pplate/pi_mcps
1
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
038e5469635d4d45cd2c8fed953b28b66272d636
pi_mcps/docs/wiki/pages/CannaManage-01-Charter.md
T
Patrick Plate cda8946c75 docs(cannamanage): add CannaManage wiki pages and mockup images 
- 11 wiki pages: CannaManage-Home + 01-10 covering full Phase 0 docs
- 5 mockup images in docs/wiki/images/
- Updated _Sidebar.md with CannaManage section
2026-04-06 11:21:35 +02:00

228 lines
12 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# CannaManage — Project Charter
**Author:** Patrick Plate
**Date:** 2026-04-06
**Version:** 1.0
**Status:** Draft for Review
---
## 1. Executive Summary
### Vision Statement
> *CannaManage is the compliance backbone for German cannabis social clubs — purpose-built to turn a legally mandated administrative burden into a manageable, auditable, and digitised workflow.*
### The Problem
Germany's **Konsumcannabisgesetz (CanG)**, in force since April 1, 2024, legalised cannabis for personal use and established a framework for **Anbauvereinigungen** (cannabis social clubs / CSCs). Every operating CSC faces mandatory, recurring compliance obligations:
- Track every distribution (recipient, strain, weight, date/time) — by law
- Enforce quantity limits per member (50g/month for adults, 30g/month for under-21, 25g/day)
- Maintain batch-level contamination traceability
- Produce periodic authority reports
- Designate and track a Prevention Officer (Präventionsbeauftragter)
- Manage member data under DSGVO
Clubs currently manage this with Excel spreadsheets, pen-and-paper logs, and WhatsApp groups — creating legal risk, audit gaps, and administrative chaos.
### Why Now
The market is less than two years old. **No purpose-built software tooling exists** for German CSCs. The window to establish market leadership is 20262027 before larger players notice the niche. First-mover advantage combined with the permanent regulatory moat from CanG compliance requirements makes this the right moment.
### What We Are Building
A **multi-tenant B2B SaaS platform** offering:
- Club admin portal (member management, distribution logging, stock management, compliance reporting)
- Member portal (personal quota, distribution history, stock visibility)
- Built-in CanG compliance enforcement and export tooling
**We are selling compliance management software to licensed, regulated entities. We are not in the cannabis business.**
---
## 2. Project Scope
### 2.1 In Scope — MVP v1
| Area | Features Included |
|------|-------------------|
| **Onboarding** | Club registration, setup wizard, admin account creation |
| **Member Management** | Add/remove members, age verification (18+, 1821 restricted), contact data |
| **Distribution Tracking** | Log each handout (member, strain, weight, date/time); enforce daily/monthly limits |
| **Limit Enforcement** | 25g/day cap, 50g/month (adult), 30g/month (under-21), 10% THC flag |
| **Stock Management** | Strains, batch tracking, quantity levels |
| **Admin Dashboard** | Club-level totals: members, distributions this month, stock levels |
| **Compliance Exports** | Monthly distribution report (PDF + CSV), member list export for inspections |
| **Contamination Recall** | Flag a batch; system lists all members who received from it |
| **Prevention Officer** | Store officer contact info and designation date |
| **Member Portal** | Login with club-issued credentials; view quota, distribution history, stock availability |
| **Authentication** | Spring Security + JWT; role-based (ADMIN, MEMBER) |
| **Hosting** | Hetzner VPS (German DC), Docker Compose, PostgreSQL + Flyway |
### 2.2 Explicitly Out of Scope — MVP v1
| Feature | Reason Excluded |
|---------|-----------------|
| Public club discovery / "find clubs near you" | **Illegal under CanG §§67 advertising ban** |
| Cannabis e-commerce or payment for cannabis | Illegal; violates positioning |
| Non-EU data storage (AWS us-east, etc.) | DSGVO violation |
| Stripe subscription billing | Deferred to Phase 1 (Weeks 916) |
| Email/SMS notifications | v2 feature |
