phil/StarPunk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
caabf0087e17c8a5f79dcb1eba5481c9928bf9cc
StarPunk/docs/projectplan/v1/feature-scope.md
Phil Skentelbery a68fd570c7 that initial commit
2025-11-18 19:21:31 -07:00

408 lines
16 KiB
Markdown
Raw Blame History

# StarPunk V1 Feature Scope
## Purpose
This document clearly defines what is IN SCOPE and OUT OF SCOPE for StarPunk V1. This helps maintain focus and prevents scope creep while implementing the minimal viable IndieWeb CMS.
---
## V1 Core Philosophy
"Every line of code must justify its existence. When in doubt, leave it out."
V1 is intentionally minimal. The goal is a working, standards-compliant IndieWeb CMS that does ONE thing well: publish short notes with maximum simplicity and data ownership.
---
## IN SCOPE for V1
### Authentication & Authorization
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| IndieLogin.com OAuth flow | IN SCOPE | REQUIRED | ADR-005 |
| Session-based admin auth | IN SCOPE | REQUIRED | 30-day sessions |
| Single authorized user (ADMIN_ME) | IN SCOPE | REQUIRED | Config-based |
| Secure session cookies | IN SCOPE | REQUIRED | HttpOnly, Secure, SameSite |
| CSRF protection (state tokens) | IN SCOPE | REQUIRED | OAuth state param |
| Logout functionality | IN SCOPE | REQUIRED | Delete session |
| Micropub bearer tokens | IN SCOPE | REQUIRED | For API access |
**Why**: Authentication is core requirement for admin access and IndieWeb compliance.
---
### Notes Management
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| Create note (markdown) | IN SCOPE | REQUIRED | Web form + Micropub |
| Read note (single) | IN SCOPE | REQUIRED | By slug |
| List notes (all/published) | IN SCOPE | REQUIRED | Paginated |
| Update note | IN SCOPE | REQUIRED | Web form |
| Delete note | IN SCOPE | REQUIRED | Soft delete |
| Published/draft status | IN SCOPE | REQUIRED | Boolean flag |
| Timestamps (created, updated) | IN SCOPE | REQUIRED | Automatic |
| Unique slugs (URL-safe) | IN SCOPE | REQUIRED | Auto-generated |
| File-based storage (markdown) | IN SCOPE | REQUIRED | ADR-004 |
| Database metadata | IN SCOPE | REQUIRED | SQLite |
| File/DB sync | IN SCOPE | REQUIRED | Atomic operations |
| Content hash (integrity) | IN SCOPE | REQUIRED | SHA-256 |
**Why**: Notes are the core entity. File+DB hybrid provides portability + performance.
---
### Web Interface (Public)
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| Homepage (note list) | IN SCOPE | REQUIRED | Reverse chronological |
| Note permalink page | IN SCOPE | REQUIRED | Individual note view |
| Responsive design | IN SCOPE | REQUIRED | Mobile-first CSS |
| Semantic HTML5 | IN SCOPE | REQUIRED | Valid markup |
| Microformats2 markup | IN SCOPE | REQUIRED | h-entry, h-card, h-feed |
| RSS feed auto-discovery | IN SCOPE | REQUIRED | Link rel="alternate" |
| Basic CSS styling | IN SCOPE | REQUIRED | ~200 lines |
| Server-side rendering | IN SCOPE | REQUIRED | Jinja2 templates |
**Why**: Public interface is how notes are consumed. Microformats are IndieWeb requirement.
---
### Web Interface (Admin)
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| Login page | IN SCOPE | REQUIRED | IndieLogin form |
