Week 1 Sprint: Discovery, Foundations & First Deliverables
20 Mar 2026 – 27 Mar 2026 · 6 Engineers + Delta Orchestration · Day 1 audits complete
Sprint Progress: 14%
6 of 42 tasks complete (Day 1 audits ✓)
🚨 P0 Alerts: Action Required
Live Bug: seo_monitor_settings table missing from DB schema
Signup and login flows reference this table and are throwing 500 errors in production right now. Needs immediate patch.
.env files are world-readable (chmod 644)
API keys and secrets readable by any process on the server. Fix: chmod 600 on all .env files. Awaiting Lonzo sign-off.
Clinic subdomains serving HTTP only: no TLS
Patient-facing *.dentalhelp.co.nz sites are unencrypted. NZ Privacy Act IPP 5 violation risk. Wildcard cert needed.
Stripe billing is dead: no checkout, no webhooks
SDK installed, keys configured, but zero API calls implemented. Billing page shows "coming soon." Clinics cannot pay.
No email system installed
No Resend, SendGrid, Postmark, or Nodemailer. Zero transactional email capability for a healthcare SaaS. Critical gap.
📊 Sprint KPIs
6 Day 1 Tasks Done (All audits complete ✓)
5 P0 Issues (Awaiting action)
8 High Issues (Day 2–5 targets)
20+ API Endpoints Live (Not greenfield)
0 Test Coverage (Starting Day 2)
6 Days Remaining (Ends 27 Mar 2026)
📅 7-Day Sprint Timeline

| Agent | Day 1 (Mar 20) | Day 2 (Mar 21) | Day 3 (Mar 22) | Day 4 (Mar 23) | Day 5 (Mar 24) | Day 6 (Mar 25) | Day 7 (Mar 26) |
|---|---|---|---|---|---|---|---|
| 🔧 Apex | Audit ✓ | Models + DB fix | JWT + CORS | CRUD verify | Rate limit + helmet | OpenAPI docs | QA handoff |
| 🎨 Blaze | Audit ✓ | Design tokens | Component lib | Login + Dashboard | Booking UI | Mobile pass | QA handoff |
| ⚙️ Nexus | Audit ✓ | Arch diagram + swap | Envs + wildcard SSL | CI/CD | Monitoring | Backup | Runbook |
| 🛡️ Shield | Scan ✓ | Auth deep-dive | PII/PHI map | Privacy Act gap | Audit log plan | Hardening report | Compliance v1 |
| 🔌 Flux | Audit ✓ | Integration roadmap | Pipeline design | Stripe checkout | Stripe webhooks | Email + SMS | Test report |
| 🧪 Orion | QA design ✓ | 10 test cases | Staging connect | API tests | UI tests | Integration tests | Bug report v1 |
👥 Agent Status: Day 1 Reports

🔧 Apex
Backend Engineer · API · Database · Auth
Day 1 ✓
7-Day Progress: 1) Done · 2) Models · 3) JWT fix · 4) CRUD · 5) Harden · 6) Docs · 7) Handoff
Deliverables:
Stack confirmed: Node 22 · Express · PostgreSQL · TypeScript (Done)
20+ API endpoints already live (not greenfield) (Done)
Core data models documented (Day 2)
OpenAPI docs published (Day 6)
Zero critical security gaps (Days 3–5)
Day 1 Key Findings:
P0: seo_monitor_settings table missing; signup/login 500 errors in prod
P0: JWT secret is weak and predictable (not cryptographically random)
HIGH: No rate limiting on /auth/login; brute force unmitigated
HIGH: CORS set to wildcard *; too open for healthcare data
GOOD: 25+ DB tables exist covering full PMS, SEO, LinkedIn, Voice
🎨 Blaze
Frontend Engineer · UI · Dashboard · Portal
Day 1 ✓
7-Day Progress: 1) Done · 2) Tokens · 3) Comps · 4) Screens · 5) Booking · 6) Mobile · 7) Handoff
Deliverables:
Stack confirmed: Next.js 16 · React 19 · TypeScript · Tailwind 4 (Done)
Login, signup, main dashboard screens already exist (Done)
Design token file consolidated (Day 2)
Patient portal screens (zero exist) (Day 4)
Appointment booking UI (Day 5)
Day 1 Key Findings:
GOOD: 15 dashboard screens exist, live API wiring already in place
P0: No patient portal screens at all; highest priority gap
HIGH: Auth tokens in localStorage, not httpOnly cookies (security risk)
HIGH: No shared component library; no Button, Card, Input primitives
INFO: No .env files present; needs NEXT_PUBLIC_API_URL to run locally
⚙️ Nexus
DevOps · AWS · CI/CD · Monitoring
Day 1 ✓
7-Day Progress: 1) Done · 2) Arch · 3) Envs+SSL · 4) CI/CD · 5) Monitor · 6) Backup · 7) Runbook
Deliverables:
Full stack mapped: EC2 · Nginx · PM2 · Docker · Postgres · Redis (Done)
Architecture diagram (Day 2)
Dev / staging / prod environments (Day 3)
CI/CD pipeline active (Day 4)
Monitoring + alerts live (Day 5)
Day 1 Key Findings:
P0: Clinic subdomains HTTP only; no TLS for patient-facing sites
HIGH: API restarted 14x, Dashboard 11x; silent crashes, no alerting
HIGH: No swap; OOM risk with 8 Node processes + Docker
