Implementation Checklist - Football Field Booking System
Version: 1.0
Last Updated: 2026-01-13
Owner: Tech Lead / PM
Total Tasks: 320+ (Phases 0–10)
Status Values: todo | in-progress | done
How to Use This Checklist
- Update Status, Assigned To, and Done Date as you progress.
- Use Dependencies to sequence work.
- Use story points as estimates (1,2,3,5,8,13).
Summary Milestones & Success Criteria
| Milestone | Criteria |
|---|---|
| M0 - Foundations | NX repo stable, CI green, infra runs locally |
| M1 - Auth & User | Keycloak integrated, user profiles working |
| M2 - Field Catalog | Field CRUD + search + approval workflow |
| M3 - Booking Core | Booking create/cancel, no double booking, basic availability |
| M4 - Payment MVP | Payment intents + webhook confirmation + idempotency |
| M5 - Notifications | Kafka event flow + email notifications + logs |
| M6 - Security Hardening | Rate limiting, RBAC, webhook security, audit logs |
| M7 - Observability | Traces/metrics/logs in Signoz + alerting |
| M8 - Deployment | K8s manifests + staging/prod pipeline + backups |
| M9 - Testing | Unit/integration/e2e + load testing + reports |
| M10 - Release | Runbook complete, go-live checklist passed |
Phase 0 (P0) - Project Setup & Standards (35 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P0-01 | Create NX workspace and verify nx.json configuration |
P0 | 3 | - | todo | - |
| P0-02 | Ensure Node.js >= 20 and Yarn configured in docs | P1 | 1 | - | todo | - |
| P0-03 | Configure TypeScript base config (tsconfig.base.json) |
P0 | 2 | - | todo | P0-01 |
| P0-04 | Setup ESLint + Prettier + lint-staged + husky | P0 | 3 | - | todo | P0-01 |
| P0-05 | Enforce Conventional Commits via commitlint | P1 | 1 | - | todo | P0-04 |
| P0-06 | Add repo-level scripts: lint, test, build, format | P1 | 1 | - | todo | P0-04 |
| P0-07 | Configure CI workflow (lint/typecheck/test/build) | P0 | 3 | - | todo | P0-04 |
| P0-08 | Enable CodeQL workflow for TypeScript | P1 | 1 | - | todo | P0-07 |
| P0-09 | Create service skeletons for 6 services (ports 3000–3005) | P0 | 5 | - | todo | P0-01 |
| P0-10 | Verify each service has /health endpoint |
P0 | 2 | - | todo | P0-09 |
| P0-11 | Add shared libs: libs/shared (DTOs, enums) |
P0 | 3 | - | todo | P0-09 |
| P0-12 | Add shared libs: libs/database (TypeORM config) |
P0 | 3 | - | todo | P0-09 |
| P0-13 | Add shared libs: libs/messaging (Kafka + BullMQ) |
P1 | 5 | - | todo | P0-09 |
| P0-14 | Add shared libs: libs/cache (Redis client/lock helper) |
P1 | 3 | - | todo | P0-09 |
| P0-15 | Add shared libs: libs/observability (OTEL bootstrap) |
P1 | 3 | - | todo | P0-09 |
| P0-16 | Define global error response model in gateway | P0 | 2 | - | todo | P0-09 |
| P0-17 | Define shared error codes enum in libs/shared |
P1 | 2 | - | todo | P0-11 |
| P0-18 | Create initial environment templates .env.example |
P0 | 2 | - | todo | P0-09 |
| P0-19 | Configure docker-compose.dev.yml infra (Postgres, Kafka, Redis, Keycloak, Signoz) | P0 | 5 | - | todo | P0-18 |
| P0-20 | Verify docker-compose brings up infra cleanly | P0 | 2 | - | todo | P0-19 |
| P0-21 | Add local tooling docs (PgAdmin/Mongo Express/Kafka UI) | P2 | 1 | - | todo | P0-19 |
| P0-22 | Add Swagger setup to each service /api/docs |
P1 | 3 | - | todo | P0-09 |
| P0-23 | Add requestId + traceId propagation middleware/interceptors | P0 | 3 | - | todo | P0-15 |
| P0-24 | Add centralized logging format (JSON logs) | P1 | 2 | - | todo | P0-23 |
| P0-25 | Add basic RBAC guard scaffolding | P0 | 2 | - | todo | P0-09 |
| P0-26 | Add DTO validation pipeline (class-validator) | P0 | 2 | - | todo | P0-09 |
| P0-27 | Add global exception filters mapping to error model | P0 | 3 | - | todo | P0-16 |
| P0-28 | Add baseline unit test setup for each service | P1 | 3 | - | todo | P0-09 |
| P0-29 | Add integration test harness (testcontainers or docker compose) | P2 | 5 | - | todo | P0-19 |
| P0-30 | Add API Gateway routing to each service | P0 | 3 | - | todo | P0-09 |
