Sprinter Docs

Feature Backlog

All planned work for the Sprinter Platform, organized by priority and category.

This is the single source of truth for all planned work on the Sprinter Platform. Before starting new work, agents and developers should check this backlog for priority items and existing specs.

Items flow from this backlog into scoped specs when they are ready for implementation. See the spec-first workflow for how features move from idea to code.

Total open items: ~65 across all sources. P0: 10, P1: 20, P2: 27, P3: 18.

Last audited: 2026-03-30. See documents/QA-REPORT-2026-03-30.md for browser QA report.

2026-05-01 — PR #1100 punted items

  • Embed-form auth redirect (P2): /embed/v/... form confirmation redirects to the wrong branch preview because Supabase SITE_URL is fixed per environment. The form-flow date fix (form-flow-summary.tsx) was verified by code inspection only. Verify on production after merge — no code change needed.

2026-05-01 — Chat

Chat panel sidebar lifecycle tests (pending orphan-chat fix)

Status: Deferred — waiting on Phase 1c UX agent fix.

features/chat/components/chat-panel.tsx needs component tests covering the sidebar session lifecycle: specifically the eager-session-creation bug that caused duplicate chat entries in the sidebar. The regression was in the persistence layer (orphan chats created before the user sends a message), and the UX agent (Phase 1c) is fixing that behavior. Adding component tests before the fix lands would mean testing the broken behavior and then having to rewrite them immediately.

Action: Once the orphan-chat fix lands in dev, add component tests for chat-panel.tsx that verify:

  • A new chat entry does NOT appear in the sidebar until the first message is sent
  • Switching agents on an unsent chat does not create a duplicate sidebar entry
  • The sidebar list reconciles correctly after the first message persists the chat

Files: features/chat/components/chat-panel.tsx, features/chat/persistence.ts

2026-04-17 — Unified tool platform follow-ups (PR #755)

PR #755 (feat: unified tool platform foundation) shipped Phases 1–8 of the unified tool platform. The full follow-up list lives in the spec at docs/superpowers/specs/2026-04-16-unified-tool-platform.md under "Follow-ups & deferred work" — IDs FU-1 through FU-13. Highlights:

  • FU-1 to FU-3 — pre-merge: verify build + visual on Vercel preview; unskip the Playwright e2e once a runner is wired up
  • FU-8 — wire chat route + agent runner into getUserFacingToolSetWithTenant / resolveAgentToolsWithTenant so tenant_custom tools become callable from chat (otherwise authoring a tool doesn't actually surface it to agents)
  • FU-9 — reconcile content/docs/features/tool-system.mdx (legacy 667 lines preserved below the new section)
  • FU-4 / FU-5[slug]/test and [slug]/versions API routes (currently runToolPreview server action covers preview)
  • Phase Roadmap — MCP caching, webhook execution, extension UI, AI sandbox, defer_loading, FieldDefinition adoption in entity_types/criteria_sets, Fields-as-table — each is a separate spec when prioritized

2026-03-30 Production QA Audit

Browser QA testing of app.sprinter.ai plus code-based design system audit. Key findings and fixes:

Fixed in this audit

IDDescriptionFix
QA-1Custom tools tenant scoping -- IMS + OCI tools showing on all tenantsAdded tenantSlugs field to ToolDefinition, filtering in getAvailableToolMeta(), getAvailableTool(), and getUserFacingToolSet()
QA-2Audit log 403 for admins -- requirePermission("audit_logs.team.read") failing due to stale user_permissions tableSwitched to requireAdmin() which checks role directly (item 2.11)
QA-3Tenant logo proxy 502 -- Upstream fetch failures returning hard 502 on every page loadAdded timeout + graceful 204 fallback instead of error response
QA-4Hardcoded Tailwind colors -- text-emerald-600, text-amber-600, text-blue-600 in schema-check componentsReplaced with text-status-success, text-status-warning, text-primary

Remaining P2 findings (not blocking)

