DeeperSensor API & Frontend Roadmap (TODO) Last Updated: 2025-01-XX (MVP Code Quality Phase)
Status: [ ] pending · [~] in progress · [x] completed · [-] cancelled
Priority: (H) High · (M) Medium · (L) Low
IDs match internal automation / tooling references
Overall Progress: 15 / 20 completed (75%)
Phase 0 – Foundation & Workspace
ID
Task
Priority
Status
Notes
workspace
Convert to Cargo workspace (crates: api, core, model, auth)
H
[x]
Completed initial workspace + relocation
deps
Add foundational crates (axum, tokio, tracing, serde, sqlx, argon2, jsonwebtoken, config/dotenv, anyhow/thiserror)
H
[x]
Added base deps incl. sqlx
config
Unified config loader (env + .env + defaults)
H
[x]
Includes database.url + prod secret checks
logging
Structured logging + tracing + metrics (/metrics)
H
[x]
Request spans, Prometheus metrics endpoint
errors
Unified error type and HTTP mapper
M
[x]
ApiError with 422 variant, comprehensive handling
Phase 1 – Core AI & HTTP Surface
ID
Task
Priority
Status
Notes
model-provider
Trait: ModelProvider + Ollama client implementation
H
[x]
Full HTTP streaming implementation with proper parsing
http-routes
Base routes: /health, /v1/models, /v1/chat (stream)
H
[x]
Implemented incl. SSE stream endpoint + health checks
auth
Auth: signup/login, password hashing, JWT issuance & refresh
H
[x]
Signup/login + JWT access + email claims + password rehashing
persistence
Postgres integration (sqlx) + migrations folder
H
[x]
Pool + users migration + conversations/messages schema
Phase 2 – Platform & Reliability
ID
Task
Priority
Status
Notes
validation
Input validation layer (email, password, models, messages)
H
[x]
Comprehensive validation module with regex + unit tests
auth-middleware
JWT verification middleware for protected routes
H
[x]
auth_middleware.rs created, ready to apply
rate-limiting
Rate limiting (in-memory token buckets, per-IP)
M
[x]
DashMap-based, applied to unauthenticated endpoints
health-checks
Comprehensive health endpoints with dependency checks
H
[x]
/health, /readiness, /metrics with DB/Ollama verification
docker
Multi-stage Dockerfile + docker-compose (api, postgres, redis, ollama, nginx)
H
[x]
Production docker-compose.prod.yml with hardening
nginx
Reverse proxy config (security headers, gzip, rate limits)
M
[x]
350+ line nginx.conf with production headers
security
CORS policy, security headers, input validation hooks
M
[x]
Comprehensive security layer in app.rs
Phase 3 – DevOps & Documentation
ID
Task
Priority
Status
Notes
ci-cd
GitHub Actions workflows (CI, Docker builds, Dependabot)
H
[x]
4 workflow files: ci.yml, docker.yml, dependabot.yml, auto-merge
deployment-docs
Deployment guide & architecture documentation
H
[x]
DEPLOYMENT.md (700+ lines), ARCHITECTURE.md, TESTING.md
security-docs
Security policy & disclosure process
M
[x]
SECURITY.md + .well-known/security.txt (RFC 9116)
db-ops
Database backup/restore scripts
M
[x]
scripts/backup-db.sh + restore-db.sh with rotation
Phase 4 – Quality & Testing
ID
Task
Priority
Status
Notes
testing
Integration test harness (test server, seed db)
M
[x]
crates/api/tests/integration_tests.rs with 8 tests
unit-tests
Unit tests for validation, auth, core modules
M
[x]
Validation module has comprehensive tests
Phase 5 – Frontend Integration (Future)
ID
Task
Priority
Status
Notes
nextjs
Scaffold Next.js app (web/) with auth pages + chat UI
M
[ ]
Deferred to next milestone
frontend-docs
Frontend integration guide
M
[ ]
To be created with Next.js app
Phase 6 – Advanced Features (Future)
ID
Task
Priority
Status
Notes
redis-rate-limit
Redis-backed rate limiting (vs in-memory)
L
[ ]
Current: DashMap in-memory
apply-auth-middleware
Apply JWT middleware to /v1/chat endpoints
M
[~]
Middleware created, not yet applied
request-metrics
Request latency histograms & status counters
L
[ ]
Basic metrics present, could add more detail
Task Details & Acceptance Criteria
Email validation: regex pattern, max 190 chars
Password validation: 8-128 chars, requires letter + number
