Skip to content

Internal Tools — Scoping & Delivery Checklist

SCOPE_ITEM: Comprehensive checklist for scoping and delivering internal tool projects. Used during intake (Aimee), architecture (Anna), and project management (Faye/Sytske).

Phase 1: Discovery & Scoping

Business Context

CHECK: What business process is being digitised? CHECK: Who are the primary users (roles, departments, count)? CHECK: What tools are currently used (spreadsheets, email, legacy app)? CHECK: What is the primary pain point (speed, errors, visibility, compliance)? CHECK: What does success look like? (measurable KPIs)

Authentication & Users

CHECK: Which identity provider does the client use? - [ ] Microsoft Entra ID (Azure AD) - [ ] Google Workspace - [ ] Okta / OneLogin / Other - [ ] None (email + password needed) CHECK: Estimated number of users (initial and 12-month projection). CHECK: Are there external users who need access? CHECK: Is MFA required? Managed by IdP or application? CHECK: Are service accounts needed for API integrations?

Workflow Requirements

CHECK: How many distinct workflow types are needed? CHECK: List each workflow with states and transitions. CHECK: Are multi-level approvals required? How many levels? CHECK: Is parallel approval needed (multiple approvers simultaneously)? CHECK: Are SLA targets defined? What are the business hours? CHECK: Are escalation rules needed? Escalation path? CHECK: Is conditional routing needed (different paths based on data)?

Data & Forms

CHECK: What data entities are managed in the tool? CHECK: List fields per entity with types and validation rules. CHECK: Are there relationships between entities? CHECK: Is bulk data import needed (CSV, Excel)? CHECK: Is there existing data to migrate?

Reporting

CHECK: What KPIs and metrics need to be tracked? CHECK: How many dashboard views are needed? CHECK: What export formats are required (CSV, PDF, Excel)? CHECK: Are scheduled email reports needed? CHECK: What is the acceptable data staleness? CHECK: Is real-time data required for any view?

Integrations

CHECK: Which external systems must be integrated? - [ ] ERP (Exact Online / SAP / Dynamics 365 / Other) - [ ] CRM (Salesforce / HubSpot / Pipedrive / Other) - [ ] Email (Outlook / Gmail) - [ ] Calendar (Outlook / Google Calendar) - [ ] File storage (SharePoint / Google Drive / Other) - [ ] Other: ___ CHECK: Is the integration read-only or bi-directional? CHECK: Does the client have API access to the external system? CHECK: Are there network restrictions (VPN, firewall, on-premises)?

Compliance

CHECK: GDPR applicability confirmed (EU data subjects). CHECK: Data residency requirements (EU-only hosting). CHECK: Audit trail requirements (which actions must be logged). CHECK: Data retention policy (how long to keep records). CHECK: Data export capability (right to portability). CHECK: Industry-specific regulations (healthcare, finance, legal)?

Phase 2: Architecture & Design

Technical Architecture

  • [ ] Stack confirmed: Next.js + Hono + PostgreSQL + Drizzle.
  • [ ] Authentication approach selected (SSO/OIDC/email+password).
  • [ ] Database schema designed (ERD reviewed).
  • [ ] API route structure defined.
  • [ ] File storage approach confirmed (S3-compatible, EU region).
  • [ ] Background job strategy defined (BullMQ for async work).
  • [ ] Search strategy confirmed (PostgreSQL FTS or Meilisearch).
  • [ ] Caching strategy defined (Redis, TTL policy).

Integration Architecture

  • [ ] Integration endpoints identified and documented.
  • [ ] Authentication method per integration confirmed.
  • [ ] Sync pattern per integration defined (one-way/bi-directional/event).
  • [ ] Sync frequency per integration defined.
  • [ ] Error handling and retry strategy documented.
  • [ ] Rate limits per external API documented.

Security Architecture

  • [ ] Authentication flow documented (sequence diagram).
  • [ ] RBAC model defined (roles, permissions, inheritance).
  • [ ] API authentication for service accounts defined.
  • [ ] Input validation strategy (Zod schemas for all endpoints).
  • [ ] File upload security (type validation, virus scanning, size limits).
  • [ ] CORS configuration defined.
  • [ ] CSP headers defined.

