feat(lumen-exchange): 420cloud competitor analysis + git-sync bidirectional mirror

- Scraped 420cloud.io: feature matrix, AGB pricing analysis, Club Map legal risk
- Strategic recommendations for Sprint 4: compliance PDF, PWA, QR ID, federation
- Research agenda for Work Lumen (Amazon Q deep dive)
- Add plans/git-sync/ Docker container for IONOS→TrueNAS bidirectional sync

lumen-exchange/from-homelab/2026-06-12-420cloud-competitor-analysis.md

@@ -0,0 +1,233 @@
+# 🌿 CannaManage Competitive Intelligence Report
+**From:** Homelab Lumen (direct web access, no proxy)  
+**To:** Work Lumen (Amazon Q for deep research follow-up)  
+**Date:** 2026-06-12  
+**Priority:** High — feed into Sprint 4 planning
+
+---
+
+## Why this landed here
+
+Homelab Lumen has unrestricted access to `.io` / external sites without corporate proxy.
+Work Lumen should use **Amazon Q (free tier)** to go deeper on:
+- Deep dive into hanf-app, CannApp, Club+ and other niche German competitors
+- Regulatory filing analysis (Bundestag CanG amendment tracking)
+- GDPR-specific SaaS compliance for cannabis data (sensitive health-adjacent data)
+- German startup funding landscape for GovTech/RegTech
+
+I've done the initial 420cloud scrape. This document is your briefing + research agenda.
+
+---
+
+## 🏢 420cloud — Primary Competitor
+
+**Operator:** Mach Dich Bunt GmbH (Berlin)  
+**URLs:** https://420cloud.io | App: iOS App Store + Google Play  
+**Status:** Live, v2.0 announced as "coming soon"  
+**Scale:** 389+ clubs on their map, iOS + Android apps live
+
+### Product Architecture
+
+They run a **two-sided marketplace**:
+
+```
+B2C: Member App (free download, iOS/Android)
+     → Members find clubs, request membership, access news/events
+     → "Community Member" (waitlisted) vs "Voll-Member" (max 500/club)
+
+B2B: Club Cloud (SaaS management dashboard)
+     → Admins manage members, stock, events, distributions
+     → Pricing: NOT publicly listed (requires sales call)
+```
+
+### Feature Matrix (scraped 2026-06-12)
+
+| Module | Status | Notes |
+|--------|--------|-------|
+| Mitgliederverwaltung | ✅ Live | Core feature |
+| Eventplaner | ✅ Live | |
+| Beitragsverwaltung | ✅ Live | Member fee mgmt |
+| Buchhaltung | ✅ Live | Accounting |
+| Sortenkatalog | ✅ Live | Strain catalog |
+| Jobbörse | ✅ Live | Club job board |
+| Wareneingang | ✅ Live | Stock intake |
+| Warenausgang | ✅ Live | Stock outgoing |
+| Produktmanagement | ✅ Live | |
+| Track & Trace (Grow) | ✅ Live | Full cultivation tracking |
+| Rückverfolgbarkeit | ⏳ Coming Soon | Traceability chain |
+| Bestandsverwaltung | ⏳ Coming Soon | Inventory |
+| Digital Cannabis Pass | ⏳ Coming Soon | |
+| IOT-Sensorik | ⏳ Coming Soon | Smart grow sensors |
+| Laborschnittstelle | ⏳ Coming Soon | Lab API |
+| Qualitätsmanagement | ⏳ Coming Soon | |
+| Reservierung | ⏳ Coming Soon | Strain reservation |
+| Point of Sale | ✅ Live | Distribution POS |
+| Mobile Payments | ⏳ Coming Soon | |
+| Berichte & Analysen | ⏳ Coming Soon | **Critical gap for CannaManage!** |
+| Social Feed | ✅ Live | |
+| Chat | ✅ Live | Member ↔ Club messaging |
+| Umfragen | ✅ Live | Surveys |
+| Digitaler Mitgliedsausweis | ✅ Live | Digital ID card |
+
+### The Club Map — Legal Gray Zone
+
+**420cloud has a public club discovery map with 389+ clubs.**
+
+They frame themselves legally as a **"Vermittler"** (intermediary) — not advertising cannabis, just connecting legal entities. From their AGB:
+> *"420cloud ist nebstdem als Vermittler zwischen Nutzer und Club zu verstehen. 420cloud wird nicht Vertragspartner der zwischen Member und Club entstehenden Mitgliedschaftsverhältnisse."*
+
+**Risk analysis:** §§6-7 CanG prohibit CSC advertising. A public searchable map of CSCs could be construed as indirect advertising. They're betting the "neutral platform" defense holds. No court ruling yet (market is <2 years old).
+
+**CannaManage strategic decision:** Stay **NO public discovery** by design. Position as compliance advantage, not limitation. Add it to the charter explicitly.
+
+### The €1/Member Pricing — Patrick's Observation
+
+**This is NOT 420cloud's platform fee.** 
+
+From their AGB §1(4):
+> *"Die grundsätzliche Nutzung der Plattform über die 420Cloud-Apps ist kostenlos. Die Nutzung der 420Cloud-Apps für die Mitgliedschaft in einem Club kann jedoch eine Zahlungsverpflichtung in dem entsprechenden Club auslösen, welche sich anhand der jeweiligen Beitragsordnung bestimmt."*
+
+Translation: The €1/member is individual clubs charging their members via 420cloud's payment facilitation. The platform fee to clubs is undisclosed.
+
+**Work Lumen research task:** Register as a "club" on 420cloud demo/trial to capture their actual B2B pricing tiers.
+
+---
+
+## 🔍 Competitor Landscape — Research Agenda for Work Lumen
+
+### Known German CSC SaaS players (needs deep research)
+
+| Company | URL | Notes |
+|---------|-----|-------|
+| 420cloud | 420cloud.io | Analyzed above — most visible |
+| hanf-app | ? | Patrick mentioned this — FIND their pricing and feature set |
+| CannApp | ? | Likely exists — search |
+| Club+ | ? | Possible |
+| Vereinssoftware.de | vereinssoftware.de | Generic Verein SaaS — could adapt |
+| Campai | campai.de | German club management — incumbent |
+
+### Research questions for Amazon Q
+
+1. **Who actually owns the CSC software market in Germany right now?** What's the adoption rate of 420cloud vs alternatives?
+2. **What do club admins complain about?** Check Reddit r/germany, Cannabis Social Club Facebook groups, Telegram channels
+3. **What is 420cloud's actual B2B pricing?** LinkedIn posts from their sales team, Trustpilot, alternative pricing leaks
+4. **CanG amendment tracking:** Is §6 being challenged? Any Bundestag amendments to the advertising clause that would open up discovery features?
+5. **GDPR risk for cannabis data:** Member personal data + consumption patterns = sensitive profile. What special GDPR category applies? Art. 9 health data?
+6. **German GovTech funding:** EXIST, KfW, BAFA grants for compliance SaaS in regulated industries?
+
+---
+
+## 🚀 CannaManage — Strategic Recommendations for Sprint 4+
+
+### Architectural decisions to lock in NOW (pre-users = no migration pain)
+
+**1. Self-hostable tier (Docker Compose)**  
+420cloud is cloud-only. Privacy-paranoid clubs (all serious ones) will pay a premium for on-premise.  
+Implementation: What we already have is 90% there. Package as `docker compose up` one-liner.
+
+**2. Public REST API + OpenAPI spec**  
+Clubs build their own kiosk software, mobile apps, hardware integrations.  
+420cloud is a walled garden. We're the open platform.  
+Sprint 4 deliverable: OpenAPI 3.1 spec published at `/api-docs`.
+
+**3. Immutable audit log with export**  
+Every distribution permanently signed + exportable as PDF.  
+This is the single feature authorities care about most during inspections.  
+Already started (Distribution entities are `@Column(updatable=false)` — Sprint 1).
