pplate/plate-auth
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: lock Q01 (polymorphic FK), Q05 (@platesoft/auth + de.platesoft:plate-auth-starter), Q10 (Apache-2.0 placeholder); add Home Distribution + Decisions log

Patrick Plate
2026-06-24 15:23:58 +02:00
parent ab7be39839
commit 9bceb0ae96
2 changed files with 34 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Home.md
+15
@@ -89,6 +89,21 @@ Code mode (implementation — new plate-auth repo + InspectFlow refactor +
---
## 📦 Distribution
- **License:** Apache-2.0 placeholder for v0.1.0 (see `LICENSE.md` in the repo root). plate-auth lives in a private Gitea repo today, so the license is dormant — it only activates if/when the project is open-sourced. Apache-2.0 was chosen over MIT for the explicit patent grant.
- **Maven artifact:** `de.platesoft:plate-auth-starter:0.1.0` — Gitea Maven Package Registry
- **npm artifact:** `@platesoft/auth:0.1.0` — Gitea npm Package Registry
- **Lockstep:** Both artifacts ship from the same `v0.x.y` git tag. Frontend `0.2.0` implies backend `0.2.0` is the required peer.
---
## 📜 Decisions log
- **2026-06-24** — 11 plate-auth decisions locked (F1, F2, Q01, Q05, Q10) and 6 sparkboard decisions locked. See [Open-Questions § 4 Decided (history)](Open-Questions) for the canonical list.
---
## 🔗 External links
- **Repo:** https://git.plate-software.de/pplate/plate-auth
Open-Questions.md
+19 -20
@@ -28,16 +28,16 @@ When a question is decided, this doc gets updated; the decision is also reflecte
| ID | Topic | Status | Decide by |
|----|-------|--------|-----------|
| Q01 | Concrete org table abstraction (Company → generic Organization?) | 🟡 Leaning | Before W4 (SPI design) |
| Q01 | Concrete org table abstraction (Company → generic Organization?) | ✅ Decided (2026-06-24) | n/a |
| Q02 | Microsoft Entra ID in v0.1 or defer to v0.2 | 🟡 Leaning | Before W2 starts |
| Q03 | Flyway migration strategy (separate schema_history vs baseline reset) | 🟡 Leaning | Before W5 (Flyway work) |
| Q04 | Email magic-link provider in v0.1 or v0.2 | ⏭️ Deferred | n/a |
| Q05 | npm package name (`@platesoft/auth` vs alternatives) | 🟡 Leaning | Before W3 starts |
| Q05 | npm package name (`@platesoft/auth` vs alternatives) | ✅ Decided (2026-06-24) | n/a |
| Q06 | SemVer policy details — peer-version lockstep enforcement | 🟡 Leaning | Before v0.1.0 release |
| Q07 | Gitea publishing pipeline (Gitea Actions vs manual deploy) | 🟡 Leaning | Before W6 |
| Q08 | Spring Boot version pin (4.0.7 vs 4.1.0 vs latest milestone) | ✅ Decided | n/a (4.1.0) |
| Q09 | Frontend bundler — `tsup` vs `tsc` vs `unbuild` | 🟠 Open | Before W3-A |
| Q10 | License — MIT, Apache-2.0, or internal proprietary | 🟠 Open | Before v0.1.0 release |
| Q10 | License — MIT, Apache-2.0, or internal proprietary | ✅ Decided (2026-06-24) | n/a |
| Q11 | First-class i18n in `@platesoft/auth`/react? | ⏭️ Deferred | n/a |
| Q12 | Audit emit channel — DB rows only, or also event stream? | 🟡 Leaning | Before W2 |
@@ -47,7 +47,7 @@ When a question is decided, this doc gets updated; the decision is also reflecte
### Q01 — Concrete org table abstraction
**Status:** 🟡 Leaning toward: **Keep org as polymorphic FK validated by SPI; do NOT ship a concrete `organizations` table in plate-auth 0.1**
**Status:** **Decided 2026-06-24** — Option **A**: polymorphic FK `(org_type, org_id)` validated by `OrgValidator` SPI. plate-auth does NOT ship a concrete `organizations` table in 0.1.
**Context.** InspectFlow's [`Membership`](backend/src/main/java/de/platesoft/inspectflow/entity/Membership.java) entity references `Company` (concrete entity). Sparkboard will have its own org table (probably `Project` or `Studio`). plate-auth must support both without leaking either domain.
@@ -59,11 +59,9 @@ When a question is decided, this doc gets updated; the decision is also reflecte
| B) Generic `organizations` table in plate-auth, consumers reference it | Real FK; consistent schema | Consumers must mirror their own org table into ours; cross-DB sync nightmare |
| C) Abstract `@MappedSuperclass` consumers extend | Type-safe at JPA level | Forces JPA inheritance; cross-app reuse breaks |
**Leaning:** Option **A**. Matches [Architecture.md § 4 SPI seams](Architecture.md) and was already designed into Sprint 14.2 ([`SPRINT-14.2-MEMBERSHIP-PLAN.md`](docs/SPRINT-14.2-MEMBERSHIP-PLAN.md:1)).