FindingDescriptionSeverity
Quick Wins emptyDashboard + Insights "Quick Wins" panel shows empty with no explanationP2
Tab truncation mobileView switcher tabs clipped on 375px viewport (Opportunity list, Admin)P2
Inbox overflowLong conversation preview text overflows card boundaryP2
Chat prompt overflowSuggested prompt buttons clipped on mobile viewportP2
Components >200 lines15+ components exceed 200-line limit (chart-block-renderers 608, schema-config-fields 442, etc.)P2

2026-03-30 Audit Refresh

This refresh uses current origin/dev (5cd134a6) plus the dedicated cleanup worktree branch tech-debt-pass-5, and it focuses on the places where recent exploratory work still leaves unnecessary bug surface.

What changed in the audit

  • The March 27 pass successfully reduced tool-layer drift, but current dev still has route/service gaps where writes bypass shared enforcement.
  • Recent churn is now concentrated in record detail, views/blocks, chat APIs, import/ingestion flows, and oversized admin/entity modules.
  • The highest-value cleanup for this pass is to tighten route auth, collapse direct write paths onto shared entity services, and remove hidden ownership assumptions from chat APIs.

Current priority queue after the audit

IDPriorityStatusDescriptionWhy it matters
TD5-1P0COMPLETEDCSV import route bypasses explicit auth/permission checksPOST /api/entities/import now fails closed through route-level RBAC before any write path runs
TD5-2P1COMPLETEDCSV import bypasses shared entity services and tenant entity-type resolutionImport now reuses keyed entity creation, preserving shared side effects and tenant-scoped resolution
TD5-3P1COMPLETEDChat REST endpoints rely on downstream auth/ownership instead of explicit route/service checksChat routes now require auth explicitly and reuse shared owned-chat verification helpers
TD5-4P2COMPLETEDInbound email routing still depends on an O(n) membership scan as a self-heal fallbackSigned addresses now resolve directly; legacy hash-only addresses use lookup rows or one-shot backfill
TD5-5P2IN PROGRESSOversized, high-churn modules remain concentrated in views/entities/responses/admin toolingInbox conversation shaping is now extracted, but broader views/entities/responses/admin decomposition remains

2026-03-27 Audit Refresh

This audit used current origin/dev (220de12a) plus a dedicated cleanup worktree (tech-debt-pass-4) to re-rank platform debt against the North Star and recent churn.

What changed in the audit

  • Recent churn is concentrated in features/entities, features/blocks, features/views, app/api, features/tools, and features/agents.
  • Several historical auth items in this file are already fixed on current dev and should no longer drive priority by themselves: 1.4, 1.5, 1.7, 1.12, and 1.13.
  • The most immediate active risk found on current dev was tool-layer tenant scoping drift in admin-client record access. That was fixed in tech-debt-pass-4 along with shared-service consolidation for entity tools.

Current priority queue after the audit

IDPriorityStatusDescriptionWhy it matters
TD4-1P0COMPLETED (2026-03-27)Tool-layer tenant scoping gaps -- entity, response, and tool-run reads/writes were not consistently tenant-scoped when using admin clientsHigh-risk cross-tenant bug surface in agent-facing tooling
TD4-2P1COMPLETED (2026-03-27)Entity tool CRUD drift -- entity tools duplicated mutation logic instead of reusing shared keyed entity servicesDuplicate write paths had already drifted from platform rules
TD4-3P1PARTIALRecord detail north-star drift -- record detail still mixes schema-first detail UX with exploratory workspace-view customizationThe client no longer recomputes custom-detail view selection; server selection and block resolution now flow through one unified state object, but the optional workspace editor/custom-view surface still exists by product choice
TD4-4P1PARTIALLegacy extraction surface area -- deprecated extraction routes/types/actions remain live beside workflow + responsesWorkflow routes now have API-key parity and the deprecated extraction trigger/history/rerun wrappers are gone, but extraction audit/result compatibility endpoints and legacy extraction tables still exist
TD4-5P1PARTIALView/block compatibility layers -- deprecated resolvers and migration shims still carry a large part of the presentation stackLegacy field-card/stat-card config is canonicalized on parse/write, entity-single resolution is fully collapsed into resolveView(), the old resolve.ts helper is now an internal resolveServerBlocks() path, and list pages no longer mutate the DB to materialize legacy dashboards; the remaining debt is mostly historical schema/config compatibility code and old docs/plans
TD4-6P2PARTIALVerification baseline drift -- local typecheck relied on generated .source/ output and had a localized graph hook test typing regressionMakes cleanup work harder to verify; graph test fixed in this pass

