pplate/cannamanage
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a267a905427cb94e29233bd32a38d8c0201a0e91
cannamanage/docs/cannamanage-strategic-differentiation.md
T
Patrick Plate a267a90542 docs: add strategic differentiation plan
2026-06-12 09:25:50 +02:00

374 lines
20 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# CannaManage — Strategic Differentiation Plan
**Date:** 2026-06-12
**Author:** Patrick Plate / Lumen
**Status:** Living Document
---
## 1. Market Position
### 1.1 Competitive Landscape Summary
| Competitor | Clubs | Pricing | Key Strength | Key Weakness | Threat Level |
|-----------|-------|---------|-------------|-------------|-------------|
| **420cloud** | 389+ | Undisclosed (free member app + B2B) | Network effects via free member app, marketplace model | Core features still "Coming Soon" (reports, inventory, IoT) | 🔴 High — first-mover with club count |
| **Hanf-App** | Unknown | ~30€/month | Feature-complete: §26 reports, Steuerlogik, SEPA, 2FA | Closed system, no public API, no self-hosting | 🟡 Medium — feature leader but locked ecosystem |
| **Cannanas** | Unknown | ~25€/month | Intuitive UX, lower price point | No 2FA, no data export, partial feature set | 🟢 Low — incomplete and weak on security |
| **Cannavigia** | Enterprise | Enterprise pricing | GACP/EU-GMP compliance, international (CH/DE/TH) | Overkill for CSCs, targets commercial cultivators | ⚪ None — different market segment |
**Market dynamics:**
- 420cloud is winning on **distribution** (389+ clubs on their map) but not on **features** (many are "Coming Soon")
- Hanf-App is winning on **features** but losing on **openness** (walled garden)
- The comparison site csc-verwaltung.de exists — getting listed there is table stakes for credibility
- Spain (oldest CSC market since 2001) has NO specialized software — pure paper/Excel. Future expansion market.
### 1.2 Where We Stand Today
**What we have (Sprint 1-3 delivered):**
- ✅ Multi-tenant architecture (tenant_id isolation) — production-grade from day one
- ✅ JWT auth with token rotation, revocation, jti blacklist — more secure than Cannanas
- ✅ RBAC with 8 granular StaffPermissions — more fine-grained than any competitor
- ✅ Staff invite flow with email + set-password
- ✅ CanG quota enforcement (25g/day, 50g/month, 30g under-21)
- ✅ Stock/batch tracking with full movement history
- ✅ Distribution recording with compliance pre-check
- ✅ Club settings (prevention officers, email domain whitelist)
- ✅ OpenAPI/Swagger documented REST API — no competitor exposes this
- ✅ 42+ unit tests with solid coverage
**What we're missing (honest gaps):**
- ❌ No §26 evaluation/report generation (Hanf-App has this)
- ❌ No SEPA integration (Hanf-App has this)
- ❌ No 2FA/TOTP (Hanf-App has this)
- ❌ No frontend (API-only — competitors all have web + mobile)
- ❌ No Transportbescheinigung
- ❌ No member-facing portal or app
- ❌ No self-hosted deployment option yet (Docker Compose planned)
- ❌ No public club map or marketplace
**Assessment:** We have a stronger technical foundation than all competitors (architecture, security, API design) but are behind on user-facing features and market presence. The gap is closable in 2-3 sprints.
---
## 2. Core Differentiators (Moats)
### 2.1 API-First Architecture (vs. walled gardens)
**Why this matters:** Every CSC will eventually need integrations — Buchhaltungssoftware (DATEV, lexoffice), SEPA providers (GoCardless, Stripe SEPA), Behörden-APIs for reporting, label printers, scales.
**Competitive reality:**
- 420cloud: No public API. Clubs are locked into their ecosystem.
- Hanf-App: No public API. "Integrations" means they built it or it doesn't exist.
- CannaManage: Full OpenAPI 3.0 spec, documented endpoints, JWT bearer auth.
**Strategic value:**
1. Third-party developers can build integrations (Buchhaltung connectors, POS systems)
2. White-label partners can reskin the frontend with their own brand
3. Dachverbände can build dashboards on top of our API
4. Developer ecosystem creates switching costs — once integrations exist, clubs can't leave
**Moat depth:** Medium-high. APIs are easy to build but hard to build an ecosystem around. First-mover advantage matters here.
