
Niko kadi
May 19, 2026
Status transitions are strict. A report cannot skip states or move backwards except from changes_requested back to in_review.
Every status change must record the acting user and the timestamp.
RLS must enforce who can update the status field. Role-based permission on status transitions is enforced at the database level, not only in the application layer.
Notifications are triggered by status changes. The database change is the source of truth — use database triggers or server actions to fire notifications, not client-side calls.
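A PostgreSQL sketch of these four rules, added here as an example and not taken from the original post. The reports columns, the state names other than changes_requested and in_review, the role names, and the app.user_id / app.user_role session settings (standing in for whatever identity source the platform provides) are all assumptions.

```sql
-- Assumed schema: reports(id, status text, status_changed_by text, status_changed_at timestamptz).
-- Assumed: the server sets app.user_id and app.user_role per request (e.g. SET LOCAL).
CREATE TABLE report_status_transitions (
  from_status text, to_status text, required_role text,
  PRIMARY KEY (from_status, to_status, required_role)
);
-- Constructed sample rows; the last one is the single backward edge.
INSERT INTO report_status_transitions VALUES
  ('draft', 'submitted', 'author'),
  ('submitted', 'in_review', 'reviewer'),
  ('in_review', 'changes_requested', 'reviewer'),
  ('in_review', 'approved', 'reviewer'),
  ('changes_requested', 'in_review', 'author');

CREATE FUNCTION enforce_report_status() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
  actor_id   text := nullif(current_setting('app.user_id', true), '');
  actor_role text := nullif(current_setting('app.user_role', true), '');
BEGIN
  IF NEW.status IS NOT DISTINCT FROM OLD.status THEN
    -- No status change: keep the audit columns from being edited directly.
    NEW.status_changed_by := OLD.status_changed_by;
    NEW.status_changed_at := OLD.status_changed_at;
    RETURN NEW;
  END IF;
  IF actor_id IS NULL OR NOT EXISTS (
    SELECT 1 FROM report_status_transitions t
    WHERE t.from_status = OLD.status AND t.to_status = NEW.status
      AND t.required_role = actor_role
  ) THEN
    RAISE EXCEPTION 'transition % -> % denied for role %',
      OLD.status, NEW.status, coalesce(actor_role, '(none)');
  END IF;
  -- Record actor and time server-side, overwriting client-supplied values.
  NEW.status_changed_by := actor_id;
  NEW.status_changed_at := now();
  -- pg_notify is transactional: listeners see it only if the update commits.
  PERFORM pg_notify('report_status', json_build_object(
    'id', NEW.id, 'from', OLD.status, 'to', NEW.status, 'by', actor_id)::text);
  RETURN NEW;
END $$;

CREATE TRIGGER report_status_guard BEFORE UPDATE ON reports
  FOR EACH ROW EXECUTE FUNCTION enforce_report_status();

ALTER TABLE reports ENABLE ROW LEVEL SECURITY;
-- USING sees the existing row and WITH CHECK the new one, never both, so RLS
-- gates who may update and the trigger validates the OLD -> NEW transition.
CREATE POLICY reports_update ON reports FOR UPDATE
  USING (current_setting('app.user_role', true) IN ('author', 'reviewer'));
```

The table owner bypasses RLS unless FORCE ROW LEVEL SECURITY is set, but the trigger still runs for every updater, which is why the transition check lives there.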