Current Store Development Status

Last updated: 2026-05-18 Production: https://aovis.app

Current Phase

AOVIS Account + Direct Store is in live payment readiness and production validation. In this repository, “live payment readiness” means Stripe live-payment readiness and production checkout verification, not livestream commerce.

Recently Completed Account-Center Work

Customer Orders

Customer order management now supports:

Search and filters.
Archived/hidden orders and restore.
Safe cancellation for unpaid/unfulfilled orders.

Order removal is archive/hide only, not hard delete.

Data Plan Checkout

Data-plan checkout now requires choosing a SIM before payment.

Current flow:

Choose SIM/device
→ Stripe Checkout
→ metadata includes simCardId
→ DataPlanPurchase records simCardId
→ fulfillment can activate against EIOTCLUB ICCID

Old purchases without simCardId remain compatible and are treated as historical/exception states.

Services Page

/account/services is device-centered. It aggregates per device:

SIM and cellular usage.
Bound extra data plans.
Cloud storage and included AI features.
Duplicate cloud-plan warnings when applicable.

A SIM with carrier usage data can show cellular access even when no extra data package has been purchased.

Devices Page

/account/devices supports multi-device review using a device selector and ?device=DEVICE_ID URL state. The selector auto-navigates when a device is chosen; there is no separate "View" click.

The page now starts with the connected device list, because that is the user's primary mental model. The selected device detail includes:

Device identity.
SIM/network state.
Data plans.
Cloud storage & AI.
Sharing and transfer controls.

The old account-level Network access card was removed. Network details are shown inside the selected device detail instead. A small Network attention section only appears when a SIM is unlinked from a connected device or needs review.

Device Display Names

Users can set a per-account device display name. The name is stored on DeviceOwnership.displayName, so shared-device users can each have their own alias.

Display name surfaces:

/account/devices
/account/services
/services/cellular-data SIM selector

Nickname save feedback is implemented through query params:

deviceName=updated
deviceName=too_long

Redirects use env.appUrl, not request.url, to avoid localhost redirects behind Nginx/PM2.

Owners can review and manage sharing from the selected device detail:

People with access shows accepted shared users with role labels and plain-language role descriptions.
Pending invites shows outstanding invites with resend and cancel controls.
Invite someone new is the only place to add a new email.

Owners no longer need to remember or re-enter a full email address to remove an existing shared user. Accepted invitees initially inherit the owner's device display name, but can rename the device independently afterward.

/signin and /login use native HTML forms backed by Auth.js server actions for Google, Apple, and Email Magic Link sign-in. This avoids Safari-specific failures where client-side click handlers can appear inert.

Recently Completed AWS AI / KVS Validation

KVS / HLS Cloud Playback

Field	Value
aoviseDeviceId	`aovis-n4k-000001`
deviceId	`cmp3hyo970000qm97c1foeybk`
KVS stream	`aovis-stream-aovis-n4k-000001`

GStreamer kvssink pushed sample KVS fragments.
On-Demand HLS URL generation verified.
Authenticated browser playback on /devices/aovis-n4k-000001/playback verified.
Conclusion: KVS media fragments → AOVIS stream API → HLS playback page → authenticated browser playback: PASS

Web Device Service Auth

PR #2 deployed.
Release commit: 38292e450028e6de29c56c969036ed21ad244b89
Fix: device service APIs now accept authenticated web sessions in addition to App Bearer tokens.
Ownership / role / entitlement checks remain unchanged.

Daily Summary

Controlled production DailySummary test completed.
Scoped userId: cmne10rir000h8mwi8gvxvwqs
Scoped deviceId: cmp3hyo970000qm97c1foeybk
CloudEvent → Bedrock Nova Lite → DailySummary upsert verified.
pushSent=false and no SNS push sent because active PushToken + endpointArn count was 0.
CRON_SECRET is present on production VM; do not record its value.

S3 Sample Video AI Analysis

Sample: s3://aovis-video-storage/ai-lab/inputs/AOVIS_test_short_00002.mp4
Model: us.amazon.nova-lite-v1:0
Result: "A person walks past a small building at night."
Test CloudEvent: p3c-sample-video-20260517-00002 — this is a test CloudEvent, not a real device event.

Bedrock Bearer Token Cleanup

PR #3 deployed.
Release commit: 253bcac0496626afd3d74f207be4e4e1286116a1
AWS_BEARER_TOKEN_BEDROCK cleanup is now present in both:
- lib/aws/bedrock.ts
- lib/aws/bedrock-daily.ts
Note: stale bearer token can override SigV4 and cause "Bearer Token has expired".
AWS access key was rotated after accidental exposure; do not include any key value.

Recently Completed WebRTC Viewer Temporary Credentials PoC

Overview

WebRTC temporary credentials PoC (P6) has been merged and deployed. This is a controlled single-channel PoC — not a full production multi-device rollout.

