# ColaFlow Days 7-10 Roadmap **Date**: 2025-11-03 **Prepared By**: Product Manager Agent **Sprint**: M1 Sprint 2 - Enterprise-Grade Multi-Tenancy & SSO **Status**: Planning Complete --- ## Overview This roadmap outlines Days 7-10 of the 10-day sprint, building on the foundation established in Days 1-6 (Authentication, RBAC, Role Management). **Strategic Goal**: Complete M1.1 core features and prepare for M2 MCP integration. --- ## Day 7: Email Service + Verification + Password Reset **Duration**: 8 hours **Priority**: P1 (High - Security and UX) **Dependencies**: None (independent feature) ### Objectives 1. Integrate email service (SendGrid or SMTP) 2. Implement email verification flow 3. Implement password reset flow 4. Create email templates 5. Add rate limiting for security ### Deliverables **Backend**: - Email service abstraction (`IEmailService`) - SendGrid implementation (primary) - SMTP fallback implementation - Email verification tokens (24-hour expiration) - Password reset tokens (1-hour expiration) - Rate limiting (max 5 verification emails/hour, max 3 reset emails/hour) **API Endpoints**: 1. `POST /api/auth/verify-email` - Verify email with token 2. `POST /api/auth/resend-verification` - Resend verification email 3. `POST /api/auth/forgot-password` - Request password reset 4. `POST /api/auth/reset-password` - Reset password with token **Database**: - Add `email_verified` column to `identity.users` - Add `email_verified_at` column - Create `email_verification_tokens` table - Create `password_reset_tokens` table **Email Templates**: - Welcome + verification email - Password reset email - Password changed confirmation email **Tests**: - 20+ integration tests - Email delivery verification (use test inbox) - Token expiration tests - Rate limiting tests ### Success Criteria - ✅ Emails sent successfully (99% delivery rate) - ✅ Verification flow completes in < 30 seconds - ✅ Password reset flow completes in < 30 seconds - ✅ Rate limiting prevents abuse - ✅ 100% test coverage --- ## Day 8: Project-Level Roles + Audit Logging **Duration**: 8 hours **Priority**: P0 (Critical - Required for M1 Projects module) **Dependencies**: Day 6 (Role Management API) ### Objectives 1. Design and implement project-level role system 2. Implement role inheritance logic 3. Create authorization policies for project operations 4. Implement comprehensive audit logging 5. Prepare for M1.1 Projects CRUD ### Deliverables **Domain Layer**: - `ProjectRole` enum (ProjectOwner, ProjectManager, ProjectMember, ProjectGuest) - `UserProjectRole` entity - `IUserProjectRoleRepository` interface - Role inheritance rules: - TenantOwner → ProjectOwner (all projects) - TenantAdmin → ProjectManager (all projects) - Project-specific roles override tenant defaults **Database**: ```sql CREATE TABLE projects.user_project_roles ( id UUID PRIMARY KEY, user_id UUID NOT NULL, project_id UUID NOT NULL, role VARCHAR(50) NOT NULL, assigned_at TIMESTAMP NOT NULL, assigned_by_user_id UUID NULL, UNIQUE(user_id, project_id) ); ``` **Authorization Policies**: - `RequireProjectOwner` - Full control over project - `RequireProjectManager` - Manage tasks and team - `RequireProjectMember` - Create and update tasks - `RequireProjectAccess` - Read-only access **Audit Logging**: ```sql CREATE TABLE audit.audit_logs ( id UUID PRIMARY KEY, tenant_id UUID NOT NULL, user_id UUID NOT NULL, action VARCHAR(100) NOT NULL, entity_type VARCHAR(50) NOT NULL, entity_id UUID NULL, old_value JSONB NULL, new_value JSONB NULL, ip_address VARCHAR(50) NULL, user_agent VARCHAR(500) NULL, timestamp TIMESTAMP NOT NULL DEFAULT NOW() ); ``` **API Endpoints**: 1. `POST /api/projects/{projectId}/members` - Add member to project 2. `PUT /api/projects/{projectId}/members/{userId}/role` - Update member role 3. `DELETE /api/projects/{projectId}/members/{userId}` - Remove member 4. `GET /api/projects/{projectId}/members` - List project members 5. `GET /api/audit/logs` - Query audit logs (TenantOwner only) **Tests**: - 25+ integration tests - Role inheritance tests - Authorization policy tests - Audit log verification ### Success Criteria - ✅ Role inheritance works correctly - ✅ All API operations logged - ✅ Authorization policies enforce project-level permissions - ✅ 100% test coverage --- ## Day 9: M1 Core Projects Module - Multi-Tenant Update **Duration**: 8 hours **Priority**: P0 (Critical - M1.1 core feature) **Dependencies**: Day 8 (Project-level roles) ### Objectives 1. Update existing Projects module for multi-tenancy 2. Add project-level authorization 3. Integrate project roles 4. Complete Epics, Stories, Tasks multi-tenant update 5. Test full workflow (register → create project → manage tasks) ### Deliverables **Database Migration**: - Add `tenant_id` column to `projects.projects` - Add `tenant_id` column to `projects.epics` - Add `tenant_id` column to `projects.stories` - Add `tenant_id` column to `projects.tasks` - Update foreign keys - Add EF Core global query filters **Application Layer Updates**: - Update all commands to include tenant context - Add project role validation - Update queries to filter by tenant **API Updates**: - Protect all endpoints with project-level authorization - Example: `[Authorize(Policy = "RequireProjectMember")]` - Add tenant validation middleware **Tests**: - 30+ integration tests - Cross-tenant isolation tests - Project role authorization tests - Full workflow tests (E2E) ### Success Criteria - ✅ All Projects/Epics/Stories/Tasks isolated by tenant - ✅ Project-level authorization works - ✅ No cross-tenant data leakage - ✅ 100% test coverage - ✅ Full E2E workflow passes --- ## Day 10: Kanban Workflow + Sprint Management **Duration**: 8 hours **Priority**: P1 (High - M1.1 core feature) **Dependencies**: Day 9 (Projects module updated) ### Objectives 1. Implement Sprint management 2. Enhance Kanban board with sprint support 3. Add sprint burndown chart data 4. Implement sprint velocity tracking 5. Complete M1.1 core features ### Deliverables **Domain Layer**: - `Sprint` entity - `SprintId` value object - Sprint status (Planning, Active, Completed) - Sprint business rules (start/end dates, task capacity) **Database**: ```sql CREATE TABLE projects.sprints ( id UUID PRIMARY KEY, project_id UUID NOT NULL, tenant_id UUID NOT NULL, name VARCHAR(100) NOT NULL, goal TEXT NULL, start_date DATE NOT NULL, end_date DATE NOT NULL, status VARCHAR(20) NOT NULL, created_at TIMESTAMP NOT NULL, FOREIGN KEY (project_id) REFERENCES projects.projects(id) ); ALTER TABLE projects.tasks ADD COLUMN sprint_id UUID NULL, ADD CONSTRAINT fk_tasks_sprints FOREIGN KEY (sprint_id) REFERENCES projects.sprints(id); ``` **API Endpoints**: 1. `POST /api/projects/{projectId}/sprints` - Create sprint 2. `PUT /api/projects/{projectId}/sprints/{sprintId}` - Update sprint 3. `DELETE /api/projects/{projectId}/sprints/{sprintId}` - Delete sprint 4. `POST /api/projects/{projectId}/sprints/{sprintId}/start` - Start sprint 5. `POST /api/projects/{projectId}/sprints/{sprintId}/complete` - Complete sprint 6. `GET /api/projects/{projectId}/sprints` - List sprints 7. `GET /api/projects/{projectId}/sprints/{sprintId}/burndown` - Burndown data 8. `POST /api/projects/{projectId}/tasks/{taskId}/assign-to-sprint` - Add task to sprint **Analytics**: - Sprint burndown chart data (remaining story points per day) - Sprint velocity (completed story points per sprint) - Sprint completion percentage - Team capacity utilization **Tests**: - 20+ integration tests - Sprint workflow tests - Burndown calculation tests - Velocity tracking tests ### Success Criteria - ✅ Full sprint lifecycle works (create → start → complete) - ✅ Tasks can be assigned to sprints - ✅ Burndown chart data accurate - ✅ Velocity tracking functional - ✅ 100% test coverage - ✅ **M1.1 COMPLETE** --- ## Summary Timeline | Day | Feature | Priority | Hours | Dependencies | Risk | |-----|---------|----------|-------|--------------|------| | **6** | Role Management API | P0 | 6-8 | Day 5 RBAC | LOW | | **7** | Email Service + Verification + Password Reset | P1 | 8 | None | MEDIUM | | **8** | Project-Level Roles + Audit Logging | P0 | 8 | Day 6 | MEDIUM | | **9** | Projects Multi-Tenant Update | P0 | 8 | Day 8 | MEDIUM | | **10** | Kanban Workflow + Sprint Management | P1 | 8 | Day 9 | LOW | **Total Days**: 5 days (Days 6-10) **Total Hours**: 38-40 hours **Critical Path**: Day 6 → Day 8 → Day 9 → Day 10 --- ## Milestone Completion Status ### M1.1 - Core Project Module (Days 1-10) **Progress**: 83% → 100% (after Day 10) **Completed** (Days 1-5): - ✅ Domain layer (Projects, Epics, Stories, Tasks) - ✅ Infrastructure layer (EF Core, PostgreSQL) - ✅ Application layer (CQRS commands/queries) - ✅ API layer (RESTful endpoints) - ✅ Unit tests (96.98% coverage) - ✅ JWT authentication - ✅ Refresh token mechanism - ✅ RBAC system (5 tenant roles) **Remaining** (Days 6-10): - [ ] Role Management API (Day 6) - [ ] Email verification (Day 7) - [ ] Project-level roles (Day 8) - [ ] Multi-tenant Projects update (Day 9) - [ ] Sprint management (Day 10) **After Day 10**: - ✅ M1.1 **100% COMPLETE** - ✅ Ready for M1.2 (SSO Integration) - ✅ Ready for M2 (MCP Server) --- ## Days 11-12: M2 MCP Server Foundation (Optional Extension) **Duration**: 16 hours (2 days) **Priority**: P0 (Critical for M2 milestone) **Dependencies**: Days 6-10 complete ### Objectives 1. Design MCP authentication architecture 2. Implement MCP token generation 3. Create preview and approval workflow 4. Implement basic MCP resources 5. Implement basic MCP tools ### High-Level Deliverables **MCP Authentication**: - MCP token format: `mcp__` - Token scopes: read, create, update, delete, execute - Token expiration: 90 days (configurable) - Token revocation **Database**: ```sql CREATE TABLE identity.mcp_tokens ( id UUID PRIMARY KEY, tenant_id UUID NOT NULL, token_hash VARCHAR(500) NOT NULL UNIQUE, name VARCHAR(100) NOT NULL, scopes JSONB NOT NULL, expires_at TIMESTAMP NOT NULL, created_by_user_id UUID NOT NULL, created_at TIMESTAMP NOT NULL, last_used_at TIMESTAMP NULL ); ``` **Preview System**: ```sql CREATE TABLE mcp.previews ( id UUID PRIMARY KEY, tenant_id UUID NOT NULL, mcp_token_id UUID NOT NULL, operation VARCHAR(100) NOT NULL, entity_type VARCHAR(50) NOT NULL, entity_id UUID NULL, diff JSONB NOT NULL, status VARCHAR(20) NOT NULL, -- Pending, Approved, Rejected created_at TIMESTAMP NOT NULL, reviewed_by_user_id UUID NULL, reviewed_at TIMESTAMP NULL ); ``` **MCP Resources** (Read-only): - `projects.search` - Search projects - `projects.get` - Get project details - `tasks.list` - List tasks - `tasks.get` - Get task details - `reports.daily` - Daily progress report **MCP Tools** (Write with preview): - `create_task` - Create task (requires approval) - `update_task_status` - Update task status (requires approval) - `add_comment` - Add comment to task (auto-approved) - `assign_task` - Assign task to user (requires approval) **API Endpoints**: 1. `POST /api/mcp/tokens` - Generate MCP token 2. `GET /api/mcp/tokens` - List tokens 3. `DELETE /api/mcp/tokens/{tokenId}` - Revoke token 4. `POST /api/mcp/preview` - Create preview for approval 5. `POST /api/mcp/preview/{previewId}/approve` - Approve preview 6. `POST /api/mcp/preview/{previewId}/reject` - Reject preview 7. `GET /api/mcp/resources/{resourceId}` - MCP resource endpoint 8. `POST /api/mcp/tools/{toolName}` - MCP tool endpoint **Tests**: - 40+ integration tests - MCP authentication