phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(core): implement Phase 1 foundation infrastructure

Browse Source 
Implements Phase 1 Foundation with all core services:

Core Components:
- Configuration management with GONDULF_ environment variables
- Database layer with SQLAlchemy and migration system
- In-memory code storage with TTL support
- Email service with SMTP and TLS support (STARTTLS + implicit TLS)
- DNS service with TXT record verification
- Structured logging with Python standard logging
- FastAPI application with health check endpoint

Database Schema:
- authorization_codes table for OAuth 2.0 authorization codes
- domains table for domain verification
- migrations table for tracking schema versions
- Simple sequential migration system (001_initial_schema.sql)

Configuration:
- Environment-based configuration with validation
- .env.example template with all GONDULF_ variables
- Fail-fast validation on startup
- Sensible defaults for optional settings

Testing:
- 96 comprehensive tests (77 unit, 5 integration)
- 94.16% code coverage (exceeds 80% requirement)
- All tests passing
- Test coverage includes:
  - Configuration loading and validation
  - Database migrations and health checks
  - In-memory storage with expiration
  - Email service (STARTTLS, implicit TLS, authentication)
  - DNS service (TXT records, domain verification)
  - Health check endpoint integration

Documentation:
- Implementation report with test results
- Phase 1 clarifications document
- ADRs for key decisions (config, database, email, logging)

Technical Details:
- Python 3.10+ with type hints
- SQLite with configurable database URL
- System DNS with public DNS fallback
- Port-based TLS detection (465=SSL, 587=STARTTLS)
- Lazy configuration loading for testability

Exit Criteria Met:
✓ All foundation services implemented
✓ Application starts without errors
✓ Health check endpoint operational
✓ Database migrations working
✓ Test coverage exceeds 80%
✓ All tests passing

Ready for Architect review and Phase 2 development.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil Skentelbery
2025-11-20 12:21:42 -07:00
parent 7255867fde
commit bebd47955f
39 changed files with 8134 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

650
docs/roadmap/backlog.md Normal file
View File

@@ -0,0 +1,650 @@
# Feature Backlog
This document tracks all planned features for Gondulf, sized using t-shirt sizes based on estimated implementation effort.
**T-shirt sizes**:
- **XS (Extra Small)**: < 1 day of implementation
- **S (Small)**: 1-2 days of implementation
- **M (Medium)**: 3-5 days of implementation
- **L (Large)**: 1-2 weeks of implementation
- **XL (Extra Large)**: 2+ weeks (should be broken down)
**Priority levels**:
- **P0**: Required for v1.0.0 (MVP blocker)
- **P1**: High priority for post-v1.0.0
- **P2**: Medium priority, nice to have
- **P3**: Low priority, future consideration
## v1.0.0 MVP Features (P0)
These features are REQUIRED for the first production-ready release.
### Core Infrastructure (M)
**What**: Basic FastAPI application structure, configuration management, error handling.
**Includes**:
- FastAPI app initialization
- Environment-based configuration (Pydantic Settings)
- Logging setup (structured logging)
- Error handling middleware
- Security headers middleware
- Health check endpoint
**Dependencies**: None
**Acceptance Criteria**:
- Application starts successfully
- Configuration loads from environment
- Logging outputs structured JSON
- /health endpoint returns 200 OK
- Security headers present on all responses
**Effort**: 3-5 days
---
### Database Schema & Storage Layer (S)
**What**: SQLite schema definition and SQLAlchemy Core setup.
**Includes**:
- SQLAlchemy Core connection setup
- Schema definition (tokens, domains tables)
- Migration approach (simple SQL files for v1.0.0)
- Connection pooling
- Database initialization script
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Database initializes on first run
- Tables created correctly
- SQLAlchemy Core queries work
- File permissions set correctly (600)
**Effort**: 1-2 days
---
### In-Memory Storage (XS)
**What**: TTL-based in-memory storage for authorization codes and email verification codes.
**Includes**:
- Python dict-based storage with expiration
- Automatic cleanup of expired entries
- Thread-safe operations (if needed)
- Storage interface abstraction (for future Redis migration)
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Codes expire after configured TTL
