Retire login flow #289

Merged

barrettruth merged 1 commit from shutdown/login-flow into main

2026-05-11 18:22:59 +00:00

barrettruth commented

2026-05-11 18:17:32 +00:00

Owner

Problem

Delta is narrowing to a self-hosted tracker before launch. The browser login product (OAuth sign-in/callbacks, passkeys, TOTP, recovery codes, invite-gated first login, and separate security/invite settings) expanded the project beyond the current scope and created broken OAuth/security-key paths. This change replaces that plan with a local self-hosted user model.

Solution

Remove login, OAuth, passkey/WebAuthn, TOTP, recovery-code, logout, invite, and OAuth provider-settings routes and UI.
Auto-provision/reuse the first local user so existing user-scoped data remains visible without browser login.
Keep API-key auth for CLI/scripts, accept both Authorization: Bearer and x-api-key, and expose copy/regenerate controls from account settings.
Remove CLI invite commands and update CLI auth help/completions/manpage to describe token storage instead of browser/device-flow login.
Leave old auth tables/columns inert for now instead of adding a destructive migration in this scope-change PR.

Verification

pnpm vitest run tests/api/auth.test.ts tests/core/auth.test.ts tests/core/commands.test.ts tests/core/system-config.test.ts tests/lib/settings-navigation.test.ts
bun run build:npm in cli/
pnpm tsc --noEmit
just ci

just ci still reports the pre-existing Biome specificity warning in src/components/calendar/fc-styles.css; it does not fail the check.

Closes #287
Closes #228
Revises #144
Supersedes closed #273

## Problem Delta is narrowing to a self-hosted tracker before launch. The browser login product (OAuth sign-in/callbacks, passkeys, TOTP, recovery codes, invite-gated first login, and separate security/invite settings) expanded the project beyond the current scope and created broken OAuth/security-key paths. This change replaces that plan with a local self-hosted user model. ## Solution - Remove login, OAuth, passkey/WebAuthn, TOTP, recovery-code, logout, invite, and OAuth provider-settings routes and UI. - Auto-provision/reuse the first local user so existing user-scoped data remains visible without browser login. - Keep API-key auth for CLI/scripts, accept both `Authorization: Bearer` and `x-api-key`, and expose copy/regenerate controls from account settings. - Remove CLI invite commands and update CLI auth help/completions/manpage to describe token storage instead of browser/device-flow login. - Leave old auth tables/columns inert for now instead of adding a destructive migration in this scope-change PR. ## Verification - `pnpm vitest run tests/api/auth.test.ts tests/core/auth.test.ts tests/core/commands.test.ts tests/core/system-config.test.ts tests/lib/settings-navigation.test.ts` - `bun run build:npm` in `cli/` - `pnpm tsc --noEmit` - `just ci` `just ci` still reports the pre-existing Biome specificity warning in `src/components/calendar/fc-styles.css`; it does not fail the check. Closes #287 Closes #228 Revises #144 Supersedes closed #273

barrettruth added 1 commit

2026-05-11 18:17:32 +00:00

Retire login flow

quality / Test (pull_request) Failing after 3s

Details

quality / Lint (pull_request) Successful in 20s

Details

quality / Build (pull_request) Has been skipped

Details

4afebef2ba