10 Retrospective
Patrick Plate edited this page 2026-06-19 16:43:56 +02:00

10 — Sprint Retrospectives

Project: CannaManage — B2B SaaS for German Cannabis Social Clubs
Last updated: 2026-06-19


Sprint 14 Retrospective — Marketing & Monetization

Sprint: 14 — Landing Page, Login Redesign, Pricing Page, Storage Quotas
Period: 2026-06-18 (AI-assisted sprint)
Mode: Solo development, AI-assisted (Claude Opus via Roo Orchestrator)
Outcome: Complete — Marketing landing page, pricing tiers, login UX redesign, storage quotas

What Went Well

  • Landing page with feature showcase creates professional first impression for potential club customers
  • Pricing page with tier comparison enables self-service sign-up without sales calls
  • Login redesign improves onboarding UX — clearer CTAs, better error states
  • Storage quotas per subscription tier — clean enforcement without breaking existing users

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| Marketing pages as SSR (not static) | SEO benefits, dynamic pricing from backend |
| Three subscription tiers | Starter (small clubs), Professional (medium), Enterprise (large) |
| Storage quotas as soft limits | Warn at 80%, block at 100%, admin can override |
| Login page as marketing entry point | First thing users see — must look professional |

Sprint 13 Retrospective — Production Hardening

Sprint: 13 — Security Fixes, CI/CD Quality Gates, Repo Cleanup
Period: 2026-06-17 (AI-assisted sprint)
Outcome: Complete — Security fixes, CI quality gates, repository cleanup

What Went Well

  • Gitea Actions CI pipeline now runs full test suite with PostgreSQL 16 service container
  • Security audit identified and fixed several issues (XSS in forum, CSRF token handling)
  • Repository cleanup removed dead code, unused dependencies, and test artifacts
  • Quality gates prevent merging code below 80% coverage

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| PostgreSQL service container (not Testcontainers in CI) | More reliable in Gitea Actions environment |
| Branch protection on main | Require passing CI before merge |
| Snyk integration | Automated dependency vulnerability scanning |

Sprint 12 Retrospective — Golden Test Standard

Sprint: 12 — Documents Page Integration, UX Improvements, Integration Test Hardening
Period: 2026-06-16 (AI-assisted sprint)
Outcome: Complete — Documents page fully integrated, UX polish, test infrastructure hardened

What Went Well

  • Documents page now supports upload, download, categorization, and retention policies
  • UX improvements across all pages: better loading states, consistent error handling
  • Integration test hardening — eliminated flaky tests, added retry logic for async operations
  • Panel review process caught edge cases in document permissions

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| File storage on local volume (not S3) | Simpler for self-hosted, DSGVO-compliant data locality |
| Retention categories per document | Legal requirement: different documents have different retention periods |
| Soft-delete for documents | Allow recovery within retention period |

Sprint 11 Retrospective — Backend Test Coverage

Sprint: 11 — JaCoCo, ~250 New Tests, 80% Coverage Target
Period: 2026-06-15 (AI-assisted sprint)
Outcome: Complete — Coverage raised from ~45% to ~82%, quality gates established

What Went Well

  • JaCoCo 80% gate now blocks any PR that drops below threshold
  • ~250 new tests across all service classes — not just happy paths, edge cases too
  • ComplianceService 100% — every legal rule has a test backing it
  • Testcontainers adoption eliminated all H2-specific test issues
  • Test naming convention established: method_scenario_expected()

What Was Challenging ⚠️

  • Writing tests for legacy service code required some refactoring for testability
  • Testcontainers startup time adds ~15s per test class — mitigated with @Testcontainers shared instances
  • Mocking multi-tenant context required custom test utilities for TenantContext

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| 80% overall, 100% ComplianceService | Compliance is legal obligation; rest follows best practice |
| Testcontainers over H2 | Real PostgreSQL catches real issues |
| No test coverage for DTOs/entities | Boilerplate coverage inflates numbers without value |

Sprint 10 Retrospective — Smart Payment Import

Sprint: 10 — Bank Statement Import (MT940/CAMT053/CSV), Auto-Matching
Period: 2026-06-14 (AI-assisted sprint)
Outcome: Complete — Bank import pipeline, auto-matching, manual review UI

What Went Well

  • Multi-format bank import (MT940, CAMT053, CSV) handles all common German bank export formats
  • Auto-matching algorithm correctly matches ~85% of incoming payments to member fees
  • Import session workflow (upload → preview → confirm) prevents accidental data corruption
  • Unmatched payment review UI lets treasurer manually assign remaining 15%

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| Client-side parsing (not backend) | Keeps sensitive bank data in browser until confirmed |
| Fuzzy matching by amount + reference | German bank transfers often have garbled reference text |
| Import session as state machine | PENDING → REVIEWING → CONFIRMED → COMPLETED prevents partial imports |
| Batch processing with flush/clear | Large statements (1000+ transactions) need memory management |
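The import-session state machine and the batched commit from the two decisions above, as an added Java illustration that is not CannaManage's own code: `ImportSession`, `ParsedTransaction`, the `persistBatch` callback and the batch size of 500 are all assumed here, not taken from the project. Each step checks that the session is in exactly the preceding state, so rows can only reach the database through CONFIRMED → COMPLETED and never partially.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

/** One bank-statement import, driven strictly PENDING -> REVIEWING -> CONFIRMED -> COMPLETED. */
public class ImportSession {
    public enum State { PENDING, REVIEWING, CONFIRMED, COMPLETED }

    /** Assumed minimal shape of a parsed statement line; the project's real type is not on the page. */
    public record ParsedTransaction(String reference, long amountCents) {}

    private static final int BATCH_SIZE = 500;   // constructed value for the flush/clear cadence

    private State state = State.PENDING;
    private final List<ParsedTransaction> staged = new ArrayList<>();

    /** Upload step: parsed rows are only staged in the session, nothing is persisted yet. */
    public void stage(List<ParsedTransaction> parsed) {
        require(State.PENDING);
        staged.addAll(parsed);
        state = State.REVIEWING;
    }

    /** Preview step: the treasurer has seen the rows and accepts them. */
    public void confirm() {
        require(State.REVIEWING);
        state = State.CONFIRMED;
    }

    /**
     * Commit step. Only a CONFIRMED session may write, and it writes in fixed-size batches so a
     * 1000+ row statement never holds every managed entity at once. In a JPA service persistBatch
     * would persist each row, then flush() and clear() the EntityManager; the whole call sits in
     * one @Transactional boundary, so a failure in any batch rolls back all of them.
     */
    public void complete(Consumer<List<ParsedTransaction>> persistBatch) {
        require(State.CONFIRMED);
        for (int from = 0; from < staged.size(); from += BATCH_SIZE) {
            int to = Math.min(from + BATCH_SIZE, staged.size());
            persistBatch.accept(List.copyOf(staged.subList(from, to)));
        }
        state = State.COMPLETED;
    }

    public State state() { return state; }

    /** Any call out of order (e.g. complete() straight after upload) is rejected, not silently applied. */
    private void require(State expected) {
        if (state != expected) {
            throw new IllegalStateException("Import session is " + state + ", expected " + expected);
        }
    }
}
```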

Sprint 9 Retrospective — Berichtszentrale (Report Center)

Sprint: 9 — Report Center, Authority-Ready Exports, Generated Reports
Period: 2026-06-13 (AI-assisted sprint)
Outcome: Complete — 8 report types, PDF/CSV export, compliance dashboard

What Went Well

  • 8 report types covering all CanG compliance obligations (monthly, annual, member-list, destruction, transport, propagation, prevention, compliance-status)
  • Authority-ready PDF format matches what German authorities expect to see
  • Compliance dashboard gives club admins a single view of their compliance status
  • Deadline tracking alerts clubs before compliance deadlines

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| OpenPDF for all reports | LGPL, no license cost, good table support |
| Report generation async (background) | Large reports can take 10-30s |
| Pre-built templates per report type | Authorities expect specific formats |
| Compliance deadlines as entity | Track, alert, and mark as completed |

Sprint 8 Retrospective — Vereinsverwaltung (Club Governance)

Sprint: 8 — Club Treasury, General Assembly, Document Archive, Board Management
Period: 2026-06-12 (AI-assisted sprint)
Outcome: Complete — Finance module, assembly voting, document management, board member tracking

What Went Well

  • Club Treasury with income/expense tracking, categorization, and balance reports
  • General Assembly module with agenda items, voting (secret + open), quorum validation
  • Document Archive with upload, categorization, and retention period enforcement
  • Board Management tracks current board composition with term dates

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| Secret ballot as default | German Vereinsrecht requires secret votes for board elections |
| Treasury separate from payment import | Different concerns: treasury = overview, import = automation |
| Document retention per CanG | Cannabis-specific documents: 5-year retention minimum |
| Board terms as date ranges | Enables historical board composition queries |

Sprint 7 Retrospective — Communication & Community

Sprint: 7 — Info Board, Club Events Calendar, Club-Internal Forum, Notifications
Period: 2026-06-12 (AI-assisted sprint)
Outcome: Complete — Full community communication stack

What Went Well

  • Info Board (Schwarzes Brett) provides a WhatsApp-alternative for club announcements
  • Events Calendar with RSVP tracking and recurring events
  • Forum with threads, posts, and moderation — clubs don't need external Discord/Telegram
  • Notification system unifies all alerts (push, email, in-app) with per-user preferences

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| Forum over external chat | DSGVO compliance requires data stays in our system |
| Notifications as unified system | One preference center for all notification types |
| Event RSVP with capacity limits | Clubs have physical space constraints |
| Info Board moderation by admin/staff | Prevent misuse, keep content relevant |

Sprint 6 Retrospective — Production Readiness

Sprint: 6 — DSGVO Consent, Stripe Payments, Audit Log, Grow Calendar, Notifications, PWA
Period: 2026-06-12 (AI-assisted sprint)
Outcome: Complete — All launch-critical features delivered

What Went Well

  • DSGVO consent management with granular consent types, revocation, and data export
  • Stripe integration supporting SEPA, PayPal, and Credit Card — covers all common German payment methods
  • Audit log provides immutable trail for all compliance-relevant actions
  • Grow calendar with cycle tracking, sensor readings, harvest projections
  • PWA with service worker enables offline access to key data
  • TrueNAS deployment works — simpler and cheaper than Hetzner VPS

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| TrueNAS over Hetzner VPS | Cost savings, local network, ZFS backups included |
| Stripe for all payment types | Single integration for SEPA + PayPal + Card |
| Audit log as append-only | Legal requirement: compliance trail must be immutable |
| PWA over native app | Cross-platform, no app store approval, faster iteration |
| Consent per data category | DSGVO requires granular consent (not just one checkbox) |

Sprint 5 Retrospective — API Integration, Docker Compose & Staff UI

Sprint: 5 — React Query Integration, Docker Compose Full-Stack, Staff CRUD, System Tests
Period: 2026-06-12 (single-day intensive sprint, AI-assisted)
Outcome: Complete — React Query mock fallback, Docker Compose stack, Staff UI, 190+ automated tests

What Went Well

  • React Query mock fallback pattern — frontend works without backend via stale-while-revalidate + automatic mock fallback
  • Multi-persona review process now mature (90% first-pass approval)
  • Vitest + MSW setup provides sub-second test feedback
  • Full staff CRUD UI with invite flow, permission editor, role assignment
  • SQL seed + API-driven system tests provide end-to-end confidence

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| @tanstack/react-query over SWR | Better devtools, granular cache control, optimistic updates |
| Per-component loading (not page-level) | Each data source loads independently — faster perceived performance |
| Vitest over Jest | Native ESM, faster execution, better TypeScript support |

Sprint 4 Retrospective — Frontend MVP

Sprint: 4 — Admin Dashboard + Member Portal (Next.js 15, React 19, shadcn/ui)
Period: 2026-06-12 (single-day intensive sprint, AI-assisted)
Outcome: Complete — 143 files, ~23,568 LoC, 14 routes, 6 Playwright E2E tests

What Went Well

  • Shadboard starter kit saved weeks of boilerplate (MIT-licensed)
  • Persona review caught compliance gaps early
  • Dark + light mode from Day 1 was low-effort, high-value
  • i18n architecture (next-intl) scales cleanly
  • Separate route groups for admin vs. portal

Key Decisions Made 📋

| Decision | Rationale |
| --- | --- |
| Shadboard (MIT) as starter kit | Pre-built layout, theme, sidebar. Saves 2-3 weeks |
| i18n from Day 1 (next-intl) | Cheaper to add from start than retrofit |
| Dark mode default + light toggle | Cannabis club aesthetic suits dark mode |
| pnpm over npm/yarn | Faster installs, strict dependency resolution |

Sprint 3 Retrospective — Staff, Portal & Compliance Reports

Sprint: 3 — Staff Permissions, Token Revocation, Member Portal, Reports, Prevention Officer
Period: 2026-05-15 to 2026-06-12
Outcome: Complete — 7 phases delivered, ~80 files, ~8,500 LoC, 67+ tests

What Went Well

  • OpenPDF over iText 7 — LGPL, no license cost, API identical to iText 5
  • Caffeine cache for token revocation — O(1) lookup, no Redis needed
  • Dual SecurityFilterChain — clean separation of JWT (admin) and session (member)
  • Testcontainers caught a Flyway migration issue that H2 would have hidden
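The Caffeine-backed revocation list from the bullet above, as an added Java example that is not the project's own code: the token's jti claim is the cache key and each entry expires exactly when its token's exp claim would have, so the deny-list never grows beyond the set of still-valid tokens while keeping the O(1) lookup. Caffeine's `Cache`, `Caffeine` and `Expiry` types are real; the class name and the JWT filter that calls `isRevoked` are assumptions.

```java
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.Expiry;
import java.time.Duration;
import java.time.Instant;

/** Process-local deny-list of revoked JWTs keyed by jti (hypothetical class, not CannaManage's). */
public class TokenRevocationService {

    /** jti -> token expiry. An entry lives only until its token would have expired on its own. */
    private final Cache<String, Instant> revoked = Caffeine.newBuilder()
            .maximumSize(100_000)   // hard bound: a flood of logouts cannot exhaust the heap
            .expireAfter(new Expiry<String, Instant>() {
                @Override
                public long expireAfterCreate(String jti, Instant exp, long currentTime) {
                    // currentTime is Caffeine's ticker, so derive the remaining lifetime from wall time
                    return Math.max(Duration.between(Instant.now(), exp).toNanos(), 0L);
                }
                @Override
                public long expireAfterUpdate(String jti, Instant exp, long currentTime, long currentDuration) {
                    return currentDuration;   // re-revoking the same token never extends the entry
                }
                @Override
                public long expireAfterRead(String jti, Instant exp, long currentTime, long currentDuration) {
                    return currentDuration;   // lookups never extend the entry either
                }
            })
            .build();

    /** Called on logout or forced sign-out; exp is the token's own exp claim. */
    public void revoke(String jti, Instant exp) {
        if (exp.isAfter(Instant.now())) {     // an already-expired token needs no entry
            revoked.put(jti, exp);
        }
    }

    /** O(1) check the JWT filter runs after signature validation and before the token is accepted. */
    public boolean isRevoked(String jti) {
        return revoked.getIfPresent(jti) != null;
    }
}
```

Because the list is in-process (the "no Redis needed" trade-off), a restart empties it and a second backend instance would not see a revocation; that is acceptable only while the admin API runs as a single instance and token lifetimes stay short.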

Sprint 2 Retrospective — REST API

Sprint: 2 — 5 Controllers, JWT Auth, Spring Security 7, OpenAPI
Outcome: Complete — Full REST API with auth, docs, and tenant isolation


Sprint 1 Retrospective — Domain Foundation

Sprint: 1 — 8 Entities, ComplianceService, Flyway V1
Outcome: Complete — Core domain model with compliance enforcement from Day 1