Each task below is fully specified in the working plan: the failing test to write first, the code that makes it pass, the exact commands, and the commit. The full 11,000-line document is available at the bottom. Before it was accepted, an adversarial review pass checked every task against every other — it found 15 defects (interface drift, a broken deploy step, missing test coverage) which were fixed and re-verified.
A running skeleton with database, logging, and secrets before any product code.
Next.js 14 + TypeScript strict + Tailwind + vitest, hand-configured. Deliberate break from the checkout site: secrets are never baked into build artifacts.
Postgres via Prisma: 9 synced mirror tables (orders, line items, cases, invoices, payments…) + portal-native tables (users, sessions, service requests, sync state, audit log). Local dev database in Docker.
Structured logging, database client, and getSecret() — environment first, AWS Secrets Manager fallback, so credentials rotate without redeploys.
The security core: what may cross from Salesforce to AWS is defined in code and enforced by tests.
Per-object allowlists of the exact Salesforce fields the portal may read, a denylist of every vendor/margin/card field, and a leak test asserting they never intersect — including object-level exclusions. All queries built through an escaping template; no string concatenation.
OAuth client-credentials auth (separate connected app from checkout), REST query/create with paging, and a full mock mode so the entire suite runs without touching Salesforce.
Raw internal picklists ("Vendor Queue", "Ready for Procurement") map to customer-safe statuses in one tested module. Internals can never render.
Salesforce data lands in the portal database within 2 minutes of changing.
One tested mapper per object turning Salesforce records into portal rows — including the subtlety that "Additional Tonnage" line items are charges, not phantom dumpsters.
Polls each object for changes since its high-water mark, upserts in batches, survives one object failing without blocking the rest, and locks against overlapping runs. Runs as a Lambda every 2 minutes.
Resumable batched seed of the existing 250k orders / 1M line items, built on the same engine.
The part the old portal failed hardest at, rebuilt without passwords.
Email in, single-use link out — only for addresses that exist as contacts on customer accounts. Rate-limited, tokens hashed at rest, 15-minute expiry, no account enumeration.
30-day rolling sessions, account picker when one email serves several companies, security headers, audit log of every login.
Every query scoped to the signed-in account — enforced in one place, tested with cross-account negatives.
Sites grouped by store name/number (how national accounts actually think), unit lifecycles, open balances, activity feed.
Navigation, account switcher, data-freshness banner, dashboard, sites list, order detail with delivery timeline.
Payment history, open invoices from the NetSuite-synced records, cards on file (display only).
The account's real cases, with the ~130k/yr of internal automation noise filtered out.
The one write path: request → saved on our side → pushed to Salesforce as a case with retry and backoff → confirmation email → status visible in the portal. A request can never be silently lost.
Prove it end-to-end, then the exact AWS runbook.
Seeded browser tests: sign in, read the dashboard, open an order, submit a request, and — critically — verify another company's order URL returns 404.
Amplify build config, Lambda bundling, and a step-by-step AWS + Salesforce-admin runbook: RDS, Secrets Manager, EventBridge schedules, SES, DNS, alarms, backfill procedure.
The complete task-by-task document with all test code, implementation code, and commands (11,063 lines, markdown):