ColaFlow/reports/2025-11-03-Day-7-10-Roadmap.md

ColaFlow Days 7-10 Roadmap

Date: 2025-11-03 Prepared By: Product Manager Agent Sprint: M1 Sprint 2 - Enterprise-Grade Multi-Tenancy & SSO Status: Planning Complete

---

Overview

This roadmap outlines Days 7-10 of the 10-day sprint, building on the foundation established in Days 1-6 (Authentication, RBAC, Role Management).

Strategic Goal: Complete M1.1 core features and prepare for M2 MCP integration.

---

Day 7: Email Service + Verification + Password Reset

Duration: 8 hours Priority: P1 (High - Security and UX) Dependencies: None (independent feature)

Objectives

1. Integrate email service (SendGrid or SMTP)
2. Implement email verification flow
3. Implement password reset flow
4. Create email templates
5. Add rate limiting for security

Deliverables

Backend:

• Email service abstraction (IEmailService)
• SendGrid implementation (primary)
• SMTP fallback implementation
• Email verification tokens (24-hour expiration)
• Password reset tokens (1-hour expiration)
• Rate limiting (max 5 verification emails/hour, max 3 reset emails/hour)

API Endpoints:

1. POST /api/auth/verify-email - Verify email with token
2. POST /api/auth/resend-verification - Resend verification email
3. POST /api/auth/forgot-password - Request password reset
4. POST /api/auth/reset-password - Reset password with token

Database:

• Add email_verified column to identity.users
• Add email_verified_at column
• Create email_verification_tokens table
• Create password_reset_tokens table

Email Templates:

• Welcome + verification email
• Password reset email
• Password changed confirmation email

Tests:

• 20+ integration tests
• Email delivery verification (use test inbox)
• Token expiration tests
• Rate limiting tests

Success Criteria

• ✅ Emails sent successfully (99% delivery rate)
• ✅ Verification flow completes in < 30 seconds
• ✅ Password reset flow completes in < 30 seconds
• ✅ Rate limiting prevents abuse
• ✅ 100% test coverage

---

Day 8: Project-Level Roles + Audit Logging

Duration: 8 hours Priority: P0 (Critical - Required for M1 Projects module) Dependencies: Day 6 (Role Management API)

Objectives

1. Design and implement project-level role system
2. Implement role inheritance logic
3. Create authorization policies for project operations
4. Implement comprehensive audit logging
5. Prepare for M1.1 Projects CRUD

Deliverables

Domain Layer:

• ProjectRole enum (ProjectOwner, ProjectManager, ProjectMember, ProjectGuest)
• UserProjectRole entity
• IUserProjectRoleRepository interface
• Role inheritance rules:
  • TenantOwner → ProjectOwner (all projects)
  • TenantAdmin → ProjectManager (all projects)
  • Project-specific roles override tenant defaults

Database:

CREATE TABLE projects.user_project_roles (
    id UUID PRIMARY KEY,
    user_id UUID NOT NULL,
    project_id UUID NOT NULL,
    role VARCHAR(50) NOT NULL,
    assigned_at TIMESTAMP NOT NULL,
    assigned_by_user_id UUID NULL,
    UNIQUE(user_id, project_id)
);

Authorization Policies:

• RequireProjectOwner - Full control over project
• RequireProjectManager - Manage tasks and team
• RequireProjectMember - Create and update tasks
• RequireProjectAccess - Read-only access

Audit Logging:

CREATE TABLE audit.audit_logs (
    id UUID PRIMARY KEY,
    tenant_id UUID NOT NULL,
    user_id UUID NOT NULL,
    action VARCHAR(100) NOT NULL,
    entity_type VARCHAR(50) NOT NULL,
    entity_id UUID NULL,
    old_value JSONB NULL,
    new_value JSONB NULL,
    ip_address VARCHAR(50) NULL,
    user_agent VARCHAR(500) NULL,
    timestamp TIMESTAMP NOT NULL DEFAULT NOW()
);

API Endpoints:

1. POST /api/projects/{projectId}/members - Add member to project
2. PUT /api/projects/{projectId}/members/{userId}/role - Update member role
3. DELETE /api/projects/{projectId}/members/{userId} - Remove member
4. GET /api/projects/{projectId}/members - List project members
5. GET /api/audit/logs - Query audit logs (TenantOwner only)

