diff --git a/openspec/changes/2025-11-17-authentication-system/proposal.md b/openspec/changes/2025-11-17-authentication-system/proposal.md new file mode 100644 index 0000000..b17969a --- /dev/null +++ b/openspec/changes/2025-11-17-authentication-system/proposal.md @@ -0,0 +1,153 @@ +# Proposal: Authentication & Authorization System + +Status: draft +Authors: Security Team, Identity Team +Owners: Security Lead, Identity Lead, Architecture Lead +Created: 2025-11-17 +Scope: spec +Related: openspec/specs/architecture.md, openspec/specs/privacy-compliance.md + +Summary +- Implement OAuth2/OIDC-based authentication with role-based access control (RBAC), pseudonym support, session management, and compliance-friendly audit logging. + +Motivation +- Secure user authentication is foundational for all features. +- Support privacy-conscious identity (pseudonyms) while maintaining accountability. +- Enable fine-grained authorization for member-only content, moderation, and admin actions. + +Goals / Non-Goals +- Goals: OAuth2/OIDC auth flow, session management, RBAC, pseudonym handling, MFA support, password reset, account lockout, audit logging. +- Non-Goals: custom auth protocol (use standards); biometric auth (future); SSO with external providers (future, but design for extensibility). + +User Stories +- As a user, I can sign up with email/password and verify my email. +- As a user, I can log in securely and stay logged in across devices. +- As a user, I can use a pseudonym in the community without exposing my real name. +- As a moderator, I have elevated permissions to manage flagged content. +- As an admin, I can view audit logs of authentication events. + +Requirements + +Functional +- Sign up: email/password registration with email verification. +- Sign in: OAuth2 authorization code flow with PKCE (for mobile/SPA security). +- Session management: access tokens (short-lived, 15 min) and refresh tokens (long-lived, 30 days, rotated). +- Password management: secure hashing (Argon2 or bcrypt), reset flow with time-limited tokens. +- MFA: TOTP (time-based one-time password) support for opt-in users. +- Account lockout: after N failed login attempts (e.g., 5), lock for configurable duration (e.g., 30 min). +- RBAC: roles (member, moderator, admin) with permissions (read_public, write_forum, moderate_content, admin_panel). +- Pseudonym support: user can set pseudonym in profile; display in forum/community contexts. + +Accessibility +- Sign-in/sign-up forms: keyboard accessible, screen reader labels, clear error messages. +- MFA setup: accessible QR code alternatives (manual entry codes). +- Password strength feedback: descriptive, not relying solely on color. + +Privacy & Compliance +- Email is PII; hashed passwords never logged. +- Audit log: login attempts, password resets, MFA changes (log user ID, timestamp, IP, outcome; no passwords). +- Session tokens: stored securely (HttpOnly, Secure, SameSite cookies for web; secure storage for mobile). +- DSR support: export auth history; delete user account purges tokens and auth records. + +Security & Threat Model +- Password hashing: Argon2id (preferred) or bcrypt with high work factor. +- Token security: JWT access tokens (signed, short-lived); refresh tokens (opaque, stored server-side, rotated). +- PKCE: required for mobile/SPA to prevent authorization code interception. +- Rate limiting: login endpoint (e.g., 10 attempts per IP per minute); password reset (e.g., 3 per hour per email). +- Account lockout: protect against brute force; notify user via email on lockout. +- Audit logging: all auth events logged with sanitized details (no credentials). + +Architecture & API + +Endpoints +- `POST /api/v1/auth/signup` — register new user (email, password); returns user ID, sends verification email. +- `POST /api/v1/auth/verify-email` — verify email with token. +- `POST /api/v1/auth/login` — OAuth2 authorization code flow initiation (returns code). +- `POST /api/v1/auth/token` — exchange code for access/refresh tokens (PKCE). +- `POST /api/v1/auth/refresh` — rotate