Specification
9. Build Order

9. Build Order

Estimated ~4 weeks to Phase 1 soft launch with Claude Code assistance. Full-time Mon–Wed, Fri–Sat.

Sprint 1: Foundation (3 days)

  • Medusa v2 project init + custom tables + MikroORM migrations
  • Supabase project + connection string
  • Vercel project + Next.js 14 init + env vars wired
  • GitHub repos + CI workflow (ci.yml)
  • Basic auth (login, logout, JWT cookie)
  • Staging deploy working end-to-end

Done when: staging.shop.vespertene.com loads, login works.

Sprint 2: Core Commerce (3 days)

  • Products CRUD (admin)
  • Product listing page (/products) — server rendered
  • Product detail page (/products/[slug])
  • Cloudflare R2 integration
  • File upload endpoint (POST /admin/products/:id/files)
  • Preview image upload + display

Done when: Admin can create a product, upload a ZIP, see it on the storefront.

Sprint 3: Cart & Checkout (4 days)

  • Cart drawer (Zustand + Medusa SDK)
  • AddToCartButton component with loading/added states
  • Checkout page — order summary (server) + Stripe Elements (client)
  • Stripe webhook handler + signature verification
  • Order confirmation pages (/checkout/success, /checkout/failed)
  • Order created in DB with correct status

Done when: Full purchase flow works end-to-end in test mode.

Sprint 4: Digital Delivery (3 days)

  • Download links table + generation on order completion
  • GET /store/downloads/:token — validation + presigned URL
  • POST /store/downloads/:token/redeem — count increment
  • Resend integration — order confirmation email with download link
  • DownloadButton component on account/orders page

Done when: Customer can purchase, receive email, and download their file.

Sprint 5: Invite System (2 days)

  • Invite token creation (POST /admin/invites)
  • Resend invite email with link
  • GET /store/invites/:token — validation endpoint
  • POST /store/invites/:token/accept — account creation
  • /invite/[token] page with pre-filled email
  • Auth guard: invite-only store (no public registration)

Done when: Admin can invite staff, staff can register and log in.

Sprint 6: Account & Polish (3 days)

  • /account/orders — order history + download buttons
  • /account/orders/[id] — order detail page
  • /account/settings — update profile, change password
  • Promo codes (admin create, customer apply at checkout)
  • Static pages: /about, /faq, /contact
  • SEO: generateMetadata, sitemap, robots.txt, JSON-LD
  • Security headers in next.config.ts

Done when: Full account experience working, securityheaders.com scores A.

Sprint 7: Testing & Launch (4 days)

  • Unit tests — 80% coverage target
  • Integration tests — all custom endpoints
  • E2E tests — all critical user journeys (Playwright)
  • Smoke tests — 5–10 paths, runs post prod deploy
  • Security audit — CORS, rate limits, IDOR, headers
  • Soft launch to 5 staff members

Done when: All tests pass, staff can use the store end-to-end.

Sprint 8: Phase 2 Prep (Ongoing)

  • Google OAuth (NextAuth.js)
  • Gelato POD integration + webhook handler
  • Public launch — remove invite-only restriction
  • Railway migration (if needed)
  • Supabase Pro upgrade

9.1 Build Tools

ToolPurpose
Claude CodeAI-assisted development — primary coding tool
GitHubVersion control + CI/CD via Actions
Fly.io CLIBackend deployment (fly deploy)
Vercel CLIFrontend deployment (vercel --prod)
Supabase CLIDatabase migrations (supabase db push)

Claude Code can handle full sprint implementation with the spec as context. Feed it one sprint at a time — start with the spec doc and ask it to implement Sprint 1 step by step.

8. Testing10. Legal