BlueDesk

Project Roadmap
View Technical Architecture →

BlueDesk Project Roadmap

BlueDesk gives every Blue Car Rental employee a single Microsoft login to access all internal tools, relevant to them, and gives IT a single place to control who can access what.

Overall ProgressC1

Phase 2 Complete — Phase 4 Next
Assessment
CompleteC2
Credentials
Next UpC3
Dev Tooling
Complete
Cleanup
CompleteC4
Security
CompleteC5
Quality
TBDC6
Deploy
TBDC7
Apps
TBDC58
History
Completed
August 2025
Project Conceived

The IT 2.0 initiative on Asana was created,C9 with Maggi Thor as owner,C8 to bring all internal tools under one roof.

Completed
February 8, 2026C10
Initial Prototype Built

Gisli Orn (former Software Dev Manager) created the first versionC11 of BlueDesk — a working skeleton with login, user management, and app launching capabilities.C12

Completed
Mid-February 2026C13
Developer Transition

Gisli Orn departed the company.C14 The project was pausedC15 until a new developer could take ownership.

Completed
February 13, 2026C16
New Leadership

Gudmundur joined as Software Development ManagerC17 and began assessing all internal systems, including BlueDesk.C18

Completed
February 18, 2026C19
Full Assessment Completed

A comprehensive review of BlueDesk's code revealed a solid foundation but identified 10 security issuesC20 that must be fixed before the system can go live. A clear action plan was created with five phases.C21

The system was successfully started in a development environmentC22 and all core pages were confirmed working.C23
Completed
February 19, 2026C24
Documentation Published

Complete system documentation was createdC25 — both a technical reference for developers and this visual roadmap for stakeholders. The project's architecture, workflows, and plan are now fully documented.

Completed
February 23, 2026
Hosting Decision (Initial)

Three hosting options were evaluated: on-premise (nýi server), Dacoda hosting, and third-party cloud. Dacoda was initially chosen as the hosting provider. Blue Car Rental owns 50% of Dacoda,C63 and they already manage Blue's CMS sites.C64 On-premise hosting was ruled out due to the nýi server being locked outC62 and the single-developer bus factor. This decision was superseded on February 25, 2026.C71

Completed
February 25, 2026
Hosting Provider Changed

Railway was selected as the BlueDesk hosting provider, replacing the prior Dacoda decision.C71 Ástþór from Dacoda confirmed that their shared hosting environment cannot provide developer access to individual Docker containers or databases for debugging and deployment. Railway provides full developer control, Docker auto-detect deployment,C73 one-click PostgreSQL,C74 private networking,C78 auto-SSL,C76 automated backups,C77 and costs $20/month flat on the Pro plan.C72 BlueDesk will be hosted on Railway, not on the nýi on-premise server and not by Dacoda.C59

Completed
February 27, 2026
Frontend Brand & Localization

Blue Car Rental brand guidelines applied to admin portal. Brand colors (Dark Blue #00143B sidebar, Bright Blue #1B56FD accents), BLUE Display + Host Grotesk typography, BlueLogo SVG component, full Icelandic localization (111 strings), and Playwright e2e test infrastructure added.

Completed
February 2026
Security Hardening & Test Infrastructure

Major security hardening of the authentication system and creation of a comprehensive backend test suite. Originally planned as Phase 3 and Phase 4 work, completed early due to critical security findings.

  • OAuth flow rewritten with CSRF state validation (HTTP-only cookie)
  • Session JWT moved to HTTP-only cookies (session_token, refresh_token, user_info)
  • Auth service fail-closed initialization (refuses to start without config)
  • User deletion changed to soft-delete (deactivation)
  • 26 Go integration tests covering auth, users, and app launcher
  • Test database infrastructure (docker-compose, port 5433, tmpfs)
  • Playwright E2E tests (mock and integration modes)
Next Up
Next Up
TBDC26
Phase 0: Credential Rotation

Rotating compromised security credentials that were accidentally committed to the code repository. This must be completed before any other development work begins.

