tracker.vendor_credits_debit_notes | purchases.debit_notes.* |
| ap/purchase-orders | enable_purchase_orders + tracker.purchase_orders | purchase_orders.* |
| ap/landed-costs | tracker.landed_costs | landed_costs.* |

Banking (/banking/*, /reconciliations/*, /bank-imports/*)

| Sub-prefix | Feature gate | Permission gate |
| --- | --- | --- |
| banking/accounts | | banking.accounts.* |
| reconciliations | bank_reconciliation_enabled + tracker.bank_reconciliation | banking.reconciliation.* |
| bank-imports | tracker.import_bank_statements | banking.import.* |
| banking/rules, banking/templates | | banking.rules.*, banking.templates.* |

Settings (/settings/*, 79 routes)

Gates use perm:settings.*, plus perm:custom_fields.manage, perm:custom_views.manage_*, perm:dimensions.manage, etc. Each settings sub-page is one row in permission-matrix.

Customer-facing (no auth on parent app)

| URI | Throttle | Token middleware |
| --- | --- | --- |
| i/{token}/* (canonical) | portal-public | portal.token |
| portal/{token}/* (legacy) | portal-public | portal.token |
| i/{token}/request-access, i/{token}/send-again | portal-recovery | |
| q/{token}/* (public quote) | quotes-public | quote.token |
| customer-portal/* (account-based) | customer-portal-{login,password} | customer-portal.tenant + customer-portal.{auth,guest} |
| customer/time-approvals/{timeEntry}/{token}/* | 30,1 | controller-verified |
| shared/projects/{token}/*, p/projects/{token}/* | portal-public | controller-verified |

See secure-document-links and overview.

Solabooks API (/api/*, 40 routes)

| Sub-prefix | Auth |
| --- | --- |
| api/auth/login | open |
| api/v1/{customers,suppliers,invoices,bills,payments} | EnsureExternalApiAccess:<scope> |
| api/tenancy/* | VerifySolavelSyncSignature (HMAC, parent-issued) |
