update

doc/core/authentication/features.md

@@ -0,0 +1,6 @@
+- authentication
+	- "who are you?"
+	- password hashing with argon2
+	- JWT (15 min access) with refresh (30 days)
+	- identity dependencies (current_user_claims, optional_user, get_current_user_id, oauth2_scheme)
+	- room for growth: OAuth/SSO, API-tokens for third-party apps, 2FA, refresh-token rotation, impersonation

doc/core/authentication/specs.md

@@ -0,0 +1 @@
+- authentication.py

doc/core/authorization/features.md

@@ -0,0 +1,4 @@
+- authorization
+	- "what are you allowed to do?"
+	- role checks (require_admin today)
+	- room for growth: require_role, require_permission, per-resource checks (owner-of), B2B approval workflows, per-app permissions for marketplace apps

doc/core/authorization/specs.md

@@ -0,0 +1 @@
+- authorization.py

doc/core/cache/features.md

@@ -0,0 +1,5 @@
+- cache
+	- shared read-store / cache client (Redis today)
+	- backend writes, frontend reads
+	- apps keep the cache in sync via event handlers (projectors), not the core client
+	- room for growth: CacheProvider abstraction so the read-store becomes swappable

doc/core/cache/specs.md

@@ -0,0 +1 @@
+- cache.py

doc/core/config/features.md

@@ -0,0 +1,2 @@
+- config
+	- read .env into Settings object

doc/core/config/specs.md

@@ -0,0 +1 @@
+- config.py

doc/core/db/features.md

@@ -0,0 +1,4 @@
+- db
+	- base setup for ORM
+	- use SQLAlchemy
+	- provide get_db() dependency

doc/core/db/specs.md

@@ -0,0 +1 @@
+- db.py

doc/core/di/features.md

@@ -0,0 +1,3 @@
+- di
+	- global register for services
+	- no direct service import between apps

doc/core/di/specs.md

@@ -0,0 +1 @@
+- di.py

doc/core/events/features.md

@@ -0,0 +1,5 @@
+- events
+	- apps can react on events
+	- apps can emit events
+	- events persist in db (audit/replay)
+	- allow wildcard subscribe (e.g. product.*)

doc/core/events/specs.md

@@ -0,0 +1 @@
+- events.py

doc/core/i18n/features.md

@@ -0,0 +1,2 @@
+- i18n
+	- internationalisation helper for DE/EN text fields

doc/core/i18n/specs.md

@@ -0,0 +1 @@
+- i18n.py

doc/core/loader/features.md

@@ -0,0 +1,6 @@
+- loader
+	- load apps as python module
+	- discover apps/*/manifest.yaml
+	- order by app dependency (topological sort), circles not allowed
+	- check for conflicts
+	- mount each app router under /api/<app>

doc/core/loader/specs.md

@@ -0,0 +1 @@
+- loader.py

doc/core/main/features.md

@@ -0,0 +1,5 @@
+- main
+	- entrypoint for backend
+	- build fastAPI
+	- run loader on lifespan startup
+	- expose /health and core settings routes

doc/core/main/specs.md

@@ -0,0 +1 @@
+- main.py

doc/core/middleware/features.md

@@ -0,0 +1,4 @@
+- middleware
+	- central place to install FastAPI middlewares (install_middlewares(app))
+	- today: CORS (allowed origins from .env)
+	- room for growth: request-id, access logging, rate-limit, security headers (HSTS/CSP), compression

doc/core/middleware/specs.md

@@ -0,0 +1 @@
+- middleware.py

doc/core/migrations/features.md

@@ -0,0 +1,5 @@
+- migrations
+	- orchestrator (migrations.py): discover per-app migration folders (apps/<name>/migrations/), configure alembic version_locations dynamically, coordinate multi-head merging
+	- startup check: fail fast if schema is not up to date
+	- migrations/ directory: alembic version store (today still holds all migrations centrally; per-app folders are the target state)
+	- use alembic

doc/core/migrations/specs.md

@@ -0,0 +1,2 @@
+- migrations.py
+- migrations/ (Alembic version store)

doc/core/seed/features.md

@@ -0,0 +1,2 @@
+- seed
+	- demo data (admin, demo customer, categories, products)

doc/core/seed/specs.md

@@ -0,0 +1 @@
+- seed.py

doc/core/settings/features.md

@@ -0,0 +1,6 @@
+- settings
+	- key-value store for shop settings (runtime-changeable, e.g. shop_name, currency)
+	- postgres is source of truth
+	- mirrored to redis on write
+	- emits core.settings_updated event
+	- distinct from config (which only reads .env infrastructure values)

doc/core/settings/specs.md

@@ -0,0 +1 @@
+- settings.py