Arete

Unified MSP Operations & Intelligence Platform — AI Generation Blueprint
Foundation: Existing Arete Codebase
Tech Stack: Fastify + React 19 + Prisma + PostgreSQL
Modules: 75 Feature Modules
Connectors: 50+ API Integrations
Platforms: Web + iOS
Status: Blueprint v3.0 — 2026-02-16

Platform Overview

Arete consolidates 80+ standalone MSP tools into a single platform. It extends an existing codebase that already has 43 backend modules, 107 Prisma models, 695 tests, and a universal connector system. The platform is designed for internal MSP use with future multi-MSP productization in mind. The web app and the iOS companion app both provide full feature parity across all 75 modules (81 module IDs defined, 6 consolidated into parent modules).

What This Blueprint Is

A complete specification document for AI-assisted code generation. Every module, data model, API endpoint pattern, and UI component is described in enough detail for an AI to generate the implementation. Existing code references are provided for reuse wherever possible.

Key Decisions

| Decision | Choice | Rationale |
|---|---|---|
| Foundation | Extend Arete (C:\GIT\Arete) | 43 modules, connector system, auth, RBAC already built |
| Frontend | React 19 + Vite + TailwindCSS | Already configured in Arete with Radix UI, TanStack |
| Backend | Fastify 4 + TypeScript | Existing, performant, OpenAPI support |
| Database | PostgreSQL + Prisma | Existing 40+ model schema, excellent migration tooling |
| Auth | Zitadel SSO + JWT | Already integrated, supports multi-tenant RBAC |
| iOS | React Native (recommended) | Share TypeScript types/logic with web, faster to build |
| Theme | Dark mode default | Professional consultancy aesthetic, toggle to light |

Architecture

```mermaid
graph TB
  subgraph "Client Layer"
    WEB[React 19 SPA<br/>TailwindCSS + Radix UI]
    IOS[React Native<br/>iOS Companion]
  end
  subgraph "API Layer"
    GW[Fastify 4 Gateway<br/>OpenAPI + JWT Auth]
    WS[WebSocket Server<br/>Real-time Updates]
  end
  subgraph "Service Layer"
    AUTH[Auth Service<br/>Zitadel SSO + RBAC]
    MOD[75 Feature Modules<br/>Service + Routes + Types]
    CONN[Connector Engine<br/>BaseConnector + Registry]
    SYNC[Sync Worker<br/>BullMQ Job Queue]
    RPT[Report Engine<br/>PDF + Excel Generation]
  end
  subgraph "Data Layer"
    PG[(PostgreSQL<br/>Prisma ORM)]
    REDIS[(Redis<br/>Cache + Queue)]
    PGVEC[(pgvector<br/>Embeddings)]
  end
  subgraph "External APIs"
    CW[ConnectWise]
    NINJA[NinjaOne]
    AFI[AFI.AI]
    MS[Microsoft Graph]
    CF[Cloudflare]
    TEN[Tenable]
    SOPH[Sophos]
    AZURE[Azure Cost Mgmt]
    AWS[AWS Cost Explorer]
    AI[Claude/OpenAI]
    NINJA2[Backup Radar]
    SCALE[ScalePad]
    PARTNER[Partner Center]
    TWIL[Twilio/SMS]
    SHODAN[Shodan/Censys]
    MORE[+30 More...]
  end
  WEB --> GW
  IOS --> GW
  GW --> AUTH
  GW --> MOD
  GW --> WS
  MOD --> CONN
  CONN --> SYNC
  SYNC --> REDIS
  MOD --> PG
  MOD --> REDIS
  MOD --> PGVEC
  MOD --> RPT
  CONN --> CW
  CONN --> NINJA
  CONN --> AFI
  CONN --> MS
  CONN --> CF
  CONN --> TEN
  CONN --> SOPH
  CONN --> AZURE
  CONN --> AWS
  CONN --> AI
  CONN --> NINJA2
  CONN --> SCALE
  CONN --> PARTNER
  CONN --> TWIL
  CONN --> SHODAN
  CONN --> MORE
```

Existing Arete Architecture (What's Already Built)

| Component | Status | Details |
|---|---|---|
| Fastify server + route registration | Built | 43 module routes, health/ready endpoints, graceful shutdown |
| Auth (JWT + MFA + RBAC) | Built | 4 roles (super_admin, admin, operator, viewer), API key scopes |
| Prisma schema (40+ models) | Built | 3,124 lines — domains, monitors, status pages, secrets, SMS, PBX, M365, etc. |
| App Registry + BaseConnector | Built | 454-line abstract class with health, sync, rate limiting, pagination |
| React 19 frontend | Built | Vite + TailwindCSS + Radix UI + TanStack Query/Table + Zustand |
| Core infrastructure | Built | Logger (Pino), encryption (AES-256-GCM), cache, write batcher, error hierarchy |
| Docker deployment | Built | Traefik reverse proxy, health checks, K8s helm charts |
| Test suite | Built | 695 tests (Vitest + Supertest + Playwright) |

Current State Audit: What Exists

The Arete codebase is a mature, production-grade backend with significant existing infrastructure. This section documents what's already built so an AI generator knows what to extend vs build from scratch.

Foundation (Already Production-Ready)

| Component | Metric | Details |
|---|---|---|
| Prisma Models | 107 models | Domains, monitors, alerts, M365, PBX, DNS zones, bookings, dark web, secrets, SMS, etc. |
| Backend Modules | 44 modules | 40 with full route registration, 35+ with real service implementations (not scaffolding) |
| API Routes | 40 registered | All mounted in Fastify server with OpenAPI support |
| BullMQ Workers | 11 queues | Monitors, dossier, dark web, reports, notifications, 5x space-booking queues |
| Auth System | Production-grade | JWT + API keys (ak_live_*) + MFA + RBAC (4 roles) + token blacklisting via Redis |
| Core Infrastructure | 7 core modules | Redis cache with TTL, AES-256-GCM encryption, Pino logger, write batcher, error hierarchy, security headers |
| Test Suite | 695 tests | Vitest + Supertest + Playwright |
| Deployment | Docker + Traefik | docker-compose.prod.yml, health checks, graceful shutdown, K8s helm charts |

Frontend State

| Component | Status | Details |
|---|---|---|
| UI Component Library | 23 components | shadcn/ui: Button, Card, Dialog, Dropdown, Table, Tabs, Toast, Badge, Input, etc. |
| API Client | Built | Axios with JWT refresh, interceptors, auto-retry on 401, generic CRUD methods |
| State Management | Built | Zustand stores + TanStack Query (server state) + React Hook Form + Zod |
| Layout System | Built | AppLayout with sidebar, header, responsive design |
| Auth Pages | Production | Login, Register, MFA setup/verify — polished with animations |
| Dashboard | Production | 4 stat cards, monitor status, recent alerts, expiry widgets |
| Analytics | Production | 4-tab backup analytics: Overview, Compliance, Timeline, Resources. Export CSV/JSON |
| Domains CRUD | Production | Add/delete/search domains, verification badges, expiry warnings |
| Monitors CRUD | Production | HTTP/TCP/DNS/SSL types, pause/resume, status filtering |
| Secrets CRUD | Production | Password pusher with reveal/hide, copy, last-accessed tracking |
| DNS / SSL / Status Pages / Alerting | Stubs | Basic layout and query structure only — no business logic or CRUD |
| Remaining 34 modules | Not Built | No frontend components exist for most backend modules |

Critical Gap: Zero Connector Implementations

The BaseConnector abstract class (454 lines) and AppDefinition registry pattern are fully built and ready to use. However, no concrete vendor connectors have been implemented yet. The blueprint requires 21+ connectors (ConnectWise, NinjaOne, AFI, Datto, Veeam, Tenable, Sophos, etc.) — all need to be built from scratch extending BaseConnector.

Per-Module Status Matrix

For each blueprint module: what exists, what's needed, and the build effort.

| Module | Backend | Frontend | Connectors | Effort |
|---|---|---|---|---|
| M1: Executive Dashboard | Partial | Basic page | N/A | Extend — aggregate KPIs from all modules |
| M2: Backup Intelligence | None | Analytics tab | AFI + Datto + Veeam | New — connectors + service + full UI |
| M3: Security Posture | breach-scanner exists | None | Tenable + Sophos + 3 more | New — aggregation layer + 5 connectors |
| M4: Email Security | None | None | N/A (DNS lookups) | New — port 8 PS validators to TS |
| M5: Domain Management | domains module | CRUD page | Namecheap partial | Extend — add WHOIS monitoring, CT logs, TLD pricing |
| M6: Uptime Monitoring | monitors module (691-line stats) | CRUD page | N/A (direct probes) | Extend — add TCP/DNS/ICMP probes, maintenance windows |
| M7: Ticket Intelligence | None | None | ConnectWise | New — AI triage, semantic search, connector |
| M8: Asset & License | license-optimizer | None | CW + NinjaOne | Extend — device inventory, compliance tracking |
| M9: M365 Management | m365-audit module | None | Graph API + Partner Center | Extend — add CIPP features, user mgmt, CA policies |
| M10: Reporting Engine | Worker queue (placeholder) | None | N/A | New — PDF/Excel generation, templates, scheduling |
| M11: IT Tools | dns + ssl + files modules | DNS/SSL stubs | SecurityTrails, crt.sh, MaxMind | Extend — 45+ tools: network diagnostics, security analysis, dev/admin utilities, PDF/doc tools |
| M12: CW Email Audit | None | None | ConnectWise | New — port PS framework to TS |
| M13: Infrastructure | None | None | Docker API | New — port standalone HTML to React |
| M14: Breach Intel | breach-scanner + darkweb | None | HIBP partial | Extend — add CT logs, typosquatting |
| M15: Vault Analysis | vault-manager | None | Client-side | Extend — port Argus D3.js viz to React |
| M16: Backup Catalog | None | None | Kopia + PBS | New — cross-vendor backup metadata |
| M17: NinjaOne Suite | None | None | NinjaOne | New — reboot automation UI |
| M18: API Hub | None | None | N/A | New — markdown renderer + endpoint tester |
| M19: Client Onboarding | None | None | All modules | New |
| M20: Compliance Tracker | None | None | M3 + M4 + M9 | New |
| M21: Playbooks | None | None | All modules | New — flow builder + trigger engine |
| M22: Profitability | None | None | ConnectWise | New — financial analysis |
| M23: Patch Management | None | None | NinjaOne + CW Automate | New |
| M24: DR Testing | None | None | Datto + Veeam | New |
| M25: Change Management | None | None | N/A | New |
| M26: AI Copilot | None | None | Claude/OpenAI | New — function calling + RAG |
| M27: Client Portal | None | None | N/A | New — separate auth realm + branding |
| M28: Network Discovery | None | None | NinjaOne + SNMP | New — D3.js topology viz |
| M29: Cloud Cost | None | None | Azure + AWS | New |
| M30: Space & Parking | Full (752-line svc) | None | N/A (built-in) | Frontend only — backend 100% complete |
| M31: Procurement | None | None | QuoteWerks + Distis | New |
| M32: QBR Generator | None | None | All modules | New — cross-module aggregation |
| M33: Vendor Hub | None | None | N/A | New |
| M34: Training Tracker | None | None | N/A | New |
| M35: Warranty/ScalePad | None | None | ScalePad | New |
| M36: SharePoint Builder | None | None | Graph API | New |
| M37: Intune/M365 Config | None | None | Intune + Graph | New — config export/import/drift |
| M38: IPAM | None | None | N/A | New — NetBox-style |
| M39: DNS Operations | None | None | Cloudflare | New — extends M4/M5 |
| M40: Documentation Engine | None | None | BookStack | New |
| M41: Alert Correlation | None | None | All modules | New — cross-module AI |
| M42: Integration Health | None | None | All connectors | New |
| M43: DevOps/CI | None | None | GitHub + Trivy | New |
| M44: Website Tracker | website-audit exists | None | Playwright | Extend — add visual diff |
| M45: Contracts/SLA | None | None | CW Manage | New |
| M46: Client Comms | None | None | M365 | New |
| M47: Dispatch | None | None | CW Time | New |
| M48: Pw Rotation | None | None | AD + M365 + LAPS | New |
| M49: Runbooks | None | None | BookStack | New |
| M50: Endpoint Compliance | None | None | NinjaOne + Intune | New |
| M51: Custom Dashboards | None | None | All modules | New — widget engine |
| M52: Notifications | alerting module | None | Twilio + Slack + Teams | Extend — centralized hub |
| M53: Audit Log | None | None | N/A | New — immutable append-only |
| M54: Attack Surface | None | None | Shodan + Censys | New |
| M55: Phishing Sim | None | None | Sophos + M365 + usecure | New |
| M56: Post-Mortem | None | None | N/A | New |
| M57: Billing Recon | None | None | CW + NinjaOne | New |
| M58: Data Migration | None | None | IT Glue + Hudu + 6 more | New |
| M59: AI Email | None | None | Claude + Graph API | New |
| M60: Timesheets | None | None | 10+ sources | New — multi-source aggregation |
| M61: CVE/ISM Feed | None | None | NVD + CISA KEV | New |
| M62: Firmware CVE | None | None | Vendor PSIRTs | New — multi-vendor firmware |
| M63: Health Score | None | None | All modules | New — composite scoring |
| M64: Capacity Planning | None | None | NinjaOne + Azure | New |
| M65: BI Warehouse | None | None | All modules | New — analytics engine |
| M66: CSAT/NPS | None | None | N/A | New |
| M67: Cyber Insurance | None | None | All security modules | New |
| M68: Offboarding | None | None | All modules | New |
| M69: Backup Testing | None | None | Datto + Veeam + AFI | New |
| M70: Remote Sessions | rustdesk module | None | NinjaOne + VPN APIs | Extend |
| M71: IoT/Peripherals | None | None | SNMP | New |
| M72: Multi-Cloud | None | None | Azure + AWS + GCP | New — extends M29 |
| M73: MS Partner | None | None | Partner Center + Graph | New |
| M74: Auto Diagrams | network-architect | None | All data sources | Extend — add live data feeds |
| M75: Vaultwarden | None | None | Vaultwarden API | New — extends M15 |
| M76: Email Infra | None | None | Spamhaus + DNS | New — extends M4 |
| M77: WordPress/CMS | None | None | WPScan | New |
| M78: Vendor Risk | None | None | UpGuard-style | New |
| M79: SMS | sms-gateway module | None | Twilio + MessageMedia | Extend — add templates + automation |
| M80: Secure Sharing | secrets module | secrets page | N/A | Extend — add file sharing + ephemeral |
| M81: Platform Status | None | None | All internal | New — health + status page |

Existing Modules NOT in Blueprint

These modules exist in the Arete codebase but were not part of the blueprint's original scope. Several have since been mapped to blueprint modules in the status matrix above (space-booking is M30, rustdesk feeds M70, network-architect feeds M74, sms-gateway feeds M79); the rest can be left as-is or deprecated.

| Module | Purpose | Status |
|---|---|---|
| pbx | Full VoIP/PBX system (extensions, DIDs, IVR, queues, call records) | Production-grade, 8+ models |
| space-booking | Desk/room/parking booking with approval workflows | Production-grade, 752-line service, 5 BullMQ workers — Now M30 |
| vanity-dns | Vanity DNS with Cloudflare integration, multi-registrar provisioning | Enterprise-grade, 10+ models |
| aussie-donations | ShoutMeAColdie donation platform (creators, goals, subscriptions) | Complete |
| sms-gateway | SMS messaging (messages, templates, auto-responses, providers) | Complete |
| rustdesk | RustDesk remote desktop management | Complete |
| docker-lab | Ephemeral Docker test environments | Complete |
| network-architect | Network design tool (projects, exports, vendor configs) | Complete |
| fuel-tool | Fuel price tracking | Standalone tool |
| server-inventory | Server inventory (providers, locations, SSH keys) | Complete |
| dossier | Domain dossier generation | Complete (overlaps M5) |
| company-intel | Company intelligence gathering | Complete |
| website-audit | Website auditing with scheduling | Complete |
| load-testing | Load testing scenarios and runs | Complete |
| architecture-audit | Architecture auditing | Complete |

Overall Readiness Summary

  • Core Infrastructure: ~95%
  • Auth / RBAC: 100%
  • Blueprint Modules (backend): ~15%
  • Blueprint Modules (frontend): ~7%
  • API Connectors: ~2% (0/46 built)
  • Overall Blueprint Coverage: ~12-15%

Module Inventory: 75 Modules (6 Consolidated)

Each module follows the Arete pattern: src/modules/{name}/ with index.ts, routes.ts, service.ts, types.ts. Frontend features at src/frontend/src/features/{name}/. iOS companion app provides feature parity with adaptive mobile layouts.

| Module | Description | Sources / Tags |
|---|---|---|
| M1: Executive Dashboard | Single-pane-of-glass KPIs across all modules | New Frontend, All Module APIs |
| M2: Backup Intelligence | Multi-vendor backup compliance monitoring | AFI, Datto, Veeam, afi-bandaid |
| M3: Security Posture | Unified vulnerability & threat visibility | Tenable, Sophos, Huntress, SentinelOne |
| M4: Email Security | SPF/DKIM/DMARC monitoring, flattening, DMARC reports | DNS, Cloudflare, Test-EmailAuth.ps1, SPF Flatten |
| M5: Domain Management | Multi-registrar, WHOIS, certs, TLD pricing | Namecheap, Cloudflare, WHOIS, CT Logs, TLD Pricing |
| M6: Uptime Monitoring | HTTP/TCP/DNS monitoring with incidents | Arete monitors, Arete status-pages, Arete alerting |
| M7: Ticket Intelligence | AI triage, semantic search, analytics | ConnectWise, cw-triage-dashboard, knowledge-db |
| M8: Asset & License | Hardware inventory, license compliance | ConnectWise, NinjaOne, license-platform-worker |
| M9: M365 Management | CIPP-style tenant management | Graph API, Partner Center, CIPP fork |
| M10: Reporting Engine | PDF/Excel generation, scheduling, white-label | jsPDF, Puppeteer, ExcelJS |
| M11: IT Tools | 45+ network, security, developer & admin utilities | Network, Security, Formatters, Speed Test |
| M12: CW Email Audit | Deep-dive email investigation from PSA tickets | ConnectWise, connectwise-email-audit |
| M13: Infrastructure | Service inventory and health overview | infrastructure-audit.html, Docker API |
| M14: Breach Intel | Dark web monitoring, credential leaks, CT logs | HIBP, Arete breach-scanner, breach-intel repo |
| M15: Vault Analysis | Password health & security posture | Argus (SvelteKit), Port to React |
| M16: Backup Catalog | Cross-vendor backup metadata | /opt/backup-catalog, Kopia, PBS |
| M17: NinjaOne Suite | Reboot automation management | NinjaOne, 6 PS scripts |
| M18: API Hub | Searchable API docs with try-it-now | 10 API docs, Endpoint Tester |
| M19: Client Onboarding | Guided wizard for new client setup | Wizard UI, Auto-provision, Templates |
| M20: Compliance Tracker | Essential Eight, CIS, NIST, ISO 27001 mapping | Frameworks, Auto-evidence, Gap Analysis |
| M21: Playbooks | Automated remediation & response workflows | Flow Builder, Triggers, SLA Timers |
| M22: Profitability | Per-client & per-service financial analysis | ConnectWise, Margins, MRR Trends |
| M23: Patch Management | OS & third-party patch compliance | NinjaOne, CW Automate, Patch Rings |
| M24: DR Testing | Backup restore verification & DR runbooks | Datto, Veeam, Screenshot Verify |
| M25: Change Management | RFC workflow, CAB approval, change calendar | RFC, Risk Matrix, CAB Workflow |
| M26: AI Copilot | Natural language query across all platform data | Chat UI, Claude/OpenAI, Actions |
| M27: Client Portal | White-labeled client-facing dashboard | Branding, Self-service, CSAT/NPS |
| M28: Network Discovery | Automated topology mapping & device inventory | NinjaOne, SNMP, D3.js Topology |
| M29: Cloud Cost | Multi-cloud spending optimization | Azure, AWS, License Optimization |
| M30: Space & Parking | Desk/room/parking booking with approvals | Already Built, 60+ endpoints, 5 BullMQ workers |
| M31: Procurement & Stock | Product lookup, PO tracking, distributor pricing | QuoteWerks, CW Sell, Dicker Data |
| M32: QBR Generator | Auto-generate quarterly business reviews | PDF/Presentation, AI Insights, All Modules |
| M33: Vendor Hub | Vendor/distributor relationship management | Contracts, Pricing Tiers, Expiry Alerts |
| M34: Training Tracker | Technician certifications & CPD tracking | Cert Expiry, Skills Matrix, CPD Hours |
| M35: Warranty Lifecycle | Hardware warranty & EOL tracking via ScalePad | ScalePad, EOL/EOS, Replacement Planning |
| M36: SharePoint Builder | Auto-generate folder structures & templates | Graph API, Templates, Bulk Provision |
| M37: Intune/M365 Config | Export, import, drift detection, design review | Intune, Config Drift, Maester.dev |
| M38: IPAM | IP address management (NetBox-style) | Subnets, VLAN, Conflict Detection |
| M39: DNS Operations | A/B testing, auto-rollback, propagation monitoring | Cloudflare, Staging Pipeline, Auto-rollback |
| M40: Documentation Engine | Auto-generate docs, BookStack sync, freshness scoring | BookStack, Auto-generate, Stale Detection |
| M41: Alert Correlation | Cross-module alert intelligence & deduplication | Pattern Detection, Root Cause, Escalation |
| M42: Integration Health | Monitor all 50+ API connections in one dashboard | Auth Alerts, Rate Limits, Sync Status |
| M43: DevOps & CI | YAML pipelines, vulnerability scanning, repo management | GitHub, Trivy, Terraform |
| M44: Website Change Tracker | Visual & content change detection with Playwright | Playwright, DOM Diff, Screenshot History |
| M45: Contract & SLA | Service agreements, SLA tracking, digital signing | Lifecycle, Revenue Forecast, Auto-alert |
| M46: Client Comms | Unified client touchpoint timeline | Timeline, Action Items, M365 |
| M47: Dispatch & Scheduling | Field tech scheduling with calendar & time tracking | Calendar, Travel Time, CW Time |
| M48: Password Rotation | Automated service account password rotation | AD, M365, LAPS-style |
| M49: Runbook Library | Step-by-step operational guides & decision trees | Flowcharts, BookStack, Versioned |
| M50: Endpoint Compliance | Per-device compliance scoring (BitLocker, AV, FW) | NinjaOne, Intune, Auto-remediate |
| M51: Custom Dashboards | Drag-and-drop widget builder from any module | Widgets, WebSocket, Embeddable |
| M52: Notification Center | Per-user channel preferences, quiet hours, digest | Email, SMS, Slack, Teams |
| M53: Platform Audit Log | Immutable who-did-what log (SOC2/ISO) | SOC2, ISO 27001, SIEM Export |
| M54: Attack Surface | External asset discovery & risk scoring | Shodan, Censys, SSL Grade |
| M55: Phishing Simulation | Campaign management + Sophos/M365/usecure sync | Sophos, M365, usecure |
| M56: Incident Post-Mortem | 5 Whys, timeline builder, lessons learned | Templates, Action Items, Patterns |
| M57: Billing Reconciliation | Revenue leakage detection & device count sync | CW Manage, NinjaOne, Discrepancies |
| M58: Data Migration Hub | Import from IT Glue, Hudu, ITFlow, NetBox, Wiki.js | Field Mapping, Validation, Rollback |
| M59: AI Email Drafts | Generate client-facing emails from context | Claude/OpenAI, Graph API, Tone Presets |
| M60: Timesheet Generator | Auto-generate timesheets from 10+ activity sources | Slack, NinjaOne, 3CX, M365 |
| M61: Security Alert Feed | CVE, ISM, Essential Eight, PSPF, ASD alerts | NVD/MITRE, CISA KEV, AI Summary |
| M62: Firmware Tracker | Multi-vendor firmware CVEs & patch urgency | WatchGuard, Fortinet, Cisco, Ubiquiti |
| M63: Client Health Score | Composite 0-100 score from all modules | Traffic Light, Drill-down, Trending |
| M64: Capacity Planning | Storage, bandwidth, license growth forecasting | NinjaOne, Azure, Predictions |
| M65: BI Warehouse | Advanced analytics, query builder, cross-module insights | SQL Builder, Pivot Tables, Scheduled |
| M66: CSAT / NPS | Post-ticket satisfaction & NPS scoring | Surveys, Per-tech Ratings, Follow-up |
| M67: Cyber Insurance | Pre-fill questionnaires with real platform data | Evidence, Gap Analysis, Readiness Report |
| M68: Client Offboarding | Structured offboarding checklist & data export | Compliance, Data Retention, Sign-off |
| M69: Backup Testing | Automated restore tests & integrity verification | Datto, Veeam, AFI |
| M70: Remote Sessions | Centralized remote access session management | RDP, TeamViewer, NinjaOne |
| M71: IoT & Peripherals | Printers, cameras, UPS, environmental sensors | SNMP, Toner Levels, UPS Health |
| M72: Multi-Cloud Ops | Unified AWS + Azure + GCP management | Azure, AWS, GCP |
| M73: MS Partner Manager | CSP/GDAP, solutions partner, license optimization | Partner Center, GDAP, Designations |
| M74: Auto Diagrams | Always up-to-date infrastructure diagrams from live data | D3.js, Mermaid, Auto-refresh |
| M75: Vaultwarden | Self-hosted Bitwarden password vault integration | Vaultwarden, HIBP Check, Collections |
| M76: Email Infrastructure | SMTP testing, blacklist monitoring, DNS zone watch | Spamhaus, STARTTLS, DNSSEC |
| M77: WordPress/CMS Monitor | WordPress vuln scanning & page change detection | WPScan, Plugin Audit, Defacement |
| M78: Vendor Risk | Third-party security risk scoring (UpGuard-style) | Questionnaires, Risk Matrix, APRA CPS 234 |
| M79: SMS Automation | SMS notifications, templates, two-way messaging | Twilio, MessageMedia, Bulk SMS |
| M80: Secure Sharing | PwPush-style ephemeral password & file sharing | Time-limited, E2E Encrypted, Audit Trail |
| M81: Platform Status Page | Health monitor for APIs, K8s, DB, and all modules | Per-module Health, Uptime History, Branded |
MODULE M1: Executive Dashboard (New Frontend)

Unified home screen with KPI cards pulling real-time data from all other modules. The first thing users see after login.

KPI Cards (Top Row)

  • Backup Compliance: % of resources with successful backup in last 24h (from M2)
  • Security Score: Composite 0-100 across all security modules (from M3, M4, M14)
  • Open Tickets: Count + trend sparkline, broken by priority (from M7)
  • Domain Health: % of domains passing all email auth checks (from M4, M5)
  • Uptime: Overall SLA % across all monitors (from M6)
  • License Compliance: Over/under-licensed count (from M8)

Widgets (Body)

  • Alert feed: Real-time stream of events from all modules (WebSocket)
  • Client health heatmap: Grid of clients x health dimensions, color-coded
  • Quick actions: Common tasks (acknowledge alert, approve triage, run audit)
  • Trend charts: 30-day sparklines for key metrics

API Pattern

GET /api/v1/dashboard/kpis          -> { backup: 98.5, security: 82, tickets: 47, ... }
GET /api/v1/dashboard/alerts?limit=20 -> AlertFeedItem[]
GET /api/v1/dashboard/health-matrix   -> { clients: [{name, scores: {backup, security, ...}}] }
MODULE M2: Backup Intelligence (Extend + New Connectors)

Multi-vendor backup compliance monitoring. Consolidates AFI.AI, Datto, and Veeam data into unified dashboards with SLA tracking and compliance reporting.

Features

  • 90-day compliance grid: Per-resource daily backup status (green/red cells). Reuse grid component from C:\GIT\afi-bandaid
  • SLA scorecard: RPO/RTO tracking per resource, highlight violations
  • Protection gap detection: Resources with no backup configured
  • Duration trends: Chart.js line chart showing backup duration over time
  • Failure analysis: Group failures by error type, show frequency
  • Export: 6 formats (PDF, CSV, Excel, Executive 2-sheet, Technical 10-sheet, Compliance). Reuse export logic from afi-bandaid
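The compliance grid, protection-gap and RPO checks described in the feature list, as an added example in the project's TypeScript (not code from Arete, afi-bandaid or the blueprint). The Resource and BackupRun types, the helper names and the seven-day sample data are this example's own constructions; in Arete the runs would be normalised from the AFI, Datto and Veeam connectors.

```typescript
// Added example (not Arete code): compliance grid, protection-gap and RPO checks
// computed from a flat list of backup runs. Types and sample data are constructed.

interface Resource { id: string; rpoHours: number }
interface BackupRun { resourceId: string; finishedAt: string; success: boolean }
type Cell = "ok" | "failed" | "none";

interface ComplianceReport {
  grid: Record<string, Cell[]>;                         // one cell per UTC day, oldest first
  unprotected: string[];                                // resources with no runs at all in the window
  rpoViolations: { resourceId: string; gapHours: number }[];
  compliancePct: number;                                // % of resources with a success in the last 24h
}

const HOUR = 3600000;
const DAY = 24 * HOUR;

function complianceReport(resources: Resource[], runs: BackupRun[], windowEnd: Date, days: number): ComplianceReport {
  const end = windowEnd.getTime();
  const start = end - days * DAY;
  const grid: Record<string, Cell[]> = {};
  const unprotected: string[] = [];
  const rpoViolations: ComplianceReport["rpoViolations"] = [];
  let compliant = 0;

  for (const r of resources) {
    const mine = runs
      .filter((x) => x.resourceId === r.id)
      .map((x) => ({ t: Date.parse(x.finishedAt), ok: x.success }))
      .filter((x) => x.t >= start && x.t < end)
      .sort((a, b) => a.t - b.t);

    // A day is "ok" if any run succeeded, "failed" if runs exist but none succeeded.
    grid[r.id] = Array.from({ length: days }, (_, i): Cell => {
      const dayStart = start + i * DAY;
      const inDay = mine.filter((x) => x.t >= dayStart && x.t < dayStart + DAY);
      if (inDay.length === 0) return "none";
      return inDay.some((x) => x.ok) ? "ok" : "failed";
    });

    if (mine.length === 0) unprotected.push(r.id);

    // Longest stretch without a successful backup, measured across the whole window,
    // so a resource with no successes shows a gap equal to the window length.
    let prev = start;
    let maxGap = 0;
    for (const x of mine) {
      if (!x.ok) continue;
      maxGap = Math.max(maxGap, x.t - prev);
      prev = x.t;
    }
    maxGap = Math.max(maxGap, end - prev);
    if (maxGap / HOUR > r.rpoHours) rpoViolations.push({ resourceId: r.id, gapHours: maxGap / HOUR });

    if (mine.some((x) => x.ok && x.t >= end - DAY)) compliant++;
  }

  const compliancePct = resources.length === 0 ? 0 : Math.round((compliant / resources.length) * 1000) / 10;
  return { grid, unprotected, rpoViolations, compliancePct };
}

// Constructed sample: a seven-day window ending 2026-02-16T00:00Z.
const sampleResources: Resource[] = [
  { id: "vm-01", rpoHours: 24 },
  { id: "vm-02", rpoHours: 24 },
  { id: "db-01", rpoHours: 12 },   // in the policy but never backed up: protection gap
];
const sampleRuns: BackupRun[] = [];
for (let d = 9; d <= 15; d++) {
  sampleRuns.push({ resourceId: "vm-01", finishedAt: `2026-02-${String(d).padStart(2, "0")}T02:00:00Z`, success: true });
}
sampleRuns.push(
  { resourceId: "vm-02", finishedAt: "2026-02-09T02:00:00Z", success: true },
  { resourceId: "vm-02", finishedAt: "2026-02-10T02:00:00Z", success: true },
  { resourceId: "vm-02", finishedAt: "2026-02-11T02:00:00Z", success: true },
  { resourceId: "vm-02", finishedAt: "2026-02-12T02:00:00Z", success: false },
  { resourceId: "vm-02", finishedAt: "2026-02-14T02:00:00Z", success: false },
  { resourceId: "vm-02", finishedAt: "2026-02-15T23:30:00Z", success: true },
);

function runSample(): ComplianceReport {
  return complianceReport(sampleResources, sampleRuns, new Date("2026-02-16T00:00:00Z"), 7);
}
```

On the sample, vm-02 renders as ok, ok, ok, failed, none, failed, ok and is an RPO violation (117.5 hours between successes against a 24-hour RPO) even though it counts as compliant for the 24-hour KPI, which is exactly why the scorecard and the KPI card must be read together; db-01 is reported as unprotected with a gap of the full 168-hour window.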

Connectors

| Vendor | API | Auth | Key Endpoints |
|---|---|---|---|
| AFI.AI | REST | OAuth2 | /tasks (with progress), /policies (with stats), /resources |
| Datto | REST | API Key | /bcdr/devices, /bcdr/snapshots, /saas/domains |
| Veeam | REST | OAuth2 | /v3/organizations, /v3/backupJobs, /v3/restorePoints |

Reuse Map

| Source | What | Port Effort |
|---|---|---|
| C:\GIT\afi-bandaid\src\ | ComplianceDashboard.vue, ProtectionTimeline.vue, AdvancedCharts.vue, export services | Vue 3 → React (component logic reusable, template syntax changes) |
| C:\Users\Tom\afi-internal-api\ | afi-auth.js, afi-client.js (OAuth flow, pagination) | Direct reuse in connector |
MODULE M4: Email Security & Authentication (New Module, port PS → TS)

Continuous monitoring of email authentication (SPF/DKIM/DMARC/MTA-STS/TLS-RPT/BIMI/DANE) across all domains, with auto-remediation capabilities including SPF flattening and DMARC aggregate report parsing.

Absorbs M12 (ConnectWise Email Audit): Adds an email investigation/audit tab for deep-dive email security investigation from PSA tickets. Port the existing 4-file PowerShell framework (cw-api-client, cw-data-parser, cw-investigator, html-generator) to a TypeScript connector + service layer.

Feature Details

  • Auth status grid: All domains as rows, auth mechanisms as columns, traffic light status cells. Click cell for details.
  • SPF auto-flattening: Recursively resolve include: (and redirect=) mechanisms → generate a flat IP-based record. Count every DNS-querying term (include, a, mx, ptr, exists, redirect) and warn when approaching the 10-lookup limit of RFC 7208 §4.6.4; void lookups (names returning no SPF record) are separately capped at 2. Warn when a single TXT string approaches 255 octets: longer records must be published as multiple strings, and the whole DNS response should stay within 512 octets to avoid UDP truncation. A flattened record goes stale the moment an upstream sender changes addresses, so re-flatten on a schedule and alert on diffs. As an alternative to flattening, generate an include:/redirect= pointing at an Arete-managed subdomain; a CNAME is not an option at the apex because it cannot coexist with the domain's other records.
  • DMARC aggregate reports: Accept XML RUA reports via email webhook or file upload. Parse into: source IP, org name, auth results (SPF/DKIM pass/fail counts), policy applied. Visualize as table + pie chart + timeline. Identify unauthorized senders (potential spoofing).
  • TLS-RPT monitoring: Parse JSON TLS failure reports. Track MTA-STS policy compliance rate. Alert on delivery failures caused by TLS enforcement.
  • BIMI validation: Check SVG logo URL reachability, validate VMC (Verified Mark Certificate) if present, preview brand indicator rendering.
  • DANE/TLSA: Monitor certificate fingerprints against published TLSA records. Alert when cert rotation breaks DANE. Auto-generate TLSA records from current certs, preferring the 3 1 1 form (DANE-EE pinning the SHA-256 of the SubjectPublicKeyInfo) so a renewal that keeps the same key pair leaves the record valid. Rotation order matters: publish the record for the new key next to the old one, wait at least the TLSA TTL, swap the certificate, then remove the old record.
  • Best practice scoring: Grade A-F per domain. A = all 8 mechanisms configured and valid. Weighted scoring (SPF/DKIM/DMARC = critical, rest = bonus).
  • Remediation wizard: For each failing check, show step-by-step fix. Auto-generate the DNS record value. One-click apply via Cloudflare API for managed domains.
  • DKIM rotation: Dual-selector strategy. Stage the new key on selector2 and publish its public key, validate that a test message signed with it passes, switch signing to the new selector, and leave the old selector published until mail signed with it has stopped appearing in DMARC aggregate reports; only then revoke it by publishing an empty key (p=). Zero-downtime rollover.
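The include: resolution and lookup accounting that the SPF auto-flattening item describes, as an added example in the project's TypeScript (not code from Arete, the PowerShell scripts or the blueprint). It assumes an injected TXT resolver so the code runs offline against a constructed table of records; in Arete the resolver would wrap dns.promises.resolveTxt and the function would become async. The names flattenSpf, splitTxt and the fixture zones are this example's own.

```typescript
// Added example (not Arete code): recursive SPF flattening with RFC 7208 lookup
// accounting. The resolver is injected so the example runs offline against a
// constructed TXT table; production would wrap dns.promises.resolveTxt.

type TxtResolver = (name: string) => string[] | undefined;

interface FlattenResult {
  record: string;        // flattened "v=spf1 ..." record
  strings: string[];     // the record split into <=255-octet TXT strings
  lookups: number;       // DNS-querying terms seen (RFC 7208 §4.6.4 limit: 10)
  voidLookups: number;   // referenced names that returned no SPF record (limit: 2)
  overLimit: boolean;
  unresolved: string[];  // a/mx/ptr/exists terms kept verbatim (they need address resolution)
}

const MAX_LOOKUPS = 10;
const MAX_VOID_LOOKUPS = 2;

function flattenSpf(domain: string, resolve: TxtResolver): FlattenResult {
  const ips: string[] = [];
  const unresolved: string[] = [];
  const visited = new Set<string>();
  let lookups = 0;
  let voidLookups = 0;
  let finalQualifier = "~all";

  function walk(name: string): void {
    if (visited.has(name)) return;                 // an include loop must not recurse forever
    visited.add(name);
    const spf = (resolve(name) ?? []).find((t) => /^v=spf1(\s|$)/i.test(t));
    if (!spf) {
      if (name !== domain) voidLookups++;
      return;
    }
    for (const term of spf.split(/\s+/).slice(1).filter(Boolean)) {
      const hasQual = /^[+\-~?]/.test(term);
      const qual = hasQual ? term[0] : "+";
      const body = hasQual ? term.slice(1) : term;
      if (/^all$/i.test(body)) {
        // Only the top-level record's "all" survives; an included "all" is never inherited.
        if (name === domain) finalQualifier = qual + "all";
      } else if (/^ip[46]:/i.test(body)) {
        ips.push(body);
      } else if (/^include:/i.test(body)) {
        lookups++;
        walk(body.slice("include:".length));
      } else if (/^redirect=/i.test(body)) {
        lookups++;
        walk(body.slice("redirect=".length));
      } else if (/^(a|mx|ptr|exists)(:|\/|$)/i.test(body)) {
        lookups++;                                  // still costs a lookup at evaluation time
        unresolved.push(term);
      }
      // exp= and unknown modifiers are dropped from the flattened record.
    }
  }

  walk(domain);
  const record = ["v=spf1", ...Array.from(new Set(ips)), ...unresolved, finalQualifier].join(" ");
  return {
    record,
    strings: splitTxt(record),
    lookups,
    voidLookups,
    overLimit: lookups > MAX_LOOKUPS || voidLookups > MAX_VOID_LOOKUPS,
    unresolved,
  };
}

// TXT RDATA is a sequence of <=255-octet character strings that resolvers concatenate;
// a long flattened record has to be published as several strings, not one.
function splitTxt(record: string, max = 255): string[] {
  const out: string[] = [];
  for (let i = 0; i < record.length; i += max) out.push(record.slice(i, i + max));
  return out;
}

// Constructed TXT table for the example (not real zones).
const fixture: Record<string, string[]> = {
  "example.com": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 mx -all"],
  "_spf.mailhost.example": ["v=spf1 include:_netblocks.mailhost.example ip6:2001:db8::/32 ~all"],
  "_netblocks.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 -all"],
  // A sender that includes eleven providers blows the lookup budget.
  "many.example": ["v=spf1 " + Array.from({ length: 11 }, (_, i) => `include:p${i}.example`).join(" ") + " -all"],
};
for (let i = 0; i < 11; i++) fixture[`p${i}.example`] = [`v=spf1 ip4:192.0.2.${i} -all`];
const resolveFixture: TxtResolver = (name) => fixture[name];
```

For example.com the result is v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 ip6:2001:db8::/32 mx -all with three lookups counted (two includes plus the mx, which is kept verbatim because it still needs address resolution); many.example is flagged as over the limit at eleven.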

Reuse Map (PowerShell → TypeScript Port)

| Source Script | Lines | Port Target |
|---|---|---|
| Test-EmailAuthentication.ps1 | 364 | src/modules/email-security/validators/ — 8 validator functions |
| Invoke-BatchHealthAudit.ps1 | 469 | src/modules/email-security/batch-audit.ts — orchestrator + scoring |
| Invoke-DomainHealthCheck.ps1 | 171 | src/modules/email-security/health-check.ts — single domain check |
| Test-SMTPDelivery.ps1 | 100+ | src/modules/email-security/validators/smtp.ts — SMTP connectivity |
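Generating a DANE-EE TLSA record and checking a candidate key against the published set, as an added example (not Arete code) for the DANE/TLSA feature in the list above. It uses only Node's built-in crypto module; key pairs are generated in-process to stand in for a certificate's public key, and tlsaFromKey, daneStillValid and demo are names chosen for this example.

```typescript
import { createHash, generateKeyPairSync, KeyObject } from "node:crypto";

// Added example (not Arete code): build a TLSA 3 1 1 record (DANE-EE, SPKI selector,
// SHA-256 matching) from a public key and verify that the key a server is about to
// present is still pinned by the published records. Keys are generated here only to
// keep the example offline; in Arete the SPKI would come from the live certificate.

interface TlsaRecord { usage: number; selector: number; matchingType: number; data: string }

// Selector 1 hashes the SubjectPublicKeyInfo, so a renewal that reuses the key pair keeps
// the record valid; a new key pair needs its record published before the swap.
function spkiSha256(pub: KeyObject): string {
  const der = pub.export({ type: "spki", format: "der" });
  return createHash("sha256").update(der).digest("hex");
}

function tlsaFromKey(pub: KeyObject): TlsaRecord {
  return { usage: 3, selector: 1, matchingType: 1, data: spkiSha256(pub) };
}

// Zone-file presentation, e.g. _25._tcp.mail.example.com. IN TLSA 3 1 1 <hex>
function formatTlsa(host: string, port: number, proto: string, r: TlsaRecord): string {
  return `_${port}._${proto}.${host}. IN TLSA ${r.usage} ${r.selector} ${r.matchingType} ${r.data}`;
}

// True when at least one published record pins this key. Only the 3 1 1 shape is handled;
// usage 2 (trust anchor) would need the issuing chain and is out of scope here.
function daneStillValid(pub: KeyObject, published: TlsaRecord[]): boolean {
  const fp = spkiSha256(pub);
  return published.some(
    (r) => r.usage === 3 && r.selector === 1 && r.matchingType === 1 && r.data.toLowerCase() === fp,
  );
}

// Simulates the rotation check: the current key is pinned, a freshly generated key is not,
// which is the "cert rotation breaks DANE" condition the monitor alerts on.
function demo(): { record: string; okBefore: boolean; okAfterRotation: boolean } {
  const current = generateKeyPairSync("ec", { namedCurve: "P-256" }).publicKey;
  const rotated = generateKeyPairSync("ec", { namedCurve: "P-256" }).publicKey;
  const published = [tlsaFromKey(current)];
  return {
    record: formatTlsa("mail.example.com", 25, "tcp", published[0]),
    okBefore: daneStillValid(current, published),
    okAfterRotation: daneStillValid(rotated, published),
  };
}
```

Running daneStillValid against the key from the staged certificate, before it goes live, turns the alert in the feature list into a pre-deployment gate rather than a post-outage notification.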

API Endpoints

GET    /api/v1/email-security/status                  -> AuthStatusGrid (all domains)
GET    /api/v1/email-security/domains/:domain          -> DomainAuthDetail
POST   /api/v1/email-security/check/:domain            -> Run live check
GET    /api/v1/email-security/spf/:domain/flatten      -> FlattenedSPFRecord
POST   /api/v1/email-security/dmarc-reports            -> Upload XML RUA
GET    /api/v1/email-security/dmarc-reports/:domain     -> ParsedDmarcReports[]
GET    /api/v1/email-security/tls-reports/:domain       -> TlsReportSummary
POST   /api/v1/email-security/remediate/:domain/:check -> Apply fix via Cloudflare API
GET    /api/v1/email-security/scores                    -> DomainScore[] (A-F grades)
MODULE M5: Domain Management (New Module)

Unified multi-registrar domain lifecycle management with deep WHOIS monitoring, certificate tracking, TLD price comparison, and DNS propagation checking.

Features

  • Multi-registrar inventory: Pull domains from Namecheap, Spaceship, SAV, VentraIP, Cloudflare APIs into unified table. Show registrar, expiry, auto-renew, cost, DNS provider.
  • Deep WHOIS monitoring: Daily WHOIS/RDAP snapshots. Diff detection: registrant changes, nameserver changes, status code changes (a clientTransferProhibited lock disappearing means the transfer lock was lifted, which precedes a transfer-out; an unexpected nameserver change is the classic hijack signal). Alert on unexpected mutations.
  • Certificate monitoring: Watch Certificate Transparency logs via the crt.sh API. Track cert expiry dates. Alert on: unexpected certs issued for your domains (phishing or mis-issuance), certs expiring within 14 days, new CA issuers. crt.sh is a convenience front end with no availability guarantee, so poll at a modest interval, deduplicate by certificate fingerprint, and treat a failed poll as a monitoring gap rather than as "no new certificates".
  • TLD price comparison: Scrape/API pricing from multiple registrars for each TLD. Show cheapest provider for renewals and new registrations. Historical price tracking. Bulk renewal cost optimization.
  • Renewal calendar: Timeline/Gantt view of upcoming renewals. Cost projections by month. Highlight bulk renewal clusters (e.g., Oct-Nov 2026 = $1,760).
  • DNS propagation checker: Multi-location DNS resolution (query resolvers in AU, US, EU, Asia). Show propagation status per location with TTL countdown. Like whatsmydns.net but integrated.
  • Domain health score: Composite of DNS config, email auth, SSL status, WHOIS health. A-F grade per domain.
  • Consolidation advisor: Identify parked/unused domains (no DNS records, no traffic). Calculate potential savings. Recommend registrar consolidation.
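The certificate-monitoring rules from the feature list (unexpected issuer, unexpected name, expiry within 14 days) applied to a batch of CT-log entries, as an added example in the project's TypeScript and not code from Arete or the blueprint. The CtEntry and WatchPolicy shapes, the helper names and the sample entries are constructed for this example; in Arete the entries would be parsed from crt.sh JSON output and the seen set persisted between polls.

```typescript
// Added example (not Arete code): M5 certificate-watch rules over CT-log entries.
// Entries and policy are constructed; nothing here talks to crt.sh.

interface CtEntry {
  sha256: string;      // certificate fingerprint, used as the dedupe key across polls
  issuer: string;      // issuer organisation as reported by the log
  names: string[];     // CN plus SANs
  notAfter: string;    // ISO 8601
}

interface WatchPolicy {
  domain: string;           // registrable domain being watched
  allowedIssuers: string[]; // CAs the MSP actually uses for this client
  expectedNames: string[];  // names we knowingly issue for; wildcard patterns allowed
  expiryWarnDays: number;   // 14 per the feature list
}

interface Finding {
  sha256: string;
  kind: "unexpected-issuer" | "unexpected-name" | "expiring";
  detail: string;
}

// RFC 6125 wildcard semantics: "*.example.com" matches exactly one additional label,
// so a.b.example.com is not covered and must be listed (or flagged) on its own.
function nameMatches(pattern: string, name: string): boolean {
  const p = pattern.toLowerCase();
  const n = name.toLowerCase();
  if (!p.startsWith("*.")) return p === n;
  const suffix = p.slice(1);                        // ".example.com"
  if (!n.endsWith(suffix) || n.length <= suffix.length) return false;
  return !n.slice(0, n.length - suffix.length).includes(".");
}

// crt.sh substring queries also return certificates for look-alike domains such as
// example.com.evil.test; only names under the watched domain are ours to judge.
function inScope(domain: string, name: string): boolean {
  const n = name.toLowerCase().replace(/^\*\./, "");
  const d = domain.toLowerCase();
  return n === d || n.endsWith("." + d);
}

function watchCertificates(entries: CtEntry[], policy: WatchPolicy, now: Date, seen: Set<string>): Finding[] {
  const findings: Finding[] = [];
  const warnBefore = now.getTime() + policy.expiryWarnDays * 86400000;
  for (const e of entries) {
    if (seen.has(e.sha256)) continue;               // already evaluated in an earlier poll
    seen.add(e.sha256);
    const ours = e.names.filter((n) => inScope(policy.domain, n));
    if (ours.length === 0) continue;
    if (!policy.allowedIssuers.includes(e.issuer)) {
      findings.push({ sha256: e.sha256, kind: "unexpected-issuer", detail: e.issuer });
    }
    for (const n of ours) {
      if (!policy.expectedNames.some((p) => nameMatches(p, n))) {
        findings.push({ sha256: e.sha256, kind: "unexpected-name", detail: n });
      }
    }
    const notAfter = Date.parse(e.notAfter);
    if (notAfter > now.getTime() && notAfter <= warnBefore) {
      findings.push({ sha256: e.sha256, kind: "expiring", detail: e.notAfter });
    }
  }
  return findings;
}

// Constructed sample: one cert near expiry, one rogue cert from an unknown CA for a
// hostname we never issued, one look-alike domain out of scope, one healthy wildcard host.
const samplePolicy: WatchPolicy = {
  domain: "example.com",
  allowedIssuers: ["Let's Encrypt"],
  expectedNames: ["example.com", "www.example.com", "*.apps.example.com"],
  expiryWarnDays: 14,
};
const sampleNow = new Date("2026-03-01T00:00:00Z");
const sampleEntries: CtEntry[] = [
  { sha256: "aa01", issuer: "Let's Encrypt", names: ["example.com", "www.example.com"], notAfter: "2026-03-10T00:00:00Z" },
  { sha256: "bb02", issuer: "Let's Encrypt", names: ["api.apps.example.com"], notAfter: "2026-05-01T00:00:00Z" },
  { sha256: "cc03", issuer: "Unknown CA Ltd", names: ["login.example.com"], notAfter: "2026-06-01T00:00:00Z" },
  { sha256: "dd04", issuer: "Let's Encrypt", names: ["example.com.evil.test"], notAfter: "2026-06-01T00:00:00Z" },
];

function runSample(seen: Set<string> = new Set<string>()): Finding[] {
  return watchCertificates(sampleEntries, samplePolicy, sampleNow, seen);
}
```

The sample yields three findings: aa01 expiring in nine days, and cc03 flagged twice (unknown issuer and a login.example.com name nobody requested), which is the phishing case the feature list is after; dd04 is ignored because it is not under the watched domain, and a second poll with the same seen set reports nothing new.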

API Endpoints

GET    /api/v1/domains                          -> PaginatedDomainList
GET    /api/v1/domains/:domain                   -> DomainDetail (registrar, WHOIS, certs, health)
GET    /api/v1/domains/:domain/whois-history      -> WhoisSnapshot[]
GET    /api/v1/domains/:domain/certificates       -> CertificateWatch[]
GET    /api/v1/domains/:domain/propagation        -> PropagationResult[]
GET    /api/v1/domains/pricing/:tld               -> TldPricing[] (cross-registrar)
GET    /api/v1/domains/renewals/calendar          -> RenewalCalendarData
GET    /api/v1/domains/consolidation              -> ConsolidationRecommendation[]
POST   /api/v1/domains/sync                       -> Trigger registrar sync
MODULE M9: M365 Management, CIPP-Style (Extend Arete m365-audit)

Replicate key CIPP features for Microsoft 365 tenant management. Focus on read-heavy dashboards first; write operations with approval flows later.

Absorbs M37 (Intune & M365 Config Manager): Adds a config management tab — export/import full tenant config (CA policies, compliance policies, device configs, Entra settings), drift detection with baseline snapshots, side-by-side diff viewer, AI-assisted design review against E8/CIS/ASD Blueprint, and Maester.dev integration.

CIPP Features to Replicate

  • Tenant overview: Per-client card showing user count, license usage, secure score, conditional access policy count, admin count
  • User management: List all users across tenants. Search, filter by MFA status, license, sign-in activity. Actions: reset password, enable/disable MFA, block/unblock sign-in
  • Conditional Access: View all CA policies across all tenants. Compare policies. Clone a policy from one tenant to another. Template library of best-practice policies
  • Security defaults & baselines: Define standard settings (MFA required, legacy auth blocked, etc.). Audit each tenant against standards. Show compliance %. Auto-remediate gaps (with approval)
  • License management: Cross-tenant license inventory. Usage reports (assigned vs consumed). Cost per user. Optimization recommendations (downgrade unused E5 to E3)
  • Standards enforcement: Template-based: "All tenants must have X". Scheduled audit runs. Dashboard showing % compliance per standard per tenant
  • Alert feed: Risky sign-ins, impossible travel, MFA registration gaps, new global admins, external sharing changes

Existing Code

| Source | Reuse |
|---|---|
| Arete m365-audit module | Existing route/service structure, M365SecurityFinding model |
| C:\GIT\CIPP-Project\ | Reference implementation for Graph API patterns, CA policy structure |
| API Standards: Microsoft-Graph.md, Partner-Center.md | Endpoint reference, auth patterns, rate limits |
MODULE M11: IT Tools / Utilities (New Module)

Comprehensive suite of 45+ built-in tools for daily MSP work. Client-side tools run entirely in-browser (privacy, zero server load). Server-side tools use Fastify endpoints with rate limiting; because they make outbound connections on the caller's behalf, every server-side tool must validate its target before connecting. Inspired by What's My IP, CyberChef, and DevToys. Every tool logs usage to ToolUsageLog for M65 BI analytics (caller, tool and target, never submitted payloads or credentials).

Network & Diagnostics (15 tools, server-side)

  • What's My IP: Show public IPv4/IPv6, ISP name, ASN, geolocation (city, region, country, lat/long, timezone, local time). Auto-detect on page load. Map pin visualization
  • Ping: ICMP ping to any host with latency stats (min/avg/max/jitter), packet loss %. Configurable count (1-100). Live results streaming via WebSocket. Raw ICMP sockets need CAP_NET_RAW in the container; the alternative is spawning the system ping binary with a fixed argument list (never a user-assembled command string). The target must pass the same public-address check as the other server-side tools.
  • Traceroute: Visual network path trace with hop count, latency per hop, ASN lookup per hop. Map visualization of geographic path. Server-side traceroute with streaming output
  • Speed Test: Download/upload speed + ping/jitter measurement (Cloudflare-style). WebSocket relay for accurate bandwidth measurement. Results chart with history. Latency under load (bufferbloat detection)
  • DNS Lookup / Dig: Full record types (A, AAAA, MX, TXT, CNAME, NS, SOA, SRV, CAA, DNSKEY, TLSA, PTR). Multiple resolver comparison (Google 8.8.8.8, Cloudflare 1.1.1.1, OpenDNS, authoritative NS). Dig-style raw output toggle. Propagation check across resolvers
  • DNS History: Historical DNS record changes over time (passive DNS). Integration with SecurityTrails API or community passive DNS. Timeline visualization of record changes
  • WHOIS Lookup: Domain registration details: registrar, nameservers, dates, status codes, DNSSEC status. Raw WHOIS output + parsed structured view. Domain age calculation
  • Domain Dossier: Comprehensive single-page domain analysis combining: DNS records + WHOIS + SSL certificate + MX records + HTTP headers + security headers + blacklist status. One-click full audit. Export as PDF
  • SSL Checker: Certificate chain visualization (tree view), SAN list, validity dates, issuer, cipher suite, TLS version, key size. Security grade (A-F). Certificate expiry countdown. CT log cross-reference
  • Certificate Transparency: CT log search (crt.sh API). Find all certificates ever issued for a domain or wildcard. Subdomain discovery via CT logs. Identify rogue/unexpected certificates. Feed discovered subdomains to M54 Attack Surface Monitor
  • Port Checker: TCP connect check on any host:port. Preset profiles: Web (80,443), Email (25,587,993,143), Remote (22,3389,5900), Database (3306,5432,1433,27017), Custom. Bulk port scan with results table
  • IP Geolocation: Map view with pin for any IP address. ISP/ASN info, reverse DNS, hostname. MaxMind GeoLite2 database (server-side, updated weekly). Bulk IP lookup
  • HTTP Header Analyzer: Fetch any URL and display all response headers. Security header audit with pass/fail grading: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS headers. Overall security grade (A-F)
  • Subnet Calculator: CIDR to IP range converter. Broadcast address, network address, usable hosts count, wildcard mask. Visual subnet breakdown. VLSM calculator. IPv4 and IPv6 support
  • Bandwidth Calculator: File size × transfer speed = estimated time. Convert between Mbps/MBps/Gbps. Useful for backup window planning

Developer & Admin Tools (17 tools, mostly client-side)

  • JSON Formatter: Format, validate, beautify, minify JSON with syntax highlighting and error detection. Tree view toggle with expand/collapse. Click node → copy JSONPath. Diff two JSON documents side-by-side. Client-side (no data leaves browser)
  • Text Diff: Side-by-side or unified diff view. Word/line/character level comparison. Syntax-highlighted. Large file support. Copy diff output. Useful for config comparison
  • Code Formatter: Prettier-powered formatting for JavaScript, TypeScript, HTML, CSS, YAML, SQL, GraphQL, XML, Markdown. Language auto-detect. Configurable options (indent size, quotes, semicolons). Client-side via Prettier standalone bundle
  • Image Converter: Convert between PNG, JPEG, WebP, GIF, BMP, HEIC/HEIF, SVG→PNG. Quality slider. Batch conversion (drag multiple files). Resize with aspect ratio lock. All client-side via Canvas API
  • Base64 Encode/Decode: Text ↔ Base64, file ↔ Base64 data URI. URL-safe variant toggle. Auto-detect input type. Copy to clipboard
  • JWT Decoder: Paste token, see decoded header + payload with syntax highlighting. Expiry check with countdown. Claims are labelled "unverified" until a signature check passes. Signature verification (paste secret/public key): verify against the algorithm the user selects, never the algorithm named in the token's own header, and reject alg=none outright. Claim inspection (iss, sub, aud, exp, iat)
  • Hash Generator: MD5, SHA-1, SHA-256, SHA-512, HMAC-SHA256 variants. Text or file input. Compare hash to verify file integrity (paste expected hash). Client-side: SHA-1/SHA-256/SHA-512 and HMAC via the SubtleCrypto API; MD5 is not offered by SubtleCrypto and needs a bundled JS implementation. MD5 and SHA-1 are kept only to match vendor-published checksums and are labelled as not collision-resistant in the UI
  • Regex Tester: Live regex with match highlighting, capture groups, named groups. Common patterns library (email, IPv4, IPv6, URL, phone AU, ABN, MAC address). Flags toggles (g, i, m, s, u). Match count and group extraction table
  • Cron Expression Builder: Visual cron builder with dropdown selectors for minute/hour/day/month/weekday. Human-readable description auto-generated. Next 10 run times preview with timezone. Standard (5-field) + Quartz (6-field) syntax support
  • Epoch/Date Converter: Unix timestamp (seconds/milliseconds) ↔ human date. ISO 8601 format. Relative time ("3 hours ago"). Multi-timezone converter. Current epoch live counter
  • QR Code Generator: URL, WiFi config (SSID/password/encryption), vCard, plain text, email, phone, SMS. Download as PNG/SVG. Configurable size, error correction level, colors. Bulk generation from CSV
  • Password Generator: Configurable length (8-128), character sets (upper, lower, digits, symbols, ambiguous exclusion). Generated with crypto.getRandomValues, never Math.random. Passphrase mode (diceware/EFF wordlist). Bulk generation (up to 100). Strength meter (zxcvbn) + HIBP breach check via the Pwned Passwords range API (k-anonymity: only the first 5 hex characters of the SHA-1 are sent and the suffix is matched locally, so the password itself never leaves the browser). Copy + auto-clear clipboard after 30s
  • UUID/ULID Generator: UUID v1 (timestamp), v4 (random), v7 (timestamp-sortable). ULID generation. Bulk generation with copy. Decode UUID v1 timestamp
  • Color Converter: HEX ↔ RGB ↔ HSL ↔ CMYK. Visual color picker. Contrast ratio checker (WCAG AA/AAA). Palette generator (complementary, analogous, triadic)
  • Markdown Preview: Live split-pane editor with GFM support (tables, task lists, footnotes). Syntax highlighting for code blocks. Export to HTML/PDF. Mermaid diagram rendering
  • YAML ↔ JSON Converter: Bidirectional conversion with validation and error highlighting. Supports multi-document YAML. Pretty-print output
  • URL Encoder/Decoder: Encode/decode URL components. Parse query strings into editable table view. Rebuild URL from components. URI component vs full URL encoding
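
The verification half of the JWT Decoder, as an added example written for this blueprint and not code from Arete: decoding shows the claims, but only a signature check against an algorithm the caller chose up front makes them trustworthy. The function names, the HS256-only scope and the small signer included so the sample runs offline are assumptions of this example; the same shape extends to RS256/ES256 by swapping createHmac for crypto.verify with the public key.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not Arete code. decodeJwt shows the claims; only verifyHs256
// makes them trustworthy. The caller fixes the expected algorithm; the token's
// own alg header is compared against it and never used to pick a key.

export interface JwtParts {
  header: Record<string, unknown>;
  payload: Record<string, unknown>;
}

function b64urlDecode(s: string): Buffer {
  // Node's base64 decoder tolerates the "=" padding that JWTs strip.
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

function b64urlEncode(b: Buffer): string {
  return b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Untrusted view of the token: what the decoder tab shows before verification.
export function decodeJwt(token: string): JwtParts {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token: expected three dot-separated segments");
  return {
    header: JSON.parse(b64urlDecode(parts[0] ?? "").toString("utf8")),
    payload: JSON.parse(b64urlDecode(parts[1] ?? "").toString("utf8")),
  };
}

// Verifies an HS256 token against a shared secret and checks exp/nbf.
// `now` (seconds since epoch) is a parameter so tests do not depend on the clock.
export function verifyHs256(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): Record<string, unknown> {
  const [h = "", p = "", sig = ""] = token.split(".");
  const { header, payload } = decodeJwt(token);
  // alg=none, or an RS256 token replayed as HMAC with the public key, fails here.
  if (header.alg !== "HS256") throw new Error(`unexpected alg: ${String(header.alg)}`);
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = b64urlDecode(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("signature does not verify");
  }
  const exp = payload.exp;
  if (typeof exp === "number" && now >= exp) throw new Error("token expired");
  const nbf = payload.nbf;
  if (typeof nbf === "number" && now < nbf) throw new Error("token not yet valid");
  return payload;
}

// Included only so the example is self-contained; it mints the tokens used in testing.
export function signHs256(payload: Record<string, unknown>, secret: string): string {
  const h = b64urlEncode(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const p = b64urlEncode(Buffer.from(JSON.stringify(payload)));
  const sig = b64urlEncode(createHmac("sha256", secret).update(`${h}.${p}`).digest());
  return `${h}.${p}.${sig}`;
}
```

In the UI, decodeJwt feeds the read-only view and verifyHs256 flips the "unverified" badge only when it returns; a thrown error is shown as the reason, so a pasted alg=none token is visibly rejected rather than silently displayed as valid.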

Security Tools (6 tools)

  • Security Headers Check: Analyze any URL's response headers against OWASP best practices. Individual pass/fail per header with recommendations. Overall grade (A-F). Compare against industry benchmarks. Server-side fetch
  • Cookie Inspector: Fetch URL and display all cookies with attributes: Name, Value, Domain, Path, Secure, HttpOnly, SameSite, Expires. Flag insecure cookies (missing Secure/HttpOnly on sensitive domains). Server-side
  • Certificate Transparency Log: Search crt.sh API for all certificates issued for a domain. Discover subdomains from SAN fields. Timeline of certificate issuance. Identify unexpected/rogue certificates. Feed results to M54 Attack Surface Monitor
  • Subdomain Finder: Combine CT log search + DNS brute-force (common wordlist) + public sources. Deduplicate and resolve each subdomain. Export list. One-click "Add to M54 monitoring"
  • Content Security Policy Builder: Visual CSP builder with directive explanations (default-src, script-src, style-src, img-src, etc.). Test policy against live URL. Common presets (strict, moderate, permissive). Export as header value or meta tag
  • MIME Type Validator: Upload file, detect actual MIME type via magic bytes vs file extension. Flag mismatches. Useful for catching files whose extension misrepresents their content (an executable renamed .pdf, an HTML file posing as an image); it does not verify integrity, which is the Hash Generator's job
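
The grading behind the Security Headers Check and Cookie Inspector, as an added example that is not Arete's code. It takes the header map a server-side fetch already returned, so it runs offline; the check names, the pass conditions (HSTS max-age of at least a year, no unsafe-inline/unsafe-eval in CSP, frame-ancestors or X-Frame-Options present, SameSite=None only with Secure, the __Host- prefix rules) and the letter-grade cut-offs are this example's own choices, not an OWASP scoring table.

```typescript
// Added example, not Arete code. Pure grading logic for the Security Headers
// Check and Cookie Inspector: input is the header map a server-side fetch
// already returned, so nothing here touches the network.

export interface Check { name: string; pass: boolean; detail: string; }
export type HeaderMap = Record<string, string | string[] | undefined>;

function get(h: HeaderMap, name: string): string | undefined {
  const v = h[name.toLowerCase()];
  return Array.isArray(v) ? v[0] : v;
}

export function auditSecurityHeaders(h: HeaderMap): Check[] {
  const checks: Check[] = [];
  const hsts = get(h, "strict-transport-security") ?? "";
  const maxAge = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? 0);
  checks.push({ name: "Strict-Transport-Security", pass: maxAge >= 31536000,
    detail: hsts ? `max-age=${maxAge} (want at least one year)` : "missing" });

  const csp = get(h, "content-security-policy") ?? "";
  const unsafe = /'unsafe-(inline|eval)'/.test(csp);
  checks.push({ name: "Content-Security-Policy", pass: csp !== "" && !unsafe,
    detail: csp === "" ? "missing" : unsafe ? "present but allows unsafe-inline or unsafe-eval" : "present" });

  const xcto = get(h, "x-content-type-options");
  checks.push({ name: "X-Content-Type-Options", pass: xcto?.toLowerCase() === "nosniff", detail: xcto ?? "missing" });

  // Either mechanism prevents framing; frame-ancestors is the modern one.
  const xfo = get(h, "x-frame-options")?.toUpperCase();
  const frameAncestors = /frame-ancestors/i.test(csp);
  checks.push({ name: "Clickjacking protection", pass: frameAncestors || xfo === "DENY" || xfo === "SAMEORIGIN",
    detail: frameAncestors ? "CSP frame-ancestors" : (xfo ?? "no frame-ancestors or X-Frame-Options") });

  const rp = get(h, "referrer-policy")?.toLowerCase();
  checks.push({ name: "Referrer-Policy", pass: !!rp && !["unsafe-url", "no-referrer-when-downgrade"].includes(rp),
    detail: rp ?? "missing" });

  const pp = get(h, "permissions-policy");
  checks.push({ name: "Permissions-Policy", pass: pp !== undefined, detail: pp ? "present" : "missing" });

  // Wildcard origin combined with credentials is a misconfiguration worth surfacing.
  const acao = get(h, "access-control-allow-origin");
  const creds = get(h, "access-control-allow-credentials")?.toLowerCase() === "true";
  checks.push({ name: "CORS", pass: !(acao === "*" && creds),
    detail: acao ? `Access-Control-Allow-Origin: ${acao}${creds ? " with credentials" : ""}` : "no CORS headers" });
  return checks;
}

// One Check per Set-Cookie line. `https` says whether the page was fetched over TLS.
export function auditCookies(setCookie: string[], https: boolean): Check[] {
  return setCookie.map((line) => {
    const [pair = "", ...attrs] = line.split(";").map((s) => s.trim());
    const name = pair.split("=")[0] ?? "";
    const attr = new Map<string, string>();
    for (const a of attrs) {
      const [k = "", ...v] = a.split("=");
      attr.set(k.toLowerCase(), v.join("="));
    }
    const problems: string[] = [];
    if (https && !attr.has("secure")) problems.push("missing Secure");
    if (!attr.has("httponly")) problems.push("missing HttpOnly");
    const sameSite = (attr.get("samesite") ?? "").toLowerCase();
    if (sameSite === "") problems.push("no SameSite (browser default is Lax)");
    if (sameSite === "none" && !attr.has("secure")) problems.push("SameSite=None requires Secure");
    if (name.startsWith("__Host-") && (!attr.has("secure") || attr.get("path") !== "/" || attr.has("domain"))) {
      problems.push("__Host- prefix requires Secure, Path=/ and no Domain");
    }
    return { name: `cookie ${name}`, pass: problems.length === 0, detail: problems.join("; ") || "ok" };
  });
}

// Share of passing checks mapped to a letter; cut-offs are this example's choice.
export function letterGrade(checks: Check[]): string {
  const ratio = checks.filter((c) => c.pass).length / Math.max(checks.length, 1);
  return ratio >= 0.95 ? "A" : ratio >= 0.8 ? "B" : ratio >= 0.6 ? "C" : ratio >= 0.4 ? "D" : "F";
}
```

The HTTP Header Analyzer and Security Headers Check endpoints can share auditSecurityHeaders and differ only in presentation; the Cookie Inspector passes every Set-Cookie value it received (Node exposes them as an array under the set-cookie key) to auditCookies.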

PDF & Document Tools (10 tools)

  • PDF Merge: Combine multiple PDFs into one. Drag-and-drop reorder. Client-side (pdf-lib)
  • PDF Split: Extract page ranges from a PDF. Preview thumbnails. Client-side
  • PDF Compress: Reduce PDF file size with quality presets (screen, ebook, print). Client-side
  • PDF Convert: Word/HTML/Markdown → PDF (Puppeteer server-side). Configurable page size, margins, headers/footers
  • PDF Sign: Visual signature placement (pdf-lib + canvas for signature drawing). Position signature on specific page/location. This stamps an image onto the page; it is not a cryptographic (PAdES) signature that a PDF reader can validate. For signatures that verify, use the node-signpdf path in M10 Reporting Engine
  • OCR: Extract text from scanned PDFs and images (Tesseract.js client-side). Multi-language support
  • Image Format Converter: SVG generator (shapes, icons, patterns). Format conversion (HEIF/HEIC → JPEG, WebP ↔ PNG, SVG → PNG). Resize/crop with presets
  • PDF Viewer: pdf.js embedded viewer with annotations, search, zoom
  • DOCX/XLSX Viewer: Word (mammoth.js) and Excel (SheetJS) rendering in-browser
  • Markdown Viewer: remark/rehype pipeline with syntax highlighting, table support, Mermaid diagrams

Frontend Layout

  • Tool Hub (/tools): Grid of tool cards with icons. Category filter tabs: All | Network | Security | Developer | Documents. Search bar with fuzzy matching. "Recently used" and "Favorites" sections at top
  • Individual tool pages: Clean single-purpose UI. Input area (left/top) + Output area (right/bottom). Copy/download buttons on all outputs. Share result via M80 Secure Sharing link
  • Tool usage analytics: Usage logged to ToolUsageLog model. "Most popular tools" widget for M1 Executive Dashboard. Per-technician tool usage in M65 BI

API Endpoints (server-side tools only)

GET    /api/v1/tools/my-ip                           -> PublicIpInfo { ipv4, ipv6, isp, asn, geo }
POST   /api/v1/tools/ping                            -> PingResult { host, stats, packets[] } (WebSocket for live)
POST   /api/v1/tools/traceroute                      -> TracerouteResult { hops[] } (WebSocket for live)
WS     /api/v1/tools/speed-test                      -> SpeedTestResult { download, upload, ping, jitter }
POST   /api/v1/tools/dns-lookup                      -> DnsRecords { records[], resolver }
GET    /api/v1/tools/dns-history/:domain              -> DnsHistory[] (SecurityTrails API proxy)
GET    /api/v1/tools/whois/:domain                   -> WhoisResult { parsed, raw }
GET    /api/v1/tools/domain-dossier/:domain           -> DomainDossier { dns, whois, ssl, mx, headers, blacklist }
POST   /api/v1/tools/ssl-check                       -> SslCertInfo { chain[], grade, expiry, sans[] }
GET    /api/v1/tools/ct-logs/:domain                  -> CtLogEntry[] (crt.sh API proxy)
POST   /api/v1/tools/port-check                      -> PortCheckResult { ports[] }
GET    /api/v1/tools/ip-geolocation/:ip               -> GeoResult { city, region, country, latLong, isp, asn }
POST   /api/v1/tools/http-headers                    -> HeaderAnalysis { headers[], securityGrade }
POST   /api/v1/tools/security-headers                -> SecurityHeaderGrade { checks[], grade }
POST   /api/v1/tools/subnet-calc                     -> SubnetCalcResult { network, broadcast, hosts, range }
POST   /api/v1/tools/subdomain-finder                -> SubdomainResult[] { subdomain, ip, source }
POST   /api/v1/tools/cookie-inspect                  -> CookieResult { cookies[] }

Note: Client-side tools (JSON formatter, text diff, code formatter, image converter, hash gen, regex, cron, base64, JWT, UUID, color, markdown, YAML, URL encoder, password generator) run entirely in-browser with zero API calls. No data leaves the user's device. The one deliberate exception is the Password Generator's optional HIBP lookup, which sends a 5-character SHA-1 prefix to the Pwned Passwords range API and never the password itself.
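
The target check the server-side tools need, together with the CIDR arithmetic behind the Subnet Calculator, as an added example written for this blueprint rather than code from the Arete codebase. Everything here is assumed: the function names, the blocked-range list (RFC 1918, loopback, link-local including the 169.254.169.254 cloud metadata address, CGNAT, multicast and reserved space), and the decision to reject IPv6 targets outright, which a production version would replace with the equivalent IPv6 ranges. The resolver is injected so the check runs offline; the caller must then connect to the address it validated rather than re-resolving the hostname, or a DNS rebinding answer can slip past the check.

```typescript
// Added example, not Arete code. CIDR helpers for the Subnet Calculator and a
// target validator for the server-side probe/fetch tools (ping, traceroute,
// port check, header/cookie fetch).

export interface Cidr { network: number; prefix: number; }

// "10.1.2.3" -> 32-bit unsigned integer; throws on anything that is not a dotted quad.
export function ipv4ToInt(ip: string): number {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`not an IPv4 address: ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

export function intToIpv4(n: number): string {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join(".");
}

function maskFor(prefix: number): number {
  return prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
}

export function parseCidr(cidr: string): Cidr {
  const [ip = "", prefixStr = ""] = cidr.split("/");
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix: ${cidr}`);
  return { network: (ipv4ToInt(ip) & maskFor(prefix)) >>> 0, prefix };
}

export function cidrContains(cidr: Cidr, ip: string): boolean {
  return ((ipv4ToInt(ip) & maskFor(cidr.prefix)) >>> 0) === cidr.network;
}

// Subnet Calculator output: network, broadcast, usable range and host count.
// /31 (RFC 3021) and /32 have no separate broadcast, so every address is usable.
export function describeSubnet(cidr: string) {
  const c = parseCidr(cidr);
  const size = 2 ** (32 - c.prefix);
  const broadcast = (c.network + size - 1) >>> 0;
  const pointToPoint = c.prefix >= 31;
  return {
    network: intToIpv4(c.network),
    broadcast: intToIpv4(broadcast),
    firstUsable: intToIpv4(pointToPoint ? c.network : c.network + 1),
    lastUsable: intToIpv4(pointToPoint ? broadcast : broadcast - 1),
    usableHosts: pointToPoint ? size : size - 2,
  };
}

// Ranges the probe tools must never touch. Assumed list for this example;
// 169.254.0.0/16 also covers the cloud metadata endpoint 169.254.169.254.
const BLOCKED_RANGES: Cidr[] = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
].map(parseCidr);

// Rejects if any resolved address is blocked. One private answer among several
// public ones is enough to reach an internal service, so every address is checked.
export function checkAddresses(host: string, addrs: string[]): string[] {
  if (addrs.length === 0) throw new Error(`unresolvable host: ${host}`);
  for (const a of addrs) {
    if (a.includes(":")) throw new Error(`IPv6 target rejected by this example: ${a}`);
    const hit = BLOCKED_RANGES.find((r) => cidrContains(r, a));
    if (hit) throw new Error(`${host} -> ${a} is in blocked range ${intToIpv4(hit.network)}/${hit.prefix}`);
  }
  return addrs;
}

export type Resolver = (host: string) => Promise<string[]>;

// Wrap dns.promises.resolve4 in production; the resolver is a parameter so the
// check can run offline. Connect to the returned addresses, not to the hostname,
// so a later DNS answer cannot swap in an internal address.
export async function resolveSafeTarget(host: string, resolve: Resolver): Promise<string[]> {
  const literal = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return checkAddresses(host, literal ? [host] : await resolve(host));
}
```

Every POST /api/v1/tools/* handler that takes a host or URL calls resolveSafeTarget first and passes the returned addresses to the socket or HTTP client; redirects from the header tools go through the same check before being followed.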

Cross-Module Integration

  • M4 Email Security: DNS Lookup feeds SPF/DKIM/DMARC validation results
  • M5 Domain Management: WHOIS + SSL + Domain Dossier provide domain health data
  • M28 Network Discovery: Port checker and subnet calculator assist network mapping
  • M38 IPAM: Subnet calculator integrates with IP address management
  • M39 DNS Operations: DNS lookup + DNS history validate DNS changes
  • M54 Attack Surface: CT logs + subdomain finder feed external asset discovery
  • M65 BI Warehouse: ToolUsageLog provides usage analytics data
  • M76 Email Infra: Security headers check validates email server config
  • M80 Secure Sharing: Any tool output can be shared via secure ephemeral link
MODULE M3
Security Posture
Unified vulnerability and threat visibility across Tenable, Sophos, ThreatLocker, Huntress, SentinelOne. Composite security score per client. Compliance mapping to CIS, NIST, Essential Eight.
✅ ABSORBS M50 (Endpoint Compliance Checker): Adds endpoint compliance tab — per-device compliance checks (BitLocker, AV, OS updates, firewall, screen lock), 0-100 compliance scoring per device and client, configurable policy definitions per tier, auto-remediation via M21 Playbooks, and evidence feed to M20 Compliance.

Key Features

  • Vulnerability dashboard: CVE severity distribution (Critical/High/Medium/Low donut), trending over time, remediation tracking with SLA
  • Endpoint protection: Agent deployment coverage per client, gap detection, auto-alert on unprotected devices
  • Threat feed: Real-time aggregated alerts from all security vendors, unified severity normalization
  • Client security score: 0-100 composite (vuln count 30%, patch currency 25%, protection coverage 25%, config compliance 20%)
  • Essential Eight maturity: Map findings to ACSC Essential Eight controls, show maturity level per control

Connectors

Vendor | Auth | Key Data
Tenable | API Key | Vulnerabilities, assets, scan results
Sophos | OAuth2 | Alerts, endpoints, policies
ThreatLocker | API Key | Application control events, ringfencing
Huntress | API Key | Incidents, agents, footholds
SentinelOne | API Token | Threats, agents, policies
MODULE M6
Uptime & Infrastructure Monitoring
Already built in Arete (monitors, status-pages, alerting modules). Extend with additional probe types and Prometheus integration.

Existing (Already in Arete)

  • Monitor, CheckResult, Incident, UptimeStats models
  • StatusPage, StatusComponent, StatusIncident models
  • AlertChannel, AlertPolicy models
  • API routes for CRUD + status page public API

Extensions Needed

  • Additional probe types: TCP, DNS, ICMP, gRPC (currently HTTP only)
  • Prometheus metrics export for Grafana integration
  • Maintenance window scheduling
  • Response time percentile charts (P50/P95/P99)
MODULE M7
Ticket Intelligence
AI-powered ticket management pulling from ConnectWise/Autotask. Semantic search via pgvector embeddings. Reuses Knowledge-DB (2.15M records) and CW Triage Dashboard patterns.

Features

  • AI triage: Auto-suggest Type/Subtype/Item with confidence %. Side-by-side current vs suggested. Approve/deny workflow. Reuse: C:\GIT\cw-triage-dashboard
  • Semantic search: Natural language query → pgvector cosine similarity. "Show me tickets about email delivery issues for Construction Control". Reuse: Knowledge-DB embedding worker pattern
  • Trend analysis: Ticket volume over time by type, client, technician. Chart.js time series
  • SLA tracking: Response/resolution time vs targets. Breach alerts
  • Technician workload: Billable utilization gauge (actual vs target), hours by category, balance across team
  • Customer health: Composite of ticket volume, SLA performance, recurring issues, sentiment
  • Quick wins: Low-effort/high-impact tickets scored and ranked. Reuse: Grafana kb-quick-wins design
  • Zammad integration (optional): Connect Zammad helpdesk for customer-facing multichannel support (email, chat, phone, social media, web forms). Client-submitted tickets auto-sync to CW/Autotask PSA. Enables M27 Client Portal ticket submission via Zammad's multi-channel engine
MODULE M8
Asset & License Management
Hardware inventory and software license compliance tracking from ConnectWise, NinjaOne, and optional Snipe-IT/GLPI connectors.

Features

  • Device inventory with sync from RMM + PSA
  • Software license count vs entitlement tracking
  • Compliance alerts (over/under-licensed)
  • Warranty tracking, EOL/EOS alerts with timeline
  • Cost optimization recommendations
  • SaaS auto-discovery: Scan SSO/IAM/IDP login events (Entra ID, Okta, Google Workspace) via Microsoft Graph and Google Workspace APIs to detect SaaS subscriptions not in official inventory. Flag shadow IT. Feed M22 Profitability for cost analysis
MODULE M10
Reporting Engine
Cross-module report generation with PDF, Excel, and scheduled delivery. White-label branding per tenant.
✅ ABSORBS M32 (QBR Generator): QBR becomes a report template — adds cross-module data pull (M2/M3/M6/M7/M20/M22/M23/M29/M63), AI-generated executive summaries (via M26 Copilot), quarter-over-quarter trend comparison, drag-and-drop section ordering, scheduled quarterly generation with auto-email, and branded PDF/PowerPoint output.

Features

  • PDF reports: Server-side via Puppeteer (HTML template → PDF). Branded with logo, colors, footer
  • PDF signing: Digital signature placement for compliance deliverables (node-signpdf)
  • Excel workbooks: Multi-sheet with pivot-ready data (ExcelJS). Executive summary sheet + detail sheets
  • Scheduled reports: Cron-based generation. Weekly security posture, monthly backup compliance, quarterly QBR
  • Templates: Per-module report templates. Customizable sections, chart selection, data range
  • White-labeling: Logo, primary/secondary colors, company name, contact info per tenant
MODULE M12
ConnectWise Email Audit
⚠️ CONSOLIDATION NOTE: This module is merged into M4 (Email Security & Authentication). Implement email investigation/audit features as a sub-section/tab within M4. M12's PSA ticket email investigation, PowerShell port, and HTML report generation become M4 features.
Deep-dive email security investigation from PSA tickets. Port existing 4-file PowerShell framework to TypeScript.

Reuse

Entire C:\GIT\connectwise-email-audit\: cw-api-client.ps1, cw-data-parser.ps1, cw-investigator.ps1, html-generator.ps1. Port to TypeScript connector + service layer.

MODULE M13
Infrastructure Audit
Service catalog with health status. Port from standalone HTML to React module.

Reuse

C:\Users\Tom\infrastructure-audit.html (80+ services, 14 categories, Work Mode toggle, live search). Port to React with Docker API integration for live container health.

MODULE M14
Breach & Dark Web Intel
Monitor for credential leaks, domain mentions on dark web, and Certificate Transparency log anomalies.

Features

  • Domain breach monitoring via HIBP API (domain search endpoint)
  • Credential leak alerts with affected user count
  • CT log watching via crt.sh API (new certs for monitored domains)
  • Typosquatting detection (Levenshtein distance on domain names)
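
Typosquat scoring for the feature above, as an added example rather than Arete's breach-scanner code. It implements Levenshtein distance and adds a homoglyph fold so that substitutions like rn for m or 3 for e are caught at distance 0 instead of slipping past a threshold; the homoglyph table, the comparison on the first DNS label only and the default threshold of 2 are assumptions of this example.

```typescript
// Added example, not Arete code. Typosquat candidates for a monitored domain,
// ranked by Levenshtein distance on the first label after folding common
// homoglyphs. Table, label simplification and threshold are this example's own.

const HOMOGLYPHS: Array<[RegExp, string]> = [
  [/rn/g, "m"], [/vv/g, "w"], [/0/g, "o"], [/[1l]/g, "i"], [/5/g, "s"], [/3/g, "e"],
];

// Lower-case a label and collapse look-alike sequences to one canonical form,
// so "ar3te" folds to "arete" and "rnicrosoft" folds to "microsoft".
export function fold(label: string): string {
  return HOMOGLYPHS.reduce((s, [re, rep]) => s.replace(re, rep), label.toLowerCase());
}

// Classic single-row dynamic-programming edit distance.
export function levenshtein(a: string, b: string): number {
  const row: number[] = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0] ?? 0;    // d[i-1][j-1]
    row[0] = i;                // d[i][0]
    for (let j = 1; j <= b.length; j++) {
      const up = row[j] ?? 0;  // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, (row[j - 1] ?? 0) + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length] ?? 0;
}

export interface TyposquatHit { candidate: string; distance: number; reason: string; }

// Compares the first label of each candidate with the first label of the
// monitored domain, both raw and folded, and keeps the closer of the two.
export function scoreCandidates(monitored: string, candidates: string[], maxDistance = 2): TyposquatHit[] {
  const base = (monitored.split(".")[0] ?? "").toLowerCase();
  const hits: TyposquatHit[] = [];
  for (const candidate of candidates) {
    if (candidate.toLowerCase() === monitored.toLowerCase()) continue;
    const label = (candidate.split(".")[0] ?? "").toLowerCase();
    const raw = levenshtein(base, label);
    const folded = levenshtein(fold(base), fold(label));
    const distance = Math.min(raw, folded);
    if (distance > maxDistance) continue;
    const reason =
      distance === 0 && label === base ? "same label, different TLD"
      : folded < raw ? "homoglyph look-alike"
      : "edit distance";
    hits.push({ candidate, distance, reason });
  }
  return hits.sort((x, y) => x.distance - y.distance);
}
```

Candidates come from the CT log and passive DNS feeds already described for M11 and M54; a production version would also compare against the registrable domain as determined by the public suffix list rather than the first label, and expand the homoglyph table to IDN confusables.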

Reuse

Arete's existing breach-scanner module + C:\GIT\breach-intel repo structure.

MODULE M15
Bitwarden Vault Analysis
Password health scoring from Bitwarden export. All client-side processing (no passwords sent to server).

Reuse

C:\GIT\Argus (SvelteKit + D3.js). Port 10 visualization tabs to React: Sankey (password reuse flow), Network (site connections), Bubble (strength), Treemap (categories). Keep IndexedDB for local persistence.

MODULE M16
Backup Catalog
Unified backup metadata from Kopia, PBS, rclone. Query interface for cross-vendor backup inventory.

Reuse

/opt/backup-catalog/ PostgreSQL schema + collector scripts. Build React frontend for query.sh CLI capabilities (status, recent, missing, size).

MODULE M17
NinjaOne Automation Suite
Visual management interface for the 6-script NinjaOne reboot automation system.

Features

  • Reboot schedule management (create, modify, cancel)
  • State machine visualization (Idle → Scheduled → Rebooting → Complete/Failed)
  • Compliance dashboard (uptime days vs 30-day policy)
  • Audit trail viewer (append-only history per device)

Reuse

6 PowerShell scripts + 20 custom field definitions from G:\Documents\Bidness\NinjaOne\scripts\. 8 Mermaid architecture diagrams from Architecture-Diagrams.md.

MODULE M18
API Documentation Hub
Searchable API reference with try-it-now endpoint tester.

Reuse

10 standardized API docs from G:\Documents\Bidness\API-Standards\ (AFI 22KB, NinjaOne 24KB, Sophos 13KB, Tenable 12KB, ThreatLocker 9KB, ScalePad 11KB, Atlassian 14KB, Microsoft Graph 17KB, Partner Center 16KB, Keeper 15KB). Parse markdown → render with syntax highlighting + interactive endpoint tester.

MODULE M19
Client Onboarding Wizard
New Module
Guided step-by-step workflow for onboarding new MSP clients into the platform. Automates tenant provisioning, API connections, and initial data sync.

Features

  • Step-by-step wizard: Progress bar, save & resume, back/forward navigation. Steps: Company Info → Service Tier → API Credentials → Initial Sync → Monitor Setup → Review
  • Checklist generator: Auto-generate onboarding checklist based on service tier (M365, infrastructure-only, full-stack managed)
  • Auto-provision: Create Arete tenant, invite initial users, connect APIs with validation, set default monitors and alert policies
  • Document collection: Upload agreements, licenses, network diagrams. Stored as ClientDocuments (shared with M27)
  • Integration kickoff: Auto-trigger first sync for all connected services (backup, security, M365). Show real-time sync progress
  • Template library: Customizable onboarding templates per service tier. Clone and modify for specific client needs
  • Time-to-value tracking: Measure days from signup to full monitoring coverage. Dashboard metric for M1

API Endpoints

POST   /api/v1/onboarding/workflows              -> Create new onboarding
GET    /api/v1/onboarding/workflows/:id           -> Get workflow status
PATCH  /api/v1/onboarding/workflows/:id/steps/:n  -> Complete/update step
GET    /api/v1/onboarding/templates                -> List templates
POST   /api/v1/onboarding/templates                -> Create template
POST   /api/v1/onboarding/workflows/:id/provision  -> Trigger auto-provisioning
GET    /api/v1/onboarding/metrics                  -> Time-to-value stats
MODULE M20
Compliance Framework Tracker
New Module
Map client security posture against industry compliance frameworks. Auto-collect evidence from other Arete modules to satisfy control requirements.

Supported Frameworks

Framework | Controls | Primary Data Sources
ACSC Essential Eight | 8 strategies, 4 maturity levels | M23 Patching, M3 Security, M9 M365
CIS Controls v8 | 18 controls, 153 safeguards | M3, M8, M9, M23, M28
NIST CSF 2.0 | 6 functions, 22 categories | All security modules
ISO 27001:2022 | 93 controls, 4 themes | All modules
SOC 2 Type II | 5 trust services criteria | M3, M6, M25, M14

Features

  • Per-client maturity matrix: Control → status (not implemented/partial/implemented) → evidence links. Color-coded heatmap view
  • Auto-evidence collection: Pull data from security modules (M3 vulns, M4 email auth, M9 MFA status, M23 patch compliance) to auto-satisfy controls
  • Gap analysis: Prioritized remediation roadmap with effort estimates. Link gaps to playbooks (M21) for resolution
  • Audit-ready reports: PDF report with timestamped evidence snapshots. Generated via M10 Reporting Engine
  • Compliance score trending: Track % compliance over time per framework per client. Chart.js line graph
  • Control-to-module mapping: Visual matrix showing which Arete modules satisfy which compliance controls

API Endpoints

GET    /api/v1/compliance/frameworks                     -> Framework[]
GET    /api/v1/compliance/clients/:clientId               -> ClientComplianceSummary
GET    /api/v1/compliance/clients/:clientId/:frameworkId  -> ControlStatusMatrix
POST   /api/v1/compliance/evidence/collect/:clientId      -> Trigger auto-evidence collection
GET    /api/v1/compliance/gaps/:clientId                  -> PrioritizedGap[]
GET    /api/v1/compliance/scores/:clientId/trend          -> ComplianceTrend[]
MODULE M21
Automated Playbooks / Remediation
New Module
Codified response procedures for common MSP scenarios. Visual flow builder with trigger-based execution, manual gates, and automated API actions.

Built-in Playbooks

Playbook | Trigger | Steps
Ransomware Response | M3 threat alert (severity=critical) | Isolate device → Notify team → Collect evidence → Create ticket → Manager approval → Begin remediation
New User Onboarding | Manual or M7 ticket type match | Create M365 account → Assign licenses → Set MFA → Add to groups → Send welcome email
User Offboarding | Manual or M7 ticket type match | Block sign-in → Revoke sessions → Convert to shared mailbox → Remove licenses → Archive
Backup Failure | M2 backup status=failed (3+ consecutive) | Alert tech → Check vendor status → Retry backup → Escalate if still failing → Create ticket
Phishing Incident | Manual or M14 breach detection | Block sender → Purge emails → Reset affected passwords → MFA re-enroll → Report → User training
Domain Expiry Warning | M5 domain expiry < 30 days | Alert admin → Check auto-renew → Verify payment method → Confirm renewal → Update records

Features

  • Visual builder: Flowchart-style editor. Drag & drop step types: Manual, Automated (API call), Approval (manager gate), Notification, Conditional (if/else), Delay
  • Trigger engine: Alerts from any module can trigger playbooks. Configurable conditions (severity, count threshold, time window)
  • SLA timers: Per-step time limits. Auto-escalate if overdue. Visual countdown in execution view
  • Execution audit trail: Full history with timestamps, actors, inputs/outputs. Compliance-ready logging
  • Playbook versioning: Edit creates new version. Rollback to previous. Side-by-side diff view
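
The condition evaluator a trigger engine needs, as an added example that is not Arete's code. It models the severity, count-threshold and time-window conditions listed above and the "3+ consecutive" backup rule from the playbook table, where a successful backup in between resets the streak; the Alert and TriggerRule shapes, the module codes on alerts and the in-memory Map are assumptions of this example, and a real engine would persist the streak state.

```typescript
// Added example, not Arete code. Trigger evaluation for playbooks: a rule
// fires for a client when `threshold` matching alerts arrive within
// `windowMs`. Alert and rule shapes are this example's own.

export type Severity = "low" | "medium" | "high" | "critical";

export interface Alert {
  ts: number;          // epoch ms
  module: string;      // e.g. "M2", "M3"
  clientId: string;
  severity: Severity;
  status?: string;     // e.g. backup "failed" / "ok"
}

export interface TriggerRule {
  playbook: string;
  module: string;
  minSeverity?: Severity;
  status?: string;     // when set, a same-module alert with another status resets the streak
  threshold: number;   // alerts needed; 1 = fire immediately
  windowMs: number;
}

const RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

export class TriggerEngine {
  private readonly rules: TriggerRule[];
  private readonly streaks = new Map<string, number[]>(); // `${playbook}|${clientId}` -> timestamps

  constructor(rules: TriggerRule[]) {
    this.rules = rules;
  }

  private matches(rule: TriggerRule, a: Alert): boolean {
    if (a.module !== rule.module) return false;
    if (rule.minSeverity && RANK[a.severity] < RANK[rule.minSeverity]) return false;
    if (rule.status && a.status !== rule.status) return false;
    return true;
  }

  // Feed one alert; returns the playbooks that should start now.
  ingest(a: Alert): string[] {
    const fired: string[] = [];
    for (const rule of this.rules) {
      const key = `${rule.playbook}|${a.clientId}`;
      if (!this.matches(rule, a)) {
        // A same-module alert with a different status (a backup that succeeded)
        // breaks a "consecutive failures" streak.
        if (a.module === rule.module && rule.status) this.streaks.delete(key);
        continue;
      }
      const recent = (this.streaks.get(key) ?? []).filter((t) => a.ts - t < rule.windowMs);
      recent.push(a.ts);
      if (recent.length >= rule.threshold) {
        fired.push(rule.playbook);
        this.streaks.delete(key); // count from zero again after firing
      } else {
        this.streaks.set(key, recent);
      }
    }
    return fired;
  }
}

// Rules mirroring two rows of the built-in playbook table above.
export const DEMO_RULES: TriggerRule[] = [
  { playbook: "Ransomware Response", module: "M3", minSeverity: "critical", threshold: 1, windowMs: 60_000 },
  { playbook: "Backup Failure", module: "M2", status: "failed", threshold: 3, windowMs: 3 * 24 * 3_600_000 },
];
```

Each playbook name returned by ingest becomes a PlaybookExecution; the engine deletes the streak on firing so a still-failing backup does not start a second execution on every subsequent alert while the first is being worked.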

API Endpoints

GET    /api/v1/playbooks                          -> Playbook[]
POST   /api/v1/playbooks                          -> Create playbook
GET    /api/v1/playbooks/:id                      -> PlaybookDetail (with steps)
POST   /api/v1/playbooks/:id/execute              -> Trigger manual execution
GET    /api/v1/playbooks/executions                -> PlaybookExecution[] (active + history)
PATCH  /api/v1/playbooks/executions/:id/steps/:n  -> Complete step (manual/approval)
MODULE M22
Client Profitability Analysis
New Module
Financial visibility into per-client and per-service profitability. Combines PSA revenue data with actual technician effort to reveal true margins.

Features

  • Revenue vs cost per client: Agreement MRR vs actual technician time × loaded rate. Traffic light margin indicator (green >40%, amber 20-40%, red <20%)
  • Service margin breakdown: Split by managed services (recurring), projects, break-fix. Stacked bar chart per client
  • Technician utilization: Billable hours / available hours gauge. Effective hourly rate (revenue / hours). Compare across team
  • Client health quadrant: Scatter plot: X=profitability, Y=satisfaction (CSAT from M66). Quadrants: Stars (high/high), Cash Cows (high prof/low sat), Problem Children (low prof/high sat), Dogs (low/low)
  • Agreement optimization: Flag under-priced agreements where actual effort exceeds agreement value by >20%. Suggest price adjustment amount
  • MRR trends: Monthly recurring revenue trending with growth rate. Churn risk indicators (declining tickets, missed SLAs, low engagement)
  • What-if modelling: Slider for price change → show projected impact on margin. "If we increase Client X by $500/mo, margin goes from 15% to 32%"

Data Sources

Source | Data | Via
ConnectWise Manage | Agreements, invoices, time entries, billing rates | M7 connector (extended)
NinjaOne | Device counts per client (cost driver) | NinjaOne connector
Internal config | Technician loaded rates, overhead allocation | Settings UI

API Endpoints

GET    /api/v1/profitability/clients              -> ClientProfitability[]
GET    /api/v1/profitability/clients/:id           -> ClientProfitabilityDetail
GET    /api/v1/profitability/technicians           -> TechnicianUtilization[]
GET    /api/v1/profitability/agreements/flagged    -> UnderPricedAgreement[]
GET    /api/v1/profitability/mrr/trend             -> MrrTrendData
POST   /api/v1/profitability/what-if               -> WhatIfResult
MODULE M23
Patch Management Dashboard
New Module
Centralized view of OS and third-party patch compliance across all managed endpoints. Supports patch rings for staged rollouts.

Features

  • Compliance grid: Per-device, per-update matrix. Status: Installed (green), Pending (amber), Failed (red), Excluded (grey). Filterable by client, OS, severity
  • Critical/zero-day tracking: Highlight critical patches with SLA countdown timer. Alert when SLA about to breach
  • Patch rings: Test (5% devices) → Pilot (20%) → Broad (75%). Auto-promote after X days with no failures. Ring membership configurable per client
  • Third-party patching: Chrome, Firefox, Adobe, Java, 7-Zip, etc. Track version currency across fleet
  • Reboot-pending tracking: Devices needing reboot after patch install. Ties into M17 NinjaOne Automation for scheduled reboots
  • Historical trending: Compliance % over time per client. Line chart with 30/60/90 day view
  • Patch Tuesday digest: Auto-generated summary of monthly Microsoft patches. Risk-rated (critical count, zero-day count, affected products)

API Endpoints

GET    /api/v1/patching/compliance                -> ComplianceSummary (by client)
GET    /api/v1/patching/devices/:deviceId          -> DevicePatchStatus
GET    /api/v1/patching/critical                   -> CriticalPatch[] (with SLA)
GET    /api/v1/patching/rings                      -> PatchRingConfig[]
PATCH  /api/v1/patching/rings/:id                  -> Update ring config
GET    /api/v1/patching/trend/:clientId             -> ComplianceTrend[]
GET    /api/v1/patching/digest/:month              -> PatchTuesdayDigest
MODULE M24
Backup DR Testing & Verification
New Module
Scheduled backup restore testing with automated verification and evidence collection. Maintains per-client DR runbooks.
✅ ABSORBS M69 (Backup Testing): Adds restorability scoring (confidence score per backup set), auto-ticket on restore failure (M7 integration), test types (file-level, VM-level, application-level for M365 mailboxes/SharePoint), and evidence trail feeding M67 Insurance evidence.

Features

  • Scheduled restore verification: Define test schedule per client (monthly, quarterly). Auto-trigger test restore from latest backup
  • Screenshot verification: Boot VM from backup image, wait for OS load, capture screenshot, AI-verify successful boot (green checkmark or red X)
  • File-level integrity: Restore random sample of files, compare checksums against source. Report % integrity
  • DR runbook per client: Document RTO/RPO targets, restore priority order (AD → Email → LOB apps), contact chain, failover procedures
  • Test result history: Pass/fail trending over time. Last successful test date prominently displayed. Alert if overdue
  • Compliance certificates: Auto-generate "Backup tested and verified on [date]" PDF certificates. Tied to M20 compliance evidence
  • Failover simulation: Track DR rehearsal exercises. Measure actual RTO vs target. Document deviations and improvements

API Endpoints

GET    /api/v1/dr/tests                           -> DrTest[] (scheduled + completed)
POST   /api/v1/dr/tests                           -> Schedule new test
GET    /api/v1/dr/tests/:id/results               -> DrTestResult[]
GET    /api/v1/dr/runbooks/:clientId               -> DrRunbook (with steps)
PUT    /api/v1/dr/runbooks/:clientId               -> Update runbook
GET    /api/v1/dr/certificates/:testId             -> PDF certificate (stream)
GET    /api/v1/dr/compliance/:clientId              -> DR compliance status
MODULE M25
Change Management / RFC Tracker
New Module
Lightweight ITIL-aligned change management for MSP operations. RFC submission, CAB approval workflow, change calendar, and post-implementation review.

Workflow

Draft → Submitted → Under Review (CAB) → Approved/Rejected → Scheduled → Implementing → Verifying → Complete
                                                          ↓
                                               Emergency Fast-Track (retrospective required)

Features

  • RFC submission form: Title, description, affected systems, risk assessment (auto-scored), rollback plan, implementation window, testing plan
  • Risk matrix: Auto-score based on: scope (single device vs infrastructure-wide), timing (business hours vs maintenance window), systems affected (critical vs non-critical), reversibility
  • CAB approval: Configurable approvers per risk level. Low risk = auto-approve. Medium = single approver. High = full CAB. Email/Teams notifications
  • Change calendar: Visual timeline of all scheduled changes across clients. Conflict detection (overlapping maintenance windows)
  • Post-implementation review: Mandatory for high-risk changes. Success/failure, lessons learned, actual vs planned duration
  • Emergency changes: Fast-track path that skips CAB but requires retrospective review within 48 hours
  • Integration: Link changes to tickets (M7), playbooks (M21), maintenance windows (M6). Auto-create ticket when change is approved

API Endpoints

GET    /api/v1/changes                            -> ChangeRequest[] (with filters)
POST   /api/v1/changes                            -> Submit RFC
GET    /api/v1/changes/:id                        -> ChangeRequestDetail
PATCH  /api/v1/changes/:id/approve                -> CAB approval action
PATCH  /api/v1/changes/:id/implement              -> Mark as implementing
POST   /api/v1/changes/:id/review                 -> Submit post-implementation review
GET    /api/v1/changes/calendar                   -> ChangeCalendarData
MODULE M26
AI Copilot Chat
New Module
Natural language interface to query all platform data, generate reports, and take actions across modules. Powered by Claude/OpenAI function calling against Arete's internal API.

Example Queries

Natural Language Input | Module(s) Queried | Response Type
"Which clients have failing backups this week?" | M2 | Table of clients with failure counts
"Generate a QBR for Nexia covering last quarter" | M1-M7, M10 | PDF report via Reporting Engine
"What's the security score trend for all clients?" | M3 | Chart (sparklines per client)
"Create a ticket for Construction Control about their SPF record" | M7 | Action confirmation + ticket link
"Show me all domains expiring in the next 60 days" | M5 | Sorted table with costs
"What playbooks ran last week?" | M21 | Execution summary table

Features

  • Chat interface: Persistent sidebar or full-page chat. Markdown rendering for responses. Code blocks for technical output
  • Context-aware: Knows current user, tenant scope, active page/module. "Show me more details on this client" works from any module
  • Function calling: Claude/OpenAI function calling against all Arete API endpoints. Each tool call is executed with the requesting user's own JWT, so RBAC and tenant scope apply exactly as for a direct API request. Read-only (GET) tools run by default; write actions require a confirmation modal that shows the exact request before it is sent
  • Knowledge base: RAG over ticket history, KB articles, past incidents using pgvector embeddings (M7 infrastructure)
  • Suggested questions: Based on current alerts and anomalies. "3 clients have failing backups — want to see details?"
  • Multi-modal: Accept screenshot uploads (error messages), return charts/tables inline in chat. Text extracted from uploads and passages retrieved for RAG are untrusted model input (they can contain instructions), so they must never be able to trigger a write action without the same confirmation step as a typed request
  • Conversation history: Persistent conversations per user. Searchable. Share conversations with team

Tech Stack

// AI Provider: Claude API (preferred) or OpenAI, configurable per tenant
// Function definitions: Auto-generated from Arete's OpenAPI spec
// Embeddings: Ollama local or OpenAI text-embedding-ada-002 for RAG
// Streaming: Server-Sent Events for real-time token delivery
// Rate limiting: Per-user token budget (configurable)
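The "auto-generated from the OpenAPI spec" and "read-only by default, writes need confirmation" points above are the security boundary of the copilot, so here is an added example of that gate. It is not Arete's code: the mini OpenAPI document, the operation IDs and the injected HTTP client are constructed for the example, and the client is synchronous only to keep the block self-contained. The properties it enforces are that the model can call only operations present in the registry, that write methods stop at a confirmation step carrying the exact request, and that every request is sent with the user's own bearer token rather than a service identity.

```typescript
// Added example (not Arete project code): tool registry from an OpenAPI
// document plus the execution gate. Spec, names and HTTP client are constructed.

type Method = 'get' | 'post' | 'put' | 'patch' | 'delete';

interface OpenApiParam { name: string; in: 'path' | 'query'; required?: boolean }
interface OpenApiOperation { operationId: string; summary?: string; parameters?: OpenApiParam[] }
interface OpenApiDoc { paths: Record<string, Partial<Record<Method, OpenApiOperation>>> }

interface Tool {
  name: string;     // what the model sees: the operationId
  method: Method;
  path: string;     // template such as /api/v1/changes/{id}
  write: boolean;   // anything that is not GET
  params: OpenApiParam[];
}

function toolsFromSpec(doc: OpenApiDoc): Map<string, Tool> {
  const tools = new Map<string, Tool>();
  for (const [path, ops] of Object.entries(doc.paths)) {
    for (const method of Object.keys(ops) as Method[]) {
      const op = ops[method];
      if (!op) continue;
      tools.set(op.operationId, { name: op.operationId, method, path, write: method !== 'get', params: op.parameters ?? [] });
    }
  }
  return tools;
}

interface HttpRequest { method: Method; url: string; headers: Record<string, string>; body?: unknown }
interface HttpResponse { status: number; body: unknown }
interface CallContext { userJwt: string; confirmed: boolean } // confirmed = user accepted the modal for this call

type Outcome =
  | { kind: 'rejected'; reason: string }
  | { kind: 'confirmation_required'; preview: HttpRequest }
  | { kind: 'executed'; response: HttpResponse };

function buildRequest(tool: Tool, args: Record<string, unknown>, userJwt: string): HttpRequest {
  let url = tool.path;
  const query: string[] = [];
  const used = new Set<string>();
  for (const p of tool.params) {
    const v = args[p.name];
    if (v === undefined) { if (p.required) throw new Error(`missing ${p.in} parameter ${p.name}`); continue; }
    used.add(p.name);
    if (p.in === 'path') url = url.replace(`{${p.name}}`, encodeURIComponent(String(v)));
    else query.push(`${encodeURIComponent(p.name)}=${encodeURIComponent(String(v))}`);
  }
  // Leftover arguments become the JSON body of a write call; a read tool
  // is not allowed to smuggle a body.
  const body: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(args)) if (!used.has(k)) body[k] = v;
  if (Object.keys(body).length > 0 && !tool.write) throw new Error('read-only tool given body fields');
  return {
    method: tool.method,
    url: query.length ? `${url}?${query.join('&')}` : url,
    headers: { authorization: `Bearer ${userJwt}` }, // the caller's token, never a service account
    body: tool.write ? body : undefined,
  };
}

function runToolCall(
  registry: Map<string, Tool>,
  call: { name: string; args: Record<string, unknown> },
  ctx: CallContext,
  http: (req: HttpRequest) => HttpResponse, // injected; a real client would be async fetch
): Outcome {
  const tool = registry.get(call.name);
  if (!tool) return { kind: 'rejected', reason: `unknown tool ${call.name}` }; // model may only use registered operations
  let req: HttpRequest;
  try { req = buildRequest(tool, call.args, ctx.userJwt); }
  catch (e) { return { kind: 'rejected', reason: (e as Error).message }; }
  if (tool.write && !ctx.confirmed) return { kind: 'confirmation_required', preview: req };
  return { kind: 'executed', response: http(req) };
}

// Constructed mini-spec covering two endpoints from this blueprint.
const SAMPLE_SPEC: OpenApiDoc = {
  paths: {
    '/api/v1/changes': {
      get: { operationId: 'listChanges', parameters: [{ name: 'status', in: 'query' }] },
      post: { operationId: 'submitRfc' },
    },
    '/api/v1/changes/{id}/approve': {
      patch: { operationId: 'approveChange', parameters: [{ name: 'id', in: 'path', required: true }] },
    },
  },
};
```

The `confirmation_required` outcome carries the fully built request, which is what the confirmation modal should render: the user confirms a specific method, URL and body, not a paraphrase produced by the model.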

API Endpoints

POST   /api/v1/copilot/chat                       -> Stream chat response (SSE)
GET    /api/v1/copilot/conversations                -> UserConversation[]
GET    /api/v1/copilot/conversations/:id            -> ConversationDetail
DELETE /api/v1/copilot/conversations/:id            -> Delete conversation
GET    /api/v1/copilot/suggestions                  -> SuggestedQuestion[]
MODULE M27
Client Portal (Branded, Client-Facing)
New Module
White-labeled portal for clients to view their own service status, submit tickets, access documents, and approve changes. Separate from the main MSP interface.

Features

  • Custom branding: Logo, primary/accent colors, company name, custom domain (client.arete.dev or client's own domain via CNAME). Auto-logo population via logo.dev API — client logos fetched by domain name, no manual upload needed. Fallback: professional monogram generated automatically
  • Client dashboard: Their backup status (M2), security score (M3), open tickets (M7), uptime (M6). Simplified KPI cards
  • Ticket management: Submit new tickets with category picker. View open/closed tickets. Add notes/attachments. Limited to their own tickets only
  • Document library: Access SOWs, reports, compliance certificates, network diagrams. Uploaded by MSP via M19 onboarding or manually
  • Approval workflows: Approve change requests (M25), acknowledge security alerts, authorize emergency access
  • Service catalog: Request new services (new user, license change, hardware). Auto-creates ticket in M7
  • Satisfaction surveys: Post-ticket CSAT (1-5 stars + comment). Periodic NPS survey (quarterly). Results feed into M22 client health
  • Self-service: Password reset requests, user onboarding requests, contact info updates

Auth

Separate authentication from MSP staff. Options: a Zitadel organization per client (Zitadel's tenant unit), magic link (email verification), or M365 SSO (Entra ID OpenID Connect, with Graph API for user lookup). Portal sessions are issued for the portal only and are bound to one client; every scoped endpoint takes the client from the session, never from a request parameter or body. The branding config endpoints are MSP-staff operations. No access to other clients' data.

API Endpoints

GET    /api/v1/portal/config/:clientId             -> PortalConfig + Branding
PUT    /api/v1/portal/config/:clientId             -> Update branding
GET    /api/v1/portal/dashboard                    -> ClientDashboard (scoped)
GET    /api/v1/portal/tickets                      -> ClientTicket[] (their tickets only)
POST   /api/v1/portal/tickets                      -> Submit ticket
GET    /api/v1/portal/documents                    -> ClientDocument[]
POST   /api/v1/portal/surveys                      -> Submit survey response
GET    /api/v1/portal/services                     -> ServiceCatalog[]
POST   /api/v1/portal/services/request             -> Request service
MODULE M28
Network Discovery & Mapping
New Module
Automated network topology discovery and interactive visualization. Identifies devices, maps connections, and detects rogue endpoints.

Features

  • Auto-discovery: Scan subnets via agent (NinjaOne script or dedicated agent). ARP table collection, SNMP queries, optional nmap. Classify: server, workstation, network device, printer, IoT, unknown
  • Interactive topology map: D3.js force-directed graph. Nodes = devices (colored by type), edges = connections. Click node for details. Zoom/pan. Filter by subnet/VLAN
  • VLAN & subnet visualization: Visual subnet layout showing IP usage, DHCP range, gateway. Color-code by utilization (%)
  • Rogue device detection: Alert on unknown MAC addresses not in known device inventory. Auto-flag and notify. Compare against M8 asset inventory
  • Port/service inventory: Per-device list of open ports and detected services. Flag unexpected services (e.g., RDP on workstation)
  • Historical tracking: Device first-seen/last-seen dates. IP change history. Device disappearance alerts
  • Export: CSV device inventory, SVG/PNG topology diagram, Visio-compatible XML
  • M8 reconciliation: Compare discovered devices against asset inventory. Flag unmanaged devices. Suggest additions

API Endpoints

POST   /api/v1/network/scans                      -> Trigger subnet scan
GET    /api/v1/network/scans/:id                   -> ScanResult (with devices)
GET    /api/v1/network/devices/:clientId            -> DiscoveredDevice[]
GET    /api/v1/network/topology/:clientId           -> TopologyGraph (nodes + edges)
GET    /api/v1/network/subnets/:clientId            -> SubnetConfig[]
GET    /api/v1/network/rogue/:clientId              -> RogueDevice[]
GET    /api/v1/network/devices/:deviceId/history    -> DeviceHistory[]
MODULE M29
Cloud Cost Optimizer
New Module
Multi-cloud cost tracking and optimization across Azure, AWS, and M365 licensing. Identifies savings opportunities and detects cost anomalies.

Features

  • Multi-cloud dashboard: Aggregate spend per client across Azure, AWS, M365. Monthly trend with MoM change %. Breakdown by service/resource group
  • M365 license optimization: Identify unused licenses (last sign-in > 90 days). Downgrade recommendations (E5 → E3 if premium features unused). Monthly savings projection
  • Azure right-sizing: VM CPU/memory utilization analysis. Recommendations: downsize over-provisioned, shut down idle, convert to reserved instances
  • Reserved instance advisor: Compare on-demand vs 1yr vs 3yr reserved pricing. Show break-even point. Recommend based on usage patterns
  • Cost anomaly detection: ML-based baseline per client/service. Alert on spend > 2σ above baseline. Investigate: which resource caused the spike
  • Budget tracking: Set monthly thresholds per client/service. Alert at 80%, 100%, 120%. Visual burn-rate gauge
  • Savings report: Monthly summary: implemented savings, potential savings, recommendations. PDF export for client QBR
  • Chargeback/showback: Allocate shared infrastructure costs to departments/cost centers using tagging
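The "2σ above baseline" rule and the 80/100/120% budget alerts are simple enough that the interesting part is the edge cases a real billing feed hits: too few months of history, and a perfectly flat history where σ = 0 would flag any increase at all. The block below is an added example, not Arete's code; the minimum-sample count and the 5%-of-mean floor on the band are assumptions.

```typescript
// Added example (not Arete project code): spend baseline with a 2σ band and
// stepped budget alerts. minSamples and the 5% floor are assumptions.

interface AnomalyResult { anomaly: boolean; mean: number; sigma: number; threshold: number; reason?: string }

function spendAnomaly(history: number[], latest: number, minSamples = 3): AnomalyResult {
  if (history.length < minSamples) {
    // Not enough months to say what "normal" is; do not alert on guesswork.
    return { anomaly: false, mean: NaN, sigma: NaN, threshold: NaN, reason: 'insufficient baseline' };
  }
  const n = history.length;
  const mean = history.reduce((a, b) => a + b, 0) / n;
  const variance = history.reduce((a, b) => a + (b - mean) ** 2, 0) / (n - 1); // sample variance
  const sigma = Math.sqrt(variance);
  // A flat history gives sigma = 0 and would flag any increase, so the band
  // is floored at 5% of the mean (assumption).
  const band = Math.max(2 * sigma, 0.05 * mean);
  const threshold = mean + band;
  return { anomaly: latest > threshold, mean, sigma, threshold };
}

const BUDGET_STEPS = [80, 100, 120] as const;

// Returns the thresholds crossed that have not already been alerted on, so a
// client sitting at 95% does not get the 80% alert again every hour.
function budgetAlerts(spend: number, monthlyBudget: number, alreadySent: number[] = []): number[] {
  if (monthlyBudget <= 0) return [];
  const pct = (spend / monthlyBudget) * 100;
  return BUDGET_STEPS.filter(step => pct >= step && !alreadySent.includes(step));
}
```

Per the feature list the baseline is kept per client and per service; the same function applies at either grain, the only difference is which history series is passed in.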

Connectors

Provider | API | Auth | Key Data
Azure | Cost Management API | Service principal (OAuth2 client credentials) | Usage details, reservations, budgets, advisor recommendations
AWS | Cost Explorer API | IAM access key (read-only Cost Explorer policy) | Cost and usage, reserved instance coverage, savings plans
M365 | Graph API (reuse M9) | OAuth2 (delegated) | License usage, sign-in activity, subscription pricing

API Endpoints

GET    /api/v1/cloud-cost/summary/:clientId        -> CostSummary (all providers)
GET    /api/v1/cloud-cost/trend/:clientId           -> MonthlyCostTrend[]
GET    /api/v1/cloud-cost/licenses/:clientId        -> LicenseUtilization[]
GET    /api/v1/cloud-cost/recommendations/:clientId -> CostRecommendation[]
GET    /api/v1/cloud-cost/anomalies/:clientId       -> CostAnomaly[]
GET    /api/v1/cloud-cost/budgets/:clientId         -> CostBudget[]
PUT    /api/v1/cloud-cost/budgets/:clientId         -> Set budget thresholds
GET    /api/v1/cloud-cost/savings-report/:clientId  -> MonthlySavingsReport
MODULE M30
Space & Parking Management
Already Built
Production-grade desk, room, and parking booking system with approval workflows, calendar sync, and analytics. Already implemented with 60+ endpoints and 752-line service. Reuse: src/modules/space-booking/

Features (Already Implemented)

  • 7 space types: Desk, Hot Desk, Room, Meeting Room, Phone Booth, Locker, Parking (with 7 subtypes: standard, compact, accessible, ev, reserved, motorcycle, bicycle)
  • Approval workflows: Configurable per space type, manager approval chain, auto-approve for recurring bookings
  • Calendar sync: Google Calendar, Outlook (CalDAV), bidirectional sync with conflict detection
  • Booking rules engine: Max duration, advance booking limits, check-in/check-out, no-show auto-cancel
  • Floor plans: Interactive SVG with clickable spaces, real-time availability overlay
  • Analytics: Utilization heatmaps, peak usage patterns, space ROI calculations
  • 5 BullMQ workers: Reminder notifications, waitlist processing, recurring booking generation, check-in enforcement, analytics aggregation

API (60+ existing endpoints)

GET    /api/v1/spaces                    -> PaginatedSpaces
POST   /api/v1/bookings                  -> Create booking
GET    /api/v1/bookings/calendar          -> Calendar view
POST   /api/v1/bookings/:id/check-in     -> Check in
GET    /api/v1/analytics/utilization      -> Heatmap data
// ... 55+ more endpoints already built
MODULE M31
Procurement & Stock Tool
New Module
Product lookup, inventory management, purchase order tracking, and distributor price comparison. Future integrations with QuoteWerks and ConnectWise Sell for quote-to-order workflow.

Features

  • Product catalog: Search by serial, model, product name. Live search with autocomplete. Product images, specs, compatibility info
  • Inventory tracking: Quantity on hand, reorder points, location tracking (warehouse, client site, in transit)
  • Purchase orders: Create PO, track status (draft/submitted/approved/shipped/received), line items with quantities and pricing
  • Distributor pricing: Compare prices across Dicker Data, Synnex, Ingram Micro, Westcon-Comstor APIs. Show cheapest source for each product
  • Quote-to-order: Generate client quotes from catalog, convert approved quotes to POs. Future: QuoteWerks and CW Sell integration
  • Cost tracking: Per-item cost history, bulk pricing tiers, shipping cost estimation
  • Vendor catalog sync: Auto-import product catalogs from distributor APIs. Daily price refresh

API Endpoints

GET    /api/v1/procurement/products               -> ProductCatalog (search/filter)
GET    /api/v1/procurement/products/:id            -> ProductDetail
GET    /api/v1/procurement/inventory               -> InventoryList
POST   /api/v1/procurement/purchase-orders          -> Create PO
GET    /api/v1/procurement/pricing/:productId       -> DistributorPricing[]
POST   /api/v1/procurement/quotes                   -> Create quote
POST   /api/v1/procurement/quotes/:id/convert       -> Convert to PO
MODULE M32
QBR Generator
New Module
⚠️ CONSOLIDATION NOTE: This module is merged into M10 (Reporting Engine). QBR is a specialized report template — implement cross-module data pull, AI executive summary, trend comparison, and scheduled quarterly generation as an M10 report type/template.
Auto-generate Quarterly Business Review reports by pulling data from ALL platform modules. Branded PDF/presentation with AI-generated executive summaries.

Features

  • Cross-module data pull: M2 backup compliance, M3 security score, M6 uptime SLA, M7 ticket trends, M20 compliance maturity, M22 profitability, M23 patch status, M29 cloud costs, M63 health score
  • Branded output: Client logo, colors, MSP branding. PDF and PowerPoint formats via M10 Reporting Engine
  • AI executive summary: Claude/OpenAI generates natural language summary of quarter highlights, risks, recommendations (via M26 Copilot)
  • Trend comparison: This quarter vs last quarter. Improvement/degradation indicators with percentage change
  • Customizable sections: Drag-and-drop section ordering. Include/exclude modules per client. Custom narrative sections
  • Scheduled generation: Auto-generate on quarterly cadence (configurable start dates). Email delivery to client contacts

API Endpoints

POST   /api/v1/qbr/generate/:clientId              -> Generate QBR
GET    /api/v1/qbr/templates                        -> QbrTemplate[]
GET    /api/v1/qbr/history/:clientId                -> QbrReport[]
GET    /api/v1/qbr/preview/:clientId                -> QbrPreviewData
PATCH  /api/v1/qbr/schedules/:clientId              -> Update schedule
MODULE M33
Vendor & Distributor Hub
New Module
Track vendor relationships, contracts, pricing agreements, and distributor account management. Feeds M31 Procurement for live pricing data.

Features

  • Vendor directory: Contact info, account managers, support portals, SLA terms per vendor
  • Contract management: Track agreement terms, renewal dates, pricing tiers, discount structures
  • Distributor accounts: Dicker Data, Synnex, Ingram Micro, Westcon-Comstor — account credentials (stored in the M15/M75 vault and referenced here, not held in this module), rep contacts, pricing tier status
  • Expiry alerts: 30/60/90 day warnings for contract renewals. Auto-create M7 tickets for upcoming renewals
  • Pricing tier tracking: Current tier, next tier requirements, volume tracking toward tier upgrades
  • Vendor scorecard: Rate vendors on response time, pricing, support quality. Compare side-by-side

API Endpoints

GET    /api/v1/vendors                              -> Vendor[]
GET    /api/v1/vendors/:id                           -> VendorDetail
GET    /api/v1/vendors/:id/contracts                  -> Contract[]
GET    /api/v1/vendors/expiring                      -> ExpiringContract[]
POST   /api/v1/vendors/:id/scorecard                 -> Submit rating
MODULE M34
Training & Certification Tracker
New Module
Per-technician certification tracking with expiry alerts, CPD hours, and team skills matrix. Reuse: G:\Documents\Bidness\03 - Resources\Documentation\Training Requirements.md

Features

  • Cert tracking: Microsoft, Sophos, Datto, CompTIA, ITIL, Cisco, etc. Per-tech cert inventory with expiry dates
  • Expiry alerts: 30/60/90 day warnings. Auto-create renewal reminder tasks
  • CPD hours: Log continuing professional development hours. Track against annual requirements
  • Training requirements: Define required certs per role/tier. Identify gaps in team coverage
  • Skills matrix heatmap: Visual grid showing team competencies. Identify single points of failure (only one person with cert X)
  • Cert-to-skill mapping: Which certs cover which competencies. Recommend training paths

API Endpoints

GET    /api/v1/training/technicians                  -> TechCertSummary[]
GET    /api/v1/training/technicians/:id               -> TechCertDetail
POST   /api/v1/training/certifications                -> Add certification
GET    /api/v1/training/expiring                      -> ExpiringCert[]
GET    /api/v1/training/skills-matrix                 -> SkillsMatrix
GET    /api/v1/training/requirements/:role            -> RequiredCert[]
MODULE M35
Warranty Lifecycle (ScalePad)
New Module
Hardware warranty tracking via ScalePad API. EOL/EOS alerts, replacement planning, and lifecycle reporting. Integrates with M8 Asset Management. Reuse: G:\Documents\Bidness\03 - Resources\API-Standards\ScalePad-API-Reference.md

Features

  • Warranty lookup: Device serial → warranty status, expiry, coverage type. Bulk lookup across fleet
  • EOL/EOS alerts: End-of-life and end-of-support tracking with replacement recommendations
  • Lifecycle reporting: Fleet age distribution charts. Devices past warranty, approaching EOL, in coverage
  • Replacement planning: Budget projections for hardware refresh cycles. Priority scoring (oldest + most critical first)
  • Warranty renewal quotes: Generate renewal quotes via ScalePad. Track renewal decisions

API Endpoints

GET    /api/v1/warranty/devices                     -> DeviceWarranty[]
GET    /api/v1/warranty/devices/:serial              -> WarrantyDetail
GET    /api/v1/warranty/eol                          -> EolDevice[]
GET    /api/v1/warranty/lifecycle/report/:clientId   -> LifecycleReport
POST   /api/v1/warranty/sync                         -> Trigger ScalePad sync
MODULE M36
SharePoint Structure Builder
New Module
Auto-generate SharePoint folder structure diagrams from existing sites. Recommend standard structures, manage templates, and bulk-provision to new sites via Microsoft Graph API.

Features

  • Structure discovery: Crawl existing SharePoint sites via Graph API → generate folder tree diagrams
  • Template library: Pre-built structures for Legal, Finance, HR, Projects, Client Folders. MSP best practices
  • Visual tree editor: Drag-and-drop folder reorganization. Permission inheritance visualization
  • Bulk provisioning: Apply template to new SharePoint site with one click. Create libraries, folders, default permissions
  • Recommendations: AI-powered suggestions based on industry and company size

API Endpoints

GET    /api/v1/sharepoint/sites/:tenantId           -> SharePointSite[]
GET    /api/v1/sharepoint/structure/:siteId          -> FolderTree
GET    /api/v1/sharepoint/templates                  -> Template[]
POST   /api/v1/sharepoint/provision                  -> Apply template to site
POST   /api/v1/sharepoint/templates                  -> Create template
MODULE M37
Intune & M365 Config Manager
New Module
⚠️ CONSOLIDATION NOTE: This module is merged into M9 (M365 Management / CIPP-Style). Implement config export/import, drift detection, design review, and diff viewer as sub-sections within M9. Both manage M365 tenant configuration.
Export, import, diff, and drift-detect M365/Intune/Entra configurations. AI-assisted design review against security baselines (ASD Essential Eight (E8), CIS benchmarks, ASD Blueprint for Secure Cloud). References: M365DSC, Maester.dev, CISA SCuBA, EntraDocumentation.com.

Features

  • Config export: Dump full tenant config to JSON/YAML — Conditional Access (CA) policies, compliance policies, device configs, app deployments, Entra settings
  • Config import: Apply exported config to another tenant (clone tenant setup). Dry-run mode with change preview
  • Drift detection: Schedule baseline snapshots. Alert on deviations from golden config. Show exact diff of what changed
  • Design review: AI-assisted review against E8, CIS benchmarks, ASD Blueprint for Secure Cloud. Recommendation engine
  • Diff viewer: Side-by-side comparison of two tenants or two snapshots. Highlight differences with color coding
  • Maester.dev integration: Run PowerShell test automation. Show pass/fail results per test. Track compliance trending
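Drift detection and the diff viewer share one primitive: a path-level diff of two configuration snapshots. The block below is an added example of that primitive, not Arete's or M365DSC's code. It matches array elements by an `id` key where every element has one (Graph objects such as Conditional Access policies do), so a reordered export is not reported as drift, and falls back to whole-value comparison for unkeyed arrays. The sample snapshots are constructed.

```typescript
// Added example (not Arete project code): path-level diff of two JSON
// snapshots. Arrays of id-bearing objects are matched by id, other arrays
// are compared as whole values. Sample data is constructed.

type Json = null | boolean | number | string | Json[] | { [k: string]: Json };

interface Change { path: string; kind: 'added' | 'removed' | 'changed'; before?: Json; after?: Json }

function isObject(v: Json): v is { [k: string]: Json } {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

function diffConfig(before: Json, after: Json, path = '$', idKey = 'id'): Change[] {
  if (isObject(before) && isObject(after)) {
    const out: Change[] = [];
    const keys = Array.from(new Set([...Object.keys(before), ...Object.keys(after)])).sort();
    for (const k of keys) {
      const p = `${path}.${k}`;
      if (!(k in before)) out.push({ path: p, kind: 'added', after: after[k] });
      else if (!(k in after)) out.push({ path: p, kind: 'removed', before: before[k] });
      else out.push(...diffConfig(before[k], after[k], p, idKey));
    }
    return out;
  }
  if (Array.isArray(before) && Array.isArray(after)) {
    const keyed = (arr: Json[]) => arr.every(x => isObject(x) && typeof x[idKey] === 'string');
    if (keyed(before) && keyed(after)) {
      // Match elements by id so reordering is not drift.
      const byId = (arr: Json[]) =>
        new Map(arr.map((x): [string, Json] => [(x as { [k: string]: Json })[idKey] as string, x]));
      const b = byId(before), a = byId(after);
      const out: Change[] = [];
      const ids = Array.from(new Set([...Array.from(b.keys()), ...Array.from(a.keys())])).sort();
      for (const id of ids) {
        const p = `${path}[${id}]`;
        if (!b.has(id)) out.push({ path: p, kind: 'added', after: a.get(id) });
        else if (!a.has(id)) out.push({ path: p, kind: 'removed', before: b.get(id) });
        else out.push(...diffConfig(b.get(id)!, a.get(id)!, p, idKey));
      }
      return out;
    }
    // Unkeyed arrays (e.g. lists of group GUIDs): order-sensitive whole-value compare.
    return JSON.stringify(before) === JSON.stringify(after) ? [] : [{ path, kind: 'changed', before, after }];
  }
  return before === after ? [] : [{ path, kind: 'changed', before, after }];
}

// Constructed snapshots: a CA policy flipped to disabled, a new policy added,
// a lockout setting added, and the policy order shuffled.
const BASELINE: Json = {
  conditionalAccess: [
    { id: 'ca-1', displayName: 'Require MFA', state: 'enabled' },
    { id: 'ca-2', displayName: 'Block legacy auth', state: 'enabled' },
  ],
  settings: { passwordRuleSettings: { lockoutThreshold: 10 } },
};
const CURRENT: Json = {
  conditionalAccess: [
    { id: 'ca-2', displayName: 'Block legacy auth', state: 'enabled' },
    { id: 'ca-1', displayName: 'Require MFA', state: 'disabled' },
    { id: 'ca-3', displayName: 'Temp allow', state: 'enabled' },
  ],
  settings: { passwordRuleSettings: { lockoutThreshold: 10, lockoutDurationInSeconds: 60 } },
};
```

The drift report is then just `diffConfig(goldenSnapshot, liveExport)`; a non-empty result is the alert, and the `path` strings are what the diff viewer highlights.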

API Endpoints

POST   /api/v1/m365-config/export/:tenantId         -> ConfigExport
POST   /api/v1/m365-config/import/:tenantId         -> Apply config
GET    /api/v1/m365-config/drift/:tenantId           -> DriftReport
POST   /api/v1/m365-config/review/:tenantId          -> DesignReview
GET    /api/v1/m365-config/diff/:id1/:id2            -> ConfigDiff
GET    /api/v1/m365-config/baselines                 -> SecurityBaseline[]
MODULE M38
IPAM (IP Address Management)
New Module
NetBox-style IP address management with subnet planning, conflict detection, DHCP visualization, and integration with M28 Network Discovery for auto-population.

Features

  • Subnet management: Plan and allocate subnets per client/site. Tree view of subnet hierarchy
  • IP assignments: Track device, purpose, VLAN, site for each IP. Search and filter
  • Conflict detection: Alert on duplicate IP assignments within a client/site. Overlapping private ranges across different clients are normal and are only flagged where those networks are routed together (shared VPN, MSP management network)
  • DHCP scope visualization: Visual range display showing allocated, available, reserved
  • DNS correlation: Link forward (A/AAAA) and reverse (PTR) records to IP assignments
  • Auto-population: Import from M28 Network Discovery scans. Import from CSV/NetBox export
  • Network documentation: Auto-generate per-client IP allocation tables for M40 Documentation Engine

API Endpoints

GET    /api/v1/ipam/subnets/:clientId               -> Subnet[]
GET    /api/v1/ipam/addresses/:subnetId              -> IpAddress[]
POST   /api/v1/ipam/addresses                        -> Assign IP
GET    /api/v1/ipam/conflicts                        -> IpConflict[]
POST   /api/v1/ipam/import                           -> Import CSV/NetBox
GET    /api/v1/ipam/dhcp/:subnetId                   -> DhcpScopeView
MODULE M39
DNS Operations & Safety
New Module
Operational safety layer for DNS changes. A/B testing, staged rollouts, auto-rollback on propagation failures, and continuous drift detection. Extends M4 Email Security and M5 Domain Management.

Features

  • Config drift detection: Monitor DNS records across all nameservers. Alert on unauthorized changes
  • A/B testing: Stage DNS changes on dev/staging nameservers. Verify resolution before pushing to production
  • Auto-rollback: If propagation monitoring detects failures (SERVFAIL, NXDOMAIN), auto-revert to last known good config
  • Propagation monitoring: Multi-location resolver checks. Real-time propagation status dashboard with TTL countdown
  • Change staging pipeline: Dev → Staging → Production. Approval gates between stages
  • Recommendations: TTL optimization, CNAME vs A best practices, security records (CAA, TLSA/DANE)
  • DNS cache poisoning detection: Compare authoritative vs recursive resolver responses. Alert on discrepancies, after excluding the legitimate ones (GeoDNS or load-balanced answers, and cached records whose TTL has not yet expired since the last authoritative change)

API Endpoints

GET    /api/v1/dns-ops/zones/:domain                -> DnsZoneDetail
GET    /api/v1/dns-ops/drift/:domain                 -> DriftReport
POST   /api/v1/dns-ops/stage                         -> Stage DNS change
POST   /api/v1/dns-ops/promote/:changeId             -> Promote to production
POST   /api/v1/dns-ops/rollback/:changeId            -> Rollback change
GET    /api/v1/dns-ops/propagation/:domain           -> PropagationStatus
GET    /api/v1/dns-ops/recommendations/:domain       -> DnsRecommendation[]
MODULE M40
Documentation Engine (IT Glue Killer)
New Module
Auto-generate client documentation from all modules. BookStack integration for publishing. Freshness scoring to detect stale docs.

Features

  • Auto-generation: Pull data from M28 (network diagrams), M15/M75 (passwords), M37 (configs), M38 (IPAM), contacts, procedures → generate per-client documentation packages
  • BookStack sync: Push generated docs to BookStack instance (already deployed on docker-host). Two-way sync
  • Documentation-as-code: Version-controlled docs in Git. Rendered as searchable web pages
  • Freshness scoring: Track when source data changed vs when doc was last updated. Flag stale documents
  • Template library: Network overview, password register, backup procedure, DR plan, onboarding checklist
  • Per-client workspace: Dedicated documentation area per client with search and access controls

API Endpoints

POST   /api/v1/docs/generate/:clientId              -> Generate docs
GET    /api/v1/docs/clients/:clientId                -> ClientDocIndex
POST   /api/v1/docs/sync/bookstack                   -> Sync to BookStack
GET    /api/v1/docs/freshness/:clientId              -> FreshnessReport
GET    /api/v1/docs/templates                        -> DocTemplate[]
MODULE M41
Alert Correlation Engine
New Module
Cross-module alert intelligence. Group related alerts, detect patterns, deduplicate noise, suggest root causes. Feeds M21 Playbooks for automated response.

Features

  • Pattern detection: Backup failure + security alert + uptime down on same client within time window = correlated incident
  • Alert deduplication: Suppress duplicate alerts from multiple sources for same issue
  • Root cause suggestion: AI-powered: "3 alerts for Client X all stem from network outage at 2:30 AM"
  • Severity escalation: Single alert = info, correlated cluster = warning/critical. Auto-escalate
  • Alert timeline: Visual timeline per incident showing all related events across modules
  • Noise reduction metrics: Track % of alerts suppressed. Show alert fatigue improvement over time
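The pattern in the first bullet (several sources firing for one client inside a time window) and the severity ladder in the fourth can be shown end to end on a constructed alert feed. The block below is an added example, not Arete's engine: the window size, the dedup key (client + fingerprint) and the "breadth, not volume" escalation rule are assumptions, and the noise-reduction figure is computed from the same run.

```typescript
// Added example (not Arete project code): dedup, per-client time-window
// clustering and breadth-based severity over a constructed alert feed.
// Window, dedup key and escalation ladder are assumptions.

interface Alert { id: string; clientId: string; source: string; fingerprint: string; ts: number } // ts = ms epoch
type Severity = 'info' | 'warning' | 'critical';
interface Incident { clientId: string; start: number; end: number; alerts: Alert[]; sources: string[]; severity: Severity }
interface CorrelationResult { incidents: Incident[]; suppressed: number; total: number; suppressedPct: number }

// Escalation follows how many distinct modules are complaining, not how many
// times one of them repeated itself.
function escalate(distinctSources: number): Severity {
  if (distinctSources >= 3) return 'critical';
  if (distinctSources === 2) return 'warning';
  return 'info';
}

function correlate(alerts: Alert[], windowMs: number, dedupMs = windowMs): CorrelationResult {
  const sorted = [...alerts].sort((a, b) => a.ts - b.ts);

  // 1. Dedup: same client + fingerprint within dedupMs of the last kept copy is noise.
  const lastSeen = new Map<string, number>();
  const kept: Alert[] = [];
  for (const a of sorted) {
    const key = `${a.clientId}|${a.fingerprint}`;
    const prev = lastSeen.get(key);
    if (prev !== undefined && a.ts - prev < dedupMs) continue;
    lastSeen.set(key, a.ts);
    kept.push(a);
  }

  // 2. Cluster per client: an alert joins the open incident if it lands within
  //    windowMs of that incident's most recent alert, otherwise opens a new one.
  const open = new Map<string, Incident>();
  const incidents: Incident[] = [];
  for (const a of kept) {
    const cur = open.get(a.clientId);
    if (cur && a.ts - cur.end <= windowMs) {
      cur.alerts.push(a);
      cur.end = a.ts;
    } else {
      const inc: Incident = { clientId: a.clientId, start: a.ts, end: a.ts, alerts: [a], sources: [], severity: 'info' };
      open.set(a.clientId, inc);
      incidents.push(inc);
    }
  }

  // 3. Severity from breadth of sources.
  for (const inc of incidents) {
    inc.sources = Array.from(new Set(inc.alerts.map(x => x.source))).sort();
    inc.severity = escalate(inc.sources.length);
  }

  const suppressed = alerts.length - kept.length;
  return { incidents, suppressed, total: alerts.length, suppressedPct: alerts.length ? (suppressed / alerts.length) * 100 : 0 };
}

// Constructed feed: client A gets a backup failure (repeated once), a security
// alert and an uptime alert inside 15 minutes; client B gets one alert.
const SAMPLE_ALERTS: Alert[] = [
  { id: 'a1', clientId: 'A', source: 'M2', fingerprint: 'backup:nas01', ts: 0 },
  { id: 'a2', clientId: 'A', source: 'M2', fingerprint: 'backup:nas01', ts: 60_000 },   // duplicate
  { id: 'a3', clientId: 'A', source: 'M3', fingerprint: 'sec:score-drop', ts: 300_000 },
  { id: 'a4', clientId: 'A', source: 'M6', fingerprint: 'uptime:www', ts: 720_000 },
  { id: 'b1', clientId: 'B', source: 'M7', fingerprint: 'ticket:sla', ts: 100_000 },
];
```

Clustering on the gap to the incident's last alert (rather than to its first) lets a slow-burning outage stay one incident; the trade-off is that a very noisy client can keep one incident open indefinitely, which is why the dedup pass runs first.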

API Endpoints

GET    /api/v1/alerts/correlated                    -> CorrelatedIncident[]
GET    /api/v1/alerts/correlated/:id                 -> IncidentDetail
GET    /api/v1/alerts/timeline/:clientId              -> AlertTimeline
GET    /api/v1/alerts/stats                          -> AlertReductionStats
POST   /api/v1/alerts/acknowledge/:id                -> Acknowledge incident
MODULE M42
Platform & Integration Health
New Module
Single dashboard monitoring health of ALL 50+ API connections AND internal platform components. Auth failures, rate limits, sync status, and historical uptime per integration.
✅ ABSORBS M81 (Platform Health & Status Page): Adds internal component health (PostgreSQL, Redis, K8s pods, BullMQ queue depth, API response times), public status page (branded, status.arete.dev), incident tracking with timeline, maintenance window scheduling, and alerting via M52. Renamed from "Integration Health Monitor" to "Platform & Integration Health".

Features

  • Connection dashboard: Green/amber/red status per connector. Last successful sync time. Error count
  • Auth monitoring: Token expiry countdown. Alert before expiry. Auto-refresh where possible
  • Rate limit tracking: Current usage vs limit per API. Alert when approaching threshold
  • Sync failure tracking: Failed sync history with error details. Auto-retry with exponential backoff
  • Historical uptime: Per-integration uptime percentage. SLA tracking for your own connectivity
  • API deprecation notices: Track vendor API version lifecycle. Alert on upcoming deprecations
  • New Relic APM (optional): Application-level performance monitoring via NerdGraph GraphQL API. Distributed traces, error tracking, response time analytics for the Arete platform itself. Free tier: 100GB/month data ingest. Complements Prometheus/Grafana infrastructure monitoring

API Endpoints

GET    /api/v1/integrations/health                  -> IntegrationHealth[]
GET    /api/v1/integrations/:connectorId/history     -> SyncHistory
POST   /api/v1/integrations/:connectorId/test        -> Test connection
POST   /api/v1/integrations/:connectorId/retry       -> Retry failed sync
GET    /api/v1/integrations/uptime                   -> UptimeReport
MODULE M43
DevOps & CI Pipeline Manager
New Module
YAML pipeline editor, vulnerability scanning, repo management, and deployment tracking for MSP automation infrastructure.

Features

  • Pipeline editor: YAML-based pipeline definitions for PowerShell, Python, Terraform automation
  • Runner management: Execute pipelines on docker-host or client infrastructure. Queue and schedule
  • Vulnerability scanning: GitHub Advanced Security / Trivy for container and dependency scanning
  • Repo management: Track all Git repos, upstream provider status, dependency freshness, security alerts
  • Deployment tracking: What was deployed where, when, by whom. Approval gates for production
  • Templates: Best-practice pipelines for Intune config deployment, DNS changes, user provisioning

API Endpoints

GET    /api/v1/devops/pipelines                     -> Pipeline[]
POST   /api/v1/devops/pipelines/:id/run              -> Trigger pipeline
GET    /api/v1/devops/repos                          -> RepoInventory[]
GET    /api/v1/devops/vulnerabilities                -> VulnScanResult[]
GET    /api/v1/devops/deployments                    -> Deployment[]
MODULE M44
Website Change Tracker
New Module
Monitor websites for visual and content changes using Playwright. Detect defacement, unexpected modifications, TLS certificate changes, and script injection.

Features

  • Playwright screenshots: Scheduled screenshot capture with visual diff (pixel comparison)
  • DOM diff: Show exactly what HTML/CSS changed between checks. Syntax-highlighted diff view
  • Per-client monitoring: Track client sites, MSP sites, vendor portals. Configurable check frequency
  • Alert triggers: Content changes, TLS certificate changes (issuer, SAN list, expiry), new scripts injected (new or modified script src / inline script hash), meta tag modifications
  • Screenshot history: Timeline view of all captured screenshots. Side-by-side comparison

API Endpoints

GET    /api/v1/website-tracker/sites                -> MonitoredSite[]
POST   /api/v1/website-tracker/sites                -> Add site
GET    /api/v1/website-tracker/changes/:siteId      -> ChangeHistory[]
GET    /api/v1/website-tracker/screenshots/:siteId  -> Screenshot[]
POST   /api/v1/website-tracker/check/:siteId        -> Trigger immediate check
MODULE M45
Contract & SLA Builder
New Module
Service agreement creation with SLA tracking, contract lifecycle management, digital signatures, and revenue forecasting.

Features

  • Agreement builder: Templated T&Cs, SLA tier definitions, pricing schedules (per-device, per-user, flat, tiered)
  • SLA tracking: Link SLA definitions to M7 ticket tracking. Auto-calculate compliance percentage
  • Contract lifecycle: Draft → Active → Expiring → Renewed/Terminated. Visual pipeline view
  • Expiry alerts: 30/60/90 day warnings. Auto-create renewal tasks
  • Digital signatures: PDF signing via M10 Reporting Engine. Signature workflow with audit trail
  • Revenue forecasting: Project MRR from active contracts. Feed M22 Profitability analysis

API Endpoints

GET    /api/v1/contracts                            -> Contract[]
POST   /api/v1/contracts                            -> Create contract
GET    /api/v1/contracts/:id/sla                     -> SlaComplianceReport
GET    /api/v1/contracts/expiring                    -> ExpiringContract[]
GET    /api/v1/contracts/revenue/forecast            -> RevenueForecast
MODULE M46
Client Communication Timeline
New Module
Unified log of ALL client touchpoints — emails, calls, meetings, ticket updates, portal activity. Per-client timeline with action item tracking.

Features

  • Unified timeline: All communication events in chronological order. Filter by type, date, person
  • Auto-capture: CW ticket notes, M27 portal activity, M365 email sync (opt-in), Teams meeting records
  • Manual entries: Meeting notes, phone call logs, action items with due dates
  • Action tracking: Create tasks from meeting notes. Link to M7 tickets. Track completion
  • Last contact: "When did we last talk to Client X?" instant answer with communication gap alerts

API Endpoints

GET    /api/v1/comms/:clientId/timeline              -> TimelineEvent[]
POST   /api/v1/comms/:clientId/entries               -> Add manual entry
GET    /api/v1/comms/:clientId/actions               -> ActionItem[]
GET    /api/v1/comms/last-contact                    -> LastContactReport[]
MODULE M47
Technician Dispatch & Scheduling
New Module
Field tech scheduling for on-site work with calendar views, travel time estimation, and time tracking that auto-logs to ConnectWise.

Features

  • Calendar view: Team-wide availability, job assignments, drag-and-drop scheduling
  • Travel estimation: Google Maps API for drive time between sites. Optimize route for multi-site days
  • Client site details: Address, parking, contact, access instructions (from M19 onboarding data)
  • Job types: Install, maintenance, troubleshooting, audit. Link to M7 tickets and M25 change requests
  • Time tracking: On-site hours auto-logged to CW time entries. Start/stop timer with GPS verification
  • Mobile-first: iOS app priority for this module. Push notifications for schedule changes

API Endpoints

GET    /api/v1/dispatch/calendar                    -> TeamCalendar
POST   /api/v1/dispatch/jobs                         -> Create job
GET    /api/v1/dispatch/technicians/availability     -> TechAvailability[]
POST   /api/v1/dispatch/jobs/:id/checkin             -> Check in on-site
POST   /api/v1/dispatch/jobs/:id/checkout            -> Check out + log time

MODULE M48
Password Rotation Automation
New Module
Automated service account password rotation with verification, rollback, and compliance tracking. Integrates with M15/M75 Vault for storage and M20 Compliance for evidence.

Features

  • Scheduled rotation: Configurable schedule per account (30/60/90 day cycles)
  • Target systems: Active Directory, M365 admin accounts, local admin (LAPS-style), application service accounts
  • Rotation verification: Confirm new password works before committing. Rollback on failure
  • Vault sync: Rotated passwords auto-update in M15/M75 vault with full history
  • Compliance tracking: Last rotation date per account. Enforce max password age. Feed M20 evidence
  • Failure alerting: Immediate alert if rotation fails. Auto-create M7 ticket for manual intervention

API Endpoints

GET    /api/v1/password-rotation/accounts            -> RotationAccount[]
POST   /api/v1/password-rotation/rotate/:accountId   -> Trigger rotation
GET    /api/v1/password-rotation/history/:accountId  -> RotationHistory
GET    /api/v1/password-rotation/compliance          -> ComplianceReport
PATCH  /api/v1/password-rotation/schedules/:id       -> Update schedule
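The rotate, verify, commit-or-rollback sequence from the feature list, as an added example (not Arete's own code). `RotationTarget`, `Vault`, `FakeTarget` and `FakeVault` are hypothetical in-memory stand-ins for a real target system and the M15/M75 vault; real connectors would be asynchronous.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical interfaces for a rotation target (AD, M365, LAPS-style local admin,
// application service account) and for the vault. Kept synchronous for the demo.
interface RotationTarget {
  setPassword(account: string, password: string): void;
  verify(account: string, password: string): boolean; // authenticate with the given secret
}
interface Vault {
  read(account: string): string;
  write(account: string, password: string, note: string): void;
}
type RotationOutcome =
  | { status: "rotated" }
  | { status: "rolled-back"; reason: string }
  | { status: "failed"; reason: string }; // needs a human: alert + M7 ticket

function generatePassword(length = 24): string {
  // CSPRNG-backed; base64 alphabet shown, adjust to the target's complexity policy
  return randomBytes(length).toString("base64").slice(0, length);
}

// Set the new secret, confirm it authenticates, then commit to the vault.
// If verification fails, restore the previous secret and confirm that restore too,
// so the vault never holds a secret that does not work against the target.
function rotateAccount(account: string, target: RotationTarget, vault: Vault): RotationOutcome {
  const previous = vault.read(account);
  const candidate = generatePassword();
  try {
    target.setPassword(account, candidate);
  } catch (err) {
    return { status: "failed", reason: `set failed: ${(err as Error).message}` };
  }
  if (target.verify(account, candidate)) {
    vault.write(account, candidate, "rotated");
    return { status: "rotated" };
  }
  try {
    target.setPassword(account, previous);
  } catch (err) {
    return { status: "failed", reason: `rollback failed: ${(err as Error).message}` };
  }
  if (!target.verify(account, previous)) {
    return { status: "failed", reason: "new password rejected and rollback unverified" };
  }
  return { status: "rolled-back", reason: "new password failed verification" };
}

// In-memory stand-ins. The target can be told to reject the next verification,
// which is what a policy rejection or replication lag would look like.
class FakeTarget implements RotationTarget {
  private current = new Map<string, string>();
  rejectNextVerify = false;
  constructor(seed: Record<string, string>) {
    for (const [a, p] of Object.entries(seed)) this.current.set(a, p);
  }
  setPassword(account: string, password: string): void { this.current.set(account, password); }
  verify(account: string, password: string): boolean {
    if (this.rejectNextVerify) { this.rejectNextVerify = false; return false; }
    return this.current.get(account) === password;
  }
}
class FakeVault implements Vault {
  private secrets: Record<string, string>;
  history: Array<{ account: string; note: string }> = [];
  constructor(seed: Record<string, string>) { this.secrets = { ...seed }; }
  read(account: string): string {
    const p = this.secrets[account];
    if (p === undefined) throw new Error(`unknown account ${account}`);
    return p;
  }
  write(account: string, password: string, note: string): void {
    this.secrets[account] = password;
    this.history.push({ account, note });
  }
  current(account: string): string { return this.read(account); }
}

// Constructed scenario: the first rotation succeeds, the second is rejected and rolled back.
function runDemo() {
  const target = new FakeTarget({ "svc-backup": "old-secret" });
  const vault = new FakeVault({ "svc-backup": "old-secret" });
  const first = rotateAccount("svc-backup", target, vault);
  const afterFirst = vault.current("svc-backup");
  target.rejectNextVerify = true;
  const second = rotateAccount("svc-backup", target, vault);
  const afterSecond = vault.current("svc-backup");
  // Invariant: whatever happened, the vault secret must still authenticate
  const vaultStillValid = target.verify("svc-backup", afterSecond);
  return { first, second, afterFirst, afterSecond, vaultStillValid, writes: vault.history.length };
}
```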

MODULE M49
Runbook Library
New Module
Searchable library of human-readable operational guides. Different from M21 Playbooks (which are automated). Version-controlled with decision trees, BookStack sync.

Features

  • Searchable library: Full-text search across all runbooks. Filter by technology, difficulty, category
  • Decision trees: Interactive flowcharts for troubleshooting. Step-by-step with branching logic
  • Version control: Change history with diff view. Rollback to previous versions
  • Rich content: Screenshot/video embed support. Code blocks with syntax highlighting
  • Difficulty ratings: Per-runbook estimated time and difficulty level
  • BookStack sync: Push runbooks to BookStack for external access. Two-way sync
  • Playbook linking: Link to related M21 Playbooks for automation of common steps

API Endpoints

GET    /api/v1/runbooks                             -> Runbook[]
GET    /api/v1/runbooks/:id                          -> RunbookDetail
GET    /api/v1/runbooks/:id/versions                 -> Version[]
POST   /api/v1/runbooks                              -> Create runbook
POST   /api/v1/runbooks/sync/bookstack               -> Sync to BookStack

MODULE M50
Endpoint Compliance Checker
New Module
⚠️ CONSOLIDATION NOTE: This module is merged into M3 (Security Posture). Implement endpoint compliance checks (BitLocker, AV, OS updates, firewall, screen lock), per-device scoring, and policy definitions as a sub-section/tab within M3. Device-level compliance is a component of overall security posture.
Per-device compliance dashboard. Checks BitLocker, AV, OS updates, firewall, screen lock. 0-100 compliance score per device and client. Auto-remediation via M21 Playbooks.

Features

  • Compliance checks: BitLocker enabled, antivirus current, OS updates installed, firewall enabled, screen lock configured, local admin password rotated
  • Scoring: 0-100 per device, aggregated per client. Weighted by check criticality
  • Policy definitions: Configurable requirements per client/tier. Different standards for different SLA levels
  • Auto-remediation: Link non-compliant devices to M21 Playbooks. One-click fix for common issues
  • Evidence feed: Feed M20 Compliance with Essential Eight / CIS evidence data
  • Data sources: NinjaOne (device details), Intune (compliance policies), M3 Security (protection status)

API Endpoints

GET    /api/v1/endpoint-compliance/devices           -> DeviceCompliance[]
GET    /api/v1/endpoint-compliance/clients/:id       -> ClientComplianceScore
GET    /api/v1/endpoint-compliance/policies          -> CompliancePolicy[]
POST   /api/v1/endpoint-compliance/remediate/:deviceId -> Trigger remediation
GET    /api/v1/endpoint-compliance/evidence/:clientId -> ComplianceEvidence

MODULE M51
Custom Dashboard Builder
New Module
Drag-and-drop widget placement from any module's data. Per-user layouts with real-time WebSocket updates. Embeddable in M27 Client Portal.

Features

  • Widget library: Charts (line, bar, pie, donut), tables, KPIs, gauges, maps, timelines, status indicators
  • Drag-and-drop: Grid-based layout editor. Resize, reorder, configure per widget. Save/load layouts
  • Data binding: Connect any widget to any module's API endpoint. Real-time refresh via WebSocket
  • Role-based visibility: Admin sees revenue widgets, tech sees ticket widgets, client sees their health
  • Shareable: Share dashboard layouts between users. Export as PDF/image for reports
  • Client portal embedding: Embed custom dashboards in M27 Client Portal (scoped to client data)

API Endpoints

GET    /api/v1/dashboards                           -> Dashboard[]
POST   /api/v1/dashboards                           -> Create dashboard
GET    /api/v1/dashboards/:id                        -> DashboardLayout
PATCH  /api/v1/dashboards/:id                        -> Update layout
GET    /api/v1/dashboards/widgets/catalog             -> WidgetDefinition[]

MODULE M52
Notification Center & Preferences
New Module
Centralized notification hub for ALL module alerts with per-user channel preferences, quiet hours, digest mode, and priority escalation.
✅ ABSORBS M79 (SMS & Communication Automation): SMS becomes a notification channel — adds SMS sending (Twilio/MessageMedia), bulk campaigns, two-way SMS routing to M7 tickets, template engine, cost tracking per client, provider failover, and Spam Act 2003 compliance (opt-in/opt-out management).

Features

  • Multi-channel: Email, SMS (M79), Slack, Teams, push (iOS), in-app notifications
  • Per-user preferences: Choose channels per alert type. Quiet hours / DND scheduling
  • Digest mode: Batch low-priority alerts into daily/weekly summary email
  • Priority escalation: Critical alerts override quiet hours. Configurable escalation chains
  • Notification history: Read/unread tracking. Mark all as read. Filter by module/priority
  • Template engine: Customizable notification content per module. Variable substitution

API Endpoints

GET    /api/v1/notifications                        -> Notification[]
PATCH  /api/v1/notifications/:id/read                -> Mark read
GET    /api/v1/notifications/preferences              -> UserPreferences
PATCH  /api/v1/notifications/preferences              -> Update preferences
GET    /api/v1/notifications/digest/preview           -> DigestPreview
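The routing decision behind the per-user preferences, quiet hours, digest mode and priority escalation bullets, as an added example (not Arete's own code). The `UserPreferences` shape, the `smsOptIn` flag for the absorbed M79 opt-in requirement, and the alert type names are assumptions for illustration.

```typescript
type Priority = "low" | "normal" | "high" | "critical";
type Channel = "email" | "sms" | "slack" | "teams" | "push" | "in-app";

// Local-time quiet hours; startHour > endHour means the window wraps midnight (e.g. 22 -> 7)
interface QuietHours { startHour: number; endHour: number }

interface UserPreferences {
  channels: Partial<Record<string, Channel[]>>; // per alert type, e.g. "backup.failed"
  defaultChannels: Channel[];                    // used when the alert type has no entry
  quietHours?: QuietHours;
  digestPriorities: Priority[];                  // priorities batched into the daily/weekly digest
  escalationChain: Channel[];                    // channels tried, in order, for critical alerts
  smsOptIn: boolean;                             // Spam Act 2003: no SMS without a recorded opt-in
}

interface Alert { type: string; priority: Priority; at: Date }

type Decision =
  | { action: "send"; channels: Channel[] }
  | { action: "digest" }
  | { action: "defer"; until: Date; channels: Channel[] };

function inQuietHours(hour: number, q: QuietHours): boolean {
  return q.startHour <= q.endHour
    ? hour >= q.startHour && hour < q.endHour
    : hour >= q.startHour || hour < q.endHour;
}

// Next moment the quiet window ends, relative to the alert time
function quietHoursEnd(at: Date, q: QuietHours): Date {
  const end = new Date(at.getTime());
  end.setHours(q.endHour, 0, 0, 0);
  if (end.getTime() <= at.getTime()) end.setDate(end.getDate() + 1);
  return end;
}

// Drop channels the user may not receive (SMS without opt-in); never end up with no channel
function permitted(channels: Channel[], prefs: UserPreferences): Channel[] {
  const allowed = channels.filter(c => c !== "sms" || prefs.smsOptIn);
  return allowed.length > 0 ? allowed : ["in-app"];
}

function route(alert: Alert, prefs: UserPreferences): Decision {
  const configured = prefs.channels[alert.type] ?? prefs.defaultChannels;
  if (alert.priority === "critical") {
    // Critical overrides both quiet hours and digest batching and uses the escalation chain
    const chain = prefs.escalationChain.length > 0 ? prefs.escalationChain : configured;
    return { action: "send", channels: permitted(chain, prefs) };
  }
  if (prefs.digestPriorities.includes(alert.priority)) return { action: "digest" };
  const channels = permitted(configured, prefs);
  if (prefs.quietHours && inQuietHours(alert.at.getHours(), prefs.quietHours)) {
    return { action: "defer", until: quietHoursEnd(alert.at, prefs.quietHours), channels };
  }
  return { action: "send", channels };
}
```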

MODULE M53
Platform Audit Log
New Module
Immutable append-only log of ALL platform actions. SOC2/ISO 27001 compliance evidence. SIEM export capabilities.

Features

  • Immutable logging: Every platform action logged: who, what, when, from where (IP, device, session)
  • Change history: Per-entity diff view showing before/after state for every modification
  • Compliance evidence: Pre-formatted reports for SOC2 Type II and ISO 27001 auditors
  • Retention policies: Configurable per tenant (90 days, 1 year, 7 years). Auto-archive old logs
  • Search/filter: By user, action type, module, date range, entity. Full-text search in action details
  • SIEM export: Stream audit events to external SIEM (Splunk, Sentinel, ELK) via webhook or syslog

API Endpoints

GET    /api/v1/audit-log                            -> AuditEvent[]
GET    /api/v1/audit-log/entity/:type/:id            -> EntityHistory
GET    /api/v1/audit-log/users/:userId               -> UserActivityLog
GET    /api/v1/audit-log/export                      -> Export (CSV/JSON/SIEM)
GET    /api/v1/audit-log/compliance-report            -> ComplianceReport
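One way to make the append-only log tamper-evident for auditors and SIEM export, as an added example (not Arete's own code): each event carries a SHA-256 over its canonical form and the previous event's hash, so any edit, deletion or reordering breaks the chain on re-verification. The hash chaining itself is an added technique; the `AuditEvent` fields follow the who/what/when/from-where bullet, and `AuditLog`/`verifyChain` are hypothetical names.

```typescript
import { createHash } from "node:crypto";

interface AuditEvent {
  seq: number;
  at: string;          // ISO 8601 timestamp (when)
  actor: string;       // who
  action: string;      // what, e.g. "contract.update"
  entity: string;      // on which record, e.g. "contract:42"
  ip: string;          // from where
  diff?: Record<string, { before: unknown; after: unknown }>; // per-field before/after
}
interface ChainedEvent extends AuditEvent { prevHash: string; hash: string }

const GENESIS = "0".repeat(64);

// Fixed field order so two serialisations of the same event always hash identically
function canonical(e: AuditEvent): string {
  return JSON.stringify({
    seq: e.seq, at: e.at, actor: e.actor, action: e.action,
    entity: e.entity, ip: e.ip, diff: e.diff ?? null,
  });
}

function hashEvent(e: AuditEvent, prevHash: string): string {
  return createHash("sha256").update(prevHash).update("\n").update(canonical(e)).digest("hex");
}

class AuditLog {
  private events: ChainedEvent[] = [];

  // Append-only by construction: there is deliberately no update or delete method
  append(e: Omit<AuditEvent, "seq">): ChainedEvent {
    const last = this.events[this.events.length - 1];
    const prevHash = last ? last.hash : GENESIS;
    const body: AuditEvent = { ...e, seq: this.events.length };
    const chained: ChainedEvent = { ...body, prevHash, hash: hashEvent(body, prevHash) };
    this.events.push(chained);
    return chained;
  }

  // Snapshot for export (SIEM, auditor report); copies so callers cannot mutate the store
  all(): ChainedEvent[] { return this.events.map(e => ({ ...e })); }
}

// Re-derive every hash. Returns the index of the first broken link, or null when intact.
// Catches edits, deletions and reordering inside the chain. Truncation of the tail is only
// caught by comparing the final hash with one recorded elsewhere (e.g. in the SIEM copy).
function verifyChain(events: ChainedEvent[]): number | null {
  let prev = GENESIS;
  let i = 0;
  for (const e of events) {
    const { prevHash, hash, ...body } = e;
    if (body.seq !== i || prevHash !== prev) return i;
    if (hashEvent(body, prevHash) !== hash) return i;
    prev = hash;
    i++;
  }
  return null;
}

// Constructed sample: three platform actions, then a tampered copy
function buildSampleLog(): AuditLog {
  const log = new AuditLog();
  log.append({ at: "2026-02-16T09:00:00Z", actor: "tech1@example.test", action: "contract.update",
    entity: "contract:42", ip: "203.0.113.10", diff: { status: { before: "Draft", after: "Active" } } });
  log.append({ at: "2026-02-16T09:05:00Z", actor: "tech2@example.test", action: "vault.read",
    entity: "credential:17", ip: "203.0.113.11" });
  log.append({ at: "2026-02-16T09:07:00Z", actor: "admin@example.test", action: "user.role.change",
    entity: "user:7", ip: "198.51.100.5", diff: { role: { before: "tech", after: "admin" } } });
  return log;
}
```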

MODULE M54
Attack Surface Monitor
New Module
External attack surface discovery (Shodan/Censys-style). Per-client external asset inventory with risk scoring, continuous monitoring, and dark web credential correlation.

Features

  • External asset discovery: Public IPs, open ports, exposed services, SSL certificates per client
  • Risk scoring: Per-asset risk based on exposed services, known vulns, SSL grade, open ports
  • Continuous monitoring: Detect changes: new ports opened, services exposed, certs expired
  • Subdomain enumeration: DNS brute-force + Certificate Transparency log analysis
  • Dark web correlation: Cross-reference M14 Breach & Dark Web findings with exposed services
  • Internal vs external gap: Compare M50 Endpoint Compliance (internal) vs attack surface (external)

API Endpoints

GET    /api/v1/attack-surface/:clientId              -> ExternalAsset[]
GET    /api/v1/attack-surface/:clientId/score        -> RiskScore
POST   /api/v1/attack-surface/:clientId/scan         -> Trigger scan
GET    /api/v1/attack-surface/:clientId/changes      -> ChangeHistory[]
GET    /api/v1/attack-surface/:clientId/subdomains   -> Subdomain[]

MODULE M55
Phishing Simulation & Security Awareness
New Module
Create and schedule phishing simulation campaigns with direct integration to Sophos Central, M365 Attack Simulation Training, and usecure for unified reporting.

Features

  • Campaign management: Create, schedule, monitor phishing simulation campaigns
  • Template library: Credential harvest, malware link, invoice fraud, CEO impersonation, IT support
  • User tracking: Click rates, report rates, per-user risk scoring with trend over time
  • Training assignment: Auto-assign training modules when users fail. Track completion
  • Sophos Central integration: Import results from Sophos-managed phishing campaigns via Sophos API
  • M365 Attack Simulation: Sync results from Microsoft's built-in phishing simulation training
  • usecure integration: Import campaign results and user risk scores from usecure platform
  • Unified reporting: Combined view across Sophos, M365, usecure, and native campaigns. Client-facing reports via M32 QBR

Connectors

Platform               | Auth      | Data
Sophos Central         | OAuth2    | Phishing campaign results, user outcomes
M365 Attack Simulation | Graph API | Simulation results, training assignments
usecure                | API Key   | Campaign results, user risk scores, training progress

API Endpoints

GET    /api/v1/phishing/campaigns                   -> Campaign[]
POST   /api/v1/phishing/campaigns                   -> Create campaign
GET    /api/v1/phishing/campaigns/:id/results        -> CampaignResult
GET    /api/v1/phishing/users/:clientId               -> UserRiskScore[]
POST   /api/v1/phishing/sync                         -> Sync external platforms
GET    /api/v1/phishing/reports/:clientId              -> UnifiedPhishingReport

MODULE M56
Incident Post-Mortem
New Module
Structured post-mortem templates (5 Whys, Timeline, Blameless Retrospective). Auto-populate from M41 alerts and M7 tickets. Lessons learned database.

Features

  • Templates: 5 Whys analysis, chronological timeline builder, blameless retrospective format
  • Auto-populate: Pull timeline from M41 Alert Correlation and M7 ticket history. Pre-fill with affected clients, duration, SLA breach info
  • Impact assessment: Affected clients, downtime duration, SLA breaches, estimated financial cost
  • Action items: Track remediation tasks with owner, due date. Feed into M7 tickets
  • Lessons learned: Searchable database of past incidents and what was learned
  • Pattern detection: Identify recurring incident types. Flag systemic issues
  • Client sharing: Share sanitized post-mortems with affected clients via M27 Portal

API Endpoints

GET    /api/v1/postmortems                          -> PostMortem[]
POST   /api/v1/postmortems                          -> Create post-mortem
GET    /api/v1/postmortems/:id                       -> PostMortemDetail
GET    /api/v1/postmortems/lessons                   -> LessonLearned[]
GET    /api/v1/postmortems/patterns                  -> RecurringPattern[]

MODULE M57
Billing Reconciliation
New Module
Compare CW PSA agreements vs actual resource counts. Detect revenue leakage from unbilled devices. Auto-sync counts from NinjaOne and M365.

Features

  • Agreement vs actual: Compare CW agreement line items (devices, users, mailboxes) vs actual counts from NinjaOne + Graph API
  • Revenue leakage: Flag unbilled devices, users exceeding agreement limits. Calculate lost revenue
  • Discrepancy dashboard: Per-client view of all billing discrepancies. Sort by impact ($)
  • Auto-sync: Device counts from NinjaOne, user/mailbox counts from M365 Graph API. Daily refresh
  • History tracking: Track reconciliation over time. Show improvement trends
  • Adjustment recommendations: Generate specific billing adjustment suggestions with dollar amounts

API Endpoints

GET    /api/v1/billing/reconciliation                -> ClientReconciliation[]
GET    /api/v1/billing/reconciliation/:clientId      -> ReconciliationDetail
GET    /api/v1/billing/leakage                       -> LeakageSummary
POST   /api/v1/billing/sync                          -> Trigger count sync
GET    /api/v1/billing/adjustments/:clientId          -> AdjustmentRecommendation[]

MODULE M58
Data Migration Hub
New Module
Import wizards for migrating from competitive documentation platforms. Data mapping, validation, incremental sync, and rollback capabilities.

Supported Sources

Platform           | Data Types                                      | Method
IT Glue            | Passwords, configs, contacts, sites, documents  | REST API
Hudu               | Passwords, assets, articles, companies          | REST API
Autotask/Datto PSA | Tickets, contacts, companies, configs           | REST API
Halo PSA           | Tickets, assets, clients, contracts             | REST API
ITFlow             | Clients, contacts, passwords, documents         | REST API
NetBox             | IPs, subnets, devices, sites, VLANs             | REST API + CSV
BookStack          | Books, chapters, pages, attachments             | REST API
Wiki.js            | Pages, assets, comments                         | GraphQL API

Features

  • Field mapping: Map source fields to Arete schema. Auto-detect common mappings
  • Validation: Preview imported data before committing. Show conflicts and warnings
  • Incremental sync: Run migration in stages. Resume from where you left off
  • Rollback: Undo last import batch. Full audit trail of imported records
  • Export: Full platform data export for compliance/portability (reverse migration)

API Endpoints

POST   /api/v1/migration/import                     -> Start import
GET    /api/v1/migration/jobs                        -> MigrationJob[]
GET    /api/v1/migration/jobs/:id/preview             -> ImportPreview
POST   /api/v1/migration/jobs/:id/commit              -> Commit import
POST   /api/v1/migration/jobs/:id/rollback            -> Rollback import
POST   /api/v1/migration/export                      -> Full data export

MODULE M59
AI Email Drafts
New Module
Generate client-facing emails from ticket/alert context using AI. Tone presets, template awareness, and review workflow. Powered by M26 AI Copilot's LLM engine.

Features

  • Context-aware drafts: Generate emails from ticket details, alert context, backup reports, security summaries
  • Tone presets: Professional, urgent, casual, executive summary. Client-specific communication style
  • Auto-attach data: Include relevant reports, charts, compliance summaries as attachments
  • Review workflow: Draft → Tech review → Approve → Send. Never auto-send without human review
  • M365 integration: Send via Outlook using Graph API. Track delivery and read receipts
  • Template library: Common email types: outage notification, maintenance complete, monthly report, onboarding welcome

API Endpoints

POST   /api/v1/email-drafts/generate                 -> DraftEmail
GET    /api/v1/email-drafts                          -> Draft[]
PATCH  /api/v1/email-drafts/:id                      -> Edit draft
POST   /api/v1/email-drafts/:id/send                 -> Send via M365
GET    /api/v1/email-drafts/templates                -> EmailTemplate[]

MODULE M60
Automatic Timesheet Generator
New Module
Auto-generate timesheet entries by aggregating activity data from 10+ sources. AI-powered activity clustering, gap detection, and confidence scoring.

Data Sources

Source             | Data                                                      | Integration
Slack              | Channel activity, message timestamps, thread participation | Slack API
ActivityWatcher    | Desktop app usage, window focus, idle detection           | AW API
OneNote            | Note creation/modification timestamps, page titles        | Graph API
Obsidian           | Vault file changes, note timestamps, daily notes          | File watcher
Filesystem         | File creation/modification in work directories           | File watcher
Edge/Browser       | Work-related domain history (whitelist filtered)          | Browser API
Atlassian          | Jira transitions, Confluence edits, Bitbucket commits     | Atlassian API
NinjaOne           | Remote connection session logs (start/end, device)        | NinjaOne API
3CX                | Call logs with duration, caller info, timestamps          | 3CX API
Teams/Outlook/M365 | Calendar meetings, Bookings, Teams calls                  | Graph API

Features

  • AI clustering: Group related activities into logical work blocks. "9:00-10:30 = Working on Client X network issue"
  • Gap detection: Highlight time periods with no tracked activity. Prompt for manual entry
  • Confidence scoring: High = multiple sources agree, Medium = single source, Low = inferred from gaps
  • Manual adjustment: Review/edit UI before submission. Split, merge, re-classify entries
  • CW export: Export to ConnectWise time entries or CSV. Map to agreement/project/ticket
  • Manager approval: Submission workflow with manager review and approve/reject

API Endpoints

GET    /api/v1/timesheets/:userId/generate           -> GeneratedTimesheet
GET    /api/v1/timesheets/:userId/day/:date          -> DayDetail
PATCH  /api/v1/timesheets/:userId/entries/:id         -> Adjust entry
POST   /api/v1/timesheets/:userId/submit              -> Submit for approval
POST   /api/v1/timesheets/export/cw                   -> Export to ConnectWise

MODULE M61
Security News & Compliance Alert Feed
New Module
Monitor CVEs, ISM updates, Essential Eight changes, PSPF changes, and ASD alerts. Per-client relevance scoring and automated action item generation.

Feed Sources

Source          | Data                                   | Method
NVD/MITRE       | New CVEs affecting managed products    | NVD API
CISA KEV        | Known Exploited Vulnerabilities catalog | CISA API
ASD (ACSC)      | Australian advisories and threat intel | RSS + scrape
ISM             | Information Security Manual updates    | Scrape + diff
Essential Eight | E8 maturity model changes              | ASD publications
PSPF            | Protective Security Policy Framework   | Scrape + diff

Features

  • AI-summarized briefings: Daily/weekly digests with natural language summaries of relevant security news
  • Client relevance scoring: Cross-reference CVEs with M8 asset inventory. Score which clients are affected
  • Action items: CVE detected → Check if patched in M23 → Alert if not → Create M7 ticket
  • Compliance calendar: Track regulatory deadlines, update cycles, audit dates
  • Weekly digest: Auto-email security digest to stakeholders with risk-rated items

API Endpoints

GET    /api/v1/security-feed                        -> SecurityAlert[]
GET    /api/v1/security-feed/cves                    -> CveAlert[]
GET    /api/v1/security-feed/cves/:cveId/affected     -> AffectedClient[]
GET    /api/v1/security-feed/compliance-calendar      -> ComplianceEvent[]
GET    /api/v1/security-feed/digest                   -> WeeklyDigest

MODULE M62
Hardware & Firmware Vulnerability Tracker
New Module
Multi-vendor firmware monitoring across firewalls, networking, wireless, hypervisors, Windows Server, storage, and UPS. Auto-discovery integration, patch urgency scoring, and vendor advisory aggregation.

Supported Vendors

Category    | Vendors
Firewalls   | WatchGuard, Fortinet/FortiGate, Sophos XGS/XG
Networking  | Cisco Catalyst/Nexus, Meraki, Aruba, HPE ProCurve
Wireless    | Ubiquiti/UniFi, Aruba IAP, Meraki MR
Hypervisors | VMware ESXi/vCenter, Hyper-V, Proxmox
Windows     | Windows Server Patch Tuesday, Windows VMs
Storage     | Synology, QNAP, Dell EMC, HPE StoreEasy
UPS/PDU     | APC, CyberPower, Eaton

Features

  • Firmware comparison: Current vs latest vs vendor-recommended "stable" branch per device
  • Critical alert priority: Flag devices with known exploited CVEs (cross-ref M61 CISA KEV)
  • Patch urgency scoring: CVSS score × asset criticality × exposure (internal vs external facing)
  • Vendor advisory aggregation: API/scrape advisories from WatchGuard, Fortinet PSIRT, Cisco PSIRT, HPE, Ubiquiti
  • Auto-discovery: Pull inventory from NinjaOne, M28 Network Discovery, UniFi Controller, FortiManager
  • Change management: Integrate with M25 for firmware update RFCs and maintenance windows
  • Compliance evidence: Track firmware patch compliance for E8 (Patch Applications, Patch OS) and CIS
  • Dashboard: Fleet-wide firmware age distribution, devices running vulnerable firmware, devices past EOL

API Endpoints

GET    /api/v1/firmware/devices                      -> FirmwareDevice[]
GET    /api/v1/firmware/devices/:id                   -> FirmwareDetail
GET    /api/v1/firmware/vulnerable                    -> VulnerableDevice[]
GET    /api/v1/firmware/advisories                    -> VendorAdvisory[]
GET    /api/v1/firmware/compliance/:clientId           -> FirmwareCompliance
POST   /api/v1/firmware/sync                          -> Trigger vendor sync
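The patch urgency formula (CVSS score × asset criticality × exposure) with the KEV-first ordering from the critical alert priority bullet, carried through as an added example (not Arete's own code). The 1..3 criticality scale, the exposure multipliers and the sample devices are assumptions made for illustration.

```typescript
type Exposure = "internal" | "external";

interface FirmwareFinding {
  deviceId: string;
  vendor: string;
  currentVersion: string;
  recommendedVersion: string;    // vendor "stable" branch from the firmware comparison
  cvss: number;                  // highest CVSS base score among open advisories, 0 if none
  assetCriticality: 1 | 2 | 3;   // assumed scale: 1 = peripheral, 3 = core infrastructure
  exposure: Exposure;
  knownExploited: boolean;       // listed in CISA KEV (cross-referenced via M61)
}

// Assumed multiplier for the exposure term: internet-facing devices count double
const EXPOSURE_FACTOR: Record<Exposure, number> = { internal: 1, external: 2 };

interface UrgencyResult {
  deviceId: string;
  urgency: number;    // CVSS x criticality x exposure; 0..60 with the assumed scales
  cvss: number;
  kev: boolean;       // known exploited AND still on old firmware
  upToDate: boolean;
  rationale: string;  // shown in the dashboard drill-down
}

function patchUrgency(f: FirmwareFinding): UrgencyResult {
  if (!Number.isFinite(f.cvss) || f.cvss < 0 || f.cvss > 10) {
    throw new RangeError(`CVSS out of range for ${f.deviceId}: ${f.cvss}`);
  }
  const upToDate = f.currentVersion === f.recommendedVersion;
  const factor = EXPOSURE_FACTOR[f.exposure];
  const raw = upToDate ? 0 : f.cvss * f.assetCriticality * factor;
  const rationale = upToDate
    ? "on recommended firmware"
    : `${f.cvss} x criticality ${f.assetCriticality} x exposure ${factor} (${f.exposure})`
      + (f.knownExploited ? ", in CISA KEV" : "");
  return {
    deviceId: f.deviceId,
    urgency: Math.round(raw * 10) / 10,
    cvss: f.cvss,
    kev: f.knownExploited && !upToDate,
    upToDate,
    rationale,
  };
}

// Patch order: known-exploited devices first, then by urgency, then by raw CVSS
function rankForPatching(findings: FirmwareFinding[]): UrgencyResult[] {
  return findings.map(patchUrgency).sort((a, b) =>
    Number(b.kev) - Number(a.kev) || b.urgency - a.urgency || b.cvss - a.cvss);
}

// Constructed sample fleet; versions and scores are illustrative, not vendor data
function sampleFindings(): FirmwareFinding[] {
  return [
    { deviceId: "fw-01", vendor: "Fortinet", currentVersion: "7.2.5", recommendedVersion: "7.4.4",
      cvss: 9.8, assetCriticality: 3, exposure: "external", knownExploited: true },
    { deviceId: "sw-01", vendor: "Cisco", currentVersion: "17.9.4", recommendedVersion: "17.9.5",
      cvss: 7.5, assetCriticality: 2, exposure: "internal", knownExploited: false },
    { deviceId: "ups-01", vendor: "APC", currentVersion: "1.0", recommendedVersion: "1.2",
      cvss: 5.0, assetCriticality: 1, exposure: "internal", knownExploited: false },
    { deviceId: "ap-01", vendor: "Ubiquiti", currentVersion: "6.6.55", recommendedVersion: "6.6.55",
      cvss: 6.5, assetCriticality: 1, exposure: "internal", knownExploited: true },
    { deviceId: "nas-01", vendor: "Synology", currentVersion: "7.1", recommendedVersion: "7.2",
      cvss: 4.3, assetCriticality: 1, exposure: "internal", knownExploited: true },
  ];
}
```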

MODULE M63
Client Health Score
New Module
Composite 0-100 health score per client combining ALL module data. Executive-friendly traffic light dashboard with drill-down and trending.

Score Components

Factor              | Weight | Source
Backup health       | 15%    | M2 — success rate, coverage, RPO compliance
Security posture    | 20%    | M3 — threat count, EDR coverage, vuln count
Compliance          | 15%    | M20 — E8 maturity, policy adherence
Ticket health       | 10%    | M7 — volume trend, SLA compliance, aging
Patch status        | 15%    | M23 — devices patched, critical outstanding
Endpoint compliance | 15%    | M50 — BitLocker, AV, firewall, screen lock
Firmware currency   | 10%    | M62 — devices on latest vs vulnerable

Features

  • Traffic light dashboard: All clients at a glance — green (>80), amber (60-80), red (<60)
  • Drill-down: Click score to see contributing factors with per-module breakdown
  • Trending: Quarterly comparison showing improvement or degradation per client
  • Auto-flag: Alert when any client drops below configurable threshold
  • QBR integration: Feed M32 QBR with health trend data and executive summary

API Endpoints

GET    /api/v1/health-score/clients                  -> ClientHealthScore[]
GET    /api/v1/health-score/clients/:id               -> HealthScoreDetail
GET    /api/v1/health-score/clients/:id/trend         -> ScoreTrend[]
GET    /api/v1/health-score/alerts                    -> HealthAlert[]
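The composite score from the Score Components table and the traffic light bands, as an added example (not Arete's own code). It also covers a case the table leaves open: a client for whom some modules have no data yet, where the weights are renormalised over the factors present rather than counting the gap as zero. The factor key names and the handling of the boundary values 80 and 60 are assumptions.

```typescript
type Factor = "backupHealth" | "securityPosture" | "compliance" | "ticketHealth"
  | "patchStatus" | "endpointCompliance" | "firmwareCurrency";
type Band = "green" | "amber" | "red";

// Weights from the Score Components table; they sum to 100
const HEALTH_WEIGHTS: Record<Factor, number> = {
  backupHealth: 15,        // M2
  securityPosture: 20,     // M3
  compliance: 15,          // M20
  ticketHealth: 10,        // M7
  patchStatus: 15,         // M23
  endpointCompliance: 15,  // M50 (within M3)
  firmwareCurrency: 10,    // M62
};

interface HealthResult {
  score: number;                                   // 0-100, rounded
  band: Band;
  missing: Factor[];                               // modules with no data for this client
  contributions: Partial<Record<Factor, number>>;  // points each factor adds to the final score
}

function bandFor(score: number): Band {
  // Blueprint thresholds: green (>80), amber (60-80), red (<60).
  // Assumption: the boundary values 80 and 60 both fall in amber.
  if (score > 80) return "green";
  if (score >= 60) return "amber";
  return "red";
}

// factors: each module's 0-100 sub-score; omit a key when the module has no data.
// Weights are renormalised over the factors present, so a missing module neither
// drags the score to zero nor inflates it; it is reported in `missing` for the drill-down.
function clientHealthScore(factors: Partial<Record<Factor, number>>): HealthResult {
  const missing: Factor[] = [];
  const weighted: Partial<Record<Factor, number>> = {};
  let weightSum = 0;
  for (const factor of Object.keys(HEALTH_WEIGHTS) as Factor[]) {
    const value = factors[factor];
    if (value === undefined) { missing.push(factor); continue; }
    if (!Number.isFinite(value) || value < 0 || value > 100) {
      throw new RangeError(`${factor} must be 0-100, got ${value}`);
    }
    weighted[factor] = value * HEALTH_WEIGHTS[factor];
    weightSum += HEALTH_WEIGHTS[factor];
  }
  if (weightSum === 0) throw new Error("no module data available for this client");
  const contributions: Partial<Record<Factor, number>> = {};
  let total = 0;
  for (const [factor, points] of Object.entries(weighted) as [Factor, number][]) {
    contributions[factor] = Math.round((points / weightSum) * 10) / 10;
    total += points;
  }
  const score = Math.round(total / weightSum);
  return { score, band: bandFor(score), missing, contributions };
}

// Auto-flag: true when the score sits below the configurable per-MSP threshold
function breachesThreshold(result: HealthResult, threshold: number): boolean {
  return result.score < threshold;
}
```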

MODULE M64
Capacity Planning & Forecasting
New Module
Predict resource needs by analyzing growth trends. Storage, bandwidth, licenses, mailboxes, and Azure resources. Auto-generate upgrade recommendations.

Features

  • Storage forecasting: Disk growth trend analysis. Predict when drives fill up per device/client
  • Mailbox growth: M365 mailbox size tracking with projection. Alert on approaching quota
  • License consumption: User count growth projections. Predict when current license count is exhausted
  • Azure resource forecasting: Compute, storage, networking utilization trends
  • Proactive alerts: "Client X will exceed 1TB mailbox in 3 months" style warnings
  • Upgrade recommendations: Auto-generate hardware/service upgrade proposals with cost estimates

API Endpoints

GET    /api/v1/capacity/forecasts/:clientId           -> CapacityForecast[]
GET    /api/v1/capacity/storage/:clientId              -> StorageForecast
GET    /api/v1/capacity/licenses/:clientId             -> LicenseForecast
GET    /api/v1/capacity/alerts                        -> CapacityAlert[]
GET    /api/v1/capacity/recommendations/:clientId      -> UpgradeRecommendation[]

MODULE M65
Business Intelligence Warehouse
New Module
Advanced analytics engine aggregating ALL module data. Custom query builder, interactive visualizations, cross-module correlation analysis, and scheduled report delivery.

Features

  • Data warehouse: Unified schema aggregating data from all 75 modules. Materialized views for fast queries
  • Query builder: SQL-like interface for non-technical users. Saved queries, parameterized reports
  • Visualizations: Power BI-style interactive charts, heatmaps, pivot tables, scatter plots
  • Cross-module correlation: "Clients with low backup scores also have 2.3x more tickets" type insights
  • Scheduled delivery: Email, Slack, Teams delivery of recurring reports
  • Pre-built templates: Revenue trends, ticket patterns, security trends, client health over time

API Endpoints

POST   /api/v1/bi/query                             -> Execute query
GET    /api/v1/bi/saved-queries                      -> SavedQuery[]
GET    /api/v1/bi/templates                          -> AnalyticsTemplate[]
POST   /api/v1/bi/schedule                           -> Schedule report delivery
GET    /api/v1/bi/insights                           -> AiInsight[]

MODULE M66
CSAT / NPS Surveys
New Module
Post-ticket satisfaction surveys and quarterly NPS scoring. Per-technician ratings, automated follow-up on negative feedback, and integration with QBR reporting.

Features

  • Post-ticket CSAT: Auto-send survey on ticket closure. 1-5 star rating with optional comment
  • Quarterly NPS: 0-10 scale NPS campaigns. Calculate Promoter/Passive/Detractor distribution
  • Per-technician ratings: Track individual tech satisfaction scores with trend lines
  • Negative follow-up: Auto-alert manager on scores < 3 stars. Create follow-up task
  • Response tracking: Response rate monitoring. Nudge for non-responses
  • QBR integration: Feed satisfaction data into M32 QBR and M22 Profitability reports

API Endpoints

GET    /api/v1/surveys/responses/:clientId            -> SurveyResponse[]
POST   /api/v1/surveys/campaigns                     -> Create NPS campaign
GET    /api/v1/surveys/nps/:clientId                  -> NpsScore
GET    /api/v1/surveys/technicians                    -> TechSatisfaction[]
GET    /api/v1/surveys/trends/:clientId               -> SatisfactionTrend

MODULE M67
Cyber Insurance Readiness
New Module
Pre-fill cyber insurance questionnaires with real platform data. Evidence collection, gap analysis against insurer requirements, and readiness reporting.

Features

  • Auto-populate questionnaires: Pull real data: MFA status (M9), backup verification (M2/M69), patch compliance (M23/M50), EDR coverage (M3), password policies (M48), training (M34)
  • Insurer templates: Pre-built question sets for Chubb, QBE, Allianz, Zurich. Customizable
  • Gap analysis: Compare current state vs insurer requirements. Highlight deficiencies with remediation guidance
  • Evidence snapshots: Timestamped compliance evidence for claims support
  • Readiness reports: Per-client readiness report with confidence scores per requirement
  • Policy tracking: Renewal dates, premium trends, coverage limits per client

API Endpoints

GET    /api/v1/insurance/readiness/:clientId          -> ReadinessReport
GET    /api/v1/insurance/questionnaires                -> QuestionnaireTemplate[]
POST   /api/v1/insurance/questionnaires/:id/fill       -> AutoFillAnswers
GET    /api/v1/insurance/gaps/:clientId                -> InsuranceGap[]
GET    /api/v1/insurance/evidence/:clientId             -> EvidencePackage

MODULE M68
Client Offboarding
New Module
Structured offboarding checklist (opposite of M19). Remove access, export data, archive docs, revoke licenses, with compliance evidence of clean separation.

Features

  • Checklist workflow: Remove NinjaOne agent → Export data → Archive docs (M40) → Revoke M365 licenses → Transfer DNS/domains → Final billing (M57) → Remove monitoring (M6, M3)
  • Data export: Generate complete client data package (passwords, configs, documentation, tickets)
  • Compliance evidence: Timestamped proof of clean separation. Data retention policy enforcement
  • Sign-off gates: Require approvals at key stages. Manager sign-off on data destruction

API Endpoints

POST   /api/v1/offboarding/workflows                 -> Create offboarding
GET    /api/v1/offboarding/workflows/:id              -> OffboardingStatus
PATCH  /api/v1/offboarding/workflows/:id/steps/:n     -> Complete step
POST   /api/v1/offboarding/workflows/:id/export       -> Generate data package

MODULE M69
Backup Testing & Verification
New Module
⚠️ CONSOLIDATION NOTE: This module is merged into M24 (Backup DR Testing & Verification). Implement these features as a sub-section/tab within M24. Both modules test backup restores — M69's restorability scoring, auto-ticket on failure, and test type variants (file/VM/application-level) become M24 features.
Scheduled automated backup restore tests with integrity verification. Evidence for DR compliance (M24) and cyber insurance (M67).

Features

  • Automated restore tests: Schedule per client (monthly/quarterly). Auto-trigger from latest backup
  • Integrity verification: Checksum validation, file sampling, boot verification (screenshot capture)
  • Test types: File-level, VM-level, application-level (M365 mailbox, SharePoint site)
  • Evidence trail: Timestamped results with screenshots. Feed M24 DR and M67 Insurance evidence
  • Auto-ticket: Create M7 ticket on restore test failure. Track remediation
  • Restorability scoring: Confidence score per backup set. Feed M2 Backup Intelligence

API Endpoints

GET    /api/v1/backup-testing/tests                  -> RestoreTest[]
POST   /api/v1/backup-testing/tests                  -> Schedule test
GET    /api/v1/backup-testing/results/:testId         -> TestResult
GET    /api/v1/backup-testing/scores/:clientId        -> RestorabilityScore

MODULE M70
Remote Session Manager
New Module
Centralized view of ALL remote access sessions across RDP, TeamViewer, AnyDesk, NinjaOne, and VPN connections. Session logging for compliance.

Features

  • Unified view: All active remote sessions across all tools in one dashboard
  • Session logging: Who accessed what, when, for how long. Compliance-ready audit trail
  • Access policies: Restrict which technicians can access which clients. Manager approval for sensitive systems
  • Emergency kill switch: Terminate any session immediately from the dashboard
  • Duration tracking: Idle timeout alerts. Session time limits. Cost tracking per session

API Endpoints

GET    /api/v1/sessions/active                       -> ActiveSession[]
GET    /api/v1/sessions/history                       -> SessionHistory[]
POST   /api/v1/sessions/:id/terminate                 -> Kill session
GET    /api/v1/sessions/policies                      -> AccessPolicy[]

MODULE M71
IoT & Peripheral Management
New Module
Track printers, cameras, UPS, environmental sensors, and display signage. SNMP monitoring with toner/battery health tracking.

Features

  • Device inventory: Printers, cameras, sensors, UPS, signage per client/site
  • UPS monitoring: Battery health, load percentage, runtime remaining (via SNMP)
  • Environmental: Temperature, humidity sensors for server rooms. Alert on out-of-range
  • Printer consumables: Toner levels, page counts, maintenance kit status
  • Firmware updates: Track IoT device firmware versions. Alert on updates available
  • Network segmentation: Recommend VLAN isolation for IoT devices (security best practice)

API Endpoints

GET    /api/v1/iot/devices/:clientId                  -> IoTDevice[]
GET    /api/v1/iot/ups/:deviceId                      -> UpsHealth
GET    /api/v1/iot/environmental/:siteId               -> EnvironmentalReading[]
GET    /api/v1/iot/printers/:clientId                  -> PrinterStatus[]
MODULE M72
Multi-Cloud Operations
New Module
Unified AWS + Azure + GCP management extending M29 Cloud Cost. Resource provisioning, security audit, and right-sizing recommendations.

Features

  • Single pane of glass: All cloud resources across all providers in one view
  • Security audit: NSG/security group review, public IP exposure, storage access policies
  • Cost allocation: Tag compliance, cost by department/project, chargeback reports
  • Right-sizing: Identify over-provisioned resources. Savings recommendations
  • Reserved instances: RI/savings plan coverage analysis. Purchase recommendations

API Endpoints

GET    /api/v1/cloud/resources/:clientId              -> CloudResource[]
GET    /api/v1/cloud/security/:clientId               -> SecurityAudit
GET    /api/v1/cloud/optimization/:clientId            -> OptimizationRecommendation[]
GET    /api/v1/cloud/costs/:clientId/breakdown         -> CostBreakdown
MODULE M73
Microsoft Partner Tenancy Manager
New Module
CSP/GDAP management, solutions partner designation tracking, license optimization, config drift detection, and unified M365 Service Health across ALL partner tenants.

Features

  • CSP/GDAP: Track GDAP role assignments with expiry. CSP subscription management. Ensure MSP is partner of record for all eligible tenants
  • Solutions Partner: Track points/skilling progress per competency. Identify gaps in tenant associations and certifications
  • Config drift: Monitor partner-managed tenants for unexpected CA policy changes, license modifications, admin role changes
  • Unified M365 Health: Aggregate Service Health across ALL tenants. Per-tenant health dashboard. Incident correlation
  • License optimization: Detect unused licenses (no sign-in 90+ days). Suggest tier changes (E3 ↔ E5 ↔ F1). Cost impact analysis
  • Direct billing detection: Flag clients not billing Azure subs through CSP. Revenue opportunity identification

API Endpoints

GET    /api/v1/partner/tenants                       -> PartnerTenant[]
GET    /api/v1/partner/gdap/:tenantId                 -> GdapAssignment[]
GET    /api/v1/partner/designations                   -> PartnerDesignation[]
GET    /api/v1/partner/drift/:tenantId                -> ConfigDrift[]
GET    /api/v1/partner/health                         -> TenantHealth[]
GET    /api/v1/partner/licensing/:tenantId             -> LicenseOptimization
MODULE M74
Auto-Generated Infrastructure Diagrams
New Module
Always up-to-date network and infrastructure diagrams generated from live NinjaOne, PSA, M365, Azure, UniFi, and firewall data. Auto-refresh on sync, export to SVG/PNG/Visio.

Diagram Types

Type                      | Data Sources
Network topology (L2/L3)  | M28 Network Discovery, UniFi, SNMP
Cloud architecture        | Azure Resource Manager, AWS CloudFormation
M365 tenant overview      | Graph API (licenses, groups, CA policies)
Physical rack/site layout | NinjaOne device inventory, M38 IPAM
Data flow diagrams        | All connector data flow mappings
AD / Entra ID structure   | Graph API (OUs, groups, users, roles)

Features

  • Auto-refresh: Diagrams update when source data syncs. Never stale
  • History: View diagram snapshots over time. See how infrastructure evolved
  • Export: SVG, PNG, PDF, Visio-compatible (.vsdx), Mermaid markdown
  • Embed: Auto-insert into M40 Documentation Engine per client
  • Technology: D3.js for force-directed graphs, Mermaid.js for structured diagrams

API Endpoints

GET    /api/v1/diagrams/:clientId                     -> DiagramIndex
GET    /api/v1/diagrams/:clientId/:type               -> DiagramData
GET    /api/v1/diagrams/:clientId/:type/export/:fmt   -> Export (svg/png/pdf/vsdx)
GET    /api/v1/diagrams/:clientId/history              -> DiagramHistory
POST   /api/v1/diagrams/:clientId/refresh              -> Force refresh
MODULE M75
Vaultwarden Integration
New Module
Self-hosted Bitwarden-compatible server (Vaultwarden) as the enterprise password vault. Extends M15 with organization management, breach detection, and client portal access.

Features

  • Organization management: Per-client collections. Shared vault for tech teams. Access controls
  • HIBP breach check: Check all stored passwords against the HaveIBeenPwned Pwned Passwords database via the k-anonymity range API (only the first five hex characters of each SHA-1 hash leave the platform; never send the password or the full hash). Alert on compromised entries
  • Password strength audit: Reuse detection, weak password flagging, age tracking
  • Emergency access: Break-glass procedures with audit trail. Time-delayed access for emergencies
  • Rotation sync: M48 Password Rotation auto-updates vault entries on rotation
  • Client portal access: Scoped vault access via M27 Client Portal (clients see only their passwords)
  • Mobile compatibility: Standard Bitwarden mobile/desktop clients work with the Vaultwarden instance

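The k-anonymity lookup that the HIBP breach check above relies on, as an added TypeScript example (not code from the Arete codebase, Vaultwarden, or HIBP). Only the first five hex characters of each password's SHA-1 leave the platform; the range response is parsed locally, and a vault audit groups entries by prefix so it costs one request per distinct prefix rather than one per entry. The fetcher is injected: the sample range body below is constructed for this example, and the production fetcher (a GET to PWNED_RANGE_URL + prefix with the Add-Padding: true header) is not shown.

```typescript
import { createHash } from 'node:crypto'

// Pwned Passwords range API: only the first 5 hex characters of the SHA-1 are sent;
// the response lists every hash suffix in that bucket with its breach count.
export const PWNED_RANGE_URL = 'https://api.pwnedpasswords.com/range/'

export function sha1Upper(password: string): string {
  return createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase()
}

export function splitHash(hash: string): { prefix: string; suffix: string } {
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) }
}

// Parse a range body ("SUFFIX:COUNT" per line) and return the count for one
// suffix, or 0 when it is absent. Padded responses contain ":0" decoy rows,
// which correctly read as "not breached".
export function countInRange(rangeBody: string, suffix: string): number {
  const want = suffix.toUpperCase()
  for (const line of rangeBody.split(/\r?\n/)) {
    const [s, c] = line.trim().split(':')
    if (s === want && c !== undefined) {
      const n = Number.parseInt(c, 10)
      return Number.isFinite(n) ? n : 0
    }
  }
  return 0
}

// A fetcher returns the body for one prefix. Production issues the HTTP GET;
// tests inject a stub so the audit runs offline.
export type RangeFetcher = (prefix: string) => Promise<string>

export interface VaultEntry { id: string; password: string }

// Audit many vault entries with the minimum number of range requests:
// entries are grouped by prefix, so one request serves every entry in a bucket.
export async function auditVault(
  entries: VaultEntry[],
  fetchRange: RangeFetcher,
): Promise<Map<string, number>> {
  const buckets = new Map<string, { id: string; suffix: string }[]>()
  for (const entry of entries) {
    const { prefix, suffix } = splitHash(sha1Upper(entry.password))
    const bucket = buckets.get(prefix) ?? []
    bucket.push({ id: entry.id, suffix })
    buckets.set(prefix, bucket)
  }
  const breachCounts = new Map<string, number>()
  for (const [prefix, members] of Array.from(buckets.entries())) {
    const body = await fetchRange(prefix)
    for (const m of members) breachCounts.set(m.id, countInRange(body, m.suffix))
  }
  return breachCounts
}

// Constructed sample response for prefix 5BAA6 (SHA-1 of "password" is
// 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Counts are illustrative only.
export const SAMPLE_RANGE_5BAA6 =
  '0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n' +
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n' +
  'A2DAEF0BB3D2A4BC7FCF4F8DE3A48DE4E21:0\r\n'

// Offline stub standing in for the live HTTP fetcher.
export const stubFetcher: RangeFetcher = async (prefix) =>
  prefix === '5BAA6' ? SAMPLE_RANGE_5BAA6 : ''
```

Vault entries are decrypted only inside the audit worker, hashed, and discarded; what is persisted per entry is the breach count, not the hash. Rate limiting is unnecessary for the range endpoint, but a vault of many thousands of entries still benefits from the per-prefix grouping above.
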
API Endpoints

GET    /api/v1/vault/organizations                    -> Organization[]
GET    /api/v1/vault/collections/:orgId               -> Collection[]
POST   /api/v1/vault/breach-check                     -> BreachCheckResult
GET    /api/v1/vault/health/:orgId                    -> VaultHealthReport
MODULE M76
Email Infrastructure Monitor
New Module
SMTP server testing, blacklist monitoring, DNS zone watching, and S3/cloud storage health. Extends M4 Email Security with operational monitoring.

Features

  • SMTP testing: Periodic connectivity tests, STARTTLS verification, certificate validation, open relay detection
  • Blacklist monitoring: Check IPs/domains against 50+ blacklists (Spamhaus, Barracuda, SURBL). Real-time alerting on new listings
  • Delisting automation: Auto-generate delisting request links. Track delisting progress
  • DNS zone watcher: Monitor MX, SPF, DKIM, DMARC records for unauthorized changes. DNSSEC validation
  • DNS cache poisoning: Compare authoritative vs recursive resolver responses. Alert on discrepancies (allow for TTL lag and geo-steered answers to avoid false positives)
  • Cloud storage monitoring: S3 bucket health, public exposure detection, lifecycle policy compliance

API Endpoints

GET    /api/v1/email-infra/smtp/:domain               -> SmtpTestResult
GET    /api/v1/email-infra/blacklists/:ip              -> BlacklistStatus
GET    /api/v1/email-infra/zones/:domain               -> ZoneHealth
GET    /api/v1/email-infra/storage                     -> StorageHealth[]
POST   /api/v1/email-infra/smtp/:domain/test           -> Run SMTP test
MODULE M77
WordPress & CMS Vulnerability Monitor
New Module
WordPress vulnerability scanning powered by WPScan API v3 (free tier: 25 requests/day). Pretty frontend dashboard with per-site plugin/theme vulnerability tracking, abandoned plugin detection, page change monitoring, and multi-CMS support. User-configurable API key in tenant settings.

WPScan API v3 Integration

Property        | Value
Base URL        | https://wpscan.com/api/v3/
Auth            | Header: Authorization: Token token=API_TOKEN
Free Tier Limit | 25 requests/day (1 per WP version check, 1 per plugin, 1 per theme)
Rate Strategy   | Budget planner: scanning 1 site with 20 plugins + 3 themes + 1 core = 24 requests. Queue sites across days if more than 25 total checks are needed
When Exhausted  | Scanner continues but returns no vulnerability data until the next daily reset
API Key Storage | Per-tenant encrypted setting (settings.wpscanApiKey). User enters it via Settings → Integrations → WPScan

WPScan API Endpoints Used

WPScan Endpoint        | Method | Purpose                                                                | Free Tier
/wordpresses/{version} | GET    | Vulnerabilities for a specific WP core version (e.g., 694 for 6.9.4)   | Yes
/plugins/{slug}        | GET    | All known vulnerabilities for a plugin by slug (e.g., contact-form-7)  | Yes
/themes/{slug}         | GET    | All known vulnerabilities for a theme by slug                          | Yes
/status                | GET    | Remaining daily API quota and plan details                             | Yes
/plugins/latest        | GET    | Last 20 plugin vulnerabilities (proactive feed)                        | Enterprise only
/themes/latest         | GET    | Last 20 theme vulnerabilities                                          | Enterprise only
/all/latest            | GET    | Last 20 vulnerabilities across the entire database                     | Enterprise only
/vulnerabilities/{id}  | GET    | Single vulnerability detail by WPScan ID                               | Enterprise only

Response fields: id, title, created_at, updated_at, published_date, vuln_type (sqli, xss, rce, lfi, etc.), references (url, cve, wpvulndb), fixed_in (version). Enterprise-only fields: description, poc (proof of concept).

Features

  • Site registration: Add WordPress sites by URL. Auto-detect WP version, installed plugins (via /wp-json or HTML fingerprinting), and active theme. Store in WordPressSite model
  • Scheduled scanning: Daily scan queue with smart budgeting. Sites rotate if total plugins+themes exceed 25/day limit. Priority scanning for sites with previously detected vulns
  • API quota dashboard: Real-time display of remaining daily API calls via /status endpoint. Visual gauge showing used/remaining. Alert when quota < 5 remaining
  • Vulnerability dashboard: Per-site vulnerability cards with severity badges (critical/high/medium/low based on vuln_type). Sortable by severity, site, plugin name. Click to expand: CVE details, affected versions, fixed_in version, references
  • Plugin/theme audit: Side-by-side: installed version vs. latest vs. fixed_in. Traffic light indicators (green = current + no vulns, amber = outdated, red = vulnerable)
  • Abandoned plugin detection: Flag plugins with no updates in 12+ months (cross-reference wordpress.org API for last_updated date). Recommend alternatives
  • Auto-remediation suggestions: Link each vulnerability to its fixed_in version. One-click "Create update ticket" for M7 Tickets with pre-populated details
  • Page change detection: Content changes in CMS-managed pages. Detect defacement, SEO spam injection, unauthorized script injection. DOM diff view
  • Admin user audit: Track WP admin account creation/changes via the WP REST API (/wp/v2/users). Requires an application password for an account with the list_users capability; an unauthenticated request only returns users with published content. Alert on new admin accounts or role elevation
  • Multi-CMS support: WordPress (primary, WPScan-powered), Joomla (version fingerprint), Drupal (changelog.txt/CHANGELOG.md detection). Unified vulnerability view across CMS types
  • Attack surface feed: Push discovered WordPress vulns to M54 Attack Surface Monitor for external risk scoring
  • Security news correlation: Cross-reference M61 CVE feed with installed WordPress plugins across all clients. Proactive alert: "CVE-2026-XXXX affects plugin X installed on 3 client sites"

Frontend Pages

  • CMS Dashboard (/cms): Overview cards — total sites monitored, total vulns (by severity), sites needing attention, API quota gauge. Pie chart: vuln distribution by type. Bar chart: vulns per client
  • Site List (/cms/sites): TanStack Table — URL, CMS type, version, plugin count, vuln count, last scanned, health badge. Filters: by client, CMS type, has-vulns. Bulk scan action
  • Site Detail (/cms/sites/:id): Tabbed view — Overview (version + health score), Plugins (table with version/vuln status per plugin), Themes, Vulnerabilities (timeline of discovered vulns), Changes (content change history with diff), Admin Users
  • Vulnerability Feed (/cms/vulnerabilities): Chronological feed of all discovered vulns across all sites. Filter by severity, CMS, client. Click to drill into affected site. "Create ticket" quick action per vuln
  • Settings (/settings/integrations/wpscan): API key input (masked), quota display, scan schedule configuration, notification preferences

Rate Limit Budget Planner

The connector implements a daily budget planner to maximize coverage within 25 requests/day:

// Budget calculation per site: one request for the core version check,
// plus one per installed plugin and one per installed theme
interface BudgetedSite { plugins: string[]; themes: string[] }
const budget = (site: BudgetedSite): number => 1 + site.plugins.length + site.themes.length

// Example: site with 15 plugins + 2 themes = 18 requests
// Remaining budget: 25 - 18 = 7 requests for other sites

// Strategy:
// 1. Check /status first (does not count against the quota)
// 2. Prioritize sites with known vulnerabilities
// 3. Rotate remaining sites across days
// 4. Cache results for 24h (never re-check the same plugin twice in one day)
// 5. Skip plugins already checked today (deduplicate across sites)

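A working version of the budget planner described above, as an added TypeScript example that is not code from the Arete codebase. It implements the five strategy points: known-vulnerable sites first, per-request deduplication across sites, a cache of keys answered in the last 24 h (the Set stands in for the Redis wpscan:{type}:{slug} keys), rotation of sites that do not fit, and, going one step beyond the text, spending any leftover budget on a partial scan so that the site needs fewer requests the next day. The SiteInventory and ScanPlan types and the fixture sites are assumptions of this example.

```typescript
// Inventory captured at site registration (WP version, plugin and theme slugs).
export interface SiteInventory {
  id: string
  coreVersion: string      // dotted, e.g. '6.9.4'
  plugins: string[]        // wordpress.org slugs, e.g. 'contact-form-7'
  themes: string[]
  hasKnownVulns: boolean   // from the previous scan
  lastScanned?: string     // ISO date; undefined means never scanned
}

export interface ScanPlan {
  checks: string[]         // WPScan requests to issue today, in order
  covered: string[]        // sites fully checked today (or served entirely from cache)
  partial: string[]        // site that absorbed the leftover budget; remainder continues tomorrow
  deferred: string[]       // sites that did not fit today
  remaining: number
}

export const DAILY_QUOTA = 25

// WPScan addresses core versions without dots: 6.9.4 -> /wordpresses/694
export function coreVersionKey(version: string): string {
  return version.replace(/\./g, '')
}

// One cache/dedup key per WPScan request, mirroring the Redis layout wpscan:{type}:{slug}.
export function checksFor(site: SiteInventory): string[] {
  return [
    `core:${coreVersionKey(site.coreVersion)}`,
    ...site.plugins.map(p => `plugin:${p}`),
    ...site.themes.map(t => `theme:${t}`),
  ]
}

export function planDailyScan(
  sites: SiteInventory[],
  cached: Set<string>,           // keys already answered within the last 24 h
  quota: number = DAILY_QUOTA,
): ScanPlan {
  // Priority: sites with known vulnerabilities first, then least recently scanned.
  const ordered = sites.slice().sort((a, b) => {
    if (a.hasKnownVulns !== b.hasKnownVulns) return a.hasKnownVulns ? -1 : 1
    return (a.lastScanned ?? '').localeCompare(b.lastScanned ?? '')
  })

  const issued = new Set<string>()
  const plan: ScanPlan = { checks: [], covered: [], partial: [], deferred: [], remaining: quota }

  for (const site of ordered) {
    // Deduplicate: a plugin shared by several sites costs one request per day.
    const needed = checksFor(site).filter(k => !cached.has(k) && !issued.has(k))

    if (needed.length <= plan.remaining) {
      for (const k of needed) { issued.add(k); plan.checks.push(k) }
      plan.remaining -= needed.length
      plan.covered.push(site.id)
    } else if (plan.remaining > 0) {
      // Spend the leftover budget on a partial scan; those answers are cached,
      // so the site needs fewer requests tomorrow.
      for (const k of needed.slice(0, plan.remaining)) { issued.add(k); plan.checks.push(k) }
      plan.remaining = 0
      plan.partial.push(site.id)
    } else {
      plan.deferred.push(site.id)
    }
  }
  return plan
}

function slugs(prefix: string, n: number): string[] {
  return Array.from({ length: n }, (_, i) => `${prefix}${i + 1}`)
}

// Constructed fixture: four sites sharing a core version and some plugins.
export const SAMPLE_SITES: SiteInventory[] = [
  { id: 'A', coreVersion: '6.9.4', plugins: slugs('p', 15), themes: ['t1', 't2'], hasKnownVulns: false, lastScanned: '2026-02-10' },
  { id: 'B', coreVersion: '6.9.4', plugins: ['p1', 'p2', 'p3'], themes: ['t1'], hasKnownVulns: true, lastScanned: '2026-02-14' },
  { id: 'C', coreVersion: '6.8.0', plugins: slugs('q', 6), themes: ['u1'], hasKnownVulns: false },
  { id: 'D', coreVersion: '6.9.4', plugins: ['r1', 'r2'], themes: ['t1'], hasKnownVulns: false, lastScanned: '2026-02-12' },
]
```

With an empty cache the fixture schedules B (vulnerable) and C (never scanned) in full, fills the last 12 slots with a partial scan of A, and defers D; sites that were fully answered from cache count as covered without spending any quota. The BullMQ job would run /status first and pass the reported remaining quota in as the quota argument rather than assuming 25.
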
API Endpoints

GET    /api/v1/cms/sites                             -> WordPressSite[]
POST   /api/v1/cms/sites                             -> Add site to monitor
GET    /api/v1/cms/sites/:id                          -> WordPressSite (detail)
DELETE /api/v1/cms/sites/:id                          -> Remove site
GET    /api/v1/cms/sites/:id/plugins                  -> PluginStatus[]
GET    /api/v1/cms/sites/:id/themes                   -> ThemeStatus[]
GET    /api/v1/cms/sites/:id/vulnerabilities           -> Vulnerability[]
GET    /api/v1/cms/sites/:id/changes                  -> ContentChange[]
GET    /api/v1/cms/sites/:id/admins                   -> WpAdmin[]
POST   /api/v1/cms/sites/:id/scan                     -> Trigger manual scan
GET    /api/v1/cms/vulnerabilities                    -> AllVulnerabilities[] (cross-site)
GET    /api/v1/cms/vulnerabilities/:id                 -> VulnerabilityDetail
POST   /api/v1/cms/vulnerabilities/:id/create-ticket   -> Create M7 ticket from vuln
GET    /api/v1/cms/quota                              -> WPScan API quota status
GET    /api/v1/cms/stats                              -> Dashboard stats

Connector: WPScan

Property       | Value
Auth Type      | API Token (header: Authorization: Token token={key})
Base URL       | https://wpscan.com/api/v3
Rate Limit     | 25 requests/day (free tier), tracked in the IntegrationHealth model (M42)
Caching        | 24-hour TTL per plugin/theme response. Redis key: wpscan:{type}:{slug}
Sync Schedule  | BullMQ daily job at 06:00 AEST. Distributes the budget across queued sites
Error Handling | 429 (rate limit) → stop scanning, log remaining budget. 401 → alert M42 Integration Health. 404 → plugin/theme not in the WPScan DB (skip, do not retry)
MODULE M78
Vendor Risk Management
New Module
Third-party vendor security risk scoring (UpGuard-style). Questionnaire management, continuous posture monitoring, and APRA CPS 234 compliance tracking.

Features

  • Risk scoring: Automated security posture assessment per vendor (SSL, email auth, open ports, breach history)
  • Questionnaires: Send, track, score security questionnaire responses. Customizable templates
  • Continuous monitoring: Ongoing posture checks. Alert on degradation (cert expiry, new vulns)
  • Vendor inventory: Per-client: which vendors handle what data, what certifications they hold
  • Risk matrix: Likelihood × Impact scoring. Visual risk heatmap
  • Regulatory compliance: APRA CPS 234 (third-party risk), Privacy Act requirements tracking
  • Insurance feed: Provide third-party risk evidence to M67 Cyber Insurance module

API Endpoints

GET    /api/v1/vendor-risk/vendors                    -> VendorRisk[]
GET    /api/v1/vendor-risk/vendors/:id/score           -> RiskScore
POST   /api/v1/vendor-risk/questionnaires              -> Send questionnaire
GET    /api/v1/vendor-risk/matrix/:clientId             -> RiskMatrix
GET    /api/v1/vendor-risk/compliance                  -> ComplianceReport
MODULE M79
SMS & Communication Automation
New Module
⚠️ CONSOLIDATION NOTE: This module is merged into M52 (Notification Center & Preferences). SMS is a notification channel — implement SMS sending, templates, two-way messaging, bulk campaigns, and cost tracking as M52 features. Provider config (Twilio/MessageMedia) becomes a notification channel setting.
SMS notifications, templates, and two-way messaging via Twilio/MessageMedia. Automation triggers from any module. Spam Act 2003 compliant.

Features

  • SMS sending: Template-based messages (outage, maintenance, password reset, appointment reminder)
  • Bulk campaigns: Mass SMS for planned maintenance notifications. Delivery tracking
  • Two-way SMS: Receive replies, route to M7 tickets. Auto-responses for common queries
  • Automation triggers: Link to any module alert. Critical backup failure → SMS to client. SLA breach → SMS to tech
  • Provider flexibility: Twilio (international) or MessageMedia (Australian optimized). Failover between providers
  • Cost tracking: SMS spend per client/month. Budget alerts. Feed M22 Profitability
  • Compliance: Opt-in/opt-out management per contact (Spam Act 2003). DNC list integration

API Endpoints

POST   /api/v1/sms/send                              -> Send SMS
POST   /api/v1/sms/campaigns                         -> Create bulk campaign
GET    /api/v1/sms/history                            -> SmsHistory[]
GET    /api/v1/sms/costs                              -> SmsCostReport
GET    /api/v1/sms/templates                          -> SmsTemplate[]
MODULE M80
Secure Sharing (PwPush / Ephemeral)
New Module
PwPush-style time-limited, view-limited password and file sharing with end-to-end encryption: content is encrypted in the browser and the decryption key travels in the URL fragment, which is never sent to the server. Self-hosted, no third-party dependency.

Features

  • Password sharing: Generate time-limited links with an unguessable random token. Set expiry (hours/days), max views, optional passphrase
  • File sharing: Encrypted file transfer with same limits. Client-side encryption before upload
  • Auto-destroy: Content destroyed after expiry or when the view limit is reached. Deletion is irreversible; no copy is retained
  • Audit trail: Who created, who viewed, when expired. Feed M53 Platform Audit Log
  • Branding: Client-facing sharing page with MSP branding via M27 Client Portal
  • Vault integration: One-click "share securely" from M15/M75 vault. Pre-populate from vault entries
  • Onboarding integration: Share initial credentials during M19 Client Onboarding workflow

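How the end-to-end property of the sharing link can be realised, as an added TypeScript example rather than PwPush's or Arete's own code. The browser side seals the secret with AES-256-GCM and puts the key in the URL fragment; the server side stores only ciphertext plus the expiry and view counters, hands the ciphertext out once per permitted view, and wipes the record on the last view or on first access after expiry. The in-memory ShareStore, the token and URL layout, and the audit event names are assumptions of this example; production would persist records in PostgreSQL and forward the audit entries to M53.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'

// ---- client side (runs in the browser; the key never reaches the server) ----

export interface SealedSecret { iv: Buffer; ciphertext: Buffer; tag: Buffer }

export function sealSecret(plaintext: string, key: Buffer): SealedSecret {
  const iv = randomBytes(12)                         // fresh 96-bit nonce per message
  const cipher = createCipheriv('aes-256-gcm', key, iv)
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
  return { iv, ciphertext, tag: cipher.getAuthTag() }
}

export function openSecret(sealed: SealedSecret, key: Buffer): string {
  const decipher = createDecipheriv('aes-256-gcm', key, sealed.iv)
  decipher.setAuthTag(sealed.tag)                    // final() throws on tamper or wrong key
  return Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]).toString('utf8')
}

// The key rides in the fragment: browsers strip everything after '#' before sending a request.
export function buildShareUrl(base: string, token: string, key: Buffer): string {
  return `${base}/share/${token}#${key.toString('base64url')}`
}

export function parseShareUrl(url: string): { token: string; key: Buffer } {
  const [pathPart, fragment] = url.split('#')
  return {
    token: pathPart.slice(pathPart.lastIndexOf('/') + 1),
    key: Buffer.from(fragment ?? '', 'base64url'),
  }
}

// ---- server side (stores ciphertext and limits only) -------------------------

interface ShareRecord { sealed: SealedSecret; expiresAt: number; viewsLeft: number }
export type AuditEvent = 'created' | 'viewed' | 'expired' | 'destroyed'
export interface AuditEntry { token: string; event: AuditEvent; actor: string; at: number }

export class ShareStore {
  private records = new Map<string, ShareRecord>()
  private audit: AuditEntry[] = []                   // outlives the record it describes
  constructor(private now: () => number = Date.now) {}

  create(sealed: SealedSecret, opts: { ttlMs: number; maxViews: number; createdBy: string }): string {
    const token = randomBytes(16).toString('base64url') // 128-bit path token, unguessable
    this.records.set(token, { sealed, expiresAt: this.now() + opts.ttlMs, viewsLeft: opts.maxViews })
    this.audit.push({ token, event: 'created', actor: opts.createdBy, at: this.now() })
    return token
  }

  // Hands out the ciphertext once per permitted view; the record is destroyed
  // on the last view or on the first access after expiry.
  retrieve(token: string, viewer: string): SealedSecret | null {
    const rec = this.records.get(token)
    if (!rec) return null
    if (this.now() >= rec.expiresAt) { this.destroy(token, viewer, 'expired'); return null }
    const copy: SealedSecret = {                     // copy before the wipe below
      iv: Buffer.from(rec.sealed.iv), ciphertext: Buffer.from(rec.sealed.ciphertext), tag: Buffer.from(rec.sealed.tag),
    }
    rec.viewsLeft -= 1
    this.audit.push({ token, event: 'viewed', actor: viewer, at: this.now() })
    if (rec.viewsLeft <= 0) this.destroy(token, viewer, 'destroyed')
    return copy
  }

  destroy(token: string, actor: string, event: AuditEvent = 'destroyed'): boolean {
    const rec = this.records.get(token)
    if (!rec) return false
    rec.sealed.ciphertext.fill(0)                    // wipe before dropping the reference
    this.records.delete(token)
    this.audit.push({ token, event, actor, at: this.now() })
    return true
  }

  auditTrail(token: string): AuditEntry[] {
    return this.audit.filter(e => e.token === token)
  }
}
```

Two consequences for the public retrieval endpoint: the token must be served from a page that fetches the ciphertext on a user click rather than on page load, otherwise link previewers in Teams or Slack consume the view; and the endpoint needs rate limiting, because the token is the only thing standing between the ciphertext and an unauthenticated caller.
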
API Endpoints

POST   /api/v1/sharing/passwords                     -> Create password share
POST   /api/v1/sharing/files                         -> Create file share
GET    /api/v1/sharing/:token                        -> Retrieve (public endpoint)
GET    /api/v1/sharing/history                        -> ShareHistory[]
DELETE /api/v1/sharing/:id                            -> Manually destroy
MODULE M81
Platform Health & Status Page
New Module
⚠️ CONSOLIDATION NOTE: This module is merged into M42 (Integration Health Monitor), renamed to "Platform & Integration Health". Both answer "is the platform healthy?" — combine internal component health, infrastructure monitors, public status page, incident tracking, and maintenance windows with M42's existing API connection health features.
Internal and public status page showing health of ALL platform components — APIs, K8s pods, PostgreSQL, Redis, BullMQ workers, and every module. Branded status page with historical uptime, incident tracking, and maintenance scheduling.

Features

  • Component health: Per-module/service health check with logo/icon. Green/amber/red status indicators
  • Infrastructure monitors: PostgreSQL connection pool, Redis memory/connections, K8s pod health, BullMQ queue depth, API response times
  • API health: Per-connector health from M42 Integration Health. Token expiry, rate limit status, last successful sync
  • Historical uptime: 90-day uptime chart per component. Response time graphs (P50/P95/P99)
  • Incident tracking: Log incidents with timeline, impact assessment, resolution. Auto-create from M41 Alert Correlation
  • Maintenance windows: Schedule maintenance with advance notification. Auto-update status page
  • Public status page: Branded public-facing page (like status.arete.dev) with real-time status. RSS/Atom feed for subscribers
  • Alerting: Push/email/SMS notifications on status changes via M52 Notification Center

API Endpoints

GET    /api/v1/status/components                     -> ComponentHealth[]
GET    /api/v1/status/uptime                          -> UptimeHistory[]
GET    /api/v1/status/incidents                       -> StatusIncident[]
POST   /api/v1/status/incidents                       -> Create incident
POST   /api/v1/status/maintenance                     -> Schedule maintenance
GET    /api/v1/status/public                          -> PublicStatusPage (unauthenticated)

Universal Connector Catalog 50+ CONNECTORS

All connectors extend BaseConnector from src/lib/connectors/base.ts (454 lines). Each provides: health check, sync (full/incremental), rate limiting, pagination, optional webhooks.

ConnectWise Manage
PSA • API Key (Basic auth)
NinjaOne
RMM • OAuth2
AFI.AI
Backup • OAuth2
Datto
Backup • API Key
Veeam
Backup • OAuth2
Backup Radar
Backup • API Key
Tenable
Security • API Key
Sophos Central
Security • OAuth2
ThreatLocker
Security • API Key
Huntress
Security • API Key
SentinelOne
Security • API Token
Microsoft Graph
M365 • OAuth2
Partner Center
M365 • OAuth2
Cloudflare
DNS • API Key
Namecheap
Domains • API Key
Forward Email
Email • API Key
HIBP
Breach • API Key
Vaultwarden
Vault • API Key
Azure Cost Mgmt
Cloud • OAuth2
AWS Cost Explorer
Cloud • IAM Key
GCP Billing
Cloud • OAuth2
CW Automate
RMM • API Key
Claude / OpenAI
AI • API Key
ScalePad
Warranty • API Key
QuoteWerks
Procurement • API
Dicker Data
Distributor • API
Synnex
Distributor • API
Ingram Micro
Distributor • API
BookStack
Docs • API Key
WPScan
CMS Security • API Token • 25 req/day (free)
GitHub
DevOps • OAuth2
Shodan
Recon • API Key
usecure
Phishing • API Key
Twilio
SMS • API Key
MessageMedia
SMS • API Key
Slack
Comms • OAuth2
3CX
PBX • API Key
ActivityWatcher
Timesheets • REST
NVD / MITRE
CVE • Public API
CISA KEV
CVE • Public API
Spamhaus
Blacklist • DNS
WatchGuard
Firewall • API
Fortinet PSIRT
Firewall • API
Cisco PSIRT
Network • API
UniFi Controller
Network • REST
Atlassian
DevOps • OAuth2
SecurityTrails
DNS History • API Key
GLPI
ITSM/CMDB • REST API
PDQ Deploy
Patching • CLI/REST
Zammad
Helpdesk • REST API
Snipe-IT
Asset Mgmt • REST API
New Relic
APM • GraphQL (NerdGraph)
logo.dev
Brand Assets • REST API

Universal Secure API Adapter Layer

Core Architectural Principle: Every external integration flows through BaseConnector (454 lines, src/lib/connectors/base.ts). This is the foundation of all 50+ integrations; no direct API calls exist anywhere else in the codebase.

Standardized Interface

Every connector inherits these capabilities with zero boilerplate:

  • healthCheck(): Standardized connectivity test. Auto-reported to M42 Integration Health Monitor
  • performSync(): Idempotent data synchronization with upsert semantics and conflict resolution
  • paginatedRequest(): Auto-handles cursor, offset, and page-based pagination across all vendor APIs
  • rateLimiter: Per-connector token bucket with configurable burst. Prevents API bans. Rate usage visible in M42
  • getAuthHeaders(): Server-side only auth header generation. Supports API Key, OAuth2, Bearer Token, Basic Auth, HMAC

Self-Registration via AppDefinition

// Every connector self-describes its capabilities. The definition is exposed as the
// connector class's readonly `definition` property (see the implementation pattern below).
const APP_DEFINITION: AppDefinition = {
  id: 'connectwise-manage',
  name: 'ConnectWise Manage',
  category: 'psa',
  authType: 'basic', // Base64(companyId+publicKey:privateKey) plus a clientId header
  configFields: [
    { key: 'companyId', label: 'Company ID', type: 'text', required: true },
    { key: 'publicKey', label: 'Public Key', type: 'text', required: true },
    { key: 'privateKey', label: 'Private Key', type: 'password', required: true },
    { key: 'clientId', label: 'Client ID', type: 'text', required: true },
    { key: 'apiUrl', label: 'API Base URL', type: 'url', required: true },
  ],
  capabilities: [
    { id: 'tickets', name: 'Service Tickets', syncable: true },
    { id: 'contacts', name: 'Contacts', syncable: true },
    { id: 'companies', name: 'Companies', syncable: true },
    { id: 'configurations', name: 'Configurations', syncable: true },
  ],
  version: '1.0.0',
  docsUrl: 'https://developer.connectwise.com/',
}
// registerConnector(ConnectWiseManageConnector) reads the definition from the class

Plug-and-Play Pattern

Adding a new integration requires zero core platform changes:

  1. Create 1 file extending BaseConnector (~200-300 lines)
  2. Implement getAuthHeaders() and performSync()
  3. Define AppDefinition with capabilities and config fields
  4. Call registerConnector() — connector auto-appears in Settings → Integrations

Effort estimates: New backup vendor ≈ 200 lines. New RMM ≈ 300 lines. New PSA ≈ 400 lines. The platform grows by adding connectors, not by modifying core.

Unified Data Pipeline

External API  →  Connector (BaseConnector)  →  BullMQ Queue  →  PostgreSQL  →  Module Service  →  API  →  Frontend
     │                     │                          │                    │                    │              │
     │              Rate limiting            Retry + DLQ          Prisma ORM          Business logic    React + SWR
     │              Auth headers             Scheduled jobs       Multi-tenant          Validation        Real-time WS
     │              Pagination               Priority queues      Audit trail           Authorization     Push notifications
     │                     │                          │                    │                    │
     └─────────────────────┴──────────────────────────┴────────────────────┘                    │
                                                                                               │
                              Auto-instrumented: M42 Integration Health tracks every connector  ┘

Security by Design

  • Encrypted at rest: API keys and tokens stored encrypted in tenant settings table (AES-256-GCM)
  • Server-side only: Auth headers generated exclusively in backend. Never exposed to frontend or client-side code
  • Per-connector rate limiting: Token bucket prevents API abuse. Configurable per integration
  • Tenant isolation: Prisma middleware enforces tenantId on every query. No cross-tenant data leakage
  • Audit trail: Every sync operation logged to M53 Platform Audit Log with before/after state

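One way to implement the tenant-isolation rule above as a Prisma middleware, written for this page as an added TypeScript example (not the middleware in the Arete codebase). The params shape is assumed to follow Prisma's MiddlewareParams (model, action, args), and the scoping step is a pure function so it can be tested without a database. Two details matter for isolation: findUnique cannot take extra where fields, so it is rewritten to findFirst, and the tenant filter is ANDed rather than spread so a caller-supplied OR cannot widen it. Injecting a non-unique field into update/delete/upsert where assumes Prisma 5 extendedWhereUnique semantics; on Prisma 4 those would be rewritten to updateMany/deleteMany instead.

```typescript
// Reduced shape of the params object Prisma hands to $use() middleware
// (assumption: mirrors Prisma.MiddlewareParams; only these fields are used).
export interface MiddlewareParams {
  model?: string
  action: string
  args?: Record<string, any>
}
export type NextFn = (params: MiddlewareParams) => Promise<unknown>

// Shared reference tables with no tenant owner. Explicit allow-list: any other
// model without a tenantId column fails at query time instead of leaking.
export const GLOBAL_MODELS = new Set(['ComplianceFramework', 'ComplianceControl', 'TldPricing'])

export class TenantScopeError extends Error {
  constructor(message: string) {
    super(message)
    Object.setPrototypeOf(this, TenantScopeError.prototype) // keeps instanceof working on ES5 targets
  }
}

const UNIQUE_READS: Record<string, string> = { findUnique: 'findFirst', findUniqueOrThrow: 'findFirstOrThrow' }
const FILTERED = new Set(['findFirst', 'findFirstOrThrow', 'findMany', 'count', 'aggregate', 'groupBy',
  'update', 'updateMany', 'delete', 'deleteMany', 'upsert'])

function scopedWhere(where: Record<string, any> | undefined, tenantId: string) {
  // A filter already pinned to another tenant is an attempted cross-tenant read.
  if (where?.tenantId !== undefined && where.tenantId !== tenantId) {
    throw new TenantScopeError(`filter names tenant ${where.tenantId} under tenant ${tenantId}`)
  }
  // AND, not spread: a caller-supplied OR can never widen past the tenant.
  return { AND: [where ?? {}, { tenantId }] }
}

function scopedData(data: Record<string, any>, tenantId: string) {
  if (data.tenantId !== undefined && data.tenantId !== tenantId) {
    throw new TenantScopeError(`write names tenant ${data.tenantId} under tenant ${tenantId}`)
  }
  return { ...data, tenantId }
}

// Pure transform of the query, so it can be unit-tested without a database.
export function scopeParams(params: MiddlewareParams, tenantId: string): MiddlewareParams {
  if (!params.model || GLOBAL_MODELS.has(params.model)) return params
  const args: Record<string, any> = { ...(params.args ?? {}) }
  let action = params.action

  if (UNIQUE_READS[action]) {
    // findUnique only accepts unique fields in `where`; findFirst returns the same
    // single row and lets tenantId be ANDed in.
    action = UNIQUE_READS[action]
    args.where = scopedWhere(args.where, tenantId)
  } else if (FILTERED.has(action)) {
    args.where = scopedWhere(args.where, tenantId)
  }

  // Writes: stamp the tenant and refuse data that names a different one.
  if ((action === 'create' || action === 'update' || action === 'updateMany') && args.data) {
    args.data = scopedData(args.data, tenantId)
  }
  if (action === 'createMany') {
    const rows: Record<string, any>[] = Array.isArray(args.data) ? args.data : [args.data ?? {}]
    args.data = rows.map(row => scopedData(row, tenantId))
  }
  if (action === 'upsert') {
    args.create = scopedData(args.create ?? {}, tenantId)
    if (args.update) args.update = scopedData(args.update, tenantId)
  }
  return { ...params, action, args }
}

// Middleware factory. The resolver reads the tenant from request context
// (e.g. an AsyncLocalStorage populated by the JWT hook); no context, no query.
export function tenantScope(currentTenant: () => string | undefined) {
  return (params: MiddlewareParams, next: NextFn) => {
    const tenantId = currentTenant()
    if (!tenantId) throw new TenantScopeError('query outside a tenant context')
    return next(scopeParams(params, tenantId))
  }
}
```

Register it once, prisma.$use(tenantScope(() => requestContext.getStore()?.tenantId)), with the store populated from the Zitadel tenant_id claim by the Fastify auth hook. Background BullMQ jobs must enter the same context explicitly before touching the database, which is the reason the middleware fails closed rather than defaulting to an unscoped query.
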
Auto-Instrumentation (Zero Extra Code)

Every connector automatically reports to M42 (Integration Health) — no additional code required per connector:

  • Health check results (pass/fail, response time, error details)
  • Sync success/failure counts with error categorization
  • Rate limit usage percentage and remaining quota
  • Token expiry countdown with auto-refresh where supported
  • Data volume metrics (records synced, bytes transferred)

Platform-Wide Utilities

  • logo.dev integration: Any component rendering a company, vendor, or client card can auto-fetch the logo by domain via logo.dev REST API. Returns SVG/PNG/WebP with retina support and dark mode variants. Professional monogram fallback for companies without logos. Used by M1 Dashboard (client cards), M27 Client Portal (auto-branding), M33 Vendor Hub, M8 Assets (manufacturer logos), M45 Contracts. Free tier available, $33/mo for higher volume

Connector Implementation Pattern

// src/lib/connectors/connectwise-manage.ts

import {
  BaseConnector, ConnectionConfig, AppDefinition, SyncOptions, SyncResult,
  registerConnector, // registry entry point; import path assumed to sit beside BaseConnector
} from './base'

interface ConnectWiseConfig extends ConnectionConfig {
  clientId: string
  publicKey: string
  privateKey: string
  companyId: string
  apiUrl: string  // e.g., https://api-aus.myconnectwise.net/v4_6_release/apis/3.0
}

export class ConnectWiseManageConnector extends BaseConnector<ConnectWiseConfig> {
  readonly definition: AppDefinition = {
    id: 'connectwise-manage',
    name: 'ConnectWise Manage',
    category: 'psa',
    vendor: 'ConnectWise',
    version: '1.0.0',
    capabilities: [
      { id: 'tickets', name: 'Service Tickets', syncable: true },
      { id: 'companies', name: 'Companies', syncable: true },
      { id: 'contacts', name: 'Contacts', syncable: true },
      { id: 'configurations', name: 'Configurations', syncable: true },
      { id: 'time-entries', name: 'Time Entries', syncable: true },
      { id: 'agreements', name: 'Agreements', syncable: true },
    ],
    authType: 'basic', // Base64(companyId+publicKey:privateKey)
    configFields: [
      { key: 'companyId', label: 'Company ID', type: 'text', required: true },
      { key: 'publicKey', label: 'Public Key', type: 'text', required: true },
      { key: 'privateKey', label: 'Private Key', type: 'password', required: true },
      { key: 'clientId', label: 'Client ID', type: 'text', required: true },
      { key: 'apiUrl', label: 'API Base URL', type: 'url', required: true },
    ],
    status: 'stable',
  }

  protected rateLimitConfig = { requestsPerSecond: 10, requestsPerMinute: 600 }

  // Runs only on the backend: the tenant's decrypted settings are read here and the
  // resulting header never reaches the frontend.
  protected getAuthHeaders() {
    const { companyId, publicKey, privateKey, clientId } = this.config!
    const token = Buffer.from(`${companyId}+${publicKey}:${privateKey}`).toString('base64')
    return {
      'Authorization': `Basic ${token}`,
      'clientId': clientId,
    }
  }

  async performSync(options: SyncOptions): Promise<SyncResult> {
    const result: SyncResult = { recordsIn: 0, recordsOut: 0, errors: [] }
    // For each syncable capability requested in options:
    //   page through the CW endpoint with this.paginatedRequest(),
    //   map CW records to Arete models and upsert them,
    //   count into recordsIn/recordsOut and collect failures in errors.
    return result
  }
}

registerConnector(ConnectWiseManageConnector)

Data Model Extensions PRISMA SCHEMA

New models to add to the existing 40+ model Prisma schema at prisma/schema.prisma. Multi-tenancy rule: every tenant-owned model MUST include tenantId String. Tenant scoping is enforced via Prisma middleware that automatically injects WHERE tenantId = ? on every query, using the tenant_id claim from the Zitadel JWT. Two kinds of model below are deliberately exempt and must be allow-listed in the middleware rather than silently skipped: shared reference data with no tenant owner (ComplianceFramework, ComplianceControl, TldPricing), and child rows reached only through a tenant-scoped parent (BackupJob via BackupResource, OnboardingStep via OnboardingWorkflow, ComplianceEvidence via ClientCompliance). Code that addresses a child row directly by id must join through its parent so the tenant check still applies. All models should include createdAt DateTime @default(now()) and updatedAt DateTime @updatedAt unless explicitly a snapshot/log table.

// ═══════════════════════════════════════ // FOUNDATIONAL MODELS (CORE) // ═══════════════════════════════════════ model Tenant { id String @id @default(cuid()) name String // MSP company name slug String @unique zitadelOrgId String @unique plan String @default("professional") // starter | professional | enterprise settings Json? // tenant-level config overrides createdAt DateTime @default(now()) updatedAt DateTime @updatedAt clients Client[] } model Client { id String @id @default(cuid()) tenantId String tenant Tenant @relation(fields: [tenantId], references: [id]) name String slug String status String @default("active") // active | onboarding | offboarding | inactive cwCompanyId Int? // ConnectWise company ID ninjaOrgId Int? // NinjaOne organization ID m365TenantId String? // Microsoft 365 tenant GUID primaryContact Json? // { name, email, phone } sites Json? // [{ name, address, isPrimary }] tags Json? // ["managed", "co-managed", "project-only"] createdAt DateTime @default(now()) updatedAt DateTime @updatedAt @@unique([tenantId, slug]) @@index([tenantId, status]) } // ═══════════════════════════════════════ // ASSET & LICENSE MANAGEMENT (M8) // ═══════════════════════════════════════ model Asset { id String @id @default(cuid()) tenantId String clientId String name String assetType String // workstation | server | laptop | mobile | network | printer | other serialNumber String? manufacturer String? model String? os String? osVersion String? ipAddress String? macAddress String? ninjaDeviceId Int? // NinjaOne device ID cwConfigId Int? // ConnectWise configuration ID intuneDeviceId String? purchaseDate DateTime? status String @default("active") // active | retired | disposed | lost | rma assignedTo String? // user or location siteId String? tags Json? lastSeen DateTime? 
createdAt DateTime @default(now()) updatedAt DateTime @updatedAt @@index([tenantId, clientId, assetType]) @@index([tenantId, ninjaDeviceId]) @@unique([tenantId, clientId, serialNumber]) } model SoftwareLicense { id String @id @default(cuid()) tenantId String clientId String productName String vendor String licenseType String // per_user | per_device | site | volume | subscription totalSeats Int usedSeats Int @default(0) licenseKey String? // encrypted at rest expiryDate DateTime? annualCost Decimal? createdAt DateTime @default(now()) updatedAt DateTime @updatedAt @@index([tenantId, clientId]) @@index([tenantId, expiryDate]) } // ═══════════════════════════════════════ // EMAIL SECURITY (M4) // ═══════════════════════════════════════ model EmailAuthStatus { id String @id @default(cuid()) tenantId String domain String spfStatus String // pass | fail | softfail | none spfRecord String? dkimStatus String dkimSelector String? dmarcStatus String // reject | quarantine | none | missing dmarcPolicy String? mtaStsStatus String tlsRptStatus String bimiStatus String daneStatus String score Int // 0-100 grade String // A-F lastChecked DateTime @@unique([tenantId, domain]) } model DmarcReport { id String @id @default(cuid()) tenantId String domain String reportId String orgName String // Reporter org (e.g., google.com) sourceIp String spfResult String dkimResult String disposition String // none | quarantine | reject messageCount Int dateBegin DateTime dateEnd DateTime rawXml String? 
// @db.Text } model SpfFlatRecord { id String @id @default(cuid()) tenantId String domain String originalRecord String flattenedRecord String lookupCount Int charCount Int lastFlattened DateTime @@unique([tenantId, domain]) } // ═══════════════════════════════════════ // DOMAIN MANAGEMENT (M5) // ═══════════════════════════════════════ model DomainRegistration { id String @id @default(cuid()) tenantId String domain String registrar String // namecheap | spaceship | sav | ventraip | cloudflare expiryDate DateTime autoRenew Boolean annualCost Decimal currency String @default("AUD") nameservers String[] dnsProvider String? // cloudflare | registrar | other healthScore Int? // 0-100 lastSynced DateTime @@unique([tenantId, domain]) } model WhoisSnapshot { id String @id @default(cuid()) tenantId String domain String registrant Json? nameservers String[] statusCodes String[] createdDate DateTime? updatedDate DateTime? expiryDate DateTime? snapshotDate DateTime @default(now()) changesDetected Boolean @default(false) @@index([tenantId, domain, snapshotDate]) } model CertificateWatch { id String @id @default(cuid()) tenantId String domain String issuer String serialNumber String notBefore DateTime notAfter DateTime sans String[] ctLogUrl String? isExpected Boolean @default(true) alertSent Boolean @default(false) firstSeen DateTime @default(now()) } model TldPricing { id String @id @default(cuid()) tld String // .com, .com.au, .tech, etc. registrar String registerPrice Decimal renewPrice Decimal transferPrice Decimal currency String @default("USD") lastUpdated DateTime @@unique([tld, registrar]) } // ═══════════════════════════════════════ // SECURITY POSTURE (M3) // ═══════════════════════════════════════ model VulnerabilityFinding { id String @id @default(cuid()) tenantId String clientId String vendor String // tenable | sophos | huntress | sentinelone externalId String // Vendor's finding ID cve String? 
  severity    String    // critical | high | medium | low | info
  title       String
  description String?
  asset       String    // Hostname or IP
  status      String    // open | remediated | accepted | false_positive
  firstSeen   DateTime
  resolvedAt  DateTime?

  @@unique([tenantId, vendor, externalId])
}

// ═══════════════════════════════════════
// M365 MANAGEMENT (M9)
// ═══════════════════════════════════════

model M365Tenant {
  id           String   @id @default(cuid())
  tenantId     String   // Arete tenant
  m365TenantId String   // Microsoft tenant GUID
  displayName  String
  userCount    Int
  licenseCount Int
  secureScore  Decimal?
  lastSynced   DateTime
}

// ═══════════════════════════════════════
// BACKUP INTELLIGENCE (M2)
// ═══════════════════════════════════════

model BackupResource {
  id           String    @id @default(cuid())
  tenantId     String
  clientId     String
  vendor       String    // afi | datto | veeam
  externalId   String
  resourceName String
  resourceType String    // mailbox | sharepoint | onedrive | teams | vm | server
  lastBackup   DateTime?
  status       String    // protected | unprotected | failed | warning
  slaCompliant Boolean

  @@unique([tenantId, vendor, externalId])
}

model BackupJob {
  id           String    @id @default(cuid())
  resourceId   String
  startTime    DateTime
  endTime      DateTime?
  status       String    // success | failed | partial | running
  sizeBytes    BigInt?
  durationMs   Int?
  errorMessage String?
}

// ═══════════════════════════════════════
// TICKET INTELLIGENCE (M7)
// ═══════════════════════════════════════

model TicketTriage {
  id               String   @id @default(cuid())
  tenantId         String
  ticketId         String   // External ticket ID
  suggestedType    String
  suggestedSubtype String?
  suggestedItem    String?
  confidence       Decimal  // 0.0-1.0
  reasoning        String?
  status           String   // pending | approved | denied
  reviewedBy       String?
  createdAt        DateTime @default(now())
}

// ═══════════════════════════════════════
// CLIENT ONBOARDING (M19)
// ═══════════════════════════════════════

model OnboardingWorkflow {
  id          String           @id @default(cuid())
  tenantId    String
  clientId    String
  templateId  String?
  status      String           // draft | in_progress | completed | cancelled
  startedAt   DateTime         @default(now())
  completedAt DateTime?
  assignedTo  String
  steps       OnboardingStep[]
}

model OnboardingStep {
  id          String             @id @default(cuid())
  workflowId  String
  stepName    String
  order       Int
  status      String             // pending | in_progress | completed | skipped
  completedAt DateTime?
  notes       String?
  data        Json?              // Step-specific data (config, checklist results, etc.); credentials go in the vault and are referenced by vaultEntryId as in M48, never stored inline
  workflow    OnboardingWorkflow @relation(fields: [workflowId], references: [id])
}

model OnboardingTemplate {
  id          String  @id @default(cuid())
  tenantId    String
  name        String
  description String?
  serviceTier String  // basic | standard | premium | custom
  steps       Json    // Step definitions array
  isDefault   Boolean @default(false)
}

// ═══════════════════════════════════════
// COMPLIANCE FRAMEWORK (M20)
// ═══════════════════════════════════════

model ComplianceFramework {
  id           String              @id @default(cuid())
  name         String              // "Essential Eight", "CIS Controls v8", etc.
  version      String
  description  String?
  controlCount Int
  controls     ComplianceControl[]
}

model ComplianceControl {
  id            String              @id @default(cuid())
  frameworkId   String
  controlId     String              // "E8-1", "CIS-1.1", etc.
  title         String
  description   String
  category      String
  sourceModules String[]            // ["M3", "M23"], the Arete modules that provide evidence
  framework     ComplianceFramework @relation(fields: [frameworkId], references: [id])

  @@unique([frameworkId, controlId])
}

model ClientCompliance {
  id            String               @id @default(cuid())
  tenantId      String
  clientId      String
  controlId     String
  status        String               // not_implemented | partial | implemented | not_applicable
  maturityLevel Int?                 // 0-3 (for Essential Eight)
  lastAssessed  DateTime
  notes         String?
  evidence      ComplianceEvidence[]

  @@unique([tenantId, clientId, controlId])
}

model ComplianceEvidence {
  id           String           @id @default(cuid())
  complianceId String
  type         String           // auto | manual | document
  sourceModule String?          // "M3", "M23", etc.
  description  String
  data         Json?
  collectedAt  DateTime         @default(now())
  compliance   ClientCompliance @relation(fields: [complianceId], references: [id])
}

// ═══════════════════════════════════════
// PLAYBOOKS (M21)
// ═══════════════════════════════════════

model Playbook {
  id            String              @id @default(cuid())
  tenantId      String
  name          String
  description   String?
  triggerType   String              // manual | alert | schedule | webhook
  triggerConfig Json?               // Trigger-specific config (module, severity, etc.)
  isActive      Boolean             @default(true)
  version       Int                 @default(1)
  steps         PlaybookStep[]
  executions    PlaybookExecution[]
}

model PlaybookStep {
  id         String   @id @default(cuid())
  playbookId String
  order      Int
  type       String   // manual | automated | approval | notification | conditional | delay
  name       String
  config     Json     // Step-specific config (API call, email template, etc.)
  slaMinutes Int?     // Time limit before escalation
  playbook   Playbook @relation(fields: [playbookId], references: [id])
}

model PlaybookExecution {
  id             String               @id @default(cuid())
  playbookId     String
  triggeredBy    String               // user ID or "system"
  triggerContext Json?                // Alert data, etc.
  status         String               // running | completed | failed | cancelled
  startedAt      DateTime             @default(now())
  completedAt    DateTime?
  stepResults    PlaybookStepResult[]
  playbook       Playbook             @relation(fields: [playbookId], references: [id])
}

model PlaybookStepResult {
  id          String            @id @default(cuid())
  executionId String
  stepId      String
  status      String            // pending | running | completed | failed | skipped
  actor       String?           // User who completed (for manual/approval steps)
  output      Json?
  startedAt   DateTime?
  completedAt DateTime?
  execution   PlaybookExecution @relation(fields: [executionId], references: [id])
}

// ═══════════════════════════════════════
// CLIENT PROFITABILITY (M22)
// ═══════════════════════════════════════

model ClientFinancial {
  id            String  @id @default(cuid())
  tenantId      String
  clientId      String
  period        String  // "2026-02" (YYYY-MM)
  revenue       Decimal
  cost          Decimal
  margin        Decimal // Calculated: (revenue - cost) / revenue
  deviceCount   Int
  ticketCount   Int
  billableHours Decimal

  @@unique([tenantId, clientId, period])
}

model AgreementAnalysis {
  id             String   @id @default(cuid())
  tenantId       String
  clientId       String
  agreementId    String   // CW agreement ID
  agreementName  String
  monthlyRevenue Decimal
  actualCost     Decimal
  margin         Decimal
  isFlagged      Boolean  @default(false) // Under-priced
  lastCalculated DateTime
}

// ═══════════════════════════════════════
// PATCH MANAGEMENT (M23)
// ═══════════════════════════════════════

model PatchPolicy {
  id          String   @id @default(cuid())
  tenantId    String
  clientId    String
  name        String
  rings       Json     // [{name: "Test", pct: 5, delayDays: 0}, ...]
  autoApprove Boolean  @default(false)
  excludedKBs String[] // KB numbers to exclude
  slaHours    Int      @default(72) // Hours to install critical patches
}

model PatchStatus {
  id          String    @id @default(cuid())
  tenantId    String
  deviceId    String
  patchId     String    // KB number or vendor patch ID
  title       String
  severity    String    // critical | important | moderate | low
  status      String    // installed | pending | failed | excluded
  installedAt DateTime?
  failReason  String?

  @@unique([tenantId, deviceId, patchId])
}

// ═══════════════════════════════════════
// DR TESTING (M24)
// ═══════════════════════════════════════

model DrTest {
  id          String    @id @default(cuid())
  tenantId    String
  clientId    String
  type        String    // restore_verify | screenshot | file_integrity | failover_sim
  scheduledAt DateTime
  completedAt DateTime?
  status      String    // scheduled | running | passed | failed | skipped
  summary     String?
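PatchPolicy.rings only stores the ring definition; something still has to decide which device belongs to which ring, when each ring becomes due, and whether a PatchStatus row has blown the slaHours window. The following is an added TypeScript example, not Arete code: it validates the ring percentages, buckets devices by a hash of (policy id, device id) so that a device never silently moves between rings from one sync to the next, derives each ring's deploy date from delayDays, and evaluates critical patches against the SLA while honouring excludedKBs. The function names, the sample policy and the KB numbers are constructed.

```typescript
// Added example, not Arete project code. Node's crypto module supplies the hash.
import { createHash } from "crypto";

export interface PatchRing { name: string; pct: number; delayDays: number }
export interface PatchRow { patchId: string; severity: string; status: string; installedAt: Date | null }
export interface PatchPolicyRow { id: string; rings: PatchRing[]; excludedKBs: string[]; slaHours: number }

export function validateRings(rings: PatchRing[]): string[] {
  const errors: string[] = [];
  if (rings.length === 0) errors.push("at least one ring is required");
  const total = rings.reduce((sum, r) => sum + r.pct, 0);
  if (total !== 100) errors.push(`ring percentages sum to ${total}, expected 100`);
  if (rings.some((r) => r.pct <= 0)) errors.push("every ring needs pct > 0");
  for (let i = 1; i < rings.length; i++) {
    if (rings[i].delayDays < rings[i - 1].delayDays) errors.push(`ring "${rings[i].name}" deploys before "${rings[i - 1].name}"`);
  }
  return errors;
}

// Deterministic bucket in [0, 100): the same device always lands in the same ring, and
// changing pct values only moves the devices sitting at a ring boundary.
export function ringBucket(policyId: string, deviceId: string): number {
  const digest = createHash("sha256").update(`${policyId}:${deviceId}`).digest();
  return digest.readUInt32BE(0) % 100;
}

export function assignRing(policy: PatchPolicyRow, deviceId: string): PatchRing {
  const bucket = ringBucket(policy.id, deviceId);
  let upper = 0;
  for (const ring of policy.rings) {
    upper += ring.pct;
    if (bucket < upper) return ring;
  }
  return policy.rings[policy.rings.length - 1];
}

export function ringDeployDate(releasedAt: Date, ring: PatchRing): Date {
  return new Date(releasedAt.getTime() + ring.delayDays * 86400000);
}

// A critical patch breaches the SLA when it is neither installed nor excluded slaHours after release.
export function slaBreached(policy: PatchPolicyRow, row: PatchRow, releasedAt: Date, now: Date): boolean {
  if (row.severity !== "critical") return false;
  if (row.status === "installed" || row.status === "excluded") return false;
  if (policy.excludedKBs.includes(row.patchId)) return false;
  return now.getTime() - releasedAt.getTime() > policy.slaHours * 3600000;
}

// Counts devices per ring over synthetic device IDs, to check the bucketing is balanced.
export function ringDistribution(policy: PatchPolicyRow, deviceCount: number): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const r of policy.rings) counts[r.name] = 0;
  for (let i = 0; i < deviceCount; i++) counts[assignRing(policy, `device-${i}`).name]++;
  return counts;
}

// Constructed sample policy: 5% test ring, 25% early, 70% broad; one KB excluded
export const SAMPLE_POLICY: PatchPolicyRow = {
  id: "policy_1",
  rings: [
    { name: "Test", pct: 5, delayDays: 0 },
    { name: "Early", pct: 25, delayDays: 3 },
    { name: "Broad", pct: 70, delayDays: 7 },
  ],
  excludedKBs: ["KB9990002"],
  slaHours: 72,
};
```

Hash bucketing rather than random assignment is the point: with `Math.random()` a device could be in the test ring on Monday and the broad ring on Tuesday, so a patch that broke the test ring would still reach it.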
  results     DrTestResult[]
}

model DrTestResult {
  id           String  @id @default(cuid())
  testId       String
  resourceName String
  restoreType  String  // full_vm | file_level | application
  verified     Boolean
  screenshotUrl String?
  checksum     String? // For file integrity checks
  durationMs   Int?
  errorMessage String?
  test         DrTest  @relation(fields: [testId], references: [id])
}

model DrRunbook {
  id           String          @id @default(cuid())
  tenantId     String
  clientId     String          @unique
  name         String
  rtoMinutes   Int
  rpoMinutes   Int
  contactChain Json            // [{name, role, phone, email, priority}]
  lastTested   DateTime?
  lastUpdated  DateTime        @default(now())
  steps        DrRunbookStep[]
}

model DrRunbookStep {
  id           String    @id @default(cuid())
  runbookId    String
  order        Int
  action       String
  responsible  String
  estimatedMin Int
  notes        String?
  runbook      DrRunbook @relation(fields: [runbookId], references: [id])
}

// ═══════════════════════════════════════
// CHANGE MANAGEMENT (M25)
// ═══════════════════════════════════════

model ChangeRequest {
  id              String           @id @default(cuid())
  tenantId        String
  clientId        String
  title           String
  description     String
  riskLevel       String           // low | medium | high | emergency
  riskScore       Int              // Auto-calculated 1-10
  rollbackPlan    String
  affectedSystems String[]
  status          String           // draft | submitted | reviewing | approved | rejected | scheduled | implementing | verifying | complete | failed
  scheduledAt     DateTime?
  implementedAt   DateTime?
  createdBy       String
  createdAt       DateTime         @default(now())
  ticketId        String?          // Linked M7 ticket
  approvals       ChangeApproval[]
}

model ChangeApproval {
  id         String        @id @default(cuid())
  changeId   String
  approverId String
  decision   String        // approved | rejected | needs_info
  comments   String?
  decidedAt  DateTime      @default(now())
  change     ChangeRequest @relation(fields: [changeId], references: [id])
}

model ChangeReview {
  id                String   @id @default(cuid())
  changeId          String   @unique
  success           Boolean
  actualDurationMin Int?
  lessonsLearned    String?
  reviewedAt        DateTime @default(now())
  reviewedBy        String
}

// ═══════════════════════════════════════
// AI COPILOT (M26)
// ═══════════════════════════════════════

model CopilotConversation {
  id            String           @id @default(cuid())
  tenantId      String
  userId        String
  title         String?          // Auto-generated from first message
  createdAt     DateTime         @default(now())
  lastMessageAt DateTime
  messages      CopilotMessage[]
}

model CopilotMessage {
  id             String              @id @default(cuid())
  conversationId String
  role           String              // user | assistant | system
  content        String
  tokens         Int?
  actions        CopilotAction[]
  createdAt      DateTime            @default(now())
  conversation   CopilotConversation @relation(fields: [conversationId], references: [id])
}

model CopilotAction {
  id           String         @id @default(cuid())
  messageId    String
  actionType   String         // query | create | update | generate_report
  targetModule String         // "M2", "M7", etc.
  payload      Json
  status       String         // pending | executed | failed | cancelled
  result       Json?
  message      CopilotMessage @relation(fields: [messageId], references: [id])
}

// ═══════════════════════════════════════
// CLIENT PORTAL (M27)
// ═══════════════════════════════════════

model PortalConfig {
  id           String          @id @default(cuid())
  tenantId     String
  clientId     String          @unique
  subdomain    String?         @unique // client.arete.dev
  customDomain String?         @unique // portal.clientdomain.com
  isActive     Boolean         @default(true)
  authMethod   String          // zitadel | magic_link | m365_sso
  branding     PortalBranding?
}

model PortalBranding {
  id           String       @id @default(cuid())
  portalId     String       @unique
  logoUrl      String?
  primaryColor String       @default("#58a6ff")
  accentColor  String       @default("#3fb950")
  companyName  String
  supportEmail String?
  portal       PortalConfig @relation(fields: [portalId], references: [id])
}

model ClientDocument {
  id         String    @id @default(cuid())
  tenantId   String
  clientId   String
  name       String
  category   String    // agreement | report | compliance | network_diagram | other
  filePath   String
  mimeType   String
  sizeBytes  Int
  uploadedAt DateTime  @default(now())
  expiresAt  DateTime?
  uploadedBy String
}

// SatisfactionSurvey consolidated into M66 SurveyResponse model
// Client Portal (M27) consumes M66 survey data via shared API

// ═══════════════════════════════════════
// NETWORK DISCOVERY (M28)
// ═══════════════════════════════════════

model NetworkScan {
  id          String             @id @default(cuid())
  tenantId    String
  clientId    String
  subnet      String             // "192.168.1.0/24"
  scanType    String             // arp | snmp | nmap | agent
  startedAt   DateTime           @default(now())
  completedAt DateTime?
  deviceCount Int                @default(0)
  devices     DiscoveredDevice[]
}

model DiscoveredDevice {
  id         String       @id @default(cuid())
  tenantId   String
  clientId   String
  scanId     String?
  subnetId   String?      // FK to the shared Subnet model (M38), per the note below
  ip         String
  mac        String?
  hostname   String?
  deviceType String       // server | workstation | network | printer | iot | unknown
  vendor     String?      // From MAC OUI lookup
  openPorts  Int[]
  services   Json?        // [{port, service, version}]
  isKnown    Boolean      @default(false) // Matches M8 asset inventory
  firstSeen  DateTime     @default(now())
  lastSeen   DateTime
  scan       NetworkScan? @relation(fields: [scanId], references: [id])

  @@unique([tenantId, clientId, mac])
}

// SubnetConfig merged into M38 Subnet model — use Subnet for both M28 and M38
// M28 DiscoveredDevice.subnetId references the shared Subnet model (M38 IPAM section)

// ═══════════════════════════════════════
// CLOUD COST (M29)
// ═══════════════════════════════════════

model CloudCostEntry {
  id            String   @id @default(cuid())
  tenantId      String
  clientId      String
  provider      String   // azure | aws | m365
  service       String   // "Virtual Machines", "S3", "E5 License"
  resourceGroup String?
  cost          Decimal
  currency      String   @default("AUD")
  usageDate     DateTime
  tags          Json?    // Resource tags for cost allocation

  @@index([tenantId, clientId, usageDate])
}

model CostBudget {
  id              String  @id @default(cuid())
  tenantId        String
  clientId        String
  provider        String? // null = all providers; PostgreSQL treats NULLs as distinct in a unique index, so "one all-provider budget per client" must be enforced in the service layer
  monthlyLimit    Decimal
  alertThresholds Json    // [80, 100, 120] (percentages)
  currency        String  @default("AUD")

  @@unique([tenantId, clientId, provider])
}

model CostAnomaly {
  id             String   @id @default(cuid())
  tenantId       String
  clientId       String
  provider       String
  service        String
  expectedCost   Decimal
  actualCost     Decimal
  deviationPct   Decimal
  detectedAt     DateTime @default(now())
  acknowledged   Boolean  @default(false)
  acknowledgedBy String?
}

model LicenseUtilization {
  id              String   @id @default(cuid())
  tenantId        String
  clientId        String
  skuId           String
  skuName         String
  assigned        Int
  active          Int      // Sign-in within 90 days
  inactive        Int      // No sign-in > 90 days
  monthlyCost     Decimal
  potentialSaving Decimal  // inactive * unit price
  lastCalculated  DateTime

  @@unique([tenantId, clientId, skuId])
}

// ═══════════════════════════════════════
// PROCUREMENT & STOCK (M31)
// ═══════════════════════════════════════

model Product {
  id                String   @id @default(cuid())
  tenantId          String
  name              String
  sku               String?
  serialNumber      String?
  manufacturer      String?
  category          String   // hardware | software | consumable | accessory
  quantityOnHand    Int      @default(0)
  reorderPoint      Int      @default(0)
  unitCost          Decimal?
  currency          String   @default("AUD")
  distributorPrices Json?    // { "dickerData": 199, "synnex": 205, "ingram": 198 }
  createdAt         DateTime @default(now())
  updatedAt         DateTime @updatedAt

  @@index([tenantId, category])
}

model PurchaseOrder {
  id           String    @id @default(cuid())
  tenantId     String
  orderNumber  String    @unique
  vendorId     String    // FK to Vendor
  clientId     String?   // if ordered for a specific client
  status       String    // draft | submitted | confirmed | shipped | received | cancelled
  totalAmount  Decimal
  currency     String    @default("AUD")
  lines        Json      // [{ productId, qty, unitPrice, lineTotal }]
  shippingDate DateTime?
  receivedDate DateTime?
  createdBy    String
  createdAt    DateTime  @default(now())

  @@index([tenantId, status])
}

// ═══════════════════════════════════════
// QBR GENERATOR (M32)
// ═══════════════════════════════════════

model QbrReport {
  id               String    @id @default(cuid())
  tenantId         String
  clientId         String
  quarter          String    // "2026-Q1"
  status           String    // draft | generated | reviewed | delivered
  sections         Json      // [{ title, moduleSource, data, aiSummary }]
  executiveSummary String?   // AI-generated
  pdfUrl           String?
  deliveredAt      DateTime?
  createdAt        DateTime  @default(now())

  @@unique([tenantId, clientId, quarter])
}

// ═══════════════════════════════════════
// VENDOR & DISTRIBUTOR HUB (M33)
// ═══════════════════════════════════════

model Vendor {
  id            String   @id @default(cuid())
  tenantId      String
  name          String
  type          String   // distributor | vendor | oem | reseller
  accountNumber String?
  contacts      Json     // [{ name, email, phone, role }]
  pricingTier   String?  // gold | silver | standard
  discountPct   Decimal?
  website       String?
  notes         String?
  createdAt     DateTime @default(now())

  @@index([tenantId, type])
}

model VendorContract {
  id           String   @id @default(cuid())
  tenantId     String
  vendorId     String
  contractName String
  startDate    DateTime
  expiryDate   DateTime
  renewalType  String   // auto | manual | none
  annualValue  Decimal?
  documentUrl  String?

  @@index([tenantId, expiryDate])
}

// ═══════════════════════════════════════
// TRAINING & CERTIFICATION (M34)
// ═══════════════════════════════════════

model TechCertification {
  id              String    @id @default(cuid())
  tenantId        String
  userId          String
  certName        String    // "AZ-104", "CompTIA Security+"
  certProvider    String    // Microsoft, CompTIA, Sophos, Datto
  earnedDate      DateTime
  expiryDate      DateTime?
  cpdHours        Decimal   @default(0)
  skills          Json      // ["cloud", "security", "networking"]
  verificationUrl String?

  @@index([tenantId, userId])
  @@index([tenantId, expiryDate])
}

// ═══════════════════════════════════════
// WARRANTY LIFECYCLE (M35)
// ═══════════════════════════════════════

model WarrantyRecord {
  id             String    @id @default(cuid())
  tenantId       String
  clientId       String
  assetId        String?   // FK to Asset (M8)
  deviceName     String
  serialNumber   String
  manufacturer   String
  warrantyStart  DateTime
  warrantyEnd    DateTime
  warrantyType   String    // standard | extended | nbd | 4hr
  eolDate        DateTime?
  eosDate        DateTime?
  replacementRec String?
  scalePadId     String?

  @@index([tenantId, clientId])
  @@index([tenantId, warrantyEnd])
}

// ═══════════════════════════════════════
// SHAREPOINT STRUCTURE BUILDER (M36)
// ═══════════════════════════════════════

model SharePointTemplate {
  id          String   @id @default(cuid())
  tenantId    String
  name        String
  description String?
  structure   Json     // nested folder tree definition
  permissions Json?    // inheritance rules
  clientType  String?  // legal | finance | hr | generic
  isDefault   Boolean  @default(false)
  createdAt   DateTime @default(now())
}

// ═══════════════════════════════════════
// INTUNE & M365 CONFIG MANAGER (M37)
// ═══════════════════════════════════════

model TenantConfigSnapshot {
  id         String   @id @default(cuid())
  tenantId   String
  clientId   String
  configType String   // conditionalAccess | compliance | deviceConfig | appDeployment
  configData Json     // full JSON export of the config
  isBaseline Boolean  @default(false)
  snapshotAt DateTime @default(now())

  @@index([tenantId, clientId, configType])
}

model ConfigDrift {
  id           String   @id @default(cuid())
  tenantId     String
  clientId     String
  configType   String
  driftDetails Json     // { field, expected, actual, severity }
  severity     String   // critical | warning | info
  acknowledged Boolean  @default(false)
  detectedAt   DateTime @default(now())

  @@index([tenantId, clientId, severity])
}

// ═══════════════════════════════════════
// IPAM (M38)
// ═══════════════════════════════════════

// Shared model: Used by both M28 (Network Discovery) and M38 (IPAM)
model Subnet {
  id           String  @id @default(cuid())
  tenantId     String
  clientId     String
  cidr         String  // "192.168.1.0/24"
  vlan         Int?
  name         String
  description  String?
  gateway      String?
  siteId       String?
  dhcpRange    String? // "192.168.1.100-192.168.1.200" (from M28 scan config)
  scanSchedule String? // Cron expression for M28 discovery scans

  @@unique([tenantId, clientId, cidr])
}

model IpAddress {
  id          String    @id @default(cuid())
  tenantId    String
  subnetId    String
  address     String
  status      String    // active | reserved | available | dhcp
  assignedTo  String?   // device name or purpose
  macAddress  String?
  dnsHostname String?
  lastSeen    DateTime?

  @@unique([tenantId, subnetId, address])
}

// ═══════════════════════════════════════
// DNS OPERATIONS (M39)
// ═══════════════════════════════════════

model DnsChange {
  id         String   @id @default(cuid())
  tenantId   String
  domain     String
  recordType String   // A | AAAA | CNAME | MX | TXT | NS | SRV
  recordName String
  oldValue   String?
  newValue   String
  stage      String   // dev | staging | production
  status     String   // pending | propagating | verified | rolled_back
  createdBy  String
  createdAt  DateTime @default(now())

  @@index([tenantId, domain])
}

// ═══════════════════════════════════════
// DOCUMENTATION ENGINE (M40)
// ═══════════════════════════════════════

model DocumentationPage {
  id             String    @id @default(cuid())
  tenantId       String
  clientId       String
  title          String
  content        String    // markdown
  category       String    // network | password | backup | dr | onboarding
  sourceModule   String?   // which module auto-generated this
  freshnessScore Int       // 0-100, degrades as config changes without doc update
  bookStackId    Int?      // synced BookStack page ID
  lastVerified   DateTime?
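Subnet.cidr, Subnet.dhcpRange and IpAddress.status are stored as plain strings, and the rule that turns an address seen by an M28 scan into an IpAddress row is not written down. The following is an added TypeScript example, not Arete code: IPv4/CIDR arithmetic without a library, classification of an address into the four status values the IpAddress model lists (network, broadcast and gateway addresses are reserved; pool addresses are dhcp when leased and available when not), and MAC normalisation so DiscoveredDevice.isKnown can be matched against inventory regardless of which separator a scanner reports. The function names, the sample subnet and the MACs are constructed.

```typescript
// Added example, not Arete project code. IPv4 only; all arithmetic is on unsigned 32-bit ints.

export interface SubnetRow { cidr: string; gateway?: string | null; dhcpRange?: string | null }
export type IpStatus = "active" | "reserved" | "available" | "dhcp";

export function ipv4ToInt(ip: string): number {
  const octets = ip.trim().split(".");
  if (octets.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return octets.reduce((acc, o) => {
    if (!/^\d{1,3}$/.test(o) || Number(o) > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return acc * 256 + Number(o);
  }, 0);
}

export function intToIpv4(n: number): string {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 0xff).join(".");
}

export function parseCidr(cidr: string): { network: number; broadcast: number; prefix: number } {
  const [base, prefixText] = cidr.split("/");
  const prefix = Number(prefixText);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`invalid prefix in ${cidr}`);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const network = (ipv4ToInt(base) & mask) >>> 0;
  const broadcast = (network | (~mask >>> 0)) >>> 0;
  return { network, broadcast, prefix };
}

export function inSubnet(ip: string, cidr: string): boolean {
  const n = ipv4ToInt(ip);
  const { network, broadcast } = parseCidr(cidr);
  return n >= network && n <= broadcast;
}

// "192.168.1.100-192.168.1.200" -> [lo, hi]; rejected when reversed or outside the subnet
export function parseDhcpRange(range: string, cidr: string): [number, number] {
  const [loText, hiText] = range.split("-").map((s) => s.trim());
  const lo = ipv4ToInt(loText);
  const hi = ipv4ToInt(hiText);
  if (lo > hi || !inSubnet(loText, cidr) || !inSubnet(hiText, cidr)) throw new Error(`DHCP range ${range} is not inside ${cidr}`);
  return [lo, hi];
}

// Maps an address onto IpAddress.status given whether a scan saw it and whether IPAM reserved it.
export function classifyAddress(subnet: SubnetRow, ip: string, seenOnScan: boolean, reservedInIpam = false): IpStatus {
  const n = ipv4ToInt(ip);
  const { network, broadcast, prefix } = parseCidr(subnet.cidr);
  if (n < network || n > broadcast) throw new Error(`${ip} is not inside ${subnet.cidr}`);
  if (prefix <= 30 && (n === network || n === broadcast)) return "reserved"; // network and broadcast addresses
  if (subnet.gateway && n === ipv4ToInt(subnet.gateway)) return "reserved";
  if (reservedInIpam) return "reserved";
  if (subnet.dhcpRange) {
    const [lo, hi] = parseDhcpRange(subnet.dhcpRange, subnet.cidr);
    if (n >= lo && n <= hi) return seenOnScan ? "dhcp" : "available"; // pool address, leased or free
  }
  return seenOnScan ? "active" : "available";
}

// Scanners report aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; normalise before comparing.
export function normalizeMac(mac: string): string | null {
  const hex = mac.replace(/[^0-9a-f]/gi, "").toLowerCase();
  if (hex.length !== 12) return null;
  return hex.match(/.{2}/g)!.join(":");
}

export function isKnownDevice(mac: string | null | undefined, inventoryMacs: string[]): boolean {
  const wanted = mac ? normalizeMac(mac) : null;
  if (!wanted) return false; // no usable MAC: cannot be matched, stays isKnown = false
  return inventoryMacs.some((m) => normalizeMac(m) === wanted);
}

// Constructed sample subnet, shaped like a Subnet row
export const SAMPLE_SUBNET: SubnetRow = {
  cidr: "192.168.1.0/24",
  gateway: "192.168.1.1",
  dhcpRange: "192.168.1.100-192.168.1.200",
};
```

The out-of-subnet case throws rather than returning a status on purpose: a device whose IP does not belong to the subnet its scan was configured for is a misconfigured scan or a rogue segment, and it should surface as an error rather than be filed quietly as "active".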
  createdAt      DateTime  @default(now())
  updatedAt      DateTime  @updatedAt

  @@index([tenantId, clientId, category])
}

// ═══════════════════════════════════════
// ALERT CORRELATION ENGINE (M41)
// ═══════════════════════════════════════

model CorrelatedIncident {
  id                  String    @id @default(cuid())
  tenantId            String
  clientId            String
  severity            String    // info | warning | critical
  alertIds            Json      // [{ module, alertId, timestamp }]
  rootCauseSuggestion String?
  status              String    // active | investigating | resolved
  resolvedAt          DateTime?
  createdAt           DateTime  @default(now())

  @@index([tenantId, clientId, severity])
}

// ═══════════════════════════════════════
// INTEGRATION HEALTH MONITOR (M42)
// ═══════════════════════════════════════

model IntegrationHealth {
  id              String    @id @default(cuid())
  tenantId        String
  connectorName   String
  status          String    // healthy | degraded | down | auth_failed
  lastSuccessSync DateTime?
  lastError       String?
  errorCount      Int       @default(0)
  tokenExpiresAt  DateTime?
  rateLimitPct    Int?      // % of rate limit consumed
  uptimePct       Decimal   @default(100)
  checkedAt       DateTime  @default(now())

  @@unique([tenantId, connectorName])
}

// ═══════════════════════════════════════
// DEVOPS & CI PIPELINE (M43)
// ═══════════════════════════════════════

model Pipeline {
  id            String   @id @default(cuid())
  tenantId      String
  name          String
  description   String?
  yamlConfig    String   // pipeline YAML definition
  trigger       String   // manual | schedule | webhook | event
  schedule      String?  // cron expression
  lastRunId     String?
  lastRunStatus String?
  createdAt     DateTime @default(now())

  @@index([tenantId])
}

model PipelineRun {
  id          String    @id @default(cuid())
  pipelineId  String
  status      String    // running | success | failed | cancelled
  triggeredBy String
  logs        String?
  startedAt   DateTime  @default(now())
  finishedAt  DateTime?

  @@index([pipelineId, status])
}

// ═══════════════════════════════════════
// WEBSITE CHANGE TRACKER (M44)
// ═══════════════════════════════════════

model WebsiteMonitor {
  id             String    @id @default(cuid())
  tenantId       String
  clientId       String?
  url            String
  checkInterval  String    // hourly | daily | weekly
  lastScreenshot String?   // S3 path
  lastDomHash    String?
  changeCount    Int       @default(0)
  lastChecked    DateTime?

  @@unique([tenantId, url])
}

model WebsiteChange {
  id               String   @id @default(cuid())
  monitorId        String
  changeType       String   // visual | dom | script | meta | ssl
  diff             Json?    // { added, removed, changed }
  screenshotBefore String?
  screenshotAfter  String?
  detectedAt       DateTime @default(now())
}

// ═══════════════════════════════════════
// CONTRACT & SLA (M45)
// ═══════════════════════════════════════

model ServiceContract {
  id             String   @id @default(cuid())
  tenantId       String
  clientId       String
  contractName   String
  status         String   // draft | active | expiring | terminated
  startDate      DateTime
  endDate        DateTime
  pricingModel   String   // per_device | per_user | flat | tiered
  monthlyRevenue Decimal
  slaDefinitions Json     // [{ priority, responseTime, resolutionTime }]
  signedDocUrl   String?
  autoRenew      Boolean  @default(false)

  @@index([tenantId, clientId])
  @@index([tenantId, endDate])
}

// ═══════════════════════════════════════
// CLIENT COMMUNICATION TIMELINE (M46)
// ═══════════════════════════════════════

model CommunicationEntry {
  id              String   @id @default(cuid())
  tenantId        String
  clientId        String
  type            String   // email | call | meeting | ticket_note | portal | sms
  direction       String   // inbound | outbound
  subject         String?
  summary         String?
  participants    Json?    // [{ name, email, role }]
  actionItems     Json?    // [{ task, assignee, dueDate }]
  relatedTicketId String?
  createdBy       String
  occurredAt      DateTime

  @@index([tenantId, clientId, occurredAt])
}

// ═══════════════════════════════════════
// TECHNICIAN DISPATCH (M47)
// ═══════════════════════════════════════

model DispatchJob {
  id             String    @id @default(cuid())
  tenantId       String
  clientId       String
  ticketId       String?
  technicianId   String
  jobType        String    // install | maintenance | troubleshoot | audit
  status         String    // scheduled | en_route | on_site | completed | cancelled
  scheduledStart DateTime
  scheduledEnd   DateTime
  actualStart    DateTime?
  actualEnd      DateTime?
  travelTime     Int?      // minutes
  notes          String?
  siteAddress    String?

  @@index([tenantId, technicianId, scheduledStart])
}

// ═══════════════════════════════════════
// PASSWORD ROTATION (M48)
// ═══════════════════════════════════════

model PasswordRotationPolicy {
  id             String    @id @default(cuid())
  tenantId       String
  clientId       String
  accountType    String    // ad_service | m365_admin | local_admin | app_service
  rotationDays   Int       // rotate every N days
  lastRotated    DateTime?
  nextRotation   DateTime?
  targetAccounts Json      // [{ username, target, vaultEntryId }]
  enabled        Boolean   @default(true)
  failureCount   Int       @default(0)

  @@index([tenantId, clientId])
}

// ═══════════════════════════════════════
// RUNBOOK LIBRARY (M49)
// ═══════════════════════════════════════

model Runbook {
  id                String   @id @default(cuid())
  tenantId          String
  title             String
  category          String   // m365 | networking | backup | security | onboarding
  difficulty        String   // beginner | intermediate | advanced
  estimatedMins     Int?
  content           String   // markdown with decision tree syntax
  relatedPlaybookId String?  // link to M21 automated playbook
  version           Int      @default(1)
  bookStackPageId   Int?
  createdAt         DateTime @default(now())
  updatedAt         DateTime @updatedAt

  @@index([tenantId, category])
}

// ═══════════════════════════════════════
// ENDPOINT COMPLIANCE (M50)
// ═══════════════════════════════════════

model EndpointComplianceCheck {
  id                String   @id @default(cuid())
  tenantId          String
  clientId          String
  deviceId          String
  deviceName        String
  complianceScore   Int      // 0-100
  checks            Json     // { bitlocker: true, av: true, firewall: true, osUpdated: false, screenLock: true }
  nonCompliantItems Json     // [{ check, expected, actual, severity }]
  checkedAt         DateTime @default(now())

  @@index([tenantId, clientId, complianceScore])
}

// ═══════════════════════════════════════
// CUSTOM DASHBOARD BUILDER (M51)
// ═══════════════════════════════════════

model CustomDashboard {
  id              String   @id @default(cuid())
  tenantId        String
  ownerId         String
  name            String
  layout          Json     // grid layout definition with widget positions
  isShared        Boolean  @default(false)
  visibleToRoles  Json?    // ["admin", "operator"]
  refreshInterval Int      @default(30) // seconds
  createdAt       DateTime @default(now())
  updatedAt       DateTime @updatedAt
}

model DashboardWidget {
  id           String @id @default(cuid())
  dashboardId  String
  widgetType   String // chart | table | kpi | gauge | map | timeline
  moduleSource String // which module data to pull from
  config       Json   // widget-specific configuration
  position     Json   // { x, y, w, h }
}

// ═══════════════════════════════════════
// NOTIFICATION CENTER (M52)
// ═══════════════════════════════════════

model NotificationPreference {
  id              String  @id @default(cuid())
  tenantId        String
  userId          String
  module          String
  channels        Json    // { email: true, sms: false, slack: true, push: true, inApp: true }
  quietHoursStart String? // "22:00"
  quietHoursEnd   String? // "07:00"
  digestMode      String? // none | daily | weekly

  @@unique([tenantId, userId, module])
}

model NotificationLog {
  id       String   @id @default(cuid())
  tenantId String
  userId   String
  module   String
  channel  String   // email | sms | slack | push | inApp
  title    String
  body     String
  priority String   // low | medium | high | critical
  read     Boolean  @default(false)
  sentAt   DateTime @default(now())

  @@index([tenantId, userId, read])
}

// ═══════════════════════════════════════
// PLATFORM AUDIT LOG (M53)
// ═══════════════════════════════════════

model AuditLogEntry {
  id         String   @id @default(cuid())
  tenantId   String
  userId     String
  action     String   // create | update | delete | login | export | approve
  module     String
  entityType String
  entityId   String
  changes    Json?    // { field: { old, new } }
  ipAddress  String?
  userAgent  String?
  sessionId  String?
  timestamp  DateTime @default(now())

  @@index([tenantId, module, timestamp])
  @@index([tenantId, userId, timestamp])
  @@index([tenantId, entityType, entityId])
}

// ═══════════════════════════════════════
// ATTACK SURFACE MONITOR (M54)
// ═══════════════════════════════════════

model ExternalAsset {
  id          String    @id @default(cuid())
  tenantId    String
  clientId    String
  assetType   String    // ip | domain | subdomain | service
  value       String    // IP address, domain, or URL
  openPorts   Json?     // [{ port, service, version }]
  sslGrade    String?
  sslExpiry   DateTime?
  riskScore   Int       // 0-100
  knownVulns  Json?     // [{ cve, cvss, description }]
  lastScanned DateTime?

  @@unique([tenantId, clientId, value])
}

// ═══════════════════════════════════════
// PHISHING SIMULATION (M55)
// ═══════════════════════════════════════

model PhishingCampaign {
  id            String    @id @default(cuid())
  tenantId      String
  clientId      String
  source        String    // native | sophos | m365 | usecure
  name          String
  template      String?   // attack vector template
  status        String    // draft | scheduled | active | completed
  sentCount     Int       @default(0)
  clickedCount  Int       @default(0)
  reportedCount Int       @default(0)
  clickRate     Decimal?
  scheduledAt   DateTime?
  completedAt   DateTime?
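AuditLogEntry.changes is specified as `{ field: { old, new } }` but nothing says how it is produced, and several models above hold values that must never be copied into the log in clear (SoftwareLicense.licenseKey, anything holding a token or password). The following is an added TypeScript example, not Arete code: it builds the changes object from a before/after pair with an order-independent comparison so reordered JSON columns are not logged as edits, records that a sensitive field changed without recording either value, and derives ipAddress from X-Forwarded-For only when the request arrived through a trusted proxy. The sensitive-field pattern, the request shape, the function names and the sample rows are assumptions.

```typescript
// Added example, not Arete project code.

export interface FieldChange { old?: unknown; new?: unknown }
export type AuditChanges = Record<string, FieldChange>;
export type Row = Record<string, unknown>;

export const REDACTED = "[redacted]";
// Assumption: fields matching this never reach the log in clear, only the fact that they changed.
const SENSITIVE_FIELD = /password|secret|token|licensekey|apikey|credential/i;
const IGNORED_FIELDS = ["updatedAt"]; // bookkeeping columns that change on every write

// Canonical form so {a:1,b:2} and {b:2,a:1} compare equal and Dates compare by instant.
export function stableStringify(value: unknown): string {
  if (value instanceof Date) return JSON.stringify(value.toISOString());
  if (Array.isArray(value)) return `[${value.map(stableStringify).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const body = Object.keys(obj).sort().map((k) => `${JSON.stringify(k)}:${stableStringify(obj[k])}`);
    return `{${body.join(",")}}`;
  }
  return value === undefined ? "undefined" : JSON.stringify(value);
}

export function diffForAudit(before: Row, after: Row): AuditChanges | null {
  const fields = Object.keys(before);
  for (const k of Object.keys(after)) if (!fields.includes(k)) fields.push(k);
  const changes: AuditChanges = {};
  for (const field of fields) {
    if (IGNORED_FIELDS.includes(field)) continue;
    const oldValue = before[field];
    const newValue = after[field];
    if (stableStringify(oldValue) === stableStringify(newValue)) continue;
    changes[field] = SENSITIVE_FIELD.test(field)
      ? { old: oldValue === undefined ? undefined : REDACTED, new: newValue === undefined ? undefined : REDACTED }
      : { old: oldValue, new: newValue };
  }
  return Object.keys(changes).length > 0 ? changes : null;
}

// Assumption: the request exposes headers and the socket address, as a Fastify request does.
export interface RequestLike { headers: Record<string, string | string[] | undefined>; remoteAddress: string }

// X-Forwarded-For is client-controlled unless our own proxy appended it: walk it from the right,
// skipping trusted proxy addresses, and fall back to the socket address.
export function clientIp(req: RequestLike, trustedProxies: string[]): string {
  if (!trustedProxies.includes(req.remoteAddress)) return req.remoteAddress;
  const raw = req.headers["x-forwarded-for"];
  const xff = Array.isArray(raw) ? raw.join(",") : raw ?? "";
  const hops = xff.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) if (!trustedProxies.includes(hops[i])) return hops[i];
  return req.remoteAddress;
}

export type AuditAction = "create" | "update" | "delete";
export interface AuditContext { tenantId: string; userId: string; module: string; entityType: string; entityId: string; req: RequestLike; trustedProxies: string[]; sessionId?: string }
export interface AuditEntryInput { tenantId: string; userId: string; module: string; entityType: string; entityId: string; action: AuditAction; changes: AuditChanges | null; ipAddress: string; sessionId?: string }

// Returns the row to insert into AuditLogEntry, or null for a write that changed nothing.
export function buildAuditEntry(ctx: AuditContext, before: Row | null, after: Row | null): AuditEntryInput | null {
  const action: AuditAction = before === null ? "create" : after === null ? "delete" : "update";
  const changes = diffForAudit(before ?? {}, after ?? {});
  if (action === "update" && changes === null) return null;
  return { tenantId: ctx.tenantId, userId: ctx.userId, module: ctx.module, entityType: ctx.entityType, entityId: ctx.entityId, action, changes, ipAddress: clientIp(ctx.req, ctx.trustedProxies), sessionId: ctx.sessionId };
}

// Constructed sample: a SoftwareLicense row before and after an edit (key ciphertexts are made up)
export const LICENSE_BEFORE: Row = { productName: "Acme Suite", licenseKey: "enc:v1:AAAA", usedSeats: 5, tags: { tier: "gold", region: "au" }, updatedAt: new Date("2026-02-01T00:00:00Z") };
export const LICENSE_AFTER: Row = { productName: "Acme Suite", licenseKey: "enc:v1:BBBB", usedSeats: 6, tags: { region: "au", tier: "gold" }, updatedAt: new Date("2026-02-16T00:00:00Z") };
```

Redacting by field name is deliberately coarse: the audit log is the one table that is exported, searched and retained longest, so a ciphertext or token landing there is far harder to clean up than a false positive on a field that happened to be called `tokenCount`.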
  @@index([tenantId, clientId])
}

// ═══════════════════════════════════════
// INCIDENT POST-MORTEM (M56)
// ═══════════════════════════════════════

model PostMortem {
  id               String   @id @default(cuid())
  tenantId         String
  clientId         String
  incidentId       String?  // FK to CorrelatedIncident (M41)
  title            String
  template         String   // five_whys | timeline | blameless
  timeline         Json     // [{ time, event, actor }]
  rootCause        String?
  impactAssessment Json?    // { clientsAffected, durationMins, slaBreach, financialCost }
  actionItems      Json     // [{ task, owner, dueDate, ticketId, status }]
  lessonsLearned   String?
  createdAt        DateTime @default(now())

  @@index([tenantId, clientId])
}

// ═══════════════════════════════════════
// BILLING RECONCILIATION (M57)
// ═══════════════════════════════════════

model BillingReconciliation {
  id               String   @id @default(cuid())
  tenantId         String
  clientId         String
  period           String   // "2026-02"
  agreementDevices Int
  actualDevices    Int
  agreementUsers   Int
  actualUsers      Int
  discrepancies    Json     // [{ type, billed, actual, monthlyImpact }]
  totalLeakage     Decimal  // unbilled revenue per month
  status           String   // pending | reviewed | adjusted | accepted
  generatedAt      DateTime @default(now())

  @@unique([tenantId, clientId, period])
}

// ═══════════════════════════════════════
// DATA MIGRATION HUB (M58)
// ═══════════════════════════════════════

model MigrationJob {
  id              String    @id @default(cuid())
  tenantId        String
  sourcePlatform  String    // it_glue | hudu | autotask | halo | itflow | netbox | bookstack | wiki_js
  status          String    // mapping | validating | importing | completed | rolled_back
  totalRecords    Int       @default(0)
  importedRecords Int       @default(0)
  failedRecords   Int       @default(0)
  fieldMappings   Json      // { sourceField: targetField } mapping rules
  errorLog        Json?
  startedAt       DateTime?
  completedAt     DateTime?
  createdAt       DateTime  @default(now())
}

// ═══════════════════════════════════════
// AI EMAIL DRAFTS (M59)
// ═══════════════════════════════════════

model EmailDraft {
  id            String    @id @default(cuid())
  tenantId      String
  clientId      String
  contextModule String    // which module triggered the draft
  contextId     String    // ticket ID, alert ID, etc.
  tone          String    // professional | urgent | casual | executive
  subject       String
  body          String
  recipients    Json      // [{ email, name }]
  status        String    // draft | reviewed | sent | discarded
  reviewedBy    String?
  sentAt        DateTime?
  createdAt     DateTime  @default(now())

  @@index([tenantId, clientId, status])
}

// ═══════════════════════════════════════
// AUTOMATIC TIMESHEET (M60)
// ═══════════════════════════════════════

model TimesheetEntry {
  id            String   @id @default(cuid())
  tenantId      String
  userId        String
  date          DateTime
  clientId      String?
  description   String
  durationMins  Int
  sources       Json     // ["slack", "activitywatcher", "ninja"], the data sources that contributed
  confidence    String   // high | medium | low
  status        String   // auto_generated | adjusted | submitted | approved
  cwTimeEntryId String?  // ConnectWise time entry ID after export

  @@index([tenantId, userId, date])
}

// ═══════════════════════════════════════
// SECURITY NEWS & CVE FEED (M61)
// ═══════════════════════════════════════

model SecurityAdvisory {
  id               String   @id @default(cuid())
  tenantId         String
  source           String   // nvd | asd | cisa_kev | ism | pspf | vendor_psirt
  cveId            String?  // null for advisories without a CVE; NULL is distinct in a PostgreSQL unique index, so the @@unique below only dedupes CVE-bearing advisories
  title            String
  description      String
  severity         String   // critical | high | medium | low
  cvssScore        Decimal?
  affectedProducts Json?    // ["Windows Server 2022", "FortiOS 7.x"]
  affectedClients  Json?    // computed: which clients have these products
  patchAvailable   Boolean  @default(false)
  publishedAt      DateTime

  @@index([tenantId, severity, publishedAt])
  @@unique([tenantId, source, cveId])
}

// ═══════════════════════════════════════
// HARDWARE & FIRMWARE TRACKER (M62)
// ═══════════════════════════════════════

model FirmwareRecord {
  id                 String    @id @default(cuid())
  tenantId           String
  clientId           String
  deviceId           String
  deviceName         String
  deviceType         String    // firewall | switch | wireless | hypervisor | server | storage | ups
  manufacturer       String    // watchguard | fortinet | cisco | meraki | aruba | hpe | ubiquiti | vmware
  currentVersion     String
  latestVersion      String?
  recommendedVersion String?
  hasKnownCves       Boolean   @default(false)
  cveList            Json?     // [{ cve, cvss, exploited }]
  patchUrgency       String?   // critical | high | medium | low
  eolDate            DateTime?
  lastChecked        DateTime

  @@index([tenantId, clientId, patchUrgency])
  @@unique([tenantId, clientId, deviceId])
}

// ═══════════════════════════════════════
// CLIENT HEALTH SCORE (M63)
// ═══════════════════════════════════════

model ClientHealthScore {
  id            String   @id @default(cuid())
  tenantId      String
  clientId      String
  overallScore  Int      // 0-100
  components    Json     // { backup: 95, security: 82, compliance: 70, tickets: 88, patches: 91, endpoints: 85, firmware: 78 }
  trend         String   // improving | stable | declining
  previousScore Int?
  calculatedAt  DateTime @default(now())

  @@unique([tenantId, clientId])
  @@index([tenantId, overallScore])
}

// ═══════════════════════════════════════
// CAPACITY PLANNING (M64)
// ═══════════════════════════════════════

model CapacityMetric {
  id                 String    @id @default(cuid())
  tenantId           String
  clientId           String
  metricType         String    // disk | ram | cpu | bandwidth | mailbox | users | azure_compute
  resourceName       String    // device or resource identifier
  currentValue       Decimal
  maxCapacity        Decimal
  utilizationPct     Decimal
  growthRatePerMonth Decimal?
  projectedFullDate  DateTime? // when capacity will be exhausted
  measuredAt         DateTime  @default(now())

  @@index([tenantId, clientId, metricType])
}

// ═══════════════════════════════════════
// BI WAREHOUSE (M65)
// ═══════════════════════════════════════

model BIReport {
  id               String   @id @default(cuid())
  tenantId         String
  name             String
  query            String   // SQL or query builder JSON; raw SQL must execute under a read-only, tenant-scoped database role
  visualization    String   // table | bar | line | pie | heatmap | pivot
  schedule         String?  // cron for auto-delivery
  deliveryChannels Json?    // ["email", "slack", "teams"]
  createdBy        String
  createdAt        DateTime @default(now())
  updatedAt        DateTime @updatedAt
}

// ═══════════════════════════════════════
// CSAT / NPS SURVEYS (M66)
// ═══════════════════════════════════════

model SurveyResponse {
  id             String   @id @default(cuid())
  tenantId       String
  clientId       String
  ticketId       String?
  technicianId   String?
  surveyType     String   // csat | nps
  score          Int      // 1-5 (CSAT) or 0-10 (NPS)
  comment        String?
  followUpStatus String?  // none | pending | resolved
  respondedAt    DateTime @default(now())

  @@index([tenantId, clientId])
  @@index([tenantId, technicianId])
}

// ═══════════════════════════════════════
// CYBER INSURANCE READINESS (M67)
// ═══════════════════════════════════════

model InsuranceReadiness {
  id                String    @id @default(cuid())
  tenantId          String
  clientId          String
  readinessScore    Int       // 0-100
  evidenceItems     Json      // [{ requirement, status, moduleSource, evidenceUrl, timestamp }]
  gaps              Json      // [{ requirement, severity, recommendation }]
  policyRenewalDate DateTime?
  insurer           String?   // Chubb | QBE | Allianz
  premiumHistory    Json?
// [{ year, premium, currency }] generatedAt DateTime @default(now()) @@unique([tenantId, clientId]) } // ═══════════════════════════════════════ // CLIENT OFFBOARDING (M68) // ═══════════════════════════════════════ model OffboardingChecklist { id String @id @default(cuid()) tenantId String clientId String status String // initiated | in_progress | completed | archived steps Json // [{ step, category, completed, completedBy, completedAt, notes }] dataExportUrl String? retentionPolicy String? // 30d | 90d | 1yr | permanent initiatedBy String initiatedAt DateTime @default(now()) completedAt DateTime? @@unique([tenantId, clientId]) } // ═══════════════════════════════════════ // BACKUP TESTING & VERIFICATION (M69) // ═══════════════════════════════════════ model BackupTest { id String @id @default(cuid()) tenantId String clientId String testType String // file_restore | vm_restore | app_restore | full_dr backupSource String // datto | veeam | afi resourceName String status String // scheduled | running | success | failed restoreTimeMins Int? checksumValid Boolean? errorDetails String? scheduledAt DateTime completedAt DateTime? @@index([tenantId, clientId, status]) } // ═══════════════════════════════════════ // REMOTE SESSION MANAGER (M70) // ═══════════════════════════════════════ model RemoteSession { id String @id @default(cuid()) tenantId String clientId String technicianId String deviceName String tool String // rdp | teamviewer | anydesk | ninjaone | vpn status String // active | completed | terminated startedAt DateTime @default(now()) endedAt DateTime? durationMins Int? recordingUrl String? @@index([tenantId, technicianId, startedAt]) } // ═══════════════════════════════════════ // IoT & PERIPHERAL MANAGEMENT (M71) // ═══════════════════════════════════════ model IoTDevice { id String @id @default(cuid()) tenantId String clientId String deviceType String // printer | camera | sensor | ups | pdu | display | environmental name String ipAddress String? 
macAddress String? manufacturer String? model String? firmwareVersion String? status String // online | offline | warning | maintenance metrics Json? // { tonerLevel, pageCount, batteryHealth, temperature, humidity } networkSegment String? // VLAN or subnet lastSeen DateTime? @@index([tenantId, clientId, deviceType]) } // ═══════════════════════════════════════ // MULTI-CLOUD OPERATIONS (M72) // ═══════════════════════════════════════ model CloudResource { id String @id @default(cuid()) tenantId String clientId String provider String // azure | aws | gcp resourceType String // vm | database | storage | network | container resourceId String // provider resource ARN/ID name String region String size String? // instance type / SKU monthlyCost Decimal? tags Json? rightSizeRec String? // recommended size if over-provisioned lastSynced DateTime @@unique([tenantId, provider, resourceId]) } // ═══════════════════════════════════════ // MS PARTNER TENANCY MANAGER (M73) // ═══════════════════════════════════════ model PartnerTenant { id String @id @default(cuid()) tenantId String clientId String m365TenantId String // client's M365 tenant GUID gdapStatus String // active | expired | pending gdapRoles Json // [{ role, expiryDate }] cspType String // csp | direct | none partnerOfRecord Boolean @default(false) unusedLicenses Json? // [{ sku, count, monthlyWaste }] serviceHealth Json? 
// latest M365 service health status lastSynced DateTime @@unique([tenantId, clientId, m365TenantId]) } model GdapAssignment { id String @id @default(cuid()) partnerTenantId String roleName String roleId String expiryDate DateTime status String // active | expiring_soon | expired @@index([partnerTenantId, expiryDate]) } // ═══════════════════════════════════════ // AUTO-GENERATED DIAGRAMS (M74) // ═══════════════════════════════════════ model InfraDiagram { id String @id @default(cuid()) tenantId String clientId String diagramType String // network_topology | cloud_architecture | m365_overview | rack_layout | data_flow | ad_structure title String renderData Json // D3.js / Mermaid render data mermaidSource String? // Mermaid markdown for export svgUrl String? dataSources Json // ["ninjaone", "unifi", "m365"] — which connectors fed this lastGenerated DateTime @default(now()) @@index([tenantId, clientId, diagramType]) } // ═══════════════════════════════════════ // VAULWARDEN INTEGRATION (M75) // ═══════════════════════════════════════ model VaultOrganization { id String @id @default(cuid()) tenantId String clientId String vaulwardenOrgId String name String totalItems Int @default(0) weakPasswords Int @default(0) reusedPasswords Int @default(0) breachedPasswords Int @default(0) lastAudited DateTime? @@unique([tenantId, clientId]) } // ═══════════════════════════════════════ // EMAIL INFRASTRUCTURE MONITOR (M76) // ═══════════════════════════════════════ model SmtpTest { id String @id @default(cuid()) tenantId String clientId String serverHost String port Int starttlsOk Boolean certValid Boolean authOk Boolean? openRelay Boolean @default(false) deliveryTestMs Int? // roundtrip delivery time testedAt DateTime @default(now()) @@index([tenantId, clientId]) } model BlacklistCheck { id String @id @default(cuid()) tenantId String clientId String ipOrDomain String listedOn Json // ["spamhaus", "barracuda"] — blacklists where listed isListed Boolean delistingStatus String? 
// none | requested | completed checkedAt DateTime @default(now()) @@index([tenantId, clientId, isListed]) } // ═══════════════════════════════════════ // WORDPRESS & CMS VULNERABILITY (M77) // ═══════════════════════════════════════ model WordPressSite { id String @id @default(cuid()) tenantId String clientId String url String cmsType String // wordpress | joomla | drupal coreVersion String? plugins Json? // [{ name, version, latestVersion, hasVuln, abandoned }] themes Json? // [{ name, version, latestVersion }] vulnCount Int @default(0) lastScanned DateTime? @@unique([tenantId, url]) } // ═══════════════════════════════════════ // VENDOR RISK MANAGEMENT (M78) // ═══════════════════════════════════════ model VendorRisk { id String @id @default(cuid()) tenantId String vendorName String riskScore Int // 0-100 sslGrade String? emailSecurity Json? // { spf, dkim, dmarc } breachHistory Json? // [{ date, description, records }] certifications Json? // [{ type: "SOC2", expiryDate }] dataHandled Json? // what client data this vendor processes lastAssessed DateTime? @@index([tenantId, riskScore]) } // ═══════════════════════════════════════ // SMS & COMMUNICATION AUTOMATION (M79) // ═══════════════════════════════════════ model SmsMessage { id String @id @default(cuid()) tenantId String clientId String? direction String // outbound | inbound recipientPhone String senderPhone String? body String status String // queued | sent | delivered | failed provider String // twilio | messagemedia | vonage providerMsgId String? costAud Decimal? triggerModule String? // which module triggered this SMS sentAt DateTime @default(now()) @@index([tenantId, clientId]) } // ═══════════════════════════════════════ // SECURE SHARING (M80) // ═══════════════════════════════════════ model SecureShare { id String @id @default(cuid()) tenantId String createdBy String shareType String // password | file | text encryptedContent String // AES-256-GCM encrypted passphrase String? 
// optional additional passphrase (hashed) maxViews Int @default(1) currentViews Int @default(0) expiresAt DateTime viewLog Json? // [{ viewedAt, ip, userAgent }] isExpired Boolean @default(false) createdAt DateTime @default(now()) } // ═══════════════════════════════════════ // PLATFORM HEALTH & STATUS PAGE (M81) // ═══════════════════════════════════════ model PlatformService { id String @id @default(cuid()) tenantId String serviceName String // module name or infra component serviceType String // module | database | cache | queue | k8s | backup | api status String // operational | degraded | partial_outage | major_outage | maintenance uptimePct Decimal @default(100) lastChecked DateTime responseTimeMs Int? logoUrl String? @@unique([tenantId, serviceName]) } model StatusIncident { id String @id @default(cuid()) tenantId String serviceId String title String severity String // minor | major | critical status String // investigating | identified | monitoring | resolved updates Json // [{ time, status, message }] startedAt DateTime @default(now()) resolvedAt DateTime? @@index([tenantId, status, startedAt]) } // ─── M11: IT Tools Usage Analytics ─── model ToolUsageLog { id String @id @default(cuid()) tenantId String userId String toolName String // "dns-lookup", "json-formatter", "speed-test" category String // "network", "security", "developer", "document" inputSize Int? // bytes of input data (for analytics) duration Int? // ms to complete usedAt DateTime @default(now()) @@index([tenantId, toolName]) @@index([tenantId, userId, usedAt]) }
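The SecureShare model only states that encryptedContent is AES-256-GCM and that the passphrase is hashed. The TypeScript below is an added example, not Arete code, showing one way to fill those two columns with Node's crypto module and to open a share safely. Everything beyond the schema is an assumption: the blob layout iv || tag || ciphertext, a per-share random content key that travels in the recipient's link rather than the database, scrypt for the passphrase hash, and the helper names sealShare, openShare, isServable and flipLastBit.

```typescript
// Added example (not Arete code): producing and consuming SecureShare.encryptedContent
// and SecureShare.passphrase. Assumed design: a fresh content key per share, handed to the
// recipient out of band (for example in the link's URL fragment) and never stored with the row.
import { createCipheriv, createDecipheriv, randomBytes, scryptSync, timingSafeEqual } from "crypto";

const IV_BYTES = 12;   // GCM nonce; random is safe here because every key is used exactly once
const TAG_BYTES = 16;  // GCM authentication tag
const KEY_BYTES = 32;  // AES-256
const SCRYPT = { N: 16384, r: 8, p: 1 }; // assumed cost parameters, well under Node's default maxmem

export interface ShareRow {
  encryptedContent: string;   // base64url(iv || tag || ciphertext), the schema's encryptedContent column
  passphrase: string | null;  // "scrypt$<salt>$<hash>", the schema's hashed passphrase column
}

export interface SealedShare extends ShareRow {
  contentKey: string;         // base64url key for the recipient's link; deliberately not a DB column
}

export function hashPassphrase(passphrase: string): string {
  const salt = randomBytes(16);
  const hash = scryptSync(passphrase, salt, 32, SCRYPT);
  return `scrypt$${salt.toString("base64url")}$${hash.toString("base64url")}`;
}

export function verifyPassphrase(stored: string, supplied: string): boolean {
  const [scheme, saltB64, hashB64] = stored.split("$");
  if (scheme !== "scrypt" || !saltB64 || !hashB64) return false;
  const expected = Buffer.from(hashB64, "base64url");
  const actual = scryptSync(supplied, Buffer.from(saltB64, "base64url"), expected.length, SCRYPT);
  return actual.length === expected.length && timingSafeEqual(actual, expected); // constant-time compare
}

export function sealShare(plaintext: string, passphrase?: string): SealedShare {
  const key = randomBytes(KEY_BYTES);
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return {
    encryptedContent: Buffer.concat([iv, tag, ciphertext]).toString("base64url"),
    passphrase: passphrase ? hashPassphrase(passphrase) : null,
    contentKey: key.toString("base64url"),
  };
}

// Throws if the passphrase is wrong, the blob is malformed, or the ciphertext/tag was altered.
export function openShare(row: ShareRow, contentKey: string, suppliedPassphrase?: string): string {
  if (row.passphrase !== null) {
    if (!suppliedPassphrase || !verifyPassphrase(row.passphrase, suppliedPassphrase)) {
      throw new Error("passphrase rejected");
    }
  }
  const blob = Buffer.from(row.encryptedContent, "base64url");
  if (blob.length < IV_BYTES + TAG_BYTES) throw new Error("malformed encryptedContent");
  const iv = blob.subarray(0, IV_BYTES);
  const tag = blob.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ciphertext = blob.subarray(IV_BYTES + TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", Buffer.from(contentKey, "base64url"), iv);
  decipher.setAuthTag(tag);
  // final() throws on tag mismatch, so a tampered blob never yields partial plaintext to the caller.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// Pure gate for the serve path. The real consumption must be a single conditional UPDATE
// (currentViews < maxViews AND expiresAt > now()) so two concurrent requests for a
// maxViews = 1 share cannot both succeed; this function alone is not that guarantee.
export function isServable(
  row: { maxViews: number; currentViews: number; expiresAt: Date },
  now: Date = new Date(),
): boolean {
  return row.expiresAt.getTime() > now.getTime() && row.currentViews < row.maxViews;
}

// Flips one bit of a stored blob; used only to demonstrate tamper detection.
export function flipLastBit(encryptedContent: string): string {
  const blob = Buffer.from(encryptedContent, "base64url");
  const last = blob.length - 1;
  blob.writeUInt8(blob.readUInt8(last) ^ 0x01, last);
  return blob.toString("base64url");
}
```

With Prisma the conditional consumption maps to an updateMany whose where clause carries the id, currentViews less than maxViews and expiresAt greater than now, incrementing currentViews; the share is served only when the returned count is 1. Reading the row first and then updating it is exactly the race the comment warns about.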

iOS Companion App

A React Native app that shares TypeScript types and the API client with the web frontend. It provides push notifications, dashboard KPIs, and a subset of the IT tools.

Feature Parity Matrix (All 75 Modules)

Every module is surfaced on iOS; the iOS column lists what the app exposes for each module (often a read-only or approval-oriented subset of the web feature set) together with the phase in which it ships. The iOS app uses React Native with shared TypeScript types, API client, and Zod validation schemas from the web codebase.

| Module | Web | iOS | iOS Priority |
|---|---|---|---|
| M1 Executive Dashboard | Full | KPI cards + alert feed + widget grid | Launch |
| M2 Backup Intelligence | Full | Compliance summary + failure alerts + push | Launch |
| M3 Security Posture | Full | Score card + critical alerts + vuln feed | Launch |
| M4 Email Security | Full | Status grid (read-only) + alerts | Launch |
| M5 Domain Management | Full | Expiry alerts + health scores + TLD price monitor | Launch |
| M6 Uptime Monitoring | Full | Status overview + push on downtime | Launch |
| M7 Ticket Intelligence | Full | Triage approve/deny + quick view + time entry | Launch |
| M8 Asset & License | Full | Asset lookup + license counts (read-only) | Phase 2 |
| M9 M365 Management | Full | Tenant overview + user search (read-only) | Phase 2 |
| M10 Reporting Engine | Full | View/share reports (PDF viewer) | Launch |
| M11 IT Tools | Full (45+ tools) | What's My IP, DNS, ping, traceroute, speed test, password gen, QR, subnet calc, JSON formatter, hash gen, IP geoloc | Launch |
| M12 Email Audit | Full | Results viewer (read-only) | Phase 2 |
| M13 Infrastructure | Full | Status overview + alerts | Phase 2 |
| M14 Breach Scanner | Full | Breach alerts + push notifications | Launch |
| M15 Password Vault | Full | View + copy (biometric unlock) + TOTP | Launch |
| M16 Backup Catalog | Full | Catalog status + alerts | Phase 2 |
| M17 NinjaOne | Full | Device status + reboot approval + push | Phase 2 |
| M18 API Hub | Full | Connector health status (read-only) | Phase 3 |
| M19 Client Onboarding | Full | Checklist progress + task assignment | Phase 2 |
| M20 Compliance Tracker | Full | Score overview + gap alerts | Launch |
| M21 Automated Playbooks | Full | Trigger/approve playbooks + execution status | Phase 2 |
| M22 Client Profitability | Full | Revenue/cost cards (read-only) | Phase 2 |
| M23 Patch Management | Full | Patch status + approval + push on critical | Launch |
| M24 DR Testing | Full | DR status overview + test scheduling | Phase 3 |
| M25 Change Management | Full | Approve/reject RFCs + push notifications | Launch |
| M26 AI Copilot | Full | Chat interface + voice input + context menu | Launch |
| M27 Client Portal | N/A (separate) | Separate client-facing app or web view | Phase 2 |
| M28 Network Discovery | Full | Network map viewer + device list | Phase 3 |
| M29 Cloud Cost Optimizer | Full | Cost summary + anomaly alerts | Phase 2 |
| M30 Space & Parking | Full | Book/cancel desks + parking + calendar view | Launch |
| M31 Procurement & Stock | Full | Product lookup + PO approval + stock check | Phase 2 |
| M32 QBR Generator | Full | View/share QBR PDFs + schedule | Phase 2 |
| M33 Vendor Hub | Full | Vendor contacts + contract expiry alerts | Phase 2 |
| M34 Training Tracker | Full | My certifications + expiry alerts + CPD log | Phase 2 |
| M35 Warranty Lifecycle | Full | Warranty expiry alerts + lookup | Phase 2 |
| M36 SharePoint Builder | Full | View structures (read-only) | Phase 3 |
| M37 Intune Config Mgr | Full | Drift alerts + config comparison (read-only) | Phase 2 |
| M38 IPAM | Full | IP lookup + subnet viewer | Phase 3 |
| M39 DNS Operations | Full | Propagation status + rollback approval | Phase 2 |
| M40 Documentation | Full | Search + read docs + freshness alerts | Phase 2 |
| M41 Alert Correlation | Full | Correlated incident feed + push | Launch |
| M42 Integration Health | Full | Health dashboard + failure push alerts | Launch |
| M43 DevOps & CI | Full | Pipeline status + approval gates | Phase 3 |
| M44 Website Tracker | Full | Change alerts + screenshot comparison | Phase 2 |
| M45 Contract & SLA | Full | Contract expiry alerts + SLA compliance view | Phase 2 |
| M46 Comm Timeline | Full | Client timeline + add notes + call logging | Launch |
| M47 Tech Dispatch | Full | My schedule + job details + GPS navigation + time log | Launch |
| M48 Password Rotation | Full | Rotation status + failure alerts | Phase 2 |
| M49 Runbook Library | Full | Search + read runbooks + decision trees | Launch |
| M50 Endpoint Compliance | Full | Compliance score cards + non-compliant alerts | Launch |
| M51 Custom Dashboards | Full (drag-drop) | View dashboards + KPI widgets (simplified) | Phase 2 |
| M52 Notification Center | Full | Notification hub + preference management + push | Launch |
| M53 Audit Log | Full | Search + filter audit entries (read-only) | Phase 3 |
| M54 Attack Surface | Full | Risk overview + new exposure alerts | Phase 2 |
| M55 Phishing Simulation | Full | Campaign results + click-rate summaries | Phase 2 |
| M56 Post-Mortem | Full | View post-mortems + action items | Phase 3 |
| M57 Billing Reconcile | Full | Discrepancy alerts + summary view | Phase 2 |
| M58 Data Migration | Full | Migration progress tracking (read-only) | Phase 3 |
| M59 AI Email Drafts | Full | Review + approve drafts + voice-to-draft | Phase 2 |
| M60 Auto Timesheet | Full | Review + adjust + submit timesheets | Launch |
| M61 Security News | Full | CVE feed + relevance alerts + push on critical | Launch |
| M62 Firmware Tracker | Full | Vulnerability alerts + firmware status overview | Launch |
| M63 Client Health Score | Full | Traffic light dashboard + drill-down + trends | Launch |
| M64 Capacity Planning | Full | Capacity alerts + forecast summaries | Phase 2 |
| M65 BI Warehouse | Full | View reports + scheduled delivery | Phase 3 |
| M66 CSAT / NPS | Full | Survey response viewer + NPS trend card | Phase 2 |
| M67 Cyber Insurance | Full | Readiness score + gap summary | Phase 2 |
| M68 Client Offboarding | Full | Checklist progress + step sign-off | Phase 3 |
| M69 Backup Testing | Full | Test results + failure alerts | Phase 2 |
| M70 Remote Sessions | Full | Active session list + emergency kill switch | Launch |
| M71 IoT & Peripherals | Full | Device status + offline alerts + UPS health | Phase 2 |
| M72 Multi-Cloud Ops | Full | Resource overview + cost alerts | Phase 3 |
| M73 Partner Tenancy | Full | GDAP status + license recommendations + alerts | Phase 2 |
| M74 Auto Diagrams | Full (D3.js) | View diagrams (pinch-zoom) + export/share | Phase 2 |
| M75 Vaultwarden | Full | Bitwarden client integration (native) | Phase 2 |
| M76 Email Infra Monitor | Full | SMTP test results + blacklist alerts | Phase 2 |
| M77 WordPress/CMS | Full | Vulnerability alerts + plugin status | Phase 2 |
| M78 Vendor Risk | Full | Risk score overview + vendor status | Phase 3 |
| M79 SMS Automation | Full | Send SMS + delivery status + templates | Launch |
| M80 Secure Sharing | Full | Create + share secure links + expiry tracking | Launch |
| M81 Platform Health | Full | Status page + module health + push on incidents | Launch |

iOS Launch Phases

| Phase | Modules | Count | Focus |
|---|---|---|---|
| Launch | M1-M7, M10-M11, M14-M15, M20, M23, M25-M26, M30, M41-M42, M46-M47, M49-M50, M52, M60-M63, M70, M79-M81 | 31 | Core operations, alerts, field tech tools |
| Phase 2 | M8-M9, M12-M13, M16-M17, M19, M21-M22, M27, M29, M31-M35, M37, M39-M40, M44-M45, M48, M51, M54-M55, M57, M59, M64, M66-M67, M69, M71, M73-M77 | 37 | Management, compliance, vendor tools |
| Phase 3 | M18, M24, M28, M36, M38, M43, M53, M56, M58, M65, M68, M72, M78 | 13 | Advanced/admin features |

Total: all 81 module IDs (75 modules after the 6 consolidations) have defined iOS functionality, and the three phases sum to 81, matching the parity matrix phase column. No module is web-only.

iOS-Specific Features

Push Notification Triggers

Auth

Zitadel SSO via the OAuth 2.0 authorization-code flow with PKCE (RFC 7636, S256 challenge). The app is a public client, so no client secret exists in the mobile build; the code verifier stays on the device until the token exchange, and a callback is accepted only when its state parameter matches the pending login attempt. Biometric unlock for subsequent sessions. Access and refresh tokens are stored in the iOS Keychain, not in app preferences or AsyncStorage.
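The flow above, written out as an added TypeScript example (not Arete code): verifier and S256 challenge generation, the authorization request, state-checked callback parsing, and the secret-free token request. The endpoint paths /oauth/v2/authorize and /oauth/v2/token are assumed Zitadel paths and should be taken from the issuer's /.well-known/openid-configuration in production; the issuer, client ID, redirect scheme and function names are hypothetical. Keychain storage of the resulting tokens is outside this example.

```typescript
// Added example (not Arete code): PKCE authorization-code helpers for the iOS app's
// Zitadel login. The app is a public client, so no client secret appears anywhere below.
// Endpoint paths are assumed; production code reads them from OIDC discovery.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

export interface PkcePair {
  codeVerifier: string;   // kept on the device, sent once to the token endpoint
  codeChallenge: string;  // sent to the authorization endpoint
}

// RFC 7636 section 4.1: verifier is 43..128 chars of [A-Za-z0-9-._~].
// 32 random bytes in unpadded base64url give exactly 43 such characters.
export function generateCodeVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// RFC 7636 section 4.2: S256 challenge = BASE64URL(SHA256(ASCII(verifier))).
export function codeChallengeS256(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

export function newPkcePair(): PkcePair {
  const codeVerifier = generateCodeVerifier();
  return { codeVerifier, codeChallenge: codeChallengeS256(codeVerifier) };
}

// Unguessable state binds the callback to this login attempt (CSRF protection).
export function generateState(): string {
  return randomBytes(16).toString("base64url");
}

export interface AuthorizeRequest {
  issuer: string;       // e.g. "https://auth.example.com" (hypothetical)
  clientId: string;
  redirectUri: string;  // e.g. "arete://auth/callback" (hypothetical app scheme)
  scope: string;
  state: string;
  codeChallenge: string;
}

export function buildAuthorizeUrl(req: AuthorizeRequest): string {
  const url = new URL("/oauth/v2/authorize", req.issuer); // assumed Zitadel path
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: req.clientId,
    redirect_uri: req.redirectUri,
    scope: req.scope,
    state: req.state,
    code_challenge: req.codeChallenge,
    code_challenge_method: "S256", // never "plain"
  }).toString();
  return url.toString();
}

function equalStrings(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Parses the redirect the OS hands back to the app and returns the authorization code.
// Rejects error responses, missing parameters and any state that does not match.
export function extractAuthorizationCode(callbackUrl: string, expectedState: string): string {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get("error");
  if (error) throw new Error(`authorization failed: ${error}`);
  const state = params.get("state");
  const code = params.get("code");
  if (!state || !code) throw new Error("callback is missing code or state");
  if (!equalStrings(state, expectedState)) throw new Error("state mismatch: possible CSRF or replay");
  return code;
}

// Body for POST <issuer>/oauth/v2/token (assumed path). The verifier proves possession of
// the original request; client_secret is intentionally absent for a public client.
export function buildTokenRequestBody(args: {
  clientId: string; redirectUri: string; code: string; codeVerifier: string;
}): URLSearchParams {
  return new URLSearchParams({
    grant_type: "authorization_code",
    client_id: args.clientId,
    redirect_uri: args.redirectUri,
    code: args.code,
    code_verifier: args.codeVerifier,
  });
}
```

The verifier and state must be generated fresh for every login attempt and discarded after the token exchange; reusing either defeats the binding that PKCE and state provide.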

Code Reuse Map (30+ Existing Tools)

Every existing tool mapped to its target module. Nothing orphaned.

| Existing Tool | Location | Target Module | Reuse Type |
|---|---|---|---|
| AFI.AIDS Dashboard | C:\GIT\afi-bandaid | M2 Backup | Port Vue → React (components + logic) |
| AFI Internal API | C:\Users\Tom\afi-internal-api\ | M2 Backup | Direct reuse (Node.js auth + client) |
| CW Triage Dashboard | C:\GIT\cw-triage-dashboard | M7 Tickets | Port Vue → React |
| Knowledge-DB | C:\GIT\knowledge-db | M7 Tickets | Sync patterns, Grafana designs, embedding worker |
| NinjaOne Vuln Report | C:\GIT\ninja-vuln-report | M3 Security | OAuth flow, scanner pattern |
| License Platform Worker | C:\GIT\license-platform-worker | M8 Licenses | D1 schema, sync logic |
| Email Auth Validators | cloudflare-dns-terraform\scripts\validation\ | M4 Email Security | Port PS → TS (8 validators) |
| Batch Health Audit | Invoke-BatchHealthAudit.ps1 | M4 Email Security | Port PS → TS (orchestrator + scoring) |
| CW Email Audit | C:\GIT\connectwise-email-audit\ | M12 Email Audit | Port PS → TS (4 libs) |
| Argus Vault Analyzer | C:\GIT\Argus | M15 Vault | Port Svelte → React (D3.js viz) |
| Infrastructure Dashboard | infrastructure-audit.html | M13 Infra | Port HTML → React |
| Domain Inventory | 02 - Areas\Domain Inventory.md | M5 Domains | Data source (83 domains, costs) |
| Cloudflare DNS Terraform | C:\GIT\cloudflare-dns-terraform | M4/M5 | Reference for DNS record patterns |
| NinjaOne Reboot Suite | G:\Documents\Bidness\NinjaOne\scripts\ | M17 NinjaOne | Backend logic reference |
| API Documentation | G:\Documents\Bidness\API-Standards\ | M18 API Hub | Direct content (10 API docs) |
| CIPP Fork | C:\GIT\CIPP-Project\ | M9 M365 | Graph API patterns reference |
| Backup Catalog | /opt/backup-catalog/ | M16 Backup Cat | PostgreSQL schema, collectors |
| Breach Intel | C:\GIT\breach-intel | M14 Breach | Repo structure, API patterns |
| Arete Existing (43 modules) | C:\GIT\Arete\src\modules\ | M6, M9, M14 | Direct use (monitors, status-pages, alerting, m365-audit, breach-scanner) |
| Arete Space-Booking | C:\GIT\Arete\src\modules\space-booking\ | M30 Space & Parking | Direct use (60+ endpoints, 752-line service, 5 BullMQ workers) |
| Grafana Dashboards (6) | kb-*.json | M1, M7 | Design reference for chart layouts |
| Training Requirements | G:\Documents\Bidness\03 - Resources\Training Requirements.md | M34 Training | Data source (role/cert requirements) |
| ScalePad API Reference | G:\Documents\Bidness\03 - Resources\API-Standards\ScalePad-API-Reference.md | M35 Warranty | Connector implementation guide |
| API Standards Library (11) | G:\Documents\Bidness\03 - Resources\API-Standards\ | M18, M31, M33, M35 | Connector auth patterns + endpoint docs |
| NinjaOne Reboot Automation v2 | G:\Documents\Bidness\Invoke-ServerRebootAutomation.ps1 | M17, M62 | State machine pattern, server role awareness |
| Server Maintenance Templates | G:\Documents\Bidness\templates\server-maintenance-notification.html | M52, M79 | Email/SMS notification template reference |
| NinjaOne Enhancement Roadmap | C:\Users\Tom\ninjaone-reboot-automation-roadmap.html | M17, M62, M71 | 85+ improvement ideas for RMM integration |

UI Design Specification

Design System

| Property | Value |
|---|---|
| Theme | Dark mode default (toggle to light). Use the TailwindCSS dark: prefix |
| Colors (Dark) | BG: #0d1117, Surface: #161b22, Border: #30363d, Text: #e6edf3, Accent: #58a6ff |
| Typography | Inter (UI), JetBrains Mono (code/data) |
| Border Radius | 8px (cards), 6px (inputs), 12px (modals) |
| Spacing Scale | 4px base (TailwindCSS default) |
| Icons | Lucide React (consistent with Radix UI) |
| Charts | Chart.js (simple), D3.js (complex/custom) |

Layout Pattern

┌───────────────────────────────────────────────────────────┐
│  Topbar: Logo | Search (Cmd+K) | Notifications | Profile  │
├──────┬────────────────────────────────────────────────────┤
│      │                                                    │
│ Side │  Breadcrumb: Module > Section > Detail             │
│ bar  │                                                    │
│      │  ┌─────────┐ ┌─────────┐ ┌─────────┐               │
│ M1   │  │ KPI Card│ │ KPI Card│ │ KPI Card│               │
│ M2   │  └─────────┘ └─────────┘ └─────────┘               │
│ M3   │                                                    │
│ ...  │  ┌───────────────────────────────────┐             │
│ M81  │  │                                   │             │
│      │  │  Main Content (Table/Chart/Form)  │             │
│      │  │                                   │             │
│      │  └───────────────────────────────────┘             │
├──────┴────────────────────────────────────────────────────┤
│  Status Bar: Connection status | Last sync | Version      │
└───────────────────────────────────────────────────────────┘

Component Patterns