claudetools/projects/msp-tools/guru-connect/MASTER_ACTION_PLAN.md

GuruConnect - Master Action Plan

Comprehensive Review Synthesis

Date: 2026-01-17 Project Status: Infrastructure Complete, 30-35% Feature Complete Reviews Conducted: 6 specialized analyses

---

EXECUTIVE SUMMARY

GuruConnect has excellent technical foundations but requires significant development across security, features, UI/UX, and infrastructure before production readiness. All reviews converge on a 3-6 month timeline to MVP with focused effort.

Overall Grades

Review Area	Grade	Completion	Key Finding
Security	D+	40% secure	5 CRITICAL vulnerabilities must be fixed before launch
Architecture	B-	30% complete	Solid design, needs feature implementation
Code Quality	B+	85% ready	High quality Rust code, good practices
Infrastructure	D+	15-20% ready	No systemd, no monitoring, manual deployment
Frontend/UI	C+	35-40% complete	Good visual design, massive UX gaps
Requirements Gap	C	30-35% complete	4 launch blockers, 10+ critical missing features

Critical Path Insights

LAUNCH BLOCKERS (Cannot ship without):

1. JWT secret hardcoded (SECURITY)
2. No end-user portal (FUNCTIONALITY)
3. No one-time agent download (FUNCTIONALITY)
4. Input relay incomplete (FUNCTIONALITY)
5. No systemd service (INFRASTRUCTURE)

Time to Unblock: 10-12 weeks minimum

Recommended Approach

PHASE 1: Security & Foundation (3-4 weeks) Fix all critical security issues, establish proper deployment infrastructure

PHASE 2: Core Features (6-8 weeks) Build missing launch blockers: portal, agent download, input completion, dashboard UI

PHASE 3: Competitive Features (6-8 weeks) Add clipboard, file transfer, PowerShell, chat - features needed to compete with ScreenConnect

PHASE 4: Polish & Production (4-6 weeks) Installer builder, machine grouping, monitoring, optimization

Total Time to Production: 19-26 weeks (Conservative: 26 weeks, Aggressive: 16 weeks)

---

1. CRITICAL SECURITY ISSUES (Must Fix Before Launch)

SEVERITY: CRITICAL (5 issues)

ID	Issue	Impact	Fix Effort	Priority
SEC-1	JWT secret hardcoded in source	Anyone can forge admin tokens, full system compromise	2 hours	P0 - IMMEDIATE
SEC-2	No rate limiting on auth endpoints	Brute force attacks succeed	1 day	P0 - IMMEDIATE
SEC-3	SQL injection in machine filters	Database compromise	3 days	P0 - IMMEDIATE
SEC-4	Agent connections without validation	Rogue agents can connect	2 days	P0 - IMMEDIATE
SEC-5	Session takeover possible	Attackers can hijack sessions	2 days	P0 - IMMEDIATE

Total Critical Fix Time: 1.5 weeks

SEVERITY: HIGH (8 issues)

ID	Issue	Impact	Fix Effort	Priority
SEC-6	Plaintext passwords in logs	Credential exposure	1 day	P1
SEC-7	No input sanitization (XSS)	Dashboard compromise	2 days	P1
SEC-8	Missing TLS cert validation	MITM attacks	1 day	P1
SEC-9	Weak PBKDF2 password hashing	Password cracking easier	1 day	P1
SEC-10	No HTTPS enforcement	Credential interception	4 hours	P1
SEC-11	Overly permissive CORS	Cross-site attacks	2 hours	P1
SEC-12	No CSP headers	XSS attacks easier	4 hours	P1
SEC-13	Session tokens never expire	Stolen tokens valid forever	1 day	P1

Total High-Priority Fix Time: 1.5 weeks

Security Roadmap

Week 1:

• Day 1-2: Fix JWT secret (SEC-1), add env variable, rotate keys
• Day 3: Implement rate limiting (SEC-2)
• Day 4-5: Fix SQL injection (SEC-3), use parameterized queries