| P0-31 | Add API Gateway auth middleware stub (Keycloak) | P0 | 3 | - | todo | P0-30 |
| P0-32 | Add basic rate limiting middleware at gateway | P1 | 3 | - | todo | P0-30 |
| P0-33 | Add repo documentation index in docs/ |
P2 | 1 | - | todo | P0-01 |
| P0-34 | Add service README templates and run instructions | P2 | 2 | - | todo | P0-33 |
| P0-35 | Release tagging/versioning strategy documented | P2 | 1 | - | todo | P0-07 |
Phase 1 (P0) - Authentication & User Management (38 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P1-01 | Import Keycloak realm config (football-booking) | P0 | 3 | - | todo | P0-19 |
| P1-02 | Configure Keycloak clients: api-gateway, frontend-web, mobile-app | P0 | 2 | - | todo | P1-01 |
| P1-03 | Configure roles: ADMIN/OWNER/CUSTOMER in Keycloak | P0 | 2 | - | todo | P1-01 |
| P1-04 | Configure API Gateway token validation (jwks caching) | P0 | 5 | - | todo | P0-31 |
| P1-05 | Map roles from Keycloak claims to app roles | P0 | 3 | - | todo | P1-04 |
| P1-06 | Implement /auth/login (token exchange) in gateway |
P1 | 3 | - | todo | P1-04 |
| P1-07 | Implement /auth/refresh |
P1 | 3 | - | todo | P1-06 |
| P1-08 | Implement /auth/logout (refresh revoke) |
P2 | 2 | - | todo | P1-07 |
| P1-09 | Create user DB migrations (users, user_profiles) | P0 | 5 | - | todo | P0-12 |
| P1-10 | Implement User entity + repository (TypeORM) | P0 | 3 | - | todo | P1-09 |
| P1-11 | Implement Profile entity (TypeORM) | P1 | 2 | - | todo | P1-09 |
| P1-12 | Implement GET /users/me |
P0 | 2 | - | todo | P1-10 |
| P1-13 | Implement PUT /users/me |
P0 | 3 | - | todo | P1-12 |
| P1-14 | Implement avatar upload endpoint | P2 | 5 | - | todo | P1-13 |
| P1-15 | Add validation rules for profile updates | P0 | 2 | - | todo | P1-13 |
| P1-16 | Add RBAC: protect admin endpoints | P0 | 2 | - | todo | P1-05 |
| P1-17 | Add resource-level auth helper (userId matching) | P0 | 2 | - | todo | P1-12 |
| P1-18 | Implement admin user list endpoint | P2 | 3 | - | todo | P1-16 |
| P1-19 | Implement admin ban/unban endpoints | P2 | 3 | - | todo | P1-16 |
| P1-20 | Add audit log event for admin actions | P1 | 3 | - | todo | P0-24 |
| P1-21 | Implement password reset flow (if not Keycloak-managed) | P3 | 8 | - | todo | P1-06 |
| P1-22 | Add Zalo user id field support in user model | P1 | 2 | - | todo | P1-10 |
| P1-23 | Create migration for zalo_user_id (if not already) |
P1 | 2 | - | todo | P1-22 |
| P1-24 | Add service-to-service auth strategy (mTLS or internal token) | P2 | 8 | - | todo | P1-04 |
| P1-25 | Add user-service Swagger docs and examples | P2 | 2 | - | todo | P0-22 |
| P1-26 | Add unit tests for UsersService (happy + error) | P1 | 3 | - | todo | P1-10 |
| P1-27 | Add integration tests for /users/me | P2 | 5 | - | todo | P1-12 |
| P1-28 | Add contract tests for auth claims mapping | P2 | 5 | - | todo | P1-05 |
| P1-29 | Add monitoring dashboards for auth failures | P2 | 3 | - | todo | P0-15 |
| P1-30 | Add rate limit for auth endpoints | P0 | 3 | - | todo | P0-32 |
| P1-31 | Add account lockout policies (Phase 2) | P3 | 5 | - | todo | P1-30 |
| P1-32 | Add PII redaction in logs | P1 | 3 | - | todo | P0-24 |
| P1-33 | Add email verification strategy (Keycloak or app) | P2 | 5 | - | todo | P1-01 |
| P1-34 | Add user deletion (soft delete vs hard delete) decision | P2 | 3 | - | todo | P1-10 |
| P1-35 | Add GDPR export endpoint (Phase 2) | P3 | 8 | - | todo | P1-12 |
| P1-36 | Add user preferences schema | P2 | 3 | - | todo | P1-11 |
| P1-37 | Add user preferences update tests | P2 | 3 | - | todo | P1-36 |
| P1-38 | Add API gateway e2e auth smoke test | P1 | 5 | - | todo | P1-06 |
Phase 2 (P0/P1) - Field Management (33 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P2-01 | Create field DB migrations (fields, images, amenities, hours) | P0 | 5 | - | todo | P0-12 |
| P2-02 | Implement Field entity + repository | P0 | 3 | - | todo | P2-01 |
| P2-03 | Implement POST /fields (OWNER only) |
P0 | 3 | - | todo | P2-02 |
| P2-04 | Implement GET /fields/:id |
P0 | 2 | - | todo | P2-02 |
| P2-05 | Implement PUT /fields/:id (OWNER only) |
P0 | 3 | - | todo | P2-03 |
| P2-06 | Implement PUT /fields/:id/status (ADMIN) |
P1 | 3 | - | todo | P2-03 |
| P2-07 | Implement GET /fields/search filters (sportType, price, amenities) |
P0 | 5 | - | todo | P2-02 |
| P2-08 | Implement geo search (radius lat/lng) | P1 | 8 | - | todo | P2-07 |
| P2-09 | Add indexes for search performance | P0 | 3 | - | todo | P2-01 |
| P2-10 | Add caching for field details | P1 | 3 | - | todo | P0-14 |
| P2-11 | Add caching for field search results | P2 | 5 | - | todo | P2-07 |
| P2-12 | Add image upload strategy (object storage) | P2 | 8 | - | todo | P2-03 |
| P2-13 | Add owner phone display policy | P2 | 2 | - | todo | P1-32 |
| P2-14 | Add field availability endpoint contract | P0 | 3 | - | todo | P2-04 |
| P2-15 | Implement GET /fields/:id/availability in gateway to booking-service |
P0 | 3 | - | todo | P2-14 |
| P2-16 | Add field service swagger docs | P2 | 2 | - | todo | P0-22 |
| P2-17 | Add unit tests for field CRUD | P1 | 5 | - | todo | P2-02 |
| P2-18 | Add integration tests for search endpoint | P2 | 8 | - | todo | P2-07 |
| P2-19 | Add admin approval audit log | P1 | 2 | - | todo | P2-06 |
| P2-20 | Implement owner-only field listing | P2 | 3 | - | todo | P2-02 |
| P2-21 | Implement public field listing | P2 | 3 | - | todo | P2-02 |
| P2-22 | Add field status transitions validation | P1 | 3 | - | todo | P2-06 |
| P2-23 | Add amenities normalization or enum strategy | P2 | 3 | - | todo | P2-01 |
| P2-24 | Add operating hours validation | P2 | 3 | - | todo | P2-01 |
| P2-25 | Add pagination defaults and limits | P1 | 2 | - | todo | P2-07 |
| P2-26 | Add response sorting options | P2 | 2 | - | todo | P2-07 |
| P2-27 | Add field rating/reviews design (Phase 2) | P3 | 8 | - | todo | P2-04 |
| P2-28 | Add field review DB tables (Phase 2) | P3 | 8 | - | todo | P2-27 |
| P2-29 | Add data seeding scripts for fields | P2 | 3 | - | todo | P2-01 |
| P2-30 | Add performance test for search (k6) | P2 | 5 | - | todo | P2-07 |
| P2-31 | Add caching invalidation on update | P1 | 3 | - | todo | P2-10 |
| P2-32 | Add trace spans for search pipeline | P2 | 2 | - | todo | P0-15 |
| P2-33 | Add error mapping and codes for field service | P1 | 2 | - | todo | P0-17 |
Phase 3 (P0) - Booking Core (42 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P3-01 | Create booking DB migrations (bookings table) | P0 | 5 | - | todo | P0-12 |
| P3-02 | Implement Booking entity + repository | P0 | 3 | - | todo | P3-01 |
| P3-03 | Implement booking status machine | P0 | 5 | - | todo | P3-02 |
| P3-04 | Implement POST /bookings |
P0 | 5 | - | todo | P3-03 |
| P3-05 | Implement conflict detection logic (overlap check) | P0 | 5 | - | todo | P3-02 |
| P3-06 | Implement Redis distributed lock for create booking | P0 | 5 | - | todo | P0-14 |
| P3-07 | Combine lock + DB check for no-double-booking | P0 | 5 | - | todo | P3-05,P3-06 |
| P3-08 | Implement booking expiry policy (PENDING timeout) | P1 | 3 | - | todo | P3-03 |
| P3-09 | Implement GET /bookings/me |
P0 | 3 | - | todo | P3-02 |
| P3-10 | Implement GET /bookings/:id + authz |
P0 | 3 | - | todo | P3-02,P1-17 |
| P3-11 | Implement PUT /bookings/:id/cancel |
P0 | 3 | - | todo | P3-10 |
| P3-12 | Implement receipt generation contract | P2 | 5 | - | todo | P3-10 |
| P3-13 | Implement GET /bookings/:id/receipt (PDF) |
P2 | 8 | - | todo | P3-12 |
| P3-14 | Implement availability query by date | P0 | 5 | - | todo | P3-02 |
| P3-15 | Add caching for availability (short TTL) | P1 | 3 | - | todo | P3-14 |
| P3-16 | Invalidate availability cache on booking changes | P1 | 3 | - | todo | P3-11 |
| P3-17 | Emit BOOKING_CREATED/BOOKING_CANCELLED events to Kafka | P1 | 5 | - | todo | P0-13 |
| P3-18 | Define Kafka topics enum in shared lib | P1 | 2 | - | todo | P0-11 |
