# Ironhand Social Radar Implementation Checklist

This checklist is the authoritative delivery tracker for the requirements in the
Ironhand Social Radar master prompt. Check items only after implementation,
verification, and relevant documentation are complete.

## Project-wide definition of done

- [ ] Backend behavior works for the completed feature.
- [ ] Tenant isolation and server-side authorization are enforced.
- [ ] Persistence, validation, and error handling are implemented.
- [ ] Sensitive changes are captured in the audit trail.
- [ ] Automated tests cover the critical paths and pass.
- [ ] UI states include loading, empty, success, and failure behavior.
- [ ] Accessibility and responsive behavior are addressed.
- [ ] Related documentation is current.
- [ ] No credentials, tokens, cookies, personal data, or other secrets are committed.
- [ ] Existing and unrelated functionality remains intact.

## Phase 0 — Audit and plan

### Repository audit

- [x] Read the complete master prompt and identify required deliverables.
- [x] Search for repository-level `AGENTS.md`, README, architecture, deployment, and contribution instructions.
- [x] Inspect the repository structure and existing files.
- [x] Inspect Git status and document that the starting directory is not a Git repository.
- [x] Identify installed PHP, Composer, Node.js, npm, MySQL, Docker, and Git versions.
- [x] Identify the existing cPanel/Apache/PHP deployment constraints.
- [x] Confirm the repository contains no reusable application framework or business logic.
- [x] Search for the three required brand-reference filenames.
- [x] Locate compatible Ironhand-owned source assets without changing sibling applications.
- [x] Create this implementation checklist before application implementation.

### Phase 0 documents and decisions

- [x] Write `docs/PRODUCT_REQUIREMENTS.md`.
- [x] Write `docs/ARCHITECTURE.md`.
- [x] Write `docs/SAAS_AND_TENANCY.md`.
- [x] Write `docs/DATABASE_SCHEMA.md`.
- [x] Write `docs/API_SPECIFICATION.md`.
- [x] Write `docs/SCANNER_DESIGN.md`.
- [x] Write `docs/CRM_INTEGRATION.md`.
- [x] Write `docs/BRANDING_AND_DESIGN_SYSTEM.md`.
- [x] Write `docs/SECURITY_AND_PRIVACY.md`.
- [x] Write `docs/DEPLOYMENT.md`.
- [x] Write `docs/TEST_PLAN.md`.
- [x] Write `docs/OPERATIONS_RUNBOOK.md`.
- [x] Write `docs/KNOWN_LIMITATIONS.md`.
- [x] Write `docs/branding/LOGO_GENERATION_BRIEF.md`.
- [x] Create `.env.example` with safe production-oriented defaults.
- [x] Document the architecture and reusable-functionality audit.
- [x] Document risks, constraints, assumptions, and external dependencies.
- [x] Document the proposed directory structure.
- [x] Document the database and multi-tenant strategy.
- [x] Document centralized plans, entitlements, licenses, and usage limits.
- [x] Document CRM activation/deactivation, labeling, and idempotency.
- [x] Document scanner and Manifest V3 extension strategy.
- [x] Document security and privacy boundaries.
- [x] Document the Ironhand design-system plan.
- [x] Document the Social Radar logo-generation plan.
- [x] Restore approved Ironhand references under `design-references/`.
- [x] Scaffold the selected production-ready application architecture.
- [x] Run the initial installation/build/test baseline.

## Phase 1 — SaaS foundation

### Application foundation

- [x] Use `Ironhand Social Radar`, `ironhand_radar`, and `radar.ironhand.org` consistently.
- [x] Configure the application URL through environment configuration.
- [x] Establish a Laravel modular-monolith control plane.
- [x] Establish a modern TypeScript frontend with reusable components.
- [x] Configure MySQL-compatible persistence.
- [x] Configure Redis-compatible queues/cache with a safe local fallback.
- [x] Configure versioned REST APIs under `/api/v1`.
- [x] Configure structured logging, correlation IDs, and health endpoints.
- [x] Provide local Docker Compose services where practical.

### Authentication and account security

- [x] Implement login and logout.
- [x] Implement secure password reset.
- [x] Implement mandatory Platform Owner 2FA.
- [ ] Implement optional/required tenant-user 2FA policy.
- [x] Implement brute-force protection and authentication rate limits.
- [x] Implement session and API-token rotation/revocation.
- [ ] Implement forced logout and revoke-all-token controls.
- [x] Audit authentication, password, and 2FA events.