Week 2:

• Day 1-2: Fix agent validation (SEC-4)
• Day 3-4: Fix session takeover (SEC-5)
• Day 5: Add HTTPS enforcement (SEC-10)

Week 3:

• Day 1: Fix password logging (SEC-6)
• Day 2-3: Add input sanitization (SEC-7)
• Day 4: Upgrade to Argon2id (SEC-9)
• Day 5: Add session expiration (SEC-13)

Security Testing: After Week 3, conduct penetration testing

---

2. LAUNCH BLOCKERS (Cannot Ship Without These)

Functional Blockers

Blocker	Current State	Required State	Effort	Dependencies
Portal Missing	0%	End-user portal with code entry, agent download	2 weeks	None
Agent Download	0%	One-time agent EXE with embedded code	3-4 weeks	Portal
Input Relay	50%	Complete mouse/keyboard viewer → agent	1 week	None
Dashboard UI	40%	Session list, join button, real-time updates	2 weeks	None

Infrastructure Blockers

Blocker	Current State	Required State	Effort	Dependencies
Systemd Service	None	Server runs as systemd service, auto-restart	1 week	None
Monitoring	None	Prometheus metrics, health checks, alerting	1 week	None
Automated Backup	None	Daily PostgreSQL backups, retention policy	3 days	None
CI/CD Pipeline	None	Automated builds, tests, deployment	1 week	None

Combined Launch Blocker Timeline

Can be parallelized:

• Security fixes (3 weeks) || Portal + Agent Download (5 weeks) || Infrastructure (2.5 weeks)
• Input relay (1 week) || Dashboard UI (2 weeks)

Critical Path: Portal → Agent Download → Testing = 6 weeks Parallel Work: Security (3 weeks) + Infrastructure (2.5 weeks)

Minimum Time to Launchable MVP: 8-10 weeks (with 2+ developers)

---

3. FEATURE PRIORITIZATION MATRIX

TIER 0: Launch Blockers (Must Have)

Feature	Status	Effort	Critical Path	Owner
End-user portal	0%	2 weeks	YES	Frontend Dev
One-time agent download	0%	3-4 weeks	YES	Agent Dev
Complete input relay	50%	1 week	YES	Agent Dev
Dashboard session list UI	40%	2 weeks	YES	Frontend Dev
JWT secret externalized	0%	2 hours	NO	Backend Dev
SQL injection fixes	0%	3 days	NO	Backend Dev
Rate limiting	0%	1 day	NO	Backend Dev
Systemd service	0%	1 week	NO	DevOps

TIER 1: Critical for Usability (Howard's Priorities)

Feature	Status	Effort	Business Value	Owner
Text clipboard sync	0%	2 weeks	HIGH - industry standard	Agent Dev
Remote PowerShell/CMD	0%	2 weeks	CRITICAL - Howard's #1 request	Agent Dev
PowerShell timeout controls	0%	3 days	HIGH - Howard specific ask	Frontend Dev
File download	0%	1-2 weeks	HIGH - essential for support	Agent Dev
System info display	20%	1 week	MEDIUM - quick win	Frontend Dev
Chat UI integration	20%	1-2 weeks	HIGH - user expectation	Frontend Dev
Process viewer	0%	1 week	MEDIUM - troubleshooting aid	Agent Dev
Multi-monitor support	0%	2 weeks	MEDIUM - common scenario	Agent Dev

TIER 2: Competitive Parity (Nice to Have)

Feature	Status	Effort	Competitor Has	Owner
Persistent agent service	70%	2 weeks	ScreenConnect, TeamViewer	Agent Dev
Installer builder (EXE)	0%	4 weeks	ScreenConnect	DevOps
Machine grouping (company/site)	0%	2 weeks	ScreenConnect	Frontend Dev
Search and filtering	0%	2 weeks	All competitors	Frontend Dev
File upload	0%	2 weeks	All competitors	Agent Dev
Rich clipboard (HTML, images)	0%	2 weeks	TeamViewer, AnyDesk	Agent Dev
Session recording	0%	4+ weeks	ScreenConnect (paid)	Agent Dev

TIER 3: Advanced Features (Defer to Post-Launch)

Feature	Status	Effort	Justification for Deferral
MSI packaging (64-bit)	0%	3-4 weeks	EXE works for initial launch
MFA/2FA support	0%	2 weeks	Single-tenant MSP initially
Mobile viewer	0%	8+ weeks	Desktop-first strategy
GuruRMM integration	0%	4+ weeks	Standalone value first
PSA integrations	0%	6+ weeks	After market validation
Safe mode reboot	0%	2 weeks	Advanced troubleshooting
Wake-on-LAN	0%	3 weeks	Requires network infrastructure

---

4. INTEGRATED DEVELOPMENT ROADMAP

PHASE 1: Security & Infrastructure (Weeks 1-4)

Goal: Fix critical vulnerabilities, establish production-ready infrastructure

Team: 1 Backend Dev + 1 DevOps Engineer

Week	Backend Tasks	DevOps Tasks	Deliverable
1	JWT secret fix, rate limiting, SQL injection fixes	Systemd service setup, auto-restart config	Secure auth system
2	Agent validation, session security, password logging fix	Prometheus metrics, Grafana dashboards	Production monitoring
3	Input sanitization, session expiration, Argon2id upgrade	PostgreSQL automated backups, retention policy	Secure data persistence
4	TLS enforcement, CORS fix, CSP headers	CI/CD pipeline (GitHub Actions or Gitea CI)	Automated deployments

Milestone: Production-ready infrastructure, all critical security issues resolved

Exit Criteria:

• No critical or high-severity security issues remain
• Server runs as systemd service with auto-restart
• Prometheus metrics exposed, Grafana dashboard configured
• Daily automated PostgreSQL backups
• CI/CD pipeline builds and tests on every commit

PHASE 2: Core Functionality (Weeks 5-12)

Goal: Build missing features needed for basic attended support sessions

Team: 1 Frontend Dev + 1 Agent Dev + 1 Backend Dev (part-time)

Week	Frontend	Agent	Backend	Deliverable
5	End-user portal HTML/CSS/JS	Complete input relay wiring	Support code API enhancements	Portal + input working
6	Portal browser detection, instructions	One-time agent download (phase 1)	Support code → agent linking	Code entry functional
7	Dashboard session list real-time updates	One-time agent download (phase 2)	Session state management	Live session tracking
8	Session detail panel with tabs	One-time agent download (phase 3)	File download API	Agent download working
9	Join session button, viewer launch	Text clipboard sync (agent side)	Clipboard relay protocol	Join sessions working
10	Clipboard sync UI indicators	Text clipboard sync (complete)	PowerShell execution backend	Clipboard working
11	Remote PowerShell UI with output	PowerShell timeout controls	Command streaming	PowerShell working
12	System info panel, process viewer	File download implementation	File transfer protocol	File download working

Milestone: Functional attended support sessions end-to-end

Exit Criteria:

• End user can enter support code and download agent
• Technician can see session in dashboard and join
• Screen viewing works reliably
• Mouse and keyboard control works
• Text clipboard syncs bidirectionally
• Remote PowerShell executes with live output
• Files can be downloaded from remote machine
• System information displays in dashboard

PHASE 3: Competitive Features (Weeks 13-20)

Goal: Feature parity with ScreenConnect for attended support

Team: Same team as Phase 2

Week	Frontend	Agent	Backend	Deliverable
13	Chat UI in session panel	Chat integration	Chat persistence	Working chat
14	Multi-monitor switcher UI	Multi-monitor enumeration	Monitor state tracking	Multi-monitor support
15	Machine grouping sidebar (company/site)	Persistent agent service completion	Machine grouping API	Persistent agents
16	Search and filter interface	Process viewer, kill process	Process list API	Advanced troubleshooting
17	File upload UI with drag-drop	File upload implementation	File upload chunking	Bidirectional file transfer
18	Rich clipboard UI indicators	Rich clipboard (HTML, RTF)	Enhanced clipboard protocol	Advanced clipboard
19	Screenshot thumbnails, session timeline	Services viewer	Service control API	Enhanced session management
20	Performance optimization, polish	Agent optimization	Server optimization	Performance tuning

