pplate/pi_mcps
1
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

docs(cannamanage): add CannaManage wiki pages and mockup images

Browse Source 
- 11 wiki pages: CannaManage-Home + 01-10 covering full Phase 0 docs
- 5 mockup images in docs/wiki/images/
- Updated _Sidebar.md with CannaManage section
This commit is contained in:
Patrick Plate
2026-04-06 11:21:35 +02:00
parent 97ccafc0d7
commit cda8946c75
17 changed files with 5733 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/wiki/pages/CannaManage-01-Charter.md
+227
View File
@@ -0,0 +1,227 @@
# CannaManage — Project Charter
**Author:** Patrick Plate
**Date:** 2026-04-06
**Version:** 1.0
**Status:** Draft for Review
---
## 1. Executive Summary
### Vision Statement
> *CannaManage is the compliance backbone for German cannabis social clubs — purpose-built to turn a legally mandated administrative burden into a manageable, auditable, and digitised workflow.*
### The Problem
Germany's **Konsumcannabisgesetz (CanG)**, in force since April 1, 2024, legalised cannabis for personal use and established a framework for **Anbauvereinigungen** (cannabis social clubs / CSCs). Every operating CSC faces mandatory, recurring compliance obligations:
- Track every distribution (recipient, strain, weight, date/time) — by law
- Enforce quantity limits per member (50g/month for adults, 30g/month for under-21, 25g/day)
- Maintain batch-level contamination traceability
- Produce periodic authority reports
- Designate and track a Prevention Officer (Präventionsbeauftragter)
- Manage member data under DSGVO
Clubs currently manage this with Excel spreadsheets, pen-and-paper logs, and WhatsApp groups — creating legal risk, audit gaps, and administrative chaos.
### Why Now
The market is less than two years old. **No purpose-built software tooling exists** for German CSCs. The window to establish market leadership is 20262027 before larger players notice the niche. First-mover advantage combined with the permanent regulatory moat from CanG compliance requirements makes this the right moment.
### What We Are Building
A **multi-tenant B2B SaaS platform** offering:
- Club admin portal (member management, distribution logging, stock management, compliance reporting)
- Member portal (personal quota, distribution history, stock visibility)
- Built-in CanG compliance enforcement and export tooling
**We are selling compliance management software to licensed, regulated entities. We are not in the cannabis business.**
---
## 2. Project Scope
### 2.1 In Scope — MVP v1
| Area | Features Included |
|------|-------------------|
| **Onboarding** | Club registration, setup wizard, admin account creation |
| **Member Management** | Add/remove members, age verification (18+, 1821 restricted), contact data |
| **Distribution Tracking** | Log each handout (member, strain, weight, date/time); enforce daily/monthly limits |
| **Limit Enforcement** | 25g/day cap, 50g/month (adult), 30g/month (under-21), 10% THC flag |
| **Stock Management** | Strains, batch tracking, quantity levels |
| **Admin Dashboard** | Club-level totals: members, distributions this month, stock levels |
| **Compliance Exports** | Monthly distribution report (PDF + CSV), member list export for inspections |
| **Contamination Recall** | Flag a batch; system lists all members who received from it |
| **Prevention Officer** | Store officer contact info and designation date |
| **Member Portal** | Login with club-issued credentials; view quota, distribution history, stock availability |
| **Authentication** | Spring Security + JWT; role-based (ADMIN, MEMBER) |
| **Hosting** | Hetzner VPS (German DC), Docker Compose, PostgreSQL + Flyway |
### 2.2 Explicitly Out of Scope — MVP v1
| Feature | Reason Excluded |
|---------|-----------------|
| Public club discovery / "find clubs near you" | **Illegal under CanG §§67 advertising ban** |
| Cannabis e-commerce or payment for cannabis | Illegal; violates positioning |
| Non-EU data storage (AWS us-east, etc.) | DSGVO violation |
| Stripe subscription billing | Deferred to Phase 1 (Weeks 916) |