- Expired codes automatically removed
- Thread-safe operations
- Memory usage bounded
**Effort**: < 1 day
---
### Email Service (S)
**What**: SMTP-based email sending for verification codes.
**Includes**:
- SMTP configuration (host, port, credentials)
- Email template rendering
- Verification code email generation
- Error handling (connection failures, send failures)
- TLS/STARTTLS support
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Emails sent successfully via configured SMTP
- Templates render correctly
- Errors logged appropriately
- TLS connection established
**Effort**: 1-2 days
---
### DNS Service (S)
**What**: DNS TXT record verification for domain ownership.
**Includes**:
- DNS query implementation (using dnspython)
- TXT record validation logic
- Multi-resolver consensus (Google + Cloudflare)
- Timeout handling
- Result caching in database
**Dependencies**: Database Schema
**Acceptance Criteria**:
- TXT records verified correctly
- Multiple resolvers queried
- Timeouts handled gracefully
- Results cached in database
**Effort**: 1-2 days
---
### Domain Service (M)
**What**: Domain ownership validation and management.
**Includes**:
- Domain normalization
- TXT record verification flow
- Email verification flow (fallback)
- Domain ownership caching
- Periodic re-verification (background task)
**Dependencies**: Email Service, DNS Service, Database Schema
**Acceptance Criteria**:
- Both verification methods work
- TXT record preferred over email
- Verification results cached
- Re-verification scheduled correctly
**Effort**: 3-5 days
---
### Authorization Endpoint (M)
**What**: `/authorize` endpoint implementing IndieAuth authorization flow.
**Includes**:
- Request parameter validation (me, client_id, redirect_uri, state, response_type)
- Client metadata fetching (h-app microformat parsing)
- URL validation (open redirect prevention)
- User consent form rendering
- Authorization code generation
- Redirect to client with code + state
**Dependencies**: Domain Service, In-Memory Storage
**Acceptance Criteria**:
- All parameters validated per spec
- Client metadata fetched and displayed
- User consent required
- Authorization codes generated securely
- Redirects work correctly
- Errors handled per OAuth 2.0 spec
**Effort**: 3-5 days
---
### Token Endpoint (S)
**What**: `/token` endpoint implementing token exchange.
**Includes**:
- Request parameter validation (grant_type, code, client_id, redirect_uri, me)
- Authorization code verification
- Single-use code enforcement
- Access token generation
- Token storage (hashed)
- JSON response formatting
**Dependencies**: Authorization Endpoint, Database Schema
**Acceptance Criteria**:
- All parameters validated
- Codes verified correctly
- Single-use enforced (replay prevention)
- Tokens generated securely
- Tokens stored as hashes
- Response format per spec
**Effort**: 1-2 days
---
### Metadata Endpoint (XS)
**What**: `/.well-known/oauth-authorization-server` discovery endpoint.
**Includes**:
- Static JSON response
- Endpoint URLs
- Supported features list
- Caching headers
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Returns valid JSON per RFC 8414
- Correct endpoint URLs
- Cache-Control headers set
**Effort**: < 1 day
---
### Email Verification UI (S)
**What**: Web forms for email verification flow.
**Includes**:
- Email address input form
- Verification code input form
- Error message display
- Success/failure feedback
- Basic styling (minimal, functional)
**Dependencies**: Email Service, Domain Service
**Acceptance Criteria**:
- Forms render correctly
- Client-side validation
- Error messages clear
- Accessible (WCAG AA)
**Effort**: 1-2 days
---
### Authorization Consent UI (S)
**What**: User consent screen for authorization.
**Includes**:
- Client information display (name, icon, URL)
- Domain identity display (me parameter)
- Approve/Deny buttons
- Security warnings (if redirect_uri differs)
- Basic styling (minimal, functional)
**Dependencies**: Authorization Endpoint
**Acceptance Criteria**:
- Client info displayed correctly
- User can approve/deny
- Security warnings shown when appropriate
- Accessible (WCAG AA)
**Effort**: 1-2 days
---
### Security Hardening (S)
**What**: Implementation of all v1.0.0 security requirements.
**Includes**:
- HTTPS enforcement (production)
- Security headers (HSTS, CSP, etc.)