### 2.2 Self-Hostable + SaaS Dual-Mode (vs. cloud-only)
**Why this matters:** German CSCs handle member PII + consumption data. Many clubs are run by privacy activists who don't trust cloud providers with member cannabis consumption records.
**What we offer:**
- **Self-hosted:** Docker Compose for clubs that want data on their own hardware
- **Managed SaaS:** Hosted instance for clubs that want zero ops overhead
- **Same codebase:** No feature gap between modes
**Competitive reality:**
- 420cloud: Cloud-only. Your member data lives on their servers in Berlin.
- Hanf-App: Cloud-only. No self-hosting option.
- Cannanas: Cloud-only.
- **Nobody in the DE CSC market offers self-hosting.**
**Strategic value:**
1. Captures the privacy-conscious segment that will NEVER use cloud-only
2. Data sovereignty argument resonates strongly in German market (DSGVO awareness is high)
3. Self-hosted clubs become evangelists in the community ("we control our own data")
4. Reduces our infrastructure costs for price-sensitive clubs
**Moat depth:** High. Competitors would need to re-architect for self-hosting. Their cloud-native assumptions (shared infra, centralized auth) make this very hard to bolt on.
### 2.3 Multi-Club Federation (vs. single-tenant silos)
**Why this matters:** Germany has 10+ Dachverbände (umbrella organizations) representing dozens of clubs each. A single contract with a Dachverband = 50+ clubs onboarded simultaneously.
**What we offer:**
- Shared admin dashboard for Dachverband management
- Per-club data isolation (our tenant_id architecture already supports this)
- Consolidated billing, reporting, compliance overview across all clubs
- Role hierarchy: Dachverband Admin → Club Admin → Staff → Member
**Competitive reality:**
- 420cloud: Single-club focus. No federation concept. Each club is independent.
- Hanf-App: Single-club accounts. No umbrella org support.
- This is a **completely unserved market segment.**
**Strategic value:**
1. Enterprise sales motion: one deal = 50 clubs (vs. selling one-by-one)
2. Dachverband lock-in: once the umbrella org standardizes on us, individual clubs can't easily leave
3. Consolidated compliance reporting makes the Dachverband look good to regulators
4. Higher ARPU per deal, lower CAC
**Moat depth:** Very high. Multi-tenant federation is architecturally complex. Our `tenant_id` design was built for this from Sprint 1.
### 2.4 Immutable Audit Trail + PDF Compliance Reports
**Why this matters:** CanG §26 requires clubs to be inspectable by authorities at any time. Clubs need tamper-evident records proving they followed the law.
**What we offer:**
- Append-only event log for all compliance-relevant actions (distributions, stock changes, member status)
- Cryptographic hash chain (each event references the previous hash) — tamper-evident
- One-click PDF export for authority inspections
- Pre-formatted §26 reports matching regulatory expectations
**Competitive reality:**
- 420cloud: Reports & Analysen listed as "Coming Soon" — not shipped yet
- Hanf-App: Has §26 reports (their strongest feature) but no cryptographic audit trail
- **We can be FIRST with cryptographic tamper-evidence** — this is a leapfrog opportunity
**Strategic value:**
1. Legal safety argument: "Our records are mathematically provable" vs. "trust our database"
2. Authority inspections become trivial: click → PDF → hand over
3. Insurance companies may require tamper-evident records in the future
4. Creates a "compliance moat" — switching away means losing your audit history
**Moat depth:** Medium. The PDF reports are easy to copy. The cryptographic hash chain is harder. The brand perception ("the compliance-first platform") is the real moat.
### 2.5 Fine-Grained RBAC (vs. simple Admin/Member split)
**What we have:** 8 granular permissions, configurable per staff member:
- `MANAGE_MEMBERS`, `VIEW_MEMBERS`, `MANAGE_STOCK`, `DISTRIBUTE`
- `VIEW_REPORTS`, `MANAGE_SETTINGS`, `MANAGE_STAFF`, `FULL_ACCESS`
**Why this matters:** Real CSCs have 5-10 staff with different roles — Ausgabe (distribution), Lager (stock), Vorstand (board), Kassierer (treasurer). You don't want the person doing Ausgabe to have access to financial reports.
**Competitive reality:**
- 420cloud: Basic role system (details unclear)
- Hanf-App: Admin/Staff/Member — no granular permissions documented
- Cannanas: Simple Admin/Member split
- **We have the most fine-grained permission model in the market**
**Moat depth:** Low-medium. This is copyable, but it's table stakes for enterprise/federation sales.
---
## 3. Feature Gap Analysis (Critical)
### 3.1 Must-Close Gaps (to match Hanf-App)
These are non-negotiable for market credibility. Without them, clubs will choose Hanf-App.
| Gap | Competitor Benchmark | Priority | Sprint Target |
|-----|---------------------|----------|---------------|
| §26 Evaluation + Bestand Reports | Hanf-App ships these | P0 | Sprint 4 |
| SEPA Integration (Beitragszahlung) | Hanf-App has full Steuerlogik | P0 | Sprint 5 |
| Transportbescheinigung PDF | Hanf-App generates these | P1 | Sprint 5 |
| 2FA (TOTP) | Hanf-App has 2FA, Cannanas doesn't | P1 | Sprint 5 |
| Frontend (any web UI at all) | All competitors have web + mobile | P0 | Sprint 4-7 |
| Member self-service portal | 420cloud has free member app | P1 | Sprint 4 |
### 3.2 Leapfrog Opportunities (where we can be FIRST)
These features don't exist in ANY competitor. Shipping them creates differentiation.
| Opportunity | Why No One Has It | Our Advantage | Effort |
|------------|-------------------|---------------|--------|
| Public REST API + OpenAPI spec | Competitors are closed platforms | Already built — just document + publish | Low |
| Self-hosted Docker deployment | Cloud-only business models | Our architecture supports it | Medium |
| Multi-club federation dashboard | Single-tenant architectures | tenant_id design ready | Medium-High |
| Immutable audit log (hash chain) | No regulatory pressure yet | ComplianceService foundation exists | Medium |
| QR code member ID (offline JWT) | Physical cards are the norm | JwtService already generates tokens | Low |
| Migration tool (import from Hanf-App/Cannanas) | They don't want you to leave | We want you to come | Medium |
| Offline-capable PWA | Everyone assumes internet | Service Worker + IndexedDB | Medium |
---
## 4. Go-to-Market Strategy
### 4.1 Target Segments (prioritized)
1. **Privacy-conscious clubs** — Data sovereignty is their #1 requirement. Self-hosting argument wins immediately. These clubs are vocal in forums and will evangelize. *Estimated segment: 15-20% of clubs.*
2. **Tech-savvy clubs wanting API integrations** — They're building their own tools, frustrated by closed ecosystems. Our API-first approach is exactly what they want. *Estimated segment: 10% of clubs.*
3. **Dachverbände / umbrella organizations** — Enterprise deals. One contract = 30-80 clubs. Federation feature is our unique selling point. *Estimated orgs: 10-15 nationwide, each with 20-80 member clubs.*
4. **Clubs frustrated with 420cloud's "Coming Soon" promises** — They signed up, features aren't shipping, they're looking for alternatives. *Growing segment as 420cloud fails to deliver.*
5. **New clubs not yet committed** — Greenfield. No migration friction. Capture before 420cloud's network effects lock them in. *~100 new clubs forming per quarter in 2026.*
### 4.2 Pricing Strategy
**Market context:**
- Hanf-App: ~30€/month (feature-complete)
- Cannanas: ~25€/month (partial features)
- 420cloud: Free member app + undisclosed B2B (likely 20-40€/month)
**Recommended positioning:**
| Tier | Price | Includes | Target |
|------|-------|----------|--------|
| **Community** | Free | API access, 1 staff user, 50 members max | Developer preview, tiny clubs |
| **Standard** | 19€/month | Full features, 5 staff, 500 members, cloud-hosted | Single clubs, price-sensitive |
| **Professional** | 39€/month | Unlimited staff/members, priority support, SEPA, advanced reports | Established clubs |
| **Federation** | 29€/club/month (min 10) | Multi-club dashboard, consolidated billing, dedicated support | Dachverbände |
| **Self-Hosted** | 99€/year (license) | Docker Compose, self-managed, community support | Privacy-focused clubs |
**Rationale:**
- Undercut Hanf-App on Standard tier (19€ vs 30€) — win on price + openness
- Federation tier creates volume deals (10 clubs × 29€ = 290€/month per Dachverband)
- Self-hosted is cheap enough to attract privacy clubs but still generates revenue
- Free tier creates developer ecosystem and word-of-mouth
### 4.3 Channel Strategy
| Channel | Action | Priority | Timeline |
|---------|--------|----------|----------|
| **csc-verwaltung.de** | Get listed on the comparison site | P0 | Once MVP frontend ships |
| **CSC Telegram groups** | Active presence, answer compliance questions, soft-sell | P1 | Immediately |
| **Dachverbände direct outreach** | Cold outreach with federation pitch deck | P1 | Sprint 6 (after federation ships) |
| **GitHub / Dev community** | Open-source API client libraries, public docs | P2 | Sprint 4 |
| **CSC founding workshops** | Partner with lawyers/consultants who help clubs form | P2 | Q3 2026 |
| **Content marketing** | CanG compliance guides, §26 checklists (SEO play) | P2 | Ongoing |
