docs: create roadmap (5 phases)
@@ -0,0 +1,67 @@
|
||||
# Project State
|
||||
|
||||
**Project:** DocuVault
|
||||
**Status:** Planning
|
||||
**Current Phase:** —
|
||||
**Last Updated:** 2026-05-21
|
||||
|
||||
## Phase Status
|
||||
|
||||
| Phase | Name | Status |
|
||||
|---|---|---|
|
||||
| 1 | Infrastructure Foundation | Not Started |
|
||||
| 2 | Users & Authentication | Not Started |
|
||||
| 3 | Document Migration & Multi-User Isolation | Not Started |
|
||||
| 4 | Folders, Sharing, Quotas & Document UX | Not Started |
|
||||
| 5 | Cloud Storage Backends | Not Started |
|
||||
|
||||
## Current Position
|
||||
|
||||
**Phase:** —
|
||||
**Plan:** —
|
||||
**Progress:** ░░░░░░░░░░ 0%
|
||||
|
||||
## Performance Metrics
|
||||
|
||||
| Metric | Value |
|
||||
|---|---|
|
||||
| Phases complete | 0 / 5 |
|
||||
| Requirements mapped | 54 / 54 |
|
||||
| Plans written | 0 |
|
||||
| Plans complete | 0 |
|
||||
|
||||
## Accumulated Context
|
||||
|
||||
### Key Decisions
|
||||
|
||||
| Decision | Rationale |
|
||||
|---|---|
|
||||
| PostgreSQL + MinIO | Multi-user quotas and horizontal scaling require shared, consistent state |
|
||||
| HKDF per-user key derivation | Single Fernet key would be catastrophic on leak — must be derived before first credential is stored |
|
||||
| Presigned MinIO URL flow | FastAPI handles metadata only; bytes never pass through the API layer |
|
||||
| Atomic PostgreSQL quota UPDATE | Never perform quota arithmetic in Python between two DB statements |
|
||||
| JWT in httpOnly cookie | Refresh token in httpOnly cookie; access token in Pinia memory only — never localStorage |
|
||||
| Refresh token family revocation | RFC 9700 — reuse of a rotated token revokes entire family and alerts user |
|
||||
| BackgroundTasks replacement | FastAPI BackgroundTasks is per-instance; replace with Celery+Redis or pgqueuer before horizontal scale |
|
||||
| Admin impersonation excluded | Explicit architectural exclusion — no endpoint or UI pathway; violates privacy-first core value |
|
||||
|
||||
### Open Questions
|
||||
|
||||
- Celery + Redis vs pgqueuer for Phase 3 (depends on Redis availability in deployment target)
|
||||
- Verify cloud SDK minor versions on PyPI before Phase 5 pinning
|
||||
- Confirm PyOTP `valid_window` default in current docs (recommend `valid_window=1` for ±30s clock drift)
|
||||
- Audit existing codebase for any bcrypt hashes before removing passlib in Phase 2
|
||||
|
||||
### Blockers
|
||||
|
||||
None.
|
||||
|
||||
## Session Continuity
|
||||
|
||||
_Updated at each phase transition._
|
||||
|
||||
| Field | Value |
|
||||
|---|---|
|
||||
| Last session | 2026-05-21 — Roadmap created |
|
||||
| Next action | Run `/gsd:plan-phase 1` to begin Phase 1 planning |
|
||||
| Pending decisions | See Open Questions above |
|
||||
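Review bot: In the Key Decisions table, the "JWT in httpOnly cookie" row's Decision cell does not match its own Rationale: only the refresh token goes in the httpOnly cookie, while the access token is held in Pinia memory. Suggest renaming the decision to something like "Refresh token in httpOnly cookie, access token in memory" so a later phase plan cannot read it as placing the access JWT in a cookie. The same table also leaves a gap between "Presigned MinIO URL flow" and "Atomic PostgreSQL quota UPDATE": if bytes never pass through the API layer, one of those rows should say at which point in the upload the quota UPDATE runs and which size value it uses, since the API does not see the uploaded bytes.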