| Admin dashboard | IN SCOPE | REQUIRED | List all notes |
| Create note form | IN SCOPE | REQUIRED | Markdown textarea |
| Edit note form | IN SCOPE | REQUIRED | Pre-filled form |
| Delete note button | IN SCOPE | REQUIRED | With confirmation |
| Logout button | IN SCOPE | REQUIRED | Clear session |
| Flash messages (errors/success) | IN SCOPE | REQUIRED | User feedback |
| Protected routes (@require_auth) | IN SCOPE | REQUIRED | Auth decorator |
**Why**: Admin interface is essential for creating/managing notes without external tools.
---
### Micropub Support
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| Micropub endpoint (/api/micropub) | IN SCOPE | REQUIRED | POST + GET |
| Create h-entry (note) | IN SCOPE | REQUIRED | JSON + form-encoded |
| Query config (q=config) | IN SCOPE | REQUIRED | Return capabilities |
| Query source (q=source) | IN SCOPE | REQUIRED | Return note by URL |
| Bearer token authentication | IN SCOPE | REQUIRED | Authorization header |
| Scope validation (create/post) | IN SCOPE | REQUIRED | Check token scope |
| Endpoint discovery (link rel) | IN SCOPE | REQUIRED | In HTML head |
| Micropub spec compliance | IN SCOPE | REQUIRED | Pass micropub.rocks |
**Why**: Micropub is core IndieWeb standard. Enables publishing from external clients.
---
### RSS Feed
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| RSS 2.0 feed (/feed.xml) | IN SCOPE | REQUIRED | Valid XML |
| All published notes | IN SCOPE | REQUIRED | Limit 50 most recent |
| Valid RSS structure | IN SCOPE | REQUIRED | Pass W3C validator |
| RFC-822 date format | IN SCOPE | REQUIRED | pubDate element |
| CDATA-wrapped content | IN SCOPE | REQUIRED | Rendered HTML |
| Feed metadata (title, link, desc) | IN SCOPE | REQUIRED | From config |
| Cache-Control headers | IN SCOPE | REQUIRED | 5 minute cache |
**Why**: RSS is core requirement for syndication. Standard feed format.
---
### Data Management
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| SQLite database | IN SCOPE | REQUIRED | Single file |
| Database schema (4 tables) | IN SCOPE | REQUIRED | notes, sessions, tokens, auth_state |
| Database indexes | IN SCOPE | REQUIRED | For performance |
| Markdown files on disk | IN SCOPE | REQUIRED | Year/month structure |
| Atomic file writes | IN SCOPE | REQUIRED | Temp + rename |
| Backup via file copy | IN SCOPE | REQUIRED | User can copy data/ |
| Configuration via .env | IN SCOPE | REQUIRED | python-dotenv |
**Why**: Hybrid storage gives portability + performance. Simple backup strategy.
---
### Security
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| HTTPS required (production) | IN SCOPE | REQUIRED | Via reverse proxy |
| SQL injection prevention | IN SCOPE | REQUIRED | Parameterized queries |
| XSS prevention | IN SCOPE | REQUIRED | Markdown sanitization |
| CSRF protection | IN SCOPE | REQUIRED | State tokens |
| Path traversal prevention | IN SCOPE | REQUIRED | Path validation |
| Security headers | IN SCOPE | REQUIRED | CSP, X-Frame-Options, etc |
| Secure cookie flags | IN SCOPE | REQUIRED | HttpOnly, Secure, SameSite |
| Session expiry | IN SCOPE | REQUIRED | 30 days |
**Why**: Security is non-negotiable. Basic protections are essential.
---
### Testing
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| Unit tests (pytest) | IN SCOPE | REQUIRED | >80% coverage |
