# MerchantsOfHope-SupplyANdDemandPortal - Production Readiness TODO

_Last updated: October 17, 2025_

## ✅ COMPLETED - Application Running

- [x] **Docker Configuration**: Fixed nginx port mapping and database authentication
- [x] **Single Port Exposure**: Only port 12000 exposed (maps to nginx:80 internally)
- [x] **Production Build**: Using nginx with production React build (no dev/prod drift)
- [x] **API Proxy**: Backend accessible via `/api/*` routes through nginx
- [x] **End-to-End Testing**: Application actually tested and working
- [x] **Documentation**: Updated README with correct setup instructions

**Application Status**: ✅ **RUNNING** at http://localhost:12000

## 🚨 CRITICAL PRODUCTION BLOCKERS

### Database & Schema Issues

- [ ] **CRITICAL**: Fix `pgcrypto` extension requirement in `backend/src/database/schema.sql#L1` - add `CREATE EXTENSION IF NOT EXISTS pgcrypto;` before schema creation
- [ ] **CRITICAL**: Ensure database migrations run idempotently on fresh databases
- [ ] **CRITICAL**: Fix test database connection issues - local Docker tests are failing with timeout errors
- [ ] **CRITICAL**: Validate that CI and local test environments use identical configurations

### Security & Data Protection

- [ ] **CRITICAL**: Implement proper RBAC (Role-Based Access Control) in all endpoints
- [ ] **CRITICAL**: Sanitize resume file paths - never expose `file_path` in API responses
- [ ] **CRITICAL**: Add input validation and sanitization to prevent SQL injection
- [ ] **CRITICAL**: Implement proper file upload validation and size limits
- [ ] **CRITICAL**: Add rate limiting to all API endpoints

### Frontend Production Build

- [ ] **CRITICAL**: Replace CRA dev server with production build in `frontend/Dockerfile`
- [ ] **CRITICAL**: Update Coolify deployment to serve prebuilt static assets
- [ ] **CRITICAL**: Fix Tailwind CSS processing - add `postcss.config.js` with proper configuration
- [ ] **CRITICAL**: Ensure all frontend routes work in production build

## 🔥 HIGH PRIORITY FIXES

### Test Coverage & Quality

- [ ] **HIGH**: Increase backend test coverage from 23.57% branches to ≥50%
  - Current: statements 61.60%, lines 61.95%, branches 23.57%, functions 78.33%
  - Target: Focus on RBAC/error paths in applications, resumes, and jobs routes
- [ ] **HIGH**: Increase frontend test coverage from ~19% statements to ≥60%
  - Add React Testing Library tests for Dashboard, Login/Register, Jobs, Applications
  - Test AuthContext flows and error states
- [ ] **HIGH**: Fix local Docker test suite to match CI configuration exactly
- [ ] **HIGH**: Add integration tests for resume upload/download workflows
- [ ] **HIGH**: Add end-to-end tests for critical user flows (login, job posting, applying)

### API & Backend Issues

- [ ] **HIGH**: Fix dashboard metrics wiring in `frontend/src/pages/Dashboard.js#L18-L45`
  - Fetch candidate totals from `/api/candidates` instead of duplicating `/api/applications` calls
  - Gate employer/candidate queries by role for accurate, authorized counts
- [ ] **HIGH**: Implement resume listing functionality in `frontend/src/pages/Resumes.js#L11-L15`
  - Create candidate-scoped endpoint `/api/resumes/me`
  - Wire to `useAuth` for candidate ID
- [ ] **HIGH**: Allow recruiters to create jobs by selecting authorized employers
  - Update `frontend/src/pages/CreateJob.js#L27-L85`
  - Fix `backend/src/routes/jobs.js#L141-L214` to validate ownership
- [ ] **HIGH**: Harden employer and candidate listings for least-privilege access
  - Add role checks in `backend/src/routes/employers.js#L9-L78`
  - Redact contact fields for unauthorized roles in `backend/src/routes/candidates.js#L8-L110`

### Infrastructure & DevOps

- [ ] **HIGH**: Ensure local test suite and CI run identically (Docker-only approach)
- [ ] **HIGH**: Add global request size limits and structured logging to Express
- [ ] **HIGH**: Make Jest `globalSetup` resilient when Docker is unavailable
- [ ] **HIGH**: Add security scans to CI pipeline (npm audit, Trivy)
- [ ] **HIGH**: Update `.gitignore` to exclude coverage artifacts

## 📋 MEDIUM PRIORITY IMPROVEMENTS

### Code Quality & Architecture

- [ ] **MEDIUM**: Create shared axios instance with interceptors for auth failures
- [ ] **MEDIUM**: Remove ad-hoc `fetch` usage in favor of centralized HTTP client
- [ ] **MEDIUM**: Add pagination bounds and input validation to list endpoints
- [ ] **MEDIUM**: Implement proper error handling and user feedback
- [ ] **MEDIUM**: Add request/response logging for debugging

### User Experience

- [ ] **MEDIUM**: Fix all broken UI components and missing functionality
- [ ] **MEDIUM**: Add loading states and error boundaries
- [ ] **MEDIUM**: Implement proper form validation and user feedback
- [ ] **MEDIUM**: Add email notifications for application status changes

