GFS Platform

Gaps to close

Open items, all tiers. Source: GAPS_TO_CLOSE.md.

This HTML is generated from the markdown — edit the .md and re-run python3 assets/build_pages.py to refresh.

GFS Platform — All Gaps to Close

Generated: May 19, 2026

Source: Full session audit — 15+ agents, 3 C-suite reviews, 6 cross-reference audits


TIER 1 — CRITICAL (do immediately)

Security & Access

  • CF Access (Zero Trust) on gfs-system-guide.pages.dev — revenue, customer names, employee org chart, financial data all publicly accessible. One command to add email OTP.
  • 48 public Suitelets — internal ops portal, all 8 broker portals, daily sales dashboard, all 7 product programs accessible without NS login (isonline=T, allroles=T). Audit each, restrict internal ones immediately.
  • Echo Lake vendor portal — public, exposes vendor data. Disable or add auth.

Data Protection

  • git init on gfs-platform — no version control exists. One accidental delete loses everything: 1,897-line guide, 17 reference docs, Worker code, schema, 45 SQL loaders.
  • D1 backup script — no export scheduled. SQL loaders can rebuild from initial load but any data added since (entity backfill, GL accounts, 2 vb_lines) would be lost.

Accounting

  • Close accounting periods — ALL 153 periods open since Jan 2018. Anyone can post to any prior period. Close through Dec 2025 minimum. Takes 30 min in NS.

TIER 2 — HIGH (do this week)

Infrastructure

  • Full Disk Access for Terminal.app — macOS Sequoia com.apple.provenance blocks sync.sh via launchd. System Settings → Privacy & Security → Full Disk Access → add Terminal.app.
  • Test custom domain from phone — api.ai-globalfoodsolutions.co fails locally (firewall/VPN) but TCP connects. SSL may already work from other networks.
  • Move sync off localhost — Chartstone on a single Mac is the #1 SPOF. Build Worker cron to call SuiteAPI #2948 directly. Eliminates laptop dependency.
  • Wrangler update — 4.90.1 installed, 4.93.0 available. Run npm update wrangler.

Data Quality (F-grade items)

  • Vendor payment terms — 93% missing (451 of 484). AP aging completely unreliable. Owner: Amanda S. Bulk CSV import or Map/Reduce.
  • Vendor emails — 70% missing (341). Can't send PO confirmations. Owner: James M.
  • Item GTIN/UPC — 78% missing (765 items). Can't print barcodes. Owner: Elena M.
  • Item case weight — 71% missing (694). BOL weight calculations fail. Owner: Sal B.
  • Item storage temp — 75% missing. Cold chain documentation gap. Owner: Elena M.

Security Findings (NS side — 10 open)

  • NS1 — 48 public Suitelets (see Tier 1)
  • NS3 — SuiteAPI #2948 runs as Administrator. Create restricted role. 1 hr.
  • NS4 — Toolkit #2949 full CRUD as Admin. Restrict permissions. 30 min.
  • NS5 — Mike Bot uses personal Gmail + full Admin role. Switch to corporate email + limited role. 30 min.
  • NS6 — Accounting periods (see Tier 1)
  • NS7 — Echo Lake fraud reversals + public portal. Disable portal, close fraud periods. 1 hr.
  • NS8 — 5 scripts in TESTING mode in production. Release or remove. 30 min.
  • NS9 — 24 unused international scripts (SII, Intrastat) adding overhead to every transaction. Deactivate. 1 hr.
  • NS10 — Single admin concentration (23 roles on Michael Levine). Need second admin. 1 hr.

TIER 3 — MEDIUM (do this month)

Operational Fixes

  • Zapier WO automation dead — 0 WOs created in 2026. 179 items negative inventory. $4.3M in worksheets as workaround. Either repair Zapier or build WO creation into CF platform.
  • Dual dunning system — both day-based (3/7/14/30/60) and level-based (L1/L2/L3) templates active simultaneously. Risk of double-dunning. Deactivate one system.
  • 9 Power Up meal kits negative inventory — assembly builds not recorded. Richard G. to investigate.
  • 11 customers expired pricing — some 4+ years expired (Pittsburgh Public Schools since 1/25/2022). Review and update or inactivate.

Template Bugs (3 in production)

  • Vendor Bill (id 117) — prints "TESTBill" on every vendor bill. Fix: find TEST${record@title} → change to ${record@title}.
  • GL Export (id 118) — prints "TESTING". Fix: find ${record@title}TESTING → remove TESTING.
  • GL Impact (id 119) — contains BOL code instead of GL content. Compare with standard (id 45), fix or inactivate.

Data Quality (remaining items)

  • Item kosher status — 98% missing. Certification missing from labels. Owner: Elena M. Q4 2026.
  • Item shelf life — 70% missing. WO product dating incorrect. Owner: Elena M. Q4 2026.
  • Item country of origin — 70% missing. BOL compliance risk. Owner: Elena M. Q4 2026.
  • Customer emails — 12% missing (33). Can't receive confirmations/dunning. Owner: Danielle S.
  • Customer payment terms — 10% missing (28). AR aging incorrect. Owner: Amanda S.
  • Employee data — 45% populated. ~50+ missing email, ~60+ missing title. Grade: D.

Security Findings (CF side — 4 open)

  • C4 — Sensitive data (PII, financials, vendor tax IDs) unfiltered on API responses. Filter after auth is in place.
  • H1 — No rate limiting on API. Add after auth.
  • H4 — No logging/monitoring. Add request logging to Worker.
  • H5 — Chartstone token residual in CLAUDE.md. Move to env var only.
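
For H4, one shape request logging could take in the Worker, keeping credentials out of the log. This is an added example, not the platform's own code; the header allowlist, the secret query-parameter names, the use of the authorization header and the `sink` callback are assumptions.

```javascript
// Added example, not the GFS Worker's code. Header and query-parameter
// names are assumptions.
const LOGGED_HEADERS = ["user-agent", "cf-connecting-ip", "cf-ray"]; // allowlist only
const SECRET_PARAMS = new Set(["key", "token", "api_key"]); // assumed names

// Build one structured log record. Credentials are never copied into it.
function buildLogEntry(req, status, startedMs, finishedMs) {
  const url = new URL(req.url);
  for (const name of [...new Set(url.searchParams.keys())]) {
    if (SECRET_PARAMS.has(name.toLowerCase())) url.searchParams.set(name, "REDACTED");
  }
  const headers = {};
  for (const name of LOGGED_HEADERS) {
    const value = req.headers.get(name);
    if (value != null) headers[name] = value;
  }
  return {
    ts: new Date(startedMs).toISOString(),
    method: req.method,
    path: url.pathname,
    query: url.searchParams.toString(),
    status,
    ms: finishedMs - startedMs,
    hadCredential: req.headers.get("authorization") != null, // presence only
    authFailed: status === 401 || status === 403,
    headers,
  };
}

// Wrap a fetch-style handler so every request, including one that throws, is logged once.
function withRequestLog(handler, sink = (e) => console.log(JSON.stringify(e)), now = Date.now) {
  return async (req, ...rest) => {
    const started = now();
    try {
      const res = await handler(req, ...rest);
      sink(buildLogEntry(req, res.status, started, now()));
      return res;
    } catch (err) {
      sink(buildLogEntry(req, 500, started, now()));
      throw err;
    }
  };
}
```

The `authFailed` flag gives a field to count per client address once auth is in place, which is also the input a rate limiter (H1) would need.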

Architecture (6 open)

  • M1 — No tests. Zero test files, no framework.
  • M2 — No CI/CD pipeline. Manual wrangler deploy only.
  • M3 — Sync handler stub. handleSync() only writes sync_log. handleDailyReport() only console.logs.
  • M4 — No TypeScript type safety. data: any, no interfaces.
  • M5 — D1 schema missing constraints. No UNIQUE on tranid, no CHECK, no FK enforcement.
  • L2 — No API versioning (/v1/ prefix).

TIER 4 — IMPROVEMENT (ongoing)

Guide Enhancements

  • Section reorder refinement — health/risk moved up but some sections still scattered. Full reorder in next session.
  • Executive summary page — board-ready, built but could be enhanced with live data.
  • Mobile hamburger nav — built but needs testing on actual phone.
  • Search match highlighting — built but may need performance optimization on large page.

System Monitoring

  • Uptime monitoring — Worker cron that checks /api/health and emails on failure.
  • Sync monitoring — alert if sync_log shows failures or gaps > 1 hour.
  • D1 capacity tracking — 28.3 MB of 10 GB (0.3% used). Log growth monthly.
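
The sync monitoring rule above (failures, or gaps > 1 hour), written as a check a Worker cron could run over sync_log rows. This is an added example, not the platform's code; the row shape `{ts, status}` and the status values `ok` / `error` are assumptions about the table.

```javascript
// Added example, not the platform's code. The row shape {ts, status} and the
// status values "ok"/"error" are assumptions about the sync_log table.
const MAX_GAP_MS = 60 * 60 * 1000; // the page's threshold: gaps > 1 hour

// rows: sync_log entries in any order; nowMs: time of the check.
// Returns a list of alert objects; an empty list means healthy.
function checkSyncLog(rows, nowMs, maxGapMs = MAX_GAP_MS) {
  const alerts = [];
  const sorted = rows
    .map((r) => ({ ...r, t: Date.parse(r.ts) }))
    .filter((r) => !Number.isNaN(r.t))
    .sort((a, b) => a.t - b.t);
  for (const r of sorted) {
    if (r.status !== "ok") alerts.push({ kind: "failure", at: r.ts, status: r.status });
  }
  // Gaps are measured between successful runs only: a failed run does not
  // count as the sync having happened.
  const ok = sorted.filter((r) => r.status === "ok");
  if (ok.length === 0) {
    alerts.push({ kind: "no_success", at: null });
    return alerts;
  }
  for (let i = 1; i < ok.length; i++) {
    const gap = ok[i].t - ok[i - 1].t;
    if (gap > maxGapMs) {
      alerts.push({ kind: "gap", from: ok[i - 1].ts, to: ok[i].ts, minutes: Math.round(gap / 60000) });
    }
  }
  // A sync that stops silently (the single-Mac case) logs no failure; it only shows up as staleness.
  const last = ok[ok.length - 1];
  const stale = nowMs - last.t;
  if (stale > maxGapMs) alerts.push({ kind: "stale", from: last.ts, minutes: Math.round(stale / 60000) });
  return alerts;
}

// Constructed sample rows (not real data).
const SAMPLE_ROWS = [
  { ts: "2026-05-19T08:00:00Z", status: "ok" },
  { ts: "2026-05-19T08:30:00Z", status: "ok" },
  { ts: "2026-05-19T09:00:00Z", status: "error" },
  { ts: "2026-05-19T10:15:00Z", status: "ok" },
];
```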

Documentation Gaps (5 items need manual NS access)

  • Custom list dropdown values — 129 lists identified, values not queryable via SuiteQL. Need NS screenshots.
  • Role permission matrices — permission_count=0 in all exports. Need NS role record inspection.
  • Custom transaction form layouts — which fields on which form. Need NS form editor access.
  • Dashboard/portlet config per role — need NS dashboard screenshots per role.
  • Field show/hide dependencies — need NS form editor or script analysis.

Saved Search Cleanup

  • ~300 TAF/SII/Intrastat searches — from unused international bundles. Candidates for deactivation.
  • ~20 Zapier/Airtable searches — integration dead, searches orphaned.
  • Duplicate searches — multiple versions of same SO/WO searches from iterative development.

Bundle Cleanup

  • 6 unused bundles — SII (Spain), Intrastat (EU), Norway SAF-T, UAE Emirate, France Tax, UK/AU Payments. All international tax for a US-only company.
  • Celigo/Zapier remnants — tokens revoked but bot accounts, workflows, searches still exist.

Long-Term Platform

  • Workers AI integration — NL → D1 queries (Phase 4 in blueprint)
  • GFS Hub Suitelet — SuiteFrame, Center Tab (Sprint 3-4 in blueprint)
  • 6 Suitelet views — CME, AR, Chat, Rebate, Products, C360
  • 5 MCP Custom Tools — AR, prices, sales, rebate, query
  • SuiteFlow workflows — PO approval, SO notifications, welcome emails
  • 8 saved search email alerts — overdue AR, PO pending, contracts, inventory
  • USDA price feed — Worker cron fetching barrel/block from LMPRS API
  • Anomaly detection — nightly z-score analysis on vendor bills, customer volume drops

SUMMARY

Tier          Items   Estimated Effort
CRITICAL      6       2-3 hours
HIGH          15      8-10 hours
MEDIUM        18      15-20 hours
IMPROVEMENT   20+     Ongoing
TOTAL         59+

Top 5 — Do First

  1. git init on gfs-platform (5 min — protects everything)
  2. CF Access on Pages (10 min — protects all sensitive data)
  3. Close accounting periods through Dec 2025 (30 min in NS)
  4. Full Disk Access for Terminal (2 min in System Settings)
  5. Fix 3 template bugs (15 min each in NS)

Dashboard cleanup — merged from AUDIT_FIXES.md (2026-05-19)

Original audit of dashboard/index.html (now in archive/2026-05/dashboard-original.html). The file has been replaced by /admin-dashboard.html; these items apply to the new dashboard.

Critical

  • Missing </html> closing tag — apply to the new /admin-dashboard.html
  • No empty state for data tables — when an API returns 0 rows, show explicit "No data" row, not a blank tbody

High

  • Title and meta description: confirm new dashboard has descriptive title + meta
  • Print stylesheet: new dashboard needs print rules (was 5/10 in original audit)
  • Accessibility: ARIA labels, skip-to-content link, focus management (was 6/10)
  • Keyboard navigation: shortcuts for tab switching / refresh (was 8/10 nav)
  • Edge-case procedures (returns, deposits) — extend runbook coverage

Medium / addressed by consolidation

  • Dashboard sprawl (3 separate dashboards) — addressed by consolidating into a single /admin-dashboard.html
  • Design system fragmentation — addressed by single assets/styles.css + shared brand block
  • Duplicate KPI code across dashboards — addressed by single source of truth

Validated (carried forward)

  • Auth flow: sessionStorage for key (clears on tab close), 401 redirects to modal, key never logged — keep this pattern in the new dashboard
  • Data accuracy: 185K+ rows / 21 endpoints / 18 tables verified against source — re-verify against current Worker
  • 6 workflows, 47 checklist items, 28 procedures — preserve in /admin-dashboard.html runbook section
  • Security findings: 10 NS + 4 CF findings (matches GAPS_TO_CLOSE.md) — covered above