Aller au contenu principal

EMTB Epic Roadmap - Current State & Priorities

Current Development Status (January 2026)

🎯 Strategic Overview

The EMTB Tax Claim Management System has evolved into a secure, enterprise-grade platform with complete RBAC infrastructure, multi-tenant data isolation, and a modern React/Vite frontend with Shadcn UI. The project has completed its foundational security and UX transformation, and is now focused on feature enrichment and domain-specific workflows.

Epic Status Matrix

EpicStatusPriorityTimelineDependencies
Epic 1: RBAC ImplementationCOMPLETEDCriticalCompletedNone
Epic 2: Tenant IsolationCOMPLETEDCriticalCompletedEpic 1
Epic 3: Enhanced UXCOMPLETEDHighCompletedEpic 1, Epic 2
Epic 4: Data TablesCOMPLETEDHighCompletedEpic 3
Epic 5: Document Management🔄 IN PROGRESSHighCurrentEpic 4
Epic 6: Domain Workflows📋 PLANNEDMediumNextEpic 5
Epic 7: Hardening & Quality📋 PLANNEDCriticalParallelNone

Detailed Epic Breakdown

✅ Epic 1: Role-Based Authentication and Multi-Tenant Data Siloing

Status: COMPLETED (Foundation) Achievement: Enterprise-grade authentication and authorization infrastructure

Completed Components:

  • ✅ JWT-based authentication with Auth0 integration
  • ✅ Role-based guards (JwtAuthGuard, RolesGuard)
  • ✅ Security infrastructure and decorators
  • ✅ Comprehensive E2E testing suite
  • ✅ Security penetration testing framework
  • ✅ Bearer token API authentication

Key Files Implemented:

apps/api/src/auth/
├── strategies/jwt.strategy.ts          ✅ JWT authentication
├── guards/roles.guard.ts               ✅ Role authorization
├── auth.module.ts                      ✅ Auth infrastructure
└── auth.controller.ts                  ✅ Auth endpoints

apps/e2e/tests/
├── epic-1-rbac-tenant-isolation.spec.ts  ✅ RBAC E2E tests
├── security-penetration-testing.spec.ts  ✅ Security tests
└── utils/rbac-helpers.ts                  ✅ Test utilities

Next Steps: Apply RBAC to remaining endpoints, complete frontend integration

✅ Epic 2: Complete Multi-Tenant Data Isolation

Status: COMPLETED Priority: CRITICAL - Security Requirement

Objective: Complete database-level tenant isolation with automatic filtering

Completed Implementation:

  1. Database Schema Enhancement

    • tenant_id columns on all relevant tables
    • NOT NULL constraints with proper indexing
    • Data migration with integrity verification

  2. Tenant Middleware

    • Automatic tenant filtering via CLS (Continuation Local Storage)
    • Tenant context extraction from authenticated users
    • Admin bypass mechanisms for cross-tenant operations

  3. API Security

    • TenantAccessGuard on all endpoints
    • Tenant-aware service methods
    • Comprehensive audit logging

✅ Epic 3: RBAC-Enhanced User Experience & Interface

Status: COMPLETED Priority: HIGH - User Productivity

Objective: Transform frontend UX to leverage RBAC infrastructure

Completed Development:

  1. Role-Based Navigation

    • Dynamic menus based on user permissions
    • Role-aware route protection with React Router
    • Responsive navigation with Shadcn sidebar

  2. Personalized Dashboards

    • Role-specific dashboard layouts
    • Permission-aware data visualization
    • Real-time updates with TanStack Query

  3. Context-Aware Forms

    • PermissionGate component for role-based UI
    • Tenant-scoped search and filtering
    • React Hook Form + Zod validation

  4. Responsive Design

    • Mobile-responsive layouts
    • Shadcn/Radix component library
    • Tailwind CSS 4 styling

✅ Epic 4: Data Tables Refactoring

Status: COMPLETED Priority: HIGH

Completed Stories:

  • 5-1-1: Data Table Core Components ✅
  • 5-1-2: Pagination CSV Utility Functions ✅
  • 5-1-3: Testing Infrastructure Documentation ✅
  • 5-2-1: ClientsList Full Features ✅
  • 5-2-2: SitesList Faceted Status Filter ✅
  • 5-2-3: ReclamationsList Multi-Faceted Filters ✅
  • 5-3-1: CadastresList Page ✅
  • 5-3-2: PartnersList Page ✅
  • 5-4-1: InvoicesList Page ✅
  • 5-4-2: PartnerInvoicesList Page ✅
  • 5-4-3: ContactsList Page ✅
  • 5-4-4: UsersList Page ✅

🔄 Epic 5: Document Management

Status: IN PROGRESS (Current Focus) Priority: HIGH

OpenSpec Changes:

  • add-file-upload-system - ✅ COMPLETED
  • add-site-documents-sections - 🔄 IN PROGRESS
  • add-expert-partner-role - 📋 HIGH PRIORITY
  • add-client-convention-mandat - 📋 PLANNED
  • add-reclamation-subprocesses - 📋 PLANNED
  • add-facture-reclamation-flow - 📋 PLANNED

Completed:

  • Document entity with polymorphic linking (DocumentLink)
  • Full CRUD endpoints with CASL authorization
  • S3/R2 storage integration
  • FileUpload and MultiFileUpload components
  • useDocuments hook with upload/delete/download

In Progress:

  • Site document sections (cadastral, technical, legal)
  • Accordion-based collapsible UI

📋 Epic 6: Domain Workflows (Planned)

Status: PLANNED Priority: MEDIUM

Planned Features:

  • Client convention and mandat management
  • Reclamation sub-processes (dégrèvement, intérêts moratoires, incidence CFE)
  • Invoice generation from reclamation outcomes
  • Scheduled legacy data import

📋 Epic 7: Codebase Hardening & Quality (Planned)

Status: PLANNED Priority: CRITICAL (Stories 7.1-7.4), HIGH (Stories 7.5-7.6)

Objective: Address security vulnerabilities, testing gaps, and quality issues identified during comprehensive codebase audit (February 2026).

