From 379a79bc9d76403ac4f323fbd273aae0aa5c4c9a Mon Sep 17 00:00:00 2001 From: James Date: Sun, 15 Mar 2026 06:02:11 -0400 Subject: [PATCH] chore: auto-commit uncommitted changes --- .claude/skills/README.md | 22 +++++++++ CLAUDE.md | 97 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+) create mode 100644 .claude/skills/README.md create mode 100644 CLAUDE.md diff --git a/.claude/skills/README.md b/.claude/skills/README.md new file mode 100644 index 0000000..57e21f7 --- /dev/null +++ b/.claude/skills/README.md @@ -0,0 +1,22 @@ +# Dealspace Claude Code Skills + +Reusable workflows for Claude Code sessions. Invoke by name at the start of a session. + +## Available Skills + +*(none yet — add as patterns emerge)* + +## How to Use + +At the start of a Claude Code session: +``` +Use the skill: .claude/skills//SKILL.md +``` + +## Candidates (add when ready) + +- `add-role` — how to add a new RBAC role (rbac.go, migrations, tests) +- `add-workstream` — how to add a workstream type +- `deploy` — build-linux + deploy to Shannon procedure +- `watermark` — PDF watermarking implementation context +- `invite-flow` — invite/onboarding flow context diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..c727a45 --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,97 @@ +# Dealspace (muskepo.com) + +M&A deal workflow platform for investment banking data rooms. Built for Misha (Michael Muskepo / Johan's son). Primary builder: Mira (James assists). + +## Ground Rules + +Johan is the architect. You are the collaborator. + +1. **Discussion first.** Default is conversation. No code until asked. +2. **Minimal diffs.** Change only what's requested. +3. **Less code, better architecture.** Flag opportunities to consolidate. +4. **Ask, don't assume.** Ambiguous → ask first. +5. **No unsolicited files.** +6. **Mention concerns once, then execute.** + +## Architecture + +``` +cmd/server/ — main binary entry point (embeds website/) +api/ — REST API handlers +lib/ — shared: auth, crypto, db, rbac, types +mcp/ — MCP server (planned v2.0) +portal/ — deal room UI (Go templates) +website/ — muskepo.com marketing site (go:embed) +migrations/ — SQLite migrations +docs/ — specs and design docs +``` + +**Build:** +```bash +make build # local build +make build-linux # linux/amd64 with CGO + fts5 +make deploy # build-linux + deploy to Shannon (root@82.24.174.112) +make test # run tests (CGO + fts5) +``` + +## Environments + +| Environment | Host | URL | +|-------------|------|-----| +| Production | root@82.24.174.112 (Shannon) | dealspace.jongsma.me | +| Local | forge (192.168.1.16) | - | + +Deploy path on Shannon: `/opt/dealspace/` + +## Key Design Docs + +- `MVP.md` — v1.0 scope (what ships, what doesn't) +- `API-SPEC.yaml` — REST API spec +- `EMBED-SPEC.md` — embedded portal spec +- `MCP-SPEC.md` — MCP server spec (v2.0) +- `ONBOARDING-SPEC.md` — invite/onboarding flow + +## RBAC Roles + +7 roles: `ib_admin`, `ib_member`, `seller_admin`, `seller_member`, `buyer_admin`, `buyer_member`, `observer`. Workstream-scoped permissions. All enforced at DB level — not just UI. + +## Data Model + +`Project → Workstream → Request List → Request → Answer` + +Key fields on requests: `assignee_id`, `return_to_id`, `origin_id` (routing chain). + +## Security Non-Negotiables + +- **Pre-dataroom content is DB-level invisible to buyers** — not a UI filter +- **PDF watermarking** at serve time: `{user_name} · {org_name} · {datetime} · CONFIDENTIAL` +- **Audit log** on every access grant, file download, status change, login — never disabled +- **File storage:** compressed + encrypted +- **TOTP required** for admin roles + +## Data Access Architecture + +Three choke points in `lib/dbcore.go` — ALL entry data goes through these: + +- `EntryRead(db, cfg, actorID, projectID, filter)` — all reads +- `EntryWrite(db, cfg, actorID, entries...)` — all writes +- `EntryDelete(db, actorID, projectID, entryIDs...)` — all deletes + +**RBAC:** Every choke point calls `CheckAccess()` before touching data. `actorID=""` = system/internal (always granted). + +**No stubs, no wrappers for writes/deletes.** Callers use `EntryWrite`/`EntryDelete` directly. Read-path convenience helpers are acceptable — they must delegate to `EntryRead`. + +**FORBIDDEN:** +- `db.Exec()`, `db.Query()`, `db.QueryRow()` outside dbcore.go +- New wrapper functions that bypass choke points +- Any modification to `lib/dbcore.go` without Johan's explicit approval + +**Encryption/compression:** Files stored via the designated path in dbcore.go only. Never handle file crypto inline in handlers. + +## Current Status (Mar 2026) + +- Mira is primary builder (Misha's AI) +- Portal templates and layouts in progress +- Invite flow, auto-assign UI (spec 3.b.2) pending +- SMTP not yet configured +- v1.0 target: 6 sprints, demoable to Misha after Sprint 2