| Mobile native app (Android/iOS) | v2/v3 feature |
| Multi-location club support | v3 feature |
| Legal template marketplace | v3 feature |
| Next.js/React frontend | v2 migration after revenue justifies investment |
| Authority portal integrations | v3 feature (portals don't exist yet) |
---
## 3. Stakeholders
| Role | Description | Needs |
|------|-------------|-------|
| **Club Admin** *(primary user)* | Vereinsvorstand or designated manager; runs day-to-day club operations | Compliant distribution logging, member management, authority-ready exports |
| **Club Member** *(secondary user)* | Verified adult member of the Anbauvereinigung | Self-service quota visibility, distribution history, stock availability |
| **Prevention Officer** *(Präventionsbeauftragter, tertiary user)* | Legally required role; may or may not be the admin | Contact info tracked in system; receives relevant reports |
| **Patrick Plate** *(developer & product owner)* | Solo developer; nights/weekends; ADP Germany full-time | Minimal learning overhead; fast path to first revenue; legally sound product |
---
## 4. Success Criteria
MVP is considered complete when all of the following are true:
| # | Criterion | Measure |
|---|-----------|---------|
| 1 | **Core compliance loop working** | Admin can log a distribution → system enforces limits → admin exports PDF report for authorities |
| 2 | **Multi-tenant isolation** | Two clubs' data are completely isolated — no cross-tenant data leakage |
| 3 | **Member portal live** | Member can log in with club-issued credentials and view their quota + history |
| 4 | **Contamination recall functional** | Admin flags a batch; system returns full recipient list in < 2 seconds |
| 5 | **Deployment stable** | Platform runs on Hetzner VPS via Docker Compose with uptime ≥ 99% over 30-day beta |
| 6 | **Beta validation** | 35 real club admins have used the system and provided written feedback |
| 7 | **Legal review passed** | No features violate CanG advertising ban; DSGVO AVV in place before any live data |
| 8 | **Zero PII on non-EU infrastructure** | All data confirmed to reside in Hetzner DE datacenter |
---
## 5. Constraints & Assumptions
### Constraints
| Type | Constraint |
|------|-----------|
| **Legal** | CanG §§67 imposes a **total advertising and sponsoring ban** on cannabis AND Anbauvereinigungen — no public club discovery feature, ever |
| **Legal** | DSGVO requires EU hosting, data processing agreements (AVV), member data export/deletion capability |
| **Technical (MVP)** | Frontend is PrimeFaces + JSF — Patrick's existing expertise; no new framework learning in Phase 0 |
| **Technical** | Multi-tenancy via `tenant_id` on all JPA entities — no row-level security shortcuts |
| **Team** | Solo developer — Patrick; nights and weekends only; full-time at ADP Germany |
| **Timeline** | Phase 0 target: 8 weeks; Phase 1 target: 16 weeks total from project start |
| **Budget** | Infrastructure: Hetzner €520/month; no team salary cost |
### Assumptions
- German CSCs are willing to pay €29–€79/month for compliance software
- Stripe will process subscriptions for compliance software (not cannabis sales) without restriction
- Spring Boot 3.x is sufficiently adjacent to Patrick's Jakarta EE expertise to use without major ramp-up
- PrimeFaces MVP is sufficient for beta validation — UI polish deferred to v2
- CanG remains in force and CSC licensing continues in all major Bundesländer
---
## 6. Risk Register
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|-----------|
| **Advertising ban reinterpreted to include B2B SaaS** | Low | High | Obtain legal opinion from cannabis law specialist before launch (€300500); strict no-discovery design enforced at architecture level |
| **New German government rolls back or tightens CanG** | Medium | High | Modular architecture — compliance-only features can be extracted and pivoted to a general club management tool |
| **Stripe blocks cannabis-adjacent businesses** | Medium | High | Position as "Vereinsverwaltungs-Software" (club management software); never process cannabis payments; test with Stripe before public launch |