### Organizations, memberships, roles, and permissions

- [x] Implement organizations with active, paused, suspended, deactivated, and read-only states.
- [x] Seed Ironhand as the first organization and default platform brand.
- [x] Implement owner-created organization onboarding.
- [x] Add self-service signup feature flag, disabled by default.
- [x] Implement invitations and membership management.
- [ ] Implement per-tenant teams and assignments.
- [x] Implement Platform Owner role and immutable owner protection.
- [x] Implement Delegated Superadmin with explicit grants and owner restrictions.
- [x] Implement Organization Administrator.
- [x] Implement Sales Manager.
- [x] Implement Sales Executive.
- [x] Implement Analyst.
- [x] Implement Viewer/read-only access.
- [ ] Enforce server-side authorization on every protected endpoint and job.
- [ ] Test cross-tenant URL, ID, export, search, job, and API-payload isolation.

### Plans, subscriptions, entitlements, and licenses

- [x] Implement plans and centralized feature entitlements.
- [x] Implement subscriptions, trials, grace periods, cancellation, and suspension states.
- [ ] Implement license start/end dates and activation/revocation.
- [x] Implement soft and hard usage limits.
- [x] Implement usage counters and monthly reset behavior.
- [x] Implement upgrade/downgrade-safe entitlement evaluation.
- [x] Implement users entitlement.
- [x] Implement campaigns entitlement.
- [x] Implement sources entitlement.
- [x] Implement scanner-devices entitlement.
- [x] Implement scans-per-month entitlement.
- [x] Implement posts/comments processed entitlements.
- [x] Implement AI-analysis and budget entitlements.
- [x] Implement opportunities-retained entitlement.
- [x] Implement alert-channel entitlement.
- [x] Implement CRM-integration entitlement.
- [x] Implement data-retention entitlement.
- [x] Implement export, API, white-label, and priority-support entitlements.
- [ ] Add billing-provider abstraction and tax/invoice metadata fields.

### Tenant settings and lifecycle

- [x] Implement per-tenant locale, language, timezone, and currency.
- [ ] Implement per-tenant AI provider, model, instructions, and budgets.
- [ ] Implement per-tenant notification settings.
- [ ] Implement per-tenant integrations and encrypted credentials.
- [ ] Implement per-tenant branding and future white-label settings.
- [ ] Implement retention policies.
- [ ] Implement tenant data export.
- [ ] Implement tenant data deletion and retention-safe cleanup.
- [x] Implement read-only tenant enforcement.

### Audit, security events, and owner controls

- [x] Implement append-protected audit logs with actor, tenant, action, target, time, context, reason, and before/after values.
- [ ] Implement security-event tracking.
- [x] Audit tenant/user status changes.
- [ ] Audit roles, permissions, plans, licenses, and entitlements.
- [x] Build protected owner-only administration routes and screens.
- [x] Implement tenant activation, suspension, deactivation, and read-only controls.
- [x] Implement user activation, suspension, and deactivation controls.
- [ ] Implement device and license approval/revocation controls.
- [ ] Implement global/tenant platform controls.
- [ ] Implement global/tenant AI controls.
- [ ] Implement global/tenant/connection CRM controls.
- [ ] Implement global/tenant export controls.

### Branding foundation

- [ ] Centralize logo and brand asset paths.
- [x] Define Ironhand red, graphite, neutral, semantic, and dark-mode-ready tokens.
- [x] Define typography, 8-point spacing, borders, elevation, grid, and motion tokens.
- [ ] Meet WCAG AA contrast targets for core components.
- [x] Build reusable buttons, inputs, tables, badges, cards, dialogs, filters, and navigation.

## Phase 2 — Core domain

### Campaigns

- [x] Implement tenant-scoped campaigns.
- [ ] Implement name, description, products/services, industries, locations, languages, and ideal-customer profile.
- [ ] Implement positive keywords, exact phrases, related concepts, and negative keywords.
- [ ] Implement exclusions and competitor-name handling.
- [ ] Implement assigned teams and source relationships.
- [ ] Implement campaign schedules and retention policies.
- [ ] Implement campaign AI instructions and brand voice.
- [ ] Implement suggested-response rules.
- [x] Implement CRM export opt-in/out.
- [x] Implement campaign enabled/disabled states.
- [x] Support Spanish and English.

### Scoring rules

- [x] Implement configurable scoring criteria and weights.
- [ ] Implement thresholds, required conditions, and exclusions.
- [x] Implement default 0–100 scoring guidance.
- [x] Implement scoring-rule versions.
- [x] Preserve the scoring version used by historical analyses.
- [ ] Build a scoring-rule editor with validation and preview.

