docs: add strategic differentiation plan

Patrick Plate
2026-06-12 09:25:50 +02:00
parent 59b7486cec
commit a267a90542
# CannaManage — Strategic Differentiation Plan
**Date:** 2026-06-12
**Author:** Patrick Plate / Lumen
**Status:** Living Document
---
## 1. Market Position
### 1.1 Competitive Landscape Summary
| Competitor | Clubs | Pricing | Key Strength | Key Weakness | Threat Level |
|-----------|-------|---------|-------------|-------------|-------------|
| **420cloud** | 389+ | Undisclosed (free member app + B2B) | Network effects via free member app, marketplace model | Core features still "Coming Soon" (reports, inventory, IoT) | 🔴 High — first-mover with club count |
| **Hanf-App** | Unknown | ~30€/month | Feature-complete: §26 reports, tax logic (Steuerlogik), SEPA, 2FA | Closed system, no public API, no self-hosting | 🟡 Medium: feature leader but locked ecosystem |
| **Cannanas** | Unknown | ~25€/month | Intuitive UX, lower price point | No 2FA, no data export, partial feature set | 🟢 Low — incomplete and weak on security |
| **Cannavigia** | Enterprise | Enterprise pricing | GACP/EU-GMP compliance, international (CH/DE/TH) | Overkill for CSCs, targets commercial cultivators | ⚪ None — different market segment |
**Market dynamics:**
- 420cloud is winning on **distribution** (389+ clubs on their map) but not on **features** (many are "Coming Soon")
- Hanf-App is winning on **features** but losing on **openness** (walled garden)
- The comparison site csc-verwaltung.de exists — getting listed there is table stakes for credibility
- Spain (oldest CSC market since 2001) has NO specialized software — pure paper/Excel. Future expansion market.
### 1.2 Where We Stand Today
**What we have (Sprint 1-3 delivered):**
- ✅ Multi-tenant architecture (tenant_id isolation) — production-grade from day one
- ✅ JWT auth with token rotation, revocation, jti blacklist — more secure than Cannanas
- ✅ RBAC with 8 granular StaffPermissions — more fine-grained than any competitor
- ✅ Staff invite flow with email + set-password
- ✅ CanG quota enforcement (25 g/day and 50 g/month per member; 30 g/month for members under 21)
- ✅ Stock/batch tracking with full movement history
- ✅ Distribution recording with compliance pre-check
- ✅ Club settings (prevention officers, email domain whitelist)
- ✅ OpenAPI/Swagger documented REST API — no competitor exposes this
- ✅ 42+ unit tests with solid coverage
**What we're missing (honest gaps):**
- ❌ No §26 evaluation/report generation (Hanf-App has this)
- ❌ No SEPA integration (Hanf-App has this)
- ❌ No 2FA/TOTP (Hanf-App has this)
- ❌ No frontend (API-only — competitors all have web + mobile)
- ❌ No Transportbescheinigung
- ❌ No member-facing portal or app
- ❌ No self-hosted deployment option yet (Docker Compose planned)
- ❌ No public club map or marketplace
**Assessment:** We have a stronger technical foundation than all competitors (architecture, security, API design) but are behind on user-facing features and market presence. The gap is closable in 2-3 sprints.
---
## 2. Core Differentiators (Moats)
### 2.1 API-First Architecture (vs. walled gardens)
**Why this matters:** Every CSC will eventually need integrations: accounting software (DATEV, lexoffice), SEPA providers (GoCardless, Stripe SEPA), regulator APIs for reporting, label printers, scales.
**Competitive reality:**
- 420cloud: No public API. Clubs are locked into their ecosystem.
- Hanf-App: No public API. "Integrations" means they built it or it doesn't exist.
- CannaManage: Full OpenAPI 3.0 spec, documented endpoints, JWT bearer auth.
**Strategic value:**
1. Third-party developers can build integrations (Buchhaltung connectors, POS systems)
2. White-label partners can reskin the frontend with their own brand
3. Dachverbände can build dashboards on top of our API
4. Developer ecosystem creates switching costs — once integrations exist, clubs can't leave
**Moat depth:** Medium-high. APIs are easy to build but hard to build an ecosystem around. First-mover advantage matters here.
### 2.2 Self-Hostable + SaaS Dual-Mode (vs. cloud-only)
**Why this matters:** German CSCs handle member PII + consumption data. Many clubs are run by privacy activists who don't trust cloud providers with member cannabis consumption records.
**What we offer:**
- **Self-hosted:** Docker Compose for clubs that want data on their own hardware
- **Managed SaaS:** Hosted instance for clubs that want zero ops overhead
- **Same codebase:** No feature gap between modes
**Competitive reality:**
- 420cloud: Cloud-only. Your member data lives on their servers in Berlin.
- Hanf-App: Cloud-only. No self-hosting option.
- Cannanas: Cloud-only.
- **Nobody in the DE CSC market offers self-hosting.**
**Strategic value:**
1. Captures the privacy-conscious segment that will NEVER use cloud-only
2. The data sovereignty argument resonates strongly in the German market (GDPR/DSGVO awareness is high)
3. Self-hosted clubs become evangelists in the community ("we control our own data")
4. Reduces our infrastructure costs for price-sensitive clubs
**Moat depth:** High. Competitors would need to re-architect for self-hosting. Their cloud-native assumptions (shared infra, centralized auth) make this very hard to bolt on.
### 2.3 Multi-Club Federation (vs. single-tenant silos)
**Why this matters:** Germany has 10+ Dachverbände (umbrella organizations) representing dozens of clubs each. A single contract with a Dachverband = 50+ clubs onboarded simultaneously.
**What we offer:**
- Shared admin dashboard for Dachverband management
- Per-club data isolation (our tenant_id architecture already supports this)
- Consolidated billing, reporting, compliance overview across all clubs
- Role hierarchy: Dachverband Admin → Club Admin → Staff → Member
**Competitive reality:**
- 420cloud: Single-club focus. No federation concept. Each club is independent.
- Hanf-App: Single-club accounts. No umbrella org support.
- This is a **completely unserved market segment.**
**Strategic value:**
1. Enterprise sales motion: one deal = 50 clubs (vs. selling one-by-one)
2. Dachverband lock-in: once the umbrella org standardizes on us, individual clubs can't easily leave
3. Consolidated compliance reporting makes the Dachverband look good to regulators
4. Higher ARPU per deal, lower CAC
**Moat depth:** Very high. Multi-tenant federation is architecturally complex. Our `tenant_id` design was built for this from Sprint 1.
### 2.4 Immutable Audit Trail + PDF Compliance Reports
**Why this matters:** The CanG §26 documentation and reporting duties mean a club's records must be ready for an authority inspection at any time. Clubs need tamper-evident records proving they followed the law.
**What we offer:**
- Append-only event log for all compliance-relevant actions (distributions, stock changes, member status)
- Cryptographic hash chain (each event's hash covers the previous event's hash): editing, deleting or reordering any past event breaks every later link. This is tamper-evident only if the current head hash is anchored outside the database (a periodically signed checkpoint, WORM storage, or a published digest); otherwise an attacker with DB write access can rewrite the table and rehash the whole chain consistently.
- One-click PDF export for authority inspections
- Pre-formatted §26 reports matching regulatory expectations
**Competitive reality:**
- 420cloud: Reports & Analysen listed as "Coming Soon" — not shipped yet
- Hanf-App: Has §26 reports (their strongest feature) but no cryptographic audit trail
- **We can be FIRST with cryptographic tamper-evidence** — this is a leapfrog opportunity
**Strategic value:**
1. Legal safety argument: "Our records are tamper-evident and anyone can re-verify the chain" vs. "trust our database". The claim has a precise limit: the chain proves integrity back to the last anchored head hash, not that an event was truthful when it was recorded.
2. Authority inspections become trivial: click → PDF → hand over
3. Insurance companies may require tamper-evident records in the future
4. Creates a "compliance moat" — switching away means losing your audit history
**Moat depth:** Medium. The PDF reports are easy to copy. The cryptographic hash chain is harder. The brand perception ("the compliance-first platform") is the real moat.
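The append-only, hash-chained log described above, written out as an added example in the project's Java 17 stack. This is not CannaManage's ComplianceService; the class, record and field names are assumptions, and the events are constructed sample data. The point it makes concrete is the anchoring caveat: a single edited row fails verification, but an attacker who can rewrite the whole table can rehash it so that it verifies locally, and only comparison against a head hash kept outside the database exposes that.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;

/**
 * Hypothetical hash-chained audit log (illustrative names, not CannaManage's ComplianceService).
 * Each stored row carries the hash of its predecessor: hash_n = SHA-256(prev_hash || canonical(event_n)).
 */
public final class HashChainedAuditLog {

    private static final String GENESIS = "0".repeat(64); // 32 zero bytes as hex; the chain's fixed starting point

    /** One compliance-relevant event; field order is fixed so canonicalisation is unambiguous. */
    public record AuditEvent(long seq, String tenantId, String type, String subject, String payload, long occurredAt) {
        /** Canonical bytes: length-prefixed fields, so "ab" + "c" and "a" + "bc" can never produce the same input. */
        byte[] canonical() {
            StringBuilder sb = new StringBuilder();
            for (String f : new String[]{Long.toString(seq), tenantId, type, subject, payload, Long.toString(occurredAt)}) {
                sb.append(f.length()).append(':').append(f).append('\n');
            }
            return sb.toString().getBytes(StandardCharsets.UTF_8);
        }
    }

    /** Stored row: the event plus the link that binds it to its predecessor. */
    public record ChainedRow(AuditEvent event, String prevHash, String hash) {}

    private final List<ChainedRow> rows = new ArrayList<>();

    public String headHash() {
        return rows.isEmpty() ? GENESIS : rows.get(rows.size() - 1).hash();
    }

    /** Append-only: the new hash covers the current head, so insert is the only write the chain tolerates. */
    public ChainedRow append(AuditEvent event) {
        String prev = headHash();
        ChainedRow row = new ChainedRow(event, prev, link(prev, event));
        rows.add(row);
        return row;
    }

    public List<ChainedRow> rows() { return List.copyOf(rows); }

    static String link(String prevHash, AuditEvent event) {
        MessageDigest md = sha256();
        md.update(HexFormat.of().parseHex(prevHash));
        md.update(event.canonical());
        return HexFormat.of().formatHex(md.digest());
    }

    /**
     * Recomputes every link from genesis. Returns -1 if the chain is intact, otherwise the index of the
     * first row whose stored prevHash or hash does not match; edits, deletions and reorderings all land here.
     */
    public static int firstBrokenLink(List<ChainedRow> stored) {
        String expectedPrev = GENESIS;
        for (int i = 0; i < stored.size(); i++) {
            ChainedRow r = stored.get(i);
            if (!r.prevHash().equals(expectedPrev) || !r.hash().equals(link(r.prevHash(), r.event()))) {
                return i;
            }
            expectedPrev = r.hash();
        }
        return -1;
    }

    private static MessageDigest sha256() {
        try { return MessageDigest.getInstance("SHA-256"); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        HashChainedAuditLog log = new HashChainedAuditLog();
        // Constructed sample events for one tenant.
        log.append(new AuditEvent(1, "club-42", "DISTRIBUTION", "member:17", "amount_g=5;batch=B-7", 1_780_000_000L));
        log.append(new AuditEvent(2, "club-42", "STOCK_OUT", "batch:B-7", "amount_g=-5", 1_780_000_001L));
        log.append(new AuditEvent(3, "club-42", "MEMBER_STATUS", "member:17", "status=ACTIVE", 1_780_000_002L));
        String anchoredHead = log.headHash(); // this value is what gets signed/published outside the database

        List<ChainedRow> clean = log.rows();
        System.out.println("intact chain, first broken link: " + firstBrokenLink(clean));

        // Tamper 1: someone with DB access lowers the dispensed amount on row 0 but leaves the hashes alone.
        ChainedRow r0 = clean.get(0);
        AuditEvent forged = new AuditEvent(1, "club-42", "DISTRIBUTION", "member:17", "amount_g=3;batch=B-7", 1_780_000_000L);
        List<ChainedRow> tampered = new ArrayList<>(clean);
        tampered.set(0, new ChainedRow(forged, r0.prevHash(), r0.hash()));
        System.out.println("edited row, first broken link: " + firstBrokenLink(tampered));

        // Tamper 2: the attacker rebuilds and rehashes the whole chain. It verifies locally; only the anchor catches it.
        HashChainedAuditLog rebuilt = new HashChainedAuditLog();
        rebuilt.append(forged);
        for (int i = 1; i < clean.size(); i++) rebuilt.append(clean.get(i).event());
        System.out.println("rebuilt chain verifies locally: " + (firstBrokenLink(rebuilt.rows()) == -1)
                + ", matches anchored head: " + rebuilt.headHash().equals(anchoredHead));
    }
}
```

Two design choices worth keeping when this is built for real: canonicalise with length prefixes (or a fixed JSON canonical form) rather than concatenating fields with a separator, and include `tenant_id` in the hashed material so a row cannot be silently moved between clubs in a federated deployment.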
### 2.5 Fine-Grained RBAC (vs. simple Admin/Member split)
**What we have:** 8 granular permissions, configurable per staff member:
- `MANAGE_MEMBERS`, `VIEW_MEMBERS`, `MANAGE_STOCK`, `DISTRIBUTE`
- `VIEW_REPORTS`, `MANAGE_SETTINGS`, `MANAGE_STAFF`, `FULL_ACCESS`
**Why this matters:** Real CSCs have 5-10 staff with different roles: Ausgabe (distribution), Lager (stock), Vorstand (board), Kassierer (treasurer). You don't want the person doing Ausgabe to have access to financial reports. Two checks the model needs in order to hold up: `FULL_ACCESS` is an admin grant and should be audited rather than handed out for convenience, and a holder of `MANAGE_STAFF` must not be able to grant (via the invite flow) permissions they do not hold themselves, otherwise the model ships with a built-in escalation path.
**Competitive reality:**
- 420cloud: Basic role system (details unclear)
- Hanf-App: Admin/Staff/Member — no granular permissions documented
- Cannanas: Simple Admin/Member split
- **We have the most fine-grained permission model in the market**
**Moat depth:** Low-medium. This is copyable, but it's table stakes for enterprise/federation sales.
---
## 3. Feature Gap Analysis (Critical)
### 3.1 Must-Close Gaps (to match Hanf-App)
These are non-negotiable for market credibility. Without them, clubs will choose Hanf-App.
| Gap | Competitor Benchmark | Priority | Sprint Target |
|-----|---------------------|----------|---------------|
| §26 evaluation + stock (Bestand) reports | Hanf-App ships these | P0 | Sprint 4 |
| SEPA integration (membership fee payments) | Hanf-App has full tax logic (Steuerlogik) | P0 | Sprint 5 |
| Transportbescheinigung PDF | Hanf-App generates these | P1 | Sprint 5 |
| 2FA (TOTP) | Hanf-App has 2FA, Cannanas doesn't | P1 | Sprint 5 |
| Frontend (any web UI at all) | All competitors have web + mobile | P0 | Sprint 4-7 |
| Member self-service portal | 420cloud has free member app | P1 | Sprint 4 |
### 3.2 Leapfrog Opportunities (where we can be FIRST)
These features don't exist in ANY competitor. Shipping them creates differentiation.
| Opportunity | Why No One Has It | Our Advantage | Effort |
|------------|-------------------|---------------|--------|
| Public REST API + OpenAPI spec | Competitors are closed platforms | Already built — just document + publish | Low |
| Self-hosted Docker deployment | Cloud-only business models | Our architecture supports it | Medium |
| Multi-club federation dashboard | Single-tenant architectures | tenant_id design ready | Medium-High |
| Immutable audit log (hash chain) | No regulatory pressure yet | ComplianceService foundation exists | Medium |
| QR code member ID (offline JWT) | Physical cards are the norm | JwtService already generates tokens | Low |
| Migration tool (import from Hanf-App/Cannanas) | They don't want you to leave | We want you to come | Medium |
| Offline-capable PWA | Everyone assumes internet | Service Worker + IndexedDB | Medium |
---
## 4. Go-to-Market Strategy
### 4.1 Target Segments (prioritized)
1. **Privacy-conscious clubs** — Data sovereignty is their #1 requirement. Self-hosting argument wins immediately. These clubs are vocal in forums and will evangelize. *Estimated segment: 15-20% of clubs.*
2. **Tech-savvy clubs wanting API integrations** — They're building their own tools, frustrated by closed ecosystems. Our API-first approach is exactly what they want. *Estimated segment: 10% of clubs.*
3. **Dachverbände / umbrella organizations** — Enterprise deals. One contract = 30-80 clubs. Federation feature is our unique selling point. *Estimated orgs: 10-15 nationwide, each with 20-80 member clubs.*
4. **Clubs frustrated with 420cloud's "Coming Soon" promises** — They signed up, features aren't shipping, they're looking for alternatives. *Growing segment as 420cloud fails to deliver.*
5. **New clubs not yet committed** — Greenfield. No migration friction. Capture before 420cloud's network effects lock them in. *~100 new clubs forming per quarter in 2026.*
### 4.2 Pricing Strategy
**Market context:**
- Hanf-App: ~30€/month (feature-complete)
- Cannanas: ~25€/month (partial features)
- 420cloud: Free member app + undisclosed B2B (likely 20-40€/month)
**Recommended positioning:**
| Tier | Price | Includes | Target |
|------|-------|----------|--------|
| **Community** | Free | API access, 1 staff user, 50 members max | Developer preview, tiny clubs |
| **Standard** | 19€/month | Full features, 5 staff, 500 members, cloud-hosted | Single clubs, price-sensitive |
| **Professional** | 39€/month | Unlimited staff/members, priority support, SEPA, advanced reports | Established clubs |
| **Federation** | 29€/club/month (min 10) | Multi-club dashboard, consolidated billing, dedicated support | Dachverbände |
| **Self-Hosted** | 99€/year (license) | Docker Compose, self-managed, community support | Privacy-focused clubs |
**Rationale:**
- Undercut Hanf-App on Standard tier (19€ vs 30€) — win on price + openness
- Federation tier creates volume deals (10 clubs × 29€ = 290€/month per Dachverband)
- Self-hosted is cheap enough to attract privacy clubs but still generates revenue
- Free tier creates developer ecosystem and word-of-mouth
### 4.3 Channel Strategy
| Channel | Action | Priority | Timeline |
|---------|--------|----------|----------|
| **csc-verwaltung.de** | Get listed on the comparison site | P0 | Once MVP frontend ships |
| **CSC Telegram groups** | Active presence, answer compliance questions, soft-sell | P1 | Immediately |
| **Dachverbände direct outreach** | Cold outreach with federation pitch deck | P1 | Sprint 6 (after federation ships) |
| **GitHub / Dev community** | Open-source API client libraries, public docs | P2 | Sprint 4 |
| **CSC founding workshops** | Partner with lawyers/consultants who help clubs form | P2 | Q3 2026 |
| **Content marketing** | CanG compliance guides, §26 checklists (SEO play) | P2 | Ongoing |
---
## 5. Sprint 4+ Roadmap (Competition-Informed)
### 5.1 Sprint 4: Compliance Reports + Member Portal (IMMEDIATE)
**Strategic goal:** Ship §26 reports before 420cloud does. They list this as "Coming Soon" — we race them.
- Complete Sprint 3 remaining phases (4-7): report engine, PDF generation, member portal endpoints
- §26-compatible PDF reports (Bestandsmeldung / stock report, Abgabenachweis / dispensing record, Mitgliederverzeichnis / member register)
- Member self-service portal (view quota, distribution history, membership status)
- PWA manifest + service worker (mobile-ready without app stores)
- Public API documentation site (Redoc/Swagger UI hosted)
**Milestone:** A club admin can generate inspection-ready PDFs in one click.
### 5.2 Sprint 5: SEPA + Transportbescheinigung + 2FA
**Strategic goal:** Close the critical feature gaps vs. Hanf-App. After this sprint, we have feature parity on compliance.
- SEPA direct debit integration (GoCardless or Stripe SEPA as provider)
- Membership fee management (Beitragsverwaltung), including the genuine vs. non-genuine fee distinction (echte/unechte Beiträge) that drives the tax logic
- Transportbescheinigung PDF generation (CanG §22 transport certificates)
- TOTP-based 2FA (RFC 6238, compatible with any standard authenticator app)
- Immutable audit log with SHA-256 hash chain (compliance moat)
**Milestone:** Feature parity with Hanf-App on compliance. Surpass them on security (audit trail + 2FA).
### 5.3 Sprint 6: Federation + Self-Hosting
**Strategic goal:** Unlock enterprise sales (Dachverbände) and the privacy segment. No competitor can follow here quickly.
- Multi-club federation dashboard (shared admin view, per-club drill-down)
- Docker Compose deployment (self-hosted mode)
- Helm chart for Kubernetes (larger orgs / hosting providers)
- Club onboarding wizard (guided setup for new clubs)
- Data migration tool (CSV import from Hanf-App/Cannanas export formats)
- Backup/restore workflow for self-hosted instances
**Milestone:** First Dachverband deal signed. First self-hosted club running independently.
### 5.4 Sprint 7: Frontend + PWA
**Strategic goal:** World-class UX that matches or exceeds Flowhub's speed. Tablet-optimized for the dispensing counter (Ausgabetisch).
- **Template:** shadcn-admin (React 19 + Vite + TanStack Router + shadcn/ui)
- Quick-Dispensing Card (inspired by Flowhub's "Maui POS" — 20-second checkout)
- Compliance dashboard with real-time quota visualization
- Member search with instant results + quick-info popover
- Batch trace timeline (Metrc-inspired seed-to-sale visualization)
- QR code member ID with offline JWT verification (scan → verify → dispense). Offline means the tablet cannot consult the jti blacklist, so these tokens need a short expiry, and the tablet should hold only a public verification key, never a shared signing secret.
- Tablet-optimized layouts for the dispensing counter (Ausgabetisch) workflow
- Dark mode with green accent theme
**Milestone:** A distribution takes under 30 seconds from member scan to confirmation.
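How the scan → verify → dispense step can work without network access, as an added example for the QR member ID item here and in 3.2. This is not the project's JwtService; the class name, claim layout and sample values are assumptions, and it uses only the JDK (Ed25519 is available since Java 15). The server mints a short-lived EdDSA-signed JWT for the member's QR code; the tablet verifies it with nothing but the club's public key, pins the algorithm, and enforces expiry and tenant. It also makes the offline limitation explicit: expiry is the only revocation the tablet can enforce, so the jti blacklist does not help at the counter and the TTL has to be short.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical QR member-ID token: a compact JWS (alg "EdDSA", Ed25519) minted by the server and
 * verified on the Ausgabe tablet with the club's public key only. Illustrative, not CannaManage's JwtService.
 */
public final class OfflineMemberToken {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final String HEADER =
            B64.encodeToString("{\"alg\":\"EdDSA\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.US_ASCII));

    /** Server side. Keep exp short: an offline verifier cannot consult the jti blacklist, so exp is its only revocation. */
    public static String mint(KeyPair signingKey, String memberId, String tenantId, long expEpochSeconds, String jti)
            throws GeneralSecurityException {
        String payload = String.format("{\"sub\":\"%s\",\"tid\":\"%s\",\"exp\":%d,\"jti\":\"%s\"}",
                memberId, tenantId, expEpochSeconds, jti);
        String signingInput = HEADER + "." + B64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("Ed25519");
        sig.initSign(signingKey.getPrivate());
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    /** Tablet side: pin the header, verify the signature, check exp and tenant. Returns the member id if all hold. */
    public static Optional<String> verify(String token, PublicKey clubKey, String expectedTenant, long nowEpochSeconds) {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 3) return Optional.empty();
            // Never let the token choose its own algorithm ("none", or an HMAC alg keyed with the public key).
            if (!parts[0].equals(HEADER)) return Optional.empty();
            Signature sig = Signature.getInstance("Ed25519");
            sig.initVerify(clubKey);
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!sig.verify(B64D.decode(parts[2]))) return Optional.empty();

            String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
            long exp = Long.parseLong(claim(payload, "exp", "(\\d+)"));
            if (nowEpochSeconds >= exp) return Optional.empty();                      // expired
            if (!expectedTenant.equals(claim(payload, "tid", "\"([^\"]*)\""))) return Optional.empty(); // other club
            return Optional.of(claim(payload, "sub", "\"([^\"]*)\""));
        } catch (GeneralSecurityException | RuntimeException e) {
            return Optional.empty(); // malformed or forged input is a failed scan, not a crash at the counter
        }
    }

    /** Minimal claim extraction for the fixed payload shape minted above; a real service would use a JSON parser. */
    private static String claim(String json, String name, String valuePattern) {
        Matcher m = Pattern.compile("\"" + name + "\":" + valuePattern).matcher(json);
        if (!m.find()) throw new IllegalArgumentException("missing claim " + name);
        return m.group(1);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair clubKey = KeyPairGenerator.getInstance("Ed25519").generateKeyPair(); // private half stays on the server
        long now = 1_780_000_000L;
        // Constructed sample: 24h TTL bounds the window in which a revoked member's QR still scans as valid.
        String qr = mint(clubKey, "member-17", "club-42", now + 86_400, "qr-0001");

        System.out.println("valid scan:       " + verify(qr, clubKey.getPublic(), "club-42", now + 3_600));
        System.out.println("expired scan:     " + verify(qr, clubKey.getPublic(), "club-42", now + 90_000));
        System.out.println("other club's pad: " + verify(qr, clubKey.getPublic(), "club-7", now + 3_600));

        // Forgery attempt: swap the member id in the payload but keep the original signature.
        String[] p = qr.split("\\.");
        String swapped = new String(B64D.decode(p[1]), StandardCharsets.UTF_8).replace("member-17", "member-99");
        String forged = p[0] + "." + B64.encodeToString(swapped.getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        System.out.println("forged payload:   " + verify(forged, clubKey.getPublic(), "club-42", now + 3_600));
    }
}
```

The asymmetric choice is what makes the offline mode safe to deploy: a stolen tablet yields a public key and nothing else, whereas with HS256 every dispensing device would hold the key that mints member identities. The residual risk is the revocation gap, which is exactly the token lifetime, so it belongs in the compliance documentation as a stated limit rather than being left implicit.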
---
## 6. Competitive Intelligence Actions
- [ ] Monitor 420cloud "Coming Soon" features: when do Berichte & Analysen (reports & analytics) actually ship?
- [ ] Get Hanf-App demo access — document actual UX flow, confirm pricing, identify pain points
- [ ] Find 420cloud B2B pricing via LinkedIn outreach / Trustpilot reviews / direct inquiry
- [ ] Join 3-5 German CSC Telegram groups — listen for admin pain points and feature requests
- [ ] CanG §6/§7/§26 deep legal analysis — what EXACTLY must be reported and in what format?
- [ ] Track csc-verwaltung.de monthly for new entrants and feature comparison updates
- [ ] Monitor 420cloud's club map growth rate (389 clubs as of June 2026 — check monthly)
- [ ] Research Dachverbände: identify top 5, get contact info, understand their tech needs
- [ ] Check if any competitor ships a public API within 6 months (would erode our differentiator)
- [ ] Analyze Hanf-App's tax logic (Steuerlogik) implementation: can we replicate it from the CanG legal text alone?
---
## 7. Design Direction
### 7.1 Color Scheme
| Role | Color | Hex | Usage |
|------|-------|-----|-------|
| Primary | Dark Green | `#1a5632` | Headers, nav, primary buttons |
| Secondary | Warm Slate | `#475569` | Body text, secondary elements |
| Accent | Light Green | `#4ade80` | CTAs, success states, active indicators |
| Background | White/Light Gray | `#f8fafc` | Page backgrounds |
| Surface | White | `#ffffff` | Cards, panels |
| Error | Red | `#ef4444` | Quota warnings, compliance violations |
| Dark BG | Deep Slate | `#0f172a` | Dark mode background |
| Dark Accent | Emerald | `#10b981` | Dark mode green accents |
**Rationale:** Professional, trustworthy, not "stoner aesthetic." Think fintech-meets-compliance. The dark green signals cannabis without being cartoonish. The slate keeps it serious.
### 7.2 UI Patterns (inspired by competitor research)
| Pattern | Source | Our Implementation |
|---------|--------|-------------------|
| Quick-Dispensing Card | Flowhub "Maui POS" | Scan member → see quota → select strain → confirm. Under 30 seconds. |
| Compliance Dashboard | BioTrack | Real-time quota bars, upcoming report deadlines, compliance health score |
| Member Quick-Search | Flowhub | Instant typeahead with photo + quota preview in results |
| Batch Trace Timeline | Metrc/BioTrack | Visual timeline from procurement → storage → distribution → consumed |
| Report Export Buttons | Hanf-App | Prominent "Export PDF" on every report view. One click, done. |
| Mobile Card Layout | Cannanas/Hanf-App | Stack cards vertically on mobile, swipe actions for common tasks |
| Status Indicators | All | Traffic-light system: green (compliant), yellow (warning), red (violation) |
### 7.3 Template Choice
**Selected:** [shadcn-admin](https://github.com/satnaing/shadcn-admin) (MIT license, 11k+ stars)
**Why this template:**
- SPA architecture matches our REST API backend (no SSR overhead needed)
- TanStack Router for type-safe routing
- shadcn/ui components are accessible, customizable, and production-ready
- Built-in dark mode, responsive layout, sidebar navigation
- React 19 + Vite = fast builds, modern DX
- MIT license = no restrictions for commercial use
**What we'll customize:**
- Color scheme → our green/slate palette
- Navigation → Club admin sections (Members, Stock, Distributions, Reports, Settings)
- Dashboard → Compliance overview with quota visualizations
- Tables → TanStack Table with server-side pagination (our API already supports pagination)
- Forms → React Hook Form + Zod validation (matching our backend validation rules)
---
## 8. Key Decisions Log
| Decision | Rationale | Date |
|----------|-----------|------|
| API-first, frontend-second | Technical moat > pretty UI. API is the platform. | Sprint 1 |
| Multi-tenant from day one | Federation requires tenant isolation. Retrofitting is impossible. | Sprint 1 |
| PostgreSQL over H2 | Production-grade from start. No database migration later. | Sprint 1 |
| Spring Boot 4 + Java 17 | LTS, enterprise-proven, strong ecosystem for compliance software | Sprint 1 |
| 8 granular permissions | Enterprise readiness. Simple roles don't scale to 10-person staff teams. | Sprint 3 |
| JWT with rotation + revocation | Stateless bearer auth fits an API-first product; rotation plus the jti blacklist adds the server-side revocation that plain JWTs lack. Competitors' auth models are not publicly documented. | Sprint 3 |
| shadcn-admin for frontend | SPA fits REST API. Modern stack. MIT. High star count = maintained. | Sprint 4 (planned) |
| Docker Compose self-hosting | Privacy segment is underserved. Low effort given our architecture. | Sprint 6 (planned) |