Backlog
This page contains planned work, follow-up issues, and feature requests for the Nexus project.
Working backlog
User security, tenant security, projects, and assets
Outcome: keep Nexus focused first on secure user access, secure tenant boundaries, project organization, and tenant/project-owned asset operations.
Scope:
- Treat user security and tenant security as the highest-priority platform work.
- Keep Projects and Assets as the next operational priorities.
- Ensure projects are tenant-owned through projects.tenant_id.
- Ensure assets are tenant-owned through assets.tenant_id and can optionally belong to a project through assets.project_id.
- Validate project-scoped asset writes so a tenant asset cannot silently point at a project outside the tenant or shared root scope.
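One way to express the project-scoped write check above, as an added example that is not Nexus code. It assumes that shared root scope means projects owned by a single root tenant; `SHARED_ROOT_TENANT_ID`, `ScopeError`, `validate_asset_write` and the sample rows are hypothetical. The check runs on the merged row so that a partial update changing only assets.tenant_id is caught as well.

```python
# Assumption: shared projects are owned by one root tenant; the id is made up.
SHARED_ROOT_TENANT_ID = 1

# Constructed sample of projects rows: project id -> projects.tenant_id
PROJECTS = {10: 2, 11: 3, 12: SHARED_ROOT_TENANT_ID}


class ScopeError(ValueError):
    """An asset write would leave the asset pointing outside its tenant scope."""


def validate_asset_write(existing, patch, projects):
    """Check the asset row as it will exist after the write.

    existing: current row as a dict, or None for a create.
    patch:    fields supplied by the caller.
    Returns the merged row, or raises ScopeError.
    """
    merged = {**(existing or {}), **patch}
    tenant_id = merged.get("tenant_id")
    if tenant_id is None:
        raise ScopeError("assets.tenant_id is required")

    project_id = merged.get("project_id")
    if project_id is None:
        return merged  # project membership is optional

    owner = projects.get(project_id)
    # Same error for "no such project" and "another tenant's project", so the
    # response does not reveal which project ids exist in other tenants.
    if owner is None or owner not in (tenant_id, SHARED_ROOT_TENANT_ID):
        raise ScopeError("project is not available in this tenant scope")
    return merged
```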
SIS ingestion, MOSIS extracts, and grade-card marts
Outcome: make Nexus an operational data platform for daily SIS ingestion, MOSIS file generation, exception reporting, and DESE-style education analytics.
Scope:
- Ingest Infinite Campus and other SIS extracts into auditable staging tables before mapping records into Nexus canonical education objects.
- Add school-year-versioned MOSIS layout metadata, extract builders, validation results, and export run history.
- Create datamarts for SIS source quality, MOSIS extract readiness, post-submission corrections, and district/school grade-card style indicators.
- Track implementation details in MOSIS operational data platform.
Directory and productivity suite integrations
Outcome: integrate workforce identity and collaboration context from Google Workspace, Microsoft Active Directory, and Microsoft 365 into Nexus for operational workflows.
Scope:
- Add connectors and ingestion pipelines for Google Workspace directory data.
- Add connectors and ingestion pipelines for Microsoft Active Directory user, group, and organizational unit data.
- Add connectors and ingestion pipelines for Microsoft 365 identity and collaboration metadata needed for Nexus use cases.
- Track source-system sync runs, deltas, mapping rules, and reconciliation errors for each connector.
- Keep imported records tenant-scoped, auditable, and replayable without mutating canonical records until validations pass.
Frontend endpoint workflow completion
Outcome: turn broad API client coverage into real operator workflows.
Scope:
- Add UI for issue comments, attachments, links, history, activity, watchers, and issue catalog objects.
- Add UI for configuration relationships, person identity contacts, contact ordering, school lifecycle actions, asset assignment close, and group memberships.
- Keep create, update, archive, restore, and related-record actions consistent across object workspaces.
Object detail and inspector experiences
Outcome: make master/detail pages feel complete instead of list-only.
Scope:
- Add related-record panes, lifecycle action buttons, archive/restore visibility, empty states, and edit/create modes.
- Finish inspector/edit sheets for remaining object workspaces.
- Review keyboard flow through object cards, detail panes, and sheet controls.
Package landing pages
Outcome: give each package a useful first screen for navigation and triage.
Scope:
- Finish landing pages for System, Projects, Education, Assets, Census, Configurations, and Locations.
- Include counts, recent activity, and direct create actions.
- Keep package navigation aligned with the current module taxonomy.
Search implementation
Outcome: make global and workspace search return useful, context-aware results.
Scope:
- Wire the global top-bar search to filtered or query-backed results.
- Wire master-view search to object-specific filtering.
- Respect tenant, project, school, and calendar context when searching.
Release validation expansion
Outcome: provide one repeatable pre-release command that catches common regressions.
Scope:
- Add backend route/import tests and application router coverage.
- Add migration graph smoke tests.
- Add frontend production build checks.
- Add docs build validation to the release script.
Frontend regression coverage
Outcome: protect high-traffic UI flows from release-to-release drift.
Scope:
- Cover package navigation, context controls, asset model/detail splits, auth expiry behavior, and package landing pages.
- Add accessibility checks for popover menus, drawers, object cards, detail panes, and sheet controls.
- Keep Playwright or equivalent browser coverage runnable from release validation.
API ownership and REST consistency audit
Outcome: make route ownership, tags, verbs, and related-resource shapes predictable.
Scope:
- Verify related-object endpoints are owned by the intended secondary object's package.
- Ensure route tags follow the <Package>: <Object> convention.
- Normalize PUT versus PATCH, lifecycle actions, list/read/create/update/delete shapes, and related-resource delete URLs.
Tenancy and access-control hardening
Outcome: verify scoped access stays correct as modules expand.
Scope:
- Add focused tests for tenant scope headers and Global tenant visibility.
- Cover current/default tenant, project, and school preferences.
- Cover admin-only writes and group membership boundaries.
Dependency version pinning
Outcome: improve dependency stability and supply-chain reviewability.
Scope:
- Replace floating dependency versions in frontend/package.json with explicit version pins.
- Confirm lockfiles capture the intended resolved versions.
- Keep dependency updates intentional and reviewable through release validation.
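A release-validation check for the two pinning items above, as an added example that is not part of the Nexus repository. It assumes an npm lockfile in the v2/v3 layout with a top-level `packages` map; the function names and the sample manifest and lockfile are constructed for illustration.

```python
import json
import re

# A pin here means a bare x.y.z (optionally with prerelease/build metadata).
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def _declared(manifest):
    """Yield (section, name, spec) for every declared dependency."""
    for section in SECTIONS:
        for name, spec in sorted(manifest.get(section, {}).items()):
            yield section, name, str(spec).strip()


def floating_dependencies(manifest_text):
    """Return (section, name, spec) for every spec that is not an exact version."""
    manifest = json.loads(manifest_text)
    return [d for d in _declared(manifest) if not EXACT.match(d[2])]


def lock_mismatches(manifest_text, lock_text):
    """Return (name, pinned, locked) where the lockfile resolves a pinned
    dependency to a different version, or omits it (locked is None)."""
    manifest = json.loads(manifest_text)
    packages = json.loads(lock_text).get("packages", {})
    out = []
    for _, name, spec in _declared(manifest):
        if not EXACT.match(spec):
            continue  # already reported by floating_dependencies
        locked = packages.get(f"node_modules/{name}", {}).get("version")
        if locked != spec:
            out.append((name, spec, locked))
    return out


# Constructed sample input: package names and versions are made up.
SAMPLE_MANIFEST = json.dumps({
    "dependencies": {"pkg-a": "1.3.0", "pkg-b": "^2.0.1", "pkg-c": "~0.9.0"},
    "devDependencies": {"pkg-d": "latest", "pkg-e": "5.4.5", "pkg-f": "8.x"},
})
SAMPLE_LOCK = json.dumps({"packages": {
    "": {},
    "node_modules/pkg-a": {"version": "1.3.0"},
    "node_modules/pkg-e": {"version": "5.4.6"},
}})
```

Both functions return an empty list when the manifest is fully pinned and the lockfile agrees, so a release script can fail on any non-empty result.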
Browser security headers
Outcome: harden browser behavior for deployed frontend and docs surfaces.
Scope:
- Add or enforce headers such as Strict-Transport-Security, Content-Security-Policy, and X-Frame-Options.
- Document local, staging, and production header expectations.
- Verify headers through deployment or release validation checks.
Dependency vulnerability audits
Outcome: keep backend and frontend dependency risk visible.
Scope:
- Run vulnerability audits for Python and frontend packages.
- Track actionable findings in this backlog or the issue tracker.
- Add repeatable audit commands to release validation when they are stable enough for CI.
Documentation taxonomy refresh
Outcome: keep README and developer docs aligned with current Nexus modules.
Scope:
- Use System, Projects, Education, Assets, Census, Configurations, and Locations language consistently.
- Remove stale Census Edu, Users-only, Service-module, Directory, Access, Workspace, and API Suite language where it no longer matches the product.
- Keep schema and package boundary docs synchronized with route ownership.
Frontend module taxonomy cleanup
Outcome: make in-app labels match the current package taxonomy.
Scope:
- Replace stale Service module and Census Edu module labels with Projects and Education language.
- Move issue catalog support pages out of the legacy Service grouping and into the Projects package navigation.
- Normalize /me package labels so schools and calendars consistently appear under Education.
Frontend route and collection registry
Outcome: reduce manual route, menu, record-store, and collection-view drift as objects are added.
Scope:
- Introduce a shared object registry for package, path, record key, label, lifecycle, and supported actions.
- Generate package navigation, protected-route checks, add-sheet routing, and collection-view selection from the registry where practical.
- Keep specialized asset and issue workflows extensible without hiding domain-specific behavior.
Seed and demo data refresh
Outcome: make the UI reviewable without manual setup.
Scope:
- Add realistic tenants, projects, schools, calendars, people, assets, issues, and relationships.
- Include groups, locations, and configuration items.
- Ensure demo paths exercise July package navigation and object detail workflows.
/me portal workflow completion
Outcome: make user-facing account and context controls dependable.
Scope:
- Complete default context preference workflows.
- Add active session visibility.
- Finish account settings flows exposed through the user portal.
Dashboard operational summary
Outcome: make the signed-in dashboard useful for daily triage instead of only navigation.
Scope:
- Show tenant-aware counts for open issues, active assets, current enrollments, current employments, and recent configuration changes.
- Surface stale or high-priority records that need action.
- Link each dashboard signal to the filtered object view that explains it.
API contract examples and fixtures
Outcome: make route behavior easier to verify and consume from frontend and future clients.
Scope:
- Add minimal request and response examples for core object routes and related-resource endpoints.
- Keep fixtures aligned with seeded demo data and tenant scope behavior.
- Use examples as inputs for API contract or smoke tests where the release validation script can exercise them.
Workspace cleanup and generated file hygiene
Outcome: keep the repository clean after tests, docs builds, and frontend builds.
Scope:
- Confirm __pycache__, .pytest_cache, frontend/docs build output, and local dependency folders are ignored.
- Keep generated files out of release commits unless they are intentional lockfiles or fixtures.
Apple client path decision
Outcome: clarify whether the Apple app is an active client or a deliberately minimal project artifact.
Scope:
- Define a short Apple client roadmap if the app remains active.
- Document the minimal/supporting role if it is not on the near-term roadmap.
Nexus platform expansion
Outcome: continue the foundational work needed to support the expanded Nexus feature set across core domains.
Scope:
- Keep shared platform patterns stable as modules mature.
- Fold completed expansion work into narrower follow-up issues when it becomes actionable.
Documentation and deployment updates
Outcome: keep project documentation and deployment references current.
Scope:
- Refresh deploy guidance when infrastructure or module boundaries change.
- Link release validation expectations from developer docs.
Completed backlog
Default secrets hardening
Outcome: replaced insecure default handling for POSTGRES_PASSWORD and JWT_SECRET_KEY with explicit secret configuration practices.
Production secret handling
Outcome: production deployments no longer depend on repo-managed defaults and are documented around external secret storage.
Token storage security
Outcome: authentication token storage was moved to a more secure session approach so frontend state can respond cleanly to token expiry and revocation.
Backend API refinement
Outcome: split backend route adapters, application services, domain schemas, tenancy and auth helpers, and infrastructure row mappers into focused modules with stable import surfaces.
Expired token session-state handling
Outcome: invalid or expired tokens clear local auth state, redirect users to sign-in, and show a clear session-expired message.
Asset domain first-class object migration
Outcome: replaced legacy asset transactions with first-class Asset Circulation and Asset Repair objects across frontend workflows, backend APIs, and database schema.
Users module group and membership management
Outcome: added first-class User Groups and User Group Membership management across database schema, backend APIs, and frontend workflows.
Tenant-scoped write consistency and schema documentation
Outcome: ensured school-domain create flows honor selected tenant scope, corrected tenant assignment drift for seeded records, and published comprehensive per-table schema documentation.
Responsive shell and object workspace navigation
Outcome: added switchable sidebar/top-bar navigation, tenant and user menu placement, card-first master views, inline detail panes, and related-object shortcuts.
Object editor sheets and frontend clean architecture
Outcome: added sheet-based object editing for assets and asset models, generalized split master/detail object views, introduced URL-focused object selection routes, and split frontend helpers into shared, infrastructure, application, feature, and component layers.
Issue parent model
Outcome: introduced a parent Issue model with service request, known problem, incident, post-incident analysis, change, and repair subtypes.
Projects module
Outcome: added Projects as the core organizing object for issues and seeded Technology Service and Maintenance Service as shared service projects.
Education module API expansion
Outcome: moved school-related route adapters into the education API package, expanded education LCRUD and lifecycle endpoints, added school grade levels and employment assignment types, and documented the package boundary.
System API and frontend navigation consolidation
Outcome: folded users, groups, tenants, sessions, preferences, and health into the system API package; added key-backed school context objects; expanded /me context endpoints; and reworked the frontend shell around package navigation pages, categorized popovers, context filters, and compact master/detail workspaces.