# Changelog

All notable changes to the GoodGo Platform will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Added (CEO Audit Wave 13 — 2026-04-12)

- CEO audit routine (TEC-1915) — full codebase audit + project state review
- Plan document with 7-section report: audit summary, critical issues, priorities, recommendations
- 6 new subtasks created (TEC-1918 through TEC-1923) for Wave 13
- Updated PROJECT_TRACKER with Wave 13 tracking section

### QA Results (2026-04-12)

- Lint: PASS (0 errors)
- TypeScript: 7 errors in web test files (vitest types missing) — TEC-1918
- Unit Tests: 232 files, 1454 tests, ALL PASS
- Build: ALL 3 packages build successfully
- Git: Clean working tree

### Added

- CEO full audit & implementation plan (TEC-1882) — 8-part report covering architecture, quality, security
- 7 new subtasks created (TEC-1888 through TEC-1894) for Wave 11D-13
- Updated PROJECT_TRACKER with Waves 11D-13 subtask tracking
- Updated QA_TRACKER with 2026-04-11 test report (27 failing tests identified)
- Comprehensive audit reports: AUDIT_SUMMARY, COMPREHENSIVE_AUDIT, AUDIT_INDEX

### Identified (from CEO Audit 2026-04-11)

- 725 ESLint errors (712 auto-fixable) — TEC-1888
- TypeScript errors in web tests (json-ld.spec.tsx) — TEC-1888
- 27 failing rate limit guard tests — TEC-1889
- 3 incomplete API modules (health, metrics, mcp) — TEC-1890
- MCP servers are stubs (~50 lines each) — TEC-1891
- Only 6 web unit tests (need 50+) — TEC-1892
- No field-level PII encryption — TEC-1893
- No MFA for agent/admin accounts — TEC-1894

### Previously Added

- CEO audit plan document with full improvement & feature matrix (TEC-1682)
- Wave 5 issues: npm vulnerability fixes, test coverage, Saved Searches, Dependabot
- PgBouncer connection pooling for production PostgreSQL
- SEO optimization — JSON-LD, dynamic sitemap, meta tags for listings
- API error codes reference documentation
- Security headers hardening across API and Web apps
- Multi-stage production Dockerfile for NestJS API
- Startup-time validation for JWT secrets (rejects placeholders)
- Per-type file size limits and 413 responses for media uploads
- Rate limiting and auth guard for MCP transport controller
- Async error handling for critical module handlers
- QueryErrorBoundary component with real map coordinates (web)
- GDPR-compliant user data deletion endpoint
- Listing search caching with @Cacheable decorator
- Auth + search i18n translations and filter-bar accessibility

### Fixed

- MCP transport controller now requires JWT authentication (BUG-004 resolved)
- 21 lint errors from GDPR/logger/caching commits
- Replaced `new Logger()` with DI LoggerService across modules
- CI workflow branch targets corrected from main to master
- Lint error and typecheck failures for MVP launch readiness

### Changed

- Split large files during logger refactor

---

## [1.4.0] - 2026-04-08

### Added

- Redis caching for user quota checks with prefix-based cache invalidation
- Domain layer unit tests across all modules (auth, payments, subscriptions, admin, analytics, listings, notifications, reviews, search, metrics)
- Health check endpoints (`/health`, `/health/db`, `/health/redis`) using `@nestjs/terminus`
- Property Valuation UI with AVM (Automated Valuation Model) integration on the web frontend

### Changed

- Improved cache service with prefix-based clearing patterns
- Enhanced analytics query handlers with caching layer

### Fixed

- Lint errors resolved across codebase

---

## [1.3.0] - 2026-03-28

### Added

- Complete notification delivery system with email (Nodemailer + Handlebars), push (Firebase Cloud Messaging), and in-app channels
- Mapbox district heatmap visualization and agent performance dashboard on web frontend
- Reviews module with full CRUD endpoints, CQRS handlers, and 1-5 star rating value objects
- Unit tests for analytics, metrics, notifications, payments, and search modules
- Enhanced geo-search with PostGIS spatial queries and Typesense listing-approved event handlers
- Dedicated `/health` endpoint with timestamp response

### Changed

- Refactored cache service internals and analytics handlers for better reliability

### Fixed

- Missing `AuthState` properties in web frontend test mocks
- E2E workflow improvements: Prisma generate step, browser cache, trace artifacts

---

## [1.2.0] - 2026-03-20

### Added

- React Query integration for data fetching with error retry UX
- Dark mode toggle for web frontend
- Redis caching layer for search and analytics hot paths
- Vietnamese NLP pipeline (Underthesea) for property description analysis in AI services
- Prometheus `MetricsService`, `HttpMetricsInterceptor`, and custom metric constants
- Agent Profile, KYC verification, Subscription, and Payment dashboard pages on web frontend
- Unit tests for MCP servers (property search, market analytics, valuation)
- Unit tests for web frontend validations and utility functions

### Fixed

- Removed MinIO hardcoded credentials; added presigned URL support for media uploads
- JWT secret enforcement in all environments (not just production)
- Added missing `Review.userId` index for FK query performance

---

## [1.1.0] - 2026-03-12

### Added

- Listing duplicate detection service to prevent redundant property submissions
- Subscription quota enforcement with per-plan feature limits and usage metering
- Google and Zalo OAuth backend strategies for social login
- 58 unit tests covering critical auth, payment, and subscription paths
- Loading skeletons, error boundaries, and accessibility improvements on web frontend
- Sentry error tracking integration for both API and web apps

