B2B-Commerce — Enterprise Operating Platform

B2B-COMMERCEENTERPRISE OPERATING PLATFORMNZD · LOCAL-FIRST · MEDUSA v2SHIPPED-VS-ROADMAP · NO VAPOR
B2B-Commerce Platform
Generic enterprise operating platform for trade, service fulfilment, partner collaboration, document vault, and the full lifecycle of commercial workflows — from quote to order to settlement. OceanSoft (NZ) · NZD pricing · local-first Docker Compose.
Modules shipped
6
company · quote · approval · document · invite · auth-keycloak
HTTP test suites
6
one per module; all passing
Quote workflows
9
draft → submitted → approved → accepted
Approval workflows
5
single-level · multi-level is v0.2
MISSION
OceanSoft (NZ) builds B2B-Commerce as a generic enterprise operating platform that digitises commercial relationships end-to-end: trade catalogues, service-fulfilment workflows, partner collaboration, digital documentation, audit trails, and the full lifecycle of commercial workflows — from quote to order to settlement. ANZ mid-market enterprises, NZD pricing, local-first Docker Compose, AWS on-demand.
Domain framing: Metering/field-service is ONE illustrative vertical. It is NOT the product identity. The platform is domain-agnostic B2B — telemetry is a trigger-gated roadmap item (v0.8+), not a built surface.
HONESTY CONTRACT — WHAT IS NOT BUILT YET
These items are roadmap, not shipped. They will not appear in the Gantt or module table as complete.
No real AWS provisioned yet — Phase 1 runs entirely on local Docker Compose. First AWS seam is v0.4 (trigger-gated).
Approval is single-level only. Multi-level chains (sequential + parallel, threshold-based) are v0.2 roadmap.
Vendor / marketplace seam is native-feasible per Medusa recipe but NOT yet shipped in this repo.
Payments are Stripe TEST-mode mock. Stripe Connect marketplace payout is v0.7+ roadmap, gated on committed seller demand.
Heavy event-streaming, workflow-durability, and IoT-telemetry infrastructure is OUT OF SCOPE for now. Current focus is hardening the Medusa-native close-circle to enterprise-grade production-readiness.
SHIPPED MODULES — VERIFIED AS-IS
Exactly 6 modules · 6 HTTP integration-test suites. All ship/complete status traces to a real module path + passing test suite. Do NOT write "9 integration suites" — the 9 is QUOTE WORKFLOWS only.
#ModuleModule PathTest SuiteStatusDetail
M1Companyapps/backend/src/modules/company/integration-tests/http/companies/shippedCompany entity, employee links, admin routes for buyer-org management
M2Quote (9 workflows)apps/backend/src/modules/quote/integration-tests/http/quotes/shipped9 workflows: full lifecycle from draft → submitted → approved → accepted
M3Approval (5 workflows, single-level)apps/backend/src/modules/approval/integration-tests/http/approvals/shipped5 workflows: request / approve / reject / cancel / expire — single-level only
M4Document Vaultapps/backend/src/modules/document/integration-tests/http/documents/shippedMedusa File abstraction · local/S3-WORM seam · append-only enforcement
M5Inviteapps/backend/src/modules/invite/integration-tests/http/admin/ (included)shippedCompany employee onboarding via invitation; delegated admin self-serve
M6Auth-Keycloak (OIDC SSO)apps/backend/src/modules/auth-keycloak/unit test + live SSO proof (scripts/run-sso-proof.sh)shippedMulti-tenant OIDC · org-claim extraction · both actors authenticated live
IN-PROGRESS — SPRINT B2B-S2
MVP slice = E1 + E2 + E7 (indivisible). E7 adversarial tests are co-equal P0 with E1/E2 — shipping isolation without the test suite = TESTS_GREEN_UI_BROKEN.
E1Buyer-org isolation (company_id)in-progressB2B-S2
Add company_id column to Quote + Approval + enforce at store-middleware choke-point. Fail-closed 403 if company context missing. Closes P0 cross-tenant read gap.
E2Keycloak tenancy claimsin-progressB2B-S2
Patch @vymalo allowlist to carry company_id / vendor_id from token payload. Makes SSO the cryptographic source of tenant identity (not a spoofable header).
E7Isolation / adversarial test suitein-progressB2B-S2
>=20 cross-tenant negative paths covering Quote + Approval. Co-equal P0 with E1/E2. Shipping isolation without the test suite = TESTS_GREEN_UI_BROKEN.
PRODUCT LAYERS
Headless B2B platform for ANZ enterprise — Medusa-native catalog and order management, Keycloak identity, Grafana observability, and FOCUS 1.2+ cost attribution from day one.
LayerToolingOutcome
StorefrontNext.js 15 App Router · first-party (apps/storefront — MIT)Buyer-facing catalog, cart, checkout, quote, approval, company, document, and account pages.
BackendMedusa 2.15+ headless · first-party (apps/backend — MIT)6 B2B domain modules: company, quote, approval, document, invite, auth-keycloak.
IdentityKeycloak OIDC (local docker-compose · Keycloak 25)Multi-tenant SSO · org-claim extraction · Principle-I auth boundary.
ObservabilityGrafana + Prometheus (local docker-compose · ECS Fargate / Grafana Cloud on AWS)Cart conversion, order count, DB connections, latency p50/p95/p99 dashboards.
Cost AttributionFOCUS 1.2+ tags + /commerce:tag-audit (local IaC · CUR 2.0 pipeline on AWS)Per-module cost rollup for CFO chargeback; infracost exits 0 at $0 local.
AI OperationsADLC 40-agent Talent Bench (design/build/test)Agent-scaffolded modules, Playwright E2E smoke tests, and compiled LLM-docs wiki.
TRIGGER-GATED ROADMAP — RATIFIED 2026-06-11
Every phase opens on a real trigger, not a calendar date. Phase 1-2 (v0.2–v0.4) is Medusa-native with ZERO new always-on infra runtimes. Heavy event-streaming / workflow-durability / IoT-telemetry infrastructure is out of scope; native Medusa workflow engine carries all Phase 1-2 features.
v0.2Approval depth + audit trailproposed
Opens on: First design-partner using the portal
Multi-level approval chains (sequential + parallel, threshold-based)
Audit-trail surfacing in storefront (who approved/quoted/when)
Quote expiry + re-quote workflow
Medusa-native — zero new infra
v0.3Contract pricing + spending limitsbacklog
Opens on: Design partner requests negotiated / account-specific pricing
Contract / account-specific price lists per company
Spending limits per company/employee with workflow enforcement
Bulk-order / requisition lists
Medusa Pricing module + company module links
v0.4Partner API + first AWS seambacklog
Opens on: First request to integrate an external ERP/procurement system OR partner API
Auth-scoped partner / B2B API surface
Webhook event delivery (order/quote/approval lifecycle)
First AWS deployment seam (RDS/ElastiCache via terraform-aws submodule)
Medusa API + subscribers · AWS infra via terraform-aws submodule
GOLDEN PATH — FROM STACK UP TO RELEASE CUT
task up → seed → smoke test → scaffold module → tag audit → release cut. All steps autonomous except the final git tag (HITL, Principle I).
1.Start stack
task upMedusa backend, Next.js storefront, Grafana, Prometheus, and Keycloak running on localhost; health gate passes
2.Seed data
task seedCompanies, employees, quotes, approvals, and documents seeded; idempotent — safe to run twice
3.Run smoke tests
task test:e2eDual-persona smoke (buyer + admin) passes; screenshots in tmp/B2B-Commerce/screenshots/
4.Scaffold new module
/commerce:medusa-module-new <name>New module under apps/backend/src/modules/ following the company/quote pattern
5.Tag audit
/commerce:tag-audit infra/All 6 FOCUS mandatory tags present; evidence at tmp/B2B-Commerce/tag-audit-*.json
6.Release cut
/commerce:release-cut 0.x.0CHANGELOG entry prepared; HITL commits + tags (Principle I — agent does not push)
RELEVANT COMMANDS
/commerce:medusa-module-new/commerce:storefront-page-new/commerce:checkout-smoke/commerce:tag-audit/commerce:aws-bootstrap/commerce:release-cut/commerce:storefront-doctor/adlc.plantask uptask seedtask test:e2etask health
REFERENCES
GitHub — nnthanh101/b2b-commerceProject page — /project?id=b2b-commercePO coordination log 2026-06-11CA coordination log 2026-06-11ADR-018 — Native-First vs MercurJSADR-008 — Medusa Modules: Reuse vs NewADR-011 — Stripe Connect Marketplace