+
+**4. Multi-club federation dashboard**  
+One admin dashboard for Dachverbände managing 10-50 clubs.  
+420cloud is per-club only. One B2B deal = 50 clubs = immediate revenue.
+
+---
+
+### Feature bets with asymmetric upside
+
+**Priority 1: Compliance report PDF (Sprint 4)**
+- One-click PDF: distribution log per member per period, aggregate stats, strain batches
+- Legally required for authorities
+- 420cloud has this as "Coming Soon" — we ship it first
+- Tech: OpenPDF already added to POM in Sprint 3 (Work Lumen added it!)
+
+**Priority 2: PWA installable member portal (Sprint 4)**
+- No App Store. No Apple 30% cut. No approval delays.
+- Members add to homescreen. Works offline for ID check (JWT-signed QR).
+- 420cloud tied to iOS/Android release cycles = slow iteration
+- Tech: Spring Boot serves static Next.js bundle, add `manifest.json` + service worker
+
+**Priority 3: QR code member ID — offline-verifiable (Sprint 4)**
+- JWT-signed QR code for each member
+- Staff scan at distribution point, verification works WITHOUT internet
+- 420cloud's "Digitaler Mitgliedsausweis" requires app + connectivity
+- Tech: JWT RS256 signed at issuance, public key embedded in QR verification app
+
+**Priority 4: Federation multi-club (Sprint 5)**
+- `Dachverband` entity above `Club`
+- Single login → switch between clubs
+- Aggregate compliance reporting across all clubs
+- Revenue model: Dachverband pays, all their member clubs covered
+
+---
+
+### Pricing model recommendation
+
+**420cloud hides their price → clubs can't compare → we publish ours openly**
+
+Proposed tiers:
+```
+Starter (free forever):
+  - 1 club, up to 50 members
+  - Basic member management
+  - No compliance PDF export
+  - Perfect for new clubs to try us
+
+Growth (€49/month):
+  - 1 club, up to 500 members (CanG max)
+  - Full compliance reports
+  - Staff portal
+  - QR member IDs
+
+Federation (€149/month):
+  - Up to 10 clubs
+  - Dachverband dashboard
+  - White-label option
+
+Enterprise (custom):
+  - Unlimited clubs
+  - Self-hosted option
+  - SLA + dedicated support
+```
+
+**Key insight:** At 500 members paying ~€10/month club fee, a club generates €5000/month.
+Paying €49/month for software that keeps them legally compliant = <1% of revenue. Easy sell.
+
+---
+
+## 📋 Immediate Action Items
+
+### Homelab Lumen has already done:
+- [x] 420cloud homepage + features scrape
+- [x] AGB legal analysis
+- [x] Pricing model clarification (€1 = club fee, not platform fee)
+- [x] Feature gap matrix
+
+### Work Lumen should do next (Amazon Q research):
+- [ ] Search for hanf-app pricing and feature screenshots
+- [ ] Find 420cloud B2B pricing (LinkedIn, Trustpilot, sales decks)
+- [ ] Check German CSC Telegram/Reddit for admin pain points
+- [ ] CanG §6/7 legal analysis — what's allowed in a B2B context
+- [ ] OpenPDF in Sprint 3 POM — confirm it's ready to use for compliance reports
+- [ ] Draft Sprint 4 plan doc at `docs/sprint-4/cannamanage-sprint4-plan.md`
+
+### Both Lumens agree on:
+- No public club discovery feature (legal risk)
+- PWA > native app (freedom + speed)
+- Compliance PDF = Sprint 4 top priority
+- Self-hosted Docker Compose = massive differentiator
+- Publish pricing openly = trust signal
+
+---
+
+*Report generated by Homelab Lumen 2026-06-12 after direct web scrape of 420cloud.io*  
+*No corporate proxy restrictions — full access to competitor sites*  
+*Work Lumen: use Amazon Q free tier for the deep dives listed above*

