Home
Patrick Plate edited this page 2026-06-24 21:22:07 +02:00

plate-auth

A reusable auth + multi-tenancy library for the plate-software app family. Spring Boot starter (backend) + npm package (frontend). One source of truth, every app consumes it.

Status: Sprint 0 — Phase 1 complete (W1–W7 scaffold), Phase 2 in progress (W8–W12 completion) · Wiki version: Draft v2 · Date: 2026-06-24 · Decision: Path A — full v0.1.0 extraction


🎯 What is plate-auth?

plate-auth is the carve-out of InspectFlow's Sprint 14 auth & membership system into a standalone, versioned library. It ships two artifacts:

| Artifact | Coordinate | Consumed by |
|---|---|---|
| Spring Boot Starter | de.platesoft:plate-auth-starter:0.1.0 | Java/Spring Boot 4 backends |
| npm package | @platesoft/auth:0.1.0 | Next.js 15+ frontends |

Provides:

  • 🔐 T1 — Auth core: Google OAuth (via NextAuth v5), magic-link email, JWT issuance + filter, Spring Security config, NextAuth ↔ backend exchange protocol (HMAC-signed envelope, replay-protected)
  • 🏢 T2 — Multi-tenancy: User + UserIdentity, Company/Membership (or generic Organization), invitations, access requests, admin panel, login audit
  • 🔌 T3 (stays in app): App-specific onboarding, tenant auto-mapping rules, business-domain entities

📚 Wiki pages

Strategy

| Page | Purpose |
|---|---|
| Vision | What plate-auth is, who consumes it, what success looks like |
| Architecture | T1/T2/T3 tier model, package boundaries, public API, dependency diagrams |
| Roadmap | v0.1 → v0.2 → v0.3 → v0.4 — speculative beyond v0.1 |

Sprint 0 (current — Extraction from InspectFlow)

| Page | Purpose |
|---|---|
| Sprint-0-Assessment | State of the InspectFlow auth code, what is reusable, risks, recommendation |
| Sprint-0-Plan | File-by-file extraction plan, package renames, Flyway consolidation, publishing pipeline |
| Sprint-0-Testplan | Unit / integration / contract test coverage matrix |
| Sprint-0-Plan-Review | Plan Review v1 — APPROVED docs-only (2 warnings, panel 82%) |
| Sprint-0-Plan-Review-v2 | ⚠️ Plan Review v2 — REVISE (panel 72%) — code-reality check found 5 blockers. 4 of 5 now fixed in code @ b43ab5e. |
| Sprint-0-Plan-Review-v3 | Plan Review v3 — on-track (panel 79%) — v2 fixes verified (B1/B2/B4/B5/W-A/W-C), new finding N1 (deprecated web starter), Path A endorsed. 13 gaps closed by W8–W12. Target: 96–97%. |

Consumer guides

| Page | Purpose |
|---|---|
| Integration-Guide | How a NEW app (Sparkboard etc.) consumes plate-auth on day 1 |
| Migration-InspectFlow | Step-by-step refactor of InspectFlow to consume the library |

Open

| Page | Purpose |
|---|---|
| Open-Questions | Parking lot for Ask phase — decisions Patrick must make |

🧬 Heritage

plate-auth is not greenfield. It is the fully battle-tested auth system built across six sub-sprints in InspectFlow Sprint 14 (2026-06-22 → 2026-06-24):

  • 14.1 — Multi-provider auth foundation (🐙 Octopus Camouflage)
  • 14.2 — Membership model + MS tenant auto-mapping (🦠 Cell Membranes)
  • 14.3 — Invitation flow (🐜 Pheromone Trails)
  • 14.4 — Self-service access requests (🐝 Honeybee Quorum)
  • 14.5 — Onboarding UX (🐻‍❄️ Tardigrade Cryptobiosis)
  • 14.6 — Admin panel + login audit (🌳 Tree Rings)

Sprint 0 is the modularization sprint — same code, repackaged, repointed, republished.


🚦 Sprint 0 pipeline

Phase 1 — Scaffold (W1..W7)            ✅ COMPLETE
  ├── W1: Repo scaffolding             ✅
  ├── W2: Backend extraction           🟡 Partial (exchange/OAuth core only)
  ├── W3: Frontend extraction          🔴 Stubs (throws NotYetImplemented)
  ├── W4: SPI design (5 interfaces)    ✅
  ├── W5: Flyway consolidation V1..V6  ✅
  ├── W6: Build pipeline skeleton      🟡 CI only (no packages published)
  ├── W7: Integration tests            🟡 3 of 9 ITs
  ├── Review v2 fixes (B1/B2/B4/B5)    ✅ Verified @ b43ab5e
  ↓
Plan Review v3                         ✅ Score 79% — Path A endorsed
  ↓
Phase 2 — Completion (W8..W12)         🔶 IN PROGRESS (defined, not yet executed)
  ├── W8: Backend completion           ⬜ AuthController, Invitation/AccessRequest/AdminAudit
  ├── W9: Frontend implementation      ⬜ createAuthConfig, signEnvelope, proxy, hooks
  ├── W10: N1 fix + unit tests         ⬜ T-UT01..15, rename web starter
  ├── W11: Security + IT + Envers      ⬜ T-SEC01..10, T-IT04..09, RevInfo
  ├── W12: Polish + validation tag     ⬜ Flyway co-existence, v0.0.1 tag
  ↓
v0.0.1 validation tag                  ⬜
  ↓
v0.1.0 release                         ⬜ Target: 96–97% panel score

📦 Distribution

  • License: Apache-2.0 placeholder for v0.1.0 (see LICENSE.md in the repo root). plate-auth lives in a private Gitea repo today, so the license is dormant — it only activates if/when the project is open-sourced. Apache-2.0 was chosen over MIT for the explicit patent grant.
  • Maven artifact: de.platesoft:plate-auth-starter:0.1.0 — Gitea Maven Package Registry
  • npm artifact: @platesoft/auth:0.1.0 — Gitea npm Package Registry
  • Lockstep: Both artifacts ship from the same v0.x.y git tag. Frontend 0.2.0 implies backend 0.2.0 is the required peer.

📜 Decisions log

  • 2026-06-24 — 11 plate-auth decisions locked (F1, F2, Q01, Q05, Q10) and 6 sparkboard decisions locked. See Open-Questions § 4 Decided (history) for the canonical list.
  • 2026-06-24 — Review v2 fixes verified in code (B1/B2/B4/B5 @ b43ab5e). Q13–Q18 decided: Path A (full extraction), scoped security chain, no @ComponentScan, CORS fail-closed, RefreshToken removed, web starter rename (N1). Score 72% → 79%.