P0 -- Blocking / Security

These items block production readiness or represent security vulnerabilities. They should be addressed before any P1+ feature work.

Security and Auth Hardening

IDDescriptionStatusSource
1.1Fix build: auth.ts "use server" exports class -- AuthenticationError/AuthorizationError class exports violate Next.js "use server" constraint, breaking build with 40+ errorsFIXED (uses plain Error objects now)Codebase review
1.2Harden agent/tool authorization -- Code-defined agents, delegation, workflow, heartbeat can execute tools without permission filtersFIXED (audit 2026-03-30)TECH_DEBT TD-001
1.3Lock down tenant member mutation routes -- POST/PATCH/DELETE on members without requireAdmin()FIXED (audit 2026-03-30)TECH_DEBT TD-002
1.4Lock down webhook CRUD and redact secrets -- No auth gate, secrets returned in responsesFIXED (audit 2026-03-30)TECH_DEBT TD-003
1.5Lock down API key routes and redact sensitive data -- No admin guard, key_hash exposedFIXED (audit 2026-03-30)TECH_DEBT TD-004
1.6Fix notification tenant isolation -- Reads/updates by user_id only, no tenant scopingFIXED (audit 2026-03-30)TECH_DEBT TD-006
1.7Auth blind spots on agent/model routes -- Manual run, rollback, models routes lack explicit authFIXED (GET /api/agents now requires auth; admin=true requires requireAdmin)TECH_DEBT TD-007
1.8Tenant scoping on single-record entity/view reads -- Missing explicit tenant filtersFIXED (audit 2026-03-30)TECH_DEBT TD-008
1.12Skills route auth -- Add requireAdmin() to skills POST/PATCH/DELETEFIXED (audit 2026-03-30)RBAC Plan
1.14Fix deleteUserMemory scope -- Add user_id checkFIXED (audit 2026-03-30)RBAC Plan

Config and Data (OCI)

IDDescriptionStatusSource
6.1OCI tenant setup -- Create tenant, configure branding, invite membersNOT STARTEDNew

P1 -- High Value

These items deliver significant value to users or enable important capabilities.

Security and Auth (P1)

IDDescriptionStatusSource
1.9Viewer role enforcement -- Viewers can write via RLS (membership-only check)NOT STARTEDBACKLOG T007
1.10Guest role as default signup -- New guest role with viewer permissions, replace member as defaultNOT STARTEDRBAC Plan
1.11Admin Roles and Permissions page -- Permission matrix UI (roles x permissions), toggle editingNOT STARTEDRBAC Plan
1.13Fix getViewById -- .single() to .maybeSingle()FIXED (uses .maybeSingle() in getTenantView)RBAC Plan

Architecture and Code Quality (P1)

