1. 🎯 Sprint Summary
| Field | Detail |
|---|---|
| Sprint | 7.4 (M15 API · API + Marketplace) |
| Duration | 6 Mar - 2 Apr 2028 (4 weeks · 20 working days) |
| Module | M15 API · platform module |
| Goal | Public REST + GraphQL · OAuth 2.0 · developer portal · sandbox tenants · 3rd-party marketplace · revenue share · 50+ dev accounts · 10 marketplace apps · 80 tenants total |
| Capacity | 6 FTE (3 BE + 2 FE + 1 DevOps) + 0.5 Founder + 0.3 Doc Zam · external developer relations consultant |
| Velocity target | 120 SP (4-week sprint) |
| Demo date | 2 Apr 2028 — Public Platform Launch event |
2. 🧩 Module Scope
- Public REST API: /v1 · 40+ endpoints · OpenAPI 3.0 spec · Patient/Encounter/Prescription/LabOrder/etc · pagination · filtering
- GraphQL API: /graphql · same model surface · subscriptions for real-time
- OAuth 2.0 + Scopes: client_credentials + auth_code flows · 20+ scopes · per-tenant grant · token refresh
- Rate Limiting: Per-token + per-IP · adaptive · paid tier increase · burst allowance
- Developer Portal: dev.medieco.alesa.my · sign-up · sandbox tenant creation · API key management · usage analytics
- SDKs: PHP (Laravel) · Python · Node.js · auto-generated from OpenAPI · published to packagist/PyPI/npm
- Sandbox Tenants: Auto-provisioned per developer · synthetic patients · isolated · 30-day lifetime
- 3rd-Party App Marketplace: apps.medieco.alesa.my · listing · install per tenant · permission grants
- Revenue Share Billing: Stripe Connect · 70/30 dev/MediEco · monthly payouts · per-app billing
- Webhook Subscriptions: Tenant subscribe to event types · retry · signature verification · replay protection
- Marketing Launch Site: public-facing platform pitch · 5 anchor partner apps showcase · launch event
- 5 Anchor Partner Apps: insurance claim app · pharma rep app · clinic accounting integration · patient education content app · medical research recruitment
3. 🏗️ Architecture
┌─────────────────────────────────────────────────────────────┐
│ dev.medieco.alesa.my (Developer Portal) │
│ · Sign-up · Sandbox tenants · API keys · Docs · Analytics │
└─────────────────────────┬───────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ apps.medieco.alesa.my (App Marketplace) │
│ · App listing · Install per tenant · Permission grants │
│ · Stripe Connect · 70/30 revenue share · Monthly payouts │
└─────────────────────────┬───────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ api.medieco.alesa.my (API Gateway) │
│ · OAuth 2.0 · Scopes · Rate limiting · Webhook delivery │
│ · /v1 REST · /graphql GraphQL · /webhook subscriptions │
└─────────────────────────┬───────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Backend (Laravel 11 + Filament 3 cluster) │
│ · Multi-tenant · Per-tenant region pinning · Federated │
│ · M9 audit · Cross-tenant isolation · PDPA compliant │
└─────────────────────────────────────────────────────────────┘
4. 🚦 Pre-Sprint Gate Checklist
- Sprint 7.3 closeout · M14 Cardiology live
- OpenAPI 3.0 spec drafted · 40+ endpoints reviewed
- GraphQL schema drafted · cross-checked with REST
- OAuth 2.0 + scopes catalogue approved (20+ scopes)
- Stripe Connect account onboarded · revenue share model approved
- Rate limit policy drafted · paid tier matrix
- SDK auto-generation toolchain (OpenAPI Generator) tested
- 5 anchor partner apps committed · LOIs signed
- Public platform launch event venue booked (2 Apr)
- Developer relations consultant onboarded (4 weeks)
- Compliance Lead reviewed API surface · pen-test scope updated
5. 📅 Day-by-Day Plan (20 days · 4-week sprint)
D1 · Mon 6 Mar · Kickoff + REST API Skeleton
Sprint planning · 40 endpoints stubs · OpenAPI 3.0 spec generated.