refresh token, get new access token. +- `POST /api/v1/auth/logout` — revoke refresh token. +- `POST /api/v1/auth/password-reset-request` — send reset email. +- `POST /api/v1/auth/password-reset-confirm` — reset password with token. +- `POST /api/v1/auth/mfa/enable` — enable TOTP MFA (returns QR code + secret). +- `POST /api/v1/auth/mfa/verify` — verify TOTP code. +- `GET /api/v1/auth/me` — get current user info (requires access token). + +Data Model +- User: id, email (PII, unique, hashed for lookup), password_hash, email_verified, mfa_enabled, mfa_secret (encrypted), locked_until (nullable), failed_login_attempts, created_at, updated_at, deleted_at. +- Role: id, name (member, moderator, admin), permissions (JSON or relation table). +- UserRole: id, user_id (FK), role_id (FK). +- RefreshToken: id, user_id (FK), token_hash, expires_at, created_at, revoked_at. +- AuthAuditLog: id, user_id (FK, nullable), event_type (signup, login_success, login_fail, password_reset, etc.), ip_address, user_agent, created_at. + +Session Flow +1. User signs in → backend generates authorization code. +2. Client exchanges code (+ PKCE verifier) for access token (JWT, 15 min) and refresh token (opaque, 30 days). +3. Client includes access token in Authorization header for API calls. +4. On access token expiry, client uses refresh token to get new access/refresh tokens. +5. On logout, client revokes refresh token; server invalidates it. + +Pseudonym Handling +- User profile includes `pseudonym` field (nullable). +- Forum/community contexts display pseudonym if set, otherwise display_name. +- Moderation/admin views show both pseudonym and real identity (with audit logging). + +Observability & Telemetry +- Metrics: login success/failure rates, MFA adoption, lockout frequency. +- Alerts: spike in failed logins (possible attack), lockout rate exceeds threshold. +- Traces: auth flow latency (signup, login, token exchange). + +Test Plan +- Unit tests: password hashing, token generation/validation, RBAC checks. +- Integration tests: full auth flows (signup, login, refresh, logout, password reset, MFA). +- Security tests: brute force protection (lockout), PKCE validation, token expiry. +- Accessibility tests: keyboard nav on auth forms, screen reader labels. +- Compliance tests: DSR export includes auth history, delete purges tokens. + +Migration / Rollout Plan +- Deploy auth service to staging; test with pilot users. +- Migrate existing users (if any from Wix) with password reset flow (cannot import passwords). +- Feature flag for MFA (opt-in, not mandatory initially). +- Monitor login success rates; rollback on anomalies. + +Risks & Mitigations +- Password database breach → use Argon2id, salted hashes; consider encrypted fields. +- Token leakage → short-lived access tokens, secure storage, HttpOnly cookies. +- Account enumeration → consistent error messages for signup/login ("email or password incorrect"). +- Lockout abuse → notify user via email, require CAPTCHA after multiple lockouts. + +Alternatives Considered +- Custom auth vs OAuth2/OIDC → choosing OAuth2/OIDC for standards compliance and future SSO extensibility. +- JWT vs opaque refresh tokens → choosing opaque (server-side validation) for better revocation control. + +Work Breakdown +1. Implement password hashing and user registration +2. Build OAuth2 authorization code + PKCE flow +3. Token generation, validation, and refresh logic +4. RBAC middleware and permission checks +5. MFA (TOTP) setup and verification +6. Password reset flow +7. Account lockout logic +8. Audit logging +9. Client SDKs (mobile, web) for auth flows +10. Security review and penetration testing + +Acceptance Criteria +- Signup, login, refresh, logout flows functional and tested. +- MFA (TOTP) opt-in working. +- RBAC permissions enforced on protected endpoints. +- Password reset flow with time-limited tokens. +- Account lockout after failed attempts. +- Audit logs capture all auth events (sanitized). +- Accessibility checks pass on auth UI. +- Security review completed