EST = my estimate, not measured from tracked data ·
N/A = no data, frontend team has not shared status yet ·
Frontend-readiness runway is measured: 7 / 7 PLAN-011 tasks done.
23
Tasks done
1
In progress
8 EST
Required for R1
3 EST
Blocked external
404
Tests pass
▼ Required for R1, NOT done
ENG-CONTRACT-002Final 1C / BACKEND field-level contract intakeExternalWaiting for Andrey: real payload schema, idempotency, document references
ENG-001IntegrationJob lifecycle (Platform ↔ 1C)BlockedCannot start before ENG-CONTRACT-002 lands
DOCREF-001Document reference read model (official PDFs, doc IDs)BlockedNeeds BACKEND return shape from ENG-CONTRACT-002
NOTIF-001Email / in-app notificationsOps gapNo outbox, no SMTP creds, no template engine
LURSOFT-001Live Lursoft validation (LV registry lookup)ExternalNo live credentials yet; manual fallback works
OPS-001CI/CD, staging environment, secrets managementOps gapManual rsync deploy only; no CI pipeline; secrets in plain .env
ADMIN-001Platform admin / support views (beyond Django admin)Ops gapOnly Django admin exists; no manual-review queue, no support actions
FE-FOUND-001+Entire frontend application?Live API intake confirmed by smoke. Full scope and current % unknown — frontend team has not shared status. N/A
▼ Open risks / gaps in what IS done
CORS not configured. Frontend hits API through Next.js server-side proxy. Direct browser → API will fail until CORS is added.
Single Postgres container, no backups. Test data only — but no backup/restore drill yet.
SECRET_KEY and DB password live in plain .env on the test server. Acceptable for test, not for prod.
No rate limiting on auth endpoints. Brute-force protection is absent.
No structured logging / observability. Gunicorn access log only. No Sentry, no metrics, no traces.
Demo seed wipes data on every run. Anyone running it on a non-test DB loses everything. No safety check.
Legacy /api/... endpoints still exposed. Compatibility bridge. Should be removed before prod.
ENG-CONTRACT-001 is a mock seam. Platform talks to nothing real. All "integration" claims are stubs.
HTTPS / domain on test server depends on manual NPM config. Not reproducible from code.
▼ Done so far (from handoff packet + this week)
IDWhatTests
TEN-001Tenant isolation, active company context—
AUTH-001Session login/logout, CSRF—
AUTH-002JWT access/refresh, server-side rotation—
CMP-001Company membership management—
TEN-002Membership/role/status hardening—
ONB-001Manual company onboarding + profiles—
CAT-001Catalog + supplier card—
REL-001Buyer-supplier relationships—
CART-001Cart + checkout validation gate—
ORD-001Supplier-specific order split + snapshots—
CART-002/ORD-002Checkout UX completion + cancel—
SUP-001Supplier order visibility—
SUP-002Confirm / ship / deliver actions—
ACC-001Buyer acceptance + discrepancy—
API-FACADE-001v1 auth facade—
API-FACADE-002v1 product facade—
API-CONTRACT-001OpenAPI freeze + error envelope—
API-CLIENT-001TypeScript typed client from OpenAPI—
ENG-CONTRACT-001Mock-only Platform↔BACKEND seam (no real I/O)—
DEV-SEED-001Idempotent demo seed for frontend—
TOOL-002Django admin registration for core models—
INFRA (today)Docker deploy to big-buddy, nginx config pending—
SEED-FIX (today)Pending supplier relationship for smoke flow—
Total23 tasks done404 pass
▼ Demo users (test data only)
Role
Email
Company / id
Buyer
demo.buyer.admin@example.com
Demo Buyer SIA — 1
Supplier
demo.supplier.admin@example.com
Demo Supplier Food SIA — 2
Both roles
demo.both.admin@example.com
Demo Both Trade SIA — 4
3-company switcher
demo.context.switcher@example.com
1 + 2 + 4
Password: demo-pass-123 · Wiped and rebuilt on every seed_frontend_demo run · Not pilot data.