@esz135888
Last active May 24, 2026 01:54
PLS job 04dd826b Yanwenzi member access operations production pack

Acceptance Tests

  1. Primary artifact URL returns HTTP 200.
  2. Required appendix files exist: production brief, data model, acceptance tests, decision record, artifact URL record.
  3. D1 / D7 / D14 / D30 path exists.
  4. Purpose-to-purpose E2E connects password reset to member operations and space/SITA decisions.
  5. Owner, due, and acceptance are explicit.
  6. Data model includes schema, API, sync, permissions, and audit.
  7. Password reset flow records admin, member, reason, expiry, use, and revoke state.
  8. Members with must_change_password=true cannot access member functions until password change.
  9. Market maturity includes at least two external sources.
  10. People sync and learning memory exist.

E2E Scenario

Given an admin resets a member's password, when the member logs in with the temporary password, then the system sets pending_password_change, blocks member features, requires a password change, records the audit event, and only then returns the member to active.

Data Model

members

  • id: uuid primary key.
  • name: text.
  • email: text unique.
  • status: enum active, pending_password_change, suspended, inactive.
  • membership_tier: text nullable.
  • space_access_level: enum none, member, admin, staff.
  • last_login_at: timestamptz nullable.
  • must_change_password: boolean.

admin_password_resets

  • id: uuid primary key.
  • member_id: uuid.
  • admin_id: uuid.
  • reason: text.
  • temporary_password_hash: text.
  • expires_at: timestamptz.
  • used_at: timestamptz nullable.
  • created_at: timestamptz.
  • revoked_at: timestamptz nullable.

member_access_events

  • id: uuid primary key.
  • member_id: uuid.
  • event_type: enum login, password_reset, password_changed, reset_expired, admin_override, access_denied.
  • actor_id: uuid nullable.
  • ip_hash: text nullable.
  • user_agent_hash: text nullable.
  • created_at: timestamptz.
  • metadata: jsonb.

space_ops_plan

  • id: uuid primary key.
  • owner_id: uuid.
  • venue_option: text.
  • monthly_cost: numeric nullable.
  • capacity: integer nullable.
  • revenue_model: text.
  • risk_status: enum green, yellow, red, blocked.
  • due_at: timestamptz.

sita_application_tasks

  • id: uuid primary key.
  • task_name: text.
  • owner_id: uuid.
  • status: enum todo, doing, done, blocked.
  • due_at: timestamptz.
  • evidence_url: text nullable.

API / Sync

  • POST /admin/members/:id/reset-password
  • POST /members/change-password
  • GET /ops/member-access-scorecard
  • GET /ops/sita-application-tasks
  • POST /ops/venue-options

Permissions / Audit

Only admins can reset passwords. The member must change their password before accessing member functions. Supervisors can audit reset events. Louis can approve SITA escalation and venue decisions. Every reset and override is recorded append-only in member_access_events.

Decision Record

Decision

Use system / governance for this round.

Why

The latest commit is a security and membership capability. Because the project also has venue, SITA, and operations risk, the deliverable must connect member access governance to an operating cadence. A simple communication reminder would not capture password reset audit and permissions. A pure project pack would ignore security.

Options Considered

  • Communication: too small; does not productize access control.
  • Project pack: useful for SITA and venue, but lacks account security governance.
  • System / governance: best fit; covers password reset, member state, audit, permissions, and operating scorecard.

Adoption Status

Recommended. D7 should connect real member reset logs and SITA task owners.

Feedback Needed If Rejected

Clarify whether the blocker is missing member table access, lack of admin policy, or uncertainty about venue/SITA owner authority.

{
"project": "AI 自建專案:言文字(共學空間) 的最大化推進",
"job_id": "04dd826b-7460-459b-bfda-311778914fd8",
"selected_solution": "system/governance",
"learned_signal": "Latest repo commit added admin member password reset with temporary password and must_change_password forced change.",
"market_learning": "Secure password reset requires robust tokens, expiry, auditability, and safe account state transitions; coworking operations maturity connects member CRM, access, billing, and analytics.",
"next_run_bias": "Treat member access commits as operations governance triggers, not isolated engineering updates.",
"must_check_next": [
"Does admin reset require reason?",
"Does temporary password expire and revoke?",
"Can must_change_password block member features?",
"Who owns SITA application tasks?",
"What venue options and revenue model are being compared?"
]
}

Market Maturity

Comparable Practices

PLS Gap

言文字 has a password reset feature, but lacks production governance: temporary password expiry, audit reason, member state machine, SITA task owners, venue option scorecard, and weekly operating cadence.

This Round Upgrade

This pack connects secure member access to coworking operating readiness, with data model, APIs, permissions, audit, and D30 dashboard path.

People Sync

LINE Draft

Louis, this round I have turned 言文字's latest "admin resets member password / temporary password / must_change_password" work into a member access and operations console. D1 adds the reset audit, temporary password expiry, and forced member password change gates; D7 needs 阿惟/松霖 to fill the SITA application data gaps and the venue option comparison, so that login security, member status, and the operating plan are managed on one scorecard.

Ask

Please confirm: is the SITA application owner 阿惟 or 松霖? And must an admin password reset require a reason before it can be executed?

If No Reply

Mark the SITA task as owner_gap for now, and make the reset reason a required gate.

Production Brief

Scenario

Project: AI self-built project: maximizing the advancement of 言文字 (co-learning space).

Latest signal: a531cba Hsu-Pei-Chun added an admin member password reset feature that generates a temporary password and sets must_change_password; the member must change the password after logging in.

Project blockers: 阿惟 + 松霖 lack a clear operating plan, the new venue is undecided, and the SITA application deadline at the end of March is pressing.

This Round's Output

Build the "member access and operations console", upgrading the password reset feature into a production pack covering member access governance, operating cadence, venue decisions, and SITA application gap management.

D1 / D7 / D14 / D30

  • D1: define the password reset flow, temporary password expiry, must_change_password, audit event, and operating plan fields.
  • D7: complete the member access scorecard, reset audit, SITA data gaps, and venue option comparison.
  • D14: connect member, course, space booking, and billing data to form a weekly operating cadence.
  • D30: upgrade into a co-learning space operating dashboard.

Owner / Due / Acceptance

  • Owner: 阿惟 / 松霖.
  • Decision owner: Louis.
  • Due: D7 operations scorecard.
  • Acceptance: reset audit is traceable, the member reinstatement flow is verifiable, SITA application gaps have a clear owner/due, and venue operating options are comparable.

Production Readiness

Ready Now

  • Openable member access and operations console.
  • Required production appendix pack.
  • Password reset governance gates.
  • Member and ops data model.
  • D1/D7/D14/D30 operating path.

Integration Required

  • Connect real member table and admin reset logs.
  • Add temporary password expiry and revoke behavior if not already present.
  • Connect SITA application task owners and due dates.
  • Add venue option scorecard.

Failure / Rollback

If temporary password expires, revoke and require new admin reset. If admin reset lacks reason, block action. If SITA task owner is missing, mark blocked and escalate to Louis. If venue data is incomplete, keep decision in data_gap.
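The reset flow described by the E2E scenario, data model and permissions sections above, together with the expiry and missing-reason rules in this Failure / Rollback paragraph, as an added illustration that is not part of the pack's own code. It assumes in-memory dicts standing in for the members, admin_password_resets and member_access_events tables, a 24-hour temporary password TTL, SHA-256 as a placeholder for a real password hash, and a frozen clock so expiry can be exercised.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone
TEMP_PASSWORD_TTL = timedelta(hours=24)  # assumed TTL; the pack does not fix a value

def hash_password(pw):  # stand-in for a real password hash (use argon2/bcrypt in production)
    return hashlib.sha256(pw.encode()).hexdigest()

class MemberAccess:  # in-memory stand-in for members, admin_password_resets, member_access_events
    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc)  # frozen clock so expiry is testable
        self.members, self.resets, self.events = {}, {}, []  # events is append-only
    def _audit(self, member_id, event_type, actor_id=None, **metadata):
        self.events.append({"member_id": member_id, "event_type": event_type,
                            "actor_id": actor_id, "created_at": self.now, "metadata": metadata})
    def admin_reset(self, admin_id, member_id, reason):
        if not reason or not reason.strip():  # admin_reset_audit gate: no reason, no reset
            raise PermissionError("reset requires a reason")
        temp, rid = secrets.token_urlsafe(12), secrets.token_hex(8)
        self.resets[rid] = {"member_id": member_id, "admin_id": admin_id, "reason": reason,
                            "temporary_password_hash": hash_password(temp), "used_at": None,
                            "expires_at": self.now + TEMP_PASSWORD_TTL, "revoked_at": None}
        self.members[member_id]["must_change_password"] = True
        self._audit(member_id, "password_reset", admin_id, reason=reason, reset_id=rid)
        return rid, temp  # temp is shown once to the admin, never stored in clear
    def login_with_temporary_password(self, member_id, temp):
        for r in self.resets.values():
            if r["member_id"] != member_id or r["used_at"] or r["revoked_at"]:
                continue
            if self.now >= r["expires_at"]:  # expired: revoke, a new admin reset is required
                r["revoked_at"] = self.now
                self._audit(member_id, "reset_expired")
            elif hmac.compare_digest(r["temporary_password_hash"], hash_password(temp)):
                r["used_at"] = self.now  # single use
                self.members[member_id]["status"] = "pending_password_change"
                self._audit(member_id, "login", member_id, via="temporary_password")
                return True
        self._audit(member_id, "access_denied", member_id, via="temporary_password")
        return False
    def member_functions_allowed(self, member_id):  # must_change_password gate
        m = self.members[member_id]
        ok = m["status"] == "active" and not m["must_change_password"]
        if not ok:
            self._audit(member_id, "access_denied", member_id, status=m["status"])
        return ok
    def change_password(self, member_id, new_password):
        m = self.members[member_id]
        if m["status"] != "pending_password_change":
            return False
        m.update(password_hash=hash_password(new_password), must_change_password=False, status="active")
        self._audit(member_id, "password_changed", member_id)
        return True
```

Advancing `now` past `TEMP_PASSWORD_TTL` before the login call exercises the expiry path: the reset row is revoked, a reset_expired event is appended, and the login is denied.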

Skill / Tool Usage

Tools Used

  • PLS helper: doctor, touch, claim, context, progress, upload-files, complete.
  • Web search: checked OWASP password reset, NIST digital identity, and coworking operations software maturity.
  • GitHub CLI: publishes production pack as a public Gist.
  • curl: verifies primary artifact URL returns HTTP 200.

Evidence

The job was claimed and context was read through the helper. Progress was written before production work. Market maturity references were checked. The final artifact is published and verified before completion.

Solution Selection

Selected route: system / governance.

The repo signal is account access control. The business risk is operating readiness. The right production unit is therefore a system governance pack: secure reset flow, member state machine, audit log, SITA task board, and venue operating scorecard.

Production stack:

  • Framework: access governance + coworking operations.
  • Workflow: admin reset -> temporary credential -> forced password change -> audit -> member status -> ops scorecard.
  • Data model: members, resets, access events, ops plan, SITA tasks.
  • Tool: openable HTML console.
  • Acceptance: security and operations pass/fail gates.
  • Upgrade: real member table and SITA task integration.
<!doctype html>
<html lang="zh-Hant">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>言文字 Co-learning Space Member Access and Operations Console</title>
<style>
:root{--ink:#18212f;--muted:#617083;--line:#d9e1e8;--paper:#f6f8fb;--card:#fff;--blue:#1d4ed8;--green:#0f7f5c;--amber:#a16207;--red:#b3361d;--violet:#6d28d9}
*{box-sizing:border-box}body{margin:0;background:var(--paper);color:var(--ink);font-family:Inter,ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;line-height:1.5}
header{background:#fff;border-bottom:1px solid var(--line);padding:28px clamp(20px,4vw,56px)}main{padding:24px clamp(20px,4vw,56px) 48px}
h1{margin:0 0 12px;font-size:clamp(30px,4vw,52px);line-height:1.05;max-width:1080px}h2{margin:0 0 12px;font-size:22px}h3{margin:0 0 6px;font-size:16px}p{margin-top:0}code{background:#eef3f8;padding:1px 5px;border-radius:4px}
.sub{max-width:1080px;color:var(--muted);font-size:17px}.grid{display:grid;gap:16px}.kpis{grid-template-columns:repeat(4,minmax(0,1fr));margin-top:22px}.two{grid-template-columns:1.1fr .9fr}.three{grid-template-columns:repeat(3,minmax(0,1fr))}.timeline{grid-template-columns:repeat(4,minmax(0,1fr))}.flow{grid-template-columns:repeat(5,minmax(0,1fr))}
.card{background:var(--card);border:1px solid var(--line);border-radius:8px;padding:18px;box-shadow:0 1px 2px rgba(24,33,47,.04)}.metric{font-size:34px;font-weight:780}.label{color:var(--muted);font-size:13px}
.pill{display:inline-flex;border:1px solid var(--line);border-radius:999px;padding:4px 10px;font-size:12px;background:#fff;margin:0 6px 8px 0;white-space:nowrap}.ok{color:var(--green)}.warn{color:var(--amber)}.bad{color:var(--red)}.info{color:var(--blue)}
table{width:100%;border-collapse:collapse;font-size:14px}th,td{text-align:left;padding:10px;border-bottom:1px solid var(--line);vertical-align:top}th{color:var(--muted);font-size:12px;text-transform:uppercase}
.day{border-left:4px solid var(--violet)}.step{border:1px solid var(--line);border-radius:8px;padding:12px;min-height:126px;background:#fbfdff}.step strong{display:block;color:var(--violet);margin-bottom:6px}.source a{color:var(--blue);word-break:break-word}
@media(max-width:920px){.kpis,.two,.three,.timeline,.flow{grid-template-columns:1fr}h1{font-size:34px}}
</style>
</head>
<body>
<header>
<span class="pill info">PLS production delivery pack</span><span class="pill ok">Solution: system / governance</span>
<h1>言文字 (Co-learning Space) Member Access and Operations Console</h1>
<p class="sub">Push the latest commit (admin resets member password, generates a temporary password, sets must_change_password) into production-grade member access governance: login security, member reinstatement, venue operations, SITA application cadence, and owner/due/acceptance brought together on one console.</p>
<section class="grid kpis">
<div class="card"><div class="metric">1</div><div class="label">Latest repo commit: admin resets member password</div></div>
<div class="card"><div class="metric ok">MCP</div><div class="label">must_change_password forced password change governance</div></div>
<div class="card"><div class="metric warn">End of March</div><div class="label">SITA application deadline pressure</div></div>
<div class="card"><div class="metric">D30</div><div class="label">Members, venue, revenue, and security run from one table</div></div>
</section>
</header>
<main class="grid">
<section class="grid two">
<div class="card">
<h2>This Round's Problem</h2>
<p>言文字 already has member login and admin password reset capability, but the project blockers remain: 阿惟 and 松霖 lack an operating plan, the new venue is undecided, and the SITA deadline is pressing. Delivering only the password feature would not address the co-learning space's real operating risk; member access, security audit, venue operations, and application cadence need to be connected into a production operating pack.</p>
<span class="pill">Owner: 阿惟 / 松霖</span><span class="pill">Decision: Louis</span><span class="pill">Due: D7 operations scorecard</span><span class="pill">Acceptance: reset audit + ops plan</span>
</div>
<div class="card">
<h2>Solution Selection</h2>
<p><strong>system / governance</strong>. The latest commit is an account security capability, suited to being upgraded into a member access system spec; because it also touches member identity, passwords, permissions, revenue, and venue applications, governance and audit must be added rather than only a general project memo.</p>
</div>
</section>
<section class="card">
<h2>D1 / D7 / D14 / D30 Path</h2>
<div class="grid timeline">
<div class="card day"><h3>D1</h3><p>Define the password reset flow, temporary password expiry, must_change_password, and audit event; add operating plan fields.</p></div>
<div class="card day"><h3>D7</h3><p>Complete the member access scorecard, admin operation records, SITA application data gaps, and venue option comparison.</p></div>
<div class="card day"><h3>D14</h3><p>Connect member/course/space booking/billing data to form a weekly operating cadence and risk list.</p></div>
<div class="card day"><h3>D30</h3><p>Upgrade into a co-learning space operating dashboard: members, permissions, events, income, venue, and application progress governed from one table.</p></div>
</div>
</section>
<section class="card">
<h2>Purpose-to-Purpose E2E</h2>
<div class="grid flow">
<div class="step"><strong>Original Purpose</strong>Let the 言文字 co-learning space manage members and operations securely.</div>
<div class="step"><strong>Product Capability</strong>Admin password reset, temporary password, forced password change, audit log.</div>
<div class="step"><strong>Operations</strong>Member status, venue decisions, SITA application, event/income cadence.</div>
<div class="step"><strong>Adoption</strong>阿惟/松霖 fill in the operating plan; Louis reviews venue and application decisions.</div>
<div class="step"><strong>Outcome</strong>Lower account risk, faster member reinstatement, complete application data, and an advancing space revenue model.</div>
</div>
</section>
<section class="grid two">
<div class="card">
<h2>Access Governance Gates</h2>
<table>
<thead><tr><th>Gate</th><th>Pass Rule</th><th>Action</th></tr></thead>
<tbody>
<tr><td>temporary_password_expiry</td><td>Temporary password has an expiry and cannot be reused.</td><td>Expires automatically and notifies the admin.</td></tr>
<tr><td>must_change_password</td><td>Member must change password after logging in with the temporary password.</td><td>No access to member functions until done.</td></tr>
<tr><td>admin_reset_audit</td><td>Every reset records actor, member, reason, time.</td><td>Reset not allowed without a reason.</td></tr>
<tr><td>member_ops_status</td><td>Member status maps to billing, event, and venue permissions.</td><td>Inconsistent status goes to data_gap.</td></tr>
<tr><td>sita_application_ready</td><td>SITA application data has a clear owner/due/gaps.</td><td>Escalate to Louis if not complete before D7.</td></tr>
</tbody>
</table>
</div>
<div class="card">
<h2>Data / API / Permissions</h2>
<p><strong>Tables:</strong> <code>members</code>, <code>admin_password_resets</code>, <code>member_access_events</code>, <code>space_ops_plan</code>, <code>sita_application_tasks</code>.</p>
<p><strong>APIs:</strong> <code>POST /admin/members/:id/reset-password</code>, <code>POST /members/change-password</code>, <code>GET /ops/member-access-scorecard</code>.</p>
<p><strong>Permissions:</strong> only admins reset passwords; members change their own password; Louis/supervisor can audit resets and approve SITA escalation.</p>
</div>
</section>
<section class="grid three">
<div class="card"><h2>Value / Money Path</h2><p>Secure member reinstatement reduces support time and account risk; once the operating plan is linked to member status, it can drive conversion to paid membership, course events, and venue applications.</p></div>
<div class="card"><h2>People Capability Uplift</h2><p>阿惟/松霖 do not just "have a feature"; they know which operating fields to fill each week, who decides, and which data gap would block the application.</p></div>
<div class="card"><h2>Next Round Upgrade</h2><p>Connect the real member table and reset audit, and generate the D7 operations scorecard and the SITA application gap list.</p></div>
</section>
<section class="card source">
<h2>Market Maturity Inputs</h2>
<p>OWASP recommends robust password reset tokens, secure reset flow, and not changing account state before a valid token is presented: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html">OWASP Forgot Password Cheat Sheet</a>.</p>
<p>NIST Digital Identity Guidelines emphasize modern authenticator and password lifecycle practices: <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b-4.pdf">NIST SP 800-63B-4</a>.</p>
<p>Coworking management software maturity centers member CRM, billing, access control, analytics, and space operations dashboards: <a href="https://www.coworks.com/blog/what-to-look-for-in-coworking-space-management-tools">Coworks space management tools</a>.</p>
</section>
</main>
</body>
</html>