From 33a68b3bf8bc0074397a2aa6ebafbb520fa2179c Mon Sep 17 00:00:00 2001
From: "s0wlz (Matthias Puchstein)"
Date: Tue, 10 Mar 2026 17:36:02 +0100
Subject: [PATCH] let codex write a start point to implement and some ci updates
---
 NEXT_STEPS.md | 111 ++++++++++++++++++++++++++++++++++++++++++++
 scripts/ci-local.sh | 1 -
 web/Dockerfile | 2 -
 3 files changed, 111 insertions(+), 3 deletions(-)
 create mode 100644 NEXT_STEPS.md
diff --git a/NEXT_STEPS.md b/NEXT_STEPS.md
new file mode 100644
index 0000000..9dca378
--- /dev/null
+++ b/NEXT_STEPS.md
@@ -0,0 +1,111 @@ +# NEXT STEPS + +This file is the implementation order from the current scaffold state. + +## 1. Start Here: Lock API contracts first + +Create a short API contract document before writing more feature code. + +1. Define request/response payloads for: + - `POST /v1/auth/register` + - `POST /v1/auth/login` + - `POST /v1/auth/refresh` + - `POST /v1/auth/logout` + - `GET/POST/PATCH/DELETE` for groups, characters, rulesets +2. Define shared error schema and status code rules. +3. Decide role model now: + - global roles (from `cm_users`) + - campaign/group roles (service/domain-level) + +Done when: +- All endpoints have stable JSON schema examples. +- Web + symbiote can be implemented against the same contract. + +## 2. Implement Auth Core in `campaign-service` + +Use `cm_users` as the auth source of truth (no extra auth service needed now). + +1. Implement registration with `argon2` password hashing. +2. Implement login with password verification. +3. Persist refresh sessions in `refresh_sessions` table. +4. Return JWT access token + refresh token flow. +5. Add middleware/helper for auth context extraction. + +Done when: +- Register/login/refresh/logout are fully working against Postgres. +- `content-service` accepts tokens issued by `campaign-service`. + +## 3. Add migration runner + startup checks + +1. Add migration execution command/process for both services. +2. Ensure services fail fast on invalid DB config. +3. Add health/readiness checks that include DB connectivity. + +Done when: +- Fresh database can be initialized and migrated with one command path. +- Service startup gives clear errors if DB/env is wrong. + +## 4. Implement `content-service` ruleset management + +1. Replace stubbed ruleset list with DB-backed queries. +2. Add create/update/deactivate ruleset endpoints. +3. Enforce auth + authorization checks. + +Done when: +- Rulesets are fully CRUD-capable with audit fields. +- API behaves correctly for authorized vs unauthorized users. 
+ +## 5. Implement `campaign-service` domain features + +1. Build group endpoints (create/list/update membership). +2. Build character endpoints and ownership rules. +3. Add campaign/group role enforcement. + +Done when: +- Core campaign management flow works end-to-end. +- Permissions are enforced at API level. + +## 6. Wire web app flows to real APIs + +1. Replace placeholder UI interactions with real API calls. +2. Implement login/logout/session refresh UX. +3. Add basic error handling and loading states for all core pages. + +Done when: +- User can sign in, manage rulesets, groups, and characters through the web app. + +## 7. Integrate symbiote MVP + +1. Implement token/bootstrap handoff strategy from campaign backend. +2. Add minimal read/use flow needed inside TaleSpire. +3. Validate it with real campaign and ruleset data. + +Done when: +- Symbiote performs one complete gameplay-relevant flow against live backend data. + +## 8. Testing and CI hardening + +1. Add integration tests for auth flows and permission checks. +2. Add API-level tests for rulesets/groups/characters. +3. Keep `pnpm ci:local` green and mirror same checks in Woodpecker. + +Done when: +- Critical flows are covered by automated tests. +- CI failures are actionable and reproducible locally. + +## 9. Kubernetes readiness pass + +1. Add production env var matrix and secret mapping. +2. Add image/tag strategy for first release pinning. +3. Add readiness/liveness probes and resource requests/limits. + +Done when: +- Services can be deployed to your cluster with the same topology as local dev. + +## Suggested first implementation chunk (next PR) + +1. Contract doc for auth + rulesets. +2. Full register/login/refresh/logout in `campaign-service`. +3. `content-service` token validation test against real JWT secret. + +If you do only one thing first, do auth end-to-end; everything else depends on it. diff --git a/scripts/ci-local.sh b/scripts/ci-local.sh index dcb9611..d33dcd9 100755 
--- a/scripts/ci-local.sh
+++ b/scripts/ci-local.sh
@@ -1,7 +1,6 @@
 #!/usr/bin/env sh
 set -eu
-corepack enable
 pnpm install --frozen-lockfile
 pnpm build:web
diff --git a/web/Dockerfile b/web/Dockerfile
index cc087c6..99393d4 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -2,8 +2,6 @@
 FROM node:current-alpine
 WORKDIR /app
-RUN corepack enable
-
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./
 COPY web ./web
 COPY rulesets ./rulesets