Skip to main content

Cross-Repo Execution Rollup — Centralized Web Session

What this is. One coordination/sequencing view across the four per-repo task breakdowns for the Centralized Web Session initiative. It does not re-list implementation tasks — those live in the per-repo breakdowns (referenced by repo + task number below). It sequences the work, surfaces the shared upstream blockers, and exposes the critical path.

Parent RFC (cross-repo orchestration): ./cross-repo.md

Per-repo breakdowns (drill-down):


1. Portfolio effort summary

RepoTotalFEBEQATasksRunnerConfidenceOne-line note
CRM17.011.52.03.58jest (yarn test)lowFour [critical] OQs; user_sso_id source, toggle code, switch_user flow + current_company all unverified.
Launchpad FE15.510.02.03.57vitest (pnpm test)lowPilot repo (Rollout step 4); blocked on SDK distribution (Q1), current-company host (Q3), FE-readable server_down predicate (Q2).
Hub Chat v213.57.52.04.08vitest (pnpm test)mediumNuxt 4 legacy srcDir; well-anchored; movers are SDK package shape (Q2), cross-domain _mekari_account (Q1), current-company ownership (Q4).
Hub12.58.02.02.56jest (npm run test)mediumAuth primitives all verified in-repo; movers are SDK event-name contract (OQ-4) + blocked company-sync endpoint (OQ-1).
GRAND58.537.08.013.529All four totals reconcile exactly against the source files (no contradictions found).

2. Shared blockers (the gating contracts)

These are the upstream backend deliverables common to all four repos. None of the four FE squads owns them — they are owned by SSO/Account (BE) (with Platform/SSO on Kong and infosec on CSP), exactly as the cross-repo RFC's Cross-Service Responsibility Map states. They are the OQ-1/OQ-2/OQ-3 family in the parent RFC. This is the heart of the rollup: until these land, every repo can only build the mocked-SDK slice in §3.

SB-1 — @mekari/sdk package + CDN not published

  • What: The @mekari/sdk Session package (or the account.mekari.com/sm/sdk.js CDN script). Absent from package.json in all four repos (verified by grep in each breakdown — only @mekari/pixel present).
  • Owner: SSO/Account (BE) — package publish to the Mekari/private npm registry + CDN.
  • Unblocks:
    • CRM → Task 6 (add dep, real import); turns Tasks 2, 3, 5 from stubbed to complete.
    • Launchpad → Task 2 (loader plugin real distribution; npm-vs-CDN = Q1).
    • Hub Chat v2 → Tasks 2 & 4 (live SDK boot; package name/registry/version/module-entry = Q2).
    • Hub → Task 1 (real @mekari/sdk import un-mocked; OQ-3).
  • Until then: every repo builds against a vi.mock/jest.mock'd Session behind a thin adapter.

SB-2 — Session Manager /sm/current + Redis + Kong /sm/* not live

  • What: The Session Manager iframe page, its dedicated Redis, and the Kong account.mekari.com/sm/* routing. Absent from all FE repos (no service to integration-test against).
  • Owner: SSO/Account (BE) + Platform/SSO (Kong gateway + MAG).
  • Unblocks: the end-to-end integration / verification step in every repo — the point at which the mocked SDK is swapped for a real session and the postMessage contract, server_down backoff, and event flow can be exercised for real. No single per-repo task builds this, but it gates every repo's pilot enable (CRM ordering note 5; Launchpad ch.6; Hub Chat §4.D; Hub ordering note 5).
  • Until then: no repo can run a true end-to-end session test; all server_down/fallback logic is unit-tested against synthetic events only.

SB-3 — Canonical iframe path unresolved (/sm/current vs /sessionmanager/current)

  • What: The parent RFC names two iframe paths; the canonical one must be fixed before CSP frame-ancestors/frame-src and server_down timing can be wired (parent OQ-3).
  • Owner: PRD author / SSO/Account (BE) + infosec (for the CSP whitelist mechanism).
  • Unblocks:
    • Launchpad → Task 2 (iframe path = Q5) and its CSP posture.
    • Hub Chat v2 → Task 8 (nginx-ingress CSP frame-src; also needs infosec sign-off Q8 + A&L adding chat.qontak.com to the SDK frame-ancestors whitelist).
    • CRM / Hub → CSP whitelist add at pilot (each repo's domain must be whitelisted SDK-side before its flag flips on).
  • Until then: CSP rules can be drafted but not merged-to-prod-enabled.

Secondary cross-cutting contracts (important, not strictly all-repo-blocking): the current-company endpoint (host/owner/shape — Launchpad Q3, Hub OQ-1, Hub Chat Q4, CRM Q4) blocks each repo's logged_in/company-sync task and carries the only BE days in the portfolio (2.0 BE × 4 repos = 8.0 BE total — every BE estimate in the program is this one contract, repeated per repo and likely collapsible to fewer real endpoints); and the session.refresh() throttle interval (parent OQ-6) is TBD but is implemented as a tunable constant everywhere, so it gates acceptance assertions, not coding.


3. What can start NOW in parallel (the mocked-SDK slice)

Every repo can build its feature-flag + event-router composable/mixin against a mocked SDK, TDD red-first, today — no @mekari/sdk, no live Session Manager, no cross-repo coordination required. Each repo's spine is independent; four engineers can run in parallel immediately.