with no critical findings. +- Pseudonym display working in community contexts. + +Open Questions +- Social login (Google, Apple) support timeline? (Future proposal) +- Passkey/WebAuthn support? (Future proposal) +- Session timeout for inactivity (in addition to token expiry)? + +Slash Commands +- `/review areas=security,backend,mobile,web,accessibility,compliance` +- `/apply spec=openspec/specs/architecture.md` +- `/archive link=` diff --git a/openspec/changes/2025-11-17-blog-mvp/proposal.md b/openspec/changes/2025-11-17-blog-mvp/proposal.md index e9accb5..82a6936 100644 --- a/openspec/changes/2025-11-17-blog-mvp/proposal.md +++ b/openspec/changes/2025-11-17-blog-mvp/proposal.md @@ -1,6 +1,8 @@ # Proposal: Blog MVP (Internal + Substack Cross‑Posting) -Status: draft +Status: archived +Archived: 2025-11-17 +Merged PR: https://github.com/fullsizemalt/morethanadiagnosis-hub/pull/8 Authors: Content Team Owners: Content Lead, Web Lead Created: 2025-11-17 diff --git a/openspec/changes/2025-11-17-data-model-v1/proposal.md b/openspec/changes/2025-11-17-data-model-v1/proposal.md new file mode 100644 index 0000000..120320a --- /dev/null +++ b/openspec/changes/2025-11-17-data-model-v1/proposal.md @@ -0,0 +1,140 @@ +# Proposal: Data Model v1 (Consolidated Schema) + +Status: draft +Authors: Architecture Team, Data Team +Owners: Architecture Lead, Data Lead, Compliance Lead +Created: 2025-11-17 +Scope: spec +Related: openspec/specs/data-model.md + +Summary +- Consolidate all entity schemas from approved feature specs into a unified data model with field-level data classification, relationships, and migration strategy. + +Motivation +- Ensure consistent data modeling across all features before implementation begins. +- Establish clear PHI/PII boundaries and retention policies at the schema level. +- Enable efficient backend development with well-defined entities and relationships. + +Goals / Non-Goals +- Goals: consolidated entity schemas, field-level data classes (Public/PII/PHI), relationships/foreign keys, indexing strategy, retention/soft-delete rules, migration versioning. +- Non-Goals: vendor-specific schema syntax (use portable DDL concepts); performance tuning (covered in implementation). + +Requirements + +Functional +- All entities from approved specs: User, Profile, ForumCategory, ForumThread, ForumPost, ForumReaction, ForumReport, BlogPost, PodcastEpisode, TributeEntry, Resource, MerchProduct, etc. +- Relationships clearly defined with foreign keys and cascade rules. +- Indexes for common query patterns (user lookups, thread pagination, search, etc.). + +Privacy & Compliance +- Every field tagged with data class: Public, PII, or PHI. +- PHI fields isolated where possible; encryption requirements noted. +- Retention policies per entity (e.g., soft-delete window, hard-delete rules). +- DSR support: export and delete operations mapped to entities. + +Data Model + +Core Entities +- User: id, email (PII), created_at, updated_at, deleted_at +- Profile: id, user_id (FK), display_name, pseudonym, pronouns, avatar_url, bio, health_journey (PHI, private by default), consent_flags, created_at, updated_at +- ForumCategory: id, name, description, order, created_at +- ForumThread: id, category_id (FK), author_id (FK User), title, pinned, locked, created_at, updated_at +- ForumPost: id, thread_id (FK), author_id (FK User), parent_post_id (FK ForumPost, nullable), content (may contain PHI), deleted_at, created_at, updated_at +- ForumReaction: id, post_id (FK), user_id (FK), emoji_code, created_at +- ForumReport: id, post_id (FK), reporter_id (FK User), reason, status, moderator_notes, resolved_at, created_at +- BlogPost: id, author_id (FK User), title, slug, content, published_at, created_at, updated_at +- PodcastEpisode: id, title, description, audio_url, duration, published_at, created_at +- TributeEntry: id, author_id (FK User), subject_name, memorial_text (may contain PHI), published, created_at, updated_at +- Resource: id, title, slug, content, access_tier (public/members), tags, created_at, updated_at +- MerchProduct: id, name, description, price, stock_count, created_at, updated_at +- Order: id, user_id (FK), total, status, shipping_address (PII), created_at, updated_at +- Consent: id, user_id (FK), consent_type, granted, granted_at, revoked_at + +Relationships +- User → Profile (1:1, cascade delete) +- User → ForumPost (1:N, soft-delete user → anonymize posts) +- User → ForumThread (1:N) +- ForumCategory → ForumThread (1:N) +- ForumThread → ForumPost (1:N, cascade delete) +- ForumPost → ForumReaction (1:N, cascade delete) +- ForumPost → ForumReport (1:N) +- User → BlogPost (1:N) +- User → TributeEntry (1:N) +- User → Order (1:N) + +Data Classification Summary +- Public: ForumCategory, PodcastEpisode, Resource (public tier), MerchProduct, BlogPost (published) +- PII: User.email, Profile.display_name, Order.shipping_address, Profile.avatar_url +- PHI: Profile.health_journey, ForumPost.content (context-dependent), TributeEntry.memorial_text (context-dependent) + +Indexing Strategy +- User: email (unique), created_at +- Profile: user_id (unique FK) +- ForumThread: category_id, author_id, created_at, updated_at +- ForumPost: thread_id, author_id, created_at +- BlogPost: slug (unique), author_id, published_at +- Resource: slug (unique), access_tier, tags (GIN/array index) +- Order: user_id, created_at + +Retention & Soft-Delete +- User: soft-delete (deleted_at); 90-day window before hard-delete; anonymize posts. +- ForumPost: soft-delete (deleted_at); 90-day window; on user delete → replace author with "[deleted]". +- BlogPost, TributeEntry: indefinite retention unless user requests DSR delete. +- Order: 7-year retention for compliance (tax/commerce), then hard-delete. + +Migration Strategy +- Versioned migrations (e.g., Alembic, Flyway, or similar). +- Idempotent scripts for rollback safety. +- Seed data for initial categories, default consents, sample resources. + +Security & Threat Model +- Encryption at rest: PII/PHI fields encrypted at database level or app level. +- Access controls: RBAC enforced at API layer; row-level security (RLS) for multi-tenancy if needed. +- Audit logging: all mutations on PHI/PII entities logged (excluding PHI content itself). + +Observability & Telemetry +- Schema change tracking in migration logs. +- Query performance metrics for critical paths (thread list, user profile fetch). + +Test Plan +- Unit tests for schema constraints (foreign keys, unique indexes). +- Integration tests for cascade deletes and soft-delete behavior. +- DSR export/delete tests: verify all user data is captured or purged. +- Retention tests: simulate time-based purges. + +Migration / Rollout Plan +- Deploy schema migrations to staging; run dry-run seeds. +- Validate with read-only queries before enabling writes. +- Rollback plan: revert migration, restore from backup if needed. + +Risks & Mitigations +- Schema drift across features → enforce single source of truth in data-model.md. +- PHI leakage → code reviews and automated scanning for PHI in logs. + +Alternatives Considered +- NoSQL vs relational: choosing relational (Postgres) for strong consistency, relationships, and mature tooling. +- Schema-per-feature vs unified: choosing unified for easier joins and data integrity. + +Work Breakdown +1. Document all entity schemas in `data-model.md` +2. Generate migration scripts from schema +3. Seed test data for development +4. Validate DSR export/delete coverage +5. Review with compliance and security teams + +Acceptance Criteria +- All approved feature entities documented in `data-model.md` with field-level data classes. +- Relationships and indexes defined. +- Retention and soft-delete rules specified. +- DSR export/delete coverage verified. +- Sign-off from compliance and security teams. + +Open Questions +- Specific database vendor (Postgres assumed, but could be vendor-specific features)? +- Multi-region replication strategy (future proposal)? +- Real-time sync requirements for forum (WebSocket state management)? + +Slash Commands +- `/review areas=backend,compliance,security,data` +- `/apply