HIGH: api/ and clinic-sites/ have no git; code only on this one server
NOTE: iptables blocking DB ports externally (despite bind config)
🛡️ Shield
Security · Compliance · NZ Privacy Act
Day 1 ✓
7-Day Progress: 1) Done · 2) Auth · 3) PII Map · 4) Privacy · 5) Audit log · 6) Harden · 7) Checklist
Deliverables:
Security surface scan complete (Done)
NZ Privacy Act gap analysis (Day 4)
0 critical unmitigated vulns (Days 2–6)
Audit logging plan signed off (Day 5)
Compliance checklist v1 (Day 7)
Day 1 Key Findings:
CRIT: Zero MFA; single-factor auth for clinics and platform admin
CRIT: .env files world-readable (rw-rw-r--); must chmod 600 now
HIGH: CORS wildcard + credentials:true; allows cross-site credential abuse
HIGH: No Nginx security headers (HSTS, CSP, X-Frame-Options missing)
GOOD: bcrypt cost 12 ✓ · SQL injection protected ✓ · SSH locked to VPC ✓
🔌 Flux
Data & Integrations · Payments · Comms · Pipelines
Day 1 ✓
7-Day Progress: 1) Done · 2) Roadmap · 3) Pipeline · 4) Stripe (checkout) · 5) Stripe (webhooks) · 6) Email+SMS · 7) Report
Deliverables:
Integration audit complete; full landscape mapped (Done)
Claude, LinkedIn, Twilio Voice, ElevenLabs all live (Done)
Stripe checkout + webhooks live in staging (Days 4–5)
Email integration live (Resend recommended) (Day 6)
SMS appointment reminders firing (Day 6)
Day 1 Key Findings:
LIVE: Claude AI · LinkedIn OAuth · Twilio Voice · ElevenLabs, all working
P0: Stripe: SDK installed, keys set, but zero API calls. Billing is broken.
P0: Email: nothing installed at all. No transactional email capability.
HIGH: SMS reminders: Twilio account exists but reminder flow never fires
HIGH: No Stripe webhook handler; subscription status can never update
🧪 Orion
QA Engineer · Testing · Bug Triage · Regression
Day 1 ✓
7-Day Progress: 1) Done · 2) 10 Tests · 3) Staging · 4) API tests · 5) UI tests · 6) Int. tests · 7) Bug report
Deliverables:
QA process designed + tooling selected (Done)
Severity scale: P1–P4 defined (P1/P2 = release blockers) (Done)
≥10 test cases written and executed (Day 2)
Bug report with severity ratings (Day 7)
Regression suite running in CI (Day 7)
Day 1 Key Findings:
HIGH: Zero existing test coverage across entire codebase
TOOL: API: Jest + Supertest · UI/E2E: Playwright · CI: GitHub Actions
DEP: Needs staging URL from Nexus by Day 3
DEP: Needs Stripe test keys from Flux by Day 6
DEP: Needs GitHub Actions write access for CI setup
⚠️ Risk Register: Updated Day 1
| Risk | Owner | Severity | Mitigation | Status |
|---|---|---|---|---|
| seo_monitor_settings missing; live 500 errors on signup/login | Apex | P0 | Add migration to initDB() on Day 2 | ⚡ Active |
| .env files world-readable; secrets exposed | Shield | P0 | chmod 600; awaiting Lonzo approval | ⏳ Pending |
| Clinic subdomains HTTP only; NZ Privacy Act risk | Nexus + Shield | P0 | Wildcard SSL cert, Day 3 | ⚡ Active |
| No email system; zero transactional email capability | Flux | P0 | Install Resend, Day 6 | ⚡ Active |
| Stripe billing non-functional; clinics cannot pay | Flux | P0 | Build checkout + webhooks, Days 4–5 | ⚡ Active |
| JWT secret weak + no rate limiting on auth | Apex + Shield | High | Rotate secret + add express-rate-limit, Days 3–5 | Planned |
| Auth tokens in localStorage (not httpOnly cookies) | Blaze + Shield | High | Migrate to httpOnly cookies, Days 2–3 | Planned |
| No git on api/ and clinic-sites/; single point of failure | Nexus | High | Init git repos + push to remote, Day 2 | Planned |
| API crashing 14x, no alerting or visibility | Nexus | High | Root cause + monitoring setup, Days 2–5 | Planned |
| No patient portal; core product gap | Blaze | Medium | Build Days 4–6 | Queued |
🎯 Week 1 Definition of Done
🔧 Backend
DB bug patched · JWT hardened · Rate limiting on auth · CORS locked · OpenAPI docs live
🎨 Frontend
Design tokens extracted · Component lib scaffolded · Patient portal + booking UI built · Mobile-ready
⚙️ Infra
Wildcard SSL · Swap added · Git on all repos · CI/CD running · Monitoring active · Backups verified
🛡️ Security
.env secured · MFA plan · Nginx headers · Privacy Act gap analysis · Compliance checklist v1
🔌 Integrations
Stripe checkout + webhooks live · Email via Resend · SMS reminders firing · Integration roadmap published
🧪 QA
≥10 test cases run · Bug report v1 with severity ratings · Regression suite in CI · Staging connected