| Email/SMS notifications | v2 feature |
| Mobile native app (Android/iOS) | v2/v3 feature |
| Multi-location club support | v3 feature |
| Legal template marketplace | v3 feature |
| Next.js/React frontend | v2 migration after revenue justifies investment |
| Authority portal integrations | v3 feature (portals don't exist yet) |
---
## 3. Stakeholders
| Role | Description | Needs |
|------|-------------|-------|
| **Club Admin** *(primary user)* | Vereinsvorstand or designated manager; runs day-to-day club operations | Compliant distribution logging, member management, authority-ready exports |
| **Club Member** *(secondary user)* | Verified adult member of the Anbauvereinigung | Self-service quota visibility, distribution history, stock availability |
| **Prevention Officer** *(Präventionsbeauftragter, tertiary user)* | Legally required role; may or may not be the admin | Contact info tracked in system; receives relevant reports |
| **Patrick Plate** *(developer & product owner)* | Solo developer; nights/weekends; ADP Germany full-time | Minimal learning overhead; fast path to first revenue; legally sound product |
---
## 4. Success Criteria
MVP is considered complete when all of the following are true:
| # | Criterion | Measure |
|---|-----------|---------|
| 1 | **Core compliance loop working** | Admin can log a distribution → system enforces limits → admin exports PDF report for authorities |
| 2 | **Multi-tenant isolation** | Two clubs' data are completely isolated — no cross-tenant data leakage |
| 3 | **Member portal live** | Member can log in with club-issued credentials and view their quota + history |
| 4 | **Contamination recall functional** | Admin flags a batch; system returns full recipient list in < 2 seconds |
| 5 | **Deployment stable** | Platform runs on Hetzner VPS via Docker Compose with uptime ≥ 99% over 30-day beta |
| 6 | **Beta validation** | 35 real club admins have used the system and provided written feedback |
| 7 | **Legal review passed** | No features violate CanG advertising ban; DSGVO AVV in place before any live data |
| 8 | **Zero PII on non-EU infrastructure** | All data confirmed to reside in Hetzner DE datacenter |
---
## 5. Constraints & Assumptions
### Constraints
| Type | Constraint |
|------|-----------|
| **Legal** | CanG §§67 imposes a **total advertising and sponsoring ban** on cannabis AND Anbauvereinigungen — no public club discovery feature, ever |
| **Legal** | DSGVO requires EU hosting, data processing agreements (AVV), member data export/deletion capability |
| **Technical (MVP)** | Frontend is PrimeFaces + JSF — Patrick's existing expertise; no new framework learning in Phase 0 |
| **Technical** | Multi-tenancy via `tenant_id` on all JPA entities — no row-level security shortcuts |
| **Team** | Solo developer — Patrick; nights and weekends only; full-time at ADP Germany |
| **Timeline** | Phase 0 target: 8 weeks; Phase 1 target: 16 weeks total from project start |
| **Budget** | Infrastructure: Hetzner €520/month; no team salary cost |
### Assumptions
- German CSCs are willing to pay €29–€79/month for compliance software
- Stripe will process subscriptions for compliance software (not cannabis sales) without restriction
- Spring Boot 3.x is sufficiently adjacent to Patrick's Jakarta EE expertise to use without major ramp-up
- PrimeFaces MVP is sufficient for beta validation — UI polish deferred to v2
- CanG remains in force and CSC licensing continues in all major Bundesländer
---
## 6. Risk Register
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|-----------|
| **Advertising ban reinterpreted to include B2B SaaS** | Low | High | Obtain legal opinion from cannabis law specialist before launch (€300500); strict no-discovery design enforced at architecture level |
| **New German government rolls back or tightens CanG** | Medium | High | Modular architecture — compliance-only features can be extracted and pivoted to a general club management tool |