| P3-19 | Add booking-service swagger docs | P2 | 2 | - | todo | P0-22 |
| P3-20 | Add unit tests for overlap detection | P0 | 3 | - | todo | P3-05 |
| P3-21 | Add unit tests for lock acquisition/release | P0 | 3 | - | todo | P3-06 |
| P3-22 | Add integration test: 2 concurrent bookings, 1 fails | P0 | 8 | - | todo | P3-07 |
| P3-23 | Add integration test: 10 concurrent bookings | P1 | 8 | - | todo | P3-07 |
| P3-24 | Add error mapping: 409 CONFLICT on overlap | P0 | 2 | - | todo | P3-07 |
| P3-25 | Add booking cancellation policy (refund windows) | P2 | 5 | - | todo | P4-01 |
| P3-26 | Add booking completion flow | P2 | 3 | - | todo | P3-03 |
| P3-27 | Add cron/job for expiring PENDING bookings | P2 | 5 | - | todo | P0-13 |
| P3-28 | Add tracing spans for lock + db tx | P2 | 2 | - | todo | P0-15 |
| P3-29 | Add booking search/filter for owners | P2 | 5 | - | todo | P3-02 |
| P3-30 | Add admin booking audit/report endpoint | P3 | 8 | - | todo | P3-02 |
| P3-31 | Add booking notes sanitization | P2 | 2 | - | todo | P0-26 |
| P3-32 | Add validation: startTime < endTime, max duration | P0 | 2 | - | todo | P3-04 |
| P3-33 | Add pricing calculation rules (hourly + rounding) | P0 | 3 | - | todo | P3-04 |
| P3-34 | Add field ownership verification for owner views | P1 | 3 | - | todo | P2-02 |
| P3-35 | Add gateway routing for booking endpoints | P0 | 2 | - | todo | P0-30 |
| P3-36 | Add booking export (CSV) (Phase 2) | P3 | 8 | - | todo | P3-30 |
| P3-37 | Add booking status transitions tests | P1 | 5 | - | todo | P3-03 |
| P3-38 | Add performance test for booking create (k6) | P1 | 5 | - | todo | P3-04 |
| P3-39 | Add DB indexes for time range queries | P0 | 2 | - | todo | P3-01 |
| P3-40 | Add anti-overbooking fallback strategy if Redis down | P1 | 5 | - | todo | P3-07 |
| P3-41 | Add structured logging for booking lifecycle events | P1 | 2 | - | todo | P0-24 |
| P3-42 | Add booking SLO dashboards | P2 | 3 | - | todo | P0-15 |
Phase 4 (P0/P1) - Payment Processing (40 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P4-01 | Create payment DB migrations (payments + idempotency) | P0 | 5 | - | todo | P0-12 |
| P4-02 | Implement Payment entity + repository | P0 | 3 | - | todo | P4-01 |
| P4-03 | Implement POST /payments/create |
P0 | 5 | - | todo | P4-02 |
| P4-04 | Implement idempotency key strategy | P0 | 5 | - | todo | P4-03 |
| P4-05 | Add provider integration abstraction (Stripe/VNPay) | P1 | 8 | - | todo | P4-03 |
| P4-06 | Implement Stripe webhook verification | P0 | 5 | - | todo | P4-05 |
| P4-07 | Implement VNPay webhook verification | P1 | 8 | - | todo | P4-05 |
| P4-08 | Deduplicate webhook events (provider event id) | P0 | 3 | - | todo | P4-06 |
| P4-09 | Implement GET /payments/:id |
P1 | 3 | - | todo | P4-02 |
| P4-10 | Implement payment state machine | P0 | 3 | - | todo | P4-02 |
| P4-11 | Publish PAYMENT_SUCCESS / PAYMENT_FAILED events to Kafka | P0 | 5 | - | todo | P0-13 |
| P4-12 | Update booking status on payment success (Saga) | P0 | 5 | - | todo | P3-03,P4-11 |
| P4-13 | Implement refunds (Phase 2) | P2 | 13 | - | todo | P4-10 |
| P4-14 | Add payment transaction log table | P1 | 5 | - | todo | P4-01 |
| P4-15 | Store only non-sensitive payment references | P0 | 2 | - | todo | P4-02 |
| P4-16 | Add audit log for payment transitions | P1 | 3 | - | todo | P0-24 |
| P4-17 | Add retry strategy for provider calls | P1 | 3 | - | todo | P4-05 |
| P4-18 | Add circuit breaker for provider calls | P1 | 5 | - | todo | P4-05 |
| P4-19 | Add payment-service swagger docs | P2 | 2 | - | todo | P0-22 |
| P4-20 | Add unit tests for idempotency | P0 | 3 | - | todo | P4-04 |
| P4-21 | Add unit tests for webhook verification | P0 | 3 | - | todo | P4-06 |
| P4-22 | Add integration test: payment intent + webhook success | P1 | 8 | - | todo | P4-06 |
| P4-23 | Add integration test: webhook replay ignored | P0 | 5 | - | todo | P4-08 |