RepoParallel-startable nowDay countThe actionable slice (see per-repo breakdown)
CRMTasks 1–59.0msli helper, plugin shell + toggle gate + origin guard, 4 event handlers, logout→SSO redirect, RUM observability
Launchpad FETasks 1, 2*, 3, 4, 59.5toggle composable, SDK loader (mocked, *partial), logged_out, switch_user+toast, middleware await/timeout
HubTasks 1–59.0toggle+boot plugin+mixin scaffold, logged_out/logged_in/msli, switch_user re-auth, server_down fallback, observability
Hub Chat v2Tasks 1–6, 8*10.5AppConfig flag, useCentralizedSession (lifecycle+origin+msli), 4-event map, gated client plugin, RUM, docs (Task 8 CSP draftable, *partial)
Parallel-startable total38.0of 58.5 grand (the remaining ~20.5 days is SDK-/contract-gated integration + the per-repo company-sync)

* Partial: the shell/wiring/tests build now against the mock; only the live-distribution or infosec/whitelist swap waits on a shared blocker.

No cross-repo coordination needed for any of the above. The four repos do not depend on each other — only on the shared upstream BE deps in §2.


4. Critical path

SSO/Account publishes ──► each repo swaps mock→real, ──► each repo
SB-1 @mekari/sdk wires real integration flips flag
+ SB-2 /sm/current (mutually INDEPENDENT — for pilot
(+ SB-3 iframe path) all 4 in parallel) cohort
  • The dependency chain is upstream-only. The single hard gate is SSO/Account shipping SB-1 (SDK) and a staging SB-2 (/sm/current) (with SB-3 resolved). The four repos are mutually independent of one another — they share only the upstream BE dependency, never each other. So the moment the SDK + staging Session Manager land, all four repos can integrate in parallel (no repo waits on another's merge).
  • Critical path = the longest single-repo chain, which is CRM at 17.0 days. CRM is the largest envelope (FE 11.5) and carries the most unverified [critical] OQs (low confidence), so even though its actionable slice (9.0) starts immediately, its full end-to-end completion — including the blocked switch_user autologin (Task 7, 3.5d) and current_company sync (Task 8, 3.5d) — is the longest pole. Program critical path ≈ SSO/Account SDK+SM lead time, then CRM's 17.0-day chain in parallel with the other three (Launchpad 15.5, Hub Chat 13.5, Hub 12.5).
  • Pilot ordering is set by the parent RFC, not by repo size: Launchpad pilots first (Rollout step 4 "Taking Off"); CRM/Hub/HubChat are step 5 "Next Chapter" (gated per-repo on adding their domain to the CSP frame-ancestors whitelist).

5. Per-repo blocked-task index

Compact map of each repo's blocked / externally-gated task → the OQ/contract that unblocks it. (Full unblock conditions live in each per-repo breakdown's "Skipped stories" table.)

RepoBlocked taskUnblocked by
CRMTask 6 — add @mekari/sdk depSB-1 (CRM Q6: registry publish)
CRMTask 7 — switch_user SSO-autologin flowparent Q1 (autologin contract for token products)
CRMTask 8 — current_company synccurrent-company contract (CRM Q4 + BE RFC)
Launchpad FETask 2 — SDK loader (real distribution)SB-1 (Q1 npm-vs-CDN) + SB-3 (Q5 iframe path) — partial
Launchpad FETask 6 — logged_in + current-company synccurrent-company endpoint host/owner (Q3)
Launchpad FETask 7 — server_down + msli fallbackFE-readable fallback predicate (Q2 — _mekari_account unreadable cross-origin)
Hub Chat v2Tasks 2 & 4 — live SDK bootSB-1 (Q2: package name/registry/version/entry) — partial
Hub Chat v2Task 3 — server_down/msli grace branchQ1 (_mekari_account lives in SDK/iframe, not hub-chat) — partial
Hub Chat v2Task 7 — current-company sync (BE)Q4 (BE ownership; may drop to 0 if FE refetch suffices)
Hub Chat v2Task 8 — CSP frame-src at nginx ingressSB-3 + Q8 infosec sign-off + A&L frame-ancestors whitelist — partial
HubTask 1 — real @mekari/sdk importSB-1 (OQ-3) — partial; mock now
HubTask 6 — logged_in company syncOQ-1 (Hub BE current_company endpoint) + OQ-2 (org-payload flag)

  1. Start the mocked-SDK slice in all four repos now, in parallel — the §3 actionable work (~38 days across the portfolio: CRM 1–5, Launchpad 1–5, Hub 1–5, Hub Chat 1–6/8). Each repo's flag + event-router composable/mixin builds TDD red-first against a mocked Session; no cross-repo coordination, no waiting.
  2. Push SSO/Account to publish SB-1 (@mekari/sdk package + CDN) and stand up a staging SB-2 (/sm/current + Redis + Kong /sm/*), and to resolve SB-3 (canonical iframe path). This is the single upstream gate for the whole program — escalate it as the #1 cross-team dependency; everything downstream is blocked-but-mocked until it lands.
  3. In parallel, close the secondary contracts: the current-company endpoint host/owner/shape (Launchpad Q3 / Hub OQ-1 / Hub Chat Q4 / CRM Q4 — likely one shared SSO contract, not four), the session.refresh() throttle interval (parent OQ-6), and CRM's switch_user autologin contract (Q1, token-based products). These unblock the per-repo company-sync and switch_user tasks (the BE-day and blocked-task tail).
  4. Once SB-1 + SB-2 land, integrate all four repos in parallel — swap mock→real behind the thin adapter each repo already built (a localized, near-one-file change), then run true end-to-end session tests against staging. No repo blocks another.
  5. Pilot Launchpad first (Rollout step 4 "Taking Off") — flip its flag for the pilot cohort, watch SDK event metrics + server_down rate against threshold.
  6. Then roll CRM / Hub / Hub Chat v2 (Rollout step 5 "Next Chapter"), each gated on adding its domain to the SDK-side CSP frame-ancestors whitelist + infosec sign-off. CRM is the longest remaining chain (17.0d) so start its integration earliest among the step-5 trio.