docs: add Phase 4-5 production hardening and quality polish roadmap

Comprehensive audit identified 24 improvements across security,
performance, testing, frontend, and infrastructure. Created 12
Paperclip issues (TEC-1449 through TEC-1461) covering critical
JWT fix, deployment pipeline, HMAC timing, test coverage gaps,
and documentation.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

IMPLEMENTATION_PLAN.md

@@ -1,6 +1,6 @@
 # GoodGo Platform AI — Implementation Plan
 
-**Last Updated:** 2026-04-07
+**Last Updated:** 2026-04-08
 
 ---
 
@@ -94,13 +94,66 @@ C5 + A2 ──→ A3 (MCP Servers)
 | TEC-1432 (M4) | C1, C3     |
 | TEC-1433 (X4) | Phase 1    |
 
+### Milestone 5: Production Hardening (Phase 4)
+
+**Goal:** Fix all critical security issues. Establish production deployment capability.
+
+**Execution Order:**
+
+1. **[TEC-1449] JWT Secret Fix** + **[TEC-1451] HMAC Timing Fix** + **[TEC-1452] MinIO Fix** + **[TEC-1453] CSRF** (parallel — no deps between them)
+2. **[TEC-1455] DB Index** (independent — can run parallel with above)
+3. **[TEC-1450] Deployment Pipeline** (after security fixes verified)
+4. **[TEC-1457] Backups + Logs** (after deployment infra exists)
+5. **[TEC-1456] Test Coverage** (parallel — independent of infra)
+
+```
+TEC-1449 (JWT) ──────┐
+TEC-1451 (HMAC) ─────┤
+TEC-1452 (MinIO) ────┼──→ TEC-1450 (Deploy Pipeline) ──→ TEC-1457 (Backups + Logs)
+TEC-1453 (CSRF) ─────┘
+TEC-1455 (DB Index) ──────────────────────────────────(independent)
+TEC-1456 (Tests) ─────────────────────────────────────(independent)
+```
+
+### Milestone 6: Quality & Polish (Phase 5)
+
+**Goal:** Production-quality UX, documentation, and performance.
+
+```
+Phase 4 done ──→ TEC-1458 (Redis Caching)
+                 TEC-1459 (Frontend Polish)    (parallel)
+                 TEC-1460 (OpenAPI/Swagger)    (parallel)
+                 TEC-1461 (Documentation)      (parallel)
+```
+
+---
+
+## Dependency Map (Phase 4-5)
+
+| Task            | Depends On        |
+| --------------- | ----------------- |
+| TEC-1449        | None              |
+| TEC-1450        | TEC-1449 (security first) |
+| TEC-1451        | None              |
+| TEC-1452        | None              |
+| TEC-1453        | None              |
+| TEC-1455        | None              |
+| TEC-1456        | None              |
+| TEC-1457        | TEC-1450          |
+| TEC-1458        | Phase 4           |
+| TEC-1459        | None              |
+| TEC-1460        | None              |
+| TEC-1461        | None              |
+
 ---
 
 ## Rollout Notes
 
-- **Phase 0 tasks F1 và F2 có thể chạy song song** — không có dependency lẫn nhau
-- **F3 (Prisma) cần cả F1 và F2** — monorepo structure + running PostgreSQL
-- **Phase 1 bắt đầu ngay khi Phase 0 core done** (F1, F2, F3, F4)
-- **Phase 2 issues ở backlog** — activate khi Phase 1 Auth + Listings done
-- **Phase 3 chưa tạo issues** — sẽ tạo khi Phase 2 gần hoàn thành
-- **Critical path:** F1 → F3 → C1 → C3 → C5 → C6 (longest dependency chain)
+- **Phase 0-3 complete** — 23/23 tasks done
+- **Phase 4 is immediate priority** — security fixes must land before any production deployment
+- **TEC-1449 (JWT) is the single most critical fix** — blocks production deployment
+- **Security tasks (TEC-1449, 1451, 1452, 1453) can all run in parallel** — assign to Security Engineer + Senior Backend
+- **TEC-1450 (Deployment Pipeline) should start after security fixes** — no point deploying insecure code
+- **TEC-1456 (Tests) and TEC-1455 (DB Index) are independent** — can run anytime
+- **Phase 5 tasks are all independent** — can run fully in parallel once Phase 4 is done
+- **Critical path:** TEC-1449 → TEC-1450 → TEC-1457 (security → deploy → observability)