| Integration tests | IN SCOPE | REQUIRED | Key user flows |
| Mock external services | IN SCOPE | REQUIRED | IndieLogin, etc |
| Test fixtures (conftest.py) | IN SCOPE | REQUIRED | Shared setup |
| HTML validation | IN SCOPE | REQUIRED | W3C validator |
| RSS validation | IN SCOPE | REQUIRED | W3C feed validator |
| Microformats validation | IN SCOPE | REQUIRED | IndieWebify.me |
| Micropub validation | IN SCOPE | REQUIRED | micropub.rocks |
**Why**: Tests ensure reliability. Validation ensures standards compliance.
---
### Documentation
| Feature | Status | Priority | Implementation |
|---------|--------|----------|----------------|
| README.md | IN SCOPE | REQUIRED | Installation, usage |
| Architecture docs | IN SCOPE | REQUIRED | Already complete |
| ADRs (Architecture decisions) | IN SCOPE | REQUIRED | Already complete |
| User guide | IN SCOPE | REQUIRED | How to use |
| Deployment guide | IN SCOPE | REQUIRED | Production setup |
| API documentation | IN SCOPE | REQUIRED | Micropub + REST |
| Code documentation (docstrings) | IN SCOPE | REQUIRED | All functions |
**Why**: Documentation is code. Essential for users and maintainers.
---
## OUT OF SCOPE for V1
### Deferred to V2 or Later
| Feature | Status | Reason | Consider for V2? |
|---------|--------|--------|------------------|
| Multi-user support | OUT OF SCOPE | V1 is single-user | Maybe V2 |
| User management | OUT OF SCOPE | Not needed for single user | Maybe V2 |
| Tags/categories | OUT OF SCOPE | Keep it simple | Yes V2 |
| Full-text search | OUT OF SCOPE | Can grep files | Yes V2 |
| Media uploads (images) | OUT OF SCOPE | Notes are text-only | Yes V2 |
| Media management | OUT OF SCOPE | No media in V1 | Yes V2 |
| Update/delete via Micropub | OUT OF SCOPE | Create only is sufficient | Yes V2 |
| Webmentions (send) | OUT OF SCOPE | Future feature | Yes V2 |
| Webmentions (receive) | OUT OF SCOPE | Future feature | Yes V2 |
| Syndication targets (POSSE) | OUT OF SCOPE | Manual syndication | Yes V2 |
| Reply-context | OUT OF SCOPE | Simple notes only | Maybe V2 |
| Like/repost support | OUT OF SCOPE | h-entry notes only | Maybe V2 |
| Custom post types | OUT OF SCOPE | Just notes | Maybe V2 |
| Frontmatter in files | OUT OF SCOPE | Pure markdown | Maybe V2 |
| Git integration | OUT OF SCOPE | User can add manually | Maybe V2 |
| Media endpoint (Micropub) | OUT OF SCOPE | No media support | Yes V2 |
| Database migrations | OUT OF SCOPE | Fresh install only | Yes V2 |
| Import from other systems | OUT OF SCOPE | Manual import | Yes V2 |
| Export functionality | OUT OF SCOPE | Just copy files | Maybe V2 |
| Themes/customization | OUT OF SCOPE | One simple theme | No |
| Plugins/extensions | OUT OF SCOPE | No plugin system | No |
| Admin user roles | OUT OF SCOPE | Single admin only | No |
| Rate limiting (app-level) | OUT OF SCOPE | Use reverse proxy | No |
| Caching (Redis/Memcached) | OUT OF SCOPE | Simple in-memory | Maybe V2 |
| Multiple databases | OUT OF SCOPE | SQLite only | No |
| Email notifications | OUT OF SCOPE | No notifications | Maybe V2 |
| Scheduled posts | OUT OF SCOPE | Manual publish | Maybe V2 |
| Draft autosave | OUT OF SCOPE | Manual save | Maybe V2 |
| Revision history | OUT OF SCOPE | Use git if needed | Maybe V2 |
| Markdown preview (real-time) | OPTIONAL V1 | Enhancement only | Low priority |
| Dark mode toggle | OUT OF SCOPE | CSS only | Maybe V2 |
| Mobile app | OUT OF SCOPE | Use Micropub clients | No |
| Desktop app | OUT OF SCOPE | Web interface | No |
| Self-hosted IndieAuth | OUT OF SCOPE | Use indielogin.com | Maybe V2 |
| Token endpoint | OUT OF SCOPE | External IndieAuth | Maybe V2 |
| Metrics/analytics | OUT OF SCOPE | Use reverse proxy logs | Maybe V2 |
| Comments | OUT OF SCOPE | Use webmentions (V2) | Maybe V2 |
| OpenGraph meta tags | OUT OF SCOPE | Microformats enough | Maybe V2 |
| Twitter cards | OUT OF SCOPE | Not needed | Maybe V2 |
| Sitemap.xml | OUT OF SCOPE | Small site, not needed | Maybe V2 |
| robots.txt | OUT OF SCOPE | User can add | Maybe V2 |
| Custom domains (multi-site) | OUT OF SCOPE | Single instance | No |
| CDN integration | OUT OF SCOPE | Static files local | Maybe V2 |
| Backups (automated) | OUT OF SCOPE | Manual copy | Maybe V2 |
| Monitoring/alerting | OUT OF SCOPE | Use external tools | No |
**Why Defer**: These features add complexity without adding essential value for V1. The goal is a minimal, working system. Additional features can be added after V1 proves the core concept.
---
## Borderline Features (Decide During Implementation)
These features are on the fence. Implement only if trivial, defer if any complexity.
| Feature | Status | Decision Criteria |
|---------|--------|-------------------|
| Markdown preview (JS) | OPTIONAL | If <50 lines of code, include. Otherwise defer. |
| JSON REST API | OPTIONAL | If admin interface uses it, include. Otherwise defer. |
| Note search | OUT OF SCOPE | Too complex. User can grep files. |
| Feed caching | OPTIONAL | If easy with Flask-Caching, include. Otherwise defer. |
| Orphan detection | OUT OF SCOPE | Too complex for V1. Manual recovery. |
| Email fallback auth | OUT OF SCOPE | IndieLogin only. Keep it simple. |
---
## Feature Justification Framework
When considering a feature for V1, ask:
