docs: plan email+password/magic-link/Entra auth, RBAC, and nav progress bar#22
Merged
Conversation
…ss bar Planning docs only (no code) for the auth-trpc-roles setup phase: - PRD covering composable auth, roles/permissions, and a 2px nav progress bar - ADR-005: composable auth methods (email+password base; magic-link & Entra OIDC options; core_accounts table) - ADR-006: RBAC roles & permissions with an immutable admin wildcard - Phase doc with build order, env vars, tests, and acceptance criteria Target version 1.1.0 (MINOR). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
…pass Extend the phase plan and PRD so email+password (default), magic-link, and Entra options are selectable in both bootstrappers (scripts/init-project.sh and packages/create), including Entra OIDC fields and env writes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- core_roles, core_permissions, core_role_permissions, core_user_roles tables + migration 0004 - domain: Role/Permission entities, repository ports, pure hasPermission policy + PERMISSION_CATALOG - application: ListRoles/CreateRole/UpdateRole/DeleteRole/Assign/Remove/GetUserPermissions/ListPermissions - admin role immutable (UpdateRole rejects), system roles non-deletable (DeleteRole rejects) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
Pin via pnpm overrides to clear advisories that pre-dated this branch and blocked validate.sh section 13: - vitest/@vitest/coverage-v8 -> v4 (critical: Vitest UI arbitrary file read) - vite -> ^6.4.3 (high: server.fs.deny bypass) - better-auth -> >=1.6.11 <1.7 (high: device auth approve/deny) - @grpc/grpc-js -> >=1.14.4 (high: malformed request DoS) - protobufjs -> >=7.6.1 (high: unbounded Any DoS) All test suites pass under vitest 4; validate.sh fully green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
…er wiring - DrizzleRoleRepository (role CRUD, permission-set replacement, user assignment, effective-permission resolution incl. everyone role) - DrizzlePermissionRepository (catalog list) - seedRbac: idempotent seed of everyone/admin system roles + permission catalog - web container exposes role/permission repos + use cases; instrumentation.ts seeds RBAC at startup Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- shared: role input schemas (create/update/delete/assign) - trpc: permissionProcedure(key) middleware; context resolves effective permissions (admin = wildcard) - role router gated by roles.read / roles.manage / users.write - /admin/roles page: create custom roles with permission checkboxes, edit/delete; admin role rendered locked (all permissions, immutable) - admin nav gains Roles link Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- NavigationProgressProvider renders one fixed 2px top bar, shown while any ProgressLink reports a pending navigation (prefetch -> route change) - ProgressLink wraps next/link and reports per-link useLinkStatus to a shared context - mounted in root layout; admin nav links switched to ProgressLink - indeterminate CSS animation added to globals.css; no new dependency Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- core_accounts table + email_verified/image (users) + ip_address/user_agent (sessions); migration 0005 - better-auth: AuthMethodsConfig (emailPassword base + optional magicLink/entra via microsoftEntraId genericOAuth); drizzle schema + snake_case field mapping for user/session/account/verification - env: AUTH_METHOD default email-password; AUTH_ENABLE_MAGIC_LINK/ENTRA + ENTRA_* with required-when-enabled refinement - container builds AuthMethodsConfig; auth-client adds genericOAuthClient - login page: server-resolved enabled methods -> client form with password/magic-link/Microsoft options; middleware default updated - installers (init-project.sh + packages/create) prompt for email-password default, magic-link/Entra toggles, Entra OIDC fields; .env.example updated; helpers test covers new keys Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- bump VERSION + package.json to 1.1.0 (MINOR) - move phase doc to implemented/v1.1.0 with implementation summary - add changeset Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
The login page reads enabled auth methods via serverEnv(), which validates DATABASE_URL/BETTER_AUTH_SECRET. Those are absent during `next build`, so static prerendering threw a ZodError and failed CI. Force per-request rendering — the enabled methods are runtime deploy config anyway. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
Section 22 runs `pnpm build` so prerender-time failures that tsc/lint/test miss (like a server component reading validated env during static generation) are caught locally, matching the CI build step. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Planning docs only (no code) for the auth-trpc-roles setup phase:
Target version 1.1.0 (MINOR).
Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW