# Backlog — Open Gaps and Remaining Work

Persistent list of deferred work and known gaps so they are not forgotten. **This is the single source for open/remaining work** — the sequenced integration plan is retired now that its phases are done or folded here; its history remains in git.

## Remaining work at a glance

- ⛔ **Design-gated (need a customer design decision):** the generic-CRUD management UIs (`users`/`roles`/`permissions` + the other groups), the roles/permissions admin UI, applying `` to specific create/edit/delete affordances, the `MANAGE_*` permissions that depend on it, and the director-creates-classrooms UI (needs a first-class `classrooms` entity, which the backend can build independently).
- **Unblocked, backend-only:** the self-editable-vs-privileged profile-field split; the `classrooms` entity backend; the manager acknowledgment-status report (pending an audience decision); the binary `file` audio-upload path (needs the file-download ownership fix); AI sound generation (swap the `generateSoundRecipe` stub).
- **Dev-machine runs / verification:** `npm install` (sync the OAuth dependency change), `npm run db:reset` (apply the Phase 4 migrations), `npm test`, `npm run test:e2e:content` (incl. the accessibility suite — zero WCAG 2/2.1 A/AA violations across 19 pages), `npm run lint`.
- **Last:** delete `ref-frontend/` once the generic-CRUD UIs (it is their reference) are built.

## Endpoint wiring

The backend exposes the full generated CRUD surface; the frontend consumes a subset. The SIS prune is complete (owner-approved): `students`, `guardians`, `fee_plans`, `invoices`, `payments`, and `documents` were removed (students/guardians live as **roles**, not SIS entities; the finance cluster is unused; the handbook migrated to `policy_documents`).

**Kept for future wiring:** `academic_years`, `assessments`, `assessment_results`, `attendance_records`, `attendance_sessions`, `classes`, `class_enrollments`, `class_subjects`, `subjects`, `grades`, `timetables`, `timetable_periods` (plus `messages`/`message_recipients`, already used by communications).

### To wire during frontend implementation (generic CRUD)

Each exposes the identical 9-endpoint shape (`POST /`, `/bulk-import`, `PUT /:id`, `DELETE /:id`, `deleteByIds`, `GET /`, `/count`, `/autocomplete`, `/:id`). Build the management UI + typed `shared/api` module + business hooks for each:

`academic_years`, `assessments`, `assessment_results`, `attendance_records`, `attendance_sessions`, `campuses` (authenticated `/api/campuses`), `classes`, `class_enrollments`, `class_subjects`, `grades`, `message_recipients`, `messages`, `organizations`, `permissions`, `roles`, `staff`, `subjects`, `timetable_periods`, `timetables`, `users`.

> Wiring `roles` / `permissions` / `users` unblocks the roles/permissions admin UI and lets `` gate real create/edit/delete affordances.

### Decision-gated extras (keep only if the workflow lands)

- **`auth` extras** (signup, profile, password-reset, verify-email, `email-configured`) — keep only if onboarding/recovery is in scope; otherwise prune.
- **`file`** (`GET /api/file/download`, `POST /api/file/upload/:table/:field`) — both JWT-authenticated; keep if document/avatar/audio upload is on the roadmap, otherwise prune. Upload still needs per-file tenant/ownership before exposing an upload UI.
- **`search`** (`GET /api/search`) — prune unless a search UI is planned.

## Cross-cutting open gaps

Authorization / RBAC:

- Dedicated `MANAGE_*` permissions for the manager-only writes (FRAME / walkthrough / communications / content-catalog editing, staff/attendance reports) — currently role-gated in their services; add when the admin UI needs them.
- ⛔ **Blocked on customer design decision:** apply `` to specific create/edit/delete affordances and build the roles/permissions admin UI + the generic-CRUD management pages. The backend endpoints are wired and enforced; the page/UX work is paused pending a design.
- Optionally switch frontend module/route gating from role-based to permission-based (currently role-based, equivalent to the matrix).

Provisioning:

- **Director-creates-classrooms** — needs a first-class `classrooms` entity (backend buildable independently); the classroom management UI is ⛔ blocked on the same customer design decision.
- Define the **self-editable vs privileged profile-field** split (backend contract; unblocked).

Files:

- Upload-side per-file ownership + a typed frontend upload client — only after the file UI lands. (Download ownership is already enforced.)

Phase 4 product UIs:

- **Audio library — remaining:** AI sound generation (swap the `generateSoundRecipe` stub for a real model call); the binary `file` upload UI — needs a typed upload client **and** the download-ownership fix (`assertCanDownloadFile` denies any `privateUrl` with no tracked `file` row, but the standalone `/file/upload/:table/:field` path doesn't create one; `recipe`/`url` rows are unaffected).
- **Manager acknowledgment-status report** — backend addition pending the report-audience decision.

Phase 5 — operations & cleanup:

- **`ref-frontend/` removal** — last; after the generic-CRUD UIs are built (it is their reference).
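
The download-ownership gap noted under the audio library item, modelled as an added JavaScript example (not the project's code): `FileStore`, `assertCanDownload`, the tenant/owner row shape and the sample paths are all hypothetical. It shows why a fail-closed check rejects files written by an upload path that records no row, and how recording tenant and owner at upload time resolves that without weakening the check.

```javascript
// Hypothetical in-memory stand-in for blob storage plus the tracked `file` table.
class FileStore {
  constructor() {
    this.blobs = new Set(); // privateUrls that exist in storage
    this.rows = new Map();  // privateUrl -> { tenantId, ownerId }
  }
  // Models the gap: bytes are stored, no ownership row is written.
  uploadUntracked(privateUrl) {
    this.blobs.add(privateUrl);
  }
  // Models the fix: tenant and owner are recorded together with the write.
  uploadTracked(privateUrl, user) {
    this.blobs.add(privateUrl);
    this.rows.set(privateUrl, { tenantId: user.tenantId, ownerId: user.id });
  }
}

class ForbiddenError extends Error {}

// Fail-closed: a missing row is a denial, never an implicit allow.
function assertCanDownload(store, privateUrl, user) {
  const row = store.rows.get(privateUrl);
  if (!row) throw new ForbiddenError('no tracked file row');
  if (row.tenantId !== user.tenantId) throw new ForbiddenError('other tenant');
  if (row.ownerId !== user.id) throw new ForbiddenError('not owner');
}

// Returns 'allow' or 'deny: <reason>' so the outcome can be logged or tested.
function decide(store, privateUrl, user) {
  try {
    assertCanDownload(store, privateUrl, user);
    return 'allow';
  } catch (err) {
    if (err instanceof ForbiddenError) return `deny: ${err.message}`;
    throw err; // unexpected errors must not be read as a policy decision
  }
}

// Constructed users and paths, for illustration only.
function demo() {
  const store = new FileStore();
  const alice = { id: 'u1', tenantId: 't1' };
  const bob = { id: 'u2', tenantId: 't1' };
  const carol = { id: 'u9', tenantId: 't2' };
  store.uploadUntracked('audio/a.wav');      // standalone upload path
  store.uploadTracked('audio/b.wav', alice); // upload path with the row recorded
  return {
    untracked: decide(store, 'audio/a.wav', alice),
    owner: decide(store, 'audio/b.wav', alice),
    sameTenant: decide(store, 'audio/b.wav', bob),
    otherTenant: decide(store, 'audio/b.wav', carol),
  };
}
```
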