spec=openspec/specs/data-model.md` +- `/archive link=` diff --git a/openspec/changes/2025-11-17-design-system/proposal.md b/openspec/changes/2025-11-17-design-system/proposal.md new file mode 100644 index 0000000..abc19a2 --- /dev/null +++ b/openspec/changes/2025-11-17-design-system/proposal.md @@ -0,0 +1,173 @@ +# Proposal: Design System & Component Library + +Status: draft +Authors: Design Team, Accessibility Team +Owners: Design Lead, Accessibility Lead, Mobile Lead, Web Lead +Created: 2025-11-17 +Scope: spec +Related: openspec/specs/architecture.md, openspec/specs/accessibility.md + +Summary +- Build a unified design system and component library for Android, iOS, and Web that ensures platform parity, accessibility (WCAG 2.2 AA+), and consistent brand identity. + +Motivation +- Accelerate feature development with reusable, accessible components. +- Ensure consistent UX and visual language across all platforms. +- Embed accessibility best practices at the component level. +- Support theming for future customization (light/dark mode, high contrast). + +Goals / Non-Goals +- Goals: component library (buttons, inputs, cards, modals, navigation), design tokens (colors, typography, spacing), accessibility built-in, platform adapters, documentation/Storybook, versioning. +- Non-Goals: final brand identity (can be iterated); advanced animations (keep simple initially); custom illustrations (use placeholders). + +User Stories +- As a developer, I can import pre-built, accessible components to build features quickly. +- As a user with low vision, I can enable high contrast mode and components adapt automatically. +- As a user, I experience consistent visual design whether I'm on mobile or web. +- As a designer, I have a single source of truth for design tokens and component specs. + +Requirements + +Functional +- Core components: Button, Input (text, email, password, textarea), Checkbox, Radio, Select/Dropdown, Card, Modal/Dialog, Toast/Snackbar, Tabs, Accordion, Navigation (app bar, bottom nav, sidebar), List (virtualized), Avatar, Badge, Chip/Tag, Spinner/Loading, Progress bar, Form (validation helpers), Link. +- Platform implementations: React Native components (mobile), Next.js/React components (web), with shared design tokens. +- Theming: light mode (default), dark mode, high contrast mode. +- Design tokens: colors (primary, secondary, background, text, error, success, etc.), typography (font families, sizes, weights, line heights), spacing (4px grid), border radius, shadows. + +Accessibility (WCAG 2.2 AA+) +- All components support: + - Keyboard navigation (tab order, focus indicators, enter/space activation). + - Screen reader labels (accessible names, roles, states). + - Color contrast: minimum 4.5:1 for text, 3:1 for UI components. + - Dynamic type: components scale with user font size preferences. + - Reduced motion: animations respect `prefers-reduced-motion`. + - Touch targets: minimum 44x44pt (mobile), 44x44px (web). +- High contrast mode: boost contrast ratios to 7:1+. +- Focus management: modals trap focus, dismissible with Esc, return focus on close. + +Design Tokens + +Colors +- Primary: `#3B82F6` (blue, adjust for brand) +- Secondary: `#8B5CF6` (purple) +- Background: `#FFFFFF` (light), `#1F2937` (dark) +- Text: `#111827` (light mode), `#F9FAFB` (dark mode) +- Error: `#EF4444` +- Success: `#10B981` +- Warning: `#F59E0B` +- Border: `#D1D5DB` (light), `#4B5563` (dark) + +Typography +- Font family: system fonts (SF Pro for iOS, Roboto for Android, Inter/system-ui for web) +- Font sizes: 12px, 14px, 16px (base), 18px, 20px, 24px, 32px, 48px +- Font weights: 400 (normal), 600 (semibold), 700 (bold) +- Line heights: 1.5 (body), 1.25 (headings) + +Spacing +- Base unit: 4px +- Scale: 0 (0px), 1 (4px), 2 (8px), 3 (12px), 4 (16px), 5 (20px), 6 (24px), 8 (32px), 10 (40px), 12 (48px), 16 (64px), 20 (80px) + +Border Radius +- sm: 4px +- md: 8px +- lg: 12px +- full: 9999px (pills/circles) + +Shadows +- sm: `0 1px 2px rgba(0,0,0,0.05)` +- md: `0 4px 6px