# CannaManage — Sprint 5 Planning Backlog

**Date:** 2026-06-12
**Author:** Patrick Plate / Lumen (Planner)
**Status:** Backlog (not yet planned)
**Prerequisite:** Sprint 4 completion (Frontend MVP)

---

## Purpose

This document captures features and improvements deferred from Sprint 4 during the persona review process. These items are the "known gaps" that prevent all 6 review personas from scoring ≥90%. They represent the natural next iteration after the frontend MVP is delivered.

---

## Deferred Items (from Sprint 4 Persona Review)

### High Priority (multiple personas impacted)

| # | Feature | Source Personas | Expected Impact |
|---|---------|----------------|-----------------|
| 1 | **Staff Management UI** — invite flow, permission editor, activity log | 🏢 Owner, 🛡️ Compliance | Owner +10%, Compliance +3% |
| 2 | **Notification System** — email alerts for recalls, quota resets, new batches; WebSocket for real-time updates | 👤 Member, 🏢 Owner, 🎨 UX | Member +8%, Owner +5% |
| 3 | **Inspector Read-Only Mode** — time-limited token for Behörde officials to browse audit logs without admin assistance | 🛡️ Compliance, 🏢 Owner | Compliance +8% |
| 4 | **Club Settings UI** — email whitelist, prevention officer limit, club profile editing | 🏢 Owner | Owner +5% |

### Medium Priority (UX polish + compliance hardening)

| # | Feature | Source Personas | Expected Impact |
|---|---------|----------------|-----------------|
| 5 | **PWA Manifest + Service Worker** — home-screen installable, offline quota cache | 👤 Member, 🎨 UX | Member +5%, UX +3% |
| 6 | **Micro-interactions & Page Transitions** — Framer Motion fade-in, form animations | 🎨 UX | UX +5% |
| 7 | **Distribution Form Progress Stepper** — visual 3-step indicator (Select Member → Batch → Confirm) | 🎨 UX | UX +3% |
| 8 | **Monthly Report Auto-Sealing** — auto-generate + SHA-256 hash at month-end, store sealed PDF | 🛡️ Compliance | Compliance +5% |
| 9 | **Cryptographic Hash Chain** — SHA-256 linking distribution records for tamper-evidence | 🛡️ Compliance, 🔒 Security | Compliance +5% |

### Lower Priority (nice-to-have)

| # | Feature | Source Personas | Expected Impact |
|---|---------|----------------|-----------------|
| 10 | **Portal Visual Differentiation** — subtle accent color shift or branding to distinguish member portal from admin | 🎨 UX | UX +2% |
| 11 | **Nonce-Based CSP** — eliminate `unsafe-inline`/`unsafe-eval` with Next.js middleware nonces | 🔒 Security | Security +3% |
| 12 | **Date-Range Reports** — custom period report (Q1, ad-hoc date range) beyond month picker | 🏢 Owner | Owner +3% |
| 13 | **2FA (TOTP)** — optional two-factor authentication for members and staff | 👤 Member, 🔒 Security | Security +3%, Member +3% |
| 14 | **SWR/React Query** — client-side data cache for real-time updates without full page refresh | 💻 Developer | Developer +2% |

---

## Estimated Sprint 5 Scope

Based on priority and effort, a reasonable Sprint 5 scope would be:

**Sprint 5.a — Staff & Settings (~5 days)**

- Staff management UI (list, invite, permission editor, activity log)
- Club settings page (email whitelist, prevention officer limit)
- Date-range report picker

**Sprint 5.b — Notifications & PWA (~5 days)**

- Email notification system (recall alerts, quota reset reminders)
- WebSocket real-time quota updates
- PWA manifest + service worker (offline quota cache)
- Distribution form progress stepper
- Page transitions (Framer Motion)

---

## Technical Prerequisites

| Feature | Backend Changes Needed |
|---------|----------------------|
| Notifications | Email templates, event bus (Spring ApplicationEvents), WebSocket endpoint |
| Inspector mode | New auth scope, time-limited read-only token endpoint |
| Report sealing | Scheduled job (month-end), SHA-256 hash storage, sealed PDF S3/filesystem |
| Hash chain | Migration: add `prev_hash` column to distributions table |
| 2FA | TOTP library (e.g., `dev.samstevens.totp`), QR code endpoint, recovery codes |

---

## Open Questions (for Sprint 5 planning)

- [ ] Should notifications use email only, or also in-app (bell icon) + push (web push API)?
- [ ] Inspector mode: do we build a full separate UI, or just a token that grants read-only API access (inspector uses existing admin UI)?
- [ ] PWA: offline-first for quota only, or cache entire portal for offline viewing?
- [ ] 2FA: mandatory for staff, optional for members? Or optional for everyone?
- [ ] Report sealing: store sealed PDFs in S3 or local filesystem?

---

## References

- Sprint 4 Plan: `docs/sprint-4/cannamanage-sprint4-plan.md` (v3)
- Sprint 4 Persona Review: `docs/sprint-4/cannamanage-sprint4-plan-persona-review.md` (Iteration 2)
- Sprint 3 Plan: `docs/sprint-3/cannamanage-sprint3-plan.md`