Stories:

StoryTitleSeverityScope
7.1Fix Tenant Isolation Query BugCRITICALBackend
7.2Add Production Safety GuardsCRITICALBackend
7.3Add API Rate LimitingCRITICALBackend
7.4Add Tests to CI PipelineCRITICALDevOps
7.5Test Security Guards & AuthHIGHBackend
7.6Frontend Quality ImprovementsHIGHFrontend

Key Findings:

  • .where() overwrites tenant filter during search (data leak risk)
  • DB_SYNC has no production guard, JWT_SECRET has insecure fallback
  • No rate limiting on API endpoints
  • Release workflow doesn't run tests before publishing
  • Security guards (PoliciesGuard, TenantAccessGuard) have zero test coverage
  • Frontend: phantom Vite plugin, any types in API client, no Error Boundaries

Note: This epic can be worked in parallel with Epic 5/6 since it addresses cross-cutting concerns.

⏸️ Deferred Epics

Scheduled Legacy Import

Status: Backlog (pending business priority)

  • Incremental import from legacy Strapi system
  • Scheduled job for daily sync
  • Import reconciliation reports

Development Priorities & Resource Allocation

Immediate Focus (Current Sprint)

  1. Epic 5 Completion - 80% of development effort

    • Complete Site Documents Sections integration
    • Client Convention & Mandat implementation
    • Document validation workflows

  2. Testing & Quality - 20% of development effort

    • E2E tests for document workflows
    • API integration tests

Short-term Goals (Next 2-3 Sprints)

  1. Epic 6: Domain Workflows - Primary focus

    • Reclamation sub-processes implementation
    • Invoice generation from claim outcomes
    • Partner invoice calculations

  2. Legacy Data Import - Secondary focus

    • Scheduled import from legacy Strapi system
    • Reconciliation and validation

Long-term Vision

  1. Business Process Automation

    • Workflow automation for claim processing
    • Advanced approval processes
    • Email notifications and reminders

  2. Advanced Analytics & Reporting

    • Role-based analytics dashboards
    • Cross-tenant reporting for EMTB administrators
    • Performance monitoring and business intelligence

Technical Architecture (Current State)

React/Vite Frontend → JWT Auth → Role Guards → Tenant Middleware → NestJS API → PostgreSQL
     ↓                                                                    ↓
TanStack Query                                                    TypeORM + CASL
     ↓                                                                    ↓
Shadcn/UI + Tailwind                                              S3/R2 Storage

Stack Summary:

  • Frontend: React 19, Vite 7, TanStack Query 5, Shadcn/UI, Tailwind CSS 4
  • Backend: NestJS 11, TypeORM 0.3.x, CASL 6.x, PostgreSQL 16
  • Auth: JWT + Passport, Role-based guards
  • Storage: AWS S3 / Cloudflare R2

Success Metrics & KPIs

Security Metrics (All Met ✅)

  • Authentication Coverage: 100% of API endpoints protected
  • Tenant Isolation: 100% via CLS middleware
  • CASL Authorization: All CRUD operations protected
  • Audit Compliance: DocumentAudit trail implemented

Performance Metrics

  • API Response Time: < 200ms average
  • Frontend Load Time: < 2 seconds initial load
  • Bundle Size: Optimized with Vite tree-shaking

User Experience Metrics

  • Role-Based Navigation: Dynamic menu adaptation
  • Permission Gates: Clear UI access boundaries
  • Mobile Responsiveness: Full functionality on mobile

OpenSpec Change Status

Change IDStatusDescription
add-file-upload-system✅ CompleteDocument upload infrastructure
add-site-documents-sections🔄 In ProgressSite document categories
add-expert-partner-role📋 PriorityExternal partner login with referrer-scoped access
add-client-convention-mandat📋 PlannedClient agreements & mandates
add-reclamation-subprocesses📋 PlannedClaim sub-process tracking
add-facture-reclamation-flow📋 PlannedInvoice generation workflow
add-scheduled-legacy-import⏸️ DeferredLegacy data sync

Conclusion

The EMTB project has completed its foundational transformation (Epics 1-4) and is now in the feature enrichment phase (Epic 5). The document management system is the current focus, with domain-specific workflows planned next.

The platform now provides:

  • Enterprise-grade security with RBAC and tenant isolation
  • Modern, responsive UI with Shadcn components
  • Robust data table infrastructure for all entities
  • Document management with S3/R2 storage

Document Owner: Product & Development Team Last Updated: January 2026 Next Review: After Epic 5 completion Stakeholders: Security, Development, Product, Business Teams