Tests:

• 25+ integration tests
• Role inheritance tests
• Authorization policy tests
• Audit log verification

Success Criteria

• ✅ Role inheritance works correctly
• ✅ All API operations logged
• ✅ Authorization policies enforce project-level permissions
• ✅ 100% test coverage

---

Day 9: M1 Core Projects Module - Multi-Tenant Update

Duration: 8 hours Priority: P0 (Critical - M1.1 core feature) Dependencies: Day 8 (Project-level roles)

Objectives

1. Update existing Projects module for multi-tenancy
2. Add project-level authorization
3. Integrate project roles
4. Complete Epics, Stories, Tasks multi-tenant update
5. Test full workflow (register → create project → manage tasks)

Deliverables

Database Migration:

• Add tenant_id column to projects.projects
• Add tenant_id column to projects.epics
• Add tenant_id column to projects.stories
• Add tenant_id column to projects.tasks
• Update foreign keys
• Add EF Core global query filters

Application Layer Updates:

• Update all commands to include tenant context
• Add project role validation
• Update queries to filter by tenant

API Updates:

• Protect all endpoints with project-level authorization
• Example: [Authorize(Policy = "RequireProjectMember")]
• Add tenant validation middleware

Tests:

• 30+ integration tests
• Cross-tenant isolation tests
• Project role authorization tests
• Full workflow tests (E2E)

Success Criteria

• ✅ All Projects/Epics/Stories/Tasks isolated by tenant
• ✅ Project-level authorization works
• ✅ No cross-tenant data leakage
• ✅ 100% test coverage
• ✅ Full E2E workflow passes

---

Day 10: Kanban Workflow + Sprint Management

Duration: 8 hours Priority: P1 (High - M1.1 core feature) Dependencies: Day 9 (Projects module updated)

Objectives

1. Implement Sprint management
2. Enhance Kanban board with sprint support
3. Add sprint burndown chart data
4. Implement sprint velocity tracking
5. Complete M1.1 core features

Deliverables

Domain Layer:

• Sprint entity
• SprintId value object
• Sprint status (Planning, Active, Completed)
• Sprint business rules (start/end dates, task capacity)

Database:

CREATE TABLE projects.sprints (
    id UUID PRIMARY KEY,
    project_id UUID NOT NULL,
    tenant_id UUID NOT NULL,
    name VARCHAR(100) NOT NULL,
    goal TEXT NULL,
    start_date DATE NOT NULL,
    end_date DATE NOT NULL,
    status VARCHAR(20) NOT NULL,
    created_at TIMESTAMP NOT NULL,
    FOREIGN KEY (project_id) REFERENCES projects.projects(id)
);

ALTER TABLE projects.tasks
ADD COLUMN sprint_id UUID NULL,
ADD CONSTRAINT fk_tasks_sprints FOREIGN KEY (sprint_id) REFERENCES projects.sprints(id);

API Endpoints:

1. POST /api/projects/{projectId}/sprints - Create sprint
2. PUT /api/projects/{projectId}/sprints/{sprintId} - Update sprint
3. DELETE /api/projects/{projectId}/sprints/{sprintId} - Delete sprint
4. POST /api/projects/{projectId}/sprints/{sprintId}/start - Start sprint
5. POST /api/projects/{projectId}/sprints/{sprintId}/complete - Complete sprint
6. GET /api/projects/{projectId}/sprints - List sprints
7. GET /api/projects/{projectId}/sprints/{sprintId}/burndown - Burndown data
8. POST /api/projects/{projectId}/tasks/{taskId}/assign-to-sprint - Add task to sprint

Analytics:

• Sprint burndown chart data (remaining story points per day)
• Sprint velocity (completed story points per sprint)
• Sprint completion percentage
• Team capacity utilization

Tests:

• 20+ integration tests
• Sprint workflow tests
• Burndown calculation tests
• Velocity tracking tests

Success Criteria

• ✅ Full sprint lifecycle works (create → start → complete)
• ✅ Tasks can be assigned to sprints
• ✅ Burndown chart data accurate
• ✅ Velocity tracking functional
• ✅ 100% test coverage
• ✅ M1.1 COMPLETE

