# Roadmap Status Audit — SPQ-v2 ## When to maintain this After completing any item in `roadmap_5.2.md` (or any successor roadmap file), **append a dated Master Status Audit section at the bottom of the roadmap file itself**. Ray explicitly asked for this so the next agent can boot up in seconds instead of re-running `search_files`/`read_file` across the whole repo to figure out what's done. ## What it contains A per-item ✅ / ⚠️ / ❌ / ❓ table for every phase, with **file:line evidence** of the actual current codebase state — not what was planned. Status values: - ✅ DONE — complete and verified (cite the file/test that proves it) - ⚠️ PARTIAL — part done (say which part), part blocked (say why, usually `> APPROVAL REQUIRED`) - ❌ NOT DONE — unstarted; note if approval-gated - ❓ UNKNOWN — server-side / host-level, not verifiable from the repo ## Format (copy this skeleton) ```markdown ## Master Status Audit — YYYY-MM-DD > Compiled by an audit pass so the next agent does not burn time re-checking each item. > Each line records what is actually in the codebase today (verified by search_files / read_file / test run), > not what was planned. ### Phase N — | # | Item | Status | Evidence | |---|------|--------|----------| | N.M | | ✅ DONE | `path/file.ts:NN` … | ### Next-item recommendation ### Verification snapshot (YYYY-MM-DD) ``` npm run test → … npm run build → … npm run lint → … ``` ``` ## How to verify each item efficiently - `search_files` for the symbol/file the roadmap step says to create (e.g. `ErrorBoundary`, `mutateAssignment`, `quoteWriteSchema`). - `read_file` the cited file:line to confirm the implementation matches the roadmap spec, not just that the symbol exists. - `terminal` run `npx vitest run` once for the test-count snapshot; `npm run build` only if code changed this session (prior memos already recorded green builds). - For PB-migration items: list `pb_migrations/` — absence of the named migration file = ❌ NOT DONE (don't apply without approval). - **For PB migration items — verify the migration is actually applied in the running container**, not just that the file exists in `pb_migrations/` or in the container's `/pb_data/migrations/`. The proof is: ```bash docker exec /usr/local/bin/pocketbase migrate up --dir=/pb_data --migrationsDir=/pb_data/migrations ``` If it says **"No new migrations to apply."** → the migration is live (✅). If it applies a migration → it was on disk but not yet run (⚠️, now applied). Find the container ID with `docker ps --format '{{.ID}} {{.Names}}' | grep pocketbase`. - **For nginx snippet / security-header items — curl the production URL and grep for headers**: ```bash curl -sI https://shopproquote.graj-media.com/ | grep -iE 'content-security|x-content|x-frame|referrer|permissions|HTTP/' ``` Snippets can exist on disk (`/etc/nginx/snippets/`) and even be included in the site block but not actually served if the server block wasn't reloaded. The curl check is the source of truth. Run `sudo nginx -t` before relying on config. - **For systemd-service items — check both the unit file and the running state**: ```bash systemctl status | head -15 ss -tlnp | grep ``` A unit file on disk doesn't mean the service is enabled or running. `systemctl is-enabled ` confirms auto-start. ## Pitfalls - **Don't trust the "Execution Memo" sections alone** — those record what an agent *claimed* to finish, not what survived. Verify against the codebase. A memo can say "done" while a later refactor reverted it. During the 2026-07-07 Phase 1 audit pass, items 1.2, 1.3, and 1.4 were all already fully implemented on the server but had no Execution Memo and showed ❌/⚠️ in the status table — the code and infrastructure were done, the roadmap just hadn't been updated. - **"Already done" is a valid outcome** — before writing new code, audit the live state. Items may have been implemented in a prior session without the roadmap being updated. In