vibe_erp — Implementation Plan (post-v0.1)

Status: Approved roadmap. v0.1 skeleton is built, tested end-to-end against a real Postgres, and pushed. This document is the source of truth for the work that turns v0.1 into v1.0. Date: 2026-04-07 Companion document: Architecture spec

2026-04-07 update — single-tenant refactor. vibe_erp is now deliberately single-tenant per instance: one running process serves exactly one company against an isolated Postgres database. All multi-tenancy work has been removed from the framework — no tenant_id columns, no Hibernate tenant filter, no Postgres Row-Level Security policies, no TenantContext. The previously-deferred P1.1 (RLS transaction hook) and H1 (per-region tenant routing) units are gone. See CLAUDE.md guardrail #5 for the rationale.

---

What v0.1 actually delivers (verified on a running app)

Item	Status
Gradle multi-project, 7 subprojects	✅ Builds end-to-end
api/api-v1 — public plug-in contract	✅ Compiles, 12 unit tests
platform/platform-bootstrap — Spring Boot main, properties, @EnableJpaRepositories, GlobalExceptionHandler	✅
platform/platform-persistence — JPA, audit listener (no tenant scaffolding)	✅
platform/platform-plugins — PF4J host, lifecycle	✅
pbc/pbc-identity — User entity end-to-end	✅ Compiles, 6 unit tests, smoke-tested via REST against real Postgres
reference-customer/plugin-printing-shop — hello-world PF4J plug-in	✅ Compiles, packs into a real PF4J JAR
distribution — Spring Boot fat jar (vibe-erp.jar)	✅ bootJar succeeds, bootRun boots cleanly in dev profile
Liquibase changelogs (platform init + identity init)	✅ Run cleanly against fresh Postgres
Dockerfile, docker-compose.yaml, Makefile	✅ Present; docker compose up -d db verified
GitHub Actions workflows	✅ Present, running in CI on every push to https://github.com/reporkey/vibe-erp
Architecture-rule enforcement in build.gradle.kts	✅ Active — fails on cross-PBC deps, on plug-ins importing internals, and on PBCs depending on platform-bootstrap
README, CONTRIBUTING, LICENSE, 8 docs guides	✅
Architecture spec + this implementation plan	✅
End-to-end smoke test against real Postgres	✅ POST/GET/PATCH/DELETE on /api/v1/identity/users; duplicate-username → 400; bogus id → 404; disable flow works

What v0.1 explicitly does NOT deliver:

• The 9 other core PBCs (catalog, partners, inventory, warehousing, orders-sales, orders-purchase, production, quality, finance)
• The metadata store machinery (custom-field application, form designer, list views, rules engine)
• Embedded Flowable workflow engine
• ICU4J Translator implementation
• JasperReports
• Real authentication (anonymous access; the bootstrap admin lands in P4.1)
• React web SPA
• Plug-in linter (rejecting reflection into platform internals at install time)
• Plug-in Liquibase application
• Per-plug-in Spring child context
• MCP server
• Mobile app (v2 anyway)

The architecture accommodates all of these — the seams are in api.v1 already — they just aren't implemented.

---

How to read this plan

Each work unit is sized to be a single coherent implementation pass: roughly 1–5 days of work, one developer, one PR. Units are grouped by theme, ordered roughly by dependency, but parallelizable wherever the prerequisites are satisfied.

Each unit names:

• the Gradle modules it touches (or creates)
• the api.v1 surface it consumes (and never modifies, unless explicitly noted)
• the acceptance test that proves it landed correctly
• any upstream dependencies that must complete first

The 11 architecture guardrails in CLAUDE.md and the 14-section design in 2026-04-07-vibe-erp-architecture-design.md apply to every unit. This document does not restate them.

---

Phase 1 — Platform completion (the foundation everything else needs)

These units finish the platform layer so PBCs can be implemented without inventing scaffolding.

P1.2 — Plug-in linter

Module: platform-plugins Depends on: — What: At plug-in load time, scan the JAR's class files for any reference to org.vibeerp.platform.* or org.vibeerp.pbc.*.internal.* packages. If any are found, refuse to load and report a "grade D extension" error to the operator. Reuse ASM (already a transitive dep of Spring) for bytecode inspection. Acceptance: unit test with a hand-crafted bad JAR that imports a fictitious org.vibeerp.platform.foo.Bar — the loader rejects it with a clear message.

