# ROADMAP.md

## Milestone 1 — Foundation ✅
- [x] Node/TypeScript API skeleton with Express
- [x] Health check endpoint (`GET /api/v1/health`)
- [x] JWT auth: login, refresh, logout, /me
- [x] Prisma schema: vendors, users, roles, products, categories, taxes, transactions
- [x] SQLite for local dev; Postgres for production
- [x] React admin SPA (Vite + TypeScript)
- [x] Login page + protected routing
- [x] Dashboard shell with auth context
- [x] Multi-stage Dockerfile; docker-compose with Postgres
- [x] Seed script with demo data

---

## Milestone 2 — Core Data & Admin ✅
- [x] Full CRUD: vendors, users, categories, products, taxes
- [x] RBAC enforcement on all routes (owner / manager / cashier)
- [x] Vendor settings page in admin UI
- [x] User management UI (add, edit, delete, assign role)
- [x] Catalog management UI (products, categories, taxes — tabbed)
- [x] Input validation with Zod on all endpoints
- [x] Pagination on list endpoints

---

## Milestone 3 — Android & Offline Sync ✅ (server-side)
- [x] `GET /api/v1/catalog/sync?since=<ISO>` — delta sync for products, categories, taxes
- [x] `POST /api/v1/transactions/batch` — idempotency-keyed batch upload (207 Multi-Status)
- [x] `GET /api/v1/transactions` — paginated list with date/status/payment filters
- [x] `GET /api/v1/transactions/reports/summary` — revenue, tax, top products, payment breakdown
- [x] Reports page: stat cards, payment method breakdown, top products, transaction table
- [ ] Android Kotlin app: MVVM, Room, offline-first flows (separate deliverable)
- [ ] Background sync worker (Android)
- [ ] Conflict resolution: server-authoritative for payments (enforced via idempotency)

---

## Milestone 4 — Payments & Hardening ✅
- [x] Payment abstraction layer (`lib/payments.ts`) — cash + card stub; swap processCard() for real SDK
- [x] `POST /api/v1/transactions/:id/refund` — manager/owner only, server-authoritative
- [x] `GET /api/v1/transactions/:id/receipt` — structured receipt payload for print/email/SMS
- [x] Structured JSON request logging (`lib/logger.ts`, `middleware/requestLogger.ts`)
- [x] Dockerfile hardened: non-root user (`appuser`), `HEALTHCHECK`, npm cache cleared
- [x] Error handler uses structured logger instead of console.error