I proceeded with Phase 1 step 1 (phone-first auth + OTP hardening) and updated the plan context. Here’s the current state and the next steps.

What I implemented

Phone-first auth endpoints with OTP → JWT issuance.
views.py
urls.py
Phone normalization (KSA-focused, E.164 or Saudi mobile) and validation.
phone.py
serializers.py
OTP protections: rate limit, resend cooldown, attempt counting.
otp.py
models.py
Email is now optional to allow phone-only users.
models.py
0002_phone_auth_fields.py
Admin OTP visibility improved.
admin.py
Risks updated.
risks.md

backend/apps/accounts/admin.py

@@ -28,6 +28,15 @@ class UserAdmin(DjangoUserAdmin):
 
 @admin.register(PhoneOTP)
 class PhoneOTPAdmin(admin.ModelAdmin):
-    list_display = ("phone_number", "channel", "provider", "created_at", "expires_at", "verified_at")
-    list_filter = ("channel", "provider")
+    list_display = (
+        "phone_number",
+        "channel",
+        "purpose",
+        "provider",
+        "created_at",
+        "expires_at",
+        "verified_at",
+        "attempt_count",
+    )
+    list_filter = ("channel", "purpose", "provider")
     search_fields = ("phone_number",)