Total Build Commitment
Seven phases. Fixed price. Ark Fortune absorbs any overrun.
220 hrs
TBD
hours
Required from DME Express IT before Ark Fortune can begin. These components are owned and delivered entirely by DME’s internal team.
- Database design and managementSchema design, hosting, and management of all order and contractor data.
- Odoo integration and order routing logicConnecting Odoo’s order management to the contractor dispatch flow.
- Backend APIDME IT builds and exposes the API. Ark Fortune consumes it — we do not build the backend.
- All order management backendAssignment logic, contractor accounts, order lifecycle — all managed by DME Express IT.
25
hours
- Login screen UIEmail + password entry. Contractor and admin roles handled separately.
- Token generation & secure storageJWT issued on login, stored in httpOnly cookie — not localStorage.
- Token refresh & session timeoutAuto-renew before expiry. HIPAA-required auto-logout after inactivity.
- Role-based access controlContractor sees only their orders. Every page enforces role before rendering.
- Forgot password & protected routesReset via email. Every screen checks authentication state before loading.
20
hours
- HTTPS enforcementAll traffic encrypted. Plain HTTP blocked at the edge.
- PHI data handlingPatient names and hospice addresses never cached or logged outside approved storage.
- Audit loggingRecord of who accessed which order and when. Required for healthcare compliance.
- Rate limiting & input validationBrute force protection on login. All form inputs sanitized to prevent injection.
- Security headers & CORSCSP, X-Frame-Options, HSTS. Only TPA Light's domains communicate with the backend.
30
hours
- Authenticated API clientAll requests to DME's API include auth token. Unauthorized calls are blocked.
- Order fetching & displayPull active orders per contractor. Map to TPA Light's UI format.
- Delivery status updatesSend confirmation (items delivered, reasons flagged) back to DME's API.
- Offline caching & retryCache last-known orders for zero-signal scenarios. Auto-retry on reconnect.
80
hours
- Dashboard — active orders listPriority order, status badges, new order highlight.
- Order detail viewHospice name, address, contact, item list, assignment time.
- Item selection UICheckbox per item. Partial delivery fully supported.
- Reason flow for undelivered itemsBlocked from proceeding until reason selected or entered.
- Slide to Deliver componentDeliberate gesture-based confirmation. Cannot be triggered accidentally.
- PWA setup — offline, installablemanifest.json, service worker, home screen install prompt on iOS and Android.
25
hours
- Order history with filtersDate range, hospice, status. Full historical log per contractor.
- Delivery statisticsDeliveries this week, this month, flag rate, item non-delivery breakdown.
- Item-level delivery logsTimestamps and reasons per item across all historical orders.
15
hours
- SMS trigger on order assignmentFires immediately when DME's API assigns an order. Uses existing Twilio account.
- Message template"New TPA Light order: [Hospice Name], [N] items. Open your app."
- Failure handlingIf SMS fails, log it and retry automatically.
25
hours
- End-to-end testingOrder received → contractor notified → delivery confirmed → status updated.
- Mobile device testingiOS Safari + Android Chrome. PWA install flow on both platforms.
- Security testingAuth bypass attempts, token expiry enforcement, role isolation verification.
- Cloudflare Pages deploymentProduction deploy. Environment variables set. Zero-downtime.
Hours Summary
| Phase | Focus | Hours |
|---|---|---|
| Phase 0 | DME Express Provides | TBD |
| Phase 1 | OAuth Implementation | 25 |
| Phase 2 | Security Layer (HIPAA) | 20 |
| Phase 3 | API Integration | 30 |
| Phase 4 | Contractor PWA — Mobile | 80 |
| Phase 5 | Contractor Web Portal — Desktop | 25 |
| Phase 6 | Twilio SMS | 15 |
| Phase 7 | QA, Testing & Deployment | 25 |
| Total | 220 | |