P1.3 — Per-plug-in Spring child context

Module: platform-plugins Depends on: P1.2 (linter must run first) What: When a plug-in starts, create a Spring AnnotationConfigApplicationContext with the host context as parent. Register the plug-in's @Component classes (discovered via classpath scanning of its classloader). The plug-in's Plugin.start(context: PluginContext) is invoked with a PluginContext whose dependencies are wired from the parent context. Acceptance: the reference printing-shop plug-in declares an @Extension and a @PluginEndpoint controller; the integration test confirms the endpoint is mounted under /api/v1/plugins/printing-shop/... and the extension is invocable.

P1.4 — Plug-in Liquibase application

Module: platform-plugins + platform-persistence Depends on: P1.3 What: When a plug-in starts, look for db/changelog/master.xml in its JAR; if present, run it through Liquibase against the host's datasource with the plug-in's id as the changelog contexts filter. Tables created live under the plugin_<id>__* prefix (enforced by lint of the changelog at load time, not runtime). Acceptance: a test plug-in ships a changelog that creates plugin_test__widget; after load, the table exists. Uninstall removes the table after operator confirmation.

P1.5 — Metadata store seeding

Module: new platform-metadata module (or expand platform-persistence) Depends on: — What: A MetadataLoader Spring component that, on boot and on plug-in start, upserts rows into metadata__entity, metadata__form, metadata__workflow, etc. from YAML files in the classpath / plug-in JAR. Each row carries source = 'core' | 'plugin:<id>' | 'user'. Idempotent; safe to run on every boot. Acceptance: integration test confirms that booting twice doesn't duplicate rows; uninstalling a plug-in removes its source = 'plugin:<id>' rows; user-edited rows (source = 'user') are never touched.

P1.6 — Translator implementation backed by ICU4J

Module: new platform-i18n module Depends on: P1.5 (so plug-in message bundles can be loaded as part of metadata) What: Implement org.vibeerp.api.v1.i18n.Translator using ICU4J MessageFormat with locale fallback. Resolve message bundles in this order: metadata__translation (operator overrides) → plug-in i18n/messages_<locale>.properties → core i18n/messages_<locale>.properties → fallback locale. Acceptance: unit tests covering plurals, gender, number formatting in en-US, zh-CN, de-DE, ja-JP, es-ES; a test that an operator override beats a plug-in default beats a core default.

P1.7 — Event bus + outbox

Module: new platform-events module Depends on: — What: Implement org.vibeerp.api.v1.event.EventBus with two parts: (a) an in-process Spring ApplicationEventPublisher for synchronous delivery to listeners in the same process; (b) an event_outbox table written in the same DB transaction as the originating change, scanned by a background poller, marked dispatched after delivery. The outbox is the seam where Kafka/NATS plugs in later. Acceptance: integration test that an OrderCreated event survives a process crash between the original transaction commit and a downstream listener — the listener fires when the process restarts.

P1.8 — JasperReports integration

Module: new platform-reporting module Depends on: P1.5 What: Wrap JasperReports compilation/rendering behind a ReportRenderer Spring component. Reports live in metadata__report (path or content). API exposes /api/v1/_meta/reports/{id}.pdf?param=... for synchronous rendering, with a job-based async path for big reports. Acceptance: ship one core report (a User list) and confirm it renders to PDF with the correct locale-aware date and number formatting.

P1.9 — File store (local + S3)

Module: new platform-files module Depends on: — What: A FileStore interface with LocalFileStore and S3FileStore implementations, configured via vibeerp.files.backend. Files are stored under a flat key namespace — there is exactly one company per instance, so no per-tenant prefixing is needed. Acceptance: unit tests for both backends; integration test with MinIO Testcontainer for S3.

P1.10 — Job scheduler

Module: new platform-jobs module Depends on: — What: Quartz integration with the JDBCJobStore against the same Postgres. PBCs and plug-ins register jobs through a typed JobScheduler API in api.v1 (already has the seam, may need a tiny addition). Each job runs inside a PrincipalContext.runAs(systemPrincipal) block so audit columns get a sensible value instead of inheriting whatever the trigger thread had. Acceptance: a recurring core job that prunes the audit log; integration test confirms the job runs with the expected system principal in audit columns.

---

Phase 2 — Embedded workflow engine

P2.1 — Embedded Flowable

Module: new platform-workflow module Depends on: P1.5 (metadata), P1.6 (i18n for task names), P1.7 (events) What: Pull in flowable-spring-boot-starter. Configure Flowable to use the same Postgres datasource (so its tables live alongside ours, prefixed flowable_*). Wire org.vibeerp.api.v1.workflow.TaskHandler implementations registered by plug-ins as Flowable JavaDelegates. Workflows are deployed from metadata__workflow rows (BPMN XML payload) on boot and on plug-in load. Acceptance: the reference printing-shop plug-in registers a "quote-to-job-card" TaskHandler; a BPMN process that calls it can be started via REST and returns the expected output.

P2.2 — BPMN designer integration (web)

Module: the future React SPA Depends on: P2.1, R1 (web bootstrap) What: Embed bpmn-js (Camunda's BPMN modeler) in a "Workflow Designer" page. Save as a metadata__workflow row; deploy through the Tier 1 path. Acceptance: end-to-end test where a Tier 1 user creates a workflow in the browser and starts an instance of it.

P2.3 — User task / form rendering

Module: platform-workflow + future React SPA Depends on: P2.1, P3.3 (form designer), R1 What: When a Flowable user task fires, look up the form id from the task definition, render it via the form renderer (P3.x), capture the user's input, and complete the task. Acceptance: end-to-end test of an approval workflow where a human clicks a button.

---

Phase 3 — Metadata store: forms and rules (the Tier 1 user journeys)

P3.1 — JSON Schema form renderer (server)

Module: new platform-forms module Depends on: P1.5 What: A FormRenderer that, given an entity instance and a FormSchema, returns a server-side JSON describing what to render. The actual rendering happens in the SPA (P3.2). The server-side piece is needed for non-browser clients (CLI, integration tests, AI agents). Acceptance: snapshot tests of the rendered JSON for a User form with an added custom field.

P3.2 — Form renderer (web)

Module: future React SPA Depends on: P3.1, R1 What: A React component that consumes JSON Schema + UI Schema and renders an interactive form. Use react-jsonschema-form as the base, customize the widget set for vibe_erp's design language. Acceptance: Storybook for every widget type; e2e test that filling and submitting a form persists the data.

P3.3 — Form designer (web)

Module: future React SPA Depends on: P3.2 What: A drag-and-drop designer that produces JSON Schema + UI Schema and saves into metadata__form. This is the Tier 1 entry point for "add a field, change a layout". Acceptance: e2e test where a Tier 1 user adds a "Customer PO Reference" field to the Sales Order form without writing code.

P3.4 — Custom field application

Module: platform-metadata Depends on: P1.5 What: A Hibernate interceptor (or JPA listener) that reads the entity's metadata__custom_field rows on save and validates the JSON in the ext column against them — required, type, max length, etc. Validation errors come back as 422 with a per-field map. Acceptance: integration test that a User with a missing required custom field cannot be saved; one with a valid one round-trips.

P3.5 — Rules engine (simple "if X then Y")

Module: new platform-rules module Depends on: P1.7 (events) What: Listen to DomainEvents, evaluate metadata__rule rows scoped to that event type, run the configured action (send email, set field, call workflow, publish another event). Use a simple expression language (Spring SpEL — already on the classpath). Acceptance: integration test where a rule "on UserCreated, set ext.greeting = 'Welcome'" actually fires.

P3.6 — List view designer (web)

Module: future React SPA Depends on: R1 What: A grid component backed by metadata__list_view rows. Operators pick columns, filters, sort, save as a named list view. Acceptance: e2e test where a user creates a "Active customers in Germany" list view and re-opens it later.

---

Phase 4 — Authentication and authorization (PROMOTED to next priority)

Promoted from "after the platform layer" to "do this next." With the single-tenant refactor, there is no second wall protecting data. Auth is the only security. Until P4.1 lands, vibe_erp is only safe to run on localhost.

P4.1 — Built-in JWT auth

Module: pbc-identity (extended) + platform-bootstrap (Spring Security config) Depends on: — What: Username/password login backed by identity__user_credential (separate table from identity__user so the User entity stays free of secrets). Argon2id for hashing via Spring Security's Argon2PasswordEncoder. Issue an HMAC-SHA256-signed JWT with sub (user id), username, iss = vibe-erp, iat, exp. Validate on every request via a Spring Security filter, bind the resolved Principal to a per-request PrincipalContext, and have the audit listener read from it (replacing today's __system__ placeholder). On first boot of an empty identity__user table, create a bootstrap admin with a random one-time password printed to the application logs. Acceptance: end-to-end smoke test against the running app:

• unauthenticated GET /api/v1/identity/users → 401
• POST /api/v1/auth/login with admin → 200 + access + refresh tokens
• GET /api/v1/identity/users with Authorization: Bearer … → 200
• new user created via REST has created_by = <admin user id>, not __system__

P4.2 — OIDC integration

Module: pbc-identity Depends on: P4.1 What: Plug Spring Security's OIDC client into the same Principal resolution. Configurable per instance (not per tenant — vibe_erp is single-tenant): which provider, which client id, which claim is the username. Keycloak is the smoke-test target. Acceptance: Keycloak Testcontainer + integration test of a full OIDC code flow; the same UserController endpoints work without changes.