#	Module	Module Path	Test Suite	Status	Detail
M1	Company	`apps/backend/src/modules/company/`	`integration-tests/http/companies/`	shipped	Company entity, employee links, admin routes for buyer-org management
M2	Quote (9 workflows)	`apps/backend/src/modules/quote/`	`integration-tests/http/quotes/`	shipped	9 workflows: full lifecycle from draft → submitted → approved → accepted
M3	Approval (5 workflows, single-level)	`apps/backend/src/modules/approval/`	`integration-tests/http/approvals/`	shipped	5 workflows: request / approve / reject / cancel / expire — single-level only
M4	Document Vault	`apps/backend/src/modules/document/`	`integration-tests/http/documents/`	shipped	Medusa File abstraction · local/S3-WORM seam · append-only enforcement
M5	Invite	`apps/backend/src/modules/invite/`	`integration-tests/http/admin/ (included)`	shipped	Company employee onboarding via invitation; delegated admin self-serve
M6	Auth-Keycloak (OIDC SSO)	`apps/backend/src/modules/auth-keycloak/`	`unit test + live SSO proof (scripts/run-sso-proof.sh)`	shipped	Multi-tenant OIDC · org-claim extraction · both actors authenticated live

Layer	Tooling	Outcome
Storefront	Next.js 15 App Router · first-party (apps/storefront — MIT)	Buyer-facing catalog, cart, checkout, quote, approval, company, document, and account pages.
Backend	Medusa 2.15+ headless · first-party (apps/backend — MIT)	6 B2B domain modules: company, quote, approval, document, invite, auth-keycloak.
Identity	Keycloak OIDC (local docker-compose · Keycloak 25)	Multi-tenant SSO · org-claim extraction · Principle-I auth boundary.
Observability	Grafana + Prometheus (local docker-compose · ECS Fargate / Grafana Cloud on AWS)	Cart conversion, order count, DB connections, latency p50/p95/p99 dashboards.
Cost Attribution	FOCUS 1.2+ tags + /commerce:tag-audit (local IaC · CUR 2.0 pipeline on AWS)	Per-module cost rollup for CFO chargeback; infracost exits 0 at $0 local.
AI Operations	ADLC 40-agent Talent Bench (design/build/test)	Agent-scaffolded modules, Playwright E2E smoke tests, and compiled LLM-docs wiki.