mcias/PROGRESS.md

# MCIAS Progress

Source of truth for current development state.

---

## Current Status: Phase 0 — Repository Bootstrap

### Completed

- [x] CLAUDE.md — project conventions and constraints
- [x] .golangci.yaml — linter configuration
- [x] PROJECT.md — project specifications
- [x] ARCHITECTURE.md — technical design document (token lifecycle, session
      management, multi-app trust boundaries, database schema)
- [x] PROJECT_PLAN.md — discrete implementation steps with acceptance criteria
- [x] PROGRESS.md — this file

### In Progress

- [ ] Step 0.1: Go module and dependency setup (`go.mod`, `go get`)
- [ ] Step 0.2: `.gitignore`

### Up Next

- Phase 1: Foundational packages (`internal/model`, `internal/config`,
  `internal/crypto`, `internal/db`)

---

## Implementation Log

### 2026-03-11

- Wrote ARCHITECTURE.md covering:
  - Security model and threat model
  - Cryptographic primitive choices with rationale
  - Account model (human + system accounts, roles, lifecycle)
  - Token lifecycle (issuance, validation, renewal, revocation flows)
  - Session management approach (stateless JWT + revocation table)
  - Multi-app trust boundaries
  - REST API design (all endpoints)
  - Database schema (SQLite, all tables with indexes)
  - TLS configuration
  - TOML configuration format
  - Package/directory structure
  - Error handling and logging conventions
  - Audit event catalog
  - Operational considerations

- Wrote PROJECT_PLAN.md with 5 phases, 12 steps, each with specific
  acceptance criteria.

---

## Notes / Decisions

- SQLite driver: using `modernc.org/sqlite` (pure Go, no CGo dependency).
  This simplifies cross-compilation and removes the need for a C toolchain.
- JWT library: `github.com/golang-jwt/jwt/v5`. The `alg` header validation
  is implemented manually before delegating to the library to ensure the
  library's own algorithm dispatch cannot be bypassed.
- No ORM. All database access via the standard `database/sql` interface with
  prepared statements.