---
## 5. Sprint 4+ Roadmap (Competition-Informed)
### 5.1 Sprint 4: Compliance Reports + Member Portal (IMMEDIATE)
**Strategic goal:** Ship §26 reports before 420cloud does. They list this as "Coming Soon" — we race them.
- Complete Sprint 3 remaining phases (4-7): report engine, PDF generation, member portal endpoints
- §26-compatible PDF reports (Bestandsmeldung, Abgabenachweis, Mitgliederverzeichnis)
- Member self-service portal (view quota, distribution history, membership status)
- PWA manifest + service worker (mobile-ready without app stores)
- Public API documentation site (Redoc/Swagger UI hosted)
**Milestone:** A club admin can generate inspection-ready PDFs in one click.
### 5.2 Sprint 5: SEPA + Transportbescheinigung + 2FA
**Strategic goal:** Close the critical feature gaps vs. Hanf-App. After this sprint, we have feature parity on compliance.
- SEPA direct debit integration (GoCardless or Stripe SEPA as provider)
- Beitragsverwaltung (echte/unechte Beiträge — real/virtual contribution tracking)
- Transportbescheinigung PDF generation (CanG §22 transport certificates)
- TOTP-based 2FA (Google Authenticator / Authy compatible)
- Immutable audit log with SHA-256 hash chain (compliance moat)
**Milestone:** Feature parity with Hanf-App on compliance. Surpass them on security (audit trail + 2FA).
### 5.3 Sprint 6: Federation + Self-Hosting
**Strategic goal:** Unlock enterprise sales (Dachverbände) and the privacy segment. No competitor can follow here quickly.
- Multi-club federation dashboard (shared admin view, per-club drill-down)
- Docker Compose deployment (self-hosted mode)
- Helm chart for Kubernetes (larger orgs / hosting providers)
- Club onboarding wizard (guided setup for new clubs)
- Data migration tool (CSV import from Hanf-App/Cannanas export formats)
- Backup/restore workflow for self-hosted instances
**Milestone:** First Dachverband deal signed. First self-hosted club running independently.
### 5.4 Sprint 7: Frontend + PWA
**Strategic goal:** World-class UX that matches or exceeds Flowhub's speed. Tablet-optimized for Ausgabetisch.
- **Template:** shadcn-admin (React 19 + Vite + TanStack Router + shadcn/ui)
- Quick-Dispensing Card (inspired by Flowhub's "Maui POS" — 20-second checkout)
- Compliance dashboard with real-time quota visualization
- Member search with instant results + quick-info popover
- Batch trace timeline (Metrc-inspired seed-to-sale visualization)
- QR code member ID with offline JWT verification (scan → verify → dispense)
- Tablet-optimized layouts for Ausgabetisch workflow
- Dark mode with green accent theme
**Milestone:** A distribution takes under 30 seconds from member scan to confirmation.
---
## 6. Competitive Intelligence Actions
- [ ] Monitor 420cloud "Coming Soon" features — when do Berichte & Analysen actually ship?
- [ ] Get Hanf-App demo access — document actual UX flow, confirm pricing, identify pain points
- [ ] Find 420cloud B2B pricing via LinkedIn outreach / Trustpilot reviews / direct inquiry
- [ ] Join 3-5 German CSC Telegram groups — listen for admin pain points and feature requests
- [ ] CanG §6/§7/§26 deep legal analysis — what EXACTLY must be reported and in what format?
