# PROGRESS.md — eng-pad-server Implementation Progress

This file tracks completed work and decisions. Updated after every step.
See PROJECT_PLAN.md for the full step list.

## Completed

### Phase 0: Project Setup (2026-03-24)
- Go module, Makefile, .golangci.yaml, .gitignore, example config

### Phase 1: Database + Config (2026-03-24)
- TOML config loading with validation
- SQLite with WAL/FK/busy_timeout, schema migrations (7 tables + indexes)
- 4 tests: open+migrate, idempotent, foreign keys, cascade delete

### Phase 2: Auth — Password (2026-03-24)
- Argon2id hashing/verification, bearer tokens (SHA-256 hashed storage)
- User creation and authentication
- 6 tests

### Phase 3: CLI (2026-03-24)
- Cobra CLI: init, server, snapshot, status commands

### Phase 4: gRPC Sync Service (2026-03-24)
- Proto definitions, generated Go code
- Auth interceptor (username/password from metadata)
- SyncNotebook (upsert in tx), DeleteNotebook, ListNotebooks
- Share link RPCs: CreateShareLink, RevokeShareLink, ListShareLinks
- gRPC server with TLS 1.3

### Phase 5: Rendering (2026-03-24)
- SVG: strokes → path elements with dashed/arrow support
- JPG: 300 DPI rasterization via Go image package
- PDF: minimal raw PDF generation (no external library)
- 6 tests

### Phase 6: REST API (2026-03-24)
- chi router with TLS, auth middleware (bearer/cookie)
- Login endpoint, notebook/page endpoints, rendering endpoints
- Share link endpoints (no auth)

### Phase 7: Share Links (2026-03-24)
- Token generation, validation, revocation, listing
- Expiry enforcement
- 4 tests, fixed expiry check bug

### Phase 8: Web UI (2026-03-24)
- HTML templates: layout, login, notebook list, notebook view, page viewer
- Web server with embedded templates, session auth
- Share link views, server command wiring, graceful shutdown

### Phase 9: FIDO2/U2F (2026-03-24)
- WebAuthn integration via go-webauthn/webauthn
- Credential CRUD, user lookup by credential ID

### Phase 10: Deployment (2026-03-24)
- Dockerfile (multi-stage, non-root alpine)
- systemd units (service, backup oneshot, daily timer)
- Install script (user, dirs, config, units)

## In Progress

Phase 11: Android App Sync Integration (in eng-pad repo)

## Decisions

- **Language**: Go (Metacircular standard)
- **Database**: SQLite via modernc.org/sqlite (pure Go, no CGo)
- **Auth**: Argon2id passwords + FIDO2/U2F via go-webauthn/webauthn
- **gRPC auth**: username/password in metadata per-request (no tokens)
- **Web auth**: password → bearer token in session cookie
- **Rendering**: SVG for web viewing, JPG/PDF for export
- **Sync model**: full notebook replacement (upsert), no incremental sync
- **Share links**: 32-byte random token, optional expiry, scoped to notebook
- **Grid**: not rendered server-side (tablet writing aid only)
- **Coordinate system**: 300 DPI canonical, scaled to 72 DPI for SVG/PDF
- **FIDO2/U2F**: web UI login only, not gRPC sync
- **Server is read-only**: mirrors tablet exactly, no content modification