# ARV - Task Backlog
Last Updated: 2026-01-10
Status: Production system with enhancement backlog

**See FEATURE_STATUS.md for comprehensive feature completion tracking**

## ✅ Recently Completed (Jan 10, 2026)
- ✅ **Accounts Management System** - Full Salesforce-style account management
  - Account list, detail, create, edit, delete pages
  - Account hierarchy support (parent_account_id)
  - Lead-to-account relationships with department tracking
  - Account import/export functionality
  - Navigation updated across all pages
  - Database migration completed

## ⏳ Pending Tasks (From Recent Work)

### Email-to-Case System
- [ ] **Configure MXRoute email forwarding** - Set up `crm@arvelobuilt.com` to pipe to `/php/email-to-case/receive.php`
- [ ] **Test email-to-case flow** - Send test email with BCC, verify activity appears on lead timeline
- [ ] **Add UI to lead detail page** - Display "BCC this email to append: crm@arvelobuilt.com" with copy button
- [ ] **Test with multiple tenants** - Verify tenant isolation works correctly
- [ ] **Handle edge cases** - Test with no lead match, multiple leads with same email
- [ ] **Monitor error logs** - Check `/var/log/arvelobuilt/email_to_case_errors.log` for issues

### Email Tracking Testing
- [ ] **Test email tracking end-to-end** - Send email, open in Gmail, verify green dot appears
- [ ] **Verify tracking pixel loads** - Check server logs for tracking requests
- [ ] **Test with multiple email clients** - Gmail, Outlook, Apple Mail
- [ ] **Verify activity timeline indicators** - Each email shows individual read status

### Trial & Billing Configuration
- [ ] **Configure Stripe API key** - Add to AWS Secrets Manager or environment variables
- [ ] **Configure SMTP settings** - Set up email account in admin panel for trial notifications
- [ ] **Verify cron jobs** - Check auto-billing.php and trial-reminders.php are scheduled
- [ ] **Test complete trial flow** - Signup → Trial → Payment → Active subscription
- [ ] **Test payment failure scenarios** - Verify downgrade to FREE plan works
- [ ] **Monitor email logs** - Check trial-reminders.log and auto-billing.log

### Email System Discussion
- [ ] **DISCUSSION: Default ArveloBuilt email process** - Should we provide built-in email sending from CRM without requiring customers to configure their own SMTP, or should we require customers to use their own email service? Consider:
  - MXRoute integration
  - Email deliverability
  - Spam prevention
  - User experience
  - Cost implications

## 🔴 Critical (Security & Reliability)

### 1. Enable 2FA for Admin Accounts
- **Priority:** CRITICAL
- **Effort:** 4 hours
- **Status:** Framework exists (TwoFactorAuth.php), needs enforcement
- **Blocker:** None
- **Details:**
  - Enforce 2FA for SUPER_ADMIN and TENANT_ADMIN roles
  - QR code generation for Google Authenticator
  - Backup codes for account recovery
  - Grace period for existing users (7 days)

### 2. Configure CloudWatch Monitoring & Alerts
- **Priority:** CRITICAL
- **Effort:** 6 hours
- **Status:** Not started
- **Blocker:** None
- **Details:**
  - Set up CloudWatch log groups for Apache, PHP, and application logs
  - Create alarms for:
    - High error rate (>10 errors/5min)
    - Failed login attempts (>20/minute)
    - Database connection failures (>5/5min)
    - High CPU/memory usage (>80% for 10min)
  - Configure SNS topic for alert notifications
  - Test alert delivery

### 3. Test Backup/Restore Procedures
- **Priority:** CRITICAL
- **Effort:** 3 hours
- **Status:** Backups running, never tested
- **Blocker:** None
- **Details:**
  - Document RDS backup locations
  - Perform test restore to separate instance
  - Document restore time (RPO/RTO)
  - Create runbook for emergency restore
  - Test manual snapshot creation
  - Verify 7-day retention working

## 🟡 High Priority (Production Enhancements)

### 4. Activate Rate Limiting
- **Priority:** HIGH
- **Effort:** 3 hours
- **Status:** RateLimiter.php exists but not active
- **Blocker:** None
- **Details:**
  - Implement on all API endpoints
  - Configure Redis for distributed rate limiting (optional)
  - Set limits:
    - Login: 5 attempts / 15 minutes
    - API: 100 requests / 15 minutes per user
    - Lead creation: 50 / hour per user
  - Add rate limit headers (X-RateLimit-*)
  - Test with load testing tool

### 5. Configure & Test AWS SES
- **Priority:** HIGH
- **Effort:** 4 hours
- **Status:** Integration ready, not configured
- **Blocker:** Domain verification needed
- **Details:**
  - Verify domain in AWS SES
  - Configure DKIM and SPF records
  - Test email sending from application
  - Configure bounce and complaint handling
  - Set up email sending dashboard
  - Document email templates usage

### 6. Password Breach Checking (HIBP API)
- **Priority:** HIGH
- **Effort:** 2 hours
- **Status:** Not implemented
- **Blocker:** None
- **Details:**
  - Integrate Have I Been Pwned API
  - Check passwords on registration and change
  - Hash passwords and query by hash prefix (k-anonymity model), so the full password or hash is never sent
  - Warn users if password found in breach database
  - Log attempts to use a breached password to the audit log

### 7. API Rate Limiting Per Tenant
- **Priority:** HIGH
- **Effort:** 3 hours
- **Status:** Not implemented
- **Blocker:** None
- **Details:**
  - Implement tenant-level rate limits
  - Track usage per tenant in database
  - Add tenant quota management
  - Create admin interface to adjust limits
  - Alert when tenant approaches limit

## 🟢 Medium Priority (Feature Enhancements)

### 8. Advanced Reporting Features
- **Priority:** MEDIUM
- **Effort:** 8 hours
- **Status:** Basic reports exist
- **Blocker:** None
- **Details:**
  - Lead source performance reports
  - Sales rep performance metrics
  - Pipeline velocity reports
  - Conversion funnel analysis
  - Export to PDF/Excel
  - Schedule automated reports

### 9. Document Management System
- **Priority:** MEDIUM
- **Effort:** 10 hours
- **Status:** Not implemented
- **Blocker:** Security review needed
- **Details:**
  - File upload to S3
  - Virus scanning integration
  - File type validation (whitelist)
  - Thumbnail generation for images
  - Version control for documents
  - Attach files to leads/opportunities
  - Access control by tenant

### 10. Email Campaign Management
- **Priority:** MEDIUM
- **Effort:** 12 hours
- **Status:** Templates exist, no campaigns
- **Blocker:** AWS SES must be configured first
- **Details:**
  - Bulk email sending
  - Campaign scheduling
  - Open/click tracking
  - Unsubscribe management
  - A/B testing for subject lines
  - Campaign analytics

### 11. Calendar Integration
- **Priority:** MEDIUM
- **Effort:** 8 hours
- **Status:** Not implemented
- **Blocker:** None
- **Details:**
  - Activity calendar view
  - Meeting scheduling
  - Reminders for follow-ups
  - Google Calendar sync (optional)
  - Team calendar visibility
  - Conflict detection

### 12. API Documentation
- **Priority:** MEDIUM
- **Effort:** 4 hours
- **Status:** APIs exist but not documented
- **Blocker:** None
- **Details:**
  - Generate OpenAPI/Swagger docs
  - Document all endpoints
  - Add example requests/responses
  - Authentication flow documentation
  - Error code reference
  - Postman collection

## 🟦 Low Priority (Future Enhancements)

### 13. AWS WAF Configuration
- **Priority:** LOW
- **Effort:** 4 hours
- **Status:** Not configured
- **Details:**
  - Configure WAF rules
  - SQL injection protection
  - XSS protection
  - Rate limiting at WAF level
  - Geo-blocking (optional)

### 14. GuardDuty Threat Detection
- **Priority:** LOW
- **Effort:** 2 hours
- **Status:** Not enabled
- **Details:**
  - Enable GuardDuty
  - Configure SNS alerts
  - Review findings regularly
  - Document response procedures

### 15. Multi-language Support (i18n)
- **Priority:** LOW
- **Effort:** 20 hours
- **Status:** English only
- **Details:**
  - Implement translation framework
  - Spanish translation
  - French translation (optional)
  - Date/time localization
  - Currency formatting

### 16. Dark Mode UI
- **Priority:** LOW
- **Effort:** 6 hours
- **Status:** Light mode only
- **Details:**
  - Design dark theme
  - User preference storage
  - CSS variables for theming
  - Toggle switch in header
  - Persist preference

### 17. Bulk Import/Export ✅ COMPLETED (Jan 10, 2026)
- ✅ **Status:** Fully implemented for Leads, Contacts, Opportunities, Accounts, Calendar Events, Notes
- ✅ **Features:** CSV import/export, field mapping, duplicate detection, validation, progress tracking
- ✅ **Location:** Admin → Import/Export → Open Import/Export Tool
- ✅ **Entity Types Supported:** Leads, Contacts, Opportunities, Accounts, Calendar Events, Notes

### 18. Mobile Native App
- **Priority:** LOW
- **Effort:** 100+ hours
- **Status:** Web only (responsive)
- **Details:**
  - React Native or Flutter
  - iOS app
  - Android app
  - Push notifications
  - Offline mode
  - App store deployment

## 📋 Maintenance Tasks

### Regular Maintenance (Ongoing)
- [ ] Weekly dependency updates (`composer update`)
- [ ] Weekly security patch review
- [ ] Monthly user account audit (disable inactive)
- [ ] Monthly database performance review
- [ ] Quarterly disaster recovery test
- [ ] Quarterly penetration testing
- [ ] Quarterly password rotation for admin accounts

## ✅ Recently Completed (December 28, 2025)

### Features Page Redesign (Dec 28, 2025)
- ✅ Created comprehensive features page with all CRM capabilities
- ✅ Redesigned from cards to expandable categorized list format
- ✅ Compact Parsley section with larger image and professional layout
- ✅ Added BrokerBusinessListings.com link to format list
- ✅ Updated badge styling (muted gray) to emphasize CTA button
- ✅ Fixed all "Start Free Trial" button links to point to signup page
- ✅ Reduced footprint and spacing for better UX

## ✅ Recently Completed (December 28, 2025 - Earlier)

### Email Tracking System (Dec 28, 2025)
- ✅ Database migration for email tracking columns (tracking_id, opened_at, opened_count, first_opened_at)
- ✅ EmailService tracking pixel injection (1x1 transparent PNG, Salesforce-style)
- ✅ Email tracking endpoint (`/api/email-track.php`) with activity logging
- ✅ Global email read status indicators (green/yellow dots in lead list and detail pages)
- ✅ Individual email read status indicators in activity timeline
- ✅ Improved email-to-activity matching query (30-second window, fallback lookup)
- ✅ Fixed EmailService deployment (updated old version at `/var/www/html/includes/classes/EmailService.php`)
- ✅ Enhanced tooltips with read/sent timestamps

### Trial Tracking & Billing (Dec 27-28, 2025)
- ✅ Database migration for trial tracking columns
- ✅ StripeService integration for trial field management
- ✅ Admin portal trial status displays
- ✅ Auto-billing script for expired trials
- ✅ Trial reminder cron job (3-day and 1-day notifications)
- ✅ Email templates for trial notifications and payment status
- ✅ TrialNotificationService for centralized email notifications

### API & Security Fixes (Dec 28, 2025)
- ✅ Fixed email-settings.php CSRF validation (GET requests don't require CSRF)
- ✅ Fixed SMTP account display in admin portal
- ✅ Added logging to email tracking endpoint

### AWS SES Decision (Dec 28, 2025)
- ✅ Security assessment completed (secure implementation)
- ✅ Decision: Keep AWS SES for future use, continue using MXRoute for production

## ✅ Recently Completed (December 27, 2025)

### Priority 1 Admin Features (Dec 27, 2025)
- ✅ Activity/Audit Logs tab - View, search, filter, export all system activity logs
- ✅ System Settings tab - SMTP email configuration (extracted from old admin-email-settings.php)
- ✅ Data Export/Import tab - Export leads/opportunities/activities to CSV, import from CSV
- ✅ User management enhancements - Edit, Suspend/Activate, Archive, Delete with consistent UI
- ✅ Lead sources enhancements - View leads, reassign, merge duplicates
- ✅ API endpoints created - audit-logs.php, email-settings.php, data-export.php, data-import.php, users.php

