phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9135edfe8440417580409a9059400b6dfd626c36
Gondulf/docs/roadmap/backlog.md
Phil Skentelbery 6f06aebf40 docs: add Phase 2 domain verification design and clarifications 
Add comprehensive Phase 2 documentation:
- Complete design document for two-factor domain verification
- Implementation guide with code examples
- ADR for implementation decisions (ADR-0004)
- ADR for rel="me" email discovery (ADR-008)
- Phase 1 impact assessment
- All 23 clarification questions answered
- Updated architecture docs (indieauth-protocol, security)
- Updated ADR-005 with rel="me" approach
- Updated backlog with technical debt items

Design ready for Phase 2 implementation.

Generated with Claude Code https://claude.com/claude-code

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 13:05:09 -07:00

712 lines
17 KiB
Markdown
Raw Blame History

# Feature Backlog
This document tracks all planned features for Gondulf, sized using t-shirt sizes based on estimated implementation effort.
**T-shirt sizes**:
- **XS (Extra Small)**: < 1 day of implementation
- **S (Small)**: 1-2 days of implementation
- **M (Medium)**: 3-5 days of implementation
- **L (Large)**: 1-2 weeks of implementation
- **XL (Extra Large)**: 2+ weeks (should be broken down)
**Priority levels**:
- **P0**: Required for v1.0.0 (MVP blocker)
- **P1**: High priority for post-v1.0.0
- **P2**: Medium priority, nice to have
- **P3**: Low priority, future consideration
## v1.0.0 MVP Features (P0)
These features are REQUIRED for the first production-ready release.
### Core Infrastructure (M)
**What**: Basic FastAPI application structure, configuration management, error handling.
**Includes**:
- FastAPI app initialization
- Environment-based configuration (Pydantic Settings)
- Logging setup (structured logging)
- Error handling middleware
- Security headers middleware
- Health check endpoint
**Dependencies**: None
**Acceptance Criteria**:
- Application starts successfully
- Configuration loads from environment
- Logging outputs structured JSON
- /health endpoint returns 200 OK
- Security headers present on all responses
**Effort**: 3-5 days
---
### Database Schema & Storage Layer (S)
**What**: SQLite schema definition and SQLAlchemy Core setup.
**Includes**:
- SQLAlchemy Core connection setup
- Schema definition (tokens, domains tables)
- Migration approach (simple SQL files for v1.0.0)
- Connection pooling
- Database initialization script
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Database initializes on first run
- Tables created correctly
- SQLAlchemy Core queries work
- File permissions set correctly (600)
**Effort**: 1-2 days
---
### In-Memory Storage (XS)
**What**: TTL-based in-memory storage for authorization codes and email verification codes.
**Includes**:
- Python dict-based storage with expiration
- Automatic cleanup of expired entries
- Thread-safe operations (if needed)
- Storage interface abstraction (for future Redis migration)
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Codes expire after configured TTL
- Expired codes automatically removed
- Thread-safe operations
- Memory usage bounded
**Effort**: < 1 day
---
### Email Service (S)
**What**: SMTP-based email sending for verification codes.
**Includes**:
- SMTP configuration (host, port, credentials)
- Email template rendering
- Verification code email generation
- Error handling (connection failures, send failures)
- TLS/STARTTLS support
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Emails sent successfully via configured SMTP
- Templates render correctly
- Errors logged appropriately
- TLS connection established
**Effort**: 1-2 days
---
### DNS Service (S)
**What**: DNS TXT record verification for domain ownership.
**Includes**:
- DNS query implementation (using dnspython)
- TXT record validation logic
- Multi-resolver consensus (Google + Cloudflare)
- Timeout handling
- Result caching in database
**Dependencies**: Database Schema
**Acceptance Criteria**:
- TXT records verified correctly
- Multiple resolvers queried
- Timeouts handled gracefully
- Results cached in database
**Effort**: 1-2 days
---
### Domain Service (M)
**What**: Domain ownership validation and management.
**Includes**:
- Domain normalization
- TXT record verification flow
- Email verification flow (fallback)
- Domain ownership caching
- Periodic re-verification (background task)
