# Navi Product Platform Gap Audit

Date: 2026-05-06  
Branch: `wave1/product-platform-gap-audit`  
Scope: audit-only; no application logic, schema, mobile, dashboard, website, or API code changes.

## Executive Summary

Navi now has a credible Phase One platform foundation: a separated monorepo, NestJS API, Prisma schema, Expo mobile app, Next.js dashboard, Next.js website, shared packages, RBAC guard, audit interceptor, provider control tower, analytics endpoints, engagement tracking, bookings, saved items, trip planner, translator, payments/refunds shell, and demo users.

The platform is not yet market-ready as a real tourism marketplace. The strongest working areas are authentication, public catalog browsing, search/engagement capture, saved items, deterministic trip planner, dashboard analytics, provider control tower configuration, and read-side admin views. The weakest areas are live commerce completion, provider operational workflows, partner onboarding, pharmacy compliance, support workflows, production payments/webhooks, notification delivery, app-store production readiness, and real dashboard write operations for content and providers.

The main CTO decision is to keep Navi in a controlled demo/staging posture until the P0 gaps below are resolved. The current code can support investor and internal demos if the environment is clearly labeled, demo/local API URLs are controlled, and no fake payment or provider operation is presented as production.

## Evidence Inspected

| Area | Evidence |
|---|---|
| Mobile routes | `apps/mobile/app/(auth)`, `apps/mobile/app/(tabs)`, `apps/mobile/app/services/[type].tsx`, `apps/mobile/app/trip-planner/*`, `apps/mobile/app/translator/*` |
| Dashboard routes | `apps/dashboard/src/app/(app)/*`, including overview, provider control, users, bookings, payments, refunds, reports, engagement |
| Website routes | `apps/website/src/app/[locale]/*`, including home, about, tourists, partners, destinations, contact, terms, privacy |
| API modules | `apps/api/src/modules/*`, including auth, users, listings, bookings, saved, payments, refunds, provider-control, analytics, engagement |
| Prisma schema | `apps/api/prisma/schema.prisma` |
| Shared packages | `packages/api-client`, `packages/types`, `packages/validators`, `packages/config`, `packages/ui` |
| Existing audit docs | `docs/audit/NAVI_FULL_PLATFORM_REFLECTION_AUDIT.md`, `docs/audit/NAVI_DATABASE_DASHBOARD_REFLECTION_MATRIX.md` |

## Platform Readiness Scorecard

| Capability | Current status | Readiness | Release impact |
|---|---|---:|---|
| Monorepo separation | Apps and shared packages are separated | 8/10 | Good foundation |
| Shared types/validators/client | Strong shared package pattern exists | 8/10 | Continue enforcing |
| Authentication | Signup, OTP, login, refresh, profile read exist | 7/10 | Needs audit/session hardening |
| RBAC | Backend guard and permissions exist | 7/10 | Needs write-side coverage and role builder |
| Audit logs | Audit model/interceptor exist | 6/10 | Sensitive action coverage incomplete |
| Mobile Phase One UI | Main screens/routes exist | 6/10 | Needs real-device QA and no-fake-button pass |
| Search and engagement | Search API and engagement dashboard exist | 8/10 | Strong demo capability |
| Dashboard analytics | Admin analytics API/UI are committed | 8/10 | Useful operational control view |
| Provider control tower | Category modes/integrations foundation exists | 7/10 | Needs production provider readiness checks |
| Website | Bilingual shell exists | 5/10 | Needs sales pages, SEO evidence, real content source |
| Bookings | Basic create/read exists | 5/10 | Needs quote, status, cancellation, provider operations |
| Orders | Prisma model exists but API/dashboard maturity is low | 3/10 | Blocks service marketplace demo depth |
| Payments/refunds | Shell exists with idempotency concept | 4/10 | Blocks real checkout |
| Partner onboarding | Business/member read side exists; apply flow missing | 3/10 | Blocks GTM funnel |
| Notifications | Mostly missing | 2/10 | Can wait for demo; blocks launch polish |
| AI trip planner | Deterministic generator exists | 5/10 | Needs real provider, quotas, queue |
| Translator | Basic job flow exists | 4/10 | Needs OCR provider and privacy model |
| QA automation | API tests exist; mobile/dashboard/website E2E thin | 5/10 | Blocks release confidence |
| Store/TestFlight readiness | Local artifacts exist, but production signing/API readiness incomplete | 4/10 | Blocks public beta |