| **Stripe blocks cannabis-adjacent businesses** | Medium | High | Position as "Vereinsverwaltungs-Software" (club management software); never process cannabis payments; test with Stripe before public launch |
| **Clubs fail / licenses revoked** | Medium | Medium | Diversified customer base; per-month billing (easy cancellation); no annual lock-in required for MVP |
| **DSGVO violation** | Low | Very High | EU-only hosting (Hetzner DE), DPA/AVV agreements before any live data, DSGVO-compliant privacy policy in German, member data export/deletion API from day one |
---
## 7. Budget & Resources
| Item | Cost | Notes |
|------|------|-------|
| **Development** | €0 (Patrick's time) | Nights/weekends; valued at opportunity cost only |
| **Infrastructure — Hetzner VPS** | €520/month | German DC; scales with load |
| **Infrastructure — PostgreSQL** | €0 (self-hosted on VPS) | Managed DB upgrade available when needed |
| **Legal opinion** | €300500 (one-time) | Cannabis law specialist; pre-launch requirement |
| **Domain (cannamanage.de)** | ~€15/year | To be registered |
| **Stripe fees** | 1.4% + €0.25 per transaction | EU cards; only on paid subscriptions |
| **Email (Resend / Jakarta Mail)** | €010/month | Resend free tier for low volume |
| **Sentry monitoring** | €0 (free tier) | Error tracking; Java SDK |
| **Total pre-launch** | **~€600700** | Including legal opinion |
---
## 8. Timeline Overview
```mermaid
gantt
title CannaManage Development Roadmap
dateFormat YYYY-MM-DD
axisFormat %b %Y
section Phase 0 — Foundation
Spring Boot setup + JPA entities :p0a, 2026-04-07, 2w
Core REST API (member, distribution) :p0b, after p0a, 2w
Admin portal PrimeFaces :p0c, after p0b, 2w
Limit enforcement + PDF report :p0d, after p0c, 2w
section Phase 1 — MVP
Member portal :p1a, after p0d, 2w
Stock management + contamination recall :p1b, after p1a, 2w
Stripe billing integration :p1c, after p1b, 2w
DSGVO + beta launch (5 clubs) :p1d, after p1c, 2w
section Phase 2 — Launch
Payment flows + email notifications :p2a, after p1d, 4w
Marketing site + legal review :p2b, after p2a, 4w
Soft launch to club community :milestone, after p2b, 0d
section Phase 3 — Growth
PrimeFaces → Next.js migration :p3a, 2026-12-01, 8w
PWA mobile :p3b, after p3a, 4w
Template marketplace + referral :p3c, after p3b, 8w
```
---
## 9. Legal Framework
### Key CanG Provisions
| Provision | Content | Product Implication |
|-----------|---------|---------------------|
| **§2 CanG** | Definitions — Anbauvereinigung, Mitglied | Data model must align with statutory definitions of club and member |
| **§§1526 CanG** | Anbauvereinigungen — formation, rights, obligations | Club registration flow must capture legally required club attributes |
| **§22 CanG** | Distribution limits: 25g/day, 50g/month per adult member | Hard enforcement in distribution service; cannot be overridden by admin |
| **§23 CanG** | Under-21 restrictions: 30g/month max, max 10% THC | Age flag on member entity; separate limit enforcement path for restricted category |
| **§§67 CanG** | **Total advertising and sponsoring ban** for cannabis and Anbauvereinigungen | **No public club discovery. No stock visible to non-members. No club listings.** Architecture constraint. |
| **§26 CanG** | Documentation and reporting obligations | Compliance export module is a legal requirement, not an optional feature |
| **§27 CanG** | Prevention officer requirements | Prevention officer fields mandatory in club setup; not optional |
### DSGVO Obligations
- All personal data stored on EU infrastructure (Hetzner DE)
- Data processing agreement (AVV) required with each club before live data entry
- Member data export endpoint required (Art. 20 DSGVO — data portability)
- Member data deletion endpoint required (Art. 17 DSGVO — right to erasure)
- Privacy policy in German, DSGVO-compliant, published before launch
---
## 10. Sign-Off
| Role | Name | Date |
|------|------|------|
| **Project Sponsor** | Patrick Plate | 2026-04-06 |
| **Lead Developer** | Patrick Plate | 2026-04-06 |
| **Product Owner** | Patrick Plate | 2026-04-06 |
---
*Next review date: 2026-05-01 | Source: [STRATEGY.md](../STRATEGY.md)*