rgba(0,0,0,0.1)` +- lg: `0 10px 15px rgba(0,0,0,0.15)` + +Component Specifications + +Button +- Variants: primary, secondary, ghost, danger +- Sizes: sm, md, lg +- States: default, hover, active, disabled, loading +- Accessibility: role="button", aria-label if icon-only, keyboard enter/space, focus ring +- Touch target: min 44x44 + +Input +- Types: text, email, password, textarea, number +- States: default, focus, error, disabled +- Accessibility: label (visible or aria-label), aria-describedby for errors, role="textbox" for textarea +- Validation: inline error messages with icon, clear error state styling + +Card +- Variants: elevated (shadow), outlined (border), flat +- Structure: header (optional), body, footer (optional) +- Accessibility: semantic sectioning (article/section), focus ring if interactive + +Modal +- Structure: overlay (backdrop), dialog container, close button +- Accessibility: role="dialog", aria-modal="true", trap focus, Esc to close, return focus on close, aria-labelledby for title +- Animations: respect prefers-reduced-motion + +Navigation +- Mobile: bottom tab bar, app bar (top), drawer (side) +- Web: top nav, sidebar (collapsible), breadcrumbs +- Accessibility: role="navigation", aria-current for active route, keyboard nav (arrow keys for tabs) + +Platform-Specific Considerations +- iOS: use SF Symbols for icons, native haptics for interactions, iOS navigation patterns (back swipe). +- Android: use Material icons, ripple effects, Android navigation patterns (drawer, bottom nav). +- Web: use accessible HTML (semantic tags), focus-visible CSS, responsive breakpoints. + +Observability & Telemetry +- Component usage analytics (opt-in): track which components are most used to prioritize improvements. +- Accessibility metrics: track high contrast mode adoption, screen reader usage (if detectable). + +Test Plan +- Unit tests: component prop variations, state changes, event handlers. +- Accessibility tests: + - Automated: axe (web), react-native-a11y linters (mobile). + - Manual: VoiceOver (iOS), TalkBack (Android), NVDA/JAWS (web), keyboard-only nav. +- Visual regression: screenshot tests for all component variants (light/dark/high contrast). +- Cross-platform parity: ensure components look consistent on Android, iOS, Web. + +Migration / Rollout Plan +- Phase 1: Design tokens + core components (Button, Input, Card, Modal). +- Phase 2: Navigation, Form helpers, List. +- Phase 3: Advanced components (Tabs, Accordion, etc.). +- Versioning: semantic versioning (1.0.0), changelog for breaking changes. +- Migration guide for existing components (if any from early development). + +Risks & Mitigations +- Platform drift → enforce design review for all component changes; automated visual regression tests. +- Accessibility regressions → CI gates for a11y linters; manual audits per release. +- Over-engineering → start with MVP components; add complexity only when needed. + +Alternatives Considered +- Custom vs existing design system (Material, Chakra, Ant Design) → choosing custom for brand control and accessibility customization, but borrowing patterns from established systems. +- Shared components vs platform-specific → choosing shared design tokens with platform-specific implementations for best native UX. + +Work Breakdown +1. Define design tokens (colors, typography, spacing) in config files +2. Build core components: Button, Input, Card, Modal +3. Platform adapters: React Native (mobile), Next.js/React (web) +4. Accessibility audit and fixes +5. Documentation: Storybook (web), example app (mobile) +6. Visual regression test setup +7. Versioning and release process +8. Design review and feedback iteration +9. Theming implementation (light/dark/high contrast) +10. Rollout to first feature (e.g., Forum MVP) + +Acceptance Criteria +- Core components implemented and documented. +- All components pass WCAG 2.2 AA automated checks (axe). +- Manual accessibility audit completed with VoiceOver, TalkBack, NVDA. +- Visual regression tests passing for all variants. +- Design tokens consistent