# ROADMAP.md

## Milestone 1 — Foundation ✅
- [x] Node/TypeScript API skeleton with Express
- [x] Health check endpoint (`GET /api/v1/health`)
- [x] JWT auth: login, refresh, logout, /me
- [x] Prisma schema: vendors, users, roles, products, categories, taxes, transactions
- [x] SQLite for local dev; Postgres for production
- [x] React admin SPA (Vite + TypeScript)
- [x] Login page + protected routing
- [x] Dashboard shell with auth context
- [x] Multi-stage Dockerfile; docker-compose with Postgres
- [x] Seed script with demo data

---

## Milestone 2 — Core Data & Admin ✅
- [x] Full CRUD: vendors, users, categories, products, taxes
- [x] RBAC enforcement on all routes (owner / manager / cashier)
- [x] Vendor settings page in admin UI
- [x] User management UI (add, edit, delete, assign role)
- [x] Catalog management UI (products, categories, taxes — tabbed)
- [x] Input validation with Zod on all endpoints
- [x] Pagination on list endpoints

---

## Milestone 3 — Android & Offline Sync
- [ ] `GET /api/v1/catalog/sync?since=` for delta syncs
- [ ] `POST /api/v1/transactions/batch` with idempotency keys
- [ ] Android Kotlin app: MVVM, Room, offline-first flows
- [ ] Background sync worker (Android)
- [ ] Conflict resolution strategy: server-authoritative for payments
- [ ] Admin reporting: Android-originated transactions appear in reports

---

## Milestone 4 — Payments & Hardening
- [ ] Payment abstraction layer (cash + card stub; provider-agnostic)
- [ ] Shift/daily summary endpoint and UI
- [ ] Receipt generation (print / email hooks)
- [ ] Advanced reporting: sales by product, tax summaries
- [ ] Telemetry and structured logging
- [ ] Production Docker hardening (non-root user, health checks, secrets)
- [ ] CI/CD pipeline skeleton