Promote four now-decided directions from Future Ideas into a new
"下一阶段:已确定要做" section (roadmap altitude, not yet broken into task cards):
TOTP second factor for the public dashboard, frontend optimization (scope TBD),
MQTT / IoT integration, and a settings-page long-lived API token (PAT-style,
related to but distinct from M3's mobile OAuth). Future Ideas is now an empty,
purpose-stated bucket for not-yet-decided ideas.
Record TOTP (RFC 6238) as a deferred hardening idea for the now public-facing
Web dashboard: second factor on the single-admin login, with CLI-only password
reset and a CLI TOTP reset/recovery path that works even if the recovery codes
are lost (no lock-out dead end). Not M2.5, not scheduled — parked under a new
Future Ideas section.
- README: add 前端 v2 (React SPA) section (dev/build/codegen/hosting/gates),
update directory listing, drop stale Jinja descriptions
- architecture-overview: retire '不引入前后端分离' constraint; reflect SPA + JSON API
- roadmap: mark M2 done
- remove orphaned jinja2 dependency (recompile requirements*.txt; no other churn)
- delete empty tests/test_auth.py stub; drop dead _extract_csrf_token in test_api_data
- verified image still builds and app imports with the slimmer deps
Record the decisions reached in planning into docs/design/m2-frontend-v2.md:
component library = Mantine; map = Leaflet (react-leaflet + leaflet.heat +
markercluster, isolated behind a component seam for a future MapLibre swap);
OpenAPI typed client committed + CI-checked; CSRF simplified to SameSite=Lax +
a custom write header (no per-session token); heatmap-first map as the home
view with a required time-range picker and an auxiliary paginated list;
record CRUD edits non-PK fields and deletes single rows (no UI create); bare
ingestion endpoints stay until M3; trips optional. Wireframes intentionally
skipped for this milestone.
Rewrite README (single app.db + one alembic_app chain, legacy data moved
once via scripts.migrate_legacy_data, accurate test list) and remove the
Grafana Provisioning section. Update architecture-overview to the unified
data layer (one Base, app-DB engine with WAL) and retire the
alembic_location / alembic_poo sections. Mark M1 done in the roadmap.
Re-export openapi/, which catches the spec up to the already-existing
/config/smtp/test and /public-ip/check endpoints (purely additive; M1's
DB-session dependency swap produced no schema change).
pytest 95 passed; ruff clean (pre-existing only); OpenAPI export idempotent.
tliu93