01 / Product
Tasks, exceptions, and readiness in one product.
Areas hold tasks, problems become tracked exceptions with severity, and readiness is computed from what's still open.
implemented coverage
- StructureEvents, typed areas, tasks with status and priority
- ExceptionsSeverity, status, resolution note and resolver
- ReadinessPer-area and event-wide scores with blockers
- RecordsReports, CSV & print export, activity log, dashboard
02 / Architecture
Feature modules across the interface and API.
Both the API and the React app are organized around the same product areas, and every backend feature follows the same routes → controller → service → repository → schema shape.
implemented API modules · routes / controller / service / repository / schema per folder
Cross-cutting pluginsdb · auth · rate limit · uploads · error handler
03 / Core workflow
From event structure to scoped access.
The application connects event records, server-side roles, calculated readiness, and revocable area access.
Structure and exceptions
Areas contain the work and the problems.
Tasks carry status, priority, and due dates. Exceptions record severity, resolution status, and the resolver.
Authorization
Every write is checked by the API.
Members hold one of four event roles — owner, coordinator, operator, viewer — and server-side checks decide what each role can change.
Readiness
The score is derived from open work.
A critical open exception or blocked task blocks an area; ready requires completed tasks with no critical blockers.
Area access and records
QR access stays scoped and revocable.
Only the SHA-256 hash of each area token is stored. Reports, CSV exports, activity records, and the dashboard use the same application data.
04 / Access & security
Account and event access are enforced by the API.
These are implemented controls, not a general security guarantee.
- Sessions
- JWT sessions carried in HttpOnly cookies; passwords hashed with bcrypt.
- Sign-in
- Email and password with emailed verification codes, Google OAuth 2.0, password reset, and an optional recovery email.
- Enumeration & abuse
- Generic login errors, failed-attempt delays, and lockouts.
- Tokens
- Verification, reset, and QR area tokens are stored only as SHA-256 hashes.
decision 01
Authorize every write against the caller’s event role
- Constraint
- Four roles act on the same event from different devices.
- Decision
- Role checks live in the API beside input validation.
- Result
- The interface reflects permissions that the server already enforces.
- Trade-off
- Every new write endpoint requires an authorization rule and test.
backend hardening, from code
- Query safetyParameterized SQL across repositories
- HTTP headersHelmet security headers and a CORS policy
- UploadsFile validation by magic-byte signature
- Rate & emailRequest rate limiting; transactional email via Nodemailer
05 / AI assistance
Optional assistance, no write authority.
The application works without AI. When configured, one service can use local Ollama or hosted Groq to draft, scaffold, explain, and summarize event content; results do not bypass normal write endpoints.
assistant capabilities
- DraftingTask and exception drafts from a short prompt
- Event scaffoldingSuggested areas and tasks for a new event
- Gap & readinessGap checks, readiness explanations, and blocker summaries
- Q&A & retrospectiveEvent question answering and retrospective drafting
guardrails, from configuration and code
- Per-user rate limitingRequests per rolling window
- Context capsBounded input size per request
- Output capsBounded response size and timeouts
- No write authorityEvent data changes only through the same authorized endpoints as manual edits
06 / Current boundaries
Core workflow implemented; public evidence still in progress.
- Scope
- An active-development university project, not a commercial production SaaS.
- Metrics
- No load, uptime, or usage figures are published.
- Evidence
- Public screenshots, repository documentation, and test reporting are still required.
- Assistant
- Runs only when Ollama or a Groq key is configured.
what it demonstrates
React product work, a layered Fastify API, relational data, authentication, roles, QR-scoped access, and controlled AI assistance.
next evidence
Sanitized screenshots, focused tests, setup documentation, and a public repository are the next publication steps.