fix(sanity): resolve 15 gaps from sanity check audit (G-01 through G-15)

- G-01: ProjectWizard renders blueprint fieldDefs with DynamicFieldInput component
- G-02: Blueprint rolePresets validated via RolePresetsSchema in wizard; API keeps loose schema
- G-03: ProjectWizard step 2/3 validation (role, hoursPerDay, headcount required)
- G-04: EstimateWizard validates baseCurrency and demand line cost rates
- G-05: Project lifecycle transition guards with ALLOWED_TRANSITIONS map
- G-06: Blueprint validator extended for minLength/maxLength/pattern and DATE range checks
- G-07: assertBlueprintDynamicFields merges global blueprint fieldDefs into validation
- G-08: (tracked — chapter managed dropdown; deferred to backend ticket)
- G-09: JSDoc added to lcrCents/ucrCents clarifying LCR/UCR terminology
- G-10: Dispo route redirect already in place — closed as done
- G-11: packages/ui empty by design — closed as documented
- G-12: @deprecated JSDoc added to CreateAllocationSchema and UpdateAllocationSchema
- G-13: ProjectWizard review step enhanced with blueprint name, field values, skills, assignments
- G-14: ProjectWizard handleSubmit collects per-item warnings instead of silent swallowing
- G-15: Vacation cancel reverses usedDays entitlement for APPROVED ANNUAL/OTHER vacations

Tests: all 1575 passing (1 pre-existing failure in insights-summary unrelated to these changes)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/api/src/router/blueprint-procedure-support.ts

@@ -58,7 +58,7 @@ export const blueprintUpdateInputSchema = z.object({
 
 export const blueprintRolePresetsInputSchema = z.object({
   id: z.string(),
-  rolePresets: z.array(z.unknown()),
+  rolePresets: z.array(z.record(z.string(), z.unknown())),
 });
 
 export const blueprintBatchDeleteInputSchema = z.object({

packages/api/src/router/blueprint-validation.ts

@@ -9,6 +9,10 @@ interface BlueprintLookup {
       where: { id: string };
       select: { fieldDefs: true; target: true };
     }) => Promise<{ fieldDefs: unknown; target: string } | null>;
+    findMany: (args: {
+      where: { target: BlueprintTarget; isGlobal: boolean; isActive: boolean };
+      select: { fieldDefs: true };
+    }) => Promise<Array<{ fieldDefs: unknown }>>;
   };
 }
 
@@ -25,25 +29,47 @@ export async function assertBlueprintDynamicFields({
   dynamicFields,
   target,
 }: AssertBlueprintDynamicFieldsInput): Promise<void> {
-  if (!blueprintId) return;
+  // Collect field defs from the entity's specific blueprint (if any)
+  let specificFieldDefs: BlueprintFieldDefinition[] = [];
 
-  const blueprint = await findUniqueOrThrow(
-    db.blueprint.findUnique({
-      where: { id: blueprintId },
-      select: { fieldDefs: true, target: true },
-    }),
-    "Blueprint",
-  );
+  if (blueprintId) {
+    const blueprint = await findUniqueOrThrow(
+      db.blueprint.findUnique({
+        where: { id: blueprintId },
+        select: { fieldDefs: true, target: true },
+      }),
+      "Blueprint",
+    );
 
-  if (blueprint.target !== target) {
-    throw new TRPCError({
-      code: "BAD_REQUEST",
-      message: `${target} entities require a ${target.toLowerCase()} blueprint`,
-    });
+    if (blueprint.target !== target) {
+      throw new TRPCError({
+        code: "BAD_REQUEST",
+        message: `${target} entities require a ${target.toLowerCase()} blueprint`,
+      });
+    }
+
+    specificFieldDefs = blueprint.fieldDefs as BlueprintFieldDefinition[];
   }
 