across mobile and web. +- Documentation (Storybook/example app) published. +- At least one feature (e.g., Forum MVP) uses design system components. + +Open Questions +- Final brand colors and logo (can use placeholders initially)? +- Icon library choice (SF Symbols for iOS, Material for Android, custom SVG for web)? +- Animation library (Framer Motion for web, Reanimated for mobile)? + +Slash Commands +- `/review areas=mobile,web,accessibility,design` +- `/apply spec=openspec/specs/architecture.md` +- `/archive link=` diff --git a/openspec/changes/2025-11-17-forum-mvp/proposal.md b/openspec/changes/2025-11-17-forum-mvp/proposal.md index 8ec5fde..8c939a3 100644 --- a/openspec/changes/2025-11-17-forum-mvp/proposal.md +++ b/openspec/changes/2025-11-17-forum-mvp/proposal.md @@ -1,6 +1,8 @@ # Proposal: Community Forum MVP -Status: draft +Status: archived +Archived: 2025-11-17 +Merged PR: https://github.com/fullsizemalt/morethanadiagnosis-hub/pull/4 Authors: Community + Platform Teams Owners: Community Lead, Architecture Lead Created: 2025-11-17 diff --git a/openspec/changes/2025-11-17-merch-mvp/proposal.md b/openspec/changes/2025-11-17-merch-mvp/proposal.md index d288d78..a0e5dbe 100644 --- a/openspec/changes/2025-11-17-merch-mvp/proposal.md +++ b/openspec/changes/2025-11-17-merch-mvp/proposal.md @@ -1,6 +1,8 @@ # Proposal: Merch Store MVP -Status: draft +Status: archived +Archived: 2025-11-17 +Merged PR: https://github.com/fullsizemalt/morethanadiagnosis-hub/pull/11 Authors: Commerce Team Owners: Commerce Lead, Security Lead Created: 2025-11-17 diff --git a/openspec/changes/2025-11-17-mobile-stack-decision/proposal.md b/openspec/changes/2025-11-17-mobile-stack-decision/proposal.md index e0e48a4..38bad94 100644 --- a/openspec/changes/2025-11-17-mobile-stack-decision/proposal.md +++ b/openspec/changes/2025-11-17-mobile-stack-decision/proposal.md @@ -1,6 +1,8 @@ # Proposal: Mobile Stack Decision (Android/iOS) -Status: draft +Status: archived +Archived: 2025-11-17 +Merged PR: https://github.com/fullsizemalt/morethanadiagnosis-hub/pull/2 Authors: Platform Team Owners: Architecture Lead, Mobile Lead Created: 2025-11-17 diff --git a/openspec/changes/2025-11-17-podcast-mvp/proposal.md b/openspec/changes/2025-11-17-podcast-mvp/proposal.md index ce3286f..58d04f4 100644 --- a/openspec/changes/2025-11-17-podcast-mvp/proposal.md +++ b/openspec/changes/2025-11-17-podcast-mvp/proposal.md @@ -1,6 +1,8 @@ # Proposal: Podcast MVP -Status: draft +Status: archived +Archived: 2025-11-17 +Merged PR: https://github.com/fullsizemalt/morethanadiagnosis-hub/pull/9 Authors: Media Team Owners: Media Lead, Web Lead Created: 2025-11-17 diff --git a/openspec/changes/2025-11-17-profiles-mvp/proposal.md b/openspec/changes/2025-11-17-profiles-mvp/proposal.md new file mode 100644 index 0000000..cf90589 --- /dev/null +++ b/openspec/changes/2025-11-17-profiles-mvp/proposal.md @@ -0,0 +1,42 @@ +# Proposal: Profiles MVP + +Status: archived +Archived: 2025-11-17 +Applied: Merged to main via claude/profiles-mvp-2025-11-17 +Authors: Identity Team +Owners: Identity Lead, Compliance Lead +Created: 2025-11-17 +Scope: spec +Related: openspec/specs/feature-profiles.md + +Summary +- Deliver full profile management with privacy controls, optional pseudonyms, pronouns, avatar, and consent-driven visibility. + +Motivation +- Empower members to represent themselves safely and control visibility of sensitive fields. + +Requirements +- Accessibility: large text, screen reader labels, keyboard/focus parity. +- Privacy: field-level data class tags; default-private for sensitive fields; consent registry. +- Media: avatar upload with safe processing and size constraints. + +API +- Profiles CRUD; consent endpoints; media upload policy and signed URLs. + +Data Model +- Profile fields with Public/PII/PHI tags; retention policy; soft-delete behavior. + +Test Plan +- Unit/integration for API; a11y checks; GDPR export/delete flows. + +Rollout +- Feature flag; migration for existing members; help content. + +Acceptance Criteria +- GDPR export/delete