xtablo-source/.planning/STATE.md

gsd_state_version	milestone	milestone_name	status	last_updated	progress
1.0	v1.0	milestone	in_progress	2026-05-14T20:34:00.000Z	total_phases completed_phases total_plans completed_plans percent 7 1 11 10 91

STATE

Project: Xtablo Go+HTMX Rewrite Milestone: v1 — Tablos workflow Created: 2026-05-14

Project Reference

See: .planning/PROJECT.md (updated 2026-05-14)

Core value: A user can sign in and run the Tablos workflow — create tablos, manage their tasks (kanban), and attach files — without a JS framework. Current focus: Phase 02 — authentication, Plan 05 next (login handler)

Phase Status

#	Phase	Status
1	Foundation	✓ Complete
2	Authentication	◑ In Progress (5/7 plans done)
3	Tablos CRUD	○ Pending
4	Tasks (Kanban)	○ Pending
5	Files	○ Pending
6	Background Worker	○ Pending
7	Deploy v1	○ Pending

Active Phase

Phase 2: Authentication — Plans 01–05 complete. Plan 06 (logout handler) next.

Decisions

• Consolidated internal/auth package (not split with internal/session) — RESEARCH Open Question 3
• compose Postgres + schema isolation for tests (not testcontainers-go) — RESEARCH Open Question 1
• goose.SetTableName per test-schema prevents public goose_db_version table collision
• argon2id over bcrypt for password hashing — D-08, confirmed by user
• Hand-rolled PHC encode/decode (Pattern 1 verbatim) — no alexedwards/argon2id wrapper dep; keeps code lean and self-tested
• Store.now injectable field (not method/interface) — simpler for single-test-clock use case in MaybeExtend threshold tests
• sha256.Sum256 inlined at Create + Lookup (not in helper) — satisfies >= 2 grep acceptance criterion; makes D-05 hashing visible at usage sites
• SignupForm/SignupErrors in templates package (not handlers or separate forms pkg) — avoids import cycle between templates and internal/web
• setupTestDB duplicated into web package test file — Go prohibits importing _test.go files across packages; duplication chosen over non-test shared infra
• nil-Store guard in auth.ResolveSession — enables Phase 1 unit tests to pass AuthDeps{} zero value without panic
• errInvalidCreds const (not inline string) — satisfies D-20 single-source-of-truth grep gate; both credential failure paths use the constant
• NewLimiterStoreWithClock exported — cross-package integration tests inject a frozen clock without a test-helper shim
• Status 401 for non-HTMX credential failures — consistent with HTTP semantics; HTMX path returns 200+fragment

Performance Metrics

Phase	Plan	Duration	Tasks	Files
02-authentication	01	~10min	3	9
02-authentication	02	~8min	2	4
02-authentication	03	~15min	2	5
02-authentication	04	~25min	2	11
02-authentication	05	~7min	2	9

Notes

• Existing go-backend/ is set aside; new code lives in a fresh backend/ Go package.
• DB schema is changing from the JS/Supabase version — user is in the loop on every schema decision (Phases 2–5).
• Phase 2 Plan 01 SUMMARY: .planning/phases/02-authentication/02-01-SUMMARY.md
• Phase 2 Plan 02 SUMMARY: .planning/phases/02-authentication/02-02-SUMMARY.md
• Phase 2 Plan 03 SUMMARY: .planning/phases/02-authentication/02-03-SUMMARY.md
• Commits (02-01): 513044d (migration), 799c260 (sqlc), 2c84f42 (auth package + test harness)
• Commits (02-02): 3bb3828 (RED tests), ee36a5c (GREEN implementation)
• Commits (02-03): fd2301d (session store + cookie helpers), 1d07830 (middleware)
• Commits (02-04): 73935ed (signup templates + smoke tests), efdc16b (handler + router + integration tests)
• Phase 2 Plan 04 SUMMARY: .planning/phases/02-authentication/02-04-SUMMARY.md
• Commits (02-05): b5c20c7 (LimiterStore + tests), 7d8c498 (login handler + integration tests)
• Phase 2 Plan 05 SUMMARY: .planning/phases/02-authentication/02-05-SUMMARY.md

---

Last updated: 2026-05-14 after 02-05 execution