diff --git a/Charter.md b/Charter.md new file mode 100644 index 0000000..cdb8b5f --- /dev/null +++ b/Charter.md 
@@ -0,0 +1,227 @@ +# CannaManage — Project Charter + +**Author:** Patrick Plate +**Date:** 2026-04-06 +**Version:** 1.0 +**Status:** Draft for Review + +--- + +## 1. Executive Summary + +### Vision Statement + +> *CannaManage is the compliance backbone for German cannabis social clubs — purpose-built to turn a legally mandated administrative burden into a manageable, auditable, and digitised workflow.* + +### The Problem + +Germany's **Konsumcannabisgesetz (CanG)**, in force since April 1, 2024, legalised cannabis for personal use and established a framework for **Anbauvereinigungen** (cannabis social clubs / CSCs). Every operating CSC faces mandatory, recurring compliance obligations: + +- Track every distribution (recipient, strain, weight, date/time) — by law +- Enforce quantity limits per member (50g/month for adults, 30g/month for under-21, 25g/day) +- Maintain batch-level contamination traceability +- Produce periodic authority reports +- Designate and track a Prevention Officer (Präventionsbeauftragter) +- Manage member data under DSGVO + +Clubs currently manage this with Excel spreadsheets, pen-and-paper logs, and WhatsApp groups — creating legal risk, audit gaps, and administrative chaos. + +### Why Now + +The market is less than two years old. **No purpose-built software tooling exists** for German CSCs. The window to establish market leadership is 2026–2027 before larger players notice the niche. First-mover advantage combined with the permanent regulatory moat from CanG compliance requirements makes this the right moment. + +### What We Are Building + +A **multi-tenant B2B SaaS platform** offering: +- Club admin portal (member management, distribution logging, stock management, compliance reporting) +- Member portal (personal quota, distribution history, stock visibility) +- Built-in CanG compliance enforcement and export tooling + +**We are selling compliance management software to licensed, regulated entities. 
We are not in the cannabis business.** + +--- + +## 2. Project Scope + +### 2.1 In Scope — MVP v1 + +| Area | Features Included | +|------|-------------------| +| **Onboarding** | Club registration, setup wizard, admin account creation | +| **Member Management** | Add/remove members, age verification (18+, 18–21 restricted), contact data | +| **Distribution Tracking** | Log each handout (member, strain, weight, date/time); enforce daily/monthly limits | +| **Limit Enforcement** | 25g/day cap, 50g/month (adult), 30g/month (under-21), 10% THC flag | +| **Stock Management** | Strains, batch tracking, quantity levels | +| **Admin Dashboard** | Club-level totals: members, distributions this month, stock levels | +| **Compliance Exports** | Monthly distribution report (PDF + CSV), member list export for inspections | +| **Contamination Recall** | Flag a batch; system lists all members who received from it | +| **Prevention Officer** | Store officer contact info and designation date | +| **Member Portal** | Login with club-issued credentials; view quota, distribution history, stock availability | +| **Authentication** | Spring Security + JWT; role-based (ADMIN, MEMBER) | +| **Hosting** | Hetzner VPS (German DC), Docker Compose, PostgreSQL + Flyway | + +### 2.2 Explicitly Out of Scope — MVP v1 + +| Feature | Reason Excluded | +|---------|-----------------| +| Public club discovery / "find clubs near you" | **Illegal under CanG §§6–7 advertising ban** | +| Cannabis e-commerce or payment for cannabis | Illegal; violates positioning | +| Non-EU data storage (AWS us-east, etc.) 
| DSGVO violation | +| Stripe subscription billing | Deferred to Phase 1 (Weeks 9–16) | +| Email/SMS notifications | v2 feature | +| Mobile native app (Android/iOS) | v2/v3 feature | +| Multi-location club support | v3 feature | +| Legal template marketplace | v3 feature | +| Next.js/React frontend | v2 migration after revenue justifies investment | +| Authority portal integrations | v3 feature (portals don't exist yet) | + +--- + +## 3. Stakeholders + +| Role | Description | Needs | +|------|-------------|-------| +| **Club Admin** *(primary user)* | Vereinsvorstand or designated manager; runs day-to-day club operations | Compliant distribution logging, member management, authority-ready exports | +| **Club Member** *(secondary user)* | Verified adult member of the Anbauvereinigung | Self-service quota visibility, distribution history, stock availability | +| **Prevention Officer** *(Präventionsbeauftragter, tertiary user)* | Legally required role; may or may not be the admin | Contact info tracked in system; receives relevant reports | +| **Patrick Plate** *(developer & product owner)* | Solo developer; nights/weekends; ADP Germany full-time | Minimal learning overhead; fast path to first revenue; legally sound product | + +--- + +## 4. 
Success Criteria + +MVP is considered complete when all of the following are true: + +| # | Criterion | Measure | +|---|-----------|---------| +| 1 | **Core compliance loop working** | Admin can log a distribution → system enforces limits → admin exports PDF report for authorities | +| 2 | **Multi-tenant isolation** | Two clubs' data are completely isolated — no cross-tenant data leakage | +| 3 | **Member portal live** | Member can log in with club-issued credentials and view their quota + history | +| 4 | **Contamination recall functional** | Admin flags a batch; system returns full recipient list in < 2 seconds | +| 5 | **Deployment stable** | Platform runs on Hetzner VPS via Docker Compose with uptime ≥ 99% over 30-day beta | +| 6 | **Beta validation** | 3–5 real club admins have used the system and provided written feedback | +| 7 | **Legal review passed** | No features violate CanG advertising ban; DSGVO AVV in place before any live data | +| 8 | **Zero PII on non-EU infrastructure** | All data confirmed to reside in Hetzner DE datacenter | + +--- + +## 5. 
Constraints & Assumptions + +### Constraints + +| Type | Constraint | +|------|-----------| +| **Legal** | CanG §§6–7 imposes a **total advertising and sponsoring ban** on cannabis AND Anbauvereinigungen — no public club discovery feature, ever | +| **Legal** | DSGVO requires EU hosting, data processing agreements (AVV), member data export/deletion capability | +| **Technical (MVP)** | Frontend is PrimeFaces + JSF — Patrick's existing expertise; no new framework learning in Phase 0 | +| **Technical** | Multi-tenancy via `tenant_id` on all JPA entities — no row-level security shortcuts | +| **Team** | Solo developer — Patrick; nights and weekends only; full-time at ADP Germany | +| **Timeline** | Phase 0 target: 8 weeks; Phase 1 target: 16 weeks total from project start | +| **Budget** | Infrastructure: Hetzner €5–20/month; no team salary cost | + +### Assumptions + +- German CSCs are willing to pay €29–€79/month for compliance software +- Stripe will process subscriptions for compliance software (not cannabis sales) without restriction +- Spring Boot 3.x is sufficiently adjacent to Patrick's Jakarta EE expertise to use without major ramp-up +- PrimeFaces MVP is sufficient for beta validation — UI polish deferred to v2 +- CanG remains in force and CSC licensing continues in all major Bundesländer + +--- + +## 6. 
Risk Register + +| Risk | Probability | Impact | Mitigation | +|------|-------------|--------|-----------| +| **Advertising ban reinterpreted to include B2B SaaS** | Low | High | Obtain legal opinion from cannabis law specialist before launch (€300–500); strict no-discovery design enforced at architecture level | +| **New German government rolls back or tightens CanG** | Medium | High | Modular architecture — compliance-only features can be extracted and pivoted to a general club management tool | +| **Stripe blocks cannabis-adjacent businesses** | Medium | High | Position as "Vereinsverwaltungs-Software" (club management software); never process cannabis payments; test with Stripe before public launch | +| **Clubs fail / licenses revoked** | Medium | Medium | Diversified customer base; per-month billing (easy cancellation); no annual lock-in required for MVP | +| **DSGVO violation** | Low | Very High | EU-only hosting (Hetzner DE), DPA/AVV agreements before any live data, DSGVO-compliant privacy policy in German, member data export/deletion API from day one | + +--- + +## 7. Budget & Resources + +| Item | Cost | Notes | +|------|------|-------| +| **Development** | €0 (Patrick's time) | Nights/weekends; valued at opportunity cost only | +| **Infrastructure — Hetzner VPS** | €5–20/month | German DC; scales with load | +| **Infrastructure — PostgreSQL** | €0 (self-hosted on VPS) | Managed DB upgrade available when needed | +| **Legal opinion** | €300–500 (one-time) | Cannabis law specialist; pre-launch requirement | +| **Domain (cannamanage.de)** | ~€15/year | To be registered | +| **Stripe fees** | 1.4% + €0.25 per transaction | EU cards; only on paid subscriptions | +| **Email (Resend / Jakarta Mail)** | €0–10/month | Resend free tier for low volume | +| **Sentry monitoring** | €0 (free tier) | Error tracking; Java SDK | +| **Total pre-launch** | **~€600–700** | Including legal opinion | + +--- + +## 8. 
Timeline Overview + +```mermaid +gantt + title CannaManage Development Roadmap + dateFormat YYYY-MM-DD + axisFormat %b %Y + + section Phase 0 — Foundation + Spring Boot setup + JPA entities :p0a, 2026-04-07, 2w + Core REST API (member, distribution) :p0b, after p0a, 2w + Admin portal PrimeFaces :p0c, after p0b, 2w + Limit enforcement + PDF report :p0d, after p0c, 2w + + section Phase 1 — MVP + Member portal :p1a, after p0d, 2w + Stock management + contamination recall :p1b, after p1a, 2w + Stripe billing integration :p1c, after p1b, 2w + DSGVO + beta launch (5 clubs) :p1d, after p1c, 2w + + section Phase 2 — Launch + Payment flows + email notifications :p2a, after p1d, 4w + Marketing site + legal review :p2b, after p2a, 4w + Soft launch to club community :milestone, after p2b, 0d + + section Phase 3 — Growth + PrimeFaces → Next.js migration :p3a, 2026-12-01, 8w + PWA mobile :p3b, after p3a, 4w + Template marketplace + referral :p3c, after p3b, 8w +``` + +--- + +## 9. Legal Framework + +### Key CanG Provisions + +| Provision | Content | Product Implication | +|-----------|---------|---------------------| +| **§2 CanG** | Definitions — Anbauvereinigung, Mitglied | Data model must align with statutory definitions of club and member | +| **§§15–26 CanG** | Anbauvereinigungen — formation, rights, obligations | Club registration flow must capture legally required club attributes | +| **§22 CanG** | Distribution limits: 25g/day, 50g/month per adult member | Hard enforcement in distribution service; cannot be overridden by admin | +| **§23 CanG** | Under-21 restrictions: 30g/month max, max 10% THC | Age flag on member entity; separate limit enforcement path for restricted category | +| **§§6–7 CanG** | **Total advertising and sponsoring ban** for cannabis and Anbauvereinigungen | **No public club discovery. No stock visible to non-members. No club listings.** Architecture constraint. 
| +| **§26 CanG** | Documentation and reporting obligations | Compliance export module is a legal requirement, not an optional feature | +| **§27 CanG** | Prevention officer requirements | Prevention officer fields mandatory in club setup; not optional | + +### DSGVO Obligations + +- All personal data stored on EU infrastructure (Hetzner DE) +- Data processing agreement (AVV) required with each club before live data entry +- Member data export endpoint required (Art. 20 DSGVO — data portability) +- Member data deletion endpoint required (Art. 17 DSGVO — right to erasure) +- Privacy policy in German, DSGVO-compliant, published before launch + +--- + +## 10. Sign-Off + +| Role | Name | Date | +|------|------|------| +| **Project Sponsor** | Patrick Plate | 2026-04-06 | +| **Lead Developer** | Patrick Plate | 2026-04-06 | +| **Product Owner** | Patrick Plate | 2026-04-06 | + +--- + +*Next review date: 2026-05-01 | Source: [STRATEGY.md](../STRATEGY.md)*
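Review bot: the multi-tenancy constraint in section 5 ("Multi-tenancy via `tenant_id` on all JPA entities" and "no row-level security shortcuts") is under-specified relative to Success Criterion 2 ("Two clubs' data are completely isolated"): it says neither where the `tenant_id` is sourced from nor how it is applied to every query, which is exactly where cross-tenant leakage tends to occur. Suggest stating that the tenant is derived server-side from the authenticated principal (the JWT claim set up under Authentication), never from a request parameter or path variable, and that it is enforced centrally (a Hibernate filter or a mandatory `tenant_id` predicate in every repository method) rather than per endpoint; PostgreSQL row-level security is defence in depth on top of that, so listing it as an excluded "shortcut" reads as a contradiction and should be reworded. Criterion 2 should also name a concrete measure, for example an automated integration test that seeds two clubs and asserts that each admin and member sees only their own members, distributions and batches, since the contamination recall and export features query across those tables. Minor consistency point: the In-Scope table lists a "10% THC flag" for under-21 members while section 9 describes §23 as a hard limit; clarify whether such a distribution is blocked or only flagged.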