Skip to main content

Implementation status (monorepo) — interim backlog mirror

Until Jira project MEL is the system of record, this file tracks which user stories in 07-epics-and-user-stories.md have partial or complete implementation in the ghasi-melmastoon implementation monorepo (sibling of this documentation repo, e.g. D:\GhasiTech\ghasi-melmastoon).
The canonical acceptance criteria stay in §7 of the master doc; this file only states what shipped in code and what is still open.

Last updated: 2026-04-23
Owner: update this file in the same PR or follow-up as any merge that changes story-relevant behaviour (same rule will apply once Jira sync is enabled).

Status legend

StatusMeaning
Not startedNo implementation work mapped to this story (default; most of the 161 stories). Omitted from the tables below.
In progressAt least one acceptance criterion is met in the monorepo; others remain.
BlockedDepends on external dependency or an explicit deferral (e.g. Cloud KMS wiring).
DoneAll ACs in the master doc are satisfied by automated tests + integration paths. None of the tracked stories below are Done yet.

Stories with implementation touchpoints

US-MEL-0001 — Owner self-signup with verified email & SMS (EP-MEL-01)

StatusIn progress
ImplementedPassword policy and POST /api/v1/auth/register on iam-service (202, Idempotency-Key, spec-shaped body); transactional outbox + melmastoon.iam.user.registered.v1; idempotent replay; email-uniqueness conflict path; web-tenant-booking server route proxies to iam-service with tenant from middleware (browser cannot spoof tenant).
Not yetOTP email/SMS confirmation, breach check, geo/sanctions gate, Tenant(plan=trial) creation, Pact/E2E as in story Test types line.
Evidence (monorepo)services/iam-service/, apps/web-tenant-booking/src/app/api/auth/register/, packages/contracts/openapi/iam-service.openapi.yaml
NotesWave 5.0 realignment + register slice; Wave 5.1 does not complete this story (see US-MEL-0126 for JWT stack).

US-MEL-0126 — JWT issuance & rotation (EP-MEL-17)

StatusIn progress
ImplementedEd25519 access-token signing contract (TokenSigner), file-backed LocalEd25519Signer (dev/test), KmsAsymmetricSigner scaffold (prod path; GCP client not wired yet — Blocked for production signing until infra batch), GET /.well-known/jwks.json, opaque refresh token generator (rft_… + sha256), iam.sessions table + migration per data model, env contract for iss/aud/TTL.
Not yetAC1 — no /auth/login yet (no access+refresh pair issued on sign-in). AC2 — refresh rotation, reuse detection, session family revoke. AC3 — logout / revoke-all.
Evidence (monorepo)services/iam-service/src/infrastructure/crypto/, .../interface/http/jwksController.ts, .../migrations/0002_sessions.sql, planning/wave-audits/wave-04-spec-deviations.md §0.1
NotesWave 5.1 lands signing + storage + JWKS; Wave 5.2 is the planned slice for login/refresh/logout and full AC coverage.

Engineering milestones (not 1:1 with a single story)

These are vertical-slice / wave deliveries; link them to stories above where relevant.

MilestoneSummaryMonorepo reference
Wave 5.0Spec realignment: register route, BFF no-auth, outbox shape, OpenAPI, web→iam routingplanning/wave-audits/wave-04-spec-deviations.md
Wave 5.1IAM JWT signing primitives, JWKS, sessions DDL, D-13 response consistency.cursor/INDEX.md (Wave 5.1 block), same deviation doc §0.1
NextWave 5.2 — login/refresh, envelope+relayer (D-05/D-10)TBD; update this file when merged

Process (until Jira)

This file is part of the mandatory development workflow. Full rules: ../standards/DEVELOPMENT_WORKFLOW.md.

  1. When a PR implements part of a user story: add or update a row in Stories with implementation touchpoints (or move status toward Done when all ACs are proven).
  2. Link the PR or branch name in the Notes column when helpful.
  3. After Jira MEL is live: either generate this file from Jira (preferred) or replace body with “See Jira” and keep a one-line pointer here.

Cross-references