Authenticate via OAuth
Issue a session for verified Google identities. Reject everything else without disclosing why.
- Verified emails create a session
- Unverified emails are rejected silently
- Sessions expire after 24 hours
Atomic primitives in the specs & documents family. Click any tile for the live render, the spec it was built from, and the code that fell out.
Issue a session for verified Google identities. Reject everything else without disclosing why.
Authenticate via OAuth so verified identities can act, and unverified ones cannot — silently.
SPEC-014 / v1.3.0
Authenticate via OAuth. Verified emails create a 24-hour session. Unverified emails are rejected silently. Rate-limit at 10 attempts per minute per identity. p99 latency must remain ≤ 200ms.
spec lifecycle
URGENT — THIS QUARTER
SPEC-014 / priority
Verified Google identities create a 24-hour session; unverified emails are rejected silently; rate limit at 10 attempts per minute per identity. Not in scope: SSO providers beyond Google.
spec domains
spec touches
NEEDS GOVERNANCE REVIEW
| SEV | THREAT | MITIGATION | OUT-OF-SCOPE |
|---|---|---|---|
| HIGH | Credential stuffing on /auth | Rate-limit + lockout @ 10/min | Botnet behind residential proxies |
| MED | Session token replay | Bind to UA + IP fingerprint | Mobile NAT roaming churn |
| LOW | OAuth open-redirect | Allowlist redirect domains | Subdomain takeover detection |
| HIGH | PII in error responses | Sanitise + opaque error codes | Error timing oracles |
Stripe Tax computes rates within 50ms p95 in EU regions
session.verified == true session.expiresAt == now + 24h Vague term "secure" — replace with measurable property
Closed set. Every finding is exactly one tier.
SPEC-038 mandates 24h; SPEC-061 mandates 12h
One pill per spec. Roll-up of ICS, lint, and drift signals.
// lifecycle pip
// lifecycle pip
// lifecycle pip
// lifecycle pip
SPEC-148 / v2.4.1
Legacy session ttl policy. Superseded by tighter audit controls; retained until consumers migrate.
SPEC-077 / v3.0.0 (final)
v1 telemetry pipeline contract. Closed after the v3 fleet cutover; retained for lineage only.
// spec age
// re-spec window
// transition
// ownership handoff
// version bump
SPEC-353 / v1.4.0
Public retention contract. Visible on the consumer portal; pinnable by downstream callers from this moment.
DoCoDeGo is in Alpha. The framework is documented, the practices are battle-tested at small scale, and the next release is being shaped in public.
If it produces anything, it should produce engineers and teams who think more clearly about what they are building and why.
Discord is where specs are debated, the framework gets sharper, and decisions land in writing. The conversation is the artefact.