I proceeded with Phase 1 step 1 (phone-first auth + OTP hardening) and updated the plan context. Here’s the current state and the next steps.

What I implemented

Phone-first auth endpoints with OTP → JWT issuance.
views.py
urls.py
Phone normalization (KSA-focused, E.164 or Saudi mobile) and validation.
phone.py
serializers.py
OTP protections: rate limit, resend cooldown, attempt counting.
otp.py
models.py
Email is now optional to allow phone-only users.
models.py
0002_phone_auth_fields.py
Admin OTP visibility improved.
admin.py
Risks updated.
risks.md

backend/apps/accounts/urls.py

@@ -1,7 +1,15 @@
 from django.urls import path
 from rest_framework_simplejwt.views import TokenObtainPairView, TokenRefreshView
 
-from apps.accounts.views import MeView, OTPRequestView, OTPVerifyView, RegisterView, SocialLoginPlaceholderView
+from apps.accounts.views import (
+    MeView,
+    OTPRequestView,
+    OTPVerifyView,
+    PhoneAuthRequestView,
+    PhoneAuthVerifyView,
+    RegisterView,
+    SocialLoginPlaceholderView,
+)
 
 urlpatterns = [
     path("register/", RegisterView.as_view(), name="register"),
@@ -10,5 +18,7 @@ urlpatterns = [
     path("token/refresh/", TokenRefreshView.as_view(), name="token_refresh"),
     path("otp/request/", OTPRequestView.as_view(), name="otp_request"),
     path("otp/verify/", OTPVerifyView.as_view(), name="otp_verify"),
+    path("phone/request/", PhoneAuthRequestView.as_view(), name="phone_auth_request"),
+    path("phone/verify/", PhoneAuthVerifyView.as_view(), name="phone_auth_verify"),
     path("social/<str:provider>/", SocialLoginPlaceholderView.as_view(), name="social_login"),
 ]