Story: Accounts to IAM
This page documents a story in Sprint 07. It captures the goal, current status, acceptance criteria, and the tasks that compose it.
Goal
Rename ores.accounts to ores.iam and broaden it from
accounts management into proper Identity and Access Management. Add
the missing self-service surfaces — lock, password reset, sign-up — and
leave the component ready for RBAC to land on top.
Status
| Field | Value |
|---|---|
| State | DONE |
| Parent sprint | Sprint 07 |
| Now | Completed 2025-12-25. |
| Waiting on | None. |
| Next | None. |
| Last touched | 2025-12-25 |
Acceptance
- Component renamed to ores.iam with no ores.accounts references in live code.
- Lock account, password reset, and sign-up land end-to-end across protocol + handler + CLI/shell.
- Build and tests green throughout.
Tasks
| Task | State | Start | End | Description |
|---|---|---|---|---|
| Rename accounts to iam | DONE | 2026-05-19 | 2025-12-25 | Rename ores.accounts to ores.iam to reflect the broader identity-and-access concern; pure rename PR. |
| Add lock account request | DONE | 2026-05-19 | 2025-12-22 | Add a protocol message + service handler to lock an account (administrative action, separate from auto-lock on failed logins). |
| Add password reset functionality to accounts | DONE | 2026-05-19 | 2025-12-23 | User-initiated password reset: protocol message, server-side reset flow, CLI/Qt entry points. |
| Add sign-up workflow | DONE | 2026-05-19 | 2025-12-24 | End-to-end sign-up: collect user details, validate, create account, route to first-login. |
Decisions
- Rename first, then extend: a pure-rename PR is cheap to review and gives the subsequent IAM work a stable home.
- In-app reset tokens: defers the email-integration question to a later sprint without locking the protocol shape.
Out of scope
- Email-based reset delivery (token transport is in-app for now).
- OAuth / SSO.
See also
- ores.iam — the renamed component.
- Roles and permissions — the sibling story that lands RBAC on top of IAM.