logicspike/docs

Archive

LogicSpike Implementation Plan (Phase 5)

This document outlines the step-by-step execution plan for the Authentication & Team Management overhaul.


Phase 5.0: Environment Setup

  • Git Strategy: Create dev branch from main.
  • Feature Branch: Create feat/database-foundation from dev.
  • Merge: Merge feat/database-foundation into dev.

Phase 5.1: Database Foundation

Step 1: Migration Setup (Building Level)

  • Create migration to modify users table (Squashed for Multi-Tenancy):
    • Remove tenant_id (Decouple user from tenant).
    • Add default_tenant_id.
  • Create memberships table (The link).
  • Create invitations table.
  • Create roles table (System roles seed).

Step 2: Migration Setup (Floor Level)

  • Ensure posts, api_keys have tenant_id indexed (Deferred - posts table not in core schema yet).
  • Verify RLS policies (Deferred).

Phase 5.2: Authentication Implementation (apps/manager)

Step 3: Core Auth Logic (packages/core-auth)

  • Implement hashPassword / verifyPassword (Argon2; the original library was replaced with hash-wasm).
  • Implement generateToken / verifyToken (JWT with asymmetric keys; pending key management, HS256 is used for now).
  • Secure Gateway: Implement verifyGatewayRequest(request) helper to check GATEWAY_SECRET (supporting rotation).
  • Implement SessionService (Interact with Redis/DB for blacklisting - Deferred).
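As an added illustration of the verifyGatewayRequest helper described above (example code, not the project's own packages/core-auth implementation): the x-gateway-key header is compared in constant time against the current GATEWAY_SECRET and any previous secrets still accepted during a rotation window. The comma-separated GATEWAY_SECRET layout and the minimal request shape are assumptions.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Minimal request shape for this example: only the headers are needed.
// Header names are assumed lower-cased, as Node's HTTP layer does.
interface GatewayRequest {
  headers: Record<string, string | undefined>;
}

// The current secret plus any previous ones still accepted during a rollover,
// so the gateway and the service can be updated without a hard cutover.
interface GatewaySecrets {
  current: string;
  previous: string[];
}

// Assumed env layout: GATEWAY_SECRET="current,previous1,previous2".
function parseGatewaySecrets(raw: string | undefined): GatewaySecrets {
  const parts = (raw ?? "").split(",").map((s) => s.trim()).filter(Boolean);
  if (parts.length === 0) throw new Error("GATEWAY_SECRET is not configured");
  return { current: parts[0], previous: parts.slice(1) };
}

// Constant-time comparison. Hashing both sides first gives equal-length
// buffers, so timingSafeEqual never throws and the secret length is not leaked.
function secretsMatch(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

// Returns true only if x-gateway-key matches the current or a previous secret.
function verifyGatewayRequest(req: GatewayRequest, secrets: GatewaySecrets): boolean {
  const presented = req.headers["x-gateway-key"];
  if (!presented) return false;
  // Evaluate every candidate (no early return) so response time does not
  // reveal which slot, if any, matched.
  let ok = false;
  for (const candidate of [secrets.current, ...secrets.previous]) {
    ok = secretsMatch(presented, candidate) || ok;
  }
  return ok;
}
```

Once the rollover window closes, dropping the old value from GATEWAY_SECRET is all that is needed to stop accepting it.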

Step 4: Auth API Endpoints

  • POST /register: Create User -> Create Default Tenant -> Create Owner Membership.
  • POST /login: Email/Password -> Return tokens (or MFA challenge).
  • POST /auth/mfa/verify: Exchange 2FA code -> real tokens.
  • POST /login/phone: Send OTP (Passwordless).
  • POST /login/phone/verify: Verify OTP -> Tokens.
  • POST /auth/mfa/setup: Generate TOTP Secret (Shared Key).
  • POST /auth/mfa/enable: Confirm TOTP Code -> Enable 2FA.
  • POST /refresh: Rotation logic.
  • POST /logout: Cleanup.

Phase 5.3: Team Management Implementation (apps/manager)

Step 5: Team Logic

  • Implement InviteService: Generate token, send email (mock for now).
  • Implement MembershipService: Add user to tenant, check roles.

Step 6: Team API Endpoints

  • POST /invitations: Guard with team:members.invite.
  • GET /members: List with pagination.
  • PATCH /members/:id: Role updates.

Phase 5.4: Frontend Integration (apps/seller-dashboard)

Step 7: API Client

  • Fix Gateway Compliance: Update NextAuth and onboarding/route.ts to use NEXT_PUBLIC_GATEWAY_URL and send x-gateway-key.
  • Create src/modules/auth/api.ts.
  • Create src/modules/team/api.ts.
  • Implement AuthProvider context (Global state).

Step 8: UI Pages

  • Update /login & /register forms.
  • Create /dashboard/settings/team page (List members, Invite modal).

🛡️ Validation Checklist

  • Security: Can User A access User B's tenant? (Manual Penetration Test).
  • Standards: Does every API return the standard JSON envelope?
  • Performance: Do queries use tenant_id index?