docs

2026-01-11 14:42:54 +01:00
parent 2f0b83f030
commit 90b6e73a22
27 changed files with 980 additions and 2513 deletions
--- a/docs/architecture/website/WEBSITE_AUTH_FLOW.md
+++ b/docs/architecture/website/WEBSITE_AUTH_FLOW.md
@@ -0,0 +1,46 @@
+# Authentication UX Flow (Website)
+
+This document defines how the website handles authentication from a UX perspective.
+
+Shared contract:
+
+- [`docs/architecture/shared/AUTH_CONTRACT.md`](docs/architecture/shared/AUTH_CONTRACT.md:1)
+
+Authoritative website contract:
+
+- [`docs/architecture/website/WEBSITE_CONTRACT.md`](docs/architecture/website/WEBSITE_CONTRACT.md:1)
+
+## 1) Website role (strict)
+
+The website:
+
+- redirects unauthenticated users to login
+- hides or disables UI based on best-effort session knowledge
+
+The website does not enforce security.
+
+## 2) Canonical website flow
+
+```text
+Request
+  ↓
+Website routing
+  ↓
+API requests with credentials
+  ↓
+API enforces authentication and authorization
+  ↓
+Website renders result or redirects
+```
+
+## 3) Non-negotiable rules
+
+1. The website MUST NOT claim authorization.
+2. The website MUST NOT trust client state for enforcement.
+3. Every write still relies on the API to accept or reject.
+
+Related:
+
+- Website blockers: [`docs/architecture/website/BLOCKERS.md`](docs/architecture/website/BLOCKERS.md:1)
+- Client state rules: [`docs/architecture/website/CLIENT_STATE.md`](docs/architecture/website/CLIENT_STATE.md:1)
+