P4.3 — Permission checking (real)

Module: platform-security Depends on: P4.1 What: Implement org.vibeerp.api.v1.security.PermissionCheck. Resolve permissions from metadata__role_permission rows for the current Principal's roles. Plug-ins register their own permissions via @Extension(point = PermissionRegistrar::class) (api.v1 may need a tiny addition here — deliberate, with a minor version bump). Acceptance: integration test that a user without identity.user.create gets 403 from POST /api/v1/identity/users; with the role, 201.

---

Phase 5 — Core PBCs (the meat of the framework)

Each PBC follows the same 7-step recipe:

1. Create the Gradle subproject under pbc/
2. Domain entities (extending AuditedJpaEntity, with ext jsonb)
3. Spring Data JPA repositories
4. Application services
5. REST controllers under /api/v1/<pbc>/<resource>
6. Liquibase changelog (db/changelog/<pbc>/) with rollback blocks
7. Cross-PBC facade in api.v1.ext.<pbc> + adapter in the PBC

No tenant_id columns. No RLS policies. vibe_erp is single-tenant per instance — everything in the database belongs to the one company that owns the instance.

P5.1 — pbc-catalog — items, units of measure, attributes

Foundation for everything that's bought, sold, made, or stored. Hold off on price lists and configurable products until P5.10.

P5.2 — pbc-partners — customers, suppliers, contacts

Companies, addresses, contacts, contact channels. PII-tagged from day one (CLAUDE.md guardrail #6 / DSAR).

P5.3 — pbc-inventory — stock items, lots, locations, movements

Movements as immutable events; on-hand quantity is a projection. Locations are hierarchical.

P5.4 — pbc-warehousing — receipts, picks, transfers, counts

Built on top of inventory via api.v1.ext.inventory. The first PBC that proves the cross-PBC dependency rule under load.

P5.5 — pbc-orders-sales — quotes, sales orders, deliveries

Workflow-heavy. The reference printing-shop plug-in's quote-to-job-card flow exercises this.

P5.6 — pbc-orders-purchase — RFQs, POs, receipts

Mirror image of sales. Shares the document/approval pattern.

P5.7 — pbc-production (basic) — work orders, routings, operations

Generic discrete-manufacturing primitives. NOT printing-specific.

P5.8 — pbc-quality (basic) — inspection plans, results, holds

Generic; the printing-specific QC steps live in the plug-in.

P5.9 — pbc-finance (basic) — GL, journal entries, AR/AP minimal

Basic double-entry. Tax engines, multi-currency revaluation, consolidation are v1.2+.

P5.10 — pbc-catalog — pricing, configurable products

Defer until P5.5 (orders-sales) is real, since pricing only matters when orders exist.

---

Phase 6 — Web SPA

R1 — React + TypeScript bootstrap

Module: new web/ directory (Vite + React + TS) Depends on: P4.1 (need a way to log in) What: Vite scaffold, design system (likely Mantine or Radix), routing (React Router), data fetching (TanStack Query), generated TypeScript client from the backend's OpenAPI spec. Acceptance: can log in, see a list of users, log out.

R2 — Identity screens

Depends on: R1 What: User list, user detail, role list, role detail, permission editor.

R3 — Customize / metadata UIs

Depends on: R1, P3.3, P3.6 What: The Tier 1 entry point. Form designer, list view designer, custom field designer, workflow designer.

R4 — One screen per core PBC

Depends on: R1, the matching PBC from Phase 5 What: Per-PBC list / detail / create / edit screens. Generated from metadata wherever possible; hand-built where the metadata-driven approach falls short (and those gaps become future enhancements to the metadata store).

---

Phase 7 — Reference plug-in (the executable acceptance test)

REF.1 — Real workflow handler

Module: reference-customer/plugin-printing-shop Depends on: P2.1 (Flowable) What: Replace the v0.1 hello-world with a real TaskHandler that converts a Quote into a JobCard, registered as acme.printingshop.quoteToJobCard. A BPMN file in the plug-in JAR drives a workflow that calls this handler. Acceptance: integration test starts the workflow with a real Quote and asserts the JobCard appears.