Milestone: Competitive product ready for MSP beta testing

Exit Criteria:

• Chat works between tech and end user
• Multi-monitor switching works
• Persistent agents install as Windows service
• Machines can be grouped by company/site
• Search and filtering works
• File upload and download both work
• Rich clipboard formats supported
• Process and service viewers functional

PHASE 4: Production Readiness (Weeks 21-26)

Goal: Installer builder, scalability, polish for general availability

Team: 2 Frontend Devs + 1 Agent Dev + 1 DevOps

Week	Frontend	Agent	DevOps	Deliverable
21	Installer builder UI	Installer metadata embedding	Build pipeline for custom agents	Builder MVP
22	Mobile-responsive dashboard	64-bit agent compilation (Howard req)	Horizontal scaling architecture	Multi-device support
23	Advanced grouping (smart groups)	Auto-update implementation	Load balancer configuration	Smart filtering
24	Accessibility improvements (WCAG 2.1)	Update verification	Database connection pooling	Accessible UI
25	UI polish, animations, final design pass	Agent stability testing	Performance testing, benchmarking	Polished product
26	User testing feedback integration	Bug fixes	Production deployment checklist	Production-ready

Milestone: Production-ready MSP remote support solution

Exit Criteria:

• Installer builder generates custom EXE with metadata
• 64-bit agent available (Howard requirement)
• Dashboard works on tablets and phones
• Smart groups (Online, Offline 30d, Attention) work
• WCAG 2.1 AA accessibility compliance
• Auto-update mechanism works
• Server can handle 50+ concurrent sessions
• Full end-to-end testing passed

---

5. RESOURCE REQUIREMENTS

Team Composition

Minimum Team (Slower Path - 26 weeks):

• 1 Full-Stack Developer (Rust + Frontend)
• 1 DevOps Engineer (part-time, first 4 weeks full-time)

Recommended Team (Faster Path - 16-20 weeks):

• 1 Frontend Developer (HTML/CSS/JS)
• 1 Agent Developer (Rust, Windows APIs)
• 1 Backend Developer (Rust, Axum, PostgreSQL)
• 1 DevOps Engineer (Weeks 1-4 full-time, then part-time)

Optimal Team (Aggressive Path - 12-16 weeks):

• 2 Frontend Developers (one for dashboard, one for portal/viewer)
• 2 Agent Developers (one for capture/input, one for features)
• 1 Backend Developer
• 1 DevOps Engineer (Weeks 1-4 full-time)
• 1 QA Engineer (Weeks 8+)

Skill Requirements

Frontend Developer:

• HTML5, CSS3, Modern JavaScript (ES6+)
• WebSocket client programming
• Canvas API (for viewer rendering)
• Protobuf.js or similar
• Responsive design, accessibility (WCAG)

Agent Developer:

• Rust (intermediate to advanced)
• Windows API (screen capture, input injection, clipboard)
• Tokio async runtime
• Protobuf
• Windows internals (services, registry, UAC)

Backend Developer:

• Rust (advanced)
• Axum or similar async web framework
• PostgreSQL, sqlx
• JWT authentication
• WebSocket relay patterns
• Security best practices

DevOps Engineer:

• Linux system administration (Ubuntu)
• Systemd services
• Prometheus, Grafana
• PostgreSQL administration
• CI/CD pipelines (GitHub Actions or Gitea)
• NPM (Nginx Proxy Manager) or similar

---

6. RISK ASSESSMENT & MITIGATION

HIGH RISK (Likely to Cause Delays)

