chore: update planning notes

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-11 01:02:12 +08:00
parent 0ef4b7c1ee
commit 869e2bb75b
3 changed files with 102 additions and 1 deletions
+39 -1
View File
@@ -4,7 +4,7 @@
Persist Brand Kits by authenticated user, bind one optional Brand Kit to each project/canvas, expose a canvas-header selector, and make every Agent Chat turn and newly created thread use the selected kit as authoritative creative context.
## Current Phase
Phase 5
Phase 7
## Phases
@@ -45,6 +45,29 @@ Phase 5
- [ ] Provide preview URL and concise implementation notes
- **Status:** pending
### Phase 7: Device Management Discovery and Design
- [x] Trace the existing account dialog, authentication gateway, and device API behavior
- [x] Define production-grade loading, empty, error, current-device, and destructive-action states
- **Status:** complete
### Phase 8: Device Management Implementation
- [ ] Implement the device management view and responsive styling in the existing account surface
- [ ] Wire list/remove-all behavior to the authenticated device API without changing unrelated account flows
- [ ] Make desktop/mobile session limits configuration-driven and return the effective policy from the device API
- [ ] Enforce each configured device-type limit atomically and render last-active timestamps in the browser timezone
- [ ] Add focused backend or frontend coverage where the repository supports it
- **Status:** in_progress
### Phase 9: Device Management Verification
- [ ] Run focused tests, frontend typecheck/build, and Go verification if backend code changes
- [ ] Inspect the authenticated desktop and mobile UI in a real browser
- **Status:** pending
### Phase 10: Device Management Delivery
- [ ] Review scope and final diff
- [ ] Provide the working preview URL and concise implementation notes
- **Status:** pending
## Invariants
- Brand Kits are owned and queried only through the authenticated user ID from request context.
- A project may reference zero or one Brand Kit owned by the same user.
@@ -52,6 +75,14 @@ Phase 5
- Server-side Agent Chat context is derived from the persisted project binding, never trusted from a client-supplied prompt.
- Home may request a Brand Kit ID only from the authenticated user's list; the server revalidates ownership before binding it.
- Deleting a Brand Kit clears project bindings to it.
- Device sessions are always scoped from the authenticated server-side user identity.
- Bulk device removal preserves the current session unless the product contract explicitly requires otherwise.
- New access and refresh tokens carry an opaque random session ID; the server validates that session before accepting the bearer token.
- Legacy access tokens without a session ID are migrated once from a stable token digest after user validation, preserving existing signed-in users.
- Revoked and expired sessions never authenticate or appear in the active-device list.
- Device metadata is derived from request headers for display only and never used as an authorization signal.
- Device timestamps cross the API boundary as RFC3339 UTC instants and are localized only in the browser's timezone.
- Desktop and mobile web-session limits come from server configuration; the API returns the effective values and the UI never hard-codes them.
## Errors Encountered
| Error | Attempt | Resolution |
@@ -64,3 +95,10 @@ Phase 5
| One patch to remove a temporary `err = nil` line used the wrong surrounding field name | 1 | Reapplied the patch against the exact current lines; no code change was lost. |
| Workspace import patch assumed a nonexistent `BrandMark` import | 1 | Located the actual import block and applied the selector change against current source. |
| First i18n patch used an inexact Chinese source string | 1 | Re-read the locale file and patched the exact key/value context. |
| Existing account-device test called removal without an authenticated session context | 1 | Update the test to resolve the issued bearer identity and assert the new current-session contract. |
| Preview backend rejected `/dev/stdin` because go-zero infers config format from the filename extension | 1 | Use a `.yaml` symlink to stdin so the transformed preview config retains a recognized extension without creating a repository config file. |
| A second Next development server refused to start because the existing repo-wide dev lock is active | 1 | Use the already-built Next production server on the alternate preview port. |
| BSD `sed` did not support the GNU `0,/pattern/` address used for the preview port substitution | 1 | Replace it with a portable anchored substitution; the backend now listens on 8889. |
| The in-app browser runtime reported no available browser backends | 1 | Keep the verified local preview running and report the browser-only visual inspection gap; do not substitute an unrelated browser surface against the browser skill rules. |
| Escaping the `psql \d` meta-command through Docker produced an invalid command | 1 | Query `information_schema.columns` and `pg_indexes` with regular SQL instead. |
| Desktop limit regression test observed two valid desktop sessions when the configured limit was 1 | 1 | Confirmed the limit was presentation-only; enforce it atomically during session creation and reconcile pre-fix sessions during device listing. |