Technical roadmap · Firebase → own backend
From a static SPA wired directly to Firebase to an architecture with its own backend, a relational database, and real per-company data isolation.
The current system works and is in production, but security relies only on checks done in the browser. Any authenticated user can, in theory, read and write another company's data. This plan exists to fix that by moving authorization logic and data behind a backend the client never accesses directly.
The 5 changes
01 — Structure
/frontend and /backendimport of code from one side into the other02 — Backend
NestJS is what exposes the endpoints, running on top of Express (swappable for Fastify) and already organizing modules and dependency injection03 — Data
workspace_id, checked on every query in the backendPrisma — the most widely used in the market today, type-safe. Kept behind a repository interface in the domain layer, so business rules never depend on the ORM directly04 — Frontend
05 — Internal architecture
domain (business rules) → application (use cases) → infrastructure (database, HTTP)Validation happens on both sides, but with different roles: the backend owns business rules (domain layer) and re-validates everything, always. The frontend only handles UX — required fields, formatting, immediate feedback — it never decides a business rule, and no frontend validation is trusted on its own.
All code is written in English (variables, functions, tables, endpoints, commits), no exceptions. The backend always responds in English — error messages and translation keys, never fixed translated text. The frontend decides the display language — defaulting to the client's browser, with the option to choose manually — reusing the i18n module that already exists.
06 — Execution order
Based on the data that already exists today in Firestore.
Clean Architecture layers + first working endpoint: authentication.
Clients → Jobs → Expenses → Inventory → the rest. Never all at once.
Until each new module is validated — so the client never feels the transition.
Per-company isolation, server-side validation, and the public approval page depending on a real token stored in the database — not on URL parameters.