  • Rotate Azure OAuth client credentials (client ID and secret)
  • Add .env.template file and update .gitignore for environment filesC48
What this means Security keys that should have been kept private were included in the code. These need to be replaced with new ones before we can safely proceed.
Planned
Complete
February 2026
Phase 1: Dev Tooling

Next.js API route handlers serving mock data at /api/v1/*, enabling frontend development and testing without the Go backend.C82 Activated by NEXT_PUBLIC_AUTH_MODE=dev (the default in local development).C87

  • Catch-all route handler covering 12 API patterns across GET, POST, PUT, DELETEC83
  • Mock data: 8 users, 4 apps, 3 roles, 21 user-app assignments — snake_case contracts matching Go backendC84C90
  • Dev mode auth bypass with localStorage mock tokenC88
  • Health check endpoint at /healthzC92
What this means The frontend can be run and tested fully — user management, app management, permissions, and the launcher — without needing the Go backend, PostgreSQL, or Microsoft credentials set up locally.
Complete (5/5)
March 2026C27
Phase 2: Cleanup

Database and code cleanup. The originally planned file deletions were unnecessary — investigation confirmed those files were never created. Actual cleanup focused on dead database tables, unused model fields, and query inconsistencies.

  • ✓ Drop 4 dead service registry tables (migration 000013)
  • ✓ Drop 3 unused app columns (migration 000014)
  • ✓ Remove unused App model fields from Go code
  • ✓ Fix query inconsistencies (GetAppByName, handler queries)
  • ✓ Create missing migration 000007 down file
What this means The database schema is now clean — dead tables from the original on-premise vision have been removed, unused columns dropped, and Go models updated to match. The originally scoped file deletions (7 backend + 4 frontend) were unnecessary because those files were never created in the prototype.
Complete (12/12)
February 2026
Phase 3: Security Hardening

All 12 security tasks from the assessment completed.C30C50

  • ✅ Rewrite OAuth flow with CSRF state validation
  • ✅ Move tokens to HTTP-only cookies
  • ✅ Fix auth middleware to fail closed
  • ✅ Remove all plaintext token logging
  • ✅ Fix user deletion (soft delete)
  • ✅ Fix refresh token cookie + rewrite flow
  • ✅ Make redirect URLs and CORS origins configurable
  • ✅ Externalize secrets to environment variables
  • ✅ Fix Dockerfile (non-root user, remove Docker-in-Docker)
  • ✅ Restrict Microsoft user directory to admin-only access
  • ✅ Sanitize error messages returned to clients
What this means All critical security work from the February 2026 audit is now complete. The system is ready for cleanup and quality work.
Planned
TBDC31
Phase 4: Quality and Polish

Adding automated testing,C32 fixing user interface issues,C33 and improving performance.C34 The admin page will be refactored into proper components for better maintainability.C35

  • ✅ Add tests for JWT generation/validation, OAuth callback, permissions, auth middleware (26 integration tests + unit tests)
  • Fix N+1 queries in user listing and audit logs
  • Move audit log filtering from application code to SQL
  • Add server-side route protection (Next.js middleware)C52
  • Decompose 750-line admin page into proper componentsC35
  • Consolidate API layer (fix dual fetch/axios pattern and double /api/v1 prefix)C53
  • Fix broken login page SVGs
  • Re-enable ESLint during builds
  • Add explicit "Save Changes" button for permission updates
What this means Making the system reliable and pleasant to use. When IT staff manage user access, the interface should be fast and intuitive.
Planned
TBDC36
Phase 5: Production Deployment

Setting up the live server with proper security certificates, monitoring, and backups.C37 BlueDesk goes live for the IT team first as a pilot.C38 Deployment target: Railway cloud platform (decision 2026-02-25).C66

  • Configure HTTPS with valid SSL certificates
  • Set up health check endpoints (backend + frontend)
  • Implement structured logging and monitoring
  • Set up automated database backups
  • Configure firewall rules
  • Validate dual-access app integration flow end-to-endC54
  • IT team pilot deployment
What this means The system is installed on a real server and the IT team starts using it for their daily work.
Planned
TBDC57
Phase 6: Application Onboarding

Connect internal applications to BlueDesk one by one. Each app requires JWT integration, permission configuration, and testing before going live. Priority order to be determined.

