Docs: Bump constitution to v1.2.0 — reflect JWT auth completion

Phase 2 (JWT bearer) is shipped; update §2.4 phase status, add PyJWT
to §6 tech stack table, remove username/password from §8 out-of-scope.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 19:17:18 +00:00
parent 86961d19ee
commit 5179786261


@@ -1,7 +1,7 @@
<!-- <!--
SYNC IMPACT REPORT SYNC IMPACT REPORT
================== ==================
Version change: 1.1.0 → 1.1.1 Version change: 1.1.1 → 1.2.0
Ratified: 2026-05-01 | Last amended: 2026-05-03 Ratified: 2026-05-01 | Last amended: 2026-05-03
Principles introduced (first population from docs/CONSTITUTION.md): Principles introduced (first population from docs/CONSTITUTION.md):
@@ -82,14 +82,14 @@ or SDK-specific types directly — only the interface contract.
### 2.4 Auth abstraction (progressive) ### 2.4 Auth abstraction (progressive)
Authentication is treated as a pluggable backend from day one, even though Authentication is treated as a pluggable backend from day one. The API MUST
Phase 1 ships with no auth. The API MUST route all request-identity resolution route all request-identity resolution through a single `AuthProvider` interface.
through a single `AuthProvider` interface. The no-op provider (Phase 1) returns Each phase introduces a new provider implementation; no phase rewrites business
a static anonymous identity. Adding username/password or OIDC in a later phase logic already behind the interface.
MUST be a new provider implementation, not a rewrite of business logic.
**Phase 1 implements: no-auth (localhost only).** **Phase 1 — no-auth (NoOpAuthProvider): complete.**
**Planned phases: username/password, then OIDC.** **Phase 2 — JWT bearer token (JWTAuthProvider, HS256, single owner): complete.**
**Phase 3 — OIDC: planned.**
The constitution acknowledges all three; the spec governs which is built. The constitution acknowledges all three; the spec governs which is built.
### 2.5 Database abstraction ### 2.5 Database abstraction
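Review bot: The rewritten Phase 1 status line in §2.4 drops the "(localhost only)" qualifier that the old line carried, and the sentence saying the no-op provider returns a static anonymous identity is removed as well, so the constitution no longer records that NoOpAuthProvider is restricted to localhost. Suggest putting ", localhost only" back inside the NoOpAuthProvider parenthesis, and adding a sentence on which provider is the default now that Phase 2 is marked complete, so a deployment cannot be read as compliant while still running the no-op provider on a reachable interface.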
@@ -206,6 +206,7 @@ NOT be marked complete while CI is failing.
| ORM / query | SQLAlchemy 2.x (async) + asyncpg driver | Repository layer owns all queries | | ORM / query | SQLAlchemy 2.x (async) + asyncpg driver | Repository layer owns all queries |
| DB migrations | Alembic | Schema changes tracked in version control | | DB migrations | Alembic | Schema changes tracked in version control |
| Object storage | S3-compatible via `boto3` / `aiobotocore` | Swap MinIO ↔ S3 via env config | | Object storage | S3-compatible via `boto3` / `aiobotocore` | Swap MinIO ↔ S3 via env config |
| Auth tokens | PyJWT (HS256) | Lightweight; compatible with OIDC migration path |
| UI framework | Angular (latest stable) | Job-relevant, learning goal | | UI framework | Angular (latest stable) | Job-relevant, learning goal |
| UI language | TypeScript strict mode | No `any`, no implicit types | | UI language | TypeScript strict mode | No `any`, no implicit types |
| Containerisation | Docker + Docker Compose | Local dev must start with one command | | Containerisation | Docker + Docker Compose | Local dev must start with one command |
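Review bot: The new Auth tokens row names the algorithm but says nothing about key handling: HS256 is a shared-secret scheme, and the row does not state where the secret comes from or that verification accepts only HS256. The Object storage row just above records its env-config switch; suggest a comparable note here (secret supplied via environment config, algorithm pinned on decode). The "compatible with OIDC migration path" rationale would also be clearer with a clause on what changes at Phase 3, since OIDC providers normally sign tokens with asymmetric keys rather than a shared secret.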
@@ -244,7 +245,6 @@ revised:
- Image editing or transformation beyond thumbnail generation - Image editing or transformation beyond thumbnail generation
- OR/NOT tag logic - OR/NOT tag logic
- Mobile-native app - Mobile-native app
- Username/password auth (planned Phase 2)
- OIDC auth (planned Phase 3) - OIDC auth (planned Phase 3)
--- ---
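Review bot: Removing "Username/password auth (planned Phase 2)" from the out-of-scope list leaves §8 silent on password login, while §2.4 in this same commit describes Phase 2 as a JWT bearer token for a single owner and never mentions usernames or passwords. Suggest either stating in §2.4 how the owner obtains a token, or replacing the removed bullet with one that says what remains out of scope (for example multi-user accounts), so the scope boundary stays explicit.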
@@ -283,7 +283,8 @@ Phase 1 design is complete.
| 1.1.0 | 2026-05-01 | asyncpg driver explicit; SHA-256 deduplication added to data model; deduplication removed from out-of-scope | | 1.1.0 | 2026-05-01 | asyncpg driver explicit; SHA-256 deduplication added to data model; deduplication removed from out-of-scope |
| 1.1.0 | 2026-05-02 | Adopted into Spec Kit memory; fixed duplicate §4.3 → §4.4; strengthened "should" language to MUST/MUST NOT; added §9 Governance | | 1.1.0 | 2026-05-02 | Adopted into Spec Kit memory; fixed duplicate §4.3 → §4.4; strengthened "should" language to MUST/MUST NOT; added §9 Governance |
| 1.1.1 | 2026-05-03 | Clarify that the only acceptable form of image transformation or editing is thumbnail generation | | 1.1.1 | 2026-05-03 | Clarify that the only acceptable form of image transformation or editing is thumbnail generation |
| 1.2.0 | 2026-05-03 | §2.4: Mark Phase 2 (JWT bearer auth) complete, reword phase status; §6: Add PyJWT to tech stack table; §8: Remove username/password auth from out-of-scope (now shipped) |
--- ---
**Version**: 1.1.1 | **Ratified**: 2026-05-01 | **Last Amended**: 2026-05-03 **Version**: 1.2.0 | **Ratified**: 2026-05-01 | **Last Amended**: 2026-05-03
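Review bot: The 1.2.0 changelog row ends with "Remove username/password auth from out-of-scope (now shipped)", which reads as if username/password auth shipped, whereas the first half of the same row and §2.4 say the shipped feature is JWT bearer auth. Suggest rewording the parenthetical to say the planned username/password phase was replaced by JWT bearer, so the history matches the phase list.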