| P4-24 | Add gateway routing for payment endpoints | P0 | 2 | - | todo | P0-30 |
| P4-25 | Add secure storage of webhook secrets | P0 | 2 | - | todo | P8-10 |
| P4-26 | Add outbox pattern for payment events (Phase 2) | P2 | 8 | - | todo | P4-11 |
| P4-27 | Add payment expiration policy | P2 | 5 | - | todo | P4-03 |
| P4-28 | Add job to reconcile pending payments (Phase 2) | P3 | 8 | - | todo | P0-13 |
| P4-29 | Add metrics: payment success rate, webhook failures | P1 | 3 | - | todo | P0-15 |
| P4-30 | Add tracing spans for payment workflow | P2 | 2 | - | todo | P0-15 |
| P4-31 | Add load test for webhook handler | P2 | 5 | - | todo | P4-06 |
| P4-32 | Add provider sandbox setup docs | P2 | 2 | - | todo | P4-05 |
| P4-33 | Add admin endpoint to view payments (Phase 2) | P3 | 8 | - | todo | P4-02 |
| P4-34 | Add DB indexes for payment queries | P1 | 2 | - | todo | P4-01 |
| P4-35 | Add refund policy doc and implementation flags | P2 | 3 | - | todo | P4-13 |
| P4-36 | Add notification hooks for payment outcomes | P1 | 3 | - | todo | P5-01 |
| P4-37 | Add security tests for webhook invalid signature | P0 | 3 | - | todo | P4-06 |
| P4-38 | Add security tests for webhook replay | P0 | 3 | - | todo | P4-08 |
| P4-39 | Add payment database backup plan | P1 | 2 | - | todo | P8-20 |
| P4-40 | Add SLO dashboards for payments | P2 | 3 | - | todo | P0-15 |
Phase 5 (P0/P1) - Notifications & Messaging (32 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P5-01 | Define Kafka topics: BOOKING_CONFIRMED, PAYMENT_SUCCESS, etc. | P0 | 2 | - | todo | P3-18 |
| P5-02 | Implement Kafka producer wrapper in libs | P0 | 3 | - | todo | P0-13 |
| P5-03 | Implement Kafka consumer module in notification-service | P0 | 5 | - | todo | P0-13 |
| P5-04 | Consume PAYMENT_SUCCESS and send email confirmation | P0 | 5 | - | todo | P5-03,P4-11 |
| P5-05 | Consume BOOKING_CONFIRMED and send email | P1 | 5 | - | todo | P5-03,P3-17 |
| P5-06 | Store notification delivery logs to MongoDB | P1 | 3 | - | todo | P5-03 |
| P5-07 | Add Mongo indexes for logs queries | P2 | 2 | - | todo | P5-06 |
| P5-08 | Add retry strategy for provider failures | P1 | 5 | - | todo | P5-04 |
| P5-09 | Add BullMQ for background retries (optional) | P2 | 8 | - | todo | P0-13 |
| P5-10 | Add templating system for email content | P2 | 8 | - | todo | P5-04 |
| P5-11 | Add BOOKING_REMINDER scheduled job (Phase 2) | P3 | 13 | - | todo | P5-09 |
| P5-12 | Add SMS support (Phase 2) | P3 | 13 | - | todo | P5-08 |
| P5-13 | Add ZNS integration (Phase 2) - service + credentials | P2 | 13 | - | todo | P1-22 |
| P5-14 | Consume events and send ZNS (Phase 2) | P2 | 8 | - | todo | P5-13 |
| P5-15 | Add dead-letter queue strategy | P2 | 8 | - | todo | P5-03 |
| P5-16 | Add message schema/versioning policy | P1 | 3 | - | todo | P5-01 |
| P5-17 | Add contract tests for Kafka payloads | P2 | 8 | - | todo | P5-16 |
| P5-18 | Add end-to-end test: booking→payment→notification | P1 | 13 | - | todo | P3-04,P4-06,P5-04 |
| P5-19 | Add metrics: send success rate, queue depth | P1 | 3 | - | todo | P0-15 |
| P5-20 | Add tracing for event consumption | P2 | 2 | - | todo | P0-15 |
| P5-21 | Add email provider configuration + secrets | P0 | 3 | - | todo | P8-10 |
| P5-22 | Add notification-service swagger docs (admin endpoints optional) | P3 | 3 | - | todo | P0-22 |
| P5-23 | Add admin endpoint to view notification logs | P3 | 8 | - | todo | P5-06 |
| P5-24 | Add data retention policy for Mongo logs | P2 | 3 | - | todo | P5-06 |
| P5-25 | Add failure playbook for provider outages | P2 | 3 | - | todo | P8-30 |
| P5-26 | Add consumer scaling strategy (partitions) | P2 | 3 | - | todo | P5-03 |
| P5-27 | Add schema registry strategy (Phase 2) | P3 | 13 | - | todo | P5-16 |
| P5-28 | Add notification preference checks | P2 | 5 | - | todo | P1-36 |
| P5-29 | Add opt-out compliance (Phase 2) | P3 | 8 | - | todo | P5-28 |
| P5-30 | Add spam prevention and throttling | P2 | 5 | - | todo | P5-08 |
