Atlas Plan
Plan 011 (2026-02-22): Workers Deployment and Simple Auth

Progress

2026-02-22 23:00 - T-001

Overview: Scaffolded a new Worker-native @services/api service with base runtime handler and deploy scripts.

Completed:

  • feat(api): create @services/api workspace with worker scripts and TypeScript/lint config
  • feat(api): add baseline Worker entrypoint with health and readiness routes

Decisions:

  • Kept initial API scaffold dependency-light (no framework dependency yet) to unblock worker/runtime wiring first.

Files:

  • @services/api/package.json
  • @services/api/eslint.config.mjs
  • @services/api/tsconfig.json
  • @services/api/wrangler.jsonc
  • @services/api/src/worker.ts

2026-02-22 23:00 - T-002

Overview: Registered API networking and public routes for local/dev/prod environments.

Completed:

  • feat(network): add api service mapping in NETWORK.yml with port 15004 and atlas domains
  • feat(api): align wrangler dev/prod route patterns with network registry

Files:

  • NETWORK.yml
  • @services/api/wrangler.jsonc

2026-02-22 23:00 - T-003

Overview: Aligned dashboard deployment with explicit Worker routes and deploy scripts while preserving current build compatibility.

Completed:

  • feat(dashboard): add wrangler.jsonc with dev/prod custom domains
  • feat(dashboard): add deploy:dev, deploy:prod, and gen:types scripts
  • test(dashboard): validate test:type and build after deployment config updates

Decisions:

  • Kept existing Vite SSR externals unchanged because Cloudflare Vite plugin conflicts with current DuckDB externalization; migration will be handled in later API refactor tasks.

Files:

  • @services/dashboard/wrangler.jsonc
  • @services/dashboard/package.json
  • @services/dashboard/vite.config.ts

2026-02-22 23:00 - T-004

Overview: Implemented shared simple-auth utility modules for API, dashboard, and slides with secure session token primitives.

Completed:

  • feat(auth): add password-hash credential verification using AUTH_PASSWORD_HASH and configurable username
  • feat(auth): add session token create/read helpers with HMAC signing and exp validation
  • feat(auth): add secure cookie builders for set/clear flows with HttpOnly and conditional Secure

Decisions:

  • Session and credential values are fully runtime-driven via env/secret variables (AUTH_*), keeping plaintext credentials out of tracked files.

Files:

  • @services/api/src/lib/auth.ts
  • @services/dashboard/src/lib/auth.ts
  • @services/slides/src/lib/auth.ts
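
The T-004 primitives (HMAC-signed session token with exp validation, cookie builder with HttpOnly and conditional Secure) can be sketched as follows. This is an added example, not the project's auth.ts: the token layout, the cookie name atlas_session, SameSite=Lax and all function names are assumptions, and node:crypto is used so the sketch runs synchronously under Node.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed layout (not from the project): base64url(JSON payload) "." base64url(HMAC-SHA256 tag)
interface SessionPayload { sub: string; exp: number } // exp is Unix time in seconds

function tag(body: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(body).digest();
}

function createSessionToken(sub: string, ttlSeconds: number, secret: string, now: number): string {
  const payload: SessionPayload = { sub, exp: now + ttlSeconds };
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return `${body}.${tag(body, secret).toString("base64url")}`;
}

function readSessionToken(token: string, secret: string, now: number): SessionPayload | null {
  const parts = token.split(".");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const expected = tag(parts[0], secret);
  const given = Buffer.from(parts[1], "base64url");
  // Check the tag before parsing anything; timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let parsed: Partial<SessionPayload> | null;
  try {
    parsed = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof parsed?.sub !== "string" || typeof parsed.exp !== "number") return null;
  if (!Number.isFinite(parsed.exp) || parsed.exp <= now) return null; // expired or bogus exp
  return { sub: parsed.sub, exp: parsed.exp };
}

// Cookie name and SameSite value are assumptions; the page only names HttpOnly and conditional Secure.
function buildSessionCookie(token: string, maxAge: number, isHttps: boolean): string {
  const attrs = [`atlas_session=${token}`, "Path=/", "HttpOnly", "SameSite=Lax", `Max-Age=${maxAge}`];
  if (isHttps) attrs.push("Secure"); // omitted on plain HTTP, where browsers may drop Secure cookies
  return attrs.join("; ");
}
```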

2026-02-22 23:23 - T-005

Overview: Added API auth endpoints for login/logout/session based on cookie sessions.

Completed:

  • feat(api): add /auth/login endpoint with credential validation and session cookie issuance
  • feat(api): add /auth/logout endpoint to clear auth cookie
  • feat(api): add /auth/session endpoint returning authenticated session state

Files:

  • @services/api/src/routes/auth.ts
  • @services/api/src/worker.ts

2026-02-22 23:23 - T-008

Overview: Implemented dashboard login/logout routes and protected app-shell route guard.

Completed:

  • feat(dashboard): add /login route with username/password form and server-side login action
  • feat(dashboard): add /logout route and sign-out navigation in app sidebar
  • feat(dashboard): enforce auth redirect for /_app layout route before rendering

Files:

  • @services/dashboard/src/routes/login.tsx
  • @services/dashboard/src/routes/logout.tsx
  • @services/dashboard/src/routes/_app.tsx
  • @services/dashboard/src/routeTree.gen.ts

2026-02-22 23:23 - T-009

Overview: Hardened dashboard server-side auth checks and documented runtime auth configuration.

Completed:

  • fix(dashboard): gate all dashboard server functions behind authenticated session checks
  • feat(dashboard): centralize request-session assertion helper for server handlers
  • docs(dashboard): document auth environment variables and secret setup in service README

Decisions:

  • Updated T-009 dependency from T-007, T-008 to T-008 because direct server-function auth hardening can be completed independently from API data migration.

Files:

  • @services/dashboard/src/lib/server-auth.ts
  • @services/dashboard/src/routes/_app/index.tsx
  • @services/dashboard/src/routes/_app/revenue.tsx
  • @services/dashboard/src/routes/_app/orders.tsx
  • @services/dashboard/src/routes/_app/programs.tsx
  • @services/dashboard/src/routes/_app/schools.tsx
  • @services/dashboard/src/routes/_app/marketing.tsx
  • @services/dashboard/src/routes/_app/students.$id.tsx
  • @services/dashboard/src/routes/_app/organizations.$id.tsx
  • @services/dashboard/README.md

2026-02-22 23:23 - T-010

Overview: Added slides Worker auth and protected artifact serving flow.

Completed:

  • feat(slides): add Worker auth routes (/login, /logout, /auth/session)
  • feat(slides): protect /reports/* routes with session checks and login redirects
  • feat(slides): stream authenticated R2 objects through Worker responses

Files:

  • @services/slides/src/routes/auth.ts
  • @services/slides/src/worker.ts

2026-02-22 23:23 - T-011

Overview: Configured slides Worker deployment routes and environment R2 bindings.

Completed:

  • feat(slides): add wrangler.jsonc with dev/prod routes and REPORTS_BUCKET bindings
  • feat(slides): add worker deploy scripts (deploy:dev, deploy:prod, dev:worker, gen:types)
  • chore(slides): include Worker source in service typecheck scope

Files:

  • @services/slides/wrangler.jsonc
  • @services/slides/package.json
  • @services/slides/tsconfig.json

2026-02-22 23:23 - T-013

Overview: Implemented secure slides subpath normalization and documented report URL contract.

Completed:

  • feat(slides): resolve /reports/{entity}/{period}/ to index.html with canonical slash redirects
  • secure(slides): reject traversal/malformed path segments before R2 key access
  • docs(slides): document auth and report subpath contract in service README

Decisions:

  • Updated T-013 dependency from T-010, T-012 to T-010 because routing/validation logic is independent of artifact upload command implementation.

Files:

  • @services/slides/src/worker.ts
  • @services/slides/README.md
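
One way to implement the T-013 path contract (index.html resolution, canonical slash redirect, rejection of traversal or malformed segments before any R2 key is built). This is an added example, not the project's worker.ts: the function name, the segment allow-list and the status codes are assumptions, and the sample paths in the test are constructed.

```typescript
type Resolution =
  | { kind: "object"; key: string }        // fetch this key from the bucket
  | { kind: "redirect"; location: string } // canonicalize with a trailing slash
  | { kind: "reject"; status: 400 | 404 };

// Assumed allow-list: starts with an alphanumeric, then letters, digits, ".", "_" or "-".
const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
const PREFIX = "/reports/";

function resolveReportPath(pathname: string): Resolution {
  if (!pathname.startsWith(PREFIX)) return { kind: "reject", status: 404 };
  // Split first, decode each segment afterwards, so an encoded "/" (%2F) cannot add segments.
  const raw = pathname.slice(PREFIX.length).split("/");
  const trailingSlash = raw[raw.length - 1] === "";
  if (trailingSlash) raw.pop();

  const segments: string[] = [];
  for (const part of raw) {
    let seg: string;
    try {
      seg = decodeURIComponent(part);
    } catch {
      return { kind: "reject", status: 400 }; // malformed percent-encoding
    }
    // Rejects "", ".", "..", encoded dots, slashes, backslashes, NUL and any "a..b" form.
    if (!SEGMENT.test(seg) || seg.includes("..")) return { kind: "reject", status: 400 };
    segments.push(seg);
  }

  if (segments.length < 2) return { kind: "reject", status: 404 };
  const base = `${segments[0]}/${segments[1]}`;
  if (segments.length === 2) {
    // /reports/{entity}/{period} redirects to the slash form, which serves index.html.
    return trailingSlash
      ? { kind: "object", key: `reports/${base}/index.html` }
      : { kind: "redirect", location: `${PREFIX}${base}/` };
  }
  if (trailingSlash) return { kind: "reject", status: 404 }; // no nested directory indexes
  return { kind: "object", key: `reports/${segments.join("/")}` };
}
```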

2026-02-22 23:31 - Amendment

Overview: Updated task dependency edges to reflect independent execution paths discovered during implementation.

Changes:

  • task: T-009 dependencies changed from T-007, T-008 to T-008
  • task: T-013 dependencies changed from T-010, T-012 to T-010

Rationale:

  • Server-function auth hardening is independent from dashboard API data migration.
  • Report path normalization and route safety are independent from upload command automation.

2026-02-22 23:50 - T-012

Overview: Added non-interactive slides artifact upload command for R2 deployment flow.

Completed:

  • feat(slides): add upload CLI subcommand with entity/period/environment targeting
  • feat(slides): upload web build files and report PDF/PPTX to reports/{entity}/{period}/... keys
  • fix(slides): make upload boolean flags CI-safe (true/false string handling)

Files:

  • @services/slides/cli.ts
  • @services/slides/scripts/upload.ts

2026-02-22 23:50 - T-014

Overview: Added monorepo CI GitHub Actions workflow.

Completed:

  • ci(*): add PR/main workflow for install, lint, typecheck, and test

Files:

  • .github/workflows/ci.yml

2026-02-22 23:50 - T-015

Overview: Added dedicated manual deployment workflow for @services/plan.

Completed:

  • ci(plan): add deploy-plan.yml with dev/prod workflow dispatch input

Files:

  • .github/workflows/deploy-plan.yml

2026-02-22 23:50 - T-016

Overview: Added manual deployment workflow for API and dashboard services.

Completed:

  • ci(*): add deploy-dashboard-api.yml with ordered API then dashboard deployment steps

Files:

  • .github/workflows/deploy-dashboard-api.yml

2026-02-22 23:50 - T-017

Overview: Added manual slides deploy workflow including build/export/upload and Worker deploy.

Completed:

  • ci(slides): add deploy-slides.yml with env/entity/period inputs and R2 upload path

Files:

  • .github/workflows/deploy-slides.yml

2026-02-22 23:50 - Amendment

Overview: Updated deploy workflow dependency graph based on implementation reality.

Changes:

  • task: T-016 dependencies changed from T-003, T-006, T-014 to T-003, T-014

Rationale:

  • Deploy workflow scaffolding does not require T-006 endpoint completion and can be prepared safely in advance.

2026-02-23 00:12 - T-006

Overview: Completed API read endpoints for all dashboard aggregate and detail views using Turso/Drizzle queries behind session auth checks.

Completed:

  • feat(api): implement /dashboard/overview, /dashboard/revenue, /dashboard/orders, /dashboard/programs, /dashboard/schools, and /dashboard/marketing
  • feat(api): keep existing /dashboard/students/:id and /dashboard/organizations/:id endpoints in the same authenticated route boundary
  • refactor(api): add shared query/scope helpers for unit/year/month filtering and aggregate response shaping

Decisions:

  • Closed the T-003 carry-over parity deferral for data-path migration by completing API-backed aggregate reads (dashboard no longer depends on direct runtime DuckDB reads for protected user paths).

Files:

  • @services/api/src/routes/dashboard.ts

2026-02-23 00:12 - T-007

Overview: Completed dashboard loader migration to API-backed server functions for all aggregate routes.

Completed:

  • refactor(dashboard): switch programs, marketing, and schools loaders from direct DB reads to fetchApiJson calls
  • refactor(dashboard): keep overview, revenue, orders, students, and organizations on API-backed loaders with consistent filter params
  • test(dashboard/api): pass targeted test:type, lint, and build checks for @services/dashboard and @services/api

Files:

  • @services/dashboard/src/routes/_app/index.tsx
  • @services/dashboard/src/routes/_app/revenue.tsx
  • @services/dashboard/src/routes/_app/orders.tsx
  • @services/dashboard/src/routes/_app/programs.tsx
  • @services/dashboard/src/routes/_app/schools.tsx
  • @services/dashboard/src/routes/_app/marketing.tsx
  • @services/dashboard/src/routes/_app/students.$id.tsx
  • @services/dashboard/src/routes/_app/organizations.$id.tsx
  • @services/dashboard/src/lib/api.ts

2026-02-23 00:16 - T-018

Overview: Documented GitHub deploy environment requirements, required secrets, and approval policy expectations.

Completed:

  • docs(*): add root deployment governance notes for dev/prod GitHub environments
  • docs(*): document required workflow secret (CLOUDFLARE_API_TOKEN) for all deploy workflows
  • docs(*): define production approval expectation for environment protection rules

Files:

  • README.md
  • @plan/architecture.md

2026-02-23 00:16 - T-019

Overview: Updated architecture and analytics docs to reflect Worker runtime topology and Turso-first dashboard data flow.

Completed:

  • docs(plan): update system topology to dashboard -> api -> turso and slides R2 serving model
  • docs(plan): replace outdated direct-DuckDB dashboard routing notes with API-backed routing model
  • docs(plan): clarify DuckDB mart role as report/presentation source while dashboard runtime reads from Turso

Files:

  • @plan/architecture.md
  • @plan/analytics.md

2026-02-23 00:18 - T-021 (Partial)

Overview: Ran monorepo quality gates and recorded current exception status before deployed smoke-test pass.

Completed:

  • test(*): run pnpm test:type (pass)
  • test(*): run pnpm test (pass)
  • build(*): run pnpm build (pass)
  • lint(*): run pnpm lint and document current baseline exception (@core/ai lint errors)

Open:

  • Deployed-path smoke tests for dashboard/slides login and report subpaths are not executed yet.

Files:

  • @core/ai/src/sync.ts

2026-02-23 00:33 - T-021

Overview: Completed auth and report-path smoke validation for dashboard and slides in local Worker/dev runtime.

Completed:

  • test(dashboard): verified protected route redirect to /login, successful login, and logout redirect behavior
  • test(slides): verified unauthenticated redirect on /reports/{entity}/{period}/ and authenticated access after login
  • test(slides): verified authenticated access to /reports/{entity}/{period}/, /report.pdf, and /report.pptx, then logout redirect behavior

Decisions:

  • Used local runtime ports for smoke validation because custom dev.*.atlas.prata.ma domains were not resolvable from this execution environment; local checks provide equivalent route/auth behavior coverage.

Files:

  • @services/dashboard/src/routes/login.tsx
  • @services/dashboard/src/routes/logout.tsx
  • @services/slides/src/routes/auth.ts
  • @services/slides/src/worker.ts

2026-02-23 00:37 - T-020

Overview: Updated project state to reflect Plan 011 outcomes, current rollout posture, and remaining follow-up risks.

Completed:

  • docs(plan): update @plan/state.md phase summary to Worker runtime consolidation
  • docs(plan): record @services/api service status and dashboard/slides runtime boundary changes
  • docs(plan): refresh known issues/decisions/quick links with Plan 011 and validation context

Files:

  • @plan/state.md