### Fixed

- Hardened production Docker deployment configuration for all services

---

## [1.0.0] - 2026-03-01

### Added

#### Authentication & Security

- User registration and login with phone number and password
- JWT access tokens (15-minute expiry) with refresh token rotation (7-day expiry)
- Token family-based rotation detection to prevent replay attacks
- OAuth social login support (Google, Zalo)
- KYC (Know Your Customer) verification workflow (NONE -> PENDING -> VERIFIED/REJECTED)
- Role-based access control with `@Roles()` decorator (USER, AGENT, ADMIN)
- Rate limiting: 60 req/min default, 10 req/min auth, 20 req/min payment callbacks
- `ThrottlerBehindProxyGuard` for X-Forwarded-For-aware IP tracking
- Helmet security headers, CORS configuration
- Input validation (class-validator) and content sanitization (sanitize-html)
- CSRF protection with double-submit cookie pattern
- PII masking in structured logs (Pino)
- Bcrypt password hashing

#### Property Listings

- Full CRUD for property listings with status state machine (DRAFT -> PENDING_REVIEW -> ACTIVE -> RESERVED -> SOLD/RENTED)
- Media upload support (S3/MinIO) with file validation
- AI-assisted moderation scoring via Claude API
- Admin moderation queue with bulk approve/reject
- Quota-gated listing creation tied to subscription plans

#### Search & Discovery

- Full-text property search via Typesense with Vietnamese language support
- Geo-spatial search using PostGIS (lat/long + radius queries)
- Faceted filtering by price, property type, bedrooms, district
- Event-driven search index updates (listing approved/updated/sold -> re-index)
- Prefix-based cache invalidation for search results

#### Payments

- Payment processing with VNPay, MoMo, and ZaloPay provider integration
- Idempotent webhook callback handling with signature verification
- Payment refund support
- Atomic status transitions (PENDING -> COMPLETED/FAILED)
- Event emission on payment completion/failure for downstream processing

#### Subscriptions & Billing

- Subscription plans with tiered feature flags (JSON columns)
- Usage metering and quota enforcement (Redis-backed)
- Plan upgrades and cancellations
- Billing history tracking
- Event-driven usage tracking (`listing.created` -> meter usage)

#### Admin Panel

- Dashboard with system-wide statistics
- User management (list, view, ban/unban)
- KYC approval queue with approve/reject actions
- Listing moderation queue with bulk moderation
- Revenue statistics and analytics
- Subscription adjustment for individual users

#### Analytics & Market Data

- District-level market reports with PostGIS spatial aggregation
- Price trend analysis by property type and district
- District heatmap data (geo aggregates)
- Market index tracking and updates
- Cache-based report delivery

#### Notifications

- Multi-channel notification delivery: EMAIL, SMS, PUSH (FCM), IN_APP
- 8 event-driven listeners: welcome email, KYC approval, listing approval/rejection, payment confirmation/failure, subscription expiry, quota exceeded
- Handlebars email templates with Vietnamese localization
- User notification preferences (opt-out per channel/type)

#### Reviews

- Property and agent reviews with 1-5 star ratings
- Review CRUD with target polymorphism (agent or property)
- Average rating calculation per target

#### MCP (Model Context Protocol) Servers

- Property Search Server: `search_properties`, `compare_properties`, `get_property_details`
- Market Analytics Server: `get_market_report`, `analyze_trends`, `get_price_indices`
- Valuation Server: `estimate_valuation`, `extract_features`, `compare_valuations` (XGBoost via FastAPI)
- HTTP transport controller with `McpRegistryService`

#### AI Services

- FastAPI microservice with XGBoost property valuation model
- Claude API-powered content moderation for listing descriptions
- Vietnamese NLP preprocessing with Underthesea

#### Infrastructure

- PostgreSQL 16 with PostGIS extension (22 models, spatial indexes)
- Redis caching layer for search, analytics, quota, and session data
- Typesense search engine with Vietnamese language support
- Prometheus metrics endpoint with HTTP request duration histograms and error rate counters
- Grafana dashboards auto-provisioned from `monitoring/` directory
- Pino structured JSON logging with correlation IDs
- Prisma ORM with migration system and seed data (Ho Chi Minh City districts/wards, sample properties, subscription plans)

#### Frontend (Next.js 14)

- App Router with Tailwind CSS and Zustand state management
- Property search page with Mapbox GL map integration
- Listing detail pages with media gallery
- Agent dashboard with KYC, subscription, and payment management
- District heatmap visualization
- Property valuation UI with AVM integration
- Dark mode toggle
- Loading skeletons and error boundaries
- Vietnamese UI text throughout (property types, districts, currency in VND)

#### Developer Experience

- Monorepo with pnpm workspaces and Turborepo
- ESLint with import ordering rules
- Prettier code formatting
- Husky git hooks
- E2E tests with Playwright (14 web test files)
- GitHub Actions CI pipeline (lint -> typecheck -> test -> build)

### Security

- httpOnly cookie-based token storage with CSRF hardening
- Idempotency keys on payment flows with amount validation
- Magic byte file validation for media uploads
- Admin audit logging
- JWT audience/issuer validation
- Production environment variable validation
- Sanitized `.env.example` (no leaked secrets)
- Graceful shutdown hooks for clean process termination

[Unreleased]: https://github.com/goodgo/platform-ai/compare/v1.4.0...HEAD
[1.4.0]: https://github.com/goodgo/platform-ai/compare/v1.3.0...v1.4.0
[1.3.0]: https://github.com/goodgo/platform-ai/compare/v1.2.0...v1.3.0
[1.2.0]: https://github.com/goodgo/platform-ai/compare/v1.1.0...v1.2.0
[1.1.0]: https://github.com/goodgo/platform-ai/compare/v1.0.0...v1.1.0
[1.0.0]: https://github.com/goodgo/platform-ai/releases/tag/v1.0.0