Customer now signs on the confirm page instead of inputting the last
4 digits of their phone. Signature is stored as a base64 PNG dataURL
on the work order and shown back to the customer plus archived for
admin review. Reject still bypasses signature but now requires a
reason.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds /api/users endpoints (admin only) plus /api/users/assignable
(admin + technician) used by the aftersales reassign picker. Guards
prevent self-demotion, self-deletion, and removing the last admin.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- AftersalesOrder model with state machine (created/pending_confirmation/closed/rejected)
- Public scan-to-confirm flow with phone last-4 verification and rate limiting
- Technician role and middleware for ownership-scoped operations
- QR code generation pointing to /aftersales/{serialNumber}
- Admin overrides: reassign, force-close, delete
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>