MOHPortal/TODO.md

MerchantsOfHope-SupplyANdDemandPortal - Production Readiness TODO

Last updated: January 2025

🚨 CRITICAL PRODUCTION BLOCKERS

Database & Schema Issues

• CRITICAL: Fix pgcrypto extension requirement in backend/src/database/schema.sql#L1 - add CREATE EXTENSION IF NOT EXISTS pgcrypto; before schema creation
• CRITICAL: Ensure database migrations run idempotently on fresh databases
• CRITICAL: Fix test database connection issues - local Docker tests are failing with timeout errors
• CRITICAL: Validate that CI and local test environments use identical configurations

Security & Data Protection

• CRITICAL: Implement proper RBAC (Role-Based Access Control) in all endpoints
• CRITICAL: Sanitize resume file paths - never expose file_path in API responses
• CRITICAL: Add input validation and sanitization to prevent SQL injection
• CRITICAL: Implement proper file upload validation and size limits
• CRITICAL: Add rate limiting to all API endpoints

Frontend Production Build

• CRITICAL: Replace CRA dev server with production build in frontend/Dockerfile
• CRITICAL: Update Coolify deployment to serve prebuilt static assets
• CRITICAL: Fix Tailwind CSS processing - add postcss.config.js with proper configuration
• CRITICAL: Ensure all frontend routes work in production build

🔥 HIGH PRIORITY FIXES

Test Coverage & Quality

• HIGH: Increase backend test coverage from 23.57% branches to ≥50%
  • Current: statements 61.60%, lines 61.95%, branches 23.57%, functions 78.33%
  • Target: Focus on RBAC/error paths in applications, resumes, and jobs routes
• HIGH: Increase frontend test coverage from ~19% statements to ≥60%
  • Add React Testing Library tests for Dashboard, Login/Register, Jobs, Applications
  • Test AuthContext flows and error states
• HIGH: Fix local Docker test suite to match CI configuration exactly
• HIGH: Add integration tests for resume upload/download workflows
• HIGH: Add end-to-end tests for critical user flows (login, job posting, applying)

API & Backend Issues

• HIGH: Fix dashboard metrics wiring in frontend/src/pages/Dashboard.js#L18-L45
  • Fetch candidate totals from /api/candidates instead of duplicating /api/applications calls
  • Gate employer/candidate queries by role for accurate, authorized counts
• HIGH: Implement resume listing functionality in frontend/src/pages/Resumes.js#L11-L15
  • Create candidate-scoped endpoint /api/resumes/me
  • Wire to useAuth for candidate ID
• HIGH: Allow recruiters to create jobs by selecting authorized employers
  • Update frontend/src/pages/CreateJob.js#L27-L85
  • Fix backend/src/routes/jobs.js#L141-L214 to validate ownership
• HIGH: Harden employer and candidate listings for least-privilege access
  • Add role checks in backend/src/routes/employers.js#L9-L78
  • Redact contact fields for unauthorized roles in backend/src/routes/candidates.js#L8-L110

Infrastructure & DevOps

• HIGH: Ensure local test suite and CI run identically (Docker-only approach)
• HIGH: Add global request size limits and structured logging to Express
• HIGH: Make Jest globalSetup resilient when Docker is unavailable
• HIGH: Add security scans to CI pipeline (npm audit, Trivy)
• HIGH: Update .gitignore to exclude coverage artifacts

📋 MEDIUM PRIORITY IMPROVEMENTS

Code Quality & Architecture

• MEDIUM: Create shared axios instance with interceptors for auth failures
• MEDIUM: Remove ad-hoc fetch usage in favor of centralized HTTP client
• MEDIUM: Add pagination bounds and input validation to list endpoints
• MEDIUM: Implement proper error handling and user feedback
• MEDIUM: Add request/response logging for debugging

User Experience

• MEDIUM: Fix all broken UI components and missing functionality
• MEDIUM: Add loading states and error boundaries
• MEDIUM: Implement proper form validation and user feedback
• MEDIUM: Add email notifications for application status changes