verified; HIPAA constraints respected; a11y parity on all profile screens. + +Slash Commands +- `/review areas=mobile,web,backend,accessibility,compliance,security` +- `/apply spec=openspec/specs/feature-profiles.md` +- `/archive link=` + diff --git a/openspec/changes/2025-11-17-resources-mvp/proposal.md b/openspec/changes/2025-11-17-resources-mvp/proposal.md new file mode 100644 index 0000000..d27e8a7 --- /dev/null +++ b/openspec/changes/2025-11-17-resources-mvp/proposal.md @@ -0,0 +1,39 @@ +# Proposal: Resources MVP (Public + Members) + +Status: archived +Archived: 2025-11-17 +Applied: Merged to main via claude/resources-mvp-2025-11-17 +Authors: Content Team +Owners: Content Lead, Accessibility Lead +Created: 2025-11-17 +Scope: spec +Related: openspec/specs/feature-resources.md + +Summary +- Build a curated resources section with public and members-only access tiers, tagging, and search. + +Motivation +- Provide high-quality, accessible information with clear access labeling for discovery and members’ needs. + +Requirements +- Accessibility: semantic layouts, keyboard nav, reduced motion, large text. +- Content: tags, categories, search; clear access tier labels. +- Performance: lightweight pages; offline-friendly patterns where feasible. + +API +- Resources CRUD; taxonomy; search index endpoints. + +Test Plan +- Accessibility checks; SEO for public pages; analytics without PII/PHI. + +Rollout +- Seed initial taxonomy and sample resources; content QA. + +Acceptance Criteria +- Access tiers enforced; a11y checks pass; search returns relevant results. + +Slash Commands +- `/review areas=web,mobile,accessibility` +- `/apply spec=openspec/specs/feature-resources.md` +- `/archive link=` + diff --git a/openspec/changes/2025-11-17-tribute-mvp/proposal.md b/openspec/changes/2025-11-17-tribute-mvp/proposal.md index 8bdc4ab..af54414 100644 --- a/openspec/changes/2025-11-17-tribute-mvp/proposal.md +++ b/openspec/changes/2025-11-17-tribute-mvp/proposal.md @@ -1,6 +1,8 @@ # Proposal: Tribute / Memorial MVP -Status: draft +Status: archived +Archived: 2025-11-17 +Merged PR: https://github.com/fullsizemalt/morethanadiagnosis-hub/pull/10 Authors: Community Team Owners: Community Lead, Compliance Lead Created: 2025-11-17 diff --git a/openspec/changes/2025-11-17-web-stack-decision/proposal.md b/openspec/changes/2025-11-17-web-stack-decision/proposal.md index bc01518..c93b05c 100644 --- a/openspec/changes/2025-11-17-web-stack-decision/proposal.md +++ b/openspec/changes/2025-11-17-web-stack-decision/proposal.md @@ -1,6 +1,8 @@ # Proposal: Web Stack Decision -Status: draft +Status: archived +Archived: 2025-11-17 +Applied: Merged to main via claude/web-stack-decision-2025-11-17 Authors: Platform Team Owners: Architecture Lead, Web Lead Created: 2025-11-17 diff --git a/openspec/specs/architecture.md b/openspec/specs/architecture.md index 677e3b3..ebfc6cd 100644 --- a/openspec/specs/architecture.md +++ b/openspec/specs/architecture.md @@ -38,6 +38,10 @@ Client platform decisions - Mobile: React Native + Expo (TypeScript). Rationale: strong a11y ecosystem, mature tooling, and DX. Notes: Expo modules; E2E via Detox; push via Expo/FCM/APNs. +- Web: Next.js (SSR). + Rationale: semantic HTML, SEO, CWV, and ecosystem maturity. + Notes: App Router, server actions; sitemap, RSS for blog/resources. -Decisions +Decision log - 2025-11-17 — Mobile stack: React Native + Expo. +- 2025-11-17 — Web stack: Next.js (SSR). diff --git a/openspec/specs/feature-profiles.md b/openspec/specs/feature-profiles.md index 1790947..3f4fc0e 100644 --- a/openspec/specs/feature-profiles.md +++ b/openspec/specs/feature-profiles.md @@ -1,6 +1,6 @@ # Feature: Profiles -Status: draft +Status: approved Owners: Identity Summary diff --git a/openspec/specs/feature-resources.md b/openspec/specs/feature-resources.md index 0adec98..0375340 100644 --- a/openspec/specs/feature-resources.md +++ b/openspec/specs/feature-resources.md @@ -1,6 +1,6 @@ # Feature: Resources (Public + Members‑Only) -Status: draft +Status: approved Owners: Content Summary