Project Completion Backlog

Date: 2026-05-29

This backlog captures the remaining work after the Astro scaffold cutover, Flow Studio protected-host slice, and private dashboard publishing checks. It is intentionally public-safe: do not add credential values, account identifiers, private URLs, tokens, raw provider payloads, screenshots with private data, or admin-only records.

Immediate Status

No immediate break/fix item is open for the current architecture repo cutover path.

Verified current state:

Backlog Priorities

P0. SEO/AEO Live Clerk And Mobilis Authorization Bindings

Owner repo: mobilis-seo-aeo-engine

Tracker: https://github.com/Mobilis-Mobile/mobilis-seo-aeo-engine/issues/104

Current state:

  • The live Pages Functions auth runtime is merged and deployed.
  • Public preview and report surfaces remain redacted and noindexed.
  • Admin/API routes fail closed before tenant dashboard data loads because production Clerk issuer/JWKS and Mobilis tenant authorization bindings are not configured.

Future implementation:

  • Configure production Pages bindings for Clerk issuer/JWKS or equivalent signed-token verification.
  • Configure the Mobilis tenant authorization binding used by the runtime.
  • Run permitted-admin, anonymous-denial, wrong-tenant, stale-session, missing-capability, and resource-tenant mismatch remote smoke checks.
  • Post only public-safe evidence: route status, redacted result labels, workflow links, and non-secret verifier summaries.
  • Keep generated dashboard write actions disabled until owner approval and rollback coverage are recorded.

Completion evidence required:

  • Remote protected admin route succeeds only for an authorized admin account.
  • Lower-permission and anonymous routes remain denied.
  • Public reports do not expose tokens, account IDs, org IDs, emails, private membership data, private URLs, provider payloads, or secret names/values.
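
The denial cases named in the smoke checks above can be written as one fail-closed decision function. This is an added sketch, not code from mobilis-seo-aeo-engine. Every name, status code, and label in it is a hypothetical choice, and `claims` stands for the payload of a token already verified against the configured issuer/JWKS.

```javascript
// Added example with hypothetical names; not the project's runtime.
// claims === null means no valid, signature-verified token was presented.
function authorize({ bindings, claims, routeTenant, resourceTenant, capability, now }) {
  const deny = (status, label) => ({ status, label, loadData: false });
  // Fail closed: with no verifier or tenant binding, nothing can be trusted.
  if (!bindings || !bindings.issuer || !bindings.jwksUrl || !bindings.tenantAuthz) {
    return deny(503, "auth-not-configured");
  }
  if (!claims) return deny(401, "anonymous-denied");
  if (typeof claims.exp !== "number" || claims.exp <= now) return deny(401, "stale-session");
  // Tenant and capabilities come from the server-side binding, never the request.
  const grant = bindings.tenantAuthz.get(claims.sub);
  if (!grant || grant.tenant !== routeTenant) return deny(403, "wrong-tenant");
  if (!grant.capabilities.includes(capability)) return deny(403, "missing-capability");
  if (resourceTenant !== routeTenant) return deny(403, "resource-tenant-mismatch");
  return { status: 200, label: "permitted-admin", loadData: true };
}

// Constructed smoke matrix. The evidence lines carry only the case name,
// status, and label: no subject, tenant, or token values.
function runSmokeMatrix() {
  const bindings = {
    issuer: "https://issuer.example",
    jwksUrl: "https://issuer.example/jwks",
    tenantAuthz: new Map([
      ["user-a", { tenant: "t1", capabilities: ["dashboard:admin"] }],
      ["user-b", { tenant: "t1", capabilities: [] }],
      ["user-c", { tenant: "t2", capabilities: ["dashboard:admin"] }],
    ]),
  };
  const base = { bindings, routeTenant: "t1", resourceTenant: "t1",
                 capability: "dashboard:admin", now: 1000 };
  const admin = { sub: "user-a", exp: 2000 };
  const cases = [
    ["permitted-admin", { ...base, claims: admin }],
    ["anonymous", { ...base, claims: null }],
    ["stale-session", { ...base, claims: { sub: "user-a", exp: 500 } }],
    ["wrong-tenant", { ...base, claims: { sub: "user-c", exp: 2000 } }],
    ["missing-capability", { ...base, claims: { sub: "user-b", exp: 2000 } }],
    ["resource-tenant-mismatch", { ...base, claims: admin, resourceTenant: "t2" }],
    ["bindings-missing", { ...base, bindings: {}, claims: admin }],
  ];
  return cases.map(([name, input]) => {
    const result = authorize(input);
    return `${name}: ${result.status} ${result.label}`;
  });
}
```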

P0. Flow Studio Real Authenticated Viewer Mapping

Owner repo: 00-MobilisArchitectureInfo for architecture propagation and mobilis-flow-studio for canonical Flow Studio route behavior.

Tracker: https://github.com/Mobilis-Mobile/00-MobilisArchitectureInfo/issues/194

Current state:

  • Protected private dashboard host is verified with Cloudflare Access.
  • Public routes expose only public-safe readiness shells and reports.
  • Technical-admin-only scenario evidence remains out of the public Astro route set.
  • The remaining gap is real authenticated-account authorization, not anonymous host protection.

Future implementation:

  • Map Cloudflare Access or equivalent identity claims to Flow Studio viewer profiles from a server-controlled source.
  • Ensure viewer, role, scenario, and surface URL parameters cannot elevate a lower-permission account.
  • Prove allowed and denied behavior with real authenticated accounts without posting account data.
  • Document account request, approval ownership, emergency access, and removal process.
  • Add regression coverage for guest, moderator, non-technical admin, developer, and technical-admin access boundaries.

Completion evidence required:

  • Authenticated technical-admin/developer accounts can reach restricted evidence.
  • Lower-permission accounts receive denied or limited views before restricted bundles/internal layouts are served.
  • Non-technical viewers never see API payloads, private implementation details, source links, credentials, or admin-only data.
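
One way to keep the `viewer` and `scenario` URL parameters from elevating an account is to resolve the profile only from a server-side map and treat the parameters as requests that can narrow access, never widen it. This is an added sketch, not Flow Studio's own code. The rank order, the subject map, and the scenario names are assumptions, and `verifiedClaims` stands for identity claims whose token was already validated.

```javascript
// Added example with hypothetical names; not Flow Studio's own code.
// Assumed ordering of the viewer profiles, lowest privilege first.
const RANK = ["guest", "moderator", "non-technical-admin", "developer", "technical-admin"];

// Server-controlled sources (constructed sample data). Maps avoid lookups
// that resolve inherited object keys such as "constructor".
const PROFILE_BY_SUBJECT = new Map([
  ["sub-001", "technical-admin"],
  ["sub-002", "moderator"],
]);
const SCENARIOS = new Map([
  ["public-readiness", { allowedViewers: RANK }],
  ["restricted-evidence", { allowedViewers: ["developer", "technical-admin"] }],
]);

function resolveView(verifiedClaims, requestUrl) {
  const params = new URL(requestUrl).searchParams;
  // The granted profile comes only from the server-side map; a missing or
  // unknown identity is treated as a guest.
  const granted = (verifiedClaims && PROFILE_BY_SUBJECT.get(verifiedClaims.sub)) || "guest";
  // ?viewer= may preview an equal or lower profile. A higher or unknown
  // value is ignored, so it can never raise the effective profile.
  const asked = params.get("viewer");
  const askedRank = RANK.indexOf(asked);
  const effective = askedRank >= 0 && askedRank <= RANK.indexOf(granted) ? asked : granted;
  // ?scenario= selects a registry entry; allowedViewers decides, not the URL.
  const scenario = SCENARIOS.get(params.get("scenario"));
  if (!scenario) return { view: "denied", viewer: effective, reason: "unknown-scenario" };
  if (!scenario.allowedViewers.includes(effective)) {
    return { view: "denied", viewer: effective, reason: "viewer-not-allowed" };
  }
  return { view: "scenario", viewer: effective, reason: "allowed" };
}
```

The decision is made before any restricted bundle or layout is selected, so a denied result carries nothing beyond the label.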

P1. Scaffold Reference Retirement

Tracker: https://github.com/Mobilis-Mobile/00-MobilisArchitectureInfo/issues/348

Current state:

  • Canonical product, tenant, Flow Studio, and prototype routes use redirect-enabled handoffs where owner-route evidence is available.
  • /astro-scaffold/... routes remain noindexed scaffold references for rollback and evidence continuity.

Future implementation:

  • Collect longer-lived owner-route production evidence for each redirected route.
  • Decide route-by-route whether retained scaffold references should become pointer-only, move to evidence-only paths, or remain as rollback references.
  • Keep rollback notes and route reports discoverable before retiring any scaffold reference.

Completion evidence required:

  • Every retired scaffold route has owner-route evidence, route report coverage, rollback notes, and explicit retirement approval.

P1. Tenant Dashboard Live Readiness

Owner repos: mobilis-product-event-submission, mobilis-tenant-fiestagenius, and future tenant repos.

Current state:

  • Event Submission publishes the reusable request-boundary, Clerk verifier, claim adapter, protected-entry, live-row-loader, access-policy, claim-proof, paid-state, and access-guard contracts.
  • FiestaGenius dashboard readiness references those contracts but remains readiness evidence, not live tenant dashboard authorization.

Future implementation:

  • Configure production protected-entry routing for tenant dashboards.
  • Complete tenant/session/submission matching.
  • Review Supabase RLS/access policy against live dashboard read/write paths.
  • Add server-side proof verification and provider-backed paid-state checks.
  • Keep WhatsApp, Stripe, calendar publishing, private distribution, and provider writes disabled until tenant owner approval and rollback coverage pass.

Completion evidence required:

  • Tenant owner route can load only approved live rows for an authorized account.
  • Wrong-tenant, stale-session, unpaid-feature, and missing-proof paths are denied with public-safe labels.
  • Write/publish/provider actions remain approval-gated and auditable.

P2. Deployment And Operations Housekeeping

Current state:

  • Public and private Pages workflows are passing.
  • Private dashboard deploys through the dedicated private-cloudflare-pages workflow.
  • The Flow Studio canonical URL setting still uses the pages.dev fallback until the selected custom-domain gate is ready.
  • actions/download-artifact@v8 may emit an upstream Buffer() deprecation warning during artifact extraction; this is not currently a repo failure.

Future implementation:

  • Configure the selected Flow Studio custom domain variable after the custom-domain gate is ready.
  • Track the upstream artifact warning only if CI policy starts failing on it.
  • Keep public and private publishing paths separate.

Completion evidence required:

  • Custom-domain variable points to the approved domain.
  • Public builds continue to exclude private registries and restricted Flow Studio evidence.
  • Private builds remain behind Cloudflare Access.

P2. Marketplace Claim And Correction Ownership

Current state:

  • Mi Gente directory routes show public-safe correction intent as disabled launch feedback.
  • Reusable marketplace claim/correction ownership remains future product work.

Future implementation:

  • Define the owner product and route contract for claim/correction workflows.
  • Add public-safe route reports and disabled-action metadata.
  • Preserve moderation, approval, audit, and rollback gates before any correction write path is enabled.

Completion evidence required:

  • Claim/correction routes have owner-route evidence, denied-path coverage, and disabled write/publish gates until launch approval passes.

P2. Picante Meetup Planning Re-Enablement

Status: Backlog ticket added 2026-06-10.

Current state:

  • Picante meetup planning is disabled while event submission, event updates, source ingest, and approval chat flows are hardened.
  • The assistant should not offer meetup planning, ride-seat planning, hotel-split planning, or group-discount coordination until this feature is explicitly reapproved.

Future implementation:

  • Define the intended meetup-planning scope separately from event-management chat.
  • Add permission, persistence, notification, rollback, and moderation boundaries for meetup plans.
  • Add regression tests proving disabled behavior, enabled behavior behind a feature flag, and no accidental upsell copy in event-submission replies.

Completion evidence required:

  • Owner approval for the feature flag and product scope.
  • Passing chat smoke tests for disabled and enabled states.
  • Public-safe release notes documenting what meetup planning can and cannot do.

Safety Rules For Future Work

  • Do not merge GLD source-ingest lanes into GLD submission lanes.
  • Route Flow Studio copy and behavior changes through scenario or registry data first.
  • Preserve allowedViewers, denied paths, role-aware views, and RestrictedScenarioView.
  • Keep non-technical viewers away from API payloads, source links, credentials, private implementation details, and admin-only data.
  • Keep public and private deployment artifacts separate.