  • BlueQueue — queue management system (possibly dual-access: public kiosk + admin panel)
  • Dacoda CMS — content management system
  • safe.bluecarrental.is — safety/compliance portal
  • Vehicle tracking system — dual-access (PIN for field users, admin panel via BlueDesk)
  • Tire management system
What this means Employees will start seeing their assigned tools appear in BlueDesk. Each application is connected individually, tested, and then made available to the appropriate staff.
Deferred: Two database columns (per-user session timeout and per-user security level) exist in the schema but have no defined requirements.C55C56 These are deferred until a concrete use case is identified — implementing undefined features is how scope creep starts.
Vision

The Future of Employee AccessC39

When BlueDesk is complete, every Blue Car Rental employeeC47 — from customer service agents at Blikavellir to IT administrators — will sign in once with their Microsoft account and see exactly the tools they need. No more separate passwords. No more asking IT for access to each system. One portal, every tool, every brand.

Application Rollout

Once BlueDesk is live, internal applications could be connected one by oneC40 — starting with the most-used tools. Every Blue Car Rental employee gets their single login. Applications like the queue system, tire management, and vehicle tracking become accessible through BlueDesk.

This section describes the aspirational end-state, not current capability. Timelines depend on completion of Phases 0–6.

◄ Before BlueDesk

  • Each system has its own login.C41 Employees juggle multiple usernames and passwords.
  • IT manages access manually, system by system, with no central overview.C42
  • New employees may need to wait for multiple accounts to be set up before they can start working.C43

After BlueDesk ►

  • One Microsoft login for everything.C44 Employees sign in once and see all their tools.
  • IT controls all access from one dashboard, with changes reflected across systems.C45
  • New employees can be quickly set up with access to their assigned tools.C46
Sources & Claims — Fact-check table for every claim on this page

All factual claims on this roadmap are tagged with a reference number (e.g. C1, C2). This table shows where each claim comes from and whether it has been verified.