Phase 3: Development

Sprint 0 — Foundation

  • [ ] Repository initialised with GE stack template.
  • [ ] Database provisioned (EU-hosted PostgreSQL).
  • [ ] Drizzle schema + initial migration created.
  • [ ] Authentication flow implemented and tested.
  • [ ] RBAC middleware implemented.
  • [ ] CI/CD pipeline configured.
  • [ ] Staging environment provisioned.

Core Features

  • [ ] Data models and CRUD API routes implemented.
  • [ ] Forms with validation implemented.
  • [ ] Workflow engine (if applicable) implemented.
  • [ ] Approval chains (if applicable) implemented.
  • [ ] Notification system implemented (in-app + email).
  • [ ] Search functionality implemented.
  • [ ] Audit trail implemented.

Reporting & Dashboard

  • [ ] Dashboard layout implemented.
  • [ ] KPI cards with real data.
  • [ ] Chart widgets with real data.
  • [ ] Data export (CSV minimum).
  • [ ] Scheduled reports (if applicable).

Integrations

  • [ ] Integration service layer implemented.
  • [ ] Each integration tested against sandbox/test environment.
  • [ ] Sync jobs scheduled and tested.
  • [ ] Error handling and retry logic tested.
  • [ ] Integration health monitoring in admin panel.

Phase 4: Quality Assurance

Functional Testing

  • [ ] All workflow state transitions tested (happy + error paths).
  • [ ] Approval chains tested with multiple approvers.
  • [ ] SLA tracking tested (clock start, pause, breach).
  • [ ] Notification delivery tested (in-app + email).
  • [ ] Data export tested (CSV, PDF if applicable).
  • [ ] Search tested with realistic data volume.
  • [ ] RBAC tested: each role can only access permitted resources.

Security Testing

  • [ ] Authentication bypass attempted (direct URL access without SSO).
  • [ ] RBAC enforcement verified (role A cannot access role B resources).
  • [ ] Input validation tested (XSS, SQL injection, oversized payloads).
  • [ ] File upload tested (malicious file types, oversized files).
  • [ ] API rate limiting tested.
  • [ ] Session management tested (expiry, revocation).

Performance Testing

  • [ ] Dashboard loads in <2 seconds with production data volume.
  • [ ] Search returns results in <500ms.
  • [ ] CSV export completes in <30 seconds for 100k rows.
  • [ ] Concurrent user simulation (expected load + 2x headroom).

Integration Testing

  • [ ] Each integration tested against production credentials (client provides).
  • [ ] Sync handles rate limits gracefully (backoff, retry).
  • [ ] Sync handles network failures gracefully (retry, alert).
  • [ ] Data mapping validated with client stakeholder.

Phase 5: Deployment & Handover

Pre-Launch

  • [ ] Production environment provisioned (EU-hosted).
  • [ ] SSL certificate configured.
  • [ ] DNS configured (client domain or subdomain).
  • [ ] Backup strategy configured and tested (daily automated).
  • [ ] Monitoring configured (uptime, error rate, response time).
  • [ ] SSO configured with client's production IdP.
  • [ ] User provisioning tested (SCIM or JIT).
  • [ ] Data migration completed (if applicable).
  • [ ] Client UAT completed and sign-off received.

Go-Live

  • [ ] Production deployment executed.
  • [ ] Smoke test on production (login, create record, view dashboard).
  • [ ] Integration sync verified on production.
  • [ ] Scheduled reports verified on production.
  • [ ] Client notified, launch communication sent.

Post-Launch

  • [ ] Hypercare period active (2 weeks, priority support).
  • [ ] Error monitoring reviewed daily during hypercare.
  • [ ] Performance monitoring reviewed (response times, error rates).
  • [ ] Client feedback collected after week 1 and week 2.
  • [ ] Handover documentation delivered to client.
  • [ ] Support and maintenance agreement activated.