chore: update planning notes
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
+39
-1
@@ -4,7 +4,7 @@
|
||||
Persist Brand Kits by authenticated user, bind one optional Brand Kit to each project/canvas, expose a canvas-header selector, and make every Agent Chat turn and newly created thread use the selected kit as authoritative creative context.
|
||||
|
||||
## Current Phase
|
||||
Phase 5
|
||||
Phase 7
|
||||
|
||||
## Phases
|
||||
|
||||
@@ -45,6 +45,29 @@ Phase 5
|
||||
- [ ] Provide preview URL and concise implementation notes
|
||||
- **Status:** pending
|
||||
|
||||
### Phase 7: Device Management Discovery and Design
|
||||
- [x] Trace the existing account dialog, authentication gateway, and device API behavior
|
||||
- [x] Define production-grade loading, empty, error, current-device, and destructive-action states
|
||||
- **Status:** complete
|
||||
|
||||
### Phase 8: Device Management Implementation
|
||||
- [ ] Implement the device management view and responsive styling in the existing account surface
|
||||
- [ ] Wire list/remove-all behavior to the authenticated device API without changing unrelated account flows
|
||||
- [ ] Make desktop/mobile session limits configuration-driven and return the effective policy from the device API
|
||||
- [ ] Enforce each configured device-type limit atomically and render last-active timestamps in the browser timezone
|
||||
- [ ] Add focused backend or frontend coverage where the repository supports it
|
||||
- **Status:** in_progress
|
||||
|
||||
### Phase 9: Device Management Verification
|
||||
- [ ] Run focused tests, frontend typecheck/build, and Go verification if backend code changes
|
||||
- [ ] Inspect the authenticated desktop and mobile UI in a real browser
|
||||
- **Status:** pending
|
||||
|
||||
### Phase 10: Device Management Delivery
|
||||
- [ ] Review scope and final diff
|
||||
- [ ] Provide the working preview URL and concise implementation notes
|
||||
- **Status:** pending
|
||||
|
||||
## Invariants
|
||||
- Brand Kits are owned and queried only through the authenticated user ID from request context.
|
||||
- A project may reference zero or one Brand Kit owned by the same user.
|
||||
@@ -52,6 +75,14 @@ Phase 5
|
||||
- Server-side Agent Chat context is derived from the persisted project binding, never trusted from a client-supplied prompt.
|
||||
- Home may request a Brand Kit ID only from the authenticated user's list; the server revalidates ownership before binding it.
|
||||
- Deleting a Brand Kit clears project bindings to it.
|
||||
- Device sessions are always scoped from the authenticated server-side user identity.
|
||||
- Bulk device removal preserves the current session unless the product contract explicitly requires otherwise.
|
||||
- New access and refresh tokens carry an opaque random session ID; the server validates that session before accepting the bearer token.
|
||||
- Legacy access tokens without a session ID are migrated once from a stable token digest after user validation, preserving existing signed-in users.
|
||||
- Revoked and expired sessions never authenticate or appear in the active-device list.
|
||||
- Device metadata is derived from request headers for display only and never used as an authorization signal.
|
||||
- Device timestamps cross the API boundary as RFC3339 UTC instants and are localized only in the browser's timezone.
|
||||
- Desktop and mobile web-session limits come from server configuration; the API returns the effective values and the UI never hard-codes them.
|
||||
|
||||
## Errors Encountered
|
||||
| Error | Attempt | Resolution |
|
||||
@@ -64,3 +95,10 @@ Phase 5
|
||||
| One patch to remove a temporary `err = nil` line used the wrong surrounding field name | 1 | Reapplied the patch against the exact current lines; no code change was lost. |
|
||||
| Workspace import patch assumed a nonexistent `BrandMark` import | 1 | Located the actual import block and applied the selector change against current source. |
|
||||
| First i18n patch used an inexact Chinese source string | 1 | Re-read the locale file and patched the exact key/value context. |
|
||||
| Existing account-device test called removal without an authenticated session context | 1 | Update the test to resolve the issued bearer identity and assert the new current-session contract. |
|
||||
| Preview backend rejected `/dev/stdin` because go-zero infers config format from the filename extension | 1 | Use a `.yaml` symlink to stdin so the transformed preview config retains a recognized extension without creating a repository config file. |
|
||||
| A second Next development server refused to start because the existing repo-wide dev lock is active | 1 | Use the already-built Next production server on the alternate preview port. |
|
||||
| BSD `sed` did not support the GNU `0,/pattern/` address used for the preview port substitution | 1 | Replace it with a portable anchored substitution; the backend now listens on 8889. |
|
||||
| The in-app browser runtime reported no available browser backends | 1 | Keep the verified local preview running and report the browser-only visual inspection gap; do not substitute an unrelated browser surface against the browser skill rules. |
|
||||
| Escaping the `psql \d` meta-command through Docker produced an invalid command | 1 | Query `information_schema.columns` and `pg_indexes` with regular SQL instead. |
|
||||
| Desktop limit regression test observed two valid desktop sessions when the configured limit was 1 | 1 | Confirmed the limit was presentation-only; enforce it atomically during session creation and reconcile pre-fix sessions during device listing. |
|
||||
|
||||
Reference in New Issue
Block a user