Development Roadmap
| Project | PTX Channel Manager (ptx-cm) |
| Current Version | 2.0.0 |
| Last Updated | 2026-02-20 |
Project Phases
Phase 01: Anti-Overbooking Core
| Status | ⚠️ PARTIAL (infrastructure complete, OTA integration stubbed) |
| Priority | P1 |
| Timeline | Original (MVP) |
| Last Updated | 2026-02-18 |
Features Delivered:
- [x] OTA Account Management (FR-01) - Encrypted credential storage, session tracking. ⚠️ testConnection/refreshSession are stubs.
- [ ] Property Discovery & Import (FR-02) - ❌ OTA adapters are stubs. No auto-discover, no import UI.
- [x] Booking Pull (FR-03) - BullMQ orchestration + dedup. ⚠️ OTA `fetchBookings()` returns empty. No incremental pull.
- [x] Availability Auto-Sync (FR-04) - Recalculate logic + overbooking detection. ⚠️ OTA `pushAvailability()` is a stub.
- [x] Property & Room Management (FR-05) - CRUD for properties, room types, mappings
- [x] Sync Status Dashboard (FR-06) - Real-time overview per property/OTA
- [x] Overbooking Alert (FR-07) - Alert creation/resolve ✅. ⚠️ LINE Notify stub. Email depends on SMTP config.
- [x] Country-Scoped Access (FR-08) - Staff scoped to country, manager sees all
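The FR-03/FR-04/FR-07 chain above (dedup pulled bookings, recalculate availability, raise an alert when a night goes negative) is the part of Phase 01 that is real code while the adapters are stubs. The following is an added TypeScript example, not ptx-cm's own code, showing that chain end to end on constructed bookings. It assumes a simplified model: one inventory count per room type, bookings that occupy the nights `[checkIn, checkOut)`, a dedup key of `otaType` + `otaBookingId`, and field names (`otaType`, `otaBookingId`, `roomTypeId`) that are this example's, not the schema's.

```typescript
// Added example, not ptx-cm project code. Simplified model: one inventory count per room type,
// bookings occupy the nights [checkIn, checkOut). Field names are assumed, not the project schema.
type BookingStatus = "confirmed" | "cancelled";

interface PulledBooking {
  otaType: string;        // e.g. "booking.com" (assumed field name)
  otaBookingId: string;   // the OTA's own reference (assumed field name)
  roomTypeId: string;
  checkIn: string;        // YYYY-MM-DD
  checkOut: string;       // YYYY-MM-DD, exclusive
  status: BookingStatus;
}

interface RoomType { id: string; inventory: number; }
interface Overbooking { roomTypeId: string; date: string; overflow: number; }

// Dedup for pulled bookings: overlapping pulls return the same reservation twice, so key on the
// OTA's own identifier and let the last copy win (it carries the newest status).
function dedupeBookings(pulled: PulledBooking[]): PulledBooking[] {
  const byKey = new Map<string, PulledBooking>();
  for (const b of pulled) byKey.set(`${b.otaType}:${b.otaBookingId}`, b);
  return [...byKey.values()];
}

// Nights a booking occupies. An invalid date or a check-out on/before check-in yields nothing.
function nightsOf(checkIn: string, checkOut: string): string[] {
  const out: string[] = [];
  const d = new Date(`${checkIn}T00:00:00Z`);
  const end = new Date(`${checkOut}T00:00:00Z`);
  if (Number.isNaN(d.getTime()) || Number.isNaN(end.getTime())) return out;
  for (; d.getTime() < end.getTime(); d.setUTCDate(d.getUTCDate() + 1)) {
    out.push(d.toISOString().slice(0, 10));
  }
  return out;
}

// Recalculate from scratch rather than apply deltas: inventory minus confirmed bookings per night.
// Returns Map<roomTypeId, Map<date, available>>.
function recalcAvailability(roomTypes: RoomType[], bookings: PulledBooking[]): Map<string, Map<string, number>> {
  const inventory = new Map(roomTypes.map((r): [string, number] => [r.id, r.inventory]));
  const avail = new Map<string, Map<string, number>>();
  for (const b of dedupeBookings(bookings)) {
    if (b.status !== "confirmed") continue;
    const inv = inventory.get(b.roomTypeId);
    if (inv === undefined) continue; // unmapped room type: skip rather than guess an inventory
    const perDate = avail.get(b.roomTypeId) ?? new Map<string, number>();
    for (const night of nightsOf(b.checkIn, b.checkOut)) {
      perDate.set(night, (perDate.get(night) ?? inv) - 1);
    }
    avail.set(b.roomTypeId, perDate);
  }
  return avail;
}

// Any night with negative availability is an overbooking and becomes an FR-07 alert input.
function detectOverbookings(avail: Map<string, Map<string, number>>): Overbooking[] {
  const found: Overbooking[] = [];
  for (const [roomTypeId, perDate] of avail) {
    for (const [date, n] of perDate) {
      if (n < 0) found.push({ roomTypeId, date, overflow: -n });
    }
  }
  return found.sort((a, b) => a.roomTypeId.localeCompare(b.roomTypeId) || a.date.localeCompare(b.date));
}

// Constructed sample: 2 rooms, three confirmed bookings overlapping on 2026-03-02, one booking
// pulled twice, one cancelled booking that must not consume inventory.
const sampleRoomTypes: RoomType[] = [{ id: "rt-1", inventory: 2 }];
const sampleBookings: PulledBooking[] = [
  { otaType: "booking.com", otaBookingId: "A1", roomTypeId: "rt-1", checkIn: "2026-03-01", checkOut: "2026-03-03", status: "confirmed" },
  { otaType: "agoda",       otaBookingId: "B1", roomTypeId: "rt-1", checkIn: "2026-03-02", checkOut: "2026-03-04", status: "confirmed" },
  { otaType: "expedia",     otaBookingId: "C1", roomTypeId: "rt-1", checkIn: "2026-03-02", checkOut: "2026-03-03", status: "confirmed" },
  { otaType: "expedia",     otaBookingId: "C1", roomTypeId: "rt-1", checkIn: "2026-03-02", checkOut: "2026-03-03", status: "confirmed" }, // duplicate pull
  { otaType: "traveloka",   otaBookingId: "D1", roomTypeId: "rt-1", checkIn: "2026-03-01", checkOut: "2026-03-02", status: "cancelled" },
];

function sampleOverbookings(): Overbooking[] {
  return detectOverbookings(recalcAvailability(sampleRoomTypes, sampleBookings));
}
```

On the sample data the only overbooking is `rt-1` on 2026-03-02 (three confirmed bookings against two rooms); the duplicate Expedia pull is collapsed before it can be counted twice, and the cancelled Traveloka booking leaves 2026-03-01 with one room free.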
Deliverables:
- Database schema (15 tables)
- NestJS backend with 10 core modules
- Next.js frontend with 6 pages (login, dashboard, properties, bookings, alerts, sync-jobs)
- OTA adapters (Booking.com, Agoda, Traveloka, Expedia) — ALL 4 ARE STUBS (no real HTTP/scraping)
- BullMQ job queue for async sync (orchestration wired, adapters empty)
Known Gaps:
- All 4 OTA adapters return empty/false — sync engine runs but produces no real data
- `/ota-accounts/[id]` detail page → 404 (list links to non-existent route)
- Import Properties (S-07) screen not built
- No Force Sync button in sync-jobs UI (backend endpoint exists)
- OtaConnection + OtaRoomMapping not seeded
Phase 02: Operational Efficiency
| Status | ❌ NOT IMPLEMENTED |
| Priority | P2 |
| Timeline | Post-MVP |
| Last Updated | 2026-02-18 |
Features NOT Built:
- [ ] Bulk Rate Update (FR-09) - ❌ No service, no controller, no API, no UI. DB models (Rate, RateRule) exist but unused.
- [ ] Availability Calendar (FR-10) - ❌ No route, no component, no page.
- [ ] Booking Timeline (FR-11) - ❌ No route, no component, no page.
- [ ] Cancellation Sync (FR-12) - ❌ No cancelBooking in adapter interface. Status workflow can mark cancelled but no OTA-side detection.
Status by Subfeature:
- FR-09: Design ✅ | Implementation ❌ | Testing ❌
- FR-10: Design ✅ | Implementation ❌ | Testing ❌
- FR-11: Design ✅ | Implementation ❌ | Testing ❌
- FR-12: Design ✅ | Implementation ❌ | Testing ❌
Phase 2.5: User Profile & Auth Improvements
| Status | ✅ COMPLETE (as of 2026-02-13) |
| Priority | P2 |
| Timeline | Mid-cycle enhancement |
Features Delivered:
- [x] User Profile Management (FR-16) - Edit name, email, locale
- [x] Password Change (FR-17) - Secure password update with verification
- [x] Auth Hydration (FR-18) - GET /users/me on app mount
- [x] Client-Side Theme (FR-19) - Dark/light toggle with localStorage
- [x] Admin Password Reset (FR-20) - Temp password & email reset link flows
- [x] Forgot Password (FR-21) - Self-service password reset
Deliverables:
- `/profile` page with edit form
- Password change modal with mustChangePassword flow
- `GET /users/me` endpoint for auth restoration
- Theme toggle in TopBar
- Public pages: /forgot-password, /reset-password, /change-password
- Admin endpoints: POST /users/:id/reset-password, POST /users/:id/send-reset-link
- Public endpoints: POST /auth/forgot-password, POST /auth/reset-password
- PasswordResetToken model with SHA-256 hashing
- Email service integration (HTML reset emails)
- Daily cron job for token cleanup
Implementation Details:
- Profile form: zod validation on frontend, class-validator on backend
- Password change: Current password verification, 8-char minimum, mustChangePassword support
- Auth hydration: Called on app mount, 401 → redirect to login
- Theme: Stored in localStorage, no backend persistence
- Password reset: SHA-256 token hashing, 1-hour expiry, one-time use
- Rate limiting: 3 tokens per user per hour, throttle on endpoints
- Email enumeration prevention: Always return success on forgot-password
- Superadmin hierarchy enforcement: Cannot reset SA password
- Session invalidation: All refresh tokens revoked on password reset
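The reset-token rules listed above (SHA-256 hash at rest, 1-hour expiry, one-time use, 3 tokens per user per hour, identical forgot-password response for unknown emails, refresh-token revocation on reset) interact, and the order of the checks matters. The block below is an added TypeScript example, not the project's auth module, that implements all of them in one service against in-memory stand-ins for the User and PasswordResetToken models. The injected clock, the `refreshTokenIds` field, and scrypt as the password hash are this example's assumptions.

```typescript
import { createHash, randomBytes, scryptSync } from "node:crypto";

// Added example, not ptx-cm project code. In-memory stand-ins for the User and
// PasswordResetToken models; the clock is injected so expiry can be exercised offline.
interface UserRecord { id: string; email: string; passwordHash: string; refreshTokenIds: Set<string>; }
interface ResetTokenRecord { userId: string; expiresAt: number; usedAt: number | null; createdAt: number; }

const TOKEN_TTL_MS = 60 * 60 * 1000;   // 1-hour expiry
const MAX_TOKENS_PER_HOUR = 3;         // per-user issuance limit
const MIN_PASSWORD_LENGTH = 8;

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Assumed password hashing for the example: scrypt with a random salt, stored as salt:hash.
function hashPassword(password: string): string {
  const salt = randomBytes(16).toString("hex");
  return `${salt}:${scryptSync(password, salt, 64).toString("hex")}`;
}

class PasswordResetService {
  // Keyed by sha256(rawToken): only the hash is persisted, so a DB leak yields no usable tokens.
  private tokens = new Map<string, ResetTokenRecord>();
  constructor(private users: Map<string, UserRecord>, private now: () => number = Date.now) {}

  // POST /auth/forgot-password. Unknown email and rate-limited user get the same result as a
  // real request, which is what stops enumeration. The raw token is returned only so the mailer
  // can build the link; it is never stored.
  requestReset(email: string): { rawToken: string | null } {
    const wanted = email.trim().toLowerCase();
    const user = [...this.users.values()].find(u => u.email === wanted);
    if (!user) return { rawToken: null };
    const since = this.now() - TOKEN_TTL_MS;
    const recent = [...this.tokens.values()].filter(t => t.userId === user.id && t.createdAt > since).length;
    if (recent >= MAX_TOKENS_PER_HOUR) return { rawToken: null };
    const rawToken = randomBytes(32).toString("hex");
    this.tokens.set(sha256(rawToken), {
      userId: user.id, expiresAt: this.now() + TOKEN_TTL_MS, usedAt: null, createdAt: this.now(),
    });
    return { rawToken };
  }

  // POST /auth/reset-password. Validate the token before the password policy so a policy
  // failure does not burn the token; mark it used before touching the user record.
  resetPassword(rawToken: string, newPassword: string): boolean {
    const record = this.tokens.get(sha256(rawToken));
    if (!record || record.usedAt !== null || record.expiresAt <= this.now()) return false;
    if (newPassword.length < MIN_PASSWORD_LENGTH) return false;
    const user = this.users.get(record.userId);
    if (!user) return false;
    record.usedAt = this.now();                 // one-time use
    user.passwordHash = hashPassword(newPassword);
    user.refreshTokenIds.clear();               // every existing session is invalidated
    return true;
  }

  // Daily cron: drop consumed or expired tokens. Returns how many rows were removed.
  cleanup(): number {
    let removed = 0;
    for (const [hash, t] of this.tokens) {
      if (t.usedAt !== null || t.expiresAt <= this.now()) {
        this.tokens.delete(hash);
        removed++;
      }
    }
    return removed;
  }
}
```

Two details worth keeping when porting this onto Prisma: the lookup is by token hash, so the `tokenHash` column needs a unique index, and the per-hour limit is counted from `createdAt` rather than from a separate counter, so the same cron that clears expired rows also resets the limit naturally.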
Phase 03: Security Hardening Sprint
| Status | ✅ COMPLETE (as of 2026-02-12) |
| Priority | P1 (Security) |
| Timeline | Continuous security improvements |
Implemented Phases:
Phase 03.0: Activity Logging (Feb 12)
- [x] NestJS middleware for HTTP request logging
- [x] Efficient tail-reading for large log files (64KB buffer)
- [x] SuperAdminGuard protecting activity logs endpoint
- [x] Activity log dashboard panel with SWR polling
- [x] Environment variable toggle (ACTIVITY_LOG_ENABLED)
Code Changes:
- `apps/api/src/common/middleware/activity-log.middleware.ts` - New middleware logging all requests
- `apps/api/src/modules/activity-logs/` - New module with controller & service
- `apps/api/src/common/guards/super-admin.guard.ts` - New guard for activity logs endpoint
- `apps/web/components/dashboard/activity-log-panel.tsx` - Terminal-style activity viewer
- `logs/` added to `.gitignore` (log files excluded from version control)
- `.env.example` - Added `ACTIVITY_LOG_ENABLED=true`
Features:
- Log format: `TIMESTAMP | EMAIL | METHOD | PATH | STATUS | SCREEN`
- Excludes activity-logs endpoint itself from logging
- Color-coded HTTP method badges (GET/POST/PATCH/PUT/DELETE)
- Status highlighting (2xx/3xx white, 4xx amber, 5xx red)
- SWR polling every 5s with pause/resume controls
- Limit selector (1-500 entries, default 100)
- Terminal-style dark panel on dashboard (super admin only)
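The 64KB tail read and the line format above are simple to state but easy to get subtly wrong (a partial first line at the chunk boundary, a multi-byte character split across chunks, the dashboard's own polling filling the log). The block below is an added TypeScript example, not the activity-logs module, that writes a constructed log to a temp file, tails it backwards in fixed chunks, parses the stated format, and applies the endpoint exclusion. It also strips the query string before logging, which the roadmap does not mention but which matters here: a logged `GET /reset-password?token=...` would leave live reset tokens in a file the super-admin panel displays. Function names are this example's own.

```typescript
import { closeSync, fstatSync, mkdtempSync, openSync, readSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Added example, not ptx-cm project code. The line format is the one the roadmap states;
// the tail reader, parser, and path sanitiser are this example's own.
const DEFAULT_CHUNK = 64 * 1024;

interface ActivityEntry { timestamp: string; email: string; method: string; path: string; status: number; screen: string; }

// Never log the query string: reset links and similar carry secrets in the URL.
function sanitizePath(rawPath: string): string {
  const cut = rawPath.search(/[?#]/);
  return cut >= 0 ? rawPath.slice(0, cut) : rawPath;
}

// The activity-logs endpoint is excluded, otherwise the 5-second dashboard poll floods the file.
function shouldLog(path: string): boolean {
  return !sanitizePath(path).startsWith("/activity-logs");
}

function formatEntry(e: ActivityEntry): string {
  return [e.timestamp, e.email, e.method, sanitizePath(e.path), String(e.status), e.screen].join(" | ");
}

function parseEntry(line: string): ActivityEntry | null {
  const parts = line.split(" | ");
  if (parts.length !== 6) return null;
  const status = Number(parts[4]);
  if (!Number.isInteger(status)) return null;
  return { timestamp: parts[0], email: parts[1], method: parts[2], path: parts[3], status, screen: parts[5] };
}

// Dashboard colouring: 2xx/3xx plain, 4xx amber, 5xx red.
function statusClass(status: number): "ok" | "client-error" | "server-error" {
  return status >= 500 ? "server-error" : status >= 400 ? "client-error" : "ok";
}

// Last `limit` non-empty lines, read backwards in fixed-size chunks so a very large log costs a
// few chunk reads rather than a full scan. Chunk size is a parameter only so tests can shrink it.
function tailLines(filePath: string, limit: number, chunkSize = DEFAULT_CHUNK): string[] {
  const fd = openSync(filePath, "r");
  try {
    let pos = fstatSync(fd).size;
    const chunks: Buffer[] = [];
    let newlines = 0;
    // Keep reading until the window holds at least limit+1 newlines, which guarantees
    // `limit` complete lines even if the window starts mid-line.
    while (pos > 0 && newlines <= limit) {
      const len = Math.min(chunkSize, pos);
      pos -= len;
      const buf = Buffer.alloc(len);
      readSync(fd, buf, 0, len, pos);
      for (let i = 0; i < buf.length; i++) if (buf[i] === 0x0a) newlines++;
      chunks.unshift(buf);
    }
    // Decode once after concatenation so a UTF-8 sequence split across chunks stays intact.
    let segments = Buffer.concat(chunks).toString("utf8").split("\n");
    if (pos > 0) segments = segments.slice(1); // first segment is a partial line from before the window
    return segments.filter(s => s.length > 0).slice(-limit);
  } finally {
    closeSync(fd);
  }
}

// Constructed sample log written to a temp file; returns the parsed tail.
function sampleTail(limit: number, chunkSize: number): ActivityEntry[] {
  const entries: ActivityEntry[] = [
    { timestamp: "2026-02-12T09:00:01Z", email: "ops@example.com", method: "GET", path: "/properties", status: 200, screen: "dashboard" },
    { timestamp: "2026-02-12T09:00:05Z", email: "ops@example.com", method: "POST", path: "/auth/refresh", status: 401, screen: "bookings" },
    { timestamp: "2026-02-12T09:00:09Z", email: "admin@example.com", method: "PATCH", path: "/properties/p1", status: 500, screen: "properties" },
    { timestamp: "2026-02-12T09:00:12Z", email: "anon", method: "GET", path: "/reset-password?token=constructed-secret", status: 200, screen: "reset" },
    { timestamp: "2026-02-12T09:00:15Z", email: "ops@example.com", method: "GET", path: "/alerts", status: 200, screen: "alerts" },
  ];
  const dir = mkdtempSync(join(tmpdir(), "ptx-activity-"));
  const file = join(dir, "activity.log");
  writeFileSync(file, entries.map(formatEntry).join("\n") + "\n");
  return tailLines(file, limit, chunkSize).map(parseEntry).filter((e): e is ActivityEntry => e !== null);
}
```

Running the tail with a 16-byte chunk forces several backward reads over the constructed file and exercises the partial-first-line case that a single 64KB read would hide on a small log.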
Phase 03.1: Auth Hardening (Feb 10)
- [x] DB-backed refresh tokens (RefreshToken model)
- [x] Token rotation on each refresh
- [x] Token revocation on logout & password change
- [x] JWT ID (jti) tracking for session management
- [x] Rate limiting: 5/min login, 10/min refresh
- [x] HttpOnly cookies for token storage
Code Changes:
- `packages/database/prisma/schema.prisma` - Added RefreshToken model
- `apps/api/src/modules/auth/auth.service.ts` - Token storage & revocation
- `apps/api/src/modules/auth/auth.controller.ts` - Cookie-based token handling
- `.env.example` - JWT_REFRESH_SECRET added
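DB-backed refresh tokens with a jti, rotation on every refresh and revocation on logout or password change, as listed for Phase 03.1, only pay off if reuse of an already-rotated token is treated as a signal: the legitimate client never presents an old token twice, so a replay means the cookie was stolen. The block below is an added TypeScript example, not the project's auth service, that models the RefreshToken table in memory and implements rotation with family-wide revocation on reuse. The HMAC-signed payload is a stand-in for the JWT layer, and the 7-day lifetime, `familyId`/`replacedBy` columns and injected clock are assumptions of this example.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Added example, not ptx-cm project code. Stand-ins for the RefreshToken model and the JWT
// layer: an HMAC-SHA256-signed payload carrying the jti, so both the signature and the DB row
// are checked on every refresh. Secret and clock are injected.
interface RefreshRow { jti: string; userId: string; familyId: string; expiresAt: number; revokedAt: number | null; replacedBy: string | null; }
interface RefreshClaims { sub: string; jti: string; exp: number; }

const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000; // assumed 7-day lifetime

function sign(claims: RefreshClaims, secret: string): string {
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const mac = createHmac("sha256", secret).update(body).digest("base64url");
  return `${body}.${mac}`;
}

function verify(token: string, secret: string): RefreshClaims | null {
  const dot = token.lastIndexOf(".");
  if (dot < 0) return null;
  const body = token.slice(0, dot);
  const mac = Buffer.from(token.slice(dot + 1), "base64url");
  const expected = createHmac("sha256", secret).update(body).digest();
  if (mac.length !== expected.length || !timingSafeEqual(mac, expected)) return null;
  try {
    return JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as RefreshClaims;
  } catch {
    return null;
  }
}

class RefreshTokenService {
  private rows = new Map<string, RefreshRow>();
  constructor(private secret: string, private now: () => number = Date.now) {}

  private mint(userId: string, familyId: string): { token: string; jti: string } {
    const jti = randomBytes(16).toString("hex");
    const exp = this.now() + REFRESH_TTL_MS;
    this.rows.set(jti, { jti, userId, familyId, expiresAt: exp, revokedAt: null, replacedBy: null });
    return { token: sign({ sub: userId, jti, exp }, this.secret), jti };
  }

  // Login: start a new token family.
  issue(userId: string): string {
    return this.mint(userId, randomBytes(8).toString("hex")).token;
  }

  // POST /auth/refresh. The DB row is authoritative: a valid signature on a revoked jti means the
  // token was already rotated, so its whole family is revoked and the caller must log in again.
  rotate(token: string): string | null {
    const claims = verify(token, this.secret);
    if (!claims) return null;
    const row = this.rows.get(claims.jti);
    if (!row || row.userId !== claims.sub) return null;
    if (row.revokedAt !== null) {
      this.revokeFamily(row.familyId);
      return null;
    }
    if (row.expiresAt <= this.now()) return null;
    const next = this.mint(row.userId, row.familyId);
    row.revokedAt = this.now();
    row.replacedBy = next.jti;
    return next.token;
  }

  // Logout or password change: revoke everything the user holds. Returns the number revoked.
  revokeAllForUser(userId: string): number {
    let n = 0;
    for (const row of this.rows.values()) {
      if (row.userId === userId && row.revokedAt === null) { row.revokedAt = this.now(); n++; }
    }
    return n;
  }

  private revokeFamily(familyId: string): void {
    for (const row of this.rows.values()) {
      if (row.familyId === familyId && row.revokedAt === null) row.revokedAt = this.now();
    }
  }

  isActive(token: string): boolean {
    const claims = verify(token, this.secret);
    const row = claims ? this.rows.get(claims.jti) : undefined;
    return !!row && row.revokedAt === null && row.expiresAt > this.now();
  }
}
```

The family revocation is the reason the cookie-only, single-flight refresh on the web side (Phase 03.3) matters: if the browser ever sent two refreshes with the same cookie, the second would look exactly like a replay and log the user out.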
Phase 03.2: Access Control (Feb 11)
- [x] Country-scope guard & decorator
- [x] `assertPropertyAccess()` helper
- [x] `@Roles(manager)` guards on mutations
- [x] Allowed countries validation (TH, VN, ID)
- [x] sortBy whitelist on list DTOs
Code Changes:
- `apps/api/src/common/guards/country-scope.guard.ts` - New guard
- `apps/api/src/common/decorators/country-scope.decorator.ts` - New decorator
- `apps/api/src/common/helpers/country-scope.helper.ts` - assertPropertyAccess helper
- All list DTOs updated with sortBy validation
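The Phase 03.2 items are four separate checks that share one rule (staff see only their country, managers see all) and one input-validation rule (a sortBy the client controls must never reach Prisma unchecked). The block below is an added TypeScript example, not the project's guard, decorator or helper, that expresses them as plain functions so the policy can be unit-tested without NestJS. The NestJS wiring is assumed rather than reproduced; `HttpError`, `statusOf`, the `superadmin` role and the booking sort field list are this example's own.

```typescript
// Added example, not ptx-cm project code. The checks as plain functions; the NestJS guard and
// decorator that would call them are assumed, not shown.
type Role = "staff" | "manager" | "superadmin";
const ALLOWED_COUNTRIES = ["TH", "VN", "ID"] as const;
type Country = (typeof ALLOWED_COUNTRIES)[number];

interface AuthUser { id: string; role: Role; country: Country | null; }
interface PropertyRow { id: string; country: Country; }

class HttpError extends Error {
  constructor(public readonly status: number, message: string) { super(message); }
}
const forbidden = (m: string): HttpError => new HttpError(403, m);
const badRequest = (m: string): HttpError => new HttpError(400, m);

// Allowed-countries validation for DTOs: unknown codes are rejected before they reach a query.
function isAllowedCountry(value: unknown): value is Country {
  return typeof value === "string" && (ALLOWED_COUNTRIES as readonly string[]).includes(value);
}

// Managers see all countries; staff are pinned to their own. The result is meant to be spread
// into a Prisma `where`, so every list query carries the scope rather than relying on the UI.
function countryScopeWhere(user: AuthUser): { country?: Country } {
  if (user.role === "manager" || user.role === "superadmin") return {};
  if (!user.country) throw forbidden("staff user has no country assigned");
  return { country: user.country };
}

// Per-record check for detail and mutation routes: a 403, not a silent empty result, so a
// misrouted request is visible in the activity log.
function assertPropertyAccess(user: AuthUser, property: PropertyRow): void {
  const scope = countryScopeWhere(user);
  if (scope.country !== undefined && scope.country !== property.country) {
    throw forbidden(`property ${property.id} is outside country ${scope.country}`);
  }
}

// Stand-in for @Roles(manager) on mutations.
function assertCanMutate(user: AuthUser): void {
  if (user.role !== "manager" && user.role !== "superadmin") throw forbidden("manager role required");
}

// sortBy whitelist: only known columns may reach Prisma orderBy. Without it a client can order
// on (and therefore probe) columns it should never see, such as password or credential hashes.
const BOOKING_SORT_FIELDS = ["checkIn", "checkOut", "createdAt", "status"] as const;
type BookingSortField = (typeof BOOKING_SORT_FIELDS)[number];

function parseBookingSort(sortBy?: string, sortOrder?: string): Partial<Record<BookingSortField, "asc" | "desc">> {
  const field = sortBy ?? "createdAt";
  if (!(BOOKING_SORT_FIELDS as readonly string[]).includes(field)) {
    throw badRequest(`sortBy must be one of ${BOOKING_SORT_FIELDS.join(", ")}`);
  }
  const order = sortOrder ?? "desc";
  if (order !== "asc" && order !== "desc") throw badRequest("sortOrder must be asc or desc");
  const result: Partial<Record<BookingSortField, "asc" | "desc">> = {};
  result[field as BookingSortField] = order;
  return result;
}

// Test helper: run a check and report the HTTP status it would produce (200 when it passes).
function statusOf(check: () => unknown): number {
  try {
    check();
    return 200;
  } catch (e) {
    return typeof e === "object" && e !== null && "status" in e ? (e as HttpError).status : 500;
  }
}
```

Keeping `countryScopeWhere` as the single source of the rule means the list guard and the per-record helper cannot drift apart; a staff account with no country assigned is refused rather than silently widened to all countries.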
Phase 03.3: Frontend Security (Feb 11)
- [x] Edge middleware for route protection
- [x] Promise-based token refresh queue (race condition fix)
- [x] Content-Type header forwarding in proxy
- [x] Cookie-only token flow
Code Changes:
- `apps/web/middleware.ts` - Route protection, redirect to /login
- `apps/web/lib/api-client.ts` - Token refresh queue, interceptors
- `apps/web/app/api/[...proxy]/route.ts` - Proxy with header forwarding
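The "promise-based token refresh queue" fixes a race that is worth seeing concretely: when a page mounts it fires several API calls at once, all of them get 401 when the access cookie has expired, and each would otherwise trigger its own `POST /auth/refresh`. With rotated refresh tokens only the first refresh can succeed; the rest present an already-rotated cookie and, with the Phase 03.1 reuse detection, get the whole session revoked. The block below is an added TypeScript example, not `apps/web/lib/api-client.ts`, showing the single-flight pattern with an injected transport and a constructed fake backend that rejects any second refresh, so the race is reproducible offline. `ApiClient`, `Transport` and `Refresh` are this example's names.

```typescript
// Added example, not ptx-cm project code. Minimal model of the web client's refresh logic.
// The browser holds no tokens (cookie-only flow), so "refresh" is a POST the backend answers
// by rotating the HttpOnly cookie. Transport and refresh are injected for offline testing.
interface HttpResponse { status: number; body?: unknown; }
type Transport = (path: string) => Promise<HttpResponse>;
type Refresh = () => Promise<boolean>;

class ApiClient {
  private refreshInFlight: Promise<boolean> | null = null;
  refreshCalls = 0;      // how many times POST /auth/refresh was actually sent
  loggedOut = false;     // set when refresh fails; the real client redirects to /login

  constructor(private transport: Transport, private refresh: Refresh) {}

  async request(path: string): Promise<HttpResponse> {
    const first = await this.transport(path);
    if (first.status !== 401) return first;
    const refreshed = await this.refreshOnce();
    if (!refreshed) {
      this.loggedOut = true;
      return first;
    }
    return this.transport(path); // retry exactly once, never loop
  }

  // Single-flight refresh: every 401 that arrives while a refresh is pending awaits the same
  // promise. The slot is cleared on both settle paths so a later expiry can refresh again.
  private refreshOnce(): Promise<boolean> {
    if (this.refreshInFlight) return this.refreshInFlight;
    this.refreshCalls++;
    this.refreshInFlight = this.refresh().then(
      ok => { this.refreshInFlight = null; return ok; },
      () => { this.refreshInFlight = null; return false; },
    );
    return this.refreshInFlight;
  }
}

// Constructed fake backend: the session starts expired; a refresh is valid once only, mimicking
// rotation, so any second refresh in the same generation is rejected as a replay.
function makeFakeBackend(refreshSucceeds: boolean): { transport: Transport; refresh: Refresh } {
  let sessionValid = false;
  let refreshesSeen = 0;
  const transport: Transport = async path => (sessionValid ? { status: 200, body: path } : { status: 401 });
  const refresh: Refresh = async () => {
    await new Promise<void>(resolve => setTimeout(resolve, 5)); // latency, so the 401s pile up
    refreshesSeen++;
    if (!refreshSucceeds || refreshesSeen > 1) return false;
    sessionValid = true;
    return true;
  };
  return { transport, refresh };
}

// Three concurrent requests on mount, the situation the queue exists for.
async function concurrentRequests(refreshSucceeds: boolean): Promise<{ statuses: number[]; refreshCalls: number; loggedOut: boolean }> {
  const backend = makeFakeBackend(refreshSucceeds);
  const client = new ApiClient(backend.transport, backend.refresh);
  const results = await Promise.all(["/properties", "/bookings", "/alerts"].map(p => client.request(p)));
  return { statuses: results.map(r => r.status), refreshCalls: client.refreshCalls, loggedOut: client.loggedOut };
}
```

Because `refreshInFlight` is assigned synchronously inside `refreshOnce`, the second and third 401 handlers, which run in the same microtask turn as the first, already find it set; the count of refreshes sent stays at one regardless of how many requests were in flight.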
Phase 03.4: Infrastructure Security (Feb 12)
- [x] Docker ports bound to 127.0.0.1 only
- [x] Redis password authentication
- [x] ENCRYPTION_KEY placeholder in .env.example
Code Changes:
- `docker-compose.yml` - Port bindings to 127.0.0.1
- `.env.example` - ENCRYPTION_KEY documentation
Security Audit Results:
- ✅ No plaintext credentials in code
- ✅ All tokens HttpOnly + SameSite=lax (Lax still sends cookies on top-level GET navigations, so no state-changing endpoint may be reachable via GET)
- ✅ Rate limiting on auth endpoints
- ✅ Country scope enforced on all queries
- ✅ Property ownership verified
- ✅ Role-based access control active
- ✅ Database connections localhost-only
- ✅ Activity logging for admin audit trail
- ✅ SuperAdminGuard protecting sensitive endpoints
Phase 04: Intelligence & Analytics (Future)
| Status | 🔄 PLANNED |
| Priority | P3 |
| Estimated Timeline | Q2 2026 |
Features:
- [ ] FR-13: Rate Parity Checker - Compare rates across OTAs
- [ ] FR-14: Revenue Analytics - Revenue by OTA/property/country, occupancy trends, ADR
- [ ] FR-15: Rate Rules Engine - Auto-apply markup/discount/seasonal rules
Acceptance Criteria:
- Rate parity report shows discrepancies with thresholds
- Revenue dashboard with date range filters, grouping options
- Rate rules configured per property/OTA with effective date range
- Automatic rate calculation respects rule priority
Technical Approach:
- New `AnalyticsService` with aggregation queries
- `RateRulesService` for rule application in pricing
- Dashboard page with recharts visualization
Phase 05: Performance & Caching (Future)
| Status | 📋 BACKLOG |
| Priority | P3 |
| Estimated Timeline | Q3 2026 |
Goals:
- Redis caching for property/booking lists (5-min TTL)
- Query optimization with Prisma select()
- Database index review and optimization
Metrics Target:
- P95 API response time < 200ms (currently ~500ms)
- List endpoints < 100ms
Phase 06: Real-time Updates (Future)
| Status | 📋 BACKLOG |
| Priority | P2 |
| Estimated Timeline | Q3 2026 |
Features:
- WebSocket for sync status updates
- Real-time alert notifications
- Availability grid auto-refresh
Technology:
- Socket.io or ws library
- RxJS for event streams
- Frontend subscription via useSWRSubscription or custom hook
Milestone Status
| Milestone | Target | Status | Completion % |
|---|---|---|---|
| MVP (P1) | 2026-01-31 | ⚠️ Partial | ~70% (infra done, OTA adapters all stubs) |
| Operations (P2) | 2026-02-07 | ❌ Not Started | 0% (FR-09/10/11/12 not built) |
| User Profile (P2.5) | 2026-02-13 | ✅ Complete | 100% |
| Security Sprint (P1) | 2026-02-12 | ✅ Complete | 100% |
| Activity Logging (P1) | 2026-02-12 | ✅ Complete | 100% |
| Intelligence (P3) | 2026-04-30 | 🔄 In Planning | 0% |
| Performance (P3) | 2026-05-31 | 📋 Backlog | 0% |
| Real-time (P2) | 2026-06-30 | 📋 Backlog | 0% |
Known Issues & Debt
Code Debt
- [ ] Audit trail not wired to AuditLogInterceptor (minor)
- [ ] OTA adapters are designed around Playwright browser automation (fragile, not production-ready for scale); per the 2026-02-18 audit the adapter bodies are still stubs
- [ ] No comprehensive error retry strategy for OTA API calls
- [ ] Rate limiting config hardcoded (should be configurable)
Feature Gaps
- [ ] User invitation/onboarding flow
- [ ] Email templates for notifications
- [ ] Batch user import (CSV)
- [ ] Property bulk operations (enable/disable)
- [ ] Advanced alert filtering & resolution workflows
Performance
- [ ] No caching on frequently accessed queries
- [ ] Large booking lists (1000+) may be slow
- [ ] No DB index on (room_type_id, date, otaType)
Documentation
- [ ] OTA adapter implementation guide
- [ ] Deployment to production (Docker/K8s)
- [ ] Monitoring & alerting setup
- [ ] Disaster recovery procedures
Success Metrics
Q1 2026 (recorded before the 2026-02-18 implementation audit; with all four OTA adapters still stubbed, the sync and overbooking figures below are not yet backed by live OTA data)
- ✅ Zero overbooking incidents (from previous 5-10/week)
- ✅ 60s avg sync latency (target: <60s)
- ✅ 99% uptime during business hours
- ✅ All 4 OTA channels reliably synced
Security (Feb 2026)
- ✅ All auth tokens DB-tracked
- ✅ Country scoping enforced on 100% of queries
- ✅ Rate limiting active on all auth endpoints
- ✅ Zero plaintext credential storage
User Adoption
- ✅ 15 staff accounts active
- ✅ 100+ properties managed
- ✅ <5 min avg time to find/manage booking
Development Rules & Constraints
Team: 1 solo developer
Tech Stack: See System Architecture for full stack details.
Standards:
- All features branch from main, PR required
- Tests must pass before merge (jest + coverage 80%+)
- Code review by: [project owner]
- Commit format: Conventional Commits
- Documentation: Update docs/ on feature merge
Deployment:
- Manual deployments (no CI/CD yet)
- Blue-green strategy (if multi-server)
- Database migrations: Prisma migrate
Next 30 Days (Feb - Mar 2026)
Week 1 (Feb 13-19)
- [x] Complete admin password reset feature (temp password + email link)
- [x] Complete self-service forgot password flow
- [ ] User acceptance testing with ops team
- [ ] Bug fixes from Phase 2.5 testing
Week 2-3 (Feb 19 - Mar 5)
- [ ] Performance profiling & caching analysis
- [ ] Begin Rate Rules engine design
- [ ] Gather user feedback on UI/UX
Week 4 (Mar 5-12)
- [ ] Planning sprint for Phase 04 (Analytics)
- [ ] Infrastructure performance tuning
- [ ] Production deployment if needed
Critical Dependencies
- PostgreSQL 16 database (production backup needed)
- Redis 7 for BullMQ (critical path for async jobs)
- OTA APIs stability (Booking.com, Agoda, Traveloka, Expedia)
- SSL certificates for HTTPS (production)
- SMTP server for email notifications
Communication Plan
- Weekly standup: [to be defined]
- Issue tracking: [GitHub Issues, if applicable]
- Documentation: Updated on each feature merge
- Stakeholder updates: [to be defined]
Related Documentation
- SRD.md - Functional requirements
- API_SPEC.md - API endpoint reference
- DB_DESIGN.md - Database schema
- system-architecture.md - Architecture & security details
- code-standards.md - Development guidelines
- codebase-summary.md - Project structure
Revision History
| Date | Version | Changes |
|---|---|---|
| 2026-02-18 | 2.1.0 | Implementation audit: corrected Phase 01 to PARTIAL (OTA adapters all stubs), Phase 02 to NOT IMPLEMENTED (FR-09/10/11/12 not built), updated milestones |
| 2026-02-13 | 2.2.0 | Added admin password reset (temp password, email link) and self-service forgot password to Phase 2.5 |
| 2026-02-12 | 2.1.0 | Added Phase 03.0 Activity Logging (middleware, API, dashboard panel), SuperAdminGuard |
| 2026-02-12 | 2.0.0 | Added security sprint phases (01-04), Phase 2.5 user profile complete |
| 2026-02-10 | 1.9.0 | Phase 01 MVP + Phase 02 complete |
| 2026-02-01 | 1.0.0 | Initial roadmap (skeleton) |