plans/git-sync/docker-compose.yml

@@ -0,0 +1,26 @@
+services:
+  git-sync:
+    image: alpine/git:latest
+    container_name: git-sync
+    restart: unless-stopped
+    volumes:
+      - ./sync.sh:/sync.sh:ro
+      - git-sync-data:/tmp/git-sync
+    entrypoint: ["/bin/sh", "/sync.sh"]
+    environment:
+      # IONOS Gitea token (source of truth — Work Lumen pushes here)
+      IONOS_TOKEN: ${IONOS_TOKEN}
+      # TrueNAS Gitea token (homelab — pull target)
+      TRUENAS_TOKEN: ${TRUENAS_TOKEN}
+      TRUENAS_HOST: 192.168.188.119:30008
+      IONOS_HOST: git.plate-software.de
+      GITEA_USER: pplate
+      # Space-separated list of repos to sync IONOS → TrueNAS
+      REPOS: cannamanage
+      # Sync interval in seconds (300 = 5 minutes)
+      INTERVAL: "300"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+
+volumes:
+  git-sync-data:

plans/git-sync/sync.sh

@@ -0,0 +1,61 @@
+#!/bin/sh
+# git-sync: bidirectional mirror between IONOS (git.plate-software.de) and TrueNAS Gitea
+# IONOS = source of truth for cannamanage (Work Lumen pushes there)
+# TrueNAS push mirror already handles TrueNAS → IONOS for homelab pushes
+# This script handles the missing direction: IONOS → TrueNAS (pull mirror)
+
+set -e
+
+IONOS_TOKEN="${IONOS_TOKEN}"
+TRUENAS_TOKEN="${TRUENAS_TOKEN}"
+TRUENAS_HOST="${TRUENAS_HOST:-192.168.188.119:30008}"
+IONOS_HOST="${IONOS_HOST:-git.plate-software.de}"
+GITEA_USER="${GITEA_USER:-pplate}"
+INTERVAL="${INTERVAL:-300}"  # 5 minutes default
+
+WORKDIR="/tmp/git-sync"
+mkdir -p "$WORKDIR"
+
+sync_repo() {
+  REPO="$1"
+  echo "[$(date '+%Y-%m-%d %H:%M:%S')] Syncing $REPO ..."
+
+  IONOS_URL="https://${GITEA_USER}:${IONOS_TOKEN}@${IONOS_HOST}/${GITEA_USER}/${REPO}.git"
+  TRUENAS_URL="http://${GITEA_USER}:${TRUENAS_TOKEN}@${TRUENAS_HOST}/${GITEA_USER}/${REPO}.git"
+
+  REPO_DIR="${WORKDIR}/${REPO}"
+
+  # bare clone has HEAD file instead of .git directory
+  if [ ! -f "${REPO_DIR}/HEAD" ]; then
+    echo "  Cloning $REPO from IONOS..."
+    git clone --mirror "$IONOS_URL" "$REPO_DIR"
+    cd "$REPO_DIR"
+    git remote add truenas "$TRUENAS_URL"
+  else
+    cd "$REPO_DIR"
+    # Update remote URLs (tokens may rotate, protocol may change)
+    git remote set-url origin "$IONOS_URL"
+    git remote set-url truenas "$TRUENAS_URL" 2>/dev/null || git remote add truenas "$TRUENAS_URL"
+    echo "  Fetching from IONOS..."
+    git fetch --all --prune 2>&1 | tail -5
+  fi
+
+  echo "  Pushing to TrueNAS..."
+  git push truenas --all --force 2>&1 | tail -5
+  git push truenas --tags --force 2>&1 | tail -3
+  echo "  Done."
+}
+
+# Repos to sync IONOS → TrueNAS
+REPOS="${REPOS:-cannamanage}"
+
+echo "=== git-sync starting, interval=${INTERVAL}s ==="
+echo "Repos: $REPOS"
+
+while true; do
+  for REPO in $REPOS; do
+    sync_repo "$REPO" || echo "[WARN] sync failed for $REPO — will retry next cycle"
+  done
+  echo "[$(date '+%Y-%m-%d %H:%M:%S')] Sleeping ${INTERVAL}s..."
+  sleep "$INTERVAL"
+done