### 1. Is it required for core functionality?
- Can create, read, update, delete notes? ✓ REQUIRED
- Can authenticate and access admin? ✓ REQUIRED
- Can publish via Micropub? ✓ REQUIRED (IndieWeb spec)
- Can syndicate via RSS? ✓ REQUIRED (Spec requirement)
- Everything else? → Consider deferring
### 2. Is it required for standards compliance?
- IndieAuth? ✓ REQUIRED
- Micropub? ✓ REQUIRED
- Microformats2? ✓ REQUIRED
- RSS 2.0? ✓ REQUIRED
- Everything else? → Consider deferring
### 3. Is it required for security?
- Authentication? ✓ REQUIRED
- CSRF protection? ✓ REQUIRED
- SQL injection prevention? ✓ REQUIRED
- XSS prevention? ✓ REQUIRED
- Everything else? → Consider case by case
### 4. Does it add significant complexity?
- Adds >100 LOC? → Probably defer
- Adds dependencies? → Probably defer
- Adds database tables? → Probably defer
- Adds external services? → Probably defer
### 5. Can it be added later without breaking changes?
- Yes? → DEFER to V2
- No? → Consider including (but scrutinize)
---
## V1 Success Criteria
V1 is successful if a user can:
1. ✓ Install and configure StarPunk in <15 minutes
2. ✓ Authenticate with their IndieWeb identity
3. ✓ Create a note via web interface
4. ✓ See the note on the public homepage
5. ✓ Access the note at a permanent URL
6. ✓ Edit and delete notes
7. ✓ Publish via a Micropub client (e.g., Quill)
8. ✓ Subscribe to updates via RSS
9. ✓ Back up their data by copying a directory
10. ✓ Migrate to another server by copying files
**What V1 is NOT**:
- Not a full-featured blog platform (use WordPress)
- Not a social network (use Mastodon)
- Not a CMS for large sites (use Django)
- Not a photo gallery (use Pixelfed)
- Not a link blog (build that in V2)
**What V1 IS**:
- A minimal note-publishing system
- IndieWeb-compliant
- User owns their data
- Simple enough to understand completely
- Extensible foundation for V2
---
## Lines of Code Budget
To maintain simplicity, we set maximum LOC targets:
| Module | Target LOC | Maximum LOC | Actual LOC |
|--------|-----------|-------------|------------|
| utils.py | 100 | 150 | TBD |
| models.py | 150 | 200 | TBD |
| notes.py | 300 | 400 | TBD |
| auth.py | 200 | 300 | TBD |
| feed.py | 100 | 150 | TBD |
| micropub.py | 250 | 350 | TBD |
| routes/public.py | 100 | 150 | TBD |
| routes/admin.py | 200 | 300 | TBD |
| routes/api.py | 150 | 200 | TBD |
| **Total Application** | **~1,550** | **~2,200** | TBD |
| **Total Tests** | **~1,000** | **~1,500** | TBD |
| **Grand Total** | **~2,550** | **~3,700** | TBD |
**If a module exceeds maximum**: Refactor or defer features.
---
## V2 Feature Ideas (Future)
Good ideas for after V1 ships:
### High Priority for V2
- Tags and categories
- Full-text search
- Media uploads and management
- Update/delete via Micropub
- Webmentions (send and receive)
- POSSE syndication
- Database migrations
### Medium Priority for V2
- Multiple post types (articles, photos, etc.)
- Reply context
- Revision history
- Scheduled posts
- Import from other platforms
- Better admin dashboard (stats, charts)
### Low Priority for V2+
- Self-hosted IndieAuth
- Themes
- Plugins
- Multi-user support
---
## Scope Change Process
If a feature is proposed during V1 development:
1. **Check this document** - Is it already in/out of scope?
2. **Apply justification framework** - Does it meet criteria?
3. **Estimate complexity** - How many LOC? New dependencies?
4. **Consider deferral** - Can it wait for V2?
5. **Document decision** - Update this document
6. **Get approval** - Architect must approve scope changes
**Default answer**: "Great idea! Let's add it to the V2 backlog."
---
## Summary
**IN SCOPE**: Core note CRUD, IndieAuth, Micropub, RSS, basic web interface, security essentials, tests, docs
**OUT OF SCOPE**: Everything else (tags, search, media, multi-user, fancy features)
**Philosophy**: Ship a minimal, working, standards-compliant V1. Then iterate.
**Remember**: "When in doubt, leave it out."
---
**Last Updated**: 2025-11-18
Reference in New Issue View Git Blame Copy Permalink