# Navi Foundation Progress - 2026-05-04

## Completed Locally By Codex

- Initialized a local git repository on branch `main` so `git status` works.
- Added application-boundary ADR: `docs/architecture/27-application-boundaries.md`.
- Added initial Prisma migration: `apps/api/prisma/migrations/20260504190000_init/migration.sql`.
- Added `prisma:migrate:deploy` script for deployment use.
- Added API DTO mappers for money, users, listings, rooms, bookings, trips, payments, and refunds.
- Mapped public listing, booking, trip, payment, and refund responses away from raw Prisma shapes.
- Added OTP request/verify and password-reset API contracts.
- Added mobile OTP verification, reset-password route, and dev-code display for local console provider builds.
- Added mobile access-token refresh retry and session token update.
- Added missing mobile settings routes: notifications, payment methods, and security.
- Added server-owned payment intent amount calculation from booking totals.
- Added refund validation and payment ownership checks.
- Replaced in-memory idempotency with Postgres-backed `IdempotencyRecord` persistence.
- Added raw-body capture for webhook routes and persisted valid webhook events.
- Tightened production environment validation for secrets, providers, and CORS.
- Removed JWT fallback registration from `AuthModule`.
- Added dashboard server API helper, route permission map, deny state, memberships route, and API-backed core pages.
- Added website `sitemap.ts`, `robots.ts`, metadata, and non-placeholder bilingual privacy/terms copy.
- Added route audit script and `pnpm audit:routes`.
- Updated CI to run Postgres, Redis, Prisma migrations, seed, route audit, typecheck, lint, test, and build.
- Added mobile EAS build config: `apps/mobile/eas.json`.
- Added release, staging, mobile release, and staging environment docs.

## Verified Locally

- `./bin/bootstrap.sh` passes.
- `pnpm audit:routes` passes.
- Typecheck, lint, test, and build pass through bootstrap.
- API tests pass: 3 suites, 16 tests.

## Still Requires User Input Or External Access

- Choose whether this local repository should be the repo of record, then provide or approve the Git remote.
- Commit and push once the repo/remote decision is made.
- Provide Apple Developer, Google Play, and Expo/EAS access for real mobile builds/submission.
- Provide staging/production hosting targets and a managed secret store.
- Choose real payment, email, SMS, OCR, AI, translation, and storage providers.
- Provide provider credentials and webhook secrets.
- Legal counsel must approve final privacy policy, terms, refund/cancellation policy, and partner agreements.
- Provide production domains and final app identifiers/package names.

## Remaining Technical Work For Next Slice

- Add DB-backed request-level tests for OTP, reset password, idempotency, webhooks, payments, refunds, and dashboard permissions.
- Replace remaining dashboard placeholder pages with full workflows.
- Connect a real payment provider sandbox.
- Add monitoring, backups, and rollback drill once hosting is selected.
- Add Playwright/mobile automation beyond the current route audit.