IDDescriptionStatusSource
2.1Shared API route wrapper -- 40+ routes repeat auth + Zod + error handling boilerplatePARTIALTECH_DEBT TD-041
2.2Unified agent execution runtime -- Chat, inbox, heartbeat, workflows, extraction duplicate model/tool executionNOT STARTEDTECH_DEBT TD-042
2.3Entity/relation mutation orchestration -- Writes/activity scattered across routes, actions, tools, importsPARTIALTECH_DEBT TD-043
2.4Platform/custom boundary violations -- Platform modules import features/custom/* directlyNOT STARTEDTECH_DEBT TD-009
2.5Fail-open permission in tool execution -- No permissions = no enforcementFIXED (executeTool now fails closed)TECH_DEBT TD-010
2.9Remove risky default-tenant fallback -- Silent fallback to default tenant on errorsNOT STARTEDTECH_DEBT TD-014
2.11Enforce audit permissions -- Audit routes do not use RBACFIXED (2026-03-30, uses requireAdmin)TECH_DEBT TD-016
2.18Fix view CRUD scoping and test coverage -- Important but lightly testedNOT STARTEDTECH_DEBT TD-024
2.19Remove global entity type assumptions -- Platform code restricts to tenant_id IS NULLNOT STARTEDTECH_DEBT TD-025

Features (P1)

IDDescriptionStatusSource
4.1Entity embeddings and hybrid search -- pgvector, HNSW index, embedding generation, hybrid RRF searchPARTIAL (column exists)BACKLOG T020

UI Polish (P1)

IDDescriptionStatusSource
3.2Agent version tracking fix -- updateAgent() never calls createVersion()NOT STARTEDAdmin Cleanup Plan
3.5Radix Select empty value audit -- agent-dialog model select, entity-form dynamic selectsPARTIALPOLISH-PLAN
3.7Raw UUIDs in Activity entries -- Some activity entries show raw UUIDs in user-facing text. Resolve to display names.FIXED (QA Sprint)QA Audit 2026-03-30
3.8Empty views showing "Empty canvas" -- 5 named views show empty canvases. Either populate with blocks or remove from views list.NOT STARTEDQA Audit 2026-03-30
3.9Activity copy uses internal jargon -- "Linked entities (uses)" should be "Connected records". "blocks" should be "components".FIXED (QA Sprint)QA Audit 2026-03-30

Config and Data (P1)

IDDescriptionStatusSource
6.2Entity type optimization -- Review/tune opportunity fields, scoring weights, extraction instructionsNOT STARTEDNew
6.3Seed more opportunity data -- Enrich existing entities, extract from documentsNOT STARTEDNew
6.4Agent prompt tuning -- Customize default agent prompts for PE consulting contextNOT STARTEDNew
6.5View configuration -- Create useful saved views (pipeline by stage, high-score, recent activity)NOT STARTEDNew
6.6Dashboard customization -- Tune dashboard KPIs and charts for PE workflowNOT STARTEDNew

Plans with Remaining Tasks (P1)

IDPlanTasks RemainingStatusSource
7.1RBAC Admin and Guest Role12 tasks (all)NOT STARTEDdocs/superpowers/plans/2026-03-19-rbac-admin-and-guest-role.md
7.2Agent version tracking fixTasks 1-2 from admin cleanupNOT STARTEDdocs/superpowers/plans/2026-03-18-admin-cleanup.md

P2 -- Quality

These items improve code quality, developer experience, or system reliability.

Architecture and Code Quality (P2)

