managarten

till/managarten

Fork 0

mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-17 23:09:39 +02:00

Commit graph

Author	SHA1	Message	Date
Till JS	49935c9628	feat(shared-privacy): M1 — visibility foundation package Scaffold the unified visibility/privacy layer introduced by docs/plans/ visibility-system.md. No module adopts it yet — this is the foundation PR (M1). Module rollout lands in follow-ups starting with Library (M2). What ships: - @mana/shared-privacy package - VisibilityLevel enum ('private' \| 'space' \| 'unlisted' \| 'public') - VisibilityLevelSchema + UnlistedTokenSchema (zod) - defaultVisibilityFor(spaceType): personal → private, else → space - predicates: canEmbedOnWebsite, isReachableByLink, isVisibleToSpaceMember, canAiAccessCrossUser (always false in P1) - generateUnlistedToken() — 32-char base64url, CSPRNG, ~192 bits - VISIBILITY_METADATA: German labels + descriptions + phosphor icon names so non-UI surfaces (audit logs, CLI) label levels consistently - <VisibilityPicker> svelte component: compact lock/globe trigger with 4-option menu, full descriptions, optional compact + disabledLevels - VisibilityChangedPayload type for the domain-event catalog (consumer registers it when the first module adopts the system) - .claude/guidelines/visibility.md — step-by-step for module authors (schema migrations + store wiring + picker placement + embed resolver + legacy isPublic migration), with a pre-PR checklist - Plan-doc "Offene Fragen" section rewritten as "Designentscheidungen" with the seven resolutions the user approved - CLAUDE.md: shared-privacy listed in the packages table; visibility.md listed in the guidelines table - 15 unit tests covering predicates (one-and-only-one 'public' for embed; phase-1 AI always-deny), defaults (personal vs multi-member, null fallback), token uniqueness + schema round-trip Key constraints honored: - `visibility` stays plaintext (NOT added to the encryption registry) so RLS predicates and publish resolvers can read it without the user's master key - Publish flow remains "decrypt client-side, inline plaintext into snapshot" — the pattern picture.board already uses in embeds.ts - Deny-by-default everywhere (personal default = private; unknown space type defaults to private; cross-user AI always false) Not in this PR (per plan): - No schema migrations in any module (M2–M6) - No RLS predicate updates (arrives with M2) - No /settings/privacy overview (M7) - No unlisted share routes (M8) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-24 01:59:11 +02:00
Till JS	ca2809da89	docs(plans): visibility-system — unified 4-tier privacy model (planning) Write up the design for a repo-wide visibility layer before building. Today the state is fragmented: 7 modules carry ad-hoc isPublic booleans (picture, cards, presi, memoro, times, broadcast.audience, uload.tags) with inconsistent semantics and mostly no UI; the majority of modules (library, calendar, todo, places, events, recipes, goals, habits, quiz, wardrobe, invoices-clients, …) have nothing. Spaces only carry member permissions, no public tier. The existing encryption layer (27 encrypted tables) is not a blocker — embeds.ts already demonstrates "decrypt client-side, inline plaintext into the publish snapshot". Design: - @mana/shared-privacy package with `VisibilityLevel = 'private' \| 'space' \| 'unlisted' \| 'public'`, a `<VisibilityPicker>` svelte component, and predicate helpers (canEmbedOnWebsite, isVisibleToSpaceMember, …) - Per-record `visibility text not null default 'private'` on public-capable tables only; `unlistedToken`, `visibilityChangedAt`, `visibilityChangedBy` alongside. Field stays plaintext so RLS + publish resolvers can read it without the user's master key - Default-per-space-type: personal → private, team/club → space. Never public/unlisted by default - Embed resolvers gate hard on `canEmbedOnWebsite`; user filters (tags, status, date window) stack on top, never replace - RLS predicate extended: `space_member OR visibility='public' OR (visibility='unlisted' AND unlisted_token matches header)` Rollout (soft-first / hard-follow-up per existing migration convention): M1 shared package · M2 library (pilot) · M3 picture (replaces isPublic) · M4 calendar + todo + goals · M5 places/events/recipes/habits/quiz/wardrobe /invoices · M6 legacy-flag consolidation · M7 /settings/privacy overview + kill-switch · M8 (optional) unlisted share links. Out of scope: per-user sharing, field-level visibility, visibility cascading, time-boxed public, search-indexing by default. Documented explicitly so the first implementer doesn't reopen these. No code yet — waiting on user go-ahead before starting M1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-23 23:50:17 +02:00

Author

SHA1

Message

Date

Till JS

49935c9628

feat(shared-privacy): M1 — visibility foundation package

Scaffold the unified visibility/privacy layer introduced by docs/plans/
visibility-system.md. No module adopts it yet — this is the foundation
PR (M1). Module rollout lands in follow-ups starting with Library (M2).

