You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Create one coordinated program for member-only content, authoritative website accounts, WhatsApp and Strava access reconciliation, and approval-gated Instagram coordination.
Architectural boundaries
Firebase UID plus server-verified current MPRC membership is the only membership authority.
Account entry must offer both email/password and a plain-language Continue with Google option on one simple screen. Provider choice proves identity only and never grants membership, discounts, member pricing, payment state, or admin access.
Member-facing membership, navigation, and payment journeys minimize steps for elderly and nontechnical members: preserve the task they started, use one clear next action, readable controls/status, and consistent recovery without provider jargon.
Google Sites/Groups, WhatsApp, and Strava are derived access projections. They never grant website membership, discounts, or admin privileges.
Instagram is a separate one-way club publishing integration. Personal member Instagram accounts are out of scope.
Provider tokens, invite links, phone identifiers, and private rosters are not stored in public issues, logs, custom claims, or client-readable documents.
Coordination with the secure-commerce backlog
Stable dependencies owned by the parallel planning/security work:
SAFETY-001 — callback preservation and local Firebase isolation (currently in progress)
SEC-001 — resource-specific Firestore trust boundaries (currently in progress)
AUTH-001 — verified email for member and privileged claims
AUTH-003 — scoped admin capabilities, MFA, and recent authentication
ABUSE-001 — App Check and abuse controls
ADMIN-001 — scoped admin APIs and append-oriented audit
CI-001 / OBS-001 — reliable deployment and operational alerting
The canonical detailed backlog is currently GITHUB_ISSUES.md in the shared worktree. Child issues below must keep these stable IDs in their dependency sections until the coordinating agent publishes corresponding GitHub issue numbers.
Provider constraints
Google Sites can be Restricted to named Google principals or a Google Group, but Firebase claims cannot directly authorize a Google Site.
WhatsApp automation for the existing large club group must not be assumed. The Groups API is restricted and unsuitable unless provider-console evidence proves eligibility.
Strava supports per-user OAuth and a self club-list check, but no club join/approve/remove API.
Instagram publishing uses one club-owned professional account and must never ingest member-only content or member data.
Work claim protocol
No child issue is claimed by creating it. Before implementation begins:
Confirm dependencies are complete and the issue has status:ready.
Assign the issue to the worker.
Post: CLAIMED by at ; branch .
Re-read comments before editing. The earliest valid claim wins.
Change status only after the claim; never work two outcomes in one branch.
All provider integrations have least-privilege ownership, explicit consent, idempotent desired/observed reconciliation, safe deprovisioning, redacted audit, non-production tests, and documented manual fallbacks. Critical member journeys offer plain-language email or Google entry, preserve navigation intent, and never confuse account creation with membership or payment approval. External provider-console work requires a named owner and private evidence.
Outcome
Create one coordinated program for member-only content, authoritative website accounts, WhatsApp and Strava access reconciliation, and approval-gated Instagram coordination.
Architectural boundaries
Continue with Googleoption on one simple screen. Provider choice proves identity only and never grants membership, discounts, member pricing, payment state, or admin access.Coordination with the secure-commerce backlog
Stable dependencies owned by the parallel planning/security work:
The canonical detailed backlog is currently GITHUB_ISSUES.md in the shared worktree. Child issues below must keep these stable IDs in their dependency sections until the coordinating agent publishes corresponding GitHub issue numbers.
Provider constraints
Work claim protocol
No child issue is claimed by creating it. Before implementation begins:
Child tickets
Immediate containment
Membership and Google access
WhatsApp and Strava reconciliation
Instagram coordination
Recommended sequence
Definition of done
All provider integrations have least-privilege ownership, explicit consent, idempotent desired/observed reconciliation, safe deprovisioning, redacted audit, non-production tests, and documented manual fallbacks. Critical member journeys offer plain-language email or Google entry, preserve navigation intent, and never confuse account creation with membership or payment approval. External provider-console work requires a named owner and private evidence.