**Dependencies**: Email Service, DNS Service, Database Schema
**Acceptance Criteria**:
- Both verification methods work
- TXT record preferred over email
- Verification results cached
- Re-verification scheduled correctly
**Effort**: 3-5 days
---
### Authorization Endpoint (M)
**What**: `/authorize` endpoint implementing IndieAuth authorization flow.
**Includes**:
- Request parameter validation (me, client_id, redirect_uri, state, response_type)
- Client metadata fetching (h-app microformat parsing)
- URL validation (open redirect prevention)
- User consent form rendering
- Authorization code generation
- Redirect to client with code + state
**Dependencies**: Domain Service, In-Memory Storage
**Acceptance Criteria**:
- All parameters validated per spec
- Client metadata fetched and displayed
- User consent required
- Authorization codes generated securely
- Redirects work correctly
- Errors handled per OAuth 2.0 spec
**Effort**: 3-5 days
---
### Token Endpoint (S)
**What**: `/token` endpoint implementing token exchange.
**Includes**:
- Request parameter validation (grant_type, code, client_id, redirect_uri, me)
- Authorization code verification
- Single-use code enforcement
- Access token generation
- Token storage (hashed)
- JSON response formatting
**Dependencies**: Authorization Endpoint, Database Schema
**Acceptance Criteria**:
- All parameters validated
- Codes verified correctly
- Single-use enforced (replay prevention)
- Tokens generated securely
- Tokens stored as hashes
- Response format per spec
**Effort**: 1-2 days
---
### Metadata Endpoint (XS)
**What**: `/.well-known/oauth-authorization-server` discovery endpoint.
**Includes**:
- Static JSON response
- Endpoint URLs
- Supported features list
- Caching headers
**Dependencies**: Core Infrastructure
**Acceptance Criteria**:
- Returns valid JSON per RFC 8414
- Correct endpoint URLs
- Cache-Control headers set
**Effort**: < 1 day
---
### Email Verification UI (S)
**What**: Web forms for email verification flow.
**Includes**:
- Email address input form
- Verification code input form
- Error message display
- Success/failure feedback
- Basic styling (minimal, functional)
**Dependencies**: Email Service, Domain Service
**Acceptance Criteria**:
- Forms render correctly
- Client-side validation
- Error messages clear
- Accessible (WCAG AA)
**Effort**: 1-2 days
---
### Authorization Consent UI (S)
**What**: User consent screen for authorization.
**Includes**:
- Client information display (name, icon, URL)
- Domain identity display (me parameter)
- Approve/Deny buttons
- Security warnings (if redirect_uri differs)
- Basic styling (minimal, functional)
**Dependencies**: Authorization Endpoint
**Acceptance Criteria**:
- Client info displayed correctly
- User can approve/deny
- Security warnings shown when appropriate
- Accessible (WCAG AA)
**Effort**: 1-2 days
---
### Security Hardening (S)
**What**: Implementation of all v1.0.0 security requirements.
**Includes**:
- HTTPS enforcement (production)
- Security headers (HSTS, CSP, etc.)
- Constant-time token comparison
- Input sanitization
- SQL injection prevention (parameterized queries)
- Logging security (no PII)
**Dependencies**: All endpoints
**Acceptance Criteria**:
- HTTPS enforced in production
- All security headers present
- No timing attack vulnerabilities
- No SQL injection vulnerabilities
- Logs contain no PII
**Effort**: 1-2 days
---
### Deployment Configuration (S)
**What**: Docker setup and deployment documentation.
**Includes**:
- Dockerfile (multi-stage build)
- docker-compose.yml (for testing)
- Environment variable documentation
- Backup script (SQLite file copy)
- Health check configuration
**Dependencies**: All features
**Acceptance Criteria**:
- Docker image builds successfully
- Container runs properly
- Environment variables documented
- Backup script works
- Health checks pass
**Effort**: 1-2 days
---
### Comprehensive Test Suite (L)
**What**: 80%+ code coverage with unit, integration, and e2e tests.
**Includes**:
- Unit tests for all services
- Integration tests for endpoints
- End-to-end IndieAuth flow tests
- Security tests (timing attacks, injection, etc.)
- Compliance tests (W3C spec verification)
**Dependencies**: All features
**Acceptance Criteria**:
- 80%+ overall coverage
- 95%+ coverage for auth/token/security code
- All tests passing
- Fast execution (< 1 minute for unit tests)
**Effort**: 1-2 weeks (parallel with development)
---
## Post-v1.0.0 Features
### PKCE Support (S)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: Implement Proof Key for Code Exchange (RFC 7636) for enhanced security.