Model name validation: alphanumeric + allowed chars, max 100
Message content validation: non-empty, configurable max length
Comprehensive unit tests for all validators
Status : COMPLETE - validation.rs with EMAIL_REGEX, validators, tests integrated into routes
JWT verification using ds-auth::verify_jwt
Extract Bearer token from Authorization header
Insert AuthUser (user_id, email) into request extensions
Proper error logging for auth failures
Status : COMPLETE - auth_middleware.rs created, ready to apply to routes
/health: JSON with status, version, DB health, Ollama health, latency metrics/readiness: Simple "ready" response for K8s probes/metrics: Prometheus exposition format with pool size, rate limit bucketsStatus : COMPLETE - comprehensive health monitoring implemented
Integration tests for signup, login, health, metrics endpoints
Test database setup/teardown with migrations
HTTP request/response testing using Tower's oneshot
Test coverage: success cases + validation errors + auth failures
Status : COMPLETE - integration_tests.rs with 8 tests + TESTING.md guide
CI workflow: fmt, clippy, tests, audit
Docker workflow: multi-platform builds (amd64, arm64)
Dependabot: Cargo, GitHub Actions, Docker updates
Auto-merge workflow for patch updates
Status : COMPLETE - 4 GitHub Actions workflows configured
Comprehensive deployment guide (700+ lines)
Architecture documentation with diagrams
Testing guide with setup instructions
Security policy with disclosure process
Status : COMPLETE - DEPLOYMENT.md, ARCHITECTURE.md, TESTING.md, SECURITY.md
✅ Production-Ready Components
✅ Multi-crate workspace architecture
✅ Comprehensive configuration system
✅ Structured logging with request IDs
✅ Unified error handling
✅ Proper Ollama HTTP streaming implementation
✅ Input validation layer
✅ Password hashing with Argon2id + rehashing on parameter changes
✅ JWT authentication (generation + verification)
✅ Database migrations & connection pooling
✅ Health monitoring with dependency checks
✅ Prometheus metrics
✅ Rate limiting (in-memory per-IP)
✅ Security headers (HSTS, CSP, X-Frame-Options, etc.)
✅ CORS configuration
✅ Docker multi-stage builds
✅ Production docker-compose with resource limits
✅ Nginx reverse proxy with security hardening
✅ CI/CD pipelines
✅ Integration test suite
✅ Comprehensive documentation
🔄 In Progress / Ready to Apply
🔄 JWT middleware on chat endpoints (created, not yet applied)
🔄 Request metrics (basic metrics present, could add histograms)
📋 Redis-backed rate limiting (currently in-memory)
📋 Next.js frontend
📋 OpenTelemetry integration
📋 Multi-provider LLM support (OpenAI, etc.)
📋 Conversation history persistence in endpoints
📋 WebSocket support for chat streaming
📋 Property-based testing with proptest
📋 Load testing with criterion
Open Design Decisions (To Resolve)
Streaming format: SSE vs JSON lines vs WebSocket → Decided: SSE for now JWT refresh strategy: stored refresh table vs rotating stateless tokens → Current: Single access token
Telemetry stack: OpenTelemetry + collector? (phase gating) → Future milestone
Model abstraction: support future providers (OpenAI, local huggingface, etc.) → Architecture supports via ModelProvider trait
Metrics crate: prometheus vs opentelemetry-prometheus → Decided: Manual Prometheus format for now
2025-09-20: Initial TODO roadmap created.
2025-09-23: Phase 0 workspace, deps, config complete; partial logging & errors; Phase 1 model-provider & http-routes complete.
2025-01-XX: MVP code quality phase complete - added validation, auth middleware, comprehensive health checks, full Ollama implementation, integration tests, CI/CD, deployment docs, security hardening. 75% overall completion.
Update statuses as work proceeds (search by ID).
Keep acceptance criteria immutable; append clarifications below rather than rewriting history.
Add new tasks under proper phase; increment total for progress metric.
Record changes in Changelog with date.
Review and adjust priorities as project evolves.