### Sources

- [x] Implement source platform, name, URL, type, and access classification.
- [x] Implement source campaign, scanner/device assignment, schedule, priority, and limits.
- [x] Implement maximum posts, comments, depth, and lookback.
- [x] Implement enabled and health states.
- [x] Implement attempted/success/next-scan timestamps and failure counts.
- [x] Implement authentication-required status, notes, and tags.
- [x] Validate schemes, supported destinations, and normalized URLs.
- [x] Prevent internal-network SSRF and dangerous destinations.

### Devices, scanners, and licenses

- [x] Implement device registration and approval.
- [x] Implement scanner identity, version, capabilities, and authorization.
- [x] Implement scanner pause/resume and revocation.
- [x] Implement scanner heartbeats and online/offline state.
- [ ] Stop jobs when user, organization, license, token, or device is revoked.
- [x] Implement assigned-source management.

### Initial synthetic seed data

- [x] Seed the optional Spanish Ironhand campaign phrases.
- [x] Seed job-seeker, homework, free-only, consumer-app, out-of-market, and stale-discussion exclusions.
- [x] Use synthetic organizations, users, content, and opportunities only.
- [x] Do not include real people.

## Phase 3 — Scan infrastructure

### Scan orchestration

- [x] Scheduler identifies eligible sources.
- [x] Authorization validates global platform state.
- [x] Authorization validates tenant, user, device, scanner, license, plan, usage, campaign, and source.
- [x] Create a scan session before queueing work.
- [x] Queue idempotent scan jobs.
- [x] Allow only authorized scanners to accept jobs.
- [x] Record source access outcomes.
- [x] Validate ingestion server-side.
- [x] Finalize sessions with metrics, warnings, and errors.
- [ ] Implement cancellation, retries, and partial-success handling.

### Global and scoped kill switches

- [x] Implement global scanning kill switch.
- [x] Prevent new jobs while scanning is disabled.
- [x] Stop workers from accepting jobs while disabled.
- [ ] Revoke active scanner authorizations.
- [x] Preserve historical scan data.
- [x] Record owner, time, and reason.
- [x] Require Platform Owner authorization to reactivate.
- [ ] Implement per-tenant and per-scanner pause controls.
- [x] Implement separate CRM synchronization kill switch.

### Ingestion and deduplication

- [x] Define structured post/comment ingestion schemas.
- [x] Prefer native platform identifiers.
- [x] Generate stable content fingerprints when native IDs are unavailable.
- [x] Include platform, tenant, source, content type, URL, parent, author/profile, timestamp, and normalized content hash.
- [x] Store first discovered, last observed, and observation count.
- [x] Distinguish new, changed, repeated, matched, and qualified items.
- [ ] Prevent duplicate content, opportunities, alerts, and CRM leads.

### Scan metrics and telemetry

- [x] Track sources scheduled, attempted, opened, successful, partial, and failed.
- [x] Track pages/screens loaded.
- [x] Track posts displayed, extracted, processed, unique, and revisited.
- [x] Track comments displayed, extracted, processed, unique, and revisited.
- [x] Track keyword and exclusion matches.
- [x] Track AI queued, completed, and failed.
- [x] Track qualified and high-priority opportunities.
- [x] Track duplicates prevented.
- [ ] Track alerts queued, sent, delivered, and failed.
- [ ] Track CRM queued, imported, linked, skipped, and failed.
- [x] Track practical data volume, queue time, scan duration, and processing time.
- [x] Track errors and warnings with safe error codes.
- [x] Never conflate displayed, extracted, processed, and unique counts.
- [x] Build scan-session summary and detail screens.

## Phase 4 — Browser extension

- [x] Create Chrome/Edge Manifest V3 TypeScript extension.
- [x] Use the user’s existing authenticated browser session without collecting social passwords.
- [x] Register and identify an authorized device.
- [x] Support policy-driven administrator approval.
- [x] Retrieve only authorized source jobs.
- [x] Validate current authorization before each job.
- [x] Support pause/resume.
- [x] Display current state, connection health, and last scan.
- [x] Implement adapters behind a platform-neutral interface.
- [x] Process only visible content within configured limits.
- [x] Extract structured posts/comments and complete telemetry.
- [x] Submit results using authenticated, revocable tokens.
- [x] Never transmit raw session cookies as scan data.
- [x] Never hardcode secrets.
- [x] Stop immediately on user, organization, license, device, or token revocation.
- [x] Report authentication interruptions, access failures, and layout changes.
- [x] Avoid CAPTCHA solving, stealth, fingerprint evasion, access-control bypass, proxy rotation, and mass engagement.
- [x] Produce Manifest V3 packages and installation documentation.
- [x] Keep interfaces ready for a future Windows desktop agent.

