GFS Platform
Gaps to close
Open items, all tiers. Source: GAPS_TO_CLOSE.md.
This HTML is generated from the markdown — edit the .md and re-run python3 assets/build_pages.py to refresh.
GFS Platform — All Gaps to Close
Generated: May 19, 2026
Source: Full session audit — 15+ agents, 3 C-suite reviews, 6 cross-reference audits
TIER 1 — CRITICAL (do immediately)
Security & Access
- CF Access (Zero Trust) on gfs-system-guide.pages.dev — revenue, customer names, employee org chart, financial data all publicly accessible. One command to add email OTP.
- 48 public Suitelets — internal ops portal, all 8 broker portals, daily sales dashboard, all 7 product programs accessible without NS login (isonline=T, allroles=T). Audit each, restrict internal ones immediately.
- Echo Lake vendor portal — public, exposes vendor data. Disable or add auth.
Data Protection
- git init on gfs-platform — no version control exists. One accidental delete loses everything: 1,897-line guide, 17 reference docs, Worker code, schema, 45 SQL loaders.
- D1 backup script — no export scheduled. SQL loaders can rebuild from initial load but any data added since (entity backfill, GL accounts, 2 vb_lines) would be lost.
Accounting
- Close accounting periods — ALL 153 periods open since Jan 2018. Anyone can post to any prior period. Close through Dec 2025 minimum. Takes 30 min in NS.
TIER 2 — HIGH (do this week)
Infrastructure
- Full Disk Access for Terminal.app — macOS Sequoia com.apple.provenance blocks sync.sh via launchd. System Settings → Privacy & Security → Full Disk Access → add Terminal.app.
- Test custom domain from phone — api.ai-globalfoodsolutions.co fails locally (firewall/VPN) but TCP connects. SSL may already work from other networks.
- Move sync off localhost — Chartstone on a single Mac is the #1 SPOF. Build Worker cron to call SuiteAPI #2948 directly. Eliminates laptop dependency.
- Wrangler update — 4.90.1 installed, 4.93.0 available. Run npm update wrangler.
Data Quality (F-grade items)
- Vendor payment terms — 93% missing (451 of 484). AP aging completely unreliable. Owner: Amanda S. Bulk CSV import or Map/Reduce.
- Vendor emails — 70% missing (341). Can't send PO confirmations. Owner: James M.
- Item GTIN/UPC — 78% missing (765 items). Can't print barcodes. Owner: Elena M.
- Item case weight — 71% missing (694). BOL weight calculations fail. Owner: Sal B.
- Item storage temp — 75% missing. Cold chain documentation gap. Owner: Elena M.
Security Findings (NS side — 10 open)
- NS1 — 48 public Suitelets (see Tier 1)
- NS3 — SuiteAPI #2948 runs as Administrator. Create restricted role. 1 hr.
- NS4 — Toolkit #2949 full CRUD as Admin. Restrict permissions. 30 min.
- NS5 — Mike Bot uses personal Gmail + full Admin role. Switch to corporate email + limited role. 30 min.
- NS6 — Accounting periods (see Tier 1)
- NS7 — Echo Lake fraud reversals + public portal. Disable portal, close fraud periods. 1 hr.
- NS8 — 5 scripts in TESTING mode in production. Release or remove. 30 min.
- NS9 — 24 unused international scripts (SII, Intrastat) adding overhead to every transaction. Deactivate. 1 hr.
- NS10 — Single admin concentration (23 roles on Michael Levine). Need second admin. 1 hr.
TIER 3 — MEDIUM (do this month)
Operational Fixes
- Zapier WO automation dead — 0 WOs created in 2026. 179 items negative inventory. $4.3M in worksheets as workaround. Either repair Zapier or build WO creation into CF platform.
- Dual dunning system — both day-based (3/7/14/30/60) and level-based (L1/L2/L3) templates active simultaneously. Risk of double-dunning. Deactivate one system.
- 9 Power Up meal kits negative inventory — assembly builds not recorded. Richard G. to investigate.
- 11 customers expired pricing — some 4+ years expired (Pittsburgh Public Schools since 1/25/2022). Review and update or inactivate.
Template Bugs (3 in production)
- Vendor Bill (id 117) — prints "TESTBill" on every vendor bill. Fix: find TEST${record@title} → change to ${record@title}.
- GL Export (id 118) — prints "TESTING". Fix: find ${record@title}TESTING → remove TESTING.
- GL Impact (id 119) — contains BOL code instead of GL content. Compare with standard (id 45), fix or inactivate.
Data Quality (remaining items)
- Item kosher status — 98% missing. Certification missing from labels. Owner: Elena M. Q4 2026.
- Item shelf life — 70% missing. WO product dating incorrect. Owner: Elena M. Q4 2026.
- Item country of origin — 70% missing. BOL compliance risk. Owner: Elena M. Q4 2026.
- Customer emails — 12% missing (33). Can't receive confirmations/dunning. Owner: Danielle S.
- Customer payment terms — 10% missing (28). AR aging incorrect. Owner: Amanda S.
- Employee data — 45% populated. ~50+ missing email, ~60+ missing title. Grade: D.
Security Findings (CF side — 4 open)
- C4 — Sensitive data (PII, financials, vendor tax IDs) unfiltered on API responses. Filter after auth is in place.
- H1 — No rate limiting on API. Add after auth.
- H4 — No logging/monitoring. Add request logging to Worker.
- H5 — Chartstone token residual in CLAUDE.md. Move to env var only.
Architecture (6 open)
- M1 — No tests. Zero test files, no framework.
- M2 — No CI/CD pipeline. Manual wrangler deploy only.
- M3 — Sync handler stub. handleSync() only writes sync_log. handleDailyReport() only console.logs.
- M4 — No TypeScript type safety. data: any, no interfaces.
- M5 — D1 schema missing constraints. No UNIQUE on tranid, no CHECK, no FK enforcement.
- L2 — No API versioning (/v1/ prefix).
TIER 4 — IMPROVEMENT (ongoing)
Guide Enhancements
- Section reorder refinement — health/risk moved up but some sections still scattered. Full reorder in next session.
- Executive summary page — board-ready, built but could be enhanced with live data.
- Mobile hamburger nav — built but needs testing on actual phone.
- Search match highlighting — built but may need performance optimization on large page.
System Monitoring
- Uptime monitoring — Worker cron that checks /api/health and emails on failure.
- Sync monitoring — alert if sync_log shows failures or gaps > 1 hour.
- D1 capacity tracking — 28.3 MB of 10 GB (0.3% used). Log growth monthly.
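One way to implement the sync monitoring check listed above, as an added example (not code from the GFS platform). The row shape (started_at as an ISO timestamp, status "ok" or "error") and the name findSyncProblems are assumptions; only the sync_log table name and the 1-hour threshold come from this page.

```javascript
// Added example. Assumed sync_log row shape: { started_at: ISO-8601, status: "ok" | "error" }.
const MAX_GAP_MS = 60 * 60 * 1000; // "gaps > 1 hour" from the page

const iso = (ms) => new Date(ms).toISOString();
const minutes = (ms) => Math.round(ms / 60000);

function findSyncProblems(rows, now, maxGapMs = MAX_GAP_MS) {
  const problems = [];
  const runs = [];
  for (const r of rows) {
    const at = Date.parse(r.started_at);
    // Unparseable timestamps are reported, not silently dropped.
    if (Number.isNaN(at)) problems.push({ kind: "bad_timestamp", value: r.started_at });
    else runs.push({ at, status: r.status });
  }
  runs.sort((a, b) => a.at - b.at);

  // Gaps are measured between successful runs: a failed run does not refresh data.
  let lastOk = null;
  for (const run of runs) {
    if (run.status !== "ok") {
      problems.push({ kind: "failure", at: iso(run.at) });
      continue;
    }
    if (lastOk !== null && run.at - lastOk > maxGapMs) {
      problems.push({ kind: "gap", from: iso(lastOk), to: iso(run.at), minutes: minutes(run.at - lastOk) });
    }
    lastOk = run.at;
  }
  // The trailing gap matters most: no success since lastOk means the data is stale now.
  if (lastOk === null) problems.push({ kind: "no_successful_sync" });
  else if (now - lastOk > maxGapMs) {
    problems.push({ kind: "stale", since: iso(lastOk), minutes: minutes(now - lastOk) });
  }
  return problems;
}

// Constructed sample rows (not real data).
const SAMPLE_ROWS = [
  { started_at: "2026-05-19T08:00:00Z", status: "ok" },
  { started_at: "2026-05-19T08:30:00Z", status: "ok" },
  { started_at: "2026-05-19T09:00:00Z", status: "error" },
  { started_at: "2026-05-19T10:15:00Z", status: "ok" },
  { started_at: "2026-05-19T10:45:00Z", status: "ok" },
];
const SAMPLE_NOW = Date.parse("2026-05-19T12:00:00Z");
console.log(findSyncProblems(SAMPLE_ROWS, SAMPLE_NOW));
```

An empty return value means no alert; any entry is a reason to send one.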
Documentation Gaps (5 items need manual NS access)
- Custom list dropdown values — 129 lists identified, values not queryable via SuiteQL. Need NS screenshots.
- Role permission matrices — permission_count=0 in all exports. Need NS role record inspection.
- Custom transaction form layouts — which fields on which form. Need NS form editor access.
- Dashboard/portlet config per role — need NS dashboard screenshots per role.
- Field show/hide dependencies — need NS form editor or script analysis.
Saved Search Cleanup
- ~300 TAF/SII/Intrastat searches — from unused international bundles. Candidates for deactivation.
- ~20 Zapier/Airtable searches — integration dead, searches orphaned.
- Duplicate searches — multiple versions of same SO/WO searches from iterative development.
Bundle Cleanup
- 6 unused bundles — SII (Spain), Intrastat (EU), Norway SAF-T, UAE Emirate, France Tax, UK/AU Payments. All international tax for a US-only company.
- Celigo/Zapier remnants — tokens revoked but bot accounts, workflows, searches still exist.
Long-Term Platform
- Workers AI integration — NL → D1 queries (Phase 4 in blueprint)
- GFS Hub Suitelet — SuiteFrame, Center Tab (Sprint 3-4 in blueprint)
- 6 Suitelet views — CME, AR, Chat, Rebate, Products, C360
- 5 MCP Custom Tools — AR, prices, sales, rebate, query
- SuiteFlow workflows — PO approval, SO notifications, welcome emails
- 8 saved search email alerts — overdue AR, PO pending, contracts, inventory
- USDA price feed — Worker cron fetching barrel/block from LMPRS API
- Anomaly detection — nightly z-score analysis on vendor bills, customer volume drops
SUMMARY
| Tier | Items | Estimated Effort |
|---|---|---|
| CRITICAL | 6 | 2-3 hours |
| HIGH | 15 | 8-10 hours |
| MEDIUM | 18 | 15-20 hours |
| IMPROVEMENT | 20+ | Ongoing |
| TOTAL | 59+ | |
Top 5 — Do First
- git init on gfs-platform (5 min — protects everything)
- CF Access on Pages (10 min — protects all sensitive data)
- Close accounting periods through Dec 2025 (30 min in NS)
- Full Disk Access for Terminal (2 min in System Settings)
- Fix 3 template bugs (15 min each in NS)
Dashboard cleanup — merged from AUDIT_FIXES.md (2026-05-19)
Original audit of dashboard/index.html (now in archive/2026-05/dashboard-original.html). The file has been replaced by /admin-dashboard.html; these items apply to the new dashboard.
Critical
- Missing </html> closing tag — apply to the new /admin-dashboard.html
- No empty state for data tables — when an API returns 0 rows, show explicit "No data" row, not a blank tbody
High
- Title and meta description: confirm new dashboard has descriptive title + meta
- Print stylesheet: new dashboard needs print rules (was 5/10 in original audit)
- Accessibility: ARIA labels, skip-to-content link, focus management (was 6/10)
- Keyboard navigation: shortcuts for tab switching / refresh (was 8/10 nav)
- Edge-case procedures (returns, deposits) — extend runbook coverage
Medium / addressed by consolidation
- Dashboard sprawl (3 separate dashboards) — addressed by consolidating into a single /admin-dashboard.html
- Design system fragmentation — addressed by single assets/styles.css + shared brand block
- Duplicate KPI code across dashboards — addressed by single source of truth
Validated (carried forward)
- Auth flow: sessionStorage for key (clears on tab close), 401 redirects to modal, key never logged — keep this pattern in the new dashboard
- Data accuracy: 185K+ rows / 21 endpoints / 18 tables verified against source — re-verify against current Worker
- 6 workflows, 47 checklist items, 28 procedures — preserve in /admin-dashboard.html runbook section
- Security findings: 10 NS + 4 CF findings (matches GAPS_TO_CLOSE.md) — covered above