| P5-31 | Add security tests for PII leakage in logs | P1 | 3 | - | todo | P1-32 |
| P5-32 | Add SLO dashboards for notifications | P2 | 3 | - | todo | P0-15 |
Phase 6 (P0/P1) - Security Hardening (30 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P6-01 | Implement gateway rate limiting policies | P0 | 5 | - | todo | P0-32 |
| P6-02 | Implement brute-force detection for auth | P1 | 5 | - | todo | P6-01 |
| P6-03 | Implement RBAC guards on all endpoints | P0 | 5 | - | todo | P1-05 |
| P6-04 | Implement resource-level authorization checks (booking/field) | P0 | 5 | - | todo | P3-10,P2-05 |
| P6-05 | Implement webhook signature verification (Stripe/VNPay) | P0 | 5 | - | todo | P4-06 |
| P6-06 | Implement webhook replay protection | P0 | 3 | - | todo | P4-08 |
| P6-07 | Implement secret scanning in CI | P1 | 3 | - | todo | P0-07 |
| P6-08 | Configure dependency scanning gating (no critical) | P1 | 3 | - | todo | P0-07 |
| P6-09 | Enforce TLS in prod (Ingress) | P0 | 3 | - | todo | P8-01 |
| P6-10 | Add PII redaction middleware | P0 | 3 | - | todo | P1-32 |
| P6-11 | Add audit logs for admin actions | P1 | 5 | - | todo | P1-20 |
| P6-12 | Add audit logs for payments | P1 | 5 | - | todo | P4-16 |
| P6-13 | Add security headers at gateway | P1 | 2 | - | todo | P0-30 |
| P6-14 | Configure CORS allowlist per env | P0 | 2 | - | todo | P0-30 |
| P6-15 | Add request payload size limits | P1 | 2 | - | todo | P0-30 |
| P6-16 | Add WAF/CDN rules (Phase 2) | P3 | 8 | - | todo | P6-01 |
| P6-17 | Add network policies in Kubernetes | P1 | 8 | - | todo | P8-02 |
| P6-18 | Lock down DB access to cluster only | P0 | 3 | - | todo | P8-02 |
| P6-19 | Rotate secrets policy documented | P2 | 2 | - | todo | P6-07 |
| P6-20 | Add incident response runbook | P2 | 3 | - | todo | P8-30 |
| P6-21 | Security regression test suite | P1 | 8 | - | todo | P9-01 |
| P6-22 | OWASP ZAP baseline scan on staging | P2 | 8 | - | todo | P8-10 |
| P6-23 | Add SAST custom rules (Phase 2) | P3 | 13 | - | todo | P6-08 |
| P6-24 | Add SSRF allowlist for outbound providers | P1 | 3 | - | todo | P4-05 |
| P6-25 | Add file upload restrictions (type/size) | P1 | 3 | - | todo | P1-14 |
| P6-26 | Add malware scan for uploads (Phase 2) | P3 | 13 | - | todo | P6-25 |
| P6-27 | Add admin MFA policy (Phase 2) | P2 | 8 | - | todo | P1-03 |
| P6-28 | Add security monitoring alerts (auth anomalies) | P1 | 3 | - | todo | P7-10 |
| P6-29 | Add webhook failure spike alerts | P1 | 3 | - | todo | P7-10 |
| P6-30 | Add compliance checklist (PII, retention) | P2 | 3 | - | todo | P10-05 |
Phase 7 (P0/P1) - Observability & Operations (24 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P7-01 | Enable OpenTelemetry in all services | P0 | 5 | - | todo | P0-15 |
| P7-02 | Configure collector endpoint per env | P0 | 3 | - | todo | P7-01 |
| P7-03 | Add trace propagation to Kafka headers | P1 | 5 | - | todo | P5-02 |
| P7-04 | Add requestId middleware in gateway | P0 | 2 | - | todo | P0-23 |
| P7-05 | Add structured logs with traceId | P0 | 3 | - | todo | P0-24 |
| P7-06 | Define dashboards for RED metrics | P1 | 5 | - | todo | P7-01 |
| P7-07 | Define dashboards for USE metrics | P1 | 5 | - | todo | P7-01 |
| P7-08 | Add Kafka lag dashboards | P1 | 3 | - | todo | P5-03 |
| P7-09 | Add DB pool metrics dashboards | P2 | 3 | - | todo | P0-12 |
| P7-10 | Configure alert rules (latency/error/lag) | P0 | 5 | - | todo | P7-06 |
| P7-11 | Add SLO reports per service | P2 | 5 | - | todo | P7-10 |
| P7-12 | Add log retention policies | P2 | 3 | - | todo | P7-05 |
| P7-13 | Add runbook for incident triage | P1 | 3 | - | todo | P7-10 |
| P7-14 | Add on-call rotation placeholder | P3 | 1 | - | todo | P7-13 |
| P7-15 | Add synthetic health checks | P2 | 5 | - | todo | P8-01 |
| P7-16 | Add tracing spans for DB queries | P2 | 3 | - | todo | P7-01 |
| P7-17 | Add tracing spans for Redis locks | P2 | 2 | - | todo | P7-01 |