## P0 Release Blockers

| ID | Gap | Why it blocks release | Required fix | Owner |
|---|---|---|---|---|
| P0-01 | No real production/staging payment completion | Bookings cannot become trusted paid transactions | Stripe/Telr hosted checkout, signed webhooks, booking status transitions, dashboard payment state | Backend + Mobile + DevOps |
| P0-02 | Partner application and approval flow missing | Providers cannot enter the marketplace cleanly | Public apply endpoint/page, KYB upload, admin approval, business/user/membership creation | Backend + Website + Dashboard |
| P0-03 | Provider create/update/status operations incomplete | Dashboard cannot operate bookings/orders/listings end to end | Provider-scoped listing/order/booking write APIs and UI | Backend + Dashboard |
| P0-04 | Pharmacy prescription privacy/compliance missing | Pharmacy flow risks mishandling sensitive files | Private upload model, prescription request state machine, scoped provider/support access | Backend + Security |
| P0-05 | No full mobile-to-dashboard commerce reflection for orders | Services like food/grocery/SIM can appear fake if not reflected | Order API, OrderItem model or equivalent, provider/admin dashboard order views | Backend + Mobile + Dashboard |
| P0-06 | Environment separation not fully proven | Demo/local API can be confused with production | Staging HTTPS API, config matrix, build profiles, visible environment labels | DevOps + Release |

## P1 Critical Gaps

| ID | Gap | Required outcome |
|---|---|---|
| P1-01 | Role builder is read-only or partial | Super Admin can assign roles/permissions with audit logs |
| P1-02 | Dashboard forgot-password/admin auth recovery incomplete | Admins can recover access safely without manual DB edits |
| P1-03 | Booking lifecycle incomplete | Quote, create, cancel, provider status, admin override, audit |
| P1-04 | Support ticket workspace incomplete | Support agent can view tickets, customers, bookings, orders, notes |
| P1-05 | Content write operations incomplete | Admin edits home, onboarding, emergency, marketing content through APIs |
| P1-06 | Website partner/sales pages thin | Partner category pages, contact/demo request, SEO, locale metadata |
| P1-07 | Trip planner still deterministic | Queue/provider/quota/fallback/cost audit needed before AI claims |
| P1-08 | Translator lacks real OCR/translation provider | Camera/gallery upload must create private job and reliable result |
| P1-09 | Audit coverage inconsistent | Sensitive auth, role, provider, payment, content, booking/order actions logged |
| P1-10 | Mobile APK/TestFlight process not production-grade | EAS profiles, HTTPS API, signing, store metadata, privacy manifests |

## Product Journey Gap Matrix

| Journey | Mobile | API/database | Dashboard reflection | Current problem | Priority |
|---|---|---|---|---|---|
| Guest browse UAE services | Present | Public home/search/listings exist | Analytics can show engagement | Website/mobile content source not fully CMS-managed | P1 |
| User registers/logs in | Present | User, credentials, OTP, session exist | Users list can read | Registration/login audit and session management thin | P1 |
| User searches and saves | Present | Search and SavedItem exist; EngagementEvent exists | Engagement dashboard exists | Needs stronger user journey timeline per user | P1 |
| User books stay/activity | Present | Booking create/read exists | Bookings page exists | Quote/payment/status/provider workflow incomplete | P0 |
| User orders food/grocery/pharmacy/SIM | UI service routes exist | Order model exists; API maturity unclear | Dedicated order ops weak | Cannot honestly demo end-to-end service operations yet | P0 |
| User requests taxi | UI route exists | Generic booking/listing model only | Driver/provider reflection incomplete | Taxi estimate/assign/status missing | P1 |
| User uses emergency | Mobile route exists | Emergency read endpoint/model exists | Admin editor missing | Works as read-only; needs admin CRUD and call telemetry | P1 |
| User uses trip planner | Routes exist | Trip/TripStep deterministic generation | Analytics partial | Real AI/queue/cost/privacy missing | P1 |
| User uses image translator | Routes exist | TranslationJob exists | Analytics only | Real OCR/translation/private file flow missing | P1 |
| Partner applies | Website partners page exists as mailto | PartnerApplication missing | Partner review queue missing | GTM partner funnel is not real | P0 |
| Partner operates listings/orders | Dashboard pages exist | Business/listing/order models exist | Partial pages | Write workflows and scoping need completion | P0 |
| Admin manages platform | Dashboard shell broad | Many read endpoints exist | Overview/Control Tower present | Write-side coverage inconsistent | P1 |
| Super Admin controls system | Roles/permissions pages exist | Role/Permission models exist | Partial | Builder/settings/integrations need strict enforcement | P1 |

