# SecureFlow MVP Implementation Plan

> **For Hermes:** Use subagent-driven-development skill to implement this plan task-by-task.

**Goal:** Build a production-oriented FastAPI + React MVP for cybersecurity readiness, evidence, policies, risks, supplier risk, questionnaires, AI-assisted answers, exports, tenant/RBAC, and audit logging.

**Architecture:** API-first multi-tenant SaaS. Every sensitive row has `tenant_id`; route dependencies enforce current tenant and role. Backend exposes typed REST endpoints and OpenAPI, frontend consumes with a token session.

**Tech Stack:** FastAPI, SQLModel/SQLAlchemy, PostgreSQL, Alembic, React TypeScript, Vite, Docker Compose, local/S3-ready file storage, OpenAI-compatible client abstraction.

---

## File Structure

- `backend/app/`: FastAPI application
- `backend/app/models.py`: SQLModel database schema
- `backend/app/routers/`: REST resources
- `backend/app/services/`: scoring, exports, storage, AI, seeding
- `backend/alembic/`: migrations
- `backend/tests/`: pytest API tests
- `frontend/src/`: React application
- `docker-compose.yml`: local Postgres, Redis, API, frontend

## Incremental Tasks

1. Scaffold repo, Docker, env examples, package files.
2. Add models and first Alembic migration.
3. Seed CMMC/NIST-style controls, tenant, demo users, policies, assessments, risks, evidence metadata.
4. Implement auth, JWT, password reset-ready primitives, RBAC dependencies.
5. Implement dashboard score service.
6. Implement self-assessment CRUD and evidence linking.
7. Implement evidence upload/version metadata and secure validation.
8. Implement risk register and POA&M export.
9. Implement policy library/revisions/acknowledgements.
10. Implement questionnaire assistant with grounded AI logs and citations.
11. Implement supplier risk and reporting exports.
12. Implement React pages with usable forms and lists.
13. Add tests for auth, tenant isolation, scoring, AI log persistence, exports.
14. Verify with pytest and frontend build.

## Compliance Guardrails

- Product language uses readiness/alignment/gap analysis, never “certified.”
- Reports include qualified review disclaimer.
- AI answers cite internal records and log prompt, response, sources, user, timestamp.
- Tenant isolation and RBAC are enforced server-side, not just UI-side.