Skip to content

docs: plan email+password/magic-link/Entra auth, RBAC, and nav progress bar#22

Merged
rbrasier merged 11 commits into
mainfrom
claude/auth-trpc-roles-setup-4rdit9
Jun 27, 2026
Merged

docs: plan email+password/magic-link/Entra auth, RBAC, and nav progress bar#22
rbrasier merged 11 commits into
mainfrom
claude/auth-trpc-roles-setup-4rdit9

Conversation

@rbrasier

Copy link
Copy Markdown
Owner

Planning docs only (no code) for the auth-trpc-roles setup phase:

  • PRD covering composable auth, roles/permissions, and a 2px nav progress bar
  • ADR-005: composable auth methods (email+password base; magic-link & Entra OIDC options; core_accounts table)
  • ADR-006: RBAC roles & permissions with an immutable admin wildcard
  • Phase doc with build order, env vars, tests, and acceptance criteria

Target version 1.1.0 (MINOR).

Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW

claude added 11 commits June 26, 2026 21:04
…ss bar

Planning docs only (no code) for the auth-trpc-roles setup phase:
- PRD covering composable auth, roles/permissions, and a 2px nav progress bar
- ADR-005: composable auth methods (email+password base; magic-link & Entra OIDC options; core_accounts table)
- ADR-006: RBAC roles & permissions with an immutable admin wildcard
- Phase doc with build order, env vars, tests, and acceptance criteria

Target version 1.1.0 (MINOR).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
…pass

Extend the phase plan and PRD so email+password (default), magic-link, and
Entra options are selectable in both bootstrappers (scripts/init-project.sh
and packages/create), including Entra OIDC fields and env writes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- core_roles, core_permissions, core_role_permissions, core_user_roles tables + migration 0004
- domain: Role/Permission entities, repository ports, pure hasPermission policy + PERMISSION_CATALOG
- application: ListRoles/CreateRole/UpdateRole/DeleteRole/Assign/Remove/GetUserPermissions/ListPermissions
- admin role immutable (UpdateRole rejects), system roles non-deletable (DeleteRole rejects)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
Pin via pnpm overrides to clear advisories that pre-dated this branch and
blocked validate.sh section 13:
- vitest/@vitest/coverage-v8 -> v4 (critical: Vitest UI arbitrary file read)
- vite -> ^6.4.3 (high: server.fs.deny bypass)
- better-auth -> >=1.6.11 <1.7 (high: device auth approve/deny)
- @grpc/grpc-js -> >=1.14.4 (high: malformed request DoS)
- protobufjs -> >=7.6.1 (high: unbounded Any DoS)

All test suites pass under vitest 4; validate.sh fully green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
…er wiring

- DrizzleRoleRepository (role CRUD, permission-set replacement, user assignment, effective-permission resolution incl. everyone role)
- DrizzlePermissionRepository (catalog list)
- seedRbac: idempotent seed of everyone/admin system roles + permission catalog
- web container exposes role/permission repos + use cases; instrumentation.ts seeds RBAC at startup

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- shared: role input schemas (create/update/delete/assign)
- trpc: permissionProcedure(key) middleware; context resolves effective permissions (admin = wildcard)
- role router gated by roles.read / roles.manage / users.write
- /admin/roles page: create custom roles with permission checkboxes, edit/delete; admin role rendered locked (all permissions, immutable)
- admin nav gains Roles link

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- NavigationProgressProvider renders one fixed 2px top bar, shown while any
  ProgressLink reports a pending navigation (prefetch -> route change)
- ProgressLink wraps next/link and reports per-link useLinkStatus to a shared context
- mounted in root layout; admin nav links switched to ProgressLink
- indeterminate CSS animation added to globals.css; no new dependency

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- core_accounts table + email_verified/image (users) + ip_address/user_agent (sessions); migration 0005
- better-auth: AuthMethodsConfig (emailPassword base + optional magicLink/entra via microsoftEntraId genericOAuth); drizzle schema + snake_case field mapping for user/session/account/verification
- env: AUTH_METHOD default email-password; AUTH_ENABLE_MAGIC_LINK/ENTRA + ENTRA_* with required-when-enabled refinement
- container builds AuthMethodsConfig; auth-client adds genericOAuthClient
- login page: server-resolved enabled methods -> client form with password/magic-link/Microsoft options; middleware default updated
- installers (init-project.sh + packages/create) prompt for email-password default, magic-link/Entra toggles, Entra OIDC fields; .env.example updated; helpers test covers new keys

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
- bump VERSION + package.json to 1.1.0 (MINOR)
- move phase doc to implemented/v1.1.0 with implementation summary
- add changeset

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
The login page reads enabled auth methods via serverEnv(), which validates
DATABASE_URL/BETTER_AUTH_SECRET. Those are absent during `next build`, so static
prerendering threw a ZodError and failed CI. Force per-request rendering — the
enabled methods are runtime deploy config anyway.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
Section 22 runs `pnpm build` so prerender-time failures that tsc/lint/test miss
(like a server component reading validated env during static generation) are
caught locally, matching the CI build step.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ewa1QXiECffBLhV2XewhvW
@rbrasier rbrasier merged commit 356d969 into main Jun 27, 2026
4 checks passed
@rbrasier rbrasier deleted the claude/auth-trpc-roles-setup-4rdit9 branch June 27, 2026 00:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants