# WAGW SaaS Worklog

## 2026-05-18

### Completed

- Modern Laravel 12 + Docker Compose stack running on OrbStack.
- PostgreSQL, Redis, MinIO, app, worker, scheduler, web, and self-built GOWA services wired.
- Custom admin shell (`/app-admin`) replacing Filament admin.
- Domain foundation migrations created for tenants, users, API keys, devices, plans, subscriptions, invoices, messages, webhooks, audit logs.
- BRAC tables added (`m_user`, `m_group`, `m_module`, `m_module_action`, `m_rule`).
- API key authentication fixed to SHA-256 lookup matching `ApiKeyService`.
- Baseline API routes added for messages, devices, API keys, and GOWA webhook.
- GOWA default base URL corrected to `http://gowa:3000`.
- GOWA send route verified against source: `POST /send/message`.
- GOWA webhook UUID/phone lookup made PostgreSQL-safe.
- Demo seeder added/idempotent:
  - `super@demo.wagw.local / password`
  - `owner@demo.wagw.local / password`
  - `operator@demo.wagw.local / password`
  - `admin@demo.wagw.local / password`
  - demo tenant, node, device, plan, API key, BRAC groups/modules/rules.
- Product UX phase started:
  - Custom admin shell with login/dashboard/permission matrix.
  - onboarding checklist: Connect WhatsApp, Generate API key, Test send, Setup webhook.
  - API key manager endpoints.
  - device onboarding endpoints for create/show/login QR/login code/status/test send/delete.
  - GOWA client service wrapper.
  - WaDevice/Webhook resource actions polished.
- Tests expanded and passing in Docker: `21 passed (81 assertions)`.

### Still Missing vs PRD

- Filament removed; custom `/app-admin` shell is the primary admin.
- Real QR display/scan flow validated against running GOWA browser session.
- Free plan enforcement: 300 messages/day/device + mandatory footer.
- Paid plan activation per device.
- Message attempts table/history, idempotency key, structured retry logs.
- Tenant webhook delivery worker with HMAC signing, retry, delivery logs.
- Billing/invoice/payment proof/DOKU/QRIS/bank transfer flows.
- Queue/job monitor and device health scheduler.
- Full BRAC gating on UI/resource actions.
- API docs pages and public pricing/landing/register flow.

### Latest Verified Commands

```bash
docker compose exec -T app php artisan test --compact
# 21 passed (81 assertions)

docker compose exec -T app php artisan db:seed --class=DemoSeeder --force
# demo users + API key created
```