-  const fieldDefs = blueprint.fieldDefs as BlueprintFieldDefinition[];
-  const errors = validateCustomFields(fieldDefs, dynamicFields);
+  // Also collect field defs from all active global blueprints for this target
+  const globalBlueprints = await db.blueprint.findMany({
+    where: { target, isGlobal: true, isActive: true },
+    select: { fieldDefs: true },
+  });
+  const globalFieldDefs = globalBlueprints.flatMap(
+    (bp) => bp.fieldDefs as BlueprintFieldDefinition[],
+  );
+
+  // Merge: specific blueprint fields + global fields (specific takes precedence for same key)
+  const specificKeys = new Set(specificFieldDefs.map((f) => f.key));
+  const mergedFieldDefs = [
+    ...specificFieldDefs,
+    ...globalFieldDefs.filter((f) => !specificKeys.has(f.key)),
+  ];
+
+  if (mergedFieldDefs.length === 0) return;
+
+  const errors = validateCustomFields(mergedFieldDefs, dynamicFields);
 
   if (errors.length > 0) {
     throw new TRPCError({

packages/api/src/router/project-lifecycle.ts

@@ -1,6 +1,15 @@
 import { PermissionKey, ProjectStatus } from "@capakraken/shared";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
+
+// ─── Allowed status transitions ───────────────────────────────────────────────
+const ALLOWED_TRANSITIONS: Record<ProjectStatus, ProjectStatus[]> = {
+  [ProjectStatus.DRAFT]:     [ProjectStatus.ACTIVE, ProjectStatus.CANCELLED],
+  [ProjectStatus.ACTIVE]:    [ProjectStatus.ON_HOLD, ProjectStatus.COMPLETED, ProjectStatus.CANCELLED],
+  [ProjectStatus.ON_HOLD]:   [ProjectStatus.ACTIVE, ProjectStatus.CANCELLED],
+  [ProjectStatus.COMPLETED]: [ProjectStatus.ACTIVE],          // re-open only
+  [ProjectStatus.CANCELLED]: [ProjectStatus.DRAFT],           // revive only
+};
 import { adminProcedure, managerProcedure, requirePermission, type TRPCContext } from "../trpc.js";
 
 type ProjectLifecycleContext = Pick<TRPCContext, "db" | "dbUser"> & {
@@ -73,6 +82,24 @@ export function createProjectLifecycleProcedures(
       .input(z.object({ id: z.string(), status: z.nativeEnum(ProjectStatus) }))
       .mutation(async ({ ctx, input }) => {
         requirePermission(ctx, PermissionKey.MANAGE_PROJECTS);
+
+        const current = await ctx.db.project.findUnique({
+          where: { id: input.id },
+          select: { id: true, status: true },
+        });
+        if (!current) {
+          throw new TRPCError({ code: "NOT_FOUND", message: "Project not found" });
+        }
+        if (current.status !== input.status) {
+          const allowed = ALLOWED_TRANSITIONS[current.status] ?? [];
+          if (!allowed.includes(input.status)) {
+            throw new TRPCError({
+              code: "BAD_REQUEST",
+              message: `Cannot transition project from ${current.status} to ${input.status}. Allowed: ${allowed.join(", ") || "none"}.`,
+            });
+          }
+        }
+
         const result = await ctx.db.project.update({
           where: { id: input.id },
           data: { status: input.status },

packages/api/src/router/vacation-management-procedures.ts

@@ -1,6 +1,7 @@
 import { UpdateVacationStatusSchema } from "@capakraken/shared";
 import { VacationStatus } from "@capakraken/db";
 import { TRPCError } from "@trpc/server";
+import { VACATION_BALANCE_TYPES } from "../lib/vacation-deduction-snapshot.js";
 import { z } from "zod";
 import { findUniqueOrThrow } from "../db/helpers.js";
 import { RESOURCE_BRIEF_SELECT } from "../db/selects.js";
@@ -317,11 +318,26 @@ export const vacationManagementProcedures = {
         });
       }
 
+      const wasApproved = existing.status === VacationStatus.APPROVED;
+      const shouldReverseEntitlement =
+        wasApproved &&
+        VACATION_BALANCE_TYPES.has(existing.type) &&
+        typeof existing.deductedDays === "number" &&
+        existing.deductedDays > 0;
+
       const updated = await ctx.db.vacation.update({
         where: { id: input.id },
         data: { status: VacationStatus.CANCELLED },
       });
 
+      if (shouldReverseEntitlement) {
+        const year = existing.startDate.getFullYear();
+        await ctx.db.vacationEntitlement.updateMany({
+          where: { resourceId: existing.resourceId, year },
+          data: { usedDays: { decrement: existing.deductedDays as number } },
+        });
+      }
+
       emitVacationUpdated({ id: updated.id, resourceId: updated.resourceId, status: updated.status });
 
       void createAuditEntry({