Risk	Probability	Impact	Mitigation Strategy
One-time agent download complexity	80%	CRITICAL	Start early (Week 6), consider simplified approach (agent runs without install initially)
Installer builder scope creep	70%	HIGH	Define strict MVP: EXE only with embedded metadata. Defer MSI to Phase 4 or post-launch.
Input relay timing/latency issues	60%	CRITICAL	Extensive testing on WAN (throttled networks), optimize early, consider adaptive quality.
Team availability/turnover	50%	HIGH	Document everything, code reviews, pair programming for knowledge transfer.
Security vulnerabilities in rush	60%	CRITICAL	Security review after each phase, automated security scanning in CI/CD.

MEDIUM RISK (Manageable)

Risk	Probability	Impact	Mitigation Strategy
Multi-monitor switching complexity	50%	MEDIUM	Protocol already supports it. Focus on UI simplicity. Test with 2-4 monitors.
Clipboard compatibility issues	50%	MEDIUM	Start text-only, add formats incrementally. Test on Windows 7-11.
PowerShell output streaming	40%	HIGH	Use existing .NET/Windows libraries, test with long-running commands, handle timeouts gracefully.
File transfer chunking/resume	40%	MEDIUM	Start with simple implementation (no resume), optimize later based on real-world usage.
Dashboard real-time update performance	30%	MEDIUM	WebSocket infrastructure exists. Test with 50+ sessions, optimize selectively.

LOW RISK (Minor Concerns)

Risk	Probability	Impact	Mitigation Strategy
Cross-browser compatibility	30%	MEDIUM	Modern browsers are similar. Test Chrome, Firefox, Edge. Defer Safari/old browsers.
MSI packaging learning curve	30%	LOW	Defer to Phase 4 or post-launch. Use WiX toolset, plenty of documentation.
Safe mode reboot compatibility	20%	LOW	Windows API well-documented. Test on Windows 10/11 and Server 2019/2022.

---

7. QUICK WINS (High Value, Low Effort)

These features can be completed quickly and provide immediate value:

Week	Quick Win	Value	Effort	Owner
2	Join session button	CRITICAL	3 days	Frontend
5	Complete input relay	CRITICAL	1 week	Agent
9	System info display	MEDIUM	1 week	Frontend
11	PowerShell timeout controls	HIGH	3 days	Frontend
12	Process list viewer	MEDIUM	1 week	Agent + Frontend
15	Session detail panel	HIGH	1 week	Frontend
19	Chat UI integration	HIGH	1-2 weeks	Frontend
22	Command audit logging	MEDIUM	3 days	Backend

Combined Quick Win Time: 6-7 weeks of work (can be distributed across phases)

---

8. FRONTEND/UI SPECIFIC IMPROVEMENTS

Tier 1: Critical UX Issues (Blocks Adoption)

Issue	Current State	Target State	Effort	Week
Machine organization missing	Flat list	Company/Site/Tag hierarchy with collapsible tree	2 weeks	15-16
No session detail panel	Click machine → nothing	Detail panel with tabs (Info, Screen, Chat, Commands, Files)	1 week	8
No search/filter	No search box	Full-text search + multi-filter (online, OS, company, tag)	2 weeks	16-17
Connect flow confusing	Modal with web/native choice	Default to web viewer, clear guidance	3 days	9
Support code entry not optimized	Single input field	6 segmented inputs with auto-advance (Apple-style)	1 week	5

Tier 2: Important UX Improvements

Issue	Current State	Target State	Effort	Week
No toast notifications	Silent updates	Toast for new sessions, errors, status changes	1 week	11
No keyboard navigation	Mouse-only	Full Tab order, focus indicators, shortcuts	1 week	24
Minimal viewer toolbar	3 buttons	10+ buttons (Quality, Monitors, Clipboard, Files, Chat, Screenshot)	1 week	18
No connection quality feedback	FPS counter only	Latency, bandwidth, quality indicator (Good/Fair/Poor)	1 week	20
Poor mobile experience	Desktop-only	Responsive dashboard, mobile-optimized viewer	2 weeks	22-23

