websitebuilder/.tmp/sessions/phase1-foundation/context.md
Kunthawat Greethong 4d1bb6892b
Add websitebuilder app
2026-01-26 12:50:12 +07:00


# Phase 1: Foundation - Context Bundle
## Task Description
Implement Phase 1 Foundation for MoreMinimore SAAS platform. This phase establishes the core infrastructure including project setup, database configuration, authentication system, user management, and CI/CD pipeline.
## Scope Boundaries
### In Scope
- Next.js 15 project initialization with TypeScript
- PostgreSQL database setup with Drizzle ORM
- Complete database schema (20+ tables from SPECIFICATION.md)
- Redis caching setup
- JWT-based authentication system
- User management APIs and UI
- CI/CD pipeline with GitHub Actions
- Automated testing setup (Vitest, Playwright)
### Out of Scope
- Organization management (Phase 2)
- Project management (Phase 2)
- AI integration (Phase 2)
- Easypanel integration (Phase 4)
- Gitea integration (Phase 5)
- Billing system (Phase 6)
## Technical Requirements
### Technology Stack
- **Frontend**: Next.js 15 (App Router), React 19, Tailwind CSS 4, shadcn/ui
- **Backend**: Next.js API Routes, Node.js 20+
- **Database**: PostgreSQL 16+, Drizzle ORM
- **Cache**: Redis 7+
- **State**: Zustand (global), React Query (server state)
- **Testing**: Vitest (unit), Playwright (E2E)
- **CI/CD**: GitHub Actions
### Database Schema
All tables from SPECIFICATION.md lines 141-397:
- users, organizations, organization_members
- projects, project_versions
- chats, messages, prompts
- ai_providers, ai_models, user_api_keys
- design_systems, deployment_logs
- invoices, subscription_events
- audit_logs, sessions
- email_verification_tokens, password_reset_tokens
### Authentication Requirements
- JWT access tokens (15 min expiration)
- JWT refresh tokens (7 days expiration)
- HTTP-only cookies for token storage
- Email verification required
- Password reset flow
- Role-based authorization (admin, co_admin, owner, user)
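
An added TypeScript sketch of these token requirements (not code from the websitebuilder repository): HS256 tokens with the 15-minute and 7-day lifetimes, a verifier that rejects a refresh token presented as an access token, and the HTTP-only cookie string. The `role` and `typ` claims, the function names, the cookie names and the `Secure`, `SameSite` and `Path` attributes are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Role = "admin" | "co_admin" | "owner" | "user";
type TokenKind = "access" | "refresh";
interface Claims { sub: string; role: Role; typ: TokenKind; iat: number; exp: number }

// Lifetimes from the requirements, in seconds: 15 minutes and 7 days.
const TTL: Record<TokenKind, number> = { access: 15 * 60, refresh: 7 * 24 * 60 * 60 };

const encode = (value: object): string =>
  Buffer.from(JSON.stringify(value)).toString("base64url");
const hmac = (input: string, secret: string): Buffer =>
  createHmac("sha256", secret).update(input).digest();

// `now` is Unix time in seconds, passed in so expiry can be tested deterministically.
function issueToken(sub: string, role: Role, typ: TokenKind, secret: string, now: number): string {
  const head = encode({ alg: "HS256", typ: "JWT" });
  const body = encode({ sub, role, typ, iat: now, exp: now + TTL[typ] });
  return `${head}.${body}.${hmac(`${head}.${body}`, secret).toString("base64url")}`;
}

// Returns the claims, or null for a bad signature, an expired token or the wrong token kind.
function verifyToken(token: string, expected: TokenKind, secret: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head = "", body = "", sig = ""] = parts;
  // HS256 is fixed server-side; the header's "alg" field is never used to pick the algorithm.
  const given = Buffer.from(sig, "base64url");
  const want = hmac(`${head}.${body}`, secret);
  if (given.length !== want.length || !timingSafeEqual(given, want)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Claims;
  // A refresh token must never be accepted where an access token is expected.
  if (claims.typ !== expected || claims.exp <= now) return null;
  return claims;
}

// Set-Cookie value; cookie names, Secure, SameSite and Path are assumed choices.
function authCookie(typ: TokenKind, token: string): string {
  const path = typ === "refresh" ? "/api/auth" : "/";
  return `${typ}_token=${token}; HttpOnly; Secure; SameSite=Lax; Path=${path}; Max-Age=${TTL[typ]}`;
}

// Role gate over verified claims, using the four roles listed in the requirements.
function roleAllowed(claims: Claims | null, allowed: readonly Role[]): boolean {
  return claims !== null && allowed.includes(claims.role);
}
```

The secret would come from an environment variable, per the security requirements; a production build would normally use a maintained JWT library rather than hand-rolled signing.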
## Constraints
### Code Quality Standards
- Pure functions (no side effects)
- Immutability (create new data, don't modify)
- Small functions (< 50 lines)
- Explicit dependencies (dependency injection)
- Modular design (< 100 lines per component)
### Testing Requirements
- AAA pattern (Arrange Act Assert)
- Critical code: 100% coverage
- High priority: 90%+ coverage
- Medium priority: 80%+ coverage
### Security Requirements
- Never expose sensitive data in logs
- Use environment variables for secrets
- Validate all input data
- Use parameterized queries
- Implement rate limiting
- CSRF protection
## Expected Deliverables
### 1. Project Structure
```
src/
├── app/ # Next.js App Router
│ ├── api/ # API routes
│ ├── auth/ # Auth pages
│ ├── dashboard/ # Dashboard pages
│ └── layout.tsx
├── components/ # React components
│ ├── ui/ # shadcn/ui components
│ ├── auth/ # Auth components
│ └── dashboard/ # Dashboard components
├── lib/ # Utilities
│ ├── db/ # Database utilities
│ ├── auth/ # Auth utilities
│ └── utils.ts
├── services/ # Business logic
│ ├── auth.service.ts
│ ├── user.service.ts
│ └── email.service.ts
├── types/ # TypeScript types
│ └── index.ts
└── middleware.ts # Next.js middleware
```
### 2. Database
- PostgreSQL database `moreminimore`
- Drizzle ORM configured
- All tables created with proper indexes
- Initial migration generated and applied
- Redis connection configured
### 3. Authentication
- Password hashing utility (bcrypt)
- JWT generation/verification utilities
- Auth APIs: register, login, refresh, logout, verify-email, forgot-password, reset-password
- Auth middleware: requireAuth, requireRole, requireOrgMembership
- Session management in database
### 4. User Management
- User profile APIs (GET/PATCH /api/users/me)
- Admin user management APIs (GET/PATCH/DELETE /api/users)
- User profile page
- Settings page
- Admin user management page
### 5. CI/CD
- GitHub Actions workflow file
- Automated testing on push/PR
- Test coverage reporting
- Build validation
## Acceptance Criteria
### Project Setup
- [ ] Next.js 15 project created with TypeScript
- [ ] Tailwind CSS 4 configured
- [ ] shadcn/ui components installed
- [ ] ESLint and Prettier configured
- [ ] Path aliases configured (@/components, @/lib, etc.)
- [ ] Environment variables template created
### Database
- [ ] PostgreSQL database created
- [ ] Drizzle ORM configured
- [ ] All 20+ tables defined in schema
- [ ] Indexes created for performance
- [ ] Initial migration generated
- [ ] Migration applied successfully
- [ ] Redis connection tested
### Authentication
- [ ] Password hashing/verification working
- [ ] JWT tokens generated with correct expiration
- [ ] Register API creates user and sends verification email
- [ ] Login API generates tokens and sets cookies
- [ ] Refresh API rotates tokens correctly
- [ ] Logout API clears cookies and invalidates session
- [ ] Email verification API works
- [ ] Password reset flow works end-to-end
- [ ] Auth middleware protects routes correctly
- [ ] Role-based authorization works
### User Management
- [ ] User profile API returns correct data
- [ ] User profile update works
- [ ] Password change works
- [ ] Admin can list all users
- [ ] Admin can update user details
- [ ] Admin can ban/unban users
- [ ] User profile page displays correctly
- [ ] Settings page works
- [ ] Admin user management page works
### CI/CD
- [ ] GitHub Actions workflow runs on push
- [ ] Tests execute automatically
- [ ] Coverage report generated
- [ ] Build validation passes
- [ ] PR checks work
## Context Files
### Code Quality Standards
- Location: /Users/kunthawatgreethong/.config/opencode/context/core/standards/code-quality.md
- Key principles: Modular, Functional, Maintainable
- Critical patterns: Pure functions, immutability, composition, dependency injection
- Anti-patterns: Mutation, side effects, deep nesting, god modules
### Documentation Standards
- Location: /Users/kunthawatgreethong/.config/opencode/context/core/standards/documentation.md
- Golden Rule: If users ask the same question twice, document it
- Document WHY decisions were made, not just WHAT code does
### Testing Standards
- Location: /Users/kunthawatgreethong/.config/opencode/context/core/standards/test-coverage.md
- Golden Rule: If you can't test it easily, refactor it
- AAA pattern: Arrange Act Assert
- Coverage goals: Critical 100%, High 90%+, Medium 80%+
### Essential Patterns
- Location: /Users/kunthawatgreethong/.config/opencode/context/core/essential-patterns.md
- Core patterns: Error handling, validation, security, logging, pure functions
- ALWAYS: Handle errors gracefully, validate input, use env vars for secrets
- NEVER: Expose sensitive info, hardcode credentials, skip validation
### Specification
- Location: /Users/kunthawatgreethong/Gitea/moreminimore-vibe/Websitebuilder/SPECIFICATION.md
- Complete technical specification with database schema, API design, authentication flow
### Task Breakdown
- Location: /Users/kunthawatgreethong/Gitea/moreminimore-vibe/Websitebuilder/TASKS.md
- Detailed task breakdown for all phases
## Risks & Considerations
### Technical Risks
- PostgreSQL setup complexity on local development
- Redis configuration and connection pooling
- JWT token security and rotation
- Email service integration (Resend/SendGrid)
- Database migration conflicts
### Mitigation Strategies
- Use Docker for local PostgreSQL/Redis if needed
- Implement comprehensive error handling
- Add extensive logging for debugging
- Create rollback procedures for migrations
- Test authentication flow thoroughly
## Next Steps
After Phase 1 completion:
1. Validate all acceptance criteria
2. Run full test suite
3. Document any deviations
4. Prepare for Phase 2: Core Features
---
**Session ID**: ses_phase1_foundation
**Created**: January 19, 2026
**Priority**: High
**Estimated Duration**: 4 weeks