Field	Value
PR	#6
Release commit	`9911bfe`
Test device	`aovis-n4k-000001` (aoviseDeviceId)
IAM role	`arn:aws:iam::288669178338:role/aovis-webrtc-viewer-dev-role`
IAM base policy	`arn:aws:iam::288669178338:policy/aovis-webrtc-viewer-dev-base-policy`
Current scope	Single KVS WebRTC channel: `aovis-webrtc-aovis-n4k-000001`

Architecture Decisions

Auth.js / App Bearer Token + DeviceOwnership live_view permission checks remain unchanged.
Backend issues STS temporary credentials via AssumeRole + inline session policy.
No Cognito User Pool or Identity Pool introduced.
Auth.js is not replaced or bypassed.

Production Runtime Config

WEBRTC_VIEWER_ROLE_ARN is present on the production VM .env.production.
WEBRTC_VIEWER_SESSION_SECONDS = 900 (default, clamped [900–3600]).
.env.production was appended to, not overwritten.

API Readiness

/api/devices/[id]/webrtc returns:

Field	Status
`channel_arn`	Present (test channel)
`region`	`us-east-1`
`endpoints.wss`	Present
`endpoints.https`	Present
`ice_servers`	2 entries
`credentials.accessKeyId`	ASIA prefix (STS temporary)
`credentials.sessionToken`	Present
`credentials.expiration`	Present

Online Verification Results

Unauthenticated /api/devices/test/webrtc returns 401.
Unauthenticated /devices/test/live redirects to /signin (307).
Authenticated test device aovis-n4k-000001 returns 200 with STS temporary credentials.
Live page renders readiness state (client-side WebRTC component).
No IPC master device is online — real live video has not been verified yet.
Permission scope validated in P6-1: inline session policy narrows to single channel ARN; cross-channel, S3, and Bedrock actions all denied.

AWS Credential Security: IAM User → EC2 Instance Profile (P8)

Field	Value
Completed	2026-05-18
EC2	`i-01b89c7132555fc68` (aovis-store-aws)
Instance profile	`aovis-backend-ec2-instance-profile`
App role	`aovis-backend-ec2-role`
App policy	`aovis-backend-ec2-policy` (v2)
Old IAM user key	Ending `3JXF` — deactivated (P8-3A) then deleted (P8-3B)

Production backend no longer stores long-term AWS credentials. AWS SDK uses EC2 instance profile temporary credentials. See docs/aws-backend-instance-profile-migration-20260518.md for full archive.

Remaining Items

Hardware IPC master online → validate end-to-end live video streaming.
Production multi-device IAM policy design (expand from single test channel).

Key Production Commits

Commit	Summary
`9911bfe`	WebRTC temporary credentials PoC using STS AssumeRole
(infra-only)	Production backend migrated from IAM user env keys to EC2 instance profile (P8)
`b090728`	Archived AWS AI / KVS validation results
`253bcac`	Bedrock bearer token cleanup for video analysis
`38292e4`	Web session access for device service APIs
`a746592`	AWS AI daily summary and web playback readiness
`3622606`	Data-plan SIM-first checkout and account services/devices UX
`29c2eef`	Device display names with Prisma migration
`1cab3f4`	Device nickname redirect hotfix
`fe102b6`	Device nickname feedback hotfix
`509d1c0`	Device page section order and network access cleanup
`d1ec735`	Share access management UI

Historical order/services/account summary commits include 8dc25cb, c09a524, c8a17ca, and 040e953.

High-Risk Path Status

Recent high-risk changes were intentional and deployed:

prisma/schema.prisma
prisma/migrations/*
app/api/checkout/data-plan/route.ts

Do not modify auth, checkout, webhooks, admin, or Prisma again unless the task explicitly requires it.

Remaining External Dependencies

Mobile App PushToken / SNS endpoint registration is not yet verified.
Hardware IPC prototype real push-streaming is not yet verified.
WebRTC live view PoC deployed; real live video pending hardware IPC master online.
IoT Credentials Provider and Fleet Provisioning still require ODM / hardware workflow confirmation.

Still Out of Scope

Per project rules, do not expand into these unless explicitly requested:

New device binding system.
Entitlement auto-granting.
Refund/coupon engines.
Apple IAP / Google Play Billing.
Shopify migration.
GCP VM self-hosting migration.

Current Phase​

Recently Completed Account-Center Work​

Customer Orders​

Data Plan Checkout​

Services Page​

Devices Page​

Device Display Names​

Device Sharing​

Sign-In Pages​

Recently Completed AWS AI / KVS Validation​

KVS / HLS Cloud Playback​

Web Device Service Auth​

Daily Summary​

S3 Sample Video AI Analysis​

Bedrock Bearer Token Cleanup​

Recently Completed WebRTC Viewer Temporary Credentials PoC​

Overview​

Architecture Decisions​

Production Runtime Config​

API Readiness​

Online Verification Results​

AWS Credential Security: IAM User → EC2 Instance Profile (P8)​

Remaining Items​

Key Production Commits​

High-Risk Path Status​

Remaining External Dependencies​

Still Out of Scope​