## Architecture Gaps

1. `OrderItem` is required by product scope but the current inspected Prisma schema has `Order` without item rows. This weakens food, pharmacy, grocery, and SIM order integrity.
2. `PartnerApplication` is required by GTM scope but is not present in the inspected Prisma schema.
3. `UploadFile` is required for prescriptions, translator images, avatars, and KYB documents but is not present in the inspected Prisma schema.
4. Provider integrations exist, but real provider adapter execution, health verification, secret vault resolution, and production enablement gates need a separate implementation wave.
5. Payments are represented by `PaymentIntent`, `Refund`, and provider abstraction, but real provider webhook completion and booking status transitions need hardening before any live-money demo.
6. Content models exist (`ContentAsset`, `MarketingPage`, `OnboardingPage`, `ContentTranslation`), but mobile/website content still includes hardcoded copy in inspected pages.
7. API modules are broad but not all mobile/product journeys have a matching write endpoint or dashboard workflow.

## Security and Compliance Gaps

| Area | Gap | Required control |
|---|---|---|
| Payments | Live provider/webhook processing not production-ready | Hosted checkout/payment sheet only, signature verification, idempotency, audit |
| Prescription data | No clear private upload/prescription request model | Private storage, signed URLs, provider/support scope, audit |
| Demo vs production | Local/demo builds can confuse operators | Environment gates, visible labels, no demo provider in production |
| RBAC | Read-side coverage stronger than write-side coverage | Permission-backed write APIs for all admin/provider actions |
| Audit logs | Some sensitive actions missing audit writes | Required action catalog and test assertions |
| PII analytics | Engagement is useful but privacy policy and user timeline controls need care | Privacy-safe analytics, no private image/prescription content in dashboards |
| Secrets | Provider integrations store vault refs, but runtime secret resolution must be verified | Vault-only references, no raw secret forms, CI secret scanning |

## Dashboard Gap Map

| Dashboard module | Current state | Gap |
|---|---|---|
| Overview analytics | Wired to admin analytics API | Good; keep role-based limited views |
| Provider integrations | Foundation exists | Needs production readiness gate and adapter health evidence |
| Category modes | Foundation exists | Needs marketing/product workflow documentation and mobile behavior mapping |
| Users | Read-side exists | Needs create/edit/status/role actions with audit |
| Roles/permissions | Read-side exists | Needs Super Admin builder and assignment APIs |
| Businesses/memberships | Read-side exists | Needs partner approval/onboarding/team writes |
| Listings | Read-side exists | Needs provider/admin create/edit/publish flow |
| Bookings | Read-side exists | Needs status/cancel/refund/payment actions |
| Orders | Not yet strong enough | Needs dedicated operational order page/API |
| Payments/refunds | Shell exists | Needs real transaction state and webhook/refund evidence |
| Content | Partial | Needs home/onboarding/banner/emergency/marketing editors |
| Support | Missing/partial | Needs ticket workspace and customer lookup |
| Reports | Analytics started | Needs provider, finance, conversion, support, export reports |

## Website Gap Map

| Website area | Current state | Gap |
|---|---|---|
| Locale routes | `en/ar` route pattern exists | Need metadata/hreflang/OG validation |
| Home | Static bilingual marketing shell | Needs API/CMS-backed content and stronger visuals |
| Tourist page | Exists | Needs conversion-focused content and app links |
| Partners page | Exists but apply is mailto | Needs real application form/API |
| Category partner pages | Missing | Hotels, restaurants, pharmacies, groceries, taxi, SIM, tours |
| Legal | Terms/privacy routes exist | Needs final counsel review and UAE PDPL/payment language |
| SEO | Sitemap/robots exist | Need Lighthouse evidence, JSON-LD, destination/listing pages |

## Mobile Gap Map

| Mobile area | Current state | Gap |
|---|---|---|
| Auth/onboarding | Routes exist and API client exists | Needs real-device API profile per build and QA proof |
| Home/discover/saved | Strongest connected area | Needs no-fake-button registry completion |
| Service routes | Generic service screens exist | Need service-specific data/write flows for food/pharmacy/grocery/SIM/taxi |
| Bookings | User bookings route exists | Need quote/payment/status/cancel flow |
| Profile/settings | Routes exist | Need profile update/device/session/security completion |
| Translator | Routes/job API exist | Need real OCR provider and private upload |
| Trip planner | Routes/generate/list/detail exist | Need real AI provider/queue/cost guardrails |
| i18n/RTL | EN/AR packages exist | Need device screenshots and full RTL QA |

## Recommended Implementation Order

### Slice 1: Release Environment Lockdown

1. Define local, demo, staging, production API URL rules.
2. Add visible environment label in non-production dashboard/mobile.
3. Ensure local APK/TestFlight builds cannot be mistaken for production.
4. Document GitHub/GitLab remote and credential process.

### Slice 2: Partner Application and Provider Onboarding

1. Add `PartnerApplication` and `UploadFile` models.
2. Add public partner apply API and website form.
3. Add dashboard review/approve/reject flow.
4. Approval creates Business, owner User, membership, audit log.

### Slice 3: Commerce Completion

1. Add order item integrity for food/pharmacy/grocery/SIM.
2. Complete booking quote/create/payment lifecycle.
3. Add provider/admin status transitions and audit.
4. Complete refund state machine and dashboard actions.

### Slice 4: Provider Operations

1. Provider listing CRUD.
2. Provider order and booking queues.
3. Staff and driver assigned scopes.
4. Provider reports and settlement visibility.

### Slice 5: Content and Marketing Control

1. Admin CRUD for home banners, onboarding, emergency, marketing pages.
2. Website fetches content from API or controlled repo JSON.
3. Mobile home/onboarding uses API-backed content.

### Slice 6: AI, Translator, Notifications

1. Queue trip generation.
2. Add provider abstraction, quota, deterministic fallback.
3. Add translator OCR/private upload.
4. Add push notification registration and delivery.

## Tickets To Create Next

| Ticket | Owner | Acceptance criteria |
|---|---|---|
| Add partner application model/API | Backend | Public apply creates `PartnerApplication`; admin review list reads it |
| Build website partner apply form | Website | EN/AR form posts to API; success/error states |
| Add upload file abstraction | Backend/Security | Signed private upload, no public prescription/KYB URLs |
| Add OrderItem model and order endpoints | Backend | Order create persists line items and totals; provider/admin scoped reads |
| Complete provider listing write APIs | Backend | Partner owner can create/update own listing; admin can approve/publish |
| Add dashboard order operations page | Dashboard | Admin/provider sees live orders and can update allowed statuses |
| Complete payment webhook handling | Backend/DevOps | Sandbox payment confirms booking and writes audit |
| Add dashboard role assignment | Dashboard/API | Super Admin assigns role/permissions with audit |
| Add content management write APIs | Backend/Dashboard | Home/onboarding/emergency edits reflect in mobile/API |
| Add mobile release QA checklist execution | QA/Release | Real iOS/Android screenshots, auth, save, booking, trip, translator smoke |

## Go/No-Go Recommendation

No-go for public production launch.

Conditional go for controlled CEO/investor demo if:

1. Demo environment is clearly labeled.
2. Payment flows are described as sandbox or not enabled.
3. Provider operations are described as foundation/partial unless completing the P0 slices.
4. Mobile APK/TestFlight uses a reachable API and not a local-only URL for external testers.
5. Dashboard analytics/control tower are shown as real operational foundation, not complete marketplace operations.

## Audit Branch Rules Followed

- Created documentation only under `docs/audit/`.
- Did not edit API, dashboard, mobile, website, schema, or shared package code.
- Did not restore or mix the unrelated pre-existing working tree changes.