Documentation & Onboarding

• MEDIUM: Create architecture diagrams (high-level & data flow)
• MEDIUM: Add comprehensive API documentation
• MEDIUM: Create deployment guides for different environments
• MEDIUM: Add troubleshooting guides for common issues

🔧 TECHNICAL DEBT

Dependencies & Updates

• LOW: Migrate to @tanstack/react-query v4 for supported releases
• LOW: Update all dependencies to latest stable versions
• LOW: Remove unused dependencies and clean up package.json files

Performance & Monitoring

• LOW: Add basic request metrics (Prometheus or OpenTelemetry)
• LOW: Implement database query optimization
• LOW: Add performance monitoring and alerting
• LOW: Implement caching strategies

Future Enhancements

• LOW: Evaluate moving resume storage to object storage (S3-compatible)
• LOW: Add configurable email templates
• LOW: Implement advanced search and filtering
• LOW: Add mobile-responsive design improvements

🐳 DOCKER & CONTAINERIZATION

Current Issues

• CRITICAL: Local Docker test suite is failing with database connection timeouts
• CRITICAL: CI and local test environments are not synchronized
• HIGH: Test database configuration mismatch between local and CI
• HIGH: Docker Compose test configuration needs simplification

Required Fixes

• CRITICAL: Fix docker-compose.test.yml database connection issues
• CRITICAL: Ensure all tests run in Docker containers (no host execution)
• HIGH: Simplify test database setup and teardown
• HIGH: Add proper health checks for all services
• MEDIUM: Optimize Docker images for faster builds
• MEDIUM: Add multi-stage builds for production images

🚀 DEPLOYMENT & PRODUCTION

Environment Configuration

• CRITICAL: Ensure all environment variables are properly configured
• CRITICAL: Add proper secrets management
• HIGH: Create production-ready Docker Compose configuration
• HIGH: Add health checks and monitoring
• MEDIUM: Implement blue-green deployment strategy

Business Requirements

• CRITICAL: Ensure application supports MerchantsOfHope.org business model
• CRITICAL: Validate all user roles work correctly (Admin, Recruiter, Employer, Candidate)
• HIGH: Test all critical business workflows end-to-end
• HIGH: Ensure data integrity and backup strategies
• MEDIUM: Add audit logging for compliance

📊 TESTING STRATEGY

Current Test Status

• Backend: 61.60% statements, 23.57% branches (TARGET: ≥50% branches)
• Frontend: ~19% statements, 4% branches (TARGET: ≥60% statements)
• Integration: Missing critical workflow tests
• E2E: No end-to-end tests implemented

Required Test Coverage

• CRITICAL: Fix local Docker test suite
• HIGH: Add comprehensive unit tests for all business logic
• HIGH: Add integration tests for API endpoints
• HIGH: Add React component tests with React Testing Library
• MEDIUM: Add end-to-end tests with Playwright or Cypress
• MEDIUM: Add performance tests for critical paths

🎯 SUCCESS CRITERIA

Production Readiness Checklist

• All tests pass in Docker containers
• CI and local environments are identical
• Test coverage meets minimum thresholds
• Security vulnerabilities are addressed
• Performance is acceptable under load
• All critical business workflows work end-to-end
• Production deployment is automated and reliable
• Monitoring and alerting are in place

Business Value Delivery

• Application supports MerchantsOfHope.org business model
• All user roles function correctly
• Data integrity is maintained
• User experience is smooth and intuitive
• System is scalable and maintainable

---

📝 NOTES

• Container-Only Policy: All development, testing, and deployment must happen in Docker containers
• No Host Pollution: Never install or run Node.js directly on the host system
• Test Synchronization: Local and CI test suites must run identically
• Production Focus: This application will support critical business operations for MerchantsOfHope.org

🔄 NEXT STEPS

1. IMMEDIATE: Fix Docker test suite database connection issues
2. URGENT: Synchronize local and CI test configurations
3. HIGH: Increase test coverage to meet minimum thresholds
4. HIGH: Fix critical security and RBAC issues
5. MEDIUM: Implement production build and deployment pipeline