D2 · Tue 7 Mar · OAuth 2.0 Server
Laravel Passport extended · 20 scopes · client credentials + auth code flows.
D3 · Wed 8 Mar · GraphQL API
Lighthouse PHP · same model surface · subscriptions over WebSocket.
D4 · Thu 9 Mar · Rate Limiting
Per-token + per-IP · adaptive · burst · paid tier matrix · Redis-backed.
D5 · Fri 10 Mar · Mid-Demo + Webhook Subscriptions
Live API mid-demo · webhook subscribe/unsubscribe · signature · retry · replay.
D6-7 · Mon-Tue 13-14 Mar · Developer Portal
dev.medieco.alesa.my · sign-up · API key mgmt · usage analytics dashboard.
D8 · Wed 15 Mar · Sandbox Tenants
Per-developer auto-provisioning · synthetic patients · isolated · 30-day lifetime.
D9 · Thu 16 Mar · SDK Generation (PHP/Python/Node)
OpenAPI Generator · published to packagist · PyPI · npm · examples + tutorials.
D10 · Fri 17 Mar · Mid-Demo Round 2
Developer portal live · 5 SDKs published · DevRel consultant feedback.
D11-12 · Mon-Tue 20-21 Mar · App Marketplace + Stripe Connect
apps.medieco.alesa.my · listing · install per tenant · permission grants · Stripe Connect.
D13 · Wed 22 Mar · Revenue Share Billing
70/30 dev/MediEco · monthly payouts · per-app metering · invoice automation.
D14 · Thu 23 Mar · 5 Anchor Partner Apps Onboarded
Insurance · pharma · accounting · patient ed · research apps · sandbox testing.
D15 · Fri 24 Mar · Mid-Demo Round 3
Marketplace live · 5 apps installable · revenue share verified · DevRel polish.
D16 · Mon 27 Mar · Marketing Launch Site
Public platform pitch site · 5 partner showcase · launch event materials.
D17 · Tue 28 Mar · Pen-Test Light + Hardening
API surface · OAuth · sandbox isolation · webhook signature verification.
D18 · Wed 29 Mar · Production Cutover
api.medieco.alesa.my goes production · DNS · cert · monitor 24h.
D19 · Thu 30 Mar · Public Launch Press Kit
Press release · partner quotes · launch event speakers confirmed.
D20 · Fri 31 Mar · 80th Tenant + Demo Prep
80th tenant · demo deck · launch event run-through.
+ · Mon 2 Apr · MediEco Platform Launch Event + Demo
9am launch event live-streamed · 50+ developer attendees · 10am demo + retro.
6. 📦 Deliverables
| FR | Item | SP |
|---|---|---|
| FR-15.1 | REST API /v1 · 40+ endpoints · OpenAPI 3.0 | 13 |
| FR-15.2 | GraphQL /graphql · subscriptions | 8 |
| FR-15.3 | OAuth 2.0 + 20 scopes (Laravel Passport) | 8 |
| FR-15.4 | Rate limiting + adaptive + tier matrix | 5 |
| FR-15.5 | Developer portal (sign-up · keys · analytics) | 13 |
| FR-15.6 | Sandbox tenant auto-provisioning | 8 |
| FR-15.7 | SDKs PHP + Python + Node + tutorials | 13 |
| FR-15.8 | App marketplace (listing · install · permissions) | 13 |
| FR-15.9 | Stripe Connect + 70/30 revenue share | 8 |
| FR-15.10 | Webhook subscriptions + retry + signature | 5 |
| FR-15.11 | 5 anchor partner apps onboarded | 13 |
| FR-15.12 | Marketing launch site + press kit | 5 |
| FR-15.13 | Pen-test light + production cutover | 8 |
| FR-15.14 | Compliance pack update (API surface) | 3 |
| FR-15.15 | Public Platform Launch Event | 5 |
| TOTAL | | 128 SP |
7. 👥 Team Capacity
| Role | Allocation | Focus |
|---|---|---|
| Eng Lead / BE | 1.0 FTE | OAuth · rate limiting · production cutover |
| BE Dev 2 | 1.0 FTE | REST + GraphQL · webhook · SDK generation |
| BE Dev 3 | 1.0 FTE | Marketplace · Stripe Connect · revenue share |
| FE Dev 1 | 1.0 FTE | Developer portal · marketplace UI |
| FE Dev 2 | 1.0 FTE | Marketing launch site · partner showcase |
| DevOps | 1.0 FTE | API gateway · sandbox isolation · scale |
| Founder | 0.5 FTE | Anchor partners BD · launch event speaker recruitment |
| Doc Zam | 0.3 FTE | Clinical safety review of partner apps |
| DevRel consultant | 0.5 FTE | Developer portal UX · SDK quality · launch event prep |
8. 🔔 Sprint Ceremonies
- Mon 6 Mar 9am — Sprint Planning (90 min · longer 4-week sprint)
- Daily 9am — Standup (15 min · DevRel joins Tue/Thu)
- Fri 10 + Fri 17 + Fri 24 Mar 4pm — Mid-sprint demos (60 min each · 3 mid-demos in 4-week sprint)
- Tue 28 Mar 4pm — Pen-test debrief + production readiness review (90 min)
- Mon 2 Apr 9am — Public Platform Launch Event (90 min · live-streamed)
- Mon 2 Apr 11am — Sprint Demo (60 min · internal)
- Mon 2 Apr 1pm — Sprint Retro (60 min)
9. 🩺 Sign-off Items
- REST API: 40+ endpoints functional · OpenAPI spec accurate · 95% test coverage
- GraphQL parity with REST · subscriptions working · 5 sample queries
- OAuth 2.0 + 20 scopes · sandbox + production flows · token refresh
- Rate limiting: 1000/min per token · burst tested · paid tier increase verified
- Developer portal sign-up flow: 50+ test accounts created · keys generated
- Sandbox tenant: auto-provisioned · isolated (no cross-leak verified) · 30-day TTL
- SDKs: 3 languages · packagist/PyPI/npm published · 5 sample apps each · doc complete
- Marketplace: 5 anchor apps installable · permission grants · Stripe payouts tested
- Webhook delivery: 99% success · retry logic · signature verified
- Pen-test light: 0 critical · 0 high · ≤ 3 medium with mitigations
- Public launch: 50+ developer accounts · 10 marketplace apps · launch event success
- Compliance attestation: API + marketplace surface complies with PDPA
- Final sign-off (2 Apr) — Founder + Compliance Lead + Doc Zam + DevRel consultant
10. 🎬 Public Platform Launch — 2 Apr 9am (90 min · live-streamed)
| Time | Segment |
|---|---|
| 0-10 | v2.0 narrative · platform vision · 80-tenant milestone · launch announcement |
| 10-20 | Live API demo · OAuth 2.0 flow · REST query · GraphQL subscription |
| 20-30 | Developer portal walk · sandbox tenant created in 30 sec · API key issued |
| 30-40 | SDK demo · PHP/Python/Node sample · build a clinic dashboard in 5 min |
| 40-55 | 5 anchor partner apps showcase · insurance · pharma · accounting · patient ed · research |
| 55-65 | Marketplace install demo · permission grants · revenue share |
| 65-75 | Founder + Doc Zam keynote · platform vision · regional roadmap · Q3 invitation |
| 75-90 | Q&A · partner panel · sign-off · 50+ developer registrations open |
11. 🛡️ Contingency
| Risk | Trigger | Response |
|---|---|---|
| OAuth implementation issue | Auth flow broken | Beta API gateway with manual key issuance · production OAuth post-launch |
| Stripe Connect onboarding slow | Compliance review delay | Manual invoicing for first month · Stripe live by end of April |
| Anchor partner not ready | < 4 of 5 apps | Launch with 4 · 5th by mid-April · don't slip launch event |
| Pen-test critical finding | API surface vulnerability | Hot-fix · re-test · slip 1 week if needed (no public launch with critical) |
| SDK auto-gen quality poor | Hand-tuning required | Manual SDK polish · 1 day buffer · DevRel consultant intensive |
| Launch event venue/streaming issue | Tech failure | Backup virtual-only event · Zoom + YouTube live · venue secondary |