tests - Preview workflow tests - Resource access tests - Tool execution tests ### Success Criteria - ✅ MCP tokens generated and validated - ✅ Preview workflow works (create → approve/reject → execute) - ✅ All MCP resources accessible - ✅ All MCP tools functional - ✅ 100% test coverage - ✅ **M2.1 Foundation COMPLETE** --- ## Risk Management ### High-Risk Items | Risk | Impact | Probability | Mitigation | |------|--------|-------------|------------| | Day 8 complexity (project roles) | HIGH | MEDIUM | Start simple, iterate later | | Email service delays (Day 7) | MEDIUM | MEDIUM | Use SMTP fallback | | Scope creep (Days 11-12) | HIGH | HIGH | Strictly time-box, defer to Sprint 3 | | Cross-tenant bugs (Day 9) | HIGH | LOW | Comprehensive integration tests | ### Mitigation Strategies 1. **Daily check-ins**: Review progress at end of each day 2. **Time-boxing**: Strictly limit each day to 8 hours 3. **Test-first approach**: Write tests before implementation 4. **Code reviews**: Backend agent reviews all code 5. **Incremental delivery**: Deploy after each day --- ## Success Metrics ### Sprint Success Criteria (Days 6-10) - ✅ All deliverables completed on time - ✅ Zero critical bugs in production - ✅ 100% test coverage maintained - ✅ M1.1 milestone 100% complete - ✅ Ready for M2 MCP integration ### Quality Metrics - **Test Coverage**: ≥ 85% (current: 96.98%) - **API Response Time**: < 200ms (p95) - **Bug Density**: ≤ 0.5 bugs per feature - **Code Quality**: No SonarQube violations - **Documentation**: 100% API endpoints documented ### Business Metrics - **Feature Completion Rate**: 100% (no deferred features) - **Development Velocity**: 5 features in 5 days - **Time to Market**: M1.1 completed in 10 days (on schedule) - **Customer Value**: Complete authentication + authorization + role management --- ## Recommendations ### Immediate Actions (Day 6) 1. ✅ Approve Day 6 planning document 2. ✅ Assign Role Management API to backend agent 3. ✅ Begin implementation (6-8 hours) 4. ✅ Deploy to development environment ### Medium-Term Actions (Days 7-10) 1. Review and approve each day's plan before starting 2. Daily progress check-ins 3. Continuous integration testing 4. Code reviews after each feature ### Long-Term Actions (M2) 1. Plan M2 MCP integration (16-hour sprint) 2. Design AI agent interaction patterns 3. Implement preview and approval workflow 4. Test ChatGPT/Claude integration --- ## Alternative Scenarios ### Scenario 1: Days 11-12 Deferred **If** scope exceeds 10 days: - **Action**: Defer MCP foundation to Sprint 3 - **Impact**: Delays M2 milestone by 1-2 weeks - **Mitigation**: Focus on M1.1 completion first ### Scenario 2: Email Service Issues (Day 7) **If** SendGrid integration fails: - **Action**: Use SMTP fallback (Gmail or local SMTP) - **Impact**: Slower email delivery, no analytics - **Mitigation**: Implement SendGrid in Sprint 3 ### Scenario 3: Project Roles Too Complex (Day 8) **If** role inheritance exceeds 8 hours: - **Action**: Simplify to basic project roles (no inheritance) - **Impact**: TenantOwner must be explicitly added to projects - **Mitigation**: Add inheritance in Sprint 3 --- ## Conclusion **Days 7-10 Roadmap**: Comprehensive plan to complete M1.1 milestone **Key Milestones**: - Day 7: Email infrastructure - Day 8: Project-level authorization - Day 9: Multi-tenant Projects - Day 10: Sprint management - **M1.1 100% COMPLETE** **Next Sprint** (M1.2 - Optional): - Days 11-12: MCP Server foundation - M2 milestone kickoff **Strategic Value**: - Complete authentication/authorization stack - Enable multi-tenant SaaS operations - Prepare for AI/MCP integration - Deliver enterprise-grade features --- **Document Status**: ✅ Planning Complete - Ready for Execution **Prepared By**: Product Manager Agent **Date**: 2025-11-03 **Version**: 1.0