# PROJECT_PLAN.md — eng-pad-server Implementation Steps

This file tracks all implementation steps. Check off steps as they are
completed and log them in PROGRESS.md.

## Phase 0: Project Setup

- [ ] 0.1: Initialize Go module (`git.wntrmute.dev/kyle/eng-pad-server`)
- [ ] 0.2: Create Makefile with standard targets
- [ ] 0.3: Configure `.golangci.yaml`
- [ ] 0.4: Create `.gitignore`
- [ ] 0.5: Create example config `deploy/examples/eng-pad-server.toml`
- **Verify:** `make build`

## Phase 1: Database + Config

- [ ] 1.1: TOML config loading
  - `internal/config/config.go`
- [ ] 1.2: SQLite database setup (WAL, foreign keys, busy timeout)
  - `internal/db/db.go`
- [ ] 1.3: Schema migrations (users, notebooks, pages, strokes, share_links, webauthn_credentials)
  - `internal/db/migrations.go`
- [ ] 1.4: Unit tests for migrations
- **Verify:** `make test`

## Phase 2: Auth — Password

- [ ] 2.1: Argon2id password hashing + verification
  - `internal/auth/argon2.go`
- [ ] 2.2: Bearer token generation, storage, validation
  - `internal/auth/tokens.go`
- [ ] 2.3: User creation (for `init` command)
- [ ] 2.4: Unit tests for auth
- **Verify:** `make test`

## Phase 3: CLI

- [ ] 3.1: Cobra CLI scaffold
  - `cmd/eng-pad-server/main.go`
- [ ] 3.2: `init` command — create DB, prompt for admin user
  - `cmd/eng-pad-server/init.go`
- [ ] 3.3: `server` command — start gRPC + REST + web servers
  - `cmd/eng-pad-server/server.go`
- [ ] 3.4: `snapshot` command — VACUUM INTO backup
- [ ] 3.5: `status` command — health check
- **Verify:** `make all && ./eng-pad-server init`

## Phase 4: gRPC Sync Service

- [ ] 4.1: Proto definitions
  - `proto/engpad/v1/sync.proto`
- [ ] 4.2: Generate Go code
  - `make proto`
- [ ] 4.3: gRPC server setup with TLS
  - `internal/grpcserver/server.go`
- [ ] 4.4: Auth interceptor (username/password from metadata)
  - `internal/grpcserver/interceptors.go`
- [ ] 4.5: SyncNotebook handler (upsert: delete + re-insert)
  - `internal/grpcserver/sync.go`
- [ ] 4.6: DeleteNotebook handler
- [ ] 4.7: ListNotebooks handler
- [ ] 4.8: Unit tests for sync
- **Verify:** `make test` + manual gRPC test with `grpcurl`

## Phase 5: Rendering

- [ ] 5.1: SVG rendering — strokes to SVG path elements
  - `internal/render/svg.go`
- [ ] 5.2: JPG rendering — rasterize page at 300 DPI
  - `internal/render/jpg.go`
- [ ] 5.3: PDF rendering — notebook to multi-page PDF
  - `internal/render/pdf.go`
- [ ] 5.4: Unit tests — verify SVG output, JPG dimensions, PDF page count
- **Verify:** `make test`

## Phase 6: REST API

- [ ] 6.1: chi router setup with TLS
  - `internal/server/server.go`, `routes.go`
- [ ] 6.2: Auth middleware (bearer token validation)
  - `internal/server/middleware.go`
- [ ] 6.3: Login endpoint
  - `internal/server/auth.go`
- [ ] 6.4: Notebook/page endpoints (JSON metadata)
  - `internal/server/notebooks.go`
- [ ] 6.5: Rendering endpoints (SVG, JPG, PDF)
- [ ] 6.6: Unit tests for API
- **Verify:** `make test` + manual curl

## Phase 7: Share Links

- [ ] 7.1: Token generation + storage
  - `internal/share/share.go`
- [ ] 7.2: gRPC RPCs — CreateShareLink, RevokeShareLink, ListShareLinks
  - `internal/grpcserver/share.go`
- [ ] 7.3: REST endpoints — /s/:token routes
- [ ] 7.4: Expiry enforcement (check on access, periodic cleanup)
- [ ] 7.5: Unit tests
- **Verify:** `make test`

## Phase 8: Web UI

- [ ] 8.1: Template skeleton — layout.html, navigation
  - `web/templates/layout.html`
- [ ] 8.2: Login page (password + WebAuthn)
  - `web/templates/login.html`
- [ ] 8.3: Notebook list page
  - `web/templates/notebooks.html`
- [ ] 8.4: Notebook view page (page grid with SVG thumbnails)
  - `web/templates/notebook.html`
- [ ] 8.5: Page viewer (embedded SVG, export buttons)
  - `web/templates/page.html`
- [ ] 8.6: Shared notebook/page views (same templates, no auth chrome)
- [ ] 8.7: Web server setup + embed
  - `internal/webserver/`, `web/embed.go`
- **Verify:** manual browser test

## Phase 9: FIDO2/U2F (WebAuthn)

- [ ] 9.1: WebAuthn integration with `go-webauthn/webauthn`
  - `internal/auth/webauthn.go`
- [ ] 9.2: Registration endpoints (begin/finish)
- [ ] 9.3: Login endpoints (begin/finish)
- [ ] 9.4: Key management UI (list keys, add key, remove key)
- [ ] 9.5: Unit tests
- **Verify:** manual test with security key

## Phase 10: Deployment

- [ ] 10.1: Dockerfile (multi-stage, non-root)
- [ ] 10.2: systemd units (service, backup timer)
  - `deploy/systemd/`
- [ ] 10.3: Install script
  - `deploy/scripts/install.sh`
- [ ] 10.4: Graceful shutdown (SIGINT/SIGTERM)
- **Verify:** `make docker && docker run`

## Phase 11: Android App Sync Integration

_(Implemented in the eng-pad repo, not here)_

- [ ] 11.1: gRPC client dependency (protobuf-lite)
- [ ] 11.2: SyncClient.kt — gRPC channel + stub
- [ ] 11.3: SyncManager.kt — serialize notebook to proto, call sync
- [ ] 11.4: Sync settings screen (server URL, username, password)
- [ ] 11.5: Notebook overflow menu — "Sync to server"
- [ ] 11.6: Library — "Sync all" button
- [ ] 11.7: Sync status indicator on notebook cards