**Includes**:
- Accept `code_challenge` and `code_challenge_method` in /authorize
- Validate `code_verifier` in /token
- Support S256 challenge method
- Update metadata endpoint
**Effort**: 1-2 days
**Rationale**: Deferred from v1.0.0 per ADR-003 for MVP simplicity. Should be added in v1.1.0.
---
### Token Revocation (S)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: `/token/revoke` endpoint per RFC 7009.
**Includes**:
- Revocation endpoint implementation
- Mark tokens as revoked in database
- Return appropriate responses
- Update metadata endpoint
**Effort**: 1-2 days
---
### Token Refresh (M)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: Refresh token support for long-lived sessions.
**Includes**:
- Refresh token generation and storage
- `refresh_token` grant type support
- Rotation of refresh tokens (security best practice)
- Expiration management
**Effort**: 3-5 days
---
### Rate Limiting (M)
**Priority**: P1
**Dependencies**: Core Infrastructure
**What**: Request rate limiting to prevent abuse.
**Includes**:
- Redis-based rate limiting
- Per-endpoint limits
- Per-IP and per-client_id limits
- Exponential backoff on failures
- Rate limit headers (X-RateLimit-*)
**Effort**: 3-5 days
**Note**: Requires Redis, breaking single-process assumption.
---
### Admin Dashboard (L)
**Priority**: P2
**Dependencies**: All v1.0.0 features
**What**: Web-based admin interface for server management.
**Includes**:
- Active tokens view
- Domain verification status
- Revoke tokens manually
- View audit logs
- Configuration management
**Effort**: 1-2 weeks
---
### Client Pre-Registration (M)
**Priority**: P2
**Dependencies**: Authorization Endpoint
**What**: Allow admin to pre-register known clients.
**Includes**:
- Client registration UI (admin-only)
- Store registered clients in database
- Skip metadata fetching for registered clients
- Manage redirect URIs per client
**Effort**: 3-5 days
**Note**: Not required per spec, but useful for trusted clients.
---
### Token Introspection (S)
**Priority**: P1
**Dependencies**: Token Endpoint
**What**: `/token/verify` endpoint for resource servers.
**Includes**:
- Verify token validity
- Return token metadata (me, client_id, scope)
- Support Bearer authentication
- Rate limiting
**Effort**: 1-2 days
---
### Scope Support (Authorization) (L)
**Priority**: P1
**Dependencies**: Token Endpoint, Token Introspection
**What**: Full OAuth 2.0 scope-based authorization.
**Includes**:
- Scope validation and parsing
- Scope consent UI (checkboxes)
- Token scope storage and verification
- Scope-based access control
- Standard scopes (profile, email, create, update, delete)
**Effort**: 1-2 weeks
**Note**: Major feature, expands from authentication to authorization.
---
### GitHub/GitLab Providers (M)
**Priority**: P2
**Dependencies**: Domain Service
**What**: Alternative authentication via GitHub/GitLab (like IndieLogin).
**Includes**:
- OAuth 2.0 client for GitHub/GitLab
- Link GitHub username to domain (via profile URL)
- Verify domain ownership via GitHub/GitLab profile
- Provider selection UI
**Effort**: 3-5 days
**Note**: Per user request, email-only in v1.0.0. This is future enhancement.
---
### WebAuthn Support (L)
**Priority**: P2
**Dependencies**: Domain Service
**What**: Passwordless authentication via WebAuthn (FIDO2).
**Includes**:
- WebAuthn registration flow
- WebAuthn authentication flow
- Credential storage
- Browser compatibility
- Fallback to email
**Effort**: 1-2 weeks
---
### PostgreSQL Support (S)
**Priority**: P2
**Dependencies**: Database Schema
**What**: Support PostgreSQL as alternative to SQLite.
**Includes**:
- Connection configuration
- Schema adaptation (minimal changes)
- Migration from SQLite
- Documentation
**Effort**: 1-2 days
**Note**: SQLAlchemy Core makes this trivial.
---
### Prometheus Metrics (S)
**Priority**: P2
**Dependencies**: Core Infrastructure
**What**: `/metrics` endpoint for Prometheus scraping.
**Includes**:
- Request counters (by endpoint, status)
- Response time histograms
- Token generation rate
- Email send success rate
- Error rate by type
**Effort**: 1-2 days
---
### Internationalization (M)
**Priority**: P3
**Dependencies**: UI components
**What**: Multi-language support for user-facing pages.
**Includes**:
- i18n framework (Babel)
- English (default)
- Extract translatable strings
- Translation workflow
**Effort**: 3-5 days
**Note**: Low priority, English-first acceptable for MVP.
---
## Technical Debt
Technical debt items are tracked here with a DEBT: prefix. Per project standards, each release must allocate at least 10% of effort to technical debt reduction.
### DEBT: TD-001 - FastAPI Lifespan Migration (XS)
**Created**: 2025-11-20 (Phase 1 review)
**Priority**: P2
**Component**: Core Infrastructure
**Issue**: Using deprecated `@app.on_event()` decorators instead of lifespan context manager.
**Impact**:
- Deprecation warnings in FastAPI 0.109+
- Will break in future FastAPI version
- Not following current best practices
**Current Mitigation**: Still works in current FastAPI version.
**Effort to Fix**: < 1 day
- Replace `@app.on_event("startup")` with lifespan context manager
- Update database initialization to use lifespan
- Update tests if needed
**Plan**: Address in v1.1.0 or during FastAPI upgrade.
**References**: FastAPI lifespan documentation
---
### DEBT: TD-002 - Database Migration Rollback Safety (S)
**Created**: 2025-11-20 (Phase 1 review)
**Priority**: P2
**Component**: Database Layer
**Issue**: No migration rollback capability. Migrations are one-way only.
**Impact**:
- Cannot easily roll back schema changes
- Requires manual SQL to undo migrations
- Risk during production deployments
**Current Mitigation**: Simple schema, manual SQL backups acceptable for v1.0.0.
**Effort to Fix**: 1-2 days
- Integrate Alembic for migration management
- Create rollback scripts for existing migrations
- Update deployment documentation
**Plan**: Address before v1.1.0 when schema changes become more frequent.
**References**: Alembic documentation
---
### DEBT: TD-003 - Async Email Support (S)
**Created**: 2025-11-20 (Phase 1 review)
**Priority**: P2
**Component**: Email Service
**Issue**: Synchronous SMTP blocks request thread during email sending.
**Impact**:
- Email sending delays response to user (1-5 seconds)
- Thread blocked during SMTP operation
- Poor UX during slow email delivery
**Current Mitigation**: Acceptable for low-volume v1.0.0. Timeout limits (10s) prevent long blocks.
**Effort to Fix**: 1-2 days
- Implement background task queue (FastAPI BackgroundTasks or Celery)
- Make email sending non-blocking
- Update UX to show "Sending email..." message
- Add retry logic for failed sends
**Plan**: Address in v1.1.0 when user volume increases or when UX feedback indicates issue.
**Alternative**: Use async SMTP library (aiosmtplib)
---
### DEBT: TD-004 - Add Redis for Session Storage (M)
**Created**: 2025-11-20 (architectural decision)
**Priority**: P2
**Component**: Storage Layer
**Issue**: In-memory storage doesn't survive restarts.
**Impact**: Authorization codes and email codes lost on restart.
**Mitigation (current)**: Codes are short-lived (10-15 min), restart impact minimal.
**Effort to Fix**: 3-5 days (Redis integration, deployment changes)
**Plan**: Address when scaling beyond single process or when restarts become frequent.
---
## Backlog Management
### Adding New Features
When adding features to the backlog:
1. Define clear scope and acceptance criteria
2. Assign t-shirt size
3. Assign priority (P0-P3)
4. Identify dependencies
5. Estimate effort in days
6. Add to appropriate section
### Prioritization Criteria
Features are prioritized based on:
1. **MVP requirement**: Is it required for v1.0.0?
2. **Security impact**: Does it improve security?
3. **User value**: How much does it benefit users?
4. **Complexity**: Simpler features prioritized when value equal
5. **Dependencies**: Features blocking others prioritized
### Technical Debt Policy
- Minimum 10% effort per release allocated to technical debt
- Technical debt items must have:
- Creation date
- Issue description
- Current impact and mitigation
- Effort to fix
- Resolution plan
- Debt reviewed quarterly, re-prioritized based on impact
## Version Planning
See version-specific roadmap files:
- `/docs/roadmap/v1.0.0.md` - MVP features and plan
- `/docs/roadmap/v1.1.0.md` - First post-MVP release (future)
- `/docs/roadmap/v2.0.0.md` - Major feature release (future)
## Estimation Accuracy
After each feature implementation, review estimation accuracy:
- Compare actual effort vs. estimated
- Update t-shirt size if significantly different
- Document lessons learned
- Adjust future estimates accordingly
Current estimation baseline: TBD (will be established after v1.0.0 completion)
Reference in New Issue View Git Blame Copy Permalink