## Phase 5 — AI and opportunities

### AI provider and analysis

- [x] Implement provider-independent AI interfaces.
- [x] Implement an OpenAI-compatible adapter.
- [x] Validate structured outputs against a schema.
- [x] Implement language detection.
- [x] Implement keyword and exclusion evaluation.
- [x] Implement semantic intent detection.
- [x] Implement need, industry, and service classification.
- [x] Extract location only when supported by evidence.
- [x] Detect urgency and buying intent without inventing facts.
- [x] Return potential-opportunity boolean and confidence.
- [x] Return problem, service category, industry, location, company-size and decision-maker indicators.
- [x] Return recommendation request, existing solution, dissatisfaction, budget, and timeframe indicators.
- [x] Return risk/exclusion reasons.
- [x] Return summary, score, and score explanation.
- [x] Return suggested public response and private message.
- [x] Return recommended action and follow-up time.
- [x] Distinguish fact from inference and use `unknown` when evidence is insufficient.
- [x] Handle timeouts, invalid responses, retries, budgets, and disabled-AI states.

### Opportunity records and workflow

- [x] Implement tenant-scoped opportunity numbers.
- [x] Store campaign, platform, source, original content, direct URL, and permitted author/profile data.
- [x] Store keywords, AI summary, need, industry, location, urgency, buying intent, score, confidence, and explanation.
- [x] Store recommended solution and response suggestions.
- [x] Store salesperson, deadline, status, notes, and activity history.
- [x] Store CRM connection, record, label, and status fields.
- [x] Store first detected, last observed, response time, outcome, estimated value, and actual revenue.
- [x] Implement Detected → AI Qualified → Needs Review → Assigned workflow.
- [x] Implement Contacted → Responded → Meeting Scheduled → Proposal Sent workflow.
- [x] Implement Negotiation → Won/Lost → Archived workflow.
- [x] Record every status change.

### Human response review

- [x] Generate response suggestions without auto-publishing.
- [x] Allow edit and regenerate.
- [x] Provide tone and language controls.
- [x] Provide copy action.
- [x] Show original-context preview.
- [x] Provide open-original-post action.
- [x] Record human approval.
- [x] Record the confirmed final text.
- [x] Do not automatically publish social comments or private messages.

## Phase 6 — Alerts and CRM

### Alerts

- [ ] Implement in-app notifications.
- [ ] Implement email notifications.
- [ ] Implement WhatsApp provider abstraction.
- [ ] Implement immediate alerts.
- [ ] Implement daily summaries.
- [ ] Implement weekly summaries.
- [ ] Filter rules by score, campaign, source, platform, keyword, location, industry, salesperson, hours, and frequency.
- [ ] Track queued, sent, delivered when supported, and failed.

### CRM connection lifecycle and controls

- [ ] Implement Not configured, Draft, Testing, Active, Paused, Authentication expired, Error, and Deactivated states.
- [ ] Configure encrypted CRM credentials.
- [ ] Test connection without importing.
- [ ] Activate, pause, resume, and deactivate a connection.
- [ ] Rotate and remove credentials.
- [ ] Show last success, sync health, queue, and failed records.
- [ ] Retry failed records.
- [ ] Record who changed state, when, and why.
- [ ] Enforce global platform CRM state.
- [ ] Enforce plan/entitlement CRM state.
- [ ] Enforce organization CRM state.
- [ ] Enforce connection CRM state.
- [ ] Enforce campaign CRM state.
- [ ] Ensure the most restrictive applicable setting wins.

### CRM synchronization

- [ ] Keep scanning and internal opportunities working while CRM is inactive.
- [ ] Stop new CRM exports immediately when deactivated.
- [ ] Implement explicit queued-job pause/cancel handling.
- [ ] Never auto-delete existing CRM records.
- [ ] Preserve historical mappings for reconciliation.
- [ ] Prevent duplicates after reconnecting.
- [ ] Implement asynchronous idempotent sync jobs.
- [ ] Implement import thresholds.
- [ ] Implement manual and automatic imports.
- [ ] Implement existing-lead matching and linking.
- [ ] Implement import preview.
- [ ] Implement retry with exponential backoff.
- [ ] Implement failed/dead-letter queue.
- [ ] Implement manual retry and reconciliation.
- [ ] Implement per-record sync history.
- [ ] Implement webhook handling when supported.
- [ ] Document conflict and source-of-truth rules.

