Internal Platform Spec · Codeaza Technologies

HR Portal Unification

One platform for everything people-operations — Reporting & Analytics, Leaves, Time Tracking, and HR Ops, merged into a single source of truth, powered by Wazir.

v1.0 · June 2026 Owner: Mubeen Aftab (Internal Tools) For: Team presentation

1 Vision

Why we are doing this.

Today our people-operations data lives in separate places — attendance and reporting run through Wazir, time tracking sits in WebWork, leaves are handled manually, and HR operations are scattered across docs and chats. The HR Portal becomes the single place that merges all of it.

The core idea: Wazir isn't a separate reporting tool that needs automation added to it — Wazir is the engine that merges automation, analytics, and operational data into one platform. The HR Portal is the single pane of glass; Wazir fills it.

2 The Problem & The Shift

From fragmented tools to one unified platform.

Today — Fragmented

  • Attendance & reporting generated as separate Wazir outputs
  • Time tracking lives only in WebWork
  • Leaves managed manually, no system of record
  • HR ops scattered across docs, sheets, and chat
  • No single view — managers stitch data together by hand

Tomorrow — Unified

  • One HR Portal — every people metric in one place
  • Time tracking, attendance & SOP compliance native to the portal
  • Leaves requested, approved & tracked in-platform
  • HR ops centralised with role-based access
  • Reporting & analytics auto-updated, always live

3 The Four Pillars

Everything the unified HR Portal brings together.

📊

Reporting & Analytics

Live dashboards across the whole team — no more one-off reports.

  • Attendance & SOP-hours compliance
  • Activity %, idle, productivity trends
  • Team & per-member analytics, date ranges
  • Exportable reports (PDF / HTML)
🌴

Leaves Integration

End-to-end leave management inside the portal.

  • Request → approve → track workflow
  • Leave balances & policy rules
  • Reflected automatically in attendance reports
  • Manager visibility & calendar view
⏱️

Time Tracking

WebWork data surfaced natively, not in a separate tool.

  • Tracked hours, projects & tasks per member
  • SOP (7h 30m) compliance at a glance
  • Daily & sprint-level views
  • Synced automatically by Wazir
🧩

HR Ops

The operational backbone, all in one workspace.

  • Employee records & profiles
  • Documents — offers, contracts, letters, payslips
  • Performance signals & reviews
  • Onboarding / offboarding workflows

4 How It Fits Together

Wazir merges the sources; the HR Portal presents them.

Sources

WebWork · Leaves · HR records · Performance signals

Wazir (the merge engine)

Pulls, syncs & normalises automation + analytics + data into one model

HR Portal

Single platform · role-based dashboards (Admin / Manager / User)
Role-based access: Admins see everything, Managers see their reports, and team members see their own attendance, hours, and leaves — one platform, the right view for each person.

Already Shipped — HR Portal

Released to main · Fri 19 June 2026 · PR #21 (merge 75b59e2) · 33 files · +998 / −382

A dev→prod gate-hardening pass: security holes closed, a real approval state machine for payroll/reimbursement, business-logic fixes, async/observability tidy-up, and a batch of self-service ("user" role) fixes. The HR Portal foundation the unification builds on is already live.
🔒

Security

  • Closed two IDOR holes (CNIC + reimbursement receipt downloads, ownership-gated)
  • Removed legacy single-step /approve that bypassed the 2-step gate
  • New RLS migration — policies scoped to service_role
🔁

Approval State Machine

  • Guarded transitions — illegal ones return 409, not silent applies
  • Least-advanced row governs aggregate status; rows insert as draft
  • Re-apply resets approved/paid rows to draft & clears stale timestamps
🧮

Business Logic

  • Loan deduction capped at remaining balance (no over-deduction)
  • Offboarding handles skipped exit interview; requires full checklist
  • Letter reference reserved before S3 upload (no orphans)
  • Reimbursement edits attributed to the actual user
👤

Self-Service (User Role)

  • Create-employee PGRST204 fixed (workstatus_id migration)
  • Standups show only the user's own responses
  • Users can download their own payslip; leave cards scoped to self

Async / Observability

  • Permission load off the event loop, cached, invalidated on role change
  • Sentry hardening — mask replays, drop PII, filter 401/403 noise
  • Standup query N+1 addressed
🖥️

Frontend & Cleanup

  • Page-aware leave pagination; UserManagement refetch after mutations
  • Single shared API base URL; auth-gated keep-alive
  • Clean 409 on duplicate employee; stepout UTC-aware fix; RBAC seed drift test

Authored by Jawad Babar (with Claude), merged to main by Muhammad Asim. The larger security/authorization completion wave (PRs #22–#25) landed Sat 20 June. DB migrations introduced: add_workstatus_id_to_employees.sql, fix_rls_scope_to_service_role.sql.

5 Phased Rollout

Ship value early, expand in stages.

Phase 1

Reporting & Time Tracking

Migrate Wazir's attendance & SOP reporting and WebWork time-tracking into the portal as live dashboards. Immediate single-view win.

Phase 2

Leaves Integration

Build request → approval → tracking, wired into attendance so leaves reflect automatically. Removes the manual leave process.

Phase 3

HR Ops & Analytics

Bring in employee records, documents, performance signals and full cross-pillar analytics — the complete single platform.

6 What Success Looks Like

How we'll know the unification worked.

1
Single platform for all people-ops
0
Manual reports stitched by hand
Live
Always-current analytics
3
Role-based access levels

7 Ownership & Next Steps

The foundation is live — here's what's next.

Where we are: The hardened HR Portal foundation (security, approvals, RBAC, self-service) shipped 19–20 June. That's the platform the unification sits on — so we're not starting from zero; we're merging the four pillars onto a solid base.
NOW

Team review & lock scope

Present this spec, agree the four-pillar scope, and lock the Phase 1 timeline + owners.

NEXT

Phase 1 — Reporting & Time Tracking into the portal

Wire Wazir's WebWork sync + attendance/SOP reporting as live in-portal dashboards (replacing standalone reports). Quickest visible win on the existing base.

THEN

Leaves → HR Ops → cross-pillar analytics

Build the leaves workflow (feeding attendance), then consolidate HR Ops records/documents, then unify analytics across all four pillars.

Platform ownerMubeen Aftab — Internal Tools / HR Portal
Merge engineWazir — data sync, automation & analytics layer
Foundation✓ Shipped 19–20 Jun (PRs #21–#25) — security, approvals, RBAC, self-service
Immediate actionTeam review of this spec → lock four-pillar scope & Phase 1 plan