docs: Add PRD V2 with comprehensive review and next phase roadmap

[Datakult0r]

Summary

Adds a comprehensive Product Requirements Document (PRD V2) that reviews all 18 PRs created across Sessions 1-9 and Phases 2-4, identifies critical issues blocking production deployment, and outlines a 4-week roadmap for the next development phase.

Key findings from the review:

• 5 critical issues identified requiring immediate attention before production
• In-memory storage in PRs feat: Add email notifications with Resend integration (Phase 3.1) #24 and feat: Add AI model configuration settings (Phase 3.4) #26 will lose data on server restart
• Unprotected API endpoints expose sensitive admin and analytics routes
• Landing page contains fictional testimonials and dead links
• AI model settings UI doesn't actually affect which models are used

Proposed roadmap:

• Week 1-2: Production readiness (Supabase migration, endpoint security, email compliance)
• Week 2-3: Integration testing and performance validation
• Week 3-4: Documentation and demo video
• Week 4: Merge PRs, deploy to Fly.io, launch

Review & Testing Checklist for Human

• Verify critical issue prioritization - Review Section 1.3 to confirm the 5 identified issues are correctly prioritized (P0 vs P1) based on business needs
• Validate proposed database schema - Review Section 6.2 SQL for notification_subscribers and user_settings tables to ensure they integrate with existing schema
• Confirm timeline feasibility - The 4-week timeline in Section 5 assumes dedicated development time; adjust if resources are constrained
• Decide on testimonials approach - Section 2.1.4 offers 3 options for handling fictional testimonials; choose one before landing page goes live

Recommended review approach: Read through the Executive Summary and Section 1.3 (Critical Issues) first, then skim the roadmap sections to validate the proposed approach aligns with your priorities.

Notes

This is a documentation-only PR with no code changes. The PRD will serve as the planning document for the next development phase.

All 18 referenced PRs (#10-27) are currently open and awaiting merge in the specified order.

Link to Devin run: https://app.devin.ai/sessions/9573820f0f6d41dab1cff8a61c26c981
Requested by: @Datakult0r

Summary by CodeRabbit

• Documentation
  • Added Phase 2 Product Requirements Document outlining project roadmap, success metrics, risk assessment, and deployment timeline.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[devin-ai-integration]

Original prompt from Datakult

https://github.com/Datakult0r/ai-grant-crawler-a2a-pro
index this

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
ai-grant-crawler-a2a-pro	Error		Jan 25, 2026 9:01pm

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[coderabbitai]

📝 Walkthrough

Walkthrough

A new Phase 2 Product Requirements Document is added to docs/PRD-V2.md, detailing production readiness, integration testing, remaining features, deployment steps, success metrics, risk assessment, timeline, and environment configuration requirements for the AI Grant Crawler A2A Pro project.

Changes

Cohort / File(s)	Summary
Phase 2 PRD Documentation docs/PRD-V2.md	Added comprehensive 479-line Phase 2 Product Requirements Document containing executive summary, current state assessment, detailed roadmap (production readiness, integration & testing, remaining features, deployment), success metrics, risk assessment with mitigations, timeline, database schema appendix, and environment variables checklist for backend and frontend deployment.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A document hops forth, so grand and so long,
Phase Two takes the stage with PRD strong,
From schemas to timelines, each detail in place,
Our roadmap blooms bright at a measured pace! 🐰✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a Phase 2 Product Requirements Document (PRD V2) with a comprehensive review and next-phase roadmap. It is concise, specific, and directly matches the changeset's primary content.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@docs/PRD-V2.md`:
- Around line 434-447: Add explicit RLS policies for the
notification_subscribers table similar to user_settings: create three policies
(e.g., "Users can view own subscriptions", "Users can update own subscriptions",
"Users can insert own subscriptions") that grant FOR SELECT USING (auth.uid() =
user_id), FOR UPDATE USING (auth.uid() = user_id), and FOR INSERT WITH CHECK
(auth.uid() = user_id) respectively; alternatively, if a service role should
bypass RLS, document that intent and show the appropriate role-based policies or
use a SECURITY DEFINER function instead.
- Around line 120-142: The two table schemas diverge and must be unified: choose
a canonical schema for notification_subscribers and user_settings and update
both places (Section 2.1.1 and Appendix 6.2) to match exactly; specifically
ensure notification_subscribers includes fields unsubscribe_token and is_active
and any desired defaults/constraints, and ensure user_settings includes the
preset CHECK constraint, UNIQUE(user_id), custom_models, timestamps, and the
intended RLS policies; update the SQL snippets and any accompanying prose so
both occurrences reference the same table names (notification_subscribers,
user_settings), columns, constraints (e.g., CHECK on preset, UNIQUE(user_id)),
default values, and RLS policy text.

🧹 Nitpick comments (1)

docs/PRD-V2.md (1)

123-142: Note required UUID extension for gen_random_uuid().
Consider adding a short note to enable pgcrypto (or whichever extension is expected) so the schema is reproducible across environments.

Also applies to: 413-433

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Align table definitions between Section 2.1.1 and Appendix 6.2.
The notification_subscribers and user_settings schemas differ (e.g., unsubscribe_token, is_active, preset CHECK, UNIQUE(user_id), RLS policies). This can lead to partial implementations. Pick a single canonical definition and update both sections to match.

Also applies to: 409-447

🤖 Prompt for AI Agents

In `@docs/PRD-V2.md` around lines 120 - 142, The two table schemas diverge and
must be unified: choose a canonical schema for notification_subscribers and
user_settings and update both places (Section 2.1.1 and Appendix 6.2) to match
exactly; specifically ensure notification_subscribers includes fields
unsubscribe_token and is_active and any desired defaults/constraints, and ensure
user_settings includes the preset CHECK constraint, UNIQUE(user_id),
custom_models, timestamps, and the intended RLS policies; update the SQL
snippets and any accompanying prose so both occurrences reference the same table
names (notification_subscribers, user_settings), columns, constraints (e.g.,
CHECK on preset, UNIQUE(user_id)), default values, and RLS policy text.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add RLS policies for notification_subscribers.
RLS is enabled but no policies are defined, so all access will be denied. Please add explicit SELECT/INSERT/UPDATE policies (or clarify if a service role is intended for all access).

🤖 Prompt for AI Agents

In `@docs/PRD-V2.md` around lines 434 - 447, Add explicit RLS policies for the
notification_subscribers table similar to user_settings: create three policies
(e.g., "Users can view own subscriptions", "Users can update own subscriptions",
"Users can insert own subscriptions") that grant FOR SELECT USING (auth.uid() =
user_id), FOR UPDATE USING (auth.uid() = user_id), and FOR INSERT WITH CHECK
(auth.uid() = user_id) respectively; alternatively, if a service role should
bypass RLS, document that intent and show the appropriate role-based policies or
use a SECURITY DEFINER function instead.