REF.2 — Plate / ink / press domain

Module: same plug-in Depends on: P1.4 (plug-in Liquibase application) What: The plug-in defines its own entities (plugin_printingshop__plate, plugin_printingshop__ink_recipe, plugin_printingshop__press) via its own Liquibase changelog. It registers REST endpoints for them via @PluginEndpoint. It registers permissions like printingshop.plate.approve. Acceptance: integration test that a printing-shop user can CRUD plates against /api/v1/plugins/printing-shop/plates.

REF.3 — Real reference forms and metadata

Module: same plug-in Depends on: P3.3, P3.4 What: The plug-in ships YAML metadata for: a custom field on Sales Order ("printing job type"), a custom form for plate approval, an automation rule "on plate approved, dispatch to press". All loaded at plug-in start, all tagged source = 'plugin:printing-shop'. Acceptance: end-to-end smoke test that loads the plug-in into a fresh instance and exercises the full quote-to-job-card-to-press flow without any code changes outside the plug-in.

---

Phase 8 — Hosted operations, AI agents, mobile (post-v1.0)

H1 — Instance provisioning console (hosted)

What: A separate operator console that, given a "create customer" request, provisions a fresh vibe_erp instance: spin up a dedicated Postgres database, deploy a vibe_erp container pointed at it, register DNS, hand the customer their bootstrap admin credentials. The vibe_erp framework itself is not changed for this — provisioning is a layer on top of the framework. Each customer gets their own process, their own database, their own backups, their own upgrade cadence. Acceptance: can provision and tear down a customer instance via a single CLI command.

A1 — MCP server

Module: new platform-mcp Depends on: every PBC, every endpoint having a typed OpenAPI definition What: Expose every REST endpoint as an MCP function. Permission-checked, locale-aware. A Tier 2 plug-in can register additional MCP functions via a new @McpFunction annotation in api.v1 (an additive change, minor version bump). Acceptance: an LLM-driven agent can call vibe_erp.identity.users.create and the result is identical to a REST call.

M1 — React Native skeleton

Shared TypeScript types with the web SPA; first screens cover shop-floor scanning and approvals.

---

Tracking and ordering

A coarse dependency view (after the single-tenant refactor):

P4.1 — auth (PROMOTED) ─────────┐
P1.5 — metadata seed ──┐ ──┐    │
P1.6 — translator ──── (depends on P1.5)
P1.7 — events ─────────┘   │
P1.2 — linter ──┐
P1.3 — child ctx ┘
P1.4 — plug-in liquibase ── depends on P1.3
P1.8 — reports ── depends on P1.5
P1.9 — files
P1.10 — jobs
P2.1 — Flowable ── depends on P1.5, P1.6, P1.7
P3.x — metadata Tier 1 ── depends on P1.5
P5.x — core PBCs ── depend on P1.x complete + P4.x for permission checks
R1   — web bootstrap ── depends on P4.1
REF.x — reference plug-in ── depends on P1.4 + P2.1 + P3.3

Sensible ordering for one developer (single-tenant world): P4.1 → P1.5 → P1.7 → P1.6 → P1.2 → P1.3 → P1.4 → P1.10 → P2.1 → P3.4 → P3.1 → P5.1 → P5.2 → R1 → ...

Sensible parallel ordering for a team of three:

• Dev A: P4.1, P1.5, P1.7, P1.6, P2.1
• Dev B: P1.4, P1.3, P1.2, P3.4, P3.1
• Dev C: P5.1 (catalog), P5.2 (partners), P4.3

Then converge on R1 (web) and the rest of Phase 5 in parallel.

---

Definition of "v1.0 ready"

v1.0 ships when, on a fresh Postgres, an operator can:

1. docker run the image with a connection string and a company name
2. Read the bootstrap admin password from the logs
3. Log in to the web SPA
4. Drop the printing-shop plug-in JAR into ./plugins/
5. Restart the container
6. See the printing-shop's screens, custom fields, workflows, and permissions in the SPA
7. Walk a quote through the printing shop's full workflow without writing any code
8. Generate a PDF report for that quote in zh-CN
9. Export a DSAR for one of their customers

…and the same image, against a fresh empty Postgres pointed at a different company, also serves a customer who has loaded a completely different plug-in expressing a completely different business — without any change to the core image. (Hosting both customers in one process is explicitly NOT a goal — they are two independent instances.)

That's the bar. Until that bar is met, the framework has not delivered on its premise.