| P7-18 | Add tracing spans for external providers | P2 | 2 | - | todo | P7-01 |
| P7-19 | Add error budget policy | P2 | 3 | - | todo | P7-11 |
| P7-20 | Add capacity planning doc | P3 | 5 | - | todo | P7-07 |
| P7-21 | Add chaos testing plan (Phase 2) | P3 | 13 | - | todo | P7-13 |
| P7-22 | Add backlog processing KPIs for notifications | P2 | 3 | - | todo | P5-09 |
| P7-23 | Add audit log dashboards | P2 | 3 | - | todo | P6-11 |
| P7-24 | Add cost monitoring (Phase 2) | P3 | 8 | - | todo | P7-07 |
Phase 8 (P0/P1) - Deployment & Platform (30 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P8-01 | Create Kubernetes namespace per env | P0 | 2 | - | todo | - |
| P8-02 | Create NetworkPolicies for services and datastores | P1 | 8 | - | todo | P8-01 |
| P8-03 | Create Deployment/Service manifests for all services | P0 | 8 | - | todo | P8-01 |
| P8-04 | Create Ingress for gateway with TLS | P0 | 5 | - | todo | P8-03 |
| P8-05 | Configure HPA for gateway/booking/payment | P1 | 5 | - | todo | P8-03 |
| P8-06 | Setup container registry and image tagging | P0 | 3 | - | todo | P0-07 |
| P8-07 | Setup secrets management in cluster | P0 | 5 | - | todo | P8-01 |
| P8-08 | Setup configmaps per service | P1 | 3 | - | todo | P8-03 |
| P8-09 | Setup Postgres in prod (managed recommended) | P0 | 8 | - | todo | P8-01 |
| P8-10 | Setup CI/CD pipeline: build/push/deploy staging | P0 | 8 | - | todo | P8-06 |
| P8-11 | Add manual approval gate for production deploy | P1 | 3 | - | todo | P8-10 |
| P8-12 | Add smoke tests post-deploy | P1 | 5 | - | todo | P8-10 |
| P8-13 | Add rollback automation | P1 | 5 | - | todo | P8-10 |
| P8-14 | Configure Keycloak in staging/prod | P0 | 5 | - | todo | P1-01 |
| P8-15 | Configure Kafka in staging/prod | P1 | 8 | - | todo | P0-13 |
| P8-16 | Configure Redis in staging/prod | P1 | 5 | - | todo | P0-14 |
| P8-17 | Configure MongoDB in staging/prod | P2 | 5 | - | todo | P5-06 |
| P8-18 | Configure Signoz in staging/prod | P1 | 8 | - | todo | P7-01 |
| P8-19 | Implement migration jobs per service | P0 | 8 | - | todo | P8-03 |
| P8-20 | Setup backup policy for all Postgres DBs | P0 | 5 | - | todo | P8-09 |
| P8-21 | Setup restore test automation (weekly) | P1 | 5 | - | todo | P8-20 |
| P8-22 | Setup DR documentation and RTO/RPO | P1 | 3 | - | todo | P8-20 |
| P8-23 | Setup staging data seeding | P2 | 5 | - | todo | P2-29 |
| P8-24 | Setup environment parity checklist | P2 | 3 | - | todo | P8-03 |
| P8-25 | Setup domain/DNS + certificates | P0 | 5 | - | todo | P8-04 |
| P8-26 | Add WAF/rate-limiting at edge (Phase 2) | P3 | 8 | - | todo | P8-25 |
| P8-27 | Add blue/green deploy strategy (optional) | P3 | 13 | - | todo | P8-10 |
| P8-28 | Add log retention policies per env | P2 | 3 | - | todo | P7-12 |
| P8-29 | Add cost optimization review (Phase 2) | P3 | 8 | - | todo | P7-24 |
| P8-30 | Create full operations runbook | P1 | 5 | - | todo | P7-13 |
Phase 9 (P0/P1) - Testing & Quality (33 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P9-01 | Define testing pyramid and coverage goals | P1 | 2 | - | todo | P0-28 |
| P9-02 | Unit tests for user-service | P1 | 5 | - | todo | P1-26 |
| P9-03 | Unit tests for field-service | P1 | 5 | - | todo | P2-17 |
| P9-04 | Unit tests for booking-service | P0 | 8 | - | todo | P3-20 |
| P9-05 | Unit tests for payment-service | P0 | 8 | - | todo | P4-20 |
| P9-06 | Integration tests for gateway routes | P1 | 8 | - | todo | P0-30 |
| P9-07 | Integration tests: booking conflict | P0 | 8 | - | todo | P3-22 |
| P9-08 | Integration tests: payment webhook | P0 | 8 | - | todo | P4-22 |
| P9-09 | Integration tests: notification consumption | P1 | 8 | - | todo | P5-04 |
| P9-10 | End-to-end test: search→book→pay→notify | P1 | 13 | - | todo | P5-18 |
| P9-11 | Load test for field search | P2 | 5 | - | todo | P2-30 |
| P9-12 | Load test for booking create | P1 | 5 | - | todo | P3-38 |
| P9-13 | Load test for payment webhooks | P2 | 5 | - | todo | P4-31 |