What ships:
- @mana/shared-privacy package
  - VisibilityLevel enum ('private' | 'space' | 'unlisted' | 'public')
  - VisibilityLevelSchema + UnlistedTokenSchema (zod)
  - defaultVisibilityFor(spaceType): personal → private, else → space
  - predicates: canEmbedOnWebsite, isReachableByLink,
    isVisibleToSpaceMember, canAiAccessCrossUser (always false in P1)
  - generateUnlistedToken() — 32-char base64url, CSPRNG, ~192 bits
  - VISIBILITY_METADATA: German labels + descriptions + phosphor icon
    names so non-UI surfaces (audit logs, CLI) label levels consistently
  - <VisibilityPicker> svelte component: compact lock/globe trigger with
    4-option menu, full descriptions, optional compact + disabledLevels
- VisibilityChangedPayload type for the domain-event catalog (consumer
  registers it when the first module adopts the system)
- .claude/guidelines/visibility.md — step-by-step for module authors
  (schema migrations + store wiring + picker placement + embed resolver +
  legacy isPublic migration), with a pre-PR checklist
- Plan-doc "Offene Fragen" section rewritten as "Designentscheidungen"
  with the seven resolutions the user approved
- CLAUDE.md: shared-privacy listed in the packages table; visibility.md
  listed in the guidelines table
- 15 unit tests covering predicates (one-and-only-one 'public' for
  embed; phase-1 AI always-deny), defaults (personal vs multi-member,
  null fallback), token uniqueness + schema round-trip

Key constraints honored:
- `visibility` stays plaintext (NOT added to the encryption registry)
  so RLS predicates and publish resolvers can read it without the user's
  master key
- Publish flow remains "decrypt client-side, inline plaintext into
  snapshot" — the pattern picture.board already uses in embeds.ts
- Deny-by-default everywhere (personal default = private; unknown space
  type defaults to private; cross-user AI always false)

Not in this PR (per plan):
- No schema migrations in any module (M2–M6)
- No RLS predicate updates (arrives with M2)
- No /settings/privacy overview (M7)
- No unlisted share routes (M8)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-24 01:59:11 +02:00

Till JS

ca2809da89

docs(plans): visibility-system — unified 4-tier privacy model (planning)

Write up the design for a repo-wide visibility layer before building. Today
the state is fragmented: 7 modules carry ad-hoc isPublic booleans (picture,
cards, presi, memoro, times, broadcast.audience, uload.tags) with
inconsistent semantics and mostly no UI; the majority of modules (library,
calendar, todo, places, events, recipes, goals, habits, quiz, wardrobe,
invoices-clients, …) have nothing. Spaces only carry member permissions,
no public tier. The existing encryption layer (27 encrypted tables) is not
a blocker — embeds.ts already demonstrates "decrypt client-side, inline
plaintext into the publish snapshot".

Design:
- @mana/shared-privacy package with `VisibilityLevel = 'private' | 'space'
  | 'unlisted' | 'public'`, a `<VisibilityPicker>` svelte component, and
  predicate helpers (canEmbedOnWebsite, isVisibleToSpaceMember, …)
- Per-record `visibility text not null default 'private'` on public-capable
  tables only; `unlistedToken`, `visibilityChangedAt`, `visibilityChangedBy`
  alongside. Field stays plaintext so RLS + publish resolvers can read it
  without the user's master key
- Default-per-space-type: personal → private, team/club → space. Never
  public/unlisted by default
- Embed resolvers gate hard on `canEmbedOnWebsite`; user filters (tags,
  status, date window) stack on top, never replace
- RLS predicate extended: `space_member OR visibility='public' OR
  (visibility='unlisted' AND unlisted_token matches header)`

Rollout (soft-first / hard-follow-up per existing migration convention):
M1 shared package · M2 library (pilot) · M3 picture (replaces isPublic) ·
M4 calendar + todo + goals · M5 places/events/recipes/habits/quiz/wardrobe
/invoices · M6 legacy-flag consolidation · M7 /settings/privacy overview
+ kill-switch · M8 (optional) unlisted share links.

Out of scope: per-user sharing, field-level visibility, visibility
cascading, time-boxed public, search-indexing by default. Documented
explicitly so the first implementer doesn't reopen these.

No code yet — waiting on user go-ahead before starting M1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-23 23:50:17 +02:00

2 commits