Ref # Claim Verdict Source
C1 Overall progress percentage CALCULATED 4 of 8 phases complete (Assessment, Phase 1, Phase 2, Phase 3). Phase 4 partially complete.
C2 Assessment: "Complete" TRUE Code audit performed by Gudmundur on Feb 18, 2026
C3 Credential Rotation: "Planned" TRUE Code audit action plan, Phase 0 — not started
C4 Cleanup: "Complete" TRUE Phase 2 completed March 2026 — 5 tasks done (scope adjusted from original plan)
C5 Security: "Complete" TRUE Code audit action plan, Phase 3 — all 12 tasks complete
C6 Quality: "TBD" TRUE Code audit action plan, Phase 4 — no dates set
C7 Deploy: "TBD" TRUE Code audit action plan, Phase 5 — no dates set. Deployment target: Railway (decision 2026-02-25)
C8 "With Maggi Thor as owner" TRUE Maggi Thor is owner of the IT 2.0 project on Asana (created Aug 15, 2025); identified as his top pain point
C9 "The IT 2.0 initiative on Asana was created" in August 2025 TRUE IT 2.0 project on Asana, created Aug 15, 2025
C10 Initial prototype: "February 8, 2026" TRUE Git repository history — first commit on Feb 8, 2026
C11 "Gisli Orn (former Software Dev Manager) created the first version" TRUE Git repository — committed under Gisli Orn's account
C12 "A working skeleton with login, user management, and app launching capabilities" TRUE Code audit confirmed a usable foundation — database design, backend structure, user interface, and server setup were all in place
C13 Developer transition: "Mid-February 2026" APPROXIMATE No exact departure date on record. His company email was closed on Feb 19, 2026.
C14 "Gisli Orn departed the company" TRUE Confirmed by Gudmundur (Software Development Manager) upon joining the company
C15 "The project was paused" after Gisli's departure TRUE No development activity in the repository between Feb 8 and Feb 19, 2026
C16 New leadership: "February 13, 2026" APPROXIMATE Feb 13 was Gudmundur's first meeting with the CEO; exact start date may differ
C17 "Gudmundur joined as Software Development Manager" TRUE Gudmundur's employment confirmed by Blue Car Rental management
C18 "Began assessing all internal systems, including BlueDesk" TRUE Code audit performed by Gudmundur on Feb 18, 2026
C19 Full assessment: "February 18, 2026" TRUE Code audit report is dated Feb 18, 2026
C20 "Identified 10 security issues" TRUE Code audit report lists exactly 10 critical security findings
C21 "A clear action plan was created with five phases" TRUE Code audit action plan defines Phases 0 through 6
C22 "The system was successfully started in a development environment" TRUE Verified by running the system in development — all services started successfully
C23 "All core pages were confirmed working" TRUE Verified by testing each page in the development environment
C24 Documentation published: "February 19, 2026" TRUE Published to the web on Feb 19, 2026
C25 "Complete system documentation was created" TRUE Technical documentation and this roadmap were published
C26 Phase 0: Credential rotation planned TRUE Code audit action plan, Phase 0 — not started
C27 Phase 2: Cleanup complete TRUE Phase 2 completed March 2026. Scope adjusted: originally planned file deletions were unnecessary (files never existed); actual work was database/model cleanup
C28 "About 2,000 lines of unused code will be removed" REVISED Original estimate based on expected scope-creep files. Investigation (March 2026) found these files were never created. Actual cleanup removed dead database tables and unused model fields
C29 Phase 3: Security hardening planned TRUE Code audit action plan, Phase 3 — lists 12 specific security tasks
C30 "Fixing the 10 security issues found during the assessment" TRUE Code audit action plan — Phase 3 addresses the 10 critical security findings
C31 Phase 4: Quality planned TRUE Code audit action plan, Phase 4 — lists testing and stability tasks
C32 "Adding automated testing" TRUE Code audit action plan, Phase 4 — lists 4 specific test areas
C33 "Fixing user interface issues" TRUE Code audit found visual bugs and code quality issues to fix
C34 "Improving performance" TRUE Code audit found database query performance issues
C35 "The admin page will be refactored into proper components" TRUE Code audit recommended splitting the oversized admin page into smaller components
C36 Phase 5: Production deployment planned TRUE Code audit action plan, Phase 5 — lists deployment requirements
C37 "Setting up the live server with proper security certificates, monitoring, and backups" TRUE Code audit action plan, Phase 5 — lists deployment requirements. Deployment target: Railway cloud platform (decision 2026-02-25)
C38 "BlueDesk goes live for the IT team first as a pilot" TRUE Code audit action plan, Phase 5 — IT team to be the first users
C39 Vision section present ASPIRATIONAL Written by Gudmundur based on the BlueDesk project goals
C40 "Internal applications could be connected one by one" UNVERIFIED IT 2.0 project backlog on Asana (owned by Maggi Thor)
C41 "Each system has its own login..." UNVERIFIED Project premise — awaiting confirmation from Eidur (IT Manager)