---

Summary Timeline

Day	Feature	Priority	Hours	Dependencies	Risk
6	Role Management API	P0	6-8	Day 5 RBAC	LOW
7	Email Service + Verification + Password Reset	P1	8	None	MEDIUM
8	Project-Level Roles + Audit Logging	P0	8	Day 6	MEDIUM
9	Projects Multi-Tenant Update	P0	8	Day 8	MEDIUM
10	Kanban Workflow + Sprint Management	P1	8	Day 9	LOW

Total Days: 5 days (Days 6-10) Total Hours: 38-40 hours Critical Path: Day 6 → Day 8 → Day 9 → Day 10

---

Milestone Completion Status

M1.1 - Core Project Module (Days 1-10)

Progress: 83% → 100% (after Day 10)

Completed (Days 1-5):

• ✅ Domain layer (Projects, Epics, Stories, Tasks)
• ✅ Infrastructure layer (EF Core, PostgreSQL)
• ✅ Application layer (CQRS commands/queries)
• ✅ API layer (RESTful endpoints)
• ✅ Unit tests (96.98% coverage)
• ✅ JWT authentication
• ✅ Refresh token mechanism
• ✅ RBAC system (5 tenant roles)

Remaining (Days 6-10):

• Role Management API (Day 6)
• Email verification (Day 7)
• Project-level roles (Day 8)
• Multi-tenant Projects update (Day 9)
• Sprint management (Day 10)

After Day 10:

• ✅ M1.1 100% COMPLETE
• ✅ Ready for M1.2 (SSO Integration)
• ✅ Ready for M2 (MCP Server)

---

Days 11-12: M2 MCP Server Foundation (Optional Extension)

Duration: 16 hours (2 days) Priority: P0 (Critical for M2 milestone) Dependencies: Days 6-10 complete

Objectives

1. Design MCP authentication architecture
2. Implement MCP token generation
3. Create preview and approval workflow
4. Implement basic MCP resources
5. Implement basic MCP tools

High-Level Deliverables

MCP Authentication:

• MCP token format: mcp_<tenant_slug>_<random_32_chars>
• Token scopes: read, create, update, delete, execute
• Token expiration: 90 days (configurable)
• Token revocation

Database:

CREATE TABLE identity.mcp_tokens (
    id UUID PRIMARY KEY,
    tenant_id UUID NOT NULL,
    token_hash VARCHAR(500) NOT NULL UNIQUE,
    name VARCHAR(100) NOT NULL,
    scopes JSONB NOT NULL,
    expires_at TIMESTAMP NOT NULL,
    created_by_user_id UUID NOT NULL,
    created_at TIMESTAMP NOT NULL,
    last_used_at TIMESTAMP NULL
);

Preview System:

CREATE TABLE mcp.previews (
    id UUID PRIMARY KEY,
    tenant_id UUID NOT NULL,
    mcp_token_id UUID NOT NULL,
    operation VARCHAR(100) NOT NULL,
    entity_type VARCHAR(50) NOT NULL,
    entity_id UUID NULL,
    diff JSONB NOT NULL,
    status VARCHAR(20) NOT NULL, -- Pending, Approved, Rejected
    created_at TIMESTAMP NOT NULL,
    reviewed_by_user_id UUID NULL,
    reviewed_at TIMESTAMP NULL
);

MCP Resources (Read-only):

• projects.search - Search projects
• projects.get - Get project details
• tasks.list - List tasks
• tasks.get - Get task details
• reports.daily - Daily progress report

MCP Tools (Write with preview):

• create_task - Create task (requires approval)
• update_task_status - Update task status (requires approval)
• add_comment - Add comment to task (auto-approved)
• assign_task - Assign task to user (requires approval)

API Endpoints:

1. POST /api/mcp/tokens - Generate MCP token
2. GET /api/mcp/tokens - List tokens
3. DELETE /api/mcp/tokens/{tokenId} - Revoke token
4. POST /api/mcp/preview - Create preview for approval
5. POST /api/mcp/preview/{previewId}/approve - Approve preview
6. POST /api/mcp/preview/{previewId}/reject - Reject preview
7. GET /api/mcp/resources/{resourceId} - MCP resource endpoint
8. POST /api/mcp/tools/{toolName} - MCP tool endpoint

