Orin — Kanban

apps/api (NestJS), apps/miniapp (Vite React), apps/web (Next.js), apps/admin (Vite React + react-admin); packages/ui (DS tokens ported), packages/i18n.

make up brings infra with healthchecks; .env.example documents every variable; ports bound to localhost only.

kanban.json single source of truth; kanban-validate.mjs in CI; kanban-render.mjs emits read-only index.html until the web app serves /kanban.

GitHub Actions on PR + develop/main pushes; secrets scanning and dependency audit are merge-blocking per security-technical §5/§9. BLOCKED: needs gh auth refresh -s workflow from the founder (see /root/DO-THIS-FIRST.md).

docs/process/function-doc-template.md fixed structure (AI-assistant-ready); docs-validate.mjs enforces frontmatter + headings + kanban cross-links.

Finalize ORM ADR (Prisma vs TypeORM), wire migration tooling, country cell root entity, and project-wide conventions: money as bigint tiyin, country_id on every table, UTC-in-DB.

Verify Mini App initData (HMAC-SHA256 with bot secret, Ed25519 for 3rd-party), auth_date TTL ≤24h, never log initData; exchange for tokens.

Short access (15m) + refresh (30d) with rotation-on-use and reuse detection (reuse → whole chain revoked); asymmetric signing (RS256/EdDSA), kid in header.

6-digit OTP for web cabinet: 3-min TTL, ≤3 attempts, 3 sends/hour per number and per IP, exponential backoff, code never logged.

Master (user_id, display_name, category_id, geo point, verified, plan, slug). Ownership-scoped CRUD; public-safe projection vs private fields.

Service: name_i18n, duration, price (tiyin), formats[studio|visit|online|project], buffer before/after, variants, add-ons, padding/processing, on/off + secret-link, per-service deposit/cancel policy.

Salon + salon_member(role); single role→actions matrix (authz/matrix.ts); global NestJS deny-by-default guard; resource-ownership guard.

Shared RU/UZ catalogs, flat-key t(), no-hardcode lint rule; UZ-Latin + RU parity; UZ 15-25% longer length checks in component tests.

make seed produces synthetic masters/services/clients/bookings; never production dumps; deterministic for tests.

schedule_rule(weekday,start,end) + schedule_block + date overrides + split day ranges + Uzbekistan public-holiday auto-block (Navruz, Eid, Independence Day) preloaded UZ/RU.

Compute availability intervals (schedule minus occupancy minus buffers); materialized "nearest free slots" cache in Redis, invalidated on schedule/booking change.

booking entity + status machine pending→confirmed→in_progress→completed|no_show|cancelled; source[link|catalog|manual]; created_by; status is the transaction trigger.

[CRITICAL] EXCLUDE constraint on (master_id, tstzrange(start,end)) for active statuses + advisory lock on create + Idempotency-Key (Redis 24h).

Advance notice + booking window (separate first-visit vs regular) + 3-option horizon (rolling/fixed/indefinite); enforced server-side.

Endpoints with ownership, cutoff-window enforcement (buttons disappear inside window = server rejects), in-system-actions-only rule for state.

Port Button, IconButton, Icon, Spinner, Input, Switch, SegmentedControl, Badge, Tag, Toast, EmptyState, Avatar, Card, StatCard, ListRow, Rating, ProfessionalCard to @orin/ui (pixel-perfect, tokens only).

Port ServiceRow, CalendarStrip, SlotPicker, BookingCard, MainButton, Tabs, BottomNav, StatusStepper, ProfileBadge, RatingHistogram, ChipGroup.

initData bootstrap, 15 theme tokens (live switch), MainButton/SecondaryButton, BackButton, haptic vocabulary, native popups, CloudStorage drafts, closing confirmation, disableVerticalSwipes.

Profile page → service → staff (Any default) → slot picker → confirm sheet (policies before tap) → MainButton "Book for X"; success haptic + receipt; idempotency.

My bookings home; reschedule/cancel (buttons disappear inside cutoff); Book-again pre-fill; book-for-family; share booking (shareMessage card).

Day view (staff columns), dual-color cards (origin+status), one-tap status chips, tap-empty→staged booking sheet, New-appointment vs Block-time, buffers, walk-in type; <100ms interactions.

Auto-create first service from category; operating-mode question (salon/visit/online); activation checklist with progress; profile-completeness funnel with real rewards.

Personal t.me deep link + server-generated QR + printable UZ/RU poster templates; Instagram/Telegram-channel portfolio import; "send 3 slots in chat".

Deep links (startapp payloads), requestContact (verified phone), requestWriteAccess (bundled into confirm), quick buttons; no business logic — subscribes to domain events.

BullMQ queue: 24h/2h/10min reminders, visit statuses, "slot opened", day digests; confirm-tap→auto-Confirmed; idempotent jobs; Rich Messages + private-chat topics.

client entity (CRM projection, may have no user); notes, tags, visit history, total spend, reliability score + no-show/late-cancel counts.

Trusted (skip deposit) / Blocked levers; manual booking entry; walk-in as first-class client type.

Segment clients, compose, auto-append booking link, send via Telegram (free, two-way); replies land in real chat.

Two wallets (cash/cashless) + income/expense categories; "record payment" on appointment (cash/Payme/Click/Uzum); daily summary popover.

~6 opinionated dashboards (today’s take, occupancy, no-show rate, repeat rate, top clients); StatCards tabular; PIN/biometric gate on revenue screens only.

review entity: direction[c2m|m2c], UNIQUE per booking+direction, link to booking(status=completed) enforced by trigger/service; stars, text, tags, status[visible|hidden|flagged].

Full-screen 5-star sheet (4-5★ text+photo, 1-3★ reason chips+text); prompt at +30min, one +24h reminder; no-show cancels prompt; ~14-day edit window.

Compact 2-tap sheet after Done (stars + tag chips); client score in pro booking card (tap→tag breakdown, no other pros’ texts); <4.0 amber + deposit hint.

Average + mini histogram + review cards (abbrev name, date, photo, pro reply, staff attribution); 4-criteria optional; Report→reason form; New-pro badge <5 reviews.

Anti-fraud worker flags review-boost/mass-signup (hide-not-delete); graded verification badges (phone→ID→diploma) in profile/results/card.

subscription entity; plan→feature matrix in config/DB (editable without release); billing.can(masterId,feature) = backend source of truth (403 PLAN_REQUIRED); front draws locks from same endpoint.

4-plan swipe (current marked), compare table; lock states (visible+lock+plan label); upgrade sheet with concrete benefit; transparent pricing; self-serve cancel.

Redis month-booking counter with DB recount; LimitBar "23 of 30"; growth banner at 27+; trial strip "Pro free for N days".

[BLOCK] Provider webhooks: signature verify before parse, instant 200 + queued processing, idempotency by external_id (UNIQUE), amount/currency reconciliation, raw_webhook journal, never auto-credit on mismatch.

Invite link/QR/share; progress with anti-fraud steps; +1 month for both on 14-day activity; billing credit.

Flash Sale / Happy Hours / Last-Minute; off-peak discount attached to time slot (strikethrough + save% in picker); copy-to-other-days; 4-step start flow.

visit_zone(polygon geography, surcharge, min_order) + radius option; travel buffer (10-min steps); mandatory-deposit toggle; per-service format switch.

Port ZoneMapSelector + AddressPinPicker (schematic maps; 2GIS/Yandex SDK abstraction).

Format step (hidden if not mobile); LocationManager geo + map pin + entrance/floor/intercom + comment; saved addresses; total breakdown (service+travel) before confirm.

Stepper Confirmed→Departed→On-site→Done; pro tappable address (2GIS/Yandex), large status buttons, share live location; client start-confirmation tap = timestamp protecting deposits.

Per-service deposit as pro Payme/Click/Uzum invoice link in chat (copyable); Orin records paid/unpaid/refunded/forfeited; auto-release slot if unpaid after N min; two-option (part/all).

Passport + selfie upload (2 steps, progress); statuses under-review/verified/rejected+reason; graded Verified badge in profile/results/card; admin review queue feed.

Urgent request → first master in zone accepts with ETA (alongside slot booking); zone-routed visibility.

tsvector over service names/descriptions + pg_trgm; uz-Latin↔Cyrillic↔RU transliteration dictionary at index and query time.

PostGIS master points; ST_DWithin/ST_Contains "who travels to me"; materialized nearest-slots cache (Redis) for "free today".

Score = f(rating, profile completeness, activity, distance, slot availability); coefficients in config; factors logged for debugging.

Search bar + category chips + "Your pros" + "Free today nearby" rail; result card (orin anatomy: rating, district, Bugun: slot chips, from-price, Book); list/map toggle.

Filter sheet (price/rating/home-visit/gender/language/online-pay); removable chips; Today/Tomorrow chips; sort segmented; state-specific empty screens.

Checkbox on existing booking ("notify if frees earlier") + full-day waitlist; "slot opened" Telegram push with inline Book + timed exclusive hold in queue order.

Category open/close per city behind 6-item checklist; hide (not gray) empty categories; "Notify me when [category] arrives" demand collector; zero-result-search logging.

online_session entity; duration cards (30/60/90 + prices) → slot → mandatory prepayment (explains "link unlocks after payment"); pay via Payme/Click link.

Countdown; Join button disabled (lock) until ~10min before, then activates + deep-links auto-provisioned room; recording notice if enabled.

Consent-gated recording toggle (legal hint); private bucket; signed URLs (1h TTL) for two participants only; auto-delete at expires_at by worker with journal.

Call extension push ("ends in 5 min — extend 15min for X?") one-tap pay; "Extend storage" paid; "Book again".

Request form (niche-prompted textarea, photos/files, budget range, deadline); screening-questions-first; requirements gate auto-cancels/releases if client doesn’t respond in X hours.

estimate(items jsonb,total) + milestone(ord,title,amount,status); LineItemBuilder (pro) + EstimateCard (client) + MilestoneStepper components.

Client Approve/Discuss; approval locks (padlock+timestamp); project card both sides; milestone machine (agreed→deposit paid→submitted→approved/auto-approved after N days); one-active-milestone.

Portfolio cases (before/after, timeline, budget); diagnostic-visit SKU + published rate card for repairs; "looks first, estimate second, milestones third".

"Generate contract" → PDF (parties + estimate on brand letterhead); downloadFile (native).

Next.js landing: pro numbers/earnings, quantified stats, transparent pricing ladder (anchored middle), SEO, objection-killing FAQ; CSP/HSTS/headers.

SEO-friendly public booking pages mirroring the salon-page anatomy; QR target.

Desktop Biz: OTP login, sidebar, week calendar grid ("all chairs"), same API.

Roles grid; resource-gated availability (shared chair/equipment/room prevents cross-master double-book).

3 plain-language presets (fixed %, %+daily, tiered %); red/yellow drift highlighting ("why did salary change?"); master self-view of earnings.

react-admin on same API (separate namespace + auth); separate issuer; mandatory TOTP 2FA; 8h sessions; optional IP binding.

Manage masters/bookings/payments/reviews; impersonation with distinct tagged token recorded in every audit event.

Append-only audit_log (app insert-only); admin actions always recorded; alerts on 401/403 spikes, OTP brute force, webhook mismatches, admin exports.

Review-flag handling; verification document review queue; hide/restore content.

Category open/close per city UI; zero-result-search dashboard (curtain demand signal); business metrics (MRR, cohorts).

Ensure every shipped function has its docs/functions doc (use/edge/error/test cases) passing docs:validate; machine-readable for the AI support assistant.

/docs/staff generated from corpus staff_summary + hand-written staff guides; UZ/RU.

/help generated from client_summary + client guides; friendly UZ/RU; FAQ incl. "we never ask for codes/cards".

/security page with security@orin.uz; responsible-disclosure policy; "we never ask for codes/passwords/cards".

Replace static render with a read-only /kanban page in the web app, rendering kanban.json from the deployed build; DS status colors; no edit controls.

IaC: users, firewall (default-deny, 80/443 + allowlisted 22), Docker, DOCKER-USER chain, services, hardening §12; assert-role drift check run weekly via cron.

Caddy reverse proxy (TLS auto-renew + 14-day expiry alert); isolated dev/staging compose (own networks/volumes/secrets/bots); dev.orin.uz + staging.orin.uz live.

GHCR private images (pinned by sha); GitHub Actions: PR→test, develop→dev, main/tag→staging; deploy via docker compose pull&&up over restricted SSH key; migrations + volume snapshot; sha rollback.

Daily pg_dump + WAL archiving (PITR); 7-day local + encrypted (age/gpg) offsite on Hetzner Storage Box 30-day; quarterly restore drill.

Sentry (front+back); Prometheus/Grafana (RPS, p95, queues, bookings/min); Loki (JSON logs, PII-masked); PostHog product events; alerts to TG channel.

Separate dev + staging bots; setWebhook to /webhook/tg; signature/secret verification.

Full IDOR sweep (every endpoint: someone-else id → 404/403); rate-limit coverage (API 60rpm/user 300/IP, OTP, search 30rpm, booking 10/h, webhooks); captcha on booking excess.

Logger masking (phones +99890***1234, addresses district-only, tokens never); contact exposure only at confirmed/in_progress, hidden after completion; gitleaks clean; deletion/anonymization procedure.

End-to-end suite across all flows green; load sanity (booking creation, search, webhooks); flake elimination.

Incident-response one-pager; migrate-to-uz.md rehearsed on staging copy (timed); security-policy launch checklist fully ticked.

External-pentest scope (Mini App + API + webhooks + admin); Dependabot/Renovate on; pnpm audit fail-on-critical; trivy image scan; critical CVEs closed.