<!doctype html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
|
<title>Amanat Taskmaster Queue</title>
|
|
<style>
|
|
:root {
|
|
--ink: #10100f;
|
|
--muted: #6f716c;
|
|
--paper: #f4f2eb;
|
|
--panel: #ffffff;
|
|
--soft: #e8e4d8;
|
|
--line: #d8d3c5;
|
|
--green: #169b62;
|
|
--amber: #c98616;
|
|
--red: #d64c3c;
|
|
--blue: #3568ff;
|
|
--black: #10100f;
|
|
--shadow: 0 20px 60px rgba(16, 16, 15, 0.08);
|
|
}
|
|
* { box-sizing: border-box; }
|
|
html { scroll-behavior: smooth; }
|
|
body {
|
|
margin: 0;
|
|
font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
|
|
color: var(--ink);
|
|
background: var(--paper);
|
|
min-height: 100vh;
|
|
}
|
|
body::before {
|
|
content: "";
|
|
position: fixed;
|
|
inset: 0;
|
|
pointer-events: none;
|
|
background:
|
|
linear-gradient(rgba(16, 16, 15, 0.035) 1px, transparent 1px),
|
|
linear-gradient(90deg, rgba(16, 16, 15, 0.035) 1px, transparent 1px);
|
|
background-size: 52px 52px;
|
|
mask-image: linear-gradient(to bottom, black, transparent 72%);
|
|
}
|
|
header {
|
|
padding: 22px clamp(18px, 4vw, 56px) 30px;
|
|
}
|
|
.topbar {
|
|
max-width: 1280px;
|
|
margin: 0 auto 72px;
|
|
display: flex;
|
|
align-items: center;
|
|
justify-content: space-between;
|
|
gap: 16px;
|
|
}
|
|
.brand {
|
|
display: inline-flex;
|
|
align-items: center;
|
|
gap: 10px;
|
|
color: var(--ink);
|
|
font-size: 0.9rem;
|
|
font-weight: 800;
|
|
letter-spacing: 0.02em;
|
|
text-decoration: none;
|
|
text-transform: uppercase;
|
|
}
|
|
.brand-mark {
|
|
width: 28px;
|
|
height: 28px;
|
|
border: 2px solid var(--ink);
|
|
border-radius: 50%;
|
|
display: inline-grid;
|
|
place-items: center;
|
|
font-size: 0.78rem;
|
|
}
|
|
.nav {
|
|
display: flex;
|
|
gap: 8px;
|
|
align-items: center;
|
|
flex-wrap: wrap;
|
|
justify-content: flex-end;
|
|
}
|
|
.nav a {
|
|
color: var(--ink);
|
|
text-decoration: none;
|
|
border: 1px solid transparent;
|
|
border-radius: 999px;
|
|
padding: 9px 13px;
|
|
font-size: 0.88rem;
|
|
font-weight: 700;
|
|
}
|
|
.nav a:hover,
|
|
.nav .active {
|
|
background: var(--black);
|
|
color: #fff;
|
|
}
|
|
.hero {
|
|
max-width: 1280px;
|
|
margin: 0 auto;
|
|
display: grid;
|
|
grid-template-columns: minmax(0, 1fr) minmax(300px, 420px);
|
|
gap: clamp(28px, 5vw, 72px);
|
|
align-items: center;
|
|
}
|
|
h1 {
|
|
font-size: clamp(3.2rem, 10vw, 9.6rem);
|
|
line-height: 0.82;
|
|
letter-spacing: 0;
|
|
margin: 0;
|
|
font-weight: 900;
|
|
max-width: 8ch;
|
|
}
|
|
.lead {
|
|
color: var(--muted);
|
|
font-size: clamp(1.02rem, 1.5vw, 1.25rem);
|
|
max-width: 720px;
|
|
line-height: 1.45;
|
|
margin: 28px 0 0;
|
|
}
|
|
.stats {
|
|
display: grid;
|
|
grid-template-columns: repeat(2, minmax(0, 1fr));
|
|
gap: 10px;
|
|
}
|
|
.stat {
|
|
min-height: 132px;
|
|
background: var(--panel);
|
|
border: 1px solid var(--line);
|
|
border-radius: 8px;
|
|
padding: 18px;
|
|
box-shadow: var(--shadow);
|
|
display: flex;
|
|
flex-direction: column;
|
|
justify-content: space-between;
|
|
}
|
|
.stat strong {
|
|
display: block;
|
|
font-size: clamp(2.2rem, 4vw, 4.2rem);
|
|
line-height: 0.85;
|
|
letter-spacing: 0;
|
|
}
|
|
.stat span {
|
|
color: var(--muted);
|
|
font-size: 0.82rem;
|
|
font-weight: 800;
|
|
text-transform: uppercase;
|
|
}
|
|
main {
|
|
max-width: 1280px;
|
|
margin: 0 auto;
|
|
padding: 36px clamp(18px, 4vw, 56px) 72px;
|
|
}
|
|
.toolbar {
|
|
display: flex;
|
|
gap: 12px;
|
|
flex-wrap: wrap;
|
|
align-items: center;
|
|
justify-content: space-between;
|
|
border-top: 1px solid var(--line);
|
|
border-bottom: 1px solid var(--line);
|
|
padding: 16px 0;
|
|
margin-bottom: 30px;
|
|
}
|
|
input, select, a.button, .status-pill {
|
|
border: 1px solid var(--black);
|
|
background: transparent;
|
|
border-radius: 999px;
|
|
padding: 12px 15px;
|
|
color: var(--ink);
|
|
font: inherit;
|
|
text-decoration: none;
|
|
font-size: 0.9rem;
|
|
font-weight: 750;
|
|
}
|
|
input {
|
|
min-width: min(100%, 320px);
|
|
flex: 1 1 320px;
|
|
background: var(--panel);
|
|
}
|
|
select {
|
|
appearance: none;
|
|
background: var(--panel);
|
|
cursor: pointer;
|
|
}
|
|
a.button {
|
|
background: var(--black);
|
|
color: #fff;
|
|
display: inline-flex;
|
|
align-items: center;
|
|
justify-content: center;
|
|
}
|
|
.roadmap-tabs {
|
|
display: grid;
|
|
grid-template-columns: repeat(3, minmax(0, 1fr));
|
|
gap: 10px;
|
|
margin: 0 0 18px;
|
|
}
|
|
.status-pill {
|
|
border-color: var(--line);
|
|
background: var(--panel);
|
|
min-height: 56px;
|
|
display: flex;
|
|
align-items: center;
|
|
justify-content: space-between;
|
|
gap: 12px;
|
|
}
|
|
.status-pill::after {
|
|
content: "";
|
|
width: 10px;
|
|
height: 10px;
|
|
border-radius: 50%;
|
|
background: var(--muted);
|
|
}
|
|
.status-pill.done::after { background: var(--green); }
|
|
.status-pill.progress::after { background: var(--blue); }
|
|
.status-pill.planned::after { background: var(--amber); }
|
|
#tasks {
|
|
display: grid;
|
|
grid-template-columns: repeat(3, minmax(0, 1fr));
|
|
gap: 14px;
|
|
align-items: start;
|
|
}
|
|
.roadmap-column {
|
|
display: grid;
|
|
gap: 14px;
|
|
align-content: start;
|
|
}
|
|
.column-title {
|
|
position: sticky;
|
|
top: 0;
|
|
z-index: 2;
|
|
background: rgba(244, 242, 235, 0.92);
|
|
backdrop-filter: blur(12px);
|
|
border: 1px solid var(--line);
|
|
border-radius: 8px;
|
|
padding: 12px 14px;
|
|
display: flex;
|
|
justify-content: space-between;
|
|
align-items: center;
|
|
font-size: 0.78rem;
|
|
font-weight: 900;
|
|
letter-spacing: 0.1em;
|
|
text-transform: uppercase;
|
|
}
|
|
.column-title span:last-child {
|
|
color: var(--muted);
|
|
letter-spacing: 0;
|
|
}
|
|
.task {
|
|
position: relative;
|
|
background: var(--panel);
|
|
border: 1px solid var(--line);
|
|
border-radius: 8px;
|
|
padding: clamp(18px, 2.4vw, 26px);
|
|
box-shadow: var(--shadow);
|
|
margin: 0;
|
|
overflow: clip;
|
|
}
|
|
.task::before {
|
|
content: "";
|
|
position: absolute;
|
|
inset: 0 0 auto;
|
|
height: 5px;
|
|
background: var(--amber);
|
|
}
|
|
.task[data-status="done"]::before { background: var(--green); }
|
|
.task[data-status="in-progress"]::before { background: var(--blue); }
|
|
.task[data-priority="high"] {
|
|
border-color: rgba(16, 16, 15, 0.32);
|
|
}
|
|
.task-head, .subtask-top {
|
|
display: flex;
|
|
justify-content: space-between;
|
|
gap: 14px;
|
|
align-items: flex-start;
|
|
}
|
|
.eyebrow {
|
|
color: var(--muted);
|
|
margin: 0 0 10px;
|
|
text-transform: uppercase;
|
|
letter-spacing: 0.12em;
|
|
font-size: 0.72rem;
|
|
font-weight: 900;
|
|
}
|
|
h2 {
|
|
font-size: clamp(1.35rem, 2vw, 2rem);
|
|
line-height: 0.98;
|
|
margin: 0;
|
|
letter-spacing: 0;
|
|
font-weight: 900;
|
|
}
|
|
h3 {
|
|
margin: 24px 0 10px;
|
|
font-size: 0.82rem;
|
|
text-transform: uppercase;
|
|
letter-spacing: 0.1em;
|
|
}
|
|
.desc, details p, .subtask p { color: var(--muted); line-height: 1.55; }
|
|
.desc {
|
|
font-size: 0.98rem;
|
|
margin: 18px 0 0;
|
|
}
|
|
details {
|
|
border-top: 1px solid var(--line);
|
|
border-bottom: 1px solid var(--line);
|
|
padding: 14px 0;
|
|
margin-top: 18px;
|
|
}
|
|
summary {
|
|
cursor: pointer;
|
|
color: var(--ink);
|
|
font-weight: 850;
|
|
font-size: 0.92rem;
|
|
}
|
|
.badges { display: flex; gap: 8px; flex-wrap: wrap; justify-content: flex-end; }
|
|
.badge {
|
|
display: inline-flex;
|
|
align-items: center;
|
|
border-radius: 999px;
|
|
padding: 6px 9px;
|
|
font-size: 0.68rem;
|
|
font-weight: 900;
|
|
line-height: 1;
|
|
background: var(--soft);
|
|
color: var(--ink);
|
|
white-space: nowrap;
|
|
text-transform: uppercase;
|
|
}
|
|
.done { background: rgba(22, 155, 98, 0.12); color: #09683f; }
|
|
.pending { background: rgba(201, 134, 22, 0.14); color: #8a5709; }
|
|
.in-progress { background: rgba(53, 104, 255, 0.12); color: #264fca; }
|
|
.blocked, .critical { background: rgba(214, 76, 60, 0.14); color: #a83327; }
|
|
.priority-high { background: var(--black); color: #fff; }
|
|
.priority-medium { background: rgba(16, 16, 15, 0.08); color: var(--ink); }
|
|
.priority-low { background: rgba(111, 113, 108, 0.12); color: var(--muted); }
|
|
.subtasks { list-style: none; padding: 0; margin: 0; display: grid; gap: 10px; }
|
|
.subtask {
|
|
border-top: 1px solid var(--line);
|
|
padding: 14px 0 0;
|
|
background: transparent;
|
|
}
|
|
.sub-id {
|
|
color: var(--muted);
|
|
font-weight: 800;
|
|
min-width: 42px;
|
|
}
|
|
.subtask strong { flex: 1; line-height: 1.2; }
|
|
.subtask p { margin: 9px 0 0 56px; font-size: 0.9rem; }
|
|
.deps { font-size: 0.9rem; color: var(--blue) !important; }
|
|
footer {
|
|
color: var(--muted);
|
|
border-top: 1px solid var(--line);
|
|
text-align: center;
|
|
padding: 30px;
|
|
font-size: 0.9rem;
|
|
}
|
|
@media (max-width: 1100px) {
|
|
#tasks { grid-template-columns: 1fr 1fr; }
|
|
}
|
|
@media (max-width: 760px) {
|
|
header { padding-top: 16px; }
|
|
.topbar { margin-bottom: 48px; align-items: flex-start; }
|
|
.nav { display: none; }
|
|
.hero { grid-template-columns: 1fr; }
|
|
.stats { grid-template-columns: repeat(2, 1fr); }
|
|
.roadmap-tabs, #tasks { grid-template-columns: 1fr; }
|
|
.task-head, .subtask-top { flex-direction: column; }
|
|
.badges { justify-content: flex-start; }
|
|
.subtask p { margin-left: 0; }
|
|
}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<header>
|
|
<nav class="topbar" aria-label="Primary">
|
|
<a class="brand" href="#">
|
|
<span class="brand-mark">A</span>
|
|
Amanat
|
|
</a>
|
|
<div class="nav">
|
|
<a class="active" href="#tasks">Roadmap</a>
|
|
<a href="#search">Filter</a>
|
|
<a href="tasks.json">JSON</a>
|
|
</div>
|
|
</nav>
|
|
<section class="hero">
|
|
<div>
|
|
<p class="eyebrow">Amanat docs · Taskmaster</p>
|
|
<h1>Roadmap</h1>
|
|
<!-- NOTE(review): the lead below calls this a public view, and the task cards on this page name security controls that are still marked pending (route authentication and ownership checks, rate limiting, the passkey flow, payment verification, socket room joins). Confirm the intended audience before publishing. An access-controlled copy, or a public copy that leaves out open security findings until they ship, avoids advertising known gaps. -->
<p class="lead">A public planning view generated from the docs-side Taskmaster queue. Track security remediation, payment architecture, Telegram-native work, refactor decisions, and completed documentation work from one place.</p>
|
|
</div>
|
|
<aside class="stats">
|
|
<div class="stat"><strong>5</strong><span>parent tasks</span></div>
|
|
<div class="stat"><strong>40</strong><span>subtasks</span></div>
|
|
<div class="stat"><strong>41</strong><span>pending items</span></div>
|
|
<div class="stat"><strong>4</strong><span>done items</span></div>
|
|
</aside>
|
|
</section>
|
|
</header>
|
|
<main>
|
|
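<div class="toolbar">
  <!-- Filter controls read by the page script through their ids (#search, #status, #priority). -->
  <!-- Each control carries an aria-label because a placeholder alone is not an accessible name and the selects have no visible label. -->
  <input id="search" type="search" placeholder="Search tasks, subtasks, PRDs..." aria-label="Search tasks, subtasks, and PRDs" />
  <!-- Option text doubles as the submitted value; it is compared with each card's data-status. -->
  <select id="status" aria-label="Filter by status"><option value="">All statuses</option><option>pending</option><option>done</option><option>in-progress</option><option>blocked</option></select>
  <!-- Option text doubles as the submitted value; it is compared with each card's data-priority. -->
  <select id="priority" aria-label="Filter by priority"><option value="">All priorities</option><option>high</option><option>medium</option><option>low</option></select>
  <a class="button" href="tasks.json">Raw JSON</a>
</div>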
|
|
<div class="roadmap-tabs" aria-label="Roadmap columns">
|
|
<div class="status-pill done">Shipped</div>
|
|
<div class="status-pill progress">In progress</div>
|
|
<div class="status-pill planned">Planned</div>
|
|
</div>
|
|
<section id="tasks">
|
|
<article class="task" data-status="pending" data-priority="high">
|
|
<div class="task-head">
|
|
<div>
|
|
<p class="eyebrow">Task 2</p>
|
|
<h2>Implement platform audit remediation plan</h2>
|
|
</div>
|
|
<div class="badges"><span class="badge pending">pending</span><span class="badge priority-high">high</span></div>
|
|
</div>
|
|
<p class="desc">Address the code-backed security and consistency issues identified in the 2026-05-24 platform audit remediation PRD.</p>
|
|
<details>
|
|
<summary>Details and test strategy</summary>
|
|
<p>Source PRD: .taskmaster/docs/prd-platform-audit-remediation-plan-2026-05-24.md. Target backend hardening first, then documentation/runtime alignment. Delivery order suggested by PRD: security/auth, rate limiting, passkeys, Web3 verification, socket hardening, dispute hold controls, docs/API alignment.</p>
|
|
<p><strong>Test strategy:</strong> Add focused regression tests for route auth/ownership, passkey challenge/verification, Web3 verification semantics, socket authorization, rate limiting tiers, and payout/release dispute holds. Update API docs after behavior is implemented.</p>
|
|
|
|
</details>
|
|
<h3>Subtasks (7)</h3>
|
|
<ul class="subtasks">
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">2.1</span>
|
|
<strong>Secure unauthenticated endpoints and owner enforcement</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Require authenticateToken and owner/admin checks on exposed payment, AI, and legacy notification routes.</p>
|
|
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">2.2</span>
|
|
<strong>Re-enable and scope rate limiting</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Restore global and route-tiered rate limits for public-sensitive paths.</p>
|
|
<p class="deps">Depends on: 2.1</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">2.3</span>
|
|
<strong>Replace stubbed passkey/WebAuthn flow</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Implement production-grade WebAuthn registration/authentication and shared challenge storage.</p>
|
|
<p class="deps">Depends on: 2.1</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">2.4</span>
|
|
<strong>Strengthen DePay/Web3 payment verification</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Verify transaction recipient, token contract, and amount, not only receipt success.</p>
|
|
<p class="deps">Depends on: 2.1</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">2.5</span>
|
|
<strong>Lock Socket.IO room joins to authenticated context</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Remove trust in client-supplied user/buyer/seller room IDs.</p>
|
|
<p class="deps">Depends on: 2.1</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">2.6</span>
|
|
<strong>Enforce dispute hold before payout and release operations</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Add payment hold state and central release/refund guards that block disputed funds.</p>
|
|
<p class="deps">Depends on: 2.1, 2.4</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">2.7</span>
|
|
<strong>Align documentation, API references, and runtime enums</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Normalize disputed/payment/request status docs and implementation references after security behavior changes.</p>
|
|
<p class="deps">Depends on: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6</p>
|
|
</li></ul>
|
|
</article>
|
|
|
|
<article class="task" data-status="pending" data-priority="high">
|
|
<div class="task-head">
|
|
<div>
|
|
<p class="eyebrow">Task 3</p>
|
|
<h2>Migrate payment architecture toward Request Network and internal funds management</h2>
|
|
</div>
|
|
<div class="badges"><span class="badge pending">pending</span><span class="badge priority-high">high</span></div>
|
|
</div>
|
|
<p class="desc">Plan and implement provider-neutral payment flows, Request Network pay-in support, funds ledger, webhook reconciliation, release/refund orchestration, UI migration, and SHKeeper decommissioning.</p>
|
|
<details>
|
|
<summary>Details and test strategy</summary>
|
|
<p>Source PRD: .taskmaster/docs/prd-request-network-migration-and-funds-management.md. The PRD recommends phased migration behind a provider adapter, Secure Payment Pages first, platform-controlled escrow/payee destination, and a first-class internal funds ledger before release/refund enforcement.</p>
|
|
<p><strong>Test strategy:</strong> Use feature flags, provider fixture tests, webhook signature/idempotency tests, ledger invariant tests, migration dry-run reports, and limited cohort rollout before default provider switch.</p>
|
|
<p><strong>Depends on:</strong> 2</p>
|
|
</details>
|
|
<h3>Subtasks (7)</h3>
|
|
<ul class="subtasks">
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">3.1</span>
|
|
<strong>Introduce provider-neutral payment adapter</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Decouple checkout, webhook, and payout flows from SHKeeper-specific routes and metadata.</p>
|
|
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">3.2</span>
|
|
<strong>Implement Request Network pay-in integration</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Create Request Network payment requests or Secure Payment Pages for new checkout flows.</p>
|
|
<p class="deps">Depends on: 3.1</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">3.3</span>
|
|
<strong>Add funds ledger and escrow state machine</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Introduce internal funds accounting independent from provider metadata.</p>
|
|
<p class="deps">Depends on: 3.1</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">3.4</span>
|
|
<strong>Build Request Network webhook and reconciliation service</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Process signed Request Network events and repair missed webhook state through reconciliation.</p>
|
|
<p class="deps">Depends on: 3.2, 3.3</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">3.5</span>
|
|
<strong>Implement release, refund, and payout orchestration</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Replace SHKeeper payout tasks and simulated release with auditable transaction instruction and confirmation flows.</p>
|
|
<p class="deps">Depends on: 3.3, 3.4</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">3.6</span>
|
|
<strong>Migrate frontend checkout and admin payment UI</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Update buyer checkout, admin release, seller payout, and payment details for provider-neutral Request Network flows.</p>
|
|
<p class="deps">Depends on: 3.2, 3.3, 3.5</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">3.7</span>
|
|
<strong>Backfill legacy SHKeeper records and decommission provider-specific code</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Migrate historical SHKeeper payment metadata and safely remove legacy wallet monitor/webhook/payout paths after cutoff.</p>
|
|
<p class="deps">Depends on: 3.3, 3.4, 3.5, 3.6</p>
|
|
</li></ul>
|
|
</article>
|
|
|
|
<article class="task" data-status="pending" data-priority="high">
|
|
<div class="task-head">
|
|
<div>
|
|
<p class="eyebrow">Task 4</p>
|
|
<h2>Define backend security and refactor strategy from latest audit</h2>
|
|
</div>
|
|
<div class="badges"><span class="badge pending">pending</span><span class="badge priority-high">high</span></div>
|
|
</div>
|
|
<p class="desc">Convert the backend stack security/refactor assessment into concrete architecture decisions, documentation deliverables, and developer handoff criteria.</p>
|
|
<details>
|
|
<summary>Details and test strategy</summary>
|
|
<p>Source audit: .taskmaster/docs/audit-backend-stack-security-and-refactor-assessment-2026-05-24.md. This task is advisory/architecture-focused and should run in parallel with immediate hardening. It should produce the decision artifacts needed before any backend-core rewrite or provider migration is started.</p>
|
|
<p><strong>Test strategy:</strong> Review and sign off each architecture document with backend, payments, frontend, and operations stakeholders. Confirm every open question has an owner or explicit deferred decision before implementation work begins.</p>
|
|
|
|
</details>
|
|
<h3>Subtasks (9)</h3>
|
|
<ul class="subtasks">
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">4.1</span>
|
|
<strong>Assign security ownership and launch decision criteria</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Define who owns security decisions and what must be true before public launch or migration work proceeds.</p>
|
|
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">4.2</span>
|
|
<strong>Produce threat model for escrow platform</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Document protected assets, actors, trust boundaries, and abuse cases for the financial marketplace.</p>
|
|
<p class="deps">Depends on: 4.1</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">4.3</span>
|
|
<strong>Specify funds ledger and escrow state machine</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Define canonical money movement and legal state transitions before refactor or provider migration.</p>
|
|
<p class="deps">Depends on: 4.2</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">4.4</span>
|
|
<strong>Create authorization matrix for REST and Socket.IO</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Map every endpoint and realtime event to access level, ownership checks, state preconditions, rate-limit tier, and audit-log requirement.</p>
|
|
<p class="deps">Depends on: 4.2</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">4.5</span>
|
|
<strong>Decide session, passkey, and admin step-up architecture</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Choose browser session model and high-risk admin authentication requirements.</p>
|
|
<p class="deps">Depends on: 4.2</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">4.6</span>
|
|
<strong>Specify webhook security and provider adapter contracts</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Define provider-neutral payment interface and signed webhook processing rules.</p>
|
|
<p class="deps">Depends on: 4.3</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">4.7</span>
|
|
<strong>Define secure build and supply-chain policy</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Reduce npm/dependency compromise risk across frontend and any remaining Node services.</p>
|
|
<p class="deps">Depends on: 4.1</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">4.8</span>
|
|
<strong>Make backend-core stack decision</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Choose whether the security-critical backend core remains TypeScript or moves to Go/Kotlin/Rust/Python.</p>
|
|
<p class="deps">Depends on: 4.2, 4.3, 4.4, 4.5, 4.6, 4.7</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">4.9</span>
|
|
<strong>Create migration and operational runbooks</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Document rollout, rollback, and incident response for the selected backend/funds architecture.</p>
|
|
<p class="deps">Depends on: 4.8</p>
|
|
</li></ul>
|
|
</article>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<article class="task" data-status="pending" data-priority="high">
|
|
<div class="task-head">
|
|
<div>
|
|
<p class="eyebrow">Task 5</p>
|
|
<h2>Deliver Telegram-native app, bot, and wallet experience</h2>
|
|
</div>
|
|
<div class="badges"><span class="badge pending">pending</span><span class="badge priority-high">high</span></div>
|
|
</div>
|
|
<p class="desc">Create a Telegram bot plus Mini App surface so users can complete Amanat buyer, seller, escrow, chat, dispute, payment, release/refund, and support workflows from inside Telegram.</p>
|
|
<details>
|
|
<summary>Details and test strategy</summary>
|
|
<p>Source PRD: .taskmaster/docs/prd-telegram-native-app-bot-wallet.md. Keep this as a separate delivery track from security remediation and Request Network migration. Identity, bot navigation, Mini App shell, and notifications can start behind flags; wallet/payment crediting and release/refund actions must use canonical backend authorization, provider adapter, funds ledger, escrow state machine, idempotency, and dispute holds.</p>
|
|
<p><strong>Test strategy:</strong> Use Telegram sandbox and production bot separation, Mini App client matrix testing, provider/wallet payment fixtures, backend authorization and ledger invariant tests, webhook/callback replay tests, and staged rollout analytics before launch.</p>
|
|
|
|
</details>
|
|
<h3>Subtasks (9)</h3>
|
|
<ul class="subtasks">
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">5.1</span>
|
|
<strong>Define Telegram product surface and flow map</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Document which Amanat workflows live in bot messages, which live in the Mini App, and which remain web/admin-only for first release.</p>
|
|
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">5.2</span>
|
|
<strong>Build Telegram identity linking and session model</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Implement secure account linking between Telegram users and Amanat accounts.</p>
|
|
<p class="deps">Depends on: 5.1</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">5.3</span>
|
|
<strong>Implement bot command and notification foundation</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Create the Telegram bot backend for commands, inline keyboards, callback queries, deep links, and outbound notifications.</p>
|
|
<p class="deps">Depends on: 5.1, 5.2</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">5.4</span>
|
|
<strong>Build Telegram Mini App shell for marketplace workflows</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Deliver the mobile-first Mini App that gives users the full Amanat workflow surface inside Telegram.</p>
|
|
<p class="deps">Depends on: 5.1, 5.2</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">5.5</span>
|
|
<strong>Add Telegram payment and wallet strategy</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Evaluate and implement safe payment entry points for Telegram-native users without weakening escrow accounting.</p>
|
|
<p class="deps">Depends on: 5.2, 5.4</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">5.6</span>
|
|
<strong>Expose escrow, delivery, dispute, and release actions safely</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Make Telegram actions useful for real escrow work while preserving backend state authority.</p>
|
|
<p class="deps">Depends on: 5.4, 5.5</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">5.7</span>
|
|
<strong>Add admin and support surface for Telegram-originated cases</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Give support/admin users visibility and controls for Telegram-originated users, payments, and bot events.</p>
|
|
<p class="deps">Depends on: 5.2, 5.3, 5.5</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">5.8</span>
|
|
<strong>Add security, compliance, and abuse controls for Telegram</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Threat-model the Telegram surface and add controls before launch.</p>
|
|
<p class="deps">Depends on: 5.2, 5.3, 5.5, 5.6</p>
|
|
</li>
|
|
<li class="subtask" data-status="pending" data-priority="high">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">5.9</span>
|
|
<strong>Prepare QA, rollout, analytics, and launch operations</strong>
|
|
<span class="badge pending">pending</span>
|
|
<span class="badge priority-high">high</span>
|
|
</div>
|
|
<p>Prepare the Telegram app and bot for controlled release.</p>
|
|
<p class="deps">Depends on: 5.3, 5.4, 5.5, 5.6, 5.7, 5.8</p>
|
|
</li>
|
|
</ul>
|
|
</article>
|
|
<article class="task" data-status="done" data-priority="medium">
|
|
<div class="task-head">
|
|
<div>
|
|
<p class="eyebrow">Task 1</p>
|
|
<h2>Stabilize Mermaid diagram rendering across documentation vault</h2>
|
|
</div>
|
|
<div class="badges"><span class="badge done">done</span><span class="badge priority-medium">medium</span></div>
|
|
</div>
|
|
<p class="desc">Correct Mermaid syntax/rendering issues across the documentation vault and validate all Mermaid blocks.</p>
|
|
<details>
|
|
<summary>Details and test strategy</summary>
|
|
<p>Source PRD: .taskmaster/docs/prd-mermaid-diagram-rendering-stabilization.md. Scope covered 57 Mermaid blocks and 11 failing blocks. The source PRD records that all targeted files now pass mmdc parse validation and the full vault sweep passes.</p>
|
|
<p><strong>Test strategy:</strong> Run the same mmdc-based syntax validation across all Markdown Mermaid blocks and confirm zero parser failures in Obsidian/markdown previews.</p>
|
|
|
|
</details>
|
|
<h3>Subtasks (3)</h3>
|
|
<ul class="subtasks">
|
|
<li class="subtask" data-status="done" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">1.1</span>
|
|
<strong>Fix Security Architecture email/password sequence</strong>
|
|
<span class="badge done">done</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Normalize parser-sensitive sequence text in 01 - Architecture/Security Architecture.md.</p>
|
|
|
|
</li>
|
|
<li class="subtask" data-status="done" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">1.2</span>
|
|
<strong>Fix authentication login and refresh diagrams</strong>
|
|
<span class="badge done">done</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Normalize parser-sensitive token and refresh-token sequence text in Authentication Flow.</p>
|
|
|
|
</li>
|
|
<li class="subtask" data-status="done" data-priority="medium">
|
|
<div class="subtask-top">
|
|
<span class="sub-id">1.3</span>
|
|
<strong>Fix chat, delivery, dispute, OAuth, purchase request, referral, registration, and seller-offer diagrams</strong>
|
|
<span class="badge done">done</span>
|
|
<span class="badge priority-medium">medium</span>
|
|
</div>
|
|
<p>Clean the remaining Mermaid sequence diagrams with invalid or ambiguous syntax.</p>
|
|
|
|
</li></ul>
|
|
</article></section>
|
|
</main>
|
|
<footer>Generated from <code>.taskmaster/tasks/tasks.json</code>. Last docs update: 2026-05-24T00:00:00.000Z</footer>
|
|
<script>
|
|
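// Rebuild the flat #tasks list as a roadmap board with one column per status.
const taskSection = document.querySelector('#tasks');
// Snapshot the cards first: the section is emptied below and the nodes are
// re-attached from this array.
const originalCards = [...taskSection.querySelectorAll('.task')];
// Array order is display order; `key` is compared with each card's data-status.
const columns = [
  { key: 'done', title: 'Shipped' },
  { key: 'in-progress', title: 'In progress' },
  { key: 'pending', title: 'Planned' }
];

// Empty the section without going through the HTML parser.
taskSection.replaceChildren();

const columnMap = new Map();
for (const column of columns) {
  const wrapper = document.createElement('div');
  wrapper.className = 'roadmap-column';
  wrapper.dataset.column = column.key;

  // The header is built from nodes and textContent, so a title is always
  // treated as text, never as markup, even if the labels stop being literals.
  // No string reaches an HTML-parsing sink, which also keeps this code usable
  // under a Trusted Types policy.
  const heading = document.createElement('div');
  heading.className = 'column-title';
  const label = document.createElement('span');
  label.textContent = column.title;
  const counter = document.createElement('span');
  heading.append(label, counter);
  wrapper.appendChild(heading);

  taskSection.appendChild(wrapper);
  columnMap.set(column.key, wrapper);
}

// Cards whose status has no column of its own fall back to the 'pending' column.
for (const card of originalCards) {
  const target = columnMap.get(card.dataset.status) || columnMap.get('pending');
  target.appendChild(card);
}

// Fill in the counts only after the cards are placed, so that cards routed to
// the fallback column are counted in the column that actually shows them.
for (const wrapper of columnMap.values()) {
  const counter = wrapper.querySelector('.column-title').lastElementChild;
  counter.textContent = String(wrapper.querySelectorAll(':scope > .task').length);
}

// Filter controls and the card list read by applyFilters().
const search = document.querySelector('#search');
const status = document.querySelector('#status');
const priority = document.querySelector('#priority');
const cards = [...document.querySelectorAll('.task')];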
|
|
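/**
 * Show only the task cards that match the search box and the status and
 * priority selectors, then hide every roadmap column left with no visible card.
 *
 * A card matches a status or priority when the card itself or any of its
 * subtasks carries that value. Reads the script-level `search`, `status`,
 * `priority` and `cards`; takes no arguments and returns nothing.
 */
function applyFilters() {
  // Collapse whitespace runs so a multi-word query still matches text that is
  // split across elements and source lines.
  const normalize = (value) => value.replace(/\s+/g, ' ').trim().toLowerCase();

  const q = normalize(search.value);
  const s = status.value;
  const p = priority.value;

  for (const card of cards) {
    // textContent, not innerText: innerText depends on rendering. For a card
    // this function has already hidden it returns the full text, while for a
    // visible card it leaves out descendants that are not rendered (the cards
    // contain <details> sections, presumably collapsed by default; confirm).
    // The same query could therefore match or miss depending on whether the
    // card is currently shown. textContent gives one stable answer and does
    // not force a layout pass per card on every keystroke.
    const text = normalize(card.textContent);
    const subtasks = [...card.querySelectorAll('.subtask')];

    const statusMatch = !s || card.dataset.status === s || subtasks.some((el) => el.dataset.status === s);
    const priorityMatch = !p || card.dataset.priority === p || subtasks.some((el) => el.dataset.priority === p);
    const searchMatch = !q || text.includes(q);

    card.style.display = statusMatch && priorityMatch && searchMatch ? '' : 'none';
  }

  // A column with no visible card is hidden together with its header.
  for (const column of document.querySelectorAll('.roadmap-column')) {
    const hasVisibleCard = [...column.querySelectorAll('.task')].some((card) => card.style.display !== 'none');
    column.style.display = hasVisibleCard ? '' : 'none';
  }
}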
|
|
// Re-run the filter whenever one of the three controls changes: the search box
// fires on every keystroke, the two selectors when a new option is chosen.
const filterBindings = [
  [search, 'input'],
  [status, 'change'],
  [priority, 'change']
];
for (const [control, eventName] of filterBindings) {
  control.addEventListener(eventName, applyFilters);
}
|
|
</script>
|
|
</body>
|
|
</html>
|