Tests:

• 40+ integration tests
• MCP authentication tests
• Preview workflow tests
• Resource access tests
• Tool execution tests

Success Criteria

• ✅ MCP tokens generated and validated
• ✅ Preview workflow works (create → approve/reject → execute)
• ✅ All MCP resources accessible
• ✅ All MCP tools functional
• ✅ 100% test coverage
• ✅ M2.1 Foundation COMPLETE

---

Risk Management

High-Risk Items

Risk	Impact	Probability	Mitigation
Day 8 complexity (project roles)	HIGH	MEDIUM	Start simple, iterate later
Email service delays (Day 7)	MEDIUM	MEDIUM	Use SMTP fallback
Scope creep (Days 11-12)	HIGH	HIGH	Strictly time-box, defer to Sprint 3
Cross-tenant bugs (Day 9)	HIGH	LOW	Comprehensive integration tests

Mitigation Strategies

1. Daily check-ins: Review progress at end of each day
2. Time-boxing: Strictly limit each day to 8 hours
3. Test-first approach: Write tests before implementation
4. Code reviews: Backend agent reviews all code
5. Incremental delivery: Deploy after each day

---

Success Metrics

Sprint Success Criteria (Days 6-10)

• ✅ All deliverables completed on time
• ✅ Zero critical bugs in production
• ✅ 100% test coverage maintained
• ✅ M1.1 milestone 100% complete
• ✅ Ready for M2 MCP integration

Quality Metrics

• Test Coverage: ≥ 85% (current: 96.98%)
• API Response Time: < 200ms (p95)
• Bug Density: ≤ 0.5 bugs per feature
• Code Quality: No SonarQube violations
• Documentation: 100% API endpoints documented

Business Metrics

• Feature Completion Rate: 100% (no deferred features)
• Development Velocity: 5 features in 5 days
• Time to Market: M1.1 completed in 10 days (on schedule)
• Customer Value: Complete authentication + authorization + role management

---

Recommendations

Immediate Actions (Day 6)

1. ✅ Approve Day 6 planning document
2. ✅ Assign Role Management API to backend agent
3. ✅ Begin implementation (6-8 hours)
4. ✅ Deploy to development environment

Medium-Term Actions (Days 7-10)

1. Review and approve each day's plan before starting
2. Daily progress check-ins
3. Continuous integration testing
4. Code reviews after each feature

Long-Term Actions (M2)

1. Plan M2 MCP integration (16-hour sprint)
2. Design AI agent interaction patterns
3. Implement preview and approval workflow
4. Test ChatGPT/Claude integration

---

Alternative Scenarios

Scenario 1: Days 11-12 Deferred

If scope exceeds 10 days:

• Action: Defer MCP foundation to Sprint 3
• Impact: Delays M2 milestone by 1-2 weeks
• Mitigation: Focus on M1.1 completion first

Scenario 2: Email Service Issues (Day 7)

If SendGrid integration fails:

• Action: Use SMTP fallback (Gmail or local SMTP)
• Impact: Slower email delivery, no analytics
• Mitigation: Implement SendGrid in Sprint 3

Scenario 3: Project Roles Too Complex (Day 8)

If role inheritance exceeds 8 hours:

• Action: Simplify to basic project roles (no inheritance)
• Impact: TenantOwner must be explicitly added to projects
• Mitigation: Add inheritance in Sprint 3

---

Conclusion

Days 7-10 Roadmap: Comprehensive plan to complete M1.1 milestone

Key Milestones:

• Day 7: Email infrastructure
• Day 8: Project-level authorization
• Day 9: Multi-tenant Projects
• Day 10: Sprint management
• M1.1 100% COMPLETE

Next Sprint (M1.2 - Optional):

• Days 11-12: MCP Server foundation
• M2 milestone kickoff

Strategic Value:

• Complete authentication/authorization stack
• Enable multi-tenant SaaS operations
• Prepare for AI/MCP integration
• Deliver enterprise-grade features

---

Document Status: ✅ Planning Complete - Ready for Execution

Prepared By: Product Manager Agent Date: 2025-11-03 Version: 1.0