From a53c1f016f7715f8f027cef0d4eebf6d64ac7c1e Mon Sep 17 00:00:00 2001 From: Ho Ngoc Hai Date: Wed, 8 Apr 2026 04:03:01 +0700 Subject: [PATCH] docs: add Phase 4-5 production hardening and quality polish roadmap Comprehensive audit identified 24 improvements across security, performance, testing, frontend, and infrastructure. Created 12 Paperclip issues (TEC-1449 through TEC-1461) covering critical JWT fix, deployment pipeline, HMAC timing, test coverage gaps, and documentation. Co-Authored-By: Paperclip --- IMPLEMENTATION_PLAN.md | 67 +++++++++++++++++++++++++++++++++++++----- PROJECT_TRACKER.md | 40 ++++++++++++++++++++----- 2 files changed, 92 insertions(+), 15 deletions(-) diff --git a/IMPLEMENTATION_PLAN.md b/IMPLEMENTATION_PLAN.md index 79a011c..0d51d28 100644 --- a/IMPLEMENTATION_PLAN.md +++ b/IMPLEMENTATION_PLAN.md @@ -1,6 +1,6 @@ # GoodGo Platform AI — Implementation Plan -**Last Updated:** 2026-04-07 +**Last Updated:** 2026-04-08 --- 
@@ -94,13 +94,66 @@ C5 + A2 ──→ A3 (MCP Servers) | TEC-1432 (M4) | C1, C3 | | TEC-1433 (X4) | Phase 1 | +### Milestone 5: Production Hardening (Phase 4) + +**Goal:** Fix all critical security issues. Establish production deployment capability. + +**Execution Order:** + +1. **[TEC-1449] JWT Secret Fix** + **[TEC-1451] HMAC Timing Fix** + **[TEC-1452] MinIO Fix** + **[TEC-1453] CSRF** (parallel — no deps between them) +2. **[TEC-1455] DB Index** (independent — can run parallel with above) +3. **[TEC-1450] Deployment Pipeline** (after security fixes verified) +4. **[TEC-1457] Backups + Logs** (after deployment infra exists) +5. **[TEC-1456] Test Coverage** (parallel — independent of infra) + +``` +TEC-1449 (JWT) ──────┐ +TEC-1451 (HMAC) ─────┤ +TEC-1452 (MinIO) ────┼──→ TEC-1450 (Deploy Pipeline) ──→ TEC-1457 (Backups + Logs) +TEC-1453 (CSRF) ─────┘ +TEC-1455 (DB Index) ──────────────────────────────────(independent) +TEC-1456 (Tests) ─────────────────────────────────────(independent) +``` + +### Milestone 6: Quality & Polish (Phase 5) + +**Goal:** Production-quality UX, documentation, and performance. 
+ +``` +Phase 4 done ──→ TEC-1458 (Redis Caching) + TEC-1459 (Frontend Polish) (parallel) + TEC-1460 (OpenAPI/Swagger) (parallel) + TEC-1461 (Documentation) (parallel) +``` + +--- + +## Dependency Map (Phase 4-5) + +| Task | Depends On | +| --------------- | ----------------- | +| TEC-1449 | None | +| TEC-1450 | TEC-1449 (security first) | +| TEC-1451 | None | +| TEC-1452 | None | +| TEC-1453 | None | +| TEC-1455 | None | +| TEC-1456 | None | +| TEC-1457 | TEC-1450 | +| TEC-1458 | Phase 4 | +| TEC-1459 | None | +| TEC-1460 | None | +| TEC-1461 | None | + --- ## Rollout Notes -- **Phase 0 tasks F1 và F2 có thể chạy song song** — không có dependency lẫn nhau -- **F3 (Prisma) cần cả F1 và F2** — monorepo structure + running PostgreSQL -- **Phase 1 bắt đầu ngay khi Phase 0 core done** (F1, F2, F3, F4) -- **Phase 2 issues ở backlog** — activate khi Phase 1 Auth + Listings done -- **Phase 3 chưa tạo issues** — sẽ tạo khi Phase 2 gần hoàn thành -- **Critical path:** F1 → F3 → C1 → C3 → C5 → C6 (longest dependency chain) +- **Phase 0-3 complete** — 23/23 tasks done +- **Phase 4 is immediate priority** — security fixes must land before any production deployment +- **TEC-1449 (JWT) is the single most critical fix** — blocks production deployment +- **Security tasks (TEC-1449, 1451, 1452, 1453) can all run in parallel** — assign to Security Engineer + Senior Backend +- **TEC-1450 (Deployment Pipeline) should start after security fixes** — no point deploying insecure code +- **TEC-1456 (Tests) and TEC-1455 (DB Index) are independent** — can run anytime +- **Phase 5 tasks are all independent** — can run fully in parallel once Phase 4 is done +- **Critical path:** TEC-1449 → TEC-1450 → TEC-1457 (security → deploy → observability) diff --git a/PROJECT_TRACKER.md b/PROJECT_TRACKER.md index 4ac2816..5fa4276 100644 --- a/PROJECT_TRACKER.md +++ b/PROJECT_TRACKER.md 
@@ -2,7 +2,7 @@ **Last Updated:** 2026-04-08 **Project:** Goodgo Platform AI -**Status:** All Phases Complete (0-3) — Polish & Production Readiness +**Status:** Phases 0-3 Complete — Phase 4 (Production Hardening) In Progress --- 
@@ -49,14 +49,38 @@ | — | MCP Server Integration (Property Search, Analytics, Valuation) | Medium | done | cb00b12 | | — | Performance Monitoring (Prometheus + Grafana) | Low | done | d99dfba | +## Phase 4: Production Hardening (P0/P1 — Security + Infrastructure) + +| Issue | Title | Priority | Status | Assignee | +| -------------------------------- | ------------------------------------------------------------ | -------- | ------ | --------------------- | +| [TEC-1449](/TEC/issues/TEC-1449) | Fix JWT hardcoded fallback secret | Critical | todo | Security Engineer | +| [TEC-1450](/TEC/issues/TEC-1450) | Create production deployment pipeline — Dockerfiles + CI/CD | Critical | todo | DevOps Engineer | +| [TEC-1451](/TEC/issues/TEC-1451) | Fix timing-unsafe HMAC in payment verification | High | todo | Security Engineer | +| [TEC-1452](/TEC/issues/TEC-1452) | Fix MinIO hardcoded credentials and unsigned PUT | High | todo | Senior Backend Eng | +| [TEC-1453](/TEC/issues/TEC-1453) | Add CSRF protection middleware | High | todo | Security Engineer | +| [TEC-1455](/TEC/issues/TEC-1455) | Add missing DB index on Listing.sellerId | High | todo | Database Architect | +| [TEC-1456](/TEC/issues/TEC-1456) | Add unit tests for Analytics, Search, Notifications | High | todo | QA Engineer | +| [TEC-1457](/TEC/issues/TEC-1457) | Set up database backup strategy and log aggregation | High | todo | SRE Engineer | + +## Phase 5: Quality & Polish (P2 — UX, Docs, Performance) + +| Issue | Title | Priority | Status | Assignee | +| -------------------------------- | ------------------------------------------------------------ | -------- | ------ | --------------------- | +| [TEC-1458](/TEC/issues/TEC-1458) | Implement Redis caching layer for hot queries | Medium | todo | Senior Backend Eng | +| [TEC-1459](/TEC/issues/TEC-1459) | Add error boundaries, 404 page, loading states, SEO metadata | Medium | todo | Senior Frontend Eng | +| [TEC-1460](/TEC/issues/TEC-1460) | Add OpenAPI/Swagger 
documentation for API | Medium | todo | API Architect | +| [TEC-1461](/TEC/issues/TEC-1461) | Create README.md and deployment documentation | Medium | todo | Technical Writer | + --- ## Summary -| Phase | Total | Done | In Progress | Todo | -| --------- | ------ | ----- | ----------- | ---- | -| Phase 0 | 6 | 6 | 0 | 0 | -| Phase 1 | 8 | 8 | 0 | 0 | -| Phase 2 | 5 | 5 | 0 | 0 | -| Phase 3 | 4 | 4 | 0 | 0 | -| **Total** | **23** | **23**| **0** | **0**| +| Phase | Total | Done | In Progress | Todo | +| --------- | ------ | ----- | ----------- | ------ | +| Phase 0 | 6 | 6 | 0 | 0 | +| Phase 1 | 8 | 8 | 0 | 0 | +| Phase 2 | 5 | 5 | 0 | 0 | +| Phase 3 | 4 | 4 | 0 | 0 | +| Phase 4 | 8 | 0 | 0 | 8 | +| Phase 5 | 4 | 0 | 0 | 4 | +| **Total** | **35** | **23**| **0** | **12** |
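Review bot: In the `@@ -94,13 +94,66 @@` hunk of IMPLEMENTATION_PLAN.md the new Dependency Map table contradicts the diagram and the Rollout Notes added in the same hunk. The table lists `| TEC-1450 | TEC-1449 (security first) |`, but the ASCII diagram routes all four security fixes (TEC-1449, TEC-1451, TEC-1452, TEC-1453) into TEC-1450, and the execution order says the Deployment Pipeline starts "after security fixes verified". Since the stated rationale is not shipping the timing-unsafe HMAC, hardcoded MinIO credentials or missing CSRF middleware to production, the table row should read `| TEC-1450 | TEC-1449, TEC-1451, TEC-1452, TEC-1453 |` so the dependency is enforced rather than only implied. The same check applies to Phase 5: the Rollout Note says "Phase 5 tasks are all independent — can run fully in parallel once Phase 4 is done" and the diagram hangs TEC-1459, TEC-1460 and TEC-1461 off "Phase 4 done", yet the table gives those three `None`; pick one reading and make the table match.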
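Review bot: In the `@@ -49,14 +49,38 @@` hunk of PROJECT_TRACKER.md the Phase 4 table lists TEC-1449 through TEC-1453 and TEC-1455 through TEC-1457, so TEC-1454 is absent, while the commit message describes the batch as "12 Paperclip issues (TEC-1449 through TEC-1461)", a range that covers 13 identifiers. Either add a row (or a one-line note) for TEC-1454 explaining why it is not part of this roadmap, or state the list explicitly instead of as a range, so readers do not go looking for a missing security task. Separately, the `@@ -2,7 +2,7 @@` hunk sets the project status to "Phase 4 (Production Hardening) In Progress", but every Phase 4 row here is `todo` and the new Summary row is `| Phase 4 | 8 | 0 | 0 | 8 |` with zero in progress; either mark the tasks that have actually started or word the status as "Phase 4 Planned".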