Property Prism / Dev Hub

Project Prism — Remaining Work

Updated Apr 3, 2026

Last updated: April 2, 2026 (frontend tests complete, documentation cleanup done)

All features are implemented end-to-end. What remains is hardening: tests, performance, documentation accuracy, security posture, and observability.


1. Backend Tests

Priority | Item | Notes
-------- | ---- | -----
High | contact_handler_test.go | Done — 27 tests
High | contact_service_test.go | Done — 14 tests
High | contact_activity_service_test.go | Done — 16 tests
Medium | map_view_service_test.go | Done — 12 tests
Medium | vacancy_rollup_service_test.go | Done — 7 tests
Medium | 28 untested postgres repos | Done — all 35 repos now have integration tests (was 10/38, now 35/35). See details below.
Repo integration test coverage (completed April 2, 2026)

New test infrastructure:

  • testcontainer_test.go — shared PostGIS container (testcontainers-go v0.41.0), applies schema + all migrations, dual-pool pattern (prism_app with RLS for repo calls, superuser for seed/cleanup)
  • newClaimsPool() sets request.jwt.claims via pgxpool PrepareConn hook, matching production behavior
  • bootstrapTestRoles() stubs auth.jwt(), creates authenticated + prism_app roles
  • seedTestData() inserts 2 orgs, user memberships, submarket lookup

25 new integration test files:

  • owner_repo, tenant_repo, brokerage_firm_repo, organization_repo, contact_repo
  • building_distance_repo, building_drive_catchment_repo, building_metrics_repo, building_park_repo, building_score_repo
  • tim_building_interest_repo, tim_comment_repo, tim_comp_lease_repo, tim_target_submarket_repo, broker_assignment_repo
  • lookup_repo, map_view_repo, key_point_repo, labor_block_group_repo, vacancy_rollup_repo
  • operations_repo, report_repo, contact_activity_repo, geography_repo, rail_line_building_repo

10 existing test files updated to use shared container, admin pool for cleanup, consistent test constants.


2. Frontend Tests

Current coverage: ~37% (36 test files / 135 source files). Up from ~16% (22 files).

Priority | Module | Files | Notes
-------- | ------ | ----- | -----
High | Analytics | 5 pages, 5 tests | Done — 20 tests (4 per page). All passing.
High | Dashboard | 3 files, 2 tests | Done — 10 tests. DashboardPage + DashboardPulseMap. All passing.
Medium | Lookups | 2 files, 2 tests | Done — api.test.ts (5 tests) + hooks.test.ts (4 tests).
Medium | Data mgmt | 3 pages, 3 tests | Done — LeasingCompanies, BuildingParks, Contacts (15 tests). All passing.
Low | Admin | 4 pages, 4 tests | Done — Imports (5 tests), Errors (3 tests), SystemSetup (5 tests), DataExport (5 tests). All passing.

All 118 tests passing (36 test files). Previous assertion failures fixed: added an explicit cleanup() call in test setup (RTL's automatic cleanup only runs when globals: true is set), switched duplicate-text assertions to getAllByText().length checks, and fixed async timing for data-dependent assertions.


3. Backend Performance

From docs/backend-performance-audit-2026-03-31.md:

ID | Priority | Issue | Fix
-- | -------- | ----- | ---
F-01 | High | COUNT queries carry unnecessary JOINs | Done (2026-03-31)
F-02 | High | ListByBuildingID / ListByTenantID unbounded | Done — LIMIT 1000 (2026-03-31)
F-03 | High | BulkCalculate scorecard fully sequential | Deferred — needs pool saturation data
F-04 | High | Import does 4 DB calls per row | Deferred — needs import speed measurement

10 of 15 performance findings already resolved (see docs/backend-performance-audit-2026-03-31.md §4). F-03, F-04, F-08, F-09, F-12 deferred pending production metrics.


4. Documentation Cleanup

4a. Stale / inaccurate content

File | Issue
---- | -----
docs/backend/go-backend-api-migration.md | Done — corrected building distance note, added contacts handler mention, updated review date to April 2.
docs/frontend/implementation-checklist.md | Done — checked off all completed backend dependency items (CORS, auth, role claims, list params, owner_ids, field validation, request_id, admin auth, observability). Updated date.
docs/frontend/api-integration.md | Done — replaced "Open Questions" with "Resolved Questions" section documenting OpenAPI strategy, token conventions, and error taxonomy. Updated backend action items to checked-off status. Updated date.
docs/frontend/maps-architecture.md | Done — added TIM-building-interest workflow section with cross-ref to tim-building-interest-workflow.md. Updated component list to reflect actual implementation. Updated date.
docs/backend/database-reference.md | Done — updated "Last reviewed" to April 2, 2026.
docs/backend/security-audit-2026-02-07.md | Done — marked as historical, notes superseded by docs/security/security-audit-2026-04-01.md.

4b. Planned/TBD items needing closure

File | Item
---- | ----
docs/security/secrets-management.md | Done — preview and dev environments changed from "Planned" to "Deferred" with clear rationale. Ops secrets folder note updated to "deferred — migrate when monitoring stack is productionised".
docs/security/vulnerability-management.md | Done — pen test row updated with owner (Backend Lead) and trigger condition ("deferred until SOC 2 prep or first enterprise customer requires it").

4c. Overlapping docs to consolidate

Overlap | Recommendation
------- | --------------
docs/frontend-pages.md vs docs/frontend/menu-tree-page-map.md vs docs/frontend/navigation-ia.md | Done — menu-tree-page-map.md and navigation-ia.md marked as historical context. frontend-pages.md confirmed canonical. Frontend README updated.
docs/frontend/page-backend-wiring-checklist.md vs docs/frontend/backend-api-work-items.md | Done — backend-api-work-items.md updated with companion note pointing to wiring checklist for current integration status.
docs/frontend/rebuild-plan.md vs docs/frontend/implementation-checklist.md | Done — rebuild-plan.md marked as historical. Frontend README updated.
docs/backend/go-backend.md vs docs/backend/README.md | Done — README.md now labels go-backend.md as the canonical entry point.

4d. Formatting inconsistencies

Issue | Where
----- | -----
Date format inconsistency | Done — all 8 docs using YYYY-MM-DD normalized to "Month DD, YYYY" convention (security/*, audit/*, ops/production-runbook).
docs/README.md timestamp mismatch | Done — both "Last Edited" and "Last reviewed" updated to April 2, 2026.

5. Security & Compliance

Priority | Item | Source
-------- | ---- | ------
High | Dev DB uses postgres superuser — create least-privilege role | CRIT-2 — Fixed. See details below.
High | 4 high-severity findings from April 1 audit | All 4 resolved — HIGH-1 removed, HIGH-2 validated, HIGH-3 logged, HIGH-4 rotated (2026-04-02)
Medium | Migrate remaining ops secrets to Infisical | docs/security/secrets-management.md
Medium | Schedule external pen test | docs/security/vulnerability-management.md
Low | SOC 2 Type I blockers: backup/DR testing, access review process, evidence collection | docs/audit/soc2-readiness-assessment-2026-03-26.md
CRIT-2 fix: prism_app RLS enforcement (April 2, 2026)

Problem: Production connects as postgres superuser, bypassing all 72 RLS policies. The prism_app role existed but had no grants and no authenticated role membership — RLS was effectively decoration.

What was done:

  1. Migration 000020_grant_prism_app_role.up.sql — grants authenticated to prism_app (idempotent). Down migration revokes the grant.
  2. cmd/api/main.go — PrepareConn / AfterRelease hooks — every DB connection now has request.jwt.claims set from the request's AuthContext (populated by auth middleware). This makes auth.jwt(), and therefore can_org_read() / can_org_write(), work at the Postgres level, enforcing RLS as defense-in-depth alongside Go-layer organization_id filtering.
  3. Test infrastructure validates RLS end-to-end: repo tests run as prism_app with claims set, while seed/cleanup uses a superuser pool.

Production deployment (completed April 2, 2026):

  • Run on prod Supabase: GRANT authenticated TO prism_app;
  • Deploy Go backend with PrepareConn hooks
  • Update Render DATABASE_URL to connect as prism_app instead of postgres
  • Verify RLS enforcement in prod — pg_stat_activity confirms all app connections are prism_app via Supavisor, zero postgres connections from the app
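The claims-on-connection mechanism above, as an added example written for this page (not the project's cmd/api/main.go): a PrepareConn-shaped hook that marshals the request's AuthContext into request.jwt.claims via set_config, and an AfterRelease-shaped hook that RESETs it so a pooled session never carries one user's identity into the next request. The AuthContext field names and the claim keys are assumptions; the pgx connection is modelled by a one-method interface and a fake session so the logic runs without a database (the real pgxpool hooks receive a *pgx.Conn with the same Exec shape).

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthContext stands in for what the auth middleware stores on the request context (field names assumed).
type AuthContext struct {
	UserID string
	Role   string // reported by auth.jwt()->>'role', e.g. "authenticated"
	OrgIDs []string
}

type authKey struct{}

func WithAuth(ctx context.Context, a *AuthContext) context.Context {
	return context.WithValue(ctx, authKey{}, a)
}

// execer is the one method of *pgx.Conn the hooks need; a fake implements it below.
type execer interface {
	Exec(ctx context.Context, sql string, args ...any) error
}

const (
	setClaimsSQL   = "SELECT set_config('request.jwt.claims', $1, false)"
	resetClaimsSQL = "RESET request.jwt.claims"
)

// ClaimsJSON builds the document auth.jwt() returns (it reads current_setting('request.jwt.claims')).
func ClaimsJSON(a *AuthContext) (string, error) {
	b, err := json.Marshal(map[string]any{
		"sub":     a.UserID,
		"role":    a.Role,
		"org_ids": a.OrgIDs,
	})
	return string(b), err
}

// PrepareConn has the shape of pgxpool.Config.PrepareConn. It fails closed: a request
// without AuthContext gets no connection, so it can never run under leftover claims.
func PrepareConn(ctx context.Context, c execer) (bool, error) {
	a, ok := ctx.Value(authKey{}).(*AuthContext)
	if !ok || a == nil {
		return false, errors.New("request has no AuthContext; refusing connection")
	}
	claims, err := ClaimsJSON(a)
	if err != nil {
		return false, err
	}
	// is_local=false: session-scoped so it survives every statement of the request; hence the RESET on release.
	if err := c.Exec(ctx, setClaimsSQL, claims); err != nil {
		return false, err
	}
	return true, nil
}

// AfterRelease has the shape of pgxpool.Config.AfterRelease; false tells the pool to destroy the connection.
func AfterRelease(c execer) bool {
	return c.Exec(context.Background(), resetClaimsSQL) == nil
}

// fakeConn models the custom settings a Postgres session would hold (constructed stand-in, not pgx).
type fakeConn struct{ Settings map[string]string }

func (f *fakeConn) Exec(_ context.Context, sql string, args ...any) error {
	switch sql {
	case setClaimsSQL:
		f.Settings["request.jwt.claims"] = args[0].(string)
	case resetClaimsSQL:
		delete(f.Settings, "request.jwt.claims")
	default:
		return fmt.Errorf("unexpected statement: %q", sql)
	}
	return nil
}

// ServeRequest walks one request through acquire -> work -> release and returns the claims the DB saw.
func ServeRequest(ctx context.Context, c *fakeConn) (string, error) {
	if ok, err := PrepareConn(ctx, c); err != nil || !ok {
		return "", err
	}
	seen := c.Settings["request.jwt.claims"]
	if !AfterRelease(c) {
		return seen, errors.New("reset failed; pool must discard this connection")
	}
	return seen, nil
}

func main() {
	conn := &fakeConn{Settings: map[string]string{}}
	ctx := WithAuth(context.Background(), &AuthContext{UserID: "user-1", Role: "authenticated", OrgIDs: []string{"org-a"}})
	seen, err := ServeRequest(ctx, conn)
	fmt.Println(seen, err, conn.Settings) // claims visible only during the request; map empty afterwards
}
```

The two points worth checking in any real implementation of this pattern: the setting is session-scoped (is_local=false), so the release hook must clear it or the pool can hand one user's claims to the next request; and an unauthenticated request must be refused rather than silently run with whatever claims a previous user left on the session. RESET on a custom variable leaves current_setting('request.jwt.claims', true) empty, which auth.jwt()'s nullif turns into NULL, so the can_org_* helpers see no identity.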

6. Infrastructure & Observability

Priority | Item | Notes
-------- | ---- | -----
Medium | Production monitoring stack | Done — Grafana Cloud free tier. Alloy agent on Render scrapes backend /metrics, remote-writes to Grafana Cloud Prometheus. Existing prism-api-overview dashboard imported.
Medium | Production alerting beyond Sentry | Done — 10 alert rules in Grafana Cloud Alerting (API down, 5xx rate, p95 latency, async queue depth/drops/panics/latency). Slack contact point configured.
Low | Infisical preview environment | Planned but not set up — needed for QA branch builds

Quick Reference: What's Done

For context on what does NOT need work:

  • All 28 frontend routes — fully implemented, no stubs
  • All 28 backend handlers — wired, tested, documented in Swagger
  • Auth (Clerk JWT + API keys), CORS, rate limiting, RLS (72 policies)
  • Field-level validation errors (backend FieldErrors + frontend ApiRequestError)
  • request_id on all error responses
  • Pagination normalization across all list endpoints
  • CI/CD (GitHub Actions for both frontend and backend)
  • Marketing site (complete, deployed to Cloudflare Pages)
  • Database schema (66+ tables, 20 migrations, PostGIS)
  • Swagger docs (auto-generated, drift-checked in CI)
  • Repo integration tests — all 35 postgres repos covered (testcontainers-go, dual-pool, RLS-enforced)
  • Frontend tests — 118 tests across 36 files, all passing (analytics, dashboard, data mgmt, admin, lookups, schemas, shared utils)
  • RLS defense-in-depth — Go backend sets JWT claims via pgxpool PrepareConn hooks; prism_app role granted authenticated
  • Production monitoring — Grafana Cloud (Alloy → Prometheus remote write), 10 alert rules, Slack notifications
  • Documentation cleanup — all stale frontend/backend docs updated, overlapping docs consolidated with historical markers, dates refreshed

7. Developer Documentation Site

Priority | Item | Notes
-------- | ---- | -----
Low | Scaffold docs site | Fumadocs, Nextra, or Starlight (Astro) — renders existing docs/ markdown with zero rewriting
Low | Embed Swagger UI | API reference from existing swagger.json
Low | Add changelog page | Pull from git tags or a CHANGELOG.md
Low | Deploy to Cloudflare Pages | Alongside marketing site — infra already exists
Low | Add decision log / ADR section | Capture architectural decisions that aren't obvious from code