| **Clubs fail / licenses revoked** | Medium | Medium | Diversified customer base; per-month billing (easy cancellation); no annual lock-in required for MVP |
| **DSGVO violation** | Low | Very High | EU-only hosting (Hetzner DE), DPA/AVV agreements before any live data, DSGVO-compliant privacy policy in German, member data export/deletion API from day one |
---
## 7. Budget & Resources
| Item | Cost | Notes |
|------|------|-------|
| **Development** | €0 (Patrick's time) | Nights/weekends; valued at opportunity cost only |
| **Infrastructure — Hetzner VPS** | €520/month | German DC; scales with load |
| **Infrastructure — PostgreSQL** | €0 (self-hosted on VPS) | Managed DB upgrade available when needed |
| **Legal opinion** | €300500 (one-time) | Cannabis law specialist; pre-launch requirement |
| **Domain (cannamanage.de)** | ~€15/year | To be registered |
| **Stripe fees** | 1.4% + €0.25 per transaction | EU cards; only on paid subscriptions |
| **Email (Resend / Jakarta Mail)** | €010/month | Resend free tier for low volume |
| **Sentry monitoring** | €0 (free tier) | Error tracking; Java SDK |
| **Total pre-launch** | **~€600700** | Including legal opinion |
---
## 8. Timeline Overview
```mermaid
gantt
title CannaManage Development Roadmap
dateFormat YYYY-MM-DD
axisFormat %b %Y
section Phase 0 — Foundation
Spring Boot setup + JPA entities :p0a, 2026-04-07, 2w
Core REST API (member, distribution) :p0b, after p0a, 2w
Admin portal PrimeFaces :p0c, after p0b, 2w
Limit enforcement + PDF report :p0d, after p0c, 2w
section Phase 1 — MVP
Member portal :p1a, after p0d, 2w
Stock management + contamination recall :p1b, after p1a, 2w
Stripe billing integration :p1c, after p1b, 2w
DSGVO + beta launch (5 clubs) :p1d, after p1c, 2w
section Phase 2 — Launch
Payment flows + email notifications :p2a, after p1d, 4w
Marketing site + legal review :p2b, after p2a, 4w
Soft launch to club community :milestone, after p2b, 0d
section Phase 3 — Growth
PrimeFaces → Next.js migration :p3a, 2026-12-01, 8w
PWA mobile :p3b, after p3a, 4w
Template marketplace + referral :p3c, after p3b, 8w
```
---
## 9. Legal Framework
### Key CanG Provisions
| Provision | Content | Product Implication |
|-----------|---------|---------------------|
| **§2 CanG** | Definitions — Anbauvereinigung, Mitglied | Data model must align with statutory definitions of club and member |
| **§§1526 CanG** | Anbauvereinigungen — formation, rights, obligations | Club registration flow must capture legally required club attributes |
| **§22 CanG** | Distribution limits: 25g/day, 50g/month per adult member | Hard enforcement in distribution service; cannot be overridden by admin |
| **§23 CanG** | Under-21 restrictions: 30g/month max, max 10% THC | Age flag on member entity; separate limit enforcement path for restricted category |
| **§§67 CanG** | **Total advertising and sponsoring ban** for cannabis and Anbauvereinigungen | **No public club discovery. No stock visible to non-members. No club listings.** Architecture constraint. |
| **§26 CanG** | Documentation and reporting obligations | Compliance export module is a legal requirement, not an optional feature |
| **§27 CanG** | Prevention officer requirements | Prevention officer fields mandatory in club setup; not optional |
### DSGVO Obligations
- All personal data stored on EU infrastructure (Hetzner DE)
- Data processing agreement (AVV) required with each club before live data entry
- Member data export endpoint required (Art. 20 DSGVO — data portability)
- Member data deletion endpoint required (Art. 17 DSGVO — right to erasure)
- Privacy policy in German, DSGVO-compliant, published before launch
---
## 10. Sign-Off
| Role | Name | Date |
|------|------|------|
| **Project Sponsor** | Patrick Plate | 2026-04-06 |
| **Lead Developer** | Patrick Plate | 2026-04-06 |
| **Product Owner** | Patrick Plate | 2026-04-06 |
---
*Next review date: 2026-05-01 | Source: [STRATEGY.md](../STRATEGY.md)*
Reference in New Issue View Git Blame Copy Permalink