About

Project: Multi-Workspace Project & Task Manager (React web + iOS wrapper later) Owner wants a fast, usable personal app first; then harden for public release. # Phase 0 — Foundations (must-have security baseline) — 20–30h Goals: Set guardrails so later work isn’t thrown away. Scope * Add **Clerk** sign-in (email+link or passkeys). * Introduce **Workspaces** (orgs) even if owner-only. * Database with **Prisma** (or Drizzle): `organizations`, `projects`, `tasks`, `memberships`, `audit_logs`. * Add `org_id` to core tables; **enable Postgres RLS** with a simple `org_id = current_org` policy. * API pattern with **Zod** validation & helpful errors. * Sentry wired (client + serverless) with PII scrubbing. Done When: * Owner can sign in and land in a default workspace. * Schema migrated; `org_id` present on projects/tasks. * RLS ON and verified with a simple test (cross-org read blocked). * Zod errors surface as friendly toasts / messages. * Sentry events visible in dashboard. # Phase 1 — Personal MVP (functionality & UI first) — 60–100h Goals: Fast daily use for the owner; no external users yet. Scope * Projects & Tasks CRUD** with notes, priority, due date, status. * Unified Priority View** across all projects in the workspace. * Filters (due, priority, status), quick search, and **fast add** from anywhere. * Responsive UI** (Tailwind), keyboard shortcuts, mobile-friendly tap targets. * Offline basics**: cache tasks/projects (IndexedDB), optimistic writes, retry queue. * Basic **export** (CSV/JSON). Done means: * Owner can add/edit/complete tasks; latency feels snappy. * Unified view shows items from all projects; filters persist in URL. * Works offline for read + simple edits; syncs on reconnect. * Lighthouse PWA ≥ 90; Core Web Vitals in green on mid-range mobile. * Exports produce correct CSV/JSON. --- # Phase 1.5 — iOS App Shell (Capacitor) — 8–14h Goals: Installable iOS build for personal TestFlight use (no public users yet). Scope * Add **Capacitor**; configure icons/splash. * Build & **Archive to TestFlight** for owner’s device. * Secure token storage** via Keychain plugin. * (Optional) **Deep links** for `app.example.com/task/:id`. Done means * App installs from TestFlight; sessions persist across launches. * Links to `app.example.com/task/…` open the correct in-app screen. --- # Phase 2 — Polish & Power Features (still owner-only) — 30–50h Scope * Batch actions** (multi-select → complete/defer/move). * Saved view presets (Today, Hot, Waiting). * Better empty states, toasts, haptics (via Capacitor when on iOS). * Attachments** (optional) using a simple file picker; upload to your storage bucket. * Improved exports with filters. Done means * Preset views work and can be toggled quickly. * Bulk operations behave correctly and are undoable. * Attachments (if included) upload and render; size/type checked. --- # Phase 3 — Public Hardening (security & multi-user) — 40–70h Scope * RBAC* (owner/admin/member), member invites, and workspace switching. * Rate limitin* on auth & write routes. * **Audit log MVP** (who did what, when), simple viewer. * **Native push** (APNs) for reminders/assignments, with device upsert & server sender. * **Notification preferences** per user/workspace. * **Data exports & deletion** paths; privacy policy scaffolding. * Backup & recovery checklist (Neon PITR confirmed). **Done means** * [ ] New members can be invited with role; permissions enforced in UI & API. * [ ] RLS test suite proves cross-tenant access is blocked. * [ ] Push works; payloads are generic (IDs only). * [ ] Audit entries appear for key actions; rate-limited routes return friendly errors. * [ ] Data export/delete endpoints function; backups tested. --- ### Out of scope (for now, unless added) * SOC 2 or formal compliance, SSO for enterprises, field-level encryption for notes, Android build, complex integrations. ### Working style & deliverables * Milestone demos via Loom (≤5 min) + short PR descriptions. * Code in feature branches with checklists; you (owner) approve before merge. * After each phase, rotate dev credentials and run a brief handoff. ### Acceptance baseline * TypeScript strict mode; ESLint/Prettier clean; unit tests for core reducers/hooks. * Minimal E2E: sign-in, create/edit/complete task, offline edit → sync. * All env secrets via Netlify/CI; none committed. * Clear README with run/build instructions for web & iOS.