### CRM import identification

- [ ] Set source label to `Ironhand Social Radar`.
- [ ] Set source code to `SOCIAL_RADAR`.
- [ ] Set platform, campaign, opportunity ID, source URL, permitted author/profile URL, score, and timestamps.
- [ ] Show `Imported from Social Radar` badge/tag.
- [ ] Apply machine tag `social-radar-import`.
- [ ] Maintain Social Radar opportunity-to-CRM record mappings.
- [ ] Make imports and retries idempotent.
- [ ] Provide CRM filters/reports by platform, campaign, source, score, salesperson, and won/lost revenue.

## Phase 7 — SaaS operations and billing readiness

- [ ] Build plan-management screens.
- [ ] Build subscription-state controls.
- [ ] Enforce plan limits in UI, APIs, jobs, and background workers.
- [ ] Implement trials and grace-period transitions.
- [ ] Implement tenant activation, pause, suspension, deactivation, read-only, export, and deletion lifecycle.
- [ ] Implement billing-provider adapter contracts without hardwiring a provider.
- [ ] Implement tenant billing/tax/invoice metadata.
- [ ] Build usage and entitlement dashboards.
- [ ] Audit all subscription, plan, license, and entitlement changes.

## Phase 8 — Dashboards, branding, UI, and product logo

### Required responsive screens

- [ ] Login and 2FA.
- [ ] Owner dashboard.
- [ ] SaaS organizations.
- [ ] Plans and subscriptions.
- [ ] Users, invitations, and roles.
- [ ] Licenses and entitlements.
- [ ] Devices and scanners.
- [ ] Campaign list and builder.
- [ ] Keywords and exclusions.
- [ ] Scoring-rule builder.
- [ ] Sources.
- [ ] Scan sessions and detail.
- [ ] Content matches.
- [x] Opportunities and detail.
- [x] Response review.
- [ ] Alerts.
- [ ] CRM connections.
- [ ] CRM field mapping.
- [ ] CRM sync history.
- [ ] Reports and exports.
- [ ] Audit log.
- [ ] Security events.
- [ ] Integrations.
- [ ] Branding settings.
- [ ] Owner settings.
- [ ] Kill-switch confirmations.
- [ ] Loading, empty, success, and failure states for all primary screens.
- [ ] Mobile, tablet, and desktop layouts.

### Dashboards and reporting

- [ ] Owner KPIs for tenants, users, devices, scanners, plans, trials, and subscriptions.
- [ ] Owner scan, unique-content, match, opportunity, alert, CRM, queue, AI, storage, security, and kill-switch KPIs.
- [ ] Tenant opportunity, priority queue, platform/source/campaign/salesperson, response, pipeline, keyword, scan, and CRM KPIs.
- [ ] Scanner device, user, tenant, version, heartbeat, job, scan, failure, source, auth, token, and update health.
- [ ] Date, tenant, user, platform, source, campaign, keyword, industry, location, score, status, scanner, scan, and CRM filters.
- [ ] Permission- and tenant-safe exports.
- [ ] Use exact-data tables and charts only when they clarify trends.

### Product-logo system

- [ ] Generate a distinctive Social Radar mark with Ironhand family resemblance.
- [ ] Preserve the parent Ironhand hand symbol and corporate logo.
- [ ] Use Ironhand red, graphite/charcoal, and white.
- [ ] Incorporate a restrained radar/signal/detection/opportunity motif.
- [ ] Avoid social-platform trademarks, gradients, tiny details, cartoons, and cyberpunk clichés.
- [ ] Produce primary horizontal logo.
- [ ] Produce stacked logo.
- [ ] Produce icon-only mark.
- [ ] Produce light-background version.
- [ ] Produce dark/reversed version.
- [ ] Produce monochrome version.
- [ ] Produce favicon assets.
- [ ] Produce Manifest V3 icon sizes.
- [ ] Produce app icon.
- [ ] Produce SVG source where practical.
- [ ] Produce practical PNG exports.
- [ ] Document clear space, minimum size, colors, and rationale.
- [ ] Centralize replaceable asset paths and tokens.

