scope: retire login flow for self-hosted mode #287

New issue

Closed

opened 2026-05-11 15:54:42 +00:00 by barrettruth · 0 comments

barrettruth commented

2026-05-11 15:54:42 +00:00

Owner

Change of plan

Delta is narrowing scope around a self-hosted personal app. The full login/auth flow is too much surface area right now. Settings should keep the provider and account configuration that still matters inside the app, instead of hiding setup inside login/onboarding flows.

Scope

Remove the public login flow, OAuth sign-in/callback UX, WebAuthn/passkey sign-in, TOTP/recovery-code flows, invite-gated first login, and associated UI/tests.
Preserve the main authenticated app shape by replacing login with a simple self-hosted local-user/session path or equivalent minimal single-user entrypoint.
Keep configurable provider/API settings in the main settings area where still relevant.
Keep CLI/API authentication only if needed for local/self-hosted automation, and simplify docs/help accordingly.

Issue impact

Closes #228 as no longer the right direction.
Revises the auth assumptions from #144 Phase 3.
Notes closed #273 because onboarding/provider setup should be moved into normal settings rather than startup/login flow.

Acceptance criteria

Visiting the app no longer requires or advertises OAuth/passkey/TOTP login.
Removed login routes and auth settings do not leave dead navigation, broken imports, or stale CLI/help copy.
Remaining provider settings are reachable from the normal settings pages.
The PR explains this as a deliberate scope reduction for the self-hosted product.

## Change of plan Delta is narrowing scope around a self-hosted personal app. The full login/auth flow is too much surface area right now. Settings should keep the provider and account configuration that still matters inside the app, instead of hiding setup inside login/onboarding flows. ## Scope - Remove the public login flow, OAuth sign-in/callback UX, WebAuthn/passkey sign-in, TOTP/recovery-code flows, invite-gated first login, and associated UI/tests. - Preserve the main authenticated app shape by replacing login with a simple self-hosted local-user/session path or equivalent minimal single-user entrypoint. - Keep configurable provider/API settings in the main settings area where still relevant. - Keep CLI/API authentication only if needed for local/self-hosted automation, and simplify docs/help accordingly. ## Issue impact - Closes #228 as no longer the right direction. - Revises the auth assumptions from #144 Phase 3. - Notes closed #273 because onboarding/provider setup should be moved into normal settings rather than startup/login flow. ## Acceptance criteria - Visiting the app no longer requires or advertises OAuth/passkey/TOTP login. - Removed login routes and auth settings do not leave dead navigation, broken imports, or stale CLI/help copy. - Remaining provider settings are reachable from the normal settings pages. - The PR explains this as a deliberate scope reduction for the self-hosted product.

barrettruth referenced this issue

2026-05-11 15:56:07 +00:00

audit login flow end-to-end #228

barrettruth added the

labels

2026-05-11 15:56:34 +00:00

barrettruth referenced this issue from a pull request that will close it,

2026-05-11 18:17:32 +00:00