Audit & troubleshooting

هذا المحتوى غير متوفر بلغتك بعد.

When permissions don’t work as expected, the answer is usually layered. Run through this list.

”I gave the user `cars:write` but they still can’t edit existing cars”

Inline pencil edits are gated on cars:edit, not cars:write. write means “create new”; edit means “modify existing”. Add cars:edit = true to their role.

”I added a saved view but the user can’t see it”

Per-view ACL is opt-in. Open the view’s config → Bindings tab → toggle Visible on for that user’s role. Save.

Bulk operations on /cars require cars:edit OR cars:delete (since some bulk actions are deletions). Without either, the row-selection checkboxes are also hidden.

”I removed the user from the company but they still see it in their picker”

Hard refresh. The company picker caches across the session. After hard refresh the company list re-fetches.

”Why is 3001 OBE non-zero on my running company?”

You posted a manual opening JE for an account the migration wizard didn’t cover (prepaid rent, fixed assets) and didn’t reclassify the OBE side. Post a manual JE: Dr 3001 OBE / Cr <proper equity destination> or the other way around. See Opening balance equity.

”My trial balance has Dr ≠ Cr by a few cents”

Likely a vault cost-basis ghost from a JE reversal that bypassed the IAS 21 updater (a bug present in early-2026 versions, fixed mid-2026). Check /vaults — look for foreign vaults where homeBalanceAtCost doesn’t match native balance × current spot rate × historical average. A one-time reconciliation may be needed; contact support.

”Why did my container’s status not propagate to my cars?”

Cars only advance from shipped → arrived via container propagation. If the car was already purchased (never mapped) or sold_* or cancelled, propagation skips. If the car was in shipped but propagation still didn’t fire, check the container’s event log — look for a .catch() warning indicating a transient failure.

”I can’t void this invoice — it says period is locked”

The invoice is dated in a closed accounting period. Either ask an admin to unlock the period (and re-lock after), OR issue a Credit Note dated in the current open period.

”Drizzle column not found” or “Unknown column ‘X’ in ‘field list’”

A schema migration didn’t apply. On Railway, the pre-deploy hook runs npm run migrate on every deploy from main — so the cause is usually a manual operator action that bypassed the runner. Check npm run migrate:status to see drift; re-run npm run migrate to catch up.

Per-location ACL status

The per-location ACL plan exists at OPEN TASKS/per-location-inventory-acl.md in the cartrade-pro repo. As of late-2026, only canSee is enforced; the other flags (canEdit, canMoveOut, canReceive, canSell) are persisted and visible in the admin matrix but not yet active gates. Roadmap item.

”User can see the page but a sub-section is empty”

Most likely the underlying tRPC query is gated correctly but their custom role doesn’t have read on the inner section. E.g., they have cars:read but the page also queries vaults.list for the cash-strip widget, and they don’t have vaults:read. Add the missing inner section permission.

When to escalate

If you’ve worked through the above and the behavior still doesn’t make sense, capture:

The user’s role’s full permission set (Settings → Roles → click the role → “Copy permissions JSON”).
The exact URL or action they tried.
The error message or screenshot.

…and reach out via the contact form. The platform’s audit log captures every permission denial with timestamp and user — support can trace exactly what gate fired.