- Constant-time token comparison
- Input sanitization
- SQL injection prevention (parameterized queries)
- Logging security (no PII)
**Dependencies**: All endpoints
**Acceptance Criteria**:
- HTTPS enforced in production
- All security headers present
- No timing attack vulnerabilities
- No SQL injection vulnerabilities
- Logs contain no PII
**Effort**: 1-2 days
---
### Deployment Configuration (S)
**What**: Docker setup and deployment documentation.
**Includes**:
- Dockerfile (multi-stage build)
- docker-compose.yml (for testing)
- Environment variable documentation
- Backup script (SQLite file copy)
- Health check configuration
**Dependencies**: All features
**Acceptance Criteria**:
- Docker image builds successfully
- Container runs properly
- Environment variables documented
- Backup script works
- Health checks pass
**Effort**: 1-2 days
---
### Comprehensive Test Suite (L)
**What**: 80%+ code coverage with unit, integration, and e2e tests.
**Includes**:
- Unit tests for all services
- Integration tests for endpoints
- End-to-end IndieAuth flow tests
- Security tests (timing attacks, injection, etc.)
- Compliance tests (W3C spec verification)
**Dependencies**: All features
**Acceptance Criteria**:
- 80%+ overall coverage
- 95%+ coverage for auth/token/security code
- All tests passing
- Fast execution (< 1 minute for unit tests)
**Effort**: 1-2 weeks (parallel with development)
---
## Post-v1.0.0 Features
### PKCE Support (S)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: Implement Proof Key for Code Exchange (RFC 7636) for enhanced security.
**Includes**:
- Accept `code_challenge` and `code_challenge_method` in /authorize
- Validate `code_verifier` in /token
- Support S256 challenge method
- Update metadata endpoint
**Effort**: 1-2 days
**Rationale**: Deferred from v1.0.0 per ADR-003 for MVP simplicity. Should be added in v1.1.0.
---
### Token Revocation (S)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: `/token/revoke` endpoint per RFC 7009.
**Includes**:
- Revocation endpoint implementation
- Mark tokens as revoked in database
- Return appropriate responses
- Update metadata endpoint
**Effort**: 1-2 days
---
### Token Refresh (M)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: Refresh token support for long-lived sessions.
**Includes**:
- Refresh token generation and storage
- `refresh_token` grant type support
- Rotation of refresh tokens (security best practice)
- Expiration management
**Effort**: 3-5 days
---
### Rate Limiting (M)
**Priority**: P1
**Dependencies**: Core Infrastructure
**What**: Request rate limiting to prevent abuse.
**Includes**:
- Redis-based rate limiting
- Per-endpoint limits
- Per-IP and per-client_id limits
- Exponential backoff on failures
- Rate limit headers (X-RateLimit-*)
**Effort**: 3-5 days
**Note**: Requires Redis, breaking single-process assumption.
---
### Admin Dashboard (L)
**Priority**: P2
**Dependencies**: All v1.0.0 features
**What**: Web-based admin interface for server management.
**Includes**:
- Active tokens view
- Domain verification status
- Revoke tokens manually
- View audit logs
- Configuration management
**Effort**: 1-2 weeks
---
### Client Pre-Registration (M)
**Priority**: P2
**Dependencies**: Authorization Endpoint
**What**: Allow admin to pre-register known clients.
**Includes**:
- Client registration UI (admin-only)
- Store registered clients in database
- Skip metadata fetching for registered clients
- Manage redirect URIs per client
**Effort**: 3-5 days
**Note**: Not required per spec, but useful for trusted clients.
---
### Token Introspection (S)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: `/token/verify` endpoint for resource servers.
**Includes**:
- Verify token validity
- Return token metadata (me, client_id, scope)
- Support Bearer authentication
- Rate limiting
**Effort**: 1-2 days
---
### Scope Support (Authorization) (L)
**Priority**: P1
**Dependencies**: Token Endpoint, Token Introspection
**What**: Full OAuth 2.0 scope-based authorization.
**Includes**:
- Scope validation and parsing
- Scope consent UI (checkboxes)
- Token scope storage and verification
- Scope-based access control
- Standard scopes (profile, email, create, update, delete)
