# GFS Platform — All Gaps to Close

**Generated:** May 19, 2026

**Source:** Full session audit — 15+ agents, 3 C-suite reviews, 6 cross-reference audits

---

## TIER 1 — CRITICAL (do immediately)

### Security & Access
- [ ] **CF Access (Zero Trust)** on gfs-system-guide.pages.dev — revenue, customer names, employee org chart, financial data all publicly accessible. One command to add email OTP.
- [ ] **48 public Suitelets** — internal ops portal, all 8 broker portals, daily sales dashboard, all 7 product programs accessible without NS login (isonline=T, allroles=T). Audit each, restrict internal ones immediately.
- [ ] **Echo Lake vendor portal** — public, exposes vendor data. Disable or add auth.

### Data Protection
- [ ] **git init** on gfs-platform — no version control exists. One accidental delete loses everything: 1,897-line guide, 17 reference docs, Worker code, schema, 45 SQL loaders.
- [ ] **D1 backup script** — no export scheduled. SQL loaders can rebuild from initial load but any data added since (entity backfill, GL accounts, 2 vb_lines) would be lost.

### Accounting
- [ ] **Close accounting periods** — ALL 153 periods open since Jan 2018. Anyone can post to any prior period. Close through Dec 2025 minimum. Takes 30 min in NS.

---

## TIER 2 — HIGH (do this week)

### Infrastructure
- [ ] **Full Disk Access for Terminal.app** — on macOS Sequoia the com.apple.provenance attribute blocks sync.sh when it is launched via launchd. System Settings → Privacy & Security → Full Disk Access → add Terminal.app.
- [ ] **Test custom domain from phone** — TLS to api.ai-globalfoodsolutions.co fails from the local network (firewall/VPN) even though the TCP connection succeeds. SSL may already work from other networks.
- [ ] **Move sync off localhost** — Chartstone on a single Mac is the #1 SPOF. Build Worker cron to call SuiteAPI #2948 directly. Eliminates laptop dependency.
- [ ] **Wrangler update** — 4.90.1 installed, 4.93.0 available. `npm update wrangler`

### Data Quality (F-grade items)
- [ ] **Vendor payment terms** — 93% missing (451 of 484). AP aging completely unreliable. Owner: Amanda S. Bulk CSV import or Map/Reduce.
- [ ] **Vendor emails** — 70% missing (341). Can't send PO confirmations. Owner: James M.
- [ ] **Item GTIN/UPC** — 78% missing (765 items). Can't print barcodes. Owner: Elena M.
- [ ] **Item case weight** — 71% missing (694). BOL weight calculations fail. Owner: Sal B.
- [ ] **Item storage temp** — 75% missing. Cold chain documentation gap. Owner: Elena M.

### Security Findings (NS side — 10 open)
- [ ] **NS1** — 48 public Suitelets (see Tier 1)
- [ ] **NS3** — SuiteAPI #2948 runs as Administrator. Create restricted role. 1 hr.
- [ ] **NS4** — Toolkit #2949 full CRUD as Admin. Restrict permissions. 30 min.
- [ ] **NS5** — Mike Bot uses personal Gmail + full Admin role. Switch to corporate email + limited role. 30 min.
- [ ] **NS6** — Accounting periods (see Tier 1)
- [ ] **NS7** — Echo Lake fraud reversals + public portal. Disable portal, close fraud periods. 1 hr.
- [ ] **NS8** — 5 scripts in TESTING mode in production. Release or remove. 30 min.
- [ ] **NS9** — 24 unused international scripts (SII, Intrastat) adding overhead to every transaction. Deactivate. 1 hr.
- [ ] **NS10** — Single admin concentration (23 roles on Michael Levine). Need second admin. 1 hr.

---

## TIER 3 — MEDIUM (do this month)

### Operational Fixes
- [ ] **Zapier WO automation dead** — 0 WOs created in 2026. 179 items negative inventory. $4.3M in worksheets as workaround. Either repair Zapier or build WO creation into CF platform.
- [ ] **Dual dunning system** — both day-based (3/7/14/30/60) and level-based (L1/L2/L3) templates active simultaneously. Risk of double-dunning. Deactivate one system.
- [ ] **9 Power Up meal kits negative inventory** — assembly builds not recorded. Richard G. to investigate.
- [ ] **11 customers expired pricing** — some 4+ years expired (Pittsburgh Public Schools since 1/25/2022). Review and update or inactivate.

### Template Bugs (3 in production)
- [ ] **Vendor Bill (id 117)** — prints "TESTBill" on every vendor bill. Fix: find `TEST${record@title}` → change to `${record@title}`.
- [ ] **GL Export (id 118)** — prints "TESTING". Fix: find `${record@title}TESTING` → remove TESTING.
- [ ] **GL Impact (id 119)** — contains BOL code instead of GL content. Compare with standard (id 45), fix or inactivate.

### Data Quality (remaining items)
- [ ] **Item kosher status** — 98% missing. Certification missing from labels. Owner: Elena M. Q4 2026.
- [ ] **Item shelf life** — 70% missing. WO product dating incorrect. Owner: Elena M. Q4 2026.
- [ ] **Item country of origin** — 70% missing. BOL compliance risk. Owner: Elena M. Q4 2026.
- [ ] **Customer emails** — 12% missing (33). Can't receive confirmations/dunning. Owner: Danielle S.
- [ ] **Customer payment terms** — 10% missing (28). AR aging incorrect. Owner: Amanda S.
- [ ] **Employee data** — 45% populated. ~50+ missing email, ~60+ missing title. Grade: D.

### Security Findings (CF side — 4 open)
- [ ] **C4** — Sensitive data (PII, financials, vendor tax IDs) unfiltered on API responses. Filter after auth is in place.
- [ ] **H1** — No rate limiting on API. Add after auth.
- [ ] **H4** — No logging/monitoring. Add request logging to Worker.
- [ ] **H5** — Chartstone token residual in CLAUDE.md. Move to env var only.
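The H1 and H4 items in one place, as an added example rather than the GFS Worker's own code: a fixed-window rate limit on a KV-style counter store, and a request log entry that records metadata only (the API key value is never copied). `CounterStore`, the header shape and all limits are assumptions for illustration.

```typescript
// Added example for H1 (rate limiting) and H4 (request logging), not the GFS Worker's
// code. CounterStore mirrors the KV get/put calls a Worker would use; limits are illustrative.
export interface CounterStore {
  get(key: string): Promise<string | null>;
  put(key: string, value: string, opts?: { expirationTtl: number }): Promise<void>;
}

// In-memory store for local runs and tests; in the Worker, pass the KV namespace binding.
export class MemoryStore implements CounterStore {
  private data: Record<string, string> = {};
  async get(key: string) { return key in this.data ? this.data[key] : null; }
  async put(key: string, value: string) { this.data[key] = value; }
}

export interface RateLimitResult { allowed: boolean; remaining: number; resetAt: number }

// Fixed-window counter keyed by client and window start. Cheap and enough to stop a
// scraper; it does admit up to 2x `limit` straddling a window boundary, so size the limit
// accordingly. `nowMs` is injectable so the window logic can be tested deterministically.
export async function checkRateLimit(
  store: CounterStore, clientId: string, limit: number, windowSec: number, nowMs = Date.now(),
): Promise<RateLimitResult> {
  const windowStart = Math.floor(nowMs / 1000 / windowSec) * windowSec;
  const key = `rl:${clientId}:${windowStart}`;
  const count = Number((await store.get(key)) ?? "0") + 1;
  await store.put(key, String(count), { expirationTtl: windowSec * 2 });
  return { allowed: count <= limit, remaining: Math.max(0, limit - count), resetAt: (windowStart + windowSec) * 1000 };
}

export interface HeaderLike { get(name: string): string | null; has(name: string): boolean }

// Log entry from request metadata only. The Authorization value is never copied (only
// whether one was sent), and query string and body are dropped so PII cannot reach logs.
export function logEntry(req: { method: string; url: string; headers: HeaderLike }, status: number, durationMs: number) {
  const path = req.url.replace(/^[a-z][a-z0-9+.-]*:\/\/[^\/]*/i, "").split(/[?#]/)[0] || "/";
  return {
    ts: new Date().toISOString(),
    method: req.method,
    path,
    status,
    durationMs: Math.round(durationMs),
    ip: req.headers.get("cf-connecting-ip") ?? "unknown",
    ray: req.headers.get("cf-ray") ?? "",
    authPresent: req.headers.has("authorization"),
  };
}
```

Both pieces run after the auth check, which matches the ordering the C4/H1 items call for.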

### Architecture (6 open)
- [ ] **M1** — No tests. Zero test files, no framework.
- [ ] **M2** — No CI/CD pipeline. Manual `wrangler deploy` only.
- [ ] **M3** — Sync handler stub. `handleSync()` only writes sync_log. `handleDailyReport()` only console.logs.
- [ ] **M4** — No TypeScript type safety. `data: any`, no interfaces.
- [ ] **M5** — D1 schema missing constraints. No UNIQUE on tranid, no CHECK, no FK enforcement.
- [ ] **L2** — No API versioning (no /v1/ prefix on routes).

---

## TIER 4 — IMPROVEMENT (ongoing)

### Guide Enhancements
- [ ] **Section reorder refinement** — health/risk moved up but some sections still scattered. Full reorder in next session.
- [ ] **Executive summary page** — board-ready, built but could be enhanced with live data.
- [ ] **Mobile hamburger nav** — built but needs testing on actual phone.
- [ ] **Search match highlighting** — built but may need performance optimization on large page.

### System Monitoring
- [ ] **Uptime monitoring** — Worker cron that checks /api/health and emails on failure.
- [ ] **Sync monitoring** — alert if sync_log shows failures or gaps > 1 hour.
- [ ] **D1 capacity tracking** — 28.3 MB of 10 GB (0.3% used). Log growth monthly.
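The sync-monitoring check above, as an added example (not the GFS Worker's code): given recent sync_log rows, it returns every failed run, every gap over an hour between runs, and a gap between the newest run and now. The sync_log column names are assumed.

```typescript
// Added example for the sync-monitoring item; not the GFS Worker's code. The sync_log
// columns (started_at ISO-8601, status, message) are assumptions about the D1 schema.
export interface SyncLogRow { started_at: string; status: "ok" | "error"; message?: string }
export interface SyncAlert { kind: "failure" | "gap" | "no_data"; at: string; detail: string }

export const HOUR_MS = 60 * 60 * 1000;

const minutes = (ms: number) => Math.round(ms / 60000);

// Given the recent sync_log rows (e.g. SELECT started_at, status, message FROM sync_log
// WHERE started_at > <24h ago>), return what a scheduled Worker should alert on: any
// failed run, any gap between consecutive runs over `maxGapMs`, and a gap between the
// newest run and `nowMs`, so a sync that silently stopped is caught as well.
export function findSyncAlerts(rows: SyncLogRow[], nowMs: number, maxGapMs = HOUR_MS): SyncAlert[] {
  if (rows.length === 0) {
    return [{ kind: "no_data", at: new Date(nowMs).toISOString(), detail: "sync_log has no rows in window" }];
  }
  // Rows may come back in any order; sort before measuring gaps.
  const sorted = rows.slice().sort((a, b) => Date.parse(a.started_at) - Date.parse(b.started_at));
  const alerts: SyncAlert[] = [];
  let prev = Date.parse(sorted[0].started_at);
  for (const row of sorted) {
    const t = Date.parse(row.started_at);
    if (row.status === "error") {
      alerts.push({ kind: "failure", at: row.started_at, detail: row.message ?? "sync reported error" });
    }
    if (t - prev > maxGapMs) {
      alerts.push({ kind: "gap", at: row.started_at, detail: `${minutes(t - prev)} min since previous run` });
    }
    prev = t;
  }
  if (nowMs - prev > maxGapMs) {
    alerts.push({ kind: "gap", at: new Date(nowMs).toISOString(), detail: `${minutes(nowMs - prev)} min since last run` });
  }
  return alerts;
}

// Constructed sample: hourly runs, one failure, a skipped run, then silence.
export const SAMPLE_LOG: SyncLogRow[] = [
  { started_at: "2026-05-19T11:00:00Z", status: "ok" },
  { started_at: "2026-05-19T08:00:00Z", status: "ok" },
  { started_at: "2026-05-19T09:00:00Z", status: "error", message: "SuiteAPI returned 500" },
];
```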

### Documentation Gaps (5 items need manual NS access)
- [ ] **Custom list dropdown values** — 129 lists identified, values not queryable via SuiteQL. Need NS screenshots.
- [ ] **Role permission matrices** — permission_count=0 in all exports. Need NS role record inspection.
- [ ] **Custom transaction form layouts** — which fields on which form. Need NS form editor access.
- [ ] **Dashboard/portlet config per role** — need NS dashboard screenshots per role.
- [ ] **Field show/hide dependencies** — need NS form editor or script analysis.

### Saved Search Cleanup
- [ ] **~300 TAF/SII/Intrastat searches** — from unused international bundles. Candidates for deactivation.
- [ ] **~20 Zapier/Airtable searches** — integration dead, searches orphaned.
- [ ] **Duplicate searches** — multiple versions of same SO/WO searches from iterative development.

### Bundle Cleanup
- [ ] **6 unused bundles** — SII (Spain), Intrastat (EU), Norway SAF-T, UAE Emirate, France Tax, UK/AU Payments. All international tax for a US-only company.
- [ ] **Celigo/Zapier remnants** — tokens revoked but bot accounts, workflows, searches still exist.

### Long-Term Platform
- [ ] **Workers AI integration** — NL → D1 queries (Phase 4 in blueprint)
- [ ] **GFS Hub Suitelet** — SuiteFrame, Center Tab (Sprint 3-4 in blueprint)
- [ ] **6 Suitelet views** — CME, AR, Chat, Rebate, Products, C360
- [ ] **5 MCP Custom Tools** — AR, prices, sales, rebate, query
- [ ] **SuiteFlow workflows** — PO approval, SO notifications, welcome emails
- [ ] **8 saved search email alerts** — overdue AR, PO pending, contracts, inventory
- [ ] **USDA price feed** — Worker cron fetching barrel/block from LMPRS API
- [ ] **Anomaly detection** — nightly z-score analysis on vendor bills, customer volume drops
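The nightly z-score analysis on vendor bills, as an added example (not the GFS platform's code). It scores each bill against the vendor's other bills rather than the whole set, because a bill included in its own baseline can never exceed z = sqrt(n-1). Field names and the vendor data are constructed.

```typescript
// Added example for the anomaly-detection item; not the GFS Worker's code. Bill fields
// (tranid, vendor, amount) are assumed column names, and the vendor data is constructed.
export interface VendorBill { tranid: string; vendor: string; amount: number }
export interface BillAnomaly { tranid: string; vendor: string; amount: number; z: number }

// Population mean and standard deviation of a numeric series.
function meanStd(xs: number[]): { mean: number; std: number } {
  const mean = xs.reduce((s, x) => s + x, 0) / xs.length;
  const variance = xs.reduce((s, x) => s + (x - mean) * (x - mean), 0) / xs.length;
  return { mean, std: Math.sqrt(variance) };
}

// Score each bill against that vendor's OTHER bills (leave-one-out). Including the bill
// in its own baseline caps |z| at sqrt(n-1), so a single 10x bill among eight would
// never reach z=3; excluding it avoids that. Vendors with fewer than `minHistory` other
// bills are skipped as unscoreable. A constant history (std 0) makes any different
// amount anomalous, reported as z = Infinity.
export function findBillAnomalies(bills: VendorBill[], threshold = 3, minHistory = 5): BillAnomaly[] {
  const byVendor: Record<string, VendorBill[]> = {};
  for (const b of bills) (byVendor[b.vendor] = byVendor[b.vendor] || []).push(b);
  const out: BillAnomaly[] = [];
  for (const vendor of Object.keys(byVendor)) {
    const vb = byVendor[vendor];
    if (vb.length - 1 < minHistory) continue;
    vb.forEach((b, i) => {
      const { mean, std } = meanStd(vb.filter((_, j) => j !== i).map(x => x.amount));
      const z = std === 0 ? (b.amount === mean ? 0 : Infinity) : (b.amount - mean) / std;
      if (Math.abs(z) > threshold) out.push({ tranid: b.tranid, vendor, amount: b.amount, z: Math.round(z * 100) / 100 });
    });
  }
  return out;
}

// Constructed sample: one vendor with steady ~$1,000 bills and a single $9,800 bill,
// one vendor with too little history to score.
export const SAMPLE_BILLS: VendorBill[] = [
  { tranid: "VB-1001", vendor: "VEND-A", amount: 1000 },
  { tranid: "VB-1002", vendor: "VEND-A", amount: 1040 },
  { tranid: "VB-1003", vendor: "VEND-A", amount: 980 },
  { tranid: "VB-1004", vendor: "VEND-A", amount: 1010 },
  { tranid: "VB-1005", vendor: "VEND-A", amount: 990 },
  { tranid: "VB-1006", vendor: "VEND-A", amount: 9800 },
  { tranid: "VB-2001", vendor: "VEND-B", amount: 50000 },
  { tranid: "VB-2002", vendor: "VEND-B", amount: 500 },
];
```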

---

## SUMMARY

| Tier | Items | Estimated Effort |
|---|---|---|
| CRITICAL | 6 | 2-3 hours |
| HIGH | 15 | 8-10 hours |
| MEDIUM | 18 | 15-20 hours |
| IMPROVEMENT | 20+ | Ongoing |
| **TOTAL** | **59+** | |

### Top 5 — Do First
1. `git init` on gfs-platform (5 min — protects everything)
2. CF Access on Pages (10 min — protects all sensitive data)
3. Close accounting periods through Dec 2025 (30 min in NS)
4. Full Disk Access for Terminal (2 min in System Settings)
5. Fix 3 template bugs (15 min each in NS)

---

## Dashboard cleanup — merged from AUDIT_FIXES.md (2026-05-19)

Original audit of `dashboard/index.html` (now in `archive/2026-05/dashboard-original.html`). The file has been replaced by `/admin-dashboard.html`; these items apply to the new dashboard.

### Critical
- Missing `</html>` closing tag — apply to the new `/admin-dashboard.html`
- No empty state for data tables — when an API returns 0 rows, show explicit "No data" row, not a blank tbody

### High
- Title and meta description: confirm new dashboard has descriptive title + meta
- Print stylesheet: new dashboard needs print rules (was 5/10 in original audit)
- Accessibility: ARIA labels, skip-to-content link, focus management (was 6/10)
- Keyboard navigation: shortcuts for tab switching / refresh (was 8/10 nav)
- Edge-case procedures (returns, deposits) — extend runbook coverage

### Medium / addressed by consolidation
- Dashboard sprawl (3 separate dashboards) — addressed by consolidating into a single `/admin-dashboard.html`
- Design system fragmentation — addressed by single `assets/styles.css` + shared brand block
- Duplicate KPI code across dashboards — addressed by single source of truth

### Validated (carried forward)
- Auth flow: sessionStorage for key (clears on tab close), 401 redirects to modal, key never logged — keep this pattern in the new dashboard
- Data accuracy: 185K+ rows / 21 endpoints / 18 tables verified against source — re-verify against current Worker
- 6 workflows, 47 checklist items, 28 procedures — preserve in `/admin-dashboard.html` runbook section
- Security findings: 10 NS + 4 CF findings (matches GAPS_TO_CLOSE.md) — covered above