### Documentation & Onboarding

- [ ] **MEDIUM**: Create architecture diagrams (high-level & data flow)
- [ ] **MEDIUM**: Add comprehensive API documentation
- [ ] **MEDIUM**: Create deployment guides for different environments
- [ ] **MEDIUM**: Add troubleshooting guides for common issues

## 🔧 TECHNICAL DEBT

### Dependencies & Updates

- [ ] **LOW**: Migrate to `@tanstack/react-query` v4 for supported releases
- [ ] **LOW**: Update all dependencies to latest stable versions
- [ ] **LOW**: Remove unused dependencies and clean up package.json files

### Performance & Monitoring

- [ ] **LOW**: Add basic request metrics (Prometheus or OpenTelemetry)
- [ ] **LOW**: Implement database query optimization
- [ ] **LOW**: Add performance monitoring and alerting
- [ ] **LOW**: Implement caching strategies

### Future Enhancements

- [ ] **LOW**: Evaluate moving resume storage to object storage (S3-compatible)
- [ ] **LOW**: Add configurable email templates
- [ ] **LOW**: Implement advanced search and filtering
- [ ] **LOW**: Add mobile-responsive design improvements

## 🐳 DOCKER & CONTAINERIZATION

### Current Issues

- [ ] **CRITICAL**: Local Docker test suite is failing with database connection timeouts
- [ ] **CRITICAL**: CI and local test environments are not synchronized
- [ ] **HIGH**: Test database configuration mismatch between local and CI
- [ ] **HIGH**: Docker Compose test configuration needs simplification

### Required Fixes

- [ ] **CRITICAL**: Fix `docker-compose.test.yml` database connection issues
- [ ] **CRITICAL**: Ensure all tests run in Docker containers (no host execution)
- [ ] **HIGH**: Simplify test database setup and teardown
- [ ] **HIGH**: Add proper health checks for all services
- [ ] **MEDIUM**: Optimize Docker images for faster builds
- [ ] **MEDIUM**: Add multi-stage builds for production images

## 🚀 DEPLOYMENT & PRODUCTION

### Environment Configuration

- [ ] **CRITICAL**: Ensure all environment variables are properly configured
- [ ] **CRITICAL**: Add proper secrets management
- [ ] **HIGH**: Create production-ready Docker Compose configuration
- [ ] **HIGH**: Add health checks and monitoring
- [ ] **MEDIUM**: Implement blue-green deployment strategy

### Business Requirements

- [ ] **CRITICAL**: Ensure application supports MerchantsOfHope.org business model
- [ ] **CRITICAL**: Validate all user roles work correctly (Admin, Recruiter, Employer, Candidate)
- [ ] **HIGH**: Test all critical business workflows end-to-end
- [ ] **HIGH**: Ensure data integrity and backup strategies
- [ ] **MEDIUM**: Add audit logging for compliance

## 📊 TESTING STRATEGY

### Current Test Status

- **Backend**: 61.60% statements, 23.57% branches (TARGET: ≥50% branches)
- **Frontend**: ~19% statements, 4% branches (TARGET: ≥60% statements)
- **Integration**: Missing critical workflow tests
- **E2E**: No end-to-end tests implemented

### Required Test Coverage

- [ ] **CRITICAL**: Fix local Docker test suite
- [ ] **HIGH**: Add comprehensive unit tests for all business logic
- [ ] **HIGH**: Add integration tests for API endpoints
- [ ] **HIGH**: Add React component tests with React Testing Library
- [ ] **MEDIUM**: Add end-to-end tests with Playwright or Cypress
- [ ] **MEDIUM**: Add performance tests for critical paths

## 🎯 SUCCESS CRITERIA

### Production Readiness Checklist

- [ ] All tests pass in Docker containers
- [ ] CI and local environments are identical
- [ ] Test coverage meets minimum thresholds
- [ ] Security vulnerabilities are addressed
- [ ] Performance is acceptable under load
- [ ] All critical business workflows work end-to-end
- [ ] Production deployment is automated and reliable
- [ ] Monitoring and alerting are in place

### Business Value Delivery

- [ ] Application supports MerchantsOfHope.org business model
- [ ] All user roles function correctly
- [ ] Data integrity is maintained
- [ ] User experience is smooth and intuitive
- [ ] System is scalable and maintainable

---

## 📝 NOTES

- **Container-Only Policy**: All development, testing, and deployment must happen in Docker containers
- **No Host Pollution**: Never install or run Node.js directly on the host system
- **Test Synchronization**: Local and CI test suites must run identically
- **Production Focus**: This application will support critical business operations for MerchantsOfHope.org

## 🔄 NEXT STEPS

1. **IMMEDIATE**: Fix Docker test suite database connection issues
2. **URGENT**: Synchronize local and CI test configurations
3. **HIGH**: Increase test coverage to meet minimum thresholds
4. **HIGH**: Fix critical security and RBAC issues
5. **MEDIUM**: Implement production build and deployment pipeline