**Effort**: 1-2 weeks
**Note**: Major feature, expands from authentication to authorization.
---
### GitHub/GitLab Providers (M)
**Priority**: P2
**Dependencies**: Domain Service
**What**: Alternative authentication via GitHub/GitLab (like IndieLogin).
**Includes**:
- OAuth 2.0 client for GitHub/GitLab
- Link GitHub username to domain (via profile URL)
- Verify domain ownership via GitHub/GitLab profile
- Provider selection UI
**Effort**: 3-5 days
**Note**: Per user request, email-only in v1.0.0. This is future enhancement.
---
### WebAuthn Support (L)
**Priority**: P2
**Dependencies**: Domain Service
**What**: Passwordless authentication via WebAuthn (FIDO2).
**Includes**:
- WebAuthn registration flow
- WebAuthn authentication flow
- Credential storage
- Browser compatibility
- Fallback to email
**Effort**: 1-2 weeks
---
### PostgreSQL Support (S)
**Priority**: P2
**Dependencies**: Database Schema
**What**: Support PostgreSQL as alternative to SQLite.
**Includes**:
- Connection configuration
- Schema adaptation (minimal changes)
- Migration from SQLite
- Documentation
**Effort**: 1-2 days
**Note**: SQLAlchemy Core makes this trivial.
---
### Prometheus Metrics (S)
**Priority**: P2
**Dependencies**: Core Infrastructure
**What**: `/metrics` endpoint for Prometheus scraping.
**Includes**:
- Request counters (by endpoint, status)
- Response time histograms
- Token generation rate
- Email send success rate
- Error rate by type
**Effort**: 1-2 days
---
### Internationalization (M)
**Priority**: P3
**Dependencies**: UI components
**What**: Multi-language support for user-facing pages.
**Includes**:
- i18n framework (Babel)
- English (default)
- Extract translatable strings
- Translation workflow
**Effort**: 3-5 days
**Note**: Low priority, English-first acceptable for MVP.
---
## Technical Debt
Technical debt items are tracked here with a DEBT: prefix. Per project standards, each release must allocate at least 10% of effort to technical debt reduction.
### DEBT: Add Redis for session storage (M)
**Created**: 2025-11-20 (architectural decision)
**Priority**: P2
**Issue**: In-memory storage doesn't survive restarts.
**Impact**: Authorization codes and email codes lost on restart.
**Mitigation (current)**: Codes are short-lived (10-15 min), restart impact minimal.
**Effort to Fix**: 3-5 days (Redis integration, deployment changes)
**Plan**: Address when scaling beyond single process or when restarts become frequent.
---
### DEBT: Implement schema migrations (S)
**Created**: 2025-11-20 (architectural decision)
**Priority**: P2
**Issue**: No formal migration system, using raw SQL files.
**Impact**: Schema changes require manual intervention.
**Mitigation (current)**: Simple schema, infrequent changes acceptable for v1.0.0.
**Effort to Fix**: 1-2 days (Alembic integration)
**Plan**: Address before v1.1.0 when schema changes become more frequent.
---
## Backlog Management
### Adding New Features
When adding features to the backlog:
1. Define clear scope and acceptance criteria
2. Assign t-shirt size
3. Assign priority (P0-P3)
4. Identify dependencies
5. Estimate effort in days
6. Add to appropriate section
### Prioritization Criteria
Features are prioritized based on:
1. **MVP requirement**: Is it required for v1.0.0?
2. **Security impact**: Does it improve security?
3. **User value**: How much does it benefit users?