Tier 3: Polish & Accessibility

Improvement	Effort	Week
WCAG 2.1 AA compliance (focus, ARIA, contrast)	1 week	24
Dark/light theme toggle	3 days	25
Loading skeletons for async content	2 days	25
Empty states with helpful instructions	2 days	25
Micro-animations and transitions	3 days	25

Total Frontend Improvement Time: Integrated into main roadmap (Weeks 5-25)

---

9. TESTING STRATEGY

Unit Testing (Ongoing)

Target Coverage: 70%+ for agent, server Framework: Rust cargo test CI Integration: Run on every commit

Focus Areas:

• Agent: Screen capture, input injection, clipboard
• Server: Session management, authentication, WebSocket relay
• Protocol: Message serialization/deserialization

Integration Testing (Weekly)

Target: End-to-end workflows Tools: Manual testing + automated scripts (Playwright for dashboard)

Test Scenarios:

• Week 8: Support code entry → agent download → join session
• Week 12: Screen viewing + input control + clipboard sync
• Week 16: PowerShell execution + file download
• Week 20: Multi-monitor + chat + file upload
• Week 25: Full MSP workflow (code gen → session → transfer → close)

Performance Testing (Weeks 20, 25)

Metrics:

• Screen FPS: Target 30+ FPS on LAN, 15+ FPS on WAN
• Input latency: Target <100ms on LAN, <200ms on WAN
• Concurrent sessions: Target 50+ sessions on single server
• Bandwidth: Measure at various quality levels

Tools:

• Network throttling (Chrome DevTools, tc on Linux)
• Load generation (custom script or k6)
• Prometheus metrics analysis

Security Testing (Weeks 4, 12, 20, 26)

Penetration Testing:

• Week 4: After security fixes, basic pen test
• Week 12: Full authentication and session security review
• Week 20: WebSocket relay attack scenarios
• Week 26: Pre-production comprehensive security audit

Automated Scanning:

• OWASP ZAP or similar in CI/CD
• Rust cargo audit for dependency vulnerabilities
• Static analysis (Clippy in strict mode)

User Acceptance Testing (Weeks 24-26)

Beta Testers: 3-5 MSP technicians (Howard + team)

Scenarios:

• Remote troubleshooting sessions
• Software installation
• Network configuration
• Credential retrieval
• Multi-monitor workflows

Feedback Collection: Survey + direct interviews

---

10. DECISION POINTS & GO/NO-GO CRITERIA

DECISION POINT 1: After Week 4 (Security & Infrastructure Complete)

Go Criteria:

• All critical security issues resolved (SEC-1 through SEC-5)
• All high-priority security issues resolved (SEC-6 through SEC-13)
• Systemd service operational with auto-restart
• Prometheus metrics exposed, Grafana dashboard configured
• Automated PostgreSQL backups running
• CI/CD pipeline functional

No-Go Scenarios:

• Security issues remain → Continue Phase 1, delay Phase 2
• Infrastructure unreliable → Bring in senior DevOps consultant
• Team capacity issues → Reduce scope or extend timeline

Decision: Proceed to Phase 2 or re-evaluate timeline

DECISION POINT 2: After Week 12 (Core Features Complete)

Go Criteria:

• End-user portal functional
• One-time agent download working
• Input relay complete and responsive
• Dashboard session list with join functionality
• Text clipboard syncs bidirectionally
• Remote PowerShell executes with live output
• File download works

No-Go Scenarios:

• Input latency >500ms on WAN → Optimize before proceeding
• Agent download fails >20% of the time → Fix reliability
• Core features unstable → Extend Phase 2

Decision: Proceed to Phase 3 or extend core feature development

DECISION POINT 3: After Week 20 (Competitive Features Complete)

Go Criteria:

