plate-auth

A reusable auth + multi-tenancy library for the plate-software app family. Spring Boot starter (backend) + npm package (frontend). One source of truth, every app consumes it.

Status: Planning (Sprint 0 — extraction from InspectFlow) · Wiki version: Draft v1 · Date: 2026-06-24

🎯 What is plate-auth?

plate-auth is the carve-out of InspectFlow's Sprint 14 auth & membership system into a standalone, versioned library. It ships two artifacts:

Artifact	Coordinate	Consumed by
Spring Boot Starter	`de.platesoft:plate-auth-starter:0.1.0`	Java/Spring Boot 4 backends
npm package	`@platesoft/auth:0.1.0`	Next.js 15+ frontends

Provides:

🔐 T1 — Auth core: Google OAuth (via NextAuth v5), magic-link email, JWT issuance + filter, Spring Security config, NextAuth ↔ backend exchange protocol (HMAC-signed envelope, replay-protected)
🏢 T2 — Multi-tenancy: User + UserIdentity, Company/Membership (or generic Organization), invitations, access requests, admin panel, login audit
🔌 T3 (stays in app): App-specific onboarding, tenant auto-mapping rules, business-domain entities

📚 Wiki pages

Strategy

Page	Purpose
Vision	What plate-auth is, who consumes it, what success looks like
Architecture	T1/T2/T3 tier model, package boundaries, public API, dependency diagrams
Roadmap	v0.1 → v0.2 → v0.3 → v0.4 — speculative beyond v0.1

Sprint 0 (current — Extraction from InspectFlow)

Page	Purpose
Sprint-0-Assessment	State of the InspectFlow auth code, what is reusable, risks, recommendation
Sprint-0-Plan	File-by-file extraction plan, package renames, Flyway consolidation, publishing pipeline
Sprint-0-Testplan	Unit / integration / contract test coverage matrix
Sprint-0-Plan-Review	✅ Plan Review — APPROVED (2 warnings, panel confidence 82%)

Consumer guides

Page	Purpose
Integration-Guide	How a NEW app (Sparkboard etc.) consumes plate-auth on day 1
Migration-InspectFlow	Step-by-step refactor of InspectFlow to consume the library

Open

Page	Purpose
Open-Questions	Parking lot for ❓ Ask phase — decisions Patrick must make

🧬 Heritage

plate-auth is not greenfield. It is the fully battle-tested auth system built across six sub-sprints in InspectFlow Sprint 14 (2026-06-22 → 2026-06-24):

14.1 — Multi-provider auth foundation (🐙 Octopus Camouflage)
14.2 — Membership model + MS tenant auto-mapping (🦠 Cell Membranes)
14.3 — Invitation flow (🐜 Pheromone Trails)
14.4 — Self-service access requests (🐝 Honeybee Quorum)
14.5 — Onboarding UX (🐻‍❄️ Tardigrade Cryptobiosis)
14.6 — Admin panel + login audit (🌳 Tree Rings)

Sprint 0 is the modularization sprint — same code, repackaged, repointed, republished.

🚦 Sprint 0 pipeline

Planner (this wiki)
   ↓
Plan Reviewer  (quality gate)
   ↓
❓ Ask Phase   (Patrick answers Open-Questions)
   ↓
Planner v2     (revise)
   ↓
Code mode      (implementation — new plate-auth repo + InspectFlow refactor + Sparkboard consumption)

📦 Distribution

License: Apache-2.0 placeholder for v0.1.0 (see LICENSE.md in the repo root). plate-auth lives in a private Gitea repo today, so the license is dormant — it only activates if/when the project is open-sourced. Apache-2.0 was chosen over MIT for the explicit patent grant.
Maven artifact: de.platesoft:plate-auth-starter:0.1.0 — Gitea Maven Package Registry
npm artifact: @platesoft/auth:0.1.0 — Gitea npm Package Registry
Lockstep: Both artifacts ship from the same v0.x.y git tag. Frontend 0.2.0 implies backend 0.2.0 is the required peer.

📜 Decisions log

2026-06-24 — 11 plate-auth decisions locked (F1, F2, Q01, Q05, Q10) and 6 sparkboard decisions locked. See Open-Questions § 4 Decided (history) for the canonical list.

🔗 External links

Repo: https://git.plate-software.de/pplate/plate-auth
Wiki (this site): https://git.plate-software.de/pplate/plate-auth/wiki
Consumer 1 (existing): InspectFlow
Consumer 2 (incoming, greenfield): Sparkboard