chore: auth gaps docs
This commit is contained in:
@@ -6,6 +6,17 @@ This document describes the requirements for an execution plan ("ExecPlan"), a d
|
||||
|
||||
The current execution plan is `docs/execplans/booking-notifications.md`. It focuses on booking lifecycle notifications (confirmation/cancellation) as the next Phase 1 reliability milestone. Keep it updated in line with the requirements below.
|
||||
|
||||
## Queued Next Review Focus
|
||||
|
||||
After the active booking notifications plan, the next reliability review track is phone-first authentication hardening. Keep these points visible when planning the next ExecPlan update:
|
||||
|
||||
- Enforce phone as first-class identifier at model/DB boundaries (normalized E.164, nullability/uniqueness policy).
|
||||
- Consolidate auth contract (phone OTP vs password endpoints) and document intended public login surface.
|
||||
- Enforce OTP purpose boundaries (`auth` vs `verify`) in verification flows.
|
||||
- Align Django admin and cross-app display/audit behavior for phone-only users.
|
||||
- Define OAuth linking policy and conflict handling (phone/email collisions, account merge rules).
|
||||
- Add/expand tests for phone-first invariants and abuse controls (IP/device throttling strategy review).
|
||||
|
||||
## How to use ExecPlans and PLANS.md
|
||||
|
||||
When authoring an executable specification (ExecPlan), follow PLANS.md _to the letter_. If it is not in your context, refresh your memory by reading the entire PLANS.md file. Be thorough in reading (and re-reading) source material to produce an accurate specification. When creating a spec, start from the skeleton and flesh it out as you do your research.
|
||||
|
||||
Reference in New Issue
Block a user