## ✅ Recently Completed (December 25-26, 2025)

### Marketing Website (Dec 25-26, 2025)
- ✅ Created 15+ marketing pages (terms, privacy, security, compliance, signup, about, careers, FAQ, press, partners, api-docs, blog, migration, sla, docs, support)
- ✅ SEO optimization (meta tags, Open Graph, Twitter Cards, Schema.org structured data)
- ✅ Created robots.txt and sitemap.xml
- ✅ Social media icons added (Facebook, X, LinkedIn, Instagram, YouTube, TikTok)
- ✅ Apache configuration for clean URLs

### Pricing Updates (Dec 26, 2025)
- ✅ Added Free tier ($0/user/month, 1 user, 10 leads, 10 contacts)
- ✅ Reduced Starter pricing ($49/month from $79)
- ✅ Reduced Professional pricing ($99/month from $150)
- ✅ Added annual/monthly pricing toggle with 17% discount
- ✅ Professional 7-day free trial with credit card requirement
- ✅ Updated features section with all tiers
- ✅ Updated comparison table with new pricing

### Core Features (Dec 25, 2025)
- ✅ Fixed Parsley email parser for BusinessForSale format ("Name:", "Email:", "Tel:")
- ✅ Reprocessed and corrected 5 incorrectly parsed leads
- ✅ Added lead deletion functionality (soft delete)
- ✅ Fixed Parsley view page styling and header
- ✅ Added link from lead detail to original email
- ✅ Rebuilt 2FA system with proper TOTP implementation
- ✅ Enhanced email source detection (BusinessesForSale.com support)
- ✅ Added generic email parser for unknown sources

See COMPLETED.md for full history

---

## 🎯 Feature Roadmap (Based on CRM Requirements)

### Phase 1: Complete Basic CRM Core (Q1 2026)

**Contact/Account Management:**
- [ ] Custom fields per tenant
- [ ] Duplicate detection and merge functionality
- ✅ Account hierarchy (parent_account_id field implemented, UI enhancements possible)
- ✅ Account management system (list, detail, create, edit, delete) - Completed Jan 10, 2026
- ✅ Lead-to-account relationships with department tracking - Completed Jan 10, 2026
- [ ] Contact-to-account roles (decision maker, influencer, etc.)
- ✅ Bulk import/export with field mapping (Leads, Contacts, Opportunities, Accounts, Calendar Events, Notes)

**Lead Management:**
- [ ] Lead scoring/grading algorithm
- [ ] Automated assignment rules (round-robin, territory-based)
- [ ] Lead capture API endpoints
- [ ] Web form builder for lead capture
- [ ] Bulk import/export

**Opportunity Pipeline:**
- [ ] Probability percentages in UI
- [ ] Weighted pipeline calculations
- [ ] Close date forecasting algorithms
- [ ] Product catalog and line items
- [ ] Win/loss reason tracking and analysis

**Tasks & Calendar:**
- [ ] Calendar view (monthly, weekly, daily)
- [ ] Google Calendar integration
- [ ] Outlook Calendar integration
- [ ] Task reminders and notifications
- [ ] Recurring tasks

**Reporting & Dashboards:**
- [ ] Custom report builder (drag-and-drop)
- [ ] Advanced filtering and grouping
- [ ] Matrix reports
- [ ] Cross-object reporting
- [ ] Export to CSV/Excel
- [ ] Scheduled reports via email
- [ ] Funnel analysis charts

### Phase 2: Automation & Customization (Q2 2026)
- [ ] Workflow rules (if/then field updates)
- [ ] Email automation sequences
- [ ] Custom objects with relationships
- [ ] Page layouts per record type
- [ ] Validation rules
- [ ] Formula fields (calculated values)
- [ ] Picklist dependencies

### Phase 3: Advanced Features (Q3 2026)
- [ ] REST/SOAP API with rate limits
- [ ] OAuth 2.0 authentication
- [ ] Zapier/Make.com connectors
- [ ] Native integrations (Mailchimp, QuickBooks, Slack)
- [ ] Mobile apps (iOS/Android)
- [ ] Advanced reporting (matrix, funnel, territory)

---

**Next Sprint Focus:** Complete Basic CRM Core features
**Estimated Sprint Duration:** 4 weeks
**Total Critical and High Priority Tasks:** 7 tasks, ~25 hours estimated
