Skip to content

[Phase 1] Base Application Foundation β€” Multi-tenancy, Auth, API & PWA SkeletonΒ #1

Description

@CodinginID

πŸ—οΈ Phase 1 β€” Base Application Foundation

Epic tracking untuk fondasi aplikasi netra (SaaS multi-tenant face-recognition attendance). Issue ini mengkonsolidasikan seluruh pekerjaan dasar sebelum masuk ke fitur recognition/liveness. Berbasis PRD v1.0 (Sprint 1: Fondasi & multi-tenancy).

🎯 Keputusan teknis (terkunci)

  • Backend: FastAPI (Python)
  • Database: PostgreSQL + pgvector
  • Engine recognition: InsightFace buffalo_s (small) via ONNX Runtime (CPU), embedding 512-d
  • Liveness: Silent-Face (pasif) + MediaPipe FaceMesh (aktif) β€” implementasi di fase berikutnya
  • Frontend: PWA (satu basis kode)
  • Kiosk offline mode: ❌ tidak perlu di v1
  • ⏳ Item terbuka: Identity server (Keycloak vs Authentik), residensi data & infra

πŸ“¦ Scope checklist β€” Base Application

A. Project Setup & Tooling

  • [SETUP-1] Struktur monorepo: backend/ (FastAPI) + ui/ (PWA) + docs/ + docker/
  • [SETUP-2] Backend scaffold FastAPI: layout hexagonal/clean (domain, application, adapter, infrastructure), pyproject.toml/requirements.txt, uv/poetry
  • [SETUP-3] Konfigurasi via env (pydantic-settings): DB URL, secret keys, CORS, environment flags
  • [SETUP-4] Linting & format: ruff + black + mypy; pre-commit hooks
  • [SETUP-5] Testing harness: pytest + pytest-asyncio + httpx test client; coverage baseline
  • [SETUP-6] .gitignore, README.md, .env.example, CHANGELOG.md

B. Database & Multi-Tenancy Core

  • [DB-1] Setup PostgreSQL + ekstensi pgvector; koneksi async (SQLAlchemy 2.0 / asyncpg)
  • [DB-2] Migrasi via Alembic; baseline migration
  • [DB-3] Skema inti (semua ber-tenant_id): tenants, users, face_embeddings(vector 512), schedules, attendance_records, devices, sso_connections, audit_logs
  • [DB-4] Row-Level Security (RLS) PostgreSQL per tenant_id β€” isolasi ketat antar tenant, set app.current_tenant per request
  • [DB-5] Tenant context middleware: resolve tenant dari token/subdomain β†’ inject ke session DB
  • [DB-6] Index & constraint: unique (tenant_id, external_id) pada users, ivfflat/hnsw index untuk pgvector

C. Identity & Auth (fondasi, SSO penuh di Phase 2)

  • [AUTH-1] Model peran berjenjang: Super Admin (platform) + Tenant Admin / Supervisor-HR / End User / Kiosk (tenant)
  • [AUTH-2] Login internal milik sendiri (username/password, hashing argon2/bcrypt) untuk tenant tanpa SSO korporat
  • [AUTH-3] JWT issue/verify + refresh; klaim tenant_id, role, external_id
  • [AUTH-4] Guard/dependency RBAC per endpoint (platform-level vs tenant-level)
  • [AUTH-5] Device token untuk akun Kiosk (terdaftar ke tenant, mode 1:N) β€” skeleton

D. Tenant Management & Onboarding

  • [TENANT-1] CRUD tenant oleh Super Admin: create / suspend / reactivate
  • [TENANT-2] Ruang konfigurasi per tenant: branding, aturan absensi (skeleton), daftar kiosk
  • [TENANT-3] Onboarding: buat Tenant Admin pertama + panduan konfigurasi awal
  • [TENANT-4] Provisioning user awal: impor data + field external_id (NIS/NIM/NIK)

E. API Foundation & Observability

  • [API-1] Struktur router versioned /api/v1, OpenAPI/Swagger auto-doc
  • [API-2] Error handling terstandarisasi + response envelope konsisten
  • [API-3] GET /health (status DB + readiness) untuk reverse proxy & uptime monitor
  • [API-4] Structured logging (JSON) dengan tenant_id + request_id di context
  • [API-5] Audit log writer (siapa, aksi, kapan, tenant) β†’ tabel audit_logs

F. PWA Frontend Skeleton

  • [UI-1] Scaffold PWA (manifest, service worker, installable); routing dasar
  • [UI-2] Halaman login internal + simpan sesi/token
  • [UI-3] Shell dashboard Tenant Admin (nav + layout, halaman kosong)
  • [UI-4] Shell dashboard Super Admin (daftar tenant)
  • [UI-5] State auth + guard route berbasis peran

G. DevOps & Compliance Baseline

  • [OPS-1] docker-compose dev: Postgres+pgvector, backend, (placeholder identity server)
  • [OPS-2] Dockerfile multi-stage backend (slim, no dev deps)
  • [OPS-3] CI pipeline (GitHub Actions): lint + typecheck + test pada PR
  • [OPS-4] Skeleton consent biometrik (UU PDP): model consent + endpoint capture persetujuan
  • [OPS-5] Enkripsi field sensitif at-rest (embedding & external_id NIK) β€” desain & util

βœ… Definition of Done (Phase 1)

  • Multi-tenant berjalan dengan RLS terverifikasi (tenant A tidak bisa lihat data tenant B)
  • Login internal + RBAC berfungsi; Super Admin bisa onboard tenant baru
  • Skema lengkap termigrasi; pgvector siap menyimpan embedding
  • /health hijau, CI hijau (lint + test), docker-compose dev jalan
  • PWA shell terpasang & installable, dashboard skeleton tampil per peran

πŸ“‹ Catatan

  • Recognition (verify/identify), enrollment wajah, liveness, mesin aturan, pelaporan, dan webhook TIDAK termasuk Phase 1 β€” akan dipecah ke epic Phase 2+ sesuai roadmap PRD (Sprint 2–8).
  • Item terbuka (Keycloak vs Authentik, residensi data) harus diputuskan sebelum/awal Phase 2 (Identitas & SSO).

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestepicLarge bulk tracking issuephase:1-foundationPhase 1: Base application foundation & multi-tenancy

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions