init local package repo

ROADMAP.md

@@ -0,0 +1,92 @@
+# Venture CRM Roadmap (Airtable Replacement)
+
+## Current status
+- Premium Airtable-like frontend grid exists and is actively iterating.
+- Backend now has production-grade APIs for:
+  - `GET /api/fundraising/state`
+  - `PUT /api/fundraising/state` (with optimistic version check)
+  - `GET /api/fundraising/export`
+  - `POST /api/fundraising/backup`
+  - `POST /api/fundraising/restore-preview`
+  - `POST /api/fundraising/restore`
+  - `GET /api/fundraising/backups`
+  - `GET/PATCH /api/fundraising/backup-policy`
+  - `GET /api/fundraising/relational-summary`
+  - `GET /api/feature-requests`
+  - `POST /api/feature-requests`
+  - `PATCH /api/feature-requests/:id`
+- New DB tables:
+  - `fundraising_state`
+  - `fundraising_investors`
+  - `fundraising_contacts`
+  - `fundraising_funds`
+  - `fundraising_commitments`
+  - `fundraising_views`
+  - `feature_requests`
+  - `app_settings`
+- Grid saves/restores now sync into relational fundraising tables automatically.
+- Formula engine is now sandboxed (no `eval`/`new Function`) with expanded function support.
+- Automation engine v1 added:
+  - Rule table + toggle API
+  - List memberships (`main`, `follow_up`, `graveyard`, `longshot`, `all`)
+  - Automation run log
+- Collaboration/reliability additions:
+  - Unified activity feed API (`audit` + `automation` + `backup`)
+  - Backup integrity verification API
+  - Better version-conflict metadata (`updated_at`, `updated_by`)
+- Security hardening additions:
+  - Basic IP rate limiting (login and write APIs)
+  - Configurable CORS origin (`CRM_CORS_ORIGIN`)
+  - Production secret enforcement (`CRM_ENV=production` requires `CRM_SECRET_KEY`)
+  - Security status API + go-live checklist (`SECURITY.md`)
+
+## Phase 1 (Production foundation)
+1. Persist grid + views on backend
+- Wire frontend fundraising grid reads/writes to `/api/fundraising/state`.
+- Keep localStorage only as emergency fallback.
+- Add autosave debounce and conflict handling (`expected_version`).
+
+2. Admin-invite auth model
+- Disable self-register for non-admin users.
+- Add admin-only invite/create-user endpoint.
+- Keep role model: `admin`, `member`.
+
+3. Deployment and remote access
+- Add `docker-compose` for one-command launch.
+- Reverse proxy + TLS option (Caddy/Traefik) for non-Tailscale deployments.
+- Recommended for your use case: Tailscale private access to laptop host.
+
+4. Data safety and operations
+- Automated nightly SQLite backups and restore test script.
+- Add `/api/fundraising/export` for JSON snapshot export.
+- Add health/readiness checks.
+
+## Phase 2 (Airtable parity)
+1. Advanced views
+- Multi-condition filter groups (AND/OR groups)
+- Multi-column sorting
+- Pinned/frozen columns
+- Personal vs shared views
+
+2. Formula engine v2
+- Add functions: `SUM`, `MIN`, `MAX`, `ROUND`, `ABS`, `CONCAT` (done)
+- Type-aware formulas and better errors
+- Dependency graph and recalculation rules
+
+3. Activity + audit
+- Record-level change history in UI
+- Last modified by / at fields
+- Restore archived rows
+
+## Phase 3 (Team workflow and automation)
+1. Tasks/reminders tied to investors/contacts
+2. Automation rules (graveyard/follow-up triggers)
+3. Email/communication integrations (optional)
+4. Granular permissions (if team grows)
+
+## Definition of done for "Airtable substitute" v1
+- Team can manage all investors in one master table
+- Saved views replicate current Airtable workflows
+- CSV import from Airtable is reliable and repeatable
+- Data persists safely and supports multi-user access
+- Auth is invite-only and backups are automated