# MOHPortal

MOHPortal (MerchantsOfHope.org) — a modular, secure recruiting and staffing platform built to serve TSYS Group and its lines of business. The platform supports multi-tenant operations, agency-style recruiting workflows, managed services, and deep integration with existing TSYS business units.

## Purpose and Goals

- Provide a central, extensible platform for recruiting, contracting, and managed services across TSYS Group.
- Support multiple independent tenants with strict data isolation.
- Ship as a containerized application suitable for Docker Compose and Kubernetes deployments.
- Meet enterprise security, privacy, and accessibility requirements for government and commercial contracts.

## Key Capabilities

- Job seeker experience: browse jobs, resume upload and parsing, apply, track application status.
- Employer experience: create/manage job postings, review candidates, manage hiring workflows.
- Candidate lifecycle management: screening stages, interview scheduling, offer management.
- Tenant administration: tenant onboarding, role-based access control, tenant-scoped configuration.
- Integrations: identity providers (OIDC, social login), ATS/HR systems, internal TSYS services, analytics.

## Architecture & Integration Notes

- Modular, microservice-friendly design; services should be containerized and communicate over internal networks.
- Use the current directory name to determine the primary language/runtime for implementation and test artifacts.
- Only expose the main web interface externally; all other service ports remain on internal Docker/Kubernetes networks.
- Provide an API-first design with versioned REST/GraphQL endpoints and clear schema contracts for downstream integrations.

## Multi-Tenancy & Data Isolation

- Strong tenant separation (logical isolation always; storage-level isolation where appropriate).
- Tenant configuration, branding, and feature flags per tenant.
- Admins scoped by tenant; global system admins for platform operations only, with no standing access to tenant data.
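The tenant-scoped admin model above, together with the RBAC, least-privilege and audit-logging requirements in the next section, comes down to one rule: every decision checks both the role's permissions and the tenant boundary, and every decision is recorded. The following is an added example, not MOHPortal code; the role names, permission strings, the in-memory `JobStore` and the sample rows are assumptions chosen to illustrate the rule.

```python
"""Tenant-scoped RBAC check with audit logging.

Added example, not MOHPortal code. Roles, permission strings and the
in-memory store are assumptions used to illustrate the README's rules.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(str, Enum):
    GLOBAL_ADMIN = "global_admin"   # platform operations only, never tenant data
    TENANT_ADMIN = "tenant_admin"   # scoped to exactly one tenant
    RECRUITER = "recruiter"
    JOB_SEEKER = "job_seeker"


# Assumed permission matrix. Global admins deliberately hold no tenant-data
# permissions: platform operations and tenant data are separate privilege sets.
PERMISSIONS = {
    Role.GLOBAL_ADMIN: {"platform:manage", "tenant:onboard"},
    Role.TENANT_ADMIN: {"tenant:configure", "user:manage", "job:create",
                        "job:read", "candidate:read"},
    Role.RECRUITER: {"job:create", "job:read", "candidate:read"},
    Role.JOB_SEEKER: {"job:read", "application:create"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: Optional[str]        # None only for global admins
    roles: frozenset


@dataclass
class AuditLog:
    """Append-only in-memory sink standing in for the real audit pipeline."""
    events: list = field(default_factory=list)

    def record(self, **event):
        self.events.append(event)


def is_authorized(principal, action, resource_tenant, audit):
    """May `principal` perform `action` on a resource owned by `resource_tenant`
    (None = platform-level resource)? Both the permission check and the tenant
    scope check must pass, and every decision is audited, allow or deny."""
    granted = set().union(*(PERMISSIONS[r] for r in principal.roles))
    has_permission = action in granted

    if Role.GLOBAL_ADMIN in principal.roles:
        # Global admins act only on platform-level resources.
        in_scope = resource_tenant is None
    else:
        # Tenant users act only inside their own tenant; a missing tenant on
        # either side is a deny, never a wildcard.
        in_scope = (principal.tenant_id is not None
                    and principal.tenant_id == resource_tenant)

    decision = has_permission and in_scope
    audit.record(user=principal.user_id, actor_tenant=principal.tenant_id,
                 action=action, resource_tenant=resource_tenant,
                 result="allow" if decision else "deny")
    return decision


class JobStore:
    """Tenant-scoped repository: the tenant filter is taken from the principal,
    never from a caller-supplied parameter, so a buggy handler cannot leak
    another tenant's rows by passing the wrong id."""

    def __init__(self, rows):
        self._rows = list(rows)

    def list_jobs(self, principal, audit):
        if not is_authorized(principal, "job:read", principal.tenant_id, audit):
            return []
        return [r for r in self._rows if r["tenant_id"] == principal.tenant_id]


# Constructed sample rows for the demo run (not real data).
SAMPLE_JOBS = [
    {"id": 1, "tenant_id": "acme", "title": "SRE"},
    {"id": 2, "tenant_id": "globex", "title": "Recruiter"},
    {"id": 3, "tenant_id": "acme", "title": "Analyst"},
]


def demo():
    audit = AuditLog()
    acme_admin = Principal("u1", "acme", frozenset({Role.TENANT_ADMIN}))
    platform_op = Principal("u2", None, frozenset({Role.GLOBAL_ADMIN}))
    seeker = Principal("u3", "acme", frozenset({Role.JOB_SEEKER}))
    store = JobStore(SAMPLE_JOBS)
    return {
        "admin_own_tenant": is_authorized(acme_admin, "candidate:read", "acme", audit),
        "admin_cross_tenant": is_authorized(acme_admin, "candidate:read", "globex", audit),
        "global_onboard": is_authorized(platform_op, "tenant:onboard", None, audit),
        "global_reads_tenant_data": is_authorized(platform_op, "candidate:read", "acme", audit),
        "seeker_creates_job": is_authorized(seeker, "job:create", "acme", audit),
        "acme_job_ids": [j["id"] for j in store.list_jobs(acme_admin, audit)],
        "denied_events": sum(1 for e in audit.events if e["result"] == "deny"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two things worth copying into a real implementation are that the global-admin branch returns deny for any tenant-owned resource regardless of permissions (platform operations only), and that denials are audited as well as allows, since repeated cross-tenant denies for one user are exactly the signal an incident responder wants.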
## Authentication & Authorization

- Support OIDC providers and federated social logins (configurable per tenant).
- Role-based access control (RBAC) and least-privilege principles.
- Audit logging for administrative actions and authentication events (successes and failures).

## Accessibility & Compliance

- Target WCAG 2.1 AA at minimum to satisfy government contract accessibility requirements.
- English-only for MVP; ensure UI and content flows are accessible and keyboard-navigable.
- Compliance posture: design with PCI, GDPR, SOC, and FedRAMP considerations in mind. Implement data minimization, encryption at rest and in transit, and strong access controls.
- Assume USA law jurisdiction for legal and privacy decisions.

## Security & Privacy

- Encrypt sensitive data at rest and in transit (TLS everywhere, including service-to-service traffic on internal networks).
- Rotate secrets and credentials using secrets management (Vault or cloud-native equivalents); never bake secrets into images or commit them to the repo.
- Implement rate limiting, WAF patterns, hardened container images, and supply-chain security best practices (pinned base images, image scanning, signed artifacts).
- Logging and monitoring with alerting and observability (Prometheus/ELK or equivalent).

## Development Practices

- Follow Test Driven Development (TDD) with comprehensive unit, integration, and E2E tests.
- Maintain a docker-compose.yml for local stacks and a Kubernetes-friendly deployment manifest for production.
- Adopt CI/CD pipelines for automated builds, tests, image scans, and deployments.
- Keep the repo organized by service, tests, and infrastructure-as-code. Do not create artifacts outside the current directory.

## Deployment & Operations

- Ship as Docker container(s). Use a naming convention for artifacts and containers that maps agent-language-function (e.g., copilot-python-api).
- Only expose the main web UI port externally; keep all other services on internal stack networks.
- Prepare for Kubernetes deployment: manifests, Helm charts, resource requests/limits, and readiness/liveness probes.
- Define backup, disaster recovery, and tenant migration procedures.
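The exposure rule stated in both the architecture notes and the deployment section (one published port for the web UI, everything else on internal networks) is easy to get wrong in a compose file because `ports:` on any service publishes it to the host. The following is an added example of a local stack that enforces the rule; it is not the project's own docker-compose.yml, and the service names, image tags, ports and health endpoints are assumptions.

```yaml
# Added example, not the project's compose file. Service names, image tags
# (following the README's agent-language-function convention), ports and
# health endpoints are assumptions.
services:
  web:
    image: copilot-python-web:local
    ports:
      - "8080:8080"                  # the ONLY host-published port in the stack
    networks: [frontend, backend]    # frontend for the host, backend for api/db
    depends_on:
      api:
        condition: service_healthy   # do not serve until the API is ready
    read_only: true                  # hardened image: immutable root filesystem
    tmpfs: [/tmp]
    security_opt: ["no-new-privileges:true"]
    healthcheck:                     # maps to a readiness/liveness probe in k8s
      test: ["CMD", "curl", "-fsS", "http://localhost:8080/healthz"]
      interval: 10s
      timeout: 3s
      retries: 3

  api:
    image: copilot-python-api:local
    expose: ["9000"]                 # reachable by other services only; never published
    networks: [backend]
    env_file: .env.api               # runtime secrets, kept out of the image and the repo
    read_only: true
    tmpfs: [/tmp]
    security_opt: ["no-new-privileges:true"]
    depends_on:
      db:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://localhost:9000/healthz"]
      interval: 10s
      timeout: 3s
      retries: 3

  db:
    image: postgres:16
    networks: [backend]              # no host port: only the api can reach it
    env_file: .env.db
    volumes: [pgdata:/var/lib/postgresql/data]
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 10s
      timeout: 3s
      retries: 5

networks:
  frontend: {}
  backend:
    internal: true                   # no route off the host; nothing here can be published

volumes:
  pgdata: {}
```

After `docker compose up -d`, `docker compose ps` should show a host port mapping only for `web`; `docker compose port api 9000` and `docker compose port db 5432` should report nothing. A change that adds `ports:` to `api` or `db`, or removes `internal: true` from `backend`, is the kind of tenant-data-affecting change the review process below should catch.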
## Governance & Contributing

- Document coding standards, security checklists, and QA acceptance criteria.
- Review process for changes that affect compliance or tenant data handling.
- Add clear contribution guidelines and a changelog for tenant-impacting changes.

## Next Steps (MVP)

- Define core user stories (job search, apply, post job, admin tenant onboarding).
- Scaffold services and the initial docker-compose stack.
- Implement auth (OIDC), the multi-tenant data model, and an accessible UI skeleton.
- Establish the CI pipeline and baseline security scans.

For questions or to propose changes to platform scope, contact the PMO and reference the project-specific agent guidelines in the repository.