4. **Complexity**: Simpler features prioritized when value equal
5. **Dependencies**: Features blocking others prioritized
### Technical Debt Policy
- Minimum 10% effort per release allocated to technical debt
- Technical debt items must have:
- Creation date
- Issue description
- Current impact and mitigation
- Effort to fix
- Resolution plan
- Debt reviewed quarterly, re-prioritized based on impact
## Version Planning
See version-specific roadmap files:
- `/docs/roadmap/v1.0.0.md` - MVP features and plan
- `/docs/roadmap/v1.1.0.md` - First post-MVP release (future)
- `/docs/roadmap/v2.0.0.md` - Major feature release (future)
## Estimation Accuracy
After each feature implementation, review estimation accuracy:
- Compare actual effort vs. estimated
- Update t-shirt size if significantly different
- Document lessons learned
- Adjust future estimates accordingly
Current estimation baseline: TBD (will be established after v1.0.0 completion)

593
docs/roadmap/v1.0.0.md Normal file
View File

@@ -0,0 +1,593 @@
# Version 1.0.0 Release Plan
## Release Overview
**Target Version**: 1.0.0
**Release Type**: Initial MVP (Minimum Viable Product)
**Target Date**: TBD (6-8 weeks from project start)
**Status**: Planning
## Release Goals
### Primary Objective
Deliver a production-ready, W3C IndieAuth-compliant authentication server that:
1. Allows users to authenticate using their domain as their identity
2. Supports email-based domain ownership verification
3. Enables any compliant IndieAuth client to authenticate successfully
4. Operates securely in a Docker-based deployment
5. Supports 10s of users with room to scale
### Success Criteria
**Functional**:
- ✅ Complete IndieAuth authentication flow (authorization + token exchange)
- ✅ Email-based domain ownership verification
- ✅ DNS TXT record verification (preferred method)
- ✅ Secure token generation and storage
- ✅ Client metadata fetching (h-app microformat)
**Quality**:
- ✅ 80%+ overall test coverage
- ✅ 95%+ coverage for authentication/token/security code
- ✅ All security best practices implemented
- ✅ Comprehensive documentation
**Operational**:
- ✅ Docker deployment ready
- ✅ Simple SQLite backup strategy
- ✅ Health check endpoint
- ✅ Structured logging
**Compliance**:
- ✅ W3C IndieAuth specification compliance
- ✅ OAuth 2.0 error responses
- ✅ Security headers and HTTPS enforcement
## Feature Scope
### Included Features (P0)
All features listed below are REQUIRED for v1.0.0 release.
| Feature | Size | Effort (days) | Dependencies |
|---------|------|---------------|--------------|
| Core Infrastructure | M | 3-5 | None |
| Database Schema & Storage Layer | S | 1-2 | Core Infrastructure |
| In-Memory Storage | XS | <1 | Core Infrastructure |
| Email Service | S | 1-2 | Core Infrastructure |
| DNS Service | S | 1-2 | Database Schema |
| Domain Service | M | 3-5 | Email, DNS, Database |
| Authorization Endpoint | M | 3-5 | Domain Service, In-Memory |
| Token Endpoint | S | 1-2 | Authorization Endpoint, Database |
| Metadata Endpoint | XS | <1 | Core Infrastructure |
| Email Verification UI | S | 1-2 | Email Service, Domain Service |
| Authorization Consent UI | S | 1-2 | Authorization Endpoint |
| Security Hardening | S | 1-2 | All endpoints |
| Deployment Configuration | S | 1-2 | All features |
| Comprehensive Test Suite | L | 10-14 | All features (parallel) |
**Total Estimated Effort**: 32-44 days of development + testing
### Explicitly Excluded Features
These features are intentionally deferred to post-v1.0.0 releases:
**Excluded (for simplicity)**:
- ❌ PKCE support (planned for v1.1.0, see ADR-003)
- ❌ Token refresh (planned for v1.1.0)
- ❌ Token revocation (planned for v1.1.0)
- ❌ Scope-based authorization (planned for v1.2.0)
- ❌ Rate limiting (planned for v1.1.0)
**Excluded (not needed for MVP)**:
- ❌ Admin dashboard (planned for v1.2.0)
- ❌ Client pre-registration (planned for v1.2.0)
- ❌ Alternative auth providers (GitHub/GitLab) (planned for v1.3.0)
- ❌ WebAuthn support (planned for v2.0.0)
- ❌ PostgreSQL support (planned for v1.2.0)
- ❌ Prometheus metrics (planned for v1.1.0)
**Rationale**: Focus on core authentication functionality with minimal complexity. Additional features add value but increase risk and development time. MVP should prove the concept and gather user feedback.
## Implementation Plan
### Phase 1: Foundation (Week 1-2)
**Goal**: Establish application foundation and core services.
**Features**:
1. Core Infrastructure (M) - 3-5 days
2. Database Schema & Storage Layer (S) - 1-2 days
3. In-Memory Storage (XS) - <1 day
4. Email Service (S) - 1-2 days
5. DNS Service (S) - 1-2 days
**Deliverables**:
- FastAPI application running
- Configuration management working
- SQLite database initialized
- Email sending functional
- DNS queries working
- Unit tests for all services (80%+ coverage)
**Risks**:
- SMTP configuration issues (mitigation: test with real SMTP early)
- DNS query timeouts (mitigation: implement retries and fallback)
**Exit Criteria**:
- All foundation services have passing unit tests
- Application starts without errors
- Health check endpoint returns 200
- Email can be sent successfully
- DNS queries resolve correctly
---
### Phase 2: Domain Verification (Week 2-3)
**Goal**: Implement complete domain ownership verification flows.
**Features**:
1. Domain Service (M) - 3-5 days
2. Email Verification UI (S) - 1-2 days
**Deliverables**:
- TXT record verification working
- Email verification flow complete
- Domain ownership caching in database
- User-facing verification forms
- Integration tests for both verification methods
**Risks**:
- Email delivery failures (mitigation: comprehensive error handling)
- DNS propagation delays (mitigation: cache results, allow retry)
- UI/UX complexity (mitigation: keep forms minimal)
**Exit Criteria**:
- Both verification methods work end-to-end
- TXT record verification preferred when available
- Email fallback works when TXT record absent
- Verification results cached in database
- UI forms accessible and functional
---
### Phase 3: IndieAuth Protocol (Week 3-5)
**Goal**: Implement core IndieAuth endpoints (authorization and token).
**Features**:
1. Authorization Endpoint (M) - 3-5 days
2. Token Endpoint (S) - 1-2 days
3. Metadata Endpoint (XS) - <1 day
4. Authorization Consent UI (S) - 1-2 days
**Deliverables**:
- /authorize endpoint with full validation
- /token endpoint with code exchange
- /.well-known/oauth-authorization-server metadata
- Client metadata fetching (h-app)
- User consent screen
- OAuth 2.0 compliant error responses
- Integration tests for full auth flow
**Risks**:
- Client metadata fetching failures (mitigation: timeouts, fallbacks)
- Open redirect vulnerabilities (mitigation: thorough URL validation)
- State parameter handling (mitigation: clear documentation, tests)
**Exit Criteria**:
- Authorization flow completes successfully
- Tokens generated and validated
- Client metadata displayed correctly
- All parameter validation working
- Error responses compliant with OAuth 2.0
- End-to-end tests pass
---
### Phase 4: Security & Hardening (Week 5-6)
**Goal**: Ensure all security requirements met and production-ready.
**Features**:
1. Security Hardening (S) - 1-2 days
2. Security testing - 2-3 days
**Deliverables**:
- HTTPS enforcement (production)
- Security headers on all responses
- Constant-time token comparison
- Input sanitization throughout
- SQL injection prevention verified
- No PII in logs
- Security test suite (timing attacks, injection, etc.)
- Security documentation review
**Risks**:
- Undiscovered vulnerabilities (mitigation: comprehensive security testing)
- Performance impact of security measures (mitigation: benchmark)
**Exit Criteria**:
- All security tests passing
- Security headers verified
- HTTPS enforced in production
- Timing attack tests pass
- SQL injection tests pass
- No sensitive data in logs
- External security review recommended (optional but encouraged)
---
### Phase 5: Deployment & Testing (Week 6-8)
**Goal**: Prepare for production deployment with comprehensive testing.
**Features**:
1. Deployment Configuration (S) - 1-2 days
2. Comprehensive Test Suite (L) - ongoing
3. Documentation review and updates - 2-3 days
4. Integration testing with real clients - 2-3 days
**Deliverables**:
- Dockerfile with multi-stage build
- docker-compose.yml for testing
- Backup script for SQLite
- Complete environment variable documentation
- 80%+ test coverage achieved
- All documentation reviewed and updated
- Tested with at least one real IndieAuth client
- Release notes prepared
**Risks**:
- Docker build issues (mitigation: test early and often)
- Interoperability issues with clients (mitigation: test multiple clients)
- Documentation gaps (mitigation: external review)
**Exit Criteria**:
- Docker image builds successfully
- Container runs in production-like environment
- All tests passing (unit, integration, e2e, security)
- Test coverage ≥80% overall, ≥95% for critical code
- Successfully authenticates with real IndieAuth client
- Documentation complete and accurate
- Release notes approved
---
## Testing Strategy
### Test Coverage Requirements
**Overall**: 80% minimum coverage
**Critical Paths** (auth, token, security): 95% minimum coverage
**New Code**: 90% coverage required
### Test Levels
**Unit Tests** (70% of test suite):
- All services (Domain, Email, DNS, Auth, Token)