IDDescriptionStatusSource
2.6Persist rich AI SDK message parts -- Autonomous paths flatten tool traces to textNOT STARTEDTECH_DEBT TD-011
2.7Fix unread-count semantics in chat -- Self-authored messages count as unreadNOT STARTEDTECH_DEBT TD-012
2.8Clarify workflow retry semantics -- Implicit node status changesNOT STARTEDTECH_DEBT TD-013
2.10Normalize API key scope semantics -- Canonical scopes do not match UI choicesNOT STARTEDTECH_DEBT TD-015
2.12Fix webhooks secret lifecycle -- No rotation, delivery not fully loggedNOT STARTEDTECH_DEBT TD-017
2.13Consolidate memory data access -- Different access paths, admin client leaksNOT STARTEDTECH_DEBT TD-018
2.14Finish shared-context runtime -- LESSONS/ROUTING exist but not loaded into promptsNOT STARTEDTECH_DEBT TD-019
2.15Fix skills admin/edit behavior -- Disabled skills vanish, metadata.tools mishandledNOT STARTEDTECH_DEBT TD-020
2.16Fix realtime presence math -- Multi-tab dedup, typing logic duplicationNOT STARTEDTECH_DEBT TD-021
2.17Remove business logic from route layer -- Entity/relation/extraction routes mix concernsNOT STARTEDTECH_DEBT TD-022
2.20Unify navigation metadata -- Labels/icons/routes in 4+ placesNOT STARTEDTECH_DEBT TD-032
2.21Consolidate document UI -- 4 document list components duplicate logicNOT STARTEDTECH_DEBT TD-035
2.23Raise route and interaction test depthNOT STARTEDTECH_DEBT TD-038
2.24Clean up model metadata ownership -- Multiple truth sourcesNOT STARTEDTECH_DEBT TD-039
2.25Add stronger service-role guardrailsNOT STARTEDTECH_DEBT TD-040
2.26Scale cost reporting -- 10k-row cap, overlapping APIsNOT STARTEDTECH_DEBT TD-026
2.27Documents robustness -- No overlap >= chunkSize guard, naive CSV previewNOT STARTEDTECH_DEBT TD-027
2.28Stop bypassing shared AI abstractions in documentsNOT STARTEDTECH_DEBT TD-028
2.29Improve MCP fidelity -- Discards input schemas, no health trackingNOT STARTEDTECH_DEBT TD-030

Features (P2)

IDDescriptionStatusSource
4.2Tool permissions system -- tool_permission_rules table, isToolAllowedForUser()NOT STARTEDPLATFORM-BACKLOG 4.4
4.3Extraction results SQL dedup -- Switch to DISTINCT ON via RPCNOT STARTEDBACKLOG T016
4.4Entity creation from documents -- Upload PDF, extraction agents create entitiesNOT STARTEDSTATUS
4.7Langfuse integration -- LLM observability (Phase 2 of cost tracking)DEFERREDPLATFORM-BACKLOG

UI Polish (P2)

IDDescriptionStatusSource
3.1IconPicker component -- Shared visual icon grid replacing text selectsNOT STARTEDAdmin Cleanup Plan
3.3Responsive fixes -- notification-bell, tag-input popover, entity detail tablet, ViewEditor mobileNOT STARTEDBACKLOG T011
3.10Graph auto-fit and node visibility -- Graph nodes are tiny dots at default zoom. Auto-fit to viewport or increase default zoom.FIXED (QA Sprint)Design Review 2026-03-30
3.11Dashboard green banner violates design system -- Transformation Snapshot card uses saturated green. Use navy primary or neutral.FIXED (QA Sprint)Design Review 2026-03-30
3.12Hide empty activity stats on Feed -- When all values are zero, hide the stats grid.FIXED (QA Sprint)Design Review 2026-03-30
3.13Admin nav visible to non-admin users -- Admin items should be hidden from sidebar for users without admin role.NOT STARTEDDesign Review 2026-03-30

Venture Factory (P2, Deferred)

IDDescriptionStatusSource
5.1Venture templates -- Export/import tenant configurationsDEFERREDPLATFORM-BACKLOG 5.1
5.2Portfolio dashboard -- Cross-tenant metrics for system_adminDEFERREDPLATFORM-BACKLOG 5.2
5.3Governance/approvals -- Approval gates for high-impact agent actionsDEFERREDPLATFORM-BACKLOG 5.3

