Complete OAuth-based authentication with JWT session management:

Core Services:
- JWT service for access/refresh token creation and verification
- Token store with Redis-backed refresh token revocation
- User service for CRUD operations and OAuth-based creation
- Google and Discord OAuth services with full flow support

API Endpoints:
- GET /api/auth/{google,discord} - Start OAuth flows
- GET /api/auth/{google,discord}/callback - Handle OAuth callbacks
- POST /api/auth/refresh - Exchange refresh token for new access token
- POST /api/auth/logout - Revoke single refresh token
- POST /api/auth/logout-all - Revoke all user sessions
- GET/PATCH /api/users/me - User profile management
- GET /api/users/me/linked-accounts - List OAuth providers
- GET /api/users/me/sessions - Count active sessions

Infrastructure:
- Pydantic schemas for auth/user request/response models
- FastAPI dependencies (get_current_user, get_current_premium_user)
- OAuthLinkedAccount model for multi-provider support
- Alembic migration for oauth_linked_accounts table

Dependencies added: email-validator, fakeredis (dev), respx (dev)

84 new tests, 1058 total passing
Technical architecture overview covering frontend (Vue+Phaser), backend (FastAPI), database schema, real-time communication, game engine design, and offline fork considerations.
GAME_RULES.md
Game rules document defining campaign structure, base ruleset, energy system, deck building, win conditions, turn structure, card types, and status conditions.
Legacy Documentation
Historical documents from completed development phases, preserved for reference.
| File | Description |
| --- | --- |
| legacy/SYSTEM_REVIEW.md | Comprehensive code review of the core game engine (Jan 2026). Identified 15 issues across models, effects, and engine - all resolved. 826 tests passing. |
| legacy/PROJECT_PLAN_ENERGY_EVOLUTION.md | Implementation plan for energy/tool attachment refactor and evolution stack system. Changed attached_energy/attached_tools from list[str] to list[CardInstance]. Completed Jan 2026. |