- All utility functions
- Input validation
- Error handling
- Fast execution (<1 minute total)
**Integration Tests** (20% of test suite):
- Endpoint tests (FastAPI TestClient)
- Database operations
- Email sending (mocked SMTP)
- DNS queries (mocked resolver)
- Multi-component workflows
**End-to-End Tests** (10% of test suite):
- Complete authentication flow
- Email verification flow
- TXT record verification flow
- Error scenarios
- OAuth 2.0 error responses
**Security Tests**:
- Timing attack resistance (token verification)
- SQL injection prevention
- XSS prevention (HTML escaping)
- Open redirect prevention
- CSRF protection (state parameter)
- Input validation edge cases
**Compliance Tests**:
- W3C IndieAuth specification adherence
- OAuth 2.0 error response format
- Required parameters validation
- Optional parameters handling
### Test Execution
**Local Development**:
```bash
# All tests
uv run pytest
# With coverage
uv run pytest --cov=src/gondulf --cov-report=html --cov-report=term-missing
# Specific test level
uv run pytest -m unit
uv run pytest -m integration
uv run pytest -m e2e
uv run pytest -m security
```
**CI/CD Pipeline**:
- Run on every commit to main
- Run on all pull requests
- Block merge if tests fail
- Block merge if coverage drops
- Generate coverage reports
**Pre-release**:
- Full test suite execution
- Manual end-to-end testing
- Test with real IndieAuth clients
- Security scan (bandit, pip-audit)
- Performance baseline
---
## Risk Assessment
### High-Risk Areas
**Email Delivery**:
- **Risk**: SMTP configuration issues or delivery failures
- **Impact**: Users cannot verify domain ownership
- **Mitigation**:
- Comprehensive error handling and logging
- Test with real SMTP early in development
- Provide clear error messages to users
- Support TXT record as primary verification method
- **Contingency**: Admin can manually verify domains if email fails
**Security Vulnerabilities**:
- **Risk**: Security flaws in authentication/authorization logic
- **Impact**: Unauthorized access, data exposure
- **Mitigation**:
- Follow OAuth 2.0 security best practices
- Comprehensive security testing
- External security review (recommended)
- Conservative defaults
- **Contingency**: Rapid patch release if vulnerability found
**Interoperability**:
- **Risk**: Incompatibility with IndieAuth clients
- **Impact**: Clients cannot authenticate
- **Mitigation**:
- Strict W3C spec compliance
- Test with multiple clients
- Reference implementation comparison
- **Contingency**: Fix and patch release
### Medium-Risk Areas
**Client Metadata Fetching**:
- **Risk**: Timeout or parse failures when fetching client_id
- **Impact**: Poor UX (generic client display)
- **Mitigation**:
- Aggressive timeouts (5 seconds)
- Fallback to domain name
- Cache successful fetches
- **Contingency**: Display warning, continue with basic info
**DNS Resolution**:
- **Risk**: DNS query failures or timeouts
- **Impact**: TXT verification unavailable
- **Mitigation**:
- Multiple resolvers (Google + Cloudflare)
- Timeout handling
- Fallback to email verification
- **Contingency**: Email verification as alternative
**Database Performance**:
- **Risk**: SQLite performance degrades with usage
- **Impact**: Slow response times
- **Mitigation**:
- Indexes on critical columns
- Periodic cleanup of expired tokens
- Benchmark under load
- **Contingency**: Migrate to PostgreSQL if needed (already supported by SQLAlchemy)
### Low-Risk Areas
**Deployment**:
- **Risk**: Docker issues or configuration errors
- **Impact**: Cannot deploy
- **Mitigation**: Test deployment early, document thoroughly
**UI/UX**:
- **Risk**: Forms confusing or inaccessible
- **Impact**: User frustration
- **Mitigation**: Keep forms simple, test accessibility
---
## Release Checklist
### Pre-Release
- [ ] All P0 features implemented
- [ ] All tests passing (unit, integration, e2e, security)
- [ ] Test coverage ≥80% overall, ≥95% critical paths
- [ ] Security scan completed (bandit, pip-audit)
- [ ] Documentation complete and reviewed
- [ ] Tested with real IndieAuth client(s)
- [ ] Docker image builds successfully