C42 "IT manages access manually, system by system" UNVERIFIED Project premise — awaiting confirmation from Eidur (IT Manager)
C43 "New employees may need to wait for multiple accounts to be set up..." UNVERIFIED Reasonable inference but no documents specifically confirm it
C44 "One Microsoft login for everything" TRUE Core goal in the BlueDesk project specification
C45 "IT controls all access from one dashboard, with changes reflected across systems" ASPIRATIONAL Described in the BlueDesk system architecture; caveat: target apps may cache old tokens
C46 "New employees can be quickly set up with access to their assigned tools" ASPIRATIONAL Described in the BlueDesk system architecture, user management workflow
C47 Vision: "Every Blue Car Rental employee..." ASPIRATIONAL Written by Gudmundur; describes the intended end-state of the project
C48 Phase 0 includes .env.template creation TRUE Code audit action plan, Phase 0
C49 Phase 2: 7 backend + 4 frontend files to delete REVISED Code audit listed these files, but investigation confirmed they were never created. Phase 2 cleanup addressed database tables and model fields instead
C50 Phase 3 includes 12 specific security tasks TRUE Code audit action plan, Phase 3 (12 items listed)
C51 Token refresh flow needs rewrite TRUE Code audit found the token refresh code needs to be rewritten
C52 Phase 4 includes server-side route protection TRUE Code audit found no server-side page access protection
C53 Phase 4 includes API layer consolidation TRUE Code audit found inconsistent code patterns and a URL bug in the frontend
C54 Phase 5 includes dual-access app validation TRUE Described in the system architecture; not yet validated with a test
C55 Per-user session timeout column exists but is unused TRUE Database has the column but no feature uses it yet
C56 Per-user security level column exists but is unused TRUE Database has the column but no feature uses it yet
C57 Phase 6: Application onboarding planned TRUE Candidate apps listed in the project specification; see also the Vision section above
C58 Apps phase: "TBD" TRUE No dates set; app onboarding order still to be decided
C59 BlueDesk will be hosted on Railway, not on the nýi on-premise server and not by Dacoda TRUE knowledge/bluedesk-reference.md — Hosting Decision (2026-02-25); Gudmundur (Software Development Manager), 2026-02-25
C60 Gisli Orn's original vision was for BlueDesk to serve as a control plane for the nýi server, managing Docker containers, collecting metrics, and reading other apps' databases TRUE brain/knowledge/company/asana-it-2.0.md — IT 2.0 backlog (planned integrations); knowledge/bluedesk-reference.md line 455 — control plane language
C61 The nýi server (192.168.202.96, hostname "blue-hub") runs BlueDesk in Docker alongside a container management UI (likely Portainer) on port 8080, Prometheus (port 9090), and Node Exporter (port 9100) TRUE brain/knowledge/company/systems.md — nýi server section
C62 The nýi server is currently locked out as of 2026-02-20 — nobody has SSH access TRUE brain/knowledge/company/systems.md — nýi server lockout section
C63 Blue Car Rental owns 50% of Dacoda TRUE brain/knowledge/company/systems.md — Dacoda section. Standalone corporate fact; no longer a hosting decision factor for BlueDesk
C64 Dacoda already hosts Blue's CMS sites and is the approved destination for database hosting (bluestaff.is soft migration in progress, approved 2026-02-20) TRUE brain/knowledge/strategic/domain-hosting-strategy.md — Per-Domain Plan table. Standalone corporate fact; no longer a hosting decision factor for BlueDesk
C65 Approximately 2,000 lines of Docker management scope-creep code are confirmed for deletion based on the hosting decision TRUE knowledge/bluedesk-reference.md — Hosting Decision implications; code audit action plan. Railway hosting (like Dacoda before it) confirms this code is unnecessary
C66 Phase 5 deployment target is Railway cloud platform, not the nýi on-premise server and not Dacoda TRUE knowledge/bluedesk-reference.md — Hosting Decision (2026-02-25)
C68 The nýi server's future is a separate, unresolved decision — it may still host other internal apps but BlueDesk won't be its management UI TRUE knowledge/bluedesk-reference.md — Hosting Decision implications, item 5
C69 BlueDesk's mission narrows to SSO + launcher + access control — no container management, no app metrics, no log viewing TRUE knowledge/bluedesk-reference.md — Hosting Decision implications, item 2
C71 Railway was selected as the BlueDesk hosting provider on 2026-02-25, replacing the prior Dacoda decision (2026-02-23). Reason: Dacoda's shared hosting environment cannot provide developer access to individual Docker containers or databases for debugging and deployment. TRUE Gudmundur (Software Development Manager), 2026-02-25; Ástþór (Dacoda), 2026-02-25
C72 Railway Pro plan costs $20/month with $20 of included resource credit. Estimated BlueDesk usage: $6–12/month (well within included credit). Effective cost: $20/month flat with no overage expected. TRUE Gudmundur (Software Development Manager), 2026-02-25; railway.com/pricing