• Chat functional
• Multi-monitor support working
• Persistent agents install as service
• Machine grouping (company/site) implemented
• Search and filtering functional
• File upload and download both work
• Rich clipboard formats supported
• 30+ FPS on LAN, 15+ FPS on WAN (performance targets met)

No-Go Scenarios:

• Performance significantly below targets → Optimization sprint
• Critical bugs in competitive features → Fix before launch
• User testing reveals major UX issues → Address before GA

Decision: Proceed to Phase 4 or conduct extended beta period

DECISION POINT 4: After Week 26 (Production Readiness)

Go Criteria:

• Installer builder generates custom agents
• 64-bit agent available
• Dashboard mobile-responsive
• WCAG 2.1 AA compliant
• Auto-update working
• 50+ concurrent sessions supported
• Security audit passed
• Beta testing feedback addressed

Launch Decision: General Availability or Extended Beta

---

11. POST-LAUNCH ROADMAP (Optional Phase 5)

Months 7-9: Advanced Features

• MSI packaging (64-bit) for GPO deployment
• MFA/2FA support
• Session recording and playback
• Advanced role-based permissions (per-client access)
• Event log viewer
• Registry browser (with safety warnings)

Months 10-12: Integrations & Scale

• GuruRMM integration (shared auth, launch from RMM)
• PSA integrations (HaloPSA, Autotask, ConnectWise)
• Multi-server clustering
• Geographic load balancing
• Mobile apps (iOS, Android)

Year 2: Enterprise Features

• SSO integration (SAML, OAuth)
• LDAP/AD synchronization
• Custom branding/white-labeling
• Advanced reporting and analytics
• Wake-on-LAN with local relay
• Disaster recovery automation

---

12. COST ESTIMATION

Labor Costs (Recommended Team - 20 weeks)

Role	Weeks	Hours/Week	Total Hours	Rate Estimate	Total Cost
Frontend Developer	20	40	800	$75/hr	$60,000
Agent Developer	20	40	800	$85/hr	$68,000
Backend Developer	20	40	800	$85/hr	$68,000
DevOps Engineer	8 (full) + 12 (part)	40 + 20	560	$80/hr	$44,800
QA Engineer	12	30	360	$60/hr	$21,600

Total Labor: $262,400

Infrastructure Costs (6 months)

Resource	Monthly Cost	Total (6 months)
Server (existing 172.16.3.30)	$0 (owned)	$0
PostgreSQL (on same server)	$0	$0
Prometheus + Grafana (on same server)	$0	$0
Backup storage (100GB)	$5	$30
SSL certificates (Let's Encrypt)	$0	$0
Domain (azcomputerguru.com)	$15	$90
CI/CD (Gitea + runners)	$0 (self-hosted)	$0

Total Infrastructure: $120 (minimal)

Tools & Licenses

Tool	Cost
Development tools (VS Code, etc.)	$0 (free)
Testing tools (Playwright, k6)	$0 (free)
Security scanning (OWASP ZAP)	$0 (free)
Protobuf compiler	$0 (free)

Total Tools: $0

TOTAL PROJECT COST (20-week timeline): ~$262,500

---

13. SUCCESS METRICS

Technical Metrics

Metric	Target	Measurement
Screen FPS (LAN)	30+ FPS	Prometheus metrics
Screen FPS (WAN)	15+ FPS	Prometheus metrics
Input latency (LAN)	<100ms	Manual testing
Input latency (WAN)	<200ms	Manual testing
Concurrent sessions	50+	Load testing
Uptime	99.5%+	Prometheus uptime
Security issues	0 critical/high	Quarterly audits

Business Metrics

Metric	Target	Measurement
MSP adoption rate	5+ MSPs in first 3 months	Tracking
Sessions per week	100+	Database query
Agent installations	200+	Database query
Support tickets	<10/week	Gitea issues
Customer satisfaction	4.5+/5	Survey

User Experience Metrics

Metric	Target	Measurement
Time to first session	<5 minutes	User testing
Session join time	<10 seconds	Prometheus metrics
Dashboard load time	<2 seconds	Browser DevTools
Agent download success	>95%	Server logs
Accessibility compliance	WCAG 2.1 AA	Automated testing

---

14. FINAL RECOMMENDATIONS

IMMEDIATE ACTIONS (This Week)

1. Prioritize security fixes - Cannot launch with hardcoded JWT secret
2. Hire/assign frontend developer - Critical path bottleneck
3. Set up systemd service - Infrastructure requirement for production
4. Create GitHub/Gitea issues - Track all findings from this review
5. Schedule weekly team syncs - Every Monday, review progress vs roadmap

STRATEGIC DECISIONS

Decision 1: Timeline

• Conservative (26 weeks): Lower risk, thorough testing, minimal team stress
• Aggressive (16 weeks): Higher risk, requires optimal team, potential burnout
• RECOMMENDED (20 weeks): Balanced approach with contingency buffer

Decision 2: Team Size

• Minimum (1-2 people): 26+ weeks, high risk of delays
• RECOMMENDED (4-5 people): 16-20 weeks, manageable risk
• Optimal (6-7 people): 12-16 weeks, lowest risk

Decision 3: Feature Scope

• MVP Only (Tier 0): Fast to market but not competitive
• RECOMMENDED (Tier 0 + Tier 1): Competitive product, reasonable timeline
• Full Feature (Tier 0-3): 26+ weeks, defer some to post-launch

KEY SUCCESS FACTORS

1. Fix security issues FIRST - Non-negotiable
2. Build end-user portal early - Unblocks all testing
3. Focus on Howard's priorities - PowerShell/CMD, clipboard, 64-bit
4. Test on real networks - WAN latency is critical
5. Get beta users early - MSP feedback invaluable
6. Maintain code quality - Rust makes this easier, don't compromise
7. Document as you go - Reduces onboarding time for new team members

---

15. APPENDICES

A. Review Sources

This master action plan synthesizes findings from:

1. Security Review - 23 vulnerabilities (5 critical, 8 high, 6 medium, 4 low)
2. Architecture Review - Design assessment, 30% MVP completeness
3. Code Quality Review - Grade B+, 85/100 production readiness
4. Infrastructure Review - 15-20% production ready, systemd/monitoring gaps
5. Frontend/UI/UX Review - Grade C+, 35-40% complete, 14-section analysis
6. Requirements Gap Analysis - 100+ feature matrix, 30-35% implementation

B. File References

• GAP_ANALYSIS.md - Detailed feature implementation matrix
• REQUIREMENTS.md - Original requirements specification
• TODO.md - Current task tracking
• CLAUDE.md - Project guidelines and architecture
• Security review (conversation archive)
• Architecture review (conversation archive)
• Code quality review (conversation archive)
• Infrastructure review (conversation archive)
• Frontend/UI review (conversation archive)

C. Contact & Escalation

Project Owner: Howard Technical Escalation: TBD (assign technical lead) Security Escalation: TBD (assign security lead)

---

Document Version: 1.0 Last Updated: 2026-01-17 Next Review: After Phase 1 completion (Week 4) Status: DRAFT - Awaiting Howard's approval

---

SUMMARY: THE PATH FORWARD

GuruConnect is a well-architected project with solid technical foundations that needs focused feature development and security hardening to reach production readiness.

Timeline: 16-26 weeks (recommended: 20 weeks) Team: 4-5 developers + 1 DevOps Cost: ~$262,500 labor + minimal infrastructure Risk Level: MEDIUM (manageable with proper planning)

Critical Path:

1. Fix 5 critical security vulnerabilities (3 weeks)
2. Build end-user portal + agent download (5 weeks)
3. Complete core features (clipboard, PowerShell, files) (7 weeks)
4. Add competitive features (chat, multi-monitor, grouping) (8 weeks)
5. Polish and production readiness (6 weeks)

Outcome: Competitive MSP remote support solution ready for general availability

Next Step: Howard reviews this plan, approves timeline/budget, assigns team