security hardening + drafts/attachments

2026-02-21 19:10:56 -05:00
parent 1dc99eb681
commit a0105956e4
35 changed files with 4928 additions and 0 deletions
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -0,0 +1,38 @@
+# DEVELOPMENT — Mastermind MVP
+
+## Web app
+- Entry point: `web/src/index.js`
+- Views: `web/src/views/*.ejs`
+
+## Database
+Schema is created/altered on startup (MVP style) in `ensureSchema()`.
+
+Tables of interest:
+- `users`, `identities` — auth + multi-provider identities
+- `audit_logs` — append-only audit trail
+- `projects`, `project_members` — project profiles + membership
+- `ingested_emails` — unified inbox store (upload now, OAuth later)
+- `email_connectors` — gmail/microsoft status rows
+- `email_rules` — sorting/assignment rules
+
+## Audit logging convention
+Use:
+```js
+await audit(req, 'namespace.action', { targetType, targetId, metadata })
+```
+
+Examples:
+- `auth.login_success`
+- `admin.user_created`
+- `project.created`
+- `inbox.email_imported`
+
+## Adding a new feature (pattern)
+1) Add DB table/column in `ensureSchema()`
+2) Add routes in `web/src/index.js`
+3) Add views in `web/src/views/`
+4) Log all state changes to `audit_logs`
+
+## Worker
+- `worker/src/worker.js` is a placeholder loop.
+- Later it will pull from connectors, OCR, classify, and run rule assignment.