- [ ] Track csc-verwaltung.de monthly for new entrants and feature comparison updates
- [ ] Monitor 420cloud's club map growth rate (389 clubs as of June 2026 — check monthly)
- [ ] Research Dachverbände: identify top 5, get contact info, understand their tech needs
- [ ] Check if any competitor ships a public API within 6 months (would erode our differentiator)
- [ ] Analyze Hanf-App's Steuerlogik implementation — can we replicate from CanG legal text alone?
---
## 7. Design Direction
### 7.1 Color Scheme
| Role | Color | Hex | Usage |
|------|-------|-----|-------|
| Primary | Dark Green | `#1a5632` | Headers, nav, primary buttons |
| Secondary | Warm Slate | `#475569` | Body text, secondary elements |
| Accent | Light Green | `#4ade80` | CTAs, success states, active indicators |
| Background | White/Light Gray | `#f8fafc` | Page backgrounds |
| Surface | White | `#ffffff` | Cards, panels |
| Error | Red | `#ef4444` | Quota warnings, compliance violations |
| Dark BG | Deep Slate | `#0f172a` | Dark mode background |
| Dark Accent | Emerald | `#10b981` | Dark mode green accents |
**Rationale:** Professional, trustworthy, not "stoner aesthetic." Think fintech-meets-compliance. The dark green signals cannabis without being cartoonish. The slate keeps it serious.
### 7.2 UI Patterns (inspired by competitor research)
| Pattern | Source | Our Implementation |
|---------|--------|-------------------|
| Quick-Dispensing Card | Flowhub "Maui POS" | Scan member → see quota → select strain → confirm. Under 30 seconds. |
| Compliance Dashboard | BioTrack | Real-time quota bars, upcoming report deadlines, compliance health score |
| Member Quick-Search | Flowhub | Instant typeahead with photo + quota preview in results |
| Batch Trace Timeline | Metrc/BioTrack | Visual timeline from procurement → storage → distribution → consumed |
| Report Export Buttons | Hanf-App | Prominent "Export PDF" on every report view. One click, done. |
| Mobile Card Layout | Cannanas/Hanf-App | Stack cards vertically on mobile, swipe actions for common tasks |
| Status Indicators | All | Traffic-light system: green (compliant), yellow (warning), red (violation) |
### 7.3 Template Choice
**Selected:** [shadcn-admin](https://github.com/satnaing/shadcn-admin) (MIT license, 11k+ stars)
**Why this template:**
- SPA architecture matches our REST API backend (no SSR overhead needed)
- TanStack Router for type-safe routing
- shadcn/ui components are accessible, customizable, and production-ready
- Built-in dark mode, responsive layout, sidebar navigation
- React 19 + Vite = fast builds, modern DX
- MIT license = no restrictions for commercial use
**What we'll customize:**
- Color scheme → our green/slate palette
- Navigation → Club admin sections (Members, Stock, Distributions, Reports, Settings)
- Dashboard → Compliance overview with quota visualizations
- Tables → TanStack Table with server-side pagination (our API already supports pagination)
- Forms → React Hook Form + Zod validation (matching our backend validation rules)
---
## 8. Key Decisions Log
| Decision | Rationale | Date |
|----------|-----------|------|
| API-first, frontend-second | Technical moat > pretty UI. API is the platform. | Sprint 1 |
| Multi-tenant from day one | Federation requires tenant isolation. Retrofitting is impossible. | Sprint 1 |
| PostgreSQL over H2 | Production-grade from start. No database migration later. | Sprint 1 |
| Spring Boot 4 + Java 17 | LTS, enterprise-proven, strong ecosystem for compliance software | Sprint 1 |
| 8 granular permissions | Enterprise readiness. Simple roles don't scale to 10-person staff teams. | Sprint 3 |
| JWT with rotation + revocation | Security differentiator. Competitors use basic session cookies. | Sprint 3 |
| shadcn-admin for frontend | SPA fits REST API. Modern stack. MIT. High star count = maintained. | Sprint 4 (planned) |
| Docker Compose self-hosting | Privacy segment is underserved. Low effort given our architecture. | Sprint 6 (planned) |
Reference in New Issue View Git Blame Copy Permalink