**Decision:** Option **A**. Matches [Architecture.md § 4 SPI seams](Architecture.md) and was already designed into Sprint 14.2 ([`SPRINT-14.2-MEMBERSHIP-PLAN.md`](docs/SPRINT-14.2-MEMBERSHIP-PLAN.md:1)). The runtime-validation gap is closed by the mandatory `OrgValidator` SPI (default `PermissiveOrgValidator` with per-call WARN — see [Architecture.md § 3.4](Architecture.md)).
**Decision deadline:** Before W4 (SPI design) starts.
**Owner:** Patrick.
**Owner:** Patrick. Locked 2026-06-24.
---
@@ -126,11 +124,11 @@ When a question is decided, this doc gets updated; the decision is also reflecte
### Q05 — npm package name
**Status:** 🟡 Leaning toward: **`@platesoft/auth`**
**Status:** **Decided 2026-06-24** — npm: `@platesoft/auth` · Maven: `de.platesoft:plate-auth-starter`.
**Context.** The npm scope must be registered on the Gitea npm registry, which means it must be unique within our setup. We control the registry, so collisions aren't a concern; aesthetics + intent are.
**Options:**
**Options considered:**
| Option | Pros | Cons |
|--------|------|------|
@@ -139,11 +137,9 @@ When a question is decided, this doc gets updated; the decision is also reflecte
| `plate-auth` (unscoped) | Simpler | No org scope — collides with NPM-public name space if we ever publish there |
| `@plate-software/auth` | Verbose but explicit | Long imports |
**Leaning:** `@platesoft/auth`. Matches the Gitea org slug `platesoft`. Maven group is `de.platesoft` (reverse-DNS) → npm scope is `@platesoft` (shortened).
**Decision:** `@platesoft/auth` (npm) paired with `de.platesoft:plate-auth-starter` (Maven). Matches the Gitea org slug `platesoft`. Maven group is `de.platesoft` (reverse-DNS) → npm scope is `@platesoft` (shortened). Both artifacts ship in lockstep from the same `v0.x.y` git tag.
**Decision deadline:** Before W3-A starts (first `package.json` written).
**Owner:** Patrick.
**Owner:** Patrick. Locked 2026-06-24.
---
@@ -226,15 +222,13 @@ When a question is decided, this doc gets updated; the decision is also reflecte
### Q10 — License
**Status:** 🟠 Open
**Status:** **Decided 2026-06-24** — Apache-2.0 **placeholder** for v0.1.0.
**Options:** MIT, Apache-2.0 (with explicit patent grant — recommended for libs), or internal proprietary.
**Options considered:** MIT, Apache-2.0 (with explicit patent grant — recommended for libs), or internal proprietary.
**Note:** plate-auth lives in a private Gitea repo. License only matters if/when we decide to open-source. For Sprint 0 we ship with `LICENSE.md` set to `Apache-2.0` placeholder; flip to proprietary if Patrick decides later.
**Decision.** plate-auth ships `LICENSE.md` set to **Apache-2.0** as a placeholder for v0.1.0. The repo lives in private Gitea, so the license is dormant — it only activates if/when we choose to open-source. Apache-2.0 was picked over MIT for the explicit patent grant (standard for libraries that consumers will depend on). Patrick may flip to proprietary or another OSI license before any public release.
**Decision deadline:** Before v0.1.0 tag.
**Owner:** Patrick.
**Owner:** Patrick. Locked 2026-06-24.
---
@@ -265,6 +259,11 @@ When a question is decided, this doc gets updated; the decision is also reflecte
| Q08 | Spring Boot 4.1.0 minimum | 2026-06-24 | Architecture.md |
| Q04 | Magic-link → v0.2 | 2026-06-24 | Roadmap.md |
| Q11 | i18n → consumer-supplied | 2026-06-24 | this doc |
| Q01 | Polymorphic FK `(org_type, org_id)` validated by `OrgValidator` SPI; no concrete `organizations` table in 0.1 | 2026-06-24 | Architecture.md § 3.4, this doc |
| Q05 | npm: `@platesoft/auth` · Maven: `de.platesoft:plate-auth-starter` (lockstep versions) | 2026-06-24 | Architecture.md § 9, this doc |
| Q10 | Apache-2.0 placeholder for v0.1.0 (dormant until open-sourced) | 2026-06-24 | Home.md § Distribution, this doc |
| F1 | `PermissiveOrgValidator` ships as default `OrgValidator`, logs WARN on every call | 2026-06-24 | Architecture.md § 3.4, Sprint-0-Plan.md § 4.5, Sprint-0-Testplan.md T-UT15, Integration-Guide.md § 3.3 |
| F2 | plate-auth ships **6** Flyway migrations (V1..V6) in `db/migration/auth/`; `V5__add_microsoft_tenant_id_index.sql` is a standalone index migration | 2026-06-24 | Architecture.md § 8.1, Sprint-0-Plan.md § 7.2, Sprint-0-Testplan.md T-IT01 |
---