## Phase 9 — Hardening, testing, deployment, and operations

### Security and privacy

- [ ] Verify strict tenant isolation.
- [ ] Verify server-side authorization.
- [ ] Configure TLS expectations and encryption in transit.
- [ ] Encrypt sensitive values at rest.
- [ ] Document production secret management.
- [ ] Validate inputs and safely encode outputs.
- [ ] Verify SQL injection protections.
- [ ] Verify XSS and CSRF protections.
- [ ] Verify SSRF protections.
- [ ] Configure rate limits.
- [ ] Configure secure cookies and headers.
- [ ] Verify token rotation/revocation.
- [ ] Verify least privilege and immutable owner protections.
- [ ] Add dependency scanning.
- [ ] Implement backup and recovery procedures.
- [ ] Implement configurable retention, export, deletion, minimization, and redaction.
- [ ] Prevent raw passwords, cookies, tokens, secrets, and production traces in logs.
- [ ] Document browser-assisted monitoring limitations and immediate revocation.

### Automated tests

- [ ] Authentication, 2FA, owner protection, roles, suspension, tokens, and tenancy tests.
- [ ] Plan, license, entitlement, trial, usage, read-only, export, and deletion tests.
- [ ] Scan authorization, success, partial, failure, interruption, cancellation, retry, limit, metric, and kill-switch tests.
- [ ] Deduplication, repeat-observation, unique-count, fingerprint, and retention tests.
- [x] AI schema, timeout, invalid response, retry, unknown-value, scoring, and version-retention tests.
- [ ] CRM lifecycle, inactive-scanning, labels, mapping, linking, idempotency, retry, reconnection, and tenant-isolation tests.
- [ ] SQL injection, XSS, CSRF, SSRF, tenant-ID, export, secret, and rate-limit tests.
- [ ] Frontend component and accessibility tests.
- [x] Scanner unit/integration tests.
- [x] Extension tests.
- [ ] Playwright end-to-end desktop and mobile tests.
- [x] Use synthetic data only.

### Performance and resilience

- [ ] Validate the initial 5–20 user/device and 20–100 source target.
- [ ] Validate thousands of posts and tens of thousands of comments per day at the architecture level.
- [ ] Validate near-real-time priority-alert paths.
- [ ] Add useful indexes, constraints, pagination, chunking, and queue backpressure.
- [ ] Add retries, timeouts, circuit breakers, dead-letter handling, and idempotency.
- [ ] Test failure recovery and worker restarts.

### Deployment and operations

- [ ] Document local setup and environment variables.
- [ ] Document migrations, scheduler, queue workers, scanner workers, and extension builds.
- [ ] Document production deployment for `radar.ironhand.org`.
- [ ] Document DNS prerequisites without making DNS changes.
- [ ] Provide HTTPS/TLS and reverse-proxy configuration.
- [ ] Provide application/API routing and real-time notification configuration when used.
- [ ] Configure secure cookies, session domain, CORS, and CSRF trusted origins.
- [ ] Provide health checks, log rotation, backups, retention, restore, and rollback.
- [ ] Provide zero- or low-downtime deployment steps.
- [ ] Document key rotation and incident response.
- [ ] Document scanner-adapter updates and CRM troubleshooting.
- [ ] Document SaaS tenant recovery.
- [ ] Do not deploy, change DNS/certificates, or mutate external services without explicit authorization.

## Final verification and handoff

- [x] Run backend tests.
- [ ] Run frontend tests.
- [x] Run scanner tests.
- [x] Run extension tests.
- [ ] Run end-to-end tests.
- [x] Run linting and formatting checks.
- [ ] Run static analysis.
- [x] Run all production builds.
- [ ] Validate clean database migrations and synthetic seed data.
- [ ] Validate owner protection and cross-tenant isolation.
- [ ] Validate plan limits, revocation, and expiration behavior.
- [x] Validate scan counts and duplicate prevention.
- [x] Validate AI failure behavior.
- [ ] Validate CRM activation, pause, deactivation, and reconnection.
- [ ] Validate all CRM source labels, codes, tags, and mappings.
- [ ] Validate CRM deactivation does not stop scanning or remove opportunities.
- [ ] Validate retries cannot duplicate CRM records.
- [ ] Validate scanner and CRM kill switches.
- [ ] Validate retention and tenant deletion.
- [ ] Review security-sensitive endpoints.
- [ ] Review mobile and desktop layouts.
- [ ] Confirm centralized design tokens and brand assets.
- [ ] Confirm logo deliverables and guidance.
- [ ] Update every required document.
- [ ] Update this checklist to reflect verified completion.
- [ ] Produce the final completion report with features, test results, deployment steps, credentials still needed, and remaining limitations.