| P9-14 | Soak test (Phase 2) | P3 | 13 | - | todo | P9-12 |
| P9-15 | Add contract tests for Kafka payload schemas | P2 | 8 | - | todo | P5-17 |
| P9-16 | Add API schema tests (OpenAPI) | P2 | 5 | - | todo | P0-22 |
| P9-17 | Add mutation tests (Phase 2) | P3 | 13 | - | todo | P9-04 |
| P9-18 | Add coverage reporting in CI | P1 | 3 | - | todo | P0-07 |
| P9-19 | Add quality gate: coverage >= 80% | P1 | 3 | - | todo | P9-18 |
| P9-20 | Add static analysis check in CI (typecheck + lint) | P0 | 2 | - | todo | P0-07 |
| P9-21 | Add security test suite (IDOR/webhook invalid) | P1 | 8 | - | todo | P6-21 |
| P9-22 | Add snapshot tests for email templates | P3 | 5 | - | todo | P5-10 |
| P9-23 | Add chaos experiment (Phase 2) | P3 | 13 | - | todo | P7-21 |
| P9-24 | Add regression test plan | P2 | 3 | - | todo | P9-01 |
| P9-25 | Add test data management strategy | P2 | 5 | - | todo | P9-10 |
| P9-26 | Add database migration test pipeline | P2 | 5 | - | todo | P8-19 |
| P9-27 | Add lint rules to prevent secrets | P2 | 3 | - | todo | P6-07 |
| P9-28 | Add API gateway authz tests | P1 | 5 | - | todo | P6-03 |
| P9-29 | Add booking state machine tests | P1 | 5 | - | todo | P3-37 |
| P9-30 | Add performance budget checks (p95/p99) | P2 | 8 | - | todo | P7-11 |
| P9-31 | Add flaky test tracking and quarantine | P3 | 5 | - | todo | P9-18 |
| P9-32 | Add test run documentation and commands | P2 | 2 | - | todo | P9-01 |
| P9-33 | Publish testing report template | P3 | 2 | - | todo | P9-32 |
Phase 10 (P0/P1) - Documentation, Release & Go-Live (26 tasks)
| ID | Task | Priority | SP | Assigned To | Status | Dependencies |
|---|---|---|---|---|---|---|
| P10-01 | Finalize requirements docs set | P0 | 5 | - | todo | - |
| P10-02 | Ensure Swagger docs accurate for all services | P1 | 3 | - | todo | P0-22 |
| P10-03 | Create architecture diagrams and ADRs | P2 | 5 | - | todo | P0-33 |
| P10-04 | Create operations runbook and on-call guide | P1 | 5 | - | todo | P8-30 |
| P10-05 | Create security runbook + incident response | P1 | 5 | - | todo | P6-20 |
| P10-06 | Create go-live checklist (prod readiness) | P0 | 5 | - | todo | P10-04 |
| P10-07 | Validate backup/restore in prod | P0 | 5 | - | todo | P8-21 |
| P10-08 | Validate SLO dashboards and alerts | P0 | 5 | - | todo | P7-10 |
| P10-09 | Conduct load test on staging | P1 | 8 | - | todo | P9-12 |
| P10-10 | Conduct security scan on staging | P1 | 8 | - | todo | P6-22 |
| P10-11 | Run full end-to-end demo script | P1 | 5 | - | todo | P9-10 |
| P10-12 | Prepare release notes template | P2 | 2 | - | todo | P0-35 |
| P10-13 | Define versioning policy for API changes | P1 | 3 | - | todo | P0-35 |
| P10-14 | Create migration roll-forward/rollback guide | P1 | 5 | - | todo | P8-19 |
| P10-15 | Create “known issues” and mitigations list | P2 | 3 | - | todo | P10-11 |
| P10-16 | Create support escalation contacts | P3 | 1 | - | todo | P10-04 |
| P10-17 | Create SLA/SLO summary for stakeholders | P2 | 3 | - | todo | P7-11 |
| P10-18 | Prepare database retention and GDPR policy | P3 | 5 | - | todo | P6-30 |
| P10-19 | Verify secrets rotation process | P2 | 3 | - | todo | P6-19 |
| P10-20 | Validate audit logs coverage | P1 | 3 | - | todo | P6-11 |
| P10-21 | Create postmortem template | P2 | 2 | - | todo | P6-20 |
| P10-22 | Verify service scaling policies | P2 | 5 | - | todo | P8-05 |
| P10-23 | Validate cron/job schedules in prod | P2 | 3 | - | todo | P3-27 |
| P10-24 | Create data seeding / demo dataset for evaluation | P2 | 5 | - | todo | P8-23 |
| P10-25 | Run production readiness review meeting | P1 | 2 | - | todo | P10-06 |
| P10-26 | Go-live | P0 | 1 | - | todo | P10-25 |
Progress Tracking
| Phase | % Done | Notes |
|---|---|---|
| 0 | 0% | - |
| 1 | 0% | - |
| 2 | 0% | - |
| 3 | 0% | - |
| 4 | 0% | - |
| 5 | 0% | - |
| 6 | 0% | - |
| 7 | 0% | - |
| 8 | 0% | - |
| 9 | 0% | - |
| 10 | 0% | - |
Document Version: 1.0 Last Updated: 2026-01-13 Owner: Tech Lead / PM