Skip to content

Tracking β€” Auth expansion Phase 1 (Linear stand-in) ​

Linear (team gravitas) is at the free-plan issue cap; this doc stands in for the issue set. One row per work item. Update the Status column in the same commit that completes the item. When Linear frees up, port rows to issues and link them here.

Spec: docs/superpowers/specs/2026-07-14-auth-expansion-design.mdPlan: docs/superpowers/plans/2026-07-14-auth-expansion-phase1.mdBranch: feature/auth-expansion-phase1

#Work itemStatus
1Migration A β€” Pending enum valueβœ… Done
2Migration B β€” open signup, is_member(), restrictive RLS, seed fixβœ… Done
3Go libs/auth β€” RolePending + exclusion testsβœ… Done
4Supabase config β€” GitHub/Apple blocks, email confirmations, env docsβœ… Done
5Web core β€” LoginPolicy, environments, AuthService rework (no bypass)βœ… Done
6Guards + routes β€” memberGuard/pendingGuard, role-aware callbackβœ… Done
7Login page β€” policy-driven buttons, password panel, MFA challengeβœ… Done
8Signup pageβœ… Done
9Verify pageβœ… Done
10Reset-password pages (request + update)βœ… Done
11Pending pageβœ… Done
12MFA scaffold β€” /settings/securityβœ… Done
13Dev-bypass removal + seed script rename + e2e support updateβœ… Done
14E2E β€” signupβ†’verifyβ†’pending, reset flow, mail helperβœ… Done
15Full gate + review record + STATUS notesβœ… Done

Known gaps (Phase 2) ​

  • MFA/AAL2 is enforced client-side only; the Go API and RLS do not check the aal claim β€” server-side enforcement lands with Phase 2 org policies.

Ops checklist (user-run, not code β€” mirrors spec Β§4.6) ​

  • [ ] Google consent screen Internal β†’ External
  • [ ] GitHub OAuth app (prod) + Dashboard provider config
  • [ ] GitHub OAuth app (local) β†’ GITHUB_CLIENT_ID/SECRET in .env
  • [ ] SMTP provider on hosted Supabase
  • [ ] Apple Developer account β†’ credentials β†’ flip appleEnabled

Manual OAuth verification (needs real GITHUB_* / GOOGLE_* creds in .env) ​

OAuth providers can't be driven headlessly, so the e2e suite covers only the password flows; verify these by hand once local OAuth creds exist:

  • [ ] Google: /login β†’ Continue with Google β†’ account chooser (any domain) β†’ lands /pending (new) or / (member)
  • [ ] GitHub: /login β†’ Continue with GitHub β†’ authorize β†’ lands /pending
  • [ ] Same-email linking: GitHub sign-in with an email that already has a password account β†’ single user row, two identities