that case: verify live, flip the status table to ✅, write the Execution Memo, and skip the code work. Do NOT re-implement from the roadmap spec. - **Approval-gated items stay ❌/⚠️** even if frontend prep is done. The `> APPROVAL REQUIRED` marker in the roadmap text is real — never mark the server half ✅ without the owner's go-ahead (AGENTS.md standing rule). - **vite.config.ts dev proxy drift**: roadmap 1.2 says point `/deepseek` at `http://127.0.0.1:80`. The live config still targets `https://127.0.0.1:3448` (dead gateway). Ray confirmed on 2026-07-07 he runs **prod only** (nginx/dist, not `npm run dev`), so this fix has zero practical impact and was intentionally skipped. Mark it ⚠️ with a note, not ❌. Do NOT keep re-suggesting this fix every session. - **`patch` tool parameter gotcha** — the `patch` tool requires `path` (not `patch`) as the parameter name for the file path. Repeated calls with `path` missing hit the tool-call guardrail (5 retries → blocked). If `patch` keeps failing with "path required", switch to `execute_code` with the Python `patch()` wrapper from `hermes_tools`, which takes `path` as a named kwarg and is more forgiving. - Keep evidence lines terse — `path:line` plus a 6-word fragment. The table is for triage, not prose. ## Current audit location The live audit lives at the bottom of `/mnt/seagate8tb/Websites/ShopProQuote.backup-20260626-2058/spq-v2/roadmap_5.2.md` (section `## Master Status Audit — 2026-07-07`). Append *new* dated sections below the prior one; don't overwrite old audits — they're a timeline. ## Phase 1 completion (as of 2026-07-07) All Phase 1 items (1.1–1.7) are ✅ DONE. ## Phase 2 completion (as of 2026-07-07) All Phase 2 items (2.1–2.10) are ✅ DONE, including 2.7 (logo uploads to PB). ## Phase 3 status (updated 2026-07-07) | # | Item | Status | Notes | |---|------|--------|-------| | 3.1 | GlitchTip self-hosted error tracking | ❌ NOT DONE | Needs go-ahead — Docker stack + @sentry/react + DSN. No /opt/glitchtip exists yet. | | 3.2 | PocketBase production hardening | ❌ NOT DONE | Needs go-ahead — SMTP env vars on PB container, backup cron, superadmin env. None set currently. | | 3.3 | Frontend hosting (nginx static) | ✅ ALREADY LIVE | `/etc/nginx/sites-enabled/shopproquote` serves dist/ on 443 with TLS, try_files SPA fallback, security headers. No work needed. | | 3.4 | Reverse proxy for /pb and /api | ✅ ALREADY LIVE | /pb/ → 127.0.0.1:8091 with WS upgrade + 86400 timeout. /api/ also proxied. No work needed. | | 3.5 | Structured logging | ❌ NOT DONE | Needs go-ahead — nginx JSON access log format, PB log rotation (json-file driver is set but no rotation limits). | | 3.6 | Offline banner | ✅ DONE | `src/components/OfflineBanner.tsx` wired in `src/App.tsx` above ``. | | 3.7 | Dependency audit | ✅ DONE | 0 vulnerabilities. 8 minor/patch updates available (all same-major). No action needed. | **Key lesson:** Before implementing any Phase 3 item, audit the live nginx config first. 3.3 and 3.4 were already fully deployed via prior sessions with no roadmap update — the roadmap said ❌ but reality said ✅. This mirrors the Phase 1 pattern where 1.2/1.3/1.4 were live but unmarked. Always curl the production URL and inspect the actual server block before writing new config. See `references/spq-v2-deployment.md` for the live nginx layout. ## Phase 4 status (as of 2026-07-07) All Phase 4 items (4.1–4.10) are ❌ NOT DONE. These are feature items, not infrastructure. Best self-contained picks: - **4.1** Quote approval notifications (PB hook only, no frontend change) — tiny - **4.2** Quote expiry enforcement (PB hook + frontend expired UI) — small - **4.4** Multi-vehicle customer history (new page + route, reuses existing customerId) — most self-contained feature pick - **4.5** Technician time-card CSV export (new advisor page) — self-contained - **4.7** Offline-first service worker — scoped as sub-project, significant effort