- [ ] Deployment tested in production-like environment
- [ ] Environment variables documented
- [ ] Backup/restore procedure tested
- [ ] Release notes drafted
- [ ] Version bumped to 1.0.0 in pyproject.toml
### Security Review
- [ ] HTTPS enforcement verified
- [ ] Security headers present
- [ ] No PII in logs
- [ ] Constant-time comparisons verified
- [ ] SQL injection tests pass
- [ ] Open redirect tests pass
- [ ] CSRF protection verified
- [ ] Timing attack tests pass
- [ ] Input validation comprehensive
- [ ] External security review recommended (optional)
### Documentation Review
- [ ] README.md accurate and complete
- [ ] /docs/architecture/ documents accurate
- [ ] /docs/standards/ documents followed
- [ ] Installation guide tested
- [ ] Configuration guide complete
- [ ] Deployment guide tested
- [ ] API documentation generated (OpenAPI)
- [ ] Troubleshooting guide created
### Deployment Verification
- [ ] Docker image tagged with v1.0.0
- [ ] Docker image pushed to registry
- [ ] Test deployment successful
- [ ] Health check endpoint responds
- [ ] Logging working correctly
- [ ] Backup script functional
- [ ] Environment variables set correctly
- [ ] HTTPS certificate valid
### Release Publication
- [ ] Git tag created: v1.0.0
- [ ] GitHub release created with notes
- [ ] Docker image published
- [ ] Documentation published
- [ ] Announcement prepared (optional)
---
## Post-Release Activities
### Monitoring (First Week)
- Monitor logs for errors
- Track authentication success/failure rates
- Monitor email delivery success
- Monitor DNS query failures
- Monitor response times
- Collect user feedback
### Support
- Respond to bug reports within 24 hours
- Security issues: patch within 24-48 hours
- Feature requests: triage and add to backlog
- Documentation improvements: apply quickly
### Retrospective (After 2 Weeks)
- Review actual vs. estimated effort
- Document lessons learned
- Update estimation baseline
- Identify technical debt
- Plan v1.1.0 features
---
## Version 1.1.0 Preview
Tentative features for next release:
**High Priority**:
- PKCE support (ADR-003 resolution)
- Token revocation endpoint
- Rate limiting (Redis-based)
- Token introspection endpoint
**Medium Priority**:
- Token refresh
- Prometheus metrics
- Enhanced logging
**Technical Debt**:
- Schema migrations (Alembic)
- Redis integration (if scaling needed)
**Target**: 4-6 weeks after v1.0.0 release
---
## Success Metrics
### Release Success
The v1.0.0 release is successful if:
1. **Functional**: At least one real-world user successfully authenticates
2. **Quality**: No critical bugs reported in first week
3. **Security**: No security vulnerabilities reported in first month
4. **Operational**: Server runs stably for 1 week without restarts
5. **Compliance**: Successfully interoperates with ≥2 different IndieAuth clients
### User Success
Users are successful if:
1. Can verify domain ownership (either method) in <5 minutes
2. Can complete authentication flow in <2 minutes
3. Understand what is happening at each step
4. Feel secure about the process
5. Experience no unexpected errors
### Developer Success
Development process is successful if:
1. Actual effort within 20% of estimated effort
2. No major scope changes during development
3. Test coverage goals met
4. No cutting corners on security
5. Documentation kept up-to-date during development
---
## Budget
**Total Estimated Effort**: 32-44 days of development + 10-14 days of testing (parallel)
**Breakdown**:
- Phase 1 (Foundation): 7-11 days
- Phase 2 (Domain Verification): 4-7 days
- Phase 3 (IndieAuth Protocol): 6-9 days
- Phase 4 (Security): 3-5 days
- Phase 5 (Deployment & Testing): 5-8 days
- Testing (parallel throughout): 10-14 days
**Technical Debt Allocation**: 10% = 4-5 days
- Schema migration prep
- Redis integration groundwork
- Documentation improvements
**Total Timeline**: 6-8 weeks (assuming 1 developer, ~5 days/week)
---
## Approval
This release plan requires review and approval by:
- [x] Architect (design complete)
- [ ] Developer (feasibility confirmed)
- [ ] User (scope confirmed)
Once approved, this plan becomes the binding contract for v1.0.0 development.
**Approved by**: TBD
**Approval Date**: TBD
**Development Start Date**: TBD
**Target Release Date**: TBD