Document landed local auth in CLAUDE.md and ARCHITECTURE

Records the auth model (Argon2, opaque sessions, Bearer/cookie, email verify/reset behind AuthProvider/Mailer), supersedes the interim X-User-Id note, and adds integrations/ to the backend layout.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
2026-06-06 10:51:51 -04:00
parent 9f8dd960f4
commit e2edd4b2f1
2 changed files with 4 additions and 4 deletions
+2 -2
@@ -147,7 +147,7 @@ Three parts, deliberately separated:
- `AuthProvider` interface with implementations for **local** (password + email verification/reset), **OIDC** (validated against Authentik; expected to work with Keycloak, Auth0, etc.), and **social** (Google, Apple, Facebook).
- Operators enable any subset via config. This deployment will use Authentik (`auth.jpaul.io`) plus selected social providers; a bare self-hoster can run local-only.
- Sessions are backend-issued; the assistant principal is minted per-session and scoped to the acting user.
- *Phase 0 interim:* until the auth slice lands, the API identifies the caller via a temporary `X-User-Id` header shim (replaced by real sessions/tokens), and account creation is an open dev bootstrap. Every write still records an attributable actor in the audit log.
- *Status:* **local auth has landed** — Argon2id password hashing, opaque backend-issued sessions (only the token hash is stored; presented as a Bearer token or HttpOnly cookie), and email verification + password reset via the `Mailer` interface (console in dev, SMTP for operators). OIDC and social providers are Phase 5. Every write records an attributable actor in the audit log.
## 10. Search
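Review bot: The new *Status* bullet drops the old bullet's statement that account creation is an open dev bootstrap without saying whether signup is still open or is now gated on email verification, and it never states that the `X-User-Id` header is no longer accepted. Suggest one explicit clause for each, so a reader comparing against the interim note knows the shim is gone from the API and not only from the docs. Because sessions can be presented as an HttpOnly cookie, the bullet should also record the cookie's other attributes (Secure, SameSite) and how CSRF is handled on that path, along with session expiry and revocation, none of which it covers.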
@@ -179,7 +179,7 @@ Jobs are idempotent and retryable; an external failure degrades gracefully rathe
**Repository layout (as scaffolded):**
```
/backend # FastAPI, uv-managed. app/{api/v1, services (+privacy), repositories, models, schemas, core}; migrations/ = Alembic
/backend # FastAPI, uv-managed. app/{api/v1, services (+privacy), repositories, models, schemas, integrations (auth/mailer), core}; migrations/ = Alembic
/deploy # docker-compose.yml, Caddyfile, .env.example
/.gitea/workflows # Gitea Actions: build images → Gitea registry
/frontend # Next.js (pending)
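Review bot: In the `/backend` layout comment, `integrations (auth/mailer)` uses folder-style names while the Status bullet refers to the `AuthProvider` and `Mailer` interfaces; suggest saying that those interfaces live under `integrations` so the two sections can be cross-referenced by name. The summary reports 2 changed files, but only this file's hunks are visible here, so the CLAUDE.md side of the change could not be checked against this wording.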