C73 Railway detects Dockerfiles automatically and deploys containerized services without manual configuration. TRUE railway.com — "Using detected Dockerfile" in build logs
C74 Railway offers PostgreSQL via one-click provisioning with SSL-enabled containers. TRUE docs.railway.com/reference/databases
C75 Railway supports environment variable reference variables between services using ${{SERVICE_NAME.VAR}} syntax. TRUE docs.railway.com/guides/variables
C76 Railway provides custom domains with auto-SSL (Let's Encrypt certificates). bluedesk.bluecarrental.is would be pointed to Railway via Cloudflare DNS (CNAME record). TRUE docs.railway.com/guides/public-networking
C77 Railway supports automated database backups with daily (retained 6 days), weekly (retained 1 month), and monthly (retained 3 months) schedules, with self-serve restore. TRUE docs.railway.com/reference/backups
C78 Railway's private networking (.railway.internal domain, Wireguard-encrypted) enables service-to-service communication without egress charges. The Go backend should connect to PostgreSQL via the internal URL rather than the public URL. TRUE docs.railway.com/reference/private-networking
C79 PR preview environments (auto-created via GitHub integration) should not be enabled for BlueDesk, to avoid duplicate resource costs. TRUE docs.railway.com/guides/environments
C80 Railway Pro plan provides 30-day log retention. Railway Hobby plan provides 7-day log retention. TRUE railway.com/pricing
C81 Railway Pro is recommended over Hobby for BlueDesk production use. Hobby has no SLA. Pro plan support is "usually within 72 hours" via private threads. Formal SLAs only exist at the Business Class tier ($2,000+/month). TRUE railway.com/pricing; docs.railway.com/platform/support
C82 The BlueDesk frontend includes a catch-all Next.js route handler at src/app/api/v1/[...path]/route.ts that serves mock API responses, enabling frontend development without the Go backend. TRUE admin-portal/frontend/src/app/api/v1/[...path]/route.ts
C83 The mock API implements 12 discrete route patterns across 4 HTTP methods: 6 GET, 2 POST, 3 PUT, 1 DELETE. CALCULATED Route patterns enumerated from admin-portal/frontend/src/app/api/v1/[...path]/route.ts
C84 The mock data set includes 8 users, 4 apps, 3 roles, and 21 user-app assignment records. CALCULATED Array elements counted from admin-portal/frontend/src/lib/mock-data.ts
C85 All 8 mock users have @bluecarrental.is email addresses. 2 are IT admins (Gudmundur Sigurdsson, Jon Gunnarsson); 6 are regular users. TRUE admin-portal/frontend/src/lib/mock-data.ts — MOCK_USERS array, is_it_admin field
C86 The 4 mock apps: BlueQ (dual_access, active), BlueTires (admin_only, active), Geofence Monitor (admin_only, active), Blue Lock (admin_only, inactive). 3 active, 1 inactive. TRUE admin-portal/frontend/src/lib/mock-data.ts — MOCK_APPS array
C87 Dev mode activated by NEXT_PUBLIC_AUTH_MODE=dev. Pre-set in .env.development. Defaults to 'dev' if absent. TRUE .env.development line 2; auth-context.tsx line 5
C88 Dev mode auth bypass stores mock token in localStorage with 24h expiry, bypasses JWT decode. TRUE auth-dev.ts lines 19-30; auth-context.tsx lines 36-47
C89 Permission flags derived from app_role: app_admin gets all four flags true; other assigned users get can_view and can_edit true, can_admin and can_configure false. TRUE admin-portal/frontend/src/lib/mock-data.ts — getUserApps() function
C90 Mock API interfaces use snake_case field names matching Go backend JSON contracts. TRUE admin-portal/frontend/src/lib/mock-data.ts — interface definitions
C91 Mock launch flow returns static 'mock-app-token' and app_url as redirect. No real JWT generated. TRUE admin-portal/frontend/src/app/api/v1/[...path]/route.ts — POST handler lines 188-193
C92 Frontend /healthz endpoint at src/app/healthz/route.ts returns { status: 'ok' }. Separate from mock API, not under /api/v1/. TRUE admin-portal/frontend/src/app/healthz/route.ts
C93 Phase 1 frontend brand styling completed February 27, 2026 TRUE Git commit c88065e on staging branch
C94 111 UI strings translated to Icelandic across 11 frontend files TRUE Git commit c88065e
C95 Host Grotesk variable font added as companion body font TRUE globals.css, tailwind.config.ts
C96 Playwright e2e test infrastructure added TRUE playwright.config.ts, e2e/*.spec.ts
C97 Brand color palette applied from Blue Car Rental guidelines TRUE Design authority guidelines; applied in frontend components
C87 Security hardening: OAuth CSRF, cookie-based sessions, fail-closed auth, soft-delete, token logging removed TRUE Git commit 0d76e25 on staging branch (February 2026)
C88 26 Go integration tests covering auth (8), users (9), and apps (8) TRUE admin-portal/backend/internal/handlers/*_integration_test.go
C89 Test database infrastructure: docker-compose.test.yml on port 5433 with tmpfs TRUE admin-portal/backend/docker-compose.test.yml, internal/testutil/
C90 Phase 3 security hardening: 12 of 12 tasks complete TRUE Code review of committed changes vs. code audit Phase 3 task list
C91 Phase 4 testing: 26 integration tests built covering all three domains TRUE admin-portal/backend/internal/handlers/*_integration_test.go