P3 -- Nice to Have

IDDescriptionStatusSource
2.22Share auth page form logic -- Login/signup/reset repeat validationNOT STARTEDTECH_DEBT TD-037
2.30Improve shared error handling UX -- Mixed ErrorCard + bespoke pagesNOT STARTEDTECH_DEBT TD-036
3.4RTE polish -- Link toolbar, mode indicator, toolbar overflow, editor min-heightNOT STARTEDBACKLOG T012
3.6Console.log cleanup -- 16 console statements in features, wrap with DEBUG flagNOT STARTEDCodebase review
4.5Document page tagging -- Tag pages with entity refs, categories, sectionsNOT STARTEDSTATUS
4.6Document thumbnail generation -- PDF page thumbnails via pdfjs-distNOT STARTEDSTATUS
4.8Subdomain-based tenant routing -- Alternative to path-based /t/[slug]DEFERREDSTATUS
5.4A2A protocol support -- Full agent-to-agent protocolPARTIAL (adapter exists)PLATFORM-BACKLOG 5.4

Cross-References

These documents contain additional context for backlog items:

  • TECH_DEBT_BACKLOG.md -- 40 items (4 archived in pass-3, 7 in next batch, 8 P0, 8 P1, 13 P2)
  • BACKLOG.md -- 10 open items (2 active sprint verification, 3 next-up, 5 platform features)
  • PLATFORM-BACKLOG.md -- Tier 1-4 complete; Tier 5 deferred; entity workflow orchestration done
  • POLISH-PLAN.md -- 7 sections (error boundaries done, loading states done, empty states done, responsive partial, RTE partial, Radix partial, console partial)
  • STATUS.md -- Last updated 2026-03-16, needs refresh

Scoped Specs

These features have been scoped into full design specs ready for implementation.

Active Specs

SpecPriorityStatusTarget Doc
Entity Card SystemP1approved/docs/features/entity-system
Feed v2P1approved/docs/features/feed
Entity Graph OverhaulP1approved/docs/features/entity-system
Entity Sharing SystemP1approved/docs/features/entity-system
View and Block System v2P1approved/docs/features/views

Legacy Specs

These design documents were written before the spec-first workflow was established. They live in docs/superpowers/specs/ and contain useful architectural context, but do not follow the current frontmatter format.

FileTopicDate
2026-03-17-auth-permissions-design.mdAuth and permissions system design2026-03-17
2026-03-17-agent-orchestration-engine-design.mdAgent orchestration engine2026-03-17
2026-03-18-datatable-design.mdDataTable component design2026-03-18
2026-03-18-datatable-v2-design.mdDataTable v2 redesign2026-03-18
2026-03-18-chat-redesign-design.mdChat system redesign2026-03-18
2026-03-18-external-agents-design.mdExternal agents integration2026-03-18
2026-03-18-realtime-entity-fix-design.mdRealtime entity fix2026-03-18
2026-03-18-realtime-presence-messaging-design.mdRealtime presence and messaging2026-03-18
2026-03-18-models-admin-enhancement-design.mdModels admin enhancements2026-03-18
2026-03-19-chat-dock-design.mdChat dock panel design2026-03-19

Spec-First Development

How features move from idea to spec to implementation to documentation. The spec IS the doc.

Agent Context and Caching

Shared agent context pipeline, workspace business profiles, compact schema prompts, provider-aware caching, and runtime loop controls.

On this page

2026-05-01 — PR #1100 punted items2026-05-01 — ChatChat panel sidebar lifecycle tests (pending orphan-chat fix)2026-04-17 — Unified tool platform follow-ups (PR #755)2026-03-30 Production QA AuditFixed in this auditRemaining P2 findings (not blocking)2026-03-30 Audit RefreshWhat changed in the auditCurrent priority queue after the audit2026-03-27 Audit RefreshWhat changed in the auditCurrent priority queue after the auditP0 -- Blocking / SecuritySecurity and Auth HardeningConfig and Data (OCI)P1 -- High ValueSecurity and Auth (P1)Architecture and Code Quality (P1)Features (P1)UI Polish (P1)Config and Data (P1)Plans with Remaining Tasks (P1)P2 -- QualityArchitecture and Code Quality (P2)Features (P2)UI Polish (P2)Venture Factory (P2, Deferred)P3 -- Nice to HaveCross-ReferencesScoped SpecsActive SpecsLegacy Specs