Skip to content

docs: add phase v1.2.0 spec (auth pages, settings store, ADR-007)#24

Merged
rbrasier merged 1 commit into
mainfrom
claude/login-register-admin-settings-ma3xe1
Jun 27, 2026
Merged

docs: add phase v1.2.0 spec (auth pages, settings store, ADR-007)#24
rbrasier merged 1 commit into
mainfrom
claude/login-register-admin-settings-ma3xe1

Conversation

@rbrasier

Copy link
Copy Markdown
Owner

Summary

Add comprehensive planning and architectural documentation for phase v1.2.0, which introduces standalone authentication pages (login, register, password reset) and a runtime-configurable admin settings store backed by a single JSON field in the database.

Changes

  • docs/development/prd/admin-settings-auth-pages.prd.md — Product requirements document covering:

    • Problem statement (no password reset, no public registration page, no runtime config UI)
    • User personas and goals
    • Key entities and user stories
    • Pages/surfaces affected (/login, /register, /reset-password, rebuilt /admin/settings)
    • Database schema changes (admin_settings table, core_users.status column)
    • Acceptance criteria and risks
  • docs/development/adr/007-application-settings-store.adr.md — Architectural Decision Record for the settings store:

    • Single-row JSONB-backed storage with DB-over-env precedence
    • Encrypted secrets at rest (AES-256-GCM) via ISecretCipher port
    • Per-request AI resolution and lazy auth-instance refresh
    • Enforcement rules and consequences
  • docs/development/to-be-implemented/admin-settings-auth-pages.phase.md — Detailed phase specification including:

    • Scope (in/out), architecture, sub-components in build order
    • New environment variable (APP_SETTINGS_ENCRYPTION_KEY)
    • Acceptance criteria checklist
    • Risk matrix and representative test files
    • Indicative file changes across all packages

Notable Details

  • Establishes DB-over-env precedence: settings row is runtime source of truth; env seeds on first boot and serves as fallback
  • Secrets (API keys) stored encrypted in the JSON field; API never returns plaintext, only "set" / "unset" flags
  • Auth-instance refresh strategy deferred to Build phase (verify Better Auth rebuild cost in node_modules)
  • Reuses existing ADR-005 (composable auth) and ADR-006 (RBAC); introduces ADR-007 as new decision
  • Version bump: 1.1.01.2.0 (MINOR — new feature + DB schema change)

https://claude.ai/code/session_014RidJe5jrM3fWcena4hqBg

Add PRD, ADR-007, and phase doc for standalone login/register/reset-password
pages (email+password) and a runtime admin settings store at /admin/settings
backed by a single admin_settings JSON field. DB-over-env precedence, encrypted
secrets, and a registration-approval toggle.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014RidJe5jrM3fWcena4hqBg
@rbrasier rbrasier merged commit 5812471 into main Jun 27, 2026
4 checks passed
@rbrasier rbrasier deleted the claude/login-register-admin-settings-ma3xe1 branch June 27, 2026 06:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants